Packages to support the SELinux security mechanism #10664

Open
wants to merge 11 commits into
base: master
from

utils/audit: new package

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
tpetazzoni committed May 22, 2019
commit b70c5a074e87bd23f4f86d838b6ed50ab1e7a95e
@@ -0,0 +1,125 @@
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#

include $(TOPDIR)/rules.mk

PKG_NAME:=audit
PKG_VERSION:=2.8.5
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://people.redhat.com/sgrubb/audit
PKG_HASH:=0e5d4103646e00f8d1981e1cd2faea7a2ae28e854c31a803e907a383c5e2ecb7

PKG_MAINTAINER:=Thomas Petazzoni <thomas.petazzoni@bootlin.com>
PKG_FIXUP:=autoreconf

include $(INCLUDE_DIR)/package.mk

define Package/audit/Default
SECTION:=utils
TITLE:=Audit Daemon
URL:=http://people.redhat.com/sgrubb/audit/
endef

define Package/audit/Default/description
The audit package contains the user space utilities for
storing and searching the audit records generated by
the audit subsystem in the Linux 2.6 kernel
endef

define Package/libaudit
$(call Package/audit/Default)
CATEGORY:=Libraries
TITLE+= (library)
DEPENDS:=+@KERNEL_AUDIT
endef

define Package/libaudit/description
$(call Package/audit/Default/description)
This package contains the audit shared library.
endef

define Package/audit
$(call Package/audit/Default)
CATEGORY:=Utilities
TITLE+= (daemon)
DEPENDS:= +libaudit
endef

define Package/audit/description
$(call Package/audit/Default/description)
This package contains the audit daemon.
endef

CONFIGURE_VARS += \
LDFLAGS_FOR_BUILD="$(HOST_LDFLAGS)" \
CPPFLAGS_FOR_BUILD="$(HOST_CPPFLAGS)" \
CFLAGS_FOR_BUILD="$(HOST_CFLAGS)" \
CC_FOR_BUILD="$(HOSTCC)"

CONFIGURE_ARGS += \
--without-libcap-ng \
--disable-systemd \
--without-python \
--without-python3 \
--disable-zos-remote

ifeq ($(ARCH),aarch64)
CONFIGURE_ARGS += --with-aarch64
else ifeq ($(ARCH),arm)
CONFIGURE_ARGS += --with-arm
endif

# We can't use the default, as the default passes $(MAKE_ARGS), which
# overrides CC, CFLAGS, etc. and defeats the *_FOR_BUILD definitions
# passed in CONFIGURE_VARS
define Build/Compile
$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)/$(MAKE_PATH)
endef

define Build/Install
$(call Build/Install/Default,install)
$(SED) 's%^dispatcher *=.*%dispatcher = /usr/sbin/audispd%' $(PKG_INSTALL_DIR)/etc/audit/auditd.conf
endef

define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/include
$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/*.pc $(1)/usr/lib/pkgconfig/
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/
endef

define Package/libaudit/install
$(INSTALL_DIR) $(1)/usr/lib
$(CP) $(PKG_INSTALL_DIR)/usr/lib/*.so.* $(1)/usr/lib/
$(INSTALL_DIR) $(1)/etc
$(CP) $(PKG_INSTALL_DIR)/etc/libaudit.conf $(1)/etc/
endef

define Package/audit/install
$(INSTALL_DIR) $(1)/usr/bin
$(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/
$(INSTALL_DIR) $(1)/usr/sbin
$(CP) $(PKG_INSTALL_DIR)/usr/sbin/* $(1)/usr/sbin/
$(INSTALL_DIR) $(1)/etc/audit
$(CP) $(PKG_INSTALL_DIR)/etc/audit/* $(1)/etc/audit/
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/audit.init $(1)/etc/init.d/audit
endef

include $(INCLUDE_DIR)/host-build.mk

HOST_CONFIGURE_ARGS += \
--without-python \
--without-python3 \
--disable-zos-remote \
--without-libcap-ng

$(eval $(call HostBuild))
$(eval $(call BuildPackage,libaudit))
$(eval $(call BuildPackage,audit))
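Review bot: Neither `Package/audit` nor `Package/libaudit` declares `conffiles`, although the install steps copy `/etc/audit/*` and `/etc/libaudit.conf`, so locally edited audit rules and daemon settings are not marked as configuration to keep and may be replaced by packaged defaults on upgrade. Consider a `define Package/audit/conffiles` block listing `/etc/audit/auditd.conf` and the `/etc/audit/rules.d/audit.rules` file that the init script loads, plus a `Package/libaudit/conffiles` block with `/etc/libaudit.conf`. Separately, `PKG_SOURCE_URL` is plain `http://`; the pinned `PKG_HASH` still covers integrity, but an `https://` location would be preferable if the host offers one. A short comment on why `--without-libcap-ng` is passed would also help, since it presumably removes the code paths that drop capabilities.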
@@ -0,0 +1,16 @@
#!/bin/sh /etc/rc.common
# Copyright (c) 2014 OpenWrt.org

START=11

USE_PROCD=1
PROG=/usr/sbin/auditd

start_service() {
mkdir -p /var/log/audit
procd_open_instance
procd_set_param command "$PROG" -n
procd_set_param respawn
procd_close_instance
test -f /etc/audit/rules.d/audit.rules && /usr/sbin/auditctl -R /etc/audit/rules.d/audit.rules
}
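Review bot: The rule load on the last line of `start_service` is silent on both failure paths: if `/etc/audit/rules.d/audit.rules` is missing, or `auditctl -R` rejects it, the daemon still starts and nothing records that the system is running with no audit rules. Reporting the failure would make that gap visible, for example `/usr/sbin/auditctl -R /etc/audit/rules.d/audit.rules || logger -t audit -p daemon.err "failed to load audit rules"` inside an `if [ -f ... ]` guard. The log directory is also created with whatever umask the init environment has; `mkdir -m 0700 -p /var/log/audit` would pin its mode rather than relying on the daemon to correct it afterwards.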
@@ -0,0 +1,133 @@
From c39a071e7c021f6ff3554aca2758e97b47a9777c Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 26 Feb 2019 18:33:33 -0500
Subject: [PATCH] Add substitue functions for strndupa & rawmemchr

(cherry picked from commit d579a08bb1cde71f939c13ac6b2261052ae9f77e)
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
auparse/auparse.c | 12 +++++++++++-
auparse/interpret.c | 9 ++++++++-
configure.ac | 14 +++++++++++++-
src/ausearch-lol.c | 12 +++++++++++-
4 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/auparse/auparse.c b/auparse/auparse.c
index 650db02..2e1c737 100644
--- a/auparse/auparse.c
+++ b/auparse/auparse.c
@@ -1,5 +1,5 @@
/* auparse.c --
- * Copyright 2006-08,2012-17 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2006-08,2012-19 Red Hat Inc., Durham, North Carolina.
* All Rights Reserved.
*
* This library is free software; you can redistribute it and/or
@@ -1118,6 +1118,16 @@ static int str2event(char *s, au_event_t *e)
return 0;
}

+#ifndef HAVE_STRNDUPA
+static inline char *strndupa(const char *old, size_t n)
+{
+ size_t len = strnlen(old, n);
+ char *tmp = alloca(len + 1);
+ tmp[len] = 0;
+ return memcpy(tmp, old, len);
+}
+#endif
+
/* Returns 0 on success and 1 on error */
static int extract_timestamp(const char *b, au_event_t *e)
{
diff --git a/auparse/interpret.c b/auparse/interpret.c
index 51c4a5e..67b7b77 100644
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -853,6 +853,13 @@ err_out:
return print_escaped(id->val);
}

+// rawmemchr is faster. Let's use it if we have it.
+#ifdef HAVE_RAWMEMCHR
+#define STRCHR rawmemchr
+#else
+#define STRCHR strchr
+#endif
+
static const char *print_proctitle(const char *val)
{
char *out = (char *)print_escaped(val);
@@ -863,7 +870,7 @@ static const char *print_proctitle(const char *val)
// Proctitle has arguments separated by NUL bytes
// We need to write over the NUL bytes with a space
// so that we can see the arguments
- while ((ptr = rawmemchr(ptr, '\0'))) {
+ while ((ptr = STRCHR(ptr, '\0'))) {
if (ptr >= end)
break;
*ptr = ' ';
diff --git a/configure.ac b/configure.ac
index 6e345f1..6f3007e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
dnl
define([AC_INIT_NOTICE],
[### Generated automatically using autoconf version] AC_ACVERSION [
-### Copyright 2005-18 Steve Grubb <sgrubb@redhat.com>
+### Copyright 2005-19 Steve Grubb <sgrubb@redhat.com>
###
### Permission is hereby granted, free of charge, to any person obtaining a
### copy of this software and associated documentation files (the "Software"),
@@ -72,6 +72,18 @@ dnl; posix_fallocate is used in audisp-remote
AC_CHECK_FUNCS([posix_fallocate])
dnl; signalfd is needed for libev
AC_CHECK_FUNC([signalfd], [], [ AC_MSG_ERROR([The signalfd system call is necessary for auditd]) ])
+dnl; check if rawmemchr is available
+AC_CHECK_FUNCS([rawmemchr])
+dnl; check if strndupa is available
+AC_LINK_IFELSE(
+ [AC_LANG_SOURCE(
+ [[
+ #define _GNU_SOURCE
+ #include <string.h>
+ int main() { (void) strndupa("test", 10); return 0; }]])],
+ [AC_DEFINE(HAVE_STRNDUPA, 1, [Let us know if we have it or not])],
+ []
+)

ALLWARNS=""
ALLDEBUG="-g"
diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
index 5d17a72..758c33e 100644
--- a/src/ausearch-lol.c
+++ b/src/ausearch-lol.c
@@ -1,6 +1,6 @@
/*
* ausearch-lol.c - linked list of linked lists library
-* Copyright (c) 2008,2010,2014,2016 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2008,2010,2014,2016,2019 Red Hat Inc., Durham, North Carolina.
* All Rights Reserved.
*
* This software may be freely redistributed and/or modified under the
@@ -152,6 +152,16 @@ static int compare_event_time(event *e1, event *e2)
return 0;
}

+#ifndef HAVE_STRNDUPA
+static inline char *strndupa(const char *old, size_t n)
+{
+ size_t len = strnlen(old, n);
+ char *tmp = alloca(len + 1);
+ tmp[len] = 0;
+ return memcpy(tmp, old, len);
+}
+#endif
+
/*
* This function will look at the line and pick out pieces of it.
*/
--
2.21.0
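Review bot: The `strndupa` fallback added in `auparse/auparse.c`, and again in `src/ausearch-lol.c`, returns memory obtained with `alloca()` inside a helper function, so the buffer belongs to the helper's stack frame and the returned pointer dangles once the helper returns. `static inline` is only a hint; whenever the compiler does not inline the helper (unoptimised builds, and compilers commonly decline to inline functions that call `alloca`), the callers parse audit records out of dead stack memory. This path is the one that matters for this package, because the fallback is taken exactly when the C library lacks `strndupa`. The replacement has to be a macro so that `alloca()` executes in the caller's frame, as sketched below. The `STRCHR` fallback to `strchr(ptr, '\0')` in `auparse/interpret.c` looks equivalent to the `rawmemchr` call it replaces.

```c
#ifndef HAVE_STRNDUPA
/* Must be a macro: alloca() has to run in the caller's stack frame. */
#define strndupa(s, n) \
	({ \
		const char *old_ = (s); \
		size_t len_ = strnlen(old_, (n)); \
		char *new_ = alloca(len_ + 1); \
		new_[len_] = '\0'; \
		(char *)memcpy(new_, old_, len_); \
	})
#endif
```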
