import fapolicyd-1.1.3-104.el9

2023-05-09 05:22:30 +00:00 · 2023-05-09 05:22:30 +00:00 · b3b505171d
commit b3b505171d
parent 13d3b58081
4 changed files with 1296 additions and 7 deletions
--- a/SOURCES/fapolicyd-already-started.patch
+++ b/SOURCES/fapolicyd-already-started.patch
@ -0,0 +1,110 @@
+diff -up ./src/daemon/fapolicyd.c.already-started ./src/daemon/fapolicyd.c
+--- ./src/daemon/fapolicyd.c.already-started	2023-01-12 17:40:45.366909652 +0100
+++ ./src/daemon/fapolicyd.c	2023-01-12 17:46:22.458139519 +0100
+@@ -378,6 +378,58 @@ static void usage(void)
+ }
+ 
+ 
+int already_running(void)
+{
+	int pidfd = open(pidfile, O_RDONLY);
+	if (pidfd >= 0) {
+		char pid_buf[16];
+
+		if (fd_fgets(pid_buf, sizeof(pid_buf), pidfd)) {
+			int pid;
+			char exe_buf[80], my_path[80];
+
+			// Get our path
+			if (get_program_from_pid(getpid(),
+					sizeof(exe_buf), my_path) == NULL)
+				goto err_out; // shouldn't happen, but be safe
+
+			// convert pidfile to integer
+			errno = 0;
+			pid = strtoul(pid_buf, NULL, 10);
+			if (errno)
+				goto err_out; // shouldn't happen, but be safe
+
+			// verify it really is fapolicyd
+			if (get_program_from_pid(pid,
+					sizeof(exe_buf), exe_buf) == NULL)
+				goto good; //if pid doesn't exist, we're OK
+
+			// If the path doesn't have fapolicyd in it, we're OK
+			if (strstr(exe_buf, "fapolicyd") == NULL)
+				goto good;
+
+			if (strcmp(exe_buf, my_path) == 0)
+				goto err_out; // if the same, we need to exit
+
+			// one last sanity check in case path is unexpected
+			// for example: /sbin/fapolicyd & /home/test/fapolicyd
+			if (pid != getpid())
+				goto err_out;
+good:
+			close(pidfd);
+			unlink(pidfile);
+			return 0;
+		} else
+		    msg(LOG_ERR, "fapolicyd pid file found but unreadable");
+err_out: // At this point, we have a pid file, let's just assume it's alive
+	 // because if 2 are running, it deadlocks the machine
+		close(pidfd);
+		return 1;
+	}
+	return 0; // pid file doesn't exist, we're good to go
+}
+
+
+ int main(int argc, const char *argv[])
+ {
+ 	struct pollfd pfd[2];
+@@ -428,6 +480,11 @@ int main(int argc, const char *argv[])
+ 		}
+ 	}
+ 
+	if (already_running()) {
+		msg(LOG_ERR, "fapolicyd is already running");
+		exit(1);
+	}
+
+ 	// Set a couple signal handlers
+ 	sa.sa_flags = 0;
+ 	sigemptyset(&sa.sa_mask);
+@@ -446,9 +503,6 @@ int main(int argc, const char *argv[])
+ 	setrlimit(RLIMIT_FSIZE, &limit);
+ 	setrlimit(RLIMIT_NOFILE, &limit);
+ 
+-	// Set strict umask
+-	(void) umask( 0117 );
+-
+ 	// get more time slices because everything is waiting on us
+ 	rc = nice(-config.nice_val);
+ 	if (rc == -1)
+@@ -473,17 +527,20 @@ int main(int argc, const char *argv[])
+ 		exit(1);
+ 	}
+ 
+-	if (preconstruct_fifo(&config)) {
+-		msg(LOG_ERR, "Cannot contruct a pipe");
+-		exit(1);
+-	}
+-
+ 	// Setup filesystem to watch list
+ 	init_fs_list(config.watch_fs);
+ 
+ 	// Write the pid file for the init system
+ 	write_pid_file();
+ 
+	// Set strict umask
+	(void) umask( 0117 );
+
+	if (preconstruct_fifo(&config)) {
+		msg(LOG_ERR, "Cannot contruct a pipe");
+		exit(1);
+	}
+
+ 	// If we are not going to be root, then setup necessary capabilities
+ 	if (config.uid != 0) {
+ 		capng_clear(CAPNG_SELECT_BOTH);
--- a/SOURCES/fapolicyd-exclude-list.patch
+++ b/SOURCES/fapolicyd-exclude-list.patch
--- a/SOURCES/fapolicyd-falcon-sensor.patch
+++ b/SOURCES/fapolicyd-falcon-sensor.patch
@ -0,0 +1,79 @@
+From 2b13715219bbb6a84a73e007cea84f0d5d1d39ab Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Tue, 6 Dec 2022 15:09:44 +0100
+Subject: [PATCH] Extend new_event state machine
+
+- allow other opens before dynamic linker execution
+- split original STATE_REOPEN to the new STATE_REOPEN and STATE_DEFAULT_REOPEN
+
+- STATE_REOPEN now behaves as loop state for new opens (from the same subject),
+  uses skip_path
+- STATE_DEFAULT_REOPEN is needed when dynamic linker is directly executed
+  in such scenario we need to be sure that non of the following opens will
+  skip the path
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/library/event.c   | 16 ++++++++++++++++
+ src/library/process.h |  3 ++-
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/src/library/event.c b/src/library/event.c
+index 4d79eb98..649cb9d6 100644
+--- a/src/library/event.c
+++ b/src/library/event.c
+@@ -133,6 +133,12 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
+ 			(e->type & FAN_OPEN_PERM) && !rc) {
+ 			skip_path = 1;
+ 			s->info->state = STATE_REOPEN;
+
+			// special branch after ld_so exec
+			// next opens will go fall trough
+			if (s->info->path1 &&
+				(strcmp(s->info->path1, SYSTEM_LD_SO) == 0))
+				s->info->state = STATE_DEFAULT_REOPEN;
+ 		}
+ 
+ 		// If not same proc or we detect execution, evict
+@@ -164,6 +170,7 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
+ 			skip_path = 1;
+ 		}
+ 
+
+ 		// If we've seen the reopen and its an execute and process
+ 		// has an interpreter and we're the same process, don't evict
+ 		// and don't collect the path since reopen interp will. The
+@@ -172,10 +179,19 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
+ 		if ((s->info->state == STATE_REOPEN) && !skip_path &&
+ 				(e->type & FAN_OPEN_EXEC_PERM) &&
+ 				(s->info->elf_info & HAS_INTERP) && !rc) {
+			s->info->state = STATE_DEFAULT_REOPEN;
+ 			evict = 0;
+ 			skip_path = 1;
+ 		}
+ 
+		// this is how STATE_REOPEN and
+		// STATE_DEFAULT_REOPEN differs
+		// in STATE_REOPEN path is always skipped
+		if ((s->info->state == STATE_REOPEN) && !skip_path &&
+				(e->type & FAN_OPEN_PERM) && !rc) {
+			skip_path = 1;
+		}
+
+ 		if (evict) {
+ 			lru_evict(subj_cache, key);
+ 			q_node = check_lru_cache(subj_cache, key);
+diff --git a/src/library/process.h b/src/library/process.h
+index daa9d0d0..a741d1ac 100644
+--- a/src/library/process.h
+++ b/src/library/process.h
+@@ -31,7 +31,8 @@
+ #include "gcc-attributes.h"
+ 
+ typedef enum {	STATE_COLLECTING=0,	// initial state - execute
+-		STATE_REOPEN,		// anticipating open perm next
+		STATE_REOPEN,		// anticipating open perm next, always skips the path
+		STATE_DEFAULT_REOPEN,  // reopen after dyn. linker exec, never skips the path
+ 		STATE_STATIC_REOPEN,	// static app aniticipating
+ 		STATE_PARTIAL,		// second path collected
+ 		STATE_STATIC_PARTIAL,	// second path collected
--- a/SPECS/fapolicyd.spec
+++ b/SPECS/fapolicyd.spec
@ -5,7 +5,7 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.1.3
-Release: 102%{?dist}.7
+Release: 104%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -40,9 +40,7 @@ Patch7: fapolicyd-cli-segfault.patch
 Patch8: fapolicyd-sighup.patch
 Patch9: fapolicyd-readme.patch

-# 2137254 - statically linked app can execute untrusted app [rhel-9.1.0.z]
 Patch10: fapolicyd-static-app.patch
-# 2137263 - fapolicyd ineffective with systemd DynamicUser=yes [rhel-9.1.0.z]
 Patch11: fapolicyd-markfs-1.patch
 Patch12: fapolicyd-markfs-2.patch
 Patch13: fapolicyd-markfs-3.patch
@ -50,6 +48,9 @@ Patch14: fapolicyd-markfs-4.patch

 Patch15: fapolicyd-selinux-2.patch

+Patch16: fapolicyd-falcon-sensor.patch
+Patch17: fapolicyd-exclude-list.patch
+Patch18: fapolicyd-already-started.patch

 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -99,6 +100,10 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.

 %patch15 -p1 -b .selinux2

+%patch16 -p1 -b .event
+%patch17 -p1 -b .exclude
+%patch18 -p1 -b .already-started
+
 # generate rules for python
 sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
 sed -i "s|%python3_path%|`readlink -f %{__python3}`|g" rules.d/*.rules
@ -246,6 +251,7 @@ fi
 %ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/*
 %ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rpm-filter.conf
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
 %ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
 %attr(644,root,root) %{_unitdir}/%{name}.service
@ -282,12 +288,18 @@ fi
 %selinux_relabel_post -s %{selinuxtype}

 %changelog
-* Tue Oct 25 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-102.7
-RHEL 9.1.0.Z ERRATUM
+* Mon Jan 30 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-104
+RHEL 9.2.0 ERRATUM
 - statically linked app can execute untrusted app
-Resolves: rhbz#2137254
+Resolves: rhbz#2097077
 - fapolicyd ineffective with systemd DynamicUser=yes
-Resolves: rhbz#2137263
+Resolves: rhbz#2136802
+- Starting manually fapolicyd while the service is already running breaks the system
+Resolves: rhbz#2160517
+- Cannot execute /usr/libexec/grepconf.sh when falcon-sensor is enabled
+Resolves: rhbz#2160518
+- fapolicyd: Introduce filtering of rpmdb
+Resolves: RHEL-192

 * Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-102
 RHEL 9.1.0 ERRATUM