import usbguard-0.7.8-7.el8

2020-08-12 18:30:46 +00:00 · 2020-08-12 18:30:46 +00:00 · d3745cb0ce
commit d3745cb0ce
parent 96eb0f7b90
5 changed files with 200 additions and 9 deletions
--- a/SOURCES/usbguard-daemon.conf
+++ b/SOURCES/usbguard-daemon.conf
@ -9,6 +9,23 @@
 #
 RuleFile=/etc/usbguard/rules.conf

+#
+# Rule set folder path.
+#
+# The USBGuard daemon will use this folder to load the policy
+# rule set from it and to write new rules received via the
+# IPC interface. Usually, we set the option to
+# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to
+# behave like any other standard Linux daemon therefore it
+# loads rule files in alpha-numeric order. File names inside
+# RuleFolder directory should start with a two-digit number
+# prefix indicating the position, in which the rules are
+# scanned by the daemon.
+#
+# RuleFolder=/path/to/rulesfolder/
+#
+RuleFolder=/etc/usbguard/rules.d/
+
 #
 # Implicit policy target.
 #
@ -64,14 +81,30 @@ PresentControllerPolicy=keep
 #
 InsertedDevicePolicy=apply-policy

+#
+# Control which devices are authorized by default.
+#
+# The USBGuard daemon modifies some the default authorization state attributes
+# of controller devices. This setting, enables you to define what value the
+# default authorization is set to.
+#
+# * keep         - do not change the authorization state
+# * none         - every new device starts out deauthorized
+# * all          - every new device starts out authorized
+# * internal     - internal devices start out authorized, external devices start
+#                  out deauthorized (this requires the ACPI tables to properly
+#                  label internal devices, and kernel support)
+#
+#AuthorizedDefault=none
+
 #
 # Restore controller device state.
 #
 # The USBGuard daemon modifies some attributes of controller
 # devices like the default authorization state of new child device
-# instances. Using this setting, you can controll whether the
+# instances. Using this setting, you can control whether the
 # daemon will try to restore the attribute values to the state
-# before modificaton on shutdown.
+# before modification on shutdown.
 #
 # SECURITY CONSIDERATIONS: If set to true, the USB authorization
 # policy could be bypassed by performing some sort of attack on the
@ -85,11 +118,11 @@ RestoreControllerDeviceState=false
 #
 # Which device manager backend implementation to use. One of:
 #
-# * uevent - Netlink based implementation which uses sysfs to scan for present
-#            devices and an uevent netlink socket for receiving USB device
-#            related events.
-# * dummy  - A dummy device manager which simulates several devices and device
-#            events. Useful for testing.
+# * uevent   - Netlink based implementation which uses sysfs to scan for present
+#              devices and an uevent netlink socket for receiving USB device
+#              related events.
+# * umockdev - umockdev based device manager capable of simulating devices based
+#              on umockdev-record files. Useful for testing.
 #
 DeviceManagerBackend=uevent

@ -171,3 +204,8 @@ AuditBackend=FileAudit
 #
 AuditFilePath=/var/log/usbguard/usbguard-audit.log

+#
+# Hides personally identifiable information such as device serial numbers and
+# hashes of descriptors (which include the serial number) from audit entries.
+#
+#HidePII=false
--- a/SOURCES/usbguard-permission-check.patch
+++ b/SOURCES/usbguard-permission-check.patch
@ -0,0 +1,69 @@
+From 39fc4c24333c3bf42eba0855f3b75ccea99865a4 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka <rsroka@redhat.com>
+Date: Tue, 21 Jul 2020 16:24:15 +0200
+Subject: [PATCH] Added permissions check also for IPC access files
+
+Signed-off-by: Radovan Sroka <rsroka@redhat.com>
+---
+ src/Common/Utility.cpp |  2 +-
+ src/Common/Utility.hpp |  2 +-
+ src/Daemon/Daemon.cpp  | 13 +++++++++----
+ 3 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/src/Common/Utility.cpp b/src/Common/Utility.cpp
+index d9fc26a..8eb4bd7 100644
+--- a/src/Common/Utility.cpp
+++ b/src/Common/Utility.cpp
+@@ -524,7 +524,7 @@ namespace usbguard
+     std::string file_name;
+ 
+     if (!dir_fd) {
+-      throw Exception("getConfigsFromDir", "opendir: " + path , strerror(errno));
+      throw Exception("getConfigsFromDir", "opendir: " + path, strerror(errno));
+     }
+ 
+     while ((dp = readdir(dir_fd)) != NULL) { // iterate over directory for file entries
+diff --git a/src/Common/Utility.hpp b/src/Common/Utility.hpp
+index df1afcd..4e90364 100644
+--- a/src/Common/Utility.hpp
+++ b/src/Common/Utility.hpp
+@@ -192,7 +192,7 @@ namespace usbguard
+   [](const std::pair<std::string, std::string>& a, const std::pair<std::string, std::string>& b) -> bool {
+     return a.first < b.first;
+   },
+-  bool directory_required = false);
+  bool directory_required = true);
+ 
+   /**
+    * Remove prefix from string.
+diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp
+index acc148f..9e67a3a 100644
+--- a/src/Daemon/Daemon.cpp
+++ b/src/Daemon/Daemon.cpp
+@@ -327,8 +327,13 @@ namespace usbguard
+ 
+     /* IPCAccessControlFiles */
+     if (_config.hasSettingValue("IPCAccessControlFiles")) {
+-      const std::string value = _config.getSettingValue("IPCAccessControlFiles");
+-      loadIPCAccessControlFiles(value);
+      const std::string ipc_dir = _config.getSettingValue("IPCAccessControlFiles");
+
+      if (check_permissions) {
+        checkFolderPermissions(ipc_dir, (S_IRUSR | S_IWUSR));
+      }
+
+      loadIPCAccessControlFiles(ipc_dir);
+     }
+ 
+     /* AuditBackend */
+@@ -1030,8 +1035,8 @@ namespace usbguard
+ 
+     /* Generate a match rule for upsert */
+     std::shared_ptr<Rule> match_rule = device->getDeviceRule(/*with-port=*/false,
+-							     /*with-parent-hash=*/false,
+-							     /*match_rule=*/true);
+        /*with-parent-hash=*/false,
+        /*match_rule=*/true);
+     const std::string match_spec = match_rule->toString();
+     USBGUARD_LOG(Debug) << "match_spec=" << match_spec;
+     /* Generate new device rule */
--- a/SOURCES/usbguard-removed-wired.patch
+++ b/SOURCES/usbguard-removed-wired.patch
@ -0,0 +1,48 @@
+diff -up ./doc/man/usbguard-daemon.conf.5.adoc.wired ./doc/man/usbguard-daemon.conf.5.adoc
+--- ./doc/man/usbguard-daemon.conf.5.adoc.wired	2020-08-05 16:12:15.064272832 +0200
+++ ./doc/man/usbguard-daemon.conf.5.adoc	2020-08-05 16:14:04.146885179 +0200
+@@ -51,8 +51,7 @@ It may be overridden using the *-c* comm
+     The USBGuard daemon modifies some of the default authorization state
+     attributes of controller devices. This setting, enables you to define what
+     value the default authorization is set to. Authorized default should be one
+-    of `keep` (do not change autorization state), `wired` (new wired USB
+-    devices start out authorized, wireless do not), `none` (every new device
+    of `keep` (do not change autorization state), `none` (every new device
+     starts out deauthorized), `all` (every new device starts out authorized) or
+     `internal` (internal devices start out authorized, external do not).
+ 
+diff -up ./src/Library/public/usbguard/DeviceManager.cpp.wired ./src/Library/public/usbguard/DeviceManager.cpp
+--- ./src/Library/public/usbguard/DeviceManager.cpp.wired	2019-11-16 18:32:45.220532059 +0100
+++ ./src/Library/public/usbguard/DeviceManager.cpp	2020-08-05 16:12:15.064272832 +0200
+@@ -71,7 +71,6 @@ namespace usbguard
+ 
+   static const std::vector<std::pair<std::string, DeviceManager::AuthorizedDefaultType>> authorized_default_type_strings = {
+     { "keep", DeviceManager::AuthorizedDefaultType::Keep },
+-    { "wired", DeviceManager::AuthorizedDefaultType::Wired },
+     { "none", DeviceManager::AuthorizedDefaultType::None },
+     { "all", DeviceManager::AuthorizedDefaultType::All },
+     { "internal", DeviceManager::AuthorizedDefaultType::Internal }
+diff -up ./src/Library/public/usbguard/DeviceManager.hpp.wired ./src/Library/public/usbguard/DeviceManager.hpp
+--- ./src/Library/public/usbguard/DeviceManager.hpp.wired	2020-05-14 13:45:48.183508037 +0200
+++ ./src/Library/public/usbguard/DeviceManager.hpp	2020-08-05 16:12:15.064272832 +0200
+@@ -60,8 +60,6 @@ namespace usbguard
+      */
+     enum class AuthorizedDefaultType {
+       Keep = -128, /**< Do not change the authorization state. */
+-      Wired = -1, /**< New wired USB devices start out authorized,
+-                    wireless USB devices do not. */
+       None = 0, /**< Every new device starts out deauthorized. */
+       All = 1, /**< Every new device starts out authorized. */
+       Internal = 2, /**< Internal devices start out authorized,
+diff -up ./usbguard-daemon.conf.in.wired ./usbguard-daemon.conf.in
+--- ./usbguard-daemon.conf.in.wired	2020-05-20 13:56:50.809203248 +0200
+++ ./usbguard-daemon.conf.in	2020-08-05 16:12:15.064272832 +0200
+@@ -91,8 +91,6 @@ InsertedDevicePolicy=apply-policy
+ # default authorization is set to.
+ #
+ # * keep         - do not change the authorization state
+-# * wired        - new wired USB devices start out authorized, wireless USB
+-#                  devices do not
+ # * none         - every new device starts out deauthorized
+ # * all          - every new device starts out authorized
+ # * internal     - internal devices start out authorized, external devices start
--- a/SOURCES/usbguard-rulesd.patch
+++ b/SOURCES/usbguard-rulesd.patch
@ -0,0 +1,13 @@
+diff -up ./src/Daemon/RuleSetFactory.cpp.orig ./src/Daemon/RuleSetFactory.cpp
+--- ./src/Daemon/RuleSetFactory.cpp.orig	2020-08-11 11:10:00.924479577 +0200
+++ ./src/Daemon/RuleSetFactory.cpp	2020-08-11 11:12:56.447279841 +0200
+@@ -74,7 +74,8 @@ namespace usbguard
+           ruleSet.push_back(rs);
+         }
+       }
+-      else if (ns.getRulesPath().empty()){
+
+      if (ruleSet.empty()){
+         USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible.";
+         ruleSet = generateDefaultRuleSet();
+       }
--- a/SPECS/usbguard.spec
+++ b/SPECS/usbguard.spec
@ -8,7 +8,7 @@

 Name:           usbguard
 Version:        0.7.8
-Release:        5%{?dist}
+Release:        7%{?dist}
 Summary:        A tool for implementing USB device usage policy
 Group:          System Environment/Daemons
 License:        GPLv2+
@ -56,6 +56,11 @@ Patch4: usbguard-forking-style.patch
 Patch5: usbguard-selinux-cpuinfo.patch
 Patch6: usbguard-service-fips.patch

+Patch7: usbguard-permission-check.patch
+Patch8: usbguard-removed-wired.patch
+Patch9: usbguard-rulesd.patch
+
+
 %description
 The USBGuard software framework helps to protect your computer against rogue USB
 devices by implementing basic whitelisting/blacklisting capabilities based on
@ -138,6 +143,10 @@ rm -rf src/ThirdParty/{Catch,PEGTL}
 %patch5 -p1 -b .cpuinfo
 %patch6 -p1 -b .service-fips

+%patch7 -p1 -b .perm
+%patch8 -p1 -b .wired
+%patch9 -p1 -b .rulesd
+
 %build
 mkdir -p ./m4
 autoreconf -i -v --no-recursive ./
@ -200,7 +209,7 @@ install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_
 # notifier
 pushd %{name}-notifier-%{notifier_version}
 make install INSTALL='install -p' DESTDIR=%{buildroot}
-execstack -c %{buildroot}%{_bindir}/%{name}-notifier
+#execstack -c %{buildroot}%{_bindir}/%{name}-notifier
 popd

 # Cleanup
@ -301,6 +310,20 @@ fi


 %changelog
+* Tue Aug 11 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-7
+- Do not cause segfault in case of an empty rulesd folder
+Resolves: rhbz#1738590
+
+* Wed Aug 05 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-6
+- RHEL 8.3.0 ERRATUM
+- Removed execstack from .spec
+- Removed AuthorizedDefault=wired from the usbguard
+Resolves: rhbz#1852539
+- Missing error message on bad configuration
+Resolves: rhbz#1857299
+- /etc/usbguard/usbguard-daemon.conf file does not contain all default options
+Resolves: rhbz#1862907
+
 * Wed Jun 17 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-5
 - RHEL 8.3.0 ERRATUM
 - Use old-fasioned forking style in unit file