Hello community,

here is the log from the commit of package usbguard for openSUSE:Factory checked in at 2018-10-11 11:55:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/usbguard (Old)
 and      /work/SRC/openSUSE:Factory/.usbguard.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "usbguard" Thu Oct 11 11:55:50 2018 rev:2 rq:640850 version:0.7.4 Changes: -------- --- /work/SRC/openSUSE:Factory/usbguard/usbguard.changes 2017-09-14 21:17:19.192805087 +0200 +++ /work/SRC/openSUSE:Factory/.usbguard.new/usbguard.changes 2018-10-11 11:55:58.177984041 +0200 
@@ -1,0 +2,63 @@ +Tue Oct 9 09:48:44 UTC 2018 - Robert Frohl <[email protected]> + +- changed zsh completion location +- added rpmlint for zero size rules.conf + +------------------------------------------------------------------- +Tue Oct 9 08:05:02 UTC 2018 - Robert Frohl <[email protected]> + +- added signature verification of tarball + - add usbguard-0.7.4.tar.gz.sig + - add usbguard.keyring + +------------------------------------------------------------------- +Mon Oct 8 14:19:55 UTC 2018 - Robert Frohl <[email protected]> + +- update to 0.7.4 + - Changed + Fixed conditional manual page generation & installation + +- update to 0.7.3 + - Changed + usbguard-daemon will now exit with an error if it fails to open a logging file or audit event file. + Modified the present device enumeration algorithm to be more reliable. Enumeration timeouts won't cause usbguard-daemon process to exit anymore. + + - Added + umockdev based device manager capable of simulating devices based on umockdev-record files. + +- update to 0.7.2 + - Changed + Fixed memory leaks in usbguard::Hash class. + Fixed file descriptor leaks in usbguard::SysFSDevice class. + Skip audit backend logging when no backend was set. + + - Added + Added zsh completion & other scripts to the distribution tarball. + +- update to 0.7.1 + - Added + CLI: usbguard watch command now includes an -e <path> option to run an executable for every received event. Event data are passed to the executable via environment variables. + usbguard-daemon: added "-K" option which can disable logging to console. + Added zsh autocompletion support. + usbguard-daemon: added "-f" option which enabled double-fork daemonization procedure. + Added AuditBackend usbguard-daemon configuration option for selecting audit log backend. + Linux Audit support via new LinuxAudit backend. + Added missing RuleCondition.hpp header file to the public API headers. 
+ + - Changed + Qt Applet: disabled session management + usbguard-daemon console logging output is enabled by default now. Previously, the -k option had to be passed to enable the output. + Replaced --enable-maintainer-mode configure option with --enable-full-test-suite option. When the new option is not used during the configure phase, only a basic set of test is run during the make check phase. + usbguard-daemon now opens configuration in read-only mode + Fixed UEventDeviceManager to work with Linux Kernel >= 4.13 + Refactored audit logging to support different audit log backends + Made the configuration parser strict. Unknown directives and wrong syntax will cause an error. + + +- Added usbguard-applet-qt package to allow easier user interaction +- Added usbguard-applet-qt_desktop_menu_categories.patch to fix category +- Updated usbguard-daemon.conf to upstream version +- Removed obsolte patch usbguard-fixes.patch + + +------------------------------------------------------------------- Old: ---- usbguard-0.6.2.tar.gz usbguard-fixes.patch New: ---- usbguard-0.7.4.tar.gz usbguard-0.7.4.tar.gz.sig usbguard-applet-qt_desktop_menu_categories.patch usbguard-rpmlintrc usbguard.keyring ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ usbguard.spec ++++++ --- /var/tmp/diff_new_pack.1rlCYV/_old 2018-10-11 11:55:59.025982963 +0200 +++ /var/tmp/diff_new_pack.1rlCYV/_new 2018-10-11 11:55:59.029982958 +0200 @@ -1,7 +1,7 @@ # # spec file for package usbguard # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # 
@@ -21,32 +21,45 @@ %define lname libusbguard0 Name: usbguard -Version: 0.6.2 +Version: 0.7.4 Release: 0 Summary: A tool for implementing USB device usage policy ## Not installed # src/ThirdParty/Catch: Boost Software License - Version 1.0 -License: GPL-2.0+ -Group: System Environment/Daemons -Url: https://dkopecek.github.io/usbguard -Source0: https://github.com/dkopecek/usbguard/archive/usbguard-%{version}.tar.gz -Source1: usbguard-daemon.conf -Source2: usbguard.service -Patch0: usbguard-fixes.patch +License: GPL-2.0-or-later +Group: System/Daemons +URL: https://usbguard.github.io +Source0: https://github.com/USBGuard/usbguard/releases/download/usbguard-%{version}/usbguard-%{version}.tar.gz +Source1: https://github.com/USBGuard/usbguard/releases/download/usbguard-%{version}/usbguard-%{version}.tar.gz.sig +Source2: usbguard.keyring +Source3: usbguard-daemon.conf +Source4: usbguard.service +Source5: usbguard-rpmlintrc +Patch0: usbguard-applet-qt_desktop_menu_categories.patch %{?systemd_requires} +BuildRequires: asciidoc +BuildRequires: aspell +BuildRequires: audit-devel +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: bash-completion-devel +BuildRequires: dbus-1-glib-devel BuildRequires: gcc-c++ -BuildRequires: autoconf automake libtool +BuildRequires: hicolor-icon-theme +BuildRequires: libQt5Widgets-devel BuildRequires: libcap-ng-devel -BuildRequires: pegtl-devel -BuildRequires: dbus-1-glib-devel -BuildRequires: libxml2-devel -BuildRequires: libxslt-devel -BuildRequires: polkit-devel BuildRequires: libqb-devel -BuildRequires: libudev-devel +BuildRequires: libqt5-linguist-devel +BuildRequires: libqt5-qtsvg-devel BuildRequires: libseccomp-devel BuildRequires: libsodium-devel +BuildRequires: libtool +BuildRequires: libudev-devel +BuildRequires: libxml2-devel +BuildRequires: libxslt-devel +BuildRequires: pegtl-devel +BuildRequires: polkit-devel #BuildRequires: spdlog-static BuildRequires: protobuf-devel 
@@ -57,7 +70,7 @@ %package -n %lname Summary: Library for implementing USB device usage policy -Group: System Environment/Daemons +Group: System/Daemons %description -n %lname The USBGuard software framework helps to protect your computer against rogue USB @@ -66,7 +79,7 @@ %package devel Summary: Development files for %{name} -Group: Development/Libraries +Group: Development/Libraries/C and C++ Requires: %lname = %{version} Requires: %{name} = %{version} Requires: libstdc++-devel @@ -78,18 +91,28 @@ %package tools Summary: USBGuard Tools -Group: Applications/System +Group: System/Management Requires: %{name} = %{version}-%{release} %description tools The %{name}-tools package contains optional tools from the USBGuard software framework. +%package applet-qt +Summary: USBGuard Qt 5.x Applet +Group: System/Management +Requires: %{name} = %{version}-%{release} +Obsoletes: usbguard-applet-qt <= 0.3 + +%description applet-qt +The %{name}-applet-qt package contains an optional Qt 5.x desktop applet +for interacting with the USBGuard daemon component. + %prep -%setup -q -n usbguard-usbguard-%version +%setup -q -n usbguard-%version %patch0 -p1 # Remove bundled library sources before build -#rm -rf src/ThirdParty/{json,spdlog} +#rm -rf src/ThirdParty/{Catch,PEGTL} %build mkdir -p ./m4 @@ -97,9 +120,10 @@ %configure \ --disable-silent-rules \ - --with-bundled-json \ - --with-bundled-spdlog \ --with-bundled-catch \ + --with-bundled-pegtl \ + --enable-systemd \ + --with-gui-qt=qt5 \ --without-dbus \ --disable-static 
@@ -116,14 +140,18 @@ # Install configuration mkdir -p %{buildroot}%{_sysconfdir}/usbguard -install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf +install -p -m 600 %{SOURCE3} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf # Install systemd unit mkdir -p %{buildroot}%{_unitdir} -install -p -m 644 %{SOURCE2} %{buildroot}%{_unitdir}/usbguard.service +install -p -m 644 %{SOURCE4} %{buildroot}%{_unitdir}/usbguard.service + +# zsh completion, currently needs manual intervention +mkdir -p %{buildroot}%{_datadir}/zsh/site-functions/ +install -p -m 644 scripts/usbguard-zsh-completion %{buildroot}%{_datadir}/zsh/site-functions/_usbguard # Cleanup -find %{buildroot} -name '*.la' -delete +find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' %preun %service_del_preun usbguard.service @@ -142,22 +170,23 @@ %files %defattr(-,root,root,-) -%doc README.md +%doc README.adoc CHANGELOG.md %license LICENSE %{_sbindir}/usbguard-daemon +%dir %{_localstatedir}/log/usbguard %dir %{_sysconfdir}/usbguard %{_sbindir}/rcusbguard -%config(noreplace) %{_sysconfdir}/usbguard/usbguard-daemon.conf +%dir %{_sysconfdir}/usbguard/IPCAccessControl.d +%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/usbguard-daemon.conf +%config(noreplace) %attr(0600,-,-) %{_sysconfdir}/usbguard/rules.conf %{_unitdir}/usbguard.service %{_datadir}/man/man8/usbguard-daemon.8.gz -%{_datadir}/man/man8/usbguard-dbus.8.gz %{_datadir}/man/man5/usbguard-daemon.conf.5.gz %{_datadir}/man/man5/usbguard-rules.conf.5.gz -#{_sbindir}/usbguard-dbus -#/usr/share/dbus-1/system-services/org.usbguard.service -#dir /usr/share/dbus-1/system.d -#/usr/share/dbus-1/system.d/org.usbguard.conf -#/usr/share/polkit-1/actions/org.usbguard.policy +%{_datadir}/bash-completion/completions/usbguard +%dir %{_datadir}/zsh +%dir %{_datadir}/zsh/site-functions +%{_datadir}/zsh/site-functions/_usbguard %files -n %lname %defattr(-,root,root,-) 
@@ -176,4 +205,14 @@ %{_bindir}/usbguard-rule-parser %{_datadir}/man/man1/usbguard.1.gz +%files applet-qt +%defattr(-,root,root,-) +%{_bindir}/usbguard-applet-qt +%{_mandir}/man1/usbguard-applet-qt.1.gz +%{_datadir}/applications/usbguard-applet-qt.desktop +%dir %{_datadir}/icons/hicolor +%dir %{_datadir}/icons/hicolor/scalable +%dir %{_datadir}/icons/hicolor/scalable/apps +%{_datadir}/icons/hicolor/scalable/apps/usbguard-icon.svg + %changelog ++++++ usbguard-0.6.2.tar.gz -> usbguard-0.7.4.tar.gz ++++++ ++++ 294726 lines of diff (skipped) ++++++ usbguard-applet-qt_desktop_menu_categories.patch ++++++ Index: usbguard-0.7.4/src/GUI.Qt/usbguard-applet-qt.desktop.in =================================================================== --- usbguard-0.7.4.orig/src/GUI.Qt/usbguard-applet-qt.desktop.in +++ usbguard-0.7.4/src/GUI.Qt/usbguard-applet-qt.desktop.in @@ -6,6 +6,6 @@ Comment=USBGuard Qt Applet TryExec=usbguard-applet-qt Exec=usbguard-applet-qt Icon=usbguard-icon -Categories=System; +Categories=System;Security; Keywords=USB;USBGuard;Applet;Qt; X-Desktop-File-Install-Version=@VERSION@ ++++++ usbguard-daemon.conf ++++++ --- /var/tmp/diff_new_pack.1rlCYV/_old 2018-10-11 11:55:59.397982490 +0200 +++ /var/tmp/diff_new_pack.1rlCYV/_new 2018-10-11 11:55:59.397982490 +0200 @@ -34,7 +34,7 @@ # * apply-policy - evaluate the ruleset for every present # device # -PresentDevicePolicy=keep +PresentDevicePolicy=apply-policy # # Present controller policy. 
@@ -49,7 +49,49 @@ # * apply-policy - evaluate the ruleset for every present # device # -PresentControllerPolicy=allow +PresentControllerPolicy=keep + +# +# Inserted device policy. +# +# How to treat USB devices that are already connected +# *after* the daemon starts. One of: +# +# * block - deauthorize every present device +# * reject - remove every present device +# * apply-policy - evaluate the ruleset for every present +# device +# +InsertedDevicePolicy=apply-policy + +# +# Restore controller device state. +# +# The USBGuard daemon modifies some attributes of controller +# devices like the default authorization state of new child device +# instances. Using this setting, you can controll whether the +# daemon will try to restore the attribute values to the state +# before modificaton on shutdown. +# +# SECURITY CONSIDERATIONS: If set to true, the USB authorization +# policy could be bypassed by performing some sort of attack on the +# daemon (via a local exploit or via a USB device) to make it shutdown +# and restore to the operating-system default state (known to be permissive). +# +RestoreControllerDeviceState=false + +# +# Device manager backend +# +# Which device manager backend implementation to use. One of: +# +# * uevent - Netlink based implementation which uses sysfs to scan for present +# devices and an uevent netlink socket for receiving USB device +# related events. +# * umockdev - umockdev based device manager capable of simulating devices based +# on umockdev-record files. Useful for testing. +# +DeviceManagerBackend=uevent #!!! WARNING: It's good practice to set at least one of the !!! #!!! two options bellow. If none of them are set, !!! @@ -65,6 +107,7 @@ # # IPCAllowedUsers=username1 username2 ... # +IPCAllowedUsers=root # # Groups allowed to use the IPC interface. 
@@ -74,4 +117,57 @@ # # IPCAllowedGroups=groupname1 groupname2 ... # -IPCAllowedGroups=wheel +IPCAllowedGroups= + +# +# IPC access control definition files path. +# +# The files at this location will be interpreted by the daemon +# as access control definition files. The (base)name of a file +# should be in the form: +# +# [user][:<group>] +# +# and should contain lines in the form: +# +# <section>=[privilege] ... +# +# This way each file defines who is able to connect to the IPC +# bus and what privileges he has. +# +IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/ + +# +# Generate device specific rules including the "via-port" +# attribute. +# +# This option modifies the behavior of the allowDevice +# action. When instructed to generate a permanent rule, +# the action can generate a port specific rule. Because +# some systems have unstable port numbering, the generated +# rule might not match the device after rebooting the system. +# +# If set to false, the generated rule will still contain +# the "parent-hash" attribute which also defines an association +# to the parent device. See usbguard-rules.conf(5) for more +# details. +# +DeviceRulesWithPort=false + +# +# USBGuard Audit events log backend +# +# One of: +# +# * FileAudit - Log audit events into a file specified by +# AuditFilePath setting (see below) +# * LinuxAudit - Log audit events using the Linux Audit +# subsystem (using audit_log_user_message) +# +AuditBackend=FileAudit + +# +# USBGuard audit events log file path. +# +AuditFilePath=/var/log/usbguard/usbguard-audit.log + ++++++ usbguard-rpmlintrc ++++++ # usbguard ships zero length rules.conf by default addFilter("zero-length /etc/usbguard/rules.conf")
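Review bot: in the usbguard.changes hunk, the bullet "Updated usbguard-daemon.conf to upstream version" hides default changes that alter enforcement and access: PresentDevicePolicy moves from keep to apply-policy, IPCAllowedGroups drops wheel, and the installed mode of the file goes from 644 to 600. List these as separate bullets so an administrator reading the changelog can see that behaviour changes. Since the file is packaged as %config(noreplace), also state that a locally edited usbguard-daemon.conf is kept and the new defaults arrive only as an .rpmnew file.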
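Review bot: in the usbguard.spec hunk at @@ -21,32 +21,45 @@, Source1 (the .tar.gz.sig) and Source2 (usbguard.keyring) are added, but nothing in the visible %prep section checks one against the other, so the "signature verification" named in the changelog depends on tooling outside the spec. Record in the changelog where the key in usbguard.keyring was obtained and its fingerprint, so that a later keyring replacement can be reviewed against it. In the same hunk, dbus-1-glib-devel and polkit-devel stay in BuildRequires although %configure still passes --without-dbus; drop them if nothing else needs them.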
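Review bot: in the usbguard.spec hunk at @@ -78,18 +91,28 @@, the new applet-qt subpackage carries "Obsoletes: usbguard-applet-qt <= 0.3", which names the subpackage itself. A newer package of the same name already replaces an older one on update, so this line is either redundant or meant for a differently named predecessor. Add a comment saying which earlier package it is meant to replace, or remove it.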
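Review bot: in the %configure hunk at @@ -97,9 +120,10 @@, --with-bundled-pegtl is added while pegtl-devel remains in BuildRequires and the %prep line "#rm -rf src/ThirdParty/{Catch,PEGTL}" stays commented out, so it is unclear which PEGTL copy is compiled in. Either build against the system pegtl-devel and delete the bundled directory in %prep, or drop the BuildRequires and extend the "## Not installed" licence comment, which currently lists only Catch, to cover the bundled PEGTL sources.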
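Review bot: in the %files hunk at @@ -142,22 +170,23 @@, "%dir %{_localstatedir}/log/usbguard" has no %attr and therefore takes the %defattr default, while both configuration files next to it are set to 0600. Give the audit log directory an explicit restrictive mode, for example %attr(0700,root,root). The visible %install hunk also does not create this directory, and the 0.7.3 changelog entry says usbguard-daemon exits with an error when it cannot open its audit event file, so confirm the directory exists in the buildroot before it is listed here.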
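Review bot: in the usbguard-daemon.conf hunk at @@ -34,7 +34,7 @@, PresentDevicePolicy=apply-policy is combined with a rules.conf that usbguard-rpmlintrc describes as zero length, so every device already attached when the daemon starts is decided by the implicit policy target, which is outside the visible hunks. If that target blocks, starting the service on a machine with a USB keyboard cuts off local input. Document in the package description or a README that an initial ruleset has to be written first, for example with "usbguard generate-policy > /etc/usbguard/rules.conf", before usbguard.service is enabled.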
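Review bot: in the usbguard-daemon.conf hunk at @@ -49,7 +49,49 @@, the comment above InsertedDevicePolicy was copied from the present-device block: it speaks of devices "already connected" and each option says "every present device", which contradicts the heading "Inserted device policy". Reword it to describe devices inserted after the daemon has started. The RestoreControllerDeviceState comment also contains the typos "controll" and "modificaton"; since the changelog says this file follows the upstream version, send both fixes upstream rather than carrying a local difference.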
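Review bot: in the IPC hunks at @@ -65,6 +107,7 @@ and @@ -74,4 +117,57 @@, IPCAllowedUsers=root together with an empty IPCAllowedGroups leaves root as the only identity allowed on the IPC interface, while the same commit adds the usbguard-applet-qt package, which is meant to run in a user's desktop session. The %files list creates IPCAccessControl.d but ships no file in it, so the applet cannot connect for an unprivileged user after a default install. Keep the restrictive default and document how an administrator grants a specific user access through a file in /etc/usbguard/IPCAccessControl.d/; the comment gives the file name form "[user][:<group>]" and the line form "<section>=[privilege] ..." but no example of valid section or privilege names, which the documentation should supply.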
