diff --git a/SOURCES/usbguard-daemon.conf b/SOURCES/usbguard-daemon.conf index e9800b2..ae5a6a2 100644 --- a/SOURCES/usbguard-daemon.conf +++ b/SOURCES/usbguard-daemon.conf @@ -9,6 +9,23 @@ # RuleFile=/etc/usbguard/rules.conf +# +# Rule set folder path. +# +# The USBGuard daemon will use this folder to load the policy +# rule set from it and to write new rules received via the +# IPC interface. Usually, we set the option to +# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to +# behave like any other standard Linux daemon therefore it +# loads rule files in alpha-numeric order. File names inside +# RuleFolder directory should start with a two-digit number +# prefix indicating the position, in which the rules are +# scanned by the daemon. +# +# RuleFolder=/path/to/rulesfolder/ +# +RuleFolder=/etc/usbguard/rules.d/ + # # Implicit policy target. # @@ -64,14 +81,30 @@ PresentControllerPolicy=keep # InsertedDevicePolicy=apply-policy +# +# Control which devices are authorized by default. +# +# The USBGuard daemon modifies some the default authorization state attributes +# of controller devices. This setting, enables you to define what value the +# default authorization is set to. +# +# * keep - do not change the authorization state +# * none - every new device starts out deauthorized +# * all - every new device starts out authorized +# * internal - internal devices start out authorized, external devices start +# out deauthorized (this requires the ACPI tables to properly +# label internal devices, and kernel support) +# +#AuthorizedDefault=none + # # Restore controller device state. # # The USBGuard daemon modifies some attributes of controller # devices like the default authorization state of new child device -# instances. Using this setting, you can controll whether the +# instances. Using this setting, you can control whether the # daemon will try to restore the attribute values to the state -# before modificaton on shutdown. +# before modification on shutdown. # # SECURITY CONSIDERATIONS: If set to true, the USB authorization # policy could be bypassed by performing some sort of attack on the @@ -85,11 +118,11 @@ RestoreControllerDeviceState=false # # Which device manager backend implementation to use. One of: # -# * uevent - Netlink based implementation which uses sysfs to scan for present -# devices and an uevent netlink socket for receiving USB device -# related events. -# * dummy - A dummy device manager which simulates several devices and device -# events. Useful for testing. +# * uevent - Netlink based implementation which uses sysfs to scan for present +# devices and an uevent netlink socket for receiving USB device +# related events. +# * umockdev - umockdev based device manager capable of simulating devices based +# on umockdev-record files. Useful for testing. # DeviceManagerBackend=uevent @@ -171,3 +204,8 @@ AuditBackend=FileAudit # AuditFilePath=/var/log/usbguard/usbguard-audit.log +# +# Hides personally identifiable information such as device serial numbers and +# hashes of descriptors (which include the serial number) from audit entries. +# +#HidePII=false diff --git a/SOURCES/usbguard-permission-check.patch b/SOURCES/usbguard-permission-check.patch new file mode 100644 index 0000000..d9266e5 --- /dev/null +++ b/SOURCES/usbguard-permission-check.patch @@ -0,0 +1,69 @@ +From 39fc4c24333c3bf42eba0855f3b75ccea99865a4 Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Tue, 21 Jul 2020 16:24:15 +0200 +Subject: [PATCH] Added permissions check also for IPC access files + +Signed-off-by: Radovan Sroka +--- + src/Common/Utility.cpp | 2 +- + src/Common/Utility.hpp | 2 +- + src/Daemon/Daemon.cpp | 13 +++++++++---- + 3 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/src/Common/Utility.cpp b/src/Common/Utility.cpp +index d9fc26a..8eb4bd7 100644 +--- a/src/Common/Utility.cpp ++++ b/src/Common/Utility.cpp +@@ -524,7 +524,7 @@ namespace usbguard + std::string file_name; + + if (!dir_fd) { +- throw Exception("getConfigsFromDir", "opendir: " + path , strerror(errno)); ++ throw Exception("getConfigsFromDir", "opendir: " + path, strerror(errno)); + } + + while ((dp = readdir(dir_fd)) != NULL) { // iterate over directory for file entries +diff --git a/src/Common/Utility.hpp b/src/Common/Utility.hpp +index df1afcd..4e90364 100644 +--- a/src/Common/Utility.hpp ++++ b/src/Common/Utility.hpp +@@ -192,7 +192,7 @@ namespace usbguard + [](const std::pair& a, const std::pair& b) -> bool { + return a.first < b.first; + }, +- bool directory_required = false); ++ bool directory_required = true); + + /** + * Remove prefix from string. +diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp +index acc148f..9e67a3a 100644 +--- a/src/Daemon/Daemon.cpp ++++ b/src/Daemon/Daemon.cpp +@@ -327,8 +327,13 @@ namespace usbguard + + /* IPCAccessControlFiles */ + if (_config.hasSettingValue("IPCAccessControlFiles")) { +- const std::string value = _config.getSettingValue("IPCAccessControlFiles"); +- loadIPCAccessControlFiles(value); ++ const std::string ipc_dir = _config.getSettingValue("IPCAccessControlFiles"); ++ ++ if (check_permissions) { ++ checkFolderPermissions(ipc_dir, (S_IRUSR | S_IWUSR)); ++ } ++ ++ loadIPCAccessControlFiles(ipc_dir); + } + + /* AuditBackend */ +@@ -1030,8 +1035,8 @@ namespace usbguard + + /* Generate a match rule for upsert */ + std::shared_ptr match_rule = device->getDeviceRule(/*with-port=*/false, +- /*with-parent-hash=*/false, +- /*match_rule=*/true); ++ /*with-parent-hash=*/false, ++ /*match_rule=*/true); + const std::string match_spec = match_rule->toString(); + USBGUARD_LOG(Debug) << "match_spec=" << match_spec; + /* Generate new device rule */ diff --git a/SOURCES/usbguard-removed-wired.patch b/SOURCES/usbguard-removed-wired.patch new file mode 100644 index 0000000..5e87154 --- /dev/null +++ b/SOURCES/usbguard-removed-wired.patch @@ -0,0 +1,48 @@ +diff -up ./doc/man/usbguard-daemon.conf.5.adoc.wired ./doc/man/usbguard-daemon.conf.5.adoc +--- ./doc/man/usbguard-daemon.conf.5.adoc.wired 2020-08-05 16:12:15.064272832 +0200 ++++ ./doc/man/usbguard-daemon.conf.5.adoc 2020-08-05 16:14:04.146885179 +0200 +@@ -51,8 +51,7 @@ It may be overridden using the *-c* comm + The USBGuard daemon modifies some of the default authorization state + attributes of controller devices. This setting, enables you to define what + value the default authorization is set to. Authorized default should be one +- of `keep` (do not change autorization state), `wired` (new wired USB +- devices start out authorized, wireless do not), `none` (every new device ++ of `keep` (do not change autorization state), `none` (every new device + starts out deauthorized), `all` (every new device starts out authorized) or + `internal` (internal devices start out authorized, external do not). + +diff -up ./src/Library/public/usbguard/DeviceManager.cpp.wired ./src/Library/public/usbguard/DeviceManager.cpp +--- ./src/Library/public/usbguard/DeviceManager.cpp.wired 2019-11-16 18:32:45.220532059 +0100 ++++ ./src/Library/public/usbguard/DeviceManager.cpp 2020-08-05 16:12:15.064272832 +0200 +@@ -71,7 +71,6 @@ namespace usbguard + + static const std::vector> authorized_default_type_strings = { + { "keep", DeviceManager::AuthorizedDefaultType::Keep }, +- { "wired", DeviceManager::AuthorizedDefaultType::Wired }, + { "none", DeviceManager::AuthorizedDefaultType::None }, + { "all", DeviceManager::AuthorizedDefaultType::All }, + { "internal", DeviceManager::AuthorizedDefaultType::Internal } +diff -up ./src/Library/public/usbguard/DeviceManager.hpp.wired ./src/Library/public/usbguard/DeviceManager.hpp +--- ./src/Library/public/usbguard/DeviceManager.hpp.wired 2020-05-14 13:45:48.183508037 +0200 ++++ ./src/Library/public/usbguard/DeviceManager.hpp 2020-08-05 16:12:15.064272832 +0200 +@@ -60,8 +60,6 @@ namespace usbguard + */ + enum class AuthorizedDefaultType { + Keep = -128, /**< Do not change the authorization state. */ +- Wired = -1, /**< New wired USB devices start out authorized, +- wireless USB devices do not. */ + None = 0, /**< Every new device starts out deauthorized. */ + All = 1, /**< Every new device starts out authorized. */ + Internal = 2, /**< Internal devices start out authorized, +diff -up ./usbguard-daemon.conf.in.wired ./usbguard-daemon.conf.in +--- ./usbguard-daemon.conf.in.wired 2020-05-20 13:56:50.809203248 +0200 ++++ ./usbguard-daemon.conf.in 2020-08-05 16:12:15.064272832 +0200 +@@ -91,8 +91,6 @@ InsertedDevicePolicy=apply-policy + # default authorization is set to. + # + # * keep - do not change the authorization state +-# * wired - new wired USB devices start out authorized, wireless USB +-# devices do not + # * none - every new device starts out deauthorized + # * all - every new device starts out authorized + # * internal - internal devices start out authorized, external devices start diff --git a/SOURCES/usbguard-rulesd.patch b/SOURCES/usbguard-rulesd.patch new file mode 100644 index 0000000..7c54c38 --- /dev/null +++ b/SOURCES/usbguard-rulesd.patch @@ -0,0 +1,13 @@ +diff -up ./src/Daemon/RuleSetFactory.cpp.orig ./src/Daemon/RuleSetFactory.cpp +--- ./src/Daemon/RuleSetFactory.cpp.orig 2020-08-11 11:10:00.924479577 +0200 ++++ ./src/Daemon/RuleSetFactory.cpp 2020-08-11 11:12:56.447279841 +0200 +@@ -74,7 +74,8 @@ namespace usbguard + ruleSet.push_back(rs); + } + } +- else if (ns.getRulesPath().empty()){ ++ ++ if (ruleSet.empty()){ + USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible."; + ruleSet = generateDefaultRuleSet(); + } diff --git a/SPECS/usbguard.spec b/SPECS/usbguard.spec index 737c85a..886bc4c 100644 --- a/SPECS/usbguard.spec +++ b/SPECS/usbguard.spec @@ -8,7 +8,7 @@ Name: usbguard Version: 0.7.8 -Release: 5%{?dist} +Release: 7%{?dist} Summary: A tool for implementing USB device usage policy Group: System Environment/Daemons License: GPLv2+ @@ -56,6 +56,11 @@ Patch4: usbguard-forking-style.patch Patch5: usbguard-selinux-cpuinfo.patch Patch6: usbguard-service-fips.patch +Patch7: usbguard-permission-check.patch +Patch8: usbguard-removed-wired.patch +Patch9: usbguard-rulesd.patch + + %description The USBGuard software framework helps to protect your computer against rogue USB devices by implementing basic whitelisting/blacklisting capabilities based on @@ -138,6 +143,10 @@ rm -rf src/ThirdParty/{Catch,PEGTL} %patch5 -p1 -b .cpuinfo %patch6 -p1 -b .service-fips +%patch7 -p1 -b .perm +%patch8 -p1 -b .wired +%patch9 -p1 -b .rulesd + %build mkdir -p ./m4 autoreconf -i -v --no-recursive ./ @@ -200,7 +209,7 @@ install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_ # notifier pushd %{name}-notifier-%{notifier_version} make install INSTALL='install -p' DESTDIR=%{buildroot} -execstack -c %{buildroot}%{_bindir}/%{name}-notifier +#execstack -c %{buildroot}%{_bindir}/%{name}-notifier popd # Cleanup @@ -301,6 +310,20 @@ fi %changelog +* Tue Aug 11 2020 Attila Lakatos - 0.7.8-7 +- Do not cause segfault in case of an empty rulesd folder +Resolves: rhbz#1738590 + +* Wed Aug 05 2020 Radovan Sroka - 0.7.8-6 +- RHEL 8.3.0 ERRATUM +- Removed execstack from .spec +- Removed AuthorizedDefault=wired from the usbguard +Resolves: rhbz#1852539 +- Missing error message on bad configuration +Resolves: rhbz#1857299 +- /etc/usbguard/usbguard-daemon.conf file does not contain all default options +Resolves: rhbz#1862907 + * Wed Jun 17 2020 Radovan Sroka - 0.7.8-5 - RHEL 8.3.0 ERRATUM - Use old-fasioned forking style in unit file