commit abfa93d60fba348b47ba47ed074a3e95c35e6e7d Author: CentOS Sources Date: Tue May 16 06:08:37 2023 +0000 import usbguard-1.0.0-13.el8 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1da3842 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +SOURCES/usbguard-1.0.0.tar.gz +SOURCES/usbguard-notifier-0.0.6.tar.gz +SOURCES/usbguard-selinux-0.0.3.tar.gz diff --git a/.usbguard.metadata b/.usbguard.metadata new file mode 100644 index 0000000..91463cb --- /dev/null +++ b/.usbguard.metadata @@ -0,0 +1,3 @@ +bf909799daae6798634e1b01efaaadc5781b9755 SOURCES/usbguard-1.0.0.tar.gz +7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz +e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz diff --git a/SOURCES/usbguard-0.7.6-notifier.patch b/SOURCES/usbguard-0.7.6-notifier.patch new file mode 100644 index 0000000..9d21147 --- /dev/null +++ b/SOURCES/usbguard-0.7.6-notifier.patch @@ -0,0 +1,88 @@ +diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac +--- ./usbguard-notifier-0.0.6/configure.ac.notifier 2020-04-29 07:35:43.057914703 +0200 ++++ ./usbguard-notifier-0.0.6/configure.ac 2020-06-17 16:27:53.577151720 +0200 +@@ -44,6 +44,32 @@ AC_ARG_WITH( + [notificaiton_path="/tmp/usbguard-notifier"] + ) + ++# usbguard-devel ++# Add the path to where your usbguard-devel includes are ++# You might need this option when you want to package usbguard-notifier ++# together with usbguard at the same time ++AC_ARG_WITH( ++ [usbguard-devel], ++ AS_HELP_STRING([--with-usbguard-devel], [Select to compile notifier from source usbguard devel files(only top level directory)]), ++ [usbguard_CFLAGS="-I$withval/src/Library/public/" ++ usbguard_LIBS="" ++ usbguard_LA="$withval/libusbguard.la" ++ libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS" ++ AC_SUBST([usbguard_CFLAGS]) ++ AC_SUBST([usbguard_LIBS]) ++ AC_SUBST([usbguard_LA]) ++ custom_usbguard_devel_enabled=yes ++ ], ++ [ ++ PKG_CHECK_MODULES( ++ [usbguard], ++ [libusbguard >= 0.7.2], ++ [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"], ++ [AC_MSG_FAILURE([libusbguard development files not found])] ++ ) ++ ] ++) ++ + # Build notifier-cli, default is yes + AC_ARG_ENABLE([notifier-cli], + [AC_HELP_STRING([--enable-notifier-cli], [enable notifier cli(default=yes)])], +@@ -81,14 +107,6 @@ PKG_CHECK_MODULES( + [AC_MSG_FAILURE([libnotify development files not found])] + ) + +-# usbguard +-PKG_CHECK_MODULES( +- [usbguard], +- [libusbguard >= 0.7.2], +- [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"], +- [AC_MSG_FAILURE([libusbguard development files not found])] +-) +- + # asciidoc + AC_CHECK_PROGS(A2X, [a2x]) + if test -z "$A2X"; then +@@ -162,6 +180,7 @@ AC_SUBST(config_PATH, $prefix/.config) + AC_SUBST(NOTIFICATION_PATH, $notification_path) + + AM_CONDITIONAL([NOTIFIER_CLI_ENABLED], [test "x$notifier_cli_enabled" = xyes ]) ++AM_CONDITIONAL([CUSTOM_USBGUARD_DEVEL_ENABLED], [test "x$custom_usbguard_devel_enabled" = "xyes"]) + + AC_CONFIG_FILES([ + Makefile +diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am +--- ./usbguard-notifier-0.0.6/Makefile.am.notifier 2020-04-29 07:18:21.024388188 +0200 ++++ ./usbguard-notifier-0.0.6/Makefile.am 2020-06-17 16:27:53.592151848 +0200 +@@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \ + @usbguard_CFLAGS@ \ + -fPIC + ++if CUSTOM_USBGUARD_DEVEL_ENABLED ++usbguard_notifier_LDADD = \ ++ @usbguard_LA@ ++usbguard_notifier_cli_LDADD = \ ++ @usbguard_LA@ ++endif ++ + BUILT_SOURCES = \ + src/BuildConfig.h + +diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 +--- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier 2020-06-17 19:55:54.621855004 +0200 ++++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 2020-06-17 19:56:46.551297432 +0200 +@@ -53,7 +53,7 @@ Show help\&. + .RE + .SH "SEE ALSO" + .sp +-usbguard\-notifier\-cli(1), usbguard(1) ++usbguard(1) + .SH "BUGS" + .sp + If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&. diff --git a/SOURCES/usbguard-OOMScoreAdjust.patch b/SOURCES/usbguard-OOMScoreAdjust.patch new file mode 100644 index 0000000..d101768 --- /dev/null +++ b/SOURCES/usbguard-OOMScoreAdjust.patch @@ -0,0 +1,11 @@ +diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in +--- usbguard-1.0.0/usbguard.service.in.orig 2022-11-28 10:21:35.889977314 +0100 ++++ usbguard-1.0.0/usbguard.service.in 2022-11-28 10:21:52.711987716 +0100 +@@ -4,6 +4,7 @@ Wants=systemd-udevd.service local-fs.tar + Documentation=man:usbguard-daemon(8) + + [Service] ++OOMScoreAdjust=-1000 + AmbientCapabilities= + CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE + DevicePolicy=closed diff --git a/SOURCES/usbguard-audit-capability.patch b/SOURCES/usbguard-audit-capability.patch new file mode 100644 index 0000000..934a25a --- /dev/null +++ b/SOURCES/usbguard-audit-capability.patch @@ -0,0 +1,12 @@ +diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in +--- usbguard-1.0.0/usbguard.service.in.orig 2021-03-17 14:16:21.675374844 +0100 ++++ usbguard-1.0.0/usbguard.service.in 2021-03-17 14:16:29.056373213 +0100 +@@ -5,7 +5,7 @@ Documentation=man:usbguard-daemon(8) + + [Service] + AmbientCapabilities= +-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER ++CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE + DevicePolicy=closed + ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf + IPAddressDeny=any diff --git a/SOURCES/usbguard-consistent-rules.patch b/SOURCES/usbguard-consistent-rules.patch new file mode 100644 index 0000000..7420215 --- /dev/null +++ b/SOURCES/usbguard-consistent-rules.patch @@ -0,0 +1,12 @@ +diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp +--- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig 2022-11-28 10:35:44.052560664 +0100 ++++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp 2022-11-28 10:35:55.510568939 +0100 +@@ -76,7 +76,7 @@ namespace usbguard + } + + if (ruleSet.empty()){ +- USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible."; ++ USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible."; + ruleSet = generateDefaultRuleSet(); + } + diff --git a/SOURCES/usbguard-daemon-race-condition.patch b/SOURCES/usbguard-daemon-race-condition.patch new file mode 100644 index 0000000..40e5645 --- /dev/null +++ b/SOURCES/usbguard-daemon-race-condition.patch @@ -0,0 +1,19 @@ +diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp +--- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig 2022-11-28 10:25:01.044104150 +0100 ++++ usbguard-1.0.0/src/Daemon/Daemon.cpp 2022-11-28 10:25:34.736124980 +0100 +@@ -40,6 +40,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -606,6 +607,7 @@ namespace usbguard + const int signum = sigtimedwait(&mask, &info, &timeout); + + if (signum == SIGUSR1 && info.si_signo == SIGUSR1 && info.si_pid == pid) { ++ waitpid(pid, nullptr, 0); + USBGUARD_LOG(Trace) << "Finished daemonization"; + exit(EXIT_SUCCESS); + } diff --git a/SOURCES/usbguard-daemon.conf b/SOURCES/usbguard-daemon.conf new file mode 100644 index 0000000..ae5a6a2 --- /dev/null +++ b/SOURCES/usbguard-daemon.conf @@ -0,0 +1,211 @@ +# +# Rule set file path. +# +# The USBGuard daemon will use this file to load the policy +# rule set from it and to write new rules received via the +# IPC interface. +# +# RuleFile=/path/to/rules.conf +# +RuleFile=/etc/usbguard/rules.conf + +# +# Rule set folder path. +# +# The USBGuard daemon will use this folder to load the policy +# rule set from it and to write new rules received via the +# IPC interface. Usually, we set the option to +# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to +# behave like any other standard Linux daemon therefore it +# loads rule files in alpha-numeric order. File names inside +# RuleFolder directory should start with a two-digit number +# prefix indicating the position, in which the rules are +# scanned by the daemon. +# +# RuleFolder=/path/to/rulesfolder/ +# +RuleFolder=/etc/usbguard/rules.d/ + +# +# Implicit policy target. +# +# How to treat devices that don't match any rule in the +# policy. One of: +# +# * allow - authorize the device +# * block - block the device +# * reject - remove the device +# +ImplicitPolicyTarget=block + +# +# Present device policy. +# +# How to treat devices that are already connected when the +# daemon starts. One of: +# +# * allow - authorize every present device +# * block - deauthorize every present device +# * reject - remove every present device +# * keep - just sync the internal state and leave it +# * apply-policy - evaluate the ruleset for every present +# device +# +PresentDevicePolicy=apply-policy + +# +# Present controller policy. +# +# How to treat USB controllers that are already connected +# when the daemon starts. One of: +# +# * allow - authorize every present device +# * block - deauthorize every present device +# * reject - remove every present device +# * keep - just sync the internal state and leave it +# * apply-policy - evaluate the ruleset for every present +# device +# +PresentControllerPolicy=keep + +# +# Inserted device policy. +# +# How to treat USB devices that are already connected +# *after* the daemon starts. One of: +# +# * block - deauthorize every present device +# * reject - remove every present device +# * apply-policy - evaluate the ruleset for every present +# device +# +InsertedDevicePolicy=apply-policy + +# +# Control which devices are authorized by default. +# +# The USBGuard daemon modifies some the default authorization state attributes +# of controller devices. This setting, enables you to define what value the +# default authorization is set to. +# +# * keep - do not change the authorization state +# * none - every new device starts out deauthorized +# * all - every new device starts out authorized +# * internal - internal devices start out authorized, external devices start +# out deauthorized (this requires the ACPI tables to properly +# label internal devices, and kernel support) +# +#AuthorizedDefault=none + +# +# Restore controller device state. +# +# The USBGuard daemon modifies some attributes of controller +# devices like the default authorization state of new child device +# instances. Using this setting, you can control whether the +# daemon will try to restore the attribute values to the state +# before modification on shutdown. +# +# SECURITY CONSIDERATIONS: If set to true, the USB authorization +# policy could be bypassed by performing some sort of attack on the +# daemon (via a local exploit or via a USB device) to make it shutdown +# and restore to the operating-system default state (known to be permissive). +# +RestoreControllerDeviceState=false + +# +# Device manager backend +# +# Which device manager backend implementation to use. One of: +# +# * uevent - Netlink based implementation which uses sysfs to scan for present +# devices and an uevent netlink socket for receiving USB device +# related events. +# * umockdev - umockdev based device manager capable of simulating devices based +# on umockdev-record files. Useful for testing. +# +DeviceManagerBackend=uevent + +#!!! WARNING: It's good practice to set at least one of the !!! +#!!! two options bellow. If none of them are set, !!! +#!!! the daemon will accept IPC connections from !!! +#!!! anyone, thus allowing anyone to modify the !!! +#!!! rule set and (de)authorize USB devices. !!! + +# +# Users allowed to use the IPC interface. +# +# A space delimited list of usernames that the daemon will +# accept IPC connections from. +# +# IPCAllowedUsers=username1 username2 ... +# +IPCAllowedUsers=root + +# +# Groups allowed to use the IPC interface. +# +# A space delimited list of groupnames that the daemon will +# accept IPC connections from. +# +# IPCAllowedGroups=groupname1 groupname2 ... +# +IPCAllowedGroups=wheel + +# +# IPC access control definition files path. +# +# The files at this location will be interpreted by the daemon +# as access control definition files. The (base)name of a file +# should be in the form: +# +# [user][:] +# +# and should contain lines in the form: +# +#
=[privilege] ... +# +# This way each file defines who is able to connect to the IPC +# bus and what privileges he has. +# +IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/ + +# +# Generate device specific rules including the "via-port" +# attribute. +# +# This option modifies the behavior of the allowDevice +# action. When instructed to generate a permanent rule, +# the action can generate a port specific rule. Because +# some systems have unstable port numbering, the generated +# rule might not match the device after rebooting the system. +# +# If set to false, the generated rule will still contain +# the "parent-hash" attribute which also defines an association +# to the parent device. See usbguard-rules.conf(5) for more +# details. +# +DeviceRulesWithPort=false + +# +# USBGuard Audit events log backend +# +# One of: +# +# * FileAudit - Log audit events into a file specified by +# AuditFilePath setting (see below) +# * LinuxAudit - Log audit events using the Linux Audit +# subsystem (using audit_log_user_message) +# +AuditBackend=FileAudit + +# +# USBGuard audit events log file path. +# +AuditFilePath=/var/log/usbguard/usbguard-audit.log + +# +# Hides personally identifiable information such as device serial numbers and +# hashes of descriptors (which include the serial number) from audit entries. +# +#HidePII=false diff --git a/SOURCES/usbguard-dbus-CVE-leak.patch b/SOURCES/usbguard-dbus-CVE-leak.patch new file mode 100644 index 0000000..f34290a --- /dev/null +++ b/SOURCES/usbguard-dbus-CVE-leak.patch @@ -0,0 +1,31 @@ +diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp +--- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig 2022-10-18 10:33:04.498762878 +0200 ++++ usbguard-1.0.0/src/DBus/DBusBridge.cpp 2022-10-18 10:33:36.920785285 +0200 +@@ -434,12 +434,11 @@ namespace usbguard + USBGUARD_LOG(Trace) << "Connecting with Polkit authority..."; + PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error); + +- if (! authority || error) { ++ if (! authority) { + USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << "."; + *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; + *authErrorMessage = "Failed to connect to Polkit authority"; + g_error_free(error); +- g_object_unref(authority); + g_object_unref(subject); + return false; + } +@@ -470,12 +469,11 @@ namespace usbguard + /*cancellable=*/ NULL, + &error); + +- if (! result || error) { ++ if (! result) { + USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << "."; + *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; + *authErrorMessage = "Failed to check back with Polkit for authoriation."; + g_error_free(error); +- g_object_unref(result); + g_object_unref(details); + g_object_unref(authority); + g_object_unref(subject); diff --git a/SOURCES/usbguard-dbus-CVE.patch b/SOURCES/usbguard-dbus-CVE.patch new file mode 100644 index 0000000..ed2747a --- /dev/null +++ b/SOURCES/usbguard-dbus-CVE.patch @@ -0,0 +1,335 @@ +diff -up usbguard-1.0.0/configure.ac.orig usbguard-1.0.0/configure.ac +--- usbguard-1.0.0/configure.ac.orig 2022-08-16 10:24:34.345570913 +0200 ++++ usbguard-1.0.0/configure.ac 2022-08-16 10:24:34.307571236 +0200 +@@ -399,7 +399,7 @@ if test "x$with_dbus" = xyes; then + # + # Check for required D-Bus modules + # +- PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0], ++ PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0 polkit-gobject-1], + [AC_DEFINE([HAVE_DBUS], [1], [Required GDBus API available]) + dbus_summary="system-wide; $dbus_CFLAGS $dbus_LIBS"], + [AC_MSG_FAILURE([Required D-Bus modules (dbus-1, gio-2.0) not found!])] +diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp +--- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig 2022-08-16 10:24:34.312571194 +0200 ++++ usbguard-1.0.0/src/DBus/DBusBridge.cpp 2022-08-16 10:28:28.595587136 +0200 +@@ -21,6 +21,8 @@ + #endif + + #include "DBusBridge.hpp" ++#include ++ + namespace usbguard + { + DBusBridge::DBusBridge(GDBusConnection* const gdbus_connection, +@@ -74,9 +76,19 @@ namespace usbguard + return; + } + ++ #define DBUS_AUTH_CHECK \ ++ GDBusError authErrorCode = G_DBUS_ERROR_FAILED; \ ++ const gchar* authErrorMessage = NULL; \ ++ if (! isAuthorizedByPolkit(invocation, &authErrorCode, &authErrorMessage)) { \ ++ g_dbus_method_invocation_return_error_literal(invocation, G_DBUS_ERROR, authErrorCode, authErrorMessage); \ ++ return; \ ++ } ++ + void DBusBridge::handleRootMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation) + { + if (method_name == "getParameter") { ++ DBUS_AUTH_CHECK ++ + const char* name_cstr = nullptr; + g_variant_get(parameters, "(&s)", &name_cstr); + std::string name(name_cstr); +@@ -86,6 +98,8 @@ namespace usbguard + } + + if (method_name == "setParameter") { ++ DBUS_AUTH_CHECK ++ + const char* name_cstr = nullptr; + const char* value_cstr = nullptr; + g_variant_get(parameters, "(&s&s)", &name_cstr, &value_cstr); +@@ -104,6 +118,8 @@ namespace usbguard + void DBusBridge::handlePolicyMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation) + { + if (method_name == "listRules") { ++ DBUS_AUTH_CHECK ++ + const char* label_cstr = nullptr; + g_variant_get(parameters, "(&s)", &label_cstr); + std::string label(label_cstr); +@@ -136,6 +152,8 @@ namespace usbguard + } + + if (method_name == "appendRule") { ++ DBUS_AUTH_CHECK ++ + const char* rule_spec_cstr = nullptr; + uint32_t parent_id = 0; + gboolean temporary = false; +@@ -147,6 +165,8 @@ namespace usbguard + } + + if (method_name == "removeRule") { ++ DBUS_AUTH_CHECK ++ + uint32_t rule_id = 0; + g_variant_get(parameters, "(u)", &rule_id); + removeRule(rule_id); +@@ -163,6 +183,8 @@ namespace usbguard + GDBusMethodInvocation* invocation) + { + if (method_name == "listDevices") { ++ DBUS_AUTH_CHECK ++ + const char* query_cstr = nullptr; + g_variant_get(parameters, "(&s)", &query_cstr); + std::string query(query_cstr); +@@ -195,6 +217,8 @@ namespace usbguard + } + + if (method_name == "applyDevicePolicy") { ++ DBUS_AUTH_CHECK ++ + uint32_t device_id = 0; + uint32_t target_integer = 0; + gboolean permanent = false; +@@ -344,6 +368,135 @@ namespace usbguard + + return builder; + } ++ ++ std::string DBusBridge::formatGError(GError* error) ++ { ++ if (error) { ++ std::stringstream formatGError; ++ formatGError << error->message << " (code " << error->code << ")"; ++ return formatGError.str(); ++ } ++ else { ++ return "unknown error"; ++ } ++ } ++ ++ bool DBusBridge::isAuthorizedByPolkit(GDBusMethodInvocation* invocation, GDBusError* authErrorCode, ++ const gchar** authErrorMessage) ++ { ++ GError* error = NULL; ++ USBGUARD_LOG(Trace) << "Extracting bus name..."; ++ const gchar* const /*no-free!*/ bus_name = g_dbus_method_invocation_get_sender (invocation); ++ ++ if (! bus_name) { ++ USBGUARD_LOG(Trace) << "Failed to extract bus name."; ++ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; ++ *authErrorMessage = "Failed to extract bus name."; ++ return false; ++ } ++ ++ USBGUARD_LOG(Trace) << "Extracted bus name \"" << bus_name << "\"."; ++ USBGUARD_LOG(Trace) << "Extracting interface name..."; ++ const gchar* const /*no-free!*/ interfaceName = g_dbus_method_invocation_get_interface_name(invocation); ++ ++ if (! interfaceName) { ++ USBGUARD_LOG(Trace) << "Failed to extract interface name."; ++ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; ++ *authErrorMessage = "Failed to extract interface name."; ++ return false; ++ } ++ ++ USBGUARD_LOG(Trace) << "Extracted interface name \"" << interfaceName << "\"."; ++ USBGUARD_LOG(Trace) << "Extracting method name..."; ++ const gchar* const /*no-free!*/ methodName = g_dbus_method_invocation_get_method_name(invocation); ++ ++ if (! methodName) { ++ USBGUARD_LOG(Trace) << "Failed to extract method name."; ++ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; ++ *authErrorMessage = "Failed to extract method name."; ++ return false; ++ } ++ ++ std::stringstream action_id; ++ action_id << interfaceName << "." << methodName; ++ USBGUARD_LOG(Trace) << "Extracted method name \"" << methodName << "\"."; ++ USBGUARD_LOG(Trace) << "Creating a system bus Polkit subject..."; ++ PolkitSubject* const subject = polkit_system_bus_name_new(bus_name); ++ ++ if (! subject) { ++ USBGUARD_LOG(Trace) << "Failed to create Polkit subject."; ++ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; ++ *authErrorMessage = "Failed to create Polkit subject."; ++ return false; ++ } ++ ++ USBGUARD_LOG(Trace) << "Created."; ++ USBGUARD_LOG(Trace) << "Connecting with Polkit authority..."; ++ PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error); ++ ++ if (! authority || error) { ++ USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << "."; ++ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; ++ *authErrorMessage = "Failed to connect to Polkit authority"; ++ g_error_free(error); ++ g_object_unref(authority); ++ g_object_unref(subject); ++ return false; ++ } ++ ++ USBGUARD_LOG(Trace) << "Connected."; ++ USBGUARD_LOG(Trace) << "Customizing Polkit authentification dialog..."; ++ PolkitDetails* const details = polkit_details_new(); ++ ++ if (! details) { ++ USBGUARD_LOG(Trace) << "Failed to customize the Polkit authentification dialog."; ++ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; ++ *authErrorMessage = "Failed to customize the Polkit authentication dialog."; ++ g_object_unref(authority); ++ g_object_unref(subject); ++ return false; ++ } ++ ++ polkit_details_insert (details, "polkit.message", "This USBGuard action needs authorization"); ++ USBGUARD_LOG(Trace) << "Customized."; ++ USBGUARD_LOG(Trace) << "Checking authorization of action \"" << action_id.str() << "\" with Polkit ..."; ++ const PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION; ++ PolkitAuthorizationResult* const result = polkit_authority_check_authorization_sync ++ (authority, ++ subject, ++ action_id.str().c_str(), ++ details, ++ flags, ++ /*cancellable=*/ NULL, ++ &error); ++ ++ if (! result || error) { ++ USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << "."; ++ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED; ++ *authErrorMessage = "Failed to check back with Polkit for authoriation."; ++ g_error_free(error); ++ g_object_unref(result); ++ g_object_unref(details); ++ g_object_unref(authority); ++ g_object_unref(subject); ++ return false; ++ } ++ ++ gboolean isAuthorized = polkit_authorization_result_get_is_authorized(result); ++ USBGUARD_LOG(Trace) << (isAuthorized ? "Authorized" : "Not authorized") << "."; ++ ++ if (! isAuthorized) { ++ *authErrorCode = G_DBUS_ERROR_ACCESS_DENIED; ++ *authErrorMessage = "Not authorized."; ++ } ++ ++ g_object_unref(result); ++ g_object_unref(details); ++ g_object_unref(authority); ++ g_object_unref(subject); ++ return isAuthorized; ++ } ++ + } /* namespace usbguard */ + + /* vim: set ts=2 sw=2 et */ +diff -up usbguard-1.0.0/src/DBus/DBusBridge.hpp.orig usbguard-1.0.0/src/DBus/DBusBridge.hpp +--- usbguard-1.0.0/src/DBus/DBusBridge.hpp.orig 2022-08-16 10:24:34.312571194 +0200 ++++ usbguard-1.0.0/src/DBus/DBusBridge.hpp 2022-08-16 10:28:33.514545528 +0200 +@@ -83,6 +83,9 @@ namespace usbguard + bool rule_match, + uint32_t rule_id); + ++ static std::string formatGError(GError* error); ++ static bool isAuthorizedByPolkit(GDBusMethodInvocation* invocation, GDBusError* authErrorCode, ++ const gchar** authErrorMessage); + + GDBusConnection* const p_gdbus_connection; + void(*p_ipc_callback)(bool); +diff -up usbguard-1.0.0/src/DBus/org.usbguard1.policy.orig usbguard-1.0.0/src/DBus/org.usbguard1.policy +--- usbguard-1.0.0/src/DBus/org.usbguard1.policy.orig 2022-08-16 10:24:34.312571194 +0200 ++++ usbguard-1.0.0/src/DBus/org.usbguard1.policy 2022-08-16 10:24:34.311571202 +0200 +@@ -1,23 +1,23 @@ + + +- ++ + + The USBGuard Project + https://github.org/USBGuard/usbguard + + + List the rule set (policy) used by the USBGuard daemon +- Prevents from listing the USBGuard policy ++ Prevents listing the USBGuard policy + + no +- auth_self_keep_session ++ yes + + + + + Append a new rule to the policy +- Prevents from appending rules to the USBGuard policy ++ Prevents appending rules to the USBGuard policy + + no + auth_admin +@@ -33,40 +33,41 @@ + + + +- +- List all USB devices recognized by the USBGuard daemon +- Prevents from listing USB devices recognized by the USBGuard daemon ++ ++ Apply a policy to a device in USBGuard ++ Prevents applying a policy to a device in USBGuard + + no +- auth_self_keep_session ++ auth_admin + + + +- +- Authorize a USB device via the USBGuard daemon to interact with the system +- Prevents from authorizing USB devices via the USBGuard daemon ++ ++ List all USB devices recognized by the USBGuard daemon ++ Prevents listing USB devices recognized by the USBGuard daemon + + no +- auth_admin ++ yes + + + +- +- Deauthorize a USB device via the USBGuard daemon +- Prevents from deauthorizing USB devices via the USBGuard daemon ++ ++ Get the value of a runtime parameter ++ Prevents getting values of runtime USBGuard parameters + + no +- auth_admin ++ yes + + + +- +- Remove a USB device via the USBGuard daemon +- Prevents from removing USB devices via the USBGuard daemon ++ ++ Set the value of a runtime parameter ++ Prevents setting values of runtime USBGuard parameters + + no + auth_admin + + ++ + + diff --git a/SOURCES/usbguard-disable-console-log.patch b/SOURCES/usbguard-disable-console-log.patch new file mode 100644 index 0000000..4eda60b --- /dev/null +++ b/SOURCES/usbguard-disable-console-log.patch @@ -0,0 +1,12 @@ +diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in +--- usbguard-1.0.0/usbguard.service.in.orig 2023-01-12 13:17:14.200064956 +0100 ++++ usbguard-1.0.0/usbguard.service.in 2023-01-12 13:17:22.588078994 +0100 +@@ -8,7 +8,7 @@ OOMScoreAdjust=-1000 + AmbientCapabilities= + CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE + DevicePolicy=closed +-ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf ++ExecStart=%sbindir%/usbguard-daemon -f -s -K -c %sysconfdir%/usbguard/usbguard-daemon.conf + LockPersonality=yes + MemoryDenyWriteExecute=yes + NoNewPrivileges=yes diff --git a/SOURCES/usbguard-ipaddressdeny.patch b/SOURCES/usbguard-ipaddressdeny.patch new file mode 100644 index 0000000..85a78b3 --- /dev/null +++ b/SOURCES/usbguard-ipaddressdeny.patch @@ -0,0 +1,11 @@ +diff --color -ru a/usbguard.service.in b/usbguard.service.in +--- a/usbguard.service.in 2021-09-07 16:33:49.911540537 +0200 ++++ b/usbguard.service.in 2021-09-07 16:37:20.788885123 +0200 +@@ -8,7 +8,6 @@ + CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE + DevicePolicy=closed + ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf +-IPAddressDeny=any + LockPersonality=yes + MemoryDenyWriteExecute=yes + NoNewPrivileges=yes diff --git a/SOURCES/usbguard-ipc-override-fix.patch b/SOURCES/usbguard-ipc-override-fix.patch new file mode 100644 index 0000000..4083c7d --- /dev/null +++ b/SOURCES/usbguard-ipc-override-fix.patch @@ -0,0 +1,20 @@ +diff --color -ru a/src/Library/IPCServerPrivate.cpp b/src/Library/IPCServerPrivate.cpp +--- a/src/Library/IPCServerPrivate.cpp 2020-11-23 15:56:12.979847655 +0100 ++++ b/src/Library/IPCServerPrivate.cpp 2021-09-15 10:02:51.641082533 +0200 +@@ -567,10 +567,12 @@ + bool IPCServerPrivate::authenticateIPCConnectionDAC(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const + { + USBGUARD_LOG(Trace) << "uid=" << uid << " gid=" << gid << " ac_ptr=" << ac_ptr; +- return \ +- matchACLByUID(uid, ac_ptr) || \ +- matchACLByGID(gid, ac_ptr) || \ +- matchACLByName(uid, gid, ac_ptr); ++ ++ bool matched_uid = matchACLByUID(uid, ac_ptr); ++ bool matched_gid = matchACLByGID(gid, ac_ptr); ++ bool matched_name = matchACLByName(uid, gid, ac_ptr); ++ ++ return matched_uid || matched_gid || matched_name; + } + + bool IPCServerPrivate::matchACLByUID(uid_t uid, IPCServer::AccessControl* const ac_ptr) const diff --git a/SOURCES/usbguard-missing-doc.patch b/SOURCES/usbguard-missing-doc.patch new file mode 100644 index 0000000..138a3cb --- /dev/null +++ b/SOURCES/usbguard-missing-doc.patch @@ -0,0 +1,43 @@ +diff -up usbguard-1.0.0/doc/man/example-allow-device.adoc.orig usbguard-1.0.0/doc/man/example-allow-device.adoc +--- usbguard-1.0.0/doc/man/example-allow-device.adoc.orig 2022-11-28 12:00:26.695561514 +0100 ++++ usbguard-1.0.0/doc/man/example-allow-device.adoc 2022-11-28 11:57:01.120457773 +0100 +@@ -0,0 +1,6 @@ ++.... ++ # Allow a device by ID(it is the very first number from the list-devices command output) ++ $ sudo usbguard allow-device 10 ++ # Allow all devices named "Dell Wired Multimedia Keyboard" ++ $ sudo usbguard allow-device name \"Dell Wired Multimedia Keyboard\" ++.... +diff -up usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig usbguard-1.0.0/doc/man/example-initial-policy.adoc +--- usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig 2022-11-28 12:00:31.781564080 +0100 ++++ usbguard-1.0.0/doc/man/example-initial-policy.adoc 2022-11-28 11:57:25.353470002 +0100 +@@ -0,0 +1,7 @@ ++.... ++ $ sudo usbguard generate-policy > rules.conf ++ $ vi rules.conf ++ (review/modify the rule set) ++ $ sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf ++ $ sudo systemctl restart usbguard ++.... +diff -up usbguard-1.0.0/doc/man/footer.adoc.orig usbguard-1.0.0/doc/man/footer.adoc +--- usbguard-1.0.0/doc/man/footer.adoc.orig 2022-11-28 11:54:21.495377220 +0100 ++++ usbguard-1.0.0/doc/man/footer.adoc 2022-11-28 11:55:51.960422872 +0100 +@@ -0,0 +1,18 @@ ++== BUGS ++If you find a bug in this software or if you'd like to request a feature to be implemented, please file a ticket at . ++ ++ ++== AUTHOR ++USBGuard was originally written by Daniel Kopeček. ++Many people have contributed to it. ++ ++ ++== RESOURCES ++Main web site: ++ ++ ++== COPYING ++Copyright © 2015-{docyear} Red Hat, Inc. + ++License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl.html. + ++This is free software: you are free to change and redistribute it. ++There is NO WARRANTY, to the extent permitted by law. diff --git a/SOURCES/usbguard-notifier-decrease-spam.patch b/SOURCES/usbguard-notifier-decrease-spam.patch new file mode 100644 index 0000000..4b4015b --- /dev/null +++ b/SOURCES/usbguard-notifier-decrease-spam.patch @@ -0,0 +1,182 @@ +diff --color -ru a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 b/usbguard-notifier-0.0.6/man/usbguard-notifier.1 +--- a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-09-24 13:08:23.304639109 +0200 ++++ b/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-09-24 13:16:14.177186425 +0200 +@@ -39,7 +39,12 @@ + .PP + \fB\-w, \-\-wait\fR + .RS 4 +-Wait until an active IPC connection is estabilished\&. ++Wait until an active IPC connection is estabilished\&. ie\&. infinite number of attempts\&. ++.RE ++.PP ++\fB\-n, \-\-num\-attempts\fR \fInum\fR ++.RS 4 ++Number of IPC connection attempts. Window between each attempt is 1 second\&. The default number of attempts is 3\&. + .RE + .PP + \fB\-d, \-\-debug\fR +@@ -51,6 +56,64 @@ + .RS 4 + Show help\&. + .RE ++.SH "HOW TO START" ++.sp ++In order to make usbguard\-notifier work properly, you will need to perform certain actions: ++.sp ++.RS 4 ++.ie n \{\ ++\h'-04' 1.\h'+01'\c ++.\} ++.el \{\ ++.sp -1 ++.IP " 1." 4.2 ++.\} ++Each user who wants to run usbguard\-notifier service needs to have sufficient IPC privileges to connect to the usbguard IPC interface\&. To allow a specific user to listen to the device signals you can use the following command: ++ ++ ++\fB$ sudo usbguard add\-user\fR ++\fIUSER\fR ++\fB\-d listen\fR ++ ++Or you can allow a group of users: ++ ++ ++\fB$ sudo usbguard add\-user \-g\fR ++\fIGROUP\fR ++\fB\-d listen\fR ++.RE ++.sp ++.RS 4 ++.ie n \{\ ++\h'-04' 2.\h'+01'\c ++.\} ++.el \{\ ++.sp -1 ++.IP " 2." 4.2 ++.\} ++Now, you need a running usbguard\-daemon instance to connect to\&. Start the usbguard service or restart it if it is already running\&. ++.RE ++.sp ++.RS 4 ++.ie n \{\ ++\h'-04' 3.\h'+01'\c ++.\} ++.el \{\ ++.sp -1 ++.IP " 3." 4.2 ++.\} ++After configuring IPC privileges and starting up the usbguard\-daemon, the user can now start the usbguard\-notifier service: ++ ++ ++\fB$ systemctl start \-\-user usbguard\-notifier\&.service\fR ++ ++Optionally, the user can enable the usbguard\-notifier service to start automatically after the login: ++ ++ ++\fB$ systemctl enable \-\-user usbguard\-notifier\&.service\fR ++.RE ++.sp ++The usbguard\-notifier should now be running\&. Anytime a USB device gets inserted/ejected or allowed/blocked a message will pop up in the user\(cqs graphical interface\&. + .SH "SEE ALSO" + .sp + usbguard(1) +diff --color -ru a/usbguard-notifier-0.0.6/src/Main.cpp b/usbguard-notifier-0.0.6/src/Main.cpp +--- a/usbguard-notifier-0.0.6/src/Main.cpp 2020-03-04 08:59:49.138771474 +0100 ++++ b/usbguard-notifier-0.0.6/src/Main.cpp 2021-09-24 13:07:41.322966320 +0200 +@@ -20,6 +20,7 @@ + #include "Log.hpp" + #include "Notifier.hpp" + ++#include + #include + #include + #include +@@ -27,10 +28,11 @@ + + #include + +-static const char* short_options = "wdh"; ++static const char* short_options = "wn:dh"; + + static const struct ::option long_options[] = { + { "wait", no_argument, nullptr, 'w' }, ++ { "num-attempts", required_argument, nullptr, 'n' }, + { "debug", no_argument, nullptr, 'd' }, + { "help", no_argument, nullptr, 'h' } + }; +@@ -40,22 +42,26 @@ + out << "Usage: " << app_name << " [OPTIONS]" << std::endl; + out << std::endl; + out << "Options:" << std::endl; +- out << " -w, --wait Wait until an active IPC connection is estabilished." << std::endl; +- out << " -d, --debug Enable debug mode." << std::endl; +- out << " -h, --help Show this usage message." << std::endl; ++ out << " -w, --wait Wait until an active IPC connection is estabilished." << std::endl; ++ out << " -n, --num-attempts Number of IPC connection attempts." << std::endl; ++ out << " -d, --debug Enable debug mode." << std::endl; ++ out << " -h, --help Show this usage message." << std::endl; + } + + int main(int argc, char** argv) + { + const std::string app_name(::basename(*argv)); + bool wait_connection = false, debug = false; +- int opt; ++ int opt, num_attempts = 3; + + while ((opt = getopt_long(argc, argv, short_options, long_options, nullptr)) != -1) { + switch (opt) { + case 'w': + wait_connection = true; + break; ++ case 'n': ++ num_attempts = std::atoi(optarg); ++ break; + case 'd': + debug = true; + break; +@@ -71,23 +77,26 @@ + } + NOTIFIER_LOGGER.setDebugMode(debug); + +- for (;;) { ++ bool print_err = true; ++ for (int i = 0; wait_connection || i < num_attempts; ++i) { + try { + usbguardNotifier::Notifier notifier(app_name); + notifier.connect(); + std::cout << "Connection has been established" << std::endl; ++ print_err = true; ++ i = 0; + notifier.wait(); + } catch (const std::runtime_error& e) { + std::cerr << "Error:" << e.what() << std::endl; + return EXIT_FAILURE; + } catch (const usbguard::Exception& e) { +- std::cerr << "IPC connection failure!" << e.message() << std::endl; +- std::cerr << "Check if usbguard-daemon is running in the background" << std::endl; +- if (!wait_connection) { +- break; ++ if (print_err) { ++ print_err = false; ++ std::cerr << "IPC connection failure!" << e.message() << std::endl; ++ std::cerr << "Check if usbguard-daemon is running in the background" << std::endl; + } +- sleep(1); + } ++ sleep(1); + } + return EXIT_SUCCESS; + } +diff --color -ru a/usbguard-notifier-0.0.6/usbguard-notifier.service.in b/usbguard-notifier-0.0.6/usbguard-notifier.service.in +--- a/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2020-03-04 09:00:32.019254871 +0100 ++++ b/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2021-09-24 13:07:41.322966320 +0200 +@@ -3,7 +3,7 @@ + After=usbguard.service + + [Service] +-ExecStart=%bindir%/usbguard-notifier -w ++ExecStart=%bindir%/usbguard-notifier + + [Install] + WantedBy=default.target diff --git a/SOURCES/usbguard-notifier-icon-injection.patch b/SOURCES/usbguard-notifier-icon-injection.patch new file mode 100644 index 0000000..daf5411 --- /dev/null +++ b/SOURCES/usbguard-notifier-icon-injection.patch @@ -0,0 +1,82 @@ +diff --color -ru a/usbguard-notifier-0.0.6/Makefile.am b/usbguard-notifier-0.0.6/Makefile.am +--- a/usbguard-notifier-0.0.6/Makefile.am 2021-11-18 11:38:43.704876330 +0100 ++++ b/usbguard-notifier-0.0.6/Makefile.am 2021-11-18 11:35:39.108500175 +0100 +@@ -35,6 +35,7 @@ + src/ThirdParty/Catch2/single_include/catch2 + + usbguard_notifier_SOURCES = \ ++ src/usbguard-icon.hpp \ + src/Notifier.hpp \ + src/NotifyWrapper.hpp \ + src/Serializer.hpp \ +@@ -43,8 +44,7 @@ + src/Notifier.cpp \ + src/NotifyWrapper.cpp \ + src/Serializer.cpp \ +- src/Log.cpp \ +- icons/usbguard-icon.svg ++ src/Log.cpp + + usbguard_notifier_LDFLAGS = \ + @rsvg_LIBS@ \ +@@ -65,7 +65,8 @@ + endif + + BUILT_SOURCES = \ +- src/BuildConfig.h ++ src/BuildConfig.h \ ++ src/usbguard-icon.hpp + + usbguard_notifier_cli_SOURCES = \ + src/Serializer.hpp \ +@@ -109,8 +110,16 @@ + # + # usbguard icon + # +-.svg.o: +- $(LD) -r -b binary -o $@ $< ++EXTRA_DIST += \ ++ $(top_builddir)/icons/usbguard-icon.svg ++ ++$(top_builddir)/src/usbguard-icon.hpp: $(top_builddir)/icons/usbguard-icon.svg ++ echo -e "#ifndef ICON_HPP\n#define ICON_HPP\nnamespace notify {\nconst char *icon =" > $@ ++ $(SED) 's/"/\\"/g' $^ | $(SED) 's/^/"/' | $(SED) 's/$$/\\n"/' >> $@ ++ echo -e ";\n}\n#endif" >> $@ ++ ++CLEANFILES += \ ++ $(top_builddir)/src/usbguard-icon.hpp + + # + # unit file +diff --color -ru a/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp b/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp +--- a/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp 2020-03-02 11:55:25.932999263 +0100 ++++ b/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp 2021-11-18 11:29:52.825157237 +0100 +@@ -18,14 +18,13 @@ + */ + + #include "NotifyWrapper.hpp" ++#include "usbguard-icon.hpp" + ++#include + #include + + #include + +-extern char _binary_icons_usbguard_icon_svg_start[]; +-extern char _binary_icons_usbguard_icon_svg_end[]; +- + namespace notify + { + +@@ -54,10 +53,7 @@ + Notification::Notification(const std::string& summary, const std::string& body) + : _n(notify_notification_new(summary.c_str(), body.c_str(), nullptr)) + { +- RsvgHandle* handle = rsvg_handle_new_from_data( +- (const guint8*)(_binary_icons_usbguard_icon_svg_start), +- _binary_icons_usbguard_icon_svg_end - _binary_icons_usbguard_icon_svg_start, +- nullptr); ++ RsvgHandle* handle = rsvg_handle_new_from_data((const guint8*)icon, std::strlen(icon), nullptr); + if (!handle) { + throw std::runtime_error("Failed to obtain rsvg handle"); + } diff --git a/SOURCES/usbguard-permanent-rules.patch b/SOURCES/usbguard-permanent-rules.patch new file mode 100644 index 0000000..845c702 --- /dev/null +++ b/SOURCES/usbguard-permanent-rules.patch @@ -0,0 +1,68 @@ +diff -up usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc.orig usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc +--- usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc.orig 2023-01-05 10:58:24.684407437 +0100 ++++ usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc 2023-01-05 10:58:42.323426745 +0100 +@@ -27,7 +27,12 @@ It may be overridden using the *-c* comm + behave like any other standard Linux daemon therefore it loads rule files in + alpha-numeric order. File names inside `RuleFolder` directory should start + with a two-digit number prefix indicating the position, in which the rules +- are scanned by the daemon. ++ are scanned by the daemon. Using RuleFile and RuleFolder at the same time is ++ permitted. However, modification of the permanent policy is not possible if ++ one of the following conditions are met: ++ ** Neither RuleFile nor RuleFolder are specified. ++ ** RuleFile is not specified, RuleFolder is but it does not contain any files, ++ where we could save permanent rules. + + *ImplicitPolicyTarget*='target':: + How to treat USB devices that don't match any rule in the policy. Target +diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp +--- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig 2023-01-05 10:58:49.689434809 +0100 ++++ usbguard-1.0.0/src/Daemon/Daemon.cpp 2023-01-05 10:59:18.991466884 +0100 +@@ -742,7 +742,7 @@ namespace usbguard + /* TODO: reevaluate the firewall rules for all active devices */ + const uint32_t id = _policy.appendRule(rule, parent_id); + +- if (_config.hasSettingValue("RuleFile") && permanent) { ++ if ((_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) && permanent) { + _policy.save(); + } + +@@ -755,7 +755,7 @@ namespace usbguard + USBGUARD_LOG(Trace) << "id=" << id; + _policy.removeRule(id); + +- if (_config.hasSettingValue("RuleFile")) { ++ if (_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) { + _policy.save(); + } + } +diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp +--- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig 2023-01-05 10:59:27.117475780 +0100 ++++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp 2023-01-05 10:59:46.228496702 +0100 +@@ -75,8 +75,24 @@ namespace usbguard + } + } + +- if (ruleSet.empty()){ +- USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible."; ++ /* ++ * This means one of the following: ++ * - Neither RuleFile nor RuleFolder are specified ++ * - RuleFile not specified, RuleFolder is but it does not contain any files, ++ * where we could save permanent rules ++ */ ++ if (ruleSet.empty()) { ++ std::string msg; ++ ++ if (ns.getRulesPath().empty() && ns.getRulesDirPath().empty()) { ++ msg = "Neither RuleFile nor RuleFolder are set."; ++ } ++ else { ++ msg = "RuleFile is not set, RuleFolder is but it does not contain any rule files."; ++ } ++ ++ USBGUARD_LOG(Warning) << "Modification of the permanent policy won't be possible." ++ << " Reason: " << msg; + ruleSet = generateDefaultRuleSet(); + } + diff --git a/SOURCES/usbguard-selinux-audit-capability.patch b/SOURCES/usbguard-selinux-audit-capability.patch new file mode 100644 index 0000000..46bc72e --- /dev/null +++ b/SOURCES/usbguard-selinux-audit-capability.patch @@ -0,0 +1,12 @@ +diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te +--- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig 2021-03-17 15:08:59.975712403 +0100 ++++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te 2021-03-17 15:09:21.565708348 +0100 +@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t) + # Local policy + # + +-allow usbguard_t self:capability { chown fowner }; ++allow usbguard_t self:capability { chown fowner audit_write }; + allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read }; + allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; + diff --git a/SOURCES/usbguard-selinux-cpuinfo.patch b/SOURCES/usbguard-selinux-cpuinfo.patch new file mode 100644 index 0000000..2371d64 --- /dev/null +++ b/SOURCES/usbguard-selinux-cpuinfo.patch @@ -0,0 +1,12 @@ +diff -up ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo ./usbguard-selinux-0.0.3/usbguard.te +--- ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo 2020-06-18 15:53:40.161615146 +0200 ++++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-18 15:54:28.399982328 +0200 +@@ -77,6 +77,8 @@ auth_read_passwd(usbguard_t) + dev_list_sysfs(usbguard_t) + dev_rw_sysfs(usbguard_t) + ++kernel_read_system_state(usbguard_t) ++ + list_dirs_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t) + read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t) + dontaudit usbguard_t usbguard_conf_t:file write; diff --git a/SOURCES/usbguard-selinux-dbus-CVE.patch b/SOURCES/usbguard-selinux-dbus-CVE.patch new file mode 100644 index 0000000..24d378e --- /dev/null +++ b/SOURCES/usbguard-selinux-dbus-CVE.patch @@ -0,0 +1,27 @@ +diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te +--- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig 2022-08-24 16:14:30.810875871 +0200 ++++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te 2022-08-24 16:15:50.064906117 +0200 +@@ -100,7 +100,6 @@ logging_log_filetrans(usbguard_t, usbgua + + logging_send_syslog_msg(usbguard_t) + +-dbus_system_domain(usbguard_t, usbguard_exec_t) + usbguard_ipc_access(usbguard_t) + + tunable_policy(`usbguard_daemon_write_rules',` +@@ -111,6 +110,15 @@ tunable_policy(`usbguard_daemon_write_co + rw_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t) + ') + ++optional_policy(` ++ dbus_system_domain(usbguard_t, usbguard_exec_t) ++ ++ optional_policy(` ++ policykit_dbus_chat(usbguard_t) ++ ') ++') ++ ++ + # Allow confined users to communicate with usbguard over unix socket + optional_policy(` + gen_require(` diff --git a/SOURCES/usbguard-selinux-list-dir.patch b/SOURCES/usbguard-selinux-list-dir.patch new file mode 100644 index 0000000..9334b45 --- /dev/null +++ b/SOURCES/usbguard-selinux-list-dir.patch @@ -0,0 +1,11 @@ +diff -up ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir ./usbguard-selinux-0.0.3/usbguard.te +--- ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir 2020-06-09 10:53:03.191977241 +0200 ++++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-09 10:54:21.441965315 +0200 +@@ -81,6 +81,7 @@ list_dirs_pattern(usbguard_t,usbguard_co + read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t) + dontaudit usbguard_t usbguard_conf_t:file write; + ++list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t) + read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t) + + manage_dirs_pattern(usbguard_t, usbguard_var_run_t, usbguard_var_run_t) diff --git a/SOURCES/usbguard-selinux-rules-d.patch b/SOURCES/usbguard-selinux-rules-d.patch new file mode 100644 index 0000000..5d56573 --- /dev/null +++ b/SOURCES/usbguard-selinux-rules-d.patch @@ -0,0 +1,22 @@ +From 008af22f238bfb97f6d337759732ac87bdef7b24 Mon Sep 17 00:00:00 2001 +From: alakatos +Date: Mon, 25 May 2020 15:27:38 +0200 +Subject: [PATCH] /etc/usrbuard/rules.d(/.*)? has usbguard_rules_t label right + after the installation + +--- + usbguard.fc | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/usbguard.fc b/usbguard.fc +index bce3e8c..3e14720 100644 +--- a/usbguard-selinux-0.0.3/usbguard.fc ++++ b/usbguard-selinux-0.0.3/usbguard.fc +@@ -13,6 +13,7 @@ + # You should have received a copy of the GNU General Public License + # along with this program. If not, see . + ++/etc/usbguard/rules\.d(/.*)? gen_context(system_u:object_r:usbguard_rules_t,s0) + /etc/usbguard/rules.conf -- gen_context(system_u:object_r:usbguard_rules_t,s0) + /etc/usbguard(/.*)? gen_context(system_u:object_r:usbguard_conf_t,s0) + /dev/shm/qb-usbguard-.* -- gen_context(system_u:object_r:usbguard_tmpfs_t,s0) diff --git a/SOURCES/usbguard-validate-acl.patch b/SOURCES/usbguard-validate-acl.patch new file mode 100644 index 0000000..b2b5bd4 --- /dev/null +++ b/SOURCES/usbguard-validate-acl.patch @@ -0,0 +1,105 @@ +diff --color -ru a/doc/man/usbguard.1.adoc b/doc/man/usbguard.1.adoc +--- a/doc/man/usbguard.1.adoc 2021-09-20 09:08:55.134538747 +0200 ++++ b/doc/man/usbguard.1.adoc 2021-09-20 16:46:48.266557561 +0200 +@@ -282,6 +282,7 @@ + .... + + Consult the usbguard-daemon.conf(5) man-page for a detailed list of available privileges in each section. ++You can also use 'ALL' instead of 'privileges' to automatically assign all relevant privileges to a given section. + + + === *remove-user* 'name' ['OPTIONS'] +diff --color -ru a/doc/man/usbguard-daemon.conf.5.adoc b/doc/man/usbguard-daemon.conf.5.adoc +--- a/doc/man/usbguard-daemon.conf.5.adoc 2021-09-20 09:08:55.135538763 +0200 ++++ b/doc/man/usbguard-daemon.conf.5.adoc 2021-09-20 13:20:09.788855176 +0200 +@@ -162,6 +162,8 @@ + + ** list: Get values of run-time parameters. + ++ ** listen: Listen to property parameter changes. ++ + The following is a generally usable and reasonably safe example of an access control file. + It allows one to modify USB device authorization state (`Devices=modify`), list USB devices (`Devices=list`), listen to USB device related events (`Devices=listen`), list USB authorization policy rules (`Policy=list`) and listen to exception events (`Exceptions=listen`): + +diff --color -ru a/src/Library/public/usbguard/IPCServer.cpp b/src/Library/public/usbguard/IPCServer.cpp +--- a/src/Library/public/usbguard/IPCServer.cpp 2021-09-20 09:08:55.206539917 +0200 ++++ b/src/Library/public/usbguard/IPCServer.cpp 2021-09-22 10:38:28.703655497 +0200 +@@ -159,18 +159,25 @@ + throw USBGUARD_BUG("Cannot set privileges for NONE section"); + } + ++ const uint8_t p = static_cast(privilege); ++ + if (section == Section::ALL) { +- for (const auto& value : { ++ for (const auto& s : { + Section::POLICY, + Section::PARAMETERS, + Section::EXCEPTIONS, + Section::DEVICES + }) { +- _access_control[value] |= static_cast(privilege); ++ _access_control[s] |= p & ~ac_mask(s); + } + } + else { +- _access_control[section] |= static_cast(privilege); ++ if (privilege != Privilege::ALL && (p & ac_mask(section))) { ++ throw std::runtime_error("Invalid privilege " + ++ privilegeToString(privilege) + " for section " + ++ sectionToString(section)); ++ } ++ _access_control[section] |= p & ~ac_mask(section); + } + } + +@@ -254,6 +261,28 @@ + merge(access_control); + } + ++ uint8_t IPCServer::AccessControl::ac_mask(IPCServer::AccessControl::Section section) const ++ { ++ const uint8_t MODIFY = static_cast(Privilege::MODIFY); ++ const uint8_t LIST = static_cast(Privilege::LIST); ++ const uint8_t LISTEN = static_cast(Privilege::LISTEN); ++ ++ switch (section) { ++ case Section::DEVICES: ++ return ~(MODIFY | LIST | LISTEN); ++ case Section::POLICY: ++ return ~(MODIFY | LIST); ++ case Section::EXCEPTIONS: ++ return ~(LISTEN); ++ case Section::PARAMETERS: ++ return ~(MODIFY | LIST | LISTEN); ++ case Section::ALL: ++ case Section::NONE: ++ default: ++ return 0xff; ++ } ++ } ++ + IPCServer::IPCServer() + : d_pointer(usbguard::make_unique(*this)) + { +diff --color -ru a/src/Library/public/usbguard/IPCServer.hpp b/src/Library/public/usbguard/IPCServer.hpp +--- a/src/Library/public/usbguard/IPCServer.hpp 2021-09-20 09:08:55.200539819 +0200 ++++ b/src/Library/public/usbguard/IPCServer.hpp 2021-09-20 13:11:31.476803776 +0200 +@@ -278,6 +278,17 @@ + }; + + /** ++ * @brief Get a privilege mask for given section ++ * ++ * For example, if the section is POLICY that has privileges MODIFY ++ * and LIST, the mask would be ~(MODIFY | LIST) ++ * ++ * @param section Section for which the privilege mask should be returned ++ * @return Privilege mask for section ++ */ ++ uint8_t ac_mask(Section section) const; ++ ++ /** + * @brief Access control represented by unordered map of + * tuples (Section, 8b privileges). + * diff --git a/SPECS/usbguard.spec b/SPECS/usbguard.spec new file mode 100644 index 0000000..52c652e --- /dev/null +++ b/SPECS/usbguard.spec @@ -0,0 +1,581 @@ +%global _hardened_build 1 +%global selinuxtype targeted +%global moduletype contrib +%define semodule_version 0.0.3 +%define notifier_version 0.0.6 + +%bcond_without check + +Name: usbguard +Version: 1.0.0 +Release: 13%{?dist} +Summary: A tool for implementing USB device usage policy +Group: System Environment/Daemons +License: GPLv2+ +## Not installed +# src/ThirdParty/Catch: Boost Software License - Version 1.0 +URL: https://usbguard.github.io/ +Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz +Source1: https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz +Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz +Source3: usbguard-daemon.conf +ExcludeArch: i686 + +Requires: systemd +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires(post): /sbin/ldconfig +Requires(postun): /sbin/ldconfig +Recommends: (%{name}-selinux if selinux-policy-%{selinuxtype}) + +BuildRequires: gcc-c++ +BuildRequires: libqb-devel +BuildRequires: libgcrypt-devel +BuildRequires: libstdc++-devel +BuildRequires: protobuf-devel protobuf-compiler +BuildRequires: PEGTL-static +BuildRequires: catch1-devel +BuildRequires: autoconf automake libtool +BuildRequires: bash-completion +BuildRequires: asciidoc +BuildRequires: audit-libs-devel +# For `pkg-config systemd` only +BuildRequires: systemd + +BuildRequires: dbus-glib-devel +BuildRequires: dbus-devel +BuildRequires: glib2-devel +BuildRequires: polkit-devel +BuildRequires: libxslt +BuildRequires: libxml2 + +Patch1: usbguard-0.7.6-notifier.patch +Patch2: usbguard-selinux-rules-d.patch +Patch3: usbguard-selinux-list-dir.patch +Patch4: usbguard-selinux-cpuinfo.patch +Patch5: usbguard-audit-capability.patch +Patch6: usbguard-selinux-audit-capability.patch +Patch7: usbguard-ipaddressdeny.patch +Patch8: usbguard-ipc-override-fix.patch +Patch9: usbguard-validate-acl.patch +Patch10: usbguard-notifier-decrease-spam.patch +Patch11: usbguard-notifier-icon-injection.patch +Patch12: usbguard-dbus-CVE.patch +Patch13: usbguard-selinux-dbus-CVE.patch +Patch14: usbguard-dbus-CVE-leak.patch +Patch15: usbguard-daemon-race-condition.patch +Patch16: usbguard-OOMScoreAdjust.patch +Patch17: usbguard-consistent-rules.patch +Patch18: usbguard-missing-doc.patch +Patch19: usbguard-permanent-rules.patch +Patch20: usbguard-disable-console-log.patch + +%description +The USBGuard software framework helps to protect your computer against rogue USB +devices by implementing basic whitelisting/blacklisting capabilities based on +USB device attributes. + +%package devel +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} +Requires: pkgconfig +Requires: libstdc++-devel + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + +%package tools +Summary: USBGuard Tools +Group: Applications/System +Requires: %{name} = %{version}-%{release} + +%description tools +The %{name}-tools package contains optional tools from the USBGuard +software framework. + +%package dbus +Summary: USBGuard D-Bus Service +Group: Applications/System +Requires: %{name} = %{version}-%{release} +Requires: dbus +Requires: polkit + +%description dbus +The %{name}-dbus package contains an optional component that provides +a D-Bus interface to the USBGuard daemon component. + +%package selinux +Summary: USBGuard selinux +Group: Applications/System +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description selinux +The %{name}-selinux package contains selinux policy for the USBGuard +daemon. + +%package notifier +Summary: A tool for detecting usbguard policy and device presence changes +Group: Applications/System +Requires: %{name} = %{version}-%{release} +Requires: systemd +BuildRequires: librsvg2-devel +BuildRequires: libnotify-devel +BuildRequires: execstack + +%description notifier +The %{name}-notifier package detects usbguard policy modifications as well as +device presence changes and displays them as pop-up notifications. + +# usbguard +%prep +%setup -q + +# selinux +%setup -q -D -T -a 1 + +# notifier +%setup -q -D -T -a 2 + +# Remove bundled library sources before build +rm -rf src/ThirdParty/{Catch,PEGTL} + +%patch1 -p1 -b .notifier +%patch2 -p1 -b .rules-d-selinux +%patch3 -p1 -b .list-dir +%patch4 -p1 -b .cpuinfo +%patch5 -p1 -b .audit-capability +%patch6 -p1 -b .selinux-audit-capability +%patch7 -p1 -b .ipaddressdeny +%patch8 -p1 -b .ipc-override-fix +%patch9 -p1 -b .validate-acl +%patch10 -p1 -b .notifier-decrease-spam +%patch11 -p1 -b .notifier-icon-injection +%patch12 -p1 -b .dbus-CVE +%patch13 -p1 -b .selinux-dbus-CVE +%patch14 -p1 -b .dbus-CVE-leak +%patch15 -p1 -b .daemon-race +%patch16 -p1 -b .OOMScoreAdjust +%patch17 -p1 -b .consistent-rules +%patch18 -p1 -b .missing-doc +%patch19 -p1 -b .permanent-rules +%patch20 -p1 -b .disable-syslog + +%build +mkdir -p ./m4 +autoreconf -i -v --no-recursive ./ +%configure \ + --disable-silent-rules \ + --without-bundled-catch \ + --without-bundled-pegtl \ + --enable-systemd \ + --with-dbus \ + --with-polkit \ + --with-crypto-library=gcrypt + +make %{?_smp_mflags} + +# selinux +pushd %{name}-selinux-%{semodule_version} +make +popd + +# notifier +pushd %{name}-notifier-%{notifier_version} +mkdir -p ./m4 +autoreconf -i -v --no-recursive ./ +export CXXFLAGS="$RPM_OPT_FLAGS" +%configure \ + --disable-silent-rules \ + --without-bundled-catch \ + --enable-debug-build \ + --disable-notifier-cli \ + --with-usbguard-devel="../" + +%set_build_flags +make %{?_smp_mflags} +popd + +%if %{with check} +%check +make check +%endif + +# selinux +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%install +make install INSTALL='install -p' DESTDIR=%{buildroot} + +# Overwrite configuration with distribution defaults +mkdir -p %{buildroot}%{_sysconfdir}/usbguard +mkdir -p %{buildroot}%{_sysconfdir}/usbguard/rules.d +mkdir -p %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d +install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf + +# selinux +install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} +install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if + +# notifier +pushd %{name}-notifier-%{notifier_version} +make install INSTALL='install -p' DESTDIR=%{buildroot} +execstack -c %{buildroot}%{_bindir}/%{name}-notifier +popd + +# Cleanup +find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' + +%preun +%systemd_preun usbguard.service + +%post +/sbin/ldconfig +%systemd_post usbguard.service + +%postun +/sbin/ldconfig +%systemd_postun usbguard.service + +%files +%defattr(-,root,root,-) +%doc README.adoc CHANGELOG.md +%license LICENSE +%{_libdir}/*.so.* +%{_sbindir}/usbguard-daemon +%{_bindir}/usbguard +%dir %{_localstatedir}/log/usbguard +%dir %{_sysconfdir}/usbguard +%dir %{_sysconfdir}/usbguard/rules.d/ +%dir %{_sysconfdir}/usbguard/IPCAccessControl.d +%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf +%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf +%{_unitdir}/usbguard.service +%{_datadir}/man/man8/usbguard-daemon.8.gz +%{_datadir}/man/man5/usbguard-daemon.conf.5.gz +%{_datadir}/man/man5/usbguard-rules.conf.5.gz +%{_datadir}/man/man1/usbguard.1.gz +%{_datadir}/bash-completion/completions/usbguard + +%files devel +%defattr(-,root,root,-) +%{_includedir}/* +%{_libdir}/*.so +%{_libdir}/pkgconfig/*.pc + +%files tools +%defattr(-,root,root,-) +%{_bindir}/usbguard-rule-parser + + +%files dbus +%defattr(-,root,root,-) +%{_sbindir}/usbguard-dbus +%{_datadir}/dbus-1/system-services/org.usbguard1.service +%{_datadir}/dbus-1/system.d/org.usbguard1.conf +%{_datadir}/polkit-1/actions/org.usbguard1.policy +%{_unitdir}/usbguard-dbus.service +%{_mandir}/man8/usbguard-dbus.8.gz + +%preun dbus +%systemd_preun usbguard-dbus.service + +%post dbus +%systemd_post usbguard-dbus.service + +%postun dbus +%systemd_postun_with_restart usbguard-dbus.service + +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{name} +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} + +%files notifier +%defattr(-,root,root,-) +%doc %{name}-notifier-%{notifier_version}/README.md %{name}-notifier-%{notifier_version}/CHANGELOG.md +%license %{name}-notifier-%{notifier_version}/LICENSE +%{_bindir}/%{name}-notifier +%{_mandir}/man1/%{name}-notifier.1.gz +%{_userunitdir}/%{name}-notifier.service + +%post notifier +%systemd_user_post \--preset-mode=disable-only %{name}-notifier.service + +%preun notifier +%systemd_user_preun %{name}-notifier.service + +%postun notifier +%systemd_user_postun_with_restart %{name}-notifier.service + + +%changelog +* Thu Jan 12 2023 Attila Lakatos - 1.0.0-13 +- Set OOMScoreAdjust to -1000 in service file +Resolves: rhbz#2159411 +- Fix race condition in usbguard-daemon when forking +Resolves: rhbz#2159409 +- Add missing files to documentation +Resolves: rhbz#2159412 +- Disable logging to console, logging to syslog is still enabled +- Store permanent rules even if RuleFile is not set but RuleFolder is +- Neither RuleFolder nor RuleFile exists bugfix +Resolves: rhbz#2159413 +- Remove build for i686 arch +Resolves: rhbz#2105091 + +* Wed Aug 24 2022 Attila Lakatos - 1.0.0-10 +- Fix unauthorized access via D-bus +- Fix memory leaks on connection failure to D-bus +Resolves: rhbz#2059067 + +* Mon Nov 29 2021 Zoltan Fridrich - 1.0.0-8 +- change usbguard icon injection +- fix DSP module definition in spec file +Resolves: rhbz#2014441 +- add execstack to spec +- remove IPAddressDeny from usbguard service +Resolves: rhbz#1929364 +- fix file conflict when installing usbguard on rhel +Resolves: rhbz#1963271 +- fix IPC access control files override +Resolves: rhbz#2004511 +- validate ACL permission existence +Resolves: rhbz#2005020 +- decrease usbguard-notifier spam when denied connection +Resolves: rhbz#2000000 + +* Wed Mar 17 2021 Attila Lakatos - 1.0.0-2 +- Add CAP_AUDIT_WRITE capability to service file +Resolves: rhbz#1940060 + +* Tue Jan 19 2021 Attila Lakatos - 1.0.0-1 +- Rebase to 1.0.0 +Resolves: rhbz#1887448 +- Filtering rules by attribute +Resolves: rhbz#1873953 +- Change device policy of multiple devices using rule instead of ID +Resolves: rhbz#1852568 + +* Tue Aug 11 2020 Attila Lakatos - 0.7.8-7 +- Do not cause segfault in case of an empty rulesd folder +Resolves: rhbz#1738590 + +* Wed Aug 05 2020 Radovan Sroka - 0.7.8-6 +- RHEL 8.3.0 ERRATUM +- Removed execstack from .spec +- Removed AuthorizedDefault=wired from the usbguard +Resolves: rhbz#1852539 +- Missing error message on bad configuration +Resolves: rhbz#1857299 +- /etc/usbguard/usbguard-daemon.conf file does not contain all default options +Resolves: rhbz#1862907 + +* Wed Jun 17 2020 Radovan Sroka - 0.7.8-5 +- RHEL 8.3.0 ERRATUM +- Use old-fasioned forking style in unit file +Resolves: rhbz#1846885 +- Allow usbguard to read /proc/cpuinfo +Resolves: rhbz#1847870 +- Removed notifier's Requires for usbguard-devel +Resolves: rhbz#1667395 +- Allow usbguard to read /dev/urandom +Resolves: rhbz#1848618 + +* Wed May 06 2020 Attila Lakatos - 0.7.8-4 +- RHEL 8.3.0 ERRATUM +- Spec file clean up +- Rebase to 0.7.8 +Resolves: rhbz#1738590 +- Added selinux subpackage +Resolves: rhbz#1683567 +- Added notifier subpackage +- Installing /etc/usbguard/rules.d/ +Resolves: rhbz#1667395 +- Fixed sigwaitinfo handling +Resolves: rhbz#1835210 + +* Mon Nov 25 2019 Marek Tamaskovic - 0.7.4-4 +- add match-all keyword + +* Tue May 21 2019 Daniel Kopeček - 0.7.4-3 +- spec: make the check phase conditional + +* Fri Dec 14 2018 Jiri Vymazal - 0.7.4-2 + Resolves: rhbz#1643057 - usbguard fails to report invalid value in IPCAccessControlFiles directive + +* Wed Jul 11 2018 Daniel Kopeček - 0.7.4-1 +- Update to 0.7.4 +- Replaced asciidoctor dependency with asciidoc +- Disabled Qt applet + +* Fri Feb 09 2018 Fedora Release Engineering - 0.7.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Jan 23 2018 Daniel Kopeček - 0.7.2-2 +- Escape rpm macros mentioned in changelog section + +* Tue Jan 23 2018 Daniel Kopeček - 0.7.2-1 +- Update to 0.7.2 +- Don't use --enable-werror downstream +- Removed patches related to compiler warnings + +* Mon Jan 15 2018 Igor Gnatenko - 0.7.1-2 +- catch → catch1 + +* Wed Dec 06 2017 Daniel Kopeček - 0.7.1-1 +- Update to 0.7.1 + +* Wed Nov 29 2017 Igor Gnatenko - 0.7.0-9 +- Rebuild for protobuf 3.5 + +* Mon Nov 13 2017 Igor Gnatenko - 0.7.0-8 +- Rebuild for protobuf 3.4 + +* Mon Oct 16 2017 Daniel Kopeček 0.7.0-7 +- Fix enumeration timeout on kernel >= 4.13 + Resolves: rhbz#1499052 + +* Thu Aug 03 2017 Fedora Release Engineering - 0.7.0-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 0.7.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Thu Jul 13 2017 Daniel Kopeček 0.7.0-4 +- Added patch to disable unused parameter warning for protobuf + generated sources to fix compilation with newer protobuf version + +* Tue Jun 13 2017 Orion Poplawski - 0.7.0-3 +- Rebuild for protobuf 3.3.1 + +* Mon May 15 2017 Fedora Release Engineering - 0.7.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_27_Mass_Rebuild + +* Thu Apr 13 2017 Daniel Kopeček 0.7.0-1 +- Update to 0.7.0 + - changed PresentDevicePolicy setting from keep to apply-policy + - added AuditFilePath configuration option pointing to + /var/log/usbguard/usbguard-audit.log file + - install bash-completion script + - use 0600 file permissions for usbguard-daemon.conf and rules.conf + +* Sun Mar 19 2017 Daniel Kopeček 0.6.3-0.1.20170319 +- Update to latest git snapshot + +* Fri Mar 17 2017 Daniel Kopeček 0.6.3-0.1.20170317 +- Update to latest git snapshot +- Use --enable-werror configure option as the upstream default + changed to not use -Werror. + +* Thu Mar 02 2017 Daniel Kopeček 0.6.3-0.1.20170301 +- Update to latest git snapshot +- Disabled upstream alignment warning compiler flag + +* Sat Feb 11 2017 Fedora Release Engineering - 0.6.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Jan 26 2017 Orion Poplawski - 0.6.2-3 +- Rebuild for protobuf 3.2.0 + +* Sat Nov 19 2016 Orion Poplawski - 0.6.2-2 +- Rebuild for protobuf 3.1.0 + +* Sun Sep 18 2016 Daniel Kopeček 0.6.2-1 +- Update to 0.6.2 + +* Fri Sep 16 2016 Daniel Kopeček 0.6.1-1 +- Update to 0.6.1 + +* Sun Sep 04 2016 Daniel Kopeček 0.6.0-1 +- Update to 0.6.0 + +* Thu Aug 18 2016 Daniel Kopeček 0.5.14-1 +- Update to 0.5.14 + +* Tue Aug 16 2016 Daniel Kopeček 0.5.13-1 +- Update to 0.5.13 + +* Sun Aug 14 2016 Daniel Kopeček 0.5.12-1 +- Update to 0.5.12 + +* Sat Aug 13 2016 Daniel Kopeček 0.5.11-2 +- Update source tarball +- Ship CHANGELOG.md + +* Sat Aug 13 2016 Daniel Kopeček 0.5.11-1 +- Update to 0.5.11 +- Use libgcrypt instead of libsodium for crypto + +* Thu Jul 21 2016 Daniel Kopecek 0.5.10-2 +- Adjust the default configuration to keep the authorization state + of present controller devices. + +* Sat Jul 09 2016 Daniel Kopecek 0.5.10-1 +- Update to release 0.5.10 + +* Mon Mar 07 2016 Remi Collet - 0.4-5 +- rebuild for new libsodium soname + +* Sun Feb 07 2016 Daniel Kopecek 0.4-4 +- Update to version 0.4 +- added usbguard CLI +- added a tools subpackage with usbguard-rule-parser binary + +* Fri Feb 05 2016 Fedora Release Engineering - 0.3p3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jun 19 2015 Fedora Release Engineering - 0.3p3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Apr 14 2015 Daniel Kopecek 0.3p3-1 +- Update to version 0.3p3 +- added %%check section +- removed explicit -devel requires on systemd, libqb and + libsodium devel files +- added -devel requires on libstdc++-devel + +* Sat Apr 11 2015 Daniel Kopecek 0.3p2-1 +- Update to version 0.3p2 +- use system-wide json and spdlog packages + +* Fri Apr 10 2015 Daniel Kopecek 0.3p1-1 +- Update to version 0.3p1 +- removed bundled cppformat copylib + +* Thu Apr 09 2015 Daniel Kopecek 0.3-1 +- Update to version 0.3 +- disabled silent rules +- install license file +- added man pages +- use _hardened_build 1 instead of custom compilation flags +- fix file permissions on files in /etc +- do not install an empty rule set file + +* Fri Apr 03 2015 Daniel Kopecek 0.2-1 +- Update to version 0.2 +- Updated description +- Corrected package group + +* Tue Mar 17 2015 Daniel Kopecek 0.1-1 +- Initial package