Backported two patches

- selinux: allow policykit dbus comunnication - restore support for access control filenames without a group Signed-off-by: Radovan Sroka <rsroka@redhat.com>
2022-03-15 10:41:50 +01:00 · 2022-03-15 10:41:50 +01:00 · 2eb6b48d69
commit 2eb6b48d69
parent 80738463b0
3 changed files with 75 additions and 3 deletions
--- a/policykit-dbus-chat-selinux.patch
+++ b/policykit-dbus-chat-selinux.patch
@ -0,0 +1,22 @@
+diff -up ./usbguard-selinux-0.0.4/usbguard.te.policykit ./usbguard-selinux-0.0.4/usbguard.te
+--- ./usbguard-selinux-0.0.4/usbguard.te.policykit	2022-03-15 10:32:21.002852930 +0100
+++ ./usbguard-selinux-0.0.4/usbguard.te	2022-03-15 10:36:47.844040559 +0100
+@@ -99,9 +99,17 @@ logging_log_filetrans(usbguard_t, usbgua
+ 
+ logging_send_syslog_msg(usbguard_t)
+ 
+-dbus_system_domain(usbguard_t, usbguard_exec_t)
+ usbguard_ipc_access(usbguard_t)
+ 
+optional_policy(`
+	dbus_system_domain(usbguard_t, usbguard_exec_t)
+
+	optional_policy(`
+		policykit_dbus_chat(usbguard_t)
+	')
+')
+
+
+ tunable_policy(`usbguard_daemon_write_rules',`
+ 	rw_files_pattern(usbguard_t, usbguard_rules_t, usbguard_rules_t)
+ ')
--- a/usbguard-restore-support-access-control-names.patch
+++ b/usbguard-restore-support-access-control-names.patch
@ -0,0 +1,44 @@
+From 22eb68cde27046c684e3ee2061b085b18fad863b Mon Sep 17 00:00:00 2001
+From: Sebastian Pipping <sebastian@pipping.org>
+Date: Sat, 5 Mar 2022 17:22:05 +0100
+Subject: [PATCH] Restore support for access control filenames without a group
+
+Regression from commit b15ef713a9ac47e84525bbf829c7f444b84c3c81
+of release 1.1.0, detailed analysis online at
+https://github.com/USBGuard/usbguard/issues/540#issuecomment-1059784284
+---
+ src/Daemon/Daemon.cpp | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp
+index 45ddb76d..4ec2d934 100644
+--- a/src/Daemon/Daemon.cpp
+++ b/src/Daemon/Daemon.cpp
+@@ -446,12 +446,25 @@ namespace usbguard
+   void Daemon::parseIPCAccessControlFilename(const std::string& basename, std::string* const ptr_user,
+     std::string* const ptr_group)
+   {
+    // There are five supported forms:
+    // - "<user>:<group>"
+    // - "<user>:"
+    // - "<user>"
+    // - ":<group>"
+    // - ":"
+     const auto ug_separator = basename.find_first_of(":");
+     const bool has_group = ug_separator != std::string::npos;
+     const std::string user = basename.substr(0, ug_separator);
+     const std::string group = has_group ? basename.substr(ug_separator + 1) : std::string();
+-    checkIPCAccessControlName(user);
+-    checkIPCAccessControlName(group);
+
+    if (! user.empty()) {
+      checkIPCAccessControlName(user);
+    }
+
+    if (! group.empty()) {
+      checkIPCAccessControlName(group);
+    }
+
+     *ptr_user = user;
+     *ptr_group = group;
+   }
--- a/usbguard.spec
+++ b/usbguard.spec
@ -4,7 +4,7 @@

 Name:           usbguard
 Version:        1.1.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        A tool for implementing USB device usage policy
 License:        GPLv2+
 ## Not installed
@ -40,8 +40,8 @@ BuildRequires: audit-libs-devel
 BuildRequires: systemd

 Patch1: usbguard-revert-catch.patch
-
-
+Patch2: policykit-dbus-chat-selinux.patch
+Patch3: usbguard-restore-support-access-control-names.patch

 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@ -104,6 +104,8 @@ daemon.
 %setup -q -D -T -a 1

 %patch1 -p1 -b .catch
+%patch2 -p1 -b .policykit
+%patch3 -p1 -b .access-contol-names

 # Remove bundled library sources before build
 rm -rf src/ThirdParty/{Catch,PEGTL}
@ -227,6 +229,10 @@ fi


 %changelog
+* Tue Mar 15 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.0-2
+- selinux: allow policykit dbus comunnication
+- restore support for access control filenames without a group
+
 * Thu Mar 03 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.0-1
 - rebase to 1.1.0
 Resolves: rhbz#2058450