import usbguard-1.0.0-2.el8
parent
32df1fdeb9
commit
36ae2592e5
|
@ -1,3 +1,3 @@
|
||||||
SOURCES/usbguard-0.7.8.tar.gz
|
SOURCES/usbguard-1.0.0.tar.gz
|
||||||
SOURCES/usbguard-notifier-0.0.6.tar.gz
|
SOURCES/usbguard-notifier-0.0.6.tar.gz
|
||||||
SOURCES/usbguard-selinux-0.0.3.tar.gz
|
SOURCES/usbguard-selinux-0.0.3.tar.gz
|
||||||
|
|
|
@ -1,3 +1,3 @@
|
||||||
d8bbd3e9f4f0deb1418f71422e7fab3d14053412 SOURCES/usbguard-0.7.8.tar.gz
|
bf909799daae6798634e1b01efaaadc5781b9755 SOURCES/usbguard-1.0.0.tar.gz
|
||||||
7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
|
7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
|
||||||
e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz
|
e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
|
||||||
|
--- usbguard-1.0.0/usbguard.service.in.orig 2021-03-17 14:16:21.675374844 +0100
|
||||||
|
+++ usbguard-1.0.0/usbguard.service.in 2021-03-17 14:16:29.056373213 +0100
|
||||||
|
@@ -5,7 +5,7 @@ Documentation=man:usbguard-daemon(8)
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
AmbientCapabilities=
|
||||||
|
-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
|
||||||
|
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
|
||||||
|
DevicePolicy=closed
|
||||||
|
ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
|
||||||
|
IPAddressDeny=any
|
|
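Review bot: Adding CAP_AUDIT_WRITE to `CapabilityBoundingSet` is necessary but only sufficient if the rest of the unit still lets the daemon open and write an audit netlink socket; the `RestrictAddressFamilies=AF_UNIX AF_NETLINK` and `SystemCallFilter=@system-service` lines visible elsewhere on this page come from the 0.7.8-era service file, not from the 1.0.0 file this patch touches, so confirm they are unchanged in 1.0.0 before relying on the audit backend. The patch also carries no provenance: it is a bare `diff -up` with no header saying why the capability is needed or which upstream commit it mirrors, which makes it hard to decide when it can be dropped on the next rebase. I would prepend a short header to the patch, e.g. `Grant CAP_AUDIT_WRITE so the LinuxAudit backend can emit audit records over netlink (rhbz#1940060); upstream: <commit id or "downstream-only">`. Since `AmbientCapabilities=` stays empty and no `User=` appears in the visible context, the new bit only widens the bounding set of what is presumably a root daemon; that is the minimal change for this purpose.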
@ -1,34 +0,0 @@
|
||||||
diff -up ./usbguard.service.in.forking ./usbguard.service.in
|
|
||||||
--- ./usbguard.service.in.forking 2020-06-17 20:07:04.720564149 +0200
|
|
||||||
+++ ./usbguard.service.in 2020-06-17 20:10:00.744063846 +0200
|
|
||||||
@@ -8,11 +8,12 @@ AmbientCapabilities=
|
|
||||||
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
|
|
||||||
DeviceAllow=/dev/null rw
|
|
||||||
DevicePolicy=strict
|
|
||||||
-ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
|
|
||||||
+ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
|
|
||||||
IPAddressDeny=any
|
|
||||||
LockPersonality=yes
|
|
||||||
MemoryDenyWriteExecute=yes
|
|
||||||
NoNewPrivileges=yes
|
|
||||||
+PIDFile=/var/run/usbguard.pid
|
|
||||||
PrivateDevices=yes
|
|
||||||
PrivateTmp=yes
|
|
||||||
ProtectControlGroups=yes
|
|
||||||
@@ -20,14 +21,14 @@ ProtectHome=yes
|
|
||||||
ProtectKernelModules=yes
|
|
||||||
ProtectSystem=yes
|
|
||||||
ReadOnlyPaths=-/
|
|
||||||
-ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
|
|
||||||
+ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -/var/run
|
|
||||||
Restart=on-failure
|
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
|
||||||
RestrictNamespaces=yes
|
|
||||||
RestrictRealtime=yes
|
|
||||||
SystemCallArchitectures=native
|
|
||||||
SystemCallFilter=@system-service
|
|
||||||
-Type=simple
|
|
||||||
+Type=forking
|
|
||||||
UMask=0077
|
|
||||||
|
|
||||||
[Install]
|
|
|
@ -1,69 +0,0 @@
|
||||||
From 39fc4c24333c3bf42eba0855f3b75ccea99865a4 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Radovan Sroka <rsroka@redhat.com>
|
|
||||||
Date: Tue, 21 Jul 2020 16:24:15 +0200
|
|
||||||
Subject: [PATCH] Added permissions check also for IPC access files
|
|
||||||
|
|
||||||
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
|
|
||||||
---
|
|
||||||
src/Common/Utility.cpp | 2 +-
|
|
||||||
src/Common/Utility.hpp | 2 +-
|
|
||||||
src/Daemon/Daemon.cpp | 13 +++++++++----
|
|
||||||
3 files changed, 11 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/Common/Utility.cpp b/src/Common/Utility.cpp
|
|
||||||
index d9fc26a..8eb4bd7 100644
|
|
||||||
--- a/src/Common/Utility.cpp
|
|
||||||
+++ b/src/Common/Utility.cpp
|
|
||||||
@@ -524,7 +524,7 @@ namespace usbguard
|
|
||||||
std::string file_name;
|
|
||||||
|
|
||||||
if (!dir_fd) {
|
|
||||||
- throw Exception("getConfigsFromDir", "opendir: " + path , strerror(errno));
|
|
||||||
+ throw Exception("getConfigsFromDir", "opendir: " + path, strerror(errno));
|
|
||||||
}
|
|
||||||
|
|
||||||
while ((dp = readdir(dir_fd)) != NULL) { // iterate over directory for file entries
|
|
||||||
diff --git a/src/Common/Utility.hpp b/src/Common/Utility.hpp
|
|
||||||
index df1afcd..4e90364 100644
|
|
||||||
--- a/src/Common/Utility.hpp
|
|
||||||
+++ b/src/Common/Utility.hpp
|
|
||||||
@@ -192,7 +192,7 @@ namespace usbguard
|
|
||||||
[](const std::pair<std::string, std::string>& a, const std::pair<std::string, std::string>& b) -> bool {
|
|
||||||
return a.first < b.first;
|
|
||||||
},
|
|
||||||
- bool directory_required = false);
|
|
||||||
+ bool directory_required = true);
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Remove prefix from string.
|
|
||||||
diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp
|
|
||||||
index acc148f..9e67a3a 100644
|
|
||||||
--- a/src/Daemon/Daemon.cpp
|
|
||||||
+++ b/src/Daemon/Daemon.cpp
|
|
||||||
@@ -327,8 +327,13 @@ namespace usbguard
|
|
||||||
|
|
||||||
/* IPCAccessControlFiles */
|
|
||||||
if (_config.hasSettingValue("IPCAccessControlFiles")) {
|
|
||||||
- const std::string value = _config.getSettingValue("IPCAccessControlFiles");
|
|
||||||
- loadIPCAccessControlFiles(value);
|
|
||||||
+ const std::string ipc_dir = _config.getSettingValue("IPCAccessControlFiles");
|
|
||||||
+
|
|
||||||
+ if (check_permissions) {
|
|
||||||
+ checkFolderPermissions(ipc_dir, (S_IRUSR | S_IWUSR));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ loadIPCAccessControlFiles(ipc_dir);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* AuditBackend */
|
|
||||||
@@ -1030,8 +1035,8 @@ namespace usbguard
|
|
||||||
|
|
||||||
/* Generate a match rule for upsert */
|
|
||||||
std::shared_ptr<Rule> match_rule = device->getDeviceRule(/*with-port=*/false,
|
|
||||||
- /*with-parent-hash=*/false,
|
|
||||||
- /*match_rule=*/true);
|
|
||||||
+ /*with-parent-hash=*/false,
|
|
||||||
+ /*match_rule=*/true);
|
|
||||||
const std::string match_spec = match_rule->toString();
|
|
||||||
USBGUARD_LOG(Debug) << "match_spec=" << match_spec;
|
|
||||||
/* Generate new device rule */
|
|
|
@ -1,48 +0,0 @@
|
||||||
diff -up ./doc/man/usbguard-daemon.conf.5.adoc.wired ./doc/man/usbguard-daemon.conf.5.adoc
|
|
||||||
--- ./doc/man/usbguard-daemon.conf.5.adoc.wired 2020-08-05 16:12:15.064272832 +0200
|
|
||||||
+++ ./doc/man/usbguard-daemon.conf.5.adoc 2020-08-05 16:14:04.146885179 +0200
|
|
||||||
@@ -51,8 +51,7 @@ It may be overridden using the *-c* comm
|
|
||||||
The USBGuard daemon modifies some of the default authorization state
|
|
||||||
attributes of controller devices. This setting, enables you to define what
|
|
||||||
value the default authorization is set to. Authorized default should be one
|
|
||||||
- of `keep` (do not change autorization state), `wired` (new wired USB
|
|
||||||
- devices start out authorized, wireless do not), `none` (every new device
|
|
||||||
+ of `keep` (do not change autorization state), `none` (every new device
|
|
||||||
starts out deauthorized), `all` (every new device starts out authorized) or
|
|
||||||
`internal` (internal devices start out authorized, external do not).
|
|
||||||
|
|
||||||
diff -up ./src/Library/public/usbguard/DeviceManager.cpp.wired ./src/Library/public/usbguard/DeviceManager.cpp
|
|
||||||
--- ./src/Library/public/usbguard/DeviceManager.cpp.wired 2019-11-16 18:32:45.220532059 +0100
|
|
||||||
+++ ./src/Library/public/usbguard/DeviceManager.cpp 2020-08-05 16:12:15.064272832 +0200
|
|
||||||
@@ -71,7 +71,6 @@ namespace usbguard
|
|
||||||
|
|
||||||
static const std::vector<std::pair<std::string, DeviceManager::AuthorizedDefaultType>> authorized_default_type_strings = {
|
|
||||||
{ "keep", DeviceManager::AuthorizedDefaultType::Keep },
|
|
||||||
- { "wired", DeviceManager::AuthorizedDefaultType::Wired },
|
|
||||||
{ "none", DeviceManager::AuthorizedDefaultType::None },
|
|
||||||
{ "all", DeviceManager::AuthorizedDefaultType::All },
|
|
||||||
{ "internal", DeviceManager::AuthorizedDefaultType::Internal }
|
|
||||||
diff -up ./src/Library/public/usbguard/DeviceManager.hpp.wired ./src/Library/public/usbguard/DeviceManager.hpp
|
|
||||||
--- ./src/Library/public/usbguard/DeviceManager.hpp.wired 2020-05-14 13:45:48.183508037 +0200
|
|
||||||
+++ ./src/Library/public/usbguard/DeviceManager.hpp 2020-08-05 16:12:15.064272832 +0200
|
|
||||||
@@ -60,8 +60,6 @@ namespace usbguard
|
|
||||||
*/
|
|
||||||
enum class AuthorizedDefaultType {
|
|
||||||
Keep = -128, /**< Do not change the authorization state. */
|
|
||||||
- Wired = -1, /**< New wired USB devices start out authorized,
|
|
||||||
- wireless USB devices do not. */
|
|
||||||
None = 0, /**< Every new device starts out deauthorized. */
|
|
||||||
All = 1, /**< Every new device starts out authorized. */
|
|
||||||
Internal = 2, /**< Internal devices start out authorized,
|
|
||||||
diff -up ./usbguard-daemon.conf.in.wired ./usbguard-daemon.conf.in
|
|
||||||
--- ./usbguard-daemon.conf.in.wired 2020-05-20 13:56:50.809203248 +0200
|
|
||||||
+++ ./usbguard-daemon.conf.in 2020-08-05 16:12:15.064272832 +0200
|
|
||||||
@@ -91,8 +91,6 @@ InsertedDevicePolicy=apply-policy
|
|
||||||
# default authorization is set to.
|
|
||||||
#
|
|
||||||
# * keep - do not change the authorization state
|
|
||||||
-# * wired - new wired USB devices start out authorized, wireless USB
|
|
||||||
-# devices do not
|
|
||||||
# * none - every new device starts out deauthorized
|
|
||||||
# * all - every new device starts out authorized
|
|
||||||
# * internal - internal devices start out authorized, external devices start
|
|
|
@ -1,13 +0,0 @@
|
||||||
diff -up ./src/Daemon/RuleSetFactory.cpp.orig ./src/Daemon/RuleSetFactory.cpp
|
|
||||||
--- ./src/Daemon/RuleSetFactory.cpp.orig 2020-08-11 11:10:00.924479577 +0200
|
|
||||||
+++ ./src/Daemon/RuleSetFactory.cpp 2020-08-11 11:12:56.447279841 +0200
|
|
||||||
@@ -74,7 +74,8 @@ namespace usbguard
|
|
||||||
ruleSet.push_back(rs);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
- else if (ns.getRulesPath().empty()){
|
|
||||||
+
|
|
||||||
+ if (ruleSet.empty()){
|
|
||||||
USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible.";
|
|
||||||
ruleSet = generateDefaultRuleSet();
|
|
||||||
}
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te
|
||||||
|
--- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig 2021-03-17 15:08:59.975712403 +0100
|
||||||
|
+++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te 2021-03-17 15:09:21.565708348 +0100
|
||||||
|
@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t)
|
||||||
|
# Local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
-allow usbguard_t self:capability { chown fowner };
|
||||||
|
+allow usbguard_t self:capability { chown fowner audit_write };
|
||||||
|
allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read };
|
||||||
|
allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
|
||||||
|
|
|
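Review bot: The policy change patches `usbguard.te` inside the bundled usbguard-selinux-0.0.3 tarball in place while that tarball's checksum is unchanged in this commit, so the added `audit_write` permission lives only in this downstream patch and will be lost silently whenever usbguard-selinux is bumped to a release that does not carry it. I would add a header comment to the patch recording where the change is expected upstream, or that it is downstream-only, and the bug it resolves, e.g. `# rhbz#1940060: usbguard_t needs audit_write to emit audit records; pending in usbguard-selinux`. The permission itself is consistent with the existing `netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }` rule shown in context and with the CAP_AUDIT_WRITE bounding-set change in the companion service-file patch, so the two patches should be kept in step. The `-p1` path prefix assumes the selinux tarball is unpacked inside the usbguard-1.0.0 tree; that %prep layout is not visible here.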
@ -1,13 +0,0 @@
|
||||||
diff -up ./usbguard.service.in.service-fips ./usbguard.service.in
|
|
||||||
--- ./usbguard.service.in.service-fips 2020-06-22 10:44:44.815860376 +0200
|
|
||||||
+++ ./usbguard.service.in 2020-06-22 10:45:07.699135514 +0200
|
|
||||||
@@ -6,8 +6,7 @@ Documentation=man:usbguard-daemon(8)
|
|
||||||
[Service]
|
|
||||||
AmbientCapabilities=
|
|
||||||
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
|
|
||||||
-DeviceAllow=/dev/null rw
|
|
||||||
-DevicePolicy=strict
|
|
||||||
+DevicePolicy=closed
|
|
||||||
ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
|
|
||||||
IPAddressDeny=any
|
|
||||||
LockPersonality=yes
|
|
|
@ -7,8 +7,8 @@
|
||||||
%bcond_without check
|
%bcond_without check
|
||||||
|
|
||||||
Name: usbguard
|
Name: usbguard
|
||||||
Version: 0.7.8
|
Version: 1.0.0
|
||||||
Release: 7%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: A tool for implementing USB device usage policy
|
Summary: A tool for implementing USB device usage policy
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
|
@ -52,14 +52,9 @@ BuildRequires: libxml2
|
||||||
Patch1: usbguard-0.7.6-notifier.patch
|
Patch1: usbguard-0.7.6-notifier.patch
|
||||||
Patch2: usbguard-selinux-rules-d.patch
|
Patch2: usbguard-selinux-rules-d.patch
|
||||||
Patch3: usbguard-selinux-list-dir.patch
|
Patch3: usbguard-selinux-list-dir.patch
|
||||||
Patch4: usbguard-forking-style.patch
|
Patch4: usbguard-selinux-cpuinfo.patch
|
||||||
Patch5: usbguard-selinux-cpuinfo.patch
|
Patch5: usbguard-audit-capability.patch
|
||||||
Patch6: usbguard-service-fips.patch
|
Patch6: usbguard-selinux-audit-capability.patch
|
||||||
|
|
||||||
Patch7: usbguard-permission-check.patch
|
|
||||||
Patch8: usbguard-removed-wired.patch
|
|
||||||
Patch9: usbguard-rulesd.patch
|
|
||||||
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
The USBGuard software framework helps to protect your computer against rogue USB
|
The USBGuard software framework helps to protect your computer against rogue USB
|
||||||
|
@ -139,13 +134,9 @@ rm -rf src/ThirdParty/{Catch,PEGTL}
|
||||||
%patch1 -p1 -b .notifier
|
%patch1 -p1 -b .notifier
|
||||||
%patch2 -p1 -b .rules-d-selinux
|
%patch2 -p1 -b .rules-d-selinux
|
||||||
%patch3 -p1 -b .list-dir
|
%patch3 -p1 -b .list-dir
|
||||||
%patch4 -p1 -b .forking
|
%patch4 -p1 -b .cpuinfo
|
||||||
%patch5 -p1 -b .cpuinfo
|
%patch5 -p1 -b .audit-capability
|
||||||
%patch6 -p1 -b .service-fips
|
%patch6 -p1 -b .selinux-audit-capability
|
||||||
|
|
||||||
%patch7 -p1 -b .perm
|
|
||||||
%patch8 -p1 -b .wired
|
|
||||||
%patch9 -p1 -b .rulesd
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
mkdir -p ./m4
|
mkdir -p ./m4
|
||||||
|
@ -310,6 +301,18 @@ fi
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Mar 17 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-2
|
||||||
|
- Add CAP_AUDIT_WRITE capability to service file
|
||||||
|
Resolves: rhbz#1940060
|
||||||
|
|
||||||
|
* Tue Jan 19 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-1
|
||||||
|
- Rebase to 1.0.0
|
||||||
|
Resolves: rhbz#1887448
|
||||||
|
- Filtering rules by attribute
|
||||||
|
Resolves: rhbz#1873953
|
||||||
|
- Change device policy of multiple devices using rule instead of ID
|
||||||
|
Resolves: rhbz#1852568
|
||||||
|
|
||||||
* Tue Aug 11 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-7
|
* Tue Aug 11 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-7
|
||||||
- Do not cause segfault in case of an empty rulesd folder
|
- Do not cause segfault in case of an empty rulesd folder
|
||||||
Resolves: rhbz#1738590
|
Resolves: rhbz#1738590
|
||||||
|
|
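Review bot: The spec drops Patch7 (permission check on the IPCAccessControlFiles directory), Patch8 (removal of the `wired` AuthorizedDefault value) and Patch9 (empty rules.d handling) without a changelog entry stating that they are contained in the 1.0.0 tarball; only the service-fips change is visibly already upstream, via the `DevicePolicy=closed` context line in the new audit-capability patch. Patch7 in particular is a hardening check that refuses a too-permissive IPC access-control directory, so losing it silently on rebase would be a security regression worth ruling out explicitly. I would add a line under the 1.0.0-1 entry such as `- Drop forking-style, service-fips, permission-check, removed-wired and rulesd patches: included upstream in 1.0.0`, after confirming each against the tarball. The Patch4–Patch6 renumbering also changes the `-b` backup suffixes, which is harmless but should stay consistent with the patch file names.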