pool/audit
SHA256
3
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: pool:factory
Branches Tags
pool:factory
pool:devel
..
compare: pool:devel
Branches Tags
pool:factory
pool:devel

No commits in common. "factory" and "devel" have entirely different histories.
factory ... devel

4 changed files with 164 additions and 0 deletions
Show Stats Expand all files Collapse all files

BIN
audit-3.1.1.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

38
audit-userspace-517-compat.patch Normal file
View File

@ -0,0 +1,38 @@
From: Sergei Trofimovich <slyich@gmail.com>
Date: Wed, 23 Mar 2022 07:27:05 +0000
Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf
References: https://github.com/linux-audit/audit-userspace/issues/252
Git-commit: https://github.com/linux-audit/audit-userspace/pull/253/commits/beed138222421a2eb4212d83cb889404bd7efc49
Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git]
Patch-mainline: submitted for review upstream
As it's a flexible array generated code was never safe to use.
With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574
change it's a build failure now:
audit> audit_wrap.c:5010:15: error: invalid use of flexible array member
audit> 5010 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
audit> | ^
Let's avoid setter generation entirely.
Closes: https://github.com/linux-audit/audit-userspace/issues/252
---
bindings/swig/src/auditswig.i | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
index 21aafca31..9a2c5661d 100644
--- a/bindings/swig/src/auditswig.i
+++ b/bindings/swig/src/auditswig.i
@@ -39,6 +39,10 @@ signed
#define __attribute(X) /*nothing*/
typedef unsigned __u32;
typedef unsigned uid_t;
+/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not:
+ * generating setters against them: https://github.com/swig/swig/issues/1699
+ */
+%ignore audit_rule_data::buf;
%include "/usr/include/linux/audit.h"
#define __extension__ /*nothing*/
%include <stdint.i>

97
create-augenrules-service.patch Normal file
View File

@ -0,0 +1,97 @@
Index: audit-3.1.1/init.d/augenrules.service
===================================================================
--- /dev/null
+++ audit-3.1.1/init.d/augenrules.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=auditd rules generation
+After=auditd.service
+Documentation=man:augenrules(8)
+
+[Service]
+Type=oneshot
+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
+ExecStart=/sbin/augenrules --load
+# We need RemainAfterExit=true so augenrules is called again
+# in case auditd.service is restarted.
+RemainAfterExit=true
+
+### Security Settings ###
+MemoryDenyWriteExecute=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectHome=true
+RestrictRealtime=true
+# for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelLogs=true
+ReadWritePaths=/etc/audit
Index: audit-3.1.1/init.d/auditd.service
===================================================================
--- audit-3.1.1.orig/init.d/auditd.service
+++ audit-3.1.1/init.d/auditd.service
@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0
ConditionKernelCommandLine=!audit=off
Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
+Requires=augenrules.service
+# This unit clears rules on stop, so make sure that augenrules runs again
+PropagatesStopTo=augenrules.service
[Service]
Type=forking
PIDFile=/run/auditd.pid
ExecStart=/sbin/auditd
-## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
-## and comment/delete the next line and uncomment the auditctl line.
-## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
-ExecStartPost=-/sbin/augenrules --load
+## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
+## uncomment the next line, and comment the Requires=augenrules.service above.
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
# By default we clear the rules on exit. To disable this, comment
# the next line after copying the file to /etc/systemd/system/auditd.service
@@ -47,7 +48,6 @@ ProtectClock=true
ProtectKernelTunables=true
ProtectKernelLogs=true
# end of automatic additions
-ReadWritePaths=/etc/audit
[Install]
WantedBy=multi-user.target
Index: audit-3.1.1/init.d/Makefile.am
===================================================================
--- audit-3.1.1.orig/init.d/Makefile.am
+++ audit-3.1.1/init.d/Makefile.am
@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service
auditd.cron libaudit.conf auditd.condrestart \
auditd.reload auditd.restart auditd.resume \
auditd.rotate auditd.state auditd.stop \
- audit-stop.rules augenrules audit-functions
+ audit-stop.rules augenrules audit-functions \
+ augenrules.service
libconfig = libaudit.conf
if ENABLE_SYSTEMD
initdir = /usr/lib/systemd/system
@@ -54,6 +55,7 @@ if ENABLE_SYSTEMD
mkdir -p ${DESTDIR}${legacydir}
mkdir -p ${DESTDIR}${libexecdir}
$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
+ $(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
@@ -72,6 +74,7 @@ uninstall-hook:
rm ${DESTDIR}${sysconfdir}/${libconfig}
if ENABLE_SYSTEMD
rm ${DESTDIR}${initdir}/auditd.service
+ rm ${DESTDIR}${initdir}/augenrules.service
rm ${DESTDIR}${legacydir}/rotate
rm ${DESTDIR}${legacydir}/resume
rm ${DESTDIR}${legacydir}/reload

26
libev-werror.patch Normal file
View File

@ -0,0 +1,26 @@
From: Jan Engelhardt <jengelh@inai.de>
Date: 2021-06-02 16:18:03.256597842 +0200
Cherry-pick http://cvs.schmorp.de/libev/ev_iouring.c?view=log&r1=1.25
to fix some terrible code.
[ 50s] ev_iouring.c: In function 'iouring_sqe_submit':
[ 50s] ev_iouring.c:300:1: error: no return statement in function returning non-void [-Werror=return-type]
---
src/libev/ev_iouring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: audit-3.0.1/src/libev/ev_iouring.c
===================================================================
--- audit-3.0.1.orig/src/libev/ev_iouring.c
+++ audit-3.0.1/src/libev/ev_iouring.c
@@ -287,7 +287,7 @@ iouring_sqe_get (EV_P)
}
inline_size
-struct io_uring_sqe *
+void
iouring_sqe_submit (EV_P_ struct io_uring_sqe *sqe)
{
unsigned idx = sqe - EV_SQES;