audit: 4.0.3 -> 4.1.0 (#425015)

2026-01-11 18:32:23 +08:00 · 2025-07-28 10:46:42 +02:00
parent 8fc74e87a7 0b55cdb96d
commit 0dae4128fe
2 changed files with 105 additions and 5 deletions
--- a/pkgs/by-name/au/audit/musl.patch
+++ b/pkgs/by-name/au/audit/musl.patch
@@ -0,0 +1,76 @@
+From 87c782153deb10bd8c3345723a8bcee343826e78 Mon Sep 17 00:00:00 2001
+From: Grimmauld <Grimmauld@grimmauld.de>
+Date: Thu, 10 Jul 2025 18:58:31 +0200
+Subject: [PATCH 1/2] lib/audit_logging.h: fix includes for musl
+
+`sys/types.h` is indirectly included with `glibc`,
+but needs to be specified explicitly on musl.
+---
+ lib/audit_logging.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/audit_logging.h b/lib/audit_logging.h
+index 9082a2720..c58861b1e 100644
+--- a/lib/audit_logging.h
+++ b/lib/audit_logging.h
+@@ -25,6 +25,7 @@
+ 
+ // Next include is to pick up the function attribute macros
+ #include <features.h>
+#include <sys/types.h>
+ #include <audit-records.h>
+ 
+ #ifdef __cplusplus
+
+From 98adfcc4bfa66ac25db0b609d7172d7d40c4f85f Mon Sep 17 00:00:00 2001
+From: Grimmauld <Grimmauld@grimmauld.de>
+Date: Fri, 11 Jul 2025 08:11:21 +0200
+Subject: [PATCH 2/2] Guard __attr_dealloc_free seperately from __attr_dealloc
+
+Otherwise, header include order matters when building against a libc that
+does not itself define __attr_dealloc_free, such as musl.
+---
+ auparse/auparse.h   | 2 ++
+ lib/audit_logging.h | 2 ++
+ lib/libaudit.h      | 2 ++
+ 3 files changed, 6 insertions(+)
+
+diff --git a/auparse/auparse.h b/auparse/auparse.h
+index 48375e2c7..ba5139625 100644
+--- a/auparse/auparse.h
+++ b/auparse/auparse.h
+@@ -31,6 +31,8 @@
+ #endif
+ #ifndef __attr_dealloc
+ # define __attr_dealloc(dealloc, argno)
+#endif
+#ifndef __attr_dealloc_free
+ # define __attr_dealloc_free
+ #endif
+ #ifndef __attribute_malloc__
+diff --git a/lib/audit_logging.h b/lib/audit_logging.h
+index c58861b1e..fab7e75d1 100644
+--- a/lib/audit_logging.h
+++ b/lib/audit_logging.h
+@@ -40,6 +40,8 @@ extern "C" {
+ #endif
+ #ifndef __attr_dealloc
+ # define __attr_dealloc(dealloc, argno)
+#endif
+#ifndef __attr_dealloc_free
+ # define __attr_dealloc_free
+ #endif
+ // Warn unused result
+diff --git a/lib/libaudit.h b/lib/libaudit.h
+index 2c51853b7..cce5dc493 100644
+--- a/lib/libaudit.h
+++ b/lib/libaudit.h
+@@ -43,6 +43,8 @@
+ // malloc and free assignments
+ #ifndef __attr_dealloc
+ # define __attr_dealloc(dealloc, argno)
+#endif
+#ifndef __attr_dealloc_free
+ # define __attr_dealloc_free
+ #endif
+ #ifndef __attribute_malloc__
--- a/pkgs/by-name/au/audit/package.nix
+++ b/pkgs/by-name/au/audit/package.nix
@@ -9,29 +9,41 @@
  python3,
  swig,
  pkgsCross,
+  libcap_ng,

  # Enabling python support while cross compiling would be possible, but the
  # configure script tries executing python to gather info instead of relying on
  # python3-config exclusively
  enablePython ? stdenv.hostPlatform == stdenv.buildPlatform,
+  nix-update-script,
+  testers,
 }:
 stdenv.mkDerivation (finalAttrs: {
  pname = "audit";
-  version = "4.0.3";
+  version = "4.1.0";

  src = fetchFromGitHub {
    owner = "linux-audit";
    repo = "audit-userspace";
    tag = "v${finalAttrs.version}";
-    hash = "sha256-+M5Nai/ruK16udsHcMwv1YoVQbCLKNuz/4FCXaLbiCw=";
+    hash = "sha256-MWlHaGue7Ca8ks34KNg74n4Rfj8ivqAhLOJHeyE2Q04=";
  };

+  patches = [
+    # https://github.com/linux-audit/audit-userspace/pull/476
+    ./musl.patch
+  ];
+
  postPatch = ''
    substituteInPlace bindings/swig/src/auditswig.i \
      --replace-fail "/usr/include/linux/audit.h" \
                     "${linuxHeaders}/include/linux/audit.h"
  '';

+  # https://github.com/linux-audit/audit-userspace/issues/474
+  # building databuf_test fails otherwise, as that uses hidden symbols only available in the static builds
+  dontDisableStatic = true;
+
  outputs = [
    "bin"
    "lib"
@@ -56,6 +68,7 @@ stdenv.mkDerivation (finalAttrs: {

  buildInputs = [
    bash
+    libcap_ng
  ];

  configureFlags = [
@@ -64,13 +77,20 @@ stdenv.mkDerivation (finalAttrs: {
    "--disable-zos-remote"
    "--with-arm"
    "--with-aarch64"
+    # capability dropping, currently mostly for plugins as those get spawned as root
+    # see auditd-plugins(5)
+    "--with-libcap-ng=yes"
    (if enablePython then "--with-python" else "--without-python")
  ];

  enableParallelBuilding = true;

-  passthru.tests = {
-    musl = pkgsCross.musl64.audit;
+  passthru = {
+    updateScript = nix-update-script { };
+    tests = {
+      musl = pkgsCross.musl64.audit;
+      pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
+    };
  };

  meta = {
@@ -78,7 +98,11 @@ stdenv.mkDerivation (finalAttrs: {
    description = "Audit Library";
    changelog = "https://github.com/linux-audit/audit-userspace/releases/tag/v${finalAttrs.version}";
    license = lib.licenses.gpl2Plus;
-    maintainers = with lib.maintainers; [ ];
+    maintainers = with lib.maintainers; [ grimmauld ];
+    pkgConfigModules = [
+      "audit"
+      "auparse"
+    ];
    platforms = lib.platforms.linux;
  };
 })