diff --git a/pkgs/by-name/au/audit/musl.patch b/pkgs/by-name/au/audit/musl.patch
deleted file mode 100644
index 8485a0759548d..0000000000000
--- a/pkgs/by-name/au/audit/musl.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 87c782153deb10bd8c3345723a8bcee343826e78 Mon Sep 17 00:00:00 2001
-From: Grimmauld
-Date: Thu, 10 Jul 2025 18:58:31 +0200
-Subject: [PATCH 1/2] lib/audit_logging.h: fix includes for musl
-
-`sys/types.h` is indirectly included with `glibc`,
-but needs to be specified explicitly on musl.
----
- lib/audit_logging.h | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/lib/audit_logging.h b/lib/audit_logging.h
-index 9082a2720..c58861b1e 100644
---- a/lib/audit_logging.h
-+++ b/lib/audit_logging.h
-@@ -25,6 +25,7 @@
-
- // Next include is to pick up the function attribute macros
- #include
-+#include
- #include
-
- #ifdef __cplusplus
-
-From 98adfcc4bfa66ac25db0b609d7172d7d40c4f85f Mon Sep 17 00:00:00 2001
-From: Grimmauld
-Date: Fri, 11 Jul 2025 08:11:21 +0200
-Subject: [PATCH 2/2] Guard __attr_dealloc_free seperately from __attr_dealloc
-
-Otherwise, header include order matters when building against a libc that
-does not itself define __attr_dealloc_free, such as musl.
---- - auparse/auparse.h | 2 ++ - lib/audit_logging.h | 2 ++ - lib/libaudit.h | 2 ++ - 3 files changed, 6 insertions(+) - -diff --git a/auparse/auparse.h b/auparse/auparse.h -index 48375e2c7..ba5139625 100644 ---- a/auparse/auparse.h -+++ b/auparse/auparse.h -@@ -31,6 +31,8 @@ - #endif - #ifndef __attr_dealloc - # define __attr_dealloc(dealloc, argno) -+#endif -+#ifndef __attr_dealloc_free - # define __attr_dealloc_free - #endif - #ifndef __attribute_malloc__ -diff --git a/lib/audit_logging.h b/lib/audit_logging.h -index c58861b1e..fab7e75d1 100644 ---- a/lib/audit_logging.h -+++ b/lib/audit_logging.h -@@ -40,6 +40,8 @@ extern "C" { - #endif - #ifndef __attr_dealloc - # define __attr_dealloc(dealloc, argno) -+#endif -+#ifndef __attr_dealloc_free - # define __attr_dealloc_free - #endif - // Warn unused result -diff --git a/lib/libaudit.h b/lib/libaudit.h -index 2c51853b7..cce5dc493 100644 ---- a/lib/libaudit.h -+++ b/lib/libaudit.h -@@ -43,6 +43,8 @@ - // malloc and free assignments - #ifndef __attr_dealloc - # define __attr_dealloc(dealloc, argno) -+#endif -+#ifndef __attr_dealloc_free - # define __attr_dealloc_free - #endif - #ifndef __attribute_malloc__ diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix index 177bf7212c057..e33b1116c061d 100644 --- a/pkgs/by-name/au/audit/package.nix +++ b/pkgs/by-name/au/audit/package.nix @@ -4,12 +4,14 @@ fetchFromGitHub, autoreconfHook, bash, + bashNonInteractive, buildPackages, linuxHeaders, python3, swig, pkgsCross, libcap_ng, + installShellFiles, # Enabling python support while cross compiling would be possible, but the # configure script tries executing python to gather info instead of relying on 
@@ -21,20 +23,15 @@ }: stdenv.mkDerivation (finalAttrs: { pname = "audit"; - version = "4.1.0"; + version = "4.1.1-unstable-2025-08-01"; src = fetchFromGitHub { owner = "linux-audit"; repo = "audit-userspace"; - tag = "v${finalAttrs.version}"; - hash = "sha256-MWlHaGue7Ca8ks34KNg74n4Rfj8ivqAhLOJHeyE2Q04="; + rev = "bee5984843d0b38992a369825a87a65fb54b18fc"; # musl fixes, --disable-legacy-actions and --runstatedir support + hash = "sha256-l3JHWEHz2xGrYxEvfCUD29W8xm5llUnXwX5hLymRG74="; }; - patches = [ - # https://github.com/linux-audit/audit-userspace/pull/476 - ./musl.patch - ]; - postPatch = '' substituteInPlace bindings/swig/src/auditswig.i \ --replace-fail "/usr/include/linux/audit.h" \ @@ -61,6 +58,7 @@ stdenv.mkDerivation (finalAttrs: { nativeBuildInputs = [ autoreconfHook + installShellFiles ] ++ lib.optionals enablePython [ python3 
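Review bot: The `rev` pin in `src` has no stated exit condition: the only rationale is a trailing comment on the `rev` line, and nothing says when the package should return to a tagged release. For a security-critical daemon built from an unreleased commit, I would put the reason on its own line above `rev` and add the condition, e.g. `# unreleased commit for musl fixes, --disable-legacy-actions and --runstatedir; return to tag = "v${finalAttrs.version}" at the next upstream release`. Pinning by full commit id together with `hash` keeps the fetched content fixed, so this is about reviewability, not integrity. That the commit actually follows the v4.1.1 tag, as the `4.1.1-unstable-2025-08-01` version string implies, cannot be confirmed from this hunk.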
@@ -76,14 +74,34 @@ stdenv.mkDerivation (finalAttrs: { # z/OS plugin is not useful on Linux, and pulls in an extra openldap # dependency otherwise "--disable-zos-remote" + # remove legacy start/stop scripts to remove a bash dependency in $lib + # People interested in logging auditd interactions (e.g. for compliance) can start/stop audit using `auditctl --signal` + # See also https://github.com/linux-audit/audit-userspace?tab=readme-ov-file#starting-and-stopping-the-daemon + "--disable-legacy-actions" "--with-arm" "--with-aarch64" + "--with-io_uring" + # allows putting audit files in /run/audit, which removes the requirement + # to wait for tmpfiles to set up the /var/run -> /run symlink + "--runstatedir=/run" # capability dropping, currently mostly for plugins as those get spawned as root # see auditd-plugins(5) "--with-libcap-ng=yes" (if enablePython then "--with-python" else "--without-python") ]; + __structuredAttrs = true; + + # lib output is part of the mandatory nixos system closure, so avoid bash here + outputChecks.lib.disallowedRequisites = [ + bash + bashNonInteractive + ]; + + postInstall = '' + installShellCompletion --bash init.d/audit.bash_completion + ''; + enableParallelBuilding = true; passthru = { @@ -98,7 +116,7 @@ stdenv.mkDerivation (finalAttrs: { meta = { homepage = "https://people.redhat.com/sgrubb/audit/"; description = "Audit Library"; - changelog = "https://github.com/linux-audit/audit-userspace/releases/tag/v${finalAttrs.version}"; + changelog = "https://github.com/linux-audit/audit-userspace/releases/tag/v4.1.1"; license = lib.licenses.gpl2Plus; maintainers = with lib.maintainers; [ grimmauld ]; pkgConfigModules = [
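Review bot: `--with-io_uring` is the only flag added to `configureFlags` without a rationale, although it changes the feature set of the audit tools rather than just the packaging. A one-line comment above it, such as `# enable io_uring support in the audit tools` (wording to be confirmed against upstream's configure help), would match the neighbouring flags. Separately, `--runstatedir=/run` moves the daemon's runtime files, so any unit, tmpfiles rule or plugin configuration that still points at the old `/var/run` location has to change together with this; none of those are visible in this hunk. The `__structuredAttrs = true;` line would also benefit from a comment noting that the `outputChecks` block below it depends on it.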
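Review bot: The `changelog` URL is now the literal `v4.1.1`, so it will silently go stale at the next version bump, and it does not describe the commits after that tag which this build includes. A comment on the line above, such as `# hard-coded while src is an unstable rev; restore v${finalAttrs.version} when returning to a tag`, would keep it from being forgotten. The `meta` block continues past the end of the hunk.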