[gentoo-commits] repo/gentoo:master commit in: sys-process/audit/files/, sys-process/audit/

["Sam James" <sam@gentoo.org>]

commit:     b0fbaa7cc15c6663e4a854c0caca4ffffe7d1ff9
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Thu Apr  7 03:03:22 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu Apr  7 03:37:43 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0fbaa7c

sys-process/audit: add 3.0.8

Signed-off-by: Sam James <sam <AT> gentoo.org>

 sys-process/audit/Manifest                         |   1 +
 sys-process/audit/audit-3.0.8.ebuild               | 175 +++++++++++++++++++++
 .../files/audit-3.0.8-linux-headers-5.17.patch     |  41 +++++
 3 files changed, 217 insertions(+)

diff --git a/sys-process/audit/Manifest b/sys-process/audit/Manifest
index 84d6a8474b9b..66d3b1f8fc41 100644
--- a/sys-process/audit/Manifest
+++ b/sys-process/audit/Manifest
@@ -1,3 +1,4 @@
 DIST audit-3.0.6.tar.gz 1190011 BLAKE2B 93a7efad1cbea6771a73222b05aacbabc4ac61d1efb9fc2532607a94804bcac6512d0be2f4d89aa62d94fb85ba5818ffae4bf0a72676e8d549ddbec766e83e9c SHA512 74734e1b1fddea086db9c5dc8c4b7817917fdf17bc7ca4e5b440aae975484d020a17c3f485f6a37b6b150a307d809e50d559d31a8cbd6f1e554933719551bcd1
 DIST audit-3.0.7.tar.gz 1180226 BLAKE2B 706db746fb779913619da794bab24a9e890e1655bbd0abb007cbc909b32ab1d643e93953a23ef864d5e189f3447a7ddb4dca1478144cdc226f5a5594545bd28f SHA512 b5662b32082fc2ac54e247aa0db5442d76afa30134ebba1d624a17004e9ccf6856bb75344af4ce9d9a0a66c03e1c6f18b7d45658d7df13ea71af0c8362e08d70
+DIST audit-3.0.8.tar.gz 1182432 BLAKE2B 38a35a7540e608127cfc54a2de2cb12df8c29e778799ca53318824c84565a67b7ea131f9bba455fa469ce9139a27908738f571a6e383ce9a3274f70c09d27ec7 SHA512 8379bf425d68381d182300e628e42de8460d2f3e15b2395e10880f94b9989656852a50a9bece75b632ec8a04c40c9e666ff4c9d6b25ace3a8f50d2011506afab
 DIST audit-3.0.tar.gz 1109442 BLAKE2B f9c94f7163522068f5f37163a242cb913acc87b5465f7f8550fad27ac1dc673fd7a98e208bd5e6fb136eac1fdadd659e599e7722426937481bbf8c66d86a1617 SHA512 b82ec73c85a8ebb5108b526673d6fe08cbe0b51376788f3ea6ed5747c4612158462893e719496dffbd723f833f84383a2d1d55fd78a3ed985ecfd19545060c88

diff --git a/sys-process/audit/audit-3.0.8.ebuild b/sys-process/audit/audit-3.0.8.ebuild
new file mode 100644
index 000000000000..5b0d02d64cbe
--- /dev/null
+++ b/sys-process/audit/audit-3.0.8.ebuild
@@ -0,0 +1,175 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+# As with sys-libs/libcap-ng, same maintainer in Fedora as upstream, so
+# check Fedora's packaging (https://src.fedoraproject.org/rpms/audit/tree/rawhide)
+# on bumps (or if hitting a bug) to see what they've done there.
+
+PYTHON_COMPAT=( python3_{8..10} )
+
+inherit autotools multilib-minimal toolchain-funcs python-r1 linux-info systemd usr-ldscript
+
+DESCRIPTION="Userspace utilities for storing and processing auditing records"
+HOMEPAGE="https://people.redhat.com/sgrubb/audit/"
+SRC_URI="https://people.redhat.com/sgrubb/audit/${P}.tar.gz"
+
+LICENSE="GPL-2+ LGPL-2.1+"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="gssapi ldap python static-libs test"
+
+REQUIRED_USE="python? ( ${PYTHON_REQUIRED_USE} )"
+RESTRICT="!test? ( test )"
+
+RDEPEND="gssapi? ( virtual/krb5 )
+	ldap? ( net-nds/openldap:= )
+	python? ( ${PYTHON_DEPS} )
+	sys-libs/libcap-ng"
+DEPEND="${RDEPEND}
+	>=sys-kernel/linux-headers-2.6.34
+	test? ( dev-libs/check )"
+BDEPEND="python? ( dev-lang/swig )"
+
+CONFIG_CHECK="~AUDIT"
+
+PATCHES=(
+	# See bug #836702 before removing / verify builds fine w/ USE=python
+	# with latest kernel headers.
+	"${FILESDIR}"/${PN}-3.0.8-linux-headers-5.17.patch
+)
+
+src_prepare() {
+	# audisp-remote moved in multilib_src_install_all
+	sed -i \
+		-e "s,/sbin/audisp-remote,${EPREFIX}/usr/sbin/audisp-remote," \
+		audisp/plugins/remote/au-remote.conf || die
+
+	# Disable installing sample rules so they can be installed as docs.
+	echo -e '%:\n\t:' | tee rules/Makefile.{am,in} >/dev/null || die
+
+	default
+	eautoreconf
+}
+
+multilib_src_configure() {
+	local -a myeconfargs=(
+		--sbindir="${EPREFIX}/sbin"
+		$(use_enable gssapi gssapi-krb5)
+		$(use_enable ldap zos-remote)
+		$(use_enable static-libs static)
+		--enable-systemd
+		--without-golang
+		--without-python
+		--without-python3
+	)
+
+	ECONF_SOURCE="${S}" econf "${myeconfargs[@]}"
+
+	if multilib_is_native_abi && use python; then
+		python_configure() {
+			mkdir -p "${BUILD_DIR}" || die
+			pushd "${BUILD_DIR}" &>/dev/null || die
+
+			ECONF_SOURCE=${S} econf "${myeconfargs[@]}" --with-python3
+
+			popd &>/dev/null || die
+		}
+
+		python_foreach_impl python_configure
+	fi
+}
+
+src_configure() {
+	tc-export_build_env BUILD_{CC,CPP}
+
+	local -x CC_FOR_BUILD="${BUILD_CC}"
+	local -x CPP_FOR_BUILD="${BUILD_CPP}"
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_compile() {
+	if multilib_is_native_abi; then
+		default
+
+		local native_build="${BUILD_DIR}"
+
+		python_compile() {
+			emake -C "${BUILD_DIR}"/bindings/swig top_builddir="${native_build}"
+			emake -C "${BUILD_DIR}"/bindings/python/python3 top_builddir="${native_build}"
+		}
+
+		use python && python_foreach_impl python_compile
+	else
+		emake -C common
+		emake -C lib
+		emake -C auparse
+	fi
+}
+
+multilib_src_install() {
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" initdir="$(systemd_get_systemunitdir)" install
+
+		local native_build="${BUILD_DIR}"
+
+		python_install() {
+			emake -C "${BUILD_DIR}"/bindings/swig DESTDIR="${D}" top_builddir="${native_build}" install
+			emake -C "${BUILD_DIR}"/bindings/python/python3 DESTDIR="${D}" top_builddir="${native_build}" install
+			python_optimize
+		}
+
+		use python && python_foreach_impl python_install
+
+		# Things like shadow use this so we need to be in /
+		gen_usr_ldscript -a audit auparse
+	else
+		emake -C lib DESTDIR="${D}" install
+		emake -C auparse DESTDIR="${D}" install
+	fi
+}
+
+multilib_src_install_all() {
+	dodoc AUTHORS ChangeLog README* THANKS
+	docinto contrib
+	dodoc contrib/avc_snap
+	docinto contrib/plugin
+	dodoc contrib/plugin/*
+	docinto rules
+	dodoc rules/*rules
+
+	newinitd "${FILESDIR}"/auditd-init.d-2.4.3 auditd
+	newconfd "${FILESDIR}"/auditd-conf.d-2.1.3 auditd
+
+	[ -f "${ED}"/sbin/audisp-remote ] && \
+	dodir /usr/sbin && \
+	mv "${ED}"/{sbin,usr/sbin}/audisp-remote || die
+
+	# Gentoo rules
+	insinto /etc/audit
+	newins "${FILESDIR}"/audit.rules-2.1.3 audit.rules
+	doins "${FILESDIR}"/audit.rules.stop*
+
+	# audit logs go here
+	keepdir /var/log/audit
+
+	find "${ED}" -type f -name '*.la' -delete || die
+
+	# Security
+	lockdown_perms "${ED}"
+}
+
+pkg_postinst() {
+	lockdown_perms "${EROOT}"
+}
+
+lockdown_perms() {
+	# Upstream wants these to have restrictive perms.
+	# Should not || die as not all paths may exist.
+	local basedir="${1}"
+	chmod 0750 "${basedir}"/sbin/au{ditctl,ditd,report,search,trace} 2>/dev/null
+	chmod 0750 "${basedir}"/var/log/audit 2>/dev/null
+	chmod 0640 "${basedir}"/etc/audit/{auditd.conf,audit*.rules*} 2>/dev/null
+}

diff --git a/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch b/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch
new file mode 100644
index 000000000000..8d41d8363822
--- /dev/null
+++ b/sys-process/audit/files/audit-3.0.8-linux-headers-5.17.patch
@@ -0,0 +1,41 @@
+Upstream rejected a workaround/fix at https://github.com/linux-audit/audit-userspace/pull/253
+/ https://github.com/linux-audit/audit-userspace/issues/252#issuecomment-1078595249.
+
+Instead, in Fedora (same maintainer as upstream), they're patching the headers then unpatching before install.
+
+Apparently the swig bindings are on their way out but I'm not convinced that's going to be a quick migration given the API will.. surely change?
+
+It's not ideal but let's take the patch slyfox ended up using in nixpkgs anyway.
+
+https://bugs.gentoo.org/836702
+
+From beed138222421a2eb4212d83cb889404bd7efc49 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyich@gmail.com>
+Date: Wed, 23 Mar 2022 07:27:05 +0000
+Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf
+
+As it's a flexible array generated code was never safe to use.
+With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574
+change it's a build failure now:
+
+    audit> audit_wrap.c:5010:15: error: invalid use of flexible array member
+    audit>  5010 |     arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
+    audit>       |               ^
+
+Let's avoid setter generation entirely.
+
+Closes: https://github.com/linux-audit/audit-userspace/issues/252
+--- a/bindings/swig/src/auditswig.i
++++ b/bindings/swig/src/auditswig.i
+@@ -39,6 +39,10 @@ signed
+ #define __attribute(X) /*nothing*/
+ typedef unsigned __u32;
+ typedef unsigned uid_t;
++/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not:
++ * generating setters against them: https://github.com/swig/swig/issues/1699
++ */
++%ignore audit_rule_data::buf;
+ %include "/usr/include/linux/audit.h"
+ #define __extension__ /*nothing*/
+ %include <stdint.i>
+