From 586b5e37fdfb92da67ae31be8706ba18ac7abc97 Mon Sep 17 00:00:00 2001
From: Radovan Sroka
Date: Thu, 16 Jun 2022 17:20:05 +0200
Subject: [PATCH] RHEL 9.1.0 ERRATUM - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path Resolves: rhbz#2069123 - Faulty handling of static applications Resolves: rhbz#2096457
Signed-off-by: Radovan Sroka
---
fapolicyd-1.1.1-ld_so.patch | 27 +++++++++++++++++++++++++++
fapolicyd-1.1.1-static.patch | 19 +++++++++++++++++++
fapolicyd.spec | 28 ++++++++++++++++++++++++----
3 files changed, 70 insertions(+), 4 deletions(-)
create mode 100644 fapolicyd-1.1.1-ld_so.patch
create mode 100644 fapolicyd-1.1.1-static.patch
diff --git a/fapolicyd-1.1.1-ld_so.patch b/fapolicyd-1.1.1-ld_so.patch
new file mode 100644
index 0000000..a79cca7
--- /dev/null
+++ b/fapolicyd-1.1.1-ld_so.patch
@@ -0,0 +1,27 @@
+diff -urp fapolicyd-1.1.1.orig/fapolicyd.spec fapolicyd-1.1.1/fapolicyd.spec
+--- fapolicyd-1.1.1.orig/fapolicyd.spec 2022-01-28 15:17:55.000000000 -0500
++++ fapolicyd-1.1.1/fapolicyd.spec 2022-01-28 15:19:31.594155397 -0500
+@@ -30,7 +30,7 @@ makes use of the kernel's fanotify inter
+ # generate rules for python
+ sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+ sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
++sed -i "s/%ld_so_path%/`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+ 
+ %build
+ %configure \
+diff -urp fapolicyd-1.1.1.orig/m4/dyn_linker.m4 fapolicyd-1.1.1/m4/dyn_linker.m4
+--- fapolicyd-1.1.1.orig/m4/dyn_linker.m4 2022-01-28 15:17:55.000000000 -0500
++++ fapolicyd-1.1.1/m4/dyn_linker.m4 2022-01-28 15:20:02.048609672 -0500
+@@ -1,6 +1,10 @@
+ AC_DEFUN([LD_SO_PATH],
+ [
+- xpath=`realpath /usr/lib64/ld-2.*.so`
++ xpath1=`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev`
++ xpath=`realpath $xpath1`
++ if test ! -f "$xpath" ; then
++ AC_MSG_ERROR([Cant find the dynamic linker])
++ fi
+ echo "dynamic linker is.....$xpath"
+ AC_DEFINE_UNQUOTED(SYSTEM_LD_SO, ["$xpath"], [dynamic linker])
+ ])
diff --git a/fapolicyd-1.1.1-static.patch b/fapolicyd-1.1.1-static.patch
new file mode 100644
index 0000000..49c371b
--- /dev/null
+++ b/fapolicyd-1.1.1-static.patch
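Review bot: The `sed` line added in the inner fapolicyd.spec hunk substitutes whatever the `readelf … | rev` pipeline prints without checking it, so a missing `readelf` or a probe binary with no interpreter entry leaves `%ld_so_path%` replaced by an empty string while the build still succeeds. The m4 hunk in the same patch guards this with `test ! -f "$xpath"` and also resolves the path with `realpath`, which the inner spec line does not, so the generated rules and `SYSTEM_LD_SO` can name different paths when the interpreter path is a symlink. The same unchecked substitution is in the `%prep` hunk of the packaged fapolicyd.spec (`@@ -82,10 +85,20 @@`). Resolve the path once and fail the build on an empty or non-file result, for example `ld_so=$(realpath "$interpret")` followed by `test -f "$ld_so" || exit 1` before the `sed`.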
@@ -0,0 +1,19 @@
+diff -urp fapolicyd-1.1.1.orig/src/library/event.c fapolicyd-1.1.1/src/library/event.c
+--- fapolicyd-1.1.1.orig/src/library/event.c 2022-01-28 15:23:58.000000000 -0500
++++ fapolicyd-1.1.1/src/library/event.c 2022-01-30 20:11:05.516785465 -0500
+@@ -140,7 +140,14 @@ int new_event(const struct fanotify_even
+ 
+ // We need to reset everything now that execve has finished
+ if (s->info->state == STATE_STATIC_PARTIAL && !rc) {
+- s->info->state = STATE_STATIC;
++ // If the static app itself launches an app right
++ // away, go back to collecting.
++ if (e->type & FAN_OPEN_EXEC_PERM)
++ s->info->state = STATE_COLLECTING;
++ else {
++ s->info->state = STATE_STATIC;
++ skip_path = 1;
++ }
+ evict = 0;
+ skip_path = 1;
+ subject_reset(s, EXE);
diff --git a/fapolicyd.spec b/fapolicyd.spec
index 797ea91..fd9d8bf 100644
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@@ -5,7 +5,7 @@ Summary: Application Whitelisting Daemon Name: fapolicyd Version: 1.1 -Release: 101%{?dist} +Release: 104%{?dist} License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@@ -34,6 +34,9 @@ Patch1: fapolicyd-uthash-bundle.patch Patch2: fapolicyd-selinux.patch Patch3: fapolicyd-reorder-rules.patch Patch4: fagenrules-group.patch +# 2069123 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-9.1.0] +Patch5: fapolicyd-1.1.1-ld_so.patch +Patch6: fapolicyd-1.1.1-static.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting
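Review bot: In the event.c hunk of fapolicyd-1.1.1-static.patch, the `skip_path = 1;` added inside the `else` branch has no effect, because the unchanged `skip_path = 1;` two lines below runs on both branches. If the path is meant to be recorded when the subject goes back to `STATE_COLLECTING` (inferred from the added comment, not shown in the hunk), the unconditional assignment is the one to remove; otherwise drop the copy in the `else` and brace both arms the same way. `new_event` starts and ends outside the hunk, so how `skip_path` is consumed afterwards cannot be checked here.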
@@ -82,10 +85,20 @@ Don't use dnf and rpm plugin together. %patch2 -p1 -b .selinux %patch3 -p1 -b .reorder %patch4 -p1 -b .group +%patch5 -p1 -b .ld_so +%patch6 -p1 -b .static -sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules -sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules -sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-linux-*.so.*' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules +# generate rules for python +sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules +sed -i "s|%python3_path%|`readlink -f %{__python3}`|g" rules.d/*.rules + +interpret=`readelf -e /usr/bin/bash \ + | grep Requesting \ + | sed 's/.$//' \ + | rev | cut -d" " -f1 \ + | rev` + +sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules %build ./autogen.sh
@@ -265,6 +278,13 @@ fi %changelog +* Thu Jun 16 2022 Radovan Sroka - 1.1-104 +RHEL 9.1.0 ERRATUM +- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path +Resolves: rhbz#2069123 +- Faulty handling of static applications +Resolves: rhbz#2096457 + * Sun Apr 3 2022 Radovan Sroka - 1.1-101 RHEL 9.1.0 ERRATUM - fapolicyd denies access to /usr/lib64/ld-2.28.so
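Review bot: The `grep Requesting` step of the `interpret=` pipeline in `%prep` matches the English wording of readelf's human-readable output, so the probe appears to depend on the build locale and on `readelf` being present in the buildroot; no `BuildRequires` for it is visible in these hunks. Pinning the locale and matching the whole message makes the probe more predictable: `interpret=$(LC_ALL=C readelf -l /usr/bin/bash | sed -n 's/.*Requesting program interpreter: \(.*\)\]$/\1/p')`. `realpath $interpret` is also unquoted; `realpath "$interpret"` avoids word splitting if the probe ever returns unexpected text.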