audit/backport-flush-uid-gid-caches-when-user-group-added-deleted-m.patch

From 8662f61108f8b9365f96ef49ca8ca331a7880f24 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 10 Aug 2021 11:27:16 -0400
Subject: [PATCH 2205/2246] flush uid/gid caches when user/group
 added/deleted/modified

It was reported in issue #209 that in the enriched format that auditd
is creating the wrong account associations. This is due to caching
previous lookups. The fix is to monitor for account lifecycle changes
and flush the LRUs if any are seen.
---
 auparse/auparse-idata.h |  3 ++-
 auparse/interpret.c     | 12 ++++++++++++
 src/auditd-event.c      | 27 +++++++++++++++++++++++++--
 3 files changed, 39 insertions(+), 3 deletions(-)

diff --git a/auparse/auparse-idata.h b/auparse/auparse-idata.h
index 660901a..eaca86a 100644
--- a/auparse/auparse-idata.h
+++ b/auparse/auparse-idata.h
@@ -1,6 +1,6 @@
 /*
 * idata.h - Header file for ausearch-lookup.c
-* Copyright (c) 2013,2016-17 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2013,2016-17,2021 Red Hat Inc.
 * All Rights Reserved.
 *
 * This library is free software; you can redistribute it and/or
@@ -45,6 +45,7 @@ char *auparse_do_interpretation(int type, const idata *id,
 void _auparse_load_interpretations(const char *buf);
 void _auparse_free_interpretations(void);
 const char *_auparse_lookup_interpretation(const char *name);
+void _auparse_flush_caches(void);
 
 #endif
 
diff --git a/auparse/interpret.c b/auparse/interpret.c
index 046867b..eef377a 100644
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -653,6 +653,18 @@ void aulookup_destroy_gid_list(void)
 	gid_cache_created = 0;
 }
 
+void _auparse_flush_caches(void)
+{
+	if (uid_cache_created) {
+		destroy_lru(uid_cache);
+		uid_cache_created = 0;
+	}
+	if (gid_cache_created) {
+		destroy_lru(gid_cache);
+		gid_cache_created = 0;
+	}
+}
+
 static const char *print_uid(const char *val, unsigned int base)
 {
         int uid;
diff --git a/src/auditd-event.c b/src/auditd-event.c
index cb29fee..3655726 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -42,6 +42,7 @@
 #include "libaudit.h"
 #include "private.h"
 #include "auparse.h"
+#include "auparse-idata.h"
 
 /* This is defined in auditd.c */
 extern volatile int stop;
@@ -56,7 +57,7 @@ static void do_space_left_action(int admin);
 static void do_disk_full_action(void);
 static void do_disk_error_action(const char *func, int err);
 static void fix_disk_permissions(void);
-static void check_excess_logs(void); 
+static void check_excess_logs(void);
 static void rotate_logs_now(void);
 static void rotate_logs(unsigned int num_logs, unsigned int keep_logs);
 static void shift_logs(void);
@@ -394,7 +395,7 @@ static const char *format_enrich(const struct audit_reply *rep)
 	        	snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH,
 		    "type=DAEMON_ERR op=format-enriched msg=NULL res=failed");
 	} else {
-		int rc;
+		int rc, rtype;
 		size_t mlen, len;
		auparse_state_t *au;
 		char *message;
@@ -427,6 +428,17 @@ static const char *format_enrich(const struct audit_reply *rep)
 
 		// Loop over all fields while possible to add field
 		rc = auparse_first_record(au);
+		rtype = auparse_get_type(au);
+		switch (rtype)
+		{	// Flush before adding to pickup new associations
+			case AUDIT_ADD_USER:
+			case AUDIT_ADD_GROUP:
+				_auparse_flush_caches();
+				break;
+			default:
+				break;
+		}
+
 		while (rc > 0 && len > MIN_SPACE_LEFT) {
 			// See what kind of field we have
 			size_t vlen;
@@ -454,6 +466,17 @@ static const char *format_enrich(const struct audit_reply *rep)
 			rc = auparse_next_field(au);
 		}
 
+		switch(rtype)
+		{	// Flush after modification to remove stale entries
+			case AUDIT_USER_MGMT:
+			case AUDIT_DEL_USER:
+			case AUDIT_DEL_GROUP:
+			case AUDIT_GRP_MGMT:
+				_auparse_flush_caches();
+				break;
+			default:
+				break;
+		}
 		auparse_destroy_ext(au, AUPARSE_DESTROY_COMMON);
 		free(message);
 	}
-- 
1.8.3.1