openEuler:20.03:LTS:SP3
audit
Changes of Revision 3
_service:tar_scm_kernel_repo:audit.spec
Changed
@@ -4,7 +4,7 @@ Name: audit Epoch: 1 Version: 3.0 -Release: 3 +Release: 4 License: GPLv2+ and LGPLv2+ URL: https://people.redhat.com/sgrubb/audit/ Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz @@ -14,6 +14,27 @@ Patch1: bugfix-audit-userspace-missing-syscalls-for-aarm64.patch Patch2: bugfix-audit-reload-coredump.patch Patch3: backport-Fix-the-default-location-for-zos-remote.conf-171.patch +Patch4: backport-Add-missing-call-to-free_interpretation_list.patch +Patch5: backport-fix-2-more-issues-found-by-fuzzing.patch +Patch6: backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch +Patch7: backport-Fix-double-free-with-corrupted-logs.patch +Patch8: backport-Turn-libaucommon-into-a-libtool-convenience-library-.patch +Patch9: backport-Fix-the-closing-timing-of-audit_fd-166.patch +Patch10: backport-Fix-some-string-length-issues.patch +Patch11: backport-Move-the-free_config-to-success-path.patch +Patch12: backport-Check-for-fuzzer-induced-invalid-value.patch +Patch13: backport-error-out-if-log-is-mangled.patch +Patch14: backport-Dont-run-off-the-end-with-corrupt-logs.patch +Patch15: backport-Another-hardening-measure-for-corrupted-logs.patch +Patch16: backport-Fix-busy-loop-in-normalizer-when-logs-are-corrupt.patch +Patch17: backport-Better-fix-for-busy-loop-in-normalizer-when-logs-are.patch +Patch18: backport-flush-uid-gid-caches-when-user-group-added-deleted-m.patch +Patch19: backport-In-auditd-check-if-log_file-is-valid-before-closing-.patch +Patch20: backport-Check-ctime-return-code.patch +Patch21: backport-When-interpreting-if-val-is-NULL-return-an-empty-str.patch +Patch22: backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch +Patch23: backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch +Patch24: backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29 BuildRequires: openldap-devel krb5-devel libcap-ng-devel 
@@ -368,6 +389,29 @@ %attr(644,root,root) %{_mandir}/man8/*.8.gz %changelog +* Tue Nov 16 2021 yixiangzhike <yixiangzhike007@163.com> - 3.0-4 +- backport some patches + Add missing call to free_interpretation_list + fix 2 more issues found by fuzzing + Fix an auparse memory leak caused in recent glibc + Fix double free with corrupted logs + Turn libaucommon into a libtool convenience library + Fix the closing timing of audit_fd + Fix some string length issues + Move the free_config to success path + Check for fuzzer induced invalid value + error out if log is mangled + Dont run off the end with corrupt logs + Another hardening measure for corrupted logs + Fix busy loop in normalizer when logs are corrupt + Better fix for busy loop in normalizer when logs are corrupt + flush uid gid caches when user group added deleted modified + In auditd check if log_file is valid before closing handle + Check ctime return code + When interpreting if val is NULL return an empty string + auditd.service Restart on failure ignoring some exit + In auditd close the logging file descriptor when logging is suspended + * Fri May 28 2021 yixiangzhike <zhangxingliang3@huawei.com> - 3.0-3 - solve the script failure when package upgrade
_service:tar_scm_kernel_repo:backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch
Added
@@ -0,0 +1,32 @@
+From d62c38a55520e58220d8e42497c4ab343185106f Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Thu, 28 Oct 2021 13:22:24 -0400
+Subject: [PATCH 2237/2246] In auditd, close the logging file descriptor when
+ logging is suspended
+
+---
+ src/auditd-event.c | 8 ++++++++
+ 1 files changed, 8 insertions(+)
+
+diff --git a/src/auditd-event.c b/src/auditd-event.c
+index f886b67..4dee990 100644
+--- a/src/auditd-event.c
++++ b/src/auditd-event.c
+@@ -723,6 +723,14 @@ static void check_log_file_size(void)
+ case SZ_SUSPEND:
+ audit_msg(LOG_ERR,
+ "Audit daemon is suspending logging due to logfile size.");
++ // We need to close the file so that manual
++ // intervention can move or delete the file.
++ // We don't want to keep logging to a deleted
++ // file.
++ if (log_file)
++ fclose(log_file);
++ log_file = NULL;
++ log_fd = -1;
+ logging_suspended = 1;
+ break;
+ case SZ_ROTATE:
+--
+1.8.3.1
+
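Review bot: The `fclose(log_file)` added under `SZ_SUSPEND` discards its return value, so a failed final flush of buffered audit records goes unreported at the moment the daemon stops writing. Checking it and logging the failure would make the loss visible, e.g. `if (log_file && fclose(log_file) != 0) audit_msg(LOG_ERR, "Error closing log file (%s)", strerror(errno));`. The same close / `log_file = NULL` / `log_fd = -1` sequence is repeated in the three `FA_SUSPEND` cases of the 0002 patch and in the existing `FA_EXEC` cases, so one small static helper would keep all of the sites in step. check_log_file_size() continues outside the hunk.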
_service:tar_scm_kernel_repo:backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch
Added
@@ -0,0 +1,59 @@
+From 770e4f538103f8a055f46c04a9e2514f88f175c3 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Mon, 1 Nov 2021 08:29:56 -0400
+Subject: [PATCH 2244/2246] In auditd, close the logging file descriptor when
+ logging is suspended
+
+---
+ src/auditd-event.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/auditd-event.c b/src/auditd-event.c
+index 4a0a351..e88ef6e 100644
+--- a/src/auditd-event.c
++++ b/src/auditd-event.c
+@@ -861,6 +861,13 @@ static void do_space_left_action(int admin)
+ case FA_SUSPEND:
+ audit_msg(LOG_ALERT,
+ "Audit daemon is suspending logging due to low disk space.");
++ // We need to close the file so that manual
++ // intervention can move or delete the file. We
++ // don't want to keep logging to a deleted file.
++ if (log_file)
++ fclose(log_file);
++ log_file = NULL;
++ log_fd = -1;
+ logging_suspended = 1;
+ break;
+ case FA_SINGLE:
+@@ -909,6 +916,13 @@ static void do_disk_full_action(void)
+ case FA_SUSPEND:
+ audit_msg(LOG_ALERT,
+ "Audit daemon is suspending logging due to no space left on logging partition.");
++ // We need to close the file so that manual
++ // intervention can move or delete the file. We
++ // don't want to keep logging to a deleted file.
++ if (log_file)
++ fclose(log_file);
++ log_file = NULL;
++ log_fd = -1;
+ logging_suspended = 1;
+ break;
+ case FA_SINGLE:
+@@ -957,6 +971,13 @@ static void do_disk_error_action(const char *func, int err)
+ case FA_SUSPEND:
+ audit_msg(LOG_ALERT,
+ "Audit daemon is suspending logging due to previously mentioned write error");
++ // We need to close the file so that manual
++ // intervention can move or delete the file. We
++ // don't want to keep logging to a deleted file.
++ if (log_file)
++ fclose(log_file);
++ log_file = NULL;
++ log_fd = -1;
+ logging_suspended = 1;
+ break;
+ case FA_SINGLE:
+--
+1.8.3.1
+
_service:tar_scm_kernel_repo:backport-Add-missing-call-to-free_interpretation_list.patch
Added
@@ -0,0 +1,30 @@
+From a9668df44bd635d40b6e7b4db2d12e5cf91c8013 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Thu, 5 Aug 2021 09:54:44 -0400
+Subject: [PATCH] Add missing call to free_interpretation_list
+
+---
+ auparse/auparse.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/auparse/auparse.c b/auparse/auparse.c
+index ee3c97b..18f1127 100644
+--- a/auparse/auparse.c
++++ b/auparse/auparse.c
+@@ -1,5 +1,5 @@
+ /* auparse.c --
+- * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina.
++ * Copyright 2006-08,2012-19,21 Red Hat Inc.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+@@ -2014,6 +2014,7 @@ const char *auparse_find_field_next(auparse_state_t *au)
+ r = aup_list_next(au->le);
+ if (r) {
+ aup_list_first_field(au->le);
++ free_interpretation_list();
+ load_interpretation_list(r->interp);
+ }
+ }
+--
+
_service:tar_scm_kernel_repo:backport-Another-hardening-measure-for-corrupted-logs.patch
Added
@@ -0,0 +1,85 @@ +From ab8f522953a56c860cac2cca2a7d7874419111d5 Mon Sep 17 00:00:00 2001 +From: Steve Grubb <sgrubb@redhat.com> +Date: Sat, 7 Aug 2021 13:13:19 -0400 +Subject: [PATCH 2198/2246] Another hardening measure for corrupted logs + +--- + src/ausearch-lookup.c | 3 +++ + src/ausearch-parse.c | 25 +++++++++++++++---------- + 2 files changed, 18 insertions(+), 10 deletions(-) + +diff --git a/src/ausearch-lookup.c b/src/ausearch-lookup.c +index e27c784..dd58c36 100644 +--- a/src/ausearch-lookup.c ++++ b/src/ausearch-lookup.c +@@ -300,6 +300,9 @@ char *unescape(const char *buf) + while (isxdigit(*ptr)) + ptr++; + } ++ if ((ptr - buf) == 0) ++ return NULL; ++ + str = strndup(buf, ptr - buf); + + if (*buf == '(') +diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c +index d051137..78dc44c 100644 +--- a/src/ausearch-parse.c ++++ b/src/ausearch-parse.c +@@ -1658,12 +1658,21 @@ static int parse_sockaddr(const lnode *n, search_items *s) + if (event_hostname || event_filename) { + str = strstr(n->message, "saddr="); + if (str) { +- int len; ++ unsigned int len = 0; + struct sockaddr *saddr; + char name[NI_MAXHOST]; + + str += 6; +- len = strlen(str)/2; ++ const char *ptr = str; ++ if (*ptr == '(') { ++ const char *ptr2 = strchr(ptr, ')'); ++ if (ptr2) ++ len = (ptr2 - ptr) + 1; ++ } else { ++ while (isxdigit(ptr[len])) ++ len++; ++ len /= 2; ++ } + s->hostname = unescape(str); + if (s->hostname == NULL) + return 4; +@@ -1683,17 +1692,13 @@ static int parse_sockaddr(const lnode *n, search_items *s) + } + len = sizeof(struct sockaddr_in6); + } else if (saddr->sa_family == AF_UNIX) { +- struct sockaddr_un *un = +- (struct sockaddr_un *)saddr; +- if (un->sun_path[0]) +- len = strlen(un->sun_path); +- else // abstract name +- len = strlen(&un->sun_path[1]); +- if (len == 0) { ++ if (len < 4) { + fprintf(stderr, + "sun_path len too short\n"); + return 3; + } ++ struct sockaddr_un *un = ++ (struct sockaddr_un *)saddr; + if (event_filename) { + if (!s->filename) { + 
//create +@@ -1736,7 +1741,7 @@ static int parse_sockaddr(const lnode *n, search_items *s) + s->hostname = NULL; + return 0; + } +- if (getnameinfo(saddr, len, name, NI_MAXHOST, ++ if (getnameinfo(saddr, len, name, NI_MAXHOST, + NULL, 0, NI_NUMERICHOST) ) { + free(s->hostname); + s->hostname = NULL; +-- +1.8.3.1 +
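Review bot: The new scan `while (isxdigit(ptr[len]))` in parse_sockaddr() passes a plain `char` to `isxdigit`, which is undefined for negative values, and bytes with the high bit set are exactly what a corrupted log can contain. A cast keeps it defined: `while (isxdigit((unsigned char)ptr[len]))`. The same applies to the `isxdigit(*ptr)` loop shown as context in unescape() and to the `isxdigit(*end)` tests in backport-Dont-run-off-the-end-with-corrupt-logs.patch. Separately, `len` now holds the length of the parenthesised text in the `(` branch and a decoded byte count in the hex branch, so the later `if (len < 4)` check deserves a comment saying which unit it compares. Both functions continue outside the hunks.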
_service:tar_scm_kernel_repo:backport-Better-fix-for-busy-loop-in-normalizer-when-logs-are.patch
Added
@@ -0,0 +1,31 @@
+From ad62fa01c7a963c56bac75d8f7db6a5c76be4655 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Sat, 7 Aug 2021 13:59:40 -0400
+Subject: [PATCH 2200/2246] Better fix for busy loop in normalizer when logs
+ are corrupt
+
+---
+ auparse/normalize.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/auparse/normalize.c b/auparse/normalize.c
+index cd0a7c2..0ccabc5 100644
+--- a/auparse/normalize.c
++++ b/auparse/normalize.c
+@@ -346,10 +346,11 @@ static void collect_id_obj2(auparse_state_t *au, const char *syscall)
+ if ((strcmp(str, "unset") == 0) && errno == 0) {
+ // Only move it if its safe to
+ if (cnt < limit) {
+- auparse_next_field(au);
++ if (auparse_next_field(au) == 0)
++ return;
+ cnt++;
+ } else
+- break;
++ return;
+ } else
+ break;
+ }
+--
+1.8.3.1
+
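Review bot: The two new `return` statements in collect_id_obj2() leave the whole function where the neighbouring `} else break;` only leaves the loop, and nothing in the hunk says why the cases differ. If the intent is that running out of fields or reaching `limit` means the record is corrupt and nothing after the loop should run, a comment such as `// out of fields or over the limit: record is corrupt, stop collecting` above the inner `if` would record that. The existing comment `// Only move it if its safe to` no longer describes both exits. The function body continues outside the hunk, so what the `return` skips cannot be checked from here.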
_service:tar_scm_kernel_repo:backport-Check-ctime-return-code.patch
Added
@@ -0,0 +1,47 @@
+From fd76e380ea117000d9d350405e2cfbd070c5c01a Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Sat, 21 Aug 2021 10:18:30 -0400
+Subject: [PATCH 2213/2246] Check ctime return code
+
+---
+ tools/aulast/aulast.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/tools/aulast/aulast.c b/tools/aulast/aulast.c
+index c513aac..8a25f3b 100644
+--- a/tools/aulast/aulast.c
++++ b/tools/aulast/aulast.c
+@@ -96,8 +96,11 @@ static void report_session(lnode* cur)
+ int mins, hours, days;
+ if (notime)
+ printf("- %-7.5s", " ");
+- else
+- printf("- %-7.5s", ctime(&cur->end) + 11);
++ else {
++ char *ttime = ctime(&cur->end);
++ printf("- %-7.5s", ttime ? ttime + 11 :
++ "bad value");
++ }
+ secs = cur->end - cur->start;
+ mins = (secs / 60) % 60;
+ hours = (secs / 3600) % 24;
+@@ -128,10 +131,13 @@ static void report_session(lnode* cur)
+ strftime(start, sizeof(start), "%x %T", btm);
+ if (cur->end != 0) {
+ btm = localtime(&cur->end);
+- strftime(end, sizeof(end), "%x %T", btm);
+- printf(" ausearch --start %s --end %s",
+- start, end);
++ if (btm) {
++ strftime(end, sizeof(end), "%x %T", btm);
++ printf(" ausearch --start %s --end %s",
++ start, end);
++ } else goto no_end;
+ } else {
++no_end:
+ printf(" ausearch --start %s", start);
+ }
+ if (cur->name == NULL)
+--
+1.8.3.1
+
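Review bot: The `} else goto no_end;` in the second hunk jumps into the body of the following `else` block, which is legal C but fragile under later edits. Testing the result once reads more directly: `btm = cur->end ? localtime(&cur->end) : NULL;` followed by a plain `if (btm) { … } else { … }`. The context line `strftime(start, sizeof(start), "%x %T", btm);` just above consumes a `btm` whose assignment and NULL check are outside the hunk, so it may need the same guard. report_session() continues outside both hunks.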
_service:tar_scm_kernel_repo:backport-Check-for-fuzzer-induced-invalid-value.patch
Added
@@ -0,0 +1,26 @@
+From a3db7a4f849f52105b13fa412e64fc76c6b2895b Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Thu, 5 Aug 2021 21:51:33 -0400
+Subject: [PATCH 2182/2246] Check for fuzzer induced invalid value
+
+---
+ auparse/ellist.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/auparse/ellist.c b/auparse/ellist.c
+index 17384a7..175e44e 100644
+--- a/auparse/ellist.c
++++ b/auparse/ellist.c
+@@ -151,6 +151,9 @@ static int parse_up_record(rnode* r)
+ n.val = strdup(val);
+ // Remove trailing punctuation
+ len = strlen(n.val);
++ // Check for invalid val
++ if (!len)
++ continue;
+ if (len && n.val[len-1] == ':') {
+ n.val[len-1] = 0;
+ len--;
+--
+1.8.3.1
+
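Review bot: The added `continue` abandons the iteration right after `n.val = strdup(val);`, so the empty string just allocated is not freed on this path unless the loop head releases it, which the hunk does not show. Anything else allocated for `n` earlier in the iteration would be dropped the same way. `if (!len) { free(n.val); continue; }` closes the part that is visible. The `strdup` result is also handed to `strlen` without a NULL check, and with the early exit in place the `len &&` in the following condition is redundant. parse_up_record() starts and ends outside the hunk.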
_service:tar_scm_kernel_repo:backport-Dont-run-off-the-end-with-corrupt-logs.patch
Added
@@ -0,0 +1,43 @@
+From 50c65ae25e64b7bd4489ce22a4c7789fa9a81f2f Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Sat, 7 Aug 2021 11:33:20 -0400
+Subject: [PATCH 2197/2246] Dont run off the end with corrupt logs
+
+---
+ src/ausearch-parse.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
+index 81ef319..d051137 100644
+--- a/src/ausearch-parse.c
++++ b/src/ausearch-parse.c
+@@ -1031,7 +1031,7 @@ static int parse_user(const lnode *n, search_items *s, anode *avc)
+ if (str) {
+ str += 5;
+ term = str;
+- while (*term != ' ' && *term != ':')
++ while (*term != ' ' && *term != ':' && *term)
+ term++;
+ if (term == str)
+ return 24;
+@@ -1244,7 +1244,7 @@ skip:
+ char *end = str;
+ int legacy = 0;
+
+- while (*end != ' ') {
++ while (*end != ' ' && *end) {
+ if (!isxdigit(*end)) {
+ legacy = 1;
+ }
+@@ -1295,7 +1295,7 @@ skip:
+ char *end = str;
+ int legacy = 0;
+
+- while (*end != ' ') {
++ while (*end != ' ' && *end) {
+ if (!isxdigit(*end)) {
+ legacy = 1;
+ }
+--
+1.8.3.1
+
_service:tar_scm_kernel_repo:backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch
Added
@@ -0,0 +1,35 @@
+From 16246878c503d7395ae668817bf629e05361fec5 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Thu, 29 Jul 2021 18:39:22 -0400
+Subject: [PATCH] Fix an auparse memory leak caused in recent glibc
+
+---
+ auparse/interpret.c | 4 ++++-
+ 1 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index 2813acb..33c173e 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -50,6 +50,7 @@
+ #include <sys/personality.h>
+ #include <sys/prctl.h>
+ #include <sched.h>
++#include <limits.h> /* PATH_MAX */
+ #ifdef USE_FANOTIFY
+ #include <linux/fanotify.h>
+ #else
+@@ -865,8 +866,10 @@ static const char *print_escaped_ext(const idata *id)
+ str1 = NULL;
+ }
+ errno = 0;
+- out = realpath(str3, NULL);
++ out = malloc(PATH_MAX);
++ realpath(str3, out);
+ if (errno) { // If there's an error, just return the original
++ free(out);
+ free(str1);
+ free(str2);
+ return str3;
+--
+
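Review bot: Failure of `realpath(str3, out)` in print_escaped_ext() is still inferred from `errno` instead of the call's return value, and the `malloc(PATH_MAX)` result is never checked. A successful `realpath` is not guaranteed to leave `errno` at zero, so a correctly resolved path can be thrown away and the unresolved `str3` returned in its place. Testing the results directly avoids both problems: `out = malloc(PATH_MAX);` then `if (out == NULL || realpath(str3, out) == NULL) {` with the existing cleanup body kept as is. The function continues outside the hunk.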
_service:tar_scm_kernel_repo:backport-Fix-busy-loop-in-normalizer-when-logs-are-corrupt.patch
Added
@@ -0,0 +1,26 @@
+From 2b34fea50a9f6a65dd51a2b7abf67e6f19c8d1f5 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Sat, 7 Aug 2021 13:51:30 -0400
+Subject: [PATCH 2199/2246] Fix busy loop in normalizer when logs are corrupt
+
+---
+ auparse/normalize.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/auparse/normalize.c b/auparse/normalize.c
+index 99f9803..cd0a7c2 100644
+--- a/auparse/normalize.c
++++ b/auparse/normalize.c
+@@ -348,7 +348,8 @@ static void collect_id_obj2(auparse_state_t *au, const char *syscall)
+ if (cnt < limit) {
+ auparse_next_field(au);
+ cnt++;
+- }
++ } else
++ break;
+ } else
+ break;
+ }
+--
+1.8.3.1
+
_service:tar_scm_kernel_repo:backport-Fix-double-free-with-corrupted-logs.patch
Added
@@ -0,0 +1,36 @@
+From 0177e03f0809da0007f09504b789eba4b8cbe739 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Fri, 6 Aug 2021 17:03:41 -0400
+Subject: [PATCH] Fix double free with corrupted logs
+
+---
+ src/ausearch-parse.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
+index 9ee4a4f..cb7d481 100644
+--- a/src/ausearch-parse.c
++++ b/src/ausearch-parse.c
+@@ -420,8 +420,10 @@ try_again:
+ str = strstr(term, "comm=");
+ if (str) {
+ /* Make the syscall one override */
+- if (s->comm)
++ if (s->comm) {
+ free(s->comm);
++ s->comm = NULL;
++ }
+ str += 5;
+ if (*str == '"') {
+ str++;
+@@ -431,7 +433,7 @@ try_again:
+ *term = 0;
+ s->comm = strdup(str);
+ *term = '"';
+- } else
++ } else
+ s->comm = unescape(str);
+ } else
+ return 38;
+--
+
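Review bot: Neither `s->comm = strdup(str);` nor `s->comm = unescape(str);` is checked for NULL in the visible lines, and the hardening patch in this same revision makes `unescape()` return NULL for an empty field. The sibling site touched by backport-error-out-if-log-is-mangled.patch adds `if (s->comm == NULL)` with an error exit right after the same call. Adding that check here, with whichever error code this function reserves for it, would keep the two sites consistent. The enclosing function continues outside the hunk, so a later check may already exist.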
_service:tar_scm_kernel_repo:backport-Fix-some-string-length-issues.patch
Added
@@ -0,0 +1,64 @@
+From 39f868fef95f95786358bc3690a327d4f11d2d43 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Thu, 3 Jun 2021 16:18:36 -0400
+Subject: [PATCH 2084/2246] Fix some string length issues
+
+In interpret, fix the size so that we need to size it again later if new
+strings get added. The ausearch/report issues have the size information
+available, so FORTIFY_SOURCE should keep things in check.
+---
+ auparse/interpret.c | 2 +-
+ src/aureport.c | 4 ++--
+ src/ausearch.c | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index e22cae7..5d6f31a 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -1242,7 +1242,7 @@ static const char *print_flags(const char *val)
+ {
+ int flags, cnt = 0;
+ size_t i;
+- char *out, buf[80];
++ char *out, buf[sizeof(flag_strings)];
+
+ errno = 0;
+ flags = strtoul(val, NULL, 16);
+diff --git a/src/aureport.c b/src/aureport.c
+index d0251a4..22618f0 100644
+--- a/src/aureport.c
++++ b/src/aureport.c
+@@ -168,10 +168,10 @@ static int process_logs(void)
+ int num = 0;
+
+ if (user_file && userfile_is_dir) {
+- char dirname[MAXPATHLEN];
++ char dirname[MAXPATHLEN+1];
+ clear_config (&config);
+
+- strcpy(dirname, user_file);
++ strncpy(dirname, user_file, MAXPATHLEN-32);
+ if (dirname[strlen(dirname)-1] != '/')
+ strcat(dirname, "/");
+ strcat (dirname, "audit.log");
+diff --git a/src/ausearch.c b/src/ausearch.c
+index 97f89bf..768807e 100644
+--- a/src/ausearch.c
++++ b/src/ausearch.c
+@@ -228,10 +228,10 @@ static int process_logs(void)
+ int ret;
+
+ if (user_file && userfile_is_dir) {
+- char dirname[MAXPATHLEN];
++ char dirname[MAXPATHLEN+1];
+ clear_config (&config);
+
+- strcpy(dirname, user_file);
++ strncpy(dirname, user_file, MAXPATHLEN-32);
+ if (dirname[strlen(dirname)-1] != '/')
+ strcat(dirname, "/");
+ strcat (dirname, "audit.log");
+--
+1.8.3.1
+
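Review bot: `strncpy(dirname, user_file, MAXPATHLEN-32);` in both process_logs() hunks (src/aureport.c and src/ausearch.c) leaves `dirname` unterminated whenever `user_file` is at least `MAXPATHLEN-32` bytes long, because the array is an uninitialised local. The `strlen(dirname)` on the next line and the two `strcat` calls then run past the copied bytes into whatever the stack holds. Terminating explicitly right after the copy, `dirname[MAXPATHLEN-32] = '\0';`, fixes that; building the path with one `snprintf(dirname, sizeof(dirname), …)` and rejecting truncation would remove the reliance on FORTIFY_SOURCE that the commit message mentions. An empty `user_file` also makes `dirname[strlen(dirname)-1]` index before the array, which predates this patch but sits on the same lines.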
_service:tar_scm_kernel_repo:backport-Fix-the-closing-timing-of-audit_fd-166.patch
Added
@@ -0,0 +1,28 @@
+From 72996b1821b5dbd22f5e08c477660a75a38e4414 Mon Sep 17 00:00:00 2001
+From: MIZUTA Takeshi <mizuta.takeshi@fujitsu.com>
+Date: Wed, 14 Apr 2021 20:08:17 +0900
+Subject: [PATCH 2048/2246] Fix the closing timing of audit_fd (#166)
+
+---
+ lib/netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/netlink.c b/lib/netlink.c
+index 9525b8d..f7cbeb0 100644
+--- a/lib/netlink.c
++++ b/lib/netlink.c
+@@ -64,10 +64,10 @@ int audit_open(void)
+ }
+ if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
+ saved_errno = errno;
+- close(fd);
+ audit_msg(LOG_ERR,
+ "Error setting audit netlink socket CLOEXEC flag (%s)",
+ strerror(errno));
++ close(fd);
+ errno = saved_errno;
+ return -1;
+ }
+--
+1.8.3.1
+
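Review bot: The message in audit_open() still formats `strerror(errno)` although `saved_errno` was captured two lines earlier for exactly this failure. Using `strerror(saved_errno)` would make the logged text independent of the order of `close(fd)` and `audit_msg()`, which is the ordering this patch has to rearrange to get the right message.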
_service:tar_scm_kernel_repo:backport-In-auditd-check-if-log_file-is-valid-before-closing-.patch
Added
@@ -0,0 +1,135 @@ +From 6531c7dfb832ea245d8004662ea7c4e90107c0df Mon Sep 17 00:00:00 2001 +From: Steve Grubb <sgrubb@redhat.com> +Date: Wed, 11 Aug 2021 15:10:18 -0400 +Subject: [PATCH 2207/2246] In auditd, check if log_file is valid before + closing handle + +--- + src/auditd-event.c | 44 +++++++++++++++++++++++++++++++---------------- + 1 files changed, 29 insertions(+), 15 deletions(-) + +diff --git a/src/auditd-event.c b/src/auditd-event.c +index 3655726..788c44a 100644 +--- a/src/auditd-event.c ++++ b/src/auditd-event.c +@@ -71,7 +71,7 @@ static void init_flush_thread(void); + /* Local Data */ + static struct daemon_conf *config; + static volatile int log_fd; +-static FILE *log_file; ++static FILE *log_file = NULL; + static unsigned int disk_err_warning = 0; + static int fs_space_warning = 0; + static int fs_admin_space_warning = 0; +@@ -174,7 +175,8 @@ int init_event(struct daemon_conf *conf) + format_buf = (char *)malloc(FORMAT_BUF_LEN); + if (format_buf == NULL) { + audit_msg(LOG_ERR, "No memory for formatting, exiting"); +- fclose(log_file); ++ if (log_file) ++ fclose(log_file); + log_file = NULL; + return 1; + } +@@ -212,7 +214,8 @@ static void *flush_thread_main(void *arg) + flush = 0; + pthread_mutex_unlock(&flush_lock); + +- fsync(log_fd); ++ if (log_fd >= 0) ++ fsync(log_fd); + } + return NULL; + } +@@ -589,7 +592,8 @@ void handle_event(struct auditd_event *e) + if (config->daemonize == D_BACKGROUND) { + if (config->flush == FT_INCREMENTAL) { + /* EIO is only likely failure */ +- if (fsync(log_fd) != 0) { ++ if (log_fd >= 0 && ++ fsync(log_fd) != 0) { + do_disk_error_action( + "fsync", + errno); +@@ -744,6 +748,9 @@ static void check_space_left(void) + int rc; + struct statfs buf; + ++ if (log_fd < 0) ++ return; ++ + rc = fstatfs(log_fd, &buf); + if (rc == 0) { + if (buf.f_bavail < 5) { +@@ -831,7 +838,8 @@ static void do_space_left_action(int admin) + case FA_EXEC: + // Close the logging file in case the script zips or + // moves the file. 
We'll reopen in sigusr2 handler +- fclose(log_file); ++ if (log_file) ++ fclose(log_file); + log_file = NULL; + log_fd = -1; + logging_suspended = 1; +@@ -881,7 +889,8 @@ static void do_disk_full_action(void) + case FA_EXEC: + // Close the logging file in case the script zips or + // moves the file. We'll reopen in sigusr2 handler +- fclose(log_file); ++ if (log_file) ++ fclose(log_file); + log_file = NULL; + log_fd = -1; + logging_suspended = 1; +@@ -928,7 +937,8 @@ static void do_disk_error_action(const char *func, int err) + case FA_EXEC: + // Close the logging file in case the script zips or + // moves the file. We'll reopen in sigusr2 handler +- fclose(log_file); ++ if (log_file) ++ fclose(log_file); + log_file = NULL; + log_fd = -1; + logging_suspended = 1; +@@ -1053,17 +1063,21 @@ static void rotate_logs(unsigned int num_logs, unsigned int keep_logs) + /* Close audit file. fchmod and fchown errors are not fatal because we + * already adjusted log file permissions and ownership when opening the + * log file. */ +- if (fchmod(log_fd, config->log_group ? S_IRUSR|S_IRGRP : S_IRUSR) < 0){ +- audit_msg(LOG_WARNING, "Couldn't change permissions while " ++ if (log_fd >= 0) { ++ if (fchmod(log_fd, config->log_group ? 
S_IRUSR|S_IRGRP : ++ S_IRUSR) < 0){ ++ audit_msg(LOG_WARNING, "Couldn't change permissions while " + "rotating log file (%s)", strerror(errno)); +- } +- if (fchown(log_fd, 0, config->log_group) < 0) { +- audit_msg(LOG_WARNING, "Couldn't change ownership while " ++ } ++ if (fchown(log_fd, 0, config->log_group) < 0) { ++ audit_msg(LOG_WARNING, "Couldn't change ownership while " + "rotating log file (%s)", strerror(errno)); ++ } + } +- fclose(log_file); ++ if (log_file) ++ fclose(log_file); + log_file = NULL; +- ++ + /* Rotate */ + len = strlen(config->log_file) + 16; + oldname = (char *)malloc(len); +@@ -1470,7 +1484,8 @@ static void reconfigure(struct auditd_event *e) + free((void *)nconf->log_file); + + if (need_reopen) { +- fclose(log_file); ++ if (log_file) ++ fclose(log_file); + log_file = NULL; + fix_disk_permissions(); + if (open_audit_log()) { +-- +1.8.3.1 +
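Review bot: The new `log_fd >= 0` guards only help where every close path also resets `log_fd`, and the `init_event`, `rotate_logs` and `reconfigure` hunks set `log_file = NULL` after `fclose` without touching `log_fd`. If the reopen that follows fails (that code is outside the hunks), `fsync`, `fstatfs`, `fchmod` and `fchown` would still be handed the stale descriptor number. `flush_thread_main` also tests `log_fd` after `pthread_mutex_unlock(&flush_lock)`, so nothing visible here excludes a close in another thread between the test and `fsync(log_fd)`. Writing `log_fd = -1;` next to each `log_file = NULL;`, ahead of the `fclose`, would narrow both gaps.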
_service:tar_scm_kernel_repo:backport-Move-the-free_config-to-success-path.patch
Added
@@ -0,0 +1,28 @@
+From d89e5647d9e090f45146c144d920bd1f686a8230 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Thu, 15 Jul 2021 11:36:17 -0400
+Subject: [PATCH 2163/2246] Move the free_config to success path
+
+---
+ src/auditd.c | 4 +++---
+ 1 file changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/src/auditd.c b/src/auditd.c
+index ca69d3b..5478cc4 100644
+--- a/src/auditd.c
++++ b/src/auditd.c
+@@ -457,8 +457,10 @@ static int become_daemon(void)
+ return -1;
+
+ /* Success - die a happy death */
+- if (status == SUCCESS)
++ if (status == SUCCESS) {
++ free_config(&config);
+ _exit(0);
++ }
+ return -1;
+ }
+
+--
+1.8.3.1
+
_service:tar_scm_kernel_repo:backport-Turn-libaucommon-into-a-libtool-convenience-library-.patch
Added
@@ -0,0 +1,118 @@ +From dcbc6c76b10651c1d1b27b95869ab82ee2153afe Mon Sep 17 00:00:00 2001 +From: Laurent Bigonville <bigon@users.noreply.github.com> +Date: Tue, 5 Jan 2021 19:29:44 +0100 +Subject: [PATCH 1988/2246] Turn libaucommon into a libtool convenience library + (#147) + +This makes sure that the functions compiled into libaucommon +(audit_strsplit_r,...) end up in the libaudit/libauparse static library + +Fixes: #146 +--- + audisp/plugins/remote/Makefile.am | 2 +- + audisp/plugins/syslog/Makefile.am | 2 +- + auparse/Makefile.am | 4 ++-- + auparse/test/Makefile.am | 6 +++--- + common/Makefile.am | 6 +++--- + lib/Makefile.am | 4 ++-- + 6 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/audisp/plugins/remote/Makefile.am b/audisp/plugins/remote/Makefile.am +index 0066e25..bd3f301 100644 +--- a/audisp/plugins/remote/Makefile.am ++++ b/audisp/plugins/remote/Makefile.am +@@ -33,7 +33,7 @@ man_MANS = audisp-remote.8 audisp-remote.conf.5 + check_PROGRAMS = test-queue + TESTS = $(check_PROGRAMS) + +-audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.a ++audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.la + audisp_remote_SOURCES = audisp-remote.c remote-config.c queue.c + audisp_remote_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -Wundef + audisp_remote_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now +diff --git a/audisp/plugins/syslog/Makefile.am b/audisp/plugins/syslog/Makefile.am +index 55ca77b..353229e 100644 +--- a/audisp/plugins/syslog/Makefile.am ++++ b/audisp/plugins/syslog/Makefile.am +@@ -29,7 +29,7 @@ plugin_conf = syslog.conf + sbin_PROGRAMS = audisp-syslog + man_MANS = audisp-syslog.8 + +-audisp_syslog_DEPENDENCIES = ${top_builddir}/common/libaucommon.a ++audisp_syslog_DEPENDENCIES = ${top_builddir}/common/libaucommon.la + audisp_syslog_SOURCES = audisp-syslog.c + audisp_syslog_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE -Wundef + audisp_syslog_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now +diff --git a/auparse/Makefile.am 
b/auparse/Makefile.am +index b853003..d180c34 100644 +--- a/auparse/Makefile.am ++++ b/auparse/Makefile.am +@@ -45,8 +45,8 @@ libauparse_la_SOURCES = lru.c interpret.c nvlist.c ellist.c \ + normalize_record_map.h normalize_syscall_map.h + nodist_libauparse_la_SOURCES = $(BUILT_SOURCES) + +-libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a +-libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h ${top_builddir}/common/libaucommon.a ++libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la ++libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h ${top_builddir}/common/libaucommon.la + libauparse_la_LDFLAGS = -Wl,-z,relro + + message.c: +diff --git a/auparse/test/Makefile.am b/auparse/test/Makefile.am +index 89ffcc4..11d10b0 100644 +--- a/auparse/test/Makefile.am ++++ b/auparse/test/Makefile.am +@@ -29,17 +29,17 @@ AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib + + lookup_test_SOURCES = lookup_test.c + lookup_test_LDADD = ${top_builddir}/auparse/libauparse.la \ +- ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a ++ ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la + + auparse_test_SOURCES = auparse_test.c + auparse_test_LDFLAGS = -static + auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \ +- ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a ++ ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la + + auparselol_test_SOURCES = auparselol_test.c + auparselol_test_LDFLAGS = -static + auparselol_test_LDADD = ${top_builddir}/auparse/libauparse.la \ +- ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a ++ ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la + + drop_srcdir = sed 's,$(srcdir)/test,test,' + +diff --git a/common/Makefile.am b/common/Makefile.am +index 9e00cbc..8b9aacb 100644 +--- a/common/Makefile.am ++++ 
b/common/Makefile.am +@@ -24,7 +24,7 @@ CONFIG_CLEAN_FILES = *.rej *.orig + AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib + + noinst_HEADERS = common.h +-libaucommon_a_DEPENDENCIES = ../config.h +-libaucommon_a_SOURCES = audit-fgets.c strsplit.c +-noinst_LIBRARIES = libaucommon.a ++libaucommon_la_DEPENDENCIES = ../config.h ++libaucommon_la_SOURCES = audit-fgets.c strsplit.c ++noinst_LTLIBRARIES = libaucommon.la + +diff --git a/lib/Makefile.am b/lib/Makefile.am +index 107c444..12e5861 100644 +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -38,8 +38,8 @@ include_HEADERS = libaudit.h + libaudit_la_SOURCES = libaudit.c message.c netlink.c \ + lookup_table.c audit_logging.c deprecated.c \ + dso.h private.h errormsg.h +-libaudit_la_LIBADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.a +-libaudit_la_DEPENDENCIES = $(libaudit_la_SOURCES) ../config.h ${top_builddir}/common/libaucommon.a ++libaudit_la_LIBADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.la ++libaudit_la_DEPENDENCIES = $(libaudit_la_SOURCES) ../config.h ${top_builddir}/common/libaucommon.la + libaudit_la_LDFLAGS = -Wl,-z,relro -version-info $(VERSION_INFO) + nodist_libaudit_la_SOURCES = $(BUILT_SOURCES) + +-- +1.8.3.1 +
_service:tar_scm_kernel_repo:backport-When-interpreting-if-val-is-NULL-return-an-empty-str.patch
Added
@@ -0,0 +1,27 @@
+From ce58837d44b7d9fcb4e140c23f68e0c94d95ab6e Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Sat, 21 Aug 2021 10:20:11 -0400
+Subject: [PATCH 2214/2246] When interpreting, if val is NULL return an empty
+ string
+
+---
+ auparse/interpret.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index 177ab82..63829aa 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -840,6 +840,9 @@ static char *print_escaped(const char *val)
+ {
+ char *out;
+
++ if (val == NULL)
++ return strdup(" ");
++
+ if (*val == '"') {
+ char *term;
+ val++;
+--
+1.8.3.1
+
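Review bot: The subject line promises an empty string, but the added line as shown on this page is `return strdup(" ");`, a one-character string. A short comment above the check saying which of the two is intended would settle it for the next reader, for example `// NULL field value: return a heap-allocated placeholder`. print_escaped() continues outside the hunk.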
_service:tar_scm_kernel_repo:backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch
Added
@@ -0,0 +1,35 @@
+From 30382bfcc0f64f451bc084c9657a546cb34492a7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= <travier@redhat.com>
+Date: Fri, 1 Oct 2021 16:35:57 +0200
+Subject: [PATCH 2228/2246] auditd.service: Restart 'on-failure', ignoring some
+ exit codes (#217)
+
+Use `Restart=on-failure` to automatically restart `auditd`. Do not
+restart for intentional exits. See EXIT CODES section in auditd(8).
+
+See:
+- https://www.freedesktop.org/software/systemd/man/systemd.service.html#Restart=
+- https://www.freedesktop.org/software/systemd/man/systemd.service.html#RestartPreventExitStatus=
+
+Fixes: https://github.com/linux-audit/audit-userspace/issues/211
+---
+ init.d/auditd.service | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/init.d/auditd.service b/init.d/auditd.service
+index 67cda58..e801281 100644
+--- a/init.d/auditd.service
++++ b/init.d/auditd.service
+@@ -27,6 +27,9 @@ ExecStartPost=-/sbin/augenrules --load
+ # By default we don't clear the rules on exit. To enable this, uncomment
+ # the next line after copying the file to /etc/systemd/system/auditd.service
+ #ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
++Restart=on-failure
++# Do not restart for intentional exits. See EXIT CODES section in auditd(8).
++RestartPreventExitStatus=2 4 6
+
+ ### Security Settings ###
+ MemoryDenyWriteExecute=true
+--
+1.8.3.1
+
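Review bot: `Restart=on-failure` is added without a `RestartSec=` or explicit start-limit settings, so a daemon that keeps failing for a persistent reason is retried at systemd's default pace until the default start limit is hit. The unit is then left in the failed state with auditing off. Consider making the delay explicit, e.g. `RestartSec=5`, and have monitoring alert when `auditd.service` enters `failed`. The comment above `RestartPreventExitStatus=2 4 6` would also be easier to review if it said what each of the three codes means rather than only pointing at auditd(8).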
_service:tar_scm_kernel_repo:backport-error-out-if-log-is-mangled.patch
Added
@@ -0,0 +1,27 @@
+From fc97c70fdba18280985747198a6ce836d39cce9e Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Sat, 7 Aug 2021 10:29:07 -0400
+Subject: [PATCH 2196/2246] error out if log is mangled
+
+---
+ src/ausearch-parse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
+index b0c8b2a..81ef319 100644
+--- a/src/ausearch-parse.c
++++ b/src/ausearch-parse.c
+@@ -1995,6 +1995,10 @@ other_avc:
+ *term = '"';
+ } else {
+ s->comm = unescape(str);
++ if (s->comm == NULL) {
++ rc = 11;
++ goto err;
++ }
+ term = str + 6;
+ }
+ }
+--
+1.8.3.1
+
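Review bot: The new failure path sets a bare `rc = 11` before `goto err`, and nothing in the hunk says what 11 stands for or whether another branch of this function already returns it. If one does, a NULL from `unescape()` cannot be told apart from that other failure when triaging a mangled log. A one-line comment such as `/* unescape() returned NULL: comm field could not be decoded */` would document the path. The sibling branch that ends with `*term = '"';` assigns `s->comm` outside the hunk, so it is worth confirming it has an equivalent NULL check. The enclosing function starts and ends outside the hunk.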
_service:tar_scm_kernel_repo:backport-fix-2-more-issues-found-by-fuzzing.patch
Added
@@ -0,0 +1,46 @@
+From f4683d04eadb7d76b98497af834f027d6005d893 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Mon, 9 Aug 2021 17:14:17 -0400
+Subject: [PATCH] fix 2 more issues found by fuzzing
+
+---
+ auparse/auparse.c | 8 +++++++-
+ auparse/ellist.c | 4 +++-
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/auparse/auparse.c b/auparse/auparse.c
+index b0e685a..3cf512a 100644
+--- a/auparse/auparse.c
++++ b/auparse/auparse.c
+@@ -1611,7 +1611,13 @@ static int au_auparse_next_event(auparse_state_t *au)
+ }
+ aup_list_create(l);
+ aup_list_set_event(l, &e);
+- aup_list_append(l, au->cur_buf, au->list_idx, au->line_number);
++ if (aup_list_append(l, au->cur_buf, au->list_idx,
++ au->line_number) < 0) {
++ au->cur_buf = NULL;
++ aup_list_clear(l);
++ free(l);
++ continue;
++ }
+ // Eat standalone EOE - main event was already marked complete
+ if (l->head->type == AUDIT_EOE) {
+ au->cur_buf = NULL;
+diff --git a/auparse/ellist.c b/auparse/ellist.c
+index 7d9c552..dd711bc 100644
+--- a/auparse/ellist.c
++++ b/auparse/ellist.c
+@@ -290,7 +290,9 @@ static int parse_up_record(rnode* r)
+ while (ptr && *ptr != '}') {
+ len = strlen(ptr);
+ if ((len+1) >= (256-total)) {
+- free(buf);
++ if (nvlist_get_cnt(&r->nv)
++ == 0)
++ free(buf);
+ return -1;
+ }
+ if (tmpctx[0]) {
+--
+
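Review bot: In `parse_up_record` the buffer is now freed only when `nvlist_get_cnt(&r->nv) == 0`, which implies that once a name/value pair has been appended the list holds pointers into `buf` and releases it elsewhere; that ownership rule is not stated in the hunk. A comment above the check would make it reviewable, e.g. `/* nv entries may point into buf; free it here only when none were added, otherwise list teardown owns it */`. The `au_auparse_next_event` hunk depends on the same rule: on failure it sets `au->cur_buf = NULL` and calls `aup_list_clear(l)` without freeing the buffer itself. Whether the line buffer is then released or leaked depends on what `aup_list_append` did with it before failing, which is not visible here. Both functions extend beyond their hunks.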
_service:tar_scm_kernel_repo:backport-flush-uid-gid-caches-when-user-group-added-deleted-m.patch
Added
@@ -0,0 +1,128 @@
+From 8662f61108f8b9365f96ef49ca8ca331a7880f24 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 10 Aug 2021 11:27:16 -0400
+Subject: [PATCH 2205/2246] flush uid/gid caches when user/group
+ added/deleted/modified
+
+It was reported in issue #209 that in the enriched format that auditd
+is creating the wrong account associations. This is due to caching
+previous lookups. The fix is to monitor for account lifecycle changes
+and flush the LRUs if any are seen.
+---
+ auparse/auparse-idata.h | 3 ++-
+ auparse/interpret.c | 12 ++++++++++++
+ src/auditd-event.c | 27 +++++++++++++++++++++++++--
+ 3 files changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/auparse/auparse-idata.h b/auparse/auparse-idata.h
+index 660901a..eaca86a 100644
+--- a/auparse/auparse-idata.h
++++ b/auparse/auparse-idata.h
+@@ -1,6 +1,6 @@
+ /*
+ * idata.h - Header file for ausearch-lookup.c
+-* Copyright (c) 2013,2016-17 Red Hat Inc., Durham, North Carolina.
++* Copyright (c) 2013,2016-17,2021 Red Hat Inc.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+@@ -45,6 +45,7 @@ char *auparse_do_interpretation(int type, const idata *id,
+ void _auparse_load_interpretations(const char *buf);
+ void _auparse_free_interpretations(void);
+ const char *_auparse_lookup_interpretation(const char *name);
++void _auparse_flush_caches(void);
+
+ #endif
+
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index 046867b..eef377a 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -653,6 +653,18 @@ void aulookup_destroy_gid_list(void)
+ gid_cache_created = 0;
+ }
+
++void _auparse_flush_caches(void)
++{
++ if (uid_cache_created) {
++ destroy_lru(uid_cache);
++ uid_cache_created = 0;
++ }
++ if (gid_cache_created) {
++ destroy_lru(gid_cache);
++ gid_cache_created = 0;
++ }
++}
++
+ static const char *print_uid(const char *val, unsigned int base)
+ {
+ int uid;
+diff --git a/src/auditd-event.c b/src/auditd-event.c
+index cb29fee..3655726 100644
+--- a/src/auditd-event.c
++++ b/src/auditd-event.c
+@@ -42,6 +42,7 @@
+ #include "libaudit.h"
+ #include "private.h"
+ #include "auparse.h"
++#include "auparse-idata.h"
+
+ /* This is defined in auditd.c */
+ extern volatile int stop;
+@@ -56,7 +57,7 @@ static void do_space_left_action(int admin);
+ static void do_disk_full_action(void);
+ static void do_disk_error_action(const char *func, int err);
+ static void fix_disk_permissions(void);
+-static void check_excess_logs(void);
++static void check_excess_logs(void);
+ static void rotate_logs_now(void);
+ static void rotate_logs(unsigned int num_logs, unsigned int keep_logs);
+ static void shift_logs(void);
+@@ -394,7 +395,7 @@ static const char *format_enrich(const struct audit_reply *rep)
+ snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH,
+ "type=DAEMON_ERR op=format-enriched msg=NULL res=failed");
+ } else {
+- int rc;
++ int rc, rtype;
+ size_t mlen, len;
+ auparse_state_t *au;
+ char *message;
+@@ -427,6 +428,17 @@ static const char *format_enrich(const struct audit_reply *rep)
+
+ // Loop over all fields while possible to add field
+ rc = auparse_first_record(au);
++ rtype = auparse_get_type(au);
++ switch (rtype)
++ { // Flush before adding to pickup new associations
++ case AUDIT_ADD_USER:
++ case AUDIT_ADD_GROUP:
++ _auparse_flush_caches();
++ break;
++ default:
++ break;
++ }
++
+ while (rc > 0 && len > MIN_SPACE_LEFT) {
+ // See what kind of field we have
+ size_t vlen;
+@@ -454,6 +466,17 @@ static const char *format_enrich(const struct audit_reply *rep)
+ rc = auparse_next_field(au);
+ }
+
++ switch(rtype)
++ { // Flush after modification to remove stale entries
++ case AUDIT_USER_MGMT:
++ case AUDIT_DEL_USER:
++ case AUDIT_DEL_GROUP:
++ case AUDIT_GRP_MGMT:
++ _auparse_flush_caches();
++ break;
++ default:
++ break;
++ }
+ auparse_destroy_ext(au, AUPARSE_DESTROY_COMMON);
+ free(message);
+ }
+--
+1.8.3.1
+
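Review bot: Cache invalidation in `format_enrich` is tied only to six record types: `AUDIT_ADD_USER` and `AUDIT_ADD_GROUP` before the field loop, then `AUDIT_USER_MGMT`, `AUDIT_DEL_USER`, `AUDIT_DEL_GROUP` and `AUDIT_GRP_MGMT` after it. An account change that emits none of these records would presumably leave stale uid/gid names in enriched events until the next flush. Anyone relying on enriched names for attribution should see that limit stated above the first switch, for example `/* Caches are flushed only on account audit records; changes made without them stay cached */`. Separately, `_auparse_flush_caches` appears to repeat the teardown that `aulookup_destroy_gid_list` (visible as context just above it) performs for the gid cache, so calling the existing helper would keep the two paths from drifting. `format_enrich` starts and ends outside these hunks.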