2 files changed, 134 insertions, 1 deletions
diff --git a/meta-oe/recipes-security/audit/audit/0001-flush-uid-gid-caches-when-user-group-added-deleted-m.patch b/meta-oe/recipes-security/audit/audit/0001-flush-uid-gid-caches-when-user-group-added-deleted-m.patch
new file mode 100644
index 0000000000..e55093d1ad
--- /dev/null
+++ b/meta-oe/recipes-security/audit/audit/0001-flush-uid-gid-caches-when-user-group-added-deleted-m.patch
@@ -0,0 +1,132 @@
+From 759318f11352d01b45bbab62c7bf0a53fb781083 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 10 Aug 2021 11:27:16 -0400
+Subject: [PATCH] flush uid/gid caches when user/group added/deleted/modified
+It was reported in issue #209 that in the enriched format that auditd
+is creating the wrong account associations. This is due to caching
+previous lookups. The fix is to monitor for account lifecycle changes
+and flush the LRUs if any are seen.
+Upstream-Status: Backport
+[https://github.com/linux-audit/audit-userspace/commit/8662f61108f8b9365f96ef49ca8ca331a7880f24]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ auparse/auparse-idata.h |  3 ++-
+ auparse/interpret.c     | 12 ++++++++++++
+ src/auditd-event.c      | 27 +++++++++++++++++++++++++--
+ 3 files changed, 39 insertions(+), 3 deletions(-)
+diff --git a/auparse/auparse-idata.h b/auparse/auparse-idata.h
+index 660901a..eaca86a 100644
+--- a/auparse/auparse-idata.h
+++ b/auparse/auparse-idata.h
+@@ -1,6 +1,6 @@
+ /*
+ * idata.h - Header file for ausearch-lookup.c
+-* Copyright (c) 2013,2016-17 Red Hat Inc., Durham, North Carolina.
+* Copyright (c) 2013,2016-17,2021 Red Hat Inc.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+@@ -45,6 +45,7 @@ char *auparse_do_interpretation(int type, const idata *id,
+ void _auparse_load_interpretations(const char *buf);
+ void _auparse_free_interpretations(void);
+ const char *_auparse_lookup_interpretation(const char *name);
+void _auparse_flush_caches(void);
+ 
+ #endif
+ 
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index 046867b..eef377a 100644
+--- a/auparse/interpret.c
+++ b/auparse/interpret.c
+@@ -653,6 +653,18 @@ void aulookup_destroy_gid_list(void)
+        gid_cache_created = 0;
+ }
+ 
+void _auparse_flush_caches(void)
+{
+       if (uid_cache_created) {
+               destroy_lru(uid_cache);
+               uid_cache_created = 0;
+       }
+       if (gid_cache_created) {
+               destroy_lru(gid_cache);
+               gid_cache_created = 0;
+       }
+}
+
+ static const char *print_uid(const char *val, unsigned int base)
+ {
+         int uid;
+diff --git a/src/auditd-event.c b/src/auditd-event.c
+index cb29fee..3655726 100644
+--- a/src/auditd-event.c
+++ b/src/auditd-event.c
+@@ -42,6 +42,7 @@
+ #include "libaudit.h"
+ #include "private.h"
+ #include "auparse.h"
+#include "auparse-idata.h"
+ 
+ /* This is defined in auditd.c */
+ extern volatile int stop;
+@@ -56,7 +57,7 @@ static void do_space_left_action(int admin);
+ static void do_disk_full_action(void);
+ static void do_disk_error_action(const char *func, int err);
+ static void fix_disk_permissions(void);
+-static void check_excess_logs(void); 
+static void check_excess_logs(void);
+ static void rotate_logs_now(void);
+ static void rotate_logs(unsigned int num_logs, unsigned int keep_logs);
+ static void shift_logs(void);
+@@ -394,7 +395,7 @@ static const char *format_enrich(const struct audit_reply *rep)
+                        snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH,
+                    "type=DAEMON_ERR op=format-enriched msg=NULL res=failed");
+        } else {
+-               int rc;
+               int rc, rtype;
+                size_t mlen, len;
+                char *message;
+                // Do raw format to get event started
+@@ -427,6 +428,17 @@ static const char *format_enrich(const struct audit_reply *rep)
+ 
+                // Loop over all fields while possible to add field
+                rc = auparse_first_record(au);
+               rtype = auparse_get_type(au);
+               switch (rtype)
+               {       // Flush before adding to pickup new associations
+                       case AUDIT_ADD_USER:
+                       case AUDIT_ADD_GROUP:
+                               _auparse_flush_caches();
+                               break;
+                       default:
+                               break;
+               }
+
+                while (rc > 0 && len > MIN_SPACE_LEFT) {
+                        // See what kind of field we have
+                        size_t vlen;
+@@ -454,6 +466,17 @@ static const char *format_enrich(const struct audit_reply *rep)
+                        rc = auparse_next_field(au);
+                }
+ 
+               switch(rtype)
+               {       // Flush after modification to remove stale entries
+                       case AUDIT_USER_MGMT:
+                       case AUDIT_DEL_USER:
+                       case AUDIT_DEL_GROUP:
+                       case AUDIT_GRP_MGMT:
+                               _auparse_flush_caches();
+                               break;
+                       default:
+                               break;
+               }
+                free(message);
+        }
+         return format_buf;
+-- 
+2.17.1
diff --git a/meta-oe/recipes-security/audit/audit_3.0.3.bb b/meta-oe/recipes-security/audit/audit_3.0.4.bb
index c30b971625..db550492e5 100644
--- a/meta-oe/recipes-security/audit/audit_3.0.3.bb
+++ b/meta-oe/recipes-security/audit/audit_3.0.4.bb
@@ -9,13 +9,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
 SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=master \
           file://Fixed-swig-host-contamination-issue.patch \
+           file://0001-flush-uid-gid-caches-when-user-group-added-deleted-m.patch \
           file://auditd \
           file://auditd.service \
           file://audit-volatile.conf \
 "
 S = "${WORKDIR}/git"
-SRCREV = "17c100abcfef4cbd94a0a5be9b830c8386c3add6"
+SRCREV = "86a975cd96c3838e56be9d27262f8a36bb822634"
 inherit autotools python3native update-rc.d systemd

diff --git a/meta-oe/recipes-security/audit/audit/0001-flush-uid-gid-caches-when-user-group-added-deleted-m.patch b/meta-oe/recipes-security/audit/audit/0001-flush-uid-gid-caches-when-user-group-added-deleted-m.patch new file mode 100644 index 0000000000..e55093d1ad --- /dev/null +++ b/meta-oe/recipes-security/audit/audit/0001-flush-uid-gid-caches-when-user-group-added-deleted-m.patch
@@ -0,0 +1,132 @@
		1	From 759318f11352d01b45bbab62c7bf0a53fb781083 Mon Sep 17 00:00:00 2001
		2	From: Steve Grubb <sgrubb@redhat.com>
		3	Date: Tue, 10 Aug 2021 11:27:16 -0400
		4	Subject: [PATCH] flush uid/gid caches when user/group added/deleted/modified
		5
		6	It was reported in issue #209 that in the enriched format that auditd
		7	is creating the wrong account associations. This is due to caching
		8	previous lookups. The fix is to monitor for account lifecycle changes
		9	and flush the LRUs if any are seen.
		10
		11	Upstream-Status: Backport
		12	[https://github.com/linux-audit/audit-userspace/commit/8662f61108f8b9365f96ef49ca8ca331a7880f24]
		13
		14	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		15	---
		16	auparse/auparse-idata.h \| 3 ++-
		17	auparse/interpret.c \| 12 ++++++++++++
		18	src/auditd-event.c \| 27 +++++++++++++++++++++++++--
		19	3 files changed, 39 insertions(+), 3 deletions(-)
		20
		21	diff --git a/auparse/auparse-idata.h b/auparse/auparse-idata.h
		22	index 660901a..eaca86a 100644
		23	--- a/auparse/auparse-idata.h
		24	+++ b/auparse/auparse-idata.h
		25	@@ -1,6 +1,6 @@
		26	/*
		27	* idata.h - Header file for ausearch-lookup.c
		28	-* Copyright (c) 2013,2016-17 Red Hat Inc., Durham, North Carolina.
		29	+* Copyright (c) 2013,2016-17,2021 Red Hat Inc.
		30	* All Rights Reserved.
		31	*
		32	* This library is free software; you can redistribute it and/or
		33	@@ -45,6 +45,7 @@ char auparse_do_interpretation(int type, const idata id,
		34	void _auparse_load_interpretations(const char *buf);
		35	void _auparse_free_interpretations(void);
		36	const char _auparse_lookup_interpretation(const char name);
		37	+void _auparse_flush_caches(void);
		38
		39	#endif
		40
		41	diff --git a/auparse/interpret.c b/auparse/interpret.c
		42	index 046867b..eef377a 100644
		43	--- a/auparse/interpret.c
		44	+++ b/auparse/interpret.c
		45	@@ -653,6 +653,18 @@ void aulookup_destroy_gid_list(void)
		46	gid_cache_created = 0;
		47	}
		48
		49	+void _auparse_flush_caches(void)
		50	+{
		51	+ if (uid_cache_created) {
		52	+ destroy_lru(uid_cache);
		53	+ uid_cache_created = 0;
		54	+ }
		55	+ if (gid_cache_created) {
		56	+ destroy_lru(gid_cache);
		57	+ gid_cache_created = 0;
		58	+ }
		59	+}
		60	+
		61	static const char print_uid(const char val, unsigned int base)
		62	{
		63	int uid;
		64	diff --git a/src/auditd-event.c b/src/auditd-event.c
		65	index cb29fee..3655726 100644
		66	--- a/src/auditd-event.c
		67	+++ b/src/auditd-event.c
		68	@@ -42,6 +42,7 @@
		69	#include "libaudit.h"
		70	#include "private.h"
		71	#include "auparse.h"
		72	+#include "auparse-idata.h"
		73
		74	/* This is defined in auditd.c */
		75	extern volatile int stop;
		76	@@ -56,7 +57,7 @@ static void do_space_left_action(int admin);
		77	static void do_disk_full_action(void);
		78	static void do_disk_error_action(const char *func, int err);
		79	static void fix_disk_permissions(void);
		80	-static void check_excess_logs(void);
		81	+static void check_excess_logs(void);
		82	static void rotate_logs_now(void);
		83	static void rotate_logs(unsigned int num_logs, unsigned int keep_logs);
		84	static void shift_logs(void);
		85	@@ -394,7 +395,7 @@ static const char format_enrich(const struct audit_reply rep)
		86	snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH,
		87	"type=DAEMON_ERR op=format-enriched msg=NULL res=failed");
		88	} else {
		89	- int rc;
		90	+ int rc, rtype;
		91	size_t mlen, len;
		92	char *message;
		93	// Do raw format to get event started
		94	@@ -427,6 +428,17 @@ static const char format_enrich(const struct audit_reply rep)
		95
		96	// Loop over all fields while possible to add field
		97	rc = auparse_first_record(au);
		98	+ rtype = auparse_get_type(au);
		99	+ switch (rtype)
		100	+ { // Flush before adding to pickup new associations
		101	+ case AUDIT_ADD_USER:
		102	+ case AUDIT_ADD_GROUP:
		103	+ _auparse_flush_caches();
		104	+ break;
		105	+ default:
		106	+ break;
		107	+ }
		108	+
		109	while (rc > 0 && len > MIN_SPACE_LEFT) {
		110	// See what kind of field we have
		111	size_t vlen;
		112	@@ -454,6 +466,17 @@ static const char format_enrich(const struct audit_reply rep)
		113	rc = auparse_next_field(au);
		114	}
		115
		116	+ switch(rtype)
		117	+ { // Flush after modification to remove stale entries
		118	+ case AUDIT_USER_MGMT:
		119	+ case AUDIT_DEL_USER:
		120	+ case AUDIT_DEL_GROUP:
		121	+ case AUDIT_GRP_MGMT:
		122	+ _auparse_flush_caches();
		123	+ break;
		124	+ default:
		125	+ break;
		126	+ }
		127	free(message);
		128	}
		129	return format_buf;
		130	--
		131	2.17.1
		132


diff --git a/meta-oe/recipes-security/audit/audit_3.0.3.bb b/meta-oe/recipes-security/audit/audit_3.0.4.bb index c30b971625..db550492e5 100644 --- a/meta-oe/recipes-security/audit/audit_3.0.3.bb +++ b/meta-oe/recipes-security/audit/audit_3.0.4.bb
@@ -9,13 +9,14 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
9		9
10	SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=master \	10	SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=master \
11	file://Fixed-swig-host-contamination-issue.patch \	11	file://Fixed-swig-host-contamination-issue.patch \
		12	file://0001-flush-uid-gid-caches-when-user-group-added-deleted-m.patch \
12	file://auditd \	13	file://auditd \
13	file://auditd.service \	14	file://auditd.service \
14	file://audit-volatile.conf \	15	file://audit-volatile.conf \
15	"	16	"
16		17
17	S = "${WORKDIR}/git"	18	S = "${WORKDIR}/git"
18	SRCREV = "17c100abcfef4cbd94a0a5be9b830c8386c3add6"	19	SRCREV = "86a975cd96c3838e56be9d27262f8a36bb822634"
19		20
20	inherit autotools python3native update-rc.d systemd	21	inherit autotools python3native update-rc.d systemd
21		22