Accepting request 1043243 from home:ematsumiya:branches:security

- Enable build for ARM (32-bit) - Update to version 3.0.9: * In auditd, release the async flush lock on stop * Don't allow auditd to log directly into /var/log when log_group is non-zero * Cleanup krb5 memory leaks on error paths * Update auditd.cron to use auditctl --signal * In auparse, if too many fields, realloc array bigger (Paul Wolneykien) * In auparse, special case kernel module name interpretation * If overflow_action is ignore, don't treat as an error (3.0.8) * Add gcc function attributes for access and allocation * Add some more man pages (MIZUTA Takeshi) * In auditd, change the reinitializing of the plugin queue * Fix path normalization in auparse (Sergio Correia) * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya) * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya) * Drop ProtectHome from auditd.service as it interferes with rules (3.0.7) * Add support for the OPENAT2 record type (Richard Guy Briggs) * In auditd, close the logging file descriptor when logging is suspended * Update the capabilities lookup table to match 5.16 kernel * Improve interpretation of renamat & faccessat family of syscalls * Update syscall table for the 5.16 kernel * Reduce dependency from initscripts to initscripts-service - Refresh patches (context adjusment): * audit-allow-manual-stop.patch * audit-ausearch-do-not-require-tclass.patch * audit-no-gss.patch * enable-stop-rules.patch * fix-hardened-service.patch * harden_auditd.service.patch - Remove patches (fixed by version update): * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch - Enable build for ARM (32-bit) - Update to version 3.0.9: * In auditd, release the async flush lock on stop * Don't allow auditd to log directly into /var/log when log_group is non-zero * Cleanup krb5 memory leaks on error paths * Update auditd.cron to use auditctl --signal * In auparse, if too many fields, realloc array bigger (Paul Wolneykien) * In auparse, special case kernel module name interpretation * If overflow_action is ignore, don't treat as an error (3.0.8) * Add gcc function attributes for access and allocation * Add some more man pages (MIZUTA Takeshi) * In auditd, change the reinitializing of the plugin queue * Fix path normalization in auparse (Sergio Correia) * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya) * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya) * Drop ProtectHome from auditd.service as it interferes with rules (3.0.7) * Add support for the OPENAT2 record type (Richard Guy Briggs) * In auditd, close the logging file descriptor when logging is suspended * Update the capabilities lookup table to match 5.16 kernel * Improve interpretation of renamat & faccessat family of syscalls * Update syscall table for the 5.16 kernel * Reduce dependency from initscripts to initscripts-service - Refresh patches (context adjusment): * audit-allow-manual-stop.patch * audit-ausearch-do-not-require-tclass.patch * audit-no-gss.patch * enable-stop-rules.patch * fix-hardened-service.patch * harden_auditd.service.patch - Remove patches (fixed by version update): * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch OBS-URL: https://build.opensuse.org/request/show/1043243 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=141
2022-12-19 19:54:31 +00:00 · 2022-12-19 19:54:31 +00:00 · 7e1b0e83b8
commit 7e1b0e83b8
parent 4a3ef5cf8e
12 changed files with 138 additions and 44 deletions
--- a/audit-3.0.9.tar.gz
+++ b/audit-3.0.9.tar.gz
--- a/audit-allow-manual-stop.patch
+++ b/audit-allow-manual-stop.patch
@ -11,13 +11,15 @@ SUSE since we lack the ability to use a custom stop/restart
 init.d/auditd.service |    1 -
 1 file changed, 1 deletion(-)
--- a/init.d/auditd.service
+Index: audit-3.0.9/init.d/auditd.service
-+++ b/init.d/auditd.service
+===================================================================
-@@ -11,7 +11,6 @@
+--- audit-3.0.9.orig/init.d/auditd.service
 +++ audit-3.0.9/init.d/auditd.service
@@ -11,7 +11,6 @@ After=local-fs.target systemd-tmpfiles-s
 Before=sysinit.target shutdown.target
 ##Before=shutdown.target
 Conflicts=shutdown.target
 -RefuseManualStop=yes
 ConditionKernelCommandLine=!audit=0
- Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
+ ConditionKernelCommandLine=!audit=off
--- a/audit-ausearch-do-not-require-tclass.patch
+++ b/audit-ausearch-do-not-require-tclass.patch
@ -9,9 +9,11 @@ Signed-off-by: Tony Jones <tonyj@suse.de>
 src/ausearch-parse.c |   18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
--- a/src/ausearch-parse.c
+Index: audit-3.0.9/src/ausearch-parse.c
-+++ b/src/ausearch-parse.c
+===================================================================
-@@ -2061,17 +2061,15 @@ other_avc:
+--- audit-3.0.9.orig/src/ausearch-parse.c
 +++ audit-3.0.9/src/ausearch-parse.c
@@ -2062,17 +2062,15 @@ other_avc:
 	// Now get the class...its at the end, so we do things different
 	str = strstr(term, "tclass=");
--- a/audit-no-gss.patch
+++ b/audit-no-gss.patch
@ -9,8 +9,10 @@ but need manual removal here.
 init.d/auditd.conf |    3 ---
 1 file changed, 3 deletions(-)
--- a/init.d/auditd.conf
+Index: audit-3.0.9/init.d/auditd.conf
-+++ b/init.d/auditd.conf
+===================================================================
 --- audit-3.0.9.orig/init.d/auditd.conf
 +++ audit-3.0.9/init.d/auditd.conf
@@ -30,8 +30,6 @@ tcp_max_per_addr = 1
 ##tcp_client_ports = 1024-65535
 tcp_client_max_idle = 0
@ -18,5 +20,5 @@ but need manual removal here.
 -krb5_principal = auditd
 -##krb5_key_file = /etc/audit/audit.key
 distribute_network = no
- q_depth = 1200
+ q_depth = 2000
 overflow_action = SYSLOG
--- a/audit-secondary.changes
+++ b/audit-secondary.changes
@ -1,3 +1,41 @@
 -------------------------------------------------------------------
 Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.de>
 - Enable build for ARM (32-bit)
 - Update to version 3.0.9:
  * In auditd, release the async flush lock on stop
  * Don't allow auditd to log directly into /var/log when log_group is non-zero
  * Cleanup krb5 memory leaks on error paths
  * Update auditd.cron to use auditctl --signal
  * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
  * In auparse, special case kernel module name interpretation
  * If overflow_action is ignore, don't treat as an error
  (3.0.8)
  * Add gcc function attributes for access and allocation
  * Add some more man pages (MIZUTA Takeshi)
  * In auditd, change the reinitializing of the plugin queue
  * Fix path normalization in auparse (Sergio Correia)
  * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
  * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
  * Drop ProtectHome from auditd.service as it interferes with rules
  (3.0.7)
  * Add support for the OPENAT2 record type (Richard Guy Briggs)
  * In auditd, close the logging file descriptor when logging is suspended
  * Update the capabilities lookup table to match 5.16 kernel
  * Improve interpretation of renamat & faccessat family of syscalls
  * Update syscall table for the 5.16 kernel
  * Reduce dependency from initscripts to initscripts-service
 - Refresh patches (context adjusment):
  * audit-allow-manual-stop.patch
  * audit-ausearch-do-not-require-tclass.patch
  * audit-no-gss.patch
  * enable-stop-rules.patch
  * fix-hardened-service.patch
  * harden_auditd.service.patch
 - Remove patches (fixed by version update):
  * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
  * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
 -------------------------------------------------------------------
 Mon Apr 11 20:44:34 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
--- a/audit-secondary.spec
+++ b/audit-secondary.spec
@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define 	_name audit
 Name:           audit-secondary
-Version:        3.0.6
+Version:        3.0.9
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@ -42,8 +42,6 @@ Patch9:         fix-hardened-service.patch
 Patch10:        enable-stop-rules.patch
 Patch11:        create-augenrules-service.patch
 Patch12:        audit-userspace-517-compat.patch
 Patch13:        audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
 Patch14:        libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  kernel-headers >= 2.6.30
@ -146,6 +144,9 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %configure \
 %ifarch aarch64
 	--with-aarch64 \
 %endif
 %ifarch arm
 	--with-arm \
 %endif
 	--enable-systemd \
 	--libexecdir=%{_libexecdir}/%{_name} \
--- a/audit.changes
+++ b/audit.changes
@ -1,3 +1,41 @@
 -------------------------------------------------------------------
 Thu Dec 15 19:17:35 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.de>
 - Enable build for ARM (32-bit)
 - Update to version 3.0.9:
  * In auditd, release the async flush lock on stop
  * Don't allow auditd to log directly into /var/log when log_group is non-zero
  * Cleanup krb5 memory leaks on error paths
  * Update auditd.cron to use auditctl --signal
  * In auparse, if too many fields, realloc array bigger (Paul Wolneykien)
  * In auparse, special case kernel module name interpretation
  * If overflow_action is ignore, don't treat as an error
  (3.0.8)
  * Add gcc function attributes for access and allocation
  * Add some more man pages (MIZUTA Takeshi)
  * In auditd, change the reinitializing of the plugin queue
  * Fix path normalization in auparse (Sergio Correia)
  * In libaudit, handle ECONNREFUSED for network uid/gid lookups (Enzo Matsumiya)
  * In audisp-remote, fix hang with disk_low_action=suspend (Enzo Matsumiya)
  * Drop ProtectHome from auditd.service as it interferes with rules
  (3.0.7)
  * Add support for the OPENAT2 record type (Richard Guy Briggs)
  * In auditd, close the logging file descriptor when logging is suspended
  * Update the capabilities lookup table to match 5.16 kernel
  * Improve interpretation of renamat & faccessat family of syscalls
  * Update syscall table for the 5.16 kernel
  * Reduce dependency from initscripts to initscripts-service
 - Refresh patches (context adjusment):
  * audit-allow-manual-stop.patch
  * audit-ausearch-do-not-require-tclass.patch
  * audit-no-gss.patch
  * enable-stop-rules.patch
  * fix-hardened-service.patch
  * harden_auditd.service.patch
 - Remove patches (fixed by version update):
  * libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
  * audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
 -------------------------------------------------------------------
 Mon Apr 11 20:45:33 UTC 2022 - Jan Engelhardt <jengelh@inai.de>
@ -1013,8 +1051,8 @@ Mon May 11 17:20:28 CEST 2009 - tonyj@suse.de
  - Add --exit search option to ausearch
  - Fix parsing config file when kerberos is disabled
 -------------------------------------------------------------------
 -------------------------------------------------------------------
 Tue Apr 14 14:52:39 CEST 2009 - dmueller@suse.de
 - refresh patches
--- a/audit.spec
+++ b/audit.spec
@ -17,7 +17,7 @@
 Name:           audit
-Version:        3.0.6
+Version:        3.0.9
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@ -85,6 +85,9 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %configure \
 %ifarch aarch64
 	--with-aarch64 \
 %endif
 %ifarch arm
 	--with-arm \
 %endif
 	--enable-systemd \
 	--libexecdir=%{_libexecdir}/%{name} \
--- a/create-augenrules-service.patch
+++ b/create-augenrules-service.patch
@ -1,7 +1,7 @@
-Index: audit-3.0.6/init.d/augenrules.service
+Index: audit-3.0.9/init.d/augenrules.service
 ===================================================================
 --- /dev/null
-+++ audit-3.0.6/init.d/augenrules.service
+++ audit-3.0.9/init.d/augenrules.service
@@ -0,0 +1,29 @@
 +[Unit]
 +Description=auditd rules generation
@ -32,13 +32,13 @@ Index: audit-3.0.6/init.d/augenrules.service
 +ProtectKernelTunables=true
 +ProtectKernelLogs=true
 +ReadWritePaths=/etc/audit
-Index: audit-3.0.6/init.d/auditd.service
+Index: audit-3.0.9/init.d/auditd.service
 ===================================================================
--- audit-3.0.6.orig/init.d/auditd.service
+--- audit-3.0.9.orig/init.d/auditd.service
-+++ audit-3.0.6/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
-@@ -13,15 +13,16 @@ Before=sysinit.target shutdown.target
+@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0
- Conflicts=shutdown.target
+ ConditionKernelCommandLine=!audit=off
- ConditionKernelCommandLine=!audit=0
+ 
 Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
 +Requires=augenrules.service
 +# This unit clears rules on stop, so make sure that augenrules runs again
@ -57,7 +57,7 @@ Index: audit-3.0.6/init.d/auditd.service
 #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
 # By default we clear the rules on exit. To disable this, comment
 # the next line after copying the file to /etc/systemd/system/auditd.service
-@@ -45,7 +46,6 @@ ProtectClock=true
+@@ -46,7 +47,6 @@ ProtectClock=true
 ProtectKernelTunables=true
 ProtectKernelLogs=true
 # end of automatic additions 
@ -65,28 +65,29 @@ Index: audit-3.0.6/init.d/auditd.service
 [Install]
 WantedBy=multi-user.target
-Index: audit-3.0.6/init.d/Makefile.am
+Index: audit-3.0.9/init.d/Makefile.am
 ===================================================================
--- audit-3.0.6.orig/init.d/Makefile.am
+--- audit-3.0.9.orig/init.d/Makefile.am
-+++ audit-3.0.6/init.d/Makefile.am
+++ audit-3.0.9/init.d/Makefile.am
-@@ -26,7 +26,7 @@ EXTRA_DIST = auditd.init auditd.service
+@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service
 	auditd.cron libaudit.conf auditd.condrestart \
 	auditd.reload auditd.restart auditd.resume \
 	auditd.rotate auditd.state auditd.stop \
-	audit-stop.rules augenrules
+-	audit-stop.rules augenrules audit-functions
-+	audit-stop.rules augenrules augenrules.service
+	audit-stop.rules augenrules audit-functions \
 +	augenrules.service
 libconfig = libaudit.conf
 if ENABLE_SYSTEMD
 initdir = /usr/lib/systemd/system
-@@ -53,6 +53,7 @@ if ENABLE_SYSTEMD
+@@ -54,6 +55,7 @@ if ENABLE_SYSTEMD
 	mkdir -p ${DESTDIR}${initdir}
 	mkdir -p ${DESTDIR}${legacydir}
 	mkdir -p ${DESTDIR}${libexecdir}
 	$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
 +	$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
-@@ -70,6 +71,7 @@ uninstall-hook:
+@@ -72,6 +74,7 @@ uninstall-hook:
 	rm ${DESTDIR}${sysconfdir}/${libconfig}
 if ENABLE_SYSTEMD
 	rm ${DESTDIR}${initdir}/auditd.service
--- a/enable-stop-rules.patch
+++ b/enable-stop-rules.patch
@ -11,11 +11,11 @@ Disable audit when auditd.service stops, so kauditd stops logging/running.
 Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
-Index: audit-3.0.6/init.d/auditd.service
+Index: audit-3.0.9/init.d/auditd.service
 ===================================================================
--- audit-3.0.6.orig/init.d/auditd.service
+--- audit-3.0.9.orig/init.d/auditd.service
-+++ audit-3.0.6/init.d/auditd.service
+++ audit-3.0.9/init.d/auditd.service
-@@ -23,9 +23,9 @@ ExecStart=/sbin/auditd
+@@ -25,9 +25,9 @@ ExecStart=/sbin/auditd
 ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
 ExecStartPost=-/sbin/augenrules --load
 #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
--- a/fix-hardened-service.patch
+++ b/fix-hardened-service.patch
@ -12,9 +12,11 @@ Also remove PrivateDevices=true so /dev/* are exposed to auditd.
 Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
--- a/init.d/auditd.service
+Index: audit-3.0.9/init.d/auditd.service
-+++ b/init.d/auditd.service
+===================================================================
-@@ -37,12 +37,12 @@ RestrictRealtime=true
+--- audit-3.0.9.orig/init.d/auditd.service
 +++ audit-3.0.9/init.d/auditd.service
@@ -41,12 +41,12 @@ RestrictRealtime=true
 # added automatically, for details please see
 # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 ProtectSystem=full
--- a/harden_auditd.service.patch
+++ b/harden_auditd.service.patch
@ -1,8 +1,10 @@
--- a/init.d/auditd.service
+Index: audit-3.0.9/init.d/auditd.service
-+++ b/init.d/auditd.service
+===================================================================
-@@ -34,6 +34,15 @@ ProtectControlGroups=true
+--- audit-3.0.9.orig/init.d/auditd.service
 +++ audit-3.0.9/init.d/auditd.service
@@ -38,6 +38,15 @@ LockPersonality=true
 ProtectControlGroups=true
 ProtectKernelModules=true
 ProtectHome=true
 RestrictRealtime=true
 +# added automatically, for details please see
 +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort