NixOS · nikstur · Aug 4, 2025 · Jul 29, 2025 · Jul 31, 2025 · Jul 31, 2025
diff --git a/pkgs/by-name/au/audit/musl.patch b/pkgs/by-name/au/audit/musl.patch
diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix
@@ -4,12 +4,14 @@
   fetchFromGitHub,
   autoreconfHook,
   bash,
+  bashNonInteractive,
   buildPackages,
   linuxHeaders,
   python3,
   swig,
   pkgsCross,
   libcap_ng,
+  installShellFiles,
 
   # Enabling python support while cross compiling would be possible, but the
   # configure script tries executing python to gather info instead of relying on
@@ -21,20 +23,15 @@
 }:
 stdenv.mkDerivation (finalAttrs: {
   pname = "audit";
-  version = "4.1.0";
+  version = "4.1.1-unstable-2025-08-01";
 
   src = fetchFromGitHub {
     owner = "linux-audit";
     repo = "audit-userspace";
-    tag = "v${finalAttrs.version}";
-    hash = "sha256-MWlHaGue7Ca8ks34KNg74n4Rfj8ivqAhLOJHeyE2Q04=";
+    rev = "bee5984843d0b38992a369825a87a65fb54b18fc"; # musl fixes, --disable-legacy-actions and --runstatedir support
+    hash = "sha256-l3JHWEHz2xGrYxEvfCUD29W8xm5llUnXwX5hLymRG74=";
   };
 
-  patches = [
-    # https://github.com/linux-audit/audit-userspace/pull/476
-    ./musl.patch
-  ];
-
   postPatch = ''
     substituteInPlace bindings/swig/src/auditswig.i \
       --replace-fail "/usr/include/linux/audit.h" \
@@ -61,6 +58,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   nativeBuildInputs = [
     autoreconfHook
+    installShellFiles
   ]
   ++ lib.optionals enablePython [
     python3
@@ -76,14 +74,34 @@ stdenv.mkDerivation (finalAttrs: {
     # z/OS plugin is not useful on Linux, and pulls in an extra openldap
     # dependency otherwise
     "--disable-zos-remote"
+    # remove legacy start/stop scripts to remove a bash dependency in $lib
+    # People interested in logging auditd interactions (e.g. for compliance) can start/stop audit using `auditctl --signal`
+    # See also https://github.com/linux-audit/audit-userspace?tab=readme-ov-file#starting-and-stopping-the-daemon
+    "--disable-legacy-actions"
     "--with-arm"
     "--with-aarch64"
+    "--with-io_uring"
+    # allows putting audit files in /run/audit, which removes the requirement
+    # to wait for tmpfiles to set up the /var/run -> /run symlink
+    "--runstatedir=/run"
     # capability dropping, currently mostly for plugins as those get spawned as root
     # see auditd-plugins(5)
     "--with-libcap-ng=yes"
     (if enablePython then "--with-python" else "--without-python")
   ];
 
+  __structuredAttrs = true;
+
+  # lib output is part of the mandatory nixos system closure, so avoid bash here
+  outputChecks.lib.disallowedRequisites = [
+    bash
+    bashNonInteractive
+  ];
+
+  postInstall = ''
+    installShellCompletion --bash init.d/audit.bash_completion
+  '';
+
   enableParallelBuilding = true;
 
   passthru = {
@@ -98,7 +116,7 @@ stdenv.mkDerivation (finalAttrs: {
   meta = {
     homepage = "https://people.redhat.com/sgrubb/audit/";
     description = "Audit Library";
-    changelog = "https://github.com/linux-audit/audit-userspace/releases/tag/v${finalAttrs.version}";
+    changelog = "https://github.com/linux-audit/audit-userspace/releases/tag/v4.1.1";
     license = lib.licenses.gpl2Plus;
     maintainers = with lib.maintainers; [ grimmauld ];
     pkgConfigModules = [