port of audit to Alpine Linux/MUSL

port of audit to Alpine Linux/MUSL

[Tycho Andersen]

Hi,

I'm interested in creating an audit package for Alpine Linux, which uses MUSL
libc. MUSL doesn't provide some of the GLIBC extensions, so here's some patches
that remove the need for those extensions.

Thoughts welcome,

Tycho

[Please keep me in CC, I'm not on the list]

[PATCH 1/3] auditctl: include headers to make build work with musl

[Tycho Andersen]

technically select is defined in sys/select.h, and `struct timeval`
requires sys/time.h

Signed-off-by: Tycho Andersen <tycho@docker.com>
---
 src/auditctl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/auditctl.c b/src/auditctl.c
index e112b16..11d2dc7 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -32,6 +32,8 @@
 #include <ctype.h>
 #include <unistd.h>
 #include <sys/utsname.h>
+#include <sys/select.h>
+#include <sys/time.h>
 #include <fcntl.h>
 #include <errno.h>
 #include <libgen.h>	/* For basename */
-- 
2.9.3

[PATCH 2/3] auparse: remove use of rawmemchr

[Tycho Andersen]

just iterate over the string instead, it's much simpler and doesn't use a
glibc extension.

Signed-off-by: Tycho Andersen <tycho@docker.com>
---
 auparse/interpret.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/auparse/interpret.c b/auparse/interpret.c
index 1f517d7..57da00c 100644
--- a/auparse/interpret.c
+++ b/auparse/interpret.c
@@ -803,10 +803,9 @@ static const char *print_proctitle(const char *val)
 		size_t len = strlen(val) / 2;
 		const char *end = out + len;
 		char *ptr = out;
-		while ((ptr  = rawmemchr(ptr, '\0'))) {
-			if (ptr >= end)
-				break;
-			*ptr = ' ';
+		while (ptr < end) {
+			if (*ptr == '\0')
+				*ptr = ' ';
 			ptr++;
 		}
 	}
-- 
2.9.3

[PATCH 3/3] all: get rid of strndupa

[Tycho Andersen]

in one case (src/auditd.c) we don't even need to allocate a buffer, in the
other two we do it in two steps to avoid using a non-standard function.

Signed-off-by: Tycho Andersen <tycho@docker.com>
---
 auparse/auparse.c  |  6 ++++--
 src/auditd.c       | 10 +++++-----
 src/ausearch-lol.c |  6 ++++--
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/auparse/auparse.c b/auparse/auparse.c
index 3677ad7..b428330 100644
--- a/auparse/auparse.c
+++ b/auparse/auparse.c
@@ -1096,10 +1096,12 @@ static int extract_timestamp(const char *b, au_event_t *e)
 	int rc = 1;
 
         e->host = NULL;
+
+	tmp = alloca(340);
 	if (*b == 'n')
-		tmp = strndupa(b, 340);
+		tmp = strncpy(tmp, b, 340);
 	else
-		tmp = strndupa(b, 80);
+		tmp = strncpy(tmp, b, 80);
 	ptr = audit_strsplit(tmp);
 	if (ptr) {
 		// Optionally grab the node - may or may not be included
diff --git a/src/auditd.c b/src/auditd.c
index 3f0162d..a1c2c51 100644
--- a/src/auditd.c
+++ b/src/auditd.c
@@ -185,7 +185,7 @@ static void child_handler2( int sig )
 
 static int extract_type(const char *str)
 {
-	const char *tptr, *ptr2, *ptr = str;
+	const char *ptr2, *ptr = str;
 	if (*str == 'n') {
 		ptr = strchr(str+1, ' ');
 		if (ptr == NULL)
@@ -194,12 +194,12 @@ static int extract_type(const char *str)
 	}
 	// ptr should be at 't'
 	ptr2 = strchr(ptr, ' ');
-	// get type=xxx in a buffer
-	tptr = strndupa(ptr, ptr2 - ptr);
+
 	// find =
-	str = strchr(tptr, '=');
-	if (str == NULL)
+	str = strchr(ptr, '=');
+	if (str == NULL || str >= ptr2)
 		return -1; // Malformed - bomb out
+
 	// name is 1 past
 	str++;
 	return audit_name_to_msg_type(str);
diff --git a/src/ausearch-lol.c b/src/ausearch-lol.c
index b1aec06..5d461b0 100644
--- a/src/ausearch-lol.c
+++ b/src/ausearch-lol.c
@@ -135,10 +135,12 @@ static int extract_timestamp(const char *b, event *e)
 	char *ptr, *tmp, *tnode, *ttype;
 
 	e->node = NULL;
+
+	tmp = alloca(340);
 	if (*b == 'n')
-		tmp = strndupa(b, 340);
+		tmp = strncpy(tmp, b, 340);
 	else
-		tmp = strndupa(b, 80);
+		tmp = strncpy(tmp, b, 80);
 	ptr = audit_strsplit(tmp);
 	if (ptr) {
 		// Check to see if this is the node info
-- 
2.9.3