commit audit for openSUSE:Factory

Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package audit for openSUSE:Factory checked in at 2022-03-31 17:18:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/audit (Old) and /work/SRC/openSUSE:Factory/.audit.new.1900 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "audit" Thu Mar 31 17:18:30 2022 rev:101 rq:965461 version:3.0.6 Changes: -------- --- /work/SRC/openSUSE:Factory/audit/audit-secondary.changes 2021-12-02 02:10:11.367589486 +0100 +++ /work/SRC/openSUSE:Factory/.audit.new.1900/audit-secondary.changes 2022-03-31 17:18:50.553167949 +0200 
@@ -1,0 +2,20 @@ +Sat Mar 26 11:14:19 UTC 2022 - Stephan Kulow <coolo@suse.com> + +- Fix buildrequire for openldap2-devel - audit doesn't require the + (outdated) C++ binding, but the C headers that happen to be pulled + in by buildrequiring the C++ devel package + +------------------------------------------------------------------- +Fri Mar 25 04:56:19 UTC 2022 - Enzo Matsumiya <ematsumiya@suse.com> + +- Fix unhandled ECONNREFUSED with LDAP environments (bsc#1196645) + * add libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch +- Fix hang in audisp-remote with disk_low_action=suspend (bsc#1196517) + * add audisp-remote-fix-hang-with-disk_low_action-suspend-.patch + +------------------------------------------------------------------- +Wed Mar 23 16:37:06 UTC 2022 - Dirk M��ller <dmueller@suse.com> + +- add audit-userspace-517-compat.patch + +------------------------------------------------------------------- New: ---- audisp-remote-fix-hang-with-disk_low_action-suspend-.patch audit-userspace-517-compat.patch libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ audit-secondary.spec ++++++ --- /var/tmp/diff_new_pack.9bG2tN/_old 2022-03-31 17:18:51.401158383 +0200 +++ /var/tmp/diff_new_pack.9bG2tN/_new 2022-03-31 17:18:51.409158293 +0200 @@ -1,7 +1,7 @@ # # spec file for package audit-secondary # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -41,12 +41,15 @@ Patch9: fix-hardened-service.patch Patch10: enable-stop-rules.patch Patch11: create-augenrules-service.patch +Patch12: audit-userspace-517-compat.patch +Patch13: audisp-remote-fix-hang-with-disk_low_action-suspend-.patch +Patch14: libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch BuildRequires: audit-devel = %{version} BuildRequires: autoconf >= 2.12 BuildRequires: gcc-c++ BuildRequires: kernel-headers >= 2.6.30 -BuildRequires: libldapcpp-devel BuildRequires: libtool +BuildRequires: openldap2-devel BuildRequires: pkgconfig %if %{with python2} BuildRequires: python2-devel ++++++ audit.spec ++++++ --- /var/tmp/diff_new_pack.9bG2tN/_old 2022-03-31 17:18:51.433158022 +0200 +++ /var/tmp/diff_new_pack.9bG2tN/_new 2022-03-31 17:18:51.437157977 +0200 @@ -1,7 +1,7 @@ # # spec file for package audit # -# Copyright (c) 2021 SUSE LLC +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++++++ audisp-remote-fix-hang-with-disk_low_action-suspend-.patch ++++++ From b6c474b22f6e76969221138d0d9ec8d97cb217ee Mon Sep 17 00:00:00 2001 From: Enzo Matsumiya <ematsumiya@suse.com> Date: Thu, 24 Mar 2022 23:38:24 -0300 Subject: [PATCH] audisp-remote: fix hang with disk_low_action=suspend (#254) If auditd.conf has disk_low_action=suspend and the partition where the log is triggers the disk_low_action, audisp-remote will hang in infinite loop. Fixes: 10dde069d1ac ("Dont look for stop on exit while draining the queue") Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de> --- audisp/plugins/remote/audisp-remote.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c index b7e610e8ca32..3be91b3d5190 100644 --- a/audisp/plugins/remote/audisp-remote.c +++ b/audisp/plugins/remote/audisp-remote.c 
@@ -619,7 +619,7 @@ int main(int argc, char *argv[]) // If stdin is a pipe, then flush the queue if (is_pipe(0)) { - while (q_queue_length(queue) && transport_ok) + while (q_queue_length(queue) && !suspend && transport_ok) send_one(queue); } -- 2.35.1 ++++++ audit-userspace-517-compat.patch ++++++ From: Sergei Trofimovich <slyich@gmail.com> Date: Wed, 23 Mar 2022 07:27:05 +0000 Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf References: https://github.com/linux-audit/audit-userspace/issues/252 Git-commit: https://github.com/linux-audit/audit-userspace/pull/253/commits/beed13822242... Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git] Patch-mainline: submitted for review upstream As it's a flexible array generated code was never safe to use. With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... change it's a build failure now: audit> audit_wrap.c:5010:15: error: invalid use of flexible array member audit> 5010 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size)); audit> | ^ Let's avoid setter generation entirely. Closes: https://github.com/linux-audit/audit-userspace/issues/252 --- bindings/swig/src/auditswig.i | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i index 21aafca31..9a2c5661d 100644 --- a/bindings/swig/src/auditswig.i +++ b/bindings/swig/src/auditswig.i @@ -39,6 +39,10 @@ signed #define __attribute(X) /*nothing*/ typedef unsigned __u32; typedef unsigned uid_t; +/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not: + * generating setters against them: https://github.com/swig/swig/issues/1699 + */ +%ignore audit_rule_data::buf; %include "/usr/include/linux/audit.h" #define __extension__ /*nothing*/ %include <stdint.i> ++++++ libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch ++++++ 
From 614edbe52180698c5b447ff4c3e7031ff0721683 Mon Sep 17 00:00:00 2001 From: Enzo Matsumiya <ematsumiya@suse.com> Date: Thu, 24 Mar 2022 23:36:53 -0300 Subject: [PATCH] libaudit: fix unhandled ECONNREFUSED from getpwnam() (#255) From: Luis Galdos <luis.galdos@suse.com> In some very specific scenarios with LDAP + network issues, getpwnam() and getgrnam() might return ECONNREFUSED. Up in the call chain to audit_name_to_uid()/audit_name_to_gid(), ECONNREFUSED will be handled as kernel auditd is not running, showing "The audit system is disabled" and stopping parsing rules. This patch manually sets errno to ENOENT after those affected calls, in case they fail, so rule parsing can continue cleanly. Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de> --- lib/libaudit.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/lib/libaudit.c b/lib/libaudit.c index 54e276156ef0..41303c244aee 100644 --- a/lib/libaudit.c +++ b/lib/libaudit.c @@ -1830,9 +1830,17 @@ static int audit_name_to_uid(const char *name, uid_t *uid) { struct passwd *pw; + errno = 0; pw = getpwnam(name); - if (pw == NULL) + if (pw == NULL) { + /* getpwnam() might return ECONNREFUSED in some very + * specific cases when using LDAP. + * Manually set it to ENOENT so callers don't get confused + * with netlink's ECONNREFUSED */ + if (errno == ECONNREFUSED) + errno = ENOENT; return 1; + } memset(pw->pw_passwd, ' ', strlen(pw->pw_passwd)); *uid = pw->pw_uid; @@ -1843,9 +1851,14 @@ static int audit_name_to_gid(const char *name, gid_t *gid) { struct group *gr; + errno = 0; gr = getgrnam(name); - if (gr == NULL) + if (gr == NULL) { + /* See above for explanation. */ + if (errno == ECONNREFUSED) + errno = ENOENT; return 1; + } *gid = gr->gr_gid; return 0; -- 2.35.1
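Review bot: In the audit-secondary.spec hunk at @@ -41,12 +41,15 @@, Patch12 through Patch14 are declared but the diff shows no change to %prep. If the spec applies patches with individual %patch lines rather than %autosetup or %autopatch, the three new patches are carried in the source package without being applied. Confirm which mechanism %prep uses, and add the matching %patch12, %patch13 and %patch14 lines if it is the former.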
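Review bot: The audit.spec hunk changes only the copyright year, yet libaudit-fix-unhandled-ECONNREFUSED-from-getpwnam-25.patch modifies lib/libaudit.c and is listed only as Patch14 in audit-secondary.spec, which itself has "BuildRequires: audit-devel = %{version}". If the shared libaudit is built from audit.spec, the ECONNREFUSED fix never reaches the library that rule-loading tools link against. Check which spec produces libaudit and add the patch there as well if needed.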
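Review bot: In audisp-remote.c at @@ -619,7 +619,7 @@, the drain loop now exits as soon as suspend is set, so any events still in the queue at that point are left unsent, and nothing in the hunk records that. The comment above it, "If stdin is a pipe, then flush the queue", no longer describes the behaviour. Suggest updating the comment to say the flush stops on suspend, and logging q_queue_length(queue) after the loop when it is non-zero, so an operator can tell that audit records were not forwarded to the remote collector.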
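Review bot: In auditswig.i at @@ -39,6 +39,10 @@, the added comment says the directive avoids "generating setters", but "%ignore audit_rule_data::buf;" hides the member from the wrapper entirely, getter included. Say so in the comment so binding users know buf is no longer reachable at all. The comment also has a stray colon in "by not:" that should be dropped. In the patch header, the "Git-repo: [if different from ...]" template placeholder was left unfilled and can be removed.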
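Review bot: In lib/libaudit.c at @@ -1830,9 +1830,17 @@ (audit_name_to_uid), rewriting ECONNREFUSED to ENOENT discards the only signal that the lookup failed because the directory was unreachable rather than because the user does not exist. Rule parsing then continues, per the commit message, and a rule naming a valid LDAP user can be skipped with nothing to distinguish it from a typo. Suggest emitting a warning with the name and the original errno before the "errno = ENOENT;" assignment, so a gap in audit coverage caused by a transient LDAP failure is visible in the logs.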
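Review bot: In lib/libaudit.c at @@ -1843,9 +1851,14 @@ (audit_name_to_gid), the errno reset and ECONNREFUSED remap are copied from audit_name_to_uid, with only "See above for explanation." as documentation. Two copies of the same workaround can drift apart, and the comment depends on the functions staying adjacent. Suggest a small static helper that performs the remap (and any logging) and calling it from both NULL branches, with the explanation kept on the helper.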