* Drop backported patches: 0001-Header-definitions-need-to-be-external-when-building.patch 0001-lib-i386_table.h-add-new-syscall.patch Add-substitue-functions-for-strndupa-rawmemchr.patch
* Refresh patch: Fixed-swig-host-contamination-issue.patch * Update auditd.service. Signed-off-by: Yi Zhao <[email protected]> --- ...ns-need-to-be-external-when-building.patch | 28 ---- ...001-lib-i386_table.h-add-new-syscall.patch | 42 ------ ...tue-functions-for-strndupa-rawmemchr.patch | 133 ------------------ .../Fixed-swig-host-contamination-issue.patch | 12 +- recipes-security/audit/audit/auditd.service | 26 ++-- .../audit/{audit_2.8.5.bb => audit_3.0.bb} | 28 ++-- 6 files changed, 35 insertions(+), 234 deletions(-) delete mode 100644 recipes-security/audit/audit/0001-Header-definitions-need-to-be-external-when-building.patch delete mode 100644 recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch delete mode 100644 recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch rename recipes-security/audit/{audit_2.8.5.bb => audit_3.0.bb} (80%) diff --git a/recipes-security/audit/audit/0001-Header-definitions-need-to-be-external-when-building.patch b/recipes-security/audit/audit/0001-Header-definitions-need-to-be-external-when-building.patch deleted file mode 100644 index 65ea478..0000000 --- a/recipes-security/audit/audit/0001-Header-definitions-need-to-be-external-when-building.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 017e6c6ab95df55f34e339d2139def83e5dada1f Mon Sep 17 00:00:00 2001 -From: Steve Grubb <[email protected]> -Date: Fri, 10 Jan 2020 21:13:50 -0500 -Subject: [PATCH] Header definitions need to be external when building with - -fno-common (which is default in GCC 10) - Tony Jones - -Upstream-Status: Backport -Signed-off-by: Alex Kiernan <[email protected]> ---- - src/ausearch-common.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/ausearch-common.h b/src/ausearch-common.h -index 6669203664ec..3040547afe95 100644 ---- a/src/ausearch-common.h -+++ b/src/ausearch-common.h -@@ -50,7 +50,7 @@ extern pid_t event_pid; - extern int event_exact_match; - extern uid_t event_uid, event_euid, event_loginuid; - extern const char *event_tuid, *event_teuid, *event_tauid; --slist *event_node_list; -+extern slist *event_node_list; - extern const char *event_comm; - extern const char *event_filename; - extern const char *event_hostname; --- -2.17.1 - diff --git a/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch b/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch deleted file mode 100644 index 6e1827c..0000000 --- a/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch +++ /dev/null @@ -1,42 +0,0 @@ -From df878b92e01f4d1c3de7f7d8229cea6a431509eb Mon Sep 17 00:00:00 2001 -From: Mingli Yu <[email protected]> -Date: Wed, 19 Feb 2020 15:23:40 +0800 -Subject: [PATCH] lib/i386_table.h: add new syscall - -On 32bit system, -After upgrade glibc to 2.31 - # strace -o /tmp/test.log date -s 09:16:45 - # tail -f /tmp/test.log - close(3) = 0 - stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=114, ...}) = 0 - clock_settime64(CLOCK_REALTIME, {tv_sec=1582103805, tv_nsec=0}) = 0 - fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x4, 0x40), ...}) = 0 - ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0 - write(1, "Wed Feb 19 09:16:45 UTC 2020\n", 29) = 29 - close(1) = 0 - close(2) = 0 - exit_group(0) = ? - +++ exited with 0 +++ - -It means the clock_settime64 syscall is used, so -add the syscall. - -Upstream-Status: Submitted [https://github.com/linux-audit/audit-userspace/pull/116] - -Signed-off-by: Mingli Yu <[email protected]> ---- - lib/i386_table.h | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/lib/i386_table.h b/lib/i386_table.h -index 1a64c88..65fd4d9 100644 ---- a/lib/i386_table.h -+++ b/lib/i386_table.h -@@ -405,3 +405,4 @@ _S(383, "statx") - _S(384, "arch_prctl") - _S(385, "io_pgetevents") - _S(386, "rseq") -+_S(404, "clock_settime64") --- -2.7.4 - diff --git a/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch b/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch deleted file mode 100644 index bb6c61e..0000000 --- a/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch +++ /dev/null @@ -1,133 +0,0 @@ -From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001 -From: Steve Grubb <[email protected]> -Date: Tue, 26 Feb 2019 18:33:33 -0500 -Subject: [PATCH] Add substitue functions for strndupa & rawmemchr - -Upstream-Status: Backport -[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e] ---- - auparse/auparse.c | 12 +++++++++++- - auparse/interpret.c | 9 ++++++++- - configure.ac | 14 +++++++++++++- - src/ausearch-lol.c | 12 +++++++++++- - 4 files changed, 43 insertions(+), 4 deletions(-) - -diff --git a/auparse/auparse.c b/auparse/auparse.c -index 650db02..2e1c737 100644 ---- a/auparse/auparse.c -+++ b/auparse/auparse.c -@@ -1,5 +1,5 @@ - /* auparse.c -- -- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina. -+ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * - * This library is free software; you can redistribute it and/or -@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e) - return 0; - } - -+#ifndef HAVE_STRNDUPA -+static inline char *strndupa(const char *old, size_t n) -+{ -+ size_t len = strnlen(old, n); -+ char *tmp = alloca(len + 1); -+ tmp[len] = 0; -+ return memcpy(tmp, old, len); -+} -+#endif -+ - /* Returns 0 on success and 1 on error */ - static int extract_timestamp(const char *b, au_event_t *e) - { -diff --git a/auparse/interpret.c b/auparse/interpret.c -index 51c4a5e..67b7b77 100644 ---- a/auparse/interpret.c -+++ b/auparse/interpret.c -@@ -853,6 +853,13 @@ err_out: - return print_escaped(id->val); - } - -+// rawmemchr is faster. Let's use it if we have it. -+#ifdef HAVE_RAWMEMCHR -+#define STRCHR rawmemchr -+#else -+#define STRCHR strchr -+#endif -+ - static const char *print_proctitle(const char *val) - { - char *out = (char *)print_escaped(val); -@@ -863,7 +870,7 @@ static const char *print_proctitle(const char *val) - // Proctitle has arguments separated by NUL bytes - // We need to write over the NUL bytes with a space - // so that we can see the arguments -- while ((ptr = rawmemchr(ptr, '\0'))) { -+ while ((ptr = STRCHR(ptr, '\0'))) { - if (ptr >= end) - break; - *ptr = ' '; -diff --git a/configure.ac b/configure.ac -index 54bdbf1..aef07fb 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1,7 +1,7 @@ - dnl - define([AC_INIT_NOTICE], - [### Generated automatically using autoconf version] AC_ACVERSION [ --### Copyright 2005-18 Steve Grubb <[email protected]> -+### Copyright 2005-19 Steve Grubb <[email protected]> - ### - ### Permission is hereby granted, free of charge, to any person obtaining a - ### copy of this software and associated documentation files (the "Software"), -@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote - AC_CHECK_FUNCS([posix_fallocate]) - dnl; signalfd is needed for libev - AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ]) -+dnl; check if rawmemchr is available -+AC_CHECK_FUNCS([rawmemchr]) -+dnl; check if strndupa is available -+AC_LINK_IFELSE( -+ [AC_LANG_SOURCE( -+ [[ -+ #define _GNU_SOURCE -+ #include <string.h> -+ int main() { (void) strndupa("test", 10); return 0; }]])], -+ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])], -+ [] -+) - - ALLWARNS="" - ALLDEBUG="-g" -diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c -index 5d17a72..758c33e 100644 ---- a/src/ausearch-lol.c -+++ b/src/ausearch-lol.c -@@ -1,6 +1,6 @@ - /* - * ausearch-lol.c - linked list of linked lists library --* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina. -+* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * - * This software may be freely redistributed and/or modified under the -@@ -152,6 +152,16 @@ static int compare_event_time(event *e1, event *e2) - return 0; - } - -+#ifndef HAVE_STRNDUPA -+static inline char *strndupa(const char *old, size_t n) -+{ -+ size_t len = strnlen(old, n); -+ char *tmp = alloca(len + 1); -+ tmp[len] = 0; -+ return memcpy(tmp, old, len); -+} -+#endif -+ - /* - * This function will look at the line and pick out pieces of it. - */ --- -2.7.4 - diff --git a/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch b/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch index 7c26995..740bcb5 100644 --- a/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch +++ b/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch @@ -1,4 +1,4 @@ -From a07271f1cce82122610b622bcea4a8a37528f321 Mon Sep 17 00:00:00 2001 +From 3d13f92c1bb293523670ba01aea7e655b00a6709 Mon Sep 17 00:00:00 2001 From: Li xin <[email protected]> Date: Sun, 19 Jul 2015 02:42:58 +0900 Subject: [PATCH] audit: Fixed swig host contamination issue @@ -19,7 +19,7 @@ Signed-off-by: Yi Zhao <[email protected]> 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/bindings/swig/python3/Makefile.am b/bindings/swig/python3/Makefile.am -index 9938418..fa46aac 100644 +index dd9d934..61b486d 100644 --- a/bindings/swig/python3/Makefile.am +++ b/bindings/swig/python3/Makefile.am @@ -22,6 +22,7 @@ @@ -30,7 +30,7 @@ index 9938418..fa46aac 100644 LIBS = $(top_builddir)/lib/libaudit.la SWIG_FLAGS = -python -py3 -modern SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES) -@@ -37,7 +38,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi +@@ -36,7 +37,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la nodist__audit_la_SOURCES = audit_wrap.c audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i @@ -40,7 +40,7 @@ index 9938418..fa46aac 100644 CLEANFILES = audit.py* audit_wrap.c *~ diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i -index 7ebb373..424fb68 100644 +index 21aafca..dd0f62c 100644 --- a/bindings/swig/src/auditswig.i +++ b/bindings/swig/src/auditswig.i @@ -39,7 +39,7 @@ signed @@ -50,8 +50,8 @@ index 7ebb373..424fb68 100644 -%include "/usr/include/linux/audit.h" +%include "linux/audit.h" #define __extension__ /*nothing*/ - #include <stdint.h> + %include <stdint.i> %include "../lib/libaudit.h" -- -2.7.4 +2.17.1 diff --git a/recipes-security/audit/audit/auditd.service b/recipes-security/audit/audit/auditd.service index ebc0798..06c63f0 100644 --- a/recipes-security/audit/audit/auditd.service +++ b/recipes-security/audit/audit/auditd.service @@ -1,20 +1,28 @@ [Unit] Description=Security Auditing Service DefaultDependencies=no -After=local-fs.target -Conflicts=shutdown.target +After=local-fs.target systemd-tmpfiles-setup.service Before=sysinit.target shutdown.target -After=systemd-tmpfiles-setup.service +Conflicts=shutdown.target +ConditionKernelCommandLine=!audit=0 [Service] -ExecStart=/sbin/auditd -n -## To use augenrules, copy this file to /etc/systemd/system/auditd.service -## and uncomment the next line and delete/comment out the auditctl line. -## Then copy existing rules to /etc/audit/rules.d/ -## Not doing this last step can cause loss of existing rules +Type=forking +PIDFile=/run/auditd.pid +ExecStart=/sbin/auditd +## To use augenrules, uncomment the next line and comment/delete the auditctl line. +## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/ #ExecStartPost=-/sbin/augenrules --load ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules -ExecReload=/bin/kill -HUP $MAINPID +# By default we don't clear the rules on exit. +# To enable this, uncomment the next line. +#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules + +### Security Settings ### +MemoryDenyWriteExecute=true +LockPersonality=true +ProtectControlGroups=true +ProtectKernelModules=true [Install] WantedBy=multi-user.target diff --git a/recipes-security/audit/audit_2.8.5.bb b/recipes-security/audit/audit_3.0.bb similarity index 80% rename from recipes-security/audit/audit_2.8.5.bb rename to recipes-security/audit/audit_3.0.bb index e2e0352..b7170c7 100644 --- a/recipes-security/audit/audit_2.8.5.bb +++ b/recipes-security/audit/audit_3.0.bb @@ -7,18 +7,15 @@ SECTION = "base" LICENSE = "GPLv2+ & LGPLv2+" LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" -SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance \ - file://Add-substitue-functions-for-strndupa-rawmemchr.patch \ +SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=master \ file://Fixed-swig-host-contamination-issue.patch \ - file://0001-lib-i386_table.h-add-new-syscall.patch \ - file://0001-Header-definitions-need-to-be-external-when-building.patch \ file://auditd \ file://auditd.service \ file://audit-volatile.conf \ " S = "${WORKDIR}/git" -SRCREV = "5fae55c1ad15b3cefe6890eba7311af163e9133c" +SRCREV = "ea8dbab9e0fb3fb2507ac5b8dc792ef32a97c87e" inherit autotools python3native update-rc.d systemd @@ -29,10 +26,9 @@ INITSCRIPT_PARAMS = "defaults" SYSTEMD_PACKAGES = "auditd" SYSTEMD_SERVICE_auditd = "auditd.service" -DEPENDS += "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native" +DEPENDS = "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native" -EXTRA_OECONF += "--without-prelude \ - --with-libwrap \ +EXTRA_OECONF = " --with-libwrap \ --enable-gssapi-krb5=no \ --with-libcap-ng=yes \ --with-python3=yes \ @@ -45,7 +41,7 @@ EXTRA_OECONF += "--without-prelude \ --with-aarch64=yes \ " -EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ +EXTRA_OEMAKE = "PYLIBVER='python${PYTHON_BASEVERSION}' \ PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \ STDINC='${STAGING_INCDIR}' \ @@ -62,7 +58,7 @@ PACKAGES =+ "audispd-plugins" PACKAGES += "auditd ${PN}-python" FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*" -FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*" +FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/* ${datadir}/audit/*" FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \ ${sysconfdir}/audisp/plugins.d/au-remote.conf \ ${sbindir}/audisp-remote ${localstatedir}/spool/audit \ @@ -70,8 +66,8 @@ FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \ FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" -CONFFILES_auditd += "${sysconfdir}/audit/audit.rules" -RDEPENDS_auditd += "bash" +CONFFILES_auditd = "${sysconfdir}/audit/audit.rules" +RDEPENDS_auditd = "bash" do_install_append() { rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a @@ -87,14 +83,14 @@ do_install_append() { rm -rf ${D}/etc/rc.d if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + # install systemd unit files + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system + install -d ${D}${sysconfdir}/tmpfiles.d/ install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ fi - # install systemd unit files - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system - # audit-2.5 doesn't install any rules by default, so we do that here mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#51894): https://lists.yoctoproject.org/g/yocto/message/51894 Mute This Topic: https://lists.yoctoproject.org/mt/79492062/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/yocto/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
