Accepting request 1043243 from home:ematsumiya:branches:security

- Enable build for ARM (32-bit)
- Update to version 3.0.9:
  * In auditd, release the async flush lock on stop
  * Don't allow auditd to log directly into /var/log when log_group is non-zero
  * Cleanup krb5 memory leaks on error paths
  * Update auditd.cron to use auditctl --signal
  * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
  * In auparse, special case kernel module name interpretation
  * If overflow_action is ignore, don't treat as an error
  (3.0.8)
  * Add gcc function attributes for access and allocation
  * Add some more man pages (MIZUTA Takeshi)
  * In auditd, change the reinitializing of the plugin queue
  * Fix path normalization in auparse (Sergio Correia)
  * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
  * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
  * Drop ProtectHome from auditd.service as it interferes with rules
  (3.0.7)
  * Add support for the OPENAT2 record type (Richard Guy Briggs)
  * In auditd, close the logging file descriptor when logging is suspended
  * Update the capabilities lookup table to match 5.16 kernel
  * Improve interpretation of renamat & faccessat family of syscalls
  * Update syscall table for the 5.16 kernel
  * Reduce dependency from initscripts to initscripts-service
- Refresh patches (context adjusment):
  * audit-allow-manual-stop.patch
  * audit-ausearch-do-not-require-tclass.patch
  * audit-no-gss.patch
  * enable-stop-rules.patch
  * fix-hardened-service.patch
  * harden_auditd.service.patch
- Remove patches (fixed by version update):
  * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
  * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
- Enable build for ARM (32-bit)
- Update to version 3.0.9:
  * In auditd, release the async flush lock on stop
  * Don't allow auditd to log directly into /var/log when log_group is non-zero
  * Cleanup krb5 memory leaks on error paths
  * Update auditd.cron to use auditctl --signal
  * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
  * In auparse, special case kernel module name interpretation
  * If overflow_action is ignore, don't treat as an error
  (3.0.8)
  * Add gcc function attributes for access and allocation
  * Add some more man pages (MIZUTA Takeshi)
  * In auditd, change the reinitializing of the plugin queue
  * Fix path normalization in auparse (Sergio Correia)
  * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
  * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
  * Drop ProtectHome from auditd.service as it interferes with rules
  (3.0.7)
  * Add support for the OPENAT2 record type (Richard Guy Briggs)
  * In auditd, close the logging file descriptor when logging is suspended
  * Update the capabilities lookup table to match 5.16 kernel
  * Improve interpretation of renamat & faccessat family of syscalls
  * Update syscall table for the 5.16 kernel
  * Reduce dependency from initscripts to initscripts-service
- Refresh patches (context adjusment):
  * audit-allow-manual-stop.patch
  * audit-ausearch-do-not-require-tclass.patch
  * audit-no-gss.patch
  * enable-stop-rules.patch
  * fix-hardened-service.patch
  * harden_auditd.service.patch
- Remove patches (fixed by version update):
  * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
  * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch

OBS-URL: https://build.opensuse.org/request/show/1043243
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=141

audit-allow-manual-stop.patch

@@ -11,13 +11,15 @@ SUSE since we lack the ability to use a custom stop/restart
  init.d/auditd.service |    1 -
  1 file changed, 1 deletion(-)
 
---- a/init.d/auditd.service
-+++ b/init.d/auditd.service
-@@ -11,7 +11,6 @@
+Index: audit-3.0.9/init.d/auditd.service
+===================================================================
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -11,7 +11,6 @@ After=local-fs.target systemd-tmpfiles-s
  Before=sysinit.target shutdown.target
  ##Before=shutdown.target
  Conflicts=shutdown.target
 -RefuseManualStop=yes
  ConditionKernelCommandLine=!audit=0
- Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
+ ConditionKernelCommandLine=!audit=off
  

audit-ausearch-do-not-require-tclass.patch

@@ -9,9 +9,11 @@ Signed-off-by: Tony Jones <tonyj@suse.de>
  src/ausearch-parse.c |   18 ++++++++----------
  1 file changed, 8 insertions(+), 10 deletions(-)
 
---- a/src/ausearch-parse.c
-+++ b/src/ausearch-parse.c
-@@ -2061,17 +2061,15 @@ other_avc:
+Index: audit-3.0.9/src/ausearch-parse.c
+===================================================================
+--- audit-3.0.9.orig/src/ausearch-parse.c
++++ audit-3.0.9/src/ausearch-parse.c
+@@ -2062,17 +2062,15 @@ other_avc:
  
  	// Now get the class...its at the end, so we do things different
  	str = strstr(term, "tclass=");

audit-no-gss.patch

@@ -9,8 +9,10 @@ but need manual removal here.
  init.d/auditd.conf |    3 ---
  1 file changed, 3 deletions(-)
 
---- a/init.d/auditd.conf
-+++ b/init.d/auditd.conf
+Index: audit-3.0.9/init.d/auditd.conf
+===================================================================
+--- audit-3.0.9.orig/init.d/auditd.conf
++++ audit-3.0.9/init.d/auditd.conf
 @@ -30,8 +30,6 @@ tcp_max_per_addr = 1
  ##tcp_client_ports = 1024-65535
  tcp_client_max_idle = 0
@@ -18,5 +20,5 @@ but need manual removal here.
 -krb5_principal = auditd
 -##krb5_key_file = /etc/audit/audit.key
  distribute_network = no
- q_depth = 1200
+ q_depth = 2000
  overflow_action = SYSLOG

audit-secondary.changes

@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.de>
+
+- Enable build for ARM (32-bit)
+- Update to version 3.0.9:
+  * In auditd, release the async flush lock on stop
+  * Don't allow auditd to log directly into /var/log when log_group is non-zero
+  * Cleanup krb5 memory leaks on error paths
+  * Update auditd.cron to use auditctl --signal
+  * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
+  * In auparse, special case kernel module name interpretation
+  * If overflow_action is ignore, don't treat as an error
+  (3.0.8)
+  * Add gcc function attributes for access and allocation
+  * Add some more man pages (MIZUTA Takeshi)
+  * In auditd, change the reinitializing of the plugin queue
+  * Fix path normalization in auparse (Sergio Correia)
+  * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
+  * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
+  * Drop ProtectHome from auditd.service as it interferes with rules
+  (3.0.7)
+  * Add support for the OPENAT2 record type (Richard Guy Briggs)
+  * In auditd, close the logging file descriptor when logging is suspended
+  * Update the capabilities lookup table to match 5.16 kernel
+  * Improve interpretation of renamat & faccessat family of syscalls
+  * Update syscall table for the 5.16 kernel
+  * Reduce dependency from initscripts to initscripts-service
+- Refresh patches (context adjusment):
+  * audit-allow-manual-stop.patch
+  * audit-ausearch-do-not-require-tclass.patch
+  * audit-no-gss.patch
+  * enable-stop-rules.patch
+  * fix-hardened-service.patch
+  * harden_auditd.service.patch
+- Remove patches (fixed by version update):
+  * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
+  * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
+
 -------------------------------------------------------------------
 Mon Apr 11 20:44:34 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
 

audit-secondary.spec

@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define 	_name audit
 Name:           audit-secondary
-Version:        3.0.6
+Version:        3.0.9
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -42,8 +42,6 @@ Patch9:         fix-hardened-service.patch
 Patch10:        enable-stop-rules.patch
 Patch11:        create-augenrules-service.patch
 Patch12:        audit-userspace-517-compat.patch
-Patch13:        audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
-Patch14:        libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  kernel-headers >= 2.6.30
@@ -146,6 +144,9 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %configure \
 %ifarch aarch64
 	--with-aarch64 \
+%endif
+%ifarch arm
+	--with-arm \
 %endif
 	--enable-systemd \
 	--libexecdir=%{_libexecdir}/%{_name} \

audit.changes

@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.de>
+
+- Enable build for ARM (32-bit)
+- Update to version 3.0.9:
+  * In auditd, release the async flush lock on stop
+  * Don't allow auditd to log directly into /var/log when log_group is non-zero
+  * Cleanup krb5 memory leaks on error paths
+  * Update auditd.cron to use auditctl --signal
+  * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
+  * In auparse, special case kernel module name interpretation
+  * If overflow_action is ignore, don't treat as an error
+  (3.0.8)
+  * Add gcc function attributes for access and allocation
+  * Add some more man pages (MIZUTA Takeshi)
+  * In auditd, change the reinitializing of the plugin queue
+  * Fix path normalization in auparse (Sergio Correia)
+  * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
+  * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
+  * Drop ProtectHome from auditd.service as it interferes with rules
+  (3.0.7)
+  * Add support for the OPENAT2 record type (Richard Guy Briggs)
+  * In auditd, close the logging file descriptor when logging is suspended
+  * Update the capabilities lookup table to match 5.16 kernel
+  * Improve interpretation of renamat & faccessat family of syscalls
+  * Update syscall table for the 5.16 kernel
+  * Reduce dependency from initscripts to initscripts-service
+- Refresh patches (context adjusment):
+  * audit-allow-manual-stop.patch
+  * audit-ausearch-do-not-require-tclass.patch
+  * audit-no-gss.patch
+  * enable-stop-rules.patch
+  * fix-hardened-service.patch
+  * harden_auditd.service.patch
+- Remove patches (fixed by version update):
+  * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
+  * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
+
 -------------------------------------------------------------------
 Mon Apr 11 20:45:33 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
 
@@ -1013,8 +1051,8 @@ Mon May 11 17:20:28 CEST 2009 - tonyj@suse.de
   - Add --exit search option to ausearch
   - Fix parsing config file when kerberos is disabled
 
--------------------------------------------------------------------
 
+-------------------------------------------------------------------
 Tue Apr 14 14:52:39 CEST 2009 - dmueller@suse.de
 
 - refresh patches

audit.spec

@@ -17,7 +17,7 @@
 
 
 Name:           audit
-Version:        3.0.6
+Version:        3.0.9
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -85,6 +85,9 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %configure \
 %ifarch aarch64
 	--with-aarch64 \
+%endif
+%ifarch arm
+	--with-arm \
 %endif
 	--enable-systemd \
 	--libexecdir=%{_libexecdir}/%{name} \

create-augenrules-service.patch

@@ -1,7 +1,7 @@
-Index: audit-3.0.6/init.d/augenrules.service
+Index: audit-3.0.9/init.d/augenrules.service
 ===================================================================
 --- /dev/null
-+++ audit-3.0.6/init.d/augenrules.service
++++ audit-3.0.9/init.d/augenrules.service
 @@ -0,0 +1,29 @@
 +[Unit]
 +Description=auditd rules generation
@@ -32,13 +32,13 @@ Index: audit-3.0.6/init.d/augenrules.service
 +ProtectKernelTunables=true
 +ProtectKernelLogs=true
 +ReadWritePaths=/etc/audit
-Index: audit-3.0.6/init.d/auditd.service
+Index: audit-3.0.9/init.d/auditd.service
 ===================================================================
---- audit-3.0.6.orig/init.d/auditd.service
-+++ audit-3.0.6/init.d/auditd.service
-@@ -13,15 +13,16 @@ Before=sysinit.target shutdown.target
- Conflicts=shutdown.target
- ConditionKernelCommandLine=!audit=0
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0
+ ConditionKernelCommandLine=!audit=off
+ 
  Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
 +Requires=augenrules.service
 +# This unit clears rules on stop, so make sure that augenrules runs again
@@ -57,7 +57,7 @@ Index: audit-3.0.6/init.d/auditd.service
  #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
  # By default we clear the rules on exit. To disable this, comment
  # the next line after copying the file to /etc/systemd/system/auditd.service
-@@ -45,7 +46,6 @@ ProtectClock=true
+@@ -46,7 +47,6 @@ ProtectClock=true
  ProtectKernelTunables=true
  ProtectKernelLogs=true
  # end of automatic additions 
@@ -65,28 +65,29 @@ Index: audit-3.0.6/init.d/auditd.service
  
  [Install]
  WantedBy=multi-user.target
-Index: audit-3.0.6/init.d/Makefile.am
+Index: audit-3.0.9/init.d/Makefile.am
 ===================================================================
---- audit-3.0.6.orig/init.d/Makefile.am
-+++ audit-3.0.6/init.d/Makefile.am
-@@ -26,7 +26,7 @@ EXTRA_DIST = auditd.init auditd.service
+--- audit-3.0.9.orig/init.d/Makefile.am
++++ audit-3.0.9/init.d/Makefile.am
+@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service
  	auditd.cron libaudit.conf auditd.condrestart \
  	auditd.reload auditd.restart auditd.resume \
  	auditd.rotate auditd.state auditd.stop \
--	audit-stop.rules augenrules
-+	audit-stop.rules augenrules augenrules.service
+-	audit-stop.rules augenrules audit-functions
++	audit-stop.rules augenrules audit-functions \
++	augenrules.service
  libconfig = libaudit.conf
  if ENABLE_SYSTEMD
  initdir = /usr/lib/systemd/system
-@@ -53,6 +53,7 @@ if ENABLE_SYSTEMD
- 	mkdir -p ${DESTDIR}${initdir}
+@@ -54,6 +55,7 @@ if ENABLE_SYSTEMD
  	mkdir -p ${DESTDIR}${legacydir}
+ 	mkdir -p ${DESTDIR}${libexecdir}
  	$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
 +	$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
  	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
  	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
  	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
-@@ -70,6 +71,7 @@ uninstall-hook:
+@@ -72,6 +74,7 @@ uninstall-hook:
  	rm ${DESTDIR}${sysconfdir}/${libconfig}
  if ENABLE_SYSTEMD
  	rm ${DESTDIR}${initdir}/auditd.service

enable-stop-rules.patch

@@ -11,11 +11,11 @@ Disable audit when auditd.service stops, so kauditd stops logging/running.
 
 Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
 
-Index: audit-3.0.6/init.d/auditd.service
+Index: audit-3.0.9/init.d/auditd.service
 ===================================================================
---- audit-3.0.6.orig/init.d/auditd.service
-+++ audit-3.0.6/init.d/auditd.service
-@@ -23,9 +23,9 @@ ExecStart=/sbin/auditd
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -25,9 +25,9 @@ ExecStart=/sbin/auditd
  ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
  ExecStartPost=-/sbin/augenrules --load
  #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules

fix-hardened-service.patch

@@ -12,9 +12,11 @@ Also remove PrivateDevices=true so /dev/* are exposed to auditd.
 
 Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
 
---- a/init.d/auditd.service
-+++ b/init.d/auditd.service
-@@ -37,12 +37,12 @@ RestrictRealtime=true
+Index: audit-3.0.9/init.d/auditd.service
+===================================================================
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -41,12 +41,12 @@ RestrictRealtime=true
  # added automatically, for details please see
  # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
  ProtectSystem=full

harden_auditd.service.patch

@@ -1,8 +1,10 @@
---- a/init.d/auditd.service
-+++ b/init.d/auditd.service
-@@ -34,6 +34,15 @@ ProtectControlGroups=true
+Index: audit-3.0.9/init.d/auditd.service
+===================================================================
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -38,6 +38,15 @@ LockPersonality=true
+ ProtectControlGroups=true
  ProtectKernelModules=true
- ProtectHome=true
  RestrictRealtime=true
 +# added automatically, for details please see
 +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort