[audit] Fix clone syscall interpretation

Steve Grubb sgrubb at fedoraproject.org
Thu Mar 21 12:29:13 UTC 2013


commit 27e2c9cf8d92870f2fd3bd5146b3c18c72989446
Author: Steve <sgrubb at redhat.com>
Date:   Thu Mar 21 08:28:54 2013 -0400

    Fix clone syscall interpretation

 audit-2.2.4-clone.patch |   69 +++++++++++++++++++++++++++++++++++++++++++++++
 audit.spec              |    7 ++++-
 2 files changed, 75 insertions(+), 1 deletions(-)
---
diff --git a/audit-2.2.4-clone.patch b/audit-2.2.4-clone.patch
new file mode 100644
index 0000000..2f3e813
--- /dev/null
+++ b/audit-2.2.4-clone.patch
@@ -0,0 +1,69 @@
+diff -urp audit-2.2.3/auparse/interpret.c audit-2.2.4/auparse/interpret.c
+--- audit-2.2.3/auparse/interpret.c	2013-03-19 16:28:53.000000000 -0400
++++ audit-2.2.4/auparse/interpret.c	2013-03-20 17:09:31.000000000 -0400
+@@ -1339,6 +1339,8 @@ static const char *print_a0(const char *
+ 			return print_dirfd(val);
+ 		else if (strcmp(sys, "futimensat") == 0)
+ 			return print_dirfd(val);
++		else if (strcmp(sys, "clone") == 0)
++			return print_clone_flags(val);
+ 		else if (strcmp(sys, "unshare") == 0)
+ 			return print_clone_flags(val);
+ 	}
+@@ -1441,8 +1443,6 @@ static const char *print_a2(const char *
+ 			return print_prot(val, 0);
+                 else if (strcmp(sys, "socket") == 0)
+ 			return print_socket_proto(val);
+-		else if (strcmp(sys, "clone") == 0)
+-			return print_clone_flags(val);
+                 else if (strcmp(sys, "recvmsg") == 0)
+ 			return print_recv(val);
+ 		else if (strcmp(sys, "linkat") == 0)
+diff -urp audit-2.2.3/contrib/stig.rules audit-2.2.4/contrib/stig.rules
+--- audit-2.2.3/contrib/stig.rules	2013-03-19 16:28:53.000000000 -0400
++++ audit-2.2.4/contrib/stig.rules	2013-03-20 17:09:31.000000000 -0400
+@@ -177,8 +177,8 @@
+ #-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
+ 
+ ## Optional - log container creation  
+-#-a always,exit -F arch=b32 -S clone -F a2&2080505856 -k container-create
+-#-a always,exit -F arch=b64 -S clone -F a2&2080505856 -k container-create
++#-a always,exit -F arch=b32 -S clone -F a0&2080505856 -k container-create
++#-a always,exit -F arch=b64 -S clone -F a0&2080505856 -k container-create
+ 
+ ## Optional - watch for containers that may change their configuration 
+ #-a always,exit -F arch=b32 -S setns -S unshare -k container-config
+diff -urp audit-2.2.3/docs/auditctl.8 audit-2.2.4/docs/auditctl.8
+--- audit-2.2.3/docs/auditctl.8	2013-03-19 16:28:53.000000000 -0400
++++ audit-2.2.4/docs/auditctl.8	2013-03-20 17:09:31.000000000 -0400
+@@ -63,6 +63,9 @@ Report the kernel's audit subsystem stat
+ .BI \-t
+ Trim the subtrees after a mount command.
+ .TP
++.BI \-v
++Print the version of auditctl.
++.TP
+ .BI \-a\  [ list,action | action,list ]
+ Append rule to the end of \fIlist\fP with \fIaction\fP. Please note the comma separating the two values. Omitting it will cause errors. The fields may be in either order. It could be list,action or action,list. The following describes the valid \fIlist\fP names:
+ .RS
+diff -urp audit-2.2.3/src/ausearch-report.c audit-2.2.4/src/ausearch-report.c
+--- audit-2.2.3/src/ausearch-report.c	2013-03-19 16:28:53.000000000 -0400
++++ audit-2.2.4/src/ausearch-report.c	2013-03-20 17:09:31.000000000 -0400
+@@ -1723,6 +1723,8 @@ static void print_a0(const char *val)
+ 			return print_dirfd(val);
+ 		else if (strcmp(sys, "futimensat") == 0)
+ 			return print_dirfd(val);
++		else if (strcmp(sys, "clone") == 0)
++			return print_clone(val);
+ 		else if (strcmp(sys, "unshare") == 0)
+ 			return print_clone(val);
+ 		else goto normal;
+@@ -1799,8 +1801,6 @@ static void print_a2(const char *val)
+ 			return print_prot(val, 0);
+ 		else if (strcmp(sys, "socket") == 0)
+ 			return print_socket_proto(val);
+-		else if (strcmp(sys, "clone") == 0)
+-			return print_clone(val);
+ 		else if (strcmp(sys, "recvmsg") == 0)
+ 			print_recv(val);
+ 		else if (strcmp(sys, "linkat") == 0)
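Review bot: The new `clone` dispatch added to print_a0 in both interpret.c and ausearch-report.c selects print_clone_flags/print_clone on the syscall name alone, with no look at the record's arch/machine, yet the raw clone() argument order is architecture-specific: flags are a0 on x86 b32/b64, but clone(2) notes that on s390 (and cris) child_stack comes first and flags second, so on those machines a0 would be decoded as clone flags and the relocated stig rule `-F a0&2080505856` would not match. If only x86 is in scope, that assumption should at least be recorded next to the optional container-create rules, whose mask is otherwise an undocumented magic number; I would add `## 2080505856 == 0x7C020000 == CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET; clone() flags are a0 on x86 (a1 on s390, see clone(2))` above them. Otherwise the interpreter should pick a0 vs a1 from the record's arch before calling the flag printer. The auditctl.8 `-v` text is unrelated to the clone fix and would be easier to track as its own patch. print_a0 and print_a2 in both files start and end outside this hunk.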
diff --git a/audit.spec b/audit.spec
index a27b19a..82189a8 100644
--- a/audit.spec
+++ b/audit.spec
@@ -6,11 +6,12 @@
 Summary: User space tools for 2.6 kernel auditing
 Name: audit
 Version: 2.2.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
+Patch1: audit-2.2.4-clone.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: swig python-devel
 BuildRequires: tcp_wrappers-devel krb5-devel libcap-ng-devel
@@ -89,6 +90,7 @@ behavior.
 
 %prep
 %setup -q
+%patch1 -p1
 
 %build
 %configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes --with-prelude --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes --with-armeb \
@@ -267,6 +269,9 @@ fi
 %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
 
 %changelog
+* Thu Mar 21 2013 Steve Grubb <sgrubb at redhat.com> 2.2.3-2
+- Fix clone syscall interpretation
+
 * Tue Mar 19 2013 Steve Grubb <sgrubb at redhat.com> 2.2.3-1
 - New upstream bugfix release
 

