30 changed files with 1303 additions and 325 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -1 +0,0 @@
-1
--- a/.gitignore
+++ b/.gitignore
@ -1,27 +1,3 @@
-/usbguard-0.5.10.tar.gz
-/usbguard-0.5.11.tar.gz
-/usbguard-0.5.12.tar.gz
-/usbguard-0.5.13.tar.gz
-/usbguard-0.5.14.tar.gz
-/usbguard-0.6.0.tar.gz
-/usbguard-0.6.1.tar.gz
-/usbguard-0.6.2.tar.gz
-/dkopecek-usbguard-fcde518.tar.gz
-/dkopecek-usbguard-522c34c.tar.gz
-/dkopecek-usbguard-e528ff6.tar.gz
-/usbguard-0.7.0.tar.gz
-/usbguard-0.7.1.tar.gz
-/usbguard-0.7.2.tar.gz
-/usbguard-0.7.6.tar.gz
-/usbguard-selinux-0.0.1.tar.gz
-/usbguard-selinux-0.0.2.tar.gz
-/usbguard-0.7.7.tar.gz
-/usbguard-selinux-0.0.3.tar.gz
-/usbguard-0.7.8.tar.gz
-/usbguard-selinux-0.0.4.tar.gz
-/usbguard-1.0.0.tar.gz
-/usbguard-1.1.0.tar.gz
-/usbguard-1.1.2.tar.gz
-/usbguard-notifier-0.1.1.tar.gz
-/usbguard-1.1.3.tar.gz
-/usbguard-selinux-0.0.5.tar.gz
+SOURCES/usbguard-1.0.0.tar.gz
+SOURCES/usbguard-notifier-0.0.6.tar.gz
+SOURCES/usbguard-selinux-0.0.3.tar.gz
--- a/.usbguard.metadata
+++ b/.usbguard.metadata
@ -0,0 +1,3 @@
+bf909799daae6798634e1b01efaaadc5781b9755 SOURCES/usbguard-1.0.0.tar.gz
+7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
+e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz
--- a/SOURCES/usbguard-0.7.6-notifier.patch
+++ b/SOURCES/usbguard-0.7.6-notifier.patch
@ -0,0 +1,88 @@
+diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac
+--- ./usbguard-notifier-0.0.6/configure.ac.notifier	2020-04-29 07:35:43.057914703 +0200
+++ ./usbguard-notifier-0.0.6/configure.ac	2020-06-17 16:27:53.577151720 +0200
+@@ -44,6 +44,32 @@ AC_ARG_WITH(
+     [notificaiton_path="/tmp/usbguard-notifier"]
+ )
+ 
+# usbguard-devel
+# Add the path to where your usbguard-devel includes are
+# You might need this option when you want to package usbguard-notifier
+# together with usbguard at the same time
+AC_ARG_WITH(
+    [usbguard-devel],
+    AS_HELP_STRING([--with-usbguard-devel], [Select to compile notifier from source usbguard devel files(only top level directory)]),
+    [usbguard_CFLAGS="-I$withval/src/Library/public/"
+     usbguard_LIBS=""
+     usbguard_LA="$withval/libusbguard.la"
+     libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"
+     AC_SUBST([usbguard_CFLAGS])
+     AC_SUBST([usbguard_LIBS])
+     AC_SUBST([usbguard_LA])
+     custom_usbguard_devel_enabled=yes
+    ],
+    [
+        PKG_CHECK_MODULES(
+            [usbguard],
+            [libusbguard >= 0.7.2],
+            [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
+            [AC_MSG_FAILURE([libusbguard development files not found])]
+        )
+    ]
+)
+
+ # Build notifier-cli, default is yes
+ AC_ARG_ENABLE([notifier-cli],
+     [AC_HELP_STRING([--enable-notifier-cli], [enable notifier cli(default=yes)])],
+@@ -81,14 +107,6 @@ PKG_CHECK_MODULES(
+     [AC_MSG_FAILURE([libnotify development files not found])]
+ )
+ 
+-# usbguard
+-PKG_CHECK_MODULES(
+-    [usbguard],
+-    [libusbguard >= 0.7.2],
+-    [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
+-    [AC_MSG_FAILURE([libusbguard development files not found])]
+-)
+-
+ # asciidoc
+ AC_CHECK_PROGS(A2X, [a2x])
+ if test -z "$A2X"; then
+@@ -162,6 +180,7 @@ AC_SUBST(config_PATH, $prefix/.config)
+ AC_SUBST(NOTIFICATION_PATH, $notification_path)
+ 
+ AM_CONDITIONAL([NOTIFIER_CLI_ENABLED], [test "x$notifier_cli_enabled" = xyes ])
+AM_CONDITIONAL([CUSTOM_USBGUARD_DEVEL_ENABLED], [test "x$custom_usbguard_devel_enabled" = "xyes"])
+ 
+ AC_CONFIG_FILES([
+     Makefile
+diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am
+--- ./usbguard-notifier-0.0.6/Makefile.am.notifier	2020-04-29 07:18:21.024388188 +0200
+++ ./usbguard-notifier-0.0.6/Makefile.am	2020-06-17 16:27:53.592151848 +0200
+@@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \
+ 	@usbguard_CFLAGS@ \
+ 	-fPIC
+ 
+if CUSTOM_USBGUARD_DEVEL_ENABLED
+usbguard_notifier_LDADD = \
+	@usbguard_LA@
+usbguard_notifier_cli_LDADD = \
+	@usbguard_LA@
+endif
+
+ BUILT_SOURCES = \
+ 	src/BuildConfig.h
+ 
+diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1
+--- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier	2020-06-17 19:55:54.621855004 +0200
+++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1	2020-06-17 19:56:46.551297432 +0200
+@@ -53,7 +53,7 @@ Show help\&.
+ .RE
+ .SH "SEE ALSO"
+ .sp
+-usbguard\-notifier\-cli(1), usbguard(1)
+usbguard(1)
+ .SH "BUGS"
+ .sp
+ If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&.
--- a/SOURCES/usbguard-OOMScoreAdjust.patch
+++ b/SOURCES/usbguard-OOMScoreAdjust.patch
@ -0,0 +1,11 @@
+diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
+--- usbguard-1.0.0/usbguard.service.in.orig	2022-11-28 10:21:35.889977314 +0100
+++ usbguard-1.0.0/usbguard.service.in	2022-11-28 10:21:52.711987716 +0100
+@@ -4,6 +4,7 @@ Wants=systemd-udevd.service local-fs.tar
+ Documentation=man:usbguard-daemon(8)
+ 
+ [Service]
+OOMScoreAdjust=-1000
+ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
--- a/SOURCES/usbguard-audit-capability.patch
+++ b/SOURCES/usbguard-audit-capability.patch
@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
+--- usbguard-1.0.0/usbguard.service.in.orig	2021-03-17 14:16:21.675374844 +0100
+++ usbguard-1.0.0/usbguard.service.in	2021-03-17 14:16:29.056373213 +0100
+@@ -5,7 +5,7 @@ Documentation=man:usbguard-daemon(8)
+ 
+ [Service]
+ AmbientCapabilities=
+-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
--- a/SOURCES/usbguard-consistent-rules.patch
+++ b/SOURCES/usbguard-consistent-rules.patch
@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp
+--- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig	2022-11-28 10:35:44.052560664 +0100
+++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp	2022-11-28 10:35:55.510568939 +0100
+@@ -76,7 +76,7 @@ namespace usbguard
+       }
+ 
+       if (ruleSet.empty()){
+-        USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible.";
+        USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible.";
+         ruleSet = generateDefaultRuleSet();
+       }
+ 
--- a/SOURCES/usbguard-daemon-race-condition.patch
+++ b/SOURCES/usbguard-daemon-race-condition.patch
@ -0,0 +1,19 @@
+diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp
+--- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig	2022-11-28 10:25:01.044104150 +0100
+++ usbguard-1.0.0/src/Daemon/Daemon.cpp	2022-11-28 10:25:34.736124980 +0100
+@@ -40,6 +40,7 @@
+ #include <sys/types.h>
+ #include <sys/poll.h>
+ #include <unistd.h>
+#include <sys/wait.h>
+ #include <signal.h>
+ #include <string.h>
+ #include <sys/stat.h>
+@@ -606,6 +607,7 @@ namespace usbguard
+         const int signum = sigtimedwait(&mask, &info, &timeout);
+ 
+         if (signum == SIGUSR1 && info.si_signo == SIGUSR1 && info.si_pid == pid) {
+          waitpid(pid, nullptr, 0);
+           USBGUARD_LOG(Trace) << "Finished daemonization";
+           exit(EXIT_SUCCESS);
+         }
--- a/SOURCES/usbguard-daemon.conf
+++ b/SOURCES/usbguard-daemon.conf
@ -14,14 +14,18 @@ RuleFile=/etc/usbguard/rules.conf
 #
 # The USBGuard daemon will use this folder to load the policy
 # rule set from it and to write new rules received via the
-# IPC interface.
+# IPC interface. Usually, we set the option to
+# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to
+# behave like any other standard Linux daemon therefore it
+# loads rule files in alpha-numeric order. File names inside
+# RuleFolder directory should start with a two-digit number
+# prefix indicating the position, in which the rules are
+# scanned by the daemon.
 #
 # RuleFolder=/path/to/rulesfolder/
 #
-
 RuleFolder=/etc/usbguard/rules.d/

-
 #
 # Implicit policy target.
 #
@ -77,14 +81,30 @@ PresentControllerPolicy=keep
 #
 InsertedDevicePolicy=apply-policy

+#
+# Control which devices are authorized by default.
+#
+# The USBGuard daemon modifies some the default authorization state attributes
+# of controller devices. This setting, enables you to define what value the
+# default authorization is set to.
+#
+# * keep         - do not change the authorization state
+# * none         - every new device starts out deauthorized
+# * all          - every new device starts out authorized
+# * internal     - internal devices start out authorized, external devices start
+#                  out deauthorized (this requires the ACPI tables to properly
+#                  label internal devices, and kernel support)
+#
+#AuthorizedDefault=none
+
 #
 # Restore controller device state.
 #
 # The USBGuard daemon modifies some attributes of controller
 # devices like the default authorization state of new child device
-# instances. Using this setting, you can controll whether the
+# instances. Using this setting, you can control whether the
 # daemon will try to restore the attribute values to the state
-# before modificaton on shutdown.
+# before modification on shutdown.
 #
 # SECURITY CONSIDERATIONS: If set to true, the USB authorization
 # policy could be bypassed by performing some sort of attack on the
@ -98,11 +118,11 @@ RestoreControllerDeviceState=false
 #
 # Which device manager backend implementation to use. One of:
 #
-# * uevent - Netlink based implementation which uses sysfs to scan for present
-#            devices and an uevent netlink socket for receiving USB device
-#            related events.
-# * dummy  - A dummy device manager which simulates several devices and device
-#            events. Useful for testing.
+# * uevent   - Netlink based implementation which uses sysfs to scan for present
+#              devices and an uevent netlink socket for receiving USB device
+#              related events.
+# * umockdev - umockdev based device manager capable of simulating devices based
+#              on umockdev-record files. Useful for testing.
 #
 DeviceManagerBackend=uevent

@ -188,4 +208,4 @@ AuditFilePath=/var/log/usbguard/usbguard-audit.log
 # Hides personally identifiable information such as device serial numbers and
 # hashes of descriptors (which include the serial number) from audit entries.
 #
-HidePII=false
+#HidePII=false
--- a/SOURCES/usbguard-dbus-CVE-leak.patch
+++ b/SOURCES/usbguard-dbus-CVE-leak.patch
@ -0,0 +1,31 @@
+diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp
+--- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig	2022-10-18 10:33:04.498762878 +0200
+++ usbguard-1.0.0/src/DBus/DBusBridge.cpp	2022-10-18 10:33:36.920785285 +0200
+@@ -434,12 +434,11 @@ namespace usbguard
+     USBGUARD_LOG(Trace) << "Connecting with Polkit authority...";
+     PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error);
+ 
+-    if (! authority || error) {
+    if (! authority) {
+       USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << ".";
+       *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+       *authErrorMessage = "Failed to connect to Polkit authority";
+       g_error_free(error);
+-      g_object_unref(authority);
+       g_object_unref(subject);
+       return false;
+     }
+@@ -470,12 +469,11 @@ namespace usbguard
+         /*cancellable=*/ NULL,
+         &error);
+ 
+-    if (! result || error) {
+    if (! result) {
+       USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << ".";
+       *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+       *authErrorMessage = "Failed to check back with Polkit for authoriation.";
+       g_error_free(error);
+-      g_object_unref(result);
+       g_object_unref(details);
+       g_object_unref(authority);
+       g_object_unref(subject);
--- a/SOURCES/usbguard-dbus-CVE.patch
+++ b/SOURCES/usbguard-dbus-CVE.patch
@ -0,0 +1,335 @@
+diff -up usbguard-1.0.0/configure.ac.orig usbguard-1.0.0/configure.ac
+--- usbguard-1.0.0/configure.ac.orig	2022-08-16 10:24:34.345570913 +0200
+++ usbguard-1.0.0/configure.ac	2022-08-16 10:24:34.307571236 +0200
+@@ -399,7 +399,7 @@ if test "x$with_dbus" = xyes; then
+   #
+   # Check for required D-Bus modules
+   #
+-  PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0],
+  PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0 polkit-gobject-1],
+   [AC_DEFINE([HAVE_DBUS], [1], [Required GDBus API available])
+   dbus_summary="system-wide; $dbus_CFLAGS $dbus_LIBS"],
+   [AC_MSG_FAILURE([Required D-Bus modules (dbus-1, gio-2.0) not found!])]
+diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp
+--- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig	2022-08-16 10:24:34.312571194 +0200
+++ usbguard-1.0.0/src/DBus/DBusBridge.cpp	2022-08-16 10:28:28.595587136 +0200
+@@ -21,6 +21,8 @@
+ #endif
+ 
+ #include "DBusBridge.hpp"
+#include <polkit/polkit.h>
+
+ namespace usbguard
+ {
+   DBusBridge::DBusBridge(GDBusConnection* const gdbus_connection,
+@@ -74,9 +76,19 @@ namespace usbguard
+     return;
+   }
+ 
+  #define DBUS_AUTH_CHECK \
+      GDBusError authErrorCode = G_DBUS_ERROR_FAILED; \
+      const gchar* authErrorMessage = NULL; \
+      if (! isAuthorizedByPolkit(invocation, &authErrorCode, &authErrorMessage)) { \
+        g_dbus_method_invocation_return_error_literal(invocation, G_DBUS_ERROR, authErrorCode, authErrorMessage); \
+        return; \
+      }
+
+   void DBusBridge::handleRootMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation)
+   {
+     if (method_name == "getParameter") {
+      DBUS_AUTH_CHECK
+
+       const char* name_cstr = nullptr;
+       g_variant_get(parameters, "(&s)", &name_cstr);
+       std::string name(name_cstr);
+@@ -86,6 +98,8 @@ namespace usbguard
+     }
+ 
+     if (method_name == "setParameter") {
+      DBUS_AUTH_CHECK
+
+       const char* name_cstr = nullptr;
+       const char* value_cstr = nullptr;
+       g_variant_get(parameters, "(&s&s)", &name_cstr, &value_cstr);
+@@ -104,6 +118,8 @@ namespace usbguard
+   void DBusBridge::handlePolicyMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation)
+   {
+     if (method_name == "listRules") {
+      DBUS_AUTH_CHECK
+
+       const char* label_cstr = nullptr;
+       g_variant_get(parameters, "(&s)", &label_cstr);
+       std::string label(label_cstr);
+@@ -136,6 +152,8 @@ namespace usbguard
+     }
+ 
+     if (method_name == "appendRule") {
+      DBUS_AUTH_CHECK
+
+       const char* rule_spec_cstr = nullptr;
+       uint32_t parent_id = 0;
+       gboolean temporary = false;
+@@ -147,6 +165,8 @@ namespace usbguard
+     }
+ 
+     if (method_name == "removeRule") {
+      DBUS_AUTH_CHECK
+
+       uint32_t rule_id = 0;
+       g_variant_get(parameters, "(u)", &rule_id);
+       removeRule(rule_id);
+@@ -163,6 +183,8 @@ namespace usbguard
+     GDBusMethodInvocation* invocation)
+   {
+     if (method_name == "listDevices") {
+      DBUS_AUTH_CHECK
+
+       const char* query_cstr = nullptr;
+       g_variant_get(parameters, "(&s)", &query_cstr);
+       std::string query(query_cstr);
+@@ -195,6 +217,8 @@ namespace usbguard
+     }
+ 
+     if (method_name == "applyDevicePolicy") {
+      DBUS_AUTH_CHECK
+
+       uint32_t device_id = 0;
+       uint32_t target_integer = 0;
+       gboolean permanent = false;
+@@ -344,6 +368,135 @@ namespace usbguard
+ 
+     return builder;
+   }
+
+  std::string DBusBridge::formatGError(GError* error)
+  {
+    if (error) {
+      std::stringstream formatGError;
+      formatGError << error->message << " (code " << error->code << ")";
+      return formatGError.str();
+    }
+    else {
+      return "unknown error";
+    }
+  }
+
+  bool DBusBridge::isAuthorizedByPolkit(GDBusMethodInvocation* invocation, GDBusError* authErrorCode,
+    const gchar** authErrorMessage)
+  {
+    GError* error = NULL;
+    USBGUARD_LOG(Trace) << "Extracting bus name...";
+    const gchar* const /*no-free!*/ bus_name = g_dbus_method_invocation_get_sender (invocation);
+
+    if (! bus_name) {
+      USBGUARD_LOG(Trace) << "Failed to extract bus name.";
+      *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+      *authErrorMessage = "Failed to extract bus name.";
+      return false;
+    }
+
+    USBGUARD_LOG(Trace) << "Extracted bus name \"" << bus_name << "\".";
+    USBGUARD_LOG(Trace) << "Extracting interface name...";
+    const gchar* const /*no-free!*/ interfaceName = g_dbus_method_invocation_get_interface_name(invocation);
+
+    if (! interfaceName) {
+      USBGUARD_LOG(Trace) << "Failed to extract interface name.";
+      *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+      *authErrorMessage = "Failed to extract interface name.";
+      return false;
+    }
+
+    USBGUARD_LOG(Trace) << "Extracted interface name \"" << interfaceName << "\".";
+    USBGUARD_LOG(Trace) << "Extracting method name...";
+    const gchar* const /*no-free!*/ methodName = g_dbus_method_invocation_get_method_name(invocation);
+
+    if (! methodName) {
+      USBGUARD_LOG(Trace) << "Failed to extract method name.";
+      *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+      *authErrorMessage = "Failed to extract method name.";
+      return false;
+    }
+
+    std::stringstream action_id;
+    action_id << interfaceName << "." << methodName;
+    USBGUARD_LOG(Trace) << "Extracted method name \"" << methodName << "\".";
+    USBGUARD_LOG(Trace) << "Creating a system bus Polkit subject...";
+    PolkitSubject* const subject = polkit_system_bus_name_new(bus_name);
+
+    if (! subject) {
+      USBGUARD_LOG(Trace) << "Failed to create Polkit subject.";
+      *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+      *authErrorMessage = "Failed to create Polkit subject.";
+      return false;
+    }
+
+    USBGUARD_LOG(Trace) << "Created.";
+    USBGUARD_LOG(Trace) << "Connecting with Polkit authority...";
+    PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error);
+
+    if (! authority || error) {
+      USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << ".";
+      *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+      *authErrorMessage = "Failed to connect to Polkit authority";
+      g_error_free(error);
+      g_object_unref(authority);
+      g_object_unref(subject);
+      return false;
+    }
+
+    USBGUARD_LOG(Trace) << "Connected.";
+    USBGUARD_LOG(Trace) << "Customizing Polkit authentification dialog...";
+    PolkitDetails* const details = polkit_details_new();
+
+    if (! details) {
+      USBGUARD_LOG(Trace) << "Failed to customize the Polkit authentification dialog.";
+      *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+      *authErrorMessage = "Failed to customize the Polkit authentication dialog.";
+      g_object_unref(authority);
+      g_object_unref(subject);
+      return false;
+    }
+
+    polkit_details_insert (details, "polkit.message", "This USBGuard action needs authorization");
+    USBGUARD_LOG(Trace) << "Customized.";
+    USBGUARD_LOG(Trace) << "Checking authorization of action \"" << action_id.str() << "\" with Polkit ...";
+    const PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION;
+    PolkitAuthorizationResult* const result = polkit_authority_check_authorization_sync
+      (authority,
+        subject,
+        action_id.str().c_str(),
+        details,
+        flags,
+        /*cancellable=*/ NULL,
+        &error);
+
+    if (! result || error) {
+      USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << ".";
+      *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+      *authErrorMessage = "Failed to check back with Polkit for authoriation.";
+      g_error_free(error);
+      g_object_unref(result);
+      g_object_unref(details);
+      g_object_unref(authority);
+      g_object_unref(subject);
+      return false;
+    }
+
+    gboolean isAuthorized = polkit_authorization_result_get_is_authorized(result);
+    USBGUARD_LOG(Trace) << (isAuthorized ? "Authorized" : "Not authorized") << ".";
+
+    if (! isAuthorized) {
+      *authErrorCode = G_DBUS_ERROR_ACCESS_DENIED;
+      *authErrorMessage = "Not authorized.";
+    }
+
+    g_object_unref(result);
+    g_object_unref(details);
+    g_object_unref(authority);
+    g_object_unref(subject);
+    return isAuthorized;
+  }
+
+ } /* namespace usbguard */
+ 
+ /* vim: set ts=2 sw=2 et */
+diff -up usbguard-1.0.0/src/DBus/DBusBridge.hpp.orig usbguard-1.0.0/src/DBus/DBusBridge.hpp
+--- usbguard-1.0.0/src/DBus/DBusBridge.hpp.orig	2022-08-16 10:24:34.312571194 +0200
+++ usbguard-1.0.0/src/DBus/DBusBridge.hpp	2022-08-16 10:28:33.514545528 +0200
+@@ -83,6 +83,9 @@ namespace usbguard
+       bool rule_match,
+       uint32_t rule_id);
+ 
+    static std::string formatGError(GError* error);
+    static bool isAuthorizedByPolkit(GDBusMethodInvocation* invocation, GDBusError* authErrorCode,
+    const gchar** authErrorMessage);
+ 
+     GDBusConnection* const p_gdbus_connection;
+     void(*p_ipc_callback)(bool);
+diff -up usbguard-1.0.0/src/DBus/org.usbguard1.policy.orig usbguard-1.0.0/src/DBus/org.usbguard1.policy
+--- usbguard-1.0.0/src/DBus/org.usbguard1.policy.orig	2022-08-16 10:24:34.312571194 +0200
+++ usbguard-1.0.0/src/DBus/org.usbguard1.policy	2022-08-16 10:24:34.311571202 +0200
+@@ -1,23 +1,23 @@
+ <?xml version="1.0" encoding="UTF-8"?>
+ <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+         "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+-        
+
+ <policyconfig>
+   <vendor>The USBGuard Project</vendor>
+   <vendor_url>https://github.org/USBGuard/usbguard</vendor_url>
+ 
+   <action id="org.usbguard.Policy1.listRules">
+     <description>List the rule set (policy) used by the USBGuard daemon</description>
+-    <message>Prevents from listing the USBGuard policy</message>
+    <message>Prevents listing the USBGuard policy</message>
+     <defaults>
+       <allow_inactive>no</allow_inactive>
+-      <allow_active>auth_self_keep_session</allow_active>
+      <allow_active>yes</allow_active>
+     </defaults>
+   </action>
+ 
+   <action id="org.usbguard.Policy1.appendRule">
+     <description>Append a new rule to the policy</description>
+-    <message>Prevents from appending rules to the USBGuard policy</message>
+    <message>Prevents appending rules to the USBGuard policy</message>
+     <defaults>
+       <allow_inactive>no</allow_inactive>
+       <allow_active>auth_admin</allow_active>
+@@ -33,40 +33,41 @@
+     </defaults>
+   </action>
+ 
+-  <action id="org.usbguard.Devices1.listDevices">
+-    <description>List all USB devices recognized by the USBGuard daemon</description>
+-    <message>Prevents from listing USB devices recognized by the USBGuard daemon</message>
+  <action id="org.usbguard.Devices1.applyDevicePolicy">
+    <description>Apply a policy to a device in USBGuard</description>
+    <message>Prevents applying a policy to a device in USBGuard</message>
+     <defaults>
+       <allow_inactive>no</allow_inactive>
+-      <allow_active>auth_self_keep_session</allow_active>
+      <allow_active>auth_admin</allow_active>
+     </defaults>
+   </action>
+ 
+-  <action id="org.usbguard.Devices1.allowDevice">
+-    <description>Authorize a USB device via the USBGuard daemon to interact with the system</description>
+-    <message>Prevents from authorizing USB devices via the USBGuard daemon</message>
+  <action id="org.usbguard.Devices1.listDevices">
+    <description>List all USB devices recognized by the USBGuard daemon</description>
+    <message>Prevents listing USB devices recognized by the USBGuard daemon</message>
+     <defaults>
+       <allow_inactive>no</allow_inactive>
+-      <allow_active>auth_admin</allow_active>
+      <allow_active>yes</allow_active>
+     </defaults>
+   </action>
+ 
+-  <action id="org.usbguard.Devices1.blockDevice">
+-    <description>Deauthorize a USB device via the USBGuard daemon</description>
+-    <message>Prevents from deauthorizing USB devices via the USBGuard daemon</message>
+  <action id="org.usbguard1.getParameter">
+    <description>Get the value of a runtime parameter</description>
+    <message>Prevents getting values of runtime USBGuard parameters</message>
+     <defaults>
+       <allow_inactive>no</allow_inactive>
+-      <allow_active>auth_admin</allow_active>
+      <allow_active>yes</allow_active>
+     </defaults>
+   </action>
+ 
+-  <action id="org.usbguard.Devices1.rejectDevice">
+-    <description>Remove a USB device via the USBGuard daemon</description>
+-    <message>Prevents from removing USB devices via the USBGuard daemon</message>
+  <action id="org.usbguard1.setParameter">
+    <description>Set the value of a runtime parameter</description>
+    <message>Prevents setting values of runtime USBGuard parameters</message>
+     <defaults>
+       <allow_inactive>no</allow_inactive>
+       <allow_active>auth_admin</allow_active>
+     </defaults>
+   </action>
+
+ </policyconfig>
+ 
--- a/SOURCES/usbguard-disable-console-log.patch
+++ b/SOURCES/usbguard-disable-console-log.patch
@ -1,12 +1,12 @@
-diff -up usbguard-1.1.3/usbguard.service.in.orig usbguard-1.1.3/usbguard.service.in
--- usbguard-1.1.3/usbguard.service.in.orig	2024-06-12 14:36:13.192536970 +0200
-+++ usbguard-1.1.3/usbguard.service.in	2024-06-12 14:36:21.110609346 +0200
+diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
+--- usbguard-1.0.0/usbguard.service.in.orig	2023-01-12 13:17:14.200064956 +0100
+++ usbguard-1.0.0/usbguard.service.in	2023-01-12 13:17:22.588078994 +0100
@@ -8,7 +8,7 @@ OOMScoreAdjust=-1000
 AmbientCapabilities=
 CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
 DevicePolicy=closed
 -ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
 +ExecStart=%sbindir%/usbguard-daemon -f -s -K -c %sysconfdir%/usbguard/usbguard-daemon.conf
- IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
--- a/SOURCES/usbguard-ipaddressdeny.patch
+++ b/SOURCES/usbguard-ipaddressdeny.patch
@ -0,0 +1,11 @@
+diff --color -ru a/usbguard.service.in b/usbguard.service.in
+--- a/usbguard.service.in	2021-09-07 16:33:49.911540537 +0200
+++ b/usbguard.service.in	2021-09-07 16:37:20.788885123 +0200
+@@ -8,7 +8,6 @@
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
+ ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+-IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
--- a/SOURCES/usbguard-ipc-override-fix.patch
+++ b/SOURCES/usbguard-ipc-override-fix.patch
@ -0,0 +1,20 @@
+diff --color -ru a/src/Library/IPCServerPrivate.cpp b/src/Library/IPCServerPrivate.cpp
+--- a/src/Library/IPCServerPrivate.cpp	2020-11-23 15:56:12.979847655 +0100
+++ b/src/Library/IPCServerPrivate.cpp	2021-09-15 10:02:51.641082533 +0200
+@@ -567,10 +567,12 @@
+   bool IPCServerPrivate::authenticateIPCConnectionDAC(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const
+   {
+     USBGUARD_LOG(Trace) << "uid=" << uid << " gid=" << gid << " ac_ptr=" << ac_ptr;
+-    return \
+-      matchACLByUID(uid, ac_ptr) || \
+-      matchACLByGID(gid, ac_ptr) || \
+-      matchACLByName(uid, gid, ac_ptr);
+
+    bool matched_uid = matchACLByUID(uid, ac_ptr);
+    bool matched_gid = matchACLByGID(gid, ac_ptr);
+    bool matched_name = matchACLByName(uid, gid, ac_ptr);
+
+    return matched_uid || matched_gid || matched_name;
+   }
+ 
+   bool IPCServerPrivate::matchACLByUID(uid_t uid, IPCServer::AccessControl* const ac_ptr) const
--- a/SOURCES/usbguard-missing-doc.patch
+++ b/SOURCES/usbguard-missing-doc.patch
@ -0,0 +1,43 @@
+diff -up usbguard-1.0.0/doc/man/example-allow-device.adoc.orig usbguard-1.0.0/doc/man/example-allow-device.adoc
+--- usbguard-1.0.0/doc/man/example-allow-device.adoc.orig	2022-11-28 12:00:26.695561514 +0100
+++ usbguard-1.0.0/doc/man/example-allow-device.adoc	2022-11-28 11:57:01.120457773 +0100
+@@ -0,0 +1,6 @@
+....
+    # Allow a device by ID(it is the very first number from the list-devices command output)
+    $ sudo usbguard allow-device 10
+    # Allow all devices named "Dell Wired Multimedia Keyboard"
+    $ sudo usbguard allow-device name \"Dell Wired Multimedia Keyboard\"
+....
+diff -up usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig usbguard-1.0.0/doc/man/example-initial-policy.adoc
+--- usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig	2022-11-28 12:00:31.781564080 +0100
+++ usbguard-1.0.0/doc/man/example-initial-policy.adoc	2022-11-28 11:57:25.353470002 +0100
+@@ -0,0 +1,7 @@
+....
+    $ sudo usbguard generate-policy > rules.conf
+    $ vi rules.conf
+    (review/modify the rule set)
+    $ sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
+    $ sudo systemctl restart usbguard
+....
+diff -up usbguard-1.0.0/doc/man/footer.adoc.orig usbguard-1.0.0/doc/man/footer.adoc
+--- usbguard-1.0.0/doc/man/footer.adoc.orig	2022-11-28 11:54:21.495377220 +0100
+++ usbguard-1.0.0/doc/man/footer.adoc	2022-11-28 11:55:51.960422872 +0100
+@@ -0,0 +1,18 @@
+== BUGS
+If you find a bug in this software or if you'd like to request a feature to be implemented, please file a ticket at <https://github.com/USBGuard/usbguard/issues/new>.
+
+
+== AUTHOR
+USBGuard was originally written by Daniel Kopeček.
+Many people have contributed to it.
+
+
+== RESOURCES
+Main web site: <https://usbguard.github.io/>
+
+
+== COPYING
+Copyright © 2015-{docyear} Red Hat, Inc. +
+License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl.html. +
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.
--- a/SOURCES/usbguard-notifier-decrease-spam.patch
+++ b/SOURCES/usbguard-notifier-decrease-spam.patch
@ -0,0 +1,182 @@
+diff --color -ru a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 b/usbguard-notifier-0.0.6/man/usbguard-notifier.1
+--- a/usbguard-notifier-0.0.6/man/usbguard-notifier.1	2021-09-24 13:08:23.304639109 +0200
+++ b/usbguard-notifier-0.0.6/man/usbguard-notifier.1	2021-09-24 13:16:14.177186425 +0200
+@@ -39,7 +39,12 @@
+ .PP
+ \fB\-w, \-\-wait\fR
+ .RS 4
+-Wait until an active IPC connection is estabilished\&.
+Wait until an active IPC connection is estabilished\&. ie\&. infinite number of attempts\&.
+.RE
+.PP
+\fB\-n, \-\-num\-attempts\fR \fInum\fR
+.RS 4
+Number of IPC connection attempts. Window between each attempt is 1 second\&. The default number of attempts is 3\&.
+ .RE
+ .PP
+ \fB\-d, \-\-debug\fR
+@@ -51,6 +56,64 @@
+ .RS 4
+ Show help\&.
+ .RE
+.SH "HOW TO START"
+.sp
+In order to make usbguard\-notifier work properly, you will need to perform certain actions:
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 1.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP "  1." 4.2
+.\}
+Each user who wants to run usbguard\-notifier service needs to have sufficient IPC privileges to connect to the usbguard IPC interface\&. To allow a specific user to listen to the device signals you can use the following command:
+
+
+\fB$ sudo usbguard add\-user\fR
+\fIUSER\fR
+\fB\-d listen\fR
+
+Or you can allow a group of users:
+
+
+\fB$ sudo usbguard add\-user \-g\fR
+\fIGROUP\fR
+\fB\-d listen\fR
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 2.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP "  2." 4.2
+.\}
+Now, you need a running usbguard\-daemon instance to connect to\&. Start the usbguard service or restart it if it is already running\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 3.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP "  3." 4.2
+.\}
+After configuring IPC privileges and starting up the usbguard\-daemon, the user can now start the usbguard\-notifier service:
+
+
+\fB$ systemctl start \-\-user usbguard\-notifier\&.service\fR
+
+Optionally, the user can enable the usbguard\-notifier service to start automatically after the login:
+
+
+\fB$ systemctl enable \-\-user usbguard\-notifier\&.service\fR
+.RE
+.sp
+The usbguard\-notifier should now be running\&. Anytime a USB device gets inserted/ejected or allowed/blocked a message will pop up in the user\(cqs graphical interface\&.
+ .SH "SEE ALSO"
+ .sp
+ usbguard(1)
+diff --color -ru a/usbguard-notifier-0.0.6/src/Main.cpp b/usbguard-notifier-0.0.6/src/Main.cpp
+--- a/usbguard-notifier-0.0.6/src/Main.cpp	2020-03-04 08:59:49.138771474 +0100
+++ b/usbguard-notifier-0.0.6/src/Main.cpp	2021-09-24 13:07:41.322966320 +0200
+@@ -20,6 +20,7 @@
+ #include "Log.hpp"
+ #include "Notifier.hpp"
+ 
+#include <cstdlib>
+ #include <getopt.h>
+ #include <iostream>
+ #include <libgen.h>
+@@ -27,10 +28,11 @@
+ 
+ #include <usbguard/Exception.hpp>
+ 
+-static const char* short_options = "wdh";
+static const char* short_options = "wn:dh";
+ 
+ static const struct ::option long_options[] = {
+     { "wait",  no_argument, nullptr, 'w' },
+    { "num-attempts", required_argument, nullptr, 'n' },
+     { "debug", no_argument, nullptr, 'd' },
+     { "help",  no_argument, nullptr, 'h' }
+ };
+@@ -40,22 +42,26 @@
+     out << "Usage: " << app_name << " [OPTIONS]" << std::endl;
+     out << std::endl;
+     out << "Options:" << std::endl;
+-    out << "    -w, --wait      Wait until an active IPC connection is estabilished." << std::endl;
+-    out << "    -d, --debug     Enable debug mode." << std::endl;
+-    out << "    -h, --help      Show this usage message." << std::endl;
+    out << "    -w, --wait               Wait until an active IPC connection is estabilished." << std::endl;
+    out << "    -n, --num-attempts <num> Number of IPC connection attempts." << std::endl;
+    out << "    -d, --debug              Enable debug mode." << std::endl;
+    out << "    -h, --help               Show this usage message." << std::endl;
+ }
+ 
+ int main(int argc, char** argv)
+ {
+     const std::string app_name(::basename(*argv));
+     bool wait_connection = false, debug = false;
+-    int opt;
+    int opt, num_attempts = 3;
+ 
+     while ((opt = getopt_long(argc, argv, short_options, long_options, nullptr)) != -1) {
+         switch (opt) {
+         case 'w':
+             wait_connection = true;
+             break;
+        case 'n':
+            num_attempts = std::atoi(optarg);
+            break;
+         case 'd':
+             debug = true;
+             break;
+@@ -71,23 +77,26 @@
+     }
+     NOTIFIER_LOGGER.setDebugMode(debug);
+ 
+-    for (;;) {
+    bool print_err = true;
+    for (int i = 0; wait_connection || i < num_attempts; ++i) {
+         try {
+             usbguardNotifier::Notifier notifier(app_name);
+             notifier.connect();
+             std::cout << "Connection has been established" << std::endl;
+            print_err = true;
+            i = 0;
+             notifier.wait();
+         } catch (const std::runtime_error& e) {
+             std::cerr << "Error:" << e.what() << std::endl;
+             return EXIT_FAILURE;
+         } catch (const usbguard::Exception& e) {
+-            std::cerr << "IPC connection failure!" << e.message() << std::endl;
+-            std::cerr << "Check if usbguard-daemon is running in the background" << std::endl;
+-            if (!wait_connection) {
+-                break;
+            if (print_err) {
+                print_err = false;
+                std::cerr << "IPC connection failure!" << e.message() << std::endl;
+                std::cerr << "Check if usbguard-daemon is running in the background" << std::endl;
+             }
+-            sleep(1);
+         }
+        sleep(1);
+     }
+     return EXIT_SUCCESS;
+ }
+diff --color -ru a/usbguard-notifier-0.0.6/usbguard-notifier.service.in b/usbguard-notifier-0.0.6/usbguard-notifier.service.in
+--- a/usbguard-notifier-0.0.6/usbguard-notifier.service.in	2020-03-04 09:00:32.019254871 +0100
+++ b/usbguard-notifier-0.0.6/usbguard-notifier.service.in	2021-09-24 13:07:41.322966320 +0200
+@@ -3,7 +3,7 @@
+ After=usbguard.service
+ 
+ [Service]
+-ExecStart=%bindir%/usbguard-notifier -w
+ExecStart=%bindir%/usbguard-notifier
+ 
+ [Install]
+ WantedBy=default.target
--- a/SOURCES/usbguard-notifier-icon-injection.patch
+++ b/SOURCES/usbguard-notifier-icon-injection.patch
@ -0,0 +1,82 @@
+diff --color -ru a/usbguard-notifier-0.0.6/Makefile.am b/usbguard-notifier-0.0.6/Makefile.am
+--- a/usbguard-notifier-0.0.6/Makefile.am	2021-11-18 11:38:43.704876330 +0100
+++ b/usbguard-notifier-0.0.6/Makefile.am	2021-11-18 11:35:39.108500175 +0100
+@@ -35,6 +35,7 @@
+ 	src/ThirdParty/Catch2/single_include/catch2
+ 
+ usbguard_notifier_SOURCES = \
+	src/usbguard-icon.hpp \
+ 	src/Notifier.hpp \
+ 	src/NotifyWrapper.hpp \
+ 	src/Serializer.hpp \
+@@ -43,8 +44,7 @@
+ 	src/Notifier.cpp \
+ 	src/NotifyWrapper.cpp \
+ 	src/Serializer.cpp \
+-	src/Log.cpp \
+-	icons/usbguard-icon.svg
+	src/Log.cpp
+ 
+ usbguard_notifier_LDFLAGS = \
+ 	@rsvg_LIBS@ \
+@@ -65,7 +65,8 @@
+ endif
+ 
+ BUILT_SOURCES = \
+-	src/BuildConfig.h
+	src/BuildConfig.h \
+	src/usbguard-icon.hpp
+ 
+ usbguard_notifier_cli_SOURCES = \
+ 	src/Serializer.hpp \
+@@ -109,8 +110,16 @@
+ #
+ # usbguard icon
+ #
+-.svg.o:
+-	$(LD) -r -b binary -o $@ $<
+EXTRA_DIST += \
+	$(top_builddir)/icons/usbguard-icon.svg
+
+$(top_builddir)/src/usbguard-icon.hpp: $(top_builddir)/icons/usbguard-icon.svg
+	echo -e "#ifndef ICON_HPP\n#define ICON_HPP\nnamespace notify {\nconst char *icon =" > $@
+	$(SED) 's/"/\\"/g' $^ | $(SED) 's/^/"/' | $(SED) 's/$$/\\n"/' >> $@
+	echo -e ";\n}\n#endif" >> $@
+
+CLEANFILES += \
+	$(top_builddir)/src/usbguard-icon.hpp
+ 
+ #
+ # unit file
+diff --color -ru a/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp b/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp
+--- a/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp	2020-03-02 11:55:25.932999263 +0100
+++ b/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp	2021-11-18 11:29:52.825157237 +0100
+@@ -18,14 +18,13 @@
+  */
+ 
+ #include "NotifyWrapper.hpp"
+#include "usbguard-icon.hpp"
+ 
+#include <cstring>
+ #include <stdexcept>
+ 
+ #include <librsvg-2.0/librsvg/rsvg.h>
+ 
+-extern char _binary_icons_usbguard_icon_svg_start[];
+-extern char _binary_icons_usbguard_icon_svg_end[];
+-
+ namespace notify
+ {
+ 
+@@ -54,10 +53,7 @@
+ Notification::Notification(const std::string& summary, const std::string& body)
+     : _n(notify_notification_new(summary.c_str(), body.c_str(), nullptr))
+ {
+-    RsvgHandle* handle = rsvg_handle_new_from_data(
+-            (const guint8*)(_binary_icons_usbguard_icon_svg_start),
+-            _binary_icons_usbguard_icon_svg_end - _binary_icons_usbguard_icon_svg_start,
+-            nullptr);
+    RsvgHandle* handle = rsvg_handle_new_from_data((const guint8*)icon, std::strlen(icon), nullptr);
+     if (!handle) {
+         throw std::runtime_error("Failed to obtain rsvg handle");
+     }
--- a/SOURCES/usbguard-permanent-rules.patch
+++ b/SOURCES/usbguard-permanent-rules.patch
@ -0,0 +1,68 @@
+diff -up usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc.orig usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc
+--- usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc.orig	2023-01-05 10:58:24.684407437 +0100
+++ usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc	2023-01-05 10:58:42.323426745 +0100
+@@ -27,7 +27,12 @@ It may be overridden using the *-c* comm
+     behave like any other standard Linux daemon therefore it loads rule files in
+     alpha-numeric order. File names inside `RuleFolder` directory should start
+     with a two-digit number prefix indicating the position, in which the rules
+-    are scanned by the daemon.
+    are scanned by the daemon. Using RuleFile and RuleFolder at the same time is
+    permitted. However, modification of the permanent policy is not possible if
+    one of the following conditions are met:
+    ** Neither RuleFile nor RuleFolder are specified.
+    ** RuleFile is not specified, RuleFolder is but it does not contain any files,
+       where we could save permanent rules.
+ 
+ *ImplicitPolicyTarget*='target'::
+     How to treat USB devices that don't match any rule in the policy. Target
+diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp
+--- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig	2023-01-05 10:58:49.689434809 +0100
+++ usbguard-1.0.0/src/Daemon/Daemon.cpp	2023-01-05 10:59:18.991466884 +0100
+@@ -742,7 +742,7 @@ namespace usbguard
+     /* TODO: reevaluate the firewall rules for all active devices */
+     const uint32_t id = _policy.appendRule(rule, parent_id);
+ 
+-    if (_config.hasSettingValue("RuleFile") && permanent) {
+    if ((_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) && permanent) {
+       _policy.save();
+     }
+ 
+@@ -755,7 +755,7 @@ namespace usbguard
+     USBGUARD_LOG(Trace) << "id=" << id;
+     _policy.removeRule(id);
+ 
+-    if (_config.hasSettingValue("RuleFile")) {
+    if (_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) {
+       _policy.save();
+     }
+   }
+diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp
+--- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig	2023-01-05 10:59:27.117475780 +0100
+++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp	2023-01-05 10:59:46.228496702 +0100
+@@ -75,8 +75,24 @@ namespace usbguard
+         }
+       }
+ 
+-      if (ruleSet.empty()){
+-        USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible.";
+      /*
+       * This means one of the following:
+       *  - Neither RuleFile nor RuleFolder are specified
+       *  - RuleFile not specified, RuleFolder is but it does not contain any files,
+       *    where we could save permanent rules
+       */
+      if (ruleSet.empty()) {
+        std::string msg;
+
+        if (ns.getRulesPath().empty() && ns.getRulesDirPath().empty()) {
+          msg = "Neither RuleFile nor RuleFolder are set.";
+        }
+        else {
+          msg = "RuleFile is not set, RuleFolder is but it does not contain any rule files.";
+        }
+
+        USBGUARD_LOG(Warning) << "Modification of the permanent policy won't be possible."
+          << " Reason: " << msg;
+         ruleSet = generateDefaultRuleSet();
+       }
+ 
--- a/SOURCES/usbguard-selinux-audit-capability.patch
+++ b/SOURCES/usbguard-selinux-audit-capability.patch
@ -0,0 +1,12 @@
+diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te
+--- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig	2021-03-17 15:08:59.975712403 +0100
+++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te	2021-03-17 15:09:21.565708348 +0100
+@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t)
+ # Local policy
+ #
+ 
+-allow usbguard_t self:capability { chown fowner };
+allow usbguard_t self:capability { chown fowner audit_write };
+ allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read };
+ allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+ 
--- a/SOURCES/usbguard-selinux-cpuinfo.patch
+++ b/SOURCES/usbguard-selinux-cpuinfo.patch
@ -0,0 +1,12 @@
+diff -up ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo ./usbguard-selinux-0.0.3/usbguard.te
+--- ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo	2020-06-18 15:53:40.161615146 +0200
+++ ./usbguard-selinux-0.0.3/usbguard.te	2020-06-18 15:54:28.399982328 +0200
+@@ -77,6 +77,8 @@ auth_read_passwd(usbguard_t)
+ dev_list_sysfs(usbguard_t)
+ dev_rw_sysfs(usbguard_t)
+ 
+kernel_read_system_state(usbguard_t)
+
+ list_dirs_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ dontaudit usbguard_t usbguard_conf_t:file write;
--- a/SOURCES/usbguard-selinux-dbus-CVE.patch
+++ b/SOURCES/usbguard-selinux-dbus-CVE.patch
@ -0,0 +1,27 @@
+diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te
+--- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig	2022-08-24 16:14:30.810875871 +0200
+++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te	2022-08-24 16:15:50.064906117 +0200
+@@ -100,7 +100,6 @@ logging_log_filetrans(usbguard_t, usbgua
+ 
+ logging_send_syslog_msg(usbguard_t)
+ 
+-dbus_system_domain(usbguard_t, usbguard_exec_t)
+ usbguard_ipc_access(usbguard_t)
+ 
+ tunable_policy(`usbguard_daemon_write_rules',`
+@@ -111,6 +110,15 @@ tunable_policy(`usbguard_daemon_write_co
+ 	rw_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
+ ')
+ 
+optional_policy(`
+	dbus_system_domain(usbguard_t, usbguard_exec_t)
+
+	optional_policy(`
+		policykit_dbus_chat(usbguard_t)
+	')
+')
+
+
+ # Allow confined users to communicate with usbguard over unix socket
+ optional_policy(`
+     gen_require(`
--- a/SOURCES/usbguard-selinux-list-dir.patch
+++ b/SOURCES/usbguard-selinux-list-dir.patch
@ -0,0 +1,11 @@
+diff -up ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir ./usbguard-selinux-0.0.3/usbguard.te
+--- ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir	2020-06-09 10:53:03.191977241 +0200
+++ ./usbguard-selinux-0.0.3/usbguard.te	2020-06-09 10:54:21.441965315 +0200
+@@ -81,6 +81,7 @@ list_dirs_pattern(usbguard_t,usbguard_co
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
+ dontaudit usbguard_t usbguard_conf_t:file write;
+ 
+list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)
+ read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)
+ 
+ manage_dirs_pattern(usbguard_t, usbguard_var_run_t, usbguard_var_run_t)
--- a/SOURCES/usbguard-selinux-rules-d.patch
+++ b/SOURCES/usbguard-selinux-rules-d.patch
@ -0,0 +1,22 @@
+From 008af22f238bfb97f6d337759732ac87bdef7b24 Mon Sep 17 00:00:00 2001
+From: alakatos <alakatos@redhat.com>
+Date: Mon, 25 May 2020 15:27:38 +0200
+Subject: [PATCH] /etc/usrbuard/rules.d(/.*)? has usbguard_rules_t label right
+ after the installation
+
+---
+ usbguard.fc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/usbguard.fc b/usbguard.fc
+index bce3e8c..3e14720 100644
+--- a/usbguard-selinux-0.0.3/usbguard.fc
+++ b/usbguard-selinux-0.0.3/usbguard.fc
+@@ -13,6 +13,7 @@
+ # You should have received a copy of the GNU General Public License
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ 
+/etc/usbguard/rules\.d(/.*)?                 gen_context(system_u:object_r:usbguard_rules_t,s0)
+ /etc/usbguard/rules.conf                  -- gen_context(system_u:object_r:usbguard_rules_t,s0)
+ /etc/usbguard(/.*)?                          gen_context(system_u:object_r:usbguard_conf_t,s0)
+ /dev/shm/qb-usbguard-.*                   -- gen_context(system_u:object_r:usbguard_tmpfs_t,s0)
--- a/SOURCES/usbguard-validate-acl.patch
+++ b/SOURCES/usbguard-validate-acl.patch
@ -0,0 +1,105 @@
+diff --color -ru a/doc/man/usbguard.1.adoc b/doc/man/usbguard.1.adoc
+--- a/doc/man/usbguard.1.adoc	2021-09-20 09:08:55.134538747 +0200
+++ b/doc/man/usbguard.1.adoc	2021-09-20 16:46:48.266557561 +0200
+@@ -282,6 +282,7 @@
+ ....
+ 
+ Consult the usbguard-daemon.conf(5) man-page for a detailed list of available privileges in each section.
+You can also use 'ALL' instead of 'privileges' to automatically assign all relevant privileges to a given section.
+ 
+ 
+ === *remove-user* 'name' ['OPTIONS']
+diff --color -ru a/doc/man/usbguard-daemon.conf.5.adoc b/doc/man/usbguard-daemon.conf.5.adoc
+--- a/doc/man/usbguard-daemon.conf.5.adoc	2021-09-20 09:08:55.135538763 +0200
+++ b/doc/man/usbguard-daemon.conf.5.adoc	2021-09-20 13:20:09.788855176 +0200
+@@ -162,6 +162,8 @@
+ 
+  ** list: Get values of run-time parameters.
+ 
+ ** listen: Listen to property parameter changes.
+
+ The following is a generally usable and reasonably safe example of an access control file.
+ It allows one to modify USB device authorization state (`Devices=modify`), list USB devices (`Devices=list`), listen to USB device related events (`Devices=listen`), list USB authorization policy rules (`Policy=list`) and listen to exception events (`Exceptions=listen`):
+ 
+diff --color -ru a/src/Library/public/usbguard/IPCServer.cpp b/src/Library/public/usbguard/IPCServer.cpp
+--- a/src/Library/public/usbguard/IPCServer.cpp	2021-09-20 09:08:55.206539917 +0200
+++ b/src/Library/public/usbguard/IPCServer.cpp	2021-09-22 10:38:28.703655497 +0200
+@@ -159,18 +159,25 @@
+       throw USBGUARD_BUG("Cannot set privileges for NONE section");
+     }
+ 
+    const uint8_t p = static_cast<uint8_t>(privilege);
+
+     if (section == Section::ALL) {
+-      for (const auto& value : {
+      for (const auto& s : {
+           Section::POLICY,
+           Section::PARAMETERS,
+           Section::EXCEPTIONS,
+           Section::DEVICES
+         }) {
+-        _access_control[value] |= static_cast<uint8_t>(privilege);
+        _access_control[s] |= p & ~ac_mask(s);
+       }
+     }
+     else {
+-      _access_control[section] |= static_cast<uint8_t>(privilege);
+      if (privilege != Privilege::ALL && (p & ac_mask(section))) {
+        throw std::runtime_error("Invalid privilege " +
+                privilegeToString(privilege) + " for section " +
+                sectionToString(section));
+      }
+      _access_control[section] |= p & ~ac_mask(section);
+     }
+   }
+ 
+@@ -254,6 +261,28 @@
+     merge(access_control);
+   }
+ 
+  uint8_t IPCServer::AccessControl::ac_mask(IPCServer::AccessControl::Section section) const
+  {
+    const uint8_t MODIFY = static_cast<uint8_t>(Privilege::MODIFY);
+    const uint8_t LIST = static_cast<uint8_t>(Privilege::LIST);
+    const uint8_t LISTEN = static_cast<uint8_t>(Privilege::LISTEN);
+
+    switch (section) {
+    case Section::DEVICES:
+      return ~(MODIFY | LIST | LISTEN);
+    case Section::POLICY:
+      return ~(MODIFY | LIST);
+    case Section::EXCEPTIONS:
+      return ~(LISTEN);
+    case Section::PARAMETERS:
+      return ~(MODIFY | LIST | LISTEN);
+    case Section::ALL:
+    case Section::NONE:
+    default:
+      return 0xff;
+    }
+  }
+
+   IPCServer::IPCServer()
+     : d_pointer(usbguard::make_unique<IPCServerPrivate>(*this))
+   {
+diff --color -ru a/src/Library/public/usbguard/IPCServer.hpp b/src/Library/public/usbguard/IPCServer.hpp
+--- a/src/Library/public/usbguard/IPCServer.hpp	2021-09-20 09:08:55.200539819 +0200
+++ b/src/Library/public/usbguard/IPCServer.hpp	2021-09-20 13:11:31.476803776 +0200
+@@ -278,6 +278,17 @@
+       };
+ 
+       /**
+       * @brief Get a privilege mask for given section
+       * 
+       * For example, if the section is POLICY that has privileges MODIFY
+       * and LIST, the mask would be ~(MODIFY | LIST)
+       *
+       * @param section Section for which the privilege mask should be returned
+       * @return Privilege mask for section
+       */
+      uint8_t ac_mask(Section section) const;
+
+      /**
+        * @brief Access control represented by unordered map of
+        * tuples (Section, 8b privileges).
+        *
--- a/SPECS/usbguard.spec
+++ b/SPECS/usbguard.spec
@ -1,22 +1,25 @@
 %global _hardened_build 1
 %global selinuxtype targeted
 %global moduletype contrib
-%define semodule_version 0.0.5
-%define notifier_version 0.1.1
+%define semodule_version 0.0.3
+%define notifier_version 0.0.6
+
+%bcond_without check

 Name:           usbguard
-Version:        1.1.3
-Release:        6%{?dist}
+Version:        1.0.0
+Release:        13%{?dist}
 Summary:        A tool for implementing USB device usage policy
-License:        GPL-2.0-or-later
+Group:          System Environment/Daemons
+License:        GPLv2+
 ## Not installed
 # src/ThirdParty/Catch: Boost Software License - Version 1.0
 URL:            https://usbguard.github.io/
 Source0:        https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
-Source1:        https://github.com/USBGuard/usbguard-selinux/archive/refs/tags/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
+Source1:        https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
 Source2:        https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz
 Source3:        usbguard-daemon.conf
-ExcludeArch:    i686
+ExcludeArch: i686

 Requires: systemd
 Requires(post): systemd
@ -24,15 +27,11 @@ Requires(preun): systemd
 Requires(postun): systemd
 Requires(post): /sbin/ldconfig
 Requires(postun): /sbin/ldconfig
-
 Recommends: (%{name}-selinux if selinux-policy-%{selinuxtype})
-Obsoletes: %{name}-applet-qt < 0.7.6

-BuildRequires: make
-BuildRequires: gcc
 BuildRequires: gcc-c++
 BuildRequires: libqb-devel
-BuildRequires: openssl-devel
+BuildRequires: libgcrypt-devel
 BuildRequires: libstdc++-devel
 BuildRequires: protobuf-devel protobuf-compiler
 BuildRequires: PEGTL-static
@ -44,9 +43,33 @@ BuildRequires: audit-libs-devel
 # For `pkg-config systemd` only
 BuildRequires: systemd

-Patch1: usbguard-revert-catch.patch
-Patch2: disable-console-logging.patch
-Patch3: tmpfiles.patch
+BuildRequires: dbus-glib-devel
+BuildRequires: dbus-devel
+BuildRequires: glib2-devel
+BuildRequires: polkit-devel
+BuildRequires: libxslt
+BuildRequires: libxml2
+
+Patch1: usbguard-0.7.6-notifier.patch
+Patch2: usbguard-selinux-rules-d.patch
+Patch3: usbguard-selinux-list-dir.patch
+Patch4: usbguard-selinux-cpuinfo.patch
+Patch5: usbguard-audit-capability.patch
+Patch6: usbguard-selinux-audit-capability.patch
+Patch7: usbguard-ipaddressdeny.patch
+Patch8: usbguard-ipc-override-fix.patch
+Patch9: usbguard-validate-acl.patch
+Patch10: usbguard-notifier-decrease-spam.patch
+Patch11: usbguard-notifier-icon-injection.patch
+Patch12: usbguard-dbus-CVE.patch
+Patch13: usbguard-selinux-dbus-CVE.patch
+Patch14: usbguard-dbus-CVE-leak.patch
+Patch15: usbguard-daemon-race-condition.patch
+Patch16: usbguard-OOMScoreAdjust.patch
+Patch17: usbguard-consistent-rules.patch
+Patch18: usbguard-missing-doc.patch
+Patch19: usbguard-permanent-rules.patch
+Patch20: usbguard-disable-console-log.patch

 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@ -55,6 +78,7 @@ USB device attributes.

 %package        devel
 Summary:        Development files for %{name}
+Group:          Development/Libraries
 Requires:       %{name} = %{version}-%{release}
 Requires:       pkgconfig
 Requires:       libstdc++-devel
@ -65,21 +89,17 @@ developing applications that use %{name}.

 %package        tools
 Summary:        USBGuard Tools
+Group:          Applications/System
 Requires:       %{name} = %{version}-%{release}

 %description    tools
 The %{name}-tools package contains optional tools from the USBGuard
 software framework.

-# dbus
 %package        dbus
 Summary:        USBGuard D-Bus Service
+Group:          Applications/System
 Requires:       %{name} = %{version}-%{release}
-BuildRequires:	dbus-devel
-BuildRequires:	glib2-devel
-BuildRequires:	polkit-devel
-BuildRequires:	libxslt
-BuildRequires:	libxml2
 Requires:       dbus
 Requires:       polkit

@ -113,9 +133,8 @@ BuildRequires:  execstack
 The %{name}-notifier package detects usbguard policy modifications as well as
 device presence changes and displays them as pop-up notifications.

-%prep
-
 # usbguard
+%prep
 %setup -q

 # selinux
@ -124,16 +143,31 @@ device presence changes and displays them as pop-up notifications.
 # notifier
 %setup -q -D -T -a 2

-%patch -P 1 -p1 -b .catch
-%patch -P 2 -p1
-%patch -P 3 -p1
-
 # Remove bundled library sources before build
 rm -rf src/ThirdParty/{Catch,PEGTL}

-%build
+%patch1 -p1 -b .notifier
+%patch2 -p1 -b .rules-d-selinux
+%patch3 -p1 -b .list-dir
+%patch4 -p1 -b .cpuinfo
+%patch5 -p1 -b .audit-capability
+%patch6 -p1 -b .selinux-audit-capability
+%patch7 -p1 -b .ipaddressdeny
+%patch8 -p1 -b .ipc-override-fix
+%patch9 -p1 -b .validate-acl
+%patch10 -p1 -b .notifier-decrease-spam
+%patch11 -p1 -b .notifier-icon-injection
+%patch12 -p1 -b .dbus-CVE
+%patch13 -p1 -b .selinux-dbus-CVE
+%patch14 -p1 -b .dbus-CVE-leak
+%patch15 -p1 -b .daemon-race
+%patch16 -p1 -b .OOMScoreAdjust
+%patch17 -p1 -b .consistent-rules
+%patch18 -p1 -b .missing-doc
+%patch19 -p1 -b .permanent-rules
+%patch20 -p1 -b .disable-syslog

-# usbguard
+%build
 mkdir -p ./m4
 autoreconf -i -v --no-recursive ./
 %configure \
@ -143,7 +177,7 @@ autoreconf -i -v --no-recursive ./
    --enable-systemd \
    --with-dbus \
    --with-polkit \
-    --with-crypto-library=openssl
+    --with-crypto-library=gcrypt

 make %{?_smp_mflags}

@ -168,8 +202,10 @@ export CXXFLAGS="$RPM_OPT_FLAGS"
 make %{?_smp_mflags}
 popd

+%if %{with check}
 %check
 make check
+%endif

 # selinux
 %pre selinux
@ -203,14 +239,15 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
 %systemd_preun usbguard.service

 %post
-%{?ldconfig}
+/sbin/ldconfig
 %systemd_post usbguard.service

 %postun
-%{?ldconfig}
+/sbin/ldconfig
 %systemd_postun usbguard.service

 %files
+%defattr(-,root,root,-)
 %doc README.adoc CHANGELOG.md
 %license LICENSE
 %{_libdir}/*.so.*
@ -228,18 +265,20 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
 %{_datadir}/man/man5/usbguard-rules.conf.5.gz
 %{_datadir}/man/man1/usbguard.1.gz
 %{_datadir}/bash-completion/completions/usbguard
-%attr(640,root,root) %{_tmpfilesdir}/usbguard.conf

 %files devel
+%defattr(-,root,root,-)
 %{_includedir}/*
 %{_libdir}/*.so
 %{_libdir}/pkgconfig/*.pc

 %files tools
+%defattr(-,root,root,-)
 %{_bindir}/usbguard-rule-parser

-# dbus
+
 %files dbus
+%defattr(-,root,root,-)
 %{_sbindir}/usbguard-dbus
 %{_datadir}/dbus-1/system-services/org.usbguard1.service
 %{_datadir}/dbus-1/system.d/org.usbguard1.conf
@ -291,170 +330,104 @@ fi


 %changelog
-* Thu Feb 06 2025 Attila Lakatos <alakatos@redhat.com> - 1.1.3-6
- Install usbguard-tmpfles.conf
-  Resolves: RHEL-78183
+* Thu Jan 12 2023 Attila Lakatos <alakatos@redhat.com> - 1.0.0-13
+- Set OOMScoreAdjust to -1000 in service file
+Resolves: rhbz#2159411
+- Fix race condition in usbguard-daemon when forking
+Resolves: rhbz#2159409
+- Add missing files to documentation
+Resolves: rhbz#2159412
+- Disable logging to console, logging to syslog is still enabled
+- Store permanent rules even if RuleFile is not set but RuleFolder is
+- Neither RuleFolder nor RuleFile exists bugfix
+Resolves: rhbz#2159413
+- Remove build for i686 arch
+Resolves: rhbz#2105091

-* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.1.3-5
- Bump release for October 2024 mass rebuild:
-  Resolves: RHEL-64018
+* Wed Aug 24 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-10
+- Fix unauthorized access via D-bus
+- Fix memory leaks on connection failure to D-bus
+Resolves: rhbz#2059067

-* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.1.3-4
- Bump release for June 2024 mass rebuild
+* Mon Nov 29 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-8
+- change usbguard icon injection
+- fix DSP module definition in spec file
+Resolves: rhbz#2014441
+- add execstack to spec
+- remove IPAddressDeny from usbguard service
+Resolves: rhbz#1929364
+- fix file conflict when installing usbguard on rhel
+Resolves: rhbz#1963271
+- fix IPC access control files override
+Resolves: rhbz#2004511
+- validate ACL permission existence
+Resolves: rhbz#2005020
+- decrease usbguard-notifier spam when denied connection
+Resolves: rhbz#2000000

-* Tue Jun 18 2024 Attila Lakatos <alakatos@redhat.com> - 1.1.3-3
- Disable building for i686
- Update Requires list on selinux subpackage
-Resolves: RHEL-37322
+* Wed Mar 17 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-2
+- Add CAP_AUDIT_WRITE capability to service file
+Resolves: rhbz#1940060

-* Fri Jun 07 2024 Attila Lakatos <alakatos@redhat.com> - 1.1.3-2
- Rebase to 1.1.3
- Update usbguard-selinux subpackage
- Include usbguard-notifier subpackage
-Resolves: RHEL-37322
- Disable logging to console
+* Tue Jan 19 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-1
+- Rebase to 1.0.0
+Resolves: rhbz#1887448
+- Filtering rules by attribute
+Resolves: rhbz#1873953
+- Change device policy of multiple devices using rule instead of ID
+Resolves: rhbz#1852568

-* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+* Tue Aug 11 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-7
+- Do not cause segfault in case of an empty rulesd folder
+Resolves: rhbz#1738590

-* Thu Jul 27 2023 Attila Lakatos <alakatos@redhat.com> - 1.1.2-1
- Rebase to 1.1.2
-Resolves: rhbz#2064543
+* Wed Aug 05 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-6
+- RHEL 8.3.0 ERRATUM
+- Removed execstack from .spec
+- Removed AuthorizedDefault=wired from the usbguard
+Resolves: rhbz#1852539
+- Missing error message on bad configuration
+Resolves: rhbz#1857299
+- /etc/usbguard/usbguard-daemon.conf file does not contain all default options
+Resolves: rhbz#1862907

-* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+* Wed Jun 17 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-5
+- RHEL 8.3.0 ERRATUM
+- Use old-fasioned forking style in unit file
+Resolves: rhbz#1846885
+- Allow usbguard to read /proc/cpuinfo
+Resolves: rhbz#1847870
+- Removed notifier's Requires for usbguard-devel
+Resolves: rhbz#1667395
+- Allow usbguard to read /dev/urandom
+Resolves: rhbz#1848618

-* Wed May 10 2023 Tomas Popela <tpopela@redhat.com> - 1.1.0-7
- Drop BR on dbus-glib as the requirement was dropped in 0.7.7
+* Wed May 06 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-4
+- RHEL 8.3.0 ERRATUM
+- Spec file clean up
+- Rebase to 0.7.8
+Resolves: rhbz#1738590
+- Added selinux subpackage
+Resolves: rhbz#1683567
+- Added notifier subpackage
+- Installing /etc/usbguard/rules.d/
+Resolves: rhbz#1667395
+- Fixed sigwaitinfo handling
+Resolves: rhbz#1835210

-* Mon Feb 20 2023 Attila Lakatos <alakatos@redhat.com> - 1.1.0-6
- Rebuild
-Resolves: rhbz#2171749
+* Mon Nov 25 2019 Marek Tamaskovic <mtamasko@redhat.com> - 0.7.4-4
+- add match-all keyword

-* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+* Tue May 21 2019 Daniel Kopeček <dkopecek@redhat.com> - 0.7.4-3
+- spec: make the check phase conditional

-* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+* Fri Dec 14 2018 Jiri Vymazal <jvymazal@redhat.com> - 0.7.4-2
+  Resolves: rhbz#1643057 - usbguard fails to report invalid value in IPCAccessControlFiles directive

-* Tue Mar 29 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.0-3
- usbguard requires selinux subpackage
- this ensures that the selinux package and all its dependencies are
-  not pulled into containers and other systems that do not use SELinux
-
-* Tue Mar 15 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.0-2
- selinux: allow policykit dbus comunnication
- restore support for access control filenames without a group
-
-* Thu Mar 03 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.0-1
- rebase to 1.1.0
-Resolves: rhbz#2058450
- fixed CVE-2019-25058 usbguard: Fix unauthorized access via D-Bus
-Resolves: rhbz#2058466
-
-* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
-
-* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 1.0.0-8
- Rebuilt for protobuf 3.19.0
-
-* Mon Oct 25 2021 Adrian Reber <adrian@lisas.de> - 1.0.0-7
- Rebuilt for protobuf 3.18.1
-
-* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Wed Mar 31 2021 Jonathan Wakely <jwakely@redhat.com> - 1.0.0-5
- Rebuilt for removed libstdc++ symbols (#1937698)
-
-* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.0.0-4
- Rebuilt for updated systemd-rpm-macros
-  See https://pagure.io/fesco/issue/2583.
-
-* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Sat Jan 16 12:49:32 CET 2021 Adrian Reber <adrian@lisas.de> - 1.0.0-2
- Rebuilt for protobuf 3.14
-
-* Thu Jan 14 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-1
- rebase usbguard to 1.0.0
- added support for rules covering combination of classes
- fix usbguard being killed
-Resolves: rhbz#1916039
-Resolves: rhbz#1861330
-Resolves: rhbz#1905257
-
-* Wed Jan 13 14:43:57 CET 2021 Adrian Reber <adrian@lisas.de> - 0.7.8-6
- Rebuilt for protobuf 3.14
-
-* Thu Sep 24 2020 Adrian Reber <adrian@lisas.de> - 0.7.8-5
- Rebuilt for protobuf 3.13
-
-* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.8-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-3
- rebase selinux tarball to v0.0.4
- enable forking style in unit file
- set DevicePolicy to closed in unit file
- usbguard prevented from writing conf via dontaudit rule
-Resolves: rhbz#1804713
-Resolves: rhbz#1789923
-
-* Sun Jun 14 2020 Adrian Reber <adrian@lisas.de> - 0.7.8-2
- Rebuilt for protobuf 3.12
-
-* Tue May 19 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-1
- rebase usbguard to 0.7.8
- rebase usbguard-selinux to 0.0.3
- added rules.d/ directory
-Resolves: rhbz#1808527
-
-* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.6-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Thu Dec 19 2019 Orion Poplawski <orion@nwra.com> - 0.7.6-7
- Rebuild for protobuf 3.11
-
-* Wed Dec 18 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-6
- fix selinux problems
-
-* Mon Dec 02 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-5
- obsolete applet-qt subpackage
-
-* Mon Nov 25 2019 Attila Lakatos <alakatos@redhat.com> - 0.7.6-4
- added patch for libqb related permission issues
-  resolves: rhbz#1776357
- added patch to ensure that usbguard-daemons is still running after locked screen
-  resolves: rhbz#1751861
- added patch to fix permanent device policy changes
-
-* Wed Nov 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-3
- fixed typo in specfile
- usbguard.conf was generated incorrectly
-
-* Wed Nov 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-2
- added selinux subpackage
-
-* Mon Nov 11 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-1
- rebase to 0.7.6
- removed usbguard-applet subpackage which is not in upstream anymore
-
-* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Wed Nov 21 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.7.2-6
- Rebuild for protobuf 3.6
-
-* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Thu Apr 05 2018 Daniel Kopeček <dkopecek@redhat.com> - 0.7.2-4
- Update to latest PEGTL API
+* Wed Jul 11 2018 Daniel Kopeček <dkopecek@redhat.com> - 0.7.4-1
+- Update to 0.7.4
+- Replaced asciidoctor dependency with asciidoc
+- Disabled Qt applet

 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
--- a/ci_tests.fmf
+++ b/ci_tests.fmf
@ -1,12 +0,0 @@
-/e2e:
-  plan:
-    import:
-      url: https://github.com/RedHat-SP-Security/usbguard-plans.git
-      name: /generic/e2e_ci
-
-/rpmverify:
-  plan:
-    import:
-      url: https://github.com/RedHat-SP-Security/usbguard-plans.git
-      name: /generic/rpmverify
-
--- a/gating.yaml
+++ b/gating.yaml
@ -1,6 +0,0 @@
--- !Policy
-product_versions:
-  - rhel-10
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/3
+++ b/3
@ -1,3 +0,0 @@
-SHA512 (usbguard-notifier-0.1.1.tar.gz) = 5540739301f4f4c83f7443b740cf7345be7928f3ed697878094dee1752eac7dedfab9eb652856bfa555be9bfa24687c4b74194afa022973848af13328f0ca1ba
-SHA512 (usbguard-1.1.3.tar.gz) = 530bfea12ec8497c30d530c73f868207aad8b0e0e917cb7c7506f6148681a6a4ff12de5cddcfea458eb2b91ce8bb8b0e68d42e2590a4dc6b15f43c18f8256cf1
-SHA512 (usbguard-selinux-0.0.5.tar.gz) = 72b12e6a44dddfd863909f82e288170f935c4e941cb65678cd544fd0fa33ecce0a794c4b620dea9f496a45f2035d3b3b6dde662319db200eaff38e26999c4496
--- a/tmpfiles.patch
+++ b/tmpfiles.patch
@ -1,58 +0,0 @@
-From 306cad81aee91d6adb61acdb9f1a9900fe2a13cd Mon Sep 17 00:00:00 2001
-From: Cropi <alakatos@redhat.com>
-Date: Thu, 6 Feb 2025 08:00:59 +0100
-Subject: [PATCH] =?UTF-8?q?At=20boot=20time,=20systemd=E2=80=91tmpfiles=20?=
- =?UTF-8?q?processes=20this=20file=20and=20creates=20/var/log/usbguard=20s?=
- =?UTF-8?q?o=20that=20the=20usbguard=20service=20can=20start=20successfull?=
- =?UTF-8?q?y.?=
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
---
- Makefile.am            | 13 +++++++++++--
- usbguard-tmpfiles.conf |  1 +
- 2 files changed, 12 insertions(+), 2 deletions(-)
- create mode 100644 usbguard-tmpfiles.conf
-
-diff --git a/Makefile.am b/Makefile.am
-index 7dc6849..2a8bfeb 100644
--- a/Makefile.am
-+++ b/Makefile.am
-@@ -90,8 +90,8 @@ $(top_builddir)/%.roff: %.adoc
- 	$(INSTALL) -m 644 $(top_builddir)/$(@:.roff=) $(top_builddir)/$@
- endif
- 
-install-data-hook: install-daemon-conf install-systemd-service install-data-dbus
-uninstall-hook: uninstall-daemon-conf uninstall-systemd-service uninstall-data-dbus
-+install-data-hook: install-daemon-conf install-systemd-service install-data-dbus install-tmpfiles
-+uninstall-hook: uninstall-daemon-conf uninstall-systemd-service uninstall-data-dbus uninstall-tmpfiles
- 
- CLEANFILES+=\
- 	$(top_builddir)/usbguard-daemon.conf
-@@ -106,6 +106,15 @@ usbguard_confdir= $(sysconfdir)/usbguard
- 
- distuninstallcheck_listfiles= find . -type f ! -name rules.conf -print
- 
-+EXTRA_DIST+=usbguard-tmpfiles.conf
-+
-+install-tmpfiles:
-+	mkdir -p ${DESTDIR}$(prefix)/lib/tmpfiles.d/
-+	$(INSTALL_DATA) -m 640 ${srcdir}/usbguard-tmpfiles.conf ${DESTDIR}$(prefix)/lib/tmpfiles.d/usbguard.conf
-+
-+uninstall-tmpfiles:
-+	rm ${DESTDIR}$(prefix)/lib/tmpfiles.d/usbguard.conf
-+
- install-daemon-conf: $(top_builddir)/usbguard-daemon.conf
- 	$(MKDIR_P) $(DESTDIR)/$(usbguard_confdir)
- 	$(MKDIR_P) $(DESTDIR)/$(usbguard_confdir)/IPCAccessControl.d
-diff --git a/usbguard-tmpfiles.conf b/usbguard-tmpfiles.conf
-new file mode 100644
-index 0000000..e90908f
--- /dev/null
-+++ b/usbguard-tmpfiles.conf
-@@ -0,0 +1 @@
-+d /var/log/usbguard 0700 root root - -
-- 
-2.48.1
-
--- a/usbguard-revert-catch.patch
+++ b/usbguard-revert-catch.patch
@ -1,17 +0,0 @@
-diff -up ./configure.ac.fix ./configure.ac
--- ./configure.ac.fix	2022-03-03 15:05:03.357194713 +0100
-+++ ./configure.ac	2022-03-03 15:06:02.849787794 +0100
-@@ -394,11 +394,11 @@ if test "x$with_bundled_catch" = xyes; t
- 	catch_summary="bundled; $catch_CFLAGS $catch_LIBS"
- else
- 	SAVE_CPPFLAGS=$CPPFLAGS
-	CPPFLAGS="-std=c++17 $CPPFLAGS -I/usr/include/catch2"
-+	CPPFLAGS="-std=c++17 $CPPFLAGS -I/usr/include/catch"
- 	AC_LANG_PUSH([C++])
- 	AC_CHECK_HEADER([catch.hpp], [], [AC_MSG_FAILURE(catch.hpp not found or not usable. Re-run with --with-bundled-catch to use the bundled library.)])
- 	AC_LANG_POP
-	catch_CFLAGS="-I/usr/include/catch2"
-+	catch_CFLAGS="-I/usr/include/catch"
- 	catch_LIBS=""
- 	CPPFLAGS=$SAVE_CPPFLAGS
- 	catch_summary="system-wide; $catch_CFLAGS $catch_LIBS"