diff --git a/audit.spec b/audit.spec
index 53adcdee6cc7984899153d94c296668a526ced2f..86634ab8dca25fd58ac2d8f4f780ae16f7d916d9 100644
--- a/audit.spec
+++ b/audit.spec
@@ -2,7 +2,7 @@ Summary: User space tools for kernel auditing
 Name: audit
 Epoch: 1
 Version: 3.0.1
-Release: 14
+Release: 15
 License: GPLv2+ and LGPLv2+
 URL: https://people.redhat.com/sgrubb/audit/
 Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@@ -60,6 +60,11 @@ Patch48: backport-Avoid-file-descriptor-leaks-in-multi-threaded-applic.p
 Patch49: backport-fix-the-use-of-isdigit-everywhere.patch
 Patch50: backport-Fix-new-warnings-for-unused-results.patch
 Patch51: backport-Change-the-first-iteration-test-so-static-analysis-b.patch
+Patch52: backport-Consolidate-end-of-event-detection-to-a-common-funct.patch
+Patch53: backport-Issue343-Fix-checkpoint-issue-to-ensure-all-complete.patch
+Patch54: backport-lib-avoid-UB-on-sequence-wrap-around-347.patch
+Patch55: backport-Change-python-bindings-to-switch-from-PyEval_CallObj.patch
+Patch56: backport-Cleanup-shell-script-warnings.patch
 BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29
 BuildRequires: openldap-devel krb5-devel libcap-ng-devel
@@ -395,6 +400,9 @@ fi
 %attr(644,root,root) %{_mandir}/man8/*.8.gz
 %changelog
+* Tue Mar 19 2024 xuraoqing - 1:3.0.1-15
+- backport patches from upstream
+
 * Fri Feb 2 2024 fangxiuning - 1:3.0.1-14
 - backport patches from upstream
diff --git a/backport-Change-python-bindings-to-switch-from-PyEval_CallObj.patch b/backport-Change-python-bindings-to-switch-from-PyEval_CallObj.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5799adbab8899cdc67e971a86c024da66f61e784
--- /dev/null
+++ b/backport-Change-python-bindings-to-switch-from-PyEval_CallObj.patch
@@ -0,0 +1,29 @@
+From cd7599210fe398360ddb81c0c2453a085d408089 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Mon, 19 Feb 2024 10:50:42 -0500
+Subject: [PATCH] Change python bindings to switch from PyEval_CallObject on
+ 3.12 and later to silence warning
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/cd7599210fe398360ddb81c0c2453a085d408089
+Conflict:NA
+
+---
+ bindings/python/auparse_python.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bindings/python/auparse_python.c b/bindings/python/auparse_python.c
+index 99d37cca..9ab919b3 100644
+--- a/bindings/python/auparse_python.c
++++ b/bindings/python/auparse_python.c
+@@ -290,7 +290,7 @@ static void auparse_callback(auparse_state_t *au,
+ if (debug) printf("<< auparse_callback\n");
+ arglist = Py_BuildValue("OiO", cb->py_AuParser, cb_event_type,
+ cb->user_data);
+-#if PY_MINOR_VERSION >= 13
++#if PY_MINOR_VERSION >= 12
+ result = PyObject_CallObject(cb->func, arglist);
+ #else
+ result = PyEval_CallObject(cb->func, arglist);
+-- 
+2.33.0
+
diff --git a/backport-Cleanup-shell-script-warnings.patch b/backport-Cleanup-shell-script-warnings.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9f1fe2492ac80f4c97e5115a124dcf0e53b2a56d
--- /dev/null
+++ b/backport-Cleanup-shell-script-warnings.patch
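Review bot: The new guard `#if PY_MINOR_VERSION >= 12` in auparse_python.c tests only the minor number, so it ignores PY_MAJOR_VERSION entirely and would pick the wrong call on any future major version whose minor number happens to be below 12; comparing the full version, `#if PY_VERSION_HEX >= 0x030C0000`, expresses the intent directly. As far as I know `PyObject_CallObject` is available throughout Python 3, so the conditional could probably be dropped altogether once the bindings' minimum supported version is confirmed. The enclosing `auparse_callback` starts and ends outside the hunk.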
@@ -0,0 +1,107 @@
+From 79c1212ff38254a961c27d8eb10bc766e412ffe9 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Fri, 23 Feb 2024 12:26:05 -0500
+Subject: [PATCH] Cleanup shell script warnings
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/79c1212ff38254a961c27d8eb10bc766e412ffe9
+Conflict:init.d/augenrules,init.d/auditd.state
+
+---
+ init.d/auditd.reload | 2 +-
+ init.d/auditd.resume | 2 +-
+ init.d/auditd.rotate | 2 +-
+ init.d/auditd.state | 4 ++--
+ init.d/auditd.stop | 2 +-
+ init.d/augenrules | 2 +-
+ 6 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/init.d/auditd.reload b/init.d/auditd.reload
+index 9c30295..2ea8f7e 100644
+--- a/init.d/auditd.reload
++++ b/init.d/auditd.reload
+@@ -3,7 +3,7 @@
+ # directly supported by systemd
+ 
+ # Check that we are root ... so non-root users stop here
+-test $(id -u) = 0 || exit 4
++test "$(id -u)" = "0" || exit 4
+ 
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+diff --git a/init.d/auditd.resume b/init.d/auditd.resume
+index f1d2157..23219bc 100644
+--- a/init.d/auditd.resume
++++ b/init.d/auditd.resume
+@@ -3,7 +3,7 @@
+ # directly supported by systemd
+ 
+ # Check that we are root ... so non-root users stop here
+-test $(id -u) = 0 || exit 4
++test "$(id -u)" = "0" || exit 4
+ 
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+diff --git a/init.d/auditd.rotate b/init.d/auditd.rotate
+index 2b13cf7..0764ac0 100644
+--- a/init.d/auditd.rotate
++++ b/init.d/auditd.rotate
+@@ -3,7 +3,7 @@
+ # directly supported by systemd
+ 
+ # Check that we are root ... so non-root users stop here
+-test $(id -u) = 0 || exit 4
++test "$(id -u)" = "0" || exit 4
+ 
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+diff --git a/init.d/auditd.state b/init.d/auditd.state
+index c7e291e..c93df8b 100644
+--- a/init.d/auditd.state
++++ b/init.d/auditd.state
+@@ -3,7 +3,7 @@
+ # directly supported by systemd
+ 
+ # Check that we are root ... 
so non-root users stop here
+-test $(id -u) = 0 || exit 4
++test "$(id -u)" = "0" || exit 4
+ 
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+@@ -15,7 +15,7 @@ killproc $prog -CONT
+ RETVAL=$?
+ echo -e "\n"
+ sleep 1
+-if [ $? -eq 0 ] ; then
++if [ $RETVAL -eq 0 ] ; then
+ if [ -e $state_file ] ; then
+ cat $state_file
+ fi
+diff --git a/init.d/auditd.stop b/init.d/auditd.stop
+index ed8207b..08db366 100644
+--- a/init.d/auditd.stop
++++ b/init.d/auditd.stop
+@@ -3,7 +3,7 @@
+ # directly supported by systemd
+ 
+ # Check that we are root ... so non-root users stop here
+-test $(id -u) = 0 || exit 4
++test "$(id -u)" = "0" || exit 4
+ 
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+diff --git a/init.d/augenrules b/init.d/augenrules
+index d482d2e..7a512bf 100644
+--- a/init.d/augenrules
++++ b/init.d/augenrules
+@@ -35,7 +35,7 @@ RETVAL=0
+ usage="Usage: $0 [--check|--load]"
+ 
+ # Delete the interim file on faults
+-trap 'rm -f ${TmpRules}; exit 1' 1 2 3 13 15
++trap 'rm -f ${TmpRules}; exit 1' HUP INT QUIT PIPE TERM
+ 
+ try_load() {
+ if [ $LoadRules -eq 1 ] ; then
+-- 
+2.33.0
+
diff --git a/backport-Consolidate-end-of-event-detection-to-a-common-funct.patch b/backport-Consolidate-end-of-event-detection-to-a-common-funct.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6ee981b00088f370e0edde5fd205e43846cfaa5e
--- /dev/null
+++ b/backport-Consolidate-end-of-event-detection-to-a-common-funct.patch
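Review bot: The auditd.state hunk corrects the `$?`-after-`sleep` bug with `$RETVAL`, but the two context lines directly beneath it, `if [ -e $state_file ] ; then` and `cat $state_file`, leave `$state_file` unquoted, which is the same class of warning this commit is cleaning up; `if [ -e "$state_file" ] ; then` and `cat "$state_file"` would finish the job. The same applies to `${TmpRules}` inside the augenrules `trap` string (`rm -f "${TmpRules}"`), where an unquoted path with whitespace would be split into several arguments when the trap fires. The surrounding script bodies continue outside their hunks.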
@@ -0,0 +1,143 @@
+From 6dabe8de1c502b4bcd0ad945f6d7636d5aeb9fed Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Sat, 26 Aug 2023 08:52:25 -0400
+Subject: [PATCH] Consolidate end of event detection to a common function
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/6dabe8de1c502b4bcd0ad945f6d7636d5aeb9fed
+Conflict:ChangeLog,auparse/auparse.c,common/common.h
+
+---
+ auparse/auparse.c | 9 +--------
+ common/Makefile.am | 2 +-
+ common/common.c | 43 +++++++++++++++++++++++++++++++++++++++++++
+ common/common.h | 3 ++-
+ src/ausearch-lol.c | 9 ++-------
+ 5 files changed, 49 insertions(+), 17 deletions(-)
+ create mode 100644 common/common.c
+
+diff --git a/auparse/auparse.c b/auparse/auparse.c
+index 474e536..afc6741 100644
+--- a/auparse/auparse.c
++++ b/auparse/auparse.c
+@@ -293,14 +293,7 @@ static void au_check_events(auparse_state_t *au, time_t sec)
+ if (cur->l->e.sec + eoe_timeout <= sec) {
+ cur->status = EBS_COMPLETE;
+ au->au_ready++;
+- } else if ( // FIXME: Check this v remains true
+- r->type == AUDIT_PROCTITLE ||
+- r->type == AUDIT_EOE ||
+- r->type < AUDIT_FIRST_EVENT ||
+- r->type >= AUDIT_FIRST_ANOM_MSG ||
+- r->type == AUDIT_KERNEL ||
+- (r->type >= AUDIT_MAC_UNLBL_ALLOW &&
+- r->type <= AUDIT_MAC_CALIPSO_DEL)) {
++ } else if (audit_is_last_record(r->type)) {
+ // If known to be 1 record event, we are done
+ cur->status = EBS_COMPLETE;
+ au->au_ready++;
+diff --git a/common/Makefile.am b/common/Makefile.am
+index 8b9aacb..fb78c35 100644
+--- a/common/Makefile.am
++++ b/common/Makefile.am
+@@ -25,6 +25,6 @@ AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib
+ 
+ noinst_HEADERS = common.h
+ libaucommon_la_DEPENDENCIES = ../config.h
+-libaucommon_la_SOURCES = audit-fgets.c strsplit.c
++libaucommon_la_SOURCES = audit-fgets.c strsplit.c common.c
+ noinst_LTLIBRARIES = libaucommon.la
+ 
+diff --git a/common/common.c b/common/common.c
+new file mode 100644
+index 0000000..cbfa46c
+--- /dev/null
++++ 
b/common/common.c
+@@ -0,0 +1,43 @@
++/* common.c --
++ * Copyright 2023 Red Hat Inc.
++ * All Rights Reserved.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the Free Software
++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++ *
++ * Authors:
++ * Steve Grubb
++ */
++
++#include "libaudit.h"
++#include "common.h"
++
++/*
++ * This function returns 1 if it is the last record in an event.
++ * It returns 0 otherwise.
++ */
++int audit_is_last_record(int type)
++{
++ if (type == AUDIT_PROCTITLE ||
++ type == AUDIT_EOE ||
++ type < AUDIT_FIRST_EVENT ||
++ type >= AUDIT_FIRST_ANOM_MSG ||
++ type == AUDIT_KERNEL ||
++ (type >= AUDIT_MAC_UNLBL_ALLOW &&
++ type <= AUDIT_MAC_CALIPSO_DEL)) {
++ return 1;
++ }
++ return 0;
++}
++
+diff --git a/common/common.h b/common/common.h
+index 011be46..b706784 100644
+--- a/common/common.h
++++ b/common/common.h
+@@ -1,5 +1,5 @@
+ /* audit-fgets.h -- a replacement for glibc's fgets
+- * Copyright 2018 Red Hat Inc., Durham, North Carolina.
++ * Copyright 2018-23 Red Hat Inc.
+ * All Rights Reserved. 
+ *
+ * This library is free software; you can redistribute it and/or
+@@ -33,6 +33,7 @@ int audit_fgets(char *buf, size_t blen, int fd);
+ 
+ char *audit_strsplit_r(char *s, char **savedpp);
+ char *audit_strsplit(char *s);
++int audit_is_last_record(int type);
+ 
+ AUDIT_HIDDEN_END
+ #endif
+diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
+index 6d378cc..b09228f 100644
+--- a/src/ausearch-lol.c
++++ b/src/ausearch-lol.c
+@@ -250,16 +250,11 @@ static void check_events(lol *lo, time_t sec)
+ if (cur->l->e.sec + eoe_timeout <= sec) {
+ cur->status = L_COMPLETE;
+ ready++;
+- } else if (cur->l->e.type == AUDIT_PROCTITLE ||
+- cur->l->e.type < AUDIT_FIRST_EVENT ||
+- cur->l->e.type >= AUDIT_FIRST_ANOM_MSG ||
+- cur->l->e.type == AUDIT_KERNEL ||
+- (cur->l->e.type >= AUDIT_MAC_UNLBL_ALLOW &&
+- cur->l->e.type <= AUDIT_MAC_CALIPSO_DEL)) {
++ } else if (audit_is_last_record(cur->l->e.type)) {
+ // If known to be 1 record event, we are done
+ cur->status = L_COMPLETE;
+ ready++;
+- }
++ }
+ }
+ }
+ }
+-- 
+2.33.0
+
diff --git a/backport-Issue343-Fix-checkpoint-issue-to-ensure-all-complete.patch b/backport-Issue343-Fix-checkpoint-issue-to-ensure-all-complete.patch
new file mode 100644
index 0000000000000000000000000000000000000000..34a368d848ab94837f9c3081b4c72416af7740a1
--- /dev/null
+++ b/backport-Issue343-Fix-checkpoint-issue-to-ensure-all-complete.patch
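Review bot: The new `audit_is_last_record()` in common.c carries `AUDIT_EOE` over from the auparse.c condition, but the ausearch-lol.c condition it replaces never tested `AUDIT_EOE`, so `check_events()` now completes an event on an EOE record where it did not before; that looks like the intended unification, but neither the commit message nor the call site says so, and a one-line comment there (`// now also completes on AUDIT_EOE, matching auparse`) would make the behaviour change deliberate. The doc comment on `audit_is_last_record()` only restates the return values; it should say why each class terminates an event (PROCTITLE as the conventional final record, and types below AUDIT_FIRST_EVENT, at or above AUDIT_FIRST_ANOM_MSG, AUDIT_KERNEL and the MAC range as known single-record events, per the "If known to be 1 record event" comment at both call sites), since the removed `FIXME: Check this v remains true` was the only trace of that reasoning. Separately, common.h still opens with `/* audit-fgets.h -- a replacement for glibc's fgets` although the hunk touches that header only to update the copyright; with `audit_is_last_record` now declared there, `/* common.h -- shared helpers for the audit tools` would be accurate.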
@@ -0,0 +1,114 @@
+From 139c61a9007600c93702947179d7836be1bc8403 Mon Sep 17 00:00:00 2001
+From: burnalting
+Date: Thu, 11 Jan 2024 08:22:32 +1100
+Subject: [PATCH] Issue343: Fix checkpoint issue to ensure all complete events
+ are gained (#345)
+
+Co-authored-by: Burn Alting
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/139c61a9007600c93702947179d7836be1bc8403
+Conflict:NA
+
+---
+ src/ausearch-lol.c | 33 +++++++++++++++++++++++++++++++++
+ src/ausearch-lol.h | 1 +
+ src/ausearch.c | 12 +++++++-----
+ 3 files changed, 41 insertions(+), 5 deletions(-)
+
+diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
+index f22f358..dc91034 100644
+--- a/src/ausearch-lol.c
++++ b/src/ausearch-lol.c
+@@ -283,6 +283,32 @@ static void check_events(lol *lo, time_t sec)
+ }
+ }
+ 
++// This function will check events to see if they are complete but not compare against a given time
++static void check_events_without_time(lol *lo)
++{
++ int i;
++
++ for(i=0;i<=lo->maxi; i++) {
++ lolnode *cur = &lo->array[i];
++ if (cur->status == L_BUILDING) {
++ /* We now iterate over the event's records but without affecting the node's current
++ * pointer (cur->l->cur). That is, we don't call the list-* routines
++ * We could jump to the last record in the list which is normally a PROCTITLE, but this
++ * may not be guaranteed, so we check all record types
++ */
++ lnode *ln = cur->l->head;
++ while (ln) {
++ if (audit_is_last_record(ln->type)) {
++ cur->status = L_COMPLETE;
++ ready++;
++ break;
++ }
++ ln = ln->next;
++ }
++ }
++ }
++}
++
+ // This function adds a new record to an existing linked list
+ // or creates a new one if its a new event
+ int lol_add_record(lol *lo, char *buff)
+@@ -382,6 +408,13 @@ void terminate_all_events(lol *lo)
+ }
+ }
+ 
++// This function will mark all events as complete if it can.
++void complete_all_events(lol *lo)
++{
++
++ check_events_without_time(lo);
++}
++
+ /* Search the list for any event that is ready to go. 
The caller
+ * takes custody of the memory */
+ llist* get_ready_event(lol *lo)
+diff --git a/src/ausearch-lol.h b/src/ausearch-lol.h
+index 21f2c15..bab0c81 100644
+--- a/src/ausearch-lol.h
++++ b/src/ausearch-lol.h
+@@ -49,6 +49,7 @@ void lol_create(lol *lo);
+ void lol_clear(lol *lo);
+ int lol_add_record(lol *lo, char *buff);
+ void terminate_all_events(lol *lo);
++void complete_all_events(lol *lo);
+ llist* get_ready_event(lol *lo);
+ 
+ void lol_set_eoe_timeout(time_t new_eoe_tmo);
+diff --git a/src/ausearch.c b/src/ausearch.c
+index 0091a1c..f54eda9 100644
+--- a/src/ausearch.c
++++ b/src/ausearch.c
+@@ -593,19 +593,21 @@ static int get_next_event(llist **l)
+ * If we get an EINTR error or we are at EOF, we check
+ * to see if we have any events to print and return
+ * appropriately. If we are the last file being
+- * processed, we mark all incomplete events as
+- * complete so they will be printed.
++ * processed, and we are not checkpointing, we mark all incomplete
++ * events as complete so they will be printed. If we are checkpointing
++ * we do an exhaustive validation to see if there are complete events still
+ */
+ if ((ferror_unlocked(log_fd) &&
+ errno == EINTR) || feof_unlocked(log_fd)) {
+ /*
+- * Only mark all events as L_COMPLETE if we are
++ * Only attempt to mark all events as L_COMPLETE if we are
+ * the last file being processed.
+- * We DO NOT do this if we are checkpointing.
+ */
+ if (files_to_process == 0) {
+ if (!checkpt_filename)
+- terminate_all_events(&lo);
++ terminate_all_events(&lo); // terminate as we are not checkpointing
++ else
++ complete_all_events(&lo); // exhaustively check if we can complete events
+ }
+ *l = get_ready_event(&lo);
+ if (*l)
+-- 
+2.33.0
+
diff --git a/backport-lib-avoid-UB-on-sequence-wrap-around-347.patch b/backport-lib-avoid-UB-on-sequence-wrap-around-347.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9f08b0d944cbd5d42d96f03b78804d9656c15ffe
--- /dev/null
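Review bot: `complete_all_events()` in the second ausearch-lol.c hunk is a one-line pass-through with a stray blank line after its opening brace, and its header comment ("mark all events as complete if it can") does not state the criterion, so a reader has to open `check_events_without_time()` to learn that only events already holding a record for which `audit_is_last_record()` is true are completed and everything else stays `L_BUILDING`. Suggest replacing the comment with `// Complete every building event that already contains a terminating record (see audit_is_last_record); events without one are left L_BUILDING, presumably so a checkpoint does not treat them as printed — confirm.` and dropping the blank line, or calling the static helper from ausearch.c directly. The leading comment inside `check_events_without_time()` (`// This function will check events ... against a given time`) also runs well past the column width the rest of the hunk keeps and would read better wrapped onto two lines.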
+++ b/backport-lib-avoid-UB-on-sequence-wrap-around-347.patch
@@ -0,0 +1,42 @@
+From f5c35d7d5e064af5ad31d22f900d148d932ad9b1 Mon Sep 17 00:00:00 2001
+From: cgzones
+Date: Mon, 15 Jan 2024 21:44:04 +0100
+Subject: [PATCH] lib: avoid UB on sequence wrap-around (#347)
+
+Signed integer overflow is undefined, allowing compilers to optimize the
+condition `++sequence < 0` away.
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/f5c35d7d5e064af5ad31d22f900d148d932ad9b1
+Conflict:NA
+
+---
+ lib/netlink.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/netlink.c b/lib/netlink.c
+index e643e4e..7e81ab5 100644
+--- a/lib/netlink.c
++++ b/lib/netlink.c
+@@ -26,6 +26,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include "libaudit.h"
+@@ -210,8 +211,10 @@ int __audit_send(int fd, int type, const void *data, unsigned int size, int *seq
+ return -errno;
+ }
+ 
+- if (++sequence < 0)
++ if (sequence == INT_MAX)
+ sequence = 1;
++ else
++ sequence++;
+ *seq = sequence;
+ 
+ memset(&req, 0, sizeof(req));
+-- 
+2.33.0
+
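Review bot: The new wrap-around branch in `__audit_send()` resets `sequence` to 1 rather than 0, preserving what the old `if (++sequence < 0) sequence = 1;` did, but nothing in the code says why 0 is skipped; a short comment such as `/* wrap before INT_MAX + 1 (signed overflow is UB); skip 0 on wrap, as before */` would keep a later reader from "simplifying" it to 0. The read-modify-write of the non-local `sequence` remains unguarded; if `__audit_send()` can be reached from more than one thread (an earlier patch in this series, Patch48, concerns multi-threaded applications), that is a data race this change does not address, though it is a separate issue from the overflow fix. `__audit_send()`'s body starts and ends outside the hunk.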