diff --git a/.fapolicyd.metadata b/.fapolicyd.metadata index 6c6ff97..69bf84e 100644 --- a/.fapolicyd.metadata +++ b/.fapolicyd.metadata @@ -1,3 +1,3 @@ -1fa6cf3f0a15bbef745438c1ba7b685ebf7e75f1 SOURCES/fapolicyd-1.1.tar.gz +3887d3f97a4f506ad6bf7dcef36b01cc7897a692 SOURCES/fapolicyd-1.1.3.tar.gz bdbe20a4db2cd58073abf17a537e3a6766cdea21 SOURCES/fapolicyd-selinux-0.4.tar.gz fbafa356359ace80787ce6634d84425b40d90907 SOURCES/uthash-2.3.0.tar.gz diff --git a/.gitignore b/.gitignore index f9a4168..fe11fe7 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -SOURCES/fapolicyd-1.1.tar.gz +SOURCES/fapolicyd-1.1.3.tar.gz SOURCES/fapolicyd-selinux-0.4.tar.gz SOURCES/uthash-2.3.0.tar.gz diff --git a/SOURCES/fagenrules-group.patch b/SOURCES/fagenrules-group.patch new file mode 100644 index 0000000..744bb64 --- /dev/null +++ b/SOURCES/fagenrules-group.patch @@ -0,0 +1,13 @@ +diff -up ./init/fagenrules.fix ./init/fagenrules +--- ./init/fagenrules.fix 2022-04-01 16:12:50.512164904 +0200 ++++ ./init/fagenrules 2022-04-01 16:21:07.924712100 +0200 +@@ -117,7 +117,8 @@ fi + + # We copy the file so that it gets the right selinux label + cp ${TmpRules} ${DestinationFile} +-chmod 0640 ${DestinationFile} ++chmod 0644 ${DestinationFile} ++chgrp fapolicyd ${DestinationFile} + + # Restore context on MLS system. + # /tmp is SystemLow & fapolicyd.rules is SystemHigh diff --git a/SOURCES/fapolicyd-cli-segfault.patch b/SOURCES/fapolicyd-cli-segfault.patch new file mode 100644 index 0000000..45c4699 --- /dev/null +++ b/SOURCES/fapolicyd-cli-segfault.patch @@ -0,0 +1,11 @@ +diff -up ./src/cli/fapolicyd-cli.c.segfault ./src/cli/fapolicyd-cli.c +--- ./src/cli/fapolicyd-cli.c.segfault 2022-08-03 17:51:54.903081124 +0200 ++++ ./src/cli/fapolicyd-cli.c 2022-08-03 17:55:18.256458750 +0200 +@@ -77,6 +77,7 @@ static struct option long_opts[] = + {"ftype", 1, NULL, 't'}, + {"list", 0, NULL, 'l'}, + {"update", 0, NULL, 'u'}, ++ {NULL, 0, NULL, 0 } + }; + + static const char *_pipe = "/run/fapolicyd/fapolicyd.fifo"; diff --git a/SOURCES/fapolicyd-fgets-update-thread.patch b/SOURCES/fapolicyd-fgets-update-thread.patch new file mode 100644 index 0000000..bd8d8ec --- /dev/null +++ b/SOURCES/fapolicyd-fgets-update-thread.patch @@ -0,0 +1,215 @@ +diff -up ./src/cli/fapolicyd-cli.c.upgrade-thread ./src/cli/fapolicyd-cli.c +--- ./src/cli/fapolicyd-cli.c.upgrade-thread 2022-08-03 18:00:02.374999369 +0200 ++++ ./src/cli/fapolicyd-cli.c 2022-08-03 18:00:09.802830497 +0200 +@@ -482,7 +482,7 @@ static int do_update(void) + } + } + +- ssize_t ret = write(fd, "1", 2); ++ ssize_t ret = write(fd, "1\n", 3); + + if (ret == -1) { + fprintf(stderr, "Write: %s -> %s\n", _pipe, strerror(errno)); +diff -up ./src/library/database.c.upgrade-thread ./src/library/database.c +--- ./src/library/database.c.upgrade-thread 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/library/database.c 2022-08-03 17:58:04.034689808 +0200 +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -43,6 +44,7 @@ + #include "message.h" + #include "llist.h" + #include "file.h" ++#include "fd-fgets.h" + + #include "fapolicyd-backend.h" + #include "backend-manager.h" +@@ -1181,6 +1183,7 @@ static void *update_thread_main(void *ar + return NULL; + } + ++ fcntl(ffd[0].fd, F_SETFL, O_NONBLOCK); + ffd[0].events = POLLIN; + + while (!stop) { +@@ -1200,97 +1203,102 @@ static void *update_thread_main(void *ar + } else { + msg(LOG_ERR, "Update poll error (%s)", + strerror_r(errno, err_buff, BUFFER_SIZE)); +- goto err_out; ++ goto finalize; + } + } else if (rc == 0) { + #ifdef DEBUG + msg(LOG_DEBUG, "Update poll timeout expired"); + #endif +- if (db_operation != DB_NO_OP) +- goto handle_db_ops; + continue; + } else { + if (ffd[0].revents & POLLIN) { +- ssize_t count = read(ffd[0].fd, buff, +- BUFFER_SIZE-1); + +- if (count == -1) { +- msg(LOG_ERR, +- "Failed to read from a pipe %s (%s)", +- fifo_path, +- strerror_r(errno, err_buff, +- BUFFER_SIZE)); +- goto err_out; +- } ++ do { ++ fd_fgets_rewind(); ++ int res = fd_fgets(buff, sizeof(buff), ffd[0].fd); + +- if (count == 0) { +-#ifdef DEBUG +- msg(LOG_DEBUG, +- "Buffer contains zero bytes!"); +-#endif +- continue; +- } else // Manually terminate buff +- buff[count] = 0; +-#ifdef DEBUG +- msg(LOG_DEBUG, "Buffer contains: \"%s\"", buff); +-#endif +- for (int i = 0 ; i < count ; i++) { +- // assume file name +- // operation = 0 +- if (buff[i] == '/') { +- db_operation = ONE_FILE; ++ // nothing to read ++ if (res == -1) + break; +- } ++ else if (res > 0) { ++ char* end = strchr(buff, '\n'); + +- if (buff[i] == '1') { +- db_operation = RELOAD_DB; +- break; ++ if (end == NULL) { ++ msg(LOG_ERR, "Too long line?"); ++ continue; ++ } ++ ++ int count = end - buff; ++ ++ *end = '\0'; ++ ++ for (int i = 0 ; i < count ; i++) { ++ // assume file name ++ // operation = 0 ++ if (buff[i] == '/') { ++ db_operation = ONE_FILE; ++ break; ++ } ++ ++ if (buff[i] == '1') { ++ db_operation = RELOAD_DB; ++ break; ++ } ++ ++ if (buff[i] == '2') { ++ db_operation = FLUSH_CACHE; ++ break; ++ } ++ ++ if (isspace(buff[i])) ++ continue; ++ ++ msg(LOG_ERR, "Cannot handle data \"%s\" from pipe", buff); ++ break; ++ } ++ ++ *end = '\n'; ++ ++ // got "1" -> reload db ++ if (db_operation == RELOAD_DB) { ++ db_operation = DB_NO_OP; ++ msg(LOG_INFO, ++ "It looks like there was an update of the system... Syncing DB."); ++ ++ backend_close(); ++ backend_init(config); ++ backend_load(config); ++ ++ if ((rc = update_database(config))) { ++ msg(LOG_ERR, ++ "Cannot update trust database!"); ++ close(ffd[0].fd); ++ backend_close(); ++ unlink_fifo(); ++ exit(rc); ++ } ++ ++ msg(LOG_INFO, "Updated"); ++ ++ // Conserve memory ++ backend_close(); ++ // got "2" -> flush cache ++ } else if (db_operation == FLUSH_CACHE) { ++ db_operation = DB_NO_OP; ++ needs_flush = true; ++ } else if (db_operation == ONE_FILE) { ++ db_operation = DB_NO_OP; ++ if (handle_record(buff)) ++ continue; ++ } + } + +- if (buff[i] == '2') { +- db_operation = FLUSH_CACHE; +- break; +- } +- } +- +-handle_db_ops: +- // got "1" -> reload db +- if (db_operation == RELOAD_DB) { +- db_operation = DB_NO_OP; +- msg(LOG_INFO, +- "It looks like there was an update of the system... Syncing DB."); +- +- backend_close(); +- backend_init(config); +- backend_load(config); +- +- if ((rc = update_database(config))) { +- msg(LOG_ERR, +- "Cannot update trust database!"); +- close(ffd[0].fd); +- backend_close(); +- unlink_fifo(); +- exit(rc); +- } else +- msg(LOG_INFO, "Updated"); +- +- // Conserve memory +- backend_close(); +- // got "2" -> flush cache +- } else if (db_operation == FLUSH_CACHE) { +- db_operation = DB_NO_OP; +- needs_flush = true; +- } else if (db_operation == ONE_FILE) { +- db_operation = DB_NO_OP; +- if (handle_record(buff)) +- continue; +- } ++ } while(!fd_fgets_eof()); + } + } +- + } + +-err_out: ++finalize: + close(ffd[0].fd); + unlink_fifo(); + diff --git a/SOURCES/fapolicyd-openssl.patch b/SOURCES/fapolicyd-openssl.patch new file mode 100644 index 0000000..9ef8ea2 --- /dev/null +++ b/SOURCES/fapolicyd-openssl.patch @@ -0,0 +1,195 @@ +diff -up ./BUILD.md.openssl ./BUILD.md +--- ./BUILD.md.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./BUILD.md 2022-08-02 14:10:48.092466542 +0200 +@@ -16,7 +16,8 @@ BUILD-TIME DEPENDENCIES (fedora and RHEL + * libudev-devel + * kernel-headers + * systemd-devel +-* libgcrypt-devel ++* libgcrypt-devel ( <= fapolicyd-1.1.3) ++* openssl ( >= fapolicyd-1.1.4) + * rpm-devel (optional) + * file + * file-devel +diff -U0 ./ChangeLog.openssl ./ChangeLog +diff -up ./configure.ac.openssl ./configure.ac +--- ./configure.ac.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./configure.ac 2022-08-02 14:10:48.092466542 +0200 +@@ -87,7 +87,7 @@ AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERRO + echo . + echo Checking for required libraries + AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev) +-AC_CHECK_LIB(gcrypt, gcry_md_open, , [AC_MSG_ERROR([libgcrypt not found])], -lgcrypt) ++AC_CHECK_LIB(crypto, SHA256, , [AC_MSG_ERROR([openssl libcrypto not found])], -lcrypto) + AC_CHECK_LIB(magic, magic_descriptor, , [AC_MSG_ERROR([libmagic not found])], -lmagic) + AC_CHECK_LIB(cap-ng, capng_change_id, , [AC_MSG_ERROR([libcap-ng not found])], -lcap-ng) + AC_CHECK_LIB(seccomp, seccomp_rule_add, , [AC_MSG_ERROR([libseccomp not found])], -lseccomp) +diff -up ./fapolicyd.spec.openssl ./fapolicyd.spec +--- ./fapolicyd.spec.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./fapolicyd.spec 2022-08-02 14:10:48.092466542 +0200 +@@ -8,7 +8,7 @@ Source0: https://people.redhat.com/sgrub + BuildRequires: gcc + BuildRequires: kernel-headers + BuildRequires: autoconf automake make gcc libtool +-BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file ++BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file + BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel + BuildRequires: python3-devel + BuildRequires: uthash-devel +diff -up ./src/cli/fapolicyd-cli.c.openssl ./src/cli/fapolicyd-cli.c +--- ./src/cli/fapolicyd-cli.c.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/cli/fapolicyd-cli.c 2022-08-02 14:10:48.093466520 +0200 +@@ -39,7 +39,6 @@ + #include + #include + #include +-#include + #include "policy.h" + #include "database.h" + #include "file-cli.h" +@@ -670,11 +669,6 @@ static int check_trustdb(void) + if (rc) + return 1; + +- // Initialize libgcrypt +- gcry_check_version(NULL); +- gcry_control(GCRYCTL_DISABLE_SECMEM, 0); +- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); +- + do { + unsigned int tsource; // unused + off_t size; +diff -up ./src/library/database.c.openssl ./src/library/database.c +--- ./src/library/database.c.openssl 2022-08-02 14:10:48.090466587 +0200 ++++ ./src/library/database.c 2022-08-02 14:13:11.995236110 +0200 +@@ -35,7 +35,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -244,26 +244,18 @@ static void abort_transaction(MDB_txn *t + static char *path_to_hash(const char *path, const size_t path_len) MALLOCLIKE; + static char *path_to_hash(const char *path, const size_t path_len) + { +- gcry_md_hd_t h; +- unsigned int len; +- unsigned char *hptr; ++ unsigned char hptr[80]; + char *digest; + +- if (gcry_md_open(&h, GCRY_MD_SHA512, GCRY_MD_FLAG_SECURE)) ++ if (path_len == 0) + return NULL; + +- gcry_md_write(h, path, path_len); +- hptr = gcry_md_read(h, GCRY_MD_SHA512); +- +- len = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * sizeof(char); +- digest = malloc((2 * len) + 1); +- if (digest == NULL) { +- gcry_md_close(h); ++ SHA512((unsigned char *)path, path_len, (unsigned char *)&hptr); ++ digest = malloc((SHA512_LEN * 2) + 1); ++ if (digest == NULL) + return digest; +- } + +- bytes2hex(digest, hptr, len); +- gcry_md_close(h); ++ bytes2hex(digest, hptr, SHA512_LEN); + + return digest; + } +@@ -296,7 +288,7 @@ static int write_db(const char *idx, con + if (hash == NULL) + return 5; + key.mv_data = (void *)hash; +- key.mv_size = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * 2 + 1; ++ key.mv_size = (SHA512_LEN * 2) + 1; + } else { + key.mv_data = (void *)idx; + key.mv_size = len; +@@ -416,7 +408,7 @@ static char *lt_read_db(const char *inde + if (hash == NULL) + return NULL; + key.mv_data = (void *)hash; +- key.mv_size = gcry_md_get_algo_dlen(GCRY_MD_SHA512) * 2 + 1; ++ key.mv_size = (SHA512_LEN * 2) + 1; + } else { + key.mv_data = (void *)index; + key.mv_size = len; +diff -up ./src/library/file.c.openssl ./src/library/file.c +--- ./src/library/file.c.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/library/file.c 2022-08-02 14:10:48.094466497 +0200 +@@ -31,7 +31,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -51,7 +51,6 @@ static struct udev *udev; + magic_t magic_cookie; + struct cache { dev_t device; const char *devname; }; + static struct cache c = { 0, NULL }; +-static size_t hash_size = 32; // init so cli doesn't need to call file_init + + // readelf -l path-to-app | grep 'Requesting' | cut -d':' -f2 | tr -d ' ]'; + static const char *interpreters[] = { +@@ -96,12 +95,6 @@ void file_init(void) + msg(LOG_ERR, "Unable to load magic database"); + exit(1); + } +- +- // Initialize libgcrypt +- gcry_check_version(NULL); +- gcry_control(GCRYCTL_DISABLE_SECMEM, 0); +- gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0); +- hash_size = gcry_md_get_algo_dlen(GCRY_MD_SHA256) * sizeof(char); + } + + +@@ -445,12 +438,12 @@ char *get_hash_from_fd2(int fd, size_t s + if (mapped != MAP_FAILED) { + unsigned char hptr[40]; + +- gcry_md_hash_buffer(GCRY_MD_SHA256, &hptr, mapped, size); ++ SHA256(mapped, size, (unsigned char *)&hptr); + munmap(mapped, size); +- digest = malloc(65); ++ digest = malloc((SHA256_LEN * 2) + 1); + + // Convert to ASCII string +- bytes2hex(digest, hptr, hash_size); ++ bytes2hex(digest, hptr, SHA256_LEN); + } + return digest; + } +@@ -476,7 +469,7 @@ int get_ima_hash(int fd, char *sha) + } + + // Looks like it what we want... +- bytes2hex(sha, &tmp[2], 32); ++ bytes2hex(sha, &tmp[2], SHA256_LEN); + return 1; + } + +diff -up ./src/library/file.h.openssl ./src/library/file.h +--- ./src/library/file.h.openssl 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/library/file.h 2022-08-02 14:10:48.094466497 +0200 +@@ -40,6 +40,9 @@ struct file_info + struct timespec time; + }; + ++#define SHA256_LEN 32 ++#define SHA512_LEN 64 ++ + void file_init(void); + void file_close(void); + struct file_info *stat_file_entry(int fd) MALLOCLIKE; diff --git a/SOURCES/fapolicyd-readme.patch b/SOURCES/fapolicyd-readme.patch new file mode 100644 index 0000000..5d93547 --- /dev/null +++ b/SOURCES/fapolicyd-readme.patch @@ -0,0 +1,30 @@ +From b4618d133f473b9bbc36f2a5e94b8b0f257ba3e0 Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Fri, 5 Aug 2022 14:49:30 +0200 +Subject: [PATCH] Add mention that using of names requires name resolution + +- using of user and group names as uid and gid attributes + requires correct name resolution + +Signed-off-by: Radovan Sroka +--- + README.md | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/README.md b/README.md +index d932e00..abc5eee 100644 +--- a/README.md ++++ b/README.md +@@ -131,6 +131,12 @@ You can similarly do this for trusted users that have to execute things in + the home dir. You can create a trusted_user group, add them the group, + and then write a rule allowing them to execute from their home dir. + ++When you want to use user or group name (as a string). You have to guarantee ++that these names were correctly resolved. In case of systemd, you need to add ++a new after target 'After=nss-user-lookup.target'. ++To achieve that you can use `systemctl edit --full fapolicyd`, ++uncomment the respective line and save the change. ++ + ``` + allow perm=any gid=trusted_user : ftype=%languages dir=/home + deny_audit perm=any all : ftype=%languages dir=/home diff --git a/SOURCES/fapolicyd-selinux.patch b/SOURCES/fapolicyd-selinux.patch index 58b3146..5f5fea5 100644 --- a/SOURCES/fapolicyd-selinux.patch +++ b/SOURCES/fapolicyd-selinux.patch @@ -1,6 +1,6 @@ -diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.if b/fapolicyd-selinux-0.4/fapolicyd.if ---- a/fapolicyd-selinux-0.4/fapolicyd.if 2021-03-23 10:21:31.000000000 +0100 -+++ b/fapolicyd-selinux-0.4/fapolicyd.if 2021-12-14 13:35:17.842430123 +0100 +diff -up ./fapolicyd-selinux-0.4/fapolicyd.if.selinux ./fapolicyd-selinux-0.4/fapolicyd.if +--- ./fapolicyd-selinux-0.4/fapolicyd.if.selinux 2021-03-23 10:21:31.000000000 +0100 ++++ ./fapolicyd-selinux-0.4/fapolicyd.if 2022-06-30 10:52:05.112355159 +0200 @@ -2,6 +2,122 @@ ######################################## @@ -124,9 +124,9 @@ diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.if b/fapolicyd-selinux-0.4/fa ## Execute fapolicyd_exec_t in the fapolicyd domain. ## ## -diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te ---- a/fapolicyd-selinux-0.4/fapolicyd.te 2021-03-23 10:21:31.000000000 +0100 -+++ b/fapolicyd-selinux-0.4/fapolicyd.te 2021-12-14 13:35:17.842430123 +0100 +diff -up ./fapolicyd-selinux-0.4/fapolicyd.te.selinux ./fapolicyd-selinux-0.4/fapolicyd.te +--- ./fapolicyd-selinux-0.4/fapolicyd.te.selinux 2021-03-23 10:21:31.000000000 +0100 ++++ ./fapolicyd-selinux-0.4/fapolicyd.te 2022-06-30 10:53:01.693055971 +0200 @@ -1,5 +1,6 @@ policy_module(fapolicyd, 1.0.0) @@ -134,7 +134,7 @@ diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fa ######################################## # # Declarations -@@ -36,6 +37,12 @@ +@@ -36,6 +37,12 @@ allow fapolicyd_t self:process { setcap allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms; allow fapolicyd_t self:unix_dgram_socket create_socket_perms; @@ -147,9 +147,12 @@ diff --color -ru a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fa manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t) logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file) -@@ -63,14 +70,20 @@ +@@ -61,16 +68,22 @@ corecmd_exec_bin(fapolicyd_t) - files_mmap_usr_files(fapolicyd_t) + domain_read_all_domains_state(fapolicyd_t) + +-files_mmap_usr_files(fapolicyd_t) ++files_mmap_all_files(fapolicyd_t) files_read_all_files(fapolicyd_t) +files_watch_mount_boot_dirs(fapolicyd_t) +files_watch_with_perm_boot_dirs(fapolicyd_t) diff --git a/SOURCES/fapolicyd-sighup.patch b/SOURCES/fapolicyd-sighup.patch new file mode 100644 index 0000000..47ee190 --- /dev/null +++ b/SOURCES/fapolicyd-sighup.patch @@ -0,0 +1,141 @@ +diff -up ./src/daemon/fapolicyd.c.sighup ./src/daemon/fapolicyd.c +--- ./src/daemon/fapolicyd.c.sighup 2022-06-21 16:55:47.000000000 +0200 ++++ ./src/daemon/fapolicyd.c 2022-08-04 11:07:10.245069443 +0200 +@@ -527,6 +527,7 @@ int main(int argc, const char *argv[]) + while (!stop) { + if (hup) { + hup = 0; ++ msg(LOG_INFO, "Got SIGHUP"); + reconfigure(); + } + rc = poll(pfd, 2, -1); +diff -up ./src/library/database.c.sighup ./src/library/database.c +--- ./src/library/database.c.sighup 2022-08-04 11:07:10.237069609 +0200 ++++ ./src/library/database.c 2022-08-04 11:08:44.852057119 +0200 +@@ -68,7 +68,7 @@ static int lib_symlink=0, lib64_symlink= + static struct pollfd ffd[1] = { {0, 0, 0} }; + static const char *fifo_path = "/run/fapolicyd/fapolicyd.fifo"; + static integrity_t integrity; +-static atomic_int db_operation; ++static atomic_int reload_db = 0; + + static pthread_t update_thread; + static pthread_mutex_t update_lock; +@@ -1147,7 +1147,31 @@ static int handle_record(const char * bu + + void update_trust_database(void) + { +- db_operation = RELOAD_DB; ++ reload_db = 1; ++} ++ ++static void do_reload_db(conf_t* config) ++{ ++ msg(LOG_INFO,"It looks like there was an update of the system... Syncing DB."); ++ ++ int rc; ++ backend_close(); ++ backend_init(config); ++ backend_load(config); ++ ++ if ((rc = update_database(config))) { ++ msg(LOG_ERR, ++ "Cannot update trust database!"); ++ close(ffd[0].fd); ++ backend_close(); ++ unlink_fifo(); ++ exit(rc); ++ } ++ ++ msg(LOG_INFO, "Updated"); ++ ++ // Conserve memory ++ backend_close(); + } + + static void *update_thread_main(void *arg) +@@ -1158,6 +1182,8 @@ static void *update_thread_main(void *ar + char err_buff[BUFFER_SIZE]; + conf_t *config = (conf_t *)arg; + ++ int do_operation = DB_NO_OP;; ++ + #ifdef DEBUG + msg(LOG_DEBUG, "Update thread main started"); + #endif +@@ -1182,6 +1208,12 @@ static void *update_thread_main(void *ar + + rc = poll(ffd, 1, 1000); + ++ // got SIGHUP ++ if (reload_db) { ++ reload_db = 0; ++ do_reload_db(config); ++ } ++ + #ifdef DEBUG + msg(LOG_DEBUG, "Update poll interrupted"); + #endif +@@ -1228,17 +1260,17 @@ static void *update_thread_main(void *ar + // assume file name + // operation = 0 + if (buff[i] == '/') { +- db_operation = ONE_FILE; ++ do_operation = ONE_FILE; + break; + } + + if (buff[i] == '1') { +- db_operation = RELOAD_DB; ++ do_operation = RELOAD_DB; + break; + } + + if (buff[i] == '2') { +- db_operation = FLUSH_CACHE; ++ do_operation = FLUSH_CACHE; + break; + } + +@@ -1252,34 +1284,16 @@ static void *update_thread_main(void *ar + *end = '\n'; + + // got "1" -> reload db +- if (db_operation == RELOAD_DB) { +- db_operation = DB_NO_OP; +- msg(LOG_INFO, +- "It looks like there was an update of the system... Syncing DB."); +- +- backend_close(); +- backend_init(config); +- backend_load(config); +- +- if ((rc = update_database(config))) { +- msg(LOG_ERR, +- "Cannot update trust database!"); +- close(ffd[0].fd); +- backend_close(); +- unlink_fifo(); +- exit(rc); +- } +- +- msg(LOG_INFO, "Updated"); ++ if (do_operation == RELOAD_DB) { ++ do_operation = DB_NO_OP; ++ do_reload_db(config); + +- // Conserve memory +- backend_close(); + // got "2" -> flush cache +- } else if (db_operation == FLUSH_CACHE) { +- db_operation = DB_NO_OP; ++ } else if (do_operation == FLUSH_CACHE) { ++ do_operation = DB_NO_OP; + needs_flush = true; +- } else if (db_operation == ONE_FILE) { +- db_operation = DB_NO_OP; ++ } else if (do_operation == ONE_FILE) { ++ do_operation = DB_NO_OP; + if (handle_record(buff)) + continue; + } diff --git a/SOURCES/fapolicyd-user-group-doc.patch b/SOURCES/fapolicyd-user-group-doc.patch new file mode 100644 index 0000000..c8cdd75 --- /dev/null +++ b/SOURCES/fapolicyd-user-group-doc.patch @@ -0,0 +1,47 @@ +From fb4c274f4857f2d652014b0189abafb1df4b001a Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Tue, 19 Jul 2022 12:18:18 -0400 +Subject: [PATCH] Add documentation describing support for user/group names + +--- + doc/fapolicyd.rules.5 | 6 +++--- + init/fapolicyd.service | 2 ++ + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/doc/fapolicyd.rules.5 b/doc/fapolicyd.rules.5 +index aa77177..3b8ec09 100644 +--- a/doc/fapolicyd.rules.5 ++++ b/doc/fapolicyd.rules.5 +@@ -35,13 +35,13 @@ The subject is the process that is performing actions on system resources. The f + This matches against any subject. When used, this must be the only subject in the rule. + .TP + .B auid +-This is the login uid that the audit system assigns users when they log in to the system. Daemons have a value of -1. ++This is the login uid that the audit system assigns users when they log in to the system. Daemons have a value of -1. The given value may be numeric or the account name. + .TP + .B uid +-This is the user id that the program is running under. ++This is the user id that the program is running under. The given value may be numeric or the account name. + .TP + .B gid +-This is the group id that the program is running under. ++This is the group id that the program is running under. The given value may be numeric or the group name. + .TP + .B sessionid + This is the numeric session id that the audit system assigns to users when they log in. Daemons have a value of -1. +diff --git a/init/fapolicyd.service b/init/fapolicyd.service +index 715de98..a5a6a3f 100644 +--- a/init/fapolicyd.service ++++ b/init/fapolicyd.service +@@ -11,6 +11,8 @@ PIDFile=/run/fapolicyd.pid + ExecStartPre=/usr/sbin/fagenrules + ExecStart=/usr/sbin/fapolicyd + Restart=on-abnormal ++# Uncomment the following line if rules need user/group name lookup ++#After=nss-user-lookup.target + + [Install] + WantedBy=multi-user.target +-- +2.37.1 + diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec index b462f40..229a5dd 100644 --- a/SPECS/fapolicyd.spec +++ b/SPECS/fapolicyd.spec @@ -4,8 +4,8 @@ Summary: Application Whitelisting Daemon Name: fapolicyd -Version: 1.1 -Release: 100%{?dist} +Version: 1.1.3 +Release: 102%{?dist} License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz @@ -15,7 +15,7 @@ Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/ BuildRequires: gcc BuildRequires: kernel-headers BuildRequires: autoconf automake make gcc libtool -BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel file +BuildRequires: systemd-devel openssl-devel rpm-devel file-devel file BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel BuildRequires: python3-devel @@ -32,6 +32,13 @@ Requires(postun): systemd-units Patch1: fapolicyd-uthash-bundle.patch Patch2: fapolicyd-selinux.patch +Patch3: fagenrules-group.patch +Patch4: fapolicyd-fgets-update-thread.patch +Patch5: fapolicyd-openssl.patch +Patch6: fapolicyd-user-group-doc.patch +Patch7: fapolicyd-cli-segfault.patch +Patch8: fapolicyd-sighup.patch +Patch9: fapolicyd-readme.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting @@ -51,19 +58,6 @@ BuildArch: noarch %description selinux The %{name}-selinux package contains selinux policy for the %{name} daemon. -%package dnf-plugin -Summary: Fapolicyd dnf plugin -Group: Applications/System -Requires: %{name} = %{version}-%{release} -BuildArch: noarch -Provides: %{name}-plugin - -%description dnf-plugin -The %{name}-dnf-plugin notifies %{name} daemon about dnf update. -The dnf plugin will be replaced with rpm plugin later. -Don't use dnf and rpm plugin together. - - %prep %setup -q @@ -78,10 +72,25 @@ Don't use dnf and rpm plugin together. %endif %patch2 -p1 -b .selinux - -sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules -sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules -sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-linux-*.so.*' | sed 's/\//\\\\\//g'`/g" rules.d/*.rules +%patch3 -p1 -b .group +%patch4 -p1 -b .update-thread +%patch5 -p1 -b .openssl +%patch6 -p1 -b .user-group-doc +%patch7 -p1 -b .cli-segfault +%patch8 -p1 -b .sighup +%patch9 -p1 -b .readme + +# generate rules for python +sed -i "s|%python2_path%|`readlink -f %{__python2}`|g" rules.d/*.rules +sed -i "s|%python3_path%|`readlink -f %{__python3}`|g" rules.d/*.rules + +interpret=`readelf -e /usr/bin/bash \ + | grep Requesting \ + | sed 's/.$//' \ + | rev | cut -d" " -f1 \ + | rev` + +sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules %build ./autogen.sh @@ -106,14 +115,17 @@ make check %install %make_install -mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/ -install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/ install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name} mkdir -p %{buildroot}/run/%{name} mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d - +# get list of file names between known-libs and restrictive from sample-rules/README-rules +cat %{buildroot}/%{_datadir}/%{name}/sample-rules/README-rules \ + | grep -A 100 'known-libs' \ + | grep -B 100 'restrictive' \ + | grep '^[0-9]' > %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs +chmod 644 %{buildroot}/%{_datadir}/%{name}/default-ruleset.known-libs # selinux install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} @@ -124,8 +136,49 @@ install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_ #cleanup find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete +%define manage_default_rules default_changed=0 \ + # check changed fapolicyd.rules \ + if [ -e %{_sysconfdir}/%{name}/%{name}.rules ]; then \ + diff %{_sysconfdir}/%{name}/%{name}.rules %{_datadir}/%{name}/%{name}.rules.known-libs >/dev/null 2>&1 || { \ + default_changed=1; \ + #echo "change detected in fapolicyd.rules"; \ + } \ + fi \ + if [ -e %{_sysconfdir}/%{name}/rules.d ]; then \ + default_ruleset='' \ + # get listing of default rule files in known-libs \ + [ -e %{_datadir}/%{name}/default-ruleset.known-libs ] && default_ruleset=`cat %{_datadir}/%{name}/default-ruleset.known-libs` \ + # check for removed or added files \ + default_count=`echo "$default_ruleset" | wc -l` \ + current_count=`ls -1 %{_sysconfdir}/%{name}/rules.d/*.rules | wc -l` \ + [ $default_count -eq $current_count ] || { \ + default_changed=1; \ + #echo "change detected in number of rule files d:$default_count vs c:$current_count"; \ + } \ + for file in %{_sysconfdir}/%{name}/rules.d/*.rules; do \ + if echo "$default_ruleset" | grep -q "`basename $file`"; then \ + # compare content of the rule files \ + diff $file %{_datadir}/%{name}/sample-rules/`basename $file` >/dev/null 2>&1 || { \ + default_changed=1; \ + #echo "change detected in `basename $file`"; \ + } \ + else \ + # added file detected \ + default_changed=1 \ + #echo "change detected in added rules file `basename $file`"; \ + fi \ + done \ + fi \ + # remove files if no change against default rules detected \ + [ $default_changed -eq 0 ] && rm -rf %{_sysconfdir}/%{name}/%{name}.rules %{_sysconfdir}/%{name}/rules.d/* || : \ + + %pre getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} +if [ $1 -eq 2 ]; then +# detect changed default rules in case of upgrade +%manage_default_rules +fi %post # if no pre-existing rule file @@ -134,29 +187,27 @@ if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then # Only if no pre-existing component rules if [ "$files" -eq 0 ] ; then ## Install the known libs policy - cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/20-patterns.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/30-dracut.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/30-updaters.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/70-trusted-lang.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/72-shell.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/90-deny-execute.rules %{_sysconfdir}/%{name}/rules.d/ - cp %{_datadir}/%{name}/sample-rules/95-allow-open.rules %{_sysconfdir}/%{name}/rules.d/ + for rulesfile in `cat %{_datadir}/%{name}/default-ruleset.known-libs`; do + cp %{_datadir}/%{name}/sample-rules/$rulesfile %{_sysconfdir}/%{name}/rules.d/ + done chgrp %{name} %{_sysconfdir}/%{name}/rules.d/* if [ -x /usr/sbin/restorecon ] ; then # restore correct label /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/* fi - fagenrules --load + fagenrules >/dev/null fi fi %systemd_post %{name}.service %preun %systemd_preun %{name}.service +if [ $1 -eq 0 ]; then +# detect changed default rules in case of uninstall +%manage_default_rules +else + [ -e %{_sysconfdir}/%{name}/%{name}.rules ] && rm -rf %{_sysconfdir}/%{name}/rules.d/* || : +fi %postun %systemd_postun_with_restart %{name}.service @@ -167,13 +218,14 @@ fi %license COPYING %attr(755,root,%{name}) %dir %{_datadir}/%{name} %attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules +%attr(644,root,%{name}) %{_datadir}/%{name}/default-ruleset.known-libs %attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/* %attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name} %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d -%ghost %{_sysconfdir}/%{name}/rules.d/* -%ghost %{_sysconfdir}/%{name}/%{name}.rules +%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rules.d/* +%ghost %verify(not md5 size mtime) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust %ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules @@ -210,12 +262,38 @@ fi %posttrans selinux %selinux_relabel_post -s %{selinuxtype} -%files dnf-plugin -%{python3_sitelib}/dnf-plugins/%{name}-dnf-plugin.py -%{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc - - %changelog +* Fri Aug 05 2022 Radovan Sroka - 1.1.3-102 +RHEL 9.1.0 ERRATUM +- rebase fapolicyd to the latest stable vesion +Resolves: rhbz#2100041 +- fapolicyd gets way too easily killed by OOM killer +Resolves: rhbz#2097385 +- fapolicyd does not correctly handle SIGHUP +Resolves: rhbz#2070655 +- Introduce ppid rule attribute +Resolves: rhbz#2102558 +- fapolicyd often breaks package updates +Resolves: rhbz#2111244 +- drop libgcrypt in favour of openssl +Resolves: rhbz#2111938 +- Remove dnf plugin +Resolves: rhbz#2113959 +- fapolicyd.rules doesn't advertise that using a username/groupname instead of uid/gid also works +Resolves: rhbz#2115849 + +* Thu Jun 16 2022 Radovan Sroka - 1.1-104 +RHEL 9.1.0 ERRATUM +- CVE-2022-1117 fapolicyd: fapolicyd wrongly prepares ld.so path +Resolves: rhbz#2069123 +- Faulty handling of static applications +Resolves: rhbz#2096457 + +* Sun Apr 3 2022 Radovan Sroka - 1.1-101 +RHEL 9.1.0 ERRATUM +- fapolicyd denies access to /usr/lib64/ld-2.28.so +Resolves: rhbz#2067493 + * Wed Feb 16 2022 Radovan Sroka - 1.1-100 RHEL 9.0.0 ERRATUM - rebase to 1.1