From 5eccaf9b3488d3f6da800281363697e4e4834e77 Mon Sep 17 00:00:00 2001 From: Iker Pedrosa Date: Wed, 22 May 2024 11:16:28 +0200 Subject: pam_faillock: close the audit socket after use * modules/pam_faillock/pam_faillock.c (check_tally): Close the audit socket when it will no longer be used. ``` Error: RESOURCE_LEAK (CWE-772): Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: open_fn: Returning handle opened by "audit_open". Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:247: var_assign: Assigning: "audit_fd" = handle returned from "audit_open()". Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:256: noescape: Resource "audit_fd" is not freed or pointed-to in "audit_log_user_message". Linux-PAM-1.6.0/modules/pam_faillock/pam_faillock.c:258: leaked_handle: Handle variable "audit_fd" going out of scope leaks the handle. 256| audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, 257| rhost, NULL, tty, 1); 258|-> } 259| #endif 260| opts->flags |= FAILLOCK_FLAG_UNLOCKED; ``` Resolves: https://issues.redhat.com/browse/RHEL-36475 Signed-off-by: Iker Pedrosa --- modules/pam_faillock/pam_faillock.c | 1 + 1 file changed, 1 insertion(+) (limited to 'modules')
diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c
index e636a24e..f39a9d95 100644
--- a/modules/pam_faillock/pam_faillock.c
+++ b/modules/pam_faillock/pam_faillock.c
@@ -255,6 +255,7 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies
 snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid);
 audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf,
 rhost, NULL, tty, 1);
+ audit_close(audit_fd);
 }
 #endif
 opts->flags |= FAILLOCK_FLAG_UNLOCKED;
-- cgit v1.2.3
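Review bot: The added `audit_close(audit_fd);` runs unconditionally at the end of the block, but the hunk does not show whether `audit_fd` was validated after `audit_open()` (line 247 per the Coverity trace, outside this hunk), so it may be reached with a failed handle. If a negative descriptor can get this far, either confirm that libaudit's `audit_close()` ignores it or guard the call, e.g. `if (audit_fd >= 0) audit_close(audit_fd);`. Any early return between the open and this line would still leak the socket, which matters because a PAM module is loaded into long-lived services where leaked descriptors accumulate. The return value of `audit_log_user_message()` is still discarded, so a failed unlock record goes unnoticed; a `pam_syslog` warning on failure would make that gap visible. check_tally's body starts and ends outside the hunk.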