RHEL 9.2.0 ERRATUM
- statically linked app can execute untrusted app Resolves: rhbz#2097077 - fapolicyd ineffective with systemd DynamicUser=yes Resolves: rhbz#2136802 - Starting manually fapolicyd while the service is already running breaks the system Resolves: rhbz#2160517 - Cannot execute /usr/libexec/grepconf.sh when falcon-sensor is enabled Resolves: rhbz#2160518 Signed-off-by: Radovan Sroka <rsroka@redhat.com>
This commit is contained in:
parent
1c06afb128
commit
cb1e3ca81e
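--- a/fapolicyd-already-started.patch
+++ b/fapolicyd-already-started.patch
@@ -0,0 +1,110 @@
+diff -up ./src/daemon/fapolicyd.c.already-started ./src/daemon/fapolicyd.c
+--- ./src/daemon/fapolicyd.c.already-started 2023-01-12 17:40:45.366909652 +0100
++++ ./src/daemon/fapolicyd.c 2023-01-12 17:46:22.458139519 +0100
+@@ -378,6 +378,58 @@ static void usage(void)
+}
+
+
++int already_running(void)
++{
++ int pidfd = open(pidfile, O_RDONLY);
++ if (pidfd >= 0) {
++ char pid_buf[16];
++
++ if (fd_fgets(pid_buf, sizeof(pid_buf), pidfd)) {
++ int pid;
++ char exe_buf[80], my_path[80];
++
++ // Get our path
++ if (get_program_from_pid(getpid(),
++ sizeof(exe_buf), my_path) == NULL)
++ goto err_out; // shouldn't happen, but be safe
++
++ // convert pidfile to integer
++ errno = 0;
++ pid = strtoul(pid_buf, NULL, 10);
++ if (errno)
++ goto err_out; // shouldn't happen, but be safe
++
++ // verify it really is fapolicyd
++ if (get_program_from_pid(pid,
++ sizeof(exe_buf), exe_buf) == NULL)
++ goto good; //if pid doesn't exist, we're OK
++
++ // If the path doesn't have fapolicyd in it, we're OK
++ if (strstr(exe_buf, "fapolicyd") == NULL)
++ goto good;
++
++ if (strcmp(exe_buf, my_path) == 0)
++ goto err_out; // if the same, we need to exit
++
++ // one last sanity check in case path is unexpected
++ // for example: /sbin/fapolicyd & /home/test/fapolicyd
++ if (pid != getpid())
++ goto err_out;
++good:
++ close(pidfd);
++ unlink(pidfile);
++ return 0;
++ } else
++ msg(LOG_ERR, "fapolicyd pid file found but unreadable");
++err_out: // At this point, we have a pid file, let's just assume it's alive
++ // because if 2 are running, it deadlocks the machine
++ close(pidfd);
++ return 1;
++ }
++ return 0; // pid file doesn't exist, we're good to go
++}
++
++
+int main(int argc, const char *argv[])
+{
+struct pollfd pfd[2];
+@@ -428,6 +480,11 @@ int main(int argc, const char *argv[])
+}
+}
+
++ if (already_running()) {
++ msg(LOG_ERR, "fapolicyd is already running");
++ exit(1);
++ }
++
+// Set a couple signal handlers
+sa.sa_flags = 0;
+sigemptyset(&sa.sa_mask);
+@@ -446,9 +503,6 @@ int main(int argc, const char *argv[])
+setrlimit(RLIMIT_FSIZE, &limit);
+setrlimit(RLIMIT_NOFILE, &limit);
+
+- // Set strict umask
+- (void) umask( 0117 );
+-
+// get more time slices because everything is waiting on us
+rc = nice(-config.nice_val);
+if (rc == -1)
+@@ -473,17 +527,20 @@ int main(int argc, const char *argv[])
+exit(1);
+}
+
+- if (preconstruct_fifo(&config)) {
+- msg(LOG_ERR, "Cannot contruct a pipe");
+- exit(1);
+- }
+-
+// Setup filesystem to watch list
+init_fs_list(config.watch_fs);
+
+// Write the pid file for the init system
+write_pid_file();
+
++ // Set strict umask
++ (void) umask( 0117 );
++
++ if (preconstruct_fifo(&config)) {
++ msg(LOG_ERR, "Cannot contruct a pipe");
++ exit(1);
++ }
++
+// If we are not going to be root, then setup necessary capabilities
+if (config.uid != 0) {
+capng_clear(CAPNG_SELECT_BOTH);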
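Review bot: The presence check in `already_running()` is check-then-act on the pid file and is not atomic: two instances started at the same moment can both find no pid file (or both read the same stale one) and both continue, which is exactly the two-daemons condition the `err_out` comment warns about. A lock held for the daemon's lifetime (for example `flock()` on the pid file, or creating it with `O_CREAT|O_EXCL`) would make the exclusion authoritative; as written the function is a best-effort pre-check and the comment should say so. The `strstr(exe_buf, "fapolicyd")` test is a substring match, so a recycled PID now owned by a different binary whose path merely contains `fapolicyd` (such as `fapolicyd-cli`) is treated as a live daemon and start-up refuses with "fapolicyd is already running"; comparing the path's basename exactly would avoid that false positive. Note also that `write_pid_file()` now runs before `(void) umask( 0117 );`, so the pid file's mode follows the inherited umask rather than the daemon's strict one; if that is intended, a comment at the moved umask recording why would help (the rest of `main()` lies outside the hunk).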
1008
fapolicyd-exclude-list.patch
Normal file
1008
fapolicyd-exclude-list.patch
Normal file
File diff suppressed because it is too large
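--- a/fapolicyd-falcon-sensor.patch
+++ b/fapolicyd-falcon-sensor.patch
@@ -0,0 +1,79 @@
+From 2b13715219bbb6a84a73e007cea84f0d5d1d39ab Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Tue, 6 Dec 2022 15:09:44 +0100
+Subject: [PATCH] Extend new_event state machine
+
+- allow other opens before dynamic linker execution
+- split original STATE_REOPEN to the new STATE_REOPEN and STATE_DEFAULT_REOPEN
+
+- STATE_REOPEN now behaves as loop state for new opens (from the same subject),
+uses skip_path
+- STATE_DEFAULT_REOPEN is needed when dynamic linker is directly executed
+in such scenario we need to be sure that non of the following opens will
+skip the path
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+src/library/event.c | 16 ++++++++++++++++
+src/library/process.h | 3 ++-
+2 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/src/library/event.c b/src/library/event.c
+index 4d79eb98..649cb9d6 100644
+--- a/src/library/event.c
++++ b/src/library/event.c
+@@ -133,6 +133,12 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
+(e->type & FAN_OPEN_PERM) && !rc) {
+skip_path = 1;
+s->info->state = STATE_REOPEN;
++
++ // special branch after ld_so exec
++ // next opens will go fall trough
++ if (s->info->path1 &&
++ (strcmp(s->info->path1, SYSTEM_LD_SO) == 0))
++ s->info->state = STATE_DEFAULT_REOPEN;
+}
+
+// If not same proc or we detect execution, evict
+@@ -164,6 +170,7 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
+skip_path = 1;
+}
+
++
+// If we've seen the reopen and its an execute and process
+// has an interpreter and we're the same process, don't evict
+// and don't collect the path since reopen interp will. The
+@@ -172,10 +179,19 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
+if ((s->info->state == STATE_REOPEN) && !skip_path &&
+(e->type & FAN_OPEN_EXEC_PERM) &&
+(s->info->elf_info & HAS_INTERP) && !rc) {
++ s->info->state = STATE_DEFAULT_REOPEN;
+evict = 0;
+skip_path = 1;
+}
+
++ // this is how STATE_REOPEN and
++ // STATE_DEFAULT_REOPEN differs
++ // in STATE_REOPEN path is always skipped
++ if ((s->info->state == STATE_REOPEN) && !skip_path &&
++ (e->type & FAN_OPEN_PERM) && !rc) {
++ skip_path = 1;
++ }
++
+if (evict) {
+lru_evict(subj_cache, key);
+q_node = check_lru_cache(subj_cache, key);
+diff --git a/src/library/process.h b/src/library/process.h
+index daa9d0d0..a741d1ac 100644
+--- a/src/library/process.h
++++ b/src/library/process.h
+@@ -31,7 +31,8 @@
+#include "gcc-attributes.h"
+
+typedef enum { STATE_COLLECTING=0, // initial state - execute
+- STATE_REOPEN, // anticipating open perm next
++ STATE_REOPEN, // anticipating open perm next, always skips the path
++ STATE_DEFAULT_REOPEN, // reopen after dyn. linker exec, never skips the path
+STATE_STATIC_REOPEN, // static app aniticipating
+STATE_PARTIAL, // second path collected
+STATE_STATIC_PARTIAL, // second path collected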
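Review bot: The new comment `// next opens will go fall trough` in the first event.c hunk should read `// next opens will fall through`, and the patch description's `non of the following opens` should be `none of the following opens`. Inserting `STATE_DEFAULT_REOPEN` in the middle of the `typedef enum` in process.h renumbers `STATE_STATIC_REOPEN` and every later constant; that is harmless as long as the values are never persisted or compared numerically, but a one-line comment on the enum saying the order is free to change would record that assumption. The hunks that test `s->info->state == STATE_REOPEN` sit inside `new_event()`, whose body starts and ends outside the hunks, so any other comparison against `STATE_REOPEN` elsewhere in the function cannot be seen from here and should be confirmed to still want the old always-skip semantics rather than the new `STATE_DEFAULT_REOPEN` one.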
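--- a/fapolicyd-markfs-1.patch
+++ b/fapolicyd-markfs-1.patch
@@ -0,0 +1,170 @@
+From 2d15ea13e2a3dca1bb159f2cf031ca437c0b9aa1 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 27 Sep 2022 10:33:44 -0400
+Subject: [PATCH] Add support for using FAN_MARK_FILESYSTEM to see bind mounted
+accesses
+
+---
+ChangeLog | 1 +
+configure.ac | 1 +
+doc/fapolicyd.conf.5 | 5 ++++-
+init/fapolicyd.conf | 1 +
+src/daemon/notify.c | 12 ++++++++++--
+src/library/conf.h | 3 ++-
+src/library/daemon-config.c | 28 +++++++++++++++++++++++++++-
+7 files changed, 46 insertions(+), 5 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 4437685..a67c46b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -56,6 +56,7 @@ AC_CHECK_DECLS([FAN_OPEN_EXEC_PERM], [perm=yes], [perm=no], [[#include <linux/fa
+if test $perm = "no"; then
+AC_MSG_ERROR([FAN_OPEN_EXEC_PERM is not defined in linux/fanotify.h. It is required for the kernel to support it])
+fi
++AC_CHECK_DECLS([FAN_MARK_FILESYSTEM], [], [], [[#include <linux/fanotify.h>]])
+
+withval=""
+AC_ARG_WITH(rpm,
+diff --git a/doc/fapolicyd.conf.5 b/doc/fapolicyd.conf.5
+index 812cfa4..d8cb296 100644
+--- a/doc/fapolicyd.conf.5
++++ b/doc/fapolicyd.conf.5
+@@ -1,4 +1,4 @@
+-.TH FAPOLICYD.CONF: "6" "October 2021" "Red Hat" "System Administration Utilities"
++.TH FAPOLICYD.CONF: "6" "September 2022" "Red Hat" "System Administration Utilities"
+.SH NAME
+fapolicyd.conf \- fapolicyd configuration file
+.SH DESCRIPTION
+@@ -87,6 +87,9 @@ Example:
+.B rpm_sha256_only
+The option set to 1 forces the daemon to work only with SHA256 hashes. This is useful on the systems where the integrity is set to SHA256 or IMA and some rpms were originally built with e.g. SHA1. The daemon will ingore these SHA1 entries therefore they can be added manually via CLI with correct SHA256 to a trust file later. If set to 0 the daemon stores SHA1 in trustdb as well. This is compatible with older behavior which works with the integrity set to NONE and SIZE. The NONE or SIZE integrity setting considers the files installed via rpm as trusted and it does not care about their hashes at all. On the other hand the integrity set to SHA256 or IMA will never consider a file with SHA1 in trustdb as trusted. The default value is 0.
+
++.TP
++.B allow_filesystem_mark
++When this option is set to 1, it allows fapolicyd to monitor file access events on the underlying file system when they are bind mounted or are overlayed (e.g. the overlayfs). Normally they block fapolicyd from seeing events on the underlying file systems. This may or may not be desirable. For example, you might start seeing containers accessing things outside of the container but there is no source of trust for the container. In that case you probably do not want to see access from the container. Or maybe you do not use containers but want to control anything run by systemd-run when dynamic users are allowed. In that case you probably want to turn it on. Not all kernel's supoport this option. Therefore the default value is 0.
+
+.SH "SEE ALSO"
+.BR fapolicyd (8),
+diff --git a/init/fapolicyd.conf b/init/fapolicyd.conf
+index 42e8798..8363b89 100644
+--- a/init/fapolicyd.conf
++++ b/init/fapolicyd.conf
+@@ -18,3 +18,4 @@ trust = rpmdb,file
+integrity = none
+syslog_format = rule,dec,perm,auid,pid,exe,:,path,ftype,trust
+rpm_sha256_only = 0
++allow_filesystem_mark = 0
+diff --git a/src/daemon/notify.c b/src/daemon/notify.c
+index f550e99..c91abc4 100644
+--- a/src/daemon/notify.c
++++ b/src/daemon/notify.c
+@@ -123,8 +123,16 @@ int init_fanotify(const conf_t *conf, mlist *m)
+path = mlist_first(m);
+while (path) {
+retry_mark:
+- if (fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_MOUNT,
+- mask, -1, path) == -1) {
++ unsigned int flags = FAN_MARK_ADD;
++#ifdef HAVE_DECL_FAN_MARK_FILESYSTEM
++ if (conf->allow_filesystem_mark)
++ flags |= FAN_MARK_FILESYSTEM;
++#else
++ if (conf->allow_filesystem_mark)
++ msg(LOG_ERR,
++ "allow_filesystem_mark is unsupported for this kernel - ignoring");
++#endif
++ if (fanotify_mark(fd, flags, mask, -1, path) == -1) {
+/*
+* The FAN_OPEN_EXEC_PERM mask is not supported by
+* all kernel releases prior to 5.0. Retry setting
+diff --git a/src/library/conf.h b/src/library/conf.h
+index e774ff6..57c19a2 100644
+--- a/src/library/conf.h
++++ b/src/library/conf.h
+@@ -1,5 +1,5 @@
+/* conf.h configuration structure
+- * Copyright 2018-20 Red Hat Inc.
++ * Copyright 2018-20,22 Red Hat Inc.
+* All Rights Reserved.
+*
+* This program is free software; you can redistribute it and/or modify
+@@ -45,6 +45,7 @@ typedef struct conf
+integrity_t integrity;
+const char *syslog_format;
+unsigned int rpm_sha256_only;
++ unsigned int allow_filesystem_mark;
+} conf_t;
+
+#endif
+diff --git a/src/library/daemon-config.c b/src/library/daemon-config.c
+index e803e0b..89b7f68 100644
+--- a/src/library/daemon-config.c
++++ b/src/library/daemon-config.c
+@@ -1,7 +1,7 @@
+/*
+* daemon-config.c - This is a config file parser
+*
+- * Copyright 2018-21 Red Hat Inc.
++ * Copyright 2018-22 Red Hat Inc.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+@@ -92,6 +92,8 @@ static int syslog_format_parser(const struct nv_pair *nv, int line,
+conf_t *config);
+static int rpm_sha256_only_parser(const struct nv_pair *nv, int line,
+conf_t *config);
++static int fs_mark_parser(const struct nv_pair *nv, int line,
++ conf_t *config);
+
+static const struct kw_pair keywords[] =
+{
+@@ -110,6 +112,7 @@ static const struct kw_pair keywords[] =
+{"integrity", integrity_parser },
+{"syslog_format", syslog_format_parser },
+{"rpm_sha256_only", rpm_sha256_only_parser},
++ {"allow_filesystem_mark", fs_mark_parser },
+{ NULL, NULL }
+};
+
+@@ -138,6 +141,7 @@ static void clear_daemon_config(conf_t *config)
+config->syslog_format =
+strdup("rule,dec,perm,auid,pid,exe,:,path,ftype");
+config->rpm_sha256_only = 0;
++ config->allow_filesystem_mark = 0;
+}
+
+int load_daemon_config(conf_t *config)
+@@ -590,6 +594,7 @@ static int syslog_format_parser(const struct nv_pair *nv, int line,
+return 1;
+}
+
++
+static int rpm_sha256_only_parser(const struct nv_pair *nv, int line,
+conf_t *config)
+{
+@@ -607,3 +612,24 @@ static int rpm_sha256_only_parser(const struct nv_pair *nv, int line,
+
+return rc;
+}
++
++
++static int fs_mark_parser(const struct nv_pair *nv, int line,
++ conf_t *config)
++{
++ int rc = 0;
++#ifndef HAVE_DECL_FAN_MARK_FILESYSTEM
++ msg(LOG_WARNING,
++ "allow_filesystem_mark is unsupported on this kernel - ignoring");
++#else
++ rc = unsigned_int_parser(&(config->allow_filesystem_mark), nv->value, line);
++
++ if (rc == 0 && config->allow_filesystem_mark > 1) {
++ msg(LOG_WARNING,
++ "allow_filesystem_mark value reset to 0 - line %d", line);
++ config->allow_filesystem_mark = 0;
++ }
++#endif
++
++ return rc;
++}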
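Review bot: In the notify.c hunk the declaration `unsigned int flags = FAN_MARK_ADD;` directly follows the `retry_mark:` label; in C11/C17 a label must be followed by a statement, not a declaration (only C23 allows this), so the code relies on a compiler extension and older GCC releases reject it outright. Declaring `flags` above the label, or writing `retry_mark: ;` before it, keeps the function standard-conforming; the same construct is carried unchanged through the notify.c hunks of fapolicyd-markfs-2.patch, fapolicyd-markfs-3.patch and fapolicyd-markfs-4.patch. The diffstat in the patch header lists `ChangeLog | 1 +` but the body contains no ChangeLog hunk, so the "7 files changed" summary no longer describes the patch. In the new man page paragraph `supoport` should be `support` and `kernel's` should be `kernels`.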
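--- a/fapolicyd-markfs-2.patch
+++ b/fapolicyd-markfs-2.patch
@@ -0,0 +1,38 @@
+From ca225c8e83b37e5f29703d7352af0b937b2e933c Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 27 Sep 2022 19:41:24 -0400
+Subject: [PATCH] Correct the optional inclusion of code based on
+HAVE_DECL_FAN_MARK_FILESYSTEM
+
+---
+ChangeLog | 1 +
+src/daemon/notify.c | 2 +-
+src/library/daemon-config.c | 2 +-
+3 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/daemon/notify.c b/src/daemon/notify.c
+index c91abc4..f36b644 100644
+--- a/src/daemon/notify.c
++++ b/src/daemon/notify.c
+@@ -124,7 +124,7 @@ int init_fanotify(const conf_t *conf, mlist *m)
+while (path) {
+retry_mark:
+unsigned int flags = FAN_MARK_ADD;
+-#ifdef HAVE_DECL_FAN_MARK_FILESYSTEM
++#if HAVE_DECL_FAN_MARK_FILESYSTEM != 0
+if (conf->allow_filesystem_mark)
+flags |= FAN_MARK_FILESYSTEM;
+#else
+diff --git a/src/library/daemon-config.c b/src/library/daemon-config.c
+index 89b7f68..778b89a 100644
+--- a/src/library/daemon-config.c
++++ b/src/library/daemon-config.c
+@@ -618,7 +618,7 @@ static int fs_mark_parser(const struct nv_pair *nv, int line,
+conf_t *config)
+{
+int rc = 0;
+-#ifndef HAVE_DECL_FAN_MARK_FILESYSTEM
++#if HAVE_DECL_FAN_MARK_FILESYSTEM == 0
+msg(LOG_WARNING,
+"allow_filesystem_mark is unsupported on this kernel - ignoring");
+#else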
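--- a/fapolicyd-markfs-3.patch
+++ b/fapolicyd-markfs-3.patch
@@ -0,0 +1,53 @@
+From cd315ebb45e3a095f612ec0e03f606a5383c39ba Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Wed, 28 Sep 2022 16:36:28 -0400
+Subject: [PATCH] Add a check to see if they are defined before using them
+
+---
+src/daemon/notify.c | 2 +-
+src/library/daemon-config.c | 14 ++++++++------
+2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/daemon/notify.c b/src/daemon/notify.c
+index f36b644..3986390 100644
+--- a/src/daemon/notify.c
++++ b/src/daemon/notify.c
+@@ -124,7 +124,7 @@ int init_fanotify(const conf_t *conf, mlist *m)
+while (path) {
+retry_mark:
+unsigned int flags = FAN_MARK_ADD;
+-#if HAVE_DECL_FAN_MARK_FILESYSTEM != 0
++#if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
+if (conf->allow_filesystem_mark)
+flags |= FAN_MARK_FILESYSTEM;
+#else
+diff --git a/src/library/daemon-config.c b/src/library/daemon-config.c
+index 778b89a..ba8ade0 100644
+--- a/src/library/daemon-config.c
++++ b/src/library/daemon-config.c
+@@ -618,17 +618,19 @@ static int fs_mark_parser(const struct nv_pair *nv, int line,
+conf_t *config)
+{
+int rc = 0;
+-#if HAVE_DECL_FAN_MARK_FILESYSTEM == 0
+- msg(LOG_WARNING,
+- "allow_filesystem_mark is unsupported on this kernel - ignoring");
+-#else
+- rc = unsigned_int_parser(&(config->allow_filesystem_mark), nv->value, line);
++#if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
++ rc = unsigned_int_parser(&(config->allow_filesystem_mark),
++ nv->value, line);
+
+if (rc == 0 && config->allow_filesystem_mark > 1) {
+msg(LOG_WARNING,
+- "allow_filesystem_mark value reset to 0 - line %d", line);
++ "allow_filesystem_mark value reset to 0 - line %d",
++ line);
+config->allow_filesystem_mark = 0;
+}
++#else
++ msg(LOG_WARNING,
++ "allow_filesystem_mark is unsupported on this kernel - ignoring");
+#endif
+
+return rc;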
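--- a/fapolicyd-markfs-4.patch
+++ b/fapolicyd-markfs-4.patch
@@ -0,0 +1,29 @@
+From 194ac1b87ba46ea9e26a865e8432e228cf8fefef Mon Sep 17 00:00:00 2001
+From: Steven Brzozowski <stevenbrz8@gmail.com>
+Date: Thu, 20 Oct 2022 17:55:30 -0400
+Subject: [PATCH] Add `FAN_MARK_MOUNT` when opting out of `FAN_MARK_FILESYSTEM`
+(#210)
+
+Without `FAN_MARK_MOUNT`, fapolicyd will not receive events for any subdirectories specified by the path parameter.
+---
+src/daemon/notify.c | 3 +++
+1 file changed, 3 insertions(+)
+
+diff --git a/src/daemon/notify.c b/src/daemon/notify.c
+index 586b6df..5e4f160 100644
+--- a/src/daemon/notify.c
++++ b/src/daemon/notify.c
+@@ -128,10 +128,13 @@ int init_fanotify(const conf_t *conf, mlist *m)
+#if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
+if (conf->allow_filesystem_mark)
+flags |= FAN_MARK_FILESYSTEM;
++ else
++ flags |= FAN_MARK_MOUNT;
+#else
+if (conf->allow_filesystem_mark)
+msg(LOG_ERR,
+"allow_filesystem_mark is unsupported for this kernel - ignoring");
++ flags |= FAN_MARK_MOUNT;
+#endif
+if (fanotify_mark(fd, flags, mask, -1, path) == -1) {
+/*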
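Review bot: In the `#else` branch the newly added `flags |= FAN_MARK_MOUNT;` directly follows a brace-less `if (conf->allow_filesystem_mark) msg(LOG_ERR, ...)` whose body spans two lines, so a reader has to count statements to see that the OR is unconditional. Bracing the `if` body (`if (conf->allow_filesystem_mark) { msg(LOG_ERR, "..."); }`) before the unconditional line removes the ambiguity at no cost; `init_fanotify()` begins and ends outside the hunk.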
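--- a/fapolicyd-selinux-2.patch
+++ b/fapolicyd-selinux-2.patch
@@ -0,0 +1,19 @@
+diff -up ./fapolicyd-selinux-0.4/fapolicyd.te.selinux2 ./fapolicyd-selinux-0.4/fapolicyd.te
+--- ./fapolicyd-selinux-0.4/fapolicyd.te.selinux2 2022-11-11 10:46:51.016420807 +0100
++++ ./fapolicyd-selinux-0.4/fapolicyd.te 2022-11-11 10:47:25.161793205 +0100
+@@ -39,10 +39,15 @@ allow fapolicyd_t self:unix_dgram_socket
+
+gen_require(`
+attribute file_type;
++ attribute filesystem_type;
++ attribute mountpoint;
+')
+allow fapolicyd_t file_type:dir { watch_mount watch_with_perm };
+allow fapolicyd_t file_type:file { watch_mount watch_with_perm };
+
++allow fapolicyd_t filesystem_type : filesystem { watch };
++allow fapolicyd_t mountpoint : dir { watch_sb };
++
+manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
+logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
+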
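Review bot: The two new rules grant `watch` on every `filesystem_type` and `watch_sb` on every `mountpoint` directory without a comment tying them to the option they exist for; a line such as `# superblock-wide watches, needed for FAN_MARK_FILESYSTEM (allow_filesystem_mark = 1)` above them would tell a policy reviewer why a daemon that previously only needed `watch_mount` now needs this breadth. The `gen_require` of `filesystem_type` and `mountpoint` also makes the module depend on a base policy that defines both attributes and the `watch_sb` permission; if the packaging targets older policies as well, that requirement is worth stating in the same comment.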
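--- a/fapolicyd-static-app.patch
+++ b/fapolicyd-static-app.patch
@@ -0,0 +1,22 @@
+From 67c116d07ed4e73127392a2100a042882488585a Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 27 Sep 2022 10:32:28 -0400
+Subject: [PATCH] Detect trusted static apps running programs by ld.so
+
+---
+ChangeLog | 1 +
+src/library/event.c | 1 -
+2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/library/event.c b/src/library/event.c
+index cbb4292..4d79eb9 100644
+--- a/src/library/event.c
++++ b/src/library/event.c
+@@ -149,7 +149,6 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
+skip_path = 1;
+}
+evict = 0;
+- skip_path = 1;
+subject_reset(s, EXE);
+subject_reset(s, COMM);
+subject_reset(s, EXE_TYPE);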
@ -5,7 +5,7 @@
|
||||
Summary: Application Whitelisting Daemon
|
||||
Name: fapolicyd
|
||||
Version: 1.1.3
|
||||
Release: 102%{?dist}
|
||||
Release: 103%{?dist}
|
||||
License: GPLv3+
|
||||
URL: http://people.redhat.com/sgrubb/fapolicyd
|
||||
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
|
||||
@ -31,7 +31,7 @@ Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
||||
Patch1: fapolicyd-uthash-bundle.patch
|
||||
Patch2: fapolicyd-selinux.patch
|
||||
Patch2: fapolicyd-selinux-1.patch
|
||||
Patch3: fagenrules-group.patch
|
||||
Patch4: fapolicyd-fgets-update-thread.patch
|
||||
Patch5: fapolicyd-openssl.patch
|
||||
@ -40,6 +40,18 @@ Patch7: fapolicyd-cli-segfault.patch
|
||||
Patch8: fapolicyd-sighup.patch
|
||||
Patch9: fapolicyd-readme.patch
|
||||
|
||||
Patch10: fapolicyd-static-app.patch
|
||||
Patch11: fapolicyd-markfs-1.patch
|
||||
Patch12: fapolicyd-markfs-2.patch
|
||||
Patch13: fapolicyd-markfs-3.patch
|
||||
Patch14: fapolicyd-markfs-4.patch
|
||||
|
||||
Patch15: fapolicyd-selinux-2.patch
|
||||
|
||||
Patch16: fapolicyd-falcon-sensor.patch
|
||||
Patch17: fapolicyd-exclude-list.patch
|
||||
Patch18: fapolicyd-already-started.patch
|
||||
|
||||
%description
|
||||
Fapolicyd (File Access Policy Daemon) implements application whitelisting
|
||||
to decide file access rights. Applications that are known via a reputation
|
||||
@ -71,7 +83,7 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
|
||||
%patch1 -p1 -b .uthash
|
||||
%endif
|
||||
|
||||
%patch2 -p1 -b .selinux
|
||||
%patch2 -p1 -b .selinux1
|
||||
%patch3 -p1 -b .group
|
||||
%patch4 -p1 -b .update-thread
|
||||
%patch5 -p1 -b .openssl
|
||||
@ -80,6 +92,18 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
|
||||
%patch8 -p1 -b .sighup
|
||||
%patch9 -p1 -b .readme
|
||||
|
||||
%patch10 -p1 -b .static
|
||||
%patch11 -p1 -b .markfs1
|
||||
%patch12 -p1 -b .markfs2
|
||||
%patch13 -p1 -b .markfs3
|
||||
%patch14 -p1 -b .markfs4
|
||||
|
||||
%patch15 -p1 -b .selinux2
|
||||
|
||||
%patch16 -p1 -b .event
|
||||
%patch17 -p1 -b .exclude
|
||||
%patch18 -p1 -b .already-started
|
||||
|
||||
# generate rules for python
|
||||
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
|
||||
sed -i "s|%python3_path%|`readlink -f %{__python3}`|g" rules.d/*.rules
|
||||
@ -227,6 +251,7 @@ fi
|
||||
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/*
|
||||
%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
|
||||
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
|
||||
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rpm-filter.conf
|
||||
%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
|
||||
%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
|
||||
%attr(644,root,root) %{_unitdir}/%{name}.service
|
||||
@ -263,6 +288,17 @@ fi
|
||||
%selinux_relabel_post -s %{selinuxtype}
|
||||
|
||||
%changelog
|
||||
* Fri Jan 13 2023 Radovan Sroka <rsroka@redhat.com> - 1.1.3-103
|
||||
RHEL 9.2.0 ERRATUM
|
||||
- statically linked app can execute untrusted app
|
||||
Resolves: rhbz#2097077
|
||||
- fapolicyd ineffective with systemd DynamicUser=yes
|
||||
Resolves: rhbz#2136802
|
||||
- Starting manually fapolicyd while the service is already running breaks the system
|
||||
Resolves: rhbz#2160517
|
||||
- Cannot execute /usr/libexec/grepconf.sh when falcon-sensor is enabled
|
||||
Resolves: rhbz#2160518
|
||||
|
||||
* Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-102
|
||||
RHEL 9.1.0 ERRATUM
|
||||
- rebase fapolicyd to the latest stable vesion
|
||||
|