From dd79c49c5ee403f53d489f89024eddc45b966717 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 28 Jul 2020 09:00:44 -0400
Subject: [PATCH] import usbguard-0.7.8-5.el8

---
 .gitignore | 4 +-
 .usbguard.metadata | 4 +-
 SOURCES/match-all.patch | 242 --------------------
 SOURCES/usbguard-0.7.4-loadFilesError.patch | 17 --
 SOURCES/usbguard-0.7.6-notifier.patch | 88 +++++++
 SOURCES/usbguard-forking-style.patch | 34 +++
 SOURCES/usbguard-selinux-cpuinfo.patch | 12 +
 SOURCES/usbguard-selinux-list-dir.patch | 11 +
 SOURCES/usbguard-selinux-rules-d.patch | 22 ++
 SOURCES/usbguard-service-fips.patch | 13 ++
 SPECS/usbguard.spec | 218 +++++++++++++-----
 11 files changed, 344 insertions(+), 321 deletions(-)
 delete mode 100644 SOURCES/match-all.patch
 delete mode 100644 SOURCES/usbguard-0.7.4-loadFilesError.patch
 create mode 100644 SOURCES/usbguard-0.7.6-notifier.patch
 create mode 100644 SOURCES/usbguard-forking-style.patch
 create mode 100644 SOURCES/usbguard-selinux-cpuinfo.patch
 create mode 100644 SOURCES/usbguard-selinux-list-dir.patch
 create mode 100644 SOURCES/usbguard-selinux-rules-d.patch
 create mode 100644 SOURCES/usbguard-service-fips.patch

diff --git a/.gitignore b/.gitignore
index 4ebdfb6..4626c85 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
-SOURCES/usbguard-0.7.4.tar.gz
+SOURCES/usbguard-0.7.8.tar.gz
+SOURCES/usbguard-notifier-0.0.6.tar.gz
+SOURCES/usbguard-selinux-0.0.3.tar.gz
diff --git a/.usbguard.metadata b/.usbguard.metadata
index 5e1f2a7..8582250 100644
--- a/.usbguard.metadata
+++ b/.usbguard.metadata
@@ -1 +1,3 @@
-803815ec31700468bb935ca9c18bd277bcc22237 SOURCES/usbguard-0.7.4.tar.gz
+d8bbd3e9f4f0deb1418f71422e7fab3d14053412 SOURCES/usbguard-0.7.8.tar.gz
+7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
+e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz
diff --git a/SOURCES/match-all.patch b/SOURCES/match-all.patch
deleted file mode 100644
index f2c9c28..0000000
--- a/SOURCES/match-all.patch +++ /dev/null 
@@ -1,242 +0,0 @@ -diff --git a/doc/man/usbguard-rules.conf.5.adoc b/doc/man/usbguard-rules.conf.5.adoc -index 44f399c..c0f86f8 100644 ---- a/doc/man/usbguard-rules.conf.5.adoc -+++ b/doc/man/usbguard-rules.conf.5.adoc -@@ -93,6 +93,9 @@ where the optional 'operator' is one of: - *equals-ordered*:: - The device attribute set must contain exactly the same set of values in the same order for the rule to match. - -+*match-all*:: -+ The device attribute set must be a subset of the specified values for the rule to match. -+ - If the operator is not specified it is set to *equals*. - - [.underline]#List of attributes:# -diff --git a/src/Library/RuleParser/Grammar.hpp b/src/Library/RuleParser/Grammar.hpp -index 4d785c0..764380e 100644 ---- a/src/Library/RuleParser/Grammar.hpp -+++ b/src/Library/RuleParser/Grammar.hpp -@@ -15,6 +15,7 @@ - // along with this program. If not, see . - // - // Authors: Daniel Kopecek -+// Marek Tamaskovic - // - #pragma once - #ifdef HAVE_BUILD_CONFIG_H -@@ -53,12 +54,13 @@ namespace usbguard - struct str_none_of : TAOCPP_PEGTL_STRING("none-of") {}; - struct str_equals : TAOCPP_PEGTL_STRING("equals") {}; - struct str_equals_ordered : TAOCPP_PEGTL_STRING("equals-ordered") {}; -+ struct str_match_all: TAOCPP_PEGTL_STRING("match-all") {}; - - /* - * Generic rule attribute - */ - struct multiset_operator -- : sor {}; -+ : sor {}; - - template - struct attribute_value_multiset -diff --git a/src/Library/RulePrivate.cpp b/src/Library/RulePrivate.cpp -index 73140fa..6ceb12d 100644 ---- a/src/Library/RulePrivate.cpp -+++ b/src/Library/RulePrivate.cpp -@@ -15,6 +15,7 @@ - // along with this program. If not, see . 
- // - // Authors: Daniel Kopecek -+// Marek Tamaskovic - // - #ifdef HAVE_BUILD_CONFIG_H - #include -@@ -177,6 +178,7 @@ namespace usbguard - case Rule::SetOperator::AllOf: - case Rule::SetOperator::Equals: - case Rule::SetOperator::EqualsOrdered: -+ case Rule::SetOperator::MatchAll: - meets_conditions = \ - (conditionsState() == ((((uint64_t)1) << _conditions.count()) - 1)); - break; -diff --git a/src/Library/public/usbguard/Predicates.hpp b/src/Library/public/usbguard/Predicates.hpp -index 412517e..95ede3a 100644 ---- a/src/Library/public/usbguard/Predicates.hpp -+++ b/src/Library/public/usbguard/Predicates.hpp -@@ -15,6 +15,7 @@ - // along with this program. If not, see . - // - // Authors: Daniel Kopecek -+// Marek Tamaskovic - // - #pragma once - -@@ -35,6 +36,15 @@ namespace usbguard - USBGUARD_LOG(Trace) << "generic isSubsetOf"; - return source == target; - } -+ -+ template -+ bool isSupersetOf(const T& source, const T& target) -+ { -+ USBGUARD_LOG(Error) << "Not implemented"; -+ (void) source; -+ (void) target; -+ return true; -+ } - } - } /* namespace usbguard */ - -diff --git a/src/Library/public/usbguard/Rule.cpp b/src/Library/public/usbguard/Rule.cpp -index f7bb35a..fa97578 100644 ---- a/src/Library/public/usbguard/Rule.cpp -+++ b/src/Library/public/usbguard/Rule.cpp -@@ -15,6 +15,7 @@ - // along with this program. If not, see . 
- // - // Authors: Daniel Kopecek -+// Marek Tamaskovic - // - #ifdef HAVE_BUILD_CONFIG_H - #include -@@ -325,7 +326,8 @@ namespace usbguard - { "none-of", Rule::SetOperator::NoneOf }, - { "equals", Rule::SetOperator::Equals }, - { "equals-ordered", Rule::SetOperator::EqualsOrdered }, -- { "match", Rule::SetOperator::Match } -+ { "match", Rule::SetOperator::Match }, -+ { "match-all", Rule::SetOperator::MatchAll} - }; - - const std::string Rule::setOperatorToString(const Rule::SetOperator& op) -diff --git a/src/Library/public/usbguard/Rule.hpp b/src/Library/public/usbguard/Rule.hpp -index 0ebfdaf..67a67f0 100644 ---- a/src/Library/public/usbguard/Rule.hpp -+++ b/src/Library/public/usbguard/Rule.hpp -@@ -15,6 +15,7 @@ - // along with this program. If not, see . - // - // Authors: Daniel Kopecek -+// Marek Tamaskovic - // - #pragma once - -@@ -77,7 +78,8 @@ namespace usbguard - NoneOf, - Equals, - EqualsOrdered, -- Match /* Special operator: matches anything, cannot be used directly in a rule */ -+ Match, /* Special operator: matches anything, cannot be used directly in a rule */ -+ MatchAll - }; - - static const std::string setOperatorToString(const Rule::SetOperator& op); -@@ -237,6 +239,10 @@ namespace usbguard - applies = setSolveEqualsOrdered(_values, target._values); - break; - -+ case SetOperator::MatchAll: -+ applies = setSolveMatchAll(_values, target._values); -+ break; -+ - default: - throw USBGUARD_BUG("Invalid set operator value"); - } -@@ -409,6 +415,26 @@ namespace usbguard - return false; - } - -+ /* -+ * All of the items in target set must match an item in the source set -+ */ -+ bool setSolveMatchAll(const std::vector& source_set, const std::vector& target_set) const -+ { -+ USBGUARD_LOG(Trace); -+ size_t match = 0; -+ -+ for (auto const& target_item : target_set) { -+ for (auto const& source_item : source_set) { -+ if (Predicates::isSupersetOf(source_item, target_item)) { -+ match++; -+ break; -+ } -+ } -+ } -+ -+ return match == target_set.size(); 
-+ } -+ - std::string _name; - SetOperator _set_operator; - std::vector _values; -diff --git a/src/Library/public/usbguard/USB.cpp b/src/Library/public/usbguard/USB.cpp -index 281d1c9..54e5fb8 100644 ---- a/src/Library/public/usbguard/USB.cpp -+++ b/src/Library/public/usbguard/USB.cpp -@@ -15,6 +15,7 @@ - // along with this program. If not, see . - // - // Authors: Daniel Kopecek -+// Marek Tamaskovic - // - #ifdef HAVE_BUILD_CONFIG_H - #include -@@ -125,6 +126,15 @@ namespace usbguard - return result; - } - -+ template<> -+ bool Predicates::isSupersetOf(const USBDeviceID& source, const USBDeviceID& target) -+ { -+ USBGUARD_LOG(Trace) << "source=" << source.toString() << " target=" << target.toString(); -+ const bool result = target.isSubsetOf(source); -+ USBGUARD_LOG(Trace) << "result=" << result; -+ return result; -+ } -+ - USBInterfaceType::USBInterfaceType() - { - _bClass = 0; -@@ -234,6 +244,12 @@ namespace usbguard - return source.appliesTo(target); - } - -+ template<> -+ bool Predicates::isSupersetOf(const USBInterfaceType& source, const USBInterfaceType& target) -+ { -+ return source.appliesTo(target); -+ } -+ - const std::string USBInterfaceType::typeString() const - { - return USBInterfaceType::typeString(_bClass, _bSubClass, _bProtocol, _mask); -diff --git a/src/Library/public/usbguard/USB.hpp b/src/Library/public/usbguard/USB.hpp -index 914d74b..f538aac 100644 ---- a/src/Library/public/usbguard/USB.hpp -+++ b/src/Library/public/usbguard/USB.hpp -@@ -15,6 +15,7 @@ - // along with this program. If not, see . 
- // - // Authors: Daniel Kopecek -+// Marek Tamaskovic - // - #pragma once - -@@ -169,6 +170,8 @@ namespace usbguard - { - template<> - bool isSubsetOf(const USBDeviceID& source, const USBDeviceID& target); -+ template<> -+ bool isSupersetOf(const USBDeviceID& source, const USBDeviceID& target); - } - - class DLL_PUBLIC USBInterfaceType -@@ -202,6 +205,8 @@ namespace usbguard - { - template<> - bool isSubsetOf(const USBInterfaceType& source, const USBInterfaceType& target); -+ template<> -+ bool isSupersetOf(const USBInterfaceType& source, const USBInterfaceType& target); - } - - class USBDescriptorParser; diff --git a/SOURCES/usbguard-0.7.4-loadFilesError.patch b/SOURCES/usbguard-0.7.4-loadFilesError.patch deleted file mode 100644 index 5a6a6d5..0000000 --- a/SOURCES/usbguard-0.7.4-loadFilesError.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff -up usbguard-0.7.4/src/Daemon/Daemon.cpp.loadFilesError usbguard-0.7.4/src/Daemon/Daemon.cpp ---- usbguard-0.7.4/src/Daemon/Daemon.cpp.loadFilesError 2018-07-10 14:25:41.580361063 +0200 -+++ usbguard-0.7.4/src/Daemon/Daemon.cpp 2018-07-31 10:19:21.529000000 +0200 -@@ -365,7 +365,12 @@ namespace usbguard - , - [this](const std::string& basename, const std::string& fullpath) { - return loadIPCAccessControlFile(basename, fullpath); -- }); -+ }, -+ [](const std::pair& a, const std::pair& b) -+ { -+ return a.first < b.first; -+ }, -+ /*directory_required=*/true); - } - - void Daemon::checkIPCAccessControlName(const std::string& name) diff --git a/SOURCES/usbguard-0.7.6-notifier.patch b/SOURCES/usbguard-0.7.6-notifier.patch new file mode 100644 index 0000000..9d21147 --- /dev/null +++ b/SOURCES/usbguard-0.7.6-notifier.patch 
@@ -0,0 +1,88 @@
+diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac
+--- ./usbguard-notifier-0.0.6/configure.ac.notifier 2020-04-29 07:35:43.057914703 +0200
++++ ./usbguard-notifier-0.0.6/configure.ac 2020-06-17 16:27:53.577151720 +0200
+@@ -44,6 +44,32 @@ AC_ARG_WITH(
+ [notificaiton_path="/tmp/usbguard-notifier"]
+ )
+
++# usbguard-devel
++# Add the path to where your usbguard-devel includes are
++# You might need this option when you want to package usbguard-notifier
++# together with usbguard at the same time
++AC_ARG_WITH(
++ [usbguard-devel],
++ AS_HELP_STRING([--with-usbguard-devel], [Select to compile notifier from source usbguard devel files(only top level directory)]),
++ [usbguard_CFLAGS="-I$withval/src/Library/public/"
++ usbguard_LIBS=""
++ usbguard_LA="$withval/libusbguard.la"
++ libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"
++ AC_SUBST([usbguard_CFLAGS])
++ AC_SUBST([usbguard_LIBS])
++ AC_SUBST([usbguard_LA])
++ custom_usbguard_devel_enabled=yes
++ ],
++ [
++ PKG_CHECK_MODULES(
++ [usbguard],
++ [libusbguard >= 0.7.2],
++ [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
++ [AC_MSG_FAILURE([libusbguard development files not found])]
++ )
++ ]
++)
++
+ # Build notifier-cli, default is yes
+ AC_ARG_ENABLE([notifier-cli],
+ [AC_HELP_STRING([--enable-notifier-cli], [enable notifier cli(default=yes)])],
+@@ -81,14 +107,6 @@ PKG_CHECK_MODULES(
+ [AC_MSG_FAILURE([libnotify development files not found])]
+ )
+
+-# usbguard
+-PKG_CHECK_MODULES(
+- [usbguard],
+- [libusbguard >= 0.7.2],
+- [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
+- [AC_MSG_FAILURE([libusbguard development files not found])]
+-)
+-
+ # asciidoc
+ AC_CHECK_PROGS(A2X, [a2x])
+ if test -z "$A2X"; then
+@@ -162,6 +180,7 @@ AC_SUBST(config_PATH, $prefix/.config)
+ AC_SUBST(NOTIFICATION_PATH, $notification_path)
+
+ AM_CONDITIONAL([NOTIFIER_CLI_ENABLED], [test "x$notifier_cli_enabled" = xyes ])
++AM_CONDITIONAL([CUSTOM_USBGUARD_DEVEL_ENABLED], [test "x$custom_usbguard_devel_enabled" = "xyes"])
+
+ AC_CONFIG_FILES([
+ Makefile
+diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am
+--- ./usbguard-notifier-0.0.6/Makefile.am.notifier 2020-04-29 07:18:21.024388188 +0200
++++ ./usbguard-notifier-0.0.6/Makefile.am 2020-06-17 16:27:53.592151848 +0200
+@@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \
+ @usbguard_CFLAGS@ \
+ -fPIC
+
++if CUSTOM_USBGUARD_DEVEL_ENABLED
++usbguard_notifier_LDADD = \
++ @usbguard_LA@
++usbguard_notifier_cli_LDADD = \
++ @usbguard_LA@
++endif
++
+ BUILT_SOURCES = \
+ src/BuildConfig.h
+
+diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1
+--- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier 2020-06-17 19:55:54.621855004 +0200
++++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 2020-06-17 19:56:46.551297432 +0200
+@@ -53,7 +53,7 @@ Show help\&.
+ .RE
+ .SH "SEE ALSO"
+ .sp
+-usbguard\-notifier\-cli(1), usbguard(1)
++usbguard(1)
+ .SH "BUGS"
+ .sp
+ If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&.
diff --git a/SOURCES/usbguard-forking-style.patch b/SOURCES/usbguard-forking-style.patch
new file mode 100644
index 0000000..8a6500a
--- /dev/null
+++ b/SOURCES/usbguard-forking-style.patch
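Review bot: The new `--with-usbguard-devel` branch in configure.ac takes `$withval` on trust: `usbguard_CFLAGS="-I$withval/src/Library/public/"` and `usbguard_LA="$withval/libusbguard.la"` are substituted without checking that either path exists, so a wrong or not-yet-built tree only surfaces later as a compile or link failure with no hint of the cause. A guard before the `AC_SUBST` calls, `AS_IF([test -f "$withval/libusbguard.la"], [], [AC_MSG_ERROR([libusbguard.la not found under $withval])])`, fails at configure time with a usable message. In the Makefile.am hunk, `usbguard_notifier_LDADD = @usbguard_LA@` is a plain assignment inside the conditional; if Makefile.am already sets `usbguard_notifier_LDADD` outside this hunk it should be `+=`, otherwise whatever the default LDADD carried (libnotify etc.) is silently dropped in this configuration — the rest of Makefile.am is outside the hunk, so this needs checking against the file.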
@@ -0,0 +1,34 @@
+diff -up ./usbguard.service.in.forking ./usbguard.service.in
+--- ./usbguard.service.in.forking 2020-06-17 20:07:04.720564149 +0200
++++ ./usbguard.service.in 2020-06-17 20:10:00.744063846 +0200
+@@ -8,11 +8,12 @@ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+ DeviceAllow=/dev/null rw
+ DevicePolicy=strict
+-ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
++ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
++PIDFile=/var/run/usbguard.pid
+ PrivateDevices=yes
+ PrivateTmp=yes
+ ProtectControlGroups=yes
+@@ -20,14 +21,14 @@ ProtectHome=yes
+ ProtectKernelModules=yes
+ ProtectSystem=yes
+ ReadOnlyPaths=-/
+-ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/
++ReadWritePaths=-/dev/shm -%localstatedir%/log/usbguard -/tmp -%sysconfdir%/usbguard/ -/var/run
+ Restart=on-failure
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK
+ RestrictNamespaces=yes
+ RestrictRealtime=yes
+ SystemCallArchitectures=native
+ SystemCallFilter=@system-service
+-Type=simple
++Type=forking
+ UMask=0077
+
+ [Install]
diff --git a/SOURCES/usbguard-selinux-cpuinfo.patch b/SOURCES/usbguard-selinux-cpuinfo.patch
new file mode 100644
index 0000000..2371d64
--- /dev/null
+++ b/SOURCES/usbguard-selinux-cpuinfo.patch
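Review bot: `ReadWritePaths=... -/var/run` grants the daemon write access to the whole of `/var/run` (a symlink to `/run` on this distribution, so effectively every service's runtime directory) only so that `PIDFile=/var/run/usbguard.pid` can be written, which is a large widening of the `ProtectSystem=yes` / `ReadOnlyPaths=-/` sandbox for a daemon that sits on the device-authorization path. `RuntimeDirectory=usbguard` with `PIDFile=usbguard/usbguard.pid` (relative PIDFile paths resolve under /run on systemd >= 235) and an explicit `-p /run/usbguard/usbguard.pid` on `ExecStart` confines the write to a systemd-owned directory — assuming `usbguard-daemon`'s `-p` selects the pid-file path, which should be confirmed against usbguard-daemon(8), and adding `-/run/usbguard` to ReadWritePaths if `ReadOnlyPaths=-/` still masks it. As written, `Type=forking` also relies on the daemon's built-in default pid path being exactly `/var/run/usbguard.pid`, since `ExecStart` passes none; if they differ the unit times out at start.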
@@ -0,0 +1,12 @@
+diff -up ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo ./usbguard-selinux-0.0.3/usbguard.te
+--- ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo 2020-06-18 15:53:40.161615146 +0200
++++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-18 15:54:28.399982328 +0200
+@@ -77,6 +77,8 @@ auth_read_passwd(usbguard_t)
+ dev_list_sysfs(usbguard_t)
+ dev_rw_sysfs(usbguard_t)
+
++kernel_read_system_state(usbguard_t)
++
+ list_dirs_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ dontaudit usbguard_t usbguard_conf_t:file write;
diff --git a/SOURCES/usbguard-selinux-list-dir.patch b/SOURCES/usbguard-selinux-list-dir.patch
new file mode 100644
index 0000000..9334b45
--- /dev/null
+++ b/SOURCES/usbguard-selinux-list-dir.patch
@@ -0,0 +1,11 @@
+diff -up ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir ./usbguard-selinux-0.0.3/usbguard.te
+--- ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir 2020-06-09 10:53:03.191977241 +0200
++++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-09 10:54:21.441965315 +0200
+@@ -81,6 +81,7 @@ list_dirs_pattern(usbguard_t,usbguard_co
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ dontaudit usbguard_t usbguard_conf_t:file write;
+
++list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)
+
+ manage_dirs_pattern(usbguard_t, usbguard_var_run_t, usbguard_var_run_t)
diff --git a/SOURCES/usbguard-selinux-rules-d.patch b/SOURCES/usbguard-selinux-rules-d.patch
new file mode 100644
index 0000000..5d56573
--- /dev/null
+++ b/SOURCES/usbguard-selinux-rules-d.patch
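Review bot: `kernel_read_system_state(usbguard_t)` is added with no comment on what the daemon actually reads, and the interface is wider than the single file the changelog names: it grants read and list on everything labelled `proc_t` (/proc/cpuinfo, meminfo, stat, version and the rest), not just /proc/cpuinfo. A comment above the line, `# libgcrypt's hardware-feature probing reads /proc/cpuinfo (rhbz#1847870)`, records the reason for the next policy reviewer — the libgcrypt attribution is inferred from the daemon's crypto backend (`--with-crypto-library=gcrypt` in the spec) and should be confirmed from the AVC that prompted the change. If that AVC was in fact for `/proc/sys/crypto/fips_enabled`, which the FIPS-related unit change in this same import makes plausible, that file is `sysctl_crypto_t` rather than `proc_t`, and the narrower `kernel_read_crypto_sysctls(usbguard_t)` is the interface to add instead of, or alongside, this one.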
@@ -0,0 +1,22 @@
+From 008af22f238bfb97f6d337759732ac87bdef7b24 Mon Sep 17 00:00:00 2001
+From: alakatos
+Date: Mon, 25 May 2020 15:27:38 +0200
+Subject: [PATCH] /etc/usrbuard/rules.d(/.*)? has usbguard_rules_t label right
+ after the installation
+
+---
+ usbguard.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/usbguard.fc b/usbguard.fc
+index bce3e8c..3e14720 100644
+--- a/usbguard-selinux-0.0.3/usbguard.fc
++++ b/usbguard-selinux-0.0.3/usbguard.fc
+@@ -13,6 +13,7 @@
+ # You should have received a copy of the GNU General Public License
+ # along with this program. If not, see .
+
++/etc/usbguard/rules\.d(/.*)? gen_context(system_u:object_r:usbguard_rules_t,s0)
+ /etc/usbguard/rules.conf -- gen_context(system_u:object_r:usbguard_rules_t,s0)
+ /etc/usbguard(/.*)? gen_context(system_u:object_r:usbguard_conf_t,s0)
+ /dev/shm/qb-usbguard-.* -- gen_context(system_u:object_r:usbguard_tmpfs_t,s0)
diff --git a/SOURCES/usbguard-service-fips.patch b/SOURCES/usbguard-service-fips.patch
new file mode 100644
index 0000000..fce50c9
--- /dev/null
+++ b/SOURCES/usbguard-service-fips.patch
@@ -0,0 +1,13 @@
+diff -up ./usbguard.service.in.service-fips ./usbguard.service.in
+--- ./usbguard.service.in.service-fips 2020-06-22 10:44:44.815860376 +0200
++++ ./usbguard.service.in 2020-06-22 10:45:07.699135514 +0200
+@@ -6,8 +6,7 @@ Documentation=man:usbguard-daemon(8)
+ [Service]
+ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+-DeviceAllow=/dev/null rw
+-DevicePolicy=strict
++DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
+ LockPersonality=yes
diff --git a/SPECS/usbguard.spec b/SPECS/usbguard.spec
index 138381f..737c85a 100644
--- a/SPECS/usbguard.spec
+++ b/SPECS/usbguard.spec
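Review bot: In the service-fips hunk, `DevicePolicy=closed` replaces an explicit device allow-list with systemd's built-in pseudo-device set without recording why; if the need is `/dev/urandom` for libgcrypt's FIPS-mode DRBG (the patch name and the "read /dev/urandom" changelog entry suggest so, but the hunk itself does not say), the narrower change is to keep `DevicePolicy=strict` and add `DeviceAllow=/dev/urandom r` beside the existing `DeviceAllow=/dev/null rw`. `closed` additionally admits /dev/zero, /dev/full and /dev/random — harmless on their own, but the unit then no longer documents which device each line exists for, which is what made the original `strict` list reviewable. Whichever form is kept, a comment in the unit such as `# /dev/urandom is required by libgcrypt in FIPS mode` would carry the rationale.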
@@ -1,13 +1,14 @@ %global _hardened_build 1 - -%define with_gui_qt5 0 -%define with_dbus 1 +%global selinuxtype targeted +%global moduletype contrib +%define semodule_version 0.0.3 +%define notifier_version 0.0.6 %bcond_without check Name: usbguard -Version: 0.7.4 -Release: 4%{?dist} +Version: 0.7.8 +Release: 5%{?dist} Summary: A tool for implementing USB device usage policy Group: System Environment/Daemons License: GPLv2+ @@ -15,7 +16,9 @@ License: GPLv2+ # src/ThirdParty/Catch: Boost Software License - Version 1.0 URL: https://usbguard.github.io/ Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz -Source1: usbguard-daemon.conf +Source1: https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz +Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz +Source3: usbguard-daemon.conf Requires: systemd Requires(post): systemd @@ -23,7 +26,9 @@ Requires(preun): systemd Requires(postun): systemd Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig +Recommends: %{name}-selinux +BuildRequires: gcc-c++ BuildRequires: libqb-devel BuildRequires: libgcrypt-devel BuildRequires: libstdc++-devel 
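Review bot: `Recommends: %{name}-selinux` makes the confinement policy a weak dependency, so with weak dependencies disabled (`install_weak_deps=False`, `--setopt` on the command line, or a plain `rpm -i`) the daemon installs without its module and presumably runs in `init_t`, which is unconfined in the targeted policy, while still being root with `CAP_CHOWN CAP_FOWNER` in its bounding set. The SELinux independent-policy convention is the conditional rich dependency `Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})`, which pulls the policy whenever the matching base policy is present and is a no-op on systems without SELinux; rpm >= 4.13 evaluates it, and `selinuxtype` is defined in the hunk above so the macro resolves.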
@@ -37,21 +42,19 @@ BuildRequires: audit-libs-devel # For `pkg-config systemd` only BuildRequires: systemd -%if 0%{with_gui_qt5} -BuildRequires: qt5-qtbase-devel qt5-qtsvg-devel qt5-linguist -%endif - -%if 0%{with_dbus} BuildRequires: dbus-glib-devel BuildRequires: dbus-devel BuildRequires: glib2-devel BuildRequires: polkit-devel BuildRequires: libxslt BuildRequires: libxml2 -%endif -Patch0: usbguard-0.7.4-loadFilesError.patch -Patch1: match-all.patch +Patch1: usbguard-0.7.6-notifier.patch +Patch2: usbguard-selinux-rules-d.patch +Patch3: usbguard-selinux-list-dir.patch +Patch4: usbguard-forking-style.patch +Patch5: usbguard-selinux-cpuinfo.patch +Patch6: usbguard-service-fips.patch %description The USBGuard software framework helps to protect your computer against rogue USB @@ -78,22 +81,6 @@ Requires: %{name} = %{version}-%{release} The %{name}-tools package contains optional tools from the USBGuard software framework. -%if 0%{with_gui_qt5} -### -%package applet-qt -Summary: USBGuard Qt 5.x Applet -Group: Applications/System -Requires: %{name} = %{version}-%{release} -Obsoletes: usbguard-applet-qt <= 0.3 - -%description applet-qt -The %{name}-applet-qt package contains an optional Qt 5.x desktop applet -for interacting with the USBGuard daemon component. -### -%endif - -%if 0%{with_dbus} -### %package dbus Summary: USBGuard D-Bus Service Group: Applications/System 
@@ -104,17 +91,53 @@ Requires: polkit %description dbus The %{name}-dbus package contains an optional component that provides a D-Bus interface to the USBGuard daemon component. -### -%endif +%package selinux +Summary: USBGuard selinux +Group: Applications/System +Requires: %{name} = %{version}-%{release} +BuildRequires: selinux-policy +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description selinux +The %{name}-selinux package contains selinux policy for the USBGuard +daemon. + +%package notifier +Summary: A tool for detecting usbguard policy and device presence changes +Group: Applications/System +Requires: %{name} = %{version}-%{release} +Requires: systemd +BuildRequires: librsvg2-devel +BuildRequires: libnotify-devel +BuildRequires: execstack + +%description notifier +The %{name}-notifier package detects usbguard policy modifications as well as +device presence changes and displays them as pop-up notifications. + +# usbguard %prep %setup -q -%patch0 -p1 -b .loadFilesError -%patch1 -p1 -b .matchallkeyword + +# selinux +%setup -q -D -T -a 1 + +# notifier +%setup -q -D -T -a 2 # Remove bundled library sources before build rm -rf src/ThirdParty/{Catch,PEGTL} +%patch1 -p1 -b .notifier +%patch2 -p1 -b .rules-d-selinux +%patch3 -p1 -b .list-dir +%patch4 -p1 -b .forking +%patch5 -p1 -b .cpuinfo +%patch6 -p1 -b .service-fips + %build mkdir -p ./m4 autoreconf -i -v --no-recursive ./ 
@@ -123,32 +146,62 @@ autoreconf -i -v --no-recursive ./ --without-bundled-catch \ --without-bundled-pegtl \ --enable-systemd \ -%if 0%{with_gui_qt5} - --with-gui-qt=qt5 \ -%endif -%if 0%{with_dbus} --with-dbus \ --with-polkit \ -%else - --without-dbus \ - --without-polkit \ -%endif --with-crypto-library=gcrypt make %{?_smp_mflags} +# selinux +pushd %{name}-selinux-%{semodule_version} +make +popd + +# notifier +pushd %{name}-notifier-%{notifier_version} +mkdir -p ./m4 +autoreconf -i -v --no-recursive ./ +export CXXFLAGS="$RPM_OPT_FLAGS" +%configure \ + --disable-silent-rules \ + --without-bundled-catch \ + --enable-debug-build \ + --disable-notifier-cli \ + --with-usbguard-devel="../" + +%set_build_flags +make %{?_smp_mflags} +popd + %if %{with check} %check make check %endif +# selinux +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + %install make install INSTALL='install -p' DESTDIR=%{buildroot} # Overwrite configuration with distribution defaults mkdir -p %{buildroot}%{_sysconfdir}/usbguard +mkdir -p %{buildroot}%{_sysconfdir}/usbguard/rules.d mkdir -p %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d -install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf +install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf + +# selinux +install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} +install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if + +# notifier +pushd %{name}-notifier-%{notifier_version} +make install INSTALL='install -p' DESTDIR=%{buildroot} +execstack -c %{buildroot}%{_bindir}/%{name}-notifier +popd # Cleanup find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' 
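Review bot: `execstack -c %{buildroot}%{_bindir}/%{name}-notifier` clears the executable-stack flag on the finished binary instead of fixing whichever input object lacks a `.note.GNU-stack` section; it hides the hardening regression from build-time checks rather than removing the cause, and if some object genuinely needs an executable stack the stripped flag turns that into a runtime crash. The usual fix is at link time — `export LDFLAGS="$RPM_LD_FLAGS -Wl,-z,noexecstack"` before the notifier's `%configure` (or `-Wa,--noexecstack` if the culprit is an assembler source) — after which `readelf -lW` should show `GNU_STACK ... RW` and both this line and the `BuildRequires: execstack` in the subpackage stanza can go; which object triggers it is not visible in this hunk. Separately, `--enable-debug-build` is passed for a binary that ships to production: if it lowers the optimization level (not visible here), `_FORTIFY_SOURCE=2` from `$RPM_OPT_FLAGS` becomes inert for the notifier, and `%set_build_flags` placed after `%configure` only changes the environment of `make`, not the flags already baked into the generated Makefiles.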
@@ -173,6 +226,7 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %{_bindir}/usbguard %dir %{_localstatedir}/log/usbguard %dir %{_sysconfdir}/usbguard +%dir %{_sysconfdir}/usbguard/rules.d/ %dir %{_sysconfdir}/usbguard/IPCAccessControl.d %config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf %config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf @@ -193,25 +247,13 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %defattr(-,root,root,-) %{_bindir}/usbguard-rule-parser -%if 0%{with_gui_qt5} -### -%files applet-qt -%defattr(-,root,root,-) -%{_bindir}/usbguard-applet-qt -%{_mandir}/man1/usbguard-applet-qt.1.gz -%{_datadir}/applications/usbguard-applet-qt.desktop -%{_datadir}/icons/hicolor/scalable/apps/usbguard-icon.svg -### -%endif -%if 0%{with_dbus} -### %files dbus %defattr(-,root,root,-) %{_sbindir}/usbguard-dbus -%{_datadir}/dbus-1/system-services/org.usbguard.service -%{_datadir}/dbus-1/system.d/org.usbguard.conf -%{_datadir}/polkit-1/actions/org.usbguard.policy +%{_datadir}/dbus-1/system-services/org.usbguard1.service +%{_datadir}/dbus-1/system.d/org.usbguard1.conf +%{_datadir}/polkit-1/actions/org.usbguard1.policy %{_unitdir}/usbguard-dbus.service %{_mandir}/man8/usbguard-dbus.8.gz 
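Review bot: `%dir %{_sysconfdir}/usbguard/rules.d/` carries no `%attr`, so the directory ships with whatever mode `mkdir -p` produced in %install (0755 under the build umask) while the neighbouring `rules.conf` and `usbguard-daemon.conf` entries are pinned to 0600. Rule fragments an administrator drops there describe the same device policy as rules.conf, and the directory mode is the only part of that the package controls; `%dir %attr(0700,root,root) %{_sysconfdir}/usbguard/rules.d/` keeps the fragments reachable by the daemon (the unit sets no `User=`, so it runs as root) and unlistable by everyone else.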
@@ -223,10 +265,66 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %postun dbus %systemd_postun_with_restart usbguard-dbus.service -### -%endif + +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name} +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} + +%files notifier +%defattr(-,root,root,-) +%doc %{name}-notifier-%{notifier_version}/README.md %{name}-notifier-%{notifier_version}/CHANGELOG.md +%license %{name}-notifier-%{notifier_version}/LICENSE +%{_bindir}/%{name}-notifier +%{_mandir}/man1/%{name}-notifier.1.gz +%{_userunitdir}/%{name}-notifier.service + +%post notifier +%systemd_user_post %{name}-notifier.service + +%preun notifier +%systemd_user_preun %{name}-notifier.service + +%postun notifier +%systemd_user_postun_with_restart %{name}-notifier.service + %changelog +* Wed Jun 17 2020 Radovan Sroka - 0.7.8-5 +- RHEL 8.3.0 ERRATUM +- Use old-fasioned forking style in unit file +Resolves: rhbz#1846885 +- Allow usbguard to read /proc/cpuinfo +Resolves: rhbz#1847870 +- Removed notifier's Requires for usbguard-devel +Resolves: rhbz#1667395 +- Allow usbguard to read /dev/urandom +Resolves: rhbz#1848618 + +* Wed May 06 2020 Attila Lakatos - 0.7.8-4 +- RHEL 8.3.0 ERRATUM +- Spec file clean up +- Rebase to 0.7.8 +Resolves: rhbz#1738590 +- Added selinux subpackage +Resolves: rhbz#1683567 +- Added notifier subpackage +- Installing /etc/usbguard/rules.d/ +Resolves: rhbz#1667395 +- Fixed sigwaitinfo handling +Resolves: rhbz#1835210 + * Mon Nov 25 2019 Marek Tamaskovic - 0.7.4-4 - add match-all keyword