diff --git a/.gitignore b/.gitignore
index ed26253..a24719f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,4 @@
 /usbguard-0.7.8.tar.gz
 /usbguard-selinux-0.0.4.tar.gz
 /usbguard-1.0.0.tar.gz
+/usbguard-notifier-0.0.6.tar.gz
diff --git a/sources b/sources
index 6b48e8e..2261636 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,3 @@
 SHA512 (usbguard-1.0.0.tar.gz) = 068a9be8bd5ea05efcdad79e2c4beb5e8b646b4703fbe1f8bb262e37ae9a6284a6eeb811a6bd441250a38bce1e45b7f44ad15726aa5963da2e1b56e85f5e16fd
 SHA512 (usbguard-selinux-0.0.4.tar.gz) = b73b14396e40f847704511097bfed17c94b9b28cc70f3391a6effab763a315fe723aba37bb4c622d18ab691306c485fcd7632ccc8a837413f32c73cd9879c8b0
+SHA512 (usbguard-notifier-0.0.6.tar.gz) = 25402ff336ed89c92a2c7824e97a25c59570f6240e2e9c97fd37dabc25ed49ebe7dc051982f4aaff181eb835677ec29cd4e4dfe9efc11f07583ff5cfb92630b0
diff --git a/usbguard-0.7.6-notifier.patch b/usbguard-0.7.6-notifier.patch
new file mode 100644
index 0000000..9d21147
--- /dev/null
+++ b/usbguard-0.7.6-notifier.patch
@@ -0,0 +1,88 @@ +diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac +--- ./usbguard-notifier-0.0.6/configure.ac.notifier 2020-04-29 07:35:43.057914703 +0200 ++++ ./usbguard-notifier-0.0.6/configure.ac 2020-06-17 16:27:53.577151720 +0200 +@@ -44,6 +44,32 @@ AC_ARG_WITH( + [notificaiton_path="/tmp/usbguard-notifier"] + ) + ++# usbguard-devel ++# Add the path to where your usbguard-devel includes are ++# You might need this option when you want to package usbguard-notifier ++# together with usbguard at the same time ++AC_ARG_WITH( ++ [usbguard-devel], ++ AS_HELP_STRING([--with-usbguard-devel], [Select to compile notifier from source usbguard devel files(only top level directory)]), ++ [usbguard_CFLAGS="-I$withval/src/Library/public/" ++ usbguard_LIBS="" ++ usbguard_LA="$withval/libusbguard.la" ++ libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS" ++ AC_SUBST([usbguard_CFLAGS]) ++ AC_SUBST([usbguard_LIBS]) ++ AC_SUBST([usbguard_LA]) ++ custom_usbguard_devel_enabled=yes ++ ], ++ [ ++ PKG_CHECK_MODULES( ++ [usbguard], ++ [libusbguard >= 0.7.2], ++ [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"], ++ [AC_MSG_FAILURE([libusbguard development files not found])] ++ ) ++ ] ++) ++ + # Build notifier-cli, default is yes + AC_ARG_ENABLE([notifier-cli], + [AC_HELP_STRING([--enable-notifier-cli], [enable notifier cli(default=yes)])], +@@ -81,14 +107,6 @@ PKG_CHECK_MODULES( + [AC_MSG_FAILURE([libnotify development files not found])] + ) + +-# usbguard +-PKG_CHECK_MODULES( +- [usbguard], +- [libusbguard >= 0.7.2], +- [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"], +- [AC_MSG_FAILURE([libusbguard development files not found])] +-) +- + # asciidoc + AC_CHECK_PROGS(A2X, [a2x]) + if test -z "$A2X"; then +@@ -162,6 +180,7 @@ AC_SUBST(config_PATH, $prefix/.config) + AC_SUBST(NOTIFICATION_PATH, $notification_path) + + AM_CONDITIONAL([NOTIFIER_CLI_ENABLED], [test "x$notifier_cli_enabled" = xyes ]) 
++AM_CONDITIONAL([CUSTOM_USBGUARD_DEVEL_ENABLED], [test "x$custom_usbguard_devel_enabled" = "xyes"]) + + AC_CONFIG_FILES([ + Makefile +diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am +--- ./usbguard-notifier-0.0.6/Makefile.am.notifier 2020-04-29 07:18:21.024388188 +0200 ++++ ./usbguard-notifier-0.0.6/Makefile.am 2020-06-17 16:27:53.592151848 +0200 +@@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \ + @usbguard_CFLAGS@ \ + -fPIC + ++if CUSTOM_USBGUARD_DEVEL_ENABLED ++usbguard_notifier_LDADD = \ ++ @usbguard_LA@ ++usbguard_notifier_cli_LDADD = \ ++ @usbguard_LA@ ++endif ++ + BUILT_SOURCES = \ + src/BuildConfig.h + +diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 +--- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier 2020-06-17 19:55:54.621855004 +0200 ++++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 2020-06-17 19:56:46.551297432 +0200 +@@ -53,7 +53,7 @@ Show help\&. + .RE + .SH "SEE ALSO" + .sp +-usbguard\-notifier\-cli(1), usbguard(1) ++usbguard(1) + .SH "BUGS" + .sp + If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&. diff --git a/usbguard-audit-capability.patch b/usbguard-audit-capability.patch new file mode 100644 index 0000000..934a25a --- /dev/null +++ b/usbguard-audit-capability.patch 
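Review bot: The `--with-usbguard-devel` branch in configure.ac never checks that `$withval/libusbguard.la` or `$withval/src/Library/public/` actually exists, so a wrong path is accepted by configure and only fails later at link time through `@usbguard_LA@` in Makefile.am. A one-line guard in the action-if-given, `AS_IF([test -f "$withval/libusbguard.la"], [], [AC_MSG_FAILURE([no libusbguard.la found under $withval])])`, reports the problem where the option is parsed. The spec passes the relative path `../`, so the resulting `-I../src/Library/public/` and `../libusbguard.la` are only valid when make runs from the notifier's top directory; the option's help text should say the path is resolved relative to the build directory. The Makefile.am hunk defines `usbguard_notifier_LDADD` only inside the conditional; whether the unpatched file already defines that variable elsewhere (in which case automake would see two definitions) is outside this hunk and I cannot confirm it.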
@@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
+--- usbguard-1.0.0/usbguard.service.in.orig 2021-03-17 14:16:21.675374844 +0100
++++ usbguard-1.0.0/usbguard.service.in 2021-03-17 14:16:29.056373213 +0100
+@@ -5,7 +5,7 @@ Documentation=man:usbguard-daemon(8)
+ 
+ [Service]
+ AmbientCapabilities=
+-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
++CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
diff --git a/usbguard-daemon.conf b/usbguard-daemon.conf
index d8806a1..ae5a6a2 100644
--- a/usbguard-daemon.conf
+++ b/usbguard-daemon.conf
@@ -14,14 +14,18 @@ RuleFile=/etc/usbguard/rules.conf
 #
 # The USBGuard daemon will use this folder to load the policy
 # rule set from it and to write new rules received via the
-# IPC interface.
+# IPC interface. Usually, we set the option to
+# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to
+# behave like any other standard Linux daemon therefore it
+# loads rule files in alpha-numeric order. File names inside
+# RuleFolder directory should start with a two-digit number
+# prefix indicating the position, in which the rules are
+# scanned by the daemon.
 #
 # RuleFolder=/path/to/rulesfolder/
 #
-
 RuleFolder=/etc/usbguard/rules.d/
-
 #
 # Implicit policy target.
 #
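Review bot: CAP_AUDIT_WRITE is added to the bounding set unconditionally, but nothing in the unit records why it is there, and the daemon only needs it when its audit backend hands records to the kernel audit subsystem (the AuditBackend setting of usbguard-daemon.conf is outside the visible hunks, so I cannot tell which backend the shipped configuration selects). A comment above the line, `# CAP_AUDIT_WRITE: needed only when AuditBackend in usbguard-daemon.conf sends records to the kernel audit log`, keeps the next hardening pass from silently dropping it and reintroducing the denial. The matching `audit_write` capability for usbguard_t lands in a separate patch in this same commit; since the two must stay in sync, the comment could also name that patch. Because AmbientCapabilities stays empty and no User= is set, the bounding set is the only thing limiting the root daemon here, so every addition to it deserves that kind of justification.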
@@ -77,14 +81,30 @@ PresentControllerPolicy=keep
 #
 InsertedDevicePolicy=apply-policy
+#
+# Control which devices are authorized by default.
+#
+# The USBGuard daemon modifies some the default authorization state attributes
+# of controller devices. This setting, enables you to define what value the
+# default authorization is set to.
+#
+# * keep - do not change the authorization state
+# * none - every new device starts out deauthorized
+# * all - every new device starts out authorized
+# * internal - internal devices start out authorized, external devices start
+# out deauthorized (this requires the ACPI tables to properly
+# label internal devices, and kernel support)
+#
+#AuthorizedDefault=none
+
 #
 # Restore controller device state.
 #
 # The USBGuard daemon modifies some attributes of controller
 # devices like the default authorization state of new child device
-# instances. Using this setting, you can controll whether the
+# instances. Using this setting, you can control whether the
 # daemon will try to restore the attribute values to the state
-# before modificaton on shutdown.
+# before modification on shutdown.
 #
 # SECURITY CONSIDERATIONS: If set to true, the USB authorization
 # policy could be bypassed by performing some sort of attack on the
@@ -98,11 +118,11 @@ RestoreControllerDeviceState=false
 #
 # Which device manager backend implementation to use. One of:
 #
-# * uevent - Netlink based implementation which uses sysfs to scan for present
-# devices and an uevent netlink socket for receiving USB device
-# related events.
-# * dummy - A dummy device manager which simulates several devices and device
-# events. Useful for testing.
+# * uevent - Netlink based implementation which uses sysfs to scan for present
+# devices and an uevent netlink socket for receiving USB device
+# related events.
+# * umockdev - umockdev based device manager capable of simulating devices based
+# on umockdev-record files. Useful for testing.
 #
 DeviceManagerBackend=uevent
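Review bot: The new AuthorizedDefault block ships the key commented out (`#AuthorizedDefault=none`) without saying what the daemon does when the key is absent, so a reader cannot tell whether the effective default is `none` or `keep`; either state the built-in default in the comment or set the key explicitly, as the other policy keys in this file are. Two wording defects in the added text: `# The USBGuard daemon modifies some the default authorization state attributes` is missing a word (`some of the`), and `# of controller devices. This setting, enables you to define what value the` has a stray comma after `setting`. The `keep` bullet is the security-relevant one: it leaves whatever default the kernel already applied, so if that default is "authorized" new devices are usable until the daemon's policy acts on them — I am inferring that from the option's own description, not from the daemon's code, so the comment should say this only after it is confirmed.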
@@ -188,4 +208,4 @@ AuditFilePath=/var/log/usbguard/usbguard-audit.log
 # Hides personally identifiable information such as device serial numbers and
 # hashes of descriptors (which include the serial number) from audit entries.
 #
-HidePII=false
+#HidePII=false
diff --git a/usbguard-selinux-audit-capability.patch b/usbguard-selinux-audit-capability.patch
new file mode 100644
index 0000000..41a6631
--- /dev/null
+++ b/usbguard-selinux-audit-capability.patch
@@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te
+--- usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig 2021-03-23 10:32:56.239139027 +0100
++++ usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te 2021-03-23 10:33:05.718229143 +0100
+@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t)
+ # Local policy
+ #
+ 
+-allow usbguard_t self:capability { chown fowner };
++allow usbguard_t self:capability { chown fowner audit_write };
+ allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read };
+ allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+ 
diff --git a/usbguard.spec b/usbguard.spec
index 7a5e489..adc72fa 100644
--- a/usbguard.spec
+++ b/usbguard.spec
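Review bot: Commenting the key out (`#HidePII=false`) makes the shipped configuration depend on the daemon's compiled-in default for HidePII, and the comment above it does not say what that default is, so an administrator reading the file can no longer see whether device serial numbers are being written to the audit log. Either keep the explicit `HidePII=false`, which documents the choice, or extend the comment with the effective default, e.g. `# Default: false (serial numbers and descriptor hashes are logged).` — the value must be confirmed against the daemon before it is written down. The same "commented-out key, undocumented default" pattern is used for AuthorizedDefault elsewhere in this commit, so whichever convention is chosen should be applied consistently.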
@@ -1,18 +1,24 @@ +%global _hardened_build 1 %global selinuxtype targeted %global moduletype contrib %define semodule_version 0.0.4 +%define notifier_version 0.0.6 + +%bcond_without check Name: usbguard Version: 1.0.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: A tool for implementing USB device usage policy +Group: System Environment/Daemons License: GPLv2+ ## Not installed # src/ThirdParty/Catch: Boost Software License - Version 1.0 URL: https://usbguard.github.io/ Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz -Source1: https://github.com/USBGuard/usbguard/releases/download/%{name}-selinux-%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz -Source2: usbguard-daemon.conf +Source1: https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz +Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz +Source3: usbguard-daemon.conf Requires: systemd Requires(post): systemd @@ -21,10 +27,7 @@ Requires(postun): systemd Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig Recommends: %{name}-selinux -Obsoletes: %{name}-applet-qt < 0.7.6 -BuildRequires: make -BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: libqb-devel BuildRequires: libgcrypt-devel @@ -39,6 +42,17 @@ BuildRequires: audit-libs-devel # For `pkg-config systemd` only BuildRequires: systemd +BuildRequires: dbus-glib-devel +BuildRequires: dbus-devel +BuildRequires: glib2-devel +BuildRequires: polkit-devel +BuildRequires: libxslt +BuildRequires: libxml2 + +Patch1: usbguard-0.7.6-notifier.patch +Patch2: usbguard-audit-capability.patch +Patch3: usbguard-selinux-audit-capability.patch + %description The USBGuard software framework helps to protect your computer against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on 
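Review bot: Source1 now points at GitHub's auto-generated archive (`.../%{name}-selinux/archive/v%{semodule_version}.tar.gz#/...`) while the SHA512 recorded for usbguard-selinux-0.0.4.tar.gz in `sources` is unchanged; generated archives are not guaranteed to stay byte-identical, so a re-fetch can yield a tarball that no longer matches the hash, leaving the lookaside copy as the only one that builds. If the selinux project publishes a release asset, prefer that URL; otherwise add a comment next to Source1 noting that the hash was taken from a specific fetch of the generated archive. `%global _hardened_build 1` is harmless on current Fedora, where PIE is already the default, but a one-line comment such as `# kept for the RHEL sync; no effect on Fedora` would say why it is there.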
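Review bot: `BuildRequires: make` and `BuildRequires: gcc` are dropped while %build still calls `make %{?_smp_mflags}` and `make check` directly, so the package now relies on make being pulled in transitively (for example through gcc-c++), which current Fedora buildroots do not guarantee; keep `BuildRequires: make`. Removing `Obsoletes: %{name}-applet-qt < 0.7.6` also removes the upgrade path for systems that still carry the old applet package; if that is intentional because enough releases have passed, the changelog should say so, otherwise the line should stay.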
@@ -46,6 +60,7 @@ USB device attributes. %package devel Summary: Development files for %{name} +Group: Development/Libraries Requires: %{name} = %{version}-%{release} Requires: pkgconfig Requires: libstdc++-devel @@ -56,23 +71,17 @@ developing applications that use %{name}. %package tools Summary: USBGuard Tools +Group: Applications/System Requires: %{name} = %{version}-%{release} %description tools The %{name}-tools package contains optional tools from the USBGuard software framework. - -# dbus %package dbus Summary: USBGuard D-Bus Service +Group: Applications/System Requires: %{name} = %{version}-%{release} -BuildRequires: dbus-glib-devel -BuildRequires: dbus-devel -BuildRequires: glib2-devel -BuildRequires: polkit-devel -BuildRequires: libxslt -BuildRequires: libxml2 Requires: dbus Requires: polkit @@ -93,6 +102,19 @@ BuildArch: noarch The %{name}-selinux package contains selinux policy for the USBGuard daemon. +%package notifier +Summary: A tool for detecting usbguard policy and device presence changes +Group: Applications/System +Requires: %{name} = %{version}-%{release} +Requires: systemd +BuildRequires: librsvg2-devel +BuildRequires: libnotify-devel +BuildRequires: execstack + +%description notifier +The %{name}-notifier package detects usbguard policy modifications as well as +device presence changes and displays them as pop-up notifications. + # usbguard %prep %setup -q @@ -100,9 +122,16 @@ daemon. # selinux %setup -q -D -T -a 1 +# notifier +%setup -q -D -T -a 2 + # Remove bundled library sources before build rm -rf src/ThirdParty/{Catch,PEGTL} +%patch1 -p1 -b .notifier +%patch2 -p1 -b .audit-write +%patch3 -p1 -b .selinux-audit-write + %build mkdir -p ./m4 autoreconf -i -v --no-recursive ./ 
@@ -122,8 +151,26 @@ pushd %{name}-selinux-%{semodule_version} make popd +# notifier +pushd %{name}-notifier-%{notifier_version} +mkdir -p ./m4 +autoreconf -i -v --no-recursive ./ +export CXXFLAGS="$RPM_OPT_FLAGS" +%configure \ + --disable-silent-rules \ + --without-bundled-catch \ + --enable-debug-build \ + --disable-notifier-cli \ + --with-usbguard-devel="../" + +%set_build_flags +make %{?_smp_mflags} +popd + +%if %{with check} %check make check +%endif # selinux %pre selinux @@ -136,7 +183,7 @@ make install INSTALL='install -p' DESTDIR=%{buildroot} mkdir -p %{buildroot}%{_sysconfdir}/usbguard mkdir -p %{buildroot}%{_sysconfdir}/usbguard/rules.d mkdir -p %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d -install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf +install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf # selinux install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} @@ -144,6 +191,12 @@ install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}% install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if +# notifier +pushd %{name}-notifier-%{notifier_version} +make install INSTALL='install -p' DESTDIR=%{buildroot} +#execstack -c %{buildroot}%{_bindir}/%{name}-notifier +popd + # Cleanup find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' @@ -151,14 +204,15 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %systemd_preun usbguard.service %post -%{?ldconfig} +/sbin/ldconfig %systemd_post usbguard.service %postun -%{?ldconfig} +/sbin/ldconfig %systemd_postun usbguard.service %files +%defattr(-,root,root,-) %doc README.adoc CHANGELOG.md %license LICENSE %{_libdir}/*.so.* 
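Review bot: `--enable-debug-build` is passed to the notifier's configure for the packaged binary without explanation; if that switch lowers optimization or enables debug output in the notifier's build (not visible here), the shipped binary is not a release build — confirm what the option does and either drop it or comment why it is needed. The flag handling around it is redundant: `%configure` already exports the distribution's CFLAGS/CXXFLAGS/LDFLAGS, so `export CXXFLAGS="$RPM_OPT_FLAGS"` before it is unnecessary and `%set_build_flags` after it cannot change flags configure has already recorded. `make check` is only run in the top-level tree, so the `check` bcond never exercises the notifier even though it is built and shipped from this spec.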
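Review bot: The `execstack -c` call on the notifier binary is left commented out while `BuildRequires: execstack` is kept for the notifier subpackage, so the build pulls in a tool it never runs; more importantly, if the call was added because the binary was found to carry an executable-stack flag, shipping without it leaves that flag set and the loader maps the stack RWX. Check the built binary (`readelf -lW usbguard-notifier | grep GNU_STACK` should show `RW`, not `RWE`): if it is clean, drop both the commented line and the BuildRequires; if it is not, fix the object that lacks a `.note.GNU-stack` section in the notifier build rather than rewriting the ELF header after the fact.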
@@ -178,15 +232,18 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %{_datadir}/bash-completion/completions/usbguard %files devel +%defattr(-,root,root,-) %{_includedir}/* %{_libdir}/*.so %{_libdir}/pkgconfig/*.pc %files tools +%defattr(-,root,root,-) %{_bindir}/usbguard-rule-parser -# dbus + %files dbus +%defattr(-,root,root,-) %{_sbindir}/usbguard-dbus %{_datadir}/dbus-1/system-services/org.usbguard1.service %{_datadir}/dbus-1/system.d/org.usbguard1.conf @@ -219,9 +276,30 @@ fi %posttrans selinux %selinux_relabel_post -s %{selinuxtype} +%files notifier +%defattr(-,root,root,-) +%doc %{name}-notifier-%{notifier_version}/README.md %{name}-notifier-%{notifier_version}/CHANGELOG.md +%license %{name}-notifier-%{notifier_version}/LICENSE +%{_bindir}/%{name}-notifier +%{_mandir}/man1/%{name}-notifier.1.gz +%{_userunitdir}/%{name}-notifier.service + +%post notifier +%systemd_user_post %{name}-notifier.service + +%preun notifier +%systemd_user_preun %{name}-notifier.service + +%postun notifier +%systemd_user_postun_with_restart %{name}-notifier.service %changelog +* Fri Feb 19 2021 Attila Lakatos - 1.0.0-4 +- sync with rhel-8.4.0 branch +- bundle usbguard-notifier as subpackage +Resolves: rhbz#1917544 + * Wed Jan 27 2021 Fedora Release Engineering - 1.0.0-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild