Hello community,

here is the log from the commit of package audit for openSUSE:Factory checked in at 2023-07-16 17:28:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/audit (Old)
 and /work/SRC/openSUSE:Factory/.audit.new.3193 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "audit" Sun Jul 16 17:28:32 2023 rev:104 rq:1098554 version:3.1.1 Changes: -------- --- /work/SRC/openSUSE:Factory/audit/audit-secondary.changes 2023-02-19 18:18:38.521359057 +0100 +++ /work/SRC/openSUSE:Factory/.audit.new.3193/audit-secondary.changes 2023-07-16 17:28:33.775901872 +0200 @@ -1,0 +2,31 @@ +Mon Jul 3 08:34:22 UTC 2023 - Paolo Stivanin <[email protected]> + +- Update to 3.1.1: + * Add user friendly keywords for signals to auditctl + * In ausearch, parse up URINGOP and DM_CTRL records + * Harden auparse to better handle corrupt logs + * Fix a CFLAGS propogation problem in the common directory + * Move the audispd af_unix plugin to a standalone program + +------------------------------------------------------------------- +Thu May 4 12:58:06 UTC 2023 - Frederic Crozat <[email protected]> + +- Add _multibuild to define additional spec files as additional + flavors. + Eliminates the need for source package links in OBS. + +------------------------------------------------------------------- +Mon Feb 20 14:13:06 UTC 2023 - Paolo Stivanin <[email protected]> + +- Update to 3.1: + * Disable ProtectControlGroups in auditd.service by default + * Fix rule checking for exclude filter + * Make audit_rule_syscallbyname_data work correctly outside of auditctl + * Add new record types + * Add io_uring support + * Add support for new FANOTIFY record fields + * Add keyword, this-hour, to ausearch/report start/end options + * Add Requires.private to audit.pc file + * Try to interpret OPENAT2 fields correctly + +------------------------------------------------------------------- --- /work/SRC/openSUSE:Factory/audit/audit.changes 2023-02-19 18:18:38.617359667 +0100 +++ /work/SRC/openSUSE:Factory/.audit.new.3193/audit.changes 2023-07-16 17:28:33.835902231 +0200 
@@ -1,0 +2,36 @@ +Mon Jul 3 08:33:52 UTC 2023 - Paolo Stivanin <[email protected]> + +- Update to 3.1.1: + * Add user friendly keywords for signals to auditctl + * In ausearch, parse up URINGOP and DM_CTRL records + * Harden auparse to better handle corrupt logs + * Fix a CFLAGS propogation problem in the common directory + * Move the audispd af_unix plugin to a standalone program + +------------------------------------------------------------------- +Thu May 4 12:58:06 UTC 2023 - Frederic Crozat <[email protected]> + +- Add _multibuild to define additional spec files as additional + flavors. + Eliminates the need for source package links in OBS. + +------------------------------------------------------------------- +Mon Mar 20 14:53:26 UTC 2023 - Giuliano Belinassi <[email protected]> + +- Enable livepatching on main library on x86_64. + +------------------------------------------------------------------- +Mon Feb 20 14:12:55 UTC 2023 - Paolo Stivanin <[email protected]> + +- Update to 3.1: + * Disable ProtectControlGroups in auditd.service by default + * Fix rule checking for exclude filter + * Make audit_rule_syscallbyname_data work correctly outside of auditctl + * Add new record types + * Add io_uring support + * Add support for new FANOTIFY record fields + * Add keyword, this-hour, to ausearch/report start/end options + * Add Requires.private to audit.pc file + * Try to interpret OPENAT2 fields correctly + +------------------------------------------------------------------- Old: ---- audit-3.0.9.tar.gz New: ---- _multibuild audit-3.1.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ audit-secondary.spec ++++++ --- /var/tmp/diff_new_pack.no6srf/_old 2023-07-16 17:28:34.831908190 +0200 +++ /var/tmp/diff_new_pack.no6srf/_new 2023-07-16 17:28:34.839908237 +0200 
@@ -22,7 +22,7 @@ # The seperation is required to minimize unnecessary build cycles. %define _name audit Name: audit-secondary -Version: 3.0.9 +Version: 3.1.1 Release: 0 Summary: Linux kernel audit subsystem utilities License: GPL-2.0-or-later @@ -258,6 +258,7 @@ %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz %attr(644,root,root) %{_mandir}/man8/auvirt.8.gz %attr(644,root,root) %{_mandir}/man8/augenrules.8.gz +%attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz %if 0%{?suse_version} < 1550 /sbin/auditctl /sbin/auditd @@ -276,6 +277,7 @@ %attr(755,root,root) %{_bindir}/aulastlog %attr(755,root,root) %{_bindir}/ausyscall %attr(755,root,root) %{_sbindir}/aureport +%attr(755,root,root) %{_sbindir}/audisp-af_unix %attr(755,root,root) %{_bindir}/auvirt %dir %attr(750,root,root) %{_sysconfdir}/audit %attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d ++++++ audit.spec ++++++ --- /var/tmp/diff_new_pack.no6srf/_old 2023-07-16 17:28:34.863908381 +0200 +++ /var/tmp/diff_new_pack.no6srf/_new 2023-07-16 17:28:34.867908405 +0200 @@ -16,8 +16,14 @@ # +%ifarch x86_64 +%bcond_without livepatching +%else +%bcond_with livepatching +%endif + Name: audit -Version: 3.0.9 +Version: 3.1.1 Release: 0 Summary: Linux kernel audit subsystem utilities License: GPL-2.0-or-later @@ -79,6 +85,9 @@ %build autoreconf -fi export CFLAGS="%{optflags} -fno-strict-aliasing" +%if %{with livepatching} +export CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones" +%endif export CXXFLAGS="$CFLAGS" export LDFLAGS="-Wl,-z,relro,-z,now" # no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch 
@@ -102,6 +111,33 @@ %make_build -C auparse %make_build -C docs +%if %{with livepatching} +# Workaround bsc#1208721: remove _patchable_function_entry from static libs. +find . -name "*.a" -exec \ + objcopy --remove-section "__patchable_function_entries" {} \; + +%define tar_basename audit-livepatch-%{version}-%{release} +%define tar_package_name %{tar_basename}.%{_arch}.tar.xz +%define clones_dest_dir %{tar_basename}/%{_arch} + +# Ipa-clones are files generated by gcc which logs changes made across +# functions, and we need to know such changes to build livepatches +# correctly. These files are intended to be used by the livepatch +# developers and may be retrieved by using `osc getbinaries`. +# +# Create ipa-clones destination folder and move clones there. +mkdir -p ipa-clones/%{clones_dest_dir} +find . -name "*.ipa-clones" ! -empty \ + -exec cp -t ipa-clones/%{clones_dest_dir} --parents {} + + +# Create tarball with ipa-clones. +tar -cJf %{tar_package_name} -C ipa-clones \ + --owner root --group root --sort name %{tar_basename} + +# Copy tarball to the OTHER folder to store it as artifact. +cp %{tar_package_name} %{_topdir}/OTHER +%endif + %install %make_install -C common %make_install -C lib ++++++ _multibuild ++++++ <multibuild> <package>audit-secondary</package> </multibuild> ++++++ audit-3.0.9.tar.gz -> audit-3.1.1.tar.gz ++++++ ++++ 6793 lines of diff (skipped) ++++++ audit-ausearch-do-not-require-tclass.patch ++++++ --- /var/tmp/diff_new_pack.no6srf/_old 2023-07-16 17:28:35.131909984 +0200 +++ /var/tmp/diff_new_pack.no6srf/_new 2023-07-16 17:28:35.135910008 +0200 
@@ -9,11 +9,11 @@ src/ausearch-parse.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) -Index: audit-3.0.9/src/ausearch-parse.c +Index: audit-3.1.1/src/ausearch-parse.c =================================================================== ---- audit-3.0.9.orig/src/ausearch-parse.c -+++ audit-3.0.9/src/ausearch-parse.c -@@ -2062,17 +2062,15 @@ other_avc: +--- audit-3.1.1.orig/src/ausearch-parse.c ++++ audit-3.1.1/src/ausearch-parse.c +@@ -2075,17 +2075,15 @@ other_avc: // Now get the class...its at the end, so we do things different str = strstr(term, "tclass="); ++++++ create-augenrules-service.patch ++++++ --- /var/tmp/diff_new_pack.no6srf/_old 2023-07-16 17:28:35.171910223 +0200 +++ /var/tmp/diff_new_pack.no6srf/_new 2023-07-16 17:28:35.175910247 +0200 @@ -1,7 +1,7 @@ -Index: audit-3.0.9/init.d/augenrules.service +Index: audit-3.1.1/init.d/augenrules.service =================================================================== --- /dev/null -+++ audit-3.0.9/init.d/augenrules.service ++++ audit-3.1.1/init.d/augenrules.service @@ -0,0 +1,29 @@ +[Unit] +Description=auditd rules generation @@ -32,10 +32,10 @@ +ProtectKernelTunables=true +ProtectKernelLogs=true +ReadWritePaths=/etc/audit -Index: audit-3.0.9/init.d/auditd.service +Index: audit-3.1.1/init.d/auditd.service =================================================================== ---- audit-3.0.9.orig/init.d/auditd.service -+++ audit-3.0.9/init.d/auditd.service +--- audit-3.1.1.orig/init.d/auditd.service ++++ audit-3.1.1/init.d/auditd.service @@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0 ConditionKernelCommandLine=!audit=off 
@@ -57,7 +57,7 @@ #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules # By default we clear the rules on exit. To disable this, comment # the next line after copying the file to /etc/systemd/system/auditd.service -@@ -46,7 +47,6 @@ ProtectClock=true +@@ -47,7 +48,6 @@ ProtectClock=true ProtectKernelTunables=true ProtectKernelLogs=true # end of automatic additions @@ -65,10 +65,10 @@ [Install] WantedBy=multi-user.target -Index: audit-3.0.9/init.d/Makefile.am +Index: audit-3.1.1/init.d/Makefile.am =================================================================== ---- audit-3.0.9.orig/init.d/Makefile.am -+++ audit-3.0.9/init.d/Makefile.am +--- audit-3.1.1.orig/init.d/Makefile.am ++++ audit-3.1.1/init.d/Makefile.am @@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service auditd.cron libaudit.conf auditd.condrestart \ auditd.reload auditd.restart auditd.resume \ ++++++ fix-hardened-service.patch ++++++ --- /var/tmp/diff_new_pack.no6srf/_old 2023-07-16 17:28:35.187910319 +0200 +++ /var/tmp/diff_new_pack.no6srf/_new 2023-07-16 17:28:35.191910343 +0200 @@ -12,11 +12,11 @@ Signed-off-by: Enzo Matsumiya <[email protected]> -Index: audit-3.0.9/init.d/auditd.service +Index: audit-3.1.1/init.d/auditd.service =================================================================== ---- audit-3.0.9.orig/init.d/auditd.service -+++ audit-3.0.9/init.d/auditd.service -@@ -41,12 +41,12 @@ RestrictRealtime=true +--- audit-3.1.1.orig/init.d/auditd.service ++++ audit-3.1.1/init.d/auditd.service +@@ -42,12 +42,12 @@ RestrictRealtime=true # added automatically, for details please see # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ProtectSystem=full ++++++ harden_auditd.service.patch ++++++ --- /var/tmp/diff_new_pack.no6srf/_old 2023-07-16 17:28:35.199910391 +0200 +++ /var/tmp/diff_new_pack.no6srf/_new 2023-07-16 17:28:35.203910415 +0200 
@@ -1,9 +1,9 @@ -Index: audit-3.0.9/init.d/auditd.service +Index: audit-3.1.1/init.d/auditd.service =================================================================== ---- audit-3.0.9.orig/init.d/auditd.service -+++ audit-3.0.9/init.d/auditd.service -@@ -38,6 +38,15 @@ LockPersonality=true - ProtectControlGroups=true +--- audit-3.1.1.orig/init.d/auditd.service ++++ audit-3.1.1/init.d/auditd.service +@@ -39,6 +39,15 @@ LockPersonality=true + #ProtectControlGroups=true ProtectKernelModules=true RestrictRealtime=true +# added automatically, for details please see
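Review bot: the new "Update to 3.1.1" entries in audit.changes and audit-secondary.changes list only upstream items and do not record that audit-ausearch-do-not-require-tclass.patch, create-augenrules-service.patch, fix-hardened-service.patch and harden_auditd.service.patch were refreshed against audit-3.1.1. Add a line naming the refreshed patches so the rebase is visible in the package history. Both entries also carry the misspelling "propogation" (propagation).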
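Review bot: in the audit.spec %build hunk (@@ -79,6 +85,9 @@) the livepatching flags are appended to CFLAGS just before export CXXFLAGS="$CFLAGS", so CXXFLAGS inherits them as well, and nothing in the spec explains the values in -fpatchable-function-entry=16,14. Add a comment above the %if %{with livepatching} block saying why these values are used and whether passing the flags on to CXXFLAGS is intended.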
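Review bot: in the audit.spec hunk @@ -102,6 +111,33 @@ the bsc#1208721 workaround runs objcopy through find ... -exec ... \; and with the \; form find does not turn a non-zero exit status of the command into a failure of its own, so a failing objcopy leaves the section in the static library without stopping the build. Run objcopy in a loop that aborts on error, or check the archives afterwards. The comment also names _patchable_function_entry while the section actually removed is __patchable_function_entries. If the ipa-clones tarball is meant to be identical across rebuilds, the tar call pins owner, group and sort order but not --mtime.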
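Review bot: check that the "added automatically" block inserted by harden_auditd.service.patch (hunk @@ -39,6 +39,15 @@) does not set ProtectControlGroups again, because the refreshed context line above ProtectKernelModules=true is now #ProtectControlGroups=true, in line with the 3.1 changelog item "Disable ProtectControlGroups in auditd.service by default". The rest of that hunk is not visible here, so whether the packaged unit keeps the upstream default cannot be confirmed from this mail. Stating the intended setting in the .changes entry would make the hardening decision explicit.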
