audit: upgrade 3.1.2 -> 4.0

ChangeLog:
https://github.com/linux-audit/audit-userspace/releases/tag/v4.0
Major changes:
  Separate loading rules and logging events into separate services,
  audit-rules.service and auditd.service.
  Drop support for python2 and SysVinit.
  The auvirt and autrace programs have been dropped.
  The syscall and interpretation tables have been updated for the 6.8
  kernel.

* Backport patch to fix build error with musl
* Clean up configure options
* Use its own systemd service files
* Refresh patches
* Fix indentation

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>

meta-oe/recipes-security/audit/audit/0001-Fixed-swig-host-contamination-issue.patch

@@ -1,4 +1,4 @@
-From 9a32d42dfc6713fd0085dd4563a934afc30ec097 Mon Sep 17 00:00:00 2001
+From 5cdc667aeb7a014cdc1f8c7df8f8080408773dbe Mon Sep 17 00:00:00 2001
 From: Li xin <lixin.fnst@cn.fujitsu.com>
 Date: Sun, 19 Jul 2015 02:42:58 +0900
 Subject: [PATCH] Fixed swig host contamination issue
@@ -19,7 +19,7 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
  2 files changed, 3 insertions(+), 2 deletions(-)
 
 diff --git a/bindings/swig/python3/Makefile.am b/bindings/swig/python3/Makefile.am
-index 6131e80d..2fb7207b 100644
+index c2c6def4..bcc2836c 100644
 --- a/bindings/swig/python3/Makefile.am
 +++ b/bindings/swig/python3/Makefile.am
 @@ -23,6 +23,7 @@
@@ -28,9 +28,9 @@ index 6131e80d..2fb7207b 100644
  AM_CPPFLAGS = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
 +STDINC ?= /usr/include
  LIBS = $(top_builddir)/lib/libaudit.la
- SWIG_FLAGS = -python -py3 -modern
+ SWIG_FLAGS = -python
  SWIG_INCLUDES = -I. -I$(top_builddir) -I${top_srcdir}/lib $(PYTHON3_INCLUDES)
-@@ -37,7 +38,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/libaudit.h ${top_builddir}/lib/libaudi
+@@ -37,7 +38,7 @@ _audit_la_DEPENDENCIES =${top_srcdir}/lib/audit_logging.h ${top_builddir}/lib/li
  _audit_la_LIBADD = ${top_builddir}/lib/libaudit.la
  nodist__audit_la_SOURCES  = audit_wrap.c
  audit.py audit_wrap.c: ${srcdir}/../src/auditswig.i 
@@ -40,18 +40,18 @@ index 6131e80d..2fb7207b 100644
  CLEANFILES = audit.py* audit_wrap.c *~
  
 diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
-index 9a2c5661..6cbb7295 100644
+index 6b267844..5a4e442f 100644
 --- a/bindings/swig/src/auditswig.i
 +++ b/bindings/swig/src/auditswig.i
-@@ -43,7 +43,7 @@ typedef unsigned uid_t;
-  * generating setters against them: https://github.com/swig/swig/issues/1699
+@@ -50,7 +50,7 @@ typedef unsigned uid_t;
   */
  %ignore audit_rule_data::buf;
+ 
 -%include "/usr/include/linux/audit.h"
 +%include "../lib/audit.h"
  #define __extension__ /*nothing*/
  %include <stdint.i>
- %include "../lib/libaudit.h"
+ %include "../lib/audit-records.h"
 -- 
 2.25.1
 

meta-oe/recipes-security/audit/audit/0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch

@@ -1,4 +1,4 @@
-From 679cb57fa93984fed345dd3890cdbcbaa24e8518 Mon Sep 17 00:00:00 2001
+From 88c9b2c5cebebf13f90890baebbadc60d9fe8d16 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Tue, 9 Aug 2022 23:57:03 -0700
 Subject: [PATCH] Replace __attribute_malloc__ with __attribute__((__malloc__))
@@ -14,14 +14,28 @@ Upstream-Status: Pending
 
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 ---
- auparse/auparse.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ audisp/plugins/remote/queue.h | 2 +-
+ auparse/auparse.h             | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
 
+diff --git a/audisp/plugins/remote/queue.h b/audisp/plugins/remote/queue.h
+index 36b70d04..031507dc 100644
+--- a/audisp/plugins/remote/queue.h
++++ b/audisp/plugins/remote/queue.h
+@@ -53,7 +53,7 @@ void q_close(struct queue *q);
+  * On error, return NULL and set errno. */
+ struct queue *q_open(int q_flags, const char *path, size_t num_entries,
+ 		     size_t entry_size)
+-	__attribute_malloc__ __attr_dealloc (q_close, 1) __wur;
++	__attribute__((__malloc__)) __attr_dealloc (q_close, 1) __wur;
+ 
+ /* Add DATA to tail of Q. Return 0 on success, -1 on error and set errno. */
+ int q_append(struct queue *q, const char *data);
 diff --git a/auparse/auparse.h b/auparse/auparse.h
-index 5cb7402e..39156eff 100644
+index c27f1ff9..87c52965 100644
 --- a/auparse/auparse.h
 +++ b/auparse/auparse.h
-@@ -54,7 +54,7 @@ typedef void (*auparse_callback_ptr)(auparse_state_t *au,
+@@ -55,7 +55,7 @@ typedef void (*auparse_callback_ptr)(auparse_state_t *au,
  void auparse_destroy(auparse_state_t *au);
  void auparse_destroy_ext(auparse_state_t *au, auparse_destroy_what_t what);
  auparse_state_t *auparse_init(ausource_t source, const void *b)

meta-oe/recipes-security/audit/audit/0002-Add-attribute-declarations.patch

@@ -0,0 +1,35 @@
+From 64cb48e1e5137b8a389c7528e611617a98389bc7 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <ausearch.1@gmail.com>
+Date: Thu, 25 Jan 2024 15:14:51 -0500
+Subject: [PATCH] Add attribute declarations
+
+Upstream-Status: Backport
+[https://github.com/linux-audit/audit-userspace/commit/64cb48e1e5137b8a389c7528e611617a98389bc7]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ audisp/plugins/remote/queue.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/audisp/plugins/remote/queue.h b/audisp/plugins/remote/queue.h
+index 36b70d04..2c70e839 100644
+--- a/audisp/plugins/remote/queue.h
++++ b/audisp/plugins/remote/queue.h
+@@ -1,5 +1,5 @@
+ /* queue.h -- a queue abstraction
+- * Copyright 2009, 2011 Red Hat Inc., Durham, North Carolina.
++ * Copyright 2009, 2011 Red Hat Inc.
+  * All Rights Reserved.
+  *
+  * This library is free software; you can redistribute it and/or
+@@ -25,6 +25,7 @@
+ #define QUEUE_HEADER
+ 
+ #include <sys/types.h>
++#include "common.h"   // attribute decls
+ 
+ struct queue;
+ 
+-- 
+2.25.1
+

meta-oe/recipes-security/audit/audit/auditd.service

@@ -1,28 +0,0 @@
-[Unit]
-Description=Security Auditing Service
-DefaultDependencies=no
-After=local-fs.target systemd-tmpfiles-setup.service
-Before=sysinit.target shutdown.target
-Conflicts=shutdown.target
-ConditionKernelCommandLine=!audit=0
-
-[Service]
-Type=forking
-PIDFile=/run/auditd.pid
-ExecStart=/sbin/auditd
-## To use augenrules, uncomment the next line and comment/delete the auditctl line.
-## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
-#ExecStartPost=-/sbin/augenrules --load
-ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
-# By default we don't clear the rules on exit.
-# To enable this, uncomment the next line.
-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
-
-### Security Settings ###
-MemoryDenyWriteExecute=true
-LockPersonality=true
-ProtectControlGroups=true
-ProtectKernelModules=true
-
-[Install]
-WantedBy=multi-user.target

meta-oe/recipes-security/audit/audit_3.1.2.bb

@@ -1,116 +0,0 @@
-SUMMARY = "User space tools for kernel auditing"
-DESCRIPTION = "The audit package contains the user space utilities for \
-storing and searching the audit records generated by the audit subsystem \
-in the Linux kernel."
-HOMEPAGE = "http://people.redhat.com/sgrubb/audit/"
-SECTION = "base"
-LICENSE = "GPL-2.0-or-later & LGPL-2.0-or-later"
-LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
-
-SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=master;protocol=https \
-           file://0001-Fixed-swig-host-contamination-issue.patch \
-           file://0002-Replace-__attribute_malloc__-with-__attribute__-__ma.patch \
-           file://auditd \
-           file://auditd.service \
-           file://audit-volatile.conf \
-"
-
-S = "${WORKDIR}/git"
-SRCREV = "572eb7d4fe926e7c1c52166d08e78af54877cbc5"
-
-inherit autotools python3targetconfig update-rc.d systemd
-
-UPDATERCPN = "auditd"
-INITSCRIPT_NAME = "auditd"
-INITSCRIPT_PARAMS = "defaults"
-
-SYSTEMD_PACKAGES = "auditd"
-SYSTEMD_SERVICE:auditd = "auditd.service"
-
-DEPENDS = "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native python3-setuptools-native"
-
-EXTRA_OECONF = " --with-libwrap \
-        --enable-gssapi-krb5=no \
-        --with-libcap-ng=yes \
-        --with-python3=yes \
-        --libdir=${base_libdir} \
-        --sbindir=${base_sbindir} \
-        --without-python \
-        --without-golang \
-        --disable-zos-remote \
-        --with-arm=yes \
-        --with-aarch64=yes \
-        "
-
-EXTRA_OEMAKE = "PYLIBVER='python${PYTHON_BASEVERSION}' \
-	PYINC='${STAGING_INCDIR}/$(PYLIBVER)' \
-	pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \
-	STDINC='${STAGING_INCDIR}' \
-	pkgconfigdir=${libdir}/pkgconfig \
-	"
-
-SUMMARY:audispd-plugins = "Plugins for the audit event dispatcher"
-DESCRIPTION:audispd-plugins = "The audispd-plugins package provides plugins for the real-time \
-interface to the audit system, audispd. These plugins can do things \
-like relay events to remote machines or analyze events for suspicious \
-behavior."
-
-PACKAGES =+ "audispd-plugins"
-PACKAGES += "auditd ${PN}-python"
-
-FILES:${PN} = "${sysconfdir}/libaudit.conf ${base_libdir}/libaudit.so.1* ${base_libdir}/libauparse.so.*"
-FILES:auditd = "${bindir}/* ${base_sbindir}/* ${sysconfdir}/* ${datadir}/audit/*"
-FILES:audispd-plugins = "${sysconfdir}/audit/audisp-remote.conf \
-	${sysconfdir}/audit/plugins.d/au-remote.conf \
-	${sysconfdir}/audit/plugins.d/syslog.conf \
-	${base_sbindir}/audisp-remote \
-	${base_sbindir}/audisp-syslog \
-	${localstatedir}/spool/audit \
-	"
-FILES:${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
-FILES:${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
-
-CONFFILES:auditd = "${sysconfdir}/audit/audit.rules"
-
-do_configure:prepend() {
-	sed -e 's|buf\[];|buf[0];|g'  ${STAGING_INCDIR}/linux/audit.h > ${S}/lib/audit.h
-	sed -i -e 's|#include <linux/audit.h>|#include "audit.h"|g' ${S}/lib/libaudit.h
-}
-
-do_install:append() {
-	sed -i -e 's|#include "audit.h"|#include <linux/audit.h>|g' ${D}${includedir}/libaudit.h
-
-	rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.a
-	rm -f ${D}/${libdir}/python${PYTHON_BASEVERSION}/site-packages/*.la
-
-	# reuse auditd config
-	[ ! -e ${D}/etc/default ] && mkdir ${D}/etc/default
-	mv ${D}/etc/sysconfig/auditd ${D}/etc/default
-	rmdir ${D}/etc/sysconfig/
-
-	# replace init.d
-	install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd
-	rm -rf ${D}/etc/rc.d
-
-	if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
-		# install systemd unit files
-		install -d ${D}${systemd_unitdir}/system
-		install -m 0644 ${WORKDIR}/auditd.service ${D}${systemd_unitdir}/system
-
-		install -d ${D}${sysconfdir}/tmpfiles.d/
-		install -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/
-	fi
-
-	# audit-2.5 doesn't install any rules by default, so we do that here
-	mkdir -p ${D}/etc/audit ${D}/etc/audit/rules.d
-	cp ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules
-
-	chmod 750 ${D}/etc/audit ${D}/etc/audit/rules.d
-	chmod 640 ${D}/etc/audit/auditd.conf ${D}/etc/audit/rules.d/audit.rules
-
-	# Based on the audit.spec "Copy default rules into place on new installation"
-	cp ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules
-
-	# Create /var/spool/audit directory for audisp-remote
-	install -m 0700 -d ${D}${localstatedir}/spool/audit
-}

meta-oe/recipes-security/audit/audit_4.0.bb

@@ -0,0 +1,103 @@
+SUMMARY = "User space tools for kernel auditing"
+DESCRIPTION = "The audit package contains the user space utilities for \
+storing and searching the audit records generated by the audit subsystem \
+in the Linux kernel."
+HOMEPAGE = "http://people.redhat.com/sgrubb/audit/"
+SECTION = "base"
+LICENSE = "GPL-2.0-or-later & LGPL-2.0-or-later"
+LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f"
+
+SRC_URI = "git://github.com/linux-audit/${BPN}-userspace.git;branch=master;protocol=https \
+           file://0001-Fixed-swig-host-contamination-issue.patch \
+           file://0002-Add-attribute-declarations.patch \
+           file://auditd \
+           file://audit-volatile.conf \
+          "
+
+SRC_URI:append:libc-musl = " file://0001-Replace-__attribute_malloc__-with-__attribute__-__ma.patch"
+
+S = "${WORKDIR}/git"
+SRCREV = "ae7d2830391c1115cebff6340ef3130b1b03ce45"
+
+inherit autotools python3targetconfig update-rc.d systemd
+
+UPDATERCPN = "auditd"
+INITSCRIPT_NAME = "auditd"
+INITSCRIPT_PARAMS = "defaults"
+
+SYSTEMD_PACKAGES = "auditd"
+SYSTEMD_SERVICE:auditd = "auditd.service audit-rules.service"
+
+DEPENDS = "python3 tcp-wrappers libcap-ng linux-libc-headers swig-native python3-setuptools-native coreutils-native"
+
+EXTRA_OECONF = " \
+        --with-libwrap \
+        --with-libcap-ng \
+        --with-python3 \
+        --with-arm \
+        --with-aarch64 \
+        --without-golang \
+        --disable-gssapi-krb5 \
+        --disable-zos-remote \
+        --sbindir=${base_sbindir} \
+        "
+
+EXTRA_OEMAKE = " \
+        PYTHON=python3 \
+        pythondir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \
+        pyexecdir=${libdir}/python${PYTHON_BASEVERSION}/site-packages \
+        STDINC='${STAGING_INCDIR}' \
+        "
+
+SUMMARY:audispd-plugins = "Plugins for the audit event dispatcher"
+DESCRIPTION:audispd-plugins = "The audispd-plugins package provides plugins for the real-time \
+interface to the audit system, audispd. These plugins can do things \
+like relay events to remote machines or analyze events for suspicious \
+behavior."
+
+PACKAGES =+ "audispd-plugins"
+PACKAGES += "auditd ${PN}-python"
+
+FILES:${PN} = "${sysconfdir}/libaudit.conf ${libdir}/libau*.so.*"
+FILES:auditd = "${bindir}/* ${base_sbindir}/* ${sysconfdir}/* ${datadir}/audit-rules/* ${libexecdir}/*"
+FILES:audispd-plugins = "${sysconfdir}/audit/audisp-remote.conf \
+        ${sysconfdir}/audit/plugins.d/au-remote.conf \
+        ${sysconfdir}/audit/plugins.d/syslog.conf \
+        ${base_sbindir}/audisp-remote \
+        ${base_sbindir}/audisp-syslog \
+        ${localstatedir}/spool/audit \
+        "
+FILES:${PN}-dbg += "${libdir}/python${PYTHON_BASEVERSION}/*/.debug"
+FILES:${PN}-python = "${libdir}/python${PYTHON_BASEVERSION}"
+
+CONFFILES:auditd = "${sysconfdir}/audit/audit.rules"
+
+do_configure:prepend() {
+    sed -e 's|buf\[];|buf[0];|g'  ${STAGING_INCDIR}/linux/audit.h > ${S}/lib/audit.h
+    sed -i -e 's|#include <linux/audit.h>|#include "audit.h"|g' ${S}/lib/libaudit.h
+}
+
+do_install:append() {
+    sed -i -e 's|#include "audit.h"|#include <linux/audit.h>|g' ${D}${includedir}/libaudit.h
+
+    # Install default rules
+    install -d -m 750 ${D}/etc/audit
+    install -d -m 750 ${D}/etc/audit/rules.d
+
+    install -m 0640 ${S}/rules/10-base-config.rules ${D}/etc/audit/rules.d/audit.rules
+
+    # Based on the audit.spec "Copy default rules into place on new installation"
+    install -m 0640 ${D}/etc/audit/rules.d/audit.rules ${D}/etc/audit/audit.rules
+
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+        install -D -m 0644 ${WORKDIR}/audit-volatile.conf ${D}${sysconfdir}/tmpfiles.d/audit.conf
+    fi
+
+    if ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then
+        install -D -m 0755 ${WORKDIR}/auditd ${D}/etc/init.d/auditd
+        rm -rf ${D}${libdir}/systemd
+    fi
+
+    # Create /var/spool/audit directory for audisp-remote
+    install -d -m 0700 ${D}${localstatedir}/spool/audit
+}