import fapolicyd-1.1-103.el9_0.1

CentOS Sources 2022-08-09 05:41:25 -04:00 committed by Stepan Oksanichenko
parent b4398e8698
commit 24927c172e
2 changed files with 28 additions and 1 deletions


@ -0,0 +1,19 @@
diff -urp fapolicyd-1.1.1.orig/src/library/event.c fapolicyd-1.1.1/src/library/event.c
--- fapolicyd-1.1.1.orig/src/library/event.c 2022-01-28 15:23:58.000000000 -0500
+++ fapolicyd-1.1.1/src/library/event.c 2022-01-30 20:11:05.516785465 -0500
@@ -140,7 +140,14 @@ int new_event(const struct fanotify_even
// We need to reset everything now that execve has finished
if (s->info->state == STATE_STATIC_PARTIAL && !rc) {
- s->info->state = STATE_STATIC;
+ // If the static app itself launches an app right
+ // away, go back to collecting.
+ if (e->type & FAN_OPEN_EXEC_PERM)
+ s->info->state = STATE_COLLECTING;
+ else {
+ s->info->state = STATE_STATIC;
+ skip_path = 1;
+ }
evict = 0;
skip_path = 1;
subject_reset(s, EXE);
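Review bot: The `skip_path = 1;` added inside the new `else` branch has no effect, because the unchanged context line two lines further down assigns `skip_path = 1;` unconditionally, so both branches leave it set. If an immediate `FAN_OPEN_EXEC_PERM` event from a static binary is meant to have its path recorded once the state goes back to `STATE_COLLECTING`, the unconditional assignment has to be removed; if not, the assignment in the `else` should be dropped so the branches differ only in `s->info->state`. This state handling appears to decide what the daemon records about a process during startup, so the intent deserves a comment next to the assignment, for example `// path is skipped in both cases; only the state differs`, and the `if` arm should be braced to match the `else`. `new_event` starts and ends outside this hunk, so how `skip_path` is consumed afterwards cannot be checked from here.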


@ -5,7 +5,7 @@
Summary: Application Whitelisting Daemon Summary: Application Whitelisting Daemon
Name: fapolicyd Name: fapolicyd
Version: 1.1 Version: 1.1
Release: 103%{?dist} Release: 103%{?dist}.1
License: GPLv3+ License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -36,6 +36,8 @@ Patch3: fapolicyd-reorder-rules.patch
Patch4: fagenrules-group.patch Patch4: fagenrules-group.patch
# 2069120 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.6.0] # 2069120 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.6.0]
Patch5: fapolicyd-1.1.1-ld_so.patch Patch5: fapolicyd-1.1.1-ld_so.patch
# 2097734 - Faulty handling of static applications [rhel-9.0.0.z]
Patch6: fapolicyd-1.1.1-static.patch
%description %description
Fapolicyd (File Access Policy Daemon) implements application whitelisting Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -85,6 +87,7 @@ Don't use dnf and rpm plugin together.
%patch3 -p1 -b .reorder %patch3 -p1 -b .reorder
%patch4 -p1 -b .group %patch4 -p1 -b .group
%patch5 -p1 -b .ld_so %patch5 -p1 -b .ld_so
%patch6 -p1 -b .static
# generate rules for python # generate rules for python
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
@ -276,6 +279,11 @@ fi
%changelog %changelog
* Thu Jun 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-103-1
RHEL 9.0.Z ERRATUM
- Faulty handling of static applications
Resolves: rhbz#2097734
* Wed Apr 06 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-103 * Wed Apr 06 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-103
RHEL 9.0.0 ERRATUM RHEL 9.0.0 ERRATUM
- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path