RHEL 9.3.0 ERRATUM

- Rebase fapolicyd to the latest stable version
Resolves: RHEL-430
- fapolicyd can leak FDs and never answer request, causing target process to hang forever
Resolves: RHEL-621
- RFE: send rule number to fanotify so it gets audited
Resolves: RHEL-624
- fapolicyd needs to make sure the FD limit is never reached
Resolves: RHEL-623
- fapolicyd still allows execution of a program after "untrusting" it
Resolves: RHEL-622
- Default q_size doesn't match manpage's one
Resolves: RHEL-627
- fapolicyd-cli --update then mount/umount twice causes fapolicyd daemon to block (state 'D')
Resolves: RHEL-817
- Fix broken backwards compatibility backend numbers
Resolves: RHEL-730
- SELinux prevents the fapolicyd from reading symlink (cert_t)
Resolves: RHEL-816

Signed-off-by: Radovan Sroka <rsroka@redhat.com>
Radovan Sroka 2023-07-19 14:07:37 +02:00
parent 6bd1af3f3c
commit 57dfd7b96f
7 changed files with 117 additions and 87 deletions

1
.gitignore vendored

@ -22,3 +22,4 @@
/fapolicyd-1.1.3.tar.gz
/fapolicyd-1.3.1.tar.gz
/fapolicyd-selinux-0.6.tar.gz
/fapolicyd-1.3.2.tar.gz

78
fapolicyd-leaks.patch Normal file

@ -0,0 +1,78 @@
From 248219377a034d7da9238e7424c97558395700e3 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Tue, 18 Jul 2023 17:05:11 +0200
Subject: [PATCH] Fix multiple leaks
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
src/library/filter.c | 3 +++
src/library/policy.c | 13 +++++++++++--
src/library/rules.c | 3 ---
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/library/filter.c b/src/library/filter.c
index d5d8cca..eb378ca 100644
--- a/src/library/filter.c
+++ b/src/library/filter.c
@@ -472,9 +472,12 @@ int filter_load_file(void)
msg(LOG_ERR, "filter_load_file: paring error line: %ld, \"%s\"", line_number, line);
filter_destroy_obj(filter);
free(line);
+ line = NULL;
goto bad;
}
+ }
+ if (line) {
free(line);
line = NULL;
}
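
Review bot: The `if (line)` guard added after the loop in filter_load_file() is unnecessary, because free(NULL) is a no-op; `free(line); line = NULL;` on its own does the same. The added `line = NULL;` before `goto bad;` only matters if the code after the `bad` label touches `line`, and that code is not in this hunk, so the commit message should say whether this closes a double free or is hygiene. Since the release now happens once after the loop instead of per iteration, a one-line comment that the buffer is reused across iterations would help the next reader.
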
diff --git a/src/library/policy.c b/src/library/policy.c
index 7fe1210..31ff6e2 100644
--- a/src/library/policy.c
+++ b/src/library/policy.c
@@ -23,6 +23,7 @@
* Radovan Sroka <rsroka@redhat.com>
*/
+#include "attr-sets.h"
#include "config.h"
#include <stdbool.h>
#include <stdio.h>
@@ -273,12 +274,20 @@ int load_rules(const conf_t *_config)
return 1;
FILE * f = open_file();
- if (f == NULL)
+ if (f == NULL) {
+ destroy_attr_sets();
return 1;
+ }
int res = _load_rules(_config, f);
fclose(f);
- return res;
+
+ if (res) {
+ destroy_attr_sets();
+ return 1;
+ }
+
+ return 0;
}
void destroy_rules(void)
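
Review bot: The early `return 1;` in the context line above `open_file()` in load_rules() gets no `destroy_attr_sets()`, unlike the two failure paths added below it; if the attr sets are already initialized at that point, that exit still leaks. A single cleanup label shared by all failure exits would remove the duplicated call. Also, `return res;` became `return 1;` / `return 0;`, so any distinct non-zero value from `_load_rules()` is flattened; that is fine if callers only test for non-zero, but it should be stated.
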
diff --git a/src/library/rules.c b/src/library/rules.c
index 5ffa40e..4a8b098 100644
--- a/src/library/rules.c
+++ b/src/library/rules.c
@@ -65,9 +65,6 @@ int rules_create(llist *l)
l->cur = NULL;
l->cnt = 0;
- if (init_attr_sets())
- return 1;
-
return 0;
}
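
Review bot: Removing `init_attr_sets()` from rules_create() leaves no initialization call visible anywhere in this patch, while policy.c now calls `destroy_attr_sets()` on failure. Please name in the commit message where the attr sets are initialized after this change and confirm it happens exactly once before any rule is parsed; "Fix multiple leaks" with an empty body does not say which allocations leaked or how this removal relates to them.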


@ -1,23 +0,0 @@
From f36592179308967fcbd19a20e8338cfdf0b87697 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Thu, 22 Jun 2023 20:37:05 +0200
Subject: [PATCH] Sync the default q_size value with manpage
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
init/fapolicyd.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/init/fapolicyd.conf b/init/fapolicyd.conf
index 8363b89a..933595e9 100644
--- a/init/fapolicyd.conf
+++ b/init/fapolicyd.conf
@@ -5,7 +5,7 @@
permissive = 0
nice_val = 14
-q_size = 640
+q_size = 800
uid = fapolicyd
gid = fapolicyd
do_stat_report = 1


@ -1,55 +0,0 @@
From 00ebdf8b45f83019dd0c00d741ce99cdb4b177ba Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Wed, 21 Jun 2023 10:49:27 -0400
Subject: [PATCH] Change how rlimit is set
Last release changed to using the systemd LimitNOFILE=16384. This also
has the effect of changing the hard rlimit to the same number. If we
instead call getrlimit and set the soft limit to the hard limit, we
can have more descriptors available.
Also correct the error detection of failed nice syscalls.
---
init/fapolicyd.service | 1 -
src/daemon/fapolicyd.c | 11 ++++++++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/init/fapolicyd.service b/init/fapolicyd.service
index 831b5ff8..a5a6a3fc 100644
--- a/init/fapolicyd.service
+++ b/init/fapolicyd.service
@@ -6,7 +6,6 @@ Documentation=man:fapolicyd(8)
[Service]
OOMScoreAdjust=-1000
-LimitNOFILE=16384
Type=forking
PIDFile=/run/fapolicyd.pid
ExecStartPre=/usr/sbin/fagenrules
diff --git a/src/daemon/fapolicyd.c b/src/daemon/fapolicyd.c
index 454e43b4..173f41c4 100644
--- a/src/daemon/fapolicyd.c
+++ b/src/daemon/fapolicyd.c
@@ -516,12 +516,21 @@ int main(int argc, const char *argv[])
limit.rlim_cur = RLIM_INFINITY;
limit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_FSIZE, &limit);
+ getrlimit(RLIMIT_NOFILE, &limit);
+ if (limit.rlim_max >= 16384)
+ limit.rlim_cur = limit.rlim_max;
+ else
+ limit.rlim_cur = 16834;
if (setrlimit(RLIMIT_NOFILE, &limit))
msg(LOG_WARNING, "Can't increase file number rlimit - %s",
strerror(errno));
+ else
+ msg(LOG_INFO, "Can handle %u file descriptors", limit.rlim_cur);
// get more time slices because everything is waiting on us
- if (nice(-config.nice_val))
+ errno = 0;
+ nice(-config.nice_val);
+ if (errno)
msg(LOG_WARNING, "Couldn't adjust priority (%s)",
strerror(errno));
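
Review bot: The else branch in main() sets `limit.rlim_cur = 16834;`, which looks like a transposition of the 16384 tested one line above. That branch is taken only when `rlim_max` is below 16384, so it asks for a soft limit above the unchanged hard limit and `setrlimit()` will fail with EINVAL; clamping to `limit.rlim_max` in both cases would be correct. The `%u` in the "Can handle" message is also the wrong conversion for `rlim_t` on 64-bit builds. Since this downstream patch is dropped with the rebase, check whether the 1.3.2 tarball carries the same lines.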


@ -0,0 +1,23 @@
From 05780f9accae504440ffed0548bd3e4144cfb70e Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Wed, 19 Jul 2023 16:00:13 +0200
Subject: [PATCH] Allow links
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
fapolicyd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fapolicyd-selinux-0.6/fapolicyd.te b/fapolicyd-selinux-0.6/fapolicyd.te
index daf31bd..5d6f9aa 100644
--- a/fapolicyd-selinux-0.6/fapolicyd.te
+++ b/fapolicyd-selinux-0.6/fapolicyd.te
@@ -53,6 +53,8 @@ ifdef(`fs_watch_all_fs',`
files_watch_sb_all_mountpoints(fapolicyd_t)
')
+allow fapolicyd_t file_type : lnk_file { getattr read };
+
manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
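
Review bot: The added `allow fapolicyd_t file_type : lnk_file { getattr read };` grants symlink read on every file type, while the bug it resolves is about a cert_t symlink. If the daemon really has to follow links of any label to resolve paths, say so in a comment above the rule and prefer the refpolicy interface `files_read_all_symlinks(fapolicyd_t)` over a raw allow; otherwise narrow the rule to the types that were actually denied. The diffstat in the patch header also names `fapolicyd.te` without the `fapolicyd-selinux-0.6/` prefix used in the diff paths.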


@ -4,7 +4,7 @@
Summary: Application Whitelisting Daemon
Name: fapolicyd
Version: 1.3.1
Version: 1.3.2
Release: 100%{?dist}
License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd
@ -32,8 +32,8 @@ Requires(postun): systemd-units
Patch1: fapolicyd-uthash-bundle.patch
Patch2: selinux.patch
Patch3: fapolicyd-rlimit-change.patch
Patch4: fapolicyd-q-size-default.patch
Patch3: fapolicyd-leaks.patch
Patch4: fapolicyd-selinux-links.patch
%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting
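
Review bot: Patch3 and Patch4 are reused for the new leaks and selinux-links patches, and fapolicyd-rlimit-change.patch and fapolicyd-q-size-default.patch disappear without a word in the changelog. The changelog still lists RHEL-623 (FD limit) and RHEL-627 (q_size default) as resolved, so please confirm that the 1.3.2 tarball contains both changes and note in the changelog entry that the two patches were dropped because they are now upstream.
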
@ -67,8 +67,8 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
%endif
%patch -P 2 -p1 -b .selinux
%patch -P 3 -p1 -b .rlimit
%patch -P 4 -p1 -b .q-size
%patch -P 3 -p1 -b .leaks
%patch -P 4 -p1 -b .links
# generate rules for python
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
@ -255,7 +255,7 @@ fi
%selinux_relabel_post -s %{selinuxtype}
%changelog
* Fri Jun 16 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.1-100
* Wed Jul 19 2023 Radovan Sroka <rsroka@redhat.com> - 1.3.2-100
RHEL 9.3.0 ERRATUM
- Rebase fapolicyd to the latest stable version
Resolves: RHEL-430
@ -268,7 +268,13 @@ Resolves: RHEL-623
- fapolicyd still allows execution of a program after "untrusting" it
Resolves: RHEL-622
- Default q_size doesn't match manpage's one
Resolves: TBD
Resolves: RHEL-627
- fapolicyd-cli --update then mount/umount twice causes fapolicyd daemon to block (state 'D')
Resolves: RHEL-817
- Fix broken backwards compatibility backend numbers
Resolves: RHEL-730
- SELinux prevents the fapolicyd from reading symlink (cert_t)
Resolves: RHEL-816
* Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-104
RHEL 9.2.0 ERRATUM


@ -1,3 +1,3 @@
SHA512 (fapolicyd-1.3.1.tar.gz) = 319b793db0f59ef49d67c0734aa379501f2ceec206eeedbd5f193c6148bb4f2327a00546c6eeccc38500ef3be60354fee2ca643e7a2c2e668dea5a93034ce69c
SHA512 (fapolicyd-selinux-0.6.tar.gz) = db3fb9fce2146cd9137585eae271e727aee4d774e385bbffa10ae70c6e40cf58f2e7aecd8ff8bc3ae446d75089f3ab1bd615237866d600df4acef6747a0c77c7
SHA512 (fapolicyd-1.3.2.tar.gz) = b10e4e1e5068a67e7b36f876552de86404db09f768113773eb35d2b166818ece9098af5c38b2930c54feae8b4be80de6f3e7dbd96b94932b86e008d47c89506f
SHA512 (uthash-2.3.0.tar.gz) = 3b01f1074790fb242900411cb16eb82c1a9afcf58e3196a0f4611d9d7ef94690ad38c0a500e7783d3efa20328aa8d6ab14f246be63b3b3d385502ba2b6b2a294
SHA512 (fapolicyd-selinux-0.6.tar.gz) = db3fb9fce2146cd9137585eae271e727aee4d774e385bbffa10ae70c6e40cf58f2e7aecd8ff8bc3ae446d75089f3ab1bd615237866d600df4acef6747a0c77c7