Accepting request 1098554 from security

OBS-URL: https://build.opensuse.org/request/show/1098554
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=104

_multibuild

@@ -0,0 +1,4 @@
+<multibuild>
+  <package>audit-secondary</package>
+</multibuild>
+

audit-3.1.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:46e46b37623cce09e6ee134e78d668afc34f4e1c870c853ef12e4193078cfe87
+size 1218111

audit-ausearch-do-not-require-tclass.patch

@@ -9,11 +9,11 @@ Signed-off-by: Tony Jones <tonyj@suse.de>
  src/ausearch-parse.c |   18 ++++++++----------
  1 file changed, 8 insertions(+), 10 deletions(-)
 
-Index: audit-3.0.9/src/ausearch-parse.c
+Index: audit-3.1.1/src/ausearch-parse.c
 ===================================================================
---- audit-3.0.9.orig/src/ausearch-parse.c
-+++ audit-3.0.9/src/ausearch-parse.c
-@@ -2062,17 +2062,15 @@ other_avc:
+--- audit-3.1.1.orig/src/ausearch-parse.c
++++ audit-3.1.1/src/ausearch-parse.c
+@@ -2075,17 +2075,15 @@ other_avc:
  
  	// Now get the class...its at the end, so we do things different
  	str = strstr(term, "tclass=");

audit-secondary.changes

@@ -1,3 +1,34 @@
+-------------------------------------------------------------------
+Mon Jul  3 08:34:22 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 3.1.1:
+  * Add user friendly keywords for signals to auditctl
+  * In ausearch, parse up URINGOP and DM_CTRL records
+  * Harden auparse to better handle corrupt logs
+  * Fix a CFLAGS propogation problem in the common directory
+  * Move the audispd af_unix plugin to a standalone program 
+
+-------------------------------------------------------------------
+Thu May  4 12:58:06 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
+
+- Add _multibuild to define additional spec files as additional
+  flavors.
+  Eliminates the need for source package links in OBS.
+
+-------------------------------------------------------------------
+Mon Feb 20 14:13:06 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 3.1:
+  * Disable ProtectControlGroups in auditd.service by default
+  * Fix rule checking for exclude filter
+  * Make audit_rule_syscallbyname_data work correctly outside of auditctl
+  * Add new record types
+  * Add io_uring support
+  * Add support for new FANOTIFY record fields
+  * Add keyword, this-hour, to ausearch/report start/end options
+  * Add Requires.private to audit.pc file
+  * Try to interpret OPENAT2 fields correctly
+
 -------------------------------------------------------------------
 Tue Dec 27 10:21:56 UTC 2022 - Ludwig Nussel <lnussel@suse.com>
 

audit-secondary.spec

@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define 	_name audit
 Name:           audit-secondary
-Version:        3.0.9
+Version:        3.1.1
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -258,6 +258,7 @@ fi
 %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
 %attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
 %attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
+%attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
 %if 0%{?suse_version} < 1550
 /sbin/auditctl
 /sbin/auditd
@@ -276,6 +277,7 @@ fi
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
 %attr(755,root,root) %{_sbindir}/aureport
+%attr(755,root,root) %{_sbindir}/audisp-af_unix
 %attr(755,root,root) %{_bindir}/auvirt
 %dir %attr(750,root,root) %{_sysconfdir}/audit
 %attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d

audit.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Mon Jul  3 08:33:52 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 3.1.1:
+  * Add user friendly keywords for signals to auditctl
+  * In ausearch, parse up URINGOP and DM_CTRL records
+  * Harden auparse to better handle corrupt logs
+  * Fix a CFLAGS propogation problem in the common directory
+  * Move the audispd af_unix plugin to a standalone program
+
+-------------------------------------------------------------------
+Thu May  4 12:58:06 UTC 2023 - Frederic Crozat <fcrozat@suse.com>
+
+- Add _multibuild to define additional spec files as additional
+  flavors.
+  Eliminates the need for source package links in OBS.
+
+-------------------------------------------------------------------
+Mon Mar 20 14:53:26 UTC 2023 - Giuliano Belinassi <giuliano.belinassi@suse.com>
+
+- Enable livepatching on main library on x86_64.
+
+-------------------------------------------------------------------
+Mon Feb 20 14:12:55 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
+
+- Update to 3.1:
+  * Disable ProtectControlGroups in auditd.service by default
+  * Fix rule checking for exclude filter
+  * Make audit_rule_syscallbyname_data work correctly outside of auditctl
+  * Add new record types
+  * Add io_uring support
+  * Add support for new FANOTIFY record fields
+  * Add keyword, this-hour, to ausearch/report start/end options
+  * Add Requires.private to audit.pc file
+  * Try to interpret OPENAT2 fields correctly
+
 -------------------------------------------------------------------
 Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.de>
 

audit.spec

@@ -16,8 +16,14 @@
 #
 
 
+%ifarch x86_64
+%bcond_without livepatching
+%else
+%bcond_with livepatching
+%endif
+
 Name:           audit
-Version:        3.0.9
+Version:        3.1.1
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -79,6 +85,9 @@ libraries.
 %build
 autoreconf -fi
 export CFLAGS="%{optflags} -fno-strict-aliasing"
+%if %{with livepatching}
+export CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
+%endif
 export CXXFLAGS="$CFLAGS"
 export LDFLAGS="-Wl,-z,relro,-z,now"
 # no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
@@ -102,6 +111,33 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %make_build -C auparse
 %make_build -C docs
 
+%if %{with livepatching}
+# Workaround bsc#1208721: remove _patchable_function_entry from static libs.
+find . -name "*.a" -exec \
+       objcopy --remove-section "__patchable_function_entries" {} \;
+
+%define tar_basename audit-livepatch-%{version}-%{release}
+%define tar_package_name %{tar_basename}.%{_arch}.tar.xz
+%define clones_dest_dir %{tar_basename}/%{_arch}
+
+# Ipa-clones are files generated by gcc which logs changes made across
+# functions, and we need to know such changes to build livepatches
+# correctly. These files are intended to be used by the livepatch
+# developers and may be retrieved by using `osc getbinaries`.
+#
+# Create ipa-clones destination folder and move clones there.
+mkdir -p ipa-clones/%{clones_dest_dir}
+find . -name "*.ipa-clones" ! -empty \
+       -exec cp -t ipa-clones/%{clones_dest_dir} --parents {} +
+
+# Create tarball with ipa-clones.
+tar -cJf %{tar_package_name} -C ipa-clones \
+    --owner root --group root --sort name %{tar_basename}
+
+# Copy tarball to the OTHER folder to store it as artifact.
+cp %{tar_package_name} %{_topdir}/OTHER
+%endif
+
 %install
 %make_install -C common
 %make_install -C lib

create-augenrules-service.patch

@@ -1,7 +1,7 @@
-Index: audit-3.0.9/init.d/augenrules.service
+Index: audit-3.1.1/init.d/augenrules.service
 ===================================================================
 --- /dev/null
-+++ audit-3.0.9/init.d/augenrules.service
++++ audit-3.1.1/init.d/augenrules.service
 @@ -0,0 +1,29 @@
 +[Unit]
 +Description=auditd rules generation
@@ -32,10 +32,10 @@ Index: audit-3.0.9/init.d/augenrules.service
 +ProtectKernelTunables=true
 +ProtectKernelLogs=true
 +ReadWritePaths=/etc/audit
-Index: audit-3.0.9/init.d/auditd.service
+Index: audit-3.1.1/init.d/auditd.service
 ===================================================================
---- audit-3.0.9.orig/init.d/auditd.service
-+++ audit-3.0.9/init.d/auditd.service
+--- audit-3.1.1.orig/init.d/auditd.service
++++ audit-3.1.1/init.d/auditd.service
 @@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0
  ConditionKernelCommandLine=!audit=off
  
@@ -57,7 +57,7 @@ Index: audit-3.0.9/init.d/auditd.service
  #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
  # By default we clear the rules on exit. To disable this, comment
  # the next line after copying the file to /etc/systemd/system/auditd.service
-@@ -46,7 +47,6 @@ ProtectClock=true
+@@ -47,7 +48,6 @@ ProtectClock=true
  ProtectKernelTunables=true
  ProtectKernelLogs=true
  # end of automatic additions 
@@ -65,10 +65,10 @@ Index: audit-3.0.9/init.d/auditd.service
  
  [Install]
  WantedBy=multi-user.target
-Index: audit-3.0.9/init.d/Makefile.am
+Index: audit-3.1.1/init.d/Makefile.am
 ===================================================================
---- audit-3.0.9.orig/init.d/Makefile.am
-+++ audit-3.0.9/init.d/Makefile.am
+--- audit-3.1.1.orig/init.d/Makefile.am
++++ audit-3.1.1/init.d/Makefile.am
 @@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service
  	auditd.cron libaudit.conf auditd.condrestart \
  	auditd.reload auditd.restart auditd.resume \

fix-hardened-service.patch

@@ -12,11 +12,11 @@ Also remove PrivateDevices=true so /dev/* are exposed to auditd.
 
 Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
 
-Index: audit-3.0.9/init.d/auditd.service
+Index: audit-3.1.1/init.d/auditd.service
 ===================================================================
---- audit-3.0.9.orig/init.d/auditd.service
-+++ audit-3.0.9/init.d/auditd.service
-@@ -41,12 +41,12 @@ RestrictRealtime=true
+--- audit-3.1.1.orig/init.d/auditd.service
++++ audit-3.1.1/init.d/auditd.service
+@@ -42,12 +42,12 @@ RestrictRealtime=true
  # added automatically, for details please see
  # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
  ProtectSystem=full

harden_auditd.service.patch

@@ -1,9 +1,9 @@
-Index: audit-3.0.9/init.d/auditd.service
+Index: audit-3.1.1/init.d/auditd.service
 ===================================================================
---- audit-3.0.9.orig/init.d/auditd.service
-+++ audit-3.0.9/init.d/auditd.service
-@@ -38,6 +38,15 @@ LockPersonality=true
- ProtectControlGroups=true
+--- audit-3.1.1.orig/init.d/auditd.service
++++ audit-3.1.1/init.d/auditd.service
+@@ -39,6 +39,15 @@ LockPersonality=true
+ #ProtectControlGroups=true
  ProtectKernelModules=true
  RestrictRealtime=true
 +# added automatically, for details please see