ausearch-checkpoint race condition fix

Resolves: RHEL-86897
2025-04-11 13:44:35 +02:00 · 2025-04-11 13:44:35 +02:00 · 935b145ca6
commit 935b145ca6
parent fb748ca9eb
2 changed files with 41 additions and 0 deletions
--- a/audit.spec
+++ b/audit.spec
@ -23,6 +23,7 @@ Patch12: afunix-memleak.patch
 Patch13: end-of-event.patch
 Patch14: end-of-event-check.patch
 Patch15: end-of-event-gdm.patch
+Patch16: ausearch-checkpoint-race.patch

 BuildRequires: make gcc swig
 BuildRequires: openldap-devel
@ -120,6 +121,7 @@ cp %{SOURCE1} .
 %patch -P 13 -p1
 %patch -P 14 -p1
 %patch -P 15 -p1
+%patch -P 16 -p1

 autoreconf -fv --install

@ -308,6 +310,10 @@ fi
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote

 %changelog
+* Fri Apr 11 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-7
+- ausearch-checkpoint race condition fix
+  Resolves: RHEL-86897
+
 * Wed Apr 02 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.5-6
 - Update end of event detection mechanism
  Resolves: RHEL-78323
--- a/ausearch-checkpoint-race.patch
+++ b/ausearch-checkpoint-race.patch
@ -0,0 +1,35 @@
+diff --git a/src/ausearch.c b/src/ausearch.c
+index 3bf95b5a..cf77ba14 100644
+--- a/src/ausearch.c
+++ b/src/ausearch.c
+@@ -464,6 +464,17 @@ static int process_log_fd(void)
+ 		if ((ret != 0)||(entries->cnt == 0))
+ 			break;
+ 
+		/*
+		 * If we are checkpointing, decide if we output this event.
+		 * We need to do it as early as here. The chkpt_input_levent event
+		 * might not match the entries, so we need to ensure that we don't
+		 * skip the event that is the checkpoint event. That is the marking point
+		 * from which we start outputting events. Leaving that event out will produce
+		 * empty results.
+		 */
+		if (checkpt_filename)
+			do_output = chkpt_output_decision(&entries->e);
+
+ 		/*
+  		 * We flush all events on the last log file being processed.
+  		 * Thus incomplete events are 'carried forward' to be
+@@ -471,12 +482,6 @@ static int process_log_fd(void)
+  		 * in the next file we are about to process.
+  		 */
+ 		if (match(entries)) {
+-			/*
+-			 * If we are checkpointing, decide if we output
+-			 * this event
+-			 */
+-			if (checkpt_filename)
+-				do_output = chkpt_output_decision(&entries->e);
+ 
+ 			if (do_output == 1) {
+ 				found = 1;