From 4db1e1cf1356bf7569db932fb339efa83657ee5d Mon Sep 17 00:00:00 2001
From: Grimmauld <Grimmauld@grimmauld.de>
Date: Wed, 25 Jun 2025 23:12:13 +0200
Subject: [PATCH] audit: build with libcap_ng

See auditd-plugins(5) for motivation:
> When the audit daemon starts your plugin, you will be running as root.
> If you do not need root privileges, you should change uid/gid to lower
> chances of being a target for exploit. If you need to retain capabilities,
> using libcap-ng is the simplest way.

`libcap_ng` is already in the closure via util-linux and thus does not
unnecessarily bloat the system. It is also a very sane idea to allow
plugins to drop privileges if they already conveniently support it.
---
 pkgs/by-name/au/audit/package.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkgs/by-name/au/audit/package.nix b/pkgs/by-name/au/audit/package.nix
index ba908eddbd8f..62732842d66a 100644
--- a/pkgs/by-name/au/audit/package.nix
+++ b/pkgs/by-name/au/audit/package.nix
@@ -10,6 +10,7 @@
   python3,
   swig,
   pkgsCross,
+  libcap_ng,
 
   # Enabling python support while cross compiling would be possible, but the
   # configure script tries executing python to gather info instead of relying on
@@ -78,6 +79,7 @@ stdenv.mkDerivation (finalAttrs: {
 
   buildInputs = [
     bash
+    libcap_ng
   ];
 
   configureFlags = [
@@ -86,6 +88,9 @@ stdenv.mkDerivation (finalAttrs: {
     "--disable-zos-remote"
     "--with-arm"
     "--with-aarch64"
+    # capability dropping, currently mostly for plugins as those get spawned as root
+    # see auditd-plugins(5)
+    "--with-libcap-ng=yes"
     (if enablePython then "--with-python" else "--without-python")
   ];