diff --git a/audisp-remote-fix-hang-with-disk_low_action-suspend-.patch b/audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
new file mode 100644
index 0000000..8d03c49
--- /dev/null
+++ b/audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
@@ -0,0 +1,31 @@
+From b6c474b22f6e76969221138d0d9ec8d97cb217ee Mon Sep 17 00:00:00 2001
+From: Enzo Matsumiya
+Date: Thu, 24 Mar 2022 23:38:24 -0300
+Subject: [PATCH] audisp-remote: fix hang with disk_low_action=suspend (#254)
+
+If auditd.conf has disk_low_action=suspend and the partition where the
+log is triggers the disk_low_action, audisp-remote will hang in
+infinite loop.
+
+Fixes: 10dde069d1ac ("Dont look for stop on exit while draining the queue")
+Signed-off-by: Enzo Matsumiya
+---
+ audisp/plugins/remote/audisp-remote.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
+index b7e610e8ca32..3be91b3d5190 100644
+--- a/audisp/plugins/remote/audisp-remote.c
++++ b/audisp/plugins/remote/audisp-remote.c
+@@ -619,7 +619,7 @@ int main(int argc, char *argv[])
+
+ // If stdin is a pipe, then flush the queue
+ if (is_pipe(0)) {
+- while (q_queue_length(queue) && transport_ok)
++ while (q_queue_length(queue) && !suspend && transport_ok)
+ send_one(queue);
+ }
+
+--
+2.35.1
+
diff --git a/audit-secondary.changes b/audit-secondary.changes
index 098dda5..88924e9 100644
--- a/audit-secondary.changes
+++ b/audit-secondary.changes
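Review bot: The added `!suspend` test in the exit-time flush loop of audisp/plugins/remote/audisp-remote.c ends the drain silently, so events still in `queue` when the plugin exits while suspended are never passed to `send_one()` and nothing records that. For a plugin that forwards audit records to a remote collector, an operator would want that gap to be visible; whether the queued events survive a restart cannot be seen from this hunk. I would add a comment above the loop such as `// Do not drain while suspended; the loop would otherwise never terminate (#254)` and report leftovers after it, for example `if (suspend && q_queue_length(queue)) syslog(LOG_WARNING, "exiting while suspended with events still queued");`, assuming syslog() is what the file already uses for logging. main() begins and ends outside the hunk.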
@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Sat Mar 26 11:14:19 UTC 2022 - Stephan Kulow
+
+- Fix buildrequire for openldap2-devel - audit doesn't require the
+ (outdated) C++ binding, but the C headers that happen to be pulled
+ in by buildrequiring the C++ devel package
+
+-------------------------------------------------------------------
+Fri Mar 25 04:56:19 UTC 2022 - Enzo Matsumiya
+
+- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645)
+ * add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
+- Fix hang in audisp-remote with disk_low_action=suspend (bsc#1196517)
+ * add audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
+
+-------------------------------------------------------------------
+Wed Mar 23 16:37:06 UTC 2022 - Dirk Müller
+
+- add audit-userspace-517-compat.patch
+
 -------------------------------------------------------------------
 Mon Nov 29 13:13:56 UTC 2021 - Fabian Vogt
 
diff --git a/audit-secondary.spec b/audit-secondary.spec
index efed795..7c83104 100644
--- a/audit-secondary.spec
+++ b/audit-secondary.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package audit-secondary
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -41,12 +41,15 @@ Patch8: change-default-log_format.patch
 Patch9: fix-hardened-service.patch
 Patch10: enable-stop-rules.patch
 Patch11: create-augenrules-service.patch
+Patch12: audit-userspace-517-compat.patch
+Patch13: audisp-remote-fix-hang-with-disk_low_action-suspend-.patch
+Patch14: libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
 BuildRequires: audit-devel = %{version}
 BuildRequires: autoconf >= 2.12
 BuildRequires: gcc-c++
 BuildRequires: kernel-headers >= 2.6.30
-BuildRequires: libldapcpp-devel
 BuildRequires: libtool
+BuildRequires: openldap2-devel
 BuildRequires: pkgconfig
 %if %{with python2}
 BuildRequires: python2-devel
diff --git a/audit-userspace-517-compat.patch b/audit-userspace-517-compat.patch
new file mode 100644
index 0000000..6d3b72e
--- /dev/null
+++ b/audit-userspace-517-compat.patch
@@ -0,0 +1,38 @@
+From: Sergei Trofimovich
+Date: Wed, 23 Mar 2022 07:27:05 +0000
+Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf
+References: https://github.com/linux-audit/audit-userspace/issues/252
+Git-commit: https://github.com/linux-audit/audit-userspace/pull/253/commits/beed138222421a2eb4212d83cb889404bd7efc49
+Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git]
+Patch-mainline: submitted for review upstream
+
+As it's a flexible array generated code was never safe to use.
+With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574
+change it's a build failure now:
+
+ audit> audit_wrap.c:5010:15: error: invalid use of flexible array member
+ audit> 5010 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
+ audit> | ^
+
+Let's avoid setter generation entirely.
+
+Closes: https://github.com/linux-audit/audit-userspace/issues/252
+---
+ bindings/swig/src/auditswig.i | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
+index 21aafca31..9a2c5661d 100644
+--- a/bindings/swig/src/auditswig.i
++++ b/bindings/swig/src/auditswig.i
+@@ -39,6 +39,10 @@ signed
+ #define __attribute(X) /*nothing*/
+ typedef unsigned __u32;
+ typedef unsigned uid_t;
++/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not:
++ * generating setters against them: https://github.com/swig/swig/issues/1699
++ */
++%ignore audit_rule_data::buf;
+ %include "/usr/include/linux/audit.h"
+ #define __extension__ /*nothing*/
+ %include
diff --git a/audit.spec b/audit.spec
index 4f7a1a5..98109a9 100644
--- a/audit.spec
+++ b/audit.spec
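Review bot: The comment added above `%ignore audit_rule_data::buf;` in bindings/swig/src/auditswig.i says only that setters are not generated, but `%ignore` hides the member from the generated bindings altogether, so the getter goes as well. The comment should say that, and lose the stray colon after "by not", so nobody later looks for a `buf` accessor that is expected to exist. Suggested wording: `/* SWIG cannot handle C99 flexible array members (https://github.com/swig/swig/issues/1699); hide audit_rule_data::buf from the bindings entirely. */`. The `Git-repo:` header of the patch also still holds its template placeholder text.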
@@ -1,7 +1,7 @@
 #
 # spec file for package audit
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
diff --git a/libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch b/libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
new file mode 100644
index 0000000..cce6813
--- /dev/null
+++ b/libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch
@@ -0,0 +1,64 @@
+From 614edbe52180698c5b447ff4c3e7031ff0721683 Mon Sep 17 00:00:00 2001
+From: Enzo Matsumiya
+Date: Thu, 24 Mar 2022 23:36:53 -0300
+Subject: [PATCH] libaudit: fix unhandled ECONNREFUSED from getpwnam() (#255)
+
+From: Luis Galdos
+
+In some very specific scenarios with LDAP + network issues,
+getpwnam() and getgrnam() might return ECONNREFUSED.
+
+Up in the call chain to audit_name_to_uid()/audit_name_to_gid(),
+ECONNREFUSED will be handled as kernel auditd is not running,
+showing "The audit system is disabled" and stopping parsing rules.
+
+This patch manually sets errno to ENOENT after those affected calls, in
+case they fail, so rule parsing can continue cleanly.
+
+Signed-off-by: Enzo Matsumiya
+---
+ lib/libaudit.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/lib/libaudit.c b/lib/libaudit.c
+index 54e276156ef0..41303c244aee 100644
+--- a/lib/libaudit.c
++++ b/lib/libaudit.c
+@@ -1830,9 +1830,17 @@ static int audit_name_to_uid(const char *name, uid_t *uid)
+ {
+ struct passwd *pw;
+
++ errno = 0;
+ pw = getpwnam(name);
+- if (pw == NULL)
++ if (pw == NULL) {
++ /* getpwnam() might return ECONNREFUSED in some very
++ * specific cases when using LDAP.
++ * Manually set it to ENOENT so callers don't get confused
++ * with netlink's ECONNREFUSED */
++ if (errno == ECONNREFUSED)
++ errno = ENOENT;
+ return 1;
++ }
+
+ memset(pw->pw_passwd, ' ', strlen(pw->pw_passwd));
+ *uid = pw->pw_uid;
+@@ -1843,9 +1851,14 @@ static int audit_name_to_gid(const char *name, gid_t *gid)
+ {
+ struct group *gr;
+
++ errno = 0;
+ gr = getgrnam(name);
+- if (gr == NULL)
++ if (gr == NULL) {
++ /* See above for explanation. */
++ if (errno == ECONNREFUSED)
++ errno = ENOENT;
+ return 1;
++ }
+
+ *gid = gr->gr_gid;
+ return 0;
+--
+2.35.1
+
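Review bot: In audit_name_to_uid() the remap of ECONNREFUSED to ENOENT makes an unreachable directory service indistinguishable from a user that does not exist, and nothing is logged when it happens. The commit message says rule parsing then continues, so a rule that names a user or group could be skipped during an LDAP outage without leaving a trace; how the callers report ENOENT is outside the hunk. I would log before remapping, for example `audit_msg(LOG_WARNING, "getpwnam(%s): name service refused connection", name);`, assuming audit_msg() is in scope in lib/libaudit.c as it is elsewhere in libaudit. The same applies to the getgrnam() branch in audit_name_to_gid(), where `/* See above for explanation. */` would be clearer if it named audit_name_to_uid().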