rpms
/
usbguard
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import usbguard-1.0.0-10.el9

Browse Source
c9 imports/c9/usbguard-1.0.0-10.el9
CentOS Sources 3 years ago committed by MSVSphere Packaging Team
commit c6bb5df54f
11 changed files with 1234 additions and 0 deletions
Show Stats Download Patch File Download Diff File

3
.gitignore vendored
Unescape View File

@ -0,0 +1,3 @@
SOURCES/usbguard-1.0.0.tar.gz
SOURCES/usbguard-notifier-0.0.6.tar.gz
SOURCES/usbguard-selinux-0.0.4.tar.gz

3
.usbguard.metadata
Unescape View File

@ -0,0 +1,3 @@
bf909799daae6798634e1b01efaaadc5781b9755 SOURCES/usbguard-1.0.0.tar.gz
7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
40db29405c2236791ca5ce616d9e563a8309356e SOURCES/usbguard-selinux-0.0.4.tar.gz

88
SOURCES/usbguard-0.7.6-notifier.patch
Unescape View File

@ -0,0 +1,88 @@
diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac
--- ./usbguard-notifier-0.0.6/configure.ac.notifier 2020-04-29 07:35:43.057914703 +0200
+++ ./usbguard-notifier-0.0.6/configure.ac 2020-06-17 16:27:53.577151720 +0200
@@ -44,6 +44,32 @@ AC_ARG_WITH(
[notificaiton_path="/tmp/usbguard-notifier"]
)
+# usbguard-devel
+# Add the path to where your usbguard-devel includes are
+# You might need this option when you want to package usbguard-notifier
+# together with usbguard at the same time
+AC_ARG_WITH(
+ [usbguard-devel],
+ AS_HELP_STRING([--with-usbguard-devel], [Select to compile notifier from source usbguard devel files(only top level directory)]),
+ [usbguard_CFLAGS="-I$withval/src/Library/public/"
+ usbguard_LIBS=""
+ usbguard_LA="$withval/libusbguard.la"
+ libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"
+ AC_SUBST([usbguard_CFLAGS])
+ AC_SUBST([usbguard_LIBS])
+ AC_SUBST([usbguard_LA])
+ custom_usbguard_devel_enabled=yes
+ ],
+ [
+ PKG_CHECK_MODULES(
+ [usbguard],
+ [libusbguard >= 0.7.2],
+ [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
+ [AC_MSG_FAILURE([libusbguard development files not found])]
+ )
+ ]
+)
+
# Build notifier-cli, default is yes
AC_ARG_ENABLE([notifier-cli],
[AC_HELP_STRING([--enable-notifier-cli], [enable notifier cli(default=yes)])],
@@ -81,14 +107,6 @@ PKG_CHECK_MODULES(
[AC_MSG_FAILURE([libnotify development files not found])]
)
-# usbguard
-PKG_CHECK_MODULES(
- [usbguard],
- [libusbguard >= 0.7.2],
- [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
- [AC_MSG_FAILURE([libusbguard development files not found])]
-)
-
# asciidoc
AC_CHECK_PROGS(A2X, [a2x])
if test -z "$A2X"; then
@@ -162,6 +180,7 @@ AC_SUBST(config_PATH, $prefix/.config)
AC_SUBST(NOTIFICATION_PATH, $notification_path)
AM_CONDITIONAL([NOTIFIER_CLI_ENABLED], [test "x$notifier_cli_enabled" = xyes ])
+AM_CONDITIONAL([CUSTOM_USBGUARD_DEVEL_ENABLED], [test "x$custom_usbguard_devel_enabled" = "xyes"])
AC_CONFIG_FILES([
Makefile
diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am
--- ./usbguard-notifier-0.0.6/Makefile.am.notifier 2020-04-29 07:18:21.024388188 +0200
+++ ./usbguard-notifier-0.0.6/Makefile.am 2020-06-17 16:27:53.592151848 +0200
@@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \
@usbguard_CFLAGS@ \
-fPIC
+if CUSTOM_USBGUARD_DEVEL_ENABLED
+usbguard_notifier_LDADD = \
+ @usbguard_LA@
+usbguard_notifier_cli_LDADD = \
+ @usbguard_LA@
+endif
+
BUILT_SOURCES = \
src/BuildConfig.h
diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1
--- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier 2020-06-17 19:55:54.621855004 +0200
+++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 2020-06-17 19:56:46.551297432 +0200
@@ -53,7 +53,7 @@ Show help\&.
.RE
.SH "SEE ALSO"
.sp
-usbguard\-notifier\-cli(1), usbguard(1)
+usbguard(1)
.SH "BUGS"
.sp
If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&.

12
SOURCES/usbguard-audit-capability.patch
Unescape View File

@ -0,0 +1,12 @@
diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
--- usbguard-1.0.0/usbguard.service.in.orig 2021-03-17 14:16:21.675374844 +0100
+++ usbguard-1.0.0/usbguard.service.in 2021-03-17 14:16:29.056373213 +0100
@@ -5,7 +5,7 @@ Documentation=man:usbguard-daemon(8)
[Service]
AmbientCapabilities=
-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
DevicePolicy=closed
ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
IPAddressDeny=any

211
SOURCES/usbguard-daemon.conf
Unescape View File

@ -0,0 +1,211 @@
#
# Rule set file path.
#
# The USBGuard daemon will use this file to load the policy
# rule set from it and to write new rules received via the
# IPC interface.
#
# RuleFile=/path/to/rules.conf
#
RuleFile=/etc/usbguard/rules.conf
#
# Rule set folder path.
#
# The USBGuard daemon will use this folder to load the policy
# rule set from it and to write new rules received via the
# IPC interface. Usually, we set the option to
# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to
# behave like any other standard Linux daemon therefore it
# loads rule files in alpha-numeric order. File names inside
# RuleFolder directory should start with a two-digit number
# prefix indicating the position, in which the rules are
# scanned by the daemon.
#
# RuleFolder=/path/to/rulesfolder/
#
RuleFolder=/etc/usbguard/rules.d/
#
# Implicit policy target.
#
# How to treat devices that don't match any rule in the
# policy. One of:
#
# * allow - authorize the device
# * block - block the device
# * reject - remove the device
#
ImplicitPolicyTarget=block
#
# Present device policy.
#
# How to treat devices that are already connected when the
# daemon starts. One of:
#
# * allow - authorize every present device
# * block - deauthorize every present device
# * reject - remove every present device
# * keep - just sync the internal state and leave it
# * apply-policy - evaluate the ruleset for every present
# device
#
PresentDevicePolicy=apply-policy
#
# Present controller policy.
#
# How to treat USB controllers that are already connected
# when the daemon starts. One of:
#
# * allow - authorize every present device
# * block - deauthorize every present device
# * reject - remove every present device
# * keep - just sync the internal state and leave it
# * apply-policy - evaluate the ruleset for every present
# device
#
PresentControllerPolicy=keep
#
# Inserted device policy.
#
# How to treat USB devices that are already connected
# *after* the daemon starts. One of:
#
# * block - deauthorize every present device
# * reject - remove every present device
# * apply-policy - evaluate the ruleset for every present
# device
#
InsertedDevicePolicy=apply-policy
#
# Control which devices are authorized by default.
#
# The USBGuard daemon modifies some the default authorization state attributes
# of controller devices. This setting, enables you to define what value the
# default authorization is set to.
#
# * keep - do not change the authorization state
# * none - every new device starts out deauthorized
# * all - every new device starts out authorized
# * internal - internal devices start out authorized, external devices start
# out deauthorized (this requires the ACPI tables to properly
# label internal devices, and kernel support)
#
#AuthorizedDefault=none
#
# Restore controller device state.
#
# The USBGuard daemon modifies some attributes of controller
# devices like the default authorization state of new child device
# instances. Using this setting, you can control whether the
# daemon will try to restore the attribute values to the state
# before modification on shutdown.
#
# SECURITY CONSIDERATIONS: If set to true, the USB authorization
# policy could be bypassed by performing some sort of attack on the
# daemon (via a local exploit or via a USB device) to make it shutdown
# and restore to the operating-system default state (known to be permissive).
#
RestoreControllerDeviceState=false
#
# Device manager backend
#
# Which device manager backend implementation to use. One of:
#
# * uevent - Netlink based implementation which uses sysfs to scan for present
# devices and an uevent netlink socket for receiving USB device
# related events.
# * umockdev - umockdev based device manager capable of simulating devices based
# on umockdev-record files. Useful for testing.
#
DeviceManagerBackend=uevent
#!!! WARNING: It's good practice to set at least one of the !!!
#!!! two options bellow. If none of them are set, !!!
#!!! the daemon will accept IPC connections from !!!
#!!! anyone, thus allowing anyone to modify the !!!
#!!! rule set and (de)authorize USB devices. !!!
#
# Users allowed to use the IPC interface.
#
# A space delimited list of usernames that the daemon will
# accept IPC connections from.
#
# IPCAllowedUsers=username1 username2 ...
#
IPCAllowedUsers=root
#
# Groups allowed to use the IPC interface.
#
# A space delimited list of groupnames that the daemon will
# accept IPC connections from.
#
# IPCAllowedGroups=groupname1 groupname2 ...
#
IPCAllowedGroups=wheel
#
# IPC access control definition files path.
#
# The files at this location will be interpreted by the daemon
# as access control definition files. The (base)name of a file
# should be in the form:
#
# [user][:<group>]
#
# and should contain lines in the form:
#
# <section>=[privilege] ...
#
# This way each file defines who is able to connect to the IPC
# bus and what privileges he has.
#
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
#
# Generate device specific rules including the "via-port"
# attribute.
#
# This option modifies the behavior of the allowDevice
# action. When instructed to generate a permanent rule,
# the action can generate a port specific rule. Because
# some systems have unstable port numbering, the generated
# rule might not match the device after rebooting the system.
#
# If set to false, the generated rule will still contain
# the "parent-hash" attribute which also defines an association
# to the parent device. See usbguard-rules.conf(5) for more
# details.
#
DeviceRulesWithPort=false
#
# USBGuard Audit events log backend
#
# One of:
#
# * FileAudit - Log audit events into a file specified by
# AuditFilePath setting (see below)
# * LinuxAudit - Log audit events using the Linux Audit
# subsystem (using audit_log_user_message)
#
AuditBackend=FileAudit
#
# USBGuard audit events log file path.
#
AuditFilePath=/var/log/usbguard/usbguard-audit.log
#
# Hides personally identifiable information such as device serial numbers and
# hashes of descriptors (which include the serial number) from audit entries.
#
#HidePII=false

20
SOURCES/usbguard-ipc-override-fix.patch
Unescape View File

@ -0,0 +1,20 @@
diff --color -ru a/src/Library/IPCServerPrivate.cpp b/src/Library/IPCServerPrivate.cpp
--- a/src/Library/IPCServerPrivate.cpp 2020-11-23 15:56:12.979847655 +0100
+++ b/src/Library/IPCServerPrivate.cpp 2021-10-14 12:33:12.462503822 +0200
@@ -567,10 +567,12 @@
bool IPCServerPrivate::authenticateIPCConnectionDAC(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const
{
USBGUARD_LOG(Trace) << "uid=" << uid << " gid=" << gid << " ac_ptr=" << ac_ptr;
- return \
- matchACLByUID(uid, ac_ptr) || \
- matchACLByGID(gid, ac_ptr) || \
- matchACLByName(uid, gid, ac_ptr);
+
+ bool matched_uid = matchACLByUID(uid, ac_ptr);
+ bool matched_gid = matchACLByGID(gid, ac_ptr);
+ bool matched_name = matchACLByName(uid, gid, ac_ptr);
+
+ return matched_uid || matched_gid || matched_name;
}
bool IPCServerPrivate::matchACLByUID(uid_t uid, IPCServer::AccessControl* const ac_ptr) const

182
SOURCES/usbguard-notifier-decrease-spam.patch
Unescape View File

@ -0,0 +1,182 @@
diff --color -ru a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 b/usbguard-notifier-0.0.6/man/usbguard-notifier.1
--- a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-10-14 12:44:57.816146101 +0200
+++ b/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-10-14 12:46:14.442519466 +0200
@@ -39,7 +39,12 @@
.PP
\fB\-w, \-\-wait\fR
.RS 4
-Wait until an active IPC connection is estabilished\&.
+Wait until an active IPC connection is estabilished\&. ie\&. infinite number of attempts\&.
+.RE
+.PP
+\fB\-n, \-\-num\-attempts\fR \fInum\fR
+.RS 4
+Number of IPC connection attempts. Window between each attempt is 1 second\&. The default number of attempts is 3\&.
.RE
.PP
\fB\-d, \-\-debug\fR
@@ -51,6 +56,64 @@
.RS 4
Show help\&.
.RE
+.SH "HOW TO START"
+.sp
+In order to make usbguard\-notifier work properly, you will need to perform certain actions:
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 1.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP " 1." 4.2
+.\}
+Each user who wants to run usbguard\-notifier service needs to have sufficient IPC privileges to connect to the usbguard IPC interface\&. To allow a specific user to listen to the device signals you can use the following command:
+
+
+\fB$ sudo usbguard add\-user\fR
+\fIUSER\fR
+\fB\-d listen\fR
+
+Or you can allow a group of users:
+
+
+\fB$ sudo usbguard add\-user \-g\fR
+\fIGROUP\fR
+\fB\-d listen\fR
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 2.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP " 2." 4.2
+.\}
+Now, you need a running usbguard\-daemon instance to connect to\&. Start the usbguard service or restart it if it is already running\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 3.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP " 3." 4.2
+.\}
+After configuring IPC privileges and starting up the usbguard\-daemon, the user can now start the usbguard\-notifier service:
+
+
+\fB$ systemctl start \-\-user usbguard\-notifier\&.service\fR
+
+Optionally, the user can enable the usbguard\-notifier service to start automatically after the login:
+
+
+\fB$ systemctl enable \-\-user usbguard\-notifier\&.service\fR
+.RE
+.sp
+The usbguard\-notifier should now be running\&. Anytime a USB device gets inserted/ejected or allowed/blocked a message will pop up in the user\(cqs graphical interface\&.
.SH "SEE ALSO"
.sp
usbguard(1)
diff --color -ru a/usbguard-notifier-0.0.6/src/Main.cpp b/usbguard-notifier-0.0.6/src/Main.cpp
--- a/usbguard-notifier-0.0.6/src/Main.cpp 2020-03-04 08:59:49.138771474 +0100
+++ b/usbguard-notifier-0.0.6/src/Main.cpp 2021-10-14 12:46:14.443519484 +0200
@@ -20,6 +20,7 @@
#include "Log.hpp"
#include "Notifier.hpp"
+#include <cstdlib>
#include <getopt.h>
#include <iostream>
#include <libgen.h>
@@ -27,10 +28,11 @@
#include <usbguard/Exception.hpp>
-static const char* short_options = "wdh";
+static const char* short_options = "wn:dh";
static const struct ::option long_options[] = {
{ "wait", no_argument, nullptr, 'w' },
+ { "num-attempts", required_argument, nullptr, 'n' },
{ "debug", no_argument, nullptr, 'd' },
{ "help", no_argument, nullptr, 'h' }
};
@@ -40,22 +42,26 @@
out << "Usage: " << app_name << " [OPTIONS]" << std::endl;
out << std::endl;
out << "Options:" << std::endl;
- out << " -w, --wait Wait until an active IPC connection is estabilished." << std::endl;
- out << " -d, --debug Enable debug mode." << std::endl;
- out << " -h, --help Show this usage message." << std::endl;
+ out << " -w, --wait Wait until an active IPC connection is estabilished." << std::endl;
+ out << " -n, --num-attempts <num> Number of IPC connection attempts." << std::endl;
+ out << " -d, --debug Enable debug mode." << std::endl;
+ out << " -h, --help Show this usage message." << std::endl;
}
int main(int argc, char** argv)
{
const std::string app_name(::basename(*argv));
bool wait_connection = false, debug = false;
- int opt;
+ int opt, num_attempts = 3;
while ((opt = getopt_long(argc, argv, short_options, long_options, nullptr)) != -1) {
switch (opt) {
case 'w':
wait_connection = true;
break;
+ case 'n':
+ num_attempts = std::atoi(optarg);
+ break;
case 'd':
debug = true;
break;
@@ -71,23 +77,26 @@
}
NOTIFIER_LOGGER.setDebugMode(debug);
- for (;;) {
+ bool print_err = true;
+ for (int i = 0; wait_connection || i < num_attempts; ++i) {
try {
usbguardNotifier::Notifier notifier(app_name);
notifier.connect();
std::cout << "Connection has been established" << std::endl;
+ print_err = true;
+ i = 0;
notifier.wait();
} catch (const std::runtime_error& e) {
std::cerr << "Error:" << e.what() << std::endl;
return EXIT_FAILURE;
} catch (const usbguard::Exception& e) {
- std::cerr << "IPC connection failure!" << e.message() << std::endl;
- std::cerr << "Check if usbguard-daemon is running in the background" << std::endl;
- if (!wait_connection) {
- break;
+ if (print_err) {
+ print_err = false;
+ std::cerr << "IPC connection failure!" << e.message() << std::endl;
+ std::cerr << "Check if usbguard-daemon is running in the background" << std::endl;
}
- sleep(1);
}
+ sleep(1);
}
return EXIT_SUCCESS;
}
diff --color -ru a/usbguard-notifier-0.0.6/usbguard-notifier.service.in b/usbguard-notifier-0.0.6/usbguard-notifier.service.in
--- a/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2020-03-04 09:00:32.019254871 +0100
+++ b/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2021-10-14 12:46:14.444519502 +0200
@@ -3,7 +3,7 @@
After=usbguard.service
[Service]
-ExecStart=%bindir%/usbguard-notifier -w
+ExecStart=%bindir%/usbguard-notifier
[Install]
WantedBy=default.target

12
SOURCES/usbguard-selinux-audit-capability.patch
Unescape View File

@ -0,0 +1,12 @@
diff -up usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te
--- usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig 2021-03-23 10:32:56.239139027 +0100
+++ usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te 2021-03-23 10:33:05.718229143 +0100
@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t)
# Local policy
#
-allow usbguard_t self:capability { chown fowner };
+allow usbguard_t self:capability { chown fowner audit_write };
allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read };
allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };

24
SOURCES/usbguard-service-pidfile.patch
Unescape View File

@ -0,0 +1,24 @@
From 6a596441eb91215898542bce4aadabfe396a3875 Mon Sep 17 00:00:00 2001
From: Birger Schacht <1143280+b1rger@users.noreply.github.com>
Date: Mon, 18 Jan 2021 15:00:47 +0000
Subject: [PATCH] Write PIDFile to /run instead of /var/run
According to https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s13.html regarding /var/run:
This directory was once intended for system information data describing the system since it was booted. These functions have been moved to /run; this directory exists to ensure compatibility with systems and software using an older version of this specification.
---
usbguard.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usbguard.service.in b/usbguard.service.in
index 0d7e193c..2ec8c633 100644
--- a/usbguard.service.in
+++ b/usbguard.service.in
@@ -12,7 +12,7 @@ IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
-PIDFile=/var/run/usbguard.pid
+PIDFile=/run/usbguard.pid
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes

105
SOURCES/usbguard-validate-acl.patch
Unescape View File

@ -0,0 +1,105 @@
diff --color -ru a/doc/man/usbguard.1.adoc b/doc/man/usbguard.1.adoc
--- a/doc/man/usbguard.1.adoc 2020-11-23 15:56:12.977847682 +0100
+++ b/doc/man/usbguard.1.adoc 2021-10-14 12:39:11.949947187 +0200
@@ -282,6 +282,7 @@
....
Consult the usbguard-daemon.conf(5) man-page for a detailed list of available privileges in each section.
+You can also use 'ALL' instead of 'privileges' to automatically assign all relevant privileges to a given section.
=== *remove-user* 'name' ['OPTIONS']
diff --color -ru a/doc/man/usbguard-daemon.conf.5.adoc b/doc/man/usbguard-daemon.conf.5.adoc
--- a/doc/man/usbguard-daemon.conf.5.adoc 2020-11-23 15:56:12.977847682 +0100
+++ b/doc/man/usbguard-daemon.conf.5.adoc 2021-10-14 12:39:11.953947259 +0200
@@ -162,6 +162,8 @@
** list: Get values of run-time parameters.
+ ** listen: Listen to property parameter changes.
+
The following is a generally usable and reasonably safe example of an access control file.
It allows one to modify USB device authorization state (`Devices=modify`), list USB devices (`Devices=list`), listen to USB device related events (`Devices=listen`), list USB authorization policy rules (`Policy=list`) and listen to exception events (`Exceptions=listen`):
diff --color -ru a/src/Library/public/usbguard/IPCServer.cpp b/src/Library/public/usbguard/IPCServer.cpp
--- a/src/Library/public/usbguard/IPCServer.cpp 2020-11-23 15:56:12.979847655 +0100
+++ b/src/Library/public/usbguard/IPCServer.cpp 2021-10-14 12:39:11.954947277 +0200
@@ -159,18 +159,25 @@
throw USBGUARD_BUG("Cannot set privileges for NONE section");
}
+ const uint8_t p = static_cast<uint8_t>(privilege);
+
if (section == Section::ALL) {
- for (const auto& value : {
+ for (const auto& s : {
Section::POLICY,
Section::PARAMETERS,
Section::EXCEPTIONS,
Section::DEVICES
}) {
- _access_control[value] |= static_cast<uint8_t>(privilege);
+ _access_control[s] |= p & ~ac_mask(s);
}
}
else {
- _access_control[section] |= static_cast<uint8_t>(privilege);
+ if (privilege != Privilege::ALL && (p & ac_mask(section))) {
+ throw std::runtime_error("Invalid privilege " +
+ privilegeToString(privilege) + " for section " +
+ sectionToString(section));
+ }
+ _access_control[section] |= p & ~ac_mask(section);
}
}
@@ -254,6 +261,28 @@
merge(access_control);
}
+ uint8_t IPCServer::AccessControl::ac_mask(IPCServer::AccessControl::Section section) const
+ {
+ const uint8_t MODIFY = static_cast<uint8_t>(Privilege::MODIFY);
+ const uint8_t LIST = static_cast<uint8_t>(Privilege::LIST);
+ const uint8_t LISTEN = static_cast<uint8_t>(Privilege::LISTEN);
+
+ switch (section) {
+ case Section::DEVICES:
+ return ~(MODIFY | LIST | LISTEN);
+ case Section::POLICY:
+ return ~(MODIFY | LIST);
+ case Section::EXCEPTIONS:
+ return ~(LISTEN);
+ case Section::PARAMETERS:
+ return ~(MODIFY | LIST | LISTEN);
+ case Section::ALL:
+ case Section::NONE:
+ default:
+ return 0xff;
+ }
+ }
+
IPCServer::IPCServer()
: d_pointer(usbguard::make_unique<IPCServerPrivate>(*this))
{
diff --color -ru a/src/Library/public/usbguard/IPCServer.hpp b/src/Library/public/usbguard/IPCServer.hpp
--- a/src/Library/public/usbguard/IPCServer.hpp 2020-10-11 17:43:43.519295669 +0200
+++ b/src/Library/public/usbguard/IPCServer.hpp 2021-10-14 12:39:11.955947295 +0200
@@ -278,6 +278,17 @@
};
/**
+ * @brief Get a privilege mask for given section
+ *
+ * For example, if the section is POLICY that has privileges MODIFY
+ * and LIST, the mask would be ~(MODIFY | LIST)
+ *
+ * @param section Section for which the privilege mask should be returned
+ * @return Privilege mask for section
+ */
+ uint8_t ac_mask(Section section) const;
+
+ /**
* @brief Access control represented by unordered map of
* tuples (Section, 8b privileges).
*

574
SPECS/usbguard.spec
Unescape View File

@ -0,0 +1,574 @@
%global _hardened_build 1
%global selinuxtype targeted
%global moduletype contrib
%define semodule_version 0.0.4
%define notifier_version 0.0.6
%bcond_without check
Name: usbguard
Version: 1.0.0
Release: 10%{?dist}
Summary: A tool for implementing USB device usage policy
Group: System Environment/Daemons
License: GPLv2+
## Not installed
# src/ThirdParty/Catch: Boost Software License - Version 1.0
URL: https://usbguard.github.io/
Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
Source1: https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz
Source3: usbguard-daemon.conf
Requires: systemd
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
Recommends: (%{name}-selinux if selinux-policy-%{selinuxtype})
Conflicts: %{name}
BuildRequires: gcc-c++
BuildRequires: libqb-devel
BuildRequires: libgcrypt-devel
BuildRequires: libstdc++-devel
BuildRequires: protobuf-devel protobuf-compiler
BuildRequires: PEGTL-static
BuildRequires: catch1-devel
BuildRequires: autoconf automake libtool
BuildRequires: bash-completion
BuildRequires: asciidoc
BuildRequires: audit-libs-devel
# For `pkg-config systemd` only
BuildRequires: systemd
BuildRequires: dbus-glib-devel
BuildRequires: dbus-devel
BuildRequires: glib2-devel
BuildRequires: polkit-devel
BuildRequires: libxslt
BuildRequires: libxml2
Patch1: usbguard-0.7.6-notifier.patch
Patch2: usbguard-audit-capability.patch
Patch3: usbguard-selinux-audit-capability.patch
Patch4: usbguard-service-pidfile.patch
Patch5: usbguard-ipc-override-fix.patch
Patch6: usbguard-validate-acl.patch
Patch7: usbguard-notifier-decrease-spam.patch
%description
The USBGuard software framework helps to protect your computer against rogue USB
devices by implementing basic whitelisting/blacklisting capabilities based on
USB device attributes.
%package devel
Summary: Development files for %{name}
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
Requires: pkgconfig
Requires: libstdc++-devel
%description devel
The %{name}-devel package contains libraries and header files for
developing applications that use %{name}.
%package tools
Summary: USBGuard Tools
Group: Applications/System
Requires: %{name} = %{version}-%{release}
%description tools
The %{name}-tools package contains optional tools from the USBGuard
software framework.
%package dbus
Summary: USBGuard D-Bus Service
Group: Applications/System
Requires: %{name} = %{version}-%{release}
Requires: dbus
Requires: polkit
%description dbus
The %{name}-dbus package contains an optional component that provides
a D-Bus interface to the USBGuard daemon component.
%package selinux
Summary: USBGuard selinux
Group: Applications/System
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
BuildArch: noarch
%{?selinux_requires}
%description selinux
The %{name}-selinux package contains selinux policy for the USBGuard
daemon.
%package notifier
Summary: A tool for detecting usbguard policy and device presence changes
Group: Applications/System
Requires: %{name} = %{version}-%{release}
Requires: systemd
BuildRequires: librsvg2-devel
BuildRequires: libnotify-devel
BuildRequires: execstack
%description notifier
The %{name}-notifier package detects usbguard policy modifications as well as
device presence changes and displays them as pop-up notifications.
# usbguard
%prep
%setup -q
# selinux
%setup -q -D -T -a 1
# notifier
%setup -q -D -T -a 2
# Remove bundled library sources before build
rm -rf src/ThirdParty/{Catch,PEGTL}
%patch1 -p1 -b .notifier
%patch2 -p1 -b .audit-write
%patch3 -p1 -b .selinux-audit-write
%patch4 -p1 -b .pidfile
%patch5 -p1 -b .ipc-override-fix
%patch6 -p1 -b .validate-acl
%patch7 -p1 -b .notifier-decrease-spam
%build
mkdir -p ./m4
autoreconf -i -v --no-recursive ./
%configure \
--disable-silent-rules \
--without-bundled-catch \
--without-bundled-pegtl \
--enable-systemd \
--with-dbus \
--with-polkit \
--with-crypto-library=gcrypt
make %{?_smp_mflags}
# selinux
pushd %{name}-selinux-%{semodule_version}
make
popd
# notifier
pushd %{name}-notifier-%{notifier_version}
mkdir -p ./m4
autoreconf -i -v --no-recursive ./
export CXXFLAGS="$RPM_OPT_FLAGS"
%configure \
--disable-silent-rules \
--without-bundled-catch \
--enable-debug-build \
--disable-notifier-cli \
--with-usbguard-devel="../"
%set_build_flags
make %{?_smp_mflags}
popd
%if %{with check}
%check
make check
%endif
# selinux
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%install
make install INSTALL='install -p' DESTDIR=%{buildroot}
# Overwrite configuration with distribution defaults
mkdir -p %{buildroot}%{_sysconfdir}/usbguard
mkdir -p %{buildroot}%{_sysconfdir}/usbguard/rules.d
mkdir -p %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d
install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
# selinux
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
# notifier
pushd %{name}-notifier-%{notifier_version}
make install INSTALL='install -p' DESTDIR=%{buildroot}
execstack -c %{buildroot}%{_bindir}/%{name}-notifier
popd
# Cleanup
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%preun
%systemd_preun usbguard.service
%post
/sbin/ldconfig
%systemd_post usbguard.service
%postun
/sbin/ldconfig
%systemd_postun usbguard.service
%files
%defattr(-,root,root,-)
%doc README.adoc CHANGELOG.md
%license LICENSE
%{_libdir}/*.so.*
%{_sbindir}/usbguard-daemon
%{_bindir}/usbguard
%dir %{_localstatedir}/log/usbguard
%dir %{_sysconfdir}/usbguard
%dir %{_sysconfdir}/usbguard/rules.d/
%dir %{_sysconfdir}/usbguard/IPCAccessControl.d
%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf
%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf
%{_unitdir}/usbguard.service
%{_datadir}/man/man8/usbguard-daemon.8.gz
%{_datadir}/man/man5/usbguard-daemon.conf.5.gz
%{_datadir}/man/man5/usbguard-rules.conf.5.gz
%{_datadir}/man/man1/usbguard.1.gz
%{_datadir}/bash-completion/completions/usbguard
%files devel
%defattr(-,root,root,-)
%{_includedir}/*
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%files tools
%defattr(-,root,root,-)
%{_bindir}/usbguard-rule-parser
%files dbus
%defattr(-,root,root,-)
%{_sbindir}/usbguard-dbus
%{_datadir}/dbus-1/system-services/org.usbguard1.service
%{_datadir}/dbus-1/system.d/org.usbguard1.conf
%{_datadir}/polkit-1/actions/org.usbguard1.policy
%{_unitdir}/usbguard-dbus.service
%{_mandir}/man8/usbguard-dbus.8.gz
%preun dbus
%systemd_preun usbguard-dbus.service
%post dbus
%systemd_post usbguard-dbus.service
%postun dbus
%systemd_postun_with_restart usbguard-dbus.service
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{name}
fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
%files notifier
%defattr(-,root,root,-)
%doc %{name}-notifier-%{notifier_version}/README.md %{name}-notifier-%{notifier_version}/CHANGELOG.md
%license %{name}-notifier-%{notifier_version}/LICENSE
%{_bindir}/%{name}-notifier
%{_mandir}/man1/%{name}-notifier.1.gz
%{_userunitdir}/%{name}-notifier.service
%post notifier
%systemd_user_post \--preset-mode=disable-only %{name}-notifier.service
%preun notifier
%systemd_user_preun %{name}-notifier.service
%postun notifier
%systemd_user_postun_with_restart %{name}-notifier.service
%changelog
* Mon Oct 25 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-10
- fix DSP module definition in spec file
Resolves: rhbz#2014442
- fix IPC access control files override
Resolves: rhbz#2009227
- validate ACL permission existence
Resolves: rhbz#2009229
- decrease usbguard-notifier spam when denied connection
Resolves: rhbz#2009226
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.0-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 28 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.0-7
RHEL 9 BETA
- starting usbguard service complains about PIDFile= references a path below legacy directory /var/run/
Resolves: rhbz#1985627
- file conflict when installing usbguard on rhel
Resolves: rhbz#1986785
* Fri Apr 16 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-6
- Clear executable stack flag on usbguard-notifier
Resolves: rhbz#1917544
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.0-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Feb 19 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-4
- sync with rhel-8.4.0 branch
- bundle usbguard-notifier as subpackage
Resolves: rhbz#1917544
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sat Jan 16 12:49:32 CET 2021 Adrian Reber <adrian@lisas.de> - 1.0.0-2
- Rebuilt for protobuf 3.14
* Thu Jan 14 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-1
- rebase usbguard to 1.0.0
- added support for rules covering combination of classes
- fix usbguard being killed
Resolves: rhbz#1916039
Resolves: rhbz#1861330
Resolves: rhbz#1905257
* Wed Jan 13 14:43:57 CET 2021 Adrian Reber <adrian@lisas.de> - 0.7.8-6
- Rebuilt for protobuf 3.14
* Thu Sep 24 2020 Adrian Reber <adrian@lisas.de> - 0.7.8-5
- Rebuilt for protobuf 3.13
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.8-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-3
- rebase selinux tarball to v0.0.4
- enable forking style in unit file
- set DevicePolicy to closed in unit file
- usbguard prevented from writing conf via dontaudit rule
Resolves: rhbz#1804713
Resolves: rhbz#1789923
* Sun Jun 14 2020 Adrian Reber <adrian@lisas.de> - 0.7.8-2
- Rebuilt for protobuf 3.12
* Tue May 19 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-1
- rebase usbguard to 0.7.8
- rebase usbguard-selinux to 0.0.3
- added rules.d/ directory
Resolves: rhbz#1808527
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.6-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Dec 19 2019 Orion Poplawski <orion@nwra.com> - 0.7.6-7
- Rebuild for protobuf 3.11
* Wed Dec 18 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-6
- fix selinux problems
* Mon Dec 02 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-5
- obsolete applet-qt subpackage
* Mon Nov 25 2019 Attila Lakatos <alakatos@redhat.com> - 0.7.6-4
- added patch for libqb related permission issues
resolves: rhbz#1776357
- added patch to ensure that usbguard-daemons is still running after locked screen
resolves: rhbz#1751861
- added patch to fix permanent device policy changes
* Wed Nov 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-3
- fixed typo in specfile
- usbguard.conf was generated incorrectly
* Wed Nov 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-2
- added selinux subpackage
* Mon Nov 11 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-1
- rebase to 0.7.6
- removed usbguard-applet subpackage which is not in upstream anymore
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Nov 21 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.7.2-6
- Rebuild for protobuf 3.6
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Apr 05 2018 Daniel Kopeček <dkopecek@redhat.com> - 0.7.2-4
- Update to latest PEGTL API
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Tue Jan 23 2018 Daniel Kopeček <dkopecek@redhat.com> - 0.7.2-2
- Escape rpm macros mentioned in changelog section
* Tue Jan 23 2018 Daniel Kopeček <dkopecek@redhat.com> - 0.7.2-1
- Update to 0.7.2
- Don't use --enable-werror downstream
- Removed patches related to compiler warnings
* Mon Jan 15 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.7.1-2
- catch → catch1
* Wed Dec 06 2017 Daniel Kopeček <dkopecek@redhat.com> - 0.7.1-1
- Update to 0.7.1
* Wed Nov 29 2017 Igor Gnatenko <ignatenko@redhat.com> - 0.7.0-9
- Rebuild for protobuf 3.5
* Mon Nov 13 2017 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.7.0-8
- Rebuild for protobuf 3.4
* Mon Oct 16 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-7
- Fix enumeration timeout on kernel >= 4.13
Resolves: rhbz#1499052
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Thu Jul 13 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-4
- Added patch to disable unused parameter warning for protobuf
generated sources to fix compilation with newer protobuf version
* Tue Jun 13 2017 Orion Poplawski <orion@cora.nwra.com> - 0.7.0-3
- Rebuild for protobuf 3.3.1
* Mon May 15 2017 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_27_Mass_Rebuild
* Thu Apr 13 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-1
- Update to 0.7.0
- changed PresentDevicePolicy setting from keep to apply-policy
- added AuditFilePath configuration option pointing to
/var/log/usbguard/usbguard-audit.log file
- install bash-completion script
- use 0600 file permissions for usbguard-daemon.conf and rules.conf
* Sun Mar 19 2017 Daniel Kopeček <dkopecek@redhat.com> 0.6.3-0.1.20170319
- Update to latest git snapshot
* Fri Mar 17 2017 Daniel Kopeček <dkopecek@redhat.com> 0.6.3-0.1.20170317
- Update to latest git snapshot
- Use --enable-werror configure option as the upstream default
changed to not use -Werror.
* Thu Mar 02 2017 Daniel Kopeček <dkopecek@redhat.com> 0.6.3-0.1.20170301
- Update to latest git snapshot
- Disabled upstream alignment warning compiler flag
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.2-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Thu Jan 26 2017 Orion Poplawski <orion@cora.nwra.com> - 0.6.2-3
- Rebuild for protobuf 3.2.0
* Sat Nov 19 2016 Orion Poplawski <orion@cora.nwra.com> - 0.6.2-2
- Rebuild for protobuf 3.1.0
* Sun Sep 18 2016 Daniel Kopeček <dkopecek@redhat.com> 0.6.2-1
- Update to 0.6.2
* Fri Sep 16 2016 Daniel Kopeček <dkopecek@redhat.com> 0.6.1-1
- Update to 0.6.1
* Sun Sep 04 2016 Daniel Kopeček <dkopecek@redhat.com> 0.6.0-1
- Update to 0.6.0
* Thu Aug 18 2016 Daniel Kopeček <dkopecek@redhat.com> 0.5.14-1
- Update to 0.5.14
* Tue Aug 16 2016 Daniel Kopeček <dkopecek@redhat.com> 0.5.13-1
- Update to 0.5.13
* Sun Aug 14 2016 Daniel Kopeček <dkopecek@redhat.com> 0.5.12-1
- Update to 0.5.12
* Sat Aug 13 2016 Daniel Kopeček <dkopecek@redhat.com> 0.5.11-2
- Update source tarball
- Ship CHANGELOG.md
* Sat Aug 13 2016 Daniel Kopeček <dkopecek@redhat.com> 0.5.11-1
- Update to 0.5.11
- Use libgcrypt instead of libsodium for crypto
* Thu Jul 21 2016 Daniel Kopecek <dkopecek@redhat.com> 0.5.10-2
- Adjust the default configuration to keep the authorization state
of present controller devices.
* Sat Jul 09 2016 Daniel Kopecek <dkopecek@redhat.com> 0.5.10-1
- Update to release 0.5.10
* Mon Mar 07 2016 Remi Collet <remi@fedoraproject.org> - 0.4-5
- rebuild for new libsodium soname
* Sun Feb 07 2016 Daniel Kopecek <dkopecek@redhat.com> 0.4-4
- Update to version 0.4
- added usbguard CLI
- added a tools subpackage with usbguard-rule-parser binary
* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.3p3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.3p3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
* Tue Apr 14 2015 Daniel Kopecek <dkopecek@redhat.com> 0.3p3-1
- Update to version 0.3p3
- added %%check section
- removed explicit -devel requires on systemd, libqb and
libsodium devel files
- added -devel requires on libstdc++-devel
* Sat Apr 11 2015 Daniel Kopecek <dkopecek@redhat.com> 0.3p2-1
- Update to version 0.3p2
- use system-wide json and spdlog packages
* Fri Apr 10 2015 Daniel Kopecek <dkopecek@redhat.com> 0.3p1-1
- Update to version 0.3p1
- removed bundled cppformat copylib
* Thu Apr 09 2015 Daniel Kopecek <dkopecek@redhat.com> 0.3-1
- Update to version 0.3
- disabled silent rules
- install license file
- added man pages
- use _hardened_build 1 instead of custom compilation flags
- fix file permissions on files in /etc
- do not install an empty rule set file
* Fri Apr 03 2015 Daniel Kopecek <dkopecek@redhat.com> 0.2-1
- Update to version 0.2
- Updated description
- Corrected package group
* Tue Mar 17 2015 Daniel Kopecek <dkopecek@redhat.com> 0.1-1
- Initial package
Write Preview
Loading…
Cancel
Save