| 1 |
commit: b0fbaa7cc15c6663e4a854c0caca4ffffe7d1ff9 |
| 2 |
Author: Sam James <sam <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Thu Apr 7 03:03:22 2022 +0000 |
| 4 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Thu Apr 7 03:37:43 2022 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0fbaa7c |
| 7 |
|
| 8 |
sys-process/audit: add 3.0.8 |
| 9 |
|
| 10 |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
| 11 |
|
| 12 |
sys-process/audit/Manifest | 1 + |
| 13 |
sys-process/audit/audit-3.0.8.ebuild | 175 +++++++++++++++++++++ |
| 14 |
.../files/audit-3.0.8-linux-headers-5.17.patch | 41 +++++ |
| 15 |
3 files changed, 217 insertions(+) |
| 16 |
|
| 17 |
diff --git a/sys-process/audit/Manifest b/sys-process/audit/Manifest |
| 18 |
index 84d6a8474b9b..66d3b1f8fc41 100644 |
| 19 |
--- a/sys-process/audit/Manifest |
| 20 |
+++ b/sys-process/audit/Manifest |
| 21 |
@@ -1,3 +1,4 @@ |
| 22 |
DIST audit-3.0.6.tar.gz 1190011 BLAKE2B 93a7efad1cbea6771a73222b05aacbabc4ac61d1efb9fc2532607a94804bcac6512d0be2f4d89aa62d94fb85ba5818ffae4bf0a72676e8d549ddbec766e83e9c SHA512 74734e1b1fddea086db9c5dc8c4b7817917fdf17bc7ca4e5b440aae975484d020a17c3f485f6a37b6b150a307d809e50d559d31a8cbd6f1e554933719551bcd1 |
| 23 |
DIST audit-3.0.7.tar.gz 1180226 BLAKE2B 706db746fb779913619da794bab24a9e890e1655bbd0abb007cbc909b32ab1d643e93953a23ef864d5e189f3447a7ddb4dca1478144cdc226f5a5594545bd28f SHA512 b5662b32082fc2ac54e247aa0db5442d76afa30134ebba1d624a17004e9ccf6856bb75344af4ce9d9a0a66c03e1c6f18b7d45658d7df13ea71af0c8362e08d70 |
| 24 |
+DIST audit-3.0.8.tar.gz 1182432 BLAKE2B 38a35a7540e608127cfc54a2de2cb12df8c29e778799ca53318824c84565a67b7ea131f9bba455fa469ce9139a27908738f571a6e383ce9a3274f70c09d27ec7 SHA512 8379bf425d68381d182300e628e42de8460d2f3e15b2395e10880f94b9989656852a50a9bece75b632ec8a04c40c9e666ff4c9d6b25ace3a8f50d2011506afab |
| 25 |
DIST audit-3.0.tar.gz 1109442 BLAKE2B f9c94f7163522068f5f37163a242cb913acc87b5465f7f8550fad27ac1dc673fd7a98e208bd5e6fb136eac1fdadd659e599e7722426937481bbf8c66d86a1617 SHA512 b82ec73c85a8ebb5108b526673d6fe08cbe0b51376788f3ea6ed5747c4612158462893e719496dffbd723f833f84383a2d1d55fd78a3ed985ecfd19545060c88 |
| 26 |
|
| 27 |
diff --git a/sys-process/audit/audit-3.0.8.ebuild b/sys-process/audit/audit-3.0.8.ebuild |
| 28 |
new file mode 100644 |
| 29 |
index 000000000000..5b0d02d64cbe |
| 30 |
--- /dev/null |
| 31 |
+++ b/sys-process/audit/audit-3.0.8.ebuild |
| 32 |
@@ -0,0 +1,175 @@ |
| 33 |
+# Copyright 1999-2022 Gentoo Authors |
| 34 |
+# Distributed under the terms of the GNU General Public License v2 |
| 35 |
+ |
| 36 |
+EAPI=7 |
| 37 |
+ |
| 38 |
+# As with sys-libs/libcap-ng, same maintainer in Fedora as upstream, so |
| 39 |
+# check Fedora's packaging (https://src.fedoraproject.org/rpms/audit/tree/rawhide) |
| 40 |
+# on bumps (or if hitting a bug) to see what they've done there. |
| 41 |
+ |
| 42 |
+PYTHON_COMPAT=( python3_{8..10} ) |
| 43 |
+ |
| 44 |
+inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript |
| 45 |
+ |
| 46 |
+DESCRIPTION="Userspace utilities for storing and processing auditing records" |
| 47 |
+HOMEPAGE="https://people.redhat.com/sgrubb/audit/" |
| 48 |
+SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz" |
| 49 |
+ |
| 50 |
+LICENSE="GPL-2+ LGPL-2.1+" |
| 51 |
+SLOT="0" |
| 52 |
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" |
| 53 |
+IUSE="gssapi ldap python static-libs test" |
| 54 |
+ |
| 55 |
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )" |
| 56 |
+RESTRICT="!test? ( test )" |
| 57 |
+ |
| 58 |
+RDEPEND="gssapi? ( virtual/krb5 ) |
| 59 |
+ ldap? ( net-nds/openldap:= ) |
| 60 |
+ python? ( ${PYTHON_DEPS} ) |
| 61 |
+ sys-libs/libcap-ng" |
| 62 |
+DEPEND="${RDEPEND} |
| 63 |
+ >=sys-kernel/linux-headers-2.6.34 |
| 64 |
+ test? ( dev-libs/check )" |
| 65 |
+BDEPEND="python? ( dev-lang/swig )" |
| 66 |
+ |
| 67 |
+CONFIG_CHECK="~AUDIT" |
| 68 |
+ |
| 69 |
+PATCHES=( |
| 70 |
+ # See bug #836702 before removing / verify builds fine w/ USE=python |
| 71 |
+ # with latest kernel headers. |
| 72 |
+ "${FILESDIR}"/${PN}-3.0.8-linux-headers-5.17.patch |
| 73 |
+) |
| 74 |
+ |
| 75 |
+src_prepare() { |
| 76 |
+ # audisp-remote moved in multilib_src_install_all |
| 77 |
+ sed -i \ |
| 78 |
+ -e "s,/sbin/audisp-remote,${EPREFIX}/usr/sbin/audisp-remote," \ |
| 79 |
+ audisp/plugins/remote/au-remote.conf || die |
| 80 |
+ |
| 81 |
+ # Disable installing sample rules so they can be installed as docs. |
| 82 |
+ echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null || die |
| 83 |
+ |
| 84 |
+ default |
| 85 |
+ eautoreconf |
| 86 |
+} |
| 87 |
+ |
| 88 |
+multilib_src_configure() { |
| 89 |
+ local -a myeconfargs=( |
| 90 |
+ --sbindir="${EPREFIX}/sbin" |
| 91 |
+ $(use_enable gssapi gssapi-krb5) |
| 92 |
+ $(use_enable ldap zos-remote) |
| 93 |
+ $(use_enable static-libs static) |
| 94 |
+ --enable-systemd |
| 95 |
+ --without-golang |
| 96 |
+ --without-python |
| 97 |
+ --without-python3 |
| 98 |
+ ) |
| 99 |
+ |
| 100 |
+ ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" |
| 101 |
+ |
| 102 |
+ if multilib_is_native_abi && use python; then |
| 103 |
+ python_configure() { |
| 104 |
+ mkdir -p "${BUILD_DIR}" || die |
| 105 |
+ pushd "${BUILD_DIR}" &>/dev/null || die |
| 106 |
+ |
| 107 |
+ ECONF_SOURCE=${S} econf "${myeconfargs[@]}" --with-python3 |
| 108 |
+ |
| 109 |
+ popd &>/dev/null || die |
| 110 |
+ } |
| 111 |
+ |
| 112 |
+ python_foreach_impl python_configure |
| 113 |
+ fi |
| 114 |
+} |
| 115 |
+ |
| 116 |
+src_configure() { |
| 117 |
+ tc-export_build_env BUILD_{CC,CPP} |
| 118 |
+ |
| 119 |
+ local -x CC_FOR_BUILD="${BUILD_CC}" |
| 120 |
+ local -x CPP_FOR_BUILD="${BUILD_CPP}" |
| 121 |
+ |
| 122 |
+ multilib-minimal_src_configure |
| 123 |
+} |
| 124 |
+ |
| 125 |
+multilib_src_compile() { |
| 126 |
+ if multilib_is_native_abi; then |
| 127 |
+ default |
| 128 |
+ |
| 129 |
+ local native_build="${BUILD_DIR}" |
| 130 |
+ |
| 131 |
+ python_compile() { |
| 132 |
+ emake -C "${BUILD_DIR}"/bindings/swig top_builddir="${native_build}" |
| 133 |
+ emake -C "${BUILD_DIR}"/bindings/python/python3 top_builddir="${native_build}" |
| 134 |
+ } |
| 135 |
+ |
| 136 |
+ use python && python_foreach_impl python_compile |
| 137 |
+ else |
| 138 |
+ emake -C common |
| 139 |
+ emake -C lib |
| 140 |
+ emake -C auparse |
| 141 |
+ fi |
| 142 |
+} |
| 143 |
+ |
| 144 |
+multilib_src_install() { |
| 145 |
+ if multilib_is_native_abi; then |
| 146 |
+ emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install |
| 147 |
+ |
| 148 |
+ local native_build="${BUILD_DIR}" |
| 149 |
+ |
| 150 |
+ python_install() { |
| 151 |
+ emake -C "${BUILD_DIR}"/bindings/swig DESTDIR="${D}" top_builddir="${native_build}" install |
| 152 |
+ emake -C "${BUILD_DIR}"/bindings/python/python3 DESTDIR="${D}" top_builddir="${native_build}" install |
| 153 |
+ python_optimize |
| 154 |
+ } |
| 155 |
+ |
| 156 |
+ use python && python_foreach_impl python_install |
| 157 |
+ |
| 158 |
+ # Things like shadow use this so we need to be in / |
| 159 |
+ gen_usr_ldscript -a audit auparse |
| 160 |
+ else |
| 161 |
+ emake -C lib DESTDIR="${D}" install |
| 162 |
+ emake -C auparse DESTDIR="${D}" install |
| 163 |
+ fi |
| 164 |
+} |
| 165 |
+ |
| 166 |
+multilib_src_install_all() { |
| 167 |
+ dodoc AUTHORS ChangeLog README* THANKS |
| 168 |
+ docinto contrib |
| 169 |
+ dodoc contrib/avc_snap |
| 170 |
+ docinto contrib/plugin |
| 171 |
+ dodoc contrib/plugin/* |
| 172 |
+ docinto rules |
| 173 |
+ dodoc rules/*rules |
| 174 |
+ |
| 175 |
+ newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd |
| 176 |
+ newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd |
| 177 |
+ |
| 178 |
+ [ -f "${ED}"/sbin/audisp-remote ] && \ |
| 179 |
+ dodir /usr/sbin && \ |
| 180 |
+ mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die |
| 181 |
+ |
| 182 |
+ # Gentoo rules |
| 183 |
+ insinto /etc/audit |
| 184 |
+ newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules |
| 185 |
+ doins "${FILESDIR}"/audit.rules.stop* |
| 186 |
+ |
| 187 |
+ # audit logs go here |
| 188 |
+ keepdir /var/log/audit |
| 189 |
+ |
| 190 |
+ find "${ED}" -type f -name '*.la' -delete || die |
| 191 |
+ |
| 192 |
+ # Security |
| 193 |
+ lockdown_perms "${ED}" |
| 194 |
+} |
| 195 |
+ |
| 196 |
+pkg_postinst() { |
| 197 |
+ lockdown_perms "${EROOT}" |
| 198 |
+} |
| 199 |
+ |
| 200 |
+lockdown_perms() { |
| 201 |
+ # Upstream wants these to have restrictive perms. |
| 202 |
+ # Should not || die as not all paths may exist. |
| 203 |
+ local basedir="${1}" |
| 204 |
+ chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null |
| 205 |
+ chmod 0750 "${basedir}"/var/log/audit 2>/dev/null |
| 206 |
+ chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null |
| 207 |
+} |
| 208 |
|
| 209 |
diff --git a/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch b/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch |
| 210 |
new file mode 100644 |
| 211 |
index 000000000000..8d41d8363822 |
| 212 |
--- /dev/null |
| 213 |
+++ b/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch |
| 214 |
@@ -0,0 +1,41 @@ |
| 215 |
+Upstream rejected a workaround/fix at https://github.com/linux-audit/audit-userspace/pull/253 |
| 216 |
+/ https://github.com/linux-audit/audit-userspace/issues/252#issuecomment-1078595249. |
| 217 |
+ |
| 218 |
+Instead, in Fedora (same maintainer as upstream), they're patching the headers then unpatching before install. |
| 219 |
+ |
| 220 |
+Apparently the swig bindings are on their way out but I'm not convinced that's going to be a quick migration given the API will.. surely change? |
| 221 |
+ |
| 222 |
+It's not ideal but let's take the patch slyfox ended up using in nixpkgs anyway. |
| 223 |
+ |
| 224 |
+https://bugs.gentoo.org/836702 |
| 225 |
+ |
| 226 |
+From beed138222421a2eb4212d83cb889404bd7efc49 Mon Sep 17 00:00:00 2001 |
| 227 |
+From: Sergei Trofimovich <slyich@×××××.com> |
| 228 |
+Date: Wed, 23 Mar 2022 07:27:05 +0000 |
| 229 |
+Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf |
| 230 |
+ |
| 231 |
+As it's a flexible array generated code was never safe to use. |
| 232 |
+With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574 |
| 233 |
+change it's a build failure now: |
| 234 |
+ |
| 235 |
+ audit> audit_wrap.c:5010:15: error: invalid use of flexible array member |
| 236 |
+ audit> 5010 | arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size)); |
| 237 |
+ audit> | ^ |
| 238 |
+ |
| 239 |
+Let's avoid setter generation entirely. |
| 240 |
+ |
| 241 |
+Closes: https://github.com/linux-audit/audit-userspace/issues/252 |
| 242 |
+--- a/bindings/swig/src/auditswig.i |
| 243 |
++++ b/bindings/swig/src/auditswig.i |
| 244 |
+@@ -39,6 +39,10 @@ signed |
| 245 |
+ #define __attribute(X) /*nothing*/ |
| 246 |
+ typedef unsigned __u32; |
| 247 |
+ typedef unsigned uid_t; |
| 248 |
++/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not: |
| 249 |
++ * generating setters against them: https://github.com/swig/swig/issues/1699 |
| 250 |
++ */ |
| 251 |
++%ignore audit_rule_data::buf; |
| 252 |
+ %include "/usr/include/linux/audit.h" |
| 253 |
+ #define __extension__ /*nothing*/ |
| 254 |
+ %include <stdint.i> |
| 255 |
+ |
Archives