import usbguard-1.0.0-2.el8

.gitignore

@@ -1,3 +1,3 @@
-SOURCES/usbguard-0.7.8.tar.gz
+SOURCES/usbguard-1.0.0.tar.gz
 SOURCES/usbguard-notifier-0.0.6.tar.gz
 SOURCES/usbguard-selinux-0.0.3.tar.gz

.usbguard.metadata

@@ -1,3 +1,3 @@
-d8bbd3e9f4f0deb1418f71422e7fab3d14053412 SOURCES/usbguard-0.7.8.tar.gz
+bf909799daae6798634e1b01efaaadc5781b9755 SOURCES/usbguard-1.0.0.tar.gz
 7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
 e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz

SOURCES/usbguard-audit-capability.patch

@@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
+--- usbguard-1.0.0/usbguard.service.in.orig	2021-03-17 14:16:21.675374844 +0100
++++ usbguard-1.0.0/usbguard.service.in	2021-03-17 14:16:29.056373213 +0100
+@@ -5,7 +5,7 @@ Documentation=man:usbguard-daemon(8)
+ 
+ [Service]
+ AmbientCapabilities=
+-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
++CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any

SOURCES/usbguard-forking-style.patch

@@ -1,34 +0,0 @@
-diff -up ./usbguard.service.in.forking ./usbguard.service.in
---- ./usbguard.service.in.forking	2020-06-17 20:07:04.720564149 +0200
-+++ ./usbguard.service.in	2020-06-17 20:10:00.744063846 +0200
-@@ -8,11 +8,12 @@ AmbientCapabilities=
- CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
- DeviceAllow=/dev/null rw
- DevicePolicy=strict
--ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
-+ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
- NoNewPrivileges=yes
-+PIDFile=/var/run/usbguard.pid
- PrivateDevices=yes
- PrivateTmp=yes
- ProtectControlGroups=yes
-@@ -20,14 +21,14 @@ ProtectHome=yes
- ProtectKernelModules=yes
- ProtectSystem=yes
- ReadOnlyPaths=-/
--ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
-+ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -/var/run
- Restart=on-failure
- RestrictAddressFamilies=AF_UNIX AF_NETLINK
- RestrictNamespaces=yes
- RestrictRealtime=yes
- SystemCallArchitectures=native
- SystemCallFilter=@system-service
--Type=simple
-+Type=forking
- UMask=0077
- 
- [Install]

SOURCES/usbguard-permission-check.patch

@@ -1,69 +0,0 @@
-From 39fc4c24333c3bf42eba0855f3b75ccea99865a4 Mon Sep 17 00:00:00 2001
-From: Radovan Sroka <rsroka@redhat.com>
-Date: Tue, 21 Jul 2020 16:24:15 +0200
-Subject: [PATCH] Added permissions check also for IPC access files
-
-Signed-off-by: Radovan Sroka <rsroka@redhat.com>
----
- src/Common/Utility.cpp |  2 +-
- src/Common/Utility.hpp |  2 +-
- src/Daemon/Daemon.cpp  | 13 +++++++++----
- 3 files changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/src/Common/Utility.cpp b/src/Common/Utility.cpp
-index d9fc26a..8eb4bd7 100644
---- a/src/Common/Utility.cpp
-+++ b/src/Common/Utility.cpp
-@@ -524,7 +524,7 @@ namespace usbguard
-     std::string file_name;
- 
-     if (!dir_fd) {
--      throw Exception("getConfigsFromDir", "opendir: " + path , strerror(errno));
-+      throw Exception("getConfigsFromDir", "opendir: " + path, strerror(errno));
-     }
- 
-     while ((dp = readdir(dir_fd)) != NULL) { // iterate over directory for file entries
-diff --git a/src/Common/Utility.hpp b/src/Common/Utility.hpp
-index df1afcd..4e90364 100644
---- a/src/Common/Utility.hpp
-+++ b/src/Common/Utility.hpp
-@@ -192,7 +192,7 @@ namespace usbguard
-   [](const std::pair<std::string, std::string>& a, const std::pair<std::string, std::string>& b) -> bool {
-     return a.first < b.first;
-   },
--  bool directory_required = false);
-+  bool directory_required = true);
- 
-   /**
-    * Remove prefix from string.
-diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp
-index acc148f..9e67a3a 100644
---- a/src/Daemon/Daemon.cpp
-+++ b/src/Daemon/Daemon.cpp
-@@ -327,8 +327,13 @@ namespace usbguard
- 
-     /* IPCAccessControlFiles */
-     if (_config.hasSettingValue("IPCAccessControlFiles")) {
--      const std::string value = _config.getSettingValue("IPCAccessControlFiles");
--      loadIPCAccessControlFiles(value);
-+      const std::string ipc_dir = _config.getSettingValue("IPCAccessControlFiles");
-+
-+      if (check_permissions) {
-+        checkFolderPermissions(ipc_dir, (S_IRUSR | S_IWUSR));
-+      }
-+
-+      loadIPCAccessControlFiles(ipc_dir);
-     }
- 
-     /* AuditBackend */
-@@ -1030,8 +1035,8 @@ namespace usbguard
- 
-     /* Generate a match rule for upsert */
-     std::shared_ptr<Rule> match_rule = device->getDeviceRule(/*with-port=*/false,
--							     /*with-parent-hash=*/false,
--							     /*match_rule=*/true);
-+        /*with-parent-hash=*/false,
-+        /*match_rule=*/true);
-     const std::string match_spec = match_rule->toString();
-     USBGUARD_LOG(Debug) << "match_spec=" << match_spec;
-     /* Generate new device rule */

SOURCES/usbguard-removed-wired.patch

@@ -1,48 +0,0 @@
-diff -up ./doc/man/usbguard-daemon.conf.5.adoc.wired ./doc/man/usbguard-daemon.conf.5.adoc
---- ./doc/man/usbguard-daemon.conf.5.adoc.wired	2020-08-05 16:12:15.064272832 +0200
-+++ ./doc/man/usbguard-daemon.conf.5.adoc	2020-08-05 16:14:04.146885179 +0200
-@@ -51,8 +51,7 @@ It may be overridden using the *-c* comm
-     The USBGuard daemon modifies some of the default authorization state
-     attributes of controller devices. This setting, enables you to define what
-     value the default authorization is set to. Authorized default should be one
--    of `keep` (do not change autorization state), `wired` (new wired USB
--    devices start out authorized, wireless do not), `none` (every new device
-+    of `keep` (do not change autorization state), `none` (every new device
-     starts out deauthorized), `all` (every new device starts out authorized) or
-     `internal` (internal devices start out authorized, external do not).
- 
-diff -up ./src/Library/public/usbguard/DeviceManager.cpp.wired ./src/Library/public/usbguard/DeviceManager.cpp
---- ./src/Library/public/usbguard/DeviceManager.cpp.wired	2019-11-16 18:32:45.220532059 +0100
-+++ ./src/Library/public/usbguard/DeviceManager.cpp	2020-08-05 16:12:15.064272832 +0200
-@@ -71,7 +71,6 @@ namespace usbguard
- 
-   static const std::vector<std::pair<std::string, DeviceManager::AuthorizedDefaultType>> authorized_default_type_strings = {
-     { "keep", DeviceManager::AuthorizedDefaultType::Keep },
--    { "wired", DeviceManager::AuthorizedDefaultType::Wired },
-     { "none", DeviceManager::AuthorizedDefaultType::None },
-     { "all", DeviceManager::AuthorizedDefaultType::All },
-     { "internal", DeviceManager::AuthorizedDefaultType::Internal }
-diff -up ./src/Library/public/usbguard/DeviceManager.hpp.wired ./src/Library/public/usbguard/DeviceManager.hpp
---- ./src/Library/public/usbguard/DeviceManager.hpp.wired	2020-05-14 13:45:48.183508037 +0200
-+++ ./src/Library/public/usbguard/DeviceManager.hpp	2020-08-05 16:12:15.064272832 +0200
-@@ -60,8 +60,6 @@ namespace usbguard
-      */
-     enum class AuthorizedDefaultType {
-       Keep = -128, /**< Do not change the authorization state. */
--      Wired = -1, /**< New wired USB devices start out authorized,
--                    wireless USB devices do not. */
-       None = 0, /**< Every new device starts out deauthorized. */
-       All = 1, /**< Every new device starts out authorized. */
-       Internal = 2, /**< Internal devices start out authorized,
-diff -up ./usbguard-daemon.conf.in.wired ./usbguard-daemon.conf.in
---- ./usbguard-daemon.conf.in.wired	2020-05-20 13:56:50.809203248 +0200
-+++ ./usbguard-daemon.conf.in	2020-08-05 16:12:15.064272832 +0200
-@@ -91,8 +91,6 @@ InsertedDevicePolicy=apply-policy
- # default authorization is set to.
- #
- # * keep         - do not change the authorization state
--# * wired        - new wired USB devices start out authorized, wireless USB
--#                  devices do not
- # * none         - every new device starts out deauthorized
- # * all          - every new device starts out authorized
- # * internal     - internal devices start out authorized, external devices start

SOURCES/usbguard-rulesd.patch

@@ -1,13 +0,0 @@
-diff -up ./src/Daemon/RuleSetFactory.cpp.orig ./src/Daemon/RuleSetFactory.cpp
---- ./src/Daemon/RuleSetFactory.cpp.orig	2020-08-11 11:10:00.924479577 +0200
-+++ ./src/Daemon/RuleSetFactory.cpp	2020-08-11 11:12:56.447279841 +0200
-@@ -74,7 +74,8 @@ namespace usbguard
-           ruleSet.push_back(rs);
-         }
-       }
--      else if (ns.getRulesPath().empty()){
-+
-+      if (ruleSet.empty()){
-         USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible.";
-         ruleSet = generateDefaultRuleSet();
-       }

SOURCES/usbguard-selinux-audit-capability.patch

@@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te
+--- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig	2021-03-17 15:08:59.975712403 +0100
++++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te	2021-03-17 15:09:21.565708348 +0100
+@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t)
+ # Local policy
+ #
+ 
+-allow usbguard_t self:capability { chown fowner };
++allow usbguard_t self:capability { chown fowner audit_write };
+ allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read };
+ allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+ 

SOURCES/usbguard-service-fips.patch

@@ -1,13 +0,0 @@
-diff -up ./usbguard.service.in.service-fips ./usbguard.service.in
---- ./usbguard.service.in.service-fips	2020-06-22 10:44:44.815860376 +0200
-+++ ./usbguard.service.in	2020-06-22 10:45:07.699135514 +0200
-@@ -6,8 +6,7 @@ Documentation=man:usbguard-daemon(8)
- [Service]
- AmbientCapabilities=
- CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
--DeviceAllow=/dev/null rw
--DevicePolicy=strict
-+DevicePolicy=closed
- ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
- IPAddressDeny=any
- LockPersonality=yes

SPECS/usbguard.spec

@@ -7,8 +7,8 @@
 %bcond_without check
 
 Name:           usbguard
-Version:        0.7.8
-Release:        7%{?dist}
+Version:        1.0.0
+Release:        2%{?dist}
 Summary:        A tool for implementing USB device usage policy
 Group:          System Environment/Daemons
 License:        GPLv2+
@@ -52,14 +52,9 @@ BuildRequires: libxml2
 Patch1: usbguard-0.7.6-notifier.patch
 Patch2: usbguard-selinux-rules-d.patch
 Patch3: usbguard-selinux-list-dir.patch
-Patch4: usbguard-forking-style.patch
-Patch5: usbguard-selinux-cpuinfo.patch
-Patch6: usbguard-service-fips.patch
-
-Patch7: usbguard-permission-check.patch
-Patch8: usbguard-removed-wired.patch
-Patch9: usbguard-rulesd.patch
-
+Patch4: usbguard-selinux-cpuinfo.patch
+Patch5: usbguard-audit-capability.patch
+Patch6: usbguard-selinux-audit-capability.patch
 
 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@@ -139,13 +134,9 @@ rm -rf src/ThirdParty/{Catch,PEGTL}
 %patch1 -p1 -b .notifier
 %patch2 -p1 -b .rules-d-selinux
 %patch3 -p1 -b .list-dir
-%patch4 -p1 -b .forking
-%patch5 -p1 -b .cpuinfo
-%patch6 -p1 -b .service-fips
-
-%patch7 -p1 -b .perm
-%patch8 -p1 -b .wired
-%patch9 -p1 -b .rulesd
+%patch4 -p1 -b .cpuinfo
+%patch5 -p1 -b .audit-capability
+%patch6 -p1 -b .selinux-audit-capability
 
 %build
 mkdir -p ./m4
@@ -310,6 +301,18 @@ fi
 
 
 %changelog
+* Wed Mar 17 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-2
+- Add CAP_AUDIT_WRITE capability to service file
+Resolves: rhbz#1940060
+
+* Tue Jan 19 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-1
+- Rebase to 1.0.0
+Resolves: rhbz#1887448
+- Filtering rules by attribute
+Resolves: rhbz#1873953
+- Change device policy of multiple devices using rule instead of ID
+Resolves: rhbz#1852568
+
 * Tue Aug 11 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-7
 - Do not cause segfault in case of an empty rulesd folder
 Resolves: rhbz#1738590