diff --git a/SOURCES/fapolicyd-deleted-suffix.patch b/SOURCES/fapolicyd-deleted-suffix.patch
new file mode 100644
index 0000000..1c450ea
--- /dev/null
+++ b/SOURCES/fapolicyd-deleted-suffix.patch
@@ -0,0 +1,49 @@
+From 8b7ea120670525d9ac7f1698ae7482d691e840a4 Mon Sep 17 00:00:00 2001
+From: Radovan Sroka
+Date: Mon, 9 Nov 2020 17:02:22 +0100
+Subject: [PATCH] Added check for " (deleted)" suffix in get_program_from_fd()
+ (#97)
+
+- get rid of this suffix
+
+Signed-off-by: Radovan Sroka
+
+Removed strstr (#102)
+---
+ src/library/process.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/src/library/process.c b/src/library/process.c
+index edd2cca..6406610 100644
+--- a/src/library/process.c
++++ b/src/library/process.c
+@@ -146,10 +146,24 @@ char *get_program_from_pid(pid_t pid, size_t blen, char *buf)
+ 
+ return buf;
+ }
++
++ size_t len = 0;
+ if ((size_t)path_len < blen)
+- buf[path_len] = 0;
++ len = path_len;
+ else
+- buf[blen-1] = '\0';
++ len = blen-1;
++
++ buf[len] = '\0';
++ // some binaries can be deleted after execution
++ // then we need to delete the suffix so they are
++ // trusted even after deletion
++
++ // strlen(" deleted") == 10
++ if (buf[len-1] == ')' && len > 10) {
++
++ if (strcmp(&buf[len - 10], " (deleted)") == 0)
++ buf[len - 10] = '\0';
++ }
+ 
+ return buf;
+ }
+--
+2.26.2
+
diff --git a/SOURCES/fapolicyd-rules-root.patch b/SOURCES/fapolicyd-rules-root.patch
deleted file mode 100644
index 7870cec..0000000
--- a/SOURCES/fapolicyd-rules-root.patch
+++ /dev/null
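Review bot: In the added `if`, `buf[len-1]` is read before `len > 10` is tested, so a zero-length result (an empty readlink target, or `blen` of 1 which makes `len = blen-1` zero) indexes `buf[-1]` before the guard can reject it; reorder the operands, `if (len > 10 && buf[len-1] == ')') {`. The comment above it names the wrong string: `// strlen(" deleted") == 10` should read `// strlen(" (deleted)") == 10`, since that is the literal compared on the next line. When the path was truncated to `blen-1` the suffix test runs on a partial path and cannot match, so a truncated deleted binary is still reported with whatever tail survived, which is worth a comment on the `else` branch. Whether `len` can actually be zero depends on the `path_len` handling above the hunk; `get_program_from_pid` starts before this hunk.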
@@ -1,26 +0,0 @@
-diff -up ./init/fapolicyd.rules.known-libs.root ./init/fapolicyd.rules.known-libs
---- ./init/fapolicyd.rules.known-libs.root 2020-11-06 22:38:10.308866211 +0100
-+++ ./init/fapolicyd.rules.known-libs 2020-11-06 22:39:17.857469844 +0100
-@@ -6,8 +6,7 @@
- %languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/javascript,text/x-awk,text/x-gawk,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
- 
- # Carve out an exception for dracut initramfs building
--allow perm=any uid=0 : dir=/var/tmp/
--allow perm=any uid=0 trust=1 : all
-+allow perm=any uid=0 : all
- 
- # Prevent execution by ld.so
- deny_audit perm=any pattern=ld_so : all
-diff -up ./init/fapolicyd.rules.restrictive.root ./init/fapolicyd.rules.restrictive
---- ./init/fapolicyd.rules.restrictive.root 2020-11-06 22:38:14.562904224 +0100
-+++ ./init/fapolicyd.rules.restrictive 2020-11-06 22:38:58.440296333 +0100
-@@ -18,8 +18,7 @@
- %languages=application/x-bytecode.ocaml,application/java-archive,text/javascript,text/x-java,text/x-lisp,text/x-lua,text/x-m4,text/x-perl,text/x-php,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
- 
- # Carve out an exception for dracut
--allow perm=any uid=0 : dir=/var/tmp/
--allow perm=any uid=0 trust=1 : all
-+allow perm=any uid=0 : all
- 
- # Prevent execution by ld.so
- deny_audit perm=any pattern=ld_so : all
diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec
index d2602fd..b3e36c1 100644
--- a/SPECS/fapolicyd.spec
+++ b/SPECS/fapolicyd.spec
@@ -6,7 +6,7 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
 Version: 1.0
-Release: 3%{?dist}.2
+Release: 3%{?dist}.3
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@@ -38,7 +38,7 @@ Patch10: fapolicyd-cli-big-buffer.patch Patch11: fapolicyd-get-line.patch Patch12: fapolicyd-man-page-trust.patch -Patch13: fapolicyd-rules-root.patch +Patch13: fapolicyd-deleted-suffix.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting @@ -68,7 +68,6 @@ Requires(post): policycoreutils-python %endif - %description selinux The %{name}-selinux package contains selinux policy for the %{name} daemon. @@ -98,9 +97,8 @@ sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\// %patch11 -p1 -b .get-line %patch12 -p1 -b .man-page-trust - # zstream -%patch13 -p1 -b .root +%patch13 -p1 -b .deleted %build ./autogen.sh 
@@ -141,33 +139,34 @@ find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
 %pre
 getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
 
-%pretrans
-c=/etc/fapolicyd/fapolicyd.rules
-if test -e $c; then
- cat $c | grep -Em1 '^allow' | grep -q 'uid=0 : all' || {
- if systemctl is-active fapolicyd &> dev/null; then
- tmp=`mktemp`
- rpm -qV fapolicyd | grep -q $c || touch /tmp/fapolicyd-cleanup
- cat $c > $tmp
- echo "allow perm=any uid=0 : all" > $c
- cat $tmp >> $c
- rm -f $tmp
- systemctl restart fapolicyd
+%pretrans -p
+if posix.access("/run/fapolicyd.pid", "f") then
+ os.execute([[
+ c=/etc/fapolicyd/fapolicyd.rules
+ release=/etc/redhat-release
+ rule="allow perm=any uid=0 : all"
+ if test -e $release; then
+ if grep -q '8.1' $release; then
+ rule="allow uid=0 all"
+ fi
 fi
- }
-fi
+ if test -e $c; then
+ if systemctl is-active fapolicyd &> /dev/null; then
+ tmp=`mktemp`
+ cat $c > $tmp
+ echo "$rule" > $c
+ cat $tmp >> $c
+ systemctl restart fapolicyd || true
+ cat $tmp > $c
+ rm -f $tmp
+ fi
+ fi
+ ]])
+end
 
 %post
 %systemd_post %{name}.service
 
-c=/etc/fapolicyd/fapolicyd.rules
-if test -e /tmp/fapolicyd-cleanup; then
- cat ${c}.rpmnew > $c
- touch -d "`stat -c %y ${c}.rpmnew`" $c
- rm -f /tmp/fapolicyd-cleanup ${c}.rpmnew
- systemctl restart fapolicyd
-fi
-
 %preun
 %systemd_preun %{name}.service
 
@@ -220,6 +219,10 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 
 %changelog
+* Fri Nov 13 2020 Radovan Sroka - 1.0-3.3
+RHEL 8.3.Z ERRATUM
+Resolves: rhbz#1897090
+
 * Fri Nov 06 2020 Radovan Sroka - 1.0-3.2
 RHEL 8.3.Z ERRATUM
 - selinux requires inlined
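Review bot: `grep -q '8.1' $release` in the new %pretrans body is an unanchored substring match, so it also fires on a release string containing 8.10 or 18.1 and selects the legacy `allow uid=0 all` syntax there; anchor it, e.g. `if grep -qE 'release 8\.1( |$)' $release; then`. The `tmp=\`mktemp\`` result is used unchecked: if mktemp fails, `$tmp` is empty, `cat $c > $tmp` is an ambiguous redirect that writes nothing, `echo "$rule" > $c` still overwrites the rules file, and the later `cat $tmp >> $c` / `cat $tmp > $c` read stdin instead of the saved copy, so the live policy is left as the single permissive rule or truncated; guard it with `tmp=$(mktemp) || exit 0`. Restoring the file with `cat $tmp > $c` only removes the rule from disk, the restarted daemon keeps the `allow perm=any uid=0 : all` it loaded until something restarts it again, and this hunk also drops the `systemctl restart fapolicyd` the old %post performed, so the post-transaction restart should be documented or restored. `%pretrans -p` appears here with no interpreter named; if `<lua>` was not merely lost in rendering, rpm will not run this body as Lua.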