Merge pull request #537 from flatcar-linux/krnowak/audit

Update audit to 2.8.5
Krzesimir Nowak 2020-10-01 17:28:32 +02:00 committed by GitHub
commit 2900eb190e
10 changed files with 287 additions and 577 deletions

@ -1,13 +1,2 @@
AUX audit-2.1.3-ia64-compile-fix.patch 7173 BLAKE2B 0bd30fd04a6c65792d068d96134ba5ccb7f2af85ab060924a9443a9a74df8407cf87012353d8005cf767f24a76993aa9f89b416dd6a616caa300b091b0c88004 SHA512 be1f0fd8933e962b11818bace04a14f89afd40c20d9e3ecc839c210fc946e851bb8ba0ce0eae9267023397f77c5a1a3c8b574b9285c0351f534a24f5c9a2a512
AUX audit-2.4.3-python.patch 2768 BLAKE2B 374fb16cf85d4ee8bb108f6af1b045e140855fbb35527531adbf51dd8392069c3a3c3393e0b9bde892a8f8492b2e1845b89d7d9f801e26934150d7c05973ea2a SHA512 97c1f2eda07f3d986bab161d299f2cf110c1fdc76b889013748812ee7e33ece0fd6d3f34296d5d875db8c966d7fe77c57e2214c0cf6592beb48e462a504c1d70
AUX audit.rules 886 BLAKE2B ebb2fab57467eee38040d4dde68b9ab0cbbf08af9c3115d7cba74019035cf0fbffd9e21a77064206d13f737eadc58e8ba1da2bcb3605b5efec183e262b0e37eb SHA512 070e51d8182f84385bacb0801b8d0f390f560a650b9b94b74fd5f30fdf9fb2d2ae38bd29e70e2d38a26a6188a5bc3a74d732a84d0a46de926ada692ddd19cbe0
AUX audit.rules-2.1.3 1009 BLAKE2B df40176208bd68cb9021d15ea5803bb0d1c768c9d6400036a69409e1aae3ad55b89983ed94f22a6399a9cec8fc3dc7b20a7b27e75cdea24edda92b95ee19af87 SHA512 bce3ee9aaa0ab48395e6e10ee9b3627d6b7a8083abefdc4009de26649c65a39e000078f799e8c3c9e3341dfa030c6dfbbcad2fb7756fbb3d01b27be078adecec
AUX audit.rules.stop.post 452 BLAKE2B b10d6d6c0fa475998856e674bd5c8dc0d7ca8f1d676a684223f48d1b22ce90441b2970c02b0eab882b3d3059f2b350d8a34109b03f5457f709624dccb3722e82 SHA512 a7bc52cbbea278a38e2837149524bb21b2c5367c96ed07fe576e08322595c5bee57ff07f8ebecd17391d9c3abe1ba187ac6e39400a153bf0ace4257303d036d3
AUX audit.rules.stop.pre 427 BLAKE2B ddf4ac16c3e1fd401c266287e792865adf8f4dd0b4bbaea6f991bf8dcee69c8ecd69c93d0cbd8352e280c3c61d24de23ca89f700e383c79036526e59c311c004 SHA512 def5ef378ad554f38754839d1c00c598686645a59896e37a3c7ff07b00aaa05a2b92305e49a750358eaba63a7d48fb647472529b155301069771678eed272463
AUX auditd-conf.d-2.1.3 734 BLAKE2B 018677362bc82c2052885cdd0e2185050cf5e97722ead4acdc51d428b52c265317c7dd03d1459be38b781e78f857cd967e5a60b68360c3381c31c62e1d61d843 SHA512 69d8777772ded7a8c0db2bcf84961b121bb355fa0d4ba0e14e311f8a8bfe665cbd2b7ac632d73477f9dfa9a6eec357a7ed458fe9b3e7b5ede75b166f3f092ab7
AUX auditd-init.d-2.4.3 2054 BLAKE2B 20e68ab676c925b8567a7e9a12d2ac055fd90477cbbd6444136b7198828798f7b6428948503c344639fab5fea54962682be7c986950c2cbae8b7c9dfeb321a4b SHA512 1b48c248db5d34f148f9c79f8b2a6acbf61c729230341b861f5e331bbfb0c8356305a09eb2cc5c82c14c4fd9a13c7c13957e1ed493834b8b3b9ee38978e4c31f
DIST audit-2.6.4.tar.gz 1078677 BLAKE2B 056d9f269926d9b0d74f7187f833f1e94d4e03a5137750fe4ff87b71fa0ce0e0a8569b97ecbd671f951061cfb088dff17b46e37cc14122864c37615356646fc5 SHA512 69b5d3987d2b8b189d1242fde639af3d7d366e901733133e47ee71223caf73aa7da40b7811298f0af861969b0ab482c5ef9830b711bdd15bd5f4d0ebc88a1224
DIST audit-2.7.1.tar.gz 1099083 BLAKE2B 10f72ac3273ce9e23e1fb8ad8d57dcae772ba1f861f519867399d95e14f4809897637969de45566d62a73a35e5674260155773daf8de00481fcbd1b9c3138f96 SHA512 37964d81deee8608fde5f90d5d096727d3eb009e084be34749adcb0662e607e35c49c80bd83ce38b17161f11363b691721c8a8aa5dea832d320c53ab0ebb7483
EBUILD audit-2.6.4.ebuild 6168 BLAKE2B 361c1128c2faf2895580041349eb48deb67f8a3ba28061eebb991c1d23fca98d82f00b0d41c32fcc3ce1f4e4ed9b44654d0c6f66177ff835a9b452eb0e60839f SHA512 ca6269971071902dc3688f16287d1c54ee420bab9efd8cfb8e63bdb7eb03d4e80d1bbc75b9e4cb82be3a78743e8617fe656018e509ad77562fe8a14a8f4e5c0d
EBUILD audit-2.7.1.ebuild 6179 BLAKE2B b4a5a03fb5f3f3807fca8d5d0c26be53480fcc619cbab9344295a7ca09921e2cc7ae2441fd5d40cee7dcb7992ea29cee274f0892bba8c987a30a572bf901c237 SHA512 3b6efbe46f347e3b7abe092557e4c3cbe7cc30fd6a1648cf1d0395dd1f9a707e7eb10c3202481874657d5b9c809506b61b8dfb8dcf494fe62152a2fa6a9007cf
MISC metadata.xml 284 BLAKE2B c99c67d5591687a10bb380f1264dd1cde6370ff3a96864093cb41c7c17617bed826652b7651490b6a4634a7429589bbd137402afd7cf8e79cfd5f636c86baa52 SHA512 84f04c94a976c0e2c7db9a7c8c392b6c714e37650efefe2db9807688c28a8cdb64722064be23b89d0263c82c5de7b7dc412ae13f95b42c97ae928c00bb584fac
DIST audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch 852 BLAKE2B 60d8b813f57338ce267a09913e68a0726acf5cf878cd2893fe2493f80d2b0ac1e0504dc7a72e85134ae2597b268cb1772b4e7c6c2f19149fc905f6928e2db47f SHA512 78e32c05b6896d37bacf0938954fbce7486a528dabd55421f1715438fe489171f9157059050abdcb3f673258aa28b4a11f643ddb7824f3499a195dbbe634f101
DIST audit-2.8.5_p80866dc78b5d.tar.gz 552094 BLAKE2B adb936a314ef2f11828ee00f3513631e06e2df09e37e68be27b1b694e278116d2f486dbde7ed57c77d9ff0bcd09309ea841959c7a66caed6770f367d65dd14f4 SHA512 7ec103bf076cfac7906748162e78835f1f65dd9d68e3a7466346e0473075beb47897adf88ab9ba0eb42db1953372aafb16cc040674b9a9c887730c062b82540a

@ -0,0 +1,27 @@
This is a fork of gentoo's `sys-process/audit` package. The main
reasons for having our fork seem to be:
1. We have our own audit rules (see files in `files/rules.d`
directory).
- These seem to be mostly similar to what gentoo provides, but split
into several files and they have an additional rule for SELinux
events.
- We also install it in a different place and place symlinks with
systemd's tmpfiles functionality.
2. We install a systemd service that loads our rules at startup.
3. We add a `daemon` use flag that gates a build of `auditd` binary
and some more tools. This flag seems to be unused, which results in
the daemon and tools not being built. The role of auditd is to
write audit records to disk, and both ausearch and aureport utilize
those written logs. Since audit logs are also written to journal,
writing them to disk seems redundant, thus auditd and the tools
seem to be unnecessary. This also reduces the final image size a
bit.
4. We don't do the permissions lockdown on some auditd files for some
reason. It's either related that we don't build auditd in practice
or it's about our own audit rules.
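
Review bot: Item 4 records a security-relevant deviation (no permissions lockdown on auditd files) with "for some reason" and two guesses, and items 1 and 3 are hedged the same way with "seem to be". The `lockdown_perms` helper in the ebuild removed by this commit set 0750 on the audit binaries and `/var/log/audit/` and 0640 on `auditd.conf` and `audit.rules*`. Please either state the actual reason the fork skips it or keep the lockdown for builds with `daemon` enabled, and confirm whether the `daemon` flag is really unused so item 3 can say so plainly.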

@ -1,230 +0,0 @@
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI="6"
PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} )
inherit autotools multilib multilib-minimal toolchain-funcs python-r1 linux-info systemd
DESCRIPTION="Userspace utilities for storing and processing auditing records"
HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
LICENSE="GPL-2"
SLOT="0"
KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86"
IUSE="gssapi ldap python static-libs"
REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
# Testcases are pretty useless as they are built for RedHat users/groups and kernels.
RESTRICT="test"
RDEPEND="gssapi? ( virtual/krb5 )
ldap? ( net-nds/openldap )
sys-libs/libcap-ng
python? ( ${PYTHON_DEPS} )"
DEPEND="${RDEPEND}
>=sys-kernel/linux-headers-2.6.34
python? ( dev-lang/swig:0 )"
# Do not use os-headers as this is linux specific
CONFIG_CHECK="~AUDIT"
pkg_setup() {
linux-info_pkg_setup
}
src_prepare() {
eapply_user
# Do not build GUI tools
sed -i \
-e '/AC_CONFIG_SUBDIRS.*system-config-audit/d' \
"${S}"/configure.ac || die
sed -i \
-e 's,system-config-audit,,g' \
"${S}"/Makefile.am || die
rm -rf "${S}"/system-config-audit
if ! use ldap; then
sed -i \
-e '/^AC_OUTPUT/s,audisp/plugins/zos-remote/Makefile,,g' \
"${S}"/configure.ac || die
sed -i \
-e '/^SUBDIRS/s,zos-remote,,g' \
"${S}"/audisp/plugins/Makefile.am || die
fi
# Don't build static version of Python module.
eapply "${FILESDIR}"/${PN}-2.4.3-python.patch
# glibc/kernel upstreams suck with both defining ia64_fpreg
# This patch is a horribly workaround that is only valid as long as you
# don't need the OTHER definitions in fpu.h.
eapply "${FILESDIR}"/${PN}-2.1.3-ia64-compile-fix.patch
# there is no --without-golang conf option
sed -e "/^SUBDIRS =/s/ @gobind_dir@//" -i bindings/Makefile.am || die
# Regenerate autotooling
eautoreconf
}
multilib_src_configure() {
local ECONF_SOURCE=${S}
econf \
--sbindir="${EPREFIX}/sbin" \
$(use_enable gssapi gssapi-krb5) \
$(use_enable static-libs static) \
--enable-systemd \
--without-python \
--without-python3
if multilib_is_native_abi; then
python_configure() {
mkdir -p "${BUILD_DIR}" || die
cd "${BUILD_DIR}" || die
if python_is_python3; then
econf --without-python --with-python3
else
econf --with-python --without-python3
fi
}
use python && python_foreach_impl python_configure
fi
}
src_configure() {
tc-export_build_env BUILD_{CC,CPP}
export CC_FOR_BUILD="${BUILD_CC}"
export CPP_FOR_BUILD="${BUILD_CPP}"
multilib-minimal_src_configure
}
multilib_src_compile() {
if multilib_is_native_abi; then
default
python_compile() {
local pysuffix pydef
if python_is_python3; then
pysuffix=3
pydef='USE_PYTHON3=true'
else
pysuffix=2
pydef='HAVE_PYTHON=true'
fi
emake -C "${BUILD_DIR}"/bindings/swig \
VPATH="${native_build}/lib" \
LIBS="${native_build}/lib/libaudit.la" \
_audit_la_LIBADD="${native_build}/lib/libaudit.la" \
_audit_la_DEPENDENCIES="${S}/lib/libaudit.h ${native_build}/lib/libaudit.la" \
${pydef}
emake -C "${BUILD_DIR}"/bindings/python/python${pysuffix} \
VPATH="${S}/bindings/python/python${pysuffix}:${native_build}/bindings/python/python${pysuffix}" \
auparse_la_LIBADD="${native_build}/auparse/libauparse.la ${native_build}/lib/libaudit.la" \
${pydef}
}
local native_build="${BUILD_DIR}"
use python && python_foreach_impl python_compile
else
emake -C lib
emake -C auparse
fi
}
multilib_src_install() {
if multilib_is_native_abi; then
emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install
python_install() {
local pysuffix pydef
if python_is_python3; then
pysuffix=3
pydef='USE_PYTHON3=true'
else
pysuffix=2
pydef='HAVE_PYTHON=true'
fi
emake -C "${BUILD_DIR}"/bindings/swig \
VPATH="${native_build}/lib" \
LIBS="${native_build}/lib/libaudit.la" \
_audit_la_LIBADD="${native_build}/lib/libaudit.la" \
_audit_la_DEPENDENCIES="${S}/lib/libaudit.h ${native_build}/lib/libaudit.la" \
${pydef} \
DESTDIR="${D}" install
emake -C "${BUILD_DIR}"/bindings/python/python${pysuffix} \
VPATH="${S}/bindings/python/python${pysuffix}:${native_build}/bindings/python/python${pysuffix}" \
auparse_la_LIBADD="${native_build}/auparse/libauparse.la ${native_build}/lib/libaudit.la" \
${pydef} \
DESTDIR="${D}" install
}
local native_build=${BUILD_DIR}
use python && python_foreach_impl python_install
# things like shadow use this so we need to be in /
gen_usr_ldscript -a audit auparse
else
emake -C lib DESTDIR="${D}" install
emake -C auparse DESTDIR="${D}" install
fi
}
multilib_src_install_all() {
dodoc AUTHORS ChangeLog README* THANKS TODO
docinto contrib
dodoc contrib/{avc_snap,skeleton.c}
docinto contrib/plugin
dodoc contrib/plugin/*
docinto rules
dodoc rules/*
newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
fperms 644 "$(systemd_get_systemunitdir)"/auditd.service # 556436
[ -f "${ED}"/sbin/audisp-remote ] && \
dodir /usr/sbin && \
mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
# Gentoo rules
insinto /etc/audit/
newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
doins "${FILESDIR}"/audit.rules.stop*
# audit logs go here
keepdir /var/log/audit/
# Security
lockdown_perms "${ED}"
prune_libtool_files --modules
}
pkg_preinst() {
# Preserve from the audit-1 series
preserve_old_lib /$(get_libdir)/libaudit.so.0
}
pkg_postinst() {
lockdown_perms "${EROOT}"
# Preserve from the audit-1 series
preserve_old_lib_notify /$(get_libdir)/libaudit.so.0
}
lockdown_perms() {
# Upstream wants these to have restrictive perms.
# Should not || die as not all paths may exist.
local basedir="$1"
chmod 0750 "${basedir}"/sbin/au{ditctl,report,dispd,ditd,search,trace} 2>/dev/null
chmod 0750 "${basedir}"/var/log/audit/ 2>/dev/null
chmod 0640 "${basedir}"/etc/{audit/,}{auditd.conf,audit.rules*} 2>/dev/null
}

@ -1,20 +1,37 @@
# Copyright 1999-2017 Gentoo Foundation
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=6
# Flatcar: Based on audit-2.8.5-r1.ebuild from commit
# b9fd64557974fa02bc719f282a1776623072a864 in gentoo repo (see
# https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-process/audit/audit-2.8.5-r1.ebuild?id=b9fd64557974fa02bc719f282a1776623072a864).
PYTHON_COMPAT=( python{2_7,3_4,3_5,3_6} )
EAPI="6"
inherit autotools multilib multilib-minimal toolchain-funcs python-r1 linux-info systemd
PYTHON_COMPAT=( python{3_6,3_7} )
# Flatcar: We don't use preserve-libs.
inherit autotools multilib multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
DESCRIPTION="Userspace utilities for storing and processing auditing records"
HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
# https://github.com/linux-audit/audit-userspace/tree/2.8_maintenance
COMMIT='80866dc78b5db17010516e24344eaed8dcc6fb99' # contains many fixes not yet released
if [[ -n $COMMIT ]]; then
SRC_URI="https://github.com/linux-audit/audit-userspace/archive/${COMMIT}.tar.gz -> ${P}_p${COMMIT:0:12}.tar.gz"
S="${WORKDIR}/audit-userspace-${COMMIT}"
else
SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
fi
# -fno-common patch:
SRC_URI+=" https://github.com/linux-audit/audit-userspace/commit/017e6c6ab95df55f34e339d2139def83e5dada1f.patch -> ${PN}-017e6c6ab95df55f34e339d2139def83e5dada1f.patch"
LICENSE="GPL-2"
LICENSE="GPL-2+ LGPL-2.1+"
SLOT="0"
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
# Flatcar: Build amd64 and arm64 by default.
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
# Flatcar: Daemon USE flag for building (or not) auditd and tools.
IUSE="daemon gssapi ldap python static-libs"
# Flatcar: Requiring ldap on audit makes sense only if daemon is set.
REQUIRED_USE="ldap? ( daemon )
python? ( ${PYTHON_REQUIRED_USE} )"
# Testcases are pretty useless as they are built for RedHat users/groups and kernels.
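
Review bot: The `SRC_URI+=` line for the -fno-common fix fetches `https://github.com/linux-audit/audit-userspace/commit/017e6c6ab95df55f34e339d2139def83e5dada1f.patch`, which GitHub renders on request rather than publishing as a release file, while the Manifest in this commit pins its size and hashes. If the rendered output ever differs, the fetch fails verification and the package stops building. Consider carrying the patch under `files/` next to the ia64 fix, or mirroring it, so the pinned checksum refers to a file the project controls.
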
@ -22,7 +39,6 @@ RESTRICT="test"
RDEPEND="gssapi? ( virtual/krb5 )
ldap? ( net-nds/openldap )
sys-apps/diffutils
sys-libs/libcap-ng
python? ( ${PYTHON_DEPS} )"
DEPEND="${RDEPEND}
@ -37,8 +53,6 @@ pkg_setup() {
}
src_prepare() {
eapply_user
# Do not build GUI tools
sed -i \
-e '/AC_CONFIG_SUBDIRS.*system-config-audit/d' \
@ -48,14 +62,10 @@ src_prepare() {
"${S}"/Makefile.am || die
rm -rf "${S}"/system-config-audit
if ! use ldap; then
# audisp-remote moved in multilib_src_install_all
sed -i \
-e '/^AC_OUTPUT/s,audisp/plugins/zos-remote/Makefile,,g' \
"${S}"/configure.ac || die
sed -i \
-e '/^SUBDIRS/s,zos-remote,,g' \
"${S}"/audisp/plugins/Makefile.am || die
fi
-e "s,/sbin/audisp-remote,${EPREFIX}/usr/sbin/audisp-remote," \
"${S}"/audisp/plugins/remote/au-remote.conf || die
# Don't build static version of Python module.
eapply "${FILESDIR}"/${PN}-2.4.3-python.patch
@ -63,10 +73,12 @@ src_prepare() {
# glibc/kernel upstreams suck with both defining ia64_fpreg
# This patch is a horribly workaround that is only valid as long as you
# don't need the OTHER definitions in fpu.h.
eapply "${FILESDIR}"/${PN}-2.1.3-ia64-compile-fix.patch
eapply "${FILESDIR}"/${PN}-2.8.4-ia64-compile-fix.patch
# there is no --without-golang conf option
sed -e "/^SUBDIRS =/s/ @gobind_dir@//" -i bindings/Makefile.am || die
# -fno-common
eapply "${DISTDIR}/${PN}-017e6c6ab95df55f34e339d2139def83e5dada1f.patch"
eapply_user
if ! use daemon; then
sed -e '/^SUBDIRS =/s/audisp//' \
@ -86,13 +98,14 @@ src_prepare() {
multilib_src_configure() {
local ECONF_SOURCE=${S}
local my_conf="$(use_enable ldap zos-remote)"
econf \
${my_conf} \
--sbindir="${EPREFIX}/sbin" \
$(use_enable gssapi gssapi-krb5) \
$(use_enable static-libs static) \
$(use_enable ldap zos-remote) \
--without-golang \
--enable-systemd \
--without-golang \
--without-python \
--without-python3
@ -101,11 +114,7 @@ multilib_src_configure() {
mkdir -p "${BUILD_DIR}" || die
cd "${BUILD_DIR}" || die
if python_is_python3; then
econf --without-python --with-python3
else
econf --with-python --without-python3
fi
econf ${my_conf} --without-python --with-python3
}
use python && python_foreach_impl python_configure
@ -125,25 +134,16 @@ multilib_src_compile() {
default
python_compile() {
local pysuffix pydef
if python_is_python3; then
pysuffix=3
pydef='USE_PYTHON3=true'
else
pysuffix=2
pydef='HAVE_PYTHON=true'
fi
emake -C "${BUILD_DIR}"/bindings/swig \
VPATH="${native_build}/lib" \
LIBS="${native_build}/lib/libaudit.la" \
_audit_la_LIBADD="${native_build}/lib/libaudit.la" \
_audit_la_DEPENDENCIES="${S}/lib/libaudit.h ${native_build}/lib/libaudit.la" \
${pydef}
emake -C "${BUILD_DIR}"/bindings/python/python${pysuffix} \
VPATH="${S}/bindings/python/python${pysuffix}:${native_build}/bindings/python/python${pysuffix}" \
USE_PYTHON3=true
emake -C "${BUILD_DIR}"/bindings/python/python3 \
VPATH="${S}/bindings/python/python3:${native_build}/bindings/python/python3" \
auparse_la_LIBADD="${native_build}/auparse/libauparse.la ${native_build}/lib/libaudit.la" \
${pydef}
USE_PYTHON3=true
}
local native_build="${BUILD_DIR}"
@ -159,26 +159,17 @@ multilib_src_install() {
emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install
python_install() {
local pysuffix pydef
if python_is_python3; then
pysuffix=3
pydef='USE_PYTHON3=true'
else
pysuffix=2
pydef='HAVE_PYTHON=true'
fi
emake -C "${BUILD_DIR}"/bindings/swig \
VPATH="${native_build}/lib" \
LIBS="${native_build}/lib/libaudit.la" \
_audit_la_LIBADD="${native_build}/lib/libaudit.la" \
_audit_la_DEPENDENCIES="${S}/lib/libaudit.h ${native_build}/lib/libaudit.la" \
${pydef} \
USE_PYTHON3=true \
DESTDIR="${D}" install
emake -C "${BUILD_DIR}"/bindings/python/python${pysuffix} \
VPATH="${S}/bindings/python/python${pysuffix}:${native_build}/bindings/python/python${pysuffix}" \
emake -C "${BUILD_DIR}"/bindings/python/python3 \
VPATH="${S}/bindings/python/python3:${native_build}/bindings/python/python3" \
auparse_la_LIBADD="${native_build}/auparse/libauparse.la ${native_build}/lib/libaudit.la" \
${pydef} \
USE_PYTHON3=true \
DESTDIR="${D}" install
}
@ -194,35 +185,34 @@ multilib_src_install() {
}
multilib_src_install_all() {
dodoc AUTHORS ChangeLog README* THANKS TODO
dodoc AUTHORS ChangeLog README* THANKS
docinto contrib
dodoc contrib/{avc_snap,skeleton.c}
use daemon && docinto contrib/plugin
use daemon && dodoc contrib/plugin/*
docinto rules
dodoc rules/*
use daemon && newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
use daemon && newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
if use daemon; then
docinto contrib/plugin
dodoc contrib/plugin/*
newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
fperms 644 "$(systemd_get_systemunitdir)"/auditd.service # 556436
[ -f "${ED}"/sbin/audisp-remote ] && \
dodir /usr/sbin && \
mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
# audit logs go here
keepdir /var/log/audit/
fi
# Flatcar: We install our own rules.
insinto /usr/share/audit/rules.d
doins "${FILESDIR}"/rules.d/*.rules
# Security
# audit logs go here
use daemon && keepdir /var/log/audit/
find "${D}" -name '*.la' -delete || die
# Flatcar: Our systemd stuff.
systemd_newtmpfilesd "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf
systemd_dounit "${FILESDIR}"/audit-rules.service
systemd_enable_service multi-user.target audit-rules.service
prune_libtool_files --modules
}
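
Review bot: In the `if use daemon` block, `[ -f "${ED}"/sbin/audisp-remote ] && dodir /usr/sbin && mv ... || die` does not skip the move when the file is absent: a failed `-f` test falls through to `|| die`, so the build aborts with no message. If audisp-remote is always expected with `daemon`, drop the test and give `die` a message; if it is optional, use `if [ -f ... ]; then ... fi` and keep `|| die` on the `mv` only.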

@ -1,212 +0,0 @@
diff -Nuar -X exclude audit-2.1.3.orig/configure.ac audit-2.1.3/configure.ac
--- audit-2.1.3.orig/configure.ac 2011-08-15 17:30:58.000000000 +0000
+++ audit-2.1.3/configure.ac 2012-12-18 20:03:22.000000000 +0000
@@ -79,6 +79,9 @@
esac
fi
+AC_CHECK_HEADER([asm/ptrace.h], [AC_DEFINE([HAVE_ASM_PTRACE_H],[],[Define to 1 if you have asm/ptrace.h])], [])
+AC_CHECK_HEADER([linux/ptrace.h], [AC_DEFINE([HAVE_LINUX_PTRACE_H],[],[Define to 1 if you have linux/ptrace.h])], [])
+
#gssapi
AC_ARG_ENABLE(gssapi_krb5,
[AS_HELP_STRING([--enable-gssapi-krb5],[Enable GSSAPI Kerberos 5 support @<:@default=no@:>@])],
diff -Nuar -X exclude audit-2.1.3.orig/src/auditctl.c audit-2.1.3/src/auditctl.c
--- audit-2.1.3.orig/src/auditctl.c 2011-08-15 17:31:00.000000000 +0000
+++ audit-2.1.3/src/auditctl.c 2012-12-18 20:21:21.000000000 +0000
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h> /* strdup needs xopen define */
diff -Nuar -X exclude audit-2.1.3.orig/src/auditd-config.c audit-2.1.3/src/auditd-config.c
--- audit-2.1.3.orig/src/auditd-config.c 2011-08-15 17:31:00.000000000 +0000
+++ audit-2.1.3/src/auditd-config.c 2012-12-18 20:21:23.000000000 +0000
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
diff -Nuar -X exclude audit-2.1.3.orig/src/auditd-dispatch.c audit-2.1.3/src/auditd-dispatch.c
--- audit-2.1.3.orig/src/auditd-dispatch.c 2011-08-15 17:31:00.000000000 +0000
+++ audit-2.1.3/src/auditd-dispatch.c 2012-12-18 20:21:27.000000000 +0000
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <unistd.h>
#include <sys/uio.h>
#include <fcntl.h>
diff -Nuar -X exclude audit-2.1.3.orig/src/auditd-event.c audit-2.1.3/src/auditd-event.c
--- audit-2.1.3.orig/src/auditd-event.c 2011-08-15 17:31:00.000000000 +0000
+++ audit-2.1.3/src/auditd-event.c 2012-12-18 20:21:29.000000000 +0000
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
diff -Nuar -X exclude audit-2.1.3.orig/src/auditd-listen.c audit-2.1.3/src/auditd-listen.c
--- audit-2.1.3.orig/src/auditd-listen.c 2011-08-15 17:31:00.000000000 +0000
+++ audit-2.1.3/src/auditd-listen.c 2012-12-18 20:21:31.000000000 +0000
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
diff -Nuar -X exclude audit-2.1.3.orig/src/auditd-reconfig.c audit-2.1.3/src/auditd-reconfig.c
--- audit-2.1.3.orig/src/auditd-reconfig.c 2011-08-15 17:31:00.000000000 +0000
+++ audit-2.1.3/src/auditd-reconfig.c 2012-12-18 20:21:33.000000000 +0000
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <pthread.h>
#include <signal.h>
#include <stdlib.h>
diff -Nuar -X exclude audit-2.1.3.orig/src/auditd-sendmail.c audit-2.1.3/src/auditd-sendmail.c
--- audit-2.1.3.orig/src/auditd-sendmail.c 2011-08-15 17:31:00.000000000 +0000
+++ audit-2.1.3/src/auditd-sendmail.c 2012-12-18 20:21:34.000000000 +0000
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <unistd.h> // for access()
#include <string.h>
diff -Nuar -X exclude audit-2.1.3.orig/src/auditd.c audit-2.1.3/src/auditd.c
--- audit-2.1.3.orig/src/auditd.c 2011-08-15 17:31:00.000000000 +0000
+++ audit-2.1.3/src/auditd.c 2012-12-18 20:21:38.000000000 +0000
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
diff -Nuar -X exclude audit-2.1.3.orig/src/autrace.c audit-2.1.3/src/autrace.c
--- audit-2.1.3.orig/src/autrace.c 2011-08-15 17:31:00.000000000 +0000
+++ audit-2.1.3/src/autrace.c 2012-12-18 20:21:43.000000000 +0000
@@ -21,6 +21,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
diff -Nuar -X exclude audit-2.1.3.orig/src/delete_all.c audit-2.1.3/src/delete_all.c
--- audit-2.1.3.orig/src/delete_all.c 2011-08-15 17:31:00.000000000 +0000
+++ audit-2.1.3/src/delete_all.c 2012-12-18 20:21:48.000000000 +0000
@@ -20,6 +20,7 @@
* Steve Grubb <sgrubb@redhat.com>
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <string.h>
#include <errno.h>
diff -Nuar -X exclude audit-2.1.3.orig/lib/fixup.h audit-2.1.3/lib/fixup.h
--- audit-2.1.3.orig/lib/fixup.h 1970-01-01 00:00:00.000000000 +0000
+++ audit-2.1.3/lib/fixup.h 2012-12-18 20:21:02.000000000 +0000
@@ -0,0 +1,17 @@
+#ifndef _AUDIT_IA64_FIXUP_H_
+#define _AUDIT_IA64_FIXUP_H_
+
+#ifdef __ia64__ /* what a pos */
+# include <linux/types.h>
+# define _ASM_IA64_FPU_H
+#endif
+#include <signal.h>
+/*
+#ifdef HAVE_ASM_PTRACE_H
+# include <asm/ptrace.h>
+#endif
+#ifdef HAVE_LINUX_PTRACE_H
+# include <linux/ptrace.h>
+#endif
+*/
+#endif
--- audit-2.1.3/src/ausearch.c 2012-12-22 03:09:54.000000000 +0000
+++ audit-2.1.3/src/ausearch.c 2012-12-22 03:10:02.000000000 +0000
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <stdio_ext.h>
#include <string.h>
diff -Nuar audit-2.1.3.orig/audisp/audispd.c audit-2.1.3/audisp/audispd.c
--- audit-2.1.3.orig/audisp/audispd.c 2011-08-15 17:30:59.000000000 +0000
+++ audit-2.1.3/audisp/audispd.c 2012-12-22 03:25:15.000000000 +0000
@@ -21,6 +21,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
diff -Nuar audit-2.1.3.orig/audisp/plugins/prelude/audisp-prelude.c audit-2.1.3/audisp/plugins/prelude/audisp-prelude.c
--- audit-2.1.3.orig/audisp/plugins/prelude/audisp-prelude.c 2011-08-15 17:30:59.000000000 +0000
+++ audit-2.1.3/audisp/plugins/prelude/audisp-prelude.c 2012-12-22 03:25:20.000000000 +0000
@@ -21,6 +21,8 @@
*
*/
+#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
diff -Nuar audit-2.1.3.orig/audisp/plugins/remote/audisp-remote.c audit-2.1.3/audisp/plugins/remote/audisp-remote.c
--- audit-2.1.3.orig/audisp/plugins/remote/audisp-remote.c 2011-08-15 17:30:59.000000000 +0000
+++ audit-2.1.3/audisp/plugins/remote/audisp-remote.c 2012-12-22 03:25:22.000000000 +0000
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <signal.h>
#include <syslog.h>
diff -Nuar audit-2.1.3.orig/contrib/plugin/audisp-example.c audit-2.1.3/contrib/plugin/audisp-example.c
--- audit-2.1.3.orig/contrib/plugin/audisp-example.c 2011-08-15 17:31:02.000000000 +0000
+++ audit-2.1.3/contrib/plugin/audisp-example.c 2012-12-22 03:25:27.000000000 +0000
@@ -37,6 +37,8 @@
*/
#define _GNU_SOURCE
+#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <signal.h>
#include <string.h>
diff -Nuar audit-2.1.3.orig/contrib/skeleton.c audit-2.1.3/contrib/skeleton.c
--- audit-2.1.3.orig/contrib/skeleton.c 2011-08-15 17:31:02.000000000 +0000
+++ audit-2.1.3/contrib/skeleton.c 2012-12-22 03:25:40.000000000 +0000
@@ -7,6 +7,8 @@
* gcc skeleton.c -o skeleton -laudit
*/
+#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <sys/types.h>
#include <sys/uio.h>

@ -0,0 +1,195 @@
--- a/audisp/audispd.c
+++ b/audisp/audispd.c
@@ -21,6 +21,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
--- a/audisp/plugins/prelude/audisp-prelude.c
+++ b/audisp/plugins/prelude/audisp-prelude.c
@@ -21,6 +21,8 @@
*
*/
+#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
--- a/audisp/plugins/remote/audisp-remote.c
+++ b/audisp/plugins/remote/audisp-remote.c
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <signal.h>
#include <syslog.h>
--- a/configure.ac
+++ b/configure.ac
@@ -216,6 +216,9 @@ AC_ARG_ENABLE(zos-remote,
AM_CONDITIONAL(ENABLE_ZOS_REMOTE, test "x$enable_zos_remote" != "xno")
AC_MSG_RESULT($enable_zos_remote)
+AC_CHECK_HEADER([asm/ptrace.h], [AC_DEFINE([HAVE_ASM_PTRACE_H],[],[Define to 1 if you have asm/ptrace.h])], [])
+AC_CHECK_HEADER([linux/ptrace.h], [AC_DEFINE([HAVE_LINUX_PTRACE_H],[],[Define to 1 if you have linux/ptrace.h])], [])
+
#gssapi
AC_ARG_ENABLE(gssapi_krb5,
[AS_HELP_STRING([--enable-gssapi-krb5],[Enable GSSAPI Kerberos 5 support @<:@default=no@:>@])],
--- a/contrib/plugin/audisp-example.c
+++ b/contrib/plugin/audisp-example.c
@@ -37,6 +37,8 @@
*/
#define _GNU_SOURCE
+#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <signal.h>
#include <string.h>
--- a/contrib/skeleton.c
+++ b/contrib/skeleton.c
@@ -13,6 +13,8 @@
* gcc skeleton.c -o skeleton -laudit
*/
+#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <sys/types.h>
#include <sys/uio.h>
--- /dev/null
+++ b/lib/fixup.h
@@ -0,0 +1,17 @@
+#ifndef _AUDIT_IA64_FIXUP_H_
+#define _AUDIT_IA64_FIXUP_H_
+
+#ifdef __ia64__ /* what a pos */
+# include <linux/types.h>
+# define _ASM_IA64_FPU_H
+#endif
+#include <signal.h>
+/*
+#ifdef HAVE_ASM_PTRACE_H
+# include <asm/ptrace.h>
+#endif
+#ifdef HAVE_LINUX_PTRACE_H
+# include <linux/ptrace.h>
+#endif
+*/
+#endif
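
Review bot: In lib/fixup.h the `HAVE_ASM_PTRACE_H` / `HAVE_LINUX_PTRACE_H` includes sit inside a `/* ... */` comment, so the two `AC_CHECK_HEADER` checks this patch adds to configure.ac define macros that nothing in the patch reads. Drop either the dead block or the configure checks. The `# define _ASM_IA64_FPU_H` line also needs a comment explaining that it is there to keep the conflicting fpu.h definitions out (the ebuild comment about `ia64_fpreg` says as much); `/* what a pos */` does not tell the next maintainer that.
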
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -23,6 +23,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
--- a/src/auditd-config.c
+++ b/src/auditd-config.c
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
--- a/src/auditd-dispatch.c
+++ b/src/auditd-dispatch.c
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <unistd.h>
#include <sys/uio.h>
#include <fcntl.h>
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdlib.h>
#include <unistd.h>
#include <pthread.h>
--- a/src/auditd-listen.c
+++ b/src/auditd-listen.c
@@ -23,6 +23,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
--- a/src/auditd-reconfig.c
+++ b/src/auditd-reconfig.c
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <pthread.h>
#include <signal.h>
#include <stdlib.h>
--- a/src/auditd-sendmail.c
+++ b/src/auditd-sendmail.c
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <unistd.h> // for access()
#include <string.h>
--- a/src/auditd.c
+++ b/src/auditd.c
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
--- a/src/ausearch.c
+++ b/src/ausearch.c
@@ -22,6 +22,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <stdio_ext.h>
#include <string.h>
--- a/src/autrace.c
+++ b/src/autrace.c
@@ -21,6 +21,7 @@
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
--- a/src/delete_all.c
+++ b/src/delete_all.c
@@ -20,6 +20,7 @@
* Steve Grubb <sgrubb@redhat.com>
*/
#include "config.h"
+#include "fixup.h"
#include <stdio.h>
#include <string.h>
#include <errno.h>

@ -1,24 +0,0 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
#
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
# This is to clear out old rules, so we don't append to them.
-D
# Feel free to add below this line. See auditctl man page
# The following rule would cause all of the syscalls listed to be ignored in logging.
# -a entry,never -S read -S write -S open -S fstat -S fstat64 -S mmap -S brk -S munmap -S _llseek -S nanosleep -S fcntl64 -S close -S dup2 -S rt_sigaction -S stat64 -S stat
# The following rule would cause the capture of all systems not caught above.
# -a entry,always -S all
# Increase the buffers to survive stress events
-b 256
# vim:ft=conf:

@ -1,12 +0,0 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
#
# This file contains the auditctl rules that are loaded immediately after the
# audit deamon is stopped via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# Not used for the default Gentoo configuration as of v1.2.3
# Paranoid security types might wish to reconfigure kauditd here.
# vim:ft=conf:

@ -1,15 +0,0 @@
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
#
# This file contains the auditctl rules that are loaded immediately before the
# audit deamon is stopped via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# auditd is stopping, don't capture events anymore
-D
# Disable kernel generating audit events
-e 0
# vim:ft=conf:

@ -1,11 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>selinux@gentoo.org</email>
</maintainer>
<maintainer type="person">
<email>robbat2@gentoo.org</email>
</maintainer>
<use>
<flag name="gssapi">Enable GSSAPI support</flag>
<flag name="daemon">Enable auditd and audisp support</flag>
</use>
</pkgmetadata>
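
Review bot: The `daemon` flag description, "Enable auditd and audisp support", is narrower than what the flag gates: the README added in this commit says it also controls "some more tools" (ausearch and aureport are named), and the ebuild ties the init scripts and `/var/log/audit/` to it. Suggest wording the description to cover the tools and the log directory as well.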