usbguard initial package creation

Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org>

SOURCES/usbguard-0.7.0-covscan-uninit-ctor.patch

@@ -0,0 +1,26 @@
+diff --git a/src/Library/DeviceManagerPrivate.cpp b/src/Library/DeviceManagerPrivate.cpp
+index d9f3395..579b3c7 100644
+--- a/src/Library/DeviceManagerPrivate.cpp
++++ b/src/Library/DeviceManagerPrivate.cpp
+@@ -41,6 +41,7 @@ namespace usbguard {
+     std::unique_lock<std::mutex> local_device_map_lock(_device_map_mutex);
+     std::unique_lock<std::mutex> remote_device_map_lock(rhs._device_map_mutex);
+     _device_map = rhs._device_map;
++    _restore_controller_device_state = rhs._restore_controller_device_state;
+     return *this;
+   }
+ 
+diff --git a/src/Library/Exception.hpp b/src/Library/Exception.hpp
+index 02e9622..f27dd63 100644
+--- a/src/Library/Exception.hpp
++++ b/src/Library/Exception.hpp
+@@ -128,7 +128,8 @@ namespace usbguard
+   {
+     public:
+       IPCException()
+-        : Exception("", "", "")
++        : Exception("", "", ""),
++	  _message_id(0)
+       {
+       }
+ 

SOURCES/usbguard-0.7.0-daemonization.patch

@@ -0,0 +1,472 @@
+diff --git a/Makefile.am b/Makefile.am
+index 1852983..b7aa1a3 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -15,6 +15,7 @@
+ ## along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ ##
+ ## Authors: Daniel Kopecek <dkopecek@redhat.com>
++##          Jiri Vymazal   <jvymazal@redhat.com>
+ ##
+ SUBDIRS=src/Tests/
+ 
+diff --git a/doc/usbguard-daemon.8 b/doc/usbguard-daemon.8
+index 18c72fe..dfdb285 100644
+--- a/doc/usbguard-daemon.8
++++ b/doc/usbguard-daemon.8
+@@ -1,4 +1,4 @@
+-.\" Automatically generated by Pandoc 1.17.0.3
++.\" Automatically generated by Pandoc 1.19.1
+ .\"
+ .TH "USBGUARD\-DAEMON" "8" "June 2016" "" ""
+ .hy
+@@ -25,6 +25,11 @@ Enable debugging messages in the log.
+ .RS
+ .RE
+ .TP
++.B \f[B]\-f\f[]
++Enable classical daemon behavior (fork at start, sysV compliant).
++.RS
++.RE
++.TP
+ .B \f[B]\-s\f[]
+ Log to syslog.
+ .RS
+@@ -41,7 +46,8 @@ Log to a file at \f[I]path\f[].
+ .RE
+ .TP
+ .B \f[B]\-p\f[] <\f[I]path\f[]>
+-Write PID to a file at \f[I]path\f[].
++Write PID to a file at \f[I]path\f[] (default:
++\f[I]/var/run/usbguard.pid\f[]).
+ .RS
+ .RE
+ .TP
+diff --git a/doc/usbguard-daemon.8.md b/doc/usbguard-daemon.8.md
+index 3e2fcaf..581613d 100644
+--- a/doc/usbguard-daemon.8.md
++++ b/doc/usbguard-daemon.8.md
+@@ -19,6 +19,9 @@ The **usbguard-daemon** is the main component of the USBGuard software framework
+ **-d**
+ :   Enable debugging messages in the log.
+ 
++**-f**
++:   Enable classical daemon behavior (fork at start, sysV compliant).
++
+ **-s**
+ :   Log to syslog.
+ 
+@@ -29,7 +32,7 @@ The **usbguard-daemon** is the main component of the USBGuard software framework
+ :   Log to a file at *path*.
+ 
+ **-p** <*path*>
+-:   Write PID to a file at *path*.
++:   Write PID to a file at *path* (default: */var/run/usbguard.pid*).
+ 
+ **-c** <*path*>
+ :   Load configuration from a file at *path* (default: */etc/usbguard/usbguard-daemon.conf*).
+diff --git a/src/Common/Utility.cpp b/src/Common/Utility.cpp
+index f84d2a8..237acfb 100644
+--- a/src/Common/Utility.cpp
++++ b/src/Common/Utility.cpp
+@@ -42,56 +42,6 @@
+ namespace usbguard
+ {
+ 
+-  void daemonize()
+-  {
+-    const ::pid_t pid = fork();
+-
+-    switch(pid) {
+-    case  0: /* child */
+-      break;
+-    case -1: /* error */
+-      ::exit(EXIT_FAILURE);
+-    default: /* parent */
+-      ::exit(EXIT_SUCCESS);
+-    }
+-    //
+-    // Decouple from parent environment
+-    // - chdir to /
+-    // - create new process session
+-    // - reset umask
+-    // - cleanup file descriptors
+-    // - ???
+-    // - consider using libdaemon
+-    //
+-    if (::chdir("/") != 0) {
+-      ::exit(EXIT_FAILURE);
+-    }
+-    const ::pid_t sid = ::setsid();
+-    if (sid != 0) {
+-      ::exit(EXIT_FAILURE);
+-    }
+-    ::umask(::umask(077)|022);
+-    struct rlimit rlim;
+-    if (::getrlimit(RLIMIT_NOFILE, &rlim) != 0) {
+-      ::exit(EXIT_FAILURE);
+-    }
+-    const int maxfd = (rlim.rlim_max == RLIM_INFINITY ? 1024 : rlim.rlim_max);
+-    for (int fd = 0; fd < maxfd; ++fd) {
+-      ::close(fd);
+-    }
+-    return;
+-  }
+-
+-  bool writePID(const std::string& filepath)
+-  {
+-    std::ofstream pidstream(filepath, std::ios_base::trunc);
+-    if (!pidstream) {
+-      return false;
+-    }
+-    pidstream << numberToString(getpid()) << std::endl;
+-    return true;
+-  }
+-
+   static void runCommandExecChild(const std::string& path, const std::vector<std::string>& args)
+   {
+     struct rlimit rlim;
+diff --git a/src/Common/Utility.hpp b/src/Common/Utility.hpp
+index f722b22..54e1ea1 100644
+--- a/src/Common/Utility.hpp
++++ b/src/Common/Utility.hpp
+@@ -41,25 +41,6 @@
+ namespace usbguard
+ {
+   /**
+-   * Create a background process.
+-   *
+-   * Performs the following actions:
+-   * 1) fork a new process (parent process exists with 0)
+-   * 2) chdir to /
+-   * 3) creates a new process session
+-   * 4) resets umask
+-   * 5) closes all file descriptors
+-   * 6) Reinitialize logging for the child
+-   */
+-  void daemonize(void);
+-
+-  /**
+-   * Writes the current PID to a file at filepath.
+-   * Returns true on success, otherwise returns false.
+-   */
+-  bool writePID(const std::string& filepath);
+-
+-  /**
+    * Wrappers for the __builtin_expect function.
+    */
+ #if defined(__GNUC__)
+diff --git a/src/Daemon/Daemon.cpp b/src/Daemon/Daemon.cpp
+index b317c85..2a9a37c 100644
+--- a/src/Daemon/Daemon.cpp
++++ b/src/Daemon/Daemon.cpp
+@@ -15,6 +15,7 @@
+ // along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ //
+ // Authors: Daniel Kopecek <dkopecek@redhat.com>
++//          Jiri Vymazal   <jvymazal@redhat.com>
+ //
+ #ifdef HAVE_BUILD_CONFIG_H
+ #include <build-config.h>
+@@ -27,6 +28,8 @@
+ #include "usbguard/RuleParser.hpp"
+ #include "usbguard/Audit.hpp"
+ 
++#include <array>
++
+ #include <sys/select.h>
+ #include <sys/time.h>
+ #include <sys/types.h>
+@@ -112,6 +115,8 @@ namespace usbguard
+ 
+     _device_rules_with_port = false;
+     _restore_controller_device_state = false;
++
++    pid_fd = -1;
+   }
+ 
+   Daemon::~Daemon()
+@@ -402,6 +407,10 @@ namespace usbguard
+       }
+     } while(!exit_loop);
+ 
++    if (pid_fd != -1) {
++        lockf(pid_fd, F_ULOCK, 0);
++        close(pid_fd);
++    }
+     IPCServer::stop();
+     _dm->stop();
+     USBGUARD_LOG(Trace) << "Leaving main loop.";
+@@ -411,6 +420,73 @@ namespace usbguard
+   {
+   }
+ 
++  void Daemon::daemonize(const std::string &pid_file)
++  {
++      USBGUARD_LOG(Trace) << "Starting daemonization";
++
++      pid_t pid = 0;
++      pid_t original_pid = getpid();
++
++      sigset_t mask;
++      sigemptyset(&mask);
++      sigaddset(&mask, SIGUSR1);
++      sigprocmask(SIG_BLOCK, &mask, nullptr);
++      USBGUARD_SYSCALL_THROW("Daemonize", (pid = fork()) < 0);
++      if (pid > 0) {
++        constexpr int timeout_val = 5;
++        struct timespec timeout {timeout_val,0};
++        const time_t start = time(nullptr);
++        siginfo_t info;
++        do {
++          const int signum = sigtimedwait(&mask, &info, &timeout);
++          if (signum == SIGUSR1 && info.si_signo == SIGUSR1 && info.si_pid == pid) {
++            USBGUARD_LOG(Trace) << "Finished daemonization";
++            exit(EXIT_SUCCESS);
++          }
++          if (signum == -1 && errno == EAGAIN) {
++            break; /* timed out */
++          }
++          timeout.tv_sec = timeout_val - difftime(time(nullptr), start); /* avoid potentially endless loop */
++        } while(true);
++        throw Exception("Deamonize", "signal",  "Waiting on pid file write timeout!");
++      }
++
++      /* Now we are forked */
++      USBGUARD_SYSCALL_THROW("Daemonize", setsid() < 0);
++      signal(SIGCHLD, SIG_IGN);
++
++      USBGUARD_SYSCALL_THROW("Daemonize", (pid_fd = open(pid_file.c_str(), O_RDWR|O_CREAT, 0640)) < 0);
++      USBGUARD_SYSCALL_THROW("Daemonize", (lockf(pid_fd, F_TLOCK, 0)) < 0);
++      USBGUARD_SYSCALL_THROW("Daemonize", (pid = fork()) < 0);
++      if (pid > 0) {
++        try {      
++          std::string pid_str = std::to_string(pid);
++          USBGUARD_SYSCALL_THROW("Daemonize", write(pid_fd, pid_str.c_str(), pid_str.size()) != static_cast<ssize_t>(pid_str.size()));
++          kill(original_pid, SIGUSR1);
++          exit(EXIT_SUCCESS);
++        }
++        catch(...) {
++          kill(pid, SIGKILL);
++          throw;
++        }
++      }
++
++      /* Now we are forked 2nd time */
++      umask(0047);  /* no need for world-accessible or executable files */ 
++      chdir("/");
++      const std::array<int,3> std_fds {{STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO}};
++      int fd_null;
++      USBGUARD_SYSCALL_THROW("Daemonize", (fd_null = open("/dev/null", O_RDWR)) < 0);
++      /* We do not need to close all fds because there is only logging open at this point */
++      for (auto fd : std_fds) {
++        USBGUARD_SYSCALL_THROW("Daemonize", close(fd));
++        USBGUARD_SYSCALL_THROW("Daemonize", (dup2(fd_null, fd)) < 0);
++      }
++      close(fd_null);
++
++      USBGUARD_SYSCALL_THROW("Daemonize", (lockf(pid_fd, F_LOCK, 0)) < 0);
++  }
++
+   uint32_t Daemon::assignID()
+   {
+     return _ruleset.assignID();
+diff --git a/src/Daemon/Daemon.hpp b/src/Daemon/Daemon.hpp
+index cfd02d9..065deaf 100644
+--- a/src/Daemon/Daemon.hpp
++++ b/src/Daemon/Daemon.hpp
+@@ -15,6 +15,7 @@
+ // along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ //
+ // Authors: Daniel Kopecek <dkopecek@redhat.com>
++//          Jiri Vymazal   <jvymazal@redhat.com>
+ //
+ #pragma once
+ #ifdef HAVE_BUILD_CONFIG_H
+@@ -72,6 +73,8 @@ namespace usbguard
+     void run();
+     /* Stop the daemon */
+     void quit();
++    /* Handle process daemonization */
++    void daemonize(const std::string& pid_file);
+ 
+     uint32_t assignID();
+     uint32_t upsertRule(const std::string& match_spec, const std::string& rule_spec, bool parent_insensitive = false);
+@@ -112,6 +115,8 @@ namespace usbguard
+     ConfigFile _config;
+     RuleSet _ruleset;
+ 
++    int pid_fd;
++
+     std::string _device_manager_backend;
+     std::shared_ptr<DeviceManager> _dm;
+ 
+diff --git a/src/Daemon/main.cpp b/src/Daemon/main.cpp
+index 869c2e2..4b9b351 100644
+--- a/src/Daemon/main.cpp
++++ b/src/Daemon/main.cpp
+@@ -15,6 +15,7 @@
+ // along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ //
+ // Authors: Daniel Kopecek <dkopecek@redhat.com>
++//          Jiri Vymazal   <jvymazal@redhat.com>
+ //
+ #ifdef HAVE_BUILD_CONFIG_H
+ #include <build-config.h>
+@@ -37,9 +38,13 @@
+ static void setupCapabilities(void);
+ #endif
+ 
++#ifndef USBGUARD_PID_FILE
++#define USBGUARD_PID_FILE "/var/run/usbguard.pid"
++#endif
++
+ using namespace usbguard;
+ 
+-const char * const G_optstring = "dskl:p:c:hWC";
++const char * const G_optstring = "dfskl:p:c:hWC";
+ 
+ static void printUsage(std::ostream& stream, const char *arg0)
+ {
+@@ -47,6 +52,7 @@ static void printUsage(std::ostream& stream, const char *arg0)
+   stream << "Usage: " << filenameFromPath(std::string(arg0), true) << " [OPTIONS]" << std::endl;
+   stream << std::endl;
+   stream << "  -d         Enable debugging messages in the log." << std::endl;
++  stream << "  -f         Enable classical daemon forking behavior." << std::endl;
+   stream << "  -s         Log to syslog." << std::endl;
+   stream << "  -k         Log to console." << std::endl;
+   stream << "  -l <path>  Log to a file at `path'." << std::endl;
+@@ -68,8 +74,9 @@ int main(int argc, char *argv[])
+   bool log_file = false;
+   bool use_seccomp_whitelist = false;
+   bool drop_capabilities = false;
++  bool daemonize = false;
+   std::string log_file_path;
+-  std::string pid_file;
++  std::string pid_file = USBGUARD_PID_FILE;
+   std::string conf_file = "/etc/usbguard/usbguard-daemon.conf";
+   int opt;
+ 
+@@ -79,6 +86,9 @@ int main(int argc, char *argv[])
+       case 'd':
+ 	debug_mode = true;
+ 	break;
++      case 'f':
++        daemonize = true;
++        break;
+       case 's':
+ 	log_syslog = true;
+ 	break;
+@@ -144,6 +154,13 @@ int main(int argc, char *argv[])
+     if (!conf_file.empty()) {
+       daemon.loadConfiguration(conf_file);
+     }
++    if (daemonize) {
++      if (log_console && !log_syslog && !log_file) {
++        USBGUARD_LOG(Warning) << "You have selected to fork and log only to \
++	    console, nothing will be logged after forking!";
++      }
++      daemon.daemonize(pid_file);
++    }
+     daemon.run();
+     ret = EXIT_SUCCESS;
+   }
+diff --git a/src/Tests/Makefile.am b/src/Tests/Makefile.am
+index 7d93474..a952d18 100644
+--- a/src/Tests/Makefile.am
++++ b/src/Tests/Makefile.am
+@@ -40,6 +40,7 @@ EXTRA_DIST=\
+ 	$(top_srcdir)/src/Tests/UseCase/001_cli_policy.sh \
+ 	$(top_srcdir)/src/Tests/UseCase/002_cli_devices.sh \
+ 	$(top_srcdir)/src/Tests/UseCase/003_cli_devices_dummy.sh \
++	$(top_srcdir)/src/Tests/UseCase/004_daemonize.sh \
+ 	$(top_srcdir)/src/Tests/UseCase/DummyDevices
+ 
+ LOG_DRIVER=\
+@@ -62,7 +63,8 @@ TESTS=\
+ 	UseCase/000_executable.sh \
+ 	UseCase/001_cli_policy.sh \
+ 	UseCase/002_cli_devices.sh \
+-	UseCase/003_cli_devices_dummy.sh
++	UseCase/003_cli_devices_dummy.sh \
++	UseCase/004_daemonize.sh
+ 
+ check_PROGRAMS=\
+ 	test-unit \
+diff --git a/src/Tests/UseCase/004_daemonize.sh b/src/Tests/UseCase/004_daemonize.sh
+new file mode 100755
+index 0000000..d59dad1
+--- /dev/null
++++ b/src/Tests/UseCase/004_daemonize.sh
+@@ -0,0 +1,55 @@
++#!/bin/bash
++#
++#
++# Copyright (C) 2016 Red Hat, Inc.
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 2 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++#
++# Authors: Jiri Vymazal <jvymazal@redhat.com>
++#
++# Test whether the binaries are executable as expected (no linker errors, etc.)
++#
++source "${USBGUARD_TESTLIB_BASH}" || exit 129
++
++# TODO? Move to testlib
++export USBGUARD_TESTLIB_TMPDIR="$(mktemp -d --tmpdir usbguard-test.XXXXXX)"
++
++export config_path="${USBGUARD_TESTLIB_TMPDIR}/daemon.conf"
++export pidfile_path="${USBGUARD_TESTLIB_TMPDIR}/usbguard.pid"
++export logfile="${USBGUARD_TESTLIB_TMPDIR}/daemon.log"
++
++function test_cli_daemonize()
++{
++  sleep 5
++
++  if [ ! -f "$pidfile_path" ]; then
++    echo "Test error: PID file for usbguard not present"
++    exit 1
++  fi
++
++  if [ ! `pgrep usbguard` == `cat $pidfile_path` ]; then
++    echo "Test error: PID of usbguard daemon not present in PID file"
++    exit 1
++  fi
++}
++
++cat > "$config_path" <<EOF
++EOF
++
++schedule "${USBGUARD_DAEMON} -f -p $pidfile_path -d -P -l $logfile -c $config_path" :service
++schedule "test_cli_daemonize"
++execute 20
++retval=$?
++cat $pidfile_path | xargs kill -9
++exit $retval
+diff --git a/usbguard.service.in b/usbguard.service.in
+index 5bed4e6..f862d3b 100644
+--- a/usbguard.service.in
++++ b/usbguard.service.in
+@@ -4,8 +4,9 @@ Wants=systemd-udevd.service local-fs.target
+ Documentation=man:usbguard-daemon(8)
+ 
+ [Service]
+-Type=simple
+-ExecStart=%sbindir%/usbguard-daemon -k -c %sysconfdir%/usbguard/usbguard-daemon.conf
++Type=forking
++PIDFile=/var/run/usbguard.pid
++ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ Restart=on-failure
+ 
+ [Install]

SOURCES/usbguard-0.7.0-fixed-usbguard-daemon-conf-man-page.patch

@@ -0,0 +1,88 @@
+From dbc20d4c4aae7302e9a714d1f1f7abdaa3583ef2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20Kope=C4=8Dek?= <dkopecek@redhat.com>
+Date: Fri, 12 May 2017 13:15:30 +0200
+Subject: [PATCH 1/2] Fixed usbguard-daemon.conf man page
+
+---
+ doc/usbguard-daemon.conf.5    | 22 +++++++++++++++-------
+ doc/usbguard-daemon.conf.5.md |  6 +++---
+ 2 files changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/doc/usbguard-daemon.conf.5 b/doc/usbguard-daemon.conf.5
+index f7434b1..476a31e 100644
+--- a/doc/usbguard-daemon.conf.5
++++ b/doc/usbguard-daemon.conf.5
+@@ -1,4 +1,7 @@
++.\" Automatically generated by Pandoc 1.17.0.3
++.\"
+ .TH "USBGUARD\-DAEMON.CONF" "5" "April 2017" "" ""
++.hy
+ .SH NAME
+ .PP
+ \f[B]usbguard\-daemon.conf\f[] \-\- USBGuard daemon configuration file
+@@ -52,8 +55,8 @@ One of \f[C]block\f[], \f[C]reject\f[], \f[C]apply\-policy\f[].
+ .B \f[B]RestoreControllerDeviceState\f[]=<\f[I]boolean\f[]>
+ The USBGuard daemon modifies some attributes of controller devices like
+ the default authorization state of new child device instances.
+-Using this setting, you can controll whether the daemon will try to
+-restore the attribute values to the state before modificaton on
++Using this setting, you can control whether the daemon will try to
++restore the attribute values to the state before modification on
+ shutdown.
+ .RS
+ .RE
+@@ -70,11 +73,6 @@ connections from.
+ .RS
+ .RE
+ .TP
+-.B \f[B]IPCAccessControlFiles\f[]=<\f[I]path\f[]>
+-Path to a directory holding the IPC access control files.
+-.RS
+-.RE
+-.TP
+ .B \f[B]DeviceManagerBackend\f[]=<\f[I]backend\f[]>
+ Which device manager backend implementation to use.
+ Backend should be one of \f[C]uevent\f[] (default) or \f[C]dummy\f[].
+@@ -88,6 +86,16 @@ See the \f[B]IPC ACCESS CONTROL\f[] section for more details.
+ .RS
+ .RE
+ .TP
++.B \f[B]DeviceRulesWithPort\f[]=<\f[I]boolean\f[]>
++Generate device specific rules including the "via\-port" attribute.
++This option modifies the behavior of the allowDevice action.
++When instructed to generate a permanent rule, the action can generate a
++port specific rule.
++Because some systems have unstable port numbering, the generated rule
++might not match the device after rebooting the system.
++.RS
++.RE
++.TP
+ .B \f[B]AuditFilePath\f[]=<\f[I]filepath\f[]>
+ USBGuard audit events log file path.
+ .RS
+diff --git a/doc/usbguard-daemon.conf.5.md b/doc/usbguard-daemon.conf.5.md
+index ea86ad1..58ca0ba 100644
+--- a/doc/usbguard-daemon.conf.5.md
++++ b/doc/usbguard-daemon.conf.5.md
+@@ -36,15 +36,15 @@ The **usbguard-daemon.conf** file is loaded by the USBGuard daemon after it pars
+ **IPCAllowedGroups**=<*groupname*> [<*groupname*> ...]
+ :   A space delimited list of groupnames that the daemon will accept IPC connections from.
+ 
+-**IPCAccessControlFiles**=<*path*>
+-:   Path to a directory holding the IPC access control files.
+-
+ **DeviceManagerBackend**=<*backend*>
+ :   Which device manager backend implementation to use. Backend should be one of `uevent` (default) or `dummy`.
+ 
+ **IPCAccessControlFiles**=<*path*>
+ :   The files at this location will be interpreted by the daemon as IPC access control definition files. See the **IPC ACCESS CONTROL** section for more details.
+ 
++**DeviceRulesWithPort**=<*boolean*>
++:   Generate device specific rules including the "via-port" attribute. This option modifies the behavior of the allowDevice action. When instructed to generate a permanent rule, the action can generate a port specific rule. Because some systems have unstable port numbering, the generated rule might not match the device after rebooting the system.
++
+ **AuditFilePath**=<*filepath*>
+ :   USBGuard audit events log file path.
+ 
+-- 
+2.9.3
+

SOURCES/usbguard-0.7.0-fixed-usbguard-daemon-man-page.patch

@@ -0,0 +1,59 @@
+From b6e6d374a5da571314e4b185ff8fdb38974aa9b0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20Kope=C4=8Dek?= <dkopecek@redhat.com>
+Date: Fri, 12 May 2017 13:20:55 +0200
+Subject: [PATCH 2/2] Fixed usbguard-daemon man page
+
+---
+ doc/usbguard-daemon.8    | 13 +++++++++++++
+ doc/usbguard-daemon.8.md |  6 ++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/doc/usbguard-daemon.8 b/doc/usbguard-daemon.8
+index ad9a2a9..18c72fe 100644
+--- a/doc/usbguard-daemon.8
++++ b/doc/usbguard-daemon.8
+@@ -1,4 +1,7 @@
++.\" Automatically generated by Pandoc 1.17.0.3
++.\"
+ .TH "USBGUARD\-DAEMON" "8" "June 2016" "" ""
++.hy
+ .SH NAME
+ .PP
+ \f[B]usbguard\-daemon\f[] \-\- USBGuard daemon
+@@ -48,6 +51,16 @@ Load configuration from a file at \f[I]path\f[] (default:
+ .RS
+ .RE
+ .TP
++.B \f[B]\-C\f[]
++Drop capabilities to limit privileges of the process.
++.RS
++.RE
++.TP
++.B \f[B]\-W\f[]
++Use a seccomp whitelist to limit available syscalls to the process.
++.RS
++.RE
++.TP
+ .B \f[B]\-h\f[]
+ Show the help/usage screen.
+ .RS
+diff --git a/doc/usbguard-daemon.8.md b/doc/usbguard-daemon.8.md
+index 40dc4be..3e2fcaf 100644
+--- a/doc/usbguard-daemon.8.md
++++ b/doc/usbguard-daemon.8.md
+@@ -34,6 +34,12 @@ The **usbguard-daemon** is the main component of the USBGuard software framework
+ **-c** <*path*>
+ :   Load configuration from a file at *path* (default: */etc/usbguard/usbguard-daemon.conf*).
+ 
++**-C**
++:   Drop capabilities to limit privileges of the process.
++
++**-W**
++:   Use a seccomp whitelist to limit available syscalls to the process.
++
+ **-h**
+ :   Show the help/usage screen.
+ 
+-- 
+2.9.3
+

SOURCES/usbguard-0.7.0-kernel-4.13-fix.patch

@@ -0,0 +1,68 @@
+diff -up usbguard-0.7.0/src/Library/SysFSDevice.cpp.kernel-fix usbguard-0.7.0/src/Library/SysFSDevice.cpp
+--- usbguard-0.7.0/src/Library/SysFSDevice.cpp.kernel-fix	2017-11-27 15:26:34.895791778 +0100
++++ usbguard-0.7.0/src/Library/SysFSDevice.cpp	2017-11-27 15:29:20.723171663 +0100
+@@ -130,6 +130,20 @@ namespace usbguard
+     return fd;
+   }
+ 
++  bool SysFSDevice::hasAttribute(const std::string& name) const
++  {
++    struct ::stat st;
++
++    if (::fstatat(_sysfs_dirfd, name.c_str(), &st, AT_SYMLINK_NOFOLLOW) != 0) {
++      if (errno == ENOENT) {
++        return false;
++      }
++      throw ErrnoException("SysFSDevice::hasAttribute", name, errno);
++    }
++
++    return S_ISREG(st.st_mode);
++  }
++ 
+   std::string SysFSDevice::readAttribute(const std::string& name, bool strip_last_null, bool optional) const
+   {
+     USBGUARD_LOG(Trace) << "name=" << name;
+diff -up usbguard-0.7.0/src/Library/SysFSDevice.hpp.kernel-fix usbguard-0.7.0/src/Library/SysFSDevice.hpp
+--- usbguard-0.7.0/src/Library/SysFSDevice.hpp.kernel-fix	2017-11-27 15:26:34.896791775 +0100
++++ usbguard-0.7.0/src/Library/SysFSDevice.hpp	2017-11-27 15:28:10.778433223 +0100
+@@ -42,6 +42,7 @@ namespace usbguard
+       const std::string& getName() const;
+       const UEvent& getUEvent() const;
+       const std::string& getParentPath() const;
++      bool hasAttribute(const std::string& name) const;
+       std::string readAttribute(const std::string& name, bool strip_last_null = false, bool optional = false) const;
+       void setAttribute(const std::string& name, const std::string& value);
+       int openAttribute(const std::string& name) const;
+diff -up usbguard-0.7.0/src/Library/UEventDeviceManager.cpp.kernel-fix usbguard-0.7.0/src/Library/UEventDeviceManager.cpp
+--- usbguard-0.7.0/src/Library/UEventDeviceManager.cpp.kernel-fix	2017-11-27 15:24:29.034262440 +0100
++++ usbguard-0.7.0/src/Library/UEventDeviceManager.cpp	2017-11-27 15:26:34.897791771 +0100
+@@ -580,7 +580,12 @@ namespace usbguard {
+     const std::string devtype = uevent.getAttribute("DEVTYPE");
+     const std::string action = uevent.getAttribute("ACTION");
+ 
+-    if (subsystem != "usb" || devtype != "usb_device") {
++    /*
++     * We don't care about the event if it's not from the "usb" subsystem.
++     * The device type attribute value is checked later based on the data
++     * read from the sysfs uevent file in the device directory.
++     */
++    if (subsystem != "usb") {
+       USBGUARD_LOG(Debug) << "Ignoring non-USB device:" 
+                           << " subsystem=" << subsystem
+                           << " devtype=" << devtype
+@@ -610,8 +615,13 @@ namespace usbguard {
+           if (sysfs_device.getUEvent().hasAttribute("DEVTYPE")) {
+             const std::string devtype = sysfs_device.getUEvent().getAttribute("DEVTYPE");
+             if (devtype != "usb_device") {
+-              USBGUARD_LOG(Warning) << sysfs_devpath << ": UEvent DEVTYPE mismatch."
+-                << " Expected \"usb_device\", got \"" << devtype << "\"";
++              USBGUARD_LOG(Debug) << sysfs_devpath << ": UEvent DEVTYPE != usb_device. Ignoring event.";
++              return;
++            }
++          }
++          else {
++            if (!sysfs_device.hasAttribute("descriptors")) {
++              USBGUARD_LOG(Debug) << sysfs_devpath << ": UEvent doesn't refer to a device with a descriptors file. Ignoring event.";
+               return;
+             }
+           }

SOURCES/usbguard-0.7.0-libaudit-version.patch

@@ -0,0 +1,12 @@
+diff -up usbguard-0.7.0/configure.ac.libaudit-version usbguard-0.7.0/configure.ac
+--- usbguard-0.7.0/configure.ac.libaudit-version	2017-12-13 10:31:18.738471922 +0100
++++ usbguard-0.7.0/configure.ac	2017-12-13 10:32:10.763256142 +0100
+@@ -230,7 +230,7 @@ AC_SUBST([crypto_LIBS])
+ #
+ # Check for optional libraries
+ #
+-PKG_CHECK_MODULES([audit], [audit >= 2.7.7],
++PKG_CHECK_MODULES([audit], [audit >= 2.7.0],
+ [AC_DEFINE([HAVE_LINUX_AUDIT], [1], [Linux Audit API available])
+ AC_CHECK_DECLS([audit_encode_nv_string], [], [], [[#include<libaudit.h>]])
+ libaudit_summary="system-wide; $audit_LIBS"],

SOURCES/usbguard-0.7.0-make-full-testsuite-conditional.patch

@@ -0,0 +1,99 @@
+diff --git a/Makefile.am b/Makefile.am
+index b7aa1a3..37273fb 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -670,15 +670,3 @@ analyze-clang:
+ 	  --status-bugs -maxloop 8 -disable-checker deadcode.DeadStores -o "$(abs_top_builddir)" \
+ 	  make -j$(JOBS)
+ 	rm -rf "$(ANALYSIS_ROOT)"
+-
+-if MAINTAINER_MODE
+-check-local: check-copyright
+-
+-check-copyright:
+-	$(eval GIT_CLONE_ROOT:=$(shell mktemp -d -t usbguard-git-clone.XXXXXX))
+-	git clone "$(abs_top_srcdir)" "$(GIT_CLONE_ROOT)" && \
+-	  $(top_srcdir)/src/Tests/Packaging/files-without-copyright.sh "$(GIT_CLONE_ROOT)"
+-	rm -rf "$(GIT_CLONE_ROOT)"
+-else
+-check-local:
+-endif
+diff --git a/configure.ac b/configure.ac
+index 287abf2..6ab0d9b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -597,13 +597,15 @@ if test -z "$ASPELL"; then
+ fi
+ 
+ #
+-# Maintainer mode.
++# Full test suite mode.
+ #
+-# Runs several additional taks for certain make targets (e.g. tests)
++# Runs all available test when enabled. Some tests make assumption about
++# the environment they run in, so they might fail when these assumptions
++# are not met.
+ #
+-AC_ARG_ENABLE([maintainer-mode],
+-              [AS_HELP_STRING([--enable-maintainer-mode], [Enable maintainer mode (default=no)])],
+-              [maintainer_mode=$enableval], [maintainer_mode=no])
++AC_ARG_ENABLE([full-test-suite],
++              [AS_HELP_STRING([--enable-full-test-suite], [Run the full test suite (default=no)])],
++              [full_test_suite=$enableval], [full_test_suite=no])
+ 
+ # Checks for header files.
+ AC_LANG_PUSH([C++])
+@@ -713,8 +715,8 @@ AM_CONDITIONAL([SYSTEMD_SUPPORT_ENABLED], [test "x$systemd" = xyes ])
+ AM_CONDITIONAL([GUI_QT_ENABLED], [test "x$build_gui_qt" = xyes ])
+ AM_CONDITIONAL([DBUS_ENABLED], [test "x$with_dbus" = xyes ])
+ AM_CONDITIONAL([POLICYKIT_ENABLED], [test "x$with_polkit" = xyes])
+-AM_CONDITIONAL([MAINTAINER_MODE], [test "x$maintainer_mode" = xyes])
+-AM_CONDITIONAL([BASH_COMPLETION_ENABLED],[test "x$bash_completion" != "xno"])
++AM_CONDITIONAL([FULL_TEST_SUITE_ENABLED], [test "x$full_test_suite" = xyes])
++AM_CONDITIONAL([BASH_COMPLETION_ENABLED], [test "x$bash_completion" != xno])
+ 
+ CXXFLAGS="$CXXFLAGS -fvisibility=hidden $COMMON_WARNING_FLAGS $WARNING_CXXFLAGS"
+ CFLAGS="$CFLAGS -fvisibility=hidden $COMMON_WARNING_FLAGS $WARNING_CFLAGS"
+@@ -744,7 +746,7 @@ echo
+ echo "    Build Configuration Summary    "
+ echo "==================================="
+ echo
+-echo " Maintainer mode: $maintainer_mode"
++echo " Run full test suite: $full_test_suite"
+ echo
+ echo "## Libraries"
+ echo
+@@ -768,7 +770,8 @@ echo "   Bash completion dir: $BASH_COMPLETION_DIR"
+ echo
+ echo "## Compilation Flags"
+ echo
+-echo " Debug Mode: $debug"
++echo "Debug Build: $debug"
++echo "       DEFS: $DEFS"
+ echo "   CXXFLAGS: $CXXFLAGS"
+ echo "     CFLAGS: $CFLAGS"
+ echo "   CPPFLAGS: $CPPFLAGS"
+diff --git a/src/Tests/Makefile.am b/src/Tests/Makefile.am
+index a952d18..da7a35b 100644
+--- a/src/Tests/Makefile.am
++++ b/src/Tests/Makefile.am
+@@ -58,13 +58,17 @@ TESTS=\
+ 	test-unit \
+ 	test-regression \
+ 	USB/test-descriptor-parser.sh \
+-	Packaging/spell-check.sh \
+-	Rules/test-rules.sh \
++	Rules/test-rules.sh
++
++if FULL_TEST_SUITE_ENABLED
++TESTS+=\
++        Packaging/spell-check.sh \
+ 	UseCase/000_executable.sh \
+ 	UseCase/001_cli_policy.sh \
+ 	UseCase/002_cli_devices.sh \
+ 	UseCase/003_cli_devices_dummy.sh \
+ 	UseCase/004_daemonize.sh
++endif
+ 
+ check_PROGRAMS=\
+ 	test-unit \

SOURCES/usbguard-0.7.0-strict-configuration-parsing.patch

@@ -0,0 +1,59 @@
+diff -up usbguard-0.7.0/src/Library/ConfigFilePrivate.cpp.strict-config usbguard-0.7.0/src/Library/ConfigFilePrivate.cpp
+--- usbguard-0.7.0/src/Library/ConfigFilePrivate.cpp.strict-config	2017-11-03 10:43:09.528657179 +0100
++++ usbguard-0.7.0/src/Library/ConfigFilePrivate.cpp	2017-11-03 11:03:51.338013408 +0100
+@@ -23,6 +23,7 @@
+ #include "ConfigFilePrivate.hpp"
+ #include "Common/Utility.hpp"
+ 
++#include "usbguard/Exception.hpp"
+ #include "usbguard/Logger.hpp"
+ 
+ #include <stdexcept>
+@@ -53,7 +54,7 @@ namespace usbguard
+   {
+     _stream.open(path, std::ios::in|std::ios::out);
+     if (!_stream.is_open()) {
+-      throw std::runtime_error("Can't open " + path);
++      throw Exception("Configuration", path, "unable to open the configuration file");
+     }
+     _dirty = false;
+     parse();
+@@ -62,7 +63,7 @@ namespace usbguard
+   void ConfigFilePrivate::write()
+   {
+     if (!_stream.is_open()) {
+-      throw std::runtime_error("BUG: ConfigFilePrivate::write: write() before open()");
++      throw USBGUARD_BUG("ConfigFilePrivate::write: write() before open()");
+     }
+ 
+     if (_dirty) {
+@@ -116,21 +117,22 @@ namespace usbguard
+     while(std::getline(_stream, config_line)) {
+       ++config_line_number;
+       _lines.push_back(config_line);
++      config_line = trim(config_line);
++
++      if (config_line.size() < 1 || config_line[0] == '#') {
++        continue;
++      }
+ 
+       const size_t nv_separator = config_line.find_first_of("=");
+       if (nv_separator == std::string::npos) {
+-        continue;
++        throw Exception("Configuration", "line " + std::to_string(config_line_number), "syntax error");
+       }
+ 
+       std::string name = trim(config_line.substr(0, nv_separator));
+-      std::string value = config_line.substr(nv_separator + 1);
+-
+-      if (name[0] == '#') {
+-        continue;
+-      }
++      std::string value = trim(config_line.substr(nv_separator + 1));
+ 
+       if (!checkNVPair(name, value)) {
+-        continue;
++        throw Exception("Configuration", name, "unknown configuration directive");
+       }
+ 
+       NVPair& setting = _settings[name];

SOURCES/usbguard-daemon.conf

@@ -0,0 +1,173 @@
+#
+# Rule set file path.
+#
+# The USBGuard daemon will use this file to load the policy
+# rule set from it and to write new rules received via the
+# IPC interface.
+#
+# RuleFile=/path/to/rules.conf
+#
+RuleFile=/etc/usbguard/rules.conf
+
+#
+# Implicit policy target.
+#
+# How to treat devices that don't match any rule in the
+# policy. One of:
+#
+# * allow  - authorize the device
+# * block  - block the device
+# * reject - remove the device
+#
+ImplicitPolicyTarget=block
+
+#
+# Present device policy.
+#
+# How to treat devices that are already connected when the
+# daemon starts. One of:
+#
+# * allow        - authorize every present device
+# * block        - deauthorize every present device
+# * reject       - remove every present device
+# * keep         - just sync the internal state and leave it
+# * apply-policy - evaluate the ruleset for every present
+#                  device
+#
+PresentDevicePolicy=apply-policy
+
+#
+# Present controller policy.
+#
+# How to treat USB controllers that are already connected
+# when the daemon starts. One of:
+#
+# * allow        - authorize every present device
+# * block        - deauthorize every present device
+# * reject       - remove every present device
+# * keep         - just sync the internal state and leave it
+# * apply-policy - evaluate the ruleset for every present
+#                  device
+#
+PresentControllerPolicy=keep
+
+#
+# Inserted device policy.
+#
+# How to treat USB devices that are already connected
+# *after* the daemon starts. One of:
+#
+# * block        - deauthorize every present device
+# * reject       - remove every present device
+# * apply-policy - evaluate the ruleset for every present
+#                  device
+#
+InsertedDevicePolicy=apply-policy
+
+#
+# Restore controller device state.
+#
+# The USBGuard daemon modifies some attributes of controller
+# devices like the default authorization state of new child device
+# instances. Using this setting, you can controll whether the
+# daemon will try to restore the attribute values to the state
+# before modificaton on shutdown.
+#
+# SECURITY CONSIDERATIONS: If set to true, the USB authorization
+# policy could be bypassed by performing some sort of attack on the
+# daemon (via a local exploit or via a USB device) to make it shutdown
+# and restore to the operating-system default state (known to be permissive).
+#
+RestoreControllerDeviceState=false
+
+#
+# Device manager backend
+#
+# Which device manager backend implementation to use. One of:
+#
+# * uevent - Netlink based implementation which uses sysfs to scan for present
+#            devices and an uevent netlink socket for receiving USB device
+#            related events.
+# * dummy  - A dummy device manager which simulates several devices and device
+#            events. Useful for testing.
+#
+DeviceManagerBackend=uevent
+
+#!!! WARNING: It's good practice to set at least one of the !!!
+#!!!          two options bellow. If none of them are set,  !!!
+#!!!          the daemon will accept IPC connections from   !!!
+#!!!          anyone, thus allowing anyone to modify the    !!!
+#!!!          rule set and (de)authorize USB devices.       !!!
+
+#
+# Users allowed to use the IPC interface.
+#
+# A space delimited list of usernames that the daemon will
+# accept IPC connections from.
+#
+# IPCAllowedUsers=username1 username2 ...
+#
+IPCAllowedUsers=root
+
+#
+# Groups allowed to use the IPC interface.
+#
+# A space delimited list of groupnames that the daemon will
+# accept IPC connections from.
+#
+# IPCAllowedGroups=groupname1 groupname2 ...
+#
+IPCAllowedGroups=
+
+#
+# IPC access control definition files path.
+#
+# The files at this location will be interpreted by the daemon
+# as access control definition files. The (base)name of a file
+# should be in the form:
+#
+#   [user][:<group>]
+#
+# and should contain lines in the form:
+#
+#   <section>=[privilege] ...
+#
+# This way each file defines who is able to connect to the IPC
+# bus and what privileges he has.
+#
+IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
+
+#
+# Generate device specific rules including the "via-port"
+# attribute.
+#
+# This option modifies the behavior of the allowDevice
+# action. When instructed to generate a permanent rule,
+# the action can generate a port specific rule. Because
+# some systems have unstable port numbering, the generated
+# rule might not match the device after rebooting the system.
+#
+# If set to false, the generated rule will still contain
+# the "parent-hash" attribute which also defines an association
+# to the parent device. See usbguard-rules.conf(5) for more
+# details.
+#
+DeviceRulesWithPort=false
+
+#
+# USBGuard Audit events log backend
+#
+# One of:
+#
+# * FileAudit - Log audit events into a file specified by
+#               AuditFilePath setting (see below)
+# * LinuxAudit - Log audit events using the Linux Audit
+#                subsystem (using audit_log_user_message)
+#
+AuditBackend=FileAudit
+
+#
+# USBGuard audit events log file path.
+#
+AuditFilePath=/var/log/usbguard/usbguard-audit.log
+

SPECS/usbguard.spec

@@ -0,0 +1,301 @@
+%global _hardened_build 1
+
+%define with_gui_qt5 0
+%define with_dbus    0
+
+Name:           usbguard
+Version:        0.7.0
+Release:        8%{?dist}
+Summary:        A tool for implementing USB device usage policy
+Group:          System Environment/Daemons
+License:        GPLv2+
+## Not installed
+# src/ThirdParty/Catch: Boost Software License - Version 1.0
+URL:            https://dkopecek.github.io/usbguard
+Source0:        https://github.com/dkopecek/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
+Source1:        usbguard-daemon.conf
+
+Requires: systemd
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+Requires(post): /sbin/ldconfig
+Requires(postun): /sbin/ldconfig
+
+BuildRequires: libqb-devel
+BuildRequires: libgcrypt-devel
+BuildRequires: libstdc++-devel
+BuildRequires: protobuf-devel protobuf-compiler
+BuildRequires: PEGTL-static
+BuildRequires: catch-devel
+BuildRequires: autoconf automake libtool
+BuildRequires: bash-completion
+BuildRequires: audit-libs-devel
+# For `pkg-config systemd` only
+BuildRequires: systemd
+
+%if 0%{with_gui_qt5}
+BuildRequires: qt5-qtbase-devel qt5-qtsvg-devel qt5-linguist
+%endif
+
+%if 0%{with_dbus}
+BuildRequires: dbus-glib-devel
+BuildRequires: dbus-devel
+BuildRequires: glib2-devel
+BuildRequires: polkit-devel
+BuildRequires: libxslt
+BuildRequires: libxml2
+%endif
+
+%if 0%{?fedora}
+BuildRequires: pandoc
+%endif
+
+%ifarch ppc
+#
+# We need atomic instruction emulation on the 32bit PPC arch
+#
+BuildRequires: libatomic
+%endif
+
+# 1444084 - New defects found in usbguard-0.7.0-1.el7
+Patch0: usbguard-0.7.0-covscan-uninit-ctor.patch
+# 1449344 - usbguard-daemon.conf(5) documentation issues in usbguard-0.7.0-2.el7
+Patch1: usbguard-0.7.0-fixed-usbguard-daemon-conf-man-page.patch
+Patch2: usbguard-0.7.0-fixed-usbguard-daemon-man-page.patch
+#
+# Apply upstream cleanup/refactoring changes to the 0.7.0 source
+# code to make it compatible with future upstream patches.
+#
+Patch3: usbguard-0.7.0-upstream-compat.patch
+# 1469399 - RFE: Use Type=forking instead of Type=simple in usbguard.service unit
+Patch4: usbguard-0.7.0-daemonization.patch
+#
+# Disable some tests that require a controlled environment or are not required to
+# be executed while building binary RPMs.
+#
+Patch5: usbguard-0.7.0-make-full-testsuite-conditional.patch
+# 1487230 - unknown usbguard-daemon.conf directives don't trigger an error
+Patch6: usbguard-0.7.0-strict-configuration-parsing.patch
+# 1491313 - [RFE] Integrate USBGuard with Linux Audit subsystem
+Patch7: usbguard-0.7.0-linux-audit-integration.patch
+# 1516930 - usbguard fails to start on aarch64 (RHEL-ALT)
+Patch8: usbguard-0.7.0-kernel-4.13-fix.patch
+# 1491313 - [RFE] Integrate USBGuard with Linux Audit subsystem
+Patch9: usbguard-0.7.0-libaudit-version.patch
+
+%description
+The USBGuard software framework helps to protect your computer against rogue USB
+devices by implementing basic whitelisting/blacklisting capabilities based on
+USB device attributes.
+
+%package        devel
+Summary:        Development files for %{name}
+Group:          Development/Libraries
+Requires:       %{name} = %{version}-%{release}
+Requires:       pkgconfig
+Requires:       libstdc++-devel
+
+%description    devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+%package        tools
+Summary:        USBGuard Tools
+Group:          Applications/System
+Requires:       %{name} = %{version}-%{release}
+
+%description    tools
+The %{name}-tools package contains optional tools from the USBGuard
+software framework.
+
+%if 0%{with_gui_qt5}
+###
+%package        applet-qt
+Summary:        USBGuard Qt 5.x Applet
+Group:          Applications/System
+Requires:       %{name} = %{version}-%{release}
+
+%description    applet-qt
+The %{name}-applet-qt package contains an optional Qt 5.x desktop applet
+for interacting with the USBGuard daemon component.
+###
+%endif
+
+%if 0%{with_dbus}
+###
+%package        dbus
+Summary:        USBGuard D-Bus Service
+Group:          Applications/System
+Requires:       %{name} = %{version}-%{release}
+Requires:       dbus
+Requires:       polkit
+
+%description    dbus
+The %{name}-dbus package contains an optional component that provides
+a D-Bus interface to the USBGuard daemon component.
+###
+%endif
+
+%prep
+%setup -q
+# Remove bundled library sources before build
+rm -rf src/ThirdParty/{Catch,PEGTL}
+
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+
+%build
+mkdir -p ./m4
+autoreconf -i -v --no-recursive ./
+%configure \
+    --disable-silent-rules \
+    --without-bundled-catch \
+    --without-bundled-pegtl \
+    --enable-systemd \
+%if 0%{with_gui_qt5}
+    --with-gui-qt=qt5 \
+%endif
+%if 0%{with_dbus}
+    --with-dbus \
+    --with-polkit \
+%else
+    --without-dbus \
+    --without-polkit \
+%endif
+    --with-crypto-library=gcrypt
+
+make %{?_smp_mflags}
+
+%check
+make check
+
+%install
+make install INSTALL='install -p' DESTDIR=%{buildroot}
+
+# Overwrite configuration with distribution defaults
+mkdir -p %{buildroot}%{_sysconfdir}/usbguard
+install -p -m 600 %{SOURCE1} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf
+
+# Cleanup
+find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';'
+
+%preun
+%systemd_preun usbguard.service
+
+%post
+/sbin/ldconfig
+%systemd_post usbguard.service
+
+%postun
+/sbin/ldconfig
+%systemd_postun usbguard.service
+
+%files
+%defattr(-,root,root,-)
+%doc README.md CHANGELOG.md
+%license LICENSE
+%{_libdir}/*.so.*
+%{_sbindir}/usbguard-daemon
+%{_bindir}/usbguard
+%dir %{_localstatedir}/log/usbguard
+%dir %{_sysconfdir}/usbguard
+%dir %{_sysconfdir}/usbguard/IPCAccessControl.d
+%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf
+%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf
+%{_unitdir}/usbguard.service
+%{_datadir}/man/man8/usbguard-daemon.8.gz
+%{_datadir}/man/man5/usbguard-daemon.conf.5.gz
+%{_datadir}/man/man5/usbguard-rules.conf.5.gz
+%{_datadir}/man/man1/usbguard.1.gz
+%{_datadir}/bash-completion/completions/usbguard
+
+%files devel
+%defattr(-,root,root,-)
+%{_includedir}/*
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/*.pc
+
+%files tools
+%defattr(-,root,root,-)
+%{_bindir}/usbguard-rule-parser
+
+%if 0%{with_gui_qt5}
+###
+%files applet-qt
+%defattr(-,root,root,-)
+%{_bindir}/usbguard-applet-qt
+%{_mandir}/man1/usbguard-applet-qt.1.gz
+%{_datadir}/applications/usbguard-applet-qt.desktop
+%{_datadir}/icons/hicolor/scalable/apps/usbguard-icon.svg
+###
+%endif
+
+%if 0%{with_dbus}
+###
+%files dbus
+%defattr(-,root,root,-)
+%{_sbindir}/usbguard-dbus
+%{_datadir}/dbus-1/system-services/org.usbguard.service
+%{_datadir}/dbus-1/system.d/org.usbguard.conf
+%{_datadir}/polkit-1/actions/org.usbguard.policy
+%{_unitdir}/usbguard-dbus.service
+%{_mandir}/man8/usbguard-dbus.8.gz
+
+%preun dbus
+%systemd_preun usbguard-dbus.service
+
+%post dbus
+%systemd_post usbguard-dbus.service
+
+%postun dbus
+%systemd_postun_with_restart usbguard-dbus.service
+###
+%endif
+
+%changelog
+* Wed Dec 13 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-8
+- RHEL 7.5 erratum
+  - Require a lower version of libaudit during build-time
+  Resolves: rhbz#1491313
+
+* Mon Nov 27 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-7
+- RHEL 7.5 erratum
+  - Fixed usbguard-daemon on systems with kernel >= 4.13
+  - Use distribution specific usbguard-daemon.conf instead
+    of the upstream version
+  Resolves: rhbz#1516930
+
+* Fri Nov  3 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-6
+- RHEL 7.5 erratum
+  - Add Linux Audit integration
+  Resolves: rhbz#1491313
+
+* Thu Nov  2 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-5
+- RHEL 7.5 erratum
+  - Make parsing of configuration file strict
+  Resolves: rhbz#1487230
+
+* Tue Oct 17 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-4
+- RHEL 7.5 erratum
+  - Implemented double-fork daemonization support
+  Resolves: rhbz#1469399
+
+* Fri May 12 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-3
+- Fixed usbguard-daemon and usbguard-daemon.conf man-pages
+  Resolves: rhbz#1449344
+
+* Thu Apr 20 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-2
+- Fixed UNINIT_CTOR issues found by coverity scan
+  Resolves: rhbz#1444084
+
+* Fri Apr 14 2017 Daniel Kopeček <dkopecek@redhat.com> 0.7.0-1
+- Import