import usbguard-1.0.0-10.el9_1.2

2 years ago · 27c8304040
parent c6bb5df54f
commit 27c8304040
4 changed files with 404 additions and 1 deletions
--- a/SOURCES/usbguard-dbus-CVE-leak.patch
+++ b/SOURCES/usbguard-dbus-CVE-leak.patch
@ -0,0 +1,31 @@
 diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp
 --- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig	2022-10-17 09:38:12.397308156 +0200
 +++ usbguard-1.0.0/src/DBus/DBusBridge.cpp	2022-10-17 09:38:46.947342059 +0200
@@ -434,12 +434,11 @@ namespace usbguard
     USBGUARD_LOG(Trace) << "Connecting with Polkit authority...";
     PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error);
 -    if (! authority || error) {
 +    if (! authority) {
       USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << ".";
       *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
       *authErrorMessage = "Failed to connect to Polkit authority";
       g_error_free(error);
 -      g_object_unref(authority);
       g_object_unref(subject);
       return false;
     }
@@ -470,12 +469,11 @@ namespace usbguard
         /*cancellable=*/ NULL,
         &error);
 -    if (! result || error) {
 +    if (! result) {
       USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << ".";
       *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
       *authErrorMessage = "Failed to check back with Polkit for authoriation.";
       g_error_free(error);
 -      g_object_unref(result);
       g_object_unref(details);
       g_object_unref(authority);
       g_object_unref(subject);
--- a/SOURCES/usbguard-dbus-CVE.patch
+++ b/SOURCES/usbguard-dbus-CVE.patch
@ -0,0 +1,335 @@
 diff -up usbguard-1.0.0/configure.ac.orig usbguard-1.0.0/configure.ac
 --- usbguard-1.0.0/configure.ac.orig	2022-08-16 10:24:34.345570913 +0200
 +++ usbguard-1.0.0/configure.ac	2022-08-16 10:24:34.307571236 +0200
@@ -399,7 +399,7 @@ if test "x$with_dbus" = xyes; then
   #
   # Check for required D-Bus modules
   #
 -  PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0],
 +  PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0 polkit-gobject-1],
   [AC_DEFINE([HAVE_DBUS], [1], [Required GDBus API available])
   dbus_summary="system-wide; $dbus_CFLAGS $dbus_LIBS"],
   [AC_MSG_FAILURE([Required D-Bus modules (dbus-1, gio-2.0) not found!])]
 diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp
 --- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig	2022-08-16 10:24:34.312571194 +0200
 +++ usbguard-1.0.0/src/DBus/DBusBridge.cpp	2022-08-16 10:28:28.595587136 +0200
@@ -21,6 +21,8 @@
 #endif
 #include "DBusBridge.hpp"
 +#include <polkit/polkit.h>
 +
 namespace usbguard
 {
   DBusBridge::DBusBridge(GDBusConnection* const gdbus_connection,
@@ -74,9 +76,19 @@ namespace usbguard
     return;
   }
 +  #define DBUS_AUTH_CHECK \
 +      GDBusError authErrorCode = G_DBUS_ERROR_FAILED; \
 +      const gchar* authErrorMessage = NULL; \
 +      if (! isAuthorizedByPolkit(invocation, &authErrorCode, &authErrorMessage)) { \
 +        g_dbus_method_invocation_return_error_literal(invocation, G_DBUS_ERROR, authErrorCode, authErrorMessage); \
 +        return; \
 +      }
 +
   void DBusBridge::handleRootMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation)
   {
     if (method_name == "getParameter") {
 +      DBUS_AUTH_CHECK
 +
       const char* name_cstr = nullptr;
       g_variant_get(parameters, "(&s)", &name_cstr);
       std::string name(name_cstr);
@@ -86,6 +98,8 @@ namespace usbguard
     }
     if (method_name == "setParameter") {
 +      DBUS_AUTH_CHECK
 +
       const char* name_cstr = nullptr;
       const char* value_cstr = nullptr;
       g_variant_get(parameters, "(&s&s)", &name_cstr, &value_cstr);
@@ -104,6 +118,8 @@ namespace usbguard
   void DBusBridge::handlePolicyMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation)
   {
     if (method_name == "listRules") {
 +      DBUS_AUTH_CHECK
 +
       const char* label_cstr = nullptr;
       g_variant_get(parameters, "(&s)", &label_cstr);
       std::string label(label_cstr);
@@ -136,6 +152,8 @@ namespace usbguard
     }
     if (method_name == "appendRule") {
 +      DBUS_AUTH_CHECK
 +
       const char* rule_spec_cstr = nullptr;
       uint32_t parent_id = 0;
       gboolean temporary = false;
@@ -147,6 +165,8 @@ namespace usbguard
     }
     if (method_name == "removeRule") {
 +      DBUS_AUTH_CHECK
 +
       uint32_t rule_id = 0;
       g_variant_get(parameters, "(u)", &rule_id);
       removeRule(rule_id);
@@ -163,6 +183,8 @@ namespace usbguard
     GDBusMethodInvocation* invocation)
   {
     if (method_name == "listDevices") {
 +      DBUS_AUTH_CHECK
 +
       const char* query_cstr = nullptr;
       g_variant_get(parameters, "(&s)", &query_cstr);
       std::string query(query_cstr);
@@ -195,6 +217,8 @@ namespace usbguard
     }
     if (method_name == "applyDevicePolicy") {
 +      DBUS_AUTH_CHECK
 +
       uint32_t device_id = 0;
       uint32_t target_integer = 0;
       gboolean permanent = false;
@@ -344,6 +368,135 @@ namespace usbguard
     return builder;
   }
 +
 +  std::string DBusBridge::formatGError(GError* error)
 +  {
 +    if (error) {
 +      std::stringstream formatGError;
 +      formatGError << error->message << " (code " << error->code << ")";
 +      return formatGError.str();
 +    }
 +    else {
 +      return "unknown error";
 +    }
 +  }
 +
 +  bool DBusBridge::isAuthorizedByPolkit(GDBusMethodInvocation* invocation, GDBusError* authErrorCode,
 +    const gchar** authErrorMessage)
 +  {
 +    GError* error = NULL;
 +    USBGUARD_LOG(Trace) << "Extracting bus name...";
 +    const gchar* const /*no-free!*/ bus_name = g_dbus_method_invocation_get_sender (invocation);
 +
 +    if (! bus_name) {
 +      USBGUARD_LOG(Trace) << "Failed to extract bus name.";
 +      *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
 +      *authErrorMessage = "Failed to extract bus name.";
 +      return false;
 +    }
 +
 +    USBGUARD_LOG(Trace) << "Extracted bus name \"" << bus_name << "\".";
 +    USBGUARD_LOG(Trace) << "Extracting interface name...";
 +    const gchar* const /*no-free!*/ interfaceName = g_dbus_method_invocation_get_interface_name(invocation);
 +
 +    if (! interfaceName) {
 +      USBGUARD_LOG(Trace) << "Failed to extract interface name.";
 +      *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
 +      *authErrorMessage = "Failed to extract interface name.";
 +      return false;
 +    }
 +
 +    USBGUARD_LOG(Trace) << "Extracted interface name \"" << interfaceName << "\".";
 +    USBGUARD_LOG(Trace) << "Extracting method name...";
 +    const gchar* const /*no-free!*/ methodName = g_dbus_method_invocation_get_method_name(invocation);
 +
 +    if (! methodName) {
 +      USBGUARD_LOG(Trace) << "Failed to extract method name.";
 +      *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
 +      *authErrorMessage = "Failed to extract method name.";
 +      return false;
 +    }
 +
 +    std::stringstream action_id;
 +    action_id << interfaceName << "." << methodName;
 +    USBGUARD_LOG(Trace) << "Extracted method name \"" << methodName << "\".";
 +    USBGUARD_LOG(Trace) << "Creating a system bus Polkit subject...";
 +    PolkitSubject* const subject = polkit_system_bus_name_new(bus_name);
 +
 +    if (! subject) {
 +      USBGUARD_LOG(Trace) << "Failed to create Polkit subject.";
 +      *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
 +      *authErrorMessage = "Failed to create Polkit subject.";
 +      return false;
 +    }
 +
 +    USBGUARD_LOG(Trace) << "Created.";
 +    USBGUARD_LOG(Trace) << "Connecting with Polkit authority...";
 +    PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error);
 +
 +    if (! authority || error) {
 +      USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << ".";
 +      *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
 +      *authErrorMessage = "Failed to connect to Polkit authority";
 +      g_error_free(error);
 +      g_object_unref(authority);
 +      g_object_unref(subject);
 +      return false;
 +    }
 +
 +    USBGUARD_LOG(Trace) << "Connected.";
 +    USBGUARD_LOG(Trace) << "Customizing Polkit authentification dialog...";
 +    PolkitDetails* const details = polkit_details_new();
 +
 +    if (! details) {
 +      USBGUARD_LOG(Trace) << "Failed to customize the Polkit authentification dialog.";
 +      *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
 +      *authErrorMessage = "Failed to customize the Polkit authentication dialog.";
 +      g_object_unref(authority);
 +      g_object_unref(subject);
 +      return false;
 +    }
 +
 +    polkit_details_insert (details, "polkit.message", "This USBGuard action needs authorization");
 +    USBGUARD_LOG(Trace) << "Customized.";
 +    USBGUARD_LOG(Trace) << "Checking authorization of action \"" << action_id.str() << "\" with Polkit ...";
 +    const PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION;
 +    PolkitAuthorizationResult* const result = polkit_authority_check_authorization_sync
 +      (authority,
 +        subject,
 +        action_id.str().c_str(),
 +        details,
 +        flags,
 +        /*cancellable=*/ NULL,
 +        &error);
 +
 +    if (! result || error) {
 +      USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << ".";
 +      *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
 +      *authErrorMessage = "Failed to check back with Polkit for authoriation.";
 +      g_error_free(error);
 +      g_object_unref(result);
 +      g_object_unref(details);
 +      g_object_unref(authority);
 +      g_object_unref(subject);
 +      return false;
 +    }
 +
 +    gboolean isAuthorized = polkit_authorization_result_get_is_authorized(result);
 +    USBGUARD_LOG(Trace) << (isAuthorized ? "Authorized" : "Not authorized") << ".";
 +
 +    if (! isAuthorized) {
 +      *authErrorCode = G_DBUS_ERROR_ACCESS_DENIED;
 +      *authErrorMessage = "Not authorized.";
 +    }
 +
 +    g_object_unref(result);
 +    g_object_unref(details);
 +    g_object_unref(authority);
 +    g_object_unref(subject);
 +    return isAuthorized;
 +  }
 +
 } /* namespace usbguard */
 /* vim: set ts=2 sw=2 et */
 diff -up usbguard-1.0.0/src/DBus/DBusBridge.hpp.orig usbguard-1.0.0/src/DBus/DBusBridge.hpp
 --- usbguard-1.0.0/src/DBus/DBusBridge.hpp.orig	2022-08-16 10:24:34.312571194 +0200
 +++ usbguard-1.0.0/src/DBus/DBusBridge.hpp	2022-08-16 10:28:33.514545528 +0200
@@ -83,6 +83,9 @@ namespace usbguard
       bool rule_match,
       uint32_t rule_id);
 +    static std::string formatGError(GError* error);
 +    static bool isAuthorizedByPolkit(GDBusMethodInvocation* invocation, GDBusError* authErrorCode,
 +    const gchar** authErrorMessage);
     GDBusConnection* const p_gdbus_connection;
     void(*p_ipc_callback)(bool);
 diff -up usbguard-1.0.0/src/DBus/org.usbguard1.policy.orig usbguard-1.0.0/src/DBus/org.usbguard1.policy
 --- usbguard-1.0.0/src/DBus/org.usbguard1.policy.orig	2022-08-16 10:24:34.312571194 +0200
 +++ usbguard-1.0.0/src/DBus/org.usbguard1.policy	2022-08-16 10:24:34.311571202 +0200
@@ -1,23 +1,23 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
         "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
 -        
 +
 <policyconfig>
   <vendor>The USBGuard Project</vendor>
   <vendor_url>https://github.org/USBGuard/usbguard</vendor_url>
   <action id="org.usbguard.Policy1.listRules">
     <description>List the rule set (policy) used by the USBGuard daemon</description>
 -    <message>Prevents from listing the USBGuard policy</message>
 +    <message>Prevents listing the USBGuard policy</message>
     <defaults>
       <allow_inactive>no</allow_inactive>
 -      <allow_active>auth_self_keep_session</allow_active>
 +      <allow_active>yes</allow_active>
     </defaults>
   </action>
   <action id="org.usbguard.Policy1.appendRule">
     <description>Append a new rule to the policy</description>
 -    <message>Prevents from appending rules to the USBGuard policy</message>
 +    <message>Prevents appending rules to the USBGuard policy</message>
     <defaults>
       <allow_inactive>no</allow_inactive>
       <allow_active>auth_admin</allow_active>
@@ -33,40 +33,41 @@
     </defaults>
   </action>
 -  <action id="org.usbguard.Devices1.listDevices">
 -    <description>List all USB devices recognized by the USBGuard daemon</description>
 -    <message>Prevents from listing USB devices recognized by the USBGuard daemon</message>
 +  <action id="org.usbguard.Devices1.applyDevicePolicy">
 +    <description>Apply a policy to a device in USBGuard</description>
 +    <message>Prevents applying a policy to a device in USBGuard</message>
     <defaults>
       <allow_inactive>no</allow_inactive>
 -      <allow_active>auth_self_keep_session</allow_active>
 +      <allow_active>auth_admin</allow_active>
     </defaults>
   </action>
 -  <action id="org.usbguard.Devices1.allowDevice">
 -    <description>Authorize a USB device via the USBGuard daemon to interact with the system</description>
 -    <message>Prevents from authorizing USB devices via the USBGuard daemon</message>
 +  <action id="org.usbguard.Devices1.listDevices">
 +    <description>List all USB devices recognized by the USBGuard daemon</description>
 +    <message>Prevents listing USB devices recognized by the USBGuard daemon</message>
     <defaults>
       <allow_inactive>no</allow_inactive>
 -      <allow_active>auth_admin</allow_active>
 +      <allow_active>yes</allow_active>
     </defaults>
   </action>
 -  <action id="org.usbguard.Devices1.blockDevice">
 -    <description>Deauthorize a USB device via the USBGuard daemon</description>
 -    <message>Prevents from deauthorizing USB devices via the USBGuard daemon</message>
 +  <action id="org.usbguard1.getParameter">
 +    <description>Get the value of a runtime parameter</description>
 +    <message>Prevents getting values of runtime USBGuard parameters</message>
     <defaults>
       <allow_inactive>no</allow_inactive>
 -      <allow_active>auth_admin</allow_active>
 +      <allow_active>yes</allow_active>
     </defaults>
   </action>
 -  <action id="org.usbguard.Devices1.rejectDevice">
 -    <description>Remove a USB device via the USBGuard daemon</description>
 -    <message>Prevents from removing USB devices via the USBGuard daemon</message>
 +  <action id="org.usbguard1.setParameter">
 +    <description>Set the value of a runtime parameter</description>
 +    <message>Prevents setting values of runtime USBGuard parameters</message>
     <defaults>
       <allow_inactive>no</allow_inactive>
       <allow_active>auth_admin</allow_active>
     </defaults>
   </action>
 +
 </policyconfig>
--- a/SOURCES/usbguard-selinux-dbus-CVE.patch
+++ b/SOURCES/usbguard-selinux-dbus-CVE.patch
@ -0,0 +1,26 @@
 diff -up usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te
 --- usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig	2022-08-17 09:17:13.995269603 +0200
 +++ usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te	2022-08-17 09:18:47.439260009 +0200
@@ -99,7 +99,6 @@ logging_log_filetrans(usbguard_t, usbgua
 logging_send_syslog_msg(usbguard_t)
 -dbus_system_domain(usbguard_t, usbguard_exec_t)
 usbguard_ipc_access(usbguard_t)
 tunable_policy(`usbguard_daemon_write_rules',`
@@ -110,6 +109,14 @@ tunable_policy(`usbguard_daemon_write_co
 	rw_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
 ')
 +optional_policy(`
 +	dbus_system_domain(usbguard_t, usbguard_exec_t)
 +
 +	optional_policy(`
 +		policykit_dbus_chat(usbguard_t)
 +	')
 +')
 +
 # Allow confined users to communicate with usbguard over unix socket
 optional_policy(`
     gen_require(`
--- a/SPECS/usbguard.spec
+++ b/SPECS/usbguard.spec
@ -8,7 +8,7 @@
 Name:           usbguard
 Version:        1.0.0
-Release:        10%{?dist}
+Release:        10%{?dist}.2
 Summary:        A tool for implementing USB device usage policy
 Group:          System Environment/Daemons
 License:        GPLv2+
@ -57,6 +57,9 @@ Patch4: usbguard-service-pidfile.patch
 Patch5: usbguard-ipc-override-fix.patch
 Patch6: usbguard-validate-acl.patch
 Patch7: usbguard-notifier-decrease-spam.patch
 Patch8: usbguard-dbus-CVE.patch
 Patch9: usbguard-selinux-dbus-CVE.patch
 Patch10: usbguard-dbus-CVE-leak.patch
 %description
 The USBGuard software framework helps to protect your computer against rogue USB
@ -140,6 +143,9 @@ rm -rf src/ThirdParty/{Catch,PEGTL}
 %patch5 -p1 -b .ipc-override-fix
 %patch6 -p1 -b .validate-acl
 %patch7 -p1 -b .notifier-decrease-spam
 %patch8 -p1 -b .dbus-CVE
 %patch9 -p1 -b .selinux-dbus-CVE
 %patch10 -p1 -b .dbus-CVE-leak
 %build
 mkdir -p ./m4
@ -304,6 +310,11 @@ fi
 %changelog
 * Tue Aug 16 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-10.2
 - Fix dbus memory leak on connection failure
 - Fix unauthorized access via D-bus
 Resolves: rhbz#2127877
 * Mon Oct 25 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-10
 - fix DSP module definition in spec file
 Resolves: rhbz#2014442