diff --git a/.fapolicyd.metadata b/.fapolicyd.metadata index e32261e..871a2d0 100644 --- a/.fapolicyd.metadata +++ b/.fapolicyd.metadata @@ -1,2 +1,2 @@ -1fa6cf3f0a15bbef745438c1ba7b685ebf7e75f1 SOURCES/fapolicyd-1.1.tar.gz +3887d3f97a4f506ad6bf7dcef36b01cc7897a692 SOURCES/fapolicyd-1.1.3.tar.gz bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz diff --git a/.gitignore b/.gitignore index cb0435c..b3fd084 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/fapolicyd-1.1.tar.gz +SOURCES/fapolicyd-1.1.3.tar.gz SOURCES/fapolicyd-selinux-0.4.tar.gz diff --git a/SOURCES/fapolicyd-1.1.1-ld_so.patch b/SOURCES/fapolicyd-1.1.1-ld_so.patch deleted file mode 100644 index a79cca7..0000000 --- a/SOURCES/fapolicyd-1.1.1-ld_so.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -urp fapolicyd-1.1.1.orig/fapolicyd.spec fapolicyd-1.1.1/fapolicyd.spec ---- fapolicyd-1.1.1.orig/fapolicyd.spec 2022-01-28 15:17:55.000000000 -0500 -+++ fapolicyd-1.1.1/fapolicyd.spec 2022-01-28 15:19:31.594155397 -0500 -@@ -30,7 +30,7 @@ makes use of the kernel's fanotify inter - # generate rules for python - sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules - sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules --sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules -+sed -i "s/%ld_so_path%/`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev | sed 's/\//\\\\\//g'`/g" rules.d/*.rules - - %build - %configure \ -diff -urp fapolicyd-1.1.1.orig/m4/dyn_linker.m4 fapolicyd-1.1.1/m4/dyn_linker.m4 ---- fapolicyd-1.1.1.orig/m4/dyn_linker.m4 2022-01-28 15:17:55.000000000 -0500 -+++ fapolicyd-1.1.1/m4/dyn_linker.m4 2022-01-28 15:20:02.048609672 -0500 -@@ -1,6 +1,10 @@ - AC_DEFUN([LD_SO_PATH], - [ -- xpath=`realpath /usr/lib64/ld-2.*.so` -+ xpath1=`readelf -e /usr/bin/bash | grep Requesting | sed 's/.$//' | rev | cut -d" " -f1 | rev` -+ xpath=`realpath $xpath1` -+ if test ! -f "$xpath" ; then -+ AC_MSG_ERROR([Cant find the dynamic linker]) -+ fi - echo "dynamic linker is.....$xpath" - AC_DEFINE_UNQUOTED(SYSTEM_LD_SO, ["$xpath"], [dynamic linker]) - ]) diff --git a/SOURCES/fapolicyd-1.1.1-static.patch b/SOURCES/fapolicyd-1.1.1-static.patch deleted file mode 100644 index 49c371b..0000000 --- a/SOURCES/fapolicyd-1.1.1-static.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff -urp fapolicyd-1.1.1.orig/src/library/event.c fapolicyd-1.1.1/src/library/event.c ---- fapolicyd-1.1.1.orig/src/library/event.c 2022-01-28 15:23:58.000000000 -0500 -+++ fapolicyd-1.1.1/src/library/event.c 2022-01-30 20:11:05.516785465 -0500 -@@ -140,7 +140,14 @@ int new_event(const struct fanotify_even - - // We need to reset everything now that execve has finished - if (s->info->state == STATE_STATIC_PARTIAL && !rc) { -- s->info->state = STATE_STATIC; -+ // If the static app itself launches an app right -+ // away, go back to collecting. -+ if (e->type & FAN_OPEN_EXEC_PERM) -+ s->info->state = STATE_COLLECTING; -+ else { -+ s->info->state = STATE_STATIC; -+ skip_path = 1; -+ } - evict = 0; - skip_path = 1; - subject_reset(s, EXE); diff --git a/SOURCES/fapolicyd-cli-segfault.patch b/SOURCES/fapolicyd-cli-segfault.patch new file mode 100644 index 0000000..45c4699 --- /dev/null +++ b/SOURCES/fapolicyd-cli-segfault.patch @@ -0,0 +1,11 @@ +diff -up ./src/cli/fapolicyd-cli.c.segfault ./src/cli/fapolicyd-cli.c +--- ./src/cli/fapolicyd-cli.c.segfault 2022-08-03 17:51:54.903081124 +0200 ++++ ./src/cli/fapolicyd-cli.c 2022-08-03 17:55:18.256458750 +0200 +@@ -77,6 +77,7 @@ static struct option long_opts[] = + {"ftype", 1, NULL, 't'}, + {"list", 0, NULL, 'l'}, + {"update", 0, NULL, 'u'}, ++ {NULL, 0, NULL, 0 } + }; + + static const char *_pipe = "/run/fapolicyd/fapolicyd.fifo"; diff --git a/SOURCES/fapolicyd-fgets-update-thread.patch b/SOURCES/fapolicyd-fgets-update-thread.patch new file mode 100644 index 0000000..bd8d8ec --- /dev/null +++ b/SOURCES/fapolicyd-fgets-update-thread.patch @@ -0,0 +1,215 @@ +diff -up ./src/cli/fapolicyd-cli.c.upgrade-thread ./src/cli/fapolicyd-cli.c +--- ./src/cli/fapolicyd-cli.c.upgrade-thread 2022-08-03 18:00:02.374999369 +0200 ++++ ./src/cli/fapolicyd-cli.c 2022-08-03 18:00:09.802830497 +0200 +@@ -482,7 +482,7 @@ static int do_update(void) + } + } + +- ssize_t ret = write(fd, "1", 2); ++ ssize_t ret = write(fd, "1\n", 3); + + if (ret == -1) { + fprintf(stderr, "Write: %s -> %s\n", _pipe, strerror(errno)); +diff -up ./src/library/database.c.upgrade-thread ./src/library/database.c +--- ./src/library/database.c.upgrade-thread 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/library/database.c 2022-08-03 17:58:04.034689808 +0200 +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -43,6 +44,7 @@ + #include "message.h" + #include "llist.h" + #include "file.h" ++#include "fd-fgets.h" + + #include "fapolicyd-backend.h" + #include "backend-manager.h" +@@ -1181,6 +1183,7 @@ static void *update_thread_main(void *ar + return NULL; + } + ++ fcntl(ffd[0].fd, F_SETFL, O_NONBLOCK); + ffd[0].events = POLLIN; + + while (!stop) { +@@ -1200,97 +1203,102 @@ static void *update_thread_main(void *ar + } else { + msg(LOG_ERR, "Update poll error (%s)", + strerror_r(errno, err_buff, BUFFER_SIZE)); +- goto err_out; ++ goto finalize; + } + } else if (rc == 0) { + #ifdef DEBUG + msg(LOG_DEBUG, "Update poll timeout expired"); + #endif +- if (db_operation != DB_NO_OP) +- goto handle_db_ops; + continue; + } else { + if (ffd[0].revents & POLLIN) { +- ssize_t count = read(ffd[0].fd, buff, +- BUFFER_SIZE-1); + +- if (count == -1) { +- msg(LOG_ERR, +- "Failed to read from a pipe %s (%s)", +- fifo_path, +- strerror_r(errno, err_buff, +- BUFFER_SIZE)); +- goto err_out; +- } ++ do { ++ fd_fgets_rewind(); ++ int res = fd_fgets(buff, sizeof(buff), ffd[0].fd); + +- if (count == 0) { +-#ifdef DEBUG +- msg(LOG_DEBUG, +- "Buffer contains zero bytes!"); +-#endif +- continue; +- } else // Manually terminate buff +- buff[count] = 0; +-#ifdef DEBUG +- msg(LOG_DEBUG, "Buffer contains: \"%s\"", buff); +-#endif +- for (int i = 0 ; i < count ; i++) { +- // assume file name +- // operation = 0 +- if (buff[i] == '/') { +- db_operation = ONE_FILE; ++ // nothing to read ++ if (res == -1) + break; +- } ++ else if (res > 0) { ++ char* end = strchr(buff, '\n'); + +- if (buff[i] == '1') { +- db_operation = RELOAD_DB; +- break; ++ if (end == NULL) { ++ msg(LOG_ERR, "Too long line?"); ++ continue; ++ } ++ ++ int count = end - buff; ++ ++ *end = '\0'; ++ ++ for (int i = 0 ; i < count ; i++) { ++ // assume file name ++ // operation = 0 ++ if (buff[i] == '/') { ++ db_operation = ONE_FILE; ++ break; ++ } ++ ++ if (buff[i] == '1') { ++ db_operation = RELOAD_DB; ++ break; ++ } ++ ++ if (buff[i] == '2') { ++ db_operation = FLUSH_CACHE; ++ break; ++ } ++ ++ if (isspace(buff[i])) ++ continue; ++ ++ msg(LOG_ERR, "Cannot handle data \"%s\" from pipe", buff); ++ break; ++ } ++ ++ *end = '\n'; ++ ++ // got "1" -> reload db ++ if (db_operation == RELOAD_DB) { ++ db_operation = DB_NO_OP; ++ msg(LOG_INFO, ++ "It looks like there was an update of the system... Syncing DB."); ++ ++ backend_close(); ++ backend_init(config); ++ backend_load(config); ++ ++ if ((rc = update_database(config))) { ++ msg(LOG_ERR, ++ "Cannot update trust database!"); ++ close(ffd[0].fd); ++ backend_close(); ++ unlink_fifo(); ++ exit(rc); ++ } ++ ++ msg(LOG_INFO, "Updated"); ++ ++ // Conserve memory ++ backend_close(); ++ // got "2" -> flush cache ++ } else if (db_operation == FLUSH_CACHE) { ++ db_operation = DB_NO_OP; ++ needs_flush = true; ++ } else if (db_operation == ONE_FILE) { ++ db_operation = DB_NO_OP; ++ if (handle_record(buff)) ++ continue; ++ } + } + +- if (buff[i] == '2') { +- db_operation = FLUSH_CACHE; +- break; +- } +- } +- +-handle_db_ops: +- // got "1" -> reload db +- if (db_operation == RELOAD_DB) { +- db_operation = DB_NO_OP; +- msg(LOG_INFO, +- "It looks like there was an update of the system... Syncing DB."); +- +- backend_close(); +- backend_init(config); +- backend_load(config); +- +- if ((rc = update_database(config))) { +- msg(LOG_ERR, +- "Cannot update trust database!"); +- close(ffd[0].fd); +- backend_close(); +- unlink_fifo(); +- exit(rc); +- } else +- msg(LOG_INFO, "Updated"); +- +- // Conserve memory +- backend_close(); +- // got "2" -> flush cache +- } else if (db_operation == FLUSH_CACHE) { +- db_operation = DB_NO_OP; +- needs_flush = true; +- } else if (db_operation == ONE_FILE) { +- db_operation = DB_NO_OP; +- if (handle_record(buff)) +- continue; +- } ++ } while(!fd_fgets_eof()); + } + } +- + } + +-err_out: ++finalize: + close(ffd[0].fd); + unlink_fifo(); + diff --git a/SOURCES/fapolicyd-openssl.patch b/SOURCES/fapolicyd-openssl.patch new file mode 100644 index 0000000..9ef8ea2 --- /dev/null +++ b/SOURCES/fapolicyd-openssl.patch @@ -0,0 +1,195 @@ +diff -up ./BUILD.md.openssl ./BUILD.md +--- ./BUILD.md.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./BUILD.md 2022-08-02 14:10:48.092466542 +0200 +@@ -16,7 +16,8 @@ BUILD-TIME DEPENDENCIES (fedora and RHEL + * libudev-devel + * kernel-headers + * systemd-devel +-* libgcrypt-devel ++* libgcrypt-devel ( <= fapolicyd-1.1.3) ++* openssl ( >= fapolicyd-1.1.4) + * rpm-devel (optional) + * file + * file-devel +diff -U0 ./ChangeLog.openssl ./ChangeLog +diff -up ./configure.ac.openssl ./configure.ac +--- ./configure.ac.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./configure.ac 2022-08-02 14:10:48.092466542 +0200 +@@ -87,7 +87,7 @@ AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERRO + echo . + echo Checking for required libraries + AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev) +-AC_CHECK_LIB(gcrypt, gcry_md_open, , [AC_MSG_ERROR([libgcrypt not found])], -lgcrypt) ++AC_CHECK_LIB(crypto, SHA256, , [AC_MSG_ERROR([openssl libcrypto not found])], -lcrypto) + AC_CHECK_LIB(magic, magic_descriptor, , [AC_MSG_ERROR([libmagic not found])], -lmagic) + AC_CHECK_LIB(cap-ng, capng_change_id, , [AC_MSG_ERROR([libcap-ng not found])], -lcap-ng) + AC_CHECK_LIB(seccomp, seccomp_rule_add, , [AC_MSG_ERROR([libseccomp not found])], -lseccomp) +diff -up ./fapolicyd.spec.openssl ./fapolicyd.spec +--- ./fapolicyd.spec.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./fapolicyd.spec 2022-08-02 14:10:48.092466542 +0200 +@@ -8,7 +8,7 @@ Source0: https://people.redhat.com/sgrub + BuildRequires: gcc + BuildRequires: kernel-headers + BuildRequires: autoconf automake make gcc libtool +-BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file ++BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file + BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel + BuildRequires: python3-devel + BuildRequires: uthash-devel +diff -up ./src/cli/fapolicyd-cli.c.openssl ./src/cli/fapolicyd-cli.c +--- ./src/cli/fapolicyd-cli.c.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/cli/fapolicyd-cli.c 2022-08-02 14:10:48.093466520 +0200 +@@ -39,7 +39,6 @@ + #include + #include + #include +-#include + #include "policy.h" + #include "database.h" + #include "file-cli.h" +@@ -670,11 +669,6 @@ static int check_trustdb(void) + if (rc) + return 1; + +- // Initialize libgcrypt +- gcry_check_version(NULL); +- gcry_control(GCRYCTL_DISABLE_SECMEM, 0); +- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); +- + do { + unsigned int tsource; // unused + off_t size; +diff -up ./src/library/database.c.openssl ./src/library/database.c +--- ./src/library/database.c.openssl 2022-08-02 14:10:48.090466587 +0200 ++++ ./src/library/database.c 2022-08-02 14:13:11.995236110 +0200 +@@ -35,7 +35,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -244,26 +244,18 @@ static void abort_transaction(MDB_txn *t + static char *path_to_hash(const char *path, const size_t path_len) MALLOCLIKE; + static char *path_to_hash(const char *path, const size_t path_len) + { +- gcry_md_hd_t h; +- unsigned int len; +- unsigned char *hptr; ++ unsigned char hptr[80]; + char *digest; + +- if (gcry_md_open(&h, GCRY_MD_SHA512, GCRY_MD_FLAG_SECURE)) ++ if (path_len == 0) + return NULL; + +- gcry_md_write(h, path, path_len); +- hptr = gcry_md_read(h, GCRY_MD_SHA512); +- +- len = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * sizeof(char); +- digest = malloc((2 * len) + 1); +- if (digest == NULL) { +- gcry_md_close(h); ++ SHA512((unsigned char *)path, path_len, (unsigned char *)&hptr); ++ digest = malloc((SHA512_LEN * 2) + 1); ++ if (digest == NULL) + return digest; +- } + +- bytes2hex(digest, hptr, len); +- gcry_md_close(h); ++ bytes2hex(digest, hptr, SHA512_LEN); + + return digest; + } +@@ -296,7 +288,7 @@ static int write_db(const char *idx, con + if (hash == NULL) + return 5; + key.mv_data = (void *)hash; +- key.mv_size = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * 2 + 1; ++ key.mv_size = (SHA512_LEN * 2) + 1; + } else { + key.mv_data = (void *)idx; + key.mv_size = len; +@@ -416,7 +408,7 @@ static char *lt_read_db(const char *inde + if (hash == NULL) + return NULL; + key.mv_data = (void *)hash; +- key.mv_size = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * 2 + 1; ++ key.mv_size = (SHA512_LEN * 2) + 1; + } else { + key.mv_data = (void *)index; + key.mv_size = len; +diff -up ./src/library/file.c.openssl ./src/library/file.c +--- ./src/library/file.c.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/library/file.c 2022-08-02 14:10:48.094466497 +0200 +@@ -31,7 +31,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -51,7 +51,6 @@ static struct udev *udev; + magic_t magic_cookie; + struct cache { dev_t device; const char *devname; }; + static struct cache c = { 0, NULL }; +-static size_t hash_size = 32; // init so cli doesn't need to call file_init + + // readelf -l path-to-app | grep 'Requesting' | cut -d':' -f2 | tr -d ' ]'; + static const char *interpreters[] = { +@@ -96,12 +95,6 @@ void file_init(void) + msg(LOG_ERR, "Unable to load magic database"); + exit(1); + } +- +- // Initialize libgcrypt +- gcry_check_version(NULL); +- gcry_control(GCRYCTL_DISABLE_SECMEM, 0); +- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); +- hash_size = gcry_md_get_algo_dlen(GCRY_MD_SHA256) * sizeof(char); + } + + +@@ -445,12 +438,12 @@ char *get_hash_from_fd2(int fd, size_t s + if (mapped != MAP_FAILED) { + unsigned char hptr[40]; + +- gcry_md_hash_buffer(GCRY_MD_SHA256, &hptr, mapped, size); ++ SHA256(mapped, size, (unsigned char *)&hptr); + munmap(mapped, size); +- digest = malloc(65); ++ digest = malloc((SHA256_LEN * 2) + 1); + + // Convert to ASCII string +- bytes2hex(digest, hptr, hash_size); ++ bytes2hex(digest, hptr, SHA256_LEN); + } + return digest; + } +@@ -476,7 +469,7 @@ int get_ima_hash(int fd, char *sha) + } + + // Looks like it what we want... +- bytes2hex(sha, &tmp[2], 32); ++ bytes2hex(sha, &tmp[2], SHA256_LEN); + return 1; + } + +diff -up ./src/library/file.h.openssl ./src/library/file.h +--- ./src/library/file.h.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/library/file.h 2022-08-02 14:10:48.094466497 +0200 +@@ -40,6 +40,9 @@ struct file_info + struct timespec time; + }; + ++#define SHA256_LEN 32 ++#define SHA512_LEN 64 ++ + void file_init(void); + void file_close(void); + struct file_info *stat_file_entry(int fd) MALLOCLIKE; diff --git a/SOURCES/fapolicyd-readme.patch b/SOURCES/fapolicyd-readme.patch new file mode 100644 index 0000000..5d93547 --- /dev/null +++ b/SOURCES/fapolicyd-readme.patch @@ -0,0 +1,30 @@ +From b4618d133f473b9bbc36f2a5e94b8b0f257ba3e0 Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Fri, 5 Aug 2022 14:49:30 +0200 +Subject: [PATCH] Add mention that using of names requires name resolution + +- using of user and group names as uid and gid attributes + requires correct name resolution + +Signed-off-by: Radovan Sroka +--- + README.md | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/README.md b/README.md +index d932e00..abc5eee 100644 +--- a/README.md ++++ b/README.md +@@ -131,6 +131,12 @@ You can similarly do this for trusted users that have to execute things in + the home dir. You can create a trusted_user group, add them the group, + and then write a rule allowing them to execute from their home dir. + ++When you want to use user or group name (as a string). You have to guarantee ++that these names were correctly resolved. In case of systemd, you need to add ++a new after target 'After=nss-user-lookup.target'. ++To achieve that you can use `systemctl edit --full fapolicyd`, ++uncomment the respective line and save the change. ++ + ``` + allow perm=any gid=trusted_user : ftype=%languages dir=/home + deny_audit perm=any all : ftype=%languages dir=/home diff --git a/SOURCES/fapolicyd-reorder-rules.patch b/SOURCES/fapolicyd-reorder-rules.patch deleted file mode 100644 index 53a797c..0000000 --- a/SOURCES/fapolicyd-reorder-rules.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 609ffa1d2ed490c7d5c77d2dd2dfdc50f415b935 Mon Sep 17 00:00:00 2001 -From: Radovan Sroka -Date: Thu, 24 Mar 2022 09:59:05 +0100 -Subject: [PATCH] Reorder loop holes with patterns in rules.d - -- this keeps backwards compatibility with older wersions of rules -- the ld_so pattern was applied to root -- it caused problems with running ldd as root(previously unrestricted) - -Signed-off-by: Radovan Sroka ---- - fapolicyd.spec | 6 +++--- - rules.d/{30-dracut.rules => 20-dracut.rules} | 0 - rules.d/{30-updaters.rules => 21-updaters.rules} | 0 - rules.d/{20-patterns.rules => 30-patterns.rules} | 0 - rules.d/Makefile.am | 4 ++-- - rules.d/README-rules | 16 ++++++++-------- - 6 files changed, 13 insertions(+), 13 deletions(-) - rename rules.d/{30-dracut.rules => 20-dracut.rules} (100%) - rename rules.d/{30-updaters.rules => 21-updaters.rules} (100%) - rename rules.d/{20-patterns.rules => 30-patterns.rules} (100%) - -diff --git a/fapolicyd.spec b/fapolicyd.spec -index c2aae21..261b780 100644 ---- a/fapolicyd.spec -+++ b/fapolicyd.spec -@@ -66,9 +66,9 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then - if [ "$files" -eq 0 ] ; then - ## Install the known libs policy - cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/ --cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/ --cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/ --cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/ -+cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/ -+cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/ -+cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/ -diff --git a/rules.d/30-dracut.rules b/rules.d/20-dracut.rules -similarity index 100% -rename from rules.d/30-dracut.rules -rename to rules.d/20-dracut.rules -diff --git a/rules.d/30-updaters.rules b/rules.d/21-updaters.rules -similarity index 100% -rename from rules.d/30-updaters.rules -rename to rules.d/21-updaters.rules -diff --git a/rules.d/20-patterns.rules b/rules.d/30-patterns.rules -similarity index 100% -rename from rules.d/20-patterns.rules -rename to rules.d/30-patterns.rules -diff --git a/rules.d/Makefile.am b/rules.d/Makefile.am -index 76b5377..9bb61a7 100644 ---- a/rules.d/Makefile.am -+++ b/rules.d/Makefile.am -@@ -23,8 +23,8 @@ - - CONFIG_CLEAN_FILES = *.rej *.orig - --EXTRA_DIST = README-rules 10-languages.rules 20-patterns.rules \ -- 30-dracut.rules 30-updaters.rules \ -+EXTRA_DIST = README-rules 10-languages.rules 20-dracut.rules \ -+ 21-updaters.rules 30-patterns.rules \ - 40-bad-elf.rules 41-shared-obj.rules 42-trusted-elf.rules \ - 43-known-elf.rules \ - 70-trusted-lang.rules 71-known-python.rules 72-shell.rules \ -diff --git a/rules.d/README-rules b/rules.d/README-rules -index c03c02b..30fcd01 100644 ---- a/rules.d/README-rules -+++ b/rules.d/README-rules -@@ -5,8 +5,8 @@ sort order. To make things easier to use, the files in this directory are - organized into groups with the following meanings: - - 10 - macros --20 - patterns --30 - loop holes -+20 - loop holes -+30 - patterns - 40 - ELF rules - 50 - user/group access rules - 60 - application access rules -@@ -25,9 +25,9 @@ You can reconstruct the old policy files by including the following: - fapolicyd.rules.known-libs - -------------------------- - 10-languages.rules --20-patterns.rules --30-dracut.rules --30-updaters.rules -+20-dracut.rules -+21-updaters.rules -+30-patterns.rules - 40-bad-elf.rules - 41-shared-obj.rules - 42-trusted-elf.rules -@@ -39,9 +39,9 @@ fapolicyd.rules.known-libs - fapolicyd.rules.restrictive - --------------------------- - 10-languages.rules --20-patterns.rules --30-dracut.rules --30-updaters.rules -+20-dracut.rules -+21-updaters.rules -+30-patterns.rules - 40-bad-elf.rules - 41-shared-obj.rules - 43-known-elf.rules --- -2.35.1 - diff --git a/SOURCES/fapolicyd-selinux.patch b/SOURCES/fapolicyd-selinux.patch index 26fafeb..2ece2d2 100644 --- a/SOURCES/fapolicyd-selinux.patch +++ b/SOURCES/fapolicyd-selinux.patch @@ -1,9 +1,12 @@ -diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te ---- a/fapolicyd-selinux-0.4/fapolicyd.te 2021-03-23 10:21:31.000000000 +0100 -+++ b/fapolicyd-selinux-0.4/fapolicyd.te 2021-11-19 10:24:20.000002248 +0100 -@@ -63,23 +63,13 @@ +diff -up ./fapolicyd-selinux-0.4/fapolicyd.te.selinux ./fapolicyd-selinux-0.4/fapolicyd.te +--- ./fapolicyd-selinux-0.4/fapolicyd.te.selinux 2021-03-23 10:21:31.000000000 +0100 ++++ ./fapolicyd-selinux-0.4/fapolicyd.te 2022-06-29 12:06:57.958124735 +0200 +@@ -61,25 +61,15 @@ corecmd_exec_bin(fapolicyd_t) - files_mmap_usr_files(fapolicyd_t) + domain_read_all_domains_state(fapolicyd_t) + +-files_mmap_usr_files(fapolicyd_t) ++files_mmap_all_files(fapolicyd_t) files_read_all_files(fapolicyd_t) -files_watch_mount_generic_tmp_dirs(fapolicyd_t) -files_watch_with_perm_generic_tmp_dirs(fapolicyd_t) diff --git a/SOURCES/fapolicyd-sighup.patch b/SOURCES/fapolicyd-sighup.patch new file mode 100644 index 0000000..47ee190 --- /dev/null +++ b/SOURCES/fapolicyd-sighup.patch @@ -0,0 +1,141 @@ +diff -up ./src/daemon/fapolicyd.c.sighup ./src/daemon/fapolicyd.c +--- ./src/daemon/fapolicyd.c.sighup 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/daemon/fapolicyd.c 2022-08-04 11:07:10.245069443 +0200 +@@ -527,6 +527,7 @@ int main(int argc, const char *argv[]) + while (!stop) { + if (hup) { + hup = 0; ++ msg(LOG_INFO, "Got SIGHUP"); + reconfigure(); + } + rc = poll(pfd, 2, -1); +diff -up ./src/library/database.c.sighup ./src/library/database.c +--- ./src/library/database.c.sighup 2022-08-04 11:07:10.237069609 +0200 ++++ ./src/library/database.c 2022-08-04 11:08:44.852057119 +0200 +@@ -68,7 +68,7 @@ static int lib_symlink=0, lib64_symlink= + static struct pollfd ffd[1] = { {0, 0, 0} }; + static const char *fifo_path = "/run/fapolicyd/fapolicyd.fifo"; + static integrity_t integrity; +-static atomic_int db_operation; ++static atomic_int reload_db = 0; + + static pthread_t update_thread; + static pthread_mutex_t update_lock; +@@ -1147,7 +1147,31 @@ static int handle_record(const char * bu + + void update_trust_database(void) + { +- db_operation = RELOAD_DB; ++ reload_db = 1; ++} ++ ++static void do_reload_db(conf_t* config) ++{ ++ msg(LOG_INFO,"It looks like there was an update of the system... Syncing DB."); ++ ++ int rc; ++ backend_close(); ++ backend_init(config); ++ backend_load(config); ++ ++ if ((rc = update_database(config))) { ++ msg(LOG_ERR, ++ "Cannot update trust database!"); ++ close(ffd[0].fd); ++ backend_close(); ++ unlink_fifo(); ++ exit(rc); ++ } ++ ++ msg(LOG_INFO, "Updated"); ++ ++ // Conserve memory ++ backend_close(); + } + + static void *update_thread_main(void *arg) +@@ -1158,6 +1182,8 @@ static void *update_thread_main(void *ar + char err_buff[BUFFER_SIZE]; + conf_t *config = (conf_t *)arg; + ++ int do_operation = DB_NO_OP;; ++ + #ifdef DEBUG + msg(LOG_DEBUG, "Update thread main started"); + #endif +@@ -1182,6 +1208,12 @@ static void *update_thread_main(void *ar + + rc = poll(ffd, 1, 1000); + ++ // got SIGHUP ++ if (reload_db) { ++ reload_db = 0; ++ do_reload_db(config); ++ } ++ + #ifdef DEBUG + msg(LOG_DEBUG, "Update poll interrupted"); + #endif +@@ -1228,17 +1260,17 @@ static void *update_thread_main(void *ar + // assume file name + // operation = 0 + if (buff[i] == '/') { +- db_operation = ONE_FILE; ++ do_operation = ONE_FILE; + break; + } + + if (buff[i] == '1') { +- db_operation = RELOAD_DB; ++ do_operation = RELOAD_DB; + break; + } + + if (buff[i] == '2') { +- db_operation = FLUSH_CACHE; ++ do_operation = FLUSH_CACHE; + break; + } + +@@ -1252,34 +1284,16 @@ static void *update_thread_main(void *ar + *end = '\n'; + + // got "1" -> reload db +- if (db_operation == RELOAD_DB) { +- db_operation = DB_NO_OP; +- msg(LOG_INFO, +- "It looks like there was an update of the system... Syncing DB."); +- +- backend_close(); +- backend_init(config); +- backend_load(config); +- +- if ((rc = update_database(config))) { +- msg(LOG_ERR, +- "Cannot update trust database!"); +- close(ffd[0].fd); +- backend_close(); +- unlink_fifo(); +- exit(rc); +- } +- +- msg(LOG_INFO, "Updated"); ++ if (do_operation == RELOAD_DB) { ++ do_operation = DB_NO_OP; ++ do_reload_db(config); + +- // Conserve memory +- backend_close(); + // got "2" -> flush cache +- } else if (db_operation == FLUSH_CACHE) { +- db_operation = DB_NO_OP; ++ } else if (do_operation == FLUSH_CACHE) { ++ do_operation = DB_NO_OP; + needs_flush = true; +- } else if (db_operation == ONE_FILE) { +- db_operation = DB_NO_OP; ++ } else if (do_operation == ONE_FILE) { ++ do_operation = DB_NO_OP; + if (handle_record(buff)) + continue; + } diff --git a/SOURCES/fapolicyd-user-group-doc.patch b/SOURCES/fapolicyd-user-group-doc.patch new file mode 100644 index 0000000..c8cdd75 --- /dev/null +++ b/SOURCES/fapolicyd-user-group-doc.patch @@ -0,0 +1,47 @@ +From fb4c274f4857f2d652014b0189abafb1df4b001a Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Tue, 19 Jul 2022 12:18:18 -0400 +Subject: [PATCH] Add documentation describing support for user/group names + +--- + doc/fapolicyd.rules.5 | 6 +++--- + init/fapolicyd.service | 2 ++ + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/doc/fapolicyd.rules.5 b/doc/fapolicyd.rules.5 +index aa77177..3b8ec09 100644 +--- a/doc/fapolicyd.rules.5 ++++ b/doc/fapolicyd.rules.5 +@@ -35,13 +35,13 @@ The subject is the process that is performing actions on system resources. The f + This matches against any subject. When used, this must be the only subject in the rule. + .TP + .B auid +-This is the login uid that the audit system assigns users when they log in to the system. Daemons have a value of -1. ++This is the login uid that the audit system assigns users when they log in to the system. Daemons have a value of -1. The given value may be numeric or the account name. + .TP + .B uid +-This is the user id that the program is running under. ++This is the user id that the program is running under. The given value may be numeric or the account name. + .TP + .B gid +-This is the group id that the program is running under. ++This is the group id that the program is running under. The given value may be numeric or the group name. + .TP + .B sessionid + This is the numeric session id that the audit system assigns to users when they log in. Daemons have a value of -1. +diff --git a/init/fapolicyd.service b/init/fapolicyd.service +index 715de98..a5a6a3f 100644 +--- a/init/fapolicyd.service ++++ b/init/fapolicyd.service +@@ -11,6 +11,8 @@ PIDFile=/run/fapolicyd.pid + ExecStartPre=/usr/sbin/fagenrules + ExecStart=/usr/sbin/fapolicyd + Restart=on-abnormal ++# Uncomment the following line if rules need user/group name lookup ++#After=nss-user-lookup.target + + [Install] + WantedBy=multi-user.target +-- +2.37.1 + diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec index 020524c..648724e 100644 --- a/SPECS/fapolicyd.spec +++ b/SPECS/fapolicyd.spec @@ -2,11 +2,10 @@ %global moduletype contrib %define semodule_version 0.4 - Summary: Application Whitelisting Daemon Name: fapolicyd -Version: 1.1 -Release: 6%{?dist}.1 +Version: 1.1.3 +Release: 8%{?dist} License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz @@ -14,7 +13,7 @@ Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/relea BuildRequires: gcc BuildRequires: kernel-headers BuildRequires: autoconf automake make gcc libtool -BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file +BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel BuildRequires: python3-devel BuildRequires: python2-devel @@ -32,12 +31,14 @@ Requires(postun): systemd-units # the fapolicyd package because it provides safe upgrade path Patch1: fapolicyd-dnf-plugin.patch Patch2: fapolicyd-selinux.patch -Patch3: fapolicyd-reorder-rules.patch -Patch4: fagenrules-group.patch -# 2069120 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.6.0] -Patch5: fapolicyd-1.1.1-ld_so.patch -# 2084548 - Faulty handling of static applications [rhel-8.6.0.z] -Patch6: fapolicyd-1.1.1-static.patch +Patch3: fagenrules-group.patch + +Patch4: fapolicyd-fgets-update-thread.patch +Patch5: fapolicyd-openssl.patch +Patch6: fapolicyd-user-group-doc.patch +Patch7: fapolicyd-cli-segfault.patch +Patch8: fapolicyd-sighup.patch +Patch9: fapolicyd-readme.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting @@ -66,10 +67,13 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon. %patch1 -p1 -b .plugin %patch2 -p1 -b .selinux -%patch3 -p1 -b .rules -%patch4 -p1 -b .group -%patch5 -p1 -b .ld_so -%patch6 -p1 -b .static +%patch3 -p1 -b .group +%patch4 -p1 -b .update-thread +%patch5 -p1 -b .openssl +%patch6 -p1 -b .user-group +%patch7 -p1 -b .segfault +%patch8 -p1 -b .sighup +%patch9 -p1 -b .readme # generate rules for python sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules @@ -100,7 +104,7 @@ popd %check make check -# selinux +# Selinux %pre selinux %selinux_relabel_pre -s %{selinuxtype} @@ -188,7 +192,7 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then # restore correct label /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/* fi - fagenrules > /dev/null 2>&1 + fagenrules >/dev/null fi fi %systemd_post %{name}.service @@ -258,20 +262,30 @@ fi %selinux_relabel_post -s %{selinuxtype} %changelog -* Thu May 12 2022 Radovan Sroka - 1.1-6.1 -RHEL 8.6.Z ERRATUM +* Fri Aug 05 2022 Radovan Sroka - 1.1.3-8 +RHEL 8.7.0 ERRATUM +- rebase fapolicyd to the latest stable vesion +Resolves: rhbz#2100087 +- fapolicyd does not correctly handle SIGHUP +Resolves: rhbz#2070639 +- fapolicyd often breaks package updates +Resolves: rhbz#2111243 +- drop libgcrypt in favour of openssl +Resolves: rhbz#2111935 +- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works +Resolves: rhbz#2103914 +- fapolicyd gets way too easily killed by OOM killer +Resolves: rhbz#2100089 +- compiled.rules file ownership and mode +Resolves: rhbz#2066653 - Faulty handling of static applications -Resolves: rhbz#2084548 - -* Wed Apr 06 2022 Radovan Sroka - 1.1-6 -RHEL 8.6.0 ERRATUM -- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path -Resolves: rhbz#2069120 - -* Sat Apr 02 2022 Radovan Sroka - 1.1-4 -RHEL 8.6.0 ERRATUM -- fapolicyd denies access to /usr/lib64/ld-2.28.so -Resolves: rhbz#2066300 +Resolves: rhbz#2084497 +- Introduce ppid rule attribute +Resolves: rhbz#2102563 +- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.7.0] +Resolves: rhbz#2069121 +- Fapolicyd denies access to /usr/lib64/ld-2.28.so [rhel-8.7.0] +Resolves: rhbz#2068105 * Wed Feb 16 2022 Radovan Sroka - 1.1-1 RHEL 8.6.0 ERRATUM