From ee2831e09ea29b5073341dfd7bdb1fb923e4782f Mon Sep 17 00:00:00 2001
From: alakatos
Date: Mon, 28 Nov 2022 10:39:27 +0100
Subject: [PATCH] RHEL 9.2.0 ERRATUM
- Set OOMScoreAdjust to -1000 in service file
Resolves: rhbz#2097419
- Fix race condition in usbguard-daemon when forking
Resolves: rhbz#2042345
- Add missing files to documentation
Resolves: rhbz#2122107
- Neither RuleFolder nor RuleFile exists bugfix
Resolves: rhbz#2122109
- Remove build for i686 arch
Resolves: rhbz#2126622
---
 usbguard-OOMScoreAdjust.patch | 11 ++
 usbguard-consistent-rules.patch | 12 +++
 usbguard-daemon-race-condition.patch | 19 ++++
 usbguard-documentation-missing-files.patch | 111 +++++++++++++++++++++
 usbguard-missing-doc.patch | 43 ++++++++
 usbguard.spec | 24 ++++-
 6 files changed, 218 insertions(+), 2 deletions(-)
 create mode 100644 usbguard-OOMScoreAdjust.patch
 create mode 100644 usbguard-consistent-rules.patch
 create mode 100644 usbguard-daemon-race-condition.patch
 create mode 100644 usbguard-documentation-missing-files.patch
 create mode 100644 usbguard-missing-doc.patch
diff --git a/usbguard-OOMScoreAdjust.patch b/usbguard-OOMScoreAdjust.patch
new file mode 100644
index 0000000..d101768
--- /dev/null
+++ b/usbguard-OOMScoreAdjust.patch
@@ -0,0 +1,11 @@
+diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
+--- usbguard-1.0.0/usbguard.service.in.orig 2022-11-28 10:21:35.889977314 +0100
++++ usbguard-1.0.0/usbguard.service.in 2022-11-28 10:21:52.711987716 +0100
+@@ -4,6 +4,7 @@ Wants=systemd-udevd.service local-fs.tar
+ Documentation=man:usbguard-daemon(8)
+ 
+ [Service]
++OOMScoreAdjust=-1000
+ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
diff --git a/usbguard-consistent-rules.patch b/usbguard-consistent-rules.patch
new file mode 100644
index 0000000..7420215
--- /dev/null
+++ b/usbguard-consistent-rules.patch
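Review bot: `OOMScoreAdjust=-1000` in the added usbguard.service.in hunk fully exempts usbguard-daemon from the OOM killer rather than merely deprioritising it, and nothing in the patch records why the most extreme value was chosen over a lower one such as -900. A one-line comment above the directive, e.g. `# Keep the daemon out of OOM selection so USB policy enforcement survives memory pressure (rhbz#2097419)`, would give the next maintainer the rationale; the bug id currently appears only in the commit message. The wording of that comment should be checked against the actual reasoning in the bug.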
@@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp
+--- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig 2022-11-28 10:35:44.052560664 +0100
++++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp 2022-11-28 10:35:55.510568939 +0100
+@@ -76,7 +76,7 @@ namespace usbguard
+ }
+ 
+ if (ruleSet.empty()){
+- USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible.";
++ USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible.";
+ ruleSet = generateDefaultRuleSet();
+ }
+ 
diff --git a/usbguard-daemon-race-condition.patch b/usbguard-daemon-race-condition.patch
new file mode 100644
index 0000000..40e5645
--- /dev/null
+++ b/usbguard-daemon-race-condition.patch
@@ -0,0 +1,19 @@
+diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp
+--- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig 2022-11-28 10:25:01.044104150 +0100
++++ usbguard-1.0.0/src/Daemon/Daemon.cpp 2022-11-28 10:25:34.736124980 +0100
+@@ -40,6 +40,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -606,6 +607,7 @@ namespace usbguard
+ const int signum = sigtimedwait(&mask, &info, &timeout);
+ 
+ if (signum == SIGUSR1 && info.si_signo == SIGUSR1 && info.si_pid == pid) {
++ waitpid(pid, nullptr, 0);
+ USBGUARD_LOG(Trace) << "Finished daemonization";
+ exit(EXIT_SUCCESS);
+ }
diff --git a/usbguard-documentation-missing-files.patch b/usbguard-documentation-missing-files.patch
new file mode 100644
index 0000000..84b84a3
--- /dev/null
+++ b/usbguard-documentation-missing-files.patch
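Review bot: The new warning text `Neither RuleFile nor RuleFolder are set` is ungrammatical; "neither … nor" with two singular subjects takes a singular verb, so the line should read `USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder is set; Modification of the permanent policy won't be possible.";`. The message is what an administrator sees in the journal when the daemon silently falls back to `generateDefaultRuleSet()`, so it is worth getting right in the same erratum. The enclosing function in RuleSetFactory.cpp starts before and ends after this hunk.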
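Review bot: The added `waitpid(pid, nullptr, 0);` discards its return value, so if the call is interrupted by a signal it returns -1 with EINTR and the parent proceeds to `exit(EXIT_SUCCESS)` without the child having been reaped, which reopens the very race this patch is meant to close. Retrying keeps the fix one line: `while (waitpid(pid, nullptr, 0) < 0 && errno == EINTR) {}` (with `<cerrno>` in scope); any other failure can still fall through to the exit as now. Separately, the `#include` line added in the first hunk carries no header name as rendered here, presumably `<sys/wait.h>` lost to the page's markup, so the on-disk patch file should be checked for that. The enclosing function in Daemon.cpp starts before and ends after the second hunk.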
@@ -0,0 +1,111 @@
+diff --git a/Makefile.am b/Makefile.am
+index f4ce03d8..2d1ded8e 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -71,7 +71,10 @@ man_ROFF_FILES=\
+ $(man_ADOC_FILES:.adoc=.roff)
+ 
+ EXTRA_DIST+=\
+- $(man_ADOC_FILES)
++ $(man_ADOC_FILES) \
++ doc/man/example-allow-device.adoc \
++ doc/man/example-initial-policy.adoc \
++ doc/man/footer.adoc
+ 
+ CLEANFILES+=\
+ $(man_ROFF_FILES) \
+diff --git a/scripts/docker/build_on_alpine_linux_3_15.Dockerfile b/scripts/docker/build_on_alpine_linux_3_15.Dockerfile
+index a86a18a0..5b20958d 100644
+--- a/scripts/docker/build_on_alpine_linux_3_15.Dockerfile
++++ b/scripts/docker/build_on_alpine_linux_3_15.Dockerfile
+@@ -18,6 +18,7 @@ FROM alpine:3.15
+ RUN echo '@edge-testing https://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories \
+ && \
+ apk add --update \
++ asciidoc \
+ autoconf \
+ automake \
+ dbus-glib-dev \
+@@ -34,10 +35,19 @@ RUN echo '@edge-testing https://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /
+ pegtl@edge-testing \
+ pkgconf \
+ polkit-dev \
+- protobuf-dev
++ protobuf-dev \
++ tar
+ ADD usbguard.tar usbguard/
+ ADD catch.tar usbguard/src/ThirdParty/Catch/
+ WORKDIR usbguard
+ RUN git init &>/dev/null && ./autogen.sh
+ RUN ./configure --with-bundled-catch || ! cat config.log
+-RUN make V=1 "-j$(nproc)"
++RUN make dist
++RUN tar --version
++RUN tar xf usbguard-*.tar.gz
++RUN mv -v usbguard-*.*.*/ usbguard-release/
++RUN mkdir usbguard-release/build/
++WORKDIR usbguard-release/build/
++RUN ../configure --with-bundled-catch || ! cat config.log
++RUN bash -c 'set -o pipefail; make V=1 "-j$(nproc)" |& tee build.log'
++RUN ! grep -F 'include file not found' build.log
+diff --git a/scripts/docker/build_on_centos_8_2.Dockerfile b/scripts/docker/build_on_centos_8_2.Dockerfile
+index a9947c56..fea933dd 100644
+--- a/scripts/docker/build_on_centos_8_2.Dockerfile
++++ b/scripts/docker/build_on_centos_8_2.Dockerfile
+@@ -27,6 +27,7 @@ RUN sed \
+ dnf config-manager --set-enabled PowerTools \
+ && \
+ dnf install -y \
++ asciidoc \
+ autoconf \
+ automake \
+ dbus-glib-devel \
+@@ -49,4 +50,11 @@ ADD pegtl.tar usbguard/src/ThirdParty/PEGTL/
+ WORKDIR usbguard
+ RUN git init &>/dev/null && ./autogen.sh
+ RUN ./configure --with-bundled-catch --with-bundled-pegtl || ! cat config.log
+-RUN make V=1 "-j$(nproc)"
++RUN make dist
++RUN tar xf usbguard-*.tar.gz
++RUN mv -v usbguard-*.*.*/ usbguard-release/
++RUN mkdir usbguard-release/build/
++WORKDIR usbguard-release/build/
++RUN ../configure --with-bundled-catch --with-bundled-pegtl || ! cat config.log
++RUN bash -c 'set -o pipefail; make V=1 "-j$(nproc)" |& tee build.log'
++RUN ! grep -F 'include file not found' build.log
+diff --git a/scripts/docker/build_on_debian_buster_with_gcc_9_2.Dockerfile b/scripts/docker/build_on_debian_buster_with_gcc_9_2.Dockerfile
+index dc884cc6..802a3f05 100644
+--- a/scripts/docker/build_on_debian_buster_with_gcc_9_2.Dockerfile
++++ b/scripts/docker/build_on_debian_buster_with_gcc_9_2.Dockerfile
+@@ -58,5 +58,12 @@ ADD catch.tar usbguard/src/ThirdParty/Catch/
+ WORKDIR usbguard
+ RUN git init &>/dev/null && ./autogen.sh
+ RUN ./configure --enable-systemd --with-bundled-catch || ! cat config.log
+-RUN make V=1 "-j$(nproc)"
++RUN make dist
++RUN tar xf usbguard-*.tar.gz
++RUN mv -v usbguard-*.*.*/ usbguard-release/
++RUN mkdir usbguard-release/build/
++WORKDIR usbguard-release/build/
++RUN ../configure --enable-systemd --with-bundled-catch || ! cat config.log
++RUN bash -c 'set -o pipefail; make V=1 "-j$(nproc)" |& tee build.log'
++RUN ! grep -F 'include file not found' build.log
+ RUN make V=1 check || { cat src/Tests/test-suite.log ; false ; }
+diff --git a/scripts/docker/build_on_ubuntu_22_04.Dockerfile b/scripts/docker/build_on_ubuntu_22_04.Dockerfile
+index 0303dffe..e9214439 100644
+--- a/scripts/docker/build_on_ubuntu_22_04.Dockerfile
++++ b/scripts/docker/build_on_ubuntu_22_04.Dockerfile
+@@ -50,5 +50,12 @@ ADD usbguard.tar usbguard/
+ WORKDIR usbguard
+ RUN git init &>/dev/null && ./autogen.sh
+ RUN ./configure --enable-systemd || ! cat config.log
+-RUN make V=1 "-j$(nproc)"
++RUN make dist
++RUN tar xf usbguard-*.tar.gz
++RUN mv -v usbguard-*.*.*/ usbguard-release/
++RUN mkdir usbguard-release/build/
++WORKDIR usbguard-release/build/
++RUN ../configure --enable-systemd || ! cat config.log
++RUN bash -c 'set -o pipefail; make V=1 "-j$(nproc)" |& tee build.log'
++RUN ! grep -F 'include file not found' build.log
+ RUN make V=1 check || { cat src/Tests/test-suite.log ; false ; }
diff --git a/usbguard-missing-doc.patch b/usbguard-missing-doc.patch
new file mode 100644
index 0000000..138a3cb
--- /dev/null
+++ b/usbguard-missing-doc.patch
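Review bot: `usbguard-documentation-missing-files.patch` is added to the repository but never wired into usbguard.spec: the spec hunks later in this commit declare only `Patch11`–`Patch14` (OOMScoreAdjust, daemon-race-condition, consistent-rules, missing-doc) with matching `%patch` lines, so as committed this file is never applied. Either add `Patch15: usbguard-documentation-missing-files.patch` and `%patch15 -p1 -b .documentation-missing-files` to the spec, or drop the file; note that its Dockerfile hunks are upstream CI changes and its Makefile.am hunk only widens `EXTRA_DIST` for `make dist`, so it is unclear that any of it affects the RPM build at all. If the patch is kept, the `RUN tar --version` line in the alpine Dockerfile hunk looks like a debugging leftover, as none of the other three Dockerfile hunks carry it.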
@@ -0,0 +1,43 @@
+diff -up usbguard-1.0.0/doc/man/example-allow-device.adoc.orig usbguard-1.0.0/doc/man/example-allow-device.adoc
+--- usbguard-1.0.0/doc/man/example-allow-device.adoc.orig 2022-11-28 12:00:26.695561514 +0100
++++ usbguard-1.0.0/doc/man/example-allow-device.adoc 2022-11-28 11:57:01.120457773 +0100
+@@ -0,0 +1,6 @@
++....
++ # Allow a device by ID(it is the very first number from the list-devices command output)
++ $ sudo usbguard allow-device 10
++ # Allow all devices named "Dell Wired Multimedia Keyboard"
++ $ sudo usbguard allow-device name \"Dell Wired Multimedia Keyboard\"
++....
+diff -up usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig usbguard-1.0.0/doc/man/example-initial-policy.adoc
+--- usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig 2022-11-28 12:00:31.781564080 +0100
++++ usbguard-1.0.0/doc/man/example-initial-policy.adoc 2022-11-28 11:57:25.353470002 +0100
+@@ -0,0 +1,7 @@
++....
++ $ sudo usbguard generate-policy > rules.conf
++ $ vi rules.conf
++ (review/modify the rule set)
++ $ sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
++ $ sudo systemctl restart usbguard
++....
+diff -up usbguard-1.0.0/doc/man/footer.adoc.orig usbguard-1.0.0/doc/man/footer.adoc
+--- usbguard-1.0.0/doc/man/footer.adoc.orig 2022-11-28 11:54:21.495377220 +0100
++++ usbguard-1.0.0/doc/man/footer.adoc 2022-11-28 11:55:51.960422872 +0100
+@@ -0,0 +1,18 @@
++== BUGS
++If you find a bug in this software or if you'd like to request a feature to be implemented, please file a ticket at .
++
++
++== AUTHOR
++USBGuard was originally written by Daniel Kopeček.
++Many people have contributed to it.
++
++
++== RESOURCES
++Main web site:
++
++
++== COPYING
++Copyright © 2015-{docyear} Red Hat, Inc. +
++License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl.html. +
++This is free software: you are free to change and redistribute it.
++There is NO WARRANTY, to the extent permitted by law.
diff --git a/usbguard.spec b/usbguard.spec index 20439b4..2d2eba3 100644 --- a/usbguard.spec +++ b/usbguard.spec @@ -8,7 +8,7 @@ Name: usbguard Version: 1.0.0 -Release: 11%{?dist} +Release: 12%{?dist} Summary: A tool for implementing USB device usage policy Group: System Environment/Daemons License: GPLv2+ @@ -19,6 +19,7 @@ Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-% Source1: https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz Source3: usbguard-daemon.conf +ExcludeArch: i686 Requires: systemd Requires(post): systemd @@ -27,7 +28,6 @@ Requires(postun): systemd Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig Recommends: (%{name}-selinux if selinux-policy-%{selinuxtype}) -Conflicts: %{name} BuildRequires: gcc-c++ BuildRequires: libqb-devel @@ -60,6 +60,10 @@ Patch7: usbguard-notifier-decrease-spam.patch Patch8: usbguard-dbus-CVE.patch Patch9: usbguard-selinux-dbus-CVE.patch Patch10: usbguard-dbus-CVE-leak.patch +Patch11: usbguard-OOMScoreAdjust.patch +Patch12: usbguard-daemon-race-condition.patch +Patch13: usbguard-consistent-rules.patch +Patch14: usbguard-missing-doc.patch %description The USBGuard software framework helps to protect your computer against rogue USB @@ -146,6 +150,10 @@ rm -rf src/ThirdParty/{Catch,PEGTL} %patch8 -p1 -b .dbus-CVE %patch9 -p1 -b .selinux-dbus-CVE %patch10 -p1 -b .dbus-CVE-leak +%patch11 -p1 -b .oomscore-adjust +%patch12 -p1 -b .race-condition +%patch13 -p1 -b .consistent-rules +%patch14 -p1 -b .missing-doc %build mkdir -p ./m4 
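Review bot: The removal of `Conflicts: %{name}` in the third spec hunk is a packaging behaviour change that the new %changelog entry does not mention; a package declaring a conflict with its own name is a bug in its own right and deserves a line such as `- Drop self-referencing Conflicts line`. The `ExcludeArch: i686` addition and the four new Patch entries are covered by the changelog, and the `%patch11`–`%patch14` lines apply them in declaration order, which is consistent with the existing entries.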
@@ -310,6 +318,18 @@ fi %changelog +* Mon Nov 28 2022 Attila Lakatos - 1.0.0-12 +- Set OOMScoreAdjust to -1000 in service file +Resolves: rhbz#2097419 +- Fix race condition in usbguard-daemon when forking +Resolves: rhbz#2042345 +- Add missing files to documentation +Resolves: rhbz#2122107 +- Neither RuleFolder nor RuleFile exists bugfix +Resolves: rhbz#2122109 +- Remove build for i686 arch +Resolves: rhbz#2126622 + * Tue Aug 16 2022 Attila Lakatos - 1.0.0-11 - Fix unauthorized access via D-bus - Fix memory leak when connection to dbus is broken