packages/usbguard
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update to 1.1.2

Browse Source
This commit is contained in:
lyn1001 2023-04-21 10:21:40 +08:00
parent 0141e8d533
commit 0fc4660ba1
15 changed files with 137 additions and 1139 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

567
0001-Update-to-latest-PEGTL-API.patch
View File

@ -1,567 +0,0 @@
diff --git a/configure.ac b/configure.ac
index a135e01..f565b87 100644
--- a/configure.ac
+++ b/configure.ac
@@ -290,54 +290,28 @@ AC_SUBST([catch_LIBS])
#
AC_ARG_WITH([bundled-pegtl], AS_HELP_STRING([--with-bundled-pegtl], [Build using the bundled PEGTL library]), [with_bundled_pegtl=$withval], [with_bundled_pegtl=no])
if test "x$with_bundled_pegtl" = xyes; then
- pegtl_CFLAGS="-I\$(top_srcdir)/src/ThirdParty/PEGTL"
- pegtl_AC_CFLAGS="-I$srcdir/src/ThirdParty/PEGTL"
+ pegtl_CFLAGS="-I\$(top_srcdir)/src/ThirdParty/PEGTL/include"
+ pegtl_AC_CFLAGS="-I$srcdir/src/ThirdParty/PEGTL/include"
pegtl_LIBS=""
AC_MSG_NOTICE([Using bundled PEGTL library])
pegtl_summary="bundled; $pegtl_CFLAGS $pegtl_LIBS"
else
- SAVE_CPPFLAGS=$CPPFLAGS
- CPPFLAGS="-std=c++11 $CPPFLAGS"
- AC_LANG_PUSH([C++])
- AC_CHECK_HEADER([pegtl.hh], [], [AC_MSG_FAILURE(pegtl.hh not found or not usable. Re-run with --with-bundled-pegtl to use the bundled library.)])
- AC_LANG_POP
pegtl_CFLAGS=""
pegtl_AC_CFLAGS=""
pegtl_LIBS=""
- CPPFLAGS=$SAVE_CPPFLAGS
pegtl_summary="system-wide; $pegtl_CFLAGS $pegtl_LIBS"
fi
AC_SUBST([pegtl_CFLAGS])
AC_SUBST([pegtl_AC_CFLAGS])
AC_SUBST([pegtl_LIBS])
-#
-# Check whether the available PEGTL library is compatible
-# with version 1.3.1 or older.
-#
SAVE_CPPFLAGS=$CPPFLAGS
-CPPFLAGS="-std=c++11 $pegtl_AC_CFLAGS"
+CPPFLAGS="-std=c++11 $CPPFLAGS $pegtl_AC_CFLAGS"
AC_LANG_PUSH([C++])
-AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
-#include <pegtl.hh>
-#include <string>
-int main(void)
-{
- struct grammar
- : pegtl::one<'g'> {};
- try {
- pegtl::parse_string<grammar>(std::string(), std::string());
- } catch(const pegtl::parse_error& ex) {
- auto b = ex.positions[0].byte_in_line;
- }
- return 0;
-}
-]])],
-[have_pegtl_lte_131=no], [have_pegtl_lte_131=yes])
+AC_CHECK_HEADER([tao/pegtl.hpp],
+ [AC_DEFINE([HAVE_TAO_PEGTL_HPP], [1], [PEGTL header file with .hpp extension is present])],
+ [AC_MSG_FAILURE(PEGTL header file not found or not usable. Re-run with --with-bundled-pegtl to use the bundled library.)])
AC_LANG_POP
-if test "x$have_pegtl_lte_131" = xyes; then
- AC_DEFINE([HAVE_PEGTL_LTE_1_3_1], [1], [PEGTL version less than or equal to 1.3.1])
-fi
CPPFLAGS=$SAVE_CPPFLAGS
#
diff --git a/src/Library/RuleParser/Actions.hpp b/src/Library/RuleParser/Actions.hpp
index 3e185f4..2b21bd2 100644
--- a/src/Library/RuleParser/Actions.hpp
+++ b/src/Library/RuleParser/Actions.hpp
@@ -24,7 +24,7 @@
#include "Utility.hpp"
#include "Common/Utility.hpp"
-#include <pegtl.hh>
+#include <tao/pegtl.hpp>
namespace usbguard
{
@@ -47,7 +47,7 @@ namespace usbguard
struct str_if;
template<typename Rule>
- struct rule_parser_actions : pegtl::nothing<Rule> {};
+ struct rule_parser_actions : tao::pegtl::nothing<Rule> {};
template<>
struct rule_parser_actions<target> {
@@ -58,7 +58,7 @@ namespace usbguard
rule.setTarget(Rule::targetFromString(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
@@ -75,7 +75,7 @@ namespace usbguard
rule.setDeviceID(device_id);
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
@@ -87,7 +87,7 @@ namespace usbguard
}
template<typename Rule>
- struct name_actions : pegtl::nothing<Rule> {};
+ struct name_actions : tao::pegtl::nothing<Rule> {};
template<>
struct name_actions<str_name> {
@@ -95,7 +95,7 @@ namespace usbguard
static void apply(const Input& in, Rule& rule)
{
if (!rule.attributeName().empty()) {
- throw pegtl::parse_error("name attribute already defined", in);
+ throw tao::pegtl::parse_error("name attribute already defined", in);
}
}
};
@@ -109,7 +109,7 @@ namespace usbguard
rule.attributeName().append(stringValueFromRule(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
@@ -123,13 +123,13 @@ namespace usbguard
rule.attributeName().setSetOperator(Rule::setOperatorFromString(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
template<typename Rule>
- struct id_actions : pegtl::nothing<Rule> {};
+ struct id_actions : tao::pegtl::nothing<Rule> {};
template<>
struct id_actions<str_id> {
@@ -137,7 +137,7 @@ namespace usbguard
static void apply(const Input& in, Rule& rule)
{
if (!rule.attributeDeviceID().empty()) {
- throw pegtl::parse_error("id attribute already defined", in);
+ throw tao::pegtl::parse_error("id attribute already defined", in);
}
}
};
@@ -154,7 +154,7 @@ namespace usbguard
rule.attributeDeviceID().append(device_id);
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
@@ -168,13 +168,13 @@ namespace usbguard
rule.attributeDeviceID().setSetOperator(Rule::setOperatorFromString(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
template<typename Rule>
- struct hash_actions : pegtl::nothing<Rule> {};
+ struct hash_actions : tao::pegtl::nothing<Rule> {};
template<>
struct hash_actions<str_hash> {
@@ -182,7 +182,7 @@ namespace usbguard
static void apply(const Input& in, Rule& rule)
{
if (!rule.attributeHash().empty()) {
- throw pegtl::parse_error("hash attribute already defined", in);
+ throw tao::pegtl::parse_error("hash attribute already defined", in);
}
}
};
@@ -196,7 +196,7 @@ namespace usbguard
rule.attributeHash().append(stringValueFromRule(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
@@ -210,13 +210,13 @@ namespace usbguard
rule.attributeHash().setSetOperator(Rule::setOperatorFromString(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
template<typename Rule>
- struct parent_hash_actions : pegtl::nothing<Rule> {};
+ struct parent_hash_actions : tao::pegtl::nothing<Rule> {};
template<>
struct parent_hash_actions<str_parent_hash> {
@@ -224,7 +224,7 @@ namespace usbguard
static void apply(const Input& in, Rule& rule)
{
if (!rule.attributeParentHash().empty()) {
- throw pegtl::parse_error("parent-hash attribute already defined", in);
+ throw tao::pegtl::parse_error("parent-hash attribute already defined", in);
}
}
};
@@ -238,7 +238,7 @@ namespace usbguard
rule.attributeParentHash().append(stringValueFromRule(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
@@ -252,13 +252,13 @@ namespace usbguard
rule.attributeParentHash().setSetOperator(Rule::setOperatorFromString(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
template<typename Rule>
- struct serial_actions : pegtl::nothing<Rule> {};
+ struct serial_actions : tao::pegtl::nothing<Rule> {};
template<>
struct serial_actions<str_serial> {
@@ -266,7 +266,7 @@ namespace usbguard
static void apply(const Input& in, Rule& rule)
{
if (!rule.attributeSerial().empty()) {
- throw pegtl::parse_error("serial attribute already defined", in);
+ throw tao::pegtl::parse_error("serial attribute already defined", in);
}
}
};
@@ -280,7 +280,7 @@ namespace usbguard
rule.attributeSerial().append(stringValueFromRule(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
@@ -294,13 +294,13 @@ namespace usbguard
rule.attributeSerial().setSetOperator(Rule::setOperatorFromString(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
template<typename Rule>
- struct via_port_actions : pegtl::nothing<Rule> {};
+ struct via_port_actions : tao::pegtl::nothing<Rule> {};
template<>
struct via_port_actions<str_via_port> {
@@ -308,7 +308,7 @@ namespace usbguard
static void apply(const Input& in, Rule& rule)
{
if (!rule.attributeViaPort().empty()) {
- throw pegtl::parse_error("via-port attribute already defined", in);
+ throw tao::pegtl::parse_error("via-port attribute already defined", in);
}
}
};
@@ -322,7 +322,7 @@ namespace usbguard
rule.attributeViaPort().append(stringValueFromRule(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
@@ -336,13 +336,13 @@ namespace usbguard
rule.attributeViaPort().setSetOperator(Rule::setOperatorFromString(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
template<typename Rule>
- struct with_interface_actions : pegtl::nothing<Rule> {};
+ struct with_interface_actions : tao::pegtl::nothing<Rule> {};
template<>
struct with_interface_actions<str_with_interface> {
@@ -350,7 +350,7 @@ namespace usbguard
static void apply(const Input& in, Rule& rule)
{
if (!rule.attributeWithInterface().empty()) {
- throw pegtl::parse_error("with-interface attribute already defined", in);
+ throw tao::pegtl::parse_error("with-interface attribute already defined", in);
}
}
};
@@ -365,7 +365,7 @@ namespace usbguard
rule.attributeWithInterface().append(interface_type);
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
@@ -379,13 +379,13 @@ namespace usbguard
rule.attributeWithInterface().setSetOperator(Rule::setOperatorFromString(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
template<typename Rule>
- struct condition_actions : pegtl::nothing<Rule> {};
+ struct condition_actions : tao::pegtl::nothing<Rule> {};
template<>
struct condition_actions<str_if> {
@@ -393,7 +393,7 @@ namespace usbguard
static void apply(const Input& in, Rule& rule)
{
if (!rule.attributeConditions().empty()) {
- throw pegtl::parse_error("conditions already defined", in);
+ throw tao::pegtl::parse_error("conditions already defined", in);
}
}
};
@@ -407,7 +407,7 @@ namespace usbguard
rule.attributeConditions().append(RuleCondition(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
@@ -421,7 +421,7 @@ namespace usbguard
rule.attributeConditions().setSetOperator(Rule::setOperatorFromString(in.string()));
}
catch (const std::exception& ex) {
- throw pegtl::parse_error(ex.what(), in);
+ throw tao::pegtl::parse_error(ex.what(), in);
}
}
};
diff --git a/src/Library/RuleParser/Grammar.hpp b/src/Library/RuleParser/Grammar.hpp
index 9bd4a15..4d785c0 100644
--- a/src/Library/RuleParser/Grammar.hpp
+++ b/src/Library/RuleParser/Grammar.hpp
@@ -22,37 +22,37 @@
#endif
#include "Actions.hpp"
-#include <pegtl.hh>
-using namespace pegtl;
+#include <tao/pegtl.hpp>
namespace usbguard
{
namespace RuleParser
{
+ using namespace tao::pegtl;
/*
* Rule language keywords
*/
- struct str_allow : pegtl_string_t("allow") {};
- struct str_block : pegtl_string_t("block") {};
- struct str_reject : pegtl_string_t("reject") {};
- struct str_match : pegtl_string_t("match") {};
- struct str_device : pegtl_string_t("device") {};
-
- struct str_name : pegtl_string_t("name") {};
- struct str_hash : pegtl_string_t("hash") {};
- struct str_parent_hash : pegtl_string_t("parent-hash") {};
- struct str_via_port : pegtl_string_t("via-port") {};
- struct str_with_interface : pegtl_string_t("with-interface") {};
- struct str_serial : pegtl_string_t("serial") {};
- struct str_if : pegtl_string_t("if") {};
- struct str_id : pegtl_string_t("id") {};
-
- struct str_all_of : pegtl_string_t("all-of") {};
- struct str_one_of : pegtl_string_t("one-of") {};
- struct str_none_of : pegtl_string_t("none-of") {};
- struct str_equals : pegtl_string_t("equals") {};
- struct str_equals_ordered : pegtl_string_t("equals-ordered") {};
+ struct str_allow : TAOCPP_PEGTL_STRING("allow") {};
+ struct str_block : TAOCPP_PEGTL_STRING("block") {};
+ struct str_reject : TAOCPP_PEGTL_STRING("reject") {};
+ struct str_match : TAOCPP_PEGTL_STRING("match") {};
+ struct str_device : TAOCPP_PEGTL_STRING("device") {};
+
+ struct str_name : TAOCPP_PEGTL_STRING("name") {};
+ struct str_hash : TAOCPP_PEGTL_STRING("hash") {};
+ struct str_parent_hash : TAOCPP_PEGTL_STRING("parent-hash") {};
+ struct str_via_port : TAOCPP_PEGTL_STRING("via-port") {};
+ struct str_with_interface : TAOCPP_PEGTL_STRING("with-interface") {};
+ struct str_serial : TAOCPP_PEGTL_STRING("serial") {};
+ struct str_if : TAOCPP_PEGTL_STRING("if") {};
+ struct str_id : TAOCPP_PEGTL_STRING("id") {};
+
+ struct str_all_of : TAOCPP_PEGTL_STRING("all-of") {};
+ struct str_one_of : TAOCPP_PEGTL_STRING("one-of") {};
+ struct str_none_of : TAOCPP_PEGTL_STRING("none-of") {};
+ struct str_equals : TAOCPP_PEGTL_STRING("equals") {};
+ struct str_equals_ordered : TAOCPP_PEGTL_STRING("equals-ordered") {};
/*
* Generic rule attribute
diff --git a/src/Library/UEventParser.cpp b/src/Library/UEventParser.cpp
index 2e0ce39..aebe948 100644
--- a/src/Library/UEventParser.cpp
+++ b/src/Library/UEventParser.cpp
@@ -27,7 +27,9 @@
#include "usbguard/Logger.hpp"
#include <fstream>
-#include <pegtl/trace.hh>
+
+#include <tao/pegtl/contrib/tracer.hpp>
+using namespace tao;
namespace usbguard
{
@@ -114,25 +116,14 @@ namespace usbguard
void parseUEventFromString(const std::string& uevent_string, UEvent& uevent, bool trace)
{
try {
-#if HAVE_PEGTL_LTE_1_3_1
+ tao::pegtl::string_input<> in(uevent_string, std::string());
if (!trace) {
- pegtl::parse<G, UEventParser::actions>(uevent_string, std::string(), uevent);
+ tao::pegtl::parse<G, UEventParser::actions>(in, uevent);
}
else {
- pegtl::parse<G, UEventParser::actions, pegtl::tracer>(uevent_string, std::string(), uevent);
- }
-
-#else
-
- if (!trace) {
- pegtl::parse_string<G, UEventParser::actions>(uevent_string, std::string(), uevent);
+ tao::pegtl::parse<G, UEventParser::actions, tao::pegtl::tracer>(in, uevent);
}
- else {
- pegtl::parse_string<G, UEventParser::actions, pegtl::tracer>(uevent_string, std::string(), uevent);
- }
-
-#endif
}
catch (...) {
throw;
diff --git a/src/Library/UEventParser.hpp b/src/Library/UEventParser.hpp
index 856d5ff..4261bd5 100644
--- a/src/Library/UEventParser.hpp
+++ b/src/Library/UEventParser.hpp
@@ -23,9 +23,7 @@
#include "usbguard/Typedefs.hpp"
-#include <pegtl.hh>
-
-using namespace pegtl;
+#include <tao/pegtl.hpp>
namespace usbguard
{
@@ -33,6 +31,8 @@ namespace usbguard
namespace UEventParser
{
+ using namespace tao::pegtl;
+
struct value
: seq<not_one<'\0', '\n'>, star<not_one<'\0', '\n'>>> {};
diff --git a/src/Library/public/usbguard/RuleParser.cpp b/src/Library/public/usbguard/RuleParser.cpp
index 4061e01..140bf14 100644
--- a/src/Library/public/usbguard/RuleParser.cpp
+++ b/src/Library/public/usbguard/RuleParser.cpp
@@ -34,7 +34,7 @@
#include <stdexcept>
#include <stdlib.h>
-#include <pegtl/trace.hh>
+#include <tao/pegtl/contrib/tracer.hpp>
namespace usbguard
{
@@ -42,35 +42,21 @@ namespace usbguard
{
try {
Rule rule;
-#if HAVE_PEGTL_LTE_1_3_1
+ tao::pegtl::string_input<> input(rule_spec, file);
if (!trace) {
- pegtl::parse<RuleParser::rule_grammar, RuleParser::rule_parser_actions>(rule_spec, file, rule);
+ tao::pegtl::parse<RuleParser::rule_grammar, RuleParser::rule_parser_actions>(input, rule);
}
else {
- pegtl::parse<RuleParser::rule_grammar, RuleParser::rule_parser_actions, pegtl::tracer>(rule_spec, file, rule);
+ tao::pegtl::parse<RuleParser::rule_grammar, RuleParser::rule_parser_actions, tao::pegtl::tracer>(input, rule);
}
-#else
-
- if (!trace) {
- pegtl::parse_string<RuleParser::rule_grammar, RuleParser::rule_parser_actions>(rule_spec, file, rule);
- }
- else {
- pegtl::parse_string<RuleParser::rule_grammar, RuleParser::rule_parser_actions, pegtl::tracer>(rule_spec, file, rule);
- }
-
-#endif
return rule;
}
- catch (const pegtl::parse_error& ex) {
+ catch (const tao::pegtl::parse_error& ex) {
RuleParserError error(rule_spec);
error.setHint(ex.what());
-#if HAVE_PEGTL_LTE_1_3_1
- error.setOffset(ex.positions[0].column);
-#else
error.setOffset(ex.positions[0].byte_in_line);
-#endif
if (!file.empty() || line != 0) {
error.setFileInfo(file, line);
--
2.13.6

32
CVE-2019-25058-1.patch
View File

@ -1,32 +0,0 @@
From 0db713da6c44426902961b023a925563f40b6ec7 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 6 Feb 2022 01:15:26 +0100
Subject: [PATCH] dbus: Replace unsupported "auth_self_keep_session" by
"auth_self_keep"
---
src/DBus/org.usbguard.policy | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy
index ce842393..f1bed538 100644
--- a/src/DBus/org.usbguard.policy
+++ b/src/DBus/org.usbguard.policy
@@ -11,7 +11,7 @@
<message>Prevents from listing the USBGuard policy</message>
<defaults>
<allow_inactive>no</allow_inactive>
- <allow_active>auth_self_keep_session</allow_active>
+ <allow_active>auth_self_keep</allow_active>
</defaults>
</action>
@@ -38,7 +38,7 @@
<message>Prevents from listing USB devices recognized by the USBGuard daemon</message>
<defaults>
<allow_inactive>no</allow_inactive>
- <allow_active>auth_self_keep_session</allow_active>
+ <allow_active>auth_self_keep</allow_active>
</defaults>
</action>

49
CVE-2019-25058-2.patch
View File

@ -1,49 +0,0 @@
From d2839e8f6f9096c889c4fbd09b08dc6deff5eab2 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sat, 5 Feb 2022 21:40:17 +0100
Subject: [PATCH] dbus: Drop policies of removed D-Bus methods
---
src/DBus/org.usbguard.policy | 27 ---------------------------
1 file changed, 27 deletions(-)
diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy
index 7704583..b89c96e 100644
--- a/src/DBus/org.usbguard.policy
+++ b/src/DBus/org.usbguard.policy
@@ -41,32 +41,5 @@
<allow_active>auth_self_keep</allow_active>
</defaults>
</action>
-
- <action id="org.usbguard.Devices.allowDevice">
- <description>Authorize a USB device via the USBGuard daemon to interact with the system</description>
- <message>Prevents from authorizing USB devices via the USBGuard daemon</message>
- <defaults>
- <allow_inactive>no</allow_inactive>
- <allow_active>auth_admin</allow_active>
- </defaults>
- </action>
-
- <action id="org.usbguard.Devices.blockDevice">
- <description>Deauthorize a USB device via the USBGuard daemon</description>
- <message>Prevents from deauthorizing USB devices via the USBGuard daemon</message>
- <defaults>
- <allow_inactive>no</allow_inactive>
- <allow_active>auth_admin</allow_active>
- </defaults>
- </action>
-
- <action id="org.usbguard.Devices.rejectDevice">
- <description>Remove a USB device via the USBGuard daemon</description>
- <message>Prevents from removing USB devices via the USBGuard daemon</message>
- <defaults>
- <allow_inactive>no</allow_inactive>
- <allow_active>auth_admin</allow_active>
- </defaults>
- </action>
</policyconfig>
--
2.23.0

43
CVE-2019-25058-3.patch
View File

@ -1,43 +0,0 @@
From d8a1b1ff967864a6cd8531c57e027c903ee31c23 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 6 Feb 2022 01:17:15 +0100
Subject: [PATCH] dbus: Improve language in <message> tags
---
src/DBus/org.usbguard.policy | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy
index b89c96e..28206bd 100644
--- a/src/DBus/org.usbguard.policy
+++ b/src/DBus/org.usbguard.policy
@@ -8,7 +8,7 @@
<action id="org.usbguard.Policy.listRules">
<description>List the rule set (policy) used by the USBGuard daemon</description>
- <message>Prevents from listing the USBGuard policy</message>
+ <message>Prevents listing the USBGuard policy</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>auth_self_keep</allow_active>
@@ -17,7 +17,7 @@
<action id="org.usbguard.Policy.appendRule">
<description>Append a new rule to the policy</description>
- <message>Prevents from appending rules to the USBGuard policy</message>
+ <message>Prevents appending rules to the USBGuard policy</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>auth_admin</allow_active>
@@ -35,7 +35,7 @@
<action id="org.usbguard.Devices.listDevices">
<description>List all USB devices recognized by the USBGuard deaemon</description>
- <message>Prevents from listing USB devices recognized by the USBGuard daemon</message>
+ <message>Prevents listing USB devices recognized by the USBGuard daemon</message>
<defaults>
<allow_inactive>no</allow_inactive>
<allow_active>auth_self_keep</allow_active>
--
2.23.0

22
CVE-2019-25058-4.patch
View File

@ -1,22 +0,0 @@
From 17f04c6088c1b05618db99733ff8152e43206004 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 6 Feb 2022 00:00:11 +0100
Subject: [PATCH] dbus: Fix whitespace in file "org.usbguard1.policy"
---
src/DBus/org.usbguard.policy | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy
index ff504b54..75119606 100644
--- a/src/DBus/org.usbguard.policy
+++ b/src/DBus/org.usbguard.policy
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
-
+
<policyconfig>
<vendor>The USBGuard Project</vendor>
<vendor_url>https://github.org/USBGuard/usbguard</vendor_url>

56
CVE-2019-25058-5.patch
View File

@ -1,56 +0,0 @@
From 23c44b90ff9a49eb6bc91210b6668519ad421865 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Sun, 6 Feb 2022 01:19:08 +0100
Subject: [PATCH] dbus: Add missing action policies
---
src/DBus/org.usbguard.policy | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/src/DBus/org.usbguard.policy b/src/DBus/org.usbguard.policy
index e326c5a..4fc33c5 100644
--- a/src/DBus/org.usbguard.policy
+++ b/src/DBus/org.usbguard.policy
@@ -33,6 +33,15 @@
</defaults>
</action>
+ <action id="org.usbguard.Devices.applyDevicePolicy"
+ <description>Apply a policy to a device in USBGuard</description>
+ <message>Prevents applying a policy to a device in USBGuard</message>
+ <defaults>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin</allow_active>
+ </defaults>
+ </action>
+
<action id="org.usbguard.Devices.listDevices">
<description>List all USB devices recognized by the USBGuard deaemon</description>
<message>Prevents listing USB devices recognized by the USBGuard daemon</message>
@@ -41,5 +50,23 @@
<allow_active>auth_self_keep</allow_active>
</defaults>
</action>
+
+ <action id="org.usbguard1.getParameter">
+ <description>Get the value of a runtime parameter</description>
+ <message>Prevents getting values of runtime USBGuard parameters</message>
+ <defaults>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_self_keep</allow_active>
+ </defaults>
+ </action>
+
+ <action id="org.usbguard1.setParameter">
+ <description>Set the value of a runtime parameter</description>
+ <message>Prevents setting values of runtime USBGuard parameters</message>
+ <defaults>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin</allow_active>
+ </defaults>
+ </action>
</policyconfig>
--
2.23.0

84
CVE-2019-25058-6.patch
View File

@ -1,84 +0,0 @@
From d3e7d6609a8e63c21e85abf135d237a3bdd30913 Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Tue, 8 Feb 2022 16:13:48 +0100
Subject: [PATCH] polkit.yml: Make GitHub Actions detect Polkit policy parse
error regressions
---
.github/workflows/polkit.yml | 67 ++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)
create mode 100644 .github/workflows/polkit.yml
diff --git a/.github/workflows/polkit.yml b/.github/workflows/polkit.yml
new file mode 100644
index 00000000..fc4b4fe3
--- /dev/null
+++ b/.github/workflows/polkit.yml
@@ -0,0 +1,67 @@
+##
+## Copyright (c) 2022 Sebastian Pipping <sebastian@pipping.org>
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+name: Check for Polkit policy parse errors
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ polkit_policies:
+
+ name: Check for Polkit policy parse errors
+ runs-on: ubuntu-20.04
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Install runtime dependencies
+ run: |
+ set -x
+ sudo apt-get update
+ sudo apt-get install --no-install-recommends --yes -V expat
+
+ - name: Check for Polkit policy parse errors
+ run: |
+ # This will work around pkaction exiting with unjustified(?)
+ # code 1 on Ubuntu 20.04
+ check_polkit_action() { pkaction -v -a "$1" | tee /dev/stderr | fgrep -q 'implicit any' ; }
+
+ set -x
+ actions=(
+ org.usbguard.Devices.listDevices
+ org.usbguard.Devices.applyDevicePolicy
+ org.usbguard.Policy.appendRule
+ org.usbguard.Policy.listRules
+ org.usbguard.Policy.removeRule
+ org.usbguard.getParameter
+ org.usbguard.setParameter
+ )
+
+ # Self-test: Assert that prior to installation, our Polkit "actions"
+ # are unknown to PolKit.
+ ! check_polkit_action "${actions[0]}"
+
+ # Install the policy so that polkin can find it
+ xmlwf src/DBus/org.usbguard.policy
+ sudo cp -v src/DBus/org.usbguard.policy /usr/share/polkit-1/actions/
+
+ # Assert that after installation, all of our Polkit "actions" are known.
+ # This detects parse error regressions.
+ for action in "${actions[@]}"; do
+ check_polkit_action "${action}"
+ done

250
CVE-2019-25058-7.patch
View File

@ -1,250 +0,0 @@
From df5f01c6ed0c20d269f7239901d21883cc871bbb Mon Sep 17 00:00:00 2001
From: Sebastian Pipping <sebastian@pipping.org>
Date: Wed, 9 Feb 2022 02:10:40 +0100
Subject: [PATCH] dbus: Add missing checks for authorization using Polkit
---
configure.ac | 2 +-
src/DBus/DBusBridge.cpp | 137 ++++++++++++++++++++++++++++++++++++++++
src/DBus/DBusBridge.hpp | 2 +
3 files changed, 140 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index f565b87..a45174a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -405,7 +405,7 @@ if test "x$with_dbus" = xyes; then
#
# Check for required D-Bus modules
#
- PKG_CHECK_MODULES([dbus], [dbus-1 dbus-glib-1 >= 0.100 gio-2.0],
+ PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0 polkit-gobject-1],
[AC_DEFINE([HAVE_DBUS], [1], [Required GLib DBus API available])
dbus_summary="system-wide; $dbus_CFLAGS $dbus_LIBS"],
[AC_MSG_FAILURE([Required D-Bus modules (dbus-1, dbus-glib-1, gio-2.0) not found!])]
diff --git a/src/DBus/DBusBridge.cpp b/src/DBus/DBusBridge.cpp
index f9209f7..696d906 100644
--- a/src/DBus/DBusBridge.cpp
+++ b/src/DBus/DBusBridge.cpp
@@ -15,12 +15,14 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Authors: Sebastian Pipping <sebastian@pipping.org>
//
#ifdef HAVE_BUILD_CONFIG_H
#include <build-config.h>
#endif
#include "DBusBridge.hpp"
+#include <polkit/polkit.h>
namespace usbguard
{
@@ -78,6 +80,10 @@ namespace usbguard
void DBusBridge::handleRootMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation)
{
if (method_name == "getParameter") {
+ if (! isAuthorizedByPolkit(invocation)) {
+ return;
+ }
+
const char* name_cstr = nullptr;
g_variant_get(parameters, "(&s)", &name_cstr);
std::string name(name_cstr);
@@ -87,6 +93,10 @@ namespace usbguard
}
if (method_name == "setParameter") {
+ if (! isAuthorizedByPolkit(invocation)) {
+ return;
+ }
+
const char* name_cstr = nullptr;
const char* value_cstr = nullptr;
g_variant_get(parameters, "(&s&s)", &name_cstr, &value_cstr);
@@ -105,6 +115,10 @@ namespace usbguard
void DBusBridge::handlePolicyMethodCall(const std::string& method_name, GVariant* parameters, GDBusMethodInvocation* invocation)
{
if (method_name == "listRules") {
+ if (! isAuthorizedByPolkit(invocation)) {
+ return;
+ }
+
const char* query_cstr = nullptr;
g_variant_get(parameters, "(&s)", &query_cstr);
std::string query(query_cstr);
@@ -138,6 +152,10 @@ namespace usbguard
}
if (method_name == "appendRule") {
+ if (! isAuthorizedByPolkit(invocation)) {
+ return;
+ }
+
const char* rule_spec_cstr = nullptr;
uint32_t parent_id = 0;
g_variant_get(parameters, "(&su)", &rule_spec_cstr, &parent_id);
@@ -148,6 +166,10 @@ namespace usbguard
}
if (method_name == "removeRule") {
+ if (! isAuthorizedByPolkit(invocation)) {
+ return;
+ }
+
uint32_t rule_id = 0;
g_variant_get(parameters, "(u)", &rule_id);
removeRule(rule_id);
@@ -164,6 +186,10 @@ namespace usbguard
GDBusMethodInvocation* invocation)
{
if (method_name == "listDevices") {
+ if (! isAuthorizedByPolkit(invocation)) {
+ return;
+ }
+
const char* query_cstr = nullptr;
g_variant_get(parameters, "(&s)", &query_cstr);
std::string query(query_cstr);
@@ -196,6 +222,10 @@ namespace usbguard
}
if (method_name == "applyDevicePolicy") {
+ if (! isAuthorizedByPolkit(invocation)) {
+ return;
+ }
+
uint32_t device_id = 0;
uint32_t target_integer = 0;
gboolean permanent = false;
@@ -327,6 +357,113 @@ namespace usbguard
with_interface_string.c_str());
return builder;
}
+
+ std::string DBusBridge::formatGError(GError* error)
+ {
+ if (error) {
+ std::stringstream formatGError;
+ formatGError << error->message << " (code " << error->code << ")";
+ return formatGError.str();
+ }
+ else {
+ return "unknown error";
+ }
+ }
+
+ bool DBusBridge::isAuthorizedByPolkit(GDBusMethodInvocation* invocation)
+ {
+ GError* error = NULL;
+ USBGUARD_LOG(Trace) << "Extracting bus name...";
+ const gchar* const /*no-free!*/ bus_name = g_dbus_method_invocation_get_sender (invocation);
+
+ if (! bus_name) {
+ USBGUARD_LOG(Trace) << "Failed to extract bus name.";
+ return false;
+ }
+
+ USBGUARD_LOG(Trace) << "Extracted bus name \"" << bus_name << "\".";
+ USBGUARD_LOG(Trace) << "Extracting interface name...";
+ const gchar* const /*no-free!*/ interfaceName = g_dbus_method_invocation_get_interface_name(invocation);
+
+ if (! interfaceName) {
+ USBGUARD_LOG(Trace) << "Failed to extract interface name.";
+ return false;
+ }
+
+ USBGUARD_LOG(Trace) << "Extracted interface name \"" << interfaceName << "\".";
+ USBGUARD_LOG(Trace) << "Extracting method name...";
+ const gchar* const /*no-free!*/ methodName = g_dbus_method_invocation_get_method_name(invocation);
+
+ if (! methodName) {
+ USBGUARD_LOG(Trace) << "Failed to extract method name.";
+ return false;
+ }
+
+ std::stringstream action_id;
+ action_id << interfaceName << "." << methodName;
+ USBGUARD_LOG(Trace) << "Extracted method name \"" << methodName << "\".";
+ USBGUARD_LOG(Trace) << "Creating a system bus Polkit subject...";
+ PolkitSubject* const subject = polkit_system_bus_name_new(bus_name);
+
+ if (! subject) {
+ USBGUARD_LOG(Trace) << "Failed to create Polkit subject.";
+ return false;
+ }
+
+ USBGUARD_LOG(Trace) << "Created.";
+ USBGUARD_LOG(Trace) << "Connecting with Polkit authority...";
+ PolkitAuthority* const authority = polkit_authority_get_sync(/*cancellable=*/ NULL, &error);
+
+ if (! authority || error) {
+ USBGUARD_LOG(Trace) << "Failed to connect to Polkit authority: " << formatGError(error) << ".";
+ g_error_free(error);
+ g_object_unref(authority);
+ g_object_unref(subject);
+ return false;
+ }
+
+ USBGUARD_LOG(Trace) << "Connected.";
+ USBGUARD_LOG(Trace) << "Customizing Polkit authentification dialog...";
+ PolkitDetails* const details = polkit_details_new();
+
+ if (! details) {
+ USBGUARD_LOG(Trace) << "Failed to customize the Polkit authentification dialog.";
+ g_object_unref(authority);
+ g_object_unref(subject);
+ return false;
+ }
+
+ polkit_details_insert (details, "polkit.message", "This USBGuard action needs authorization");
+ USBGUARD_LOG(Trace) << "Customized.";
+ USBGUARD_LOG(Trace) << "Checking authorization of action \"" << action_id.str() << "\" with Polkit ...";
+ const PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION;
+ PolkitAuthorizationResult* const result = polkit_authority_check_authorization_sync
+ (authority,
+ subject,
+ action_id.str().c_str(),
+ details,
+ flags,
+ /*cancellable=*/ NULL,
+ &error);
+
+ if (! result || error) {
+ USBGUARD_LOG(Trace) << "Failed to check back with Polkit for authoriation: " << formatGError(error) << ".";
+ g_error_free(error);
+ g_object_unref(result);
+ g_object_unref(details);
+ g_object_unref(authority);
+ g_object_unref(subject);
+ return false;
+ }
+
+ gboolean isAuthorized = polkit_authorization_result_get_is_authorized(result);
+ USBGUARD_LOG(Trace) << (isAuthorized ? "Authorized" : "Not authorized") << ".";
+ g_object_unref(result);
+ g_object_unref(details);
+ g_object_unref(authority);
+ g_object_unref(subject);
+ return isAuthorized;
+ }
} /* namespace usbguard */
/* vim: set ts=2 sw=2 et */
diff --git a/src/DBus/DBusBridge.hpp b/src/DBus/DBusBridge.hpp
index bb9d96a..838ab34 100644
--- a/src/DBus/DBusBridge.hpp
+++ b/src/DBus/DBusBridge.hpp
@@ -71,6 +71,8 @@ namespace usbguard
bool rule_match,
uint32_t rule_id);
+ static std::string formatGError(GError* error);
+ static bool isAuthorizedByPolkit(GDBusMethodInvocation* invocation);
GDBusConnection* const p_gdbus_connection;
void(*p_ipc_callback)(bool);
--
2.23.0

22
policykit-dbus-chat-selinux.patch Normal file
View File

@ -0,0 +1,22 @@
diff -up ./usbguard-selinux-0.0.4/usbguard.te.policykit ./usbguard-selinux-0.0.4/usbguard.te
--- ./usbguard-selinux-0.0.4/usbguard.te.policykit 2022-03-15 10:32:21.002852930 +0100
+++ ./usbguard-selinux-0.0.4/usbguard.te 2022-03-15 10:36:47.844040559 +0100
@@ -99,9 +99,17 @@ logging_log_filetrans(usbguard_t, usbgua
logging_send_syslog_msg(usbguard_t)
-dbus_system_domain(usbguard_t, usbguard_exec_t)
usbguard_ipc_access(usbguard_t)
+optional_policy(`
+ dbus_system_domain(usbguard_t, usbguard_exec_t)
+
+ optional_policy(`
+ policykit_dbus_chat(usbguard_t)
+ ')
+')
+
+
tunable_policy(`usbguard_daemon_write_rules',`
rw_files_pattern(usbguard_t, usbguard_rules_t, usbguard_rules_t)
')

BIN
usbguard-0.7.2.tar.gz
View File

Binary file not shown.

BIN
usbguard-1.1.2.tar.gz Normal file
View File

Binary file not shown.

18
usbguard-daemon.conf
View File

@ -9,6 +9,19 @@
# #
RuleFile=/etc/usbguard/rules.conf RuleFile=/etc/usbguard/rules.conf
#
# Rule set folder path.
#
# The USBGuard daemon will use this folder to load the policy
# rule set from it and to write new rules received via the
# IPC interface.
#
# RuleFolder=/path/to/rulesfolder/
#
RuleFolder=/etc/usbguard/rules.d/
# #
# Implicit policy target. # Implicit policy target.
# #
@ -171,3 +184,8 @@ AuditBackend=FileAudit
# #
AuditFilePath=/var/log/usbguard/usbguard-audit.log AuditFilePath=/var/log/usbguard/usbguard-audit.log
#
# Hides personally identifiable information such as device serial numbers and
# hashes of descriptors (which include the serial number) from audit entries.
#
HidePII=false

17
usbguard-revert-catch.patch Normal file
View File

@ -0,0 +1,17 @@
diff -up ./configure.ac.fix ./configure.ac
--- ./configure.ac.fix 2022-03-03 15:05:03.357194713 +0100
+++ ./configure.ac 2022-03-03 15:06:02.849787794 +0100
@@ -394,11 +394,11 @@ if test "x$with_bundled_catch" = xyes; t
catch_summary="bundled; $catch_CFLAGS $catch_LIBS"
else
SAVE_CPPFLAGS=$CPPFLAGS
- CPPFLAGS="-std=c++17 $CPPFLAGS -I/usr/include/catch2"
+ CPPFLAGS="-std=c++17 $CPPFLAGS -I/usr/include/catch"
AC_LANG_PUSH([C++])
AC_CHECK_HEADER([catch.hpp], [], [AC_MSG_FAILURE(catch.hpp not found or not usable. Re-run with --with-bundled-catch to use the bundled library.)])
AC_LANG_POP
- catch_CFLAGS="-I/usr/include/catch2"
+ catch_CFLAGS="-I/usr/include/catch"
catch_LIBS=""
CPPFLAGS=$SAVE_CPPFLAGS
catch_summary="system-wide; $catch_CFLAGS $catch_LIBS"

116
usbguard.spec
View File

@ -1,26 +1,29 @@
%global _hardened_build 1 %global selinuxtype targeted
%global moduletype contrib
%define semodule_version 0.0.4
Name: usbguard Name: usbguard
Version: 0.7.2 Version: 1.1.2
Release: 7 Release: 1
Summary: A tool for computer usb guard Summary: A tool for computer usb guard
License: GPLv2+ License: GPLv2+
URL: https://usbguard.github.io/ URL: https://usbguard.github.io/
Source0: https://github.com/USBGuard/usbguard/releases/download/usbguard-%{version}/usbguard-%{version}.tar.gz Source0: https://github.com/USBGuard/usbguard/releases/download/usbguard-%{version}/usbguard-%{version}.tar.gz
Source1: usbguard-daemon.conf Source1: https://github.com/USBGuard/usbguard-selinux/archive/refs/tags/v%{semodule_version}.tar.gz
Patch0000: 0001-Update-to-latest-PEGTL-API.patch Source2: usbguard-daemon.conf
Patch0001: CVE-2019-25058-1.patch Patch0000: usbguard-revert-catch.patch
Patch0002: CVE-2019-25058-2.patch Patch0001: policykit-dbus-chat-selinux.patch
Patch0003: CVE-2019-25058-3.patch
Patch0004: CVE-2019-25058-4.patch BuildRequires: libqb-devel libgcrypt-devel libstdc++-devel protobuf-devel protobuf-compiler PEGTL-static gcc gcc-c++
Patch0005: CVE-2019-25058-5.patch BuildRequires: catch1-devel autoconf automake libtool bash-completion asciidoc audit-libs-devel systemd make
Patch0006: CVE-2019-25058-6.patch
Patch0007: CVE-2019-25058-7.patch
BuildRequires: libqb-devel libgcrypt-devel libstdc++-devel protobuf-devel protobuf-compiler PEGTL-static
BuildRequires: catch1-devel autoconf automake libtool bash-completion asciidoctor audit-libs-devel systemd
BuildRequires: qt5-qtbase-devel qt5-qtsvg-devel qt5-linguist dbus-glib-devel dbus-devel glib2-devel
BuildRequires: polkit-devel libxslt libxml2
Requires: systemd Requires: systemd
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
Obsoletes: %{name}-applet-qt < 0.7.6
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig
%description %description
USBGuard helps to protect your computer against rogue USB devices. USBGuard helps to protect your computer against rogue USB devices.
@ -39,21 +42,29 @@ Requires: usbguard = %{version}-%{release}
%description tools %description tools
Optional tools from the USBGuard software framework. Optional tools from the USBGuard software framework.
%package applet-qt
Summary: USBGuard Qt 5.x Applet
Requires: usbguard = %{version}-%{release}
Obsoletes: usbguard-applet-qt <= 0.3
%description applet-qt
Optional Qt 5.x desktop applet for interacting with the USBGuard daemon component.
%package dbus %package dbus
Summary: USBGuard D-Bus Service Summary: USBGuard D-Bus Service
BuildRequires: dbus-glib-devel dbus-devel glib2-devel
BuildRequires: polkit-devel libxslt libxml2
Requires: usbguard = %{version}-%{release} dbus polkit Requires: usbguard = %{version}-%{release} dbus polkit
%description dbus %description dbus
Optional component that provides a D-Bus interface to the USBGuard daemon component. Optional component that provides a D-Bus interface to the USBGuard daemon component.
%package selinux
Summary: USBGuard selinux
Group: Applications/System
Requires: %{name} = %{version}-%{release}
BuildRequires: selinux-policy-devel
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildArch: noarch
%{?selinux_requires}
%description selinux
The %{name}-selinux package contains selinux policy for the USBGuard daemon.
%package help %package help
Summary: Documentation for usbguard Summary: Documentation for usbguard
Requires: usbguard = %{version}-%{release} Requires: usbguard = %{version}-%{release}
@ -62,28 +73,43 @@ Requires: usbguard = %{version}-%{release}
Documentation for usbguard Documentation for usbguard
%prep %prep
%autosetup -n usbguard-%{version} -p1 %setup -q
rm -rf src/ThirdParty/{Catch,PEGTL}
%setup -q -D -T -a 1
%patch0000 -p1 -b .catch
%patch0001 -p1 -b .policykit
%build %build
install -d ./m4 install -d ./m4
autoreconf -i -v --no-recursive ./ autoreconf -i -v --no-recursive ./
%configure --disable-silent-rules --without-bundled-catch --without-bundled-pegtl \ %configure --disable-silent-rules --without-bundled-catch --without-bundled-pegtl \
--enable-systemd --with-gui-qt=qt5 --with-dbus --with-polkit \ --enable-systemd --with-dbus --with-polkit \
--with-crypto-library=gcrypt --with-crypto-library=gcrypt
%make_build %make_build
pushd %{name}-selinux-%{semodule_version}
make
popd
%check %check
make check make check
%install %install
%make_install %make_install
mkdir -p %{buildroot}%{_sysconfdir}/usbguard/rules.d
install -d %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d install -d %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d
cp %{SOURCE1} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf cp %{SOURCE2} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
chmod 644 %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf chmod 644 %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
%delete_la %delete_la
%preun %preun
@ -106,6 +132,20 @@ chmod 644 %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
%postun dbus %postun dbus
%systemd_postun_with_restart usbguard-dbus.service %systemd_postun_with_restart usbguard-dbus.service
%pre selinux
%selinux_relabel_pre -s %{selinuxtype}
%post selinux
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%postun selinux
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{name}
fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
%files %files
%doc LICENSE %doc LICENSE
%exclude %{_libdir}/*.a %exclude %{_libdir}/*.a
@ -114,6 +154,7 @@ chmod 644 %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
%{_bindir}/usbguard %{_bindir}/usbguard
%dir %{_localstatedir}/log/usbguard %dir %{_localstatedir}/log/usbguard
%dir %{_sysconfdir}/usbguard %dir %{_sysconfdir}/usbguard
%dir %{_sysconfdir}/usbguard/rules.d/
%dir %{_sysconfdir}/usbguard/IPCAccessControl.d %dir %{_sysconfdir}/usbguard/IPCAccessControl.d
%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf %config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf
%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf %config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf
@ -128,23 +169,26 @@ chmod 644 %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
%files tools %files tools
%{_bindir}/usbguard-rule-parser %{_bindir}/usbguard-rule-parser
%files applet-qt
%{_bindir}/usbguard-applet-qt
%{_datadir}/applications/usbguard-applet-qt.desktop
%{_datadir}/icons/hicolor/scalable/apps/usbguard-icon.svg
%files dbus %files dbus
%{_sbindir}/usbguard-dbus %{_sbindir}/usbguard-dbus
%{_datadir}/dbus-1/system-services/org.usbguard.service %{_datadir}/dbus-1/system-services/org.usbguard1.service
%{_datadir}/dbus-1/system.d/org.usbguard.conf %{_datadir}/dbus-1/system.d/org.usbguard1.conf
%{_datadir}/polkit-1/actions/org.usbguard.policy %{_datadir}/polkit-1/actions/org.usbguard1.policy
%{_unitdir}/usbguard-dbus.service %{_unitdir}/usbguard-dbus.service
%files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
%files help %files help
%doc README.adoc CHANGELOG.md %doc README.adoc CHANGELOG.md
%{_mandir}/*/* %{_mandir}/*/*
%changelog %changelog
* Thu Apr 20 2023 liyanan <thistleslyn@163.com> - 1.1.2-1
- upgrade 1.1.2
* Mon Mar 07 2022 houyingchao <houyingchao@huawei.com> - 0.7.2-7 * Mon Mar 07 2022 houyingchao <houyingchao@huawei.com> - 0.7.2-7
- Fix CVE-2019-25058 - Fix CVE-2019-25058

BIN
v0.0.4.tar.gz Normal file
View File

Binary file not shown.