rpms
/
usbguard
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
rpms:i9c-beta
rpms:c9-beta
..
compare: rpms:cs10
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
rpms:i9c-beta
rpms:c9-beta

No commits in common. 'c9' and 'cs10' have entirely different histories.
c9 ... cs10

21 changed files with 143 additions and 1148 deletions
Show Stats

6
.gitignore vendored
Unescape View File

@ -1,3 +1,3 @@
SOURCES/usbguard-1.0.0.tar.gz
SOURCES/usbguard-notifier-0.0.6.tar.gz
SOURCES/usbguard-selinux-0.0.4.tar.gz
SOURCES/usbguard-1.1.3.tar.gz
SOURCES/usbguard-notifier-0.1.1.tar.gz
SOURCES/usbguard-selinux-0.0.5.tar.gz

6
.usbguard.metadata
Unescape View File

@ -1,3 +1,3 @@
bf909799daae6798634e1b01efaaadc5781b9755 SOURCES/usbguard-1.0.0.tar.gz
7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
40db29405c2236791ca5ce616d9e563a8309356e SOURCES/usbguard-selinux-0.0.4.tar.gz
9fa6a2aaa71a515df9f49ce169ad0216a5ca0938 SOURCES/usbguard-1.1.3.tar.gz
5c316478b16dda001603536a53347b253b484da1 SOURCES/usbguard-notifier-0.1.1.tar.gz
1e1b42e55b931e1665b8132937266c84a8050c57 SOURCES/usbguard-selinux-0.0.5.tar.gz

6
SOURCES/usbguard-disable-console-log.patch → SOURCES/disable-console-logging.patch
Unescape View File

@ -1,6 +1,6 @@
diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
--- usbguard-1.0.0/usbguard.service.in.orig 2023-01-12 13:22:23.032554498 +0100
+++ usbguard-1.0.0/usbguard.service.in 2023-01-12 13:22:33.082568210 +0100
diff -up usbguard-1.1.3/usbguard.service.in.orig usbguard-1.1.3/usbguard.service.in
--- usbguard-1.1.3/usbguard.service.in.orig 2024-06-12 14:36:13.192536970 +0200
+++ usbguard-1.1.3/usbguard.service.in 2024-06-12 14:36:21.110609346 +0200
@@ -8,7 +8,7 @@ OOMScoreAdjust=-1000
AmbientCapabilities=
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE

88
SOURCES/usbguard-0.7.6-notifier.patch
Unescape View File

@ -1,88 +0,0 @@
diff -up ./usbguard-notifier-0.0.6/configure.ac.notifier ./usbguard-notifier-0.0.6/configure.ac
--- ./usbguard-notifier-0.0.6/configure.ac.notifier 2020-04-29 07:35:43.057914703 +0200
+++ ./usbguard-notifier-0.0.6/configure.ac 2020-06-17 16:27:53.577151720 +0200
@@ -44,6 +44,32 @@ AC_ARG_WITH(
[notificaiton_path="/tmp/usbguard-notifier"]
)
+# usbguard-devel
+# Add the path to where your usbguard-devel includes are
+# You might need this option when you want to package usbguard-notifier
+# together with usbguard at the same time
+AC_ARG_WITH(
+ [usbguard-devel],
+ AS_HELP_STRING([--with-usbguard-devel], [Select to compile notifier from source usbguard devel files(only top level directory)]),
+ [usbguard_CFLAGS="-I$withval/src/Library/public/"
+ usbguard_LIBS=""
+ usbguard_LA="$withval/libusbguard.la"
+ libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"
+ AC_SUBST([usbguard_CFLAGS])
+ AC_SUBST([usbguard_LIBS])
+ AC_SUBST([usbguard_LA])
+ custom_usbguard_devel_enabled=yes
+ ],
+ [
+ PKG_CHECK_MODULES(
+ [usbguard],
+ [libusbguard >= 0.7.2],
+ [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
+ [AC_MSG_FAILURE([libusbguard development files not found])]
+ )
+ ]
+)
+
# Build notifier-cli, default is yes
AC_ARG_ENABLE([notifier-cli],
[AC_HELP_STRING([--enable-notifier-cli], [enable notifier cli(default=yes)])],
@@ -81,14 +107,6 @@ PKG_CHECK_MODULES(
[AC_MSG_FAILURE([libnotify development files not found])]
)
-# usbguard
-PKG_CHECK_MODULES(
- [usbguard],
- [libusbguard >= 0.7.2],
- [libusbguard_summary="$usbguard_CFLAGS $usbguard_LIBS"],
- [AC_MSG_FAILURE([libusbguard development files not found])]
-)
-
# asciidoc
AC_CHECK_PROGS(A2X, [a2x])
if test -z "$A2X"; then
@@ -162,6 +180,7 @@ AC_SUBST(config_PATH, $prefix/.config)
AC_SUBST(NOTIFICATION_PATH, $notification_path)
AM_CONDITIONAL([NOTIFIER_CLI_ENABLED], [test "x$notifier_cli_enabled" = xyes ])
+AM_CONDITIONAL([CUSTOM_USBGUARD_DEVEL_ENABLED], [test "x$custom_usbguard_devel_enabled" = "xyes"])
AC_CONFIG_FILES([
Makefile
diff -up ./usbguard-notifier-0.0.6/Makefile.am.notifier ./usbguard-notifier-0.0.6/Makefile.am
--- ./usbguard-notifier-0.0.6/Makefile.am.notifier 2020-04-29 07:18:21.024388188 +0200
+++ ./usbguard-notifier-0.0.6/Makefile.am 2020-06-17 16:27:53.592151848 +0200
@@ -57,6 +57,13 @@ usbguard_notifier_CXXFLAGS = \
@usbguard_CFLAGS@ \
-fPIC
+if CUSTOM_USBGUARD_DEVEL_ENABLED
+usbguard_notifier_LDADD = \
+ @usbguard_LA@
+usbguard_notifier_cli_LDADD = \
+ @usbguard_LA@
+endif
+
BUILT_SOURCES = \
src/BuildConfig.h
diff -up ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier ./usbguard-notifier-0.0.6/man/usbguard-notifier.1
--- ./usbguard-notifier-0.0.6/man/usbguard-notifier.1.notifier 2020-06-17 19:55:54.621855004 +0200
+++ ./usbguard-notifier-0.0.6/man/usbguard-notifier.1 2020-06-17 19:56:46.551297432 +0200
@@ -53,7 +53,7 @@ Show help\&.
.RE
.SH "SEE ALSO"
.sp
-usbguard\-notifier\-cli(1), usbguard(1)
+usbguard(1)
.SH "BUGS"
.sp
If you find a bug in this software or if you\(cqd like to request a feature to be implemented, please file a ticket at https://github\&.com/Cropi/usbguard\-notifier/issues/new\&.

11
SOURCES/usbguard-OOMScoreAdjust.patch
Unescape View File

@ -1,11 +0,0 @@
diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
--- usbguard-1.0.0/usbguard.service.in.orig 2022-11-28 10:21:35.889977314 +0100
+++ usbguard-1.0.0/usbguard.service.in 2022-11-28 10:21:52.711987716 +0100
@@ -4,6 +4,7 @@ Wants=systemd-udevd.service local-fs.tar
Documentation=man:usbguard-daemon(8)
[Service]
+OOMScoreAdjust=-1000
AmbientCapabilities=
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
DevicePolicy=closed

12
SOURCES/usbguard-audit-capability.patch
Unescape View File

@ -1,12 +0,0 @@
diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
--- usbguard-1.0.0/usbguard.service.in.orig 2021-03-17 14:16:21.675374844 +0100
+++ usbguard-1.0.0/usbguard.service.in 2021-03-17 14:16:29.056373213 +0100
@@ -5,7 +5,7 @@ Documentation=man:usbguard-daemon(8)
[Service]
AmbientCapabilities=
-CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER
+CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
DevicePolicy=closed
ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
IPAddressDeny=any

12
SOURCES/usbguard-consistent-rules.patch
Unescape View File

@ -1,12 +0,0 @@
diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp
--- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig 2022-11-28 10:35:44.052560664 +0100
+++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp 2022-11-28 10:35:55.510568939 +0100
@@ -76,7 +76,7 @@ namespace usbguard
}
if (ruleSet.empty()){
- USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible.";
+ USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible.";
ruleSet = generateDefaultRuleSet();
}

19
SOURCES/usbguard-daemon-race-condition.patch
Unescape View File

@ -1,19 +0,0 @@
diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp
--- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig 2022-11-28 10:25:01.044104150 +0100
+++ usbguard-1.0.0/src/Daemon/Daemon.cpp 2022-11-28 10:25:34.736124980 +0100
@@ -40,6 +40,7 @@
#include <sys/types.h>
#include <sys/poll.h>
#include <unistd.h>
+#include <sys/wait.h>
#include <signal.h>
#include <string.h>
#include <sys/stat.h>
@@ -606,6 +607,7 @@ namespace usbguard
const int signum = sigtimedwait(&mask, &info, &timeout);
if (signum == SIGUSR1 && info.si_signo == SIGUSR1 && info.si_pid == pid) {
+ waitpid(pid, nullptr, 0);
USBGUARD_LOG(Trace) << "Finished daemonization";
exit(EXIT_SUCCESS);
}

42
SOURCES/usbguard-daemon.conf
Unescape View File

@ -14,18 +14,14 @@ RuleFile=/etc/usbguard/rules.conf
#
# The USBGuard daemon will use this folder to load the policy
# rule set from it and to write new rules received via the
# IPC interface. Usually, we set the option to
# /etc/usbguard/rules.d/. The USBGuard daemon is supposed to
# behave like any other standard Linux daemon therefore it
# loads rule files in alpha-numeric order. File names inside
# RuleFolder directory should start with a two-digit number
# prefix indicating the position, in which the rules are
# scanned by the daemon.
# IPC interface.
#
# RuleFolder=/path/to/rulesfolder/
#
RuleFolder=/etc/usbguard/rules.d/
#
# Implicit policy target.
#
@ -81,30 +77,14 @@ PresentControllerPolicy=keep
#
InsertedDevicePolicy=apply-policy
#
# Control which devices are authorized by default.
#
# The USBGuard daemon modifies some the default authorization state attributes
# of controller devices. This setting, enables you to define what value the
# default authorization is set to.
#
# * keep - do not change the authorization state
# * none - every new device starts out deauthorized
# * all - every new device starts out authorized
# * internal - internal devices start out authorized, external devices start
# out deauthorized (this requires the ACPI tables to properly
# label internal devices, and kernel support)
#
#AuthorizedDefault=none
#
# Restore controller device state.
#
# The USBGuard daemon modifies some attributes of controller
# devices like the default authorization state of new child device
# instances. Using this setting, you can control whether the
# instances. Using this setting, you can controll whether the
# daemon will try to restore the attribute values to the state
# before modification on shutdown.
# before modificaton on shutdown.
#
# SECURITY CONSIDERATIONS: If set to true, the USB authorization
# policy could be bypassed by performing some sort of attack on the
@ -118,11 +98,11 @@ RestoreControllerDeviceState=false
#
# Which device manager backend implementation to use. One of:
#
# * uevent - Netlink based implementation which uses sysfs to scan for present
# devices and an uevent netlink socket for receiving USB device
# related events.
# * umockdev - umockdev based device manager capable of simulating devices based
# on umockdev-record files. Useful for testing.
# * uevent - Netlink based implementation which uses sysfs to scan for present
# devices and an uevent netlink socket for receiving USB device
# related events.
# * dummy - A dummy device manager which simulates several devices and device
# events. Useful for testing.
#
DeviceManagerBackend=uevent
@ -208,4 +188,4 @@ AuditFilePath=/var/log/usbguard/usbguard-audit.log
# Hides personally identifiable information such as device serial numbers and
# hashes of descriptors (which include the serial number) from audit entries.
#
#HidePII=false
HidePII=false

31
SOURCES/usbguard-dbus-CVE-leak.patch
Unescape View File

@ -1,31 +0,0 @@
diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp
--- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig 2022-11-23 08:57:40.119760422 +0100
+++ usbguard-1.0.0/src/DBus/DBusBridge.cpp 2022-11-23 08:58:22.380845720 +0100
@@ -434,12 +434,11 @@ namespace usbguard
USBGUARD_LOG(Trace) << "Connecting with Polkit authority...";
PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error);
- if (! authority || error) {
+ if (! authority) {
USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << ".";
*authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
*authErrorMessage = "Failed to connect to Polkit authority";
g_error_free(error);
- g_object_unref(authority);
g_object_unref(subject);
return false;
}
@@ -470,12 +469,11 @@ namespace usbguard
/*cancellable=*/ NULL,
&error);
- if (! result || error) {
+ if (! result) {
USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << ".";
*authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
*authErrorMessage = "Failed to check back with Polkit for authoriation.";
g_error_free(error);
- g_object_unref(result);
g_object_unref(details);
g_object_unref(authority);
g_object_unref(subject);

335
SOURCES/usbguard-dbus-CVE.patch
Unescape View File

@ -1,335 +0,0 @@
diff -up usbguard-1.0.0/configure.ac.orig usbguard-1.0.0/configure.ac
--- usbguard-1.0.0/configure.ac.orig 2022-08-16 10:24:34.345570913 +0200
+++ usbguard-1.0.0/configure.ac 2022-08-16 10:24:34.307571236 +0200
@@ -399,7 +399,7 @@ if test "x$with_dbus" = xyes; then
#
# Check for required D-Bus modules
#
- PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0],
+ PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0 polkit-gobject-1],
[AC_DEFINE([HAVE_DBUS], [1], [Required GDBus API available])
dbus_summary="system-wide; $dbus_CFLAGS $dbus_LIBS"],
[AC_MSG_FAILURE([Required D-Bus modules (dbus-1, gio-2.0) not found!])]
diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp
--- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig 2022-08-16 10:24:34.312571194 +0200
+++ usbguard-1.0.0/src/DBus/DBusBridge.cpp 2022-08-16 10:28:28.595587136 +0200
@@ -21,6 +21,8 @@
#endif
#include "DBusBridge.hpp"
+#include <polkit/polkit.h>
+
namespace usbguard
{
DBusBridge::DBusBridge(GDBusConnection* const gdbus_connection,
@@ -74,9 +76,19 @@ namespace usbguard
return;
}
+ #define DBUS_AUTH_CHECK \
+ GDBusError authErrorCode = G_DBUS_ERROR_FAILED; \
+ const gchar* authErrorMessage = NULL; \
+ if (! isAuthorizedByPolkit(invocation, &authErrorCode, &authErrorMessage)) { \
+ g_dbus_method_invocation_return_error_literal(invocation, G_DBUS_ERROR, authErrorCode, authErrorMessage); \
+ return; \
+ }
+
void DBusBridge::handleRootMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation)
{
if (method_name == "getParameter") {
+ DBUS_AUTH_CHECK
+
const char* name_cstr = nullptr;
g_variant_get(parameters, "(&s)", &name_cstr);
std::string name(name_cstr);
@@ -86,6 +98,8 @@ namespace usbguard
}
if (method_name == "setParameter") {
+ DBUS_AUTH_CHECK
+
const char* name_cstr = nullptr;
const char* value_cstr = nullptr;
g_variant_get(parameters, "(&s&s)", &name_cstr, &value_cstr);
@@ -104,6 +118,8 @@ namespace usbguard
void DBusBridge::handlePolicyMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation)
{
if (method_name == "listRules") {
+ DBUS_AUTH_CHECK
+
const char* label_cstr = nullptr;
g_variant_get(parameters, "(&s)", &label_cstr);
std::string label(label_cstr);
@@ -136,6 +152,8 @@ namespace usbguard
}
if (method_name == "appendRule") {
+ DBUS_AUTH_CHECK
+
const char* rule_spec_cstr = nullptr;
uint32_t parent_id = 0;
gboolean temporary = false;
@@ -147,6 +165,8 @@ namespace usbguard
}
if (method_name == "removeRule") {
+ DBUS_AUTH_CHECK
+
uint32_t rule_id = 0;
g_variant_get(parameters, "(u)", &rule_id);
removeRule(rule_id);
@@ -163,6 +183,8 @@ namespace usbguard
GDBusMethodInvocation* invocation)
{
if (method_name == "listDevices") {
+ DBUS_AUTH_CHECK
+
const char* query_cstr = nullptr;
g_variant_get(parameters, "(&s)", &query_cstr);
std::string query(query_cstr);
@@ -195,6 +217,8 @@ namespace usbguard
}
if (method_name == "applyDevicePolicy") {
+ DBUS_AUTH_CHECK
+
uint32_t device_id = 0;
uint32_t target_integer = 0;
gboolean permanent = false;
@@ -344,6 +368,135 @@ namespace usbguard
return builder;
}
+
+ std::string DBusBridge::formatGError(GError* error)
+ {
+ if (error) {
+ std::stringstream formatGError;
+ formatGError << error->message << " (code " << error->code << ")";
+ return formatGError.str();
+ }
+ else {
+ return "unknown error";
+ }
+ }
+
+ bool DBusBridge::isAuthorizedByPolkit(GDBusMethodInvocation* invocation, GDBusError* authErrorCode,
+ const gchar** authErrorMessage)
+ {
+ GError* error = NULL;
+ USBGUARD_LOG(Trace) << "Extracting bus name...";
+ const gchar* const /*no-free!*/ bus_name = g_dbus_method_invocation_get_sender (invocation);
+
+ if (! bus_name) {
+ USBGUARD_LOG(Trace) << "Failed to extract bus name.";
+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+ *authErrorMessage = "Failed to extract bus name.";
+ return false;
+ }
+
+ USBGUARD_LOG(Trace) << "Extracted bus name \"" << bus_name << "\".";
+ USBGUARD_LOG(Trace) << "Extracting interface name...";
+ const gchar* const /*no-free!*/ interfaceName = g_dbus_method_invocation_get_interface_name(invocation);
+
+ if (! interfaceName) {
+ USBGUARD_LOG(Trace) << "Failed to extract interface name.";
+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+ *authErrorMessage = "Failed to extract interface name.";
+ return false;
+ }
+
+ USBGUARD_LOG(Trace) << "Extracted interface name \"" << interfaceName << "\".";
+ USBGUARD_LOG(Trace) << "Extracting method name...";
+ const gchar* const /*no-free!*/ methodName = g_dbus_method_invocation_get_method_name(invocation);
+
+ if (! methodName) {
+ USBGUARD_LOG(Trace) << "Failed to extract method name.";
+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+ *authErrorMessage = "Failed to extract method name.";
+ return false;
+ }
+
+ std::stringstream action_id;
+ action_id << interfaceName << "." << methodName;
+ USBGUARD_LOG(Trace) << "Extracted method name \"" << methodName << "\".";
+ USBGUARD_LOG(Trace) << "Creating a system bus Polkit subject...";
+ PolkitSubject* const subject = polkit_system_bus_name_new(bus_name);
+
+ if (! subject) {
+ USBGUARD_LOG(Trace) << "Failed to create Polkit subject.";
+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+ *authErrorMessage = "Failed to create Polkit subject.";
+ return false;
+ }
+
+ USBGUARD_LOG(Trace) << "Created.";
+ USBGUARD_LOG(Trace) << "Connecting with Polkit authority...";
+ PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error);
+
+ if (! authority || error) {
+ USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << ".";
+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+ *authErrorMessage = "Failed to connect to Polkit authority";
+ g_error_free(error);
+ g_object_unref(authority);
+ g_object_unref(subject);
+ return false;
+ }
+
+ USBGUARD_LOG(Trace) << "Connected.";
+ USBGUARD_LOG(Trace) << "Customizing Polkit authentification dialog...";
+ PolkitDetails* const details = polkit_details_new();
+
+ if (! details) {
+ USBGUARD_LOG(Trace) << "Failed to customize the Polkit authentification dialog.";
+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+ *authErrorMessage = "Failed to customize the Polkit authentication dialog.";
+ g_object_unref(authority);
+ g_object_unref(subject);
+ return false;
+ }
+
+ polkit_details_insert (details, "polkit.message", "This USBGuard action needs authorization");
+ USBGUARD_LOG(Trace) << "Customized.";
+ USBGUARD_LOG(Trace) << "Checking authorization of action \"" << action_id.str() << "\" with Polkit ...";
+ const PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION;
+ PolkitAuthorizationResult* const result = polkit_authority_check_authorization_sync
+ (authority,
+ subject,
+ action_id.str().c_str(),
+ details,
+ flags,
+ /*cancellable=*/ NULL,
+ &error);
+
+ if (! result || error) {
+ USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << ".";
+ *authErrorCode = G_DBUS_ERROR_AUTH_FAILED;
+ *authErrorMessage = "Failed to check back with Polkit for authoriation.";
+ g_error_free(error);
+ g_object_unref(result);
+ g_object_unref(details);
+ g_object_unref(authority);
+ g_object_unref(subject);
+ return false;
+ }
+
+ gboolean isAuthorized = polkit_authorization_result_get_is_authorized(result);
+ USBGUARD_LOG(Trace) << (isAuthorized ? "Authorized" : "Not authorized") << ".";
+
+ if (! isAuthorized) {
+ *authErrorCode = G_DBUS_ERROR_ACCESS_DENIED;
+ *authErrorMessage = "Not authorized.";
+ }
+
+ g_object_unref(result);
+ g_object_unref(details);
+ g_object_unref(authority);
+ g_object_unref(subject);
+ return isAuthorized;
+ }
+
} /* namespace usbguard */
/* vim: set ts=2 sw=2 et */
diff -up usbguard-1.0.0/src/DBus/DBusBridge.hpp.orig usbguard-1.0.0/src/DBus/DBusBridge.hpp
--- usbguard-1.0.0/src/DBus/DBusBridge.hpp.orig 2022-08-16 10:24:34.312571194 +0200
+++ usbguard-1.0.0/src/DBus/DBusBridge.hpp 2022-08-16 10:28:33.514545528 +0200
@@ -83,6 +83,9 @@ namespace usbguard
bool rule_match,
uint32_t rule_id);
+ static std::string formatGError(GError* error);
+ static bool isAuthorizedByPolkit(GDBusMethodInvocation* invocation, GDBusError* authErrorCode,
+ const gchar** authErrorMessage);
GDBusConnection* const p_gdbus_connection;
void(*p_ipc_callback)(bool);
diff -up usbguard-1.0.0/src/DBus/org.usbguard1.policy.orig usbguard-1.0.0/src/DBus/org.usbguard1.policy
--- usbguard-1.0.0/src/DBus/org.usbguard1.policy.orig 2022-08-16 10:24:34.312571194 +0200
+++ usbguard-1.0.0/src/DBus/org.usbguard1.policy 2022-08-16 10:24:34.311571202 +0200
@@ -1,23 +1,23 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
-
+
<policyconfig>
<vendor>The USBGuard Project</vendor>
<vendor_url>https://github.org/USBGuard/usbguard</vendor_url>
<action id="org.usbguard.Policy1.listRules">
<description>List the rule set (policy) used by the USBGuard daemon</description>
- <message>Prevents from listing the USBGuard policy</message>
+ <message>Prevents listing the USBGuard policy</message>
<defaults>
<allow_inactive>no</allow_inactive>
- <allow_active>auth_self_keep_session</allow_active>
+ <allow_active>yes</allow_active>
</defaults>
</action>
<action id="org.usbguard.Policy1.appendRule">
<description>Append a new rule to the policy</description>
- <message>Prevents from appending rules to the USBGuard policy</message>
+ <message>Prevents appending rules to the USBGuard policy</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin</allow_active>
@@ -33,40 +33,41 @@
</defaults>
</action>
- <action id="org.usbguard.Devices1.listDevices">
- <description>List all USB devices recognized by the USBGuard daemon</description>
- <message>Prevents from listing USB devices recognized by the USBGuard daemon</message>
+ <action id="org.usbguard.Devices1.applyDevicePolicy">
+ <description>Apply a policy to a device in USBGuard</description>
+ <message>Prevents applying a policy to a device in USBGuard</message>
<defaults>
<allow_inactive>no</allow_inactive>
- <allow_active>auth_self_keep_session</allow_active>
+ <allow_active>auth_admin</allow_active>
</defaults>
</action>
- <action id="org.usbguard.Devices1.allowDevice">
- <description>Authorize a USB device via the USBGuard daemon to interact with the system</description>
- <message>Prevents from authorizing USB devices via the USBGuard daemon</message>
+ <action id="org.usbguard.Devices1.listDevices">
+ <description>List all USB devices recognized by the USBGuard daemon</description>
+ <message>Prevents listing USB devices recognized by the USBGuard daemon</message>
<defaults>
<allow_inactive>no</allow_inactive>
- <allow_active>auth_admin</allow_active>
+ <allow_active>yes</allow_active>
</defaults>
</action>
- <action id="org.usbguard.Devices1.blockDevice">
- <description>Deauthorize a USB device via the USBGuard daemon</description>
- <message>Prevents from deauthorizing USB devices via the USBGuard daemon</message>
+ <action id="org.usbguard1.getParameter">
+ <description>Get the value of a runtime parameter</description>
+ <message>Prevents getting values of runtime USBGuard parameters</message>
<defaults>
<allow_inactive>no</allow_inactive>
- <allow_active>auth_admin</allow_active>
+ <allow_active>yes</allow_active>
</defaults>
</action>
- <action id="org.usbguard.Devices1.rejectDevice">
- <description>Remove a USB device via the USBGuard daemon</description>
- <message>Prevents from removing USB devices via the USBGuard daemon</message>
+ <action id="org.usbguard1.setParameter">
+ <description>Set the value of a runtime parameter</description>
+ <message>Prevents setting values of runtime USBGuard parameters</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin</allow_active>
</defaults>
</action>
+
</policyconfig>

20
SOURCES/usbguard-ipc-override-fix.patch
Unescape View File

@ -1,20 +0,0 @@
diff --color -ru a/src/Library/IPCServerPrivate.cpp b/src/Library/IPCServerPrivate.cpp
--- a/src/Library/IPCServerPrivate.cpp 2020-11-23 15:56:12.979847655 +0100
+++ b/src/Library/IPCServerPrivate.cpp 2021-10-14 12:33:12.462503822 +0200
@@ -567,10 +567,12 @@
bool IPCServerPrivate::authenticateIPCConnectionDAC(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const
{
USBGUARD_LOG(Trace) << "uid=" << uid << " gid=" << gid << " ac_ptr=" << ac_ptr;
- return \
- matchACLByUID(uid, ac_ptr) || \
- matchACLByGID(gid, ac_ptr) || \
- matchACLByName(uid, gid, ac_ptr);
+
+ bool matched_uid = matchACLByUID(uid, ac_ptr);
+ bool matched_gid = matchACLByGID(gid, ac_ptr);
+ bool matched_name = matchACLByName(uid, gid, ac_ptr);
+
+ return matched_uid || matched_gid || matched_name;
}
bool IPCServerPrivate::matchACLByUID(uid_t uid, IPCServer::AccessControl* const ac_ptr) const

43
SOURCES/usbguard-missing-doc.patch
Unescape View File

@ -1,43 +0,0 @@
diff -up usbguard-1.0.0/doc/man/example-allow-device.adoc.orig usbguard-1.0.0/doc/man/example-allow-device.adoc
--- usbguard-1.0.0/doc/man/example-allow-device.adoc.orig 2022-11-28 12:00:26.695561514 +0100
+++ usbguard-1.0.0/doc/man/example-allow-device.adoc 2022-11-28 11:57:01.120457773 +0100
@@ -0,0 +1,6 @@
+....
+ # Allow a device by ID(it is the very first number from the list-devices command output)
+ $ sudo usbguard allow-device 10
+ # Allow all devices named "Dell Wired Multimedia Keyboard"
+ $ sudo usbguard allow-device name \"Dell Wired Multimedia Keyboard\"
+....
diff -up usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig usbguard-1.0.0/doc/man/example-initial-policy.adoc
--- usbguard-1.0.0/doc/man/example-initial-policy.adoc.orig 2022-11-28 12:00:31.781564080 +0100
+++ usbguard-1.0.0/doc/man/example-initial-policy.adoc 2022-11-28 11:57:25.353470002 +0100
@@ -0,0 +1,7 @@
+....
+ $ sudo usbguard generate-policy > rules.conf
+ $ vi rules.conf
+ (review/modify the rule set)
+ $ sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
+ $ sudo systemctl restart usbguard
+....
diff -up usbguard-1.0.0/doc/man/footer.adoc.orig usbguard-1.0.0/doc/man/footer.adoc
--- usbguard-1.0.0/doc/man/footer.adoc.orig 2022-11-28 11:54:21.495377220 +0100
+++ usbguard-1.0.0/doc/man/footer.adoc 2022-11-28 11:55:51.960422872 +0100
@@ -0,0 +1,18 @@
+== BUGS
+If you find a bug in this software or if you'd like to request a feature to be implemented, please file a ticket at <https://github.com/USBGuard/usbguard/issues/new>.
+
+
+== AUTHOR
+USBGuard was originally written by Daniel Kopeček.
+Many people have contributed to it.
+
+
+== RESOURCES
+Main web site: <https://usbguard.github.io/>
+
+
+== COPYING
+Copyright © 2015-{docyear} Red Hat, Inc. +
+License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl.html. +
+This is free software: you are free to change and redistribute it.
+There is NO WARRANTY, to the extent permitted by law.

182
SOURCES/usbguard-notifier-decrease-spam.patch
Unescape View File

@ -1,182 +0,0 @@
diff --color -ru a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 b/usbguard-notifier-0.0.6/man/usbguard-notifier.1
--- a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-10-14 12:44:57.816146101 +0200
+++ b/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-10-14 12:46:14.442519466 +0200
@@ -39,7 +39,12 @@
.PP
\fB\-w, \-\-wait\fR
.RS 4
-Wait until an active IPC connection is estabilished\&.
+Wait until an active IPC connection is estabilished\&. ie\&. infinite number of attempts\&.
+.RE
+.PP
+\fB\-n, \-\-num\-attempts\fR \fInum\fR
+.RS 4
+Number of IPC connection attempts. Window between each attempt is 1 second\&. The default number of attempts is 3\&.
.RE
.PP
\fB\-d, \-\-debug\fR
@@ -51,6 +56,64 @@
.RS 4
Show help\&.
.RE
+.SH "HOW TO START"
+.sp
+In order to make usbguard\-notifier work properly, you will need to perform certain actions:
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 1.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP " 1." 4.2
+.\}
+Each user who wants to run usbguard\-notifier service needs to have sufficient IPC privileges to connect to the usbguard IPC interface\&. To allow a specific user to listen to the device signals you can use the following command:
+
+
+\fB$ sudo usbguard add\-user\fR
+\fIUSER\fR
+\fB\-d listen\fR
+
+Or you can allow a group of users:
+
+
+\fB$ sudo usbguard add\-user \-g\fR
+\fIGROUP\fR
+\fB\-d listen\fR
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 2.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP " 2." 4.2
+.\}
+Now, you need a running usbguard\-daemon instance to connect to\&. Start the usbguard service or restart it if it is already running\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04' 3.\h'+01'\c
+.\}
+.el \{\
+.sp -1
+.IP " 3." 4.2
+.\}
+After configuring IPC privileges and starting up the usbguard\-daemon, the user can now start the usbguard\-notifier service:
+
+
+\fB$ systemctl start \-\-user usbguard\-notifier\&.service\fR
+
+Optionally, the user can enable the usbguard\-notifier service to start automatically after the login:
+
+
+\fB$ systemctl enable \-\-user usbguard\-notifier\&.service\fR
+.RE
+.sp
+The usbguard\-notifier should now be running\&. Anytime a USB device gets inserted/ejected or allowed/blocked a message will pop up in the user\(cqs graphical interface\&.
.SH "SEE ALSO"
.sp
usbguard(1)
diff --color -ru a/usbguard-notifier-0.0.6/src/Main.cpp b/usbguard-notifier-0.0.6/src/Main.cpp
--- a/usbguard-notifier-0.0.6/src/Main.cpp 2020-03-04 08:59:49.138771474 +0100
+++ b/usbguard-notifier-0.0.6/src/Main.cpp 2021-10-14 12:46:14.443519484 +0200
@@ -20,6 +20,7 @@
#include "Log.hpp"
#include "Notifier.hpp"
+#include <cstdlib>
#include <getopt.h>
#include <iostream>
#include <libgen.h>
@@ -27,10 +28,11 @@
#include <usbguard/Exception.hpp>
-static const char* short_options = "wdh";
+static const char* short_options = "wn:dh";
static const struct ::option long_options[] = {
{ "wait", no_argument, nullptr, 'w' },
+ { "num-attempts", required_argument, nullptr, 'n' },
{ "debug", no_argument, nullptr, 'd' },
{ "help", no_argument, nullptr, 'h' }
};
@@ -40,22 +42,26 @@
out << "Usage: " << app_name << " [OPTIONS]" << std::endl;
out << std::endl;
out << "Options:" << std::endl;
- out << " -w, --wait Wait until an active IPC connection is estabilished." << std::endl;
- out << " -d, --debug Enable debug mode." << std::endl;
- out << " -h, --help Show this usage message." << std::endl;
+ out << " -w, --wait Wait until an active IPC connection is estabilished." << std::endl;
+ out << " -n, --num-attempts <num> Number of IPC connection attempts." << std::endl;
+ out << " -d, --debug Enable debug mode." << std::endl;
+ out << " -h, --help Show this usage message." << std::endl;
}
int main(int argc, char** argv)
{
const std::string app_name(::basename(*argv));
bool wait_connection = false, debug = false;
- int opt;
+ int opt, num_attempts = 3;
while ((opt = getopt_long(argc, argv, short_options, long_options, nullptr)) != -1) {
switch (opt) {
case 'w':
wait_connection = true;
break;
+ case 'n':
+ num_attempts = std::atoi(optarg);
+ break;
case 'd':
debug = true;
break;
@@ -71,23 +77,26 @@
}
NOTIFIER_LOGGER.setDebugMode(debug);
- for (;;) {
+ bool print_err = true;
+ for (int i = 0; wait_connection || i < num_attempts; ++i) {
try {
usbguardNotifier::Notifier notifier(app_name);
notifier.connect();
std::cout << "Connection has been established" << std::endl;
+ print_err = true;
+ i = 0;
notifier.wait();
} catch (const std::runtime_error& e) {
std::cerr << "Error:" << e.what() << std::endl;
return EXIT_FAILURE;
} catch (const usbguard::Exception& e) {
- std::cerr << "IPC connection failure!" << e.message() << std::endl;
- std::cerr << "Check if usbguard-daemon is running in the background" << std::endl;
- if (!wait_connection) {
- break;
+ if (print_err) {
+ print_err = false;
+ std::cerr << "IPC connection failure!" << e.message() << std::endl;
+ std::cerr << "Check if usbguard-daemon is running in the background" << std::endl;
}
- sleep(1);
}
+ sleep(1);
}
return EXIT_SUCCESS;
}
diff --color -ru a/usbguard-notifier-0.0.6/usbguard-notifier.service.in b/usbguard-notifier-0.0.6/usbguard-notifier.service.in
--- a/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2020-03-04 09:00:32.019254871 +0100
+++ b/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2021-10-14 12:46:14.444519502 +0200
@@ -3,7 +3,7 @@
After=usbguard.service
[Service]
-ExecStart=%bindir%/usbguard-notifier -w
+ExecStart=%bindir%/usbguard-notifier
[Install]
WantedBy=default.target

68
SOURCES/usbguard-permanent-rules.patch
Unescape View File

@ -1,68 +0,0 @@
diff -up usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc.orig usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc
--- usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc.orig 2023-01-05 10:58:24.684407437 +0100
+++ usbguard-1.0.0/doc/man/usbguard-daemon.conf.5.adoc 2023-01-05 10:58:42.323426745 +0100
@@ -27,7 +27,12 @@ It may be overridden using the *-c* comm
behave like any other standard Linux daemon therefore it loads rule files in
alpha-numeric order. File names inside `RuleFolder` directory should start
with a two-digit number prefix indicating the position, in which the rules
- are scanned by the daemon.
+ are scanned by the daemon. Using RuleFile and RuleFolder at the same time is
+ permitted. However, modification of the permanent policy is not possible if
+ one of the following conditions are met:
+ ** Neither RuleFile nor RuleFolder are specified.
+ ** RuleFile is not specified, RuleFolder is but it does not contain any files,
+ where we could save permanent rules.
*ImplicitPolicyTarget*='target'::
How to treat USB devices that don't match any rule in the policy. Target
diff -up usbguard-1.0.0/src/Daemon/Daemon.cpp.orig usbguard-1.0.0/src/Daemon/Daemon.cpp
--- usbguard-1.0.0/src/Daemon/Daemon.cpp.orig 2023-01-05 10:58:49.689434809 +0100
+++ usbguard-1.0.0/src/Daemon/Daemon.cpp 2023-01-05 10:59:18.991466884 +0100
@@ -742,7 +742,7 @@ namespace usbguard
/* TODO: reevaluate the firewall rules for all active devices */
const uint32_t id = _policy.appendRule(rule, parent_id);
- if (_config.hasSettingValue("RuleFile") && permanent) {
+ if ((_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) && permanent) {
_policy.save();
}
@@ -755,7 +755,7 @@ namespace usbguard
USBGUARD_LOG(Trace) << "id=" << id;
_policy.removeRule(id);
- if (_config.hasSettingValue("RuleFile")) {
+ if (_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) {
_policy.save();
}
}
diff -up usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp
--- usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp.orig 2023-01-05 10:59:27.117475780 +0100
+++ usbguard-1.0.0/src/Daemon/RuleSetFactory.cpp 2023-01-05 10:59:46.228496702 +0100
@@ -75,8 +75,24 @@ namespace usbguard
}
}
- if (ruleSet.empty()){
- USBGUARD_LOG(Warning) << "Neither RuleFile nor RuleFolder are set; Modification of the permanent policy won't be possible.";
+ /*
+ * This means one of the following:
+ * - Neither RuleFile nor RuleFolder are specified
+ * - RuleFile not specified, RuleFolder is but it does not contain any files,
+ * where we could save permanent rules
+ */
+ if (ruleSet.empty()) {
+ std::string msg;
+
+ if (ns.getRulesPath().empty() && ns.getRulesDirPath().empty()) {
+ msg = "Neither RuleFile nor RuleFolder are set.";
+ }
+ else {
+ msg = "RuleFile is not set, RuleFolder is but it does not contain any rule files.";
+ }
+
+ USBGUARD_LOG(Warning) << "Modification of the permanent policy won't be possible."
+ << " Reason: " << msg;
ruleSet = generateDefaultRuleSet();
}

17
SOURCES/usbguard-revert-catch.patch
Unescape View File

@ -0,0 +1,17 @@
diff -up ./configure.ac.fix ./configure.ac
--- ./configure.ac.fix 2022-03-03 15:05:03.357194713 +0100
+++ ./configure.ac 2022-03-03 15:06:02.849787794 +0100
@@ -394,11 +394,11 @@ if test "x$with_bundled_catch" = xyes; t
catch_summary="bundled; $catch_CFLAGS $catch_LIBS"
else
SAVE_CPPFLAGS=$CPPFLAGS
- CPPFLAGS="-std=c++17 $CPPFLAGS -I/usr/include/catch2"
+ CPPFLAGS="-std=c++17 $CPPFLAGS -I/usr/include/catch"
AC_LANG_PUSH([C++])
AC_CHECK_HEADER([catch.hpp], [], [AC_MSG_FAILURE(catch.hpp not found or not usable. Re-run with --with-bundled-catch to use the bundled library.)])
AC_LANG_POP
- catch_CFLAGS="-I/usr/include/catch2"
+ catch_CFLAGS="-I/usr/include/catch"
catch_LIBS=""
CPPFLAGS=$SAVE_CPPFLAGS
catch_summary="system-wide; $catch_CFLAGS $catch_LIBS"

12
SOURCES/usbguard-selinux-audit-capability.patch
Unescape View File

@ -1,12 +0,0 @@
diff -up usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te
--- usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig 2021-03-23 10:32:56.239139027 +0100
+++ usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te 2021-03-23 10:33:05.718229143 +0100
@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t)
# Local policy
#
-allow usbguard_t self:capability { chown fowner };
+allow usbguard_t self:capability { chown fowner audit_write };
allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read };
allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };

26
SOURCES/usbguard-selinux-dbus-CVE.patch
Unescape View File

@ -1,26 +0,0 @@
diff -up usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te
--- usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig 2022-08-17 09:17:13.995269603 +0200
+++ usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te 2022-08-17 09:18:47.439260009 +0200
@@ -99,7 +99,6 @@ logging_log_filetrans(usbguard_t, usbgua
logging_send_syslog_msg(usbguard_t)
-dbus_system_domain(usbguard_t, usbguard_exec_t)
usbguard_ipc_access(usbguard_t)
tunable_policy(`usbguard_daemon_write_rules',`
@@ -110,6 +109,14 @@ tunable_policy(`usbguard_daemon_write_co
rw_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
')
+optional_policy(`
+ dbus_system_domain(usbguard_t, usbguard_exec_t)
+
+ optional_policy(`
+ policykit_dbus_chat(usbguard_t)
+ ')
+')
+
# Allow confined users to communicate with usbguard over unix socket
optional_policy(`
gen_require(`

24
SOURCES/usbguard-service-pidfile.patch
Unescape View File

@ -1,24 +0,0 @@
From 6a596441eb91215898542bce4aadabfe396a3875 Mon Sep 17 00:00:00 2001
From: Birger Schacht <1143280+b1rger@users.noreply.github.com>
Date: Mon, 18 Jan 2021 15:00:47 +0000
Subject: [PATCH] Write PIDFile to /run instead of /var/run
According to https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s13.html regarding /var/run:
This directory was once intended for system information data describing the system since it was booted. These functions have been moved to /run; this directory exists to ensure compatibility with systems and software using an older version of this specification.
---
usbguard.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usbguard.service.in b/usbguard.service.in
index 0d7e193c..2ec8c633 100644
--- a/usbguard.service.in
+++ b/usbguard.service.in
@@ -12,7 +12,7 @@ IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
-PIDFile=/var/run/usbguard.pid
+PIDFile=/run/usbguard.pid
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes

105
SOURCES/usbguard-validate-acl.patch
Unescape View File

@ -1,105 +0,0 @@
diff --color -ru a/doc/man/usbguard.1.adoc b/doc/man/usbguard.1.adoc
--- a/doc/man/usbguard.1.adoc 2020-11-23 15:56:12.977847682 +0100
+++ b/doc/man/usbguard.1.adoc 2021-10-14 12:39:11.949947187 +0200
@@ -282,6 +282,7 @@
....
Consult the usbguard-daemon.conf(5) man-page for a detailed list of available privileges in each section.
+You can also use 'ALL' instead of 'privileges' to automatically assign all relevant privileges to a given section.
=== *remove-user* 'name' ['OPTIONS']
diff --color -ru a/doc/man/usbguard-daemon.conf.5.adoc b/doc/man/usbguard-daemon.conf.5.adoc
--- a/doc/man/usbguard-daemon.conf.5.adoc 2020-11-23 15:56:12.977847682 +0100
+++ b/doc/man/usbguard-daemon.conf.5.adoc 2021-10-14 12:39:11.953947259 +0200
@@ -162,6 +162,8 @@
** list: Get values of run-time parameters.
+ ** listen: Listen to property parameter changes.
+
The following is a generally usable and reasonably safe example of an access control file.
It allows one to modify USB device authorization state (`Devices=modify`), list USB devices (`Devices=list`), listen to USB device related events (`Devices=listen`), list USB authorization policy rules (`Policy=list`) and listen to exception events (`Exceptions=listen`):
diff --color -ru a/src/Library/public/usbguard/IPCServer.cpp b/src/Library/public/usbguard/IPCServer.cpp
--- a/src/Library/public/usbguard/IPCServer.cpp 2020-11-23 15:56:12.979847655 +0100
+++ b/src/Library/public/usbguard/IPCServer.cpp 2021-10-14 12:39:11.954947277 +0200
@@ -159,18 +159,25 @@
throw USBGUARD_BUG("Cannot set privileges for NONE section");
}
+ const uint8_t p = static_cast<uint8_t>(privilege);
+
if (section == Section::ALL) {
- for (const auto& value : {
+ for (const auto& s : {
Section::POLICY,
Section::PARAMETERS,
Section::EXCEPTIONS,
Section::DEVICES
}) {
- _access_control[value] |= static_cast<uint8_t>(privilege);
+ _access_control[s] |= p & ~ac_mask(s);
}
}
else {
- _access_control[section] |= static_cast<uint8_t>(privilege);
+ if (privilege != Privilege::ALL && (p & ac_mask(section))) {
+ throw std::runtime_error("Invalid privilege " +
+ privilegeToString(privilege) + " for section " +
+ sectionToString(section));
+ }
+ _access_control[section] |= p & ~ac_mask(section);
}
}
@@ -254,6 +261,28 @@
merge(access_control);
}
+ uint8_t IPCServer::AccessControl::ac_mask(IPCServer::AccessControl::Section section) const
+ {
+ const uint8_t MODIFY = static_cast<uint8_t>(Privilege::MODIFY);
+ const uint8_t LIST = static_cast<uint8_t>(Privilege::LIST);
+ const uint8_t LISTEN = static_cast<uint8_t>(Privilege::LISTEN);
+
+ switch (section) {
+ case Section::DEVICES:
+ return ~(MODIFY | LIST | LISTEN);
+ case Section::POLICY:
+ return ~(MODIFY | LIST);
+ case Section::EXCEPTIONS:
+ return ~(LISTEN);
+ case Section::PARAMETERS:
+ return ~(MODIFY | LIST | LISTEN);
+ case Section::ALL:
+ case Section::NONE:
+ default:
+ return 0xff;
+ }
+ }
+
IPCServer::IPCServer()
: d_pointer(usbguard::make_unique<IPCServerPrivate>(*this))
{
diff --color -ru a/src/Library/public/usbguard/IPCServer.hpp b/src/Library/public/usbguard/IPCServer.hpp
--- a/src/Library/public/usbguard/IPCServer.hpp 2020-10-11 17:43:43.519295669 +0200
+++ b/src/Library/public/usbguard/IPCServer.hpp 2021-10-14 12:39:11.955947295 +0200
@@ -278,6 +278,17 @@
};
/**
+ * @brief Get a privilege mask for given section
+ *
+ * For example, if the section is POLICY that has privileges MODIFY
+ * and LIST, the mask would be ~(MODIFY | LIST)
+ *
+ * @param section Section for which the privilege mask should be returned
+ * @return Privilege mask for section
+ */
+ uint8_t ac_mask(Section section) const;
+
+ /**
* @brief Access control represented by unordered map of
* tuples (Section, 8b privileges).
*

226
SPECS/usbguard.spec
Unescape View File

@ -1,25 +1,22 @@
%global _hardened_build 1
%global selinuxtype targeted
%global moduletype contrib
%define semodule_version 0.0.4
%define notifier_version 0.0.6
%bcond_without check
%define semodule_version 0.0.5
%define notifier_version 0.1.1
Name: usbguard
Version: 1.0.0
Release: 15%{?dist}
Version: 1.1.3
Release: 5%{?dist}
Summary: A tool for implementing USB device usage policy
Group: System Environment/Daemons
License: GPLv2+
License: GPL-2.0-or-later
## Not installed
# src/ThirdParty/Catch: Boost Software License - Version 1.0
URL: https://usbguard.github.io/
Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
Source1: https://github.com/USBGuard/%{name}-selinux/archive/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
Source1: https://github.com/USBGuard/usbguard-selinux/archive/refs/tags/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz
Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz
Source3: usbguard-daemon.conf
ExcludeArch: i686
ExcludeArch: i686
Requires: systemd
Requires(post): systemd
@ -27,11 +24,15 @@ Requires(preun): systemd
Requires(postun): systemd
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
Recommends: (%{name}-selinux if selinux-policy-%{selinuxtype})
Obsoletes: %{name}-applet-qt < 0.7.6
BuildRequires: make
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: libqb-devel
BuildRequires: libgcrypt-devel
BuildRequires: openssl-devel
BuildRequires: libstdc++-devel
BuildRequires: protobuf-devel protobuf-compiler
BuildRequires: PEGTL-static
@ -43,29 +44,8 @@ BuildRequires: audit-libs-devel
# For `pkg-config systemd` only
BuildRequires: systemd
BuildRequires: dbus-glib-devel
BuildRequires: dbus-devel
BuildRequires: glib2-devel
BuildRequires: polkit-devel
BuildRequires: libxslt
BuildRequires: libxml2
Patch1: usbguard-0.7.6-notifier.patch
Patch2: usbguard-audit-capability.patch
Patch3: usbguard-selinux-audit-capability.patch
Patch4: usbguard-service-pidfile.patch
Patch5: usbguard-ipc-override-fix.patch
Patch6: usbguard-validate-acl.patch
Patch7: usbguard-notifier-decrease-spam.patch
Patch8: usbguard-dbus-CVE.patch
Patch9: usbguard-selinux-dbus-CVE.patch
Patch10: usbguard-dbus-CVE-leak.patch
Patch11: usbguard-OOMScoreAdjust.patch
Patch12: usbguard-daemon-race-condition.patch
Patch13: usbguard-consistent-rules.patch
Patch14: usbguard-missing-doc.patch
Patch15: usbguard-permanent-rules.patch
Patch16: usbguard-disable-console-log.patch
Patch1: usbguard-revert-catch.patch
Patch2: disable-console-logging.patch
%description
The USBGuard software framework helps to protect your computer against rogue USB
@ -74,7 +54,6 @@ USB device attributes.
%package devel
Summary: Development files for %{name}
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
Requires: pkgconfig
Requires: libstdc++-devel
@ -85,17 +64,21 @@ developing applications that use %{name}.
%package tools
Summary: USBGuard Tools
Group: Applications/System
Requires: %{name} = %{version}-%{release}
%description tools
The %{name}-tools package contains optional tools from the USBGuard
software framework.
# dbus
%package dbus
Summary: USBGuard D-Bus Service
Group: Applications/System
Requires: %{name} = %{version}-%{release}
BuildRequires: dbus-devel
BuildRequires: glib2-devel
BuildRequires: polkit-devel
BuildRequires: libxslt
BuildRequires: libxml2
Requires: dbus
Requires: polkit
@ -129,8 +112,9 @@ BuildRequires: execstack
The %{name}-notifier package detects usbguard policy modifications as well as
device presence changes and displays them as pop-up notifications.
# usbguard
%prep
# usbguard
%setup -q
# selinux
@ -139,27 +123,15 @@ device presence changes and displays them as pop-up notifications.
# notifier
%setup -q -D -T -a 2
%patch -P 1 -p1 -b .catch
%patch -P 2 -p1
# Remove bundled library sources before build
rm -rf src/ThirdParty/{Catch,PEGTL}
%patch1 -p1 -b .notifier
%patch2 -p1 -b .audit-write
%patch3 -p1 -b .selinux-audit-write
%patch4 -p1 -b .pidfile
%patch5 -p1 -b .ipc-override-fix
%patch6 -p1 -b .validate-acl
%patch7 -p1 -b .notifier-decrease-spam
%patch8 -p1 -b .dbus-CVE
%patch9 -p1 -b .selinux-dbus-CVE
%patch10 -p1 -b .dbus-CVE-leak
%patch11 -p1 -b .oomscore-adjust
%patch12 -p1 -b .race-condition
%patch13 -p1 -b .consistent-rules
%patch14 -p1 -b .missing-doc
%patch15 -p1 -b .permanent-rules
%patch16 -p1 -b .disable-syslog
%build
# usbguard
mkdir -p ./m4
autoreconf -i -v --no-recursive ./
%configure \
@ -169,7 +141,7 @@ autoreconf -i -v --no-recursive ./
--enable-systemd \
--with-dbus \
--with-polkit \
--with-crypto-library=gcrypt
--with-crypto-library=openssl
make %{?_smp_mflags}
@ -194,10 +166,8 @@ export CXXFLAGS="$RPM_OPT_FLAGS"
make %{?_smp_mflags}
popd
%if %{with check}
%check
make check
%endif
# selinux
%pre selinux
@ -231,15 +201,14 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%systemd_preun usbguard.service
%post
/sbin/ldconfig
%{?ldconfig}
%systemd_post usbguard.service
%postun
/sbin/ldconfig
%{?ldconfig}
%systemd_postun usbguard.service
%files
%defattr(-,root,root,-)
%doc README.adoc CHANGELOG.md
%license LICENSE
%{_libdir}/*.so.*
@ -259,18 +228,15 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
%{_datadir}/bash-completion/completions/usbguard
%files devel
%defattr(-,root,root,-)
%{_includedir}/*
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc
%files tools
%defattr(-,root,root,-)
%{_bindir}/usbguard-rule-parser
# dbus
%files dbus
%defattr(-,root,root,-)
%{_sbindir}/usbguard-dbus
%{_datadir}/dbus-1/system-services/org.usbguard1.service
%{_datadir}/dbus-1/system.d/org.usbguard1.conf
@ -322,61 +288,81 @@ fi
%changelog
* Thu Jan 12 2023 Attila Lakatos <alakatos@redhat.com> - 1.0.0-15
- Disable logging to console, logging to syslog is still enabled
Resolves: rhbz#2122109
- Store permanent rules even if RuleFile is not set but RuleFolder is
Resolves: rhbz#2155910
* Mon Nov 28 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-12
- Set OOMScoreAdjust to -1000 in service file
Resolves: rhbz#2097419
- Fix race condition in usbguard-daemon when forking
Resolves: rhbz#2042345
- Add missing files to documentation
Resolves: rhbz#2122107
- Neither RuleFolder nor RuleFile exists bugfix
Resolves: rhbz#2122109
- Remove build for i686 arch
Resolves: rhbz#2126622
* Tue Aug 16 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-11
- Fix unauthorized access via D-bus
- Fix memory leak when connection to dbus is broken
Resolves: rhbz#2059068
* Mon Oct 25 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-10
- fix DSP module definition in spec file
Resolves: rhbz#2014442
- fix IPC access control files override
Resolves: rhbz#2009227
- validate ACL permission existence
Resolves: rhbz#2009229
- decrease usbguard-notifier spam when denied connection
Resolves: rhbz#2009226
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.0-8
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Jul 28 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.0-7
RHEL 9 BETA
- starting usbguard service complains about PIDFile= references a path below legacy directory /var/run/
Resolves: rhbz#1985627
- file conflict when installing usbguard on rhel
Resolves: rhbz#1986785
* Fri Apr 16 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-6
- Clear executable stack flag on usbguard-notifier
Resolves: rhbz#1917544
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.0-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Feb 19 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-4
- sync with rhel-8.4.0 branch
- bundle usbguard-notifier as subpackage
Resolves: rhbz#1917544
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1.1.3-5
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.1.3-4
- Bump release for June 2024 mass rebuild
* Tue Jun 18 2024 Attila Lakatos <alakatos@redhat.com> - 1.1.3-3
- Disable building for i686
- Update Requires list on selinux subpackage
Resolves: RHEL-37322
* Fri Jun 07 2024 Attila Lakatos <alakatos@redhat.com> - 1.1.3-2
- Rebase to 1.1.3
- Update usbguard-selinux subpackage
- Include usbguard-notifier subpackage
Resolves: RHEL-37322
- Disable logging to console
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jul 27 2023 Attila Lakatos <alakatos@redhat.com> - 1.1.2-1
- Rebase to 1.1.2
Resolves: rhbz#2064543
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed May 10 2023 Tomas Popela <tpopela@redhat.com> - 1.1.0-7
- Drop BR on dbus-glib as the requirement was dropped in 0.7.7
* Mon Feb 20 2023 Attila Lakatos <alakatos@redhat.com> - 1.1.0-6
- Rebuild
Resolves: rhbz#2171749
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Tue Mar 29 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.0-3
- usbguard requires selinux subpackage
- this ensures that the selinux package and all its dependencies are
not pulled into containers and other systems that do not use SELinux
* Tue Mar 15 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.0-2
- selinux: allow policykit dbus comunnication
- restore support for access control filenames without a group
* Thu Mar 03 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.0-1
- rebase to 1.1.0
Resolves: rhbz#2058450
- fixed CVE-2019-25058 usbguard: Fix unauthorized access via D-Bus
Resolves: rhbz#2058466
* Sat Jan 22 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.0-9
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Sat Nov 06 2021 Adrian Reber <adrian@lisas.de> - 1.0.0-8
- Rebuilt for protobuf 3.19.0
* Mon Oct 25 2021 Adrian Reber <adrian@lisas.de> - 1.0.0-7
- Rebuilt for protobuf 3.18.1
* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.0-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Mar 31 2021 Jonathan Wakely <jwakely@redhat.com> - 1.0.0-5
- Rebuilt for removed libstdc++ symbols (#1937698)
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.0.0-4
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

Write Preview
Loading…
Cancel
Save