diff --git a/SOURCES/fapolicyd-1.1.1-static.patch b/SOURCES/fapolicyd-1.1.1-static.patch new file mode 100644 index 0000000..49c371b --- /dev/null +++ b/SOURCES/fapolicyd-1.1.1-static.patch @@ -0,0 +1,19 @@ +diff -urp fapolicyd-1.1.1.orig/src/library/event.c fapolicyd-1.1.1/src/library/event.c +--- fapolicyd-1.1.1.orig/src/library/event.c 2022-01-28 15:23:58.000000000 -0500 ++++ fapolicyd-1.1.1/src/library/event.c 2022-01-30 20:11:05.516785465 -0500 +@@ -140,7 +140,14 @@ int new_event(const struct fanotify_even + + // We need to reset everything now that execve has finished + if (s->info->state == STATE_STATIC_PARTIAL && !rc) { +- s->info->state = STATE_STATIC; ++ // If the static app itself launches an app right ++ // away, go back to collecting. ++ if (e->type & FAN_OPEN_EXEC_PERM) ++ s->info->state = STATE_COLLECTING; ++ else { ++ s->info->state = STATE_STATIC; ++ skip_path = 1; ++ } + evict = 0; + skip_path = 1; + subject_reset(s, EXE); diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec index 0dbbc56..020524c 100644 --- a/SPECS/fapolicyd.spec +++ b/SPECS/fapolicyd.spec @@ -6,7 +6,7 @@ Summary: Application Whitelisting Daemon Name: fapolicyd Version: 1.1 -Release: 6%{?dist} +Release: 6%{?dist}.1 License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz @@ -36,6 +36,8 @@ Patch3: fapolicyd-reorder-rules.patch Patch4: fagenrules-group.patch # 2069120 - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path [rhel-8.6.0] Patch5: fapolicyd-1.1.1-ld_so.patch +# 2084548 - Faulty handling of static applications [rhel-8.6.0.z] +Patch6: fapolicyd-1.1.1-static.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting @@ -67,6 +69,7 @@ The %{name}-selinux package contains selinux policy for the %{name} daemon. %patch3 -p1 -b .rules %patch4 -p1 -b .group %patch5 -p1 -b .ld_so +%patch6 -p1 -b .static # generate rules for python sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules @@ -255,7 +258,13 @@ fi %selinux_relabel_post -s %{selinuxtype} %changelog +* Thu May 12 2022 Radovan Sroka - 1.1-6.1 +RHEL 8.6.Z ERRATUM +- Faulty handling of static applications +Resolves: rhbz#2084548 + * Wed Apr 06 2022 Radovan Sroka - 1.1-6 +RHEL 8.6.0 ERRATUM - CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path Resolves: rhbz#2069120