packages/audit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!130 backport patches to fix bug

Browse Source 
From: @fangxiuning 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001
This commit is contained in:
openeuler-ci-bot 2024-07-22 12:35:19 +00:00 committed by Gitee
commit 2024bedff5
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
13 changed files with 1347 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
audit.spec
View File

@ -2,36 +2,47 @@ Summary: User space tools for kernel auditing
Name: audit
Epoch: 1
Version: 3.1.2
Release: 4
Release: 5
License: GPLv2+ and LGPLv2+
URL: https://people.redhat.com/sgrubb/audit/
Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
Patch0: bugfix-audit-support-armv7b.patch
Patch1: bugfix-audit-userspace-missing-syscalls-for-aarm64.patch
Patch2: bugfix-audit-reload-coredump.patch
Patch3: audit-Add-sw64-architecture.patch
Patch4: backport-Solve-issue-363-by-moving-check-to-after-load_config.patch
Patch5: backport-first-part-of-NULL-pointer-checks.patch
Patch6: backport-second-part-of-NULL-pointer-checks.patch
Patch7: backport-last-part-of-NULL-pointer-checks.patch
Patch8: backport-Fixed-NULL-checks.patch
Patch9: backport-update-error-messages-in-NULL-Checks.patch
Patch10: backport-adding-the-file-descriptor-closure.patch
Patch11: backport-correcting-memcmp-args-in-check_rule_mismatch-functi.patch
Patch12: backport-Use-atomic_int-if-available-for-signal-related-flags.patch
Patch13: backport-Use-atomic_uint-if-available-for-signal-related-flag.patch
Patch14: backport-avoiding-of-NULL-pointers-dereference-366.patch
Patch15: backport-Cleanup-code-in-LRU.patch
Patch16: backport-Fix-memory-leaks.patch
Patch17: backport-fix-one-more-leak.patch
Patch18: backport-Consolidate-end-of-event-detection-to-a-common-funct.patch
Patch19: backport-Issue343-Fix-checkpoint-issue-to-ensure-all-complete.patch
Patch20: backport-lib-avoid-UB-on-sequence-wrap-around-347.patch
Patch21: backport-Fix-deprecated-python-function.patch
Patch22: backport-Change-python-bindings-to-switch-from-PyEval_CallObj.patch
Patch23: backport-Cleanup-shell-script-warnings.patch
Patch0: bugfix-audit-support-armv7b.patch
Patch1: bugfix-audit-userspace-missing-syscalls-for-aarm64.patch
Patch2: bugfix-audit-reload-coredump.patch
Patch3: audit-Add-sw64-architecture.patch
Patch4: backport-Rewrite-legacy-service-functions-in-terms-of-systemc.patch
Patch5: backport-Error-out-if-required-zos-parameters-missing.patch
Patch6: backport-Fix-deprecated-python-function.patch
Patch7: backport-lib-close-audit-socket-in-load_feature_bitmap-334.patch
Patch8: backport-lib-enclose-macro-to-avoid-precedence-issues.patch
Patch9: backport-memory-allocation-updates-341.patch
Patch10: backport-lib-cast-to-unsigned-char-for-character-test-functio.patch
Patch11: backport-Make-session-id-consistently-typed-327.patch
Patch12: backport-Avoid-file-descriptor-leaks-in-multi-threaded-applic.patch
Patch13: backport-fix-the-use-of-isdigit-everywhere.patch
Patch14: backport-Fix-new-warnings-for-unused-results.patch
Patch15: backport-Change-the-first-iteration-test-so-static-analysis-b.patch
Patch16: backport-Consolidate-end-of-event-detection-to-a-common-funct.patch
Patch17: backport-Issue343-Fix-checkpoint-issue-to-ensure-all-complete.patch
Patch18: backport-lib-avoid-UB-on-sequence-wrap-around-347.patch
Patch19: backport-Change-python-bindings-to-switch-from-PyEval_CallObj.patch
Patch20: backport-Cleanup-shell-script-warnings.patch
Patch21: backport-Solve-issue-363-by-moving-check-to-after-load_config.patch
Patch22: backport-first-part-of-NULL-pointer-checks.patch
Patch23: backport-second-part-of-NULL-pointer-checks.patch
Patch24: backport-last-part-of-NULL-pointer-checks.patch
Patch25: backport-Fixed-NULL-checks.patch
Patch26: backport-update-error-messages-in-NULL-Checks.patch
Patch27: backport-adding-the-file-descriptor-closure.patch
Patch28: backport-correcting-memcmp-args-in-check_rule_mismatch-functi.patch
Patch29: backport-Use-atomic_int-if-available-for-signal-related-flags.patch
Patch30: backport-Use-atomic_uint-if-available-for-signal-related-flag.patch
Patch31: backport-avoiding-of-NULL-pointers-dereference-366.patch
Patch32: backport-Cleanup-code-in-LRU.patch
Patch33: backport-Fix-memory-leaks.patch
Patch34: backport-fix-one-more-leak.patch
BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29
BuildRequires: openldap-devel krb5-devel libcap-ng-devel
@ -311,7 +322,6 @@ fi
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
%attr(750,root,root) %{_libexecdir}/audit-functions
%ghost %{_localstatedir}/run/auditd.state
%attr(750,root,root) %dir %{_var}/log/audit
%attr(750,root,root) %dir /etc/audit
@ -375,6 +385,9 @@ fi
%attr(644,root,root) %{_mandir}/man8/*.8.gz
%changelog
* Thu Jul 18 2024 fangxiuning<fangxiuning@huawei.com> - 1:3.1.2-5
- backport patches to fix bugs
* Thu Jun 06 2024 fuanan <fuanan3@h-partners.com> - 1:3.1.2-4
- backport patches from upstream

137
backport-Avoid-file-descriptor-leaks-in-multi-threaded-applic.patch Normal file
View File

@ -0,0 +1,137 @@
From 2663987c5088924bce510fcf8e7891d6aae976ba Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Sat, 4 Nov 2023 03:48:39 +0100
Subject: [PATCH] Avoid file descriptor leaks in multi-threaded applications
(#339)
* lib: set close-on-exec flag
libaudit may be called from a multi-threaded application.
Avoid leaking local file descriptors on a concurrent execve.
* lib: simplify SOCK_CLOEXEC
SOCK_CLOEXEC is supported since Linux 2.6.27.
Reference:https://github.com/linux-audit/audit-userspace/commit/2663987c5088924bce510fcf8e7891d6aae976ba
Conflict:lib/audit_logging.c,lib/netlink.c,lib/libaudit.c
---
lib/audit_logging.c | 2 +-
lib/libaudit.c | 14 +++++++-------
lib/netlink.c | 12 +-----------
3 files changed, 9 insertions(+), 19 deletions(-)
diff --git a/lib/audit_logging.c b/lib/audit_logging.c
index 302c242..08b53aa 100644
--- a/lib/audit_logging.c
+++ b/lib/audit_logging.c
@@ -177,7 +177,7 @@ static char *_get_commname(const char *comm, char *commname, unsigned int size)
if (comm == NULL) {
int len;
- int fd = open("/proc/self/comm", O_RDONLY);
+ int fd = open("/proc/self/comm", O_RDONLY|O_CLOEXEC);
if (fd < 0) {
strcpy(commname, "\"?\"");
return commname;
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 2cc7afd..74fa2f3 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -221,7 +221,7 @@ static int load_libaudit_config(const char *path)
char buf[128];
/* open the file */
- rc = open(path, O_NOFOLLOW|O_RDONLY);
+ rc = open(path, O_NOFOLLOW|O_RDONLY|O_CLOEXEC);
if (rc < 0) {
if (errno != ENOENT) {
audit_msg(LOG_ERR, "Error opening %s (%s)",
@@ -261,7 +261,7 @@ static int load_libaudit_config(const char *path)
}
/* it's ok, read line by line */
- f = fdopen(fd, "rm");
+ f = fdopen(fd, "rme");
if (f == NULL) {
audit_msg(LOG_ERR, "Error - fdopen failed (%s)",
strerror(errno));
@@ -705,7 +705,7 @@ char *audit_format_signal_info(char *buf, int len, char *op,
char path[32], ses[16];
int rlen;
snprintf(path, sizeof(path), "/proc/%u", rep->signal_info->pid);
- int fd = open(path, O_RDONLY);
+ int fd = open(path, O_RDONLY|O_DIRECTORY|O_CLOEXEC);
if (fd >= 0) {
if (fstat(fd, &sb) < 0)
sb.st_uid = -1;
@@ -714,7 +714,7 @@ char *audit_format_signal_info(char *buf, int len, char *op,
sb.st_uid = -1;
snprintf(path, sizeof(path), "/proc/%u/sessionid",
rep->signal_info->pid);
- fd = open(path, O_RDONLY, rep->signal_info->pid);
+ fd = open(path, O_RDONLY|O_CLOEXEC, rep->signal_info->pid);
if (fd < 0)
strcpy(ses, "4294967295");
else {
@@ -918,7 +918,7 @@ uid_t audit_getloginuid(void)
char buf[16];
errno = 0;
- in = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY);
+ in = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY|O_CLOEXEC);
if (in < 0)
return -1;
do {
@@ -946,7 +946,7 @@ int audit_setloginuid(uid_t uid)
errno = 0;
count = snprintf(loginuid, sizeof(loginuid), "%u", uid);
- o = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
+ o = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC|O_CLOEXEC);
if (o >= 0) {
int block, offset = 0;
@@ -982,7 +982,7 @@ uint32_t audit_get_session(void)
char buf[16];
errno = 0;
- in = open("/proc/self/sessionid", O_NOFOLLOW|O_RDONLY);
+ in = open("/proc/self/sessionid", O_NOFOLLOW|O_RDONLY|O_CLOEXEC);
if (in < 0)
return -2;
do {
diff --git a/lib/netlink.c b/lib/netlink.c
index 66a1e7c..f862da4 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -47,7 +47,7 @@ static int check_ack(int fd);
int audit_open(void)
{
int saved_errno;
- int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
+ int fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
if (fd < 0) {
saved_errno = errno;
@@ -60,16 +60,6 @@ int audit_open(void)
"Error opening audit netlink socket (%s)",
strerror(errno));
errno = saved_errno;
- return fd;
- }
- if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
- saved_errno = errno;
- audit_msg(LOG_ERR,
- "Error setting audit netlink socket CLOEXEC flag (%s)",
- strerror(errno));
- close(fd);
- errno = saved_errno;
- return -1;
}
return fd;
}
--
2.33.0

39
backport-Change-the-first-iteration-test-so-static-analysis-b.patch Normal file
View File

@ -0,0 +1,39 @@
From b84b007cd0ef504e8c86b8cc73646f3119ed343c Mon Sep 17 00:00:00 2001
From: Steve Grubb <ausearch.1@gmail.com>
Date: Wed, 29 Nov 2023 15:49:21 -0500
Subject: [PATCH] Change the first iteration test so static analysis better
understands the code
Reference:https://github.com/linux-audit/audit-userspace/commit/b84b007cd0ef504e8c86b8cc73646f3119ed343c
Conflict:NA
---
tools/aulast/aulast-llist.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/tools/aulast/aulast-llist.c b/tools/aulast/aulast-llist.c
index 87638ebc..d7765ba4 100644
--- a/tools/aulast/aulast-llist.c
+++ b/tools/aulast/aulast-llist.c
@@ -140,11 +140,15 @@ int list_update_logout(llist* l, time_t t, unsigned long serial)
lnode *list_delete_cur(llist *l)
{
register lnode *cur, *prev;
-
- prev = cur = l->head; /* start at the beginning */
+
+ if (l == NULL || l->head == NULL)
+ return NULL;
+
+ prev = cur = l->head; /* start at the beginning */
while (cur) {
if (cur == l->cur) {
- if (cur == prev && cur == l->head) {
+ // If the first iteration
+ if (prev == l->head && cur == l->head) {
l->head = cur->next;
l->cur = cur->next;
free((void *)cur->name);
--
2.33.0

40
backport-Cleanup-shell-script-warnings.patch
View File

@ -4,7 +4,7 @@ Date: Fri, 23 Feb 2024 12:26:05 -0500
Subject: [PATCH] Cleanup shell script warnings
Reference:https://github.com/linux-audit/audit-userspace/commit/79c1212ff38254a961c27d8eb10bc766e412ffe9
Conflict:init.d/augenrules, init.d/auditd.state
Conflict:NA
---
init.d/auditd.reload | 2 +-
@ -12,11 +12,11 @@ Conflict:init.d/augenrules, init.d/auditd.state
init.d/auditd.rotate | 2 +-
init.d/auditd.state | 6 +++---
init.d/auditd.stop | 2 +-
init.d/augenrules | 4 ++--
6 files changed, 7 insertions(+), 7 deletions(-)
init.d/augenrules | 2 +-
6 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/init.d/auditd.reload b/init.d/auditd.reload
index 6db1bd74..b42fa6bf 100644
index 53ff2f4..4f09d00 100644
--- a/init.d/auditd.reload
+++ b/init.d/auditd.reload
@@ -3,7 +3,7 @@
@ -26,10 +26,10 @@ index 6db1bd74..b42fa6bf 100644
-test $(id -u) = 0 || exit 4
+test "$(id -u)" = "0" || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
printf "Reconfiguring: "
/sbin/augenrules --load
diff --git a/init.d/auditd.resume b/init.d/auditd.resume
index 96189eb6..8193bea9 100644
index 96189eb..8193bea 100644
--- a/init.d/auditd.resume
+++ b/init.d/auditd.resume
@@ -3,7 +3,7 @@
@ -39,10 +39,10 @@ index 96189eb6..8193bea9 100644
-test $(id -u) = 0 || exit 4
+test "$(id -u)" = "0" || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
printf "Resuming logging: "
/sbin/auditctl --signal resume
diff --git a/init.d/auditd.rotate b/init.d/auditd.rotate
index dcb12c26..8bb65530 100644
index dcb12c2..8bb6553 100644
--- a/init.d/auditd.rotate
+++ b/init.d/auditd.rotate
@@ -3,7 +3,7 @@
@ -52,10 +52,10 @@ index dcb12c26..8bb65530 100644
-test $(id -u) = 0 || exit 4
+test "$(id -u)" = "0" || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
printf "Rotating logs: "
/sbin/auditctl --signal rotate
diff --git a/init.d/auditd.state b/init.d/auditd.state
index 6ae0845a..c59fe5a6 100644
index 6ae0845..c59fe5a 100644
--- a/init.d/auditd.state
+++ b/init.d/auditd.state
@@ -3,7 +3,7 @@
@ -66,18 +66,22 @@ index 6ae0845a..c59fe5a6 100644
+test "$(id -u)" = "0" || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
@@ -15,7 +15,7 @@ killproc $prog -CONT
state_file="/var/run/auditd.state"
@@ -11,10 +11,10 @@ state_file="/var/run/auditd.state"
printf "Getting auditd internal state: "
/sbin/auditctl --signal state
RETVAL=$?
echo -e "\n"
-echo -e "\n"
sleep 1
-if [ $? -eq 0 ] ; then
+if [ $RETVAL -eq 0 ] ; then
if [ -e $state_file ] ; then
+ printf "\n\n"
cat $state_file
fi
fi
diff --git a/init.d/auditd.stop b/init.d/auditd.stop
index 4cfe88b1..79e53a59 100644
index 5049285..41c67d6 100644
--- a/init.d/auditd.stop
+++ b/init.d/auditd.stop
@@ -3,7 +3,7 @@
@ -90,7 +94,7 @@ index 4cfe88b1..79e53a59 100644
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
diff --git a/init.d/augenrules b/init.d/augenrules
index be6c9f5c..8c1a670b 100644
index ea96aa7..605cfef 100644
--- a/init.d/augenrules
+++ b/init.d/augenrules
@@ -35,7 +35,7 @@ RETVAL=0

41
backport-Error-out-if-required-zos-parameters-missing.patch Normal file
View File

@ -0,0 +1,41 @@
From bbe96f9798451129ae2555f92e2f698f842f7833 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 10 Oct 2023 08:22:49 -0400
Subject: [PATCH] Error out if required zos parameters missing
Reference:https://github.com/linux-audit/audit-userspace/commit/bbe96f9798451129ae2555f92e2f698f842f7833
Conflict:NA
---
audisp/plugins/zos-remote/zos-remote-ldap.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/audisp/plugins/zos-remote/zos-remote-ldap.c b/audisp/plugins/zos-remote/zos-remote-ldap.c
index 7dd1424f..7e27eda4 100644
--- a/audisp/plugins/zos-remote/zos-remote-ldap.c
+++ b/audisp/plugins/zos-remote/zos-remote-ldap.c
@@ -134,14 +134,18 @@ retry:
int zos_remote_init(ZOS_REMOTE *zos_remote, const char *server, int port,
const char *user, const char *password, int timeout)
-{
+{
+ if (server == NULL || user == NULL || password == NULL) {
+ log_err("Error: required parameters are not present in config file");
+ return ICTX_E_FATAL;
+ }
zos_remote->server = strdup(server);
zos_remote->port = port;
zos_remote->user = strdup(user);
zos_remote->password = strdup(password);
zos_remote->timeout = timeout;
zos_remote->connected = 0;
-
+
if (!zos_remote->server || !zos_remote->user || !zos_remote->password) {
log_err("Error allocating memory for session members");
return ICTX_E_FATAL;
--
2.33.0

107
backport-Fix-new-warnings-for-unused-results.patch Normal file
View File

@ -0,0 +1,107 @@
From a4e8b7e18f249fe5decdd2fe748a5068ffeaee57 Mon Sep 17 00:00:00 2001
From: Steve Grubb <ausearch.1@gmail.com>
Date: Mon, 20 Nov 2023 16:37:46 -0500
Subject: [PATCH] Fix new warnings for unused results
Reference:https://github.com/linux-audit/audit-userspace/commit/a4e8b7e18f249fe5decdd2fe748a5068ffeaee57
Conflict:NA
---
audisp/plugins/ids/ids.c | 5 +++--
audisp/plugins/ids/ids.h | 2 +-
audisp/plugins/statsd/audisp-statsd.c | 4 ++--
lib/libaudit.c | 3 ++-
lib/netlink.c | 3 ++-
src/auditd.c | 3 ++-
6 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/audisp/plugins/ids/ids.c b/audisp/plugins/ids/ids.c
index d28237e5..1446ca71 100644
--- a/audisp/plugins/ids/ids.c
+++ b/audisp/plugins/ids/ids.c
@@ -107,9 +107,10 @@ static void destroy_audit(void)
}
-void log_audit_event(int type, const char *text, int res)
+int log_audit_event(int type, const char *text, int res)
{
- audit_log_user_message(audit_fd, type, text, NULL, NULL, NULL, res);
+ return audit_log_user_message(audit_fd, type, text,
+ NULL, NULL, NULL, res);
}
diff --git a/audisp/plugins/ids/ids.h b/audisp/plugins/ids/ids.h
index f3710066..cb98cdba 100644
--- a/audisp/plugins/ids/ids.h
+++ b/audisp/plugins/ids/ids.h
@@ -15,6 +15,6 @@
extern int debug;
extern void my_printf(const char *fmt, ...)
__attribute__ (( format(printf, 1, 2) ));
-extern void log_audit_event(int type, const char *text, int res);
+extern int log_audit_event(int type, const char *text, int res);
#endif
diff --git a/audisp/plugins/statsd/audisp-statsd.c b/audisp/plugins/statsd/audisp-statsd.c
index db2c6111..912f9171 100644
--- a/audisp/plugins/statsd/audisp-statsd.c
+++ b/audisp/plugins/statsd/audisp-statsd.c
@@ -218,9 +218,9 @@ static void get_kernel_status(void)
struct audit_reply rep;
audit_request_status(audit_fd);
- audit_get_reply(audit_fd, &rep, GET_REPLY_BLOCKING, 0);
+ int rc = audit_get_reply(audit_fd, &rep, GET_REPLY_BLOCKING, 0);
- if (rep.type == AUDIT_GET) {
+ if (rc > 0 && rep.type == AUDIT_GET) {
// add info to global audit event struct
r.lost = rep.status->lost;
r.backlog = rep.status->backlog;
diff --git a/lib/libaudit.c b/lib/libaudit.c
index e5f2a7c5..3decff12 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -473,7 +473,8 @@ int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode)
rc = poll(pfd, 1, 100); /* .1 second */
} while (rc < 0 && errno == EINTR);
- (void)audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
+ if (audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0))
+ ; // intentionally empty
return 1;
}
diff --git a/lib/netlink.c b/lib/netlink.c
index eeeefc26..3381651a 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -280,7 +280,8 @@ retry:
else if (rc > 0 && rep.type == NLMSG_ERROR) {
int error = rep.error->error;
/* Eat the message */
- (void)audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
+ if (audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0))
+ ; // intentionally empty
/* NLMSG_ERROR can indicate success, only report nonzero */
if (error) {
diff --git a/src/auditd.c b/src/auditd.c
index 2dedf35b..54b407f3 100644
--- a/src/auditd.c
+++ b/src/auditd.c
@@ -1044,7 +1044,8 @@ static void clean_exit(void)
audit_msg(LOG_INFO, "The audit daemon is exiting.");
if (fd >= 0) {
if (!opt_aggregate_only)
- audit_set_pid(fd, 0, WAIT_NO);
+ if (audit_set_pid(fd, 0, WAIT_NO))
+ ; // intentionally empty
audit_close(fd);
}
if (pidfile)
--
2.33.0

62
backport-Make-session-id-consistently-typed-327.patch Normal file
View File

@ -0,0 +1,62 @@
From 8359a7004de5e22c5a9b85c01c56e3b376d84a81 Mon Sep 17 00:00:00 2001
From: Michael Tautschnig <mt@debian.org>
Date: Thu, 2 Nov 2023 21:53:29 +0100
Subject: [PATCH] Make session id consistently typed (#327)
This fixes type-conflicting definitions and declarations.
Reference:https://github.com/linux-audit/audit-userspace/commit/8359a7004de5e22c5a9b85c01c56e3b376d84a81
Conflict:NA
---
src/aureport-options.c | 3 ++-
src/ausearch-options.c | 10 ++++++----
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/aureport-options.c b/src/aureport-options.c
index 93621e25..76a4b9f1 100644
--- a/src/aureport-options.c
+++ b/src/aureport-options.c
@@ -61,7 +61,8 @@ const char *event_uuid = NULL;
const char *event_vmname = NULL;
long long event_exit = 0;
int event_exit_is_set = 0;
-int event_ppid = -1, event_session_id = -2;
+pid_t event_ppid = -1;
+uint32_t event_session_id = -2;
int event_debug = 0, event_machine = -1;
time_t arg_eoe_timeout = (time_t)0;
diff --git a/src/ausearch-options.c b/src/ausearch-options.c
index 8a1f4772..499c2aa3 100644
--- a/src/ausearch-options.c
+++ b/src/ausearch-options.c
@@ -895,19 +895,21 @@ int check_params(int count, char *vars[])
size_t len = strlen(optarg);
if (isdigit(optarg[0])) {
errno = 0;
- event_session_id = strtoul(optarg,NULL,10);
- if (errno)
+ unsigned long optval = strtoul(optarg,NULL,10);
+ if (errno || optval >= (1ul << 32))
retval = -1;
+ event_session_id = optval;
c++;
} else if (len >= 2 && *(optarg)=='-' &&
(isdigit(optarg[1]))) {
errno = 0;
- event_session_id = strtoul(optarg, NULL, 0);
- if (errno) {
+ long optval = strtol(optarg, NULL, 0);
+ if (errno || optval < INT_MIN || optval > INT_MAX) {
retval = -1;
fprintf(stderr, "Error converting %s\n",
optarg);
}
+ event_session_id = optval;
c++;
} else {
fprintf(stderr,
--
2.33.0

214
backport-Rewrite-legacy-service-functions-in-terms-of-systemc.patch Normal file
View File

@ -0,0 +1,214 @@
From 38572e7eead76015b388723038f03e2ef0b1e3c1 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Fri, 25 Aug 2023 10:41:20 -0400
Subject: [PATCH] Rewrite legacy service functions in terms of systemctl
Reference:https://github.com/linux-audit/audit-userspace/commit/38572e7eead76015b388723038f03e2ef0b1e3c1
Conflict:init.d/Makefile.am,ChangeLog
---
init.d/Makefile.am | 3 +--
init.d/audit-functions | 52 ---------------------------------------
init.d/auditd.condrestart | 7 +++---
init.d/auditd.reload | 6 +----
init.d/auditd.resume | 6 +----
init.d/auditd.rotate | 6 +----
init.d/auditd.state | 4 +--
init.d/auditd.stop | 3 +--
8 files changed, 10 insertions(+), 77 deletions(-)
delete mode 100644 init.d/audit-functions
diff --git a/init.d/Makefile.am b/init.d/Makefile.am
index fdbf81c..3a73697 100644
--- a/init.d/Makefile.am
+++ b/init.d/Makefile.am
@@ -26,7 +26,7 @@ EXTRA_DIST = auditd.init auditd.service auditd.sysconfig auditd.conf \
auditd.cron libaudit.conf auditd.condrestart \
auditd.reload auditd.restart auditd.resume \
auditd.rotate auditd.state auditd.stop \
- audit-stop.rules augenrules audit-functions
+ audit-stop.rules augenrules
libconfig = libaudit.conf
if ENABLE_SYSTEMD
initdir = /usr/lib/systemd/system
@@ -61,7 +61,6 @@ if ENABLE_SYSTEMD
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.stop ${DESTDIR}${legacydir}/stop
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.restart ${DESTDIR}${legacydir}/restart
$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.condrestart ${DESTDIR}${legacydir}/condrestart
- $(INSTALL_SCRIPT) -D -m 750 ${srcdir}/audit-functions ${DESTDIR}${libexecdir}
else
$(INSTALL_SCRIPT) -D ${srcdir}/auditd.init ${DESTDIR}${initdir}/auditd
endif
diff --git a/init.d/audit-functions b/init.d/audit-functions
deleted file mode 100644
index 12f5023..0000000
--- a/init.d/audit-functions
+++ /dev/null
@@ -1,52 +0,0 @@
-# -*-Shell-script-*-
-
-# Make sure umask is sane
-umask 022
-
-#/usr/libexec/audit/audit-functions
-
-# killproc {program} [-signal]
-killproc ()
-{
- local daemon="$1"
- local sig=
- [ -n "${2:-}" ] && sig=$2
-
- # This matches src/auditd.c
- local pid_file="/var/run/auditd.pid"
- local pid_dir=$(dirname $pid_file)
-
- if [ ! -d "$pid_dir" ] ; then
- return 4
- fi
-
- local pid=
- if [ -f "$pid_file" ] ; then
- # pid file exists, use it
- while : ; do
- read line
- [ -z "$line" ] && break
- for p in $line ; do
- # pid is numeric and corresponds to a process
- if [ -z "${p//[0-9]/}" ] && [ -d "/proc/$p" ] ; then
- d=$(cat "/proc/$p/comm")
- if [ "$d" = "$daemon" ] ; then
- pid="$p"
- break
- fi
- fi
- done
- done < "$pid_file"
- else
- # need to search /proc
- p=$(pidof "$daemon")
- if [ -n "$p" ] ; then
- pid="$p"
- fi
- fi
-
- # At this point we should have a pid or the process is dead
- if [ -n "$pid" ] && [ -n "$sig" ] ; then
- kill "$sig" "$pid" >/dev/null 2>&1
- fi
-}
diff --git a/init.d/auditd.condrestart b/init.d/auditd.condrestart
index d86e5e4..c5803ff 100644
--- a/init.d/auditd.condrestart
+++ b/init.d/auditd.condrestart
@@ -2,9 +2,10 @@
# Helper script to provide legacy auditd service options not
# directly supported by systemd.
-state=`service auditd status | awk '/^ Active/ { print $2 }'`
-if [ $state = "active" ] ; then
- /usr/libexec/initscripts/legacy-actions/auditd/restart
+state=$(systemctl status auditd | awk '/Active:/ { print $2 }')
+if [ "$state" = "active" ] ; then
+ /usr/libexec/initscripts/legacy-actions/auditd/stop
+ /bin/systemctl start auditd
RETVAL="$?"
exit $RETVAL
fi
diff --git a/init.d/auditd.reload b/init.d/auditd.reload
index e689534..53ff2f4 100644
--- a/init.d/auditd.reload
+++ b/init.d/auditd.reload
@@ -5,13 +5,9 @@
# Check that we are root ... so non-root users stop here
test $(id -u) = 0 || exit 4
-PATH=/sbin:/bin:/usr/bin:/usr/sbin
-prog="auditd"
-. /usr/libexec/audit-functions
-
printf "Reconfiguring: "
/sbin/augenrules --load
-killproc $prog -HUP
+/sbin/auditctl --signal reload
RETVAL=$?
echo
exit $RETVAL
diff --git a/init.d/auditd.resume b/init.d/auditd.resume
index 6852fd6..96189eb 100644
--- a/init.d/auditd.resume
+++ b/init.d/auditd.resume
@@ -5,12 +5,8 @@
# Check that we are root ... so non-root users stop here
test $(id -u) = 0 || exit 4
-PATH=/sbin:/bin:/usr/bin:/usr/sbin
-prog="auditd"
-. /usr/libexec/audit-functions
-
printf "Resuming logging: "
-killproc $prog -USR2
+/sbin/auditctl --signal resume
RETVAL=$?
echo
exit $RETVAL
diff --git a/init.d/auditd.rotate b/init.d/auditd.rotate
index 643b935..dcb12c2 100644
--- a/init.d/auditd.rotate
+++ b/init.d/auditd.rotate
@@ -5,12 +5,8 @@
# Check that we are root ... so non-root users stop here
test $(id -u) = 0 || exit 4
-PATH=/sbin:/bin:/usr/bin:/usr/sbin
-prog="auditd"
-. /usr/libexec/audit-functions
-
printf "Rotating logs: "
-killproc $prog -USR1
+/sbin/auditctl --signal rotate
RETVAL=$?
echo
exit $RETVAL
diff --git a/init.d/auditd.state b/init.d/auditd.state
index 4724c4f..6ae0845 100644
--- a/init.d/auditd.state
+++ b/init.d/auditd.state
@@ -6,12 +6,10 @@
test $(id -u) = 0 || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
-prog="auditd"
state_file="/var/run/auditd.state"
-. /usr/libexec/audit-functions
printf "Getting auditd internal state: "
-killproc $prog -CONT
+/sbin/auditctl --signal state
RETVAL=$?
echo -e "\n"
sleep 1
diff --git a/init.d/auditd.stop b/init.d/auditd.stop
index d3fbc79..5049285 100644
--- a/init.d/auditd.stop
+++ b/init.d/auditd.stop
@@ -7,7 +7,6 @@ test $(id -u) = 0 || exit 4
PATH=/sbin:/bin:/usr/bin:/usr/sbin
prog="auditd"
-. /usr/libexec/audit-functions
pid=
p=$(pidof "$prog")
if [ -n "$p" ] ; then
@@ -15,7 +14,7 @@ if [ -n "$p" ] ; then
fi
printf "Stopping logging: "
-killproc $prog -TERM
+/sbin/auditctl --signal stop
RETVAL=$?
if [ -n "$pid" ] ; then
# Wait up to 20 seconds for auditd to shutdown
--
2.33.0

401
backport-fix-the-use-of-isdigit-everywhere.patch Normal file
View File

@ -0,0 +1,401 @@
From 149a3464ef35fbaa98c57e2775a7a4ab20c2ee75 Mon Sep 17 00:00:00 2001
From: Steve Grubb <ausearch.1@gmail.com>
Date: Sun, 5 Nov 2023 14:24:49 -0500
Subject: [PATCH] fix the use of isdigit everywhere
Reference:https://github.com/linux-audit/audit-userspace/commit/149a3464ef35fbaa98c57e2775a7a4ab20c2ee75
Conflict:NA
---
audisp/plugins/af_unix/audisp-af_unix.c | 2 +-
audisp/plugins/ids/ids_config.c | 2 +-
audisp/plugins/remote/remote-config.c | 2 +-
audisp/plugins/zos-remote/zos-remote-config.c | 6 ++--
auparse/auditd-config.c | 2 +-
auparse/interpret.c | 6 ++--
src/auditctl.c | 6 ++--
src/aureport-options.c | 4 +--
src/aureport-output.c | 2 +-
src/ausearch-options.c | 36 +++++++++----------
src/ausearch-parse.c | 2 +-
tools/ausyscall/ausyscall.c | 4 +--
12 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/audisp/plugins/af_unix/audisp-af_unix.c b/audisp/plugins/af_unix/audisp-af_unix.c
index ffcc7603..ffbf2ac0 100644
--- a/audisp/plugins/af_unix/audisp-af_unix.c
+++ b/audisp/plugins/af_unix/audisp-af_unix.c
@@ -126,7 +126,7 @@ int setup_socket(int argc, char *argv[])
} else {
int i;
for (i=1; i < 3; i++) {
- if (isdigit(argv[i][0])) {
+ if (isdigit((unsigned char)argv[i][0])) {
errno = 0;
mode = strtoul(argv[i], NULL, 8);
if (errno) {
diff --git a/audisp/plugins/ids/ids_config.c b/audisp/plugins/ids/ids_config.c
index 4da5ca93..f773794a 100644
--- a/audisp/plugins/ids/ids_config.c
+++ b/audisp/plugins/ids/ids_config.c
@@ -345,7 +345,7 @@ static int unsigned_int_parser(struct nv_pair *nv, int line, unsigned int *val)
/* check that all chars are numbers */
for (i=0; ptr[i]; i++) {
- if (!isdigit(ptr[i])) {
+ if (!isdigit((unsigned char)ptr[i])) {
syslog(LOG_ERR,
"Value %s should only be numbers - line %d",
nv->value, line);
diff --git a/audisp/plugins/remote/remote-config.c b/audisp/plugins/remote/remote-config.c
index 02b51337..8de7b27f 100644
--- a/audisp/plugins/remote/remote-config.c
+++ b/audisp/plugins/remote/remote-config.c
@@ -484,7 +484,7 @@ static int parse_uint (const struct nv_pair *nv, int line, unsigned int *valp,
/* check that all chars are numbers */
for (i=0; ptr[i]; i++) {
- if (!isdigit(ptr[i])) {
+ if (!isdigit((unsigned char)ptr[i])) {
syslog(LOG_ERR,
"Value %s should only be numbers - line %d",
nv->value, line);
diff --git a/audisp/plugins/zos-remote/zos-remote-config.c b/audisp/plugins/zos-remote/zos-remote-config.c
index b92dc778..2f7e42f5 100644
--- a/audisp/plugins/zos-remote/zos-remote-config.c
+++ b/audisp/plugins/zos-remote/zos-remote-config.c
@@ -301,7 +301,7 @@ static int port_parser(struct nv_pair *nv, int line, plugin_conf_t * c)
/* check that all chars are numbers */
for (i = 0; ptr[i]; i++) {
- if (!isdigit(ptr[i])) {
+ if (!isdigit((unsigned char)ptr[i])) {
log_err("Value %s should only be numbers - line %d", nv->value, line);
return 1;
}
@@ -327,7 +327,7 @@ static int timeout_parser(struct nv_pair *nv, int line, plugin_conf_t * c)
/* check that all chars are numbers */
for (i = 0; ptr[i]; i++) {
- if (!isdigit(ptr[i])) {
+ if (!isdigit((unsigned char)ptr[i])) {
log_err("Value %s should only be numbers - line %d", nv->value, line);
return 1;
}
@@ -376,7 +376,7 @@ static int q_depth_parser(struct nv_pair *nv, int line, plugin_conf_t * c)
/* check that all chars are numbers */
for (i = 0; ptr[i]; i++) {
- if (!isdigit(ptr[i])) {
+ if (!isdigit((unsigned char)ptr[i])) {
log_err("Value %s should only be numbers - line %d", nv->value, line);
return 1;
}
diff --git a/auparse/auditd-config.c b/auparse/auditd-config.c
index 9a6a6a71..6e5c86a8 100644
--- a/auparse/auditd-config.c
+++ b/auparse/auditd-config.c
@@ -340,7 +340,7 @@ static int eoe_timeout_parser(auparse_state_t *au, const char *val, int line,
/* check that all chars are numbers */
for (i=0; ptr[i]; i++) {
- if (!isdigit(ptr[i])) {
+ if (!isdigit((unsigned char)ptr[i])) {
audit_msg(au, LOG_ERR,
"Value %s should only be numbers - line %d",
val, line);
diff --git a/auparse/interpret.c b/auparse/interpret.c
index f13723b6..77c96468 100644
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -325,7 +325,7 @@ static void key_escape(const char *orig, char *dest, auparse_esc_t escape_mode)
static int is_int_string(const char *str)
{
while (*str) {
- if (!isdigit(*str))
+ if (!isdigit((unsigned char)*str))
return 0;
str++;
}
@@ -1485,7 +1485,7 @@ static const char *print_success(const char *val)
{
int res;
- if (isdigit(*val)) {
+ if (isdigit((unsigned char)*val)) {
errno = 0;
res = strtoul(val, NULL, 10);
if (errno) {
@@ -2319,7 +2319,7 @@ static const char *print_fanotify(const char *val)
{
int res;
- if (isdigit(*val)) {
+ if (isdigit((unsigned char)*val)) {
errno = 0;
res = strtoul(val, NULL, 10);
if (errno) {
diff --git a/src/auditctl.c b/src/auditctl.c
index ccd62bc3..e1ca0f83 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -680,7 +680,7 @@ static int setopt(int count, int lineno, char *vars[])
}
break;
case 'r':
- if (optarg && isdigit(optarg[0])) {
+ if (optarg && isdigit((unsigned char)optarg[0])) {
uint32_t rate;
errno = 0;
rate = strtoul(optarg,NULL,0);
@@ -699,7 +699,7 @@ static int setopt(int count, int lineno, char *vars[])
}
break;
case 'b':
- if (optarg && isdigit(optarg[0])) {
+ if (optarg && isdigit((unsigned char)optarg[0])) {
uint32_t limit;
errno = 0;
limit = strtoul(optarg,NULL,0);
@@ -1134,7 +1134,7 @@ process_keys:
case 2:
#if HAVE_DECL_AUDIT_VERSION_BACKLOG_WAIT_TIME == 1 || \
HAVE_DECL_AUDIT_STATUS_BACKLOG_WAIT_TIME == 1
- if (optarg && isdigit(optarg[0])) {
+ if (optarg && isdigit((unsigned char)optarg[0])) {
uint32_t bwt;
errno = 0;
bwt = strtoul(optarg,NULL,0);
diff --git a/src/aureport-options.c b/src/aureport-options.c
index 203c3880..7480c8a9 100644
--- a/src/aureport-options.c
+++ b/src/aureport-options.c
@@ -385,7 +385,7 @@ int check_params(int count, char *vars[])
// } else {
// UNIMPLEMENTED;
// set_detail(D_SPECIFIC);
-// if (isdigit(optarg[0])) {
+// if (isdigit((unsigned char)optarg[0])) {
// errno = 0;
// event_id = strtoul(optarg,
// NULL, 10);
@@ -764,7 +764,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
arg_eoe_timeout = (time_t)strtoul(optarg, NULL, 10);
if (errno || arg_eoe_timeout == 0) {
diff --git a/src/aureport-output.c b/src/aureport-output.c
index a635d536..27a2ce25 100644
--- a/src/aureport-output.c
+++ b/src/aureport-output.c
@@ -976,7 +976,7 @@ static void do_user_summary_output(slist *sptr)
long uid;
char name[64];
- if (sn->str[0] == '-' || isdigit(sn->str[0])) {
+ if (sn->str[0] == '-' || isdigit((unsigned char)sn->str[0])) {
uid = strtol(sn->str, NULL, 10);
printf("%u ", sn->hits);
safe_print_string(aulookup_uid(uid, name,
diff --git a/src/ausearch-options.c b/src/ausearch-options.c
index 53d0db64..1c653648 100644
--- a/src/ausearch-options.c
+++ b/src/ausearch-options.c
@@ -253,7 +253,7 @@ static int convert_str_to_msg(const char *optarg)
{
int tmp, retval = 0;
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
tmp = strtoul(optarg, NULL, 10);
if (errno) {
@@ -335,7 +335,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_id = strtoul(optarg, NULL, 10);
if (errno) {
@@ -357,7 +357,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
arg_eoe_timeout = (time_t)strtoul(optarg, NULL, 10);
if (errno || arg_eoe_timeout == 0) {
@@ -463,7 +463,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_gid = strtoul(optarg,NULL,10);
if (errno) {
@@ -497,7 +497,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_egid = strtoul(optarg,NULL,10);
if (errno) {
@@ -529,7 +529,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_gid = strtoul(optarg,NULL,10);
if (errno) {
@@ -655,7 +655,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_ppid = strtol(optarg,NULL,10);
if (errno)
@@ -676,7 +676,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_pid = strtol(optarg,NULL,10);
if (errno)
@@ -794,7 +794,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_syscall = (int)strtoul(optarg, NULL, 10);
if (errno) {
@@ -893,7 +893,7 @@ int check_params(int count, char *vars[])
}
{
size_t len = strlen(optarg);
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
unsigned long optval = strtoul(optarg,NULL,10);
if (errno || optval >= (1ul << 32))
@@ -901,7 +901,7 @@ int check_params(int count, char *vars[])
event_session_id = optval;
c++;
} else if (len >= 2 && *(optarg)=='-' &&
- (isdigit(optarg[1]))) {
+ (isdigit((unsigned char)optarg[1]))) {
errno = 0;
long optval = strtol(optarg, NULL, 0);
if (errno || optval < INT_MIN || optval > INT_MAX) {
@@ -933,7 +933,7 @@ int check_params(int count, char *vars[])
}
{
size_t len = strlen(optarg);
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_exit = strtoll(optarg, NULL, 0);
if (errno) {
@@ -942,7 +942,7 @@ int check_params(int count, char *vars[])
optarg);
}
} else if (len >= 2 && *(optarg)=='-' &&
- (isdigit(optarg[1]))) {
+ (isdigit((unsigned char)optarg[1]))) {
errno = 0;
event_exit = strtoll(optarg, NULL, 0);
if (errno) {
@@ -1074,7 +1074,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_uid = strtoul(optarg,NULL,10);
if (errno) {
@@ -1107,7 +1107,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_euid = strtoul(optarg,NULL,10);
if (errno) {
@@ -1140,7 +1140,7 @@ int check_params(int count, char *vars[])
retval = -1;
break;
}
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_uid = strtoul(optarg,NULL,10);
if (errno) {
@@ -1184,7 +1184,7 @@ int check_params(int count, char *vars[])
}
{
size_t len = strlen(optarg);
- if (isdigit(optarg[0])) {
+ if (isdigit((unsigned char)optarg[0])) {
errno = 0;
event_loginuid = strtoul(optarg,NULL,10);
if (errno) {
@@ -1194,7 +1194,7 @@ int check_params(int count, char *vars[])
retval = -1;
}
} else if (len >= 2 && *(optarg)=='-' &&
- (isdigit(optarg[1]))) {
+ (isdigit((unsigned char)optarg[1]))) {
errno = 0;
event_loginuid = strtol(optarg, NULL, 0);
if (errno) {
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index e6868c6e..1a5b047f 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -1128,7 +1128,7 @@ try_again:
return 25;
ptr = str + 4;
term = ptr;
- while (isdigit(*term))
+ while (isdigit((unsigned char)*term))
term++;
if (term == ptr)
return 14;
diff --git a/tools/ausyscall/ausyscall.c b/tools/ausyscall/ausyscall.c
index bf751f17..489b1095 100644
--- a/tools/ausyscall/ausyscall.c
+++ b/tools/ausyscall/ausyscall.c
@@ -47,9 +47,9 @@ int main(int argc, char *argv[])
usage();
} else if (argc < 2)
usage();
-
+
for (i=1; i<argc; i++) {
- if (isdigit(argv[i][0])) {
+ if (isdigit((unsigned char)argv[i][0])) {
if (syscall_num != -1) {
fputs("Two syscall numbers not allowed\n",
stderr);
--
2.33.0

165
backport-lib-cast-to-unsigned-char-for-character-test-functio.patch Normal file
View File

@ -0,0 +1,165 @@
From 3aa3ccb2bb1c8804fbf43b260c93b65e831242c1 Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Thu, 2 Nov 2023 21:20:40 +0100
Subject: [PATCH] lib: cast to unsigned char for character test functions
(#338)
Passing a value not representable by unsigned char is undefined
behavior.
Reference:https://github.com/linux-audit/audit-userspace/commit/3aa3ccb2bb1c8804fbf43b260c93b65e831242c1
Conflict:NA
---
lib/libaudit.c | 32 ++++++++++++++++----------------
lib/lookup_table.c | 2 +-
2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 960525a..abcdf4a 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -1031,7 +1031,7 @@ int audit_rule_syscallbyname_data(struct audit_rule_data *rule,
return -2;
nr = audit_name_to_syscall(scall, machine);
if (nr < 0) {
- if (isdigit(scall[0]))
+ if (isdigit((unsigned char)scall[0]))
nr = strtol(scall, NULL, 0);
}
if (nr >= 0)
@@ -1056,7 +1056,7 @@ int audit_rule_io_uringbyname_data(struct audit_rule_data *rule,
}
nr = audit_name_to_uringop(scall);
if (nr < 0) {
- if (isdigit(scall[0]))
+ if (isdigit((unsigned char)scall[0]))
nr = strtol(scall, NULL, 0);
}
if (nr >= 0)
@@ -1585,11 +1585,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_OBJ_UID:
// Do positive & negative separate for 32 bit systems
vlen = strlen(v);
- if (isdigit((char)*(v)))
+ if (isdigit((unsigned char)*(v)))
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
else if (vlen >= 2 && *(v)=='-' &&
- (isdigit((char)*(v+1))))
+ (isdigit((unsigned char)*(v+1))))
rule->values[rule->field_count] =
strtol(v, NULL, 0);
else {
@@ -1609,7 +1609,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
case AUDIT_SGID:
case AUDIT_FSGID:
case AUDIT_OBJ_GID:
- if (isdigit((char)*(v)))
+ if (isdigit((unsigned char)*(v)))
rule->values[rule->field_count] =
strtol(v, NULL, 0);
else {
@@ -1625,11 +1625,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (flags != AUDIT_FILTER_EXIT)
return -EAU_EXITONLY;
vlen = strlen(v);
- if (isdigit((char)*(v)))
+ if (isdigit((unsigned char)*(v)))
rule->values[rule->field_count] =
strtol(v, NULL, 0);
else if (vlen >= 2 && *(v)=='-' &&
- (isdigit((char)*(v+1))))
+ (isdigit((unsigned char)*(v+1))))
rule->values[rule->field_count] =
strtol(v, NULL, 0);
else {
@@ -1644,7 +1644,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
flags != AUDIT_FILTER_USER)
return -EAU_MSGTYPEEXCLUDEUSER;
- if (isdigit((char)*(v)))
+ if (isdigit((unsigned char)*(v)))
rule->values[rule->field_count] =
strtol(v, NULL, 0);
else
@@ -1715,7 +1715,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
return -EAU_ARCHMISPLACED;
if (!(op == AUDIT_NOT_EQUAL || op == AUDIT_EQUAL))
return -EAU_OPEQNOTEQ;
- if (isdigit((char)*(v))) {
+ if (isdigit((unsigned char)*(v))) {
int machine;
errno = 0;
@@ -1757,7 +1757,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
return -EAU_STRTOOLONG;
for (i = 0; i < len; i++) {
- switch (tolower(v[i])) {
+ switch (tolower((unsigned char)v[i])) {
case 'r':
val |= AUDIT_PERM_READ;
break;
@@ -1791,7 +1791,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
return -EAU_FIELDUNAVAIL;
if (!(op == AUDIT_NOT_EQUAL || op == AUDIT_EQUAL))
return -EAU_OPEQNOTEQ;
- if (isdigit((char)*(v)))
+ if (isdigit((unsigned char)*(v)))
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
else
@@ -1804,11 +1804,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
break;
case AUDIT_ARG0...AUDIT_ARG3:
vlen = strlen(v);
- if (isdigit((char)*(v)))
+ if (isdigit((unsigned char)*(v)))
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
else if (vlen >= 2 && *(v)=='-' &&
- (isdigit((char)*(v+1))))
+ (isdigit((unsigned char)*(v+1))))
rule->values[rule->field_count] =
strtol(v, NULL, 0);
else
@@ -1824,11 +1824,11 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
return -EAU_FIELDNOFILTER;
// Do positive & negative separate for 32 bit systems
vlen = strlen(v);
- if (isdigit((char)*(v)))
+ if (isdigit((unsigned char)*(v)))
rule->values[rule->field_count] =
strtoul(v, NULL, 0);
else if (vlen >= 2 && *(v)=='-' &&
- (isdigit((char)*(v+1))))
+ (isdigit((unsigned char)*(v+1))))
rule->values[rule->field_count] =
strtol(v, NULL, 0);
else if (strcmp(v, "unset") == 0)
@@ -1854,7 +1854,7 @@ int audit_rule_fieldpair_data(struct audit_rule_data **rulep, const char *pair,
if (field == AUDIT_PPID && !(flags==AUDIT_FILTER_EXIT))
return -EAU_EXITONLY;
- if (!isdigit((char)*(v)))
+ if (!isdigit((unsigned char)*(v)))
return -EAU_FIELDVALNUM;
if (field == AUDIT_INODE)
diff --git a/lib/lookup_table.c b/lib/lookup_table.c
index 2f5e6cd..d839205 100644
--- a/lib/lookup_table.c
+++ b/lib/lookup_table.c
@@ -255,7 +255,7 @@ int audit_name_to_msg_type(const char *msg_type)
strncpy(buf, msg_type + 8, len);
errno = 0;
return strtol(buf, NULL, 10);
- } else if (isdigit(*msg_type)) {
+ } else if (isdigit((unsigned char)*msg_type)) {
errno = 0;
return strtol(msg_type, NULL, 10);
}
--
2.33.0

35
backport-lib-close-audit-socket-in-load_feature_bitmap-334.patch Normal file
View File

@ -0,0 +1,35 @@
From 3f928b21486369c495d9eaca46eb9d506ae576b3 Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Wed, 1 Nov 2023 20:35:40 +0100
Subject: [PATCH] lib: close audit socket in load_feature_bitmap() (#334)
Reference:https://github.com/linux-audit/audit-userspace/commit/3f928b21486369c495d9eaca46eb9d506ae576b3
Conflict:NA
---
lib/libaudit.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/libaudit.c b/lib/libaudit.c
index ded3ab47..4c317c87 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -657,12 +657,14 @@ static void load_feature_bitmap(void)
/* Found it... */
features_bitmap = rep.status->feature_bitmap;
+ audit_close(fd);
return;
}
}
}
#endif
features_bitmap = AUDIT_FEATURES_UNSUPPORTED;
+ audit_close(fd);
}
uint32_t audit_get_features(void)
--
2.33.0

29
backport-lib-enclose-macro-to-avoid-precedence-issues.patch Normal file
View File

@ -0,0 +1,29 @@
From e97c79260a2e7bdbf02c5162b0c40451c9555111 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 31 Oct 2023 16:49:10 +0100
Subject: [PATCH] lib: enclose macro to avoid precedence issues
Reference:https://github.com/linux-audit/audit-userspace/commit/e97c79260a2e7bdbf02c5162b0c40451c9555111
Conflict:NA
---
lib/audit_logging.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/audit_logging.c b/lib/audit_logging.c
index 8b8b6207..e8b79d3e 100644
--- a/lib/audit_logging.c
+++ b/lib/audit_logging.c
@@ -38,7 +38,7 @@
#include "private.h"
#define TTY_PATH 32
-#define MAX_USER (UT_NAMESIZE * 2) + 8
+#define MAX_USER ((UT_NAMESIZE * 2) + 8)
// NOTE: The kernel fills in pid, uid, and loginuid of sender. Therefore,
// these routines do not need to send them.
--
2.33.0

56
backport-memory-allocation-updates-341.patch Normal file
View File

@ -0,0 +1,56 @@
From b92027ac9e29659483a5e920e548fe74126f72af Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Wed, 1 Nov 2023 22:15:40 +0100
Subject: [PATCH] memory allocation updates (#341)
* Check memory allocation
Avoid later NULL dereference.
* Check memory allocation and merge zeroing
Avoid later NULL dereference.
Reference:https://github.com/linux-audit/audit-userspace/commit/b92027ac9e29659483a5e920e548fe74126f72af
Conflict:NA
---
auparse/interpret.c | 2 ++
lib/libaudit.c | 7 +++++--
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/auparse/interpret.c b/auparse/interpret.c
index ecde07ae..76ca2814 100644
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -366,6 +366,8 @@ char *au_unescape(char *buf)
// strlen(buf) / 2.
olen = strlen(buf);
str = malloc(olen+1);
+ if (!str)
+ return NULL;
saved = *ptr;
*ptr = 0;
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 6a42871b..d90d83b8 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -891,9 +891,12 @@ int audit_make_equivalent(int fd, const char *mount_point,
struct {
uint32_t sizes[2];
unsigned char buf[];
- } *cmd = malloc(sizeof(*cmd) + len1 + len2);
+ } *cmd = calloc(1, sizeof(*cmd) + len1 + len2);
- memset(cmd, 0, sizeof(*cmd) + len1 + len2);
+ if (!cmd) {
+ audit_msg(LOG_ERR, "Cannot allocate memory!");
+ return -ENOMEM;
+ }
cmd->sizes[0] = len1;
cmd->sizes[1] = len2;
--
2.33.0