import usbguard-0.7.8-5.el8

CentOS Sources 2020-07-28 09:00:44 -04:00 committed by Stepan Oksanichenko
parent 5836a477b6
commit dd79c49c5e
11 changed files with 344 additions and 321 deletions

4
.gitignore vendored

@ -1 +1,3 @@
SOURCES/usbguard-0.7.4.tar.gz
SOURCES/usbguard-0.7.8.tar.gz
SOURCES/usbguard-notifier-0.0.6.tar.gz
SOURCES/usbguard-selinux-0.0.3.tar.gz


@ -1 +1,3 @@
803815ec31700468bb935ca9c18bd277bcc22237 SOURCES/usbguard-0.7.4.tar.gz
d8bbd3e9f4f0deb1418f71422e7fab3d14053412 SOURCES/usbguard-0.7.8.tar.gz
7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz


@ -1,242 +0,0 @@
diff --git a/doc/man/usbguard-rules.conf.5.adoc b/doc/man/usbguard-rules.conf.5.adoc
index 44f399c..c0f86f8 100644
--- a/doc/man/usbguard-rules.conf.5.adoc
+++ b/doc/man/usbguard-rules.conf.5.adoc
@@ -93,6 +93,9 @@ where the optional 'operator' is one of:
*equals-ordered*::
The device attribute set must contain exactly the same set of values in the same order for the rule to match.
+*match-all*::
+ The device attribute set must be a subset of the specified values for the rule to match.
+
If the operator is not specified it is set to *equals*.
[.underline]#List of attributes:#
diff --git a/src/Library/RuleParser/Grammar.hpp b/src/Library/RuleParser/Grammar.hpp
index 4d785c0..764380e 100644
--- a/src/Library/RuleParser/Grammar.hpp
+++ b/src/Library/RuleParser/Grammar.hpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Marek Tamaskovic <mtamasko@redhat.com>
//
#pragma once
#ifdef HAVE_BUILD_CONFIG_H
@@ -53,12 +54,13 @@ namespace usbguard
struct str_none_of : TAOCPP_PEGTL_STRING("none-of") {};
struct str_equals : TAOCPP_PEGTL_STRING("equals") {};
struct str_equals_ordered : TAOCPP_PEGTL_STRING("equals-ordered") {};
+ struct str_match_all: TAOCPP_PEGTL_STRING("match-all") {};
/*
* Generic rule attribute
*/
struct multiset_operator
- : sor<str_all_of, str_one_of, str_none_of, str_equals_ordered, str_equals> {};
+ : sor<str_all_of, str_one_of, str_none_of, str_equals_ordered, str_equals, str_match_all> {};
template<class attribute_value_rule>
struct attribute_value_multiset
diff --git a/src/Library/RulePrivate.cpp b/src/Library/RulePrivate.cpp
index 73140fa..6ceb12d 100644
--- a/src/Library/RulePrivate.cpp
+++ b/src/Library/RulePrivate.cpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Marek Tamaskovic <mtamasko@redhat.com>
//
#ifdef HAVE_BUILD_CONFIG_H
#include <build-config.h>
@@ -177,6 +178,7 @@ namespace usbguard
case Rule::SetOperator::AllOf:
case Rule::SetOperator::Equals:
case Rule::SetOperator::EqualsOrdered:
+ case Rule::SetOperator::MatchAll:
meets_conditions = \
(conditionsState() == ((((uint64_t)1) << _conditions.count()) - 1));
break;
diff --git a/src/Library/public/usbguard/Predicates.hpp b/src/Library/public/usbguard/Predicates.hpp
index 412517e..95ede3a 100644
--- a/src/Library/public/usbguard/Predicates.hpp
+++ b/src/Library/public/usbguard/Predicates.hpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Marek Tamaskovic <mtamasko@redhat.com>
//
#pragma once
@@ -35,6 +36,15 @@ namespace usbguard
USBGUARD_LOG(Trace) << "generic isSubsetOf";
return source == target;
}
+
+ template<typename T>
+ bool isSupersetOf(const T& source, const T& target)
+ {
+ USBGUARD_LOG(Error) << "Not implemented";
+ (void) source;
+ (void) target;
+ return true;
+ }
}
} /* namespace usbguard */
diff --git a/src/Library/public/usbguard/Rule.cpp b/src/Library/public/usbguard/Rule.cpp
index f7bb35a..fa97578 100644
--- a/src/Library/public/usbguard/Rule.cpp
+++ b/src/Library/public/usbguard/Rule.cpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Marek Tamaskovic <mtamasko@redhat.com>
//
#ifdef HAVE_BUILD_CONFIG_H
#include <build-config.h>
@@ -325,7 +326,8 @@ namespace usbguard
{ "none-of", Rule::SetOperator::NoneOf },
{ "equals", Rule::SetOperator::Equals },
{ "equals-ordered", Rule::SetOperator::EqualsOrdered },
- { "match", Rule::SetOperator::Match }
+ { "match", Rule::SetOperator::Match },
+ { "match-all", Rule::SetOperator::MatchAll}
};
const std::string Rule::setOperatorToString(const Rule::SetOperator& op)
diff --git a/src/Library/public/usbguard/Rule.hpp b/src/Library/public/usbguard/Rule.hpp
index 0ebfdaf..67a67f0 100644
--- a/src/Library/public/usbguard/Rule.hpp
+++ b/src/Library/public/usbguard/Rule.hpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Marek Tamaskovic <mtamasko@redhat.com>
//
#pragma once
@@ -77,7 +78,8 @@ namespace usbguard
NoneOf,
Equals,
EqualsOrdered,
- Match /* Special operator: matches anything, cannot be used directly in a rule */
+ Match, /* Special operator: matches anything, cannot be used directly in a rule */
+ MatchAll
};
static const std::string setOperatorToString(const Rule::SetOperator& op);
@@ -237,6 +239,10 @@ namespace usbguard
applies = setSolveEqualsOrdered(_values, target._values);
break;
+ case SetOperator::MatchAll:
+ applies = setSolveMatchAll(_values, target._values);
+ break;
+
default:
throw USBGUARD_BUG("Invalid set operator value");
}
@@ -409,6 +415,26 @@ namespace usbguard
return false;
}
+ /*
+ * All of the items in target set must match an item in the source set
+ */
+ bool setSolveMatchAll(const std::vector<ValueType>& source_set, const std::vector<ValueType>& target_set) const
+ {
+ USBGUARD_LOG(Trace);
+ size_t match = 0;
+
+ for (auto const& target_item : target_set) {
+ for (auto const& source_item : source_set) {
+ if (Predicates::isSupersetOf(source_item, target_item)) {
+ match++;
+ break;
+ }
+ }
+ }
+
+ return match == target_set.size();
+ }
+
std::string _name;
SetOperator _set_operator;
std::vector<ValueType> _values;
diff --git a/src/Library/public/usbguard/USB.cpp b/src/Library/public/usbguard/USB.cpp
index 281d1c9..54e5fb8 100644
--- a/src/Library/public/usbguard/USB.cpp
+++ b/src/Library/public/usbguard/USB.cpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Marek Tamaskovic <mtamasko@redhat.com>
//
#ifdef HAVE_BUILD_CONFIG_H
#include <build-config.h>
@@ -125,6 +126,15 @@ namespace usbguard
return result;
}
+ template<>
+ bool Predicates::isSupersetOf(const USBDeviceID& source, const USBDeviceID& target)
+ {
+ USBGUARD_LOG(Trace) << "source=" << source.toString() << " target=" << target.toString();
+ const bool result = target.isSubsetOf(source);
+ USBGUARD_LOG(Trace) << "result=" << result;
+ return result;
+ }
+
USBInterfaceType::USBInterfaceType()
{
_bClass = 0;
@@ -234,6 +244,12 @@ namespace usbguard
return source.appliesTo(target);
}
+ template<>
+ bool Predicates::isSupersetOf(const USBInterfaceType& source, const USBInterfaceType& target)
+ {
+ return source.appliesTo(target);
+ }
+
const std::string USBInterfaceType::typeString() const
{
return USBInterfaceType::typeString(_bClass, _bSubClass, _bProtocol, _mask);
diff --git a/src/Library/public/usbguard/USB.hpp b/src/Library/public/usbguard/USB.hpp
index 914d74b..f538aac 100644
--- a/src/Library/public/usbguard/USB.hpp
+++ b/src/Library/public/usbguard/USB.hpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Marek Tamaskovic <mtamasko@redhat.com>
//
#pragma once
@@ -169,6 +170,8 @@ namespace usbguard
{
template<>
bool isSubsetOf(const USBDeviceID& source, const USBDeviceID& target);
+ template<>
+ bool isSupersetOf(const USBDeviceID& source, const USBDeviceID& target);
}
class DLL_PUBLIC USBInterfaceType
@@ -202,6 +205,8 @@ namespace usbguard
{
template<>
bool isSubsetOf(const USBInterfaceType& source, const USBInterfaceType& target);
+ template<>
+ bool isSupersetOf(const USBInterfaceType& source, const USBInterfaceType& target);
}
class USBDescriptorParser;


@ -1,17 +0,0 @@
diff -up usbguard-0.7.4/src/Daemon/Daemon.cpp.loadFilesError usbguard-0.7.4/src/Daemon/Daemon.cpp
--- usbguard-0.7.4/src/Daemon/Daemon.cpp.loadFilesError 2018-07-10 14:25:41.580361063 +0200
+++ usbguard-0.7.4/src/Daemon/Daemon.cpp 2018-07-31 10:19:21.529000000 +0200
@@ -365,7 +365,12 @@ namespace usbguard
,
[this](const std::string& basename, const std::string& fullpath) {
return loadIPCAccessControlFile(basename, fullpath);
- });
+ },
+ [](const std::pair<std::string, std::string>& a, const std::pair<std::string, std::string>& b)
+ {
+ return a.first < b.first;
+ },
+ /*directory_required=*/true);
}
void Daemon::checkIPCAccessControlName(const std::string& name)


@ -0,0 +1,88 @@
diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac
--- ./usbguard-notifier-0.0.6/configure.ac.notifier 2020-04-29 07:35:43.057914703 +0200
+++ ./usbguard-notifier-0.0.6/configure.ac 2020-06-17 16:27:53.577151720 +0200
@@ -44,6 +44,32 @@ AC_ARG_WITH(
[notificaiton_path="/tmp/usbguard-notifier"]
)
+# usbguard-devel
+# Add the path to where your usbguard-devel includes are
+# You might need this option when you want to package usbguard-notifier
+# together with usbguard at the same time
+AC_ARG_WITH(
+ [usbguard-devel],
+ AS_HELP_STRING([--with-usbguard-devel], [Select to compile notifier from source usbguard devel files(only top level directory)]),
+ [usbguard_CFLAGS="-I$withval/src/Library/public/"
+ usbguard_LIBS=""
+ usbguard_LA="$withval/libusbguard.la"
+ libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"
+ AC_SUBST([usbguard_CFLAGS])
+ AC_SUBST([usbguard_LIBS])
+ AC_SUBST([usbguard_LA])
+ custom_usbguard_devel_enabled=yes
+ ],
+ [
+ PKG_CHECK_MODULES(
+ [usbguard],
+ [libusbguard >= 0.7.2],
+ [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
+ [AC_MSG_FAILURE([libusbguard development files not found])]
+ )
+ ]
+)
+
# Build notifier-cli, default is yes
AC_ARG_ENABLE([notifier-cli],
[AC_HELP_STRING([--enable-notifier-cli], [enable notifier cli(default=yes)])],
@@ -81,14 +107,6 @@ PKG_CHECK_MODULES(
[AC_MSG_FAILURE([libnotify development files not found])]
)
-# usbguard
-PKG_CHECK_MODULES(
- [usbguard],
- [libusbguard >= 0.7.2],
- [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
- [AC_MSG_FAILURE([libusbguard development files not found])]
-)
-
# asciidoc
AC_CHECK_PROGS(A2X, [a2x])
if test -z "$A2X"; then
@@ -162,6 +180,7 @@ AC_SUBST(config_PATH, $prefix/.config)
AC_SUBST(NOTIFICATION_PATH, $notification_path)
AM_CONDITIONAL([NOTIFIER_CLI_ENABLED], [test "x$notifier_cli_enabled" = xyes ])
+AM_CONDITIONAL([CUSTOM_USBGUARD_DEVEL_ENABLED], [test "x$custom_usbguard_devel_enabled" = "xyes"])
AC_CONFIG_FILES([
Makefile
diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am
--- ./usbguard-notifier-0.0.6/Makefile.am.notifier 2020-04-29 07:18:21.024388188 +0200
+++ ./usbguard-notifier-0.0.6/Makefile.am 2020-06-17 16:27:53.592151848 +0200
@@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \
@usbguard_CFLAGS@ \
-fPIC
+if CUSTOM_USBGUARD_DEVEL_ENABLED
+usbguard_notifier_LDADD = \
+ @usbguard_LA@
+usbguard_notifier_cli_LDADD = \
+ @usbguard_LA@
+endif
+
BUILT_SOURCES = \
src/BuildConfig.h
diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1
--- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier 2020-06-17 19:55:54.621855004 +0200
+++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 2020-06-17 19:56:46.551297432 +0200
@@ -53,7 +53,7 @@ Show help\&.
.RE
.SH "SEE ALSO"
.sp
-usbguard\-notifier\-cli(1), usbguard(1)
+usbguard(1)
.SH "BUGS"
.sp
If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&.
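Review bot: The new `--with-usbguard-devel` branch in the configure.ac hunk uses `$withval` without checking it. A bare `--with-usbguard-devel` or `--without-usbguard-devel` makes autoconf set it to `yes` or `no`, which yields `-Iyes/src/Library/public/` and `yes/libusbguard.la` instead of an error or the pkg-config fallback. That branch also skips the `libusbguard >= 0.7.2` check, so the notifier links against whatever `libusbguard.la` sits in the given tree. A guard at the top of the action would make the misuse fail early: `AS_CASE([$withval], [yes|no], [AC_MSG_ERROR([--with-usbguard-devel requires a path])])`. A one-line comment saying the path must be a trusted, already-built usbguard tree would help packagers.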


@ -0,0 +1,34 @@
diff -up ./usbguard.service.in.forking ./usbguard.service.in
--- ./usbguard.service.in.forking 2020-06-17 20:07:04.720564149 +0200
+++ ./usbguard.service.in 2020-06-17 20:10:00.744063846 +0200
@@ -8,11 +8,12 @@ AmbientCapabilities=
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
DeviceAllow=/dev/null rw
DevicePolicy=strict
-ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
+PIDFile=/var/run/usbguard.pid
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
@@ -20,14 +21,14 @@ ProtectHome=yes
ProtectKernelModules=yes
ProtectSystem=yes
ReadOnlyPaths=-/
-ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
+ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -/var/run
Restart=on-failure
RestrictAddressFamilies=AF_UNIX AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
-Type=simple
+Type=forking
UMask=0077
[Install]
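Review bot: Adding `-/var/run` to `ReadWritePaths=` makes the whole runtime directory writable by the daemon so that it can drop one PID file, which loosens the `ReadOnlyPaths=-/` sandbox more than the `Type=forking` switch needs. A narrower form is a private runtime directory, `RuntimeDirectory=usbguard` with `PIDFile=/run/usbguard/usbguard.pid`, provided the daemon's PID-file location can be pointed there (where the daemon writes it is not visible in this patch). If the path has to stay, a comment in the unit explaining why `/var/run` is writable would keep a later hardening pass from silently breaking startup.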


@ -0,0 +1,12 @@
diff -up ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo ./usbguard-selinux-0.0.3/usbguard.te
--- ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo 2020-06-18 15:53:40.161615146 +0200
+++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-18 15:54:28.399982328 +0200
@@ -77,6 +77,8 @@ auth_read_passwd(usbguard_t)
dev_list_sysfs(usbguard_t)
dev_rw_sysfs(usbguard_t)
+kernel_read_system_state(usbguard_t)
+
list_dirs_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
dontaudit usbguard_t usbguard_conf_t:file write;
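Review bot: `kernel_read_system_state(usbguard_t)` is added with no comment, and as far as I know the interface grants read access to general system state under /proc rather than only the one file the patch suffix (`.cpuinfo`) names. Recording the reason next to the rule makes the grant auditable later, for example `# usbguard reads /proc/cpuinfo (rhbz#1847870)` on the line above it. If the policy in use offers a narrower interface for that file, it would be preferable; that cannot be judged from this hunk.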


@ -0,0 +1,11 @@
diff -up ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir ./usbguard-selinux-0.0.3/usbguard.te
--- ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir 2020-06-09 10:53:03.191977241 +0200
+++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-09 10:54:21.441965315 +0200
@@ -81,6 +81,7 @@ list_dirs_pattern(usbguard_t,usbguard_co
read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
dontaudit usbguard_t usbguard_conf_t:file write;
+list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)
read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)
manage_dirs_pattern(usbguard_t, usbguard_var_run_t, usbguard_var_run_t)


@ -0,0 +1,22 @@
From 008af22f238bfb97f6d337759732ac87bdef7b24 Mon Sep 17 00:00:00 2001
From: alakatos <alakatos@redhat.com>
Date: Mon, 25 May 2020 15:27:38 +0200
Subject: [PATCH] /etc/usrbuard/rules.d(/.*)? has usbguard_rules_t label right
after the installation
---
usbguard.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/usbguard.fc b/usbguard.fc
index bce3e8c..3e14720 100644
--- a/usbguard-selinux-0.0.3/usbguard.fc
+++ b/usbguard-selinux-0.0.3/usbguard.fc
@@ -13,6 +13,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+/etc/usbguard/rules\.d(/.*)? gen_context(system_u:object_r:usbguard_rules_t,s0)
/etc/usbguard/rules.conf -- gen_context(system_u:object_r:usbguard_rules_t,s0)
/etc/usbguard(/.*)? gen_context(system_u:object_r:usbguard_conf_t,s0)
/dev/shm/qb-usbguard-.* -- gen_context(system_u:object_r:usbguard_tmpfs_t,s0)


@ -0,0 +1,13 @@
diff -up ./usbguard.service.in.service-fips ./usbguard.service.in
--- ./usbguard.service.in.service-fips 2020-06-22 10:44:44.815860376 +0200
+++ ./usbguard.service.in 2020-06-22 10:45:07.699135514 +0200
@@ -6,8 +6,7 @@ Documentation=man:usbguard-daemon(8)
[Service]
AmbientCapabilities=
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
-DeviceAllow=/dev/null rw
-DevicePolicy=strict
+DevicePolicy=closed
ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
IPAddressDeny=any
LockPersonality=yes
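Review bot: Switching to `DevicePolicy=closed` and dropping `DeviceAllow=/dev/null rw` opens every standard pseudo device (`/dev/null`, `/dev/zero`, `/dev/full`, `/dev/random`, `/dev/urandom`), where the unit previously allowed only `/dev/null`. If the goal is only the random source mentioned in the package changelog, the least-privilege form keeps `DevicePolicy=strict` and adds `DeviceAllow=/dev/urandom r` beside the existing `/dev/null` line. The patch has no description, so a short header stating which device the FIPS code path opens would let a reviewer confirm the allow-list is complete.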


@ -1,13 +1,14 @@
%global _hardened_build 1
%define with_gui_qt5 0
%define with_dbus 1
%global selinuxtype targeted
%global moduletype contrib
%define semodule_version 0.0.3
%define notifier_version 0.0.6
%bcond_without check
Name: usbguard
Version: 0.7.4
Release: 4%{?dist}
Version: 0.7.8
Release: 5%{?dist}
Summary: A tool for implementing USB device usage policy
Group: System Environment/Daemons
License: GPLv2+
@ -15,7 +16,9 @@ License: GPLv2+
# src/ThirdParty/Catch: Boost Software License - Version 1.0
URL: https://usbguard.github.io/
Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
Source1: usbguard-daemon.conf
Source1: https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz
Source3: usbguard-daemon.conf
Requires: systemd
Requires(post): systemd
@ -23,7 +26,9 @@ Requires(preun): systemd
Requires(postun): systemd
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
Recommends: %{name}-selinux
BuildRequires: gcc-c++
BuildRequires: libqb-devel
BuildRequires: libgcrypt-devel
BuildRequires: libstdc++-devel
@ -37,21 +42,19 @@ BuildRequires: audit-libs-devel
# For `pkg-config systemd` only
BuildRequires: systemd
%if 0%{with_gui_qt5}
BuildRequires: qt5-qtbase-devel qt5-qtsvg-devel qt5-linguist
%endif
%if 0%{with_dbus}
BuildRequires: dbus-glib-devel
BuildRequires: dbus-devel
BuildRequires: glib2-devel
BuildRequires: polkit-devel
BuildRequires: libxslt
BuildRequires: libxml2
%endif
Patch0: usbguard-0.7.4-loadFilesError.patch
Patch1: match-all.patch
Patch1: usbguard-0.7.6-notifier.patch
Patch2: usbguard-selinux-rules-d.patch
Patch3: usbguard-selinux-list-dir.patch
Patch4: usbguard-forking-style.patch
Patch5: usbguard-selinux-cpuinfo.patch
Patch6: usbguard-service-fips.patch
%description
The USBGuard software framework helps to protect your computer against rogue USB
@ -78,22 +81,6 @@ Requires: %{name} = %{version}-%{release}
The %{name}-tools package contains optional tools from the USBGuard
software framework.
%if 0%{with_gui_qt5}
###
%package applet-qt
Summary: USBGuard Qt 5.x Applet
Group: Applications/System
Requires: %{name} = %{version}-%{release}
Obsoletes: usbguard-applet-qt <= 0.3
%description applet-qt
The %{name}-applet-qt package contains an optional Qt 5.x desktop applet
for interacting with the USBGuard daemon component.
###
%endif
%if 0%{with_dbus}
###
%package dbus
Summary: USBGuard D-Bus Service
Group: Applications/System
@ -104,17 +91,53 @@ Requires: polkit
%description dbus
The %{name}-dbus package contains an optional component that provides
a D-Bus interface to the USBGuard daemon component.
###
%endif
%package selinux
Summary: USBGuard selinux
Group: Applications/System
Requires: %{name} = %{version}-%{release}
BuildRequires: selinux-policy
BuildRequires: selinux-policy-devel
BuildArch: noarch
%{?selinux_requires}
%description selinux
The %{name}-selinux package contains selinux policy for the USBGuard
daemon.
%package notifier
Summary: A tool for detecting usbguard policy and device presence changes
Group: Applications/System
Requires: %{name} = %{version}-%{release}
Requires: systemd
BuildRequires: librsvg2-devel
BuildRequires: libnotify-devel
BuildRequires: execstack
%description notifier
The %{name}-notifier package detects usbguard policy modifications as well as
device presence changes and displays them as pop-up notifications.
# usbguard
%prep
%setup -q
%patch0 -p1 -b .loadFilesError
%patch1 -p1 -b .matchallkeyword
# selinux
%setup -q -D -T -a 1
# notifier
%setup -q -D -T -a 2
# Remove bundled library sources before build
rm -rf src/ThirdParty/{Catch,PEGTL}
%patch1 -p1 -b .notifier
%patch2 -p1 -b .rules-d-selinux
%patch3 -p1 -b .list-dir
%patch4 -p1 -b .forking
%patch5 -p1 -b .cpuinfo
%patch6 -p1 -b .service-fips
%build
mkdir -p ./m4
autoreconf -i -v --no-recursive ./
@ -123,32 +146,62 @@ autoreconf -i -v --no-recursive ./
--without-bundled-catch \
--without-bundled-pegtl \
--enable-systemd \
%if 0%{with_gui_qt5}
--with-gui-qt=qt5 \
%endif
%if 0%{with_dbus}
--with-dbus \
--with-polkit \
%else
--without-dbus \
--without-polkit \
%endif
--with-crypto-library=gcrypt
make %{?_smp_mflags}
# selinux
pushd %{name}-selinux-%{semodule_version}
make
popd
# notifier
pushd %{name}-notifier-%{notifier_version}
mkdir -p ./m4
autoreconf -i -v --no-recursive ./
export CXXFLAGS="$RPM_OPT_FLAGS"
%configure \
--disable-silent-rules \
--without-bundled-catch \
--enable-debug-build \
--disable-notifier-cli \
--with-usbguard-devel="../"
%set_build_flags
make %{?_smp_mflags}
popd
%if %{with check}
%check
make check
%endif
# selinux
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%install
make install INSTALL='install -p' DESTDIR=%{buildroot}
# Overwrite configuration with distribution defaults
mkdir -p %{buildroot}%{_sysconfdir}/usbguard
mkdir -p %{buildroot}%{_sysconfdir}/usbguard/rules.d
mkdir -p %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d
install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
# selinux
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
# notifier
pushd %{name}-notifier-%{notifier_version}
make install INSTALL='install -p' DESTDIR=%{buildroot}
execstack -c %{buildroot}%{_bindir}/%{name}-notifier
popd
# Cleanup
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
@ -173,6 +226,7 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%{_bindir}/usbguard
%dir %{_localstatedir}/log/usbguard
%dir %{_sysconfdir}/usbguard
%dir %{_sysconfdir}/usbguard/rules.d/
%dir %{_sysconfdir}/usbguard/IPCAccessControl.d
%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf
%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf
@ -193,25 +247,13 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%defattr(-,root,root,-)
%{_bindir}/usbguard-rule-parser
%if 0%{with_gui_qt5}
###
%files applet-qt
%defattr(-,root,root,-)
%{_bindir}/usbguard-applet-qt
%{_mandir}/man1/usbguard-applet-qt.1.gz
%{_datadir}/applications/usbguard-applet-qt.desktop
%{_datadir}/icons/hicolor/scalable/apps/usbguard-icon.svg
###
%endif
%if 0%{with_dbus}
###
%files dbus
%defattr(-,root,root,-)
%{_sbindir}/usbguard-dbus
%{_datadir}/dbus-1/system-services/org.usbguard.service
%{_datadir}/dbus-1/system.d/org.usbguard.conf
%{_datadir}/polkit-1/actions/org.usbguard.policy
%{_datadir}/dbus-1/system-services/org.usbguard1.service
%{_datadir}/dbus-1/system.d/org.usbguard1.conf
%{_datadir}/polkit-1/actions/org.usbguard1.policy
%{_unitdir}/usbguard-dbus.service
%{_mandir}/man8/usbguard-dbus.8.gz
@ -223,10 +265,66 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%postun dbus
%systemd_postun_with_restart usbguard-dbus.service
###
%endif
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{name}
fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
%files notifier
%defattr(-,root,root,-)
%doc %{name}-notifier-%{notifier_version}/README.md %{name}-notifier-%{notifier_version}/CHANGELOG.md
%license %{name}-notifier-%{notifier_version}/LICENSE
%{_bindir}/%{name}-notifier
%{_mandir}/man1/%{name}-notifier.1.gz
%{_userunitdir}/%{name}-notifier.service
%post notifier
%systemd_user_post %{name}-notifier.service
%preun notifier
%systemd_user_preun %{name}-notifier.service
%postun notifier
%systemd_user_postun_with_restart %{name}-notifier.service
%changelog
* Wed Jun 17 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-5
- RHEL 8.3.0 ERRATUM
- Use old-fasioned forking style in unit file
Resolves: rhbz#1846885
- Allow usbguard to read /proc/cpuinfo
Resolves: rhbz#1847870
- Removed notifier's Requires for usbguard-devel
Resolves: rhbz#1667395
- Allow usbguard to read /dev/urandom
Resolves: rhbz#1848618
* Wed May 06 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-4
- RHEL 8.3.0 ERRATUM
- Spec file clean up
- Rebase to 0.7.8
Resolves: rhbz#1738590
- Added selinux subpackage
Resolves: rhbz#1683567
- Added notifier subpackage
- Installing /etc/usbguard/rules.d/
Resolves: rhbz#1667395
- Fixed sigwaitinfo handling
Resolves: rhbz#1835210
* Mon Nov 25 2019 Marek Tamaskovic <mtamasko@redhat.com> - 0.7.4-4
- add match-all keyword
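Review bot: `execstack -c %{buildroot}%{_bindir}/%{name}-notifier` in %install clears the executable-stack marker after the fact instead of fixing whatever object sets it, so the hardening depends on a post-processing step and on `BuildRequires: execstack` rather than on the link itself. If the marker comes from the notifier's own build, passing `-Wl,-z,noexecstack` through LDFLAGS for the notifier `%configure` call would address it at link time; the cause is not visible on this page, so a comment above the `execstack` line naming it would help. The same `%configure` call passes `--enable-debug-build` for a shipped subpackage. It also has `export CXXFLAGS="$RPM_OPT_FLAGS"` before `%configure` and `%set_build_flags` after it, so it is worth confirming that the flags implied by `%global _hardened_build 1` actually reach the notifier compile.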