diff --git a/audit.spec b/audit.spec
index ee6a44ab5b994cc2836d2ebbd697aa0a7f67cf0c..3e7294f152047fe4628a26be5cd4e709f08821d5 100644
--- a/audit.spec
+++ b/audit.spec
@@ -2,7 +2,7 @@ Summary: User space tools for kernel auditing
 Name: audit
 Epoch: 1
 Version: 3.1.2
-Release: 12
+Release: 13
 License: GPLv2+ and LGPLv2+
 URL: https://people.redhat.com/sgrubb/audit/
 Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@@ -65,6 +65,19 @@ Patch51: backport-make-slist_last-a-static-function.patch
 Patch52: backport-code-cleanup-constification-deadcode-removal-lower-s.patch
 # https://github.com/linux-audit/audit-userspace/commit/8c7eaa7ead6c70486623674c19d649f3831578ad
 Patch53: backport-Implicit-builtin-functions.patch
+Patch55: backport-Fix-allocation-failure-in-list_append.patch
+Patch56: backport-Fix-possible-segfault-in-auparse_interp_adjust_type.patch
+Patch57: backport-merged.patch
+Patch58: backport-Verify-the-rule-is-empty-before-adding-a-watch.patch
+Patch59: backport-IDS-safe_exec-returns-without-confirming-child-succe.patch
+Patch60: backport-safe_exec-exits-the-child-process-directly-on-execve.patch
+Patch61: backport-Invalid-magic-number-on-remote-reply-leaves-connecti.patch
+Patch62: backport-AVC-parser-overwrites-existing-syscall-success-statu.patch
+Patch63: backport-Re-enable-missing-audit-event-on-reconfiguration-fai.patch
+Patch64: backport-Make-h_errno-more-reliable-and-remove-FIXME.patch
+Patch65: backport-Path-normalization-fix-segmentation-fault-for-.-hand.patch
+Patch66: backport-Adjust-path_norm-for-malformed-input.patch
+Patch67: backport-Add-missing-reports-to-aureport.patch
 BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29
 BuildRequires: openldap-devel krb5-devel libcap-ng-devel
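Review bot: The Patch list jumps from Patch53 straight to Patch55, so slot 54 is unused with no comment saying why; renumber from 54 or add a one-line note. The series also has order dependencies that only the numbering enforces: Patch57 (`backport-merged.patch`) completes an edit that Patch56 leaves half-done in `auparse/nvlist.c`, and Patch66 rewrites the loop Patch65 introduces in `auparse/interpret.c`. A spec comment beside those pairs, e.g. `# Patch57 must follow Patch56 (restores the return dropped there)`, would save the next packager a failed build when reordering.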
@@ -406,6 +419,9 @@ fi %attr(644,root,root) %{_mandir}/man8/*.8.gz %changelog +* Thu Nov 20 2025 xuraoqing - 1:3.1.2-13 +- backport patches to fix bug + * Tue Aug 26 2025 jchzhou - 1:3.1.2-12 - backport patches for fixing Wimplicit-function-declaration, Wbuiltin-declaration-mismatch when building with newer compilers diff --git a/backport-AVC-parser-overwrites-existing-syscall-success-statu.patch b/backport-AVC-parser-overwrites-existing-syscall-success-statu.patch new file mode 100644 index 0000000000000000000000000000000000000000..3b67afd132a13e25052f41fb0e4383b8f6764938 --- /dev/null +++ b/backport-AVC-parser-overwrites-existing-syscall-success-statu.patch 
@@ -0,0 +1,43 @@
+From 5ccb9195c74ff76d235493dd3a3abaf38de90725 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Sat, 2 Aug 2025 23:23:37 -0400
+Subject: [PATCH] AVC parser overwrites existing syscall success status
+
+parse_avc assigns s->success based on the AVC message whenever a
+success filter is set, even if s->success already contains the
+authoritative syscall result.
+
+Updated parse_avc so the AVC result only sets s->success when it hasn't
+already been determined, preserving earlier success values.
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/5ccb9195c74ff76d235493dd3a3abaf38de90725
+Conflict:NA
+
+---
+ src/ausearch-parse.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
+index 7c12c6c3..e7f1f132 100644
+--- a/src/ausearch-parse.c
++++ b/src/ausearch-parse.c
+@@ -1959,12 +1959,12 @@ static int parse_avc(const lnode *n, search_items *s)
+ term = n->message;
+ goto other_avc;
+ }
+- if (event_success != S_UNSET) {
++ // Do not override syscall success if already set.
++ // Syscall pass/fail is the authoritative value.
++ if (event_success != S_UNSET && s->success == S_UNSET) {
+ *term = 0;
+- // FIXME. Do not override syscall success if already
+- // set. Syscall pass/fail is the authoritative value.
+ if (strstr(str, "denied")) {
+- s->success = S_FAILED;
++ s->success = S_FAILED;
+ an.avc_result = AVC_DENIED;
+ } else {
+ s->success = S_SUCCESS;
+--
+2.48.1
+
diff --git a/backport-Add-missing-reports-to-aureport.patch b/backport-Add-missing-reports-to-aureport.patch
new file mode 100644
index 0000000000000000000000000000000000000000..48ff02b8c569a701b403536b552d138f12210130
--- /dev/null
+++ b/backport-Add-missing-reports-to-aureport.patch
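Review bot: The widened guard `if (event_success != S_UNSET && s->success == S_UNSET)` now also skips `*term = 0;` and `an.avc_result = AVC_DENIED;`, so whenever the SYSCALL record has already fixed `s->success` the AVC outcome is no longer recorded for that event at all, which is more than the commit message claims ("only sets s->success when it hasn't already been determined"). If `an.avc_result` is consulted by later matching (it is maintained alongside the success value here), that changes what a success-filtered search on AVC records returns. Keep the outer condition as it was and guard only the two `s->success` stores, as below. parse_avc starts and ends outside the hunk, so the rest of the else branch is not visible here.
```c
		if (event_success != S_UNSET) {
			*term = 0;
			if (strstr(str, "denied")) {
				// Syscall pass/fail is authoritative; fill in only if unset
				if (s->success == S_UNSET)
					s->success = S_FAILED;
				an.avc_result = AVC_DENIED;
			} else {
				if (s->success == S_UNSET)
					s->success = S_SUCCESS;
				// … unchanged: remainder of the else branch …
```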
@@ -0,0 +1,178 @@
+From 4dbed28a8d0588fa82efc90c2ecb94494ad7956a Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Fri, 8 Aug 2025 17:46:55 -0400
+Subject: [PATCH] Add missing reports to aureport
+
+The report switch falls back to UNIMPLEMENTED for summary views of
+anomaly, response, and crypto categories, leaving those report modes
+unusable. Implemented aggregation helpers for anomaly, response,
+and crypto reports and integrated them into per-event handling,
+replacing previous placeholder branches.
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/4dbed28a8d0588fa82efc90c2ecb94494ad7956a
+Conflict:NA
+
+---
+ src/aureport-scan.c | 90 ++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 77 insertions(+), 13 deletions(-)
+
+diff --git a/src/aureport-scan.c b/src/aureport-scan.c
+index 93f03d69..88ca2806 100644
+--- a/src/aureport-scan.c
++++ b/src/aureport-scan.c
+@@ -1,6 +1,6 @@
+ /*
+ * aureport-scan.c - Extract interesting fields and check for match
+-* Copyright (c) 2005-06,2008,2011,2014-15 Red Hat Inc., Durham, North Carolina.
++* Copyright (c) 2005-06,2008,2011,2014-15 Red Hat Inc.
+ * All Rights Reserved.
+ *
+ * This software may be freely redistributed and/or modified under the
+@@ -36,6 +36,9 @@
+ static void do_summary_total(llist *l);
+ static int per_event_summary(llist *l);
+ static int per_event_detailed(llist *l);
++static void aggregate_anom_item(llist *l);
++static void aggregate_resp_item(llist *l);
++static void aggregate_crypto_item(llist *l);
+
+ summary_data sd;
+
+@@ -108,7 +111,65 @@ void destroy_counters(void)
+ ilist_clear(&sd.resp_list);
+ ilist_create(&sd.crypto_list);
+ ilist_create(&sd.virt_list);
+- ilist_create(&sd.integ_list);
++ ilist_create(&sd.integ_list);
++}
++
++/* Aggregate counts and key fields for anomaly events.
++ * l - pointer to event list
++ */
++static void aggregate_anom_item(llist *l)
++{
++ if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG,
++ AUDIT_LAST_ANOM_MSG)) {
++ ilist_add_if_uniq(&sd.anom_list, l->head->type, 0);
++ } else if (list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG,
++ AUDIT_LAST_KERN_ANOM_MSG) ||
++ list_find_msg(l, AUDIT_SECCOMP)) {
++ ilist_add_if_uniq(&sd.anom_list, l->head->type, 0);
++ }
++ if (l->s.exe)
++ slist_add_if_uniq(&sd.exes, l->s.exe);
++ else if (l->s.comm)
++ slist_add_if_uniq(&sd.comms, l->s.comm);
++ if (l->s.terminal)
++ slist_add_if_uniq(&sd.terms, l->s.terminal);
++ if (l->s.hostname)
++ slist_add_if_uniq(&sd.hosts, l->s.hostname);
++ if (l->s.loginuid != -2) {
++ char tmp[32];
++
++ aulookup_uid(l->s.loginuid, tmp, sizeof(tmp));
++ slist_add_if_uniq(&sd.users, tmp);
++ }
++}
++
++/* Aggregate counts and key fields for anomaly response events.
++ * l - pointer to event list
++ */
++static void aggregate_resp_item(llist *l)
++{
++ if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP,
++ AUDIT_LAST_ANOM_RESP))
++ ilist_add_if_uniq(&sd.resp_list, l->head->type, 0);
++}
++
++/* Aggregate counts and key fields for crypto events.
++ * l - pointer to event list
++ */
++static void aggregate_crypto_item(llist *l)
++{
++ if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
++ AUDIT_LAST_KERN_CRYPTO_MSG) ||
++ list_find_msg_range(l, AUDIT_FIRST_CRYPTO_MSG,
++ AUDIT_LAST_CRYPTO_MSG))
++ ilist_add_if_uniq(&sd.crypto_list, l->head->type, 0);
++
++ if (l->s.loginuid != -2) {
++ char tmp[32];
++
++ aulookup_uid(l->s.loginuid, tmp, sizeof(tmp));
++ slist_add_if_uniq(&sd.users, tmp);
++ }
+ }
+
+ /* This function will return 0 on no match and 1 on match */
+@@ -723,13 +784,13 @@ static int per_event_detailed(llist *l)
+ break;
+ case RPT_ANOMALY:
+ if (report_detail == D_DETAILED) {
+- if (list_find_msg_range(l,
++ if (list_find_msg_range(l,
+ AUDIT_FIRST_ANOM_MSG,
+ AUDIT_LAST_ANOM_MSG)) {
+ print_per_event_item(l);
+ rc = 1;
+ } else {
+- if (list_find_msg_range(l,
++ if (list_find_msg_range(l,
+ AUDIT_FIRST_KERN_ANOM_MSG,
+ AUDIT_LAST_KERN_ANOM_MSG) ||
+ list_find_msg(l, AUDIT_SECCOMP) ) {
+@@ -737,39 +798,42 @@ static int per_event_detailed(llist *l)
+ rc = 1;
+ }
+ }
+- } else { // FIXME: specific anom report
+- UNIMPLEMENTED;
++ } else {
++ aggregate_anom_item(l);
++ rc = 1;
+ }
+ break;
+ case RPT_RESPONSE:
+ if (report_detail == D_DETAILED) {
+- if (list_find_msg_range(l,
++ if (list_find_msg_range(l,
+ AUDIT_FIRST_ANOM_RESP,
+ AUDIT_LAST_ANOM_RESP)) {
+ print_per_event_item(l);
+ rc = 1;
+ }
+- } else { // FIXME: specific resp report
+- UNIMPLEMENTED;
++ } else {
++ aggregate_resp_item(l);
++ rc = 1;
+ }
+ break;
+ case RPT_CRYPTO:
+ if (report_detail == D_DETAILED) {
+- if (list_find_msg_range(l,
++ if (list_find_msg_range(l,
+ AUDIT_FIRST_KERN_CRYPTO_MSG,
+ AUDIT_LAST_KERN_CRYPTO_MSG)) {
+ print_per_event_item(l);
+ rc = 1;
+ } else {
+- if (list_find_msg_range(l,
++ if (list_find_msg_range(l,
+ AUDIT_FIRST_CRYPTO_MSG,
+ AUDIT_LAST_CRYPTO_MSG)) {
+ print_per_event_item(l);
+ rc = 1;
+ }
+ }
+- } else { // FIXME: specific crypto report
+- UNIMPLEMENTED;
++ } else {
++
aggregate_crypto_item(l);
++ rc = 1;
+ }
+ break;
+ case RPT_KEY:
+--
+2.48.1
+
diff --git a/backport-Adjust-path_norm-for-malformed-input.patch b/backport-Adjust-path_norm-for-malformed-input.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a457860719350bcec7ae01b2732a519a28d17951
--- /dev/null
+++ b/backport-Adjust-path_norm-for-malformed-input.patch
@@ -0,0 +1,33 @@
+From 4f01ca0d56ddab5cd8d7501b25c6049279415b65 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Thu, 7 Aug 2025 15:58:55 -0400
+Subject: [PATCH] Adjust path_norm for malformed input
+
+Updated path normalization to remove the pre-decrement from its
+backtracking loop, using a post-check that safely walks backward
+through components.
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/4f01ca0d56ddab5cd8d7501b25c6049279415b65
+Conflict:NA
+
+---
+ auparse/interpret.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index 0cd9daca..cceb0c13 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -925,7 +925,8 @@ static char *path_norm(const char *name)
+ else if (end - start == 2 && start[0] == '.' &&
+ start[1] == '.') {
+ // Back up to previous component, ignore if root
+- while (dest > rpath && (--dest)[-1] != '/');
++ while (dest > rpath && dest[-1] != '/')
++ --dest;
+ } else {
+ // we need to insert a '/' if we are at the beginning
+ // and the path is absolute or we've found the next component
+--
+2.48.1
+
diff --git a/backport-Fix-allocation-failure-in-list_append.patch b/backport-Fix-allocation-failure-in-list_append.patch
new file mode 100644
index 0000000000000000000000000000000000000000..563dfabee94885e59400ac40378c0766cb54c0fa
--- /dev/null
+++ b/backport-Fix-allocation-failure-in-list_append.patch
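Review bot: `aggregate_anom_item` and `aggregate_crypto_item` tally `l->head->type`, the type of the event's first record, not the record that `list_find_msg_range()` just matched; for a multi-record event (a kernel anomaly or crypto record logged together with its SYSCALL record) the summary can count the wrong type. If `list_find_msg_range()` leaves `l->cur` on the match, as its name suggests but the llist code is not in this hunk, count that instead: `ilist_add_if_uniq(&sd.anom_list, l->cur->type, 0);`. On style, the two branches in `aggregate_anom_item` run the identical statement and can be a single `if (... || ... || list_find_msg(l, AUDIT_SECCOMP))`, and the `loginuid != -2` lookup is copied verbatim between the two helpers and deserves a small static helper. per_event_detailed starts and ends outside the hunk.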
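Review bot: With the post-check loop a second consecutive `..` becomes a no-op: the first `..` stops with `dest` just past the preceding `/`, so on the next `..` the test `dest[-1] != '/'` is false at once and nothing is backed out, i.e. `/a/b/../..` would normalize to `/a/` where the pre-decrement form walked over that slash and produced `/`. Unless a later pass in path_norm collapses this (the function starts and ends outside the hunk), step over a trailing separator before walking back, keeping the `dest > rpath` bound that this patch adds:
```c
			// Back up to previous component, ignore if root
			if (dest > rpath + 1 && dest[-1] == '/')
				--dest;
			while (dest > rpath && dest[-1] != '/')
				--dest;
```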
@@ -0,0 +1,30 @@
+From 554b5f086b1107019f51c158a29585ffbc18a426 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Tue, 20 May 2025 17:18:26 -0400
+Subject: [PATCH] Fix allocation failure in list_append
+
+---
+ src/auditctl-llist.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/src/auditctl-llist.c b/src/auditctl-llist.c
+index de5c38dd..3be046f8 100644
+--- a/src/auditctl-llist.c
++++ b/src/auditctl-llist.c
+@@ -69,8 +69,11 @@ int list_append(llist *l, const struct audit_rule_data *r, size_t sz)
+
+ if (r) {
+ void *rr = malloc(sz);
+- if (rr)
+- memcpy(rr, r, sz);
++ if (rr == NULL) {
++ free(newnode);
++ return 1;
++ }
++ memcpy(rr, r, sz);
+ newnode->r = rr;
+ } else
+ newnode->r = NULL;
+--
+2.48.1
+
diff --git a/backport-Fix-possible-segfault-in-auparse_interp_adjust_type.patch b/backport-Fix-possible-segfault-in-auparse_interp_adjust_type.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b341bbfae8e0b9c0fb3e571f34b0e786857fdede
--- /dev/null
+++ b/backport-Fix-possible-segfault-in-auparse_interp_adjust_type.patch
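Review bot: This patch file carries no `Reference:`/`Conflict:` trailer, unlike every other backport in this series, so the upstream commit it mirrors cannot be checked from the spec; if the `From` hash is the source, add `Reference:https://github.com/linux-audit/audit-userspace/commit/554b5f086b1107019f51c158a29585ffbc18a426` and `Conflict:NA` before the `---` separator. On the code, the new early return treats a NULL from `malloc(sz)` as fatal, which is right for `sz > 0`; if any caller can pass `r` with `sz == 0`, `malloc(0)` may return NULL on some allocators and the node would be dropped as an allocation failure, so either document that `sz` is non-zero or guard it. list_append starts and ends outside the hunk, so whether `newnode` has other owned members that also need freeing here cannot be confirmed from this view.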
@@ -0,0 +1,47 @@
+From c296b7ae36a95723abf1782d6cc242e44220c802 Mon Sep 17 00:00:00 2001
+From: Dmitry Voronin
+Date: Thu, 24 Jul 2025 16:07:55 +0300
+Subject: [PATCH] Fix possible segfault in auparse_interp_adjust_type()
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/9c3d09b43ce0c6439f3f049f85ed12da4d9be062
+Conflict:NA
+---
+ auparse/interpret.c | 6 +++++-
+ auparse/nvlist.c | 4 ++--
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index 8f89178..31cb812 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -3172,7 +3172,11 @@ const char *do_interpret(rnode *r, auparse_esc_t escape_mode)
+ */
+ int auparse_interp_adjust_type(int rtype, const char *name, const char *val)
+ {
+- int type;
++ int type = AUPARSE_TYPE_UNCLASSIFIED;
++
++ if (!name || !val) {
++ return type;
++ }
+
+ /* This set of statements overrides or corrects the detection.
+ * In almost all cases its a double use of a field. */
+diff --git a/auparse/nvlist.c b/auparse/nvlist.c
+index ff8c2f2..9a7968f 100644
+--- a/auparse/nvlist.c
++++ b/auparse/nvlist.c
+@@ -58,8 +58,8 @@ nvnode *nvlist_next(nvlist *l)
+ // 0 on success and 1 on error
+ int nvlist_append(nvlist *l, nvnode *node)
+ {
+- if (node->name == NULL)
+- return 1;
++ if ((node->name == NULL) ||
++ (node->val == NULL))
+
+ if (l->array == NULL)
+ alloc_array(l);
+--
+2.48.1
+
diff --git a/backport-IDS-safe_exec-returns-without-confirming-child-succe.patch b/backport-IDS-safe_exec-returns-without-confirming-child-succe.patch
new file mode 100644
index 0000000000000000000000000000000000000000..92691723b2c4e04c5678bc5ebff064e8b8116c43
--- /dev/null
+++ b/backport-IDS-safe_exec-returns-without-confirming-child-succe.patch
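Review bot: The `nvlist.c` hunk drops the `return 1;` that followed the NULL test and adds nothing in its place (the `+58,8` count confirms no return line is added), so `if ((node->name == NULL) || (node->val == NULL))` now governs the next statement, `if (l->array == NULL) alloc_array(l);`: a node with a NULL name or value is no longer rejected, and when the array is still unallocated it skips `alloc_array()` and falls through to use `l->array`. `backport-merged.patch` (Patch57) restores the `return 1;`, but between Patch56 and Patch57 the tree is broken and anyone building with only this patch inherits the bug; fold that one line into this patch so it stands alone. The `Reference:` hash (9c3d09b4…) is also not the `From` hash (c296b7ae…), so state which upstream commit this actually is.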
@@ -0,0 +1,53 @@
+From f4457859d1c9acd40d35d8cc612cadc39719ad71 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Sat, 2 Aug 2025 15:07:36 -0400
+Subject: [PATCH] IDS: safe_exec returns without confirming child success
+
+Updated safe_exec to wait for the spawned child, returning success
+only on a clean exit and logging errors otherwise.
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/f4457859d1c9acd40d35d8cc612cadc39719ad71
+Conflict:NA
+
+---
+ audisp/plugins/ids/reactions.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/audisp/plugins/ids/reactions.c b/audisp/plugins/ids/reactions.c
+index ed8321ae..2f67c9c3 100644
+--- a/audisp/plugins/ids/reactions.c
++++ b/audisp/plugins/ids/reactions.c
+@@ -12,6 +12,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include // nanosleep
+ #include
+@@ -47,8 +48,20 @@ static int safe_exec(const char *exe, ...)
+ "Audit IDS failed to fork doing safe_exec");
+ return 1;
+ }
+- if (pid) /* Parent */
+- return 0; // FIXME: should we waitpid to know if it succeeded?
++ if (pid) { /* Parent */
++ int status;
++
++ if (waitpid(pid, &status, 0) < 0) {
++ syslog(LOG_ALERT,
++ "Audit IDS waitpid failed for %s", exe);
++ return 1;
++ }
++ if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
++ return 0;
++
++ syslog(LOG_ALERT, "Audit IDS %s exited abnormally", exe);
++ return 1;
++ }
+
+ /* Child */
+ sigfillset (&sa.sa_mask);
+--
+2.48.1
+
diff --git a/backport-Invalid-magic-number-on-remote-reply-leaves-connecti.patch b/backport-Invalid-magic-number-on-remote-reply-leaves-connecti.patch
new file mode 100644
index 0000000000000000000000000000000000000000..073f0a8f8572726156f770d8edf20977370cb504
--- /dev/null
+++ b/backport-Invalid-magic-number-on-remote-reply-leaves-connecti.patch
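Review bot: `waitpid(pid, &status, 0)` is not retried on `EINTR`: if a signal handler in the plugin interrupts the wait (the plugin installs handlers, judging by the `sigfillset` just below, though the handlers are outside the hunk), the call returns -1, the reaction is logged as failed and `safe_exec` returns 1 while the child is still running and is reaped by nobody. Loop on `EINTR` and include the reason in the log, as below; `errno` needs `<errno.h>` if the file does not already include it (header names are stripped in this rendering). It is also worth a comment that this change makes the plugin block until the reaction command finishes, which is fine for short account-lock commands but not for anything that can hang. safe_exec starts and ends outside the hunk.
```c
	if (pid) { /* Parent */
		int status;

		// Retry if a signal interrupts the wait; returning here would
		// report failure while the child is still running.
		while (waitpid(pid, &status, 0) < 0) {
			if (errno == EINTR)
				continue;
			syslog(LOG_ALERT,
			       "Audit IDS waitpid failed for %s: %m", exe);
			return 1;
		}
		// … unchanged: exit status check …
```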
@@ -0,0 +1,42 @@
+From 80ebc60e61b20d7ee6a87d7d062a711905cc226c Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Sat, 2 Aug 2025 23:17:08 -0400
+Subject: [PATCH] Invalid magic number on remote reply leaves connection open
+
+In recv_msg_tcp, encountering a bad magic number only logs an error and
+returns, leaving the socket open even though the comment notes it should
+be closed and restarted.
+
+When recv_msg_tcp encounters an invalid magic number it now shuts down
+the existing connection with stop_transport(), attempts to re-establish
+it immediately, and returns a failure if reconnection fails.
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/80ebc60e61b20d7ee6a87d7d062a711905cc226c
+Conflict:NA
+
+---
+ audisp/plugins/remote/audisp-remote.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
+index 9c7d2b54..2633bf79 100644
+--- a/audisp/plugins/remote/audisp-remote.c
++++ b/audisp/plugins/remote/audisp-remote.c
+@@ -1454,10 +1454,12 @@ static int recv_msg_tcp (unsigned char *header, char *msg, uint32_t *mlen)
+ }
+
+ if (! AUDIT_RMW_IS_MAGIC (header, AUDIT_RMW_HEADER_SIZE)) {
+- /* FIXME: the right thing to do here is close the socket
+- * and start a new one. */
++ /* close the socket and start a new one. */
+ sync_error_handler ("bad magic number");
++ stop_transport();
++ init_transport();
+ return -1;
++
+ }
+
+ AUDIT_RMW_UNPACK_HEADER (header, hver, mver, type, rlen, seq);
+--
+2.48.1
+
diff --git a/backport-Make-h_errno-more-reliable-and-remove-FIXME.patch b/backport-Make-h_errno-more-reliable-and-remove-FIXME.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ab5ca680a1880a63eadc0ebfd186a6abd56001d8
--- /dev/null
+++ b/backport-Make-h_errno-more-reliable-and-remove-FIXME.patch
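Review bot: The description says the function "returns a failure if reconnection fails", but the new code discards `init_transport()`'s result and returns -1 unconditionally, so the caller cannot tell "frame dropped, connection re-established" from "connection gone"; either test the result with whatever convention `init_transport()` uses, e.g. `if (init_transport()) sync_error_handler("reconnect after bad magic failed");`, or correct the description. There is also a stray blank `+` line left after `return -1;`. Reconnecting synchronously inside `recv_msg_tcp` means one malformed frame from the peer now triggers a connect attempt in the receive path, which may block on DNS or connect timeouts; confirm that is acceptable for the plugin's loop, or leave reconnection to the existing retry logic and only tear down here. recv_msg_tcp starts and ends outside the hunk.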
@@ -0,0 +1,37 @@
+From 998e4972e18277a6b55e5ace807eec6fc9062f0b Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Tue, 5 Aug 2025 17:26:55 -0400
+Subject: [PATCH] Make h_errno more reliable and remove FIXME
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/998e4972e18277a6b55e5ace807eec6fc9062f0b
+Conflict:NA
+
+---
+ src/auditd-config.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/src/auditd-config.c b/src/auditd-config.c
+index 862e6dcd..8b0fbb14 100644
+--- a/src/auditd-config.c
++++ b/src/auditd-config.c
+@@ -1111,6 +1111,7 @@ static int validate_email(const char *acct)
+ hints.ai_flags = AI_ADDRCONFIG | AI_CANONNAME;
+ hints.ai_socktype = SOCK_STREAM;
+
++ h_errno = 0;
+ rc2 = getaddrinfo(ptr1+1, NULL, &hints, &ai);
+ if (rc2 != 0) {
+ if ((h_errno == HOST_NOT_FOUND) ||
+@@ -1118,9 +1119,6 @@ static int validate_email(const char *acct)
+ audit_msg(LOG_ERR,
+ "validate_email: failed looking up host for %s (%s)",
+ ptr1+1, gai_strerror(rc2));
+- // FIXME: How can we tell that we truly have
+- // a permanent failure and what is that? For
+- // now treat all as temp failure.
+ } else if (h_errno == TRY_AGAIN) {
+ audit_msg(LOG_DEBUG,
+ "validate_email: temporary failure looking up domain for %s",
+--
+2.48.1
+
diff --git a/backport-Path-normalization-fix-segmentation-fault-for-.-hand.patch b/backport-Path-normalization-fix-segmentation-fault-for-.-hand.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cfb0676633da97c05b41fabfadc860d346cc6c38
--- /dev/null
+++ b/backport-Path-normalization-fix-segmentation-fault-for-.-hand.patch
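Review bot: Zeroing `h_errno` before `getaddrinfo()` does not make the tests that follow meaningful: `getaddrinfo()` reports failure through its return value (`EAI_NONAME`, `EAI_AGAIN`, …) and is not specified to set `h_errno`, which belongs to the `gethostbyname()` family, so after this change `h_errno` will normally still be 0 and neither the `HOST_NOT_FOUND` branch nor the `TRY_AGAIN` branch is taken. Test `rc2` instead: `if (rc2 == EAI_NONAME) {` for the permanent case and `} else if (rc2 == EAI_AGAIN) {` for the temporary one (the second operand of the first `||` is outside the hunk and should be folded in the same way). Deleting the FIXME does not answer the question it raised; `EAI_AGAIN` is the documented temporary failure and everything else can be treated as permanent, which is worth saying in a comment. validate_email starts and ends outside the hunk.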
@@ -0,0 +1,50 @@
+From 37ab2d21d46123497fccbe91db0badbcc7ddae84 Mon Sep 17 00:00:00 2001
+From: Attila Lakatos
+Date: Sat, 12 Oct 2024 20:33:29 +0200
+Subject: [PATCH] Path normalization: fix segmentation fault for ".." handling
+ (#403)
+
+When a path contains ".." character, it requires normalization
+to resolve these. However, certain cases caused unexpected
+behavior, resulting in segmentation faults due to invalid
+memory access.
+
+In path_norm, when encountering "..", the function attempts
+to backtrack to the previous "/" character. This approach
+failed when the leading "/" characters were removed earlier
+in the function, causing out-of-bounds memory access.
+
+This fix ensures proper handling of ".." by adjusting the
+backtracking logic to account for removed leading slashes,
+preventing segmentation faults.
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/37ab2d21d46123497fccbe91db0badbcc7ddae84
+Conflict:NA
+
+---
+ auparse/interpret.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index adf226cc..1ca986d0 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -921,10 +921,12 @@ static char *path_norm(const char *name)
+ else if (end - start == 2 && start[0] == '.' &&
+ start[1] == '.') {
+ // Back up to previous component, ignore if root
+- if (dest > rpath + 1)
+- while ((--dest)[-1] != '/');
++ while (dest > rpath && (--dest)[-1] != '/');
+ } else {
+- if (dest != working && dest[-1] != '/')
++ // we need to insert a '/' if we are at the beginning
++ // and the path is absolute or we've found the next component
++ if ((dest == working && name[0] == '/') ||
++ (dest == working || dest[-1] != '/'))
+ *dest++ = '/';
+
+ // If it will overflow, chop it at last component
+--
+2.48.1
+
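Review bot: The new separator test `(dest == working && name[0] == '/') || (dest == working || dest[-1] != '/')` reduces to `dest == working || dest[-1] != '/'`: the first disjunct is implied by the second, so `name[0] == '/'` has no effect and, contrary to the comment above it, a relative path gets a `/` inserted at its first component whenever `dest == working` there (how `working` is initialised is outside the hunk). If the comment states the intent, the second disjunct should read `(dest != working && dest[-1] != '/')`; if not, drop the first disjunct and fix the comment. Separately, `while (dest > rpath && (--dest)[-1] != '/');` still reads `rpath[-1]`, one byte before the allocation, when `dest == rpath + 1` on entry; the later `backport-Adjust-path_norm-for-malformed-input.patch` in this series replaces that loop, so the two should always land together. path_norm starts and ends outside the hunk.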
diff --git a/backport-Re-enable-missing-audit-event-on-reconfiguration-fai.patch b/backport-Re-enable-missing-audit-event-on-reconfiguration-fai.patch
new file mode 100644
index 0000000000000000000000000000000000000000..80d73212ed83119893cd2fb561d39136b4d88fe6
--- /dev/null
+++ b/backport-Re-enable-missing-audit-event-on-reconfiguration-fai.patch
@@ -0,0 +1,28 @@
+From fef88df6eb0549e4a8520b0f517eaffbaadeb63e Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Mon, 4 Aug 2025 13:11:23 -0400
+Subject: [PATCH] Re-enable missing audit event on reconfiguration failure
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/2244509eacac4029101e40dc1c7d44dc0812ef8e
+Conflict:NA
+---
+ src/auditd-reconfig.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c
+index 7e6c412..4c46ef4 100644
+--- a/src/auditd-reconfig.c
++++ b/src/auditd-re-config.c
+@@ -114,8 +114,7 @@ static void *config_thread_main(void *arg)
+ audit_format_signal_info(txt, sizeof(txt),
+ "reconfigure state=no-change",
+ &e->reply, "failed");
+- // FIXME: need to figure out sending this
+- //send_audit_event(AUDIT_DAEMON_CONFIG, txt);
++ send_audit_event(AUDIT_DAEMON_CONFIG, txt);
+ free_config(&new_config);
+ free(e);
+ reconfig_pthread_failed();
+--
+2.48.1
+
diff --git a/backport-Verify-the-rule-is-empty-before-adding-a-watch.patch b/backport-Verify-the-rule-is-empty-before-adding-a-watch.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fc108684d395161620c7c6660360db402ffb406b
--- /dev/null
+++ b/backport-Verify-the-rule-is-empty-before-adding-a-watch.patch
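Review bot: `send_audit_event(AUDIT_DAEMON_CONFIG, txt)` is now called from `config_thread_main`, the reconfiguration pthread, not from the daemon's main event thread, and the FIXME being removed ("need to figure out sending this") was about exactly that; nothing in this hunk shows the call is safe off the main thread. Confirm that `send_audit_event()` only enqueues to a thread-safe queue before re-enabling it, and if it does not, hand `txt` back to the main thread (for example via the failure path `reconfig_pthread_failed()` already takes) instead of emitting from here; a one-line comment stating which thread may call it would stop the question recurring. The `Reference:` hash (2244509e…) differs from this patch's `From` line (fef88df6…), so say which upstream change was actually taken. config_thread_main starts and ends outside the hunk.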
@@ -0,0 +1,62 @@
+From 3cac9bb91c190d2d45b1bf0e6e2e94ddb2cbb409 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Sat, 2 Aug 2025 15:01:51 -0400
+Subject: [PATCH] Verify the rule is empty before adding a watch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Added a safety check in audit_setup_watch_name to verify that watch
+rules contain no fields or actions, ensuring the rule is empty before
+adding a watch and providing a clear error path when it isn’t.
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/c58b59ee17eb50cfe89399289a2255fe6fd5b29e
+Conflict:src/auditctl.c
+---
+ src/auditctl.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/auditctl.c b/src/auditctl.c
+index 088e64e..4694c30 100644
+--- a/src/auditctl.c
++++ b/src/auditctl.c
+@@ -268,6 +268,7 @@ static int audit_setup_watch_name(struct audit_rule_data **rulep, char *path)
+ int type = AUDIT_WATCH;
+ size_t len;
+ struct stat buf;
++ unsigned int i;
+
+ if (check_path(path))
+ return -1;
+@@ -284,11 +285,26 @@ static int audit_setup_watch_name(struct audit_rule_data **rulep, char *path)
+ if (S_ISDIR(buf.st_mode))
+ type = AUDIT_DIR;
+ }
+- /* FIXME: might want to check to see that rule is empty */
+- if (audit_add_watch_dir(type, rulep, path))
++ /* Ensure the rule is empty before adding a watch */
++ if ((*rulep)->field_count || (*rulep)->action || (*rulep)->flags ||
++ (*rulep)->buflen)
++ goto err;
++ for (i = 0; i < AUDIT_MAX_FIELDS; i++)
++ if ((*rulep)->fields[i] || (*rulep)->values[i] ||
++ (*rulep)->fieldflags[i])
++ goto err;
++ for (i = 0; i < AUDIT_BITMASK_SIZE; i++)
++ if ((*rulep)->mask[i])
++ goto err;
++ if (audit_add_watch_dir(type, rulep, path))
+ return -1;
+
+ return 1;
++err:
++ audit_msg(LOG_ERR, "Watches may not include fields or actions");
++ audit_rule_free_data(*rulep);
++ *rulep = audit_rule_create_data();
++ return -1;
+ }
+
+ /*
+--
+2.48.1
+
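Review bot: The `err:` path replaces the rule with `audit_rule_create_data()` but never checks the result, so on allocation failure `*rulep` is left NULL and the caller's next touch of the rule (reading `field_count`, freeing it, building the next option) dereferences NULL; add `if (*rulep == NULL) audit_msg(LOG_ERR, "Out of memory resetting rule");` after the assignment so the NULL is at least reported, since -1 is already returned either way. The two failure paths also leave the rule in different states — a non-empty rule is freed and reset, an `audit_add_watch_dir()` failure returns -1 with the rule untouched — and it would be simpler to reason about if both did the same. The per-field and `mask[]` loops are redundant with `field_count`/`flags` for a rule that libaudit built, but as belt-and-braces against a caller that poked the struct directly they are fine if a comment says so. audit_setup_watch_name starts outside the hunk.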
diff --git a/backport-merged.patch b/backport-merged.patch
new file mode 100644
index 0000000000000000000000000000000000000000..37111260a87eba93abc4278d57982d6fd7116e62
--- /dev/null
+++ b/backport-merged.patch
@@ -0,0 +1,27 @@
+From dea18f27e244366952c55c0daa077a9e6b9d3e75 Mon Sep 17 00:00:00 2001
+From: Dmitry Voronin
+Date: Fri, 25 Jul 2025 07:06:53 +0300
+Subject: [PATCH] merged
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/dea18f27e244366952c55c0daa077a9e6b9d3e75
+Conflict:NA
+
+---
+ auparse/nvlist.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/auparse/nvlist.c b/auparse/nvlist.c
+index ec7d4176..705cc8af 100644
+--- a/auparse/nvlist.c
++++ b/auparse/nvlist.c
+@@ -60,6 +60,7 @@ int nvlist_append(nvlist *l, const nvnode *node)
+ {
+ if ((node->name == NULL) ||
+ (node->val == NULL))
++ return 1;
+
+ if (l->array == NULL)
+ alloc_array(l);
+--
+2.48.1
+
diff --git a/backport-safe_exec-exits-the-child-process-directly-on-execve.patch b/backport-safe_exec-exits-the-child-process-directly-on-execve.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b27fc90c528bfe7c74a3dacbfc18250e41f46035
--- /dev/null
+++ b/backport-safe_exec-exits-the-child-process-directly-on-execve.patch
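Review bot: The subject `merged` and the file name `backport-merged.patch` say nothing about the change; what it does is restore the `return 1;` that the preceding `backport-Fix-possible-segfault-in-auparse_interp_adjust_type.patch` (Patch56) drops from the same `if` in `nvlist_append`, so the tree is only correct once both are applied. Either fold this line into Patch56 or name it for what it fixes, e.g. `backport-nvlist_append-restore-early-return-on-NULL.patch`, with a matching `Subject:`. Note also that the `@@` context here shows `const nvnode *node` while Patch56 shows `nvnode *node` on the same signature; presumably the earlier constification backport (Patch52) explains that, but it is worth confirming the series applies in spec order without fuzz.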
@@ -0,0 +1,39 @@
+From 90cd4f5350f22340d5a2406ee42befd875607733 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Sat, 2 Aug 2025 23:12:57 -0400
+Subject: [PATCH] safe_exec exits the child process directly on execve failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The child side of safe_exec calls exit(1) after a failed execve, which
+can run atexit handlers and flush shared stdio buffers. The comment
+notes this should “error instead of exit.”
+
+Updated safe_exec in the audit daemon to terminate failing child
+processes with _exit(EXIT_FAILURE) rather than exit(1), preventing
+execution of atexit handlers and aligning shutdown behavior with
+POSIX recommendations.
+
+Reference:https://github.com/linux-audit/audit-userspace/commit/fd40e02f84e4b0078bea54872f282f10658407c7
+Conflict:NA
+---
+ src/auditd-event.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/auditd-event.c b/src/auditd-event.c
+index 1a81471..ddd7cb1 100644
+--- a/src/auditd-event.c
++++ b/src/auditd-event.c
+@@ -1395,7 +1395,7 @@ static void safe_exec(const char *exe)
+ argv[1] = NULL;
+ execve(exe, argv, NULL);
+ audit_msg(LOG_ALERT, "Audit daemon failed to exec %s", exe);
+- exit(1);
++ _exit(EXIT_FAILURE); // Avoid running the atexit handlers
+ }
+
+ static void reconfigure(struct auditd_event *e)
+--
+2.48.1
+
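Review bot: The failure message still drops the reason: `execve()` sets `errno` (`ENOENT`, `EACCES`, `ENOEXEC`, …) and, now that the child `_exit()`s with no further output, that message is the only diagnostic an administrator gets for a broken exec hook. Suggest `audit_msg(LOG_ALERT, "Audit daemon failed to exec %s (%s)", exe, strerror(errno));`, which needs `<errno.h>` and `<string.h>` if the file does not already include them. The commit message says "audit daemon", but the IDS plugin's `safe_exec` in `audisp/plugins/ids/reactions.c` (touched by Patch59 in this series) has the same fork/exec shape; if its child path still calls `exit()` after a failed `execve()`, give it the same `_exit()` treatment. safe_exec starts outside the hunk.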