audit: upgrade 2.8.5 -> 3.0

* Drop backported patches: 0001-Header-definitions-need-to-be-external-when-building.patch 0001-lib-i386_table.h-add-new-syscall.patch Add-substitue-functions-for-strndupa-rawmemchr.patch * Refresh patch: Fixed-swig-host-contamination-issue.patch * Update auditd.service. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
author: Yi Zhao <yi.zhao@windriver.com> 2021-01-07 11:43:30 +0800
committer: Joe MacDonald <joe@deserted.net> 2021-01-14 07:12:08 -0500
commit: 79c529e5ad749189bdbcc1350889cf20a23732d8 (patch)
tree: d586534d72af410da5e89b34e9ace969081233e6
parent: f01787d62766166fc006ec6104417788bdba97c4 (diff)
download: meta-selinux-79c529e5ad749189bdbcc1350889cf20a23732d8.tar.gz
6 files changed, 35 insertions, 234 deletions
diff --git a/recipes-security/audit/audit/0001-Header-definitions-need-to-be-external-when-building.patch b/recipes-security/audit/audit/0001-Header-definitions-need-to-be-external-when-building.patch
deleted file mode 100644
index 65ea478..0000000
--- a/recipes-security/audit/audit/0001-Header-definitions-need-to-be-external-when-building.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 017e6c6ab95df55f34e339d2139def83e5dada1f Mon Sep 17 00:00:00 2001
-From: Steve Grubb <sgrubb@redhat.com>
-Date: Fri, 10 Jan 2020 21:13:50 -0500
-Subject: [PATCH] Header definitions need to be external when building with
- -fno-common (which is default in GCC 10) - Tony Jones
-Upstream-Status: Backport
-Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
---
- src/ausearch-common.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/src/ausearch-common.h b/src/ausearch-common.h
-index 6669203664ec..3040547afe95 100644
--- a/src/ausearch-common.h
-+++ b/src/ausearch-common.h
-@@ -50,7 +50,7 @@ extern pid_t event_pid;
- extern int event_exact_match;
- extern uid_t event_uid, event_euid, event_loginuid;
- extern const char *event_tuid, *event_teuid, *event_tauid;
-slist *event_node_list;
-+extern slist *event_node_list;
- extern const char *event_comm;
- extern const char *event_filename;
- extern const char *event_hostname;
-- 
-2.17.1
diff --git a/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch b/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch
deleted file mode 100644
index 6e1827c..0000000
--- a/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From df878b92e01f4d1c3de7f7d8229cea6a431509eb Mon Sep 17 00:00:00 2001
-From: Mingli Yu <mingli.yu@windriver.com>
-Date: Wed, 19 Feb 2020 15:23:40 +0800
-Subject: [PATCH] lib/i386_table.h: add new syscall
-On 32bit system,
-After upgrade glibc to 2.31
- # strace -o /tmp/test.log date -s 09:16:45
- # tail -f /tmp/test.log
- close(3)                                = 0
- stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=114, ...}) = 0
- clock_settime64(CLOCK_REALTIME, {tv_sec=1582103805, tv_nsec=0}) = 0
- fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x4, 0x40), ...}) = 0
- ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0
- write(1, "Wed Feb 19 09:16:45 UTC 2020\n", 29) = 29
- close(1)                                = 0
- close(2)                                = 0
- exit_group(0)                           = ?
- +++ exited with 0 +++
-It means the clock_settime64 syscall is used, so
-add the syscall.
-Upstream-Status: Submitted [https://github.com/linux-audit/audit-userspace/pull/116]
-Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
---
- lib/i386_table.h | 1 +
- 1 file changed, 1 insertion(+)
-diff --git a/lib/i386_table.h b/lib/i386_table.h
-index 1a64c88..65fd4d9 100644
--- a/lib/i386_table.h
-+++ b/lib/i386_table.h
-@@ -405,3 +405,4 @@ _S(383, "statx")
- _S(384, "arch_prctl")
- _S(385, "io_pgetevents")
- _S(386, "rseq")
-+_S(404, "clock_settime64")
-- 
-2.7.4
diff --git a/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch b/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
deleted file mode 100644
index bb6c61e..0000000
--- a/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001
-From: Steve Grubb <sgrubb@redhat.com>
-Date: Tue, 26 Feb 2019 18:33:33 -0500
-Subject: [PATCH] Add substitue functions for strndupa & rawmemchr
-Upstream-Status: Backport
-[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e]
---
- auparse/auparse.c   | 12 +++++++++++-
- auparse/interpret.c |  9 ++++++++-
- configure.ac        | 14 +++++++++++++-
- src/ausearch-lol.c  | 12 +++++++++++-
- 4 files changed, 43 insertions(+), 4 deletions(-)
-diff --git a/auparse/auparse.c b/auparse/auparse.c
-index 650db02..2e1c737 100644
--- a/auparse/auparse.c
-+++ b/auparse/auparse.c
-@@ -1,5 +1,5 @@
- /* auparse.c --
- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina.
-+ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina.
-  * All Rights Reserved.
-  *
-  * This library is free software; you can redistribute it and/or
-@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e)
-        return 0;
- }
- 
-+#ifndef HAVE_STRNDUPA
-+static inline char *strndupa(const char *old, size_t n)
-+{
-+       size_t len = strnlen(old, n);
-+       char *tmp = alloca(len + 1);
-+       tmp[len] = 0;
-+       return memcpy(tmp, old, len);
-+}
-+#endif
-+
- /* Returns 0 on success and 1 on error */
- static int extract_timestamp(const char *b, au_event_t *e)
- {
-diff --git a/auparse/interpret.c b/auparse/interpret.c
-index 51c4a5e..67b7b77 100644
--- a/auparse/interpret.c
-+++ b/auparse/interpret.c
-@@ -853,6 +853,13 @@ err_out:
-                return print_escaped(id->val);
- }
- 
-+// rawmemchr is faster. Let's use it if we have it.
-+#ifdef HAVE_RAWMEMCHR
-+#define STRCHR rawmemchr
-+#else
-+#define STRCHR strchr
-+#endif
-+
- static const char *print_proctitle(const char *val)
- {
-        char *out = (char *)print_escaped(val);
-@@ -863,7 +870,7 @@ static const char *print_proctitle(const char *val)
-                // Proctitle has arguments separated by NUL bytes
-                // We need to write over the NUL bytes with a space
-                // so that we can see the arguments
-               while ((ptr  = rawmemchr(ptr, '\0'))) {
-+               while ((ptr  = STRCHR(ptr, '\0'))) {
-                        if (ptr >= end)
-                                break;
-                        *ptr = ' ';
-diff --git a/configure.ac b/configure.ac
-index 54bdbf1..aef07fb 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -1,7 +1,7 @@
- dnl
- define([AC_INIT_NOTICE],
- [### Generated automatically using autoconf version] AC_ACVERSION [
-### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com>
-+### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com>
- ###
- ### Permission is hereby granted, free of charge, to any person obtaining a
- ### copy of this software and associated documentation files (the "Software"),
-@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote
- AC_CHECK_FUNCS([posix_fallocate])
- dnl; signalfd is needed for libev
- AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ])
-+dnl; check if rawmemchr is available
-+AC_CHECK_FUNCS([rawmemchr])
-+dnl; check if strndupa is available
-+AC_LINK_IFELSE(
-+  [AC_LANG_SOURCE(
-+    [[
-+      #define _GNU_SOURCE
-+      #include <string.h>
-+      int main() { (void) strndupa("test", 10); return 0; }]])],
-+ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])],
-+ []
-+)
- 
- ALLWARNS=""
- ALLDEBUG="-g"
-diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
-index 5d17a72..758c33e 100644
--- a/src/ausearch-lol.c
-+++ b/src/ausearch-lol.c
-@@ -1,6 +1,6 @@
- /*
- * ausearch-lol.c - linked list of linked lists library
-* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina.
-+* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved. 
- *
- * This software may be freely redistributed and/or modified under the
-@@ -152,6 +152,16 @@ static int compare_event_time(event *e1, event *e2)
-        return 0;
- }
- 
-+#ifndef HAVE_STRNDUPA
-+static inline char *strndupa(const char *old, size_t n)
-+{
-+       size_t len = strnlen(old, n);
-+       char *tmp = alloca(len + 1);
-+       tmp[len] = 0;
-+       return memcpy(tmp, old, len);
-+}
-+#endif
-+
- /*
-  * This function will look at the line and pick out pieces of it.
-  */
-- 
-2.7.4
diff --git a/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch b/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch
index 7c26995..740bcb5 100644
--- a/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch
+++ b/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch
@@ -1,4 +1,4 @@
-From a07271f1cce82122610b622bcea4a8a37528f321 Mon Sep 17 00:00:00 2001
+From 3d13f92c1bb293523670ba01aea7e655b00a6709 Mon Sep 17 00:00:00 2001
 From: Li xin <lixin.fnst@cn.fujitsu.com>
 Date: Sun, 19 Jul 2015 02:42:58 +0900
 Subject: [PATCH] audit: Fixed swig host contamination issue
@@ -19,7 +19,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 2 files changed, 3 insertions(+), 2 deletions(-)
 diff --git a/bindings/swig/python3/Makefile.am b/bindings/swig/python3/Makefile.am
-index 9938418..fa46aac 100644
+index dd9d934..61b486d 100644
 --- a/bindings/swig/python3/Makefile.am
 +++ b/bindings/swig/python3/Makefile.am
 @@ -22,6 +22,7 @@
@@ -30,7 +30,7 @@ index 9938418..fa46aac 100644
 LIBS = $(top_builddir)/lib/libaudit.la
 SWIG_FLAGS = -python -py3 -modern
 SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
-@@ -37,7 +38,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi
+@@ -36,7 +37,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi
 _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la
 nodist__audit_la_SOURCES  = audit_wrap.c
 audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i 
@@ -40,7 +40,7 @@ index 9938418..fa46aac 100644
 CLEANFILES = audit.py* audit_wrap.c *~
 
 diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
-index 7ebb373..424fb68 100644
+index 21aafca..dd0f62c 100644
 --- a/bindings/swig/src/auditswig.i
 +++ b/bindings/swig/src/auditswig.i
 @@ -39,7 +39,7 @@ signed
@@ -50,8 +50,8 @@ index 7ebb373..424fb68 100644
 -%include "/usr/include/linux/audit.h"
 +%include "linux/audit.h"
 #define __extension__ /*nothing*/
- #include <stdint.h>
+ %include <stdint.i>
 %include "../lib/libaudit.h"
 -- 
-2.7.4
+2.17.1
diff --git a/recipes-security/audit/audit/auditd.service b/recipes-security/audit/audit/auditd.service
index ebc0798..06c63f0 100644
--- a/recipes-security/audit/audit/auditd.service
+++ b/recipes-security/audit/audit/auditd.service
@@ -1,20 +1,28 @@
 [Unit]
 Description=Security Auditing Service
 DefaultDependencies=no
-After=local-fs.target
+After=local-fs.target systemd-tmpfiles-setup.service
-Conflicts=shutdown.target
 Before=sysinit.target shutdown.target
-After=systemd-tmpfiles-setup.service
+Conflicts=shutdown.target
+ConditionKernelCommandLine=!audit=0
 [Service]
-ExecStart=/sbin/auditd -n
+Type=forking
-## To use augenrules, copy this file to /etc/systemd/system/auditd.service
+PIDFile=/run/auditd.pid
-## and uncomment the next line and delete/comment out the auditctl line.
+ExecStart=/sbin/auditd
-## Then copy existing rules to /etc/audit/rules.d/
+## To use augenrules, uncomment the next line and comment/delete the auditctl line.
-## Not doing this last step can cause loss of existing rules
+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
 #ExecStartPost=-/sbin/augenrules --load
 ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
-ExecReload=/bin/kill -HUP $MAINPID
+# By default we don't clear the rules on exit.
+# To enable this, uncomment the next line.
+#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
+### Security Settings ###
+MemoryDenyWriteExecute=true
+LockPersonality=true
+ProtectControlGroups=true
+ProtectKernelModules=true
 [Install]
 WantedBy=multi-user.target
diff --git a/recipes-security/audit/audit_2.8.5.bb b/recipes-security/audit/audit_3.0.bb
index e2e0352..b7170c7 100644
--- a/recipes-security/audit/audit_2.8.5.bb
+++ b/recipes-security/audit/audit_3.0.bb
@@ -7,18 +7,15 @@ SECTION = "base"
 LICENSE = "GPLv2+ & LGPLv2+"
 LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
-SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance \
+SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=master \
-           file://Add-substitue-functions-for-strndupa-rawmemchr.patch \
           file://Fixed-swig-host-contamination-issue.patch \
-           file://0001-lib-i386_table.h-add-new-syscall.patch \
-           file://0001-Header-definitions-need-to-be-external-when-building.patch \
           file://auditd \
           file://auditd.service \
           file://audit-volatile.conf \
 "
 S = "${WORKDIR}/git"
-SRCREV = "5fae55c1ad15b3cefe6890eba7311af163e9133c"
+SRCREV = "ea8dbab9e0fb3fb2507ac5b8dc792ef32a97c87e"
 inherit autotools python3native update-rc.d systemd
@@ -29,10 +26,9 @@ INITSCRIPT_PARAMS = "defaults"
 SYSTEMD_PACKAGES = "auditd"
 SYSTEMD_SERVICE_auditd = "auditd.service"
-DEPENDS += "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native"
+DEPENDS = "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native"
-EXTRA_OECONF += "--without-prelude \
+EXTRA_OECONF = " --with-libwrap \
-        --with-libwrap \
        --enable-gssapi-krb5=no \
        --with-libcap-ng=yes \
        --with-python3=yes \
@@ -45,7 +41,7 @@ EXTRA_OECONF += "--without-prelude \
        --with-aarch64=yes \
        "
-EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \
+EXTRA_OEMAKE = "PYLIBVER='python${PYTHON_BASEVERSION}' \
        PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
        pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \
        STDINC='${STAGING_INCDIR}' \
@@ -62,7 +58,7 @@ PACKAGES =+ "audispd-plugins"
 PACKAGES += "auditd ${PN}-python"
 FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*"
-FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*"
+FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/* ${datadir}/audit/*"
 FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \
        ${sysconfdir}/audisp/plugins.d/au-remote.conf \
        ${sbindir}/audisp-remote ${localstatedir}/spool/audit \
@@ -70,8 +66,8 @@ FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \
 FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
 FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
-CONFFILES_auditd += "${sysconfdir}/audit/audit.rules"
+CONFFILES_auditd = "${sysconfdir}/audit/audit.rules"
-RDEPENDS_auditd += "bash"
+RDEPENDS_auditd = "bash"
 do_install_append() {
        rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a
@@ -87,14 +83,14 @@ do_install_append() {
        rm -rf ${D}/etc/rc.d
        if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+                # install systemd unit files
+                install -d ${D}${systemd_unitdir}/system
+                install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
                install -d ${D}${sysconfdir}/tmpfiles.d/
                install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/
        fi
-        # install systemd unit files
-        install -d ${D}${systemd_unitdir}/system
-        install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
        # audit-2.5 doesn't install any rules by default, so we do that here
        mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d
        cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules
author	Yi Zhao <yi.zhao@windriver.com>	2021-01-07 11:43:30 +0800
committer	Joe MacDonald <joe@deserted.net>	2021-01-14 07:12:08 -0500
commit	79c529e5ad749189bdbcc1350889cf20a23732d8 (patch)
tree	d586534d72af410da5e89b34e9ace969081233e6
parent	f01787d62766166fc006ec6104417788bdba97c4 (diff)
download	meta-selinux-79c529e5ad749189bdbcc1350889cf20a23732d8.tar.gz

diff --git a/recipes-security/audit/audit/0001-Header-definitions-need-to-be-external-when-building.patch b/recipes-security/audit/audit/0001-Header-definitions-need-to-be-external-when-building.patch deleted file mode 100644 index 65ea478..0000000 --- a/recipes-security/audit/audit/0001-Header-definitions-need-to-be-external-when-building.patch +++ /dev/null
@@ -1,28 +0,0 @@
1	From 017e6c6ab95df55f34e339d2139def83e5dada1f Mon Sep 17 00:00:00 2001
2	From: Steve Grubb <sgrubb@redhat.com>
3	Date: Fri, 10 Jan 2020 21:13:50 -0500
4	Subject: [PATCH] Header definitions need to be external when building with
5	-fno-common (which is default in GCC 10) - Tony Jones
6
7	Upstream-Status: Backport
8	Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
9	---
10	src/ausearch-common.h \| 2 +-
11	1 file changed, 1 insertion(+), 1 deletion(-)
12
13	diff --git a/src/ausearch-common.h b/src/ausearch-common.h
14	index 6669203664ec..3040547afe95 100644
15	--- a/src/ausearch-common.h
16	+++ b/src/ausearch-common.h
17	@@ -50,7 +50,7 @@ extern pid_t event_pid;
18	extern int event_exact_match;
19	extern uid_t event_uid, event_euid, event_loginuid;
20	extern const char event_tuid, event_teuid, *event_tauid;
21	-slist *event_node_list;
22	+extern slist *event_node_list;
23	extern const char *event_comm;
24	extern const char *event_filename;
25	extern const char *event_hostname;
26	--
27	2.17.1
28


diff --git a/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch b/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch deleted file mode 100644 index 6e1827c..0000000 --- a/recipes-security/audit/audit/0001-lib-i386_table.h-add-new-syscall.patch +++ /dev/null
@@ -1,42 +0,0 @@
1	From df878b92e01f4d1c3de7f7d8229cea6a431509eb Mon Sep 17 00:00:00 2001
2	From: Mingli Yu <mingli.yu@windriver.com>
3	Date: Wed, 19 Feb 2020 15:23:40 +0800
4	Subject: [PATCH] lib/i386_table.h: add new syscall
5
6	On 32bit system,
7	After upgrade glibc to 2.31
8	# strace -o /tmp/test.log date -s 09:16:45
9	# tail -f /tmp/test.log
10	close(3) = 0
11	stat64("/etc/localtime", {st_mode=S_IFREG\|0644, st_size=114, ...}) = 0
12	clock_settime64(CLOCK_REALTIME, {tv_sec=1582103805, tv_nsec=0}) = 0
13	fstat64(1, {st_mode=S_IFCHR\|0600, st_rdev=makedev(0x4, 0x40), ...}) = 0
14	ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0
15	write(1, "Wed Feb 19 09:16:45 UTC 2020\n", 29) = 29
16	close(1) = 0
17	close(2) = 0
18	exit_group(0) = ?
19	+++ exited with 0 +++
20
21	It means the clock_settime64 syscall is used, so
22	add the syscall.
23
24	Upstream-Status: Submitted [https://github.com/linux-audit/audit-userspace/pull/116]
25
26	Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
27	---
28	lib/i386_table.h \| 1 +
29	1 file changed, 1 insertion(+)
30
31	diff --git a/lib/i386_table.h b/lib/i386_table.h
32	index 1a64c88..65fd4d9 100644
33	--- a/lib/i386_table.h
34	+++ b/lib/i386_table.h
35	@@ -405,3 +405,4 @@ _S(383, "statx")
36	_S(384, "arch_prctl")
37	_S(385, "io_pgetevents")
38	_S(386, "rseq")
39	+_S(404, "clock_settime64")
40	--
41	2.7.4
42


diff --git a/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch b/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch deleted file mode 100644 index bb6c61e..0000000 --- a/recipes-security/audit/audit/Add-substitue-functions-for-strndupa-rawmemchr.patch +++ /dev/null
@@ -1,133 +0,0 @@
1	From bdcdc3dff4469aac88e718bd15958d5ed4b9392a Mon Sep 17 00:00:00 2001
2	From: Steve Grubb <sgrubb@redhat.com>
3	Date: Tue, 26 Feb 2019 18:33:33 -0500
4	Subject: [PATCH] Add substitue functions for strndupa & rawmemchr
5
6	Upstream-Status: Backport
7	[https://github.com/linux-audit/audit-userspace/commit/d579a08bb1cde71f939c13ac6b2261052ae9f77e]
8	---
9	auparse/auparse.c \| 12 +++++++++++-
10	auparse/interpret.c \| 9 ++++++++-
11	configure.ac \| 14 +++++++++++++-
12	src/ausearch-lol.c \| 12 +++++++++++-
13	4 files changed, 43 insertions(+), 4 deletions(-)
14
15	diff --git a/auparse/auparse.c b/auparse/auparse.c
16	index 650db02..2e1c737 100644
17	--- a/auparse/auparse.c
18	+++ b/auparse/auparse.c
19	@@ -1,5 +1,5 @@
20	/* auparse.c --
21	- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina.
22	+ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina.
23	* All Rights Reserved.
24	*
25	* This library is free software; you can redistribute it and/or
26	@@ -1118,6 +1118,16 @@ static int str2event(char s, au_event_t e)
27	return 0;
28	}
29
30	+#ifndef HAVE_STRNDUPA
31	+static inline char strndupa(const char old, size_t n)
32	+{
33	+ size_t len = strnlen(old, n);
34	+ char *tmp = alloca(len + 1);
35	+ tmp[len] = 0;
36	+ return memcpy(tmp, old, len);
37	+}
38	+#endif
39	+
40	/* Returns 0 on success and 1 on error */
41	static int extract_timestamp(const char b, au_event_t e)
42	{
43	diff --git a/auparse/interpret.c b/auparse/interpret.c
44	index 51c4a5e..67b7b77 100644
45	--- a/auparse/interpret.c
46	+++ b/auparse/interpret.c
47	@@ -853,6 +853,13 @@ err_out:
48	return print_escaped(id->val);
49	}
50
51	+// rawmemchr is faster. Let's use it if we have it.
52	+#ifdef HAVE_RAWMEMCHR
53	+#define STRCHR rawmemchr
54	+#else
55	+#define STRCHR strchr
56	+#endif
57	+
58	static const char print_proctitle(const char val)
59	{
60	char out = (char )print_escaped(val);
61	@@ -863,7 +870,7 @@ static const char print_proctitle(const char val)
62	// Proctitle has arguments separated by NUL bytes
63	// We need to write over the NUL bytes with a space
64	// so that we can see the arguments
65	- while ((ptr = rawmemchr(ptr, '\0'))) {
66	+ while ((ptr = STRCHR(ptr, '\0'))) {
67	if (ptr >= end)
68	break;
69	*ptr = ' ';
70	diff --git a/configure.ac b/configure.ac
71	index 54bdbf1..aef07fb 100644
72	--- a/configure.ac
73	+++ b/configure.ac
74	@@ -1,7 +1,7 @@
75	dnl
76	define([AC_INIT_NOTICE],
77	[### Generated automatically using autoconf version] AC_ACVERSION [
78	-### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com>
79	+### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com>
80	###
81	### Permission is hereby granted, free of charge, to any person obtaining a
82	### copy of this software and associated documentation files (the "Software"),
83	@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote
84	AC_CHECK_FUNCS([posix_fallocate])
85	dnl; signalfd is needed for libev
86	AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ])
87	+dnl; check if rawmemchr is available
88	+AC_CHECK_FUNCS([rawmemchr])
89	+dnl; check if strndupa is available
90	+AC_LINK_IFELSE(
91	+ [AC_LANG_SOURCE(
92	+ [[
93	+ #define _GNU_SOURCE
94	+ #include <string.h>
95	+ int main() { (void) strndupa("test", 10); return 0; }]])],
96	+ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])],
97	+ []
98	+)
99
100	ALLWARNS=""
101	ALLDEBUG="-g"
102	diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
103	index 5d17a72..758c33e 100644
104	--- a/src/ausearch-lol.c
105	+++ b/src/ausearch-lol.c
106	@@ -1,6 +1,6 @@
107	/*
108	* ausearch-lol.c - linked list of linked lists library
109	-* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina.
110	+* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina.
111	* All Rights Reserved.
112	*
113	* This software may be freely redistributed and/or modified under the
114	@@ -152,6 +152,16 @@ static int compare_event_time(event e1, event e2)
115	return 0;
116	}
117
118	+#ifndef HAVE_STRNDUPA
119	+static inline char strndupa(const char old, size_t n)
120	+{
121	+ size_t len = strnlen(old, n);
122	+ char *tmp = alloca(len + 1);
123	+ tmp[len] = 0;
124	+ return memcpy(tmp, old, len);
125	+}
126	+#endif
127	+
128	/*
129	* This function will look at the line and pick out pieces of it.
130	*/
131	--
132	2.7.4
133


diff --git a/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch b/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch index 7c26995..740bcb5 100644 --- a/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch +++ b/recipes-security/audit/audit/Fixed-swig-host-contamination-issue.patch
@@ -1,4 +1,4 @@
1	From a07271f1cce82122610b622bcea4a8a37528f321 Mon Sep 17 00:00:00 2001	1	From 3d13f92c1bb293523670ba01aea7e655b00a6709 Mon Sep 17 00:00:00 2001
2	From: Li xin <lixin.fnst@cn.fujitsu.com>	2	From: Li xin <lixin.fnst@cn.fujitsu.com>
3	Date: Sun, 19 Jul 2015 02:42:58 +0900	3	Date: Sun, 19 Jul 2015 02:42:58 +0900
4	Subject: [PATCH] audit: Fixed swig host contamination issue	4	Subject: [PATCH] audit: Fixed swig host contamination issue
@@ -19,7 +19,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
19	2 files changed, 3 insertions(+), 2 deletions(-)	19	2 files changed, 3 insertions(+), 2 deletions(-)
20		20
21	diff --git a/bindings/swig/python3/Makefile.am b/bindings/swig/python3/Makefile.am	21	diff --git a/bindings/swig/python3/Makefile.am b/bindings/swig/python3/Makefile.am
22	index 9938418..fa46aac 100644	22	index dd9d934..61b486d 100644
23	--- a/bindings/swig/python3/Makefile.am	23	--- a/bindings/swig/python3/Makefile.am
24	+++ b/bindings/swig/python3/Makefile.am	24	+++ b/bindings/swig/python3/Makefile.am
25	@@ -22,6 +22,7 @@	25	@@ -22,6 +22,7 @@
@@ -30,7 +30,7 @@ index 9938418..fa46aac 100644
30	LIBS = $(top_builddir)/lib/libaudit.la	30	LIBS = $(top_builddir)/lib/libaudit.la
31	SWIG_FLAGS = -python -py3 -modern	31	SWIG_FLAGS = -python -py3 -modern
32	SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)	32	SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
33	@@ -37,7 +38,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi	33	@@ -36,7 +37,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi
34	_audit_la_LIBADD = ${top_builddir}/lib/libaudit.la	34	_audit_la_LIBADD = ${top_builddir}/lib/libaudit.la
35	nodist__audit_la_SOURCES = audit_wrap.c	35	nodist__audit_la_SOURCES = audit_wrap.c
36	audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i	36	audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i
@@ -40,7 +40,7 @@ index 9938418..fa46aac 100644
40	CLEANFILES = audit.py* audit_wrap.c *~	40	CLEANFILES = audit.py* audit_wrap.c *~
41		41
42	diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i	42	diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
43	index 7ebb373..424fb68 100644	43	index 21aafca..dd0f62c 100644
44	--- a/bindings/swig/src/auditswig.i	44	--- a/bindings/swig/src/auditswig.i
45	+++ b/bindings/swig/src/auditswig.i	45	+++ b/bindings/swig/src/auditswig.i
46	@@ -39,7 +39,7 @@ signed	46	@@ -39,7 +39,7 @@ signed
@@ -50,8 +50,8 @@ index 7ebb373..424fb68 100644
50	-%include "/usr/include/linux/audit.h"	50	-%include "/usr/include/linux/audit.h"
51	+%include "linux/audit.h"	51	+%include "linux/audit.h"
52	#define __extension__ /nothing/	52	#define __extension__ /nothing/
53	#include <stdint.h>	53	%include <stdint.i>
54	%include "../lib/libaudit.h"	54	%include "../lib/libaudit.h"
55	--	55	--
56	2.7.4	56	2.17.1
57		57


diff --git a/recipes-security/audit/audit/auditd.service b/recipes-security/audit/audit/auditd.service index ebc0798..06c63f0 100644 --- a/recipes-security/audit/audit/auditd.service +++ b/recipes-security/audit/audit/auditd.service
@@ -1,20 +1,28 @@
1	[Unit]	1	[Unit]
2	Description=Security Auditing Service	2	Description=Security Auditing Service
3	DefaultDependencies=no	3	DefaultDependencies=no
4	After=local-fs.target	4	After=local-fs.target systemd-tmpfiles-setup.service
5	Conflicts=shutdown.target
6	Before=sysinit.target shutdown.target	5	Before=sysinit.target shutdown.target
7	After=systemd-tmpfiles-setup.service	6	Conflicts=shutdown.target
		7	ConditionKernelCommandLine=!audit=0
8		8
9	[Service]	9	[Service]
10	ExecStart=/sbin/auditd -n	10	Type=forking
11	## To use augenrules, copy this file to /etc/systemd/system/auditd.service	11	PIDFile=/run/auditd.pid
12	## and uncomment the next line and delete/comment out the auditctl line.	12	ExecStart=/sbin/auditd
13	## Then copy existing rules to /etc/audit/rules.d/	13	## To use augenrules, uncomment the next line and comment/delete the auditctl line.
14	## Not doing this last step can cause loss of existing rules	14	## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
15	#ExecStartPost=-/sbin/augenrules --load	15	#ExecStartPost=-/sbin/augenrules --load
16	ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules	16	ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
17	ExecReload=/bin/kill -HUP $MAINPID	17	# By default we don't clear the rules on exit.
		18	# To enable this, uncomment the next line.
		19	#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
		20
		21	### Security Settings ###
		22	MemoryDenyWriteExecute=true
		23	LockPersonality=true
		24	ProtectControlGroups=true
		25	ProtectKernelModules=true
18		26
19	[Install]	27	[Install]
20	WantedBy=multi-user.target	28	WantedBy=multi-user.target


diff --git a/recipes-security/audit/audit_2.8.5.bb b/recipes-security/audit/audit_3.0.bb index e2e0352..b7170c7 100644 --- a/recipes-security/audit/audit_2.8.5.bb +++ b/recipes-security/audit/audit_3.0.bb
@@ -7,18 +7,15 @@ SECTION = "base"
7	LICENSE = "GPLv2+ & LGPLv2+"	7	LICENSE = "GPLv2+ & LGPLv2+"
8	LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"	8	LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
9		9
10	SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=2.8_maintenance \	10	SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=master \
11	file://Add-substitue-functions-for-strndupa-rawmemchr.patch \
12	file://Fixed-swig-host-contamination-issue.patch \	11	file://Fixed-swig-host-contamination-issue.patch \
13	file://0001-lib-i386_table.h-add-new-syscall.patch \
14	file://0001-Header-definitions-need-to-be-external-when-building.patch \
15	file://auditd \	12	file://auditd \
16	file://auditd.service \	13	file://auditd.service \
17	file://audit-volatile.conf \	14	file://audit-volatile.conf \
18	"	15	"
19		16
20	S = "${WORKDIR}/git"	17	S = "${WORKDIR}/git"
21	SRCREV = "5fae55c1ad15b3cefe6890eba7311af163e9133c"	18	SRCREV = "ea8dbab9e0fb3fb2507ac5b8dc792ef32a97c87e"
22		19
23	inherit autotools python3native update-rc.d systemd	20	inherit autotools python3native update-rc.d systemd
24		21
@@ -29,10 +26,9 @@ INITSCRIPT_PARAMS = "defaults"
29	SYSTEMD_PACKAGES = "auditd"	26	SYSTEMD_PACKAGES = "auditd"
30	SYSTEMD_SERVICE_auditd = "auditd.service"	27	SYSTEMD_SERVICE_auditd = "auditd.service"
31		28
32	DEPENDS += "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native"	29	DEPENDS = "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native"
33		30
34	EXTRA_OECONF += "--without-prelude \	31	EXTRA_OECONF = " --with-libwrap \
35	--with-libwrap \
36	--enable-gssapi-krb5=no \	32	--enable-gssapi-krb5=no \
37	--with-libcap-ng=yes \	33	--with-libcap-ng=yes \
38	--with-python3=yes \	34	--with-python3=yes \
@@ -45,7 +41,7 @@ EXTRA_OECONF += "--without-prelude \
45	--with-aarch64=yes \	41	--with-aarch64=yes \
46	"	42	"
47		43
48	EXTRA_OEMAKE += "PYLIBVER='python${PYTHON_BASEVERSION}' \	44	EXTRA_OEMAKE = "PYLIBVER='python${PYTHON_BASEVERSION}' \
49	PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \	45	PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
50	pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \	46	pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \
51	STDINC='${STAGING_INCDIR}' \	47	STDINC='${STAGING_INCDIR}' \
@@ -62,7 +58,7 @@ PACKAGES =+ "audispd-plugins"
62	PACKAGES += "auditd ${PN}-python"	58	PACKAGES += "auditd ${PN}-python"
63		59
64	FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*"	60	FILES_${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*"
65	FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/*"	61	FILES_auditd += "${bindir}/* ${base_sbindir}/* ${sysconfdir}/* ${datadir}/audit/*"
66	FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \	62	FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \
67	${sysconfdir}/audisp/plugins.d/au-remote.conf \	63	${sysconfdir}/audisp/plugins.d/au-remote.conf \
68	${sbindir}/audisp-remote ${localstatedir}/spool/audit \	64	${sbindir}/audisp-remote ${localstatedir}/spool/audit \
@@ -70,8 +66,8 @@ FILES_audispd-plugins += "${sysconfdir}/audisp/audisp-remote.conf \
70	FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"	66	FILES_${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
71	FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"	67	FILES_${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
72		68
73	CONFFILES_auditd += "${sysconfdir}/audit/audit.rules"	69	CONFFILES_auditd = "${sysconfdir}/audit/audit.rules"
74	RDEPENDS_auditd += "bash"	70	RDEPENDS_auditd = "bash"
75		71
76	do_install_append() {	72	do_install_append() {
77	rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a	73	rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a
@@ -87,14 +83,14 @@ do_install_append() {
87	rm -rf ${D}/etc/rc.d	83	rm -rf ${D}/etc/rc.d
88		84
89	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then	85	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
		86	# install systemd unit files
		87	install -d ${D}${systemd_unitdir}/system
		88	install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
		89
90	install -d ${D}${sysconfdir}/tmpfiles.d/	90	install -d ${D}${sysconfdir}/tmpfiles.d/
91	install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/	91	install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/
92	fi	92	fi
93		93
94	# install systemd unit files
95	install -d ${D}${systemd_unitdir}/system
96	install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
97
98	# audit-2.5 doesn't install any rules by default, so we do that here	94	# audit-2.5 doesn't install any rules by default, so we do that here
99	mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d	95	mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d
100	cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules	96	cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules