audit/libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch

From 614edbe52180698c5b447ff4c3e7031ff0721683 Mon Sep 17 00:00:00 2001
From: Enzo Matsumiya <ematsumiya@suse.com>
Date: Thu, 24 Mar 2022 23:36:53 -0300
Subject: [PATCH] libaudit: fix unhandled ECONNREFUSED from getpwnam() (#255)

From: Luis Galdos <luis.galdos@suse.com>

In some very specific scenarios with LDAP + network issues,
getpwnam() and getgrnam() might return ECONNREFUSED.

Up in the call chain to audit_name_to_uid()/audit_name_to_gid(),
ECONNREFUSED will be handled as kernel auditd is not running,
showing "The audit system is disabled" and stopping parsing rules.

This patch manually sets errno to ENOENT after those affected calls, in
case they fail, so rule parsing can continue cleanly.

Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
---
 lib/libaudit.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/lib/libaudit.c b/lib/libaudit.c
index 54e276156ef0..41303c244aee 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1830,9 +1830,17 @@ static int audit_name_to_uid(const char *name, uid_t *uid)
 {
 	struct passwd *pw;
 
+	errno = 0;
 	pw = getpwnam(name);
-	if (pw == NULL)
+	if (pw == NULL) {
+		/* getpwnam() might return ECONNREFUSED in some very
+		 * specific cases when using LDAP.
+		 * Manually set it to ENOENT so callers don't get confused
+		 * with netlink's ECONNREFUSED */
+		if (errno == ECONNREFUSED)
+			errno = ENOENT;
 		return 1;
+	}
 
 	memset(pw->pw_passwd, ' ', strlen(pw->pw_passwd));
 	*uid = pw->pw_uid;
@@ -1843,9 +1851,14 @@ static int audit_name_to_gid(const char *name, gid_t *gid)
 {
 	struct group *gr;
 
+	errno = 0;
 	gr = getgrnam(name);
-	if (gr == NULL)
+	if (gr == NULL) {
+		/* See above for explanation. */
+		if (errno == ECONNREFUSED)
+			errno = ENOENT;
 		return 1;
+	}
 
 	*gid = gr->gr_gid;
 	return 0;
-- 
2.35.1