import usbguard-0.7.8-7.el8

This commit is contained in:
CentOS Sources 2020-11-03 07:01:49 -05:00 committed by Andrew Lukoshko
parent 24d8a59329
commit 32df1fdeb9
15 changed files with 542 additions and 328 deletions

.gitignore vendored

@ -1 +1,3 @@
SOURCES/usbguard-0.7.4.tar.gz
SOURCES/usbguard-0.7.8.tar.gz
SOURCES/usbguard-notifier-0.0.6.tar.gz
SOURCES/usbguard-selinux-0.0.3.tar.gz


@ -1 +1,3 @@
803815ec31700468bb935ca9c18bd277bcc22237 SOURCES/usbguard-0.7.4.tar.gz
d8bbd3e9f4f0deb1418f71422e7fab3d14053412 SOURCES/usbguard-0.7.8.tar.gz
7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz


@ -1,242 +0,0 @@
diff --git a/doc/man/usbguard-rules.conf.5.adoc b/doc/man/usbguard-rules.conf.5.adoc
index 44f399c..c0f86f8 100644
--- a/doc/man/usbguard-rules.conf.5.adoc
+++ b/doc/man/usbguard-rules.conf.5.adoc
@@ -93,6 +93,9 @@ where the optional 'operator' is one of:
*equals-ordered*::
The device attribute set must contain exactly the same set of values in the same order for the rule to match.
+*match-all*::
+ The device attribute set must be a subset of the specified values for the rule to match.
+
If the operator is not specified it is set to *equals*.
[.underline]#List of attributes:#
diff --git a/src/Library/RuleParser/Grammar.hpp b/src/Library/RuleParser/Grammar.hpp
index 4d785c0..764380e 100644
--- a/src/Library/RuleParser/Grammar.hpp
+++ b/src/Library/RuleParser/Grammar.hpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Marek Tamaskovic <mtamasko@redhat.com>
//
#pragma once
#ifdef HAVE_BUILD_CONFIG_H
@@ -53,12 +54,13 @@ namespace usbguard
struct str_none_of : TAOCPP_PEGTL_STRING("none-of") {};
struct str_equals : TAOCPP_PEGTL_STRING("equals") {};
struct str_equals_ordered : TAOCPP_PEGTL_STRING("equals-ordered") {};
+ struct str_match_all: TAOCPP_PEGTL_STRING("match-all") {};
/*
* Generic rule attribute
*/
struct multiset_operator
- : sor<str_all_of, str_one_of, str_none_of, str_equals_ordered, str_equals> {};
+ : sor<str_all_of, str_one_of, str_none_of, str_equals_ordered, str_equals, str_match_all> {};
template<class attribute_value_rule>
struct attribute_value_multiset
diff --git a/src/Library/RulePrivate.cpp b/src/Library/RulePrivate.cpp
index 73140fa..6ceb12d 100644
--- a/src/Library/RulePrivate.cpp
+++ b/src/Library/RulePrivate.cpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Marek Tamaskovic <mtamasko@redhat.com>
//
#ifdef HAVE_BUILD_CONFIG_H
#include <build-config.h>
@@ -177,6 +178,7 @@ namespace usbguard
case Rule::SetOperator::AllOf:
case Rule::SetOperator::Equals:
case Rule::SetOperator::EqualsOrdered:
+ case Rule::SetOperator::MatchAll:
meets_conditions = \
(conditionsState() == ((((uint64_t)1) << _conditions.count()) - 1));
break;
diff --git a/src/Library/public/usbguard/Predicates.hpp b/src/Library/public/usbguard/Predicates.hpp
index 412517e..95ede3a 100644
--- a/src/Library/public/usbguard/Predicates.hpp
+++ b/src/Library/public/usbguard/Predicates.hpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Marek Tamaskovic <mtamasko@redhat.com>
//
#pragma once
@@ -35,6 +36,15 @@ namespace usbguard
USBGUARD_LOG(Trace) << "generic isSubsetOf";
return source == target;
}
+
+ template<typename T>
+ bool isSupersetOf(const T& source, const T& target)
+ {
+ USBGUARD_LOG(Error) << "Not implemented";
+ (void) source;
+ (void) target;
+ return true;
+ }
}
} /* namespace usbguard */
diff --git a/src/Library/public/usbguard/Rule.cpp b/src/Library/public/usbguard/Rule.cpp
index f7bb35a..fa97578 100644
--- a/src/Library/public/usbguard/Rule.cpp
+++ b/src/Library/public/usbguard/Rule.cpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Marek Tamaskovic <mtamasko@redhat.com>
//
#ifdef HAVE_BUILD_CONFIG_H
#include <build-config.h>
@@ -325,7 +326,8 @@ namespace usbguard
{ "none-of", Rule::SetOperator::NoneOf },
{ "equals", Rule::SetOperator::Equals },
{ "equals-ordered", Rule::SetOperator::EqualsOrdered },
- { "match", Rule::SetOperator::Match }
+ { "match", Rule::SetOperator::Match },
+ { "match-all", Rule::SetOperator::MatchAll}
};
const std::string Rule::setOperatorToString(const Rule::SetOperator& op)
diff --git a/src/Library/public/usbguard/Rule.hpp b/src/Library/public/usbguard/Rule.hpp
index 0ebfdaf..67a67f0 100644
--- a/src/Library/public/usbguard/Rule.hpp
+++ b/src/Library/public/usbguard/Rule.hpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Marek Tamaskovic <mtamasko@redhat.com>
//
#pragma once
@@ -77,7 +78,8 @@ namespace usbguard
NoneOf,
Equals,
EqualsOrdered,
- Match /* Special operator: matches anything, cannot be used directly in a rule */
+ Match, /* Special operator: matches anything, cannot be used directly in a rule */
+ MatchAll
};
static const std::string setOperatorToString(const Rule::SetOperator& op);
@@ -237,6 +239,10 @@ namespace usbguard
applies = setSolveEqualsOrdered(_values, target._values);
break;
+ case SetOperator::MatchAll:
+ applies = setSolveMatchAll(_values, target._values);
+ break;
+
default:
throw USBGUARD_BUG("Invalid set operator value");
}
@@ -409,6 +415,26 @@ namespace usbguard
return false;
}
+ /*
+ * All of the items in target set must match an item in the source set
+ */
+ bool setSolveMatchAll(const std::vector<ValueType>& source_set, const std::vector<ValueType>& target_set) const
+ {
+ USBGUARD_LOG(Trace);
+ size_t match = 0;
+
+ for (auto const& target_item : target_set) {
+ for (auto const& source_item : source_set) {
+ if (Predicates::isSupersetOf(source_item, target_item)) {
+ match++;
+ break;
+ }
+ }
+ }
+
+ return match == target_set.size();
+ }
+
std::string _name;
SetOperator _set_operator;
std::vector<ValueType> _values;
diff --git a/src/Library/public/usbguard/USB.cpp b/src/Library/public/usbguard/USB.cpp
index 281d1c9..54e5fb8 100644
--- a/src/Library/public/usbguard/USB.cpp
+++ b/src/Library/public/usbguard/USB.cpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Marek Tamaskovic <mtamasko@redhat.com>
//
#ifdef HAVE_BUILD_CONFIG_H
#include <build-config.h>
@@ -125,6 +126,15 @@ namespace usbguard
return result;
}
+ template<>
+ bool Predicates::isSupersetOf(const USBDeviceID& source, const USBDeviceID& target)
+ {
+ USBGUARD_LOG(Trace) << "source=" << source.toString() << " target=" << target.toString();
+ const bool result = target.isSubsetOf(source);
+ USBGUARD_LOG(Trace) << "result=" << result;
+ return result;
+ }
+
USBInterfaceType::USBInterfaceType()
{
_bClass = 0;
@@ -234,6 +244,12 @@ namespace usbguard
return source.appliesTo(target);
}
+ template<>
+ bool Predicates::isSupersetOf(const USBInterfaceType& source, const USBInterfaceType& target)
+ {
+ return source.appliesTo(target);
+ }
+
const std::string USBInterfaceType::typeString() const
{
return USBInterfaceType::typeString(_bClass, _bSubClass, _bProtocol, _mask);
diff --git a/src/Library/public/usbguard/USB.hpp b/src/Library/public/usbguard/USB.hpp
index 914d74b..f538aac 100644
--- a/src/Library/public/usbguard/USB.hpp
+++ b/src/Library/public/usbguard/USB.hpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Marek Tamaskovic <mtamasko@redhat.com>
//
#pragma once
@@ -169,6 +170,8 @@ namespace usbguard
{
template<>
bool isSubsetOf(const USBDeviceID& source, const USBDeviceID& target);
+ template<>
+ bool isSupersetOf(const USBDeviceID& source, const USBDeviceID& target);
}
class DLL_PUBLIC USBInterfaceType
@@ -202,6 +205,8 @@ namespace usbguard
{
template<>
bool isSubsetOf(const USBInterfaceType& source, const USBInterfaceType& target);
+ template<>
+ bool isSupersetOf(const USBInterfaceType& source, const USBInterfaceType& target);
}
class USBDescriptorParser;


@ -1,17 +0,0 @@
diff -up usbguard-0.7.4/src/Daemon/Daemon.cpp.loadFilesError usbguard-0.7.4/src/Daemon/Daemon.cpp
--- usbguard-0.7.4/src/Daemon/Daemon.cpp.loadFilesError 2018-07-10 14:25:41.580361063 +0200
+++ usbguard-0.7.4/src/Daemon/Daemon.cpp 2018-07-31 10:19:21.529000000 +0200
@@ -365,7 +365,12 @@ namespace usbguard
,
[this](const std::string& basename, const std::string& fullpath) {
return loadIPCAccessControlFile(basename, fullpath);
- });
+ },
+ [](const std::pair<std::string, std::string>& a, const std::pair<std::string, std::string>& b)
+ {
+ return a.first < b.first;
+ },
+ /*directory_required=*/true);
}
void Daemon::checkIPCAccessControlName(const std::string& name)


@ -0,0 +1,88 @@
diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac
--- ./usbguard-notifier-0.0.6/configure.ac.notifier 2020-04-29 07:35:43.057914703 +0200
+++ ./usbguard-notifier-0.0.6/configure.ac 2020-06-17 16:27:53.577151720 +0200
@@ -44,6 +44,32 @@ AC_ARG_WITH(
[notificaiton_path="/tmp/usbguard-notifier"]
)
+# usbguard-devel
+# Add the path to where your usbguard-devel includes are
+# You might need this option when you want to package usbguard-notifier
+# together with usbguard at the same time
+AC_ARG_WITH(
+ [usbguard-devel],
+ AS_HELP_STRING([--with-usbguard-devel], [Select to compile notifier from source usbguard devel files(only top level directory)]),
+ [usbguard_CFLAGS="-I$withval/src/Library/public/"
+ usbguard_LIBS=""
+ usbguard_LA="$withval/libusbguard.la"
+ libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"
+ AC_SUBST([usbguard_CFLAGS])
+ AC_SUBST([usbguard_LIBS])
+ AC_SUBST([usbguard_LA])
+ custom_usbguard_devel_enabled=yes
+ ],
+ [
+ PKG_CHECK_MODULES(
+ [usbguard],
+ [libusbguard >= 0.7.2],
+ [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
+ [AC_MSG_FAILURE([libusbguard development files not found])]
+ )
+ ]
+)
+
# Build notifier-cli, default is yes
AC_ARG_ENABLE([notifier-cli],
[AC_HELP_STRING([--enable-notifier-cli], [enable notifier cli(default=yes)])],
@@ -81,14 +107,6 @@ PKG_CHECK_MODULES(
[AC_MSG_FAILURE([libnotify development files not found])]
)
-# usbguard
-PKG_CHECK_MODULES(
- [usbguard],
- [libusbguard >= 0.7.2],
- [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
- [AC_MSG_FAILURE([libusbguard development files not found])]
-)
-
# asciidoc
AC_CHECK_PROGS(A2X, [a2x])
if test -z "$A2X"; then
@@ -162,6 +180,7 @@ AC_SUBST(config_PATH, $prefix/.config)
AC_SUBST(NOTIFICATION_PATH, $notification_path)
AM_CONDITIONAL([NOTIFIER_CLI_ENABLED], [test "x$notifier_cli_enabled" = xyes ])
+AM_CONDITIONAL([CUSTOM_USBGUARD_DEVEL_ENABLED], [test "x$custom_usbguard_devel_enabled" = "xyes"])
AC_CONFIG_FILES([
Makefile
diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am
--- ./usbguard-notifier-0.0.6/Makefile.am.notifier 2020-04-29 07:18:21.024388188 +0200
+++ ./usbguard-notifier-0.0.6/Makefile.am 2020-06-17 16:27:53.592151848 +0200
@@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \
@usbguard_CFLAGS@ \
-fPIC
+if CUSTOM_USBGUARD_DEVEL_ENABLED
+usbguard_notifier_LDADD = \
+ @usbguard_LA@
+usbguard_notifier_cli_LDADD = \
+ @usbguard_LA@
+endif
+
BUILT_SOURCES = \
src/BuildConfig.h
diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1
--- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier 2020-06-17 19:55:54.621855004 +0200
+++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 2020-06-17 19:56:46.551297432 +0200
@@ -53,7 +53,7 @@ Show help\&.
.RE
.SH "SEE ALSO"
.sp
-usbguard\-notifier\-cli(1), usbguard(1)
+usbguard(1)
.SH "BUGS"
.sp
If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&.
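Review bot: The `--with-usbguard-devel` branch of the new `AC_ARG_WITH` in configure.ac skips the `libusbguard >= 0.7.2` minimum-version check that the pkg-config branch still performs, so an in-tree build gets no guard against pointing at an older usbguard source tree. If that is deliberate, state it in the comment block above the option, e.g. `# No version check is done in this mode; the given tree must provide a libusbguard API >= 0.7.2`. In the Makefile.am hunk `usbguard_notifier_LDADD` is assigned inside `if CUSTOM_USBGUARD_DEVEL_ENABLED`; whether an unconditional assignment of the same variable already exists higher up (which automake may reject as multiply defined) is outside the hunk and worth checking, and `usbguard_notifier_cli_LDADD` is set even though the spec builds with `--disable-notifier-cli`.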


@ -9,6 +9,23 @@
#
RuleFile=/etc/usbguard/rules.conf
#
# Rule set folder path.
#
# The USBGuard daemon will use this folder to load the policy
# rule set from it and to write new rules received via the
# IPC interface. Usually, we set the option to
# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to
# behave like any other standard Linux daemon therefore it
# loads rule files in alpha-numeric order. File names inside
# RuleFolder directory should start with a two-digit number
# prefix indicating the position, in which the rules are
# scanned by the daemon.
#
# RuleFolder=/path/to/rulesfolder/
#
RuleFolder=/etc/usbguard/rules.d/
#
# Implicit policy target.
#
@ -64,14 +81,30 @@ PresentControllerPolicy=keep
#
InsertedDevicePolicy=apply-policy
#
# Control which devices are authorized by default.
#
# The USBGuard daemon modifies some the default authorization state attributes
# of controller devices. This setting, enables you to define what value the
# default authorization is set to.
#
# * keep - do not change the authorization state
# * none - every new device starts out deauthorized
# * all - every new device starts out authorized
# * internal - internal devices start out authorized, external devices start
# out deauthorized (this requires the ACPI tables to properly
# label internal devices, and kernel support)
#
#AuthorizedDefault=none
#
# Restore controller device state.
#
# The USBGuard daemon modifies some attributes of controller
# devices like the default authorization state of new child device
# instances. Using this setting, you can controll whether the
# instances. Using this setting, you can control whether the
# daemon will try to restore the attribute values to the state
# before modificaton on shutdown.
# before modification on shutdown.
#
# SECURITY CONSIDERATIONS: If set to true, the USB authorization
# policy could be bypassed by performing some sort of attack on the
@ -85,11 +118,11 @@ RestoreControllerDeviceState=false
#
# Which device manager backend implementation to use. One of:
#
# * uevent - Netlink based implementation which uses sysfs to scan for present
# devices and an uevent netlink socket for receiving USB device
# related events.
# * dummy - A dummy device manager which simulates several devices and device
# events. Useful for testing.
# * uevent - Netlink based implementation which uses sysfs to scan for present
# devices and an uevent netlink socket for receiving USB device
# related events.
# * umockdev - umockdev based device manager capable of simulating devices based
# on umockdev-record files. Useful for testing.
#
DeviceManagerBackend=uevent
@ -171,3 +204,8 @@ AuditBackend=FileAudit
#
AuditFilePath=/var/log/usbguard/usbguard-audit.log
#
# Hides personally identifiable information such as device serial numbers and
# hashes of descriptors (which include the serial number) from audit entries.
#
#HidePII=false


@ -0,0 +1,34 @@
diff -up ./usbguard.service.in.forking ./usbguard.service.in
--- ./usbguard.service.in.forking 2020-06-17 20:07:04.720564149 +0200
+++ ./usbguard.service.in 2020-06-17 20:10:00.744063846 +0200
@@ -8,11 +8,12 @@ AmbientCapabilities=
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
DeviceAllow=/dev/null rw
DevicePolicy=strict
-ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
+PIDFile=/var/run/usbguard.pid
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
@@ -20,14 +21,14 @@ ProtectHome=yes
ProtectKernelModules=yes
ProtectSystem=yes
ReadOnlyPaths=-/
-ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
+ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -/var/run
Restart=on-failure
RestrictAddressFamilies=AF_UNIX AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
-Type=simple
+Type=forking
UMask=0077
[Install]
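Review bot: The new `ReadWritePaths=... -/var/run` makes the whole runtime directory writable for the daemon only so that it can drop `/var/run/usbguard.pid`, which loosens the sandbox more than the `Type=forking` switch requires. `RuntimeDirectory=usbguard` together with `PIDFile=/run/usbguard/usbguard.pid` would confine the write access to one directory that systemd creates and removes with the unit, and would also drop the legacy `/var/run` prefix that systemd warns about in `PIDFile=`. The `ExecStart` line passes no PID-file path, so the location presumably comes from a daemon default; it would have to be passed explicitly for the narrower path to work.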


@ -0,0 +1,69 @@
From 39fc4c24333c3bf42eba0855f3b75ccea99865a4 Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Tue, 21 Jul 2020 16:24:15 +0200
Subject: [PATCH] Added permissions check also for IPC access files
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
src/Common/Utility.cpp | 2 +-
src/Common/Utility.hpp | 2 +-
src/Daemon/Daemon.cpp | 13 +++++++++----
3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/Common/Utility.cpp b/src/Common/Utility.cpp
index d9fc26a..8eb4bd7 100644
--- a/src/Common/Utility.cpp
+++ b/src/Common/Utility.cpp
@@ -524,7 +524,7 @@ namespace usbguard
std::string file_name;
if (!dir_fd) {
- throw Exception("getConfigsFromDir", "opendir: " + path , strerror(errno));
+ throw Exception("getConfigsFromDir", "opendir: " + path, strerror(errno));
}
while ((dp = readdir(dir_fd)) != NULL) { // iterate over directory for file entries
diff --git a/src/Common/Utility.hpp b/src/Common/Utility.hpp
index df1afcd..4e90364 100644
--- a/src/Common/Utility.hpp
+++ b/src/Common/Utility.hpp
@@ -192,7 +192,7 @@ namespace usbguard
[](const std::pair<std::string, std::string>& a, const std::pair<std::string, std::string>& b) -> bool {
return a.first < b.first;
},
- bool directory_required = false);
+ bool directory_required = true);
/**
* Remove prefix from string.
diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp
index acc148f..9e67a3a 100644
--- a/src/Daemon/Daemon.cpp
+++ b/src/Daemon/Daemon.cpp
@@ -327,8 +327,13 @@ namespace usbguard
/* IPCAccessControlFiles */
if (_config.hasSettingValue("IPCAccessControlFiles")) {
- const std::string value = _config.getSettingValue("IPCAccessControlFiles");
- loadIPCAccessControlFiles(value);
+ const std::string ipc_dir = _config.getSettingValue("IPCAccessControlFiles");
+
+ if (check_permissions) {
+ checkFolderPermissions(ipc_dir, (S_IRUSR | S_IWUSR));
+ }
+
+ loadIPCAccessControlFiles(ipc_dir);
}
/* AuditBackend */
@@ -1030,8 +1035,8 @@ namespace usbguard
/* Generate a match rule for upsert */
std::shared_ptr<Rule> match_rule = device->getDeviceRule(/*with-port=*/false,
- /*with-parent-hash=*/false,
- /*match_rule=*/true);
+ /*with-parent-hash=*/false,
+ /*match_rule=*/true);
const std::string match_spec = match_rule->toString();
USBGUARD_LOG(Debug) << "match_spec=" << match_spec;
/* Generate new device rule */
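Review bot: In the Daemon.cpp hunk the IPC directory is checked with `checkFolderPermissions(ipc_dir, (S_IRUSR | S_IWUSR))`, a mode without the owner search bit, so the outcome depends on whether checkFolderPermissions treats its argument as an upper bound on the group/other bits or as an exact mode; if the latter, a conventional 0700 directory would be rejected, and the check is skipped altogether when `check_permissions` is false, whose default is outside this hunk. A comment stating the intended semantics would help, e.g. `/* IPC access-control dir must not be group/world accessible */`. The Utility.hpp hunk also flips the `directory_required` default from false to true for every caller of that function, not only the IPC path, which is a wider behaviour change than the patch subject states and deserves a sentence in the patch description. The enclosing functions begin and end outside these hunks.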


@ -0,0 +1,48 @@
diff -up ./doc/man/usbguard-daemon.conf.5.adoc.wired ./doc/man/usbguard-daemon.conf.5.adoc
--- ./doc/man/usbguard-daemon.conf.5.adoc.wired 2020-08-05 16:12:15.064272832 +0200
+++ ./doc/man/usbguard-daemon.conf.5.adoc 2020-08-05 16:14:04.146885179 +0200
@@ -51,8 +51,7 @@ It may be overridden using the *-c* comm
The USBGuard daemon modifies some of the default authorization state
attributes of controller devices. This setting, enables you to define what
value the default authorization is set to. Authorized default should be one
- of `keep` (do not change autorization state), `wired` (new wired USB
- devices start out authorized, wireless do not), `none` (every new device
+ of `keep` (do not change autorization state), `none` (every new device
starts out deauthorized), `all` (every new device starts out authorized) or
`internal` (internal devices start out authorized, external do not).
diff -up ./src/Library/public/usbguard/DeviceManager.cpp.wired ./src/Library/public/usbguard/DeviceManager.cpp
--- ./src/Library/public/usbguard/DeviceManager.cpp.wired 2019-11-16 18:32:45.220532059 +0100
+++ ./src/Library/public/usbguard/DeviceManager.cpp 2020-08-05 16:12:15.064272832 +0200
@@ -71,7 +71,6 @@ namespace usbguard
static const std::vector<std::pair<std::string, DeviceManager::AuthorizedDefaultType>> authorized_default_type_strings = {
{ "keep", DeviceManager::AuthorizedDefaultType::Keep },
- { "wired", DeviceManager::AuthorizedDefaultType::Wired },
{ "none", DeviceManager::AuthorizedDefaultType::None },
{ "all", DeviceManager::AuthorizedDefaultType::All },
{ "internal", DeviceManager::AuthorizedDefaultType::Internal }
diff -up ./src/Library/public/usbguard/DeviceManager.hpp.wired ./src/Library/public/usbguard/DeviceManager.hpp
--- ./src/Library/public/usbguard/DeviceManager.hpp.wired 2020-05-14 13:45:48.183508037 +0200
+++ ./src/Library/public/usbguard/DeviceManager.hpp 2020-08-05 16:12:15.064272832 +0200
@@ -60,8 +60,6 @@ namespace usbguard
*/
enum class AuthorizedDefaultType {
Keep = -128, /**< Do not change the authorization state. */
- Wired = -1, /**< New wired USB devices start out authorized,
- wireless USB devices do not. */
None = 0, /**< Every new device starts out deauthorized. */
All = 1, /**< Every new device starts out authorized. */
Internal = 2, /**< Internal devices start out authorized,
diff -up ./usbguard-daemon.conf.in.wired ./usbguard-daemon.conf.in
--- ./usbguard-daemon.conf.in.wired 2020-05-20 13:56:50.809203248 +0200
+++ ./usbguard-daemon.conf.in 2020-08-05 16:12:15.064272832 +0200
@@ -91,8 +91,6 @@ InsertedDevicePolicy=apply-policy
# default authorization is set to.
#
# * keep - do not change the authorization state
-# * wired - new wired USB devices start out authorized, wireless USB
-# devices do not
# * none - every new device starts out deauthorized
# * all - every new device starts out authorized
# * internal - internal devices start out authorized, external devices start
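Review bot: Removing the `Wired` enumerator from `AuthorizedDefaultType` in DeviceManager.hpp, a header under src/Library/public/, is a source-incompatible change for any out-of-tree consumer that names it, although the remaining enumerators keep their explicit values so their numeric encoding is unchanged. With `wired` gone from the string table in DeviceManager.cpp, a configuration still carrying `AuthorizedDefault=wired` presumably fails to parse instead of being silently remapped, which is the safer outcome; what the lookup does on a miss is outside this hunk, and noting the behaviour in the patch header would save the next reader a search. The adoc hunk also retains the typo `autorization` on its new line.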


@ -0,0 +1,13 @@
diff -up ./src/Daemon/RuleSetFactory.cpp.orig ./src/Daemon/RuleSetFactory.cpp
--- ./src/Daemon/RuleSetFactory.cpp.orig 2020-08-11 11:10:00.924479577 +0200
+++ ./src/Daemon/RuleSetFactory.cpp 2020-08-11 11:12:56.447279841 +0200
@@ -74,7 +74,8 @@ namespace usbguard
ruleSet.push_back(rs);
}
}
- else if (ns.getRulesPath().empty()){
+
+ if (ruleSet.empty()){
USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible.";
ruleSet = generateDefaultRuleSet();
}
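Review bot: The new `if (ruleSet.empty())` fallback now fires whenever nothing was loaded, not only when no RuleFile was configured, so the retained message `RuleFile not set; Modification of the permanent policy won't be possible.` can be misleading, for instance when a RuleFolder exists but holds no files, the case the changelog names. Reword it to cover both paths, e.g. `USBGUARD_LOG(Warning) << "No rule set loaded (RuleFile not set or RuleFolder empty); Modification of the permanent policy won't be possible.";`. What `generateDefaultRuleSet()` produces, and hence which policy is enforced when the configured sources are empty, is outside this hunk and deserves a comment at the call site. The enclosing function starts and ends outside the hunk.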


@ -0,0 +1,12 @@
diff -up ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo ./usbguard-selinux-0.0.3/usbguard.te
--- ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo 2020-06-18 15:53:40.161615146 +0200
+++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-18 15:54:28.399982328 +0200
@@ -77,6 +77,8 @@ auth_read_passwd(usbguard_t)
dev_list_sysfs(usbguard_t)
dev_rw_sysfs(usbguard_t)
+kernel_read_system_state(usbguard_t)
+
list_dirs_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
dontaudit usbguard_t usbguard_conf_t:file write;
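Review bot: `kernel_read_system_state(usbguard_t)` grants read access to everything labelled `proc_t`, considerably more than the `/proc/cpuinfo` read the changelog gives as the reason (rhbz#1847870), although since cpuinfo carries the generic proc_t label there is no narrower refpolicy interface I am aware of. Record the motivation next to the rule so the grant is not widened further by accident, e.g. `# needed for /proc/cpuinfo (generic proc_t label); rhbz#1847870`.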


@ -0,0 +1,11 @@
diff -up ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir ./usbguard-selinux-0.0.3/usbguard.te
--- ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir 2020-06-09 10:53:03.191977241 +0200
+++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-09 10:54:21.441965315 +0200
@@ -81,6 +81,7 @@ list_dirs_pattern(usbguard_t,usbguard_co
read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
dontaudit usbguard_t usbguard_conf_t:file write;
+list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)
read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)
manage_dirs_pattern(usbguard_t, usbguard_var_run_t, usbguard_var_run_t)
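Review bot: The added `list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)` gives the daemon search and list on the rules directory, but the file read it needs still comes from the existing line below, `read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)`, which pairs `usbguard_rules_t` files with a `usbguard_conf_t` parent. That works because file permissions are keyed on the file's own type, but the pairing no longer reflects a `rules.d` directory labelled `usbguard_rules_t`; adding `read_files_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)` would state the intent directly. A short comment naming rules.d as the reason would help the next policy reader.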


@ -0,0 +1,22 @@
From 008af22f238bfb97f6d337759732ac87bdef7b24 Mon Sep 17 00:00:00 2001
From: alakatos <alakatos@redhat.com>
Date: Mon, 25 May 2020 15:27:38 +0200
Subject: [PATCH] /etc/usrbuard/rules.d(/.*)? has usbguard_rules_t label right
after the installation
---
usbguard.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/usbguard.fc b/usbguard.fc
index bce3e8c..3e14720 100644
--- a/usbguard-selinux-0.0.3/usbguard.fc
+++ b/usbguard-selinux-0.0.3/usbguard.fc
@@ -13,6 +13,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+/etc/usbguard/rules\.d(/.*)? gen_context(system_u:object_r:usbguard_rules_t,s0)
/etc/usbguard/rules.conf -- gen_context(system_u:object_r:usbguard_rules_t,s0)
/etc/usbguard(/.*)? gen_context(system_u:object_r:usbguard_conf_t,s0)
/dev/shm/qb-usbguard-.* -- gen_context(system_u:object_r:usbguard_tmpfs_t,s0)
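Review bot: The `---`/`+++` lines of this patch were hand-edited to carry the `usbguard-selinux-0.0.3/` prefix while the `diff --git a/usbguard.fc b/usbguard.fc` and `index` lines were not, so the headers disagree about the path; `patch -p1` follows the `---`/`+++` lines and applies, but tools that honour the `diff --git` header may resolve a different file. Either regenerate the patch from the prefixed tree or drop the stale git header lines. The new entry correctly escapes the dot in `rules\.d`, whereas the neighbouring `rules.conf` line, untouched here, still uses an unescaped `.`, which is worth a follow-up. The subject line also misspells the path as `/etc/usrbuard/`.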


@ -0,0 +1,13 @@
diff -up ./usbguard.service.in.service-fips ./usbguard.service.in
--- ./usbguard.service.in.service-fips 2020-06-22 10:44:44.815860376 +0200
+++ ./usbguard.service.in 2020-06-22 10:45:07.699135514 +0200
@@ -6,8 +6,7 @@ Documentation=man:usbguard-daemon(8)
[Service]
AmbientCapabilities=
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
-DeviceAllow=/dev/null rw
-DevicePolicy=strict
+DevicePolicy=closed
ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
IPAddressDeny=any
LockPersonality=yes
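Review bot: Replacing `DevicePolicy=strict` plus `DeviceAllow=/dev/null rw` with `DevicePolicy=closed` implicitly allows `/dev/null`, `/dev/zero`, `/dev/full`, `/dev/random`, `/dev/urandom` and the pty devices, and nothing in the unit records why; the changelog ties the change to reading `/dev/urandom` (rhbz#1848618), presumably for the crypto backend the spec selects with `--with-crypto-library=gcrypt`. Keeping the allow-list explicit retains `strict` and grants only the node that is needed, e.g. `# urandom is needed by the crypto backend (rhbz#1848618)` above `DeviceAllow=/dev/null rw` and `DeviceAllow=/dev/urandom r`. If the backend also opens `/dev/random` in FIPS mode, add that node the same way rather than falling back to `closed`.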


@ -1,13 +1,14 @@
%global _hardened_build 1
%define with_gui_qt5 0
%define with_dbus 1
%global selinuxtype targeted
%global moduletype contrib
%define semodule_version 0.0.3
%define notifier_version 0.0.6
%bcond_without check
Name: usbguard
Version: 0.7.4
Release: 4%{?dist}
Version: 0.7.8
Release: 7%{?dist}
Summary: A tool for implementing USB device usage policy
Group: System Environment/Daemons
License: GPLv2+
@ -15,7 +16,9 @@ License: GPLv2+
# src/ThirdParty/Catch: Boost Software License - Version 1.0
URL: https://usbguard.github.io/
Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
Source1: usbguard-daemon.conf
Source1: https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz
Source3: usbguard-daemon.conf
Requires: systemd
Requires(post): systemd
@ -23,7 +26,9 @@ Requires(preun): systemd
Requires(postun): systemd
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
Recommends: %{name}-selinux
BuildRequires: gcc-c++
BuildRequires: libqb-devel
BuildRequires: libgcrypt-devel
BuildRequires: libstdc++-devel
@ -37,21 +42,24 @@ BuildRequires: audit-libs-devel
# For `pkg-config systemd` only
BuildRequires: systemd
%if 0%{with_gui_qt5}
BuildRequires: qt5-qtbase-devel qt5-qtsvg-devel qt5-linguist
%endif
%if 0%{with_dbus}
BuildRequires: dbus-glib-devel
BuildRequires: dbus-devel
BuildRequires: glib2-devel
BuildRequires: polkit-devel
BuildRequires: libxslt
BuildRequires: libxml2
%endif
Patch0: usbguard-0.7.4-loadFilesError.patch
Patch1: match-all.patch
Patch1: usbguard-0.7.6-notifier.patch
Patch2: usbguard-selinux-rules-d.patch
Patch3: usbguard-selinux-list-dir.patch
Patch4: usbguard-forking-style.patch
Patch5: usbguard-selinux-cpuinfo.patch
Patch6: usbguard-service-fips.patch
Patch7: usbguard-permission-check.patch
Patch8: usbguard-removed-wired.patch
Patch9: usbguard-rulesd.patch
%description
The USBGuard software framework helps to protect your computer against rogue USB
@ -78,22 +86,6 @@ Requires: %{name} = %{version}-%{release}
The %{name}-tools package contains optional tools from the USBGuard
software framework.
%if 0%{with_gui_qt5}
###
%package applet-qt
Summary: USBGuard Qt 5.x Applet
Group: Applications/System
Requires: %{name} = %{version}-%{release}
Obsoletes: usbguard-applet-qt <= 0.3
%description applet-qt
The %{name}-applet-qt package contains an optional Qt 5.x desktop applet
for interacting with the USBGuard daemon component.
###
%endif
%if 0%{with_dbus}
###
%package dbus
Summary: USBGuard D-Bus Service
Group: Applications/System
@ -104,17 +96,57 @@ Requires: polkit
%description dbus
The %{name}-dbus package contains an optional component that provides
a D-Bus interface to the USBGuard daemon component.
###
%endif
%package selinux
Summary: USBGuard selinux
Group: Applications/System
Requires: %{name} = %{version}-%{release}
BuildRequires: selinux-policy
BuildRequires: selinux-policy-devel
BuildArch: noarch
%{?selinux_requires}
%description selinux
The %{name}-selinux package contains selinux policy for the USBGuard
daemon.
%package notifier
Summary: A tool for detecting usbguard policy and device presence changes
Group: Applications/System
Requires: %{name} = %{version}-%{release}
Requires: systemd
BuildRequires: librsvg2-devel
BuildRequires: libnotify-devel
BuildRequires: execstack
%description notifier
The %{name}-notifier package detects usbguard policy modifications as well as
device presence changes and displays them as pop-up notifications.
# usbguard
%prep
%setup -q
%patch0 -p1 -b .loadFilesError
%patch1 -p1 -b .matchallkeyword
# selinux
%setup -q -D -T -a 1
# notifier
%setup -q -D -T -a 2
# Remove bundled library sources before build
rm -rf src/ThirdParty/{Catch,PEGTL}
%patch1 -p1 -b .notifier
%patch2 -p1 -b .rules-d-selinux
%patch3 -p1 -b .list-dir
%patch4 -p1 -b .forking
%patch5 -p1 -b .cpuinfo
%patch6 -p1 -b .service-fips
%patch7 -p1 -b .perm
%patch8 -p1 -b .wired
%patch9 -p1 -b .rulesd
%build
mkdir -p ./m4
autoreconf -i -v --no-recursive ./
@ -123,32 +155,62 @@ autoreconf -i -v --no-recursive ./
--without-bundled-catch \
--without-bundled-pegtl \
--enable-systemd \
%if 0%{with_gui_qt5}
--with-gui-qt=qt5 \
%endif
%if 0%{with_dbus}
--with-dbus \
--with-polkit \
%else
--without-dbus \
--without-polkit \
%endif
--with-crypto-library=gcrypt
make %{?_smp_mflags}
# selinux
pushd %{name}-selinux-%{semodule_version}
make
popd
# notifier
pushd %{name}-notifier-%{notifier_version}
mkdir -p ./m4
autoreconf -i -v --no-recursive ./
export CXXFLAGS="$RPM_OPT_FLAGS"
%configure \
--disable-silent-rules \
--without-bundled-catch \
--enable-debug-build \
--disable-notifier-cli \
--with-usbguard-devel="../"
%set_build_flags
make %{?_smp_mflags}
popd
%if %{with check}
%check
make check
%endif
# selinux
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%install
make install INSTALL='install -p' DESTDIR=%{buildroot}
# Overwrite configuration with distribution defaults
mkdir -p %{buildroot}%{_sysconfdir}/usbguard
mkdir -p %{buildroot}%{_sysconfdir}/usbguard/rules.d
mkdir -p %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d
install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
# selinux
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
# notifier
pushd %{name}-notifier-%{notifier_version}
make install INSTALL='install -p' DESTDIR=%{buildroot}
#execstack -c %{buildroot}%{_bindir}/%{name}-notifier
popd
# Cleanup
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
@ -173,6 +235,7 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%{_bindir}/usbguard
%dir %{_localstatedir}/log/usbguard
%dir %{_sysconfdir}/usbguard
%dir %{_sysconfdir}/usbguard/rules.d/
%dir %{_sysconfdir}/usbguard/IPCAccessControl.d
%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf
%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf
@ -193,25 +256,13 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%defattr(-,root,root,-)
%{_bindir}/usbguard-rule-parser
%if 0%{with_gui_qt5}
###
%files applet-qt
%defattr(-,root,root,-)
%{_bindir}/usbguard-applet-qt
%{_mandir}/man1/usbguard-applet-qt.1.gz
%{_datadir}/applications/usbguard-applet-qt.desktop
%{_datadir}/icons/hicolor/scalable/apps/usbguard-icon.svg
###
%endif
%if 0%{with_dbus}
###
%files dbus
%defattr(-,root,root,-)
%{_sbindir}/usbguard-dbus
%{_datadir}/dbus-1/system-services/org.usbguard.service
%{_datadir}/dbus-1/system.d/org.usbguard.conf
%{_datadir}/polkit-1/actions/org.usbguard.policy
%{_datadir}/dbus-1/system-services/org.usbguard1.service
%{_datadir}/dbus-1/system.d/org.usbguard1.conf
%{_datadir}/polkit-1/actions/org.usbguard1.policy
%{_unitdir}/usbguard-dbus.service
%{_mandir}/man8/usbguard-dbus.8.gz
@ -223,10 +274,80 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%postun dbus
%systemd_postun_with_restart usbguard-dbus.service
###
%endif
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{name}
fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
%files notifier
%defattr(-,root,root,-)
%doc %{name}-notifier-%{notifier_version}/README.md %{name}-notifier-%{notifier_version}/CHANGELOG.md
%license %{name}-notifier-%{notifier_version}/LICENSE
%{_bindir}/%{name}-notifier
%{_mandir}/man1/%{name}-notifier.1.gz
%{_userunitdir}/%{name}-notifier.service
%post notifier
%systemd_user_post %{name}-notifier.service
%preun notifier
%systemd_user_preun %{name}-notifier.service
%postun notifier
%systemd_user_postun_with_restart %{name}-notifier.service
%changelog
* Tue Aug 11 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-7
- Do not cause segfault in case of an empty rulesd folder
Resolves: rhbz#1738590
* Wed Aug 05 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-6
- RHEL 8.3.0 ERRATUM
- Removed execstack from .spec
- Removed AuthorizedDefault=wired from the usbguard
Resolves: rhbz#1852539
- Missing error message on bad configuration
Resolves: rhbz#1857299
- /etc/usbguard/usbguard-daemon.conf file does not contain all default options
Resolves: rhbz#1862907
* Wed Jun 17 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-5
- RHEL 8.3.0 ERRATUM
- Use old-fasioned forking style in unit file
Resolves: rhbz#1846885
- Allow usbguard to read /proc/cpuinfo
Resolves: rhbz#1847870
- Removed notifier's Requires for usbguard-devel
Resolves: rhbz#1667395
- Allow usbguard to read /dev/urandom
Resolves: rhbz#1848618
* Wed May 06 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-4
- RHEL 8.3.0 ERRATUM
- Spec file clean up
- Rebase to 0.7.8
Resolves: rhbz#1738590
- Added selinux subpackage
Resolves: rhbz#1683567
- Added notifier subpackage
- Installing /etc/usbguard/rules.d/
Resolves: rhbz#1667395
- Fixed sigwaitinfo handling
Resolves: rhbz#1835210
* Mon Nov 25 2019 Marek Tamaskovic <mtamasko@redhat.com> - 0.7.4-4
- add match-all keyword
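Review bot: In the `%files` list the new `%dir %{_sysconfdir}/usbguard/rules.d/` and `%dir %{_sysconfdir}/usbguard/IPCAccessControl.d` entries carry no `%attr`, so they ship with whatever mode the `mkdir -p` in `%install` produced, while the two config files next to them are pinned to `0600`; the permission-check patch added in this same commit makes the daemon verify the IPC directory's mode, so leaving the directory unpinned lets the packaged default and the runtime check disagree on what is acceptable. Pin them, e.g. `%dir %attr(0700,-,-) %{_sysconfdir}/usbguard/rules.d/` and `%dir %attr(0700,-,-) %{_sysconfdir}/usbguard/IPCAccessControl.d`, after confirming the exact mode checkFolderPermissions expects. Separately, `BuildRequires: execstack` is still declared for the notifier subpackage although the only `execstack -c` call is now commented out, and the 0.7.8-5 changelog entry reads `old-fasioned`.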