diff -Nru audit-3.0.9/aclocal.m4 audit-3.1.1/aclocal.m4 --- audit-3.0.9/aclocal.m4 2022-08-29 21:23:16.000000000 +0000 +++ audit-3.1.1/aclocal.m4 2023-04-27 17:26:59.000000000 +0000 @@ -732,35 +732,6 @@ fi ]) -# -*- Autoconf -*- -# Obsolete and "removed" macros, that must however still report explicit -# error messages when used, to smooth transition. -# -# Copyright (C) 1996-2021 Free Software Foundation, Inc. -# -# This file is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -AC_DEFUN([AM_CONFIG_HEADER], -[AC_DIAGNOSE([obsolete], -['$0': this macro is obsolete. -You should use the 'AC][_CONFIG_HEADERS' macro instead.])dnl -AC_CONFIG_HEADERS($@)]) - -AC_DEFUN([AM_PROG_CC_STDC], -[AC_PROG_CC -am_cv_prog_cc_stdc=$ac_cv_prog_cc_stdc -AC_DIAGNOSE([obsolete], -['$0': this macro is obsolete. -You should simply use the 'AC][_PROG_CC' macro instead. -Also, your code should no longer depend upon 'am_cv_prog_cc_stdc', -but upon 'ac_cv_prog_cc_stdc'.])]) - -AC_DEFUN([AM_C_PROTOTYPES], - [AC_FATAL([automatic de-ANSI-fication support has been removed])]) -AU_DEFUN([fp_C_PROTOTYPES], [AM_C_PROTOTYPES]) - # Helper functions for option handling. -*- Autoconf -*- # Copyright (C) 2001-2021 Free Software Foundation, Inc. diff -Nru audit-3.0.9/audisp/audispd-builtins.c audit-3.1.1/audisp/audispd-builtins.c --- audit-3.0.9/audisp/audispd-builtins.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/audispd-builtins.c 1970-01-01 00:00:00.000000000 +0000 
@@ -1,293 +0,0 @@ -/* -* audispd-builtins.c - some common builtin plugins -* Copyright (c) 2007,2010,2013,2018 Red Hat Inc., Durham, North Carolina. -* All Rights Reserved. -* -* This software may be freely redistributed and/or modified under the -* terms of the GNU General Public License as published by the Free -* Software Foundation; either version 2, or (at your option) any -* later version. -* -* This program is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -* GNU General Public License for more details. -* -* You should have received a copy of the GNU General Public License -* along with this program; see the file COPYING. If not, write to the -* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor -* Boston, MA 02110-1335, USA. -* -* Authors: -* Steve Grubb -*/ - -#include "config.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include // writev -#include -#include -#include "ev.h" -#include "audispd-pconfig.h" -#include "audispd-builtins.h" - -// Global data -extern struct ev_loop *loop; - -// Local data -static volatile int sock = -1, conn = -1; -static char *path = NULL; -static struct ev_io af_unix_watcher; - -// Local prototypes -static void init_af_unix(const plugin_conf_t *conf); - - -void start_builtin(plugin_conf_t *conf) -{ - if (strcasecmp("builtin_af_unix", conf->path) == 0) { - conf->type = S_AF_UNIX; - init_af_unix(conf); - } else - syslog(LOG_ERR, "Unknown builtin %s", conf->path); -} - -void stop_builtin(plugin_conf_t *conf) -{ - if (conf->type == S_AF_UNIX) - destroy_af_unix(); - else - syslog(LOG_ERR, "Unknown builtin %s", conf->path); -} - -static int watching = 0; -static void stop_watching(void) -{ - if (watching) { - ev_io_stop(loop, &af_unix_watcher); - watching = 0; - } -} - -static void af_unix_accept(struct ev_loop *l, struct ev_io *_io, int 
revents) -{ - int cmd; - - do { - conn = accept(_io->fd, NULL, NULL); - } while (conn < 0 && errno == EINTR); - - // De-register since this is intended to be one listener - if (conn >= 0) - stop_watching(); - cmd = fcntl(conn, F_GETFD); - fcntl(conn, F_SETFD, cmd|FD_CLOEXEC); -} - -static void start_watching(void) -{ - ev_io_init(&af_unix_watcher, af_unix_accept, sock, EV_READ); - ev_io_start(loop, &af_unix_watcher); - watching = 1; -} - -static int create_af_unix_socket(const char *spath, int mode) -{ - struct sockaddr_un addr; - socklen_t len; - int rc, cmd; - - sock = socket(PF_UNIX, SOCK_STREAM, 0); - if (sock < 0) { - syslog(LOG_ERR, "Couldn't open af_unix socket (%s)", - strerror(errno)); - return -1; - } - memset(&addr, 0, sizeof(addr)); - addr.sun_family = AF_UNIX; - snprintf(&addr.sun_path[0], 108, "%.107s", spath); - len = sizeof(addr); - rc = bind(sock, (const struct sockaddr *)&addr, len); - if (rc < 0) { - syslog(LOG_ERR, "Couldn't bind af_unix socket (%s)", - strerror(errno)); - destroy_af_unix(); - return -1; - } - if (mode != -1) { - rc = chmod(spath, mode); - if (rc < 0) { - syslog(LOG_ERR, "Couldn't chmod %s to %04o (%s)", - spath, mode, strerror(errno)); - destroy_af_unix(); - return -1; - } - } - - // Put socket in nonblock mode - cmd = fcntl(sock, F_GETFL); - fcntl(sock, F_SETFL, cmd|FNDELAY); - - // don't leak the descriptor - cmd = fcntl(sock, F_GETFD); - fcntl(sock, F_SETFD, cmd|FD_CLOEXEC); - - // Make socket listening...won't block - (void)listen(sock, 5); - - // Register socket with libev - start_watching(); - return 0; -} - -static void init_af_unix(const plugin_conf_t *conf) -{ - int i = 1, mode = -1; - char *base = NULL; - - // while args - while (conf->args[i]) { - int rc, bad = 0; - - // is all nums - do mode - base = conf->args[i]; - while (*base) { - if (!isdigit(*base)) { - bad = 1; - break; - } - base++; - } - if (!bad) { - errno = 0; - mode = strtoul(conf->args[i], NULL, 8); - if (errno) { - syslog(LOG_ERR, "Error converting %s 
(%s)", - conf->args[i], strerror(errno)); - mode = -1; - bad = 1; - } else if (path) { - rc = chmod(path, mode); - if (rc < 0) { - syslog(LOG_ERR, - "Couldn't chmod %s to %04o (%s)", - conf->args[i], mode, - strerror(errno)); - destroy_af_unix(); - return; - } - } - } else { - // else check for '/' - base = strchr(conf->args[i], '/'); - if (base) { - // get dirname - DIR *d; - char *dir = strdup(conf->args[i]); - base = dirname(dir); - d = opendir(base); - if (d) { - closedir(d); - unlink(conf->args[i]); - if (create_af_unix_socket( - conf->args[i], mode)<0) { - free(dir); - return; - } - path = strdup(conf->args[i]); - bad = 0; - } else - syslog(LOG_ERR, "Couldn't open %s (%s)", - base, strerror(errno)); - free(dir); - } else - syslog(LOG_ERR, "Malformed path %s", - conf->args[i]); - } - if (bad) { - destroy_af_unix(); - return; - } - i++; - } - syslog(LOG_INFO, "af_unix plugin initialized"); -} - -void send_af_unix_string(const char *s, unsigned int len) -{ - if (sock < 0) - return; - - if (conn >= 0) { - int rc; - do { - rc = write(conn, s, len); - } while (rc < 0 && errno == EINTR); - if (rc < 0 && errno == EPIPE) { - close(conn); - conn = -1; - stop_watching(); - start_watching(); - } - } -} - -void send_af_unix_binary(event_t *e) -{ - if (sock < 0) - return; - - if (conn >= 0) { - int rc; - struct iovec vec[2]; - - vec[0].iov_base = &e->hdr; - vec[0].iov_len = sizeof(struct audit_dispatcher_header); - vec[1].iov_base = e->data; - vec[1].iov_len = MAX_AUDIT_MESSAGE_LENGTH; - do { - rc = writev(conn, vec, 2); - } while (rc < 0 && errno == EINTR); - if (rc < 0 && errno == EPIPE) { - close(conn); - conn = -1; - stop_watching(); - start_watching(); - } - } -} - -void destroy_af_unix(void) -{ - int did_something = 0; - if (conn >= 0) { - close(conn); - conn = -1; - did_something = 1; - } - stop_watching(); - if (sock >= 0) { - - close(sock); - sock = -1; - did_something = 1; - - } - if (path) { - unlink(path); - free(path); - path = NULL; - did_something = 1; - } - 
if (did_something) - syslog(LOG_INFO, "af_unix plugin terminated"); -} - diff -Nru audit-3.0.9/audisp/audispd-builtins.h audit-3.1.1/audisp/audispd-builtins.h --- audit-3.0.9/audisp/audispd-builtins.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/audispd-builtins.h 1970-01-01 00:00:00.000000000 +0000 @@ -1,41 +0,0 @@ -/* -* audispd-builtins.h - Interface to builtin plugins -* Copyright (c) 2007,2013,2018,2022 Red Hat Inc. -* All Rights Reserved. -* -* This software may be freely redistributed and/or modified under the -* terms of the GNU General Public License as published by the Free -* Software Foundation; either version 2, or (at your option) any -* later version. -* -* This program is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -* GNU General Public License for more details. -* -* You should have received a copy of the GNU General Public License -* along with this program; see the file COPYING. If not, write to the - * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor - * Boston, MA 02110-1335, USA. -* -* Authors: -* Steve Grubb -*/ - -#ifndef AUDISPD_BUILTINS_HEADER -#define AUDISPD_BUILTINS_HEADER - -#include "queue.h" -#ifndef __attr_access -# define __attr_access(x) -#endif - -void start_builtin(plugin_conf_t *conf); -void stop_builtin(plugin_conf_t *conf); -void send_af_unix_string(const char *s, unsigned int len) - __attr_access ((__read_only__, 1, 2)); -void send_af_unix_binary(event_t *e); -void destroy_af_unix(void); - -#endif - diff -Nru audit-3.0.9/audisp/audispd.c audit-3.1.1/audisp/audispd.c --- audit-3.0.9/audisp/audispd.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/audispd.c 2023-04-27 17:26:56.000000000 +0000 
@@ -1,11 +1,11 @@ /* audispd.c -- - * Copyright 2007-08,2013,2016-18 Red Hat Inc. + * Copyright 2007-08,2013,2016-23 Red Hat Inc. * All Rights Reserved. * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2, or (at your option) any + * later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of @@ -13,8 +13,9 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * along with this program; see the file COPYING. If not, write to the + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. * * Authors: * Steve Grubb @@ -40,7 +41,6 @@ #include "audispd-pconfig.h" #include "audispd-config.h" #include "audispd-llist.h" -#include "audispd-builtins.h" #include "queue.h" #include "libaudit.h" #include "private.h" @@ -137,9 +137,7 @@ if (conf->p->restart_cnt > daemon_config.max_restarts) return 1; - if (conf->p->type == S_BUILTIN) - start_builtin(conf->p); - else if (conf->p->type == S_ALWAYS) { + if (conf->p->type == S_ALWAYS) { if (safe_exec(conf->p)) { audit_msg(LOG_ERR, "Error running %s (%s) continuing without it", @@ -288,8 +286,7 @@ if (tpconf->p->pid) kill(tpconf->p->pid, SIGTERM); close(tpconf->p->plug_pipe[1]); - } else - stop_builtin(tpconf->p); + } tpconf->p->plug_pipe[1] = -1; tpconf->p->pid = 0; tpconf->p->checked = 1; 
@@ -379,9 +376,6 @@ /* Tell plugins we are going down */ signal_plugins(SIGTERM); - /* Cleanup builtin plugins */ - destroy_af_unix(); - /* Release configs */ plist_first(&plugin_conf); conf = plist_get_cur(&plugin_conf); @@ -537,13 +531,8 @@ if (conf->p->active == A_NO || stop) continue; - /* Now send the event to the right child */ - if (conf->p->type == S_AF_UNIX) { - if (conf->p->format == F_STRING) - send_af_unix_string(v, len); - else - send_af_unix_binary(e); - } else if (conf->p->type == S_ALWAYS && !stop) { + /* Now send the event to the child */ + if (conf->p->type == S_ALWAYS && !stop) { int rc; rc = write_to_plugin(e, v, len, conf); if (rc < 0 && errno == EPIPE) { diff -Nru audit-3.0.9/audisp/audispd-pconfig.c audit-3.1.1/audisp/audispd-pconfig.c --- audit-3.0.9/audisp/audispd-pconfig.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/audispd-pconfig.c 2023-04-27 17:26:56.000000000 +0000 @@ -1,11 +1,11 @@ /* audispd-pconfig.c -- - * Copyright 2007,2010,2015,2021 Red Hat Inc. + * Copyright 2007,2010,2015,2021-23 Red Hat Inc. * All Rights Reserved. * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2, or (at your option) any + * later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of 
@@ -13,8 +13,9 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * along with this program; see the file COPYING. If not, write to the + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. * * Authors: * Steve Grubb @@ -378,6 +379,7 @@ return 1; } +static const char *BUILTIN_PATH="/sbin/audisp-af_unix"; static int path_parser(struct nv_pair *nv, int line, plugin_conf_t *config) { @@ -389,7 +391,10 @@ } if (strncasecmp(nv->value, "builtin_", 8) == 0) { - config->path = strdup(nv->value); + audit_msg(LOG_WARNING, + "Option %s line %d is obsolete - using %s", + nv->value, line, BUILTIN_PATH); + config->path = strdup(BUILTIN_PATH); return 0; } @@ -421,6 +426,11 @@ for (i=0; service_type[i].name != NULL; i++) { if (strcasecmp(nv->value, service_type[i].name) == 0) { config->type = service_type[i].option; + if (config->type == S_BUILTIN) { + audit_msg(LOG_WARNING, + "Option %s line %d is obsolete - update it", nv->value, line); + config->type = S_ALWAYS; + } return 0; } } diff -Nru audit-3.0.9/audisp/audispd-pconfig.h audit-3.1.1/audisp/audispd-pconfig.h --- audit-3.0.9/audisp/audispd-pconfig.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/audispd-pconfig.h 2023-04-27 17:26:56.000000000 +0000 
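Review bot: In `path_parser`, the `strncasecmp(nv->value, "builtin_", 8)` branch now maps every value with that prefix to the af_unix helper, so a typo or an unknown builtin name silently starts `audisp-af_unix` where 3.0.9 logged "Unknown builtin". Matching only the supported name, `if (strcasecmp(nv->value, "builtin_af_unix") == 0) {`, keeps the rewrite limited to the case it is meant for. `BUILTIN_PATH` is also hard-coded to `/sbin/audisp-af_unix`, while the new plugin Makefile.am installs through `sbin_PROGRAMS`, so a build with a different sbindir or prefix points at a file that is not there; the path would be safer derived from the configured sbindir. The branch returns before the rest of `path_parser`, which lies outside the hunk, so whatever checks follow for ordinary plugin paths presumably do not run on this one; that is worth confirming, since the dispatcher passes the result to `safe_exec`.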
@@ -1,11 +1,11 @@ -/* audispd-pconfig.h -- - * Copyright 2007,2013 Red Hat Inc., Durham, North Carolina. +/* audispd-pconfig.h -- + * Copyright 2007,2013,2023 Red Hat Inc. * All Rights Reserved. * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2, or (at your option) any + * later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of @@ -13,12 +13,12 @@ * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * along with this program; see the file COPYING. If not, write to the + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. * * Authors: * Steve Grubb - * */ #ifndef AUDISPD_PCONFIG_H @@ -30,7 +30,7 @@ typedef enum { A_NO, A_YES } active_t; typedef enum { D_UNSET, D_IN, D_OUT } direction_t; -typedef enum { S_ALWAYS, S_BUILTIN, S_AF_UNIX } service_t; +typedef enum { S_ALWAYS, S_BUILTIN } service_t; typedef enum { F_BINARY, F_STRING } format_t; typedef struct plugin_conf diff -Nru audit-3.0.9/audisp/Makefile.am audit-3.1.1/audisp/Makefile.am --- audit-3.0.9/audisp/Makefile.am 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/Makefile.am 2023-04-27 17:26:56.000000000 +0000 
@@ -1,5 +1,5 @@ # Makefile.am-- -# Copyright 2007,2011,2015-16,2018 Red Hat Inc., Durham, North Carolina. +# Copyright 2007,2011,2015-23 Red Hat Inc. # All Rights Reserved. # # This program is free software; you can redistribute it and/or modify @@ -28,9 +28,9 @@ LDADD = -lpthread noinst_HEADERS = audispd-pconfig.h audispd-llist.h audispd-config.h \ - queue.h audispd-builtins.h libdisp.h + queue.h libdisp.h libdisp_la_SOURCES = audispd.c audispd-pconfig.c queue.c \ - audispd-llist.c audispd-builtins.c + audispd-llist.c libdisp_la_CFLAGS = -fno-strict-aliasing ${WFLAGS} libdisp_la_LDFLAGS = -no-undefined -static noinst_LTLIBRARIES = libdisp.la diff -Nru audit-3.0.9/audisp/Makefile.in audit-3.1.1/audisp/Makefile.in --- audit-3.0.9/audisp/Makefile.in 2022-08-29 21:23:16.000000000 +0000 +++ audit-3.1.1/audisp/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -15,7 +15,7 @@ @SET_MAKE@ # Makefile.am-- -# Copyright 2007,2011,2015-16,2018 Red Hat Inc., Durham, North Carolina. +# Copyright 2007,2011,2015-23 Red Hat Inc. # All Rights Reserved. # # This program is free software; you can redistribute it and/or modify @@ -131,7 +131,7 @@ libdisp_la_LIBADD = am_libdisp_la_OBJECTS = libdisp_la-audispd.lo \ libdisp_la-audispd-pconfig.lo libdisp_la-queue.lo \ - libdisp_la-audispd-llist.lo libdisp_la-audispd-builtins.lo + libdisp_la-audispd-llist.lo libdisp_la_OBJECTS = $(am_libdisp_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) @@ -155,8 +155,7 @@ DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__maybe_remake_depfiles = depfiles -am__depfiles_remade = ./$(DEPDIR)/libdisp_la-audispd-builtins.Plo \ - ./$(DEPDIR)/libdisp_la-audispd-llist.Plo \ +am__depfiles_remade = ./$(DEPDIR)/libdisp_la-audispd-llist.Plo \ ./$(DEPDIR)/libdisp_la-audispd-pconfig.Plo \ ./$(DEPDIR)/libdisp_la-audispd.Plo \ ./$(DEPDIR)/libdisp_la-queue.Plo 
@@ -259,6 +258,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -339,6 +339,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ @@ -413,10 +414,10 @@ AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/src -I${top_srcdir}/src/libev LDADD = -lpthread noinst_HEADERS = audispd-pconfig.h audispd-llist.h audispd-config.h \ - queue.h audispd-builtins.h libdisp.h + queue.h libdisp.h libdisp_la_SOURCES = audispd.c audispd-pconfig.c queue.c \ - audispd-llist.c audispd-builtins.c + audispd-llist.c libdisp_la_CFLAGS = -fno-strict-aliasing ${WFLAGS} libdisp_la_LDFLAGS = -no-undefined -static @@ -475,7 +476,6 @@ distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_la-audispd-builtins.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_la-audispd-llist.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_la-audispd-pconfig.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libdisp_la-audispd.Plo@am__quote@ # am--include-marker 
@@ -536,13 +536,6 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_la_CFLAGS) $(CFLAGS) -c -o libdisp_la-audispd-llist.lo `test -f 'audispd-llist.c' || echo '$(srcdir)/'`audispd-llist.c -libdisp_la-audispd-builtins.lo: audispd-builtins.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_la_CFLAGS) $(CFLAGS) -MT libdisp_la-audispd-builtins.lo -MD -MP -MF $(DEPDIR)/libdisp_la-audispd-builtins.Tpo -c -o libdisp_la-audispd-builtins.lo `test -f 'audispd-builtins.c' || echo '$(srcdir)/'`audispd-builtins.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libdisp_la-audispd-builtins.Tpo $(DEPDIR)/libdisp_la-audispd-builtins.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audispd-builtins.c' object='libdisp_la-audispd-builtins.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libdisp_la_CFLAGS) $(CFLAGS) -c -o libdisp_la-audispd-builtins.lo `test -f 'audispd-builtins.c' || echo '$(srcdir)/'`audispd-builtins.c - mostlyclean-libtool: -rm -f *.lo @@ -746,8 +739,7 @@ mostlyclean-am distclean: distclean-recursive - -rm -f ./$(DEPDIR)/libdisp_la-audispd-builtins.Plo - -rm -f ./$(DEPDIR)/libdisp_la-audispd-llist.Plo + -rm -f ./$(DEPDIR)/libdisp_la-audispd-llist.Plo -rm -f ./$(DEPDIR)/libdisp_la-audispd-pconfig.Plo -rm -f ./$(DEPDIR)/libdisp_la-audispd.Plo -rm -f ./$(DEPDIR)/libdisp_la-queue.Plo 
@@ -796,8 +788,7 @@ installcheck-am: maintainer-clean: maintainer-clean-recursive - -rm -f ./$(DEPDIR)/libdisp_la-audispd-builtins.Plo - -rm -f ./$(DEPDIR)/libdisp_la-audispd-llist.Plo + -rm -f ./$(DEPDIR)/libdisp_la-audispd-llist.Plo -rm -f ./$(DEPDIR)/libdisp_la-audispd-pconfig.Plo -rm -f ./$(DEPDIR)/libdisp_la-audispd.Plo -rm -f ./$(DEPDIR)/libdisp_la-queue.Plo diff -Nru audit-3.0.9/audisp/plugins/af_unix/af_unix.conf audit-3.1.1/audisp/plugins/af_unix/af_unix.conf --- audit-3.0.9/audisp/plugins/af_unix/af_unix.conf 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.1.1/audisp/plugins/af_unix/af_unix.conf 2023-04-27 17:26:56.000000000 +0000 @@ -0,0 +1,14 @@ + +# This file controls the configuration of the +# af_unix socket plugin. It simply takes events +# and writes them to a unix domain socket. This +# plugin can take 2 arguments, the path for the +# socket and the socket permissions in octal. + +active = no +direction = out +path = builtin_af_unix +type = builtin +args = 0640 /var/run/audispd_events +format = string + diff -Nru audit-3.0.9/audisp/plugins/af_unix/audisp-af_unix.8 audit-3.1.1/audisp/plugins/af_unix/audisp-af_unix.8 --- audit-3.0.9/audisp/plugins/af_unix/audisp-af_unix.8 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.1.1/audisp/plugins/af_unix/audisp-af_unix.8 2023-04-27 17:26:56.000000000 +0000 
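Review bot: The shipped `af_unix.conf` still uses `path = builtin_af_unix` and `type = builtin`, which the parser changes in this same diff report as obsolete, so enabling the plugin on a fresh install logs two warnings and depends on the compatibility rewrite. Shipping the current form, `path = /sbin/audisp-af_unix` and `type = always`, would avoid that. The header comment lists the arguments as socket path then permissions while `args` gives `0640` first; the new plugin appears to accept either order, but the comment should match the example. A one-line comment that the mode decides which local accounts can read the audit stream would also help whoever loosens it.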
@@ -0,0 +1,21 @@
+.TH AUDISP-AF_UNIX "8" "Apr 2023" "Red Hat" "System Administration Utilities"
+.SH NAME
+audisp-af_unix \- plugin to push audit events to an af_unix socket
+.SH SYNOPSIS
+.B audisp-af_unix
+[ \fIOPTIONS\fP ]
+.SH DESCRIPTION
+\fBaudisp-af_unix\fP is a plugin for the audit event dispatcher that sends audit events to an af_unix socket where other applications can read events. The
+.B args
+line of the
+.B af_unix.conf
+file expects two arguments: the access mode and the path to the socket. The default values are 0640 and /var/run/audispd_events respectively.
+
+.SH FILES
+/etc/audit/plugins/af_unix.conf
+/etc/audit/auditd.conf
+.SH "SEE ALSO"
+.BR auditd.conf (8),
+.BR auditd-plugins (5).
+.SH AUTHOR
+Steve Grubb
diff -Nru audit-3.0.9/audisp/plugins/af_unix/audisp-af_unix.c audit-3.1.1/audisp/plugins/af_unix/audisp-af_unix.c
--- audit-3.0.9/audisp/plugins/af_unix/audisp-af_unix.c 1970-01-01 00:00:00.000000000 +0000
+++ audit-3.1.1/audisp/plugins/af_unix/audisp-af_unix.c 2023-04-27 17:26:56.000000000 +0000
@@ -0,0 +1,326 @@ +/* + * af_unix.c - implementation of the audisp-af_unix plugin + * Copyright (c) 2023 Red Hat Inc. + * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2, or (at your option) any + * later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: + * Steve Grubb + */ + +#include "config.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef HAVE_LIBCAP_NG +#include +#endif +#include "libaudit.h" +#include "common.h" + +#define DEFAULT_PATH "/var/run/audispd_events" +//#define DEBUG + +/* Global Data */ +static volatile int stop = 0, hup = 0; +char rx_buf[MAX_AUDIT_MESSAGE_LENGTH]; +int sock = -1, conn = -1, client = 0; +struct pollfd pfd[3]; +unsigned mode = 0; +char *path = NULL; + +/* + * SIGTERM handler + */ +static void term_handler(int sig) +{ + stop = 1; +} + +/* + * SIGHUP handler: re-read config + */ +static void hup_handler(int sig) +{ + hup = 1; +} + +int create_af_unix_socket(const char *spath, int mode) +{ + struct sockaddr_un addr; + socklen_t len; + int rc, cmd, one = 1; + + sock = socket(PF_UNIX, SOCK_STREAM, 0); + if (sock < 0) { + syslog(LOG_ERR, "Couldn't open af_unix socket (%s)", + strerror(errno)); + return -1; + } + setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, + (char *)&one, sizeof (int)); +#ifdef DEBUG + 
printf("%o %s\n", mode, spath); +#else + memset(&addr, 0, sizeof(addr)); + addr.sun_family = AF_UNIX; + snprintf(&addr.sun_path[0], 108, "%.107s", spath); + len = sizeof(addr); + rc = bind(sock, (const struct sockaddr *)&addr, len); + if (rc < 0) { + syslog(LOG_ERR, "Couldn't bind af_unix socket (%s)", + strerror(errno)); + close(sock); + return -1; + } + rc = chmod(spath, mode); + if (rc < 0) { + syslog(LOG_ERR, "Couldn't chmod %s to %04o (%s)", + spath, mode, strerror(errno)); + close(sock); + unlink(spath); + return -1; + } + // Put socket in nonblock mode and don't leak the descriptor + cmd = fcntl(sock, F_GETFL); + fcntl(sock, F_SETFL, cmd|FNDELAY|FD_CLOEXEC); + + // Make socket listening...won't block + (void)listen(sock, 1); +#endif + return 0; +} + +int setup_socket(int argc, char *argv[]) +{ + if (argc != 3) { + syslog(LOG_ERR, "Missing arguments, using defaults"); + mode = 0640; + path = DEFAULT_PATH; + } else { + int i; + for (i=1; i < 3; i++) { + if (isdigit(argv[i][0])) { + errno = 0; + mode = strtoul(argv[i], NULL, 8); + if (errno) { + syslog(LOG_ERR, + "Error converting %s (%s)", + argv[i], strerror(errno)); + mode = 0; + } + } else { + char *base; + path = argv[i]; + // Make sure there are directories + base = strchr(path, '/'); + if (base) { + DIR *d; + char *dir = strdup(path); + base = dirname(dir); + d = opendir(base); + if (d) { + closedir(d); + unlink(path); + free(dir); + } else { + syslog(LOG_ERR, + "Couldn't open %s (%s)", + base, strerror(errno)); + free(dir); + exit(1); + } + + } else { + syslog(LOG_ERR, "Malformed path %s", + path); + exit(1); + } + } + } + if (mode == 0 || path == NULL) { + syslog(LOG_ERR, "Bad arguments, using defaults"); + mode = 0640; + path = DEFAULT_PATH; + } + } + return create_af_unix_socket(path, mode); +} + +void read_audit_record(int ifd) +{ + do { + int len; + + // Read stdin + if ((len = audit_fgets(rx_buf, sizeof(rx_buf), ifd)) > 0) { +#ifdef DEBUG + write(1, rx_buf, len); +#else + if (client) { + // Send 
it to the client + int rc; + + do { + rc = write(conn, rx_buf, len); + } while (rc < 0 && errno == EINTR); + if (rc < 0 && errno == EPIPE) { + close(conn); + conn = -1; + client = 0; + audit_fgets_clear(); + } + if (rc >= 0 && rc != len) { + // what to do with leftovers? + } + } +#endif + } else if (audit_fgets_eof()) + stop = 1; + } while (audit_fgets_more(sizeof(rx_buf))); +} + +void accept_connection(void) +{ + int tmp_conn; + + do { + tmp_conn = accept4(sock, NULL,NULL, SOCK_NONBLOCK|SOCK_CLOEXEC); + } while (tmp_conn < 0 && errno == EINTR); + + if (tmp_conn >= 0) { + if (conn < 0) { + syslog(LOG_INFO, "Client connected"); + client = 1; + conn = tmp_conn; + } else + close(tmp_conn); + } +} + +void event_loop(int ifd) +{ + // setup poll + pfd[0].fd = ifd; //stdin + pfd[0].events = POLLIN; + pfd[1].fd = sock; // listen socket + pfd[1].events = POLLIN|POLLOUT; + + // loop on poll until stop - not doing HUP for now + while (!stop) { + int rc; + + if (client) { + pfd[2].fd = conn; // the client + pfd[2].events = POLLHUP; + } + + rc = poll(pfd, 2 + client, -1); + if (rc < 0) { + if (errno == EINTR) + continue; + syslog(LOG_WARNING, "Poll error (%s), exiting", + strerror(errno)); + return; + } + if (rc > 0) { + if (client && (pfd[2].revents & POLLHUP)) { + // client hung up, do this first in case + // an inbound audit record is available + close(conn); + conn = -1; + client = 0; + audit_fgets_clear(); + } + if (pfd[0].revents & POLLIN) { + // Inbound audit event + read_audit_record(ifd); + } + // auditd closed it's socket, exit + if (pfd[0].revents & POLLHUP) + return; + + if (pfd[1].revents & (POLLIN|POLLOUT)) { + // someone connected, accept it + accept_connection(); + } + } + } +} + + +int main(int argc, char *argv[]) +{ + struct sigaction sa; + int i, ifd; + + /* Register sighandlers */ + sa.sa_flags = 0; + sigemptyset(&sa.sa_mask); + /* Ignore all signals by default */ + sa.sa_handler = SIG_IGN; + for (i=1; i= 0) close(conn); + if (sock >= 0) close(sock); + 
unlink(path); + + return 0; +} + + diff -Nru audit-3.0.9/audisp/plugins/af_unix/Makefile.am audit-3.1.1/audisp/plugins/af_unix/Makefile.am --- audit-3.0.9/audisp/plugins/af_unix/Makefile.am 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.1.1/audisp/plugins/af_unix/Makefile.am 2023-04-27 17:26:56.000000000 +0000 
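Review bot: In `create_af_unix_socket`, `fcntl(sock, F_SETFL, cmd|FNDELAY|FD_CLOEXEC)` does not set close-on-exec, because `FD_CLOEXEC` is a descriptor flag that only `F_SETFD` accepts, so the listening socket stays inheritable despite the comment above the call. Creating it as `sock = socket(PF_UNIX, SOCK_STREAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0);` (the file already uses `accept4` with the same flags) makes the fcntl calls unnecessary. Between `bind()` and `chmod()` the socket file exists with whatever mode the process umask allows, so setting a restrictive `umask` before `bind()` would close that window on a stream of audit records. In `setup_socket` the two "using defaults" branches never unlink a stale `DEFAULT_PATH`, and `SO_REUSEADDR` has no effect on AF_UNIX path sockets on Linux, so a leftover socket file makes `bind()` fail. `read_audit_record` also drops the remainder of a record on a short or `EAGAIN` write to the non-blocking client, as the "what to do with leftovers?" comment admits; at minimum a syslog warning would make the loss visible.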
@@ -0,0 +1,52 @@ +# Makefile.am-- +# Copyright 2023 Red Hat Inc. +# All Rights Reserved. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. +# +# Authors: +# Steve Grubb +# + +CONFIG_CLEAN_FILES = *.rej *.orig +CONF_FILES = af_unix.conf +EXTRA_DIST = $(CONF_FILES) $(man_MANS) + +AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/common +prog_confdir = $(sysconfdir)/audit +plugin_confdir=$(prog_confdir)/plugins.d +plugin_conf = af_unix.conf +sbin_PROGRAMS = audisp-af_unix +man_MANS = audisp-af_unix.8 + +audisp_af_unix_DEPENDENCIES = ${top_builddir}/common/libaucommon.la +audisp_af_unix_SOURCES = audisp-af_unix.c +audisp_af_unix_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE -Wundef ${WFLAGS} +audisp_af_unix_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now +audisp_af_unix_LDADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.la + +install-data-hook: + mkdir -p -m 0750 ${DESTDIR}${plugin_confdir} + for i in $(CONF_FILES); do \ + $(INSTALL_DATA) -D -m 640 ${srcdir}/"$$i" \ + ${DESTDIR}${plugin_confdir}; \ + done + +uninstall-hook: + for i in $(CONF_FILES); do \ + rm ${DESTDIR}${plugin_confdir}/"$$i"; \ + done + diff -Nru audit-3.0.9/audisp/plugins/af_unix/Makefile.in audit-3.1.1/audisp/plugins/af_unix/Makefile.in --- audit-3.0.9/audisp/plugins/af_unix/Makefile.in 1970-01-01 
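Review bot: In `install-data-hook`, `mkdir -p -m 0750 ${DESTDIR}${plugin_confdir}` applies the 0750 mode only to the last path component. If `${DESTDIR}${prog_confdir}` does not exist yet, `mkdir -p` creates it with a umask-derived mode, and a `plugins.d` that already exists keeps whatever mode it has. Because these directories hold audit configuration, naming both explicitly is safer: `mkdir -p -m 0750 ${DESTDIR}${prog_confdir} ${DESTDIR}${plugin_confdir}`. Separately, `uninstall-hook` uses a bare `rm`, which aborts the uninstall when the file is already gone; `rm -f` would match the generated automake uninstall rules. The generated Makefile.in in the next file section carries the same two hooks.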
00:00:00.000000000 +0000 +++ audit-3.1.1/audisp/plugins/af_unix/Makefile.in 2023-04-27 17:27:00.000000000 +0000 
@@ -0,0 +1,824 @@ +# Makefile.in generated by automake 1.16.5 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2021 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# Makefile.am-- +# Copyright 2023 Red Hat Inc. +# All Rights Reserved. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; see the file COPYING. If not, write to the +# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor +# Boston, MA 02110-1335, USA. +# +# Authors: +# Steve Grubb +# + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) 
;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +target_triplet = @target@ +sbin_PROGRAMS = audisp-af_unix$(EXEEXT) +subdir = audisp/plugins/af_unix +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ + 
$(top_srcdir)/m4/cap-ng.m4 $(top_srcdir)/m4/libtool.m4 \ + $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ + $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ + $(top_srcdir)/src/libev/libev.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_VPATH_FILES = +am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)" +PROGRAMS = $(sbin_PROGRAMS) +am_audisp_af_unix_OBJECTS = audisp_af_unix-audisp-af_unix.$(OBJEXT) +audisp_af_unix_OBJECTS = $(am_audisp_af_unix_OBJECTS) +am__DEPENDENCIES_1 = +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +audisp_af_unix_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(audisp_af_unix_CFLAGS) $(CFLAGS) $(audisp_af_unix_LDFLAGS) \ + $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/audisp_af_unix-audisp-af_unix.Po +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; 
+am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = $(audisp_af_unix_SOURCES) +DIST_SOURCES = $(audisp_af_unix_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. 
+am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BUILD_EXEEXT = @BUILD_EXEEXT@ +BUILD_OBJEXT = @BUILD_OBJEXT@ +CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CC_FOR_BUILD = @CC_FOR_BUILD@ +CFLAGS = @CFLAGS@ +CFLAGS_FOR_BUILD = @CFLAGS_FOR_BUILD@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ +CPP_FOR_BUILD = @CPP_FOR_BUILD@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ +CYGPATH_W = @CYGPATH_W@ +DEBUG = @DEBUG@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +ETAGS = @ETAGS@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FILECMD = @FILECMD@ +GOLANG = @GOLANG@ +GOROOT = @GOROOT@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIBTOOL_DEPS = @LIBTOOL_DEPS@ +LIBWRAP_LIBS = @LIBWRAP_LIBS@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ 
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PYINCLUDEDIR = @PYINCLUDEDIR@ +PYTHON = @PYTHON@ +PYTHON3 = @PYTHON3@ +PYTHON3_CFLAGS = @PYTHON3_CFLAGS@ +PYTHON3_EXEC_PREFIX = @PYTHON3_EXEC_PREFIX@ +PYTHON3_INCLUDES = @PYTHON3_INCLUDES@ +PYTHON3_LIBS = @PYTHON3_LIBS@ +PYTHON3_PREFIX = @PYTHON3_PREFIX@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +SWIG = @SWIG@ +VERSION = @VERSION@ +WFLAGS = @WFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CC_FOR_BUILD = @ac_ct_CC_FOR_BUILD@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gss_libs = @gss_libs@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ 
+localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +py3execdir = @py3execdir@ +pybind_dir = @pybind_dir@ +pyexecdir = @pyexecdir@ +python3dir = @python3dir@ +pythondir = @pythondir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target = @target@ +target_alias = @target_alias@ +target_cpu = @target_cpu@ +target_os = @target_os@ +target_vendor = @target_vendor@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +use_python3 = @use_python3@ +CONFIG_CLEAN_FILES = *.rej *.orig +CONF_FILES = af_unix.conf +EXTRA_DIST = $(CONF_FILES) $(man_MANS) +AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib -I${top_srcdir}/common +prog_confdir = $(sysconfdir)/audit +plugin_confdir = $(prog_confdir)/plugins.d +plugin_conf = af_unix.conf +man_MANS = audisp-af_unix.8 +audisp_af_unix_DEPENDENCIES = ${top_builddir}/common/libaucommon.la +audisp_af_unix_SOURCES = audisp-af_unix.c +audisp_af_unix_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE -Wundef ${WFLAGS} +audisp_af_unix_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now +audisp_af_unix_LDADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.la +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu audisp/plugins/af_unix/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu audisp/plugins/af_unix/Makefile +Makefile: $(srcdir)/Makefile.in 
$(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-sbinPROGRAMS: $(sbin_PROGRAMS) + @$(NORMAL_INSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(sbindir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(sbindir)" || exit 1; \ + fi; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p \ + || test -f $$p1 \ + ; then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' \ + -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; 
\ + } \ + ; done + +uninstall-sbinPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ + files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' \ + `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(sbindir)" && rm -f $$files + +clean-sbinPROGRAMS: + @list='$(sbin_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +audisp-af_unix$(EXEEXT): $(audisp_af_unix_OBJECTS) $(audisp_af_unix_DEPENDENCIES) $(EXTRA_audisp_af_unix_DEPENDENCIES) + @rm -f audisp-af_unix$(EXEEXT) + $(AM_V_CCLD)$(audisp_af_unix_LINK) $(audisp_af_unix_OBJECTS) $(audisp_af_unix_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/audisp_af_unix-audisp-af_unix.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +audisp_af_unix-audisp-af_unix.o: audisp-af_unix.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_af_unix_CFLAGS) $(CFLAGS) -MT audisp_af_unix-audisp-af_unix.o -MD -MP -MF $(DEPDIR)/audisp_af_unix-audisp-af_unix.Tpo -c -o audisp_af_unix-audisp-af_unix.o `test -f 'audisp-af_unix.c' || echo '$(srcdir)/'`audisp-af_unix.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_af_unix-audisp-af_unix.Tpo $(DEPDIR)/audisp_af_unix-audisp-af_unix.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audisp-af_unix.c' object='audisp_af_unix-audisp-af_unix.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_af_unix_CFLAGS) $(CFLAGS) -c -o audisp_af_unix-audisp-af_unix.o `test -f 'audisp-af_unix.c' || echo '$(srcdir)/'`audisp-af_unix.c + +audisp_af_unix-audisp-af_unix.obj: audisp-af_unix.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_af_unix_CFLAGS) $(CFLAGS) -MT audisp_af_unix-audisp-af_unix.obj -MD -MP -MF $(DEPDIR)/audisp_af_unix-audisp-af_unix.Tpo -c -o audisp_af_unix-audisp-af_unix.obj `if test -f 'audisp-af_unix.c'; then 
$(CYGPATH_W) 'audisp-af_unix.c'; else $(CYGPATH_W) '$(srcdir)/audisp-af_unix.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/audisp_af_unix-audisp-af_unix.Tpo $(DEPDIR)/audisp_af_unix-audisp-af_unix.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='audisp-af_unix.c' object='audisp_af_unix-audisp-af_unix.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(audisp_af_unix_CFLAGS) $(CFLAGS) -c -o audisp_af_unix-audisp-af_unix.obj `if test -f 'audisp-af_unix.c'; then $(CYGPATH_W) 'audisp-af_unix.c'; else $(CYGPATH_W) '$(srcdir)/audisp-af_unix.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files 
"$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 
's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(PROGRAMS) $(MANS) +installdirs: + for dir in "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + 
-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-sbinPROGRAMS \ + mostlyclean-am + +distclean: distclean-am + -rm -f ./$(DEPDIR)/audisp_af_unix-audisp-af_unix.Po + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-man + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-data-hook +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: install-sbinPROGRAMS + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f ./$(DEPDIR)/audisp_af_unix-audisp-af_unix.Po + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-sbinPROGRAMS + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) uninstall-hook +uninstall-man: uninstall-man8 + +.MAKE: install-am install-data-am install-strip uninstall-am + +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-am clean \ + clean-generic clean-libtool clean-sbinPROGRAMS cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-data-hook install-dvi install-dvi-am \ + 
install-exec install-exec-am install-html install-html-am \ + install-info install-info-am install-man install-man8 \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-sbinPROGRAMS install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-am uninstall uninstall-am uninstall-hook \ + uninstall-man uninstall-man8 uninstall-sbinPROGRAMS + +.PRECIOUS: Makefile + + +install-data-hook: + mkdir -p -m 0750 ${DESTDIR}${plugin_confdir} + for i in $(CONF_FILES); do \ + $(INSTALL_DATA) -D -m 640 ${srcdir}/"$$i" \ + ${DESTDIR}${plugin_confdir}; \ + done + +uninstall-hook: + for i in $(CONF_FILES); do \ + rm ${DESTDIR}${plugin_confdir}/"$$i"; \ + done + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff -Nru audit-3.0.9/audisp/plugins/builtins/af_unix.conf audit-3.1.1/audisp/plugins/builtins/af_unix.conf --- audit-3.0.9/audisp/plugins/builtins/af_unix.conf 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/builtins/af_unix.conf 1970-01-01 00:00:00.000000000 +0000 @@ -1,14 +0,0 @@ - -# This file controls the configuration of the -# af_unix socket plugin. It simply takes events -# and writes them to a unix domain socket. This -# plugin can take 2 arguments, the path for the -# socket and the socket permissions in octal. - -active = no -direction = out -path = builtin_af_unix -type = builtin -args = 0640 /var/run/audispd_events -format = string - diff -Nru audit-3.0.9/audisp/plugins/builtins/Makefile.am audit-3.1.1/audisp/plugins/builtins/Makefile.am --- audit-3.0.9/audisp/plugins/builtins/Makefile.am 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/builtins/Makefile.am 1970-01-01 00:00:00.000000000 +0000 
@@ -1,40 +0,0 @@
-# Makefile.am--
-# Copyright 2007 Red Hat Inc., Durham, North Carolina.
-# All Rights Reserved.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; see the file COPYING. If not, write to the
-# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-# Boston, MA 02110-1335, USA.
-#
-# Authors:
-# Steve Grubb
-#
-
-CONFIG_CLEAN_FILES = *.rej *.orig
-CONF_FILES = af_unix.conf
-EXTRA_DIST = $(CONF_FILES)
-plugin_confdir=$(sysconfdir)/audit/plugins.d
-
-install-data-hook:
- mkdir -p -m 0750 ${DESTDIR}${plugin_confdir}
- for i in $(CONF_FILES); do \
- $(INSTALL_DATA) -D -m 640 ${srcdir}/"$$i" \
- ${DESTDIR}${plugin_confdir}; \
- done
-
-uninstall-hook:
- for i in $(CONF_FILES); do \
- rm ${DESTDIR}${plugin_confdir}/"$$i"; \
- done
-
diff -Nru audit-3.0.9/audisp/plugins/builtins/Makefile.in audit-3.1.1/audisp/plugins/builtins/Makefile.in
--- audit-3.0.9/audisp/plugins/builtins/Makefile.in 2022-08-29 21:23:16.000000000 +0000
+++ audit-3.1.1/audisp/plugins/builtins/Makefile.in 1970-01-01 00:00:00.000000000 +0000
@@ -1,524 +0,0 @@ -# Makefile.in generated by automake 1.16.5 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994-2021 Free Software Foundation, Inc. - -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -# Makefile.am-- -# Copyright 2007 Red Hat Inc., Durham, North Carolina. -# All Rights Reserved. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; see the file COPYING. If not, write to the -# Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor -# Boston, MA 02110-1335, USA. -# -# Authors: -# Steve Grubb -# -VPATH = @srcdir@ -am__is_gnu_make = { \ - if test -z '$(MAKELEVEL)'; then \ - false; \ - elif test -n '$(MAKE_HOST)'; then \ - true; \ - elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ - true; \ - else \ - false; \ - fi; \ -} -am__make_running_with_option = \ - case $${target_option-} in \ - ?) 
;; \ - *) echo "am__make_running_with_option: internal error: invalid" \ - "target option '$${target_option-}' specified" >&2; \ - exit 1;; \ - esac; \ - has_opt=no; \ - sane_makeflags=$$MAKEFLAGS; \ - if $(am__is_gnu_make); then \ - sane_makeflags=$$MFLAGS; \ - else \ - case $$MAKEFLAGS in \ - *\\[\ \ ]*) \ - bs=\\; \ - sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ - | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ - esac; \ - fi; \ - skip_next=no; \ - strip_trailopt () \ - { \ - flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ - }; \ - for flg in $$sane_makeflags; do \ - test $$skip_next = yes && { skip_next=no; continue; }; \ - case $$flg in \ - *=*|--*) continue;; \ - -*I) strip_trailopt 'I'; skip_next=yes;; \ - -*I?*) strip_trailopt 'I';; \ - -*O) strip_trailopt 'O'; skip_next=yes;; \ - -*O?*) strip_trailopt 'O';; \ - -*l) strip_trailopt 'l'; skip_next=yes;; \ - -*l?*) strip_trailopt 'l';; \ - -[dEDm]) skip_next=yes;; \ - -[JT]) skip_next=yes;; \ - esac; \ - case $$flg in \ - *$$target_option*) has_opt=yes; break;; \ - esac; \ - done; \ - test $$has_opt = yes -am__make_dryrun = (target_option=n; $(am__make_running_with_option)) -am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) -pkgdatadir = $(datadir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkglibexecdir = $(libexecdir)/@PACKAGE@ -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -build_triplet = @build@ -host_triplet = @host@ -target_triplet = @target@ -subdir = audisp/plugins/builtins -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/ax_prog_cc_for_build.m4 \ - $(top_srcdir)/m4/cap-ng.m4 
$(top_srcdir)/m4/libtool.m4 \ - $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ - $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/src/libev/libev.m4 $(top_srcdir)/configure.ac -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) -mkinstalldirs = $(install_sh) -d -CONFIG_HEADER = $(top_builddir)/config.h -CONFIG_CLEAN_VPATH_FILES = -AM_V_P = $(am__v_P_@AM_V@) -am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) -am__v_P_0 = false -am__v_P_1 = : -AM_V_GEN = $(am__v_GEN_@AM_V@) -am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) -am__v_GEN_0 = @echo " GEN " $@; -am__v_GEN_1 = -AM_V_at = $(am__v_at_@AM_V@) -am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) -am__v_at_0 = @ -am__v_at_1 = -SOURCES = -DIST_SOURCES = -am__can_run_installinfo = \ - case $$AM_UPDATE_INFO_DIR in \ - n|no|NO) false;; \ - *) (install-info --version) >/dev/null 2>&1;; \ - esac -am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) -am__DIST_COMMON = $(srcdir)/Makefile.in -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -AMTAR = @AMTAR@ -AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -BUILD_EXEEXT = @BUILD_EXEEXT@ -BUILD_OBJEXT = @BUILD_OBJEXT@ -CAPNG_LDADD = @CAPNG_LDADD@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CC_FOR_BUILD = @CC_FOR_BUILD@ -CFLAGS = @CFLAGS@ -CFLAGS_FOR_BUILD = @CFLAGS_FOR_BUILD@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CPPFLAGS_FOR_BUILD = @CPPFLAGS_FOR_BUILD@ -CPP_FOR_BUILD = @CPP_FOR_BUILD@ -CSCOPE = @CSCOPE@ -CTAGS = @CTAGS@ -CYGPATH_W = @CYGPATH_W@ -DEBUG = @DEBUG@ -DEFS = @DEFS@ -DEPDIR = @DEPDIR@ -DLLTOOL = @DLLTOOL@ -DSYMUTIL = @DSYMUTIL@ -DUMPBIN = @DUMPBIN@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -ETAGS = @ETAGS@ -EXEEXT = @EXEEXT@ -FGREP = @FGREP@ -FILECMD = @FILECMD@ -GOLANG = @GOLANG@ -GOROOT = 
@GOROOT@ -GREP = @GREP@ -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LD = @LD@ -LDFLAGS = @LDFLAGS@ -LDFLAGS_FOR_BUILD = @LDFLAGS_FOR_BUILD@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIBTOOL_DEPS = @LIBTOOL_DEPS@ -LIBWRAP_LIBS = @LIBWRAP_LIBS@ -LIPO = @LIPO@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ -MAKEINFO = @MAKEINFO@ -MANIFEST_TOOL = @MANIFEST_TOOL@ -MKDIR_P = @MKDIR_P@ -NM = @NM@ -NMEDIT = @NMEDIT@ -OBJDUMP = @OBJDUMP@ -OBJEXT = @OBJEXT@ -OTOOL = @OTOOL@ -OTOOL64 = @OTOOL64@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -PYINCLUDEDIR = @PYINCLUDEDIR@ -PYTHON = @PYTHON@ -PYTHON3 = @PYTHON3@ -PYTHON3_CFLAGS = @PYTHON3_CFLAGS@ -PYTHON3_EXEC_PREFIX = @PYTHON3_EXEC_PREFIX@ -PYTHON3_INCLUDES = @PYTHON3_INCLUDES@ -PYTHON3_LIBS = @PYTHON3_LIBS@ -PYTHON3_PREFIX = @PYTHON3_PREFIX@ -PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ -PYTHON_PLATFORM = @PYTHON_PLATFORM@ -PYTHON_PREFIX = @PYTHON_PREFIX@ -PYTHON_VERSION = @PYTHON_VERSION@ -RANLIB = @RANLIB@ -SED = @SED@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -STRIP = @STRIP@ -VERSION = @VERSION@ -WFLAGS = @WFLAGS@ -abs_builddir = @abs_builddir@ -abs_srcdir = @abs_srcdir@ -abs_top_builddir = @abs_top_builddir@ -abs_top_srcdir = @abs_top_srcdir@ -ac_ct_AR = @ac_ct_AR@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_CC_FOR_BUILD = @ac_ct_CC_FOR_BUILD@ -ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -am__include = @am__include@ -am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ -am__tar = @am__tar@ -am__untar = @am__untar@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = 
@build_vendor@ -builddir = @builddir@ -datadir = @datadir@ -datarootdir = @datarootdir@ -docdir = @docdir@ -dvidir = @dvidir@ -exec_prefix = @exec_prefix@ -gss_libs = @gss_libs@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -htmldir = @htmldir@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ -libexecdir = @libexecdir@ -localedir = @localedir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -pdfdir = @pdfdir@ -pkgpyexecdir = @pkgpyexecdir@ -pkgpythondir = @pkgpythondir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -psdir = @psdir@ -py3execdir = @py3execdir@ -pybind_dir = @pybind_dir@ -pyexecdir = @pyexecdir@ -python3dir = @python3dir@ -pythondir = @pythondir@ -runstatedir = @runstatedir@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -srcdir = @srcdir@ -sysconfdir = @sysconfdir@ -target = @target@ -target_alias = @target_alias@ -target_cpu = @target_cpu@ -target_os = @target_os@ -target_vendor = @target_vendor@ -top_build_prefix = @top_build_prefix@ -top_builddir = @top_builddir@ -top_srcdir = @top_srcdir@ -use_python3 = @use_python3@ -CONFIG_CLEAN_FILES = *.rej *.orig -CONF_FILES = af_unix.conf -EXTRA_DIST = $(CONF_FILES) -plugin_confdir = $(sysconfdir)/audit/plugins.d -all: all-am - -.SUFFIXES: -$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ - && { if test -f $@; then exit 0; else break; fi; }; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu audisp/plugins/builtins/Makefile'; \ - $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu audisp/plugins/builtins/Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(am__aclocal_m4_deps): - -mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs -tags TAGS: - -ctags CTAGS: - -cscope cscopelist: - -distdir: $(BUILT_SOURCES) - $(MAKE) $(AM_MAKEFLAGS) distdir-am - -distdir-am: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - list='$(DISTFILES)'; \ - dist_files=`for file in $$list; do echo $$file; done | \ - sed -e "s|^$$srcdirstrip/||;t" \ - -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ - case $$dist_files in \ - */*) $(MKDIR_P) `echo "$$dist_files" | \ - sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ - sort -u` ;; \ - esac; \ - for file in $$dist_files; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - if test -d $$d/$$file; then \ - dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test -d "$(distdir)/$$file"; then \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ - find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ - else \ - test -f "$(distdir)/$$file" \ - || cp -p $$d/$$file "$(distdir)/$$file" \ - || exit 1; \ - fi; \ - done -check-am: all-am -check: check-am -all-am: Makefile -installdirs: -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - if test -z '$(STRIP)'; then \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - install; \ - else \ - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ - fi -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) - -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libtool mostlyclean-am - -distclean: distclean-am - -rm -f Makefile -distclean-am: clean-am distclean-generic - -dvi: dvi-am - -dvi-am: - -html: html-am - -html-am: - -info: info-am - -info-am: - -install-data-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) install-data-hook -install-dvi: install-dvi-am - -install-dvi-am: - -install-exec-am: - -install-html: install-html-am - -install-html-am: - -install-info: install-info-am - -install-info-am: - -install-man: - -install-pdf: install-pdf-am - -install-pdf-am: - -install-ps: install-ps-am - -install-ps-am: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-generic mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: - @$(NORMAL_INSTALL) - $(MAKE) $(AM_MAKEFLAGS) uninstall-hook -.MAKE: install-am install-data-am install-strip uninstall-am - -.PHONY: all all-am check check-am clean clean-generic clean-libtool \ - cscopelist-am ctags-am distclean distclean-generic \ - distclean-libtool distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am \ - install-data-hook install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-man install-pdf install-pdf-am \ - install-ps install-ps-am install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ - maintainer-clean-generic mostlyclean mostlyclean-generic \ - mostlyclean-libtool pdf pdf-am ps ps-am tags-am uninstall \ - uninstall-am uninstall-hook - -.PRECIOUS: Makefile - - -install-data-hook: - mkdir -p -m 0750 ${DESTDIR}${plugin_confdir} - for i in $(CONF_FILES); do \ - $(INSTALL_DATA) -D -m 640 ${srcdir}/"$$i" \ - ${DESTDIR}${plugin_confdir}; \ - done - -uninstall-hook: - for i in $(CONF_FILES); do \ - rm 
${DESTDIR}${plugin_confdir}/"$$i"; \ - done - -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff -Nru audit-3.0.9/audisp/plugins/ids/account.c audit-3.1.1/audisp/plugins/ids/account.c --- audit-3.0.9/audisp/plugins/ids/account.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/ids/account.c 2023-04-27 17:26:56.000000000 +0000 @@ -15,7 +15,7 @@ // This holds info about all sessions struct account_avl{ - avl_tree index; + avl_tree_t index; unsigned int count; }; @@ -70,10 +70,10 @@ static void destroy_account(void) { - avl *cur = accounts.index.root; + avl_t *cur = accounts.index.root; account_data_t *a = (account_data_t *)avl_remove(&accounts.index, cur); - if ((avl *)a != cur) + if ((avl_t *)a != cur) my_printf("account: removal of invalid node"); // Now free any data pointed to by cur @@ -106,7 +106,7 @@ my_printf("Adding account %s", a->name); cur = NULL; - tmp = (account_data_t *)avl_insert(&accounts.index, (avl *)(a)); + tmp = (account_data_t *)avl_insert(&accounts.index, (avl_t *)(a)); if (tmp) { if (tmp != a) { if (debug) @@ -129,7 +129,7 @@ return NULL; tmp.name = name; - cur = (account_data_t *)avl_search(&accounts.index, (avl *) &tmp); + cur = (account_data_t *)avl_search(&accounts.index, (avl_t *) &tmp); return cur; } @@ -146,7 +146,7 @@ if (debug) my_printf("Deleting %s", name); cur = NULL; - tmp2 = (account_data_t *)avl_remove(&accounts.index, (avl *) &tmp1); + tmp2 = (account_data_t *)avl_remove(&accounts.index, (avl_t *) &tmp1); if (tmp2) { accounts.count--; if (strcmp(tmp2->name, name) != 0) { diff -Nru audit-3.0.9/audisp/plugins/ids/account.h audit-3.1.1/audisp/plugins/ids/account.h --- audit-3.0.9/audisp/plugins/ids/account.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/ids/account.h 2023-04-27 17:26:56.000000000 +0000 
@@ -12,7 +12,7 @@ #include "avl.h" typedef struct account_data { - avl avl; // This has to be first + avl_t avl; // This has to be first const char *name; unsigned int karma; diff -Nru audit-3.0.9/audisp/plugins/ids/avl.c audit-3.1.1/audisp/plugins/ids/avl.c --- audit-3.0.9/audisp/plugins/ids/avl.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/ids/avl.c 2023-04-27 17:26:56.000000000 +0000 @@ -28,8 +28,8 @@ /* Search |tree| for an item matching |item|, and return it if found. Otherwise return |NULL|. */ -avl *avl_search(avl_tree *tree, avl *item) { - avl *p; +avl_t *avl_search(const avl_tree_t *tree, avl_t *item) { + avl_t *p; // assert (tree != NULL && item != NULL); @@ -51,11 +51,11 @@ If a duplicate item is found in the tree, returns a pointer to the duplicate without inserting |item|. */ -avl *avl_insert(avl_tree *tree, avl *item) { - avl *y, *z; /* Top node to update balance factor, and parent. */ - avl *p, *q; /* Iterator, and parent. */ - avl *n; /* Newly inserted node. */ - avl *w; /* New root of rebalanced subtree. */ +avl_t *avl_insert(avl_tree_t *tree, avl_t *item) { + avl_t *y, *z; /* Top node to update balance factor, and parent. */ + avl_t *p, *q; /* Iterator, and parent. */ + avl_t *n; /* Newly inserted node. */ + avl_t *w; /* New root of rebalanced subtree. */ unsigned char dir; /* Direction to descend. */ unsigned char da[AVL_MAX_HEIGHT]; /* Cached comparison results. */ @@ -63,7 +63,7 @@ // assert(tree != NULL && item != NULL); - z = (avl *) &tree->root; + z = (avl_t *) &tree->root; y = tree->root; dir = 0; for (q = z, p = y; p != NULL; q = p, p = p->avl_link[dir]) { @@ -90,7 +90,7 @@ p->avl_balance++; if (y->avl_balance == -2) { - avl *x = y->avl_link[0]; + avl_t *x = y->avl_link[0]; if (x->avl_balance == -1) { w = x; y->avl_link[0] = x->avl_link[1]; 
@@ -114,7 +114,7 @@ } } else if (y->avl_balance == +2) { - avl *x = y->avl_link[1]; + avl_t *x = y->avl_link[1]; if (x->avl_balance == +1) { w = x; y->avl_link[1] = x->avl_link[0]; @@ -147,19 +147,19 @@ /* Deletes from |tree| and returns an item matching |item|. Returns a null pointer if no matching item found. */ -avl *avl_remove(avl_tree *tree, avl *item) { +avl_t *avl_remove(avl_tree_t *tree, avl_t *item) { /* Stack of nodes. */ - avl *pa[AVL_MAX_HEIGHT]; /* Nodes. */ + avl_t *pa[AVL_MAX_HEIGHT]; /* Nodes. */ unsigned char da[AVL_MAX_HEIGHT]; /* |avl_link[]| indexes. */ int k; /* Stack pointer. */ - avl *p; /* Traverses tree to find node to delete. */ + avl_t *p; /* Traverses tree to find node to delete. */ int cmp; /* Result of comparison between |item| and |p|. */ // assert (tree != NULL && item != NULL); k = 0; - p = (avl *) &tree->root; + p = (avl_t *) &tree->root; for(cmp = -1; cmp != 0; cmp = tree->compar(item, p)) { unsigned char dir = (unsigned char)(cmp > 0); @@ -175,7 +175,7 @@ if (p->avl_link[1] == NULL) pa[k - 1]->avl_link[da[k - 1]] = p->avl_link[0]; else { - avl *r = p->avl_link[1]; + avl_t *r = p->avl_link[1]; if (r->avl_link[0] == NULL) { r->avl_link[0] = p->avl_link[0]; r->avl_balance = p->avl_balance; @@ -184,7 +184,7 @@ pa[k++] = r; } else { - avl *s; + avl_t *s; int j = k++; for (;;) { @@ -209,15 +209,15 @@ // assert (k > 0); while (--k > 0) { - avl *y = pa[k]; + avl_t *y = pa[k]; if (da[k] == 0) { y->avl_balance++; if (y->avl_balance == +1) break; else if (y->avl_balance == +2) { - avl *x = y->avl_link[1]; + avl_t *x = y->avl_link[1]; if (x->avl_balance == -1) { - avl *w; + avl_t *w; // assert (x->avl_balance == -1); w = x->avl_link[0]; x->avl_link[0] = w->avl_link[1]; 
@@ -251,9 +251,9 @@ y->avl_balance--; if (y->avl_balance == -1) break; else if (y->avl_balance == -2) { - avl *x = y->avl_link[0]; + avl_t *x = y->avl_link[0]; if (x->avl_balance == +1) { - avl *w; + avl_t *w; // assert (x->avl_balance == +1); w = x->avl_link[1]; x->avl_link[1] = w->avl_link[0]; @@ -295,7 +295,7 @@ // --------------------------- // traversing -int avl_walker(avl *node, int (*callback)(void *entry, void *data), void *data) { +int avl_walker(avl_t *node, int (*callback)(void *entry, void *data), void *data) { int total = 0, ret = 0; if(node->avl_link[0]) { @@ -317,7 +317,7 @@ return total; } -int avl_traverse(avl_tree *t, int (*callback)(void *entry, void *data), +int avl_traverse(const avl_tree_t *t, int (*callback)(void *entry, void *data), void *data) { if(t->root) return avl_walker(t->root, callback, data); @@ -325,7 +325,7 @@ return 0; } -void avl_init(avl_tree *t, int (*compar)(void *a, void *b)) { +void avl_init(avl_tree_t *t, int (*compar)(void *a, void *b)) { t->root = NULL; t->compar = compar; } @@ -335,7 +335,7 @@ // --------------------------- -avl *avl_first(avl_iterator *i, avl_tree *t) +avl_t *avl_first(avl_iterator *i, avl_tree_t *t) { if (t->root == NULL || i == NULL) return NULL; @@ -344,7 +344,7 @@ i->height = 0; // follow the leftmost node to its bottom - avl *node = t->root; + avl_t *node = t->root; while (node->avl_link[0]) { i->stack[i->height] = node; i->height++; @@ -355,12 +355,12 @@ return node; } -avl *avl_next(avl_iterator *i) +avl_t *avl_next(avl_iterator *i) { if (i == NULL || i->tree == NULL) return NULL; - avl *node = i->current; + avl_t *node = i->current; if (node == NULL) return avl_first(i, i->tree); else if (node->avl_link[1]) { @@ -374,7 +374,7 @@ node = node->avl_link[0]; } } else { - avl *tmp; + avl_t *tmp; do { if (i->height == 0) { 
@@ -392,7 +392,7 @@ return node; } -static int avl_walker2(avl *node, avl_tree *haystack) { +static int avl_walker2(avl_t *node, avl_tree_t *haystack) { int ret; // If the lefthand has a link, take it so that we walk to the @@ -403,7 +403,7 @@ } // Next, check the current node - avl *res = avl_search(haystack, node); + avl_t *res = avl_search(haystack, node); if (res) return 1; // If the righthand has a link, take it so that we check all the @@ -417,7 +417,7 @@ return 0; } -int avl_intersection(avl_tree *needle, avl_tree *haystack) +int avl_intersection(const avl_tree_t *needle, avl_tree_t *haystack) { // traverse the needle and search the haystack // this implies that needle should be smaller than haystack diff -Nru audit-3.0.9/audisp/plugins/ids/avl.h audit-3.1.1/audisp/plugins/ids/avl.h --- audit-3.0.9/audisp/plugins/ids/avl.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/ids/avl.h 2023-04-27 17:26:56.000000000 +0000 @@ -14,19 +14,19 @@ typedef struct avl { struct avl *avl_link[2]; /* Subtrees - 0 left, 1 right */ signed char avl_balance; /* Balance factor. */ -} avl; +} avl_t; /* An AVL tree */ typedef struct avl_tree { - avl *root; + avl_t *root; int (*compar)(void *a, void *b); -} avl_tree; +} avl_tree_t; /* Iterator state struct */ typedef struct avl_iterator { - avl_tree *tree; - avl *current; - avl *stack[AVL_MAX_HEIGHT]; + avl_tree_t *tree; + avl_t *current; + avl_t *stack[AVL_MAX_HEIGHT]; unsigned height; } avl_iterator; 
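Review bot: In avl.c, `avl_intersection` now takes `const avl_tree_t *needle` but leaves `haystack` non-const, although the only visible use of `haystack` in `avl_walker2` is `avl_search(haystack, node)`, which this same commit changed to accept a const tree. If nothing outside the hunks writes through it, declare it as `const avl_tree_t *haystack` in both `avl_walker2` and `avl_intersection`, with the avl.h prototype to match, so the read-only contract is stated consistently. The bodies of both functions continue outside the hunks, so the recursive calls in `avl_walker2` need the same check.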
@@ -39,40 +39,40 @@ * a is linked directly to the tree, so it has to * be properly allocated by the caller. */ -avl *avl_insert(avl_tree *t, avl *a) NEVERNULL WARNUNUSED; +avl_t *avl_insert(avl_tree_t *t, avl_t *a) NEVERNULL WARNUNUSED; /* Remove an element a from the AVL tree t * returns a pointer to the removed element * or NULL if an element equal to a is not found * (equal as returned by t->compar()) */ -avl *avl_remove(avl_tree *t, avl *a) WARNUNUSED; +avl_t *avl_remove(avl_tree_t *t, avl_t *a) WARNUNUSED; /* Find the element into the tree that equal to a * (equal as returned by t->compar()) * returns NULL is no element is equal to a */ -avl *avl_search(avl_tree *t, avl *a); +avl_t *avl_search(const avl_tree_t *t, avl_t *a); -/* Initialize the avl_tree +/* Initialize the avl_tree_t */ -void avl_init(avl_tree *t, int (*compar)(void *a, void *b)); +void avl_init(avl_tree_t *t, int (*compar)(void *a, void *b)); /* Walk the tree and call callback at each node */ -int avl_traverse(avl_tree *t, int (*callback)(void *entry, void *data), +int avl_traverse(const avl_tree_t *t, int (*callback)(void *entry, void *data), void *data); /* Walk the tree down to the first node and return it */ -avl *avl_first(avl_iterator *i, avl_tree *t); +avl_t *avl_first(avl_iterator *i, avl_tree_t *t); /* Walk the tree to the next logical node and return it */ -avl *avl_next(avl_iterator *i); +avl_t *avl_next(avl_iterator *i); /* Given two trees, see if any in needle are contained in haystack */ -int avl_intersection(avl_tree *needle, avl_tree *haystack); +int avl_intersection(const avl_tree_t *needle, avl_tree_t *haystack); #endif /* avl.h */ diff -Nru audit-3.0.9/audisp/plugins/ids/ids_config.h audit-3.1.1/audisp/plugins/ids/ids_config.h --- audit-3.0.9/audisp/plugins/ids/ids_config.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/ids/ids_config.h 2023-04-27 17:26:56.000000000 +0000 
@@ -37,7 +37,7 @@ // sysctls, selinux booleans // update specific rpm, all rpms // restart service -// drop service timed <- need to whitelist these +// drop service timed <- check this against list of things that can't be dropped // System terminations // Drop network timed diff -Nru audit-3.0.9/audisp/plugins/ids/Makefile.in audit-3.1.1/audisp/plugins/ids/Makefile.in --- audit-3.0.9/audisp/plugins/ids/Makefile.in 2022-08-29 21:23:16.000000000 +0000 +++ audit-3.1.1/audisp/plugins/ids/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -270,6 +270,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -350,6 +351,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/audisp/plugins/ids/origin.c audit-3.1.1/audisp/plugins/ids/origin.c --- audit-3.0.9/audisp/plugins/ids/origin.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/ids/origin.c 2023-04-27 17:26:56.000000000 +0000 @@ -13,7 +13,7 @@ // This holds info about all sessions struct origin_avl{ - avl_tree index; + avl_tree_t index; unsigned int count; }; @@ -79,10 +79,10 @@ static void destroy_origin(void) { - avl *cur = origins.index.root; + avl_t *cur = origins.index.root; origin_data_t *o = (origin_data_t *)avl_remove(&origins.index, cur); - if ((avl *)o != cur) + if ((avl_t *)o != cur) my_printf("origin: removal of invalid node"); // Now free any data pointed to by cur @@ -105,7 +105,7 @@ my_printf("Adding origin %u", o->address); cur = NULL; - tmp = (origin_data_t *)avl_insert(&origins.index, (avl *)(o)); + tmp = (origin_data_t *)avl_insert(&origins.index, (avl_t *)(o)); if (tmp) { if (tmp != o) { if (debug) 
@@ -125,7 +125,7 @@ origin_data_t tmp; tmp.address = addr; - cur = (origin_data_t *)avl_search(&origins.index, (avl *) &tmp); + cur = (origin_data_t *)avl_search(&origins.index, (avl_t *) &tmp); return cur; } @@ -142,7 +142,7 @@ if (debug) my_printf("Deleting %u", addr); cur = NULL; - tmp2 = (origin_data_t *)avl_remove(&origins.index, (avl *) &tmp1); + tmp2 = (origin_data_t *)avl_remove(&origins.index, (avl_t *) &tmp1); if (tmp2) { origins.count--; if (tmp2->address != addr) { diff -Nru audit-3.0.9/audisp/plugins/ids/origin.h audit-3.1.1/audisp/plugins/ids/origin.h --- audit-3.0.9/audisp/plugins/ids/origin.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/ids/origin.h 2023-04-27 17:26:56.000000000 +0000 @@ -13,7 +13,7 @@ #include "ids_config.h" typedef struct origin_data { - avl avl; // This has to be first + avl_t avl; // This has to be first unsigned int address; // This hack works for IPv4 unsigned int karma; diff -Nru audit-3.0.9/audisp/plugins/ids/rules/Makefile.in audit-3.1.1/audisp/plugins/ids/rules/Makefile.in --- audit-3.0.9/audisp/plugins/ids/rules/Makefile.in 2022-08-29 21:23:16.000000000 +0000 +++ audit-3.1.1/audisp/plugins/ids/rules/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -187,6 +187,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -267,6 +268,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/audisp/plugins/ids/session.c audit-3.1.1/audisp/plugins/ids/session.c --- audit-3.0.9/audisp/plugins/ids/session.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/ids/session.c 2023-04-27 17:26:56.000000000 +0000 @@ -17,7 +17,7 @@ // This holds info about all sessions struct session_avl{ - avl_tree index; + avl_tree_t index; unsigned int count; }; 
@@ -76,10 +76,10 @@ static void destroy_session(void) { - avl *cur = sessions.index.root; + avl_t *cur = sessions.index.root; session_data_t *tmp =(session_data_t *)avl_remove(&sessions.index, cur); - if ((avl *)tmp != cur) + if ((avl_t *)tmp != cur) my_printf("session: removal of invalid node"); free_session(tmp); cur = NULL; @@ -113,7 +113,7 @@ my_printf("Adding session %u, %p", s->session, s); cur = NULL; - tmp = (session_data_t *)avl_insert(&sessions.index, (avl *)(s)); + tmp = (session_data_t *)avl_insert(&sessions.index, (avl_t *)(s)); if (tmp) { if (tmp != s) { if (debug) @@ -144,7 +144,7 @@ session_data_t tmp; tmp.session = s; - cur = (session_data_t *)avl_search(&sessions.index, (avl *) &tmp); + cur = (session_data_t *)avl_search(&sessions.index, (avl_t *) &tmp); return cur; } @@ -161,7 +161,7 @@ if (debug) my_printf("Deleting %u", s); cur = NULL; - tmp2 = (session_data_t *)avl_remove(&sessions.index, (avl *) &tmp1); + tmp2 = (session_data_t *)avl_remove(&sessions.index, (avl_t *) &tmp1); if (tmp2) { sessions.count--; if (tmp2->session != s) { diff -Nru audit-3.0.9/audisp/plugins/ids/session.h audit-3.1.1/audisp/plugins/ids/session.h --- audit-3.0.9/audisp/plugins/ids/session.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/ids/session.h 2023-04-27 17:26:56.000000000 +0000 @@ -14,7 +14,7 @@ #include "ids_config.h" typedef struct session_data { - avl avl; // This has to be first + avl_t avl; // This has to be first unsigned int session; unsigned int score; diff -Nru audit-3.0.9/audisp/plugins/Makefile.am audit-3.1.1/audisp/plugins/Makefile.am --- audit-3.0.9/audisp/plugins/Makefile.am 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/Makefile.am 2023-04-27 17:26:56.000000000 +0000 @@ -1,5 +1,5 @@ # Makefile.am -- -# Copyright 2007-08,2018,2021 Red Hat Inc. +# Copyright 2007-08,2018-23 Red Hat Inc. # All Rights Reserved. # # This library is free software; you can redistribute it and/or 
@@ -23,7 +23,7 @@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig -SUBDIRS = builtins remote syslog +SUBDIRS = af_unix remote syslog if ENABLE_EXPERIMENTAL SUBDIRS += ids statsd endif diff -Nru audit-3.0.9/audisp/plugins/Makefile.in audit-3.1.1/audisp/plugins/Makefile.in --- audit-3.0.9/audisp/plugins/Makefile.in 2022-08-29 21:23:16.000000000 +0000 +++ audit-3.1.1/audisp/plugins/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -15,7 +15,7 @@ @SET_MAKE@ # Makefile.am -- -# Copyright 2007-08,2018,2021 Red Hat Inc. +# Copyright 2007-08,2018-23 Red Hat Inc. # All Rights Reserved. # # This library is free software; you can redistribute it and/or @@ -178,7 +178,7 @@ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | $(am__uniquify_input)` -DIST_SUBDIRS = builtins remote syslog ids statsd zos-remote +DIST_SUBDIRS = af_unix remote syslog ids statsd zos-remote am__DIST_COMMON = $(srcdir)/Makefile.in DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ @@ -217,6 +217,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -297,6 +298,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ @@ -367,7 +369,7 @@ top_srcdir = @top_srcdir@ use_python3 = @use_python3@ CONFIG_CLEAN_FILES = *.loT *.rej *.orig -SUBDIRS = builtins remote syslog $(am__append_1) $(am__append_2) +SUBDIRS = af_unix remote syslog $(am__append_1) $(am__append_2) all: all-recursive .SUFFIXES: diff -Nru audit-3.0.9/audisp/plugins/remote/Makefile.in audit-3.1.1/audisp/plugins/remote/Makefile.in --- audit-3.0.9/audisp/plugins/remote/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/audisp/plugins/remote/Makefile.in 2023-04-27 17:27:00.000000000 +0000 
@@ -433,6 +433,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -513,6 +514,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/audisp/plugins/statsd/audisp-statsd.c audit-3.1.1/audisp/plugins/statsd/audisp-statsd.c --- audit-3.0.9/audisp/plugins/statsd/audisp-statsd.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/statsd/audisp-statsd.c 2023-04-27 17:26:56.000000000 +0000 @@ -351,6 +351,10 @@ // Initialize interval timer timer_fd = timerfd_create (CLOCK_MONOTONIC, 0); + if (timer_fd < 0) { + syslog(LOG_ERR, "unable to open a timerfd"); + return 1; + } pfd[1].fd = timer_fd; pfd[1].events = POLLIN; itval.it_interval.tv_sec = d.interval; diff -Nru audit-3.0.9/audisp/plugins/statsd/Makefile.in audit-3.1.1/audisp/plugins/statsd/Makefile.in --- audit-3.0.9/audisp/plugins/statsd/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/audisp/plugins/statsd/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -218,6 +218,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -298,6 +299,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/audisp/plugins/syslog/audisp-syslog.8 audit-3.1.1/audisp/plugins/syslog/audisp-syslog.8 --- audit-3.0.9/audisp/plugins/syslog/audisp-syslog.8 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/syslog/audisp-syslog.8 2023-04-27 17:26:56.000000000 +0000 
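Review bot: The added error path in audisp-statsd.c does not record why `timerfd_create()` failed, so running out of file descriptors looks the same in the log as any other failure. Using the syslog `%m` conversion keeps the check to one line: `syslog(LOG_ERR, "unable to open a timerfd: %m");`. The enclosing function starts and ends outside the hunk, so it is worth confirming that `return 1` at this point does not skip cleanup of anything opened earlier.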
@@ -14,7 +14,7 @@ If you are aggregating multiple machines, you should edit auditd.conf to set the name_format to something meaningful and the log_format to enriched. This way you can tell where the event came from and have the user name and groups resolved locally before it is sent off of the machine. .SH FILES -/etc/audit/syslog.conf +/etc/audit/plugins/syslog.conf /etc/audit/auditd.conf .SH "SEE ALSO" .BR auditd.conf (8), diff -Nru audit-3.0.9/audisp/plugins/syslog/audisp-syslog.c audit-3.1.1/audisp/plugins/syslog/audisp-syslog.c --- audit-3.0.9/audisp/plugins/syslog/audisp-syslog.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audisp/plugins/syslog/audisp-syslog.c 2023-04-27 17:26:56.000000000 +0000 @@ -156,10 +156,11 @@ // Now iterate over the fields and print each one mptr = record; - while (rc > 0) { + while (rc > 0 && + ((mptr-record) < (MAX_AUDIT_MESSAGE_LENGTH-128))) { int ftype = auparse_get_field_type(au); const char *fname = auparse_get_field_name(au); - const char *fval; + const char *fval; switch (ftype) { case AUPARSE_TYPE_ESCAPED_FILE: fval = auparse_interpret_realpath(au); diff -Nru audit-3.0.9/audisp/plugins/syslog/Makefile.in audit-3.1.1/audisp/plugins/syslog/Makefile.in --- audit-3.0.9/audisp/plugins/syslog/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/audisp/plugins/syslog/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -240,6 +240,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ 
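Review bot: The new loop condition in audisp-syslog.c stops appending once `mptr` is within 128 bytes of `MAX_AUDIT_MESSAGE_LENGTH`, which protects `record` only if a single field name plus its interpreted value can never exceed 128 bytes. The loop body lies outside the hunk, so how each field is written cannot be checked from here; if it is an unbounded copy, a long interpreted value (a realpath, for instance) could still pass the end of the buffer. Bounding every write by the space actually left, computed as `size_t left = MAX_AUDIT_MESSAGE_LENGTH - (mptr - record);` (assuming `record` has that size), would make the limit exact instead of a margin. A comment such as `// fields that do not fit are dropped; the record is truncated silently` would also document the new behaviour.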
@@ -320,6 +321,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/audisp/plugins/zos-remote/Makefile.in audit-3.1.1/audisp/plugins/zos-remote/Makefile.in --- audit-3.0.9/audisp/plugins/zos-remote/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/audisp/plugins/zos-remote/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -227,6 +227,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -307,6 +308,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/audit.spec audit-3.1.1/audit.spec --- audit-3.0.9/audit.spec 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/audit.spec 2023-04-27 17:26:56.000000000 +0000 @@ -1,9 +1,8 @@ - Summary: User space tools for kernel auditing Name: audit -Version: 3.0.9 +Version: 3.1.1 Release: 1%{dist} -License: GPLv2+ +License: GPL-2.0-or-later AND LGPL-2.0-or-later Group: System Environment/Daemons URL: http://people.redhat.com/sgrubb/audit/ Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz @@ -93,8 +92,8 @@ %configure --sbindir=/sbin --libdir=/%{_lib} --with-python=no \ --with-python3=yes \ --enable-gssapi-krb5=yes --with-arm --with-aarch64 \ - --with-libcap-ng=yes --enable-zos-remote \ - --enable-systemd + --with-libcap-ng=yes --without-golang --enable-zos-remote \ + --enable-systemd --enable-experimental --with-io_uring make CFLAGS="%{optflags}" %{?_smp_mflags} @@ -130,7 +129,7 @@ touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz %check -make check +make %{?_smp_mflags} check # Get rid of make files so that they don't get packaged. rm -f rules/Makefile* 
@@ -164,7 +163,6 @@ %{_mandir}/man5/libaudit.conf.5.gz %files libs-devel -%defattr(-,root,root,-) %doc contrib/plugin %{_libdir}/libaudit.so %{_libdir}/libauparse.so @@ -194,7 +192,6 @@ %license COPYING %doc README ChangeLog rules init.d/auditd.cron %attr(755,root,root) %{_datadir}/%{name} -%attr(644,root,root) %{_datadir}/%{name}/sample-rules/* %attr(644,root,root) %{_mandir}/man8/auditctl.8.gz %attr(644,root,root) %{_mandir}/man8/auditd.8.gz %attr(644,root,root) %{_mandir}/man8/aureport.8.gz @@ -214,7 +211,7 @@ %attr(755,root,root) /sbin/ausearch %attr(755,root,root) /sbin/aureport %attr(750,root,root) /sbin/autrace -%attr(750,root,root) /sbin/augenrules +%attr(755,root,root) /sbin/augenrules %attr(755,root,root) %{_bindir}/aulast %attr(755,root,root) %{_bindir}/aulastlog %attr(755,root,root) %{_bindir}/ausyscall 
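Review bot: The mode of `/sbin/augenrules` is loosened from 750 to 755 without any explanation in the spec, while `/sbin/autrace` in the same hunk stays at 750. If the change is intentional, a comment above the entry stating the reason, along the lines of `# 755: <reason non-root users need to execute augenrules>`, would keep a later hardening pass from reverting it or from copying it to the neighbouring tools.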
@@ -247,17 +244,26 @@ %config(noreplace) %attr(640,root,root) /etc/audit/audisp-remote.conf %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-remote.conf %config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/syslog.conf +%config(noreplace) %attr(640,root,root) /etc/audit/audisp-statsd.conf +%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-statsd.conf +%config(noreplace) %attr(640,root,root) /etc/audit/ids.conf +%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/audisp-ids.conf +%attr(644,root,root) %{_datadir}/%{name}/ids-rules/* %attr(750,root,root) /sbin/audisp-remote %attr(750,root,root) /sbin/audisp-syslog +%attr(750,root,root) /sbin/audisp-af_unix +%attr(750,root,root) /sbin/audisp-ids +%attr(750,root,root) /sbin/audisp-statsd %attr(700,root,root) %dir %{_var}/spool/audit %attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz %attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz %attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz %attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz +%attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz %changelog -* Mon Aug 29 2022 Steve Grubb 3.0.9-1 +* Thu Feb 09 2023 Steve Grubb 3.1i.-1 - New upstream release diff -Nru audit-3.0.9/auparse/auditd-config.c audit-3.1.1/auparse/auditd-config.c --- audit-3.0.9/auparse/auditd-config.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/auparse/auditd-config.c 2023-04-27 17:26:56.000000000 +0000 
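Review bot: The new `%changelog` entry carries the version string `3.1i.-1`, which does not match the `Version: 3.1.1` and `Release: 1` set at the top of the spec; it should read `3.1.1-1`. Separately, this hunk starts packaging `audisp-ids` and `audisp-statsd` with their configuration files, which the plugins Makefile builds only under `ENABLE_EXPERIMENTAL`. A comment next to the new entries, for example `# experimental plugins, built because of --enable-experimental`, would tell packagers that these binaries are not part of the default build.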
@@ -107,14 +107,13 @@ } int aup_load_config(auparse_state_t *au, struct daemon_conf *config, - log_test_t lt) + log_test_t lt __attribute__((unused))) { int fd, lineno = 1; FILE *f; char buf[160]; aup_clear_config(config); - lt = lt; /* open the file */ fd = open(CONFIG_FILE, O_RDONLY|O_NOFOLLOW); diff -Nru audit-3.0.9/auparse/auparse-defs.h audit-3.1.1/auparse/auparse-defs.h --- audit-3.0.9/auparse/auparse-defs.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/auparse/auparse-defs.h 2023-04-27 17:26:56.000000000 +0000 @@ -1,5 +1,5 @@ /* auparse-defs.h -- - * Copyright 2006-07,09,2011-12,2014-17 Red Hat Inc., Durham, North Carolina. + * Copyright 2006-07,09,2011-12,2014-17,2023 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -88,7 +88,8 @@ AUPARSE_TYPE_NETACTION, AUPARSE_TYPE_MACPROTO, AUPARSE_TYPE_IOCTL_REQ, AUPARSE_TYPE_ESCAPED_KEY, AUPARSE_TYPE_ESCAPED_FILE, AUPARSE_TYPE_FANOTIFY, - AUPARSE_TYPE_NLMCGRP, AUPARSE_TYPE_RESOLVE + AUPARSE_TYPE_NLMCGRP, AUPARSE_TYPE_RESOLVE, AUPARSE_TYPE_TRUST, + AUPARSE_TYPE_FAN_TYPE, AUPARSE_TYPE_FAN_INFO } auparse_type_t; /* This type determines what escaping if any gets applied to interpreted fields */ diff -Nru audit-3.0.9/auparse/ellist.c audit-3.1.1/auparse/ellist.c --- audit-3.0.9/auparse/ellist.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/auparse/ellist.c 2023-04-27 17:26:56.000000000 +0000 @@ -1,7 +1,7 @@ /* * ellist.c - Minimal linked list library -* Copyright (c) 2006-08,2014,2016-17 Red Hat Inc., Durham, North Carolina. -* All Rights Reserved. +* Copyright (c) 2006-08,2014,2016-17,2023 Red Hat Inc. +* All Rights Reserved. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public 
@@ -122,6 +122,7 @@ memcpy(r->nv.record, r->record, len); r->nv.end = r->nv.record + len; ptr = audit_strsplit_r(buf, &saved); + // If no fields we have fuzzer induced problems, leave if (ptr == NULL) { free(buf); r->nv.record = NULL; @@ -130,6 +131,7 @@ do { // If there's an '=' sign, its a keeper nvnode n; + char *val = strchr(ptr, '='); if (val) { int len; @@ -245,6 +247,8 @@ else if (r->nv.cnt == (1 + offset) && strcmp(n.name, "type") == 0) { r->type = audit_name_to_msg_type(n.val); + if (r->type == AUDIT_URINGOP) + r->machine = MACH_IO_URING; // This has to account for seccomp records } else if ((r->nv.cnt == (2 + offset) || r->nv.cnt == (11 + offset)) && @@ -263,6 +267,12 @@ r->syscall = strtoul(n.val, NULL, 10); if (errno) r->syscall = -1; + } else if (r->nv.cnt == (2 + offset) && + strcmp(n.name, "uring_op") == 0) { + errno = 0; + r->syscall = strtoul(n.val, NULL, 10); + if (errno) + r->syscall = -1; } else if (r->nv.cnt == (6 + offset) && strcmp(n.name, "a0") == 0){ errno = 0; @@ -276,7 +286,8 @@ if (errno) r->a1 = -1LL; } else if (r->type == AUDIT_CWD) { - if (strcmp(n.name, "cwd") == 0) + // most common fuzzing hit: duplicate cwds + if (strcmp(n.name, "cwd") == 0 && !r->cwd) r->cwd = strdup(n.val); } } else if (r->type == AUDIT_AVC || r->type == AUDIT_USER_AVC) { @@ -323,6 +334,7 @@ } } else continue; + n.val = ptr; nvlist_append(&r->nv, &n); } @@ -334,6 +346,7 @@ r->nv.record = NULL; r->nv.end = NULL; free((void *)r->cwd); + r->cwd = NULL; } r->nv.cur = 0; // reset to beginning @@ -362,7 +375,7 @@ r->a1 = 0LL; r->machine = -1; r->syscall = -1; - r->item = l->cnt; + r->item = l->cnt; r->list_idx = list_idx; r->line_number = line_number; r->next = NULL; 
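Review bot: The new `uring_op` branch in ellist.c records a non-numeric value as operation 0, because `strtoul(n.val, NULL, 10)` is called without an end pointer and `errno` is not guaranteed to be set when no digits are converted. Since this release is meant to harden auparse against corrupt logs, a malformed field should end up as -1 like the overflow case: `char *end; r->syscall = strtoul(n.val, &end, 10);` followed by `if (errno || end == n.val) r->syscall = -1;`. The `syscall` branch shown as context just above follows the same pattern. The enclosing function starts and ends outside the hunk.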
@@ -382,6 +395,9 @@ // Then parse the record up into nvlist rc = parse_up_record(r); + if (r->nv.cnt == 0) // This is fuzzer induced, return an error. + rc = -1; + if (r->cwd) { // Should never be 2 cwd records unless log is corrupted free((void *)l->cwd); diff -Nru audit-3.0.9/auparse/interpret.c audit-3.1.1/auparse/interpret.c --- audit-3.0.9/auparse/interpret.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/auparse/interpret.c 2023-04-27 17:26:56.000000000 +0000 @@ -1,6 +1,6 @@ /* * interpret.c - Lookup values to something more readable -* Copyright (c) 2007-09,2011-16,2018-21 Red Hat Inc. +* Copyright (c) 2007-09,2011-16,2018-21,2023 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -918,7 +918,7 @@ if (dest > rpath + 1) while ((--dest)[-1] != '/'); } else { - if (dest[-1] != '/') + if (dest != working && dest[-1] != '/') *dest++ = '/'; // If it will overflow, chop it at last component @@ -939,23 +939,29 @@ if (id->cwd) { char *str1 = NULL, *str2, *str3 = NULL, *out = NULL; str2 = print_escaped(id->val); + if (!str2) goto err_out; if (*str2 != '/') { + // Glue the cwd and path together str1 = print_escaped(id->cwd); if (!str1) goto err_out; if (asprintf(&str3, "%s/%s", str1, str2) < 0) goto err_out; } else { - // Check in case /home/../etc/passwd - if (strstr(str2, "..") == NULL) - return str2; - + // Normal looking string str3 = str2; str2 = NULL; - str1 = NULL; } + + // Check in case /home/../etc/passwd + if (strstr(str3, "..") == NULL) { + free(str1); + free(str2); + return str3; // Nope, just return the string + } + out = path_norm(str3); if (!out) { // If there's an error, just return the original free(str1); 
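Review bot: Moving the `strstr(str3, "..")` shortcut below the cwd join in interpret.c means a relative path without `..` now skips `path_norm()`, whereas before this change every relative path went through it. If `path_norm()` also collapses `.` components or repeated slashes (most of its body is outside this diff), a cwd of `/home/u` joined with `./x` is now returned as `/home/u/./x`, and anything that matches on the interpreted path would see a different string than with 3.0.9. Restricting the shortcut to the absolute case, `if (str1 == NULL && strstr(str3, "..") == NULL) return str3;`, keeps the old result for relative paths. The enclosing function continues past the end of the hunk.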
@@ -1490,15 +1496,15 @@ return strdup(val); } -static const char *print_open_flags(const char *val) +static const char *print_open_flags(const char *val, int base) { size_t i; - unsigned int flags; + unsigned long flags; int cnt = 0; char *out, buf[sizeof(open_flag_strings)+OPEN_FLAG_NUM_ENTRIES+1]; errno = 0; - flags = strtoul(val, NULL, 16); + flags = strtoul(val, NULL, base); if (errno) { if (asprintf(&out, "conversion error(%s)", val) < 0) out = NULL; @@ -2372,6 +2378,60 @@ return strdup(buf); } +static const char *print_trust(const char *val) +{ + const char *out; + + if (strcmp(val, "0") == 0) + out = strdup("no"); + else if (strcmp(val, "1") == 0) + out = strdup("yes"); + else + out = strdup("unknown"); + + return out; +} + +// fan_type always preceeds fan_info +static int last_type = 2; +static const char *print_fan_type(const char *val) +{ + const char *out; + + if (strcmp(val, "0") == 0) { + out = strdup("none"); + last_type = 0; + } else if (strcmp(val, "1") == 0) { + out = strdup("rule_info"); + last_type = 1; + } else { + out = strdup("unknown"); + last_type = 2; + } + + return out; +} + +static const char *print_fan_info(const char *val) +{ + char *out; + if (last_type == 1) { + errno = 0; + unsigned long info = strtoul(val, NULL, 16); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } else { + if (asprintf(&out, "%lu", info) < 0) + out = NULL; + return out; + } + } else + out = strdup(val); + return out; +} + static const char *print_a0(const char *val, const idata *id) { char *out; @@ -2504,10 +2564,10 @@ else if (strcmp(sys, "mknod") == 0) return print_mode(val, 16); else if (strcmp(sys, "mq_open") == 0) - return print_open_flags(val); + return print_open_flags(val, 16); } else if (strcmp(sys, "open") == 0) - return print_open_flags(val); + return print_open_flags(val, 16); else if (strcmp(sys, "access") == 0) return print_access(val); else if (strcmp(sys, "epoll_ctl") == 0) 
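Review bot: `print_fan_info()` chooses how to render its value from the file-scope `last_type` that `print_fan_type()` stored on some earlier call, so the output depends on call order rather than on the record being interpreted. If a caller interprets `fan_info` without interpreting the `fan_type` of the same record immediately before, or two parsers run in different threads, a stale type decides whether the value is converted from hex or copied verbatim. Passing the record's `fan_type` value into `print_fan_info()` would remove the hidden state. Failing that, the comment above `last_type` should state the constraint, e.g. `// not thread safe: fan_type must be interpreted right before fan_info of the same record`.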
@@ -2581,11 +2641,11 @@ goto normal; } else if (*sys == 'o') { if (strcmp(sys, "openat") == 0) - return print_open_flags(val); + return print_open_flags(val, 16); if ((strcmp(sys, "open") == 0) && (id->a1 & O_CREAT)) return print_mode_short(val, 16); if (strcmp(sys, "open_by_handle_at") == 0) - return print_open_flags(val); + return print_open_flags(val, 16); } else if (*sys == 'f') { if (strcmp(sys, "fchmodat") == 0) return print_mode_short(val, 16); @@ -3256,8 +3316,8 @@ case AUPARSE_TYPE_SECCOMP: out = print_seccomp_code(id->val); break; - case AUPARSE_TYPE_OFLAG: - out = print_open_flags(id->val); + case AUPARSE_TYPE_OFLAG: // AUDIT_OPENAT2,MQ_OPEN + out = print_open_flags(id->val, 0); break; case AUPARSE_TYPE_MMAP: out = print_mmap(id->val); @@ -3286,6 +3346,15 @@ case AUPARSE_TYPE_RESOLVE: out = print_openat2_resolve(id->val); break; + case AUPARSE_TYPE_TRUST: + out = print_trust(id->val); + break; + case AUPARSE_TYPE_FAN_TYPE: + out = print_fan_type(id->val); + break; + case AUPARSE_TYPE_FAN_INFO: + out = print_fan_info(id->val); + break; case AUPARSE_TYPE_MAC_LABEL: case AUPARSE_TYPE_UNCLASSIFIED: default: @@ -3338,8 +3407,23 @@ // Its here just in the off chance someone // actually put a control character in a key. char *dest = malloc(len + 1 + (3*cnt)); - if (dest) - key_escape(out, dest, escape_mode); + if (dest) { + // Because need_escaping was called + // terminated, we need to do the same + // incase there's a Ctl-A in the key. + // This is likely fuzzer induced. + char tmp; + str = strchr(out, AUDIT_KEY_SEPARATOR); + if (str) { + tmp = *str; + *str = 0; + key_escape(out, dest, + escape_mode); + *str = tmp; + } else + key_escape(out, dest, + escape_mode); + } free((void *)out); out = dest; } diff -Nru audit-3.0.9/auparse/Makefile.in audit-3.1.1/auparse/Makefile.in --- audit-3.0.9/auparse/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/auparse/Makefile.in 2023-04-27 17:27:00.000000000 +0000 
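Review bot: In the added key-escaping block, `out` is cut at the first `AUDIT_KEY_SEPARATOR` before `key_escape()` runs, and `out` is afterwards freed and replaced by `dest`. If `key_escape()` stops at the NUL (its body is not part of this diff), every key after the first separator disappears from the interpreted value; a test with a two-key value that contains a control character would confirm or rule this out. Independently of that, the two identical `key_escape(out, dest, escape_mode);` calls can be merged by guarding only the terminate and restore steps: `if (str) *str = 0;` before the call and `if (str) *str = AUDIT_KEY_SEPARATOR;` after it. The enclosing block starts outside the hunk.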
@@ -752,6 +752,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -832,6 +833,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/auparse/normalize.c audit-3.1.1/auparse/normalize.c --- audit-3.0.9/auparse/normalize.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/auparse/normalize.c 2023-04-27 17:26:56.000000000 +0000 @@ -1037,6 +1037,7 @@ case AUDIT_SOCKADDR ... AUDIT_MQ_GETSETATTR: case AUDIT_FD_PAIR ... AUDIT_OBJ_PID: case AUDIT_BPRM_FCAPS ... AUDIT_NETFILTER_PKT: + case AUDIT_URINGOP: kind = NORM_EVTYPE_AUDIT_RULE; break; case AUDIT_FANOTIFY: diff -Nru audit-3.0.9/auparse/normalize_record_map.h audit-3.1.1/auparse/normalize_record_map.h --- audit-3.0.9/auparse/normalize_record_map.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/auparse/normalize_record_map.h 2023-04-27 17:26:56.000000000 +0000 @@ -87,6 +87,7 @@ //_S(AUDIT_BPF, "") //_S(AUDIT_EVENT_LISTENER, "") //_S(AUDIT_OPENAT2, "") +_S(AUDIT_URINGOP, "io_uring-operation") _S(AUDIT_AVC, "accessed-mac-policy-controlled-object") _S(AUDIT_MAC_POLICY_LOAD, "loaded-selinux-policy") _S(AUDIT_MAC_STATUS, "changed-selinux-enforcement-to") diff -Nru audit-3.0.9/auparse/nvlist.c audit-3.1.1/auparse/nvlist.c --- audit-3.0.9/auparse/nvlist.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/auparse/nvlist.c 2023-04-27 17:26:56.000000000 +0000 @@ -158,9 +158,6 @@ unsigned int i = 0; register nvnode *current; - if (l->cnt == 0) - return; - while (i < l->cnt) { current = &l->array[i]; if (free_interp) { diff -Nru audit-3.0.9/auparse/test/Makefile.in audit-3.1.1/auparse/test/Makefile.in --- audit-3.0.9/auparse/test/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/auparse/test/Makefile.in 2023-04-27 17:27:00.000000000 +0000 
@@ -227,6 +227,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -307,6 +308,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/auparse/typetab.h audit-3.1.1/auparse/typetab.h --- audit-3.0.9/auparse/typetab.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/auparse/typetab.h 2023-04-27 17:26:56.000000000 +0000 @@ -1,5 +1,5 @@ /* typetab.h -- - * Copyright 2007-09,2011-12,2014-18 Red Hat Inc., Durham, North Carolina. + * Copyright 2007-09,2011-12,2014-18,2023 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -44,6 +44,7 @@ _S(AUPARSE_TYPE_GID, "inode_gid" ) _S(AUPARSE_TYPE_GID, "new_gid" ) _S(AUPARSE_TYPE_SYSCALL, "syscall" ) +_S(AUPARSE_TYPE_SYSCALL, "uring_op" ) _S(AUPARSE_TYPE_ARCH, "arch" ) _S(AUPARSE_TYPE_EXIT, "exit" ) _S(AUPARSE_TYPE_ESCAPED, "path" ) @@ -144,3 +145,7 @@ _S(AUPARSE_TYPE_ESCAPED, "root_dir" ) _S(AUPARSE_TYPE_NLMCGRP, "nl-mcgrp" ) _S(AUPARSE_TYPE_RESOLVE, "resolve" ) +_S(AUPARSE_TYPE_TRUST, "subj_trust" ) +_S(AUPARSE_TYPE_TRUST, "obj_trust" ) +_S(AUPARSE_TYPE_FAN_TYPE, "fan_type" ) +_S(AUPARSE_TYPE_FAN_INFO, "fan_info" ) diff -Nru audit-3.0.9/bindings/golang/Makefile.in audit-3.1.1/bindings/golang/Makefile.in --- audit-3.0.9/bindings/golang/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/bindings/golang/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -158,6 +158,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ 
@@ -238,6 +239,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/bindings/Makefile.in audit-3.1.1/bindings/Makefile.in --- audit-3.0.9/bindings/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/bindings/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -215,6 +215,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -295,6 +296,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/bindings/python/auparse_python.c audit-3.1.1/bindings/python/auparse_python.c --- audit-3.0.9/bindings/python/auparse_python.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/bindings/python/auparse_python.c 2023-04-27 17:26:56.000000000 +0000 @@ -362,11 +362,11 @@ case AUSOURCE_FILE_ARRAY: { int i, n; PyObject *item = NULL; - char **files = NULL; + const char **files = NULL; if (PySequence_Check(source)) { n = PySequence_Size(source); - if ((files = PyMem_New(char *, n+1)) == NULL) { + if ((files = (const char **)PyMem_New(char *, n+1)) == NULL) { PyErr_NoMemory(); return -1; } @@ -405,11 +405,11 @@ case AUSOURCE_BUFFER_ARRAY: { int i, n; PyObject *item = NULL; - char **buffers = NULL; + const char **buffers = NULL; if (PySequence_Check(source)) { n = PySequence_Size(source); - if ((buffers = PyMem_New(char *, n+1)) == NULL) { + if ((buffers = (const char **)PyMem_New(char *, n+1)) == NULL) { PyErr_NoMemory(); return -1; } diff -Nru audit-3.0.9/bindings/python/Makefile.in audit-3.1.1/bindings/python/Makefile.in --- audit-3.0.9/bindings/python/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/bindings/python/Makefile.in 2023-04-27 17:27:00.000000000 +0000 
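Review bot: `n = PySequence_Size(source)` is used unchecked in the allocation `PyMem_New(char *, n+1)`, both in the `AUSOURCE_FILE_ARRAY` hunk and in the `AUSOURCE_BUFFER_ARRAY` hunk that follows. `PySequence_Size()` returns -1 on failure, so adding `if (n < 0) return -1;` before the allocation covers that case with the exception already set. As a smaller point, `PyMem_New(const char *, n+1)` yields the right pointer type directly and makes the new `(const char **)` cast unnecessary. The enclosing function starts and ends outside both hunks.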
@@ -194,6 +194,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -274,6 +275,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/bindings/python/python2/Makefile.in audit-3.1.1/bindings/python/python2/Makefile.in --- audit-3.0.9/bindings/python/python2/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/bindings/python/python2/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -238,6 +238,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -318,6 +319,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/bindings/python/python3/Makefile.in audit-3.1.1/bindings/python/python3/Makefile.in --- audit-3.0.9/bindings/python/python3/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/bindings/python/python3/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -237,6 +237,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -317,6 +318,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/bindings/swig/Makefile.in audit-3.1.1/bindings/swig/Makefile.in --- audit-3.0.9/bindings/swig/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/bindings/swig/Makefile.in 2023-04-27 17:27:00.000000000 +0000 
@@ -217,6 +217,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -297,6 +298,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/bindings/swig/python/audit.py audit-3.1.1/bindings/swig/python/audit.py --- audit-3.0.9/bindings/swig/python/audit.py 2022-08-29 21:23:21.000000000 +0000 +++ audit-3.1.1/bindings/swig/python/audit.py 2023-04-27 17:27:05.000000000 +0000 @@ -620,6 +620,7 @@ MACH_ARM = _audit.MACH_ARM MACH_AARCH64 = _audit.MACH_AARCH64 MACH_PPC64LE = _audit.MACH_PPC64LE +MACH_IO_URING = _audit.MACH_IO_URING FAIL_IGNORE = _audit.FAIL_IGNORE FAIL_LOG = _audit.FAIL_LOG FAIL_TERMINATE = _audit.FAIL_TERMINATE @@ -673,6 +674,12 @@ def audit_syscall_to_name(sc, machine): return _audit.audit_syscall_to_name(sc, machine) +def audit_uringop_to_name(uringop): + return _audit.audit_uringop_to_name(uringop) + +def audit_name_to_uringop(uringop): + return _audit.audit_name_to_uringop(uringop) + def audit_name_to_flag(flag): return _audit.audit_name_to_flag(flag) @@ -837,6 +844,9 @@ def audit_rule_syscallbyname_data(rule, scall): return _audit.audit_rule_syscallbyname_data(rule, scall) +def audit_rule_io_uringbyname_data(rule, scall): + return _audit.audit_rule_io_uringbyname_data(rule, scall) + def audit_rule_fieldpair_data(rulep, pair, flags): return _audit.audit_rule_fieldpair_data(rulep, pair, flags) diff -Nru audit-3.0.9/bindings/swig/python/Makefile.in audit-3.1.1/bindings/swig/python/Makefile.in --- audit-3.0.9/bindings/swig/python/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/bindings/swig/python/Makefile.in 2023-04-27 17:27:00.000000000 +0000 
@@ -218,6 +218,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -298,6 +299,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/bindings/swig/python3/audit.py audit-3.1.1/bindings/swig/python3/audit.py --- audit-3.0.9/bindings/swig/python3/audit.py 2022-08-29 21:23:22.000000000 +0000 +++ audit-3.1.1/bindings/swig/python3/audit.py 2023-04-27 17:27:05.000000000 +0000 @@ -620,6 +620,7 @@ MACH_ARM = _audit.MACH_ARM MACH_AARCH64 = _audit.MACH_AARCH64 MACH_PPC64LE = _audit.MACH_PPC64LE +MACH_IO_URING = _audit.MACH_IO_URING FAIL_IGNORE = _audit.FAIL_IGNORE FAIL_LOG = _audit.FAIL_LOG FAIL_TERMINATE = _audit.FAIL_TERMINATE @@ -673,6 +674,12 @@ def audit_syscall_to_name(sc: "int", machine: "int") -> "char const *": return _audit.audit_syscall_to_name(sc, machine) +def audit_uringop_to_name(uringop: "int") -> "char const *": + return _audit.audit_uringop_to_name(uringop) + +def audit_name_to_uringop(uringop: "char const *") -> "int": + return _audit.audit_name_to_uringop(uringop) + def audit_name_to_flag(flag: "char const *") -> "int": return _audit.audit_name_to_flag(flag) 
@@ -837,6 +844,9 @@ def audit_rule_syscallbyname_data(rule: "audit_rule_data", scall: "char const *") -> "int": return _audit.audit_rule_syscallbyname_data(rule, scall) +def audit_rule_io_uringbyname_data(rule: "audit_rule_data", scall: "char const *") -> "int": + return _audit.audit_rule_io_uringbyname_data(rule, scall) + def audit_rule_fieldpair_data(rulep: "struct audit_rule_data **", pair: "char const *", flags: "int") -> "int": return _audit.audit_rule_fieldpair_data(rulep, pair, flags) diff -Nru audit-3.0.9/bindings/swig/python3/Makefile.in audit-3.1.1/bindings/swig/python3/Makefile.in --- audit-3.0.9/bindings/swig/python3/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/bindings/swig/python3/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -218,6 +218,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -298,6 +299,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/bindings/swig/src/Makefile.in audit-3.1.1/bindings/swig/src/Makefile.in --- audit-3.0.9/bindings/swig/src/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/bindings/swig/src/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -157,6 +157,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -237,6 +238,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/ChangeLog audit-3.1.1/ChangeLog --- audit-3.0.9/ChangeLog 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/ChangeLog 2023-04-27 17:26:56.000000000 +0000 
@@ -1,3 +1,21 @@ +3.1.1 +- Add user friendly keywords for signals to auditctl +- In ausearch, parse up URINGOP and DM_CTRL records +- Harden auparse to better handle corrupt logs +- Fix a CFLAGS propogation problem in the common directory +- Move the audispd af_unix plugin to a standalone program + +3.1 +- Disable ProtectControlGroups in auditd.service by default +- Fix rule checking for exclude filter +- Make audit_rule_syscallbyname_data work correctly outside of auditctl +- Add new record types +- Add io_uring support +- Add support for new FANOTIFY record fields +- Add keyword, this-hour, to ausearch/report start/end options +- Add Requires.private to audit.pc file +- Try to interpret OPENAT2 fields correctly + 3.0.9 - In auditd, release the async flush lock on stop - Don't allow auditd to log directly into /var/log when log_group is non-zero @@ -145,7 +163,7 @@ - Fix memleak in auparse caused by corrected event ordering - Fix legacy reload script to reload audit rules when daemon is reloaded - Support for unescaping in trusted messages (Dmitry Voronin) -- In auditd, use standard template for DEAMON events (Richard Guy Briggs) +- In auditd, use standard template for DAEMON events (Richard Guy Briggs) - In aureport, fix segfault for malformed USER_CMD events - Add exe field to audit_log_user_command in libaudit - In auditctl support filter on socket address families (Richard Guy Briggs) diff -Nru audit-3.0.9/common/audit-fgets.c audit-3.1.1/common/audit-fgets.c --- audit-3.0.9/common/audit-fgets.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/common/audit-fgets.c 2023-04-27 17:26:56.000000000 +0000 
@@ -1,23 +1,23 @@ -/* audit-fgets.c -- - * Copyright 2011 Red Hat Inc., Durham, North Carolina. +/* audit-fgets.c -- a replacement for glibc's fgets + * Copyright 2018,2022 Red Hat Inc. * All Rights Reserved. * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, + * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * * Authors: - * Steve Grubb + * Steve Grubb */ #include "config.h" 
@@ -38,6 +38,15 @@ return eof; } +/* This function dumps any accumulated text. This is to remove dangling text + * that never got consumed for the intended purpose. */ +void audit_fgets_clear(void) +{ + buffer[0] = 0; + current = buffer; + eof = 0; +} + /* Function to check if we have more data stored * and ready to process. If we have a newline or enough * bytes we return 1 for success. Otherwise 0 meaning that diff -Nru audit-3.0.9/common/common.h audit-3.1.1/common/common.h --- audit-3.0.9/common/common.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/common/common.h 2023-04-27 17:26:56.000000000 +0000 @@ -30,6 +30,7 @@ #endif AUDIT_HIDDEN_START +void audit_fgets_clear(void); int audit_fgets_eof(void); int audit_fgets_more(size_t blen); int audit_fgets(char *buf, size_t blen, int fd) diff -Nru audit-3.0.9/common/Makefile.am audit-3.1.1/common/Makefile.am --- audit-3.0.9/common/Makefile.am 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/common/Makefile.am 2023-04-27 17:26:56.000000000 +0000 @@ -1,5 +1,5 @@ # Makefile.am-- -# Copyright 2018 Red Hat Inc., Durham, North Carolina. +# Copyright 2018-2023 Red Hat Inc. # All Rights Reserved. # # This program is free software; you can redistribute it and/or modify @@ -22,7 +22,8 @@ # CONFIG_CLEAN_FILES = *.rej *.orig -AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib +AM_CFLAGS = -fPIC -DPIC -D_GNU_SOURCE -g +AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib noinst_HEADERS = common.h libaucommon_la_DEPENDENCIES = ../config.h diff -Nru audit-3.0.9/common/Makefile.in audit-3.1.1/common/Makefile.in --- audit-3.0.9/common/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/common/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -15,7 +15,7 @@ @SET_MAKE@ # Makefile.am-- -# Copyright 2018 Red Hat Inc., Durham, North Carolina. +# Copyright 2018-2023 Red Hat Inc. # All Rights Reserved. # # This program is free software; you can redistribute it and/or modify 
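Review bot: The comment on `audit_fgets_clear()` in the hunk at `@@ -38,6 +38,15 @@` does not say that the function discards state shared by every caller of `audit_fgets()`. It writes `buffer`, `current` and `eof` directly, and these look like file-scope variables declared outside this hunk, with no locking visible here. I would extend the comment along the lines of `/* Resets the single shared read buffer and the EOF flag. Call it only when no reader is part-way through a line, e.g. before switching descriptors. Not thread-safe. */`. Only `buffer[0]` is zeroed, so earlier log text stays in memory past the first byte; that is harmless only if every reader is bounded by `current`, which should be confirmed against `audit_fgets_more()` and `audit_fgets()`.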
@@ -209,6 +209,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -289,6 +290,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ @@ -359,7 +361,8 @@ top_srcdir = @top_srcdir@ use_python3 = @use_python3@ CONFIG_CLEAN_FILES = *.rej *.orig -AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib +AM_CFLAGS = -fPIC -DPIC -D_GNU_SOURCE -g +AM_CPPFLAGS = -I${top_srcdir} -I${top_srcdir}/lib noinst_HEADERS = common.h libaucommon_la_DEPENDENCIES = ../config.h libaucommon_la_SOURCES = audit-fgets.c strsplit.c diff -Nru audit-3.0.9/config.h.in audit-3.1.1/config.h.in --- audit-3.0.9/config.h.in 2022-08-29 21:23:16.000000000 +0000 +++ audit-3.1.1/config.h.in 2023-04-27 17:27:00.000000000 +0000 @@ -211,3 +211,6 @@ /* Define if you want to enable Arm eabi processor support. */ #undef WITH_ARM + +/* Define if you want to enable io_uring support. */ +#undef WITH_IO_URING diff -Nru audit-3.0.9/configure audit-3.1.1/configure --- audit-3.0.9/configure 2022-08-29 21:23:16.000000000 +0000 +++ audit-3.1.1/configure 2023-04-27 17:26:59.000000000 +0000 @@ -1,7 +1,7 @@ #! /bin/sh # From configure.ac Revision: 1.3 . # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for audit 3.0.9. +# Generated by GNU Autoconf 2.71 for audit 3.1.1. # # # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, @@ -619,8 +619,8 @@ # Identity of this package. PACKAGE_NAME='audit' PACKAGE_TARNAME='audit' -PACKAGE_VERSION='3.0.9' -PACKAGE_STRING='audit 3.0.9' +PACKAGE_VERSION='3.1.1' +PACKAGE_STRING='audit 3.1.1' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -662,6 +662,7 @@ LIBOBJS LIBWRAP_LIBS DEBUG +CAPNG_PKG CAPNG_LDADD USE_AARCH64_FALSE USE_AARCH64_TRUE 
@@ -685,6 +686,7 @@ HAVE_GOLANG_TRUE GOROOT GOLANG +SWIG USE_PYTHON3_FALSE USE_PYTHON3_TRUE py3execdir @@ -870,6 +872,7 @@ with_aarch64 with_apparmor with_libwrap +with_io_uring with_libcap_ng ' ac_precious_vars='build_alias @@ -1431,7 +1434,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures audit 3.0.9 to adapt to many kinds of systems. +\`configure' configures audit 3.1.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1503,7 +1506,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of audit 3.0.9:";; + short | recursive ) echo "Configuration of audit 3.1.1:";; esac cat <<\_ACEOF @@ -1553,6 +1556,7 @@ --with-aarch64 enable Aarch64 processor support --with-apparmor enable AppArmor events --with-libwrap=PATH Compile in libwrap (tcp_wrappers) support. + --with-io_uring enable io_uring support --with-libcap-ng=auto/yes/no Add Libcap-ng support default=auto Some influential environment variables: @@ -1635,7 +1639,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -audit configure 3.0.9 +audit configure 3.1.1 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2292,7 +2296,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by audit $as_me 3.0.9, which was +It was created by audit $as_me 3.1.1, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3683,7 +3687,7 @@ # Define the identity of the package. PACKAGE='audit' - VERSION='3.0.9' + VERSION='3.1.1' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h 
@@ -15675,83 +15679,6 @@ echo . echo Checking for header files -# Autoupdate added the next two lines to ensure that your configure -# script's behavior did not change. They are probably safe to remove. - -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 -printf %s "checking for egrep... " >&6; } -if test ${ac_cv_path_EGREP+y} -then : - printf %s "(cached) " >&6 -else $as_nop - if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 - then ac_cv_path_EGREP="$GREP -E" - else - if test -z "$EGREP"; then - ac_path_EGREP_found=false - # Loop through the user's path and test for each of PROGNAME-LIST - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin -do - IFS=$as_save_IFS - case $as_dir in #((( - '') as_dir=./ ;; - */) ;; - *) as_dir=$as_dir/ ;; - esac - for ac_prog in egrep - do - for ac_exec_ext in '' $ac_executable_extensions; do - ac_path_EGREP="$as_dir$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_EGREP" || continue -# Check for GNU ac_path_EGREP and select it if it is found. 
- # Check for GNU $ac_path_EGREP -case `"$ac_path_EGREP" --version 2>&1` in -*GNU*) - ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; -*) - ac_count=0 - printf %s 0123456789 >"conftest.in" - while : - do - cat "conftest.in" "conftest.in" >"conftest.tmp" - mv "conftest.tmp" "conftest.in" - cp "conftest.in" "conftest.nl" - printf "%s\n" 'EGREP' >> "conftest.nl" - "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break - diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break - as_fn_arith $ac_count + 1 && ac_count=$as_val - if test $ac_count -gt ${ac_path_EGREP_max-0}; then - # Best one so far, save it but keep looking for a better one - ac_cv_path_EGREP="$ac_path_EGREP" - ac_path_EGREP_max=$ac_count - fi - # 10*(2^10) chars as input seems more than enough - test $ac_count -gt 10 && break - done - rm -f conftest.in conftest.tmp conftest.nl conftest.out;; -esac - - $ac_path_EGREP_found && break 3 - done - done - done -IFS=$as_save_IFS - if test -z "$ac_cv_path_EGREP"; then - as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 - fi -else - ac_cv_path_EGREP=$EGREP -fi - - fi -fi -{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 -printf "%s\n" "$ac_cv_path_EGREP" >&6; } - EGREP="$ac_cv_path_EGREP" - - - # Obsolete code to be removed. @@ -16539,8 +16466,8 @@ if test "x$use_python" = xyes ; then as_fn_error $? "Python explicitly requested and python headers were not found" "$LINENO" 5 else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: \"Python headers not found - python bindings will not be made\"" >&5 -printf "%s\n" "$as_me: WARNING: \"Python headers not found - python bindings will not be made\"" >&2;} + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Python headers not found - python bindings will not be made" >&5 +printf "%s\n" "$as_me: WARNING: Python headers not found - python bindings will not be made" >&2;} fi fi fi 
@@ -16708,6 +16635,56 @@ fi +if test "x$use_python" = "xyes" || test "x$use_python3" = "xyes" ; then + # Extract the first word of "swig", so it can be a program name with args. +set dummy swig; ac_word=$2 +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +printf %s "checking for $ac_word... " >&6; } +if test ${ac_cv_prog_SWIG+y} +then : + printf %s "(cached) " >&6 +else $as_nop + if test -n "$SWIG"; then + ac_cv_prog_SWIG="$SWIG" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + case $as_dir in #((( + '') as_dir=./ ;; + */) ;; + *) as_dir=$as_dir/ ;; + esac + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then + ac_cv_prog_SWIG="swig" + printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + test -z "$ac_cv_prog_SWIG" && ac_cv_prog_SWIG="no" +fi +fi +SWIG=$ac_cv_prog_SWIG +if test -n "$SWIG"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $SWIG" >&5 +printf "%s\n" "$SWIG" >&6; } +else + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } +fi + + + if test x"$SWIG" == x"no" +then : + as_fn_error $? "Please install swig before configuring (required by python/python3)." "$LINENO" 5 +fi +fi + withval="" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether to create Go language bindings" >&5 printf %s "checking whether to create Go language bindings... " >&6; } 
@@ -16786,8 +16763,8 @@ if test "x$use_golang" = xyes ; then as_fn_error $? "Go language explicitly requested and program not found" "$LINENO" 5 else - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: \"Go not found - go bindings will not be made\"" >&5 -printf "%s\n" "$as_me: WARNING: \"Go not found - go bindings will not be made\"" >&2;} + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Go not found - go bindings will not be made" >&5 +printf "%s\n" "$as_me: WARNING: Go not found - go bindings will not be made" >&2;} fi fi @@ -17479,6 +17456,27 @@ fi +withval="" +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether to include io_uring support" >&5 +printf %s "checking whether to include io_uring support... " >&6; } + +# Check whether --with-io_uring was given. +if test ${with_io_uring+y} +then : + withval=$with_io_uring; use_io_uring=$withval +else $as_nop + use_io_uring=no +fi + +if test x$use_io_uring != xno ; then + +printf "%s\n" "#define WITH_IO_URING 1" >>confdefs.h + +fi +# AM_CONDITIONAL(USE_IO_URING, test x$use_io_uring = xyes) +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $use_io_uring" >&5 +printf "%s\n" "$use_io_uring" >&6; } + # linux/ipx.h - deprecated in 2018 ac_fn_c_check_header_compile "$LINENO" "linux/ipx.h" "ac_cv_header_linux_ipx_h" "$ac_includes_default" if test "x$ac_cv_header_linux_ipx_h" = xyes @@ -17580,6 +17578,8 @@ printf "%s\n" "#define HAVE_LIBCAP_NG 1" >>confdefs.h + CAPNG_PKG="libcap-ng" + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } else 
@@ -17592,7 +17592,7 @@ #AC_SUBST(libev_LIBS) -ac_config_files="$ac_config_files Makefile common/Makefile lib/Makefile lib/audit.pc lib/test/Makefile auparse/Makefile auparse/test/Makefile auparse/auparse.pc src/Makefile src/libev/Makefile src/test/Makefile docs/Makefile rules/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile audisp/plugins/syslog/Makefile audisp/plugins/ids/Makefile audisp/plugins/ids/rules/Makefile audisp/plugins/statsd/Makefile bindings/Makefile bindings/python/Makefile bindings/python/python2/Makefile bindings/python/python3/Makefile bindings/golang/Makefile bindings/swig/Makefile bindings/swig/src/Makefile bindings/swig/python/Makefile bindings/swig/python3/Makefile tools/Makefile tools/aulast/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile tools/auvirt/Makefile m4/Makefile" +ac_config_files="$ac_config_files Makefile common/Makefile lib/Makefile lib/audit.pc lib/test/Makefile auparse/Makefile auparse/test/Makefile auparse/auparse.pc src/Makefile src/libev/Makefile src/test/Makefile docs/Makefile rules/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/af_unix/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile audisp/plugins/syslog/Makefile audisp/plugins/ids/Makefile audisp/plugins/ids/rules/Makefile audisp/plugins/statsd/Makefile bindings/Makefile bindings/python/Makefile bindings/python/python2/Makefile bindings/python/python3/Makefile bindings/golang/Makefile bindings/swig/Makefile bindings/swig/src/Makefile bindings/swig/python/Makefile bindings/swig/python3/Makefile tools/Makefile tools/aulast/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile tools/auvirt/Makefile m4/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure 
@@ -17688,6 +17688,7 @@ ac_libobjs= ac_ltlibobjs= +U= for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue # 1. Remove the extension, and $U if already installed. ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' @@ -18176,7 +18177,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by audit $as_me 3.0.9, which was +This file was extended by audit $as_me 3.1.1, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -18244,7 +18245,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -audit config.status 3.0.9 +audit config.status 3.1.1 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" @@ -18677,7 +18678,7 @@ "init.d/Makefile") CONFIG_FILES="$CONFIG_FILES init.d/Makefile" ;; "audisp/Makefile") CONFIG_FILES="$CONFIG_FILES audisp/Makefile" ;; "audisp/plugins/Makefile") CONFIG_FILES="$CONFIG_FILES audisp/plugins/Makefile" ;; - "audisp/plugins/builtins/Makefile") CONFIG_FILES="$CONFIG_FILES audisp/plugins/builtins/Makefile" ;; + "audisp/plugins/af_unix/Makefile") CONFIG_FILES="$CONFIG_FILES audisp/plugins/af_unix/Makefile" ;; "audisp/plugins/remote/Makefile") CONFIG_FILES="$CONFIG_FILES audisp/plugins/remote/Makefile" ;; "audisp/plugins/zos-remote/Makefile") CONFIG_FILES="$CONFIG_FILES audisp/plugins/zos-remote/Makefile" ;; "audisp/plugins/syslog/Makefile") CONFIG_FILES="$CONFIG_FILES audisp/plugins/syslog/Makefile" ;; diff -Nru audit-3.0.9/configure.ac audit-3.1.1/configure.ac --- audit-3.0.9/configure.ac 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/configure.ac 2023-04-27 17:26:56.000000000 +0000 
@@ -1,7 +1,7 @@ dnl define([AC_INIT_NOTICE], [### Generated automatically using autoconf version] AC_ACVERSION [ -### Copyright 2005-22 Steve Grubb +### Copyright 2005-23 Steve Grubb ### ### Permission is hereby granted, free of charge, to any person obtaining a ### copy of this software and associated documentation files (the "Software"), @@ -29,16 +29,16 @@ ]) AC_REVISION($Revision: 1.3 $)dnl -AC_INIT(audit,3.0.9) -AC_PREREQ(2.12)dnl -AM_CONFIG_HEADER(config.h) +AC_INIT([audit], [3.1.1]) +AC_PREREQ([2.50])dnl +AC_CONFIG_HEADERS([config.h]) echo Configuring auditd $VERSION AC_CONFIG_MACRO_DIR([m4]) AC_CANONICAL_TARGET AM_INIT_AUTOMAKE -AM_PROG_LIBTOOL +LT_INIT AC_SUBST(LIBTOOL_DEPS) OLDLIBS="$LIBS" m4_include([src/libev/libev.m4]) @@ -55,7 +55,6 @@ echo . echo Checking for header files -AC_HEADER_STDC AC_HEADER_TIME AC_CHECK_SIZEOF([unsigned int]) @@ -157,7 +156,7 @@ if test "x$use_python" = xyes ; then AC_MSG_ERROR([Python explicitly requested and python headers were not found]) else - AC_MSG_WARN("Python headers not found - python bindings will not be made") + AC_MSG_WARN(Python headers not found - python bindings will not be made) fi fi fi @@ -209,6 +208,11 @@ fi AM_CONDITIONAL(USE_PYTHON3, test ${use_python3} = "yes") +if test "x$use_python" = "xyes" || test "x$use_python3" = "xyes" ; then + AC_CHECK_PROG([SWIG],[swig],[swig], [no]) + AS_IF([test x"$SWIG" == x"no"], [AC_MSG_ERROR([Please install swig before configuring (required by python/python3).])]) +fi + withval="" AC_MSG_CHECKING(whether to create Go language bindings) AC_ARG_WITH(golang, @@ -232,7 +236,7 @@ if test "x$use_golang" = xyes ; then AC_MSG_ERROR([Go language explicitly requested and program not found]) else - AC_MSG_WARN("Go not found - go bindings will not be made") + AC_MSG_WARN(Go not found - go bindings will not be made) fi ]) fi 
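Review bot: The argument of `AC_MSG_WARN` in the hunk at `@@ -157,7 +156,7 @@` is now unquoted, so m4 expands any macro name that happens to appear in the message, and a comma added later would split it into extra arguments. The neighbouring `AC_MSG_ERROR` calls already use brackets, and the same form fits here: `AC_MSG_WARN([Python headers not found - python bindings will not be made])`. The Go warning in the hunk at `@@ -232,7 +236,7 @@` has the same shape and would become `AC_MSG_WARN([Go not found - go bindings will not be made])`.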
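Review bot: `test x"$SWIG" == x"no"` in the hunk at `@@ -209,6 +208,11 @@` uses `==`, which POSIX `test` does not define. Under a `/bin/sh` whose `test` rejects that operator (dash, as far as I know), the comparison exits with an error status, so the `AS_IF` body never runs and a missing swig is not reported at configure time. The portable form is `AS_IF([test x"$SWIG" = x"no"], [AC_MSG_ERROR([Please install swig before configuring (required by python/python3).])])`. The generated `configure` in this diff carries the same `==` and picks up the fix on regeneration.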
@@ -434,8 +438,9 @@ LIBWRAP_LIBS="$LIBWRAP_LIBS -lnsl" ]) OLDLIBS="$LIBS" LIBS="$LIBWRAP_LIBS $LIBS" - AC_TRY_LINK([ int allow_severity; int deny_severity; ], - [ hosts_access(); ], [], + AC_LINK_IFELSE([AC_LANG_PROGRAM( + [[ int allow_severity; int deny_severity; ]], + [[ hosts_access(); ]])],[], [ AC_MSG_ERROR(Could not find the $withval library. You must first install tcp_wrappers.) ]) LIBS="$OLDLIBS" ;; @@ -446,6 +451,18 @@ AC_DEFINE_UNQUOTED(HAVE_LIBWRAP, [], Define if tcp_wrappers support is enabled ) fi +withval="" +AC_MSG_CHECKING(whether to include io_uring support) +AC_ARG_WITH(io_uring, +AS_HELP_STRING([--with-io_uring],[enable io_uring support]), +use_io_uring=$withval, +use_io_uring=no) +if test x$use_io_uring != xno ; then + AC_DEFINE(WITH_IO_URING,1,[Define if you want to enable io_uring support.]) +fi +# AM_CONDITIONAL(USE_IO_URING, test x$use_io_uring = xyes) +AC_MSG_RESULT($use_io_uring) + # linux/ipx.h - deprecated in 2018 AC_CHECK_HEADER(linux/ipx.h, ipx_headers=yes, ipx_headers=no) if test $ipx_headers = yes ; then 
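Review bot: The link-test body in the hunk at `@@ -434,8 +438,9 @@` still calls `hosts_access();` with no declaration in scope, which is an implicit function declaration. A compiler that rejects implicit declarations fails the test for that reason alone, and configure then reports that tcp_wrappers is missing even when it is installed. Putting `#include <tcpd.h>` on its own line at the top of the prologue and calling `hosts_access(0);` in the body keeps the probe about linking only. The enclosing `case` starts outside the hunk.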
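Review bot: `test x$use_io_uring != xno` in the hunk at `@@ -446,6 +451,18 @@` leaves the user-supplied value unquoted and treats every value other than `no` as a request to enable the feature. Quoting the operand, `if test "x$use_io_uring" != xno ; then`, keeps a `--with-io_uring=` value containing spaces from becoming a shell syntax error. `WITH_IO_URING` is also defined without any probe that the build headers provide the io_uring audit definitions. If the code behind the macro needs them, a header check before `AC_DEFINE` would give a configure-time error instead of a compile failure; that code is not in this hunk.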
@@ -459,7 +476,8 @@ AC_SUBST(LIBWRAP_LIBS) #AC_SUBST(libev_LIBS) -AC_OUTPUT(Makefile common/Makefile lib/Makefile lib/audit.pc lib/test/Makefile auparse/Makefile auparse/test/Makefile auparse/auparse.pc src/Makefile src/libev/Makefile src/test/Makefile docs/Makefile rules/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/builtins/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile audisp/plugins/syslog/Makefile audisp/plugins/ids/Makefile audisp/plugins/ids/rules/Makefile audisp/plugins/statsd/Makefile bindings/Makefile bindings/python/Makefile bindings/python/python2/Makefile bindings/python/python3/Makefile bindings/golang/Makefile bindings/swig/Makefile bindings/swig/src/Makefile bindings/swig/python/Makefile bindings/swig/python3/Makefile tools/Makefile tools/aulast/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile tools/auvirt/Makefile m4/Makefile) +AC_CONFIG_FILES(Makefile common/Makefile lib/Makefile lib/audit.pc lib/test/Makefile auparse/Makefile auparse/test/Makefile auparse/auparse.pc src/Makefile src/libev/Makefile src/test/Makefile docs/Makefile rules/Makefile init.d/Makefile audisp/Makefile audisp/plugins/Makefile audisp/plugins/af_unix/Makefile audisp/plugins/remote/Makefile audisp/plugins/zos-remote/Makefile audisp/plugins/syslog/Makefile audisp/plugins/ids/Makefile audisp/plugins/ids/rules/Makefile audisp/plugins/statsd/Makefile bindings/Makefile bindings/python/Makefile bindings/python/python2/Makefile bindings/python/python3/Makefile bindings/golang/Makefile bindings/swig/Makefile bindings/swig/src/Makefile bindings/swig/python/Makefile bindings/swig/python3/Makefile tools/Makefile tools/aulast/Makefile tools/aulastlog/Makefile tools/ausyscall/Makefile tools/auvirt/Makefile m4/Makefile) +AC_OUTPUT echo . 
echo " diff -Nru audit-3.0.9/debian/auditd.install audit-3.1.1/debian/auditd.install --- audit-3.0.9/debian/auditd.install 2023-02-09 09:36:04.000000000 +0000 +++ audit-3.1.1/debian/auditd.install 2023-07-10 08:19:11.000000000 +0000 @@ -4,6 +4,7 @@ etc/audit/plugins.d/syslog.conf etc/audit/rules.d/audit.rules init.d/auditd.service lib/systemd/system +sbin/audisp-af_unix sbin/audisp-syslog sbin/auditctl sbin/auditd @@ -19,6 +20,7 @@ usr/share/man/man5/auditd.conf.5 usr/share/man/man5/ausearch-expression.5 usr/share/man/man7/audit.rules.7 +usr/share/man/man8/audisp-af_unix.8 usr/share/man/man8/audisp-syslog.8 usr/share/man/man8/auditctl.8 usr/share/man/man8/auditd.8 diff -Nru audit-3.0.9/debian/changelog audit-3.1.1/debian/changelog --- audit-3.0.9/debian/changelog 2023-02-09 09:36:04.000000000 +0000 +++ audit-3.1.1/debian/changelog 2023-07-10 08:19:11.000000000 +0000 @@ -1,3 +1,17 @@ +audit (1:3.1.1-1) unstable; urgency=medium + + [ Christian Göttsche ] + * Bump to debhelper compat level 13 + + [ Laurent Bigonville ] + * New upstream release + - debian/patches/02-restorecon-path.patch: Refresh + - debian/auditd.install: Install new audisp-af_unix executable + - debian/libaudit1.symbols: Add newly exported symbols + * debian/patches/03-Set-log_group-adm.patch: Tag as Forwarded: not-needed + + -- Laurent Bigonville Mon, 10 Jul 2023 10:19:11 +0200 + audit (1:3.0.9-1) unstable; urgency=medium * Add missing debian/changelog entry diff -Nru audit-3.0.9/debian/control audit-3.1.1/debian/control --- audit-3.0.9/debian/control 2023-02-09 09:36:04.000000000 +0000 +++ audit-3.1.1/debian/control 2023-07-10 08:19:11.000000000 +0000 
@@ -1,7 +1,7 @@ Source: audit Priority: optional Maintainer: Laurent Bigonville -Build-Depends: debhelper-compat (= 12), +Build-Depends: debhelper-compat (= 13), dh-python , # dh-golang, dpkg-dev (>= 1.16.1~), diff -Nru audit-3.0.9/debian/libaudit1.symbols audit-3.1.1/debian/libaudit1.symbols --- audit-3.0.9/debian/libaudit1.symbols 2023-02-09 09:36:04.000000000 +0000 +++ audit-3.1.1/debian/libaudit1.symbols 2023-07-10 08:19:11.000000000 +0000 @@ -52,6 +52,7 @@ audit_name_to_machine@Base 1:2.2.1 audit_name_to_msg_type@Base 1:2.2.1 audit_name_to_syscall@Base 1:2.2.1 + audit_name_to_uringop@Base 1:3.1.1 audit_number_to_errmsg@Base 1:2.2.1 audit_open@Base 1:2.2.1 audit_operator_to_symbol@Base 1:2.2.1 @@ -66,6 +67,7 @@ audit_rule_free_data@Base 1:2.2.1 audit_rule_init_data@Base 1:3.0~alpha9 audit_rule_interfield_comp_data@Base 1:2.2.1 + audit_rule_io_uringbyname_data@Base 1:3.1.1 audit_rule_syscall_data@Base 1:2.2.1 audit_rule_syscallbyname_data@Base 1:2.2.1 audit_send@Base 1:2.2.1 @@ -81,6 +83,7 @@ audit_syscall_to_name@Base 1:2.2.1 audit_trim_subtrees@Base 1:2.2.1 audit_update_watch_perms@Base 1:2.2.1 + audit_uringop_to_name@Base 1:3.1.1 audit_value_needs_encoding@Base 1:2.2.1 get_auditfail_action@Base 1:2.2.1 set_aumessage_mode@Base 1:2.2.1 diff -Nru audit-3.0.9/debian/not-installed audit-3.1.1/debian/not-installed --- audit-3.0.9/debian/not-installed 2023-02-09 09:36:04.000000000 +0000 +++ audit-3.1.1/debian/not-installed 2023-07-10 08:19:11.000000000 +0000 
@@ -1,2 +1,10 @@ # These are already installed by dh_installexamples usr/share/audit/sample-rules/ +# la files +lib/*/libaudit.la +lib/*/libauparse.la +usr/lib/python*/*-packages/_audit.la +usr/lib/python*/*-packages/auparse.la +# python caches +usr/lib/python*/*-packages/__pycache__/ +usr/lib/python*/*-packages/__pycache__/ diff -Nru audit-3.0.9/debian/patches/02-restorecon-path.patch audit-3.1.1/debian/patches/02-restorecon-path.patch --- audit-3.0.9/debian/patches/02-restorecon-path.patch 2023-02-09 09:36:04.000000000 +0000 +++ audit-3.1.1/debian/patches/02-restorecon-path.patch 2023-07-10 08:19:11.000000000 +0000 @@ -2,10 +2,10 @@ Author: Laurent Bigonville Forwarded: not-needed ---- audit.orig/init.d/augenrules -+++ audit/init.d/augenrules -@@ -127,8 +127,8 @@ fi - cp ${TmpRules} ${DestinationFile} +--- a/init.d/augenrules ++++ b/init.d/augenrules +@@ -128,8 +128,8 @@ fi + cp "${TmpRules}" ${DestinationFile} chmod 0640 ${DestinationFile} # Restore context on MLS system. /tmp is SystemLow & audit.rules is SystemHigh -if [ -x /usr/sbin/restorecon ] ; then @@ -13,5 +13,5 @@ +if [ -x /sbin/restorecon ] ; then + /sbin/restorecon -F ${DestinationFile} fi - rm -f ${TmpRules} + rm -f "${TmpRules}" diff -Nru audit-3.0.9/debian/patches/03-Set-log_group-adm.patch audit-3.1.1/debian/patches/03-Set-log_group-adm.patch --- audit-3.0.9/debian/patches/03-Set-log_group-adm.patch 2023-02-09 09:36:04.000000000 +0000 +++ audit-3.1.1/debian/patches/03-Set-log_group-adm.patch 2023-07-10 08:19:11.000000000 +0000 @@ -1,6 +1,7 @@ From: Nicolas Braud-Santoni Date: Thu, 28 Jul 2016 16:49:18 +0200 Subject: Set log_group=adm +Forwarded: not-needed --- init.d/auditd.conf | 2 +- diff -Nru audit-3.0.9/docs/auditctl.8 audit-3.1.1/docs/auditctl.8 --- audit-3.0.9/docs/auditctl.8 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/docs/auditctl.8 2023-04-27 17:26:56.000000000 +0000 
@@ -1,4 +1,4 @@ -.TH AUDITCTL "8" "July 2021" "Red Hat" "System Administration Utilities" +.TH AUDITCTL "8" "Feb 2023" "Red Hat" "System Administration Utilities" .SH NAME auditctl \- a utility to assist controlling the kernel's audit system .SH SYNOPSIS @@ -50,11 +50,13 @@ Reset the lost record counter shown by the status command. .TP .BI \-R\ file -Read rules from a \fIfile\fP. The rules must be 1 per line and in the order that they are to be executed in. The rule file must be owned by root and not readable by other users or it will be rejected. The rule file may have comments embedded by starting the line with a '#' character. Rules that are read from a file are identical to what you would type on a command line except they are not preceded by auditctl (since auditctl is the one executing the file) and you would not use shell escaping since auditctl is reading the file instead of bash. +Read and execute auditctl commands from a \fIfile\fP. The commands are executed line-by-line, in the order that they appear in the file. The file must be owned by root and not readable by other users, or else it will be rejected. Empty lines are skipped. Lines starting with the '#' character are treated as comment lines. Each line is executed as if it was provided to auditctl as command line arguments. Since auditctl is the one reading the file and not a shell such as bash, do not escape special shell characters. See the EXAMPLES section for an example. .TP .BI \-\-signal\ signal Send a signal to the audit daemon. You must have privileges to do this. Supported signals are -.I TERM, HUP, USR1, USR2, CONT. +.I TERM, HUP, USR1, USR2, CONT + and user friendly versions +.I stop, reload, rotate, resume, state. .TP .BI \-t Trim the subtrees after a mount command. 
@@ -92,6 +94,9 @@ .TP .B filesystem Add a rule that will be applied to a whole filesystem. The filesystem must be identified with a fstype field. Normally this filter is used to exclude any events for a whole filesystem such as tracefs or debugfs. +.TP +.B io_uring +Add a rule to the io_uring syscall filter. Rules against this filter specify the syscall operation using the -S syscall notion explained below. You can add a key field to the rule so that it may be grouped with other rules watching the same underlying syscall. .RE The following describes the valid \fIactions\fP for the rule: @@ -163,6 +168,9 @@ .B fsgid Filesystem Group ID. May be numeric or the groups name. .TP +.B fstype +File system type. This is used with the filesystem rule list. The only values supported are debugfs and tracefs. +.TP .B fsuid Filesystem User ID. May be numeric or the user account name. .TP @@ -330,6 +338,15 @@ .B auditctl \-a always,exit \-F dir=/home/ \-F uid=0 \-C auid!=obj_uid .fi +This is an example rules file: + +.nf +# Remove all existing rules +\-D +# Never record sudo invocations +\-A exclude,always \-F exe=/usr/bin/sudo +.fi + .SH DISABLED BY DEFAULT On many systems auditd is configured to install an diff -Nru audit-3.0.9/docs/auditd-plugins.5 audit-3.1.1/docs/auditd-plugins.5 --- audit-3.0.9/docs/auditd-plugins.5 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/docs/auditd-plugins.5 2023-04-27 17:26:56.000000000 +0000 @@ -1,4 +1,4 @@ -.TH AUDITD-PLUGINS "5" "Aug 2022" "Red Hat" "System Administration Utilities" +.TH AUDITD-PLUGINS "5" "Apr 2023" "Red Hat" "System Administration Utilities" .SH NAME auditd-plugins \- realtime event receivers .SH DESCRIPTION 
@@ -32,15 +32,9 @@ This is the absolute path to the plugin executable. In the case of internal plugins, it would be the name of the plugin. .TP .I type -This tells the dispatcher how the plugin wants to be run. Choices are +This tells the dispatcher how the plugin wants to be run. There is currently only one option, .IR builtin -and -.IR always. -.IR Builtin -should always be given for plugins that are internal to the audit event dispatcher. These are af_unix and syslog. The option -.IR always -should be given for most if not all plugins. The default setting is -.IR always. +, which is the default setting. .TP .I args This allows you to pass arguments to the child program. Generally plugins do not take arguments and have their own config file that instructs them how they should be configured. At the moment, there is a limit of 2 args. 
@@ -66,12 +60,21 @@ auditctl -s When tuning the audit system's performance, you'd want to check both kernel and auditd metrics and adjust accordingly. + +.SH NOTES FOR DEVELOPERS +When the audit daemon starts your plugin, you will be running as root. If you do not need root privileges, you should change uid/gid to lower chances of being a target for exploit. If you need to retain capabilities, using \fBlibcap-ng\fP is the simplest way. + +Your environment is not going to be clean. You are inheriting many attributes from auditd itself. You will need to adjust your \fBsignal mask\fP, \fBsigaction\fP, \fBumask\fP, and \fBenvironmental variables\fP. Look at the auditd man page to see which signals auditd used. Plugins are expected to handle \fBSIGTERM\fP and \fBSIGHUP\fP. You will also inherit the resource limits of auditd. Note that some of these resource limits, such as maximum number of open descriptors, are controlled by systemd. You also inherit auditd's nice value. You might want to adjust that to be sure to keep up with incoming audit events. + +Auditd will send events to the plugin on it's \fBstdin\fP. The plugin has to keep this descriptor empty so that events don't back up. If you do significant processing of each event, you should add an internal queue to your design in order to keep events flowing. The \fBauparse_feed\fP function is the preferred way to examine whole events if you need to analyze the contents of the events. .SH FILES /etc/auditd/auditd.conf /etc/audit/plugins.d .SH "SEE ALSO" .BR auditd.conf (5), -.BR auditd (8). +.BR auditd (8), +.BR execve(2), +.BR auparse_feed(3). .SH AUTHOR Steve Grubb diff -Nru audit-3.0.9/docs/audit.rules.7 audit-3.1.1/docs/audit.rules.7 --- audit-3.0.9/docs/audit.rules.7 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/docs/audit.rules.7 2023-04-27 17:26:56.000000000 +0000 
@@ -1,4 +1,4 @@ -.TH AUDIT.RULES "7" "Jan 2019" "Red Hat" "System Administration Utilities" +.TH AUDIT.RULES "7" "Feb 2023" "Red Hat" "System Administration Utilities" .SH NAME audit.rules \- a set of rules loaded in the kernel audit system .SH DESCRIPTION @@ -43,7 +43,7 @@ .SS System Call The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible. -The Linux kernel has 5 rule matching lists or filters as they are sometimes called. They are: task, exit, user, exclude, and filesystem. The task list is checked only during the fork or clone syscalls. It is rarely used in practice. +The Linux kernel has 6 rule matching lists or filters as they are sometimes called. They are: task, exit, user, exclude, filesystem, and io_uring. The task list is checked only during the fork or clone syscalls. It is rarely used in practice. The exit filter is the place where all syscall and file system audit requests are evaluated. @@ -51,6 +51,8 @@ The exclude filter is used to exclude certain events from being emitted. The msgtype and a number of subject attribute fields can be used to tell the kernel which message types you do not want to record. This filter can remove the event as a whole and is not selective about any other attribute. The user and exit filters are better suited to selectively auditing events. The action is ignored for this filter, defaulting to "never". +The io_uring filter is used to watch underlying syscalls performed by io_uring operations. + Syscall rules take the general form of: .nf 
@@ -71,7 +73,7 @@ .RE The action and list are separated by a comma but no space in between. Valid lists are: -.IR task ", " exit ", " user ", " exclude ", and " filesystem ". Their meaning was explained earlier. +.IR task ", " exit ", " user ", " exclude ", " filesystem ", and "io_uring ". Their meaning was explained earlier. Next in the rule would normally be the .B \-S @@ -172,6 +174,12 @@ .B \-a always,exit \-F arch=b64 \-S open \-S openat \-S openat2 \-F exit=\-EPERM \-k access .fi +.SH IO_URING RULES +Io_uring rules do not take an arch field. It is implicit in the specification of the filter. The following example rule watches for file opens through the io_uring subsystem: + +.nf +.B \-a always,io_uring \-S openat \-S openat2 \-F key=access + .SH HARD WIRED EVENTS If auditing is enabled, then you can get any event that is not caused by syscall or file watch rules (because you don't have any rules loaded). So, that means, any event from 1100-1299, 1326, 1328, 1331 and higher can be emitted. The reason that there are a number of events that are hardwired is because they are required by regulatory compliance and are sent automatically as a convenience. (For example, logon/logoff is a mandatory event in all security guidance.) If you don't want this, you can use the exclude filter to drop events that you do not want. diff -Nru audit-3.0.9/docs/auparse_init.3 audit-3.1.1/docs/auparse_init.3 --- audit-3.0.9/docs/auparse_init.3 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/docs/auparse_init.3 2023-04-27 17:26:56.000000000 +0000 @@ -1,4 +1,4 @@ -.TH "AUPARSE_INIT" "3" "Feb 2007" "Red Hat" "Linux Audit API" +.TH "AUPARSE_INIT" "3" "Jan 2023" "Red Hat" "Linux Audit API" .SH NAME auparse_init \- initialize an instance of the audit parsing library .SH "SYNOPSIS" 
@@ -23,6 +23,8 @@ The pointer 'b' is used to set the file name, array of filenames, the buffer address, or an array of pointers to buffers, or the descriptor number based on what source is given. When the data source is an array of files or buffers, you would create an array of pointers with the last one being a NULL pointer. Buffers should be NUL terminated. +The data structure returned by auparse_init is not thread-safe. If you need to use it in a multithreaded program, you will need to add locking around any use of the data structure. + .SH "RETURN VALUE" Returns a NULL pointer if an error occurs; otherwise, the return value is an opaque pointer to the parser's internal state. diff -Nru audit-3.0.9/docs/aureport.8 audit-3.1.1/docs/aureport.8 --- audit-3.0.9/docs/aureport.8 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/docs/aureport.8 2023-04-27 17:26:56.000000000 +0000 @@ -1,4 +1,4 @@ -.TH AUREPORT "8" "March 2017" "Red Hat" "System Administration Utilities" +.TH AUREPORT "8" "February 2023" "Red Hat" "System Administration Utilities" .SH NAME aureport \- a tool that produces summary reports of audit daemon logs .SH SYNOPSIS 
@@ -109,7 +109,7 @@ .B now is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date using the en_US.utf8 locale is 09/03/2009. An example of time is 18:00:00. The date format accepted is influenced by the LC_TIME environmental variable. -You may also use the word: \fBnow\fP, \fBrecent\fP, \fBboot\fP, \fBtoday\fP, \fByesterday\fP, \fBthis\-week\fP, \fBweek\-ago\fP, \fBthis\-month\fP, \fBthis\-year\fP. \fBNow\fP means starting now. \fBRecent\fP is 10 minutes ago. \fBBoot\fP means the time of day to the second when the system last booted. \fBToday\fP means now. \fBYesterday\fP is 1 second after midnight the previous day. \fBThis\-week\fP means starting 1 second after midnight on day 0 of the week determined by your locale (see \fBlocaltime\fP). \fBWeek\-ago\fP means 1 second after midnight exactly 7 days ago. \fBThis\-month\fP means 1 second after midnight on day 1 of the month. \fBThis\-year\fP means the 1 second after midnight on the first day of the first month. +You may also use the word: \fBnow\fP, \fBrecent\fP, \fBthis-hour\fP, \fBboot\fP, \fBtoday\fP, \fByesterday\fP, \fBthis\-week\fP, \fBweek\-ago\fP, \fBthis\-month\fP, \fBthis\-year\fP. \fBNow\fP means starting now. \fBRecent\fP is 10 minutes ago. \fBBoot\fP means the time of day to the second when the system last booted. \fBToday\fP means now. \fBYesterday\fP is 1 second after midnight the previous day. \fBThis\-week\fP means starting 1 second after midnight on day 0 of the week determined by your locale (see \fBlocaltime\fP). \fBWeek\-ago\fP means 1 second after midnight exactly 7 days ago. \fBThis\-month\fP means 1 second after midnight on day 1 of the month. \fBThis\-year\fP means the 1 second after midnight on the first day of the first month. .TP .BR \-tm ,\ \-\-terminal Report about terminals 
@@ -121,7 +121,7 @@ .B midnight is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date using the en_US.utf8 locale is 09/03/2009. An example of time is 18:00:00. The date format accepted is influenced by the LC_TIME environmental variable. -You may also use the word: \fBnow\fP, \fBrecent\fP, \fBboot\fP, \fBtoday\fP, \fByesterday\fP, \fBthis\-week\fP, \fBweek\-ago\fP, \fBthis\-month\fP, \fBthis\-year\fP. \fBBoot\fP means the time of day to the second when the system last booted. \fBToday\fP means starting at 1 second after midnight. \fBRecent\fP is 10 minutes ago. \fBYesterday\fP is 1 second after midnight the previous day. \fBThis\-week\fP means starting 1 second after midnight on day 0 of the week determined by your locale (see \fBlocaltime\fP). \fBWeek\-ago\fP means starting 1 second after midnight exactly 7 days ago. \fBThis\-month\fP means 1 second after midnight on day 1 of the month. \fBThis\-year\fP means the 1 second after midnight on the first day of the first month. +You may also use the word: \fBnow\fP, \fBrecent\fP, \fBthis-hour\fP, \fBboot\fP, \fBtoday\fP, \fByesterday\fP, \fBthis\-week\fP, \fBweek\-ago\fP, \fBthis\-month\fP, \fBthis\-year\fP. \fBBoot\fP means the time of day to the second when the system last booted. \fBToday\fP means starting at 1 second after midnight. \fBRecent\fP is 10 minutes ago. \fBYesterday\fP is 1 second after midnight the previous day. \fBThis\-week\fP means starting 1 second after midnight on day 0 of the week determined by your locale (see \fBlocaltime\fP). \fBWeek\-ago\fP means starting 1 second after midnight exactly 7 days ago. \fBThis\-month\fP means 1 second after midnight on day 1 of the month. \fBThis\-year\fP means the 1 second after midnight on the first day of the first month. 
.TP .BR \-u ,\ \-\-user Report about users diff -Nru audit-3.0.9/docs/ausearch.8 audit-3.1.1/docs/ausearch.8 --- audit-3.0.9/docs/ausearch.8 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/docs/ausearch.8 2023-04-27 17:26:56.000000000 +0000 @@ -1,4 +1,4 @@ -.TH AUSEARCH "8" "April 2021" "Red Hat" "System Administration Utilities" +.TH AUSEARCH "8" "February 2023" "Red Hat" "System Administration Utilities" .SH NAME ausearch \- a tool to query audit daemon logs .SH SYNOPSIS 
@@ -154,7 +154,7 @@ .B now is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date using the en_US.utf8 locale is 09/03/2009. An example of time is 18:00:00. The date format accepted is influenced by the LC_TIME environmental variable. -You may also use the word: \fBnow\fP, \fBrecent\fP, \fBboot\fP, \fBtoday\fP, \fByesterday\fP, \fBthis\-week\fP, \fBweek\-ago\fP, \fBthis\-month\fP, or \fBthis\-year\fP. \fBNow\fP means starting now. \fBRecent\fP is 10 minutes ago. \fBBoot\fP means the time of day to the second when the system last booted. \fBToday\fP means now. \fBYesterday\fP is 1 second after midnight the previous day. \fBThis\-week\fP means starting 1 second after midnight on day 0 of the week determined by your locale (see \fBlocaltime\fP). \fBWeek\-ago\fP means 1 second after midnight exactly 7 days ago. \fBThis\-month\fP means 1 second after midnight on day 1 of the month. \fBThis\-year\fP means the 1 second after midnight on the first day of the first month. +You may also use the word: \fBnow\fP, \fBrecent\fP, \fBthis-hour\fP, \fBboot\fP, \fBtoday\fP, \fByesterday\fP, \fBthis\-week\fP, \fBweek\-ago\fP, \fBthis\-month\fP, or \fBthis\-year\fP. \fBNow\fP means starting now. \fBRecent\fP is 10 minutes ago. \fBBoot\fP means the time of day to the second when the system last booted. \fBToday\fP means now. \fBYesterday\fP is 1 second after midnight the previous day. \fBThis\-week\fP means starting 1 second after midnight on day 0 of the week determined by your locale (see \fBlocaltime\fP). \fBWeek\-ago\fP means 1 second after midnight exactly 7 days ago. \fBThis\-month\fP means 1 second after midnight on day 1 of the month. \fBThis\-year\fP means the 1 second after midnight on the first day of the first month. .TP .BR \-ts ,\ \-\-start \ [\fIstart-date\fP]\ [\fIstart-time\fP] Search for events with time stamps equal to or after the given start time. The format of start time depends on your locale. 
You can check the format of your locale by running 
@@ -165,7 +165,7 @@ .B midnight is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date using the en_US.utf8 locale is 09/03/2009. An example of time is 18:00:00. The date format accepted is influenced by the LC_TIME environmental variable. -You may also use the word: \fBnow\fP, \fBrecent\fP, \fBboot\fP, \fBtoday\fP, \fByesterday\fP, \fBthis\-week\fP, \fBweek\-ago\fP, \fBthis\-month\fP, \fBthis\-year\fP, or \fBcheckpoint\fP. \fBBoot\fP means the time of day to the second when the system last booted. \fBToday\fP means starting at 1 second after midnight. \fBRecent\fP is 10 minutes ago. \fBYesterday\fP is 1 second after midnight the previous day. \fBThis\-week\fP means starting 1 second after midnight on day 0 of the week determined by your locale (see \fBlocaltime\fP). \fBWeek\-ago\fP means starting 1 second after midnight exactly 7 days ago. \fBThis\-month\fP means 1 second after midnight on day 1 of the month. \fBThis\-year\fP means the 1 second after midnight on the first day of the first month. +You may also use the word: \fBnow\fP, \fBrecent\fP, \fBthis-hour\fP, \fBboot\fP, \fBtoday\fP, \fByesterday\fP, \fBthis\-week\fP, \fBweek\-ago\fP, \fBthis\-month\fP, \fBthis\-year\fP, or \fBcheckpoint\fP. \fBBoot\fP means the time of day to the second when the system last booted. \fBToday\fP means starting at 1 second after midnight. \fBRecent\fP is 10 minutes ago. \fBYesterday\fP is 1 second after midnight the previous day. \fBThis\-week\fP means starting 1 second after midnight on day 0 of the week determined by your locale (see \fBlocaltime\fP). \fBWeek\-ago\fP means starting 1 second after midnight exactly 7 days ago. \fBThis\-month\fP means 1 second after midnight on day 1 of the month. \fBThis\-year\fP means the 1 second after midnight on the first day of the first month. 
.sp \fBcheckpoint\fP means \fIausearch\fP will use the timestamp found within a valid checkpoint file ignoring the recorded inode, device, serial, node and event type also found within a checkpoint file. Essentially, this is the recovery action should an invocation of \fIausearch\fP with a checkpoint option fail with an exit status of 10, 11 or 12. It could be used in a shell script something like: .sp diff -Nru audit-3.0.9/docs/Makefile.in audit-3.1.1/docs/Makefile.in --- audit-3.0.9/docs/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/docs/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -192,6 +192,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -272,6 +273,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/init.d/auditd.service audit-3.1.1/init.d/auditd.service --- audit-3.0.9/init.d/auditd.service 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/init.d/auditd.service 2023-04-27 17:26:56.000000000 +0000 @@ -36,7 +36,8 @@ ### Security Settings ### MemoryDenyWriteExecute=true LockPersonality=true -ProtectControlGroups=true +# The following control prevents rules on /proc so its off by default +#ProtectControlGroups=true ProtectKernelModules=true RestrictRealtime=true diff -Nru audit-3.0.9/init.d/augenrules audit-3.1.1/init.d/augenrules --- audit-3.0.9/init.d/augenrules 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/init.d/augenrules 2023-04-27 17:26:56.000000000 +0000 @@ -60,7 +60,7 @@ # Check environment if [ ! -d ${SourceRulesDir} ]; then echo "$0: No rules directory - ${SourceRulesDir}" - rm -f ${TmpRules} + rm -f "${TmpRules}" try_load exit 1 fi 
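Review bot: The comment added above the disabled `ProtectControlGroups=true` in auditd.service does not tell an administrator when the control can be turned back on, and "its" should read "it is". With the line commented out, the unit no longer asks systemd to make the control group hierarchy read-only for auditd, so the trade-off deserves a full sentence. I would write `# ProtectControlGroups=true prevents audit rules on /proc from working, so it is off by default.` followed by `# Re-enable it if your rule set has no rules on /proc.` The rest of the `[Service]` section lies outside the hunk.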
@@ -73,9 +73,9 @@ # - the last processed -f directory is emitted as the third line # - the last processed -e directive is emitted as the last line umask 0137 -echo "## This file is automatically generated from $SourceRulesDir" >> ${TmpRules} +echo "## This file is automatically generated from $SourceRulesDir" >> "${TmpRules}" for rules in $(/bin/ls -1v ${SourceRulesDir} | grep "\.rules$") ; do - cat ${SourceRulesDir}/${rules} + cat ${SourceRulesDir}/"${rules}" done | awk ' BEGIN { minus_e = ""; @@ -84,6 +84,7 @@ minus_b = ""; rest = 0; } { + sub(/\r$/, ""); if (length($0) < 1) { next; } if (match($0, "^\\s*#")) { next; } if (match($0, "^\\s*-e")) { minus_e = $0; next; } @@ -96,26 +97,26 @@ printf "%s\n%s\n%s\n", minus_D, minus_b, minus_f; for (i = 0; i < rest; i++) { printf "%s\n", rules[i]; } printf "%s\n", minus_e; -}' >> ${TmpRules} +}' >> "${TmpRules}" # If empty then quit -if [ ! -s ${TmpRules} ]; then +if [ ! -s "${TmpRules}" ]; then echo "$0: No rules" - rm -f ${TmpRules} + rm -f "${TmpRules}" try_load exit $RETVAL fi # If the same then quit -cmp -s ${TmpRules} ${DestinationFile} > /dev/null 2>&1 +cmp -s "${TmpRules}" ${DestinationFile} > /dev/null 2>&1 if [ $? -eq 0 ]; then echo "$0: No change" - rm -f ${TmpRules} + rm -f "${TmpRules}" try_load exit $RETVAL elif [ $OnlyCheck -eq 1 ] ; then echo "$0: Rules have changed and should be updated" - rm -f ${TmpRules} + rm -f "${TmpRules}" exit 0 fi 
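Review bot: Quoting `"${rules}"` in the `cat` line of hunk `-73,9 +73,9` does not help, because `for rules in $(/bin/ls -1v ${SourceRulesDir} | grep "\.rules$")` has already word-split the listing before the loop body runs. A fragment whose name contains whitespace is therefore still passed to `cat` in pieces and its rules are left out of the generated file. Reading the names line by line keeps the version sort and fixes this: `/bin/ls -1v "${SourceRulesDir}" | grep "\.rules$" | while IFS= read -r rules ; do cat "${SourceRulesDir}/${rules}" ; done | awk '...'`. The same commit leaves `${SourceRulesDir}` and `${DestinationFile}` unquoted in hunks `-60,7`, `-96,26` and `-124,13` (`cmp -s "${TmpRules}" ${DestinationFile}`, `cp "${TmpRules}" ${DestinationFile}`), so the quoting is only half applied. Where `TmpRules` is created is outside these hunks.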
@@ -124,13 +125,13 @@ cp ${DestinationFile} ${DestinationFile}.${ASuffix} fi # We copy the file so that it gets the right selinux lable -cp ${TmpRules} ${DestinationFile} +cp "${TmpRules}" ${DestinationFile} chmod 0640 ${DestinationFile} # Restore context on MLS system. /tmp is SystemLow & audit.rules is SystemHigh if [ -x /usr/sbin/restorecon ] ; then /usr/sbin/restorecon -F ${DestinationFile} fi -rm -f ${TmpRules} +rm -f "${TmpRules}" try_load exit $RETVAL diff -Nru audit-3.0.9/init.d/Makefile.am audit-3.1.1/init.d/Makefile.am --- audit-3.0.9/init.d/Makefile.am 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/init.d/Makefile.am 2023-04-27 17:26:56.000000000 +0000 @@ -1,5 +1,5 @@ # Makefile.am-- -# Copyright 2004-07,2012-13,2018 Red Hat Inc., Durham, North Carolina. +# Copyright 2004-07,2012-13,2018 Red Hat Inc. # All Rights Reserved. # # This program is free software; you can redistribute it and/or modify @@ -65,7 +65,7 @@ else $(INSTALL_SCRIPT) -D ${srcdir}/auditd.init ${DESTDIR}${initdir}/auditd endif - chmod 0750 $(DESTDIR)$(sbindir)/augenrules + chmod 0755 $(DESTDIR)$(sbindir)/augenrules uninstall-hook: diff -Nru audit-3.0.9/init.d/Makefile.in audit-3.1.1/init.d/Makefile.in --- audit-3.0.9/init.d/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/init.d/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -15,7 +15,7 @@ @SET_MAKE@ # Makefile.am-- -# Copyright 2004-07,2012-13,2018 Red Hat Inc., Durham, North Carolina. +# Copyright 2004-07,2012-13,2018 Red Hat Inc. # All Rights Reserved. # # This program is free software; you can redistribute it and/or modify @@ -190,6 +190,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -270,6 +271,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ 
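Review bot: The `chmod 0755 $(DESTDIR)$(sbindir)/augenrules` line in init.d/Makefile.am widens the mode of a script that rewrites the audit rule file, and nothing in the hunk says why. Packagers who audit installed file modes will want the reason recorded next to the command, for example `# 0755: <reason augenrules must be readable and executable by non-root users>` above the `chmod`. The generated init.d/Makefile.in carries the same change, and its neighbouring install lines still use `-m 750`, so the script now differs from the other helpers. The install rule that copies augenrules is outside the hunk.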
@@ -633,7 +635,7 @@ @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.condrestart ${DESTDIR}${legacydir}/condrestart @ENABLE_SYSTEMD_TRUE@ $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/audit-functions ${DESTDIR}${libexecdir} @ENABLE_SYSTEMD_FALSE@ $(INSTALL_SCRIPT) -D ${srcdir}/auditd.init ${DESTDIR}${initdir}/auditd - chmod 0750 $(DESTDIR)$(sbindir)/augenrules + chmod 0755 $(DESTDIR)$(sbindir)/augenrules uninstall-hook: rm ${DESTDIR}${sysconfdir}/${libconfig} diff -Nru audit-3.0.9/lib/audit.pc.in audit-3.1.1/lib/audit.pc.in --- audit-3.0.9/lib/audit.pc.in 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/lib/audit.pc.in 2023-04-27 17:26:56.000000000 +0000 @@ -9,3 +9,4 @@ Libs: -L${libdir} -laudit Libs.private: @CAPNG_LDADD@ Cflags: -I${includedir} +Requires.private: @CAPNG_PKG@ diff -Nru audit-3.0.9/lib/flagtab.h audit-3.1.1/lib/flagtab.h --- audit-3.0.9/lib/flagtab.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/lib/flagtab.h 2023-04-27 17:26:56.000000000 +0000 @@ -1,5 +1,5 @@ /* flagtab.h -- - * Copyright 2005,2006, 2016 Red Hat Inc., Durham, North Carolina. + * Copyright 2005,2006,2016,2022 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -20,8 +20,14 @@ * Steve Grubb * Richard Guy Briggs */ -_S(AUDIT_FILTER_TASK, "task" ) -_S(AUDIT_FILTER_EXIT, "exit" ) -_S(AUDIT_FILTER_USER, "user" ) -_S(AUDIT_FILTER_EXCLUDE, "exclude" ) -_S(AUDIT_FILTER_FS, "filesystem") +#include "config.h" + +_S(AUDIT_FILTER_TASK, "task" ) +_S(AUDIT_FILTER_EXIT, "exit" ) +_S(AUDIT_FILTER_USER, "user" ) +_S(AUDIT_FILTER_EXCLUDE, "exclude" ) +_S(AUDIT_FILTER_FS, "filesystem") +#ifdef WITH_IO_URING +_S(AUDIT_FILTER_URING_EXIT, "io_uring" ) +#endif + diff -Nru audit-3.0.9/lib/libaudit.c audit-3.1.1/lib/libaudit.c --- audit-3.0.9/lib/libaudit.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/lib/libaudit.c 2023-04-27 17:26:56.000000000 +0000 
@@ -43,6 +43,9 @@ #ifdef HAVE_LIBCAP_NG #include #endif +#ifdef WITH_IO_URING +#include +#endif #include "libaudit.h" #include "private.h" #include "errormsg.h" @@ -50,6 +53,9 @@ /* #defines for the audit failure query */ #define CONFIG_FILE "/etc/libaudit.conf" +#ifndef IORING_OP_LAST +#define IORING_OP_LAST 37 +#endif /* Local prototypes */ struct nv_pair @@ -997,6 +1003,7 @@ if (word > (AUDIT_BITMASK_SIZE-1)) return -1; rule->mask[word] |= bit; + _audit_syscalladded = 1; return 0; } @@ -1027,6 +1034,32 @@ return -1; } +int audit_rule_io_uringbyname_data(struct audit_rule_data *rule, + const char *scall) +{ +#ifdef WITH_IO_URING + int nr; + + if (!strcmp(scall, "all")) { + int i, rc = 0; + for (i = 0; i < IORING_OP_LAST && !rc; i++) { + // while names resolve + if (audit_uringop_to_name(i)) + rc = audit_rule_syscall_data(rule, i); + } + return rc; + } + nr = audit_name_to_uringop(scall); + if (nr < 0) { + if (isdigit(scall[0])) + nr = strtol(scall, NULL, 0); + } + if (nr >= 0) + return audit_rule_syscall_data(rule, nr); +#endif + return -1; +} + int audit_rule_interfield_comp_data(struct audit_rule_data **rulep, const char *pair, int flags) @@ -1427,6 +1460,7 @@ case MACH_86_64: /* fallthrough */ case MACH_PPC64: /* fallthrough */ case MACH_S390X: /* fallthrough */ + case MACH_IO_URING: break; case MACH_PPC64LE: /* 64 bit only */ if (bits && bits != __AUDIT_ARCH_64BIT) @@ -1502,13 +1536,11 @@ if ((field = audit_name_to_field(f)) < 0) return -EAU_FIELDUNKNOWN; - /* Exclude filter can be used only with MSGTYPE, cred and EXE fields */ + /* Exclude filter can be used only with MSGTYPE, cred, and EXE fields + * when the EXTEND Feature is not present. */ if (flags == AUDIT_FILTER_EXCLUDE) { uint32_t features = audit_get_features(); if ((features & AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND) == 0) { - if (field != AUDIT_MSGTYPE) - return -EAU_FIELDNOSUPPORT; - } else { switch(field) { case AUDIT_PID: case AUDIT_UID: 
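Review bot: In the new `audit_rule_io_uringbyname_data` (hunk `-1027,6 +1034,32`), the numeric fallback `nr = strtol(scall, NULL, 0);` accepts trailing garbage such as "12abc" and narrows a `long` to `int` unchecked. A mistyped operation can therefore end up setting a different bit in the rule mask than the administrator meant. `isdigit(scall[0])` is also called on a plain `char`, which is undefined for negative values, so it needs a cast to `unsigned char`. The range check in `audit_rule_syscall_data` (`word > (AUDIT_BITMASK_SIZE-1)`) still bounds the bitmask write, so this is an input-validation gap rather than a memory-safety one. The fence below shows the stricter parse; it assumes `INT_MAX` is already in scope in libaudit.c, which the hunk does not show.

```c
	/* … unchanged: "all" branch … */
	nr = audit_name_to_uringop(scall);
	if (nr < 0 && isdigit((unsigned char)scall[0])) {
		char *end;
		long val = strtol(scall, &end, 0);

		/* Reject partial parses and values that do not fit an int */
		if (*end != '\0' || val < 0 || val > INT_MAX)
			return -1;
		nr = (int)val;
	}
	if (nr >= 0)
		return audit_rule_syscall_data(rule, nr);
```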
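Review bot: In hunk `-1502,13 +1536,11` the `switch(field)` allow-list now runs when `AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND` is absent, and no field check appears to run when the feature is present. The removed lines did the opposite, `if (field != AUDIT_MSGTYPE) return -EAU_FIELDNOSUPPORT;` for kernels without the feature and the switch for kernels with it. As shown, a kernel lacking the feature would get cred and exe fields passed through, and the specific library error is lost in both cases, leaving the rejection to the kernel. If this is intended, the rewritten comment should say that the kernel is now relied on to validate the field. Otherwise keep the `AUDIT_MSGTYPE` test in the feature-absent branch and the switch in the `else`. The switch body and its default case continue outside the hunk, so this needs confirming against the full function.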
@@ -1707,7 +1739,8 @@ _audit_archadded = 1; break; case AUDIT_PERM: - if (flags != AUDIT_FILTER_EXIT) + if (!(flags == AUDIT_FILTER_EXIT || + flags == AUDIT_FILTER_EXCLUDE)) return -EAU_EXITONLY; else if (op != AUDIT_EQUAL) return -EAU_OPEQ; diff -Nru audit-3.0.9/lib/libaudit.h audit-3.1.1/lib/libaudit.h --- audit-3.0.9/lib/libaudit.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/lib/libaudit.h 2023-04-27 17:26:56.000000000 +0000 @@ -1,5 +1,5 @@ /* libaudit.h -- - * Copyright 2004-2018,2021-22 Red Hat Inc. + * Copyright 2004-2018,2021-23 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -321,6 +321,14 @@ #define AUDIT_OPENAT2 1337 /* openat2 open_how flags */ #endif +#ifndef AUDIT_DM_CTRL +#define AUDIT_DM_CTRL 1338 /* Device Mapper target control */ +#endif + +#ifndef AUDIT_DM_EVENT +#define AUDIT_DM_EVENT 1339 /* Device Mapper events */ +#endif + #ifndef AUDIT_MAC_CALIPSO_ADD #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ #endif @@ -344,6 +352,9 @@ #ifndef AUDIT_FILTER_FS #define AUDIT_FILTER_FS 0x06 /* FS record filter in __audit_inode_child */ #endif +#ifndef AUDIT_FILTER_URING_EXIT +#define AUDIT_FILTER_URING_EXIT 0x07 /* Apply rule at io_uring op exit */ +#endif #ifndef AUDIT_FILTER_EXCLUDE #define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE #endif @@ -585,7 +596,8 @@ MACH_ALPHA, // Deprecated but has to stay MACH_ARM, MACH_AARCH64, - MACH_PPC64LE + MACH_PPC64LE, + MACH_IO_URING } machine_t; /* These are the valid audit failure tunable enum values */ 
@@ -620,6 +632,8 @@ extern const char *audit_field_to_name(int field); extern int audit_name_to_syscall(const char *sc, int machine); extern const char *audit_syscall_to_name(int sc, int machine); +extern const char *audit_uringop_to_name(int uringop); +extern int audit_name_to_uringop(const char *uringop); extern int audit_name_to_flag(const char *flag); extern const char *audit_flag_to_name(int flag); extern int audit_name_to_action(const char *action); @@ -720,6 +734,9 @@ extern void audit_rule_init_data(struct audit_rule_data *rule); extern int audit_rule_syscallbyname_data(struct audit_rule_data *rule, const char *scall); +extern int audit_rule_io_uringbyname_data(struct audit_rule_data *rule, + const char *scall); + /* Note that the following function takes a **, where audit_rule_fieldpair() * takes just a *. That structure may need to be reallocated as a result of * adding new fields */ diff -Nru audit-3.0.9/lib/lookup_table.c audit-3.1.1/lib/lookup_table.c --- audit-3.0.9/lib/lookup_table.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/lib/lookup_table.c 2023-04-27 17:26:56.000000000 +0000 @@ -46,6 +46,9 @@ #include "s390_tables.h" #include "s390x_tables.h" #include "x86_64_tables.h" +#ifdef WITH_IO_URING +#include "uringop_tables.h" +#endif #include "errtabs.h" #include "fstypetabs.h" #include "ftypetabs.h" @@ -99,6 +102,20 @@ #endif } +int audit_name_to_uringop(const char *uringop) +{ +#ifdef WITH_IO_URING + int res = -1, found = 0; + +#ifndef NO_TABLES + found = uringop_s2i(uringop, &res); +#endif + if (found) + return res; +#endif + return -1; +} + int audit_name_to_syscall(const char *sc, int machine) { int res = -1, found = 0; @@ -134,6 +151,9 @@ break; #endif #endif + case MACH_IO_URING: + return audit_name_to_uringop(sc); + break; default: return -1; } 
@@ -142,6 +162,16 @@ return -1; } +const char *audit_uringop_to_name(int uringop) +{ +#ifdef WITH_IO_URING +#ifndef NO_TABLES + return uringop_i2s(uringop); +#endif +#endif + return NULL; +} + const char *audit_syscall_to_name(int sc, int machine) { #ifndef NO_TABLES @@ -167,6 +197,8 @@ case MACH_AARCH64: return aarch64_syscall_i2s(sc); #endif + case MACH_IO_URING: + return audit_uringop_to_name(sc); } #endif return NULL; diff -Nru audit-3.0.9/lib/machinetab.h audit-3.1.1/lib/machinetab.h --- audit-3.0.9/lib/machinetab.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/lib/machinetab.h 2023-04-27 17:26:56.000000000 +0000 @@ -1,5 +1,5 @@ /* machine.h -- - * Copyright 2005,2006,2009,2012,2013 Red Hat Inc., Durham, North Carolina. + * Copyright 2005-06,2009,2012-13,2022 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -19,7 +19,7 @@ * Authors: * Steve Grubb */ - +#include "config.h" _S(MACH_X86, "i386" ) _S(MACH_X86, "i486" ) _S(MACH_X86, "i586" ) @@ -42,3 +42,7 @@ _S(MACH_AARCH64, "aarch64" ) _S(MACH_AARCH64, "armv8l") #endif +#ifdef WITH_IO_URING +_S(MACH_IO_URING, "uring") +#endif + diff -Nru audit-3.0.9/lib/Makefile.am audit-3.1.1/lib/Makefile.am --- audit-3.0.9/lib/Makefile.am 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/lib/Makefile.am 2023-04-27 17:26:56.000000000 +0000 @@ -47,7 +47,7 @@ BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \ fstypetabs.h ftypetabs.h i386_tables.h machinetabs.h \ msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \ - s390x_tables.h x86_64_tables.h + s390x_tables.h x86_64_tables.h uringop_tables.h if USE_ARM BUILT_SOURCES += arm_tables.h endif 
@@ -58,7 +58,7 @@ gen_flagtabs_h gen_fstypetabs_h gen_ftypetabs_h gen_i386_tables_h \ gen_machinetabs_h gen_msg_typetabs_h \ gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \ - gen_s390x_tables_h gen_x86_64_tables_h + gen_s390x_tables_h gen_x86_64_tables_h gen_uringop_tables_h if USE_ARM noinst_PROGRAMS += gen_arm_tables_h endif @@ -266,6 +266,19 @@ s390x_tables.h: gen_s390x_tables_h Makefile ./gen_s390x_tables_h --lowercase --i2s --s2i s390x_syscall > $@ +gen_uringop_tables_h_SOURCES = gen_tables.c gen_tables.h uringop_table.h +gen_uringop_tables_h_CFLAGS = '-DTABLE_H="uringop_table.h"' +$(gen_uringop_tables_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_uringop_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_uringop_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +$(gen_uringop_tables_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD) +gen_uringop_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_uringop_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_uringop_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_uringop_tables_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD) +uringop_tables.h: gen_uringop_tables_h Makefile + ./gen_uringop_tables_h --lowercase --i2s --s2i uringop > $@ + gen_x86_64_tables_h_SOURCES = gen_tables.c gen_tables.h x86_64_table.h gen_x86_64_tables_h_CFLAGS = '-DTABLE_H="x86_64_table.h"' $(gen_x86_64_tables_h_OBJECTS): CC=$(CC_FOR_BUILD) diff -Nru audit-3.0.9/lib/Makefile.in audit-3.1.1/lib/Makefile.in --- audit-3.0.9/lib/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/lib/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -124,7 +124,7 @@ gen_msg_typetabs_h$(EXEEXT) gen_optabs_h$(EXEEXT) \ gen_ppc_tables_h$(EXEEXT) gen_s390_tables_h$(EXEEXT) \ gen_s390x_tables_h$(EXEEXT) gen_x86_64_tables_h$(EXEEXT) \ - $(am__EXEEXT_1) $(am__EXEEXT_2) + gen_uringop_tables_h$(EXEEXT) $(am__EXEEXT_1) $(am__EXEEXT_2) @USE_ARM_TRUE@am__append_3 = gen_arm_tables_h @USE_AARCH64_TRUE@am__append_4 = gen_aarch64_tables_h subdir = lib 
@@ -300,6 +300,14 @@ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(gen_s390x_tables_h_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ +am_gen_uringop_tables_h_OBJECTS = \ + gen_uringop_tables_h-gen_tables.$(OBJEXT) +gen_uringop_tables_h_OBJECTS = $(am_gen_uringop_tables_h_OBJECTS) +gen_uringop_tables_h_LDADD = $(LDADD) +gen_uringop_tables_h_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(gen_uringop_tables_h_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ am_gen_x86_64_tables_h_OBJECTS = \ gen_x86_64_tables_h-gen_tables.$(OBJEXT) gen_x86_64_tables_h_OBJECTS = $(am_gen_x86_64_tables_h_OBJECTS) @@ -340,6 +348,7 @@ ./$(DEPDIR)/gen_ppc_tables_h-gen_tables.Po \ ./$(DEPDIR)/gen_s390_tables_h-gen_tables.Po \ ./$(DEPDIR)/gen_s390x_tables_h-gen_tables.Po \ + ./$(DEPDIR)/gen_uringop_tables_h-gen_tables.Po \ ./$(DEPDIR)/gen_x86_64_tables_h-gen_tables.Po \ ./$(DEPDIR)/libaudit.Plo ./$(DEPDIR)/lookup_table.Plo \ ./$(DEPDIR)/message.Plo ./$(DEPDIR)/netlink.Plo @@ -370,7 +379,8 @@ $(gen_i386_tables_h_SOURCES) $(gen_machinetabs_h_SOURCES) \ $(gen_msg_typetabs_h_SOURCES) $(gen_optabs_h_SOURCES) \ $(gen_ppc_tables_h_SOURCES) $(gen_s390_tables_h_SOURCES) \ - $(gen_s390x_tables_h_SOURCES) $(gen_x86_64_tables_h_SOURCES) + $(gen_s390x_tables_h_SOURCES) $(gen_uringop_tables_h_SOURCES) \ + $(gen_x86_64_tables_h_SOURCES) DIST_SOURCES = $(libaudit_la_SOURCES) \ $(am__gen_aarch64_tables_h_SOURCES_DIST) \ $(gen_actiontabs_h_SOURCES) \ 
@@ -380,7 +390,8 @@ $(gen_i386_tables_h_SOURCES) $(gen_machinetabs_h_SOURCES) \ $(gen_msg_typetabs_h_SOURCES) $(gen_optabs_h_SOURCES) \ $(gen_ppc_tables_h_SOURCES) $(gen_s390_tables_h_SOURCES) \ - $(gen_s390x_tables_h_SOURCES) $(gen_x86_64_tables_h_SOURCES) + $(gen_s390x_tables_h_SOURCES) $(gen_uringop_tables_h_SOURCES) \ + $(gen_x86_64_tables_h_SOURCES) RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \ ctags-recursive dvi-recursive html-recursive info-recursive \ install-data-recursive install-dvi-recursive \ @@ -461,6 +472,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -541,6 +553,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ @@ -633,7 +646,8 @@ BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \ fstypetabs.h ftypetabs.h i386_tables.h machinetabs.h \ msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \ - s390x_tables.h x86_64_tables.h $(am__append_1) $(am__append_2) + s390x_tables.h x86_64_tables.h uringop_tables.h \ + $(am__append_1) $(am__append_2) gen_actiontabs_h_SOURCES = gen_tables.c gen_tables.h actiontab.h gen_actiontabs_h_CFLAGS = '-DTABLE_H="actiontab.h"' @USE_ARM_TRUE@gen_arm_tables_h_SOURCES = gen_tables.c gen_tables.h arm_table.h @@ -664,6 +678,8 @@ gen_s390_tables_h_CFLAGS = '-DTABLE_H="s390_table.h"' gen_s390x_tables_h_SOURCES = gen_tables.c gen_tables.h s390x_table.h gen_s390x_tables_h_CFLAGS = '-DTABLE_H="s390x_table.h"' +gen_uringop_tables_h_SOURCES = gen_tables.c gen_tables.h uringop_table.h +gen_uringop_tables_h_CFLAGS = '-DTABLE_H="uringop_table.h"' gen_x86_64_tables_h_SOURCES = gen_tables.c gen_tables.h x86_64_table.h gen_x86_64_tables_h_CFLAGS = '-DTABLE_H="x86_64_table.h"' all: $(BUILT_SOURCES) 
@@ -810,6 +826,10 @@ @rm -f gen_s390x_tables_h$(EXEEXT) $(AM_V_CCLD)$(gen_s390x_tables_h_LINK) $(gen_s390x_tables_h_OBJECTS) $(gen_s390x_tables_h_LDADD) $(LIBS) +gen_uringop_tables_h$(EXEEXT): $(gen_uringop_tables_h_OBJECTS) $(gen_uringop_tables_h_DEPENDENCIES) $(EXTRA_gen_uringop_tables_h_DEPENDENCIES) + @rm -f gen_uringop_tables_h$(EXEEXT) + $(AM_V_CCLD)$(gen_uringop_tables_h_LINK) $(gen_uringop_tables_h_OBJECTS) $(gen_uringop_tables_h_LDADD) $(LIBS) + gen_x86_64_tables_h$(EXEEXT): $(gen_x86_64_tables_h_OBJECTS) $(gen_x86_64_tables_h_DEPENDENCIES) $(EXTRA_gen_x86_64_tables_h_DEPENDENCIES) @rm -f gen_x86_64_tables_h$(EXEEXT) $(AM_V_CCLD)$(gen_x86_64_tables_h_LINK) $(gen_x86_64_tables_h_OBJECTS) $(gen_x86_64_tables_h_LDADD) $(LIBS) @@ -837,6 +857,7 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_ppc_tables_h-gen_tables.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_s390_tables_h-gen_tables.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_s390x_tables_h-gen_tables.Po@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_uringop_tables_h-gen_tables.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gen_x86_64_tables_h-gen_tables.Po@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libaudit.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lookup_table.Plo@am__quote@ # am--include-marker 
@@ -1080,6 +1101,20 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_s390x_tables_h_CFLAGS) $(CFLAGS) -c -o gen_s390x_tables_h-gen_tables.obj `if test -f 'gen_tables.c'; then $(CYGPATH_W) 'gen_tables.c'; else $(CYGPATH_W) '$(srcdir)/gen_tables.c'; fi` +gen_uringop_tables_h-gen_tables.o: gen_tables.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_uringop_tables_h_CFLAGS) $(CFLAGS) -MT gen_uringop_tables_h-gen_tables.o -MD -MP -MF $(DEPDIR)/gen_uringop_tables_h-gen_tables.Tpo -c -o gen_uringop_tables_h-gen_tables.o `test -f 'gen_tables.c' || echo '$(srcdir)/'`gen_tables.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/gen_uringop_tables_h-gen_tables.Tpo $(DEPDIR)/gen_uringop_tables_h-gen_tables.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='gen_tables.c' object='gen_uringop_tables_h-gen_tables.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_uringop_tables_h_CFLAGS) $(CFLAGS) -c -o gen_uringop_tables_h-gen_tables.o `test -f 'gen_tables.c' || echo '$(srcdir)/'`gen_tables.c + +gen_uringop_tables_h-gen_tables.obj: gen_tables.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_uringop_tables_h_CFLAGS) $(CFLAGS) -MT gen_uringop_tables_h-gen_tables.obj -MD -MP -MF $(DEPDIR)/gen_uringop_tables_h-gen_tables.Tpo -c -o gen_uringop_tables_h-gen_tables.obj `if test -f 'gen_tables.c'; then $(CYGPATH_W) 'gen_tables.c'; else $(CYGPATH_W) '$(srcdir)/gen_tables.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/gen_uringop_tables_h-gen_tables.Tpo 
$(DEPDIR)/gen_uringop_tables_h-gen_tables.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='gen_tables.c' object='gen_uringop_tables_h-gen_tables.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_uringop_tables_h_CFLAGS) $(CFLAGS) -c -o gen_uringop_tables_h-gen_tables.obj `if test -f 'gen_tables.c'; then $(CYGPATH_W) 'gen_tables.c'; else $(CYGPATH_W) '$(srcdir)/gen_tables.c'; fi` + gen_x86_64_tables_h-gen_tables.o: gen_tables.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(gen_x86_64_tables_h_CFLAGS) $(CFLAGS) -MT gen_x86_64_tables_h-gen_tables.o -MD -MP -MF $(DEPDIR)/gen_x86_64_tables_h-gen_tables.Tpo -c -o gen_x86_64_tables_h-gen_tables.o `test -f 'gen_tables.c' || echo '$(srcdir)/'`gen_tables.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/gen_x86_64_tables_h-gen_tables.Tpo $(DEPDIR)/gen_x86_64_tables_h-gen_tables.Po @@ -1365,6 +1400,7 @@ -rm -f ./$(DEPDIR)/gen_ppc_tables_h-gen_tables.Po -rm -f ./$(DEPDIR)/gen_s390_tables_h-gen_tables.Po -rm -f ./$(DEPDIR)/gen_s390x_tables_h-gen_tables.Po + -rm -f ./$(DEPDIR)/gen_uringop_tables_h-gen_tables.Po -rm -f ./$(DEPDIR)/gen_x86_64_tables_h-gen_tables.Po -rm -f ./$(DEPDIR)/libaudit.Plo -rm -f ./$(DEPDIR)/lookup_table.Plo @@ -1432,6 +1468,7 @@ -rm -f ./$(DEPDIR)/gen_ppc_tables_h-gen_tables.Po -rm -f ./$(DEPDIR)/gen_s390_tables_h-gen_tables.Po -rm -f ./$(DEPDIR)/gen_s390x_tables_h-gen_tables.Po + -rm -f ./$(DEPDIR)/gen_uringop_tables_h-gen_tables.Po -rm -f ./$(DEPDIR)/gen_x86_64_tables_h-gen_tables.Po -rm -f ./$(DEPDIR)/libaudit.Plo -rm -f ./$(DEPDIR)/lookup_table.Plo 
@@ -1631,6 +1668,16 @@ gen_s390x_tables_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD) s390x_tables.h: gen_s390x_tables_h Makefile ./gen_s390x_tables_h --lowercase --i2s --s2i s390x_syscall > $@ +$(gen_uringop_tables_h_OBJECTS): CC=$(CC_FOR_BUILD) +$(gen_uringop_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) +$(gen_uringop_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +$(gen_uringop_tables_h_OBJECTS): LDFLAGS=$(LDFLAGS_FOR_BUILD) +gen_uringop_tables_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD) +gen_uringop_tables_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD) +gen_uringop_tables_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) +gen_uringop_tables_h$(BUILD_EXEEXT): LDFLAGS=$(LDFLAGS_FOR_BUILD) +uringop_tables.h: gen_uringop_tables_h Makefile + ./gen_uringop_tables_h --lowercase --i2s --s2i uringop > $@ $(gen_x86_64_tables_h_OBJECTS): CC=$(CC_FOR_BUILD) $(gen_x86_64_tables_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD) $(gen_x86_64_tables_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD) diff -Nru audit-3.0.9/lib/msg_typetab.h audit-3.1.1/lib/msg_typetab.h --- audit-3.0.9/lib/msg_typetab.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/lib/msg_typetab.h 2023-04-27 17:26:56.000000000 +0000 @@ -1,5 +1,5 @@ /* msg_typetab.h -- - * Copyright 2005-07,2009-18,21 Red Hat Inc. + * Copyright 2005-07,2009-18,21-23 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or 
@@ -129,13 +129,15 @@ _S(AUDIT_EVENT_LISTENER, "EVENT_LISTENER" ) _S(AUDIT_URINGOP, "URINGOP" ) _S(AUDIT_OPENAT2, "OPENAT2" ) +_S(AUDIT_DM_CTRL, "DM_CTRL" ) +_S(AUDIT_DM_EVENT, "DM_EVENT" ) _S(AUDIT_AVC, "AVC" ) _S(AUDIT_SELINUX_ERR, "SELINUX_ERR" ) _S(AUDIT_AVC_PATH, "AVC_PATH" ) _S(AUDIT_MAC_POLICY_LOAD, "MAC_POLICY_LOAD" ) _S(AUDIT_MAC_STATUS, "MAC_STATUS" ) _S(AUDIT_MAC_CONFIG_CHANGE, "MAC_CONFIG_CHANGE" ) -_S(AUDIT_MAC_UNLBL_ALLOW, "MAC_UNLBL_ALLOW" ) +_S(AUDIT_MAC_UNLBL_ALLOW, "MAC_UNLBL_ALLOW" ) _S(AUDIT_MAC_CIPSOV4_ADD, "MAC_CIPSOV4_ADD" ) _S(AUDIT_MAC_CIPSOV4_DEL, "MAC_CIPSOV4_DEL" ) _S(AUDIT_MAC_MAP_ADD, "MAC_MAP_ADD" ) diff -Nru audit-3.0.9/lib/test/lookup_test.c audit-3.1.1/lib/test/lookup_test.c --- audit-3.0.9/lib/test/lookup_test.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/lib/test/lookup_test.c 2023-04-27 17:26:56.000000000 +0000 @@ -234,6 +234,24 @@ #undef S2I } +#ifdef WITH_IO_URING +static void +test_uringop_table(void) +{ + static const struct entry t[] = { +#include "../uringop_table.h" + }; + + printf("Testing uringop_table...\n"); +#define I2S(I) audit_uringop_to_name((I)) +#define S2I(S) audit_name_to_uringop((S)) + TEST_I2S(0); + TEST_S2I(-1); +#undef I2S +#undef S2I +} +#endif + static void test_actiontab(void) { @@ -395,6 +413,9 @@ test_s390_table(); test_s390x_table(); test_x86_64_table(); +#ifdef WITH_IO_URING + test_uringop_table(); +#endif test_actiontab(); test_errtab(); test_fieldtab(); diff -Nru audit-3.0.9/lib/test/Makefile.in audit-3.1.1/lib/test/Makefile.in --- audit-3.0.9/lib/test/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/lib/test/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -409,6 +409,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ 
@@ -489,6 +490,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/lib/uringop_table.h audit-3.1.1/lib/uringop_table.h --- audit-3.0.9/lib/uringop_table.h 1970-01-01 00:00:00.000000000 +0000 +++ audit-3.1.1/lib/uringop_table.h 2023-04-27 17:26:56.000000000 +0000 
@@ -0,0 +1,53 @@ +/* uringop_table.h -- + * Copyright 2005-23 Red Hat Inc. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Richard Guy Briggs + */ + +/* + * From /usr/include/linux/io_uring.h + * kernel location here: io_uring/opdef.c + * + * Note: not all ops are auditable for performance reasons. This was + * discussed on the linux-audit mail list: + * https://listman.redhat.com/archives/linux-audit/2021-June/018042.html + */ + +_S(9, "sendmsg") +_S(10, "recvmsg") +_S(13, "accept") +_S(16, "connect") +_S(17, "fallocate") +_S(18, "openat") +_S(19, "close") +_S(28, "openat2") +_S(34, "shutdown") +_S(35, "renameat") +_S(36, "unlinkat") +_S(37, "mkdirat") +_S(38, "symlinkat") +_S(39, "linkat") +_S(40, "msg_ring") +_S(41, "fsetxattr") +_S(42, "setxattr") +_S(43, "fgetxattr") +_S(44, "getxattr") +_S(46, "uring_cmd") +_S(48, "sendmsg_zc") + diff -Nru audit-3.0.9/m4/cap-ng.m4 audit-3.1.1/m4/cap-ng.m4 --- audit-3.0.9/m4/cap-ng.m4 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/m4/cap-ng.m4 2023-04-27 17:26:56.000000000 +0000 
@@ -33,6 +33,8 @@ AC_MSG_CHECKING(whether to use libcap-ng) if test x$CAPNG_LDADD != x ; then AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support]) + CAPNG_PKG="libcap-ng" + AC_SUBST(CAPNG_PKG) AC_MSG_RESULT(yes) else AC_MSG_RESULT(no) diff -Nru audit-3.0.9/m4/Makefile.in audit-3.1.1/m4/Makefile.in --- audit-3.0.9/m4/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/m4/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -188,6 +188,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -268,6 +269,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/Makefile.in audit-3.1.1/Makefile.in --- audit-3.0.9/Makefile.in 2022-08-29 21:23:16.000000000 +0000 +++ audit-3.1.1/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -240,6 +240,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -320,6 +321,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/rules/30-ospp-v42.rules audit-3.1.1/rules/30-ospp-v42.rules --- audit-3.0.9/rules/30-ospp-v42.rules 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/rules/30-ospp-v42.rules 2023-04-27 17:26:56.000000000 +0000 
@@ -57,6 +57,11 @@ -a always,exit -F path=/usr/sbin/grub2-set-bootflag -F perm=x -F auid>=1000 -F auid!=unset -F key=special-config-changes ## Privilege escalation via su or sudo. This is entirely handled by pam. +## Special case for systemd-run. It is not audit aware, specifically watch it +-a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation +## Special case for pkexec. It is not audit aware, specifically watch it +-a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation + ## Watch for configuration changes to privilege escalation. -a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes diff -Nru audit-3.0.9/rules/30-pci-dss-v31.rules audit-3.1.1/rules/30-pci-dss-v31.rules --- audit-3.0.9/rules/30-pci-dss-v31.rules 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/rules/30-pci-dss-v31.rules 2023-04-27 17:26:56.000000000 +0000 @@ -25,6 +25,11 @@ ## logging. The pam config below should be placed into su and sudo pam stacks. ## session required pam_tty_audit.so disable=* enable=root +## Special case for systemd-run. It is not audit aware, specifically watch it +-a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation +## Special case for pkexec. It is not audit aware, specifically watch it +-a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation + ## Watch for configuration changes to privilege escalation. -a always,exit -F path=/etc/sudoers -F perm=wa -F key=10.2.2-priv-config-changes -a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=10.2.2-priv-config-changes diff -Nru audit-3.0.9/rules/30-stig.rules audit-3.1.1/rules/30-stig.rules --- audit-3.0.9/rules/30-stig.rules 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/rules/30-stig.rules 2023-04-27 17:26:56.000000000 +0000 
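Review bot: The added pkexec rule carries no `-F auid!=unset` while the systemd-run rule directly above it does, and neither comment says why; the same pair is added in 30-pci-dss-v31.rules and 30-stig.rules. If the difference is deliberate, so that pkexec runs by processes without a login uid are recorded too, state it in the comment, e.g. `## pkexec: no auid filter on purpose, executions without a login uid are recorded as well`; otherwise give both rules the same filter. Both rules match one fixed path, so the comment could also remind people adapting these files to adjust the path where a distribution installs the binaries elsewhere.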
@@ -130,6 +130,11 @@ -w /etc/sudoers -p wa -k actions -w /etc/sudoers.d/ -p wa -k actions +## Special case for systemd-run. It is not audit aware, specifically watch it +-a always,exit -F path=/usr/bin/systemd-run -F perm=x -F auid!=unset -F key=maybe-escalation +## Special case for pkexec. It is not audit aware, specifically watch it +-a always,exit -F path=/usr/bin/pkexec -F perm=x -F key=maybe-escalation + ## (GEN002860: CAT II) (Previously – G674) The SA and/or IAO will ##ensure old audit logs are closed and new audit logs are started daily. ## diff -Nru audit-3.0.9/rules/Makefile.in audit-3.1.1/rules/Makefile.in --- audit-3.0.9/rules/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/rules/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -188,6 +188,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -268,6 +269,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/src/auditctl.c audit-3.1.1/src/auditctl.c --- audit-3.0.9/src/auditctl.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/src/auditctl.c 2023-04-27 17:26:56.000000000 +0000 @@ -1,5 +1,5 @@ -/* auditctl.c -- - * Copyright 2004-2017,2020 Red Hat Inc. +/* auditctl.c -- + * Copyright 2004-2017,202-3 Red Hat Inc. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify 
@@ -153,18 +153,10 @@ static int lookup_filter(const char *str, int *filter) { - if (strcmp(str, "exit") == 0) - *filter = AUDIT_FILTER_EXIT; - else if (strcmp(str, "task") == 0) - *filter = AUDIT_FILTER_TASK; - else if (strcmp(str, "user") == 0) - *filter = AUDIT_FILTER_USER; - else if (strcmp(str, "exclude") == 0) { - *filter = AUDIT_FILTER_EXCLUDE; + *filter = audit_name_to_flag(str); + if (*filter == AUDIT_FILTER_EXCLUDE) exclude = 1; - } else if (strcmp(str, "filesystem") == 0) - *filter = AUDIT_FILTER_FS; - else + if (*filter == -1) return 2; return 0; } @@ -421,15 +413,20 @@ FD_ZERO(&read_mask); FD_SET(fd, &read_mask); - if (strcasecmp(optarg, "TERM") == 0) + if (strcasecmp(optarg, "TERM") == 0 || + strcasecmp(optarg, "stop") == 0) signal = SIGTERM; - else if (strcasecmp(optarg, "HUP") == 0) + else if (strcasecmp(optarg, "HUP") == 0 || + strcasecmp(optarg, "reload") == 0) signal = SIGHUP; - else if (strcasecmp(optarg, "USR1") == 0) + else if (strcasecmp(optarg, "USR1") == 0 || + strcasecmp(optarg, "rotate") == 0) signal = SIGUSR1; - else if (strcasecmp(optarg, "USR2") == 0) + else if (strcasecmp(optarg, "USR2") == 0 || + strcasecmp(optarg, "resume") == 0) signal = SIGUSR2; - else if (strcasecmp(optarg, "CONT") == 0) + else if (strcasecmp(optarg, "CONT") == 0 || + strcasecmp(optarg, "state") == 0) signal = SIGCONT; if (signal == 0) { 
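Review bot: lookup_filter() now writes -1 into `*filter` before returning 2, where the removed chain left the caller's value untouched for an unknown name. The callers are outside the hunk, so either confirm none of them reads the value after a failure or assign through a local: `int f = audit_name_to_flag(str); if (f == -1) return 2; *filter = f;`. The accepted list names are now whatever audit_name_to_flag() knows rather than the five spelled out before, which deserves a comment above the function such as `/* Accepts every list name in the flag table; returns 2 if the name is unknown */`.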
@@ -541,6 +538,29 @@ return audit_rule_syscallbyname_data(rule_new, optarg); } +#ifdef WITH_IO_URING +// return 0 on success and -1 if unknow op. +static int parse_io_uring(const char *optarg) +{ + if (strchr(optarg, ',')) { + int retval; + char *saved, *ptr, *tmp = strdup(optarg); + if (tmp == NULL) + return -1; + ptr = strtok_r(tmp, ",", &saved); + while (ptr) { + retval = audit_rule_io_uringbyname_data(rule_new, ptr); + if (retval != 0) + break; + ptr = strtok_r(NULL, ",", &saved); + } + free(tmp); + return retval; + } + return audit_rule_io_uringbyname_data(rule_new, optarg); +} +#endif + static struct option long_opts[] = { #if HAVE_DECL_AUDIT_FEATURE_VERSION == 1 @@ -782,6 +802,29 @@ break; case 'S': { int unknown_arch = !_audit_elf; +#ifdef WITH_IO_URING + if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_URING_EXIT || (del & + (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == + AUDIT_FILTER_URING_EXIT)) { + // Do io_uring op + rc = parse_io_uring(optarg); + switch (rc) + { + case 0: + _audit_syscalladded = 1; + retval = 1; /* success - please send */ + break; + case -1: + audit_msg(LOG_ERR, + "io_uring op unknown: %s", + optarg); + retval = -1; + break; + } + break; + } +#endif /* Do some checking to make sure that we are not adding a * syscall rule to a list that does not make sense. */ if (((add & (AUDIT_FILTER_MASK|AUDIT_FILTER_UNSET)) == diff -Nru audit-3.0.9/src/auditctl-listing.c audit-3.1.1/src/auditctl-listing.c --- audit-3.0.9/src/auditctl-listing.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/src/auditctl-listing.c 2023-04-27 17:26:56.000000000 +0000 @@ -1,5 +1,5 @@ /* auditctl-listing.c -- - * Copyright 2014,16,2021 Red Hat Inc. + * Copyright 2014,16,2021-2 Red Hat Inc. * All Rights Reserved. * * This library is free software; you can redistribute it and/or 
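Review bot: `retval` in parse_io_uring() is returned uninitialized when optarg contains a comma but yields no token (for example a lone `,`): strtok_r() returns NULL on the first call, the loop body never runs, and `return retval` reads an indeterminate value. Initialize it, `int retval = -1;`, so an empty list is reported as an unknown op. The `switch (rc)` added under `case 'S'` in the next hunk handles only 0 and -1 and has no `default`, so any other value leaves the outer `retval` unchanged; a `default:` that sets `retval = -1` would make the caller robust against that.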
@@ -25,11 +25,18 @@ #include #include #include +#ifdef WITH_IO_URING +#include +#endif #include "auditctl-listing.h" #include "private.h" #include "auditctl-llist.h" #include "auparse-idata.h" +#ifndef IORING_OP_LAST +#define IORING_OP_LAST 37 +#endif + /* Global vars */ static llist l; static int printed; @@ -135,18 +142,24 @@ { int count = 0; int all = 1; - unsigned int i; + unsigned int i, len; int machine = audit_detect_machine(); /* Rules on the following filters do not take a syscall */ if (((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_USER) || ((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_TASK) || - ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) || - ((r->flags &AUDIT_FILTER_MASK) == AUDIT_FILTER_FS)) + ((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_EXCLUDE) || + ((r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_FS)) return 0; + int io_uring=(r->flags & AUDIT_FILTER_MASK) == AUDIT_FILTER_URING_EXIT; + if (io_uring) + len = IORING_OP_LAST; + else + len = AUDIT_BITMASK_SIZE-1; + /* See if its all or specific syscalls */ - for (i = 0; i < (AUDIT_BITMASK_SIZE-1); i++) { + for (i = 0; i < len; i++) { if (r->mask[i] != (uint32_t)~0) { all = 0; break; 
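Review bot: `len = IORING_OP_LAST` is a count of operations (bits), yet the loop below it uses `i < len` to index `r->mask[i]`, an array of 32-bit words, so the "all" test for an io_uring rule scans IORING_OP_LAST words rather than the words that hold the op bits. The print loop in the following hunk treats the same constant as a bit count through AUDIT_WORD/AUDIT_BIT, so the two disagree; a word count such as `len = (IORING_OP_LAST + 31) / 32;`, capped at AUDIT_BITMASK_SIZE so the scan can never run past `r->mask`, would match, subject to how the library fills the mask for `-S all`. The fallback `#define IORING_OP_LAST 37` is also lower than the highest op in lib/uringop_table.h from this same diff (48, `sendmsg_zc`), so ops 37 and above would never be listed when it applies. As far as I know IORING_OP_LAST is an enumerator in the kernel header rather than a macro, in which case the `#ifndef` is always true and the fallback always wins. The function starts outside the hunk.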
@@ -156,25 +169,43 @@ if (all) { printf(" -S all"); count = i; - } else for (i = 0; i < AUDIT_BITMASK_SIZE * 32; i++) { - int word = AUDIT_WORD(i); - int bit = AUDIT_BIT(i); - if (r->mask[word] & bit) { - const char *ptr; - if (_audit_elf) - machine = audit_elf_to_machine(_audit_elf); - if (machine < 0) - ptr = NULL; - else - ptr = audit_syscall_to_name(i, machine); - if (!count) - printf(" -S "); - if (ptr) - printf("%s%s", !count ? "" : ",", ptr); - else - printf("%s%u", !count ? "" : ",", i); - count++; - *sc = i; + } else if (io_uring) { + for (i = 0; i < IORING_OP_LAST; i++) { + int word = AUDIT_WORD(i); + int bit = AUDIT_BIT(i); + if (r->mask[word] & bit) { + const char *ptr = audit_uringop_to_name(i); + if (!count) + printf(" -S "); + if (ptr) + printf("%s%s", !count ? "" : ",", ptr); + else + printf("%s%u", !count ? "" : ",", i); + count++; + *sc = i; + } + } + } else { + for (i = 0; i < AUDIT_BITMASK_SIZE * 32; i++) { + int word = AUDIT_WORD(i); + int bit = AUDIT_BIT(i); + if (r->mask[word] & bit) { + const char *ptr; + if (_audit_elf) + machine = audit_elf_to_machine(_audit_elf); + if (machine < 0) + ptr = NULL; + else + ptr = audit_syscall_to_name(i, machine); + if (!count) + printf(" -S "); + if (ptr) + printf("%s%s", !count ? "" : ",", ptr); + else + printf("%s%u", !count ? "" : ",", i); + count++; + *sc = i; + } } } return count; diff -Nru audit-3.0.9/src/auditd.c audit-3.1.1/src/auditd.c --- audit-3.0.9/src/auditd.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/src/auditd.c 2023-04-27 17:26:56.000000000 +0000 
@@ -989,6 +989,7 @@ ev_signal_stop (loop, &sigusr1_watcher); ev_signal_stop (loop, &sigusr2_watcher); ev_signal_stop (loop, &sigterm_watcher); + ev_signal_stop (loop, &sigcont_watcher); /* Write message to log that we are going down */ rc = audit_request_signal_info(fd); diff -Nru audit-3.0.9/src/auditd-config.c audit-3.1.1/src/auditd-config.c --- audit-3.0.9/src/auditd-config.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/src/auditd-config.c 2023-04-27 17:26:56.000000000 +0000 
@@ -1,24 +1,23 @@ -/* auditd-config.c -- +/* auditd-config.c -- * Copyright 2004-2011,2013-14,2016,2018,2020-21 Red Hat Inc. * All Rights Reserved. + + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, + * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * * Authors: * Steve Grubb - * */ #include "config.h" 
@@ -1844,7 +1843,7 @@ config->plugin_dir = malloc(len + 2); if (config->plugin_dir) { strcpy(config->plugin_dir, nv->value); - if (config->plugin_dir[len - 1] != '/') + if (len > 1 && config->plugin_dir[len - 1] != '/') config->plugin_dir[len] = '/'; config->plugin_dir[len + 1] = 0; } diff -Nru audit-3.0.9/src/auditd-config.h audit-3.1.1/src/auditd-config.h --- audit-3.0.9/src/auditd-config.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/src/auditd-config.h 2023-04-27 17:26:56.000000000 +0000 
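Review bot: The new guard `len > 1` stops the read of `plugin_dir[len - 1]` for an empty value, but it also skips the slash for every one-character value, so a setting such as `.` is stored without the trailing `/`. `if (len > 0 && config->plugin_dir[len - 1] != '/')` covers the empty case without that side effect. An empty plugin_dir is still accepted and stored as an empty string; if later code joins it with a plugin file name (not visible here) the lookup becomes relative to the daemon's working directory, so rejecting `len == 0` as a configuration error would be the safer choice. `len` is computed outside the hunk and is assumed to be `strlen(nv->value)`.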
@@ -1,24 +1,23 @@ /* auditd-config.h -- - * Copyright 2004-2009,2014,2016,2018 Red Hat Inc., Durham, North Carolina. + * Copyright 2004-2009,2014,2016,2018 Red Hat Inc. * All Rights Reserved. * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, + * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * * Authors: * Steve Grubb - * */ #ifndef AUDITD_CONFIG_H diff -Nru audit-3.0.9/src/auditd-event.c audit-3.1.1/src/auditd-event.c --- audit-3.0.9/src/auditd-event.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/src/auditd-event.c 2023-04-27 17:26:56.000000000 +0000 
@@ -1107,9 +1107,11 @@ "rotating log file (%s)", strerror(errno)); } } - if (log_file) + if (log_file) { + log_fd = -1; fclose(log_file); - log_file = NULL; + log_file = NULL; + } /* Rotate */ len = strlen(config->log_file) + 16; diff -Nru audit-3.0.9/src/auditd-listen.c audit-3.1.1/src/auditd-listen.c --- audit-3.0.9/src/auditd-listen.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/src/auditd-listen.c 2023-04-27 17:26:56.000000000 +0000 @@ -358,6 +358,7 @@ if (major_status != GSS_S_COMPLETE) { gss_failure("acquiring credentials", major_status, minor_status); + (void) gss_release_name(&minor_status, &server_name); return -1; } diff -Nru audit-3.0.9/src/ausearch-llist.h audit-3.1.1/src/ausearch-llist.h --- audit-3.0.9/src/ausearch-llist.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/src/ausearch-llist.h 2023-04-27 17:26:56.000000000 +0000 @@ -1,6 +1,6 @@ /* * ausearch-llist.h - Header file for ausearch-llist.c -* Copyright (c) 2005-2008, 2013-14,2016 Red Hat Inc., Durham, North Carolina. +* Copyright (c) 2005-2008, 2013-14,2016 Red Hat Inc. * Copyright (c) 2011 IBM Corp. * All Rights Reserved. * @@ -97,7 +97,7 @@ // Data we add as 1 per event event e; // event - time & serial number - search_items s; // items in master rec that are searchable + search_items s; // items in the record that are searchable int fmt; // The event's format (raw, enriched) } llist; diff -Nru audit-3.0.9/src/ausearch-parse.c audit-3.1.1/src/ausearch-parse.c --- audit-3.0.9/src/ausearch-parse.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/src/ausearch-parse.c 2023-04-27 17:26:56.000000000 +0000 @@ -92,6 +92,7 @@ do { switch (n->type) { case AUDIT_SYSCALL: + case AUDIT_URINGOP: ret = parse_syscall(n, s); break; case AUDIT_CWD: @@ -147,6 +148,7 @@ break; case AUDIT_FEATURE_CHANGE: case AUDIT_ANOM_LINK: + case AUDIT_DM_CTRL: ret = parse_task_info(n, s); break; case AUDIT_SECCOMP: 
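Review bot: The result of `fclose(log_file)` is still ignored in this rotation path, so a failed final flush of the audit log would go unreported and records buffered in the stream could be lost silently. Check it and log the failure the same way the rotation error just above does, along the lines of `if (fclose(log_file) != 0)` followed by an error message carrying `strerror(errno)`. The enclosing function starts and ends outside the hunk.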
@@ -176,6 +178,7 @@ case AUDIT_PROCTITLE: case AUDIT_REPLACE...AUDIT_BPF: case AUDIT_OPENAT2: + case AUDIT_DM_EVENT: // Nothing to parse break; case AUDIT_NETFILTER_CFG: @@ -508,7 +511,8 @@ int ret; term = n->message; - if (report_format > RPT_DEFAULT || event_machine != -1) { + if ((report_format > RPT_DEFAULT || event_machine != -1) && + n->type == AUDIT_SYSCALL) { // get arch str = strstr(term, "arch="); if (str == NULL) @@ -525,7 +529,13 @@ *term = ' '; } // get syscall - str = strstr(term, "syscall="); + if (n->type == AUDIT_SYSCALL) + str = strstr(term, "syscall="); + else if (n->type == AUDIT_URINGOP) { // or uring_op + str = strstr(term, "uring_op="); + s->arch = MACH_IO_URING; + } else + str = NULL; // unimplemented type if (str == NULL) return 4; ptr = str + 8; 
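Review bot: `ptr = str + 8` is the length of `syscall=`, but the new AUDIT_URINGOP branch matches `uring_op=`, which is nine characters, so for those records `ptr` lands on the `=` rather than on the first digit. The numeric conversion follows outside the hunk; if it is a plain strtoul() on `ptr`, every uring op would parse as 0 and searches by op would match the wrong events. Set the offset per branch, e.g. `ptr = str + (n->type == AUDIT_URINGOP ? 9 : 8);`.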
@@ -571,36 +581,38 @@ s->exit_is_set = 1; *term = ' '; } - // get a0 - str = strstr(term, "a0="); - if (str == NULL) - return 11; - ptr = str + 3; - term = strchr(ptr, ' '); - if (term == NULL) - return 12; - *term = 0; - errno = 0; - // 64 bit dump on 32 bit machine looks bad here - need long long - n->a0 = strtoull(ptr, NULL, 16); // Hex - if (errno) - return 13; - *term = ' '; - // get a1 - str = strstr(term, "a1="); - if (str == NULL) - return 11; - ptr = str + 3; - term = strchr(ptr, ' '); - if (term == NULL) - return 12; - *term = 0; - errno = 0; - // 64 bit dump on 32 bit machine looks bad here - need long long - n->a1 = strtoull(ptr, NULL, 16); // Hex - if (errno) - return 13; - *term = ' '; + if (n->type == AUDIT_SYSCALL) { + // get a0 + str = strstr(term, "a0="); + if (str == NULL) + return 11; + ptr = str + 3; + term = strchr(ptr, ' '); + if (term == NULL) + return 12; + *term = 0; + errno = 0; + // 64 bit dump on 32 bit machine looks bad here - need long long + n->a0 = strtoull(ptr, NULL, 16); // Hex + if (errno) + return 13; + *term = ' '; + // get a1 + str = strstr(term, "a1="); + if (str == NULL) + return 11; + ptr = str + 3; + term = strchr(ptr, ' '); + if (term == NULL) + return 12; + *term = 0; + errno = 0; + // 64 bit dump on 32 bit machine looks bad here - need long long + n->a1 = strtoull(ptr, NULL, 16); // Hex + if (errno) + return 13; + *term = ' '; + } ret = parse_task_info(n, s); if (ret) @@ -1164,7 +1176,8 @@ saved = *term; *term = 0; ptr++; - s->acct = strdup(ptr); + if (!s->acct) //fuzzer induced duplicate + s->acct = strdup(ptr); *term = saved; } else { /* Handle legacy accts */ diff -Nru audit-3.0.9/src/ausearch-report.c audit-3.1.1/src/ausearch-report.c --- audit-3.0.9/src/ausearch-report.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/src/ausearch-report.c 2023-04-27 17:26:56.000000000 +0000 
@@ -1,6 +1,6 @@ /* * ausearch-report.c - Format and output events -* Copyright (c) 2005-09,2011-13,2016-17,2021 Red Hat +* Copyright (c) 2005-09,2011-13,2016-17,2021-23 Red Hat * All Rights Reserved. * * This software may be freely redistributed and/or modified under the @@ -343,8 +343,11 @@ } type = auparse_interp_adjust_type(rtype, name, val); - if (rtype == AUDIT_SYSCALL || rtype == AUDIT_SECCOMP) { - if (machine == (unsigned long)-1) + if (rtype == AUDIT_SYSCALL || rtype == AUDIT_SECCOMP || + rtype == AUDIT_URINGOP) { + if (rtype == AUDIT_URINGOP) + machine = MACH_IO_URING; + else if (machine == (unsigned long)-1) machine = audit_detect_machine(); if (*name == 'a' && strcmp(name, "arch") == 0) { unsigned long ival; @@ -356,8 +359,9 @@ } machine = audit_elf_to_machine(ival); } - if (cur_syscall < 0 && *name == 's' && - strcmp(name, "syscall") == 0) { + if (cur_syscall < 0 && ((*name == 's' && + strcmp(name, "syscall") == 0) || + (*name == 'u' && strcmp(name, "uring_op") == 0))) { unsigned long ival; errno = 0; ival = strtoul(val, NULL, 10); @@ -370,6 +374,7 @@ id.syscall = cur_syscall; } else id.syscall = 0; + id.machine = machine; id.a0 = a0; id.a1 = a1; diff -Nru audit-3.0.9/src/ausearch-time.c audit-3.1.1/src/ausearch-time.c --- audit-3.0.9/src/ausearch-time.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/src/ausearch-time.c 2023-04-27 17:26:56.000000000 +0000 @@ -46,6 +46,7 @@ static struct nv_pair timetab[] = { { T_NOW, "now" }, { T_RECENT, "recent" }, + { T_THIS_HOUR, "this-hour" }, { T_BOOT, "boot" }, { T_TODAY, "today" }, { T_YESTERDAY, "yesterday" }, @@ -85,6 +86,8 @@ t->tm_mday = 0; /* day of the month */ t->tm_mon = 0; /* month */ t->tm_year = 0; /* year */ + t->tm_wday = 0; /* not used */ + t->tm_yday = 0; /* not used */ t->tm_isdst = 0; /* DST flag */ } 
@@ -124,6 +127,15 @@ replace_date(d, tv); } +static void set_tm_hour(struct tm *d) +{ + time_t t = time(NULL); + struct tm *tv = localtime(&t); + d->tm_sec = 0; /* seconds */ + d->tm_min = 0; /* minutes */ + replace_time(d, tv); +} + static int set_tm_boot(struct tm *d) { char buf[128]; @@ -244,6 +256,9 @@ case T_RECENT: set_tm_recent(d); break; + case T_THIS_HOUR: + set_tm_hour(d); + break; case T_BOOT: if (set_tm_boot(d)) return -2; @@ -302,7 +317,7 @@ } else { int keyword=lookup_time(da); if (keyword == T_RECENT || keyword == T_NOW || - keyword == T_BOOT) { + keyword == T_THIS_HOUR || keyword == T_BOOT) { if (ti == NULL || strcmp(ti, "00:00:00") == 0) goto set_it; } @@ -376,7 +391,7 @@ } else { int keyword=lookup_time(da); if (keyword == T_RECENT || keyword == T_NOW || - keyword == T_BOOT) { + keyword == T_THIS_HOUR || keyword == T_BOOT) { if (ti == NULL || strcmp(ti, "00:00:00") == 0) goto set_it; } diff -Nru audit-3.0.9/src/ausearch-time.h audit-3.1.1/src/ausearch-time.h --- audit-3.0.9/src/ausearch-time.h 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/src/ausearch-time.h 2023-04-27 17:26:56.000000000 +0000 @@ -1,5 +1,5 @@ /* ausearch-time.h - header file for ausearch-time.c - * Copyright 2006-07,2016-17 Red Hat Inc., Durham, North Carolina. + * Copyright 2006-07,2016-17,2023 Red Hat Inc. * All Rights Reserved. * * This program is free software; you can redistribute it and/or modify 
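Review bot: In set_tm_hour() the assignments `d->tm_sec = 0` and `d->tm_min = 0` come before `replace_time(d, tv)`; replace_time() is defined outside the hunk, but if it copies seconds and minutes from `tv` the zeroing is undone and `this-hour` resolves to the current time instead of the top of the hour. Setting only the hour, `d->tm_hour = tv->tm_hour;`, or zeroing after the copy would avoid that. The function also leaves the date fields of `d` untouched, unlike the `replace_date(d, tv)` call that closes the function above it, so it relies on the caller having filled them in. The pointer returned by `localtime()` is used without a NULL check.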
@@ -25,8 +25,8 @@ #include "ausearch-common.h" -enum { T_NOW, T_RECENT, T_BOOT, T_TODAY, T_YESTERDAY, T_THIS_WEEK, T_WEEK_AGO, - T_THIS_MONTH, T_THIS_YEAR }; +enum { T_NOW, T_RECENT, T_THIS_HOUR, T_BOOT, T_TODAY, T_YESTERDAY, + T_THIS_WEEK, T_WEEK_AGO, T_THIS_MONTH, T_THIS_YEAR }; int lookup_time(const char *name); int ausearch_time_start(const char *da, const char *ti); diff -Nru audit-3.0.9/src/libev/Makefile.in audit-3.1.1/src/libev/Makefile.in --- audit-3.0.9/src/libev/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/src/libev/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -189,6 +189,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -269,6 +270,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/src/Makefile.in audit-3.1.1/src/Makefile.in --- audit-3.0.9/src/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/src/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -331,6 +331,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -411,6 +412,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/src/test/Makefile.in audit-3.1.1/src/test/Makefile.in --- audit-3.0.9/src/test/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/src/test/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -413,6 +413,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ 
@@ -493,6 +494,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/TODO audit-3.1.1/TODO --- audit-3.0.9/TODO 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/TODO 2023-04-27 17:26:56.000000000 +0000 @@ -1,19 +1,15 @@ Future roadmap (subject to change): =================================== -3.1 +3.2 * Basic HIDS based on reactive audit component * Multi-thread audisp-remote -* Add keywords for time: month-ago, this-hour, last-hour * If searching user/group doesn't map to uid/gid, do translated string search * In auditd, look into non-blocking handling of write to plugins * Support multiple time streams when searching -3.2 +3.3 * Container support * Support TLS PSK as remote logging transport -* Add rule verify to detect mismatch between in-kernel and on-disk rules +* Rewrite swig based python * audisp-remote, add config to say what home network is so laptops don't try if their not on a network that can reach the server. -* Fix audit.pc.in to use Requires.private * Change ausearch to output name="" unless its a real null. (mount) ausearch-report.c, 523. FIXME -* Fix SIGHUP for auditd network settings -* Add ability to filter events in auditd diff -Nru audit-3.0.9/tools/aulast/Makefile.in audit-3.1.1/tools/aulast/Makefile.in --- audit-3.0.9/tools/aulast/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/tools/aulast/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -241,6 +241,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ 
@@ -321,6 +322,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/tools/aulastlog/Makefile.in audit-3.1.1/tools/aulastlog/Makefile.in --- audit-3.0.9/tools/aulastlog/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/tools/aulastlog/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -241,6 +241,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -321,6 +322,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/tools/ausyscall/ausyscall.8 audit-3.1.1/tools/ausyscall/ausyscall.8 --- audit-3.0.9/tools/ausyscall/ausyscall.8 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/tools/ausyscall/ausyscall.8 2023-04-27 17:26:56.000000000 +0000 @@ -1,4 +1,4 @@ -.TH AUSYSCALL "8" "Nov 2008" "Red Hat" "System Administration Utilities" +.TH AUSYSCALL "8" "Feb 2023" "Red Hat" "System Administration Utilities" .SH NAME ausyscall \- a program that allows mapping syscall names and numbers .SH SYNOPSIS 
@@ -6,6 +6,10 @@ .SH DESCRIPTION \fBausyscall\fP is a program that prints out the mapping from syscall name to number and reverse for the given arch. The arch can be anything returned by `uname \-m`. If arch is not given, the program will take a guess based on the running image. Or for convenience, you can pass \fBb32\fP or \fBb64\fP to use the current arch but a specific ABI. You may give the syscall name or number and it will find the opposite. You can also dump the whole table with the \-\-dump option. By default a syscall name lookup will be a substring match meaning that it will try to match all occurrences of the given name with syscalls. So giving a name of chown will match both fchown and chown as any other syscall with chown in its name. If this behavior is not desired, pass the \-\-exact flag and it will do an exact string match. +The program takes the special arch, +.B uring, +to denote that you want to specify io_uring operations. In this case, the arch must be given because it will otherwise detect the underlying harware. + This program can be used to verify syscall numbers on a biarch platform for rule optimization. For example, suppose you had an auditctl rule: .B \-a always, exit \-S open \-F exit=\-EPERM \-k fail\-open diff -Nru audit-3.0.9/tools/ausyscall/ausyscall.c audit-3.1.1/tools/ausyscall/ausyscall.c --- audit-3.0.9/tools/ausyscall/ausyscall.c 2022-08-29 21:23:13.000000000 +0000 +++ audit-3.1.1/tools/ausyscall/ausyscall.c 2023-04-27 17:26:56.000000000 +0000 @@ -1,6 +1,6 @@ /* - * ausysvcall.c - A program that lets you map syscall names and numbers - * Copyright (c) 2008 Red Hat Inc., Durham, North Carolina. + * ausysvcall.c - A program that lets you map syscall names and numbers + * Copyright (c) 2008,2022 Red Hat Inc. * All Rights Reserved. * * This software may be freely redistributed and/or modified under the 
@@ -15,7 +15,7 @@ * * You should have received a copy of the GNU General Public License * along with this program; see the file COPYING. If not, write to the - * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor * Boston, MA 02110-1335, USA. * * Authors: @@ -32,8 +32,8 @@ void usage(void) { - fprintf(stderr, "usage: ausyscall [arch] name | number | --dump | --exact\n"); - exit(1); + fprintf(stderr, "usage: ausyscall [arch] name | number | --dump | --exact\n"); + exit(1); } int main(int argc, char *argv[]) @@ -93,6 +93,11 @@ name = argv[i]; } } + // If they passed only uring, assume they want the syscall + if (name == NULL && machine == MACH_IO_URING && i == 2) { + machine = -1; + name = argv[i - 1]; + } if (machine == -1) machine = audit_detect_machine(); if (machine == -1) { @@ -105,7 +110,7 @@ audit_machine_to_name(machine)); for (i=0; i<8192; i++) { name = audit_syscall_to_name(i, machine); - if (name) + if (name) printf("%d\t%s\n", i, name); } return 0; @@ -116,7 +121,7 @@ rc = audit_name_to_syscall(name, machine); if (rc < 0) { fprintf(stderr, - "Unknown syscall %s using %s lookup table\n", + "Unknown syscall %s using %s lookup table\n", name, audit_machine_to_name(machine)); return 1; } else @@ -124,7 +129,7 @@ } else { int found = 0; for (i=0; i< LAST_SYSCALL; i++) { - const char *n = audit_syscall_to_name(i, machine); + const char *n=audit_syscall_to_name(i, machine); if (n && strcasestr(n, name)) { found = 1; printf("%-18s %d\n", n, i); 
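Review bot: The uring fallback added to `main` in the `@@ -93` hunk tests `i == 2` and reads `argv[i - 1]`, which depends on the value the argument loop leaves in `i`; that loop is outside the hunk, so this presumably means "exactly one argument was given". Stating the condition on `argc` says so directly and stays correct if the loop changes: `if (name == NULL && machine == MACH_IO_URING && argc == 2) {` with `name = argv[1];`. The comment could also spell out the outcome, e.g. `// "ausyscall uring" alone: look up "uring" as a syscall name on the detected arch`. `main` continues past the end of this hunk.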
@@ -132,7 +137,7 @@ } if (!found) { fprintf(stderr, - "Unknown syscall %s using %s lookup table\n", + "Unknown syscall %s using %s lookup table\n", name, audit_machine_to_name(machine)); return 1; } diff -Nru audit-3.0.9/tools/ausyscall/Makefile.in audit-3.1.1/tools/ausyscall/Makefile.in --- audit-3.0.9/tools/ausyscall/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/tools/ausyscall/Makefile.in 2023-04-27 17:27:01.000000000 +0000 @@ -237,6 +237,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -317,6 +318,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/tools/auvirt/Makefile.in audit-3.1.1/tools/auvirt/Makefile.in --- audit-3.0.9/tools/auvirt/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/tools/auvirt/Makefile.in 2023-04-27 17:27:01.000000000 +0000 @@ -244,6 +244,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -324,6 +325,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@ diff -Nru audit-3.0.9/tools/Makefile.in audit-3.1.1/tools/Makefile.in --- audit-3.0.9/tools/Makefile.in 2022-08-29 21:23:17.000000000 +0000 +++ audit-3.1.1/tools/Makefile.in 2023-04-27 17:27:00.000000000 +0000 @@ -215,6 +215,7 @@ BUILD_EXEEXT = @BUILD_EXEEXT@ BUILD_OBJEXT = @BUILD_OBJEXT@ CAPNG_LDADD = @CAPNG_LDADD@ +CAPNG_PKG = @CAPNG_PKG@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CC_FOR_BUILD = @CC_FOR_BUILD@ @@ -295,6 +296,7 @@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ STRIP = @STRIP@ +SWIG = @SWIG@ VERSION = @VERSION@ WFLAGS = @WFLAGS@ abs_builddir = @abs_builddir@