fapolicyd-1.4.3-2

- Fix binary path of rpm-loader - Map file with MAP_SHARED instead of MAP_PRIVATE - Fix segfault when interrupting fapolicyd startup Resolves: RHEL-142948
2026-01-27 08:46:34 +01:00 · 2026-01-27 08:46:34 +01:00 · 11889fd100
commit 11889fd100
parent 1d034e244e
4 changed files with 168 additions and 1 deletions
--- a/0003-Fix-binary-path-of-rpm-loader.patch
+++ b/0003-Fix-binary-path-of-rpm-loader.patch
@ -0,0 +1,39 @@
+From ee5ab7e537a922855e5e5f5905071adb1fc2eb25 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
+Date: Wed, 3 Dec 2025 16:36:54 +0100
+Subject: [PATCH] Fix binary path of rpm-loader
+Content-type: text/plain
+
+---
+ src/Makefile.am           | 1 +
+ src/library/rpm-backend.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index cab58ee130bd..8a356805b5ab 100644
+--- a/src/Makefile.am
+++ b/src/Makefile.am
+@@ -84,6 +84,7 @@ bin_PROGRAMS = fapolicyd-rpm-loader
+ fapolicyd_rpm_loader_SOURCES = \
+ 	handler/fapolicyd-rpm-loader.c
+ 
+fapolicyd_CFLAGS += -DBINARYDIR='"$(bindir)"'
+ fapolicyd_rpm_loader_CFLAGS = $(fapolicyd_CFLAGS)
+ fapolicyd_rpm_loader_LDFLAGS = $(fapolicyd_LDFLAGS)
+ fapolicyd_rpm_loader_LDADD = libfapolicyd.la
+diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
+index fab8e5345d40..5b24c9589040 100644
+--- a/src/library/rpm-backend.c
+++ b/src/library/rpm-backend.c
+@@ -238,7 +238,7 @@ static int rpm_load_list(const conf_t *conf)
+ 	char *custom_env[] = { "FAPO_SOCK_FD=3", NULL };
+ 
+ 	pid_t pid = -1;
+-	int status = posix_spawn(&pid, "/usr/bin/fapolicyd-rpm-loader",
+	int status = posix_spawn(&pid, BINARYDIR "/fapolicyd-rpm-loader",
+ 					 &actions, NULL, argv, custom_env);
+ 	close(sv[1]);  // Parent doesn't write
+ 
+-- 
+2.52.0
+
--- a/0004-Map-file-with-MAP_SHARED-instead-of-MAP_PRIVATE.patch
+++ b/0004-Map-file-with-MAP_SHARED-instead-of-MAP_PRIVATE.patch
@ -0,0 +1,48 @@
+From d6956ef82051a9c805b02431e6c0083754549edd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
+Date: Wed, 21 Jan 2026 11:30:58 +0100
+Subject: [PATCH] Map file with MAP_SHARED instead of MAP_PRIVATE
+Content-type: text/plain
+
+When setting up a user probe using ebpf or systemtap on a file,
+fapolicyd computes a different checksum, causing (usually) denial to
+occur.
+
+eBPF is used by Microsoft's MDATP, in particular for monitoring
+/usr/lib64/libpam.so.0 function calls. Through setting a user probe,
+mdatp and fapolicyd cannot be used concurrently.
+
+The reason for computing a different checksum is using mmap(MAP_PRIVATE)
+which makes the hooks set by ebpf and/or systemtap be visible:
+~~~
+1140 char *get_hash_from_fd2(int fd, size_t size, file_hash_alg_t alg)
+1141 {
+ :
+1165         mapped = mmap(0, size, PROT_READ, MAP_PRIVATE|MAP_POPULATE, fd, 0);
+1166         if (mapped != MAP_FAILED) {
+ :
+~~~
+
+A solution consists in using MAP_SHARED instead of MAP_PRIVATE.
+
+Fixes RHEL-142628.
+---
+ src/library/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/library/file.c b/src/library/file.c
+index 6491733c0042..802a89cc028a 100644
+--- a/src/library/file.c
+++ b/src/library/file.c
+@@ -1162,7 +1162,7 @@ char *get_hash_from_fd2(int fd, size_t size, file_hash_alg_t alg)
+ 	if (digest_length == 0)
+ 		return NULL;
+ 
+-	mapped = mmap(0, size, PROT_READ, MAP_PRIVATE|MAP_POPULATE, fd, 0);
+	mapped = mmap(0, size, PROT_READ, MAP_SHARED|MAP_POPULATE, fd, 0);
+ 	if (mapped != MAP_FAILED) {
+ 		unsigned char hptr[SHA512_DIGEST_LENGTH];
+ 		int computed = 0;
+-- 
+2.52.0
+
--- a/0005-Fix-segfault-when-interrupting-fapolicyd-startup.patch
+++ b/0005-Fix-segfault-when-interrupting-fapolicyd-startup.patch
@ -0,0 +1,72 @@
+From 67620805316e85b4edf6133a106181a4b4c8afac Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
+Date: Thu, 22 Jan 2026 10:55:45 +0100
+Subject: [PATCH] Fix segfault when interrupting fapolicyd startup
+Content-type: text/plain
+
+In non-daemon mode, hitting Ctrl-C while fapolicyd initializes leads to
+getting 2 segfaults:
+- first one in term_handler() because 'q' is not initialized yet
+- then one in coredump_handler() because 'm' is not initialized yet
+
+Reproducer:
+~~~
+ # fapolicyd --debug
+ [...]
+ 01/22/26 10:48:37 [ INFO ]: Loading rpmdb backend
+ ^CSegmentation fault (core dumped)
+~~~
+
+GDB shows:
+~~~
+(gdb) bt
+ #0  mlist_first (m=m@entry=0x0) at daemon/mounts.c:86  <<<<< SECOND SEGFAULT
+ #1  0x00005627e02de9ec in unmark_fanotify (m=0x0) at daemon/notify.c:258
+ #2  0x00005627e02dda13 in coredump_handler (sig=11) at daemon/fapolicyd.c:336
+ #3  coredump_handler (sig=11) at daemon/fapolicyd.c:333
+ #4  <signal handler called>
+ #5  __new_sem_post (sem=0x20) at sem_post.c:36         <<<<< FIRST SEGFAULT
+ #6  <signal handler called>
+ #7  __recvmsg_syscall (flags=0, msg=0x7ffe93e00350, fd=6) at ../sysdeps/unix/sysv/linux/recvmsg.c:27
+ #8  __libc_recvmsg (fd=6, msg=msg@entry=0x7ffe93e00350, flags=flags@entry=0)
+     at ../sysdeps/unix/sysv/linux/recvmsg.c:41
+ #9  0x00005627e02eef82 in rpm_load_list (conf=<optimized out>) at library/rpm-backend.c:260
+ #10 0x00005627e02ecc02 in backend_load (conf=conf@entry=0x5627e02fa0e0 <config>) at library/backend-manager.c:152
+ #11 0x00005627e02e21c0 in init_database (config=config@entry=0x5627e02fa0e0 <config>) at library/database.c:1440
+ #12 0x00005627e02db599 in main (argc=<optimized out>, argv=<optimized out>) at daemon/fapolicyd.c:1053
+~~~
+---
+ src/daemon/notify.c | 3 +++
+ src/library/queue.c | 3 ++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/daemon/notify.c b/src/daemon/notify.c
+index 8e1e778cb8c8..db6fb72e01ac 100644
+--- a/src/daemon/notify.c
+++ b/src/daemon/notify.c
+@@ -255,6 +255,9 @@ void fanotify_update(mlist *m)
+ 
+ void unmark_fanotify(mlist *m)
+ {
+	if (m == NULL)
+		return;
+
+ 	const char *path = mlist_first(m);
+ 
+ 	// Stop the flow of events
+diff --git a/src/library/queue.c b/src/library/queue.c
+index c82026439923..6236d0096c80 100644
+--- a/src/library/queue.c
+++ b/src/library/queue.c
+@@ -236,6 +236,7 @@ int q_timed_dequeue(struct queue *q, struct fanotify_event_metadata *data,
+ 
+ void q_shutdown(struct queue *q)
+ {
+	if (q == NULL)
+		return;
+ 	sem_post(&q->sem);
+ }
+-
+-- 
+2.52.0
+
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@ -5,7 +5,7 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.4.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL-3.0-or-later
 URL: https://github.com/linux-application-whitelisting/fapolicyd
 Source0: https://github.com/linux-application-whitelisting/fapolicyd/releases/download/v%{version}/fapolicyd-%{version}.tar.gz
@ -24,6 +24,9 @@ Source20: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#
 # $ for j in [0-9]*.patch; do printf "Patch: %s\n" $j; done
 # Patch list start
 Patch: 0002-If-less-than-16-chars-were-read-allow-shebang-test-c.patch
+Patch: 0003-Fix-binary-path-of-rpm-loader.patch
+Patch: 0004-Map-file-with-MAP_SHARED-instead-of-MAP_PRIVATE.patch
+Patch: 0005-Fix-segfault-when-interrupting-fapolicyd-startup.patch
 # Patch list end

 BuildRequires: gcc
@ -232,6 +235,11 @@ fi
 %selinux_relabel_post -s %{selinuxtype}

 %changelog
+* Tue Jan 27 2026 Petr Lautrbach <lautrbach@redhat.com> - 1.4.3-2
+- Fix binary path of rpm-loader
+- Map file with MAP_SHARED instead of MAP_PRIVATE
+- Fix segfault when interrupting fapolicyd startup
+
 * Tue Jan 13 2026 Petr Lautrbach <lautrbach@redhat.com> - 1.4.3-1
 - fapolicyd-1.4.3
  https://github.com/linux-application-whitelisting/fapolicyd/releases/tag/v1.4.3