rpms/fapolicyd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

New upstream release

Browse Source 
This release features:
- systemd usage updates
- file permission adjustments based on selinux policy review
- unterminated reads of auid & sessionid values was fixed
- ld_preload pattern is deprecated for now
This commit is contained in:
Radovan Sroka 2019-05-06 12:25:23 +02:00
parent 917c00eccc
commit c8075c471d
14 changed files with 7 additions and 1948 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -2,3 +2,4 @@
/fapolicyd-0.8.6.tar.gz
/fapolicyd-0.8.7.tar.gz
/fapolicyd-0.8.8.tar.gz
/fapolicyd-0.8.9.tar.gz

54
0001-Fix-the-spec-file-to-use-run-instead-of-var-run.patch
View File

@ -1,54 +0,0 @@
From 76b68d4bb5b1fc75c3621f3761721380ef8c76a4 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 12 Mar 2019 11:08:38 -0400
Subject: [PATCH 01/11] Fix the spec file to use /run instead of /var/run
---
fapolicyd.spec | 6 +++---
src/database.c | 2 +-
src/fapolicyd-cli.c | 2 +-
src/fapolicyd.c | 2 +-
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/database.c b/src/database.c
index 649f6fd..87ba376 100644
--- a/src/database.c
+++ b/src/database.c
@@ -60,7 +60,7 @@ static int lib_symlink=0, lib64_symlink=0, bin_symlink=0, sbin_symlink=0;
// External variables
extern volatile atomic_bool stop;
-static const char* fifo_path = "/var/run/fapolicyd/fapolicyd.fifo";
+static const char* fifo_path = "/run/fapolicyd/fapolicyd.fifo";
static pthread_t update_thread;
diff --git a/src/fapolicyd-cli.c b/src/fapolicyd-cli.c
index 17a9055..06e7464 100644
--- a/src/fapolicyd-cli.c
+++ b/src/fapolicyd-cli.c
@@ -37,7 +37,7 @@ const char * usage =
"-u\t--update\t\tNotifies fapolicyd to perform update of database\n"
;
-const char * _pipe = "/var/run/fapolicyd/fapolicyd.fifo";
+const char * _pipe = "/run/fapolicyd/fapolicyd.fifo";
int main(int argc, char const *argv[])
{
diff --git a/src/fapolicyd.c b/src/fapolicyd.c
index dee339f..53d4273 100644
--- a/src/fapolicyd.c
+++ b/src/fapolicyd.c
@@ -60,7 +60,7 @@ int debug = 0, permissive = 0;
volatile atomic_bool stop = 0;
// Local variables
-static const char *pidfile = "/var/run/fapolicyd.pid";
+static const char *pidfile = "/run/fapolicyd.pid";
#define REPORT "/var/log/fapolicyd-access.log"
static struct daemon_conf config;
--
2.20.1

25
0002-Fix-service-file-to-use-run-instead-of-var-run.patch
View File

@ -1,25 +0,0 @@
From 557244e37f856a3d374ac6bc0d4d05fbbbcc2700 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 12 Mar 2019 11:10:29 -0400
Subject: [PATCH 02/11] Fix service file to use /run instead of /var/run
---
init/fapolicyd.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/init/fapolicyd.service b/init/fapolicyd.service
index 169ce3c..461f0ba 100644
--- a/init/fapolicyd.service
+++ b/init/fapolicyd.service
@@ -5,7 +5,7 @@ After=local-fs.target systemd-tmpfiles-setup.service
[Service]
Type=forking
-PIDFile=/var/run/fapolicyd.pid
+PIDFile=/run/fapolicyd.pid
Restart=on-abnormal
ExecStart=/usr/sbin/fapolicyd
--
2.20.1

35
0003-Install-a-usr-lib-tmpfiles.d-fapolicyd.conf-for-run-.patch
View File

@ -1,35 +0,0 @@
From b820c237a8fefdc159dcbad4198232156a5180d9 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 12 Mar 2019 11:58:33 -0400
Subject: [PATCH 03/11] Install a /usr/lib/tmpfiles.d/fapolicyd.conf for
/run/fapolicyd
---
fapolicyd.spec | 2 ++
init/Makefile.am | 3 +--
init/fapolicyd-tmpfiles.conf | 1 +
3 files changed, 4 insertions(+), 2 deletions(-)
create mode 100644 init/fapolicyd-tmpfiles.conf
diff --git a/init/Makefile.am b/init/Makefile.am
index 29037c1..659142e 100644
--- a/init/Makefile.am
++ b/init/Makefile.am
@@ -1,6 +1,5 @@
-EXTRA_DIST = fapolicyd.rules fapolicyd.mounts fapolicyd.service fapolicyd.conf
+EXTRA_DIST = fapolicyd.rules fapolicyd.mounts fapolicyd.service fapolicyd.conf fapolicyd-tmpfiles.conf
fapolicyddir = $(sysconfdir)/fapolicyd
dist_fapolicyd_DATA = fapolicyd.rules fapolicyd.mounts fapolicyd.conf
systemdservicedir = $(systemdsystemunitdir)
dist_systemdservice_DATA = fapolicyd.service
-
diff --git a/init/fapolicyd-tmpfiles.conf b/init/fapolicyd-tmpfiles.conf
new file mode 100644
index 0000000..24459d3
--- /dev/null
+++ b/init/fapolicyd-tmpfiles.conf
@@ -0,0 +1 @@
+d /run/fapolicyd 0770 root fapolicyd -
--
2.20.1

62
0004-remove-fifo-on-all-exit-paths-for-update-thread.patch
View File

@ -1,62 +0,0 @@
From 8d2dc2210c866bcf21362bc7c5686a60ca6938b3 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 12 Mar 2019 12:29:08 -0400
Subject: [PATCH 04/11] remove fifo on all exit paths for update thread
---
src/database.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/database.c b/src/database.c
index 87ba376..1b3dc1a 100644
--- a/src/database.c
+++ b/src/database.c
@@ -743,6 +743,7 @@ static void *update_thread_main(void *arg)
if ((pfd[0].fd = open(fifo_path, O_RDWR)) == -1) {
msg(LOG_ERR, "Failed to open a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE));
+ unlink(fifo_path);
return NULL;
}
@@ -759,8 +760,7 @@ static void *update_thread_main(void *arg)
continue;
} else {
msg(LOG_ERR, "Update poll error (%s)", strerror_r(errno, err_buff, BUFFER_SIZE));
- close(pfd[0].fd);
- return NULL;
+ goto err_out;
}
} else if (rc == 0) {
msg(LOG_DEBUG, "Update poll timeout expired");
@@ -772,7 +772,7 @@ static void *update_thread_main(void *arg)
if (count == -1) {
msg(LOG_ERR, "Failed to read from a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE));
- return NULL;
+ goto err_out;
}
if (count == 0) {
@@ -796,6 +796,7 @@ static void *update_thread_main(void *arg)
if ((rc = update_database(config))) {
msg(LOG_ERR, "Cannot update a database!");
+ close(pfd[0].fd);
unlink(fifo_path);
exit(rc);
} else {
@@ -806,5 +807,10 @@ static void *update_thread_main(void *arg)
}
}
+
+err_out:
+ close(pfd[0].fd);
+ unlink(fifo_path);
+
return NULL;
}
--
2.20.1

107
0005-Move-some-debug-messages-under-ifdef-DEBUG-24.patch
View File

@ -1,107 +0,0 @@
From 4aded37a3901a1f076f3b88834c3dfd994086e62 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Wed, 13 Mar 2019 17:49:21 +0100
Subject: [PATCH 05/11] Move some debug messages under #ifdef DEBUG (#24)
---
src/database.c | 25 ++++++++++++++++++-------
src/fapolicyd.c | 5 +++--
2 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/src/database.c b/src/database.c
index 1b3dc1a..2a0c029 100644
--- a/src/database.c
+++ b/src/database.c
@@ -732,7 +732,9 @@ static void *update_thread_main(void *arg)
struct daemon_conf *config = (struct daemon_conf *)arg;
- msg(LOG_INFO, "Update thread main started");
+#ifdef DEBUG
+ msg(LOG_DEBUG, "Update thread main started");
+#endif
/* Make sure that there is no such file/fifo */
unlink(fifo_path);
@@ -752,18 +754,25 @@ static void *update_thread_main(void *arg)
while (!stop) {
rc = poll(pfd, 1, 1000);
- msg(LOG_DEBUG, "Update poll interupted");
+
+#ifdef DEBUG
+ msg(LOG_DEBUG, "Update poll interrupted");
+#endif
if (rc < 0) {
if (errno == EINTR) {
+#ifdef DEBUG
msg(LOG_DEBUG, "update poll rc = EINTR");
+#endif
continue;
} else {
msg(LOG_ERR, "Update poll error (%s)", strerror_r(errno, err_buff, BUFFER_SIZE));
goto err_out;
}
} else if (rc == 0) {
+#ifdef DEBUG
msg(LOG_DEBUG, "Update poll timeout expired");
+#endif
continue;
} else {
if (pfd[0].revents & POLLIN) {
@@ -776,12 +785,14 @@ static void *update_thread_main(void *arg)
}
if (count == 0) {
- msg(LOG_DEBUG, "Buffer contains zero bytes!");
+#ifdef DEBUG
+ msg(LOG_DEBUG, "Buffer contains zero bytes!");
+#endif
continue;
}
-
+#ifdef DEBUG
msg(LOG_DEBUG, "Buffer contains: \"%s\"", buff);
-
+#endif
int check = 1;
for (int i = 0 ; i < count ; i++) {
if (buff[i] != '1' && buff[i] != '\n' && buff[i] != '\0') {
@@ -792,7 +803,7 @@ static void *update_thread_main(void *arg)
}
if (check) {
- msg(LOG_DEBUG, "It looks like there was an update of the system... Syncing DB.");
+ msg(LOG_INFO, "It looks like there was an update of the system... Syncing DB.");
if ((rc = update_database(config))) {
msg(LOG_ERR, "Cannot update a database!");
@@ -800,7 +811,7 @@ static void *update_thread_main(void *arg)
unlink(fifo_path);
exit(rc);
} else {
- msg(LOG_DEBUG, "Updated");
+ msg(LOG_INFO, "Updated");
}
}
}
diff --git a/src/fapolicyd.c b/src/fapolicyd.c
index 53d4273..6e1e987 100644
--- a/src/fapolicyd.c
+++ b/src/fapolicyd.c
@@ -389,8 +389,9 @@ int main(int argc, char *argv[])
while (!stop) {
rc = poll(pfd, 1, -1);
- msg(LOG_DEBUG, "Main poll interupted");
-
+#ifdef DEBUG
+ msg(LOG_DEBUG, "Main poll interrupted");
+#endif
if (rc < 0) {
if (errno == EINTR)
continue;
--
2.20.1

1247
0006-Get-rid-of-trailing-whitespaces-25.patch
View File

File diff suppressed because it is too large Load Diff

84
0007-Add-some-documentation-about-how-ELF-startup-works.patch
View File

@ -1,84 +0,0 @@
From b430ebc0cec78e01ea1ab139001020335314283f Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Wed, 13 Mar 2019 15:55:10 -0400
Subject: [PATCH 07/11] Add some documentation about how ELF startup works.
---
src/rules.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
diff --git a/src/rules.c b/src/rules.c
index 3c3b294..66c1df7 100644
--- a/src/rules.c
+++ b/src/rules.c
@@ -449,6 +449,67 @@ static int subj_dir_test(subject_attr_t *s, subject_attr_t *subj)
return 1;
}
+/*
+ * Notes about elf program startup
+ * ===============================
+ * The run time linker will do the folowing:
+ * 1) kernel loads executable
+ * 2) kernel attaches ld-2.2x.so to executable memory and turns over execution
+ * 3) rtl loads LD_AUDIT libs
+ * 4) rtl loads LD_PRELOAD libs
+ * 5) rtl next loads /etc/ld.so.preload libs
+ *
+ * Then for each dependency:
+ * Call into LD_AUDIT la_objsearch() to modify path/name and try
+ * 1) RPATH in object
+ * 2) RPATH in executable
+ * 3) LD_LIBRARY_PATH: for each path, iterate permutations of
+ * tls, x86_64, haswell, & plain path
+ * 4) RUNPATH in object
+ * 5) Try the name as found in the object
+ * 6) Consult /etc/ld.so.cache
+ * 7) Try default path (can't find where string table is)
+ *
+ * LD_AUDIT modules can add arbitrary early file system actions because
+ * the may also call open. They can also trigger loading another copy of
+ * libc.so.6.
+ *
+ * Patterns
+ * ========
+ * Normal:
+ * exe=/usr/bin/bash file=/usr/bin/ls
+ * exe=/usr/bin/bash file=/usr/lib64/ld-2.27.so
+ * exe=/usr/bin/ls file=/etc/ld.so.cache
+ * exe=/usr/bin/ls file=/usr/lib64/libselinux.so.1
+ *
+ * runtime linker started:
+ * exe=/usr/bin/bash file=/usr/lib64/ld-2.27.so
+ * exe=/usr/bin/bash file=/usr/bin/ls
+ * exe=/usr/lib64/ld-2.27.so file=/etc/ld.so.cache
+ * exe=/usr/lib64/ld-2.27.so file=/usr/lib64/libselinux.so.1
+ *
+ * LD_PRELOAD=libaudit no LD_LIBRARY_PATH:
+ * exe=/usr/bin/bash file=/usr/bin/ls
+ * exe=/usr/bin/bash file=/usr/lib64/ld-2.27.so
+ * exe=/usr/bin/ls file=/usr/lib64/libaudit.so.1.0.0
+ * exe=/usr/bin/ls file=/etc/ld.so.cache
+ * exe=/usr/bin/ls file=/usr/lib64/libselinux.so.1
+ *
+ * LD_PRELOAD=libaudit with LD_LIBRARY_PATH:
+ * exe=/usr/bin/bash file=/usr/bin/ls
+ * exe=/usr/bin/bash file=/usr/lib64/ld-2.28.so
+ * exe=/usr/bin/ls file=/usr/lib64/libaudit.so.1.0.0
+ * exe=/usr/bin/ls file=/usr/lib64/libselinux.so.1
+ *
+ * /etc/ld.so.preload:
+ * exe=/usr/bin/bash file=/usr/bin/ls
+ * exe=/usr/bin/bash file=/usr/lib64/ld-2.27.so
+ * exe=/usr/bin/ls file=/etc/ld.so.preload
+ * exe=/usr/bin/ls file=/usr/lib64/libaudit.so.1.0.0
+ *
+ * This means only first two can be counted on. Looking for ld.so.cache
+ * is no good because its almost the last option.
+ */
//#define NEW_WAY 1
--
2.20.1

77
0008-Change-fifo-mode-to-0660-26.patch
View File

@ -1,77 +0,0 @@
From 36ad6b8dd2a8effba70fccbaf1d580a75a167e6d Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Wed, 13 Mar 2019 20:57:37 +0100
Subject: [PATCH 08/11] Change fifo mode to 0660 (#26)
- fapolicyd-cli requires fapolicyd.fifo to have 0660 permissions
---
src/database.c | 9 +++++++--
src/fapolicyd-cli.c | 32 ++++++++++++++++++++++++++++++++
2 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/src/database.c b/src/database.c
index 64a9fda..52deda4 100644
--- a/src/database.c
+++ b/src/database.c
@@ -738,8 +738,13 @@ static void *update_thread_main(void *arg)
/* Make sure that there is no such file/fifo */
unlink(fifo_path);
- if ((rc = mkfifo(fifo_path, 0600)) != 0) {
- msg(LOG_ERR, "Failed to create a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE));
+
+ mode_t old_mask = umask(0);
+ rc = mkfifo(fifo_path, 0660);
+ (void) umask(old_mask);
+
+ if (rc != 0) {
+ msg(LOG_ERR, "Failed to create a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE));
return NULL;
}
diff --git a/src/fapolicyd-cli.c b/src/fapolicyd-cli.c
index 06e7464..529b63b 100644
--- a/src/fapolicyd-cli.c
+++ b/src/fapolicyd-cli.c
@@ -76,6 +76,38 @@ int main(int argc, char const *argv[])
close(fd);
return 1;
}
+ // we will require pipe to have 0660 permissions
+ if (!(
+ (s.st_mode & S_IRUSR) &&
+ (s.st_mode & S_IWUSR) &&
+ !(s.st_mode & S_IXUSR) &&
+
+ (s.st_mode & S_IRGRP) &&
+ (s.st_mode & S_IWGRP) &&
+ !(s.st_mode & S_IXGRP) &&
+
+ !(s.st_mode & S_IROTH) &&
+ !(s.st_mode & S_IWOTH) &&
+ !(s.st_mode & S_IXOTH)
+ )) {
+ fprintf(stderr, "File: %s has 0%d%d%d instead of 0660 \n"
+ , _pipe
+ ,
+ ((s.st_mode & S_IRUSR) ? 4 : 0) +
+ ((s.st_mode & S_IWUSR) ? 2 : 0) +
+ ((s.st_mode & S_IXUSR) ? 1 : 0)
+ ,
+ ((s.st_mode & S_IRGRP) ? 4 : 0) +
+ ((s.st_mode & S_IWGRP) ? 2 : 0) +
+ ((s.st_mode & S_IXGRP) ? 1 : 0)
+ ,
+ ((s.st_mode & S_IROTH) ? 4 : 0) +
+ ((s.st_mode & S_IWOTH) ? 2 : 0) +
+ ((s.st_mode & S_IXOTH) ? 1 : 0)
+ );
+ close(fd);
+ return 1;
+ }
}
ssize_t ret = write(fd, "1", 2);
--
2.20.1

28
0009-Let-lmdb-create-writable-db-27.patch
View File

@ -1,28 +0,0 @@
From d6797522257d5a295f47f6b1d0f4e9334d31fdb7 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Wed, 13 Mar 2019 20:59:08 +0100
Subject: [PATCH 09/11] Let lmdb create writable db (#27)
---
src/database.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/database.c b/src/database.c
index 52deda4..70c0611 100644
--- a/src/database.c
+++ b/src/database.c
@@ -100,7 +100,10 @@ static int init_db(struct daemon_conf *config)
if (mdb_env_set_maxreaders(env, 4))
return 4;
- if (mdb_env_open(env, data_dir, MDB_MAPASYNC|MDB_NOSYNC , 0664))
+ mode_t old_mode = umask(0);
+ int rc = mdb_env_open(env, data_dir, MDB_MAPASYNC|MDB_NOSYNC , 0664);
+ (void) umask(old_mode);
+ if (rc)
return 5;
lib_symlink = is_link("/lib");
--
2.20.1

27
0010-Add-a-note-to-rules-file-how-to-handle-systems-with-.patch
View File

@ -1,27 +0,0 @@
From c7c5700d5afc0f828a0152ad3171a3b2c3655b2a Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Wed, 13 Mar 2019 16:15:11 -0400
Subject: [PATCH 10/11] Add a note to rules file how to handle systems with
LD_LIBRARY_PATH
---
init/fapolicyd.rules | 3 +++
1 file changed, 3 insertions(+)
diff --git a/init/fapolicyd.rules b/init/fapolicyd.rules
index 57fff97..27a5d6d 100644
--- a/init/fapolicyd.rules
+++ b/init/fapolicyd.rules
@@ -24,6 +24,9 @@ deny_audit exe_dir=execdirs exe=untrusted all
allow all dir=execdirs ftype=application/x-executable
deny_audit all ftype=application/x-executable
+# If you have a LD_LIBRARY_PATH, you may need to allow those here
+# allow all dir=/usr/local/cuda/lib64 ftype=application/x-sharedlib
+
# Only allow system ELF libs
allow all dir=execdirs ftype=application/x-sharedlib
deny_audit all ftype=application/x-sharedlib
--
2.20.1

176
0011-In-order-to-create-the-correct-permissions-on-the-fi.patch
View File

@ -1,176 +0,0 @@
From abb747485f436f8d16eb88745f6f02225ffb1201 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Wed, 13 Mar 2019 17:33:19 -0400
Subject: [PATCH 11/11] In order to create the correct permissions on the fifo,
we need to do this while we are still root. Move the fifo construction to its
own function, then call it when we are about to change uid. Meanwhile, still
create it in the usual spot if we are staying root.
One change added was renaming the variable from pfd to ffd. This was done
as a preventive measure to ensure no symbol collision with pfd in
fapolicyd.c
---
src/database.c | 72 +++++++++++++++++++++++++++++++++----------------
src/database.h | 1 +
src/fapolicyd.c | 2 ++
3 files changed, 52 insertions(+), 23 deletions(-)
diff --git a/src/database.c b/src/database.c
index 70c0611..c360119 100644
--- a/src/database.c
+++ b/src/database.c
@@ -56,6 +56,7 @@ static int dbi_init = 0;
const char *data_dir = "/var/lib/fapolicyd";
const char *db = "trust.db";
static int lib_symlink=0, lib64_symlink=0, bin_symlink=0, sbin_symlink=0;
+static struct pollfd ffd[1] = { {0, 0, 0} };
// External variables
extern volatile atomic_bool stop;
@@ -86,6 +87,45 @@ static int is_link(const char *path)
return 0;
}
+int preconstruct_fifo(struct daemon_conf *config)
+{
+ int rc;
+ char err_buff[BUFFER_SIZE];
+
+ /* Make sure that there is no such file/fifo */
+ unlink(fifo_path);
+
+ mode_t old_mask = umask(0);
+ rc = mkfifo(fifo_path, 0660);
+ (void) umask(old_mask);
+
+ if (rc != 0) {
+ msg(LOG_ERR, "Failed to create a pipe %s (%s)", fifo_path,
+ strerror_r(errno, err_buff, BUFFER_SIZE));
+ return 1;
+ }
+
+ if ((ffd[0].fd = open(fifo_path, O_RDWR)) == -1) {
+ msg(LOG_ERR, "Failed to open a pipe %s (%s)", fifo_path,
+ strerror_r(errno, err_buff, BUFFER_SIZE));
+ unlink(fifo_path);
+ return 1;
+ }
+
+ if (config->gid != getgid()) {
+ if ((fchown(ffd[0].fd, 0, config->gid))) {
+ msg(LOG_ERR, "Failed to fix ownership of pipe %s (%s)",
+ fifo_path, strerror_r(errno, err_buff,
+ BUFFER_SIZE));
+ unlink(fifo_path);
+ close(ffd[0].fd);
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
static int init_db(struct daemon_conf *config)
{
if (mdb_env_create(&env))
@@ -728,7 +768,6 @@ int update_database(struct daemon_conf *config)
static void *update_thread_main(void *arg)
{
int rc;
- struct pollfd pfd[1];
char buff[BUFFER_SIZE];
char err_buff[BUFFER_SIZE];
@@ -739,29 +778,16 @@ static void *update_thread_main(void *arg)
msg(LOG_DEBUG, "Update thread main started");
#endif
- /* Make sure that there is no such file/fifo */
- unlink(fifo_path);
-
- mode_t old_mask = umask(0);
- rc = mkfifo(fifo_path, 0660);
- (void) umask(old_mask);
-
- if (rc != 0) {
- msg(LOG_ERR, "Failed to create a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE));
- return NULL;
- }
-
- if ((pfd[0].fd = open(fifo_path, O_RDWR)) == -1) {
- msg(LOG_ERR, "Failed to open a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE));
- unlink(fifo_path);
- return NULL;
+ if (ffd[0].fd == 0) {
+ if (preconstruct_fifo(config))
+ return NULL;
}
- pfd[0].events = POLLIN;
+ ffd[0].events = POLLIN;
while (!stop) {
- rc = poll(pfd, 1, 1000);
+ rc = poll(ffd, 1, 1000);
#ifdef DEBUG
msg(LOG_DEBUG, "Update poll interrupted");
@@ -783,9 +809,9 @@ static void *update_thread_main(void *arg)
#endif
continue;
} else {
- if (pfd[0].revents & POLLIN) {
+ if (ffd[0].revents & POLLIN) {
memset(buff, 0, BUFFER_SIZE);
- ssize_t count = read(pfd[0].fd, buff, BUFFER_SIZE);
+ ssize_t count = read(ffd[0].fd, buff, BUFFER_SIZE);
if (count == -1) {
msg(LOG_ERR, "Failed to read from a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE));
@@ -815,7 +841,7 @@ static void *update_thread_main(void *arg)
if ((rc = update_database(config))) {
msg(LOG_ERR, "Cannot update a database!");
- close(pfd[0].fd);
+ close(ffd[0].fd);
unlink(fifo_path);
exit(rc);
} else {
@@ -828,7 +854,7 @@ static void *update_thread_main(void *arg)
}
err_out:
- close(pfd[0].fd);
+ close(ffd[0].fd);
unlink(fifo_path);
return NULL;
diff --git a/src/database.h b/src/database.h
index eca7b0d..13881e9 100644
--- a/src/database.h
+++ b/src/database.h
@@ -31,6 +31,7 @@
void lock_update_thread(void);
void unlock_update_thread(void);
+int preconstruct_fifo(struct daemon_conf *config);
int init_database(struct daemon_conf *config);
int update_database(struct daemon_conf *config);
int check_trust_database(const char *path);
diff --git a/src/fapolicyd.c b/src/fapolicyd.c
index ad9f2f2..f327386 100644
--- a/src/fapolicyd.c
+++ b/src/fapolicyd.c
@@ -357,6 +357,8 @@ int main(int argc, char *argv[])
// If we are not going to be root, then setup necessary capabilities
if (config.uid != 0) {
+ if (preconstruct_fifo(&config))
+ exit(1);
capng_clear(CAPNG_SELECT_BOTH);
capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
CAP_DAC_OVERRIDE, CAP_SYS_ADMIN, CAP_SYS_PTRACE,
--
2.20.1

30
fapolicyd.spec
View File

@ -1,7 +1,7 @@
Summary: Application Whitelisting Daemon
Name: fapolicyd
Version: 0.8.8
Release: 2%{?dist}
Version: 0.8.9
Release: 1%{?dist}
License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -15,17 +15,6 @@ Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Patch1: 0001-Fix-the-spec-file-to-use-run-instead-of-var-run.patch
Patch2: 0002-Fix-service-file-to-use-run-instead-of-var-run.patch
Patch3: 0003-Install-a-usr-lib-tmpfiles.d-fapolicyd.conf-for-run-.patch
Patch4: 0004-remove-fifo-on-all-exit-paths-for-update-thread.patch
Patch5: 0005-Move-some-debug-messages-under-ifdef-DEBUG-24.patch
Patch6: 0006-Get-rid-of-trailing-whitespaces-25.patch
Patch7: 0007-Add-some-documentation-about-how-ELF-startup-works.patch
Patch8: 0008-Change-fifo-mode-to-0660-26.patch
Patch9: 0009-Let-lmdb-create-writable-db-27.patch
Patch10: 0010-Add-a-note-to-rules-file-how-to-handle-systems-with-.patch
Patch11: 0011-In-order-to-create-the-correct-permissions-on-the-fi.patch
%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -36,18 +25,6 @@ makes use of the kernel's fanotify interface to determine file access rights.
%prep
%setup -q
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%build
./autogen.sh
%configure --with-audit
@ -97,6 +74,9 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam
%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
%changelog
* Mon May 06 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.9-1
- New upstream release
* Wed Mar 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.8.8-2
- backport some patches to resolve dac_override for fapolicyd

2
sources
View File

@ -1 +1 @@
SHA512 (fapolicyd-0.8.8.tar.gz) = 1aefdcea23862d7d18a6dbe8433f975d40047828674cc5f6a87e2190132eaa6ea4457be994a090597c248343936eb5c687a8dd732a8e6c8a254c242f28f1ad88
SHA512 (fapolicyd-0.8.9.tar.gz) = de3f9aaac36fb7d2b00bc873d4b0cb68fabf5f3bb74812d530ec7f66b3c3690a0cc51f35922a3f0a212c670ecae719956e26bfb0b14cab76d8356ea058709dc5