import usbguard-1.0.0-1.el8

.gitignore

@@ -1,3 +1,3 @@
-SOURCES/usbguard-0.7.8.tar.gz
+SOURCES/usbguard-1.0.0.tar.gz
 SOURCES/usbguard-notifier-0.0.6.tar.gz
 SOURCES/usbguard-selinux-0.0.3.tar.gz

.usbguard.metadata

@@ -1,3 +1,3 @@
-d8bbd3e9f4f0deb1418f71422e7fab3d14053412 SOURCES/usbguard-0.7.8.tar.gz
+bf909799daae6798634e1b01efaaadc5781b9755 SOURCES/usbguard-1.0.0.tar.gz
 7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
 e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz

SOURCES/usbguard-daemon.conf

@@ -9,6 +9,23 @@
 #
 RuleFile=/etc/usbguard/rules.conf
 
+#
+# Rule set folder path.
+#
+# The USBGuard daemon will use this folder to load the policy
+# rule set from it and to write new rules received via the
+# IPC interface. Usually, we set the option to
+# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to
+# behave like any other standard Linux daemon therefore it
+# loads rule files in alpha-numeric order. File names inside
+# RuleFolder directory should start with a two-digit number
+# prefix indicating the position, in which the rules are
+# scanned by the daemon.
+#
+# RuleFolder=/path/to/rulesfolder/
+#
+RuleFolder=/etc/usbguard/rules.d/
+
 #
 # Implicit policy target.
 #
@@ -64,14 +81,30 @@ PresentControllerPolicy=keep
 #
 InsertedDevicePolicy=apply-policy
 
+#
+# Control which devices are authorized by default.
+#
+# The USBGuard daemon modifies some the default authorization state attributes
+# of controller devices. This setting, enables you to define what value the
+# default authorization is set to.
+#
+# * keep         - do not change the authorization state
+# * none         - every new device starts out deauthorized
+# * all          - every new device starts out authorized
+# * internal     - internal devices start out authorized, external devices start
+#                  out deauthorized (this requires the ACPI tables to properly
+#                  label internal devices, and kernel support)
+#
+#AuthorizedDefault=none
+
 #
 # Restore controller device state.
 #
 # The USBGuard daemon modifies some attributes of controller
 # devices like the default authorization state of new child device
-# instances. Using this setting, you can controll whether the
+# instances. Using this setting, you can control whether the
 # daemon will try to restore the attribute values to the state
-# before modificaton on shutdown.
+# before modification on shutdown.
 #
 # SECURITY CONSIDERATIONS: If set to true, the USB authorization
 # policy could be bypassed by performing some sort of attack on the
@@ -85,11 +118,11 @@ RestoreControllerDeviceState=false
 #
 # Which device manager backend implementation to use. One of:
 #
-# * uevent - Netlink based implementation which uses sysfs to scan for present
-#            devices and an uevent netlink socket for receiving USB device
-#            related events.
-# * dummy  - A dummy device manager which simulates several devices and device
-#            events. Useful for testing.
+# * uevent   - Netlink based implementation which uses sysfs to scan for present
+#              devices and an uevent netlink socket for receiving USB device
+#              related events.
+# * umockdev - umockdev based device manager capable of simulating devices based
+#              on umockdev-record files. Useful for testing.
 #
 DeviceManagerBackend=uevent
 
@@ -171,3 +204,8 @@ AuditBackend=FileAudit
 #
 AuditFilePath=/var/log/usbguard/usbguard-audit.log
 
+#
+# Hides personally identifiable information such as device serial numbers and
+# hashes of descriptors (which include the serial number) from audit entries.
+#
+#HidePII=false

SOURCES/usbguard-forking-style.patch

@@ -1,34 +0,0 @@
-diff -up ./usbguard.service.in.forking ./usbguard.service.in
---- ./usbguard.service.in.forking	2020-06-17 20:07:04.720564149 +0200
-+++ ./usbguard.service.in	2020-06-17 20:10:00.744063846 +0200
-@@ -8,11 +8,12 @@ AmbientCapabilities=
- CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
- DeviceAllow=/dev/null rw
- DevicePolicy=strict
--ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
-+ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
- IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
- NoNewPrivileges=yes
-+PIDFile=/var/run/usbguard.pid
- PrivateDevices=yes
- PrivateTmp=yes
- ProtectControlGroups=yes
-@@ -20,14 +21,14 @@ ProtectHome=yes
- ProtectKernelModules=yes
- ProtectSystem=yes
- ReadOnlyPaths=-/
--ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
-+ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -/var/run
- Restart=on-failure
- RestrictAddressFamilies=AF_UNIX AF_NETLINK
- RestrictNamespaces=yes
- RestrictRealtime=yes
- SystemCallArchitectures=native
- SystemCallFilter=@system-service
--Type=simple
-+Type=forking
- UMask=0077
- 
- [Install]

SOURCES/usbguard-service-fips.patch

@@ -1,13 +0,0 @@
-diff -up ./usbguard.service.in.service-fips ./usbguard.service.in
---- ./usbguard.service.in.service-fips	2020-06-22 10:44:44.815860376 +0200
-+++ ./usbguard.service.in	2020-06-22 10:45:07.699135514 +0200
-@@ -6,8 +6,7 @@ Documentation=man:usbguard-daemon(8)
- [Service]
- AmbientCapabilities=
- CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
--DeviceAllow=/dev/null rw
--DevicePolicy=strict
-+DevicePolicy=closed
- ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
- IPAddressDeny=any
- LockPersonality=yes

SPECS/usbguard.spec

@@ -7,8 +7,8 @@
 %bcond_without check
 
 Name:           usbguard
-Version:        0.7.8
-Release:        5%{?dist}
+Version:        1.0.0
+Release:        1%{?dist}
 Summary:        A tool for implementing USB device usage policy
 Group:          System Environment/Daemons
 License:        GPLv2+
@@ -52,9 +52,7 @@ BuildRequires: libxml2
 Patch1: usbguard-0.7.6-notifier.patch
 Patch2: usbguard-selinux-rules-d.patch
 Patch3: usbguard-selinux-list-dir.patch
-Patch4: usbguard-forking-style.patch
-Patch5: usbguard-selinux-cpuinfo.patch
-Patch6: usbguard-service-fips.patch
+Patch4: usbguard-selinux-cpuinfo.patch
 
 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@@ -134,9 +132,7 @@ rm -rf src/ThirdParty/{Catch,PEGTL}
 %patch1 -p1 -b .notifier
 %patch2 -p1 -b .rules-d-selinux
 %patch3 -p1 -b .list-dir
-%patch4 -p1 -b .forking
-%patch5 -p1 -b .cpuinfo
-%patch6 -p1 -b .service-fips
+%patch4 -p1 -b .cpuinfo
 
 %build
 mkdir -p ./m4
@@ -200,7 +196,7 @@ install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_
 # notifier
 pushd %{name}-notifier-%{notifier_version}
 make install INSTALL='install -p' DESTDIR=%{buildroot}
-execstack -c %{buildroot}%{_bindir}/%{name}-notifier
+#execstack -c %{buildroot}%{_bindir}/%{name}-notifier
 popd
 
 # Cleanup
@@ -301,6 +297,28 @@ fi
 
 
 %changelog
+* Tue Jan 19 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-1
+- Rebase to 1.0.0
+Resolves: rhbz#1887448
+- Filtering rules by attribute
+Resolves: rhbz#1873953
+- Change device policy of multiple devices using rule instead of ID
+Resolves: rhbz#1852568
+
+* Tue Aug 11 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-7
+- Do not cause segfault in case of an empty rulesd folder
+Resolves: rhbz#1738590
+
+* Wed Aug 05 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-6
+- RHEL 8.3.0 ERRATUM
+- Removed execstack from .spec
+- Removed AuthorizedDefault=wired from the usbguard
+Resolves: rhbz#1852539
+- Missing error message on bad configuration
+Resolves: rhbz#1857299
+- /etc/usbguard/usbguard-daemon.conf file does not contain all default options
+Resolves: rhbz#1862907
+
 * Wed Jun 17 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-5
 - RHEL 8.3.0 ERRATUM
 - Use old-fasioned forking style in unit file