diff --git a/.fapolicyd.metadata b/.fapolicyd.metadata
new file mode 100644
index 0000000..2e63c76
--- /dev/null
+++ b/.fapolicyd.metadata
@@ -0,0 +1 @@
+aadfc739f31ef5497d77174fa95c36b2b98d398b SOURCES/fapolicyd-0.8.10.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..cb03610
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/fapolicyd-0.8.10.tar.gz
diff --git a/SOURCES/fapolicyd-dnf-output.patch b/SOURCES/fapolicyd-dnf-output.patch
new file mode 100644
index 0000000..354d733
--- /dev/null
+++ b/SOURCES/fapolicyd-dnf-output.patch
@@ -0,0 +1,58 @@
+From 5c4efd4cff0459ea65914ce07d7307589206b0cd Mon Sep 17 00:00:00 2001
+From: Radovan Sroka
+Date: Mon, 22 Jul 2019 17:21:59 +0200
+Subject: [PATCH] Removed stdout output for dnf plugin
+
+DNF stdout shouldn't be affected by its plugin.
+---
+ dnf/fapolicyd-dnf-plugin.py | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/dnf/fapolicyd-dnf-plugin.py b/dnf/fapolicyd-dnf-plugin.py
+index 2c9d65e..3de6651 100644
+--- a/dnf/fapolicyd-dnf-plugin.py
++++ b/dnf/fapolicyd-dnf-plugin.py
+@@ -3,6 +3,7 @@
+ import dnf
+ import os
+ import stat
++import sys
+ 
+ class Fapolicyd(dnf.Plugin):
+ 
+@@ -11,30 +12,25 @@ class Fapolicyd(dnf.Plugin):
+ file = None
+ 
+ def __init__(self, base, cli):
+- print("fapolicyd-plugin is installed and active")
+ pass
+ 
+ def transaction(self):
+- print("fapolicy-plugin: sending signal to fapolicy daemon")
+ 
+ if not os.path.exists(self.pipe):
+- print("Pipe does not exist (" + self.pipe + ")")
+- print("Perhaps fapolicy-plugin does not have enough permission")
+- print("or fapolicyd is not running...")
++ sys.stderr.write("Pipe does not exist (" + self.pipe + ")\n")
++ sys.stderr.write("Perhaps fapolicy-plugin does not have enough permissions\n")
++ sys.stderr.write("or fapolicyd is not running...\n")
+ return
+ 
+ if not stat.S_ISFIFO(os.stat(self.pipe).st_mode):
+- print(self.pipe + ": is not a pipe!")
++ sys.stderr.write(self.pipe + ": is not a pipe!\n")
+ return
+ 
+ try:
+ self.file = open(self.pipe, "w")
+ except PermissionError:
+- print("fapolicy-plugin does not have write permission: " + self.pipe)
++ sys.stderr.write("fapolicy-plugin does not have write permission: " + self.pipe + "\n")
+ return
+ 
+ self.file.write("1")
+ self.file.close()
+-
+- print("Fapolicyd was notified")
+-
diff --git a/SOURCES/fapolicyd-hash.patch b/SOURCES/fapolicyd-hash.patch
new file mode 100644
index 0000000..8ec1693
--- /dev/null
+++ b/SOURCES/fapolicyd-hash.patch
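Review bot: The `open(self.pipe, "w")` in `transaction()` still catches only `PermissionError`, so a FIFO that vanishes between the `os.path.exists` check and the open (`FileNotFoundError`) or any other `OSError` propagates into the dnf transaction, and the `exists`/`S_ISFIFO` checks cannot detect the case they print about: a write-only open of a FIFO with no reader blocks until one appears, so a stopped fapolicyd stalls dnf instead of producing the "fapolicyd is not running" hint. Catching `OSError` and writing through a `with` block closes the descriptor on every path; opening with `os.O_WRONLY | os.O_NONBLOCK` would instead fail immediately (ENXIO) when nothing is reading, which is likely the better behaviour for a plugin that runs inside every transaction. The `pipe` attribute and the rest of the class are defined outside this hunk.
```python
        # … unchanged: pipe existence and S_ISFIFO checks …
        try:
            with open(self.pipe, "w") as fifo:
                fifo.write("1")
        except OSError as err:
            sys.stderr.write("fapolicy-plugin: cannot notify fapolicyd via " + self.pipe + ": " + str(err) + "\n")
```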
@@ -0,0 +1,53 @@
+From f5bca29fb408fce7297656c5bb01f70cd452a9d7 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Thu, 20 Jun 2019 14:46:36 -0400
+Subject: [PATCH] Convert hashes to lowercase like sha256sum outputs
+
+---
+ ChangeLog | 1 +
+ doc/fapolicyd.rules.5 | 2 +-
+ src/file.c | 5 +++--
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/doc/fapolicyd.rules.5 b/doc/fapolicyd.rules.5
+index 6b12f03..887bdf7 100644
+--- a/doc/fapolicyd.rules.5
++++ b/doc/fapolicyd.rules.5
+@@ -115,7 +115,7 @@ This option will match against the device that the file being accessed resides o
+ This option matches against the mime type of the file being accessed. See \fBexe_type\fP for more information on determining the mime type.
+ .TP
+ .B sha256hash
+-This option matches against the sha256 hash of the file being accessed.
++This option matches against the sha256 hash of the file being accessed. The hash in the rules should be all lowercase letters and do NOT start with 0x. Lowercase is the default output of sha256sum.
+ .RE
+ 
+ .SH EXAMPLES
+diff --git a/src/file.c b/src/file.c
+index 39d3a58..68e6bf5 100644
+--- a/src/file.c
++++ b/src/file.c
+@@ -1,6 +1,6 @@
+ /*
+ * file.c - functions for accessing attributes of files
+- * Copyright (c) 2016,2018 Red Hat Inc., Durham, North Carolina.
++ * Copyright (c) 2016,2018-19 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This software may be freely redistributed and/or modified under the
+@@ -272,7 +272,7 @@ static char *bytes2hex(char *final, const char *buf, unsigned int size)
+ {
+ unsigned int i;
+ char *ptr = final;
+- const char *hex = "0123456789ABCDEF";
++ const char *hex = "0123456789abcdef";
+ 
+ for (i=0; i>4]; /* Upper nibble */
+@@ -307,6 +307,7 @@ char *get_hash_from_fd(int fd)
+ return NULL;
+ 
+ // read in a buffer at a time and hand to gcrypt
++ lseek(fd, 0, SEEK_SET);
+ while ((len = safe_read(fd, fbuf, 4096)) > 0) {
+ gcry_md_write(ctx, fbuf, len);
+ if (len != 4096)
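Review bot: Switching `hex` in `bytes2hex()` to lowercase means any existing `sha256hash=` rule written with uppercase digits (the form this build produced until now) silently stops matching, and for a deny rule that is a quiet loss of the intended control; unless the rule loader already normalizes case (not visible in this patch), it should lowercase the configured value with `tolower()` or reject a non-lowercase hash at load time with a clear error, since the man-page sentence added above only helps rules written after the change. The new `lseek(fd, 0, SEEK_SET);` in `get_hash_from_fd()` discards its result, so on a non-seekable descriptor or an error the digest is computed from whatever offset the fd happens to be at and then used as if it covered the whole file; `if (lseek(fd, 0, SEEK_SET) == (off_t)-1) return NULL;` (after releasing `ctx`, whose cleanup path is outside this hunk) makes that failure visible instead. The diffstat lists a ChangeLog hunk that is not in the patch, presumably trimmed on purpose.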
diff --git a/SOURCES/fapolicyd-manpage.patch b/SOURCES/fapolicyd-manpage.patch
new file mode 100644
index 0000000..0c268d7
--- /dev/null
+++ b/SOURCES/fapolicyd-manpage.patch
@@ -0,0 +1,127 @@
+From 51bfe6f1336d8924ebfab5839412833387a618e1 Mon Sep 17 00:00:00 2001
+From: Scorpion
+Date: Wed, 10 Jul 2019 16:20:13 +0200
+Subject: [PATCH] manpage for fapolicyd-cli added (#38)
+
+---
+ doc/Makefile.am | 2 +-
+ doc/fapolicyd-cli.1 | 22 ++++++++++++++++++++++
+ doc/fapolicyd.8 | 3 ++-
+ doc/fapolicyd.conf.5 | 7 ++++---
+ doc/fapolicyd.rules.5 | 5 +++--
+ fapolicyd.spec | 1 +
+ 6 files changed, 33 insertions(+), 7 deletions(-)
+ create mode 100644 doc/fapolicyd-cli.1
+
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index 7fabe91..bd56170 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -22,5 +22,5 @@
+ 
+ EXTRA_DIST = $(man_MANS)
+ 
+-man_MANS = fapolicyd.8 fapolicyd.rules.5 fapolicyd.conf.5
++man_MANS = fapolicyd.8 fapolicyd-cli.1 fapolicyd.rules.5 fapolicyd.conf.5
+ 
+diff --git a/doc/fapolicyd-cli.1 b/doc/fapolicyd-cli.1
+new file mode 100644
+index 0000000..85d29cf
+--- /dev/null
++++ b/doc/fapolicyd-cli.1
+@@ -0,0 +1,22 @@
++.TH "FAPOLICYD-CLI" "1" "July 2019" "Red Hat" "System Administration Utilities"
++.SH NAME
++fapolicyd-cli \- Fapolicyd CLI Tool
++.SH SYNOPSIS
++\fBfapolicyd-cli\fP [\fIoptions\fP]
++.SH DESCRIPTION
++Fapolicyd CLI Tool.
++.SH OPTIONS
++.TP
++.B \-h, \-\-help
++Prints this help message.
++.TP
++.B \-u, \-\-update
++Notifies fapolicyd to perform update of database.
++.SH "SEE ALSO"
++.BR fapolicyd (8),
++.BR fapolicyd.rules (5)
++and
++.BR fapolicyd.conf (5)
++
++.SH AUTHOR
++Zoltan Fridrich
+diff --git a/doc/fapolicyd.8 b/doc/fapolicyd.8
+index 01745d4..3cfaaef 100644
+--- a/doc/fapolicyd.8
++++ b/doc/fapolicyd.8
+@@ -1,4 +1,4 @@
+-.TH "FAPOLICYD" "8" "June 2018" "Red Hat" "System Administration Utilities"
++.TH "FAPOLICYD" "8" "July 2019" "Red Hat" "System Administration Utilities"
+ .SH NAME
+ fapolicyd \- File Access Policy Daemon
+ .SH SYNOPSIS
+@@ -58,6 +58,7 @@ To get audit events, you must have auditing enabled and at least one systemcall
+ - information about what was being accessed.
+ 
+ .SH "SEE ALSO"
++.BR fapolicyd-cli (1),
+ .BR fapolicyd.rules (5)
+ and
+ .BR fapolicyd.conf (5)
+diff --git a/doc/fapolicyd.conf.5 b/doc/fapolicyd.conf.5
+index 2e758cc..87e994c 100644
+--- a/doc/fapolicyd.conf.5
++++ b/doc/fapolicyd.conf.5
+@@ -1,4 +1,4 @@
+-.TH FAPOLICYD.CONF: "5" "June 2018" "Red Hat" "System Administration Utilities"
++.TH FAPOLICYD.CONF: "5" "July 2019" "Red Hat" "System Administration Utilities"
+ .SH NAME
+ fapolicyd.conf \- fapolicyd configuration file
+ .SH DESCRIPTION
+@@ -47,9 +47,10 @@ This option controls how many entries the subject cache holds. You want the size
+ This option controls how many entries the object cache holds. You want the size to be big enough that you are not getting too many evictions compared to hits. But you don't want to waste memory. Whenever there is an eviction, fapolicyd has to regenerate information about the subject and this slows performance. The default value is 4096.
+ 
+ .SH "SEE ALSO"
+-.BR fapolicyd(8)
++.BR fapolicyd (8),
++.BR fapolicyd-cli (1)
+ and
+-.BR fapolicy.rules(5).
++.BR fapolicy.rules (5).
+ 
+ .SH AUTHOR
+ Steve Grubb
+diff --git a/doc/fapolicyd.rules.5 b/doc/fapolicyd.rules.5
+index 887bdf7..067fa43 100644
+--- a/doc/fapolicyd.rules.5
++++ b/doc/fapolicyd.rules.5
+@@ -1,4 +1,4 @@
+-.TH FAPOLICYD.RULES: "7" "May 2016" "Red Hat" "System Administration Utilities"
++.TH FAPOLICYD.RULES: "7" "July 2019" "Red Hat" "System Administration Utilities"
+ .SH NAME
+ fapolicyd.rules \- fapolicyd rules to determine access rights
+ .SH DESCRIPTION
+@@ -129,7 +129,8 @@ The following rules show how rules may look.
+ .fi
+ 
+ .SH "SEE ALSO"
+-.BR fapolicyd (8)
++.BR fapolicyd (8),
++.BR fapolicyd-cli (1)
+ and
+ .BR fapolicyd.conf (5)
+ 
+diff --git a/fapolicyd.spec b/fapolicyd.spec
+index 66656b6..fed4dd4 100644
+--- a/fapolicyd.spec
++++ b/fapolicyd.spec
+@@ -61,6 +61,7 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam
+ %attr(755,root,root) %{_sbindir}/%{name}-cli
+ %attr(644,root,root) %{_mandir}/man8/*
+ %attr(644,root,root) %{_mandir}/man5/*
++%attr(644,root,root) %{_mandir}/man1/*
+ %ghost %{_localstatedir}/log/%{name}-access.log
+ %attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
+ %attr(770,root,%{name}) %dir /run/%{name}
diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec
new file mode 100644
index 0000000..e407dcf
--- /dev/null
+++ b/SPECS/fapolicyd.spec
@@ -0,0 +1,134 @@
+Summary: Application Whitelisting Daemon
+Name: fapolicyd
+Version: 0.8.10
+Release: 3%{?dist}
+License: GPLv3+
+URL: http://people.redhat.com/sgrubb/fapolicyd
+Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
+BuildRequires: kernel-headers
+BuildRequires: autoconf automake make gcc libtool
+BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel
+BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
+BuildRequires: python3-devel
+Requires(pre): shadow-utils
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+# Convert hashes to lowercase like sha256sum outputs
+Patch1: fapolicyd-hash.patch
+
+# Removed stdout output for dnf plugin
+# 1721496 - Stop littering STDOUT output for dnf plugin in fapolicyd
+Patch2: fapolicyd-dnf-output.patch
+
+# Added missing manpage for fapolicyd-cli
+Patch3: fapolicyd-manpage.patch
+
+%description
+Fapolicyd (File Access Policy Daemon) implements application whitelisting
+to decide file access rights. Applications that are known via a reputation
+source are allowed access while unknown applications are not. The daemon
+makes use of the kernel's fanotify interface to determine file access rights.
+
+%prep
+%setup -q
+
+%patch1 -p1 -b .hash
+%patch2 -p1 -b .dnf-output
+%patch3 -p1 -b .manpage
+
+%build
+./autogen.sh
+%configure --with-audit
+make CFLAGS="%{optflags}" %{?_smp_mflags}
+
+%install
+make DESTDIR="%{buildroot}" INSTALL='install -p' install
+mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/
+install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/
+install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
+mkdir -p %{buildroot}/run/%{name}
+
+%pre
+getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
+
+%post
+%systemd_post %{name}.service
+
+%preun
+%systemd_preun %{name}.service
+
+%postun
+%systemd_postun_with_restart %{name}.service
+
+%files
+%doc README.md
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.mounts
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
+%attr(644,root,root) %{_unitdir}/%{name}.service
+%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
+%attr(755,root,root) %{_sbindir}/%{name}
+%attr(755,root,root) %{_sbindir}/%{name}-cli
+%attr(644,root,root) %{_mandir}/man8/*
+%attr(644,root,root) %{_mandir}/man5/*
+%attr(644,root,root) %{_mandir}/man1/*
+%ghost %{_localstatedir}/log/%{name}-access.log
+%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
+%attr(770,root,%{name}) %dir /run/%{name}
+%ghost %{_localstatedir}/run/%{name}/%{name}.fifo
+%ghost %{_localstatedir}/lib/%{name}/data.mdb
+%ghost %{_localstatedir}/lib/%{name}/lock.mdb
+%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py
+%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc
+
+%changelog
+* Wed Jul 24 2019 Radovan Sroka - 0.8.10-3
+- added missing manpage for fapolicyd-cli
+Resolves: rhbz#1708015
+
+* Mon Jul 22 2019 Radovan Sroka - 0.8.10-2
+- Convert hashes to lowercase like sha256sum outputs
+- Stop littering STDOUT output for dnf plugin in fapolicyd
+Resolves: rhbz#1721496
+
+* Tue Jun 18 2019 Radovan Sroka - 0.8.10-1
+- new upstream release
+Resolves: rhbz#1673323
+
+* Mon May 06 2019 Radovan Sroka - 0.8.9-1
+- New upstream release
+- imported from fedora30
+ resolves: rhbz#1673323
+
+* Wed Mar 13 2019 Radovan Sroka - 0.8.8-2
+- backport some patches to resolve dac_override for fapolicyd
+
+* Mon Mar 11 2019 Radovan Sroka - 0.8.8-1
+- New upstream release
+- Added new DNF plugin that can update the trust database when rpms are installed
+- Added support for FAN_OPEN_EXEC_PERM
+
+* Thu Jan 31 2019 Fedora Release Engineering - 0.8.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+
+* Wed Oct 03 2018 Steve Grubb 0.8.7-1
+- New upstream bugfix release
+
+* Fri Jul 13 2018 Fedora Release Engineering - 0.8.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jun 07 2018 Steve Grubb 0.8.6-1
+- New upstream feature release
+
+* Fri May 18 2018 Steve Grubb 0.8.5-2
+- Add dist tag (#1579362)
+
+* Fri Feb 16 2018 Steve Grubb 0.8.5-1
+- New release
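Review bot: The `%files` section ghosts the control FIFO as `%{_localstatedir}/run/%{name}/%{name}.fifo` while the directory holding it is declared as `%dir /run/%{name}` (and created as `%{buildroot}/run/%{name}` in `%install`), so the same location is spelled two ways and rpm records them as distinct paths; `%ghost /run/%{name}/%{name}.fifo` keeps the manifest consistent with the `%dir` line. That FIFO is the channel the packaged dnf plugin writes to in order to trigger a trust-database update, so the mode it is created with (set by the daemon or by `init/%{name}-tmpfiles.conf`, neither visible here) should remain as restrictive as the `770 root:%{name}` directory around it; worth confirming when the tmpfiles entry is reviewed. `URL:` still uses `http://` while `Source0:` uses `https://`; aligning them avoids a plaintext fetch by tooling that follows the project URL.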