From 24927c172e89ff23f981b5b6071e514bbeebf279 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 9 Aug 2022 05:41:25 -0400
Subject: [PATCH] import fapolicyd-1.1-103.el9_0.1
---
 SOURCES/fapolicyd-1.1.1-static.patch | 19 +++++++++++++++++++
 SPECS/fapolicyd.spec | 10 +++++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/fapolicyd-1.1.1-static.patch
diff --git a/SOURCES/fapolicyd-1.1.1-static.patch b/SOURCES/fapolicyd-1.1.1-static.patch
new file mode 100644
index 0000000..49c371b
--- /dev/null
+++ b/SOURCES/fapolicyd-1.1.1-static.patch
@@ -0,0 +1,19 @@
+diff -urp fapolicyd-1.1.1.orig/src/library/event.c fapolicyd-1.1.1/src/library/event.c
+--- fapolicyd-1.1.1.orig/src/library/event.c 2022-01-28 15:23:58.000000000 -0500
++++ fapolicyd-1.1.1/src/library/event.c 2022-01-30 20:11:05.516785465 -0500
+@@ -140,7 +140,14 @@ int new_event(const struct fanotify_even
+
+ // We need to reset everything now that execve has finished
+ if (s->info->state == STATE_STATIC_PARTIAL && !rc) {
+- s->info->state = STATE_STATIC;
++ // If the static app itself launches an app right
++ // away, go back to collecting.
++ if (e->type & FAN_OPEN_EXEC_PERM)
++ s->info->state = STATE_COLLECTING;
++ else {
++ s->info->state = STATE_STATIC;
++ skip_path = 1;
++ }
+ evict = 0;
+ skip_path = 1;
+ subject_reset(s, EXE);
diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec
index aeb1cba..0e7dc48 100644
--- a/SPECS/fapolicyd.spec
+++ b/SPECS/fapolicyd.spec
@@ -5,7 +5,7 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.1
-Release: 103%{?dist}
+Release: 103%{?dist}.1
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
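Review bot: The `skip_path = 1;` added inside the new else branch is redundant, because the pre-existing unconditional `skip_path = 1;` two lines below still runs on both branches, so the FAN_OPEN_EXEC_PERM path that is sent back to STATE_COLLECTING is treated exactly like the STATE_STATIC path as far as skip_path is concerned. If the intent of the new branch is that a static binary immediately exec'ing another program should not have that path skipped (presumably skip_path gates a path check later in new_event; I cannot see that from the hunk), the unconditional assignment should be moved into the else block and the inner one is the only one kept; if both cases are meant to skip, the inner assignment should be dropped so the only difference between the branches is the state. Either way a one-line comment next to the assignment, e.g. `// skip_path applies to both branches; only the state differs`, would make the decision explicit to the next reader, since the current shape reads as if the author changed their mind mid-edit. As a point of style, the unbraced `if` arm paired with a braced `else` should be braced on both sides. The enclosing function new_event starts and ends outside this hunk.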
@@ -36,6 +36,8 @@ Patch3: fapolicyd-reorder-rules.patch
 Patch4: fagenrules-group.patch
 # 2069120 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.6.0]
 Patch5: fapolicyd-1.1.1-ld_so.patch
+# 2097734 - Faulty handling of static applications [rhel-9.0.0.z]
+Patch6: fapolicyd-1.1.1-static.patch
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@@ -85,6 +87,7 @@ Don't use dnf and rpm plugin together.
 %patch3 -p1 -b .reorder
 %patch4 -p1 -b .group
 %patch5 -p1 -b .ld_so
+%patch6 -p1 -b .static
 # generate rules for python
 sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
@@ -276,6 +279,11 @@ fi
 %changelog
+* Thu Jun 16 2022 Radovan Sroka - 1.1-103-1
+RHEL 9.0.Z ERRATUM
+- Faulty handling of static applications
+Resolves: rhbz#2097734
+
 * Wed Apr 06 2022 Radovan Sroka - 1.1-103
 RHEL 9.0.0 ERRATUM
 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path