Sync from SUSE:SLFO:Main audit revision ffd72b38aef75051423272adc56880c1

2024-08-30 15:41:46 +02:00 · 2024-08-30 15:41:46 +02:00 · 214403da86
commit 214403da86
parent c08b6413a2
11 changed files with 147 additions and 29 deletions
--- a/4
+++ b/4
@ -0,0 +1,4 @@
+<multibuild>
+  <package>audit-secondary</package>
+</multibuild>
+
--- a/audit-3.0.9.tar.gz
+++ b/audit-3.0.9.tar.gz
--- a/audit-3.1.1.tar.gz
+++ b/audit-3.1.1.tar.gz
--- a/audit-ausearch-do-not-require-tclass.patch
+++ b/audit-ausearch-do-not-require-tclass.patch
@ -9,11 +9,11 @@ Signed-off-by: Tony Jones <tonyj@suse.de>
 src/ausearch-parse.c |   18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

-Index: audit-3.0.9/src/ausearch-parse.c
+Index: audit-3.1.1/src/ausearch-parse.c
 ===================================================================
--- audit-3.0.9.orig/src/ausearch-parse.c
-+++ audit-3.0.9/src/ausearch-parse.c
-@@ -2062,17 +2062,15 @@ other_avc:
+--- audit-3.1.1.orig/src/ausearch-parse.c
+++ audit-3.1.1/src/ausearch-parse.c
+@@ -2075,17 +2075,15 @@ other_avc:
 
 	// Now get the class...its at the end, so we do things different
 	str = strstr(term, "tclass=");
--- a/audit-secondary.changes
+++ b/audit-secondary.changes
@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Mon Aug  5 08:50:50 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
+
+- Remove rcaudit symlink [jsc#PED-266]
+
+-------------------------------------------------------------------
+Mon Jul  3 08:34:22 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 3.1.1:
+  * Add user friendly keywords for signals to auditctl
+  * In ausearch, parse up URINGOP and DM_CTRL records
+  * Harden auparse to better handle corrupt logs
+  * Fix a CFLAGS propogation problem in the common directory
+  * Move the audispd af_unix plugin to a standalone program 
+
+-------------------------------------------------------------------
+Thu May  4 12:58:06 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
+
+- Add _multibuild to define additional spec files as additional
+  flavors.
+  Eliminates the need for source package links in OBS.
+
+-------------------------------------------------------------------
+Mon Feb 20 14:13:06 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 3.1:
+  * Disable ProtectControlGroups in auditd.service by default
+  * Fix rule checking for exclude filter
+  * Make audit_rule_syscallbyname_data work correctly outside of auditctl
+  * Add new record types
+  * Add io_uring support
+  * Add support for new FANOTIFY record fields
+  * Add keyword, this-hour, to ausearch/report start/end options
+  * Add Requires.private to audit.pc file
+  * Try to interpret OPENAT2 fields correctly
+
 -------------------------------------------------------------------
 Tue Dec 27 10:21:56 UTC 2022 - Ludwig Nussel <lnussel@suse.com>

--- a/audit-secondary.spec
+++ b/audit-secondary.spec
@ -1,7 +1,7 @@
 #
 # spec file for package audit-secondary
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define 	_name audit
 Name:           audit-secondary
-Version:        3.0.9
+Version:        3.1.1
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@ -206,8 +206,10 @@ for prog in auditctl auditd ausearch autrace aureport augenrules; do
 done
 %endif
 #END-USR-MERGE
+%if 0%{?suse_version} < 1550
 # rcauditd symlink
 ln -s service %{buildroot}%{_sbindir}/rcauditd
+%endif
 chmod 0644 %{buildroot}%{_unitdir}/auditd.service
 chmod 0644 %{buildroot}%{_unitdir}/augenrules.service

@ -258,6 +260,7 @@ fi
 %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
 %attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
 %attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
+%attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
 %if 0%{?suse_version} < 1550
 /sbin/auditctl
 /sbin/auditd
@ -276,6 +279,7 @@ fi
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
 %attr(755,root,root) %{_sbindir}/aureport
+%attr(755,root,root) %{_sbindir}/audisp-af_unix
 %attr(755,root,root) %{_bindir}/auvirt
 %dir %attr(750,root,root) %{_sysconfdir}/audit
 %attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
@ -292,7 +296,9 @@ fi
 %dir %attr(700,root,root) %{_localstatedir}/spool/audit
 %{_unitdir}/auditd.service
 %{_unitdir}/augenrules.service
+%if 0%{?suse_version} < 1550
 %{_sbindir}/rcauditd
+%endif
 %{_datadir}/audit/

 %files -n system-group-audit
--- a/audit.changes
+++ b/audit.changes
@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Mon Jul  3 08:33:52 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 3.1.1:
+  * Add user friendly keywords for signals to auditctl
+  * In ausearch, parse up URINGOP and DM_CTRL records
+  * Harden auparse to better handle corrupt logs
+  * Fix a CFLAGS propogation problem in the common directory
+  * Move the audispd af_unix plugin to a standalone program
+
+-------------------------------------------------------------------
+Thu May  4 12:58:06 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
+
+- Add _multibuild to define additional spec files as additional
+  flavors.
+  Eliminates the need for source package links in OBS.
+
+-------------------------------------------------------------------
+Mon Mar 20 14:53:26 UTC 2023 - Giuliano Belinassi <giuliano.belinassi@suse.com>
+
+- Enable livepatching on main library on x86_64.
+
+-------------------------------------------------------------------
+Mon Feb 20 14:12:55 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 3.1:
+  * Disable ProtectControlGroups in auditd.service by default
+  * Fix rule checking for exclude filter
+  * Make audit_rule_syscallbyname_data work correctly outside of auditctl
+  * Add new record types
+  * Add io_uring support
+  * Add support for new FANOTIFY record fields
+  * Add keyword, this-hour, to ausearch/report start/end options
+  * Add Requires.private to audit.pc file
+  * Try to interpret OPENAT2 fields correctly
+
 -------------------------------------------------------------------
 Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.de>

--- a/audit.spec
+++ b/audit.spec
@ -1,7 +1,7 @@
 #
 # spec file for package audit
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -16,8 +16,14 @@
 #


+%ifarch x86_64
+%bcond_without livepatching
+%else
+%bcond_with livepatching
+%endif
+
 Name:           audit
-Version:        3.0.9
+Version:        3.1.1
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@ -79,6 +85,9 @@ libraries.
 %build
 autoreconf -fi
 export CFLAGS="%{optflags} -fno-strict-aliasing"
+%if %{with livepatching}
+export CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
+%endif
 export CXXFLAGS="$CFLAGS"
 export LDFLAGS="-Wl,-z,relro,-z,now"
 # no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
@ -102,6 +111,33 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %make_build -C auparse
 %make_build -C docs

+%if %{with livepatching}
+# Workaround bsc#1208721: remove _patchable_function_entry from static libs.
+find . -name "*.a" -exec \
+       objcopy --remove-section "__patchable_function_entries" {} \;
+
+%define tar_basename audit-livepatch-%{version}-%{release}
+%define tar_package_name %{tar_basename}.%{_arch}.tar.xz
+%define clones_dest_dir %{tar_basename}/%{_arch}
+
+# Ipa-clones are files generated by gcc which logs changes made across
+# functions, and we need to know such changes to build livepatches
+# correctly. These files are intended to be used by the livepatch
+# developers and may be retrieved by using `osc getbinaries`.
+#
+# Create ipa-clones destination folder and move clones there.
+mkdir -p ipa-clones/%{clones_dest_dir}
+find . -name "*.ipa-clones" ! -empty \
+       -exec cp -t ipa-clones/%{clones_dest_dir} --parents {} +
+
+# Create tarball with ipa-clones.
+tar -cJf %{tar_package_name} -C ipa-clones \
+    --owner root --group root --sort name %{tar_basename}
+
+# Copy tarball to the OTHER folder to store it as artifact.
+cp %{tar_package_name} %{_topdir}/OTHER
+%endif
+
 %install
 %make_install -C common
 %make_install -C lib
--- a/create-augenrules-service.patch
+++ b/create-augenrules-service.patch
@ -1,7 +1,7 @@
-Index: audit-3.0.9/init.d/augenrules.service
+Index: audit-3.1.1/init.d/augenrules.service
 ===================================================================
 --- /dev/null
-+++ audit-3.0.9/init.d/augenrules.service
+++ audit-3.1.1/init.d/augenrules.service
@@ -0,0 +1,29 @@
 +[Unit]
 +Description=auditd rules generation
@ -32,10 +32,10 @@ Index: audit-3.0.9/init.d/augenrules.service
 +ProtectKernelTunables=true
 +ProtectKernelLogs=true
 +ReadWritePaths=/etc/audit
-Index: audit-3.0.9/init.d/auditd.service
+Index: audit-3.1.1/init.d/auditd.service
 ===================================================================
--- audit-3.0.9.orig/init.d/auditd.service
-+++ audit-3.0.9/init.d/auditd.service
+--- audit-3.1.1.orig/init.d/auditd.service
+++ audit-3.1.1/init.d/auditd.service
@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0
 ConditionKernelCommandLine=!audit=off
 
@ -57,7 +57,7 @@ Index: audit-3.0.9/init.d/auditd.service
 #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
 # By default we clear the rules on exit. To disable this, comment
 # the next line after copying the file to /etc/systemd/system/auditd.service
-@@ -46,7 +47,6 @@ ProtectClock=true
+@@ -47,7 +48,6 @@ ProtectClock=true
 ProtectKernelTunables=true
 ProtectKernelLogs=true
 # end of automatic additions 
@ -65,10 +65,10 @@ Index: audit-3.0.9/init.d/auditd.service
 
 [Install]
 WantedBy=multi-user.target
-Index: audit-3.0.9/init.d/Makefile.am
+Index: audit-3.1.1/init.d/Makefile.am
 ===================================================================
--- audit-3.0.9.orig/init.d/Makefile.am
-+++ audit-3.0.9/init.d/Makefile.am
+--- audit-3.1.1.orig/init.d/Makefile.am
+++ audit-3.1.1/init.d/Makefile.am
@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service
 	auditd.cron libaudit.conf auditd.condrestart \
 	auditd.reload auditd.restart auditd.resume \
--- a/fix-hardened-service.patch
+++ b/fix-hardened-service.patch
@ -12,11 +12,11 @@ Also remove PrivateDevices=true so /dev/* are exposed to auditd.

 Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>

-Index: audit-3.0.9/init.d/auditd.service
+Index: audit-3.1.1/init.d/auditd.service
 ===================================================================
--- audit-3.0.9.orig/init.d/auditd.service
-+++ audit-3.0.9/init.d/auditd.service
-@@ -41,12 +41,12 @@ RestrictRealtime=true
+--- audit-3.1.1.orig/init.d/auditd.service
+++ audit-3.1.1/init.d/auditd.service
+@@ -42,12 +42,12 @@ RestrictRealtime=true
 # added automatically, for details please see
 # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 ProtectSystem=full
--- a/harden_auditd.service.patch
+++ b/harden_auditd.service.patch
@ -1,9 +1,9 @@
-Index: audit-3.0.9/init.d/auditd.service
+Index: audit-3.1.1/init.d/auditd.service
 ===================================================================
--- audit-3.0.9.orig/init.d/auditd.service
-+++ audit-3.0.9/init.d/auditd.service
-@@ -38,6 +38,15 @@ LockPersonality=true
- ProtectControlGroups=true
+--- audit-3.1.1.orig/init.d/auditd.service
+++ audit-3.1.1/init.d/auditd.service
+@@ -39,6 +39,15 @@ LockPersonality=true
+ #ProtectControlGroups=true
 ProtectKernelModules=true
 RestrictRealtime=true
 +# added automatically, for details please see