import fapolicyd-1.1.3-12.el8

2023-05-16 06:11:08 +00:00 · 2023-05-16 06:11:08 +00:00 · 550d85d191
parent 111b19ec94
commit 550d85d191
5 changed files with 1289 additions and 29 deletions
--- a/SOURCES/fapolicyd-already-started.patch
+++ b/SOURCES/fapolicyd-already-started.patch
@ -0,0 +1,110 @@
+diff -up ./src/daemon/fapolicyd.c.already-started ./src/daemon/fapolicyd.c
+--- ./src/daemon/fapolicyd.c.already-started	2023-01-12 17:40:45.366909652 +0100
+++ ./src/daemon/fapolicyd.c	2023-01-12 17:46:22.458139519 +0100
+@@ -378,6 +378,58 @@ static void usage(void)
+ }
+ 
+ 
+int already_running(void)
+{
+	int pidfd = open(pidfile, O_RDONLY);
+	if (pidfd >= 0) {
+		char pid_buf[16];
+
+		if (fd_fgets(pid_buf, sizeof(pid_buf), pidfd)) {
+			int pid;
+			char exe_buf[80], my_path[80];
+
+			// Get our path
+			if (get_program_from_pid(getpid(),
+					sizeof(exe_buf), my_path) == NULL)
+				goto err_out; // shouldn't happen, but be safe
+
+			// convert pidfile to integer
+			errno = 0;
+			pid = strtoul(pid_buf, NULL, 10);
+			if (errno)
+				goto err_out; // shouldn't happen, but be safe
+
+			// verify it really is fapolicyd
+			if (get_program_from_pid(pid,
+					sizeof(exe_buf), exe_buf) == NULL)
+				goto good; //if pid doesn't exist, we're OK
+
+			// If the path doesn't have fapolicyd in it, we're OK
+			if (strstr(exe_buf, "fapolicyd") == NULL)
+				goto good;
+
+			if (strcmp(exe_buf, my_path) == 0)
+				goto err_out; // if the same, we need to exit
+
+			// one last sanity check in case path is unexpected
+			// for example: /sbin/fapolicyd & /home/test/fapolicyd
+			if (pid != getpid())
+				goto err_out;
+good:
+			close(pidfd);
+			unlink(pidfile);
+			return 0;
+		} else
+		    msg(LOG_ERR, "fapolicyd pid file found but unreadable");
+err_out: // At this point, we have a pid file, let's just assume it's alive
+	 // because if 2 are running, it deadlocks the machine
+		close(pidfd);
+		return 1;
+	}
+	return 0; // pid file doesn't exist, we're good to go
+}
+
+
+ int main(int argc, const char *argv[])
+ {
+ 	struct pollfd pfd[2];
+@@ -428,6 +480,11 @@ int main(int argc, const char *argv[])
+ 		}
+ 	}
+ 
+	if (already_running()) {
+		msg(LOG_ERR, "fapolicyd is already running");
+		exit(1);
+	}
+
+ 	// Set a couple signal handlers
+ 	sa.sa_flags = 0;
+ 	sigemptyset(&sa.sa_mask);
+@@ -446,9 +503,6 @@ int main(int argc, const char *argv[])
+ 	setrlimit(RLIMIT_FSIZE, &limit);
+ 	setrlimit(RLIMIT_NOFILE, &limit);
+ 
+-	// Set strict umask
+-	(void) umask( 0117 );
+-
+ 	// get more time slices because everything is waiting on us
+ 	rc = nice(-config.nice_val);
+ 	if (rc == -1)
+@@ -473,17 +527,20 @@ int main(int argc, const char *argv[])
+ 		exit(1);
+ 	}
+ 
+-	if (preconstruct_fifo(&config)) {
+-		msg(LOG_ERR, "Cannot contruct a pipe");
+-		exit(1);
+-	}
+-
+ 	// Setup filesystem to watch list
+ 	init_fs_list(config.watch_fs);
+ 
+ 	// Write the pid file for the init system
+ 	write_pid_file();
+ 
+	// Set strict umask
+	(void) umask( 0117 );
+
+	if (preconstruct_fifo(&config)) {
+		msg(LOG_ERR, "Cannot contruct a pipe");
+		exit(1);
+	}
+
+ 	// If we are not going to be root, then setup necessary capabilities
+ 	if (config.uid != 0) {
+ 		capng_clear(CAPNG_SELECT_BOTH);
--- a/SOURCES/fapolicyd-exclude-list.patch
+++ b/SOURCES/fapolicyd-exclude-list.patch
--- a/SOURCES/fapolicyd-falcon-sensor.patch
+++ b/SOURCES/fapolicyd-falcon-sensor.patch
@ -0,0 +1,74 @@
+diff -up ./src/library/event.c.event ./src/library/event.c
+--- ./src/library/event.c.event	2022-06-21 16:55:47.000000000 +0200
+++ ./src/library/event.c	2022-12-22 13:12:58.226816235 +0100
+@@ -132,7 +132,15 @@ int new_event(const struct fanotify_even
+ 		if ((s->info->state == STATE_COLLECTING) &&
+ 			(e->type & FAN_OPEN_PERM) && !rc) {
+ 			skip_path = 1;
+
+ 			s->info->state = STATE_REOPEN;
+
+			// special branch after ld_so exec
+			// next opens will go fall trough
+			if (s->info->path1 &&
+				(strcmp(s->info->path1, SYSTEM_LD_SO) == 0))
+				s->info->state = STATE_DEFAULT_REOPEN;
+
+ 		}
+ 
+ 		// If not same proc or we detect execution, evict
+@@ -149,7 +157,6 @@ int new_event(const struct fanotify_even
+ 				skip_path = 1;
+ 			}
+ 			evict = 0;
+-			skip_path = 1;
+ 			subject_reset(s, EXE);
+ 			subject_reset(s, COMM);
+ 			subject_reset(s, EXE_TYPE);
+@@ -165,6 +172,7 @@ int new_event(const struct fanotify_even
+ 			skip_path = 1;
+ 		}
+ 
+
+ 		// If we've seen the reopen and its an execute and process
+ 		// has an interpreter and we're the same process, don't evict
+ 		// and don't collect the path since reopen interp will. The
+@@ -173,14 +181,25 @@ int new_event(const struct fanotify_even
+ 		if ((s->info->state == STATE_REOPEN) && !skip_path &&
+ 				(e->type & FAN_OPEN_EXEC_PERM) &&
+ 				(s->info->elf_info & HAS_INTERP) && !rc) {
+			s->info->state = STATE_DEFAULT_REOPEN;
+ 			evict = 0;
+ 			skip_path = 1;
+ 		}
+ 
+
+		// this is what differs between STATE_REOPEN and
+		// STATE_DEFAULT_REOPEN
+		// in STATE_REOPEN path is always skipped
+		if ((s->info->state == STATE_REOPEN) && !skip_path &&
+				(e->type & FAN_OPEN_PERM) && !rc) {
+			skip_path = 1;
+		}
+
+ 		if (evict) {
+ 			lru_evict(subj_cache, key);
+ 			q_node = check_lru_cache(subj_cache, key);
+ 			s = (s_array *)q_node->item;
+
+ 		} else if (s->cnt == 0)
+ 			msg(LOG_DEBUG, "cached subject has cnt of 0");
+ 	}
+diff -up ./src/library/process.h.event ./src/library/process.h
+--- ./src/library/process.h.event	2022-06-21 16:55:47.000000000 +0200
+++ ./src/library/process.h	2022-12-22 13:10:23.260996771 +0100
+@@ -31,7 +31,8 @@
+ #include "gcc-attributes.h"
+ 
+ typedef enum {	STATE_COLLECTING=0,	// initial state - execute
+-		STATE_REOPEN,		// anticipating open perm next
+		STATE_REOPEN,		// anticipating open perm next, always skips the path
+		STATE_DEFAULT_REOPEN,  // reopen after dyn. linker exec, never skips the path
+ 		STATE_STATIC_REOPEN,	// static app aniticipating
+ 		STATE_PARTIAL,		// second path collected
+ 		STATE_STATIC_PARTIAL,	// second path collected
--- a/SOURCES/fapolicyd-static-app.patch
+++ b/SOURCES/fapolicyd-static-app.patch
@ -1,22 +0,0 @@
-From 67c116d07ed4e73127392a2100a042882488585a Mon Sep 17 00:00:00 2001
-From: Steve Grubb <sgrubb@redhat.com>
-Date: Tue, 27 Sep 2022 10:32:28 -0400
-Subject: [PATCH] Detect trusted static apps running programs by ld.so
-
---
- ChangeLog           | 1 +
- src/library/event.c | 1 -
- 2 files changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/library/event.c b/src/library/event.c
-index cbb4292..4d79eb9 100644
--- a/src/library/event.c
-+++ b/src/library/event.c
-@@ -149,7 +149,6 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
- 				skip_path = 1;
- 			}
- 			evict = 0;
-			skip_path = 1;
- 			subject_reset(s, EXE);
- 			subject_reset(s, COMM);
- 			subject_reset(s, EXE_TYPE);
--- a/SPECS/fapolicyd.spec
+++ b/SPECS/fapolicyd.spec
@ -5,7 +5,7 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.1.3
-Release: 8%{?dist}.1
+Release: 12%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -40,8 +40,9 @@ Patch7: fapolicyd-cli-segfault.patch
 Patch8: fapolicyd-sighup.patch
 Patch9: fapolicyd-readme.patch

-# 2137251 - statically linked app can execute untrusted app [rhel-8.7.0.z]
-Patch10: fapolicyd-static-app.patch
+Patch10: fapolicyd-falcon-sensor.patch
+Patch11: fapolicyd-exclude-list.patch
+Patch12: fapolicyd-already-started.patch

 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -78,7 +79,9 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
 %patch8 -p1 -b .sighup
 %patch9 -p1 -b .readme

-%patch10 -p1 -b .static
+%patch10 -p1 -b .event
+%patch11 -p1 -b .exclude
+%patch12 -p1 -b .already-started

 # generate rules for python
 sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
@ -230,6 +233,7 @@ fi
 %ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
 %ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rpm-filter.conf
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
 %attr(644,root,root) %{_unitdir}/%{name}.service
 %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
@ -267,10 +271,16 @@ fi
 %selinux_relabel_post -s %{selinuxtype}

 %changelog
-* Wed Oct 26 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-8.1
-RHEL 8.7.0.Z ERRATUM
+* Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-12
+RHEL 8.8.0 ERRATUM
 - statically linked app can execute untrusted app
-Resolves: rhbz#2137251
+Resolves: rhbz#2088349
+- Starting manually fapolicyd while the service is already running breaks the system
+Resolves: rhbz#2103352
+- Cannot execute /usr/libexec/grepconf.sh when falcon-sensor is enabled
+Resolves: rhbz#2087040
+- fapolicyd: Introduce filtering of rpmdb
+Resolves: rhbz#2165645

 * Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-8
 RHEL 8.7.0 ERRATUM