audit: add patch to allow 0555 permissions #96626
Conversation
cc @copumpkin @lihop
@GrahamcOfBorg build audit
@zowoq partially related to our container work. Auditd seems to be the only way to log security/permission issues together with containers.
@@ -36,7 +36,7 @@ stdenv.mkDerivation rec { | |||
# TODO: Remove the musl patches when | |||
# https://github.com/linux-audit/audit-userspace/pull/25 | |||
# is available with the next release. | |||
patches = stdenv.lib.optional stdenv.hostPlatform.isMusl [ | |||
patches = [ ./allowed-permissions.patch ] ++ stdenv.lib.optional stdenv.hostPlatform.isMusl [ |
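Review bot: the `# TODO: Remove the musl patches when ... is available with the next release.` comment now sits directly above a `patches` list whose first element is `./allowed-permissions.patch`, so it reads as if the TODO and the linked audit-userspace PR #25 apply to the new patch as well. Move the musl comment inside the `stdenv.lib.optional stdenv.hostPlatform.isMusl [ ... ]` branch it actually describes, and give `./allowed-permissions.patch` its own comment stating what it relaxes (the dispatcher permission check described in the PR motivation, so that a 0555 Nix store binary is accepted) and linking the upstream issue or PR, so a future maintainer knows when the patch can be dropped.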
Could you add a comment explaining the patch, ideally linking to a relevant upstream issue?
It would also be nice to move the musl comment inside the musl conditional to make it easier to see what it refers to.
Did add a comment and reformatted the section.
Could you also clarify whether there is an upstream issue or pull request?
This still doesn't seem resolved.
I don't think that there is any PR for linux-audit.
Is there an issue at least? How will upstream learn we have this problem?
I created a PR for audit there: linux-audit/audit-userspace#138
I'm not sure how open they are to contributions like this, so let's see.
Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Can you please target staging with this mass rebuild?
Yep, sure, changed it to target
I marked this as stale due to inactivity.
Motivation for this change
When configuring the dispatcher like this in /etc/audit/auditd.conf:
Then it would complain that the permissions are not valid for the binary. This is now fixed with the added patch.
Things done
- sandbox (nix.conf, on non-NixOS linux)
- nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- ./result/bin/
- nix path-info -S (before and after)