From 81577c904bb6e9dc305ba33907d6cd48bfb45809 Mon Sep 17 00:00:00 2001 From: wjiang Date: Wed, 11 Dec 2024 10:49:46 +0800 Subject: [PATCH] backport patches to fix bug --- audit.spec | 6 ++- ...rmat-Fix-display-of-renamed-file-411.patch | 48 +++++++++++++++++++ 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 backport-ausearch-format-Fix-display-of-renamed-file-411.patch diff --git a/audit.spec b/audit.spec index c084880..66ff151 100644 --- a/audit.spec +++ b/audit.spec @@ -2,7 +2,7 @@ Summary: User space tools for kernel auditing Name: audit Epoch: 1 Version: 3.0.1 -Release: 17 +Release: 18 License: GPLv2+ and LGPLv2+ URL: https://people.redhat.com/sgrubb/audit/ Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz @@ -80,6 +80,7 @@ Patch68: backport-Cleanup-code-in-LRU.patch Patch69: backport-Fix-memory-leaks.patch Patch70: backport-fix-one-more-leak.patch Patch71: backport-Correct-output-when-displaying-rules-with-exe-path-d.patch +Patch72: backport-ausearch-format-Fix-display-of-renamed-file-411.patch BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29 BuildRequires: openldap-devel krb5-devel libcap-ng-devel @@ -415,6 +416,9 @@ fi %attr(644,root,root) %{_mandir}/man8/*.8.gz %changelog +* Wed Dec 11 2024 wangjiang - 1:3.0.1-18 +- backport patches to fix bug + * Fri Aug 30 2024 xuraoqing - 1:3.0.1-17 - backport patches from upstream diff --git a/backport-ausearch-format-Fix-display-of-renamed-file-411.patch b/backport-ausearch-format-Fix-display-of-renamed-file-411.patch new file mode 100644 index 0000000..e7d2cfd --- /dev/null +++ b/backport-ausearch-format-Fix-display-of-renamed-file-411.patch 
@@ -0,0 +1,48 @@ +From 7cdcfd30c6122acc6b2e54e1ad8cd1a12dd537d2 Mon Sep 17 00:00:00 2001 +From: Attila Lakatos +Date: Mon, 21 Oct 2024 04:25:37 +0200 +Subject: [PATCH] ausearch format: Fix display of renamed file (#411) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In some cases, ausearch was not correctly showing +the new name of a renamed file when searching for +audit events. If the target file didn’t exist prior +to the rename, ausearch was unable to parse the new +file name. This occurred because ausearch attempted +to retrieve this information from the 7th record, +which is absent when the target file does not exist. +--- + auparse/normalize.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/auparse/normalize.c b/auparse/normalize.c +index 036c0b86..f1a07d18 100644 +--- a/auparse/normalize.c ++++ b/auparse/normalize.c +@@ -693,7 +693,20 @@ static int normalize_syscall(auparse_state_t *au, const char *syscall) + case NORM_FILE_RENAME: + act = "renamed"; + D.thing.what = NORM_WHAT_FILE; // this gets overridden +- set_prime_object2(au, "name", 4); ++ /* A sucessfull syscall from the rename family will provide ++ * the following items: ++ * 0 - new dir, in which the file will be located ++ * 1 - old dir, in which the file was located ++ * 2 - old name, the name of the original file ++ * if the file was already present in the new dir: ++ * 3 - removal of the new file ++ * 4 - creation of the new file ++ * otherwise: ++ * 3 - creation of the new file ++ */ ++ ++ // The 3rd record will always contain the name of the new file ++ set_prime_object2(au, "name", 3); + set_file_object(au, 2); // Thing renamed is 2 after + simple_file_attr(au); + break; +-- +2.33.0 + -- Gitee
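Review bot: The %changelog entry added in audit.spec reads only "backport patches to fix bug", which tells a reader of the package history nothing about what changed in 1:3.0.1-18. Suggest naming the fix so it matches the Patch72 file name, for example "backport ausearch format: Fix display of renamed file (#411)", and using the same wording for the commit subject. The entry is also signed "wangjiang" while the From line shows "wjiang"; worth confirming which name is intended.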
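Review bot: In the NORM_FILE_RENAME case of normalize_syscall() in auparse/normalize.c, the new comment "The 3rd record will always contain the name of the new file" does not line up with the call set_prime_object2(au, "name", 3): in the 0-based list directly above it, item 3 is the fourth entry, and when the target already exists it is the "removal of the new file" entry rather than the creation entry. Suggest rewording the comment to say that item 3 refers to the new file in both cases (the removal entry when the target exists, the creation entry otherwise), and fixing the "sucessfull" typo while there. The commit message speaks of the "7th record" whereas the removed line used index 4, so a sentence relating the record count to these item indexes would make the change easier to verify. Since this alters what ausearch reports for rename events, a regression test covering both the existing-target and missing-target rename would be worth carrying with the backport.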