From 13fc541c8da5084d65e60c67115b3e75506742d4 Mon Sep 17 00:00:00 2001
From: markeryang
Date: Tue, 18 Jun 2024 07:50:14 +0000
Subject: [PATCH] backport patches from upstream

---
 audit.spec | 11 +-
 ...ndings-to-switch-from-PyEval_CallObj.patch | 30 ++++
 backport-Cleanup-shell-script-warnings.patch | 107 +++++++++++++
 ...of-event-detection-to-a-common-funct.patch | 143 ++++++++++++++++++
 backport-Fix-deprecated-python-function.patch | 31 ++++
 ...ckpoint-issue-to-ensure-all-complete.patch | 114 ++++++++++++++
 ...avoid-UB-on-sequence-wrap-around-347.patch | 42 +++++
 7 files changed, 477 insertions(+), 1 deletion(-)
 create mode 100644 backport-Change-python-bindings-to-switch-from-PyEval_CallObj.patch
 create mode 100644 backport-Cleanup-shell-script-warnings.patch
 create mode 100644 backport-Consolidate-end-of-event-detection-to-a-common-funct.patch
 create mode 100644 backport-Fix-deprecated-python-function.patch
 create mode 100644 backport-Issue343-Fix-checkpoint-issue-to-ensure-all-complete.patch
 create mode 100644 backport-lib-avoid-UB-on-sequence-wrap-around-347.patch

diff --git a/audit.spec b/audit.spec
index f61bd57..3809d58 100644
--- a/audit.spec
+++ b/audit.spec
@@ -4,7 +4,7 @@ Summary: User space tools for kernel auditing
 Name: audit
 Epoch: 1
 Version: 3.0
-Release: 10
+Release: 11
 License: GPLv2+ and LGPLv2+
 URL: https://people.redhat.com/sgrubb/audit/
 Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@@ -45,6 +45,12 @@ Patch31: backport-asprintf-can-return-a-negative-number.patch
 Patch32: backport-Cleanup-gssapi-code.patch
 Patch33: backport-Fix-another-krb5-memory-leak.patch
 Patch34: backport-Try-to-interpret-OPENAT2-fields-correctly.patch
+Patch35: backport-Consolidate-end-of-event-detection-to-a-common-funct.patch
+Patch36: backport-Issue343-Fix-checkpoint-issue-to-ensure-all-complete.patch
+Patch37: backport-lib-avoid-UB-on-sequence-wrap-around-347.patch
+Patch38: backport-Fix-deprecated-python-function.patch
+Patch39: backport-Change-python-bindings-to-switch-from-PyEval_CallObj.patch
+Patch40: backport-Cleanup-shell-script-warnings.patch
 
 BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29
 BuildRequires: openldap-devel krb5-devel libcap-ng-devel
@@ -397,6 +403,9 @@ fi
 %attr(644,root,root) %{_mandir}/man8/*.8.gz
 
 %changelog
+* Tue Jun 18 2024 yanglongkang - 1:3.0-11
+- backport patches from upstream
+
 * Thu Mar 23 2023 dongyuzhen - 1:3.0-10
 - backport patches from upstream
 
diff --git a/backport-Change-python-bindings-to-switch-from-PyEval_CallObj.patch b/backport-Change-python-bindings-to-switch-from-PyEval_CallObj.patch
new file mode 100644
index 0000000..28337bf
--- /dev/null
+++ b/backport-Change-python-bindings-to-switch-from-PyEval_CallObj.patch
@@ -0,0 +1,30 @@
+From cd7599210fe398360ddb81c0c2453a085d408089 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Mon, 19 Feb 2024 10:50:42 -0500
+Subject: [PATCH] Change python bindings to switch from PyEval_CallObject on
+ 3.12 and later to silence warning
+
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/cd7599210fe398360ddb81c0c2453a085d408089
+Conflict:NA
+
+---
+ bindings/python/auparse_python.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bindings/python/auparse_python.c b/bindings/python/auparse_python.c
+index bdcf816..f7b5f56 100644
+--- a/bindings/python/auparse_python.c
++++ b/bindings/python/auparse_python.c
+@@ -291,7 +291,7 @@ static void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_ty
+ PyObject *result;
+
+ arglist = Py_BuildValue("OiO", cb->py_AuParser, cb_event_type, cb->user_data);
+-#if PY_MINOR_VERSION >= 13
++#if PY_MINOR_VERSION >= 12
+ result = PyObject_CallObject(cb->func, arglist);
+ #else
+ result = PyEval_CallObject(cb->func, arglist);
+--
+2.43.0
+
diff --git a/backport-Cleanup-shell-script-warnings.patch b/backport-Cleanup-shell-script-warnings.patch
new file mode 100644
index 0000000..5fbb69b
--- /dev/null
+++ b/backport-Cleanup-shell-script-warnings.patch
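Review bot: The guard `#if PY_MINOR_VERSION >= 12` in the auparse_python.c hunk tests only the minor number and ignores `PY_MAJOR_VERSION`, so it encodes "3.12 and later" only by accident of the current major version; CPython provides `PY_VERSION_HEX` for exactly this comparison, and `#if PY_VERSION_HEX >= 0x030C0000` states the intent unambiguously. The same minor-only test is introduced further down by the backport-Fix-deprecated-python-function.patch hunk (there with `>= 13`), which this patch then adjusts, so the backport series should carry the corrected guard in whichever of the two is kept. The `#else` branch keeps `PyEval_CallObject` for older interpreters, which is the point of the change and fine. auparse_callback begins and ends outside the hunk.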
@@ -0,0 +1,107 @@
+From 79c1212ff38254a961c27d8eb10bc766e412ffe9 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Fri, 23 Feb 2024 12:26:05 -0500
+Subject: [PATCH] Cleanup shell script warnings
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/79c1212ff38254a961c27d8eb10bc766e412ffe9
+Conflict:init.d/augenrules, init.d/auditd.state
+
+---
+ init.d/auditd.reload | 2 +-
+ init.d/auditd.resume | 2 +-
+ init.d/auditd.rotate | 2 +-
+ init.d/auditd.state | 4 ++--
+ init.d/auditd.stop | 2 +-
+ init.d/augenrules | 2 +-
+ 6 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/init.d/auditd.reload b/init.d/auditd.reload
+index 9c30295..2ea8f7e 100644
+--- a/init.d/auditd.reload
++++ b/init.d/auditd.reload
+@@ -3,7 +3,7 @@
+ # directly supported by systemd
+
+ # Check that we are root ... so non-root users stop here
+-test $(id -u) = 0 || exit 4
++test "$(id -u)" = "0" || exit 4
+
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+diff --git a/init.d/auditd.resume b/init.d/auditd.resume
+index f1d2157..23219bc 100644
+--- a/init.d/auditd.resume
++++ b/init.d/auditd.resume
+@@ -3,7 +3,7 @@
+ # directly supported by systemd
+
+ # Check that we are root ... so non-root users stop here
+-test $(id -u) = 0 || exit 4
++test "$(id -u)" = "0" || exit 4
+
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+diff --git a/init.d/auditd.rotate b/init.d/auditd.rotate
+index 2b13cf7..0764ac0 100644
+--- a/init.d/auditd.rotate
++++ b/init.d/auditd.rotate
+@@ -3,7 +3,7 @@
+ # directly supported by systemd
+
+ # Check that we are root ... so non-root users stop here
+-test $(id -u) = 0 || exit 4
++test "$(id -u)" = "0" || exit 4
+
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+diff --git a/init.d/auditd.state b/init.d/auditd.state
+index c7e291e..c93df8b 100644
+--- a/init.d/auditd.state
++++ b/init.d/auditd.state
+@@ -3,7 +3,7 @@
+ # directly supported by systemd
+
+ # Check that we are root ... so non-root users stop here
+-test $(id -u) = 0 || exit 4
++test "$(id -u)" = "0" || exit 4
+
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+@@ -15,7 +15,7 @@ killproc $prog -CONT
+ RETVAL=$?
+ echo -e "\n"
+ sleep 1
+-if [ $? -eq 0 ] ; then
++if [ $RETVAL -eq 0 ] ; then
+ if [ -e $state_file ] ; then
+ cat $state_file
+ fi
+diff --git a/init.d/auditd.stop b/init.d/auditd.stop
+index 7c74723..b61c54f 100644
+--- a/init.d/auditd.stop
++++ b/init.d/auditd.stop
+@@ -3,7 +3,7 @@
+ # directly supported by systemd
+
+ # Check that we are root ... so non-root users stop here
+-test $(id -u) = 0 || exit 4
++test "$(id -u)" = "0" || exit 4
+
+ PATH=/sbin:/bin:/usr/bin:/usr/sbin
+ prog="auditd"
+diff --git a/init.d/augenrules b/init.d/augenrules
+index d482d2e..7a512bf 100644
+--- a/init.d/augenrules
++++ b/init.d/augenrules
+@@ -35,7 +35,7 @@ RETVAL=0
+ usage="Usage: $0 [--check|--load]"
+
+ # Delete the interim file on faults
+-trap 'rm -f ${TmpRules}; exit 1' 1 2 3 13 15
++trap 'rm -f ${TmpRules}; exit 1' HUP INT QUIT PIPE TERM
+
+ try_load() {
+ if [ $LoadRules -eq 1 ] ; then
+--
+2.43.0
+
diff --git a/backport-Consolidate-end-of-event-detection-to-a-common-funct.patch b/backport-Consolidate-end-of-event-detection-to-a-common-funct.patch
new file mode 100644
index 0000000..58c9871
--- /dev/null
+++ b/backport-Consolidate-end-of-event-detection-to-a-common-funct.patch
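Review bot: The rewritten `trap 'rm -f ${TmpRules}; exit 1' HUP INT QUIT PIPE TERM` line in the augenrules hunk still expands `${TmpRules}` unquoted, so the very class of warning this cleanup targets survives in the one line it touches; `trap 'rm -f "${TmpRules}"; exit 1' HUP INT QUIT PIPE TERM` closes it without changing behaviour for the usual temp-file path. In the auditd.state hunk the switch from `$?` to `$RETVAL` is the real fix (the `sleep 1` status was being tested instead of killproc's), and is worth a one-line comment such as `# $RETVAL is killproc's status; $? here would be sleep's`, since the old line looked plausible. The neighbouring context lines `[ -e $state_file ]` and `cat $state_file` remain unquoted; they are not part of this change but would fit the same pass.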
@@ -0,0 +1,143 @@
+From 6dabe8de1c502b4bcd0ad945f6d7636d5aeb9fed Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Sat, 26 Aug 2023 08:52:25 -0400
+Subject: [PATCH] Consolidate end of event detection to a common function
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/6dabe8de1c502b4bcd0ad945f6d7636d5aeb9fed
+Conflict:ChangeLog
+
+---
+ auparse/auparse.c | 9 +--------
+ common/Makefile.am | 2 +-
+ common/common.c | 43 +++++++++++++++++++++++++++++++++++++++++++
+ common/common.h | 3 ++-
+ src/ausearch-lol.c | 9 ++-------
+ 5 files changed, 49 insertions(+), 17 deletions(-)
+ create mode 100644 common/common.c
+
+diff --git a/auparse/auparse.c b/auparse/auparse.c
+index e3c7531..7da4e93 100644
+--- a/auparse/auparse.c
++++ b/auparse/auparse.c
+@@ -291,14 +291,7 @@ static void au_check_events(auparse_state_t *au, time_t sec)
+ if (cur->l->e.sec + 2 <= sec) {
+ cur->status = EBS_COMPLETE;
+ au->au_ready++;
+- } else if ( // FIXME: Check this v remains true
+- r->type == AUDIT_PROCTITLE ||
+- r->type == AUDIT_EOE ||
+- r->type < AUDIT_FIRST_EVENT ||
+- r->type >= AUDIT_FIRST_ANOM_MSG ||
+- r->type == AUDIT_KERNEL ||
+- (r->type >= AUDIT_MAC_UNLBL_ALLOW &&
+- r->type <= AUDIT_MAC_CALIPSO_DEL)) {
++ } else if (audit_is_last_record(r->type)) {
+ // If known to be 1 record event, we are done
+ cur->status = EBS_COMPLETE;
+ au->au_ready++;
+diff --git a/common/Makefile.am b/common/Makefile.am
+index 8b9aacb..fb78c35 100644
+--- a/common/Makefile.am
++++ b/common/Makefile.am
+@@ -25,6 +25,6 @@ AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib
+
+ noinst_HEADERS = common.h
+ libaucommon_la_DEPENDENCIES = ../config.h
+-libaucommon_la_SOURCES = audit-fgets.c strsplit.c
++libaucommon_la_SOURCES = audit-fgets.c strsplit.c common.c
+ noinst_LTLIBRARIES = libaucommon.la
+
+diff --git a/common/common.c b/common/common.c
+new file mode 100644
+index 0000000..cbfa46c
+--- /dev/null
++++ b/common/common.c
+@@ -0,0 +1,43 @@
++/* common.c --
++ * Copyright 2023 Red Hat Inc.
++ * All Rights Reserved.
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, write to the Free Software
++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++ *
++ * Authors:
++ * Steve Grubb
++ */
++
++#include "libaudit.h"
++#include "common.h"
++
++/*
++ * This function returns 1 if it is the last record in an event.
++ * It returns 0 otherwise.
++ */
++int audit_is_last_record(int type)
++{
++ if (type == AUDIT_PROCTITLE ||
++ type == AUDIT_EOE ||
++ type < AUDIT_FIRST_EVENT ||
++ type >= AUDIT_FIRST_ANOM_MSG ||
++ type == AUDIT_KERNEL ||
++ (type >= AUDIT_MAC_UNLBL_ALLOW &&
++ type <= AUDIT_MAC_CALIPSO_DEL)) {
++ return 1;
++ }
++ return 0;
++}
++
+diff --git a/common/common.h b/common/common.h
+index 011be46..148c47c 100644
+--- a/common/common.h
++++ b/common/common.h
+@@ -1,5 +1,5 @@
+ /* audit-fgets.h -- a replacement for glibc's fgets
+- * Copyright 2018 Red Hat Inc., Durham, North Carolina.
++ * Copyright 2018-23 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+@@ -33,6 +33,7 @@ int audit_fgets(char *buf, size_t blen, int fd);
+
+ char *audit_strsplit_r(char *s, char **savedpp);
+ char *audit_strsplit(char *s);
++int audit_is_last_record(int type);
+
+ AUDIT_HIDDEN_END
+ #endif
+diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
+index e709456..bda601b 100644
+--- a/src/ausearch-lol.c
++++ b/src/ausearch-lol.c
+@@ -246,16 +246,11 @@ static void check_events(lol *lo, time_t sec)
+ if (cur->l->e.sec + 2 <= sec) {
+ cur->status = L_COMPLETE;
+ ready++;
+- } else if (cur->l->e.type == AUDIT_PROCTITLE ||
+- cur->l->e.type < AUDIT_FIRST_EVENT ||
+- cur->l->e.type >= AUDIT_FIRST_ANOM_MSG ||
+- cur->l->e.type == AUDIT_KERNEL ||
+- (cur->l->e.type >= AUDIT_MAC_UNLBL_ALLOW &&
+- cur->l->e.type <= AUDIT_MAC_CALIPSO_DEL)) {
++ } else if (audit_is_last_record(cur->l->e.type)) {
+ // If known to be 1 record event, we are done
+ cur->status = L_COMPLETE;
+ ready++;
+- }
++ }
+ }
+ }
+ }
+--
+2.43.0
+
diff --git a/backport-Fix-deprecated-python-function.patch b/backport-Fix-deprecated-python-function.patch
new file mode 100644
index 0000000..e482bcb
--- /dev/null
+++ b/backport-Fix-deprecated-python-function.patch
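Review bot: The consolidation quietly changes ausearch's behaviour: the condition removed in the ausearch-lol.c hunk did not test `AUDIT_EOE`, while `audit_is_last_record()` in the new common.c does, so ausearch now closes an event on an EOE record exactly as auparse already did. That is probably the intended unification, but the subject line only says "consolidate"; a sentence in the common.c function comment such as `/* Note: this also treats AUDIT_EOE as a terminator, which ausearch did not before */` would spare the next reader a bisect. The `// FIXME: Check this v remains true` marker deleted from auparse.c is dropped rather than resolved; if the type list is still unverified, carry the FIXME into the header comment of audit_is_last_record() so it is not lost. The common.h hunk also leaves that file's header reading `audit-fgets.h -- a replacement for glibc's fgets` while the file now declares a second, unrelated helper.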
@@ -0,0 +1,31 @@
+From c344a8a370afed66e78db88c2d129f6672dae1e6 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Tue, 24 Oct 2023 11:51:04 -0400
+Subject: [PATCH] Fix deprecated python function
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/c344a8a370afed66e78db88c2d129f6672dae1e6
+Conflict:NA
+
+---
+ bindings/python/auparse_python.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bindings/python/auparse_python.c b/bindings/python/auparse_python.c
+index 1ba59cf..bdcf816 100644
+--- a/bindings/python/auparse_python.c
++++ b/bindings/python/auparse_python.c
+@@ -291,7 +291,11 @@ static void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_ty
+ PyObject *result;
+
+ arglist = Py_BuildValue("OiO", cb->py_AuParser, cb_event_type, cb->user_data);
++#if PY_MINOR_VERSION >= 13
++ result = PyObject_CallObject(cb->func, arglist);
++#else
+ result = PyEval_CallObject(cb->func, arglist);
++#endif
+ Py_DECREF(arglist);
+ Py_XDECREF(result);
+ }
+--
+2.43.0
+
diff --git a/backport-Issue343-Fix-checkpoint-issue-to-ensure-all-complete.patch b/backport-Issue343-Fix-checkpoint-issue-to-ensure-all-complete.patch
new file mode 100644
index 0000000..da0623d
--- /dev/null
+++ b/backport-Issue343-Fix-checkpoint-issue-to-ensure-all-complete.patch
@@ -0,0 +1,114 @@
+From 139c61a9007600c93702947179d7836be1bc8403 Mon Sep 17 00:00:00 2001
+From: burnalting
+Date: Thu, 11 Jan 2024 08:22:32 +1100
+Subject: [PATCH] Issue343: Fix checkpoint issue to ensure all complete events
+ are gained (#345)
+
+Co-authored-by: Burn Alting
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/139c61a9007600c93702947179d7836be1bc8403
+Conflict:NA
+
+---
+ src/ausearch-lol.c | 33 +++++++++++++++++++++++++++++++++
+ src/ausearch-lol.h | 1 +
+ src/ausearch.c | 12 +++++++-----
+ 3 files changed, 41 insertions(+), 5 deletions(-)
+
+diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
+index bda601b..60fd490 100644
+--- a/src/ausearch-lol.c
++++ b/src/ausearch-lol.c
+@@ -255,6 +255,32 @@ static void check_events(lol *lo, time_t sec)
+ }
+ }
+
++// This function will check events to see if they are complete but not compare against a given time
++static void check_events_without_time(lol *lo)
++{
++ int i;
++
++ for(i=0;i<=lo->maxi; i++) {
++ lolnode *cur = &lo->array[i];
++ if (cur->status == L_BUILDING) {
++ /* We now iterate over the event's records but without affecting the node's current
++ * pointer (cur->l->cur). That is, we don't call the list-* routines
++ * We could jump to the last record in the list which is normally a PROCTITLE, but this
++ * may not be guaranteed, so we check all record types
++ */
++ lnode *ln = cur->l->head;
++ while (ln) {
++ if (audit_is_last_record(ln->type)) {
++ cur->status = L_COMPLETE;
++ ready++;
++ break;
++ }
++ ln = ln->next;
++ }
++ }
++ }
++}
++
+ // This function adds a new record to an existing linked list
+ // or creates a new one if its a new event
+ int lol_add_record(lol *lo, char *buff)
+@@ -354,6 +380,13 @@ void terminate_all_events(lol *lo)
+ }
+ }
+
++// This function will mark all events as complete if it can.
++void complete_all_events(lol *lo)
++{
++
++ check_events_without_time(lo);
++}
++
+/* Search the list for any event that is ready to go. The caller
+ * takes custody of the memory */
+ llist* get_ready_event(lol *lo)
+diff --git a/src/ausearch-lol.h b/src/ausearch-lol.h
+index 2b574ac..70111f4 100644
+--- a/src/ausearch-lol.h
++++ b/src/ausearch-lol.h
+@@ -49,6 +49,7 @@ void lol_create(lol *lo);
+ void lol_clear(lol *lo);
+ int lol_add_record(lol *lo, char *buff);
+ void terminate_all_events(lol *lo);
++void complete_all_events(lol *lo);
+ llist* get_ready_event(lol *lo);
+
+ #endif
+diff --git a/src/ausearch.c b/src/ausearch.c
+index 97752f1..6f08465 100644
+--- a/src/ausearch.c
++++ b/src/ausearch.c
+@@ -580,19 +580,21 @@ static int get_record(llist **l)
+ * If we get an EINTR error or we are at EOF, we check
+ * to see if we have any events to print and return
+ * appropriately. If we are the last file being
+- * processed, we mark all incomplete events as
+- * complete so they will be printed.
++ * processed, and we are not checkpointing, we mark all incomplete
++ * events as complete so they will be printed. If we are checkpointing
++ * we do an exhaustive validation to see if there are complete events still
+ */
+ if ((ferror_unlocked(log_fd) &&
+ errno == EINTR) || feof_unlocked(log_fd)) {
+ /*
+- * Only mark all events as L_COMPLETE if we are
++ * Only attempt to mark all events as L_COMPLETE if we are
+ * the last file being processed.
+- * We DO NOT do this if we are checkpointing.
+ */
+ if (files_to_process == 0) {
+ if (!checkpt_filename)
+- terminate_all_events(&lo);
++ terminate_all_events(&lo); // terminate as we are not checkpointing
++ else
++ complete_all_events(&lo); // exhaustively check if we can complete events
+ }
+ *l = get_ready_event(&lo);
+ if (*l)
+--
+2.43.0
+
diff --git a/backport-lib-avoid-UB-on-sequence-wrap-around-347.patch b/backport-lib-avoid-UB-on-sequence-wrap-around-347.patch
new file mode 100644
index 0000000..ededd12
--- /dev/null
+++ b/backport-lib-avoid-UB-on-sequence-wrap-around-347.patch
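Review bot: `check_events_without_time()` in the ausearch-lol.c hunk marks an event L_COMPLETE as soon as any record walked from `cur->l->head` satisfies audit_is_last_record(), so if a terminating-type record can ever be followed by more records of the same event, the event is completed early and the trailing records presumably end up in a fresh node; the comment above the loop admits the tail position is not guaranteed, so that trade-off should be stated rather than implied, e.g. `/* Any record of a terminating type completes the event, even if it is not the last one in the list */`. `complete_all_events()` is a one-line wrapper with a stray blank line at the top of its body; dropping that line and moving the purpose comment onto the wrapper (`// At EOF while checkpointing: complete events without consulting the timestamp`) reads better. The two trailing `//` comments added in the ausearch.c hunk push those lines well past the width the surrounding code keeps to; placing them on their own line above the calls would match the file's style. check_events() and get_record() both begin outside their hunks.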
@@ -0,0 +1,42 @@
+From f5c35d7d5e064af5ad31d22f900d148d932ad9b1 Mon Sep 17 00:00:00 2001
+From: cgzones
+Date: Mon, 15 Jan 2024 21:44:04 +0100
+Subject: [PATCH] lib: avoid UB on sequence wrap-around (#347)
+
+Signed integer overflow is undefined, allowing compilers to optimize the
+condition `++sequence < 0` away.
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/f5c35d7d5e064af5ad31d22f900d148d932ad9b1
+Conflict:NA
+
+---
+ lib/netlink.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/netlink.c b/lib/netlink.c
+index ed730e9..98b57c9 100644
+--- a/lib/netlink.c
++++ b/lib/netlink.c
+@@ -26,6 +26,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include "libaudit.h"
+@@ -222,8 +223,10 @@ int __audit_send(int fd, int type, const void *data, unsigned int size, int *seq
+ return -errno;
+ }
+
+- if (++sequence < 0)
++ if (sequence == INT_MAX)
+ sequence = 1;
++ else
++ sequence++;
+ *seq = sequence;
+
+ memset(&req, 0, sizeof(req));
+--
+2.43.0
+
--
Gitee
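Review bot: The new `if (sequence == INT_MAX) sequence = 1; else sequence++;` in the __audit_send hunk is only a complete fix if `sequence` is declared as plain `int`; its declaration is outside the hunk, and for a wider or unsigned type the INT_MAX comparison would never fire and the original hazard (or a silent wrap through 0) would return, so a comment at the increment is warranted, e.g. `/* sequence is int: wrap to 1 before INT_MAX so the increment never overflows; 0 is avoided as a sequence number */`. The choice of 1 rather than 0 as the wrap target is inherited from the removed line but is not explained anywhere in the hunk, which the same comment would settle. The added `#include` line in the first hunk has lost its header name in this rendering (presumably `<limits.h>`, which supplies INT_MAX), so it is worth confirming the backport applied with the header intact.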