From 62377fbd34991902a17f1c04495395a2e04d9cc9 Mon Sep 17 00:00:00 2001
From: Cropi
Date: Wed, 27 Nov 2019 08:51:40 +0100
Subject: [PATCH] Added 3 patches to fix 1.libqb permission inconsistencies, 2. permanent device policy changes and daemon signal handling.
---
 usbguard-0.7.6-libqb.patch | 118 +++++++++++++++++++++++++++++++
 usbguard-0.7.6-servicefile.patch | 12 ++++
 usbguard-0.7.6-sigwaitinfo.patch | 32 +++++++++
 usbguard.spec | 16 ++++-
 4 files changed, 177 insertions(+), 1 deletion(-)
 create mode 100644 usbguard-0.7.6-libqb.patch
 create mode 100644 usbguard-0.7.6-servicefile.patch
 create mode 100644 usbguard-0.7.6-sigwaitinfo.patch
diff --git a/usbguard-0.7.6-libqb.patch b/usbguard-0.7.6-libqb.patch
new file mode 100644
index 0000000..44b5f8d
--- /dev/null
+++ b/usbguard-0.7.6-libqb.patch
@@ -0,0 +1,118 @@
+diff -up usbguard-0.7.6/src/Library/IPCServerPrivate.cpp.orig usbguard-0.7.6/src/Library/IPCServerPrivate.cpp
+--- usbguard-0.7.6/src/Library/IPCServerPrivate.cpp.orig 2019-11-25 12:11:49.632373175 +0100
++++ usbguard-0.7.6/src/Library/IPCServerPrivate.cpp 2019-11-25 12:12:42.361781652 +0100
+@@ -242,6 +242,22 @@ namespace usbguard
+ return stats->client_pid;
+ }
+
++ void IPCServerPrivate::qbIPCConnectionAuthSet(qb_ipcs_connection_t* conn, uid_t uid, gid_t gid)
++ {
++ try {
++ std::string path = conn->description;
++ size_t last_slash = path.find_last_of("/");
++ path = path.substr(0, last_slash);
++ chown(path.c_str(), uid, gid);
++ }
++ catch (const std::exception& exception) {
++ USBGUARD_LOG(Error) << "IPC connection chmod error. Exception: " << exception.what();
++ }
++ catch (...) {
++ USBGUARD_LOG(Error) << "IPC connection error. Could not change mode bits.";
++ }
++ }
++
+ int32_t IPCServerPrivate::qbIPCConnectionAcceptFn(qb_ipcs_connection_t* conn, uid_t uid, gid_t gid)
+ {
+ try {
+@@ -259,6 +275,7 @@ namespace usbguard
+ << " gid=" << 0
+ << " mode=0660";
+ qb_ipcs_connection_auth_set(conn, uid, 0, 0660);
++ qbIPCConnectionAuthSet(conn, uid, 0);
+ return 0;
+ }
+ else {
+diff -up usbguard-0.7.6/src/Library/IPCServerPrivate.hpp.orig usbguard-0.7.6/src/Library/IPCServerPrivate.hpp
+--- usbguard-0.7.6/src/Library/IPCServerPrivate.hpp.orig 2019-11-25 12:11:27.723203531 +0100
++++ usbguard-0.7.6/src/Library/IPCServerPrivate.hpp 2019-11-25 12:13:04.635954202 +0100
+@@ -39,6 +39,71 @@
+ #include
+ #include
+
++
++/*libqb header starts*/
++ #define CONNECTION_DESCRIPTION NAME_MAX
++
++ enum qb_ipcs_connection_state {
++ QB_IPCS_CONNECTION_INACTIVE,
++ QB_IPCS_CONNECTION_ACTIVE,
++ QB_IPCS_CONNECTION_ESTABLISHED,
++ QB_IPCS_CONNECTION_SHUTTING_DOWN,
++ };
++
++ struct qb_ipcs_connection_auth {
++ uid_t uid;
++ gid_t gid;
++ mode_t mode;
++ };
++
++ struct qb_ringbuffer_s;
++ typedef struct qb_ringbuffer_s qb_ringbuffer_t;
++
++ struct qb_ipc_one_way {
++ size_t max_msg_size;
++ enum qb_ipc_type type;
++ union {
++ struct {
++ int32_t sock;
++ char *sock_name;
++ void* shared_data;
++ char shared_file_name[NAME_MAX];
++ } us;
++ struct {
++ qb_ringbuffer_t *rb;
++ } shm;
++ } u;
++ };
++
++ struct qb_list_head {
++ struct qb_list_head *next;
++ struct qb_list_head *prev;
++ };
++
++
++ struct qb_ipcs_connection {
++ enum qb_ipcs_connection_state state;
++ int32_t refcount;
++ pid_t pid;
++ uid_t euid;
++ gid_t egid;
++ struct qb_ipcs_connection_auth auth;
++ struct qb_ipc_one_way setup;
++ struct qb_ipc_one_way request;
++ struct qb_ipc_one_way response;
++ struct qb_ipc_one_way event;
++ struct qb_ipcs_service *service;
++ struct qb_list_head list;
++ struct qb_ipc_request_header *receive_buf;
++ void *context;
++ int32_t fc_enabled;
++ int32_t poll_events;
++ int32_t outstanding_notifiers;
++ char description[CONNECTION_DESCRIPTION];
++ struct qb_ipcs_connection_stats_2 stats;
++ };
++/*libqb header ends*/
++
+ namespace usbguard
+ {
+ class IPCServerPrivate
+@@ -107,6 +172,8 @@ namespace usbguard
+ bool qbIPCConnectionAllowed(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const;
+ bool authenticateIPCConnectionDAC(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr = nullptr) const;
+
++ static void qbIPCConnectionAuthSet(qb_ipcs_connection_t* connection, uid_t uid, gid_t gid);
++
+ bool matchACLByUID(uid_t uid, IPCServer::AccessControl* const ac_ptr) const;
+ bool matchACLByGID(gid_t gid, IPCServer::AccessControl* const ac_ptr) const;
+ bool matchACLByName(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const;
diff --git a/usbguard-0.7.6-servicefile.patch b/usbguard-0.7.6-servicefile.patch
new file mode 100644
index 0000000..63c462c
--- /dev/null
+++ b/usbguard-0.7.6-servicefile.patch
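Review bot: The `chown()` return value in `qbIPCConnectionAuthSet` is discarded, and because `chown` does not throw, the surrounding `try`/`catch` only ever covers the `std::string` operations, so a failed ownership change (EPERM, ENOENT, or a `description` that is not a filesystem path) is silent and the connection is still accepted with exactly the permission inconsistency the patch sets out to fix; `if (chown(path.c_str(), uid, gid) != 0) { USBGUARD_LOG(Error) << "chown(" << path << ") failed: errno=" << errno; }` makes the failure visible, and the existing "IPC connection chmod error" message should say chown, since that is the call made. `chown` by path follows symlinks, which matters for a directory under a shared location such as `/dev/shm`; if libqb makes the directory's file descriptor reachable, `fchown` on it would be safer, but only the description string is visible here. The header half of the hunk copies libqb's private `struct qb_ipcs_connection` layout so that `conn->description` can be read, so the field offset is correct only for the libqb build the layout was copied from, and any upstream field change silently turns this into a read of the wrong memory; a comment such as `/* layout copied from libqb <VERSION> — must match the installed libqb build exactly */` (version to be filled in from the build used) would make that coupling explicit at the point of use. `qbIPCConnectionAcceptFn`'s body continues outside the hunk.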
@@ -0,0 +1,12 @@
+diff -up usbguard-0.7.6/usbguard.service.in.orig usbguard-0.7.6/usbguard.service.in
+--- usbguard-0.7.6/usbguard.service.in.orig 2019-11-25 17:02:34.518355971 +0100
++++ usbguard-0.7.6/usbguard.service.in 2019-11-25 17:04:38.753066258 +0100
+@@ -21,7 +21,7 @@ ProtectKernelModules=yes
+ ProtectSystem=yes
+ PIDFile=/run/usbguard.pid
+ ReadOnlyPaths=-/
+-ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp
++ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
+ Restart=on-failure
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+ RestrictNamespaces=yes
diff --git a/usbguard-0.7.6-sigwaitinfo.patch b/usbguard-0.7.6-sigwaitinfo.patch
new file mode 100644
index 0000000..daf8aae
--- /dev/null
+++ b/usbguard-0.7.6-sigwaitinfo.patch
@@ -0,0 +1,32 @@
+diff -up usbguard-0.7.6/src/Daemon/Daemon.cpp.orig usbguard-0.7.6/src/Daemon/Daemon.cpp
+--- usbguard-0.7.6/src/Daemon/Daemon.cpp.orig 2019-11-25 15:45:50.869913293 +0100
++++ usbguard-0.7.6/src/Daemon/Daemon.cpp 2019-11-25 15:47:37.722735108 +0100
+@@ -507,8 +507,14 @@ namespace usbguard
+ const int signal_num = sigwaitinfo(&signal_set, &signal_info);
+
+ if (signal_num <= 0) {
+- USBGUARD_LOG(Error) << "sigwaitinfo failed: errno=" << errno << "; Shutting down.";
+- break;
++ if (errno == EINTR) {
++ USBGUARD_LOG(Info) << "sigwaitinfo interrupted: [EINTR]. Ignoring.";
++ continue;
++ }
++ else {
++ USBGUARD_LOG(Error) << "sigwaitinfo failed: errno=" << errno << "; Shutting down.";
++ throw Exception("Daemon::run", "sigwaitinfo", "failed");
++ }
+ }
+
+ switch (signal_num) {
+@@ -523,8 +529,11 @@ namespace usbguard
+ exit_loop = false;
+ break;
+
++
++ /* should not be reachable */
+ default:
+ USBGUARD_LOG(Warning) << "Received signal " << signal_num << ". Ignoring!";
++ continue;
+ }
+ }
+ while (!exit_loop);
diff --git a/usbguard.spec b/usbguard.spec
index 7651344..c3f4637 100644
--- a/usbguard.spec
+++ b/usbguard.spec
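Review bot: Adding `-%sysconfdir%/usbguard/` to `ReadWritePaths` makes the entire configuration directory writable by the daemon, including the daemon configuration and the IPC access-control files that decide who may talk to it, whereas the permanent-policy feature only needs to persist the rules file, so the sandbox is widened more than the feature requires. If the daemon rewrites the rules file in place, narrowing this entry to that file (its location comes from the `RuleFile=` setting, so it should be checked against the packaged default) keeps the rest of the directory read-only under `ReadOnlyPaths=-/`; if it writes a temporary file and renames it, write access to the directory is genuinely needed and the wider grant is unavoidable. Either way a unit-file comment stating the reason, e.g. `# writable so the daemon can persist permanent device policy changes`, would stop a later hardening pass from removing it without understanding the consequence.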
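Review bot: Replacing `break` with `throw Exception("Daemon::run", "sigwaitinfo", "failed")` on a non-EINTR `sigwaitinfo` failure changes the shutdown path: the old `break` fell through to whatever follows the `do`/`while` loop, whereas the throw unwinds out of `Daemon::run` and skips it, so the caller's handler must perform the same orderly shutdown; the code after the loop and the function's end are outside the hunk, so this cannot be confirmed here. The `continue` added at the end of `default:` is a no-op, because in a `do { } while (!exit_loop)` loop the end of the `switch` already reaches the loop condition; it reads as if the exit check were being bypassed, and dropping it avoids that confusion. The `/* should not be reachable */` comment contradicts the `Received signal ... Ignoring!` warning directly beneath it, since the branch is taken for any member of `signal_set` that has no `case`; `/* any signal in signal_set without a case above lands here */` would describe what the code does.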
@@ -4,7 +4,7 @@ Name: usbguard Version: 0.7.6 -Release: 3%{?dist} +Release: 4%{?dist} Summary: A tool for implementing USB device usage policy License: GPLv2+ ## Not installed @@ -45,6 +45,9 @@ BuildRequires: polkit-devel BuildRequires: libxslt BuildRequires: libxml2 +Patch1: usbguard-0.7.6-libqb.patch +Patch2: usbguard-0.7.6-sigwaitinfo.patch +Patch3: usbguard-0.7.6-servicefile.patch %description The USBGuard software framework helps to protect your computer against rogue USB @@ -104,6 +107,10 @@ daemon. # Remove bundled library sources before build rm -rf src/ThirdParty/{Catch,PEGTL} +%patch1 -p1 -b .libqb +%patch2 -p1 -b .sigwaitinfo +%patch3 -p1 -b .servicefile + %build mkdir -p ./m4 autoreconf -i -v --no-recursive ./ @@ -221,6 +228,13 @@ fi %changelog +* Mon Nov 25 2019 Attila Lakatos - 0.7.6-4 +- added patch for libqb related permission issues + resolves: rhbz#1776357 +- added patch to ensure that usbguard-daemons is still running after locked screen + resolves: rhbz#1751861 +- added patch to fix permanent device policy changes + * Wed Nov 13 2019 Radovan Sroka - 0.7.6-3 - fixed typo in specfile - usbguard.conf was generated incorrectly
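Review bot: The third changelog bullet (`added patch to fix permanent device policy changes`) has no `resolves:` line, unlike the two bullets above it, so that change is not traceable to a bug report; add one if a report exists. Because `usbguard-0.7.6-libqb.patch` reads a connection field through a private copy of libqb's internal struct layout, the resulting binary is only correct against the libqb build that layout was taken from, and a later libqb update can break the IPC permission fix without any build error; a versioned runtime dependency on libqb (the version to pin is not visible here and should be taken from the build the layout was copied from) would make the coupling enforceable by the package manager. `usbguard-daemons` in the second bullet should read `usbguard-daemon`.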