On 03/07/2016 07:08 AM, Radzykewycz, T (Radzy) wrote: > > ________________________________________ >> From: Philip Tricca [fl...@twobit.us] >> Sent: Sunday, March 06, 2016 3:38 PM >> To: Radzykewycz, T (Radzy); joe_macdon...@mentor.com; Hatle, Mark >> Cc: yocto@yoctoproject.org; Li, Rongqing; Fan, Wenzong >> Subject: Re: [meta-selinux][PATCH] audit: upgrade 2.4.4 -> 2.5 >> >> Tested this today and it works as expected: thanks! >> >> This leaves the same PR value as the previous version. The OE style >> guide thinks PR should be removed when PV changes. Since we're going >> from 2.4.4 -> 2.5 this makes me think that since PV changes PR should be >> removed. I've never given this much thought in the past so I had to look >> it up and may have misunderstood the docs. Is removing PR like this >> correct or should it be left as is? > > My mistake. I agree with your interpretation of the docs. > I believe it should be removed. Do you want to do that before > merging, or should I send a revised patch ?
Mark had already answered this question in another recent thread so I did the fixup and pushed. Should already be in. Best, Philip > > Enjoy! > > -- radzy > >> Thanks, >> Philip >> >> On 02/29/2016 02:50 PM, T.O. Radzy Radzykewycz wrote: >>> * rebase patch audit-python-configure.patch >>> >>> * remove audit-auvirt-get-inline-functions-work-with-gnu89-gnu11.patch >>> as it had already been applied upstream >>> >>> * 2.5 includes miscellaneous enhancements and fixes: >>> >>> 2.5 >>> - Make augenrules the default method to load audit rules >>> - Put rules in its own directory and break out rules into groups >>> - Have auditd do a fsync before closing log >>> - Make default flush setting larger >>> - In auparse. terminate the generated strings (Burn Alting) >>> - In auditd, add incremental_async flushing mode >>> - Clean up dangling fields in DAEMON events >>> - Add audit by process name support to auditctl (Richard Briggs) >>> - Relax permissions on systemd files >>> - Fix auparse to handle interlaced events (Burn Alting) >>> - Allow more syslog facilities in audispd-syslog (Aleksander Adamowski) >>> >>> 2.4.5 >>> - Fix auditd disk flushing for data and sync modes >>> - Fix auditctl to not show options not supported on older OS >>> - Add audit.m4 file to aid adding support to other projects >>> - Fix C99 inline function build issue >>> - Add account lock and unlock event types >>> - Change logging loophole check to geteuid() >>> - Fix ausearch to not consider AUDIT_PROCTITLE events malformed (Burn >>> Alting) >>> - Fix ausearch to parse FEATURE_CHANGE events >>> >>> ( From http://people.redhat.com/sgrubb/audit/ChangeLog ) >>> >>> Signed-off-by: T.O. Radzy Radzykewycz <ra...@windriver.com> >>> --- >>> ...et-inline-functions-work-with-gnu89-gnu11.patch | 71 -------------- >>> .../audit/audit/audit-python-configure.patch | 3 +- >>> recipes-security/audit/audit_2.4.4.bb | 100 >>> -------------------- >>> recipes-security/audit/audit_2.5.bb | 104 >>> +++++++++++++++++++++ >>> 4 files changed, 106 insertions(+), 172 deletions(-) >>> delete mode 100644 >>> recipes-security/audit/audit/audit-auvirt-get-inline-functions-work-with-gnu89-gnu11.patch >>> delete mode 100644 recipes-security/audit/audit_2.4.4.bb >>> create mode 100644 recipes-security/audit/audit_2.5.bb >>> >>> diff --git >>> a/recipes-security/audit/audit/audit-auvirt-get-inline-functions-work-with-gnu89-gnu11.patch >>> >>> b/recipes-security/audit/audit/audit-auvirt-get-inline-functions-work-with-gnu89-gnu11.patch >>> deleted file mode 100644 >>> index 578cfc1dc476..000000000000 >>> --- >>> a/recipes-security/audit/audit/audit-auvirt-get-inline-functions-work-with-gnu89-gnu11.patch >>> +++ /dev/null >>> @@ -1,71 +0,0 @@ >>> -From 15036dd4fa9eb209f5e148c6f7ee081f5ca78fa4 Mon Sep 17 00:00:00 2001 >>> -From: Wenzong Fan <wenzong....@windriver.com> >>> -Date: Fri, 11 Sep 2015 03:37:13 -0400 >>> -Subject: [PATCH] audit/auvirt: get inline functions work with both gnu89 & >>> gnu11 >>> - >>> -After gcc upgraded to gcc5, and if the codes are compiled without >>> -optimization (-O0), and the below error will happen: >>> - >>> - auvirt.c:484: undefined reference to `copy_str' >>> - auvirt.c:667: undefined reference to `is_resource' >>> - collect2: error: ld returned 1 exit status >>> - >>> -gcc5 defaults to -std=gnu11 instead of -std=gnu89, and it requires that >>> -exactly one C source file has the callable copy of the inline function. >>> -Consider the following program: >>> - >>> - inline int >>> - foo (void) >>> - { >>> - return 42; >>> - } >>> - >>> - int >>> - main (void) >>> - { >>> - return foo (); >>> - } >>> - >>> -The program above will not link with the C99 inline semantics, because >>> -no out-of-line function foo is generated. To fix this, either mark the >>> -function foo as static, or add the following declaration: >>> - >>> - static inline int foo (void); >>> - >>> -More information refer to: https://gcc.gnu.org/gcc-5/porting_to.html >>> - >>> -Note: using "extern inline" will fail to build with gcc4.x, so replace >>> -inline with "static inline". >>> - >>> -Upstream-Status: Pending >>> - >>> -Signed-off-by: Wenzong Fan <wenzong....@windriver.com> >>> ---- >>> - tools/auvirt/auvirt.c | 4 ++-- >>> - 1 file changed, 2 insertions(+), 2 deletions(-) >>> - >>> -diff --git a/tools/auvirt/auvirt.c b/tools/auvirt/auvirt.c >>> -index 655c454..b16d718 100644 >>> ---- a/tools/auvirt/auvirt.c >>> -+++ b/tools/auvirt/auvirt.c >>> -@@ -138,7 +138,7 @@ void event_free(struct event *event) >>> - } >>> - } >>> - >>> --inline char *copy_str(const char *str) >>> -+static inline char *copy_str(const char *str) >>> - { >>> - return (str) ? strdup(str) : NULL; >>> - } >>> -@@ -650,7 +650,7 @@ int process_control_event(auparse_state_t *au) >>> - return 0; >>> - } >>> - >>> --inline int is_resource(const char *res) >>> -+static inline int is_resource(const char *res) >>> - { >>> - if (res == NULL || >>> - res[0] == '\0' || >>> --- >>> -1.9.1 >>> - >>> diff --git a/recipes-security/audit/audit/audit-python-configure.patch >>> b/recipes-security/audit/audit/audit-python-configure.patch >>> index b47cf5d2d968..cb62ec3022bb 100644 >>> --- a/recipes-security/audit/audit/audit-python-configure.patch >>> +++ b/recipes-security/audit/audit/audit-python-configure.patch >>> @@ -8,6 +8,7 @@ Upstream-Status: pending >>> Signed-off-by: Xin Ouyang <xin.ouy...@windriver.com> >>> Signed-off-by: Li Xin <lixin.f...@cn.fujitsu.com> >>> Signed-off-by: Wenzong Fan <wenzong....@windriver.com> >>> +Signed-off-by: T.O. Radzy Radzykewycz <ra...@windriver.com> >>> --- >>> configure.ac | 17 ++--------------- >>> 1 file changed, 2 insertions(+), 15 deletions(-) >>> @@ -29,7 +30,7 @@ index 1f48cb4..cdb5219 100644 >>> - AC_MSG_NOTICE(Python bindings will be built) >>> -else >>> - python_found="no" >>> -- if test x$use_python = xyes ; then >>> +- if test "x$use_python" = xyes ; then >>> - AC_MSG_ERROR([Python explicitly requested and python headers >>> were not found]) >>> - else >>> - AC_MSG_WARN("Python headers not found - python bindings will >>> not be made") >>> diff --git a/recipes-security/audit/audit_2.4.4.bb >>> b/recipes-security/audit/audit_2.4.4.bb >>> deleted file mode 100644 >>> index 55a5b12ba9c9..000000000000 >>> --- a/recipes-security/audit/audit_2.4.4.bb >>> +++ /dev/null >>> @@ -1,100 +0,0 @@ >>> -SUMMARY = "User space tools for kernel auditing" >>> -DESCRIPTION = "The audit package contains the user space utilities for \ >>> -storing and searching the audit records generated by the audit subsystem \ >>> -in the Linux kernel." >>> -HOMEPAGE = "http://people.redhat.com/sgrubb/audit/"; >>> -SECTION = "base" >>> -PR = "r8" >>> -LICENSE = "GPLv2+ & LGPLv2+" >>> -LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" >>> - >>> -SRC_URI = "http://people.redhat.com/sgrubb/audit/audit-${PV}.tar.gz \ >>> - file://audit-python-configure.patch \ >>> - file://audit-python.patch \ >>> - file://fix-swig-host-contamination.patch \ >>> - file://auditd \ >>> - file://auditd.service \ >>> - file://audit-volatile.conf \ >>> - >>> file://audit-auvirt-get-inline-functions-work-with-gnu89-gnu11.patch \ >>> -" >>> -SRC_URI[md5sum] = "72b0fd94d32846142bc472f0d91e62b4" >>> -SRC_URI[sha256sum] = >>> "25f57f465f3230d7b1166b615ffd6748818a3dc225d0e8b396c5b2e951674e23" >>> - >>> -inherit autotools pythonnative update-rc.d systemd >>> - >>> -UPDATERCPN = "auditd" >>> -INITSCRIPT_NAME = "auditd" >>> -INITSCRIPT_PARAMS = "defaults" >>> - >>> -SYSTEMD_SERVICE_${PN} = "auditd.service" >>> - >>> -DEPENDS += "python tcp-wrappers libcap-ng linux-libc-headers (>= 2.6.30)" >>> - >>> -EXTRA_OECONF += "--without-prelude \ >>> - --with-libwrap \ >>> - --enable-gssapi-krb5=no \ >>> - --with-libcap-ng=yes \ >>> - --with-python=yes \ >>> - --libdir=${base_libdir} \ >>> - --sbindir=${base_sbindir} \ >>> - --without-python3 \ >>> - --disable-zos-remote \ >>> - " >>> -EXTRA_OECONF_append_arm = " --with-arm=yes" >>> - >>> -EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ >>> - PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ >>> - pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \ >>> - STDINC='${STAGING_INCDIR}' \ >>> - " >>> - >>> -SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher" >>> -DESCRIPTION_audispd-plugins = "The audispd-plugins package provides >>> plugins for the real-time \ >>> -interface to the audit system, audispd. These plugins can do things \ >>> -like relay events to remote machines or analyze events for suspicious \ >>> -behavior." >>> - >>> -PACKAGES =+ "audispd-plugins" >>> -PACKAGES += "auditd ${PN}-python" >>> - >>> -FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* >>> ${base_libdir}/libauparse.so.*" >>> -FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*" >>> -FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \ >>> - ${sysconfdir}/audisp/plugins.d/au-remote.conf \ >>> - ${sbindir}/audisp-remote ${localstatedir}/spool/audit \ >>> - " >>> -FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" >>> -FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" >>> -FILES_${PN}-dev += "${base_libdir}/*.so ${base_libdir}/*.la >>> ${base_libdir}/pkgconfig/*" >>> - >>> -CONFFILES_auditd += "${sysconfdir}/audit/audit.rules" >>> -RDEPENDS_auditd += "bash" >>> - >>> -do_install_append() { >>> - rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a >>> - rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la >>> - >>> - # reuse auditd config >>> - [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default >>> - mv ${D}/etc/sysconfig/auditd ${D}/etc/default >>> - rmdir ${D}/etc/sysconfig/ >>> - >>> - # replace init.d >>> - install -D -m 0755 ${S}/../auditd ${D}/etc/init.d/auditd >>> - rm -rf ${D}/etc/rc.d >>> - >>> - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', >>> 'false', d)}; then >>> - install -d ${D}${sysconfdir}/tmpfiles.d/ >>> - install -m 0644 ${WORKDIR}/audit-volatile.conf >>> ${D}${sysconfdir}/tmpfiles.d/ >>> - fi >>> - >>> - # install systemd unit files >>> - install -d ${D}${systemd_unitdir}/system >>> - install -m 0644 ${WORKDIR}/auditd.service >>> ${D}${systemd_unitdir}/system >>> - >>> - chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d >>> - chmod 640 ${D}/etc/audit/auditd.conf >>> ${D}/etc/audit/rules.d/audit.rules >>> - >>> - # Based on the audit.spec "Copy default rules into place on new >>> installation" >>> - cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules >>> -} >>> diff --git a/recipes-security/audit/audit_2.5.bb >>> b/recipes-security/audit/audit_2.5.bb >>> new file mode 100644 >>> index 000000000000..53aa23dabdd9 >>> --- /dev/null >>> +++ b/recipes-security/audit/audit_2.5.bb >>> @@ -0,0 +1,104 @@ >>> +SUMMARY = "User space tools for kernel auditing" >>> +DESCRIPTION = "The audit package contains the user space utilities for \ >>> +storing and searching the audit records generated by the audit subsystem \ >>> +in the Linux kernel." >>> +HOMEPAGE = "http://people.redhat.com/sgrubb/audit/"; >>> +SECTION = "base" >>> +PR = "r8" >>> +LICENSE = "GPLv2+ & LGPLv2+" >>> +LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f" >>> + >>> +SRC_URI = "http://people.redhat.com/sgrubb/${BPN}/${BPN}-${PV}.tar.gz \ >>> + file://audit-python-configure.patch \ >>> + file://audit-python.patch \ >>> + file://fix-swig-host-contamination.patch \ >>> + file://auditd \ >>> + file://auditd.service \ >>> + file://audit-volatile.conf \ >>> +" >>> +SRC_URI[md5sum] = "e721d48f3e1927c84b7c176b3bdbc443" >>> +SRC_URI[sha256sum] = >>> "9b0a0760c6f37d80cbbfe46a74db722e60ac8100b28eb31953878ffca8ac14b4" >>> + >>> + >>> +inherit autotools pythonnative update-rc.d systemd >>> + >>> +UPDATERCPN = "auditd" >>> +INITSCRIPT_NAME = "auditd" >>> +INITSCRIPT_PARAMS = "defaults" >>> + >>> +SYSTEMD_SERVICE_${PN} = "auditd.service" >>> + >>> +DEPENDS += "python tcp-wrappers libcap-ng linux-libc-headers (>= 2.6.30)" >>> + >>> +EXTRA_OECONF += "--without-prelude \ >>> + --with-libwrap \ >>> + --enable-gssapi-krb5=no \ >>> + --with-libcap-ng=yes \ >>> + --with-python=yes \ >>> + --libdir=${base_libdir} \ >>> + --sbindir=${base_sbindir} \ >>> + --without-python3 \ >>> + --disable-zos-remote \ >>> + " >>> +EXTRA_OECONF_append_arm = " --with-arm=yes" >>> + >>> +EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \ >>> + PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \ >>> + pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \ >>> + STDINC='${STAGING_INCDIR}' \ >>> + " >>> + >>> +SUMMARY_audispd-plugins = "Plugins for the audit event dispatcher" >>> +DESCRIPTION_audispd-plugins = "The audispd-plugins package provides >>> plugins for the real-time \ >>> +interface to the audit system, audispd. These plugins can do things \ >>> +like relay events to remote machines or analyze events for suspicious \ >>> +behavior." >>> + >>> +PACKAGES =+ "audispd-plugins" >>> +PACKAGES += "auditd ${PN}-python" >>> + >>> +FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* >>> ${base_libdir}/libauparse.so.*" >>> +FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*" >>> +FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \ >>> + ${sysconfdir}/audisp/plugins.d/au-remote.conf \ >>> + ${sbindir}/audisp-remote ${localstatedir}/spool/audit \ >>> + " >>> +FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug" >>> +FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}" >>> +FILES_${PN}-dev += "${base_libdir}/*.so ${base_libdir}/*.la >>> ${base_libdir}/pkgconfig/*" >>> + >>> +CONFFILES_auditd += "${sysconfdir}/audit/audit.rules" >>> +RDEPENDS_auditd += "bash" >>> + >>> +do_install_append() { >>> + rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a >>> + rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la >>> + >>> + # reuse auditd config >>> + [ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default >>> + mv ${D}/etc/sysconfig/auditd ${D}/etc/default >>> + rmdir ${D}/etc/sysconfig/ >>> + >>> + # replace init.d >>> + install -D -m 0755 ${S}/../auditd ${D}/etc/init.d/auditd >>> + rm -rf ${D}/etc/rc.d >>> + >>> + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', >>> 'false', d)}; then >>> + install -d ${D}${sysconfdir}/tmpfiles.d/ >>> + install -m 0644 ${WORKDIR}/audit-volatile.conf >>> ${D}${sysconfdir}/tmpfiles.d/ >>> + fi >>> + >>> + # install systemd unit files >>> + install -d ${D}${systemd_unitdir}/system >>> + install -m 0644 ${WORKDIR}/auditd.service >>> ${D}${systemd_unitdir}/system >>> + >>> + # audit-2.5 doesn't install any rules by default, so we do that here >>> + mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d >>> + cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules >>> + >>> + chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d >>> + chmod 640 ${D}/etc/audit/auditd.conf >>> ${D}/etc/audit/rules.d/audit.rules >>> + >>> + # Based on the audit.spec "Copy default rules into place on new >>> installation" >>> + cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules >>> +} -- _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
