Projects
openEuler:20.03:LTS:SP3
audit
Sign Up
Log In
Username
Password
We truncated the diff of some files because they were too big. If you want to see the full diff for every file,
click here
.
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
Expand all
Collapse all
Changes of Revision 7
View file
_service:tar_scm_kernel_repo:audit.spec
Changed
@@ -4,7 +4,7 @@ Name: audit Epoch: 1 Version: 3.0 -Release: 5 +Release: 6 License: GPLv2+ and LGPLv2+ URL: https://people.redhat.com/sgrubb/audit/ Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz @@ -35,6 +35,12 @@ Patch22: backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch Patch23: backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch Patch24: backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch +Patch25: backport-In-auditd-release-the-async-flush-lock-on-stop.patch +Patch26: backport-auditd-cleanup-krb5-memory-leaks-on-error-paths.patch +Patch27: backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-paths.patch +Patch28: backport-Final-kerberos-leak-fixups.patch +Patch29: backport-time_t-is-not-an-int-anymore.patch +Patch30: backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29 BuildRequires: openldap-devel krb5-devel libcap-ng-devel @@ -389,6 +395,15 @@ %attr(644,root,root) %{_mandir}/man8/*.8.gz %changelog +* Tue Feb 14 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 1:3.0-6 +- backport some patches + In auditd release the async flush lock on stop + auditd cleanup krb5 memory leaks on error paths + audisp remote cleanup krb5 memory leaks on error paths + Final kerberos leak fixups + time_t is not an int anymore + krb5_cc_store_cred takes custody of my_creds so we do not need to keep it around + * Tue Mar 22 2022 yixiangzhike <yixiangzhike007@163.com> - 3.0-5 - rebuild for upgrade
View file
_service:tar_scm_kernel_repo:backport-Final-kerberos-leak-fixups.patch
Added
@@ -0,0 +1,122 @@ +From 7bda187f92424bf4891eb22f1877808ca5eb059a Mon Sep 17 00:00:00 2001 +From: Steve Grubb <sgrubb@redhat.com> +Date: Mon, 11 Jul 2022 17:03:09 -0400 +Subject: Final kerberos leak fixups + +--- + audisp/plugins/remote/audisp-remote.c | 34 ++++++++++++++++++++------- + src/auditd-listen.c | 6 +++-- + 2 files changed, 29 insertions(+), 11 deletions(-) + +diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c +index 3b9d8f0..eda8c4e 100644 +--- a/audisp/plugins/remote/audisp-remote.c ++++ b/audisp/plugins/remote/audisp-remote.c +@@ -757,8 +757,17 @@ static void gss_failure (const char *msg, int major_status, int minor_status) + gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE); + } + +-#define KLOG(x,f) syslog (LOG_ERR, "krb5 error: %s in %s\n", \ +- krb5_get_error_message (kcontext, x), f); ++#define KLOG(x,f) { \ ++ const char *kstr = krb5_get_error_message(kcontext, x); \ ++ syslog (LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \ ++ krb5_free_error_message(kcontext, kstr); } ++static krb5_context kcontext = NULL; ++static char *realm_name = NULL; ++static krb5_principal audit_princ; ++static krb5_ccache ccache = NULL; ++static krb5_creds my_creds; ++static krb5_get_init_creds_opt options; ++static krb5_keytab keytab = NULL; + + /* Each time we connect to the server, we negotiate a set of credentials and + a security context. To do this, we need our own credentials first. For +@@ -781,13 +790,6 @@ static int negotiate_credentials (void) + we use Kerberos calls here. */ + + int krberr; +- krb5_context kcontext = NULL; +- char *realm_name; +- krb5_principal audit_princ; +- krb5_ccache ccache = NULL; +- krb5_creds my_creds; +- krb5_get_init_creds_opt options; +- krb5_keytab keytab = NULL; + const char *krb5_client_name; + char *slashptr; + char host_name[255]; +@@ -1013,14 +1015,18 @@ error6: + krb5_free_creds(kcontext, &my_creds); + error5: + krb5_cc_close(kcontext, ccache); ++ ccache = NULL; + error4: + krb5_kt_close(kcontext, keytab); ++ keytab = NULL; + error3: + krb5_free_principal(kcontext, audit_princ); + error2: + krb5_free_default_realm(kcontext, realm_name); ++ realm_name = NULL; + error1: + krb5_free_context(kcontext); ++ kcontext = NULL; + return -1; + } + #endif // USE_GSSAPI +@@ -1034,6 +1040,16 @@ static int stop_sock(void) + gss_delete_sec_context(&minor_status, &my_context, + GSS_C_NO_BUFFER); + my_context = GSS_C_NO_CONTEXT; ++ krb5_free_creds(kcontext, &my_creds); ++ krb5_cc_close(kcontext, ccache); ++ ccache = NULL; ++ krb5_kt_close(kcontext, keytab); ++ keytab = NULL; ++ krb5_free_principal(kcontext, audit_princ); ++ krb5_free_default_realm(kcontext, realm_name); ++ realm_name = NULL; ++ krb5_free_context(kcontext); ++ kcontext = NULL; + } + #endif + shutdown(sock, SHUT_RDWR); +diff --git a/src/auditd-listen.c b/src/auditd-listen.c +index c8cae38..34a142a 100644 +--- a/src/auditd-listen.c ++++ b/src/auditd-listen.c +@@ -325,11 +325,12 @@ static void gss_failure(const char *msg, int major_status, int minor_status) + const char *kstr = krb5_get_error_message(kcontext, x); \ + audit_msg(LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \ + krb5_free_error_message(kcontext, kstr); \ +- krb5_free_context(k); \ ++ krb5_free_context(k); k = NULL; \ + return -1; } + + /* These are our private credentials, which come from a key file on + our server. They are aquired once, at program start. */ ++static krb5_context kcontext = NULL; + static int server_acquire_creds(const char *service_name, + gss_cred_id_t *lserver_creds) + { +@@ -337,7 +338,6 @@ static int server_acquire_creds(const char *service_name, + gss_name_t server_name; + OM_uint32 major_status, minor_status; + +- krb5_context kcontext = NULL; + int krberr; + + my_service_name = strdup(service_name); +@@ -1139,6 +1139,8 @@ void auditd_tcp_listen_uninit(struct ev_loop *loop, struct daemon_conf *config) + #ifdef USE_GSSAPI + if (USE_GSS) { + gss_release_cred(&status, &server_creds); ++ krb5_free_context(kcontext); ++ kcontext = NULL; + free(my_service_name); + my_service_name = NULL; + } +-- +2.27.0 +
View file
_service:tar_scm_kernel_repo:backport-In-auditd-release-the-async-flush-lock-on-stop.patch
Added
@@ -0,0 +1,29 @@ +From f7df667ba76391ffd65a4ed45b2150bf9902b99d Mon Sep 17 00:00:00 2001 +From: Steve Grubb <sgrubb@redhat.com> +Date: Wed, 30 Mar 2022 10:12:16 -0400 +Subject: In auditd, release the async flush lock on stop + +Conflict:delete changelog +--- + src/auditd-event.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/auditd-event.c b/src/auditd-event.c +index e88ef6e..ed6e929 100644 +--- a/src/auditd-event.c ++++ b/src/auditd-event.c +@@ -208,8 +208,10 @@ static void *flush_thread_main(void *arg) + // into a loop of fsyncs. + while (flush == 0) { + pthread_cond_wait(&do_flush, &flush_lock); +- if (stop) ++ if (stop) { ++ pthread_mutex_unlock(&flush_lock); + return NULL; ++ } + } + flush = 0; + pthread_mutex_unlock(&flush_lock); +-- +2.27.0 +
View file
_service:tar_scm_kernel_repo:backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-paths.patch
Added
@@ -0,0 +1,200 @@ +From 09c62a6f4e4a6963a731d3018209b91dc6447f70 Mon Sep 17 00:00:00 2001 +From: Steve Grubb <sgrubb@redhat.com> +Date: Mon, 11 Jul 2022 14:21:04 -0400 +Subject: audisp-remote - cleanup krb5 memory leaks on error + paths +Conflict:context adaptation +--- + audisp/plugins/remote/audisp-remote.c | 75 ++++++++++++++++++++------- + 1 file changed, 56 insertions(+), 19 deletions(-) + +diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c +index 3be91b3..3b9d8f0 100644 +--- a/audisp/plugins/remote/audisp-remote.c ++++ b/audisp/plugins/remote/audisp-remote.c +@@ -757,9 +757,8 @@ static void gss_failure (const char *msg, int major_status, int minor_status) + gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE); + } + +-#define KCHECK(x,f) if (x) { \ +- syslog (LOG_ERR, "krb5 error: %s in %s\n", krb5_get_error_message (kcontext, x), f); \ +- return -1; } ++#define KLOG(x,f) syslog (LOG_ERR, "krb5 error: %s in %s\n", \ ++ krb5_get_error_message (kcontext, x), f); + + /* Each time we connect to the server, we negotiate a set of credentials and + a security context. To do this, we need our own credentials first. For +@@ -800,7 +799,10 @@ static int negotiate_credentials (void) + recv_tok.value = NULL; + + krberr = krb5_init_context (&kcontext); +- KCHECK (krberr, "krb5_init_context"); ++ if (krberr) { ++ KLOG (krberr, "krb5_init_context"); ++ return -1; ++ } + + if (config.krb5_key_file) + key_file = config.krb5_key_file; +@@ -815,21 +817,24 @@ static int negotiate_credentials (void) + syslog (LOG_ERR, + "%s is not mode 0400 (it's %#o) - compromised key?", + key_file, st.st_mode & 07777); +- return -1; ++ goto error1; + } + if (st.st_uid != 0) { + if (!quiet) + syslog (LOG_ERR, + "%s is not owned by root (it's %d) - compromised key?", + key_file, st.st_uid); +- return -1; ++ goto error1; + } + } + + /* This looks up the default real (*our* realm) from + /etc/krb5.conf (or wherever) */ + krberr = krb5_get_default_realm (kcontext, &realm_name); +- KCHECK (krberr, "krb5_get_default_realm"); ++ if (krberr) { ++ KLOG (krberr, "krb5_get_default_realm"); ++ goto error1; ++ } + + krb5_client_name = config.krb5_client_name ? + config.krb5_client_name : "auditd"; +@@ -838,7 +843,7 @@ static int negotiate_credentials (void) + syslog (LOG_ERR, + "gethostname: host name longer than %ld characters?", + sizeof (host_name)); +- return -1; ++ goto error2; + } + + syslog (LOG_ERR, "kerberos principal: %s/%s@%s\n", +@@ -847,17 +852,26 @@ static int negotiate_credentials (void) + krberr = krb5_build_principal (kcontext, &audit_princ, + strlen(realm_name), realm_name, + krb5_client_name, host_name, NULL); +- KCHECK (krberr, "krb5_build_principal"); ++ if (krberr) { ++ KLOG (krberr, "krb5_build_principal"); ++ goto error2; ++ } + + /* Locate our machine's key table, where our private key is + * held. */ + krberr = krb5_kt_resolve (kcontext, key_file, &keytab); +- KCHECK (krberr, "krb5_kt_resolve"); ++ if (krberr) { ++ KLOG (krberr, "krb5_kt_resolve"); ++ goto error3; ++ } + + /* Identify a cache to hold the key in. The GSS wrappers look + up our credentials here. */ + krberr = krb5_cc_resolve (kcontext, CCACHE_NAME, &ccache); +- KCHECK (krberr, "krb5_cc_resolve"); ++ if (krberr) { ++ KLOG (krberr, "krb5_cc_resolve"); ++ goto error4; ++ } + + setenv("KRB5CCNAME", CCACHE_NAME, 1); + +@@ -872,15 +886,24 @@ static int negotiate_credentials (void) + krberr = krb5_get_init_creds_keytab(kcontext, &my_creds, audit_princ, + keytab, 0, NULL, + &options); +- KCHECK (krberr, "krb5_get_init_creds_keytab"); ++ if (krberr) { ++ KLOG (krberr, "krb5_get_init_creds_keytab"); ++ goto error5; ++ } + + /* Create the cache... */ + krberr = krb5_cc_initialize(kcontext, ccache, audit_princ); +- KCHECK (krberr, "krb5_cc_initialize"); ++ if (krberr) { ++ KLOG (krberr, "krb5_cc_initialize"); ++ goto error6; ++ } + + /* ...and store our credentials in it. */ + krberr = krb5_cc_store_cred(kcontext, ccache, &my_creds); +- KCHECK (krberr, "krb5_cc_store_cred"); ++ if (krberr) { ++ KLOG (krberr, "krb5_cc_store_cred"); ++ goto error6; ++ } + + /* The GSS code now has a set of credentials for this program. + I.e. we know who "we" are. Now we talk to the server to +@@ -903,13 +926,13 @@ static int negotiate_credentials (void) + (gss_OID) gss_nt_service_name, &service_name_e); + if (major_status != GSS_S_COMPLETE) { + gss_failure("importing name", major_status, minor_status); +- return -1; ++ goto error6; + } + + /* Someone has to go first. In this case, it's us. */ + if (send_token(sock, empty_token) < 0) { + (void) gss_release_name(&minor_status, &service_name_e); +- return -1; ++ goto error6; + } + + /* The server starts this loop with the token we just sent +@@ -936,7 +959,7 @@ static int negotiate_credentials (void) + &send_tok); + (void) gss_release_name(&minor_status, + &service_name_e); +- return -1; ++ goto error6; + } + } + (void) gss_release_buffer(&minor_status, &send_tok); +@@ -949,7 +972,7 @@ static int negotiate_credentials (void) + if (*gss_context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&minor_status, + gss_context, GSS_C_NO_BUFFER); +- return -1; ++ goto error6; + } + + /* Now get any tokens the sever sends back. We use +@@ -958,7 +981,7 @@ static int negotiate_credentials (void) + if (recv_token(sock, &recv_tok) < 0) { + (void) gss_release_name(&minor_status, + &service_name_e); +- return -1; ++ goto error6; + } + token_ptr = &recv_tok; + } +@@ -985,6 +1008,20 @@ static int negotiate_credentials (void) + (char *)recv_tok.value); + #endif + return 0; ++ ++error6: ++ krb5_free_creds(kcontext, &my_creds); ++error5: ++ krb5_cc_close(kcontext, ccache); ++error4: ++ krb5_kt_close(kcontext, keytab); ++error3: ++ krb5_free_principal(kcontext, audit_princ); ++error2: ++ krb5_free_default_realm(kcontext, realm_name); ++error1: ++ krb5_free_context(kcontext); ++ return -1; + } + #endif // USE_GSSAPI + +-- +2.27.0
View file
_service:tar_scm_kernel_repo:backport-auditd-cleanup-krb5-memory-leaks-on-error-paths.patch
Added
@@ -0,0 +1,42 @@ +From f0ce136497ea4f3e7f6e7b05283c1299e76251e7 Mon Sep 17 00:00:00 2001 +From: Steve Grubb <sgrubb@redhat.com> +Date: Mon, 11 Jul 2022 12:07:50 -0400 +Subject: auditd - cleanup krb5 memory leaks on error paths + +Conflict:delete changelog +--- + src/auditd-listen.c | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/auditd-listen.c b/src/auditd-listen.c +index 5c433e7..c8cae38 100644 +--- a/src/auditd-listen.c ++++ b/src/auditd-listen.c +@@ -321,10 +321,11 @@ static void gss_failure(const char *msg, int major_status, int minor_status) + gss_failure_2(msg, minor_status, GSS_C_MECH_CODE); + } + +-#define KCHECK(x,f) if (x) { \ ++#define KCHECK(x,f, k) if (x) { \ + const char *kstr = krb5_get_error_message(kcontext, x); \ + audit_msg(LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \ + krb5_free_error_message(kcontext, kstr); \ ++ krb5_free_context(k); \ + return -1; } + + /* These are our private credentials, which come from a key file on +@@ -363,9 +364,9 @@ static int server_acquire_creds(const char *service_name, + (void) gss_release_name(&minor_status, &server_name); + + krberr = krb5_init_context(&kcontext); +- KCHECK (krberr, "krb5_init_context"); ++ KCHECK (krberr, "krb5_init_context", kcontext); + krberr = krb5_get_default_realm(kcontext, &my_gss_realm); +- KCHECK (krberr, "krb5_get_default_realm"); ++ KCHECK (krberr, "krb5_get_default_realm", kcontext); + + audit_msg(LOG_DEBUG, "GSS creds for %s acquired", service_name); + +-- +2.27.0 +
View file
_service:tar_scm_kernel_repo:backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch
Added
@@ -0,0 +1,110 @@ +From a1c3ba0fbbafc8f9a4dcb64fdee55fe2f8eef3be Mon Sep 17 00:00:00 2001 +From: Steve Grubb <sgrubb@redhat.com> +Date: Mon, 11 Jul 2022 17:37:13 -0400 +Subject: krb5_cc_store_cred takes custody of my_creds so we do + not need to keep it around + +--- + audisp/plugins/remote/audisp-remote.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c +index eda8c4e..78c3eca 100644 +--- a/audisp/plugins/remote/audisp-remote.c ++++ b/audisp/plugins/remote/audisp-remote.c +@@ -765,7 +765,6 @@ static krb5_context kcontext = NULL; + static char *realm_name = NULL; + static krb5_principal audit_princ; + static krb5_ccache ccache = NULL; +-static krb5_creds my_creds; + static krb5_get_init_creds_opt options; + static krb5_keytab keytab = NULL; + +@@ -790,6 +789,7 @@ static int negotiate_credentials (void) + we use Kerberos calls here. */ + + int krberr; ++ krb5_creds my_creds; + const char *krb5_client_name; + char *slashptr; + char host_name[255]; +@@ -897,14 +897,14 @@ static int negotiate_credentials (void) + krberr = krb5_cc_initialize(kcontext, ccache, audit_princ); + if (krberr) { + KLOG (krberr, "krb5_cc_initialize"); +- goto error6; ++ goto error5; + } + + /* ...and store our credentials in it. */ + krberr = krb5_cc_store_cred(kcontext, ccache, &my_creds); + if (krberr) { + KLOG (krberr, "krb5_cc_store_cred"); +- goto error6; ++ goto error5; + } + + /* The GSS code now has a set of credentials for this program. +@@ -928,13 +928,13 @@ static int negotiate_credentials (void) + (gss_OID) gss_nt_service_name, &service_name_e); + if (major_status != GSS_S_COMPLETE) { + gss_failure("importing name", major_status, minor_status); +- goto error6; ++ goto error5; + } + + /* Someone has to go first. In this case, it's us. */ + if (send_token(sock, empty_token) < 0) { + (void) gss_release_name(&minor_status, &service_name_e); +- goto error6; ++ goto error5; + } + + /* The server starts this loop with the token we just sent +@@ -961,7 +961,7 @@ static int negotiate_credentials (void) + &send_tok); + (void) gss_release_name(&minor_status, + &service_name_e); +- goto error6; ++ goto error5; + } + } + (void) gss_release_buffer(&minor_status, &send_tok); +@@ -974,7 +974,7 @@ static int negotiate_credentials (void) + if (*gss_context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&minor_status, + gss_context, GSS_C_NO_BUFFER); +- goto error6; ++ goto error5; + } + + /* Now get any tokens the sever sends back. We use +@@ -983,7 +983,7 @@ static int negotiate_credentials (void) + if (recv_token(sock, &recv_tok) < 0) { + (void) gss_release_name(&minor_status, + &service_name_e); +- goto error6; ++ goto error5; + } + token_ptr = &recv_tok; + } +@@ -1011,8 +1011,6 @@ static int negotiate_credentials (void) + #endif + return 0; + +-error6: +- krb5_free_creds(kcontext, &my_creds); + error5: + krb5_cc_close(kcontext, ccache); + ccache = NULL; +@@ -1040,7 +1038,6 @@ static int stop_sock(void) + gss_delete_sec_context(&minor_status, &my_context, + GSS_C_NO_BUFFER); + my_context = GSS_C_NO_CONTEXT; +- krb5_free_creds(kcontext, &my_creds); + krb5_cc_close(kcontext, ccache); + ccache = NULL; + krb5_kt_close(kcontext, keytab); +-- +2.27.0 +
View file
_service:tar_scm_kernel_repo:backport-time_t-is-not-an-int-anymore.patch
Added
@@ -0,0 +1,25 @@ +From 5023b59ac710a25fe30e689aaf0af38a4b7ea3f1 Mon Sep 17 00:00:00 2001 +From: Steve Grubb <sgrubb@redhat.com> +Date: Mon, 11 Jul 2022 17:03:45 -0400 +Subject: time_t is not an int anymore + +--- + tools/aulast/aulast.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/aulast/aulast.c b/tools/aulast/aulast.c +index 8a25f3b..cf9be60 100644 +--- a/tools/aulast/aulast.c ++++ b/tools/aulast/aulast.c +@@ -408,7 +408,7 @@ static void update_session_logout(auparse_state_t *au) + static void process_bootup(auparse_state_t *au) + { + lnode *cur; +- int start; ++ time_t start; + + // See if we have unclosed boot up and make into CRASH record + list_first(&l); +-- +2.27.0 +
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.