!152 backport patches to fix bug

From: @fwo Reviewed-by: @zhujianwei001 Signed-off-by: @zhujianwei001
2024-12-12 07:55:19 +00:00 · 2024-12-12 07:55:19 +00:00 · f517345409
commit f517345409
parent 5f33272f1b c0cb68b58c
2 changed files with 53 additions and 1 deletions
--- a/audit.spec
+++ b/audit.spec
@ -2,7 +2,7 @@ Summary:            User space tools for kernel auditing
 Name:               audit
 Epoch:              1
 Version:            3.1.2
-Release:            6
+Release:            7
 License:            GPLv2+ and LGPLv2+
 URL:                https://people.redhat.com/sgrubb/audit/
 Source0:            https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@ -44,6 +44,7 @@ Patch32:   backport-Cleanup-code-in-LRU.patch
 Patch33:   backport-Fix-memory-leaks.patch
 Patch34:   backport-fix-one-more-leak.patch
 Patch35:   backport-Correct-output-when-displaying-rules-with-exe-path-d.patch
+Patch36:   backport-ausearch-format-Fix-display-of-renamed-file-411.patch

 BuildRequires:      gcc swig libtool systemd kernel-headers >= 2.6.29
 BuildRequires:      openldap-devel krb5-devel libcap-ng-devel
@ -386,6 +387,9 @@ fi
 %attr(644,root,root) %{_mandir}/man8/*.8.gz

 %changelog
+* Wed Dec 11 2024 wangjiang <app@cameyan.coom> - 1:3.1.2-7
+- backport patches to fix bug
+
 * Sat Aug 24 2024 fangxiuning<fangxiuning@huawei.com> - 1:3.1.2-6
 - backport patches to fix bug

--- a/backport-ausearch-format-Fix-display-of-renamed-file-411.patch
+++ b/backport-ausearch-format-Fix-display-of-renamed-file-411.patch
@ -0,0 +1,48 @@
+From 7cdcfd30c6122acc6b2e54e1ad8cd1a12dd537d2 Mon Sep 17 00:00:00 2001
+From: Attila Lakatos <Cropi@users.noreply.github.com>
+Date: Mon, 21 Oct 2024 04:25:37 +0200
+Subject: [PATCH] ausearch format: Fix display of renamed file (#411)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+ 
+In some cases, ausearch was not correctly showing
+the new name of a renamed file when searching for
+audit events. If the target file didn’t exist prior
+to the rename, ausearch was unable to parse the new
+file name. This occurred because ausearch attempted
+to retrieve this information from the 7th record,
+which is absent when the target file does not exist.
+---
+ auparse/normalize.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+ 
+diff --git a/auparse/normalize.c b/auparse/normalize.c
+index 036c0b86..f1a07d18 100644
+--- a/auparse/normalize.c
+++ b/auparse/normalize.c
+@@ -693,7 +693,20 @@ static int normalize_syscall(auparse_state_t *au, const char *syscall)
+ 		case NORM_FILE_RENAME:
+ 			act = "renamed";
+ 			D.thing.what = NORM_WHAT_FILE; // this gets overridden
+-			set_prime_object2(au, "name", 4);
+			/* A sucessfull syscall from the rename family will provide
+			 * the following items:
+			 *  0 - new dir, in which the file will be located
+			 *  1 - old dir, in which the file was located
+			 *  2 - old name, the name of the original file
+			 * 	if the file was already present in the new dir:
+			 *   3 - removal of the new file
+			 *   4 - creation of the new file
+			 *  otherwise:
+			 *  3 - creation of the new file
+			 */
+
+			// The 3rd record will always contain the name of the new file
+			set_prime_object2(au, "name", 3);
+ 			set_file_object(au, 2); // Thing renamed is 2 after
+ 			simple_file_attr(au);
+ 			break;
+-- 
+2.33.0
+