import usbguard-0.7.4-2.el8

2019-05-07 06:31:02 -04:00 · 2019-05-07 06:31:02 -04:00 · 013b78561c
commit 013b78561c
5 changed files with 573 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+SOURCES/usbguard-0.7.4.tar.gz
--- a/.usbguard.metadata
+++ b/.usbguard.metadata
@ -0,0 +1 @@
+803815ec31700468bb935ca9c18bd277bcc22237 SOURCES/usbguard-0.7.4.tar.gz
--- a/SOURCES/usbguard-0.7.4-loadFilesError.patch
+++ b/SOURCES/usbguard-0.7.4-loadFilesError.patch
@ -0,0 +1,17 @@
+diff -up usbguard-0.7.4/src/Daemon/Daemon.cpp.loadFilesError usbguard-0.7.4/src/Daemon/Daemon.cpp
+--- usbguard-0.7.4/src/Daemon/Daemon.cpp.loadFilesError	2018-07-10 14:25:41.580361063 +0200
+++ usbguard-0.7.4/src/Daemon/Daemon.cpp	2018-07-31 10:19:21.529000000 +0200
+@@ -365,7 +365,12 @@ namespace usbguard
+     ,
+     [this](const std::string& basename, const std::string& fullpath) {
+       return loadIPCAccessControlFile(basename, fullpath);
+-    });
+    },
+    [](const std::pair<std::string, std::string>& a, const std::pair<std::string, std::string>& b)
+    {
+      return a.first < b.first;
+    },
+    /*directory_required=*/true);
+   }
+ 
+   void Daemon::checkIPCAccessControlName(const std::string& name)
--- a/SOURCES/usbguard-daemon.conf
+++ b/SOURCES/usbguard-daemon.conf
@ -0,0 +1,173 @@
+#
+# Rule set file path.
+#
+# The USBGuard daemon will use this file to load the policy
+# rule set from it and to write new rules received via the
+# IPC interface.
+#
+# RuleFile=/path/to/rules.conf
+#
+RuleFile=/etc/usbguard/rules.conf
+
+#
+# Implicit policy target.
+#
+# How to treat devices that don't match any rule in the
+# policy. One of:
+#
+# * allow  - authorize the device
+# * block  - block the device
+# * reject - remove the device
+#
+ImplicitPolicyTarget=block
+
+#
+# Present device policy.
+#
+# How to treat devices that are already connected when the
+# daemon starts. One of:
+#
+# * allow        - authorize every present device
+# * block        - deauthorize every present device
+# * reject       - remove every present device
+# * keep         - just sync the internal state and leave it
+# * apply-policy - evaluate the ruleset for every present
+#                  device
+#
+PresentDevicePolicy=apply-policy
+
+#
+# Present controller policy.
+#
+# How to treat USB controllers that are already connected
+# when the daemon starts. One of:
+#
+# * allow        - authorize every present device
+# * block        - deauthorize every present device
+# * reject       - remove every present device
+# * keep         - just sync the internal state and leave it
+# * apply-policy - evaluate the ruleset for every present
+#                  device
+#
+PresentControllerPolicy=keep
+
+#
+# Inserted device policy.
+#
+# How to treat USB devices that are already connected
+# *after* the daemon starts. One of:
+#
+# * block        - deauthorize every present device
+# * reject       - remove every present device
+# * apply-policy - evaluate the ruleset for every present
+#                  device
+#
+InsertedDevicePolicy=apply-policy
+
+#
+# Restore controller device state.
+#
+# The USBGuard daemon modifies some attributes of controller
+# devices like the default authorization state of new child device
+# instances. Using this setting, you can controll whether the
+# daemon will try to restore the attribute values to the state
+# before modificaton on shutdown.
+#
+# SECURITY CONSIDERATIONS: If set to true, the USB authorization
+# policy could be bypassed by performing some sort of attack on the
+# daemon (via a local exploit or via a USB device) to make it shutdown
+# and restore to the operating-system default state (known to be permissive).
+#
+RestoreControllerDeviceState=false
+
+#
+# Device manager backend
+#
+# Which device manager backend implementation to use. One of:
+#
+# * uevent - Netlink based implementation which uses sysfs to scan for present
+#            devices and an uevent netlink socket for receiving USB device
+#            related events.
+# * dummy  - A dummy device manager which simulates several devices and device
+#            events. Useful for testing.
+#
+DeviceManagerBackend=uevent
+
+#!!! WARNING: It's good practice to set at least one of the !!!
+#!!!          two options bellow. If none of them are set,  !!!
+#!!!          the daemon will accept IPC connections from   !!!
+#!!!          anyone, thus allowing anyone to modify the    !!!
+#!!!          rule set and (de)authorize USB devices.       !!!
+
+#
+# Users allowed to use the IPC interface.
+#
+# A space delimited list of usernames that the daemon will
+# accept IPC connections from.
+#
+# IPCAllowedUsers=username1 username2 ...
+#
+IPCAllowedUsers=root
+
+#
+# Groups allowed to use the IPC interface.
+#
+# A space delimited list of groupnames that the daemon will
+# accept IPC connections from.
+#
+# IPCAllowedGroups=groupname1 groupname2 ...
+#
+IPCAllowedGroups=wheel
+
+#
+# IPC access control definition files path.
+#
+# The files at this location will be interpreted by the daemon
+# as access control definition files. The (base)name of a file
+# should be in the form:
+#
+#   [user][:<group>]
+#
+# and should contain lines in the form:
+#
+#   <section>=[privilege] ...
+#
+# This way each file defines who is able to connect to the IPC
+# bus and what privileges he has.
+#
+IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
+
+#
+# Generate device specific rules including the "via-port"
+# attribute.
+#
+# This option modifies the behavior of the allowDevice
+# action. When instructed to generate a permanent rule,
+# the action can generate a port specific rule. Because
+# some systems have unstable port numbering, the generated
+# rule might not match the device after rebooting the system.
+#
+# If set to false, the generated rule will still contain
+# the "parent-hash" attribute which also defines an association
+# to the parent device. See usbguard-rules.conf(5) for more
+# details.
+#
+DeviceRulesWithPort=false
+
+#
+# USBGuard Audit events log backend
+#
+# One of:
+#
+# * FileAudit - Log audit events into a file specified by
+#               AuditFilePath setting (see below)
+# * LinuxAudit - Log audit events using the Linux Audit
+#                subsystem (using audit_log_user_message)
+#
+AuditBackend=FileAudit
+
+#
+# USBGuard audit events log file path.
+#
+AuditFilePath=/var/log/usbguard/usbguard-audit.log
+
--- a/SPECS/usbguard.spec
+++ b/SPECS/usbguard.spec
@ -0,0 +1,381 @@
+%global _hardened_build 1
+
+%define with_gui_qt5 0
+%define with_dbus    1
+
+Name:           usbguard
+Version:        0.7.4
+Release:        2%{?dist}
+Summary:        A tool for implementing USB device usage policy
+Group:          System Environment/Daemons
+License:        GPLv2+
+## Not installed
+# src/ThirdParty/Catch: Boost Software License - Version 1.0
+URL:            https://usbguard.github.io/
+Source0:        https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Source1:        usbguard-daemon.conf
+
+Requires: systemd
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+
+BuildRequires: libqb-devel
+BuildRequires: libgcrypt-devel
+BuildRequires: libstdc++-devel
+BuildRequires: protobuf-devel protobuf-compiler
+BuildRequires: PEGTL-static
+BuildRequires: catch1-devel
+BuildRequires: autoconf automake libtool
+BuildRequires: bash-completion
+BuildRequires: asciidoc
+BuildRequires: audit-libs-devel
+# For `pkg-config systemd` only
+BuildRequires: systemd
+
+%if 0%{with_gui_qt5}
+BuildRequires: qt5-qtbase-devel qt5-qtsvg-devel qt5-linguist
+%endif
+
+%if 0%{with_dbus}
+BuildRequires: dbus-glib-devel
+BuildRequires: dbus-devel
+BuildRequires: glib2-devel
+BuildRequires: polkit-devel
+BuildRequires: libxslt
+BuildRequires: libxml2
+%endif
+
+Patch0: usbguard-0.7.4-loadFilesError.patch
+
+%description
+The USBGuard software framework helps to protect your computer against rogue USB
+devices by implementing basic whitelisting/blacklisting capabilities based on
+USB device attributes.
+
+%package        devel
+Summary:        Development files for %{name}
+Group:          Development/Libraries
+Requires:       %{name} = %{version}-%{release}
+Requires:       pkgconfig
+Requires:       libstdc++-devel
+
+%description    devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+%package        tools
+Summary:        USBGuard Tools
+Group:          Applications/System
+Requires:       %{name} = %{version}-%{release}
+
+%description    tools
+The %{name}-tools package contains optional tools from the USBGuard
+software framework.
+
+%if 0%{with_gui_qt5}
+###
+%package        applet-qt
+Summary:        USBGuard Qt 5.x Applet
+Group:          Applications/System
+Requires:       %{name} = %{version}-%{release}
+Obsoletes:      usbguard-applet-qt <= 0.3
+
+%description    applet-qt
+The %{name}-applet-qt package contains an optional Qt 5.x desktop applet
+for interacting with the USBGuard daemon component.
+###
+%endif
+
+%if 0%{with_dbus}
+###
+%package        dbus
+Summary:        USBGuard D-Bus Service
+Group:          Applications/System
+Requires:       %{name} = %{version}-%{release}
+Requires:       dbus
+Requires:       polkit
+
+%description    dbus
+The %{name}-dbus package contains an optional component that provides
+a D-Bus interface to the USBGuard daemon component.
+###
+%endif
+
+%prep
+%setup -q
+%patch0 -p1 -b .loadFilesError
+
+# Remove bundled library sources before build
+rm -rf src/ThirdParty/{Catch,PEGTL}
+
+%build
+mkdir -p ./m4
+autoreconf -i -v --no-recursive ./
+%configure \
+    --disable-silent-rules \
+    --without-bundled-catch \
+    --without-bundled-pegtl \
+    --enable-systemd \
+%if 0%{with_gui_qt5}
+    --with-gui-qt=qt5 \
+%endif
+%if 0%{with_dbus}
+    --with-dbus \
+    --with-polkit \
+%else
+    --without-dbus \
+    --without-polkit \
+%endif
+    --with-crypto-library=gcrypt
+
+make %{?_smp_mflags}
+
+%check
+make check
+
+%install
+make install INSTALL='install -p' DESTDIR=%{buildroot}
+
+# Overwrite configuration with distribution defaults
+mkdir -p %{buildroot}%{_sysconfdir}/usbguard
+mkdir -p %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
+
+# Cleanup
+find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
+
+%preun
+%systemd_preun usbguard.service
+
+%post
+/sbin/ldconfig
+%systemd_post usbguard.service
+
+%postun
+/sbin/ldconfig
+%systemd_postun usbguard.service
+
+%files
+%defattr(-,root,root,-)
+%doc README.adoc CHANGELOG.md
+%license LICENSE
+%{_libdir}/*.so.*
+%{_sbindir}/usbguard-daemon
+%{_bindir}/usbguard
+%dir %{_localstatedir}/log/usbguard
+%dir %{_sysconfdir}/usbguard
+%dir %{_sysconfdir}/usbguard/IPCAccessControl.d
+%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf
+%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf
+%{_unitdir}/usbguard.service
+%{_datadir}/man/man8/usbguard-daemon.8.gz
+%{_datadir}/man/man5/usbguard-daemon.conf.5.gz
+%{_datadir}/man/man5/usbguard-rules.conf.5.gz
+%{_datadir}/man/man1/usbguard.1.gz
+%{_datadir}/bash-completion/completions/usbguard
+
+%files devel
+%defattr(-,root,root,-)
+%{_includedir}/*
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+
+%files tools
+%defattr(-,root,root,-)
+%{_bindir}/usbguard-rule-parser
+
+%if 0%{with_gui_qt5}
+###
+%files applet-qt
+%defattr(-,root,root,-)
+%{_bindir}/usbguard-applet-qt
+%{_mandir}/man1/usbguard-applet-qt.1.gz
+%{_datadir}/applications/usbguard-applet-qt.desktop
+%{_datadir}/icons/hicolor/scalable/apps/usbguard-icon.svg
+###
+%endif
+
+%if 0%{with_dbus}
+###
+%files dbus
+%defattr(-,root,root,-)
+%{_sbindir}/usbguard-dbus
+%{_datadir}/dbus-1/system-services/org.usbguard.service
+%{_datadir}/dbus-1/system.d/org.usbguard.conf
+%{_datadir}/polkit-1/actions/org.usbguard.policy
+%{_unitdir}/usbguard-dbus.service
+%{_mandir}/man8/usbguard-dbus.8.gz
+
+%preun dbus
+%systemd_preun usbguard-dbus.service
+
+%post dbus
+%systemd_post usbguard-dbus.service
+
+%postun dbus
+%systemd_postun_with_restart usbguard-dbus.service
+###
+%endif
+
+%changelog
+* Fri Dec 14 2018 Jiri Vymazal <jvymazal@redhat.com> - 0.7.4-2
+  Resolves: rhbz#1643057 - usbguard fails to report invalid value in IPCAccessControlFiles directive
+
+* Wed Jul 11 2018 Daniel Kopeček <dkopecek@redhat.com> - 0.7.4-1
+- Update to 0.7.4
+- Replaced asciidoctor dependency with asciidoc
+- Disabled Qt applet
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Tue Jan 23 2018 Daniel Kopeček <dkopecek@redhat.com> - 0.7.2-2
+- Escape rpm macros mentioned in changelog section
+
+* Tue Jan 23 2018 Daniel Kopeček <dkopecek@redhat.com> - 0.7.2-1
+- Update to 0.7.2
+- Don't use --enable-werror downstream
+- Removed patches related to compiler warnings
+
+* Mon Jan 15 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.7.1-2
+- catch → catch1
+
+* Wed Dec 06 2017 Daniel Kopeček <dkopecek@redhat.com> - 0.7.1-1
+- Update to 0.7.1
+
+* Wed Nov 29 2017 Igor Gnatenko <ignatenko@redhat.com> - 0.7.0-9
+- Rebuild for protobuf 3.5
+
+* Mon Nov 13 2017 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.7.0-8
+- Rebuild for protobuf 3.4
+
+* Mon Oct 16 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-7
+- Fix enumeration timeout on kernel >= 4.13
+  Resolves: rhbz#1499052
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jul 13 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-4
+- Added patch to disable unused parameter warning for protobuf
+  generated sources to fix compilation with newer protobuf version
+
+* Tue Jun 13 2017 Orion Poplawski <orion@cora.nwra.com> - 0.7.0-3
+- Rebuild for protobuf 3.3.1
+
+* Mon May 15 2017 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_27_Mass_Rebuild
+
+* Thu Apr 13 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-1
+- Update to 0.7.0
+  - changed PresentDevicePolicy setting from keep to apply-policy
+  - added AuditFilePath configuration option pointing to
+    /var/log/usbguard/usbguard-audit.log file
+  - install bash-completion script
+  - use 0600 file permissions for usbguard-daemon.conf and rules.conf
+
+* Sun Mar 19 2017 Daniel Kopeček <dkopecek@redhat.com> 0.6.3-0.1.20170319
+- Update to latest git snapshot
+
+* Fri Mar 17 2017 Daniel Kopeček <dkopecek@redhat.com> 0.6.3-0.1.20170317
+- Update to latest git snapshot
+- Use --enable-werror configure option as the upstream default
+  changed to not use -Werror.
+
+* Thu Mar 02 2017 Daniel Kopeček <dkopecek@redhat.com> 0.6.3-0.1.20170301
+- Update to latest git snapshot
+- Disabled upstream alignment warning compiler flag
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Jan 26 2017 Orion Poplawski <orion@cora.nwra.com> - 0.6.2-3
+- Rebuild for protobuf 3.2.0
+
+* Sat Nov 19 2016 Orion Poplawski <orion@cora.nwra.com> - 0.6.2-2
+- Rebuild for protobuf 3.1.0
+
+* Sun Sep 18 2016 Daniel Kopeček <dkopecek@redhat.com> 0.6.2-1
+- Update to 0.6.2
+
+* Fri Sep 16 2016 Daniel Kopeček <dkopecek@redhat.com> 0.6.1-1
+- Update to 0.6.1
+
+* Sun Sep 04 2016 Daniel Kopeček <dkopecek@redhat.com> 0.6.0-1
+- Update to 0.6.0
+
+* Thu Aug 18 2016 Daniel Kopeček <dkopecek@redhat.com> 0.5.14-1
+- Update to 0.5.14
+
+* Tue Aug 16 2016 Daniel Kopeček <dkopecek@redhat.com> 0.5.13-1
+- Update to 0.5.13
+
+* Sun Aug 14 2016 Daniel Kopeček <dkopecek@redhat.com> 0.5.12-1
+- Update to 0.5.12
+
+* Sat Aug 13 2016 Daniel Kopeček <dkopecek@redhat.com> 0.5.11-2
+- Update source tarball
+- Ship CHANGELOG.md
+
+* Sat Aug 13 2016 Daniel Kopeček <dkopecek@redhat.com> 0.5.11-1
+- Update to 0.5.11
+- Use libgcrypt instead of libsodium for crypto
+
+* Thu Jul 21 2016 Daniel Kopecek <dkopecek@redhat.com> 0.5.10-2
+- Adjust the default configuration to keep the authorization state
+  of present controller devices.
+
+* Sat Jul 09 2016 Daniel Kopecek <dkopecek@redhat.com> 0.5.10-1
+- Update to release 0.5.10
+
+* Mon Mar 07 2016 Remi Collet <remi@fedoraproject.org> - 0.4-5
+- rebuild for new libsodium soname
+
+* Sun Feb 07 2016 Daniel Kopecek <dkopecek@redhat.com> 0.4-4
+- Update to version 0.4
+- added usbguard CLI
+- added a tools subpackage with usbguard-rule-parser binary
+
+* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.3p3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3p3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Apr 14 2015 Daniel Kopecek <dkopecek@redhat.com> 0.3p3-1
+- Update to version 0.3p3
+- added %%check section
+- removed explicit -devel requires on systemd, libqb and
+  libsodium devel files
+- added -devel requires on libstdc++-devel
+
+* Sat Apr 11 2015 Daniel Kopecek <dkopecek@redhat.com> 0.3p2-1
+- Update to version 0.3p2
+- use system-wide json and spdlog packages
+
+* Fri Apr 10 2015 Daniel Kopecek <dkopecek@redhat.com> 0.3p1-1
+- Update to version 0.3p1
+- removed bundled cppformat copylib
+
+* Thu Apr 09 2015 Daniel Kopecek <dkopecek@redhat.com> 0.3-1
+- Update to version 0.3
+- disabled silent rules
+- install license file
+- added man pages
+- use _hardened_build 1 instead of custom compilation flags
+- fix file permissions on files in /etc
+- do not install an empty rule set file
+
+* Fri Apr 03 2015 Daniel Kopecek <dkopecek@redhat.com> 0.2-1
+- Update to version 0.2
+- Updated description
+- Corrected package group
+
+* Tue Mar 17 2015 Daniel Kopecek <dkopecek@redhat.com> 0.1-1
+- Initial package
				`@ -0,0 +1 @@`
				`803815ec31700468bb935ca9c18bd277bcc22237 SOURCES/usbguard-0.7.4.tar.gz`