.gitignore

@@ -1,3 +1,3 @@
 SOURCES/usbguard-1.0.0.tar.gz
 SOURCES/usbguard-notifier-0.0.6.tar.gz
-SOURCES/usbguard-selinux-0.0.3.tar.gz
+SOURCES/usbguard-selinux-0.0.4.tar.gz

.usbguard.metadata

@@ -1,3 +1,3 @@
 bf909799daae6798634e1b01efaaadc5781b9755 SOURCES/usbguard-1.0.0.tar.gz
 7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
-e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz
+40db29405c2236791ca5ce616d9e563a8309356e SOURCES/usbguard-selinux-0.0.4.tar.gz

SOURCES/usbguard-dbus-CVE-leak.patch

@@ -1,6 +1,6 @@
 diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp
---- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig	2022-10-18 10:33:04.498762878 +0200
-+++ usbguard-1.0.0/src/DBus/DBusBridge.cpp	2022-10-18 10:33:36.920785285 +0200
+--- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig	2022-11-23 08:57:40.119760422 +0100
++++ usbguard-1.0.0/src/DBus/DBusBridge.cpp	2022-11-23 08:58:22.380845720 +0100
 @@ -434,12 +434,11 @@ namespace usbguard
      USBGUARD_LOG(Trace) << "Connecting with Polkit authority...";
      PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error);

SOURCES/usbguard-disable-console-log.patch

@@ -1,12 +1,12 @@
 diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
---- usbguard-1.0.0/usbguard.service.in.orig	2023-01-12 13:17:14.200064956 +0100
-+++ usbguard-1.0.0/usbguard.service.in	2023-01-12 13:17:22.588078994 +0100
+--- usbguard-1.0.0/usbguard.service.in.orig	2023-01-12 13:22:23.032554498 +0100
++++ usbguard-1.0.0/usbguard.service.in	2023-01-12 13:22:33.082568210 +0100
 @@ -8,7 +8,7 @@ OOMScoreAdjust=-1000
  AmbientCapabilities=
  CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
  DevicePolicy=closed
 -ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
 +ExecStart=%sbindir%/usbguard-daemon -f -s -K -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
  LockPersonality=yes
  MemoryDenyWriteExecute=yes
- NoNewPrivileges=yes

SOURCES/usbguard-ipaddressdeny.patch

@@ -1,11 +0,0 @@
-diff --color -ru a/usbguard.service.in b/usbguard.service.in
---- a/usbguard.service.in	2021-09-07 16:33:49.911540537 +0200
-+++ b/usbguard.service.in	2021-09-07 16:37:20.788885123 +0200
-@@ -8,7 +8,6 @@
- CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
- DevicePolicy=closed
- ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
--IPAddressDeny=any
- LockPersonality=yes
- MemoryDenyWriteExecute=yes
- NoNewPrivileges=yes

SOURCES/usbguard-ipc-override-fix.patch

@@ -1,6 +1,6 @@
 diff --color -ru a/src/Library/IPCServerPrivate.cpp b/src/Library/IPCServerPrivate.cpp
 --- a/src/Library/IPCServerPrivate.cpp	2020-11-23 15:56:12.979847655 +0100
-+++ b/src/Library/IPCServerPrivate.cpp	2021-09-15 10:02:51.641082533 +0200
++++ b/src/Library/IPCServerPrivate.cpp	2021-10-14 12:33:12.462503822 +0200
 @@ -567,10 +567,12 @@
    bool IPCServerPrivate::authenticateIPCConnectionDAC(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const
    {

SOURCES/usbguard-notifier-decrease-spam.patch

@@ -1,6 +1,6 @@
 diff --color -ru a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 b/usbguard-notifier-0.0.6/man/usbguard-notifier.1
---- a/usbguard-notifier-0.0.6/man/usbguard-notifier.1	2021-09-24 13:08:23.304639109 +0200
-+++ b/usbguard-notifier-0.0.6/man/usbguard-notifier.1	2021-09-24 13:16:14.177186425 +0200
+--- a/usbguard-notifier-0.0.6/man/usbguard-notifier.1	2021-10-14 12:44:57.816146101 +0200
++++ b/usbguard-notifier-0.0.6/man/usbguard-notifier.1	2021-10-14 12:46:14.442519466 +0200
 @@ -39,7 +39,12 @@
  .PP
  \fB\-w, \-\-wait\fR
@@ -82,7 +82,7 @@ diff --color -ru a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 b/usbguard-no
  usbguard(1)
 diff --color -ru a/usbguard-notifier-0.0.6/src/Main.cpp b/usbguard-notifier-0.0.6/src/Main.cpp
 --- a/usbguard-notifier-0.0.6/src/Main.cpp	2020-03-04 08:59:49.138771474 +0100
-+++ b/usbguard-notifier-0.0.6/src/Main.cpp	2021-09-24 13:07:41.322966320 +0200
++++ b/usbguard-notifier-0.0.6/src/Main.cpp	2021-10-14 12:46:14.443519484 +0200
 @@ -20,6 +20,7 @@
  #include "Log.hpp"
  #include "Notifier.hpp"
@@ -170,7 +170,7 @@ diff --color -ru a/usbguard-notifier-0.0.6/src/Main.cpp b/usbguard-notifier-0.0.
  }
 diff --color -ru a/usbguard-notifier-0.0.6/usbguard-notifier.service.in b/usbguard-notifier-0.0.6/usbguard-notifier.service.in
 --- a/usbguard-notifier-0.0.6/usbguard-notifier.service.in	2020-03-04 09:00:32.019254871 +0100
-+++ b/usbguard-notifier-0.0.6/usbguard-notifier.service.in	2021-09-24 13:07:41.322966320 +0200
++++ b/usbguard-notifier-0.0.6/usbguard-notifier.service.in	2021-10-14 12:46:14.444519502 +0200
 @@ -3,7 +3,7 @@
  After=usbguard.service
  

SOURCES/usbguard-notifier-icon-injection.patch

@@ -1,82 +0,0 @@
-diff --color -ru a/usbguard-notifier-0.0.6/Makefile.am b/usbguard-notifier-0.0.6/Makefile.am
---- a/usbguard-notifier-0.0.6/Makefile.am	2021-11-18 11:38:43.704876330 +0100
-+++ b/usbguard-notifier-0.0.6/Makefile.am	2021-11-18 11:35:39.108500175 +0100
-@@ -35,6 +35,7 @@
- 	src/ThirdParty/Catch2/single_include/catch2
- 
- usbguard_notifier_SOURCES = \
-+	src/usbguard-icon.hpp \
- 	src/Notifier.hpp \
- 	src/NotifyWrapper.hpp \
- 	src/Serializer.hpp \
-@@ -43,8 +44,7 @@
- 	src/Notifier.cpp \
- 	src/NotifyWrapper.cpp \
- 	src/Serializer.cpp \
--	src/Log.cpp \
--	icons/usbguard-icon.svg
-+	src/Log.cpp
- 
- usbguard_notifier_LDFLAGS = \
- 	@rsvg_LIBS@ \
-@@ -65,7 +65,8 @@
- endif
- 
- BUILT_SOURCES = \
--	src/BuildConfig.h
-+	src/BuildConfig.h \
-+	src/usbguard-icon.hpp
- 
- usbguard_notifier_cli_SOURCES = \
- 	src/Serializer.hpp \
-@@ -109,8 +110,16 @@
- #
- # usbguard icon
- #
--.svg.o:
--	$(LD) -r -b binary -o $@ $<
-+EXTRA_DIST += \
-+	$(top_builddir)/icons/usbguard-icon.svg
-+
-+$(top_builddir)/src/usbguard-icon.hpp: $(top_builddir)/icons/usbguard-icon.svg
-+	echo -e "#ifndef ICON_HPP\n#define ICON_HPP\nnamespace notify {\nconst char *icon =" > $@
-+	$(SED) 's/"/\\"/g' $^ | $(SED) 's/^/"/' | $(SED) 's/$$/\\n"/' >> $@
-+	echo -e ";\n}\n#endif" >> $@
-+
-+CLEANFILES += \
-+	$(top_builddir)/src/usbguard-icon.hpp
- 
- #
- # unit file
-diff --color -ru a/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp b/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp
---- a/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp	2020-03-02 11:55:25.932999263 +0100
-+++ b/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp	2021-11-18 11:29:52.825157237 +0100
-@@ -18,14 +18,13 @@
-  */
- 
- #include "NotifyWrapper.hpp"
-+#include "usbguard-icon.hpp"
- 
-+#include <cstring>
- #include <stdexcept>
- 
- #include <librsvg-2.0/librsvg/rsvg.h>
- 
--extern char _binary_icons_usbguard_icon_svg_start[];
--extern char _binary_icons_usbguard_icon_svg_end[];
--
- namespace notify
- {
- 
-@@ -54,10 +53,7 @@
- Notification::Notification(const std::string& summary, const std::string& body)
-     : _n(notify_notification_new(summary.c_str(), body.c_str(), nullptr))
- {
--    RsvgHandle* handle = rsvg_handle_new_from_data(
--            (const guint8*)(_binary_icons_usbguard_icon_svg_start),
--            _binary_icons_usbguard_icon_svg_end - _binary_icons_usbguard_icon_svg_start,
--            nullptr);
-+    RsvgHandle* handle = rsvg_handle_new_from_data((const guint8*)icon, std::strlen(icon), nullptr);
-     if (!handle) {
-         throw std::runtime_error("Failed to obtain rsvg handle");
-     }

SOURCES/usbguard-selinux-audit-capability.patch

@@ -1,6 +1,6 @@
-diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te
---- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig	2021-03-17 15:08:59.975712403 +0100
-+++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te	2021-03-17 15:09:21.565708348 +0100
+diff -up usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te
+--- usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig	2021-03-23 10:32:56.239139027 +0100
++++ usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te	2021-03-23 10:33:05.718229143 +0100
 @@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t)
  # Local policy
  #

SOURCES/usbguard-selinux-cpuinfo.patch

@@ -1,12 +0,0 @@
-diff -up ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo ./usbguard-selinux-0.0.3/usbguard.te
---- ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo	2020-06-18 15:53:40.161615146 +0200
-+++ ./usbguard-selinux-0.0.3/usbguard.te	2020-06-18 15:54:28.399982328 +0200
-@@ -77,6 +77,8 @@ auth_read_passwd(usbguard_t)
- dev_list_sysfs(usbguard_t)
- dev_rw_sysfs(usbguard_t)
- 
-+kernel_read_system_state(usbguard_t)
-+
- list_dirs_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
- read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
- dontaudit usbguard_t usbguard_conf_t:file write;

SOURCES/usbguard-selinux-dbus-CVE.patch

@@ -1,7 +1,7 @@
-diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te
---- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig	2022-08-24 16:14:30.810875871 +0200
-+++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te	2022-08-24 16:15:50.064906117 +0200
-@@ -100,7 +100,6 @@ logging_log_filetrans(usbguard_t, usbgua
+diff -up usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te
+--- usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig	2022-08-17 09:17:13.995269603 +0200
++++ usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te	2022-08-17 09:18:47.439260009 +0200
+@@ -99,7 +99,6 @@ logging_log_filetrans(usbguard_t, usbgua
  
  logging_send_syslog_msg(usbguard_t)
  
@@ -9,7 +9,7 @@ diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/u
  usbguard_ipc_access(usbguard_t)
  
  tunable_policy(`usbguard_daemon_write_rules',`
-@@ -111,6 +110,15 @@ tunable_policy(`usbguard_daemon_write_co
+@@ -110,6 +109,14 @@ tunable_policy(`usbguard_daemon_write_co
  	rw_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
  ')
  
@@ -20,7 +20,6 @@ diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/u
 +		policykit_dbus_chat(usbguard_t)
 +	')
 +')
-+
 +
  # Allow confined users to communicate with usbguard over unix socket
  optional_policy(`

SOURCES/usbguard-selinux-list-dir.patch

@@ -1,11 +0,0 @@
-diff -up ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir ./usbguard-selinux-0.0.3/usbguard.te
---- ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir	2020-06-09 10:53:03.191977241 +0200
-+++ ./usbguard-selinux-0.0.3/usbguard.te	2020-06-09 10:54:21.441965315 +0200
-@@ -81,6 +81,7 @@ list_dirs_pattern(usbguard_t,usbguard_co
- read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
- dontaudit usbguard_t usbguard_conf_t:file write;
- 
-+list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)
- read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)
- 
- manage_dirs_pattern(usbguard_t, usbguard_var_run_t, usbguard_var_run_t)

SOURCES/usbguard-selinux-rules-d.patch

@@ -1,22 +0,0 @@
-From 008af22f238bfb97f6d337759732ac87bdef7b24 Mon Sep 17 00:00:00 2001
-From: alakatos <alakatos@redhat.com>
-Date: Mon, 25 May 2020 15:27:38 +0200
-Subject: [PATCH] /etc/usrbuard/rules.d(/.*)? has usbguard_rules_t label right
- after the installation
-
----
- usbguard.fc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/usbguard.fc b/usbguard.fc
-index bce3e8c..3e14720 100644
---- a/usbguard-selinux-0.0.3/usbguard.fc
-+++ b/usbguard-selinux-0.0.3/usbguard.fc
-@@ -13,6 +13,7 @@
- # You should have received a copy of the GNU General Public License
- # along with this program.  If not, see <http://www.gnu.org/licenses/>.
- 
-+/etc/usbguard/rules\.d(/.*)?                 gen_context(system_u:object_r:usbguard_rules_t,s0)
- /etc/usbguard/rules.conf                  -- gen_context(system_u:object_r:usbguard_rules_t,s0)
- /etc/usbguard(/.*)?                          gen_context(system_u:object_r:usbguard_conf_t,s0)
- /dev/shm/qb-usbguard-.*                   -- gen_context(system_u:object_r:usbguard_tmpfs_t,s0)

SOURCES/usbguard-service-pidfile.patch

@@ -0,0 +1,24 @@
+From 6a596441eb91215898542bce4aadabfe396a3875 Mon Sep 17 00:00:00 2001
+From: Birger Schacht <1143280+b1rger@users.noreply.github.com>
+Date: Mon, 18 Jan 2021 15:00:47 +0000
+Subject: [PATCH] Write PIDFile to /run instead of /var/run
+
+According to https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s13.html regarding /var/run:
+This directory was once intended for system information data describing the system since it was booted. These functions have been moved to /run; this directory exists to ensure compatibility with systems and software using an older version of this specification.
+---
+ usbguard.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usbguard.service.in b/usbguard.service.in
+index 0d7e193c..2ec8c633 100644
+--- a/usbguard.service.in
++++ b/usbguard.service.in
+@@ -12,7 +12,7 @@ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
+-PIDFile=/var/run/usbguard.pid
++PIDFile=/run/usbguard.pid
+ PrivateDevices=yes
+ PrivateTmp=yes
+ ProtectControlGroups=yes

SOURCES/usbguard-validate-acl.patch

@@ -1,6 +1,6 @@
 diff --color -ru a/doc/man/usbguard.1.adoc b/doc/man/usbguard.1.adoc
---- a/doc/man/usbguard.1.adoc	2021-09-20 09:08:55.134538747 +0200
-+++ b/doc/man/usbguard.1.adoc	2021-09-20 16:46:48.266557561 +0200
+--- a/doc/man/usbguard.1.adoc	2020-11-23 15:56:12.977847682 +0100
++++ b/doc/man/usbguard.1.adoc	2021-10-14 12:39:11.949947187 +0200
 @@ -282,6 +282,7 @@
  ....
  
@@ -10,8 +10,8 @@ diff --color -ru a/doc/man/usbguard.1.adoc b/doc/man/usbguard.1.adoc
  
  === *remove-user* 'name' ['OPTIONS']
 diff --color -ru a/doc/man/usbguard-daemon.conf.5.adoc b/doc/man/usbguard-daemon.conf.5.adoc
---- a/doc/man/usbguard-daemon.conf.5.adoc	2021-09-20 09:08:55.135538763 +0200
-+++ b/doc/man/usbguard-daemon.conf.5.adoc	2021-09-20 13:20:09.788855176 +0200
+--- a/doc/man/usbguard-daemon.conf.5.adoc	2020-11-23 15:56:12.977847682 +0100
++++ b/doc/man/usbguard-daemon.conf.5.adoc	2021-10-14 12:39:11.953947259 +0200
 @@ -162,6 +162,8 @@
  
   ** list: Get values of run-time parameters.
@@ -22,8 +22,8 @@ diff --color -ru a/doc/man/usbguard-daemon.conf.5.adoc b/doc/man/usbguard-daemon
  It allows one to modify USB device authorization state (`Devices=modify`), list USB devices (`Devices=list`), listen to USB device related events (`Devices=listen`), list USB authorization policy rules (`Policy=list`) and listen to exception events (`Exceptions=listen`):
  
 diff --color -ru a/src/Library/public/usbguard/IPCServer.cpp b/src/Library/public/usbguard/IPCServer.cpp
---- a/src/Library/public/usbguard/IPCServer.cpp	2021-09-20 09:08:55.206539917 +0200
-+++ b/src/Library/public/usbguard/IPCServer.cpp	2021-09-22 10:38:28.703655497 +0200
+--- a/src/Library/public/usbguard/IPCServer.cpp	2020-11-23 15:56:12.979847655 +0100
++++ b/src/Library/public/usbguard/IPCServer.cpp	2021-10-14 12:39:11.954947277 +0200
 @@ -159,18 +159,25 @@
        throw USBGUARD_BUG("Cannot set privileges for NONE section");
      }
@@ -83,8 +83,8 @@ diff --color -ru a/src/Library/public/usbguard/IPCServer.cpp b/src/Library/publi
      : d_pointer(usbguard::make_unique<IPCServerPrivate>(*this))
    {
 diff --color -ru a/src/Library/public/usbguard/IPCServer.hpp b/src/Library/public/usbguard/IPCServer.hpp
---- a/src/Library/public/usbguard/IPCServer.hpp	2021-09-20 09:08:55.200539819 +0200
-+++ b/src/Library/public/usbguard/IPCServer.hpp	2021-09-20 13:11:31.476803776 +0200
+--- a/src/Library/public/usbguard/IPCServer.hpp	2020-10-11 17:43:43.519295669 +0200
++++ b/src/Library/public/usbguard/IPCServer.hpp	2021-10-14 12:39:11.955947295 +0200
 @@ -278,6 +278,17 @@
        };
  

SPECS/usbguard.spec

@@ -1,14 +1,14 @@
 %global _hardened_build 1
 %global selinuxtype targeted
 %global moduletype contrib
-%define semodule_version 0.0.3
+%define semodule_version 0.0.4
 %define notifier_version 0.0.6
 
 %bcond_without check
 
 Name:           usbguard
 Version:        1.0.0
-Release:        13%{?dist}
+Release:        15%{?dist}
 Summary:        A tool for implementing USB device usage policy
 Group:          System Environment/Daemons
 License:        GPLv2+
@@ -51,25 +51,21 @@ BuildRequires: libxslt
 BuildRequires: libxml2
 
 Patch1: usbguard-0.7.6-notifier.patch
-Patch2: usbguard-selinux-rules-d.patch
-Patch3: usbguard-selinux-list-dir.patch
-Patch4: usbguard-selinux-cpuinfo.patch
-Patch5: usbguard-audit-capability.patch
-Patch6: usbguard-selinux-audit-capability.patch
-Patch7: usbguard-ipaddressdeny.patch
-Patch8: usbguard-ipc-override-fix.patch
-Patch9: usbguard-validate-acl.patch
-Patch10: usbguard-notifier-decrease-spam.patch
-Patch11: usbguard-notifier-icon-injection.patch
-Patch12: usbguard-dbus-CVE.patch
-Patch13: usbguard-selinux-dbus-CVE.patch
-Patch14: usbguard-dbus-CVE-leak.patch
-Patch15: usbguard-daemon-race-condition.patch
-Patch16: usbguard-OOMScoreAdjust.patch
-Patch17: usbguard-consistent-rules.patch
-Patch18: usbguard-missing-doc.patch
-Patch19: usbguard-permanent-rules.patch
-Patch20: usbguard-disable-console-log.patch
+Patch2: usbguard-audit-capability.patch
+Patch3: usbguard-selinux-audit-capability.patch
+Patch4: usbguard-service-pidfile.patch
+Patch5: usbguard-ipc-override-fix.patch
+Patch6: usbguard-validate-acl.patch
+Patch7: usbguard-notifier-decrease-spam.patch
+Patch8: usbguard-dbus-CVE.patch
+Patch9: usbguard-selinux-dbus-CVE.patch
+Patch10: usbguard-dbus-CVE-leak.patch
+Patch11: usbguard-OOMScoreAdjust.patch
+Patch12: usbguard-daemon-race-condition.patch
+Patch13: usbguard-consistent-rules.patch
+Patch14: usbguard-missing-doc.patch
+Patch15: usbguard-permanent-rules.patch
+Patch16: usbguard-disable-console-log.patch
 
 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@@ -147,25 +143,21 @@ device presence changes and displays them as pop-up notifications.
 rm -rf src/ThirdParty/{Catch,PEGTL}
 
 %patch1 -p1 -b .notifier
-%patch2 -p1 -b .rules-d-selinux
-%patch3 -p1 -b .list-dir
-%patch4 -p1 -b .cpuinfo
-%patch5 -p1 -b .audit-capability
-%patch6 -p1 -b .selinux-audit-capability
-%patch7 -p1 -b .ipaddressdeny
-%patch8 -p1 -b .ipc-override-fix
-%patch9 -p1 -b .validate-acl
-%patch10 -p1 -b .notifier-decrease-spam
-%patch11 -p1 -b .notifier-icon-injection
-%patch12 -p1 -b .dbus-CVE
-%patch13 -p1 -b .selinux-dbus-CVE
-%patch14 -p1 -b .dbus-CVE-leak
-%patch15 -p1 -b .daemon-race
-%patch16 -p1 -b .OOMScoreAdjust
-%patch17 -p1 -b .consistent-rules
-%patch18 -p1 -b .missing-doc
-%patch19 -p1 -b .permanent-rules
-%patch20 -p1 -b .disable-syslog
+%patch2 -p1 -b .audit-write
+%patch3 -p1 -b .selinux-audit-write
+%patch4 -p1 -b .pidfile
+%patch5 -p1 -b .ipc-override-fix
+%patch6 -p1 -b .validate-acl
+%patch7 -p1 -b .notifier-decrease-spam
+%patch8 -p1 -b .dbus-CVE
+%patch9 -p1 -b .selinux-dbus-CVE
+%patch10 -p1 -b .dbus-CVE-leak
+%patch11 -p1 -b .oomscore-adjust
+%patch12 -p1 -b .race-condition
+%patch13 -p1 -b .consistent-rules
+%patch14 -p1 -b .missing-doc
+%patch15 -p1 -b .permanent-rules
+%patch16 -p1 -b .disable-syslog
 
 %build
 mkdir -p ./m4
@@ -330,104 +322,146 @@ fi
 
 
 %changelog
-* Thu Jan 12 2023 Attila Lakatos <alakatos@redhat.com> - 1.0.0-13
-- Set OOMScoreAdjust to -1000 in service file
-Resolves: rhbz#2159411
-- Fix race condition in usbguard-daemon when forking
-Resolves: rhbz#2159409
-- Add missing files to documentation
-Resolves: rhbz#2159412
+* Thu Jan 12 2023 Attila Lakatos <alakatos@redhat.com> - 1.0.0-15
 - Disable logging to console, logging to syslog is still enabled
+Resolves: rhbz#2122109
 - Store permanent rules even if RuleFile is not set but RuleFolder is
+Resolves: rhbz#2155910
+
+* Mon Nov 28 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-12
+- Set OOMScoreAdjust to -1000 in service file
+Resolves: rhbz#2097419
+- Fix race condition in usbguard-daemon when forking
+Resolves: rhbz#2042345
+- Add missing files to documentation
+Resolves: rhbz#2122107
 - Neither RuleFolder nor RuleFile exists bugfix
-Resolves: rhbz#2159413
+Resolves: rhbz#2122109
 - Remove build for i686 arch
-Resolves: rhbz#2105091
+Resolves: rhbz#2126622
 
-* Wed Aug 24 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-10
+* Tue Aug 16 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-11
 - Fix unauthorized access via D-bus
-- Fix memory leaks on connection failure to D-bus
-Resolves: rhbz#2059067
+- Fix memory leak when connection to dbus is broken
+Resolves: rhbz#2059068
 
-* Mon Nov 29 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-8
-- change usbguard icon injection
+* Mon Oct 25 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-10
 - fix DSP module definition in spec file
-Resolves: rhbz#2014441
-- add execstack to spec
-- remove IPAddressDeny from usbguard service
-Resolves: rhbz#1929364
-- fix file conflict when installing usbguard on rhel
-Resolves: rhbz#1963271
+Resolves: rhbz#2014442
 - fix IPC access control files override
-Resolves: rhbz#2004511
+Resolves: rhbz#2009227
 - validate ACL permission existence
-Resolves: rhbz#2005020
+Resolves: rhbz#2009229
 - decrease usbguard-notifier spam when denied connection
-Resolves: rhbz#2000000
+Resolves: rhbz#2009226
 
-* Wed Mar 17 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-2
-- Add CAP_AUDIT_WRITE capability to service file
-Resolves: rhbz#1940060
+* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.0-8
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
 
-* Tue Jan 19 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-1
-- Rebase to 1.0.0
-Resolves: rhbz#1887448
-- Filtering rules by attribute
-Resolves: rhbz#1873953
-- Change device policy of multiple devices using rule instead of ID
-Resolves: rhbz#1852568
+* Wed Jul 28 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.0-7
+RHEL 9 BETA
+- starting usbguard service complains about PIDFile= references a path below legacy directory /var/run/
+Resolves: rhbz#1985627
+- file conflict when installing usbguard on rhel
+Resolves: rhbz#1986785
 
-* Tue Aug 11 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-7
-- Do not cause segfault in case of an empty rulesd folder
-Resolves: rhbz#1738590
+* Fri Apr 16 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-6
+- Clear executable stack flag on usbguard-notifier
+Resolves: rhbz#1917544
 
-* Wed Aug 05 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-6
-- RHEL 8.3.0 ERRATUM
-- Removed execstack from .spec
-- Removed AuthorizedDefault=wired from the usbguard
-Resolves: rhbz#1852539
-- Missing error message on bad configuration
-Resolves: rhbz#1857299
-- /etc/usbguard/usbguard-daemon.conf file does not contain all default options
-Resolves: rhbz#1862907
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.0-5
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 
-* Wed Jun 17 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-5
-- RHEL 8.3.0 ERRATUM
-- Use old-fasioned forking style in unit file
-Resolves: rhbz#1846885
-- Allow usbguard to read /proc/cpuinfo
-Resolves: rhbz#1847870
-- Removed notifier's Requires for usbguard-devel
-Resolves: rhbz#1667395
-- Allow usbguard to read /dev/urandom
-Resolves: rhbz#1848618
+* Fri Feb 19 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-4
+- sync with rhel-8.4.0 branch
+- bundle usbguard-notifier as subpackage
+Resolves: rhbz#1917544
 
-* Wed May 06 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-4
-- RHEL 8.3.0 ERRATUM
-- Spec file clean up
-- Rebase to 0.7.8
-Resolves: rhbz#1738590
-- Added selinux subpackage
-Resolves: rhbz#1683567
-- Added notifier subpackage
-- Installing /etc/usbguard/rules.d/
-Resolves: rhbz#1667395
-- Fixed sigwaitinfo handling
-Resolves: rhbz#1835210
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
-* Mon Nov 25 2019 Marek Tamaskovic <mtamasko@redhat.com> - 0.7.4-4
-- add match-all keyword
+* Sat Jan 16 12:49:32 CET 2021 Adrian Reber <adrian@lisas.de> - 1.0.0-2
+- Rebuilt for protobuf 3.14
 
-* Tue May 21 2019 Daniel Kopeček <dkopecek@redhat.com> - 0.7.4-3
-- spec: make the check phase conditional
+* Thu Jan 14 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-1
+- rebase usbguard to 1.0.0
+- added support for rules covering combination of classes
+- fix usbguard being killed
+Resolves: rhbz#1916039
+Resolves: rhbz#1861330
+Resolves: rhbz#1905257
 
-* Fri Dec 14 2018 Jiri Vymazal <jvymazal@redhat.com> - 0.7.4-2
-  Resolves: rhbz#1643057 - usbguard fails to report invalid value in IPCAccessControlFiles directive
+* Wed Jan 13 14:43:57 CET 2021 Adrian Reber <adrian@lisas.de> - 0.7.8-6
+- Rebuilt for protobuf 3.14
 
-* Wed Jul 11 2018 Daniel Kopeček <dkopecek@redhat.com> - 0.7.4-1
-- Update to 0.7.4
-- Replaced asciidoctor dependency with asciidoc
-- Disabled Qt applet
+* Thu Sep 24 2020 Adrian Reber <adrian@lisas.de> - 0.7.8-5
+- Rebuilt for protobuf 3.13
+
+* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.8-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-3
+- rebase selinux tarball to v0.0.4
+- enable forking style in unit file
+- set DevicePolicy to closed in unit file
+- usbguard prevented from writing conf via dontaudit rule
+Resolves: rhbz#1804713
+Resolves: rhbz#1789923
+
+* Sun Jun 14 2020 Adrian Reber <adrian@lisas.de> - 0.7.8-2
+- Rebuilt for protobuf 3.12
+
+* Tue May 19 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-1
+- rebase usbguard to 0.7.8
+- rebase usbguard-selinux to 0.0.3
+- added rules.d/ directory
+Resolves: rhbz#1808527
+
+* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.6-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Dec 19 2019 Orion Poplawski <orion@nwra.com> - 0.7.6-7
+- Rebuild for protobuf 3.11
+
+* Wed Dec 18 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-6
+- fix selinux problems
+
+* Mon Dec 02 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-5
+- obsolete applet-qt subpackage
+
+* Mon Nov 25 2019 Attila Lakatos <alakatos@redhat.com> - 0.7.6-4
+- added patch for libqb related permission issues
+  resolves: rhbz#1776357
+- added patch to ensure that usbguard-daemons is still running after locked screen
+  resolves: rhbz#1751861
+- added patch to fix permanent device policy changes
+
+* Wed Nov 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-3
+- fixed typo in specfile
+- usbguard.conf was generated incorrectly
+
+* Wed Nov 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-2
+- added selinux subpackage
+
+* Mon Nov 11 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-1
+- rebase to 0.7.6
+- removed usbguard-applet subpackage which is not in upstream anymore
+
+* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Wed Nov 21 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.7.2-6
+- Rebuild for protobuf 3.6
+
+* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Apr 05 2018 Daniel Kopeček <dkopecek@redhat.com> - 0.7.2-4
+- Update to latest PEGTL API
 
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild