fapolicyd-1.4.5

https://github.com/linux-application-whitelisting/fapolicyd/releases/tag/v1.4.5 Resolves: RHEL-166377
2026-03-19 16:45:31 +01:00 · 2026-03-19 16:45:31 +01:00 · 3a04395c5b
commit 3a04395c5b
parent ff5690e3a5
7 changed files with 17 additions and 232 deletions
--- a/.gitignore
+++ b/.gitignore
@ -39,3 +39,7 @@
 /fapolicyd-1.4.3.tar.gz.asc
 /fapolicyd-selinux-1.1.tar.gz
 /fapolicyd-selinux-1.1.tar.gz.asc
+/fapolicyd-1.4.4.tar.gz
+/fapolicyd-1.4.4.tar.gz.asc
+/fapolicyd-1.4.5.tar.gz
+/fapolicyd-1.4.5.tar.gz.asc
--- a/0002-If-less-than-16-chars-were-read-allow-shebang-test-c.patch
+++ b/0002-If-less-than-16-chars-were-read-allow-shebang-test-c.patch
@ -1,61 +0,0 @@
-From a2ea4efcae9ff6c7af47058d8b61aa88f269cf66 Mon Sep 17 00:00:00 2001
-From: Steve Grubb <ausearch.1@gmail.com>
-Date: Mon, 19 Jan 2026 16:27:54 -0500
-Subject: [PATCH] If less than 16 chars were read, allow shebang test (corner
- case)
-Content-type: text/plain
-
---
- src/library/file.c | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/src/library/file.c b/src/library/file.c
-index 30571890071b..6491733c0042 100644
--- a/src/library/file.c
-+++ b/src/library/file.c
-@@ -1253,12 +1253,9 @@ int get_ima_hash(int fd, file_hash_alg_t *alg, char *sha)
- 
- 
- static unsigned char e_ident[EI_NIDENT];
-static int read_preliminary_header(int fd)
-+static inline ssize_t read_preliminary_header(int fd)
- {
-	ssize_t rc = safe_read(fd, (char *)e_ident, EI_NIDENT);
-	if (rc == EI_NIDENT)
-		return 0;
-	return 1;
-+	return safe_read(fd, (char *)e_ident, EI_NIDENT);
- }
- 
- 
-@@ -1356,8 +1353,10 @@ static int looks_like_text_script(int fd)
- uint32_t gather_elf(int fd, off_t size)
- {
- 	uint32_t info = 0;
-+	ssize_t rc;
- 
-	if (read_preliminary_header(fd))
-+	rc = read_preliminary_header(fd);
-+	if (rc < 2)
- 		goto rewind_out;
- 
- 	/* Detect scripts via shebang before ELF check */
-@@ -1366,6 +1365,10 @@ uint32_t gather_elf(int fd, off_t size)
- 		goto rewind_out;
- 	}
- 
-+	/* Make sure we have the full preliminary header */
-+	if (rc < EI_NIDENT)
-+		goto rewind_out;
-+
- 	/* Check ELF magic */
- 	if (strncmp((char *)e_ident, ELFMAG, 4)) {
- 		// Not ELF - see if it might be text script
-@@ -1688,4 +1691,3 @@ rewind_out:
- 	rewind_fd(fd);
- 	return info;
- }
-
-- 
-2.52.0
-
--- a/0003-Fix-binary-path-of-rpm-loader.patch
+++ b/0003-Fix-binary-path-of-rpm-loader.patch
@ -1,39 +0,0 @@
-From ee5ab7e537a922855e5e5f5905071adb1fc2eb25 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
-Date: Wed, 3 Dec 2025 16:36:54 +0100
-Subject: [PATCH] Fix binary path of rpm-loader
-Content-type: text/plain
-
---
- src/Makefile.am           | 1 +
- src/library/rpm-backend.c | 2 +-
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/Makefile.am b/src/Makefile.am
-index cab58ee130bd..8a356805b5ab 100644
--- a/src/Makefile.am
-+++ b/src/Makefile.am
-@@ -84,6 +84,7 @@ bin_PROGRAMS = fapolicyd-rpm-loader
- fapolicyd_rpm_loader_SOURCES = \
- 	handler/fapolicyd-rpm-loader.c
- 
-+fapolicyd_CFLAGS += -DBINARYDIR='"$(bindir)"'
- fapolicyd_rpm_loader_CFLAGS = $(fapolicyd_CFLAGS)
- fapolicyd_rpm_loader_LDFLAGS = $(fapolicyd_LDFLAGS)
- fapolicyd_rpm_loader_LDADD = libfapolicyd.la
-diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
-index fab8e5345d40..5b24c9589040 100644
--- a/src/library/rpm-backend.c
-+++ b/src/library/rpm-backend.c
-@@ -238,7 +238,7 @@ static int rpm_load_list(const conf_t *conf)
- 	char *custom_env[] = { "FAPO_SOCK_FD=3", NULL };
- 
- 	pid_t pid = -1;
-	int status = posix_spawn(&pid, "/usr/bin/fapolicyd-rpm-loader",
-+	int status = posix_spawn(&pid, BINARYDIR "/fapolicyd-rpm-loader",
- 					 &actions, NULL, argv, custom_env);
- 	close(sv[1]);  // Parent doesn't write
- 
-- 
-2.52.0
-
--- a/0004-Map-file-with-MAP_SHARED-instead-of-MAP_PRIVATE.patch
+++ b/0004-Map-file-with-MAP_SHARED-instead-of-MAP_PRIVATE.patch
@ -1,48 +0,0 @@
-From d6956ef82051a9c805b02431e6c0083754549edd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
-Date: Wed, 21 Jan 2026 11:30:58 +0100
-Subject: [PATCH] Map file with MAP_SHARED instead of MAP_PRIVATE
-Content-type: text/plain
-
-When setting up a user probe using ebpf or systemtap on a file,
-fapolicyd computes a different checksum, causing (usually) denial to
-occur.
-
-eBPF is used by Microsoft's MDATP, in particular for monitoring
-/usr/lib64/libpam.so.0 function calls. Through setting a user probe,
-mdatp and fapolicyd cannot be used concurrently.
-
-The reason for computing a different checksum is using mmap(MAP_PRIVATE)
-which makes the hooks set by ebpf and/or systemtap be visible:
-~~~
-1140 char *get_hash_from_fd2(int fd, size_t size, file_hash_alg_t alg)
-1141 {
- :
-1165         mapped = mmap(0, size, PROT_READ, MAP_PRIVATE|MAP_POPULATE, fd, 0);
-1166         if (mapped != MAP_FAILED) {
- :
-~~~
-
-A solution consists in using MAP_SHARED instead of MAP_PRIVATE.
-
-Fixes RHEL-142628.
---
- src/library/file.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/library/file.c b/src/library/file.c
-index 6491733c0042..802a89cc028a 100644
--- a/src/library/file.c
-+++ b/src/library/file.c
-@@ -1162,7 +1162,7 @@ char *get_hash_from_fd2(int fd, size_t size, file_hash_alg_t alg)
- 	if (digest_length == 0)
- 		return NULL;
- 
-	mapped = mmap(0, size, PROT_READ, MAP_PRIVATE|MAP_POPULATE, fd, 0);
-+	mapped = mmap(0, size, PROT_READ, MAP_SHARED|MAP_POPULATE, fd, 0);
- 	if (mapped != MAP_FAILED) {
- 		unsigned char hptr[SHA512_DIGEST_LENGTH];
- 		int computed = 0;
-- 
-2.52.0
-
--- a/0005-Fix-segfault-when-interrupting-fapolicyd-startup.patch
+++ b/0005-Fix-segfault-when-interrupting-fapolicyd-startup.patch
@ -1,72 +0,0 @@
-From 67620805316e85b4edf6133a106181a4b4c8afac Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
-Date: Thu, 22 Jan 2026 10:55:45 +0100
-Subject: [PATCH] Fix segfault when interrupting fapolicyd startup
-Content-type: text/plain
-
-In non-daemon mode, hitting Ctrl-C while fapolicyd initializes leads to
-getting 2 segfaults:
- first one in term_handler() because 'q' is not initialized yet
- then one in coredump_handler() because 'm' is not initialized yet
-
-Reproducer:
-~~~
- # fapolicyd --debug
- [...]
- 01/22/26 10:48:37 [ INFO ]: Loading rpmdb backend
- ^CSegmentation fault (core dumped)
-~~~
-
-GDB shows:
-~~~
-(gdb) bt
- #0  mlist_first (m=m@entry=0x0) at daemon/mounts.c:86  <<<<< SECOND SEGFAULT
- #1  0x00005627e02de9ec in unmark_fanotify (m=0x0) at daemon/notify.c:258
- #2  0x00005627e02dda13 in coredump_handler (sig=11) at daemon/fapolicyd.c:336
- #3  coredump_handler (sig=11) at daemon/fapolicyd.c:333
- #4  <signal handler called>
- #5  __new_sem_post (sem=0x20) at sem_post.c:36         <<<<< FIRST SEGFAULT
- #6  <signal handler called>
- #7  __recvmsg_syscall (flags=0, msg=0x7ffe93e00350, fd=6) at ../sysdeps/unix/sysv/linux/recvmsg.c:27
- #8  __libc_recvmsg (fd=6, msg=msg@entry=0x7ffe93e00350, flags=flags@entry=0)
-     at ../sysdeps/unix/sysv/linux/recvmsg.c:41
- #9  0x00005627e02eef82 in rpm_load_list (conf=<optimized out>) at library/rpm-backend.c:260
- #10 0x00005627e02ecc02 in backend_load (conf=conf@entry=0x5627e02fa0e0 <config>) at library/backend-manager.c:152
- #11 0x00005627e02e21c0 in init_database (config=config@entry=0x5627e02fa0e0 <config>) at library/database.c:1440
- #12 0x00005627e02db599 in main (argc=<optimized out>, argv=<optimized out>) at daemon/fapolicyd.c:1053
-~~~
---
- src/daemon/notify.c | 3 +++
- src/library/queue.c | 3 ++-
- 2 files changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/daemon/notify.c b/src/daemon/notify.c
-index 8e1e778cb8c8..db6fb72e01ac 100644
--- a/src/daemon/notify.c
-+++ b/src/daemon/notify.c
-@@ -255,6 +255,9 @@ void fanotify_update(mlist *m)
- 
- void unmark_fanotify(mlist *m)
- {
-+	if (m == NULL)
-+		return;
-+
- 	const char *path = mlist_first(m);
- 
- 	// Stop the flow of events
-diff --git a/src/library/queue.c b/src/library/queue.c
-index c82026439923..6236d0096c80 100644
--- a/src/library/queue.c
-+++ b/src/library/queue.c
-@@ -236,6 +236,7 @@ int q_timed_dequeue(struct queue *q, struct fanotify_event_metadata *data,
- 
- void q_shutdown(struct queue *q)
- {
-+	if (q == NULL)
-+		return;
- 	sem_post(&q->sem);
- }
-
-- 
-2.52.0
-
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@ -4,8 +4,8 @@

 Summary: Application Whitelisting Daemon
 Name: fapolicyd
-Version: 1.4.3
-Release: 3%{?dist}
+Version: 1.4.5
+Release: 1%{?dist}
 License: GPL-3.0-or-later
 URL: https://github.com/linux-application-whitelisting/fapolicyd
 Source0: https://github.com/linux-application-whitelisting/fapolicyd/releases/download/v%{version}/fapolicyd-%{version}.tar.gz
@ -18,18 +18,11 @@ Source11: https://github.com/linux-application-whitelisting/%{name}-selinux/rele
 Source20: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz

 # https://github.com/linux-application-whitelisting/fapolicyd
-# $ git format-patch -N v1.4.3
+# $ git format-patch -N v1.4.5
 # https://github.com/linux-application-whitelisting/fapolicyd-selinux
 # $ git format-patch -N --start-number 100 --src-prefix=a/fapolicyd-selinux-1.1/ --dst-prefix=b/fapolicyd-selinux-1.1/ v1.1
 # $ for j in [0-9]*.patch; do printf "Patch: %s\n" $j; done
 # Patch list start
-Patch: 0002-If-less-than-16-chars-were-read-allow-shebang-test-c.patch
-Patch: 0003-Fix-binary-path-of-rpm-loader.patch
-Patch: 0004-Map-file-with-MAP_SHARED-instead-of-MAP_PRIVATE.patch
-Patch: 0005-Fix-segfault-when-interrupting-fapolicyd-startup.patch
-Patch: 0006-Potential-memory-leak-on-early-return-in-file_append.patch
-Patch: 0007-whitespace-fix.patch
-Patch: 0008-Fix-32-bit-ELF-dynamic-section-parsing.patch
 # Patch list end

 BuildRequires: gcc
@ -284,6 +277,14 @@ fi
 %selinux_relabel_post -s %{selinuxtype}

 %changelog
+* Mon Mar 30 2026 Petr Lautrbach <lautrbach@redhat.com> - 1.4.5-1
+- fapolicyd-1.4.5
+  https://github.com/linux-application-whitelisting/fapolicyd/releases/tag/v1.4.5
+
+* Thu Mar 19 2026 Petr Lautrbach <lautrbach@redhat.com> - 1.4.4-1
+- fapolicyd-1.4.4
+  https://github.com/linux-application-whitelisting/fapolicyd/releases/tag/v1.4.4
+
 * Fri Feb 06 2026 Petr Lautrbach <lautrbach@redhat.com> - 1.4.3-3
 - Fix 32-bit ELF dynamic section parsing

--- a/4
+++ b/4
@ -1,5 +1,5 @@
-SHA512 (fapolicyd-1.4.3.tar.gz) = 486e1ac5ef0909fc3759eef8086143cd145e61c1e9430a6d0ade686a625534c93a5fcf7208b7ae8ab692ecffeed915ae17c441230635fccaa1fe6c1604a75142
-SHA512 (fapolicyd-1.4.3.tar.gz.asc) = 74d1743b58431a9d54f36b7b494405a23fca24bf95d75f595b430f6145d4ea405728035fef0e4daac260fb9159870c8606564dd0e5d1d707832945c032fd2c0c
+SHA512 (fapolicyd-1.4.5.tar.gz) = 8211ff92947f378aba2882b0fe6b20d72973295f9d10d0d83e18edf6aafa504ac51f49e84506951d0df228524383ca339a1e861bfd00315a3469d6d7d825f109
+SHA512 (fapolicyd-1.4.5.tar.gz.asc) = faebf3c23992d72e1a4028e0a14a313e9a3dbfb0932a51206c5223b2949b072cfa7b2cb7ca010ccdf6030a51c595a2dfb346df3390ae846795826b9174a22e13
 SHA512 (fapolicyd-selinux-1.1.tar.gz) = 64a7068f8f0a730363e546921ac2eec66a8195d027bacd53f9bf837f55c82d3a667563eb553c6111bc7dfbd90693029577ccefc99dca3d7fe9b7ae5bb61d19bd
 SHA512 (fapolicyd-selinux-1.1.tar.gz.asc) = e881e57d07b00143fce97349060b206f9f1706a914206c0cc4fc700318f4497ff362de1faea463f769594a6f6e5e30cfd18667e25146be7f138ff4cb13dbc7b8
 SHA512 (uthash-2.3.0.tar.gz) = 3b01f1074790fb242900411cb16eb82c1a9afcf58e3196a0f4611d9d7ef94690ad38c0a500e7783d3efa20328aa8d6ab14f246be63b3b3d385502ba2b6b2a294