powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity

usbguard initial package creation 

Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org>
master
basebuilder_pel7ppc64bebuilder0 2018-05-29 17:08:54 +02:00
parent 206926239f
commit 1a2fb481d3
12 changed files with 19493 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
SOURCES/usbguard-0.7.0-covscan-uninit-ctor.patch Normal file
View File

@ -0,0 +1,26 @@
diff --git a/src/Library/DeviceManagerPrivate.cpp b/src/Library/DeviceManagerPrivate.cpp
index d9f3395..579b3c7 100644
--- a/src/Library/DeviceManagerPrivate.cpp
+++ b/src/Library/DeviceManagerPrivate.cpp
@@ -41,6 +41,7 @@ namespace usbguard {
std::unique_lock<std::mutex> local_device_map_lock(_device_map_mutex);
std::unique_lock<std::mutex> remote_device_map_lock(rhs._device_map_mutex);
_device_map = rhs._device_map;
+ _restore_controller_device_state = rhs._restore_controller_device_state;
return *this;
}
diff --git a/src/Library/Exception.hpp b/src/Library/Exception.hpp
index 02e9622..f27dd63 100644
--- a/src/Library/Exception.hpp
+++ b/src/Library/Exception.hpp
@@ -128,7 +128,8 @@ namespace usbguard
{
public:
IPCException()
- : Exception("", "", "")
+ : Exception("", "", ""),
+ _message_id(0)
{
}

472
SOURCES/usbguard-0.7.0-daemonization.patch Normal file
View File

@ -0,0 +1,472 @@
diff --git a/Makefile.am b/Makefile.am
index 1852983..b7aa1a3 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -15,6 +15,7 @@
## along with this program. If not, see <http://www.gnu.org/licenses/>.
##
## Authors: Daniel Kopecek <dkopecek@redhat.com>
+## Jiri Vymazal <jvymazal@redhat.com>
##
SUBDIRS=src/Tests/
diff --git a/doc/usbguard-daemon.8 b/doc/usbguard-daemon.8
index 18c72fe..dfdb285 100644
--- a/doc/usbguard-daemon.8
+++ b/doc/usbguard-daemon.8
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pandoc 1.17.0.3
+.\" Automatically generated by Pandoc 1.19.1
.\"
.TH "USBGUARD\-DAEMON" "8" "June 2016" "" ""
.hy
@@ -25,6 +25,11 @@ Enable debugging messages in the log.
.RS
.RE
.TP
+.B \f[B]\-f\f[]
+Enable classical daemon behavior (fork at start, sysV compliant).
+.RS
+.RE
+.TP
.B \f[B]\-s\f[]
Log to syslog.
.RS
@@ -41,7 +46,8 @@ Log to a file at \f[I]path\f[].
.RE
.TP
.B \f[B]\-p\f[] <\f[I]path\f[]>
-Write PID to a file at \f[I]path\f[].
+Write PID to a file at \f[I]path\f[] (default:
+\f[I]/var/run/usbguard.pid\f[]).
.RS
.RE
.TP
diff --git a/doc/usbguard-daemon.8.md b/doc/usbguard-daemon.8.md
index 3e2fcaf..581613d 100644
--- a/doc/usbguard-daemon.8.md
+++ b/doc/usbguard-daemon.8.md
@@ -19,6 +19,9 @@ The **usbguard-daemon** is the main component of the USBGuard software framework
**-d**
: Enable debugging messages in the log.
+**-f**
+: Enable classical daemon behavior (fork at start, sysV compliant).
+
**-s**
: Log to syslog.
@@ -29,7 +32,7 @@ The **usbguard-daemon** is the main component of the USBGuard software framework
: Log to a file at *path*.
**-p** <*path*>
-: Write PID to a file at *path*.
+: Write PID to a file at *path* (default: */var/run/usbguard.pid*).
**-c** <*path*>
: Load configuration from a file at *path* (default: */etc/usbguard/usbguard-daemon.conf*).
diff --git a/src/Common/Utility.cpp b/src/Common/Utility.cpp
index f84d2a8..237acfb 100644
--- a/src/Common/Utility.cpp
+++ b/src/Common/Utility.cpp
@@ -42,56 +42,6 @@
namespace usbguard
{
- void daemonize()
- {
- const ::pid_t pid = fork();
-
- switch(pid) {
- case 0: /* child */
- break;
- case -1: /* error */
- ::exit(EXIT_FAILURE);
- default: /* parent */
- ::exit(EXIT_SUCCESS);
- }
- //
- // Decouple from parent environment
- // - chdir to /
- // - create new process session
- // - reset umask
- // - cleanup file descriptors
- // - ???
- // - consider using libdaemon
- //
- if (::chdir("/") != 0) {
- ::exit(EXIT_FAILURE);
- }
- const ::pid_t sid = ::setsid();
- if (sid != 0) {
- ::exit(EXIT_FAILURE);
- }
- ::umask(::umask(077)|022);
- struct rlimit rlim;
- if (::getrlimit(RLIMIT_NOFILE, &rlim) != 0) {
- ::exit(EXIT_FAILURE);
- }
- const int maxfd = (rlim.rlim_max == RLIM_INFINITY ? 1024 : rlim.rlim_max);
- for (int fd = 0; fd < maxfd; ++fd) {
- ::close(fd);
- }
- return;
- }
-
- bool writePID(const std::string& filepath)
- {
- std::ofstream pidstream(filepath, std::ios_base::trunc);
- if (!pidstream) {
- return false;
- }
- pidstream << numberToString(getpid()) << std::endl;
- return true;
- }
-
static void runCommandExecChild(const std::string& path, const std::vector<std::string>& args)
{
struct rlimit rlim;
diff --git a/src/Common/Utility.hpp b/src/Common/Utility.hpp
index f722b22..54e1ea1 100644
--- a/src/Common/Utility.hpp
+++ b/src/Common/Utility.hpp
@@ -41,25 +41,6 @@
namespace usbguard
{
/**
- * Create a background process.
- *
- * Performs the following actions:
- * 1) fork a new process (parent process exists with 0)
- * 2) chdir to /
- * 3) creates a new process session
- * 4) resets umask
- * 5) closes all file descriptors
- * 6) Reinitialize logging for the child
- */
- void daemonize(void);
-
- /**
- * Writes the current PID to a file at filepath.
- * Returns true on success, otherwise returns false.
- */
- bool writePID(const std::string& filepath);
-
- /**
* Wrappers for the __builtin_expect function.
*/
#if defined(__GNUC__)
diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp
index b317c85..2a9a37c 100644
--- a/src/Daemon/Daemon.cpp
+++ b/src/Daemon/Daemon.cpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Jiri Vymazal <jvymazal@redhat.com>
//
#ifdef HAVE_BUILD_CONFIG_H
#include <build-config.h>
@@ -27,6 +28,8 @@
#include "usbguard/RuleParser.hpp"
#include "usbguard/Audit.hpp"
+#include <array>
+
#include <sys/select.h>
#include <sys/time.h>
#include <sys/types.h>
@@ -112,6 +115,8 @@ namespace usbguard
_device_rules_with_port = false;
_restore_controller_device_state = false;
+
+ pid_fd = -1;
}
Daemon::~Daemon()
@@ -402,6 +407,10 @@ namespace usbguard
}
} while(!exit_loop);
+ if (pid_fd != -1) {
+ lockf(pid_fd, F_ULOCK, 0);
+ close(pid_fd);
+ }
IPCServer::stop();
_dm->stop();
USBGUARD_LOG(Trace) << "Leaving main loop.";
@@ -411,6 +420,73 @@ namespace usbguard
{
}
+ void Daemon::daemonize(const std::string &pid_file)
+ {
+ USBGUARD_LOG(Trace) << "Starting daemonization";
+
+ pid_t pid = 0;
+ pid_t original_pid = getpid();
+
+ sigset_t mask;
+ sigemptyset(&mask);
+ sigaddset(&mask, SIGUSR1);
+ sigprocmask(SIG_BLOCK, &mask, nullptr);
+ USBGUARD_SYSCALL_THROW("Daemonize", (pid = fork()) < 0);
+ if (pid > 0) {
+ constexpr int timeout_val = 5;
+ struct timespec timeout {timeout_val,0};
+ const time_t start = time(nullptr);
+ siginfo_t info;
+ do {
+ const int signum = sigtimedwait(&mask, &info, &timeout);
+ if (signum == SIGUSR1 && info.si_signo == SIGUSR1 && info.si_pid == pid) {
+ USBGUARD_LOG(Trace) << "Finished daemonization";
+ exit(EXIT_SUCCESS);
+ }
+ if (signum == -1 && errno == EAGAIN) {
+ break; /* timed out */
+ }
+ timeout.tv_sec = timeout_val - difftime(time(nullptr), start); /* avoid potentially endless loop */
+ } while(true);
+ throw Exception("Deamonize", "signal", "Waiting on pid file write timeout!");
+ }
+
+ /* Now we are forked */
+ USBGUARD_SYSCALL_THROW("Daemonize", setsid() < 0);
+ signal(SIGCHLD, SIG_IGN);
+
+ USBGUARD_SYSCALL_THROW("Daemonize", (pid_fd = open(pid_file.c_str(), O_RDWR|O_CREAT, 0640)) < 0);
+ USBGUARD_SYSCALL_THROW("Daemonize", (lockf(pid_fd, F_TLOCK, 0)) < 0);
+ USBGUARD_SYSCALL_THROW("Daemonize", (pid = fork()) < 0);
+ if (pid > 0) {
+ try {
+ std::string pid_str = std::to_string(pid);
+ USBGUARD_SYSCALL_THROW("Daemonize", write(pid_fd, pid_str.c_str(), pid_str.size()) != static_cast<ssize_t>(pid_str.size()));
+ kill(original_pid, SIGUSR1);
+ exit(EXIT_SUCCESS);
+ }
+ catch(...) {
+ kill(pid, SIGKILL);
+ throw;
+ }
+ }
+
+ /* Now we are forked 2nd time */
+ umask(0047); /* no need for world-accessible or executable files */
+ chdir("/");
+ const std::array<int,3> std_fds {{STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO}};
+ int fd_null;
+ USBGUARD_SYSCALL_THROW("Daemonize", (fd_null = open("/dev/null", O_RDWR)) < 0);
+ /* We do not need to close all fds because there is only logging open at this point */
+ for (auto fd : std_fds) {
+ USBGUARD_SYSCALL_THROW("Daemonize", close(fd));
+ USBGUARD_SYSCALL_THROW("Daemonize", (dup2(fd_null, fd)) < 0);
+ }
+ close(fd_null);
+
+ USBGUARD_SYSCALL_THROW("Daemonize", (lockf(pid_fd, F_LOCK, 0)) < 0);
+ }
+
uint32_t Daemon::assignID()
{
return _ruleset.assignID();
diff --git a/src/Daemon/Daemon.hpp b/src/Daemon/Daemon.hpp
index cfd02d9..065deaf 100644
--- a/src/Daemon/Daemon.hpp
+++ b/src/Daemon/Daemon.hpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Jiri Vymazal <jvymazal@redhat.com>
//
#pragma once
#ifdef HAVE_BUILD_CONFIG_H
@@ -72,6 +73,8 @@ namespace usbguard
void run();
/* Stop the daemon */
void quit();
+ /* Handle process daemonization */
+ void daemonize(const std::string& pid_file);
uint32_t assignID();
uint32_t upsertRule(const std::string& match_spec, const std::string& rule_spec, bool parent_insensitive = false);
@@ -112,6 +115,8 @@ namespace usbguard
ConfigFile _config;
RuleSet _ruleset;
+ int pid_fd;
+
std::string _device_manager_backend;
std::shared_ptr<DeviceManager> _dm;
diff --git a/src/Daemon/main.cpp b/src/Daemon/main.cpp
index 869c2e2..4b9b351 100644
--- a/src/Daemon/main.cpp
+++ b/src/Daemon/main.cpp
@@ -15,6 +15,7 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
// Authors: Daniel Kopecek <dkopecek@redhat.com>
+// Jiri Vymazal <jvymazal@redhat.com>
//
#ifdef HAVE_BUILD_CONFIG_H
#include <build-config.h>
@@ -37,9 +38,13 @@
static void setupCapabilities(void);
#endif
+#ifndef USBGUARD_PID_FILE
+#define USBGUARD_PID_FILE "/var/run/usbguard.pid"
+#endif
+
using namespace usbguard;
-const char * const G_optstring = "dskl:p:c:hWC";
+const char * const G_optstring = "dfskl:p:c:hWC";
static void printUsage(std::ostream& stream, const char *arg0)
{
@@ -47,6 +52,7 @@ static void printUsage(std::ostream& stream, const char *arg0)
stream << "Usage: " << filenameFromPath(std::string(arg0), true) << " [OPTIONS]" << std::endl;
stream << std::endl;
stream << " -d Enable debugging messages in the log." << std::endl;
+ stream << " -f Enable classical daemon forking behavior." << std::endl;
stream << " -s Log to syslog." << std::endl;
stream << " -k Log to console." << std::endl;
stream << " -l <path> Log to a file at `path'." << std::endl;
@@ -68,8 +74,9 @@ int main(int argc, char *argv[])
bool log_file = false;
bool use_seccomp_whitelist = false;
bool drop_capabilities = false;
+ bool daemonize = false;
std::string log_file_path;
- std::string pid_file;
+ std::string pid_file = USBGUARD_PID_FILE;
std::string conf_file = "/etc/usbguard/usbguard-daemon.conf";
int opt;
@@ -79,6 +86,9 @@ int main(int argc, char *argv[])
case 'd':
debug_mode = true;
break;
+ case 'f':
+ daemonize = true;
+ break;
case 's':
log_syslog = true;
break;
@@ -144,6 +154,13 @@ int main(int argc, char *argv[])
if (!conf_file.empty()) {
daemon.loadConfiguration(conf_file);
}
+ if (daemonize) {
+ if (log_console && !log_syslog && !log_file) {
+ USBGUARD_LOG(Warning) << "You have selected to fork and log only to \
+ console, nothing will be logged after forking!";
+ }
+ daemon.daemonize(pid_file);
+ }
daemon.run();
ret = EXIT_SUCCESS;
}
diff --git a/src/Tests/Makefile.am b/src/Tests/Makefile.am
index 7d93474..a952d18 100644
--- a/src/Tests/Makefile.am
+++ b/src/Tests/Makefile.am
@@ -40,6 +40,7 @@ EXTRA_DIST=\
$(top_srcdir)/src/Tests/UseCase/001_cli_policy.sh \
$(top_srcdir)/src/Tests/UseCase/002_cli_devices.sh \
$(top_srcdir)/src/Tests/UseCase/003_cli_devices_dummy.sh \
+ $(top_srcdir)/src/Tests/UseCase/004_daemonize.sh \
$(top_srcdir)/src/Tests/UseCase/DummyDevices
LOG_DRIVER=\
@@ -62,7 +63,8 @@ TESTS=\
UseCase/000_executable.sh \
UseCase/001_cli_policy.sh \
UseCase/002_cli_devices.sh \
- UseCase/003_cli_devices_dummy.sh
+ UseCase/003_cli_devices_dummy.sh \
+ UseCase/004_daemonize.sh
check_PROGRAMS=\
test-unit \
diff --git a/src/Tests/UseCase/004_daemonize.sh b/src/Tests/UseCase/004_daemonize.sh
new file mode 100755
index 0000000..d59dad1
--- /dev/null
+++ b/src/Tests/UseCase/004_daemonize.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+#
+#
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# Authors: Jiri Vymazal <jvymazal@redhat.com>
+#
+# Test whether the binaries are executable as expected (no linker errors, etc.)
+#
+source "${USBGUARD_TESTLIB_BASH}" || exit 129
+
+# TODO? Move to testlib
+export USBGUARD_TESTLIB_TMPDIR="$(mktemp -d --tmpdir usbguard-test.XXXXXX)"
+
+export config_path="${USBGUARD_TESTLIB_TMPDIR}/daemon.conf"
+export pidfile_path="${USBGUARD_TESTLIB_TMPDIR}/usbguard.pid"
+export logfile="${USBGUARD_TESTLIB_TMPDIR}/daemon.log"
+
+function test_cli_daemonize()
+{
+ sleep 5
+
+ if [ ! -f "$pidfile_path" ]; then
+ echo "Test error: PID file for usbguard not present"
+ exit 1
+ fi
+
+ if [ ! `pgrep usbguard` == `cat $pidfile_path` ]; then
+ echo "Test error: PID of usbguard daemon not present in PID file"
+ exit 1
+ fi
+}
+
+cat > "$config_path" <<EOF
+EOF
+
+schedule "${USBGUARD_DAEMON} -f -p $pidfile_path -d -P -l $logfile -c $config_path" :service
+schedule "test_cli_daemonize"
+execute 20
+retval=$?
+cat $pidfile_path | xargs kill -9
+exit $retval
diff --git a/usbguard.service.in b/usbguard.service.in
index 5bed4e6..f862d3b 100644
--- a/usbguard.service.in
+++ b/usbguard.service.in
@@ -4,8 +4,9 @@ Wants=systemd-udevd.service local-fs.target
Documentation=man:usbguard-daemon(8)
[Service]
-Type=simple
-ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
+Type=forking
+PIDFile=/var/run/usbguard.pid
+ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
Restart=on-failure
[Install]

88
SOURCES/usbguard-0.7.0-fixed-usbguard-daemon-conf-man-page.patch Normal file
View File

@ -0,0 +1,88 @@
From dbc20d4c4aae7302e9a714d1f1f7abdaa3583ef2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Kope=C4=8Dek?= <dkopecek@redhat.com>
Date: Fri, 12 May 2017 13:15:30 +0200
Subject: [PATCH 1/2] Fixed usbguard-daemon.conf man page

---
doc/usbguard-daemon.conf.5 | 22 +++++++++++++++-------
doc/usbguard-daemon.conf.5.md | 6 +++---
2 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/doc/usbguard-daemon.conf.5 b/doc/usbguard-daemon.conf.5
index f7434b1..476a31e 100644
--- a/doc/usbguard-daemon.conf.5
+++ b/doc/usbguard-daemon.conf.5
@@ -1,4 +1,7 @@
+.\" Automatically generated by Pandoc 1.17.0.3
+.\"
.TH "USBGUARD\-DAEMON.CONF" "5" "April 2017" "" ""
+.hy
.SH NAME
.PP
\f[B]usbguard\-daemon.conf\f[] \-\- USBGuard daemon configuration file
@@ -52,8 +55,8 @@ One of \f[C]block\f[], \f[C]reject\f[], \f[C]apply\-policy\f[].
.B \f[B]RestoreControllerDeviceState\f[]=<\f[I]boolean\f[]>
The USBGuard daemon modifies some attributes of controller devices like
the default authorization state of new child device instances.
-Using this setting, you can controll whether the daemon will try to
-restore the attribute values to the state before modificaton on
+Using this setting, you can control whether the daemon will try to
+restore the attribute values to the state before modification on
shutdown.
.RS
.RE
@@ -70,11 +73,6 @@ connections from.
.RS
.RE
.TP
-.B \f[B]IPCAccessControlFiles\f[]=<\f[I]path\f[]>
-Path to a directory holding the IPC access control files.
-.RS
-.RE
-.TP
.B \f[B]DeviceManagerBackend\f[]=<\f[I]backend\f[]>
Which device manager backend implementation to use.
Backend should be one of \f[C]uevent\f[] (default) or \f[C]dummy\f[].
@@ -88,6 +86,16 @@ See the \f[B]IPC ACCESS CONTROL\f[] section for more details.
.RS
.RE
.TP
+.B \f[B]DeviceRulesWithPort\f[]=<\f[I]boolean\f[]>
+Generate device specific rules including the "via\-port" attribute.
+This option modifies the behavior of the allowDevice action.
+When instructed to generate a permanent rule, the action can generate a
+port specific rule.
+Because some systems have unstable port numbering, the generated rule
+might not match the device after rebooting the system.
+.RS
+.RE
+.TP
.B \f[B]AuditFilePath\f[]=<\f[I]filepath\f[]>
USBGuard audit events log file path.
.RS
diff --git a/doc/usbguard-daemon.conf.5.md b/doc/usbguard-daemon.conf.5.md
index ea86ad1..58ca0ba 100644
--- a/doc/usbguard-daemon.conf.5.md
+++ b/doc/usbguard-daemon.conf.5.md
@@ -36,15 +36,15 @@ The **usbguard-daemon.conf** file is loaded by the USBGuard daemon after it pars
**IPCAllowedGroups**=<*groupname*> [<*groupname*> ...]
: A space delimited list of groupnames that the daemon will accept IPC connections from.
-**IPCAccessControlFiles**=<*path*>
-: Path to a directory holding the IPC access control files.
-
**DeviceManagerBackend**=<*backend*>
: Which device manager backend implementation to use. Backend should be one of `uevent` (default) or `dummy`.
**IPCAccessControlFiles**=<*path*>
: The files at this location will be interpreted by the daemon as IPC access control definition files. See the **IPC ACCESS CONTROL** section for more details.
+**DeviceRulesWithPort**=<*boolean*>
+: Generate device specific rules including the "via-port" attribute. This option modifies the behavior of the allowDevice action. When instructed to generate a permanent rule, the action can generate a port specific rule. Because some systems have unstable port numbering, the generated rule might not match the device after rebooting the system.
+
**AuditFilePath**=<*filepath*>
: USBGuard audit events log file path.
--
2.9.3

59
SOURCES/usbguard-0.7.0-fixed-usbguard-daemon-man-page.patch Normal file
View File

@ -0,0 +1,59 @@
From b6e6d374a5da571314e4b185ff8fdb38974aa9b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Kope=C4=8Dek?= <dkopecek@redhat.com>
Date: Fri, 12 May 2017 13:20:55 +0200
Subject: [PATCH 2/2] Fixed usbguard-daemon man page

---
doc/usbguard-daemon.8 | 13 +++++++++++++
doc/usbguard-daemon.8.md | 6 ++++++
2 files changed, 19 insertions(+)

diff --git a/doc/usbguard-daemon.8 b/doc/usbguard-daemon.8
index ad9a2a9..18c72fe 100644
--- a/doc/usbguard-daemon.8
+++ b/doc/usbguard-daemon.8
@@ -1,4 +1,7 @@
+.\" Automatically generated by Pandoc 1.17.0.3
+.\"
.TH "USBGUARD\-DAEMON" "8" "June 2016" "" ""
+.hy
.SH NAME
.PP
\f[B]usbguard\-daemon\f[] \-\- USBGuard daemon
@@ -48,6 +51,16 @@ Load configuration from a file at \f[I]path\f[] (default:
.RS
.RE
.TP
+.B \f[B]\-C\f[]
+Drop capabilities to limit privileges of the process.
+.RS
+.RE
+.TP
+.B \f[B]\-W\f[]
+Use a seccomp whitelist to limit available syscalls to the process.
+.RS
+.RE
+.TP
.B \f[B]\-h\f[]
Show the help/usage screen.
.RS
diff --git a/doc/usbguard-daemon.8.md b/doc/usbguard-daemon.8.md
index 40dc4be..3e2fcaf 100644
--- a/doc/usbguard-daemon.8.md
+++ b/doc/usbguard-daemon.8.md
@@ -34,6 +34,12 @@ The **usbguard-daemon** is the main component of the USBGuard software framework
**-c** <*path*>
: Load configuration from a file at *path* (default: */etc/usbguard/usbguard-daemon.conf*).
+**-C**
+: Drop capabilities to limit privileges of the process.
+
+**-W**
+: Use a seccomp whitelist to limit available syscalls to the process.
+
**-h**
: Show the help/usage screen.
--
2.9.3

68
SOURCES/usbguard-0.7.0-kernel-4.13-fix.patch Normal file
View File

@ -0,0 +1,68 @@
diff -up usbguard-0.7.0/src/Library/SysFSDevice.cpp.kernel-fix usbguard-0.7.0/src/Library/SysFSDevice.cpp
--- usbguard-0.7.0/src/Library/SysFSDevice.cpp.kernel-fix 2017-11-27 15:26:34.895791778 +0100
+++ usbguard-0.7.0/src/Library/SysFSDevice.cpp 2017-11-27 15:29:20.723171663 +0100
@@ -130,6 +130,20 @@ namespace usbguard
return fd;
}
+ bool SysFSDevice::hasAttribute(const std::string& name) const
+ {
+ struct ::stat st;
+
+ if (::fstatat(_sysfs_dirfd, name.c_str(), &st, AT_SYMLINK_NOFOLLOW) != 0) {
+ if (errno == ENOENT) {
+ return false;
+ }
+ throw ErrnoException("SysFSDevice::hasAttribute", name, errno);
+ }
+
+ return S_ISREG(st.st_mode);
+ }
+
std::string SysFSDevice::readAttribute(const std::string& name, bool strip_last_null, bool optional) const
{
USBGUARD_LOG(Trace) << "name=" << name;
diff -up usbguard-0.7.0/src/Library/SysFSDevice.hpp.kernel-fix usbguard-0.7.0/src/Library/SysFSDevice.hpp
--- usbguard-0.7.0/src/Library/SysFSDevice.hpp.kernel-fix 2017-11-27 15:26:34.896791775 +0100
+++ usbguard-0.7.0/src/Library/SysFSDevice.hpp 2017-11-27 15:28:10.778433223 +0100
@@ -42,6 +42,7 @@ namespace usbguard
const std::string& getName() const;
const UEvent& getUEvent() const;
const std::string& getParentPath() const;
+ bool hasAttribute(const std::string& name) const;
std::string readAttribute(const std::string& name, bool strip_last_null = false, bool optional = false) const;
void setAttribute(const std::string& name, const std::string& value);
int openAttribute(const std::string& name) const;
diff -up usbguard-0.7.0/src/Library/UEventDeviceManager.cpp.kernel-fix usbguard-0.7.0/src/Library/UEventDeviceManager.cpp
--- usbguard-0.7.0/src/Library/UEventDeviceManager.cpp.kernel-fix 2017-11-27 15:24:29.034262440 +0100
+++ usbguard-0.7.0/src/Library/UEventDeviceManager.cpp 2017-11-27 15:26:34.897791771 +0100
@@ -580,7 +580,12 @@ namespace usbguard {
const std::string devtype = uevent.getAttribute("DEVTYPE");
const std::string action = uevent.getAttribute("ACTION");
- if (subsystem != "usb" || devtype != "usb_device") {
+ /*
+ * We don't care about the event if it's not from the "usb" subsystem.
+ * The device type attribute value is checked later based on the data
+ * read from the sysfs uevent file in the device directory.
+ */
+ if (subsystem != "usb") {
USBGUARD_LOG(Debug) << "Ignoring non-USB device:"
<< " subsystem=" << subsystem
<< " devtype=" << devtype
@@ -610,8 +615,13 @@ namespace usbguard {
if (sysfs_device.getUEvent().hasAttribute("DEVTYPE")) {
const std::string devtype = sysfs_device.getUEvent().getAttribute("DEVTYPE");
if (devtype != "usb_device") {
- USBGUARD_LOG(Warning) << sysfs_devpath << ": UEvent DEVTYPE mismatch."
- << " Expected \"usb_device\", got \"" << devtype << "\"";
+ USBGUARD_LOG(Debug) << sysfs_devpath << ": UEvent DEVTYPE != usb_device. Ignoring event.";
+ return;
+ }
+ }
+ else {
+ if (!sysfs_device.hasAttribute("descriptors")) {
+ USBGUARD_LOG(Debug) << sysfs_devpath << ": UEvent doesn't refer to a device with a descriptors file. Ignoring event.";
return;
}
}

12
SOURCES/usbguard-0.7.0-libaudit-version.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up usbguard-0.7.0/configure.ac.libaudit-version usbguard-0.7.0/configure.ac
--- usbguard-0.7.0/configure.ac.libaudit-version 2017-12-13 10:31:18.738471922 +0100
+++ usbguard-0.7.0/configure.ac 2017-12-13 10:32:10.763256142 +0100
@@ -230,7 +230,7 @@ AC_SUBST([crypto_LIBS])
#
# Check for optional libraries
#
-PKG_CHECK_MODULES([audit], [audit >= 2.7.7],
+PKG_CHECK_MODULES([audit], [audit >= 2.7.0],
[AC_DEFINE([HAVE_LINUX_AUDIT], [1], [Linux Audit API available])
AC_CHECK_DECLS([audit_encode_nv_string], [], [], [[#include<libaudit.h>]])
libaudit_summary="system-wide; $audit_LIBS"],

1197
SOURCES/usbguard-0.7.0-linux-audit-integration.patch Normal file
View File

File diff suppressed because it is too large Load Diff

99
SOURCES/usbguard-0.7.0-make-full-testsuite-conditional.patch Normal file
View File

@ -0,0 +1,99 @@
diff --git a/Makefile.am b/Makefile.am
index b7aa1a3..37273fb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -670,15 +670,3 @@ analyze-clang:
--status-bugs -maxloop 8 -disable-checker deadcode.DeadStores -o "$(abs_top_builddir)" \
make -j$(JOBS)
rm -rf "$(ANALYSIS_ROOT)"
-
-if MAINTAINER_MODE
-check-local: check-copyright
-
-check-copyright:
- $(eval GIT_CLONE_ROOT:=$(shell mktemp -d -t usbguard-git-clone.XXXXXX))
- git clone "$(abs_top_srcdir)" "$(GIT_CLONE_ROOT)" && \
- $(top_srcdir)/src/Tests/Packaging/files-without-copyright.sh "$(GIT_CLONE_ROOT)"
- rm -rf "$(GIT_CLONE_ROOT)"
-else
-check-local:
-endif
diff --git a/configure.ac b/configure.ac
index 287abf2..6ab0d9b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -597,13 +597,15 @@ if test -z "$ASPELL"; then
fi
#
-# Maintainer mode.
+# Full test suite mode.
#
-# Runs several additional taks for certain make targets (e.g. tests)
+# Runs all available test when enabled. Some tests make assumption about
+# the environment they run in, so they might fail when these assumptions
+# are not met.
#
-AC_ARG_ENABLE([maintainer-mode],
- [AS_HELP_STRING([--enable-maintainer-mode], [Enable maintainer mode (default=no)])],
- [maintainer_mode=$enableval], [maintainer_mode=no])
+AC_ARG_ENABLE([full-test-suite],
+ [AS_HELP_STRING([--enable-full-test-suite], [Run the full test suite (default=no)])],
+ [full_test_suite=$enableval], [full_test_suite=no])
# Checks for header files.
AC_LANG_PUSH([C++])
@@ -713,8 +715,8 @@ AM_CONDITIONAL([SYSTEMD_SUPPORT_ENABLED], [test "x$systemd" = xyes ])
AM_CONDITIONAL([GUI_QT_ENABLED], [test "x$build_gui_qt" = xyes ])
AM_CONDITIONAL([DBUS_ENABLED], [test "x$with_dbus" = xyes ])
AM_CONDITIONAL([POLICYKIT_ENABLED], [test "x$with_polkit" = xyes])
-AM_CONDITIONAL([MAINTAINER_MODE], [test "x$maintainer_mode" = xyes])
-AM_CONDITIONAL([BASH_COMPLETION_ENABLED],[test "x$bash_completion" != "xno"])
+AM_CONDITIONAL([FULL_TEST_SUITE_ENABLED], [test "x$full_test_suite" = xyes])
+AM_CONDITIONAL([BASH_COMPLETION_ENABLED], [test "x$bash_completion" != xno])
CXXFLAGS="$CXXFLAGS -fvisibility=hidden $COMMON_WARNING_FLAGS $WARNING_CXXFLAGS"
CFLAGS="$CFLAGS -fvisibility=hidden $COMMON_WARNING_FLAGS $WARNING_CFLAGS"
@@ -744,7 +746,7 @@ echo
echo " Build Configuration Summary "
echo "==================================="
echo
-echo " Maintainer mode: $maintainer_mode"
+echo " Run full test suite: $full_test_suite"
echo
echo "## Libraries"
echo
@@ -768,7 +770,8 @@ echo " Bash completion dir: $BASH_COMPLETION_DIR"
echo
echo "## Compilation Flags"
echo
-echo " Debug Mode: $debug"
+echo "Debug Build: $debug"
+echo " DEFS: $DEFS"
echo " CXXFLAGS: $CXXFLAGS"
echo " CFLAGS: $CFLAGS"
echo " CPPFLAGS: $CPPFLAGS"
diff --git a/src/Tests/Makefile.am b/src/Tests/Makefile.am
index a952d18..da7a35b 100644
--- a/src/Tests/Makefile.am
+++ b/src/Tests/Makefile.am
@@ -58,13 +58,17 @@ TESTS=\
test-unit \
test-regression \
USB/test-descriptor-parser.sh \
- Packaging/spell-check.sh \
- Rules/test-rules.sh \
+ Rules/test-rules.sh
+
+if FULL_TEST_SUITE_ENABLED
+TESTS+=\
+ Packaging/spell-check.sh \
UseCase/000_executable.sh \
UseCase/001_cli_policy.sh \
UseCase/002_cli_devices.sh \
UseCase/003_cli_devices_dummy.sh \
UseCase/004_daemonize.sh
+endif
check_PROGRAMS=\
test-unit \

59
SOURCES/usbguard-0.7.0-strict-configuration-parsing.patch Normal file
View File

@ -0,0 +1,59 @@
diff -up usbguard-0.7.0/src/Library/ConfigFilePrivate.cpp.strict-config usbguard-0.7.0/src/Library/ConfigFilePrivate.cpp
--- usbguard-0.7.0/src/Library/ConfigFilePrivate.cpp.strict-config 2017-11-03 10:43:09.528657179 +0100
+++ usbguard-0.7.0/src/Library/ConfigFilePrivate.cpp 2017-11-03 11:03:51.338013408 +0100
@@ -23,6 +23,7 @@
#include "ConfigFilePrivate.hpp"
#include "Common/Utility.hpp"
+#include "usbguard/Exception.hpp"
#include "usbguard/Logger.hpp"
#include <stdexcept>
@@ -53,7 +54,7 @@ namespace usbguard
{
_stream.open(path, std::ios::in|std::ios::out);
if (!_stream.is_open()) {
- throw std::runtime_error("Can't open " + path);
+ throw Exception("Configuration", path, "unable to open the configuration file");
}
_dirty = false;
parse();
@@ -62,7 +63,7 @@ namespace usbguard
void ConfigFilePrivate::write()
{
if (!_stream.is_open()) {
- throw std::runtime_error("BUG: ConfigFilePrivate::write: write() before open()");
+ throw USBGUARD_BUG("ConfigFilePrivate::write: write() before open()");
}
if (_dirty) {
@@ -116,21 +117,22 @@ namespace usbguard
while(std::getline(_stream, config_line)) {
++config_line_number;
_lines.push_back(config_line);
+ config_line = trim(config_line);
+
+ if (config_line.size() < 1 || config_line[0] == '#') {
+ continue;
+ }
const size_t nv_separator = config_line.find_first_of("=");
if (nv_separator == std::string::npos) {
- continue;
+ throw Exception("Configuration", "line " + std::to_string(config_line_number), "syntax error");
}
std::string name = trim(config_line.substr(0, nv_separator));
- std::string value = config_line.substr(nv_separator + 1);
-
- if (name[0] == '#') {
- continue;
- }
+ std::string value = trim(config_line.substr(nv_separator + 1));
if (!checkNVPair(name, value)) {
- continue;
+ throw Exception("Configuration", name, "unknown configuration directive");
}
NVPair& setting = _settings[name];

16939
SOURCES/usbguard-0.7.0-upstream-compat.patch Normal file
View File

File diff suppressed because it is too large Load Diff

173
SOURCES/usbguard-daemon.conf Normal file
View File

@ -0,0 +1,173 @@
#
# Rule set file path.
#
# The USBGuard daemon will use this file to load the policy
# rule set from it and to write new rules received via the
# IPC interface.
#
# RuleFile=/path/to/rules.conf
#
RuleFile=/etc/usbguard/rules.conf

#
# Implicit policy target.
#
# How to treat devices that don't match any rule in the
# policy. One of:
#
# * allow - authorize the device
# * block - block the device
# * reject - remove the device
#
ImplicitPolicyTarget=block

#
# Present device policy.
#
# How to treat devices that are already connected when the
# daemon starts. One of:
#
# * allow - authorize every present device
# * block - deauthorize every present device
# * reject - remove every present device
# * keep - just sync the internal state and leave it
# * apply-policy - evaluate the ruleset for every present
# device
#
PresentDevicePolicy=apply-policy

#
# Present controller policy.
#
# How to treat USB controllers that are already connected
# when the daemon starts. One of:
#
# * allow - authorize every present device
# * block - deauthorize every present device
# * reject - remove every present device
# * keep - just sync the internal state and leave it
# * apply-policy - evaluate the ruleset for every present
# device
#
PresentControllerPolicy=keep

#
# Inserted device policy.
#
# How to treat USB devices that are already connected
# *after* the daemon starts. One of:
#
# * block - deauthorize every present device
# * reject - remove every present device
# * apply-policy - evaluate the ruleset for every present
# device
#
InsertedDevicePolicy=apply-policy

#
# Restore controller device state.
#
# The USBGuard daemon modifies some attributes of controller
# devices like the default authorization state of new child device
# instances. Using this setting, you can controll whether the
# daemon will try to restore the attribute values to the state
# before modificaton on shutdown.
#
# SECURITY CONSIDERATIONS: If set to true, the USB authorization
# policy could be bypassed by performing some sort of attack on the
# daemon (via a local exploit or via a USB device) to make it shutdown
# and restore to the operating-system default state (known to be permissive).
#
RestoreControllerDeviceState=false

#
# Device manager backend
#
# Which device manager backend implementation to use. One of:
#
# * uevent - Netlink based implementation which uses sysfs to scan for present
# devices and an uevent netlink socket for receiving USB device
# related events.
# * dummy - A dummy device manager which simulates several devices and device
# events. Useful for testing.
#
DeviceManagerBackend=uevent

#!!! WARNING: It's good practice to set at least one of the !!!
#!!! two options bellow. If none of them are set, !!!
#!!! the daemon will accept IPC connections from !!!
#!!! anyone, thus allowing anyone to modify the !!!
#!!! rule set and (de)authorize USB devices. !!!

#
# Users allowed to use the IPC interface.
#
# A space delimited list of usernames that the daemon will
# accept IPC connections from.
#
# IPCAllowedUsers=username1 username2 ...
#
IPCAllowedUsers=root

#
# Groups allowed to use the IPC interface.
#
# A space delimited list of groupnames that the daemon will
# accept IPC connections from.
#
# IPCAllowedGroups=groupname1 groupname2 ...
#
IPCAllowedGroups=

#
# IPC access control definition files path.
#
# The files at this location will be interpreted by the daemon
# as access control definition files. The (base)name of a file
# should be in the form:
#
# [user][:<group>]
#
# and should contain lines in the form:
#
# <section>=[privilege] ...
#
# This way each file defines who is able to connect to the IPC
# bus and what privileges he has.
#
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/

#
# Generate device specific rules including the "via-port"
# attribute.
#
# This option modifies the behavior of the allowDevice
# action. When instructed to generate a permanent rule,
# the action can generate a port specific rule. Because
# some systems have unstable port numbering, the generated
# rule might not match the device after rebooting the system.
#
# If set to false, the generated rule will still contain
# the "parent-hash" attribute which also defines an association
# to the parent device. See usbguard-rules.conf(5) for more
# details.
#
DeviceRulesWithPort=false

#
# USBGuard Audit events log backend
#
# One of:
#
# * FileAudit - Log audit events into a file specified by
# AuditFilePath setting (see below)
# * LinuxAudit - Log audit events using the Linux Audit
# subsystem (using audit_log_user_message)
#
AuditBackend=FileAudit

#
# USBGuard audit events log file path.
#
AuditFilePath=/var/log/usbguard/usbguard-audit.log

301
SPECS/usbguard.spec Normal file
View File

@ -0,0 +1,301 @@
%global _hardened_build 1

%define with_gui_qt5 0
%define with_dbus 0

Name: usbguard
Version: 0.7.0
Release: 8%{?dist}
Summary: A tool for implementing USB device usage policy
Group: System Environment/Daemons
License: GPLv2+
## Not installed
# src/ThirdParty/Catch: Boost Software License - Version 1.0
URL: https://dkopecek.github.io/usbguard
Source0: https://github.com/dkopecek/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
Source1: usbguard-daemon.conf

Requires: systemd
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
Requires(post): /sbin/ldconfig
Requires(postun): /sbin/ldconfig

BuildRequires: libqb-devel
BuildRequires: libgcrypt-devel
BuildRequires: libstdc++-devel
BuildRequires: protobuf-devel protobuf-compiler
BuildRequires: PEGTL-static
BuildRequires: catch-devel
BuildRequires: autoconf automake libtool
BuildRequires: bash-completion
BuildRequires: audit-libs-devel
# For `pkg-config systemd` only
BuildRequires: systemd

%if 0%{with_gui_qt5}
BuildRequires: qt5-qtbase-devel qt5-qtsvg-devel qt5-linguist
%endif

%if 0%{with_dbus}
BuildRequires: dbus-glib-devel
BuildRequires: dbus-devel
BuildRequires: glib2-devel
BuildRequires: polkit-devel
BuildRequires: libxslt
BuildRequires: libxml2
%endif

%if 0%{?fedora}
BuildRequires: pandoc
%endif

%ifarch ppc
#
# We need atomic instruction emulation on the 32bit PPC arch
#
BuildRequires: libatomic
%endif

# 1444084 - New defects found in usbguard-0.7.0-1.el7
Patch0: usbguard-0.7.0-covscan-uninit-ctor.patch
# 1449344 - usbguard-daemon.conf(5) documentation issues in usbguard-0.7.0-2.el7
Patch1: usbguard-0.7.0-fixed-usbguard-daemon-conf-man-page.patch
Patch2: usbguard-0.7.0-fixed-usbguard-daemon-man-page.patch
#
# Apply upstream cleanup/refactoring changes to the 0.7.0 source
# code to make it compatible with future upstream patches.
#
Patch3: usbguard-0.7.0-upstream-compat.patch
# 1469399 - RFE: Use Type=forking instead of Type=simple in usbguard.service unit
Patch4: usbguard-0.7.0-daemonization.patch
#
# Disable some tests that require a controlled environment or are not required to
# be executed while building binary RPMs.
#
Patch5: usbguard-0.7.0-make-full-testsuite-conditional.patch
# 1487230 - unknown usbguard-daemon.conf directives don't trigger an error
Patch6: usbguard-0.7.0-strict-configuration-parsing.patch
# 1491313 - [RFE] Integrate USBGuard with Linux Audit subsystem
Patch7: usbguard-0.7.0-linux-audit-integration.patch
# 1516930 - usbguard fails to start on aarch64 (RHEL-ALT)
Patch8: usbguard-0.7.0-kernel-4.13-fix.patch
# 1491313 - [RFE] Integrate USBGuard with Linux Audit subsystem
Patch9: usbguard-0.7.0-libaudit-version.patch

%description
The USBGuard software framework helps to protect your computer against rogue USB
devices by implementing basic whitelisting/blacklisting capabilities based on
USB device attributes.

%package devel
Summary: Development files for %{name}
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
Requires: pkgconfig
Requires: libstdc++-devel

%description devel
The %{name}-devel package contains libraries and header files for
developing applications that use %{name}.

%package tools
Summary: USBGuard Tools
Group: Applications/System
Requires: %{name} = %{version}-%{release}

%description tools
The %{name}-tools package contains optional tools from the USBGuard
software framework.

%if 0%{with_gui_qt5}
###
%package applet-qt
Summary: USBGuard Qt 5.x Applet
Group: Applications/System
Requires: %{name} = %{version}-%{release}

%description applet-qt
The %{name}-applet-qt package contains an optional Qt 5.x desktop applet
for interacting with the USBGuard daemon component.
###
%endif

%if 0%{with_dbus}
###
%package dbus
Summary: USBGuard D-Bus Service
Group: Applications/System
Requires: %{name} = %{version}-%{release}
Requires: dbus
Requires: polkit

%description dbus
The %{name}-dbus package contains an optional component that provides
a D-Bus interface to the USBGuard daemon component.
###
%endif

%prep
%setup -q
# Remove bundled library sources before build
rm -rf src/ThirdParty/{Catch,PEGTL}

%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1

%build
mkdir -p ./m4
autoreconf -i -v --no-recursive ./
%configure \
--disable-silent-rules \
--without-bundled-catch \
--without-bundled-pegtl \
--enable-systemd \
%if 0%{with_gui_qt5}
--with-gui-qt=qt5 \
%endif
%if 0%{with_dbus}
--with-dbus \
--with-polkit \
%else
--without-dbus \
--without-polkit \
%endif
--with-crypto-library=gcrypt

make %{?_smp_mflags}

%check
make check

%install
make install INSTALL='install -p' DESTDIR=%{buildroot}

# Overwrite configuration with distribution defaults
mkdir -p %{buildroot}%{_sysconfdir}/usbguard
install -p -m 600 %{SOURCE1} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf

# Cleanup
find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'

%preun
%systemd_preun usbguard.service

%post
/sbin/ldconfig
%systemd_post usbguard.service

%postun
/sbin/ldconfig
%systemd_postun usbguard.service

%files
%defattr(-,root,root,-)
%doc README.md CHANGELOG.md
%license LICENSE
%{_libdir}/*.so.*
%{_sbindir}/usbguard-daemon
%{_bindir}/usbguard
%dir %{_localstatedir}/log/usbguard
%dir %{_sysconfdir}/usbguard
%dir %{_sysconfdir}/usbguard/IPCAccessControl.d
%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf
%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf
%{_unitdir}/usbguard.service
%{_datadir}/man/man8/usbguard-daemon.8.gz
%{_datadir}/man/man5/usbguard-daemon.conf.5.gz
%{_datadir}/man/man5/usbguard-rules.conf.5.gz
%{_datadir}/man/man1/usbguard.1.gz
%{_datadir}/bash-completion/completions/usbguard

%files devel
%defattr(-,root,root,-)
%{_includedir}/*
%{_libdir}/*.so
%{_libdir}/pkgconfig/*.pc

%files tools
%defattr(-,root,root,-)
%{_bindir}/usbguard-rule-parser

%if 0%{with_gui_qt5}
###
%files applet-qt
%defattr(-,root,root,-)
%{_bindir}/usbguard-applet-qt
%{_mandir}/man1/usbguard-applet-qt.1.gz
%{_datadir}/applications/usbguard-applet-qt.desktop
%{_datadir}/icons/hicolor/scalable/apps/usbguard-icon.svg
###
%endif

%if 0%{with_dbus}
###
%files dbus
%defattr(-,root,root,-)
%{_sbindir}/usbguard-dbus
%{_datadir}/dbus-1/system-services/org.usbguard.service
%{_datadir}/dbus-1/system.d/org.usbguard.conf
%{_datadir}/polkit-1/actions/org.usbguard.policy
%{_unitdir}/usbguard-dbus.service
%{_mandir}/man8/usbguard-dbus.8.gz

%preun dbus
%systemd_preun usbguard-dbus.service

%post dbus
%systemd_post usbguard-dbus.service

%postun dbus
%systemd_postun_with_restart usbguard-dbus.service
###
%endif

%changelog
* Wed Dec 13 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-8
- RHEL 7.5 erratum
- Require a lower version of libaudit during build-time
Resolves: rhbz#1491313

* Mon Nov 27 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-7
- RHEL 7.5 erratum
- Fixed usbguard-daemon on systems with kernel >= 4.13
- Use distribution specific usbguard-daemon.conf instead
of the upstream version
Resolves: rhbz#1516930

* Fri Nov 3 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-6
- RHEL 7.5 erratum
- Add Linux Audit integration
Resolves: rhbz#1491313

* Thu Nov 2 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-5
- RHEL 7.5 erratum
- Make parsing of configuration file strict
Resolves: rhbz#1487230

* Tue Oct 17 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-4
- RHEL 7.5 erratum
- Implemented double-fork daemonization support
Resolves: rhbz#1469399

* Fri May 12 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-3
- Fixed usbguard-daemon and usbguard-daemon.conf man-pages
Resolves: rhbz#1449344

* Thu Apr 20 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-2
- Fixed UNINIT_CTOR issues found by coverity scan
Resolves: rhbz#1444084

* Fri Apr 14 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-1
- Import