Skip to content

audit: 4.1.0 -> 4.1.1, enable uring support and bash completions#429438

Merged
nikstur merged 5 commits intoNixOS:stagingfrom
LordGrimmauld:audit-uring
Aug 4, 2025
Merged

audit: 4.1.0 -> 4.1.1, enable uring support and bash completions#429438
nikstur merged 5 commits intoNixOS:stagingfrom
LordGrimmauld:audit-uring

Conversation

@LordGrimmauld
Copy link
Contributor

@LordGrimmauld LordGrimmauld commented Jul 29, 2025
edited
Loading

Release notes: https://github.com/linux-audit/audit-userspace/releases/tag/v4.1.1

The goal is to eventually run the audit-testsuite, which also requires io_uring support.

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. labels Jul 29, 2025
@LordGrimmauld LordGrimmauld changed the base branch from master to staging July 29, 2025 19:16
@nixpkgs-ci nixpkgs-ci bot closed this Jul 29, 2025
@nixpkgs-ci nixpkgs-ci bot reopened this Jul 29, 2025
@nixpkgs-ci nixpkgs-ci bot added the 9.needs: reviewer This PR currently has no reviewers requested and needs attention. label Jul 30, 2025
@LordGrimmauld LordGrimmauld mentioned this pull request Jul 30, 2025
Merged
13 tasks
@LordGrimmauld LordGrimmauld changed the title audit: enable uring support, allow symlinked config for ausearch audit: 4.1.0 -> 4.1.1, enable uring support Jul 31, 2025
@LordGrimmauld
Copy link
Contributor Author

LordGrimmauld commented Jul 31, 2025

Hmm, seems there are new musl issues:

audit> libaudit.c: In function 'get_progname':
audit> libaudit.c:130:42: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
audit>   130 |                         strcpy(progname, basename(progname));
audit>       |                                          ^~~~~~~~
audit> libaudit.c:130:42: error: passing argument 2 of 'strcpy' makes pointer from integer without a cast [-Wint-conversion]
audit>   130 |                         strcpy(progname, basename(progname));
audit>       |                                          ^~~~~~~~~~~~~~~~~~
audit>       |                                          |
audit>       |                                          int

I'll investigate.

@LordGrimmauld
Copy link
Contributor Author

LordGrimmauld commented Jul 31, 2025

Okay, fixed the musl build, proposed the fix upstream in linux-audit/audit-userspace#491

@LordGrimmauld LordGrimmauld force-pushed the audit-uring branch 2 times, most recently from 192be61 to 6e81e1a Compare July 31, 2025 19:04
@LordGrimmauld LordGrimmauld changed the title audit: 4.1.0 -> 4.1.1, enable uring support audit: 4.1.0 -> 4.1.1, enable uring support and bash completions Jul 31, 2025
@LordGrimmauld LordGrimmauld mentioned this pull request Aug 1, 2025
Merged
13 tasks
@LordGrimmauld
Copy link
Contributor Author

LordGrimmauld commented Aug 1, 2025

I'll bump this to an unstable build once linux-audit/audit-userspace#492 is merged. Then we can make use of --runstatedir and --disable-legacy-actions.

@LordGrimmauld LordGrimmauld force-pushed the audit-uring branch 2 times, most recently from 36a0e14 to 90263bf Compare August 2, 2025 07:23
LordGrimmauld
LordGrimmauld commented Aug 2, 2025
View reviewed changes
pkgs/by-name/au/audit/package.nix Outdated
Comment on lines 88 to 103
Copy link
Contributor Author

@LordGrimmauld LordGrimmauld Aug 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After the README updates upstream, i decided its probably best for now to keep the legacy scripts for people that are interested in compliance. I plan to remove them once i figured out a way to log who triggers systemctl commands. Systemd is already aware of who tries to do systemctl stuff, and it knows about audit. I imagine we could just add a piece of code that logs an audit entry whenever someone tries something funny. But that is a project for future me.

Copy link
Contributor Author

@LordGrimmauld LordGrimmauld Aug 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually hold on, the legacy scripts point to /sbin/auditctl, so they never worked to begin with. We should just remove them, seems absolutely no one uses them or there'd have been a bug report about that.

Copy link
Contributor

@nikstur nikstur Aug 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On a FHS distro, they are also by default in libexec, so I don't know who uses them anyways. I agree, they should be removed and if you really care about this, you should just execute the shutdown yourself with auditctl --signal.

@LordGrimmauld LordGrimmauld requested a review from nikstur August 2, 2025 07:29
@nixpkgs-ci nixpkgs-ci bot removed the 9.needs: reviewer This PR currently has no reviewers requested and needs attention. label Aug 2, 2025
nikstur
nikstur approved these changes Aug 3, 2025
View reviewed changes
pkgs/by-name/au/audit/package.nix Outdated
Comment on lines +76 to +79
Copy link
Contributor

@nikstur nikstur Aug 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I don't think this is necessarily the right spot to put this kind of information. Probably better suited for the NixOS manual.

@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Aug 3, 2025
@nikstur
Copy link
Contributor

nikstur commented Aug 3, 2025

It would be awesome if we could add a disallowedRequisites to the lib output so that we won't silently reintroduce bash. Thinking of this basically (not a blocker for this PR ofc):

+  __structuredAttrs = true;
+
+  outputChecks.lib.disallowedRequisites = [
+    bash
+    bashNonInteractive
+  ];

@nikstur
Copy link
Contributor

nikstur commented Aug 3, 2025

Commits should be squashed (at least 93e320bc1bffd985bbe33bfa311498f05f7a6dd1 and 8e6df209b2c3ec6c8ca79c4bd0bbce3db3340edd)

@LordGrimmauld
Copy link
Contributor Author

LordGrimmauld commented Aug 3, 2025

Alright, squashed and explicitly disallowed bash, this should be good then.

@nikstur nikstur mentioned this pull request Aug 4, 2025
Closed
@nikstur nikstur merged commit 517a749 into NixOS:staging Aug 4, 2025
24 of 27 checks passed
@nikstur
Copy link
Contributor

nikstur commented Aug 4, 2025

Awesome, thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nikstur nikstur nikstur approved these changes

Assignees

No one assigned

Labels

10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@LordGrimmauld @nikstur