import usbguard-1.0.0-8.el8

SOURCES/usbguard-ipaddressdeny.patch

@@ -0,0 +1,11 @@
+diff --color -ru a/usbguard.service.in b/usbguard.service.in
+--- a/usbguard.service.in	2021-09-07 16:33:49.911540537 +0200
++++ b/usbguard.service.in	2021-09-07 16:37:20.788885123 +0200
+@@ -8,7 +8,6 @@
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+-IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes

SOURCES/usbguard-ipc-override-fix.patch

@@ -0,0 +1,20 @@
+diff --color -ru a/src/Library/IPCServerPrivate.cpp b/src/Library/IPCServerPrivate.cpp
+--- a/src/Library/IPCServerPrivate.cpp	2020-11-23 15:56:12.979847655 +0100
++++ b/src/Library/IPCServerPrivate.cpp	2021-09-15 10:02:51.641082533 +0200
+@@ -567,10 +567,12 @@
+   bool IPCServerPrivate::authenticateIPCConnectionDAC(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const
+   {
+     USBGUARD_LOG(Trace) << "uid=" << uid << " gid=" << gid << " ac_ptr=" << ac_ptr;
+-    return \
+-      matchACLByUID(uid, ac_ptr) || \
+-      matchACLByGID(gid, ac_ptr) || \
+-      matchACLByName(uid, gid, ac_ptr);
++
++    bool matched_uid = matchACLByUID(uid, ac_ptr);
++    bool matched_gid = matchACLByGID(gid, ac_ptr);
++    bool matched_name = matchACLByName(uid, gid, ac_ptr);
++
++    return matched_uid || matched_gid || matched_name;
+   }
+ 
+   bool IPCServerPrivate::matchACLByUID(uid_t uid, IPCServer::AccessControl* const ac_ptr) const

SOURCES/usbguard-notifier-decrease-spam.patch

@@ -0,0 +1,182 @@
+diff --color -ru a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 b/usbguard-notifier-0.0.6/man/usbguard-notifier.1
+--- a/usbguard-notifier-0.0.6/man/usbguard-notifier.1	2021-09-24 13:08:23.304639109 +0200
++++ b/usbguard-notifier-0.0.6/man/usbguard-notifier.1	2021-09-24 13:16:14.177186425 +0200
+@@ -39,7 +39,12 @@
+ .PP
+ \fB\-w, \-\-wait\fR
+ .RS 4
+-Wait until an active IPC connection is estabilished\&.
++Wait until an active IPC connection is estabilished\&. ie\&. infinite number of attempts\&.
++.RE
++.PP
++\fB\-n, \-\-num\-attempts\fR \fInum\fR
++.RS 4
++Number of IPC connection attempts. Window between each attempt is 1 second\&. The default number of attempts is 3\&.
+ .RE
+ .PP
+ \fB\-d, \-\-debug\fR
+@@ -51,6 +56,64 @@
+ .RS 4
+ Show help\&.
+ .RE
++.SH "HOW TO START"
++.sp
++In order to make usbguard\-notifier work properly, you will need to perform certain actions:
++.sp
++.RS 4
++.ie n \{\
++\h'-04' 1.\h'+01'\c
++.\}
++.el \{\
++.sp -1
++.IP "  1." 4.2
++.\}
++Each user who wants to run usbguard\-notifier service needs to have sufficient IPC privileges to connect to the usbguard IPC interface\&. To allow a specific user to listen to the device signals you can use the following command:
++
++
++\fB$ sudo usbguard add\-user\fR
++\fIUSER\fR
++\fB\-d listen\fR
++
++Or you can allow a group of users:
++
++
++\fB$ sudo usbguard add\-user \-g\fR
++\fIGROUP\fR
++\fB\-d listen\fR
++.RE
++.sp
++.RS 4
++.ie n \{\
++\h'-04' 2.\h'+01'\c
++.\}
++.el \{\
++.sp -1
++.IP "  2." 4.2
++.\}
++Now, you need a running usbguard\-daemon instance to connect to\&. Start the usbguard service or restart it if it is already running\&.
++.RE
++.sp
++.RS 4
++.ie n \{\
++\h'-04' 3.\h'+01'\c
++.\}
++.el \{\
++.sp -1
++.IP "  3." 4.2
++.\}
++After configuring IPC privileges and starting up the usbguard\-daemon, the user can now start the usbguard\-notifier service:
++
++
++\fB$ systemctl start \-\-user usbguard\-notifier\&.service\fR
++
++Optionally, the user can enable the usbguard\-notifier service to start automatically after the login:
++
++
++\fB$ systemctl enable \-\-user usbguard\-notifier\&.service\fR
++.RE
++.sp
++The usbguard\-notifier should now be running\&. Anytime a USB device gets inserted/ejected or allowed/blocked a message will pop up in the user\(cqs graphical interface\&.
+ .SH "SEE ALSO"
+ .sp
+ usbguard(1)
+diff --color -ru a/usbguard-notifier-0.0.6/src/Main.cpp b/usbguard-notifier-0.0.6/src/Main.cpp
+--- a/usbguard-notifier-0.0.6/src/Main.cpp	2020-03-04 08:59:49.138771474 +0100
++++ b/usbguard-notifier-0.0.6/src/Main.cpp	2021-09-24 13:07:41.322966320 +0200
+@@ -20,6 +20,7 @@
+ #include "Log.hpp"
+ #include "Notifier.hpp"
+ 
++#include <cstdlib>
+ #include <getopt.h>
+ #include <iostream>
+ #include <libgen.h>
+@@ -27,10 +28,11 @@
+ 
+ #include <usbguard/Exception.hpp>
+ 
+-static const char* short_options = "wdh";
++static const char* short_options = "wn:dh";
+ 
+ static const struct ::option long_options[] = {
+     { "wait",  no_argument, nullptr, 'w' },
++    { "num-attempts", required_argument, nullptr, 'n' },
+     { "debug", no_argument, nullptr, 'd' },
+     { "help",  no_argument, nullptr, 'h' }
+ };
+@@ -40,22 +42,26 @@
+     out << "Usage: " << app_name << " [OPTIONS]" << std::endl;
+     out << std::endl;
+     out << "Options:" << std::endl;
+-    out << "    -w, --wait      Wait until an active IPC connection is estabilished." << std::endl;
+-    out << "    -d, --debug     Enable debug mode." << std::endl;
+-    out << "    -h, --help      Show this usage message." << std::endl;
++    out << "    -w, --wait               Wait until an active IPC connection is estabilished." << std::endl;
++    out << "    -n, --num-attempts <num> Number of IPC connection attempts." << std::endl;
++    out << "    -d, --debug              Enable debug mode." << std::endl;
++    out << "    -h, --help               Show this usage message." << std::endl;
+ }
+ 
+ int main(int argc, char** argv)
+ {
+     const std::string app_name(::basename(*argv));
+     bool wait_connection = false, debug = false;
+-    int opt;
++    int opt, num_attempts = 3;
+ 
+     while ((opt = getopt_long(argc, argv, short_options, long_options, nullptr)) != -1) {
+         switch (opt) {
+         case 'w':
+             wait_connection = true;
+             break;
++        case 'n':
++            num_attempts = std::atoi(optarg);
++            break;
+         case 'd':
+             debug = true;
+             break;
+@@ -71,23 +77,26 @@
+     }
+     NOTIFIER_LOGGER.setDebugMode(debug);
+ 
+-    for (;;) {
++    bool print_err = true;
++    for (int i = 0; wait_connection || i < num_attempts; ++i) {
+         try {
+             usbguardNotifier::Notifier notifier(app_name);
+             notifier.connect();
+             std::cout << "Connection has been established" << std::endl;
++            print_err = true;
++            i = 0;
+             notifier.wait();
+         } catch (const std::runtime_error& e) {
+             std::cerr << "Error:" << e.what() << std::endl;
+             return EXIT_FAILURE;
+         } catch (const usbguard::Exception& e) {
+-            std::cerr << "IPC connection failure!" << e.message() << std::endl;
+-            std::cerr << "Check if usbguard-daemon is running in the background" << std::endl;
+-            if (!wait_connection) {
+-                break;
++            if (print_err) {
++                print_err = false;
++                std::cerr << "IPC connection failure!" << e.message() << std::endl;
++                std::cerr << "Check if usbguard-daemon is running in the background" << std::endl;
+             }
+-            sleep(1);
+         }
++        sleep(1);
+     }
+     return EXIT_SUCCESS;
+ }
+diff --color -ru a/usbguard-notifier-0.0.6/usbguard-notifier.service.in b/usbguard-notifier-0.0.6/usbguard-notifier.service.in
+--- a/usbguard-notifier-0.0.6/usbguard-notifier.service.in	2020-03-04 09:00:32.019254871 +0100
++++ b/usbguard-notifier-0.0.6/usbguard-notifier.service.in	2021-09-24 13:07:41.322966320 +0200
+@@ -3,7 +3,7 @@
+ After=usbguard.service
+ 
+ [Service]
+-ExecStart=%bindir%/usbguard-notifier -w
++ExecStart=%bindir%/usbguard-notifier
+ 
+ [Install]
+ WantedBy=default.target

SOURCES/usbguard-notifier-icon-injection.patch

@@ -0,0 +1,82 @@
+diff --color -ru a/usbguard-notifier-0.0.6/Makefile.am b/usbguard-notifier-0.0.6/Makefile.am
+--- a/usbguard-notifier-0.0.6/Makefile.am	2021-11-18 11:38:43.704876330 +0100
++++ b/usbguard-notifier-0.0.6/Makefile.am	2021-11-18 11:35:39.108500175 +0100
+@@ -35,6 +35,7 @@
+ 	src/ThirdParty/Catch2/single_include/catch2
+ 
+ usbguard_notifier_SOURCES = \
++	src/usbguard-icon.hpp \
+ 	src/Notifier.hpp \
+ 	src/NotifyWrapper.hpp \
+ 	src/Serializer.hpp \
+@@ -43,8 +44,7 @@
+ 	src/Notifier.cpp \
+ 	src/NotifyWrapper.cpp \
+ 	src/Serializer.cpp \
+-	src/Log.cpp \
+-	icons/usbguard-icon.svg
++	src/Log.cpp
+ 
+ usbguard_notifier_LDFLAGS = \
+ 	@rsvg_LIBS@ \
+@@ -65,7 +65,8 @@
+ endif
+ 
+ BUILT_SOURCES = \
+-	src/BuildConfig.h
++	src/BuildConfig.h \
++	src/usbguard-icon.hpp
+ 
+ usbguard_notifier_cli_SOURCES = \
+ 	src/Serializer.hpp \
+@@ -109,8 +110,16 @@
+ #
+ # usbguard icon
+ #
+-.svg.o:
+-	$(LD) -r -b binary -o $@ $<
++EXTRA_DIST += \
++	$(top_builddir)/icons/usbguard-icon.svg
++
++$(top_builddir)/src/usbguard-icon.hpp: $(top_builddir)/icons/usbguard-icon.svg
++	echo -e "#ifndef ICON_HPP\n#define ICON_HPP\nnamespace notify {\nconst char *icon =" > $@
++	$(SED) 's/"/\\"/g' $^ | $(SED) 's/^/"/' | $(SED) 's/$$/\\n"/' >> $@
++	echo -e ";\n}\n#endif" >> $@
++
++CLEANFILES += \
++	$(top_builddir)/src/usbguard-icon.hpp
+ 
+ #
+ # unit file
+diff --color -ru a/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp b/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp
+--- a/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp	2020-03-02 11:55:25.932999263 +0100
++++ b/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp	2021-11-18 11:29:52.825157237 +0100
+@@ -18,14 +18,13 @@
+  */
+ 
+ #include "NotifyWrapper.hpp"
++#include "usbguard-icon.hpp"
+ 
++#include <cstring>
+ #include <stdexcept>
+ 
+ #include <librsvg-2.0/librsvg/rsvg.h>
+ 
+-extern char _binary_icons_usbguard_icon_svg_start[];
+-extern char _binary_icons_usbguard_icon_svg_end[];
+-
+ namespace notify
+ {
+ 
+@@ -54,10 +53,7 @@
+ Notification::Notification(const std::string& summary, const std::string& body)
+     : _n(notify_notification_new(summary.c_str(), body.c_str(), nullptr))
+ {
+-    RsvgHandle* handle = rsvg_handle_new_from_data(
+-            (const guint8*)(_binary_icons_usbguard_icon_svg_start),
+-            _binary_icons_usbguard_icon_svg_end - _binary_icons_usbguard_icon_svg_start,
+-            nullptr);
++    RsvgHandle* handle = rsvg_handle_new_from_data((const guint8*)icon, std::strlen(icon), nullptr);
+     if (!handle) {
+         throw std::runtime_error("Failed to obtain rsvg handle");
+     }

SOURCES/usbguard-validate-acl.patch

@@ -0,0 +1,105 @@
+diff --color -ru a/doc/man/usbguard.1.adoc b/doc/man/usbguard.1.adoc
+--- a/doc/man/usbguard.1.adoc	2021-09-20 09:08:55.134538747 +0200
++++ b/doc/man/usbguard.1.adoc	2021-09-20 16:46:48.266557561 +0200
+@@ -282,6 +282,7 @@
+ ....
+ 
+ Consult the usbguard-daemon.conf(5) man-page for a detailed list of available privileges in each section.
++You can also use 'ALL' instead of 'privileges' to automatically assign all relevant privileges to a given section.
+ 
+ 
+ === *remove-user* 'name' ['OPTIONS']
+diff --color -ru a/doc/man/usbguard-daemon.conf.5.adoc b/doc/man/usbguard-daemon.conf.5.adoc
+--- a/doc/man/usbguard-daemon.conf.5.adoc	2021-09-20 09:08:55.135538763 +0200
++++ b/doc/man/usbguard-daemon.conf.5.adoc	2021-09-20 13:20:09.788855176 +0200
+@@ -162,6 +162,8 @@
+ 
+  ** list: Get values of run-time parameters.
+ 
++ ** listen: Listen to property parameter changes.
++
+ The following is a generally usable and reasonably safe example of an access control file.
+ It allows one to modify USB device authorization state (`Devices=modify`), list USB devices (`Devices=list`), listen to USB device related events (`Devices=listen`), list USB authorization policy rules (`Policy=list`) and listen to exception events (`Exceptions=listen`):
+ 
+diff --color -ru a/src/Library/public/usbguard/IPCServer.cpp b/src/Library/public/usbguard/IPCServer.cpp
+--- a/src/Library/public/usbguard/IPCServer.cpp	2021-09-20 09:08:55.206539917 +0200
++++ b/src/Library/public/usbguard/IPCServer.cpp	2021-09-22 10:38:28.703655497 +0200
+@@ -159,18 +159,25 @@
+       throw USBGUARD_BUG("Cannot set privileges for NONE section");
+     }
+ 
++    const uint8_t p = static_cast<uint8_t>(privilege);
++
+     if (section == Section::ALL) {
+-      for (const auto& value : {
++      for (const auto& s : {
+           Section::POLICY,
+           Section::PARAMETERS,
+           Section::EXCEPTIONS,
+           Section::DEVICES
+         }) {
+-        _access_control[value] |= static_cast<uint8_t>(privilege);
++        _access_control[s] |= p & ~ac_mask(s);
+       }
+     }
+     else {
+-      _access_control[section] |= static_cast<uint8_t>(privilege);
++      if (privilege != Privilege::ALL && (p & ac_mask(section))) {
++        throw std::runtime_error("Invalid privilege " +
++                privilegeToString(privilege) + " for section " +
++                sectionToString(section));
++      }
++      _access_control[section] |= p & ~ac_mask(section);
+     }
+   }
+ 
+@@ -254,6 +261,28 @@
+     merge(access_control);
+   }
+ 
++  uint8_t IPCServer::AccessControl::ac_mask(IPCServer::AccessControl::Section section) const
++  {
++    const uint8_t MODIFY = static_cast<uint8_t>(Privilege::MODIFY);
++    const uint8_t LIST = static_cast<uint8_t>(Privilege::LIST);
++    const uint8_t LISTEN = static_cast<uint8_t>(Privilege::LISTEN);
++
++    switch (section) {
++    case Section::DEVICES:
++      return ~(MODIFY | LIST | LISTEN);
++    case Section::POLICY:
++      return ~(MODIFY | LIST);
++    case Section::EXCEPTIONS:
++      return ~(LISTEN);
++    case Section::PARAMETERS:
++      return ~(MODIFY | LIST | LISTEN);
++    case Section::ALL:
++    case Section::NONE:
++    default:
++      return 0xff;
++    }
++  }
++
+   IPCServer::IPCServer()
+     : d_pointer(usbguard::make_unique<IPCServerPrivate>(*this))
+   {
+diff --color -ru a/src/Library/public/usbguard/IPCServer.hpp b/src/Library/public/usbguard/IPCServer.hpp
+--- a/src/Library/public/usbguard/IPCServer.hpp	2021-09-20 09:08:55.200539819 +0200
++++ b/src/Library/public/usbguard/IPCServer.hpp	2021-09-20 13:11:31.476803776 +0200
+@@ -278,6 +278,17 @@
+       };
+ 
+       /**
++       * @brief Get a privilege mask for given section
++       * 
++       * For example, if the section is POLICY that has privileges MODIFY
++       * and LIST, the mask would be ~(MODIFY | LIST)
++       *
++       * @param section Section for which the privilege mask should be returned
++       * @return Privilege mask for section
++       */
++      uint8_t ac_mask(Section section) const;
++
++      /**
+        * @brief Access control represented by unordered map of
+        * tuples (Section, 8b privileges).
+        *

SPECS/usbguard.spec

@@ -8,7 +8,7 @@
 
 Name:           usbguard
 Version:        1.0.0
-Release:        2%{?dist}
+Release:        8%{?dist}
 Summary:        A tool for implementing USB device usage policy
 Group:          System Environment/Daemons
 License:        GPLv2+
@@ -26,7 +26,8 @@ Requires(preun): systemd
 Requires(postun): systemd
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
-Recommends: %{name}-selinux
+Recommends: (%{name}-selinux if selinux-policy-%{selinuxtype})
+Conflicts: %{name}
 
 BuildRequires: gcc-c++
 BuildRequires: libqb-devel
@@ -55,6 +56,11 @@ Patch3: usbguard-selinux-list-dir.patch
 Patch4: usbguard-selinux-cpuinfo.patch
 Patch5: usbguard-audit-capability.patch
 Patch6: usbguard-selinux-audit-capability.patch
+Patch7: usbguard-ipaddressdeny.patch
+Patch8: usbguard-ipc-override-fix.patch
+Patch9: usbguard-validate-acl.patch
+Patch10: usbguard-notifier-decrease-spam.patch
+Patch11: usbguard-notifier-icon-injection.patch
 
 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@@ -95,8 +101,8 @@ a D-Bus interface to the USBGuard daemon component.
 %package        selinux
 Summary:        USBGuard selinux
 Group:          Applications/System
-Requires:       %{name} = %{version}-%{release}
-BuildRequires:  selinux-policy
+Requires:       selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
 BuildRequires:  selinux-policy-devel
 BuildArch: noarch
 %{?selinux_requires}
@@ -137,6 +143,11 @@ rm -rf src/ThirdParty/{Catch,PEGTL}
 %patch4 -p1 -b .cpuinfo
 %patch5 -p1 -b .audit-capability
 %patch6 -p1 -b .selinux-audit-capability
+%patch7 -p1 -b .ipaddressdeny
+%patch8 -p1 -b .ipc-override-fix
+%patch9 -p1 -b .validate-acl
+%patch10 -p1 -b .notifier-decrease-spam
+%patch11 -p1 -b .notifier-icon-injection
 
 %build
 mkdir -p ./m4
@@ -200,7 +211,7 @@ install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_
 # notifier
 pushd %{name}-notifier-%{notifier_version}
 make install INSTALL='install -p' DESTDIR=%{buildroot}
-#execstack -c %{buildroot}%{_bindir}/%{name}-notifier
+execstack -c %{buildroot}%{_bindir}/%{name}-notifier
 popd
 
 # Cleanup
@@ -268,7 +279,7 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
 
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
-%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
 %{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
 
 %post selinux
@@ -291,7 +302,7 @@ fi
 %{_userunitdir}/%{name}-notifier.service
 
 %post notifier
-%systemd_user_post %{name}-notifier.service
+%systemd_user_post \--preset-mode=disable-only %{name}-notifier.service
 
 %preun notifier
 %systemd_user_preun %{name}-notifier.service
@@ -301,6 +312,22 @@ fi
 
 
 %changelog
+* Mon Nov 29 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-8
+- change usbguard icon injection
+- fix DSP module definition in spec file
+Resolves: rhbz#2014441
+- add execstack to spec
+- remove IPAddressDeny from usbguard service
+Resolves: rhbz#1929364
+- fix file conflict when installing usbguard on rhel
+Resolves: rhbz#1963271
+- fix IPC access control files override
+Resolves: rhbz#2004511
+- validate ACL permission existence
+Resolves: rhbz#2005020
+- decrease usbguard-notifier spam when denied connection
+Resolves: rhbz#2000000
+
 * Wed Mar 17 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-2
 - Add CAP_AUDIT_WRITE capability to service file
 Resolves: rhbz#1940060