Accepting request 964942 from home:ematsumiya:branches:security

- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)
  * add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
- Fix hang in audisp-remote with disk_low_action=suspend (bsc#1196517)
  * add audisp-remote-fix-hang-with-disk_low_action-suspend-.patch

OBS-URL: https://build.opensuse.org/request/show/964942
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=136
This commit is contained in:
Enzo Matsumiya 2022-03-25 20:12:53 +00:00 committed by Git OBS Bridge
parent 8c6f875550
commit affdcc0b01
4 changed files with 105 additions and 0 deletions


@ -0,0 +1,31 @@
From b6c474b22f6e76969221138d0d9ec8d97cb217ee Mon Sep 17 00:00:00 2001
From: Enzo Matsumiya <ematsumiya@suse.com>
Date: Thu, 24 Mar 2022 23:38:24 -0300
Subject: [PATCH] audisp-remote: fix hang with disk_low_action=suspend (#254)
If auditd.conf has disk_low_action=suspend and the partition where the
log is triggers the disk_low_action, audisp-remote will hang in
infinite loop.
Fixes: 10dde069d1ac ("Dont look for stop on exit while draining the queue")
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
---
audisp/plugins/remote/audisp-remote.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
index b7e610e8ca32..3be91b3d5190 100644
--- a/audisp/plugins/remote/audisp-remote.c
+++ b/audisp/plugins/remote/audisp-remote.c
@@ -619,7 +619,7 @@ int main(int argc, char *argv[])
// If stdin is a pipe, then flush the queue
if (is_pipe(0)) {
- while (q_queue_length(queue) && transport_ok)
+ while (q_queue_length(queue) && !suspend && transport_ok)
send_one(queue);
}
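Review bot: the added `!suspend` condition makes the stdin drain loop stop as soon as suspend is set, so whatever is still in `queue` at that point is never handed to send_one() before main() returns; the commit message should state whether those events are expected to be lost or are persisted elsewhere, and if they are simply dropped, logging once when the loop exits with a non-empty queue would make that visible to operators. Since the hunk only shows `suspend` being read here, please also confirm it is declared with the right qualifier (volatile sig_atomic_t) if it is written from a signal handler.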
--
2.35.1


@ -1,3 +1,11 @@
-------------------------------------------------------------------
Fri Mar 25 04:56:19 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.com>
- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)
* add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
- Fix hang in audisp-remote with disk_low_action=suspend (bsc#1196517)
* add audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
-------------------------------------------------------------------
Wed Mar 23 16:37:06 UTC 2022 - Dirk Müller <dmueller@suse.com>


@ -42,6 +42,8 @@ Patch9: fix-hardened-service.patch
Patch10: enable-stop-rules.patch
Patch11: create-augenrules-service.patch
Patch12: audit-userspace-517-compat.patch
Patch13: audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
Patch14: libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
BuildRequires: audit-devel = %{version}
BuildRequires: autoconf >= 2.12
BuildRequires: gcc-c++
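Review bot: Patch13 and Patch14 are declared here but the hunk shows no matching %patch13/%patch14 lines in %prep; if the spec applies patches with %autosetup -p1 nothing more is needed, otherwise the two new patch files would ship in the source RPM without ever being applied, so please confirm the %prep section in the same change.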


@ -0,0 +1,64 @@
From 614edbe52180698c5b447ff4c3e7031ff0721683 Mon Sep 17 00:00:00 2001
From: Enzo Matsumiya <ematsumiya@suse.com>
Date: Thu, 24 Mar 2022 23:36:53 -0300
Subject: [PATCH] libaudit: fix unhandled ECONNREFUSED from getpwnam() (#255)
From: Luis Galdos <luis.galdos@suse.com>
In some very specific scenarios with LDAP + network issues,
getpwnam() and getgrnam() might return ECONNREFUSED.
Up in the call chain to audit_name_to_uid()/audit_name_to_gid(),
ECONNREFUSED will be handled as kernel auditd is not running,
showing "The audit system is disabled" and stopping parsing rules.
This patch manually sets errno to ENOENT after those affected calls, in
case they fail, so rule parsing can continue cleanly.
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
---
lib/libaudit.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 54e276156ef0..41303c244aee 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1830,9 +1830,17 @@ static int audit_name_to_uid(const char *name, uid_t *uid)
{
struct passwd *pw;
+ errno = 0;
pw = getpwnam(name);
- if (pw == NULL)
+ if (pw == NULL) {
+ /* getpwnam() might return ECONNREFUSED in some very
+ * specific cases when using LDAP.
+ * Manually set it to ENOENT so callers don't get confused
+ * with netlink's ECONNREFUSED */
+ if (errno == ECONNREFUSED)
+ errno = ENOENT;
return 1;
+ }
memset(pw->pw_passwd, ' ', strlen(pw->pw_passwd));
*uid = pw->pw_uid;
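Review bot: the errno rewrite in the `pw == NULL` branch only catches ECONNREFUSED, so any other transport error an NSS backend can report (a timeout, for instance) still reaches audit_name_to_uid()'s callers unchanged; either normalise every non-zero errno that does not mean "lookup ran and found nothing" to ENOENT, or document in the comment that ECONNREFUSED is the only value known to collide with the netlink check. The new `errno = 0;` before getpwnam() is needed because the call leaves errno untouched when the name simply does not exist, so a stale value would otherwise be misread; a short note on that, and naming the caller that performs the netlink check, would make the comment block self-explanatory.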
@@ -1843,9 +1851,14 @@ static int audit_name_to_gid(const char *name, gid_t *gid)
{
struct group *gr;
+ errno = 0;
gr = getgrnam(name);
- if (gr == NULL)
+ if (gr == NULL) {
+ /* See above for explanation. */
+ if (errno == ECONNREFUSED)
+ errno = ENOENT;
return 1;
+ }
*gid = gr->gr_gid;
return 0;
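Review bot: the ECONNREFUSED-to-ENOENT handling is now duplicated verbatim between audit_name_to_uid() and audit_name_to_gid(), and the `/* See above for explanation. */` comment will go stale if the two functions are ever moved apart; a small static helper that normalises errno after a NULL result, called from both `if (pw == NULL)` and `if (gr == NULL)`, would keep the two paths in sync and give the explanation one home.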
--
2.35.1