diff --git a/.fapolicyd.metadata b/.fapolicyd.metadata
new file mode 100644
index 0000000..6f3e985
--- /dev/null
+++ b/.fapolicyd.metadata
@@ -0,0 +1 @@
+1b52ecddcc248f1981d8ceb5cf3bc4c3e839be3c SOURCES/fapolicyd-0.9.1.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c89a875
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/fapolicyd-0.9.1.tar.gz
diff --git a/SOURCES/fapolicyd-elf-parser.patch b/SOURCES/fapolicyd-elf-parser.patch
new file mode 100644
index 0000000..f0feac3
--- /dev/null
+++ b/SOURCES/fapolicyd-elf-parser.patch
@@ -0,0 +1,39 @@
+From 2caac530f13bf69a988f65eb109f26a7311936c6 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Thu, 20 Feb 2020 17:58:55 -0500
+Subject: [PATCH] Sanity check e_phentsize in ELF parser
+
+---
+ src/file.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/file.c b/src/file.c
+index 3c9d084..e0d4f85 100644
+--- a/src/file.c
++++ b/src/file.c
+@@ -469,6 +469,12 @@ uint32_t gather_elf(int fd, off_t size)
+ // We want to do a basic size check to make sure
+ unsigned long sz =
+ (unsigned)hdr->e_phentsize * (unsigned)hdr->e_phnum;
++ /* Verify the entry size is right */
++ if ((unsigned)hdr->e_phentsize != sizeof(Elf32_Phdr)) {
++ info |= HAS_ERROR;
++ free(hdr);
++ goto rewind_out;
++ }
+ if (sz > ((unsigned long)size - sizeof(Elf32_Ehdr))) {
+ info |= HAS_ERROR;
+ free(hdr);
+@@ -600,6 +606,12 @@ uint32_t gather_elf(int fd, off_t size)
+ // We want to do a basic size check to make sure
+ unsigned long sz =
+ (unsigned)hdr->e_phentsize * (unsigned)hdr->e_phnum;
++ /* Verify the entry size is right */
++ if ((unsigned)hdr->e_phentsize != sizeof(Elf64_Phdr)) {
++ info |= HAS_ERROR;
++ free(hdr);
++ goto rewind_out;
++ }
+ if (sz > ((unsigned long)size - sizeof(Elf64_Ehdr))) {
+ info |= HAS_ERROR;
+ free(hdr);
diff --git a/SOURCES/fapolicyd-rules.patch b/SOURCES/fapolicyd-rules.patch
new file mode 100644
index 0000000..eefcde1
--- /dev/null
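Review bot: The new `e_phentsize` guard closes the case where an undersized entry shrinks `sz` while the program-header loop still indexes full `Elf32_Phdr`/`Elf64_Phdr` records, but the surviving bounds check still compares `sz` only against `size - sizeof(Elf32_Ehdr)`, i.e. as if the table began right after the ELF header, and nothing in this hunk validates `e_phoff`. If the code outside the hunk seeks to `e_phoff` before reading the table, a table placed near the end of the file passes this check and the read runs past EOF, so the guard should be `if (hdr->e_phoff > (unsigned long)size || sz > (unsigned long)size - hdr->e_phoff)`; likewise `(unsigned long)size - sizeof(Elf32_Ehdr)` wraps to a huge value whenever `size` is smaller than the header, which is only safe if an earlier read already rejected such files. The two hunks are verbatim copies apart from the 32/64-bit types, so the checks are worth pulling into one helper used by both paths. `gather_elf` starts and ends outside the hunk, so how `e_phoff` and `size` are consumed cannot be confirmed from here.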
+++ b/SOURCES/fapolicyd-rules.patch
@@ -0,0 +1,25 @@
+diff -up ./init/fapolicyd.rules.fix ./init/fapolicyd.rules
+--- ./init/fapolicyd.rules.fix 2020-02-11 20:53:48.151150561 +0100
++++ ./init/fapolicyd.rules 2020-02-11 20:55:02.451575384 +0100
+@@ -39,6 +39,10 @@ allow exe=/usr/bin/python2.7 : ftype=app
+ deny_audit perm=any all : ftype=text/x-python
+ #deny_audit perm=any all : ftype=application/octet-stream path=*.pyc
+
++# Allow shell script but block all other languages
++allow perm=execute all : ftype=text/x-shellscript
++allow perm=any all : ftype=text/plain
++
+ #
+ # In this next optional languages section, choose either to
+ # block (default) or allow by commenting or uncommenting the
+@@ -66,10 +70,6 @@ deny_audit perm=any exe=/usr/bin/ruby :
+ #allow perm=open all : ftype=text/x-ruby trust=1
+ #deny_audit perm=any all : ftype=text/x-ruby
+
+-# Allow shell script but block all other languages
+-allow perm=execute all : ftype=text/x-shellscript trust=1
+-allow perm=execute all : ftype=text/plain trust=1
+-
+ # This is a workaround for kernel thinking this is being executed. We
+ # catch actual execution in rule 3.
+ allow perm=execute all : path=/usr/lib64/ld-2.30.so trust=1
diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec
new file mode 100644
index 0000000..2b67eb2
--- /dev/null
+++ b/SPECS/fapolicyd.spec
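Review bot: Dropping `trust=1` from the two re-added rules means any file whose magic classifies as `text/x-shellscript` may be executed, and any `text/plain` file opened or executed, whether or not it is in the trust database, which is a deliberate relaxation of the whitelist (the spec changelog cites running bash scripts from home directories) but the retained comment `# Allow shell script but block all other languages` no longer says so. The `text/plain` rule has also widened from `perm=execute` to `perm=any`, which the comment does not mention either. I would make the trade-off explicit where an administrator hardening the policy will see it: `# Allow shell scripts and plain-text files, trusted or not (e.g. scripts in home directories).` followed by `# To limit these to the trust database, append trust=1 to the two rules below.` The rule set continues outside the hunk, so the position of these rules relative to any later catch-all deny cannot be verified here.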
@@ -0,0 +1,161 @@
+Summary: Application Whitelisting Daemon
+Name: fapolicyd
+Version: 0.9.1
+Release: 4%{?dist}
+License: GPLv3+
+URL: http://people.redhat.com/sgrubb/fapolicyd
+Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
+BuildRequires: kernel-headers
+BuildRequires: autoconf automake make gcc libtool
+BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel
+BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
+BuildRequires: python3-devel
+BuildRequires: python2-devel
+Requires(pre): shadow-utils
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+Patch1: fapolicyd-rules.patch
+Patch2: fapolicyd-elf-parser.patch
+
+%description
+Fapolicyd (File Access Policy Daemon) implements application whitelisting
+to decide file access rights. Applications that are known via a reputation
+source are allowed access while unknown applications are not. The daemon
+makes use of the kernel's fanotify interface to determine file access rights.
+
+
+%prep
+%setup -q
+
+%patch1 -p1 -F3
+%patch2 -p1 -b .elf-parser
+
+# generate rules for python
+sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
+sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
+sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules
+
+%build
+./autogen.sh
+%configure --with-audit
+make CFLAGS="%{optflags}" %{?_smp_mflags}
+
+%install
+make DESTDIR="%{buildroot}" INSTALL='install -p' install
+mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
+install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
+install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
+mkdir -p %{buildroot}/run/%{name}
+
+%pre
+getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
+
+%post
+%systemd_post %{name}.service
+
+%preun
+%systemd_preun %{name}.service
+
+%postun
+%systemd_postun_with_restart %{name}.service
+
+%files
+%doc README.md
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
+%attr(644,root,root) %{_unitdir}/%{name}.service
+%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
+%attr(755,root,root) %{_sbindir}/%{name}
+%attr(755,root,root) %{_sbindir}/%{name}-cli
+%attr(644,root,root) %{_mandir}/man8/*
+%attr(644,root,root) %{_mandir}/man5/*
+%attr(644,root,root) %{_mandir}/man1/*
+%ghost %{_localstatedir}/log/%{name}-access.log
+%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
+%attr(770,root,%{name}) %dir /run/%{name}
+%ghost %{_localstatedir}/run/%{name}/%{name}.fifo
+%ghost %{_localstatedir}/lib/%{name}/data.mdb
+%ghost %{_localstatedir}/lib/%{name}/lock.mdb
+%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
+%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
+
+%changelog
+* Tue Mar 03 2020 Radovan Sroka - 0.9.1-4
+RHEL 8.2 ERRATUM
+- fixed possible heap buffer overflow in elf parser
+Resolves: rhbz#1807912
+
+* Tue Feb 11 2020 Radovan Sroka - 0.9.1-3
+RHEL 8.2 ERRATUM
+- fixed build time python interpreter detection (spec)
+- added python2-devel as a BuildRequires (spec)
+- allow running bash scripts in home directories
+Resolves: rhbz#1801872
+
+* Wed Nov 20 2019 Radovan Sroka - 0.9.1-2
+RHEL 8.2 ERRATUM
+- rebase to v0.9.1
+- updated default configuration with new syntax
+- removed daemon mounts configuration
+Resolves: rhbz#1759895
+- default fapolicyd policy prevents Ansible from running
+- added ansible rule to default ruleset
+Resolves: rhbz#1746464
+- suspicious logs on service start
+Resolves: rhbz#1747494
+- fapolicyd blocks dracut from generating initramfs
+- added dracut rule to default configuration
+Resolves: rhbz#1757736
+- fapolicyd fails to identify perl interpreter
+Resolves: rhbz#1765039
+
+* Wed Jul 24 2019 Radovan Sroka - 0.8.10-3
+- added missing manpage for fapolicyd-cli
+Resolves: rhbz#1708015
+
+* Mon Jul 22 2019 Radovan Sroka - 0.8.10-2
+- Convert hashes to lowercase like sha256sum outputs
+- Stop littering STDOUT output for dnf plugin in fapolicyd
+Resolves: rhbz#1721496
+
+* Tue Jun 18 2019 Radovan Sroka - 0.8.10-1
+- new upstream release
+Resolves: rhbz#1673323
+
+* Mon May 06 2019 Radovan Sroka - 0.8.9-1
+- New upstream release
+- imported from fedora30
+ resolves: rhbz#1673323
+
+* Wed Mar 13 2019 Radovan Sroka - 0.8.8-2
+- backport some patches to resolve dac_override for fapolicyd
+
+* Mon Mar 11 2019 Radovan Sroka - 0.8.8-1
+- New upstream release
+- Added new DNF plugin that can update the trust database when rpms are installed
+- Added support for FAN_OPEN_EXEC_PERM
+
+* Thu Jan 31 2019 Fedora Release Engineering - 0.8.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+
+* Wed Oct 03 2018 Steve Grubb 0.8.7-1
+- New upstream bugfix release
+
+* Fri Jul 13 2018 Fedora Release Engineering - 0.8.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jun 07 2018 Steve Grubb 0.8.6-1
+- New upstream feature release
+
+* Fri May 18 2018 Steve Grubb 0.8.5-2
+- Add dist tag (#1579362)
+
+* Fri Feb 16 2018 Steve Grubb 0.8.5-1
+- New release
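Review bot: `%patch1 -p1 -F3` in `%prep` applies the rules patch with maximum fuzz, and the likely reason is visible in this same commit: the rules patch's trailing context line is `allow perm=execute all : path=/usr/lib64/ld-2.30.so trust=1`, while `%prep` afterwards runs `sed` to replace a `%ld_so_path%` placeholder in the same `init/fapolicyd.rules`, so the patch and the sed appear to target different revisions of the rules file and the patch applies only because fuzz ignores mismatched context. A fuzzed apply can silently land a hunk at the wrong offset on the next rebase, so regenerate the patch against the 0.9.1 rules file and drop `-F3`. Separately, the `find /usr/lib64/ -type f -name 'ld-2\.*.so'` substitution assumes exactly one match; a second match puts a newline inside the `s///` expression and breaks the sed, so either take `| head -n1` or fail the build when the match count is not 1. The applied patch itself (`fapolicyd-elf-parser.patch`) is reviewed in its own hunk above.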