import usbguard-1.0.0-13.el8
This commit is contained in:
parent
6633813040
commit
74d5a3eb3d
|
@ -0,0 +1,11 @@
|
|||
diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
|
||||
--- usbguard-1.0.0/usbguard.service.in.orig 2022-11-28 10:21:35.889977314 +0100
|
||||
+++ usbguard-1.0.0/usbguard.service.in 2022-11-28 10:21:52.711987716 +0100
|
||||
@@ -4,6 +4,7 @@ Wants=systemd-udevd.service local-fs.tar
|
||||
Documentation=man:usbguard-daemon(8)
|
||||
|
||||
[Service]
|
||||
+OOMScoreAdjust=-1000
|
||||
AmbientCapabilities=
|
||||
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
|
||||
DevicePolicy=closed
|
|
@ -0,0 +1,12 @@
|
|||
diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp
|
||||
--- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig 2022-11-28 10:35:44.052560664 +0100
|
||||
+++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp 2022-11-28 10:35:55.510568939 +0100
|
||||
@@ -76,7 +76,7 @@ namespace usbguard
|
||||
}
|
||||
|
||||
if (ruleSet.empty()){
|
||||
- USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible.";
|
||||
+ USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible.";
|
||||
ruleSet = generateDefaultRuleSet();
|
||||
}
|
||||
|
|
@ -0,0 +1,19 @@
|
|||
diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp
|
||||
--- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig 2022-11-28 10:25:01.044104150 +0100
|
||||
+++ usbguard-1.0.0/src/Daemon/Daemon.cpp 2022-11-28 10:25:34.736124980 +0100
|
||||
@@ -40,6 +40,7 @@
|
||||
#include <sys/types.h>
|
||||
#include <sys/poll.h>
|
||||
#include <unistd.h>
|
||||
+#include <sys/wait.h>
|
||||
#include <signal.h>
|
||||
#include <string.h>
|
||||
#include <sys/stat.h>
|
||||
@@ -606,6 +607,7 @@ namespace usbguard
|
||||
const int signum = sigtimedwait(&mask, &info, &timeout);
|
||||
|
||||
if (signum == SIGUSR1 && info.si_signo == SIGUSR1 && info.si_pid == pid) {
|
||||
+ waitpid(pid, nullptr, 0);
|
||||
USBGUARD_LOG(Trace) << "Finished daemonization";
|
||||
exit(EXIT_SUCCESS);
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp
|
||||
--- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig 2022-10-18 10:33:04.498762878 +0200
|
||||
+++ usbguard-1.0.0/src/DBus/DBusBridge.cpp 2022-10-18 10:33:36.920785285 +0200
|
||||
@@ -434,12 +434,11 @@ namespace usbguard
|
||||
USBGUARD_LOG(Trace) << "Connecting with Polkit authority...";
|
||||
PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error);
|
||||
|
||||
- if (! authority || error) {
|
||||
+ if (! authority) {
|
||||
USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << ".";
|
||||
*authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
|
||||
*authErrorMessage = "Failed to connect to Polkit authority";
|
||||
g_error_free(error);
|
||||
- g_object_unref(authority);
|
||||
g_object_unref(subject);
|
||||
return false;
|
||||
}
|
||||
@@ -470,12 +469,11 @@ namespace usbguard
|
||||
/*cancellable=*/ NULL,
|
||||
&error);
|
||||
|
||||
- if (! result || error) {
|
||||
+ if (! result) {
|
||||
USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << ".";
|
||||
*authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
|
||||
*authErrorMessage = "Failed to check back with Polkit for authoriation.";
|
||||
g_error_free(error);
|
||||
- g_object_unref(result);
|
||||
g_object_unref(details);
|
||||
g_object_unref(authority);
|
||||
g_object_unref(subject);
|
|
@ -0,0 +1,335 @@
|
|||
diff -up usbguard-1.0.0/configure.ac.orig usbguard-1.0.0/configure.ac
|
||||
--- usbguard-1.0.0/configure.ac.orig 2022-08-16 10:24:34.345570913 +0200
|
||||
+++ usbguard-1.0.0/configure.ac 2022-08-16 10:24:34.307571236 +0200
|
||||
@@ -399,7 +399,7 @@ if test "x$with_dbus" = xyes; then
|
||||
#
|
||||
# Check for required D-Bus modules
|
||||
#
|
||||
- PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0],
|
||||
+ PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0 polkit-gobject-1],
|
||||
[AC_DEFINE([HAVE_DBUS], [1], [Required GDBus API available])
|
||||
dbus_summary="system-wide; $dbus_CFLAGS $dbus_LIBS"],
|
||||
[AC_MSG_FAILURE([Required D-Bus modules (dbus-1, gio-2.0) not found!])]
|
||||
diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp
|
||||
--- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig 2022-08-16 10:24:34.312571194 +0200
|
||||
+++ usbguard-1.0.0/src/DBus/DBusBridge.cpp 2022-08-16 10:28:28.595587136 +0200
|
||||
@@ -21,6 +21,8 @@
|
||||
#endif
|
||||
|
||||
#include "DBusBridge.hpp"
|
||||
+#include <polkit/polkit.h>
|
||||
+
|
||||
namespace usbguard
|
||||
{
|
||||
DBusBridge::DBusBridge(GDBusConnection* const gdbus_connection,
|
||||
@@ -74,9 +76,19 @@ namespace usbguard
|
||||
return;
|
||||
}
|
||||
|
||||
+ #define DBUS_AUTH_CHECK \
|
||||
+ GDBusError authErrorCode = G_DBUS_ERROR_FAILED; \
|
||||
+ const gchar* authErrorMessage = NULL; \
|
||||
+ if (! isAuthorizedByPolkit(invocation, &authErrorCode, &authErrorMessage)) { \
|
||||
+ g_dbus_method_invocation_return_error_literal(invocation, G_DBUS_ERROR, authErrorCode, authErrorMessage); \
|
||||
+ return; \
|
||||
+ }
|
||||
+
|
||||
void DBusBridge::handleRootMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation)
|
||||
{
|
||||
if (method_name == "getParameter") {
|
||||
+ DBUS_AUTH_CHECK
|
||||
+
|
||||
const char* name_cstr = nullptr;
|
||||
g_variant_get(parameters, "(&s)", &name_cstr);
|
||||
std::string name(name_cstr);
|
||||
@@ -86,6 +98,8 @@ namespace usbguard
|
||||
}
|
||||
|
||||
if (method_name == "setParameter") {
|
||||
+ DBUS_AUTH_CHECK
|
||||
+
|
||||
const char* name_cstr = nullptr;
|
||||
const char* value_cstr = nullptr;
|
||||
g_variant_get(parameters, "(&s&s)", &name_cstr, &value_cstr);
|
||||
@@ -104,6 +118,8 @@ namespace usbguard
|
||||
void DBusBridge::handlePolicyMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation)
|
||||
{
|
||||
if (method_name == "listRules") {
|
||||
+ DBUS_AUTH_CHECK
|
||||
+
|
||||
const char* label_cstr = nullptr;
|
||||
g_variant_get(parameters, "(&s)", &label_cstr);
|
||||
std::string label(label_cstr);
|
||||
@@ -136,6 +152,8 @@ namespace usbguard
|
||||
}
|
||||
|
||||
if (method_name == "appendRule") {
|
||||
+ DBUS_AUTH_CHECK
|
||||
+
|
||||
const char* rule_spec_cstr = nullptr;
|
||||
uint32_t parent_id = 0;
|
||||
gboolean temporary = false;
|
||||
@@ -147,6 +165,8 @@ namespace usbguard
|
||||
}
|
||||
|
||||
if (method_name == "removeRule") {
|
||||
+ DBUS_AUTH_CHECK
|
||||
+
|
||||
uint32_t rule_id = 0;
|
||||
g_variant_get(parameters, "(u)", &rule_id);
|
||||
removeRule(rule_id);
|
||||
@@ -163,6 +183,8 @@ namespace usbguard
|
||||
GDBusMethodInvocation* invocation)
|
||||
{
|
||||
if (method_name == "listDevices") {
|
||||
+ DBUS_AUTH_CHECK
|
||||
+
|
||||
const char* query_cstr = nullptr;
|
||||
g_variant_get(parameters, "(&s)", &query_cstr);
|
||||
std::string query(query_cstr);
|
||||
@@ -195,6 +217,8 @@ namespace usbguard
|
||||
}
|
||||
|
||||
if (method_name == "applyDevicePolicy") {
|
||||
+ DBUS_AUTH_CHECK
|
||||
+
|
||||
uint32_t device_id = 0;
|
||||
uint32_t target_integer = 0;
|
||||
gboolean permanent = false;
|
||||
@@ -344,6 +368,135 @@ namespace usbguard
|
||||
|
||||
return builder;
|
||||
}
|
||||
+
|
||||
+ std::string DBusBridge::formatGError(GError* error)
|
||||
+ {
|
||||
+ if (error) {
|
||||
+ std::stringstream formatGError;
|
||||
+ formatGError << error->message << " (code " << error->code << ")";
|
||||
+ return formatGError.str();
|
||||
+ }
|
||||
+ else {
|
||||
+ return "unknown error";
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ bool DBusBridge::isAuthorizedByPolkit(GDBusMethodInvocation* invocation, GDBusError* authErrorCode,
|
||||
+ const gchar** authErrorMessage)
|
||||
+ {
|
||||
+ GError* error = NULL;
|
||||
+ USBGUARD_LOG(Trace) << "Extracting bus name...";
|
||||
+ const gchar* const /*no-free!*/ bus_name = g_dbus_method_invocation_get_sender (invocation);
|
||||
+
|
||||
+ if (! bus_name) {
|
||||
+ USBGUARD_LOG(Trace) << "Failed to extract bus name.";
|
||||
+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
|
||||
+ *authErrorMessage = "Failed to extract bus name.";
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ USBGUARD_LOG(Trace) << "Extracted bus name \"" << bus_name << "\".";
|
||||
+ USBGUARD_LOG(Trace) << "Extracting interface name...";
|
||||
+ const gchar* const /*no-free!*/ interfaceName = g_dbus_method_invocation_get_interface_name(invocation);
|
||||
+
|
||||
+ if (! interfaceName) {
|
||||
+ USBGUARD_LOG(Trace) << "Failed to extract interface name.";
|
||||
+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
|
||||
+ *authErrorMessage = "Failed to extract interface name.";
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ USBGUARD_LOG(Trace) << "Extracted interface name \"" << interfaceName << "\".";
|
||||
+ USBGUARD_LOG(Trace) << "Extracting method name...";
|
||||
+ const gchar* const /*no-free!*/ methodName = g_dbus_method_invocation_get_method_name(invocation);
|
||||
+
|
||||
+ if (! methodName) {
|
||||
+ USBGUARD_LOG(Trace) << "Failed to extract method name.";
|
||||
+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
|
||||
+ *authErrorMessage = "Failed to extract method name.";
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ std::stringstream action_id;
|
||||
+ action_id << interfaceName << "." << methodName;
|
||||
+ USBGUARD_LOG(Trace) << "Extracted method name \"" << methodName << "\".";
|
||||
+ USBGUARD_LOG(Trace) << "Creating a system bus Polkit subject...";
|
||||
+ PolkitSubject* const subject = polkit_system_bus_name_new(bus_name);
|
||||
+
|
||||
+ if (! subject) {
|
||||
+ USBGUARD_LOG(Trace) << "Failed to create Polkit subject.";
|
||||
+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
|
||||
+ *authErrorMessage = "Failed to create Polkit subject.";
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ USBGUARD_LOG(Trace) << "Created.";
|
||||
+ USBGUARD_LOG(Trace) << "Connecting with Polkit authority...";
|
||||
+ PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error);
|
||||
+
|
||||
+ if (! authority || error) {
|
||||
+ USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << ".";
|
||||
+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
|
||||
+ *authErrorMessage = "Failed to connect to Polkit authority";
|
||||
+ g_error_free(error);
|
||||
+ g_object_unref(authority);
|
||||
+ g_object_unref(subject);
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ USBGUARD_LOG(Trace) << "Connected.";
|
||||
+ USBGUARD_LOG(Trace) << "Customizing Polkit authentification dialog...";
|
||||
+ PolkitDetails* const details = polkit_details_new();
|
||||
+
|
||||
+ if (! details) {
|
||||
+ USBGUARD_LOG(Trace) << "Failed to customize the Polkit authentification dialog.";
|
||||
+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
|
||||
+ *authErrorMessage = "Failed to customize the Polkit authentication dialog.";
|
||||
+ g_object_unref(authority);
|
||||
+ g_object_unref(subject);
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ polkit_details_insert (details, "polkit.message", "This USBGuard action needs authorization");
|
||||
+ USBGUARD_LOG(Trace) << "Customized.";
|
||||
+ USBGUARD_LOG(Trace) << "Checking authorization of action \"" << action_id.str() << "\" with Polkit ...";
|
||||
+ const PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION;
|
||||
+ PolkitAuthorizationResult* const result = polkit_authority_check_authorization_sync
|
||||
+ (authority,
|
||||
+ subject,
|
||||
+ action_id.str().c_str(),
|
||||
+ details,
|
||||
+ flags,
|
||||
+ /*cancellable=*/ NULL,
|
||||
+ &error);
|
||||
+
|
||||
+ if (! result || error) {
|
||||
+ USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << ".";
|
||||
+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
|
||||
+ *authErrorMessage = "Failed to check back with Polkit for authoriation.";
|
||||
+ g_error_free(error);
|
||||
+ g_object_unref(result);
|
||||
+ g_object_unref(details);
|
||||
+ g_object_unref(authority);
|
||||
+ g_object_unref(subject);
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
+ gboolean isAuthorized = polkit_authorization_result_get_is_authorized(result);
|
||||
+ USBGUARD_LOG(Trace) << (isAuthorized ? "Authorized" : "Not authorized") << ".";
|
||||
+
|
||||
+ if (! isAuthorized) {
|
||||
+ *authErrorCode = G_DBUS_ERROR_ACCESS_DENIED;
|
||||
+ *authErrorMessage = "Not authorized.";
|
||||
+ }
|
||||
+
|
||||
+ g_object_unref(result);
|
||||
+ g_object_unref(details);
|
||||
+ g_object_unref(authority);
|
||||
+ g_object_unref(subject);
|
||||
+ return isAuthorized;
|
||||
+ }
|
||||
+
|
||||
} /* namespace usbguard */
|
||||
|
||||
/* vim: set ts=2 sw=2 et */
|
||||
diff -up usbguard-1.0.0/src/DBus/DBusBridge.hpp.orig usbguard-1.0.0/src/DBus/DBusBridge.hpp
|
||||
--- usbguard-1.0.0/src/DBus/DBusBridge.hpp.orig 2022-08-16 10:24:34.312571194 +0200
|
||||
+++ usbguard-1.0.0/src/DBus/DBusBridge.hpp 2022-08-16 10:28:33.514545528 +0200
|
||||
@@ -83,6 +83,9 @@ namespace usbguard
|
||||
bool rule_match,
|
||||
uint32_t rule_id);
|
||||
|
||||
+ static std::string formatGError(GError* error);
|
||||
+ static bool isAuthorizedByPolkit(GDBusMethodInvocation* invocation, GDBusError* authErrorCode,
|
||||
+ const gchar** authErrorMessage);
|
||||
|
||||
GDBusConnection* const p_gdbus_connection;
|
||||
void(*p_ipc_callback)(bool);
|
||||
diff -up usbguard-1.0.0/src/DBus/org.usbguard1.policy.orig usbguard-1.0.0/src/DBus/org.usbguard1.policy
|
||||
--- usbguard-1.0.0/src/DBus/org.usbguard1.policy.orig 2022-08-16 10:24:34.312571194 +0200
|
||||
+++ usbguard-1.0.0/src/DBus/org.usbguard1.policy 2022-08-16 10:24:34.311571202 +0200
|
||||
@@ -1,23 +1,23 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
|
||||
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
|
||||
-
|
||||
+
|
||||
<policyconfig>
|
||||
<vendor>The USBGuard Project</vendor>
|
||||
<vendor_url>https://github.org/USBGuard/usbguard</vendor_url>
|
||||
|
||||
<action id="org.usbguard.Policy1.listRules">
|
||||
<description>List the rule set (policy) used by the USBGuard daemon</description>
|
||||
- <message>Prevents from listing the USBGuard policy</message>
|
||||
+ <message>Prevents listing the USBGuard policy</message>
|
||||
<defaults>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
- <allow_active>auth_self_keep_session</allow_active>
|
||||
+ <allow_active>yes</allow_active>
|
||||
</defaults>
|
||||
</action>
|
||||
|
||||
<action id="org.usbguard.Policy1.appendRule">
|
||||
<description>Append a new rule to the policy</description>
|
||||
- <message>Prevents from appending rules to the USBGuard policy</message>
|
||||
+ <message>Prevents appending rules to the USBGuard policy</message>
|
||||
<defaults>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin</allow_active>
|
||||
@@ -33,40 +33,41 @@
|
||||
</defaults>
|
||||
</action>
|
||||
|
||||
- <action id="org.usbguard.Devices1.listDevices">
|
||||
- <description>List all USB devices recognized by the USBGuard daemon</description>
|
||||
- <message>Prevents from listing USB devices recognized by the USBGuard daemon</message>
|
||||
+ <action id="org.usbguard.Devices1.applyDevicePolicy">
|
||||
+ <description>Apply a policy to a device in USBGuard</description>
|
||||
+ <message>Prevents applying a policy to a device in USBGuard</message>
|
||||
<defaults>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
- <allow_active>auth_self_keep_session</allow_active>
|
||||
+ <allow_active>auth_admin</allow_active>
|
||||
</defaults>
|
||||
</action>
|
||||
|
||||
- <action id="org.usbguard.Devices1.allowDevice">
|
||||
- <description>Authorize a USB device via the USBGuard daemon to interact with the system</description>
|
||||
- <message>Prevents from authorizing USB devices via the USBGuard daemon</message>
|
||||
+ <action id="org.usbguard.Devices1.listDevices">
|
||||
+ <description>List all USB devices recognized by the USBGuard daemon</description>
|
||||
+ <message>Prevents listing USB devices recognized by the USBGuard daemon</message>
|
||||
<defaults>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
- <allow_active>auth_admin</allow_active>
|
||||
+ <allow_active>yes</allow_active>
|
||||
</defaults>
|
||||
</action>
|
||||
|
||||
- <action id="org.usbguard.Devices1.blockDevice">
|
||||
- <description>Deauthorize a USB device via the USBGuard daemon</description>
|
||||
- <message>Prevents from deauthorizing USB devices via the USBGuard daemon</message>
|
||||
+ <action id="org.usbguard1.getParameter">
|
||||
+ <description>Get the value of a runtime parameter</description>
|
||||
+ <message>Prevents getting values of runtime USBGuard parameters</message>
|
||||
<defaults>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
- <allow_active>auth_admin</allow_active>
|
||||
+ <allow_active>yes</allow_active>
|
||||
</defaults>
|
||||
</action>
|
||||
|
||||
- <action id="org.usbguard.Devices1.rejectDevice">
|
||||
- <description>Remove a USB device via the USBGuard daemon</description>
|
||||
- <message>Prevents from removing USB devices via the USBGuard daemon</message>
|
||||
+ <action id="org.usbguard1.setParameter">
|
||||
+ <description>Set the value of a runtime parameter</description>
|
||||
+ <message>Prevents setting values of runtime USBGuard parameters</message>
|
||||
<defaults>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin</allow_active>
|
||||
</defaults>
|
||||
</action>
|
||||
+
|
||||
</policyconfig>
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
|
||||
--- usbguard-1.0.0/usbguard.service.in.orig 2023-01-12 13:17:14.200064956 +0100
|
||||
+++ usbguard-1.0.0/usbguard.service.in 2023-01-12 13:17:22.588078994 +0100
|
||||
@@ -8,7 +8,7 @@ OOMScoreAdjust=-1000
|
||||
AmbientCapabilities=
|
||||
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
|
||||
DevicePolicy=closed
|
||||
-ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
|
||||
+ExecStart=%sbindir%/usbguard-daemon -f -s -K -c %sysconfdir%/usbguard/usbguard-daemon.conf
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
NoNewPrivileges=yes
|
|
@ -0,0 +1,43 @@
|
|||
diff -up usbguard-1.0.0/doc/man/example-allow-device.adoc.orig usbguard-1.0.0/doc/man/example-allow-device.adoc
|
||||
--- usbguard-1.0.0/doc/man/example-allow-device.adoc.orig 2022-11-28 12:00:26.695561514 +0100
|
||||
+++ usbguard-1.0.0/doc/man/example-allow-device.adoc 2022-11-28 11:57:01.120457773 +0100
|
||||
@@ -0,0 +1,6 @@
|
||||
+....
|
||||
+ # Allow a device by ID(it is the very first number from the list-devices command output)
|
||||
+ $ sudo usbguard allow-device 10
|
||||
+ # Allow all devices named "Dell Wired Multimedia Keyboard"
|
||||
+ $ sudo usbguard allow-device name \"Dell Wired Multimedia Keyboard\"
|
||||
+....
|
||||
diff -up usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig usbguard-1.0.0/doc/man/example-initial-policy.adoc
|
||||
--- usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig 2022-11-28 12:00:31.781564080 +0100
|
||||
+++ usbguard-1.0.0/doc/man/example-initial-policy.adoc 2022-11-28 11:57:25.353470002 +0100
|
||||
@@ -0,0 +1,7 @@
|
||||
+....
|
||||
+ $ sudo usbguard generate-policy > rules.conf
|
||||
+ $ vi rules.conf
|
||||
+ (review/modify the rule set)
|
||||
+ $ sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
|
||||
+ $ sudo systemctl restart usbguard
|
||||
+....
|
||||
diff -up usbguard-1.0.0/doc/man/footer.adoc.orig usbguard-1.0.0/doc/man/footer.adoc
|
||||
--- usbguard-1.0.0/doc/man/footer.adoc.orig 2022-11-28 11:54:21.495377220 +0100
|
||||
+++ usbguard-1.0.0/doc/man/footer.adoc 2022-11-28 11:55:51.960422872 +0100
|
||||
@@ -0,0 +1,18 @@
|
||||
+== BUGS
|
||||
+If you find a bug in this software or if you'd like to request a feature to be implemented, please file a ticket at <https://github.com/USBGuard/usbguard/issues/new>.
|
||||
+
|
||||
+
|
||||
+== AUTHOR
|
||||
+USBGuard was originally written by Daniel Kopeček.
|
||||
+Many people have contributed to it.
|
||||
+
|
||||
+
|
||||
+== RESOURCES
|
||||
+Main web site: <https://usbguard.github.io/>
|
||||
+
|
||||
+
|
||||
+== COPYING
|
||||
+Copyright © 2015-{docyear} Red Hat, Inc. +
|
||||
+License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl.html. +
|
||||
+This is free software: you are free to change and redistribute it.
|
||||
+There is NO WARRANTY, to the extent permitted by law.
|
|
@ -0,0 +1,68 @@
|
|||
diff -up usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc.orig usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc
|
||||
--- usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc.orig 2023-01-05 10:58:24.684407437 +0100
|
||||
+++ usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc 2023-01-05 10:58:42.323426745 +0100
|
||||
@@ -27,7 +27,12 @@ It may be overridden using the *-c* comm
|
||||
behave like any other standard Linux daemon therefore it loads rule files in
|
||||
alpha-numeric order. File names inside `RuleFolder` directory should start
|
||||
with a two-digit number prefix indicating the position, in which the rules
|
||||
- are scanned by the daemon.
|
||||
+ are scanned by the daemon. Using RuleFile and RuleFolder at the same time is
|
||||
+ permitted. However, modification of the permanent policy is not possible if
|
||||
+ one of the following conditions are met:
|
||||
+ ** Neither RuleFile nor RuleFolder are specified.
|
||||
+ ** RuleFile is not specified, RuleFolder is but it does not contain any files,
|
||||
+ where we could save permanent rules.
|
||||
|
||||
*ImplicitPolicyTarget*='target'::
|
||||
How to treat USB devices that don't match any rule in the policy. Target
|
||||
diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp
|
||||
--- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig 2023-01-05 10:58:49.689434809 +0100
|
||||
+++ usbguard-1.0.0/src/Daemon/Daemon.cpp 2023-01-05 10:59:18.991466884 +0100
|
||||
@@ -742,7 +742,7 @@ namespace usbguard
|
||||
/* TODO: reevaluate the firewall rules for all active devices */
|
||||
const uint32_t id = _policy.appendRule(rule, parent_id);
|
||||
|
||||
- if (_config.hasSettingValue("RuleFile") && permanent) {
|
||||
+ if ((_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) && permanent) {
|
||||
_policy.save();
|
||||
}
|
||||
|
||||
@@ -755,7 +755,7 @@ namespace usbguard
|
||||
USBGUARD_LOG(Trace) << "id=" << id;
|
||||
_policy.removeRule(id);
|
||||
|
||||
- if (_config.hasSettingValue("RuleFile")) {
|
||||
+ if (_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) {
|
||||
_policy.save();
|
||||
}
|
||||
}
|
||||
diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp
|
||||
--- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig 2023-01-05 10:59:27.117475780 +0100
|
||||
+++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp 2023-01-05 10:59:46.228496702 +0100
|
||||
@@ -75,8 +75,24 @@ namespace usbguard
|
||||
}
|
||||
}
|
||||
|
||||
- if (ruleSet.empty()){
|
||||
- USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible.";
|
||||
+ /*
|
||||
+ * This means one of the following:
|
||||
+ * - Neither RuleFile nor RuleFolder are specified
|
||||
+ * - RuleFile not specified, RuleFolder is but it does not contain any files,
|
||||
+ * where we could save permanent rules
|
||||
+ */
|
||||
+ if (ruleSet.empty()) {
|
||||
+ std::string msg;
|
||||
+
|
||||
+ if (ns.getRulesPath().empty() && ns.getRulesDirPath().empty()) {
|
||||
+ msg = "Neither RuleFile nor RuleFolder are set.";
|
||||
+ }
|
||||
+ else {
|
||||
+ msg = "RuleFile is not set, RuleFolder is but it does not contain any rule files.";
|
||||
+ }
|
||||
+
|
||||
+ USBGUARD_LOG(Warning) << "Modification of the permanent policy won't be possible."
|
||||
+ << " Reason: " << msg;
|
||||
ruleSet = generateDefaultRuleSet();
|
||||
}
|
||||
|
|
@ -0,0 +1,27 @@
|
|||
diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te
|
||||
--- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig 2022-08-24 16:14:30.810875871 +0200
|
||||
+++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te 2022-08-24 16:15:50.064906117 +0200
|
||||
@@ -100,7 +100,6 @@ logging_log_filetrans(usbguard_t, usbgua
|
||||
|
||||
logging_send_syslog_msg(usbguard_t)
|
||||
|
||||
-dbus_system_domain(usbguard_t, usbguard_exec_t)
|
||||
usbguard_ipc_access(usbguard_t)
|
||||
|
||||
tunable_policy(`usbguard_daemon_write_rules',`
|
||||
@@ -111,6 +110,15 @@ tunable_policy(`usbguard_daemon_write_co
|
||||
rw_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
|
||||
')
|
||||
|
||||
+optional_policy(`
|
||||
+ dbus_system_domain(usbguard_t, usbguard_exec_t)
|
||||
+
|
||||
+ optional_policy(`
|
||||
+ policykit_dbus_chat(usbguard_t)
|
||||
+ ')
|
||||
+')
|
||||
+
|
||||
+
|
||||
# Allow confined users to communicate with usbguard over unix socket
|
||||
optional_policy(`
|
||||
gen_require(`
|
|
@ -8,7 +8,7 @@
|
|||
|
||||
Name: usbguard
|
||||
Version: 1.0.0
|
||||
Release: 8%{?dist}
|
||||
Release: 13%{?dist}
|
||||
Summary: A tool for implementing USB device usage policy
|
||||
Group: System Environment/Daemons
|
||||
License: GPLv2+
|
||||
|
@ -19,6 +19,7 @@ Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-%
|
|||
Source1: https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
|
||||
Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz
|
||||
Source3: usbguard-daemon.conf
|
||||
ExcludeArch: i686
|
||||
|
||||
Requires: systemd
|
||||
Requires(post): systemd
|
||||
|
@ -27,7 +28,6 @@ Requires(postun): systemd
|
|||
Requires(post): /sbin/ldconfig
|
||||
Requires(postun): /sbin/ldconfig
|
||||
Recommends: (%{name}-selinux if selinux-policy-%{selinuxtype})
|
||||
Conflicts: %{name}
|
||||
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: libqb-devel
|
||||
|
@ -61,6 +61,15 @@ Patch8: usbguard-ipc-override-fix.patch
|
|||
Patch9: usbguard-validate-acl.patch
|
||||
Patch10: usbguard-notifier-decrease-spam.patch
|
||||
Patch11: usbguard-notifier-icon-injection.patch
|
||||
Patch12: usbguard-dbus-CVE.patch
|
||||
Patch13: usbguard-selinux-dbus-CVE.patch
|
||||
Patch14: usbguard-dbus-CVE-leak.patch
|
||||
Patch15: usbguard-daemon-race-condition.patch
|
||||
Patch16: usbguard-OOMScoreAdjust.patch
|
||||
Patch17: usbguard-consistent-rules.patch
|
||||
Patch18: usbguard-missing-doc.patch
|
||||
Patch19: usbguard-permanent-rules.patch
|
||||
Patch20: usbguard-disable-console-log.patch
|
||||
|
||||
%description
|
||||
The USBGuard software framework helps to protect your computer against rogue USB
|
||||
|
@ -148,6 +157,15 @@ rm -rf src/ThirdParty/{Catch,PEGTL}
|
|||
%patch9 -p1 -b .validate-acl
|
||||
%patch10 -p1 -b .notifier-decrease-spam
|
||||
%patch11 -p1 -b .notifier-icon-injection
|
||||
%patch12 -p1 -b .dbus-CVE
|
||||
%patch13 -p1 -b .selinux-dbus-CVE
|
||||
%patch14 -p1 -b .dbus-CVE-leak
|
||||
%patch15 -p1 -b .daemon-race
|
||||
%patch16 -p1 -b .OOMScoreAdjust
|
||||
%patch17 -p1 -b .consistent-rules
|
||||
%patch18 -p1 -b .missing-doc
|
||||
%patch19 -p1 -b .permanent-rules
|
||||
%patch20 -p1 -b .disable-syslog
|
||||
|
||||
%build
|
||||
mkdir -p ./m4
|
||||
|
@ -312,6 +330,25 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Thu Jan 12 2023 Attila Lakatos <alakatos@redhat.com> - 1.0.0-13
|
||||
- Set OOMScoreAdjust to -1000 in service file
|
||||
Resolves: rhbz#2159411
|
||||
- Fix race condition in usbguard-daemon when forking
|
||||
Resolves: rhbz#2159409
|
||||
- Add missing files to documentation
|
||||
Resolves: rhbz#2159412
|
||||
- Disable logging to console, logging to syslog is still enabled
|
||||
- Store permanent rules even if RuleFile is not set but RuleFolder is
|
||||
- Neither RuleFolder nor RuleFile exists bugfix
|
||||
Resolves: rhbz#2159413
|
||||
- Remove build for i686 arch
|
||||
Resolves: rhbz#2105091
|
||||
|
||||
* Wed Aug 24 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-10
|
||||
- Fix unauthorized access via D-bus
|
||||
- Fix memory leaks on connection failure to D-bus
|
||||
Resolves: rhbz#2059067
|
||||
|
||||
* Mon Nov 29 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-8
|
||||
- change usbguard icon injection
|
||||
- fix DSP module definition in spec file
|
||||
|
|
Loading…
Reference in New Issue