packages/audit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!63 backport some patches

Browse Source 
From: @zgzxx 
Reviewed-by: @huangzq6 
Signed-off-by: @huangzq6
This commit is contained in:
openeuler-ci-bot 2023-02-17 08:51:27 +00:00 committed by Gitee
commit b186f672ce
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
7 changed files with 544 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
audit.spec
View File

@ -4,7 +4,7 @@ Summary: User space tools for kernel auditing
Name: audit
Epoch: 1
Version: 3.0
Release: 5
Release: 6
License: GPLv2+ and LGPLv2+
URL: https://people.redhat.com/sgrubb/audit/
Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@ -35,6 +35,12 @@ Patch21: backport-When-interpreting-if-val-is-NULL-return-an-empty-st
Patch22: backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch
Patch23: backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch
Patch24: backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch
Patch25: backport-In-auditd-release-the-async-flush-lock-on-stop.patch
Patch26: backport-auditd-cleanup-krb5-memory-leaks-on-error-paths.patch
Patch27: backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-paths.patch
Patch28: backport-Final-kerberos-leak-fixups.patch
Patch29: backport-time_t-is-not-an-int-anymore.patch
Patch30: backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch
BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29
BuildRequires: openldap-devel krb5-devel libcap-ng-devel
@ -389,6 +395,15 @@ fi
%attr(644,root,root) %{_mandir}/man8/*.8.gz
%changelog
* Tue Feb 14 2023 zhangguangzhi <zhangguangzhi3@huawei.com> - 1:3.0-6
- backport some patches
In auditd release the async flush lock on stop
auditd cleanup krb5 memory leaks on error paths
audisp remote cleanup krb5 memory leaks on error paths
Final kerberos leak fixups
time_t is not an int anymore
krb5_cc_store_cred takes custody of my_creds so we do not need to keep it around
* Tue Mar 22 2022 yixiangzhike <yixiangzhike007@163.com> - 3.0-5
- rebuild for upgrade

122
backport-Final-kerberos-leak-fixups.patch Normal file
View File

@ -0,0 +1,122 @@
From 7bda187f92424bf4891eb22f1877808ca5eb059a Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Mon, 11 Jul 2022 17:03:09 -0400
Subject: Final kerberos leak fixups
---
audisp/plugins/remote/audisp-remote.c | 34 ++++++++++++++++++++-------
src/auditd-listen.c | 6 +++--
2 files changed, 29 insertions(+), 11 deletions(-)
diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
index 3b9d8f0..eda8c4e 100644
--- a/audisp/plugins/remote/audisp-remote.c
+++ b/audisp/plugins/remote/audisp-remote.c
@@ -757,8 +757,17 @@ static void gss_failure (const char *msg, int major_status, int minor_status)
gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE);
}
-#define KLOG(x,f) syslog (LOG_ERR, "krb5 error: %s in %s\n", \
- krb5_get_error_message (kcontext, x), f);
+#define KLOG(x,f) { \
+ const char *kstr = krb5_get_error_message(kcontext, x); \
+ syslog (LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \
+ krb5_free_error_message(kcontext, kstr); }
+static krb5_context kcontext = NULL;
+static char *realm_name = NULL;
+static krb5_principal audit_princ;
+static krb5_ccache ccache = NULL;
+static krb5_creds my_creds;
+static krb5_get_init_creds_opt options;
+static krb5_keytab keytab = NULL;
/* Each time we connect to the server, we negotiate a set of credentials and
a security context. To do this, we need our own credentials first. For
@@ -781,13 +790,6 @@ static int negotiate_credentials (void)
we use Kerberos calls here. */
int krberr;
- krb5_context kcontext = NULL;
- char *realm_name;
- krb5_principal audit_princ;
- krb5_ccache ccache = NULL;
- krb5_creds my_creds;
- krb5_get_init_creds_opt options;
- krb5_keytab keytab = NULL;
const char *krb5_client_name;
char *slashptr;
char host_name[255];
@@ -1013,14 +1015,18 @@ error6:
krb5_free_creds(kcontext, &my_creds);
error5:
krb5_cc_close(kcontext, ccache);
+ ccache = NULL;
error4:
krb5_kt_close(kcontext, keytab);
+ keytab = NULL;
error3:
krb5_free_principal(kcontext, audit_princ);
error2:
krb5_free_default_realm(kcontext, realm_name);
+ realm_name = NULL;
error1:
krb5_free_context(kcontext);
+ kcontext = NULL;
return -1;
}
#endif // USE_GSSAPI
@@ -1034,6 +1040,16 @@ static int stop_sock(void)
gss_delete_sec_context(&minor_status, &my_context,
GSS_C_NO_BUFFER);
my_context = GSS_C_NO_CONTEXT;
+ krb5_free_creds(kcontext, &my_creds);
+ krb5_cc_close(kcontext, ccache);
+ ccache = NULL;
+ krb5_kt_close(kcontext, keytab);
+ keytab = NULL;
+ krb5_free_principal(kcontext, audit_princ);
+ krb5_free_default_realm(kcontext, realm_name);
+ realm_name = NULL;
+ krb5_free_context(kcontext);
+ kcontext = NULL;
}
#endif
shutdown(sock, SHUT_RDWR);
diff --git a/src/auditd-listen.c b/src/auditd-listen.c
index c8cae38..34a142a 100644
--- a/src/auditd-listen.c
+++ b/src/auditd-listen.c
@@ -325,11 +325,12 @@ static void gss_failure(const char *msg, int major_status, int minor_status)
const char *kstr = krb5_get_error_message(kcontext, x); \
audit_msg(LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \
krb5_free_error_message(kcontext, kstr); \
- krb5_free_context(k); \
+ krb5_free_context(k); k = NULL; \
return -1; }
/* These are our private credentials, which come from a key file on
our server. They are aquired once, at program start. */
+static krb5_context kcontext = NULL;
static int server_acquire_creds(const char *service_name,
gss_cred_id_t *lserver_creds)
{
@@ -337,7 +338,6 @@ static int server_acquire_creds(const char *service_name,
gss_name_t server_name;
OM_uint32 major_status, minor_status;
- krb5_context kcontext = NULL;
int krberr;
my_service_name = strdup(service_name);
@@ -1139,6 +1139,8 @@ void auditd_tcp_listen_uninit(struct ev_loop *loop, struct daemon_conf *config)
#ifdef USE_GSSAPI
if (USE_GSS) {
gss_release_cred(&status, &server_creds);
+ krb5_free_context(kcontext);
+ kcontext = NULL;
free(my_service_name);
my_service_name = NULL;
}
--
2.27.0

29
backport-In-auditd-release-the-async-flush-lock-on-stop.patch Normal file
View File

@ -0,0 +1,29 @@
From f7df667ba76391ffd65a4ed45b2150bf9902b99d Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Wed, 30 Mar 2022 10:12:16 -0400
Subject: In auditd, release the async flush lock on stop
Conflict:delete changelog
---
src/auditd-event.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/auditd-event.c b/src/auditd-event.c
index e88ef6e..ed6e929 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -208,8 +208,10 @@ static void *flush_thread_main(void *arg)
// into a loop of fsyncs.
while (flush == 0) {
pthread_cond_wait(&do_flush, &flush_lock);
- if (stop)
+ if (stop) {
+ pthread_mutex_unlock(&flush_lock);
return NULL;
+ }
}
flush = 0;
pthread_mutex_unlock(&flush_lock);
--
2.27.0

200
backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-paths.patch Normal file
View File

@ -0,0 +1,200 @@
From 09c62a6f4e4a6963a731d3018209b91dc6447f70 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Mon, 11 Jul 2022 14:21:04 -0400
Subject: audisp-remote - cleanup krb5 memory leaks on error
paths
Conflict:context adaptation
---
audisp/plugins/remote/audisp-remote.c | 75 ++++++++++++++++++++-------
1 file changed, 56 insertions(+), 19 deletions(-)
diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
index 3be91b3..3b9d8f0 100644
--- a/audisp/plugins/remote/audisp-remote.c
+++ b/audisp/plugins/remote/audisp-remote.c
@@ -757,9 +757,8 @@ static void gss_failure (const char *msg, int major_status, int minor_status)
gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE);
}
-#define KCHECK(x,f) if (x) { \
- syslog (LOG_ERR, "krb5 error: %s in %s\n", krb5_get_error_message (kcontext, x), f); \
- return -1; }
+#define KLOG(x,f) syslog (LOG_ERR, "krb5 error: %s in %s\n", \
+ krb5_get_error_message (kcontext, x), f);
/* Each time we connect to the server, we negotiate a set of credentials and
a security context. To do this, we need our own credentials first. For
@@ -800,7 +799,10 @@ static int negotiate_credentials (void)
recv_tok.value = NULL;
krberr = krb5_init_context (&kcontext);
- KCHECK (krberr, "krb5_init_context");
+ if (krberr) {
+ KLOG (krberr, "krb5_init_context");
+ return -1;
+ }
if (config.krb5_key_file)
key_file = config.krb5_key_file;
@@ -815,21 +817,24 @@ static int negotiate_credentials (void)
syslog (LOG_ERR,
"%s is not mode 0400 (it's %#o) - compromised key?",
key_file, st.st_mode & 07777);
- return -1;
+ goto error1;
}
if (st.st_uid != 0) {
if (!quiet)
syslog (LOG_ERR,
"%s is not owned by root (it's %d) - compromised key?",
key_file, st.st_uid);
- return -1;
+ goto error1;
}
}
/* This looks up the default real (*our* realm) from
/etc/krb5.conf (or wherever) */
krberr = krb5_get_default_realm (kcontext, &realm_name);
- KCHECK (krberr, "krb5_get_default_realm");
+ if (krberr) {
+ KLOG (krberr, "krb5_get_default_realm");
+ goto error1;
+ }
krb5_client_name = config.krb5_client_name ?
config.krb5_client_name : "auditd";
@@ -838,7 +843,7 @@ static int negotiate_credentials (void)
syslog (LOG_ERR,
"gethostname: host name longer than %ld characters?",
sizeof (host_name));
- return -1;
+ goto error2;
}
syslog (LOG_ERR, "kerberos principal: %s/%s@%s\n",
@@ -847,17 +852,26 @@ static int negotiate_credentials (void)
krberr = krb5_build_principal (kcontext, &audit_princ,
strlen(realm_name), realm_name,
krb5_client_name, host_name, NULL);
- KCHECK (krberr, "krb5_build_principal");
+ if (krberr) {
+ KLOG (krberr, "krb5_build_principal");
+ goto error2;
+ }
/* Locate our machine's key table, where our private key is
* held. */
krberr = krb5_kt_resolve (kcontext, key_file, &keytab);
- KCHECK (krberr, "krb5_kt_resolve");
+ if (krberr) {
+ KLOG (krberr, "krb5_kt_resolve");
+ goto error3;
+ }
/* Identify a cache to hold the key in. The GSS wrappers look
up our credentials here. */
krberr = krb5_cc_resolve (kcontext, CCACHE_NAME, &ccache);
- KCHECK (krberr, "krb5_cc_resolve");
+ if (krberr) {
+ KLOG (krberr, "krb5_cc_resolve");
+ goto error4;
+ }
setenv("KRB5CCNAME", CCACHE_NAME, 1);
@@ -872,15 +886,24 @@ static int negotiate_credentials (void)
krberr = krb5_get_init_creds_keytab(kcontext, &my_creds, audit_princ,
keytab, 0, NULL,
&options);
- KCHECK (krberr, "krb5_get_init_creds_keytab");
+ if (krberr) {
+ KLOG (krberr, "krb5_get_init_creds_keytab");
+ goto error5;
+ }
/* Create the cache... */
krberr = krb5_cc_initialize(kcontext, ccache, audit_princ);
- KCHECK (krberr, "krb5_cc_initialize");
+ if (krberr) {
+ KLOG (krberr, "krb5_cc_initialize");
+ goto error6;
+ }
/* ...and store our credentials in it. */
krberr = krb5_cc_store_cred(kcontext, ccache, &my_creds);
- KCHECK (krberr, "krb5_cc_store_cred");
+ if (krberr) {
+ KLOG (krberr, "krb5_cc_store_cred");
+ goto error6;
+ }
/* The GSS code now has a set of credentials for this program.
I.e. we know who "we" are. Now we talk to the server to
@@ -903,13 +926,13 @@ static int negotiate_credentials (void)
(gss_OID) gss_nt_service_name, &service_name_e);
if (major_status != GSS_S_COMPLETE) {
gss_failure("importing name", major_status, minor_status);
- return -1;
+ goto error6;
}
/* Someone has to go first. In this case, it's us. */
if (send_token(sock, empty_token) < 0) {
(void) gss_release_name(&minor_status, &service_name_e);
- return -1;
+ goto error6;
}
/* The server starts this loop with the token we just sent
@@ -936,7 +959,7 @@ static int negotiate_credentials (void)
&send_tok);
(void) gss_release_name(&minor_status,
&service_name_e);
- return -1;
+ goto error6;
}
}
(void) gss_release_buffer(&minor_status, &send_tok);
@@ -949,7 +972,7 @@ static int negotiate_credentials (void)
if (*gss_context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&minor_status,
gss_context, GSS_C_NO_BUFFER);
- return -1;
+ goto error6;
}
/* Now get any tokens the sever sends back. We use
@@ -958,7 +981,7 @@ static int negotiate_credentials (void)
if (recv_token(sock, &recv_tok) < 0) {
(void) gss_release_name(&minor_status,
&service_name_e);
- return -1;
+ goto error6;
}
token_ptr = &recv_tok;
}
@@ -985,6 +1008,20 @@ static int negotiate_credentials (void)
(char *)recv_tok.value);
#endif
return 0;
+
+error6:
+ krb5_free_creds(kcontext, &my_creds);
+error5:
+ krb5_cc_close(kcontext, ccache);
+error4:
+ krb5_kt_close(kcontext, keytab);
+error3:
+ krb5_free_principal(kcontext, audit_princ);
+error2:
+ krb5_free_default_realm(kcontext, realm_name);
+error1:
+ krb5_free_context(kcontext);
+ return -1;
}
#endif // USE_GSSAPI
--
2.27.0

42
backport-auditd-cleanup-krb5-memory-leaks-on-error-paths.patch Normal file
View File

@ -0,0 +1,42 @@
From f0ce136497ea4f3e7f6e7b05283c1299e76251e7 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Mon, 11 Jul 2022 12:07:50 -0400
Subject: auditd - cleanup krb5 memory leaks on error paths
Conflict:delete changelog
---
src/auditd-listen.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/auditd-listen.c b/src/auditd-listen.c
index 5c433e7..c8cae38 100644
--- a/src/auditd-listen.c
+++ b/src/auditd-listen.c
@@ -321,10 +321,11 @@ static void gss_failure(const char *msg, int major_status, int minor_status)
gss_failure_2(msg, minor_status, GSS_C_MECH_CODE);
}
-#define KCHECK(x,f) if (x) { \
+#define KCHECK(x,f, k) if (x) { \
const char *kstr = krb5_get_error_message(kcontext, x); \
audit_msg(LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \
krb5_free_error_message(kcontext, kstr); \
+ krb5_free_context(k); \
return -1; }
/* These are our private credentials, which come from a key file on
@@ -363,9 +364,9 @@ static int server_acquire_creds(const char *service_name,
(void) gss_release_name(&minor_status, &server_name);
krberr = krb5_init_context(&kcontext);
- KCHECK (krberr, "krb5_init_context");
+ KCHECK (krberr, "krb5_init_context", kcontext);
krberr = krb5_get_default_realm(kcontext, &my_gss_realm);
- KCHECK (krberr, "krb5_get_default_realm");
+ KCHECK (krberr, "krb5_get_default_realm", kcontext);
audit_msg(LOG_DEBUG, "GSS creds for %s acquired", service_name);
--
2.27.0

110
backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch Normal file
View File

@ -0,0 +1,110 @@
From a1c3ba0fbbafc8f9a4dcb64fdee55fe2f8eef3be Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Mon, 11 Jul 2022 17:37:13 -0400
Subject: krb5_cc_store_cred takes custody of my_creds so we do
not need to keep it around
---
audisp/plugins/remote/audisp-remote.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c
index eda8c4e..78c3eca 100644
--- a/audisp/plugins/remote/audisp-remote.c
+++ b/audisp/plugins/remote/audisp-remote.c
@@ -765,7 +765,6 @@ static krb5_context kcontext = NULL;
static char *realm_name = NULL;
static krb5_principal audit_princ;
static krb5_ccache ccache = NULL;
-static krb5_creds my_creds;
static krb5_get_init_creds_opt options;
static krb5_keytab keytab = NULL;
@@ -790,6 +789,7 @@ static int negotiate_credentials (void)
we use Kerberos calls here. */
int krberr;
+ krb5_creds my_creds;
const char *krb5_client_name;
char *slashptr;
char host_name[255];
@@ -897,14 +897,14 @@ static int negotiate_credentials (void)
krberr = krb5_cc_initialize(kcontext, ccache, audit_princ);
if (krberr) {
KLOG (krberr, "krb5_cc_initialize");
- goto error6;
+ goto error5;
}
/* ...and store our credentials in it. */
krberr = krb5_cc_store_cred(kcontext, ccache, &my_creds);
if (krberr) {
KLOG (krberr, "krb5_cc_store_cred");
- goto error6;
+ goto error5;
}
/* The GSS code now has a set of credentials for this program.
@@ -928,13 +928,13 @@ static int negotiate_credentials (void)
(gss_OID) gss_nt_service_name, &service_name_e);
if (major_status != GSS_S_COMPLETE) {
gss_failure("importing name", major_status, minor_status);
- goto error6;
+ goto error5;
}
/* Someone has to go first. In this case, it's us. */
if (send_token(sock, empty_token) < 0) {
(void) gss_release_name(&minor_status, &service_name_e);
- goto error6;
+ goto error5;
}
/* The server starts this loop with the token we just sent
@@ -961,7 +961,7 @@ static int negotiate_credentials (void)
&send_tok);
(void) gss_release_name(&minor_status,
&service_name_e);
- goto error6;
+ goto error5;
}
}
(void) gss_release_buffer(&minor_status, &send_tok);
@@ -974,7 +974,7 @@ static int negotiate_credentials (void)
if (*gss_context != GSS_C_NO_CONTEXT)
gss_delete_sec_context(&minor_status,
gss_context, GSS_C_NO_BUFFER);
- goto error6;
+ goto error5;
}
/* Now get any tokens the sever sends back. We use
@@ -983,7 +983,7 @@ static int negotiate_credentials (void)
if (recv_token(sock, &recv_tok) < 0) {
(void) gss_release_name(&minor_status,
&service_name_e);
- goto error6;
+ goto error5;
}
token_ptr = &recv_tok;
}
@@ -1011,8 +1011,6 @@ static int negotiate_credentials (void)
#endif
return 0;
-error6:
- krb5_free_creds(kcontext, &my_creds);
error5:
krb5_cc_close(kcontext, ccache);
ccache = NULL;
@@ -1040,7 +1038,6 @@ static int stop_sock(void)
gss_delete_sec_context(&minor_status, &my_context,
GSS_C_NO_BUFFER);
my_context = GSS_C_NO_CONTEXT;
- krb5_free_creds(kcontext, &my_creds);
krb5_cc_close(kcontext, ccache);
ccache = NULL;
krb5_kt_close(kcontext, keytab);
--
2.27.0

25
backport-time_t-is-not-an-int-anymore.patch Normal file
View File

@ -0,0 +1,25 @@
From 5023b59ac710a25fe30e689aaf0af38a4b7ea3f1 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Mon, 11 Jul 2022 17:03:45 -0400
Subject: time_t is not an int anymore
---
tools/aulast/aulast.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/aulast/aulast.c b/tools/aulast/aulast.c
index 8a25f3b..cf9be60 100644
--- a/tools/aulast/aulast.c
+++ b/tools/aulast/aulast.c
@@ -408,7 +408,7 @@ static void update_session_logout(auparse_state_t *au)
static void process_bootup(auparse_state_t *au)
{
lnode *cur;
- int start;
+ time_t start;
// See if we have unclosed boot up and make into CRASH record
list_first(&l);
--
2.27.0