Bug#1034060: unblock: aide/0.18.2-1
On Fri, Apr 07, 2023 at 07:34:54PM +0200, Marc Haber wrote:
> I am attaching the upstream diff between 0.18.1 and 0.18.2, pulled apart
> to the respective commits, 273 lines length including commit messages,
> comments and the noise caused by the release.
Forgot the attachment.
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
commit 3d5b18b9e5e1c51533ac01d8acd3499b2f9fcc2e
Author: Hannes von Haugwitz <hannes@vonhaugwitz.com>
Date: Fri Apr 7 16:06:18 2023 +0200
Release aide 0.18.2
commit adc07f01042f327b78e4e787bb0afbbae73d566a
Author: Hannes von Haugwitz <hannes@vonhaugwitz.com>
Date: Mon Apr 3 21:15:05 2023 +0200
Add another missing lock for tree operations
commit d3376eb6523bbae5ee8b8ea32c14355045524e12
Author: Hannes von Haugwitz <hannes@vonhaugwitz.com>
Date: Sat Apr 1 11:21:54 2023 +0200
Add missing lock for tree operations during file system scan
commit 5d46267c5d72bc2263aba76496707490acdb2a28
Author: Hannes von Haugwitz <hannes@vonhaugwitz.com>
Date: Wed Mar 8 20:50:58 2023 +0100
Add warning if rules contain not compiled-in attributes
commit 5d46267c5d72bc2263aba76496707490acdb2a28
Author: Hannes von Haugwitz <hannes@vonhaugwitz.com>
Date: Wed Mar 8 20:50:58 2023 +0100
Add warning if rules contain not compiled-in attributes
diff --git a/ChangeLog b/ChangeLog
index 31ff00c..b6435bf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2023-03-08 Hannes von Haugwitz <hannes@vonhaugwitz.com>
+ * Add warning if rules contain not compiled-in attributes (closes: #153)
+
2023-03-04 Hannes von Haugwitz <hannes@vonhaugwitz.com>
* Release aide 0.18.1
diff --git a/NEWS b/NEWS
index 88ae5af..97db895 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,6 @@
+Version 0.18.2 (UNRELEASED)
+ * Add warning if rules contain not compiled-in attributes
+
Version 0.18.1 (2023-03-04)
* Fix handling of empty growing files
* Fix segfault when using --dry-init
diff --git a/src/commandconf.c b/src/commandconf.c
index 1fcfbaa..e5ef8b9 100644
--- a/src/commandconf.c
+++ b/src/commandconf.c
@@ -338,14 +338,40 @@ bool add_rx_rule_to_tree(char* rx, char* rule_prefix, RESTRICTION_TYPE restricti
r->config_line = checked_strdup(linebuf);
r->prefix = rule_prefix;
+ char *str;
+
DB_ATTR_TYPE unsupported_hashes = attr&(get_hashes(true)&~get_hashes(false));
if (unsupported_hashes) {
- char *str;
LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_WARNING, "ignoring unsupported hash algorithm(s): %s", str = diff_attributes(0, unsupported_hashes));
free(str);
attr &= ~unsupported_hashes;
}
+ DB_ATTR_TYPE unsupported_attrs = attr&
+ (0
+#ifndef WITH_ACL
+ |ATTR(attr_acl)
+#endif
+#ifndef WITH_SELINUX
+ |ATTR(attr_selinux)
+#endif
+#ifndef WITH_XATTR
+ |ATTR(attr_xattrs)
+#endif
+#ifndef WITH_E2FSATTRS
+ |ATTR(attr_e2fsattrs)
+#endif
+#ifndef WITH_CAPABILITIES
+ |ATTR(attr_capabilities)
+#endif
+ )
+ ;
+ if (unsupported_attrs) {
+ LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_WARNING, "ignoring not compiiled-in attribute(s): %s", str = diff_attributes(0, unsupported_attrs));
+ free(str);
+ attr &= ~unsupported_attrs;
+ }
+
r->attr=attr;
if (attr&ATTR(attr_sizeg)) {
log_msg(LOG_LEVEL_NOTICE, "%s:%d: Using 'S' attribute is DEPRECATED and will be removed in the release after next. Update your config and use 'growing+s' instead (line: '%s')", filename, linenumber, linebuf);
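Review bot: The new warning text on L89 misspells "compiled" as "compiiled", and since this string is what operators will grep their logs for it should read `LOG_CONFIG_FORMAT_LINE(LOG_LEVEL_WARNING, "ignoring not compiled-in attribute(s): %s", str = diff_attributes(0, unsupported_attrs));`. Separately, `str` is now declared uninitialised at function scope (L60) and only assigned inside a macro argument on L65 and L89; if LOG_CONFIG_FORMAT_LINE ever skips evaluating its arguments below the active log level (not visible here), the following `free(str)` would free an indeterminate pointer, so assigning `str = diff_attributes(...)` on its own line before the macro call would make both sites robust against that. A short comment above L69 such as `/* attributes whose support is selected at configure time; mask out those not built in */` would explain why the `#ifndef` chain exists. `add_rx_rule_to_tree` starts and ends outside this hunk.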
commit d3376eb6523bbae5ee8b8ea32c14355045524e12
Author: Hannes von Haugwitz <hannes@vonhaugwitz.com>
Date: Sat Apr 1 11:21:54 2023 +0200
Add missing lock for tree operations during file system scan
diff --git a/ChangeLog b/ChangeLog
index b6435bf..80d0366 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2023-04-01 Hannes von Haugwitz <hannes@vonhaugwitz.com>
+ * Add missing lock for tree operations during file system scan
+
2023-03-08 Hannes von Haugwitz <hannes@vonhaugwitz.com>
* Add warning if rules contain not compiled-in attributes (closes: #153)
diff --git a/NEWS b/NEWS
index 97db895..5904559 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,6 @@
Version 0.18.2 (UNRELEASED)
* Add warning if rules contain not compiled-in attributes
+ * Add missing lock for tree operations during file system scan
Version 0.18.1 (2023-03-04)
* Fix handling of empty growing files
diff --git a/src/db_disk.c b/src/db_disk.c
index a1f1606..1bc91bb 100644
--- a/src/db_disk.c
+++ b/src/db_disk.c
@@ -46,6 +46,10 @@
#include <pthread.h>
#endif
+#ifdef WITH_PTHREAD
+pthread_mutex_t seltree_mutex = PTHREAD_MUTEX_INITIALIZER;
+#endif
+
static int get_file_status(char *filename, struct stat *fs) {
int sres = 0;
sres = lstat(filename,fs);
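Review bot: `seltree_mutex` on the new L129 has external linkage but nothing in this commit declares it in a header, so if it only serialises access within db_disk.c it should be `static pthread_mutex_t seltree_mutex = PTHREAD_MUTEX_INITIALIZER;`. If other translation units also read or modify `conf->tree` while the scan threads run, they need the same lock and an `extern` declaration in a shared header would make that visible; which of the two is intended cannot be seen from this hunk. A one-line comment above the definition, e.g. `/* guards every reader and writer of conf->tree while add2tree runs concurrently with scan_dir */`, would state the invariant the later lock sites must uphold. Since the same three-line `#ifdef WITH_PTHREAD` lock/unlock block is repeated at each site in this and the following commit, a pair of small `static inline` helpers or macros in this file would keep the guard in one place.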
@@ -121,7 +125,13 @@ void scan_dir(char *root_path, bool dry_run) {
log_msg(LOG_LEVEL_DEBUG,"scan_dir: process root directory '%s' (fullpath: '%s')", &root_path[conf->root_prefix_length], root_path);
if (!get_file_status(root_path, &fs)) {
+#ifdef WITH_PTHREAD
+ pthread_mutex_lock(&seltree_mutex);
+#endif
match_result match = check_rxtree (&root_path[conf->root_prefix_length], conf->tree, &rule, get_restriction_from_perm(fs.st_mode), "disk");
+#ifdef WITH_PTHREAD
+ pthread_mutex_unlock(&seltree_mutex);
+#endif
if (dry_run) {
print_match(&root_path[conf->root_prefix_length], rule, match, get_restriction_from_perm(fs.st_mode));
}
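Review bot: The lock added around `check_rxtree` on L139-144 protects the tree lookup itself, but `rule`, which `check_rxtree` writes and which presumably points into `conf->tree`, is read by `print_match` on L146 after `pthread_mutex_unlock`; the same pattern applies to the `rule` use after L158 in the next hunk and to `node->path` on L202 in the later commit's hunk. Whether that is a data race depends on whether `add_file_to_tree` in `add2tree` can modify the nodes and rules those pointers reference, which is not visible here; if it can, the unlock should move below the last use of the pointer, and if it cannot, a comment such as `/* rule/node contents are immutable once inserted, so the lock is only needed for the lookup */` would justify releasing early. `scan_dir`'s body starts and ends outside this hunk.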
@@ -152,7 +162,13 @@ void scan_dir(char *root_path, bool dry_run) {
if (!get_file_status(entry_full_path, &fs)) {
rule = NULL;
node = NULL;
+#ifdef WITH_PTHREAD
+ pthread_mutex_lock(&seltree_mutex);
+#endif
match_result match = check_rxtree (&entry_full_path[conf->root_prefix_length], conf->tree, &rule, get_restriction_from_perm(fs.st_mode), "disk");
+#ifdef WITH_PTHREAD
+ pthread_mutex_unlock(&seltree_mutex);
+#endif
switch (match) {
case RESULT_SELECTIVE_MATCH:
if (S_ISDIR(fs.st_mode)) {
@@ -221,7 +237,9 @@ static void * add2tree( __attribute__((unused)) void *arg) {
database_entry *data;
while ((data = queue_ts_dequeue_wait(queue_database_entries, whoami)) != NULL) {
log_msg(LOG_LEVEL_THREAD, "%10s: got line '%s'", whoami, (data->line)->filename);
+ pthread_mutex_lock(&seltree_mutex);
add_file_to_tree(conf->tree, data->line, DB_NEW|DB_DISK, NULL, &data->fs);
+ pthread_mutex_unlock(&seltree_mutex);
free(data);
}
queue_ts_free(queue_database_entries);
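Review bot: `pthread_mutex_lock(&seltree_mutex)` on L166 and the unlock on L168 are not wrapped in `#ifdef WITH_PTHREAD`, unlike every other site in this commit, while the mutex itself is only defined under that guard on L128-130. That compiles only if `add2tree` as a whole is built exclusively with WITH_PTHREAD, which its use of `queue_ts_dequeue_wait` suggests but this hunk does not show; a comment such as `/* add2tree is only compiled WITH_PTHREAD, so no #ifdef around the lock */` would record the assumption, or the guard could be applied for consistency. `add2tree`'s body starts outside the hunk.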
commit adc07f01042f327b78e4e787bb0afbbae73d566a
Author: Hannes von Haugwitz <hannes@vonhaugwitz.com>
Date: Mon Apr 3 21:15:05 2023 +0200
Add another missing lock for tree operations
diff --git a/ChangeLog b/ChangeLog
index 80d0366..86ef681 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2023-04-03 Hannes von Haugwitz <hannes@vonhaugwitz.com>
+ * Add another missing lock for tree operations
+
2023-04-01 Hannes von Haugwitz <hannes@vonhaugwitz.com>
* Add missing lock for tree operations during file system scan
diff --git a/src/db_disk.c b/src/db_disk.c
index 1bc91bb..f76c1ee 100644
--- a/src/db_disk.c
+++ b/src/db_disk.c
@@ -190,7 +190,13 @@ void scan_dir(char *root_path, bool dry_run) {
}
break;
case RESULT_NO_MATCH:
+#ifdef WITH_PTHREAD
+ pthread_mutex_lock(&seltree_mutex);
+#endif
node = get_seltree_node(conf->tree, &entry_full_path[conf->root_prefix_length]);
+#ifdef WITH_PTHREAD
+ pthread_mutex_unlock(&seltree_mutex);
+#endif
if(S_ISDIR(fs.st_mode) && node) {
log_msg(log_level, "scan_dir: add child directory '%s' to scan stack (reason: existing tree node '%s' (%p))", &entry_full_path[conf->root_prefix_length], node->path, node);
free_entry_full_path = false;
commit 3d5b18b9e5e1c51533ac01d8acd3499b2f9fcc2e
Author: Hannes von Haugwitz <hannes@vonhaugwitz.com>
Date: Fri Apr 7 16:06:18 2023 +0200
Release aide 0.18.2
diff --git a/ChangeLog b/ChangeLog
index 86ef681..82d4e90 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,6 @@
+2023-04-07 Hannes von Haugwitz <hannes@vonhaugwitz.com>
+ * Release aide 0.18.2
+
2023-04-03 Hannes von Haugwitz <hannes@vonhaugwitz.com>
* Add another missing lock for tree operations
diff --git a/NEWS b/NEWS
index 5904559..cd87f52 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,4 @@
-Version 0.18.2 (UNRELEASED)
+Version 0.18.2 (2023-04-07)
* Add warning if rules contain not compiled-in attributes
* Add missing lock for tree operations during file system scan
diff --git a/README b/README
index af29747..a67a57f 100644
--- a/README
+++ b/README
@@ -1,7 +1,7 @@
AIDE - Advanced Intrusion Detection Environment
-------------------------------------------------
- Version 0.18.1
+ Version 0.18.2
This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
diff --git a/doc/aide.1 b/doc/aide.1
index 11f4251..c9e1398 100644
--- a/doc/aide.1
+++ b/doc/aide.1
@@ -1,4 +1,4 @@
-.TH AIDE 1 "2023-03-04" "aide v0.18.1" "User Commands"
+.TH AIDE 1 "2023-04-07" "aide v0.18.2" "User Commands"
.SH NAME
\fBaide\fP \- Advanced Intrusion Detection Environment
.SH SYNOPSIS
diff --git a/doc/aide.conf.5 b/doc/aide.conf.5
index 185a71d..ea39a6f 100644
--- a/doc/aide.conf.5
+++ b/doc/aide.conf.5
@@ -1,4 +1,4 @@
-.TH AIDE.CONF 5 "2023-03-04" "aide v0.18.1" "AIDE"
+.TH AIDE.CONF 5 "2023-04-07" "aide v0.18.2" "AIDE"
.SH NAME
aide.conf - The configuration file for Advanced Intrusion Detection
Environment