From 5633fc128b5170179f833d5086f216b5b89ffdb8 Mon Sep 17 00:00:00 2001 
From: Krzesimir Nowak Date: Thu, 25 Nov 2021 15:58:15 +0100 Subject: [PATCH] sys-process/audit: Sync with gentoo It's from gentoo commit 9537582d2381dcbac871953273430ce1391e46aa. --- .../coreos-overlay/sys-process/audit/Manifest | 3 +- .../sys-process/audit/README.md | 27 --- .../sys-process/audit/audit-2.8.5-r1.ebuild | 218 ------------------ .../sys-process/audit/audit-3.0.6.ebuild | 156 +++++++++++++ .../audit/files/audit-2.4.3-python.patch | 46 ---- .../files/audit-2.8.4-ia64-compile-fix.patch | 195 ---------------- .../audit/files/audit-rules.service | 16 -- .../audit/files/audit-rules.tmpfiles | 5 - .../sys-process/audit/files/audit.rules-2.1.3 | 25 ++ .../audit/files/audit.rules.stop.post | 12 + .../audit/files/audit.rules.stop.pre | 15 ++ .../audit/files/rules.d/00-clear.rules | 3 - .../audit/files/rules.d/80-selinux.rules | 4 - .../audit/files/rules.d/99-default.rules | 5 - .../sys-process/audit/metadata.xml | 5 +- 15 files changed, 213 insertions(+), 522 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-2.8.5-r1.ebuild create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-2.4.3-python.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-2.8.4-ia64-compile-fix.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post create mode 100644 
sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules delete mode 100644 sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/Manifest index d250026251..8fde549680 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/Manifest @@ -1,2 +1 @@ -DIST audit-017e6c6ab95df55f34e339d2139def83e5dada1f.patch 854 BLAKE2B 53129e3d90dc0685dbf4cd5403deb6498f04d494e42030617fd9c28da17c2c90e39cdd00449e430cc9bed108fd866fdf78091bcce5bfae8f2a3abc84595c8544 SHA512 58b3e85a505fbd73e405da53e521a0d823c44bd27b7fdb7b1dea790931bcf4531d6e1cad1fc303d4dbb59db2dd3562f0056263a10fe8fcc18d751eafa9d6f418 -DIST audit-2.8.5_p80866dc78b5d.tar.gz 552094 BLAKE2B adb936a314ef2f11828ee00f3513631e06e2df09e37e68be27b1b694e278116d2f486dbde7ed57c77d9ff0bcd09309ea841959c7a66caed6770f367d65dd14f4 SHA512 7ec103bf076cfac7906748162e78835f1f65dd9d68e3a7466346e0473075beb47897adf88ab9ba0eb42db1953372aafb16cc040674b9a9c887730c062b82540a +DIST audit-3.0.6.tar.gz 1190011 BLAKE2B 93a7efad1cbea6771a73222b05aacbabc4ac61d1efb9fc2532607a94804bcac6512d0be2f4d89aa62d94fb85ba5818ffae4bf0a72676e8d549ddbec766e83e9c SHA512 74734e1b1fddea086db9c5dc8c4b7817917fdf17bc7ca4e5b440aae975484d020a17c3f485f6a37b6b150a307d809e50d559d31a8cbd6f1e554933719551bcd1 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md deleted file mode 100644 index c6005dfb96..0000000000 
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/README.md +++ /dev/null @@ -1,27 +0,0 @@ -This is a fork of gentoo's `sys-process/audit` package. The main -reasons for having our fork seem to be: - -1. We have our own audit rules (see files in `files/rules.d` - directory). - - - These seem to be mostly similar to what gentoo provides, but split - into several files and they have an additional rule for SELinux - events. - - - We also install it in a different place and place symlinks with - systemd's tmpfiles functionality. - -2. We install a systemd service that loads our rules at startup. - -3. We add a `daemon` use flag that gates a build of `auditd` binary - and some more tools. This flag seems to be unused, which results in - the daemon and tools not being built. The role of auditd is to - write audit records to disk, and both ausearch and aureport utilize - those written logs. Since audit logs are also written to journal, - writing them to disk seems redundant, thus auditd and the tools - seem to be unnecessary. This also reduces the final image size a - bit. - -4. We don't do the permissions lockdown on some auditd files for some - reason. It's either related that we don't build auditd in practice - or it's about our own audit rules. diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-2.8.5-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-2.8.5-r1.ebuild deleted file mode 100644 index e4da39e5b0..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-2.8.5-r1.ebuild +++ /dev/null 
@@ -1,218 +0,0 @@ -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -# Flatcar: Based on audit-2.8.5-r1.ebuild from commit -# b9fd64557974fa02bc719f282a1776623072a864 in gentoo repo (see -# https://gitweb.gentoo.org/repo/gentoo.git/plain/sys-process/audit/audit-2.8.5-r1.ebuild?id=b9fd64557974fa02bc719f282a1776623072a864). - -EAPI="6" - -PYTHON_COMPAT=( python{3_6,3_7} ) - -# Flatcar: We don't use preserve-libs. -inherit autotools multilib multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript - -DESCRIPTION="Userspace utilities for storing and processing auditing records" -HOMEPAGE="https://people.redhat.com/sgrubb/audit/" -# https://github.com/linux-audit/audit-userspace/tree/2.8_maintenance -COMMIT='80866dc78b5db17010516e24344eaed8dcc6fb99' # contains many fixes not yet released -if [[ -n $COMMIT ]]; then - SRC_URI="https://github.com/linux-audit/audit-userspace/archive/${COMMIT}.tar.gz -> ${P}_p${COMMIT:0:12}.tar.gz" - S="${WORKDIR}/audit-userspace-${COMMIT}" -else - SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz" -fi -# -fno-common patch: -SRC_URI+=" https://github.com/linux-audit/audit-userspace/commit/017e6c6ab95df55f34e339d2139def83e5dada1f.patch -> ${PN}-017e6c6ab95df55f34e339d2139def83e5dada1f.patch" - -LICENSE="GPL-2+ LGPL-2.1+" -SLOT="0" -# Flatcar: Build amd64 and arm64 by default. -KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" -# Flatcar: Daemon USE flag for building (or not) auditd and tools. -IUSE="daemon gssapi ldap python static-libs" -# Flatcar: Requiring ldap on audit makes sense only if daemon is set. -REQUIRED_USE="ldap? ( daemon ) - python? ( ${PYTHON_REQUIRED_USE} )" -# Testcases are pretty useless as they are built for RedHat users/groups and kernels. -RESTRICT="test" - -RDEPEND="gssapi? ( virtual/krb5 ) - ldap? ( net-nds/openldap ) - sys-libs/libcap-ng - python? 
( ${PYTHON_DEPS} )" -DEPEND="${RDEPEND} - >=sys-kernel/linux-headers-2.6.34 - python? ( dev-lang/swig:0 )" -# Do not use os-headers as this is linux specific - -CONFIG_CHECK="~AUDIT" - -pkg_setup() { - linux-info_pkg_setup -} - -src_prepare() { - # Do not build GUI tools - sed -i \ - -e '/AC_CONFIG_SUBDIRS.*system-config-audit/d' \ - "${S}"/configure.ac || die - sed -i \ - -e 's,system-config-audit,,g' \ - "${S}"/Makefile.am || die - rm -rf "${S}"/system-config-audit - - # audisp-remote moved in multilib_src_install_all - sed -i \ - -e "s,/sbin/audisp-remote,${EPREFIX}/usr/sbin/audisp-remote," \ - "${S}"/audisp/plugins/remote/au-remote.conf || die - - # Don't build static version of Python module. - eapply "${FILESDIR}"/${PN}-2.4.3-python.patch - - # glibc/kernel upstreams suck with both defining ia64_fpreg - # This patch is a horribly workaround that is only valid as long as you - # don't need the OTHER definitions in fpu.h. - eapply "${FILESDIR}"/${PN}-2.8.4-ia64-compile-fix.patch - - # -fno-common - eapply "${DISTDIR}/${PN}-017e6c6ab95df55f34e339d2139def83e5dada1f.patch" - - eapply_user - - if ! 
use daemon; then - sed -e '/^SUBDIRS =/s/audisp//' \ - -i Makefile.am || die - sed -e '/${DESTDIR}${initdir}/d' \ - -e '/${DESTDIR}${legacydir}/d' \ - -i init.d/Makefile.am || die - sed -e '/^sbin_PROGRAMS =/s/auditd//' \ - -e '/^sbin_PROGRAMS =/s/aureport//' \ - -e '/^sbin_PROGRAMS =/s/ausearch//' \ - -i src/Makefile.am || die - fi - - # Regenerate autotooling - eautoreconf -} - -multilib_src_configure() { - local ECONF_SOURCE=${S} - local my_conf="$(use_enable ldap zos-remote)" - econf \ - ${my_conf} \ - --sbindir="${EPREFIX}/sbin" \ - $(use_enable gssapi gssapi-krb5) \ - $(use_enable static-libs static) \ - --enable-systemd \ - --without-golang \ - --without-python \ - --without-python3 - - if multilib_is_native_abi; then - python_configure() { - mkdir -p "${BUILD_DIR}" || die - cd "${BUILD_DIR}" || die - - econf ${my_conf} --without-python --with-python3 - } - - use python && python_foreach_impl python_configure - fi -} - -src_configure() { - tc-export_build_env BUILD_{CC,CPP} - export CC_FOR_BUILD="${BUILD_CC}" - export CPP_FOR_BUILD="${BUILD_CPP}" - - multilib-minimal_src_configure -} - -multilib_src_compile() { - if multilib_is_native_abi; then - default - - python_compile() { - emake -C "${BUILD_DIR}"/bindings/swig \ - VPATH="${native_build}/lib" \ - LIBS="${native_build}/lib/libaudit.la" \ - _audit_la_LIBADD="${native_build}/lib/libaudit.la" \ - _audit_la_DEPENDENCIES="${S}/lib/libaudit.h ${native_build}/lib/libaudit.la" \ - USE_PYTHON3=true - emake -C "${BUILD_DIR}"/bindings/python/python3 \ - VPATH="${S}/bindings/python/python3:${native_build}/bindings/python/python3" \ - auparse_la_LIBADD="${native_build}/auparse/libauparse.la ${native_build}/lib/libaudit.la" \ - USE_PYTHON3=true - } - - local native_build="${BUILD_DIR}" - use python && python_foreach_impl python_compile - else - emake -C lib - emake -C auparse - fi -} - -multilib_src_install() { - if multilib_is_native_abi; then - emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install - - 
python_install() { - emake -C "${BUILD_DIR}"/bindings/swig \ - VPATH="${native_build}/lib" \ - LIBS="${native_build}/lib/libaudit.la" \ - _audit_la_LIBADD="${native_build}/lib/libaudit.la" \ - _audit_la_DEPENDENCIES="${S}/lib/libaudit.h ${native_build}/lib/libaudit.la" \ - USE_PYTHON3=true \ - DESTDIR="${D}" install - emake -C "${BUILD_DIR}"/bindings/python/python3 \ - VPATH="${S}/bindings/python/python3:${native_build}/bindings/python/python3" \ - auparse_la_LIBADD="${native_build}/auparse/libauparse.la ${native_build}/lib/libaudit.la" \ - USE_PYTHON3=true \ - DESTDIR="${D}" install - } - - local native_build=${BUILD_DIR} - use python && python_foreach_impl python_install - - # things like shadow use this so we need to be in / - gen_usr_ldscript -a audit auparse - else - emake -C lib DESTDIR="${D}" install - emake -C auparse DESTDIR="${D}" install - fi -} - -multilib_src_install_all() { - dodoc AUTHORS ChangeLog README* THANKS - docinto contrib - dodoc contrib/{avc_snap,skeleton.c} - use daemon && docinto contrib/plugin - use daemon && dodoc contrib/plugin/* - docinto rules - dodoc rules/* - - use daemon && newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd - use daemon && newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd - - if use daemon; then - [ -f "${ED}"/sbin/audisp-remote ] && \ - dodir /usr/sbin && \ - mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die - fi - - # Flatcar: We install our own rules. - insinto /usr/share/audit/rules.d - doins "${FILESDIR}"/rules.d/*.rules - - # audit logs go here - use daemon && keepdir /var/log/audit/ - - find "${D}" -name '*.la' -delete || die - - # Flatcar: Our systemd stuff. - systemd_newtmpfilesd "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf - systemd_dounit "${FILESDIR}"/audit-rules.service - systemd_enable_service multi-user.target audit-rules.service -} 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild
new file mode 100644
index 0000000000..515bd1b841
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/audit-3.0.6.ebuild
@@ -0,0 +1,156 @@
+# Copyright 1999-2021 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{8..10} )
+
+inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
+
+DESCRIPTION="Userspace utilities for storing and processing auditing records"
+HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
+SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
+
+LICENSE="GPL-2+ LGPL-2.1+"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="gssapi ldap python static-libs test"
+
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+RESTRICT="!test? ( test )"
+
+RDEPEND="gssapi? ( virtual/krb5 )
+ ldap? ( net-nds/openldap )
+ sys-libs/libcap-ng
+ python? ( ${PYTHON_DEPS} )"
+DEPEND="${RDEPEND}
+ >=sys-kernel/linux-headers-2.6.34
+ test? ( dev-libs/check )"
+BDEPEND="python? ( dev-lang/swig:0 )"
+
+CONFIG_CHECK="~AUDIT"
+
+src_prepare() {
+ # audisp-remote moved in multilib_src_install_all
+ sed -i \
+ -e "s,/sbin/audisp-remote,${EPREFIX}/usr/sbin/audisp-remote," \
+ audisp/plugins/remote/au-remote.conf || die
+
+ # Disable installing sample rules so they can be installed as docs.
+ echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null
+
+ default
+ eautoreconf
+}
+
+multilib_src_configure() {
+ local -a myeconfargs=(
+ --sbindir="${EPREFIX}/sbin"
+ $(use_enable gssapi gssapi-krb5)
+ $(use_enable ldap zos-remote)
+ $(use_enable static-libs static)
+ --enable-systemd
+ --without-golang
+ --without-python
+ --without-python3
+ )
+
+ ECONF_SOURCE=${S} econf "${myeconfargs[@]}"
+
+ if multilib_is_native_abi && use python; then
+ python_configure() {
+ mkdir -p "${BUILD_DIR}"
+ pushd "${BUILD_DIR}" &>/dev/null || die
+ ECONF_SOURCE=${S} econf "${myeconfargs[@]}" --with-python3
+ popd &>/dev/null || die
+ }
+ python_foreach_impl python_configure
+ fi
+}
+
+src_configure() {
+ tc-export_build_env BUILD_{CC,CPP}
+ local -x CC_FOR_BUILD="${BUILD_CC}"
+ local -x CPP_FOR_BUILD="${BUILD_CPP}"
+ multilib-minimal_src_configure
+}
+
+multilib_src_compile() {
+ if multilib_is_native_abi; then
+ default
+
+ local native_build="${BUILD_DIR}"
+ python_compile() {
+ emake -C "${BUILD_DIR}"/bindings/swig top_builddir="${native_build}"
+ emake -C "${BUILD_DIR}"/bindings/python/python3 top_builddir="${native_build}"
+ }
+ use python && python_foreach_impl python_compile
+ else
+ emake -C common
+ emake -C lib
+ emake -C auparse
+ fi
+}
+
+multilib_src_install() {
+ if multilib_is_native_abi; then
+ emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install
+
+ local native_build="${BUILD_DIR}"
+ python_install() {
+ emake -C "${BUILD_DIR}"/bindings/swig DESTDIR="${D}" top_builddir="${native_build}" install
+ emake -C "${BUILD_DIR}"/bindings/python/python3 DESTDIR="${D}" top_builddir="${native_build}" install
+ python_optimize
+ }
+ use python && python_foreach_impl python_install
+
+ # things like shadow use this so we need to be in /
+ gen_usr_ldscript -a audit auparse
+ else
+ emake -C lib DESTDIR="${D}" install
+ emake -C auparse DESTDIR="${D}" install
+ fi
+}
+
+multilib_src_install_all() {
+ dodoc AUTHORS ChangeLog README* THANKS
+ docinto contrib
+ dodoc contrib/avc_snap
+ docinto contrib/plugin
+ dodoc contrib/plugin/*
+ docinto rules
+ dodoc rules/*rules
+
+ newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
+ newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
+
+ [ -f "${ED}"/sbin/audisp-remote ] && \
+ dodir /usr/sbin && \
+ mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
+
+ # Gentoo rules
+ insinto /etc/audit
+ newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
+ doins "${FILESDIR}"/audit.rules.stop*
+
+ # audit logs go here
+ keepdir /var/log/audit
+
+ find "${ED}" -type f -name '*.la' -delete || die
+
+ # Security
+ lockdown_perms "${ED}"
+}
+
+pkg_postinst() {
+ lockdown_perms "${EROOT}"
+}
+
+lockdown_perms() {
+ # Upstream wants these to have restrictive perms.
+ # Should not || die as not all paths may exist.
+ local basedir="${1}"
+ chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
+ chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
+ chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-2.4.3-python.patch b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-2.4.3-python.patch
deleted file mode 100644
index 7b9ea53e09..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-2.4.3-python.patch
+++ /dev/null
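Review bot: Nothing in `multilib_src_install_all` of audit-3.0.6.ebuild installs or enables a systemd unit that loads audit rules any more: the rules go to `/etc/audit/audit.rules` and only the OpenRC `newinitd`/`newconfd` pieces are installed, while the removed ebuild's `systemd_dounit`/`systemd_enable_service` calls for `audit-rules.service` have no replacement here. Unless a later commit or preset enables whatever unit the `initdir="$(systemd_get_systemunitdir)"` install presumably provides, a systemd host may boot with no audit rules loaded. The two `${FILESDIR}` inputs `auditd-init.d-2.4.3` and `auditd-conf.d-2.1.3` are also not among the files this commit adds, and they were previously reached only under the `daemon` flag that the removed README describes as unused, so it is worth confirming they exist before `newinitd` dies on them. I would at least record the intent above the block, e.g. `# Flatcar: boot-time rule loading used to come from audit-rules.service; TODO name the unit that replaces it`.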
@@ -1,46 +0,0 @@ -diff -ur audit-2.4.3.orig/bindings/python/python2/Makefile.am audit-2.4.3/bindings/python/python2/Makefile.am ---- audit-2.4.3.orig/bindings/python/python2/Makefile.am 2015-07-22 23:35:24.315424091 +0800 -+++ audit-2.4.3/bindings/python/python2/Makefile.am 2015-07-22 23:37:16.861510504 +0800 -@@ -29,5 +29,6 @@ - - auparse_la_SOURCES = $(top_srcdir)/bindings/python/auparse_python.c - auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) --auparse_la_LDFLAGS = -module -avoid-version -Wl,-z,relro -+auparse_la_CFLAGS = -shared -+auparse_la_LDFLAGS = -module -avoid-version -shared -Wl,-z,relro - auparse_la_LIBADD = ${top_builddir}/auparse/libauparse.la ${top_builddir}/lib/libaudit.la -diff -ur audit-2.4.3.orig/bindings/python/python3/Makefile.am audit-2.4.3/bindings/python/python3/Makefile.am ---- audit-2.4.3.orig/bindings/python/python3/Makefile.am 2015-07-22 23:35:24.315424091 +0800 -+++ audit-2.4.3/bindings/python/python3/Makefile.am 2015-07-22 23:37:30.395400641 +0800 -@@ -28,5 +28,6 @@ - - auparse_la_SOURCES = $(top_srcdir)/bindings/python/auparse_python.c - auparse_la_CPPFLAGS = -I$(top_srcdir)/auparse $(AM_CPPFLAGS) --auparse_la_LDFLAGS = -module -avoid-version -Wl,-z,relro -+auparse_la_CFLAGS = -shared -+auparse_la_LDFLAGS = -module -avoid-version -shared -Wl,-z,relro - auparse_la_LIBADD = ${top_builddir}/auparse/libauparse.la ${top_builddir}/lib/libaudit.la -diff -ur audit-2.4.3.orig/bindings/swig/python/Makefile.am audit-2.4.3/bindings/swig/python/Makefile.am ---- audit-2.4.3.orig/bindings/swig/python/Makefile.am 2015-07-22 23:35:24.316424083 +0800 -+++ audit-2.4.3/bindings/swig/python/Makefile.am 2015-07-22 23:35:53.244189263 +0800 -@@ -28,7 +28,7 @@ - pyexec_LTLIBRARIES = _audit.la - pyexec_SOLIBRARIES = _audit.so - _audit_la_CFLAGS = -shared --_audit_la_LDFLAGS = -module -avoid-version -Wl,-z,relro -+_audit_la_LDFLAGS = -module -avoid-version -shared -Wl,-z,relro - _audit_la_HEADERS: $(top_builddir)/config.h - _audit_la_DEPENDENCIES 
=${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudit.la - _audit_la_LIBADD = $(top_builddir)/lib/libaudit.la -diff -ur audit-2.4.3.orig/bindings/swig/python3/Makefile.am audit-2.4.3/bindings/swig/python3/Makefile.am ---- audit-2.4.3.orig/bindings/swig/python3/Makefile.am 2015-07-22 23:35:24.316424083 +0800 -+++ audit-2.4.3/bindings/swig/python3/Makefile.am 2015-07-22 23:36:27.833908482 +0800 -@@ -29,7 +29,7 @@ - py3exec_LTLIBRARIES = _audit.la - py3exec_SOLIBRARIES = _audit.so - _audit_la_CFLAGS = -shared --_audit_la_LDFLAGS = -module -avoid-version -Wl,-z,relro -+_audit_la_LDFLAGS = -module -avoid-version -shared -Wl,-z,relro - _audit_la_HEADERS: $(top_builddir)/config.h - _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudit.la - _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-2.8.4-ia64-compile-fix.patch b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-2.8.4-ia64-compile-fix.patch deleted file mode 100644 index ef04f72049..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-2.8.4-ia64-compile-fix.patch +++ /dev/null 
@@ -1,195 +0,0 @@ ---- a/audisp/audispd.c -+++ b/audisp/audispd.c -@@ -21,6 +21,7 @@ - */ - - #include "config.h" -+#include "fixup.h" - #include - #include - #include ---- a/audisp/plugins/prelude/audisp-prelude.c -+++ b/audisp/plugins/prelude/audisp-prelude.c -@@ -21,6 +21,8 @@ - * - */ - -+#include "config.h" -+#include "fixup.h" - #include - #include - #include ---- a/audisp/plugins/remote/audisp-remote.c -+++ b/audisp/plugins/remote/audisp-remote.c -@@ -22,6 +22,7 @@ - */ - - #include "config.h" -+#include "fixup.h" - #include - #include - #include ---- a/configure.ac -+++ b/configure.ac -@@ -216,6 +216,9 @@ AC_ARG_ENABLE(zos-remote, - AM_CONDITIONAL(ENABLE_ZOS_REMOTE, test "x$enable_zos_remote" != "xno") - AC_MSG_RESULT($enable_zos_remote) - -+AC_CHECK_HEADER([asm/ptrace.h], [AC_DEFINE([HAVE_ASM_PTRACE_H],[],[Define to 1 if you have asm/ptrace.h])], []) -+AC_CHECK_HEADER([linux/ptrace.h], [AC_DEFINE([HAVE_LINUX_PTRACE_H],[],[Define to 1 if you have linux/ptrace.h])], []) -+ - #gssapi - AC_ARG_ENABLE(gssapi_krb5, - [AS_HELP_STRING([--enable-gssapi-krb5],[Enable GSSAPI Kerberos 5 support @<:@default=no@:>@])], ---- a/contrib/plugin/audisp-example.c -+++ b/contrib/plugin/audisp-example.c -@@ -37,6 +37,8 @@ - */ - - #define _GNU_SOURCE -+#include "config.h" -+#include "fixup.h" - #include - #include - #include ---- a/contrib/skeleton.c -+++ b/contrib/skeleton.c -@@ -13,6 +13,8 @@ - * gcc skeleton.c -o skeleton -laudit - */ - -+#include "config.h" -+#include "fixup.h" - #include - #include - #include ---- /dev/null -+++ b/lib/fixup.h -@@ -0,0 +1,17 @@ -+#ifndef _AUDIT_IA64_FIXUP_H_ -+#define _AUDIT_IA64_FIXUP_H_ -+ -+#ifdef __ia64__ /* what a pos */ -+# include -+# define _ASM_IA64_FPU_H -+#endif -+#include -+/* -+#ifdef HAVE_ASM_PTRACE_H -+# include -+#endif -+#ifdef HAVE_LINUX_PTRACE_H -+# include -+#endif -+*/ -+#endif ---- a/src/auditctl.c -+++ b/src/auditctl.c -@@ -23,6 +23,7 @@ - */ - - #include "config.h" -+#include "fixup.h" - #include - #include - 
#include ---- a/src/auditd-config.c -+++ b/src/auditd-config.c -@@ -22,6 +22,7 @@ - */ - - #include "config.h" -+#include "fixup.h" - #include - #include - #include ---- a/src/auditd-dispatch.c -+++ b/src/auditd-dispatch.c -@@ -22,6 +22,7 @@ - */ - - #include "config.h" -+#include "fixup.h" - #include - #include - #include ---- a/src/auditd-event.c -+++ b/src/auditd-event.c -@@ -22,6 +22,7 @@ - */ - - #include "config.h" -+#include "fixup.h" - #include - #include - #include ---- a/src/auditd-listen.c -+++ b/src/auditd-listen.c -@@ -23,6 +23,7 @@ - */ - - #include "config.h" -+#include "fixup.h" - #include - #include - #include ---- a/src/auditd-reconfig.c -+++ b/src/auditd-reconfig.c -@@ -22,6 +22,7 @@ - */ - - #include "config.h" -+#include "fixup.h" - #include - #include - #include ---- a/src/auditd-sendmail.c -+++ b/src/auditd-sendmail.c -@@ -22,6 +22,7 @@ - */ - - #include "config.h" -+#include "fixup.h" - #include - #include // for access() - #include ---- a/src/auditd.c -+++ b/src/auditd.c -@@ -22,6 +22,7 @@ - */ - - #include "config.h" -+#include "fixup.h" - #include - #include - #include ---- a/src/ausearch.c -+++ b/src/ausearch.c -@@ -22,6 +22,7 @@ - */ - - #include "config.h" -+#include "fixup.h" - #include - #include - #include ---- a/src/autrace.c -+++ b/src/autrace.c -@@ -21,6 +21,7 @@ - */ - - #include "config.h" -+#include "fixup.h" - #include - #include - #include ---- a/src/delete_all.c -+++ b/src/delete_all.c -@@ -20,6 +20,7 @@ - * Steve Grubb - */ - #include "config.h" -+#include "fixup.h" - #include - #include - #include diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service deleted file mode 100644 index 8c54802fb5..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.service +++ /dev/null 
@@ -1,16 +0,0 @@
-[Unit]
-Description=Load Security Auditing Rules
-DefaultDependencies=no
-After=local-fs.target systemd-tmpfiles-setup.service
-Conflicts=shutdown.target
-Before=sysinit.target shutdown.target
-ConditionSecurity=audit
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/sbin/augenrules --load
-ExecStop=-/sbin/auditctl -D
-
-[Install]
-WantedBy=multi-user.target
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
deleted file mode 100644
index 2c15b63d23..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit-rules.tmpfiles
+++ /dev/null
@@ -1,5 +0,0 @@
-d /etc/audit - - - - -
-d /etc/audit/rules.d - - - - -
-L /etc/audit/rules.d/00-clear.rules - - - - /usr/share/audit/rules.d/00-clear.rules
-L /etc/audit/rules.d/80-selinux.rules - - - - /usr/share/audit/rules.d/80-selinux.rules
-L /etc/audit/rules.d/99-default.rules - - - - /usr/share/audit/rules.d/99-default.rules
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3 b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3
new file mode 100644
index 0000000000..25dbedfd1d
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules-2.1.3
@@ -0,0 +1,25 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded
+# whenever the audit daemon is started via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# First rule - delete all
+# This is to clear out old rules, so we don't append to them.
+-D
+
+# Feel free to add below this line. See auditctl man page
+
+# The following rule would cause all of the syscalls listed to be ignored in logging.
+-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+
+# The following rule would cause the capture of all systems not caught above.
+# -a exit,always -S all
+
+# Increase the buffers to survive stress events
+-b 8192
+
+# vim:ft=conf:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post
new file mode 100644
index 0000000000..29ae197f18
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.post
@@ -0,0 +1,12 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded immediately after the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# Not used for the default Gentoo configuration as of v1.2.3
+# Paranoid security types might wish to reconfigure kauditd here.
+
+# vim:ft=conf:
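Review bot: The two `-a exit,never` lines in audit.rules-2.1.3 are live rules even though the comment above them says they "would" ignore the listed syscalls, and they sit ahead of the place where the file invites local additions. The exit list is matched in order, so a rule or watch appended later that relies on `read`, `write`, `open` or `stat` events will not fire for those syscalls; the suppressions should either move to the end of the file or carry that caveat. The syscall names also look x86-specific: as far as I know aarch64 has no `open`, `stat` or `dup2`, so on arm64 builds `auditctl` may reject the `arch=b64` line when this file is loaded, which is worth testing. A wording such as `# Active: the syscalls below are excluded from auditing; rules for them must be placed above these lines` would make the effect explicit.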
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre
new file mode 100644
index 0000000000..1f34173369
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/audit.rules.stop.pre
@@ -0,0 +1,15 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded immediately before the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# auditd is stopping, don't capture events anymore
+-D
+
+# Disable kernel generating audit events
+-e 0
+
+# vim:ft=conf:
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
deleted file mode 100644
index f43e62771c..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/00-clear.rules
+++ /dev/null
@@ -1,3 +0,0 @@
-# First rule - delete all
-# This is to clear out old rules, so we don't append to them.
--D
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules
deleted file mode 100644
index 627b17db3f..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/80-selinux.rules
+++ /dev/null
@@ -1,4 +0,0 @@
-# Enable all SELinux related events
-# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h)
-
--a exclude,never -F msgtype>=1400 -F msgtype<=1499
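Review bot: audit.rules.stop.pre switches kernel auditing off entirely with `-e 0` after `-D`, and none of the rule files added by this commit contains a matching `-e 1` to switch it back on. If these rules are applied when auditd stops, later audit records are lost altogether, including the ones that would otherwise still reach the journal, which the removed README gives as the reason auditd was not needed. Whether anything on a systemd host consumes this file is not visible here, since its own comment ties it to the initscripts. A header line such as `# NOTE: -e 0 disables all kernel audit events until re-enabled with -e 1; loaded only by the initscript stop path` would state that, if it is accurate for this image.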
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules deleted file mode 100644 index cc373d8406..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/files/rules.d/99-default.rules +++ /dev/null @@ -1,5 +0,0 @@ -# Always report changes to the audit subsystem itself. --a exclude,never -F msgtype=CONFIG_CHANGE - -# Ignore everything else. --a exclude,always -F msgtype>0 diff --git a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/metadata.xml index 411e621a64..3524ab03cd 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-process/audit/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/sys-process/audit/metadata.xml @@ -1,5 +1,5 @@ - + selinux@gentoo.org @@ -10,4 +10,7 @@ Enable GSSAPI support + + linux-audit/audit-userspace +