File _service:tar_scm:backport-Avoid-file-descriptor-leaks-in-multi-threaded-applic.patch of Package audit
From 2663987c5088924bce510fcf8e7891d6aae976ba Mon Sep 17 00:00:00 2001
From: cgzones <cgzones@googlemail.com>
Date: Sat, 4 Nov 2023 03:48:39 +0100
Subject: [PATCH] Avoid file descriptor leaks in multi-threaded applications (#339)
* lib: set close-on-exec flag
libaudit may be called from a multi-threaded application. Avoid leaking local file descriptors on a concurrent execve.
* lib: simplify SOCK_CLOEXEC
SOCK_CLOEXEC is supported since Linux 2.6.27.
Reference:https://github.com/linux-audit/audit-userspace/commit/2663987c5088924bce510fcf8e7891d6aae976ba
Conflict:lib/audit_logging.c,lib/netlink.c,lib/libaudit.c
---
 lib/audit_logging.c | 2 +-
 lib/libaudit.c | 14 +++++++-------
 lib/netlink.c | 12 +-----------
 3 files changed, 9 insertions(+), 19 deletions(-)
diff --git a/lib/audit_logging.c b/lib/audit_logging.c
index 302c242..08b53aa 100644
--- a/lib/audit_logging.c
+++ b/lib/audit_logging.c
@@ -177,7 +177,7 @@ static char *_get_commname(const char *comm, char *commname, unsigned int size)
 if (comm == NULL) {
 int len;
- int fd = open("/proc/self/comm", O_RDONLY);
+ int fd = open("/proc/self/comm", O_RDONLY|O_CLOEXEC);
 if (fd < 0) {
 strcpy(commname, "\"?\"");
 return commname;
diff --git a/lib/libaudit.c b/lib/libaudit.c
index 2cc7afd..74fa2f3 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -221,7 +221,7 @@ static int load_libaudit_config(const char *path)
 char buf[128];
 /* open the file */
- rc = open(path, O_NOFOLLOW|O_RDONLY);
+ rc = open(path, O_NOFOLLOW|O_RDONLY|O_CLOEXEC);
 if (rc < 0) {
 if (errno != ENOENT) {
 audit_msg(LOG_ERR, "Error opening %s (%s)",
@@ -261,7 +261,7 @@ static int load_libaudit_config(const char *path)
 }
 /* it's ok, read line by line */
- f = fdopen(fd, "rm");
+ f = fdopen(fd, "rme");
 if (f == NULL) {
 audit_msg(LOG_ERR, "Error - fdopen failed (%s)",
 strerror(errno));
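Review bot: The `e` added to `fdopen(fd, "rme")` in the second lib/libaudit.c hunk (@@ -261) has no effect on glibc, whose fopen(3) documents that mode letter as ignored for fdopen(). Close-on-exec for this stream therefore rests on the descriptor having been opened with O_CLOEXEC, which the @@ -221 hunk adds to `open(path, ...)`; the statement that carries `rc` over to `fd` lies between the two hunks and is not visible, so that link is presumed. A comment above the call would stop a later reader from treating the mode letter as the protection: `/* 'e' is ignored by glibc fdopen(); FD_CLOEXEC comes from O_CLOEXEC at open() */`.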
@@ -705,7 +705,7 @@ char *audit_format_signal_info(char *buf, int len, char *op,
 char path[32], ses[16];
 int rlen;
 snprintf(path, sizeof(path), "/proc/%u", rep->signal_info->pid);
- int fd = open(path, O_RDONLY);
+ int fd = open(path, O_RDONLY|O_DIRECTORY|O_CLOEXEC);
 if (fd >= 0) {
 if (fstat(fd, &sb) < 0)
 sb.st_uid = -1;
@@ -714,7 +714,7 @@ char *audit_format_signal_info(char *buf, int len, char *op,
 sb.st_uid = -1;
 snprintf(path, sizeof(path), "/proc/%u/sessionid",
 rep->signal_info->pid);
- fd = open(path, O_RDONLY, rep->signal_info->pid);
+ fd = open(path, O_RDONLY|O_CLOEXEC, rep->signal_info->pid);
 if (fd < 0)
 strcpy(ses, "4294967295");
 else {
@@ -918,7 +918,7 @@ uid_t audit_getloginuid(void)
 char buf[16];
 errno = 0;
- in = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY);
+ in = open("/proc/self/loginuid", O_NOFOLLOW|O_RDONLY|O_CLOEXEC);
 if (in < 0)
 return -1;
 do {
@@ -946,7 +946,7 @@ int audit_setloginuid(uid_t uid)
 errno = 0;
 count = snprintf(loginuid, sizeof(loginuid), "%u", uid);
- o = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC);
+ o = open("/proc/self/loginuid", O_NOFOLLOW|O_WRONLY|O_TRUNC|O_CLOEXEC);
 if (o >= 0) {
 int block, offset = 0;
@@ -982,7 +982,7 @@ uint32_t audit_get_session(void)
 char buf[16];
 errno = 0;
- in = open("/proc/self/sessionid", O_NOFOLLOW|O_RDONLY);
+ in = open("/proc/self/sessionid", O_NOFOLLOW|O_RDONLY|O_CLOEXEC);
 if (in < 0)
 return -2;
 do {
diff --git a/lib/netlink.c b/lib/netlink.c
index 66a1e7c..f862da4 100644
--- a/lib/netlink.c
+++ b/lib/netlink.c
@@ -47,7 +47,7 @@ static int check_ack(int fd);
 int audit_open(void)
 {
 int saved_errno;
- int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
+ int fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
 if (fd < 0) {
 saved_errno = errno;
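Review bot: The new flags in the @@ -705 hunk of audit_format_signal_info include `O_DIRECTORY`, a behaviour change that the commit message, which speaks only of close-on-exec, does not mention. With it the open fails with ENOTDIR when `/proc/%u` does not resolve to a directory, and the code presumably falls back to the `sb.st_uid = -1;` seen at the top of the @@ -714 hunk. A one-line comment on the call would record the intent, for example `/* O_DIRECTORY: only accept the /proc/<pid> directory itself */`. The function starts and ends outside the hunk.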
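Review bot: The rewritten call in the @@ -714 hunk still passes `rep->signal_info->pid` as a third argument to open(). That argument is the file mode and is consulted only with O_CREAT or O_TMPFILE, so it is ignored here, but it reads as though the pid took part in the open. Since the line is being touched anyway it should become `fd = open(path, O_RDONLY|O_CLOEXEC);`. The pid is already formatted into `path` by the snprintf() two lines above.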
@@ -60,16 +60,6 @@ int audit_open(void)
 "Error opening audit netlink socket (%s)",
 strerror(errno));
 errno = saved_errno;
- return fd;
- }
- if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
- saved_errno = errno;
- audit_msg(LOG_ERR,
- "Error setting audit netlink socket CLOEXEC flag (%s)",
- strerror(errno));
- close(fd);
- errno = saved_errno;
- return -1;
 }
 return fd;
 }
--
2.33.0