Rebase audit to latest upstream release

Resolves: RHEL-15001
Sergio Correia 2023-10-30 10:51:06 +00:00
parent 5a011c9219
commit d3b0c2631c
No known key found for this signature in database
GPG Key ID: D0D219ED1F7E762C
8 changed files with 14 additions and 258 deletions

.gitignore vendored

@ -1,2 +1,3 @@
SOURCES/audit-3.0.7.tar.gz SOURCES/audit-3.0.7.tar.gz
/audit-3.0.7.tar.gz /audit-3.0.7.tar.gz
/audit-3.1.2.tar.gz


@ -1,31 +0,0 @@
From becc1c297279f757835943e2cad63992134511f9 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Mon, 7 Mar 2022 13:11:09 -0300
Subject: [PATCH] auparse: fix off-by-one issue in path_norm() (#242)
When defining dest = rpath + 1, we end up having the first char of
`dest' as NULL -- since `rpath' points to `working', which is a static
buffer.
With the first char as NULL, path_norm() ends up producing an empty string.
This commit fixes the issue reported in this [1] mailing list post.
[1] https://listman.redhat.com/archives/linux-audit/2022-February/018844.html
---
auparse/interpret.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/auparse/interpret.c b/auparse/interpret.c
index c8a0d96dd..df593c44c 100644
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -895,7 +895,7 @@ static char *path_norm(const char *name)
return strdup(name);
rpath = working;
- dest = rpath + 1;
+ dest = rpath;
rpath_limit = rpath + PATH_MAX;
for (start = name; *start; start = end) {


@ -1,26 +0,0 @@
From c426507a501efde0367a09a81e917d1d10722b78 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Thu, 31 Mar 2022 15:00:57 -0300
Subject: [PATCH] Drop ProtectHome from auditd.service as it interferes with
rules
Upstream: https://github.com/linux-audit/audit-userspace/commit/12cf14ed
---
init.d/auditd.service | 1 -
1 file changed, 1 deletion(-)
diff --git a/init.d/auditd.service b/init.d/auditd.service
index e801281..0a4c498 100644
--- a/init.d/auditd.service
+++ b/init.d/auditd.service
@@ -36,7 +36,6 @@ MemoryDenyWriteExecute=true
LockPersonality=true
ProtectControlGroups=true
ProtectKernelModules=true
-ProtectHome=true
RestrictRealtime=true
[Install]
--
2.35.1


@ -1,39 +0,0 @@
diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
index 21aafca..8c48123 100644
--- a/bindings/swig/src/auditswig.i
+++ b/bindings/swig/src/auditswig.i
@@ -39,7 +39,7 @@ signed
#define __attribute(X) /*nothing*/
typedef unsigned __u32;
typedef unsigned uid_t;
-%include "/usr/include/linux/audit.h"
+%include "../lib/audit.h"
#define __extension__ /*nothing*/
%include <stdint.i>
%include "../lib/libaudit.h"
diff --git a/lib/audit.h b/lib/audit.h
index 51d7f2b..b2f306d 100644
--- a/lib/audit.h
+++ b/lib/audit.h
@@ -514,7 +514,7 @@ struct audit_rule_data {
__u32 values[AUDIT_MAX_FIELDS];
__u32 fieldflags[AUDIT_MAX_FIELDS];
__u32 buflen; /* total length of string fields */
- char buf[]; /* string fields buffer */
+ char buf[0]; /* string fields buffer */
};
#endif /* _LINUX_AUDIT_H_ */
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 08b7d22..6b7408c 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -32,7 +32,7 @@ extern "C" {
#include <stdint.h>
#include <sys/socket.h>
#include <linux/netlink.h>
-#include <linux/audit.h>
+#include "audit.h"
#include <stdarg.h>
#include <syslog.h>


@ -1,13 +0,0 @@
diff --git a/usr/include/libaudit.h b/usr/include/libaudit.h
index 6b7408c..08b7d22 100644
--- a/usr/include/libaudit.h
+++ b/usr/include/libaudit.h
@@ -32,7 +32,7 @@ extern "C" {
#include <stdint.h>
#include <sys/socket.h>
#include <linux/netlink.h>
-#include "audit.h"
+#include <linux/audit.h>
#include <stdarg.h>
#include <syslog.h>


@ -1,122 +0,0 @@
From d1aec22f62b1cd95c16b26b67a9268ed27713f84 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 7 Feb 2023 10:32:11 -0500
Subject: [PATCH] Add support for new FANOTIFY record fields
---
ChangeLog | 1 +
auparse/auparse-defs.h | 5 ++--
auparse/interpret.c | 65 +++++++++++++++++++++++++++++++++++++++++-
auparse/typetab.h | 4 +++
4 files changed, 72 insertions(+), 3 deletions(-)
diff --git a/auparse/auparse-defs.h b/auparse/auparse-defs.h
index 7c0ac76..81a85a4 100644
--- a/auparse/auparse-defs.h
+++ b/auparse/auparse-defs.h
@@ -88,7 +88,8 @@ typedef enum { AUPARSE_TYPE_UNCLASSIFIED, AUPARSE_TYPE_UID, AUPARSE_TYPE_GID,
AUPARSE_TYPE_NETACTION, AUPARSE_TYPE_MACPROTO,
AUPARSE_TYPE_IOCTL_REQ, AUPARSE_TYPE_ESCAPED_KEY,
AUPARSE_TYPE_ESCAPED_FILE, AUPARSE_TYPE_FANOTIFY,
- AUPARSE_TYPE_NLMCGRP, AUPARSE_TYPE_RESOLVE
+ AUPARSE_TYPE_NLMCGRP, AUPARSE_TYPE_RESOLVE, AUPARSE_TYPE_TRUST,
+ AUPARSE_TYPE_FAN_TYPE, AUPARSE_TYPE_FAN_INFO
} auparse_type_t;
/* This type determines what escaping if any gets applied to interpreted fields */
diff --git a/auparse/interpret.c b/auparse/interpret.c
index 373851f..f106056 100644
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -2372,6 +2372,60 @@ static const char *print_openat2_resolve(const char *val)
return strdup(buf);
}
+static const char *print_trust(const char *val)
+{
+ const char *out;
+
+ if (strcmp(val, "0") == 0)
+ out = strdup("no");
+ else if (strcmp(val, "1") == 0)
+ out = strdup("yes");
+ else
+ out = strdup("unknown");
+
+ return out;
+}
+
+// fan_type always preceeds fan_info
+static int last_type = 2;
+static const char *print_fan_type(const char *val)
+{
+ const char *out;
+
+ if (strcmp(val, "0") == 0) {
+ out = strdup("none");
+ last_type = 0;
+ } else if (strcmp(val, "1") == 0) {
+ out = strdup("rule_info");
+ last_type = 1;
+ } else {
+ out = strdup("unknown");
+ last_type = 2;
+ }
+
+ return out;
+}
+
+static const char *print_fan_info(const char *val)
+{
+ const char *out;
+ if (last_type == 1) {
+ errno = 0;
+ unsigned long info = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ } else {
+ if (asprintf(&out, "%lu", info) < 0)
+ out = NULL;
+ return out;
+ }
+ } else
+ out = strdup(val);
+ return out;
+}
+
static const char *print_a0(const char *val, const idata *id)
{
char *out;
@@ -3286,6 +3340,15 @@ unknown:
case AUPARSE_TYPE_RESOLVE:
out = print_openat2_resolve(id->val);
break;
+ case AUPARSE_TYPE_TRUST:
+ out = print_trust(id->val);
+ break;
+ case AUPARSE_TYPE_FAN_TYPE:
+ out = print_fan_type(id->val);
+ break;
+ case AUPARSE_TYPE_FAN_INFO:
+ out = print_fan_info(id->val);
+ break;
case AUPARSE_TYPE_MAC_LABEL:
case AUPARSE_TYPE_UNCLASSIFIED:
default:
diff --git a/auparse/typetab.h b/auparse/typetab.h
index 0e37d02..5c8fca8 100644
--- a/auparse/typetab.h
+++ b/auparse/typetab.h
@@ -145,3 +145,7 @@ _S(AUPARSE_TYPE_ESCAPED, "sw" )
_S(AUPARSE_TYPE_ESCAPED, "root_dir" )
_S(AUPARSE_TYPE_NLMCGRP, "nl-mcgrp" )
_S(AUPARSE_TYPE_RESOLVE, "resolve" )
+_S(AUPARSE_TYPE_TRUST, "subj_trust" )
+_S(AUPARSE_TYPE_TRUST, "obj_trust" )
+_S(AUPARSE_TYPE_FAN_TYPE, "fan_type" )
+_S(AUPARSE_TYPE_FAN_INFO, "fan_info" )
--
2.41.0


@ -2,19 +2,13 @@
Summary: User space tools for kernel auditing Summary: User space tools for kernel auditing
Name: audit Name: audit
Version: 3.0.7 Version: 3.1.2
Release: 5%{?dist} Release: 1%{?dist}
License: GPLv2+ License: GPLv2+
URL: http://people.redhat.com/sgrubb/audit/ URL: http://people.redhat.com/sgrubb/audit/
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
Patch1: audit-3.0.8-auparse-path-norm.patch
Patch2: audit-3.0.8-drop-protecthome.patch
Patch3: audit-3.1-fanotify-records.patch
Patch4: audit-3.0.8-flex-array-workaround.patch
Patch5: audit-3.0.8-undo-flex-array.patch
BuildRequires: gcc swig make BuildRequires: gcc swig make
BuildRequires: openldap-devel BuildRequires: openldap-devel
BuildRequires: krb5-devel libcap-ng-devel BuildRequires: krb5-devel libcap-ng-devel
@ -90,21 +84,13 @@ Management Facility) database, through an IBM Tivoli Directory Server
%prep %prep
%setup -q %setup -q
cp %{SOURCE1} . cp %{SOURCE1} .
#autoreconf -fv --install #autoreconf -fv --install
cp /usr/include/linux/audit.h lib/
%patch -P 1 -p1
%patch -P 2 -p1
%patch -P 3 -p1
%patch -P 4 -p1
%build %build
%configure --with-python=no \ %configure --with-python=no \
--with-python3=yes \ --with-python3=yes \
--enable-gssapi-krb5=yes --with-arm --with-aarch64 \ --enable-gssapi-krb5=yes --with-arm --with-aarch64 \
--with-libcap-ng=yes --enable-zos-remote \ --with-libcap-ng=yes --without-golang --enable-zos-remote \
--enable-systemd --enable-systemd
make CFLAGS="%{optflags}" %{?_smp_mflags} make CFLAGS="%{optflags}" %{?_smp_mflags}
@ -129,13 +115,6 @@ find $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages -name '*.a' -delete || t
touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
# undo the workaround
cur=`pwd`
cd $RPM_BUILD_ROOT
patch -p1 < %{PATCH5}
find . -name '*.orig' -delete
cd $cur
%check %check
make check make check
# Get rid of make files so that they don't get packaged. # Get rid of make files so that they don't get packaged.
@ -243,12 +222,15 @@ fi
%config(noreplace) %attr(640,root,root) /etc/audit/audisp-remote.conf %config(noreplace) %attr(640,root,root) /etc/audit/audisp-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-remote.conf %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/syslog.conf %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/syslog.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
%attr(750,root,root) %{_sbindir}/audisp-remote %attr(750,root,root) %{_sbindir}/audisp-remote
%attr(750,root,root) %{_sbindir}/audisp-syslog %attr(750,root,root) %{_sbindir}/audisp-syslog
%attr(750,root,root) %{_sbindir}/audisp-af_unix
%attr(700,root,root) %dir %{_var}/spool/audit %attr(700,root,root) %dir %{_var}/spool/audit
%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz %attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz %attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
%files -n audispd-plugins-zos %files -n audispd-plugins-zos
%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz %attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
@ -258,11 +240,15 @@ fi
%attr(750,root,root) %{_sbindir}/audispd-zos-remote %attr(750,root,root) %{_sbindir}/audispd-zos-remote
%changelog %changelog
* Sat Oct 21 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1
- Rebase audit to latest upstream release
Resolves: RHEL-15001
* Thu Jun 22 2023 Radovan Sroka <rsroka@redhat.com> - 3.0.7-5 * Thu Jun 22 2023 Radovan Sroka <rsroka@redhat.com> - 3.0.7-5
- Introduce new fanotify record fields - Introduce new fanotify record fields
Resolves: rhbz#2216668 Resolves: rhbz#2216668
- invalid use of flexible array member - invalid use of flexible array member
Resolves: rhbz#2116867 Resolves: rhbz#2116867
* Mon May 02 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-4 * Mon May 02 2022 Sergio Correia <scorreia@redhat.com> - 3.0.7-4
- Drop ProtectHome from auditd.service as it interferes with rules - Drop ProtectHome from auditd.service as it interferes with rules


@ -1 +1 @@
SHA512 (audit-3.0.7.tar.gz) = b5662b32082fc2ac54e247aa0db5442d76afa30134ebba1d624a17004e9ccf6856bb75344af4ce9d9a0a66c03e1c6f18b7d45658d7df13ea71af0c8362e08d70 SHA512 (audit-3.1.2.tar.gz) = a97003a294ed3671df01e2952688e7d5eef59a35f6891feb53e67c4c7eab9ae8c2d18de41a5b5b20e0ad7156fac93aec05f32f6bc5eea706b42b6f27f676446a