diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest b/sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest
index 8fde549680..947ffaef62 100644
--- a/sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/Manifest
@@ -1 +1,2 @@
-DIST audit-3.0.6.tar.gz 1190011 BLAKE2B 93a7efad1cbea6771a73222b05aacbabc4ac61d1efb9fc2532607a94804bcac6512d0be2f4d89aa62d94fb85ba5818ffae4bf0a72676e8d549ddbec766e83e9c SHA512 74734e1b1fddea086db9c5dc8c4b7817917fdf17bc7ca4e5b440aae975484d020a17c3f485f6a37b6b150a307d809e50d559d31a8cbd6f1e554933719551bcd1
+DIST audit-3.1.1.tar.gz 1218111 BLAKE2B a804684e438efc5f35b387708b3dc91bf857eeb56624261e0f75543556c436bfe638b792f63289f049c11541b10b2dc0e9f17b22f44b913da0168b1cf20684fc SHA512 4917970cc4c7f786c464a6d101bf66d55d55ac4716cf415ff97177f08176a6301e946716d28cf5b16054538469b3140b97db99d55a28686a9a807eea60c070f3
+DIST audit-3.1.2.tar.gz 1219860 BLAKE2B dfdec470bf12cce6c570b3d260e65e2b49e8ac0761e6a6fbf7b4f4a57f92e88367cd74bfcb88e6d718619b88fea27ce963a977c9f4346c95d18a5310e217accb SHA512 a97003a294ed3671df01e2952688e7d5eef59a35f6891feb53e67c4c7eab9ae8c2d18de41a5b5b20e0ad7156fac93aec05f32f6bc5eea706b42b6f27f676446a
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/README.md b/sdk_container/src/third_party/portage-stable/sys-process/audit/README.md
deleted file mode 100644
index 20ef8bab00..0000000000
--- a/sdk_container/src/third_party/portage-stable/sys-process/audit/README.md
+++ /dev/null
@@ -1,24 +0,0 @@ -This is a fork of gentoo's `sys-process/audit` package. The main -reasons for having our fork seem to be: - -1. We have our own audit rules (see files in `files/rules.d` - directory). - - - These seem to be mostly similar to what gentoo provides, but split - into several files and they have an additional rule for SELinux - events. - - - We also install it in a different place and place symlinks with - systemd's tmpfiles functionality. - -2. We install a systemd service that loads our rules at startup. - -3. We build and install only a subset of binaries in the project. - Namely, we skip all the daemon stuff that puts the logs in - `/var/log/audit` and some tools that process those logs. Since - audit logs are also written to journal, writing them to disk seems - redundant, thus auditd and the tools seem to be unnecessary. This - also reduces the final image size a bit. - -4. Since we do not install the daemon, we don't do the permissions - lockdown on some auditd files. diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.0.6-r1.ebuild b/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.1.ebuild similarity index 51% rename from sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.0.6-r1.ebuild rename to sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.1.ebuild index 846a0db491..ab8e362008 100644 --- a/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.0.6-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.1.ebuild 
@@ -1,13 +1,15 @@ -# Copyright 1999-2021 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 -# Flatcar: Support python 3.6. -PYTHON_COMPAT=( python3_{6..11} ) +# As with sys-libs/libcap-ng, same maintainer in Fedora as upstream, so +# check Fedora's packaging (https://src.fedoraproject.org/rpms/audit/tree/rawhide) +# on bumps (or if hitting a bug) to see what they've done there. -TMPFILES_OPTIONAL=1 -inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript tmpfiles +PYTHON_COMPAT=( python3_{9..11} ) + +inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript DESCRIPTION="Userspace utilities for storing and processing auditing records" HOMEPAGE="https://people.redhat.com/sgrubb/audit/" 
@@ -15,24 +17,34 @@ SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz" LICENSE="GPL-2+ LGPL-2.1+" SLOT="0" -# Flatcar: Build amd64 and arm64 by default. -KEYWORDS="amd64 ~arm arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" -IUSE="gssapi ldap python static-libs test" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~mips ppc ppc64 ~riscv ~s390 sparc x86" +IUSE="gssapi io-uring ldap python static-libs test" REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" RESTRICT="!test? ( test )" -RDEPEND="gssapi? ( virtual/krb5 ) - ldap? ( net-nds/openldap ) +RDEPEND=" sys-libs/libcap-ng - python? ( ${PYTHON_DEPS} )" -DEPEND="${RDEPEND} + gssapi? ( virtual/krb5 ) + ldap? ( net-nds/openldap:= ) + python? ( ${PYTHON_DEPS} ) +" +DEPEND=" + ${RDEPEND} >=sys-kernel/linux-headers-2.6.34 - test? ( dev-libs/check )" -BDEPEND="python? ( dev-lang/swig:0 )" + test? ( dev-libs/check ) +" +BDEPEND="python? ( dev-lang/swig )" CONFIG_CHECK="~AUDIT" +PATCHES=( + # See bug #836702 before removing / verify builds fine w/ USE=python + # with latest kernel headers. + "${FILESDIR}"/${PN}-3.0.8-linux-headers-5.17.patch + "${FILESDIR}"/${PN}-3.0.8-musl-malloc.patch +) + src_prepare() { # audisp-remote moved in multilib_src_install_all sed -i \ 
@@ -40,51 +52,48 @@ src_prepare() { audisp/plugins/remote/au-remote.conf || die # Disable installing sample rules so they can be installed as docs. - echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null - - # Flatcar: Some legacy stuff is being installed when systemd - # is enabled. Drop all the lines that try doing it. - sed -e '/${DESTDIR}${initdir}/d' \ - -e '/${DESTDIR}${legacydir}/d' \ - -i init.d/Makefile.am || die - # Flatcar: Do not build daemon stuff. - sed -e '/^sbin_PROGRAMS =/s/aureport//' \ - -e '/^sbin_PROGRAMS =/s/ausearch//' \ - -i src/Makefile.am || die + echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null || die default eautoreconf } multilib_src_configure() { - local -a myeconfargs=( - --sbindir="${EPREFIX}/sbin" + local myeconfargs=( + --sbindir="${EPREFIX}"/sbin $(use_enable gssapi gssapi-krb5) $(use_enable ldap zos-remote) $(use_enable static-libs static) + $(use_with io-uring io_uring) --enable-systemd --without-golang + --without-libwrap --without-python --without-python3 ) - ECONF_SOURCE=${S} econf "${myeconfargs[@]}" + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" if multilib_is_native_abi && use python; then python_configure() { - mkdir -p "${BUILD_DIR}" + mkdir -p "${BUILD_DIR}" || die pushd "${BUILD_DIR}" &>/dev/null || die - ECONF_SOURCE=${S} econf "${myeconfargs[@]}" --with-python3 + + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" --with-python3 + popd &>/dev/null || die } + python_foreach_impl python_configure fi } src_configure() { tc-export_build_env BUILD_{CC,CPP} + local -x CC_FOR_BUILD="${BUILD_CC}" local -x CPP_FOR_BUILD="${BUILD_CPP}" + multilib-minimal_src_configure } @@ -93,10 +102,12 @@ multilib_src_compile() { default local native_build="${BUILD_DIR}" + python_compile() { emake -C "${BUILD_DIR}"/bindings/swig top_builddir="${native_build}" emake -C "${BUILD_DIR}"/bindings/python/python3 top_builddir="${native_build}" } + use python && python_foreach_impl python_compile else emake -C common 
@@ -110,14 +121,16 @@ multilib_src_install() { emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install local native_build="${BUILD_DIR}" + python_install() { emake -C "${BUILD_DIR}"/bindings/swig DESTDIR="${D}" top_builddir="${native_build}" install emake -C "${BUILD_DIR}"/bindings/python/python3 DESTDIR="${D}" top_builddir="${native_build}" install python_optimize } + use python && python_foreach_impl python_install - # things like shadow use this so we need to be in / + # Things like shadow use this so we need to be in / gen_usr_ldscript -a audit auparse else emake -C lib DESTDIR="${D}" install 
@@ -129,35 +142,24 @@ multilib_src_install_all() { dodoc AUTHORS ChangeLog README* THANKS docinto contrib dodoc contrib/avc_snap - # Flatcar: Do not install any plugin stuff, these are parts of - # auditd that we don't build and install anyway. - # docinto contrib/plugin - # dodoc contrib/plugin/* + docinto contrib/plugin + dodoc contrib/plugin/* docinto rules dodoc rules/*rules - # Flatcar: Do not install stuff auditd stuff. - # newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd - # newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd + newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd + newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd - # Flatcar: install sample configuration - insinto /usr/share/auditd - doins "${S}"/init.d/auditd.conf + if [[ -f "${ED}"/sbin/audisp-remote ]] ; then + dodir /usr/sbin + mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die + fi - - # Flatcar: We are not installing audisp too. - # [ -f "${ED}"/sbin/audisp-remote ] && \ - # dodir /usr/sbin && \ - # mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die - - # Flatcar: Do not install gentoo rules. # Gentoo rules - # newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules - # Flatcar: We are installing our own rules. - insinto /usr/share/audit/rules.d - doins "${FILESDIR}"/rules.d/*.rules - # Flatcar: Do not install deamon stuff. - # doins "${FILESDIR}"/audit.rules.stop* + insinto /etc/audit + newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules + doins "${FILESDIR}"/audit.rules.stop* + keepdir /etc/audit/rules.d # audit logs go here keepdir /var/log/audit @@ -166,14 +168,6 @@ multilib_src_install_all() { # Security lockdown_perms "${ED}" - - # Flatcar: We add the systemd unit but don't enable it. - systemd_dounit init.d/auditd.service - - # Flatcar: Our systemd stuff. - newtmpfiles "${FILESDIR}"/audit-rules.tmpfiles audit-rules.conf - systemd_dounit "${FILESDIR}"/audit-rules.service - systemd_enable_service multi-user.target audit-rules.service } pkg_postinst() { 
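Review bot: After this hunk nothing in the ebuild loads the rules it places in `/etc/audit`: the OpenRC script's `RULEFILE_STARTUP` is the only loader visible in the commit, and the second hunk on this line removes the `audit-rules.service`/tmpfiles wiring that did the loading on a systemd boot. Whether the unit that upstream's `emake install` places under `initdir` runs augenrules is not visible here, so the effective rule set after an update cannot be confirmed from the ebuild alone. A comment above `insinto /etc/audit` would make that dependency explicit: `# Loaded by the OpenRC script (RULEFILE_STARTUP) or the upstream auditd unit; the ebuild only installs the files and pre-creates rules.d.` multilib_src_install_all begins before this hunk.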
@@ -183,13 +177,8 @@ pkg_postinst() { lockdown_perms() { # Upstream wants these to have restrictive perms. # Should not || die as not all paths may exist. - # Flatcar: We don't include ausearch and aureport - # so they're removed from the hardening list local basedir="${1}" - # chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null - chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,trace} 2>/dev/null + chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null chmod 0750 "${basedir}"/var/log/audit 2>/dev/null - # chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null - rm -f "${basedir}"/etc/audit/auditd.conf 2>/dev/null - : + chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null } diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.2.ebuild b/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.2.ebuild new file mode 100644 index 0000000000..d2b9730673 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/audit-3.1.2.ebuild 
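Review bot: `lockdown_perms` now tightens the files under `/etc/audit` but neither the directory itself nor `/etc/audit/rules.d`, which `keepdir` pre-creates earlier in the file with whatever mode the install gives it, and the `d /etc/audit 750` / `d /etc/audit/rules.d 750` tmpfiles entries that used to cover this are deleted in this commit. Since the glob `audit*.rules*` also does not reach files dropped into `rules.d/`, the loaded rule set (which tells a reader what is and is not monitored) can end up world-readable. Keeping the function's best-effort style, `chmod 0750 "${basedir}"/etc/audit "${basedir}"/etc/audit/rules.d 2>/dev/null` and `chmod 0640 "${basedir}"/etc/audit/rules.d/*.rules 2>/dev/null` would close that. The identical function at the end of the new audit-3.1.2.ebuild needs the same change.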
@@ -0,0 +1,181 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# As with sys-libs/libcap-ng, same maintainer in Fedora as upstream, so +# check Fedora's packaging (https://src.fedoraproject.org/rpms/audit/tree/rawhide) +# on bumps (or if hitting a bug) to see what they've done there. + +PYTHON_COMPAT=( python3_{9..11} ) + +inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript + +DESCRIPTION="Userspace utilities for storing and processing auditing records" +HOMEPAGE="https://people.redhat.com/sgrubb/audit/" +SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz" + +LICENSE="GPL-2+ LGPL-2.1+" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +IUSE="gssapi io-uring ldap python static-libs test" + +REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" +RESTRICT="!test? ( test )" + +RDEPEND=" + sys-libs/libcap-ng + gssapi? ( virtual/krb5 ) + ldap? ( net-nds/openldap:= ) + python? ( ${PYTHON_DEPS} ) +" +DEPEND=" + ${RDEPEND} + >=sys-kernel/linux-headers-2.6.34 + test? ( dev-libs/check ) +" +BDEPEND="python? ( dev-lang/swig )" + +CONFIG_CHECK="~AUDIT" + +PATCHES=( + "${FILESDIR}"/${PN}-3.0.8-musl-malloc.patch +) + +src_prepare() { + # audisp-remote moved in multilib_src_install_all + sed -i \ + -e "s,/sbin/audisp-remote,${EPREFIX}/usr/sbin/audisp-remote," \ + audisp/plugins/remote/au-remote.conf || die + + # Disable installing sample rules so they can be installed as docs. 
+ echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null || die + + default + eautoreconf +} + +multilib_src_configure() { + local myeconfargs=( + --sbindir="${EPREFIX}"/sbin + $(use_enable gssapi gssapi-krb5) + $(use_enable ldap zos-remote) + $(use_enable static-libs static) + $(use_with io-uring io_uring) + --enable-systemd + --without-golang + --without-libwrap + --without-python + --without-python3 + ) + + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" + + if multilib_is_native_abi && use python; then + python_configure() { + mkdir -p "${BUILD_DIR}" || die + pushd "${BUILD_DIR}" &>/dev/null || die + + ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" --with-python3 + + popd &>/dev/null || die + } + + python_foreach_impl python_configure + fi +} + +src_configure() { + tc-export_build_env BUILD_{CC,CPP} + + local -x CC_FOR_BUILD="${BUILD_CC}" + local -x CPP_FOR_BUILD="${BUILD_CPP}" + + multilib-minimal_src_configure +} + +multilib_src_compile() { + if multilib_is_native_abi; then + default + + local native_build="${BUILD_DIR}" + + python_compile() { + emake -C "${BUILD_DIR}"/bindings/swig top_builddir="${native_build}" + emake -C "${BUILD_DIR}"/bindings/python/python3 top_builddir="${native_build}" + } + + use python && python_foreach_impl python_compile + else + emake -C common + emake -C lib + emake -C auparse + fi +} + +multilib_src_install() { + if multilib_is_native_abi; then + emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install + + local native_build="${BUILD_DIR}" + + python_install() { + emake -C "${BUILD_DIR}"/bindings/swig DESTDIR="${D}" top_builddir="${native_build}" install + emake -C "${BUILD_DIR}"/bindings/python/python3 DESTDIR="${D}" top_builddir="${native_build}" install + python_optimize + } + + use python && python_foreach_impl python_install + + # Things like shadow use this so we need to be in / + gen_usr_ldscript -a audit auparse + else + emake -C lib DESTDIR="${D}" install + emake -C auparse DESTDIR="${D}" install + fi +} + 
+multilib_src_install_all() { + dodoc AUTHORS ChangeLog README* THANKS + docinto contrib + dodoc contrib/avc_snap + docinto contrib/plugin + dodoc contrib/plugin/* + docinto rules + dodoc rules/*rules + + newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd + newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd + + if [[ -f "${ED}"/sbin/audisp-remote ]] ; then + dodir /usr/sbin + mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die + fi + + # Gentoo rules + insinto /etc/audit + newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules + doins "${FILESDIR}"/audit.rules.stop* + keepdir /etc/audit/rules.d + + # audit logs go here + keepdir /var/log/audit + + find "${ED}" -type f -name '*.la' -delete || die + + # Security + lockdown_perms "${ED}" +} + +pkg_postinst() { + lockdown_perms "${EROOT}" +} + +lockdown_perms() { + # Upstream wants these to have restrictive perms. + # Should not || die as not all paths may exist. + local basedir="${1}" + chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null + chmod 0750 "${basedir}"/var/log/audit 2>/dev/null + chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null +} diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch new file mode 100644 index 0000000000..8d41d83638 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch 
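Review bot: `PATCHES` in this file carries only the musl-malloc patch, while the 3.1.1 ebuild in the same commit keeps the linux-headers-5.17 patch together with a warning to verify USE=python builds before removing it (bug #836702), and nothing here records why 3.1.2 no longer needs it. Presumably upstream 3.1.2 resolved the swig flexible-array problem, but a maintainer hitting a bindings build failure on a later headers bump would have to rediscover that. A one-line note in the array would preserve the context: `# bug #836702: linux-headers-5.17 patch intentionally dropped for 3.1.2; re-check USE=python against current linux-headers on bumps`.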
@@ -0,0 +1,41 @@ +Upstream rejected a workaround/fix at https://github.com/linux-audit/audit-userspace/pull/253 +/ https://github.com/linux-audit/audit-userspace/issues/252#issuecomment-1078595249. + +Instead, in Fedora (same maintainer as upstream), they're patching the headers then unpatching before install. + +Apparently the swig bindings are on their way out but I'm not convinced that's going to be a quick migration given the API will.. surely change? + +It's not ideal but let's take the patch slyfox ended up using in nixpkgs anyway. + +https://bugs.gentoo.org/836702 + +From beed138222421a2eb4212d83cb889404bd7efc49 Mon Sep 17 00:00:00 2001 +From: Sergei Trofimovich +Date: Wed, 23 Mar 2022 07:27:05 +0000 +Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf + +As it's a flexible array generated code was never safe to use. +With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574 +change it's a build failure now: + + audit> audit_wrap.c:5010:15: error: invalid use of flexible array member + audit> 5010 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size)); + audit> | ^ + +Let's avoid setter generation entirely. + +Closes: https://github.com/linux-audit/audit-userspace/issues/252 +--- a/bindings/swig/src/auditswig.i ++++ b/bindings/swig/src/auditswig.i +@@ -39,6 +39,10 @@ signed + #define __attribute(X) /*nothing*/ + typedef unsigned __u32; + typedef unsigned uid_t; ++/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not: ++ * generating setters against them: https://github.com/swig/swig/issues/1699 ++ */ ++%ignore audit_rule_data::buf; + %include "/usr/include/linux/audit.h" + #define __extension__ /*nothing*/ + %include + 
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-musl-malloc.patch b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-musl-malloc.patch new file mode 100644 index 0000000000..7233aabe03 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-3.0.8-musl-malloc.patch @@ -0,0 +1,29 @@ +https://cgit.openembedded.org/meta-openembedded/tree/meta-oe/recipes-security/audit/audit/0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch?id=ad978133a1a10d609bb2545882a2f720a2572f3d +https://github.com/linux-audit/audit-userspace/pull/311 +https://bugs.gentoo.org/837275 + +From 79c8d6a2755c9dfa00a5e86378e89a94eef0504d Mon Sep 17 00:00:00 2001 +From: Khem Raj +Date: Tue, 9 Aug 2022 23:57:03 -0700 +Subject: [PATCH] Replace __attribute_malloc__ with + __attribute__((__malloc__)) + +__attribute_malloc__ is not available on musl + +Fixes +| ../../git/auparse/auparse.h:54:2: error: expected function body after function declarator +| __attribute_malloc__ __attr_dealloc (auparse_destroy, 1); +| ^ + +Signed-off-by: Khem Raj +--- a/auparse/auparse.h ++++ b/auparse/auparse.h +@@ -51,7 +51,7 @@ typedef void (*auparse_callback_ptr)(auparse_state_t *au, + void auparse_destroy(auparse_state_t *au); + void auparse_destroy_ext(auparse_state_t *au, auparse_destroy_what_t what); + auparse_state_t *auparse_init(ausource_t source, const void *b) +- __attribute_malloc__ __attr_dealloc (auparse_destroy, 1); ++ __attribute__((__malloc__)) __attr_dealloc (auparse_destroy, 1); + int auparse_new_buffer(auparse_state_t *au, const char *data, size_t data_len) + __attr_access ((__read_only__, 2, 3)); + int auparse_feed(auparse_state_t *au, const char *data, size_t data_len) 
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.service b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.service deleted file mode 100644 index 8c54802fb5..0000000000 --- a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.service +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=Load Security Auditing Rules -DefaultDependencies=no -After=local-fs.target systemd-tmpfiles-setup.service -Conflicts=shutdown.target -Before=sysinit.target shutdown.target -ConditionSecurity=audit - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/sbin/augenrules --load -ExecStop=-/sbin/auditctl -D - -[Install] -WantedBy=multi-user.target diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.tmpfiles b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.tmpfiles deleted file mode 100644 index b7f9530cca..0000000000 --- a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit-rules.tmpfiles +++ /dev/null @@ -1,6 +0,0 @@ -d /etc/audit 750 - - - - -C /etc/audit/auditd.conf 640 - - - /usr/share/auditd/auditd.conf -d /etc/audit/rules.d 750 - - - - -L /etc/audit/rules.d/00-clear.rules 640 - - - /usr/share/audit/rules.d/00-clear.rules -L /etc/audit/rules.d/80-selinux.rules 640 - - - /usr/share/audit/rules.d/80-selinux.rules -L /etc/audit/rules.d/99-default.rules 640 - - - /usr/share/audit/rules.d/99-default.rules diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules-2.1.3 b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules-2.1.3 new file mode 100644 index 0000000000..25dbedfd1d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules-2.1.3 
@@ -0,0 +1,25 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded
+# whenever the audit daemon is started via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# First rule - delete all
+# This is to clear out old rules, so we don't append to them.
+-D
+
+# Feel free to add below this line. See auditctl man page
+
+# The following rule would cause all of the syscalls listed to be ignored in logging.
+-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
+
+# The following rule would cause the capture of all systems not caught above.
+# -a exit,always -S all
+
+# Increase the buffers to survive stress events
+-b 8192
+
+# vim:ft=conf:
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.post b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.post
new file mode 100644
index 0000000000..29ae197f18
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.post
@@ -0,0 +1,12 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded immediately after the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# Not used for the default Gentoo configuration as of v1.2.3
+# Paranoid security types might wish to reconfigure kauditd here.
+
+# vim:ft=conf:
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.pre b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.pre
new file mode 100644
index 0000000000..1f34173369
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/audit.rules.stop.pre
@@ -0,0 +1,15 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+#
+# This file contains the auditctl rules that are loaded immediately before the
+# audit deamon is stopped via the initscripts.
+# The rules are simply the parameters that would be passed
+# to auditctl.
+
+# auditd is stopping, don't capture events anymore
+-D
+
+# Disable kernel generating audit events
+-e 0
+
+# vim:ft=conf:
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-conf.d-2.1.3 b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-conf.d-2.1.3
new file mode 100644
index 0000000000..c66be166ce
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-conf.d-2.1.3
@@ -0,0 +1,22 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# Configuration options for auditd
+# -f for foreground mode
+# There are some other options as well, but you'll have to look in the source
+# code to find them as they aren't ready for use yet.
+EXTRAOPTIONS=''
+
+# Audit rules file to run after starting auditd
+RULEFILE_STARTUP=/etc/audit/audit.rules
+
+# Audit rules file to run before and after stopping auditd
+RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre
+RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post
+
+# If you want to enforce a certain locale for auditd,
+# uncomment one of the next lines:
+#AUDITD_LANG=none
+AUDITD_LANG=C
+#AUDITD_LANG=en_US
+#AUDITD_LANG=en_US.UTF-8
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-init.d-2.4.3 b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-init.d-2.4.3
new file mode 100644
index 0000000000..c952554df2
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/auditd-init.d-2.4.3
@@ -0,0 +1,90 @@ +#!/sbin/openrc-run +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +extra_started_commands='reload reload_auditd reload_rules' +description='Linux Auditing System' +description_reload='Reload daemon configuration and rules' +description_reload_rules='Reload daemon rules' +description_reload_auditd='Reload daemon configuration' + +name='auditd' +pidfile='/var/run/auditd.pid' +command='/sbin/auditd' + +start_auditd() { + # Env handling taken from the upstream init script + if [ -z "$AUDITD_LANG" -o "$AUDITD_LANG" = "none" -o "$AUDITD_LANG" = "NONE" ]; then + unset LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE + else + LANG="$AUDITD_LANG" + LC_TIME="$AUDITD_LANG" + LC_ALL="$AUDITD_LANG" + LC_MESSAGES="$AUDITD_LANG" + LC_NUMERIC="$AUDITD_LANG" + LC_MONETARY="$AUDITD_LANG" + LC_COLLATE="$AUDITD_LANG" + export LANG LC_TIME LC_ALL LC_MESSAGES LC_NUMERIC LC_MONETARY LC_COLLATE + fi + unset HOME MAIL USER USERNAME + + ebegin "Starting ${name}" + start-stop-daemon \ + --start --quiet --pidfile ${pidfile} \ + --exec ${command} -- ${EXTRAOPTIONS} + local ret=$? + eend $ret + return $ret +} + +stop_auditd() { + ebegin "Stopping ${name}" + start-stop-daemon --stop --quiet --pidfile ${pidfile} + local ret=$? + eend $ret + return $ret +} + +loadfile() { + local rules="$1" + if [ -n "${rules}" -a -f "${rules}" ]; then + einfo "Loading audit rules from ${rules}" + /sbin/auditctl -R "${rules}" >/dev/null + return $? + else + return 0 + fi +} + +start() { + start_auditd + local ret=$? + if [ $ret -eq 0 -a "${RC_CMD}" != "restart" ]; then + loadfile "${RULEFILE_STARTUP}" + fi + return $ret +} + +reload_rules() { + loadfile "${RULEFILE_STARTUP}" +} + +reload_auditd() { + ebegin "Reloading ${SVCNAME}" + start-stop-daemon --signal HUP \ + --exec "${command}" --pidfile "${pidfile}" + eend $? 
+} + +reload() { + reload_auditd + reload_rules +} + +stop() { + [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_PRE}" + stop_auditd + local ret=$? + [ "${RC_CMD}" != "restart" ] && loadfile "${RULEFILE_STOP_POST}" + return $ret +} diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/00-clear.rules b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/00-clear.rules deleted file mode 100644 index f43e62771c..0000000000 --- a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/00-clear.rules +++ /dev/null @@ -1,3 +0,0 @@ -# First rule - delete all -# This is to clear out old rules, so we don't append to them. --D diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/80-selinux.rules b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/80-selinux.rules deleted file mode 100644 index 627b17db3f..0000000000 --- a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/80-selinux.rules +++ /dev/null @@ -1,4 +0,0 @@ -# Enable all SELinux related events -# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h) - --a exclude,never -F msgtype>=1400 -F msgtype<=1499 diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/99-default.rules b/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/99-default.rules deleted file mode 100644 index cc373d8406..0000000000 --- a/sdk_container/src/third_party/portage-stable/sys-process/audit/files/rules.d/99-default.rules +++ /dev/null @@ -1,5 +0,0 @@ -# Always report changes to the audit subsystem itself. --a exclude,never -F msgtype=CONFIG_CHANGE - -# Ignore everything else. --a exclude,always -F msgtype>0 
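Review bot: In `start()` a failing `loadfile "${RULEFILE_STARTUP}"` never reaches the caller: `ret` is taken from `start_auditd` alone, so a rule file that `auditctl -R` rejects leaves the daemon running with an empty rule set while the service reports success, and the message that would explain it is discarded by the `>/dev/null` in `loadfile`. Since a missing file is deliberately tolerated, surfacing the failure without failing the service is the minimal change: `loadfile "${RULEFILE_STARTUP}" || ewarn "Failed to load audit rules from ${RULEFILE_STARTUP}"`. The `[ ... -o ... ]` and `[ ... -a ... ]` forms in `start_auditd`, `loadfile` and `start` are the obsolescent XSI test operators; `[ a ] || [ b ]` / `[ a ] && [ b ]` is the portable spelling. This hunk starts on the previous line.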
diff --git a/sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml b/sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml index 3524ab03cd..79fc6fdac9 100644 --- a/sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml +++ b/sdk_container/src/third_party/portage-stable/sys-process/audit/metadata.xml @@ -9,8 +9,10 @@ Enable GSSAPI support + Enable support for io-uring. Doesn't need the library but needs at least kernel 5.1. linux-audit/audit-userspace + cpe:/a:linux:audit