Skip to content

audit: 4.1.1-unstable-2025-08-01 -> 4.1.2, cleanup #441506

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nikstur merged 12 commits into from
Sep 15, 2025
Merged

audit: 4.1.1-unstable-2025-08-01 -> 4.1.2, cleanup #441506

nikstur merged 12 commits into from
Sep 15, 2025

Conversation

@LordGrimmauld
Copy link
Contributor

@LordGrimmauld LordGrimmauld commented Sep 9, 2025

  • Release Notes for 4.1.2: https://github.com/linux-audit/audit-userspace/releases/tag/v4.1.2
  • the default audisp socket path was changed, so the default in nix was adjusted accordingly. This allows removing the dependency on systemd-tmpfiles-setup.service
  • adjusted the audit test to look for the new socket path
  • adjusted opensnitch to use the new socket path
  • set doCheck = true (required patching a #! /usr/bin/env shebang)
  • disabled static build by default (was enabled to allow tests of audit internals to build, but these will now automatically be disabled if static is disabled, thanks to a patch upstream)
  • enabled python bindings on cross, disabled them on static (makes little sense, wouldn't be importable)
  • added audit to the python package set so it can be imported on all python3 versions
  • cleaned up passthru tests
  • added pythonImportsCheckHook

Things done

  • Built on platform:
    • x86_64-linux
    • aarch64-linux
    • aarch64-linux (cross)
    • x86_64-darwin
    • aarch64-darwin
  • Tested, as applicable:
  • Ran nixpkgs-review on this PR. See nixpkgs-review usage.
  • Tested basic functionality of all binary files, usually in ./result/bin/.
  • Nixpkgs Release Notes
    • Package update: when the change is major or breaking.
  • NixOS Release Notes
    • Module addition: when adding a new NixOS module.
    • Module update: when the change is significant.
  • Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

Add a 👍 reaction to pull requests you find important.

@LordGrimmauld LordGrimmauld changed the base branch from master to staging September 9, 2025 16:45
@nixpkgs-ci nixpkgs-ci bot closed this Sep 9, 2025
@nixpkgs-ci nixpkgs-ci bot reopened this Sep 9, 2025
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 6.topic: python Python is a high-level, general-purpose programming language. 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels Sep 9, 2025
@nix-owners nix-owners bot requested review from natsukium and onny September 9, 2025 17:02
nikstur
nikstur approved these changes Sep 10, 2025
View reviewed changes
LordGrimmauld
LordGrimmauld commented Sep 10, 2025
View reviewed changes
@nixpkgs-ci nixpkgs-ci bot added the 12.approvals: 1 This PR was reviewed and approved by one person. label Sep 10, 2025
@LordGrimmauld
audit: 4.1.1-unstable-2025-08-01 -> 4.1.2-unstable-2025-09-06
75271d6 
Release notes: https://github.com/linux-audit/audit-userspace/releases/tag/v4.1.2
@LordGrimmauld
audit: enable checks
ef0f4c0
@LordGrimmauld
audit: disable static by default
7596747
@LordGrimmauld
audit: clean up passthru.tests
c0e0f97
@LordGrimmauld
audit: enable python on cross
211b818 
previously, audit would attempt to execute the hostPlatform python to gather extra info, which broke on cross.
This was fixed upstream in linux-audit/audit-userspace@8f6095a,
so the audit python module just works, even on cross.

Python support is still disabled on static, because the module wouldn't be importable anyways.
@LordGrimmauld
audit: fix augenrules script
d54599d
@LordGrimmauld
python3Packages.audit: init from audit
c98add0
@LordGrimmauld
nixos/audit: rename service to audit-rules-nixos to avoid collisions …
1884f0f 
…with the upstream unit
@LordGrimmauld
nixos/auditd: Use new default socket path
f063f32 
The default path of the audisp socket was chanegd in linux-audit/audit-userspace@4ade146
@LordGrimmauld
nixos/auditd: use upstream unit
7d5e1d9
@LordGrimmauld
opensnitch: allow configuring audit socket path
08e4406
@LordGrimmauld
nixos/opensnitch: add audit socket path option
d4ebfe3
@LordGrimmauld
Copy link
Contributor Author

LordGrimmauld commented Sep 11, 2025

I still need to run testing on this, but i made use of the upstream unit, switched to unstable instead of patch, and cleaned up the opensnitch socket path stuff.

@LordGrimmauld
Copy link
Contributor Author

LordGrimmauld commented Sep 11, 2025

VM and passthru tests all passed on x86_64-linux, running some final tests on aarch64 (opensnitch VM test is known-broken there, on master too) but this looks about ready now

@LordGrimmauld
Copy link
Contributor Author

LordGrimmauld commented Sep 11, 2025

I also opened two PRs upstream to hopefully drop some of the patches done here:
linux-audit/audit-userspace#500
linux-audit/audit-userspace#501

@nikstur
Copy link
Contributor

nikstur commented Sep 14, 2025
edited
Loading

I'm not convinced that it is a particularly good idea to rely more on upstream:

  1. I find the upstream service weird/inferior: why is it set to Type=forking? Type=simple is much better and what the systemd docs suggest to use whenever possible: https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html#PIDFile=
  2. What we currently do to load the rules is superior to augenrules: (a) it's not a script (b) augenrules does something we do not need on NixOS and putting things into /etc is a hack that makes our boot process needlessly bloated. By introducing augenrules we have an unnecessary dependency on bash for using the audit subsystem which I would like to avoid. I suggest we actually drop augenrules instead of trying to fix it.

@LordGrimmauld
Copy link
Contributor Author

LordGrimmauld commented Sep 15, 2025
edited
Loading

  1. Type=simple is in the process of being deprecated. Type=exec might be an option, but imo that consideration should be moved upstream. As it stands, audit writes the pid file unconditionally, even if we do Type=simple: https://github.com/linux-audit/audit-userspace/blob/8ed522ae8ef3313d74b944fadd7d8cc01dc814dd/src/auditd.c#L882
    Further, @arianvp suggested switching to Type=forking and @ElvishJerricco followed up by suggesting to use the upstream unit (in systemd matrix room).
  2. a) yes, and i kept that loading of rules. But augenrules was broken, so fixing it should be an improvement. And it may still be useful (in different context), happy to split it to a $scripts output if necessary (and delete the service we don't use from the package).
  3. b) not quite. This PR does not actually make use of the augenrules-based audit-rules service. In fact we are setting systemd.services.audit-rules.enable = lib.mkDefault false; to disable that service.
  4. About augenrules: augenrules as stand-alone script may still be useful. Not in its current form, but once I made it accept path arguments of where to load/put rules, it may be an interesting script to call not as part of a service, but as part of a nix file writer to generate/collect rules. Our current rule generation is limited in the fact it can only consume and write strings. This means any package providing rule files would inherently require IFD to build the complete audit rule set, and i would rather not rely on this inferior pattern.

@arianvp
Copy link
Member

arianvp commented Sep 15, 2025

Auditd is implemented as a classic self-forking daemon and uses forking for readiness notification that audit logging is setup and working. The contract is that if you order after the audit service that audit logging is working.

With Type=exec and simple you dont get that guarantee

An alternative would be Type=notify but they don't have integration with sd_notify (at the moment).

nikstur
nikstur approved these changes Sep 15, 2025
View reviewed changes
Copy link
Contributor

@nikstur nikstur left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good. Thank you for taking the time to answer my concerns. I'm convinced.

@nikstur nikstur merged commit 950fb49 into NixOS:staging Sep 15, 2025
30 of 31 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nikstur nikstur nikstur approved these changes

@natsukium natsukium Awaiting requested review from natsukium

@onny onny Awaiting requested review from onny

@arianvp arianvp Awaiting requested review from arianvp

Assignees

No one assigned

Labels

6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 6.topic: python Python is a high-level, general-purpose programming language. 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 5001+ This PR causes many rebuilds on Linux and must target the staging branches. 11.by: package-maintainer This PR was created by a maintainer of all the package it changes. 12.approvals: 1 This PR was reviewed and approved by one person.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@LordGrimmauld @nikstur @arianvp