From 35df0b606e1adc0db58dfe8088d0ba5cab2f3df6 Mon Sep 17 00:00:00 2001 From: Randy MacLeod Date: Wed, 1 Mar 2023 16:24:26 -0800 Subject: rsyslog: add disabled PACKAGECONFIG to drop capabilities Add PACKAGECONFIG to enable dropping capabilities but leave it as disabled to follow upstream and avoid a systemd issue described below. rsyslog-8.2302 added a configure option to drop capabilities from full to: chown, dac_override, setgid, setuid, setpcap, net_bind_service, net_admin, ipc_lock, sys_chroot, sys_admin, sys_resource, lease, syslog, block_suspend This works fine and passes ptests with sysvinit however there is a bug when using systemd that breaks some tests: https://github.com/rsyslog/rsyslog/issues/5091 Therefore only add a non-default PACKAGECONFIG option in keeping with the rsyslog upstream. One can install libcap-ng-bin to run pscap to see the capabilities. Without this option the ptest result with systemd as init is: Version | Passed | Failed | Skipped 8.2302 | 473 | 0 | 3 Signed-off-by: Randy MacLeod Signed-off-by: Khem Raj --- meta-oe/recipes-extended/rsyslog/rsyslog_8.2302.0.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-oe/recipes-extended/rsyslog/rsyslog_8.2302.0.bb b/meta-oe/recipes-extended/rsyslog/rsyslog_8.2302.0.bb index 727e231112..39d9516d0f 100644 --- a/meta-oe/recipes-extended/rsyslog/rsyslog_8.2302.0.bb +++ b/meta-oe/recipes-extended/rsyslog/rsyslog_8.2302.0.bb @@ -76,6 +76,8 @@ PACKAGECONFIG[mmjsonparse] = "--enable-mmjsonparse,--disable-mmjsonparse," PACKAGECONFIG[mysql] = "--enable-mysql,--disable-mysql,mysql5," PACKAGECONFIG[postgresql] = "--enable-pgsql,--disable-pgsql,postgresql," PACKAGECONFIG[libdbi] = "--enable-libdbi,--disable-libdbi,libdbi," +# For libcap-ng, see commit log and https://github.com/rsyslog/rsyslog/issues/5091 +PACKAGECONFIG[libcap-ng] = "--enable-libcap-ng,--disable-libcap-ng,libcap-ng," PACKAGECONFIG[mail] = "--enable-mail,--disable-mail,," PACKAGECONFIG[valgrind] = ",--without-valgrind-testbench,valgrind," PACKAGECONFIG[imhttp] = "--enable-imhttp,--disable-imhttp,civetweb," -- cgit v1.2.3-54-g00ecf