diff --git a/.gitignore b/.gitignore
index 7219e77..0ec0776 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-SOURCES/usbguard-1.0.0.tar.gz
-SOURCES/usbguard-notifier-0.0.6.tar.gz
-SOURCES/usbguard-selinux-0.0.4.tar.gz
+SOURCES/usbguard-1.1.4.tar.gz
+SOURCES/usbguard-notifier-0.1.1.tar.gz
+SOURCES/usbguard-selinux-0.0.5.tar.gz
diff --git a/.usbguard.metadata b/.usbguard.metadata
index c53175f..ebf4597 100644
--- a/.usbguard.metadata
+++ b/.usbguard.metadata
@@ -1,3 +1,3 @@
-bf909799daae6798634e1b01efaaadc5781b9755 SOURCES/usbguard-1.0.0.tar.gz
-7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
-40db29405c2236791ca5ce616d9e563a8309356e SOURCES/usbguard-selinux-0.0.4.tar.gz
+5191ae6f4a7e92037ebb3aef32a4fbf6fef3ad37 SOURCES/usbguard-1.1.4.tar.gz
+5c316478b16dda001603536a53347b253b484da1 SOURCES/usbguard-notifier-0.1.1.tar.gz
+1e1b42e55b931e1665b8132937266c84a8050c57 SOURCES/usbguard-selinux-0.0.5.tar.gz
diff --git a/SOURCES/catch1-devel.patch b/SOURCES/catch1-devel.patch
new file mode 100644
index 0000000..b6ec178
--- /dev/null
+++ b/SOURCES/catch1-devel.patch
@@ -0,0 +1,34 @@
+diff -up usbguard-1.1.4/configure.ac.orig usbguard-1.1.4/configure.ac
+--- usbguard-1.1.4/configure.ac.orig 2025-11-04 09:27:33.016736712 +0100
++++ usbguard-1.1.4/configure.ac 2025-11-04 09:27:54.843249396 +0100
+@@ -400,16 +400,13 @@ if test "x$enable_catch" = xyes; then
+ catch_summary="bundled; $catch_CFLAGS $catch_LIBS"
+ else
+ SAVE_CPPFLAGS=$CPPFLAGS
+- CPPFLAGS="-std=c++17 $CPPFLAGS -I/usr/include/catch2"
++ CPPFLAGS="-std=c++17 $CPPFLAGS -I/usr/include/catch"
+ AC_LANG_PUSH([C++])
+- AC_CHECK_HEADER([catch_test_macros.hpp],
+- [catch_CFLAGS="-I/usr/include/catch2 -DHAVE_CATCH2_V3"
+- catch_LIBS="-lCatch2Main -lCatch2"],
+- [AC_CHECK_HEADER([catch.hpp],
+- [catch_CFLAGS="-I/usr/include/catch2"
++ AC_CHECK_HEADER([catch.hpp],
++ [catch_CFLAGS="-I/usr/include/catch"
+ catch_LIBS=""],
+- [AC_MSG_FAILURE(Catch2 not found or not usable. Re-run with --with-bundled-catch to use the bundled library.)]
+- )])
++ [AC_MSG_FAILURE(Catch not found or not usable. Re-run with --with-bundled-catch to use the bundled library.)]
++ )
+ AC_LANG_POP
+ CPPFLAGS=$SAVE_CPPFLAGS
+ catch_summary="system-wide; $catch_CFLAGS $catch_LIBS"
+@@ -417,7 +414,7 @@ if test "x$enable_catch" = xyes; then
+ else
+ catch_CFLAGS=""
+ catch_LIBS=""
+- catch_summary="disabled; not checking for Catch2"
++ catch_summary="disabled; not checking for Catch"
+ fi
+ AC_SUBST([catch_CFLAGS])
+ AC_SUBST([catch_LIBS])
diff --git a/SOURCES/usbguard-disable-console-log.patch b/SOURCES/disable-console-logging.patch
similarity index 53%
rename from SOURCES/usbguard-disable-console-log.patch
rename to SOURCES/disable-console-logging.patch
index ac77c47..d17113a 100644
--- a/SOURCES/usbguard-disable-console-log.patch
+++ b/SOURCES/disable-console-logging.patch
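Review bot: The new patch file carries no explanation of why the Catch2 v3/v2 detection chain is replaced outright by a single Catch v1 check under /usr/include/catch, and it silently drops the `-DHAVE_CATCH2_V3` define and the `-lCatch2Main -lCatch2` link flags. patch(1) ignores free text before the first `diff -up` line, so a one-line preamble such as `Build the test suite against the Catch v1 header package (/usr/include/catch) available in this distribution instead of Catch2.` would document the intent without affecting application. If any 1.1.4 test source is gated on HAVE_CATCH2_V3 it will now take the non-v3 path; those sources are not visible here, so worth confirming with a test build.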
@@ -1,9 +1,9 @@
-diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
---- usbguard-1.0.0/usbguard.service.in.orig 2023-01-12 13:22:23.032554498 +0100
-+++ usbguard-1.0.0/usbguard.service.in 2023-01-12 13:22:33.082568210 +0100
+diff -up usbguard-1.1.4/usbguard.service.in.orig usbguard-1.1.4/usbguard.service.in
+--- usbguard-1.1.4/usbguard.service.in.orig 2025-11-04 09:30:06.066901646 +0100
++++ usbguard-1.1.4/usbguard.service.in 2025-11-04 09:30:08.179271961 +0100
@@ -8,7 +8,7 @@ OOMScoreAdjust=-1000
AmbientCapabilities=
- CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE CAP_DAC_READ_SEARCH
DevicePolicy=closed
-ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ExecStart=%sbindir%/usbguard-daemon -f -s -K -c %sysconfdir%/usbguard/usbguard-daemon.conf
diff --git a/SOURCES/selinux-sbin.patch b/SOURCES/selinux-sbin.patch
new file mode 100644
index 0000000..93de40b
--- /dev/null
+++ b/SOURCES/selinux-sbin.patch
@@ -0,0 +1,14 @@
+diff --git a/usbguard.fc b/usbguard.fc
+index d8cfa45..3904962 100644
+--- a/usbguard.fc
++++ b/usbguard.fc
+@@ -18,7 +18,9 @@
+ /etc/usbguard/rules\.conf -- gen_context(system_u:object_r:usbguard_rules_t,s0)
+ /etc/usbguard(/.*)? gen_context(system_u:object_r:usbguard_conf_t,s0)
+ /usr/lib/systemd/system/usbguard.* -- gen_context(system_u:object_r:usbguard_unit_file_t,s0)
++/usr/bin/usbguard-daemon -- gen_context(system_u:object_r:usbguard_exec_t,s0)
+ /usr/sbin/usbguard-daemon -- gen_context(system_u:object_r:usbguard_exec_t,s0)
++/usr/bin/usbguard-dbus -- gen_context(system_u:object_r:usbguard_exec_t,s0)
+ /usr/sbin/usbguard-dbus -- gen_context(system_u:object_r:usbguard_exec_t,s0)
+ /var/log/usbguard(/.*)? gen_context(system_u:object_r:usbguard_log_t,s0)
+ /run/usbguard.* -- gen_context(system_u:object_r:usbguard_var_run_t,s0)
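Review bot: The refreshed inner context line now reads `CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE CAP_DAC_READ_SEARCH`, so the 1.1.4 unit grants the daemon one more capability than the 1.0.0 unit did; the `- CapabilityBoundingSet=…`/`+ CapabilityBoundingSet=…` pair is a context update for the rebase, not something this patch introduces, but the inherited widening of the bounding set is a privilege change that deserves a sentence in the package changelog alongside the rename. The patch's own change is still limited to adding `-K` to ExecStart, which matches the new file name. The spec file that references the renamed patch is not part of this view; presumably it is updated in the same commit.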
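Review bot: The new file-context entries for /usr/bin/usbguard-daemon and /usr/bin/usbguard-dbus are added next to the existing /usr/sbin entries rather than replacing them, which keeps the usbguard_exec_t label (and hence the domain transition) correct whether or not /usr/sbin is merged into /usr/bin, but the patch gives no hint that this is the motivation. Lines before the first `diff --git` line are ignored by patch(1), so a preamble such as `Label the daemon binaries under /usr/bin as usbguard_exec_t so the domain transition still happens when they live in /usr/bin instead of /usr/sbin.` would record the intent. Whether the same .fc file has other /usr/sbin-only entries that would need the same treatment cannot be checked from this hunk.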
diff --git a/SOURCES/tmpfiles-rework.patch b/SOURCES/tmpfiles-rework.patch
new file mode 100644
index 0000000..98e0c24
--- /dev/null
+++ b/SOURCES/tmpfiles-rework.patch
@@ -0,0 +1,19 @@
+diff --git a/Makefile.am b/Makefile.am
+index 74a08cb..8271412 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -119,6 +119,7 @@ install-daemon-conf: $(top_builddir)/usbguard-daemon.conf
+ $(MKDIR_P) $(DESTDIR)/$(usbguard_confdir)
+ $(MKDIR_P) $(DESTDIR)/$(usbguard_confdir)/IPCAccessControl.d
+ $(MKDIR_P) $(DESTDIR)/${localstatedir}/log/usbguard
++ chmod 0700 $(DESTDIR)/${localstatedir}/log/usbguard
+ $(INSTALL) -m 600 $(top_builddir)/usbguard-daemon.conf \
+ $(DESTDIR)/$(usbguard_confdir)/usbguard-daemon.conf
+ if ! test -f "$(DESTDIR)/$(usbguard_confdir)/rules.conf"; then \
+diff --git a/usbguard-tmpfiles.conf b/usbguard-tmpfiles.conf
+index aff00c5..e90908f 100644
+--- a/usbguard-tmpfiles.conf
++++ b/usbguard-tmpfiles.conf
+@@ -1 +1 @@
+-d /var/log/usbguard 0755 root root - -
++d /var/log/usbguard 0700 root root - -
diff --git a/SOURCES/tmpfiles.patch b/SOURCES/tmpfiles.patch
deleted file mode 100644
index 4eb6b0f..0000000
--- a/SOURCES/tmpfiles.patch
+++ /dev/null
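Review bot: The log-directory mode is now stated in two unrelated places, the `chmod 0700` recipe line added to install-daemon-conf and the `0700` field in usbguard-tmpfiles.conf, with nothing marking that they must agree; a comment above the chmod, `# keep in sync with usbguard-tmpfiles.conf: log files are readable by root only`, would make the coupling visible to the next person who touches either file. Tightening from the upstream 0755 is the right direction, and since a tmpfiles `d` entry also adjusts the mode of a directory that already exists, existing installations pick up 0700 at the next systemd-tmpfiles run, which is worth a line in the changelog. The tmpfiles.patch this replaces was a git-format-patch whose Subject explained the purpose of the tmpfiles entry; the replacement has no preamble at all, so a descriptive line before its first `diff --git` would preserve that context. The rest of the install-daemon-conf recipe continues outside the hunk.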
@@ -1,58 +0,0 @@ -From 306cad81aee91d6adb61acdb9f1a9900fe2a13cd Mon Sep 17 00:00:00 2001 -From: Cropi -Date: Thu, 6 Feb 2025 08:00:59 +0100 -Subject: [PATCH] =?UTF-8?q?At=20boot=20time,=20systemd=E2=80=91tmpfiles=20?= - =?UTF-8?q?processes=20this=20file=20and=20creates=20/var/log/usbguard=20s?= - =?UTF-8?q?o=20that=20the=20usbguard=20service=20can=20start=20successfull?= - =?UTF-8?q?y.?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - ---- - Makefile.am | 13 +++++++++++-- - usbguard-tmpfiles.conf | 1 + - 2 files changed, 12 insertions(+), 2 deletions(-) - create mode 100644 usbguard-tmpfiles.conf - -diff --git a/Makefile.am b/Makefile.am -index 7dc6849..2a8bfeb 100644 ---- a/Makefile.am -+++ b/Makefile.am -@@ -90,8 +90,8 @@ $(top_builddir)/%.roff: %.adoc - $(INSTALL) -m 644 $(top_builddir)/$(@:.roff=) $(top_builddir)/$@ - endif - --install-data-hook: install-daemon-conf install-systemd-service install-data-dbus --uninstall-hook: uninstall-daemon-conf uninstall-systemd-service uninstall-data-dbus -+install-data-hook: install-daemon-conf install-systemd-service install-data-dbus install-tmpfiles -+uninstall-hook: uninstall-daemon-conf uninstall-systemd-service uninstall-data-dbus uninstall-tmpfiles - - CLEANFILES+=\ - $(top_builddir)/usbguard-daemon.conf -@@ -106,6 +106,15 @@ usbguard_confdir= $(sysconfdir)/usbguard - - distuninstallcheck_listfiles= find . -type f ! 
-name rules.conf -print - -+EXTRA_DIST+=usbguard-tmpfiles.conf -+ -+install-tmpfiles: -+ mkdir -p ${DESTDIR}$(prefix)/lib/tmpfiles.d/ -+ $(INSTALL_DATA) -m 640 ${srcdir}/usbguard-tmpfiles.conf ${DESTDIR}$(prefix)/lib/tmpfiles.d/usbguard.conf -+ -+uninstall-tmpfiles: -+ rm ${DESTDIR}$(prefix)/lib/tmpfiles.d/usbguard.conf -+ - install-daemon-conf: $(top_builddir)/usbguard-daemon.conf - $(MKDIR_P) $(DESTDIR)/$(usbguard_confdir) - $(MKDIR_P) $(DESTDIR)/$(usbguard_confdir)/IPCAccessControl.d -diff --git a/usbguard-tmpfiles.conf b/usbguard-tmpfiles.conf -new file mode 100644 -index 0000000..e90908f ---- /dev/null -+++ b/usbguard-tmpfiles.conf -@@ -0,0 +1 @@ -+d /var/log/usbguard 0700 root root - - --- -2.48.1 - diff --git a/SOURCES/usbguard-0.7.6-notifier.patch b/SOURCES/usbguard-0.7.6-notifier.patch deleted file mode 100644 index 9d21147..0000000 --- a/SOURCES/usbguard-0.7.6-notifier.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac ---- ./usbguard-notifier-0.0.6/configure.ac.notifier 2020-04-29 07:35:43.057914703 +0200 -+++ ./usbguard-notifier-0.0.6/configure.ac 2020-06-17 16:27:53.577151720 +0200 -@@ -44,6 +44,32 @@ AC_ARG_WITH( - [notificaiton_path="/tmp/usbguard-notifier"] - ) - -+# usbguard-devel -+# Add the path to where your usbguard-devel includes are -+# You might need this option when you want to package usbguard-notifier -+# together with usbguard at the same time -+AC_ARG_WITH( -+ [usbguard-devel], -+ AS_HELP_STRING([--with-usbguard-devel], [Select to compile notifier from source usbguard devel files(only top level directory)]), -+ [usbguard_CFLAGS="-I$withval/src/Library/public/" -+ usbguard_LIBS="" -+ usbguard_LA="$withval/libusbguard.la" -+ libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS" -+ AC_SUBST([usbguard_CFLAGS]) -+ AC_SUBST([usbguard_LIBS]) -+ AC_SUBST([usbguard_LA]) -+ custom_usbguard_devel_enabled=yes -+ ], -+ [ -+ PKG_CHECK_MODULES( -+ [usbguard], -+ [libusbguard >= 0.7.2], -+ [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"], -+ [AC_MSG_FAILURE([libusbguard development files not found])] -+ ) -+ ] -+) -+ - # Build notifier-cli, default is yes - AC_ARG_ENABLE([notifier-cli], - [AC_HELP_STRING([--enable-notifier-cli], [enable notifier cli(default=yes)])], -@@ -81,14 +107,6 @@ PKG_CHECK_MODULES( - [AC_MSG_FAILURE([libnotify development files not found])] - ) - --# usbguard --PKG_CHECK_MODULES( -- [usbguard], -- [libusbguard >= 0.7.2], -- [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"], -- [AC_MSG_FAILURE([libusbguard development files not found])] --) -- - # asciidoc - AC_CHECK_PROGS(A2X, [a2x]) - if test -z "$A2X"; then -@@ -162,6 +180,7 @@ AC_SUBST(config_PATH, $prefix/.config) - AC_SUBST(NOTIFICATION_PATH, $notification_path) - - AM_CONDITIONAL([NOTIFIER_CLI_ENABLED], [test "x$notifier_cli_enabled" = xyes ]) 
-+AM_CONDITIONAL([CUSTOM_USBGUARD_DEVEL_ENABLED], [test "x$custom_usbguard_devel_enabled" = "xyes"]) - - AC_CONFIG_FILES([ - Makefile -diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am ---- ./usbguard-notifier-0.0.6/Makefile.am.notifier 2020-04-29 07:18:21.024388188 +0200 -+++ ./usbguard-notifier-0.0.6/Makefile.am 2020-06-17 16:27:53.592151848 +0200 -@@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \ - @usbguard_CFLAGS@ \ - -fPIC - -+if CUSTOM_USBGUARD_DEVEL_ENABLED -+usbguard_notifier_LDADD = \ -+ @usbguard_LA@ -+usbguard_notifier_cli_LDADD = \ -+ @usbguard_LA@ -+endif -+ - BUILT_SOURCES = \ - src/BuildConfig.h - -diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 ---- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier 2020-06-17 19:55:54.621855004 +0200 -+++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 2020-06-17 19:56:46.551297432 +0200 -@@ -53,7 +53,7 @@ Show help\&. - .RE - .SH "SEE ALSO" - .sp --usbguard\-notifier\-cli(1), usbguard(1) -+usbguard(1) - .SH "BUGS" - .sp - If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&. diff --git a/SOURCES/usbguard-OOMScoreAdjust.patch b/SOURCES/usbguard-OOMScoreAdjust.patch deleted file mode 100644 index d101768..0000000 --- a/SOURCES/usbguard-OOMScoreAdjust.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in ---- usbguard-1.0.0/usbguard.service.in.orig 2022-11-28 10:21:35.889977314 +0100 -+++ usbguard-1.0.0/usbguard.service.in 2022-11-28 10:21:52.711987716 +0100 -@@ -4,6 +4,7 @@ Wants=systemd-udevd.service local-fs.tar - Documentation=man:usbguard-daemon(8) - - [Service] -+OOMScoreAdjust=-1000 - AmbientCapabilities= - CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE - DevicePolicy=closed 
diff --git a/SOURCES/usbguard-audit-capability.patch b/SOURCES/usbguard-audit-capability.patch deleted file mode 100644 index 934a25a..0000000 --- a/SOURCES/usbguard-audit-capability.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in ---- usbguard-1.0.0/usbguard.service.in.orig 2021-03-17 14:16:21.675374844 +0100 -+++ usbguard-1.0.0/usbguard.service.in 2021-03-17 14:16:29.056373213 +0100 -@@ -5,7 +5,7 @@ Documentation=man:usbguard-daemon(8) - - [Service] - AmbientCapabilities= --CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER -+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE - DevicePolicy=closed - ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf - IPAddressDeny=any diff --git a/SOURCES/usbguard-consistent-rules.patch b/SOURCES/usbguard-consistent-rules.patch deleted file mode 100644 index 7420215..0000000 --- a/SOURCES/usbguard-consistent-rules.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp ---- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig 2022-11-28 10:35:44.052560664 +0100 -+++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp 2022-11-28 10:35:55.510568939 +0100 -@@ -76,7 +76,7 @@ namespace usbguard - } - - if (ruleSet.empty()){ -- USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible."; -+ USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible."; - ruleSet = generateDefaultRuleSet(); - } - diff --git a/SOURCES/usbguard-daemon-race-condition.patch b/SOURCES/usbguard-daemon-race-condition.patch deleted file mode 100644 index 40e5645..0000000 --- a/SOURCES/usbguard-daemon-race-condition.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp ---- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig 2022-11-28 10:25:01.044104150 +0100 -+++ usbguard-1.0.0/src/Daemon/Daemon.cpp 2022-11-28 10:25:34.736124980 +0100 -@@ -40,6 +40,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -606,6 +607,7 @@ namespace usbguard - const int signum = sigtimedwait(&mask, &info, &timeout); - - if (signum == SIGUSR1 && info.si_signo == SIGUSR1 && info.si_pid == pid) { -+ waitpid(pid, nullptr, 0); - USBGUARD_LOG(Trace) << "Finished daemonization"; - exit(EXIT_SUCCESS); - } diff --git a/SOURCES/usbguard-dbus-CVE-leak.patch b/SOURCES/usbguard-dbus-CVE-leak.patch deleted file mode 100644 index 5f6e0f7..0000000 --- a/SOURCES/usbguard-dbus-CVE-leak.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp ---- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig 2022-11-23 08:57:40.119760422 +0100 -+++ usbguard-1.0.0/src/DBus/DBusBridge.cpp 2022-11-23 08:58:22.380845720 +0100 -@@ -434,12 +434,11 @@ namespace usbguard - USBGUARD_LOG(Trace) << "Connecting with Polkit authority..."; - PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error); - -- if (! authority || error) { -+ if (! authority) { - USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << "."; - *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; - *authErrorMessage = "Failed to connect to Polkit authority"; - g_error_free(error); -- g_object_unref(authority); - g_object_unref(subject); - return false; - } -@@ -470,12 +469,11 @@ namespace usbguard - /*cancellable=*/ NULL, - &error); - -- if (! result || error) { -+ if (! result) { - USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << "."; - *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; - *authErrorMessage = "Failed to check back with Polkit for authoriation."; - g_error_free(error); -- g_object_unref(result); - g_object_unref(details); - g_object_unref(authority); - g_object_unref(subject); diff --git a/SOURCES/usbguard-dbus-CVE.patch b/SOURCES/usbguard-dbus-CVE.patch deleted file mode 100644 index ed2747a..0000000 --- a/SOURCES/usbguard-dbus-CVE.patch +++ /dev/null 
@@ -1,335 +0,0 @@ -diff -up usbguard-1.0.0/configure.ac.orig usbguard-1.0.0/configure.ac ---- usbguard-1.0.0/configure.ac.orig 2022-08-16 10:24:34.345570913 +0200 -+++ usbguard-1.0.0/configure.ac 2022-08-16 10:24:34.307571236 +0200 -@@ -399,7 +399,7 @@ if test "x$with_dbus" = xyes; then - # - # Check for required D-Bus modules - # -- PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0], -+ PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0 polkit-gobject-1], - [AC_DEFINE([HAVE_DBUS], [1], [Required GDBus API available]) - dbus_summary="system-wide; $dbus_CFLAGS $dbus_LIBS"], - [AC_MSG_FAILURE([Required D-Bus modules (dbus-1, gio-2.0) not found!])] -diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp ---- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig 2022-08-16 10:24:34.312571194 +0200 -+++ usbguard-1.0.0/src/DBus/DBusBridge.cpp 2022-08-16 10:28:28.595587136 +0200 -@@ -21,6 +21,8 @@ - #endif - - #include "DBusBridge.hpp" -+#include -+ - namespace usbguard - { - DBusBridge::DBusBridge(GDBusConnection* const gdbus_connection, -@@ -74,9 +76,19 @@ namespace usbguard - return; - } - -+ #define DBUS_AUTH_CHECK \ -+ GDBusError authErrorCode = G_DBUS_ERROR_FAILED; \ -+ const gchar* authErrorMessage = NULL; \ -+ if (! 
isAuthorizedByPolkit(invocation, &authErrorCode, &authErrorMessage)) { \ -+ g_dbus_method_invocation_return_error_literal(invocation, G_DBUS_ERROR, authErrorCode, authErrorMessage); \ -+ return; \ -+ } -+ - void DBusBridge::handleRootMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation) - { - if (method_name == "getParameter") { -+ DBUS_AUTH_CHECK -+ - const char* name_cstr = nullptr; - g_variant_get(parameters, "(&s)", &name_cstr); - std::string name(name_cstr); -@@ -86,6 +98,8 @@ namespace usbguard - } - - if (method_name == "setParameter") { -+ DBUS_AUTH_CHECK -+ - const char* name_cstr = nullptr; - const char* value_cstr = nullptr; - g_variant_get(parameters, "(&s&s)", &name_cstr, &value_cstr); -@@ -104,6 +118,8 @@ namespace usbguard - void DBusBridge::handlePolicyMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation) - { - if (method_name == "listRules") { -+ DBUS_AUTH_CHECK -+ - const char* label_cstr = nullptr; - g_variant_get(parameters, "(&s)", &label_cstr); - std::string label(label_cstr); -@@ -136,6 +152,8 @@ namespace usbguard - } - - if (method_name == "appendRule") { -+ DBUS_AUTH_CHECK -+ - const char* rule_spec_cstr = nullptr; - uint32_t parent_id = 0; - gboolean temporary = false; -@@ -147,6 +165,8 @@ namespace usbguard - } - - if (method_name == "removeRule") { -+ DBUS_AUTH_CHECK -+ - uint32_t rule_id = 0; - g_variant_get(parameters, "(u)", &rule_id); - removeRule(rule_id); -@@ -163,6 +183,8 @@ namespace usbguard - GDBusMethodInvocation* invocation) - { - if (method_name == "listDevices") { -+ DBUS_AUTH_CHECK -+ - const char* query_cstr = nullptr; - g_variant_get(parameters, "(&s)", &query_cstr); - std::string query(query_cstr); -@@ -195,6 +217,8 @@ namespace usbguard - } - - if (method_name == "applyDevicePolicy") { -+ DBUS_AUTH_CHECK -+ - uint32_t device_id = 0; - uint32_t target_integer = 0; - gboolean permanent = false; -@@ -344,6 +368,135 @@ namespace 
usbguard - - return builder; - } -+ -+ std::string DBusBridge::formatGError(GError* error) -+ { -+ if (error) { -+ std::stringstream formatGError; -+ formatGError << error->message << " (code " << error->code << ")"; -+ return formatGError.str(); -+ } -+ else { -+ return "unknown error"; -+ } -+ } -+ -+ bool DBusBridge::isAuthorizedByPolkit(GDBusMethodInvocation* invocation, GDBusError* authErrorCode, -+ const gchar** authErrorMessage) -+ { -+ GError* error = NULL; -+ USBGUARD_LOG(Trace) << "Extracting bus name..."; -+ const gchar* const /*no-free!*/ bus_name = g_dbus_method_invocation_get_sender (invocation); -+ -+ if (! bus_name) { -+ USBGUARD_LOG(Trace) << "Failed to extract bus name."; -+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; -+ *authErrorMessage = "Failed to extract bus name."; -+ return false; -+ } -+ -+ USBGUARD_LOG(Trace) << "Extracted bus name \"" << bus_name << "\"."; -+ USBGUARD_LOG(Trace) << "Extracting interface name..."; -+ const gchar* const /*no-free!*/ interfaceName = g_dbus_method_invocation_get_interface_name(invocation); -+ -+ if (! interfaceName) { -+ USBGUARD_LOG(Trace) << "Failed to extract interface name."; -+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; -+ *authErrorMessage = "Failed to extract interface name."; -+ return false; -+ } -+ -+ USBGUARD_LOG(Trace) << "Extracted interface name \"" << interfaceName << "\"."; -+ USBGUARD_LOG(Trace) << "Extracting method name..."; -+ const gchar* const /*no-free!*/ methodName = g_dbus_method_invocation_get_method_name(invocation); -+ -+ if (! methodName) { -+ USBGUARD_LOG(Trace) << "Failed to extract method name."; -+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; -+ *authErrorMessage = "Failed to extract method name."; -+ return false; -+ } -+ -+ std::stringstream action_id; -+ action_id << interfaceName << "." 
<< methodName; -+ USBGUARD_LOG(Trace) << "Extracted method name \"" << methodName << "\"."; -+ USBGUARD_LOG(Trace) << "Creating a system bus Polkit subject..."; -+ PolkitSubject* const subject = polkit_system_bus_name_new(bus_name); -+ -+ if (! subject) { -+ USBGUARD_LOG(Trace) << "Failed to create Polkit subject."; -+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; -+ *authErrorMessage = "Failed to create Polkit subject."; -+ return false; -+ } -+ -+ USBGUARD_LOG(Trace) << "Created."; -+ USBGUARD_LOG(Trace) << "Connecting with Polkit authority..."; -+ PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error); -+ -+ if (! authority || error) { -+ USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << "."; -+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; -+ *authErrorMessage = "Failed to connect to Polkit authority"; -+ g_error_free(error); -+ g_object_unref(authority); -+ g_object_unref(subject); -+ return false; -+ } -+ -+ USBGUARD_LOG(Trace) << "Connected."; -+ USBGUARD_LOG(Trace) << "Customizing Polkit authentification dialog..."; -+ PolkitDetails* const details = polkit_details_new(); -+ -+ if (! 
details) { -+ USBGUARD_LOG(Trace) << "Failed to customize the Polkit authentification dialog."; -+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; -+ *authErrorMessage = "Failed to customize the Polkit authentication dialog."; -+ g_object_unref(authority); -+ g_object_unref(subject); -+ return false; -+ } -+ -+ polkit_details_insert (details, "polkit.message", "This USBGuard action needs authorization"); -+ USBGUARD_LOG(Trace) << "Customized."; -+ USBGUARD_LOG(Trace) << "Checking authorization of action \"" << action_id.str() << "\" with Polkit ..."; -+ const PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION; -+ PolkitAuthorizationResult* const result = polkit_authority_check_authorization_sync -+ (authority, -+ subject, -+ action_id.str().c_str(), -+ details, -+ flags, -+ /*cancellable=*/ NULL, -+ &error); -+ -+ if (! result || error) { -+ USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << "."; -+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; -+ *authErrorMessage = "Failed to check back with Polkit for authoriation."; -+ g_error_free(error); -+ g_object_unref(result); -+ g_object_unref(details); -+ g_object_unref(authority); -+ g_object_unref(subject); -+ return false; -+ } -+ -+ gboolean isAuthorized = polkit_authorization_result_get_is_authorized(result); -+ USBGUARD_LOG(Trace) << (isAuthorized ? "Authorized" : "Not authorized") << "."; -+ -+ if (! 
isAuthorized) { -+ *authErrorCode = G_DBUS_ERROR_ACCESS_DENIED; -+ *authErrorMessage = "Not authorized."; -+ } -+ -+ g_object_unref(result); -+ g_object_unref(details); -+ g_object_unref(authority); -+ g_object_unref(subject); -+ return isAuthorized; -+ } -+ - } /* namespace usbguard */ - - /* vim: set ts=2 sw=2 et */ -diff -up usbguard-1.0.0/src/DBus/DBusBridge.hpp.orig usbguard-1.0.0/src/DBus/DBusBridge.hpp ---- usbguard-1.0.0/src/DBus/DBusBridge.hpp.orig 2022-08-16 10:24:34.312571194 +0200 -+++ usbguard-1.0.0/src/DBus/DBusBridge.hpp 2022-08-16 10:28:33.514545528 +0200 -@@ -83,6 +83,9 @@ namespace usbguard - bool rule_match, - uint32_t rule_id); - -+ static std::string formatGError(GError* error); -+ static bool isAuthorizedByPolkit(GDBusMethodInvocation* invocation, GDBusError* authErrorCode, -+ const gchar** authErrorMessage); - - GDBusConnection* const p_gdbus_connection; - void(*p_ipc_callback)(bool); -diff -up usbguard-1.0.0/src/DBus/org.usbguard1.policy.orig usbguard-1.0.0/src/DBus/org.usbguard1.policy ---- usbguard-1.0.0/src/DBus/org.usbguard1.policy.orig 2022-08-16 10:24:34.312571194 +0200 -+++ usbguard-1.0.0/src/DBus/org.usbguard1.policy 2022-08-16 10:24:34.311571202 +0200 -@@ -1,23 +1,23 @@ - - -- -+ - - The USBGuard Project - https://github.org/USBGuard/usbguard - - - List the rule set (policy) used by the USBGuard daemon -- Prevents from listing the USBGuard policy -+ Prevents listing the USBGuard policy - - no -- auth_self_keep_session -+ yes - - - - - Append a new rule to the policy -- Prevents from appending rules to the USBGuard policy -+ Prevents appending rules to the USBGuard policy - - no - auth_admin -@@ -33,40 +33,41 @@ - - - -- -- List all USB devices recognized by the USBGuard daemon -- Prevents from listing USB devices recognized by the USBGuard daemon -+ -+ Apply a policy to a device in USBGuard -+ Prevents applying a policy to a device in USBGuard - - no -- auth_self_keep_session -+ auth_admin - - - -- -- Authorize a USB device via the 
USBGuard daemon to interact with the system -- Prevents from authorizing USB devices via the USBGuard daemon -+ -+ List all USB devices recognized by the USBGuard daemon -+ Prevents listing USB devices recognized by the USBGuard daemon - - no -- auth_admin -+ yes - - - -- -- Deauthorize a USB device via the USBGuard daemon -- Prevents from deauthorizing USB devices via the USBGuard daemon -+ -+ Get the value of a runtime parameter -+ Prevents getting values of runtime USBGuard parameters - - no -- auth_admin -+ yes - - - -- -- Remove a USB device via the USBGuard daemon -- Prevents from removing USB devices via the USBGuard daemon -+ -+ Set the value of a runtime parameter -+ Prevents setting values of runtime USBGuard parameters - - no - auth_admin - - -+ - - diff --git a/SOURCES/usbguard-ipc-override-fix.patch b/SOURCES/usbguard-ipc-override-fix.patch deleted file mode 100644 index 61a54c7..0000000 --- a/SOURCES/usbguard-ipc-override-fix.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff --color -ru a/src/Library/IPCServerPrivate.cpp b/src/Library/IPCServerPrivate.cpp ---- a/src/Library/IPCServerPrivate.cpp 2020-11-23 15:56:12.979847655 +0100 -+++ b/src/Library/IPCServerPrivate.cpp 2021-10-14 12:33:12.462503822 +0200 -@@ -567,10 +567,12 @@ - bool IPCServerPrivate::authenticateIPCConnectionDAC(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const - { - USBGUARD_LOG(Trace) << "uid=" << uid << " gid=" << gid << " ac_ptr=" << ac_ptr; -- return \ -- matchACLByUID(uid, ac_ptr) || \ -- matchACLByGID(gid, ac_ptr) || \ -- matchACLByName(uid, gid, ac_ptr); -+ -+ bool matched_uid = matchACLByUID(uid, ac_ptr); -+ bool matched_gid = matchACLByGID(gid, ac_ptr); -+ bool matched_name = matchACLByName(uid, gid, ac_ptr); -+ -+ return matched_uid || matched_gid || matched_name; - } - - bool IPCServerPrivate::matchACLByUID(uid_t uid, IPCServer::AccessControl* const ac_ptr) const 
diff --git a/SOURCES/usbguard-missing-doc.patch b/SOURCES/usbguard-missing-doc.patch deleted file mode 100644 index 138a3cb..0000000 --- a/SOURCES/usbguard-missing-doc.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -diff -up usbguard-1.0.0/doc/man/example-allow-device.adoc.orig usbguard-1.0.0/doc/man/example-allow-device.adoc ---- usbguard-1.0.0/doc/man/example-allow-device.adoc.orig 2022-11-28 12:00:26.695561514 +0100 -+++ usbguard-1.0.0/doc/man/example-allow-device.adoc 2022-11-28 11:57:01.120457773 +0100 -@@ -0,0 +1,6 @@ -+.... -+ # Allow a device by ID(it is the very first number from the list-devices command output) -+ $ sudo usbguard allow-device 10 -+ # Allow all devices named "Dell Wired Multimedia Keyboard" -+ $ sudo usbguard allow-device name \"Dell Wired Multimedia Keyboard\" -+.... -diff -up usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig usbguard-1.0.0/doc/man/example-initial-policy.adoc ---- usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig 2022-11-28 12:00:31.781564080 +0100 -+++ usbguard-1.0.0/doc/man/example-initial-policy.adoc 2022-11-28 11:57:25.353470002 +0100 -@@ -0,0 +1,7 @@ -+.... -+ $ sudo usbguard generate-policy > rules.conf -+ $ vi rules.conf -+ (review/modify the rule set) -+ $ sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf -+ $ sudo systemctl restart usbguard -+.... -diff -up usbguard-1.0.0/doc/man/footer.adoc.orig usbguard-1.0.0/doc/man/footer.adoc ---- usbguard-1.0.0/doc/man/footer.adoc.orig 2022-11-28 11:54:21.495377220 +0100 -+++ usbguard-1.0.0/doc/man/footer.adoc 2022-11-28 11:55:51.960422872 +0100 -@@ -0,0 +1,18 @@ -+== BUGS -+If you find a bug in this software or if you'd like to request a feature to be implemented, please file a ticket at . -+ -+ -+== AUTHOR -+USBGuard was originally written by Daniel Kopeček. -+Many people have contributed to it. -+ -+ -+== RESOURCES -+Main web site: -+ -+ -+== COPYING -+Copyright © 2015-{docyear} Red Hat, Inc. + -+License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl.html. + -+This is free software: you are free to change and redistribute it. -+There is NO WARRANTY, to the extent permitted by law. 
diff --git a/SOURCES/usbguard-notifier-decrease-spam.patch b/SOURCES/usbguard-notifier-decrease-spam.patch deleted file mode 100644 index 5173805..0000000 --- a/SOURCES/usbguard-notifier-decrease-spam.patch +++ /dev/null 
@@ -1,182 +0,0 @@
-diff --color -ru a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 b/usbguard-notifier-0.0.6/man/usbguard-notifier.1
---- a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-10-14 12:44:57.816146101 +0200
-+++ b/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-10-14 12:46:14.442519466 +0200
-@@ -39,7 +39,12 @@
- .PP
- \fB\-w, \-\-wait\fR
- .RS 4
--Wait until an active IPC connection is estabilished\&.
-+Wait until an active IPC connection is estabilished\&. ie\&. infinite number of attempts\&.
-+.RE
-+.PP
-+\fB\-n, \-\-num\-attempts\fR \fInum\fR
-+.RS 4
-+Number of IPC connection attempts. Window between each attempt is 1 second\&. The default number of attempts is 3\&.
- .RE
- .PP
- \fB\-d, \-\-debug\fR
-@@ -51,6 +56,64 @@
- .RS 4
- Show help\&.
- .RE
-+.SH "HOW TO START"
-+.sp
-+In order to make usbguard\-notifier work properly, you will need to perform certain actions:
-+.sp
-+.RS 4
-+.ie n \{\
-+\h'-04' 1.\h'+01'\c
-+.\}
-+.el \{\
-+.sp -1
-+.IP " 1." 4.2
-+.\}
-+Each user who wants to run usbguard\-notifier service needs to have sufficient IPC privileges to connect to the usbguard IPC interface\&. To allow a specific user to listen to the device signals you can use the following command:
-+
-+
-+\fB$ sudo usbguard add\-user\fR
-+\fIUSER\fR
-+\fB\-d listen\fR
-+
-+Or you can allow a group of users:
-+
-+
-+\fB$ sudo usbguard add\-user \-g\fR
-+\fIGROUP\fR
-+\fB\-d listen\fR
-+.RE
-+.sp
-+.RS 4
-+.ie n \{\
-+\h'-04' 2.\h'+01'\c
-+.\}
-+.el \{\
-+.sp -1
-+.IP " 2." 4.2
-+.\}
-+Now, you need a running usbguard\-daemon instance to connect to\&. Start the usbguard service or restart it if it is already running\&.
-+.RE
-+.sp
-+.RS 4
-+.ie n \{\
-+\h'-04' 3.\h'+01'\c
-+.\}
-+.el \{\
-+.sp -1
-+.IP " 3." 4.2
-+.\}
-+After configuring IPC privileges and starting up the usbguard\-daemon, the user can now start the usbguard\-notifier service:
-+
-+
-+\fB$ systemctl start \-\-user usbguard\-notifier\&.service\fR
-+
-+Optionally, the user can enable the usbguard\-notifier service to start automatically after the login:
-+
-+
-+\fB$ systemctl enable \-\-user usbguard\-notifier\&.service\fR
-+.RE
-+.sp
-+The usbguard\-notifier should now be running\&. Anytime a USB device gets inserted/ejected or allowed/blocked a message will pop up in the user\(cqs graphical interface\&.
- .SH "SEE ALSO"
- .sp
- usbguard(1)
-diff --color -ru a/usbguard-notifier-0.0.6/src/Main.cpp b/usbguard-notifier-0.0.6/src/Main.cpp
---- a/usbguard-notifier-0.0.6/src/Main.cpp 2020-03-04 08:59:49.138771474 +0100
-+++ b/usbguard-notifier-0.0.6/src/Main.cpp 2021-10-14 12:46:14.443519484 +0200
-@@ -20,6 +20,7 @@
- #include "Log.hpp"
- #include "Notifier.hpp"
- 
-+#include 
- #include 
- #include 
- #include 
-@@ -27,10 +28,11 @@
- 
- #include 
- 
--static const char* short_options = "wdh";
-+static const char* short_options = "wn:dh";
- 
- static const struct ::option long_options[] = {
- { "wait", no_argument, nullptr, 'w' },
-+ { "num-attempts", required_argument, nullptr, 'n' },
- { "debug", no_argument, nullptr, 'd' },
- { "help", no_argument, nullptr, 'h' }
- };
-@@ -40,22 +42,26 @@
- out << "Usage: " << app_name << " [OPTIONS]" << std::endl;
- out << std::endl;
- out << "Options:" << std::endl;
-- out << " -w, --wait Wait until an active IPC connection is estabilished." << std::endl;
-- out << " -d, --debug Enable debug mode." << std::endl;
-- out << " -h, --help Show this usage message." << std::endl;
-+ out << " -w, --wait Wait until an active IPC connection is estabilished." << std::endl;
-+ out << " -n, --num-attempts Number of IPC connection attempts." << std::endl;
-+ out << " -d, --debug Enable debug mode." << std::endl;
-+ out << " -h, --help Show this usage message." << std::endl;
- }
- 
- int main(int argc, char** argv)
- {
- const std::string app_name(::basename(*argv));
- bool wait_connection = false, debug = false;
-- int opt;
-+ int opt, num_attempts = 3;
- 
- while ((opt = getopt_long(argc, argv, short_options, long_options, nullptr)) != -1) {
- switch (opt) {
- case 'w':
- wait_connection = true;
- break;
-+ case 'n':
-+ num_attempts = std::atoi(optarg);
-+ break;
- case 'd':
- debug = true;
- break;
-@@ -71,23 +77,26 @@
- }
- NOTIFIER_LOGGER.setDebugMode(debug);
- 
-- for (;;) {
-+ bool print_err = true;
-+ for (int i = 0; wait_connection || i < num_attempts; ++i) {
- try {
- usbguardNotifier::Notifier notifier(app_name);
- notifier.connect();
- std::cout << "Connection has been established" << std::endl;
-+ print_err = true;
-+ i = 0;
- notifier.wait();
- } catch (const std::runtime_error& e) {
- std::cerr << "Error:" << e.what() << std::endl;
- return EXIT_FAILURE;
- } catch (const usbguard::Exception& e) {
-- std::cerr << "IPC connection failure!" << e.message() << std::endl;
-- std::cerr << "Check if usbguard-daemon is running in the background" << std::endl;
-- if (!wait_connection) {
-- break;
-+ if (print_err) {
-+ print_err = false;
-+ std::cerr << "IPC connection failure!" << e.message() << std::endl;
-+ std::cerr << "Check if usbguard-daemon is running in the background" << std::endl;
- }
-- sleep(1);
- }
-+ sleep(1);
- }
- return EXIT_SUCCESS;
- }
-diff --color -ru a/usbguard-notifier-0.0.6/usbguard-notifier.service.in b/usbguard-notifier-0.0.6/usbguard-notifier.service.in
---- a/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2020-03-04 09:00:32.019254871 +0100
-+++ b/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2021-10-14 12:46:14.444519502 +0200
-@@ -3,7 +3,7 @@
- After=usbguard.service
- 
- [Service]
--ExecStart=%bindir%/usbguard-notifier -w
-+ExecStart=%bindir%/usbguard-notifier
- 
- [Install]
- WantedBy=default.target
diff --git a/SOURCES/usbguard-permanent-rules.patch b/SOURCES/usbguard-permanent-rules.patch
deleted file mode 100644
index 845c702..0000000
--- a/SOURCES/usbguard-permanent-rules.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-diff -up usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc.orig usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc
---- usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc.orig 2023-01-05 10:58:24.684407437 +0100
-+++ usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc 2023-01-05 10:58:42.323426745 +0100
-@@ -27,7 +27,12 @@ It may be overridden using the *-c* comm
- behave like any other standard Linux daemon therefore it loads rule files in
- alpha-numeric order. File names inside `RuleFolder` directory should start
- with a two-digit number prefix indicating the position, in which the rules
-- are scanned by the daemon.
-+ are scanned by the daemon. Using RuleFile and RuleFolder at the same time is
-+ permitted. However, modification of the permanent policy is not possible if
-+ one of the following conditions are met:
-+ ** Neither RuleFile nor RuleFolder are specified.
-+ ** RuleFile is not specified, RuleFolder is but it does not contain any files,
-+ where we could save permanent rules.
- 
- *ImplicitPolicyTarget*='target'::
- How to treat USB devices that don't match any rule in the policy. Target
-diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp
---- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig 2023-01-05 10:58:49.689434809 +0100
-+++ usbguard-1.0.0/src/Daemon/Daemon.cpp 2023-01-05 10:59:18.991466884 +0100
-@@ -742,7 +742,7 @@ namespace usbguard
- /* TODO: reevaluate the firewall rules for all active devices */
- const uint32_t id = _policy.appendRule(rule, parent_id);
- 
-- if (_config.hasSettingValue("RuleFile") && permanent) {
-+ if ((_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) && permanent) {
- _policy.save();
- }
- 
-@@ -755,7 +755,7 @@ namespace usbguard
- USBGUARD_LOG(Trace) << "id=" << id;
- _policy.removeRule(id);
- 
-- if (_config.hasSettingValue("RuleFile")) {
-+ if (_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) {
- _policy.save();
- }
- }
-diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp
---- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig 2023-01-05 10:59:27.117475780 +0100
-+++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp 2023-01-05 10:59:46.228496702 +0100
-@@ -75,8 +75,24 @@ namespace usbguard
- }
- }
- 
-- if (ruleSet.empty()){
-- USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible.";
-+ /*
-+ * This means one of the following:
-+ * - Neither RuleFile nor RuleFolder are specified
-+ * - RuleFile not specified, RuleFolder is but it does not contain any files,
-+ * where we could save permanent rules
-+ */
-+ if (ruleSet.empty()) {
-+ std::string msg;
-+
-+ if (ns.getRulesPath().empty() && ns.getRulesDirPath().empty()) {
-+ msg = "Neither RuleFile nor RuleFolder are set.";
-+ }
-+ else {
-+ msg = "RuleFile is not set, RuleFolder is but it does not contain any rule files.";
-+ }
-+
-+ USBGUARD_LOG(Warning) << "Modification of the permanent policy won't be possible."
-+ << " Reason: " << msg;
- ruleSet = generateDefaultRuleSet();
- }
- 
diff --git a/SOURCES/usbguard-selinux-audit-capability.patch b/SOURCES/usbguard-selinux-audit-capability.patch
deleted file mode 100644
index 41a6631..0000000
--- a/SOURCES/usbguard-selinux-audit-capability.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te
---- usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig 2021-03-23 10:32:56.239139027 +0100
-+++ usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te 2021-03-23 10:33:05.718229143 +0100
-@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t)
- # Local policy
- #
- 
--allow usbguard_t self:capability { chown fowner };
-+allow usbguard_t self:capability { chown fowner audit_write };
- allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read };
- allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
- 
diff --git a/SOURCES/usbguard-selinux-dbus-CVE.patch b/SOURCES/usbguard-selinux-dbus-CVE.patch
deleted file mode 100644
index 705c15e..0000000
--- a/SOURCES/usbguard-selinux-dbus-CVE.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff -up usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te
---- usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig 2022-08-17 09:17:13.995269603 +0200
-+++ usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te 2022-08-17 09:18:47.439260009 +0200
-@@ -99,7 +99,6 @@ logging_log_filetrans(usbguard_t, usbgua
- 
- logging_send_syslog_msg(usbguard_t)
- 
--dbus_system_domain(usbguard_t, usbguard_exec_t)
- usbguard_ipc_access(usbguard_t)
- 
- tunable_policy(`usbguard_daemon_write_rules',`
-@@ -110,6 +109,14 @@ tunable_policy(`usbguard_daemon_write_co
- rw_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
- ')
- 
-+optional_policy(`
-+ dbus_system_domain(usbguard_t, usbguard_exec_t)
-+
-+ optional_policy(`
-+ policykit_dbus_chat(usbguard_t)
-+ ')
-+')
-+
- # Allow confined users to communicate with usbguard over unix socket
- optional_policy(`
- gen_require(`
diff --git a/SOURCES/usbguard-service-pidfile.patch b/SOURCES/usbguard-service-pidfile.patch
deleted file mode 100644
index 6fe546a..0000000
--- a/SOURCES/usbguard-service-pidfile.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From 6a596441eb91215898542bce4aadabfe396a3875 Mon Sep 17 00:00:00 2001
-From: Birger Schacht <1143280+b1rger@users.noreply.github.com>
-Date: Mon, 18 Jan 2021 15:00:47 +0000
-Subject: [PATCH] Write PIDFile to /run instead of /var/run
-
-According to https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s13.html regarding /var/run:
-This directory was once intended for system information data describing the system since it was booted. These functions have been moved to /run; this directory exists to ensure compatibility with systems and software using an older version of this specification.
----
- usbguard.service.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/usbguard.service.in b/usbguard.service.in
-index 0d7e193c..2ec8c633 100644
---- a/usbguard.service.in
-+++ b/usbguard.service.in
-@@ -12,7 +12,7 @@ IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
- NoNewPrivileges=yes
--PIDFile=/var/run/usbguard.pid
-+PIDFile=/run/usbguard.pid
- PrivateDevices=yes
- PrivateTmp=yes
- ProtectControlGroups=yes
diff --git a/SOURCES/usbguard-validate-acl.patch b/SOURCES/usbguard-validate-acl.patch
deleted file mode 100644
index 8625a86..0000000
--- a/SOURCES/usbguard-validate-acl.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-diff --color -ru a/doc/man/usbguard.1.adoc b/doc/man/usbguard.1.adoc
---- a/doc/man/usbguard.1.adoc 2020-11-23 15:56:12.977847682 +0100
-+++ b/doc/man/usbguard.1.adoc 2021-10-14 12:39:11.949947187 +0200
-@@ -282,6 +282,7 @@
- ....
- 
- Consult the usbguard-daemon.conf(5) man-page for a detailed list of available privileges in each section.
-+You can also use 'ALL' instead of 'privileges' to automatically assign all relevant privileges to a given section.
- 
- 
- === *remove-user* 'name' ['OPTIONS']
-diff --color -ru a/doc/man/usbguard-daemon.conf.5.adoc b/doc/man/usbguard-daemon.conf.5.adoc
---- a/doc/man/usbguard-daemon.conf.5.adoc 2020-11-23 15:56:12.977847682 +0100
-+++ b/doc/man/usbguard-daemon.conf.5.adoc 2021-10-14 12:39:11.953947259 +0200
-@@ -162,6 +162,8 @@
- 
- ** list: Get values of run-time parameters.
- 
-+ ** listen: Listen to property parameter changes.
-+
- The following is a generally usable and reasonably safe example of an access control file.
- It allows one to modify USB device authorization state (`Devices=modify`), list USB devices (`Devices=list`), listen to USB device related events (`Devices=listen`), list USB authorization policy rules (`Policy=list`) and listen to exception events (`Exceptions=listen`):
- 
-diff --color -ru a/src/Library/public/usbguard/IPCServer.cpp b/src/Library/public/usbguard/IPCServer.cpp
---- a/src/Library/public/usbguard/IPCServer.cpp 2020-11-23 15:56:12.979847655 +0100
-+++ b/src/Library/public/usbguard/IPCServer.cpp 2021-10-14 12:39:11.954947277 +0200
-@@ -159,18 +159,25 @@
- throw USBGUARD_BUG("Cannot set privileges for NONE section");
- }
- 
-+ const uint8_t p = static_cast(privilege);
-+
- if (section == Section::ALL) {
-- for (const auto& value : {
-+ for (const auto& s : {
- Section::POLICY,
- Section::PARAMETERS,
- Section::EXCEPTIONS,
- Section::DEVICES
- }) {
-- _access_control[value] |= static_cast(privilege);
-+ _access_control[s] |= p & ~ac_mask(s);
- }
- }
- else {
-- _access_control[section] |= static_cast(privilege);
-+ if (privilege != Privilege::ALL && (p & ac_mask(section))) {
-+ throw std::runtime_error("Invalid privilege " +
-+ privilegeToString(privilege) + " for section " +
-+ sectionToString(section));
-+ }
-+ _access_control[section] |= p & ~ac_mask(section);
- }
- }
- 
-@@ -254,6 +261,28 @@
- merge(access_control);
- }
- 
-+ uint8_t IPCServer::AccessControl::ac_mask(IPCServer::AccessControl::Section section) const
-+ {
-+ const uint8_t MODIFY = static_cast(Privilege::MODIFY);
-+ const uint8_t LIST = static_cast(Privilege::LIST);
-+ const uint8_t LISTEN = static_cast(Privilege::LISTEN);
-+
-+ switch (section) {
-+ case Section::DEVICES:
-+ return ~(MODIFY | LIST | LISTEN);
-+ case Section::POLICY:
-+ return ~(MODIFY | LIST);
-+ case Section::EXCEPTIONS:
-+ return ~(LISTEN);
-+ case Section::PARAMETERS:
-+ return ~(MODIFY | LIST | LISTEN);
-+ case Section::ALL:
-+ case Section::NONE:
-+ default:
-+ return 0xff;
-+ }
-+ }
-+
- IPCServer::IPCServer()
- : d_pointer(usbguard::make_unique(*this))
- {
-diff --color -ru a/src/Library/public/usbguard/IPCServer.hpp b/src/Library/public/usbguard/IPCServer.hpp
---- a/src/Library/public/usbguard/IPCServer.hpp 2020-10-11 17:43:43.519295669 +0200
-+++ b/src/Library/public/usbguard/IPCServer.hpp 2021-10-14 12:39:11.955947295 +0200
-@@ -278,6 +278,17 @@
- };
- 
- /**
-+ * @brief Get a privilege mask for given section
-+ *
-+ * For example, if the section is POLICY that has privileges MODIFY
-+ * and LIST, the mask would be ~(MODIFY | LIST)
-+ *
-+ * @param section Section for which the privilege mask should be returned
-+ * @return Privilege mask for section
-+ */
-+ uint8_t ac_mask(Section section) const;
-+
-+ /**
- * @brief Access control represented by unordered map of
- * tuples (Section, 8b privileges).
- *
diff --git a/SPECS/usbguard.spec b/SPECS/usbguard.spec
index c4a4773..763ff78 100644
--- a/SPECS/usbguard.spec
+++ b/SPECS/usbguard.spec
@@ -1,14 +1,14 @@
 %global _hardened_build 1
 %global selinuxtype targeted
 %global moduletype contrib
-%define semodule_version 0.0.4
-%define notifier_version 0.0.6
+%define semodule_version 0.0.5
+%define notifier_version 0.1.1
 
 %bcond_without check
 
 Name: usbguard
-Version: 1.0.0
-Release: 16%{?dist}
+Version: 1.1.4
+Release: 2%{?dist}
 Summary: A tool for implementing USB device usage policy
 Group: System Environment/Daemons
 License: GPLv2+
@@ -16,7 +16,7 @@ License: GPLv2+
 # src/ThirdParty/Catch: Boost Software License - Version 1.0
 URL: https://usbguard.github.io/
 Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
-Source1: https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
+Source1: https://github.com/USBGuard/usbguard-selinux/archive/refs/tags/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
 Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz
 Source3: usbguard-daemon.conf
 ExcludeArch: i686
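Review bot: Source1 now points at GitHub's on-the-fly `archive/refs/tags/v%{semodule_version}.tar.gz` rather than a published release asset, unlike Source0 and Source2 which both use `releases/download/...`. Auto-generated GitHub archives are not a stable artifact (GitHub regenerates them, and their bytes and checksums have changed in the past), so a checksum pinned against this URL is brittle, and a checksum mismatch later is indistinguishable from a tampered download. If usbguard-selinux publishes release tarballs, prefer a `releases/download/v%{semodule_version}/...` URL like the other sources; otherwise add a comment above the line, e.g. `# auto-generated GitHub archive, not a release asset: re-verify its checksum on every rebase`, so the next rebaser knows to treat it differently.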
@@ -50,23 +50,10 @@ BuildRequires: polkit-devel
 BuildRequires: libxslt
 BuildRequires: libxml2
 
-Patch1: usbguard-0.7.6-notifier.patch
-Patch2: usbguard-audit-capability.patch
-Patch3: usbguard-selinux-audit-capability.patch
-Patch4: usbguard-service-pidfile.patch
-Patch5: usbguard-ipc-override-fix.patch
-Patch6: usbguard-validate-acl.patch
-Patch7: usbguard-notifier-decrease-spam.patch
-Patch8: usbguard-dbus-CVE.patch
-Patch9: usbguard-selinux-dbus-CVE.patch
-Patch10: usbguard-dbus-CVE-leak.patch
-Patch11: usbguard-OOMScoreAdjust.patch
-Patch12: usbguard-daemon-race-condition.patch
-Patch13: usbguard-consistent-rules.patch
-Patch14: usbguard-missing-doc.patch
-Patch15: usbguard-permanent-rules.patch
-Patch16: usbguard-disable-console-log.patch
-Patch17: tmpfiles.patch
+Patch1: catch1-devel.patch
+Patch2: disable-console-logging.patch
+Patch3: selinux-sbin.patch
+Patch4: tmpfiles-rework.patch
 
 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@@ -136,6 +123,9 @@ device presence changes and displays them as pop-up notifications.
 
 # selinux
 %setup -q -D -T -a 1
+pushd %{name}-selinux-%{semodule_version}
+%patch -P 3 -p1
+popd
 
 # notifier
 %setup -q -D -T -a 2
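Review bot: The rebase silently drops Patch6 (usbguard-validate-acl.patch), Patch8–Patch10 (the dbus-CVE patches) and Patch12 (usbguard-daemon-race-condition.patch) from the patch list, and nothing in the spec records that usbguard 1.1.4 carries those fixes upstream, so someone auditing this package cannot tell from the spec whether the IPC ACL validation and the D-Bus authorization fix survived the rebase. Presumably they are part of the 1.1.x line, but that should be stated where the patches used to be, e.g. `# validate-acl, dbus-CVE*, race-condition and permanent-rules fixes are upstream as of 1.1.4` placed above `Patch1: catch1-devel.patch`. The same applies to the dropped SELinux patches, which are now expected to come from usbguard-selinux 0.0.5 rather than from this spec.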
@@ -143,23 +133,9 @@ device presence changes and displays them as pop-up notifications.
 # Remove bundled library sources before build
 rm -rf src/ThirdParty/{Catch,PEGTL}
 
-%patch -P 1 -p1 -b .notifier
-%patch -P 2 -p1 -b .audit-write
-%patch -P 3 -p1 -b .selinux-audit-write
-%patch -P 4 -p1 -b .pidfile
-%patch -P 5 -p1 -b .ipc-override-fix
-%patch -P 6 -p1 -b .validate-acl
-%patch -P 7 -p1 -b .notifier-decrease-spam
-%patch -P 8 -p1 -b .dbus-CVE
-%patch -P 9 -p1 -b .selinux-dbus-CVE
-%patch -P 10 -p1 -b .dbus-CVE-leak
-%patch -P 11 -p1 -b .oomscore-adjust
-%patch -P 12 -p1 -b .race-condition
-%patch -P 13 -p1 -b .consistent-rules
-%patch -P 14 -p1 -b .missing-doc
-%patch -P 15 -p1 -b .permanent-rules
-%patch -P 16 -p1 -b .disable-syslog
-%patch -P 17 -p1 -b .tmpfiles
+%patch -P 1 -p1
+%patch -P 2 -p1
+%patch -P 4 -p1
 
 %build
 mkdir -p ./m4
@@ -247,7 +223,7 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
 %{_libdir}/*.so.*
 %{_sbindir}/usbguard-daemon
 %{_bindir}/usbguard
-%dir %{_localstatedir}/log/usbguard
+%dir %attr(700,root,root) %{_localstatedir}/log/usbguard
 %dir %{_sysconfdir}/usbguard
 %dir %{_sysconfdir}/usbguard/rules.d/
 %dir %{_sysconfdir}/usbguard/IPCAccessControl.d
@@ -325,6 +301,15 @@ fi
 
 
 %changelog
+* Fri Nov 21 2025 Attila Lakatos - 1.1.4-2
+- restore permissions of usbguard files
+Resolves: RHEL-126440
+
+* Wed Nov 05 2025 Attila Lakatos - 1.1.4-1
+- rebase to 1.1.4
+- restore permissions of usbguard files
+Resolves: RHEL-126440
+
 * Thu Feb 06 2025 Attila Lakatos - 1.0.0-16
 - Install usbguard-tmpfles.conf
 Resolves: RHEL-78188
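Review bot: The application block now jumps from `%patch -P 2 -p1` straight to `%patch -P 4 -p1` with no explanation, which reads like a forgotten Patch3 to anyone who has not spotted the pushd/popd around the SELinux %setup step earlier in %prep. A one-line comment keeps the sequence self-explaining: `# Patch3 (selinux-sbin.patch) is applied inside the usbguard-selinux tree during %setup above`. Dropping the `-b .suffix` backups is fine and has the side benefit that no backup copies of patched files are left in the source tree.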
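Review bot: The new `%attr(700,root,root)` on `%{_localstatedir}/log/usbguard` is the right direction for an audit-log directory, but the hunk tightens only that directory while `%dir %{_sysconfdir}/usbguard`, `rules.d/` and `IPCAccessControl.d` directly below keep the package default mode, so the device policy and the IPC ACL may stay readable by every local user even though the man-page example deleted elsewhere in this same diff installs `rules.conf` with `install -m 0600 -o root -g root`. Presumably the rule files carry device IDs, serials and names, i.e. exactly the allow-list an attacker would want to clone, so either the same `%attr(700,root,root)` belongs on `%dir %{_sysconfdir}/usbguard` (if the usbguard CLI does not need to read those files directly — verify against the daemon's IPC design) or a comment should say why the config tree is intentionally left open. Note also that this entry governs only the directory; the log files inside it are created at runtime (by the daemon or by the tmpfiles snippet that Patch4 reworks, neither visible here), so their modes are not covered by this change and should be checked separately.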