Upgrade to 1.3.2

2023-10-19 16:44:08 +08:00 · 2023-10-19 16:44:08 +08:00 · d1e6faced1
commit d1e6faced1
parent 06240401f0
12 changed files with 23 additions and 210 deletions
--- a/Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch
+++ b/Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch
@ -1,29 +0,0 @@
 From 194ac1b87ba46ea9e26a865e8432e228cf8fefef Mon Sep 17 00:00:00 2001
 From: Steven Brzozowski <stevenbrz8@gmail.com>
 Date: Thu, 20 Oct 2022 17:55:30 -0400
 Subject: [PATCH] Add `FAN_MARK_MOUNT` when opting out of `FAN_MARK_FILESYSTEM`
 (#210)
 Without `FAN_MARK_MOUNT`, fapolicyd will not receive events for any subdirectories specified by the path parameter.
 ---
 src/daemon/notify.c | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/src/daemon/notify.c b/src/daemon/notify.c
 index 586b6df..5e4f160 100644
 --- a/src/daemon/notify.c
 +++ b/src/daemon/notify.c
@@ -128,10 +128,13 @@ int init_fanotify(const conf_t *conf, mlist *m)
 #if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
 		if (conf->allow_filesystem_mark)
 		    flags |= FAN_MARK_FILESYSTEM;
 +		else
 +		    flags |= FAN_MARK_MOUNT;
 #else
 		if (conf->allow_filesystem_mark)
 			msg(LOG_ERR,
 	    "allow_filesystem_mark is unsupported for this kernel - ignoring");
 +		flags |= FAN_MARK_MOUNT;
 #endif
 		if (fanotify_mark(fd, flags, mask, -1, path) == -1) {
 			/*
--- a/Bugfixes-for-dnf-plugin.patch
+++ b/Bugfixes-for-dnf-plugin.patch
@ -1,31 +0,0 @@
 From 9e43b117bc7efed1e67a8fb4bb60d7e9bf9104b8 Mon Sep 17 00:00:00 2001
 From: Steven Brzozowski <stevenbrz8@gmail.com>
 Date: Fri, 7 Oct 2022 14:15:53 -0400
 Subject: [PATCH] Bugfixes for dnf plugin
 * Point to the correct fifo path
 * Write a newline to get fapolicyd to pick up the write
 ---
 dnf/fapolicyd-dnf-plugin.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/dnf/fapolicyd-dnf-plugin.py b/dnf/fapolicyd-dnf-plugin.py
 index 3de66518..650fe89d 100644
 --- a/dnf/fapolicyd-dnf-plugin.py
 +++ b/dnf/fapolicyd-dnf-plugin.py
@@ -8,7 +8,7 @@
 class Fapolicyd(dnf.Plugin):
     name = "fapolicyd"
 -    pipe = "/var/run/fapolicyd/fapolicyd.fifo"
 +    pipe = "/run/fapolicyd/fapolicyd.fifo"
     file = None
     def __init__(self, base, cli):
@@ -32,5 +32,5 @@ def transaction(self):
             sys.stderr.write("fapolicy-plugin does not have write permission: " + self.pipe + "\n")
             return
 -        self.file.write("1")
 +        self.file.write("1\n")
         self.file.close()
--- a/Fix-build-error.patch
+++ b/Fix-build-error.patch
@ -1,60 +0,0 @@
 From f334120c91a857f6200c4028cbb7bad2d2162792 Mon Sep 17 00:00:00 2001
 From: starlet-dx <15929766099@163.com>
 Date: Wed, 9 Nov 2022 18:32:54 +0800
 Subject: [PATCH 1/1] Fix build error
 ---
 src/daemon/notify.c         |  5 +++--
 src/library/daemon-config.c | 14 ++++++++------
 2 files changed, 11 insertions(+), 8 deletions(-)
 diff --git a/src/daemon/notify.c b/src/daemon/notify.c
 index c91abc4..586b6df 100644
 --- a/src/daemon/notify.c
 +++ b/src/daemon/notify.c
@@ -122,9 +122,10 @@ int init_fanotify(const conf_t *conf, mlist *m)
 	// Iterate through the mount points and add a mark
 	path = mlist_first(m);
 	while (path) {
 +		unsigned int flags;
 retry_mark:
 -		unsigned int flags = FAN_MARK_ADD;
 -#ifdef HAVE_DECL_FAN_MARK_FILESYSTEM
 +		flags = FAN_MARK_ADD;
 +#if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
 		if (conf->allow_filesystem_mark)
 		    flags |= FAN_MARK_FILESYSTEM;
 #else
 diff --git a/src/library/daemon-config.c b/src/library/daemon-config.c
 index 89b7f68..ba8ade0 100644
 --- a/src/library/daemon-config.c
 +++ b/src/library/daemon-config.c
@@ -618,17 +618,19 @@ static int fs_mark_parser(const struct nv_pair *nv, int line,
 		conf_t *config)
 {
 	int rc = 0;
 -#ifndef HAVE_DECL_FAN_MARK_FILESYSTEM
 -	msg(LOG_WARNING,
 -	    "allow_filesystem_mark is unsupported on this kernel - ignoring");
 -#else
 -	rc = unsigned_int_parser(&(config->allow_filesystem_mark), nv->value, line);
 +#if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
 +	rc = unsigned_int_parser(&(config->allow_filesystem_mark),
 +				 nv->value, line);
 	if (rc == 0 && config->allow_filesystem_mark > 1) {
 		msg(LOG_WARNING,
 -			"allow_filesystem_mark value reset to 0 - line %d", line);
 +			"allow_filesystem_mark value reset to 0 - line %d",
 +			line);
 		config->allow_filesystem_mark = 0;
 	}
 +#else
 +	msg(LOG_WARNING,
 +	    "allow_filesystem_mark is unsupported on this kernel - ignoring");
 #endif
 	return rc;
 -- 
 2.30.0
--- a/fapolicyd-1.1.5.tar.gz
+++ b/fapolicyd-1.1.5.tar.gz
--- a/fapolicyd-1.3.2.tar.gz
+++ b/fapolicyd-1.3.2.tar.gz
--- a/fapolicyd-selinux-0.4.tar.gz
+++ b/fapolicyd-selinux-0.4.tar.gz
--- a/fapolicyd-selinux-0.6.tar.gz
+++ b/fapolicyd-selinux-0.6.tar.gz
--- a/fapolicyd-selinux-allow-boot-home.patch
+++ b/fapolicyd-selinux-allow-boot-home.patch
@ -1,40 +0,0 @@
 From a1a9a59f93ebfe6d0c9d725ed0712210994e6d64 Mon Sep 17 00:00:00 2001
 From: Zdenek Pytela <zpytela@redhat.com>
 Date: Tue, 6 Apr 2021 16:06:48 +0200
 Subject: [PATCH] Allow fapolicyd watch boot and home directories
 The fapolicyd service needs watch_mount and watch_with_perm permissions
 for fanotify/inotify/dnotify calls on the following directories:
 - /boot and /boot/efi directories
 - /home directories
 Note the /boot/efi directory has the dosfs_t label.
 ---
 fapolicyd.te | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
 index f5d0052..c12f385 100644
 --- a/fapolicyd-selinux-0.4/fapolicyd.te
 +++ b/fapolicyd-selinux-0.4/fapolicyd.te
@@ -63,14 +63,20 @@ domain_read_all_domains_state(fapolicyd_t)
 files_mmap_usr_files(fapolicyd_t)
 files_read_all_files(fapolicyd_t)
 +files_watch_mount_boot_dirs(fapolicyd_t)
 +files_watch_with_perm_boot_dirs(fapolicyd_t)
 files_watch_mount_generic_tmp_dirs(fapolicyd_t)
 files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
 +files_watch_mount_home(fapolicyd_t)
 +files_watch_with_perm_home(fapolicyd_t)
 files_watch_mount_root_dirs(fapolicyd_t)
 files_watch_with_perm_root_dirs(fapolicyd_t)
 fs_getattr_xattr_fs(fapolicyd_t)
 fs_watch_mount_tmpfs_dirs(fapolicyd_t)
 fs_watch_with_perm_tmpfs_dirs(fapolicyd_t)
 +fs_watch_mount_dos_dirs(fapolicyd_t)
 +fs_watch_with_perm_dos_dirs(fapolicyd_t)
 logging_send_syslog_msg(fapolicyd_t)
 dbus_system_bus_client(fapolicyd_t)
--- a/fapolicyd-selinux-watch-perm.patch
+++ b/fapolicyd-selinux-watch-perm.patch
@ -1,31 +0,0 @@
 From 6a966a3ee89233a0a055712f39ca564ba91183bf Mon Sep 17 00:00:00 2001
 From: Zdenek Pytela <zpytela@redhat.com>
 Date: Thu, 15 Apr 2021 16:56:08 +0200
 Subject: [PATCH] Allow fapolicyd watch_mount/watch_with_perm all files and
 directories
 For the fanotify_mark() syscall, fapolicyd uses the FAN_MARK_MOUNT flag
 to mark the file's mount point to monitor. As this can be any file or
 directory on the filesystem, the SELinux watch_mount and watch_with_perm
 permissions are allowed for the file_type attribute.
 ---
 fapolicyd.te | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
 index c12f385..582e03f 100644
 --- a/fapolicyd-selinux-0.4/fapolicyd.te
 +++ b/fapolicyd-selinux-0.4/fapolicyd.te
@@ -36,6 +36,12 @@ allow fapolicyd_t self:process { setcap setsched };
 allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
 allow fapolicyd_t self:unix_dgram_socket create_socket_perms;
 +gen_require(`
 +	attribute file_type;
 +')
 +allow fapolicyd_t file_type:dir { watch_mount watch_with_perm };
 +allow fapolicyd_t file_type:file { watch_mount watch_with_perm };
 +
 manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
 logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
--- a/fapolicyd-uthash-bundle.patch
+++ b/fapolicyd-uthash-bundle.patch
@ -16,7 +16,7 @@ diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
 --- ./src/library/rpm-backend.c.uthash	2022-09-29 11:57:26.297879027 +0200
 +++ ./src/library/rpm-backend.c	2022-09-29 11:58:45.470119807 +0200
@@ -32,7 +32,7 @@
- #include <rpm/rpmdb.h>
+ #include <rpm/rpmpgp.h>
 #include <fnmatch.h>
 -#include <uthash.h>
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@ -1,10 +1,10 @@
 %global selinuxtype targeted
 %global moduletype contrib
-%define semodule_version 0.4
+%define semodule_version 0.6
 Summary: Application Whitelisting Daemon
 Name:    fapolicyd
-Version: 1.1.5
+Version: 1.3.2
 Release: 1
 License: GPLv3+
 URL:     http://people.redhat.com/sgrubb/fapolicyd
@ -27,12 +27,8 @@ Requires(post): systemd-units
 Requires(preun): systemd-units
 Requires(postun): systemd-units
 Patch0: selinux.patch
 Patch1: fapolicyd-uthash-bundle.patch
 Patch2: fapolicyd-selinux-watch-perm.patch
 Patch3: fapolicyd-selinux-allow-boot-home.patch
 Patch4: Fix-build-error.patch
 Patch5: Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch
 Patch6: Bugfixes-for-dnf-plugin.patch
 %description
 Fapolicyd (File Access Policy Daemon) implements application whitelisting
@ -54,21 +50,13 @@ BuildArch: noarch
 The %{name}-selinux package contains selinux policy for the %{name} daemon.
 %prep
 %setup -q
 # selinux
 %setup -q -D -T -a 1
 %patch 0 -p1 -b .selinux
 %setup -q -D -T -a 2
-%patch1 -p1 -b .uthash
+%patch 1 -p1 -b .uthash
 %patch2 -p1 -b .watch-perm
 %patch3 -p1 -b .home
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 # generate rules for python
 sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
@ -176,6 +164,7 @@ fi
 %ghost %{_sysconfdir}/%{name}/%{name}.rules
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}-filter.conf
 %ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
 %attr(644,root,root) %{_unitdir}/%{name}.service
 %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
@ -184,7 +173,6 @@ fi
 %attr(755,root,root) %{_sbindir}/fagenrules
 %attr(644,root,root) %{_mandir}/man8/*
 %attr(644,root,root) %{_mandir}/man5/*
 %attr(644,root,root) %{_mandir}/man1/*
 %ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log
 %attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
 %attr(770,root,%{name}) %dir /run/%{name}
@ -210,5 +198,8 @@ fi
 %selinux_relabel_post -s %{selinuxtype}
 %changelog
 * Thu Oct 19 2023 yaoxin <yao_xin001@hoperun.com> - 1.3.2-1
 - Upgrade to 1.3.2
 * Wed Nov 09 2022 yaoxin <yaoxin30@h-partners.com> - 1.1.5-1
 - Package init
--- a/selinux.patch
+++ b/selinux.patch
@ -0,0 +1,13 @@
 diff -up ./fapolicyd-selinux-0.6/fapolicyd.te.fix ./fapolicyd-selinux-0.6/fapolicyd.te
 --- ./fapolicyd-selinux-0.6/fapolicyd.te.fix	2023-06-15 17:11:47.964646794 +0200
 +++ ./fapolicyd-selinux-0.6/fapolicyd.te	2023-06-15 17:13:10.426477653 +0200
@@ -50,6 +50,9 @@ ifdef(`watch_mount_dirs_pattern',`
 ifdef(`fs_watch_all_fs',`
     fs_watch_all_fs(fapolicyd_t)
 +')
 +
 +ifdef(`files_watch_sb_all_mountpoints',`
     files_watch_sb_all_mountpoints(fapolicyd_t)
 ')