RHEL 9.2.0 ERRATUM

- Set OOMScoreAdjust to -1000 in service file
Resolves: rhbz#2097419
- Fix race condition in usbguard-daemon when forking
Resolves: rhbz#2042345
- Add missing files to documentation
Resolves: rhbz#2122107
- Neither RuleFolder nor RuleFile exists bugfix
Resolves: rhbz#2122109
- Remove build for i686 arch
Resolves: rhbz#2126622

usbguard-OOMScoreAdjust.patch

@@ -0,0 +1,11 @@
+diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
+--- usbguard-1.0.0/usbguard.service.in.orig	2022-11-28 10:21:35.889977314 +0100
++++ usbguard-1.0.0/usbguard.service.in	2022-11-28 10:21:52.711987716 +0100
+@@ -4,6 +4,7 @@ Wants=systemd-udevd.service local-fs.tar
+ Documentation=man:usbguard-daemon(8)
+ 
+ [Service]
++OOMScoreAdjust=-1000
+ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed

usbguard-consistent-rules.patch

@@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp
+--- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig	2022-11-28 10:35:44.052560664 +0100
++++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp	2022-11-28 10:35:55.510568939 +0100
+@@ -76,7 +76,7 @@ namespace usbguard
+       }
+ 
+       if (ruleSet.empty()){
+-        USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible.";
++        USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible.";
+         ruleSet = generateDefaultRuleSet();
+       }
+ 

usbguard-daemon-race-condition.patch

@@ -0,0 +1,19 @@
+diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp
+--- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig	2022-11-28 10:25:01.044104150 +0100
++++ usbguard-1.0.0/src/Daemon/Daemon.cpp	2022-11-28 10:25:34.736124980 +0100
+@@ -40,6 +40,7 @@
+ #include <sys/types.h>
+ #include <sys/poll.h>
+ #include <unistd.h>
++#include <sys/wait.h>
+ #include <signal.h>
+ #include <string.h>
+ #include <sys/stat.h>
+@@ -606,6 +607,7 @@ namespace usbguard
+         const int signum = sigtimedwait(&mask, &info, &timeout);
+ 
+         if (signum == SIGUSR1 && info.si_signo == SIGUSR1 && info.si_pid == pid) {
++          waitpid(pid, nullptr, 0);
+           USBGUARD_LOG(Trace) << "Finished daemonization";
+           exit(EXIT_SUCCESS);
+         }

usbguard-documentation-missing-files.patch

@@ -0,0 +1,111 @@
+diff --git a/Makefile.am b/Makefile.am
+index f4ce03d8..2d1ded8e 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -71,7 +71,10 @@ man_ROFF_FILES=\
+ 	$(man_ADOC_FILES:.adoc=.roff)
+ 
+ EXTRA_DIST+=\
+-	$(man_ADOC_FILES)
++	$(man_ADOC_FILES) \
++	doc/man/example-allow-device.adoc \
++	doc/man/example-initial-policy.adoc \
++	doc/man/footer.adoc
+ 
+ CLEANFILES+=\
+ 	$(man_ROFF_FILES) \
+diff --git a/scripts/docker/build_on_alpine_linux_3_15.Dockerfile b/scripts/docker/build_on_alpine_linux_3_15.Dockerfile
+index a86a18a0..5b20958d 100644
+--- a/scripts/docker/build_on_alpine_linux_3_15.Dockerfile
++++ b/scripts/docker/build_on_alpine_linux_3_15.Dockerfile
+@@ -18,6 +18,7 @@ FROM alpine:3.15
+ RUN echo '@edge-testing https://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories \
+         && \
+     apk add --update \
++            asciidoc \
+             autoconf \
+             automake \
+             dbus-glib-dev \
+@@ -34,10 +35,19 @@ RUN echo '@edge-testing https://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /
+             pegtl@edge-testing \
+             pkgconf \
+             polkit-dev \
+-            protobuf-dev
++            protobuf-dev \
++            tar
+ ADD usbguard.tar usbguard/
+ ADD catch.tar usbguard/src/ThirdParty/Catch/
+ WORKDIR usbguard
+ RUN git init &>/dev/null && ./autogen.sh
+ RUN ./configure --with-bundled-catch || ! cat config.log
+-RUN make V=1 "-j$(nproc)"
++RUN make dist
++RUN tar --version
++RUN tar xf usbguard-*.tar.gz
++RUN mv -v usbguard-*.*.*/ usbguard-release/
++RUN mkdir usbguard-release/build/
++WORKDIR usbguard-release/build/
++RUN ../configure --with-bundled-catch || ! cat config.log
++RUN bash -c 'set -o pipefail; make V=1 "-j$(nproc)" |& tee build.log'
++RUN ! grep -F 'include file not found' build.log
+diff --git a/scripts/docker/build_on_centos_8_2.Dockerfile b/scripts/docker/build_on_centos_8_2.Dockerfile
+index a9947c56..fea933dd 100644
+--- a/scripts/docker/build_on_centos_8_2.Dockerfile
++++ b/scripts/docker/build_on_centos_8_2.Dockerfile
+@@ -27,6 +27,7 @@ RUN sed \
+     dnf config-manager --set-enabled PowerTools \
+         && \
+     dnf install -y \
++            asciidoc \
+             autoconf \
+             automake \
+             dbus-glib-devel \
+@@ -49,4 +50,11 @@ ADD pegtl.tar usbguard/src/ThirdParty/PEGTL/
+ WORKDIR usbguard
+ RUN git init &>/dev/null && ./autogen.sh
+ RUN ./configure --with-bundled-catch --with-bundled-pegtl || ! cat config.log
+-RUN make V=1 "-j$(nproc)"
++RUN make dist
++RUN tar xf usbguard-*.tar.gz
++RUN mv -v usbguard-*.*.*/ usbguard-release/
++RUN mkdir usbguard-release/build/
++WORKDIR usbguard-release/build/
++RUN ../configure --with-bundled-catch --with-bundled-pegtl || ! cat config.log
++RUN bash -c 'set -o pipefail; make V=1 "-j$(nproc)" |& tee build.log'
++RUN ! grep -F 'include file not found' build.log
+diff --git a/scripts/docker/build_on_debian_buster_with_gcc_9_2.Dockerfile b/scripts/docker/build_on_debian_buster_with_gcc_9_2.Dockerfile
+index dc884cc6..802a3f05 100644
+--- a/scripts/docker/build_on_debian_buster_with_gcc_9_2.Dockerfile
++++ b/scripts/docker/build_on_debian_buster_with_gcc_9_2.Dockerfile
+@@ -58,5 +58,12 @@ ADD catch.tar usbguard/src/ThirdParty/Catch/
+ WORKDIR usbguard
+ RUN git init &>/dev/null && ./autogen.sh
+ RUN ./configure --enable-systemd --with-bundled-catch || ! cat config.log
+-RUN make V=1 "-j$(nproc)"
++RUN make dist
++RUN tar xf usbguard-*.tar.gz
++RUN mv -v usbguard-*.*.*/ usbguard-release/
++RUN mkdir usbguard-release/build/
++WORKDIR usbguard-release/build/
++RUN ../configure --enable-systemd --with-bundled-catch || ! cat config.log
++RUN bash -c 'set -o pipefail; make V=1 "-j$(nproc)" |& tee build.log'
++RUN ! grep -F 'include file not found' build.log
+ RUN make V=1 check || { cat src/Tests/test-suite.log ; false ; }
+diff --git a/scripts/docker/build_on_ubuntu_22_04.Dockerfile b/scripts/docker/build_on_ubuntu_22_04.Dockerfile
+index 0303dffe..e9214439 100644
+--- a/scripts/docker/build_on_ubuntu_22_04.Dockerfile
++++ b/scripts/docker/build_on_ubuntu_22_04.Dockerfile
+@@ -50,5 +50,12 @@ ADD usbguard.tar usbguard/
+ WORKDIR usbguard
+ RUN git init &>/dev/null && ./autogen.sh
+ RUN ./configure --enable-systemd || ! cat config.log
+-RUN make V=1 "-j$(nproc)"
++RUN make dist
++RUN tar xf usbguard-*.tar.gz
++RUN mv -v usbguard-*.*.*/ usbguard-release/
++RUN mkdir usbguard-release/build/
++WORKDIR usbguard-release/build/
++RUN ../configure --enable-systemd || ! cat config.log
++RUN bash -c 'set -o pipefail; make V=1 "-j$(nproc)" |& tee build.log'
++RUN ! grep -F 'include file not found' build.log
+ RUN make V=1 check || { cat src/Tests/test-suite.log ; false ; }

usbguard-missing-doc.patch

@@ -0,0 +1,43 @@
+diff -up usbguard-1.0.0/doc/man/example-allow-device.adoc.orig usbguard-1.0.0/doc/man/example-allow-device.adoc
+--- usbguard-1.0.0/doc/man/example-allow-device.adoc.orig	2022-11-28 12:00:26.695561514 +0100
++++ usbguard-1.0.0/doc/man/example-allow-device.adoc	2022-11-28 11:57:01.120457773 +0100
+@@ -0,0 +1,6 @@
++....
++    # Allow a device by ID(it is the very first number from the list-devices command output)
++    $ sudo usbguard allow-device 10
++    # Allow all devices named "Dell Wired Multimedia Keyboard"
++    $ sudo usbguard allow-device name \"Dell Wired Multimedia Keyboard\"
++....
+diff -up usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig usbguard-1.0.0/doc/man/example-initial-policy.adoc
+--- usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig	2022-11-28 12:00:31.781564080 +0100
++++ usbguard-1.0.0/doc/man/example-initial-policy.adoc	2022-11-28 11:57:25.353470002 +0100
+@@ -0,0 +1,7 @@
++....
++    $ sudo usbguard generate-policy > rules.conf
++    $ vi rules.conf
++    (review/modify the rule set)
++    $ sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
++    $ sudo systemctl restart usbguard
++....
+diff -up usbguard-1.0.0/doc/man/footer.adoc.orig usbguard-1.0.0/doc/man/footer.adoc
+--- usbguard-1.0.0/doc/man/footer.adoc.orig	2022-11-28 11:54:21.495377220 +0100
++++ usbguard-1.0.0/doc/man/footer.adoc	2022-11-28 11:55:51.960422872 +0100
+@@ -0,0 +1,18 @@
++== BUGS
++If you find a bug in this software or if you'd like to request a feature to be implemented, please file a ticket at <https://github.com/USBGuard/usbguard/issues/new>.
++
++
++== AUTHOR
++USBGuard was originally written by Daniel Kopeček.
++Many people have contributed to it.
++
++
++== RESOURCES
++Main web site: <https://usbguard.github.io/>
++
++
++== COPYING
++Copyright © 2015-{docyear} Red Hat, Inc. +
++License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl.html. +
++This is free software: you are free to change and redistribute it.
++There is NO WARRANTY, to the extent permitted by law.

usbguard.spec

@@ -8,7 +8,7 @@
 
 Name:           usbguard
 Version:        1.0.0
-Release:        11%{?dist}
+Release:        12%{?dist}
 Summary:        A tool for implementing USB device usage policy
 Group:          System Environment/Daemons
 License:        GPLv2+
@@ -19,6 +19,7 @@ Source0:        https://github.com/USBGuard/usbguard/releases/download/%{name}-%
 Source1:        https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
 Source2:        https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz
 Source3:        usbguard-daemon.conf
+ExcludeArch: i686
 
 Requires: systemd
 Requires(post): systemd
@@ -27,7 +28,6 @@ Requires(postun): systemd
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
 Recommends: (%{name}-selinux if selinux-policy-%{selinuxtype})
-Conflicts:  %{name}
 
 BuildRequires: gcc-c++
 BuildRequires: libqb-devel
@@ -60,6 +60,10 @@ Patch7: usbguard-notifier-decrease-spam.patch
 Patch8: usbguard-dbus-CVE.patch
 Patch9: usbguard-selinux-dbus-CVE.patch
 Patch10: usbguard-dbus-CVE-leak.patch
+Patch11: usbguard-OOMScoreAdjust.patch
+Patch12: usbguard-daemon-race-condition.patch
+Patch13: usbguard-consistent-rules.patch
+Patch14: usbguard-missing-doc.patch
 
 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@@ -146,6 +150,10 @@ rm -rf src/ThirdParty/{Catch,PEGTL}
 %patch8 -p1 -b .dbus-CVE
 %patch9 -p1 -b .selinux-dbus-CVE
 %patch10 -p1 -b .dbus-CVE-leak
+%patch11 -p1 -b .oomscore-adjust
+%patch12 -p1 -b .race-condition
+%patch13 -p1 -b .consistent-rules
+%patch14 -p1 -b .missing-doc
 
 %build
 mkdir -p ./m4
@@ -310,6 +318,18 @@ fi
 
 
 %changelog
+* Mon Nov 28 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-12
+- Set OOMScoreAdjust to -1000 in service file
+Resolves: rhbz#2097419
+- Fix race condition in usbguard-daemon when forking
+Resolves: rhbz#2042345
+- Add missing files to documentation
+Resolves: rhbz#2122107
+- Neither RuleFolder nor RuleFile exists bugfix
+Resolves: rhbz#2122109
+- Remove build for i686 arch
+Resolves: rhbz#2126622
+
 * Tue Aug 16 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-11
 - Fix unauthorized access via D-bus
 - Fix memory leak when connection to dbus is broken