diff --git a/audit.spec b/audit.spec index bd00536..438b245 100644 --- a/audit.spec +++ b/audit.spec @@ -4,7 +4,7 @@ Summary: User space tools for kernel auditing Name: audit Epoch: 1 Version: 3.0 -Release: 5 +Release: 6 License: GPLv2+ and LGPLv2+ URL: https://people.redhat.com/sgrubb/audit/ Source0: https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz @@ -35,6 +35,12 @@ Patch21: backport-When-interpreting-if-val-is-NULL-return-an-empty-st Patch22: backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch Patch23: backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch Patch24: backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch +Patch25: backport-In-auditd-release-the-async-flush-lock-on-stop.patch +Patch26: backport-auditd-cleanup-krb5-memory-leaks-on-error-paths.patch +Patch27: backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-paths.patch +Patch28: backport-Final-kerberos-leak-fixups.patch +Patch29: backport-time_t-is-not-an-int-anymore.patch +Patch30: backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch BuildRequires: gcc swig libtool systemd kernel-headers >= 2.6.29 BuildRequires: openldap-devel krb5-devel libcap-ng-devel @@ -389,6 +395,15 @@ fi %attr(644,root,root) %{_mandir}/man8/*.8.gz %changelog +* Tue Feb 14 2023 zhangguangzhi - 1:3.0-6 +- backport some patches + In auditd release the async flush lock on stop + auditd cleanup krb5 memory leaks on error paths + audisp remote cleanup krb5 memory leaks on error paths + Final kerberos leak fixups + time_t is not an int anymore + krb5_cc_store_cred takes custody of my_creds so we do not need to keep it around + * Tue Mar 22 2022 yixiangzhike - 3.0-5 - rebuild for upgrade diff --git a/backport-Final-kerberos-leak-fixups.patch b/backport-Final-kerberos-leak-fixups.patch new file mode 100644 index 0000000..ca3e079 --- /dev/null +++ b/backport-Final-kerberos-leak-fixups.patch @@ -0,0 +1,122 @@ +From 7bda187f92424bf4891eb22f1877808ca5eb059a Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Mon, 11 Jul 2022 17:03:09 -0400 +Subject: Final kerberos leak fixups + +--- + audisp/plugins/remote/audisp-remote.c | 34 ++++++++++++++++++++------- + src/auditd-listen.c | 6 +++-- + 2 files changed, 29 insertions(+), 11 deletions(-) + +diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c +index 3b9d8f0..eda8c4e 100644 +--- a/audisp/plugins/remote/audisp-remote.c ++++ b/audisp/plugins/remote/audisp-remote.c +@@ -757,8 +757,17 @@ static void gss_failure (const char *msg, int major_status, int minor_status) + gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE); + } + +-#define KLOG(x,f) syslog (LOG_ERR, "krb5 error: %s in %s\n", \ +- krb5_get_error_message (kcontext, x), f); ++#define KLOG(x,f) { \ ++ const char *kstr = krb5_get_error_message(kcontext, x); \ ++ syslog (LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \ ++ krb5_free_error_message(kcontext, kstr); } ++static krb5_context kcontext = NULL; ++static char *realm_name = NULL; ++static krb5_principal audit_princ; ++static krb5_ccache ccache = NULL; ++static krb5_creds my_creds; ++static krb5_get_init_creds_opt options; ++static krb5_keytab keytab = NULL; + + /* Each time we connect to the server, we negotiate a set of credentials and + a security context. To do this, we need our own credentials first. For +@@ -781,13 +790,6 @@ static int negotiate_credentials (void) + we use Kerberos calls here. */ + + int krberr; +- krb5_context kcontext = NULL; +- char *realm_name; +- krb5_principal audit_princ; +- krb5_ccache ccache = NULL; +- krb5_creds my_creds; +- krb5_get_init_creds_opt options; +- krb5_keytab keytab = NULL; + const char *krb5_client_name; + char *slashptr; + char host_name[255]; +@@ -1013,14 +1015,18 @@ error6: + krb5_free_creds(kcontext, &my_creds); + error5: + krb5_cc_close(kcontext, ccache); ++ ccache = NULL; + error4: + krb5_kt_close(kcontext, keytab); ++ keytab = NULL; + error3: + krb5_free_principal(kcontext, audit_princ); + error2: + krb5_free_default_realm(kcontext, realm_name); ++ realm_name = NULL; + error1: + krb5_free_context(kcontext); ++ kcontext = NULL; + return -1; + } + #endif // USE_GSSAPI +@@ -1034,6 +1040,16 @@ static int stop_sock(void) + gss_delete_sec_context(&minor_status, &my_context, + GSS_C_NO_BUFFER); + my_context = GSS_C_NO_CONTEXT; ++ krb5_free_creds(kcontext, &my_creds); ++ krb5_cc_close(kcontext, ccache); ++ ccache = NULL; ++ krb5_kt_close(kcontext, keytab); ++ keytab = NULL; ++ krb5_free_principal(kcontext, audit_princ); ++ krb5_free_default_realm(kcontext, realm_name); ++ realm_name = NULL; ++ krb5_free_context(kcontext); ++ kcontext = NULL; + } + #endif + shutdown(sock, SHUT_RDWR); +diff --git a/src/auditd-listen.c b/src/auditd-listen.c +index c8cae38..34a142a 100644 +--- a/src/auditd-listen.c ++++ b/src/auditd-listen.c +@@ -325,11 +325,12 @@ static void gss_failure(const char *msg, int major_status, int minor_status) + const char *kstr = krb5_get_error_message(kcontext, x); \ + audit_msg(LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \ + krb5_free_error_message(kcontext, kstr); \ +- krb5_free_context(k); \ ++ krb5_free_context(k); k = NULL; \ + return -1; } + + /* These are our private credentials, which come from a key file on + our server. They are aquired once, at program start. */ ++static krb5_context kcontext = NULL; + static int server_acquire_creds(const char *service_name, + gss_cred_id_t *lserver_creds) + { +@@ -337,7 +338,6 @@ static int server_acquire_creds(const char *service_name, + gss_name_t server_name; + OM_uint32 major_status, minor_status; + +- krb5_context kcontext = NULL; + int krberr; + + my_service_name = strdup(service_name); +@@ -1139,6 +1139,8 @@ void auditd_tcp_listen_uninit(struct ev_loop *loop, struct daemon_conf *config) + #ifdef USE_GSSAPI + if (USE_GSS) { + gss_release_cred(&status, &server_creds); ++ krb5_free_context(kcontext); ++ kcontext = NULL; + free(my_service_name); + my_service_name = NULL; + } +-- +2.27.0 + diff --git a/backport-In-auditd-release-the-async-flush-lock-on-stop.patch b/backport-In-auditd-release-the-async-flush-lock-on-stop.patch new file mode 100644 index 0000000..2d6eef7 --- /dev/null +++ b/backport-In-auditd-release-the-async-flush-lock-on-stop.patch @@ -0,0 +1,29 @@ +From f7df667ba76391ffd65a4ed45b2150bf9902b99d Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Wed, 30 Mar 2022 10:12:16 -0400 +Subject: In auditd, release the async flush lock on stop + +Conflict:delete changelog +--- + src/auditd-event.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/auditd-event.c b/src/auditd-event.c +index e88ef6e..ed6e929 100644 +--- a/src/auditd-event.c ++++ b/src/auditd-event.c +@@ -208,8 +208,10 @@ static void *flush_thread_main(void *arg) + // into a loop of fsyncs. + while (flush == 0) { + pthread_cond_wait(&do_flush, &flush_lock); +- if (stop) ++ if (stop) { ++ pthread_mutex_unlock(&flush_lock); + return NULL; ++ } + } + flush = 0; + pthread_mutex_unlock(&flush_lock); +-- +2.27.0 + diff --git a/backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-paths.patch b/backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-paths.patch new file mode 100644 index 0000000..76ab3f1 --- /dev/null +++ b/backport-audisp-remote-cleanup-krb5-memory-leaks-on-error-paths.patch @@ -0,0 +1,200 @@ +From 09c62a6f4e4a6963a731d3018209b91dc6447f70 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Mon, 11 Jul 2022 14:21:04 -0400 +Subject: audisp-remote - cleanup krb5 memory leaks on error + paths +Conflict:context adaptation +--- + audisp/plugins/remote/audisp-remote.c | 75 ++++++++++++++++++++------- + 1 file changed, 56 insertions(+), 19 deletions(-) + +diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c +index 3be91b3..3b9d8f0 100644 +--- a/audisp/plugins/remote/audisp-remote.c ++++ b/audisp/plugins/remote/audisp-remote.c +@@ -757,9 +757,8 @@ static void gss_failure (const char *msg, int major_status, int minor_status) + gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE); + } + +-#define KCHECK(x,f) if (x) { \ +- syslog (LOG_ERR, "krb5 error: %s in %s\n", krb5_get_error_message (kcontext, x), f); \ +- return -1; } ++#define KLOG(x,f) syslog (LOG_ERR, "krb5 error: %s in %s\n", \ ++ krb5_get_error_message (kcontext, x), f); + + /* Each time we connect to the server, we negotiate a set of credentials and + a security context. To do this, we need our own credentials first. For +@@ -800,7 +799,10 @@ static int negotiate_credentials (void) + recv_tok.value = NULL; + + krberr = krb5_init_context (&kcontext); +- KCHECK (krberr, "krb5_init_context"); ++ if (krberr) { ++ KLOG (krberr, "krb5_init_context"); ++ return -1; ++ } + + if (config.krb5_key_file) + key_file = config.krb5_key_file; +@@ -815,21 +817,24 @@ static int negotiate_credentials (void) + syslog (LOG_ERR, + "%s is not mode 0400 (it's %#o) - compromised key?", + key_file, st.st_mode & 07777); +- return -1; ++ goto error1; + } + if (st.st_uid != 0) { + if (!quiet) + syslog (LOG_ERR, + "%s is not owned by root (it's %d) - compromised key?", + key_file, st.st_uid); +- return -1; ++ goto error1; + } + } + + /* This looks up the default real (*our* realm) from + /etc/krb5.conf (or wherever) */ + krberr = krb5_get_default_realm (kcontext, &realm_name); +- KCHECK (krberr, "krb5_get_default_realm"); ++ if (krberr) { ++ KLOG (krberr, "krb5_get_default_realm"); ++ goto error1; ++ } + + krb5_client_name = config.krb5_client_name ? + config.krb5_client_name : "auditd"; +@@ -838,7 +843,7 @@ static int negotiate_credentials (void) + syslog (LOG_ERR, + "gethostname: host name longer than %ld characters?", + sizeof (host_name)); +- return -1; ++ goto error2; + } + + syslog (LOG_ERR, "kerberos principal: %s/%s@%s\n", +@@ -847,17 +852,26 @@ static int negotiate_credentials (void) + krberr = krb5_build_principal (kcontext, &audit_princ, + strlen(realm_name), realm_name, + krb5_client_name, host_name, NULL); +- KCHECK (krberr, "krb5_build_principal"); ++ if (krberr) { ++ KLOG (krberr, "krb5_build_principal"); ++ goto error2; ++ } + + /* Locate our machine's key table, where our private key is + * held. */ + krberr = krb5_kt_resolve (kcontext, key_file, &keytab); +- KCHECK (krberr, "krb5_kt_resolve"); ++ if (krberr) { ++ KLOG (krberr, "krb5_kt_resolve"); ++ goto error3; ++ } + + /* Identify a cache to hold the key in. The GSS wrappers look + up our credentials here. */ + krberr = krb5_cc_resolve (kcontext, CCACHE_NAME, &ccache); +- KCHECK (krberr, "krb5_cc_resolve"); ++ if (krberr) { ++ KLOG (krberr, "krb5_cc_resolve"); ++ goto error4; ++ } + + setenv("KRB5CCNAME", CCACHE_NAME, 1); + +@@ -872,15 +886,24 @@ static int negotiate_credentials (void) + krberr = krb5_get_init_creds_keytab(kcontext, &my_creds, audit_princ, + keytab, 0, NULL, + &options); +- KCHECK (krberr, "krb5_get_init_creds_keytab"); ++ if (krberr) { ++ KLOG (krberr, "krb5_get_init_creds_keytab"); ++ goto error5; ++ } + + /* Create the cache... */ + krberr = krb5_cc_initialize(kcontext, ccache, audit_princ); +- KCHECK (krberr, "krb5_cc_initialize"); ++ if (krberr) { ++ KLOG (krberr, "krb5_cc_initialize"); ++ goto error6; ++ } + + /* ...and store our credentials in it. */ + krberr = krb5_cc_store_cred(kcontext, ccache, &my_creds); +- KCHECK (krberr, "krb5_cc_store_cred"); ++ if (krberr) { ++ KLOG (krberr, "krb5_cc_store_cred"); ++ goto error6; ++ } + + /* The GSS code now has a set of credentials for this program. + I.e. we know who "we" are. Now we talk to the server to +@@ -903,13 +926,13 @@ static int negotiate_credentials (void) + (gss_OID) gss_nt_service_name, &service_name_e); + if (major_status != GSS_S_COMPLETE) { + gss_failure("importing name", major_status, minor_status); +- return -1; ++ goto error6; + } + + /* Someone has to go first. In this case, it's us. */ + if (send_token(sock, empty_token) < 0) { + (void) gss_release_name(&minor_status, &service_name_e); +- return -1; ++ goto error6; + } + + /* The server starts this loop with the token we just sent +@@ -936,7 +959,7 @@ static int negotiate_credentials (void) + &send_tok); + (void) gss_release_name(&minor_status, + &service_name_e); +- return -1; ++ goto error6; + } + } + (void) gss_release_buffer(&minor_status, &send_tok); +@@ -949,7 +972,7 @@ static int negotiate_credentials (void) + if (*gss_context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&minor_status, + gss_context, GSS_C_NO_BUFFER); +- return -1; ++ goto error6; + } + + /* Now get any tokens the sever sends back. We use +@@ -958,7 +981,7 @@ static int negotiate_credentials (void) + if (recv_token(sock, &recv_tok) < 0) { + (void) gss_release_name(&minor_status, + &service_name_e); +- return -1; ++ goto error6; + } + token_ptr = &recv_tok; + } +@@ -985,6 +1008,20 @@ static int negotiate_credentials (void) + (char *)recv_tok.value); + #endif + return 0; ++ ++error6: ++ krb5_free_creds(kcontext, &my_creds); ++error5: ++ krb5_cc_close(kcontext, ccache); ++error4: ++ krb5_kt_close(kcontext, keytab); ++error3: ++ krb5_free_principal(kcontext, audit_princ); ++error2: ++ krb5_free_default_realm(kcontext, realm_name); ++error1: ++ krb5_free_context(kcontext); ++ return -1; + } + #endif // USE_GSSAPI + +-- +2.27.0 + diff --git a/backport-auditd-cleanup-krb5-memory-leaks-on-error-paths.patch b/backport-auditd-cleanup-krb5-memory-leaks-on-error-paths.patch new file mode 100644 index 0000000..b7d7c5c --- /dev/null +++ b/backport-auditd-cleanup-krb5-memory-leaks-on-error-paths.patch @@ -0,0 +1,42 @@ +From f0ce136497ea4f3e7f6e7b05283c1299e76251e7 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Mon, 11 Jul 2022 12:07:50 -0400 +Subject: auditd - cleanup krb5 memory leaks on error paths + +Conflict:delete changelog +--- + src/auditd-listen.c | 7 ++++--- + 1 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/auditd-listen.c b/src/auditd-listen.c +index 5c433e7..c8cae38 100644 +--- a/src/auditd-listen.c ++++ b/src/auditd-listen.c +@@ -321,10 +321,11 @@ static void gss_failure(const char *msg, int major_status, int minor_status) + gss_failure_2(msg, minor_status, GSS_C_MECH_CODE); + } + +-#define KCHECK(x,f) if (x) { \ ++#define KCHECK(x,f, k) if (x) { \ + const char *kstr = krb5_get_error_message(kcontext, x); \ + audit_msg(LOG_ERR, "krb5 error: %s in %s\n", kstr, f); \ + krb5_free_error_message(kcontext, kstr); \ ++ krb5_free_context(k); \ + return -1; } + + /* These are our private credentials, which come from a key file on +@@ -363,9 +364,9 @@ static int server_acquire_creds(const char *service_name, + (void) gss_release_name(&minor_status, &server_name); + + krberr = krb5_init_context(&kcontext); +- KCHECK (krberr, "krb5_init_context"); ++ KCHECK (krberr, "krb5_init_context", kcontext); + krberr = krb5_get_default_realm(kcontext, &my_gss_realm); +- KCHECK (krberr, "krb5_get_default_realm"); ++ KCHECK (krberr, "krb5_get_default_realm", kcontext); + + audit_msg(LOG_DEBUG, "GSS creds for %s acquired", service_name); + +-- +2.27.0 + diff --git a/backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch b/backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch new file mode 100644 index 0000000..db1dd46 --- /dev/null +++ b/backport-krb5_cc_store_cred-takes-custody-of-my_creds-so-we-do-not-need-to-keep-it-around.patch @@ -0,0 +1,110 @@ +From a1c3ba0fbbafc8f9a4dcb64fdee55fe2f8eef3be Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Mon, 11 Jul 2022 17:37:13 -0400 +Subject: krb5_cc_store_cred takes custody of my_creds so we do + not need to keep it around + +--- + audisp/plugins/remote/audisp-remote.c | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +diff --git a/audisp/plugins/remote/audisp-remote.c b/audisp/plugins/remote/audisp-remote.c +index eda8c4e..78c3eca 100644 +--- a/audisp/plugins/remote/audisp-remote.c ++++ b/audisp/plugins/remote/audisp-remote.c +@@ -765,7 +765,6 @@ static krb5_context kcontext = NULL; + static char *realm_name = NULL; + static krb5_principal audit_princ; + static krb5_ccache ccache = NULL; +-static krb5_creds my_creds; + static krb5_get_init_creds_opt options; + static krb5_keytab keytab = NULL; + +@@ -790,6 +789,7 @@ static int negotiate_credentials (void) + we use Kerberos calls here. */ + + int krberr; ++ krb5_creds my_creds; + const char *krb5_client_name; + char *slashptr; + char host_name[255]; +@@ -897,14 +897,14 @@ static int negotiate_credentials (void) + krberr = krb5_cc_initialize(kcontext, ccache, audit_princ); + if (krberr) { + KLOG (krberr, "krb5_cc_initialize"); +- goto error6; ++ goto error5; + } + + /* ...and store our credentials in it. */ + krberr = krb5_cc_store_cred(kcontext, ccache, &my_creds); + if (krberr) { + KLOG (krberr, "krb5_cc_store_cred"); +- goto error6; ++ goto error5; + } + + /* The GSS code now has a set of credentials for this program. +@@ -928,13 +928,13 @@ static int negotiate_credentials (void) + (gss_OID) gss_nt_service_name, &service_name_e); + if (major_status != GSS_S_COMPLETE) { + gss_failure("importing name", major_status, minor_status); +- goto error6; ++ goto error5; + } + + /* Someone has to go first. In this case, it's us. */ + if (send_token(sock, empty_token) < 0) { + (void) gss_release_name(&minor_status, &service_name_e); +- goto error6; ++ goto error5; + } + + /* The server starts this loop with the token we just sent +@@ -961,7 +961,7 @@ static int negotiate_credentials (void) + &send_tok); + (void) gss_release_name(&minor_status, + &service_name_e); +- goto error6; ++ goto error5; + } + } + (void) gss_release_buffer(&minor_status, &send_tok); +@@ -974,7 +974,7 @@ static int negotiate_credentials (void) + if (*gss_context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&minor_status, + gss_context, GSS_C_NO_BUFFER); +- goto error6; ++ goto error5; + } + + /* Now get any tokens the sever sends back. We use +@@ -983,7 +983,7 @@ static int negotiate_credentials (void) + if (recv_token(sock, &recv_tok) < 0) { + (void) gss_release_name(&minor_status, + &service_name_e); +- goto error6; ++ goto error5; + } + token_ptr = &recv_tok; + } +@@ -1011,8 +1011,6 @@ static int negotiate_credentials (void) + #endif + return 0; + +-error6: +- krb5_free_creds(kcontext, &my_creds); + error5: + krb5_cc_close(kcontext, ccache); + ccache = NULL; +@@ -1040,7 +1038,6 @@ static int stop_sock(void) + gss_delete_sec_context(&minor_status, &my_context, + GSS_C_NO_BUFFER); + my_context = GSS_C_NO_CONTEXT; +- krb5_free_creds(kcontext, &my_creds); + krb5_cc_close(kcontext, ccache); + ccache = NULL; + krb5_kt_close(kcontext, keytab); +-- +2.27.0 + diff --git a/backport-time_t-is-not-an-int-anymore.patch b/backport-time_t-is-not-an-int-anymore.patch new file mode 100644 index 0000000..00ee8bc --- /dev/null +++ b/backport-time_t-is-not-an-int-anymore.patch @@ -0,0 +1,25 @@ +From 5023b59ac710a25fe30e689aaf0af38a4b7ea3f1 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Mon, 11 Jul 2022 17:03:45 -0400 +Subject: time_t is not an int anymore + +--- + tools/aulast/aulast.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/aulast/aulast.c b/tools/aulast/aulast.c +index 8a25f3b..cf9be60 100644 +--- a/tools/aulast/aulast.c ++++ b/tools/aulast/aulast.c +@@ -408,7 +408,7 @@ static void update_session_logout(auparse_state_t *au) + static void process_bootup(auparse_state_t *au) + { + lnode *cur; +- int start; ++ time_t start; + + // See if we have unclosed boot up and make into CRASH record + list_first(&l); +-- +2.27.0 +