diff --git a/0001-Fix-the-spec-file-to-use-run-instead-of-var-run.patch b/0001-Fix-the-spec-file-to-use-run-instead-of-var-run.patch new file mode 100644 index 0000000..c5e52dd --- /dev/null +++ b/0001-Fix-the-spec-file-to-use-run-instead-of-var-run.patch @@ -0,0 +1,54 @@ +From 76b68d4bb5b1fc75c3621f3761721380ef8c76a4 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Tue, 12 Mar 2019 11:08:38 -0400 +Subject: [PATCH 01/11] Fix the spec file to use /run instead of /var/run + +--- + fapolicyd.spec | 6 +++--- + src/database.c | 2 +- + src/fapolicyd-cli.c | 2 +- + src/fapolicyd.c | 2 +- + 4 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/database.c b/src/database.c +index 649f6fd..87ba376 100644 +--- a/src/database.c ++++ b/src/database.c +@@ -60,7 +60,7 @@ static int lib_symlink=0, lib64_symlink=0, bin_symlink=0, sbin_symlink=0; + // External variables + extern volatile atomic_bool stop; + +-static const char* fifo_path = "/var/run/fapolicyd/fapolicyd.fifo"; ++static const char* fifo_path = "/run/fapolicyd/fapolicyd.fifo"; + + + static pthread_t update_thread; +diff --git a/src/fapolicyd-cli.c b/src/fapolicyd-cli.c +index 17a9055..06e7464 100644 +--- a/src/fapolicyd-cli.c ++++ b/src/fapolicyd-cli.c +@@ -37,7 +37,7 @@ const char * usage = + "-u\t--update\t\tNotifies fapolicyd to perform update of database\n" + ; + +-const char * _pipe = "/var/run/fapolicyd/fapolicyd.fifo"; ++const char * _pipe = "/run/fapolicyd/fapolicyd.fifo"; + + int main(int argc, char const *argv[]) + { +diff --git a/src/fapolicyd.c b/src/fapolicyd.c +index dee339f..53d4273 100644 +--- a/src/fapolicyd.c ++++ b/src/fapolicyd.c +@@ -60,7 +60,7 @@ int debug = 0, permissive = 0; + volatile atomic_bool stop = 0; + + // Local variables +-static const char *pidfile = "/var/run/fapolicyd.pid"; ++static const char *pidfile = "/run/fapolicyd.pid"; + #define REPORT "/var/log/fapolicyd-access.log" + static struct daemon_conf config; + +-- +2.20.1 + 
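Review bot: The FIFO path is now a string literal kept in two places — `fifo_path` in src/database.c and `_pipe` in src/fapolicyd-cli.c — and this patch had to edit both in lockstep, so a single definition in a header shared by the daemon and the CLI (for example `#define FIFO_PATH "/run/fapolicyd/fapolicyd.fifo"`, a constructed name) would stop the two sides drifting apart. While that CLI line is being touched, `_pipe` is a file-scope identifier beginning with an underscore, which is reserved for the implementation in C; a plain name such as `fifo_path` avoids that. The patch's diffstat lists `fapolicyd.spec | 6 +++---` but no hunk for that file is present, so the stat does not describe what the patch actually applies; the same mismatch appears in 0003 (`fapolicyd.spec | 2 ++`). The pidfile change in src/fapolicyd.c is consistent with the `PIDFile=` change in 0002.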
diff --git a/0002-Fix-service-file-to-use-run-instead-of-var-run.patch b/0002-Fix-service-file-to-use-run-instead-of-var-run.patch new file mode 100644 index 0000000..66459be --- /dev/null +++ b/0002-Fix-service-file-to-use-run-instead-of-var-run.patch @@ -0,0 +1,25 @@ +From 557244e37f856a3d374ac6bc0d4d05fbbbcc2700 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Tue, 12 Mar 2019 11:10:29 -0400 +Subject: [PATCH 02/11] Fix service file to use /run instead of /var/run + +--- + init/fapolicyd.service | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/init/fapolicyd.service b/init/fapolicyd.service +index 169ce3c..461f0ba 100644 +--- a/init/fapolicyd.service ++++ b/init/fapolicyd.service +@@ -5,7 +5,7 @@ After=local-fs.target systemd-tmpfiles-setup.service + + [Service] + Type=forking +-PIDFile=/var/run/fapolicyd.pid ++PIDFile=/run/fapolicyd.pid + Restart=on-abnormal + ExecStart=/usr/sbin/fapolicyd + +-- +2.20.1 + diff --git a/0003-Install-a-usr-lib-tmpfiles.d-fapolicyd.conf-for-run-.patch b/0003-Install-a-usr-lib-tmpfiles.d-fapolicyd.conf-for-run-.patch new file mode 100644 index 0000000..8c50d18 --- /dev/null +++ b/0003-Install-a-usr-lib-tmpfiles.d-fapolicyd.conf-for-run-.patch @@ -0,0 +1,35 @@ +From b820c237a8fefdc159dcbad4198232156a5180d9 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Tue, 12 Mar 2019 11:58:33 -0400 +Subject: [PATCH 03/11] Install a /usr/lib/tmpfiles.d/fapolicyd.conf for + /run/fapolicyd + +--- + fapolicyd.spec | 2 ++ + init/Makefile.am | 3 +-- + init/fapolicyd-tmpfiles.conf | 1 + + 3 files changed, 4 insertions(+), 2 deletions(-) + create mode 100644 init/fapolicyd-tmpfiles.conf + +diff --git a/init/Makefile.am b/init/Makefile.am +index 29037c1..659142e 100644 +--- a/init/Makefile.am 
+++ b/init/Makefile.am +@@ -1,6 +1,5 @@ +-EXTRA_DIST = fapolicyd.rules fapolicyd.mounts fapolicyd.service fapolicyd.conf ++EXTRA_DIST = fapolicyd.rules fapolicyd.mounts fapolicyd.service fapolicyd.conf fapolicyd-tmpfiles.conf + fapolicyddir = $(sysconfdir)/fapolicyd + dist_fapolicyd_DATA = fapolicyd.rules fapolicyd.mounts fapolicyd.conf + systemdservicedir = $(systemdsystemunitdir) + dist_systemdservice_DATA = fapolicyd.service +- +diff --git a/init/fapolicyd-tmpfiles.conf b/init/fapolicyd-tmpfiles.conf +new file mode 100644 +index 0000000..24459d3 +--- /dev/null ++++ b/init/fapolicyd-tmpfiles.conf +@@ -0,0 +1 @@ ++d /run/fapolicyd 0770 root fapolicyd - +-- +2.20.1 + diff --git a/0004-remove-fifo-on-all-exit-paths-for-update-thread.patch b/0004-remove-fifo-on-all-exit-paths-for-update-thread.patch new file mode 100644 index 0000000..77c340e --- /dev/null +++ b/0004-remove-fifo-on-all-exit-paths-for-update-thread.patch 
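Review bot: `d /run/fapolicyd 0770 root fapolicyd -` makes the runtime directory group-writable, and write permission on a directory is what permits unlinking or replacing its entries, so any process in group fapolicyd could remove or swap the FIFO that the daemon itself later unlinks and reopens (0004 shows `unlink(fifo_path)` followed by `open(fifo_path, O_RDWR)`). If the group only needs to write into an already-existing FIFO, that requires write permission on the FIFO, not on the directory, so `0750` may be enough; if group write on the directory is genuinely required, the sticky bit (`1770`) restricts removal to an entry's owner. The call that creates the FIFO and its mode are not in these hunks, so confirm against that code before changing the line. The Makefile.am hunk only adds the file to `EXTRA_DIST`; installation into /usr/lib/tmpfiles.d presumably happens in the fapolicyd.spec change listed in the diffstat but not included in the patch.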
@@ -0,0 +1,62 @@ +From 8d2dc2210c866bcf21362bc7c5686a60ca6938b3 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Tue, 12 Mar 2019 12:29:08 -0400 +Subject: [PATCH 04/11] remove fifo on all exit paths for update thread + +--- + src/database.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/database.c b/src/database.c +index 87ba376..1b3dc1a 100644 +--- a/src/database.c ++++ b/src/database.c +@@ -743,6 +743,7 @@ static void *update_thread_main(void *arg) + + if ((pfd[0].fd = open(fifo_path, O_RDWR)) == -1) { + msg(LOG_ERR, "Failed to open a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE)); ++ unlink(fifo_path); + return NULL; + } + +@@ -759,8 +760,7 @@ static void *update_thread_main(void *arg) + continue; + } else { + msg(LOG_ERR, "Update poll error (%s)", strerror_r(errno, err_buff, BUFFER_SIZE)); +- close(pfd[0].fd); +- return NULL; ++ goto err_out; + } + } else if (rc == 0) { + msg(LOG_DEBUG, "Update poll timeout expired"); +@@ -772,7 +772,7 @@ static void *update_thread_main(void *arg) + + if (count == -1) { + msg(LOG_ERR, "Failed to read from a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE)); +- return NULL; ++ goto err_out; + } + + if (count == 0) { +@@ -796,6 +796,7 @@ static void *update_thread_main(void *arg) + + if ((rc = update_database(config))) { + msg(LOG_ERR, "Cannot update a database!"); ++ close(pfd[0].fd); + unlink(fifo_path); + exit(rc); + } else { +@@ -806,5 +807,10 @@ static void *update_thread_main(void *arg) + } + + } ++ ++err_out: ++ close(pfd[0].fd); ++ unlink(fifo_path); ++ + return NULL; + } +-- +2.20.1 + diff --git a/0005-Move-some-debug-messages-under-ifdef-DEBUG-24.patch b/0005-Move-some-debug-messages-under-ifdef-DEBUG-24.patch new file mode 100644 index 0000000..15b4a43 --- /dev/null +++ b/0005-Move-some-debug-messages-under-ifdef-DEBUG-24.patch 
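Review bot: The new `err_out:` label is also reached when the `while (!stop)` loop finishes normally, so its name suggests error-only cleanup while it is in fact the common shutdown path; a comment above it such as `/* Common exit: reached on stop as well as on poll/read errors */` would make that explicit. The `update_database` failure branch now repeats the same `close(pfd[0].fd); unlink(fifo_path);` pair before `exit(rc)`, and keeping the two copies in sync is easy to forget if another resource is added later, so a small static cleanup helper called from both places would be safer. Calling `exit()` from this worker thread while the main thread is still running predates this patch and is not introduced here, but it is worth keeping in mind when reviewing the cleanup order. The start of `update_thread_main` lies outside the hunk.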
@@ -0,0 +1,107 @@ +From 4aded37a3901a1f076f3b88834c3dfd994086e62 Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Wed, 13 Mar 2019 17:49:21 +0100 +Subject: [PATCH 05/11] Move some debug messages under #ifdef DEBUG (#24) + +--- + src/database.c | 25 ++++++++++++++++++------- + src/fapolicyd.c | 5 +++-- + 2 files changed, 21 insertions(+), 9 deletions(-) + +diff --git a/src/database.c b/src/database.c +index 1b3dc1a..2a0c029 100644 +--- a/src/database.c ++++ b/src/database.c +@@ -732,7 +732,9 @@ static void *update_thread_main(void *arg) + + struct daemon_conf *config = (struct daemon_conf *)arg; + +- msg(LOG_INFO, "Update thread main started"); ++#ifdef DEBUG ++ msg(LOG_DEBUG, "Update thread main started"); ++#endif + + /* Make sure that there is no such file/fifo */ + unlink(fifo_path); +@@ -752,18 +754,25 @@ static void *update_thread_main(void *arg) + while (!stop) { + + rc = poll(pfd, 1, 1000); +- msg(LOG_DEBUG, "Update poll interupted"); ++ ++#ifdef DEBUG ++ msg(LOG_DEBUG, "Update poll interrupted"); ++#endif + + if (rc < 0) { + if (errno == EINTR) { ++#ifdef DEBUG + msg(LOG_DEBUG, "update poll rc = EINTR"); ++#endif + continue; + } else { + msg(LOG_ERR, "Update poll error (%s)", strerror_r(errno, err_buff, BUFFER_SIZE)); + goto err_out; + } + } else if (rc == 0) { ++#ifdef DEBUG + msg(LOG_DEBUG, "Update poll timeout expired"); ++#endif + continue; + } else { + if (pfd[0].revents & POLLIN) { +@@ -776,12 +785,14 @@ static void *update_thread_main(void *arg) + } + + if (count == 0) { +- msg(LOG_DEBUG, "Buffer contains zero bytes!"); ++#ifdef DEBUG ++ msg(LOG_DEBUG, "Buffer contains zero bytes!"); ++#endif + continue; + } +- ++#ifdef DEBUG + msg(LOG_DEBUG, "Buffer contains: \"%s\"", buff); +- ++#endif + int check = 1; + for (int i = 0 ; i < count ; i++) { + if (buff[i] != '1' && buff[i] != '\n' && buff[i] != '\0') { +@@ -792,7 +803,7 @@ static void *update_thread_main(void *arg) + } + + if (check) { +- msg(LOG_DEBUG, "It looks like there was an update of the 
system... Syncing DB."); ++ msg(LOG_INFO, "It looks like there was an update of the system... Syncing DB."); + + if ((rc = update_database(config))) { + msg(LOG_ERR, "Cannot update a database!"); +@@ -800,7 +811,7 @@ static void *update_thread_main(void *arg) + unlink(fifo_path); + exit(rc); + } else { +- msg(LOG_DEBUG, "Updated"); ++ msg(LOG_INFO, "Updated"); + } + } + } +diff --git a/src/fapolicyd.c b/src/fapolicyd.c +index 53d4273..6e1e987 100644 +--- a/src/fapolicyd.c ++++ b/src/fapolicyd.c +@@ -389,8 +389,9 @@ int main(int argc, char *argv[]) + while (!stop) { + rc = poll(pfd, 1, -1); + +- msg(LOG_DEBUG, "Main poll interupted"); +- ++#ifdef DEBUG ++ msg(LOG_DEBUG, "Main poll interrupted"); ++#endif + if (rc < 0) { + if (errno == EINTR) + continue; +-- +2.20.1 + diff --git a/0006-Get-rid-of-trailing-whitespaces-25.patch b/0006-Get-rid-of-trailing-whitespaces-25.patch new file mode 100644 index 0000000..af5fe71 --- /dev/null +++ b/0006-Get-rid-of-trailing-whitespaces-25.patch 
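Review bot: The now-guarded `msg(LOG_DEBUG, "Buffer contains: \"%s\"", buff);` prints `buff` as a C string, yet the validation loop directly below trusts only `count` bytes, which suggests the data read from the FIFO is not necessarily NUL-terminated (the read call is outside the hunk, so confirm); if it is not, a DEBUG build could log bytes past what was received. Bounding the print to the received length avoids that: `msg(LOG_DEBUG, "Buffer contains: \"%.*s\"", (int)count, buff);`. Since the FIFO is written by a separate client (fapolicyd-cli), keeping the raw-buffer dump under `#ifdef DEBUG` rather than promoting it to INFO like the neighbouring messages is the right call. The enclosing `update_thread_main` and `main` bodies both extend outside their hunks.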
@@ -0,0 +1,1247 @@ +From c8fd541877daa54d1afd6921b454f3ff08628a20 Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Wed, 13 Mar 2019 18:28:09 +0100 +Subject: [PATCH 06/11] Get rid of trailing whitespaces (#25) + +--- + fapolicyd.spec | 3 +-- + src/daemon-config.c | 31 +++++++++++++------------ + src/daemon-config.h | 4 ++-- + src/database.c | 4 ++-- + src/database.h | 2 +- + src/event.c | 11 +++++---- + src/event.h | 2 +- + src/fapolicyd.c | 15 ++++++------- + src/file.c | 27 +++++++++++----------- + src/file.h | 2 +- + src/lru.c | 55 ++++++++++++++++++++++----------------------- + src/lru.h | 2 +- + src/message.c | 5 ++--- + src/message.h | 3 +-- + src/mounts.c | 9 ++++---- + src/mounts.h | 2 +- + src/notify.c | 7 +++--- + src/notify.h | 2 +- + src/nv.h | 2 +- + src/object-attr.c | 5 ++--- + src/object-attr.h | 2 +- + src/object.c | 5 ++--- + src/object.h | 3 +-- + src/policy.c | 5 ++--- + src/policy.h | 2 +- + src/process.c | 5 ++--- + src/process.h | 2 +- + src/queue.c | 6 ++--- + src/queue.h | 10 ++++----- + src/rules.c | 11 +++++---- + src/rules.h | 3 +-- + src/subject-attr.c | 5 ++--- + src/subject-attr.h | 5 ++--- + src/subject.c | 7 +++--- + src/temporary_db.h | 2 +- + 35 files changed, 123 insertions(+), 143 deletions(-) + +diff --git a/src/daemon-config.c b/src/daemon-config.c +index dc89739..ced3963 100644 +--- a/src/daemon-config.c ++++ b/src/daemon-config.c +@@ -16,11 +16,11 @@ + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software +- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb +- * ++ * + */ + + #include "config.h" +@@ -44,14 +44,14 @@ struct nv_pair + const char *value; + }; + +-struct kw_pair ++struct kw_pair + { + const char *name; + int (*parser)(struct nv_pair *, int, struct daemon_conf *); + }; + + struct nv_list +-{ 
++{ + const char *name; + int option; + }; +@@ -60,7 +60,7 @@ static char *get_line(FILE *f, char *buf, unsigned size, int *lineno, + const char *file); + static int nv_split(char *buf, struct nv_pair *nv); + static const struct kw_pair *kw_lookup(const char *val); +-static int permissive_parser(struct nv_pair *nv, int line, ++static int permissive_parser(struct nv_pair *nv, int line, + struct daemon_conf *config); + static int nice_val_parser(struct nv_pair *nv, int line, + struct daemon_conf *config); +@@ -81,7 +81,7 @@ static int obj_cache_size_parser(struct nv_pair *nv, int line, + static int do_stat_report_parser(struct nv_pair *nv, int line, + struct daemon_conf *config); + +-static const struct kw_pair keywords[] = ++static const struct kw_pair keywords[] = + { + {"permissive", permissive_parser }, + {"nice_val", nice_val_parser }, +@@ -125,7 +125,7 @@ int load_daemon_config(struct daemon_conf *config) + fd = open(CONFIG_FILE, O_RDONLY|O_NOFOLLOW); + if (fd < 0) { + if (errno != ENOENT) { +- msg(LOG_ERR, "Error opening config file (%s)", ++ msg(LOG_ERR, "Error opening config file (%s)", + strerror(errno)); + return 1; + } +@@ -137,7 +137,7 @@ int load_daemon_config(struct daemon_conf *config) + /* Make into FILE struct and read line by line */ + f = fdopen(fd, "rm"); + if (f == NULL) { +- msg(LOG_ERR, "Error - fdopen failed (%s)", ++ msg(LOG_ERR, "Error - fdopen failed (%s)", + strerror(errno)); + close(fd); + return 1; +@@ -152,17 +152,17 @@ int load_daemon_config(struct daemon_conf *config) + case 0: // fine + break; + case 1: // not the right number of tokens. +- msg(LOG_ERR, +- "Wrong number of arguments for line %d in %s", ++ msg(LOG_ERR, ++ "Wrong number of arguments for line %d in %s", + lineno, CONFIG_FILE); + break; + case 2: // no '=' sign +- msg(LOG_ERR, +- "Missing equal sign for line %d in %s", ++ msg(LOG_ERR, ++ "Missing equal sign for line %d in %s", + lineno, CONFIG_FILE); + break; +- default: // something else went wrong... 
+- msg(LOG_ERR, "Unknown error for line %d in %s", ++ default: // something else went wrong... ++ msg(LOG_ERR, "Unknown error for line %d in %s", + lineno, CONFIG_FILE); + break; + } +@@ -310,7 +310,7 @@ static const struct kw_pair *kw_lookup(const char *val) + } + return &keywords[i]; + } +- ++ + void free_daemon_config(struct daemon_conf *config) + { + // free((void*)config->file); +@@ -482,4 +482,3 @@ static int do_stat_report_parser(struct nv_pair *nv, int line, + } + return rc; + } +- +diff --git a/src/daemon-config.h b/src/daemon-config.h +index 75839cd..481b6ce 100644 +--- a/src/daemon-config.h ++++ b/src/daemon-config.h +@@ -1,4 +1,4 @@ +-/* daemon-config.h -- ++/* daemon-config.h -- + * Copyright 2018 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * +@@ -18,7 +18,7 @@ + * + * Authors: + * Steve Grubb +- * ++ * + */ + + #ifndef DAEMON_CONFIG_H +diff --git a/src/database.c b/src/database.c +index 2a0c029..64a9fda 100644 +--- a/src/database.c ++++ b/src/database.c +@@ -360,7 +360,7 @@ static rpmts ts = NULL; + static rpmdbMatchIterator mi = NULL; + static int init_rpm(void) + { +- return rpmReadConfigFiles ((const char *)NULL, (const char *)NULL); ++ return rpmReadConfigFiles ((const char *)NULL, (const char *)NULL); + } + + static Header h = NULL; +@@ -642,7 +642,7 @@ int check_trust_database(const char *path) + // problem. These are sorted from most likely to least. + if (strncmp(path, "/usr/", 5) == 0) { + if ((lib64_symlink && +- strncmp(&path[5], "lib64/", 6) == 0) || ++ strncmp(&path[5], "lib64/", 6) == 0) || + (lib_symlink && + strncmp(&path[5], "lib/", 4) == 0) || + (bin_symlink && +diff --git a/src/database.h b/src/database.h +index 2048cf1..eca7b0d 100644 +--- a/src/database.h ++++ b/src/database.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. 
If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +diff --git a/src/event.c b/src/event.c +index abc0c38..0775b6e 100644 +--- a/src/event.c ++++ b/src/event.c +@@ -1,7 +1,7 @@ + /* + * event.c - Functions to access event attributes + * Copyright (c) 2016,2018 Red Hat Inc., Durham, North Carolina. +- * All Rights Reserved. ++ * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +@@ -135,7 +135,7 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e) + if (finfo == NULL) + return 1; + +- // Just using inodes don't give a good key. It needs ++ // Just using inodes don't give a good key. It needs + // conditioning to use more slots in the cache. 
+ unsigned long magic = finfo->inode + finfo->time.tv_nsec + finfo->size; + key = compute_object_key(obj_cache, magic); +@@ -289,7 +289,7 @@ object_attr_t *get_obj_attr(event_t *e, object_type_t t) + if (on) + obj.o = strdup(on->o); + else { +- ptr = get_file_from_fd(e->fd, e->pid, ++ ptr = get_file_from_fd(e->fd, e->pid, + sizeof(buf), buf); + if (ptr) + obj.o = strdup(buf); +@@ -302,7 +302,7 @@ object_attr_t *get_obj_attr(event_t *e, object_type_t t) + sizeof(buf), buf); + if (ptr) + obj.o = strdup(buf); +- else ++ else + obj.o = strdup("?"); + break; + case FTYPE: +@@ -428,4 +428,3 @@ void run_usage_report(struct daemon_conf *config, FILE *f) + print_queue_stats(f, subj_cache); + fprintf(f, "\n"); + } +- +diff --git a/src/event.h b/src/event.h +index 5fdf1ed..98a7a7c 100644 +--- a/src/event.h ++++ b/src/event.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +diff --git a/src/fapolicyd.c b/src/fapolicyd.c +index 6e1e987..ad9f2f2 100644 +--- a/src/fapolicyd.c ++++ b/src/fapolicyd.c +@@ -1,7 +1,7 @@ + /* + * fapolicyd.c - Main file for the program + * Copyright (c) 2016,2018 Red Hat Inc., Durham, North Carolina. +- * All Rights Reserved. ++ * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. 
+ * + * Authors: +@@ -32,7 +32,7 @@ + #include + #include + #include +-#include ++#include + #include + #include + #include +@@ -103,7 +103,7 @@ static void term_handler(int sig) + stop = 1 + sig; // Just so its used... + } + +-// This is a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=643031 ++// This is a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=643031 + #define UNUSED(x) (void)(x) + extern int rpmsqEnable (int signum, void *handler); + int rpmsqEnable (int signum, void *handler) +@@ -256,9 +256,9 @@ int main(int argc, char *argv[]) + if (isdigit(*argv[i])) { + errno = 0; + struct passwd *pw; +- ++ + config.uid = strtoul(argv[i], NULL, 10); +- ++ + if (errno) { + msg(LOG_ERR, + "Error converting user value"); +@@ -411,7 +411,7 @@ int main(int argc, char *argv[]) + // link against librpm. Turns out that librpm masks + // signals to prevent corrupted databases during an + // update. Since we only do read access, we can turn +- // them back on. ++ // them back on. + sigaction(SIGTERM, &sa, NULL); + sigaction(SIGINT, &sa, NULL); + } +@@ -444,4 +444,3 @@ int main(int argc, char *argv[]) + + return 0; + } +- +diff --git a/src/file.c b/src/file.c +index 4aed92b..39d3a58 100644 +--- a/src/file.c ++++ b/src/file.c +@@ -1,7 +1,7 @@ + /* + * file.c - functions for accessing attributes of files + * Copyright (c) 2016,2018 Red Hat Inc., Durham, North Carolina. +- * All Rights Reserved. ++ * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. 
+ * + * Authors: +@@ -66,7 +66,7 @@ void file_init(void) + MAGIC_NO_CHECK_ELF); + if (magic_cookie == NULL) { + msg(LOG_ERR, "Unable to init libmagic"); +- exit(1); ++ exit(1); + } + if (magic_load(magic_cookie, NULL) != 0) { + msg(LOG_ERR, "Unable to load magic database"); +@@ -192,7 +192,7 @@ char *get_file_from_fd(int fd, pid_t pid, size_t blen, char *buf) + char procfd_path[PATH_MAX+1]; + ssize_t path_len; + +- snprintf(procfd_path, sizeof(procfd_path)-1, ++ snprintf(procfd_path, sizeof(procfd_path)-1, + "/proc/self/fd/%d", fd); + path_len = readlink(procfd_path, buf, blen - 1); + if (path_len < 0) +@@ -262,7 +262,7 @@ char *get_file_type_from_fd(int fd, size_t blen, char *buf) + *str = 0; + } else + return NULL; +- ++ + lseek(fd, 0, SEEK_SET); + return buf; + } +@@ -312,7 +312,7 @@ char *get_hash_from_fd(int fd) + if (len != 4096) + break; + } +- ++ + // Ask for the grand total to be calculated + gcry_md_final(ctx); + +@@ -401,7 +401,7 @@ uint32_t gather_elf(int fd, off_t size) + if (e_ident[EI_CLASS] == ELFCLASS32) { + unsigned i; + Elf32_Phdr *ph_tbl = NULL; +- ++ + Elf32_Ehdr *hdr = read_header32(fd); + if (hdr == NULL) { + info |= HAS_ERROR; +@@ -410,7 +410,7 @@ uint32_t gather_elf(int fd, off_t size) + + // Look for program header information + // We want to do a basic size check to make sure +- unsigned long sz = ++ unsigned long sz = + (unsigned)hdr->e_phentsize * (unsigned)hdr->e_phnum; + if (sz > (unsigned long)size) { + info |= HAS_ERROR; +@@ -504,8 +504,8 @@ uint32_t gather_elf(int fd, off_t size) + break; + } + j++; +- } +- free(dyn_tbl); ++ } ++ free(dyn_tbl); + } + if (info & HAS_RPATH) + break; +@@ -522,7 +522,7 @@ done32: + } else if (e_ident[EI_CLASS] == ELFCLASS64) { + unsigned i; + Elf64_Phdr *ph_tbl; +- ++ + Elf64_Ehdr *hdr = read_header64(fd); + if (hdr == NULL) { + info |= HAS_ERROR; +@@ -531,7 +531,7 @@ done32: + + // Look for program header information + // We want to do a basic size check to make sure +- unsigned long sz = ++ unsigned 
long sz = + (unsigned)hdr->e_phentsize * (unsigned)hdr->e_phnum; + if (sz > (unsigned long)size) { + info |= HAS_ERROR; +@@ -622,7 +622,7 @@ done32: + } + j++; + } +- free(dyn_tbl); ++ free(dyn_tbl); + } + if (info & HAS_RPATH) + break; +@@ -640,4 +640,3 @@ done64: + lseek(fd, 0, SEEK_SET); + return info; + } +- +diff --git a/src/file.h b/src/file.h +index 1727dc4..e5666b4 100644 +--- a/src/file.h ++++ b/src/file.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +diff --git a/src/lru.c b/src/lru.c +index 777ac67..8c866a8 100644 +--- a/src/lru.c ++++ b/src/lru.c +@@ -1,7 +1,7 @@ + /* + * lru.c - LRU cache implementation + * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina. +- * All Rights Reserved. ++ * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. 
+ * + * Authors: +@@ -29,7 +29,7 @@ + #include "message.h" + + //#define DEBUG +- ++ + // Local declarations + static void dequeue(Queue *queue); + +@@ -41,13 +41,13 @@ static QNode *new_QNode(void) + return temp; + temp->item = NULL; + temp->uses = 1; // Setting to 1 because its being used +- ++ + // Initialize prev and next as NULL + temp->prev = temp->next = NULL; +- ++ + return temp; + } +- ++ + static Hash *create_hash(unsigned int hsize) + { + unsigned int i; +@@ -61,11 +61,11 @@ static Hash *create_hash(unsigned int hsize) + free(hash); + return NULL; + } +- ++ + // Initialize all hash entries as empty + for (i = 0; i < hsize; i++) + hash->array[i] = NULL; +- ++ + return hash; + } + +@@ -74,7 +74,7 @@ static void destroy_hash(Hash *hash) + free(hash->array); + free(hash); + } +- ++ + static void dump_queue_stats(const Queue *q) + { + msg(LOG_DEBUG, "%s cache size: %u", q->name, q->total); +@@ -89,19 +89,19 @@ static Queue *create_queue(unsigned int qsize, const char *name) + Queue *queue = malloc(sizeof(Queue)); + if (queue == NULL) + return queue; +- ++ + // The queue is empty + queue->count = 0; + queue->hits = 0; + queue->misses = 0; + queue->evictions = 0; + queue->front = queue->end = NULL; +- ++ + // Number of slots that can be stored in memory + queue->total = qsize; + + queue->name = name; +- ++ + return queue; + } + +@@ -114,12 +114,12 @@ static void destroy_queue(Queue *queue) + + free(queue); + } +- ++ + static unsigned int are_all_slots_full(const Queue *queue) + { + return queue->count == queue->total; + } +- ++ + static unsigned int queue_is_empty(const Queue *queue) + { + return queue->end == NULL; +@@ -228,7 +228,7 @@ out: + sanity_check_queue(queue, "2 remove_node"); + } + +-// Remove from the end of the queue ++// Remove from the end of the queue + static void dequeue(Queue *queue) + { + QNode *temp = queue->end; +@@ -238,14 +238,14 @@ static void dequeue(Queue *queue) + + remove_node(queue, queue->end); + +- queue->cleanup(temp->item); ++ 
queue->cleanup(temp->item); + free(temp->item); + free(temp); +- ++ + // decrement the total of full slots by 1 + queue->count--; + } +- ++ + // Remove front of the queue because its a mismatch + void lru_evict(Queue *queue, unsigned int key) + { +@@ -254,7 +254,7 @@ void lru_evict(Queue *queue, unsigned int key) + + if (queue_is_empty(queue)) + return; +- ++ + hash->array[key] = NULL; + remove_node(queue, queue->front); + +@@ -285,13 +285,13 @@ static void enqueue(Queue *queue, unsigned int key) + // And add the new node to the front of queue + temp = new_QNode(); + +- insert_beginning(queue, temp); ++ insert_beginning(queue, temp); + hash->array[key] = temp; +- ++ + // increment number of full slots + queue->count++; + } +- ++ + // This function is called needing an item from cache. + // There are two scenarios: + // 1. Item is not in cache, so add it to the front of the queue +@@ -307,19 +307,19 @@ QNode *check_lru_cache(Queue *queue, unsigned int key) + } + + reqPage = hash->array[key]; +- ++ + // item is not in cache, make new spot for it + if (reqPage == NULL) { + enqueue(queue, key); + queue->misses++; +- ++ + // item is there but not at front. Move it + } else if (reqPage != queue->front) { + remove_node(queue, reqPage); +- reqPage->next = NULL; +- reqPage->prev = NULL; ++ reqPage->next = NULL; ++ reqPage->prev = NULL; + insert_beginning(queue, reqPage); +- ++ + // Increment cached object metrics + queue->front->uses++; + queue->hits++; +@@ -366,4 +366,3 @@ unsigned long compute_object_key(const Queue *queue, unsigned long num) + else + return 0; + } +- +diff --git a/src/lru.h b/src/lru.h +index b202ca5..7dafe6e 100644 +--- a/src/lru.h ++++ b/src/lru.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. 
If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +diff --git a/src/message.c b/src/message.c +index b403a2f..6ae53cf 100644 +--- a/src/message.c ++++ b/src/message.c +@@ -1,7 +1,7 @@ + /* + * message.c - function to syslog or write to stderr + * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina. +- * All Rights Reserved. ++ * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +@@ -58,4 +58,3 @@ void msg(int priority, const char *fmt, ...) + } + va_end( ap ); + } +- +diff --git a/src/message.h b/src/message.h +index 738558b..c6e778b 100644 +--- a/src/message.h ++++ b/src/message.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +@@ -39,4 +39,3 @@ void msg(int priority, const char *fmt, ...) + #endif + + #endif +- +diff --git a/src/mounts.c b/src/mounts.c +index d3a3e21..f3cbecc 100644 +--- a/src/mounts.c ++++ b/src/mounts.c +@@ -1,7 +1,7 @@ + /* + * mounts.c - Minimal linked list set of mount points + * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina. +- * All Rights Reserved. ++ * All Rights Reserved. 
+ * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +@@ -142,7 +142,7 @@ int load_mounts(void) + if (stat(ptr, &sb) == -1) { + msg(LOG_INFO, "Invalid entry \"%s\". " + "Failed to stat object, %s." +- " Skipping", ptr, ++ " Skipping", ptr, + strerror(errno)); + continue; /* Don't return to caller */ + } +@@ -164,7 +164,7 @@ int load_mounts(void) + fclose(f); + + /* Only return true if no mounts found in configuration file */ +- if (mounts.cnt == 0) { ++ if (mounts.cnt == 0) { + msg(LOG_INFO, "No mount points - exiting"); + return 1; + } +@@ -211,4 +211,3 @@ void clear_mounts(void) + l->cur = NULL; + l->cnt = 0; + } +- +diff --git a/src/mounts.h b/src/mounts.h +index 276ecf2..5bb3d37 100644 +--- a/src/mounts.h ++++ b/src/mounts.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +diff --git a/src/notify.c b/src/notify.c +index 5b2e546..6c93349 100644 +--- a/src/notify.c ++++ b/src/notify.c +@@ -1,7 +1,7 @@ + /* + * notify.c - functions handle recieving and enqueuing events + * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina. +- * All Rights Reserved. ++ * All Rights Reserved. 
+ * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +@@ -130,7 +130,7 @@ int init_fanotify(struct daemon_conf *conf) + retry_mark: + if (fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_MOUNT, + mask, -1, path) == -1) { +- /* ++ /* + * The FAN_OPEN_EXEC_PERM mask is not supported by + * all kernel releases prior to 5.0. Retry setting + * up the mark using only the legacy FAN_OPEN_PERM +@@ -366,4 +366,3 @@ void handle_events(void) + metadata = FAN_EVENT_NEXT(metadata, len); + } + } +- +diff --git a/src/notify.h b/src/notify.h +index 59f1fef..3d1e90e 100644 +--- a/src/notify.h ++++ b/src/notify.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +diff --git a/src/nv.h b/src/nv.h +index 2ac68dd..f3f9aad 100644 +--- a/src/nv.h ++++ b/src/nv.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. 
+ * + * Authors: +diff --git a/src/object-attr.c b/src/object-attr.c +index d463f22..3ee93e8 100644 +--- a/src/object-attr.c ++++ b/src/object-attr.c +@@ -1,7 +1,7 @@ + /* + * object-attr.c - abstract object attribute access + * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina. +- * All Rights Reserved. ++ * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +@@ -57,4 +57,3 @@ const char *obj_val_to_name(unsigned int v) + + return NULL; + } +- +diff --git a/src/object-attr.h b/src/object-attr.h +index aeca9e4..8849d81 100644 +--- a/src/object-attr.h ++++ b/src/object-attr.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +diff --git a/src/object.c b/src/object.c +index c99f562..698b678 100644 +--- a/src/object.c ++++ b/src/object.c +@@ -1,7 +1,7 @@ + /* + * object.c - Minimal linked list set of object attributes + * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina. +-* All Rights Reserved. ++* All Rights Reserved. 
+ * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +-* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +@@ -120,4 +120,3 @@ void object_clear(o_array *a) + free(a->obj); + a->cnt = 0; + } +- +diff --git a/src/object.h b/src/object.h +index f4ba4e7..ee7e432 100644 +--- a/src/object.h ++++ b/src/object.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +-* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +@@ -43,4 +43,3 @@ void object_clear(o_array *a); + static inline int type_is_obj(int type) {if (type >= OBJ_START) return 1; else return 0;} + + #endif +- +diff --git a/src/policy.c b/src/policy.c +index ef26157..4350064 100644 +--- a/src/policy.c ++++ b/src/policy.c +@@ -1,7 +1,7 @@ + /* + * policy.c - functions that encapsulate the notion of a policy + * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina. +- * All Rights Reserved. ++ * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. 
+ * + * Authors: +@@ -185,4 +185,3 @@ void destroy_config(void) + { + rules_clear(&rules); + } +- +diff --git a/src/policy.h b/src/policy.h +index 960e878..3a521bc 100644 +--- a/src/policy.h ++++ b/src/policy.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +diff --git a/src/process.c b/src/process.c +index 2b2f166..05c530f 100644 +--- a/src/process.c ++++ b/src/process.c +@@ -1,7 +1,7 @@ + /* + * process.c - functions to access attributes of processes + * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina. +- * All Rights Reserved. ++ * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +@@ -247,4 +247,3 @@ uid_t get_program_uid_from_pid(pid_t pid) + } + return uid; + } +- +diff --git a/src/process.h b/src/process.h +index 63fa51d..73edaa7 100644 +--- a/src/process.h ++++ b/src/process.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. 
+ * + * Authors: +diff --git a/src/queue.c b/src/queue.c +index f74332e..bcefd12 100644 +--- a/src/queue.c ++++ b/src/queue.c +@@ -1,4 +1,5 @@ +-/* queue.c - a simple queue implementation ++/* ++ * queue.c - a simple queue implementation + * Copyright 2016,2018 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * +@@ -14,7 +15,7 @@ + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +@@ -175,4 +176,3 @@ size_t q_queue_length(const struct queue *q) + { + return q->queue_length; + } +- +diff --git a/src/queue.h b/src/queue.h +index 10a7d06..44704f1 100644 +--- a/src/queue.h ++++ b/src/queue.h +@@ -1,4 +1,5 @@ +-/* queue.h -- a queue abstraction ++/* ++ * queue.h -- a queue abstraction + * Copyright 2016,2018 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * +@@ -14,7 +15,7 @@ + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +@@ -53,7 +54,7 @@ void q_report(FILE *f); + /* Add DATA to tail of Q. Return 0 on success, -1 on error and set errno. */ + int q_append(struct queue *q, const struct fanotify_event_metadata *data); + +-/* Peek at head of Q, storing it into BUF of SIZE. Return 1 if an entry ++/* Peek at head of Q, storing it into BUF of SIZE. Return 1 if an entry + * exists, 0 if queue is empty. On error, return -1 and set errno. 
*/ + int q_peek(const struct queue *q, struct fanotify_event_metadata *data); + +@@ -61,7 +62,6 @@ int q_peek(const struct queue *q, struct fanotify_event_metadata *data); + int q_drop_head(struct queue *q); + + /* Return the number of entries in Q. */ +-size_t q_queue_length(const struct queue *q); ++size_t q_queue_length(const struct queue *q); + + #endif +- +diff --git a/src/rules.c b/src/rules.c +index ca98550..3c3b294 100644 +--- a/src/rules.c ++++ b/src/rules.c +@@ -1,7 +1,7 @@ + /* + * rules.c - Minimal linked list set of rules + * Copyright (c) 2016,2018 Red Hat Inc., Durham, North Carolina. +-* All Rights Reserved. ++* All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +@@ -64,7 +64,7 @@ void rules_first(llist *l) + void rules_last(llist *l) + { + register lnode* window; +- ++ + if (l->head == NULL) + return; + +@@ -336,7 +336,7 @@ static int nv_split(char *buf, lnode *n, int lineno) + msg(LOG_ERR, "Object is missing in line %d", lineno); + return 6; + } +- return 0; ++ return 0; + } + + // Returns 0 if success and 1 on rule failure. 
+@@ -524,7 +524,7 @@ msg(LOG_DEBUG, "path2: %s", pinfo->path2); + || (pinfo->elf_info & HAS_RPATH)) + // ld.so normally checks cache first + pinfo->state = STATE_NORMAL; +- else ++ else + // but preload does the preload + pinfo->state = STATE_LD_PRELOAD; + } else +@@ -714,4 +714,3 @@ void rules_clear(llist *l) + l->cur = NULL; + l->cnt = 0; + } +- +diff --git a/src/rules.h b/src/rules.h +index 6c25335..bf8044e 100644 +--- a/src/rules.h ++++ b/src/rules.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +-* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +@@ -63,4 +63,3 @@ void rules_unsupport_audit(llist *l); + void rules_clear(llist* l); + + #endif +- +diff --git a/src/subject-attr.c b/src/subject-attr.c +index b9ce55e..0efc4a4 100644 +--- a/src/subject-attr.c ++++ b/src/subject-attr.c +@@ -1,7 +1,7 @@ + /* + * rules.c - functions to abstract subject attributes + * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina. +- * All Rights Reserved. ++ * All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. 
+ * + * Authors: +@@ -61,4 +61,3 @@ const char *subj_val_to_name(unsigned int v) + + return NULL; + } +- +diff --git a/src/subject-attr.h b/src/subject-attr.h +index 374016f..66828d1 100644 +--- a/src/subject-attr.h ++++ b/src/subject-attr.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +@@ -29,7 +29,7 @@ + #include "nv.h" + + // Top is numbers, bottom is strings +-typedef enum { ALL_SUBJ = SUBJ_START, AUID, UID, SESSIONID, PID, PATTERN, ++typedef enum { ALL_SUBJ = SUBJ_START, AUID, UID, SESSIONID, PID, PATTERN, + COMM, EXE, EXE_DIR, EXE_TYPE, EXE_DEVICE } subject_type_t; + + #define SUBJ_END EXE_DEVICE +@@ -46,4 +46,3 @@ int subj_name_to_val(const char *name); + const char *subj_val_to_name(unsigned int v); + + #endif +- +diff --git a/src/subject.c b/src/subject.c +index c4aa378..6bac2ac 100644 +--- a/src/subject.c ++++ b/src/subject.c +@@ -1,7 +1,7 @@ + /* + * subject.c - Minimal linked list set of subject attributes + * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina. +-* All Rights Reserved. ++* All Rights Reserved. + * + * This software may be freely redistributed and/or modified under the + * terms of the GNU General Public License as published by the Free +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +-* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. 
+ * + * Authors: +@@ -86,7 +86,7 @@ int subject_add(s_array *a, subject_attr_t *subj) + newnode->val = subj->val; + } else + return 1; +- } else ++ } else + return 1; + + a->subj[t - SUBJ_START] = newnode; +@@ -155,4 +155,3 @@ void subject_reset(s_array *a, subject_type_t t) + sanity_check_array(a, "subject_reset2"); + } + } +- +diff --git a/src/temporary_db.h b/src/temporary_db.h +index 23bc16d..41f87da 100644 +--- a/src/temporary_db.h ++++ b/src/temporary_db.h +@@ -15,7 +15,7 @@ + * + * You should have received a copy of the GNU General Public License + * along with this program; see the file COPYING. If not, write to the +- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor ++ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor + * Boston, MA 02110-1335, USA. + * + * Authors: +-- +2.20.1 + diff --git a/0007-Add-some-documentation-about-how-ELF-startup-works.patch b/0007-Add-some-documentation-about-how-ELF-startup-works.patch new file mode 100644 index 0000000..6f9bec4 --- /dev/null +++ b/0007-Add-some-documentation-about-how-ELF-startup-works.patch 
@@ -0,0 +1,84 @@ +From b430ebc0cec78e01ea1ab139001020335314283f Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Wed, 13 Mar 2019 15:55:10 -0400 +Subject: [PATCH 07/11] Add some documentation about how ELF startup works. + +--- + src/rules.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 61 insertions(+) + +diff --git a/src/rules.c b/src/rules.c +index 3c3b294..66c1df7 100644 +--- a/src/rules.c ++++ b/src/rules.c +@@ -449,6 +449,67 @@ static int subj_dir_test(subject_attr_t *s, subject_attr_t *subj) + return 1; + } + ++/* ++ * Notes about elf program startup ++ * =============================== ++ * The run time linker will do the folowing: ++ * 1) kernel loads executable ++ * 2) kernel attaches ld-2.2x.so to executable memory and turns over execution ++ * 3) rtl loads LD_AUDIT libs ++ * 4) rtl loads LD_PRELOAD libs ++ * 5) rtl next loads /etc/ld.so.preload libs ++ * ++ * Then for each dependency: ++ * Call into LD_AUDIT la_objsearch() to modify path/name and try ++ * 1) RPATH in object ++ * 2) RPATH in executable ++ * 3) LD_LIBRARY_PATH: for each path, iterate permutations of ++ * tls, x86_64, haswell, & plain path ++ * 4) RUNPATH in object ++ * 5) Try the name as found in the object ++ * 6) Consult /etc/ld.so.cache ++ * 7) Try default path (can't find where string table is) ++ * ++ * LD_AUDIT modules can add arbitrary early file system actions because ++ * the may also call open. They can also trigger loading another copy of ++ * libc.so.6. 
++ * ++ * Patterns ++ * ======== ++ * Normal: ++ * exe=/usr/bin/bash file=/usr/bin/ls ++ * exe=/usr/bin/bash file=/usr/lib64/ld-2.27.so ++ * exe=/usr/bin/ls file=/etc/ld.so.cache ++ * exe=/usr/bin/ls file=/usr/lib64/libselinux.so.1 ++ * ++ * runtime linker started: ++ * exe=/usr/bin/bash file=/usr/lib64/ld-2.27.so ++ * exe=/usr/bin/bash file=/usr/bin/ls ++ * exe=/usr/lib64/ld-2.27.so file=/etc/ld.so.cache ++ * exe=/usr/lib64/ld-2.27.so file=/usr/lib64/libselinux.so.1 ++ * ++ * LD_PRELOAD=libaudit no LD_LIBRARY_PATH: ++ * exe=/usr/bin/bash file=/usr/bin/ls ++ * exe=/usr/bin/bash file=/usr/lib64/ld-2.27.so ++ * exe=/usr/bin/ls file=/usr/lib64/libaudit.so.1.0.0 ++ * exe=/usr/bin/ls file=/etc/ld.so.cache ++ * exe=/usr/bin/ls file=/usr/lib64/libselinux.so.1 ++ * ++ * LD_PRELOAD=libaudit with LD_LIBRARY_PATH: ++ * exe=/usr/bin/bash file=/usr/bin/ls ++ * exe=/usr/bin/bash file=/usr/lib64/ld-2.28.so ++ * exe=/usr/bin/ls file=/usr/lib64/libaudit.so.1.0.0 ++ * exe=/usr/bin/ls file=/usr/lib64/libselinux.so.1 ++ * ++ * /etc/ld.so.preload: ++ * exe=/usr/bin/bash file=/usr/bin/ls ++ * exe=/usr/bin/bash file=/usr/lib64/ld-2.27.so ++ * exe=/usr/bin/ls file=/etc/ld.so.preload ++ * exe=/usr/bin/ls file=/usr/lib64/libaudit.so.1.0.0 ++ * ++ * This means only first two can be counted on. Looking for ld.so.cache ++ * is no good because its almost the last option. ++ */ + + //#define NEW_WAY 1 + +-- +2.20.1 + diff --git a/0008-Change-fifo-mode-to-0660-26.patch b/0008-Change-fifo-mode-to-0660-26.patch new file mode 100644 index 0000000..f3d3b2d --- /dev/null +++ b/0008-Change-fifo-mode-to-0660-26.patch 
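Review bot: The added comment block in rules.c carries three typos worth fixing before the patch lands: `The run time linker will do the folowing:` should read `following`, `the may also call open` should read `they may also call open`, and `is no good because its almost the last option` should read `it's almost`. The block is free-standing documentation placed between `subj_dir_test` and the `NEW_WAY` define, so nothing else in the hunk is affected by the wording.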
@@ -0,0 +1,77 @@ +From 36ad6b8dd2a8effba70fccbaf1d580a75a167e6d Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Wed, 13 Mar 2019 20:57:37 +0100 +Subject: [PATCH 08/11] Change fifo mode to 0660 (#26) + +- fapolicyd-cli requires fapolicyd.fifo to have 0660 permissions +--- + src/database.c | 9 +++++++-- + src/fapolicyd-cli.c | 32 ++++++++++++++++++++++++++++++++ + 2 files changed, 39 insertions(+), 2 deletions(-) + +diff --git a/src/database.c b/src/database.c +index 64a9fda..52deda4 100644 +--- a/src/database.c ++++ b/src/database.c +@@ -738,8 +738,13 @@ static void *update_thread_main(void *arg) + + /* Make sure that there is no such file/fifo */ + unlink(fifo_path); +- if ((rc = mkfifo(fifo_path, 0600)) != 0) { +- msg(LOG_ERR, "Failed to create a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE)); ++ ++ mode_t old_mask = umask(0); ++ rc = mkfifo(fifo_path, 0660); ++ (void) umask(old_mask); ++ ++ if (rc != 0) { ++ msg(LOG_ERR, "Failed to create a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE)); + return NULL; + } + +diff --git a/src/fapolicyd-cli.c b/src/fapolicyd-cli.c +index 06e7464..529b63b 100644 +--- a/src/fapolicyd-cli.c ++++ b/src/fapolicyd-cli.c +@@ -76,6 +76,38 @@ int main(int argc, char const *argv[]) + close(fd); + return 1; + } ++ // we will require pipe to have 0660 permissions ++ if (!( ++ (s.st_mode & S_IRUSR) && ++ (s.st_mode & S_IWUSR) && ++ !(s.st_mode & S_IXUSR) && ++ ++ (s.st_mode & S_IRGRP) && ++ (s.st_mode & S_IWGRP) && ++ !(s.st_mode & S_IXGRP) && ++ ++ !(s.st_mode & S_IROTH) && ++ !(s.st_mode & S_IWOTH) && ++ !(s.st_mode & S_IXOTH) ++ )) { ++ fprintf(stderr, "File: %s has 0%d%d%d instead of 0660 \n" ++ , _pipe ++ , ++ ((s.st_mode & S_IRUSR) ? 4 : 0) + ++ ((s.st_mode & S_IWUSR) ? 2 : 0) + ++ ((s.st_mode & S_IXUSR) ? 1 : 0) ++ , ++ ((s.st_mode & S_IRGRP) ? 4 : 0) + ++ ((s.st_mode & S_IWGRP) ? 2 : 0) + ++ ((s.st_mode & S_IXGRP) ? 1 : 0) ++ , ++ ((s.st_mode & S_IROTH) ? 
4 : 0) + ++ ((s.st_mode & S_IWOTH) ? 2 : 0) + ++ ((s.st_mode & S_IXOTH) ? 1 : 0) ++ ); ++ close(fd); ++ return 1; ++ } + } + + ssize_t ret = write(fd, "1", 2); +-- +2.20.1 + diff --git a/0009-Let-lmdb-create-writable-db-27.patch b/0009-Let-lmdb-create-writable-db-27.patch new file mode 100644 index 0000000..84b2deb --- /dev/null +++ b/0009-Let-lmdb-create-writable-db-27.patch @@ -0,0 +1,28 @@ +From d6797522257d5a295f47f6b1d0f4e9334d31fdb7 Mon Sep 17 00:00:00 2001 +From: Radovan Sroka +Date: Wed, 13 Mar 2019 20:59:08 +0100 +Subject: [PATCH 09/11] Let lmdb create writable db (#27) + +--- + src/database.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/database.c b/src/database.c +index 52deda4..70c0611 100644 +--- a/src/database.c ++++ b/src/database.c +@@ -100,7 +100,10 @@ static int init_db(struct daemon_conf *config) + if (mdb_env_set_maxreaders(env, 4)) + return 4; + +- if (mdb_env_open(env, data_dir, MDB_MAPASYNC|MDB_NOSYNC , 0664)) ++ mode_t old_mode = umask(0); ++ int rc = mdb_env_open(env, data_dir, MDB_MAPASYNC|MDB_NOSYNC , 0664); ++ (void) umask(old_mode); ++ if (rc) + return 5; + + lib_symlink = is_link("/lib"); +-- +2.20.1 + diff --git a/0010-Add-a-note-to-rules-file-how-to-handle-systems-with-.patch b/0010-Add-a-note-to-rules-file-how-to-handle-systems-with-.patch new file mode 100644 index 0000000..164cbea --- /dev/null +++ b/0010-Add-a-note-to-rules-file-how-to-handle-systems-with-.patch 
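Review bot: `umask(0)` around `mkfifo(fifo_path, 0660)` in update_thread_main changes process-wide state from a worker thread, so any file another thread creates in that window is created without the usual mask; the same pattern recurs in 0009's `init_db` around `mdb_env_open`, where a comment such as `/* lmdb applies the process umask; clear it so the db files come out group-writable (0664) */` would at least record the intent. For the fifo the mask can stay untouched: keep `rc = mkfifo(fifo_path, 0660);` and set the mode on the descriptor the following `open(fifo_path, O_RDWR)` returns with `if (fchmod(pfd[0].fd, 0660) == -1)` handled like the other failures. In fapolicyd-cli.c the nine-term bit test and the hand-assembled octal digits reduce to `if ((s.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO)) != (S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)) {` and `fprintf(stderr, "File: %s has 0%03o instead of 0660\n", _pipe, (unsigned)(s.st_mode & 0777));`. Whether `s` was also checked with `S_ISFIFO` happens before this hunk and is not visible here; update_thread_main and main both begin outside the hunk.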
@@ -0,0 +1,27 @@ +From c7c5700d5afc0f828a0152ad3171a3b2c3655b2a Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Wed, 13 Mar 2019 16:15:11 -0400 +Subject: [PATCH 10/11] Add a note to rules file how to handle systems with + LD_LIBRARY_PATH + +--- + init/fapolicyd.rules | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/init/fapolicyd.rules b/init/fapolicyd.rules +index 57fff97..27a5d6d 100644 +--- a/init/fapolicyd.rules ++++ b/init/fapolicyd.rules +@@ -24,6 +24,9 @@ deny_audit exe_dir=execdirs exe=untrusted all + allow all dir=execdirs ftype=application/x-executable + deny_audit all ftype=application/x-executable + ++# If you have a LD_LIBRARY_PATH, you may need to allow those here ++# allow all dir=/usr/local/cuda/lib64 ftype=application/x-sharedlib ++ + # Only allow system ELF libs + allow all dir=execdirs ftype=application/x-sharedlib + deny_audit all ftype=application/x-sharedlib +-- +2.20.1 + diff --git a/0011-In-order-to-create-the-correct-permissions-on-the-fi.patch b/0011-In-order-to-create-the-correct-permissions-on-the-fi.patch new file mode 100644 index 0000000..dadf446 --- /dev/null +++ b/0011-In-order-to-create-the-correct-permissions-on-the-fi.patch 
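Review bot: The new example `# allow all dir=/usr/local/cuda/lib64 ftype=application/x-sharedlib` permits every shared object under that directory for every subject, so its safety rests entirely on the directory being root-owned and not writable by unprivileged users, which the comment does not mention. Suggest adding `# Only do this for root-owned directories that unprivileged users cannot write to` above the example. Whether the rule set is first-match is not visible here; if it is, the placement ahead of `deny_audit all ftype=application/x-sharedlib` is what makes the example effective and could be stated in the same comment.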
@@ -0,0 +1,176 @@ +From abb747485f436f8d16eb88745f6f02225ffb1201 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Wed, 13 Mar 2019 17:33:19 -0400 +Subject: [PATCH 11/11] In order to create the correct permissions on the fifo, + we need to do this while we are still root. Move the fifo construction to its + own function, then call it when we are about to change uid. Meanwhile, still + create it in the usual spot if we are staying root. + +One change added was renaming the variable from pfd to ffd. This was done +as a preventive measure to ensure no symbol collision with pfd in +fapolicyd.c +--- + src/database.c | 72 +++++++++++++++++++++++++++++++++---------------- + src/database.h | 1 + + src/fapolicyd.c | 2 ++ + 3 files changed, 52 insertions(+), 23 deletions(-) + +diff --git a/src/database.c b/src/database.c +index 70c0611..c360119 100644 +--- a/src/database.c ++++ b/src/database.c +@@ -56,6 +56,7 @@ static int dbi_init = 0; + const char *data_dir = "/var/lib/fapolicyd"; + const char *db = "trust.db"; + static int lib_symlink=0, lib64_symlink=0, bin_symlink=0, sbin_symlink=0; ++static struct pollfd ffd[1] = { {0, 0, 0} }; + + // External variables + extern volatile atomic_bool stop; +@@ -86,6 +87,45 @@ static int is_link(const char *path) + return 0; + } + ++int preconstruct_fifo(struct daemon_conf *config) ++{ ++ int rc; ++ char err_buff[BUFFER_SIZE]; ++ ++ /* Make sure that there is no such file/fifo */ ++ unlink(fifo_path); ++ ++ mode_t old_mask = umask(0); ++ rc = mkfifo(fifo_path, 0660); ++ (void) umask(old_mask); ++ ++ if (rc != 0) { ++ msg(LOG_ERR, "Failed to create a pipe %s (%s)", fifo_path, ++ strerror_r(errno, err_buff, BUFFER_SIZE)); ++ return 1; ++ } ++ ++ if ((ffd[0].fd = open(fifo_path, O_RDWR)) == -1) { ++ msg(LOG_ERR, "Failed to open a pipe %s (%s)", fifo_path, ++ strerror_r(errno, err_buff, BUFFER_SIZE)); ++ unlink(fifo_path); ++ return 1; ++ } ++ ++ if (config->gid != getgid()) { ++ if ((fchown(ffd[0].fd, 0, config->gid))) { ++ msg(LOG_ERR, 
"Failed to fix ownership of pipe %s (%s)", ++ fifo_path, strerror_r(errno, err_buff, ++ BUFFER_SIZE)); ++ unlink(fifo_path); ++ close(ffd[0].fd); ++ return 1; ++ } ++ } ++ ++ return 0; ++} ++ + static int init_db(struct daemon_conf *config) + { + if (mdb_env_create(&env)) +@@ -728,7 +768,6 @@ int update_database(struct daemon_conf *config) + static void *update_thread_main(void *arg) + { + int rc; +- struct pollfd pfd[1]; + char buff[BUFFER_SIZE]; + + char err_buff[BUFFER_SIZE]; +@@ -739,29 +778,16 @@ static void *update_thread_main(void *arg) + msg(LOG_DEBUG, "Update thread main started"); + #endif + +- /* Make sure that there is no such file/fifo */ +- unlink(fifo_path); +- +- mode_t old_mask = umask(0); +- rc = mkfifo(fifo_path, 0660); +- (void) umask(old_mask); +- +- if (rc != 0) { +- msg(LOG_ERR, "Failed to create a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE)); +- return NULL; +- } +- +- if ((pfd[0].fd = open(fifo_path, O_RDWR)) == -1) { +- msg(LOG_ERR, "Failed to open a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE)); +- unlink(fifo_path); +- return NULL; ++ if (ffd[0].fd == 0) { ++ if (preconstruct_fifo(config)) ++ return NULL; + } + +- pfd[0].events = POLLIN; ++ ffd[0].events = POLLIN; + + while (!stop) { + +- rc = poll(pfd, 1, 1000); ++ rc = poll(ffd, 1, 1000); + + #ifdef DEBUG + msg(LOG_DEBUG, "Update poll interrupted"); +@@ -783,9 +809,9 @@ static void *update_thread_main(void *arg) + #endif + continue; + } else { +- if (pfd[0].revents & POLLIN) { ++ if (ffd[0].revents & POLLIN) { + memset(buff, 0, BUFFER_SIZE); +- ssize_t count = read(pfd[0].fd, buff, BUFFER_SIZE); ++ ssize_t count = read(ffd[0].fd, buff, BUFFER_SIZE); + + if (count == -1) { + msg(LOG_ERR, "Failed to read from a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE)); +@@ -815,7 +841,7 @@ static void *update_thread_main(void *arg) + + if ((rc = update_database(config))) { + msg(LOG_ERR, "Cannot update a database!"); +- 
close(pfd[0].fd); ++ close(ffd[0].fd); + unlink(fifo_path); + exit(rc); + } else { +@@ -828,7 +854,7 @@ static void *update_thread_main(void *arg) + } + + err_out: +- close(pfd[0].fd); ++ close(ffd[0].fd); + unlink(fifo_path); + + return NULL; +diff --git a/src/database.h b/src/database.h +index eca7b0d..13881e9 100644 +--- a/src/database.h ++++ b/src/database.h +@@ -31,6 +31,7 @@ + void lock_update_thread(void); + void unlock_update_thread(void); + ++int preconstruct_fifo(struct daemon_conf *config); + int init_database(struct daemon_conf *config); + int update_database(struct daemon_conf *config); + int check_trust_database(const char *path); +diff --git a/src/fapolicyd.c b/src/fapolicyd.c +index ad9f2f2..f327386 100644 +--- a/src/fapolicyd.c ++++ b/src/fapolicyd.c +@@ -357,6 +357,8 @@ int main(int argc, char *argv[]) + + // If we are not going to be root, then setup necessary capabilities + if (config.uid != 0) { ++ if (preconstruct_fifo(&config)) ++ exit(1); + capng_clear(CAPNG_SELECT_BOTH); + capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, + CAP_DAC_OVERRIDE, CAP_SYS_ADMIN, CAP_SYS_PTRACE, +-- +2.20.1 + diff --git a/fapolicyd.spec b/fapolicyd.spec index bdd4c3b..de11dba 100644 --- a/fapolicyd.spec +++ b/fapolicyd.spec @@ -1,7 +1,7 @@ Summary: Application Whitelisting Daemon Name: fapolicyd Version: 0.8.8 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv3+ URL: http://people.redhat.com/sgrubb/fapolicyd Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz 
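Review bot: `if (ffd[0].fd == 0)` in update_thread_main uses 0 to mean "fifo not yet created", but 0 is a valid descriptor: if the daemon has closed stdin, `open(fifo_path, O_RDWR)` in preconstruct_fifo can legitimately return 0 and the thread would then unlink and rebuild the fifo over a live one. Initialize the sentinel outside the descriptor range with `static struct pollfd ffd[1] = { { -1, 0, 0 } };`, test `if (ffd[0].fd == -1) {`, and on the fchown failure path in preconstruct_fifo reset it after `close(ffd[0].fd);` with `ffd[0].fd = -1;` so a later call from the thread does not poll a closed descriptor. A short comment on the new static, `/* -1 until preconstruct_fifo() has run; called from main() while still root when dropping privileges */`, would record why the pollfd moved out of the thread. update_thread_main's body and main() in fapolicyd.c continue outside the hunk.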
@@ -15,6 +15,18 @@ Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units +Patch1: 0001-Fix-the-spec-file-to-use-run-instead-of-var-run.patch +Patch2: 0002-Fix-service-file-to-use-run-instead-of-var-run.patch +Patch3: 0003-Install-a-usr-lib-tmpfiles.d-fapolicyd.conf-for-run-.patch +Patch4: 0004-remove-fifo-on-all-exit-paths-for-update-thread.patch +Patch5: 0005-Move-some-debug-messages-under-ifdef-DEBUG-24.patch +Patch6: 0006-Get-rid-of-trailing-whitespaces-25.patch +Patch7: 0007-Add-some-documentation-about-how-ELF-startup-works.patch +Patch8: 0008-Change-fifo-mode-to-0660-26.patch +Patch9: 0009-Let-lmdb-create-writable-db-27.patch +Patch10: 0010-Add-a-note-to-rules-file-how-to-handle-systems-with-.patch +Patch11: 0011-In-order-to-create-the-correct-permissions-on-the-fi.patch + %description Fapolicyd (File Access Policy Daemon) implements application whitelisting to decide file access rights. Applications that are known via a reputation @@ -24,6 +36,18 @@ makes use of the kernel's fanotify interface to determine file access rights. %prep %setup -q +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 + %build ./autogen.sh %configure --with-audit 
@@ -33,11 +57,12 @@ make CFLAGS="%{optflags}" %{?_smp_mflags} make DESTDIR="%{buildroot}" INSTALL='install -p' install mkdir -p %{buildroot}/%{python3_sitelib}/dnf-plugins/ install -p -m 644 dnf/%{name}-dnf-plugin.py %{buildroot}/%{python3_sitelib}/dnf-plugins/ +install -p -m 644 -D init/%{name}-tmpfiles.conf %{buildroot}/%{_tmpfilesdir}/%{name}.conf mkdir -p %{buildroot}/%{_localstatedir}/lib/%{name} -mkdir -p %{buildroot}/%{_localstatedir}/run/%{name} +mkdir -p %{buildroot}/run/%{name} %pre -getent passwd %{name} >/dev/null || useradd -r -M -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} +getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{name} -s /sbin/nologin -c "Application Whitelisting Daemon" %{name} %post %systemd_post %{name}.service @@ -57,13 +82,14 @@ getent passwd %{name} >/dev/null || useradd -r -M -s /sbin/nologin -c "Applicati %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.mounts %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf %attr(644,root,root) %{_unitdir}/%{name}.service +%attr(644,root,root) %{_tmpfilesdir}/%{name}.conf %attr(755,root,root) %{_sbindir}/%{name} %attr(755,root,root) %{_sbindir}/%{name}-cli %attr(644,root,root) %{_mandir}/man8/* %attr(644,root,root) %{_mandir}/man5/* %ghost %{_localstatedir}/log/%{name}-access.log %attr(770,root,%{name}) %dir %{_localstatedir}/lib/%{name} -%attr(770,root,%{name}) %dir %{_localstatedir}/run/%{name} +%attr(770,root,%{name}) %dir /run/%{name} %ghost %{_localstatedir}/run/%{name}/%{name}.fifo %ghost %{_localstatedir}/lib/%{name}/data.mdb %ghost %{_localstatedir}/lib/%{name}/lock.mdb 
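Review bot: `%ghost %{_localstatedir}/run/%{name}/%{name}.fifo` in the %files hunk still names /var/run while the `%dir` line directly above it was changed to `/run/%{name}` and patches 0001–0003 create the fifo under `/run/fapolicyd`; it should read `%ghost /run/%{name}/%{name}.fifo` so the runtime file rpm tracks is the one the daemon actually creates. On hosts where /var/run is a symlink to /run the old path resolves on disk, but rpm records paths literally, so the two entries would disagree about where the fifo lives. The `mkdir -p %{buildroot}/run/%{name}` change in the preceding hunk is consistent with the new `%dir` entry.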
@@ -71,6 +97,9 @@ getent passwd %{name} >/dev/null || useradd -r -M -s /sbin/nologin -c "Applicati %{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc %changelog +* Wed Mar 13 2019 Radovan Sroka - 0.8.8-2 +- backport some patches to resolve dac_override for fapolicyd + * Mon Mar 11 2019 Radovan Sroka - 0.8.8-1 - New upstream release - Added new DNF plugin that can update the trust database when rpms are installed @@ -94,5 +123,3 @@ getent passwd %{name} >/dev/null || useradd -r -M -s /sbin/nologin -c "Applicati * Fri Feb 16 2018 Steve Grubb 0.8.5-1 - New release - -