From 2d52c9e97e5f18256d248f528350d9e373f2e31c Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 11 2022 04:11:52 +0000
Subject: import fapolicyd-1.1.3-8.el8_7.1


---

diff --git a/SOURCES/fapolicyd-static-app.patch b/SOURCES/fapolicyd-static-app.patch
new file mode 100644
index 0000000..34f4510
--- /dev/null
+++ b/SOURCES/fapolicyd-static-app.patch
@@ -0,0 +1,22 @@
+From 67c116d07ed4e73127392a2100a042882488585a Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 27 Sep 2022 10:32:28 -0400
+Subject: [PATCH] Detect trusted static apps running programs by ld.so
+
+---
+ ChangeLog           | 1 +
+ src/library/event.c | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/library/event.c b/src/library/event.c
+index cbb4292..4d79eb9 100644
+--- a/src/library/event.c
++++ b/src/library/event.c
+@@ -149,7 +149,6 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
+ 				skip_path = 1;
+ 			}
+ 			evict = 0;
+-			skip_path = 1;
+ 			subject_reset(s, EXE);
+ 			subject_reset(s, COMM);
+ 			subject_reset(s, EXE_TYPE);
diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec
index 648724e..5c6408d 100644
--- a/SPECS/fapolicyd.spec
+++ b/SPECS/fapolicyd.spec
@@ -5,7 +5,7 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.1.3
-Release: 8%{?dist}
+Release: 8%{?dist}.1
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@@ -40,6 +40,9 @@ Patch7: fapolicyd-cli-segfault.patch
 Patch8: fapolicyd-sighup.patch
 Patch9: fapolicyd-readme.patch
 
+# 2137251 - statically linked app can execute untrusted app [rhel-8.7.0.z]
+Patch10: fapolicyd-static-app.patch
+
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
 to decide file access rights. Applications that are known via a reputation
@@ -75,6 +78,8 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon.
 %patch8 -p1 -b .sighup
 %patch9 -p1 -b .readme
 
+%patch10 -p1 -b .static
+
 # generate rules for python
 sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules
 sed -i "s|%python3_path%|`readlink -f %{__python3}`|g" rules.d/*.rules
@@ -262,6 +267,11 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 
 %changelog
+* Wed Oct 26 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-8.1
+RHEL 8.7.0.Z ERRATUM
+- statically linked app can execute untrusted app
+Resolves: rhbz#2137251
+
 * Fri Aug 05 2022 Radovan Sroka <rsroka@redhat.com> - 1.1.3-8
 RHEL 8.7.0 ERRATUM
 - rebase fapolicyd to the latest stable vesion