Accepting request 1066163 from security

Replace transitional %usrmerged macro

OBS-URL: https://build.opensuse.org/request/show/1066163
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=103

audisp-remote-fix-hang-with-disk_low_action-suspend-.patch

@@ -1,31 +0,0 @@
-From b6c474b22f6e76969221138d0d9ec8d97cb217ee Mon Sep 17 00:00:00 2001
-From: Enzo Matsumiya <ematsumiya@suse.com>
-Date: Thu, 24 Mar 2022 23:38:24 -0300
-Subject: [PATCH] audisp-remote: fix hang with disk_low_action=suspend (#254)
-
-If auditd.conf has disk_low_action=suspend and the partition where the
-log is triggers the disk_low_action, audisp-remote will hang in
-infinite loop.
-
-Fixes: 10dde069d1ac ("Dont look for stop on exit while draining the queue")
-Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
----
- audisp/plugins/remote/audisp-remote.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
-index b7e610e8ca32..3be91b3d5190 100644
---- a/audisp/plugins/remote/audisp-remote.c
-+++ b/audisp/plugins/remote/audisp-remote.c
-@@ -619,7 +619,7 @@ int main(int argc, char *argv[])
- 
- 	// If stdin is a pipe, then flush the queue
- 	if (is_pipe(0)) {
--		while (q_queue_length(queue) && transport_ok)
-+		while (q_queue_length(queue) && !suspend && transport_ok)
- 			send_one(queue);
- 	}
- 
--- 
-2.35.1
-

audit-3.0.6.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c3e44d77513a42401d417dd0ceb203cf23886cb89402dea7b9494faa3f4fcc5e
-size 1190011

audit-allow-manual-stop.patch

@@ -11,13 +11,15 @@ SUSE since we lack the ability to use a custom stop/restart
  init.d/auditd.service |    1 -
  1 file changed, 1 deletion(-)
 
---- a/init.d/auditd.service
-+++ b/init.d/auditd.service
-@@ -11,7 +11,6 @@
+Index: audit-3.0.9/init.d/auditd.service
+===================================================================
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -11,7 +11,6 @@ After=local-fs.target systemd-tmpfiles-s
  Before=sysinit.target shutdown.target
  ##Before=shutdown.target
  Conflicts=shutdown.target
 -RefuseManualStop=yes
  ConditionKernelCommandLine=!audit=0
- Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
+ ConditionKernelCommandLine=!audit=off
  

audit-ausearch-do-not-require-tclass.patch

@@ -9,9 +9,11 @@ Signed-off-by: Tony Jones <tonyj@suse.de>
  src/ausearch-parse.c |   18 ++++++++----------
  1 file changed, 8 insertions(+), 10 deletions(-)
 
---- a/src/ausearch-parse.c
-+++ b/src/ausearch-parse.c
-@@ -2061,17 +2061,15 @@ other_avc:
+Index: audit-3.0.9/src/ausearch-parse.c
+===================================================================
+--- audit-3.0.9.orig/src/ausearch-parse.c
++++ audit-3.0.9/src/ausearch-parse.c
+@@ -2062,17 +2062,15 @@ other_avc:
  
  	// Now get the class...its at the end, so we do things different
  	str = strstr(term, "tclass=");

audit-no-gss.patch

@@ -9,8 +9,10 @@ but need manual removal here.
  init.d/auditd.conf |    3 ---
  1 file changed, 3 deletions(-)
 
---- a/init.d/auditd.conf
-+++ b/init.d/auditd.conf
+Index: audit-3.0.9/init.d/auditd.conf
+===================================================================
+--- audit-3.0.9.orig/init.d/auditd.conf
++++ audit-3.0.9/init.d/auditd.conf
 @@ -30,8 +30,6 @@ tcp_max_per_addr = 1
  ##tcp_client_ports = 1024-65535
  tcp_client_max_idle = 0
@@ -18,5 +20,5 @@ but need manual removal here.
 -krb5_principal = auditd
 -##krb5_key_file = /etc/audit/audit.key
  distribute_network = no
- q_depth = 1200
+ q_depth = 2000
  overflow_action = SYSLOG

audit-secondary.changes

@@ -1,3 +1,46 @@
+-------------------------------------------------------------------
+Tue Dec 27 10:21:56 UTC 2022 - Ludwig Nussel <lnussel@suse.com>
+
+- Replace transitional %usrmerged macro with regular version check (boo#1206798)
+
+-------------------------------------------------------------------
+Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.de>
+
+- Enable build for ARM (32-bit)
+- Update to version 3.0.9:
+  * In auditd, release the async flush lock on stop
+  * Don't allow auditd to log directly into /var/log when log_group is non-zero
+  * Cleanup krb5 memory leaks on error paths
+  * Update auditd.cron to use auditctl --signal
+  * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
+  * In auparse, special case kernel module name interpretation
+  * If overflow_action is ignore, don't treat as an error
+  (3.0.8)
+  * Add gcc function attributes for access and allocation
+  * Add some more man pages (MIZUTA Takeshi)
+  * In auditd, change the reinitializing of the plugin queue
+  * Fix path normalization in auparse (Sergio Correia)
+  * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
+  * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
+  * Drop ProtectHome from auditd.service as it interferes with rules
+  (3.0.7)
+  * Add support for the OPENAT2 record type (Richard Guy Briggs)
+  * In auditd, close the logging file descriptor when logging is suspended
+  * Update the capabilities lookup table to match 5.16 kernel
+  * Improve interpretation of renamat & faccessat family of syscalls
+  * Update syscall table for the 5.16 kernel
+  * Reduce dependency from initscripts to initscripts-service
+- Refresh patches (context adjusment):
+  * audit-allow-manual-stop.patch
+  * audit-ausearch-do-not-require-tclass.patch
+  * audit-no-gss.patch
+  * enable-stop-rules.patch
+  * fix-hardened-service.patch
+  * harden_auditd.service.patch
+- Remove patches (fixed by version update):
+  * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
+  * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
+
 -------------------------------------------------------------------
 Mon Apr 11 20:44:34 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
 

audit-secondary.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package audit-secondary
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define 	_name audit
 Name:           audit-secondary
-Version:        3.0.6
+Version:        3.0.9
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -42,8 +42,6 @@ Patch9:         fix-hardened-service.patch
 Patch10:        enable-stop-rules.patch
 Patch11:        create-augenrules-service.patch
 Patch12:        audit-userspace-517-compat.patch
-Patch13:        audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
-Patch14:        libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  kernel-headers >= 2.6.30
@@ -146,6 +144,9 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %configure \
 %ifarch aarch64
 	--with-aarch64 \
+%endif
+%ifarch arm
+	--with-arm \
 %endif
 	--enable-systemd \
 	--libexecdir=%{_libexecdir}/%{_name} \
@@ -198,7 +199,7 @@ rm -f %{buildroot}/%{_mandir}/man5/libaudit.conf.5
 rm -rf %{buildroot}/%{_mandir}/man3
 # Cleanup plugins
 #USR-MERGE
-%if !0%{?usrmerged}
+%if 0%{?suse_version} < 1550
 mkdir %{buildroot}/sbin/
 for prog in auditctl auditd ausearch autrace aureport augenrules; do
   ln -s %{_sbindir}/$prog %{buildroot}/sbin/$prog
@@ -257,7 +258,7 @@ fi
 %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
 %attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
 %attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
-%if !0%{?usrmerged}
+%if 0%{?suse_version} < 1550
 /sbin/auditctl
 /sbin/auditd
 /sbin/ausearch

audit.changes

@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.de>
+
+- Enable build for ARM (32-bit)
+- Update to version 3.0.9:
+  * In auditd, release the async flush lock on stop
+  * Don't allow auditd to log directly into /var/log when log_group is non-zero
+  * Cleanup krb5 memory leaks on error paths
+  * Update auditd.cron to use auditctl --signal
+  * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
+  * In auparse, special case kernel module name interpretation
+  * If overflow_action is ignore, don't treat as an error
+  (3.0.8)
+  * Add gcc function attributes for access and allocation
+  * Add some more man pages (MIZUTA Takeshi)
+  * In auditd, change the reinitializing of the plugin queue
+  * Fix path normalization in auparse (Sergio Correia)
+  * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
+  * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
+  * Drop ProtectHome from auditd.service as it interferes with rules
+  (3.0.7)
+  * Add support for the OPENAT2 record type (Richard Guy Briggs)
+  * In auditd, close the logging file descriptor when logging is suspended
+  * Update the capabilities lookup table to match 5.16 kernel
+  * Improve interpretation of renamat & faccessat family of syscalls
+  * Update syscall table for the 5.16 kernel
+  * Reduce dependency from initscripts to initscripts-service
+- Refresh patches (context adjusment):
+  * audit-allow-manual-stop.patch
+  * audit-ausearch-do-not-require-tclass.patch
+  * audit-no-gss.patch
+  * enable-stop-rules.patch
+  * fix-hardened-service.patch
+  * harden_auditd.service.patch
+- Remove patches (fixed by version update):
+  * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
+  * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
+
 -------------------------------------------------------------------
 Mon Apr 11 20:45:33 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
 
@@ -1013,8 +1051,8 @@ Mon May 11 17:20:28 CEST 2009 - tonyj@suse.de
   - Add --exit search option to ausearch
   - Fix parsing config file when kerberos is disabled
 
--------------------------------------------------------------------
 
+-------------------------------------------------------------------
 Tue Apr 14 14:52:39 CEST 2009 - dmueller@suse.de
 
 - refresh patches

audit.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package audit
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           audit
-Version:        3.0.6
+Version:        3.0.9
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -85,6 +85,9 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %configure \
 %ifarch aarch64
 	--with-aarch64 \
+%endif
+%ifarch arm
+	--with-arm \
 %endif
 	--enable-systemd \
 	--libexecdir=%{_libexecdir}/%{name} \

create-augenrules-service.patch

@@ -1,7 +1,7 @@
-Index: audit-3.0.6/init.d/augenrules.service
+Index: audit-3.0.9/init.d/augenrules.service
 ===================================================================
 --- /dev/null
-+++ audit-3.0.6/init.d/augenrules.service
++++ audit-3.0.9/init.d/augenrules.service
 @@ -0,0 +1,29 @@
 +[Unit]
 +Description=auditd rules generation
@@ -32,13 +32,13 @@ Index: audit-3.0.6/init.d/augenrules.service
 +ProtectKernelTunables=true
 +ProtectKernelLogs=true
 +ReadWritePaths=/etc/audit
-Index: audit-3.0.6/init.d/auditd.service
+Index: audit-3.0.9/init.d/auditd.service
 ===================================================================
---- audit-3.0.6.orig/init.d/auditd.service
-+++ audit-3.0.6/init.d/auditd.service
-@@ -13,15 +13,16 @@ Before=sysinit.target shutdown.target
- Conflicts=shutdown.target
- ConditionKernelCommandLine=!audit=0
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0
+ ConditionKernelCommandLine=!audit=off
+ 
  Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
 +Requires=augenrules.service
 +# This unit clears rules on stop, so make sure that augenrules runs again
@@ -57,7 +57,7 @@ Index: audit-3.0.6/init.d/auditd.service
  #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
  # By default we clear the rules on exit. To disable this, comment
  # the next line after copying the file to /etc/systemd/system/auditd.service
-@@ -45,7 +46,6 @@ ProtectClock=true
+@@ -46,7 +47,6 @@ ProtectClock=true
  ProtectKernelTunables=true
  ProtectKernelLogs=true
  # end of automatic additions 
@@ -65,28 +65,29 @@ Index: audit-3.0.6/init.d/auditd.service
  
  [Install]
  WantedBy=multi-user.target
-Index: audit-3.0.6/init.d/Makefile.am
+Index: audit-3.0.9/init.d/Makefile.am
 ===================================================================
---- audit-3.0.6.orig/init.d/Makefile.am
-+++ audit-3.0.6/init.d/Makefile.am
-@@ -26,7 +26,7 @@ EXTRA_DIST = auditd.init auditd.service
+--- audit-3.0.9.orig/init.d/Makefile.am
++++ audit-3.0.9/init.d/Makefile.am
+@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service
  	auditd.cron libaudit.conf auditd.condrestart \
  	auditd.reload auditd.restart auditd.resume \
  	auditd.rotate auditd.state auditd.stop \
--	audit-stop.rules augenrules
-+	audit-stop.rules augenrules augenrules.service
+-	audit-stop.rules augenrules audit-functions
++	audit-stop.rules augenrules audit-functions \
++	augenrules.service
  libconfig = libaudit.conf
  if ENABLE_SYSTEMD
  initdir = /usr/lib/systemd/system
-@@ -53,6 +53,7 @@ if ENABLE_SYSTEMD
- 	mkdir -p ${DESTDIR}${initdir}
+@@ -54,6 +55,7 @@ if ENABLE_SYSTEMD
  	mkdir -p ${DESTDIR}${legacydir}
+ 	mkdir -p ${DESTDIR}${libexecdir}
  	$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
 +	$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
  	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
  	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
  	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
-@@ -70,6 +71,7 @@ uninstall-hook:
+@@ -72,6 +74,7 @@ uninstall-hook:
  	rm ${DESTDIR}${sysconfdir}/${libconfig}
  if ENABLE_SYSTEMD
  	rm ${DESTDIR}${initdir}/auditd.service

enable-stop-rules.patch

@@ -11,11 +11,11 @@ Disable audit when auditd.service stops, so kauditd stops logging/running.
 
 Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
 
-Index: audit-3.0.6/init.d/auditd.service
+Index: audit-3.0.9/init.d/auditd.service
 ===================================================================
---- audit-3.0.6.orig/init.d/auditd.service
-+++ audit-3.0.6/init.d/auditd.service
-@@ -23,9 +23,9 @@ ExecStart=/sbin/auditd
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -25,9 +25,9 @@ ExecStart=/sbin/auditd
  ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
  ExecStartPost=-/sbin/augenrules --load
  #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules

fix-hardened-service.patch

@@ -12,9 +12,11 @@ Also remove PrivateDevices=true so /dev/* are exposed to auditd.
 
 Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
 
---- a/init.d/auditd.service
-+++ b/init.d/auditd.service
-@@ -37,12 +37,12 @@ RestrictRealtime=true
+Index: audit-3.0.9/init.d/auditd.service
+===================================================================
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -41,12 +41,12 @@ RestrictRealtime=true
  # added automatically, for details please see
  # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
  ProtectSystem=full

harden_auditd.service.patch

@@ -1,8 +1,10 @@
---- a/init.d/auditd.service
-+++ b/init.d/auditd.service
-@@ -34,6 +34,15 @@ ProtectControlGroups=true
+Index: audit-3.0.9/init.d/auditd.service
+===================================================================
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -38,6 +38,15 @@ LockPersonality=true
+ ProtectControlGroups=true
  ProtectKernelModules=true
- ProtectHome=true
  RestrictRealtime=true
 +# added automatically, for details please see
 +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch

@@ -1,64 +0,0 @@
-From 614edbe52180698c5b447ff4c3e7031ff0721683 Mon Sep 17 00:00:00 2001
-From: Enzo Matsumiya <ematsumiya@suse.com>
-Date: Thu, 24 Mar 2022 23:36:53 -0300
-Subject: [PATCH] libaudit: fix unhandled ECONNREFUSED from getpwnam() (#255)
-
-From: Luis Galdos <luis.galdos@suse.com>
-
-In some very specific scenarios with LDAP + network issues,
-getpwnam() and getgrnam() might return ECONNREFUSED.
-
-Up in the call chain to audit_name_to_uid()/audit_name_to_gid(),
-ECONNREFUSED will be handled as kernel auditd is not running,
-showing "The audit system is disabled" and stopping parsing rules.
-
-This patch manually sets errno to ENOENT after those affected calls, in
-case they fail, so rule parsing can continue cleanly.
-
-Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
----
- lib/libaudit.c | 17 +++++++++++++++--
- 1 file changed, 15 insertions(+), 2 deletions(-)
-
-diff --git a/lib/libaudit.c b/lib/libaudit.c
-index 54e276156ef0..41303c244aee 100644
---- a/lib/libaudit.c
-+++ b/lib/libaudit.c
-@@ -1830,9 +1830,17 @@ static int audit_name_to_uid(const char *name, uid_t *uid)
- {
- 	struct passwd *pw;
- 
-+	errno = 0;
- 	pw = getpwnam(name);
--	if (pw == NULL)
-+	if (pw == NULL) {
-+		/* getpwnam() might return ECONNREFUSED in some very
-+		 * specific cases when using LDAP.
-+		 * Manually set it to ENOENT so callers don't get confused
-+		 * with netlink's ECONNREFUSED */
-+		if (errno == ECONNREFUSED)
-+			errno = ENOENT;
- 		return 1;
-+	}
- 
- 	memset(pw->pw_passwd, ' ', strlen(pw->pw_passwd));
- 	*uid = pw->pw_uid;
-@@ -1843,9 +1851,14 @@ static int audit_name_to_gid(const char *name, gid_t *gid)
- {
- 	struct group *gr;
- 
-+	errno = 0;
- 	gr = getgrnam(name);
--	if (gr == NULL)
-+	if (gr == NULL) {
-+		/* See above for explanation. */
-+		if (errno == ECONNREFUSED)
-+			errno = ENOENT;
- 		return 1;
-+	}
- 
- 	*gid = gr->gr_gid;
- 	return 0;
--- 
-2.35.1
-