Added 3 patches to fix 1.libqb permission inconsistencies, 2. permanent device policy changes and daemon signal handling.

2019-11-27 08:51:40 +01:00 · 2019-11-27 08:51:40 +01:00 · 62377fbd34
commit 62377fbd34
parent 1228f42051
4 changed files with 177 additions and 1 deletions
--- a/usbguard-0.7.6-libqb.patch
+++ b/usbguard-0.7.6-libqb.patch
@ -0,0 +1,118 @@
+diff -up usbguard-0.7.6/src/Library/IPCServerPrivate.cpp.orig usbguard-0.7.6/src/Library/IPCServerPrivate.cpp
+--- usbguard-0.7.6/src/Library/IPCServerPrivate.cpp.orig	2019-11-25 12:11:49.632373175 +0100
+++ usbguard-0.7.6/src/Library/IPCServerPrivate.cpp	2019-11-25 12:12:42.361781652 +0100
+@@ -242,6 +242,22 @@ namespace usbguard
+     return stats->client_pid;
+   }
+ 
+  void IPCServerPrivate::qbIPCConnectionAuthSet(qb_ipcs_connection_t* conn, uid_t uid, gid_t gid)
+  {
+    try {
+      std::string path = conn->description;
+      size_t last_slash = path.find_last_of("/");
+      path = path.substr(0, last_slash);
+      chown(path.c_str(), uid, gid);
+    }
+    catch (const std::exception& exception) {
+      USBGUARD_LOG(Error) << "IPC connection chmod error. Exception: " << exception.what();
+    }
+    catch (...) {
+      USBGUARD_LOG(Error) << "IPC connection error. Could not change mode bits.";
+    }
+  }
+
+   int32_t IPCServerPrivate::qbIPCConnectionAcceptFn(qb_ipcs_connection_t* conn, uid_t uid, gid_t gid)
+   {
+     try {
+@@ -259,6 +275,7 @@ namespace usbguard
+           << " gid=" << 0
+           << " mode=0660";
+         qb_ipcs_connection_auth_set(conn, uid, 0, 0660);
+        qbIPCConnectionAuthSet(conn, uid, 0);
+         return 0;
+       }
+       else {
+diff -up usbguard-0.7.6/src/Library/IPCServerPrivate.hpp.orig usbguard-0.7.6/src/Library/IPCServerPrivate.hpp
+--- usbguard-0.7.6/src/Library/IPCServerPrivate.hpp.orig	2019-11-25 12:11:27.723203531 +0100
+++ usbguard-0.7.6/src/Library/IPCServerPrivate.hpp	2019-11-25 12:13:04.635954202 +0100
+@@ -39,6 +39,71 @@
+ #include <qb/qbipcs.h>
+ #include <qb/qbloop.h>
+ 
+
+/*libqb header starts*/
+    #define CONNECTION_DESCRIPTION NAME_MAX
+
+    enum qb_ipcs_connection_state {
+        QB_IPCS_CONNECTION_INACTIVE,
+        QB_IPCS_CONNECTION_ACTIVE,
+        QB_IPCS_CONNECTION_ESTABLISHED,
+	    QB_IPCS_CONNECTION_SHUTTING_DOWN,
+    };
+
+    struct qb_ipcs_connection_auth {
+        uid_t uid;
+        gid_t gid;
+        mode_t mode;
+    };
+
+    struct qb_ringbuffer_s;
+    typedef struct qb_ringbuffer_s qb_ringbuffer_t;
+
+    struct qb_ipc_one_way {
+        size_t max_msg_size;
+        enum qb_ipc_type type;
+        union {
+            struct {
+                int32_t sock;
+                char *sock_name;
+                void* shared_data;
+                char shared_file_name[NAME_MAX];
+            } us;
+            struct {
+                qb_ringbuffer_t *rb;
+            } shm;
+        } u;
+    };
+
+    struct qb_list_head {
+        struct qb_list_head *next;
+        struct qb_list_head *prev;
+    };
+
+
+    struct qb_ipcs_connection {
+        enum qb_ipcs_connection_state state;
+        int32_t refcount;
+        pid_t pid;
+        uid_t euid;
+        gid_t egid;
+        struct qb_ipcs_connection_auth auth;
+        struct qb_ipc_one_way setup;
+        struct qb_ipc_one_way request;
+        struct qb_ipc_one_way response;
+        struct qb_ipc_one_way event;
+        struct qb_ipcs_service *service;
+        struct qb_list_head list;
+        struct qb_ipc_request_header *receive_buf;
+        void *context;
+        int32_t fc_enabled;
+        int32_t poll_events;
+        int32_t outstanding_notifiers;
+        char description[CONNECTION_DESCRIPTION];
+        struct qb_ipcs_connection_stats_2 stats;
+    };
+/*libqb header ends*/
+
+ namespace usbguard
+ {
+   class IPCServerPrivate
+@@ -107,6 +172,8 @@ namespace usbguard
+     bool qbIPCConnectionAllowed(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const;
+     bool authenticateIPCConnectionDAC(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr = nullptr) const;
+ 
+    static void qbIPCConnectionAuthSet(qb_ipcs_connection_t* connection, uid_t uid, gid_t gid);
+
+     bool matchACLByUID(uid_t uid, IPCServer::AccessControl* const ac_ptr) const;
+     bool matchACLByGID(gid_t gid, IPCServer::AccessControl* const ac_ptr) const;
+     bool matchACLByName(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const;
--- a/usbguard-0.7.6-servicefile.patch
+++ b/usbguard-0.7.6-servicefile.patch
@ -0,0 +1,12 @@
+diff -up usbguard-0.7.6/usbguard.service.in.orig usbguard-0.7.6/usbguard.service.in
+--- usbguard-0.7.6/usbguard.service.in.orig	2019-11-25 17:02:34.518355971 +0100
+++ usbguard-0.7.6/usbguard.service.in	2019-11-25 17:04:38.753066258 +0100
+@@ -21,7 +21,7 @@ ProtectKernelModules=yes
+ ProtectSystem=yes
+ PIDFile=/run/usbguard.pid
+ ReadOnlyPaths=-/
+-ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp
+ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
+ Restart=on-failure
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+ RestrictNamespaces=yes
--- a/usbguard-0.7.6-sigwaitinfo.patch
+++ b/usbguard-0.7.6-sigwaitinfo.patch
@ -0,0 +1,32 @@
+diff -up usbguard-0.7.6/src/Daemon/Daemon.cpp.orig usbguard-0.7.6/src/Daemon/Daemon.cpp
+--- usbguard-0.7.6/src/Daemon/Daemon.cpp.orig	2019-11-25 15:45:50.869913293 +0100
+++ usbguard-0.7.6/src/Daemon/Daemon.cpp	2019-11-25 15:47:37.722735108 +0100
+@@ -507,8 +507,14 @@ namespace usbguard
+       const int signal_num = sigwaitinfo(&signal_set, &signal_info);
+ 
+       if (signal_num <= 0) {
+-        USBGUARD_LOG(Error) << "sigwaitinfo failed: errno=" << errno << "; Shutting down.";
+-        break;
+        if (errno == EINTR) {
+          USBGUARD_LOG(Info) << "sigwaitinfo interrupted: [EINTR]. Ignoring.";
+          continue;
+        }
+        else {
+          USBGUARD_LOG(Error) << "sigwaitinfo failed: errno=" << errno << "; Shutting down.";
+          throw Exception("Daemon::run", "sigwaitinfo", "failed");
+        }
+       }
+ 
+       switch (signal_num) {
+@@ -523,8 +529,11 @@ namespace usbguard
+         exit_loop = false;
+         break;
+ 
+
+      /* should not be reachable */
+       default:
+         USBGUARD_LOG(Warning) << "Received signal " << signal_num << ". Ignoring!";
+        continue;
+       }
+     }
+     while (!exit_loop);
--- a/usbguard.spec
+++ b/usbguard.spec
@ -4,7 +4,7 @@

 Name:           usbguard
 Version:        0.7.6
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        A tool for implementing USB device usage policy
 License:        GPLv2+
 ## Not installed
@ -45,6 +45,9 @@ BuildRequires: polkit-devel
 BuildRequires: libxslt
 BuildRequires: libxml2

+Patch1: usbguard-0.7.6-libqb.patch
+Patch2: usbguard-0.7.6-sigwaitinfo.patch
+Patch3: usbguard-0.7.6-servicefile.patch

 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@ -104,6 +107,10 @@ daemon.
 # Remove bundled library sources before build
 rm -rf src/ThirdParty/{Catch,PEGTL}

+%patch1 -p1 -b .libqb
+%patch2 -p1 -b .sigwaitinfo
+%patch3 -p1 -b .servicefile
+
 %build
 mkdir -p ./m4
 autoreconf -i -v --no-recursive ./
@ -221,6 +228,13 @@ fi


 %changelog
+* Mon Nov 25 2019 Attila Lakatos <alakatos@redhat.com> - 0.7.6-4
+- added patch for libqb related permission issues
+  resolves: rhbz#1776357
+- added patch to ensure that usbguard-daemons is still running after locked screen
+  resolves: rhbz#1751861
+- added patch to fix permanent device policy changes
+
 * Wed Nov 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-3
 - fixed typo in specfile
 - usbguard.conf was generated incorrectly