From 39e88985f738716bbf6b8cb89763ae4917783dcf Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Wed, 25 Jun 2025 15:41:06 +0200
Subject: [PATCH 1/5] audit: support loading audisp plugins from symlinks

Upstream PR: https://github.com/linux-audit/audit-userspace/pull/467
---
 pkgs/by-name/au/audit/package.nix | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix
index 820d39137744c..cc87889f03b9d 100644
--- a/pkgs/by-name/au/audit/package.nix
+++ b/pkgs/by-name/au/audit/package.nix
@@ -2,6 +2,7 @@
   lib,
   stdenv,
   fetchFromGitHub,
+  fetchpatch,
   autoreconfHook,
   bash,
   buildPackages,
@@ -26,6 +27,24 @@ stdenv.mkDerivation (finalAttrs: {
     hash = "sha256-SgMt1MmcH7r7O6bmJCetRg3IdoZXAXjVJyeu0HRfyf8=";
   };
 
+  patches = [
+    # nix configures most stuff by symlinks, e.g. in /etc
+    # thus, for plugins to be picked up, symlinks must be allowed
+    # https://github.com/linux-audit/audit-userspace/pull/467
+    (fetchpatch {
+      url = "https://github.com/linux-audit/audit-userspace/pull/467/commits/dbefc642b3bd0cafe599fcd18c6c88cb672397ee.patch?full_index=1";
+      hash = "sha256-Ksn/qKBQYFAjvs1OVuWhgWCdf4Bdp9/a+MrhyJAT+Bw=";
+    })
+    (fetchpatch {
+      url = "https://github.com/linux-audit/audit-userspace/pull/467/commits/50094f56fefc0b9033ef65e8c4f108ed52ef5de5.patch?full_index=1";
+      hash = "sha256-CJKDLdlpsCd+bG6j5agcnxY1+vMCImHwHGN6BXURa4c=";
+    })
+    (fetchpatch {
+      url = "https://github.com/linux-audit/audit-userspace/pull/467/commits/5e75091abd297807b71b3cfe54345c2ef223939a.patch?full_index=1";
+      hash = "sha256-LPpO4PH/3MyCJq2xhmhhcnFeK3yh7LK6Mjypuvhacu4=";
+    })
+  ];
+
   postPatch = ''
     substituteInPlace bindings/swig/src/auditswig.i \
       --replace-fail "/usr/include/linux/audit.h" \
From 59f60cc6ad82aa47d0cb71ffd486edfb588ffef8 Mon Sep 17 00:00:00 2001
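Review bot: The comment above `patches` says why symlinks must be accepted but not what the upstream check being relaxed was guarding, and that is the security-relevant part of this hunk: if upstream refused plugin configuration reachable through a symlink as a hardening measure, a reader of this package needs to know which checks (ownership, file mode) the three patches leave in place — that cannot be confirmed from the fetchpatch URLs alone. I would extend the comment with `# relaxes upstream's symlink refusal for plugin config files; the remaining ownership/permission checks are kept (verify against the PR)`. The patches are pinned to individual commits of an open PR, so they should also carry a removal hint, e.g. `# TODO: drop once PR 467 is merged and part of a release`, otherwise a later version bump will either fail to apply them or carry them redundantly. The `?full_index=1` suffix is the right choice, as it keeps the fetched content and therefore the hash stable.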
From: Grimmauld
Date: Wed, 25 Jun 2025 15:41:57 +0200
Subject: [PATCH 2/5] audit: add grimmauld to maintainers

---
 pkgs/by-name/au/audit/package.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix
index cc87889f03b9d..d8abee529f78f 100644
--- a/pkgs/by-name/au/audit/package.nix
+++ b/pkgs/by-name/au/audit/package.nix
@@ -98,7 +98,7 @@ stdenv.mkDerivation (finalAttrs: {
     description = "Audit Library";
     changelog = "https://github.com/linux-audit/audit-userspace/releases/tag/v${finalAttrs.version}";
     license = lib.licenses.gpl2Plus;
-    maintainers = with lib.maintainers; [ ];
+    maintainers = with lib.maintainers; [ grimmauld ];
     platforms = lib.platforms.linux;
   };
 })
From 1838aeba8b5034daa95fc2fa14c2e87d0c2fd264 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Wed, 25 Jun 2025 22:42:40 +0200
Subject: [PATCH 3/5] audit: add updateScript

---
 pkgs/by-name/au/audit/package.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix
index d8abee529f78f..e633133fff1f8 100644
--- a/pkgs/by-name/au/audit/package.nix
+++ b/pkgs/by-name/au/audit/package.nix
@@ -15,6 +15,7 @@
   # configure script tries executing python to gather info instead of relying on
   # python3-config exclusively
   enablePython ? stdenv.hostPlatform == stdenv.buildPlatform,
+  nix-update-script,
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "audit";
@@ -89,8 +90,11 @@ stdenv.mkDerivation (finalAttrs: {
 
   enableParallelBuilding = true;
 
-  passthru.tests = {
-    musl = pkgsCross.musl64.audit;
+  passthru = {
+    updateScript = nix-update-script { };
+    tests = {
+      musl = pkgsCross.musl64.audit;
+    };
   };
 
   meta = {
From 916454f79645ecba4da6b7974927fea9cc4a8d60 Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Wed, 25 Jun 2025 23:01:30 +0200
Subject: [PATCH 4/5] audit: add pkg-config meta and tester

---
 pkgs/by-name/au/audit/package.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix
index e633133fff1f8..ba908eddbd8f3 100644
--- a/pkgs/by-name/au/audit/package.nix
+++ b/pkgs/by-name/au/audit/package.nix
@@ -16,6 +16,7 @@
   # python3-config exclusively
   enablePython ? stdenv.hostPlatform == stdenv.buildPlatform,
   nix-update-script,
+  testers,
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "audit";
@@ -94,6 +95,7 @@ stdenv.mkDerivation (finalAttrs: {
     updateScript = nix-update-script { };
     tests = {
       musl = pkgsCross.musl64.audit;
+      pkg-config = testers.testMetaPkgConfig finalAttrs.finalPackage;
     };
   };
 
@@ -103,6 +105,10 @@ stdenv.mkDerivation (finalAttrs: {
     changelog = "https://github.com/linux-audit/audit-userspace/releases/tag/v${finalAttrs.version}";
     license = lib.licenses.gpl2Plus;
     maintainers = with lib.maintainers; [ grimmauld ];
+    pkgConfigModules = [
+      "audit"
+      "auparse"
+    ];
     platforms = lib.platforms.linux;
   };
 })
From 4db1e1cf1356bf7569db932fb339efa83657ee5d Mon Sep 17 00:00:00 2001
From: Grimmauld
Date: Wed, 25 Jun 2025 23:12:13 +0200
Subject: [PATCH 5/5] audit: build with libcap_ng

See auditd-plugins(5) for motivation:
> When the audit daemon starts your plugin, you will be running as root.
> If you do not need root privileges, you should change uid/gid to lower
> chances of being a target for exploit. If you need to retain capabilities,
> using libcap-ng is the simplest way.
`libcap_ng` is already in the closure via util-linux and thus does not unnecessarily bloat the system. It is also a very sane idea to allow plugins to drop privileges if they already conveniently support it.
---
 pkgs/by-name/au/audit/package.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix
index ba908eddbd8f3..62732842d66a8 100644
--- a/pkgs/by-name/au/audit/package.nix
+++ b/pkgs/by-name/au/audit/package.nix
@@ -10,6 +10,7 @@
   python3,
   swig,
   pkgsCross,
+  libcap_ng,
 
   # Enabling python support while cross compiling would be possible, but the
   # configure script tries executing python to gather info instead of relying on
@@ -78,6 +79,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   buildInputs = [
     bash
+    libcap_ng
   ];
 
   configureFlags = [
@@ -86,6 +88,9 @@ stdenv.mkDerivation (finalAttrs: {
     "--disable-zos-remote"
     "--with-arm"
     "--with-aarch64"
+    # capability dropping, currently mostly for plugins as those get spawned as root
+    # see auditd-plugins(5)
+    "--with-libcap-ng=yes"
     (if enablePython then "--with-python" else "--without-python")
   ];
 
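Review bot: The comment on `--with-libcap-ng=yes` in the configureFlags hunk says the flag is "mostly for plugins", which leaves the reader guessing what else changes; the configure switch enables libcap-ng for the whole source tree, so auditd itself may also start dropping capabilities at startup — worth confirming against the upstream sources and stating explicitly, since a daemon that retains fewer capabilities than before is a behaviour change for anyone whose setup relied on the old build. Passing `=yes` rather than leaving it to configure's auto-detection is the right call here: the build fails if the library is missing instead of silently producing binaries without privilege dropping, and `libcap_ng` is in `buildInputs` in the hunk above, so that failure cannot happen in nixpkgs. I would reword the comment to `# libcap-ng lets the bundled audisp plugins (and auditd, if it uses it) drop capabilities after being started as root; see auditd-plugins(5). "=yes" makes configure fail loudly instead of silently skipping it`.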