import fapolicyd-1.0-3.el8_3.4

CentOS Sources 2020-12-17 02:21:12 -05:00 committed by Andrew Lukoshko
parent 2ec52a8c82
commit 93f8e76c68
6 changed files with 238 additions and 1 deletions


@ -0,0 +1,23 @@
From 6810b42e04dd1f450862a647f05c62706f3a1c40 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Thu, 12 Nov 2020 22:21:36 -0500
Subject: [PATCH] Add application/x-java-applet to languages in known.libs
---
ChangeLog | 1 +
init/fapolicyd.rules.known-libs | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/init/fapolicyd.rules.known-libs b/init/fapolicyd.rules.known-libs
index a847f71..d7ce529 100644
--- a/init/fapolicyd.rules.known-libs
+++ b/init/fapolicyd.rules.known-libs
@@ -3,7 +3,7 @@
# performance while ensuring that there is not much interference by
# the daemon.
-%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
+%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
# Carve out an exception for dracut initramfs building
allow perm=any uid=0 : dir=/var/tmp/
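Review bot: The diffstat at the top of this patch file lists `ChangeLog | 1 +` and "2 files changed", but the body carries only the init/fapolicyd.rules.known-libs hunk, so either the ChangeLog hunk was dropped when the patch was extracted or the stat is stale; either way the file should say what it applies. The new %languages line also moves `text/x-java` ahead of `text/javascript` and inserts `application/x-java-applet` after it; if position in the macro is not meaningful, a one-line comment above it saying the list is unordered would stop later syncs from shuffling entries again. The rules file continues beyond the end of this hunk.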


@ -0,0 +1,65 @@
From 32a47ce0557c9b38ee59acec97d8f5bd01b4751d Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 10 Nov 2020 11:47:37 -0500
Subject: [PATCH] Pickup more languages in /usr/share
It turns out that there is a lot of languages placing code for execution
in /usr/share. This patch widens the filter so that more file extensions
are included in the trust database. Without this, access to pki-ca.jar,
for example, is denied access.
---
src/library/rpm-backend.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
index 25f867a..6ce8a2d 100644
--- a/src/library/rpm-backend.c
+++ b/src/library/rpm-backend.c
@@ -183,6 +183,7 @@ static int drop_path(const char *file_name)
// Drop anything in /usr/share that's
// not python, javascript, or has a libexec dir
if (file_name[6] == 'h' ) {
+ // These are roughly ordered by quantity
if (fnmatch("*.py?",
file_name, 0) == 0)
return 0;
@@ -192,9 +193,39 @@ static int drop_path(const char *file_name)
else if (fnmatch("*/libexec/*",
file_name, 0) == 0)
return 0;
+ else if (fnmatch("*.rb",
+ file_name, 0) == 0)
+ return 0;
+ else if (fnmatch("*.pl",
+ file_name, 0) == 0)
+ return 0;
+ else if (fnmatch("*.stp",
+ file_name, 0) == 0)
+ return 0;
else if (fnmatch("*.js",
file_name, 0) == 0)
return 0;
+ else if (fnmatch("*.jar",
+ file_name, 0) == 0)
+ return 0;
+ else if (fnmatch("*.m4",
+ file_name, 0) == 0)
+ return 0;
+ else if (fnmatch("*.php",
+ file_name, 0) == 0)
+ return 0;
+ else if (fnmatch("*.el",
+ file_name, 0) == 0)
+ return 0;
+ else if (fnmatch("*.pm",
+ file_name, 0) == 0)
+ return 0;
+ else if (fnmatch("*.lua",
+ file_name, 0) == 0)
+ return 0;
+ else if (fnmatch("*.java",
+ file_name, 0) == 0)
+ return 0;
return 1;
// Akmod need scripts in /usr/src/kernel
} else if (file_name[6] == 'r' ) {
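Review bot: The new `*.el` branch keeps Emacs Lisp source in the trust database but not its byte-compiled `.elc` form, which `fnmatch("*.el", ...)` does not match; the restrictive rules patch in this same import adds `application/x-elc` to %languages, so if those rules deny untrusted files of that type, `.elc` files under /usr/share would be dropped here and then refused. Adding `else if (fnmatch("*.elc", file_name, 0) == 0) return 0;` beside the `.el` branch keeps the two in step. As a style point, the chain is now fourteen copies of the same three lines; a `static const char *const patterns[]` table walked in a loop would read better and make future additions one-line changes. drop_path starts before and continues past the end of this hunk.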


@ -0,0 +1,74 @@
From 006a656205765ce26327d176b4ca07e44bd55422 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 10 Nov 2020 16:44:25 -0500
Subject: [PATCH] Add comments about what each file extension is looking for in
the /usr/share filter
---
src/library/rpm-backend.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
index 6ce8a2d..ba648d3 100644
--- a/src/library/rpm-backend.c
+++ b/src/library/rpm-backend.c
@@ -184,45 +184,59 @@ static int drop_path(const char *file_name)
// not python, javascript, or has a libexec dir
if (file_name[6] == 'h' ) {
// These are roughly ordered by quantity
+ // Python byte code
if (fnmatch("*.py?",
file_name, 0) == 0)
return 0;
+ // Python text files
else if (fnmatch("*.py",
file_name, 0) == 0)
return 0;
+ // Some apps have a private libexec
else if (fnmatch("*/libexec/*",
file_name, 0) == 0)
return 0;
+ // Ruby
else if (fnmatch("*.rb",
file_name, 0) == 0)
return 0;
+ // Perl
else if (fnmatch("*.pl",
file_name, 0) == 0)
return 0;
+ // System Tap
else if (fnmatch("*.stp",
file_name, 0) == 0)
return 0;
+ // Javascript
else if (fnmatch("*.js",
file_name, 0) == 0)
return 0;
+ // Java
else if (fnmatch("*.jar",
file_name, 0) == 0)
return 0;
+ // M4
else if (fnmatch("*.m4",
file_name, 0) == 0)
return 0;
+ // PHP
else if (fnmatch("*.php",
file_name, 0) == 0)
return 0;
+ // Lisp
else if (fnmatch("*.el",
file_name, 0) == 0)
return 0;
+ // Perl Modules
else if (fnmatch("*.pm",
file_name, 0) == 0)
return 0;
+ // Lua
else if (fnmatch("*.lua",
file_name, 0) == 0)
return 0;
+ // Java
else if (fnmatch("*.java",
file_name, 0) == 0)
return 0;
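Review bot: Two branches now carry the identical comment `// Java` (above the `*.jar` match and above the `*.java` match), which defeats the purpose of labelling them; `// Java archive` and `// Java source` would tell a reader what each pattern is for. Likewise `// Lisp` above the `*.el` match is broader than the pattern, since `.el` is specifically Emacs Lisp; `// Emacs Lisp` is the accurate label. The enclosing drop_path starts before and ends after this hunk.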


@ -0,0 +1,32 @@
From 2ac23e04f3f14716cf4493fc30eb6ad63760d945 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <alexander.m.scheel@gmail.com>
Date: Wed, 11 Nov 2020 07:26:29 -0500
Subject: [PATCH] Allow .class files instead of .java files (#101)
.java files themselves aren't directly executable using the default java
program; instead, they must first be compiled to .class files (using
javac) before they can be executed via java. This means that .java files
shipped in RPMs (as say, API usage examples) won't be executed and don't
necessarily need to be. They could however, be compiled first and then
executed as .class; however, this resulting .class file should likely be
somewhere other than /usr/share if it wasn't distributed by the RPM
itself.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
src/library/rpm-backend.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c
index ba648d3..111e9f2 100644
--- a/src/library/rpm-backend.c
+++ b/src/library/rpm-backend.c
@@ -237,7 +237,7 @@ static int drop_path(const char *file_name)
file_name, 0) == 0)
return 0;
// Java
- else if (fnmatch("*.java",
+ else if (fnmatch("*.class",
file_name, 0) == 0)
return 0;
return 1;
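Review bot: The rationale that `.java` files cannot be run directly no longer holds on JDK 11 and later, where the `java` launcher runs a single-file source program (JEP 330), so replacing the pattern instead of adding one means a packaged `.java` example under /usr/share is no longer in the trust database on such systems; whether that is a regression depends on whether the rules deny untrusted `text/x-java`, which this hunk does not show. If both forms should remain trusted, keep the `*.java` branch and add the `*.class` one next to it. The `// Java` comment above the changed line now sits over a `.class` match and would read better as `// Java class files`. drop_path continues beyond this hunk.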


@ -0,0 +1,24 @@
From 26fd69ab1df5025a4445ac533c2b273a2f1dda3b Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Wed, 2 Dec 2020 16:01:54 +0100
Subject: [PATCH] Sync languages list
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
init/fapolicyd.rules.restrictive | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/init/fapolicyd.rules.restrictive b/init/fapolicyd.rules.restrictive
index 1635ef3..50944f1 100644
--- a/init/fapolicyd.rules.restrictive
+++ b/init/fapolicyd.rules.restrictive
@@ -14,8 +14,7 @@
# %python=/usr/bin/python2.7,/usr/bin/python3.6
# allow perm=open exe=%python : all
#
-
-%languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
+%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,application/x-elc,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
# Carve out an exception for dracut
allow perm=any uid=0 : dir=/var/tmp/
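Review bot: The synced %languages line still differs from the known-libs list updated earlier in this same import: it adds `application/x-elc`, which the known-libs rule set does not carry, so the two rule files remain out of sync after a patch titled "Sync languages list". If `.elc` handling is intended for both profiles, the known-libs line needs the same entry; if the difference is deliberate, a comment on this line naming which list is authoritative would keep the next sync from reverting it. The rules file continues beyond the end of this hunk.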


@ -6,7 +6,7 @@
Summary: Application Whitelisting Daemon
Name: fapolicyd
Version: 1.0
Release: 3%{?dist}.3
Release: 3%{?dist}.4
License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -19,6 +19,7 @@ BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
BuildRequires: python3-devel
BuildRequires: python2-devel
Recommends: %{name}-selinux
Requires(pre): shadow-utils
Requires(post): systemd-units
Requires(preun): systemd-units
@ -39,6 +40,11 @@ Patch11: fapolicyd-get-line.patch
Patch12: fapolicyd-man-page-trust.patch
Patch13: fapolicyd-deleted-suffix.patch
Patch14: fapolicyd-java1.patch
Patch15: fapolicyd-java2.patch
Patch16: fapolicyd-java3.patch
Patch17: fapolicyd-java4.patch
Patch18: fapolicyd-java5.patch
%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -99,6 +105,11 @@ sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//
# zstream
%patch13 -p1 -b .deleted
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%build
./autogen.sh
@ -219,6 +230,14 @@ fi
%selinux_relabel_post -s %{selinuxtype}
%changelog
* Thu Dec 10 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.4
RHEL 8.3.Z ERRATUM
- Adding DISA STIG during OS installation causes 'ipa-server-install' to fail [rhel-8.3.0.z]
- fixed java detection
Resolves: rhbz#1905895
- Erratum RHBA-2020:4969 is of no help when upgrading partially RHEL 8.2 systems [rhel-8.3.0.z]
Resolves: rhbz#1906472
* Fri Nov 13 2020 Radovan Sroka <rsroka@redhat.com> - 1.0-3.3
RHEL 8.3.Z ERRATUM
Resolves: rhbz#1897090