On Fri, Apr 07, 2023 at 07:34:54PM +0200, Marc Haber wrote: > I am attaching the upstream diff between 0.18.1 and 0.18.2, pulled apart > to the respective commits, 273 lines length including commit messages, > comments and the noise caused by the release.
Forgot the attachment. -- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
commit 3d5b18b9e5e1c51533ac01d8acd3499b2f9fcc2e Author: Hannes von Haugwitz <han...@vonhaugwitz.com> Date: Fri Apr 7 16:06:18 2023 +0200 Release aide 0.18.2 commit adc07f01042f327b78e4e787bb0afbbae73d566a Author: Hannes von Haugwitz <han...@vonhaugwitz.com> Date: Mon Apr 3 21:15:05 2023 +0200 Add another missing lock for tree operations commit d3376eb6523bbae5ee8b8ea32c14355045524e12 Author: Hannes von Haugwitz <han...@vonhaugwitz.com> Date: Sat Apr 1 11:21:54 2023 +0200 Add missing lock for tree operations during file system scan commit 5d46267c5d72bc2263aba76496707490acdb2a28 Author: Hannes von Haugwitz <han...@vonhaugwitz.com> Date: Wed Mar 8 20:50:58 2023 +0100 Add warning if rules contain not compiled-in attributes commit 5d46267c5d72bc2263aba76496707490acdb2a28 Author: Hannes von Haugwitz <han...@vonhaugwitz.com> Date: Wed Mar 8 20:50:58 2023 +0100 Add warning if rules contain not compiled-in attributes diff --git a/ChangeLog b/ChangeLog index 31ff00c..b6435bf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +2023-03-08 Hannes von Haugwitz <han...@vonhaugwitz.com> + * Add warning if rules contain not compiled-in attributes (closes: #153) + 2023-03-04 Hannes von Haugwitz <han...@vonhaugwitz.com> * Release aide 0.18.1 diff --git a/NEWS b/NEWS index 88ae5af..97db895 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,6 @@ +Version 0.18.2 (UNRELEASED) + * Add warning if rules contain not compiled-in attributes + Version 0.18.1 (2023-03-04) * Fix handling of empty growing files * Fix segfault when using --dry-init diff --git a/src/commandconf.c b/src/commandconf.c index 1fcfbaa..e5ef8b9 100644 --- a/src/commandconf.c +++ b/src/commandconf.c 
@@ -338,14 +338,40 @@ bool add_rx_rule_to_tree(char* rx, char* rule_prefix, RESTRICTION_TYPE restricti r->config_line = checked_strdup(linebuf); r->prefix = rule_prefix; + char *str; + DB_ATTR_TYPE unsupported_hashes = attr&(get_hashes(true)&~get_hashes(false)); if (unsupported_hashes) { - char *str; LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_WARNING, "ignoring unsupported hash algorithm(s): %s", str = diff_attributes(0, unsupported_hashes)); free(str); attr &= ~unsupported_hashes; } + DB_ATTR_TYPE unsupported_attrs = attr& + (0 +#ifndef WITH_ACL + |ATTR(attr_acl) +#endif +#ifndef WITH_SELINUX + |ATTR(attr_selinux) +#endif +#ifndef WITH_XATTR + |ATTR(attr_xattrs) +#endif +#ifndef WITH_E2FSATTRS + |ATTR(attr_e2fsattrs) +#endif +#ifndef WITH_CAPABILITIES + |ATTR(attr_capabilities) +#endif + ) + ; + if (unsupported_attrs) { + LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_WARNING, "ignoring not compiiled-in attribute(s): %s", str = diff_attributes(0, unsupported_attrs)); + free(str); + attr &= ~unsupported_attrs; + } + r->attr=attr; if (attr&ATTR(attr_sizeg)) { log_msg(LOG_LEVEL_NOTICE, "%s:%d: Using 'S' attribute is DEPRECATED and will be removed in the release after next. Update your config and use 'growing+s' instead (line: '%s')", filename, linenumber, linebuf); commit d3376eb6523bbae5ee8b8ea32c14355045524e12 Author: Hannes von Haugwitz <han...@vonhaugwitz.com> Date: Sat Apr 1 11:21:54 2023 +0200 Add missing lock for tree operations during file system scan diff --git a/ChangeLog b/ChangeLog index b6435bf..80d0366 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +2023-04-01 Hannes von Haugwitz <han...@vonhaugwitz.com> + * Add missing lock for tree operations during file system scan + 2023-03-08 Hannes von Haugwitz <han...@vonhaugwitz.com> * Add warning if rules contain not compiled-in attributes (closes: #153) diff --git a/NEWS b/NEWS index 97db895..5904559 100644 --- a/NEWS +++ b/NEWS 
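Review bot: The new warning in the `unsupported_attrs` branch misspells its key word: `"ignoring not compiiled-in attribute(s): %s"` should read `"ignoring not compiled-in attribute(s): %s"`, and since this string is what an operator will search logs for when a rule silently loses its ACL/SELinux/xattr/e2fsattrs/capabilities checks, the typo makes the message harder to find. The mask is assembled only from the five `#ifndef WITH_*` guards visible here, so it is complete for those features; whether other optional attributes exist is not visible in this hunk. Hoisting `char *str;` to function scope is fine, but `str` is now assigned only inside the two `LOG_CONFIG_FORMAT_LINE` argument lists — if that macro skips argument evaluation for a disabled log level, `free(str)` frees an indeterminate pointer; the pre-existing `unsupported_hashes` block uses the same pattern, so this is a point to confirm against the macro rather than a new defect. add_rx_rule_to_tree's body continues outside the hunk.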
@@ -1,5 +1,6 @@ Version 0.18.2 (UNRELEASED) * Add warning if rules contain not compiled-in attributes + * Add missing lock for tree operations during file system scan Version 0.18.1 (2023-03-04) * Fix handling of empty growing files diff --git a/src/db_disk.c b/src/db_disk.c index a1f1606..1bc91bb 100644 --- a/src/db_disk.c +++ b/src/db_disk.c @@ -46,6 +46,10 @@ #include <pthread.h> #endif +#ifdef WITH_PTHREAD +pthread_mutex_t seltree_mutex = PTHREAD_MUTEX_INITIALIZER; +#endif + static int get_file_status(char *filename, struct stat *fs) { int sres = 0; sres = lstat(filename,fs); @@ -121,7 +125,13 @@ void scan_dir(char *root_path, bool dry_run) { log_msg(LOG_LEVEL_DEBUG,"scan_dir: process root directory '%s' (fullpath: '%s')", &root_path[conf->root_prefix_length], root_path); if (!get_file_status(root_path, &fs)) { +#ifdef WITH_PTHREAD + pthread_mutex_lock(&seltree_mutex); +#endif match_result match = check_rxtree (&root_path[conf->root_prefix_length], conf->tree, &rule, get_restriction_from_perm(fs.st_mode), "disk"); +#ifdef WITH_PTHREAD + pthread_mutex_unlock(&seltree_mutex); +#endif if (dry_run) { print_match(&root_path[conf->root_prefix_length], rule, match, get_restriction_from_perm(fs.st_mode)); } @@ -152,7 +162,13 @@ void scan_dir(char *root_path, bool dry_run) { if (!get_file_status(entry_full_path, &fs)) { rule = NULL; node = NULL; +#ifdef WITH_PTHREAD + pthread_mutex_lock(&seltree_mutex); +#endif match_result match = check_rxtree (&entry_full_path[conf->root_prefix_length], conf->tree, &rule, get_restriction_from_perm(fs.st_mode), "disk"); +#ifdef WITH_PTHREAD + pthread_mutex_unlock(&seltree_mutex); +#endif switch (match) { case RESULT_SELECTIVE_MATCH: if (S_ISDIR(fs.st_mode)) { 
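Review bot: In both `scan_dir` hunks the lock around `check_rxtree` is released before the pointer it wrote through `&rule` is consumed (`print_match(..., rule, ...)` under `if (dry_run)` in the first hunk, the `switch (match)` body in the second), and the later commit's `get_seltree_node` site in the same function likewise unlocks before `node->path` is read. If the writer this mutex serialises (`add_file_to_tree` in the `add2tree` thread) only ever adds nodes, the retained pointers stay valid and this is sufficient; if it can free or relink nodes, the reads after unlock remain a data race. That invariant deserves a comment at the mutex definition, e.g. `/* seltree_mutex serialises access to conf->tree between scan_dir and the add2tree thread; nodes are never freed while the scan runs, so a pointer obtained under the lock may be used after unlock. */`, adjusted to whatever the tree actually guarantees. The return values of `pthread_mutex_lock`/`pthread_mutex_unlock` are ignored at every site, so a failed lock would continue unsynchronised without any trace; `if (pthread_mutex_lock(&seltree_mutex) != 0) { log_msg(LOG_LEVEL_ERROR, ...); }` followed by an abort is the usual choice. scan_dir begins before and continues after both hunks.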
@@ -221,7 +237,9 @@ static void * add2tree( __attribute__((unused)) void *arg) { database_entry *data; while ((data = queue_ts_dequeue_wait(queue_database_entries, whoami)) != NULL) { log_msg(LOG_LEVEL_THREAD, "%10s: got line '%s'", whoami, (data->line)->filename); + pthread_mutex_lock(&seltree_mutex); add_file_to_tree(conf->tree, data->line, DB_NEW|DB_DISK, NULL, &data->fs); + pthread_mutex_unlock(&seltree_mutex); free(data); } queue_ts_free(queue_database_entries); commit adc07f01042f327b78e4e787bb0afbbae73d566a Author: Hannes von Haugwitz <han...@vonhaugwitz.com> Date: Mon Apr 3 21:15:05 2023 +0200 Add another missing lock for tree operations diff --git a/ChangeLog b/ChangeLog index 80d0366..86ef681 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +2023-04-03 Hannes von Haugwitz <han...@vonhaugwitz.com> + * Add another missing lock for tree operations + 2023-04-01 Hannes von Haugwitz <han...@vonhaugwitz.com> * Add missing lock for tree operations during file system scan diff --git a/src/db_disk.c b/src/db_disk.c index 1bc91bb..f76c1ee 100644 --- a/src/db_disk.c +++ b/src/db_disk.c @@ -190,7 +190,13 @@ void scan_dir(char *root_path, bool dry_run) { } break; case RESULT_NO_MATCH: +#ifdef WITH_PTHREAD + pthread_mutex_lock(&seltree_mutex); +#endif node = get_seltree_node(conf->tree, &entry_full_path[conf->root_prefix_length]); +#ifdef WITH_PTHREAD + pthread_mutex_unlock(&seltree_mutex); +#endif if(S_ISDIR(fs.st_mode) && node) { log_msg(log_level, "scan_dir: add child directory '%s' to scan stack (reason: existing tree node '%s' (%p))", &entry_full_path[conf->root_prefix_length], node->path, node); free_entry_full_path = false; commit 3d5b18b9e5e1c51533ac01d8acd3499b2f9fcc2e Author: Hannes von Haugwitz <han...@vonhaugwitz.com> Date: Fri Apr 7 16:06:18 2023 +0200 Release aide 0.18.2 diff --git a/ChangeLog b/ChangeLog index 86ef681..82d4e90 100644 --- a/ChangeLog +++ b/ChangeLog 
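Review bot: The `add2tree` hunk takes `seltree_mutex` without the `#ifdef WITH_PTHREAD` guard that every other site uses, while the mutex itself is defined only under that guard; this compiles only if `add2tree` is itself inside `#ifdef WITH_PTHREAD`, which the hunk does not show. If that is the case, a one-line comment such as `/* seltree_mutex is defined under WITH_PTHREAD; this thread body is only built with it */` above the lock would save the next reader the same check. Holding the lock for the whole `add_file_to_tree` call is the right scope, since that is the only tree writer shown, and `free(data)` correctly stays outside it. add2tree's body starts before and continues after the hunk.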
@@ -1,3 +1,6 @@ +2023-04-07 Hannes von Haugwitz <han...@vonhaugwitz.com> + * Release aide 0.18.2 + 2023-04-03 Hannes von Haugwitz <han...@vonhaugwitz.com> * Add another missing lock for tree operations diff --git a/NEWS b/NEWS index 5904559..cd87f52 100644 --- a/NEWS +++ b/NEWS @@ -1,4 +1,4 @@ -Version 0.18.2 (UNRELEASED) +Version 0.18.2 (2023-04-07) * Add warning if rules contain not compiled-in attributes * Add missing lock for tree operations during file system scan diff --git a/README b/README index af29747..a67a57f 100644 --- a/README +++ b/README @@ -1,7 +1,7 @@ AIDE - Advanced Intrusion Detection Environment ------------------------------------------------- - Version 0.18.1 + Version 0.18.2 This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without diff --git a/doc/aide.1 b/doc/aide.1 index 11f4251..c9e1398 100644 --- a/doc/aide.1 +++ b/doc/aide.1 @@ -1,4 +1,4 @@ -.TH AIDE 1 "2023-03-04" "aide v0.18.1" "User Commands" +.TH AIDE 1 "2023-04-07" "aide v0.18.2" "User Commands" .SH NAME \fBaide\fP \- Advanced Intrusion Detection Environment .SH SYNOPSIS diff --git a/doc/aide.conf.5 b/doc/aide.conf.5 index 185a71d..ea39a6f 100644 --- a/doc/aide.conf.5 +++ b/doc/aide.conf.5 @@ -1,4 +1,4 @@ -.TH AIDE.CONF 5 "2023-03-04" "aide v0.18.1" "AIDE" +.TH AIDE.CONF 5 "2023-04-07" "aide v0.18.2" "AIDE" .SH NAME aide.conf - The configuration file for Advanced Intrusion Detection Environment