rpms
/
fapolicyd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import fapolicyd-1.1-6.el8

This commit is contained in:
CentOS Sources 2022-05-10 03:07:05 -04:00 committed by Stepan Oksanichenko
parent a40b0c24cc
commit 700d89d3a8
18 changed files with 339 additions and 505 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.fapolicyd.metadata
View File

@ -1,2 +1,2 @@
f3b2418bcbea4b2208de429e5fa449666af84b6e SOURCES/fapolicyd-1.0.2.tar.gz
30a587d8d696846ac05fbae206a8f563b2945189 SOURCES/fapolicyd-selinux-0.3.tar.gz
1fa6cf3f0a15bbef745438c1ba7b685ebf7e75f1 SOURCES/fapolicyd-1.1.tar.gz
bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz

4
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/fapolicyd-1.0.2.tar.gz
SOURCES/fapolicyd-selinux-0.3.tar.gz
SOURCES/fapolicyd-1.1.tar.gz
SOURCES/fapolicyd-selinux-0.4.tar.gz

13
SOURCES/fagenrules-group.patch Normal file
View File

@ -0,0 +1,13 @@
diff -up ./init/fagenrules.fix ./init/fagenrules
--- ./init/fagenrules.fix 2022-04-01 16:12:50.512164904 +0200
+++ ./init/fagenrules 2022-04-01 16:21:07.924712100 +0200
@@ -117,7 +117,8 @@ fi
# We copy the file so that it gets the right selinux label
cp ${TmpRules} ${DestinationFile}
-chmod 0640 ${DestinationFile}
+chmod 0644 ${DestinationFile}
+chgrp fapolicyd ${DestinationFile}
# Restore context on MLS system.
# /tmp is SystemLow & fapolicyd.rules is SystemHigh

27
SOURCES/fapolicyd-1.1.1-ld_so.patch Normal file
View File

@ -0,0 +1,27 @@
diff -urp fapolicyd-1.1.1.orig/fapolicyd.spec fapolicyd-1.1.1/fapolicyd.spec
--- fapolicyd-1.1.1.orig/fapolicyd.spec 2022-01-28 15:17:55.000000000 -0500
+++ fapolicyd-1.1.1/fapolicyd.spec 2022-01-28 15:19:31.594155397 -0500
@@ -30,7 +30,7 @@ makes use of the kernel's fanotify inter
# generate rules for python
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+sed -i "s/%ld_so_path%/`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
%build
%configure \
diff -urp fapolicyd-1.1.1.orig/m4/dyn_linker.m4 fapolicyd-1.1.1/m4/dyn_linker.m4
--- fapolicyd-1.1.1.orig/m4/dyn_linker.m4 2022-01-28 15:17:55.000000000 -0500
+++ fapolicyd-1.1.1/m4/dyn_linker.m4 2022-01-28 15:20:02.048609672 -0500
@@ -1,6 +1,10 @@
AC_DEFUN([LD_SO_PATH],
[
- xpath=`realpath /usr/lib64/ld-2.*.so`
+ xpath1=`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev`
+ xpath=`realpath $xpath1`
+ if test ! -f "$xpath" ; then
+ AC_MSG_ERROR([Cant find the dynamic linker])
+ fi
echo "dynamic linker is.....$xpath"
AC_DEFINE_UNQUOTED(SYSTEM_LD_SO, ["$xpath"], [dynamic linker])
])

25
SOURCES/fapolicyd-cli-hang.patch
View File

@ -1,25 +0,0 @@
From 3f43b262b1c5b9841fd0f387cac442aefeb84da9 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Sun, 31 Jan 2021 18:49:10 +0100
Subject: [PATCH] Added MDB_NOLOCK to cli mdb_env_open() (#114)
- MDB_NOLOCK option resolves the issue with --dump-db hang
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
src/cli/fapolicyd-cli.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cli/fapolicyd-cli.c b/src/cli/fapolicyd-cli.c
index fe47948..befb8ce 100644
--- a/src/cli/fapolicyd-cli.c
+++ b/src/cli/fapolicyd-cli.c
@@ -114,7 +114,7 @@ static int do_dump_db(void)
return 1;
}
mdb_env_set_maxdbs(env, 2);
- rc = mdb_env_open(env, DB_DIR, MDB_RDONLY, 0660);
+ rc = mdb_env_open(env, DB_DIR, MDB_RDONLY|MDB_NOLOCK, 0660);
if (rc) {
fprintf(stderr, "mdb_env_open failed, error %d %s\n", rc,
mdb_strerror(rc));

14
SOURCES/fapolicyd-dnf-plugin.patch
View File

@ -1,14 +1,13 @@
diff -up ./dnf/fapolicyd-dnf-plugin.py.plugin ./dnf/fapolicyd-dnf-plugin.py
--- ./dnf/fapolicyd-dnf-plugin.py.plugin 2021-02-11 13:41:27.837534982 +0100
+++ ./dnf/fapolicyd-dnf-plugin.py 2021-02-11 13:41:50.750225335 +0100
@@ -7,30 +7,8 @@ import sys
diff --color -ru a/dnf/fapolicyd-dnf-plugin.py b/dnf/fapolicyd-dnf-plugin.py
--- a/dnf/fapolicyd-dnf-plugin.py 2021-11-12 20:21:54.000000000 +0100
+++ b/dnf/fapolicyd-dnf-plugin.py 2021-11-18 16:29:03.919237116 +0100
@@ -8,29 +8,9 @@
class Fapolicyd(dnf.Plugin):
- name = "fapolicyd"
name = "fapolicyd"
- pipe = "/var/run/fapolicyd/fapolicyd.fifo"
- file = None
-
def __init__(self, base, cli):
pass
@ -33,3 +32,4 @@ diff -up ./dnf/fapolicyd-dnf-plugin.py.plugin ./dnf/fapolicyd-dnf-plugin.py
- self.file.write("1")
- self.file.close()
+ pass
Only in b/dnf: fapolicyd-dnf-plugin.py.plugin

30
SOURCES/fapolicyd-fanotify-read-error.patch
View File

@ -1,30 +0,0 @@
From d12dde7f3fdeb82a9fb064e26d260f40fb2036c0 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Mon, 22 Mar 2021 10:38:31 -0400
Subject: [PATCH] Do not exit on fanotify_event read failure
---
ChangeLog | 1 +
src/daemon/notify.c | 11 ++++++++---
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/daemon/notify.c b/src/daemon/notify.c
index 3e42b92..a83db39 100644
--- a/src/daemon/notify.c
+++ b/src/daemon/notify.c
@@ -337,8 +337,13 @@ void handle_events(void)
len = read(fd, (void *) buf, sizeof(buf));
} while (len == -1 && errno == EINTR && stop == 0);
if (len == -1 && errno != EAGAIN) {
- msg(LOG_ERR,"Error reading (%s)", strerror(errno));
- exit(1);
+ // If we get this, we have no access to the file. We
+ // cannot formulate a reply either to deny it because
+ // we have nothing to work with.
+ msg(LOG_ERR,
+ "Error receiving fanotify_event (%s)",
+ strerror(errno));
+ return;
}
if (stop)
return;

47
SOURCES/fapolicyd-magic-override.patch
View File

@ -1,47 +0,0 @@
diff -up ./init/fapolicyd-magic.magic ./init/fapolicyd-magic
--- ./init/fapolicyd-magic.magic 2021-01-05 16:27:53.000000000 +0100
+++ ./init/fapolicyd-magic 2021-02-17 15:51:41.420604805 +0100
@@ -1,9 +1,17 @@
0 string/w #!\ /usr/bin/bash Bourne-Again shell script text executable
!:mime text/x-shellscript
+0 search/1/w #!\ /usr/bin/env\ bash Bourne-Again shell script text executable
+!:strength + 15
+!:mime text/x-shellscript
+
0 string/w #!\ /usr/bin/sh Shell script text executable
!:mime text/x-shellscript
+0 search/1/w #!\ /usr/bin/env\ sh Shell script text executable
+!:strength + 15
+!:mime text/x-shellscript
+
0 string/wt #!\ /bin/rc Plan 9 shell script text executable
!:mime text/x-plan9-shellscript
@@ -47,10 +55,18 @@
!:strength + 15
!:mime text/x-python
+0 search/1/w #!\ /usr/bin/env\ python3 Python script text executable
+!:strength + 15
+!:mime text/x-python
+
0 search/1/wt #!\ /usr/bin/python2 Python script text executable
!:strength + 15
!:mime text/x-python
+0 search/1/w #!\ /usr/bin/env\ python2 Python script text executable
+!:strength + 15
+!:mime text/x-python
+
0 search/1/wt #!\ /usr/bin/python Python script text executable
!:strength + 15
!:mime text/x-python
@@ -72,6 +88,5 @@
0 search/1/wt #!\ /usr/bin/tclsh Tcl/Tk script text executable
!:mime text/x-tcl
-
0 search/1/wt #!\ /usr/bin/stap Systemtap script text executable
!:mime text/x-systemtap

110
SOURCES/fapolicyd-reorder-rules.patch Normal file
View File

@ -0,0 +1,110 @@
From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Thu, 24 Mar 2022 09:59:05 +0100
Subject: [PATCH] Reorder loop holes with patterns in rules.d
- this keeps backwards compatibility with older wersions of rules
- the ld_so pattern was applied to root
- it caused problems with running ldd as root(previously unrestricted)
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
fapolicyd.spec | 6 +++---
rules.d/{30-dracut.rules => 20-dracut.rules} | 0
rules.d/{30-updaters.rules => 21-updaters.rules} | 0
rules.d/{20-patterns.rules => 30-patterns.rules} | 0
rules.d/Makefile.am | 4 ++--
rules.d/README-rules | 16 ++++++++--------
6 files changed, 13 insertions(+), 13 deletions(-)
rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%)
rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%)
rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%)
diff --git a/fapolicyd.spec b/fapolicyd.spec
index c2aae21..261b780 100644
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@@ -66,9 +66,9 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
if [ "$files" -eq 0 ] ; then
## Install the known libs policy
cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/
diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules
similarity index 100%
rename from rules.d/30-dracut.rules
rename to rules.d/20-dracut.rules
diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules
similarity index 100%
rename from rules.d/30-updaters.rules
rename to rules.d/21-updaters.rules
diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules
similarity index 100%
rename from rules.d/20-patterns.rules
rename to rules.d/30-patterns.rules
diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am
index 76b5377..9bb61a7 100644
--- a/rules.d/Makefile.am
+++ b/rules.d/Makefile.am
@@ -23,8 +23,8 @@
CONFIG_CLEAN_FILES = *.rej *.orig
-EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \
- 30-dracut.rules 30-updaters.rules \
+EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \
+ 21-updaters.rules 30-patterns.rules \
40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \
43-known-elf.rules \
70-trusted-lang.rules 71-known-python.rules 72-shell.rules \
diff --git a/rules.d/README-rules b/rules.d/README-rules
index c03c02b..30fcd01 100644
--- a/rules.d/README-rules
+++ b/rules.d/README-rules
@@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are
organized into groups with the following meanings:
10 - macros
-20 - patterns
-30 - loop holes
+20 - loop holes
+30 - patterns
40 - ELF rules
50 - user/group access rules
60 - application access rules
@@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following:
fapolicyd.rules.known-libs
--------------------------
10-languages.rules
-20-patterns.rules
-30-dracut.rules
-30-updaters.rules
+20-dracut.rules
+21-updaters.rules
+30-patterns.rules
40-bad-elf.rules
41-shared-obj.rules
42-trusted-elf.rules
@@ -39,9 +39,9 @@ fapolicyd.rules.known-libs
fapolicyd.rules.restrictive
---------------------------
10-languages.rules
-20-patterns.rules
-30-dracut.rules
-30-updaters.rules
+20-dracut.rules
+21-updaters.rules
+30-patterns.rules
40-bad-elf.rules
41-shared-obj.rules
43-known-elf.rules
--
2.35.1

28
SOURCES/fapolicyd-selinux.patch Normal file
View File

@ -0,0 +1,28 @@
diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
--- a/fapolicyd-selinux-0.4/fapolicyd.te 2021-03-23 10:21:31.000000000 +0100
+++ b/fapolicyd-selinux-0.4/fapolicyd.te 2021-11-19 10:24:20.000002248 +0100
@@ -63,23 +63,13 @@
files_mmap_usr_files(fapolicyd_t)
files_read_all_files(fapolicyd_t)
-files_watch_mount_generic_tmp_dirs(fapolicyd_t)
-files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
-files_watch_mount_root_dirs(fapolicyd_t)
-files_watch_with_perm_root_dirs(fapolicyd_t)
fs_getattr_xattr_fs(fapolicyd_t)
-fs_watch_mount_tmpfs_dirs(fapolicyd_t)
-fs_watch_with_perm_tmpfs_dirs(fapolicyd_t)
logging_send_syslog_msg(fapolicyd_t)
dbus_system_bus_client(fapolicyd_t)
-userdom_watch_mount_tmp_dirs(fapolicyd_t)
-userdom_watch_with_perm_tmp_dirs(fapolicyd_t)
-
optional_policy(`
rpm_read_db(fapolicyd_t)
- allow fapolicyd_t rpm_var_lib_t:file { create };
- allow fapolicyd_t rpm_var_lib_t:dir { add_name write };
+ rpm_manage_db(fapolicyd_t)
')

32
SOURCES/fapolicyd-startup-message.patch
View File

@ -1,32 +0,0 @@
From 54b0679719bf82e25b2b007a32f26b1654912fa2 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 26 Jan 2021 15:07:05 -0500
Subject: [PATCH] Add startup and shutdown syslog message
---
ChangeLog | 1 +
src/daemon/fapolicyd.c | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/daemon/fapolicyd.c b/src/daemon/fapolicyd.c
index e0e01ae..55e085d 100644
--- a/src/daemon/fapolicyd.c
+++ b/src/daemon/fapolicyd.c
@@ -491,7 +491,7 @@ int main(int argc, const char *argv[])
pfd[1].fd = init_fanotify(&config, m);
pfd[1].events = POLLIN;
- msg(LOG_DEBUG, "Starting to listen for events");
+ msg(LOG_INFO, "Starting to listen for events");
while (!stop) {
rc = poll(pfd, 2, -1);
@@ -526,7 +526,7 @@ int main(int argc, const char *argv[])
#endif
}
}
- msg(LOG_DEBUG, "shutting down...");
+ msg(LOG_INFO, "shutting down...");
shutdown_fanotify(m);
close(pfd[0].fd);
mlist_clear(m);

50
SOURCES/fapolicyd-unlink-fifo1.patch
View File

@ -1,50 +0,0 @@
From 8cf74e7f147836e81c3583a046e4dc2b4673a14c Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Thu, 11 Mar 2021 14:45:50 +0100
Subject: [PATCH] Ensure that fifo will be removed after termination
- unlink_fifo() will be called after every succesful termination
because dnf/yum can hang if the pipe exists after daemon termination
- move preconstruct_fifo() out of the scope because it is needed also
when the daemon is configured to run as root
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
src/daemon/fapolicyd.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/daemon/fapolicyd.c b/src/daemon/fapolicyd.c
index 5dce666..c29611c 100644
--- a/src/daemon/fapolicyd.c
+++ b/src/daemon/fapolicyd.c
@@ -446,6 +446,17 @@ int main(int argc, const char *argv[])
openlog("fapolicyd", LOG_PID, LOG_DAEMON);
}
+ // Set the exit function so there is always a fifo cleanup
+ if (atexit(unlink_fifo)) {
+ msg(LOG_ERR, "Cannot set exit function");
+ exit(1);
+ }
+
+ if (preconstruct_fifo(&config)) {
+ msg(LOG_ERR, "Cannot contruct a pipe");
+ exit(1);
+ }
+
// Setup filesystem to watch list
init_fs_list(config.watch_fs);
@@ -454,8 +465,6 @@ int main(int argc, const char *argv[])
// If we are not going to be root, then setup necessary capabilities
if (config.uid != 0) {
- if (preconstruct_fifo(&config))
- exit(1);
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
CAP_DAC_OVERRIDE, CAP_SYS_ADMIN, CAP_SYS_PTRACE,
--
2.26.2

35
SOURCES/fapolicyd-unlink-fifo2.patch
View File

@ -1,35 +0,0 @@
From 7c2726e8d9c3aa5f8f6710a7ea147bf99877e1a5 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Tue, 16 Mar 2021 12:49:48 +0100
Subject: [PATCH] Fixed problem with startup failed on unlink() (#120)
- introduced in 128e22d0c638aed81337a6dbbfa664e5bfc9ea06
- daemon does not start when unlinking non existing db
- fapolicyd-cli returned error when there is no db to unlink
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
src/library/database.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/library/database.c b/src/library/database.c
index a010923..59816cb 100644
--- a/src/library/database.c
+++ b/src/library/database.c
@@ -718,13 +718,13 @@ int unlink_db(void)
snprintf(path, sizeof(path), "%s/data.mdb", data_dir);
rc = unlink(path);
- if (rc) {
+ if (rc == -1 && errno != ENOENT) {
msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno));
ret_val = 1;
}
snprintf(path, sizeof(path), "%s/lock.mdb", data_dir);
rc = unlink(path);
- if (rc) {
+ if (rc == -1 && errno != ENOENT) {
msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno));
ret_val = 1;
}

25
SOURCES/fapolicyd-unlink1.patch
View File

@ -1,25 +0,0 @@
From a0d93349003100ec773c3253e515c7162737c4c2 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Wed, 3 Mar 2021 13:16:07 -0500
Subject: [PATCH] Add error message for debugging
---
src/library/database.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/library/database.c b/src/library/database.c
index db52000..9497c06 100644
--- a/src/library/database.c
+++ b/src/library/database.c
@@ -161,8 +161,10 @@ static int init_db(const conf_t *config)
return 4;
int rc = mdb_env_open(env, data_dir, flags, 0660);
- if (rc)
+ if (rc) {
+ msg(LOG_ERR, "env_open error: %s", mdb_strerror(rc));
return 5;
+ }
MDB_maxkeysize = mdb_env_get_maxkeysize(env);
integrity = config->integrity;

33
SOURCES/fapolicyd-unlink2.patch
View File

@ -1,33 +0,0 @@
From 1b862f3b7c489928f1861396cebb763ae0654371 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Wed, 3 Mar 2021 13:22:10 -0500
Subject: [PATCH] Add error message for debugging
---
src/library/database.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/library/database.c b/src/library/database.c
index 9497c06..831ec74 100644
--- a/src/library/database.c
+++ b/src/library/database.c
@@ -713,12 +713,17 @@ static int check_database_copy(void)
*/
void unlink_db(void)
{
+ int rc;
char path[64];
snprintf(path, sizeof(path), "%s/data.mdb", data_dir);
- unlink(path);
+ rc = unlink(path);
+ if (rc)
+ msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno));
snprintf(path, sizeof(path), "%s/lock.mdb", data_dir);
- unlink(path);
+ rc = unlink(path);
+ if (rc)
+ msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno));
}

114
SOURCES/fapolicyd-unlink3.patch
View File

@ -1,114 +0,0 @@
From 128e22d0c638aed81337a6dbbfa664e5bfc9ea06 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Wed, 3 Mar 2021 13:34:58 -0500
Subject: [PATCH] If db migration fails due to unlinking problem, fail startup
---
ChangeLog | 1 +
src/cli/fapolicyd-cli.c | 5 +++--
src/library/database.c | 22 ++++++++++++++++------
src/library/database.h | 4 ++--
4 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/src/cli/fapolicyd-cli.c b/src/cli/fapolicyd-cli.c
index 994c9a6..fb9081b 100644
--- a/src/cli/fapolicyd-cli.c
+++ b/src/cli/fapolicyd-cli.c
@@ -1,6 +1,6 @@
/*
* fapolicy-cli.c - CLI tool for fapolicyd
- * Copyright (c) 2019,2020 Red Hat Inc.
+ * Copyright (c) 2019-2021 Red Hat Inc.
* All Rights Reserved.
*
* This software may be freely redistributed and/or modified under the
@@ -89,7 +89,8 @@ static char *get_line(FILE *f, unsigned *lineno)
static int do_delete_db(void)
{
- unlink_db();
+ if (unlink_db())
+ return 1;
return 0;
}
diff --git a/src/library/database.c b/src/library/database.c
index 831ec74..a010923 100644
--- a/src/library/database.c
+++ b/src/library/database.c
@@ -1,6 +1,6 @@
/*
* database.c - Trust database
- * Copyright (c) 2016,2018-20 Red Hat Inc.
+ * Copyright (c) 2016,2018-21 Red Hat Inc.
* All Rights Reserved.
*
* This software may be freely redistributed and/or modified under the
@@ -711,23 +711,32 @@ static int check_database_copy(void)
/*
* This function removes the trust database files.
*/
-void unlink_db(void)
+int unlink_db(void)
{
- int rc;
+ int rc, ret_val = 0;
char path[64];
snprintf(path, sizeof(path), "%s/data.mdb", data_dir);
rc = unlink(path);
- if (rc)
+ if (rc) {
msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno));
+ ret_val = 1;
+ }
snprintf(path, sizeof(path), "%s/lock.mdb", data_dir);
rc = unlink(path);
- if (rc)
+ if (rc) {
msg(LOG_ERR, "Could not unlink %s (%s)", path, strerror(errno));
+ ret_val = 1;
+ }
+
+ return ret_val;
}
/*
+ * DB version 1 = unique keys (0.8 - 0.9.2)
+ * DB version 2 = allow duplicate keys (0.9.3 - )
+ *
* This function is used to detect if we are using version1 of the database.
* If so, we have to delete the database and rebuild it. We cannot mix
* database versions because lmdb doesn't do that.
@@ -744,7 +753,8 @@ static int migrate_database(void)
msg(LOG_INFO, "Database migration will be performed.");
// Then we have a version1 db since it does not track versions
- unlink_db();
+ if (unlink_db())
+ return 1;
// Create the new, db version tracker and write current version
fd = open(vpath, O_CREAT|O_EXCL|O_WRONLY, 0640);
diff --git a/src/library/database.h b/src/library/database.h
index e828503..f4516b2 100644
--- a/src/library/database.h
+++ b/src/library/database.h
@@ -1,6 +1,6 @@
/*
* database.h - Header file for trust database
- * Copyright (c) 2018-20 Red Hat Inc.
+ * Copyright (c) 2018-21 Red Hat Inc.
* All Rights Reserved.
*
* This software may be freely redistributed and/or modified under the
@@ -41,7 +41,7 @@ int init_database(conf_t *config);
int check_trust_database(const char *path, struct file_info *info, int fd);
void close_database(void);
void database_report(FILE *f);
-void unlink_db(void);
+int unlink_db(void);
void unlink_fifo(void);
#endif

19
SOURCES/selinux.patch
View File

@ -1,19 +0,0 @@
diff -up ./fapolicyd-selinux-0.3/fapolicyd.te.selinux ./fapolicyd-selinux-0.3/fapolicyd.te
--- ./fapolicyd-selinux-0.3/fapolicyd.te.selinux 2020-06-01 14:41:37.000000000 +0200
+++ ./fapolicyd-selinux-0.3/fapolicyd.te 2021-03-19 10:50:13.885358270 +0100
@@ -62,9 +62,14 @@ domain_read_all_domains_state(fapolicyd_
files_mmap_usr_files(fapolicyd_t)
files_read_all_files(fapolicyd_t)
fs_getattr_xattr_fs(fapolicyd_t)
+kernel_read_all_sysctls(fapolicyd_t)
+kernel_read_all_proc(fapolicyd_t)
logging_send_syslog_msg(fapolicyd_t)
+dbus_system_bus_client(fapolicyd_t)
optional_policy(`
- rpm_read_db(fapolicyd_t)
+ rpm_read_db(fapolicyd_t)
+ allow fapolicyd_t rpm_var_lib_t:file { create };
+ allow fapolicyd_t rpm_var_lib_t:dir { add_name write };
')

234
SPECS/fapolicyd.spec
View File

@ -1,11 +1,11 @@
%global selinuxtype targeted
%global moduletype contrib
%define semodule_version 0.3
%define semodule_version 0.4
Summary: Application Whitelisting Daemon
Name: fapolicyd
Version: 1.0.2
Version: 1.1
Release: 6%{?dist}
License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd
@ -26,25 +26,16 @@ Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Patch1: fapolicyd-magic-override.patch
Patch2: selinux.patch
Patch3: fapolicyd-startup-message.patch
Patch4: fapolicyd-cli-hang.patch
# we are making the dnf-plugin completelly dummy because of
# https://bugzilla.redhat.com/show_bug.cgi?id=1929163
# we require the rpm-plugin from now on and the dnf-plugin still needs to be part of
# the fapolicyd package because it provides safe upgrade path
Patch5: fapolicyd-dnf-plugin.patch
Patch6: fapolicyd-unlink1.patch
Patch7: fapolicyd-unlink2.patch
Patch8: fapolicyd-unlink3.patch
Patch9: fapolicyd-unlink-fifo1.patch
Patch10: fapolicyd-unlink-fifo2.patch
Patch11: fapolicyd-fanotify-read-error.patch
Patch1: fapolicyd-dnf-plugin.patch
Patch2: fapolicyd-selinux.patch
Patch3: fapolicyd-reorder-rules.patch
Patch4: fagenrules-group.patch
# 2069120 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.6.0]
Patch5: fapolicyd-1.1.1-ld_so.patch
%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -71,26 +62,23 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
# selinux
%setup -q -D -T -a 1
%patch1 -p1 -b .magic
%patch1 -p1 -b .plugin
%patch2 -p1 -b .selinux
%patch3 -p1 -b .startup
%patch4 -p1 -b .cli-hang
%patch5 -p1 -b .plugin
%patch6 -p1 -b .unlink1
%patch7 -p1 -b .unlink2
%patch8 -p1 -b .unlink3
%patch9 -p1 -b .unlink_fifo1
%patch10 -p1 -b .unlink_fifo2
%patch11 -p1 -b .fanotify_read
%patch3 -p1 -b .rules
%patch4 -p1 -b .group
%patch5 -p1 -b .ld_so
# generate rules for python
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules.*
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
sed -i "s|%python3_path%|`readlink -f %{__python3}`|g" rules.d/*.rules
interpret=`readelf -e /usr/bin/bash \
| grep Requesting \
| sed 's/.$//' \
| rev | cut -d" " -f1 \
| rev`
sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules
%build
./autogen.sh
@ -99,28 +87,35 @@ sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//
--with-rpm \
--disable-shared
make CFLAGS="%{optflags}" %{?_smp_mflags}
%make_build
# selinux
pushd %{name}-selinux-%{semodule_version}
make
popd
%check
make check
# selinux
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%check
make check
%install
make DESTDIR="%{buildroot}" INSTALL='install -p' install
%make_install
mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
install -p -m 644 init/%{name}.rules.known-libs %{buildroot}/%{_sysconfdir}/%{name}/%{name}.rules
mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
mkdir -p %{buildroot}/run/%{name}
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d
mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d
# get list of file names between known-libs and restrictive from sample-rules/README-rules
cat %{buildroot}/%{_datadir}/%{name}/sample-rules/README-rules \
| grep -A 100 'known-libs' \
| grep -B 100 'restrictive' \
| grep '^[0-9]' > %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
chmod 644 %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs
# selinux
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
@ -129,43 +124,80 @@ install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
#cleanup
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete
%define manage_default_rules default_changed=0 \
# check changed fapolicyd.rules \
if [ -e %{_sysconfdir}/%{name}/%{name}.rules ]; then \
diff %{_sysconfdir}/%{name}/%{name}.rules %{_datadir}/%{name}/%{name}.rules.known-libs >/dev/null 2>&1 || { \
default_changed=1; \
#echo "change detected in fapolicyd.rules"; \
} \
fi \
if [ -e %{_sysconfdir}/%{name}/rules.d ]; then \
default_ruleset='' \
# get listing of default rule files in known-libs \
[ -e %{_datadir}/%{name}/default-ruleset.known-libs ] && default_ruleset=`cat %{_datadir}/%{name}/default-ruleset.known-libs` \
# check for removed or added files \
default_count=`echo "$default_ruleset" | wc -l` \
current_count=`ls -1 %{_sysconfdir}/%{name}/rules.d/*.rules | wc -l` \
[ $default_count -eq $current_count ] || { \
default_changed=1; \
#echo "change detected in number of rule files d:$default_count vs c:$current_count"; \
} \
for file in %{_sysconfdir}/%{name}/rules.d/*.rules; do \
if echo "$default_ruleset" | grep -q "`basename $file`"; then \
# compare content of the rule files \
diff $file %{_datadir}/%{name}/sample-rules/`basename $file` >/dev/null 2>&1 || { \
default_changed=1; \
#echo "change detected in `basename $file`"; \
} \
else \
# added file detected \
default_changed=1 \
#echo "change detected in added rules file `basename $file`"; \
fi \
done \
fi \
# remove files if no change against default rules detected \
[ $default_changed -eq 0 ] && rm -rf %{_sysconfdir}/%{name}/%{name}.rules %{_sysconfdir}/%{name}/rules.d/* || : \
%pre
getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
%pretrans -p <lua>
if posix.access("/run/fapolicyd.pid", "f") then
os.execute([[
c=/etc/fapolicyd/fapolicyd.rules
release=/etc/redhat-release
rule="allow perm=any uid=0 : all"
if test -e $release; then
if grep -q '8.1' $release; then
rule="allow uid=0 all"
fi
fi
if test -e $c; then
if systemctl is-active fapolicyd &> /dev/null; then
tmp=`mktemp`
cat $c > $tmp
echo "$rule" > $c
cat $tmp >> $c
systemctl restart fapolicyd || true
sleep 10
cat $tmp > $c
rm -f $tmp
fi
fi
]])
end
if [ $1 -eq 2 ]; then
# detect changed default rules in case of upgrade
%manage_default_rules
fi
%post
# if no pre-existing rule file
if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
files=`ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null | wc -w`
# Only if no pre-existing component rules
if [ "$files" -eq 0 ] ; then
## Install the known libs policy
for rulesfile in `cat %{_datadir}/%{name}/default-ruleset.known-libs`; do
cp %{_datadir}/%{name}/sample-rules/$rulesfile %{_sysconfdir}/%{name}/rules.d/
done
chgrp %{name} %{_sysconfdir}/%{name}/rules.d/*
if [ -x /usr/sbin/restorecon ] ; then
# restore correct label
/usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
fi
fagenrules > /dev/null 2>&1
fi
fi
%systemd_post %{name}.service
%preun
%systemd_preun %{name}.service
if [ $1 -eq 0 ]; then
# detect changed default rules in case of uninstall
%manage_default_rules
else
[ -e %{_sysconfdir}/%{name}/%{name}.rules ] && rm -rf %{_sysconfdir}/%{name}/rules.d/* || :
fi
%postun
%systemd_postun_with_restart %{name}.service
@ -175,33 +207,39 @@ end
%{!?_licensedir:%global license %%doc}
%license COPYING
%attr(755,root,%{name}) %dir %{_datadir}/%{name}
%attr(644,root,%{name}) %{_datadir}/%{name}/%{name}.rules.*
%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules
%attr(644,root,%{name}) %{_datadir}/%{name}/default-ruleset.known-libs
%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/*
%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/*
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
%attr(644,root,root) %{_unitdir}/%{name}.service
%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
%attr(755,root,root) %{_sbindir}/%{name}
%attr(755,root,root) %{_sbindir}/%{name}-cli
%attr(755,root,root) %{_sbindir}/fagenrules
%attr(644,root,root) %{_mandir}/man8/*
%attr(644,root,root) %{_mandir}/man5/*
%attr(644,root,root) %{_mandir}/man1/*
%attr(644,root,root) %{_datadir}/%{name}/*
%ghost %{_localstatedir}/log/%{name}-access.log
%ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log
%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
%attr(770,root,%{name}) %dir /run/%{name}
%ghost %{_localstatedir}/run/%{name}/%{name}.fifo
%ghost %{_localstatedir}/lib/%{name}/data.mdb
%ghost %{_localstatedir}/lib/%{name}/lock.mdb
%ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo
%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb
%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb
%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
# selinux
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
%post selinux
@ -217,16 +255,44 @@ fi
%selinux_relabel_post -s %{selinuxtype}
%changelog
* Tue Mar 23 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-6
RHEL 8.4.0 ERRATUM
- fapolicyd abnormally exits by executing sosreport
Resolves: rhbz#1940289
* Wed Apr 06 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-6
- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path
Resolves: rhbz#2069120
* Thu Mar 18 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-5
RHEL 8.4.0 ERRATUM
* Sat Apr 02 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-4
RHEL 8.6.0 ERRATUM
- fapolicyd denies access to /usr/lib64/ld-2.28.so
Resolves: rhbz#2066300
* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-1
RHEL 8.6.0 ERRATUM
- rebase to 1.1
Resolves: rhbz#1939379
- introduce rules.d feature
Resolves: rhbz#2054741
- remove pretrans scriptlet
Resolves: rhbz#2051485
* Mon Dec 13 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.4-2
RHEL 8.6.0 ERRATUM
- rebase to 1.0.4
- added rpm_sha256_only option
- added trust.d directory
- allow file names with whitespace in trust files
- use full paths in trust files
Resolves: rhbz#1939379
- fix libc.so getting identified as application/x-executable
Resolves: rhbz#1989272
- fix fapolicyd-dnf-plugin reporting as '<invalid>'
Resolves: rhbz#1997414
- fix selinux DSP module definition in spec file
Resolves: rhbz#2014445
* Thu Aug 19 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-7
- fapolicyd abnormally exits by executing sosreport
- fixed multiple problems with unlink()
- fapolicyd breaks system upgrade, leaving system in dead state - complete fix
Resolves: rhbz#1896875
Resolves: rhbz#1943251
* Tue Feb 16 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.2-3
RHEL 8.4.0 ERRATUM