import usbguard-1.0.0-13.el8

SOURCES/usbguard-OOMScoreAdjust.patch

@@ -0,0 +1,11 @@
+diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
+--- usbguard-1.0.0/usbguard.service.in.orig	2022-11-28 10:21:35.889977314 +0100
++++ usbguard-1.0.0/usbguard.service.in	2022-11-28 10:21:52.711987716 +0100
+@@ -4,6 +4,7 @@ Wants=systemd-udevd.service local-fs.tar
+ Documentation=man:usbguard-daemon(8)
+ 
+ [Service]
++OOMScoreAdjust=-1000
+ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed

SOURCES/usbguard-consistent-rules.patch

@@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp
+--- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig	2022-11-28 10:35:44.052560664 +0100
++++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp	2022-11-28 10:35:55.510568939 +0100
+@@ -76,7 +76,7 @@ namespace usbguard
+       }
+ 
+       if (ruleSet.empty()){
+-        USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible.";
++        USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible.";
+         ruleSet = generateDefaultRuleSet();
+       }
+ 

SOURCES/usbguard-daemon-race-condition.patch

@@ -0,0 +1,19 @@
+diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp
+--- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig	2022-11-28 10:25:01.044104150 +0100
++++ usbguard-1.0.0/src/Daemon/Daemon.cpp	2022-11-28 10:25:34.736124980 +0100
+@@ -40,6 +40,7 @@
+ #include <sys/types.h>
+ #include <sys/poll.h>
+ #include <unistd.h>
++#include <sys/wait.h>
+ #include <signal.h>
+ #include <string.h>
+ #include <sys/stat.h>
+@@ -606,6 +607,7 @@ namespace usbguard
+         const int signum = sigtimedwait(&mask, &info, &timeout);
+ 
+         if (signum == SIGUSR1 && info.si_signo == SIGUSR1 && info.si_pid == pid) {
++          waitpid(pid, nullptr, 0);
+           USBGUARD_LOG(Trace) << "Finished daemonization";
+           exit(EXIT_SUCCESS);
+         }

SOURCES/usbguard-dbus-CVE-leak.patch

@@ -1,6 +1,6 @@
 diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp
---- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig	2022-10-18 10:15:30.730138795 +0200
+--- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig	2022-10-18 10:33:04.498762878 +0200
-+++ usbguard-1.0.0/src/DBus/DBusBridge.cpp	2022-10-18 10:15:55.773153276 +0200
++++ usbguard-1.0.0/src/DBus/DBusBridge.cpp	2022-10-18 10:33:36.920785285 +0200
 @@ -434,12 +434,11 @@ namespace usbguard
      USBGUARD_LOG(Trace) << "Connecting with Polkit authority...";
      PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error);

SOURCES/usbguard-disable-console-log.patch

@@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
+--- usbguard-1.0.0/usbguard.service.in.orig	2023-01-12 13:17:14.200064956 +0100
++++ usbguard-1.0.0/usbguard.service.in	2023-01-12 13:17:22.588078994 +0100
+@@ -8,7 +8,7 @@ OOMScoreAdjust=-1000
+ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
+-ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
++ExecStart=%sbindir%/usbguard-daemon -f -s -K -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes

SOURCES/usbguard-missing-doc.patch

@@ -0,0 +1,43 @@
+diff -up usbguard-1.0.0/doc/man/example-allow-device.adoc.orig usbguard-1.0.0/doc/man/example-allow-device.adoc
+--- usbguard-1.0.0/doc/man/example-allow-device.adoc.orig	2022-11-28 12:00:26.695561514 +0100
++++ usbguard-1.0.0/doc/man/example-allow-device.adoc	2022-11-28 11:57:01.120457773 +0100
+@@ -0,0 +1,6 @@
++....
++    # Allow a device by ID(it is the very first number from the list-devices command output)
++    $ sudo usbguard allow-device 10
++    # Allow all devices named "Dell Wired Multimedia Keyboard"
++    $ sudo usbguard allow-device name \"Dell Wired Multimedia Keyboard\"
++....
+diff -up usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig usbguard-1.0.0/doc/man/example-initial-policy.adoc
+--- usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig	2022-11-28 12:00:31.781564080 +0100
++++ usbguard-1.0.0/doc/man/example-initial-policy.adoc	2022-11-28 11:57:25.353470002 +0100
+@@ -0,0 +1,7 @@
++....
++    $ sudo usbguard generate-policy > rules.conf
++    $ vi rules.conf
++    (review/modify the rule set)
++    $ sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
++    $ sudo systemctl restart usbguard
++....
+diff -up usbguard-1.0.0/doc/man/footer.adoc.orig usbguard-1.0.0/doc/man/footer.adoc
+--- usbguard-1.0.0/doc/man/footer.adoc.orig	2022-11-28 11:54:21.495377220 +0100
++++ usbguard-1.0.0/doc/man/footer.adoc	2022-11-28 11:55:51.960422872 +0100
+@@ -0,0 +1,18 @@
++== BUGS
++If you find a bug in this software or if you'd like to request a feature to be implemented, please file a ticket at <https://github.com/USBGuard/usbguard/issues/new>.
++
++
++== AUTHOR
++USBGuard was originally written by Daniel Kopeček.
++Many people have contributed to it.
++
++
++== RESOURCES
++Main web site: <https://usbguard.github.io/>
++
++
++== COPYING
++Copyright © 2015-{docyear} Red Hat, Inc. +
++License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl.html. +
++This is free software: you are free to change and redistribute it.
++There is NO WARRANTY, to the extent permitted by law.

SOURCES/usbguard-permanent-rules.patch

@@ -0,0 +1,68 @@
+diff -up usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc.orig usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc
+--- usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc.orig	2023-01-05 10:58:24.684407437 +0100
++++ usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc	2023-01-05 10:58:42.323426745 +0100
+@@ -27,7 +27,12 @@ It may be overridden using the *-c* comm
+     behave like any other standard Linux daemon therefore it loads rule files in
+     alpha-numeric order. File names inside `RuleFolder` directory should start
+     with a two-digit number prefix indicating the position, in which the rules
+-    are scanned by the daemon.
++    are scanned by the daemon. Using RuleFile and RuleFolder at the same time is
++    permitted. However, modification of the permanent policy is not possible if
++    one of the following conditions are met:
++    ** Neither RuleFile nor RuleFolder are specified.
++    ** RuleFile is not specified, RuleFolder is but it does not contain any files,
++       where we could save permanent rules.
+ 
+ *ImplicitPolicyTarget*='target'::
+     How to treat USB devices that don't match any rule in the policy. Target
+diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp
+--- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig	2023-01-05 10:58:49.689434809 +0100
++++ usbguard-1.0.0/src/Daemon/Daemon.cpp	2023-01-05 10:59:18.991466884 +0100
+@@ -742,7 +742,7 @@ namespace usbguard
+     /* TODO: reevaluate the firewall rules for all active devices */
+     const uint32_t id = _policy.appendRule(rule, parent_id);
+ 
+-    if (_config.hasSettingValue("RuleFile") && permanent) {
++    if ((_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) && permanent) {
+       _policy.save();
+     }
+ 
+@@ -755,7 +755,7 @@ namespace usbguard
+     USBGUARD_LOG(Trace) << "id=" << id;
+     _policy.removeRule(id);
+ 
+-    if (_config.hasSettingValue("RuleFile")) {
++    if (_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) {
+       _policy.save();
+     }
+   }
+diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp
+--- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig	2023-01-05 10:59:27.117475780 +0100
++++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp	2023-01-05 10:59:46.228496702 +0100
+@@ -75,8 +75,24 @@ namespace usbguard
+         }
+       }
+ 
+-      if (ruleSet.empty()){
+-        USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible.";
++      /*
++       * This means one of the following:
++       *  - Neither RuleFile nor RuleFolder are specified
++       *  - RuleFile not specified, RuleFolder is but it does not contain any files,
++       *    where we could save permanent rules
++       */
++      if (ruleSet.empty()) {
++        std::string msg;
++
++        if (ns.getRulesPath().empty() && ns.getRulesDirPath().empty()) {
++          msg = "Neither RuleFile nor RuleFolder are set.";
++        }
++        else {
++          msg = "RuleFile is not set, RuleFolder is but it does not contain any rule files.";
++        }
++
++        USBGUARD_LOG(Warning) << "Modification of the permanent policy won't be possible."
++          << " Reason: " << msg;
+         ruleSet = generateDefaultRuleSet();
+       }
+ 

SPECS/usbguard.spec

@@ -8,7 +8,7 @@
 
 Name:           usbguard
 Version:        1.0.0
-Release:        8%{?dist}.2
+Release:        13%{?dist}
 Summary:        A tool for implementing USB device usage policy
 Group:          System Environment/Daemons
 License:        GPLv2+
@@ -19,6 +19,7 @@ Source0:        https://github.com/USBGuard/usbguard/releases/download/%{name}-%
 Source1:        https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
 Source2:        https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz
 Source3:        usbguard-daemon.conf
+ExcludeArch: i686
 
 Requires: systemd
 Requires(post): systemd
@@ -27,7 +28,6 @@ Requires(postun): systemd
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
 Recommends: (%{name}-selinux if selinux-policy-%{selinuxtype})
-Conflicts: %{name}
 
 BuildRequires: gcc-c++
 BuildRequires: libqb-devel
@@ -64,6 +64,12 @@ Patch11: usbguard-notifier-icon-injection.patch
 Patch12: usbguard-dbus-CVE.patch
 Patch13: usbguard-selinux-dbus-CVE.patch
 Patch14: usbguard-dbus-CVE-leak.patch
+Patch15: usbguard-daemon-race-condition.patch
+Patch16: usbguard-OOMScoreAdjust.patch
+Patch17: usbguard-consistent-rules.patch
+Patch18: usbguard-missing-doc.patch
+Patch19: usbguard-permanent-rules.patch
+Patch20: usbguard-disable-console-log.patch
 
 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@@ -154,6 +160,12 @@ rm -rf src/ThirdParty/{Catch,PEGTL}
 %patch12 -p1 -b .dbus-CVE
 %patch13 -p1 -b .selinux-dbus-CVE
 %patch14 -p1 -b .dbus-CVE-leak
+%patch15 -p1 -b .daemon-race
+%patch16 -p1 -b .OOMScoreAdjust
+%patch17 -p1 -b .consistent-rules
+%patch18 -p1 -b .missing-doc
+%patch19 -p1 -b .permanent-rules
+%patch20 -p1 -b .disable-syslog
 
 %build
 mkdir -p ./m4
@@ -318,10 +330,24 @@ fi
 
 
 %changelog
-* Wed Aug 24 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-8.2
+* Thu Jan 12 2023 Attila Lakatos <alakatos@redhat.com> - 1.0.0-13
+- Set OOMScoreAdjust to -1000 in service file
+Resolves: rhbz#2159411
+- Fix race condition in usbguard-daemon when forking
+Resolves: rhbz#2159409
+- Add missing files to documentation
+Resolves: rhbz#2159412
+- Disable logging to console, logging to syslog is still enabled
+- Store permanent rules even if RuleFile is not set but RuleFolder is
+- Neither RuleFolder nor RuleFile exists bugfix
+Resolves: rhbz#2159413
+- Remove build for i686 arch
+Resolves: rhbz#2105091
+
+* Wed Aug 24 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-10
 - Fix unauthorized access via D-bus
-- Fix memory leak on D-bus connection failure
+- Fix memory leaks on connection failure to D-bus
-Resolves: rhbz#2127848
+Resolves: rhbz#2059067
 
 * Mon Nov 29 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-8
 - change usbguard icon injection