From f3fd8a34e9f8bb27b9a1b9d1623f6e83b39bd32b Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 10 May 2022 03:00:08 -0400
Subject: [PATCH] import usbguard-1.0.0-8.el8

---
SOURCES/usbguard-ipaddressdeny.patch | 11 ++
SOURCES/usbguard-ipc-override-fix.patch | 20 ++
SOURCES/usbguard-notifier-decrease-spam.patch | 182 ++++++++++++++++++
.../usbguard-notifier-icon-injection.patch | 82 ++++++++
SOURCES/usbguard-validate-acl.patch | 105 ++++++++++
SPECS/usbguard.spec | 41 +++-
6 files changed, 434 insertions(+), 7 deletions(-)
create mode 100644 SOURCES/usbguard-ipaddressdeny.patch
create mode 100644 SOURCES/usbguard-ipc-override-fix.patch
create mode 100644 SOURCES/usbguard-notifier-decrease-spam.patch
create mode 100644 SOURCES/usbguard-notifier-icon-injection.patch
create mode 100644 SOURCES/usbguard-validate-acl.patch

diff --git a/SOURCES/usbguard-ipaddressdeny.patch b/SOURCES/usbguard-ipaddressdeny.patch
new file mode 100644
index 0000000..85a78b3
--- /dev/null
+++ b/SOURCES/usbguard-ipaddressdeny.patch
@@ -0,0 +1,11 @@
+diff --color -ru a/usbguard.service.in b/usbguard.service.in
+--- a/usbguard.service.in 2021-09-07 16:33:49.911540537 +0200
++++ b/usbguard.service.in 2021-09-07 16:37:20.788885123 +0200
+@@ -8,7 +8,6 @@
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+-IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
diff --git a/SOURCES/usbguard-ipc-override-fix.patch b/SOURCES/usbguard-ipc-override-fix.patch
new file mode 100644
index 0000000..4083c7d
--- /dev/null
+++ b/SOURCES/usbguard-ipc-override-fix.patch
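Review bot: Removing `IPAddressDeny=any` from usbguard.service.in drops a sandbox restriction without leaving any trace in the unit of why it had to go; the only rationale on this page is the changelog line tying it to rhbz#1929364. A comment next to the remaining hardening directives, `# IPAddressDeny=any removed for rhbz#1929364; check that bug before restoring it`, would stop the next maintainer from blindly re-adding it or assuming the daemon was meant to be fully network-isolated. If the daemon only needs its local IPC socket, a `RestrictAddressFamilies=` line listing the families it actually uses would keep most of the isolation this directive provided; the hunk does not show whether the unit already carries one.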
@@ -0,0 +1,20 @@
+diff --color -ru a/src/Library/IPCServerPrivate.cpp b/src/Library/IPCServerPrivate.cpp
+--- a/src/Library/IPCServerPrivate.cpp 2020-11-23 15:56:12.979847655 +0100
++++ b/src/Library/IPCServerPrivate.cpp 2021-09-15 10:02:51.641082533 +0200
+@@ -567,10 +567,12 @@
+ bool IPCServerPrivate::authenticateIPCConnectionDAC(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const
+ {
+ USBGUARD_LOG(Trace) << "uid=" << uid << " gid=" << gid << " ac_ptr=" << ac_ptr;
+- return \
+- matchACLByUID(uid, ac_ptr) || \
+- matchACLByGID(gid, ac_ptr) || \
+- matchACLByName(uid, gid, ac_ptr);
++
++ bool matched_uid = matchACLByUID(uid, ac_ptr);
++ bool matched_gid = matchACLByGID(gid, ac_ptr);
++ bool matched_name = matchACLByName(uid, gid, ac_ptr);
++
++ return matched_uid || matched_gid || matched_name;
+ }
+
+ bool IPCServerPrivate::matchACLByUID(uid_t uid, IPCServer::AccessControl* const ac_ptr) const
diff --git a/SOURCES/usbguard-notifier-decrease-spam.patch b/SOURCES/usbguard-notifier-decrease-spam.patch
new file mode 100644
index 0000000..4b4015b
--- /dev/null
+++ b/SOURCES/usbguard-notifier-decrease-spam.patch
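Review bot: The rewrite of authenticateIPCConnectionDAC deliberately calls all three matchers before combining the results, but nothing in the code says so, and the short-circuiting `||` chain it replaces is exactly what a later clean-up would reintroduce. Add a comment above the three calls such as `// Run every matcher: each one presumably merges its ACL entries into *ac_ptr, so short-circuiting on the first match would drop the later ones (rhbz#2004511).` The bug id comes from the changelog in this import; that the matchers merge into *ac_ptr is inferred from the nature of the fix and is not visible in the hunk, so confirm it before committing the wording.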
@@ -0,0 +1,182 @@
+diff --color -ru a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 b/usbguard-notifier-0.0.6/man/usbguard-notifier.1
+--- a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-09-24 13:08:23.304639109 +0200
++++ b/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-09-24 13:16:14.177186425 +0200
+@@ -39,7 +39,12 @@
+ .PP
+ \fB\-w, \-\-wait\fR
+ .RS 4
+-Wait until an active IPC connection is estabilished\&.
++Wait until an active IPC connection is estabilished\&. ie\&. infinite number of attempts\&.
++.RE
++.PP
++\fB\-n, \-\-num\-attempts\fR \fInum\fR
++.RS 4
++Number of IPC connection attempts. Window between each attempt is 1 second\&. The default number of attempts is 3\&.
+ .RE
+ .PP
+ \fB\-d, \-\-debug\fR
+@@ -51,6 +56,64 @@
+ .RS 4
+ Show help\&.
+ .RE
++.SH "HOW TO START"
++.sp
++In order to make usbguard\-notifier work properly, you will need to perform certain actions:
++.sp
++.RS 4
++.ie n \{\
++\h'-04' 1.\h'+01'\c
++.\}
++.el \{\
++.sp -1
++.IP " 1." 4.2
++.\}
++Each user who wants to run usbguard\-notifier service needs to have sufficient IPC privileges to connect to the usbguard IPC interface\&. To allow a specific user to listen to the device signals you can use the following command:
++
++
++\fB$ sudo usbguard add\-user\fR
++\fIUSER\fR
++\fB\-d listen\fR
++
++Or you can allow a group of users:
++
++
++\fB$ sudo usbguard add\-user \-g\fR
++\fIGROUP\fR
++\fB\-d listen\fR
++.RE
++.sp
++.RS 4
++.ie n \{\
++\h'-04' 2.\h'+01'\c
++.\}
++.el \{\
++.sp -1
++.IP " 2." 4.2
++.\}
++Now, you need a running usbguard\-daemon instance to connect to\&. Start the usbguard service or restart it if it is already running\&.
++.RE
++.sp
++.RS 4
++.ie n \{\
++\h'-04' 3.\h'+01'\c
++.\}
++.el \{\
++.sp -1
++.IP " 3." 4.2
++.\}
++After configuring IPC privileges and starting up the usbguard\-daemon, the user can now start the usbguard\-notifier service:
++
++
++\fB$ systemctl start \-\-user usbguard\-notifier\&.service\fR
++
++Optionally, the user can enable the usbguard\-notifier service to start automatically after the login:
++
++
++\fB$ systemctl enable \-\-user usbguard\-notifier\&.service\fR
++.RE
++.sp
++The usbguard\-notifier should now be running\&. Anytime a USB device gets inserted/ejected or allowed/blocked a message will pop up in the user\(cqs graphical interface\&.
+ .SH "SEE ALSO"
+ .sp
+ usbguard(1)
+diff --color -ru a/usbguard-notifier-0.0.6/src/Main.cpp b/usbguard-notifier-0.0.6/src/Main.cpp
+--- a/usbguard-notifier-0.0.6/src/Main.cpp 2020-03-04 08:59:49.138771474 +0100
++++ b/usbguard-notifier-0.0.6/src/Main.cpp 2021-09-24 13:07:41.322966320 +0200
+@@ -20,6 +20,7 @@
+ #include "Log.hpp"
+ #include "Notifier.hpp"
+
++#include
+ #include
+ #include
+ #include
+@@ -27,10 +28,11 @@
+
+ #include
+
+-static const char* short_options = "wdh";
++static const char* short_options = "wn:dh";
+
+ static const struct ::option long_options[] = {
+ { "wait", no_argument, nullptr, 'w' },
++ { "num-attempts", required_argument, nullptr, 'n' },
+ { "debug", no_argument, nullptr, 'd' },
+ { "help", no_argument, nullptr, 'h' }
+ };
+@@ -40,22 +42,26 @@
+ out << "Usage: " << app_name << " [OPTIONS]" << std::endl;
+ out << std::endl;
+ out << "Options:" << std::endl;
+- out << " -w, --wait Wait until an active IPC connection is estabilished." << std::endl;
+- out << " -d, --debug Enable debug mode." << std::endl;
+- out << " -h, --help Show this usage message." << std::endl;
++ out << " -w, --wait Wait until an active IPC connection is estabilished." << std::endl;
++ out << " -n, --num-attempts Number of IPC connection attempts." << std::endl;
++ out << " -d, --debug Enable debug mode." << std::endl;
++ out << " -h, --help Show this usage message." << std::endl;
+ }
+
+ int main(int argc, char** argv)
+ {
+ const std::string app_name(::basename(*argv));
+ bool wait_connection = false, debug = false;
+- int opt;
++ int opt, num_attempts = 3;
+
+ while ((opt = getopt_long(argc, argv, short_options, long_options, nullptr)) != -1) {
+ switch (opt) {
+ case 'w':
+ wait_connection = true;
+ break;
++ case 'n':
++ num_attempts = std::atoi(optarg);
++ break;
+ case 'd':
+ debug = true;
+ break;
+@@ -71,23 +77,26 @@
+ }
+ NOTIFIER_LOGGER.setDebugMode(debug);
+
+- for (;;) {
++ bool print_err = true;
++ for (int i = 0; wait_connection || i < num_attempts; ++i) {
+ try {
+ usbguardNotifier::Notifier notifier(app_name);
+ notifier.connect();
+ std::cout << "Connection has been established" << std::endl;
++ print_err = true;
++ i = 0;
+ notifier.wait();
+ } catch (const std::runtime_error& e) {
+ std::cerr << "Error:" << e.what() << std::endl;
+ return EXIT_FAILURE;
+ } catch (const usbguard::Exception& e) {
+- std::cerr << "IPC connection failure!" << e.message() << std::endl;
+- std::cerr << "Check if usbguard-daemon is running in the background" << std::endl;
+- if (!wait_connection) {
+- break;
++ if (print_err) {
++ print_err = false;
++ std::cerr << "IPC connection failure!" << e.message() << std::endl;
++ std::cerr << "Check if usbguard-daemon is running in the background" << std::endl;
+ }
+- sleep(1);
+ }
++ sleep(1);
+ }
+ return EXIT_SUCCESS;
+ }
+diff --color -ru a/usbguard-notifier-0.0.6/usbguard-notifier.service.in b/usbguard-notifier-0.0.6/usbguard-notifier.service.in
+--- a/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2020-03-04 09:00:32.019254871 +0100
++++ b/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2021-09-24 13:07:41.322966320 +0200
+@@ -3,7 +3,7 @@
+ After=usbguard.service
+
+ [Service]
+-ExecStart=%bindir%/usbguard-notifier -w
++ExecStart=%bindir%/usbguard-notifier
+
+ [Install]
+ WantedBy=default.target
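Review bot: `num_attempts = std::atoi(optarg);` in Main.cpp accepts anything: `-n 0`, `-n -5` or `-n abc` all yield a non-positive count, the new `for` condition is false on entry, and main returns EXIT_SUCCESS without ever trying to connect. The same exit code is returned after the attempts are exhausted, and since the service file in this patch drops `-w`, a user unit whose daemon is not yet up will now stop cleanly after three seconds and look healthy in `systemctl --user status`. I would parse the option with `std::strtol` and reject bad values, and track whether a connection was ever made so the exhausted case reports failure; `INT_MAX` needs `<climits>`. The notifier.wait() contract and whether systemd should restart the unit are outside the hunk, so the exit-code half is a suggestion to confirm against the unit's intended behaviour.
```cpp
      case 'n': {
        char* end = nullptr;
        const long parsed = std::strtol(optarg, &end, 10);
        if (end == optarg || *end != '\0' || parsed <= 0 || parsed > INT_MAX) {
          std::cerr << "Error: --num-attempts expects a positive integer" << std::endl;
          return EXIT_FAILURE;
        }
        num_attempts = static_cast<int>(parsed);
        break;
      }
      // … unchanged: remaining option handling, usage, logger setup …
  bool print_err = true;
  bool connected = false;
  for (int i = 0; wait_connection || i < num_attempts; ++i) {
    try {
      usbguardNotifier::Notifier notifier(app_name);
      notifier.connect();
      connected = true;
      // … unchanged: success message, counter reset, notifier.wait() …
    } catch (const std::runtime_error& e) {
      // … unchanged …
    } catch (const usbguard::Exception& e) {
      // … unchanged: rate-limited failure message …
    }
    sleep(1);
  }
  // Without -w, running out of attempts means the notifier never served anyone.
  return connected ? EXIT_SUCCESS : EXIT_FAILURE;
```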
diff --git a/SOURCES/usbguard-notifier-icon-injection.patch b/SOURCES/usbguard-notifier-icon-injection.patch
new file mode 100644
index 0000000..daf5411
--- /dev/null
+++ b/SOURCES/usbguard-notifier-icon-injection.patch
@@ -0,0 +1,82 @@
+diff --color -ru a/usbguard-notifier-0.0.6/Makefile.am b/usbguard-notifier-0.0.6/Makefile.am
+--- a/usbguard-notifier-0.0.6/Makefile.am 2021-11-18 11:38:43.704876330 +0100
++++ b/usbguard-notifier-0.0.6/Makefile.am 2021-11-18 11:35:39.108500175 +0100
+@@ -35,6 +35,7 @@
+ src/ThirdParty/Catch2/single_include/catch2
+
+ usbguard_notifier_SOURCES = \
++ src/usbguard-icon.hpp \
+ src/Notifier.hpp \
+ src/NotifyWrapper.hpp \
+ src/Serializer.hpp \
+@@ -43,8 +44,7 @@
+ src/Notifier.cpp \
+ src/NotifyWrapper.cpp \
+ src/Serializer.cpp \
+- src/Log.cpp \
+- icons/usbguard-icon.svg
++ src/Log.cpp
+
+ usbguard_notifier_LDFLAGS = \
+ @rsvg_LIBS@ \
+@@ -65,7 +65,8 @@
+ endif
+
+ BUILT_SOURCES = \
+- src/BuildConfig.h
++ src/BuildConfig.h \
++ src/usbguard-icon.hpp
+
+ usbguard_notifier_cli_SOURCES = \
+ src/Serializer.hpp \
+@@ -109,8 +110,16 @@
+ #
+ # usbguard icon
+ #
+-.svg.o:
+- $(LD) -r -b binary -o $@ $<
++EXTRA_DIST += \
++ $(top_builddir)/icons/usbguard-icon.svg
++
++$(top_builddir)/src/usbguard-icon.hpp: $(top_builddir)/icons/usbguard-icon.svg
++ echo -e "#ifndef ICON_HPP\n#define ICON_HPP\nnamespace notify {\nconst char *icon =" > $@
++ $(SED) 's/"/\\"/g' $^ | $(SED) 's/^/"/' | $(SED) 's/$$/\\n"/' >> $@
++ echo -e ";\n}\n#endif" >> $@
++
++CLEANFILES += \
++ $(top_builddir)/src/usbguard-icon.hpp
+
+ #
+ # unit file
+diff --color -ru a/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp b/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp
+--- a/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp 2020-03-02 11:55:25.932999263 +0100
++++ b/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp 2021-11-18 11:29:52.825157237 +0100
+@@ -18,14 +18,13 @@
+ */
+
+ #include "NotifyWrapper.hpp"
++#include "usbguard-icon.hpp"
+
++#include
+ #include
+
+ #include
+
+-extern char _binary_icons_usbguard_icon_svg_start[];
+-extern char _binary_icons_usbguard_icon_svg_end[];
+-
+ namespace notify
+ {
+
+@@ -54,10 +53,7 @@
+ Notification::Notification(const std::string& summary, const std::string& body)
+ : _n(notify_notification_new(summary.c_str(), body.c_str(), nullptr))
+ {
+- RsvgHandle* handle = rsvg_handle_new_from_data(
+- (const guint8*)(_binary_icons_usbguard_icon_svg_start),
+- _binary_icons_usbguard_icon_svg_end - _binary_icons_usbguard_icon_svg_start,
+- nullptr);
++ RsvgHandle* handle = rsvg_handle_new_from_data((const guint8*)icon, std::strlen(icon), nullptr);
+ if (!handle) {
+ throw std::runtime_error("Failed to obtain rsvg handle");
+ }
diff --git a/SOURCES/usbguard-validate-acl.patch b/SOURCES/usbguard-validate-acl.patch
new file mode 100644
index 0000000..b2b5bd4
--- /dev/null
+++ b/SOURCES/usbguard-validate-acl.patch
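Review bot: The usbguard-icon.hpp rule in Makefile.am escapes only double quotes, so a backslash anywhere in the SVG text would reach the compiler unescaped and be read as a C escape sequence (a trailing one would even swallow the closing quote); escaping backslashes first, `$(SED) 's/\\/\\\\/g; s/"/\\"/g' $^ | ...`, closes that gap. `echo -e` is also not portable: a POSIX `sh` such as dash prints the `-e` literally, which would corrupt the generated header, so `printf '%s\n' '#ifndef ICON_HPP' ...` is the safer spelling. Both the prerequisite and the EXTRA_DIST entry point at `$(top_builddir)/icons/usbguard-icon.svg`, which for an out-of-tree build is where the source does not live; `$(top_srcdir)` is presumably what was meant for the input file, with only the generated header kept under the build dir. Whether this package is ever built out of tree is not visible here, so treat that last point as something to confirm.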
@@ -0,0 +1,105 @@
+diff --color -ru a/doc/man/usbguard.1.adoc b/doc/man/usbguard.1.adoc
+--- a/doc/man/usbguard.1.adoc 2021-09-20 09:08:55.134538747 +0200
++++ b/doc/man/usbguard.1.adoc 2021-09-20 16:46:48.266557561 +0200
+@@ -282,6 +282,7 @@
+ ....
+
+ Consult the usbguard-daemon.conf(5) man-page for a detailed list of available privileges in each section.
++You can also use 'ALL' instead of 'privileges' to automatically assign all relevant privileges to a given section.
+
+
+ === *remove-user* 'name' ['OPTIONS']
+diff --color -ru a/doc/man/usbguard-daemon.conf.5.adoc b/doc/man/usbguard-daemon.conf.5.adoc
+--- a/doc/man/usbguard-daemon.conf.5.adoc 2021-09-20 09:08:55.135538763 +0200
++++ b/doc/man/usbguard-daemon.conf.5.adoc 2021-09-20 13:20:09.788855176 +0200
+@@ -162,6 +162,8 @@
+
+ ** list: Get values of run-time parameters.
+
++ ** listen: Listen to property parameter changes.
++
+ The following is a generally usable and reasonably safe example of an access control file.
+ It allows one to modify USB device authorization state (`Devices=modify`), list USB devices (`Devices=list`), listen to USB device related events (`Devices=listen`), list USB authorization policy rules (`Policy=list`) and listen to exception events (`Exceptions=listen`):
+
+diff --color -ru a/src/Library/public/usbguard/IPCServer.cpp b/src/Library/public/usbguard/IPCServer.cpp
+--- a/src/Library/public/usbguard/IPCServer.cpp 2021-09-20 09:08:55.206539917 +0200
++++ b/src/Library/public/usbguard/IPCServer.cpp 2021-09-22 10:38:28.703655497 +0200
+@@ -159,18 +159,25 @@
+ throw USBGUARD_BUG("Cannot set privileges for NONE section");
+ }
+
++ const uint8_t p = static_cast(privilege);
++
+ if (section == Section::ALL) {
+- for (const auto& value : {
++ for (const auto& s : {
+ Section::POLICY,
+ Section::PARAMETERS,
+ Section::EXCEPTIONS,
+ Section::DEVICES
+ }) {
+- _access_control[value] |= static_cast(privilege);
++ _access_control[s] |= p & ~ac_mask(s);
+ }
+ }
+ else {
+- _access_control[section] |= static_cast(privilege);
++ if (privilege != Privilege::ALL && (p & ac_mask(section))) {
++ throw std::runtime_error("Invalid privilege " +
++ privilegeToString(privilege) + " for section " +
++ sectionToString(section));
++ }
++ _access_control[section] |= p & ~ac_mask(section);
+ }
+ }
+
+@@ -254,6 +261,28 @@
+ merge(access_control);
+ }
+
++ uint8_t IPCServer::AccessControl::ac_mask(IPCServer::AccessControl::Section section) const
++ {
++ const uint8_t MODIFY = static_cast(Privilege::MODIFY);
++ const uint8_t LIST = static_cast(Privilege::LIST);
++ const uint8_t LISTEN = static_cast(Privilege::LISTEN);
++
++ switch (section) {
++ case Section::DEVICES:
++ return ~(MODIFY | LIST | LISTEN);
++ case Section::POLICY:
++ return ~(MODIFY | LIST);
++ case Section::EXCEPTIONS:
++ return ~(LISTEN);
++ case Section::PARAMETERS:
++ return ~(MODIFY | LIST | LISTEN);
++ case Section::ALL:
++ case Section::NONE:
++ default:
++ return 0xff;
++ }
++ }
++
+ IPCServer::IPCServer()
+ : d_pointer(usbguard::make_unique(*this))
+ {
+diff --color -ru a/src/Library/public/usbguard/IPCServer.hpp b/src/Library/public/usbguard/IPCServer.hpp
+--- a/src/Library/public/usbguard/IPCServer.hpp 2021-09-20 09:08:55.200539819 +0200
++++ b/src/Library/public/usbguard/IPCServer.hpp 2021-09-20 13:11:31.476803776 +0200
+@@ -278,6 +278,17 @@
+ };
+
+ /**
++ * @brief Get a privilege mask for given section
++ *
++ * For example, if the section is POLICY that has privileges MODIFY
++ * and LIST, the mask would be ~(MODIFY | LIST)
++ *
++ * @param section Section for which the privilege mask should be returned
++ * @return Privilege mask for section
++ */
++ uint8_t ac_mask(Section section) const;
++
++ /**
+ * @brief Access control represented by unordered map of
+ * tuples (Section, 8b privileges).
+ *
diff --git a/SPECS/usbguard.spec b/SPECS/usbguard.spec
index e2a7abb..74d96f1 100644
--- a/SPECS/usbguard.spec
+++ b/SPECS/usbguard.spec
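Review bot: In ac_mask the `return ~(MODIFY | LIST | LISTEN);` lines compute the complement in `int` after integer promotion and rely on an implicit narrowing back to `uint8_t`; the low byte is what the callers want, but the conversion is silent, trips -Wconversion, and hides the intent. Writing `return static_cast<uint8_t>(~(MODIFY | LIST | LISTEN));` (and likewise for the other cases) makes the truncation deliberate. The setter in IPCServer.cpp is also asymmetric in a way worth stating: the `Section::ALL` branch silently discards bits a section does not support via `p & ~ac_mask(s)`, while a named section throws for the same bits; a comment above the ALL loop, `// ALL grants each section only the privileges it supports; unsupported bits are dropped here but rejected for a named section below.`, records that this is intended and matches the new man-page text about 'ALL'. ac_mask reads no object state, so it could be `static` in the header, which the hpp hunk also touches.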
@@ -8,7 +8,7 @@
 
 Name: usbguard
 Version: 1.0.0
-Release: 2%{?dist}
+Release: 8%{?dist}
 Summary: A tool for implementing USB device usage policy
 Group: System Environment/Daemons
 License: GPLv2+
@@ -26,7 +26,8 @@ Requires(preun): systemd
 Requires(postun): systemd
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
-Recommends: %{name}-selinux
+Recommends: (%{name}-selinux if selinux-policy-%{selinuxtype})
+Conflicts: %{name}
 
 BuildRequires: gcc-c++
 BuildRequires: libqb-devel
@@ -55,6 +56,11 @@ Patch3: usbguard-selinux-list-dir.patch
 Patch4: usbguard-selinux-cpuinfo.patch
 Patch5: usbguard-audit-capability.patch
 Patch6: usbguard-selinux-audit-capability.patch
+Patch7: usbguard-ipaddressdeny.patch
+Patch8: usbguard-ipc-override-fix.patch
+Patch9: usbguard-validate-acl.patch
+Patch10: usbguard-notifier-decrease-spam.patch
+Patch11: usbguard-notifier-icon-injection.patch
 
 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@@ -95,8 +101,8 @@ a D-Bus interface to the USBGuard daemon component.
 %package selinux
 Summary: USBGuard selinux
 Group: Applications/System
-Requires: %{name} = %{version}-%{release}
-BuildRequires: selinux-policy
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
 BuildRequires: selinux-policy-devel
 BuildArch: noarch
 %{?selinux_requires}
@@ -137,6 +143,11 @@ rm -rf src/ThirdParty/{Catch,PEGTL}
 %patch4 -p1 -b .cpuinfo
 %patch5 -p1 -b .audit-capability
 %patch6 -p1 -b .selinux-audit-capability
+%patch7 -p1 -b .ipaddressdeny
+%patch8 -p1 -b .ipc-override-fix
+%patch9 -p1 -b .validate-acl
+%patch10 -p1 -b .notifier-decrease-spam
+%patch11 -p1 -b .notifier-icon-injection
 
 %build
 mkdir -p ./m4
@@ -200,7 +211,7 @@ install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_
 # notifier
 pushd %{name}-notifier-%{notifier_version}
 make install INSTALL='install -p' DESTDIR=%{buildroot}
-#execstack -c %{buildroot}%{_bindir}/%{name}-notifier
+execstack -c %{buildroot}%{_bindir}/%{name}-notifier
 popd
 
 # Cleanup
@@ -268,7 +279,7 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
 
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
-%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
 %{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
 
 %post selinux
@@ -291,7 +302,7 @@ fi
 %{_userunitdir}/%{name}-notifier.service
 
 %post notifier
-%systemd_user_post %{name}-notifier.service
+%systemd_user_post \--preset-mode=disable-only %{name}-notifier.service
 
 %preun notifier
 %systemd_user_preun %{name}-notifier.service
@@ -301,6 +312,22 @@ fi
 
 
 %changelog
+* Mon Nov 29 2021 Zoltan Fridrich - 1.0.0-8
+- change usbguard icon injection
+- fix DSP module definition in spec file
+Resolves: rhbz#2014441
+- add execstack to spec
+- remove IPAddressDeny from usbguard service
+Resolves: rhbz#1929364
+- fix file conflict when installing usbguard on rhel
+Resolves: rhbz#1963271
+- fix IPC access control files override
+Resolves: rhbz#2004511
+- validate ACL permission existence
+Resolves: rhbz#2005020
+- decrease usbguard-notifier spam when denied connection
+Resolves: rhbz#2000000
+
 * Wed Mar 17 2021 Attila Lakatos - 1.0.0-2
 - Add CAP_AUDIT_WRITE capability to service file
 Resolves: rhbz#1940060
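Review bot: `Conflicts: %{name}` in the main package preamble is a conflict on the package's own name, and the spec gives no hint which other build providing `usbguard` it is meant to keep off the system; the only context on this page is the changelog line "fix file conflict when installing usbguard on rhel" tied to rhbz#1963271. A comment directly above it, `# rhbz#1963271: refuse co-installation with another package that provides %{name}; see the bug for which build that is`, would let a later maintainer judge whether the line is still needed rather than deleting it as an apparent mistake. Whether rpm is expected to ignore a self-conflict on upgrade of this very package, or whether that was verified, is not visible in the hunk and is worth confirming.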
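Review bot: Uncommenting `execstack -c %{buildroot}%{_bindir}/%{name}-notifier` clears the executable-stack request on the installed binary after the fact, which silences the symptom rather than removing whatever asked for it. The same import replaces the `ld -r -b binary` icon object, a classic source of a missing `.note.GNU-stack` section, with a generated header, so the flag may already be gone on this build; checking `readelf -lW` for an `RWE` `GNU_STACK` segment on the freshly built notifier would show whether the post-processing is still doing anything, and a comment such as `# clear the executable-stack flag; verify with readelf -lW (GNU_STACK) after changing how the icon is embedded` would keep that link visible. The hunks shown add no BuildRequires for the package that ships `execstack`, so if it is not already pulled in elsewhere in the spec the build would fail on a minimal buildroot.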