import usbguard-1.0.0-4.el8

This commit is contained in:
CentOS Sources 2021-10-01 10:24:22 +00:00 committed by Stepan
parent 8c11e8e96c
commit e6d05e6e87
5 changed files with 346 additions and 6 deletions


@ -0,0 +1,11 @@
diff --color -ru a/usbguard.service.in b/usbguard.service.in
--- a/usbguard.service.in 2021-09-07 16:33:49.911540537 +0200
+++ b/usbguard.service.in 2021-09-07 16:37:20.788885123 +0200
@@ -8,7 +8,6 @@
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
DevicePolicy=closed
ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
-IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
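Review bot: The new patch file drops `IPAddressDeny=any` from the daemon unit with no header text explaining why the directive has to go, so a future rebase will have nothing to tell the maintainer whether the removal is still needed. Patch files accept free text before the first `diff` line; I would add `Drop IPAddressDeny=any from usbguard.service: <one-line reason> (rhbz#1929364)`, the bug id being the one the changelog pairs with this removal. The other sandboxing lines (`DevicePolicy=closed`, `MemoryDenyWriteExecute=yes`, `NoNewPrivileges=yes`) stay, so this narrows rather than removes the sandbox, but if the daemon needs no IP sockets at all a `RestrictAddressFamilies=` line listing only the families it actually uses would keep equivalent protection; whether it needs any is not visible here and should be confirmed before adding one.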


@ -0,0 +1,20 @@
diff --color -ru a/src/Library/IPCServerPrivate.cpp b/src/Library/IPCServerPrivate.cpp
--- a/src/Library/IPCServerPrivate.cpp 2020-11-23 15:56:12.979847655 +0100
+++ b/src/Library/IPCServerPrivate.cpp 2021-09-15 10:02:51.641082533 +0200
@@ -567,10 +567,12 @@
bool IPCServerPrivate::authenticateIPCConnectionDAC(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const
{
USBGUARD_LOG(Trace) << "uid=" << uid << " gid=" << gid << " ac_ptr=" << ac_ptr;
- return \
- matchACLByUID(uid, ac_ptr) || \
- matchACLByGID(gid, ac_ptr) || \
- matchACLByName(uid, gid, ac_ptr);
+
+ bool matched_uid = matchACLByUID(uid, ac_ptr);
+ bool matched_gid = matchACLByGID(gid, ac_ptr);
+ bool matched_name = matchACLByName(uid, gid, ac_ptr);
+
+ return matched_uid || matched_gid || matched_name;
}
bool IPCServerPrivate::matchACLByUID(uid_t uid, IPCServer::AccessControl* const ac_ptr) const
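Review bot: The rewrite into three unconditional calls is a semantic change, not a restyle, and nothing in the hunk says why: under the old short-circuit `||`, `matchACLByGID` and `matchACLByName` were never reached once an earlier matcher returned true, so the new form only matters if those functions have a side effect on `*ac_ptr` (presumably merging the matching ACL entry into it, which is what the changelog's "IPC access control files override" fix suggests, but that has to be confirmed against the matchers, which lie outside this hunk). A comment above the three calls would stop the next reader from "optimising" it back: `// Evaluate all three matchers unconditionally: each merges its ACL into *ac_ptr, so short-circuiting would silently drop privileges granted by a later match.` The three locals could also be `const bool`, since they are never reassigned.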


@ -0,0 +1,182 @@
diff --color -ru a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 b/usbguard-notifier-0.0.6/man/usbguard-notifier.1
--- a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-09-24 13:08:23.304639109 +0200
+++ b/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-09-24 13:16:14.177186425 +0200
@@ -39,7 +39,12 @@
.PP
\fB\-w, \-\-wait\fR
.RS 4
-Wait until an active IPC connection is estabilished\&.
+Wait until an active IPC connection is estabilished\&. ie\&. infinite number of attempts\&.
+.RE
+.PP
+\fB\-n, \-\-num\-attempts\fR \fInum\fR
+.RS 4
+Number of IPC connection attempts. Window between each attempt is 1 second\&. The default number of attempts is 3\&.
.RE
.PP
\fB\-d, \-\-debug\fR
@@ -51,6 +56,64 @@
.RS 4
Show help\&.
.RE
+.SH "HOW TO START"
+.sp
+In order to make usbguard\-notifier work properly, you will need to perform certain actions:
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 1.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP " 1." 4.2
+.\}
+Each user who wants to run usbguard\-notifier service needs to have sufficient IPC privileges to connect to the usbguard IPC interface\&. To allow a specific user to listen to the device signals you can use the following command:
+
+
+\fB$ sudo usbguard add\-user\fR
+\fIUSER\fR
+\fB\-d listen\fR
+
+Or you can allow a group of users:
+
+
+\fB$ sudo usbguard add\-user \-g\fR
+\fIGROUP\fR
+\fB\-d listen\fR
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 2.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP " 2." 4.2
+.\}
+Now, you need a running usbguard\-daemon instance to connect to\&. Start the usbguard service or restart it if it is already running\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 3.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP " 3." 4.2
+.\}
+After configuring IPC privileges and starting up the usbguard\-daemon, the user can now start the usbguard\-notifier service:
+
+
+\fB$ systemctl start \-\-user usbguard\-notifier\&.service\fR
+
+Optionally, the user can enable the usbguard\-notifier service to start automatically after the login:
+
+
+\fB$ systemctl enable \-\-user usbguard\-notifier\&.service\fR
+.RE
+.sp
+The usbguard\-notifier should now be running\&. Anytime a USB device gets inserted/ejected or allowed/blocked a message will pop up in the user\(cqs graphical interface\&.
.SH "SEE ALSO"
.sp
usbguard(1)
diff --color -ru a/usbguard-notifier-0.0.6/src/Main.cpp b/usbguard-notifier-0.0.6/src/Main.cpp
--- a/usbguard-notifier-0.0.6/src/Main.cpp 2020-03-04 08:59:49.138771474 +0100
+++ b/usbguard-notifier-0.0.6/src/Main.cpp 2021-09-24 13:07:41.322966320 +0200
@@ -20,6 +20,7 @@
#include "Log.hpp"
#include "Notifier.hpp"
+#include <cstdlib>
#include <getopt.h>
#include <iostream>
#include <libgen.h>
@@ -27,10 +28,11 @@
#include <usbguard/Exception.hpp>
-static const char* short_options = "wdh";
+static const char* short_options = "wn:dh";
static const struct ::option long_options[] = {
{ "wait", no_argument, nullptr, 'w' },
+ { "num-attempts", required_argument, nullptr, 'n' },
{ "debug", no_argument, nullptr, 'd' },
{ "help", no_argument, nullptr, 'h' }
};
@@ -40,22 +42,26 @@
out << "Usage: " << app_name << " [OPTIONS]" << std::endl;
out << std::endl;
out << "Options:" << std::endl;
- out << " -w, --wait Wait until an active IPC connection is estabilished." << std::endl;
- out << " -d, --debug Enable debug mode." << std::endl;
- out << " -h, --help Show this usage message." << std::endl;
+ out << " -w, --wait Wait until an active IPC connection is estabilished." << std::endl;
+ out << " -n, --num-attempts <num> Number of IPC connection attempts." << std::endl;
+ out << " -d, --debug Enable debug mode." << std::endl;
+ out << " -h, --help Show this usage message." << std::endl;
}
int main(int argc, char** argv)
{
const std::string app_name(::basename(*argv));
bool wait_connection = false, debug = false;
- int opt;
+ int opt, num_attempts = 3;
while ((opt = getopt_long(argc, argv, short_options, long_options, nullptr)) != -1) {
switch (opt) {
case 'w':
wait_connection = true;
break;
+ case 'n':
+ num_attempts = std::atoi(optarg);
+ break;
case 'd':
debug = true;
break;
@@ -71,23 +77,26 @@
}
NOTIFIER_LOGGER.setDebugMode(debug);
- for (;;) {
+ bool print_err = true;
+ for (int i = 0; wait_connection || i < num_attempts; ++i) {
try {
usbguardNotifier::Notifier notifier(app_name);
notifier.connect();
std::cout << "Connection has been established" << std::endl;
+ print_err = true;
+ i = 0;
notifier.wait();
} catch (const std::runtime_error& e) {
std::cerr << "Error:" << e.what() << std::endl;
return EXIT_FAILURE;
} catch (const usbguard::Exception& e) {
- std::cerr << "IPC connection failure!" << e.message() << std::endl;
- std::cerr << "Check if usbguard-daemon is running in the background" << std::endl;
- if (!wait_connection) {
- break;
+ if (print_err) {
+ print_err = false;
+ std::cerr << "IPC connection failure!" << e.message() << std::endl;
+ std::cerr << "Check if usbguard-daemon is running in the background" << std::endl;
}
- sleep(1);
}
+ sleep(1);
}
return EXIT_SUCCESS;
}
diff --color -ru a/usbguard-notifier-0.0.6/usbguard-notifier.service.in b/usbguard-notifier-0.0.6/usbguard-notifier.service.in
--- a/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2020-03-04 09:00:32.019254871 +0100
+++ b/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2021-09-24 13:07:41.322966320 +0200
@@ -3,7 +3,7 @@
After=usbguard.service
[Service]
-ExecStart=%bindir%/usbguard-notifier -w
+ExecStart=%bindir%/usbguard-notifier
[Install]
WantedBy=default.target
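Review bot: In Main.cpp, `num_attempts = std::atoi(optarg)` accepts anything: a non-numeric value or `0` becomes zero attempts, and a negative value also yields zero, so without `-w` the loop body never runs and the program exits with `EXIT_SUCCESS` having connected to nothing, which a user service manager will record as a clean exit. The option should be parsed with `std::strtol` and rejected unless it is a positive integer in `int` range (this needs `<climits>` for `INT_MAX`); `main` spans both hunks of this file, so the exhausted-attempts `return EXIT_SUCCESS;` at the end is also worth revisiting, since running out of attempts without ever connecting reads as a failure. Separately, the man page text and both `--wait` usage strings carry the misspelling "estabilished", and the man page's "ie\&." should be "i\&.e\&.".
```cpp
case 'n': {
    char* end = nullptr;
    const long parsed = std::strtol(optarg, &end, 10);
    // Reject empty, non-numeric, trailing-garbage, zero/negative and out-of-range values.
    if (end == optarg || *end != '\0' || parsed < 1 || parsed > INT_MAX) {
        std::cerr << "Error: --num-attempts expects a positive integer" << std::endl;
        return EXIT_FAILURE;
    }
    num_attempts = static_cast<int>(parsed);
    break;
}
// … unchanged: remaining option cases and the connection loop …
```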


@ -0,0 +1,105 @@
diff --color -ru a/doc/man/usbguard.1.adoc b/doc/man/usbguard.1.adoc
--- a/doc/man/usbguard.1.adoc 2021-09-20 09:08:55.134538747 +0200
+++ b/doc/man/usbguard.1.adoc 2021-09-20 16:46:48.266557561 +0200
@@ -282,6 +282,7 @@
....
Consult the usbguard-daemon.conf(5) man-page for a detailed list of available privileges in each section.
+You can also use 'ALL' instead of 'privileges' to automatically assign all relevant privileges to a given section.
=== *remove-user* 'name' ['OPTIONS']
diff --color -ru a/doc/man/usbguard-daemon.conf.5.adoc b/doc/man/usbguard-daemon.conf.5.adoc
--- a/doc/man/usbguard-daemon.conf.5.adoc 2021-09-20 09:08:55.135538763 +0200
+++ b/doc/man/usbguard-daemon.conf.5.adoc 2021-09-20 13:20:09.788855176 +0200
@@ -162,6 +162,8 @@
** list: Get values of run-time parameters.
+ ** listen: Listen to property parameter changes.
+
The following is a generally usable and reasonably safe example of an access control file.
It allows one to modify USB device authorization state (`Devices=modify`), list USB devices (`Devices=list`), listen to USB device related events (`Devices=listen`), list USB authorization policy rules (`Policy=list`) and listen to exception events (`Exceptions=listen`):
diff --color -ru a/src/Library/public/usbguard/IPCServer.cpp b/src/Library/public/usbguard/IPCServer.cpp
--- a/src/Library/public/usbguard/IPCServer.cpp 2021-09-20 09:08:55.206539917 +0200
+++ b/src/Library/public/usbguard/IPCServer.cpp 2021-09-22 10:38:28.703655497 +0200
@@ -159,18 +159,25 @@
throw USBGUARD_BUG("Cannot set privileges for NONE section");
}
+ const uint8_t p = static_cast<uint8_t>(privilege);
+
if (section == Section::ALL) {
- for (const auto& value : {
+ for (const auto& s : {
Section::POLICY,
Section::PARAMETERS,
Section::EXCEPTIONS,
Section::DEVICES
}) {
- _access_control[value] |= static_cast<uint8_t>(privilege);
+ _access_control[s] |= p & ~ac_mask(s);
}
}
else {
- _access_control[section] |= static_cast<uint8_t>(privilege);
+ if (privilege != Privilege::ALL && (p & ac_mask(section))) {
+ throw std::runtime_error("Invalid privilege " +
+ privilegeToString(privilege) + " for section " +
+ sectionToString(section));
+ }
+ _access_control[section] |= p & ~ac_mask(section);
}
}
@@ -254,6 +261,28 @@
merge(access_control);
}
+ uint8_t IPCServer::AccessControl::ac_mask(IPCServer::AccessControl::Section section) const
+ {
+ const uint8_t MODIFY = static_cast<uint8_t>(Privilege::MODIFY);
+ const uint8_t LIST = static_cast<uint8_t>(Privilege::LIST);
+ const uint8_t LISTEN = static_cast<uint8_t>(Privilege::LISTEN);
+
+ switch (section) {
+ case Section::DEVICES:
+ return ~(MODIFY | LIST | LISTEN);
+ case Section::POLICY:
+ return ~(MODIFY | LIST);
+ case Section::EXCEPTIONS:
+ return ~(LISTEN);
+ case Section::PARAMETERS:
+ return ~(MODIFY | LIST | LISTEN);
+ case Section::ALL:
+ case Section::NONE:
+ default:
+ return 0xff;
+ }
+ }
+
IPCServer::IPCServer()
: d_pointer(usbguard::make_unique<IPCServerPrivate>(*this))
{
diff --color -ru a/src/Library/public/usbguard/IPCServer.hpp b/src/Library/public/usbguard/IPCServer.hpp
--- a/src/Library/public/usbguard/IPCServer.hpp 2021-09-20 09:08:55.200539819 +0200
+++ b/src/Library/public/usbguard/IPCServer.hpp 2021-09-20 13:11:31.476803776 +0200
@@ -278,6 +278,17 @@
};
/**
+ * @brief Get a privilege mask for given section
+ *
+ * For example, if the section is POLICY that has privileges MODIFY
+ * and LIST, the mask would be ~(MODIFY | LIST)
+ *
+ * @param section Section for which the privilege mask should be returned
+ * @return Privilege mask for section
+ */
+ uint8_t ac_mask(Section section) const;
+
+ /**
* @brief Access control represented by unordered map of
* tuples (Section, 8b privileges).
*
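Review bot: The header comment for `ac_mask` describes the value as a "privilege mask", but the body returns the complement of the valid bits, i.e. the set of privilege bits that are NOT allowed for the section, with `0xff` (nothing allowed) for `ALL`, `NONE` and unknown values; callers have to read the `.cpp` to learn that, since `p & ac_mask(section)` means "invalid bit present". I would make the Doxygen say it outright: `@return Bitmask of the privilege bits that are invalid for section (all bits set for ALL, NONE or an unrecognised section)`, and the `.cpp` would benefit from a one-line comment at the `Section::ALL` branch noting that it silently drops inapplicable bits where the single-section branch throws. `ac_mask` reads no member state, so it could be `static` in the header, and each `return ~(...)` narrows the promoted `int` back to `uint8_t` implicitly; wrapping those in `static_cast<uint8_t>(...)` keeps `-Wconversion` builds quiet.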


@ -8,7 +8,7 @@
Name: usbguard
Version: 1.0.0
Release: 2%{?dist}
Release: 4%{?dist}
Summary: A tool for implementing USB device usage policy
Group: System Environment/Daemons
License: GPLv2+
@ -26,7 +26,8 @@ Requires(preun): systemd
Requires(postun): systemd
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
Recommends: %{name}-selinux
Recommends: (%{name}-selinux if selinux-policy-%{selinuxtype})
Conflicts: %{name}
BuildRequires: gcc-c++
BuildRequires: libqb-devel
@ -55,6 +56,10 @@ Patch3: usbguard-selinux-list-dir.patch
Patch4: usbguard-selinux-cpuinfo.patch
Patch5: usbguard-audit-capability.patch
Patch6: usbguard-selinux-audit-capability.patch
Patch7: usbguard-ipaddressdeny.patch
Patch8: usbguard-ipc-override-fix.patch
Patch9: usbguard-validate-acl.patch
Patch10: usbguard-notifier-decrease-spam.patch
%description
The USBGuard software framework helps to protect your computer against rogue USB
@ -95,8 +100,8 @@ a D-Bus interface to the USBGuard daemon component.
%package selinux
Summary: USBGuard selinux
Group: Applications/System
Requires: %{name} = %{version}-%{release}
BuildRequires: selinux-policy
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
BuildArch: noarch
%{?selinux_requires}
@ -137,6 +142,10 @@ rm -rf src/ThirdParty/{Catch,PEGTL}
%patch4 -p1 -b .cpuinfo
%patch5 -p1 -b .audit-capability
%patch6 -p1 -b .selinux-audit-capability
%patch7 -p1 -b .ipaddressdeny
%patch8 -p1 -b .ipc-override-fix
%patch9 -p1 -b .validate-acl
%patch10 -p1 -b .notifier-decrease-spam
%build
mkdir -p ./m4
@ -200,7 +209,7 @@ install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_
# notifier
pushd %{name}-notifier-%{notifier_version}
make install INSTALL='install -p' DESTDIR=%{buildroot}
#execstack -c %{buildroot}%{_bindir}/%{name}-notifier
execstack -c %{buildroot}%{_bindir}/%{name}-notifier
popd
# Cleanup
@ -291,7 +300,7 @@ fi
%{_userunitdir}/%{name}-notifier.service
%post notifier
%systemd_user_post %{name}-notifier.service
%systemd_user_post \--preset-mode=disable-only %{name}-notifier.service
%preun notifier
%systemd_user_preun %{name}-notifier.service
@ -301,6 +310,19 @@ fi
%changelog
* Fri Sep 17 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-4
- add execstack to spec
- remove IPAddressDeny from usbguard service
Resolves: rhbz#1929364
- fix file conflict when installing usbguard on rhel
Resolves: rhbz#1963271
- fix IPC access control files override
Resolves: rhbz#2004511
- validate ACL permission existence
Resolves: rhbz#2005020
- decrease usbguard-notifier spam when denied connection
Resolves: rhbz#2000000
* Wed Mar 17 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-2
- Add CAP_AUDIT_WRITE capability to service file
Resolves: rhbz#1940060
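Review bot: Uncommenting `execstack -c` on the notifier binary clears the executable-stack flag after the fact rather than fixing whatever makes the link request it (commonly an object without a `.note.GNU-stack` section, though that is not visible here), and the spec gives no rationale, so the line reads like an accidental leftover being re-enabled. I would put a comment above it, e.g. `# The notifier binary is linked with an executable stack; clear the PT_GNU_STACK flag until the cause is fixed upstream (see changelog 1.0.0-4)`, and check that the package providing `execstack` is in `BuildRequires` since the shown hunks do not include one. The `%systemd_user_post \--preset-mode=disable-only` change and the conditional `Recommends` look fine, but the changelog entry "add execstack to spec" is the only one without a `Resolves:` line; if a bug drove it, name it.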