From 36ae2592e5dccb0a1798a707b181dca913e149f1 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 18 May 2021 02:59:14 -0400
Subject: [PATCH] import usbguard-1.0.0-2.el8
---
 .gitignore | 2 +-
 .usbguard.metadata | 2 +-
 SOURCES/usbguard-audit-capability.patch | 12 ++++
 SOURCES/usbguard-forking-style.patch | 34 ---------
 SOURCES/usbguard-permission-check.patch | 69 -------------------
 SOURCES/usbguard-removed-wired.patch | 48 -------------
 SOURCES/usbguard-rulesd.patch | 13 ----
 .../usbguard-selinux-audit-capability.patch | 12 ++++
 SOURCES/usbguard-service-fips.patch | 13 ----
 SPECS/usbguard.spec | 37 +++++-----
 10 files changed, 46 insertions(+), 196 deletions(-)
 create mode 100644 SOURCES/usbguard-audit-capability.patch
 delete mode 100644 SOURCES/usbguard-forking-style.patch
 delete mode 100644 SOURCES/usbguard-permission-check.patch
 delete mode 100644 SOURCES/usbguard-removed-wired.patch
 delete mode 100644 SOURCES/usbguard-rulesd.patch
 create mode 100644 SOURCES/usbguard-selinux-audit-capability.patch
 delete mode 100644 SOURCES/usbguard-service-fips.patch
diff --git a/.gitignore b/.gitignore
index 4626c85..1da3842 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-SOURCES/usbguard-0.7.8.tar.gz
+SOURCES/usbguard-1.0.0.tar.gz
 SOURCES/usbguard-notifier-0.0.6.tar.gz
 SOURCES/usbguard-selinux-0.0.3.tar.gz
diff --git a/.usbguard.metadata b/.usbguard.metadata
index 8582250..91463cb 100644
--- a/.usbguard.metadata
+++ b/.usbguard.metadata
@@ -1,3 +1,3 @@
-d8bbd3e9f4f0deb1418f71422e7fab3d14053412 SOURCES/usbguard-0.7.8.tar.gz
+bf909799daae6798634e1b01efaaadc5781b9755 SOURCES/usbguard-1.0.0.tar.gz
 7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
 e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz
diff --git a/SOURCES/usbguard-audit-capability.patch b/SOURCES/usbguard-audit-capability.patch
new file mode 100644
index 0000000..934a25a
--- /dev/null
+++ b/SOURCES/usbguard-audit-capability.patch
@@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
+--- usbguard-1.0.0/usbguard.service.in.orig 2021-03-17 14:16:21.675374844 +0100
++++ usbguard-1.0.0/usbguard.service.in 2021-03-17 14:16:29.056373213 +0100
+@@ -5,7 +5,7 @@ Documentation=man:usbguard-daemon(8)
+ 
+ [Service]
+ AmbientCapabilities=
+-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
++CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
diff --git a/SOURCES/usbguard-forking-style.patch b/SOURCES/usbguard-forking-style.patch
deleted file mode 100644
index 8a6500a..0000000
--- a/SOURCES/usbguard-forking-style.patch
+++ /dev/null
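Review bot: The added CapabilityBoundingSet entry widens the daemon's capability set without any comment in the unit saying which feature needs CAP_AUDIT_WRITE; the only rationale on this commit is the changelog line "Add CAP_AUDIT_WRITE capability to service file". AmbientCapabilities= stays empty and no User= is visible in the hunk, so the service presumably runs as root and the bounding set is what actually limits it, which makes a widening there worth an in-unit justification, e.g. `# CAP_AUDIT_WRITE: lets the daemon emit records on the audit netlink socket (Linux audit backend)` above the changed line. Sending on that socket also depends on RestrictAddressFamilies still allowing AF_NETLINK in the 1.0.0 unit, which is outside this hunk; the companion SELinux patch in this commit already grants netlink_audit_socket, so it presumably does, but it is worth confirming when the patch is applied.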
@@ -1,34 +0,0 @@ -diff -up ./usbguard.service.in.forking ./usbguard.service.in ---- ./usbguard.service.in.forking 2020-06-17 20:07:04.720564149 +0200 -+++ ./usbguard.service.in 2020-06-17 20:10:00.744063846 +0200 -@@ -8,11 +8,12 @@ AmbientCapabilities= - CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER - DeviceAllow=/dev/null rw - DevicePolicy=strict --ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf -+ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf - IPAddressDeny=any - LockPersonality=yes - MemoryDenyWriteExecute=yes - NoNewPrivileges=yes -+PIDFile=/var/run/usbguard.pid - PrivateDevices=yes - PrivateTmp=yes - ProtectControlGroups=yes -@@ -20,14 +21,14 @@ ProtectHome=yes - ProtectKernelModules=yes - ProtectSystem=yes - ReadOnlyPaths=-/ --ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -+ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -/var/run - Restart=on-failure - RestrictAddressFamilies=AF_UNIX AF_NETLINK - RestrictNamespaces=yes - RestrictRealtime=yes - SystemCallArchitectures=native - SystemCallFilter=@system-service --Type=simple -+Type=forking - UMask=0077 - - [Install] diff --git a/SOURCES/usbguard-permission-check.patch b/SOURCES/usbguard-permission-check.patch deleted file mode 100644 index d9266e5..0000000 --- a/SOURCES/usbguard-permission-check.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 39fc4c24333c3bf42eba0855f3b75ccea99865a4 Mon Sep 17 00:00:00 2001 -From: Radovan Sroka -Date: Tue, 21 Jul 2020 16:24:15 +0200 -Subject: [PATCH] Added permissions check also for IPC access files - -Signed-off-by: Radovan Sroka ---- - src/Common/Utility.cpp | 2 +- - src/Common/Utility.hpp | 2 +- - src/Daemon/Daemon.cpp | 13 +++++++++---- - 3 files changed, 11 insertions(+), 6 deletions(-) - -diff --git a/src/Common/Utility.cpp b/src/Common/Utility.cpp -index d9fc26a..8eb4bd7 100644 ---- a/src/Common/Utility.cpp -+++ b/src/Common/Utility.cpp -@@ -524,7 +524,7 @@ namespace usbguard - std::string file_name; - - if (!dir_fd) { -- throw Exception("getConfigsFromDir", "opendir: " + path , strerror(errno)); -+ throw Exception("getConfigsFromDir", "opendir: " + path, strerror(errno)); - } - - while ((dp = readdir(dir_fd)) != NULL) { // iterate over directory for file entries -diff --git a/src/Common/Utility.hpp b/src/Common/Utility.hpp -index df1afcd..4e90364 100644 ---- a/src/Common/Utility.hpp -+++ b/src/Common/Utility.hpp -@@ -192,7 +192,7 @@ namespace usbguard - [](const std::pair& a, const std::pair& b) -> bool { - return a.first < b.first; - }, -- bool directory_required = false); -+ bool directory_required = true); - - /** - * Remove prefix from string. 
-diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp -index acc148f..9e67a3a 100644 ---- a/src/Daemon/Daemon.cpp -+++ b/src/Daemon/Daemon.cpp -@@ -327,8 +327,13 @@ namespace usbguard - - /* IPCAccessControlFiles */ - if (_config.hasSettingValue("IPCAccessControlFiles")) { -- const std::string value = _config.getSettingValue("IPCAccessControlFiles"); -- loadIPCAccessControlFiles(value); -+ const std::string ipc_dir = _config.getSettingValue("IPCAccessControlFiles"); -+ -+ if (check_permissions) { -+ checkFolderPermissions(ipc_dir, (S_IRUSR | S_IWUSR)); -+ } -+ -+ loadIPCAccessControlFiles(ipc_dir); - } - - /* AuditBackend */ -@@ -1030,8 +1035,8 @@ namespace usbguard - - /* Generate a match rule for upsert */ - std::shared_ptr match_rule = device->getDeviceRule(/*with-port=*/false, -- /*with-parent-hash=*/false, -- /*match_rule=*/true); -+ /*with-parent-hash=*/false, -+ /*match_rule=*/true); - const std::string match_spec = match_rule->toString(); - USBGUARD_LOG(Debug) << "match_spec=" << match_spec; - /* Generate new device rule */ diff --git a/SOURCES/usbguard-removed-wired.patch b/SOURCES/usbguard-removed-wired.patch deleted file mode 100644 index 5e87154..0000000 --- a/SOURCES/usbguard-removed-wired.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -diff -up ./doc/man/usbguard-daemon.conf.5.adoc.wired ./doc/man/usbguard-daemon.conf.5.adoc ---- ./doc/man/usbguard-daemon.conf.5.adoc.wired 2020-08-05 16:12:15.064272832 +0200 -+++ ./doc/man/usbguard-daemon.conf.5.adoc 2020-08-05 16:14:04.146885179 +0200 -@@ -51,8 +51,7 @@ It may be overridden using the *-c* comm - The USBGuard daemon modifies some of the default authorization state - attributes of controller devices. This setting, enables you to define what - value the default authorization is set to. Authorized default should be one -- of `keep` (do not change autorization state), `wired` (new wired USB -- devices start out authorized, wireless do not), `none` (every new device -+ of `keep` (do not change autorization state), `none` (every new device - starts out deauthorized), `all` (every new device starts out authorized) or - `internal` (internal devices start out authorized, external do not). - -diff -up ./src/Library/public/usbguard/DeviceManager.cpp.wired ./src/Library/public/usbguard/DeviceManager.cpp ---- ./src/Library/public/usbguard/DeviceManager.cpp.wired 2019-11-16 18:32:45.220532059 +0100 -+++ ./src/Library/public/usbguard/DeviceManager.cpp 2020-08-05 16:12:15.064272832 +0200 -@@ -71,7 +71,6 @@ namespace usbguard - - static const std::vector> authorized_default_type_strings = { - { "keep", DeviceManager::AuthorizedDefaultType::Keep }, -- { "wired", DeviceManager::AuthorizedDefaultType::Wired }, - { "none", DeviceManager::AuthorizedDefaultType::None }, - { "all", DeviceManager::AuthorizedDefaultType::All }, - { "internal", DeviceManager::AuthorizedDefaultType::Internal } -diff -up ./src/Library/public/usbguard/DeviceManager.hpp.wired ./src/Library/public/usbguard/DeviceManager.hpp ---- ./src/Library/public/usbguard/DeviceManager.hpp.wired 2020-05-14 13:45:48.183508037 +0200 -+++ ./src/Library/public/usbguard/DeviceManager.hpp 2020-08-05 16:12:15.064272832 +0200 -@@ -60,8 +60,6 @@ namespace usbguard - */ - enum class 
AuthorizedDefaultType { - Keep = -128, /**< Do not change the authorization state. */ -- Wired = -1, /**< New wired USB devices start out authorized, -- wireless USB devices do not. */ - None = 0, /**< Every new device starts out deauthorized. */ - All = 1, /**< Every new device starts out authorized. */ - Internal = 2, /**< Internal devices start out authorized, -diff -up ./usbguard-daemon.conf.in.wired ./usbguard-daemon.conf.in ---- ./usbguard-daemon.conf.in.wired 2020-05-20 13:56:50.809203248 +0200 -+++ ./usbguard-daemon.conf.in 2020-08-05 16:12:15.064272832 +0200 -@@ -91,8 +91,6 @@ InsertedDevicePolicy=apply-policy - # default authorization is set to. - # - # * keep - do not change the authorization state --# * wired - new wired USB devices start out authorized, wireless USB --# devices do not - # * none - every new device starts out deauthorized - # * all - every new device starts out authorized - # * internal - internal devices start out authorized, external devices start diff --git a/SOURCES/usbguard-rulesd.patch b/SOURCES/usbguard-rulesd.patch deleted file mode 100644 index 7c54c38..0000000 --- a/SOURCES/usbguard-rulesd.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up ./src/Daemon/RuleSetFactory.cpp.orig ./src/Daemon/RuleSetFactory.cpp ---- ./src/Daemon/RuleSetFactory.cpp.orig 2020-08-11 11:10:00.924479577 +0200 -+++ ./src/Daemon/RuleSetFactory.cpp 2020-08-11 11:12:56.447279841 +0200 -@@ -74,7 +74,8 @@ namespace usbguard - ruleSet.push_back(rs); - } - } -- else if (ns.getRulesPath().empty()){ -+ -+ if (ruleSet.empty()){ - USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible."; - ruleSet = generateDefaultRuleSet(); - } diff --git a/SOURCES/usbguard-selinux-audit-capability.patch b/SOURCES/usbguard-selinux-audit-capability.patch new file mode 100644 index 0000000..46bc72e --- /dev/null +++ b/SOURCES/usbguard-selinux-audit-capability.patch 
@@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te
+--- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig 2021-03-17 15:08:59.975712403 +0100
++++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te 2021-03-17 15:09:21.565708348 +0100
+@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t)
+ # Local policy
+ #
+ 
+-allow usbguard_t self:capability { chown fowner };
++allow usbguard_t self:capability { chown fowner audit_write };
+ allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read };
+ allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+ 
diff --git a/SOURCES/usbguard-service-fips.patch b/SOURCES/usbguard-service-fips.patch
deleted file mode 100644
index fce50c9..0000000
--- a/SOURCES/usbguard-service-fips.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up ./usbguard.service.in.service-fips ./usbguard.service.in
---- ./usbguard.service.in.service-fips 2020-06-22 10:44:44.815860376 +0200
-+++ ./usbguard.service.in 2020-06-22 10:45:07.699135514 +0200
-@@ -6,8 +6,7 @@ Documentation=man:usbguard-daemon(8)
- [Service]
- AmbientCapabilities=
- CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
--DeviceAllow=/dev/null rw
--DevicePolicy=strict
-+DevicePolicy=closed
- ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
- IPAddressDeny=any
- LockPersonality=yes
diff --git a/SPECS/usbguard.spec b/SPECS/usbguard.spec
index 886bc4c..e2a7abb 100644
--- a/SPECS/usbguard.spec
+++ b/SPECS/usbguard.spec
@@ -7,8 +7,8 @@ %bcond_without check
 Name: usbguard
-Version: 0.7.8
-Release: 7%{?dist}
+Version: 1.0.0
+Release: 2%{?dist}
 Summary: A tool for implementing USB device usage policy
 Group: System Environment/Daemons
 License: GPLv2+
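Review bot: The new allow line extends the raw self:capability rule with audit_write while the context line two below it already carries a raw self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms } rule; the refpolicy interface that bundles exactly this pair is `logging_send_audit_msgs(usbguard_t)`, so if the policy headers this module builds against provide it, the two raw rules could be replaced by that single call. That keeps the audit grant in one place and ties it to the matching CAP_AUDIT_WRITE added to the unit file elsewhere in this commit. If the raw rules are kept, a one-line comment above them naming the reason (the daemon's audit backend writes to the kernel audit log) would help the next reviewer of this .te.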
@@ -52,14 +52,9 @@ BuildRequires: libxml2
 Patch1: usbguard-0.7.6-notifier.patch
 Patch2: usbguard-selinux-rules-d.patch
 Patch3: usbguard-selinux-list-dir.patch
-Patch4: usbguard-forking-style.patch
-Patch5: usbguard-selinux-cpuinfo.patch
-Patch6: usbguard-service-fips.patch
-
-Patch7: usbguard-permission-check.patch
-Patch8: usbguard-removed-wired.patch
-Patch9: usbguard-rulesd.patch
-
+Patch4: usbguard-selinux-cpuinfo.patch
+Patch5: usbguard-audit-capability.patch
+Patch6: usbguard-selinux-audit-capability.patch
 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@@ -139,13 +134,9 @@ rm -rf src/ThirdParty/{Catch,PEGTL}
 %patch1 -p1 -b .notifier
 %patch2 -p1 -b .rules-d-selinux
 %patch3 -p1 -b .list-dir
-%patch4 -p1 -b .forking
-%patch5 -p1 -b .cpuinfo
-%patch6 -p1 -b .service-fips
-
-%patch7 -p1 -b .perm
-%patch8 -p1 -b .wired
-%patch9 -p1 -b .rulesd
+%patch4 -p1 -b .cpuinfo
+%patch5 -p1 -b .audit-capability
+%patch6 -p1 -b .selinux-audit-capability
 %build
 mkdir -p ./m4
@@ -310,6 +301,18 @@ fi
 %changelog
+* Wed Mar 17 2021 Attila Lakatos - 1.0.0-2
+- Add CAP_AUDIT_WRITE capability to service file
+Resolves: rhbz#1940060
+
+* Tue Jan 19 2021 Attila Lakatos - 1.0.0-1
+- Rebase to 1.0.0
+Resolves: rhbz#1887448
+- Filtering rules by attribute
+Resolves: rhbz#1873953
+- Change device policy of multiple devices using rule instead of ID
+Resolves: rhbz#1852568
+
 * Tue Aug 11 2020 Attila Lakatos - 0.7.8-7
 - Do not cause segfault in case of an empty rulesd folder
 Resolves: rhbz#1738590
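Review bot: The new Patch4–Patch6 list drops usbguard-forking-style, usbguard-service-fips, usbguard-permission-check, usbguard-removed-wired and usbguard-rulesd, but the 1.0.0-1 changelog entry in the last hunk does not record that they were dropped or why. The context of the new usbguard-audit-capability.patch shows `DevicePolicy=closed` and `ExecStart=... -f -s -c ...` already present in the 1.0.0 unit, so the forking-style and service-fips changes are visibly upstream; whether the IPC access-control directory permission check (permission-check) and the empty-rulesd fix (rulesd) are in 1.0.0 cannot be told from this commit. A changelog line such as `- Drop downstream patches merged upstream in 1.0.0: forking-style, service-fips, permission-check, removed-wired, rulesd`, added once that is confirmed, would make the rebase auditable for the next maintainer.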