sys-process/audit: Add Container Linux rules and loader

From: Michael Marineau <michael.marineau@coreos.com>
[Rebase to latest]
Signed-off-by: Geoff Levand <geoff@infradead.org>
Michael Marineau 2018-04-24 17:27:02 -07:00 committed by Geoff Levand
parent 55670c9efe
commit 1502b8cd91
7 changed files with 38 additions and 51 deletions


@ -216,34 +216,13 @@ multilib_src_install_all() {
keepdir /var/log/audit/ keepdir /var/log/audit/
fi fi
# Gentoo rules insinto /usr/share/audit/rules.d
insinto /etc/audit/ doins "${FILESDIR}"/rules.d/*.rules
newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
use daemon && doins "${FILESDIR}"/audit.rules.stop*
# Security # Security
lockdown_perms "${ED}" systemd_newtmpfilesd "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf
systemd_dounit "${FILESDIR}"/audit-rules.service
systemd_enable_service multi-user.target audit-rules.service
prune_libtool_files --modules prune_libtool_files --modules
} }
pkg_preinst() {
# Preserve from the audit-1 series
preserve_old_lib /$(get_libdir)/libaudit.so.0
}
pkg_postinst() {
lockdown_perms "${EROOT}"
# Preserve from the audit-1 series
preserve_old_lib_notify /$(get_libdir)/libaudit.so.0
}
lockdown_perms() {
# Upstream wants these to have restrictive perms.
# Should not || die as not all paths may exist.
local basedir="$1"
chmod 0750 "${basedir}"/sbin/au{ditctl,report,dispd,ditd,search,trace} 2>/dev/null
chmod 0750 "${basedir}"/var/log/audit/ 2>/dev/null
chmod 0640 "${basedir}"/etc/{audit/,}{auditd.conf,audit.rules*} 2>/dev/null
}
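Review bot: As far as the collapsed rendering shows, the right-hand side drops `lockdown_perms "${ED}"` from the install phase together with the `pkg_postinst` call that re-applied it, and nothing in the added lines reinstates the modes it enforced (0750 on the auditd binaries and on /var/log/audit/, 0640 on the audit configuration); `keepdir /var/log/audit/` survives but now gets whatever default mode the build gives it. The surviving `# Security` comment now heads the tmpfiles/unit install lines rather than the permission lockdown and reads as orphaned. If the hardening is intentionally left to upstream's install or to tmpfiles, say so there, e.g. `# Security: restrictive modes on binaries, log dir and config are no longer set here`; otherwise keep at least `chmod 0750 "${ED}"/var/log/audit/` in the new scheme. multilib_src_install_all begins outside the hunk.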


@ -0,0 +1,16 @@
[Unit]
Description=Load Security Auditing Rules
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
ConditionSecurity=audit
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/augenrules --load
ExecStop=-/sbin/auditctl -D
[Install]
WantedBy=multi-user.target
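Review bot: `ExecStop=-/sbin/auditctl -D` flushes every loaded rule whenever the unit is stopped, which with `RemainAfterExit=yes` and `Conflicts=shutdown.target` covers both an ordinary `systemctl stop` and the shutdown transition; since the shipped rule files are exclude-filter rules, flushing them does not quiet auditing but re-enables delivery of every kernel audit event, and the leading `-` hides a flush that fails. That behaviour should be stated in the unit, e.g. `# Stopping this unit removes the exclude rules, so all kernel audit events are delivered again until it is restarted.`, and a `Documentation=man:augenrules(8) man:auditctl(8)` line under [Unit] would point reviewers at the tools involved.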


@ -0,0 +1,5 @@
d /etc/audit - - - - -
d /etc/audit/rules.d - - - - -
L /etc/audit/rules.d/00-clear.rules - - - - /usr/share/audit/rules.d/00-clear.rules
L /etc/audit/rules.d/80-selinux.rules - - - - /usr/share/audit/rules.d/80-selinux.rules
L /etc/audit/rules.d/99-default.rules - - - - /usr/share/audit/rules.d/99-default.rules
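Review bot: Per tmpfiles.d semantics the `L` entries create a link only when the path is absent, so a locally placed rule file takes precedence, but an administrator who deletes one of the links to opt out of that rule set gets it recreated on the next tmpfiles run; nothing in the file says so. A header comment such as `# L only creates a link when the path is missing: to disable a default rule set, replace its link with an empty file rather than deleting it.` would prevent that surprise. The `d /etc/audit - - - - -` entry also leaves the directory at the default mode, while the ebuild's removed lockdown_perms kept the audit configuration at 0640; if the configuration is meant to stay unreadable to unprivileged users, give the directory an explicit mode here (e.g. `d /etc/audit 0750 - - - -`).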


@ -1,25 +0,0 @@
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
#
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
# This is to clear out old rules, so we don't append to them.
-D
# Feel free to add below this line. See auditctl man page
# The following rule would cause all of the syscalls listed to be ignored in logging.
-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
# The following rule would cause the capture of all systems not caught above.
# -a exit,always -S all
# Increase the buffers to survive stress events
-b 8192
# vim:ft=conf:


@ -0,0 +1,3 @@
# First rule - delete all
# This is to clear out old rules, so we don't append to them.
-D
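Review bot: None of the three new rule files carries a backlog setting, whereas the removed audit.rules-2.1.3 set `-b 8192` with the comment "Increase the buffers to survive stress events", so the kernel now falls back to its default backlog limit and bursts of events are more likely to be lost. If dropping it is deliberate, record that here; otherwise add `-b 8192` after `-D` in this file, which (assuming augenrules merges rules.d in name order) is the first one loaded and so applies before any rule.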


@ -0,0 +1,4 @@
# Enable all SELinux related events
# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h)
-a exclude,never -F msgtype>=1400 -F msgtype<=1499
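Review bot: The `exclude,never` rule only takes effect if it is evaluated before the catch-all `-a exclude,always -F msgtype>0` in 99-default.rules, because the exclude filter is a first-match list; that ordering rests entirely on the file names sorting ahead of 99 when augenrules merges them, and neither file says so. Add it to the header, e.g. `# Must precede the exclude-all rule in 99-default.rules: the exclude filter stops at the first matching rule.`, and the same remark applies to the CONFIG_CHANGE `never` rule in 99-default.rules, which relies on standing before the catch-all within that file. The second comment line cites `/include/uapi/linux/audit.h`; the kernel tree path is `include/uapi/linux/audit.h` without the leading slash.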


@ -0,0 +1,5 @@
# Always report changes to the audit subsystem itself.
-a exclude,never -F msgtype=CONFIG_CHANGE
# Ignore everything else.
-a exclude,always -F msgtype>0