rpms/fapolicyd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import fapolicyd-1.1.3-102.el9

Browse Source
This commit is contained in:
CentOS Sources 2022-11-15 01:54:08 -05:00 committed by Stepan Oksanichenko
parent 24927c172e
commit dae0fc63cd
13 changed files with 696 additions and 209 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.fapolicyd.metadata
View File

@ -1,3 +1,3 @@
1fa6cf3f0a15bbef745438c1ba7b685ebf7e75f1 SOURCES/fapolicyd-1.1.tar.gz
3887d3f97a4f506ad6bf7dcef36b01cc7897a692 SOURCES/fapolicyd-1.1.3.tar.gz
bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz
fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz

2
.gitignore vendored
View File

@ -1,3 +1,3 @@
SOURCES/fapolicyd-1.1.tar.gz
SOURCES/fapolicyd-1.1.3.tar.gz
SOURCES/fapolicyd-selinux-0.4.tar.gz
SOURCES/uthash-2.3.0.tar.gz

27
SOURCES/fapolicyd-1.1.1-ld_so.patch
View File

@ -1,27 +0,0 @@
diff -urp fapolicyd-1.1.1.orig/fapolicyd.spec fapolicyd-1.1.1/fapolicyd.spec
--- fapolicyd-1.1.1.orig/fapolicyd.spec 2022-01-28 15:17:55.000000000 -0500
+++ fapolicyd-1.1.1/fapolicyd.spec 2022-01-28 15:19:31.594155397 -0500
@@ -30,7 +30,7 @@ makes use of the kernel's fanotify inter
# generate rules for python
sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
-sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+sed -i "s/%ld_so_path%/`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
%build
%configure \
diff -urp fapolicyd-1.1.1.orig/m4/dyn_linker.m4 fapolicyd-1.1.1/m4/dyn_linker.m4
--- fapolicyd-1.1.1.orig/m4/dyn_linker.m4 2022-01-28 15:17:55.000000000 -0500
+++ fapolicyd-1.1.1/m4/dyn_linker.m4 2022-01-28 15:20:02.048609672 -0500
@@ -1,6 +1,10 @@
AC_DEFUN([LD_SO_PATH],
[
- xpath=`realpath /usr/lib64/ld-2.*.so`
+ xpath1=`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev`
+ xpath=`realpath $xpath1`
+ if test ! -f "$xpath" ; then
+ AC_MSG_ERROR([Cant find the dynamic linker])
+ fi
echo "dynamic linker is.....$xpath"
AC_DEFINE_UNQUOTED(SYSTEM_LD_SO, ["$xpath"], [dynamic linker])
])

19
SOURCES/fapolicyd-1.1.1-static.patch
View File

@ -1,19 +0,0 @@
diff -urp fapolicyd-1.1.1.orig/src/library/event.c fapolicyd-1.1.1/src/library/event.c
--- fapolicyd-1.1.1.orig/src/library/event.c 2022-01-28 15:23:58.000000000 -0500
+++ fapolicyd-1.1.1/src/library/event.c 2022-01-30 20:11:05.516785465 -0500
@@ -140,7 +140,14 @@ int new_event(const struct fanotify_even
// We need to reset everything now that execve has finished
if (s->info->state == STATE_STATIC_PARTIAL && !rc) {
- s->info->state = STATE_STATIC;
+ // If the static app itself launches an app right
+ // away, go back to collecting.
+ if (e->type & FAN_OPEN_EXEC_PERM)
+ s->info->state = STATE_COLLECTING;
+ else {
+ s->info->state = STATE_STATIC;
+ skip_path = 1;
+ }
evict = 0;
skip_path = 1;
subject_reset(s, EXE);

11
SOURCES/fapolicyd-cli-segfault.patch Normal file
View File

@ -0,0 +1,11 @@
diff -up ./src/cli/fapolicyd-cli.c.segfault ./src/cli/fapolicyd-cli.c
--- ./src/cli/fapolicyd-cli.c.segfault 2022-08-03 17:51:54.903081124 +0200
+++ ./src/cli/fapolicyd-cli.c 2022-08-03 17:55:18.256458750 +0200
@@ -77,6 +77,7 @@ static struct option long_opts[] =
{"ftype", 1, NULL, 't'},
{"list", 0, NULL, 'l'},
{"update", 0, NULL, 'u'},
+ {NULL, 0, NULL, 0 }
};
static const char *_pipe = "/run/fapolicyd/fapolicyd.fifo";

215
SOURCES/fapolicyd-fgets-update-thread.patch Normal file
View File

@ -0,0 +1,215 @@
diff -up ./src/cli/fapolicyd-cli.c.upgrade-thread ./src/cli/fapolicyd-cli.c
--- ./src/cli/fapolicyd-cli.c.upgrade-thread 2022-08-03 18:00:02.374999369 +0200
+++ ./src/cli/fapolicyd-cli.c 2022-08-03 18:00:09.802830497 +0200
@@ -482,7 +482,7 @@ static int do_update(void)
}
}
- ssize_t ret = write(fd, "1", 2);
+ ssize_t ret = write(fd, "1\n", 3);
if (ret == -1) {
fprintf(stderr, "Write: %s -> %s\n", _pipe, strerror(errno));
diff -up ./src/library/database.c.upgrade-thread ./src/library/database.c
--- ./src/library/database.c.upgrade-thread 2022-06-21 16:55:47.000000000 +0200
+++ ./src/library/database.c 2022-08-03 17:58:04.034689808 +0200
@@ -34,6 +34,7 @@
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
+#include <ctype.h>
#include <gcrypt.h>
#include <signal.h>
#include <sys/stat.h>
@@ -43,6 +44,7 @@
#include "message.h"
#include "llist.h"
#include "file.h"
+#include "fd-fgets.h"
#include "fapolicyd-backend.h"
#include "backend-manager.h"
@@ -1181,6 +1183,7 @@ static void *update_thread_main(void *ar
return NULL;
}
+ fcntl(ffd[0].fd, F_SETFL, O_NONBLOCK);
ffd[0].events = POLLIN;
while (!stop) {
@@ -1200,97 +1203,102 @@ static void *update_thread_main(void *ar
} else {
msg(LOG_ERR, "Update poll error (%s)",
strerror_r(errno, err_buff, BUFFER_SIZE));
- goto err_out;
+ goto finalize;
}
} else if (rc == 0) {
#ifdef DEBUG
msg(LOG_DEBUG, "Update poll timeout expired");
#endif
- if (db_operation != DB_NO_OP)
- goto handle_db_ops;
continue;
} else {
if (ffd[0].revents & POLLIN) {
- ssize_t count = read(ffd[0].fd, buff,
- BUFFER_SIZE-1);
- if (count == -1) {
- msg(LOG_ERR,
- "Failed to read from a pipe %s (%s)",
- fifo_path,
- strerror_r(errno, err_buff,
- BUFFER_SIZE));
- goto err_out;
- }
+ do {
+ fd_fgets_rewind();
+ int res = fd_fgets(buff, sizeof(buff), ffd[0].fd);
- if (count == 0) {
-#ifdef DEBUG
- msg(LOG_DEBUG,
- "Buffer contains zero bytes!");
-#endif
- continue;
- } else // Manually terminate buff
- buff[count] = 0;
-#ifdef DEBUG
- msg(LOG_DEBUG, "Buffer contains: \"%s\"", buff);
-#endif
- for (int i = 0 ; i < count ; i++) {
- // assume file name
- // operation = 0
- if (buff[i] == '/') {
- db_operation = ONE_FILE;
+ // nothing to read
+ if (res == -1)
break;
- }
+ else if (res > 0) {
+ char* end = strchr(buff, '\n');
- if (buff[i] == '1') {
- db_operation = RELOAD_DB;
- break;
+ if (end == NULL) {
+ msg(LOG_ERR, "Too long line?");
+ continue;
+ }
+
+ int count = end - buff;
+
+ *end = '\0';
+
+ for (int i = 0 ; i < count ; i++) {
+ // assume file name
+ // operation = 0
+ if (buff[i] == '/') {
+ db_operation = ONE_FILE;
+ break;
+ }
+
+ if (buff[i] == '1') {
+ db_operation = RELOAD_DB;
+ break;
+ }
+
+ if (buff[i] == '2') {
+ db_operation = FLUSH_CACHE;
+ break;
+ }
+
+ if (isspace(buff[i]))
+ continue;
+
+ msg(LOG_ERR, "Cannot handle data \"%s\" from pipe", buff);
+ break;
+ }
+
+ *end = '\n';
+
+ // got "1" -> reload db
+ if (db_operation == RELOAD_DB) {
+ db_operation = DB_NO_OP;
+ msg(LOG_INFO,
+ "It looks like there was an update of the system... Syncing DB.");
+
+ backend_close();
+ backend_init(config);
+ backend_load(config);
+
+ if ((rc = update_database(config))) {
+ msg(LOG_ERR,
+ "Cannot update trust database!");
+ close(ffd[0].fd);
+ backend_close();
+ unlink_fifo();
+ exit(rc);
+ }
+
+ msg(LOG_INFO, "Updated");
+
+ // Conserve memory
+ backend_close();
+ // got "2" -> flush cache
+ } else if (db_operation == FLUSH_CACHE) {
+ db_operation = DB_NO_OP;
+ needs_flush = true;
+ } else if (db_operation == ONE_FILE) {
+ db_operation = DB_NO_OP;
+ if (handle_record(buff))
+ continue;
+ }
}
- if (buff[i] == '2') {
- db_operation = FLUSH_CACHE;
- break;
- }
- }
-
-handle_db_ops:
- // got "1" -> reload db
- if (db_operation == RELOAD_DB) {
- db_operation = DB_NO_OP;
- msg(LOG_INFO,
- "It looks like there was an update of the system... Syncing DB.");
-
- backend_close();
- backend_init(config);
- backend_load(config);
-
- if ((rc = update_database(config))) {
- msg(LOG_ERR,
- "Cannot update trust database!");
- close(ffd[0].fd);
- backend_close();
- unlink_fifo();
- exit(rc);
- } else
- msg(LOG_INFO, "Updated");
-
- // Conserve memory
- backend_close();
- // got "2" -> flush cache
- } else if (db_operation == FLUSH_CACHE) {
- db_operation = DB_NO_OP;
- needs_flush = true;
- } else if (db_operation == ONE_FILE) {
- db_operation = DB_NO_OP;
- if (handle_record(buff))
- continue;
- }
+ } while(!fd_fgets_eof());
}
}
-
}
-err_out:
+finalize:
close(ffd[0].fd);
unlink_fifo();

195
SOURCES/fapolicyd-openssl.patch Normal file
View File

@ -0,0 +1,195 @@
diff -up ./BUILD.md.openssl ./BUILD.md
--- ./BUILD.md.openssl 2022-06-21 16:55:47.000000000 +0200
+++ ./BUILD.md 2022-08-02 14:10:48.092466542 +0200
@@ -16,7 +16,8 @@ BUILD-TIME DEPENDENCIES (fedora and RHEL
* libudev-devel
* kernel-headers
* systemd-devel
-* libgcrypt-devel
+* libgcrypt-devel ( <= fapolicyd-1.1.3)
+* openssl ( >= fapolicyd-1.1.4)
* rpm-devel (optional)
* file
* file-devel
diff -U0 ./ChangeLog.openssl ./ChangeLog
diff -up ./configure.ac.openssl ./configure.ac
--- ./configure.ac.openssl 2022-06-21 16:55:47.000000000 +0200
+++ ./configure.ac 2022-08-02 14:10:48.092466542 +0200
@@ -87,7 +87,7 @@ AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERRO
echo .
echo Checking for required libraries
AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
-AC_CHECK_LIB(gcrypt, gcry_md_open, , [AC_MSG_ERROR([libgcrypt not found])], -lgcrypt)
+AC_CHECK_LIB(crypto, SHA256, , [AC_MSG_ERROR([openssl libcrypto not found])], -lcrypto)
AC_CHECK_LIB(magic, magic_descriptor, , [AC_MSG_ERROR([libmagic not found])], -lmagic)
AC_CHECK_LIB(cap-ng, capng_change_id, , [AC_MSG_ERROR([libcap-ng not found])], -lcap-ng)
AC_CHECK_LIB(seccomp, seccomp_rule_add, , [AC_MSG_ERROR([libseccomp not found])], -lseccomp)
diff -up ./fapolicyd.spec.openssl ./fapolicyd.spec
--- ./fapolicyd.spec.openssl 2022-06-21 16:55:47.000000000 +0200
+++ ./fapolicyd.spec 2022-08-02 14:10:48.092466542 +0200
@@ -8,7 +8,7 @@ Source0: https://people.redhat.com/sgrub
BuildRequires: gcc
BuildRequires: kernel-headers
BuildRequires: autoconf automake make gcc libtool
-BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
+BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
BuildRequires: python3-devel
BuildRequires: uthash-devel
diff -up ./src/cli/fapolicyd-cli.c.openssl ./src/cli/fapolicyd-cli.c
--- ./src/cli/fapolicyd-cli.c.openssl 2022-06-21 16:55:47.000000000 +0200
+++ ./src/cli/fapolicyd-cli.c 2022-08-02 14:10:48.093466520 +0200
@@ -39,7 +39,6 @@
#include <stdatomic.h>
#include <lmdb.h>
#include <limits.h>
-#include <gcrypt.h>
#include "policy.h"
#include "database.h"
#include "file-cli.h"
@@ -670,11 +669,6 @@ static int check_trustdb(void)
if (rc)
return 1;
- // Initialize libgcrypt
- gcry_check_version(NULL);
- gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
-
do {
unsigned int tsource; // unused
off_t size;
diff -up ./src/library/database.c.openssl ./src/library/database.c
--- ./src/library/database.c.openssl 2022-08-02 14:10:48.090466587 +0200
+++ ./src/library/database.c 2022-08-02 14:13:11.995236110 +0200
@@ -35,7 +35,7 @@
#include <unistd.h>
#include <fcntl.h>
#include <ctype.h>
-#include <gcrypt.h>
+#include <openssl/sha.h>
#include <signal.h>
#include <sys/stat.h>
#include <sys/types.h>
@@ -244,26 +244,18 @@ static void abort_transaction(MDB_txn *t
static char *path_to_hash(const char *path, const size_t path_len) MALLOCLIKE;
static char *path_to_hash(const char *path, const size_t path_len)
{
- gcry_md_hd_t h;
- unsigned int len;
- unsigned char *hptr;
+ unsigned char hptr[80];
char *digest;
- if (gcry_md_open(&h, GCRY_MD_SHA512, GCRY_MD_FLAG_SECURE))
+ if (path_len == 0)
return NULL;
- gcry_md_write(h, path, path_len);
- hptr = gcry_md_read(h, GCRY_MD_SHA512);
-
- len = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * sizeof(char);
- digest = malloc((2 * len) + 1);
- if (digest == NULL) {
- gcry_md_close(h);
+ SHA512((unsigned char *)path, path_len, (unsigned char *)&hptr);
+ digest = malloc((SHA512_LEN * 2) + 1);
+ if (digest == NULL)
return digest;
- }
- bytes2hex(digest, hptr, len);
- gcry_md_close(h);
+ bytes2hex(digest, hptr, SHA512_LEN);
return digest;
}
@@ -296,7 +288,7 @@ static int write_db(const char *idx, con
if (hash == NULL)
return 5;
key.mv_data = (void *)hash;
- key.mv_size = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * 2 + 1;
+ key.mv_size = (SHA512_LEN * 2) + 1;
} else {
key.mv_data = (void *)idx;
key.mv_size = len;
@@ -416,7 +408,7 @@ static char *lt_read_db(const char *inde
if (hash == NULL)
return NULL;
key.mv_data = (void *)hash;
- key.mv_size = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * 2 + 1;
+ key.mv_size = (SHA512_LEN * 2) + 1;
} else {
key.mv_data = (void *)index;
key.mv_size = len;
diff -up ./src/library/file.c.openssl ./src/library/file.c
--- ./src/library/file.c.openssl 2022-06-21 16:55:47.000000000 +0200
+++ ./src/library/file.c 2022-08-02 14:10:48.094466497 +0200
@@ -31,7 +31,7 @@
#include <sys/stat.h>
#include <string.h>
#include <stdlib.h>
-#include <gcrypt.h>
+#include <openssl/sha.h>
#include <magic.h>
#include <libudev.h>
#include <elf.h>
@@ -51,7 +51,6 @@ static struct udev *udev;
magic_t magic_cookie;
struct cache { dev_t device; const char *devname; };
static struct cache c = { 0, NULL };
-static size_t hash_size = 32; // init so cli doesn't need to call file_init
// readelf -l path-to-app | grep 'Requesting' | cut -d':' -f2 | tr -d ' ]';
static const char *interpreters[] = {
@@ -96,12 +95,6 @@ void file_init(void)
msg(LOG_ERR, "Unable to load magic database");
exit(1);
}
-
- // Initialize libgcrypt
- gcry_check_version(NULL);
- gcry_control(GCRYCTL_DISABLE_SECMEM, 0);
- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
- hash_size = gcry_md_get_algo_dlen(GCRY_MD_SHA256) * sizeof(char);
}
@@ -445,12 +438,12 @@ char *get_hash_from_fd2(int fd, size_t s
if (mapped != MAP_FAILED) {
unsigned char hptr[40];
- gcry_md_hash_buffer(GCRY_MD_SHA256, &hptr, mapped, size);
+ SHA256(mapped, size, (unsigned char *)&hptr);
munmap(mapped, size);
- digest = malloc(65);
+ digest = malloc((SHA256_LEN * 2) + 1);
// Convert to ASCII string
- bytes2hex(digest, hptr, hash_size);
+ bytes2hex(digest, hptr, SHA256_LEN);
}
return digest;
}
@@ -476,7 +469,7 @@ int get_ima_hash(int fd, char *sha)
}
// Looks like it what we want...
- bytes2hex(sha, &tmp[2], 32);
+ bytes2hex(sha, &tmp[2], SHA256_LEN);
return 1;
}
diff -up ./src/library/file.h.openssl ./src/library/file.h
--- ./src/library/file.h.openssl 2022-06-21 16:55:47.000000000 +0200
+++ ./src/library/file.h 2022-08-02 14:10:48.094466497 +0200
@@ -40,6 +40,9 @@ struct file_info
struct timespec time;
};
+#define SHA256_LEN 32
+#define SHA512_LEN 64
+
void file_init(void);
void file_close(void);
struct file_info *stat_file_entry(int fd) MALLOCLIKE;

30
SOURCES/fapolicyd-readme.patch Normal file
View File

@ -0,0 +1,30 @@
From b4618d133f473b9bbc36f2a5e94b8b0f257ba3e0 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Fri, 5 Aug 2022 14:49:30 +0200
Subject: [PATCH] Add mention that using of names requires name resolution
- using of user and group names as uid and gid attributes
requires correct name resolution
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
README.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/README.md b/README.md
index d932e00..abc5eee 100644
--- a/README.md
+++ b/README.md
@@ -131,6 +131,12 @@ You can similarly do this for trusted users that have to execute things in
the home dir. You can create a trusted_user group, add them the group,
and then write a rule allowing them to execute from their home dir.
+When you want to use user or group name (as a string). You have to guarantee
+that these names were correctly resolved. In case of systemd, you need to add
+a new after target 'After=nss-user-lookup.target'.
+To achieve that you can use `systemctl edit --full fapolicyd`,
+uncomment the respective line and save the change.
+
```
allow perm=any gid=trusted_user : ftype=%languages dir=/home
deny_audit perm=any all : ftype=%languages dir=/home

109
SOURCES/fapolicyd-reorder-rules.patch
View File

@ -1,109 +0,0 @@
From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Thu, 24 Mar 2022 09:59:05 +0100
Subject: [PATCH] Reorder loop holes with patterns in rules.d
- this keeps backwards compatibility with older wersions of rules
- the ld_so pattern was applied to root
- it caused problems with running ldd as root(previously unrestricted)
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
fapolicyd.spec | 6 +++---
rules.d/{30-dracut.rules => 20-dracut.rules} | 0
rules.d/{30-updaters.rules => 21-updaters.rules} | 0
rules.d/{20-patterns.rules => 30-patterns.rules} | 0
rules.d/Makefile.am | 4 ++--
rules.d/README-rules | 16 ++++++++--------
6 files changed, 13 insertions(+), 13 deletions(-)
rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%)
rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%)
rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%)
diff --git a/fapolicyd.spec b/fapolicyd.spec
index c2aae21..261b780 100644
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@@ -66,9 +66,9 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
if [ "$files" -eq 0 ] ; then
## Install the known libs policy
cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/
-cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/
+cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/
cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/
diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules
similarity index 100%
rename from rules.d/30-dracut.rules
rename to rules.d/20-dracut.rules
diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules
similarity index 100%
rename from rules.d/30-updaters.rules
rename to rules.d/21-updaters.rules
diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules
similarity index 100%
rename from rules.d/20-patterns.rules
rename to rules.d/30-patterns.rules
diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am
index 76b5377..9bb61a7 100644
--- a/rules.d/Makefile.am
+++ b/rules.d/Makefile.am
@@ -23,8 +23,8 @@
CONFIG_CLEAN_FILES = *.rej *.orig
-EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \
- 30-dracut.rules 30-updaters.rules \
+EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \
+ 21-updaters.rules 30-patterns.rules \
40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \
43-known-elf.rules \
70-trusted-lang.rules 71-known-python.rules 72-shell.rules \
diff --git a/rules.d/README-rules b/rules.d/README-rules
index c03c02b..30fcd01 100644
--- a/rules.d/README-rules
+++ b/rules.d/README-rules
@@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are
organized into groups with the following meanings:
10 - macros
-20 - patterns
-30 - loop holes
+20 - loop holes
+30 - patterns
40 - ELF rules
50 - user/group access rules
60 - application access rules
@@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following:
fapolicyd.rules.known-libs
--------------------------
10-languages.rules
-20-patterns.rules
-30-dracut.rules
-30-updaters.rules
+20-dracut.rules
+21-updaters.rules
+30-patterns.rules
40-bad-elf.rules
41-shared-obj.rules
42-trusted-elf.rules
@@ -39,9 +39,9 @@ fapolicyd.rules.known-libs
fapolicyd.rules.restrictive
---------------------------
10-languages.rules
-20-patterns.rules
-30-dracut.rules
-30-updaters.rules
+20-dracut.rules
+21-updaters.rules
+30-patterns.rules
40-bad-elf.rules
41-shared-obj.rules
43-known-elf.rules
--
2.35.1

21
SOURCES/fapolicyd-selinux.patch
View File

@ -1,6 +1,6 @@
diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.if b/fapolicyd-selinux-0.4/fapolicyd.if
--- a/fapolicyd-selinux-0.4/fapolicyd.if 2021-03-23 10:21:31.000000000 +0100
+++ b/fapolicyd-selinux-0.4/fapolicyd.if 2021-12-14 13:35:17.842430123 +0100
diff -up ./fapolicyd-selinux-0.4/fapolicyd.if.selinux ./fapolicyd-selinux-0.4/fapolicyd.if
--- ./fapolicyd-selinux-0.4/fapolicyd.if.selinux 2021-03-23 10:21:31.000000000 +0100
+++ ./fapolicyd-selinux-0.4/fapolicyd.if 2022-06-30 10:52:05.112355159 +0200
@@ -2,6 +2,122 @@
########################################
@ -124,9 +124,9 @@ diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.if b/fapolicyd-selinux-0.4/fa
## Execute fapolicyd_exec_t in the fapolicyd domain.
## </summary>
## <param name="domain">
diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
--- a/fapolicyd-selinux-0.4/fapolicyd.te 2021-03-23 10:21:31.000000000 +0100
+++ b/fapolicyd-selinux-0.4/fapolicyd.te 2021-12-14 13:35:17.842430123 +0100
diff -up ./fapolicyd-selinux-0.4/fapolicyd.te.selinux ./fapolicyd-selinux-0.4/fapolicyd.te
--- ./fapolicyd-selinux-0.4/fapolicyd.te.selinux 2021-03-23 10:21:31.000000000 +0100
+++ ./fapolicyd-selinux-0.4/fapolicyd.te 2022-06-30 10:53:01.693055971 +0200
@@ -1,5 +1,6 @@
policy_module(fapolicyd, 1.0.0)
@ -134,7 +134,7 @@ diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fa
########################################
#
# Declarations
@@ -36,6 +37,12 @@
@@ -36,6 +37,12 @@ allow fapolicyd_t self:process { setcap
allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
allow fapolicyd_t self:unix_dgram_socket create_socket_perms;
@ -147,9 +147,12 @@ diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fa
manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
@@ -63,14 +70,20 @@
@@ -61,16 +68,22 @@ corecmd_exec_bin(fapolicyd_t)
files_mmap_usr_files(fapolicyd_t)
domain_read_all_domains_state(fapolicyd_t)
-files_mmap_usr_files(fapolicyd_t)
+files_mmap_all_files(fapolicyd_t)
files_read_all_files(fapolicyd_t)
+files_watch_mount_boot_dirs(fapolicyd_t)
+files_watch_with_perm_boot_dirs(fapolicyd_t)

141
SOURCES/fapolicyd-sighup.patch Normal file
View File

@ -0,0 +1,141 @@
diff -up ./src/daemon/fapolicyd.c.sighup ./src/daemon/fapolicyd.c
--- ./src/daemon/fapolicyd.c.sighup 2022-06-21 16:55:47.000000000 +0200
+++ ./src/daemon/fapolicyd.c 2022-08-04 11:07:10.245069443 +0200
@@ -527,6 +527,7 @@ int main(int argc, const char *argv[])
while (!stop) {
if (hup) {
hup = 0;
+ msg(LOG_INFO, "Got SIGHUP");
reconfigure();
}
rc = poll(pfd, 2, -1);
diff -up ./src/library/database.c.sighup ./src/library/database.c
--- ./src/library/database.c.sighup 2022-08-04 11:07:10.237069609 +0200
+++ ./src/library/database.c 2022-08-04 11:08:44.852057119 +0200
@@ -68,7 +68,7 @@ static int lib_symlink=0, lib64_symlink=
static struct pollfd ffd[1] = { {0, 0, 0} };
static const char *fifo_path = "/run/fapolicyd/fapolicyd.fifo";
static integrity_t integrity;
-static atomic_int db_operation;
+static atomic_int reload_db = 0;
static pthread_t update_thread;
static pthread_mutex_t update_lock;
@@ -1147,7 +1147,31 @@ static int handle_record(const char * bu
void update_trust_database(void)
{
- db_operation = RELOAD_DB;
+ reload_db = 1;
+}
+
+static void do_reload_db(conf_t* config)
+{
+ msg(LOG_INFO,"It looks like there was an update of the system... Syncing DB.");
+
+ int rc;
+ backend_close();
+ backend_init(config);
+ backend_load(config);
+
+ if ((rc = update_database(config))) {
+ msg(LOG_ERR,
+ "Cannot update trust database!");
+ close(ffd[0].fd);
+ backend_close();
+ unlink_fifo();
+ exit(rc);
+ }
+
+ msg(LOG_INFO, "Updated");
+
+ // Conserve memory
+ backend_close();
}
static void *update_thread_main(void *arg)
@@ -1158,6 +1182,8 @@ static void *update_thread_main(void *ar
char err_buff[BUFFER_SIZE];
conf_t *config = (conf_t *)arg;
+ int do_operation = DB_NO_OP;;
+
#ifdef DEBUG
msg(LOG_DEBUG, "Update thread main started");
#endif
@@ -1182,6 +1208,12 @@ static void *update_thread_main(void *ar
rc = poll(ffd, 1, 1000);
+ // got SIGHUP
+ if (reload_db) {
+ reload_db = 0;
+ do_reload_db(config);
+ }
+
#ifdef DEBUG
msg(LOG_DEBUG, "Update poll interrupted");
#endif
@@ -1228,17 +1260,17 @@ static void *update_thread_main(void *ar
// assume file name
// operation = 0
if (buff[i] == '/') {
- db_operation = ONE_FILE;
+ do_operation = ONE_FILE;
break;
}
if (buff[i] == '1') {
- db_operation = RELOAD_DB;
+ do_operation = RELOAD_DB;
break;
}
if (buff[i] == '2') {
- db_operation = FLUSH_CACHE;
+ do_operation = FLUSH_CACHE;
break;
}
@@ -1252,34 +1284,16 @@ static void *update_thread_main(void *ar
*end = '\n';
// got "1" -> reload db
- if (db_operation == RELOAD_DB) {
- db_operation = DB_NO_OP;
- msg(LOG_INFO,
- "It looks like there was an update of the system... Syncing DB.");
-
- backend_close();
- backend_init(config);
- backend_load(config);
-
- if ((rc = update_database(config))) {
- msg(LOG_ERR,
- "Cannot update trust database!");
- close(ffd[0].fd);
- backend_close();
- unlink_fifo();
- exit(rc);
- }
-
- msg(LOG_INFO, "Updated");
+ if (do_operation == RELOAD_DB) {
+ do_operation = DB_NO_OP;
+ do_reload_db(config);
- // Conserve memory
- backend_close();
// got "2" -> flush cache
- } else if (db_operation == FLUSH_CACHE) {
- db_operation = DB_NO_OP;
+ } else if (do_operation == FLUSH_CACHE) {
+ do_operation = DB_NO_OP;
needs_flush = true;
- } else if (db_operation == ONE_FILE) {
- db_operation = DB_NO_OP;
+ } else if (do_operation == ONE_FILE) {
+ do_operation = DB_NO_OP;
if (handle_record(buff))
continue;
}

47
SOURCES/fapolicyd-user-group-doc.patch Normal file
View File

@ -0,0 +1,47 @@
From fb4c274f4857f2d652014b0189abafb1df4b001a Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Tue, 19 Jul 2022 12:18:18 -0400
Subject: [PATCH] Add documentation describing support for user/group names
---
doc/fapolicyd.rules.5 | 6 +++---
init/fapolicyd.service | 2 ++
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/doc/fapolicyd.rules.5 b/doc/fapolicyd.rules.5
index aa77177..3b8ec09 100644
--- a/doc/fapolicyd.rules.5
+++ b/doc/fapolicyd.rules.5
@@ -35,13 +35,13 @@ The subject is the process that is performing actions on system resources. The f
This matches against any subject. When used, this must be the only subject in the rule.
.TP
.B auid
-This is the login uid that the audit system assigns users when they log in to the system. Daemons have a value of -1.
+This is the login uid that the audit system assigns users when they log in to the system. Daemons have a value of -1. The given value may be numeric or the account name.
.TP
.B uid
-This is the user id that the program is running under.
+This is the user id that the program is running under. The given value may be numeric or the account name.
.TP
.B gid
-This is the group id that the program is running under.
+This is the group id that the program is running under. The given value may be numeric or the group name.
.TP
.B sessionid
This is the numeric session id that the audit system assigns to users when they log in. Daemons have a value of -1.
diff --git a/init/fapolicyd.service b/init/fapolicyd.service
index 715de98..a5a6a3f 100644
--- a/init/fapolicyd.service
+++ b/init/fapolicyd.service
@@ -11,6 +11,8 @@ PIDFile=/run/fapolicyd.pid
ExecStartPre=/usr/sbin/fagenrules
ExecStart=/usr/sbin/fapolicyd
Restart=on-abnormal
+# Uncomment the following line if rules need user/group name lookup
+#After=nss-user-lookup.target
[Install]
WantedBy=multi-user.target
--
2.37.1

86
SPECS/fapolicyd.spec
View File

@ -4,8 +4,8 @@
Summary: Application Whitelisting Daemon
Name: fapolicyd
Version: 1.1
Release: 103%{?dist}.1
Version: 1.1.3
Release: 102%{?dist}
License: GPLv3+
URL: http://people.redhat.com/sgrubb/fapolicyd
Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@ -15,7 +15,7 @@ Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/
BuildRequires: gcc
BuildRequires: kernel-headers
BuildRequires: autoconf automake make gcc libtool
BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file
BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file
BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
BuildRequires: python3-devel
@ -32,12 +32,13 @@ Requires(postun): systemd-units
Patch1: fapolicyd-uthash-bundle.patch
Patch2: fapolicyd-selinux.patch
Patch3: fapolicyd-reorder-rules.patch
Patch4: fagenrules-group.patch
# 2069120 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.6.0]
Patch5: fapolicyd-1.1.1-ld_so.patch
# 2097734 - Faulty handling of static applications [rhel-9.0.0.z]
Patch6: fapolicyd-1.1.1-static.patch
Patch3: fagenrules-group.patch
Patch4: fapolicyd-fgets-update-thread.patch
Patch5: fapolicyd-openssl.patch
Patch6: fapolicyd-user-group-doc.patch
Patch7: fapolicyd-cli-segfault.patch
Patch8: fapolicyd-sighup.patch
Patch9: fapolicyd-readme.patch
%description
Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -57,19 +58,6 @@ BuildArch: noarch
%description selinux
The %{name}-selinux package contains selinux policy for the %{name} daemon.
%package dnf-plugin
Summary: Fapolicyd dnf plugin
Group: Applications/System
Requires: %{name} = %{version}-%{release}
BuildArch: noarch
Provides: %{name}-plugin
%description dnf-plugin
The %{name}-dnf-plugin notifies %{name} daemon about dnf update.
The dnf plugin will be replaced with rpm plugin later.
Don't use dnf and rpm plugin together.
%prep
%setup -q
@ -84,10 +72,13 @@ Don't use dnf and rpm plugin together.
%endif
%patch2 -p1 -b .selinux
%patch3 -p1 -b .reorder
%patch4 -p1 -b .group
%patch5 -p1 -b .ld_so
%patch6 -p1 -b .static
%patch3 -p1 -b .group
%patch4 -p1 -b .update-thread
%patch5 -p1 -b .openssl
%patch6 -p1 -b .user-group-doc
%patch7 -p1 -b .cli-segfault
%patch8 -p1 -b .sighup
%patch9 -p1 -b .readme
# generate rules for python
sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
@ -124,8 +115,6 @@ make check
%install
%make_install
mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
mkdir -p %{buildroot}/run/%{name}
@ -206,7 +195,7 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
# restore correct label
/usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
fi
fagenrules > /dev/null 2>&1
fagenrules >/dev/null
fi
fi
%systemd_post %{name}.service
@ -273,26 +262,37 @@ fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
%files dnf-plugin
%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
%changelog
* Thu Jun 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-103-1
RHEL 9.0.Z ERRATUM
- Faulty handling of static applications
Resolves: rhbz#2097734
* Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-102
RHEL 9.1.0 ERRATUM
- rebase fapolicyd to the latest stable vesion
Resolves: rhbz#2100041
- fapolicyd gets way too easily killed by OOM killer
Resolves: rhbz#2097385
- fapolicyd does not correctly handle SIGHUP
Resolves: rhbz#2070655
- Introduce ppid rule attribute
Resolves: rhbz#2102558
- fapolicyd often breaks package updates
Resolves: rhbz#2111244
- drop libgcrypt in favour of openssl
Resolves: rhbz#2111938
- Remove dnf plugin
Resolves: rhbz#2113959
- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works
Resolves: rhbz#2115849
* Wed Apr 06 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-103
RHEL 9.0.0 ERRATUM
* Thu Jun 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-104
RHEL 9.1.0 ERRATUM
- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path
Resolves: rhbz#2069122
Resolves: rhbz#2069123
- Faulty handling of static applications
Resolves: rhbz#2096457
* Sun Apr 3 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-101
RHEL 9.0.0 ERRATUM
RHEL 9.1.0 ERRATUM
- fapolicyd denies access to /usr/lib64/ld-2.28.so
Resolves: rhbz#2066904
Resolves: rhbz#2067493
* Wed Feb 16 2022 Radovan Sroka <rsroka@redhat.com> - 1.1-100
RHEL 9.0.0 ERRATUM