From 11889fd100911f356afef392bf86d22aaa2fc22c Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Tue, 27 Jan 2026 08:46:34 +0100
Subject: [PATCH] fapolicyd-1.4.3-2

- Fix binary path of rpm-loader
- Map file with MAP_SHARED instead of MAP_PRIVATE
- Fix segfault when interrupting fapolicyd startup
Resolves: RHEL-142948
---
 0003-Fix-binary-path-of-rpm-loader.patch | 39 ++++++++++
 ...th-MAP_SHARED-instead-of-MAP_PRIVATE.patch | 48 +++++++++++++
 ...-when-interrupting-fapolicyd-startup.patch | 72 +++++++++++++++++++
 fapolicyd.spec | 10 ++-
 4 files changed, 168 insertions(+), 1 deletion(-)
 create mode 100644 0003-Fix-binary-path-of-rpm-loader.patch
 create mode 100644 0004-Map-file-with-MAP_SHARED-instead-of-MAP_PRIVATE.patch
 create mode 100644 0005-Fix-segfault-when-interrupting-fapolicyd-startup.patch
diff --git a/0003-Fix-binary-path-of-rpm-loader.patch b/0003-Fix-binary-path-of-rpm-loader.patch
new file mode 100644
index 0000000..766dfed
--- /dev/null
+++ b/0003-Fix-binary-path-of-rpm-loader.patch
@@ -0,0 +1,39 @@
+From ee5ab7e537a922855e5e5f5905071adb1fc2eb25 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
+Date: Wed, 3 Dec 2025 16:36:54 +0100
+Subject: [PATCH] Fix binary path of rpm-loader
+Content-type: text/plain
+
+---
+ src/Makefile.am | 1 +
+ src/library/rpm-backend.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/Makefile.am b/src/Makefile.am
+index cab58ee130bd..8a356805b5ab 100644
+--- a/src/Makefile.am
++++ b/src/Makefile.am
+@@ -84,6 +84,7 @@ bin_PROGRAMS = fapolicyd-rpm-loader
+ fapolicyd_rpm_loader_SOURCES = \
+ handler/fapolicyd-rpm-loader.c
+
++fapolicyd_CFLAGS += -DBINARYDIR='"$(bindir)"'
+ fapolicyd_rpm_loader_CFLAGS = $(fapolicyd_CFLAGS)
+ fapolicyd_rpm_loader_LDFLAGS = $(fapolicyd_LDFLAGS)
+ fapolicyd_rpm_loader_LDADD = libfapolicyd.la
+diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
+index fab8e5345d40..5b24c9589040 100644
+--- a/src/library/rpm-backend.c
++++ b/src/library/rpm-backend.c
+@@ -238,7 +238,7 @@ static int rpm_load_list(const conf_t *conf)
+ char *custom_env[] = { "FAPO_SOCK_FD=3", NULL };
+
+ pid_t pid = -1;
+- int status = posix_spawn(&pid, "/usr/bin/fapolicyd-rpm-loader",
++ int status = posix_spawn(&pid, BINARYDIR "/fapolicyd-rpm-loader",
+ &actions, NULL, argv, custom_env);
+ close(sv[1]); // Parent doesn't write
+
+--
+2.52.0
+
diff --git a/0004-Map-file-with-MAP_SHARED-instead-of-MAP_PRIVATE.patch b/0004-Map-file-with-MAP_SHARED-instead-of-MAP_PRIVATE.patch
new file mode 100644
index 0000000..130d4f9
--- /dev/null
+++ b/0004-Map-file-with-MAP_SHARED-instead-of-MAP_PRIVATE.patch
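Review bot: `rpm-backend.c` no longer compiles unless `BINARYDIR` is defined by the build, because `posix_spawn(&pid, BINARYDIR "/fapolicyd-rpm-loader", ...)` relies on string-literal concatenation and the file itself provides no fallback or check. The only definition visible here is the `-DBINARYDIR` appended to `fapolicyd_CFLAGS` in the rpm-loader part of `src/Makefile.am`; whether the target that builds this library file picks up that flag is not visible in the patch. Since this path selects the helper the daemon executes, I would make the requirement explicit near the top of the file with `#ifndef BINARYDIR` / `#error "BINARYDIR must be defined by the build"` / `#endif`. A comment at the call such as `/* absolute path on purpose: posix_spawn() does no PATH lookup */` would record why the value must stay an absolute directory. rpm_load_list() starts and ends outside the hunk.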
@@ -0,0 +1,48 @@
+From d6956ef82051a9c805b02431e6c0083754549edd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
+Date: Wed, 21 Jan 2026 11:30:58 +0100
+Subject: [PATCH] Map file with MAP_SHARED instead of MAP_PRIVATE
+Content-type: text/plain
+
+When setting up a user probe using ebpf or systemtap on a file,
+fapolicyd computes a different checksum, causing (usually) denial to
+occur.
+
+eBPF is used by Microsoft's MDATP, in particular for monitoring
+/usr/lib64/libpam.so.0 function calls. Through setting a user probe,
+mdatp and fapolicyd cannot be used concurrently.
+
+The reason for computing a different checksum is using mmap(MAP_PRIVATE)
+which makes the hooks set by ebpf and/or systemtap be visible:
+~~~
+1140 char *get_hash_from_fd2(int fd, size_t size, file_hash_alg_t alg)
+1141 {
+ :
+1165 mapped = mmap(0, size, PROT_READ, MAP_PRIVATE|MAP_POPULATE, fd, 0);
+1166 if (mapped != MAP_FAILED) {
+ :
+~~~
+
+A solution consists in using MAP_SHARED instead of MAP_PRIVATE.
+
+Fixes RHEL-142628.
+---
+ src/library/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/library/file.c b/src/library/file.c
+index 6491733c0042..802a89cc028a 100644
+--- a/src/library/file.c
++++ b/src/library/file.c
+@@ -1162,7 +1162,7 @@ char *get_hash_from_fd2(int fd, size_t size, file_hash_alg_t alg)
+ if (digest_length == 0)
+ return NULL;
+
+- mapped = mmap(0, size, PROT_READ, MAP_PRIVATE|MAP_POPULATE, fd, 0);
++ mapped = mmap(0, size, PROT_READ, MAP_SHARED|MAP_POPULATE, fd, 0);
+ if (mapped != MAP_FAILED) {
+ unsigned char hptr[SHA512_DIGEST_LENGTH];
+ int computed = 0;
+--
+2.52.0
+
diff --git a/0005-Fix-segfault-when-interrupting-fapolicyd-startup.patch b/0005-Fix-segfault-when-interrupting-fapolicyd-startup.patch
new file mode 100644
index 0000000..646dc0d
--- /dev/null
+++ b/0005-Fix-segfault-when-interrupting-fapolicyd-startup.patch
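Review bot: The `mmap()` call in `get_hash_from_fd2()` carries no comment saying why `MAP_SHARED` is required, and because this digest drives the allow/deny decision, a later cleanup could switch it back to `MAP_PRIVATE` without anyone noticing the regression. I would add above the call: `/* MAP_SHARED on purpose: a private mapping exposed uprobe hooks (eBPF, systemtap) and changed the digest */`. The function comment should also state that the hash is taken over a mapping of a file that other processes may write to while it is being read, so the digest describes the file only if it is not modified during hashing; whether callers guard against that is not visible here. The function body continues outside the hunk.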
@@ -0,0 +1,72 @@
+From 67620805316e85b4edf6133a106181a4b4c8afac Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
+Date: Thu, 22 Jan 2026 10:55:45 +0100
+Subject: [PATCH] Fix segfault when interrupting fapolicyd startup
+Content-type: text/plain
+
+In non-daemon mode, hitting Ctrl-C while fapolicyd initializes leads to
+getting 2 segfaults:
+- first one in term_handler() because 'q' is not initialized yet
+- then one in coredump_handler() because 'm' is not initialized yet
+
+Reproducer:
+~~~
+ # fapolicyd --debug
+ [...]
+ 01/22/26 10:48:37 [ INFO ]: Loading rpmdb backend
+ ^CSegmentation fault (core dumped)
+~~~
+
+GDB shows:
+~~~
+(gdb) bt
+ #0 mlist_first (m=m@entry=0x0) at daemon/mounts.c:86 <<<<< SECOND SEGFAULT
+ #1 0x00005627e02de9ec in unmark_fanotify (m=0x0) at daemon/notify.c:258
+ #2 0x00005627e02dda13 in coredump_handler (sig=11) at daemon/fapolicyd.c:336
+ #3 coredump_handler (sig=11) at daemon/fapolicyd.c:333
+ #4
+ #5 __new_sem_post (sem=0x20) at sem_post.c:36 <<<<< FIRST SEGFAULT
+ #6
+ #7 __recvmsg_syscall (flags=0, msg=0x7ffe93e00350, fd=6) at ../sysdeps/unix/sysv/linux/recvmsg.c:27
+ #8 __libc_recvmsg (fd=6, msg=msg@entry=0x7ffe93e00350, flags=flags@entry=0)
+ at ../sysdeps/unix/sysv/linux/recvmsg.c:41
+ #9 0x00005627e02eef82 in rpm_load_list (conf=) at library/rpm-backend.c:260
+ #10 0x00005627e02ecc02 in backend_load (conf=conf@entry=0x5627e02fa0e0 ) at library/backend-manager.c:152
+ #11 0x00005627e02e21c0 in init_database (config=config@entry=0x5627e02fa0e0 ) at library/database.c:1440
+ #12 0x00005627e02db599 in main (argc=, argv=) at daemon/fapolicyd.c:1053
+~~~
+---
+ src/daemon/notify.c | 3 +++
+ src/library/queue.c | 3 ++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/daemon/notify.c b/src/daemon/notify.c
+index 8e1e778cb8c8..db6fb72e01ac 100644
+--- a/src/daemon/notify.c
++++ b/src/daemon/notify.c
+@@ -255,6 +255,9 @@ void fanotify_update(mlist *m)
+
+ void unmark_fanotify(mlist *m)
+ {
++ if (m == NULL)
++ return;
++
+ const char *path = mlist_first(m);
+
+ // Stop the flow of events
+diff --git a/src/library/queue.c b/src/library/queue.c
+index c82026439923..6236d0096c80 100644
+--- a/src/library/queue.c
++++ b/src/library/queue.c
+@@ -236,6 +236,7 @@ int q_timed_dequeue(struct queue *q, struct fanotify_event_metadata *data,
+
+ void q_shutdown(struct queue *q)
+ {
++ if (q == NULL)
++ return;
+ sem_post(&q->sem);
+ }
+-
+--
+2.52.0
+
diff --git a/fapolicyd.spec b/fapolicyd.spec
index 59a5f20..176f540 100644
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@@ -5,7 +5,7 @@ Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.4.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL-3.0-or-later
 URL: https://github.com/linux-application-whitelisting/fapolicyd
 Source0: https://github.com/linux-application-whitelisting/fapolicyd/releases/download/v%{version}/fapolicyd-%{version}.tar.gz
@@ -24,6 +24,9 @@ Source20: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#
 # $ for j in [0-9]*.patch; do printf "Patch: %s\n" $j; done
 # Patch list start
 Patch: 0002-If-less-than-16-chars-were-read-allow-shebang-test-c.patch
+Patch: 0003-Fix-binary-path-of-rpm-loader.patch
+Patch: 0004-Map-file-with-MAP_SHARED-instead-of-MAP_PRIVATE.patch
+Patch: 0005-Fix-segfault-when-interrupting-fapolicyd-startup.patch
 # Patch list end
 BuildRequires: gcc
@@ -232,6 +235,11 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 %changelog
+* Tue Jan 27 2026 Petr Lautrbach - 1.4.3-2
+- Fix binary path of rpm-loader
+- Map file with MAP_SHARED instead of MAP_PRIVATE
+- Fix segfault when interrupting fapolicyd startup
+
 * Tue Jan 13 2026 Petr Lautrbach - 1.4.3-1
 - fapolicyd-1.4.3 https://github.com/linux-application-whitelisting/fapolicyd/releases/tag/v1.4.3
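Review bot: The new `if (q == NULL) return;` in `q_shutdown()` and `if (m == NULL) return;` in `unmark_fanotify()` only help if the pointers handed in by the signal handlers stay NULL until the objects are fully set up, and nothing in this patch shows that. The commit message attributes the crashes to `term_handler()` and `coredump_handler()` using 'q' and 'm' before initialisation, so a queue that is allocated but whose semaphore is not yet initialised, or a pointer left dangling after teardown, would still reach `sem_post(&q->sem)` or `mlist_first(m)`. Please confirm that these globals start as NULL, are published only after initialisation completes, and are reset on teardown. A one-line comment on each guard, e.g. `/* may be reached from a signal handler before init */`, would keep them from being removed later as dead checks. `unmark_fanotify()` continues outside the hunk.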