diff --git a/Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch b/Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch
new file mode 100644
index 0000000..b9f4429
--- /dev/null
+++ b/Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch
@@ -0,0 +1,29 @@
+From 194ac1b87ba46ea9e26a865e8432e228cf8fefef Mon Sep 17 00:00:00 2001
+From: Steven Brzozowski
+Date: Thu, 20 Oct 2022 17:55:30 -0400
+Subject: [PATCH] Add `FAN_MARK_MOUNT` when opting out of `FAN_MARK_FILESYSTEM`
+ (#210)
+
+Without `FAN_MARK_MOUNT`, fapolicyd will not receive events for any subdirectories specified by the path parameter.
+---
+ src/daemon/notify.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/daemon/notify.c b/src/daemon/notify.c
+index 586b6df..5e4f160 100644
+--- a/src/daemon/notify.c
++++ b/src/daemon/notify.c
+@@ -128,10 +128,13 @@ int init_fanotify(const conf_t *conf, mlist *m)
+ #if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
+ if (conf->allow_filesystem_mark)
+ flags |= FAN_MARK_FILESYSTEM;
++ else
++ flags |= FAN_MARK_MOUNT;
+ #else
+ if (conf->allow_filesystem_mark)
+ msg(LOG_ERR,
+ "allow_filesystem_mark is unsupported for this kernel - ignoring");
++ flags |= FAN_MARK_MOUNT;
+ #endif
+ if (fanotify_mark(fd, flags, mask, -1, path) == -1) {
+ /*
diff --git a/Bugfixes-for-dnf-plugin.patch b/Bugfixes-for-dnf-plugin.patch
new file mode 100644
index 0000000..dfc6759
--- /dev/null
+++ b/Bugfixes-for-dnf-plugin.patch
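Review bot: The reason for the new `flags |= FAN_MARK_MOUNT` fallback lives only in the commit message; a reader of notify.c will not learn that a mark carrying neither FAN_MARK_MOUNT nor FAN_MARK_FILESYSTEM covers path alone and leaves everything below it unreported, which for an allow-listing daemon is a silent enforcement gap. Add above the `#if`: `/* A mark with neither FAN_MARK_MOUNT nor FAN_MARK_FILESYSTEM covers only path itself; mark the whole mount so events below it are delivered. */`. The `#else` branch sets the flag unconditionally after logging that allow_filesystem_mark is ignored, which matches the supported branch, so no functional concern there. init_fanotify begins before the hunk and the fanotify_mark error handling continues after it.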
@@ -0,0 +1,31 @@
+From 9e43b117bc7efed1e67a8fb4bb60d7e9bf9104b8 Mon Sep 17 00:00:00 2001
+From: Steven Brzozowski
+Date: Fri, 7 Oct 2022 14:15:53 -0400
+Subject: [PATCH] Bugfixes for dnf plugin
+
+* Point to the correct fifo path
+* Write a newline to get fapolicyd to pick up the write
+---
+ dnf/fapolicyd-dnf-plugin.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/dnf/fapolicyd-dnf-plugin.py b/dnf/fapolicyd-dnf-plugin.py
+index 3de66518..650fe89d 100644
+--- a/dnf/fapolicyd-dnf-plugin.py
++++ b/dnf/fapolicyd-dnf-plugin.py
+@@ -8,7 +8,7 @@
+ class Fapolicyd(dnf.Plugin):
+
+ name = "fapolicyd"
+- pipe = "/var/run/fapolicyd/fapolicyd.fifo"
++ pipe = "/run/fapolicyd/fapolicyd.fifo"
+ file = None
+
+ def __init__(self, base, cli):
+@@ -32,5 +32,5 @@ def transaction(self):
+ sys.stderr.write("fapolicy-plugin does not have write permission: " + self.pipe + "\n")
+ return
+
+- self.file.write("1")
++ self.file.write("1\n")
+ self.file.close()
diff --git a/Fix-build-error.patch b/Fix-build-error.patch
new file mode 100644
index 0000000..c7b0046
--- /dev/null
+++ b/Fix-build-error.patch
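Review bot: The trailing newline in `self.file.write("1\n")` is what makes fapolicyd act on the message (per the commit message), but nothing in the code says so; add `# fapolicyd acts on the FIFO write only once it is newline-terminated` above that line. `self.file.close()` on the following line is skipped if the write raises, for instance when the daemon side of the FIFO has gone away, so wrap the pair as `try: self.file.write("1\n")` / `finally: self.file.close()`. The `transaction` method and the `open` of `self.file` lie outside the hunk, so whether a caller already catches exceptions here cannot be seen.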
@@ -0,0 +1,60 @@
+From f334120c91a857f6200c4028cbb7bad2d2162792 Mon Sep 17 00:00:00 2001
+From: starlet-dx <15929766099@163.com>
+Date: Wed, 9 Nov 2022 18:32:54 +0800
+Subject: [PATCH 1/1] Fix build error
+
+---
+ src/daemon/notify.c | 5 +++--
+ src/library/daemon-config.c | 14 ++++++++------
+ 2 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/src/daemon/notify.c b/src/daemon/notify.c
+index c91abc4..586b6df 100644
+--- a/src/daemon/notify.c
++++ b/src/daemon/notify.c
+@@ -122,9 +122,10 @@ int init_fanotify(const conf_t *conf, mlist *m)
+ // Iterate through the mount points and add a mark
+ path = mlist_first(m);
+ while (path) {
++ unsigned int flags;
+ retry_mark:
+- unsigned int flags = FAN_MARK_ADD;
+-#ifdef HAVE_DECL_FAN_MARK_FILESYSTEM
++ flags = FAN_MARK_ADD;
++#if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
+ if (conf->allow_filesystem_mark)
+ flags |= FAN_MARK_FILESYSTEM;
+ #else
+diff --git a/src/library/daemon-config.c b/src/library/daemon-config.c
+index 89b7f68..ba8ade0 100644
+--- a/src/library/daemon-config.c
++++ b/src/library/daemon-config.c
+@@ -618,17 +618,19 @@ static int fs_mark_parser(const struct nv_pair *nv, int line,
+ conf_t *config)
+ {
+ int rc = 0;
+-#ifndef HAVE_DECL_FAN_MARK_FILESYSTEM
+- msg(LOG_WARNING,
+- "allow_filesystem_mark is unsupported on this kernel - ignoring");
+-#else
+- rc = unsigned_int_parser(&(config->allow_filesystem_mark), nv->value, line);
++#if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0
++ rc = unsigned_int_parser(&(config->allow_filesystem_mark),
++ nv->value, line);
+
+ if (rc == 0 && config->allow_filesystem_mark > 1) {
+ msg(LOG_WARNING,
+- "allow_filesystem_mark value reset to 0 - line %d", line);
++ "allow_filesystem_mark value reset to 0 - line %d",
++ line);
+ config->allow_filesystem_mark = 0;
+ }
++#else
++ msg(LOG_WARNING,
++ "allow_filesystem_mark is unsupported on this kernel - ignoring");
+ #endif
+
+ return rc;
+--
+2.30.0
+
diff --git a/fapolicyd-1.1.5.tar.gz b/fapolicyd-1.1.5.tar.gz
new file mode 100644
index 0000000..86b8c8f
Binary files /dev/null and b/fapolicyd-1.1.5.tar.gz differ
diff --git a/fapolicyd-selinux-0.4.tar.gz b/fapolicyd-selinux-0.4.tar.gz
new file mode 100644
index 0000000..02fa38c
Binary files /dev/null and b/fapolicyd-selinux-0.4.tar.gz differ
diff --git a/fapolicyd-selinux-allow-boot-home.patch b/fapolicyd-selinux-allow-boot-home.patch
new file mode 100644
index 0000000..f676d59
--- /dev/null
+++ b/fapolicyd-selinux-allow-boot-home.patch
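Review bot: Hoisting `unsigned int flags;` above `retry_mark:` is the actual build fix, because a declaration may not directly follow a label in C11, yet the hunk leaves no trace of why the declaration is now separated from its `flags = FAN_MARK_ADD;` initializer; add `/* declared before the label: C11 does not allow a declaration directly after a label */` on the new line. The `#if defined HAVE_DECL_FAN_MARK_FILESYSTEM && HAVE_DECL_FAN_MARK_FILESYSTEM != 0` test is the right form if configure defines the macro to 0 when the declaration is absent (as AC_CHECK_DECLS-style checks do, which would make the old `#ifdef` always true), but the same expression now appears verbatim in notify.c, in daemon-config.c and again in Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch; a single `HAVE_FAN_MARK_FILESYSTEM` macro in a shared header would keep the three in step. Both init_fanotify and fs_mark_parser extend beyond their hunks.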
@@ -0,0 +1,40 @@
+From a1a9a59f93ebfe6d0c9d725ed0712210994e6d64 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 6 Apr 2021 16:06:48 +0200
+Subject: [PATCH] Allow fapolicyd watch boot and home directories
+
+The fapolicyd service needs watch_mount and watch_with_perm permissions
+for fanotify/inotify/dnotify calls on the following directories:
+- /boot and /boot/efi directories
+- /home directories
+
+Note the /boot/efi directory has the dosfs_t label.
+---
+ fapolicyd.te | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
+index f5d0052..c12f385 100644
+--- a/fapolicyd-selinux-0.4/fapolicyd.te
++++ b/fapolicyd-selinux-0.4/fapolicyd.te
+@@ -63,14 +63,20 @@ domain_read_all_domains_state(fapolicyd_t)
+
+ files_mmap_usr_files(fapolicyd_t)
+ files_read_all_files(fapolicyd_t)
++files_watch_mount_boot_dirs(fapolicyd_t)
++files_watch_with_perm_boot_dirs(fapolicyd_t)
+ files_watch_mount_generic_tmp_dirs(fapolicyd_t)
+ files_watch_with_perm_generic_tmp_dirs(fapolicyd_t)
++files_watch_mount_home(fapolicyd_t)
++files_watch_with_perm_home(fapolicyd_t)
+ files_watch_mount_root_dirs(fapolicyd_t)
+ files_watch_with_perm_root_dirs(fapolicyd_t)
+
+ fs_getattr_xattr_fs(fapolicyd_t)
+ fs_watch_mount_tmpfs_dirs(fapolicyd_t)
+ fs_watch_with_perm_tmpfs_dirs(fapolicyd_t)
++fs_watch_mount_dos_dirs(fapolicyd_t)
++fs_watch_with_perm_dos_dirs(fapolicyd_t)
+
+ logging_send_syslog_msg(fapolicyd_t)
+ dbus_system_bus_client(fapolicyd_t)
diff --git a/fapolicyd-selinux-watch-perm.patch b/fapolicyd-selinux-watch-perm.patch
new file mode 100644
index 0000000..4128b8e
--- /dev/null
+++ b/fapolicyd-selinux-watch-perm.patch
@@ -0,0 +1,31 @@
+From 6a966a3ee89233a0a055712f39ca564ba91183bf Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Thu, 15 Apr 2021 16:56:08 +0200
+Subject: [PATCH] Allow fapolicyd watch_mount/watch_with_perm all files and
+ directories
+
+For the fanotify_mark() syscall, fapolicyd uses the FAN_MARK_MOUNT flag
+to mark the file's mount point to monitor. As this can be any file or
+directory on the filesystem, the SELinux watch_mount and watch_with_perm
+permissions are allowed for the file_type attribute.
+---
+ fapolicyd.te | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fapolicyd-selinux-0.4/fapolicyd.te b/fapolicyd-selinux-0.4/fapolicyd.te
+index c12f385..582e03f 100644
+--- a/fapolicyd-selinux-0.4/fapolicyd.te
++++ b/fapolicyd-selinux-0.4/fapolicyd.te
+@@ -36,6 +36,12 @@ allow fapolicyd_t self:process { setcap setsched };
+ allow fapolicyd_t self:unix_stream_socket create_stream_socket_perms;
+ allow fapolicyd_t self:unix_dgram_socket create_socket_perms;
+
++gen_require(`
++ attribute file_type;
++')
++allow fapolicyd_t file_type:dir { watch_mount watch_with_perm };
++allow fapolicyd_t file_type:file { watch_mount watch_with_perm };
++
+ manage_files_pattern(fapolicyd_t, fapolicyd_log_t, fapolicyd_log_t)
+ logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)
+
diff --git a/fapolicyd-uthash-bundle.patch b/fapolicyd-uthash-bundle.patch
new file mode 100644
index 0000000..81c4ea8
--- /dev/null
+++ b/fapolicyd-uthash-bundle.patch
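Review bot: `allow fapolicyd_t file_type:dir { watch_mount watch_with_perm };` and the matching `file` rule grant the two watch permissions on every labeled file and directory, so the narrower `files_watch_mount_boot_dirs`, `files_watch_mount_home` and `fs_watch_mount_dos_dirs` calls (and their `watch_with_perm` twins) added by fapolicyd-selinux-allow-boot-home.patch are subsumed once this patch is applied on top of it. Either drop the narrower calls or record that the attribute-wide rule is the intended one, for example `# fanotify_mark(FAN_MARK_MOUNT) may target any mount point, so watch perms are granted on all file_type` above the `gen_require`, so a later reviewer does not try to tighten the policy by removing the wrong set. Since `file_type` is the widest file attribute available, keeping the rationale next to the raw `allow` rule is what makes the grant auditable.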
@@ -0,0 +1,39 @@
+diff -up ./configure.ac.uthash ./configure.ac
+--- ./configure.ac.uthash 2022-09-27 16:34:59.000000000 +0200
++++ ./configure.ac 2022-09-29 11:57:26.297879027 +0200
+@@ -81,10 +81,6 @@ AC_CHECK_HEADER(sys/fanotify.h, , [AC_MS
+ ["Couldn't find sys/fanotify.h...your kernel might not be new enough"] )])
+ AC_CHECK_FUNCS(fexecve, [], [])
+
+-AC_CHECK_HEADER(uthash.h, , [AC_MSG_ERROR(
+-["Couldn't find uthash.h...uthash-devel is missing"] )])
+-
+-
+ echo .
+ echo Checking for required libraries
+ AC_CHECK_LIB(udev, udev_device_get_devnode, , [AC_MSG_ERROR([libudev not found])], -ludev)
+diff -up ./src/library/rpm-backend.c.uthash ./src/library/rpm-backend.c
+--- ./src/library/rpm-backend.c.uthash 2022-09-29 11:57:26.297879027 +0200
++++ ./src/library/rpm-backend.c 2022-09-29 11:58:45.470119807 +0200
+@@ -32,7 +32,7 @@
+ #include
+ #include
+
+-#include
++#include "uthash.h"
+
+ #include "message.h"
+ #include "gcc-attributes.h"
+diff -up ./src/Makefile.am.uthash ./src/Makefile.am
+--- ./src/Makefile.am.uthash 2022-09-27 16:34:59.000000000 +0200
++++ ./src/Makefile.am 2022-09-29 11:57:26.297879027 +0200
+@@ -5,6 +5,9 @@ AM_CPPFLAGS = \
+ -I${top_srcdir} \
+ -I${top_srcdir}/src/library
+
++AM_CPPFLAGS += \
++ -I${top_srcdir}/uthash-2.3.0/include
++
+ sbin_PROGRAMS = fapolicyd fapolicyd-cli
+ lib_LTLIBRARIES= libfapolicyd.la
+
diff --git a/fapolicyd.spec b/fapolicyd.spec
new file mode 100644
index 0000000..5b10d3f
--- /dev/null
+++ b/fapolicyd.spec
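Review bot: `-I${top_srcdir}/uthash-2.3.0/include` in the Makefile.am hunk hard-codes the bundled version, which the spec repeats in `Source2` and relies on in `%setup -a 2`; a future uthash bump has to touch all three places, and a missed one may leave the build quietly picking up whichever uthash.h the compiler finds next on its search path. Define it once, e.g. `UTHASH_DIR = ${top_srcdir}/uthash-2.3.0` with `-I$(UTHASH_DIR)/include`, or substitute it from configure. Removing `AC_CHECK_HEADER(uthash.h, ...)` in the configure.ac hunk also removes the only early check that the header exists, so a missing bundled tree now surfaces as a compile error in rpm-backend.c rather than a clear configure message; re-pointing the check at the bundled path would keep that diagnostic. The removed `-#include` line in the rpm-backend.c hunk has lost its header name in this rendering, so the exact old include cannot be confirmed here.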
@@ -0,0 +1,214 @@
+%global selinuxtype targeted
+%global moduletype contrib
+%define semodule_version 0.4
+
+Summary: Application Whitelisting Daemon
+Name: fapolicyd
+Version: 1.1.5
+Release: 1
+License: GPLv3+
+URL: http://people.redhat.com/sgrubb/fapolicyd
+Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
+Source1: https://github.com/linux-application-whitelisting/%{name}-selinux/releases/download/v%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz
+# we bundle uthash for rhel9
+Source2: https://github.com/troydhanson/uthash/archive/refs/tags/v2.3.0.tar.gz#/uthash-2.3.0.tar.gz
+BuildRequires: gcc
+BuildRequires: kernel-headers
+BuildRequires: autoconf automake make gcc libtool
+BuildRequires: systemd systemd-devel openssl-devel rpm-devel file-devel file
+BuildRequires: libcap-ng-devel libseccomp-devel lmdb-devel
+BuildRequires: python3-devel
+BuildRequires: uthash-devel
+
+Requires: rpm
+Recommends: %{name}-selinux
+Requires(pre): shadow-utils
+Requires(post): systemd-units
+Requires(preun): systemd-units
+Requires(postun): systemd-units
+
+Patch1: fapolicyd-uthash-bundle.patch
+Patch2: fapolicyd-selinux-watch-perm.patch
+Patch3: fapolicyd-selinux-allow-boot-home.patch
+Patch4: Fix-build-error.patch
+Patch5: Add-FAN_MARK_MOUNT-when-opting-out-of-FAN_MARK_FILESYSTEM.patch
+Patch6: Bugfixes-for-dnf-plugin.patch
+
+%description
+Fapolicyd (File Access Policy Daemon) implements application whitelisting
+to decide file access rights. Applications that are known via a reputation
+source are allowed access while unknown applications are not. The daemon
+makes use of the kernel's fanotify interface to determine file access rights.
+ +%package selinux +Summary: Fapolicyd selinux +Group: Applications/System +Requires: %{name} = %{version}-%{release} +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +BuildArch: noarch +%{?selinux_requires} + +%description selinux +The %{name}-selinux package contains selinux policy for the %{name} daemon. + +%prep + +%setup -q + +# selinux +%setup -q -D -T -a 1 + +%setup -q -D -T -a 2 +%patch1 -p1 -b .uthash + +%patch2 -p1 -b .watch-perm +%patch3 -p1 -b .home + +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 + +# generate rules for python +sed -i "s/%python2_path%/`readlink -f %{__python2} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules +sed -i "s/%python3_path%/`readlink -f %{__python3} | sed 's/\//\\\\\//g'`/g" rules.d/*.rules + +# Detect run time linker directly from bash +interpret=`readelf -e /usr/bin/bash \ + | grep Requesting \ + | sed 's/.$//' \ + | rev | cut -d" " -f1 \ + | rev` + +sed -i "s|%ld_so_path%|`realpath $interpret`|g" rules.d/*.rules + +%build +cp INSTALL INSTALL.tmp +./autogen.sh +%configure \ + --with-audit \ + --with-rpm \ + --disable-shared + +%make_build + +# selinux +pushd %{name}-selinux-%{semodule_version} +make +popd + +%check +make check + +# selinux +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%install +%make_install +install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf +mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name} +mkdir -p %{buildroot}/run/%{name} +mkdir -p %{buildroot}%{_sysconfdir}/%{name}/trust.d +mkdir -p %{buildroot}%{_sysconfdir}/%{name}/rules.d + + +# selinux +install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} +install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if 
%{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if + +#cleanup +find %{buildroot} \( -name '*.la' -o -name '*.a' \) -delete + +%pre +getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} + +%post +# if no pre-existing rule file +if [ ! -e %{_sysconfdir}/%{name}/%{name}.rules ] ; then + files=`ls %{_sysconfdir}/%{name}/rules.d/ 2>/dev/null | wc -w` + # Only if no pre-existing component rules + if [ "$files" -eq 0 ] ; then + ## Install the known libs policy + cp %{_datadir}/%{name}/sample-rules/10-languages.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/20-dracut.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/21-updaters.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/30-patterns.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/40-bad-elf.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/41-shared-obj.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/42-trusted-elf.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/70-trusted-lang.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/72-shell.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/90-deny-execute.rules %{_sysconfdir}/%{name}/rules.d/ + cp %{_datadir}/%{name}/sample-rules/95-allow-open.rules %{_sysconfdir}/%{name}/rules.d/ + chgrp %{name} %{_sysconfdir}/%{name}/rules.d/* + if [ -x /usr/sbin/restorecon ] ; then + # restore correct label + /usr/sbin/restorecon -F %{_sysconfdir}/%{name}/rules.d/* + fi + fagenrules --load + fi +fi +%systemd_post %{name}.service + +%preun +%systemd_preun %{name}.service + +%postun +%systemd_postun_with_restart %{name}.service + +%files +%doc README.md +%{!?_licensedir:%global license %%doc} +%license COPYING +%attr(755,root,%{name}) 
%dir %{_datadir}/%{name} +%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules +%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/* +%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc +%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name} +%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d +%attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d +%attr(644,root,root) %{_sysconfdir}/bash_completion.d/* +%ghost %{_sysconfdir}/%{name}/rules.d/* +%ghost %{_sysconfdir}/%{name}/%{name}.rules +%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf +%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust +%ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules +%attr(644,root,root) %{_unitdir}/%{name}.service +%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf +%attr(755,root,root) %{_sbindir}/%{name} +%attr(755,root,root) %{_sbindir}/%{name}-cli +%attr(755,root,root) %{_sbindir}/fagenrules +%attr(644,root,root) %{_mandir}/man8/* +%attr(644,root,root) %{_mandir}/man5/* +%attr(644,root,root) %{_mandir}/man1/* +%ghost %attr(440,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}-access.log +%attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name} +%attr(770,root,%{name}) %dir /run/%{name} +%ghost %attr(660,root,%{name}) /run/%{name}/%{name}.fifo +%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/data.mdb +%ghost %attr(660,%{name},%{name}) %verify(not md5 size mtime) %{_localstatedir}/lib/%{name}/lock.mdb + +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} + 
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+ %selinux_modules_uninstall -s %{selinuxtype} %{name}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
+%changelog
+* Wed Nov 09 2022 yaoxin - 1.1.5-1
+- Package init
diff --git a/fapolicyd.yaml b/fapolicyd.yaml
new file mode 100644
index 0000000..e13a102
--- /dev/null
+++ b/fapolicyd.yaml
@@ -0,0 +1,4 @@
+version_control: github
+src_repo: linux-application-whitelisting/fapolicyd
+tag_prefix: ^v
+separator: .
diff --git a/uthash-2.3.0.tar.gz b/uthash-2.3.0.tar.gz
new file mode 100644
index 0000000..166cd5f
Binary files /dev/null and b/uthash-2.3.0.tar.gz differ
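Review bot: The spec bundles uthash 2.3.0 (`Source2`, `%setup -q -D -T -a 2`, `Patch1`) but never declares it, so the bundled copy is invisible to anyone tracking library vulnerabilities across packages; add `Provides: bundled(uthash) = 2.3.0` next to the `Requires` lines. With the bundled headers on the include path and the configure check removed by Patch1, `BuildRequires: uthash-devel` looks dead and can go, and `BuildRequires: gcc` is listed twice. The `%prep` substitution `readlink -f %{__python2}` assumes a python2 macro and binary exist on the builder; if they do not, the value written into `rules.d/*.rules` is presumably empty, so that line should be dropped or guarded with an `%if` on the macro. The `%changelog` entry lacks the packager's e-mail, which most spec linters flag.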