diff --git a/.gitignore b/.gitignore
index 4ebdfb6..4626c85 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
-SOURCES/usbguard-0.7.4.tar.gz
+SOURCES/usbguard-0.7.8.tar.gz
+SOURCES/usbguard-notifier-0.0.6.tar.gz
+SOURCES/usbguard-selinux-0.0.3.tar.gz
diff --git a/.usbguard.metadata b/.usbguard.metadata
index 5e1f2a7..8582250 100644
--- a/.usbguard.metadata
+++ b/.usbguard.metadata
@@ -1 +1,3 @@
-803815ec31700468bb935ca9c18bd277bcc22237 SOURCES/usbguard-0.7.4.tar.gz
+d8bbd3e9f4f0deb1418f71422e7fab3d14053412 SOURCES/usbguard-0.7.8.tar.gz
+7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
+e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz
diff --git a/SOURCES/match-all.patch b/SOURCES/match-all.patch
deleted file mode 100644
index f2c9c28..0000000
--- a/SOURCES/match-all.patch
+++ /dev/null
@@ -1,242 +0,0 @@
-diff --git a/doc/man/usbguard-rules.conf.5.adoc b/doc/man/usbguard-rules.conf.5.adoc
-index 44f399c..c0f86f8 100644
---- a/doc/man/usbguard-rules.conf.5.adoc
-+++ b/doc/man/usbguard-rules.conf.5.adoc
-@@ -93,6 +93,9 @@ where the optional 'operator' is one of:
- *equals-ordered*::
- The device attribute set must contain exactly the same set of values in the same order for the rule to match.
-
-+*match-all*::
-+ The device attribute set must be a subset of the specified values for the rule to match.
-+
- If the operator is not specified it is set to *equals*.
-
- [.underline]#List of attributes:#
-diff --git a/src/Library/RuleParser/Grammar.hpp b/src/Library/RuleParser/Grammar.hpp
-index 4d785c0..764380e 100644
---- a/src/Library/RuleParser/Grammar.hpp
-+++ b/src/Library/RuleParser/Grammar.hpp
-@@ -15,6 +15,7 @@
- // along with this program. If not, see .
- //
- // Authors: Daniel Kopecek
-+// Marek Tamaskovic
- //
- #pragma once
- #ifdef HAVE_BUILD_CONFIG_H
-@@ -53,12 +54,13 @@ namespace usbguard
- struct str_none_of : TAOCPP_PEGTL_STRING("none-of") {};
- struct str_equals : TAOCPP_PEGTL_STRING("equals") {};
- struct str_equals_ordered : TAOCPP_PEGTL_STRING("equals-ordered") {};
-+ struct str_match_all: TAOCPP_PEGTL_STRING("match-all") {};
-
- /*
- * Generic rule attribute
- */
- struct multiset_operator
-- : sor {};
-+ : sor {};
-
- template
- struct attribute_value_multiset
-diff --git a/src/Library/RulePrivate.cpp b/src/Library/RulePrivate.cpp
-index 73140fa..6ceb12d 100644
---- a/src/Library/RulePrivate.cpp
-+++ b/src/Library/RulePrivate.cpp
-@@ -15,6 +15,7 @@
- // along with this program. If not, see .
- //
- // Authors: Daniel Kopecek
-+// Marek Tamaskovic
- //
- #ifdef HAVE_BUILD_CONFIG_H
- #include
-@@ -177,6 +178,7 @@ namespace usbguard
- case Rule::SetOperator::AllOf:
- case Rule::SetOperator::Equals:
- case Rule::SetOperator::EqualsOrdered:
-+ case Rule::SetOperator::MatchAll:
- meets_conditions = \
- (conditionsState() == ((((uint64_t)1) << _conditions.count()) - 1));
- break;
-diff --git a/src/Library/public/usbguard/Predicates.hpp b/src/Library/public/usbguard/Predicates.hpp
-index 412517e..95ede3a 100644
---- a/src/Library/public/usbguard/Predicates.hpp
-+++ b/src/Library/public/usbguard/Predicates.hpp
-@@ -15,6 +15,7 @@
- // along with this program. If not, see .
- //
- // Authors: Daniel Kopecek
-+// Marek Tamaskovic
- //
- #pragma once
-
-@@ -35,6 +36,15 @@ namespace usbguard
- USBGUARD_LOG(Trace) << "generic isSubsetOf";
- return source == target;
- }
-+
-+ template
-+ bool isSupersetOf(const T& source, const T& target)
-+ {
-+ USBGUARD_LOG(Error) << "Not implemented";
-+ (void) source;
-+ (void) target;
-+ return true;
-+ }
- }
- } /* namespace usbguard */
-
-diff --git a/src/Library/public/usbguard/Rule.cpp b/src/Library/public/usbguard/Rule.cpp
-index f7bb35a..fa97578 100644
---- a/src/Library/public/usbguard/Rule.cpp
-+++ b/src/Library/public/usbguard/Rule.cpp
-@@ -15,6 +15,7 @@
- // along with this program. If not, see .
- //
- // Authors: Daniel Kopecek
-+// Marek Tamaskovic
- //
- #ifdef HAVE_BUILD_CONFIG_H
- #include
-@@ -325,7 +326,8 @@ namespace usbguard
- { "none-of", Rule::SetOperator::NoneOf },
- { "equals", Rule::SetOperator::Equals },
- { "equals-ordered", Rule::SetOperator::EqualsOrdered },
-- { "match", Rule::SetOperator::Match }
-+ { "match", Rule::SetOperator::Match },
-+ { "match-all", Rule::SetOperator::MatchAll}
- };
-
- const std::string Rule::setOperatorToString(const Rule::SetOperator& op)
-diff --git a/src/Library/public/usbguard/Rule.hpp b/src/Library/public/usbguard/Rule.hpp
-index 0ebfdaf..67a67f0 100644
---- a/src/Library/public/usbguard/Rule.hpp
-+++ b/src/Library/public/usbguard/Rule.hpp
-@@ -15,6 +15,7 @@
- // along with this program. If not, see .
- //
- // Authors: Daniel Kopecek
-+// Marek Tamaskovic
- //
- #pragma once
-
-@@ -77,7 +78,8 @@ namespace usbguard
- NoneOf,
- Equals,
- EqualsOrdered,
-- Match /* Special operator: matches anything, cannot be used directly in a rule */
-+ Match, /* Special operator: matches anything, cannot be used directly in a rule */
-+ MatchAll
- };
-
- static const std::string setOperatorToString(const Rule::SetOperator& op);
-@@ -237,6 +239,10 @@ namespace usbguard
- applies = setSolveEqualsOrdered(_values, target._values);
- break;
-
-+ case SetOperator::MatchAll:
-+ applies = setSolveMatchAll(_values, target._values);
-+ break;
-+
- default:
- throw USBGUARD_BUG("Invalid set operator value");
- }
-@@ -409,6 +415,26 @@ namespace usbguard
- return false;
- }
-
-+ /*
-+ * All of the items in target set must match an item in the source set
-+ */
-+ bool setSolveMatchAll(const std::vector& source_set, const std::vector& target_set) const
-+ {
-+ USBGUARD_LOG(Trace);
-+ size_t match = 0;
-+
-+ for (auto const& target_item : target_set) {
-+ for (auto const& source_item : source_set) {
-+ if (Predicates::isSupersetOf(source_item, target_item)) {
-+ match++;
-+ break;
-+ }
-+ }
-+ }
-+
-+ return match == target_set.size();
-+ }
-+
- std::string _name;
- SetOperator _set_operator;
- std::vector _values;
-diff --git a/src/Library/public/usbguard/USB.cpp b/src/Library/public/usbguard/USB.cpp
-index 281d1c9..54e5fb8 100644
---- a/src/Library/public/usbguard/USB.cpp
-+++ b/src/Library/public/usbguard/USB.cpp
-@@ -15,6 +15,7 @@
- // along with this program. If not, see .
- //
- // Authors: Daniel Kopecek
-+// Marek Tamaskovic
- //
- #ifdef HAVE_BUILD_CONFIG_H
- #include
-@@ -125,6 +126,15 @@ namespace usbguard
- return result;
- }
-
-+ template<>
-+ bool Predicates::isSupersetOf(const USBDeviceID& source, const USBDeviceID& target)
-+ {
-+ USBGUARD_LOG(Trace) << "source=" << source.toString() << " target=" << target.toString();
-+ const bool result = target.isSubsetOf(source);
-+ USBGUARD_LOG(Trace) << "result=" << result;
-+ return result;
-+ }
-+
- USBInterfaceType::USBInterfaceType()
- {
- _bClass = 0;
-@@ -234,6 +244,12 @@ namespace usbguard
- return source.appliesTo(target);
- }
-
-+ template<>
-+ bool Predicates::isSupersetOf(const USBInterfaceType& source, const USBInterfaceType& target)
-+ {
-+ return source.appliesTo(target);
-+ }
-+
- const std::string USBInterfaceType::typeString() const
- {
- return USBInterfaceType::typeString(_bClass, _bSubClass, _bProtocol, _mask);
-diff --git a/src/Library/public/usbguard/USB.hpp b/src/Library/public/usbguard/USB.hpp
-index 914d74b..f538aac 100644
---- a/src/Library/public/usbguard/USB.hpp
-+++ b/src/Library/public/usbguard/USB.hpp
-@@ -15,6 +15,7 @@
- // along with this program. If not, see .
- //
- // Authors: Daniel Kopecek
-+// Marek Tamaskovic
- //
- #pragma once
-
-@@ -169,6 +170,8 @@ namespace usbguard
- {
- template<>
- bool isSubsetOf(const USBDeviceID& source, const USBDeviceID& target);
-+ template<>
-+ bool isSupersetOf(const USBDeviceID& source, const USBDeviceID& target);
- }
-
- class DLL_PUBLIC USBInterfaceType
-@@ -202,6 +205,8 @@ namespace usbguard
- {
- template<>
- bool isSubsetOf(const USBInterfaceType& source, const USBInterfaceType& target);
-+ template<>
-+ bool isSupersetOf(const USBInterfaceType& source, const USBInterfaceType& target);
- }
-
- class USBDescriptorParser;
diff --git a/SOURCES/usbguard-0.7.4-loadFilesError.patch b/SOURCES/usbguard-0.7.4-loadFilesError.patch
deleted file mode 100644
index 5a6a6d5..0000000
--- a/SOURCES/usbguard-0.7.4-loadFilesError.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff -up usbguard-0.7.4/src/Daemon/Daemon.cpp.loadFilesError usbguard-0.7.4/src/Daemon/Daemon.cpp
---- usbguard-0.7.4/src/Daemon/Daemon.cpp.loadFilesError 2018-07-10 14:25:41.580361063 +0200
-+++ usbguard-0.7.4/src/Daemon/Daemon.cpp 2018-07-31 10:19:21.529000000 +0200
-@@ -365,7 +365,12 @@ namespace usbguard
- ,
- [this](const std::string& basename, const std::string& fullpath) {
- return loadIPCAccessControlFile(basename, fullpath);
-- });
-+ },
-+ [](const std::pair& a, const std::pair& b)
-+ {
-+ return a.first < b.first;
-+ },
-+ /*directory_required=*/true);
- }
-
- void Daemon::checkIPCAccessControlName(const std::string& name)
diff --git a/SOURCES/usbguard-0.7.6-notifier.patch b/SOURCES/usbguard-0.7.6-notifier.patch
new file mode 100644
index 0000000..9d21147
--- /dev/null
+++ b/SOURCES/usbguard-0.7.6-notifier.patch
@@ -0,0 +1,88 @@
+diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac
+--- ./usbguard-notifier-0.0.6/configure.ac.notifier 2020-04-29 07:35:43.057914703 +0200
++++ ./usbguard-notifier-0.0.6/configure.ac 2020-06-17 16:27:53.577151720 +0200
+@@ -44,6 +44,32 @@ AC_ARG_WITH(
+ [notificaiton_path="/tmp/usbguard-notifier"]
+ )
+
++# usbguard-devel
++# Add the path to where your usbguard-devel includes are
++# You might need this option when you want to package usbguard-notifier
++# together with usbguard at the same time
++AC_ARG_WITH(
++ [usbguard-devel],
++ AS_HELP_STRING([--with-usbguard-devel], [Select to compile notifier from source usbguard devel files(only top level directory)]),
++ [usbguard_CFLAGS="-I$withval/src/Library/public/"
++ usbguard_LIBS=""
++ usbguard_LA="$withval/libusbguard.la"
++ libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"
++ AC_SUBST([usbguard_CFLAGS])
++ AC_SUBST([usbguard_LIBS])
++ AC_SUBST([usbguard_LA])
++ custom_usbguard_devel_enabled=yes
++ ],
++ [
++ PKG_CHECK_MODULES(
++ [usbguard],
++ [libusbguard >= 0.7.2],
++ [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
++ [AC_MSG_FAILURE([libusbguard development files not found])]
++ )
++ ]
++)
++
+ # Build notifier-cli, default is yes
+ AC_ARG_ENABLE([notifier-cli],
+ [AC_HELP_STRING([--enable-notifier-cli], [enable notifier cli(default=yes)])],
+@@ -81,14 +107,6 @@ PKG_CHECK_MODULES(
+ [AC_MSG_FAILURE([libnotify development files not found])]
+ )
+
+-# usbguard
+-PKG_CHECK_MODULES(
+- [usbguard],
+- [libusbguard >= 0.7.2],
+- [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
+- [AC_MSG_FAILURE([libusbguard development files not found])]
+-)
+-
+ # asciidoc
+ AC_CHECK_PROGS(A2X, [a2x])
+ if test -z "$A2X"; then
+@@ -162,6 +180,7 @@ AC_SUBST(config_PATH, $prefix/.config)
+ AC_SUBST(NOTIFICATION_PATH, $notification_path)
+
+ AM_CONDITIONAL([NOTIFIER_CLI_ENABLED], [test "x$notifier_cli_enabled" = xyes ])
++AM_CONDITIONAL([CUSTOM_USBGUARD_DEVEL_ENABLED], [test "x$custom_usbguard_devel_enabled" = "xyes"])
+
+ AC_CONFIG_FILES([
+ Makefile
+diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am
+--- ./usbguard-notifier-0.0.6/Makefile.am.notifier 2020-04-29 07:18:21.024388188 +0200
++++ ./usbguard-notifier-0.0.6/Makefile.am 2020-06-17 16:27:53.592151848 +0200
+@@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \
+ @usbguard_CFLAGS@ \
+ -fPIC
+
++if CUSTOM_USBGUARD_DEVEL_ENABLED
++usbguard_notifier_LDADD = \
++ @usbguard_LA@
++usbguard_notifier_cli_LDADD = \
++ @usbguard_LA@
++endif
++
+ BUILT_SOURCES = \
+ src/BuildConfig.h
+
+diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1
+--- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier 2020-06-17 19:55:54.621855004 +0200
++++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 2020-06-17 19:56:46.551297432 +0200
+@@ -53,7 +53,7 @@ Show help\&.
+ .RE
+ .SH "SEE ALSO"
+ .sp
+-usbguard\-notifier\-cli(1), usbguard(1)
++usbguard(1)
+ .SH "BUGS"
+ .sp
+ If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&.
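Review bot: The new `--with-usbguard-devel` branch in configure.ac links against `$withval/libusbguard.la` and `-I$withval/src/Library/public/` but skips the `libusbguard >= 0.7.2` version check that the pkg-config branch keeps, so a notifier/usbguard API mismatch in the bundled build surfaces only as a compile or link error; a one-line comment stating that the in-tree build is trusted to be version-matched would make that intentional. The help text `[Select to compile notifier from source usbguard devel files(only top level directory)]` is hard to parse; suggest `[Build against an unpacked usbguard source tree at PATH (its top-level directory)]`. In Makefile.am the conditional `usbguard_notifier_LDADD = @usbguard_LA@` presumably overrides an unconditional LDADD defined elsewhere in the file (outside this hunk); if that earlier LDADD also carries `@usbguard_LIBS@` or other libraries, the override silently drops them, so confirm whether `+=` was intended. The context line `notificaiton_path` in the first hunk carries an upstream typo that diverges from the `$notification_path` used later in the same file; worth a separate fix rather than leaving it in this backport.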
diff --git a/SOURCES/usbguard-daemon.conf b/SOURCES/usbguard-daemon.conf
index e9800b2..ae5a6a2 100644
--- a/SOURCES/usbguard-daemon.conf
+++ b/SOURCES/usbguard-daemon.conf
@@ -9,6 +9,23 @@
#
RuleFile=/etc/usbguard/rules.conf
+#
+# Rule set folder path.
+#
+# The USBGuard daemon will use this folder to load the policy
+# rule set from it and to write new rules received via the
+# IPC interface. Usually, we set the option to
+# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to
+# behave like any other standard Linux daemon therefore it
+# loads rule files in alpha-numeric order. File names inside
+# RuleFolder directory should start with a two-digit number
+# prefix indicating the position, in which the rules are
+# scanned by the daemon.
+#
+# RuleFolder=/path/to/rulesfolder/
+#
+RuleFolder=/etc/usbguard/rules.d/
+
#
# Implicit policy target.
#
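Review bot: The new RuleFolder block says the daemon both loads rules from the folder and writes rules received over IPC into it, while RuleFile on the line above remains set, and the comment does not say which of the two receives IPC-appended rules or how folder rules are ordered relative to the rules in RuleFile. Since this file is the distribution default that administrators read first, add a sentence such as `# Rules from RuleFile are evaluated before those in RuleFolder; rules added via IPC are written to <confirm: RuleFile or RuleFolder>.` with the placeholder resolved against the 0.7.8 daemon behaviour. The two-digit-prefix convention is stated but no example file name is given; `# e.g. 10-keyboards.conf, 20-storage.conf` would make the ordering rule concrete.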
@@ -64,14 +81,30 @@ PresentControllerPolicy=keep
#
InsertedDevicePolicy=apply-policy
+#
+# Control which devices are authorized by default.
+#
+# The USBGuard daemon modifies some the default authorization state attributes
+# of controller devices. This setting, enables you to define what value the
+# default authorization is set to.
+#
+# * keep - do not change the authorization state
+# * none - every new device starts out deauthorized
+# * all - every new device starts out authorized
+# * internal - internal devices start out authorized, external devices start
+# out deauthorized (this requires the ACPI tables to properly
+# label internal devices, and kernel support)
+#
+#AuthorizedDefault=none
+
#
# Restore controller device state.
#
# The USBGuard daemon modifies some attributes of controller
# devices like the default authorization state of new child device
-# instances. Using this setting, you can controll whether the
+# instances. Using this setting, you can control whether the
# daemon will try to restore the attribute values to the state
-# before modificaton on shutdown.
+# before modification on shutdown.
#
# SECURITY CONSIDERATIONS: If set to true, the USB authorization
# policy could be bypassed by performing some sort of attack on the
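Review bot: The added line `# The USBGuard daemon modifies some the default authorization state attributes` is missing "of"; the man-page wording for the same option in usbguard-removed-wired.patch reads "modifies some of the default authorization state attributes", so use that text here for consistency. The option is shipped commented out as `#AuthorizedDefault=none`, but the block never states which value the daemon applies when the option is absent; add `# Default when unset: <value, confirm against the 0.7.8 daemon>` so an administrator does not have to infer it from the commented example.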
@@ -85,11 +118,11 @@ RestoreControllerDeviceState=false
#
# Which device manager backend implementation to use. One of:
#
-# * uevent - Netlink based implementation which uses sysfs to scan for present
-# devices and an uevent netlink socket for receiving USB device
-# related events.
-# * dummy - A dummy device manager which simulates several devices and device
-# events. Useful for testing.
+# * uevent - Netlink based implementation which uses sysfs to scan for present
+# devices and an uevent netlink socket for receiving USB device
+# related events.
+# * umockdev - umockdev based device manager capable of simulating devices based
+# on umockdev-record files. Useful for testing.
#
DeviceManagerBackend=uevent
@@ -171,3 +204,8 @@ AuditBackend=FileAudit
#
AuditFilePath=/var/log/usbguard/usbguard-audit.log
+#
+# Hides personally identifiable information such as device serial numbers and
+# hashes of descriptors (which include the serial number) from audit entries.
+#
+#HidePII=false
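Review bot: The HidePII block documents what is hidden but not the operational trade-off: descriptor hashes are also what hash-based rules match on, so with HidePII enabled an audit entry can presumably no longer be correlated with the rule that produced the decision. If that is the case, add `# Note: with HidePII=true, audit entries cannot be matched to hash-based rules by hash; keep false where audit-to-rule correlation is required.` Also state the effective default explicitly, e.g. `# Default when unset: false`, rather than implying it through the commented line.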
diff --git a/SOURCES/usbguard-forking-style.patch b/SOURCES/usbguard-forking-style.patch
new file mode 100644
index 0000000..8a6500a
--- /dev/null
+++ b/SOURCES/usbguard-forking-style.patch
@@ -0,0 +1,34 @@
+diff -up ./usbguard.service.in.forking ./usbguard.service.in
+--- ./usbguard.service.in.forking 2020-06-17 20:07:04.720564149 +0200
++++ ./usbguard.service.in 2020-06-17 20:10:00.744063846 +0200
+@@ -8,11 +8,12 @@ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+ DeviceAllow=/dev/null rw
+ DevicePolicy=strict
+-ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
++ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
++PIDFile=/var/run/usbguard.pid
+ PrivateDevices=yes
+ PrivateTmp=yes
+ ProtectControlGroups=yes
+@@ -20,14 +21,14 @@ ProtectHome=yes
+ ProtectKernelModules=yes
+ ProtectSystem=yes
+ ReadOnlyPaths=-/
+-ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
++ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -/var/run
+ Restart=on-failure
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+ RestrictNamespaces=yes
+ RestrictRealtime=yes
+ SystemCallArchitectures=native
+ SystemCallFilter=@system-service
+-Type=simple
++Type=forking
+ UMask=0077
+
+ [Install]
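Review bot: `PIDFile=/var/run/usbguard.pid` together with `ReadWritePaths=... -/var/run` grants the sandboxed daemon write access to the whole runtime directory (`/var/run` is a symlink to `/run`) just to create one pid file, widening the `ProtectSystem=yes`/`ReadOnlyPaths=-/` confinement the unit otherwise keeps tight; systemd also warns when PIDFile is not below `/run`. If the daemon's pid-file path can be pointed elsewhere (the `-s` flag added on the ExecStart line is not explained here, so confirm against usbguard-daemon's options), prefer `RuntimeDirectory=usbguard` with `PIDFile=/run/usbguard/usbguard.pid` and drop the `-/var/run` entry, so the writable scope is a daemon-owned directory. The switch from `-k` to `-f -s` also changes where the daemon logs; a comment in the patch header or spec stating the intended logging destination would help the next packager.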
diff --git a/SOURCES/usbguard-permission-check.patch b/SOURCES/usbguard-permission-check.patch
new file mode 100644
index 0000000..d9266e5
--- /dev/null
+++ b/SOURCES/usbguard-permission-check.patch
@@ -0,0 +1,69 @@
+From 39fc4c24333c3bf42eba0855f3b75ccea99865a4 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka
+Date: Tue, 21 Jul 2020 16:24:15 +0200
+Subject: [PATCH] Added permissions check also for IPC access files
+
+Signed-off-by: Radovan Sroka
+---
+ src/Common/Utility.cpp | 2 +-
+ src/Common/Utility.hpp | 2 +-
+ src/Daemon/Daemon.cpp | 13 +++++++++----
+ 3 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/src/Common/Utility.cpp b/src/Common/Utility.cpp
+index d9fc26a..8eb4bd7 100644
+--- a/src/Common/Utility.cpp
++++ b/src/Common/Utility.cpp
+@@ -524,7 +524,7 @@ namespace usbguard
+ std::string file_name;
+
+ if (!dir_fd) {
+- throw Exception("getConfigsFromDir", "opendir: " + path , strerror(errno));
++ throw Exception("getConfigsFromDir", "opendir: " + path, strerror(errno));
+ }
+
+ while ((dp = readdir(dir_fd)) != NULL) { // iterate over directory for file entries
+diff --git a/src/Common/Utility.hpp b/src/Common/Utility.hpp
+index df1afcd..4e90364 100644
+--- a/src/Common/Utility.hpp
++++ b/src/Common/Utility.hpp
+@@ -192,7 +192,7 @@ namespace usbguard
+ [](const std::pair& a, const std::pair& b) -> bool {
+ return a.first < b.first;
+ },
+- bool directory_required = false);
++ bool directory_required = true);
+
+ /**
+ * Remove prefix from string.
+diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp
+index acc148f..9e67a3a 100644
+--- a/src/Daemon/Daemon.cpp
++++ b/src/Daemon/Daemon.cpp
+@@ -327,8 +327,13 @@ namespace usbguard
+
+ /* IPCAccessControlFiles */
+ if (_config.hasSettingValue("IPCAccessControlFiles")) {
+- const std::string value = _config.getSettingValue("IPCAccessControlFiles");
+- loadIPCAccessControlFiles(value);
++ const std::string ipc_dir = _config.getSettingValue("IPCAccessControlFiles");
++
++ if (check_permissions) {
++ checkFolderPermissions(ipc_dir, (S_IRUSR | S_IWUSR));
++ }
++
++ loadIPCAccessControlFiles(ipc_dir);
+ }
+
+ /* AuditBackend */
+@@ -1030,8 +1035,8 @@ namespace usbguard
+
+ /* Generate a match rule for upsert */
+ std::shared_ptr match_rule = device->getDeviceRule(/*with-port=*/false,
+- /*with-parent-hash=*/false,
+- /*match_rule=*/true);
++ /*with-parent-hash=*/false,
++ /*match_rule=*/true);
+ const std::string match_spec = match_rule->toString();
+ USBGUARD_LOG(Debug) << "match_spec=" << match_spec;
+ /* Generate new device rule */
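Review bot: The Utility.hpp change flips the default of `bool directory_required` from `false` to `true`, which alters behaviour for every caller that omits the argument, not only the IPC access-control path the patch subject describes; a caller that previously tolerated a missing directory will now throw, so either pass `/*directory_required=*/true` explicitly at the Daemon.cpp call site and leave the default alone, or state in the patch description which callers were audited. The new `checkFolderPermissions(ipc_dir, (S_IRUSR | S_IWUSR))` is gated on `check_permissions`, but the enclosing function begins outside this hunk, so it is not visible here whether an unreadable or world-writable IPC directory produces a hard failure or only a log line; the intended failure mode should be documented in the patch header. The Utility.cpp hunk (`path ,` → `path,`) and the last Daemon.cpp hunk (re-indenting the `getDeviceRule` arguments) are whitespace-only and unrelated to the permission check; keeping them out of a functional backport patch makes future rebases easier.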
diff --git a/SOURCES/usbguard-removed-wired.patch b/SOURCES/usbguard-removed-wired.patch
new file mode 100644
index 0000000..5e87154
--- /dev/null
+++ b/SOURCES/usbguard-removed-wired.patch
@@ -0,0 +1,48 @@
+diff -up ./doc/man/usbguard-daemon.conf.5.adoc.wired ./doc/man/usbguard-daemon.conf.5.adoc
+--- ./doc/man/usbguard-daemon.conf.5.adoc.wired 2020-08-05 16:12:15.064272832 +0200
++++ ./doc/man/usbguard-daemon.conf.5.adoc 2020-08-05 16:14:04.146885179 +0200
+@@ -51,8 +51,7 @@ It may be overridden using the *-c* comm
+ The USBGuard daemon modifies some of the default authorization state
+ attributes of controller devices. This setting, enables you to define what
+ value the default authorization is set to. Authorized default should be one
+- of `keep` (do not change autorization state), `wired` (new wired USB
+- devices start out authorized, wireless do not), `none` (every new device
++ of `keep` (do not change autorization state), `none` (every new device
+ starts out deauthorized), `all` (every new device starts out authorized) or
+ `internal` (internal devices start out authorized, external do not).
+
+diff -up ./src/Library/public/usbguard/DeviceManager.cpp.wired ./src/Library/public/usbguard/DeviceManager.cpp
+--- ./src/Library/public/usbguard/DeviceManager.cpp.wired 2019-11-16 18:32:45.220532059 +0100
++++ ./src/Library/public/usbguard/DeviceManager.cpp 2020-08-05 16:12:15.064272832 +0200
+@@ -71,7 +71,6 @@ namespace usbguard
+
+ static const std::vector> authorized_default_type_strings = {
+ { "keep", DeviceManager::AuthorizedDefaultType::Keep },
+- { "wired", DeviceManager::AuthorizedDefaultType::Wired },
+ { "none", DeviceManager::AuthorizedDefaultType::None },
+ { "all", DeviceManager::AuthorizedDefaultType::All },
+ { "internal", DeviceManager::AuthorizedDefaultType::Internal }
+diff -up ./src/Library/public/usbguard/DeviceManager.hpp.wired ./src/Library/public/usbguard/DeviceManager.hpp
+--- ./src/Library/public/usbguard/DeviceManager.hpp.wired 2020-05-14 13:45:48.183508037 +0200
++++ ./src/Library/public/usbguard/DeviceManager.hpp 2020-08-05 16:12:15.064272832 +0200
+@@ -60,8 +60,6 @@ namespace usbguard
+ */
+ enum class AuthorizedDefaultType {
+ Keep = -128, /**< Do not change the authorization state. */
+- Wired = -1, /**< New wired USB devices start out authorized,
+- wireless USB devices do not. */
+ None = 0, /**< Every new device starts out deauthorized. */
+ All = 1, /**< Every new device starts out authorized. */
+ Internal = 2, /**< Internal devices start out authorized,
+diff -up ./usbguard-daemon.conf.in.wired ./usbguard-daemon.conf.in
+--- ./usbguard-daemon.conf.in.wired 2020-05-20 13:56:50.809203248 +0200
++++ ./usbguard-daemon.conf.in 2020-08-05 16:12:15.064272832 +0200
+@@ -91,8 +91,6 @@ InsertedDevicePolicy=apply-policy
+ # default authorization is set to.
+ #
+ # * keep - do not change the authorization state
+-# * wired - new wired USB devices start out authorized, wireless USB
+-# devices do not
+ # * none - every new device starts out deauthorized
+ # * all - every new device starts out authorized
+ # * internal - internal devices start out authorized, external devices start
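Review bot: Removing `Wired = -1` from the public `DeviceManager::AuthorizedDefaultType` enum in DeviceManager.hpp is a source and ABI change for any out-of-tree consumer of libusbguard, and the patch does not say what the daemon does with an existing `AuthorizedDefault=wired` in usbguard-daemon.conf once the string is gone from `authorized_default_type_strings` (refuse to start, or fall back to another value); the patch header should state that, and a rejected value is the safer of the two. The rewritten man-page line `of `keep` (do not change autorization state), `none` (every new device` preserves the existing "autorization" typo; since the line is being replaced anyway, write `authorization`.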
diff --git a/SOURCES/usbguard-rulesd.patch b/SOURCES/usbguard-rulesd.patch
new file mode 100644
index 0000000..7c54c38
--- /dev/null
+++ b/SOURCES/usbguard-rulesd.patch
@@ -0,0 +1,13 @@
+diff -up ./src/Daemon/RuleSetFactory.cpp.orig ./src/Daemon/RuleSetFactory.cpp
+--- ./src/Daemon/RuleSetFactory.cpp.orig 2020-08-11 11:10:00.924479577 +0200
++++ ./src/Daemon/RuleSetFactory.cpp 2020-08-11 11:12:56.447279841 +0200
+@@ -74,7 +74,8 @@ namespace usbguard
+ ruleSet.push_back(rs);
+ }
+ }
+- else if (ns.getRulesPath().empty()){
++
++ if (ruleSet.empty()){
+ USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible.";
+ ruleSet = generateDefaultRuleSet();
+ }
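Review bot: After the change, `USBGUARD_LOG(Warning) << "RuleFile not set; ..."` fires whenever `ruleSet` is empty, including when RuleFile or RuleFolder is configured but contains no rules, so the message now misstates the cause; change it to `"No rules loaded (RuleFile/RuleFolder unset or empty); Modification of the permanent policy won't be possible."`. The same condition also substitutes `generateDefaultRuleSet()` for an administrator-supplied but empty policy, which is a policy-relevant fallback that the patch description should call out explicitly, since an intentionally empty rule file is a plausible configuration. The enclosing function begins outside this hunk, so whether the earlier branch can leave `ruleSet` non-empty on a partial load error is not visible here.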
diff --git a/SOURCES/usbguard-selinux-cpuinfo.patch b/SOURCES/usbguard-selinux-cpuinfo.patch
new file mode 100644
index 0000000..2371d64
--- /dev/null
+++ b/SOURCES/usbguard-selinux-cpuinfo.patch
@@ -0,0 +1,12 @@
+diff -up ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo ./usbguard-selinux-0.0.3/usbguard.te
+--- ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo 2020-06-18 15:53:40.161615146 +0200
++++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-18 15:54:28.399982328 +0200
+@@ -77,6 +77,8 @@ auth_read_passwd(usbguard_t)
+ dev_list_sysfs(usbguard_t)
+ dev_rw_sysfs(usbguard_t)
+
++kernel_read_system_state(usbguard_t)
++
+ list_dirs_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ dontaudit usbguard_t usbguard_conf_t:file write;
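Review bot: `kernel_read_system_state(usbguard_t)` grants read access to kernel state under /proc generally, which is broader than the "cpuinfo" the patch name suggests, and the .te gains no comment explaining who needs it. Add a rationale line above the call, e.g. `# needed at startup to read /proc/cpuinfo (presumably crypto-library hardware feature detection) — confirm the actual reader`, so a later policy audit can judge whether the interface is still required.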
diff --git a/SOURCES/usbguard-selinux-list-dir.patch b/SOURCES/usbguard-selinux-list-dir.patch
new file mode 100644
index 0000000..9334b45
--- /dev/null
+++ b/SOURCES/usbguard-selinux-list-dir.patch
@@ -0,0 +1,11 @@
+diff -up ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir ./usbguard-selinux-0.0.3/usbguard.te
+--- ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir 2020-06-09 10:53:03.191977241 +0200
++++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-09 10:54:21.441965315 +0200
+@@ -81,6 +81,7 @@ list_dirs_pattern(usbguard_t,usbguard_co
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ dontaudit usbguard_t usbguard_conf_t:file write;
+
++list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)
+
+ manage_dirs_pattern(usbguard_t, usbguard_var_run_t, usbguard_var_run_t)
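Review bot: The added `list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)` is paired only with the existing `read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)`, whose directory type is usbguard_conf_t; with usbguard-selinux-rules-d.patch labelling `/etc/usbguard/rules.d(/.*)?` as usbguard_rules_t, the files inside that directory sit in a usbguard_rules_t directory and so are not covered by that read rule. Add `read_files_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)` next to the new line. The shipped usbguard-daemon.conf also states that rules received over IPC are written into RuleFolder; if that is accurate for 0.7.8, read-only access here will be denied on the first IPC rule append, so confirm whether a manage pattern for usbguard_rules_t exists elsewhere in the policy.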
diff --git a/SOURCES/usbguard-selinux-rules-d.patch b/SOURCES/usbguard-selinux-rules-d.patch
new file mode 100644
index 0000000..5d56573
--- /dev/null
+++ b/SOURCES/usbguard-selinux-rules-d.patch
@@ -0,0 +1,22 @@
+From 008af22f238bfb97f6d337759732ac87bdef7b24 Mon Sep 17 00:00:00 2001
+From: alakatos
+Date: Mon, 25 May 2020 15:27:38 +0200
+Subject: [PATCH] /etc/usrbuard/rules.d(/.*)? has usbguard_rules_t label right
+ after the installation
+
+---
+ usbguard.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/usbguard.fc b/usbguard.fc
+index bce3e8c..3e14720 100644
+--- a/usbguard-selinux-0.0.3/usbguard.fc
++++ b/usbguard-selinux-0.0.3/usbguard.fc
+@@ -13,6 +13,7 @@
+ # You should have received a copy of the GNU General Public License
+ # along with this program. If not, see .
+
++/etc/usbguard/rules\.d(/.*)? gen_context(system_u:object_r:usbguard_rules_t,s0)
+ /etc/usbguard/rules.conf -- gen_context(system_u:object_r:usbguard_rules_t,s0)
+ /etc/usbguard(/.*)? gen_context(system_u:object_r:usbguard_conf_t,s0)
+ /dev/shm/qb-usbguard-.* -- gen_context(system_u:object_r:usbguard_tmpfs_t,s0)
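Review bot: The embedded patch's `diff --git a/usbguard.fc b/usbguard.fc` header disagrees with the hand-edited `--- a/usbguard-selinux-0.0.3/usbguard.fc` / `+++ b/usbguard-selinux-0.0.3/usbguard.fc` lines below it; `patch -p1` (as used by `%patch2 -p1` in the spec) follows the `---`/`+++` paths so it applies, but `git apply` may reject the inconsistent header, so either fix the `diff --git` line to the same path or drop the git preamble. The subject line `/etc/usrbuard/rules.d(/.*)?` has a typo for usbguard. The new fc entry itself looks right; a trailing note that the more specific regex takes precedence over the existing `/etc/usbguard(/.*)?` usbguard_conf_t entry would help readers unfamiliar with setfiles matching.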
diff --git a/SOURCES/usbguard-service-fips.patch b/SOURCES/usbguard-service-fips.patch
new file mode 100644
index 0000000..fce50c9
--- /dev/null
+++ b/SOURCES/usbguard-service-fips.patch
@@ -0,0 +1,13 @@
+diff -up ./usbguard.service.in.service-fips ./usbguard.service.in
+--- ./usbguard.service.in.service-fips 2020-06-22 10:44:44.815860376 +0200
++++ ./usbguard.service.in 2020-06-22 10:45:07.699135514 +0200
+@@ -6,8 +6,7 @@ Documentation=man:usbguard-daemon(8)
+ [Service]
+ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+-DeviceAllow=/dev/null rw
+-DevicePolicy=strict
++DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
+ LockPersonality=yes
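Review bot: Replacing `DeviceAllow=/dev/null rw` / `DevicePolicy=strict` with `DevicePolicy=closed` relaxes the device cgroup policy to the standard pseudo-devices (among them /dev/null, /dev/zero, /dev/full, /dev/random and /dev/urandom), but neither the unit nor the patch header says why; the file name hints at FIPS mode, presumably because the crypto library needs /dev/urandom or /dev/random in that mode. Record the reason next to the line, e.g. `# closed (not strict): crypto library needs /dev/urandom in FIPS mode`, so a future hardening pass does not reintroduce `strict` and silently break FIPS systems. If only the random devices are needed, `DevicePolicy=strict` plus `DeviceAllow=/dev/null rw` and `DeviceAllow=/dev/urandom r` (and /dev/random) would keep the narrower policy.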
diff --git a/SPECS/usbguard.spec b/SPECS/usbguard.spec
index 138381f..886bc4c 100644
--- a/SPECS/usbguard.spec
+++ b/SPECS/usbguard.spec
@@ -1,13 +1,14 @@
%global _hardened_build 1
-
-%define with_gui_qt5 0
-%define with_dbus 1
+%global selinuxtype targeted
+%global moduletype contrib
+%define semodule_version 0.0.3
+%define notifier_version 0.0.6
%bcond_without check
Name: usbguard
-Version: 0.7.4
-Release: 4%{?dist}
+Version: 0.7.8
+Release: 7%{?dist}
Summary: A tool for implementing USB device usage policy
Group: System Environment/Daemons
License: GPLv2+
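Review bot: The new globals mix `%global selinuxtype` / `%global moduletype` with `%define semodule_version` / `%define notifier_version` on adjacent lines; these are used throughout the spec as file-scope values, so use `%global` for all four (`%global semodule_version 0.0.3`, `%global notifier_version 0.0.6`) to avoid the scoping differences of `%define` inside nested macros.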
@@ -15,7 +16,9 @@ License: GPLv2+
# src/ThirdParty/Catch: Boost Software License - Version 1.0
URL: https://usbguard.github.io/
Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
-Source1: usbguard-daemon.conf
+Source1: https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
+Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz
+Source3: usbguard-daemon.conf
Requires: systemd
Requires(post): systemd
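Review bot: Source1 points at the GitHub auto-generated `archive/v%{semodule_version}.tar.gz`; such archives are not guaranteed to stay byte-identical over time, so while the lookaside copy is pinned by the hash in .usbguard.metadata, a re-fetch from the URL may not reproduce that hash. If the usbguard-selinux project publishes a release tarball, prefer it; otherwise a comment above Source1 noting that the archive is pinned via the lookaside cache only would save the next packager a failed verification.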
@@ -23,7 +26,9 @@ Requires(preun): systemd
Requires(postun): systemd
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
+Recommends: %{name}-selinux
+BuildRequires: gcc-c++
BuildRequires: libqb-devel
BuildRequires: libgcrypt-devel
BuildRequires: libstdc++-devel
@@ -37,21 +42,24 @@ BuildRequires: audit-libs-devel
# For `pkg-config systemd` only
BuildRequires: systemd
-%if 0%{with_gui_qt5}
-BuildRequires: qt5-qtbase-devel qt5-qtsvg-devel qt5-linguist
-%endif
-
-%if 0%{with_dbus}
BuildRequires: dbus-glib-devel
BuildRequires: dbus-devel
BuildRequires: glib2-devel
BuildRequires: polkit-devel
BuildRequires: libxslt
BuildRequires: libxml2
-%endif
-Patch0: usbguard-0.7.4-loadFilesError.patch
-Patch1: match-all.patch
+Patch1: usbguard-0.7.6-notifier.patch
+Patch2: usbguard-selinux-rules-d.patch
+Patch3: usbguard-selinux-list-dir.patch
+Patch4: usbguard-forking-style.patch
+Patch5: usbguard-selinux-cpuinfo.patch
+Patch6: usbguard-service-fips.patch
+
+Patch7: usbguard-permission-check.patch
+Patch8: usbguard-removed-wired.patch
+Patch9: usbguard-rulesd.patch
+
%description
The USBGuard software framework helps to protect your computer against rogue USB
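Review bot: The nine new Patch entries carry no provenance: only usbguard-permission-check.patch is an upstream commit (its header names commit 39fc4c24 by Radovan Sroka), while the rest are distribution-local edits, and nothing in the spec distinguishes the two. Add a one-line comment above each Patch tag stating its origin and purpose, e.g. `# Upstream commit 39fc4c24: permission check for IPC access files` and `# Distribution-local: switch unit to Type=forking`, so backports can be dropped when the upstream release absorbs them. Starting the numbering at Patch1 with no Patch0 is harmless but worth a comment if intentional.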
@@ -78,22 +86,6 @@ Requires: %{name} = %{version}-%{release}
The %{name}-tools package contains optional tools from the USBGuard
software framework.
-%if 0%{with_gui_qt5}
-###
-%package applet-qt
-Summary: USBGuard Qt 5.x Applet
-Group: Applications/System
-Requires: %{name} = %{version}-%{release}
-Obsoletes: usbguard-applet-qt <= 0.3
-
-%description applet-qt
-The %{name}-applet-qt package contains an optional Qt 5.x desktop applet
-for interacting with the USBGuard daemon component.
-###
-%endif
-
-%if 0%{with_dbus}
-###
%package dbus
Summary: USBGuard D-Bus Service
Group: Applications/System
@@ -104,17 +96,57 @@ Requires: polkit
%description dbus
The %{name}-dbus package contains an optional component that provides
a D-Bus interface to the USBGuard daemon component.
-###
-%endif
+%package selinux
+Summary: USBGuard selinux
+Group: Applications/System
+Requires: %{name} = %{version}-%{release}
+BuildRequires: selinux-policy
+BuildRequires: selinux-policy-devel
+BuildArch: noarch
+%{?selinux_requires}
+
+%description selinux
+The %{name}-selinux package contains selinux policy for the USBGuard
+daemon.
+
+%package notifier
+Summary: A tool for detecting usbguard policy and device presence changes
+Group: Applications/System
+Requires: %{name} = %{version}-%{release}
+Requires: systemd
+BuildRequires: librsvg2-devel
+BuildRequires: libnotify-devel
+BuildRequires: execstack
+
+%description notifier
+The %{name}-notifier package detects usbguard policy modifications as well as
+device presence changes and displays them as pop-up notifications.
+
+# usbguard
%prep
%setup -q
-%patch0 -p1 -b .loadFilesError
-%patch1 -p1 -b .matchallkeyword
+
+# selinux
+%setup -q -D -T -a 1
+
+# notifier
+%setup -q -D -T -a 2
# Remove bundled library sources before build
rm -rf src/ThirdParty/{Catch,PEGTL}
+%patch1 -p1 -b .notifier
+%patch2 -p1 -b .rules-d-selinux
+%patch3 -p1 -b .list-dir
+%patch4 -p1 -b .forking
+%patch5 -p1 -b .cpuinfo
+%patch6 -p1 -b .service-fips
+
+%patch7 -p1 -b .perm
+%patch8 -p1 -b .wired
+%patch9 -p1 -b .rulesd
+
%build
mkdir -p ./m4
autoreconf -i -v --no-recursive ./
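Review bot: `BuildRequires: execstack` is added for the notifier subpackage, but the only use, `#execstack -c %{buildroot}%{_bindir}/%{name}-notifier` in %install, is commented out, so the dependency is dead; either drop the BuildRequires or explain in a comment why the execstack clearing was disabled (an executable-stack marking on a desktop notifier would be a finding in its own right, so the root cause is worth a note). `%setup -q -D -T -a 1` / `-a 2` unpack the selinux and notifier tarballs inside the usbguard source tree, which is what the `./usbguard-notifier-0.0.6/...` paths in usbguard-0.7.6-notifier.patch rely on; a comment stating that the layout is required by Patch1 and Patch5 would keep the two in step. `%patch4 -p1 -b .forking` must run before `%patch6` because usbguard-service-fips.patch's context contains the `-f -s` ExecStart line introduced by the forking patch; the ordering is correct but fragile, so a comment on that line is warranted.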
@@ -123,32 +155,62 @@ autoreconf -i -v --no-recursive ./
--without-bundled-catch \
--without-bundled-pegtl \
--enable-systemd \
-%if 0%{with_gui_qt5}
- --with-gui-qt=qt5 \
-%endif
-%if 0%{with_dbus}
--with-dbus \
--with-polkit \
-%else
- --without-dbus \
- --without-polkit \
-%endif
--with-crypto-library=gcrypt
make %{?_smp_mflags}
+# selinux
+pushd %{name}-selinux-%{semodule_version}
+make
+popd
+
+# notifier
+pushd %{name}-notifier-%{notifier_version}
+mkdir -p ./m4
+autoreconf -i -v --no-recursive ./
+export CXXFLAGS="$RPM_OPT_FLAGS"
+%configure \
+ --disable-silent-rules \
+ --without-bundled-catch \
+ --enable-debug-build \
+ --disable-notifier-cli \
+ --with-usbguard-devel="../"
+
+%set_build_flags
+make %{?_smp_mflags}
+popd
+
%if %{with check}
%check
make check
%endif
+# selinux
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
%install
make install INSTALL='install -p' DESTDIR=%{buildroot}
# Overwrite configuration with distribution defaults
mkdir -p %{buildroot}%{_sysconfdir}/usbguard
+mkdir -p %{buildroot}%{_sysconfdir}/usbguard/rules.d
mkdir -p %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d
-install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
+install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
+
+# selinux
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
+
+# notifier
+pushd %{name}-notifier-%{notifier_version}
+make install INSTALL='install -p' DESTDIR=%{buildroot}
+#execstack -c %{buildroot}%{_bindir}/%{name}-notifier
+popd
# Cleanup
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
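Review bot: `%pre selinux` is placed between the `%check` and `%install` sections (`# selinux` / `%pre selinux` / `%selinux_relabel_pre -s %{selinuxtype}`), far from its `%post selinux`, `%postun selinux` and `%posttrans selinux` siblings; rpm accepts the order, but keeping the subpackage's scriptlets together makes the relabel sequence reviewable in one place. In the notifier build, `export CXXFLAGS="$RPM_OPT_FLAGS"` precedes `%configure` while `%set_build_flags` follows it; since `%configure` already exports the build flags, the later `%set_build_flags` is either redundant or, if it was meant to influence configure, in the wrong position and should come first. `--enable-debug-build` is also passed to the notifier's configure; if that switch alters optimisation or hardening flags it should be confirmed before shipping it in a release build. The commented-out execstack line still contains macros that rpm expands inside comments (rpmlint's macro-in-comment); either delete it or escape it as `#execstack -c %%{buildroot}%%{_bindir}/%%{name}-notifier`.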
@@ -173,6 +235,7 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%{_bindir}/usbguard
%dir %{_localstatedir}/log/usbguard
%dir %{_sysconfdir}/usbguard
+%dir %{_sysconfdir}/usbguard/rules.d/
%dir %{_sysconfdir}/usbguard/IPCAccessControl.d
%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf
%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf
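Review bot: The new `%dir %{_sysconfdir}/usbguard/rules.d/` entry carries no `%attr`, so the directory keeps whatever mode the `mkdir -p` in %install produced, while the policy file it complements, `rules.conf`, is restricted to `%attr(0600,-,-)`; if rule fragments in rules.d are as sensitive as rules.conf (presumably they hold the same kind of allow/block rules), the directory should get a matching restrictive attr, e.g. `%dir %attr(0700,-,-) %{_sysconfdir}/usbguard/rules.d`. The trailing slash also differs from the neighbouring `%dir %{_sysconfdir}/usbguard/IPCAccessControl.d` entry; dropping it keeps the list consistent. The %files section this hunk belongs to starts outside the hunk.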
@@ -193,25 +256,13 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%defattr(-,root,root,-)
%{_bindir}/usbguard-rule-parser
-%if 0%{with_gui_qt5}
-###
-%files applet-qt
-%defattr(-,root,root,-)
-%{_bindir}/usbguard-applet-qt
-%{_mandir}/man1/usbguard-applet-qt.1.gz
-%{_datadir}/applications/usbguard-applet-qt.desktop
-%{_datadir}/icons/hicolor/scalable/apps/usbguard-icon.svg
-###
-%endif
-%if 0%{with_dbus}
-###
%files dbus
%defattr(-,root,root,-)
%{_sbindir}/usbguard-dbus
-%{_datadir}/dbus-1/system-services/org.usbguard.service
-%{_datadir}/dbus-1/system.d/org.usbguard.conf
-%{_datadir}/polkit-1/actions/org.usbguard.policy
+%{_datadir}/dbus-1/system-services/org.usbguard1.service
+%{_datadir}/dbus-1/system.d/org.usbguard1.conf
+%{_datadir}/polkit-1/actions/org.usbguard1.policy
%{_unitdir}/usbguard-dbus.service
%{_mandir}/man8/usbguard-dbus.8.gz
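Review bot: The D-Bus service, bus configuration and polkit policy files are renamed from `org.usbguard.*` to `org.usbguard1.*`, but none of the changelog entries in this commit mentions the rename; presumably the bus name and polkit action ids changed along with the file names, in which case site-local polkit rules written against the old `org.usbguard.*` actions silently stop matching after the update. A changelog line such as `- D-Bus interface and polkit actions renamed to org.usbguard1` would make that behaviour change visible to administrators.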
@@ -223,10 +274,80 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%postun dbus
%systemd_postun_with_restart usbguard-dbus.service
-###
-%endif
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{name}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%files notifier
+%defattr(-,root,root,-)
+%doc %{name}-notifier-%{notifier_version}/README.md %{name}-notifier-%{notifier_version}/CHANGELOG.md
+%license %{name}-notifier-%{notifier_version}/LICENSE
+%{_bindir}/%{name}-notifier
+%{_mandir}/man1/%{name}-notifier.1.gz
+%{_userunitdir}/%{name}-notifier.service
+
+%post notifier
+%systemd_user_post %{name}-notifier.service
+
+%preun notifier
+%systemd_user_preun %{name}-notifier.service
+
+%postun notifier
+%systemd_user_postun_with_restart %{name}-notifier.service
+
%changelog
+* Tue Aug 11 2020 Attila Lakatos - 0.7.8-7
+- Do not cause segfault in case of an empty rulesd folder
+Resolves: rhbz#1738590
+
+* Wed Aug 05 2020 Radovan Sroka - 0.7.8-6
+- RHEL 8.3.0 ERRATUM
+- Removed execstack from .spec
+- Removed AuthorizedDefault=wired from the usbguard
+Resolves: rhbz#1852539
+- Missing error message on bad configuration
+Resolves: rhbz#1857299
+- /etc/usbguard/usbguard-daemon.conf file does not contain all default options
+Resolves: rhbz#1862907
+
+* Wed Jun 17 2020 Radovan Sroka - 0.7.8-5
+- RHEL 8.3.0 ERRATUM
+- Use old-fasioned forking style in unit file
+Resolves: rhbz#1846885
+- Allow usbguard to read /proc/cpuinfo
+Resolves: rhbz#1847870
+- Removed notifier's Requires for usbguard-devel
+Resolves: rhbz#1667395
+- Allow usbguard to read /dev/urandom
+Resolves: rhbz#1848618
+
+* Wed May 06 2020 Attila Lakatos - 0.7.8-4
+- RHEL 8.3.0 ERRATUM
+- Spec file clean up
+- Rebase to 0.7.8
+Resolves: rhbz#1738590
+- Added selinux subpackage
+Resolves: rhbz#1683567
+- Added notifier subpackage
+- Installing /etc/usbguard/rules.d/
+Resolves: rhbz#1667395
+- Fixed sigwaitinfo handling
+Resolves: rhbz#1835210
+
* Mon Nov 25 2019 Marek Tamaskovic - 0.7.4-4
- add match-all keyword