diff --git a/.fapolicyd.metadata b/.fapolicyd.metadata
index 2e63c76..6f3e985 100644
--- a/.fapolicyd.metadata
+++ b/.fapolicyd.metadata
@@ -1 +1 @@
-aadfc739f31ef5497d77174fa95c36b2b98d398b SOURCES/fapolicyd-0.8.10.tar.gz
+1b52ecddcc248f1981d8ceb5cf3bc4c3e839be3c SOURCES/fapolicyd-0.9.1.tar.gz
diff --git a/.gitignore b/.gitignore
index cb03610..c89a875 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/fapolicyd-0.8.10.tar.gz
+SOURCES/fapolicyd-0.9.1.tar.gz
diff --git a/SOURCES/fapolicyd-dnf-output.patch b/SOURCES/fapolicyd-dnf-output.patch
deleted file mode 100644
index 354d733..0000000
--- a/SOURCES/fapolicyd-dnf-output.patch
+++ /dev/null
@@ -1,58 +0,0 @@ -From 5c4efd4cff0459ea65914ce07d7307589206b0cd Mon Sep 17 00:00:00 2001 -From: Radovan Sroka -Date: Mon, 22 Jul 2019 17:21:59 +0200 -Subject: [PATCH] Removed stdout output for dnf plugin - -DNF stdout shouldn't be affected by its plugin. ---- - dnf/fapolicyd-dnf-plugin.py | 16 ++++++---------- - 1 file changed, 6 insertions(+), 10 deletions(-) - -diff --git a/dnf/fapolicyd-dnf-plugin.py b/dnf/fapolicyd-dnf-plugin.py -index 2c9d65e..3de6651 100644 ---- a/dnf/fapolicyd-dnf-plugin.py -+++ b/dnf/fapolicyd-dnf-plugin.py -@@ -3,6 +3,7 @@ - import dnf - import os - import stat -+import sys - - class Fapolicyd(dnf.Plugin): - -@@ -11,30 +12,25 @@ class Fapolicyd(dnf.Plugin): - file = None - - def __init__(self, base, cli): -- print("fapolicyd-plugin is installed and active") - pass - - def transaction(self): -- print("fapolicy-plugin: sending signal to fapolicy daemon") - - if not os.path.exists(self.pipe): -- print("Pipe does not exist (" + self.pipe + ")") -- print("Perhaps fapolicy-plugin does not have enough permission") -- print("or fapolicyd is not running...") -+ sys.stderr.write("Pipe does not exist (" + self.pipe + ")\n") -+ sys.stderr.write("Perhaps fapolicy-plugin does not have enough permissions\n") -+ sys.stderr.write("or fapolicyd is not running...\n") - return - - if not stat.S_ISFIFO(os.stat(self.pipe).st_mode): -- print(self.pipe + ": is not a pipe!") -+ sys.stderr.write(self.pipe + ": is not a pipe!\n") - return - - try: - self.file = open(self.pipe, "w") - except PermissionError: -- print("fapolicy-plugin does not have write permission: " + self.pipe) -+ sys.stderr.write("fapolicy-plugin does not have write permission: " + self.pipe + "\n") - return - - self.file.write("1") - self.file.close() -- -- print("Fapolicyd was notified") -- diff --git a/SOURCES/fapolicyd-dracut.patch b/SOURCES/fapolicyd-dracut.patch deleted file mode 100644 index 0f1ccd7..0000000 --- a/SOURCES/fapolicyd-dracut.patch +++ /dev/null 
@@ -1,14 +0,0 @@
-diff -up ./init/fapolicyd.rules.fix ./init/fapolicyd.rules
---- ./init/fapolicyd.rules.fix 2020-01-20 13:39:06.082916773 +0100
-+++ ./init/fapolicyd.rules 2020-01-20 13:41:45.088018967 +0100
-@@ -5,6 +5,10 @@
- # versions of python and the update utilities may need adjusting for
- # your distribution.
- 
-+# enable dracut
-+allow uid=0 dir=/var/tmp/
-+allow uid=0 exe=/usr/lib64/ld-2.28.so dir=systemdirs
-+
- # Prevent execution by ld.so
- deny_audit pattern=ld_so all
- 
diff --git a/SOURCES/fapolicyd-elf-parser.patch b/SOURCES/fapolicyd-elf-parser.patch
new file mode 100644
index 0000000..f0feac3
--- /dev/null
+++ b/SOURCES/fapolicyd-elf-parser.patch
@@ -0,0 +1,39 @@
+From 2caac530f13bf69a988f65eb109f26a7311936c6 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Thu, 20 Feb 2020 17:58:55 -0500
+Subject: [PATCH] Sanity check e_phentsize in ELF parser
+
+---
+ src/file.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/src/file.c b/src/file.c
+index 3c9d084..e0d4f85 100644
+--- a/src/file.c
++++ b/src/file.c
+@@ -469,6 +469,12 @@ uint32_t gather_elf(int fd, off_t size)
+ // We want to do a basic size check to make sure
+ unsigned long sz =
+ (unsigned)hdr->e_phentsize * (unsigned)hdr->e_phnum;
++ /* Verify the entry size is right */
++ if ((unsigned)hdr->e_phentsize != sizeof(Elf32_Phdr)) {
++ info |= HAS_ERROR;
++ free(hdr);
++ goto rewind_out;
++ }
+ if (sz > ((unsigned long)size - sizeof(Elf32_Ehdr))) {
+ info |= HAS_ERROR;
+ free(hdr);
+@@ -600,6 +606,12 @@ uint32_t gather_elf(int fd, off_t size)
+ // We want to do a basic size check to make sure
+ unsigned long sz =
+ (unsigned)hdr->e_phentsize * (unsigned)hdr->e_phnum;
++ /* Verify the entry size is right */
++ if ((unsigned)hdr->e_phentsize != sizeof(Elf64_Phdr)) {
++ info |= HAS_ERROR;
++ free(hdr);
++ goto rewind_out;
++ }
+ if (sz > ((unsigned long)size - sizeof(Elf64_Ehdr))) {
+ info |= HAS_ERROR;
+ free(hdr);
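Review bot: In both the Elf32 and Elf64 hunks of the embedded patch, the new `e_phentsize` guard runs only after `sz` has already been computed from that same unvalidated field; moving the guard above the `unsigned long sz =` line would make the validation order explicit and keep a malformed header out of the multiplication entirely. The comment `/* Verify the entry size is right */` says what but not why; since the spec changelog ties this patch to a possible heap buffer overflow (rhbz#1807912), the comment should carry that, e.g. `/* A phentsize that differs from sizeof(Elf32_Phdr) means the program header table cannot be walked safely; treat the file as malformed (rhbz#1807912) */`. Requiring strict equality is tighter than the ELF field alone implies, but it is the conservative choice for an allowlisting daemon and, as far as I know, matches what the dynamic loader itself accepts. The enclosing `gather_elf` starts and ends outside the hunk, so whether `size` was already checked against `sizeof(Elf32_Ehdr)` before the subtraction on the following line cannot be confirmed from here.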
diff --git a/SOURCES/fapolicyd-hash.patch b/SOURCES/fapolicyd-hash.patch
deleted file mode 100644
index 8ec1693..0000000
--- a/SOURCES/fapolicyd-hash.patch
+++ /dev/null
@@ -1,53 +0,0 @@ -From f5bca29fb408fce7297656c5bb01f70cd452a9d7 Mon Sep 17 00:00:00 2001 -From: Steve Grubb -Date: Thu, 20 Jun 2019 14:46:36 -0400 -Subject: [PATCH] Convert hashes to lowercase like sha256sum outputs - ---- - ChangeLog | 1 + - doc/fapolicyd.rules.5 | 2 +- - src/file.c | 5 +++-- - 3 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/doc/fapolicyd.rules.5 b/doc/fapolicyd.rules.5 -index 6b12f03..887bdf7 100644 ---- a/doc/fapolicyd.rules.5 -+++ b/doc/fapolicyd.rules.5 -@@ -115,7 +115,7 @@ This option will match against the device that the file being accessed resides o - This option matches against the mime type of the file being accessed. See \fBexe_type\fP for more information on determining the mime type. - .TP - .B sha256hash --This option matches against the sha256 hash of the file being accessed. -+This option matches against the sha256 hash of the file being accessed. The hash in the rules should be all lowercase letters and do NOT start with 0x. Lowercase is the default output of sha256sum. - .RE - - .SH EXAMPLES -diff --git a/src/file.c b/src/file.c -index 39d3a58..68e6bf5 100644 ---- a/src/file.c -+++ b/src/file.c -@@ -1,6 +1,6 @@ - /* - * file.c - functions for accessing attributes of files -- * Copyright (c) 2016,2018 Red Hat Inc., Durham, North Carolina. -+ * Copyright (c) 2016,2018-19 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * - * This software may be freely redistributed and/or modified under the -@@ -272,7 +272,7 @@ static char *bytes2hex(char *final, const char *buf, unsigned int size) - { - unsigned int i; - char *ptr = final; -- const char *hex = "0123456789ABCDEF"; -+ const char *hex = "0123456789abcdef"; - - for (i=0; i>4]; /* Upper nibble */ -@@ -307,6 +307,7 @@ char *get_hash_from_fd(int fd) - return NULL; - - // read in a buffer at a time and hand to gcrypt -+ lseek(fd, 0, SEEK_SET); - while ((len = safe_read(fd, fbuf, 4096)) > 0) { - gcry_md_write(ctx, fbuf, len); - if (len != 4096) 
diff --git a/SOURCES/fapolicyd-manpage.patch b/SOURCES/fapolicyd-manpage.patch
deleted file mode 100644
index 0c268d7..0000000
--- a/SOURCES/fapolicyd-manpage.patch
+++ /dev/null
@@ -1,127 +0,0 @@ -From 51bfe6f1336d8924ebfab5839412833387a618e1 Mon Sep 17 00:00:00 2001 -From: Scorpion -Date: Wed, 10 Jul 2019 16:20:13 +0200 -Subject: [PATCH] manpage for fapolicyd-cli added (#38) - ---- - doc/Makefile.am | 2 +- - doc/fapolicyd-cli.1 | 22 ++++++++++++++++++++++ - doc/fapolicyd.8 | 3 ++- - doc/fapolicyd.conf.5 | 7 ++++--- - doc/fapolicyd.rules.5 | 5 +++-- - fapolicyd.spec | 1 + - 6 files changed, 33 insertions(+), 7 deletions(-) - create mode 100644 doc/fapolicyd-cli.1 - -diff --git a/doc/Makefile.am b/doc/Makefile.am -index 7fabe91..bd56170 100644 ---- a/doc/Makefile.am -+++ b/doc/Makefile.am -@@ -22,5 +22,5 @@ - - EXTRA_DIST = $(man_MANS) - --man_MANS = fapolicyd.8 fapolicyd.rules.5 fapolicyd.conf.5 -+man_MANS = fapolicyd.8 fapolicyd-cli.1 fapolicyd.rules.5 fapolicyd.conf.5 - -diff --git a/doc/fapolicyd-cli.1 b/doc/fapolicyd-cli.1 -new file mode 100644 -index 0000000..85d29cf ---- /dev/null -+++ b/doc/fapolicyd-cli.1 -@@ -0,0 +1,22 @@ -+.TH "FAPOLICYD-CLI" "1" "July 2019" "Red Hat" "System Administration Utilities" -+.SH NAME -+fapolicyd-cli \- Fapolicyd CLI Tool -+.SH SYNOPSIS -+\fBfapolicyd-cli\fP [\fIoptions\fP] -+.SH DESCRIPTION -+Fapolicyd CLI Tool. -+.SH OPTIONS -+.TP -+.B \-h, \-\-help -+Prints this help message. -+.TP -+.B \-u, \-\-update -+Notifies fapolicyd to perform update of database. -+.SH "SEE ALSO" -+.BR fapolicyd (8), -+.BR fapolicyd.rules (5) -+and -+.BR fapolicyd.conf (5) -+ -+.SH AUTHOR -+Zoltan Fridrich -diff --git a/doc/fapolicyd.8 b/doc/fapolicyd.8 -index 01745d4..3cfaaef 100644 ---- a/doc/fapolicyd.8 -+++ b/doc/fapolicyd.8 -@@ -1,4 +1,4 @@ --.TH "FAPOLICYD" "8" "June 2018" "Red Hat" "System Administration Utilities" -+.TH "FAPOLICYD" "8" "July 2019" "Red Hat" "System Administration Utilities" - .SH NAME - fapolicyd \- File Access Policy Daemon - .SH SYNOPSIS -@@ -58,6 +58,7 @@ To get audit events, you must have auditing enabled and at least one systemcall - - information about what was being accessed. 
- - .SH "SEE ALSO" -+.BR fapolicyd-cli (1), - .BR fapolicyd.rules (5) - and - .BR fapolicyd.conf (5) -diff --git a/doc/fapolicyd.conf.5 b/doc/fapolicyd.conf.5 -index 2e758cc..87e994c 100644 ---- a/doc/fapolicyd.conf.5 -+++ b/doc/fapolicyd.conf.5 -@@ -1,4 +1,4 @@ --.TH FAPOLICYD.CONF: "5" "June 2018" "Red Hat" "System Administration Utilities" -+.TH FAPOLICYD.CONF: "5" "July 2019" "Red Hat" "System Administration Utilities" - .SH NAME - fapolicyd.conf \- fapolicyd configuration file - .SH DESCRIPTION -@@ -47,9 +47,10 @@ This option controls how many entries the subject cache holds. You want the size - This option controls how many entries the object cache holds. You want the size to be big enough that you are not getting too many evictions compared to hits. But you don't want to waste memory. Whenever there is an eviction, fapolicyd has to regenerate information about the subject and this slows performance. The default value is 4096. - - .SH "SEE ALSO" --.BR fapolicyd(8) -+.BR fapolicyd (8), -+.BR fapolicyd-cli (1) - and --.BR fapolicy.rules(5). -+.BR fapolicy.rules (5). - - .SH AUTHOR - Steve Grubb -diff --git a/doc/fapolicyd.rules.5 b/doc/fapolicyd.rules.5 -index 887bdf7..067fa43 100644 ---- a/doc/fapolicyd.rules.5 -+++ b/doc/fapolicyd.rules.5 -@@ -1,4 +1,4 @@ --.TH FAPOLICYD.RULES: "7" "May 2016" "Red Hat" "System Administration Utilities" -+.TH FAPOLICYD.RULES: "7" "July 2019" "Red Hat" "System Administration Utilities" - .SH NAME - fapolicyd.rules \- fapolicyd rules to determine access rights - .SH DESCRIPTION -@@ -129,7 +129,8 @@ The following rules show how rules may look. 
- .fi - - .SH "SEE ALSO" --.BR fapolicyd (8) -+.BR fapolicyd (8), -+.BR fapolicyd-cli (1) - and - .BR fapolicyd.conf (5) - -diff --git a/fapolicyd.spec b/fapolicyd.spec -index 66656b6..fed4dd4 100644 ---- a/fapolicyd.spec -+++ b/fapolicyd.spec -@@ -61,6 +61,7 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam - %attr(755,root,root) %{_sbindir}/%{name}-cli - %attr(644,root,root) %{_mandir}/man8/* - %attr(644,root,root) %{_mandir}/man5/* -+%attr(644,root,root) %{_mandir}/man1/* - %ghost %{_localstatedir}/log/%{name}-access.log - %attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name} - %attr(770,root,%{name}) %dir /run/%{name} diff --git a/SOURCES/fapolicyd-rules.patch b/SOURCES/fapolicyd-rules.patch new file mode 100644 index 0000000..eefcde1 --- /dev/null +++ b/SOURCES/fapolicyd-rules.patch 
@@ -0,0 +1,25 @@ +diff -up ./init/fapolicyd.rules.fix ./init/fapolicyd.rules +--- ./init/fapolicyd.rules.fix 2020-02-11 20:53:48.151150561 +0100 ++++ ./init/fapolicyd.rules 2020-02-11 20:55:02.451575384 +0100 +@@ -39,6 +39,10 @@ allow exe=/usr/bin/python2.7 : ftype=app + deny_audit perm=any all : ftype=text/x-python + #deny_audit perm=any all : ftype=application/octet-stream path=*.pyc + ++# Allow shell script but block all other languages ++allow perm=execute all : ftype=text/x-shellscript ++allow perm=any all : ftype=text/plain ++ + # + # In this next optional languages section, choose either to + # block (default) or allow by commenting or uncommenting the +@@ -66,10 +70,6 @@ deny_audit perm=any exe=/usr/bin/ruby : + #allow perm=open all : ftype=text/x-ruby trust=1 + #deny_audit perm=any all : ftype=text/x-ruby + +-# Allow shell script but block all other languages +-allow perm=execute all : ftype=text/x-shellscript trust=1 +-allow perm=execute all : ftype=text/plain trust=1 +- + # This is a workaround for kernel thinking this is being executed. We + # catch actual execution in rule 3. + allow perm=execute all : path=/usr/lib64/ld-2.30.so trust=1 diff --git a/SPECS/fapolicyd.spec b/SPECS/fapolicyd.spec index aef1899..2b67eb2 100644 --- a/SPECS/fapolicyd.spec +++ b/SPECS/fapolicyd.spec @@ -1,7 +1,7 @@ Summary: Application Whitelisting Daemon Name: fapolicyd -Version: 0.8.10 -Release: 3%{?dist}.3 +Version: 0.9.1 +Release: 4%{?dist} License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz 
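Review bot: The relocated shell-script rules drop the `trust=1` qualifier that the removed lines carried and widen the `text/plain` rule from `perm=execute` to `perm=any`, so the default policy now permits execution of any shell script and any access to any plain-text file regardless of trust status. That is the stated intent per the changelog entry for rhbz#1801872 ("allow running bash scripts in home directories"), but it is a material relaxation of an allowlisting default, and the added block reuses the old comment verbatim instead of saying so; suggested wording: `# Allow shell scripts and plain text files whether or not they are trusted (needed for user scripts in home directories); add trust=1 back to restrict this to trusted files`. Because rules are matched in order (the file's own reference to "rule 3" implies a numbered, ordered policy), moving the block above the optional-languages section also changes which rule wins for anything classified as text/plain, and a short note on that placement would help administrators who edit this file.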
@@ -10,23 +10,14 @@ BuildRequires: autoconf automake make gcc libtool BuildRequires: systemd-devel libgcrypt-devel rpm-devel file-devel BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel BuildRequires: python3-devel +BuildRequires: python2-devel Requires(pre): shadow-utils Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -# Convert hashes to lowercase like sha256sum outputs -Patch1: fapolicyd-hash.patch - -# Removed stdout output for dnf plugin -# 1721496 - Stop littering STDOUT output for dnf plugin in fapolicyd -Patch2: fapolicyd-dnf-output.patch - -# Added missing manpage for fapolicyd-cli -Patch3: fapolicyd-manpage.patch - -# Allow dracut in fapolicyd.rules -Patch4: fapolicyd-dracut.patch +Patch1: fapolicyd-rules.patch +Patch2: fapolicyd-elf-parser.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting @@ -34,13 +25,17 @@ to decide file access rights. Applications that are known via a reputation source are allowed access while unknown applications are not. The daemon makes use of the kernel's fanotify interface to determine file access rights. + %prep %setup -q -%patch1 -p1 -b .hash -%patch2 -p1 -b .dnf-output -%patch3 -p1 -b .manpage -%patch4 -p1 -b .dracut +%patch1 -p1 -F3 +%patch2 -p1 -b .elf-parser + +# generate rules for python +sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules +sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" init/%{name}.rules +sed -i "s/%ld_so_path%/`find /usr/lib64/ -type f -name 'ld-2\.*.so' | sed 's/\//\\\\\//g'`/g" init/%{name}.rules %build ./autogen.sh 
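Review bot: The three `sed` lines added to `%prep` substitute paths into `init/%{name}.rules` from command output that is never checked: `find /usr/lib64/ -type f -name 'ld-2\.*.so'` can return zero or several matches on the build host, and in either case the `%ld_so_path%` replacement becomes an empty or multi-path rule that the build still accepts silently. Failing the build when a lookup yields anything other than exactly one line, or taking the ld.so path from the glibc package rather than a filesystem scan, would make the generated policy deterministic. `%patch1 -p1 -F3` applies the rules patch with a fuzz factor of 3, which lets its hunks land at a shifted offset in an order-sensitive policy file without a build error; since the patch is carried in this repository it could be regenerated against 0.9.1 so that it applies at the stricter default fuzz. The backup suffix is also kept for patch2 (`-b .elf-parser`) but dropped for patch1, which is inconsistent.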
@@ -73,7 +68,6 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam
 %license COPYING
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.rules
-%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.mounts
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/%{name}.service
 %attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
@@ -92,17 +86,34 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam %{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc %changelog -* Tue Mar 03 2020 Radovan Sroka - 0.8.10-3.3 -RHEL 8.1.0.Z -- fixed typo in dracut rule -- changed default fapolicyd.rules -Resolves: rhbz#1809844 - -* Mon Jan 20 2020 Radovan Sroka - 0.8.10-3.1 -RHEL 8.1.Z -- fixed: fapolicyd blocks dracut from generating initramfs -- changed default fapolicyd.rules -Resolves: rhbz#1791856 +* Tue Mar 03 2020 Radovan Sroka - 0.9.1-4 +RHEL 8.2 ERRATUM +- fixed possible heap buffer overflow in elf parser +Resolves: rhbz#1807912 + +* Tue Feb 11 2020 Radovan Sroka - 0.9.1-3 +RHEL 8.2 ERRATUM +- fixed build time python interpreter detection (spec) +- added python2-devel as a BuildRequires (spec) +- allow running bash scripts in home directories +Resolves: rhbz#1801872 + +* Wed Nov 20 2019 Radovan Sroka - 0.9.1-2 +RHEL 8.2 ERRATUM +- rebase to v0.9.1 +- updated default configuration with new syntax +- removed daemon mounts configuration +Resolves: rhbz#1759895 +- default fapolicyd policy prevents Ansible from running +- added ansible rule to default ruleset +Resolves: rhbz#1746464 +- suspicious logs on service start +Resolves: rhbz#1747494 +- fapolicyd blocks dracut from generating initramfs +- added dracut rule to default configuration +Resolves: rhbz#1757736 +- fapolicyd fails to identify perl interpreter +Resolves: rhbz#1765039 * Wed Jul 24 2019 Radovan Sroka - 0.8.10-3 - added missing manpage for fapolicyd-cli