From 32df1fdeb98b38538999dbfcbd38999463ae8740 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 3 Nov 2020 07:01:49 -0500 Subject: [PATCH] import usbguard-0.7.8-7.el8 --- .gitignore | 4 +- .usbguard.metadata | 4 +- SOURCES/match-all.patch | 242 -------------------- SOURCES/usbguard-0.7.4-loadFilesError.patch | 17 -- SOURCES/usbguard-0.7.6-notifier.patch | 88 +++++++ SOURCES/usbguard-daemon.conf | 52 ++++- SOURCES/usbguard-forking-style.patch | 34 +++ SOURCES/usbguard-permission-check.patch | 69 ++++++ SOURCES/usbguard-removed-wired.patch | 48 ++++ SOURCES/usbguard-rulesd.patch | 13 ++ SOURCES/usbguard-selinux-cpuinfo.patch | 12 + SOURCES/usbguard-selinux-list-dir.patch | 11 + SOURCES/usbguard-selinux-rules-d.patch | 22 ++ SOURCES/usbguard-service-fips.patch | 13 ++ SPECS/usbguard.spec | 241 ++++++++++++++----- 15 files changed, 542 insertions(+), 328 deletions(-) delete mode 100644 SOURCES/match-all.patch delete mode 100644 SOURCES/usbguard-0.7.4-loadFilesError.patch create mode 100644 SOURCES/usbguard-0.7.6-notifier.patch create mode 100644 SOURCES/usbguard-forking-style.patch create mode 100644 SOURCES/usbguard-permission-check.patch create mode 100644 SOURCES/usbguard-removed-wired.patch create mode 100644 SOURCES/usbguard-rulesd.patch create mode 100644 SOURCES/usbguard-selinux-cpuinfo.patch create mode 100644 SOURCES/usbguard-selinux-list-dir.patch create mode 100644 SOURCES/usbguard-selinux-rules-d.patch create mode 100644 SOURCES/usbguard-service-fips.patch diff --git a/.gitignore b/.gitignore index 4ebdfb6..4626c85 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ -SOURCES/usbguard-0.7.4.tar.gz +SOURCES/usbguard-0.7.8.tar.gz +SOURCES/usbguard-notifier-0.0.6.tar.gz +SOURCES/usbguard-selinux-0.0.3.tar.gz diff --git a/.usbguard.metadata b/.usbguard.metadata index 5e1f2a7..8582250 100644 --- a/.usbguard.metadata +++ b/.usbguard.metadata 
@@ -1 +1,3 @@ -803815ec31700468bb935ca9c18bd277bcc22237 SOURCES/usbguard-0.7.4.tar.gz +d8bbd3e9f4f0deb1418f71422e7fab3d14053412 SOURCES/usbguard-0.7.8.tar.gz +7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz +e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz diff --git a/SOURCES/match-all.patch b/SOURCES/match-all.patch deleted file mode 100644 index f2c9c28..0000000 --- a/SOURCES/match-all.patch +++ /dev/null 
@@ -1,242 +0,0 @@ -diff --git a/doc/man/usbguard-rules.conf.5.adoc b/doc/man/usbguard-rules.conf.5.adoc -index 44f399c..c0f86f8 100644 ---- a/doc/man/usbguard-rules.conf.5.adoc -+++ b/doc/man/usbguard-rules.conf.5.adoc -@@ -93,6 +93,9 @@ where the optional 'operator' is one of: - *equals-ordered*:: - The device attribute set must contain exactly the same set of values in the same order for the rule to match. - -+*match-all*:: -+ The device attribute set must be a subset of the specified values for the rule to match. -+ - If the operator is not specified it is set to *equals*. - - [.underline]#List of attributes:# -diff --git a/src/Library/RuleParser/Grammar.hpp b/src/Library/RuleParser/Grammar.hpp -index 4d785c0..764380e 100644 ---- a/src/Library/RuleParser/Grammar.hpp -+++ b/src/Library/RuleParser/Grammar.hpp -@@ -15,6 +15,7 @@ - // along with this program. If not, see . - // - // Authors: Daniel Kopecek -+// Marek Tamaskovic - // - #pragma once - #ifdef HAVE_BUILD_CONFIG_H -@@ -53,12 +54,13 @@ namespace usbguard - struct str_none_of : TAOCPP_PEGTL_STRING("none-of") {}; - struct str_equals : TAOCPP_PEGTL_STRING("equals") {}; - struct str_equals_ordered : TAOCPP_PEGTL_STRING("equals-ordered") {}; -+ struct str_match_all: TAOCPP_PEGTL_STRING("match-all") {}; - - /* - * Generic rule attribute - */ - struct multiset_operator -- : sor {}; -+ : sor {}; - - template - struct attribute_value_multiset -diff --git a/src/Library/RulePrivate.cpp b/src/Library/RulePrivate.cpp -index 73140fa..6ceb12d 100644 ---- a/src/Library/RulePrivate.cpp -+++ b/src/Library/RulePrivate.cpp -@@ -15,6 +15,7 @@ - // along with this program. If not, see . 
- // - // Authors: Daniel Kopecek -+// Marek Tamaskovic - // - #ifdef HAVE_BUILD_CONFIG_H - #include -@@ -177,6 +178,7 @@ namespace usbguard - case Rule::SetOperator::AllOf: - case Rule::SetOperator::Equals: - case Rule::SetOperator::EqualsOrdered: -+ case Rule::SetOperator::MatchAll: - meets_conditions = \ - (conditionsState() == ((((uint64_t)1) << _conditions.count()) - 1)); - break; -diff --git a/src/Library/public/usbguard/Predicates.hpp b/src/Library/public/usbguard/Predicates.hpp -index 412517e..95ede3a 100644 ---- a/src/Library/public/usbguard/Predicates.hpp -+++ b/src/Library/public/usbguard/Predicates.hpp -@@ -15,6 +15,7 @@ - // along with this program. If not, see . - // - // Authors: Daniel Kopecek -+// Marek Tamaskovic - // - #pragma once - -@@ -35,6 +36,15 @@ namespace usbguard - USBGUARD_LOG(Trace) << "generic isSubsetOf"; - return source == target; - } -+ -+ template -+ bool isSupersetOf(const T& source, const T& target) -+ { -+ USBGUARD_LOG(Error) << "Not implemented"; -+ (void) source; -+ (void) target; -+ return true; -+ } - } - } /* namespace usbguard */ - -diff --git a/src/Library/public/usbguard/Rule.cpp b/src/Library/public/usbguard/Rule.cpp -index f7bb35a..fa97578 100644 ---- a/src/Library/public/usbguard/Rule.cpp -+++ b/src/Library/public/usbguard/Rule.cpp -@@ -15,6 +15,7 @@ - // along with this program. If not, see . 
- // - // Authors: Daniel Kopecek -+// Marek Tamaskovic - // - #ifdef HAVE_BUILD_CONFIG_H - #include -@@ -325,7 +326,8 @@ namespace usbguard - { "none-of", Rule::SetOperator::NoneOf }, - { "equals", Rule::SetOperator::Equals }, - { "equals-ordered", Rule::SetOperator::EqualsOrdered }, -- { "match", Rule::SetOperator::Match } -+ { "match", Rule::SetOperator::Match }, -+ { "match-all", Rule::SetOperator::MatchAll} - }; - - const std::string Rule::setOperatorToString(const Rule::SetOperator& op) -diff --git a/src/Library/public/usbguard/Rule.hpp b/src/Library/public/usbguard/Rule.hpp -index 0ebfdaf..67a67f0 100644 ---- a/src/Library/public/usbguard/Rule.hpp -+++ b/src/Library/public/usbguard/Rule.hpp -@@ -15,6 +15,7 @@ - // along with this program. If not, see . - // - // Authors: Daniel Kopecek -+// Marek Tamaskovic - // - #pragma once - -@@ -77,7 +78,8 @@ namespace usbguard - NoneOf, - Equals, - EqualsOrdered, -- Match /* Special operator: matches anything, cannot be used directly in a rule */ -+ Match, /* Special operator: matches anything, cannot be used directly in a rule */ -+ MatchAll - }; - - static const std::string setOperatorToString(const Rule::SetOperator& op); -@@ -237,6 +239,10 @@ namespace usbguard - applies = setSolveEqualsOrdered(_values, target._values); - break; - -+ case SetOperator::MatchAll: -+ applies = setSolveMatchAll(_values, target._values); -+ break; -+ - default: - throw USBGUARD_BUG("Invalid set operator value"); - } -@@ -409,6 +415,26 @@ namespace usbguard - return false; - } - -+ /* -+ * All of the items in target set must match an item in the source set -+ */ -+ bool setSolveMatchAll(const std::vector& source_set, const std::vector& target_set) const -+ { -+ USBGUARD_LOG(Trace); -+ size_t match = 0; -+ -+ for (auto const& target_item : target_set) { -+ for (auto const& source_item : source_set) { -+ if (Predicates::isSupersetOf(source_item, target_item)) { -+ match++; -+ break; -+ } -+ } -+ } -+ -+ return match == target_set.size(); 
-+ } -+ - std::string _name; - SetOperator _set_operator; - std::vector _values; -diff --git a/src/Library/public/usbguard/USB.cpp b/src/Library/public/usbguard/USB.cpp -index 281d1c9..54e5fb8 100644 ---- a/src/Library/public/usbguard/USB.cpp -+++ b/src/Library/public/usbguard/USB.cpp -@@ -15,6 +15,7 @@ - // along with this program. If not, see . - // - // Authors: Daniel Kopecek -+// Marek Tamaskovic - // - #ifdef HAVE_BUILD_CONFIG_H - #include -@@ -125,6 +126,15 @@ namespace usbguard - return result; - } - -+ template<> -+ bool Predicates::isSupersetOf(const USBDeviceID& source, const USBDeviceID& target) -+ { -+ USBGUARD_LOG(Trace) << "source=" << source.toString() << " target=" << target.toString(); -+ const bool result = target.isSubsetOf(source); -+ USBGUARD_LOG(Trace) << "result=" << result; -+ return result; -+ } -+ - USBInterfaceType::USBInterfaceType() - { - _bClass = 0; -@@ -234,6 +244,12 @@ namespace usbguard - return source.appliesTo(target); - } - -+ template<> -+ bool Predicates::isSupersetOf(const USBInterfaceType& source, const USBInterfaceType& target) -+ { -+ return source.appliesTo(target); -+ } -+ - const std::string USBInterfaceType::typeString() const - { - return USBInterfaceType::typeString(_bClass, _bSubClass, _bProtocol, _mask); -diff --git a/src/Library/public/usbguard/USB.hpp b/src/Library/public/usbguard/USB.hpp -index 914d74b..f538aac 100644 ---- a/src/Library/public/usbguard/USB.hpp -+++ b/src/Library/public/usbguard/USB.hpp -@@ -15,6 +15,7 @@ - // along with this program. If not, see . 
- // - // Authors: Daniel Kopecek -+// Marek Tamaskovic - // - #pragma once - -@@ -169,6 +170,8 @@ namespace usbguard - { - template<> - bool isSubsetOf(const USBDeviceID& source, const USBDeviceID& target); -+ template<> -+ bool isSupersetOf(const USBDeviceID& source, const USBDeviceID& target); - } - - class DLL_PUBLIC USBInterfaceType -@@ -202,6 +205,8 @@ namespace usbguard - { - template<> - bool isSubsetOf(const USBInterfaceType& source, const USBInterfaceType& target); -+ template<> -+ bool isSupersetOf(const USBInterfaceType& source, const USBInterfaceType& target); - } - - class USBDescriptorParser; diff --git a/SOURCES/usbguard-0.7.4-loadFilesError.patch b/SOURCES/usbguard-0.7.4-loadFilesError.patch deleted file mode 100644 index 5a6a6d5..0000000 --- a/SOURCES/usbguard-0.7.4-loadFilesError.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff -up usbguard-0.7.4/src/Daemon/Daemon.cpp.loadFilesError usbguard-0.7.4/src/Daemon/Daemon.cpp ---- usbguard-0.7.4/src/Daemon/Daemon.cpp.loadFilesError 2018-07-10 14:25:41.580361063 +0200 -+++ usbguard-0.7.4/src/Daemon/Daemon.cpp 2018-07-31 10:19:21.529000000 +0200 -@@ -365,7 +365,12 @@ namespace usbguard - , - [this](const std::string& basename, const std::string& fullpath) { - return loadIPCAccessControlFile(basename, fullpath); -- }); -+ }, -+ [](const std::pair& a, const std::pair& b) -+ { -+ return a.first < b.first; -+ }, -+ /*directory_required=*/true); - } - - void Daemon::checkIPCAccessControlName(const std::string& name) diff --git a/SOURCES/usbguard-0.7.6-notifier.patch b/SOURCES/usbguard-0.7.6-notifier.patch new file mode 100644 index 0000000..9d21147 --- /dev/null +++ b/SOURCES/usbguard-0.7.6-notifier.patch 
@@ -0,0 +1,88 @@ +diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac +--- ./usbguard-notifier-0.0.6/configure.ac.notifier 2020-04-29 07:35:43.057914703 +0200 ++++ ./usbguard-notifier-0.0.6/configure.ac 2020-06-17 16:27:53.577151720 +0200 +@@ -44,6 +44,32 @@ AC_ARG_WITH( + [notificaiton_path="/tmp/usbguard-notifier"] + ) + ++# usbguard-devel ++# Add the path to where your usbguard-devel includes are ++# You might need this option when you want to package usbguard-notifier ++# together with usbguard at the same time ++AC_ARG_WITH( ++ [usbguard-devel], ++ AS_HELP_STRING([--with-usbguard-devel], [Select to compile notifier from source usbguard devel files(only top level directory)]), ++ [usbguard_CFLAGS="-I$withval/src/Library/public/" ++ usbguard_LIBS="" ++ usbguard_LA="$withval/libusbguard.la" ++ libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS" ++ AC_SUBST([usbguard_CFLAGS]) ++ AC_SUBST([usbguard_LIBS]) ++ AC_SUBST([usbguard_LA]) ++ custom_usbguard_devel_enabled=yes ++ ], ++ [ ++ PKG_CHECK_MODULES( ++ [usbguard], ++ [libusbguard >= 0.7.2], ++ [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"], ++ [AC_MSG_FAILURE([libusbguard development files not found])] ++ ) ++ ] ++) ++ + # Build notifier-cli, default is yes + AC_ARG_ENABLE([notifier-cli], + [AC_HELP_STRING([--enable-notifier-cli], [enable notifier cli(default=yes)])], +@@ -81,14 +107,6 @@ PKG_CHECK_MODULES( + [AC_MSG_FAILURE([libnotify development files not found])] + ) + +-# usbguard +-PKG_CHECK_MODULES( +- [usbguard], +- [libusbguard >= 0.7.2], +- [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"], +- [AC_MSG_FAILURE([libusbguard development files not found])] +-) +- + # asciidoc + AC_CHECK_PROGS(A2X, [a2x]) + if test -z "$A2X"; then +@@ -162,6 +180,7 @@ AC_SUBST(config_PATH, $prefix/.config) + AC_SUBST(NOTIFICATION_PATH, $notification_path) + + AM_CONDITIONAL([NOTIFIER_CLI_ENABLED], [test "x$notifier_cli_enabled" = xyes ]) 
++AM_CONDITIONAL([CUSTOM_USBGUARD_DEVEL_ENABLED], [test "x$custom_usbguard_devel_enabled" = "xyes"]) + + AC_CONFIG_FILES([ + Makefile +diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am +--- ./usbguard-notifier-0.0.6/Makefile.am.notifier 2020-04-29 07:18:21.024388188 +0200 ++++ ./usbguard-notifier-0.0.6/Makefile.am 2020-06-17 16:27:53.592151848 +0200 +@@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \ + @usbguard_CFLAGS@ \ + -fPIC + ++if CUSTOM_USBGUARD_DEVEL_ENABLED ++usbguard_notifier_LDADD = \ ++ @usbguard_LA@ ++usbguard_notifier_cli_LDADD = \ ++ @usbguard_LA@ ++endif ++ + BUILT_SOURCES = \ + src/BuildConfig.h + +diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 +--- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier 2020-06-17 19:55:54.621855004 +0200 ++++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 2020-06-17 19:56:46.551297432 +0200 +@@ -53,7 +53,7 @@ Show help\&. + .RE + .SH "SEE ALSO" + .sp +-usbguard\-notifier\-cli(1), usbguard(1) ++usbguard(1) + .SH "BUGS" + .sp + If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&. diff --git a/SOURCES/usbguard-daemon.conf b/SOURCES/usbguard-daemon.conf index e9800b2..ae5a6a2 100644 --- a/SOURCES/usbguard-daemon.conf +++ b/SOURCES/usbguard-daemon.conf 
@@ -9,6 +9,23 @@ # RuleFile=/etc/usbguard/rules.conf +# +# Rule set folder path. +# +# The USBGuard daemon will use this folder to load the policy +# rule set from it and to write new rules received via the +# IPC interface. Usually, we set the option to +# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to +# behave like any other standard Linux daemon therefore it +# loads rule files in alpha-numeric order. File names inside +# RuleFolder directory should start with a two-digit number +# prefix indicating the position, in which the rules are +# scanned by the daemon. +# +# RuleFolder=/path/to/rulesfolder/ +# +RuleFolder=/etc/usbguard/rules.d/ + # # Implicit policy target. # @@ -64,14 +81,30 @@ PresentControllerPolicy=keep # InsertedDevicePolicy=apply-policy +# +# Control which devices are authorized by default. +# +# The USBGuard daemon modifies some the default authorization state attributes +# of controller devices. This setting, enables you to define what value the +# default authorization is set to. +# +# * keep - do not change the authorization state +# * none - every new device starts out deauthorized +# * all - every new device starts out authorized +# * internal - internal devices start out authorized, external devices start +# out deauthorized (this requires the ACPI tables to properly +# label internal devices, and kernel support) +# +#AuthorizedDefault=none + # # Restore controller device state. # # The USBGuard daemon modifies some attributes of controller # devices like the default authorization state of new child device -# instances. Using this setting, you can controll whether the +# instances. Using this setting, you can control whether the # daemon will try to restore the attribute values to the state -# before modificaton on shutdown. +# before modification on shutdown. # # SECURITY CONSIDERATIONS: If set to true, the USB authorization # policy could be bypassed by performing some sort of attack on the 
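Review bot: The new RuleFolder comment says the daemon loads the policy from this directory and also writes rules received over IPC into it, but it says nothing about the ownership and mode the directory and its files must have, while the sibling rules.conf is shipped 0600 by the spec. An operator who creates rules.d by hand as 0755 with group-writable files has effectively delegated policy control to that group, and the rules themselves carry device serials and hashes (the data `HidePII` exists to suppress). Suggest adding to the comment: `# The folder and every file inside it should be root-owned and not readable or writable by other users, the same as rules.conf.` If the daemon enforces a specific mode on RuleFolder (not visible in this file), state that exact rule instead.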
@@ -85,11 +118,11 @@ RestoreControllerDeviceState=false # # Which device manager backend implementation to use. One of: # -# * uevent - Netlink based implementation which uses sysfs to scan for present -# devices and an uevent netlink socket for receiving USB device -# related events. -# * dummy - A dummy device manager which simulates several devices and device -# events. Useful for testing. +# * uevent - Netlink based implementation which uses sysfs to scan for present +# devices and an uevent netlink socket for receiving USB device +# related events. +# * umockdev - umockdev based device manager capable of simulating devices based +# on umockdev-record files. Useful for testing. # DeviceManagerBackend=uevent @@ -171,3 +204,8 @@ AuditBackend=FileAudit # AuditFilePath=/var/log/usbguard/usbguard-audit.log +# +# Hides personally identifiable information such as device serial numbers and +# hashes of descriptors (which include the serial number) from audit entries. +# +#HidePII=false diff --git a/SOURCES/usbguard-forking-style.patch b/SOURCES/usbguard-forking-style.patch new file mode 100644 index 0000000..8a6500a --- /dev/null +++ b/SOURCES/usbguard-forking-style.patch 
@@ -0,0 +1,34 @@
+diff -up ./usbguard.service.in.forking ./usbguard.service.in
+--- ./usbguard.service.in.forking 2020-06-17 20:07:04.720564149 +0200
++++ ./usbguard.service.in 2020-06-17 20:10:00.744063846 +0200
+@@ -8,11 +8,12 @@ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+ DeviceAllow=/dev/null rw
+ DevicePolicy=strict
+-ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
++ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
++PIDFile=/var/run/usbguard.pid
+ PrivateDevices=yes
+ PrivateTmp=yes
+ ProtectControlGroups=yes
+@@ -20,14 +21,14 @@ ProtectHome=yes
+ ProtectKernelModules=yes
+ ProtectSystem=yes
+ ReadOnlyPaths=-/
+-ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
++ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -/var/run
+ Restart=on-failure
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+ RestrictNamespaces=yes
+ RestrictRealtime=yes
+ SystemCallArchitectures=native
+ SystemCallFilter=@system-service
+-Type=simple
++Type=forking
+ UMask=0077
+ 
+ [Install]
diff --git a/SOURCES/usbguard-permission-check.patch b/SOURCES/usbguard-permission-check.patch
new file mode 100644
index 0000000..d9266e5
--- /dev/null
+++ b/SOURCES/usbguard-permission-check.patch
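Review bot: `PIDFile=/var/run/usbguard.pid` together with `ReadWritePaths=... -/var/run` opens the entire runtime directory for writing to a unit that otherwise keeps `ProtectSystem=yes` and `ReadOnlyPaths=-/`, which is wider than one PID file needs. `RuntimeDirectory=usbguard` plus `PIDFile=/run/usbguard/usbguard.pid` confines the write grant to a directory systemd creates and removes for the unit, and using `/run` sidesteps the `/var/run` symlink that systemd warns about for PIDFile=. With the daemon already running as root under NoNewPrivileges this is a least-privilege point rather than a bypass. What `-s` in the new ExecStart does is not visible here; a one-line comment above ExecStart naming the purpose of each flag would help the next person who touches the hardening.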
@@ -0,0 +1,69 @@
+From 39fc4c24333c3bf42eba0855f3b75ccea99865a4 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka
+Date: Tue, 21 Jul 2020 16:24:15 +0200
+Subject: [PATCH] Added permissions check also for IPC access files
+
+Signed-off-by: Radovan Sroka
+---
+ src/Common/Utility.cpp | 2 +-
+ src/Common/Utility.hpp | 2 +-
+ src/Daemon/Daemon.cpp | 13 +++++++++----
+ 3 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/src/Common/Utility.cpp b/src/Common/Utility.cpp
+index d9fc26a..8eb4bd7 100644
+--- a/src/Common/Utility.cpp
++++ b/src/Common/Utility.cpp
+@@ -524,7 +524,7 @@ namespace usbguard
+ std::string file_name;
+ 
+ if (!dir_fd) {
+- throw Exception("getConfigsFromDir", "opendir: " + path , strerror(errno));
++ throw Exception("getConfigsFromDir", "opendir: " + path, strerror(errno));
+ }
+ 
+ while ((dp = readdir(dir_fd)) != NULL) { // iterate over directory for file entries
+diff --git a/src/Common/Utility.hpp b/src/Common/Utility.hpp
+index df1afcd..4e90364 100644
+--- a/src/Common/Utility.hpp
++++ b/src/Common/Utility.hpp
+@@ -192,7 +192,7 @@ namespace usbguard
+ [](const std::pair& a, const std::pair& b) -> bool {
+ return a.first < b.first;
+ },
+- bool directory_required = false);
++ bool directory_required = true);
+ 
+ /**
+ * Remove prefix from string.
+diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp
+index acc148f..9e67a3a 100644
+--- a/src/Daemon/Daemon.cpp
++++ b/src/Daemon/Daemon.cpp
+@@ -327,8 +327,13 @@ namespace usbguard
+ 
+ /* IPCAccessControlFiles */
+ if (_config.hasSettingValue("IPCAccessControlFiles")) {
+- const std::string value = _config.getSettingValue("IPCAccessControlFiles");
+- loadIPCAccessControlFiles(value);
++ const std::string ipc_dir = _config.getSettingValue("IPCAccessControlFiles");
++
++ if (check_permissions) {
++ checkFolderPermissions(ipc_dir, (S_IRUSR | S_IWUSR));
++ }
++
++ loadIPCAccessControlFiles(ipc_dir);
+ }
+ 
+ /* AuditBackend */
+@@ -1030,8 +1035,8 @@ namespace usbguard
+ 
+ /* Generate a match rule for upsert */
+ std::shared_ptr match_rule = device->getDeviceRule(/*with-port=*/false,
+- /*with-parent-hash=*/false,
+- /*match_rule=*/true);
++ /*with-parent-hash=*/false,
++ /*match_rule=*/true);
+ const std::string match_spec = match_rule->toString();
+ USBGUARD_LOG(Debug) << "match_spec=" << match_spec;
+ /* Generate new device rule */
diff --git a/SOURCES/usbguard-removed-wired.patch b/SOURCES/usbguard-removed-wired.patch
new file mode 100644
index 0000000..5e87154
--- /dev/null
+++ b/SOURCES/usbguard-removed-wired.patch
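Review bot: The new `checkFolderPermissions(ipc_dir, (S_IRUSR | S_IWUSR))` call validates only the IPCAccessControlFiles directory, and only when `check_permissions` is set; the ACL files inside it, which decide which users and groups may talk to the daemon, are not visibly checked in this hunk, so a group- or world-writable ACL file in a correctly-moded directory still passes. If `checkFolderPermissions` does not also inspect the files it contains (its body is outside this patch), add an equivalent per-file check where each ACL file is loaded, or state the required file mode in the daemon.conf comment for IPCAccessControlFiles. The default flip to `bool directory_required = true` in Utility.hpp changes every caller of `getConfigsFromDir`, so a missing directory that used to be skipped now presumably throws; that behaviour change deserves a sentence in the commit message since RuleFolder loading likely goes through the same helper. The enclosing function starts and ends outside the hunk.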
@@ -0,0 +1,48 @@ +diff -up ./doc/man/usbguard-daemon.conf.5.adoc.wired ./doc/man/usbguard-daemon.conf.5.adoc +--- ./doc/man/usbguard-daemon.conf.5.adoc.wired 2020-08-05 16:12:15.064272832 +0200 ++++ ./doc/man/usbguard-daemon.conf.5.adoc 2020-08-05 16:14:04.146885179 +0200 +@@ -51,8 +51,7 @@ It may be overridden using the *-c* comm + The USBGuard daemon modifies some of the default authorization state + attributes of controller devices. This setting, enables you to define what + value the default authorization is set to. Authorized default should be one +- of `keep` (do not change autorization state), `wired` (new wired USB +- devices start out authorized, wireless do not), `none` (every new device ++ of `keep` (do not change autorization state), `none` (every new device + starts out deauthorized), `all` (every new device starts out authorized) or + `internal` (internal devices start out authorized, external do not). + +diff -up ./src/Library/public/usbguard/DeviceManager.cpp.wired ./src/Library/public/usbguard/DeviceManager.cpp +--- ./src/Library/public/usbguard/DeviceManager.cpp.wired 2019-11-16 18:32:45.220532059 +0100 ++++ ./src/Library/public/usbguard/DeviceManager.cpp 2020-08-05 16:12:15.064272832 +0200 +@@ -71,7 +71,6 @@ namespace usbguard + + static const std::vector> authorized_default_type_strings = { + { "keep", DeviceManager::AuthorizedDefaultType::Keep }, +- { "wired", DeviceManager::AuthorizedDefaultType::Wired }, + { "none", DeviceManager::AuthorizedDefaultType::None }, + { "all", DeviceManager::AuthorizedDefaultType::All }, + { "internal", DeviceManager::AuthorizedDefaultType::Internal } +diff -up ./src/Library/public/usbguard/DeviceManager.hpp.wired ./src/Library/public/usbguard/DeviceManager.hpp +--- ./src/Library/public/usbguard/DeviceManager.hpp.wired 2020-05-14 13:45:48.183508037 +0200 ++++ ./src/Library/public/usbguard/DeviceManager.hpp 2020-08-05 16:12:15.064272832 +0200 +@@ -60,8 +60,6 @@ namespace usbguard + */ + enum class 
AuthorizedDefaultType { + Keep = -128, /**< Do not change the authorization state. */ +- Wired = -1, /**< New wired USB devices start out authorized, +- wireless USB devices do not. */ + None = 0, /**< Every new device starts out deauthorized. */ + All = 1, /**< Every new device starts out authorized. */ + Internal = 2, /**< Internal devices start out authorized, +diff -up ./usbguard-daemon.conf.in.wired ./usbguard-daemon.conf.in +--- ./usbguard-daemon.conf.in.wired 2020-05-20 13:56:50.809203248 +0200 ++++ ./usbguard-daemon.conf.in 2020-08-05 16:12:15.064272832 +0200 +@@ -91,8 +91,6 @@ InsertedDevicePolicy=apply-policy + # default authorization is set to. + # + # * keep - do not change the authorization state +-# * wired - new wired USB devices start out authorized, wireless USB +-# devices do not + # * none - every new device starts out deauthorized + # * all - every new device starts out authorized + # * internal - internal devices start out authorized, external devices start diff --git a/SOURCES/usbguard-rulesd.patch b/SOURCES/usbguard-rulesd.patch new file mode 100644 index 0000000..7c54c38 --- /dev/null +++ b/SOURCES/usbguard-rulesd.patch @@ -0,0 +1,13 @@ +diff -up ./src/Daemon/RuleSetFactory.cpp.orig ./src/Daemon/RuleSetFactory.cpp +--- ./src/Daemon/RuleSetFactory.cpp.orig 2020-08-11 11:10:00.924479577 +0200 ++++ ./src/Daemon/RuleSetFactory.cpp 2020-08-11 11:12:56.447279841 +0200 +@@ -74,7 +74,8 @@ namespace usbguard + ruleSet.push_back(rs); + } + } +- else if (ns.getRulesPath().empty()){ ++ ++ if (ruleSet.empty()){ + USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible."; + ruleSet = generateDefaultRuleSet(); + } diff --git a/SOURCES/usbguard-selinux-cpuinfo.patch b/SOURCES/usbguard-selinux-cpuinfo.patch new file mode 100644 index 0000000..2371d64 --- /dev/null +++ b/SOURCES/usbguard-selinux-cpuinfo.patch 
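Review bot: Removing `{ "wired", DeviceManager::AuthorizedDefaultType::Wired }` from `authorized_default_type_strings` means an existing usbguard-daemon.conf that still sets `AuthorizedDefault=wired` no longer maps to any value; how the lookup reports an unknown string is outside the hunk, but if it throws the daemon will fail to start after this update rather than degrade. Consider accepting `wired` for one release with a warning that maps it to `none` (the conservative neighbour), or at minimum call out the removal in the changelog so operators re-check their configuration before rebooting.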
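Review bot: After this change the fallback runs whenever `ruleSet` is empty, but the warning still reads `RuleFile not set`, which is misleading when a RuleFile or RuleFolder was configured but produced no rule set (empty, unreadable, or wrong label); an operator will hunt for a missing option instead of a broken policy source. Suggest `USBGUARD_LOG(Warning) << "No rule set loaded from RuleFile/RuleFolder; using the generated default. Modification of the permanent policy won't be possible.";`. Note also that the old `else if` only fell back when no path was set, whereas now a configured-but-empty source silently becomes whatever `generateDefaultRuleSet()` returns; if that default is more permissive than the operator's intended policy, a comment on the `if` should say so. The enclosing function starts and ends outside the hunk.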
@@ -0,0 +1,12 @@
+diff -up ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo ./usbguard-selinux-0.0.3/usbguard.te
+--- ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo 2020-06-18 15:53:40.161615146 +0200
++++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-18 15:54:28.399982328 +0200
+@@ -77,6 +77,8 @@ auth_read_passwd(usbguard_t)
+ dev_list_sysfs(usbguard_t)
+ dev_rw_sysfs(usbguard_t)
+ 
++kernel_read_system_state(usbguard_t)
++
+ list_dirs_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ dontaudit usbguard_t usbguard_conf_t:file write;
diff --git a/SOURCES/usbguard-selinux-list-dir.patch b/SOURCES/usbguard-selinux-list-dir.patch
new file mode 100644
index 0000000..9334b45
--- /dev/null
+++ b/SOURCES/usbguard-selinux-list-dir.patch
@@ -0,0 +1,11 @@
+diff -up ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir ./usbguard-selinux-0.0.3/usbguard.te
+--- ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir 2020-06-09 10:53:03.191977241 +0200
++++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-09 10:54:21.441965315 +0200
+@@ -81,6 +81,7 @@ list_dirs_pattern(usbguard_t,usbguard_co
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ dontaudit usbguard_t usbguard_conf_t:file write;
+ 
++list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)
+ 
+ manage_dirs_pattern(usbguard_t, usbguard_var_run_t, usbguard_var_run_t)
diff --git a/SOURCES/usbguard-selinux-rules-d.patch b/SOURCES/usbguard-selinux-rules-d.patch
new file mode 100644
index 0000000..5d56573
--- /dev/null
+++ b/SOURCES/usbguard-selinux-rules-d.patch
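Review bot: `kernel_read_system_state(usbguard_t)` grants read access to proc_t as a whole, i.e. system-wide /proc state, not just the /proc/cpuinfo the patch name implies. Reference policy has no narrower interface for cpuinfo, so the grant is the practical choice, but the .te should record why the daemon needs it so a later audit does not strip it; e.g. `# libgcrypt reads /proc/cpuinfo for CPU feature detection` if that is indeed the trigger (the cause is not visible in this patch).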
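Review bot: The added `list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)` together with the existing `read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)` gives the daemon read-only access to rules.d, yet the packaged usbguard-daemon.conf states the daemon writes rules received over IPC into RuleFolder. Unless a `manage_files_pattern` on usbguard_rules_t exists elsewhere in the policy (not in this hunk), permanent rule changes requested over IPC will be denied in enforcing mode and surface only as an AVC, which users tend to read as a usbguard bug. Worth confirming on an enforcing host before release and, if needed, adding `manage_files_pattern(usbguard_t, usbguard_rules_t, usbguard_rules_t)` with a comment tying it to RuleFolder.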
@@ -0,0 +1,22 @@ +From 008af22f238bfb97f6d337759732ac87bdef7b24 Mon Sep 17 00:00:00 2001 +From: alakatos +Date: Mon, 25 May 2020 15:27:38 +0200 +Subject: [PATCH] /etc/usrbuard/rules.d(/.*)? has usbguard_rules_t label right + after the installation + +--- + usbguard.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/usbguard.fc b/usbguard.fc +index bce3e8c..3e14720 100644 +--- a/usbguard-selinux-0.0.3/usbguard.fc ++++ b/usbguard-selinux-0.0.3/usbguard.fc +@@ -13,6 +13,7 @@ + # You should have received a copy of the GNU General Public License + # along with this program. If not, see . + ++/etc/usbguard/rules\.d(/.*)? gen_context(system_u:object_r:usbguard_rules_t,s0) + /etc/usbguard/rules.conf -- gen_context(system_u:object_r:usbguard_rules_t,s0) + /etc/usbguard(/.*)? gen_context(system_u:object_r:usbguard_conf_t,s0) + /dev/shm/qb-usbguard-.* -- gen_context(system_u:object_r:usbguard_tmpfs_t,s0) diff --git a/SOURCES/usbguard-service-fips.patch b/SOURCES/usbguard-service-fips.patch new file mode 100644 index 0000000..fce50c9 --- /dev/null +++ b/SOURCES/usbguard-service-fips.patch @@ -0,0 +1,13 @@ +diff -up ./usbguard.service.in.service-fips ./usbguard.service.in +--- ./usbguard.service.in.service-fips 2020-06-22 10:44:44.815860376 +0200 ++++ ./usbguard.service.in 2020-06-22 10:45:07.699135514 +0200 +@@ -6,8 +6,7 @@ Documentation=man:usbguard-daemon(8) + [Service] + AmbientCapabilities= + CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER +-DeviceAllow=/dev/null rw +-DevicePolicy=strict ++DevicePolicy=closed + ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf + IPAddressDeny=any + LockPersonality=yes diff --git a/SPECS/usbguard.spec b/SPECS/usbguard.spec index 138381f..886bc4c 100644 --- a/SPECS/usbguard.spec +++ b/SPECS/usbguard.spec 
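Review bot: Replacing `DeviceAllow=/dev/null rw` and `DevicePolicy=strict` with `DevicePolicy=closed` widens the cgroup device allow-list from one node to the standard pseudo-devices (/dev/null, zero, full, random, urandom); that is plausibly the minimum libgcrypt needs to seed under FIPS mode, which the patch name suggests, but nothing in the unit says so and the next hardening pass may reinstate strict. Add `# closed rather than strict: libgcrypt in FIPS mode must open /dev/random and /dev/urandom` above the DevicePolicy line. `PrivateDevices=yes` stays in the unit, so the daemon still only sees the private /dev that systemd populates.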
@@ -1,13 +1,14 @@ %global _hardened_build 1 - -%define with_gui_qt5 0 -%define with_dbus 1 +%global selinuxtype targeted +%global moduletype contrib +%define semodule_version 0.0.3 +%define notifier_version 0.0.6 %bcond_without check Name: usbguard -Version: 0.7.4 -Release: 4%{?dist} +Version: 0.7.8 +Release: 7%{?dist} Summary: A tool for implementing USB device usage policy Group: System Environment/Daemons License: GPLv2+ @@ -15,7 +16,9 @@ License: GPLv2+ # src/ThirdParty/Catch: Boost Software License - Version 1.0 URL: https://usbguard.github.io/ Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz -Source1: usbguard-daemon.conf +Source1: https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz +Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz +Source3: usbguard-daemon.conf Requires: systemd Requires(post): systemd @@ -23,7 +26,9 @@ Requires(preun): systemd Requires(postun): systemd Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig +Recommends: %{name}-selinux +BuildRequires: gcc-c++ BuildRequires: libqb-devel BuildRequires: libgcrypt-devel BuildRequires: libstdc++-devel 
@@ -37,21 +42,24 @@ BuildRequires: audit-libs-devel # For `pkg-config systemd` only BuildRequires: systemd -%if 0%{with_gui_qt5} -BuildRequires: qt5-qtbase-devel qt5-qtsvg-devel qt5-linguist -%endif - -%if 0%{with_dbus} BuildRequires: dbus-glib-devel BuildRequires: dbus-devel BuildRequires: glib2-devel BuildRequires: polkit-devel BuildRequires: libxslt BuildRequires: libxml2 -%endif -Patch0: usbguard-0.7.4-loadFilesError.patch -Patch1: match-all.patch +Patch1: usbguard-0.7.6-notifier.patch +Patch2: usbguard-selinux-rules-d.patch +Patch3: usbguard-selinux-list-dir.patch +Patch4: usbguard-forking-style.patch +Patch5: usbguard-selinux-cpuinfo.patch +Patch6: usbguard-service-fips.patch + +Patch7: usbguard-permission-check.patch +Patch8: usbguard-removed-wired.patch +Patch9: usbguard-rulesd.patch + %description The USBGuard software framework helps to protect your computer against rogue USB @@ -78,22 +86,6 @@ Requires: %{name} = %{version}-%{release} The %{name}-tools package contains optional tools from the USBGuard software framework. -%if 0%{with_gui_qt5} -### -%package applet-qt -Summary: USBGuard Qt 5.x Applet -Group: Applications/System -Requires: %{name} = %{version}-%{release} -Obsoletes: usbguard-applet-qt <= 0.3 - -%description applet-qt -The %{name}-applet-qt package contains an optional Qt 5.x desktop applet -for interacting with the USBGuard daemon component. -### -%endif - -%if 0%{with_dbus} -### %package dbus Summary: USBGuard D-Bus Service Group: Applications/System 
@@ -104,17 +96,57 @@ Requires: polkit %description dbus The %{name}-dbus package contains an optional component that provides a D-Bus interface to the USBGuard daemon component. -### -%endif +%package selinux +Summary: USBGuard selinux +Group: Applications/System +Requires: %{name} = %{version}-%{release} +BuildRequires: selinux-policy +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description selinux +The %{name}-selinux package contains selinux policy for the USBGuard +daemon. + +%package notifier +Summary: A tool for detecting usbguard policy and device presence changes +Group: Applications/System +Requires: %{name} = %{version}-%{release} +Requires: systemd +BuildRequires: librsvg2-devel +BuildRequires: libnotify-devel +BuildRequires: execstack + +%description notifier +The %{name}-notifier package detects usbguard policy modifications as well as +device presence changes and displays them as pop-up notifications. + +# usbguard %prep %setup -q -%patch0 -p1 -b .loadFilesError -%patch1 -p1 -b .matchallkeyword + +# selinux +%setup -q -D -T -a 1 + +# notifier +%setup -q -D -T -a 2 # Remove bundled library sources before build rm -rf src/ThirdParty/{Catch,PEGTL} +%patch1 -p1 -b .notifier +%patch2 -p1 -b .rules-d-selinux +%patch3 -p1 -b .list-dir +%patch4 -p1 -b .forking +%patch5 -p1 -b .cpuinfo +%patch6 -p1 -b .service-fips + +%patch7 -p1 -b .perm +%patch8 -p1 -b .wired +%patch9 -p1 -b .rulesd + %build mkdir -p ./m4 autoreconf -i -v --no-recursive ./ 
@@ -123,32 +155,62 @@ autoreconf -i -v --no-recursive ./ --without-bundled-catch \ --without-bundled-pegtl \ --enable-systemd \ -%if 0%{with_gui_qt5} - --with-gui-qt=qt5 \ -%endif -%if 0%{with_dbus} --with-dbus \ --with-polkit \ -%else - --without-dbus \ - --without-polkit \ -%endif --with-crypto-library=gcrypt make %{?_smp_mflags} +# selinux +pushd %{name}-selinux-%{semodule_version} +make +popd + +# notifier +pushd %{name}-notifier-%{notifier_version} +mkdir -p ./m4 +autoreconf -i -v --no-recursive ./ +export CXXFLAGS="$RPM_OPT_FLAGS" +%configure \ + --disable-silent-rules \ + --without-bundled-catch \ + --enable-debug-build \ + --disable-notifier-cli \ + --with-usbguard-devel="../" + +%set_build_flags +make %{?_smp_mflags} +popd + %if %{with check} %check make check %endif +# selinux +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + %install make install INSTALL='install -p' DESTDIR=%{buildroot} # Overwrite configuration with distribution defaults mkdir -p %{buildroot}%{_sysconfdir}/usbguard +mkdir -p %{buildroot}%{_sysconfdir}/usbguard/rules.d mkdir -p %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d -install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf +install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf + +# selinux +install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} +install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if + +# notifier +pushd %{name}-notifier-%{notifier_version} +make install INSTALL='install -p' DESTDIR=%{buildroot} +#execstack -c %{buildroot}%{_bindir}/%{name}-notifier +popd # Cleanup find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' 
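Review bot: The notifier is configured with `--enable-debug-build` in what is a production package; if that switch enables debug logging or assertions it should be confirmed as intentional or dropped, and the reason kept as a comment next to it. In the same block `%set_build_flags` is invoked after `%configure`, so it only affects the `make` step, while `export CXXFLAGS="$RPM_OPT_FLAGS"` duplicates what `%configure` already exports; moving `%set_build_flags` above `%configure` and removing the export would make the flags the configure checks see match the ones used to compile. Separately, `%pre selinux` is placed between %check and %install whereas the other selinux scriptlets are grouped after `%files selinux` in a later hunk; keeping them together would make the scriptlet set easier to audit.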
@@ -173,6 +235,7 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %{_bindir}/usbguard %dir %{_localstatedir}/log/usbguard %dir %{_sysconfdir}/usbguard +%dir %{_sysconfdir}/usbguard/rules.d/ %dir %{_sysconfdir}/usbguard/IPCAccessControl.d %config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf %config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf @@ -193,25 +256,13 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %defattr(-,root,root,-) %{_bindir}/usbguard-rule-parser -%if 0%{with_gui_qt5} -### -%files applet-qt -%defattr(-,root,root,-) -%{_bindir}/usbguard-applet-qt -%{_mandir}/man1/usbguard-applet-qt.1.gz -%{_datadir}/applications/usbguard-applet-qt.desktop -%{_datadir}/icons/hicolor/scalable/apps/usbguard-icon.svg -### -%endif -%if 0%{with_dbus} -### %files dbus %defattr(-,root,root,-) %{_sbindir}/usbguard-dbus -%{_datadir}/dbus-1/system-services/org.usbguard.service -%{_datadir}/dbus-1/system.d/org.usbguard.conf -%{_datadir}/polkit-1/actions/org.usbguard.policy +%{_datadir}/dbus-1/system-services/org.usbguard1.service +%{_datadir}/dbus-1/system.d/org.usbguard1.conf +%{_datadir}/polkit-1/actions/org.usbguard1.policy %{_unitdir}/usbguard-dbus.service %{_mandir}/man8/usbguard-dbus.8.gz 
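Review bot: The new `%dir %{_sysconfdir}/usbguard/rules.d/` entry carries no `%attr`, so the directory is packaged with default permissions even though `rules.conf` two lines below is shipped `%attr(0600,-,-)`; rule fragments dropped into rules.d hold the same device policy, so `%dir %attr(0700,-,-) %{_sysconfdir}/usbguard/rules.d` would keep the two consistent, assuming the daemon reads the directory as root the way it reads rules.conf. The trailing slash is also inconsistent with the sibling `%dir` lines in this block.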
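Review bot: The D-Bus service file, bus policy and polkit actions move from `org.usbguard` to `org.usbguard1`, which changes the well-known bus name clients connect to and the polkit action ids, yet none of the visible changelog entries in the last hunk mention it. Add a line such as `- D-Bus interface renamed from org.usbguard to org.usbguard1` to the relevant entry so administrators with custom polkit rules or bus policy for the old name know to update them. Whether the rename comes from the 0.7.8 rebase or from one of the local patches is not visible in this diff.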
@@ -223,10 +274,80 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %postun dbus %systemd_postun_with_restart usbguard-dbus.service -### -%endif + +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name} +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} + +%files notifier +%defattr(-,root,root,-) +%doc %{name}-notifier-%{notifier_version}/README.md %{name}-notifier-%{notifier_version}/CHANGELOG.md +%license %{name}-notifier-%{notifier_version}/LICENSE +%{_bindir}/%{name}-notifier +%{_mandir}/man1/%{name}-notifier.1.gz +%{_userunitdir}/%{name}-notifier.service + +%post notifier +%systemd_user_post %{name}-notifier.service + +%preun notifier +%systemd_user_preun %{name}-notifier.service + +%postun notifier +%systemd_user_postun_with_restart %{name}-notifier.service + %changelog +* Tue Aug 11 2020 Attila Lakatos - 0.7.8-7 +- Do not cause segfault in case of an empty rulesd folder +Resolves: rhbz#1738590 + +* Wed Aug 05 2020 Radovan Sroka - 0.7.8-6 +- RHEL 8.3.0 ERRATUM +- Removed execstack from .spec +- Removed AuthorizedDefault=wired from the usbguard +Resolves: rhbz#1852539 +- Missing error message on bad configuration +Resolves: rhbz#1857299 +- /etc/usbguard/usbguard-daemon.conf file does not contain all default options +Resolves: rhbz#1862907 + +* Wed Jun 17 2020 Radovan Sroka - 0.7.8-5 +- RHEL 8.3.0 ERRATUM +- Use old-fasioned forking style in unit file +Resolves: rhbz#1846885 +- Allow usbguard to read /proc/cpuinfo +Resolves: rhbz#1847870 +- Removed notifier's Requires for usbguard-devel +Resolves: rhbz#1667395 +- Allow usbguard to read /dev/urandom 
+Resolves: rhbz#1848618 + +* Wed May 06 2020 Attila Lakatos - 0.7.8-4 +- RHEL 8.3.0 ERRATUM +- Spec file clean up +- Rebase to 0.7.8 +Resolves: rhbz#1738590 +- Added selinux subpackage +Resolves: rhbz#1683567 +- Added notifier subpackage +- Installing /etc/usbguard/rules.d/ +Resolves: rhbz#1667395 +- Fixed sigwaitinfo handling +Resolves: rhbz#1835210 + * Mon Nov 25 2019 Marek Tamaskovic - 0.7.4-4 - add match-all keyword