diff --git a/SOURCES/usbguard-OOMScoreAdjust.patch b/SOURCES/usbguard-OOMScoreAdjust.patch new file mode 100644 index 0000000..d101768 --- /dev/null +++ b/SOURCES/usbguard-OOMScoreAdjust.patch @@ -0,0 +1,11 @@ +diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in +--- usbguard-1.0.0/usbguard.service.in.orig 2022-11-28 10:21:35.889977314 +0100 ++++ usbguard-1.0.0/usbguard.service.in 2022-11-28 10:21:52.711987716 +0100 +@@ -4,6 +4,7 @@ Wants=systemd-udevd.service local-fs.tar + Documentation=man:usbguard-daemon(8) + + [Service] ++OOMScoreAdjust=-1000 + AmbientCapabilities= + CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE + DevicePolicy=closed diff --git a/SOURCES/usbguard-consistent-rules.patch b/SOURCES/usbguard-consistent-rules.patch new file mode 100644 index 0000000..7420215 --- /dev/null +++ b/SOURCES/usbguard-consistent-rules.patch @@ -0,0 +1,12 @@ +diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp +--- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig 2022-11-28 10:35:44.052560664 +0100 ++++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp 2022-11-28 10:35:55.510568939 +0100 +@@ -76,7 +76,7 @@ namespace usbguard + } + + if (ruleSet.empty()){ +- USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible."; ++ USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible."; + ruleSet = generateDefaultRuleSet(); + } + diff --git a/SOURCES/usbguard-daemon-race-condition.patch b/SOURCES/usbguard-daemon-race-condition.patch new file mode 100644 index 0000000..40e5645 --- /dev/null +++ b/SOURCES/usbguard-daemon-race-condition.patch @@ -0,0 +1,19 @@ +diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp +--- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig 2022-11-28 10:25:01.044104150 +0100 ++++ usbguard-1.0.0/src/Daemon/Daemon.cpp 2022-11-28 10:25:34.736124980 +0100 +@@ -40,6 +40,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -606,6 +607,7 @@ namespace usbguard + const int signum = sigtimedwait(&mask, &info, &timeout); + + if (signum == SIGUSR1 && info.si_signo == SIGUSR1 && info.si_pid == pid) { ++ waitpid(pid, nullptr, 0); + USBGUARD_LOG(Trace) << "Finished daemonization"; + exit(EXIT_SUCCESS); + } diff --git a/SOURCES/usbguard-dbus-CVE-leak.patch b/SOURCES/usbguard-dbus-CVE-leak.patch new file mode 100644 index 0000000..f34290a --- /dev/null +++ b/SOURCES/usbguard-dbus-CVE-leak.patch @@ -0,0 +1,31 @@ +diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp +--- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig 2022-10-18 10:33:04.498762878 +0200 ++++ usbguard-1.0.0/src/DBus/DBusBridge.cpp 2022-10-18 10:33:36.920785285 +0200 +@@ -434,12 +434,11 @@ namespace usbguard + USBGUARD_LOG(Trace) << "Connecting with Polkit authority..."; + PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error); + +- if (! authority || error) { ++ if (! authority) { + USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << "."; + *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; + *authErrorMessage = "Failed to connect to Polkit authority"; + g_error_free(error); +- g_object_unref(authority); + g_object_unref(subject); + return false; + } +@@ -470,12 +469,11 @@ namespace usbguard + /*cancellable=*/ NULL, + &error); + +- if (! result || error) { ++ if (! result) { + USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << "."; + *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; + *authErrorMessage = "Failed to check back with Polkit for authoriation."; + g_error_free(error); +- g_object_unref(result); + g_object_unref(details); + g_object_unref(authority); + g_object_unref(subject); diff --git a/SOURCES/usbguard-dbus-CVE.patch b/SOURCES/usbguard-dbus-CVE.patch new file mode 100644 index 0000000..ed2747a --- /dev/null +++ b/SOURCES/usbguard-dbus-CVE.patch @@ -0,0 +1,335 @@ +diff -up usbguard-1.0.0/configure.ac.orig usbguard-1.0.0/configure.ac +--- usbguard-1.0.0/configure.ac.orig 2022-08-16 10:24:34.345570913 +0200 ++++ usbguard-1.0.0/configure.ac 2022-08-16 10:24:34.307571236 +0200 +@@ -399,7 +399,7 @@ if test "x$with_dbus" = xyes; then + # + # Check for required D-Bus modules + # +- PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0], ++ PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0 polkit-gobject-1], + [AC_DEFINE([HAVE_DBUS], [1], [Required GDBus API available]) + dbus_summary="system-wide; $dbus_CFLAGS $dbus_LIBS"], + [AC_MSG_FAILURE([Required D-Bus modules (dbus-1, gio-2.0) not found!])] +diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp +--- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig 2022-08-16 10:24:34.312571194 +0200 ++++ usbguard-1.0.0/src/DBus/DBusBridge.cpp 2022-08-16 10:28:28.595587136 +0200 +@@ -21,6 +21,8 @@ + #endif + + #include "DBusBridge.hpp" ++#include ++ + namespace usbguard + { + DBusBridge::DBusBridge(GDBusConnection* const gdbus_connection, +@@ -74,9 +76,19 @@ namespace usbguard + return; + } + ++ #define DBUS_AUTH_CHECK \ ++ GDBusError authErrorCode = G_DBUS_ERROR_FAILED; \ ++ const gchar* authErrorMessage = NULL; \ ++ if (! isAuthorizedByPolkit(invocation, &authErrorCode, &authErrorMessage)) { \ ++ g_dbus_method_invocation_return_error_literal(invocation, G_DBUS_ERROR, authErrorCode, authErrorMessage); \ ++ return; \ ++ } ++ + void DBusBridge::handleRootMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation) + { + if (method_name == "getParameter") { ++ DBUS_AUTH_CHECK ++ + const char* name_cstr = nullptr; + g_variant_get(parameters, "(&s)", &name_cstr); + std::string name(name_cstr); +@@ -86,6 +98,8 @@ namespace usbguard + } + + if (method_name == "setParameter") { ++ DBUS_AUTH_CHECK ++ + const char* name_cstr = nullptr; + const char* value_cstr = nullptr; + g_variant_get(parameters, "(&s&s)", &name_cstr, &value_cstr); +@@ -104,6 +118,8 @@ namespace usbguard + void DBusBridge::handlePolicyMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation) + { + if (method_name == "listRules") { ++ DBUS_AUTH_CHECK ++ + const char* label_cstr = nullptr; + g_variant_get(parameters, "(&s)", &label_cstr); + std::string label(label_cstr); +@@ -136,6 +152,8 @@ namespace usbguard + } + + if (method_name == "appendRule") { ++ DBUS_AUTH_CHECK ++ + const char* rule_spec_cstr = nullptr; + uint32_t parent_id = 0; + gboolean temporary = false; +@@ -147,6 +165,8 @@ namespace usbguard + } + + if (method_name == "removeRule") { ++ DBUS_AUTH_CHECK ++ + uint32_t rule_id = 0; + g_variant_get(parameters, "(u)", &rule_id); + removeRule(rule_id); +@@ -163,6 +183,8 @@ namespace usbguard + GDBusMethodInvocation* invocation) + { + if (method_name == "listDevices") { ++ DBUS_AUTH_CHECK ++ + const char* query_cstr = nullptr; + g_variant_get(parameters, "(&s)", &query_cstr); + std::string query(query_cstr); +@@ -195,6 +217,8 @@ namespace usbguard + } + + if (method_name == "applyDevicePolicy") { ++ DBUS_AUTH_CHECK ++ + uint32_t device_id = 0; + uint32_t target_integer = 0; + gboolean permanent = false; +@@ -344,6 +368,135 @@ namespace usbguard + + return builder; + } ++ ++ std::string DBusBridge::formatGError(GError* error) ++ { ++ if (error) { ++ std::stringstream formatGError; ++ formatGError << error->message << " (code " << error->code << ")"; ++ return formatGError.str(); ++ } ++ else { ++ return "unknown error"; ++ } ++ } ++ ++ bool DBusBridge::isAuthorizedByPolkit(GDBusMethodInvocation* invocation, GDBusError* authErrorCode, ++ const gchar** authErrorMessage) ++ { ++ GError* error = NULL; ++ USBGUARD_LOG(Trace) << "Extracting bus name..."; ++ const gchar* const /*no-free!*/ bus_name = g_dbus_method_invocation_get_sender (invocation); ++ ++ if (! bus_name) { ++ USBGUARD_LOG(Trace) << "Failed to extract bus name."; ++ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; ++ *authErrorMessage = "Failed to extract bus name."; ++ return false; ++ } ++ ++ USBGUARD_LOG(Trace) << "Extracted bus name \"" << bus_name << "\"."; ++ USBGUARD_LOG(Trace) << "Extracting interface name..."; ++ const gchar* const /*no-free!*/ interfaceName = g_dbus_method_invocation_get_interface_name(invocation); ++ ++ if (! interfaceName) { ++ USBGUARD_LOG(Trace) << "Failed to extract interface name."; ++ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; ++ *authErrorMessage = "Failed to extract interface name."; ++ return false; ++ } ++ ++ USBGUARD_LOG(Trace) << "Extracted interface name \"" << interfaceName << "\"."; ++ USBGUARD_LOG(Trace) << "Extracting method name..."; ++ const gchar* const /*no-free!*/ methodName = g_dbus_method_invocation_get_method_name(invocation); ++ ++ if (! methodName) { ++ USBGUARD_LOG(Trace) << "Failed to extract method name."; ++ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; ++ *authErrorMessage = "Failed to extract method name."; ++ return false; ++ } ++ ++ std::stringstream action_id; ++ action_id << interfaceName << "." << methodName; ++ USBGUARD_LOG(Trace) << "Extracted method name \"" << methodName << "\"."; ++ USBGUARD_LOG(Trace) << "Creating a system bus Polkit subject..."; ++ PolkitSubject* const subject = polkit_system_bus_name_new(bus_name); ++ ++ if (! subject) { ++ USBGUARD_LOG(Trace) << "Failed to create Polkit subject."; ++ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; ++ *authErrorMessage = "Failed to create Polkit subject."; ++ return false; ++ } ++ ++ USBGUARD_LOG(Trace) << "Created."; ++ USBGUARD_LOG(Trace) << "Connecting with Polkit authority..."; ++ PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error); ++ ++ if (! authority || error) { ++ USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << "."; ++ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; ++ *authErrorMessage = "Failed to connect to Polkit authority"; ++ g_error_free(error); ++ g_object_unref(authority); ++ g_object_unref(subject); ++ return false; ++ } ++ ++ USBGUARD_LOG(Trace) << "Connected."; ++ USBGUARD_LOG(Trace) << "Customizing Polkit authentification dialog..."; ++ PolkitDetails* const details = polkit_details_new(); ++ ++ if (! details) { ++ USBGUARD_LOG(Trace) << "Failed to customize the Polkit authentification dialog."; ++ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; ++ *authErrorMessage = "Failed to customize the Polkit authentication dialog."; ++ g_object_unref(authority); ++ g_object_unref(subject); ++ return false; ++ } ++ ++ polkit_details_insert (details, "polkit.message", "This USBGuard action needs authorization"); ++ USBGUARD_LOG(Trace) << "Customized."; ++ USBGUARD_LOG(Trace) << "Checking authorization of action \"" << action_id.str() << "\" with Polkit ..."; ++ const PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION; ++ PolkitAuthorizationResult* const result = polkit_authority_check_authorization_sync ++ (authority, ++ subject, ++ action_id.str().c_str(), ++ details, ++ flags, ++ /*cancellable=*/ NULL, ++ &error); ++ ++ if (! result || error) { ++ USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << "."; ++ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; ++ *authErrorMessage = "Failed to check back with Polkit for authoriation."; ++ g_error_free(error); ++ g_object_unref(result); ++ g_object_unref(details); ++ g_object_unref(authority); ++ g_object_unref(subject); ++ return false; ++ } ++ ++ gboolean isAuthorized = polkit_authorization_result_get_is_authorized(result); ++ USBGUARD_LOG(Trace) << (isAuthorized ? "Authorized" : "Not authorized") << "."; ++ ++ if (! isAuthorized) { ++ *authErrorCode = G_DBUS_ERROR_ACCESS_DENIED; ++ *authErrorMessage = "Not authorized."; ++ } ++ ++ g_object_unref(result); ++ g_object_unref(details); ++ g_object_unref(authority); ++ g_object_unref(subject); ++ return isAuthorized; ++ } ++ + } /* namespace usbguard */ + + /* vim: set ts=2 sw=2 et */ +diff -up usbguard-1.0.0/src/DBus/DBusBridge.hpp.orig usbguard-1.0.0/src/DBus/DBusBridge.hpp +--- usbguard-1.0.0/src/DBus/DBusBridge.hpp.orig 2022-08-16 10:24:34.312571194 +0200 ++++ usbguard-1.0.0/src/DBus/DBusBridge.hpp 2022-08-16 10:28:33.514545528 +0200 +@@ -83,6 +83,9 @@ namespace usbguard + bool rule_match, + uint32_t rule_id); + ++ static std::string formatGError(GError* error); ++ static bool isAuthorizedByPolkit(GDBusMethodInvocation* invocation, GDBusError* authErrorCode, ++ const gchar** authErrorMessage); + + GDBusConnection* const p_gdbus_connection; + void(*p_ipc_callback)(bool); +diff -up usbguard-1.0.0/src/DBus/org.usbguard1.policy.orig usbguard-1.0.0/src/DBus/org.usbguard1.policy +--- usbguard-1.0.0/src/DBus/org.usbguard1.policy.orig 2022-08-16 10:24:34.312571194 +0200 ++++ usbguard-1.0.0/src/DBus/org.usbguard1.policy 2022-08-16 10:24:34.311571202 +0200 +@@ -1,23 +1,23 @@ + + +- ++ + + The USBGuard Project + https://github.org/USBGuard/usbguard + + + List the rule set (policy) used by the USBGuard daemon +- Prevents from listing the USBGuard policy ++ Prevents listing the USBGuard policy + + no +- auth_self_keep_session ++ yes + + + + + Append a new rule to the policy +- Prevents from appending rules to the USBGuard policy ++ Prevents appending rules to the USBGuard policy + + no + auth_admin +@@ -33,40 +33,41 @@ + + + +- +- List all USB devices recognized by the USBGuard daemon +- Prevents from listing USB devices recognized by the USBGuard daemon ++ ++ Apply a policy to a device in USBGuard ++ Prevents applying a policy to a device in USBGuard + + no +- auth_self_keep_session ++ auth_admin + + + +- +- Authorize a USB device via the USBGuard daemon to interact with the system +- Prevents from authorizing USB devices via the USBGuard daemon ++ ++ List all USB devices recognized by the USBGuard daemon ++ Prevents listing USB devices recognized by the USBGuard daemon + + no +- auth_admin ++ yes + + + +- +- Deauthorize a USB device via the USBGuard daemon +- Prevents from deauthorizing USB devices via the USBGuard daemon ++ ++ Get the value of a runtime parameter ++ Prevents getting values of runtime USBGuard parameters + + no +- auth_admin ++ yes + + + +- +- Remove a USB device via the USBGuard daemon +- Prevents from removing USB devices via the USBGuard daemon ++ ++ Set the value of a runtime parameter ++ Prevents setting values of runtime USBGuard parameters + + no + auth_admin + + ++ + + diff --git a/SOURCES/usbguard-disable-console-log.patch b/SOURCES/usbguard-disable-console-log.patch new file mode 100644 index 0000000..4eda60b --- /dev/null +++ b/SOURCES/usbguard-disable-console-log.patch @@ -0,0 +1,12 @@ +diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in +--- usbguard-1.0.0/usbguard.service.in.orig 2023-01-12 13:17:14.200064956 +0100 ++++ usbguard-1.0.0/usbguard.service.in 2023-01-12 13:17:22.588078994 +0100 +@@ -8,7 +8,7 @@ OOMScoreAdjust=-1000 + AmbientCapabilities= + CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE + DevicePolicy=closed +-ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf ++ExecStart=%sbindir%/usbguard-daemon -f -s -K -c %sysconfdir%/usbguard/usbguard-daemon.conf + LockPersonality=yes + MemoryDenyWriteExecute=yes + NoNewPrivileges=yes diff --git a/SOURCES/usbguard-missing-doc.patch b/SOURCES/usbguard-missing-doc.patch new file mode 100644 index 0000000..138a3cb --- /dev/null +++ b/SOURCES/usbguard-missing-doc.patch @@ -0,0 +1,43 @@ +diff -up usbguard-1.0.0/doc/man/example-allow-device.adoc.orig usbguard-1.0.0/doc/man/example-allow-device.adoc +--- usbguard-1.0.0/doc/man/example-allow-device.adoc.orig 2022-11-28 12:00:26.695561514 +0100 ++++ usbguard-1.0.0/doc/man/example-allow-device.adoc 2022-11-28 11:57:01.120457773 +0100 +@@ -0,0 +1,6 @@ ++.... ++ # Allow a device by ID(it is the very first number from the list-devices command output) ++ $ sudo usbguard allow-device 10 ++ # Allow all devices named "Dell Wired Multimedia Keyboard" ++ $ sudo usbguard allow-device name \"Dell Wired Multimedia Keyboard\" ++.... +diff -up usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig usbguard-1.0.0/doc/man/example-initial-policy.adoc +--- usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig 2022-11-28 12:00:31.781564080 +0100 ++++ usbguard-1.0.0/doc/man/example-initial-policy.adoc 2022-11-28 11:57:25.353470002 +0100 +@@ -0,0 +1,7 @@ ++.... ++ $ sudo usbguard generate-policy > rules.conf ++ $ vi rules.conf ++ (review/modify the rule set) ++ $ sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf ++ $ sudo systemctl restart usbguard ++.... +diff -up usbguard-1.0.0/doc/man/footer.adoc.orig usbguard-1.0.0/doc/man/footer.adoc +--- usbguard-1.0.0/doc/man/footer.adoc.orig 2022-11-28 11:54:21.495377220 +0100 ++++ usbguard-1.0.0/doc/man/footer.adoc 2022-11-28 11:55:51.960422872 +0100 +@@ -0,0 +1,18 @@ ++== BUGS ++If you find a bug in this software or if you'd like to request a feature to be implemented, please file a ticket at . ++ ++ ++== AUTHOR ++USBGuard was originally written by Daniel Kopeček. ++Many people have contributed to it. ++ ++ ++== RESOURCES ++Main web site: ++ ++ ++== COPYING ++Copyright © 2015-{docyear} Red Hat, Inc. + ++License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl.html. + ++This is free software: you are free to change and redistribute it. ++There is NO WARRANTY, to the extent permitted by law. diff --git a/SOURCES/usbguard-permanent-rules.patch b/SOURCES/usbguard-permanent-rules.patch new file mode 100644 index 0000000..845c702 --- /dev/null +++ b/SOURCES/usbguard-permanent-rules.patch @@ -0,0 +1,68 @@ +diff -up usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc.orig usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc +--- usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc.orig 2023-01-05 10:58:24.684407437 +0100 ++++ usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc 2023-01-05 10:58:42.323426745 +0100 +@@ -27,7 +27,12 @@ It may be overridden using the *-c* comm + behave like any other standard Linux daemon therefore it loads rule files in + alpha-numeric order. File names inside `RuleFolder` directory should start + with a two-digit number prefix indicating the position, in which the rules +- are scanned by the daemon. ++ are scanned by the daemon. Using RuleFile and RuleFolder at the same time is ++ permitted. However, modification of the permanent policy is not possible if ++ one of the following conditions are met: ++ ** Neither RuleFile nor RuleFolder are specified. ++ ** RuleFile is not specified, RuleFolder is but it does not contain any files, ++ where we could save permanent rules. + + *ImplicitPolicyTarget*='target':: + How to treat USB devices that don't match any rule in the policy. Target +diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp +--- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig 2023-01-05 10:58:49.689434809 +0100 ++++ usbguard-1.0.0/src/Daemon/Daemon.cpp 2023-01-05 10:59:18.991466884 +0100 +@@ -742,7 +742,7 @@ namespace usbguard + /* TODO: reevaluate the firewall rules for all active devices */ + const uint32_t id = _policy.appendRule(rule, parent_id); + +- if (_config.hasSettingValue("RuleFile") && permanent) { ++ if ((_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) && permanent) { + _policy.save(); + } + +@@ -755,7 +755,7 @@ namespace usbguard + USBGUARD_LOG(Trace) << "id=" << id; + _policy.removeRule(id); + +- if (_config.hasSettingValue("RuleFile")) { ++ if (_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) { + _policy.save(); + } + } +diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp +--- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig 2023-01-05 10:59:27.117475780 +0100 ++++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp 2023-01-05 10:59:46.228496702 +0100 +@@ -75,8 +75,24 @@ namespace usbguard + } + } + +- if (ruleSet.empty()){ +- USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible."; ++ /* ++ * This means one of the following: ++ * - Neither RuleFile nor RuleFolder are specified ++ * - RuleFile not specified, RuleFolder is but it does not contain any files, ++ * where we could save permanent rules ++ */ ++ if (ruleSet.empty()) { ++ std::string msg; ++ ++ if (ns.getRulesPath().empty() && ns.getRulesDirPath().empty()) { ++ msg = "Neither RuleFile nor RuleFolder are set."; ++ } ++ else { ++ msg = "RuleFile is not set, RuleFolder is but it does not contain any rule files."; ++ } ++ ++ USBGUARD_LOG(Warning) << "Modification of the permanent policy won't be possible." ++ << " Reason: " << msg; + ruleSet = generateDefaultRuleSet(); + } + diff --git a/SOURCES/usbguard-selinux-dbus-CVE.patch b/SOURCES/usbguard-selinux-dbus-CVE.patch new file mode 100644 index 0000000..24d378e --- /dev/null +++ b/SOURCES/usbguard-selinux-dbus-CVE.patch @@ -0,0 +1,27 @@ +diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te +--- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig 2022-08-24 16:14:30.810875871 +0200 ++++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te 2022-08-24 16:15:50.064906117 +0200 +@@ -100,7 +100,6 @@ logging_log_filetrans(usbguard_t, usbgua + + logging_send_syslog_msg(usbguard_t) + +-dbus_system_domain(usbguard_t, usbguard_exec_t) + usbguard_ipc_access(usbguard_t) + + tunable_policy(`usbguard_daemon_write_rules',` +@@ -111,6 +110,15 @@ tunable_policy(`usbguard_daemon_write_co + rw_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t) + ') + ++optional_policy(` ++ dbus_system_domain(usbguard_t, usbguard_exec_t) ++ ++ optional_policy(` ++ policykit_dbus_chat(usbguard_t) ++ ') ++') ++ ++ + # Allow confined users to communicate with usbguard over unix socket + optional_policy(` + gen_require(` diff --git a/SPECS/usbguard.spec b/SPECS/usbguard.spec index 74d96f1..52c652e 100644 --- a/SPECS/usbguard.spec +++ b/SPECS/usbguard.spec @@ -8,7 +8,7 @@ Name: usbguard Version: 1.0.0 -Release: 8%{?dist} +Release: 13%{?dist} Summary: A tool for implementing USB device usage policy Group: System Environment/Daemons License: GPLv2+ @@ -19,6 +19,7 @@ Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-% Source1: https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz Source3: usbguard-daemon.conf +ExcludeArch: i686 Requires: systemd Requires(post): systemd @@ -27,7 +28,6 @@ Requires(postun): systemd Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig Recommends: (%{name}-selinux if selinux-policy-%{selinuxtype}) -Conflicts: %{name} BuildRequires: gcc-c++ BuildRequires: libqb-devel @@ -61,6 +61,15 @@ Patch8: usbguard-ipc-override-fix.patch Patch9: usbguard-validate-acl.patch Patch10: usbguard-notifier-decrease-spam.patch Patch11: usbguard-notifier-icon-injection.patch +Patch12: usbguard-dbus-CVE.patch +Patch13: usbguard-selinux-dbus-CVE.patch +Patch14: usbguard-dbus-CVE-leak.patch +Patch15: usbguard-daemon-race-condition.patch +Patch16: usbguard-OOMScoreAdjust.patch +Patch17: usbguard-consistent-rules.patch +Patch18: usbguard-missing-doc.patch +Patch19: usbguard-permanent-rules.patch +Patch20: usbguard-disable-console-log.patch %description The USBGuard software framework helps to protect your computer against rogue USB @@ -148,6 +157,15 @@ rm -rf src/ThirdParty/{Catch,PEGTL} %patch9 -p1 -b .validate-acl %patch10 -p1 -b .notifier-decrease-spam %patch11 -p1 -b .notifier-icon-injection +%patch12 -p1 -b .dbus-CVE +%patch13 -p1 -b .selinux-dbus-CVE +%patch14 -p1 -b .dbus-CVE-leak +%patch15 -p1 -b .daemon-race +%patch16 -p1 -b .OOMScoreAdjust +%patch17 -p1 -b .consistent-rules +%patch18 -p1 -b .missing-doc +%patch19 -p1 -b .permanent-rules +%patch20 -p1 -b .disable-syslog %build mkdir -p ./m4 @@ -312,6 +330,25 @@ fi %changelog +* Thu Jan 12 2023 Attila Lakatos - 1.0.0-13 +- Set OOMScoreAdjust to -1000 in service file +Resolves: rhbz#2159411 +- Fix race condition in usbguard-daemon when forking +Resolves: rhbz#2159409 +- Add missing files to documentation +Resolves: rhbz#2159412 +- Disable logging to console, logging to syslog is still enabled +- Store permanent rules even if RuleFile is not set but RuleFolder is +- Neither RuleFolder nor RuleFile exists bugfix +Resolves: rhbz#2159413 +- Remove build for i686 arch +Resolves: rhbz#2105091 + +* Wed Aug 24 2022 Attila Lakatos - 1.0.0-10 +- Fix unauthorized access via D-bus +- Fix memory leaks on connection failure to D-bus +Resolves: rhbz#2059067 + * Mon Nov 29 2021 Zoltan Fridrich - 1.0.0-8 - change usbguard icon injection - fix DSP module definition in spec file