import fapolicyd-1.1.3-102.el9
parent
24927c172e
commit
dae0fc63cd
@ -1,3 +1,3 @@
|
|||||||
1fa6cf3f0a15bbef745438c1ba7b685ebf7e75f1 SOURCES/fapolicyd-1.1.tar.gz
|
3887d3f97a4f506ad6bf7dcef36b01cc7897a692 SOURCES/fapolicyd-1.1.3.tar.gz
|
||||||
bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz
|
bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz
|
||||||
fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz
|
fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz
|
||||||
|
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,3 +1,3 @@
|
|||||||
SOURCES/fapolicyd-1.1.tar.gz
|
SOURCES/fapolicyd-1.1.3.tar.gz
|
||||||
SOURCES/fapolicyd-selinux-0.4.tar.gz
|
SOURCES/fapolicyd-selinux-0.4.tar.gz
|
||||||
SOURCES/uthash-2.3.0.tar.gz
|
SOURCES/uthash-2.3.0.tar.gz
|
||||||
|
@ -1,27 +0,0 @@
|
|||||||
diff -urp fapolicyd-1.1.1.orig/fapolicyd.spec fapolicyd-1.1.1/fapolicyd.spec
|
|
||||||
--- fapolicyd-1.1.1.orig/fapolicyd.spec 2022-01-28 15:17:55.000000000 -0500
|
|
||||||
+++ fapolicyd-1.1.1/fapolicyd.spec 2022-01-28 15:19:31.594155397 -0500
|
|
||||||
@@ -30,7 +30,7 @@ makes use of the kernel's fanotify inter
|
|
||||||
# generate rules for python
|
|
||||||
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
|
|
||||||
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
|
|
||||||
-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
|
|
||||||
+sed -i "s/%ld_so_path%/`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
|
|
||||||
|
|
||||||
%build
|
|
||||||
%configure \
|
|
||||||
diff -urp fapolicyd-1.1.1.orig/m4/dyn_linker.m4 fapolicyd-1.1.1/m4/dyn_linker.m4
|
|
||||||
--- fapolicyd-1.1.1.orig/m4/dyn_linker.m4 2022-01-28 15:17:55.000000000 -0500
|
|
||||||
+++ fapolicyd-1.1.1/m4/dyn_linker.m4 2022-01-28 15:20:02.048609672 -0500
|
|
||||||
@@ -1,6 +1,10 @@
|
|
||||||
AC_DEFUN([LD_SO_PATH],
|
|
||||||
[
|
|
||||||
- xpath=`realpath /usr/lib64/ld-2.*.so`
|
|
||||||
+ xpath1=`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev`
|
|
||||||
+ xpath=`realpath $xpath1`
|
|
||||||
+ if test ! -f "$xpath" ; then
|
|
||||||
+ AC_MSG_ERROR([Cant find the dynamic linker])
|
|
||||||
+ fi
|
|
||||||
echo "dynamic linker is.....$xpath"
|
|
||||||
AC_DEFINE_UNQUOTED(SYSTEM_LD_SO, ["$xpath"], [dynamic linker])
|
|
||||||
])
|
|
@ -1,19 +0,0 @@
|
|||||||
diff -urp fapolicyd-1.1.1.orig/src/library/event.c fapolicyd-1.1.1/src/library/event.c
|
|
||||||
--- fapolicyd-1.1.1.orig/src/library/event.c 2022-01-28 15:23:58.000000000 -0500
|
|
||||||
+++ fapolicyd-1.1.1/src/library/event.c 2022-01-30 20:11:05.516785465 -0500
|
|
||||||
@@ -140,7 +140,14 @@ int new_event(const struct fanotify_even
|
|
||||||
|
|
||||||
// We need to reset everything now that execve has finished
|
|
||||||
if (s->info->state == STATE_STATIC_PARTIAL && !rc) {
|
|
||||||
- s->info->state = STATE_STATIC;
|
|
||||||
+ // If the static app itself launches an app right
|
|
||||||
+ // away, go back to collecting.
|
|
||||||
+ if (e->type & FAN_OPEN_EXEC_PERM)
|
|
||||||
+ s->info->state = STATE_COLLECTING;
|
|
||||||
+ else {
|
|
||||||
+ s->info->state = STATE_STATIC;
|
|
||||||
+ skip_path = 1;
|
|
||||||
+ }
|
|
||||||
evict = 0;
|
|
||||||
skip_path = 1;
|
|
||||||
subject_reset(s, EXE);
|
|
11
SOURCES/fapolicyd-cli-segfault.patch
Normal file
11
SOURCES/fapolicyd-cli-segfault.patch
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
diff -up ./src/cli/fapolicyd-cli.c.segfault ./src/cli/fapolicyd-cli.c
|
||||||
|
--- ./src/cli/fapolicyd-cli.c.segfault 2022-08-03 17:51:54.903081124 +0200
|
||||||
|
+++ ./src/cli/fapolicyd-cli.c 2022-08-03 17:55:18.256458750 +0200
|
||||||
|
@@ -77,6 +77,7 @@ static struct option long_opts[] =
|
||||||
|
{"ftype", 1, NULL, 't'},
|
||||||
|
{"list", 0, NULL, 'l'},
|
||||||
|
{"update", 0, NULL, 'u'},
|
||||||
|
+ {NULL, 0, NULL, 0 }
|
||||||
|
};
|
||||||
|
|
||||||
|
static const char *_pipe = "/run/fapolicyd/fapolicyd.fifo";
|
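Review bot: The new `{NULL, 0, NULL, 0 }` sentinel at the end of long_opts carries no comment saying why it is required, so a later edit could drop it again without anyone noticing the segfault coming back. Suggest `{NULL, 0, NULL, 0}  // getopt_long(3) stops at a zero-filled element; without it an unknown long option walks off the array` on that line, which also drops the stray space before the brace to match the entries above it. The long_opts array starts before the hunk.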
215
SOURCES/fapolicyd-fgets-update-thread.patch
Normal file
215
SOURCES/fapolicyd-fgets-update-thread.patch
Normal file
@ -0,0 +1,215 @@
|
|||||||
|
diff -up ./src/cli/fapolicyd-cli.c.upgrade-thread ./src/cli/fapolicyd-cli.c
|
||||||
|
--- ./src/cli/fapolicyd-cli.c.upgrade-thread 2022-08-03 18:00:02.374999369 +0200
|
||||||
|
+++ ./src/cli/fapolicyd-cli.c 2022-08-03 18:00:09.802830497 +0200
|
||||||
|
@@ -482,7 +482,7 @@ static int do_update(void)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- ssize_t ret = write(fd, "1", 2);
|
||||||
|
+ ssize_t ret = write(fd, "1\n", 3);
|
||||||
|
|
||||||
|
if (ret == -1) {
|
||||||
|
fprintf(stderr, "Write: %s -> %s\n", _pipe, strerror(errno));
|
||||||
|
diff -up ./src/library/database.c.upgrade-thread ./src/library/database.c
|
||||||
|
--- ./src/library/database.c.upgrade-thread 2022-06-21 16:55:47.000000000 +0200
|
||||||
|
+++ ./src/library/database.c 2022-08-03 17:58:04.034689808 +0200
|
||||||
|
@@ -34,6 +34,7 @@
|
||||||
|
#include <errno.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
+#include <ctype.h>
|
||||||
|
#include <gcrypt.h>
|
||||||
|
#include <signal.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
@@ -43,6 +44,7 @@
|
||||||
|
#include "message.h"
|
||||||
|
#include "llist.h"
|
||||||
|
#include "file.h"
|
||||||
|
+#include "fd-fgets.h"
|
||||||
|
|
||||||
|
#include "fapolicyd-backend.h"
|
||||||
|
#include "backend-manager.h"
|
||||||
|
@@ -1181,6 +1183,7 @@ static void *update_thread_main(void *ar
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ fcntl(ffd[0].fd, F_SETFL, O_NONBLOCK);
|
||||||
|
ffd[0].events = POLLIN;
|
||||||
|
|
||||||
|
while (!stop) {
|
||||||
|
@@ -1200,97 +1203,102 @@ static void *update_thread_main(void *ar
|
||||||
|
} else {
|
||||||
|
msg(LOG_ERR, "Update poll error (%s)",
|
||||||
|
strerror_r(errno, err_buff, BUFFER_SIZE));
|
||||||
|
- goto err_out;
|
||||||
|
+ goto finalize;
|
||||||
|
}
|
||||||
|
} else if (rc == 0) {
|
||||||
|
#ifdef DEBUG
|
||||||
|
msg(LOG_DEBUG, "Update poll timeout expired");
|
||||||
|
#endif
|
||||||
|
- if (db_operation != DB_NO_OP)
|
||||||
|
- goto handle_db_ops;
|
||||||
|
continue;
|
||||||
|
} else {
|
||||||
|
if (ffd[0].revents & POLLIN) {
|
||||||
|
- ssize_t count = read(ffd[0].fd, buff,
|
||||||
|
- BUFFER_SIZE-1);
|
||||||
|
|
||||||
|
- if (count == -1) {
|
||||||
|
- msg(LOG_ERR,
|
||||||
|
- "Failed to read from a pipe %s (%s)",
|
||||||
|
- fifo_path,
|
||||||
|
- strerror_r(errno, err_buff,
|
||||||
|
- BUFFER_SIZE));
|
||||||
|
- goto err_out;
|
||||||
|
- }
|
||||||
|
+ do {
|
||||||
|
+ fd_fgets_rewind();
|
||||||
|
+ int res = fd_fgets(buff, sizeof(buff), ffd[0].fd);
|
||||||
|
|
||||||
|
- if (count == 0) {
|
||||||
|
-#ifdef DEBUG
|
||||||
|
- msg(LOG_DEBUG,
|
||||||
|
- "Buffer contains zero bytes!");
|
||||||
|
-#endif
|
||||||
|
- continue;
|
||||||
|
- } else // Manually terminate buff
|
||||||
|
- buff[count] = 0;
|
||||||
|
-#ifdef DEBUG
|
||||||
|
- msg(LOG_DEBUG, "Buffer contains: \"%s\"", buff);
|
||||||
|
-#endif
|
||||||
|
- for (int i = 0 ; i < count ; i++) {
|
||||||
|
- // assume file name
|
||||||
|
- // operation = 0
|
||||||
|
- if (buff[i] == '/') {
|
||||||
|
- db_operation = ONE_FILE;
|
||||||
|
+ // nothing to read
|
||||||
|
+ if (res == -1)
|
||||||
|
break;
|
||||||
|
- }
|
||||||
|
+ else if (res > 0) {
|
||||||
|
+ char* end = strchr(buff, '\n');
|
||||||
|
|
||||||
|
- if (buff[i] == '1') {
|
||||||
|
- db_operation = RELOAD_DB;
|
||||||
|
- break;
|
||||||
|
+ if (end == NULL) {
|
||||||
|
+ msg(LOG_ERR, "Too long line?");
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ int count = end - buff;
|
||||||
|
+
|
||||||
|
+ *end = '\0';
|
||||||
|
+
|
||||||
|
+ for (int i = 0 ; i < count ; i++) {
|
||||||
|
+ // assume file name
|
||||||
|
+ // operation = 0
|
||||||
|
+ if (buff[i] == '/') {
|
||||||
|
+ db_operation = ONE_FILE;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (buff[i] == '1') {
|
||||||
|
+ db_operation = RELOAD_DB;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (buff[i] == '2') {
|
||||||
|
+ db_operation = FLUSH_CACHE;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (isspace(buff[i]))
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
+ msg(LOG_ERR, "Cannot handle data \"%s\" from pipe", buff);
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ *end = '\n';
|
||||||
|
+
|
||||||
|
+ // got "1" -> reload db
|
||||||
|
+ if (db_operation == RELOAD_DB) {
|
||||||
|
+ db_operation = DB_NO_OP;
|
||||||
|
+ msg(LOG_INFO,
|
||||||
|
+ "It looks like there was an update of the system... Syncing DB.");
|
||||||
|
+
|
||||||
|
+ backend_close();
|
||||||
|
+ backend_init(config);
|
||||||
|
+ backend_load(config);
|
||||||
|
+
|
||||||
|
+ if ((rc = update_database(config))) {
|
||||||
|
+ msg(LOG_ERR,
|
||||||
|
+ "Cannot update trust database!");
|
||||||
|
+ close(ffd[0].fd);
|
||||||
|
+ backend_close();
|
||||||
|
+ unlink_fifo();
|
||||||
|
+ exit(rc);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ msg(LOG_INFO, "Updated");
|
||||||
|
+
|
||||||
|
+ // Conserve memory
|
||||||
|
+ backend_close();
|
||||||
|
+ // got "2" -> flush cache
|
||||||
|
+ } else if (db_operation == FLUSH_CACHE) {
|
||||||
|
+ db_operation = DB_NO_OP;
|
||||||
|
+ needs_flush = true;
|
||||||
|
+ } else if (db_operation == ONE_FILE) {
|
||||||
|
+ db_operation = DB_NO_OP;
|
||||||
|
+ if (handle_record(buff))
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (buff[i] == '2') {
|
||||||
|
- db_operation = FLUSH_CACHE;
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
-handle_db_ops:
|
||||||
|
- // got "1" -> reload db
|
||||||
|
- if (db_operation == RELOAD_DB) {
|
||||||
|
- db_operation = DB_NO_OP;
|
||||||
|
- msg(LOG_INFO,
|
||||||
|
- "It looks like there was an update of the system... Syncing DB.");
|
||||||
|
-
|
||||||
|
- backend_close();
|
||||||
|
- backend_init(config);
|
||||||
|
- backend_load(config);
|
||||||
|
-
|
||||||
|
- if ((rc = update_database(config))) {
|
||||||
|
- msg(LOG_ERR,
|
||||||
|
- "Cannot update trust database!");
|
||||||
|
- close(ffd[0].fd);
|
||||||
|
- backend_close();
|
||||||
|
- unlink_fifo();
|
||||||
|
- exit(rc);
|
||||||
|
- } else
|
||||||
|
- msg(LOG_INFO, "Updated");
|
||||||
|
-
|
||||||
|
- // Conserve memory
|
||||||
|
- backend_close();
|
||||||
|
- // got "2" -> flush cache
|
||||||
|
- } else if (db_operation == FLUSH_CACHE) {
|
||||||
|
- db_operation = DB_NO_OP;
|
||||||
|
- needs_flush = true;
|
||||||
|
- } else if (db_operation == ONE_FILE) {
|
||||||
|
- db_operation = DB_NO_OP;
|
||||||
|
- if (handle_record(buff))
|
||||||
|
- continue;
|
||||||
|
- }
|
||||||
|
+ } while(!fd_fgets_eof());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
-
|
||||||
|
}
|
||||||
|
|
||||||
|
-err_out:
|
||||||
|
+finalize:
|
||||||
|
close(ffd[0].fd);
|
||||||
|
unlink_fifo();
|
||||||
|
|
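Review bot: `fcntl(ffd[0].fd, F_SETFL, O_NONBLOCK);` in the update_thread_main hunk replaces the descriptor's status flags instead of OR-ing into them and ignores the return value, so a failure leaves the FIFO blocking and the new `do { … } while(!fd_fgets_eof())` loop can presumably stall the update thread on the next fd_fgets(). Suggest `int fl = fcntl(ffd[0].fd, F_GETFL);` followed by `if (fl == -1 || fcntl(ffd[0].fd, F_SETFL, fl | O_NONBLOCK) == -1) { msg(LOG_ERR, "Cannot make pipe non-blocking (%s)", strerror_r(errno, err_buff, BUFFER_SIZE)); goto finalize; }`, which reuses the `finalize:` label this same patch introduces. In the parsing hunk, `isspace(buff[i])` is handed a plain char read from the FIFO; a byte at or above 0x80 makes that undefined behaviour where char is signed, so write `isspace((unsigned char)buff[i])`. `int count = end - buff;` also narrows a ptrdiff_t, harmless at BUFFER_SIZE but better typed as `size_t` or `ptrdiff_t`. update_thread_main begins and ends outside these hunks.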
195
SOURCES/fapolicyd-openssl.patch
Normal file
195
SOURCES/fapolicyd-openssl.patch
Normal file
@ -0,0 +1,195 @@
|
|||||||
|
diff -up ./BUILD.md.openssl ./BUILD.md
|
||||||
|
--- ./BUILD.md.openssl 2022-06-21 16:55:47.000000000 +0200
|
||||||
|
+++ ./BUILD.md 2022-08-02 14:10:48.092466542 +0200
|
||||||
|
@@ -16,7 +16,8 @@ BUILD-TIME DEPENDENCIES (fedora and RHEL
|
||||||
|
* libudev-devel
|
||||||
|
* kernel-headers
|
||||||
|
* systemd-devel
|
||||||
|
-* libgcrypt-devel
|
||||||
|
+* libgcrypt-devel ( <= fapolicyd-1.1.3)
|
||||||
|
+* openssl ( >= fapolicyd-1.1.4)
|
||||||
|
* rpm-devel (optional)
|
||||||
|
* file
|
||||||
|
* file-devel
|
||||||
|
diff -U0 ./ChangeLog.openssl ./ChangeLog
|
||||||
|
diff -up ./configure.ac.openssl ./configure.ac
|
||||||
|
--- ./configure.ac.openssl 2022-06-21 16:55:47.000000000 +0200
|
||||||
|
+++ ./configure.ac 2022-08-02 14:10:48.092466542 +0200
|
||||||
|
@@ -87,7 +87,7 @@ AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERRO
|
||||||
|
echo .
|
||||||
|
echo Checking for required libraries
|
||||||
|
AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
|
||||||
|
-AC_CHECK_LIB(gcrypt, gcry_md_open, , [AC_MSG_ERROR([libgcrypt not found])], -lgcrypt)
|
||||||
|
+AC_CHECK_LIB(crypto, SHA256, , [AC_MSG_ERROR([openssl libcrypto not found])], -lcrypto)
|
||||||
|
AC_CHECK_LIB(magic, magic_descriptor, , [AC_MSG_ERROR([libmagic not found])], -lmagic)
|
||||||
|
AC_CHECK_LIB(cap-ng, capng_change_id, , [AC_MSG_ERROR([libcap-ng not found])], -lcap-ng)
|
||||||
|
AC_CHECK_LIB(seccomp, seccomp_rule_add, , [AC_MSG_ERROR([libseccomp not found])], -lseccomp)
|
||||||
|
diff -up ./fapolicyd.spec.openssl ./fapolicyd.spec
|
||||||
|
--- ./fapolicyd.spec.openssl 2022-06-21 16:55:47.000000000 +0200
|
||||||
|
+++ ./fapolicyd.spec 2022-08-02 14:10:48.092466542 +0200
|
||||||
|
@@ -8,7 +8,7 @@ Source0: https://people.redhat.com/sgrub
|
||||||
|
BuildRequires: gcc
|
||||||
|
BuildRequires: kernel-headers
|
||||||
|
BuildRequires: autoconf automake make gcc libtool
|
||||||
|
-BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
|
||||||
|
+BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file
|
||||||
|
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
|
||||||
|
BuildRequires: python3-devel
|
||||||
|
BuildRequires: uthash-devel
|
||||||
|
diff -up ./src/cli/fapolicyd-cli.c.openssl ./src/cli/fapolicyd-cli.c
|
||||||
|
--- ./src/cli/fapolicyd-cli.c.openssl 2022-06-21 16:55:47.000000000 +0200
|
||||||
|
+++ ./src/cli/fapolicyd-cli.c 2022-08-02 14:10:48.093466520 +0200
|
||||||
|
@@ -39,7 +39,6 @@
|
||||||
|
#include <stdatomic.h>
|
||||||
|
#include <lmdb.h>
|
||||||
|
#include <limits.h>
|
||||||
|
-#include <gcrypt.h>
|
||||||
|
#include "policy.h"
|
||||||
|
#include "database.h"
|
||||||
|
#include "file-cli.h"
|
||||||
|
@@ -670,11 +669,6 @@ static int check_trustdb(void)
|
||||||
|
if (rc)
|
||||||
|
return 1;
|
||||||
|
|
||||||
|
- // Initialize libgcrypt
|
||||||
|
- gcry_check_version(NULL);
|
||||||
|
- gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
|
||||||
|
- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
|
||||||
|
-
|
||||||
|
do {
|
||||||
|
unsigned int tsource; // unused
|
||||||
|
off_t size;
|
||||||
|
diff -up ./src/library/database.c.openssl ./src/library/database.c
|
||||||
|
--- ./src/library/database.c.openssl 2022-08-02 14:10:48.090466587 +0200
|
||||||
|
+++ ./src/library/database.c 2022-08-02 14:13:11.995236110 +0200
|
||||||
|
@@ -35,7 +35,7 @@
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <ctype.h>
|
||||||
|
-#include <gcrypt.h>
|
||||||
|
+#include <openssl/sha.h>
|
||||||
|
#include <signal.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
@@ -244,26 +244,18 @@ static void abort_transaction(MDB_txn *t
|
||||||
|
static char *path_to_hash(const char *path, const size_t path_len) MALLOCLIKE;
|
||||||
|
static char *path_to_hash(const char *path, const size_t path_len)
|
||||||
|
{
|
||||||
|
- gcry_md_hd_t h;
|
||||||
|
- unsigned int len;
|
||||||
|
- unsigned char *hptr;
|
||||||
|
+ unsigned char hptr[80];
|
||||||
|
char *digest;
|
||||||
|
|
||||||
|
- if (gcry_md_open(&h, GCRY_MD_SHA512, GCRY_MD_FLAG_SECURE))
|
||||||
|
+ if (path_len == 0)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
- gcry_md_write(h, path, path_len);
|
||||||
|
- hptr = gcry_md_read(h, GCRY_MD_SHA512);
|
||||||
|
-
|
||||||
|
- len = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * sizeof(char);
|
||||||
|
- digest = malloc((2 * len) + 1);
|
||||||
|
- if (digest == NULL) {
|
||||||
|
- gcry_md_close(h);
|
||||||
|
+ SHA512((unsigned char *)path, path_len, (unsigned char *)&hptr);
|
||||||
|
+ digest = malloc((SHA512_LEN * 2) + 1);
|
||||||
|
+ if (digest == NULL)
|
||||||
|
return digest;
|
||||||
|
- }
|
||||||
|
|
||||||
|
- bytes2hex(digest, hptr, len);
|
||||||
|
- gcry_md_close(h);
|
||||||
|
+ bytes2hex(digest, hptr, SHA512_LEN);
|
||||||
|
|
||||||
|
return digest;
|
||||||
|
}
|
||||||
|
@@ -296,7 +288,7 @@ static int write_db(const char *idx, con
|
||||||
|
if (hash == NULL)
|
||||||
|
return 5;
|
||||||
|
key.mv_data = (void *)hash;
|
||||||
|
- key.mv_size = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * 2 + 1;
|
||||||
|
+ key.mv_size = (SHA512_LEN * 2) + 1;
|
||||||
|
} else {
|
||||||
|
key.mv_data = (void *)idx;
|
||||||
|
key.mv_size = len;
|
||||||
|
@@ -416,7 +408,7 @@ static char *lt_read_db(const char *inde
|
||||||
|
if (hash == NULL)
|
||||||
|
return NULL;
|
||||||
|
key.mv_data = (void *)hash;
|
||||||
|
- key.mv_size = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * 2 + 1;
|
||||||
|
+ key.mv_size = (SHA512_LEN * 2) + 1;
|
||||||
|
} else {
|
||||||
|
key.mv_data = (void *)index;
|
||||||
|
key.mv_size = len;
|
||||||
|
diff -up ./src/library/file.c.openssl ./src/library/file.c
|
||||||
|
--- ./src/library/file.c.openssl 2022-06-21 16:55:47.000000000 +0200
|
||||||
|
+++ ./src/library/file.c 2022-08-02 14:10:48.094466497 +0200
|
||||||
|
@@ -31,7 +31,7 @@
|
||||||
|
#include <sys/stat.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
-#include <gcrypt.h>
|
||||||
|
+#include <openssl/sha.h>
|
||||||
|
#include <magic.h>
|
||||||
|
#include <libudev.h>
|
||||||
|
#include <elf.h>
|
||||||
|
@@ -51,7 +51,6 @@ static struct udev *udev;
|
||||||
|
magic_t magic_cookie;
|
||||||
|
struct cache { dev_t device; const char *devname; };
|
||||||
|
static struct cache c = { 0, NULL };
|
||||||
|
-static size_t hash_size = 32; // init so cli doesn't need to call file_init
|
||||||
|
|
||||||
|
// readelf -l path-to-app | grep 'Requesting' | cut -d':' -f2 | tr -d ' ]';
|
||||||
|
static const char *interpreters[] = {
|
||||||
|
@@ -96,12 +95,6 @@ void file_init(void)
|
||||||
|
msg(LOG_ERR, "Unable to load magic database");
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
-
|
||||||
|
- // Initialize libgcrypt
|
||||||
|
- gcry_check_version(NULL);
|
||||||
|
- gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
|
||||||
|
- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
|
||||||
|
- hash_size = gcry_md_get_algo_dlen(GCRY_MD_SHA256) * sizeof(char);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@@ -445,12 +438,12 @@ char *get_hash_from_fd2(int fd, size_t s
|
||||||
|
if (mapped != MAP_FAILED) {
|
||||||
|
unsigned char hptr[40];
|
||||||
|
|
||||||
|
- gcry_md_hash_buffer(GCRY_MD_SHA256, &hptr, mapped, size);
|
||||||
|
+ SHA256(mapped, size, (unsigned char *)&hptr);
|
||||||
|
munmap(mapped, size);
|
||||||
|
- digest = malloc(65);
|
||||||
|
+ digest = malloc((SHA256_LEN * 2) + 1);
|
||||||
|
|
||||||
|
// Convert to ASCII string
|
||||||
|
- bytes2hex(digest, hptr, hash_size);
|
||||||
|
+ bytes2hex(digest, hptr, SHA256_LEN);
|
||||||
|
}
|
||||||
|
return digest;
|
||||||
|
}
|
||||||
|
@@ -476,7 +469,7 @@ int get_ima_hash(int fd, char *sha)
|
||||||
|
}
|
||||||
|
|
||||||
|
// Looks like it what we want...
|
||||||
|
- bytes2hex(sha, &tmp[2], 32);
|
||||||
|
+ bytes2hex(sha, &tmp[2], SHA256_LEN);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff -up ./src/library/file.h.openssl ./src/library/file.h
|
||||||
|
--- ./src/library/file.h.openssl 2022-06-21 16:55:47.000000000 +0200
|
||||||
|
+++ ./src/library/file.h 2022-08-02 14:10:48.094466497 +0200
|
||||||
|
@@ -40,6 +40,9 @@ struct file_info
|
||||||
|
struct timespec time;
|
||||||
|
};
|
||||||
|
|
||||||
|
+#define SHA256_LEN 32
|
||||||
|
+#define SHA512_LEN 64
|
||||||
|
+
|
||||||
|
void file_init(void);
|
||||||
|
void file_close(void);
|
||||||
|
struct file_info *stat_file_entry(int fd) MALLOCLIKE;
|
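Review bot: In the get_hash_from_fd2 hunk the new `digest = malloc((SHA256_LEN * 2) + 1);` is still followed by `bytes2hex(digest, hptr, SHA256_LEN);` with no NULL check, so an allocation failure becomes a write through a null pointer; path_to_hash in the same patch checks its malloc, and this site should match it with `if (digest) bytes2hex(digest, hptr, SHA256_LEN);` (the function already returns `digest`, so the caller sees NULL, which it presumably must already handle for the mmap-failure path). The scratch buffers are sized by hand (`unsigned char hptr[80]`, `hptr[40]`) and the new `SHA256_LEN`/`SHA512_LEN` macros duplicate `SHA256_DIGEST_LENGTH`/`SHA512_DIGEST_LENGTH` from <openssl/sha.h>, which would tie the sizes to the library rather than to constants kept in sync by hand; `(unsigned char *)&hptr` can also simply be `hptr`. The one-shot `SHA256()`/`SHA512()` entry points are marked deprecated in OpenSSL 3.0, which is what the el9 target of this import ships, so the build will likely emit -Wdeprecated-declarations warnings until the calls move to EVP_Digest(). get_hash_from_fd2 begins outside its hunk.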
30
SOURCES/fapolicyd-readme.patch
Normal file
30
SOURCES/fapolicyd-readme.patch
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
From b4618d133f473b9bbc36f2a5e94b8b0f257ba3e0 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Radovan Sroka <rsroka@redhat.com>
|
||||||
|
Date: Fri, 5 Aug 2022 14:49:30 +0200
|
||||||
|
Subject: [PATCH] Add mention that using of names requires name resolution
|
||||||
|
|
||||||
|
- using of user and group names as uid and gid attributes
|
||||||
|
requires correct name resolution
|
||||||
|
|
||||||
|
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
|
||||||
|
---
|
||||||
|
README.md | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/README.md b/README.md
|
||||||
|
index d932e00..abc5eee 100644
|
||||||
|
--- a/README.md
|
||||||
|
+++ b/README.md
|
||||||
|
@@ -131,6 +131,12 @@ You can similarly do this for trusted users that have to execute things in
|
||||||
|
the home dir. You can create a trusted_user group, add them the group,
|
||||||
|
and then write a rule allowing them to execute from their home dir.
|
||||||
|
|
||||||
|
+When you want to use user or group name (as a string). You have to guarantee
|
||||||
|
+that these names were correctly resolved. In case of systemd, you need to add
|
||||||
|
+a new after target 'After=nss-user-lookup.target'.
|
||||||
|
+To achieve that you can use `systemctl edit --full fapolicyd`,
|
||||||
|
+uncomment the respective line and save the change.
|
||||||
|
+
|
||||||
|
```
|
||||||
|
allow perm=any gid=trusted_user : ftype=%languages dir=/home
|
||||||
|
deny_audit perm=any all : ftype=%languages dir=/home
|
@ -1,109 +0,0 @@
|
|||||||
From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Radovan Sroka <rsroka@redhat.com>
|
|
||||||
Date: Thu, 24 Mar 2022 09:59:05 +0100
|
|
||||||
Subject: [PATCH] Reorder loop holes with patterns in rules.d
|
|
||||||
|
|
||||||
- this keeps backwards compatibility with older wersions of rules
|
|
||||||
- the ld_so pattern was applied to root
|
|
||||||
- it caused problems with running ldd as root(previously unrestricted)
|
|
||||||
|
|
||||||
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
|
|
||||||
---
|
|
||||||
fapolicyd.spec | 6 +++---
|
|
||||||
rules.d/{30-dracut.rules => 20-dracut.rules} | 0
|
|
||||||
rules.d/{30-updaters.rules => 21-updaters.rules} | 0
|
|
||||||
rules.d/{20-patterns.rules => 30-patterns.rules} | 0
|
|
||||||
rules.d/Makefile.am | 4 ++--
|
|
||||||
rules.d/README-rules | 16 ++++++++--------
|
|
||||||
6 files changed, 13 insertions(+), 13 deletions(-)
|
|
||||||
rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%)
|
|
||||||
rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%)
|
|
||||||
rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%)
|
|
||||||
|
|
||||||
diff --git a/fapolicyd.spec b/fapolicyd.spec
|
|
||||||
index c2aae21..261b780 100644
|
|
||||||
--- a/fapolicyd.spec
|
|
||||||
+++ b/fapolicyd.spec
|
|
||||||
@@ -66,9 +66,9 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
|
|
||||||
if [ "$files" -eq 0 ] ; then
|
|
||||||
## Install the known libs policy
|
|
||||||
cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/
|
|
||||||
-cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
|
|
||||||
-cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
|
|
||||||
-cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/
|
|
||||||
+cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/
|
|
||||||
+cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/
|
|
||||||
+cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/
|
|
||||||
cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/
|
|
||||||
cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/
|
|
||||||
cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/
|
|
||||||
diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules
|
|
||||||
similarity index 100%
|
|
||||||
rename from rules.d/30-dracut.rules
|
|
||||||
rename to rules.d/20-dracut.rules
|
|
||||||
diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules
|
|
||||||
similarity index 100%
|
|
||||||
rename from rules.d/30-updaters.rules
|
|
||||||
rename to rules.d/21-updaters.rules
|
|
||||||
diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules
|
|
||||||
similarity index 100%
|
|
||||||
rename from rules.d/20-patterns.rules
|
|
||||||
rename to rules.d/30-patterns.rules
|
|
||||||
diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am
|
|
||||||
index 76b5377..9bb61a7 100644
|
|
||||||
--- a/rules.d/Makefile.am
|
|
||||||
+++ b/rules.d/Makefile.am
|
|
||||||
@@ -23,8 +23,8 @@
|
|
||||||
|
|
||||||
CONFIG_CLEAN_FILES = *.rej *.orig
|
|
||||||
|
|
||||||
-EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \
|
|
||||||
- 30-dracut.rules 30-updaters.rules \
|
|
||||||
+EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \
|
|
||||||
+ 21-updaters.rules 30-patterns.rules \
|
|
||||||
40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \
|
|
||||||
43-known-elf.rules \
|
|
||||||
70-trusted-lang.rules 71-known-python.rules 72-shell.rules \
|
|
||||||
diff --git a/rules.d/README-rules b/rules.d/README-rules
|
|
||||||
index c03c02b..30fcd01 100644
|
|
||||||
--- a/rules.d/README-rules
|
|
||||||
+++ b/rules.d/README-rules
|
|
||||||
@@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are
|
|
||||||
organized into groups with the following meanings:
|
|
||||||
|
|
||||||
10 - macros
|
|
||||||
-20 - patterns
|
|
||||||
-30 - loop holes
|
|
||||||
+20 - loop holes
|
|
||||||
+30 - patterns
|
|
||||||
40 - ELF rules
|
|
||||||
50 - user/group access rules
|
|
||||||
60 - application access rules
|
|
||||||
@@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following:
|
|
||||||
fapolicyd.rules.known-libs
|
|
||||||
--------------------------
|
|
||||||
10-languages.rules
|
|
||||||
-20-patterns.rules
|
|
||||||
-30-dracut.rules
|
|
||||||
-30-updaters.rules
|
|
||||||
+20-dracut.rules
|
|
||||||
+21-updaters.rules
|
|
||||||
+30-patterns.rules
|
|
||||||
40-bad-elf.rules
|
|
||||||
41-shared-obj.rules
|
|
||||||
42-trusted-elf.rules
|
|
||||||
@@ -39,9 +39,9 @@ fapolicyd.rules.known-libs
|
|
||||||
fapolicyd.rules.restrictive
|
|
||||||
---------------------------
|
|
||||||
10-languages.rules
|
|
||||||
-20-patterns.rules
|
|
||||||
-30-dracut.rules
|
|
||||||
-30-updaters.rules
|
|
||||||
+20-dracut.rules
|
|
||||||
+21-updaters.rules
|
|
||||||
+30-patterns.rules
|
|
||||||
40-bad-elf.rules
|
|
||||||
41-shared-obj.rules
|
|
||||||
43-known-elf.rules
|
|
||||||
--
|
|
||||||
2.35.1
|
|
@ -1,6 +1,6 @@
|
|||||||
diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.if b/fapolicyd-selinux-0.4/fapolicyd.if
|
diff -up ./fapolicyd-selinux-0.4/fapolicyd.if.selinux ./fapolicyd-selinux-0.4/fapolicyd.if
|
||||||
--- a/fapolicyd-selinux-0.4/fapolicyd.if 2021-03-23 10:21:31.000000000 +0100
|
--- ./fapolicyd-selinux-0.4/fapolicyd.if.selinux 2021-03-23 10:21:31.000000000 +0100
|
||||||
+++ b/fapolicyd-selinux-0.4/fapolicyd.if 2021-12-14 13:35:17.842430123 +0100
|
+++ ./fapolicyd-selinux-0.4/fapolicyd.if 2022-06-30 10:52:05.112355159 +0200
|
||||||
@@ -2,6 +2,122 @@
|
@@ -2,6 +2,122 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -124,9 +124,9 @@ diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.if b/fapolicyd-selinux-0.4/fa
|
|||||||
## Execute fapolicyd_exec_t in the fapolicyd domain.
|
## Execute fapolicyd_exec_t in the fapolicyd domain.
|
||||||
## </summary>
|
## </summary>
|
||||||
## <param name="domain">
|
## <param name="domain">
|
||||||
diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
|
diff -up ./fapolicyd-selinux-0.4/fapolicyd.te.selinux ./fapolicyd-selinux-0.4/fapolicyd.te
|
||||||
--- a/fapolicyd-selinux-0.4/fapolicyd.te 2021-03-23 10:21:31.000000000 +0100
|
--- ./fapolicyd-selinux-0.4/fapolicyd.te.selinux 2021-03-23 10:21:31.000000000 +0100
|
||||||
+++ b/fapolicyd-selinux-0.4/fapolicyd.te 2021-12-14 13:35:17.842430123 +0100
|
+++ ./fapolicyd-selinux-0.4/fapolicyd.te 2022-06-30 10:53:01.693055971 +0200
|
||||||
@@ -1,5 +1,6 @@
|
@@ -1,5 +1,6 @@
|
||||||
policy_module(fapolicyd, 1.0.0)
|
policy_module(fapolicyd, 1.0.0)
|
||||||
|
|
||||||
@ -134,7 +134,7 @@ diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fa
|
|||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Declarations
|
# Declarations
|
||||||
@@ -36,6 +37,12 @@
|
@@ -36,6 +37,12 @@ allow fapolicyd_t self:process { setcap
|
||||||
allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
|
allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow fapolicyd_t self:unix_dgram_socket create_socket_perms;
|
allow fapolicyd_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
@ -147,9 +147,12 @@ diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fa
|
|||||||
manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
|
manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
|
||||||
logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
|
logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
|
||||||
|
|
||||||
@@ -63,14 +70,20 @@
|
@@ -61,16 +68,22 @@ corecmd_exec_bin(fapolicyd_t)
|
||||||
|
|
||||||
files_mmap_usr_files(fapolicyd_t)
|
domain_read_all_domains_state(fapolicyd_t)
|
||||||
|
|
||||||
|
-files_mmap_usr_files(fapolicyd_t)
|
||||||
|
+files_mmap_all_files(fapolicyd_t)
|
||||||
files_read_all_files(fapolicyd_t)
|
files_read_all_files(fapolicyd_t)
|
||||||
+files_watch_mount_boot_dirs(fapolicyd_t)
|
+files_watch_mount_boot_dirs(fapolicyd_t)
|
||||||
+files_watch_with_perm_boot_dirs(fapolicyd_t)
|
+files_watch_with_perm_boot_dirs(fapolicyd_t)
|
||||||
|
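Review bot: The fapolicyd.te hunk widens `files_mmap_usr_files(fapolicyd_t)` to `files_mmap_all_files(fapolicyd_t)` and adds `domain_read_all_domains_state(fapolicyd_t)` without a comment recording why, and since these grant the daemon map access to every file type and read access to every domain's process state, the reason should be in the policy so a later audit can re-check whether the grant is still needed. The mmap part is visible elsewhere in this commit (get_hash_from_fd2 maps the file it hashes), so a comment such as `# file hashing mmaps the file under check (get_hash_from_fd2); subject lookup reads other domains' process state` above the two lines would do, adjusted to whatever the actual consumer of the domain-state read is, which this patch does not show. The surrounding hunk headers of this section were only re-based from `a/`/`b/` to `./` paths and need no comment.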
141
SOURCES/fapolicyd-sighup.patch
Normal file
141
SOURCES/fapolicyd-sighup.patch
Normal file
@ -0,0 +1,141 @@
|
|||||||
|
diff -up ./src/daemon/fapolicyd.c.sighup ./src/daemon/fapolicyd.c
|
||||||
|
--- ./src/daemon/fapolicyd.c.sighup 2022-06-21 16:55:47.000000000 +0200
|
||||||
|
+++ ./src/daemon/fapolicyd.c 2022-08-04 11:07:10.245069443 +0200
|
||||||
|
@@ -527,6 +527,7 @@ int main(int argc, const char *argv[])
|
||||||
|
while (!stop) {
|
||||||
|
if (hup) {
|
||||||
|
hup = 0;
|
||||||
|
+ msg(LOG_INFO, "Got SIGHUP");
|
||||||
|
reconfigure();
|
||||||
|
}
|
||||||
|
rc = poll(pfd, 2, -1);
|
||||||
|
diff -up ./src/library/database.c.sighup ./src/library/database.c
|
||||||
|
--- ./src/library/database.c.sighup 2022-08-04 11:07:10.237069609 +0200
|
||||||
|
+++ ./src/library/database.c 2022-08-04 11:08:44.852057119 +0200
|
||||||
|
@@ -68,7 +68,7 @@ static int lib_symlink=0, lib64_symlink=
|
||||||
|
static struct pollfd ffd[1] = { {0, 0, 0} };
|
||||||
|
static const char *fifo_path = "/run/fapolicyd/fapolicyd.fifo";
|
||||||
|
static integrity_t integrity;
|
||||||
|
-static atomic_int db_operation;
|
||||||
|
+static atomic_int reload_db = 0;
|
||||||
|
|
||||||
|
static pthread_t update_thread;
|
||||||
|
static pthread_mutex_t update_lock;
|
||||||
|
@@ -1147,7 +1147,31 @@ static int handle_record(const char * bu
|
||||||
|
|
||||||
|
void update_trust_database(void)
|
||||||
|
{
|
||||||
|
- db_operation = RELOAD_DB;
|
||||||
|
+ reload_db = 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void do_reload_db(conf_t* config)
|
||||||
|
+{
|
||||||
|
+ msg(LOG_INFO,"It looks like there was an update of the system... Syncing DB.");
|
||||||
|
+
|
||||||
|
+ int rc;
|
||||||
|
+ backend_close();
|
||||||
|
+ backend_init(config);
|
||||||
|
+ backend_load(config);
|
||||||
|
+
|
||||||
|
+ if ((rc = update_database(config))) {
|
||||||
|
+ msg(LOG_ERR,
|
||||||
|
+ "Cannot update trust database!");
|
||||||
|
+ close(ffd[0].fd);
|
||||||
|
+ backend_close();
|
||||||
|
+ unlink_fifo();
|
||||||
|
+ exit(rc);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ msg(LOG_INFO, "Updated");
|
||||||
|
+
|
||||||
|
+ // Conserve memory
|
||||||
|
+ backend_close();
|
||||||
|
}
|
||||||
|
|
||||||
|
static void *update_thread_main(void *arg)
|
||||||
|
@@ -1158,6 +1182,8 @@ static void *update_thread_main(void *ar
|
||||||
|
char err_buff[BUFFER_SIZE];
|
||||||
|
conf_t *config = (conf_t *)arg;
|
||||||
|
|
||||||
|
+ int do_operation = DB_NO_OP;;
|
||||||
|
+
|
||||||
|
#ifdef DEBUG
|
||||||
|
msg(LOG_DEBUG, "Update thread main started");
|
||||||
|
#endif
|
||||||
|
@@ -1182,6 +1208,12 @@ static void *update_thread_main(void *ar
|
||||||
|
|
||||||
|
rc = poll(ffd, 1, 1000);
|
||||||
|
|
||||||
|
+ // got SIGHUP
|
||||||
|
+ if (reload_db) {
|
||||||
|
+ reload_db = 0;
|
||||||
|
+ do_reload_db(config);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
#ifdef DEBUG
|
||||||
|
msg(LOG_DEBUG, "Update poll interrupted");
|
||||||
|
#endif
|
||||||
|
@@ -1228,17 +1260,17 @@ static void *update_thread_main(void *ar
|
||||||
|
// assume file name
|
||||||
|
// operation = 0
|
||||||
|
if (buff[i] == '/') {
|
||||||
|
- db_operation = ONE_FILE;
|
||||||
|
+ do_operation = ONE_FILE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (buff[i] == '1') {
|
||||||
|
- db_operation = RELOAD_DB;
|
||||||
|
+ do_operation = RELOAD_DB;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (buff[i] == '2') {
|
||||||
|
- db_operation = FLUSH_CACHE;
|
||||||
|
+ do_operation = FLUSH_CACHE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1252,34 +1284,16 @@ static void *update_thread_main(void *ar
|
||||||
|
*end = '\n';
|
||||||
|
|
||||||
|
// got "1" -> reload db
|
||||||
|
- if (db_operation == RELOAD_DB) {
|
||||||
|
- db_operation = DB_NO_OP;
|
||||||
|
- msg(LOG_INFO,
|
||||||
|
- "It looks like there was an update of the system... Syncing DB.");
|
||||||
|
-
|
||||||
|
- backend_close();
|
||||||
|
- backend_init(config);
|
||||||
|
- backend_load(config);
|
||||||
|
-
|
||||||
|
- if ((rc = update_database(config))) {
|
||||||
|
- msg(LOG_ERR,
|
||||||
|
- "Cannot update trust database!");
|
||||||
|
- close(ffd[0].fd);
|
||||||
|
- backend_close();
|
||||||
|
- unlink_fifo();
|
||||||
|
- exit(rc);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- msg(LOG_INFO, "Updated");
|
||||||
|
+ if (do_operation == RELOAD_DB) {
|
||||||
|
+ do_operation = DB_NO_OP;
|
||||||
|
+ do_reload_db(config);
|
||||||
|
|
||||||
|
- // Conserve memory
|
||||||
|
- backend_close();
|
||||||
|
// got "2" -> flush cache
|
||||||
|
- } else if (db_operation == FLUSH_CACHE) {
|
||||||
|
- db_operation = DB_NO_OP;
|
||||||
|
+ } else if (do_operation == FLUSH_CACHE) {
|
||||||
|
+ do_operation = DB_NO_OP;
|
||||||
|
needs_flush = true;
|
||||||
|
- } else if (db_operation == ONE_FILE) {
|
||||||
|
- db_operation = DB_NO_OP;
|
||||||
|
+ } else if (do_operation == ONE_FILE) {
|
||||||
|
+ do_operation = DB_NO_OP;
|
||||||
|
if (handle_record(buff))
|
||||||
|
continue;
|
||||||
|
}
|
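--- a/SOURCES/fapolicyd-user-group-doc.patch
+++ b/SOURCES/fapolicyd-user-group-doc.patch
@@ -0,0 +1,47 @@
+From fb4c274f4857f2d652014b0189abafb1df4b001a Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 19 Jul 2022 12:18:18 -0400
+Subject: [PATCH] Add documentation describing support for user/group names
+
+---
+doc/fapolicyd.rules.5 | 6 +++---
+init/fapolicyd.service | 2 ++
+2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/doc/fapolicyd.rules.5 b/doc/fapolicyd.rules.5
+index aa77177..3b8ec09 100644
+--- a/doc/fapolicyd.rules.5
++++ b/doc/fapolicyd.rules.5
+@@ -35,13 +35,13 @@ The subject is the process that is performing actions on system resources. The f
+This matches against any subject. When used, this must be the only subject in the rule.
+.TP
+.B auid
+-This is the login uid that the audit system assigns users when they log in to the system. Daemons have a value of -1.
++This is the login uid that the audit system assigns users when they log in to the system. Daemons have a value of -1. The given value may be numeric or the account name.
+.TP
+.B uid
+-This is the user id that the program is running under.
++This is the user id that the program is running under. The given value may be numeric or the account name.
+.TP
+.B gid
+-This is the group id that the program is running under.
++This is the group id that the program is running under. The given value may be numeric or the group name.
+.TP
+.B sessionid
+This is the numeric session id that the audit system assigns to users when they log in. Daemons have a value of -1.
+diff --git a/init/fapolicyd.service b/init/fapolicyd.service
+index 715de98..a5a6a3f 100644
+--- a/init/fapolicyd.service
++++ b/init/fapolicyd.service
+@@ -11,6 +11,8 @@ PIDFile=/run/fapolicyd.pid
+ExecStartPre=/usr/sbin/fagenrules
+ExecStart=/usr/sbin/fapolicyd
+Restart=on-abnormal
++# Uncomment the following line if rules need user/group name lookup
++#After=nss-user-lookup.target
+
+[Install]
+WantedBy=multi-user.target
+--
+2.37.1
+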
@ -4,8 +4,8 @@
|
|||||||
|
|
||||||
Summary: Application Whitelisting Daemon
|
Summary: Application Whitelisting Daemon
|
||||||
Name: fapolicyd
|
Name: fapolicyd
|
||||||
Version: 1.1
|
Version: 1.1.3
|
||||||
Release: 103%{?dist}.1
|
Release: 102%{?dist}
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
URL: http://people.redhat.com/sgrubb/fapolicyd
|
URL: http://people.redhat.com/sgrubb/fapolicyd
|
||||||
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
|
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
|
||||||
@ -15,7 +15,7 @@ Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/
|
|||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
BuildRequires: kernel-headers
|
BuildRequires: kernel-headers
|
||||||
BuildRequires: autoconf automake make gcc libtool
|
BuildRequires: autoconf automake make gcc libtool
|
||||||
BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
|
BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file
|
||||||
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
|
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
|
|
||||||
@ -32,12 +32,13 @@ Requires(postun): systemd-units
|
|||||||
|
|
||||||
Patch1: fapolicyd-uthash-bundle.patch
|
Patch1: fapolicyd-uthash-bundle.patch
|
||||||
Patch2: fapolicyd-selinux.patch
|
Patch2: fapolicyd-selinux.patch
|
||||||
Patch3: fapolicyd-reorder-rules.patch
|
Patch3: fagenrules-group.patch
|
||||||
Patch4: fagenrules-group.patch
|
Patch4: fapolicyd-fgets-update-thread.patch
|
||||||
# 2069120 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.6.0]
|
Patch5: fapolicyd-openssl.patch
|
||||||
Patch5: fapolicyd-1.1.1-ld_so.patch
|
Patch6: fapolicyd-user-group-doc.patch
|
||||||
# 2097734 - Faulty handling of static applications [rhel-9.0.0.z]
|
Patch7: fapolicyd-cli-segfault.patch
|
||||||
Patch6: fapolicyd-1.1.1-static.patch
|
Patch8: fapolicyd-sighup.patch
|
||||||
|
Patch9: fapolicyd-readme.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Fapolicyd (File Access Policy Daemon) implements application whitelisting
|
Fapolicyd (File Access Policy Daemon) implements application whitelisting
|
||||||
@ -57,19 +58,6 @@ BuildArch: noarch
|
|||||||
%description selinux
|
%description selinux
|
||||||
The %{name}-selinux package contains selinux policy for the %{name} daemon.
|
The %{name}-selinux package contains selinux policy for the %{name} daemon.
|
||||||
|
|
||||||
%package dnf-plugin
|
|
||||||
Summary: Fapolicyd dnf plugin
|
|
||||||
Group: Applications/System
|
|
||||||
Requires: %{name} = %{version}-%{release}
|
|
||||||
BuildArch: noarch
|
|
||||||
Provides: %{name}-plugin
|
|
||||||
|
|
||||||
%description dnf-plugin
|
|
||||||
The %{name}-dnf-plugin notifies %{name} daemon about dnf update.
|
|
||||||
The dnf plugin will be replaced with rpm plugin later.
|
|
||||||
Don't use dnf and rpm plugin together.
|
|
||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
|
|
||||||
%setup -q
|
%setup -q
|
||||||
@ -84,10 +72,13 @@ Don't use dnf and rpm plugin together.
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%patch2 -p1 -b .selinux
|
%patch2 -p1 -b .selinux
|
||||||
%patch3 -p1 -b .reorder
|
%patch3 -p1 -b .group
|
||||||
%patch4 -p1 -b .group
|
%patch4 -p1 -b .update-thread
|
||||||
%patch5 -p1 -b .ld_so
|
%patch5 -p1 -b .openssl
|
||||||
%patch6 -p1 -b .static
|
%patch6 -p1 -b .user-group-doc
|
||||||
|
%patch7 -p1 -b .cli-segfault
|
||||||
|
%patch8 -p1 -b .sighup
|
||||||
|
%patch9 -p1 -b .readme
|
||||||
|
|
||||||
# generate rules for python
|
# generate rules for python
|
||||||
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
|
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
|
||||||
@ -124,8 +115,6 @@ make check
|
|||||||
|
|
||||||
%install
|
%install
|
||||||
%make_install
|
%make_install
|
||||||
mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
|
|
||||||
install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
|
|
||||||
install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
|
install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
|
||||||
mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
|
mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
|
||||||
mkdir -p %{buildroot}/run/%{name}
|
mkdir -p %{buildroot}/run/%{name}
|
||||||
@ -206,7 +195,7 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
|
|||||||
# restore correct label
|
# restore correct label
|
||||||
/usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
|
/usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
|
||||||
fi
|
fi
|
||||||
fagenrules > /dev/null 2>&1
|
fagenrules >/dev/null
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
%systemd_post %{name}.service
|
%systemd_post %{name}.service
|
||||||
@ -273,26 +262,37 @@ fi
|
|||||||
%posttrans selinux
|
%posttrans selinux
|
||||||
%selinux_relabel_post -s %{selinuxtype}
|
%selinux_relabel_post -s %{selinuxtype}
|
||||||
|
|
||||||
%files dnf-plugin
|
|
||||||
%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
|
|
||||||
%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
|
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Thu Jun 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-103-1
|
* Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-102
|
||||||
RHEL 9.0.Z ERRATUM
|
RHEL 9.1.0 ERRATUM
|
||||||
- Faulty handling of static applications
|
- rebase fapolicyd to the latest stable vesion
|
||||||
Resolves: rhbz#2097734
|
Resolves: rhbz#2100041
|
||||||
|
- fapolicyd gets way too easily killed by OOM killer
|
||||||
|
Resolves: rhbz#2097385
|
||||||
|
- fapolicyd does not correctly handle SIGHUP
|
||||||
|
Resolves: rhbz#2070655
|
||||||
|
- Introduce ppid rule attribute
|
||||||
|
Resolves: rhbz#2102558
|
||||||
|
- fapolicyd often breaks package updates
|
||||||
|
Resolves: rhbz#2111244
|
||||||
|
- drop libgcrypt in favour of openssl
|
||||||
|
Resolves: rhbz#2111938
|
||||||
|
- Remove dnf plugin
|
||||||
|
Resolves: rhbz#2113959
|
||||||
|
- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works
|
||||||
|
Resolves: rhbz#2115849
|
||||||
|
|
||||||
* Wed Apr 06 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-103
|
* Thu Jun 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-104
|
||||||
RHEL 9.0.0 ERRATUM
|
RHEL 9.1.0 ERRATUM
|
||||||
- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path
|
- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path
|
||||||
Resolves: rhbz#2069122
|
Resolves: rhbz#2069123
|
||||||
|
- Faulty handling of static applications
|
||||||
|
Resolves: rhbz#2096457
|
||||||
|
|
||||||
* Sun Apr 3 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-101
|
* Sun Apr 3 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-101
|
||||||
RHEL 9.0.0 ERRATUM
|
RHEL 9.1.0 ERRATUM
|
||||||
- fapolicyd denies access to /usr/lib64/ld-2.28.so
|
- fapolicyd denies access to /usr/lib64/ld-2.28.so
|
||||||
Resolves: rhbz#2066904
|
Resolves: rhbz#2067493
|
||||||
|
|
||||||
* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-100
|
* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-100
|
||||||
RHEL 9.0.0 ERRATUM
|
RHEL 9.0.0 ERRATUM