Bug 257685

Summary: security/base-audit: patch to allow ignored jails
Product: Ports & Packages
Component: Individual Port(s)
Reporter: Dan Langille <dvl>
Assignee: Dan Langille <dvl>
Status: Closed FIXED
Severity: Affects Only Me
Priority: ---
CC: 000.fbsd, lwhsu
Flags: bugzilla: maintainer-feedback? (000.fbsd)
Version: Latest
Hardware: Any
OS: Any
Attachments:
Description: patch for security_status_baseaudit_jails_ignore; Flags: none

Description Dan Langille freebsd_committer freebsd_triage 2021-08-08 16:16:38 UTC
Created attachment 227018
patch for security_status_baseaudit_jails_ignore

security_status_baseaudit_jails_ignore is a space delimited list of jails
to ignore.

If non-empty, the code iterates over security_status_baseaudit_jails_ignore
to avoid partial matches (i.e. ignore foo.bar, but not foo). If there is a
better way to do that without looping, please let me know.


Example use case: I have jails which purposely are older vulnerable versions for testing.

Comment 1 Li-Wen Hsu freebsd_committer freebsd_triage 2021-08-09 16:07:03 UTC
Submitter is committer.

Comment 2 Miroslav Lachman 2021-08-09 18:11:34 UTC
(In reply to Dan Langille from comment #0)
Should it really be that verbose to print "ignoring jail:" for each ignored jail?

I think it will be better to be silent if the jail is ignored on purpose.

Comment 3 Dan Langille freebsd_committer freebsd_triage 2021-08-09 18:12:25 UTC
(In reply to Miroslav Lachman from comment #2)

It prints out each jail it is processing. Why not print the jails it is ignoring?

Comment 4 Miroslav Lachman 2021-08-09 23:13:23 UTC
(In reply to Dan Langille from comment #3)
You are right, Dan. I already pushed this change to my GitHub
https://github.com/MirLach/freebsd-ports/commit/998ea1a8dbe73bbf14cfde3f69e6aeeb7d57acdb

Go ahead and commit this version 0.5.

Comment 5 commit-hook freebsd_committer freebsd_triage 2021-08-10 02:03:51 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a5bd3edbfb4991f75ec5f2a5580e164f5e977fb4

commit a5bd3edbfb4991f75ec5f2a5580e164f5e977fb4
Author:     Dan Langille <dvl@FreeBSD.org>
AuthorDate: 2021-08-10 02:01:00 +0000
Commit:     Dan Langille <dvl@FreeBSD.org>
CommitDate: 2021-08-10 02:03:29 +0000

    security/base-audit: Add the ability to specify ignored jails

    security_status_baseaudit_jails_ignore is a space delimited list of jails
    to ignore.

    If non-empty, the code iterates over security_status_baseaudit_jails_ignore
    to avoid partial matches (i.e. ignore foo.bar, but not foo). If there is a
    better way to do that without looping, please let me know.

    Example use case: I have jails which purposely are older vulnerable versions
    for testing.

    PR:             257685
    Approved by:    000.fbsd@quip.cz (maintainer)

 security/base-audit/Makefile                              |  2 +-
 security/base-audit/files/405.pkg-base-audit.in (mode +x) | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

Comment 6 Dan Langille freebsd_committer freebsd_triage 2021-08-10 02:04:42 UTC
Committed, thank you. I know I will find this useful, and hope others do too.
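
The exact-match requirement from the description (ignore foo.bar, but not foo), as an added shell example that is not the attached patch or the port's own code: it puts a substring test, which would silently drop jail foo from the audit, beside a whole-word test that needs no loop. The function names and jail names are constructed for illustration.

```sh
#!/bin/sh
# Added example; function names and jail names are constructed.

# Flawed check: substring match against the raw list.
# With "foo.bar" in the list, jail "foo" also matches and would be
# skipped by the audit without anyone having asked for that.
jail_is_ignored_substring() {
    case "$2" in
        *"$1"*) return 0 ;;
    esac
    return 1
}

# Exact-word check without a loop: collapse any run of whitespace to one
# space, pad the list with a space on each side, and look for " name ".
jail_is_ignored() {
    [ -n "$1" ] || return 1        # an empty name never matches
    _list=$(printf '%s' "$2" | tr -s '[:space:]' ' ')
    case " $_list " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Split the running jails ($1) into the ones to audit, reporting each
# ignored jail on stderr so the exclusion stays visible in the output.
jails_to_audit() {
    _out=""
    for _jail in $1; do
        if jail_is_ignored "$_jail" "$2"; then
            echo "ignoring jail: $_jail" >&2
        else
            _out="${_out:+$_out }$_jail"
        fi
    done
    printf '%s\n' "$_out"
}

# Constructed sample: four running jails, two deliberately ignored.
jails_to_audit "foo foo.bar web db" "foo.bar web"
```

The quoted `"$1"` inside the `case` pattern is matched literally, so a dot or other pattern character in a jail name cannot widen the match.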