audit: 4.1.0 -> 4.1.1, enable uring support and bash completions

[LordGrimmauld]

Release notes: https://github.com/linux-audit/audit-userspace/releases/tag/v4.1.1

The goal is to eventually run the audit-testsuite, which also requires io_uring support.

Things done

• Built on platform:
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• Tested, as applicable:
  • NixOS tests in nixos/tests.
  • Package tests at passthru.tests.
  • Tests in lib/tests or pkgs/test for functions and "core" functionality.
• Ran nixpkgs-review on this PR. See nixpkgs-review usage.
• Tested basic functionality of all binary files, usually in ./result/bin/.
• Nixpkgs Release Notes
  • Package update: when the change is major or breaking.
• NixOS Release Notes
  • Module addition: when adding a new NixOS module.
  • Module update: when the change is significant.
• Fits CONTRIBUTING.md, pkgs/README.md, maintainers/README.md and other READMEs.

---

Add a 👍 reaction to pull requests you find important.

[LordGrimmauld]

Hmm, seems there are new musl issues:

audit> libaudit.c: In function 'get_progname':
audit> libaudit.c:130:42: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
audit>   130 |                         strcpy(progname, basename(progname));
audit>       |                                          ^~~~~~~~
audit> libaudit.c:130:42: error: passing argument 2 of 'strcpy' makes pointer from integer without a cast [-Wint-conversion]
audit>   130 |                         strcpy(progname, basename(progname));
audit>       |                                          ^~~~~~~~~~~~~~~~~~
audit>       |                                          |
audit>       |                                          int

I'll investigate.

[LordGrimmauld]

Okay, fixed the musl build, proposed the fix upstream in linux-audit/audit-userspace#491

[LordGrimmauld]

I'll bump this to an unstable build once linux-audit/audit-userspace#492 is merged. Then we can make use of --runstatedir and --disable-legacy-actions.

[LordGrimmauld]

After the README updates upstream, i decided its probably best for now to keep the legacy scripts for people that are interested in compliance. I plan to remove them once i figured out a way to log who triggers systemctl commands. Systemd is already aware of who tries to do systemctl stuff, and it knows about audit. I imagine we could just add a piece of code that logs an audit entry whenever someone tries something funny. But that is a project for future me.

[LordGrimmauld]

Actually hold on, the legacy scripts point to /sbin/auditctl, so they never worked to begin with. We should just remove them, seems absolutely no one uses them or there'd have been a bug report about that.

[nikstur]

On a FHS distro, they are also by default in libexec, so I don't know who uses them anyways. I agree, they should be removed and if you really care about this, you should just execute the shutdown yourself with auditctl --signal.

[nikstur]

nit: I don't think this is necessarily the right spot to put this kind of information. Probably better suited for the NixOS manual.

[nikstur]

It would be awesome if we could add a disallowedRequisites to the lib output so that we won't silently reintroduce bash. Thinking of this basically (not a blocker for this PR ofc):

+  __structuredAttrs = true;
+
+  outputChecks.lib.disallowedRequisites = [
+    bash
+    bashNonInteractive
+  ];

[nikstur]

Commits should be squashed (at least 93e320bc1bffd985bbe33bfa311498f05f7a6dd1 and 8e6df209b2c3ec6c8ca79c4bd0bbce3db3340edd)

[LordGrimmauld]

Alright, squashed and explicitly disallowed bash, this should be good then.

[nikstur]

Awesome, thank you!