Rebase to 1.1.3

- rebase fapolicyd to the latest stable vesion
Resolves: rhbz#2100041
- fapolicyd gets way too easily killed by OOM killer
Resolves: rhbz#2097385
- fapolicyd does not correctly handle SIGHUP
Resolves: rhbz#2070655

Signed-off-by: Radovan Sroka <rsroka@redhat.com>
This commit is contained in:
Radovan Sroka 2022-06-22 11:25:32 +02:00
parent 586b5e37fd
commit 2dc7eac9a4
6 changed files with 13 additions and 168 deletions

1
.gitignore vendored
View File

@ -19,3 +19,4 @@
/fapolicyd-1.0.3.tar.gz
/fapolicyd-1.0.4.tar.gz
/fapolicyd-1.1.tar.gz
/fapolicyd-1.1.3.tar.gz

View File

@ -1,27 +0,0 @@
diff -urp fapolicyd-1.1.1.orig/fapolicyd.spec fapolicyd-1.1.1/fapolicyd.spec
--- fapolicyd-1.1.1.orig/fapolicyd.spec 2022-01-28 15:17:55.000000000 -0500
+++ fapolicyd-1.1.1/fapolicyd.spec 2022-01-28 15:19:31.594155397 -0500
@@ -30,7 +30,7 @@ makes use of the kernel's fanotify inter
# generate rules for python
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+sed -i "s/%ld_so_path%/`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
%build
%configure \
diff -urp fapolicyd-1.1.1.orig/m4/dyn_linker.m4 fapolicyd-1.1.1/m4/dyn_linker.m4
--- fapolicyd-1.1.1.orig/m4/dyn_linker.m4 2022-01-28 15:17:55.000000000 -0500
+++ fapolicyd-1.1.1/m4/dyn_linker.m4 2022-01-28 15:20:02.048609672 -0500
@@ -1,6 +1,10 @@
AC_DEFUN([LD_SO_PATH],
[
- xpath=`realpath /usr/lib64/ld-2.*.so`
+ xpath1=`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev`
+ xpath=`realpath $xpath1`
+ if test ! -f "$xpath" ; then
+ AC_MSG_ERROR([Cant find the dynamic linker])
+ fi
echo "dynamic linker is.....$xpath"
AC_DEFINE_UNQUOTED(SYSTEM_LD_SO, ["$xpath"], [dynamic linker])
])

View File

@ -1,19 +0,0 @@
diff -urp fapolicyd-1.1.1.orig/src/library/event.c fapolicyd-1.1.1/src/library/event.c
--- fapolicyd-1.1.1.orig/src/library/event.c 2022-01-28 15:23:58.000000000 -0500
+++ fapolicyd-1.1.1/src/library/event.c 2022-01-30 20:11:05.516785465 -0500
@@ -140,7 +140,14 @@ int new_event(const struct fanotify_even
// We need to reset everything now that execve has finished
if (s->info->state == STATE_STATIC_PARTIAL && !rc) {
- s->info->state = STATE_STATIC;
+ // If the static app itself launches an app right
+ // away, go back to collecting.
+ if (e->type & FAN_OPEN_EXEC_PERM)
+ s->info->state = STATE_COLLECTING;
+ else {
+ s->info->state = STATE_STATIC;
+ skip_path = 1;
+ }
evict = 0;
skip_path = 1;
subject_reset(s, EXE);

View File

@ -1,109 +0,0 @@
From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Thu, 24 Mar 2022 09:59:05 +0100
Subject: [PATCH] Reorder loop holes with patterns in rules.d
- this keeps backwards compatibility with older wersions of rules
- the ld_so pattern was applied to root
- it caused problems with running ldd as root(previously unrestricted)
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
fapolicyd.spec | 6 +++---
rules.d/{30-dracut.rules => 20-dracut.rules} | 0
rules.d/{30-updaters.rules => 21-updaters.rules} | 0
rules.d/{20-patterns.rules => 30-patterns.rules} | 0
rules.d/Makefile.am | 4 ++--
rules.d/README-rules | 16 ++++++++--------
6 files changed, 13 insertions(+), 13 deletions(-)
rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%)
rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%)
rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%)
diff --git a/fapolicyd.spec b/fapolicyd.spec
index c2aae21..261b780 100644
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@@ -66,9 +66,9 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
if [ "$files" -eq 0 ] ; then
## Install the known libs policy
cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/
diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules
similarity index 100%
rename from rules.d/30-dracut.rules
rename to rules.d/20-dracut.rules
diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules
similarity index 100%
rename from rules.d/30-updaters.rules
rename to rules.d/21-updaters.rules
diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules
similarity index 100%
rename from rules.d/20-patterns.rules
rename to rules.d/30-patterns.rules
diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am
index 76b5377..9bb61a7 100644
--- a/rules.d/Makefile.am
+++ b/rules.d/Makefile.am
@@ -23,8 +23,8 @@
CONFIG_CLEAN_FILES = *.rej *.orig
-EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \
- 30-dracut.rules 30-updaters.rules \
+EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \
+ 21-updaters.rules 30-patterns.rules \
40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \
43-known-elf.rules \
70-trusted-lang.rules 71-known-python.rules 72-shell.rules \
diff --git a/rules.d/README-rules b/rules.d/README-rules
index c03c02b..30fcd01 100644
--- a/rules.d/README-rules
+++ b/rules.d/README-rules
@@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are
organized into groups with the following meanings:
10 - macros
-20 - patterns
-30 - loop holes
+20 - loop holes
+30 - patterns
40 - ELF rules
50 - user/group access rules
60 - application access rules
@@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following:
fapolicyd.rules.known-libs
--------------------------
10-languages.rules
-20-patterns.rules
-30-dracut.rules
-30-updaters.rules
+20-dracut.rules
+21-updaters.rules
+30-patterns.rules
40-bad-elf.rules
41-shared-obj.rules
42-trusted-elf.rules
@@ -39,9 +39,9 @@ fapolicyd.rules.known-libs
fapolicyd.rules.restrictive
---------------------------
10-languages.rules
-20-patterns.rules
-30-dracut.rules
-30-updaters.rules
+20-dracut.rules
+21-updaters.rules
+30-patterns.rules
40-bad-elf.rules
41-shared-obj.rules
43-known-elf.rules
--
2.35.1

View File

@ -4,8 +4,8 @@
Summary: Application Whitelisting Daemon
Name: fapolicyd
Version: 1.1
Release: 104%{?dist}
Version: 1.1.3
Release: 100%{?dist}
License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -32,11 +32,6 @@ Requires(postun): systemd-units
Patch1: fapolicyd-uthash-bundle.patch
Patch2: fapolicyd-selinux.patch
Patch3: fapolicyd-reorder-rules.patch
Patch4: fagenrules-group.patch
# 2069123 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-9.1.0]
Patch5: fapolicyd-1.1.1-ld_so.patch
Patch6: fapolicyd-1.1.1-static.patch
%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -83,10 +78,6 @@ Don't use dnf and rpm plugin together.
%endif
%patch2 -p1 -b .selinux
%patch3 -p1 -b .reorder
%patch4 -p1 -b .group
%patch5 -p1 -b .ld_so
%patch6 -p1 -b .static
# generate rules for python
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
@ -205,7 +196,7 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
# restore correct label
/usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
fi
fagenrules > /dev/null 2>&1
fagenrules --load
fi
fi
%systemd_post %{name}.service
@ -278,6 +269,14 @@ fi
%changelog
* Wed Jun 22 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-100
- rebase fapolicyd to the latest stable vesion
Resolves: rhbz#2100041
- fapolicyd gets way too easily killed by OOM killer
Resolves: rhbz#2097385
- fapolicyd does not correctly handle SIGHUP
Resolves: rhbz#2070655
* Thu Jun 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-104
RHEL 9.1.0 ERRATUM
- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path

View File

@ -1,3 +1,3 @@
SHA512 (fapolicyd-1.1.tar.gz) = d8478a5e55f8ab3b40ab881795d391d6edd8c4149e743f3685afedf561f853f46f80e49f7b0f05e20c86d71442e286c7db9b289049b5314047d14d8d1b9f3b4e
SHA512 (fapolicyd-1.1.3.tar.gz) = c2bf7d49a555d2c158764d6c9360ce40692d2f8ea0f0d3e21408c45318bae8a34233f5a468039bfceafb140e069605ea010a64b784fd1b0e3ad71f5f1753ca25
SHA512 (fapolicyd-selinux-0.4.tar.gz) = afc74b9c55c71bec2039d112e8e16abc510b58bf794bd665f3128a63daa45572a6f18d1c4de1f63e45a01f8696aacfbf54ed2a07485d581f25446b7fe92307a2
SHA512 (uthash-2.3.0.tar.gz) = 3b01f1074790fb242900411cb16eb82c1a9afcf58e3196a0f4611d9d7ef94690ad38c0a500e7783d3efa20328aa8d6ab14f246be63b3b3d385502ba2b6b2a294