!1 初始化fapolicyd代码仓

From: @starlet-dx Reviewed-by: @zhujianwei001 Signed-off-by: @zhujianwei001
2022-11-10 01:20:40 +00:00 · 2022-11-10 01:20:40 +00:00 · 06240401f0
commit 06240401f0
parent b7c51a0a28 7f46ce2b46
11 changed files with 448 additions and 0 deletions
--- a/Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch
+++ b/Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch
@ -0,0 +1,29 @@
+From 194ac1b87ba46ea9e26a865e8432e228cf8fefef Mon Sep 17 00:00:00 2001
+From: Steven Brzozowski <stevenbrz8@gmail.com>
+Date: Thu, 20 Oct 2022 17:55:30 -0400
+Subject: [PATCH] Add `FAN_MARK_MOUNT` when opting out of `FAN_MARK_FILESYSTEM`
+ (#210)
+
+Without `FAN_MARK_MOUNT`, fapolicyd will not receive events for any subdirectories specified by the path parameter.
+---
+ src/daemon/notify.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/daemon/notify.c b/src/daemon/notify.c
+index 586b6df..5e4f160 100644
+--- a/src/daemon/notify.c
+++ b/src/daemon/notify.c
+@@ -128,10 +128,13 @@ int init_fanotify(const conf_t *conf, mlist *m)
+ #if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
+ 		if (conf->allow_filesystem_mark)
+ 		    flags |= FAN_MARK_FILESYSTEM;
+		else
+		    flags |= FAN_MARK_MOUNT;
+ #else
+ 		if (conf->allow_filesystem_mark)
+ 			msg(LOG_ERR,
+ 	    "allow_filesystem_mark is unsupported for this kernel - ignoring");
+		flags |= FAN_MARK_MOUNT;
+ #endif
+ 		if (fanotify_mark(fd, flags, mask, -1, path) == -1) {
+ 			/*
--- a/Bugfixes-for-dnf-plugin.patch
+++ b/Bugfixes-for-dnf-plugin.patch
@ -0,0 +1,31 @@
+From 9e43b117bc7efed1e67a8fb4bb60d7e9bf9104b8 Mon Sep 17 00:00:00 2001
+From: Steven Brzozowski <stevenbrz8@gmail.com>
+Date: Fri, 7 Oct 2022 14:15:53 -0400
+Subject: [PATCH] Bugfixes for dnf plugin
+
+* Point to the correct fifo path
+* Write a newline to get fapolicyd to pick up the write
+---
+ dnf/fapolicyd-dnf-plugin.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/dnf/fapolicyd-dnf-plugin.py b/dnf/fapolicyd-dnf-plugin.py
+index 3de66518..650fe89d 100644
+--- a/dnf/fapolicyd-dnf-plugin.py
+++ b/dnf/fapolicyd-dnf-plugin.py
+@@ -8,7 +8,7 @@
+ class Fapolicyd(dnf.Plugin):
+ 
+     name = "fapolicyd"
+-    pipe = "/var/run/fapolicyd/fapolicyd.fifo"
+    pipe = "/run/fapolicyd/fapolicyd.fifo"
+     file = None
+ 
+     def __init__(self, base, cli):
+@@ -32,5 +32,5 @@ def transaction(self):
+             sys.stderr.write("fapolicy-plugin does not have write permission: " + self.pipe + "\n")
+             return
+ 
+-        self.file.write("1")
+        self.file.write("1\n")
+         self.file.close()
--- a/Fix-build-error.patch
+++ b/Fix-build-error.patch
@ -0,0 +1,60 @@
+From f334120c91a857f6200c4028cbb7bad2d2162792 Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Wed, 9 Nov 2022 18:32:54 +0800
+Subject: [PATCH 1/1] Fix build error
+
+---
+ src/daemon/notify.c         |  5 +++--
+ src/library/daemon-config.c | 14 ++++++++------
+ 2 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/src/daemon/notify.c b/src/daemon/notify.c
+index c91abc4..586b6df 100644
+--- a/src/daemon/notify.c
+++ b/src/daemon/notify.c
+@@ -122,9 +122,10 @@ int init_fanotify(const conf_t *conf, mlist *m)
+ 	// Iterate through the mount points and add a mark
+ 	path = mlist_first(m);
+ 	while (path) {
+		unsigned int flags;
+ retry_mark:
+-		unsigned int flags = FAN_MARK_ADD;
+-#ifdef HAVE_DECL_FAN_MARK_FILESYSTEM
+		flags = FAN_MARK_ADD;
+#if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
+ 		if (conf->allow_filesystem_mark)
+ 		    flags |= FAN_MARK_FILESYSTEM;
+ #else
+diff --git a/src/library/daemon-config.c b/src/library/daemon-config.c
+index 89b7f68..ba8ade0 100644
+--- a/src/library/daemon-config.c
+++ b/src/library/daemon-config.c
+@@ -618,17 +618,19 @@ static int fs_mark_parser(const struct nv_pair *nv, int line,
+ 		conf_t *config)
+ {
+ 	int rc = 0;
+-#ifndef HAVE_DECL_FAN_MARK_FILESYSTEM
+-	msg(LOG_WARNING,
+-	    "allow_filesystem_mark is unsupported on this kernel - ignoring");
+-#else
+-	rc = unsigned_int_parser(&(config->allow_filesystem_mark), nv->value, line);
+#if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
+	rc = unsigned_int_parser(&(config->allow_filesystem_mark),
+				 nv->value, line);
+ 
+ 	if (rc == 0 && config->allow_filesystem_mark > 1) {
+ 		msg(LOG_WARNING,
+-			"allow_filesystem_mark value reset to 0 - line %d", line);
+			"allow_filesystem_mark value reset to 0 - line %d",
+			line);
+ 		config->allow_filesystem_mark = 0;
+ 	}
+#else
+	msg(LOG_WARNING,
+	    "allow_filesystem_mark is unsupported on this kernel - ignoring");
+ #endif
+ 
+ 	return rc;
+-- 
+2.30.0
+
--- a/fapolicyd-1.1.5.tar.gz
+++ b/fapolicyd-1.1.5.tar.gz
--- a/fapolicyd-selinux-0.4.tar.gz
+++ b/fapolicyd-selinux-0.4.tar.gz
--- a/fapolicyd-selinux-allow-boot-home.patch
+++ b/fapolicyd-selinux-allow-boot-home.patch
@ -0,0 +1,40 @@
+From a1a9a59f93ebfe6d0c9d725ed0712210994e6d64 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Tue, 6 Apr 2021 16:06:48 +0200
+Subject: [PATCH] Allow fapolicyd watch boot and home directories
+
+The fapolicyd service needs watch_mount and watch_with_perm permissions
+for fanotify/inotify/dnotify calls on the following directories:
+- /boot and /boot/efi directories
+- /home directories
+
+Note the /boot/efi directory has the dosfs_t label.
+---
+ fapolicyd.te | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
+index f5d0052..c12f385 100644
+--- a/fapolicyd-selinux-0.4/fapolicyd.te
+++ b/fapolicyd-selinux-0.4/fapolicyd.te
+@@ -63,14 +63,20 @@ domain_read_all_domains_state(fapolicyd_t)
+ 
+ files_mmap_usr_files(fapolicyd_t)
+ files_read_all_files(fapolicyd_t)
+files_watch_mount_boot_dirs(fapolicyd_t)
+files_watch_with_perm_boot_dirs(fapolicyd_t)
+ files_watch_mount_generic_tmp_dirs(fapolicyd_t)
+ files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
+files_watch_mount_home(fapolicyd_t)
+files_watch_with_perm_home(fapolicyd_t)
+ files_watch_mount_root_dirs(fapolicyd_t)
+ files_watch_with_perm_root_dirs(fapolicyd_t)
+ 
+ fs_getattr_xattr_fs(fapolicyd_t)
+ fs_watch_mount_tmpfs_dirs(fapolicyd_t)
+ fs_watch_with_perm_tmpfs_dirs(fapolicyd_t)
+fs_watch_mount_dos_dirs(fapolicyd_t)
+fs_watch_with_perm_dos_dirs(fapolicyd_t)
+ 
+ logging_send_syslog_msg(fapolicyd_t)
+ dbus_system_bus_client(fapolicyd_t)
--- a/fapolicyd-selinux-watch-perm.patch
+++ b/fapolicyd-selinux-watch-perm.patch
@ -0,0 +1,31 @@
+From 6a966a3ee89233a0a055712f39ca564ba91183bf Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Thu, 15 Apr 2021 16:56:08 +0200
+Subject: [PATCH] Allow fapolicyd watch_mount/watch_with_perm all files and
+ directories
+
+For the fanotify_mark() syscall, fapolicyd uses the FAN_MARK_MOUNT flag
+to mark the file's mount point to monitor. As this can be any file or
+directory on the filesystem, the SELinux watch_mount and watch_with_perm
+permissions are allowed for the file_type attribute.
+---
+ fapolicyd.te | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
+index c12f385..582e03f 100644
+--- a/fapolicyd-selinux-0.4/fapolicyd.te
+++ b/fapolicyd-selinux-0.4/fapolicyd.te
+@@ -36,6 +36,12 @@ allow fapolicyd_t self:process { setcap setsched };
+ allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
+ allow fapolicyd_t self:unix_dgram_socket create_socket_perms;
+ 
+gen_require(`
+	attribute file_type;
+')
+allow fapolicyd_t file_type:dir { watch_mount watch_with_perm };
+allow fapolicyd_t file_type:file { watch_mount watch_with_perm };
+
+ manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
+ logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
+ 
--- a/fapolicyd-uthash-bundle.patch
+++ b/fapolicyd-uthash-bundle.patch
@ -0,0 +1,39 @@
+diff -up ./configure.ac.uthash ./configure.ac
+--- ./configure.ac.uthash	2022-09-27 16:34:59.000000000 +0200
+++ ./configure.ac	2022-09-29 11:57:26.297879027 +0200
+@@ -81,10 +81,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
+ ["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )])
+ AC_CHECK_FUNCS(fexecve, [], [])
+ 
+-AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR(
+-["Couldn't find uthash.h...uthash-devel is missing"] )])
+-
+-
+ echo .
+ echo Checking for required libraries
+ AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
+diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
+--- ./src/library/rpm-backend.c.uthash	2022-09-29 11:57:26.297879027 +0200
+++ ./src/library/rpm-backend.c	2022-09-29 11:58:45.470119807 +0200
+@@ -32,7 +32,7 @@
+ #include <rpm/rpmdb.h>
+ #include <fnmatch.h>
+ 
+-#include <uthash.h>
+#include "uthash.h"
+ 
+ #include "message.h"
+ #include "gcc-attributes.h"
+diff -up ./src/Makefile.am.uthash ./src/Makefile.am
+--- ./src/Makefile.am.uthash	2022-09-27 16:34:59.000000000 +0200
+++ ./src/Makefile.am	2022-09-29 11:57:26.297879027 +0200
+@@ -5,6 +5,9 @@ AM_CPPFLAGS = \
+ 	-I${top_srcdir} \
+ 	-I${top_srcdir}/src/library
+ 
+AM_CPPFLAGS += \
+	-I${top_srcdir}/uthash-2.3.0/include
+
+ sbin_PROGRAMS = fapolicyd fapolicyd-cli
+ lib_LTLIBRARIES= libfapolicyd.la
+ 
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@ -0,0 +1,214 @@
+%global selinuxtype targeted
+%global moduletype contrib
+%define semodule_version 0.4
+
+Summary: Application Whitelisting Daemon
+Name:    fapolicyd
+Version: 1.1.5
+Release: 1
+License: GPLv3+
+URL:     http://people.redhat.com/sgrubb/fapolicyd
+Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
+Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
+# we bundle uthash for rhel9
+Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz
+BuildRequires: gcc
+BuildRequires: kernel-headers
+BuildRequires: autoconf automake make gcc libtool
+BuildRequires: systemd systemd-devel openssl-devel rpm-devel file-devel file
+BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
+BuildRequires: python3-devel
+BuildRequires: uthash-devel
+
+Requires: rpm
+Recommends: %{name}-selinux
+Requires(pre): shadow-utils
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+Patch1: fapolicyd-uthash-bundle.patch
+Patch2: fapolicyd-selinux-watch-perm.patch
+Patch3: fapolicyd-selinux-allow-boot-home.patch
+Patch4: Fix-build-error.patch
+Patch5: Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch
+Patch6: Bugfixes-for-dnf-plugin.patch
+
+%description
+Fapolicyd (File Access Policy Daemon) implements application whitelisting
+to decide file access rights. Applications that are known via a reputation
+source are allowed access while unknown applications are not. The daemon
+makes use of the kernel's fanotify interface to determine file access rights.
+
+%package        selinux
+Summary:        Fapolicyd selinux
+Group:          Applications/System
+Requires:       %{name} = %{version}-%{release}
+Requires:       selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires:  selinux-policy-devel
+BuildArch: noarch
+%{?selinux_requires}
+
+%description    selinux
+The %{name}-selinux package contains selinux policy for the %{name} daemon.
+
+%prep
+
+%setup -q
+
+# selinux
+%setup -q -D -T -a 1
+
+%setup -q -D -T -a 2
+%patch1 -p1 -b .uthash
+
+%patch2 -p1 -b .watch-perm
+%patch3 -p1 -b .home
+
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+
+# generate rules for python
+sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules
+
+# Detect run time linker directly from bash
+interpret=`readelf -e /usr/bin/bash \
+    | grep Requesting \
+    | sed 's/.$//' \
+    | rev | cut -d" " -f1 \
+    | rev`
+
+sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules
+
+%build
+cp INSTALL INSTALL.tmp
+./autogen.sh
+%configure \
+    --with-audit \
+    --with-rpm \
+    --disable-shared
+
+%make_build
+
+# selinux
+pushd %{name}-selinux-%{semodule_version}
+make
+popd
+
+%check
+make check
+
+# selinux
+%pre selinux
+%selinux_relabel_pre -s %{selinuxtype}
+
+%install
+%make_install
+install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf
+mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name}
+mkdir -p %{buildroot}/run/%{name}
+mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d
+mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d
+
+
+# selinux
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}
+install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
+
+#cleanup
+find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete
+
+%pre
+getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name}
+
+%post
+# if no pre-existing rule file
+if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then
+ files=`ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null | wc -w`
+ # Only if no pre-existing component rules
+ if [ "$files" -eq 0 ] ; then
+  ## Install the known libs policy
+  cp %{_datadir}/%{name}/sample-rules/10-languages.rules  %{_sysconfdir}/%{name}/rules.d/
+  cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/
+  cp %{_datadir}/%{name}/sample-rules/21-updaters.rules  %{_sysconfdir}/%{name}/rules.d/
+  cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/
+  cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules  %{_sysconfdir}/%{name}/rules.d/
+  cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules  %{_sysconfdir}/%{name}/rules.d/
+  cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules  %{_sysconfdir}/%{name}/rules.d/
+  cp %{_datadir}/%{name}/sample-rules/70-trusted-lang.rules  %{_sysconfdir}/%{name}/rules.d/
+  cp %{_datadir}/%{name}/sample-rules/72-shell.rules  %{_sysconfdir}/%{name}/rules.d/
+  cp %{_datadir}/%{name}/sample-rules/90-deny-execute.rules %{_sysconfdir}/%{name}/rules.d/
+  cp %{_datadir}/%{name}/sample-rules/95-allow-open.rules  %{_sysconfdir}/%{name}/rules.d/
+  chgrp %{name} %{_sysconfdir}/%{name}/rules.d/*
+  if [ -x /usr/sbin/restorecon ] ; then
+   # restore correct label
+   /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/*
+  fi
+  fagenrules --load
+ fi
+fi
+%systemd_post %{name}.service
+
+%preun
+%systemd_preun %{name}.service
+
+%postun
+%systemd_postun_with_restart %{name}.service
+
+%files
+%doc README.md
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%attr(755,root,%{name}) %dir %{_datadir}/%{name}
+%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules
+%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/*
+%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc
+%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
+%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
+%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d
+%attr(644,root,root) %{_sysconfdir}/bash_completion.d/*
+%ghost %{_sysconfdir}/%{name}/rules.d/*
+%ghost %{_sysconfdir}/%{name}/%{name}.rules
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
+%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules
+%attr(644,root,root) %{_unitdir}/%{name}.service
+%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf
+%attr(755,root,root) %{_sbindir}/%{name}
+%attr(755,root,root) %{_sbindir}/%{name}-cli
+%attr(755,root,root) %{_sbindir}/fagenrules
+%attr(644,root,root) %{_mandir}/man8/*
+%attr(644,root,root) %{_mandir}/man5/*
+%attr(644,root,root) %{_mandir}/man1/*
+%ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log
+%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name}
+%attr(770,root,%{name}) %dir /run/%{name}
+%ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo
+%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb
+%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb
+
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{name}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%changelog
+* Wed Nov 09 2022 yaoxin <yaoxin30@h-partners.com> - 1.1.5-1
+- Package init
--- a/fapolicyd.yaml
+++ b/fapolicyd.yaml
@ -0,0 +1,4 @@
+version_control: github
+src_repo: linux-application-whitelisting/fapolicyd
+tag_prefix: ^v
+separator: .
--- a/uthash-2.3.0.tar.gz
+++ b/uthash-2.3.0.tar.gz