From 010ed2b4524bb51b04aab9858638e54b6201f819 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Sep 03 2012 13:36:31 +0000
Subject: link setuid binaries with full relro (#853158) - add rhost and tty to auditing data in modules (#677664)
---
diff --git a/pam-1.1.6-audit-data.patch b/pam-1.1.6-audit-data.patch
new file mode 100644
index 0000000..c41f513
--- /dev/null
+++ b/pam-1.1.6-audit-data.patch
@@ -0,0 +1,173 @@
+diff -up Linux-PAM-1.1.6/modules/pam_faillock/main.c.audata Linux-PAM-1.1.6/modules/pam_faillock/main.c
+--- Linux-PAM-1.1.6/modules/pam_faillock/main.c.audata 2012-09-03 15:18:19.077405822 +0200
++++ Linux-PAM-1.1.6/modules/pam_faillock/main.c 2012-09-03 15:18:19.082405927 +0200
+@@ -42,6 +42,7 @@
+ #include
+ #include
+ #include
++#include
+ #ifdef HAVE_LIBAUDIT
+ #include
+ #endif
+@@ -142,7 +143,7 @@ do_user(struct options *opts, const char
+ snprintf(buf, sizeof(buf), "faillock reset uid=%u",
+ pwd->pw_uid);
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, NULL, rv == 0);
++ buf, NULL, NULL, ttyname(fileno(stdin)), rv == 0);
+ }
+ close(audit_fd);
+ }
+diff -up Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c.audata Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c
+--- Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c.audata 2012-09-03 15:18:19.077405822 +0200
++++ Linux-PAM-1.1.6/modules/pam_faillock/pam_faillock.c 2012-09-03 15:18:19.083405948 +0200
+@@ -264,6 +264,7 @@ check_tally(pam_handle_t *pamh, struct o
+ if (opts->action != FAILLOCK_ACTION_PREAUTH) { /* do not audit in preauth */
+ char buf[64];
+ int audit_fd;
++ const void *rhost = NULL, *tty = NULL;
+ 
+ audit_fd = audit_open();
+ /* If there is an error & audit support is in the kernel report error */
+@@ -271,9 +272,11 @@ check_tally(pam_handle_t *pamh, struct o
+ errno == EAFNOSUPPORT))
+ return PAM_SYSTEM_ERR;
+ 
++ (void)pam_get_item(pamh, PAM_TTY, &tty);
++ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+ }
+ #endif
+ opts->flags |= FAILLOCK_FLAG_UNLOCKED;
+@@ -378,6 +381,7 @@ write_tally(pam_handle_t *pamh, struct o
+ #ifdef HAVE_LIBAUDIT
+ char buf[64];
+ int audit_fd;
++ const void *tty = NULL, *rhost = NULL;
+ 
+ audit_fd = audit_open();
+ /* If there is an error & audit support is in the kernel report error */
+@@ -385,13 +389,15 @@ write_tally(pam_handle_t *pamh, struct o
+ errno == EAFNOSUPPORT))
+ return PAM_SYSTEM_ERR;
+ 
++ (void)pam_get_item(pamh, PAM_TTY, &tty);
++ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
+ snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid);
+ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+ 
+ if (opts->uid != 0 || (opts->flags & FAILLOCK_FLAG_DENY_ROOT)) {
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+ }
+ close(audit_fd);
+ #endif
+diff -up Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.audata Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c
+--- Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c.audata 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_selinux/pam_selinux.c 2012-09-03 15:18:19.083405948 +0200
+@@ -87,6 +87,7 @@ int send_audit_message(pam_handle_t *pam
+ int audit_fd = audit_open();
+ security_context_t default_raw=NULL;
+ security_context_t selected_raw=NULL;
++ const void *tty = NULL, *rhost = NULL;
+ rc = -1;
+ if (audit_fd < 0) {
+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+@@ -95,6 +96,8 @@ int send_audit_message(pam_handle_t *pam
+ pam_syslog(pamh, LOG_ERR, "Error connecting to audit system.");
+ return rc;
+ }
++ (void)pam_get_item(pamh, PAM_TTY, &tty);
++ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
+ pam_syslog(pamh, LOG_ERR, "Error translating default context.");
+ default_raw = NULL;
+@@ -110,7 +113,7 @@ int send_audit_message(pam_handle_t *pam
+ goto out;
+ }
+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+- msg, NULL, NULL, NULL, success) <= 0) {
++ msg, rhost, NULL, tty, success) <= 0) {
+ pam_syslog(pamh, LOG_ERR, "Error sending audit message.");
+ goto out;
+ }
+diff -up Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c.audata Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c
+--- Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c.audata 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_tally2/pam_tally2.c 2012-09-03 15:20:06.071641000 +0200
+@@ -509,6 +509,7 @@ tally_check (tally_t oldcnt, time_t oldt
+ #ifdef HAVE_LIBAUDIT
+ char buf[64];
+ int audit_fd = -1;
++ const void *rhost = NULL, *tty = NULL;
+ #endif
+ 
+ if ((opts->ctrl & OPT_MAGIC_ROOT) && getuid() == 0) {
+@@ -521,6 +522,8 @@ tally_check (tally_t oldcnt, time_t oldt
+ if ((audit_fd < 0) && !(errno == EINVAL || errno == EPROTONOSUPPORT ||
+ errno == EAFNOSUPPORT))
+ return PAM_SYSTEM_ERR;
++ (void)pam_get_item(pamh, PAM_TTY, &tty);
++ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
+ #endif
+ if (opts->deny != 0 && /* deny==0 means no deny */
+ tally->fail_cnt > opts->deny && /* tally>deny means exceeded */
+@@ -530,7 +533,7 @@ tally_check (tally_t oldcnt, time_t oldt
+ /* First say that max number was hit. */
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+ audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+ }
+ #endif
+ if (uid) {
+@@ -541,7 +544,7 @@ tally_check (tally_t oldcnt, time_t oldt
+ #ifdef HAVE_LIBAUDIT
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+ #endif
+ rv = PAM_SUCCESS;
+ goto cleanup;
+@@ -555,7 +558,7 @@ tally_check (tally_t oldcnt, time_t oldt
+ #ifdef HAVE_LIBAUDIT
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u ", uid);
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+ #endif
+ rv = PAM_SUCCESS;
+ goto cleanup;
+@@ -567,7 +570,7 @@ tally_check (tally_t oldcnt, time_t oldt
+ if (tally->fail_cnt == opts->deny+1) {
+ /* First say that max number was hit. */
+ audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_LOCK, buf,
+- NULL, NULL, NULL, 1);
++ rhost, NULL, tty, 1);
+ }
+ #endif
+ 
+@@ -996,7 +999,7 @@ main( int argc UNUSED, char **argv )
+ int audit_fd = audit_open();
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=%u reset=%hu", uid, cline_reset);
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, NULL, 1);
++ buf, NULL, NULL, ttyname(fileno(stdin)), 1);
+ if (audit_fd >=0)
+ close(audit_fd);
+ #endif
+@@ -1041,7 +1044,7 @@ main( int argc UNUSED, char **argv )
+ int audit_fd = audit_open();
+ snprintf(buf, sizeof(buf), "pam_tally2 uid=all reset=0");
+ audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
+- buf, NULL, NULL, NULL, 1);
++ buf, NULL, NULL, ttyname(fileno(stdin)), 1);
+ if (audit_fd >=0)
+ close(audit_fd);
+ #endif
diff --git a/pam-1.1.6-full-relro.patch b/pam-1.1.6-full-relro.patch
new file mode 100644
index 0000000..30cb79b
--- /dev/null
+++ b/pam-1.1.6-full-relro.patch
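Review bot: The two `main()` hunks of pam_tally2.c at @@ -996 and @@ -1041 start calling `ttyname(fileno(stdin))`, but unlike the pam_faillock/main.c hunk at @@ -42 no `#include` is added for it; if pam_tally2.c does not already include `<unistd.h>` (and `<stdio.h>` for `fileno`), `ttyname` ends up implicitly declared as returning `int`, which truncates the returned pointer on 64-bit builds. In the module hunks (check_tally, write_tally, send_audit_message, tally_check) `rhost` is whatever the calling application stored in `PAM_RHOST` and is handed to `audit_log_user_message` as the `hostname` argument with `addr` left NULL; if the libaudit being built against resolves the hostname to fill in `addr` in that case, this puts a blocking name lookup on the authentication and account paths, which is worth confirming before shipping. Passing a NULL `tty` when stdin is not a terminal is harmless since the previous code already passed NULL there. All of the touched functions begin and end outside the hunks.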
@@ -0,0 +1,31 @@
+diff -up Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am
+--- Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_timestamp/Makefile.am 2012-09-03 15:22:13.735307976 +0200
+@@ -36,7 +36,7 @@ pam_timestamp_la_CFLAGS = $(AM_CFLAGS)
+ pam_timestamp_check_SOURCES = pam_timestamp_check.c
+ pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@
+ pam_timestamp_check_LDADD = $(top_builddir)/libpam/libpam.la
+-pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@
++pam_timestamp_check_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ 
+ hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c
+ hmacfile_LDADD = $(top_builddir)/libpam/libpam.la
+diff -up Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro Linux-PAM-1.1.6/modules/pam_unix/Makefile.am
+--- Linux-PAM-1.1.6/modules/pam_unix/Makefile.am.relro 2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_unix/Makefile.am 2012-09-03 15:21:31.464424910 +0200
+@@ -55,13 +55,13 @@ bigcrypt_LDADD = @LIBCRYPT@
+ unix_chkpwd_SOURCES = unix_chkpwd.c md5_good.c md5_broken.c bigcrypt.c \
+ passverify.c
+ unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
+-unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@
++unix_chkpwd_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
+ 
+ unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
+ passverify.c
+ unix_update_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_update\"
+-unix_update_LDFLAGS = @PIE_LDFLAGS@
++unix_update_LDFLAGS = -Wl,-z,now @PIE_LDFLAGS@
+ unix_update_LDADD = @LIBCRYPT@ @LIBSELINUX@
+ 
+ if ENABLE_REGENERATE_MAN
diff --git a/pam.spec b/pam.spec
index b0b0d8c..eb1858e 100644
--- a/pam.spec
+++ b/pam.spec
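Review bot: `-Wl,-z,now` on its own does not give full RELRO; the GOT only becomes read-only when the linker also receives `-z relro`, so the three `*_LDFLAGS` lines (pam_timestamp_check, unix_chkpwd, unix_update) depend on `-z relro` arriving from the distribution's default LDFLAGS or from `@PIE_LDFLAGS@`, neither of which this hunk shows. If that is not guaranteed by the build, spell it out, e.g. `unix_chkpwd_LDFLAGS = -Wl,-z,relro,-z,now @PIE_LDFLAGS@`, and likewise for the other two targets. A one-line comment above each changed assignment would also help the next maintainer, e.g. `# setuid helper: resolve all symbols at load time so the GOT can be mapped read-only (full RELRO)`.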
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.1.6
-Release: 1%{?dist}
+Release: 2%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -38,6 +38,8 @@ Patch10: pam-1.1.3-nouserenv.patch
 Patch11: pam-1.1.3-console-abstract.patch
 Patch12: pam-1.1.3-faillock-screensaver.patch
 Patch13: pam-1.1.5-limits-user.patch
+Patch14: pam-1.1.6-audit-data.patch
+Patch15: pam-1.1.6-full-relro.patch
 # FIPS related - non upstreamable
 Patch20: pam-1.1.5-unix-no-fallback.patch
 # Upstreamed
@@ -116,6 +118,8 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 %patch11 -p1 -b .abstract
 %patch12 -p1 -b .screensaver
 %patch13 -p1 -b .limits
+%patch14 -p1 -b .audata
+%patch15 -p1 -b .relro
 %patch20 -p1 -b .no-fallback
 %patch21 -p1 -b .empty
 %patch22 -p1 -b .build
@@ -373,6 +377,10 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 %changelog
+* Mon Sep 3 2012 Tomas Mraz 1.1.6-2
+- link setuid binaries with full relro (#853158)
+- add rhost and tty to auditing data in modules (#677664)
+
 * Fri Aug 17 2012 Tomas Mraz - 1.1.6-1
 - new upstream release