Sync with rhel-8.4.0 branch

Bundle usbguard-notifier as subpackage Resolves: rhbz#1917544
2021-02-19 18:21:44 +01:00 · 2021-02-19 18:21:44 +01:00 · 9014c5c9d8
commit 9014c5c9d8
parent 40023e6b76
7 changed files with 241 additions and 29 deletions
--- a/.gitignore
+++ b/.gitignore
@ -20,3 +20,4 @@
 /usbguard-0.7.8.tar.gz
 /usbguard-selinux-0.0.4.tar.gz
 /usbguard-1.0.0.tar.gz
+/usbguard-notifier-0.0.6.tar.gz
--- a/1
+++ b/1
@ -1,2 +1,3 @@
 SHA512 (usbguard-1.0.0.tar.gz) = 068a9be8bd5ea05efcdad79e2c4beb5e8b646b4703fbe1f8bb262e37ae9a6284a6eeb811a6bd441250a38bce1e45b7f44ad15726aa5963da2e1b56e85f5e16fd
 SHA512 (usbguard-selinux-0.0.4.tar.gz) = b73b14396e40f847704511097bfed17c94b9b28cc70f3391a6effab763a315fe723aba37bb4c622d18ab691306c485fcd7632ccc8a837413f32c73cd9879c8b0
+SHA512 (usbguard-notifier-0.0.6.tar.gz) = 25402ff336ed89c92a2c7824e97a25c59570f6240e2e9c97fd37dabc25ed49ebe7dc051982f4aaff181eb835677ec29cd4e4dfe9efc11f07583ff5cfb92630b0
--- a/usbguard-0.7.6-notifier.patch
+++ b/usbguard-0.7.6-notifier.patch
@ -0,0 +1,88 @@
+diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac
+--- ./usbguard-notifier-0.0.6/configure.ac.notifier	2020-04-29 07:35:43.057914703 +0200
+++ ./usbguard-notifier-0.0.6/configure.ac	2020-06-17 16:27:53.577151720 +0200
+@@ -44,6 +44,32 @@ AC_ARG_WITH(
+     [notificaiton_path="/tmp/usbguard-notifier"]
+ )
+ 
+# usbguard-devel
+# Add the path to where your usbguard-devel includes are
+# You might need this option when you want to package usbguard-notifier
+# together with usbguard at the same time
+AC_ARG_WITH(
+    [usbguard-devel],
+    AS_HELP_STRING([--with-usbguard-devel], [Select to compile notifier from source usbguard devel files(only top level directory)]),
+    [usbguard_CFLAGS="-I$withval/src/Library/public/"
+     usbguard_LIBS=""
+     usbguard_LA="$withval/libusbguard.la"
+     libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"
+     AC_SUBST([usbguard_CFLAGS])
+     AC_SUBST([usbguard_LIBS])
+     AC_SUBST([usbguard_LA])
+     custom_usbguard_devel_enabled=yes
+    ],
+    [
+        PKG_CHECK_MODULES(
+            [usbguard],
+            [libusbguard >= 0.7.2],
+            [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
+            [AC_MSG_FAILURE([libusbguard development files not found])]
+        )
+    ]
+)
+
+ # Build notifier-cli, default is yes
+ AC_ARG_ENABLE([notifier-cli],
+     [AC_HELP_STRING([--enable-notifier-cli], [enable notifier cli(default=yes)])],
+@@ -81,14 +107,6 @@ PKG_CHECK_MODULES(
+     [AC_MSG_FAILURE([libnotify development files not found])]
+ )
+ 
+-# usbguard
+-PKG_CHECK_MODULES(
+-    [usbguard],
+-    [libusbguard >= 0.7.2],
+-    [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
+-    [AC_MSG_FAILURE([libusbguard development files not found])]
+-)
+-
+ # asciidoc
+ AC_CHECK_PROGS(A2X, [a2x])
+ if test -z "$A2X"; then
+@@ -162,6 +180,7 @@ AC_SUBST(config_PATH, $prefix/.config)
+ AC_SUBST(NOTIFICATION_PATH, $notification_path)
+ 
+ AM_CONDITIONAL([NOTIFIER_CLI_ENABLED], [test "x$notifier_cli_enabled" = xyes ])
+AM_CONDITIONAL([CUSTOM_USBGUARD_DEVEL_ENABLED], [test "x$custom_usbguard_devel_enabled" = "xyes"])
+ 
+ AC_CONFIG_FILES([
+     Makefile
+diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am
+--- ./usbguard-notifier-0.0.6/Makefile.am.notifier	2020-04-29 07:18:21.024388188 +0200
+++ ./usbguard-notifier-0.0.6/Makefile.am	2020-06-17 16:27:53.592151848 +0200
+@@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \
+ 	@usbguard_CFLAGS@ \
+ 	-fPIC
+ 
+if CUSTOM_USBGUARD_DEVEL_ENABLED
+usbguard_notifier_LDADD = \
+	@usbguard_LA@
+usbguard_notifier_cli_LDADD = \
+	@usbguard_LA@
+endif
+
+ BUILT_SOURCES = \
+ 	src/BuildConfig.h
+ 
+diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1
+--- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier	2020-06-17 19:55:54.621855004 +0200
+++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1	2020-06-17 19:56:46.551297432 +0200
+@@ -53,7 +53,7 @@ Show help\&.
+ .RE
+ .SH "SEE ALSO"
+ .sp
+-usbguard\-notifier\-cli(1), usbguard(1)
+usbguard(1)
+ .SH "BUGS"
+ .sp
+ If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&.
--- a/usbguard-audit-capability.patch
+++ b/usbguard-audit-capability.patch
@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
+--- usbguard-1.0.0/usbguard.service.in.orig	2021-03-17 14:16:21.675374844 +0100
+++ usbguard-1.0.0/usbguard.service.in	2021-03-17 14:16:29.056373213 +0100
+@@ -5,7 +5,7 @@ Documentation=man:usbguard-daemon(8)
+ 
+ [Service]
+ AmbientCapabilities=
+-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
--- a/usbguard-daemon.conf
+++ b/usbguard-daemon.conf
@ -14,14 +14,18 @@ RuleFile=/etc/usbguard/rules.conf
 #
 # The USBGuard daemon will use this folder to load the policy
 # rule set from it and to write new rules received via the
-# IPC interface.
+# IPC interface. Usually, we set the option to
+# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to
+# behave like any other standard Linux daemon therefore it
+# loads rule files in alpha-numeric order. File names inside
+# RuleFolder directory should start with a two-digit number
+# prefix indicating the position, in which the rules are
+# scanned by the daemon.
 #
 # RuleFolder=/path/to/rulesfolder/
 #
-
 RuleFolder=/etc/usbguard/rules.d/

-
 #
 # Implicit policy target.
 #
@ -77,14 +81,30 @@ PresentControllerPolicy=keep
 #
 InsertedDevicePolicy=apply-policy

+#
+# Control which devices are authorized by default.
+#
+# The USBGuard daemon modifies some the default authorization state attributes
+# of controller devices. This setting, enables you to define what value the
+# default authorization is set to.
+#
+# * keep         - do not change the authorization state
+# * none         - every new device starts out deauthorized
+# * all          - every new device starts out authorized
+# * internal     - internal devices start out authorized, external devices start
+#                  out deauthorized (this requires the ACPI tables to properly
+#                  label internal devices, and kernel support)
+#
+#AuthorizedDefault=none
+
 #
 # Restore controller device state.
 #
 # The USBGuard daemon modifies some attributes of controller
 # devices like the default authorization state of new child device
-# instances. Using this setting, you can controll whether the
+# instances. Using this setting, you can control whether the
 # daemon will try to restore the attribute values to the state
-# before modificaton on shutdown.
+# before modification on shutdown.
 #
 # SECURITY CONSIDERATIONS: If set to true, the USB authorization
 # policy could be bypassed by performing some sort of attack on the
@ -98,11 +118,11 @@ RestoreControllerDeviceState=false
 #
 # Which device manager backend implementation to use. One of:
 #
-# * uevent - Netlink based implementation which uses sysfs to scan for present
-#            devices and an uevent netlink socket for receiving USB device
-#            related events.
-# * dummy  - A dummy device manager which simulates several devices and device
-#            events. Useful for testing.
+# * uevent   - Netlink based implementation which uses sysfs to scan for present
+#              devices and an uevent netlink socket for receiving USB device
+#              related events.
+# * umockdev - umockdev based device manager capable of simulating devices based
+#              on umockdev-record files. Useful for testing.
 #
 DeviceManagerBackend=uevent

@ -188,4 +208,4 @@ AuditFilePath=/var/log/usbguard/usbguard-audit.log
 # Hides personally identifiable information such as device serial numbers and
 # hashes of descriptors (which include the serial number) from audit entries.
 #
-HidePII=false
+#HidePII=false
--- a/usbguard-selinux-audit-capability.patch
+++ b/usbguard-selinux-audit-capability.patch
@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te
+--- usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig	2021-03-23 10:32:56.239139027 +0100
+++ usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te	2021-03-23 10:33:05.718229143 +0100
+@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t)
+ # Local policy
+ #
+ 
+-allow usbguard_t self:capability { chown fowner };
+allow usbguard_t self:capability { chown fowner audit_write };
+ allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read };
+ allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+ 
--- a/usbguard.spec
+++ b/usbguard.spec
@ -1,18 +1,24 @@
+%global _hardened_build 1
 %global selinuxtype targeted
 %global moduletype contrib
 %define semodule_version 0.0.4
+%define notifier_version 0.0.6
+
+%bcond_without check

 Name:           usbguard
 Version:        1.0.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        A tool for implementing USB device usage policy
+Group:          System Environment/Daemons
 License:        GPLv2+
 ## Not installed
 # src/ThirdParty/Catch: Boost Software License - Version 1.0
 URL:            https://usbguard.github.io/
 Source0:        https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
-Source1:        https://github.com/USBGuard/usbguard/releases/download/%{name}-selinux-%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
-Source2:        usbguard-daemon.conf
+Source1:        https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
+Source2:        https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz
+Source3:        usbguard-daemon.conf

 Requires: systemd
 Requires(post): systemd
@ -21,10 +27,7 @@ Requires(postun): systemd
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
 Recommends: %{name}-selinux
-Obsoletes: %{name}-applet-qt < 0.7.6

-BuildRequires: make
-BuildRequires: gcc
 BuildRequires: gcc-c++
 BuildRequires: libqb-devel
 BuildRequires: libgcrypt-devel
@ -39,6 +42,17 @@ BuildRequires: audit-libs-devel
 # For `pkg-config systemd` only
 BuildRequires: systemd

+BuildRequires: dbus-glib-devel
+BuildRequires: dbus-devel
+BuildRequires: glib2-devel
+BuildRequires: polkit-devel
+BuildRequires: libxslt
+BuildRequires: libxml2
+
+Patch1: usbguard-0.7.6-notifier.patch
+Patch2: usbguard-audit-capability.patch
+Patch3: usbguard-selinux-audit-capability.patch
+
 %description
 The USBGuard software framework helps to protect your computer against rogue USB
 devices by implementing basic whitelisting/blacklisting capabilities based on
@ -46,6 +60,7 @@ USB device attributes.

 %package        devel
 Summary:        Development files for %{name}
+Group:          Development/Libraries
 Requires:       %{name} = %{version}-%{release}
 Requires:       pkgconfig
 Requires:       libstdc++-devel
@ -56,23 +71,17 @@ developing applications that use %{name}.

 %package        tools
 Summary:        USBGuard Tools
+Group:          Applications/System
 Requires:       %{name} = %{version}-%{release}

 %description    tools
 The %{name}-tools package contains optional tools from the USBGuard
 software framework.

-
-# dbus
 %package        dbus
 Summary:        USBGuard D-Bus Service
+Group:          Applications/System
 Requires:       %{name} = %{version}-%{release}
-BuildRequires:	dbus-glib-devel
-BuildRequires:	dbus-devel
-BuildRequires:	glib2-devel
-BuildRequires:	polkit-devel
-BuildRequires:	libxslt
-BuildRequires:	libxml2
 Requires:       dbus
 Requires:       polkit

@ -93,6 +102,19 @@ BuildArch: noarch
 The %{name}-selinux package contains selinux policy for the USBGuard
 daemon.

+%package        notifier
+Summary:        A tool for detecting usbguard policy and device presence changes
+Group:          Applications/System
+Requires:       %{name} = %{version}-%{release}
+Requires:       systemd
+BuildRequires:  librsvg2-devel
+BuildRequires:  libnotify-devel
+BuildRequires:  execstack
+
+%description    notifier
+The %{name}-notifier package detects usbguard policy modifications as well as
+device presence changes and displays them as pop-up notifications.
+
 # usbguard
 %prep
 %setup -q
@ -100,9 +122,16 @@ daemon.
 # selinux
 %setup -q -D -T -a 1

+# notifier
+%setup -q -D -T -a 2
+
 # Remove bundled library sources before build
 rm -rf src/ThirdParty/{Catch,PEGTL}

+%patch1 -p1 -b .notifier
+%patch2 -p1 -b .audit-write
+%patch3 -p1 -b .selinux-audit-write
+
 %build
 mkdir -p ./m4
 autoreconf -i -v --no-recursive ./
@ -122,8 +151,26 @@ pushd %{name}-selinux-%{semodule_version}
 make
 popd

+# notifier
+pushd %{name}-notifier-%{notifier_version}
+mkdir -p ./m4
+autoreconf -i -v --no-recursive ./
+export CXXFLAGS="$RPM_OPT_FLAGS"
+%configure \
+    --disable-silent-rules \
+    --without-bundled-catch \
+    --enable-debug-build \
+    --disable-notifier-cli \
+    --with-usbguard-devel="../"
+
+%set_build_flags
+make %{?_smp_mflags}
+popd
+
+%if %{with check}
 %check
 make check
+%endif

 # selinux
 %pre selinux
@ -136,7 +183,7 @@ make install INSTALL='install -p' DESTDIR=%{buildroot}
 mkdir -p %{buildroot}%{_sysconfdir}/usbguard
 mkdir -p %{buildroot}%{_sysconfdir}/usbguard/rules.d
 mkdir -p %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d
-install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
+install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf

 # selinux
 install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
@ -144,6 +191,12 @@ install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%
 install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
 install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if

+# notifier
+pushd %{name}-notifier-%{notifier_version}
+make install INSTALL='install -p' DESTDIR=%{buildroot}
+#execstack -c %{buildroot}%{_bindir}/%{name}-notifier
+popd
+
 # Cleanup
 find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'

@ -151,14 +204,15 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
 %systemd_preun usbguard.service

 %post
-%{?ldconfig}
+/sbin/ldconfig
 %systemd_post usbguard.service

 %postun
-%{?ldconfig}
+/sbin/ldconfig
 %systemd_postun usbguard.service

 %files
+%defattr(-,root,root,-)
 %doc README.adoc CHANGELOG.md
 %license LICENSE
 %{_libdir}/*.so.*
@ -178,15 +232,18 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
 %{_datadir}/bash-completion/completions/usbguard

 %files devel
+%defattr(-,root,root,-)
 %{_includedir}/*
 %{_libdir}/*.so
 %{_libdir}/pkgconfig/*.pc

 %files tools
+%defattr(-,root,root,-)
 %{_bindir}/usbguard-rule-parser

-# dbus
+
 %files dbus
+%defattr(-,root,root,-)
 %{_sbindir}/usbguard-dbus
 %{_datadir}/dbus-1/system-services/org.usbguard1.service
 %{_datadir}/dbus-1/system.d/org.usbguard1.conf
@ -219,9 +276,30 @@ fi
 %posttrans selinux
 %selinux_relabel_post -s %{selinuxtype}

+%files notifier
+%defattr(-,root,root,-)
+%doc %{name}-notifier-%{notifier_version}/README.md %{name}-notifier-%{notifier_version}/CHANGELOG.md
+%license %{name}-notifier-%{notifier_version}/LICENSE
+%{_bindir}/%{name}-notifier
+%{_mandir}/man1/%{name}-notifier.1.gz
+%{_userunitdir}/%{name}-notifier.service
+
+%post notifier
+%systemd_user_post %{name}-notifier.service
+
+%preun notifier
+%systemd_user_preun %{name}-notifier.service
+
+%postun notifier
+%systemd_user_postun_with_restart %{name}-notifier.service


 %changelog
+* Fri Feb 19 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-4
+- sync with rhel-8.4.0 branch
+- bundle usbguard-notifier as subpackage
+Resolves: rhbz#1917544
+
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild