sys-process/audit: Sync with Gentoo

It's from Gentoo commit b3421946f41290093bd4bfe67fee6ecccab31bcb.

sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest

@@ -1 +1,2 @@
-DIST audit-3.0.6.tar.gz 1190011 BLAKE2B 93a7efad1cbea6771a73222b05aacbabc4ac61d1efb9fc2532607a94804bcac6512d0be2f4d89aa62d94fb85ba5818ffae4bf0a72676e8d549ddbec766e83e9c SHA512 74734e1b1fddea086db9c5dc8c4b7817917fdf17bc7ca4e5b440aae975484d020a17c3f485f6a37b6b150a307d809e50d559d31a8cbd6f1e554933719551bcd1
+DIST audit-3.1.1.tar.gz 1218111 BLAKE2B a804684e438efc5f35b387708b3dc91bf857eeb56624261e0f75543556c436bfe638b792f63289f049c11541b10b2dc0e9f17b22f44b913da0168b1cf20684fc SHA512 4917970cc4c7f786c464a6d101bf66d55d55ac4716cf415ff97177f08176a6301e946716d28cf5b16054538469b3140b97db99d55a28686a9a807eea60c070f3
+DIST audit-3.1.2.tar.gz 1219860 BLAKE2B dfdec470bf12cce6c570b3d260e65e2b49e8ac0761e6a6fbf7b4f4a57f92e88367cd74bfcb88e6d718619b88fea27ce963a977c9f4346c95d18a5310e217accb SHA512 a97003a294ed3671df01e2952688e7d5eef59a35f6891feb53e67c4c7eab9ae8c2d18de41a5b5b20e0ad7156fac93aec05f32f6bc5eea706b42b6f27f676446a

sdk_container/src/third_party/portage-stable/sys-process/audit/README.md

@@ -1,24 +0,0 @@
-This is a fork of gentoo's `sys-process/audit` package. The main
-reasons for having our fork seem to be:
-
-1. We have our own audit rules (see files in `files/rules.d`
-   directory).
-
-  - These seem to be mostly similar to what gentoo provides, but split
-    into several files and they have an additional rule for SELinux
-    events.
-
-  - We also install it in a different place and place symlinks with
-    systemd's tmpfiles functionality.
-
-2. We install a systemd service that loads our rules at startup.
-
-3. We build and install only a subset of binaries in the project.
-   Namely, we skip all the daemon stuff that puts the logs in
-   `/var/log/audit` and some tools that process those logs. Since
-   audit logs are also written to journal, writing them to disk seems
-   redundant, thus auditd and the tools seem to be unnecessary. This
-   also reduces the final image size a bit.
-
-4. Since we do not install the daemon, we don't do the permissions
-   lockdown on some auditd files.

sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.1.ebuild

@@ -1,13 +1,15 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
-# Flatcar: Support python 3.6.
-PYTHON_COMPAT=( python3_{6..11} )
+# As with sys-libs/libcap-ng, same maintainer in Fedora as upstream, so
+# check Fedora's packaging (https://src.fedoraproject.org/rpms/audit/tree/rawhide)
+# on bumps (or if hitting a bug) to see what they've done there.
 
-TMPFILES_OPTIONAL=1
-inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript tmpfiles
+PYTHON_COMPAT=( python3_{9..11} )
+
+inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
 
 DESCRIPTION="Userspace utilities for storing and processing auditing records"
 HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
@@ -15,24 +17,34 @@ SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
 
 LICENSE="GPL-2+ LGPL-2.1+"
 SLOT="0"
-# Flatcar: Build amd64 and arm64 by default.
-KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
-IUSE="gssapi ldap python static-libs test"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="gssapi io-uring ldap python static-libs test"
 
 REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
 RESTRICT="!test? ( test )"
 
-RDEPEND="gssapi? ( virtual/krb5 )
-	ldap? ( net-nds/openldap )
+RDEPEND="
 	sys-libs/libcap-ng
-	python? ( ${PYTHON_DEPS} )"
-DEPEND="${RDEPEND}
+	gssapi? ( virtual/krb5 )
+	ldap? ( net-nds/openldap:= )
+	python? ( ${PYTHON_DEPS} )
+"
+DEPEND="
+	${RDEPEND}
 	>=sys-kernel/linux-headers-2.6.34
-	test? ( dev-libs/check )"
-BDEPEND="python? ( dev-lang/swig:0 )"
+	test? ( dev-libs/check )
+"
+BDEPEND="python? ( dev-lang/swig )"
 
 CONFIG_CHECK="~AUDIT"
 
+PATCHES=(
+	# See bug #836702 before removing / verify builds fine w/ USE=python
+	# with latest kernel headers.
+	"${FILESDIR}"/${PN}-3.0.8-linux-headers-5.17.patch
+	"${FILESDIR}"/${PN}-3.0.8-musl-malloc.patch
+)
+
 src_prepare() {
 	# audisp-remote moved in multilib_src_install_all
 	sed -i \
@@ -40,51 +52,48 @@ src_prepare() {
 		audisp/plugins/remote/au-remote.conf || die
 
 	# Disable installing sample rules so they can be installed as docs.
-	echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null
-
-	# Flatcar: Some legacy stuff is being installed when systemd
-	# is enabled. Drop all the lines that try doing it.
-	sed -e '/${DESTDIR}${initdir}/d' \
-		-e '/${DESTDIR}${legacydir}/d' \
-		-i init.d/Makefile.am || die
-	# Flatcar: Do not build daemon stuff.
-	sed -e '/^sbin_PROGRAMS =/s/aureport//' \
-		-e '/^sbin_PROGRAMS =/s/ausearch//' \
-		-i src/Makefile.am || die
+	echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null || die
 
 	default
 	eautoreconf
 }
 
 multilib_src_configure() {
-	local -a myeconfargs=(
-		--sbindir="${EPREFIX}/sbin"
+	local myeconfargs=(
+		--sbindir="${EPREFIX}"/sbin
 		$(use_enable gssapi gssapi-krb5)
 		$(use_enable ldap zos-remote)
 		$(use_enable static-libs static)
+		$(use_with io-uring io_uring)
 		--enable-systemd
 		--without-golang
+		--without-libwrap
 		--without-python
 		--without-python3
 	)
 
-	ECONF_SOURCE=${S} econf "${myeconfargs[@]}"
+	ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
 
 	if multilib_is_native_abi && use python; then
 		python_configure() {
-			mkdir -p "${BUILD_DIR}"
+			mkdir -p "${BUILD_DIR}" || die
 			pushd "${BUILD_DIR}" &>/dev/null || die
-			ECONF_SOURCE=${S} econf "${myeconfargs[@]}" --with-python3
+
+			ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" --with-python3
+
 			popd &>/dev/null || die
 		}
+
 		python_foreach_impl python_configure
 	fi
 }
 
 src_configure() {
 	tc-export_build_env BUILD_{CC,CPP}
+
 	local -x CC_FOR_BUILD="${BUILD_CC}"
 	local -x CPP_FOR_BUILD="${BUILD_CPP}"
+
 	multilib-minimal_src_configure
 }
 
@@ -93,10 +102,12 @@ multilib_src_compile() {
 		default
 
 		local native_build="${BUILD_DIR}"
+
 		python_compile() {
 			emake -C "${BUILD_DIR}"/bindings/swig top_builddir="${native_build}"
 			emake -C "${BUILD_DIR}"/bindings/python/python3 top_builddir="${native_build}"
 		}
+
 		use python && python_foreach_impl python_compile
 	else
 		emake -C common
@@ -110,14 +121,16 @@ multilib_src_install() {
 		emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install
 
 		local native_build="${BUILD_DIR}"
+
 		python_install() {
 			emake -C "${BUILD_DIR}"/bindings/swig DESTDIR="${D}" top_builddir="${native_build}" install
 			emake -C "${BUILD_DIR}"/bindings/python/python3 DESTDIR="${D}" top_builddir="${native_build}" install
 			python_optimize
 		}
+
 		use python && python_foreach_impl python_install
 
-		# things like shadow use this so we need to be in /
+		# Things like shadow use this so we need to be in /
 		gen_usr_ldscript -a audit auparse
 	else
 		emake -C lib DESTDIR="${D}" install
@@ -129,35 +142,24 @@ multilib_src_install_all() {
 	dodoc AUTHORS ChangeLog README* THANKS
 	docinto contrib
 	dodoc contrib/avc_snap
-	# Flatcar: Do not install any plugin stuff, these are parts of
-	# auditd that we don't build and install anyway.
-	# docinto contrib/plugin
-	# dodoc contrib/plugin/*
+	docinto contrib/plugin
+	dodoc contrib/plugin/*
 	docinto rules
 	dodoc rules/*rules
 
-	# Flatcar: Do not install stuff auditd stuff.
-	# newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
-	# newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
+	newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
+	newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
 
-	# Flatcar: install sample configuration
-	insinto /usr/share/auditd
-	doins "${S}"/init.d/auditd.conf
+	if [[ -f "${ED}"/sbin/audisp-remote ]] ; then
+		dodir /usr/sbin
+		mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
+	fi
 
-
-	# Flatcar: We are not installing audisp too.
-	# [ -f "${ED}"/sbin/audisp-remote ] && \
-	# dodir /usr/sbin && \
-	# mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
-
-	# Flatcar: Do not install gentoo rules.
 	# Gentoo rules
-	# newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
-	# Flatcar: We are installing our own rules.
-	insinto /usr/share/audit/rules.d
-	doins "${FILESDIR}"/rules.d/*.rules
-	# Flatcar: Do not install deamon stuff.
-	# doins "${FILESDIR}"/audit.rules.stop*
+	insinto /etc/audit
+	newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
+	doins "${FILESDIR}"/audit.rules.stop*
+	keepdir /etc/audit/rules.d
 
 	# audit logs go here
 	keepdir /var/log/audit
@@ -166,14 +168,6 @@ multilib_src_install_all() {
 
 	# Security
 	lockdown_perms "${ED}"
-
-	# Flatcar: We add the systemd unit but don't enable it.
-	systemd_dounit init.d/auditd.service
-
-	# Flatcar: Our systemd stuff.
-	newtmpfiles "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf
-	systemd_dounit "${FILESDIR}"/audit-rules.service
-	systemd_enable_service multi-user.target audit-rules.service
 }
 
 pkg_postinst() {
@@ -183,13 +177,8 @@ pkg_postinst() {
 lockdown_perms() {
 	# Upstream wants these to have restrictive perms.
 	# Should not || die as not all paths may exist.
-	# Flatcar: We don't include ausearch and aureport
-	# so they're removed from the hardening list
 	local basedir="${1}"
-	# chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
-	chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,trace} 2>/dev/null
+	chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
 	chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
-	# chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
-	rm -f  "${basedir}"/etc/audit/auditd.conf 2>/dev/null
-	:
+	chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
 }

sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.2.ebuild

@@ -0,0 +1,181 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# As with sys-libs/libcap-ng, same maintainer in Fedora as upstream, so
+# check Fedora's packaging (https://src.fedoraproject.org/rpms/audit/tree/rawhide)
+# on bumps (or if hitting a bug) to see what they've done there.
+
+PYTHON_COMPAT=( python3_{9..11} )
+
+inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
+
+DESCRIPTION="Userspace utilities for storing and processing auditing records"
+HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
+SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
+
+LICENSE="GPL-2+ LGPL-2.1+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="gssapi io-uring ldap python static-libs test"
+
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	sys-libs/libcap-ng
+	gssapi? ( virtual/krb5 )
+	ldap? ( net-nds/openldap:= )
+	python? ( ${PYTHON_DEPS} )
+"
+DEPEND="
+	${RDEPEND}
+	>=sys-kernel/linux-headers-2.6.34
+	test? ( dev-libs/check )
+"
+BDEPEND="python? ( dev-lang/swig )"
+
+CONFIG_CHECK="~AUDIT"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-3.0.8-musl-malloc.patch
+)
+
+src_prepare() {
+	# audisp-remote moved in multilib_src_install_all
+	sed -i \
+		-e "s,/sbin/audisp-remote,${EPREFIX}/usr/sbin/audisp-remote," \
+		audisp/plugins/remote/au-remote.conf || die
+
+	# Disable installing sample rules so they can be installed as docs.
+	echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null || die
+
+	default
+	eautoreconf
+}
+
+multilib_src_configure() {
+	local myeconfargs=(
+		--sbindir="${EPREFIX}"/sbin
+		$(use_enable gssapi gssapi-krb5)
+		$(use_enable ldap zos-remote)
+		$(use_enable static-libs static)
+		$(use_with io-uring io_uring)
+		--enable-systemd
+		--without-golang
+		--without-libwrap
+		--without-python
+		--without-python3
+	)
+
+	ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+
+	if multilib_is_native_abi && use python; then
+		python_configure() {
+			mkdir -p "${BUILD_DIR}" || die
+			pushd "${BUILD_DIR}" &>/dev/null || die
+
+			ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" --with-python3
+
+			popd &>/dev/null || die
+		}
+
+		python_foreach_impl python_configure
+	fi
+}
+
+src_configure() {
+	tc-export_build_env BUILD_{CC,CPP}
+
+	local -x CC_FOR_BUILD="${BUILD_CC}"
+	local -x CPP_FOR_BUILD="${BUILD_CPP}"
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_compile() {
+	if multilib_is_native_abi; then
+		default
+
+		local native_build="${BUILD_DIR}"
+
+		python_compile() {
+			emake -C "${BUILD_DIR}"/bindings/swig top_builddir="${native_build}"
+			emake -C "${BUILD_DIR}"/bindings/python/python3 top_builddir="${native_build}"
+		}
+
+		use python && python_foreach_impl python_compile
+	else
+		emake -C common
+		emake -C lib
+		emake -C auparse
+	fi
+}
+
+multilib_src_install() {
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install
+
+		local native_build="${BUILD_DIR}"
+
+		python_install() {
+			emake -C "${BUILD_DIR}"/bindings/swig DESTDIR="${D}" top_builddir="${native_build}" install
+			emake -C "${BUILD_DIR}"/bindings/python/python3 DESTDIR="${D}" top_builddir="${native_build}" install
+			python_optimize
+		}
+
+		use python && python_foreach_impl python_install
+
+		# Things like shadow use this so we need to be in /
+		gen_usr_ldscript -a audit auparse
+	else
+		emake -C lib DESTDIR="${D}" install
+		emake -C auparse DESTDIR="${D}" install
+	fi
+}
+
+multilib_src_install_all() {
+	dodoc AUTHORS ChangeLog README* THANKS
+	docinto contrib
+	dodoc contrib/avc_snap
+	docinto contrib/plugin
+	dodoc contrib/plugin/*
+	docinto rules
+	dodoc rules/*rules
+
+	newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
+	newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
+
+	if [[ -f "${ED}"/sbin/audisp-remote ]] ; then
+		dodir /usr/sbin
+		mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
+	fi
+
+	# Gentoo rules
+	insinto /etc/audit
+	newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
+	doins "${FILESDIR}"/audit.rules.stop*
+	keepdir /etc/audit/rules.d
+
+	# audit logs go here
+	keepdir /var/log/audit
+
+	find "${ED}" -type f -name '*.la' -delete || die
+
+	# Security
+	lockdown_perms "${ED}"
+}
+
+pkg_postinst() {
+	lockdown_perms "${EROOT}"
+}
+
+lockdown_perms() {
+	# Upstream wants these to have restrictive perms.
+	# Should not || die as not all paths may exist.
+	local basedir="${1}"
+	chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
+	chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
+	chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
+}

sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch

@@ -0,0 +1,41 @@
+Upstream rejected a workaround/fix at https://github.com/linux-audit/audit-userspace/pull/253
+/ https://github.com/linux-audit/audit-userspace/issues/252#issuecomment-1078595249.
+
+Instead, in Fedora (same maintainer as upstream), they're patching the headers then unpatching before install.
+
+Apparently the swig bindings are on their way out but I'm not convinced that's going to be a quick migration given the API will.. surely change?
+
+It's not ideal but let's take the patch slyfox ended up using in nixpkgs anyway.
+
+https://bugs.gentoo.org/836702
+
+From beed138222421a2eb4212d83cb889404bd7efc49 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyich@gmail.com>
+Date: Wed, 23 Mar 2022 07:27:05 +0000
+Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf
+
+As it's a flexible array generated code was never safe to use.
+With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574
+change it's a build failure now:
+
+    audit> audit_wrap.c:5010:15: error: invalid use of flexible array member
+    audit>  5010 |     arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
+    audit>       |               ^
+
+Let's avoid setter generation entirely.
+
+Closes: https://github.com/linux-audit/audit-userspace/issues/252
+--- a/bindings/swig/src/auditswig.i
++++ b/bindings/swig/src/auditswig.i
+@@ -39,6 +39,10 @@ signed
+ #define __attribute(X) /*nothing*/
+ typedef unsigned __u32;
+ typedef unsigned uid_t;
++/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not:
++ * generating setters against them: https://github.com/swig/swig/issues/1699
++ */
++%ignore audit_rule_data::buf;
+ %include "/usr/include/linux/audit.h"
+ #define __extension__ /*nothing*/
+ %include <stdint.i>
+

sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-musl-malloc.patch

@@ -0,0 +1,29 @@
+https://cgit.openembedded.org/meta-openembedded/tree/meta-oe/recipes-security/audit/audit/0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch?id=ad978133a1a10d609bb2545882a2f720a2572f3d
+https://github.com/linux-audit/audit-userspace/pull/311
+https://bugs.gentoo.org/837275
+
+From 79c8d6a2755c9dfa00a5e86378e89a94eef0504d Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Tue, 9 Aug 2022 23:57:03 -0700
+Subject: [PATCH] Replace __attribute_malloc__ with 
+ __attribute__((__malloc__))
+
+__attribute_malloc__ is not available on musl
+
+Fixes
+| ../../git/auparse/auparse.h:54:2: error: expected function body after function declarator
+|         __attribute_malloc__ __attr_dealloc (auparse_destroy, 1);
+|         ^
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+--- a/auparse/auparse.h
++++ b/auparse/auparse.h
+@@ -51,7 +51,7 @@ typedef void (*auparse_callback_ptr)(auparse_state_t *au,
+ void auparse_destroy(auparse_state_t *au);
+ void auparse_destroy_ext(auparse_state_t *au, auparse_destroy_what_t what);
+ auparse_state_t *auparse_init(ausource_t source, const void *b)
+-	__attribute_malloc__ __attr_dealloc (auparse_destroy, 1);
++	__attribute__((__malloc__)) __attr_dealloc (auparse_destroy, 1);
+ int auparse_new_buffer(auparse_state_t *au, const char *data, size_t data_len)
+ 	__attr_access ((__read_only__, 2, 3));
+ int auparse_feed(auparse_state_t *au, const char *data, size_t data_len)

sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.service

@@ -1,16 +0,0 @@
-[Unit]
-Description=Load Security Auditing Rules
-DefaultDependencies=no
-After=local-fs.target systemd-tmpfiles-setup.service
-Conflicts=shutdown.target
-Before=sysinit.target shutdown.target
-ConditionSecurity=audit
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/sbin/augenrules --load
-ExecStop=-/sbin/auditctl -D
-
-[Install]
-WantedBy=multi-user.target

sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.tmpfiles

@@ -1,6 +0,0 @@
-d   /etc/audit                          750   -   -   -   -
-C   /etc/audit/auditd.conf              640  -   -   -   /usr/share/auditd/auditd.conf
-d   /etc/audit/rules.d                  750   -   -   -   -
-L   /etc/audit/rules.d/00-clear.rules   640   -   -   -   /usr/share/audit/rules.d/00-clear.rules
-L   /etc/audit/rules.d/80-selinux.rules 640   -   -   -   /usr/share/audit/rules.d/80-selinux.rules
-L   /etc/audit/rules.d/99-default.rules 640   -   -   -   /usr/share/audit/rules.d/99-default.rules

sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules-2.1.3

@@ -0,0 +1,25 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded
+# whenever the audit daemon is started via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# First rule - delete all
+# This is to clear out old rules, so we don't append to them.
+-D
+
+# Feel free to add below this line. See auditctl man page
+
+# The following rule would cause all of the syscalls listed to be ignored in logging.
+-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+
+# The following rule would cause the capture of all systems not caught above.
+# -a exit,always -S all
+
+# Increase the buffers to survive stress events
+-b 8192
+
+# vim:ft=conf:

sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.post

@@ -0,0 +1,12 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded immediately after the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# Not used for the default Gentoo configuration as of v1.2.3
+# Paranoid security types might wish to reconfigure kauditd here.
+
+# vim:ft=conf:

sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.pre

@@ -0,0 +1,15 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded immediately before the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# auditd is stopping, don't capture events anymore
+-D
+
+# Disable kernel generating audit events
+-e 0
+
+# vim:ft=conf:

sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-conf.d-2.1.3

@@ -0,0 +1,22 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Configuration options for auditd
+# -f for foreground mode
+# There are some other options as well, but you'll have to look in the source
+# code to find them as they aren't ready for use yet.
+EXTRAOPTIONS=''
+
+# Audit rules file to run after starting auditd
+RULEFILE_STARTUP=/etc/audit/audit.rules
+
+# Audit rules file to run before and after stopping auditd
+RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre
+RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post
+
+# If you want to enforce a certain locale for auditd, 
+# uncomment one of the next lines:
+#AUDITD_LANG=none
+AUDITD_LANG=C
+#AUDITD_LANG=en_US
+#AUDITD_LANG=en_US.UTF-8

sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-init.d-2.4.3

@@ -0,0 +1,90 @@
+#!/sbin/openrc-run
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_started_commands='reload reload_auditd reload_rules'
+description='Linux Auditing System'
+description_reload='Reload daemon configuration and rules'
+description_reload_rules='Reload daemon rules'
+description_reload_auditd='Reload daemon configuration'
+
+name='auditd'
+pidfile='/var/run/auditd.pid'
+command='/sbin/auditd'
+
+start_auditd() {
+	# Env handling taken from the upstream init script
+	if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then
+		unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+	else
+		LANG="$AUDITD_LANG"
+		LC_TIME="$AUDITD_LANG"
+		LC_ALL="$AUDITD_LANG"
+		LC_MESSAGES="$AUDITD_LANG"
+		LC_NUMERIC="$AUDITD_LANG"
+		LC_MONETARY="$AUDITD_LANG"
+		LC_COLLATE="$AUDITD_LANG"
+		export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE
+	fi
+	unset HOME MAIL USER USERNAME
+
+	ebegin "Starting ${name}"
+	start-stop-daemon \
+		--start --quiet --pidfile ${pidfile} \
+		--exec ${command} -- ${EXTRAOPTIONS}
+	local ret=$?
+	eend $ret
+	return $ret
+}
+
+stop_auditd() {
+	ebegin "Stopping ${name}"
+	start-stop-daemon --stop --quiet --pidfile ${pidfile}
+	local ret=$?
+	eend $ret
+	return $ret
+}
+
+loadfile() {
+	local rules="$1"
+	if [ -n "${rules}" -a -f "${rules}" ]; then
+		einfo "Loading audit rules from ${rules}"
+		/sbin/auditctl -R "${rules}" >/dev/null
+		return $?
+	else
+		return 0
+	fi
+}
+
+start() {
+	start_auditd
+	local ret=$?
+	if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then
+		loadfile "${RULEFILE_STARTUP}"
+	fi
+	return $ret
+}
+
+reload_rules() {
+	loadfile "${RULEFILE_STARTUP}"
+}
+
+reload_auditd() {
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --signal HUP \
+	    --exec "${command}" --pidfile "${pidfile}"
+	eend $?
+}
+
+reload() {
+	reload_auditd
+	reload_rules
+}
+
+stop() {
+	[ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}"
+	stop_auditd
+	local ret=$?
+	[ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}"
+	return $ret
+}

sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/00-clear.rules

@@ -1,3 +0,0 @@
-# First rule - delete all
-# This is to clear out old rules, so we don't append to them.
--D

sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/80-selinux.rules

@@ -1,4 +0,0 @@
-# Enable all SELinux related events
-# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h)
-
--a exclude,never -F msgtype>=1400 -F msgtype<=1499

sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/99-default.rules

@@ -1,5 +0,0 @@
-# Always report changes to the audit subsystem itself.
--a exclude,never -F msgtype=CONFIG_CHANGE
-
-# Ignore everything else.
--a exclude,always -F msgtype>0

sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml

@@ -9,8 +9,10 @@
 	</maintainer>
 	<use>
 		<flag name="gssapi">Enable GSSAPI support</flag>
+		<flag name="io-uring">Enable support for io-uring. Doesn't need the library but needs at least kernel 5.1.</flag>
 	</use>
 	<upstream>
 		<remote-id type="github">linux-audit/audit-userspace</remote-id>
+		<remote-id type="cpe">cpe:/a:linux:audit</remote-id>
 	</upstream>
 </pkgmetadata>