Rebase to 1.1.3

Update usbguard-selinux subpackage Include usbguard-notifier subpackage Resolves: RHEL-37322
2024-06-07 09:41:37 +02:00 · 2024-06-07 09:41:37 +02:00 · d4e322bd1d
commit d4e322bd1d
parent 2995f5b575
7 changed files with 96 additions and 64 deletions
--- a/.gitignore
+++ b/.gitignore
@ -22,3 +22,6 @@
 /usbguard-1.0.0.tar.gz
 /usbguard-1.1.0.tar.gz
 /usbguard-1.1.2.tar.gz
+/usbguard-notifier-0.1.1.tar.gz
+/usbguard-1.1.3.tar.gz
+/usbguard-selinux-0.0.5.tar.gz
--- a/disable-console-logging.patch
+++ b/disable-console-logging.patch
@ -0,0 +1,12 @@
+diff -up usbguard-1.1.3/usbguard.service.in.orig usbguard-1.1.3/usbguard.service.in
+--- usbguard-1.1.3/usbguard.service.in.orig	2024-06-12 14:36:13.192536970 +0200
+++ usbguard-1.1.3/usbguard.service.in	2024-06-12 14:36:21.110609346 +0200
+@@ -8,7 +8,7 @@ OOMScoreAdjust=-1000
+ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
+-ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ExecStart=%sbindir%/usbguard-daemon -f -s -K -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
--- a/policykit-dbus-chat-selinux.patch
+++ b/policykit-dbus-chat-selinux.patch
@ -1,22 +0,0 @@
-diff -up ./usbguard-selinux-0.0.4/usbguard.te.policykit ./usbguard-selinux-0.0.4/usbguard.te
--- ./usbguard-selinux-0.0.4/usbguard.te.policykit	2022-03-15 10:32:21.002852930 +0100
-+++ ./usbguard-selinux-0.0.4/usbguard.te	2022-03-15 10:36:47.844040559 +0100
-@@ -99,9 +99,17 @@ logging_log_filetrans(usbguard_t, usbgua
- 
- logging_send_syslog_msg(usbguard_t)
- 
-dbus_system_domain(usbguard_t, usbguard_exec_t)
- usbguard_ipc_access(usbguard_t)
- 
-+optional_policy(`
-+	dbus_system_domain(usbguard_t, usbguard_exec_t)
-+
-+	optional_policy(`
-+		policykit_dbus_chat(usbguard_t)
-+	')
-+')
-+
-+
- tunable_policy(`usbguard_daemon_write_rules',`
- 	rw_files_pattern(usbguard_t, usbguard_rules_t, usbguard_rules_t)
- ')
--- a/5
+++ b/5
@ -1,2 +1,3 @@
-SHA512 (usbguard-1.1.2.tar.gz) = 03b6dd026a0fe6a7a055208f09a56e2cc86985570388e33fde08671b8aa2d60ea4a0e59505e9646ddf50f42f5b6310d1b230379f9c26ec99c7ca736f3b4ad850
-SHA512 (usbguard-selinux-0.0.4.tar.gz) = b73b14396e40f847704511097bfed17c94b9b28cc70f3391a6effab763a315fe723aba37bb4c622d18ab691306c485fcd7632ccc8a837413f32c73cd9879c8b0
+SHA512 (usbguard-notifier-0.1.1.tar.gz) = 5540739301f4f4c83f7443b740cf7345be7928f3ed697878094dee1752eac7dedfab9eb652856bfa555be9bfa24687c4b74194afa022973848af13328f0ca1ba
+SHA512 (usbguard-1.1.3.tar.gz) = 530bfea12ec8497c30d530c73f868207aad8b0e0e917cb7c7506f6148681a6a4ff12de5cddcfea458eb2b91ce8bb8b0e68d42e2590a4dc6b15f43c18f8256cf1
+SHA512 (usbguard-selinux-0.0.5.tar.gz) = 72b12e6a44dddfd863909f82e288170f935c4e941cb65678cd544fd0fa33ecce0a794c4b620dea9f496a45f2035d3b3b6dde662319db200eaff38e26999c4496
--- a/usbguard-gcc13.patch
+++ b/usbguard-gcc13.patch
@ -1,12 +0,0 @@
-diff --git a/src/Library/Base64.hpp b/src/Library/Base64.hpp
-index 0947f21..aa76311 100644
--- a/src/Library/Base64.hpp
-+++ b/src/Library/Base64.hpp
-@@ -24,6 +24,7 @@
- 
- #include <string>
- #include <cstddef>
-+#include <cstdint>
- 
- namespace usbguard
- {
--- a/usbguard-selinux-audit-write.patch
+++ b/usbguard-selinux-audit-write.patch
@ -1,12 +0,0 @@
-diff -up usbguard-1.1.0/usbguard-selinux-0.0.4/usbguard.te.orig usbguard-1.1.0/usbguard-selinux-0.0.4/usbguard.te
--- usbguard-1.1.0/usbguard-selinux-0.0.4/usbguard.te.orig	2023-07-27 10:41:25.540984667 +0200
-+++ usbguard-1.1.0/usbguard-selinux-0.0.4/usbguard.te	2023-07-27 10:41:59.970006413 +0200
-@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t)
- # Local policy
- #
- 
-allow usbguard_t self:capability { chown fowner };
-+allow usbguard_t self:capability { chown fowner audit_write };
- allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read };
- allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
- 
--- a/usbguard.spec
+++ b/usbguard.spec
@ -1,9 +1,11 @@
+%global _hardened_build 1
 %global selinuxtype targeted
 %global moduletype contrib
-%define semodule_version 0.0.4
+%define semodule_version 0.0.5
+%define notifier_version 0.1.1

 Name:           usbguard
-Version:        1.1.2
+Version:        1.1.3
 Release:        2%{?dist}
 Summary:        A tool for implementing USB device usage policy
 License:        GPL-2.0-or-later
@ -11,8 +13,10 @@ License:        GPL-2.0-or-later
 # src/ThirdParty/Catch: Boost Software License - Version 1.0
 URL:            https://usbguard.github.io/
 Source0:        https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
-Source1:        https://github.com/USBGuard/usbguard/releases/download/%{name}-selinux-%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
-Source2:        usbguard-daemon.conf
+Source1:        https://github.com/USBGuard/usbguard-selinux/archive/refs/tags/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
+Source2:        https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz
+Source3:        usbguard-daemon.conf
+

 Requires: systemd
 Requires(post): systemd
@ -21,14 +25,14 @@ Requires(postun): systemd
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig

-Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+Recommends: (%{name}-selinux if selinux-policy-%{selinuxtype})
 Obsoletes: %{name}-applet-qt < 0.7.6

 BuildRequires: make
 BuildRequires: gcc
 BuildRequires: gcc-c++
 BuildRequires: libqb-devel
-BuildRequires: libgcrypt-devel
+BuildRequires: openssl-devel
 BuildRequires: libstdc++-devel
 BuildRequires: protobuf-devel protobuf-compiler
 BuildRequires: PEGTL-static
@ -41,10 +45,6 @@ BuildRequires: audit-libs-devel
 BuildRequires: systemd

 Patch1: usbguard-revert-catch.patch
-Patch2: policykit-dbus-chat-selinux.patch
-# https://github.com/USBGuard/usbguard/pull/582
-Patch3: usbguard-gcc13.patch
-Patch4: usbguard-selinux-audit-write.patch

 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@ -99,22 +99,38 @@ BuildArch: noarch
 The %{name}-selinux package contains selinux policy for the USBGuard
 daemon.

-# usbguard
+%package        notifier
+Summary:        A tool for detecting usbguard policy and device presence changes
+Group:          Applications/System
+Requires:       %{name} = %{version}-%{release}
+Requires:       systemd
+BuildRequires:  librsvg2-devel
+BuildRequires:  libnotify-devel
+BuildRequires:  execstack
+
+%description    notifier
+The %{name}-notifier package detects usbguard policy modifications as well as
+device presence changes and displays them as pop-up notifications.
+
 %prep
+
+# usbguard
 %setup -q

 # selinux
 %setup -q -D -T -a 1

+# notifier
+%setup -q -D -T -a 2
+
 %patch -P 1 -p1 -b .catch
-%patch -P 2 -p1 -b .policykit
-%patch -P 3 -p1 -b .gcc13
-%patch -P 4 -p1

 # Remove bundled library sources before build
 rm -rf src/ThirdParty/{Catch,PEGTL}

 %build
+
+# usbguard
 mkdir -p ./m4
 autoreconf -i -v --no-recursive ./
 %configure \
@ -124,7 +140,7 @@ autoreconf -i -v --no-recursive ./
    --enable-systemd \
    --with-dbus \
    --with-polkit \
-    --with-crypto-library=gcrypt
+    --with-crypto-library=openssl

 make %{?_smp_mflags}

@ -133,6 +149,22 @@ pushd %{name}-selinux-%{semodule_version}
 make
 popd

+# notifier
+pushd %{name}-notifier-%{notifier_version}
+mkdir -p ./m4
+autoreconf -i -v --no-recursive ./
+export CXXFLAGS="$RPM_OPT_FLAGS"
+%configure \
+    --disable-silent-rules \
+    --without-bundled-catch \
+    --enable-debug-build \
+    --disable-notifier-cli \
+    --with-usbguard-devel="../"
+
+%set_build_flags
+make %{?_smp_mflags}
+popd
+
 %check
 make check

@ -147,7 +179,7 @@ make install INSTALL='install -p' DESTDIR=%{buildroot}
 mkdir -p %{buildroot}%{_sysconfdir}/usbguard
 mkdir -p %{buildroot}%{_sysconfdir}/usbguard/rules.d
 mkdir -p %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d
-install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
+install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf

 # selinux
 install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
@ -155,6 +187,12 @@ install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%
 install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
 install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if

+# notifier
+pushd %{name}-notifier-%{notifier_version}
+make install INSTALL='install -p' DESTDIR=%{buildroot}
+execstack -c %{buildroot}%{_bindir}/%{name}-notifier
+popd
+
 # Cleanup
 find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'

@ -230,8 +268,32 @@ fi
 %posttrans selinux
 %selinux_relabel_post -s %{selinuxtype}

+%files notifier
+%defattr(-,root,root,-)
+%doc %{name}-notifier-%{notifier_version}/README.md %{name}-notifier-%{notifier_version}/CHANGELOG.md
+%license %{name}-notifier-%{notifier_version}/LICENSE
+%{_bindir}/%{name}-notifier
+%{_mandir}/man1/%{name}-notifier.1.gz
+%{_userunitdir}/%{name}-notifier.service
+
+%post notifier
+%systemd_user_post \--preset-mode=disable-only %{name}-notifier.service
+
+%preun notifier
+%systemd_user_preun %{name}-notifier.service
+
+%postun notifier
+%systemd_user_postun_with_restart %{name}-notifier.service
+

 %changelog
+* Fri Jun 07 2024 Attila Lakatos <alakatos@redhat.com> - 1.1.3-2
+- Rebase to 1.1.3
+- Update usbguard-selinux subpackage
+- Include usbguard-notifier subpackage
+Resolves: RHEL-37322
+- Disable logging to console
+
 * Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild