Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package usbguard for openSUSE:Factory checked in at 2024-06-07 15:03:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/usbguard (Old) and /work/SRC/openSUSE:Factory/.usbguard.new.24587 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "usbguard" Fri Jun 7 15:03:59 2024 rev:22 rq:1179064 version:1.1.3 Changes: -------- --- /work/SRC/openSUSE:Factory/usbguard/usbguard.changes 2024-02-21 17:57:08.060861037 +0100 +++ /work/SRC/openSUSE:Factory/.usbguard.new.24587/usbguard.changes 2024-06-07 15:04:30.646273300 +0200 @@ -1,0 +2,23 @@ +Thu Jun 6 18:02:42 UTC 2024 - Robert Frohl <[email protected]> + +- update to 1.1.3 + * Fix typo in CLI --help message: "privilges" -> "privileges" + * Harden service file: Set OOMScoreAdjust to -1000 + * Specify what happens when neither RuleFile nor RuleFolder is set + * The parent process should wait for the first child process to finish in forking mode(-f) + * dbus: check whether the client wanted interactive authentication + * Add missing .adoc files to the tarball + * Replace problematic terms with alternatives + * Fix CI by fixing calls to ldap-utils + * Describe comments in the manual page + * Store permanent rules even if RuleFile is not set but RuleFolder is. + * Fix build for GCC 13 + make GitHub Actions cover build with GCC 13 + * Bump GitHub Actions off deprecated actions/checkout@v2 + * Actions(deps): Bump actions/checkout from 3.5.2 to 4.1.1 + * Add "--version" option to the usbguard CLI + * ruleset: detect integer overflow of the ID and bail out + * Enable RuleFolder by default + * Fix CI and RuleSet::assignID regressions +- Removed build_gcc13.patch, included upstream + +------------------------------------------------------------------- Old: ---- build_gcc13.patch usbguard-1.1.2.tar.gz usbguard-1.1.2.tar.gz.sum.asc New: ---- usbguard-1.1.3.tar.gz usbguard-1.1.3.tar.gz.sum.asc BETA DEBUG BEGIN: Old: * Fix CI and RuleSet::assignID regressions - Removed build_gcc13.patch, included upstream BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ usbguard.spec ++++++ --- /var/tmp/diff_new_pack.4gI55z/_old 2024-06-07 15:04:31.446302445 +0200 +++ /var/tmp/diff_new_pack.4gI55z/_new 2024-06-07 15:04:31.450302590 +0200 @@ -1,7 +1,7 @@ # # spec file for package usbguard # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %global _hardened_build 1 %define lname libusbguard1 Name: usbguard -Version: 1.1.2 +Version: 1.1.3 Release: 0 Summary: A tool for implementing USB device usage policy ## Not installed @@ -33,7 +33,6 @@ Source3: usbguard-daemon.conf Source4: usbguard-rpmlintrc Patch0: usbguard-pthread.patch -Patch1: build_gcc13.patch BuildRequires: asciidoc BuildRequires: audit-devel BuildRequires: autoconf ++++++ usbguard-1.1.2.tar.gz -> usbguard-1.1.3.tar.gz ++++++ ++++ 1743 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/CHANGELOG.md new/usbguard-1.1.3/CHANGELOG.md --- old/usbguard-1.1.2/CHANGELOG.md 2022-09-02 18:25:09.523144575 +0200 +++ new/usbguard-1.1.3/CHANGELOG.md 2024-06-06 16:34:06.244731446 +0200 @@ -1,5 +1,20 @@ # Change Log +## 1.1.3 - 2024-06-06 + +### Fixed +- Addressed several cases where either RuleFile or RuleFolder was not set. +- Resolved a race condition during fork where the parent process did not wait until everything was initialized in the child process. +- Included missing documentation in the tarball. +- Fixed compatibility issues with GCC 13+. + +### Added +- Implemented detection of integer overflow for device IDs to ensure that each device can be uniquely identified by a single ID. +- Enhanced the service file to disable the Linux kernel's Out-Of-Memory (OOM) killing of processes for this unit. +- D-bus: check if the client requested interactive authentication, as some clients do not prompt for passwords. +- Made minor adjustments to the documentation. +- RuleFolder is enabled by default. At startup, the path to folder must exist and be accessible by the daemon. + ## 1.1.2 - 2022-09-02 ### Fixed @@ -406,7 +421,7 @@ ## 0.4 - 2016-02-07 ### Changed - The daemon is now capable of dropping process capabilities and uses a seccomp - based syscall whitelist. Options to enable these features were added to the + based syscall allowlist. Options to enable these features were added to the usbguard-daemon command. - Devices connected at the start of the daemon are now recognized and the DevicePresent signal is sent for each of them. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/Makefile.am new/usbguard-1.1.3/Makefile.am --- old/usbguard-1.1.2/Makefile.am 2022-09-02 17:52:26.090980404 +0200 +++ new/usbguard-1.1.3/Makefile.am 2024-05-30 13:13:34.971556679 +0200 @@ -71,7 +71,10 @@ $(man_ADOC_FILES:.adoc=.roff) EXTRA_DIST+=\ - $(man_ADOC_FILES) + $(man_ADOC_FILES) \ + doc/man/example-allow-device.adoc \ + doc/man/example-initial-policy.adoc \ + doc/man/footer.adoc CLEANFILES+=\ $(man_ROFF_FILES) \ @@ -430,7 +433,9 @@ src/CLI/usbguard-add-user.cpp \ src/CLI/usbguard-add-user.hpp \ src/CLI/usbguard-remove-user.cpp \ - src/CLI/usbguard-remove-user.hpp + src/CLI/usbguard-remove-user.hpp \ + src/CLI/usbguard-print-version.cpp \ + src/CLI/usbguard-print-version.hpp usbguard_CXXFLAGS=\ $(PTHREAD_CFLAGS) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/README.adoc new/usbguard-1.1.3/README.adoc --- old/usbguard-1.1.2/README.adoc 2022-09-02 17:52:26.090980404 +0200 +++ new/usbguard-1.1.3/README.adoc 2024-05-30 13:13:34.971556679 +0200 @@ -47,7 +47,7 @@ Optionally, you may want to install: - * https://github.com/seccomp/libseccomp[libseccomp] - used to implement a syscall whitelist + * https://github.com/seccomp/libseccomp[libseccomp] - used to implement a syscall allowlist * https://people.redhat.com/sgrubb/libcap-ng/[libcap-ng] - used to drop process capabilities If you are on a Debian based GNU/Linux distribution like Ubuntu 21.10, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/VERSION new/usbguard-1.1.3/VERSION --- old/usbguard-1.1.2/VERSION 2022-09-02 18:17:58.787904432 +0200 +++ new/usbguard-1.1.3/VERSION 2024-06-06 16:31:06.089035982 +0200 @@ -1 +1 @@ -1.1.2 +1.1.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/configure.ac new/usbguard-1.1.3/configure.ac --- old/usbguard-1.1.2/configure.ac 2022-09-02 17:52:26.094980351 +0200 +++ new/usbguard-1.1.3/configure.ac 2024-05-30 13:13:34.983556787 +0200 @@ -467,7 +467,7 @@ # # Check for required D-Bus modules # - PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0 polkit-gobject-1], + PKG_CHECK_MODULES([dbus], [dbus-1 gio-2.0 >= 2.46 polkit-gobject-1], [AC_DEFINE([HAVE_DBUS], [1], [Required GDBus API available]) dbus_summary="system-wide; $dbus_CFLAGS $dbus_LIBS"], [AC_MSG_FAILURE([Required D-Bus modules (dbus-1, gio-2.0, polkit-gobject-1) not found!])] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/doc/man/example-allow-device.adoc new/usbguard-1.1.3/doc/man/example-allow-device.adoc --- old/usbguard-1.1.2/doc/man/example-allow-device.adoc 1970-01-01 01:00:00.000000000 +0100 +++ new/usbguard-1.1.3/doc/man/example-allow-device.adoc 2024-05-30 13:13:34.983556787 +0200 @@ -0,0 +1,6 @@ +.... + # Allow a device by ID(it is the very first number from the list-devices command output) + $ sudo usbguard allow-device 10 + # Allow all devices named "Dell Wired Multimedia Keyboard" + $ sudo usbguard allow-device name \"Dell Wired Multimedia Keyboard\" +.... diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/doc/man/example-initial-policy.adoc new/usbguard-1.1.3/doc/man/example-initial-policy.adoc --- old/usbguard-1.1.2/doc/man/example-initial-policy.adoc 1970-01-01 01:00:00.000000000 +0100 +++ new/usbguard-1.1.3/doc/man/example-initial-policy.adoc 2024-05-30 13:13:34.984556796 +0200 @@ -0,0 +1,7 @@ +.... + $ sudo usbguard generate-policy > rules.conf + $ vi rules.conf + (review/modify the rule set) + $ sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf + $ sudo systemctl restart usbguard +.... diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/doc/man/footer.adoc new/usbguard-1.1.3/doc/man/footer.adoc --- old/usbguard-1.1.2/doc/man/footer.adoc 1970-01-01 01:00:00.000000000 +0100 +++ new/usbguard-1.1.3/doc/man/footer.adoc 2024-05-30 13:13:34.984556796 +0200 @@ -0,0 +1,18 @@ +== BUGS +If you find a bug in this software or if you'd like to request a feature to be implemented, please file a ticket at <https://github.com/USBGuard/usbguard/issues/new>. + + +== AUTHOR +USBGuard was originally written by Daniel KopeÄek. +Many people have contributed to it. + + +== RESOURCES +Main web site: <https://usbguard.github.io/> + + +== COPYING +Copyright © 2015-{docyear} Red Hat, Inc. + +License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl.html. + +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/doc/man/usbguard-daemon.8.adoc new/usbguard-1.1.3/doc/man/usbguard-daemon.8.adoc --- old/usbguard-1.1.2/doc/man/usbguard-daemon.8.adoc 2022-09-02 17:52:26.094980351 +0200 +++ new/usbguard-1.1.3/doc/man/usbguard-daemon.8.adoc 2024-05-30 13:13:34.984556796 +0200 @@ -50,7 +50,7 @@ Drop capabilities to limit privileges of the process. *-W*:: - Use a seccomp whitelist to limit available syscalls to the process. + Use a seccomp allowlist to limit available syscalls to the process. *-h*:: Show the help/usage screen. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/doc/man/usbguard-daemon.conf.5.adoc new/usbguard-1.1.3/doc/man/usbguard-daemon.conf.5.adoc --- old/usbguard-1.1.2/doc/man/usbguard-daemon.conf.5.adoc 2022-09-02 17:52:26.094980351 +0200 +++ new/usbguard-1.1.3/doc/man/usbguard-daemon.conf.5.adoc 2024-05-30 13:13:34.984556796 +0200 @@ -27,7 +27,12 @@ behave like any other standard Linux daemon therefore it loads rule files in alpha-numeric order. File names inside `RuleFolder` directory should start with a two-digit number prefix indicating the position, in which the rules - are scanned by the daemon. + are scanned by the daemon. Using RuleFile and RuleFolder at the same time is + permitted. However, modification of the permanent policy is not possible if + one of the following conditions are met: + ** Neither RuleFile nor RuleFolder are specified. + ** RuleFile is not specified, RuleFolder is but it does not contain any files, + where we could save permanent rules. *ImplicitPolicyTarget*='target':: How to treat USB devices that don't match any rule in the policy. Target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/doc/man/usbguard-rules.conf.5.adoc new/usbguard-1.1.3/doc/man/usbguard-rules.conf.5.adoc --- old/usbguard-1.1.2/doc/man/usbguard-rules.conf.5.adoc 2022-09-02 17:52:26.094980351 +0200 +++ new/usbguard-1.1.3/doc/man/usbguard-rules.conf.5.adoc 2024-05-30 13:13:34.985556805 +0200 @@ -245,6 +245,9 @@ Partial rule is a rule without a rule target. Partial rules may by used by some commands of *usbguard* CLI tool. +=== Comments +In order to easily understand the meaning of each rule, comments can be used. +Everything after the "#" character is ignored by the rule parser. == Initial policy Using the *usbguard* CLI tool and its *generate-policy* subcommand, you can generate an initial policy for your system instead of writing one from scratch. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/scripts/bash_completion/usbguard new/usbguard-1.1.3/scripts/bash_completion/usbguard --- old/usbguard-1.1.2/scripts/bash_completion/usbguard 2022-09-02 17:52:26.095980338 +0200 +++ new/usbguard-1.1.3/scripts/bash_completion/usbguard 2024-05-30 13:13:34.986556814 +0200 @@ -251,7 +251,7 @@ # If there was no positional argument provided yet, complete commands if [[ $args -eq 1 ]]; then opts="get-parameter set-parameter list-devices allow-device block-device reject-device list-rules append-rule" - opts="${opts} remove-rule generate-policy watch read-descriptor add-user remove-user" + opts="${opts} remove-rule generate-policy watch read-descriptor add-user remove-user --version" else opts='-h --help' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/scripts/usbguard-zsh-completion new/usbguard-1.1.3/scripts/usbguard-zsh-completion --- old/usbguard-1.1.2/scripts/usbguard-zsh-completion 2022-09-02 17:52:26.095980338 +0200 +++ new/usbguard-1.1.3/scripts/usbguard-zsh-completion 2024-05-30 13:13:34.989556842 +0200 @@ -32,7 +32,7 @@ "generate-policy:Generate a rule set (policy) based on the connected USB devices." "watch:Watch for IPC interface events and print them to stdout." "read-descriptor:Read a USB descriptor from a file and print it in human-readable form." - "add-user:Add USBGuard IPC user/group (requires root privilges)" + "add-user:Add USBGuard IPC user/group (requires root privileges)" "remove-user:Remove USBGuard IPC user/group (requires root privileges)" ) _describe -t subcommands 'usbguard subcommands' _subcommands && ret=0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/src/CLI/usbguard-print-version.cpp new/usbguard-1.1.3/src/CLI/usbguard-print-version.cpp --- old/usbguard-1.1.2/src/CLI/usbguard-print-version.cpp 1970-01-01 01:00:00.000000000 +0100 +++ new/usbguard-1.1.3/src/CLI/usbguard-print-version.cpp 2024-05-30 13:13:34.992556869 +0200 @@ -0,0 +1,83 @@ +// +// Copyright (C) 2022 Red Hat, Inc. +// +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; either version 2 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. +// +// Authors: Attila Lakatos <[email protected]> +// +#ifdef HAVE_BUILD_CONFIG_H + #include <build-config.h> +#endif + +#include "usbguard.hpp" +#include "usbguard-print-version.hpp" + +#include "usbguard/IPCClient.hpp" + +#include <iostream> +#include <map> +#include <vector> + + +namespace usbguard +{ + static std::string toHumanReadable(const int enabled) + { + return enabled ? "enabled" : "disabled"; + } + + int usbguard_print_version(__attribute__((unused)) int argc, __attribute__((unused)) char* argv[]) + { + if (argc != 1) { + return EXIT_FAILURE; + } + + int audit = 0, libcapng = 0, seccomp = 0, systemd = 0, umockdev = 0; + std::string crypto; +#ifdef HAVE_LINUX_AUDIT + audit = 1; +#endif +#ifdef HAVE_LIBCAPNG + libcapng = 1; +#endif +#ifdef HAVE_SECCOMP + seccomp = 1; +#endif +#ifdef SYSTEMD_SUPPORT_ENABLED + systemd = 1; +#endif +#ifdef HAVE_UMOCKDEV + umockdev = 1; +#endif +#ifdef USBGUARD_USE_LIBGCRYPT + crypto = "libgcrypt"; +#elif USBGUARD_USE_LIBSODIUM + crypto = "libsodium"; +#elif USBGUARD_USE_OPENSSL + crypto = "openssl"; +#else + crypto = "unknown"; +#endif + std::cout << "usbguard " << PACKAGE_VERSION << " compiled with:" << std::endl; + std::cout << " Linux audit support: " << toHumanReadable(audit) << std::endl; + std::cout << " Libcapng support: " << toHumanReadable(libcapng) << std::endl; + std::cout << " Seccomp support: " << toHumanReadable(seccomp) << std::endl; + std::cout << " Systemd support: " << toHumanReadable(systemd) << std::endl; + std::cout << " Umockdev support: " << toHumanReadable(umockdev) << std::endl; + std::cout << " Crypto backend library: " << crypto << std::endl; + return EXIT_SUCCESS; + } +} /* namespace usbguard */ + +/* vim: set ts=2 sw=2 et */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/src/CLI/usbguard-print-version.hpp new/usbguard-1.1.3/src/CLI/usbguard-print-version.hpp --- old/usbguard-1.1.2/src/CLI/usbguard-print-version.hpp 1970-01-01 01:00:00.000000000 +0100 +++ new/usbguard-1.1.3/src/CLI/usbguard-print-version.hpp 2024-05-30 13:13:34.992556869 +0200 @@ -0,0 +1,29 @@ +// +// Copyright (C) 2022 Red Hat, Inc. +// +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; either version 2 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License +// along with this program. If not, see <http://www.gnu.org/licenses/>. +// +// Authors: Attila Lakatos <[email protected]> +// +#pragma once +#ifdef HAVE_BUILD_CONFIG_H + #include <build-config.h> +#endif + +namespace usbguard +{ + int usbguard_print_version(int argc, char** argv); +} /* namespace usbguard */ + +/* vim: set ts=2 sw=2 et */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/src/CLI/usbguard.cpp new/usbguard-1.1.3/src/CLI/usbguard.cpp --- old/usbguard-1.1.2/src/CLI/usbguard.cpp 2022-09-02 17:52:26.097980311 +0200 +++ new/usbguard-1.1.3/src/CLI/usbguard.cpp 2024-05-30 13:13:34.994556887 +0200 @@ -52,6 +52,7 @@ #include "usbguard-read-descriptor.hpp" #include "usbguard-add-user.hpp" #include "usbguard-remove-user.hpp" +#include "usbguard-print-version.hpp" namespace usbguard { @@ -71,7 +72,8 @@ { "watch", &usbguard_watch }, { "read-descriptor", &usbguard_read_descriptor }, { "add-user", &usbguard_add_user }, - { "remove-user", &usbguard_remove_user } + { "remove-user", &usbguard_remove_user }, + { "--version", &usbguard_print_version } }; static void showTopLevelHelp(std::ostream& stream = std::cout) @@ -98,7 +100,7 @@ stream << " read-descriptor Read a USB descriptor from a file and print it in human-readable form." << std::endl; stream << std::endl; - stream << " add-user <name> Add USBGuard IPC user/group (requires root privilges)" << std::endl; + stream << " add-user <name> Add USBGuard IPC user/group (requires root privileges)" << std::endl; stream << " remove-user <name> Remove USBGuard IPC user/group (requires root privileges)" << std::endl; stream << std::endl; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/src/DBus/DBusBridge.cpp new/usbguard-1.1.3/src/DBus/DBusBridge.cpp --- old/usbguard-1.1.2/src/DBus/DBusBridge.cpp 2022-09-02 17:52:26.098980298 +0200 +++ new/usbguard-1.1.3/src/DBus/DBusBridge.cpp 2024-05-30 13:13:34.995556896 +0200 @@ -517,7 +517,11 @@ polkit_details_insert (details, "polkit.message", "This USBGuard action needs authorization"); USBGUARD_LOG(Trace) << "Customized."; USBGUARD_LOG(Trace) << "Checking authorization of action \"" << action_id.str() << "\" with Polkit ..."; - const PolkitCheckAuthorizationFlags flags = POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION; + GDBusMessage* const message = g_dbus_method_invocation_get_message (invocation); + const PolkitCheckAuthorizationFlags flags = (g_dbus_message_get_flags (message) & + G_DBUS_MESSAGE_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION) + ? POLKIT_CHECK_AUTHORIZATION_FLAGS_ALLOW_USER_INTERACTION + : POLKIT_CHECK_AUTHORIZATION_FLAGS_NONE; PolkitAuthorizationResult* const result = polkit_authority_check_authorization_sync (authority, subject, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/src/Daemon/Daemon.cpp new/usbguard-1.1.3/src/Daemon/Daemon.cpp --- old/usbguard-1.1.2/src/Daemon/Daemon.cpp 2022-09-02 17:52:26.098980298 +0200 +++ new/usbguard-1.1.3/src/Daemon/Daemon.cpp 2024-05-30 13:13:34.996556905 +0200 @@ -39,6 +39,7 @@ #include <sys/time.h> #include <sys/types.h> #include <sys/poll.h> +#include <sys/wait.h> #include <unistd.h> #include <signal.h> #include <string.h> @@ -577,7 +578,7 @@ break; case SIGSYS: - USBGUARD_LOG(Error) << "Received SIGSYS: Seccomp whitelist violation!"; + USBGUARD_LOG(Error) << "Received SIGSYS: Seccomp allowlist violation!"; exit_loop = false; break; @@ -622,6 +623,7 @@ const int signum = sigtimedwait(&mask, &info, &timeout); if (signum == SIGUSR1 && info.si_signo == SIGUSR1 && info.si_pid == pid) { + waitpid(pid, nullptr, 0); USBGUARD_LOG(Trace) << "Finished daemonization"; exit(EXIT_SUCCESS); } @@ -756,7 +758,7 @@ /* TODO: reevaluate the firewall rules for all active devices */ const uint32_t id = _policy.appendRule(rule, parent_id); - if (_config.hasSettingValue("RuleFile") && permanent) { + if ((_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) && permanent) { _policy.save(); } @@ -769,7 +771,7 @@ USBGUARD_LOG(Trace) << "id=" << id; _policy.removeRule(id); - if (_config.hasSettingValue("RuleFile")) { + if (_config.hasSettingValue("RuleFile") || _config.hasSettingValue("RuleFolder")) { _policy.save(); } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/src/Daemon/RuleSetFactory.cpp new/usbguard-1.1.3/src/Daemon/RuleSetFactory.cpp --- old/usbguard-1.1.2/src/Daemon/RuleSetFactory.cpp 2022-09-02 17:52:26.099980284 +0200 +++ new/usbguard-1.1.3/src/Daemon/RuleSetFactory.cpp 2024-05-30 13:13:34.997556914 +0200 @@ -75,8 +75,24 @@ } } + /* + * This means one of the following: + * - Neither RuleFile nor RuleFolder are specified + * - RuleFile not specified, RuleFolder is but it does not contain any files, + * where we could save permanent rules + */ if (ruleSet.empty()) { - USBGUARD_LOG(Warning) << "RuleFile not set; Modification of the permanent policy won't be possible."; + std::string msg; + + if (ns.getRulesPath().empty() && ns.getRulesDirPath().empty()) { + msg = "Neither RuleFile nor RuleFolder are set."; + } + else { + msg = "RuleFile is not set, RuleFolder is but it does not contain any rule files."; + } + + USBGUARD_LOG(Warning) << "Modification of the permanent policy won't be possible." + << " Reason: " << msg; ruleSet = generateDefaultRuleSet(); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/src/Library/Base64.cpp new/usbguard-1.1.3/src/Library/Base64.cpp --- old/usbguard-1.1.2/src/Library/Base64.cpp 2022-09-02 17:52:26.099980284 +0200 +++ new/usbguard-1.1.3/src/Library/Base64.cpp 2024-05-30 13:13:34.998556923 +0200 @@ -22,7 +22,6 @@ #include "Base64.hpp" #include <stdexcept> -#include <cstdint> namespace usbguard { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/src/Library/Base64.hpp new/usbguard-1.1.3/src/Library/Base64.hpp --- old/usbguard-1.1.2/src/Library/Base64.hpp 2022-09-02 17:52:26.099980284 +0200 +++ new/usbguard-1.1.3/src/Library/Base64.hpp 2024-05-30 13:13:34.998556923 +0200 @@ -23,6 +23,7 @@ #endif #include <string> +#include <cstdint> #include <cstddef> namespace usbguard diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/src/Library/public/usbguard/RuleSet.cpp new/usbguard-1.1.3/src/Library/public/usbguard/RuleSet.cpp --- old/usbguard-1.1.2/src/Library/public/usbguard/RuleSet.cpp 2022-09-02 17:52:26.104980218 +0200 +++ new/usbguard-1.1.3/src/Library/public/usbguard/RuleSet.cpp 2024-06-06 15:09:28.441305458 +0200 @@ -223,7 +223,14 @@ uint32_t RuleSet::assignID() { - return _id_next++; + const auto next_id = _id_next + 1; + + if (next_id >= Rule::LastID) { + throw std::out_of_range("Rule ID too high"); + } + + _id_next = next_id; + return next_id - 1; } void RuleSet::setWritable() diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/src/Tests/LDAP/ldap.sh new/usbguard-1.1.3/src/Tests/LDAP/ldap.sh --- old/usbguard-1.1.2/src/Tests/LDAP/ldap.sh 2022-09-02 17:52:26.107980178 +0200 +++ new/usbguard-1.1.3/src/Tests/LDAP/ldap.sh 2024-05-30 13:13:35.010557032 +0200 @@ -13,12 +13,12 @@ #ping -q -c 1 $HOST 2>&1 >/dev/null if [ "$1" = "delete" ]; then - ldapdelete -h $HOST -D $USER -w $PASS -r $USBGUARD_BASE + ldapdelete -H "ldap://${HOST}/"; -D $USER -w $PASS -r $USBGUARD_BASE exit fi if [ "$1" = "setup" ]; then - ldapadd -v -h $HOST -D $USER -w $PASS <<EOF + ldapadd -v -H "ldap://${HOST}/"; -D $USER -w $PASS <<EOF #dn: dc=example,dc=com #objectclass: dcObject #objectclass: organization @@ -41,7 +41,7 @@ else exit fi - ldapadd -v -h $HOST -D $USER -w $PASS -f $POLICY + ldapadd -v -H "ldap://${HOST}/"; -D $USER -w $PASS -f $POLICY exit fi @@ -50,6 +50,6 @@ if [ "$2" ]; then FILTER=$2 fi - ldapsearch -h $HOST -D $USER -b $BASE -w $PASS $FILTER + ldapsearch -H "ldap://${HOST}/"; -D $USER -b $BASE -w $PASS $FILTER exit fi diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/usbguard-daemon.conf.in new/usbguard-1.1.3/usbguard-daemon.conf.in --- old/usbguard-1.1.2/usbguard-daemon.conf.in 2022-09-02 17:52:26.130979873 +0200 +++ new/usbguard-1.1.3/usbguard-daemon.conf.in 2024-06-06 15:09:28.441305458 +0200 @@ -24,7 +24,7 @@ # # RuleFolder=/path/to/rulesfolder/ # -#RuleFolder=%sysconfdir%/usbguard/rules.d/ +RuleFolder=%sysconfdir%/usbguard/rules.d/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/usbguard-1.1.2/usbguard.service.in new/usbguard-1.1.3/usbguard.service.in --- old/usbguard-1.1.2/usbguard.service.in 2022-09-02 17:52:26.130979873 +0200 +++ new/usbguard-1.1.3/usbguard.service.in 2024-05-30 13:13:35.027557186 +0200 @@ -4,6 +4,7 @@ Documentation=man:usbguard-daemon(8) [Service] +OOMScoreAdjust=-1000 AmbientCapabilities= CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE DevicePolicy=closed ++++++ usbguard-1.1.2.tar.gz.sum.asc -> usbguard-1.1.3.tar.gz.sum.asc ++++++ --- /work/SRC/openSUSE:Factory/usbguard/usbguard-1.1.2.tar.gz.sum.asc 2022-09-05 21:22:08.181154381 +0200 +++ /work/SRC/openSUSE:Factory/.usbguard.new.24587/usbguard-1.1.3.tar.gz.sum.asc 2024-06-07 15:04:30.582270969 +0200 @@ -1,15 +1,15 @@ -----BEGIN PGP SIGNED MESSAGE----- -Hash: SHA512 +Hash: SHA256 -dcf5c90f3f93030e04df1baeb8d388b678c40dd48b135ea12a7be7dee8944934 usbguard-1.1.2.tar.gz +707dad2938923202697f636c2b4e0be80f192242039a2af3fc7ac35d03f78551 usbguard-1.1.3.tar.gz -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEE42iwrWP0zIT/S4Xa9XeK14XjWB8FAmMSMD8ACgkQ9XeK14Xj -WB/TSQf+Jk+yjED9WxT58f2l7NKlkpVcFpzREimri0PhzW+oTNjyX+eSwcFst1yA -BVH9yxBp79ZX7JwM2MKTuaYZpwNLFTjSEzXJ+yLs5TqFXNMkM5ysKVr8pngv+cdH -SL/W0ibOV+cLSj2Jmv0ZD6FrSIulA2kWweZa/J+9y5cUyRpuZi/ir/uJ6Wzvdhfe -rsEvWFAN0D4q8sfG4+BfII74vqDojraG2gJLeERl4u8dDYXDway0sdAuWs9kWOfd -sEOmjpI8SVb68icJykYcU73CLsBvHEKzv+T5gd5RXVvNHVw5Jc+WrsnXvAiL+G4W -bQm5DoszYGF82ZN8OeXmt5JLMhRoIA== -=lpkl +iQEzBAEBCAAdFiEE42iwrWP0zIT/S4Xa9XeK14XjWB8FAmZhyycACgkQ9XeK14Xj +WB+5uQf/aJcNck4JNAWtoIwbxYvZO+eQdir+73SF611d7ixkc9woPnsnPzKXgmsl +JZi0+bzcoJl96Eu/C7hANaRFgamJhlxiV8VgtPiaMi9OIa+4SbqHoHaIjFKovM0G +5QmJGAuZ92nalgy0nSg0dHCK3skEfGzVdr6yxtC494Di8otiCvqrZh8iPFAQLLpW +n0qtM1drOo25S8jb232sVRc1kMfI7D88gtK/kFkSWALwJBB1W/YwqYVao0z2pifR +g9WyqWHJHOE/v2+myQcuW4drYJC9G2/N12AH8duPmnUPaLljk2S9K3131UYoP9wi +Xg8AhQlYXdVvvWI//TyXafgv8p97GQ== +=LYjm -----END PGP SIGNATURE-----
