authorAnderson Torres <torres.anderson.85@protonmail.com>2023-05-20 20:44:20 -0300
committerAnderson Torres <torres.anderson.85@protonmail.com>2023-05-22 18:54:00 -0300
commit7b4c521005a73d5b30f5947467e637e15c5c06a0 (patch)
tree2fa5a3d0dad141943c5e4cba80d86dd836e58ff3 /pkgs/os-specific/linux/audit
parent38ed36c8dc47880c0d429b7bfe22e723a97e01de (diff)
audit: 3.1 -> 3.1.1
Diffstat (limited to 'pkgs/os-specific/linux/audit')
-rw-r--r--pkgs/os-specific/linux/audit/000-fix-static-attribute-malloc.diff (renamed from pkgs/os-specific/linux/audit/fix-static.patch)0
-rw-r--r--pkgs/os-specific/linux/audit/001-ignore-flexible-array.patch35
-rw-r--r--pkgs/os-specific/linux/audit/default.nix98
3 files changed, 91 insertions, 42 deletions
diff --git a/pkgs/os-specific/linux/audit/fix-static.patch b/pkgs/os-specific/linux/audit/000-fix-static-attribute-malloc.diff
index ce76fc3b87a..ce76fc3b87a 100644
--- a/pkgs/os-specific/linux/audit/fix-static.patch
+++ b/pkgs/os-specific/linux/audit/000-fix-static-attribute-malloc.diff
diff --git a/pkgs/os-specific/linux/audit/001-ignore-flexible-array.patch b/pkgs/os-specific/linux/audit/001-ignore-flexible-array.patch
new file mode 100644
index 00000000000..e072cc942cf
--- /dev/null
+++ b/pkgs/os-specific/linux/audit/001-ignore-flexible-array.patch
@@ -0,0 +1,35 @@
+From beed138222421a2eb4212d83cb889404bd7efc49 Mon Sep 17 00:00:00 2001
+From: Sergei Trofimovich <slyich@gmail.com>
+Date: Wed, 23 Mar 2022 07:27:05 +0000
+Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf
+
+As it's a flexible array generated code was never safe to use.
+With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574
+change it's a build failure now:
+
+    audit> audit_wrap.c:5010:15: error: invalid use of flexible array member
+    audit>  5010 |     arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
+    audit>       |               ^
+
+Let's avoid setter generation entirely.
+
+Closes: https://github.com/linux-audit/audit-userspace/issues/252
+---
+ bindings/swig/src/auditswig.i | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
+index 21aafca31..9a2c5661d 100644
+--- a/bindings/swig/src/auditswig.i
++++ b/bindings/swig/src/auditswig.i
+@@ -39,6 +39,10 @@ signed
+ #define __attribute(X) /*nothing*/
+ typedef unsigned __u32;
+ typedef unsigned uid_t;
++/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not:
++ * generating setters against them: https://github.com/swig/swig/issues/1699
++ */
++%ignore audit_rule_data::buf;
+ %include "/usr/include/linux/audit.h"
+ #define __extension__ /*nothing*/
+ %include <stdint.i>
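Review bot: `%ignore audit_rule_data::buf;` hides the whole `buf` member from the generated wrapper, not only its setter as the added comment says, so users of the Python bindings lose read access to it as well. If only the setter is the problem, `%immutable audit_rule_data::buf;` would be the narrower directive, though I have not checked that the generated getter builds against a flexible array member. Because this file is a copy of upstream commit beed138222421a2eb4212d83cb889404bd7efc49, it is better kept byte-identical, with the behaviour noted next to its entry in `patches` in default.nix. The rest of auditswig.i lies outside the hunk.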
diff --git a/pkgs/os-specific/linux/audit/default.nix b/pkgs/os-specific/linux/audit/default.nix
index 34043ce083c..0fd96892013 100644
--- a/pkgs/os-specific/linux/audit/default.nix
+++ b/pkgs/os-specific/linux/audit/default.nix
@@ -1,65 +1,79 @@
-{
-  lib, stdenv, buildPackages, fetchurl, fetchpatch,
-  runCommand,
-  autoreconfHook,
-  autoconf, automake, libtool, bash,
-  # Enabling python support while cross compiling would be possible, but
-  # the configure script tries executing python to gather info instead of
-  # relying on python3-config exclusively
-  enablePython ? stdenv.hostPlatform == stdenv.buildPlatform, python3, swig,
-  linuxHeaders ? stdenv.cc.libc.linuxHeaders
+{ lib
+, stdenv
+, fetchurl
+, fetchpatch
+, autoreconfHook
+, bash
+, buildPackages
+, libtool
+, linuxHeaders
+, python3
+, swig
+
+# Enabling python support while cross compiling would be possible, but the
+# configure script tries executing python to gather info instead of relying on
+# python3-config exclusively
+, enablePython ? stdenv.hostPlatform == stdenv.buildPlatform,
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "audit";
-  version = "3.1";
+  version = "3.1.1";
 
   src = fetchurl {
-    url = "https://people.redhat.com/sgrubb/audit/audit-${version}.tar.gz";
-    sha256 = "sha256-tc882rsnhsCLHeNZmjsaVH5V96n5wesgePW0TPROg3g=";
+    url = "https://people.redhat.com/sgrubb/audit/audit-${finalAttrs.version}.tar.gz";
+    hash = "sha256-RuRrN2I8zgnm7hNOeNZor8NPThyHDIU+8S5BkweM/oc=";
   };
 
+  patches = [
+    ./000-fix-static-attribute-malloc.diff
+    ./001-ignore-flexible-array.patch
+  ];
+
+  postPatch = ''
+    sed -i 's,#include <sys/poll.h>,#include <poll.h>\n#include <limits.h>,' audisp/audispd.c
+    substituteInPlace bindings/swig/src/auditswig.i \
+      --replace "/usr/include/linux/audit.h" \
+                "${linuxHeaders}/include/linux/audit.h"
+  '';
+
   outputs = [ "bin" "dev" "out" "man" ];
 
   strictDeps = true;
-  depsBuildBuild = [ buildPackages.stdenv.cc ];
-  nativeBuildInputs = [ autoreconfHook ]
-    ++ lib.optionals enablePython [ python3 swig ];
-  buildInputs = [ bash ];
+
+  depsBuildBuild = [
+    buildPackages.stdenv.cc
+  ];
+
+  nativeBuildInputs = [
+    autoreconfHook
+  ]
+  ++ lib.optionals enablePython [
+    python3
+    swig
+  ];
+
+  buildInputs = [
+    bash
+  ];
 
   configureFlags = [
-    # z/OS plugin is not useful on Linux,
-    # and pulls in an extra openldap dependency otherwise
+    # z/OS plugin is not useful on Linux, and pulls in an extra openldap
+    # dependency otherwise
     "--disable-zos-remote"
-    (if enablePython then "--with-python" else "--without-python")
     "--with-arm"
     "--with-aarch64"
+    (if enablePython then "--with-python" else "--without-python")
   ];
 
   enableParallelBuilding = true;
-  patches = [
-    ./fix-static.patch
-
-    # Fix pending upstream inclusion for linux-headers-5.17 support:
-    #  https://github.com/linux-audit/audit-userspace/pull/253
-    (fetchpatch {
-      name = "ignore-flexible-array.patch";
-      url = "https://github.com/linux-audit/audit-userspace/commit/beed138222421a2eb4212d83cb889404bd7efc49.patch";
-      sha256 = "1hf02zaxv6x0wmn4ca9fj48y2shks7vfna43i1zz58xw9jq7sza0";
-    })
-  ];
 
-  postPatch = ''
-    sed -i 's,#include <sys/poll.h>,#include <poll.h>\n#include <limits.h>,' audisp/audispd.c
-    substituteInPlace bindings/swig/src/auditswig.i \
-      --replace "/usr/include/linux/audit.h" \
-                "${linuxHeaders}/include/linux/audit.h"
-  '';
   meta = {
-    description = "Audit Library";
     homepage = "https://people.redhat.com/sgrubb/audit/";
-    license = lib.licenses.gpl2;
+    description = "Audit Library";
+    changelog = "https://github.com/linux-audit/audit-userspace/releases/tag/v${finalAttrs.version}";
+    license = lib.licenses.gpl2Plus;
+    maintainers = with lib.maintainers; [ AndersonTorres ];
     platforms = lib.platforms.linux;
-    maintainers = with lib.maintainers; [ ];
   };
-}
+})
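Review bot: The argument list now takes a plain `linuxHeaders` where it used to default to `stdenv.cc.libc.linuxHeaders`, so `postPatch` points auditswig.i at whatever `callPackage` supplies (presumably the top-level attribute) rather than at the headers the libc was built against. That is a behaviour change the version-bump title does not announce, and it may matter for cross or non-glibc builds; unless it is intended, keep `, linuxHeaders ? stdenv.cc.libc.linuxHeaders`. The `patches` list also loses the provenance the old `fetchpatch` carried (pinned URL and hash). A comment such as `# upstream beed138222421a2eb4212d83cb889404bd7efc49, https://github.com/linux-audit/audit-userspace/pull/253` on the `./001-ignore-flexible-array.patch` entry would let a reviewer re-check the vendored copy against upstream.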