import fapolicyd-1.0-3.el8_3.3

2020-11-30 05:00:41 -05:00 · 2020-11-30 05:00:41 -05:00 · 2ec52a8c82
commit 2ec52a8c82
parent 6166397a20
3 changed files with 79 additions and 53 deletions
--- a/SOURCES/fapolicyd-deleted-suffix.patch
+++ b/SOURCES/fapolicyd-deleted-suffix.patch
@ -0,0 +1,49 @@
+From 8b7ea120670525d9ac7f1698ae7482d691e840a4 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Mon, 9 Nov 2020 17:02:22 +0100
+Subject: [PATCH] Added check for " (deleted)" suffix in get_program_from_fd()
+ (#97)
+
+- get rid of this suffix
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+
+Removed strstr (#102)
+---
+ src/library/process.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/src/library/process.c b/src/library/process.c
+index edd2cca..6406610 100644
+--- a/src/library/process.c
+++ b/src/library/process.c
+@@ -146,10 +146,24 @@ char *get_program_from_pid(pid_t pid, size_t blen, char *buf)
+ 
+ 		return buf;
+ 	}
+
+	size_t len = 0;
+ 	if ((size_t)path_len < blen)
+-		buf[path_len] = 0;
+		len = path_len;
+ 	else
+-		buf[blen-1] = '\0';
+		len = blen-1;
+
+	buf[len] = '\0';
+	// some binaries can be deleted after execution
+	// then we need to delete the suffix so they are
+	// trusted even after deletion
+
+	// strlen(" deleted") == 10
+	if (buf[len-1] == ')' && len > 10) {
+
+		if (strcmp(&buf[len - 10], " (deleted)") == 0)
+			buf[len - 10] = '\0';
+	}
+ 
+ 	return buf;
+ }
+-- 
+2.26.2
+
--- a/SOURCES/fapolicyd-rules-root.patch
+++ b/SOURCES/fapolicyd-rules-root.patch
@ -1,26 +0,0 @@
-diff -up ./init/fapolicyd.rules.known-libs.root ./init/fapolicyd.rules.known-libs
--- ./init/fapolicyd.rules.known-libs.root	2020-11-06 22:38:10.308866211 +0100
-+++ ./init/fapolicyd.rules.known-libs	2020-11-06 22:39:17.857469844 +0100
-@@ -6,8 +6,7 @@
- %languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
- 
- # Carve out an exception for dracut initramfs building
-allow perm=any uid=0 : dir=/var/tmp/
-allow perm=any uid=0 trust=1 : all
-+allow perm=any uid=0 : all
- 
- # Prevent execution by ld.so
- deny_audit perm=any pattern=ld_so : all
-diff -up ./init/fapolicyd.rules.restrictive.root ./init/fapolicyd.rules.restrictive
--- ./init/fapolicyd.rules.restrictive.root	2020-11-06 22:38:14.562904224 +0100
-+++ ./init/fapolicyd.rules.restrictive	2020-11-06 22:38:58.440296333 +0100
-@@ -18,8 +18,7 @@
- %languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
- 
- # Carve out an exception for dracut
-allow perm=any uid=0 : dir=/var/tmp/
-allow perm=any uid=0 trust=1 : all
-+allow perm=any uid=0 : all
- 
- # Prevent execution by ld.so
- deny_audit perm=any pattern=ld_so : all
--- a/SPECS/fapolicyd.spec
+++ b/SPECS/fapolicyd.spec
@ -6,7 +6,7 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.0
-Release: 3%{?dist}.2
+Release: 3%{?dist}.3
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -38,7 +38,7 @@ Patch10: fapolicyd-cli-big-buffer.patch
 Patch11: fapolicyd-get-line.patch
 Patch12: fapolicyd-man-page-trust.patch

-Patch13: fapolicyd-rules-root.patch
+Patch13: fapolicyd-deleted-suffix.patch

 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -68,7 +68,6 @@ Requires(post): policycoreutils-python
 %endif


-
 %description    selinux
 The %{name}-selinux package contains selinux policy for the %{name} daemon.

@ -98,9 +97,8 @@ sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//
 %patch11 -p1 -b .get-line
 %patch12 -p1 -b .man-page-trust

-
 # zstream
-%patch13 -p1 -b .root
+%patch13 -p1 -b .deleted

 %build
 ./autogen.sh
@ -141,33 +139,34 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
 %pre
 getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}

-%pretrans
+%pretrans -p <lua>
+if posix.access("/run/fapolicyd.pid", "f") then
+  os.execute([[
    c=/etc/fapolicyd/fapolicyd.rules
-if test -e $c; then
-  cat $c | grep -Em1 '^allow' | grep -q 'uid=0 : all' || {
-    if systemctl is-active fapolicyd &> dev/null; then
-      tmp=`mktemp`
-      rpm -qV fapolicyd | grep -q $c || touch /tmp/fapolicyd-cleanup
-      cat $c > $tmp
-      echo "allow perm=any uid=0 : all" > $c
-      cat $tmp >> $c
-      rm -f $tmp
-      systemctl restart fapolicyd
+    release=/etc/redhat-release
+    rule="allow perm=any uid=0 : all"
+    if test -e $release; then
+       if grep -q '8.1' $release; then
+          rule="allow uid=0 all"
       fi
-  }
    fi

+    if test -e $c; then
+       if systemctl is-active fapolicyd &> /dev/null; then
+          tmp=`mktemp`
+          cat $c > $tmp
+          echo "$rule" > $c
+          cat $tmp >> $c
+          systemctl restart fapolicyd || true
+          cat $tmp > $c
+          rm -f $tmp
+        fi
+    fi
+    ]])
+end

 %post
 %systemd_post %{name}.service
-c=/etc/fapolicyd/fapolicyd.rules
-if test -e /tmp/fapolicyd-cleanup; then
-  cat ${c}.rpmnew > $c
-  touch -d "`stat -c %y ${c}.rpmnew`" $c
-  rm -f /tmp/fapolicyd-cleanup ${c}.rpmnew
-  systemctl restart fapolicyd
-fi
-

 %preun
 %systemd_preun %{name}.service
@ -220,6 +219,10 @@ fi
 %selinux_relabel_post -s %{selinuxtype}

 %changelog
+* Fri Nov 13 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.3
+RHEL 8.3.Z ERRATUM
+Resolves: rhbz#1897090
+
 * Fri Nov 06 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.2
 RHEL 8.3.Z ERRATUM
 - selinux requires inlined