sys-process/audit: Apply Flatcar modifications

2025-10-02 02:51:06 +02:00 · 2021-12-15 21:00:38 +01:00 · 2021-12-15 21:00:38 +01:00 · 52c0685d0f
commit 52c0685d0f
parent 25b036f454
12 changed files with 111 additions and 182 deletions
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md
@ -0,0 +1,24 @@
+This is a fork of gentoo's `sys-process/audit` package. The main
+reasons for having our fork seem to be:
+
+1. We have our own audit rules (see files in `files/rules.d`
+   directory).
+
+  - These seem to be mostly similar to what gentoo provides, but split
+    into several files and they have an additional rule for SELinux
+    events.
+
+  - We also install it in a different place and place symlinks with
+    systemd's tmpfiles functionality.
+
+2. We install a systemd service that loads our rules at startup.
+
+3. We build and install only a subset of binaries in the project.
+   Namely, we skip all the daemon stuff that puts the logs in
+   `/var/log/audit` and some tools that process those logs. Since
+   audit logs are also written to journal, writing them to disk seems
+   redundant, thus auditd and the tools seem to be unnecessary. This
+   also reduces the final image size a bit.
+
+4. Since we do not install the daemon, we don't do the permissions
+   lockdown on some auditd files.
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild
@ -3,9 +3,11 @@

 EAPI=7

-PYTHON_COMPAT=( python3_{8..10} )
+# Flatcar: Support python 3.6.
+PYTHON_COMPAT=( python3_{6..10} )

-inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
+TMPFILES_OPTIONAL=1
+inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript tmpfiles

 DESCRIPTION="Userspace utilities for storing and processing auditing records"
 HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
@ -13,7 +15,8 @@ SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"

 LICENSE="GPL-2+ LGPL-2.1+"
 SLOT="0"
-KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+# Flatcar: Build amd64 and arm64 by default.
+KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 IUSE="gssapi ldap python static-libs test"

 REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
@ -39,6 +42,20 @@ src_prepare() {
 	# Disable installing sample rules so they can be installed as docs.
 	echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null

+	# Flatcar: Do not build daemon stuff.
+	sed -e '/^SUBDIRS =/s/audisp//' \
+		-i Makefile.am || die
+	# Flatcar: Some legacy stuff is being installed when systemd
+	# is enabled. Drop all the lines that try doing it.
+	sed -e '/${DESTDIR}${initdir}/d' \
+		-e '/${DESTDIR}${legacydir}/d' \
+		-i init.d/Makefile.am || die
+	# Flatcar: Do not build daemon stuff.
+	sed -e '/^sbin_PROGRAMS =/s/auditd//' \
+		-e '/^sbin_PROGRAMS =/s/aureport//' \
+		-e '/^sbin_PROGRAMS =/s/ausearch//' \
+		-i src/Makefile.am || die
+
 	default
 	eautoreconf
 }
@ -116,30 +133,46 @@ multilib_src_install_all() {
 	dodoc AUTHORS ChangeLog README* THANKS
 	docinto contrib
 	dodoc contrib/avc_snap
-	docinto contrib/plugin
-	dodoc contrib/plugin/*
+	# Flatcar: Do not install any plugin stuff, these are parts of
+	# auditd that we don't build and install anyway.
+	# docinto contrib/plugin
+	# dodoc contrib/plugin/*
 	docinto rules
 	dodoc rules/*rules

-	newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
-	newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
+	# Flatcar: Do not install stuff auditd stuff.
+	# newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
+	# newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd

-	[ -f "${ED}"/sbin/audisp-remote ] && \
-	dodir /usr/sbin && \
-	mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
+	# Flatcar: We are not installing audisp too.
+	# [ -f "${ED}"/sbin/audisp-remote ] && \
+	# dodir /usr/sbin && \
+	# mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die

+	# Flatcar: Do not install gentoo rules.
 	# Gentoo rules
-	insinto /etc/audit
-	newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
-	doins "${FILESDIR}"/audit.rules.stop*
+	# insinto /etc/audit
+	# newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
+	# Flatcar: We are installing our own rules.
+	insinto /usr/share/audit/rules.d
+	doins "${FILESDIR}"/rules.d/*.rules
+	# Flatcar: Do not install deamon stuff.
+	# doins "${FILESDIR}"/audit.rules.stop*

 	# audit logs go here
-	keepdir /var/log/audit
+	# Flatcar: This is where auditd puts its logs. We don't have
+	# the daemon, so get rid of the unnecessary directory.
+	# keepdir /var/log/audit

 	find "${ED}" -type f -name '*.la' -delete || die

 	# Security
 	lockdown_perms "${ED}"
+
+	# Flatcar: Our systemd stuff.
+	newtmpfiles "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf
+	systemd_dounit "${FILESDIR}"/audit-rules.service
+	systemd_enable_service multi-user.target audit-rules.service
 }

 pkg_postinst() {
@ -149,8 +182,11 @@ pkg_postinst() {
 lockdown_perms() {
 	# Upstream wants these to have restrictive perms.
 	# Should not || die as not all paths may exist.
-	local basedir="${1}"
-	chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
-	chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
-	chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
+	# Flatcar: No lockdown of permissions - it's probably only
+	# related to auditd.
+	# local basedir="${1}"
+	# chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
+	# chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
+	# chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
+	:
 }
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service
@ -0,0 +1,16 @@
+[Unit]
+Description=Load Security Auditing Rules
+DefaultDependencies=no
+After=local-fs.target systemd-tmpfiles-setup.service
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=audit
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/augenrules --load
+ExecStop=-/sbin/auditctl -D
+
+[Install]
+WantedBy=multi-user.target
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
@ -0,0 +1,5 @@
+d   /etc/audit                          -   -   -   -   -
+d   /etc/audit/rules.d                  -   -   -   -   -
+L   /etc/audit/rules.d/00-clear.rules   -   -   -   -   /usr/share/audit/rules.d/00-clear.rules
+L   /etc/audit/rules.d/80-selinux.rules -   -   -   -   /usr/share/audit/rules.d/80-selinux.rules
+L   /etc/audit/rules.d/99-default.rules -   -   -   -   /usr/share/audit/rules.d/99-default.rules
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3
@ -1,25 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# This file contains the auditctl rules that are loaded
-# whenever the audit daemon is started via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# First rule - delete all
-# This is to clear out old rules, so we don't append to them.
-D
-
-# Feel free to add below this line. See auditctl man page
-
-# The following rule would cause all of the syscalls listed to be ignored in logging.
-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
-
-# The following rule would cause the capture of all systems not caught above.
-# -a exit,always -S all
-
-# Increase the buffers to survive stress events
-b 8192
-
-# vim:ft=conf:
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post
@ -1,12 +0,0 @@
-# Copyright 1999-2005 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# This file contains the auditctl rules that are loaded immediately after the
-# audit deamon is stopped via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# Not used for the default Gentoo configuration as of v1.2.3
-# Paranoid security types might wish to reconfigure kauditd here.
-
-# vim:ft=conf:
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre
@ -1,15 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-#
-# This file contains the auditctl rules that are loaded immediately before the
-# audit deamon is stopped via the initscripts.
-# The rules are simply the parameters that would be passed
-# to auditctl.
-
-# auditd is stopping, don't capture events anymore
-D
-
-# Disable kernel generating audit events
-e 0
-
-# vim:ft=conf:
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-conf.d-2.1.3
@ -1,22 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-# Configuration options for auditd
-# -f for foreground mode
-# There are some other options as well, but you'll have to look in the source
-# code to find them as they aren't ready for use yet.
-EXTRAOPTIONS=''
-
-# Audit rules file to run after starting auditd
-RULEFILE_STARTUP=/etc/audit/audit.rules
-
-# Audit rules file to run before and after stopping auditd
-RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre
-RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post
-
-# If you want to enforce a certain locale for auditd, 
-# uncomment one of the next lines:
-#AUDITD_LANG=none
-AUDITD_LANG=C
-#AUDITD_LANG=en_US
-#AUDITD_LANG=en_US.UTF-8
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/auditd-init.d-2.4.3
@ -1,90 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-extra_started_commands='reload reload_auditd reload_rules'
-description='Linux Auditing System'
-description_reload='Reload daemon configuration and rules'
-description_reload_rules='Reload daemon rules'
-description_reload_auditd='Reload daemon configuration'
-
-name='auditd'
-pidfile='/var/run/auditd.pid'
-command='/sbin/auditd'
-
-start_auditd() {
-	# Env handling taken from the upstream init script
-	if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then
-		unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
-	else
-		LANG="$AUDITD_LANG"
-		LC_TIME="$AUDITD_LANG"
-		LC_ALL="$AUDITD_LANG"
-		LC_MESSAGES="$AUDITD_LANG"
-		LC_NUMERIC="$AUDITD_LANG"
-		LC_MONETARY="$AUDITD_LANG"
-		LC_COLLATE="$AUDITD_LANG"
-		export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
-	fi
-	unset HOME MAIL USER USERNAME
-
-	ebegin "Starting ${name}"
-	start-stop-daemon \
-		--start --quiet --pidfile ${pidfile} \
-		--exec ${command} -- ${EXTRAOPTIONS}
-	local ret=$?
-	eend $ret
-	return $ret
-}
-
-stop_auditd() {
-	ebegin "Stopping ${name}"
-	start-stop-daemon --stop --quiet --pidfile ${pidfile}
-	local ret=$?
-	eend $ret
-	return $ret
-}
-
-loadfile() {
-	local rules="$1"
-	if [ -n "${rules}" -a -f "${rules}" ]; then
-		einfo "Loading audit rules from ${rules}"
-		/sbin/auditctl -R "${rules}" >/dev/null
-		return $?
-	else
-		return 0
-	fi
-}
-
-start() {
-	start_auditd
-	local ret=$?
-	if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then
-		loadfile "${RULEFILE_STARTUP}"
-	fi
-	return $ret
-}
-
-reload_rules() {
-	loadfile "${RULEFILE_STARTUP}"
-}
-
-reload_auditd() {
-	ebegin "Reloading ${SVCNAME}"
-	start-stop-daemon --signal HUP \
-	    --exec "${command}" --pidfile "${pidfile}"
-	eend $?
-}
-
-reload() {
-	reload_auditd
-	reload_rules
-}
-
-stop() {
-	[ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}"
-	stop_auditd
-	local ret=$?
-	[ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}"
-	return $ret
-}
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
@ -0,0 +1,3 @@
+# First rule - delete all
+# This is to clear out old rules, so we don't append to them.
+-D
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules
@ -0,0 +1,4 @@
+# Enable all SELinux related events
+# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h)
+
+-a exclude,never -F msgtype>=1400 -F msgtype<=1499
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules
@ -0,0 +1,5 @@
+# Always report changes to the audit subsystem itself.
+-a exclude,never -F msgtype=CONFIG_CHANGE
+
+# Ignore everything else.
+-a exclude,always -F msgtype>0