From de242faccadd0d8c6caa9bd0270dbc1920d02e3a Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Fri, 15 Dec 2017 10:16:37 +0000 Subject: [PATCH 1/3] auditd: move config into build.yml Signed-off-by: Ian Campbell --- pkg/auditd/Dockerfile | 2 -- pkg/auditd/build.yml | 9 +++++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/pkg/auditd/Dockerfile b/pkg/auditd/Dockerfile index 5c6027d98..7bdb35c68 100644 --- a/pkg/auditd/Dockerfile +++ b/pkg/auditd/Dockerfile @@ -25,5 +25,3 @@ COPY audit.rules /etc/audit COPY runaudit.sh /usr/bin CMD ["/sbin/tini", "/usr/bin/runaudit.sh"] - -LABEL org.mobyproject.config='{"pid": "host", "binds": ["/var/log:/var/log"], "capabilities": ["CAP_AUDIT_CONTROL", "CAP_AUDIT_READ", "CAP_AUDIT_WRITE", "CAP_SYS_NICE"]}' diff --git a/pkg/auditd/build.yml b/pkg/auditd/build.yml index 82454acfd..3388e2f64 100644 --- a/pkg/auditd/build.yml +++ b/pkg/auditd/build.yml @@ -1,2 +1,11 @@ image: auditd network: true +config: + pid: host + binds: + - /var/log:/var/log + capabilities: + - CAP_AUDIT_CONTROL + - CAP_AUDIT_READ + - CAP_AUDIT_WRITE + - CAP_SYS_NICE From d01f4e97d7361d60684cd6d14426f66e1f6d23ff Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Fri, 15 Dec 2017 10:20:35 +0000 Subject: [PATCH 2/3] Add audit package to mirror. Signed-off-by: Ian Campbell --- tools/alpine/packages | 1 + tools/alpine/versions.aarch64 | 10 ++++++---- tools/alpine/versions.x86_64 | 18 ++++++++++-------- 3 files changed, 17 insertions(+), 12 deletions(-) diff --git a/tools/alpine/packages b/tools/alpine/packages index 0d300913c..67f258660 100644 --- a/tools/alpine/packages +++ b/tools/alpine/packages @@ -4,6 +4,7 @@ alpine-keys apk-tools argp-standalone attr-dev +audit autoconf automake bash diff --git a/tools/alpine/versions.aarch64 b/tools/alpine/versions.aarch64 index c4b11353b..81b5e869b 100644 --- a/tools/alpine/versions.aarch64 +++ b/tools/alpine/versions.aarch64 
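Review bot: The `config:` block added to build.yml grants `pid: host` and four capabilities with no comment saying why each is required, so a later reviewer of this privilege set cannot tell which entries the daemon actually depends on; the JSON label it replaces carried no rationale either, but YAML allows comments where the label could not. I would add a comment above `capabilities:` along the lines of `# CAP_AUDIT_* for the kernel audit netlink socket; CAP_SYS_NICE presumably for auditd's priority boost — confirm against auditd.conf`, and one above `pid: host` stating what host-PID-namespace visibility the daemon needs. The `/var/log:/var/log` bind is the only writable host path this gives the container, so it is worth stating there that the daemon writes only beneath that directory. The same commit's Dockerfile hunk is the pure removal of the old label and needs nothing further.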
@@ -1,13 +1,15 @@ -# linuxkit/alpine:dd9b3a4d8c6c7a21b8457aa3017d06eb97ed731c-arm64 +# linuxkit/alpine:9d29dc154440859d729ba864ffd67bb4c90e630d-arm64 # automatically generated list of installed packages abuild-3.1.0-r3 alpine-baselayout-3.0.5-r2 alpine-keys-2.1-r1 alsa-lib-1.1.4.1-r2 -apk-tools-2.8.1-r1 +apk-tools-2.8.1-r2 argp-standalone-1.3-r2 attr-2.4.47-r6 attr-dev-2.4.47-r6 +audit-2.7.7-r1 +audit-libs-2.7.7-r1 autoconf-2.69-r0 automake-1.15.1-r0 bash-4.4.12-r2 @@ -23,7 +25,7 @@ btrfs-progs-4.13.2-r0 btrfs-progs-dev-4.13.2-r0 btrfs-progs-libs-4.13.2-r0 build-base-0.5-r0 -busybox-1.27.2-r6 +busybox-1.27.2-r7 busybox-initscripts-3.1-r2 bzip2-1.0.6-r6 ca-certificates-20171114-r0 @@ -264,7 +266,7 @@ vim-8.0.1359-r0 wayland-libs-client-1.14.0-r2 wayland-libs-cursor-1.14.0-r2 wayland-libs-server-1.14.0-r2 -wireguard-tools-0.0.20171127-r0 +wireguard-tools-0.0.20171211-r0 wireless-tools-30_pre9-r0 wpa_supplicant-2.6-r8 xfsprogs-4.14.0-r0 diff --git a/tools/alpine/versions.x86_64 b/tools/alpine/versions.x86_64 index 2c6a5a1a3..7f037ed54 100644 --- a/tools/alpine/versions.x86_64 +++ b/tools/alpine/versions.x86_64 @@ -1,13 +1,15 @@ -# linuxkit/alpine:d307c8a386fa3f32cddda9409b9687e191cdd6f1-amd64 +# linuxkit/alpine:4584958639b2378246371fe219f33b270667e22e-amd64 # automatically generated list of installed packages abuild-3.1.0-r3 alpine-baselayout-3.0.5-r2 alpine-keys-2.1-r1 alsa-lib-1.1.4.1-r2 -apk-tools-2.8.1-r1 +apk-tools-2.8.1-r2 argp-standalone-1.3-r2 attr-2.4.47-r6 attr-dev-2.4.47-r6 +audit-2.7.7-r1 +audit-libs-2.7.7-r1 autoconf-2.69-r0 automake-1.15.1-r0 bash-4.4.12-r2 @@ -23,7 +25,7 @@ btrfs-progs-4.13.2-r0 btrfs-progs-dev-4.13.2-r0 btrfs-progs-libs-4.13.2-r0 build-base-0.5-r0 -busybox-1.27.2-r6 +busybox-1.27.2-r7 busybox-initscripts-3.1-r2 bzip2-1.0.6-r6 ca-certificates-20171114-r0 
@@ -116,7 +118,7 @@ libcap-2.25-r1 libcap-ng-0.7.8-r1 libcap-ng-dev-0.7.8-r1 libcom_err-1.43.7-r0 -libcrypto1.0-1.0.2m-r0 +libcrypto1.0-1.0.2n-r0 libcurl-7.57.0-r0 libdrm-2.4.88-r0 libedit-20170329.3.1-r3 @@ -163,7 +165,7 @@ libseccomp-2.3.2-r0 libseccomp-dev-2.3.2-r0 libsmartcols-2.31-r0 libssh2-1.8.0-r2 -libssl1.0-1.0.2m-r0 +libssl1.0-1.0.2n-r0 libstdc++-6.4.0-r5 libtasn1-4.12-r2 libtirpc-1.0.1-r2 @@ -212,8 +214,8 @@ openrc-0.24.1-r4 openssh-keygen-7.5_p1-r7 openssh-server-7.5_p1-r7 openssh-server-common-7.5_p1-r7 -openssl-1.0.2m-r0 -openssl-dev-1.0.2m-r0 +openssl-1.0.2n-r0 +openssl-dev-1.0.2n-r0 opus-1.2.1-r1 ovmf-0.0.20170624-r0 p11-kit-0.23.2-r2 @@ -272,7 +274,7 @@ vim-8.0.1359-r0 wayland-libs-client-1.14.0-r2 wayland-libs-cursor-1.14.0-r2 wayland-libs-server-1.14.0-r2 -wireguard-tools-0.0.20171127-r0 +wireguard-tools-0.0.20171211-r0 wireless-tools-30_pre9-r0 wpa_supplicant-2.6-r8 xfsprogs-4.14.0-r0 From abf0a5d0988d4f7ddd4c53c2c115c6a672789bad Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Fri, 15 Dec 2017 11:05:53 +0000 Subject: [PATCH 3/3] auditd: Use package from alpine 3.7 This was added to alpine since our package was created. Now we have upgraded we can just use the binary. The package contains an auditd.conf but we have a tweak local copy which writes to stdio (which goes to /var/log/auditd.*.log already). The package doesn't have an audit.rules so keep that here too. Signed-off-by: Ian Campbell --- pkg/auditd/Dockerfile | 12 ++---------- pkg/auditd/build.sh | 16 ---------------- 2 files changed, 2 insertions(+), 26 deletions(-) delete mode 100755 pkg/auditd/build.sh diff --git a/pkg/auditd/Dockerfile b/pkg/auditd/Dockerfile index 7bdb35c68..816b4f0fe 100644 --- a/pkg/auditd/Dockerfile +++ b/pkg/auditd/Dockerfile 
@@ -1,15 +1,7 @@ -FROM linuxkit/alpine:d307c8a386fa3f32cddda9409b9687e191cdd6f1 AS build -RUN apk add abuild gcc git - -ADD build.sh / -RUN adduser -D -G abuild builder && sudo -u builder /build.sh - -FROM linuxkit/alpine:d307c8a386fa3f32cddda9409b9687e191cdd6f1 AS mirror -COPY --from=build /home/builder/*apk / +FROM linuxkit/alpine:4584958639b2378246371fe219f33b270667e22e AS mirror RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/ -RUN apk add --initdb -p /out alpine-baselayout busybox tini -RUN apk add --allow-untrusted -p /out /*apk +RUN apk add --initdb -p /out alpine-baselayout apk-tools audit busybox tini # Remove apk residuals. We have a read-only rootfs, so apk is of no use. RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache diff --git a/pkg/auditd/build.sh b/pkg/auditd/build.sh deleted file mode 100755 index 57002aa08..000000000 --- a/pkg/auditd/build.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/sh - -AUDIT_HASH=59763dd8e587d1821f2d039b2bf446c3a31ea58e - -set -e - -cd /home/builder - -git clone https://github.com/alpinelinux/aports && cd aports && git checkout $AUDIT_HASH -cd testing/audit - -abuild-keygen -a -abuild -F -r - -find ~/packages -cp ~/packages/testing/$(abuild -A)/*apk ~
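Review bot: The new `RUN apk add --initdb -p /out alpine-baselayout apk-tools audit busybox tini` adds `apk-tools` to the output rootfs, yet the very next step removes `/out/etc/apk`, `/out/lib/apk` and `/out/var/cache` because "apk is of no use" on the read-only rootfs, so the apk binary itself appears to survive into the shipped image with its database stripped. If apk-tools is only there so that the install into `/out` succeeds (the two-step install it replaces did not list it), a comment such as `# apk-tools is pulled in only to satisfy install-time dependencies; its state is removed below` would resolve the apparent contradiction; if it is not needed, dropping it keeps a package manager out of the final rootfs. `audit` is installed unpinned here, which is acceptable only because the `linuxkit/alpine` digest in `FROM` fixes the package versions — since the deleted build.sh pinned an explicit aports commit, a one-line comment recording that the digest is now the version pin would preserve that intent. The Dockerfile continues beyond the end of this hunk.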