rpms
/
usbguard
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: rpms:i8c
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
rpms:i9c-beta
rpms:c9-beta
..
compare: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
rpms:i9c-beta
rpms:c9-beta

No commits in common. 'i8c' and 'c9' have entirely different histories.
i8c ... c9

16 changed files with 211 additions and 295 deletions
Show Stats

2
.gitignore vendored
Unescape View File

@ -1,3 +1,3 @@
SOURCES/usbguard-1.0.0.tar.gz SOURCES/usbguard-1.0.0.tar.gz
SOURCES/usbguard-notifier-0.0.6.tar.gz SOURCES/usbguard-notifier-0.0.6.tar.gz
SOURCES/usbguard-selinux-0.0.3.tar.gz SOURCES/usbguard-selinux-0.0.4.tar.gz

2
.usbguard.metadata
Unescape View File

@ -1,3 +1,3 @@
bf909799daae6798634e1b01efaaadc5781b9755 SOURCES/usbguard-1.0.0.tar.gz bf909799daae6798634e1b01efaaadc5781b9755 SOURCES/usbguard-1.0.0.tar.gz
7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz 7bd5b72c6fd73472ef1230977b9358345ce442d3 SOURCES/usbguard-notifier-0.0.6.tar.gz
e223495a2c41013bc786a5ceae730f2574aeba1b SOURCES/usbguard-selinux-0.0.3.tar.gz 40db29405c2236791ca5ce616d9e563a8309356e SOURCES/usbguard-selinux-0.0.4.tar.gz

4
SOURCES/usbguard-dbus-CVE-leak.patch
Unescape View File

@ -1,6 +1,6 @@
diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp diff -up usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig usbguard-1.0.0/src/DBus/DBusBridge.cpp
--- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig 2022-10-18 10:33:04.498762878 +0200 --- usbguard-1.0.0/src/DBus/DBusBridge.cpp.orig 2022-11-23 08:57:40.119760422 +0100
+++ usbguard-1.0.0/src/DBus/DBusBridge.cpp 2022-10-18 10:33:36.920785285 +0200 +++ usbguard-1.0.0/src/DBus/DBusBridge.cpp 2022-11-23 08:58:22.380845720 +0100
@@ -434,12 +434,11 @@ namespace usbguard @@ -434,12 +434,11 @@ namespace usbguard
USBGUARD_LOG(Trace) << "Connecting with Polkit authority..."; USBGUARD_LOG(Trace) << "Connecting with Polkit authority...";
PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error); PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error);

6
SOURCES/usbguard-disable-console-log.patch
Unescape View File

@ -1,12 +1,12 @@
diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in diff -up usbguard-1.0.0/usbguard.service.in.orig usbguard-1.0.0/usbguard.service.in
--- usbguard-1.0.0/usbguard.service.in.orig 2023-01-12 13:17:14.200064956 +0100 --- usbguard-1.0.0/usbguard.service.in.orig 2023-01-12 13:22:23.032554498 +0100
+++ usbguard-1.0.0/usbguard.service.in 2023-01-12 13:17:22.588078994 +0100 +++ usbguard-1.0.0/usbguard.service.in 2023-01-12 13:22:33.082568210 +0100
@@ -8,7 +8,7 @@ OOMScoreAdjust=-1000 @@ -8,7 +8,7 @@ OOMScoreAdjust=-1000
AmbientCapabilities= AmbientCapabilities=
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
DevicePolicy=closed DevicePolicy=closed
-ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf -ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ExecStart=%sbindir%/usbguard-daemon -f -s -K -c %sysconfdir%/usbguard/usbguard-daemon.conf +ExecStart=%sbindir%/usbguard-daemon -f -s -K -c %sysconfdir%/usbguard/usbguard-daemon.conf
IPAddressDeny=any
LockPersonality=yes LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes

11
SOURCES/usbguard-ipaddressdeny.patch
Unescape View File

@ -1,11 +0,0 @@
diff --color -ru a/usbguard.service.in b/usbguard.service.in
--- a/usbguard.service.in 2021-09-07 16:33:49.911540537 +0200
+++ b/usbguard.service.in 2021-09-07 16:37:20.788885123 +0200
@@ -8,7 +8,6 @@
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
DevicePolicy=closed
ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
-IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes

2
SOURCES/usbguard-ipc-override-fix.patch
Unescape View File

@ -1,6 +1,6 @@
diff --color -ru a/src/Library/IPCServerPrivate.cpp b/src/Library/IPCServerPrivate.cpp diff --color -ru a/src/Library/IPCServerPrivate.cpp b/src/Library/IPCServerPrivate.cpp
--- a/src/Library/IPCServerPrivate.cpp 2020-11-23 15:56:12.979847655 +0100 --- a/src/Library/IPCServerPrivate.cpp 2020-11-23 15:56:12.979847655 +0100
+++ b/src/Library/IPCServerPrivate.cpp 2021-09-15 10:02:51.641082533 +0200 +++ b/src/Library/IPCServerPrivate.cpp 2021-10-14 12:33:12.462503822 +0200
@@ -567,10 +567,12 @@ @@ -567,10 +567,12 @@
bool IPCServerPrivate::authenticateIPCConnectionDAC(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const bool IPCServerPrivate::authenticateIPCConnectionDAC(uid_t uid, gid_t gid, IPCServer::AccessControl* const ac_ptr) const
{ {

8
SOURCES/usbguard-notifier-decrease-spam.patch
Unescape View File

@ -1,6 +1,6 @@
diff --color -ru a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 b/usbguard-notifier-0.0.6/man/usbguard-notifier.1 diff --color -ru a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 b/usbguard-notifier-0.0.6/man/usbguard-notifier.1
--- a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-09-24 13:08:23.304639109 +0200 --- a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-10-14 12:44:57.816146101 +0200
+++ b/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-09-24 13:16:14.177186425 +0200 +++ b/usbguard-notifier-0.0.6/man/usbguard-notifier.1 2021-10-14 12:46:14.442519466 +0200
@@ -39,7 +39,12 @@ @@ -39,7 +39,12 @@
.PP .PP
\fB\-w, \-\-wait\fR \fB\-w, \-\-wait\fR
@ -82,7 +82,7 @@ diff --color -ru a/usbguard-notifier-0.0.6/man/usbguard-notifier.1 b/usbguard-no
usbguard(1) usbguard(1)
diff --color -ru a/usbguard-notifier-0.0.6/src/Main.cpp b/usbguard-notifier-0.0.6/src/Main.cpp diff --color -ru a/usbguard-notifier-0.0.6/src/Main.cpp b/usbguard-notifier-0.0.6/src/Main.cpp
--- a/usbguard-notifier-0.0.6/src/Main.cpp 2020-03-04 08:59:49.138771474 +0100 --- a/usbguard-notifier-0.0.6/src/Main.cpp 2020-03-04 08:59:49.138771474 +0100
+++ b/usbguard-notifier-0.0.6/src/Main.cpp 2021-09-24 13:07:41.322966320 +0200 +++ b/usbguard-notifier-0.0.6/src/Main.cpp 2021-10-14 12:46:14.443519484 +0200
@@ -20,6 +20,7 @@ @@ -20,6 +20,7 @@
#include "Log.hpp" #include "Log.hpp"
#include "Notifier.hpp" #include "Notifier.hpp"
@ -170,7 +170,7 @@ diff --color -ru a/usbguard-notifier-0.0.6/src/Main.cpp b/usbguard-notifier-0.0.
} }
diff --color -ru a/usbguard-notifier-0.0.6/usbguard-notifier.service.in b/usbguard-notifier-0.0.6/usbguard-notifier.service.in diff --color -ru a/usbguard-notifier-0.0.6/usbguard-notifier.service.in b/usbguard-notifier-0.0.6/usbguard-notifier.service.in
--- a/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2020-03-04 09:00:32.019254871 +0100 --- a/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2020-03-04 09:00:32.019254871 +0100
+++ b/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2021-09-24 13:07:41.322966320 +0200 +++ b/usbguard-notifier-0.0.6/usbguard-notifier.service.in 2021-10-14 12:46:14.444519502 +0200
@@ -3,7 +3,7 @@ @@ -3,7 +3,7 @@
After=usbguard.service After=usbguard.service

82
SOURCES/usbguard-notifier-icon-injection.patch
Unescape View File

@ -1,82 +0,0 @@
diff --color -ru a/usbguard-notifier-0.0.6/Makefile.am b/usbguard-notifier-0.0.6/Makefile.am
--- a/usbguard-notifier-0.0.6/Makefile.am 2021-11-18 11:38:43.704876330 +0100
+++ b/usbguard-notifier-0.0.6/Makefile.am 2021-11-18 11:35:39.108500175 +0100
@@ -35,6 +35,7 @@
src/ThirdParty/Catch2/single_include/catch2
usbguard_notifier_SOURCES = \
+ src/usbguard-icon.hpp \
src/Notifier.hpp \
src/NotifyWrapper.hpp \
src/Serializer.hpp \
@@ -43,8 +44,7 @@
src/Notifier.cpp \
src/NotifyWrapper.cpp \
src/Serializer.cpp \
- src/Log.cpp \
- icons/usbguard-icon.svg
+ src/Log.cpp
usbguard_notifier_LDFLAGS = \
@rsvg_LIBS@ \
@@ -65,7 +65,8 @@
endif
BUILT_SOURCES = \
- src/BuildConfig.h
+ src/BuildConfig.h \
+ src/usbguard-icon.hpp
usbguard_notifier_cli_SOURCES = \
src/Serializer.hpp \
@@ -109,8 +110,16 @@
#
# usbguard icon
#
-.svg.o:
- $(LD) -r -b binary -o $@ $<
+EXTRA_DIST += \
+ $(top_builddir)/icons/usbguard-icon.svg
+
+$(top_builddir)/src/usbguard-icon.hpp: $(top_builddir)/icons/usbguard-icon.svg
+ echo -e "#ifndef ICON_HPP\n#define ICON_HPP\nnamespace notify {\nconst char *icon =" > $@
+ $(SED) 's/"/\\"/g' $^ | $(SED) 's/^/"/' | $(SED) 's/$$/\\n"/' >> $@
+ echo -e ";\n}\n#endif" >> $@
+
+CLEANFILES += \
+ $(top_builddir)/src/usbguard-icon.hpp
#
# unit file
diff --color -ru a/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp b/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp
--- a/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp 2020-03-02 11:55:25.932999263 +0100
+++ b/usbguard-notifier-0.0.6/src/NotifyWrapper.cpp 2021-11-18 11:29:52.825157237 +0100
@@ -18,14 +18,13 @@
*/
#include "NotifyWrapper.hpp"
+#include "usbguard-icon.hpp"
+#include <cstring>
#include <stdexcept>
#include <librsvg-2.0/librsvg/rsvg.h>
-extern char _binary_icons_usbguard_icon_svg_start[];
-extern char _binary_icons_usbguard_icon_svg_end[];
-
namespace notify
{
@@ -54,10 +53,7 @@
Notification::Notification(const std::string& summary, const std::string& body)
: _n(notify_notification_new(summary.c_str(), body.c_str(), nullptr))
{
- RsvgHandle* handle = rsvg_handle_new_from_data(
- (const guint8*)(_binary_icons_usbguard_icon_svg_start),
- _binary_icons_usbguard_icon_svg_end - _binary_icons_usbguard_icon_svg_start,
- nullptr);
+ RsvgHandle* handle = rsvg_handle_new_from_data((const guint8*)icon, std::strlen(icon), nullptr);
if (!handle) {
throw std::runtime_error("Failed to obtain rsvg handle");
}

6
SOURCES/usbguard-selinux-audit-capability.patch
Unescape View File

@ -1,6 +1,6 @@
diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te diff -up usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te
--- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig 2021-03-17 15:08:59.975712403 +0100 --- usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig 2021-03-23 10:32:56.239139027 +0100
+++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te 2021-03-17 15:09:21.565708348 +0100 +++ usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te 2021-03-23 10:33:05.718229143 +0100
@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t) @@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t)
# Local policy # Local policy
# #

12
SOURCES/usbguard-selinux-cpuinfo.patch
Unescape View File

@ -1,12 +0,0 @@
diff -up ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo ./usbguard-selinux-0.0.3/usbguard.te
--- ./usbguard-selinux-0.0.3/usbguard.te.cpuinfo 2020-06-18 15:53:40.161615146 +0200
+++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-18 15:54:28.399982328 +0200
@@ -77,6 +77,8 @@ auth_read_passwd(usbguard_t)
dev_list_sysfs(usbguard_t)
dev_rw_sysfs(usbguard_t)
+kernel_read_system_state(usbguard_t)
+
list_dirs_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
dontaudit usbguard_t usbguard_conf_t:file write;

11
SOURCES/usbguard-selinux-dbus-CVE.patch
Unescape View File

@ -1,7 +1,7 @@
diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te diff -up usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te
--- usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig 2022-08-24 16:14:30.810875871 +0200 --- usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te.orig 2022-08-17 09:17:13.995269603 +0200
+++ usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te 2022-08-24 16:15:50.064906117 +0200 +++ usbguard-1.0.0/usbguard-selinux-0.0.4/usbguard.te 2022-08-17 09:18:47.439260009 +0200
@@ -100,7 +100,6 @@ logging_log_filetrans(usbguard_t, usbgua @@ -99,7 +99,6 @@ logging_log_filetrans(usbguard_t, usbgua
logging_send_syslog_msg(usbguard_t) logging_send_syslog_msg(usbguard_t)
@ -9,7 +9,7 @@ diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/u
usbguard_ipc_access(usbguard_t) usbguard_ipc_access(usbguard_t)
tunable_policy(`usbguard_daemon_write_rules',` tunable_policy(`usbguard_daemon_write_rules',`
@@ -111,6 +110,15 @@ tunable_policy(`usbguard_daemon_write_co @@ -110,6 +109,14 @@ tunable_policy(`usbguard_daemon_write_co
rw_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t) rw_files_pattern(usbguard_t, usbguard_conf_t, usbguard_conf_t)
') ')
@ -20,7 +20,6 @@ diff -up usbguard-1.0.0/usbguard-selinux-0.0.3/usbguard.te.orig usbguard-1.0.0/u
+ policykit_dbus_chat(usbguard_t) + policykit_dbus_chat(usbguard_t)
+ ') + ')
+') +')
+
+ +
# Allow confined users to communicate with usbguard over unix socket # Allow confined users to communicate with usbguard over unix socket
optional_policy(` optional_policy(`

11
SOURCES/usbguard-selinux-list-dir.patch
Unescape View File

@ -1,11 +0,0 @@
diff -up ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir ./usbguard-selinux-0.0.3/usbguard.te
--- ./usbguard-selinux-0.0.3/usbguard.te.selinux-read-dir 2020-06-09 10:53:03.191977241 +0200
+++ ./usbguard-selinux-0.0.3/usbguard.te 2020-06-09 10:54:21.441965315 +0200
@@ -81,6 +81,7 @@ list_dirs_pattern(usbguard_t,usbguard_co
read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_conf_t)
dontaudit usbguard_t usbguard_conf_t:file write;
+list_dirs_pattern(usbguard_t,usbguard_rules_t,usbguard_rules_t)
read_files_pattern(usbguard_t,usbguard_conf_t,usbguard_rules_t)
manage_dirs_pattern(usbguard_t, usbguard_var_run_t, usbguard_var_run_t)

22
SOURCES/usbguard-selinux-rules-d.patch
Unescape View File

@ -1,22 +0,0 @@
From 008af22f238bfb97f6d337759732ac87bdef7b24 Mon Sep 17 00:00:00 2001
From: alakatos <alakatos@redhat.com>
Date: Mon, 25 May 2020 15:27:38 +0200
Subject: [PATCH] /etc/usrbuard/rules.d(/.*)? has usbguard_rules_t label right
after the installation
---
usbguard.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/usbguard.fc b/usbguard.fc
index bce3e8c..3e14720 100644
--- a/usbguard-selinux-0.0.3/usbguard.fc
+++ b/usbguard-selinux-0.0.3/usbguard.fc
@@ -13,6 +13,7 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+/etc/usbguard/rules\.d(/.*)? gen_context(system_u:object_r:usbguard_rules_t,s0)
/etc/usbguard/rules.conf -- gen_context(system_u:object_r:usbguard_rules_t,s0)
/etc/usbguard(/.*)? gen_context(system_u:object_r:usbguard_conf_t,s0)
/dev/shm/qb-usbguard-.* -- gen_context(system_u:object_r:usbguard_tmpfs_t,s0)

24
SOURCES/usbguard-service-pidfile.patch
Unescape View File

@ -0,0 +1,24 @@
From 6a596441eb91215898542bce4aadabfe396a3875 Mon Sep 17 00:00:00 2001
From: Birger Schacht <1143280+b1rger@users.noreply.github.com>
Date: Mon, 18 Jan 2021 15:00:47 +0000
Subject: [PATCH] Write PIDFile to /run instead of /var/run
According to https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch05s13.html regarding /var/run:
This directory was once intended for system information data describing the system since it was booted. These functions have been moved to /run; this directory exists to ensure compatibility with systems and software using an older version of this specification.
---
usbguard.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usbguard.service.in b/usbguard.service.in
index 0d7e193c..2ec8c633 100644
--- a/usbguard.service.in
+++ b/usbguard.service.in
@@ -12,7 +12,7 @@ IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
-PIDFile=/var/run/usbguard.pid
+PIDFile=/run/usbguard.pid
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes

16
SOURCES/usbguard-validate-acl.patch
Unescape View File

@ -1,6 +1,6 @@
diff --color -ru a/doc/man/usbguard.1.adoc b/doc/man/usbguard.1.adoc diff --color -ru a/doc/man/usbguard.1.adoc b/doc/man/usbguard.1.adoc
--- a/doc/man/usbguard.1.adoc 2021-09-20 09:08:55.134538747 +0200 --- a/doc/man/usbguard.1.adoc 2020-11-23 15:56:12.977847682 +0100
+++ b/doc/man/usbguard.1.adoc 2021-09-20 16:46:48.266557561 +0200 +++ b/doc/man/usbguard.1.adoc 2021-10-14 12:39:11.949947187 +0200
@@ -282,6 +282,7 @@ @@ -282,6 +282,7 @@
.... ....
@ -10,8 +10,8 @@ diff --color -ru a/doc/man/usbguard.1.adoc b/doc/man/usbguard.1.adoc
=== *remove-user* 'name' ['OPTIONS'] === *remove-user* 'name' ['OPTIONS']
diff --color -ru a/doc/man/usbguard-daemon.conf.5.adoc b/doc/man/usbguard-daemon.conf.5.adoc diff --color -ru a/doc/man/usbguard-daemon.conf.5.adoc b/doc/man/usbguard-daemon.conf.5.adoc
--- a/doc/man/usbguard-daemon.conf.5.adoc 2021-09-20 09:08:55.135538763 +0200 --- a/doc/man/usbguard-daemon.conf.5.adoc 2020-11-23 15:56:12.977847682 +0100
+++ b/doc/man/usbguard-daemon.conf.5.adoc 2021-09-20 13:20:09.788855176 +0200 +++ b/doc/man/usbguard-daemon.conf.5.adoc 2021-10-14 12:39:11.953947259 +0200
@@ -162,6 +162,8 @@ @@ -162,6 +162,8 @@
** list: Get values of run-time parameters. ** list: Get values of run-time parameters.
@ -22,8 +22,8 @@ diff --color -ru a/doc/man/usbguard-daemon.conf.5.adoc b/doc/man/usbguard-daemon
It allows one to modify USB device authorization state (`Devices=modify`), list USB devices (`Devices=list`), listen to USB device related events (`Devices=listen`), list USB authorization policy rules (`Policy=list`) and listen to exception events (`Exceptions=listen`): It allows one to modify USB device authorization state (`Devices=modify`), list USB devices (`Devices=list`), listen to USB device related events (`Devices=listen`), list USB authorization policy rules (`Policy=list`) and listen to exception events (`Exceptions=listen`):
diff --color -ru a/src/Library/public/usbguard/IPCServer.cpp b/src/Library/public/usbguard/IPCServer.cpp diff --color -ru a/src/Library/public/usbguard/IPCServer.cpp b/src/Library/public/usbguard/IPCServer.cpp
--- a/src/Library/public/usbguard/IPCServer.cpp 2021-09-20 09:08:55.206539917 +0200 --- a/src/Library/public/usbguard/IPCServer.cpp 2020-11-23 15:56:12.979847655 +0100
+++ b/src/Library/public/usbguard/IPCServer.cpp 2021-09-22 10:38:28.703655497 +0200 +++ b/src/Library/public/usbguard/IPCServer.cpp 2021-10-14 12:39:11.954947277 +0200
@@ -159,18 +159,25 @@ @@ -159,18 +159,25 @@
throw USBGUARD_BUG("Cannot set privileges for NONE section"); throw USBGUARD_BUG("Cannot set privileges for NONE section");
} }
@ -83,8 +83,8 @@ diff --color -ru a/src/Library/public/usbguard/IPCServer.cpp b/src/Library/publi
: d_pointer(usbguard::make_unique<IPCServerPrivate>(*this)) : d_pointer(usbguard::make_unique<IPCServerPrivate>(*this))
{ {
diff --color -ru a/src/Library/public/usbguard/IPCServer.hpp b/src/Library/public/usbguard/IPCServer.hpp diff --color -ru a/src/Library/public/usbguard/IPCServer.hpp b/src/Library/public/usbguard/IPCServer.hpp
--- a/src/Library/public/usbguard/IPCServer.hpp 2021-09-20 09:08:55.200539819 +0200 --- a/src/Library/public/usbguard/IPCServer.hpp 2020-10-11 17:43:43.519295669 +0200
+++ b/src/Library/public/usbguard/IPCServer.hpp 2021-09-20 13:11:31.476803776 +0200 +++ b/src/Library/public/usbguard/IPCServer.hpp 2021-10-14 12:39:11.955947295 +0200
@@ -278,6 +278,17 @@ @@ -278,6 +278,17 @@
}; };

287
SPECS/usbguard.spec
Unescape View File

@ -1,14 +1,14 @@
%global _hardened_build 1 %global _hardened_build 1
%global selinuxtype targeted %global selinuxtype targeted
%global moduletype contrib %global moduletype contrib
%define semodule_version 0.0.3 %define semodule_version 0.0.4
%define notifier_version 0.0.6 %define notifier_version 0.0.6
%bcond_without check %bcond_without check
Name: usbguard Name: usbguard
Version: 1.0.0 Version: 1.0.0
Release: 13%{?dist} Release: 15%{?dist}
Summary: A tool for implementing USB device usage policy Summary: A tool for implementing USB device usage policy
Group: System Environment/Daemons Group: System Environment/Daemons
License: GPLv2+ License: GPLv2+
@ -51,25 +51,21 @@ BuildRequires: libxslt
BuildRequires: libxml2 BuildRequires: libxml2
Patch1: usbguard-0.7.6-notifier.patch Patch1: usbguard-0.7.6-notifier.patch
Patch2: usbguard-selinux-rules-d.patch Patch2: usbguard-audit-capability.patch
Patch3: usbguard-selinux-list-dir.patch Patch3: usbguard-selinux-audit-capability.patch
Patch4: usbguard-selinux-cpuinfo.patch Patch4: usbguard-service-pidfile.patch
Patch5: usbguard-audit-capability.patch Patch5: usbguard-ipc-override-fix.patch
Patch6: usbguard-selinux-audit-capability.patch Patch6: usbguard-validate-acl.patch
Patch7: usbguard-ipaddressdeny.patch Patch7: usbguard-notifier-decrease-spam.patch
Patch8: usbguard-ipc-override-fix.patch Patch8: usbguard-dbus-CVE.patch
Patch9: usbguard-validate-acl.patch Patch9: usbguard-selinux-dbus-CVE.patch
Patch10: usbguard-notifier-decrease-spam.patch Patch10: usbguard-dbus-CVE-leak.patch
Patch11: usbguard-notifier-icon-injection.patch Patch11: usbguard-OOMScoreAdjust.patch
Patch12: usbguard-dbus-CVE.patch Patch12: usbguard-daemon-race-condition.patch
Patch13: usbguard-selinux-dbus-CVE.patch Patch13: usbguard-consistent-rules.patch
Patch14: usbguard-dbus-CVE-leak.patch Patch14: usbguard-missing-doc.patch
Patch15: usbguard-daemon-race-condition.patch Patch15: usbguard-permanent-rules.patch
Patch16: usbguard-OOMScoreAdjust.patch Patch16: usbguard-disable-console-log.patch
Patch17: usbguard-consistent-rules.patch
Patch18: usbguard-missing-doc.patch
Patch19: usbguard-permanent-rules.patch
Patch20: usbguard-disable-console-log.patch
%description %description
The USBGuard software framework helps to protect your computer against rogue USB The USBGuard software framework helps to protect your computer against rogue USB
@ -147,25 +143,21 @@ device presence changes and displays them as pop-up notifications.
rm -rf src/ThirdParty/{Catch,PEGTL} rm -rf src/ThirdParty/{Catch,PEGTL}
%patch1 -p1 -b .notifier %patch1 -p1 -b .notifier
%patch2 -p1 -b .rules-d-selinux %patch2 -p1 -b .audit-write
%patch3 -p1 -b .list-dir %patch3 -p1 -b .selinux-audit-write
%patch4 -p1 -b .cpuinfo %patch4 -p1 -b .pidfile
%patch5 -p1 -b .audit-capability %patch5 -p1 -b .ipc-override-fix
%patch6 -p1 -b .selinux-audit-capability %patch6 -p1 -b .validate-acl
%patch7 -p1 -b .ipaddressdeny %patch7 -p1 -b .notifier-decrease-spam
%patch8 -p1 -b .ipc-override-fix %patch8 -p1 -b .dbus-CVE
%patch9 -p1 -b .validate-acl %patch9 -p1 -b .selinux-dbus-CVE
%patch10 -p1 -b .notifier-decrease-spam %patch10 -p1 -b .dbus-CVE-leak
%patch11 -p1 -b .notifier-icon-injection %patch11 -p1 -b .oomscore-adjust
%patch12 -p1 -b .dbus-CVE %patch12 -p1 -b .race-condition
%patch13 -p1 -b .selinux-dbus-CVE %patch13 -p1 -b .consistent-rules
%patch14 -p1 -b .dbus-CVE-leak %patch14 -p1 -b .missing-doc
%patch15 -p1 -b .daemon-race %patch15 -p1 -b .permanent-rules
%patch16 -p1 -b .OOMScoreAdjust %patch16 -p1 -b .disable-syslog
%patch17 -p1 -b .consistent-rules
%patch18 -p1 -b .missing-doc
%patch19 -p1 -b .permanent-rules
%patch20 -p1 -b .disable-syslog
%build %build
mkdir -p ./m4 mkdir -p ./m4
@ -330,107 +322,146 @@ fi
%changelog %changelog
* Wed Jul 26 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 1.0.0-13 * Thu Jan 12 2023 Attila Lakatos <alakatos@redhat.com> - 1.0.0-15
- Rebuilt for MSVSphere 8.8 - Disable logging to console, logging to syslog is still enabled
Resolves: rhbz#2122109
- Store permanent rules even if RuleFile is not set but RuleFolder is
Resolves: rhbz#2155910
* Thu Jan 12 2023 Attila Lakatos <alakatos@redhat.com> - 1.0.0-13 * Mon Nov 28 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-12
- Set OOMScoreAdjust to -1000 in service file - Set OOMScoreAdjust to -1000 in service file
Resolves: rhbz#2159411 Resolves: rhbz#2097419
- Fix race condition in usbguard-daemon when forking - Fix race condition in usbguard-daemon when forking
Resolves: rhbz#2159409 Resolves: rhbz#2042345
- Add missing files to documentation - Add missing files to documentation
Resolves: rhbz#2159412 Resolves: rhbz#2122107
- Disable logging to console, logging to syslog is still enabled
- Store permanent rules even if RuleFile is not set but RuleFolder is
- Neither RuleFolder nor RuleFile exists bugfix - Neither RuleFolder nor RuleFile exists bugfix
Resolves: rhbz#2159413 Resolves: rhbz#2122109
- Remove build for i686 arch - Remove build for i686 arch
Resolves: rhbz#2105091 Resolves: rhbz#2126622
* Wed Aug 24 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-10 * Tue Aug 16 2022 Attila Lakatos <alakatos@redhat.com> - 1.0.0-11
- Fix unauthorized access via D-bus - Fix unauthorized access via D-bus
- Fix memory leaks on connection failure to D-bus - Fix memory leak when connection to dbus is broken
Resolves: rhbz#2059067 Resolves: rhbz#2059068
* Mon Nov 29 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-8 * Mon Oct 25 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-10
- change usbguard icon injection
- fix DSP module definition in spec file - fix DSP module definition in spec file
Resolves: rhbz#2014441 Resolves: rhbz#2014442
- add execstack to spec
- remove IPAddressDeny from usbguard service
Resolves: rhbz#1929364
- fix file conflict when installing usbguard on rhel
Resolves: rhbz#1963271
- fix IPC access control files override - fix IPC access control files override
Resolves: rhbz#2004511 Resolves: rhbz#2009227
- validate ACL permission existence - validate ACL permission existence
Resolves: rhbz#2005020 Resolves: rhbz#2009229
- decrease usbguard-notifier spam when denied connection - decrease usbguard-notifier spam when denied connection
Resolves: rhbz#2000000 Resolves: rhbz#2009226
* Wed Mar 17 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-2 * Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.0-8
- Add CAP_AUDIT_WRITE capability to service file - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Resolves: rhbz#1940060 Related: rhbz#1991688
* Tue Jan 19 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-1 * Wed Jul 28 2021 Radovan Sroka <rsroka@redhat.com> - 1.0.0-7
- Rebase to 1.0.0 RHEL 9 BETA
Resolves: rhbz#1887448 - starting usbguard service complains about PIDFile= references a path below legacy directory /var/run/
- Filtering rules by attribute Resolves: rhbz#1985627
Resolves: rhbz#1873953 - file conflict when installing usbguard on rhel
- Change device policy of multiple devices using rule instead of ID Resolves: rhbz#1986785
Resolves: rhbz#1852568
* Fri Apr 16 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-6
* Tue Aug 11 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-7 - Clear executable stack flag on usbguard-notifier
- Do not cause segfault in case of an empty rulesd folder Resolves: rhbz#1917544
Resolves: rhbz#1738590
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.0.0-5
* Wed Aug 05 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-6 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
- RHEL 8.3.0 ERRATUM
- Removed execstack from .spec * Fri Feb 19 2021 Attila Lakatos <alakatos@redhat.com> - 1.0.0-4
- Removed AuthorizedDefault=wired from the usbguard - sync with rhel-8.4.0 branch
Resolves: rhbz#1852539 - bundle usbguard-notifier as subpackage
- Missing error message on bad configuration Resolves: rhbz#1917544
Resolves: rhbz#1857299
- /etc/usbguard/usbguard-daemon.conf file does not contain all default options * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0.0-3
Resolves: rhbz#1862907 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jun 17 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-5 * Sat Jan 16 12:49:32 CET 2021 Adrian Reber <adrian@lisas.de> - 1.0.0-2
- RHEL 8.3.0 ERRATUM - Rebuilt for protobuf 3.14
- Use old-fasioned forking style in unit file
Resolves: rhbz#1846885 * Thu Jan 14 2021 Zoltan Fridrich <zfridric@redhat.com> - 1.0.0-1
- Allow usbguard to read /proc/cpuinfo - rebase usbguard to 1.0.0
Resolves: rhbz#1847870 - added support for rules covering combination of classes
- Removed notifier's Requires for usbguard-devel - fix usbguard being killed
Resolves: rhbz#1667395 Resolves: rhbz#1916039
- Allow usbguard to read /dev/urandom Resolves: rhbz#1861330
Resolves: rhbz#1848618 Resolves: rhbz#1905257
* Wed May 06 2020 Attila Lakatos <alakatos@redhat.com> - 0.7.8-4 * Wed Jan 13 14:43:57 CET 2021 Adrian Reber <adrian@lisas.de> - 0.7.8-6
- RHEL 8.3.0 ERRATUM - Rebuilt for protobuf 3.14
- Spec file clean up
- Rebase to 0.7.8 * Thu Sep 24 2020 Adrian Reber <adrian@lisas.de> - 0.7.8-5
Resolves: rhbz#1738590 - Rebuilt for protobuf 3.13
- Added selinux subpackage
Resolves: rhbz#1683567 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.8-4
- Added notifier subpackage - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
- Installing /etc/usbguard/rules.d/
Resolves: rhbz#1667395 * Wed Jun 24 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-3
- Fixed sigwaitinfo handling - rebase selinux tarball to v0.0.4
Resolves: rhbz#1835210 - enable forking style in unit file
- set DevicePolicy to closed in unit file
* Mon Nov 25 2019 Marek Tamaskovic <mtamasko@redhat.com> - 0.7.4-4 - usbguard prevented from writing conf via dontaudit rule
- add match-all keyword Resolves: rhbz#1804713
Resolves: rhbz#1789923
* Tue May 21 2019 Daniel Kopeček <dkopecek@redhat.com> - 0.7.4-3
- spec: make the check phase conditional * Sun Jun 14 2020 Adrian Reber <adrian@lisas.de> - 0.7.8-2
- Rebuilt for protobuf 3.12
* Fri Dec 14 2018 Jiri Vymazal <jvymazal@redhat.com> - 0.7.4-2
Resolves: rhbz#1643057 - usbguard fails to report invalid value in IPCAccessControlFiles directive * Tue May 19 2020 Radovan Sroka <rsroka@redhat.com> - 0.7.8-1
- rebase usbguard to 0.7.8
* Wed Jul 11 2018 Daniel Kopeček <dkopecek@redhat.com> - 0.7.4-1 - rebase usbguard-selinux to 0.0.3
- Update to 0.7.4 - added rules.d/ directory
- Replaced asciidoctor dependency with asciidoc Resolves: rhbz#1808527
- Disabled Qt applet
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.6-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Dec 19 2019 Orion Poplawski <orion@nwra.com> - 0.7.6-7
- Rebuild for protobuf 3.11
* Wed Dec 18 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-6
- fix selinux problems
* Mon Dec 02 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-5
- obsolete applet-qt subpackage
* Mon Nov 25 2019 Attila Lakatos <alakatos@redhat.com> - 0.7.6-4
- added patch for libqb related permission issues
resolves: rhbz#1776357
- added patch to ensure that usbguard-daemons is still running after locked screen
resolves: rhbz#1751861
- added patch to fix permanent device policy changes
* Wed Nov 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-3
- fixed typo in specfile
- usbguard.conf was generated incorrectly
* Wed Nov 13 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-2
- added selinux subpackage
* Mon Nov 11 2019 Radovan Sroka <rsroka@redhat.com> - 0.7.6-1
- rebase to 0.7.6
- removed usbguard-applet subpackage which is not in upstream anymore
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Wed Nov 21 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.7.2-6
- Rebuild for protobuf 3.6
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Apr 05 2018 Daniel Kopeček <dkopecek@redhat.com> - 0.7.2-4
- Update to latest PEGTL API
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-3 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

Write Preview
Loading…
Cancel
Save