import usbguard-0.7.8-7.el8
parent
24d8a59329
commit
32df1fdeb9
|
@ -1 +1,3 @@
|
|||
SOURCES/usbguard-0.7.4.tar.gz
|
||||
SOURCES/usbguard-0.7.8.tar.gz
|
||||
SOURCES/usbguard-notifier-0.0.6.tar.gz
|
||||
SOURCES/usbguard-selinux-0.0.3.tar.gz
|
||||
|
|
|
@ -1 +1,3 @@
|
|||
803815ec31700468bb935ca9c18bd277bcc22237 SOURCES/usbguard-0.7.4.tar.gz
|
||||
d8bbd3e9f4f0deb1418f71422e7fab3d14053412 SOURCES/usbguard-0.7.8.tar.gz
|
||||
7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
|
||||
e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz
|
||||
|
|
|
@ -1,242 +0,0 @@
|
|||
diff --git a/doc/man/usbguard-rules.conf.5.adoc b/doc/man/usbguard-rules.conf.5.adoc
|
||||
index 44f399c..c0f86f8 100644
|
||||
--- a/doc/man/usbguard-rules.conf.5.adoc
|
||||
+++ b/doc/man/usbguard-rules.conf.5.adoc
|
||||
@@ -93,6 +93,9 @@ where the optional 'operator' is one of:
|
||||
*equals-ordered*::
|
||||
The device attribute set must contain exactly the same set of values in the same order for the rule to match.
|
||||
|
||||
+*match-all*::
|
||||
+ The device attribute set must be a subset of the specified values for the rule to match.
|
||||
+
|
||||
If the operator is not specified it is set to *equals*.
|
||||
|
||||
[.underline]#List of attributes:#
|
||||
diff --git a/src/Library/RuleParser/Grammar.hpp b/src/Library/RuleParser/Grammar.hpp
|
||||
index 4d785c0..764380e 100644
|
||||
--- a/src/Library/RuleParser/Grammar.hpp
|
||||
+++ b/src/Library/RuleParser/Grammar.hpp
|
||||
@@ -15,6 +15,7 @@
|
||||
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
//
|
||||
// Authors: Daniel Kopecek <dkopecek@redhat.com>
|
||||
+// Marek Tamaskovic <mtamasko@redhat.com>
|
||||
//
|
||||
#pragma once
|
||||
#ifdef HAVE_BUILD_CONFIG_H
|
||||
@@ -53,12 +54,13 @@ namespace usbguard
|
||||
struct str_none_of : TAOCPP_PEGTL_STRING("none-of") {};
|
||||
struct str_equals : TAOCPP_PEGTL_STRING("equals") {};
|
||||
struct str_equals_ordered : TAOCPP_PEGTL_STRING("equals-ordered") {};
|
||||
+ struct str_match_all: TAOCPP_PEGTL_STRING("match-all") {};
|
||||
|
||||
/*
|
||||
* Generic rule attribute
|
||||
*/
|
||||
struct multiset_operator
|
||||
- : sor<str_all_of, str_one_of, str_none_of, str_equals_ordered, str_equals> {};
|
||||
+ : sor<str_all_of, str_one_of, str_none_of, str_equals_ordered, str_equals, str_match_all> {};
|
||||
|
||||
template<class attribute_value_rule>
|
||||
struct attribute_value_multiset
|
||||
diff --git a/src/Library/RulePrivate.cpp b/src/Library/RulePrivate.cpp
|
||||
index 73140fa..6ceb12d 100644
|
||||
--- a/src/Library/RulePrivate.cpp
|
||||
+++ b/src/Library/RulePrivate.cpp
|
||||
@@ -15,6 +15,7 @@
|
||||
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
//
|
||||
// Authors: Daniel Kopecek <dkopecek@redhat.com>
|
||||
+// Marek Tamaskovic <mtamasko@redhat.com>
|
||||
//
|
||||
#ifdef HAVE_BUILD_CONFIG_H
|
||||
#include <build-config.h>
|
||||
@@ -177,6 +178,7 @@ namespace usbguard
|
||||
case Rule::SetOperator::AllOf:
|
||||
case Rule::SetOperator::Equals:
|
||||
case Rule::SetOperator::EqualsOrdered:
|
||||
+ case Rule::SetOperator::MatchAll:
|
||||
meets_conditions = \
|
||||
(conditionsState() == ((((uint64_t)1) << _conditions.count()) - 1));
|
||||
break;
|
||||
diff --git a/src/Library/public/usbguard/Predicates.hpp b/src/Library/public/usbguard/Predicates.hpp
|
||||
index 412517e..95ede3a 100644
|
||||
--- a/src/Library/public/usbguard/Predicates.hpp
|
||||
+++ b/src/Library/public/usbguard/Predicates.hpp
|
||||
@@ -15,6 +15,7 @@
|
||||
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
//
|
||||
// Authors: Daniel Kopecek <dkopecek@redhat.com>
|
||||
+// Marek Tamaskovic <mtamasko@redhat.com>
|
||||
//
|
||||
#pragma once
|
||||
|
||||
@@ -35,6 +36,15 @@ namespace usbguard
|
||||
USBGUARD_LOG(Trace) << "generic isSubsetOf";
|
||||
return source == target;
|
||||
}
|
||||
+
|
||||
+ template<typename T>
|
||||
+ bool isSupersetOf(const T& source, const T& target)
|
||||
+ {
|
||||
+ USBGUARD_LOG(Error) << "Not implemented";
|
||||
+ (void) source;
|
||||
+ (void) target;
|
||||
+ return true;
|
||||
+ }
|
||||
}
|
||||
} /* namespace usbguard */
|
||||
|
||||
diff --git a/src/Library/public/usbguard/Rule.cpp b/src/Library/public/usbguard/Rule.cpp
|
||||
index f7bb35a..fa97578 100644
|
||||
--- a/src/Library/public/usbguard/Rule.cpp
|
||||
+++ b/src/Library/public/usbguard/Rule.cpp
|
||||
@@ -15,6 +15,7 @@
|
||||
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
//
|
||||
// Authors: Daniel Kopecek <dkopecek@redhat.com>
|
||||
+// Marek Tamaskovic <mtamasko@redhat.com>
|
||||
//
|
||||
#ifdef HAVE_BUILD_CONFIG_H
|
||||
#include <build-config.h>
|
||||
@@ -325,7 +326,8 @@ namespace usbguard
|
||||
{ "none-of", Rule::SetOperator::NoneOf },
|
||||
{ "equals", Rule::SetOperator::Equals },
|
||||
{ "equals-ordered", Rule::SetOperator::EqualsOrdered },
|
||||
- { "match", Rule::SetOperator::Match }
|
||||
+ { "match", Rule::SetOperator::Match },
|
||||
+ { "match-all", Rule::SetOperator::MatchAll}
|
||||
};
|
||||
|
||||
const std::string Rule::setOperatorToString(const Rule::SetOperator& op)
|
||||
diff --git a/src/Library/public/usbguard/Rule.hpp b/src/Library/public/usbguard/Rule.hpp
|
||||
index 0ebfdaf..67a67f0 100644
|
||||
--- a/src/Library/public/usbguard/Rule.hpp
|
||||
+++ b/src/Library/public/usbguard/Rule.hpp
|
||||
@@ -15,6 +15,7 @@
|
||||
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
//
|
||||
// Authors: Daniel Kopecek <dkopecek@redhat.com>
|
||||
+// Marek Tamaskovic <mtamasko@redhat.com>
|
||||
//
|
||||
#pragma once
|
||||
|
||||
@@ -77,7 +78,8 @@ namespace usbguard
|
||||
NoneOf,
|
||||
Equals,
|
||||
EqualsOrdered,
|
||||
- Match /* Special operator: matches anything, cannot be used directly in a rule */
|
||||
+ Match, /* Special operator: matches anything, cannot be used directly in a rule */
|
||||
+ MatchAll
|
||||
};
|
||||
|
||||
static const std::string setOperatorToString(const Rule::SetOperator& op);
|
||||
@@ -237,6 +239,10 @@ namespace usbguard
|
||||
applies = setSolveEqualsOrdered(_values, target._values);
|
||||
break;
|
||||
|
||||
+ case SetOperator::MatchAll:
|
||||
+ applies = setSolveMatchAll(_values, target._values);
|
||||
+ break;
|
||||
+
|
||||
default:
|
||||
throw USBGUARD_BUG("Invalid set operator value");
|
||||
}
|
||||
@@ -409,6 +415,26 @@ namespace usbguard
|
||||
return false;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * All of the items in target set must match an item in the source set
|
||||
+ */
|
||||
+ bool setSolveMatchAll(const std::vector<ValueType>& source_set, const std::vector<ValueType>& target_set) const
|
||||
+ {
|
||||
+ USBGUARD_LOG(Trace);
|
||||
+ size_t match = 0;
|
||||
+
|
||||
+ for (auto const& target_item : target_set) {
|
||||
+ for (auto const& source_item : source_set) {
|
||||
+ if (Predicates::isSupersetOf(source_item, target_item)) {
|
||||
+ match++;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return match == target_set.size();
|
||||
+ }
|
||||
+
|
||||
std::string _name;
|
||||
SetOperator _set_operator;
|
||||
std::vector<ValueType> _values;
|
||||
diff --git a/src/Library/public/usbguard/USB.cpp b/src/Library/public/usbguard/USB.cpp
|
||||
index 281d1c9..54e5fb8 100644
|
||||
--- a/src/Library/public/usbguard/USB.cpp
|
||||
+++ b/src/Library/public/usbguard/USB.cpp
|
||||
@@ -15,6 +15,7 @@
|
||||
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
//
|
||||
// Authors: Daniel Kopecek <dkopecek@redhat.com>
|
||||
+// Marek Tamaskovic <mtamasko@redhat.com>
|
||||
//
|
||||
#ifdef HAVE_BUILD_CONFIG_H
|
||||
#include <build-config.h>
|
||||
@@ -125,6 +126,15 @@ namespace usbguard
|
||||
return result;
|
||||
}
|
||||
|
||||
+ template<>
|
||||
+ bool Predicates::isSupersetOf(const USBDeviceID& source, const USBDeviceID& target)
|
||||
+ {
|
||||
+ USBGUARD_LOG(Trace) << "source=" << source.toString() << " target=" << target.toString();
|
||||
+ const bool result = target.isSubsetOf(source);
|
||||
+ USBGUARD_LOG(Trace) << "result=" << result;
|
||||
+ return result;
|
||||
+ }
|
||||
+
|
||||
USBInterfaceType::USBInterfaceType()
|
||||
{
|
||||
_bClass = 0;
|
||||
@@ -234,6 +244,12 @@ namespace usbguard
|
||||
return source.appliesTo(target);
|
||||
}
|
||||
|
||||
+ template<>
|
||||
+ bool Predicates::isSupersetOf(const USBInterfaceType& source, const USBInterfaceType& target)
|
||||
+ {
|
||||
+ return source.appliesTo(target);
|
||||
+ }
|
||||
+
|
||||
const std::string USBInterfaceType::typeString() const
|
||||
{
|
||||
return USBInterfaceType::typeString(_bClass, _bSubClass, _bProtocol, _mask);
|
||||
diff --git a/src/Library/public/usbguard/USB.hpp b/src/Library/public/usbguard/USB.hpp
|
||||
index 914d74b..f538aac 100644
|
||||
--- a/src/Library/public/usbguard/USB.hpp
|
||||
+++ b/src/Library/public/usbguard/USB.hpp
|
||||
@@ -15,6 +15,7 @@
|
||||
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
//
|
||||
// Authors: Daniel Kopecek <dkopecek@redhat.com>
|
||||
+// Marek Tamaskovic <mtamasko@redhat.com>
|
||||
//
|
||||
#pragma once
|
||||
|
||||
@@ -169,6 +170,8 @@ namespace usbguard
|
||||
{
|
||||
template<>
|
||||
bool isSubsetOf(const USBDeviceID& source, const USBDeviceID& target);
|
||||
+ template<>
|
||||
+ bool isSupersetOf(const USBDeviceID& source, const USBDeviceID& target);
|
||||
}
|
||||
|
||||
class DLL_PUBLIC USBInterfaceType
|
||||
@@ -202,6 +205,8 @@ namespace usbguard
|
||||
{
|
||||
template<>
|
||||
bool isSubsetOf(const USBInterfaceType& source, const USBInterfaceType& target);
|
||||
+ template<>
|
||||
+ bool isSupersetOf(const USBInterfaceType& source, const USBInterfaceType& target);
|
||||
}
|
||||
|
||||
class USBDescriptorParser;
|
|
@ -1,17 +0,0 @@
|
|||
diff -up usbguard-0.7.4/src/Daemon/Daemon.cpp.loadFilesError usbguard-0.7.4/src/Daemon/Daemon.cpp
|
||||
--- usbguard-0.7.4/src/Daemon/Daemon.cpp.loadFilesError 2018-07-10 14:25:41.580361063 +0200
|
||||
+++ usbguard-0.7.4/src/Daemon/Daemon.cpp 2018-07-31 10:19:21.529000000 +0200
|
||||
@@ -365,7 +365,12 @@ namespace usbguard
|
||||
,
|
||||
[this](const std::string& basename, const std::string& fullpath) {
|
||||
return loadIPCAccessControlFile(basename, fullpath);
|
||||
- });
|
||||
+ },
|
||||
+ [](const std::pair<std::string, std::string>& a, const std::pair<std::string, std::string>& b)
|
||||
+ {
|
||||
+ return a.first < b.first;
|
||||
+ },
|
||||
+ /*directory_required=*/true);
|
||||
}
|
||||
|
||||
void Daemon::checkIPCAccessControlName(const std::string& name)
|
|
@ -0,0 +1,88 @@
|
|||
diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac
|
||||
--- ./usbguard-notifier-0.0.6/configure.ac.notifier 2020-04-29 07:35:43.057914703 +0200
|
||||
+++ ./usbguard-notifier-0.0.6/configure.ac 2020-06-17 16:27:53.577151720 +0200
|
||||
@@ -44,6 +44,32 @@ AC_ARG_WITH(
|
||||
[notificaiton_path="/tmp/usbguard-notifier"]
|
||||
)
|
||||
|
||||
+# usbguard-devel
|
||||
+# Add the path to where your usbguard-devel includes are
|
||||
+# You might need this option when you want to package usbguard-notifier
|
||||
+# together with usbguard at the same time
|
||||
+AC_ARG_WITH(
|
||||
+ [usbguard-devel],
|
||||
+ AS_HELP_STRING([--with-usbguard-devel], [Select to compile notifier from source usbguard devel files(only top level directory)]),
|
||||
+ [usbguard_CFLAGS="-I$withval/src/Library/public/"
|
||||
+ usbguard_LIBS=""
|
||||
+ usbguard_LA="$withval/libusbguard.la"
|
||||
+ libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"
|
||||
+ AC_SUBST([usbguard_CFLAGS])
|
||||
+ AC_SUBST([usbguard_LIBS])
|
||||
+ AC_SUBST([usbguard_LA])
|
||||
+ custom_usbguard_devel_enabled=yes
|
||||
+ ],
|
||||
+ [
|
||||
+ PKG_CHECK_MODULES(
|
||||
+ [usbguard],
|
||||
+ [libusbguard >= 0.7.2],
|
||||
+ [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
|
||||
+ [AC_MSG_FAILURE([libusbguard development files not found])]
|
||||
+ )
|
||||
+ ]
|
||||
+)
|
||||
+
|
||||
# Build notifier-cli, default is yes
|
||||
AC_ARG_ENABLE([notifier-cli],
|
||||
[AC_HELP_STRING([--enable-notifier-cli], [enable notifier cli(default=yes)])],
|
||||
@@ -81,14 +107,6 @@ PKG_CHECK_MODULES(
|
||||
[AC_MSG_FAILURE([libnotify development files not found])]
|
||||
)
|
||||
|
||||
-# usbguard
|
||||
-PKG_CHECK_MODULES(
|
||||
- [usbguard],
|
||||
- [libusbguard >= 0.7.2],
|
||||
- [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
|
||||
- [AC_MSG_FAILURE([libusbguard development files not found])]
|
||||
-)
|
||||
-
|
||||
# asciidoc
|
||||
AC_CHECK_PROGS(A2X, [a2x])
|
||||
if test -z "$A2X"; then
|
||||
@@ -162,6 +180,7 @@ AC_SUBST(config_PATH, $prefix/.config)
|
||||
AC_SUBST(NOTIFICATION_PATH, $notification_path)
|
||||
|
||||
AM_CONDITIONAL([NOTIFIER_CLI_ENABLED], [test "x$notifier_cli_enabled" = xyes ])
|
||||
+AM_CONDITIONAL([CUSTOM_USBGUARD_DEVEL_ENABLED], [test "x$custom_usbguard_devel_enabled" = "xyes"])
|
||||
|
||||
AC_CONFIG_FILES([
|
||||
Makefile
|
||||
diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am
|
||||
--- ./usbguard-notifier-0.0.6/Makefile.am.notifier 2020-04-29 07:18:21.024388188 +0200
|
||||
+++ ./usbguard-notifier-0.0.6/Makefile.am 2020-06-17 16:27:53.592151848 +0200
|
||||
@@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \
|
||||
@usbguard_CFLAGS@ \
|
||||
-fPIC
|
||||
|
||||
+if CUSTOM_USBGUARD_DEVEL_ENABLED
|
||||
+usbguard_notifier_LDADD = \
|
||||
+ @usbguard_LA@
|
||||
+usbguard_notifier_cli_LDADD = \
|
||||
+ @usbguard_LA@
|
||||
+endif
|
||||
+
|
||||
BUILT_SOURCES = \
|
||||
src/BuildConfig.h
|
||||
|
||||
diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1
|
||||
--- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier 2020-06-17 19:55:54.621855004 +0200
|
||||
+++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 2020-06-17 19:56:46.551297432 +0200
|
||||
@@ -53,7 +53,7 @@ Show help\&.
|
||||
.RE
|
||||
.SH "SEE ALSO"
|
||||
.sp
|
||||
-usbguard\-notifier\-cli(1), usbguard(1)
|
||||
+usbguard(1)
|
||||
.SH "BUGS"
|
||||
.sp
|
||||
If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&.
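Review bot: The action-if-given branch of the new `AC_ARG_WITH([usbguard-devel], ...)` in configure.ac uses `$withval` unchecked, so `--without-usbguard-devel` (withval `no`) or a bare `--with-usbguard-devel` (withval `yes`) produces `-Ino/src/Library/public/` and `no/libusbguard.la` instead of a clear error. The same branch also skips the `libusbguard >= 0.7.2` version check that the pkg-config branch keeps, so the notifier is linked against whatever tree the path points at. A guard at the top of the branch would make the failure explicit, e.g. `AS_IF([test "x$withval" = xyes || test "x$withval" = xno], [AC_MSG_ERROR([--with-usbguard-devel needs the usbguard source directory])])`, followed by a `test -f "$withval/libusbguard.la"` check.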
|
|
@ -9,6 +9,23 @@
|
|||
#
|
||||
RuleFile=/etc/usbguard/rules.conf
|
||||
|
||||
#
|
||||
# Rule set folder path.
|
||||
#
|
||||
# The USBGuard daemon will use this folder to load the policy
|
||||
# rule set from it and to write new rules received via the
|
||||
# IPC interface. Usually, we set the option to
|
||||
# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to
|
||||
# behave like any other standard Linux daemon therefore it
|
||||
# loads rule files in alpha-numeric order. File names inside
|
||||
# RuleFolder directory should start with a two-digit number
|
||||
# prefix indicating the position, in which the rules are
|
||||
# scanned by the daemon.
|
||||
#
|
||||
# RuleFolder=/path/to/rulesfolder/
|
||||
#
|
||||
RuleFolder=/etc/usbguard/rules.d/
|
||||
|
||||
#
|
||||
# Implicit policy target.
|
||||
#
|
||||
|
@ -64,14 +81,30 @@ PresentControllerPolicy=keep
|
|||
#
|
||||
InsertedDevicePolicy=apply-policy
|
||||
|
||||
#
|
||||
# Control which devices are authorized by default.
|
||||
#
|
||||
# The USBGuard daemon modifies some the default authorization state attributes
|
||||
# of controller devices. This setting, enables you to define what value the
|
||||
# default authorization is set to.
|
||||
#
|
||||
# * keep - do not change the authorization state
|
||||
# * none - every new device starts out deauthorized
|
||||
# * all - every new device starts out authorized
|
||||
# * internal - internal devices start out authorized, external devices start
|
||||
# out deauthorized (this requires the ACPI tables to properly
|
||||
# label internal devices, and kernel support)
|
||||
#
|
||||
#AuthorizedDefault=none
|
||||
|
||||
#
|
||||
# Restore controller device state.
|
||||
#
|
||||
# The USBGuard daemon modifies some attributes of controller
|
||||
# devices like the default authorization state of new child device
|
||||
# instances. Using this setting, you can controll whether the
|
||||
# instances. Using this setting, you can control whether the
|
||||
# daemon will try to restore the attribute values to the state
|
||||
# before modificaton on shutdown.
|
||||
# before modification on shutdown.
|
||||
#
|
||||
# SECURITY CONSIDERATIONS: If set to true, the USB authorization
|
||||
# policy could be bypassed by performing some sort of attack on the
|
||||
|
@ -85,11 +118,11 @@ RestoreControllerDeviceState=false
|
|||
#
|
||||
# Which device manager backend implementation to use. One of:
|
||||
#
|
||||
# * uevent - Netlink based implementation which uses sysfs to scan for present
|
||||
# devices and an uevent netlink socket for receiving USB device
|
||||
# related events.
|
||||
# * dummy - A dummy device manager which simulates several devices and device
|
||||
# events. Useful for testing.
|
||||
# * uevent - Netlink based implementation which uses sysfs to scan for present
|
||||
# devices and an uevent netlink socket for receiving USB device
|
||||
# related events.
|
||||
# * umockdev - umockdev based device manager capable of simulating devices based
|
||||
# on umockdev-record files. Useful for testing.
|
||||
#
|
||||
DeviceManagerBackend=uevent
|
||||
|
||||
|
@ -171,3 +204,8 @@ AuditBackend=FileAudit
|
|||
#
|
||||
AuditFilePath=/var/log/usbguard/usbguard-audit.log
|
||||
|
||||
#
|
||||
# Hides personally identifiable information such as device serial numbers and
|
||||
# hashes of descriptors (which include the serial number) from audit entries.
|
||||
#
|
||||
#HidePII=false
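Review bot: `#AuthorizedDefault=none` and `#HidePII=false` are shipped commented out, and neither comment block says what the daemon does when the key is absent, so an administrator cannot tell from this file whether new devices start out authorized or whether serial numbers reach the audit log. Each block should state the built-in default, e.g. `# Default when unset: <built-in value>`, with the value taken from the daemon source rather than assumed from the commented line. The first sentence of the AuthorizedDefault block also reads "modifies some the default authorization state attributes"; "some of the" is presumably meant.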
|
||||
|
|
|
@ -0,0 +1,34 @@
|
|||
diff -up ./usbguard.service.in.forking ./usbguard.service.in
|
||||
--- ./usbguard.service.in.forking 2020-06-17 20:07:04.720564149 +0200
|
||||
+++ ./usbguard.service.in 2020-06-17 20:10:00.744063846 +0200
|
||||
@@ -8,11 +8,12 @@ AmbientCapabilities=
|
||||
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
|
||||
DeviceAllow=/dev/null rw
|
||||
DevicePolicy=strict
|
||||
-ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
|
||||
+ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
|
||||
IPAddressDeny=any
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
NoNewPrivileges=yes
|
||||
+PIDFile=/var/run/usbguard.pid
|
||||
PrivateDevices=yes
|
||||
PrivateTmp=yes
|
||||
ProtectControlGroups=yes
|
||||
@@ -20,14 +21,14 @@ ProtectHome=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectSystem=yes
|
||||
ReadOnlyPaths=-/
|
||||
-ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
|
||||
+ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -/var/run
|
||||
Restart=on-failure
|
||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=@system-service
|
||||
-Type=simple
|
||||
+Type=forking
|
||||
UMask=0077
|
||||
|
||||
[Install]
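Review bot: `ReadWritePaths=... -/var/run` makes the entire runtime directory writable to the daemon only so that it can create `usbguard.pid`, which gives back much of what `ReadOnlyPaths=-/` takes away in an otherwise tightly sandboxed unit. If the daemon's PID file location can be configured (not visible in this patch), a private runtime directory is narrower: `RuntimeDirectory=usbguard` with `PIDFile=/run/usbguard/usbguard.pid`, and no `/var/run` entry in `ReadWritePaths`. `/var/run` is also the legacy alias of `/run`, and systemd expects `PIDFile=` paths under `/run`.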
|
|
@ -0,0 +1,69 @@
|
|||
From 39fc4c24333c3bf42eba0855f3b75ccea99865a4 Mon Sep 17 00:00:00 2001
|
||||
From: Radovan Sroka <rsroka@redhat.com>
|
||||
Date: Tue, 21 Jul 2020 16:24:15 +0200
|
||||
Subject: [PATCH] Added permissions check also for IPC access files
|
||||
|
||||
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
|
||||
---
|
||||
src/Common/Utility.cpp | 2 +-
|
||||
src/Common/Utility.hpp | 2 +-
|
||||
src/Daemon/Daemon.cpp | 13 +++++++++----
|
||||
3 files changed, 11 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/Common/Utility.cpp b/src/Common/Utility.cpp
|
||||
index d9fc26a..8eb4bd7 100644
|
||||
--- a/src/Common/Utility.cpp
|
||||
+++ b/src/Common/Utility.cpp
|
||||
@@ -524,7 +524,7 @@ namespace usbguard
|
||||
std::string file_name;
|
||||
|
||||
if (!dir_fd) {
|
||||
- throw Exception("getConfigsFromDir", "opendir: " + path , strerror(errno));
|
||||
+ throw Exception("getConfigsFromDir", "opendir: " + path, strerror(errno));
|
||||
}
|
||||
|
||||
while ((dp = readdir(dir_fd)) != NULL) { // iterate over directory for file entries
|
||||
diff --git a/src/Common/Utility.hpp b/src/Common/Utility.hpp
|
||||
index df1afcd..4e90364 100644
|
||||
--- a/src/Common/Utility.hpp
|
||||
+++ b/src/Common/Utility.hpp
|
||||
@@ -192,7 +192,7 @@ namespace usbguard
|
||||
[](const std::pair<std::string, std::string>& a, const std::pair<std::string, std::string>& b) -> bool {
|
||||
return a.first < b.first;
|
||||
},
|
||||
- bool directory_required = false);
|
||||
+ bool directory_required = true);
|
||||
|
||||
/**
|
||||
* Remove prefix from string.
|
||||
diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp
|
||||
index acc148f..9e67a3a 100644
|
||||
--- a/src/Daemon/Daemon.cpp
|
||||
+++ b/src/Daemon/Daemon.cpp
|
||||
@@ -327,8 +327,13 @@ namespace usbguard
|
||||
|
||||
/* IPCAccessControlFiles */
|
||||
if (_config.hasSettingValue("IPCAccessControlFiles")) {
|
||||
- const std::string value = _config.getSettingValue("IPCAccessControlFiles");
|
||||
- loadIPCAccessControlFiles(value);
|
||||
+ const std::string ipc_dir = _config.getSettingValue("IPCAccessControlFiles");
|
||||
+
|
||||
+ if (check_permissions) {
|
||||
+ checkFolderPermissions(ipc_dir, (S_IRUSR | S_IWUSR));
|
||||
+ }
|
||||
+
|
||||
+ loadIPCAccessControlFiles(ipc_dir);
|
||||
}
|
||||
|
||||
/* AuditBackend */
|
||||
@@ -1030,8 +1035,8 @@ namespace usbguard
|
||||
|
||||
/* Generate a match rule for upsert */
|
||||
std::shared_ptr<Rule> match_rule = device->getDeviceRule(/*with-port=*/false,
|
||||
- /*with-parent-hash=*/false,
|
||||
- /*match_rule=*/true);
|
||||
+ /*with-parent-hash=*/false,
|
||||
+ /*match_rule=*/true);
|
||||
const std::string match_spec = match_rule->toString();
|
||||
USBGUARD_LOG(Debug) << "match_spec=" << match_spec;
|
||||
/* Generate new device rule */
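Review bot: In the Daemon.cpp hunk the new `checkFolderPermissions(ipc_dir, (S_IRUSR | S_IWUSR))` call is skipped whenever `check_permissions` is false and nothing is logged in that case, so a daemon started with checks disabled loads IPC access-control files from a directory of any mode without leaving a trace. A warning in an else branch would make that visible: `else { USBGUARD_LOG(Warning) << "IPCAccessControlFiles: permission check disabled"; }`. Whether `checkFolderPermissions` also verifies ownership and the files inside the directory is not visible in this patch and is worth confirming, since these files decide who may use the IPC interface. The Utility.hpp hunk flips the default of `directory_required` to `true` for every caller that omits the argument, not only this one. Both functions continue outside their hunks.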
|
|
@ -0,0 +1,48 @@
|
|||
diff -up ./doc/man/usbguard-daemon.conf.5.adoc.wired ./doc/man/usbguard-daemon.conf.5.adoc
|
||||
--- ./doc/man/usbguard-daemon.conf.5.adoc.wired 2020-08-05 16:12:15.064272832 +0200
|
||||
+++ ./doc/man/usbguard-daemon.conf.5.adoc 2020-08-05 16:14:04.146885179 +0200
|
||||
@@ -51,8 +51,7 @@ It may be overridden using the *-c* comm
|
||||
The USBGuard daemon modifies some of the default authorization state
|
||||
attributes of controller devices. This setting, enables you to define what
|
||||
value the default authorization is set to. Authorized default should be one
|
||||
- of `keep` (do not change autorization state), `wired` (new wired USB
|
||||
- devices start out authorized, wireless do not), `none` (every new device
|
||||
+ of `keep` (do not change autorization state), `none` (every new device
|
||||
starts out deauthorized), `all` (every new device starts out authorized) or
|
||||
`internal` (internal devices start out authorized, external do not).
|
||||
|
||||
diff -up ./src/Library/public/usbguard/DeviceManager.cpp.wired ./src/Library/public/usbguard/DeviceManager.cpp
|
||||
--- ./src/Library/public/usbguard/DeviceManager.cpp.wired 2019-11-16 18:32:45.220532059 +0100
|
||||
+++ ./src/Library/public/usbguard/DeviceManager.cpp 2020-08-05 16:12:15.064272832 +0200
|
||||
@@ -71,7 +71,6 @@ namespace usbguard
|
||||
|
||||
static const std::vector<std::pair<std::string, DeviceManager::AuthorizedDefaultType>> authorized_default_type_strings = {
|
||||
{ "keep", DeviceManager::AuthorizedDefaultType::Keep },
|
||||
- { "wired", DeviceManager::AuthorizedDefaultType::Wired },
|
||||
{ "none", DeviceManager::AuthorizedDefaultType::None },
|
||||
{ "all", DeviceManager::AuthorizedDefaultType::All },
|
||||
{ "internal", DeviceManager::AuthorizedDefaultType::Internal }
|
||||
diff -up ./src/Library/public/usbguard/DeviceManager.hpp.wired ./src/Library/public/usbguard/DeviceManager.hpp
|
||||
--- ./src/Library/public/usbguard/DeviceManager.hpp.wired 2020-05-14 13:45:48.183508037 +0200
|
||||
+++ ./src/Library/public/usbguard/DeviceManager.hpp 2020-08-05 16:12:15.064272832 +0200
|
||||
@@ -60,8 +60,6 @@ namespace usbguard
|
||||
*/
|
||||
enum class AuthorizedDefaultType {
|
||||
Keep = -128, /**< Do not change the authorization state. */
|
||||
- Wired = -1, /**< New wired USB devices start out authorized,
|
||||
- wireless USB devices do not. */
|
||||
None = 0, /**< Every new device starts out deauthorized. */
|
||||
All = 1, /**< Every new device starts out authorized. */
|
||||
Internal = 2, /**< Internal devices start out authorized,
|
||||
diff -up ./usbguard-daemon.conf.in.wired ./usbguard-daemon.conf.in
|
||||
--- ./usbguard-daemon.conf.in.wired 2020-05-20 13:56:50.809203248 +0200
|
||||
+++ ./usbguard-daemon.conf.in 2020-08-05 16:12:15.064272832 +0200
|
||||
@@ -91,8 +91,6 @@ InsertedDevicePolicy=apply-policy
|
||||
# default authorization is set to.
|
||||
#
|
||||
# * keep - do not change the authorization state
|
||||
-# * wired - new wired USB devices start out authorized, wireless USB
|
||||
-# devices do not
|
||||
# * none - every new device starts out deauthorized
|
||||
# * all - every new device starts out authorized
|
||||
# * internal - internal devices start out authorized, external devices start
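Review bot: Dropping `"wired"` from `authorized_default_type_strings` means an existing usbguard-daemon.conf that still says `AuthorizedDefault=wired` no longer maps to a value. How the lookup reacts to an unknown string is outside these hunks, so confirm that the daemon fails closed (refuses to start, or falls back to `none`) rather than to a permissive default. An upgrade hint in the config comment would help, e.g. `# 'wired' is no longer accepted; use 'none' or 'internal'`. The man-page hunk keeps the spelling `autorization`, which could be corrected in the same patch.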
|
|
@ -0,0 +1,13 @@
|
|||
diff -up ./src/Daemon/RuleSetFactory.cpp.orig ./src/Daemon/RuleSetFactory.cpp
|
||||
--- ./src/Daemon/RuleSetFactory.cpp.orig 2020-08-11 11:10:00.924479577 +0200
|
||||
+++ ./src/Daemon/RuleSetFactory.cpp 2020-08-11 11:12:56.447279841 +0200
|
||||
@@ -74,7 +74,8 @@ namespace usbguard
|
||||
ruleSet.push_back(rs);
|
||||
}
|
||||
}
|
||||
- else if (ns.getRulesPath().empty()){
|
||||
+
|
||||
+ if (ruleSet.empty()){
|
||||
USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible.";
|
||||
ruleSet = generateDefaultRuleSet();
|
||||
}
|
|
@ -0,0 +1,12 @@
|
|||
diff -up ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo ./usbguard-selinux-0.0.3/usbguard.te
|
||||
--- ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo 2020-06-18 15:53:40.161615146 +0200
|
||||
+++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-18 15:54:28.399982328 +0200
|
||||
@@ -77,6 +77,8 @@ auth_read_passwd(usbguard_t)
|
||||
dev_list_sysfs(usbguard_t)
|
||||
dev_rw_sysfs(usbguard_t)
|
||||
|
||||
+kernel_read_system_state(usbguard_t)
|
||||
+
|
||||
list_dirs_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
|
||||
read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
|
||||
dontaudit usbguard_t usbguard_conf_t:file write;
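Review bot: `kernel_read_system_state(usbguard_t)` is added without a comment saying which access it is for; the patch name suggests `/proc/cpuinfo`, but the interface grants read access to general system state under /proc, not only that file. A one-line comment above it, e.g. `# needed to read /proc/cpuinfo (<bug reference>)`, would let a later reviewer judge whether the grant can be narrowed or dropped.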
|
|
@ -0,0 +1,11 @@
|
|||
diff -up ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir ./usbguard-selinux-0.0.3/usbguard.te
|
||||
--- ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir 2020-06-09 10:53:03.191977241 +0200
|
||||
+++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-09 10:54:21.441965315 +0200
|
||||
@@ -81,6 +81,7 @@ list_dirs_pattern(usbguard_t,usbguard_co
|
||||
read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
|
||||
dontaudit usbguard_t usbguard_conf_t:file write;
|
||||
|
||||
+list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)
|
||||
read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)
|
||||
|
||||
manage_dirs_pattern(usbguard_t, usbguard_var_run_t, usbguard_var_run_t)
|
|
@ -0,0 +1,22 @@
|
|||
From 008af22f238bfb97f6d337759732ac87bdef7b24 Mon Sep 17 00:00:00 2001
|
||||
From: alakatos <alakatos@redhat.com>
|
||||
Date: Mon, 25 May 2020 15:27:38 +0200
|
||||
Subject: [PATCH] /etc/usrbuard/rules.d(/.*)? has usbguard_rules_t label right
|
||||
after the installation
|
||||
|
||||
---
|
||||
usbguard.fc | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/usbguard.fc b/usbguard.fc
|
||||
index bce3e8c..3e14720 100644
|
||||
--- a/usbguard-selinux-0.0.3/usbguard.fc
|
||||
+++ b/usbguard-selinux-0.0.3/usbguard.fc
|
||||
@@ -13,6 +13,7 @@
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
+/etc/usbguard/rules\.d(/.*)? gen_context(system_u:object_r:usbguard_rules_t,s0)
|
||||
/etc/usbguard/rules.conf -- gen_context(system_u:object_r:usbguard_rules_t,s0)
|
||||
/etc/usbguard(/.*)? gen_context(system_u:object_r:usbguard_conf_t,s0)
|
||||
/dev/shm/qb-usbguard-.* -- gen_context(system_u:object_r:usbguard_tmpfs_t,s0)
|
|
@ -0,0 +1,13 @@
|
|||
diff -up ./usbguard.service.in.service-fips ./usbguard.service.in
|
||||
--- ./usbguard.service.in.service-fips 2020-06-22 10:44:44.815860376 +0200
|
||||
+++ ./usbguard.service.in 2020-06-22 10:45:07.699135514 +0200
|
||||
@@ -6,8 +6,7 @@ Documentation=man:usbguard-daemon(8)
|
||||
[Service]
|
||||
AmbientCapabilities=
|
||||
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
|
||||
-DeviceAllow=/dev/null rw
|
||||
-DevicePolicy=strict
|
||||
+DevicePolicy=closed
|
||||
ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
|
||||
IPAddressDeny=any
|
||||
LockPersonality=yes
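Review bot: Replacing `DevicePolicy=strict` plus `DeviceAllow=/dev/null rw` with `DevicePolicy=closed` opens every standard pseudo device (`/dev/null`, `/dev/zero`, `/dev/full`, `/dev/random`, `/dev/urandom`) rather than only the ones the FIPS code path presumably needs. Keeping `strict` and listing the devices explicitly is tighter and documents the reason, e.g. `DeviceAllow=/dev/null rw` and `DeviceAllow=/dev/urandom r`. Which device the crypto library actually opens is not visible in this patch, so confirm it before choosing the list.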
|
|
@ -1,13 +1,14 @@
|
|||
%global _hardened_build 1
|
||||
|
||||
%define with_gui_qt5 0
|
||||
%define with_dbus 1
|
||||
%global selinuxtype targeted
|
||||
%global moduletype contrib
|
||||
%define semodule_version 0.0.3
|
||||
%define notifier_version 0.0.6
|
||||
|
||||
%bcond_without check
|
||||
|
||||
Name: usbguard
|
||||
Version: 0.7.4
|
||||
Release: 4%{?dist}
|
||||
Version: 0.7.8
|
||||
Release: 7%{?dist}
|
||||
Summary: A tool for implementing USB device usage policy
|
||||
Group: System Environment/Daemons
|
||||
License: GPLv2+
|
||||
|
@ -15,7 +16,9 @@ License: GPLv2+
|
|||
# src/ThirdParty/Catch: Boost Software License - Version 1.0
|
||||
URL: https://usbguard.github.io/
|
||||
Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
|
||||
Source1: usbguard-daemon.conf
|
||||
Source1: https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
|
||||
Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz
|
||||
Source3: usbguard-daemon.conf
|
||||
|
||||
Requires: systemd
|
||||
Requires(post): systemd
|
||||
|
@ -23,7 +26,9 @@ Requires(preun): systemd
|
|||
Requires(postun): systemd
|
||||
Requires(post): /sbin/ldconfig
|
||||
Requires(postun): /sbin/ldconfig
|
||||
Recommends: %{name}-selinux
|
||||
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: libqb-devel
|
||||
BuildRequires: libgcrypt-devel
|
||||
BuildRequires: libstdc++-devel
|
||||
|
@ -37,21 +42,24 @@ BuildRequires: audit-libs-devel
|
|||
# For `pkg-config systemd` only
|
||||
BuildRequires: systemd
|
||||
|
||||
%if 0%{with_gui_qt5}
|
||||
BuildRequires: qt5-qtbase-devel qt5-qtsvg-devel qt5-linguist
|
||||
%endif
|
||||
|
||||
%if 0%{with_dbus}
|
||||
BuildRequires: dbus-glib-devel
|
||||
BuildRequires: dbus-devel
|
||||
BuildRequires: glib2-devel
|
||||
BuildRequires: polkit-devel
|
||||
BuildRequires: libxslt
|
||||
BuildRequires: libxml2
|
||||
%endif
|
||||
|
||||
Patch0: usbguard-0.7.4-loadFilesError.patch
|
||||
Patch1: match-all.patch
|
||||
Patch1: usbguard-0.7.6-notifier.patch
|
||||
Patch2: usbguard-selinux-rules-d.patch
|
||||
Patch3: usbguard-selinux-list-dir.patch
|
||||
Patch4: usbguard-forking-style.patch
|
||||
Patch5: usbguard-selinux-cpuinfo.patch
|
||||
Patch6: usbguard-service-fips.patch
|
||||
|
||||
Patch7: usbguard-permission-check.patch
|
||||
Patch8: usbguard-removed-wired.patch
|
||||
Patch9: usbguard-rulesd.patch
|
||||
|
||||
|
||||
%description
|
||||
The USBGuard software framework helps to protect your computer against rogue USB
|
||||
|
@ -78,22 +86,6 @@ Requires: %{name} = %{version}-%{release}
|
|||
The %{name}-tools package contains optional tools from the USBGuard
|
||||
software framework.
|
||||
|
||||
%if 0%{with_gui_qt5}
|
||||
###
|
||||
%package applet-qt
|
||||
Summary: USBGuard Qt 5.x Applet
|
||||
Group: Applications/System
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Obsoletes: usbguard-applet-qt <= 0.3
|
||||
|
||||
%description applet-qt
|
||||
The %{name}-applet-qt package contains an optional Qt 5.x desktop applet
|
||||
for interacting with the USBGuard daemon component.
|
||||
###
|
||||
%endif
|
||||
|
||||
%if 0%{with_dbus}
|
||||
###
|
||||
%package dbus
|
||||
Summary: USBGuard D-Bus Service
|
||||
Group: Applications/System
|
||||
|
@ -104,17 +96,57 @@ Requires: polkit
|
|||
%description dbus
|
||||
The %{name}-dbus package contains an optional component that provides
|
||||
a D-Bus interface to the USBGuard daemon component.
|
||||
###
|
||||
%endif
|
||||
|
||||
%package selinux
|
||||
Summary: USBGuard selinux
|
||||
Group: Applications/System
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
BuildRequires: selinux-policy
|
||||
BuildRequires: selinux-policy-devel
|
||||
BuildArch: noarch
|
||||
%{?selinux_requires}
|
||||
|
||||
%description selinux
|
||||
The %{name}-selinux package contains selinux policy for the USBGuard
|
||||
daemon.
|
||||
|
||||
%package notifier
|
||||
Summary: A tool for detecting usbguard policy and device presence changes
|
||||
Group: Applications/System
|
||||
Requires: %{name} = %{version}-%{release}
|
||||
Requires: systemd
|
||||
BuildRequires: librsvg2-devel
|
||||
BuildRequires: libnotify-devel
|
||||
BuildRequires: execstack
|
||||
|
||||
%description notifier
|
||||
The %{name}-notifier package detects usbguard policy modifications as well as
|
||||
device presence changes and displays them as pop-up notifications.
|
||||
|
||||
# usbguard
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1 -b .loadFilesError
|
||||
%patch1 -p1 -b .matchallkeyword
|
||||
|
||||
# selinux
|
||||
%setup -q -D -T -a 1
|
||||
|
||||
# notifier
|
||||
%setup -q -D -T -a 2
|
||||
|
||||
# Remove bundled library sources before build
|
||||
rm -rf src/ThirdParty/{Catch,PEGTL}
|
||||
|
||||
%patch1 -p1 -b .notifier
|
||||
%patch2 -p1 -b .rules-d-selinux
|
||||
%patch3 -p1 -b .list-dir
|
||||
%patch4 -p1 -b .forking
|
||||
%patch5 -p1 -b .cpuinfo
|
||||
%patch6 -p1 -b .service-fips
|
||||
|
||||
%patch7 -p1 -b .perm
|
||||
%patch8 -p1 -b .wired
|
||||
%patch9 -p1 -b .rulesd
|
||||
|
||||
%build
|
||||
mkdir -p ./m4
|
||||
autoreconf -i -v --no-recursive ./
|
||||
|
@ -123,32 +155,62 @@ autoreconf -i -v --no-recursive ./
|
|||
--without-bundled-catch \
|
||||
--without-bundled-pegtl \
|
||||
--enable-systemd \
|
||||
%if 0%{with_gui_qt5}
|
||||
--with-gui-qt=qt5 \
|
||||
%endif
|
||||
%if 0%{with_dbus}
|
||||
--with-dbus \
|
||||
--with-polkit \
|
||||
%else
|
||||
--without-dbus \
|
||||
--without-polkit \
|
||||
%endif
|
||||
--with-crypto-library=gcrypt
|
||||
|
||||
make %{?_smp_mflags}
|
||||
|
||||
# selinux
|
||||
pushd %{name}-selinux-%{semodule_version}
|
||||
make
|
||||
popd
|
||||
|
||||
# notifier
|
||||
pushd %{name}-notifier-%{notifier_version}
|
||||
mkdir -p ./m4
|
||||
autoreconf -i -v --no-recursive ./
|
||||
export CXXFLAGS="$RPM_OPT_FLAGS"
|
||||
%configure \
|
||||
--disable-silent-rules \
|
||||
--without-bundled-catch \
|
||||
--enable-debug-build \
|
||||
--disable-notifier-cli \
|
||||
--with-usbguard-devel="../"
|
||||
|
||||
%set_build_flags
|
||||
make %{?_smp_mflags}
|
||||
popd
|
||||
|
||||
%if %{with check}
|
||||
%check
|
||||
make check
|
||||
%endif
|
||||
|
||||
# selinux
|
||||
%pre selinux
|
||||
%selinux_relabel_pre -s %{selinuxtype}
|
||||
|
||||
%install
|
||||
make install INSTALL='install -p' DESTDIR=%{buildroot}
|
||||
|
||||
# Overwrite configuration with distribution defaults
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/usbguard
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/usbguard/rules.d
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d
|
||||
install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
|
||||
install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
|
||||
|
||||
# selinux
|
||||
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
|
||||
install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
|
||||
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
|
||||
install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
|
||||
|
||||
# notifier
|
||||
pushd %{name}-notifier-%{notifier_version}
|
||||
make install INSTALL='install -p' DESTDIR=%{buildroot}
|
||||
#execstack -c %{buildroot}%{_bindir}/%{name}-notifier
|
||||
popd
|
||||
|
||||
# Cleanup
|
||||
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
|
||||
|
@ -173,6 +235,7 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
|
|||
%{_bindir}/usbguard
|
||||
%dir %{_localstatedir}/log/usbguard
|
||||
%dir %{_sysconfdir}/usbguard
|
||||
%dir %{_sysconfdir}/usbguard/rules.d/
|
||||
%dir %{_sysconfdir}/usbguard/IPCAccessControl.d
|
||||
%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf
|
||||
%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf
|
||||
|
@ -193,25 +256,13 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
|
|||
%defattr(-,root,root,-)
|
||||
%{_bindir}/usbguard-rule-parser
|
||||
|
||||
%if 0%{with_gui_qt5}
|
||||
###
|
||||
%files applet-qt
|
||||
%defattr(-,root,root,-)
|
||||
%{_bindir}/usbguard-applet-qt
|
||||
%{_mandir}/man1/usbguard-applet-qt.1.gz
|
||||
%{_datadir}/applications/usbguard-applet-qt.desktop
|
||||
%{_datadir}/icons/hicolor/scalable/apps/usbguard-icon.svg
|
||||
###
|
||||
%endif
|
||||
|
||||
%if 0%{with_dbus}
|
||||
###
|
||||
%files dbus
|
||||
%defattr(-,root,root,-)
|
||||
%{_sbindir}/usbguard-dbus
|
||||
%{_datadir}/dbus-1/system-services/org.usbguard.service
|
||||
%{_datadir}/dbus-1/system.d/org.usbguard.conf
|
||||
%{_datadir}/polkit-1/actions/org.usbguard.policy
|
||||
%{_datadir}/dbus-1/system-services/org.usbguard1.service
|
||||
%{_datadir}/dbus-1/system.d/org.usbguard1.conf
|
||||
%{_datadir}/polkit-1/actions/org.usbguard1.policy
|
||||
%{_unitdir}/usbguard-dbus.service
|
||||
%{_mandir}/man8/usbguard-dbus.8.gz
|
||||
|
||||
|
@ -223,10 +274,80 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
|
|||
|
||||
%postun dbus
|
||||
%systemd_postun_with_restart usbguard-dbus.service
|
||||
###
|
||||
%endif
|
||||
|
||||
%files selinux
|
||||
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
|
||||
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
|
||||
%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
|
||||
|
||||
%post selinux
|
||||
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
|
||||
|
||||
%postun selinux
|
||||
if [ $1 -eq 0 ]; then
|
||||
%selinux_modules_uninstall -s %{selinuxtype} %{name}
|
||||
fi
|
||||
|
||||
%posttrans selinux
|
||||
%selinux_relabel_post -s %{selinuxtype}
|
||||
|
||||
%files notifier
|
||||
%defattr(-,root,root,-)
|
||||
%doc %{name}-notifier-%{notifier_version}/README.md %{name}-notifier-%{notifier_version}/CHANGELOG.md
|
||||
%license %{name}-notifier-%{notifier_version}/LICENSE
|
||||
%{_bindir}/%{name}-notifier
|
||||
%{_mandir}/man1/%{name}-notifier.1.gz
|
||||
%{_userunitdir}/%{name}-notifier.service
|
||||
|
||||
%post notifier
|
||||
%systemd_user_post %{name}-notifier.service
|
||||
|
||||
%preun notifier
|
||||
%systemd_user_preun %{name}-notifier.service
|
||||
|
||||
%postun notifier
|
||||
%systemd_user_postun_with_restart %{name}-notifier.service
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Aug 11 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-7
|
||||
- Do not cause segfault in case of an empty rulesd folder
|
||||
Resolves: rhbz#1738590
|
||||
|
||||
* Wed Aug 05 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-6
|
||||
- RHEL 8.3.0 ERRATUM
|
||||
- Removed execstack from .spec
|
||||
- Removed AuthorizedDefault=wired from the usbguard
|
||||
Resolves: rhbz#1852539
|
||||
- Missing error message on bad configuration
|
||||
Resolves: rhbz#1857299
|
||||
- /etc/usbguard/usbguard-daemon.conf file does not contain all default options
|
||||
Resolves: rhbz#1862907
|
||||
|
||||
* Wed Jun 17 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-5
|
||||
- RHEL 8.3.0 ERRATUM
|
||||
- Use old-fasioned forking style in unit file
|
||||
Resolves: rhbz#1846885
|
||||
- Allow usbguard to read /proc/cpuinfo
|
||||
Resolves: rhbz#1847870
|
||||
- Removed notifier's Requires for usbguard-devel
|
||||
Resolves: rhbz#1667395
|
||||
- Allow usbguard to read /dev/urandom
|
||||
Resolves: rhbz#1848618
|
||||
|
||||
* Wed May 06 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-4
|
||||
- RHEL 8.3.0 ERRATUM
|
||||
- Spec file clean up
|
||||
- Rebase to 0.7.8
|
||||
Resolves: rhbz#1738590
|
||||
- Added selinux subpackage
|
||||
Resolves: rhbz#1683567
|
||||
- Added notifier subpackage
|
||||
- Installing /etc/usbguard/rules.d/
|
||||
Resolves: rhbz#1667395
|
||||
- Fixed sigwaitinfo handling
|
||||
Resolves: rhbz#1835210
|
||||
|
||||
* Mon Nov 25 2019 Marek Tamaskovic <mtamasko@redhat.com> - 0.7.4-4
|
||||
- add match-all keyword
|
||||
|
||||
|
|