From affdcc0b01b2d3e5dc735c22b1b0996e5400d6d11670652d09267ae1a4b35af2 Mon Sep 17 00:00:00 2001
From: Enzo Matsumiya
Date: Fri, 25 Mar 2022 20:12:53 +0000
Subject: [PATCH] Accepting request 964942 from home:ematsumiya:branches:security

- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)
  * add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
- Fix hang in audisp-remote with disk_low_action=suspend (bsc#1196517)
  * add audisp-remote-fix-hang-with-disk_low_action-suspend-.patch

OBS-URL: https://build.opensuse.org/request/show/964942
OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=136
---
 ...x-hang-with-disk_low_action-suspend-.patch | 31 +++++++++
 audit-secondary.changes | 8 +++
 audit-secondary.spec | 2 +
 ...andled-ECONNREFUSED-from-getpwnam-25.patch | 64 +++++++++++++++++++
 4 files changed, 105 insertions(+)
 create mode 100644 audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
 create mode 100644 libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch

diff --git a/audisp-remote-fix-hang-with-disk_low_action-suspend-.patch b/audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
new file mode 100644
index 0000000..8d03c49
--- /dev/null
+++ b/audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
@@ -0,0 +1,31 @@
+From b6c474b22f6e76969221138d0d9ec8d97cb217ee Mon Sep 17 00:00:00 2001
+From: Enzo Matsumiya
+Date: Thu, 24 Mar 2022 23:38:24 -0300
+Subject: [PATCH] audisp-remote: fix hang with disk_low_action=suspend (#254)
+
+If auditd.conf has disk_low_action=suspend and the partition where the
+log is triggers the disk_low_action, audisp-remote will hang in
+infinite loop.
+
+Fixes: 10dde069d1ac ("Dont look for stop on exit while draining the queue")
+Signed-off-by: Enzo Matsumiya
+---
+ audisp/plugins/remote/audisp-remote.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
+index b7e610e8ca32..3be91b3d5190 100644
+--- a/audisp/plugins/remote/audisp-remote.c
++++ b/audisp/plugins/remote/audisp-remote.c
+@@ -619,7 +619,7 @@ int main(int argc, char *argv[])
+ 
+ // If stdin is a pipe, then flush the queue
+ if (is_pipe(0)) {
+- while (q_queue_length(queue) && transport_ok)
++ while (q_queue_length(queue) && !suspend && transport_ok)
+ send_one(queue);
+ }
+ 
+-- 
+2.35.1
+
diff --git a/audit-secondary.changes b/audit-secondary.changes
index eb9deb0..764497d 100644
--- a/audit-secondary.changes
+++ b/audit-secondary.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Mar 25 04:56:19 UTC 2022 - Enzo Matsumiya
+
+- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)
+ * add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
+- Fix hang in audisp-remote with disk_low_action=suspend (bsc#1196517)
+ * add audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
+
 -------------------------------------------------------------------
 Wed Mar 23 16:37:06 UTC 2022 - Dirk Müller
 
diff --git a/audit-secondary.spec b/audit-secondary.spec
index ca9799c..4626a78 100644
--- a/audit-secondary.spec
+++ b/audit-secondary.spec
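Review bot: Adding `!suspend` to the drain condition stops the spin, but a suspended plugin now returns from main() with whatever is still in `queue` unsent, and nothing in the hunk records that those audit events were dropped. A log line before exit reporting the remaining `q_queue_length(queue)` when `suspend` is set would let an operator see the gap instead of discovering missing events later. The loop also deserves a comment explaining the guard, e.g. `// Do not drain while suspended: send_one() cannot deliver, so the loop would never terminate`. The enclosing main() starts and ends outside the hunk, and the declaration of `suspend` is not visible here, so how and where it is set cannot be checked from this patch.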
@@ -42,6 +42,8 @@ Patch9: fix-hardened-service.patch
 Patch10: enable-stop-rules.patch
 Patch11: create-augenrules-service.patch
 Patch12: audit-userspace-517-compat.patch
+Patch13: audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
+Patch14: libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
 BuildRequires: audit-devel = %{version}
 BuildRequires: autoconf >= 2.12
 BuildRequires: gcc-c++
diff --git a/libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch b/libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
new file mode 100644
index 0000000..cce6813
--- /dev/null
+++ b/libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
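Review bot: The hunk declares Patch13 and Patch14, and the diffstat shows exactly two insertions in audit-secondary.spec, so no corresponding `%patch13`/`%patch14` lines were added to %prep. Unless %prep applies the series with `%autosetup` or `%autopatch` (not visible in this hunk), both patches are listed but never applied and the two bsc fixes named in the changelog would silently not ship. Worth confirming against the %prep section before accepting the request.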
@@ -0,0 +1,64 @@
+From 614edbe52180698c5b447ff4c3e7031ff0721683 Mon Sep 17 00:00:00 2001
+From: Enzo Matsumiya
+Date: Thu, 24 Mar 2022 23:36:53 -0300
+Subject: [PATCH] libaudit: fix unhandled ECONNREFUSED from getpwnam() (#255)
+
+From: Luis Galdos
+
+In some very specific scenarios with LDAP + network issues,
+getpwnam() and getgrnam() might return ECONNREFUSED.
+
+Up in the call chain to audit_name_to_uid()/audit_name_to_gid(),
+ECONNREFUSED will be handled as kernel auditd is not running,
+showing "The audit system is disabled" and stopping parsing rules.
+
+This patch manually sets errno to ENOENT after those affected calls, in
+case they fail, so rule parsing can continue cleanly.
+
+Signed-off-by: Enzo Matsumiya
+---
+ lib/libaudit.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/lib/libaudit.c b/lib/libaudit.c
+index 54e276156ef0..41303c244aee 100644
+--- a/lib/libaudit.c
++++ b/lib/libaudit.c
+@@ -1830,9 +1830,17 @@ static int audit_name_to_uid(const char *name, uid_t *uid)
+ {
+ struct passwd *pw;
+ 
++ errno = 0;
+ pw = getpwnam(name);
+- if (pw == NULL)
++ if (pw == NULL) {
++ /* getpwnam() might return ECONNREFUSED in some very
++ * specific cases when using LDAP.
++ * Manually set it to ENOENT so callers don't get confused
++ * with netlink's ECONNREFUSED */
++ if (errno == ECONNREFUSED)
++ errno = ENOENT;
+ return 1;
++ }
+ 
+ memset(pw->pw_passwd, ' ', strlen(pw->pw_passwd));
+ *uid = pw->pw_uid;
+@@ -1843,9 +1851,14 @@ static int audit_name_to_gid(const char *name, gid_t *gid)
+ {
+ struct group *gr;
+ 
++ errno = 0;
+ gr = getgrnam(name);
+- if (gr == NULL)
++ if (gr == NULL) {
++ /* See above for explanation. */
++ if (errno == ECONNREFUSED)
++ errno = ENOENT;
+ return 1;
++ }
+ 
+ *gid = gr->gr_gid;
+ return 0;
+-- 
+2.35.1
+
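Review bot: Rewriting ECONNREFUSED to ENOENT in audit_name_to_uid() and audit_name_to_gid() makes an unreachable directory backend indistinguishable from a name that does not exist, so while LDAP is down a rule naming a valid user or group is presumably rejected as unknown and the real cause is gone by the time the caller reports it. Logging the original errno before remapping it (via the library's audit_msg() logger, if that is what lib/libaudit.c uses) would preserve that for an operator trying to understand why a rule is missing. The remap is also narrow: other errno values a network-backed NSS module can leave behind on failure, ETIMEDOUT or EIO for instance, still pass through and presumably hit the same mis-classification the commit message describes, so matching on "errno is set and is not a lookup-miss" may be the more robust rule. The same check is duplicated in both functions; a static helper such as `static void nss_errno_fixup(void) { if (errno == ECONNREFUSED) errno = ENOENT; }` would keep the two in step. Both enclosing functions end outside the inner hunks.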