]> git.pld-linux.org Git - packages/syslog-ng.git/blob - cap_syslog.patch
- start after nfsfs
1 diff -upr syslog-ng-3.0.9./src/affile.c syslog-ng-3.0.9/src/affile.c
2 --- syslog-ng-3.0.9./src/affile.c       2011-01-19 15:14:11.813181829 +0100
3 +++ syslog-ng-3.0.9/src/affile.c        2011-01-19 16:10:12.399928759 +0100
4 @@ -59,7 +59,12 @@ affile_open_file(gchar *name, gint flags
5    if (privileged)
6      {
7        g_process_cap_modify(CAP_DAC_READ_SEARCH, TRUE);
8 -      g_process_cap_modify(CAP_SYS_ADMIN, TRUE);
9 +      if (!kernel_version)
10 +        get_kernel_version();
11 +      if (kernel_version < LINUX_VERSION(2, 6, 38))
12 +        g_process_cap_modify(CAP_SYS_ADMIN, TRUE);
13 +      else
14 +        g_process_cap_modify(CAP_SYSLOG, TRUE);
15      }
16    else
17        g_process_cap_modify(CAP_DAC_OVERRIDE, TRUE);
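Review bot: `CAP_SYSLOG` is used in the new `else` branch with no fallback definition visible in this patch, so a build against kernel or libcap headers that predate the capability would fail to compile, even though the runtime check is meant to keep older kernels working. A guard such as `#ifndef CAP_SYSLOG` / `#define CAP_SYSLOG 34` / `#endif` next to the `sys/capability.h` include would keep the build portable. The `if (!kernel_version) get_kernel_version();` pair is repeated in `main()`; a small accessor that initialises on first use would keep the two call sites from drifting apart. `affile_open_file` starts and ends outside this hunk.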
18 diff -upr syslog-ng-3.0.9./src/gprocess.h syslog-ng-3.0.9/src/gprocess.h
19 --- syslog-ng-3.0.9./src/gprocess.h     2009-04-22 13:06:55.000000000 +0200
20 +++ syslog-ng-3.0.9/src/gprocess.h      2011-01-19 16:10:12.399928759 +0100
21 @@ -27,6 +27,7 @@
22  #include "syslog-ng.h"
23  
24  #include <sys/types.h>
25 +#include <sys/utsname.h>
26  
27  #if ENABLE_LINUX_CAPS
28  #  include <sys/capability.h>
29 @@ -77,5 +78,8 @@ void g_process_finish(void);
30  
31  void g_process_add_option_group(GOptionContext *ctx);
32  
33 +extern int kernel_version;
34 +extern void get_kernel_version(void);
35 +#define LINUX_VERSION(x,y,z)    (0x10000*(x) + 0x100*(y) + z)
36  
37  #endif
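Review bot: The `LINUX_VERSION` macro leaves its last argument unparenthesised, so an expression argument containing a lower-precedence operator would be grouped wrongly; `#define LINUX_VERSION(x,y,z)    (0x10000*(x) + 0x100*(y) + (z))` fixes that. The encoding gives y and z one byte each, so a patch level above 255 carries into the minor field; that is harmless for the thresholds compared in this patch but deserves a comment. `kernel_version` and `get_kernel_version()` are declared here yet defined in main.c (see the main.c hunks), which presumably ties anything that links affile.c to main.c; defining them in gprocess.c would match the header that declares them.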
38 diff -upr syslog-ng-3.0.9./src/main.c syslog-ng-3.0.9/src/main.c
39 --- syslog-ng-3.0.9./src/main.c 2010-05-10 17:46:05.000000000 +0200
40 +++ syslog-ng-3.0.9/src/main.c  2011-01-19 16:10:25.346593248 +0100
41 @@ -64,6 +64,7 @@ static const gchar *persist_file = PATH_
42  static gboolean syntax_only = FALSE;
43  static gboolean seed_rng = FALSE;
44  static gboolean display_version = FALSE;
45 +int kernel_version;
46  
47  static volatile sig_atomic_t sig_hup_received = FALSE;
48  static volatile sig_atomic_t sig_term_received = FALSE;
49 @@ -395,6 +396,20 @@ version(void)
50           ON_OFF_STR(ENABLE_PCRE));
51  }
52  
53 +void
54 +get_kernel_version(void) {
55 +       static struct utsname uts;
56 +       int x = 0, y = 0, z = 0;
57 +
58 +       if (uname(&uts) == -1) {
59 +               fprintf(stderr, "Unable to retrieve kernel version.\n");
60 +               exit(1);
61 +       }
62 +
63 +       sscanf(uts.release, "%d.%d.%d", &x, &y, &z);
64 +       kernel_version = LINUX_VERSION(x, y, z);
65 +}
66 +
67  int 
68  main(int argc, char *argv[])
69  {
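Review bot: The return value of `sscanf` in `get_kernel_version()` is ignored, so a release string that does not parse leaves x, y and z at 0 and `kernel_version` at 0. Zero compares below `LINUX_VERSION(2, 6, 34)`, which selects the broadest set in `main()` (`cap_sys_admin=ep`) and `CAP_SYS_ADMIN` in affile.c, and it also makes every `!kernel_version` test repeat the lookup. Handling a parse failure the same way as the `uname` failure keeps an unrecognised kernel from landing in the most-privileged branch. `uts` does not need to be `static`, since nothing reads it after the function returns.

```c
/* … unchanged: uname() call and its error path … */

        if (sscanf(uts.release, "%d.%d.%d", &x, &y, &z) < 2) {
                fprintf(stderr, "Unable to parse kernel version \"%s\".\n", uts.release);
                exit(1);
        }
        kernel_version = LINUX_VERSION(x, y, z);
```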
70 @@ -411,9 +426,20 @@ main(int argc, char *argv[])
71     * indicate readability. Enabling/disabling cap_sys_admin on every poll
72     * invocation seems to be too expensive. So I enable it for now. */
73    
74 -  g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
75 +  if (!kernel_version)
76 +    get_kernel_version();
77 +  if (kernel_version < LINUX_VERSION(2, 6, 34))
78 +    g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
79                       "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner=p "
80                       "cap_sys_admin=ep");
81 +  else if (kernel_version < LINUX_VERSION(2, 6, 38))
82 +    g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
83 +                     "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner,"
84 +                     "cap_sys_admin=p");
85 +  else 
86 +    g_process_set_caps("cap_net_bind_service,cap_net_broadcast,cap_net_raw,"
87 +                     "cap_dac_read_search,cap_dac_override,cap_chown,cap_fowner,"
88 +                     "cap_syslog=p");
89    ctx = g_option_context_new("syslog-ng");
90    g_process_add_option_group(ctx);
91    msg_add_option_group(ctx);
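Review bot: The comment above this call still says cap_sys_admin is enabled permanently because toggling it on every poll is too expensive, but the two new branches grant the capability only as permitted (`=p`), and the reason for the 2.6.34 and 2.6.38 cut-offs is stated nowhere. A comment above the chain such as `/* < 2.6.34: cap_sys_admin kept effective; 2.6.34-2.6.37: permitted only, raised in affile_open_file(); >= 2.6.38: cap_syslog instead */` would record the intent. The `cap_syslog` name also has to be understood by the libcap in use at run time; `g_process_set_caps` is not visible here, so it is worth confirming that a rejected capability string does not leave the daemon running with its full initial privileges. That comment begins outside this hunk.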