diff --git a/audit-3.0.1.tar.gz b/audit-3.0.1.tar.gz deleted file mode 100644 index 4be9e3466ba463e3bccc3ba475c5620d1e5390e5..0000000000000000000000000000000000000000 Binary files a/audit-3.0.1.tar.gz and /dev/null differ diff --git a/audit-3.0.9.tar.gz b/audit-3.0.9.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..214d6ae6994e716baa96a003d2044b158d7b602e Binary files /dev/null and b/audit-3.0.9.tar.gz differ diff --git a/audit-Add-sw64-architecture.patch b/audit-Add-sw64-architecture.patch index 11f06a928fd96db07e811a025d779a06cbadbc1c..cb3260e841761a140570b56acd8844cc500fec2c 100644 --- a/audit-Add-sw64-architecture.patch +++ b/audit-Add-sw64-architecture.patch @@ -31,20 +31,20 @@ diff --git a/config.guess b/config.guess index b33c9e8..69e3005 100755 --- a/config.guess +++ b/config.guess -@@ -913,6 +913,14 @@ EOF +@@ -976,6 +976,14 @@ EOF UNAME_MACHINE=aarch64_be - echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" - exit ;; + GUESS=$UNAME_MACHINE-unknown-linux-$LIBC + ;; + sw_64:Linux:*:*) -+ case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in -+ sw) UNAME_MACHINE=sw_64 ;; -+ esac -+ objdump --private-headers /bin/sh | grep -q ld.so.1 -+ if test "$?" = 0 ; then LIBC=gnulibc1 ; fi -+ echo "$UNAME_MACHINE"-sunway-linux-"$LIBC" -+ exit ;; ++ case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' /proc/cpuinfo 2>/dev/null` in ++ sw) UNAME_MACHINE=sw_64 ;; ++ esac ++ objdump --private-headers /bin/sh | grep -q ld.so.1 ++ if test "$?" = 0 ; then LIBC=gnulibc1 ; fi ++ GUESS=$UNAME_MACHINE-sunway-linux-$LIBC ++ ;; alpha:Linux:*:*) - case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in + case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' /proc/cpuinfo 2>/dev/null` in EV5) UNAME_MACHINE=alphaev5 ;; diff --git a/config.sub b/config.sub index b51fb8c..76babe9 100755 diff --git a/audit.spec b/audit.spec index 86f5a67b58d3481921fb1d2307261eb665b58500..3f3b1db311e767c50609b5a23643860e4c2739f2 100644 --- a/audit.spec +++ b/audit.spec 
@@ -1,8 +1,8 @@
 Summary: User space tools for kernel auditing
 Name: audit
 Epoch: 1
-Version: 3.0.1
-Release: 5
+Version: 3.0.9
+Release: 1
 License: GPLv2+ and LGPLv2+
 URL: https://people.redhat.com/sgrubb/audit/
 Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@@ -11,31 +11,9 @@ Source1: https://www.gnu.org/licenses/lgpl-2.1.txt Patch0: bugfix-audit-support-armv7b.patch Patch1: bugfix-audit-userspace-missing-syscalls-for-aarm64.patch Patch2: bugfix-audit-reload-coredump.patch -Patch3: backport-Fix-the-default-location-for-zos-remote.conf-171.patch -Patch4: backport-Add-missing-call-to-free_interpretation_list.patch -Patch5: backport-fix-2-more-issues-found-by-fuzzing.patch -Patch6: backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch -Patch7: backport-Fix-double-free-with-corrupted-logs.patch -Patch8: backport-Fix-the-closing-timing-of-audit_fd-166.patch -Patch9: backport-Fix-some-string-length-issues.patch -Patch10: backport-Move-the-free_config-to-success-path.patch -Patch11: backport-Check-for-fuzzer-induced-invalid-value.patch -Patch12: backport-error-out-if-log-is-mangled.patch -Patch13: backport-Dont-run-off-the-end-with-corrupt-logs.patch -Patch14: backport-Another-hardening-measure-for-corrupted-logs.patch -Patch15: backport-Fix-busy-loop-in-normalizer-when-logs-are-corrupt.patch -Patch16: backport-Better-fix-for-busy-loop-in-normalizer-when-logs-are.patch -Patch17: backport-flush-uid-gid-caches-when-user-group-added-deleted-m.patch -Patch18: backport-In-auditd-check-if-log_file-is-valid-before-closing-.patch -Patch19: backport-Check-ctime-return-code.patch -Patch20: backport-When-interpreting-if-val-is-NULL-return-an-empty-str.patch -Patch21: backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch -Patch22: backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch -Patch23: backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch -Patch24: audit-Add-sw64-architecture.patch -Patch25: backport-Make-IPX-packet-interpretation-dependent-on-the-ipx-.patch -Patch26: backport-audit-flex-array-workaround.patch -Patch27: backport-audit-undo-flex-array.patch +Patch3: audit-Add-sw64-architecture.patch +Patch4: backport-audit-flex-array-workaround.patch +Patch5: 
backport-audit-undo-flex-array.patch BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29 BuildRequires: openldap-devel krb5-devel libcap-ng-devel @@ -117,28 +95,6 @@ cp /usr/include/linux/audit.h lib/ %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 -%patch16 -p1 -%patch17 -p1 -%patch18 -p1 -%patch19 -p1 -%patch20 -p1 -%patch21 -p1 -%patch22 -p1 -%patch23 -p1 -%patch24 -p1 -%patch25 -p1 -%patch26 -p1 autoreconf -f -i %build @@ -184,7 +140,8 @@ touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz cur=`pwd` cd $RPM_BUILD_ROOT -patch -p1 < %{PATCH27} +patch -p1 < %{PATCH5} +find . -name '*.orig' -delete cd $cur %delete_la @@ -342,6 +299,7 @@ fi %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state %attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop +%attr(750,root,root) %{_libexecdir}/audit-functions %ghost %{_localstatedir}/run/auditd.state %attr(750,root,root) %dir %{_var}/log/audit %attr(750,root,root) %dir /etc/audit @@ -404,6 +362,9 @@ fi %attr(644,root,root) %{_mandir}/man8/*.8.gz %changelog +* Thu Feb 2 2023 zhangguangzhi - 1:3.0.9-1 +- update version to 3.0.9 + * Mon Jan 16 2023 zhangguangzhi - 1:3.0.1-5 - backport patch adapt to kernel 6.1 diff --git a/backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch b/backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch deleted file mode 100644 index 13a6eac8744c98faf1f37fabe8a05ba01e74a60d..0000000000000000000000000000000000000000 --- a/backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch +++ /dev/null 
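Review bot: The changelog entry this commit adds for 1:3.0.9-1 reads only `- update version to 3.0.9`, yet this hunk removes 22 backport patches from the Patch list, among them `backport-Fix-double-free-with-corrupted-logs.patch` and `backport-Dont-run-off-the-end-with-corrupt-logs.patch`. Presumably all of them are already contained in the 3.0.9 tarball, but nothing in the spec records that this was checked. I would add a changelog line such as `- drop backported patches that are included upstream in 3.0.9`, so a later auditor can tell that the memory-safety fixes were superseded rather than lost.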
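Review bot: The added `find . -name '*.orig' -delete` runs from `$RPM_BUILD_ROOT` and removes every `*.orig` file in the install tree, which hides why those files appear. GNU patch writes a `.orig` backup when a hunk of `%{PATCH5}` does not match its target exactly, so their presence suggests the patch no longer applies cleanly to the installed files. Consider replacing the two lines with `patch -p1 --fuzz=0 --no-backup-if-mismatch < %{PATCH5}`, so that a patch needing fuzz fails the build and no backups are created. If the cleanup is kept, restrict the `find` to the directory the patch touches. The %install section starts and ends outside the hunk.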
@@ -1,32 +0,0 @@
-From d62c38a55520e58220d8e42497c4ab343185106f Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Thu, 28 Oct 2021 13:22:24 -0400
-Subject: [PATCH 2237/2246] In auditd, close the logging file descriptor when
- logging is suspended
-
----
- src/auditd-event.c | 8 ++++++++
- 1 files changed, 8 insertions(+)
-
-diff --git a/src/auditd-event.c b/src/auditd-event.c
-index f886b67..4dee990 100644
---- a/src/auditd-event.c
-+++ b/src/auditd-event.c
-@@ -723,6 +723,14 @@ static void check_log_file_size(void)
- case SZ_SUSPEND:
- audit_msg(LOG_ERR,
- "Audit daemon is suspending logging due to logfile size.");
-+ // We need to close the file so that manual
-+ // intervention can move or delete the file.
-+ // We don't want to keep logging to a deleted
-+ // file.
-+ if (log_file)
-+ fclose(log_file);
-+ log_file = NULL;
-+ log_fd = -1;
- logging_suspended = 1;
- break;
- case SZ_ROTATE:
---
-1.8.3.1
-
diff --git a/backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch b/backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch
deleted file mode 100644
index 7f522c20abeb21eef959cc1c67ef3685ea43c805..0000000000000000000000000000000000000000
--- a/backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 770e4f538103f8a055f46c04a9e2514f88f175c3 Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Mon, 1 Nov 2021 08:29:56 -0400
-Subject: [PATCH 2244/2246] In auditd, close the logging file descriptor when
- logging is suspended
-
----
- src/auditd-event.c | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/src/auditd-event.c b/src/auditd-event.c
-index 4a0a351..e88ef6e 100644
---- a/src/auditd-event.c
-+++ b/src/auditd-event.c
-@@ -861,6 +861,13 @@ static void do_space_left_action(int admin)
- case FA_SUSPEND:
- audit_msg(LOG_ALERT,
- "Audit daemon is suspending logging due to low disk space.");
-+ // We need to close the file so that manual
-+ // intervention can move or delete the file. We
-+ // don't want to keep logging to a deleted file.
-+ if (log_file)
-+ fclose(log_file);
-+ log_file = NULL;
-+ log_fd = -1;
- logging_suspended = 1;
- break;
- case FA_SINGLE:
-@@ -909,6 +916,13 @@ static void do_disk_full_action(void)
- case FA_SUSPEND:
- audit_msg(LOG_ALERT,
- "Audit daemon is suspending logging due to no space left on logging partition.");
-+ // We need to close the file so that manual
-+ // intervention can move or delete the file. We
-+ // don't want to keep logging to a deleted file.
-+ if (log_file)
-+ fclose(log_file);
-+ log_file = NULL;
-+ log_fd = -1;
- logging_suspended = 1;
- break;
- case FA_SINGLE:
-@@ -957,6 +971,13 @@ static void do_disk_error_action(const char *func, int err)
- case FA_SUSPEND:
- audit_msg(LOG_ALERT,
- "Audit daemon is suspending logging due to previously mentioned write error");
-+ // We need to close the file so that manual
-+ // intervention can move or delete the file. We
-+ // don't want to keep logging to a deleted file.
-+ if (log_file)
-+ fclose(log_file);
-+ log_file = NULL;
-+ log_fd = -1;
- logging_suspended = 1;
- break;
- case FA_SINGLE:
---
-1.8.3.1
-
diff --git a/backport-Add-missing-call-to-free_interpretation_list.patch b/backport-Add-missing-call-to-free_interpretation_list.patch deleted file mode 100644 index 9f10263ed5a81f7374d242ed46c7b03b33aafa93..0000000000000000000000000000000000000000 --- a/backport-Add-missing-call-to-free_interpretation_list.patch +++ /dev/null @@ -1,30 +0,0 @@ -From a9668df44bd635d40b6e7b4db2d12e5cf91c8013 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Thu, 5 Aug 2021 09:54:44 -0400 -Subject: [PATCH] Add missing call to free_interpretation_list - ---- - auparse/auparse.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/auparse/auparse.c b/auparse/auparse.c -index ee3c97b..18f1127 100644 ---- a/auparse/auparse.c -+++ b/auparse/auparse.c -@@ -1,5 +1,5 @@ - /* auparse.c -- -- * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina. -+ * Copyright 2006-08,2012-19,21 Red Hat Inc. - * All Rights Reserved. - * - * This library is free software; you can redistribute it and/or -@@ -2014,6 +2014,7 @@ const char *auparse_find_field_next(auparse_state_t *au) - r = aup_list_next(au->le); - if (r) { - aup_list_first_field(au->le); -+ free_interpretation_list(); - load_interpretation_list(r->interp); - } - } --- - diff --git a/backport-Another-hardening-measure-for-corrupted-logs.patch b/backport-Another-hardening-measure-for-corrupted-logs.patch deleted file mode 100644 index f887ae9167e52b9b27cc20f71d528ed8023dcaef..0000000000000000000000000000000000000000 --- a/backport-Another-hardening-measure-for-corrupted-logs.patch +++ /dev/null 
@@ -1,85 +0,0 @@ -From ab8f522953a56c860cac2cca2a7d7874419111d5 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Sat, 7 Aug 2021 13:13:19 -0400 -Subject: [PATCH 2198/2246] Another hardening measure for corrupted logs - ---- - src/ausearch-lookup.c | 3 +++ - src/ausearch-parse.c | 25 +++++++++++++++---------- - 2 files changed, 18 insertions(+), 10 deletions(-) - -diff --git a/src/ausearch-lookup.c b/src/ausearch-lookup.c -index e27c784..dd58c36 100644 ---- a/src/ausearch-lookup.c -+++ b/src/ausearch-lookup.c -@@ -300,6 +300,9 @@ char *unescape(const char *buf) - while (isxdigit(*ptr)) - ptr++; - } -+ if ((ptr - buf) == 0) -+ return NULL; -+ - str = strndup(buf, ptr - buf); - - if (*buf == '(') -diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c -index d051137..78dc44c 100644 ---- a/src/ausearch-parse.c -+++ b/src/ausearch-parse.c -@@ -1658,12 +1658,21 @@ static int parse_sockaddr(const lnode *n, search_items *s) - if (event_hostname || event_filename) { - str = strstr(n->message, "saddr="); - if (str) { -- int len; -+ unsigned int len = 0; - struct sockaddr *saddr; - char name[NI_MAXHOST]; - - str += 6; -- len = strlen(str)/2; -+ const char *ptr = str; -+ if (*ptr == '(') { -+ const char *ptr2 = strchr(ptr, ')'); -+ if (ptr2) -+ len = (ptr2 - ptr) + 1; -+ } else { -+ while (isxdigit(ptr[len])) -+ len++; -+ len /= 2; -+ } - s->hostname = unescape(str); - if (s->hostname == NULL) - return 4; -@@ -1683,17 +1692,13 @@ static int parse_sockaddr(const lnode *n, search_items *s) - } - len = sizeof(struct sockaddr_in6); - } else if (saddr->sa_family == AF_UNIX) { -- struct sockaddr_un *un = -- (struct sockaddr_un *)saddr; -- if (un->sun_path[0]) -- len = strlen(un->sun_path); -- else // abstract name -- len = strlen(&un->sun_path[1]); -- if (len == 0) { -+ if (len < 4) { - fprintf(stderr, - "sun_path len too short\n"); - return 3; - } -+ struct sockaddr_un *un = -+ (struct sockaddr_un *)saddr; - if (event_filename) { - if (!s->filename) { - //create -@@ -1736,7 
+1741,7 @@ static int parse_sockaddr(const lnode *n, search_items *s) - s->hostname = NULL; - return 0; - } -- if (getnameinfo(saddr, len, name, NI_MAXHOST, -+ if (getnameinfo(saddr, len, name, NI_MAXHOST, - NULL, 0, NI_NUMERICHOST) ) { - free(s->hostname); - s->hostname = NULL; --- -1.8.3.1 - diff --git a/backport-Better-fix-for-busy-loop-in-normalizer-when-logs-are.patch b/backport-Better-fix-for-busy-loop-in-normalizer-when-logs-are.patch deleted file mode 100644 index 44a825349aa40d94b99092e245622dc54a42b494..0000000000000000000000000000000000000000 --- a/backport-Better-fix-for-busy-loop-in-normalizer-when-logs-are.patch +++ /dev/null @@ -1,31 +0,0 @@ -From ad62fa01c7a963c56bac75d8f7db6a5c76be4655 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Sat, 7 Aug 2021 13:59:40 -0400 -Subject: [PATCH 2200/2246] Better fix for busy loop in normalizer when logs - are corrupt - ---- - auparse/normalize.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/auparse/normalize.c b/auparse/normalize.c -index cd0a7c2..0ccabc5 100644 ---- a/auparse/normalize.c -+++ b/auparse/normalize.c -@@ -346,10 +346,11 @@ static void collect_id_obj2(auparse_state_t *au, const char *syscall) - if ((strcmp(str, "unset") == 0) && errno == 0) { - // Only move it if its safe to - if (cnt < limit) { -- auparse_next_field(au); -+ if (auparse_next_field(au) == 0) -+ return; - cnt++; - } else -- break; -+ return; - } else - break; - } --- -1.8.3.1 - diff --git a/backport-Check-ctime-return-code.patch b/backport-Check-ctime-return-code.patch deleted file mode 100644 index 80b141fcb3370398f6723f4f5d6a9ca6c2b0a81a..0000000000000000000000000000000000000000 --- a/backport-Check-ctime-return-code.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From fd76e380ea117000d9d350405e2cfbd070c5c01a Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Sat, 21 Aug 2021 10:18:30 -0400 -Subject: [PATCH 2213/2246] Check ctime return code - ---- - tools/aulast/aulast.c | 16 +++++++++++----- - 1 file changed, 11 insertions(+), 5 deletions(-) - -diff --git a/tools/aulast/aulast.c b/tools/aulast/aulast.c -index c513aac..8a25f3b 100644 ---- a/tools/aulast/aulast.c -+++ b/tools/aulast/aulast.c -@@ -96,8 +96,11 @@ static void report_session(lnode* cur) - int mins, hours, days; - if (notime) - printf("- %-7.5s", " "); -- else -- printf("- %-7.5s", ctime(&cur->end) + 11); -+ else { -+ char *ttime = ctime(&cur->end); -+ printf("- %-7.5s", ttime ? ttime + 11 : -+ "bad value"); -+ } - secs = cur->end - cur->start; - mins = (secs / 60) % 60; - hours = (secs / 3600) % 24; -@@ -128,10 +131,13 @@ static void report_session(lnode* cur) - strftime(start, sizeof(start), "%x %T", btm); - if (cur->end != 0) { - btm = localtime(&cur->end); -- strftime(end, sizeof(end), "%x %T", btm); -- printf(" ausearch --start %s --end %s", -- start, end); -+ if (btm) { -+ strftime(end, sizeof(end), "%x %T", btm); -+ printf(" ausearch --start %s --end %s", -+ start, end); -+ } else goto no_end; - } else { -+no_end: - printf(" ausearch --start %s", start); - } - if (cur->name == NULL) --- -1.8.3.1 - diff --git a/backport-Check-for-fuzzer-induced-invalid-value.patch b/backport-Check-for-fuzzer-induced-invalid-value.patch deleted file mode 100644 index 8652368369e61e50b89de8f395496889470a8494..0000000000000000000000000000000000000000 --- a/backport-Check-for-fuzzer-induced-invalid-value.patch +++ /dev/null 
@@ -1,26 +0,0 @@
-From a3db7a4f849f52105b13fa412e64fc76c6b2895b Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Thu, 5 Aug 2021 21:51:33 -0400
-Subject: [PATCH 2182/2246] Check for fuzzer induced invalid value
-
----
- auparse/ellist.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/auparse/ellist.c b/auparse/ellist.c
-index 17384a7..175e44e 100644
---- a/auparse/ellist.c
-+++ b/auparse/ellist.c
-@@ -151,6 +151,9 @@ static int parse_up_record(rnode* r)
- n.val = strdup(val);
- // Remove trailing punctuation
- len = strlen(n.val);
-+ // Check for invalid val
-+ if (!len)
-+ continue;
- if (len && n.val[len-1] == ':') {
- n.val[len-1] = 0;
- len--;
---
-1.8.3.1
-
diff --git a/backport-Dont-run-off-the-end-with-corrupt-logs.patch b/backport-Dont-run-off-the-end-with-corrupt-logs.patch
deleted file mode 100644
index 8cc023414aedb8aa9e10b41b33cbabaff919c50e..0000000000000000000000000000000000000000
--- a/backport-Dont-run-off-the-end-with-corrupt-logs.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 50c65ae25e64b7bd4489ce22a4c7789fa9a81f2f Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Sat, 7 Aug 2021 11:33:20 -0400
-Subject: [PATCH 2197/2246] Dont run off the end with corrupt logs
-
----
- src/ausearch-parse.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
-index 81ef319..d051137 100644
---- a/src/ausearch-parse.c
-+++ b/src/ausearch-parse.c
-@@ -1031,7 +1031,7 @@ static int parse_user(const lnode *n, search_items *s, anode *avc)
- if (str) {
- str += 5;
- term = str;
-- while (*term != ' ' && *term != ':')
-+ while (*term != ' ' && *term != ':' && *term)
- term++;
- if (term == str)
- return 24;
-@@ -1244,7 +1244,7 @@ skip:
- char *end = str;
- int legacy = 0;
-
-- while (*end != ' ') {
-+ while (*end != ' ' && *end) {
- if (!isxdigit(*end)) {
- legacy = 1;
- }
-@@ -1295,7 +1295,7 @@ skip:
- char *end = str;
- int legacy = 0;
-
-- while (*end != ' ') {
-+ while (*end != ' ' && *end) {
- if (!isxdigit(*end)) {
- legacy = 1;
- }
---
-1.8.3.1
-
diff --git a/backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch b/backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch
deleted file mode 100644
index e06ed9b66f0ad6f8887dd3cc94b6c45c322df126..0000000000000000000000000000000000000000
--- a/backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch
+++ /dev/null
@@ -1,35 +0,0 @@ -From 16246878c503d7395ae668817bf629e05361fec5 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Thu, 29 Jul 2021 18:39:22 -0400 -Subject: [PATCH] Fix an auparse memory leak caused in recent glibc - ---- - auparse/interpret.c | 4 ++++- - 1 files changed, 4 insertions(+), 1 deletion(-) - -diff --git a/auparse/interpret.c b/auparse/interpret.c -index 2813acb..33c173e 100644 ---- a/auparse/interpret.c -+++ b/auparse/interpret.c -@@ -50,6 +50,7 @@ - #include - #include - #include -+#include /* PATH_MAX */ - #ifdef USE_FANOTIFY - #include - #else -@@ -865,8 +866,10 @@ static const char *print_escaped_ext(const idata *id) - str1 = NULL; - } - errno = 0; -- out = realpath(str3, NULL); -+ out = malloc(PATH_MAX); -+ realpath(str3, out); - if (errno) { // If there's an error, just return the original -+ free(out); - free(str1); - free(str2); - return str3; --- - diff --git a/backport-Fix-busy-loop-in-normalizer-when-logs-are-corrupt.patch b/backport-Fix-busy-loop-in-normalizer-when-logs-are-corrupt.patch deleted file mode 100644 index 9dd4cc6c1be8d6d3273872a0e1df0249443371b2..0000000000000000000000000000000000000000 --- a/backport-Fix-busy-loop-in-normalizer-when-logs-are-corrupt.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 2b34fea50a9f6a65dd51a2b7abf67e6f19c8d1f5 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Sat, 7 Aug 2021 13:51:30 -0400 -Subject: [PATCH 2199/2246] Fix busy loop in normalizer when logs are corrupt - ---- - auparse/normalize.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/auparse/normalize.c b/auparse/normalize.c -index 99f9803..cd0a7c2 100644 ---- a/auparse/normalize.c -+++ b/auparse/normalize.c -@@ -348,7 +348,8 @@ static void collect_id_obj2(auparse_state_t *au, const char *syscall) - if (cnt < limit) { - auparse_next_field(au); - cnt++; -- } -+ } else -+ break; - } else - break; - } --- -1.8.3.1 - 
diff --git a/backport-Fix-double-free-with-corrupted-logs.patch b/backport-Fix-double-free-with-corrupted-logs.patch deleted file mode 100644 index c252d88a2df0e48829a3f007a056d7d244dcac31..0000000000000000000000000000000000000000 --- a/backport-Fix-double-free-with-corrupted-logs.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 0177e03f0809da0007f09504b789eba4b8cbe739 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Fri, 6 Aug 2021 17:03:41 -0400 -Subject: [PATCH] Fix double free with corrupted logs - ---- - src/ausearch-parse.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c -index 9ee4a4f..cb7d481 100644 ---- a/src/ausearch-parse.c -+++ b/src/ausearch-parse.c -@@ -420,8 +420,10 @@ try_again: - str = strstr(term, "comm="); - if (str) { - /* Make the syscall one override */ -- if (s->comm) -+ if (s->comm) { - free(s->comm); -+ s->comm = NULL; -+ } - str += 5; - if (*str == '"') { - str++; -@@ -431,7 +433,7 @@ try_again: - *term = 0; - s->comm = strdup(str); - *term = '"'; -- } else -+ } else - s->comm = unescape(str); - } else - return 38; --- - diff --git a/backport-Fix-some-string-length-issues.patch b/backport-Fix-some-string-length-issues.patch deleted file mode 100644 index ebc988f2c9092c6e1f6851b45635915b9f07e892..0000000000000000000000000000000000000000 --- a/backport-Fix-some-string-length-issues.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From 39f868fef95f95786358bc3690a327d4f11d2d43 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Thu, 3 Jun 2021 16:18:36 -0400 -Subject: [PATCH 2084/2246] Fix some string length issues - -In interpret, fix the size so that we need to size it again later if new -strings get added. The ausearch/report issues have the size information -available, so FORTIFY_SOURCE should keep things in check. ---- - auparse/interpret.c | 2 +- - src/aureport.c | 4 ++-- - src/ausearch.c | 4 ++-- - 3 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/auparse/interpret.c b/auparse/interpret.c -index e22cae7..5d6f31a 100644 ---- a/auparse/interpret.c -+++ b/auparse/interpret.c -@@ -1242,7 +1242,7 @@ static const char *print_flags(const char *val) - { - int flags, cnt = 0; - size_t i; -- char *out, buf[80]; -+ char *out, buf[sizeof(flag_strings)]; - - errno = 0; - flags = strtoul(val, NULL, 16); -diff --git a/src/aureport.c b/src/aureport.c -index d0251a4..22618f0 100644 ---- a/src/aureport.c -+++ b/src/aureport.c -@@ -168,10 +168,10 @@ static int process_logs(void) - int num = 0; - - if (user_file && userfile_is_dir) { -- char dirname[MAXPATHLEN]; -+ char dirname[MAXPATHLEN+1]; - clear_config (&config); - -- strcpy(dirname, user_file); -+ strncpy(dirname, user_file, MAXPATHLEN-32); - if (dirname[strlen(dirname)-1] != '/') - strcat(dirname, "/"); - strcat (dirname, "audit.log"); -diff --git a/src/ausearch.c b/src/ausearch.c -index 97f89bf..768807e 100644 ---- a/src/ausearch.c -+++ b/src/ausearch.c -@@ -228,10 +228,10 @@ static int process_logs(void) - int ret; - - if (user_file && userfile_is_dir) { -- char dirname[MAXPATHLEN]; -+ char dirname[MAXPATHLEN+1]; - clear_config (&config); - -- strcpy(dirname, user_file); -+ strncpy(dirname, user_file, MAXPATHLEN-32); - if (dirname[strlen(dirname)-1] != '/') - strcat(dirname, "/"); - strcat (dirname, "audit.log"); --- -1.8.3.1 - 
diff --git a/backport-Fix-the-closing-timing-of-audit_fd-166.patch b/backport-Fix-the-closing-timing-of-audit_fd-166.patch deleted file mode 100644 index ae5a25ab25e67552885dc4a45c2f4709d70cc9ab..0000000000000000000000000000000000000000 --- a/backport-Fix-the-closing-timing-of-audit_fd-166.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 72996b1821b5dbd22f5e08c477660a75a38e4414 Mon Sep 17 00:00:00 2001 -From: MIZUTA Takeshi -Date: Wed, 14 Apr 2021 20:08:17 +0900 -Subject: [PATCH 2048/2246] Fix the closing timing of audit_fd (#166) - ---- - lib/netlink.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/netlink.c b/lib/netlink.c -index 9525b8d..f7cbeb0 100644 ---- a/lib/netlink.c -+++ b/lib/netlink.c -@@ -64,10 +64,10 @@ int audit_open(void) - } - if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) { - saved_errno = errno; -- close(fd); - audit_msg(LOG_ERR, - "Error setting audit netlink socket CLOEXEC flag (%s)", - strerror(errno)); -+ close(fd); - errno = saved_errno; - return -1; - } --- -1.8.3.1 - diff --git a/backport-Fix-the-default-location-for-zos-remote.conf-171.patch b/backport-Fix-the-default-location-for-zos-remote.conf-171.patch deleted file mode 100644 index ade88056686c2d97568e840555022a3b5694afbd..0000000000000000000000000000000000000000 --- a/backport-Fix-the-default-location-for-zos-remote.conf-171.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From ea21005f1abba62ed4acd7432c6e721504909511 Mon Sep 17 00:00:00 2001 -From: Pythoner -Date: Mon, 19 Apr 2021 14:10:14 -0500 -Subject: [PATCH 2052/2052] Fix the default location for zos-remote.conf (#171) - ---- - audisp/plugins/zos-remote/audispd-zos-remote.conf | 2 +- - docs/zos-remote.conf.5 | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/audisp/plugins/zos-remote/audispd-zos-remote.conf b/audisp/plugins/zos-remote/audispd-zos-remote.conf -index 13aef2c..eda199e 100644 ---- a/audisp/plugins/zos-remote/audispd-zos-remote.conf -+++ b/audisp/plugins/zos-remote/audispd-zos-remote.conf -@@ -10,5 +10,5 @@ active = no - direction = out - path = /sbin/audispd-zos-remote - type = always --args = /etc/audisp/zos-remote.conf -+args = /etc/audit/zos-remote.conf - format = string -diff --git a/docs/zos-remote.conf.5 b/docs/zos-remote.conf.5 -index 4bf504d..7ee92e3 100644 ---- a/docs/zos-remote.conf.5 -+++ b/docs/zos-remote.conf.5 -@@ -26,7 +26,7 @@ zos\-remote.conf \- the audisp-racf plugin configuration file - controls the configuration for the - .BR audispd\-zos\-remote (8) - Audit dispatcher plugin. The default location for this file is --.IR /etc/audisp/zos\-remote.conf , -+.IR /etc/audit/zos\-remote.conf , - however, a different file can be specified as the first argument to the - .B audispd\-zos\-remote - plugin. See --- -1.8.3.1 - diff --git a/backport-In-auditd-check-if-log_file-is-valid-before-closing-.patch b/backport-In-auditd-check-if-log_file-is-valid-before-closing-.patch deleted file mode 100644 index 60c2d49d2355eef11137640abc999d4d853b3f55..0000000000000000000000000000000000000000 --- a/backport-In-auditd-check-if-log_file-is-valid-before-closing-.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -From 6531c7dfb832ea245d8004662ea7c4e90107c0df Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Wed, 11 Aug 2021 15:10:18 -0400 -Subject: [PATCH 2207/2246] In auditd, check if log_file is valid before - closing handle - ---- - src/auditd-event.c | 44 +++++++++++++++++++++++++++++++---------------- - 1 files changed, 29 insertions(+), 15 deletions(-) - -diff --git a/src/auditd-event.c b/src/auditd-event.c -index 3655726..788c44a 100644 ---- a/src/auditd-event.c -+++ b/src/auditd-event.c -@@ -71,7 +71,7 @@ static void init_flush_thread(void); - /* Local Data */ - static struct daemon_conf *config; - static volatile int log_fd; --static FILE *log_file; -+static FILE *log_file = NULL; - static unsigned int disk_err_warning = 0; - static int fs_space_warning = 0; - static int fs_admin_space_warning = 0; -@@ -174,7 +175,8 @@ int init_event(struct daemon_conf *conf) - format_buf = (char *)malloc(FORMAT_BUF_LEN); - if (format_buf == NULL) { - audit_msg(LOG_ERR, "No memory for formatting, exiting"); -- fclose(log_file); -+ if (log_file) -+ fclose(log_file); - log_file = NULL; - return 1; - } -@@ -212,7 +214,8 @@ static void *flush_thread_main(void *arg) - flush = 0; - pthread_mutex_unlock(&flush_lock); - -- fsync(log_fd); -+ if (log_fd >= 0) -+ fsync(log_fd); - } - return NULL; - } -@@ -589,7 +592,8 @@ void handle_event(struct auditd_event *e) - if (config->daemonize == D_BACKGROUND) { - if (config->flush == FT_INCREMENTAL) { - /* EIO is only likely failure */ -- if (fsync(log_fd) != 0) { -+ if (log_fd >= 0 && -+ fsync(log_fd) != 0) { - do_disk_error_action( - "fsync", - errno); -@@ -744,6 +748,9 @@ static void check_space_left(void) - int rc; - struct statfs buf; - -+ if (log_fd < 0) -+ return; -+ - rc = fstatfs(log_fd, &buf); - if (rc == 0) { - if (buf.f_bavail < 5) { -@@ -831,7 +838,8 @@ static void do_space_left_action(int admin) - case FA_EXEC: - // Close the logging file in case the script zips or - // moves the file. 
We'll reopen in sigusr2 handler -- fclose(log_file); -+ if (log_file) -+ fclose(log_file); - log_file = NULL; - log_fd = -1; - logging_suspended = 1; -@@ -881,7 +889,8 @@ static void do_disk_full_action(void) - case FA_EXEC: - // Close the logging file in case the script zips or - // moves the file. We'll reopen in sigusr2 handler -- fclose(log_file); -+ if (log_file) -+ fclose(log_file); - log_file = NULL; - log_fd = -1; - logging_suspended = 1; -@@ -928,7 +937,8 @@ static void do_disk_error_action(const char *func, int err) - case FA_EXEC: - // Close the logging file in case the script zips or - // moves the file. We'll reopen in sigusr2 handler -- fclose(log_file); -+ if (log_file) -+ fclose(log_file); - log_file = NULL; - log_fd = -1; - logging_suspended = 1; -@@ -1053,17 +1063,21 @@ static void rotate_logs(unsigned int num_logs, unsigned int keep_logs) - /* Close audit file. fchmod and fchown errors are not fatal because we - * already adjusted log file permissions and ownership when opening the - * log file. */ -- if (fchmod(log_fd, config->log_group ? S_IRUSR|S_IRGRP : S_IRUSR) < 0){ -- audit_msg(LOG_WARNING, "Couldn't change permissions while " -+ if (log_fd >= 0) { -+ if (fchmod(log_fd, config->log_group ? 
S_IRUSR|S_IRGRP : -+ S_IRUSR) < 0){ -+ audit_msg(LOG_WARNING, "Couldn't change permissions while " - "rotating log file (%s)", strerror(errno)); -- } -- if (fchown(log_fd, 0, config->log_group) < 0) { -- audit_msg(LOG_WARNING, "Couldn't change ownership while " -+ } -+ if (fchown(log_fd, 0, config->log_group) < 0) { -+ audit_msg(LOG_WARNING, "Couldn't change ownership while " - "rotating log file (%s)", strerror(errno)); -+ } - } -- fclose(log_file); -+ if (log_file) -+ fclose(log_file); - log_file = NULL; -- -+ - /* Rotate */ - len = strlen(config->log_file) + 16; - oldname = (char *)malloc(len); -@@ -1470,7 +1484,8 @@ static void reconfigure(struct auditd_event *e) - free((void *)nconf->log_file); - - if (need_reopen) { -- fclose(log_file); -+ if (log_file) -+ fclose(log_file); - log_file = NULL; - fix_disk_permissions(); - if (open_audit_log()) { --- -1.8.3.1 - diff --git a/backport-Make-IPX-packet-interpretation-dependent-on-the-ipx-.patch b/backport-Make-IPX-packet-interpretation-dependent-on-the-ipx-.patch deleted file mode 100644 index fbb67329bf42ccd02b5b24cee12f9d0799b4aa51..0000000000000000000000000000000000000000 --- a/backport-Make-IPX-packet-interpretation-dependent-on-the-ipx-.patch +++ /dev/null 
@@ -1,65 +0,0 @@
-From 6b09724c69d91668418ddb3af00da6db6755208c Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Thu, 2 Sep 2021 15:01:12 -0400
-Subject: [PATCH] Make IPX packet interpretation dependent on the ipx header
- file existing
-
-Conflict: del ChangeLog
----
- auparse/interpret.c | 8 ++++++--
- configure.ac | 6 ++++++
- 2 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/auparse/interpret.c b/auparse/interpret.c
-index 63829aa..6c31645 100644
---- a/auparse/interpret.c
-+++ b/auparse/interpret.c
-@@ -44,8 +44,10 @@
- #include
- #include
- #include
--#include // FIXME: remove when ipx.h is fixed
--#include
-+#ifdef HAVE_IPX_HEADERS
-+ #include // FIXME: remove when ipx.h is fixed
-+ #include
-+#endif
- #include
- #include
- #include
-@@ -1279,6 +1281,7 @@ static const char *print_sockaddr(const char *val)
- x->sax25_call.ax25_call[6]);
- }
- break;
-+#ifdef HAVE_IPX_HEADERS
- case AF_IPX:
- {
- const struct sockaddr_ipx *ip =
-@@ -1288,6 +1291,7 @@ static const char *print_sockaddr(const char *val)
- str, ip->sipx_port, ip->sipx_network);
- }
- break;
-+#endif
- case AF_ATMPVC:
- {
- const struct sockaddr_atmpvc* at =
-diff --git a/configure.ac b/configure.ac
-index 8f541e4..005eb0b 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -418,6 +418,12 @@ if test x"$LIBWRAP_LIBS" != "x"; then
- AC_DEFINE_UNQUOTED(HAVE_LIBWRAP, [], Define if tcp_wrappers support is enabled )
- fi
-
-+# linux/ipx.h - deprecated in 2018
-+AC_CHECK_HEADER(linux/ipx.h, ipx_headers=yes, ipx_headers=no)
-+if test $ipx_headers = yes ; then
-+ AC_DEFINE(HAVE_IPX_HEADERS,1,[IPX packet interpretation])
-+fi
-+
- # See if we want to support lower capabilities for plugins
- LIBCAP_NG_PATH
-
---
-2.27.0
-
diff --git a/backport-Move-the-free_config-to-success-path.patch b/backport-Move-the-free_config-to-success-path.patch
deleted file mode 100644
index c64b333ce81530fc3a93c7442ef99852bc46e35d..0000000000000000000000000000000000000000
--- a/backport-Move-the-free_config-to-success-path.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From d89e5647d9e090f45146c144d920bd1f686a8230 Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Thu, 15 Jul 2021 11:36:17 -0400
-Subject: [PATCH 2163/2246] Move the free_config to success path
-
----
- src/auditd.c | 4 +++---
- 1 file changed, 3 insertions(+), 1 deletions(-)
-
-diff --git a/src/auditd.c b/src/auditd.c
-index ca69d3b..5478cc4 100644
---- a/src/auditd.c
-+++ b/src/auditd.c
-@@ -457,8 +457,10 @@ static int become_daemon(void)
- return -1;
-
- /* Success - die a happy death */
-- if (status == SUCCESS)
-+ if (status == SUCCESS) {
-+ free_config(&config);
- _exit(0);
-+ }
- return -1;
- }
-
---
-1.8.3.1
-
diff --git a/backport-When-interpreting-if-val-is-NULL-return-an-empty-str.patch b/backport-When-interpreting-if-val-is-NULL-return-an-empty-str.patch
deleted file mode 100644
index 2473f7855a756faeaf69f01f8127a838c29faa72..0000000000000000000000000000000000000000
--- a/backport-When-interpreting-if-val-is-NULL-return-an-empty-str.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From ce58837d44b7d9fcb4e140c23f68e0c94d95ab6e Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Sat, 21 Aug 2021 10:20:11 -0400
-Subject: [PATCH 2214/2246] When interpreting, if val is NULL return an empty
- string
-
----
- auparse/interpret.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/auparse/interpret.c b/auparse/interpret.c
-index 177ab82..63829aa 100644
---- a/auparse/interpret.c
-+++ b/auparse/interpret.c
-@@ -840,6 +840,9 @@ static char *print_escaped(const char *val)
- {
- char *out;
-
-+ if (val == NULL)
-+ return strdup(" ");
-+
- if (*val == '"') {
- char *term;
- val++;
---
-1.8.3.1
-
diff --git a/backport-audit-flex-array-workaround.patch b/backport-audit-flex-array-workaround.patch
index 66d16ee84f5138a0d69a1ec5015ea83c3c8de4ac..d5228f111cd42de578d7b5f120e818ef81418b37 100644
--- a/backport-audit-flex-array-workaround.patch
+++ b/backport-audit-flex-array-workaround.patch @@ -36,7 +36,7 @@ diff --git a/lib/audit.h b/lib/audit.h diff --git a/lib/libaudit.h b/lib/libaudit.h --- a/lib/libaudit.h +++ b/lib/libaudit.h -@@ -32,7 +32,7 @@ +@@ -27,7 +27,7 @@ #include #include #include @@ -44,4 +44,4 @@ diff --git a/lib/libaudit.h b/lib/libaudit.h +#include "audit.h" #include #include - + #ifndef __attr_access diff --git a/backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch b/backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch deleted file mode 100644 index c236d93592abe27254dc7cfcbc733ec3187b1226..0000000000000000000000000000000000000000 --- a/backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch +++ /dev/null 
@@ -1,35 +0,0 @@
-From 30382bfcc0f64f451bc084c9657a546cb34492a7 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?=
-Date: Fri, 1 Oct 2021 16:35:57 +0200
-Subject: [PATCH 2228/2246] auditd.service: Restart 'on-failure', ignoring some
- exit codes (#217)
-
-Use `Restart=on-failure` to automatically restart `auditd`. Do not
-restart for intentional exits. See EXIT CODES section in auditd(8).
-
-See:
-- https://www.freedesktop.org/software/systemd/man/systemd.service.html#Restart=
-- https://www.freedesktop.org/software/systemd/man/systemd.service.html#RestartPreventExitStatus=
-
-Fixes: https://github.com/linux-audit/audit-userspace/issues/211
----
- init.d/auditd.service | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/init.d/auditd.service b/init.d/auditd.service
-index 67cda58..e801281 100644
---- a/init.d/auditd.service
-+++ b/init.d/auditd.service
-@@ -27,6 +27,9 @@ ExecStartPost=-/sbin/augenrules --load
- # By default we don't clear the rules on exit. To enable this, uncomment
- # the next line after copying the file to /etc/systemd/system/auditd.service
- #ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
-+Restart=on-failure
-+# Do not restart for intentional exits. See EXIT CODES section in auditd(8).
-+RestartPreventExitStatus=2 4 6
-
- ### Security Settings ###
- MemoryDenyWriteExecute=true
---
-1.8.3.1
-
diff --git a/backport-error-out-if-log-is-mangled.patch b/backport-error-out-if-log-is-mangled.patch
deleted file mode 100644
index 207e1c18daf5f4489e11a2eb0a3a0787e0d22413..0000000000000000000000000000000000000000
--- a/backport-error-out-if-log-is-mangled.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From fc97c70fdba18280985747198a6ce836d39cce9e Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Sat, 7 Aug 2021 10:29:07 -0400
-Subject: [PATCH 2196/2246] error out if log is mangled
-
----
- src/ausearch-parse.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
-index b0c8b2a..81ef319 100644
---- a/src/ausearch-parse.c
-+++ b/src/ausearch-parse.c
-@@ -1995,6 +1995,10 @@ other_avc:
- *term = '"';
- } else {
- s->comm = unescape(str);
-+ if (s->comm == NULL) {
-+ rc = 11;
-+ goto err;
-+ }
- term = str + 6;
- }
- }
---
-1.8.3.1
-
diff --git a/backport-fix-2-more-issues-found-by-fuzzing.patch b/backport-fix-2-more-issues-found-by-fuzzing.patch
deleted file mode 100644
index 0a317781c4980457c1a2dc2a548eeeca95f1e128..0000000000000000000000000000000000000000
--- a/backport-fix-2-more-issues-found-by-fuzzing.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From f4683d04eadb7d76b98497af834f027d6005d893 Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Mon, 9 Aug 2021 17:14:17 -0400
-Subject: [PATCH] fix 2 more issues found by fuzzing
-
----
- auparse/auparse.c | 8 +++++++-
- auparse/ellist.c | 4 +++-
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/auparse/auparse.c b/auparse/auparse.c
-index b0e685a..3cf512a 100644
---- a/auparse/auparse.c
-+++ b/auparse/auparse.c
-@@ -1611,7 +1611,13 @@ static int au_auparse_next_event(auparse_state_t *au)
- }
- aup_list_create(l);
- aup_list_set_event(l, &e);
-- aup_list_append(l, au->cur_buf, au->list_idx, au->line_number);
-+ if (aup_list_append(l, au->cur_buf, au->list_idx,
-+ au->line_number) < 0) {
-+ au->cur_buf = NULL;
-+ aup_list_clear(l);
-+ free(l);
-+ continue;
-+ }
- // Eat standalone EOE - main event was already marked complete
- if (l->head->type == AUDIT_EOE) {
- au->cur_buf = NULL;
-diff --git a/auparse/ellist.c b/auparse/ellist.c
-index 7d9c552..dd711bc 100644
---- a/auparse/ellist.c
-+++ b/auparse/ellist.c
-@@ -290,7 +290,9 @@ static int parse_up_record(rnode* r)
- while (ptr && *ptr != '}') {
- len = strlen(ptr);
- if ((len+1) >= (256-total)) {
-- free(buf);
-+ if (nvlist_get_cnt(&r->nv)
-+ == 0)
-+ free(buf);
- return -1;
- }
- if (tmpctx[0]) {
---
-
diff --git a/backport-flush-uid-gid-caches-when-user-group-added-deleted-m.patch b/backport-flush-uid-gid-caches-when-user-group-added-deleted-m.patch
deleted file mode 100644
index 6836ea076389084a25b151d56977dca7a763c4bd..0000000000000000000000000000000000000000
--- a/backport-flush-uid-gid-caches-when-user-group-added-deleted-m.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From 8662f61108f8b9365f96ef49ca8ca331a7880f24 Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Tue, 10 Aug 2021 11:27:16 -0400
-Subject: [PATCH 2205/2246] flush uid/gid caches when user/group
- added/deleted/modified
-
-It was reported in issue #209 that in the enriched format that auditd
-is creating the wrong account associations. This is due to caching
-previous lookups. The fix is to monitor for account lifecycle changes
-and flush the LRUs if any are seen.
----
- auparse/auparse-idata.h | 3 ++-
- auparse/interpret.c | 12 ++++++++++++
- src/auditd-event.c | 27 +++++++++++++++++++++++++--
- 3 files changed, 39 insertions(+), 3 deletions(-)
-
-diff --git a/auparse/auparse-idata.h b/auparse/auparse-idata.h
-index 660901a..eaca86a 100644
---- a/auparse/auparse-idata.h
-+++ b/auparse/auparse-idata.h
-@@ -1,6 +1,6 @@
- /*
- * idata.h - Header file for ausearch-lookup.c
--* Copyright (c) 2013,2016-17 Red Hat Inc., Durham, North Carolina.
-+* Copyright (c) 2013,2016-17,2021 Red Hat Inc.
- * All Rights Reserved.
- * This library is free software; you can redistribute it and/or
-@@ -45,6 +45,7 @@ char *auparse_do_interpretation(int type, const idata *id,
- void _auparse_load_interpretations(const char *buf);
- void _auparse_free_interpretations(void);
- const char *_auparse_lookup_interpretation(const char *name);
-+void _auparse_flush_caches(void);
-
- #endif
-
-diff --git a/auparse/interpret.c b/auparse/interpret.c
-index 046867b..eef377a 100644
---- a/auparse/interpret.c
-+++ b/auparse/interpret.c
-@@ -653,6 +653,18 @@ void aulookup_destroy_gid_list(void)
- gid_cache_created = 0;
- }
-
-+void _auparse_flush_caches(void)
-+{
-+ if (uid_cache_created) {
-+ destroy_lru(uid_cache);
-+ uid_cache_created = 0;
-+ }
-+ if (gid_cache_created) {
-+ destroy_lru(gid_cache);
-+ gid_cache_created = 0;
-+ }
-+}
-+
- static const char *print_uid(const char *val, unsigned int base)
- {
- int uid;
-diff --git a/src/auditd-event.c b/src/auditd-event.c
-index cb29fee..3655726 100644
---- a/src/auditd-event.c
-+++ b/src/auditd-event.c
-@@ -42,6 +42,7 @@
- #include "libaudit.h"
- #include "private.h"
- #include "auparse.h"
-+#include "auparse-idata.h"
-
- /* This is defined in auditd.c */
- extern volatile int stop;
-@@ -56,7 +57,7 @@ static void do_space_left_action(int admin);
- static void do_disk_full_action(void);
- static void do_disk_error_action(const char *func, int err);
- static void fix_disk_permissions(void);
--static void check_excess_logs(void);
-+static void check_excess_logs(void);
- static void rotate_logs_now(void);
- static void rotate_logs(unsigned int num_logs, unsigned int keep_logs);
- static void shift_logs(void);
-@@ -394,7 +395,7 @@ static const char *format_enrich(const struct audit_reply *rep)
- snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH,
- "type=DAEMON_ERR op=format-enriched msg=NULL res=failed");
- } else {
-- int rc;
-+ int rc, rtype;
- size_t mlen, len;
- char *message;
- // Do raw format to get event started
-@@ -427,6 +428,17 @@ static const char
*format_enrich(const struct audit_reply *rep) - - // Loop over all fields while possible to add field - rc = auparse_first_record(au); -+ rtype = auparse_get_type(au); -+ switch (rtype) -+ { // Flush before adding to pickup new associations -+ case AUDIT_ADD_USER: -+ case AUDIT_ADD_GROUP: -+ _auparse_flush_caches(); -+ break; -+ default: -+ break; -+ } -+ - while (rc > 0 && len > MIN_SPACE_LEFT) { - // See what kind of field we have - size_t vlen; -@@ -454,6 +466,17 @@ static const char *format_enrich(const struct audit_reply *rep) - rc = auparse_next_field(au); - } - -+ switch(rtype) -+ { // Flush after modification to remove stale entries -+ case AUDIT_USER_MGMT: -+ case AUDIT_DEL_USER: -+ case AUDIT_DEL_GROUP: -+ case AUDIT_GRP_MGMT: -+ _auparse_flush_caches(); -+ break; -+ default: -+ break; -+ } - free(message); - } - return format_buf; --- -1.8.3.1 - diff --git a/bugfix-audit-reload-coredump.patch b/bugfix-audit-reload-coredump.patch index e183873f863c6fcb1f8bd6810171f73b46a061fd..8cd0a452aeea41115d786c21b0763b94615299af 100644 --- a/bugfix-audit-reload-coredump.patch +++ b/bugfix-audit-reload-coredump.patch @@ -5,11 +5,11 @@ Subject: [PATCH] bugfix-audit-reload-coredump --- src/auditd-reconfig.c | 2 ++ - src/auditd.c | 36 +++++++++++++++++++++++++++++------- - 2 files changed, 31 insertions(+), 7 deletions(-) + src/auditd.c | 26 ++++++++++++++++++++++++-- + 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/src/auditd-reconfig.c b/src/auditd-reconfig.c -index f5b00e6..5ea9126 100644 +index 37e0adc..66ded38 100644 --- a/src/auditd-reconfig.c +++ b/src/auditd-reconfig.c @@ -35,6 +35,7 @@ @@ -29,7 +29,7 @@ index f5b00e6..5ea9126 100644 pthread_mutex_unlock(&config_lock); diff --git a/src/auditd.c b/src/auditd.c -index fa783a2..0d76e0c 100644 +index 5933703..53f4803 100644 --- a/src/auditd.c +++ b/src/auditd.c @@ -76,6 +76,7 @@ static int hup_info_requested = 0; 
@@ -40,45 +40,33 @@ index fa783a2..0d76e0c 100644 /* Local function prototypes */ int send_audit_event(int type, const char *str); -@@ -519,15 +520,30 @@ static void netlink_handler(struct ev_loop *loop, struct ev_io *io, - char hup[MAX_AUDIT_MESSAGE_LENGTH]; - audit_msg(LOG_DEBUG, +@@ -525,8 +526,23 @@ static void netlink_handler(struct ev_loop *loop, struct ev_io *io, + char hup[MAX_AUDIT_MESSAGE_LENGTH]; + audit_msg(LOG_DEBUG, "HUP detected, starting config manager"); -- reconfig_ev = cur_event; -- if (start_config_manager(cur_event)) { -+ if(hup_flag == 0) -+ { -+ hup_flag = 1; -+ reconfig_ev = cur_event; -+ if (start_config_manager(cur_event)) { -+ audit_format_signal_info(hup, -+ sizeof(hup), -+ "reconfigure state=no-change", -+ &cur_event->reply, -+ "failed"); -+ send_audit_event(AUDIT_DAEMON_CONFIG, -+ hup); -+ hup_flag = 0; +- reconfig_ev = cur_event; +- if (start_config_manager(cur_event)) { ++ if(hup_flag == 0) ++ { ++ hup_flag = 1; ++ reconfig_ev = cur_event; ++ if (start_config_manager(cur_event)) { ++ audit_format_signal_info(hup, ++ sizeof(hup), ++ "reconfigure state=no-change", ++ &cur_event->reply, ++ "failed"); ++ send_audit_event(AUDIT_DAEMON_CONFIG, ++ hup); ++ hup_flag = 0; ++ } + } -+ } -+ else -+ { - audit_format_signal_info(hup, -- sizeof(hup), -- "reconfigure state=no-change", -- &cur_event->reply, -- "failed"); -+ sizeof(hup), -+ "reconfigure state=no-change", -+ &cur_event->reply, -+ "failed"); - send_audit_event(AUDIT_DAEMON_CONFIG, -- hup); -+ hup); - } - cur_event = NULL; - hup_info_requested = 0; -@@ -571,9 +587,15 @@ static void pipe_handler(struct ev_loop *loop, struct ev_io *io, ++ else ++ { + audit_format_signal_info(hup, + sizeof(hup), + "reconfigure state=no-change", +@@ -576,9 +592,15 @@ static void pipe_handler(struct ev_loop *loop, struct ev_io *io, // Drain the pipe - won't block because libev sets non-blocking mode read(pipefds[0], buf, sizeof(buf)); enqueue_event(reconfig_ev); 
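Review bot: In the refreshed `netlink_handler` change, a HUP that arrives while `hup_flag` is already set falls into the new `else` branch and emits the same `"reconfigure state=no-change"` / `"failed"` record as a genuine `start_config_manager()` failure, so the daemon's own DAEMON_CONFIG trail cannot distinguish a reload rejected because one is already running from a reload that broke. I would give that branch its own text (for example `"reconfigure-in-progress state=no-change"`) and document the guard where it is taken: `/* hup_flag: nonzero while a reconfigure is in flight; a HUP received meanwhile is rejected, not queued */`. The flag's declaration and the places that clear it are not in this hunk; the patch's `auditd-reconfig.c` context shows `pthread_mutex_unlock(&config_lock)`, so if the flag is also written from the config-manager thread it presumably needs that lock or an atomic type rather than a plain int. The body of `netlink_handler` continues outside the hunk.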
@@ -95,5 +83,5 @@ index fa783a2..0d76e0c 100644 { const char *msg = "ready\n"; -- -1.8.3.1 +2.27.0 diff --git a/bugfix-audit-userspace-missing-syscalls-for-aarm64.patch b/bugfix-audit-userspace-missing-syscalls-for-aarm64.patch index 23483cce6f04002d95df0a2e9af9e54efb107856..7483a3583781c700ef233d6095d3ffaaf5e381bc 100644 --- a/bugfix-audit-userspace-missing-syscalls-for-aarm64.patch +++ b/bugfix-audit-userspace-missing-syscalls-for-aarm64.patch @@ -8,17 +8,18 @@ reason: reconsitution userspace audit missing syscalls for aarm64 Signed-off-by: jinbo --- - lib/aarch64_table.h | 43 +++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 43 insertions(+) + lib/aarch64_table.h | 44 +++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/lib/aarch64_table.h b/lib/aarch64_table.h index c61aa91..ea634c1 100644 --- a/lib/aarch64_table.h +++ b/lib/aarch64_table.h -@@ -311,3 +311,46 @@ _S(438, "pidfd_getfd") - _S(439, "faccessat2") - _S(440, "process_madvise") - _S(441, "epoll_pwait2") +@@ -326,4 +326,46 @@ _S(447, "memfd_secret") + _S(448, "process_mrelease") + _S(449, "futex_waitv") + _S(450, "set_mempolicy_home_node") +- +_S(1024, "open") +_S(1025, "link") +_S(1026, "unlink")