From c8075c471d47f9fba77b7be178dcd5528ea7f720 Mon Sep 17 00:00:00 2001
From: Radovan Sroka
Date: May 06 2019 10:27:39 +0000
Subject: New upstream release This release features: - systemd usage updates - file permission adjustments based on selinux policy review - unterminated reads of auid & sessionid values was fixed - ld_preload pattern is deprecated for now
---
diff --git a/.gitignore b/.gitignore
index 0cd01fe..a36b54f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 /fapolicyd-0.8.6.tar.gz
 /fapolicyd-0.8.7.tar.gz
 /fapolicyd-0.8.8.tar.gz
+/fapolicyd-0.8.9.tar.gz
diff --git a/0001-Fix-the-spec-file-to-use-run-instead-of-var-run.patch b/0001-Fix-the-spec-file-to-use-run-instead-of-var-run.patch
deleted file mode 100644
index c5e52dd..0000000
--- a/0001-Fix-the-spec-file-to-use-run-instead-of-var-run.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 76b68d4bb5b1fc75c3621f3761721380ef8c76a4 Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Tue, 12 Mar 2019 11:08:38 -0400
-Subject: [PATCH 01/11] Fix the spec file to use /run instead of /var/run
-
----
- fapolicyd.spec | 6 +++---
- src/database.c | 2 +-
- src/fapolicyd-cli.c | 2 +-
- src/fapolicyd.c | 2 +-
- 4 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/src/database.c b/src/database.c
-index 649f6fd..87ba376 100644
---- a/src/database.c
-+++ b/src/database.c
-@@ -60,7 +60,7 @@ static int lib_symlink=0, lib64_symlink=0, bin_symlink=0, sbin_symlink=0;
- // External variables
- extern volatile atomic_bool stop;
-
--static const char* fifo_path = "/var/run/fapolicyd/fapolicyd.fifo";
-+static const char* fifo_path = "/run/fapolicyd/fapolicyd.fifo";
-
-
- static pthread_t update_thread;
-diff --git a/src/fapolicyd-cli.c b/src/fapolicyd-cli.c
-index 17a9055..06e7464 100644
---- a/src/fapolicyd-cli.c
-+++ b/src/fapolicyd-cli.c
-@@ -37,7 +37,7 @@ const char * usage =
- "-u\t--update\t\tNotifies fapolicyd to perform update of database\n"
- ;
-
--const char * _pipe = "/var/run/fapolicyd/fapolicyd.fifo";
-+const char * _pipe = "/run/fapolicyd/fapolicyd.fifo";
-
- int main(int argc, char const *argv[])
- {
-diff --git a/src/fapolicyd.c b/src/fapolicyd.c
-index dee339f..53d4273 100644
---- a/src/fapolicyd.c
-+++ b/src/fapolicyd.c
-@@ -60,7 +60,7 @@ int debug = 0, permissive = 0;
- volatile atomic_bool stop = 0;
-
- // Local variables
--static const char *pidfile = "/var/run/fapolicyd.pid";
-+static const char *pidfile = "/run/fapolicyd.pid";
- #define REPORT "/var/log/fapolicyd-access.log"
- static struct daemon_conf config;
-
---
-2.20.1
-
diff --git a/0002-Fix-service-file-to-use-run-instead-of-var-run.patch b/0002-Fix-service-file-to-use-run-instead-of-var-run.patch
deleted file mode 100644
index 66459be..0000000
--- a/0002-Fix-service-file-to-use-run-instead-of-var-run.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 557244e37f856a3d374ac6bc0d4d05fbbbcc2700 Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Tue, 12 Mar 2019 11:10:29 -0400
-Subject: [PATCH 02/11] Fix service file to use /run instead of /var/run
-
----
- init/fapolicyd.service | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/init/fapolicyd.service b/init/fapolicyd.service
-index 169ce3c..461f0ba 100644
---- a/init/fapolicyd.service
-+++ b/init/fapolicyd.service
-@@ -5,7 +5,7 @@ After=local-fs.target systemd-tmpfiles-setup.service
-
- [Service]
- Type=forking
--PIDFile=/var/run/fapolicyd.pid
-+PIDFile=/run/fapolicyd.pid
- Restart=on-abnormal
- ExecStart=/usr/sbin/fapolicyd
-
---
-2.20.1
-
diff --git a/0003-Install-a-usr-lib-tmpfiles.d-fapolicyd.conf-for-run-.patch b/0003-Install-a-usr-lib-tmpfiles.d-fapolicyd.conf-for-run-.patch
deleted file mode 100644
index 8c50d18..0000000
--- a/0003-Install-a-usr-lib-tmpfiles.d-fapolicyd.conf-for-run-.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From b820c237a8fefdc159dcbad4198232156a5180d9 Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Tue, 12 Mar 2019 11:58:33 -0400
-Subject: [PATCH 03/11] Install a /usr/lib/tmpfiles.d/fapolicyd.conf for
- /run/fapolicyd
-
----
- fapolicyd.spec | 2 ++
- init/Makefile.am | 3 +--
- init/fapolicyd-tmpfiles.conf | 1 +
- 3 files changed, 4 insertions(+), 2 deletions(-)
- create mode 100644 init/fapolicyd-tmpfiles.conf
-
-diff --git a/init/Makefile.am b/init/Makefile.am
-index 29037c1..659142e 100644
---- a/init/Makefile.am
-++ b/init/Makefile.am
-@@ -1,6 +1,5 @@
--EXTRA_DIST = fapolicyd.rules fapolicyd.mounts fapolicyd.service fapolicyd.conf
-+EXTRA_DIST = fapolicyd.rules fapolicyd.mounts fapolicyd.service fapolicyd.conf fapolicyd-tmpfiles.conf
- fapolicyddir = $(sysconfdir)/fapolicyd
- dist_fapolicyd_DATA = fapolicyd.rules fapolicyd.mounts fapolicyd.conf
- systemdservicedir = $(systemdsystemunitdir)
- dist_systemdservice_DATA = fapolicyd.service
--
-diff --git a/init/fapolicyd-tmpfiles.conf b/init/fapolicyd-tmpfiles.conf
-new file mode 100644
-index 0000000..24459d3
---- /dev/null
-+++ b/init/fapolicyd-tmpfiles.conf
-@@ -0,0 +1 @@
-+d /run/fapolicyd 0770 root fapolicyd -
---
-2.20.1
-
diff --git a/0004-remove-fifo-on-all-exit-paths-for-update-thread.patch b/0004-remove-fifo-on-all-exit-paths-for-update-thread.patch
deleted file mode 100644
index 77c340e..0000000
--- a/0004-remove-fifo-on-all-exit-paths-for-update-thread.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 8d2dc2210c866bcf21362bc7c5686a60ca6938b3 Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Tue, 12 Mar 2019 12:29:08 -0400
-Subject: [PATCH 04/11] remove fifo on all exit paths for update thread
-
----
- src/database.c | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/src/database.c b/src/database.c
-index 87ba376..1b3dc1a 100644
---- a/src/database.c
-+++ b/src/database.c
-@@ -743,6 +743,7 @@ static void *update_thread_main(void *arg)
-
- if ((pfd[0].fd = open(fifo_path, O_RDWR)) == -1) {
- msg(LOG_ERR, "Failed to open a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE));
-+ unlink(fifo_path);
- return NULL;
- }
-
-@@ -759,8 +760,7 @@ static void *update_thread_main(void *arg)
- continue;
- } else {
- msg(LOG_ERR, "Update poll error (%s)", strerror_r(errno, err_buff, BUFFER_SIZE));
-- close(pfd[0].fd);
-- return NULL;
-+ goto err_out;
- }
- } else if (rc == 0) {
- msg(LOG_DEBUG, "Update poll timeout expired");
-@@ -772,7 +772,7 @@ static void *update_thread_main(void *arg)
-
- if (count == -1) {
- msg(LOG_ERR, "Failed to read from a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE));
-- return NULL;
-+ goto err_out;
- }
-
- if (count == 0) {
-@@ -796,6 +796,7 @@ static void *update_thread_main(void *arg)
-
- if ((rc = update_database(config))) {
- msg(LOG_ERR, "Cannot update a database!");
-+ close(pfd[0].fd);
- unlink(fifo_path);
- exit(rc);
- } else {
-@@ -806,5 +807,10 @@ static void *update_thread_main(void *arg)
- }
-
- }
-+
-+err_out:
-+ close(pfd[0].fd);
-+ unlink(fifo_path);
-+
- return NULL;
- }
---
-2.20.1
-
diff --git a/0005-Move-some-debug-messages-under-ifdef-DEBUG-24.patch b/0005-Move-some-debug-messages-under-ifdef-DEBUG-24.patch
deleted file mode 100644
index 15b4a43..0000000
--- a/0005-Move-some-debug-messages-under-ifdef-DEBUG-24.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 4aded37a3901a1f076f3b88834c3dfd994086e62 Mon Sep 17 00:00:00 2001
-From: Radovan Sroka
-Date: Wed, 13 Mar 2019 17:49:21 +0100
-Subject: [PATCH 05/11] Move some debug messages under #ifdef DEBUG (#24)
-
----
- src/database.c | 25 ++++++++++++++++++-------
- src/fapolicyd.c | 5 +++--
- 2 files changed, 21 insertions(+), 9 deletions(-)
-
-diff --git a/src/database.c b/src/database.c
-index 1b3dc1a..2a0c029 100644
---- a/src/database.c
-+++ b/src/database.c
-@@ -732,7 +732,9 @@ static void *update_thread_main(void *arg)
-
- struct daemon_conf *config = (struct daemon_conf *)arg;
-
-- msg(LOG_INFO, "Update thread main started");
-+#ifdef DEBUG
-+ msg(LOG_DEBUG, "Update thread main started");
-+#endif
-
- /* Make sure that there is no such file/fifo */
- unlink(fifo_path);
-@@ -752,18 +754,25 @@ static void *update_thread_main(void *arg)
- while (!stop) {
-
- rc = poll(pfd, 1, 1000);
-- msg(LOG_DEBUG, "Update poll interupted");
-+
-+#ifdef DEBUG
-+ msg(LOG_DEBUG, "Update poll interrupted");
-+#endif
-
- if (rc < 0) {
- if (errno == EINTR) {
-+#ifdef DEBUG
- msg(LOG_DEBUG, "update poll rc = EINTR");
-+#endif
- continue;
- } else {
- msg(LOG_ERR, "Update poll error (%s)", strerror_r(errno, err_buff, BUFFER_SIZE));
- goto err_out;
- }
- } else if (rc == 0) {
-+#ifdef DEBUG
- msg(LOG_DEBUG, "Update poll timeout expired");
-+#endif
- continue;
- } else {
- if (pfd[0].revents & POLLIN) {
-@@ -776,12 +785,14 @@ static void *update_thread_main(void *arg)
- }
-
- if (count == 0) {
-- msg(LOG_DEBUG, "Buffer contains zero bytes!");
-+#ifdef DEBUG
-+ msg(LOG_DEBUG, "Buffer contains zero bytes!");
-+#endif
- continue;
- }
--
-+#ifdef DEBUG
- msg(LOG_DEBUG, "Buffer contains: \"%s\"", buff);
--
-+#endif
- int check = 1;
- for (int i = 0 ; i < count ; i++) {
- if (buff[i] != '1' && buff[i] != '\n' && buff[i] != '\0') {
-@@ -792,7 +803,7 @@ static void *update_thread_main(void *arg)
- }
-
- if (check) {
-- msg(LOG_DEBUG, "It looks like there was an update of the
system... Syncing DB.");
-+ msg(LOG_INFO, "It looks like there was an update of the system... Syncing DB.");
-
- if ((rc = update_database(config))) {
- msg(LOG_ERR, "Cannot update a database!");
-@@ -800,7 +811,7 @@ static void *update_thread_main(void *arg)
- unlink(fifo_path);
- exit(rc);
- } else {
-- msg(LOG_DEBUG, "Updated");
-+ msg(LOG_INFO, "Updated");
- }
- }
- }
-diff --git a/src/fapolicyd.c b/src/fapolicyd.c
-index 53d4273..6e1e987 100644
---- a/src/fapolicyd.c
-+++ b/src/fapolicyd.c
-@@ -389,8 +389,9 @@ int main(int argc, char *argv[])
- while (!stop) {
- rc = poll(pfd, 1, -1);
-
-- msg(LOG_DEBUG, "Main poll interupted");
--
-+#ifdef DEBUG
-+ msg(LOG_DEBUG, "Main poll interrupted");
-+#endif
- if (rc < 0) {
- if (errno == EINTR)
- continue;
---
-2.20.1
-
diff --git a/0006-Get-rid-of-trailing-whitespaces-25.patch b/0006-Get-rid-of-trailing-whitespaces-25.patch
deleted file mode 100644
index af5fe71..0000000
--- a/0006-Get-rid-of-trailing-whitespaces-25.patch
+++ /dev/null
@@ -1,1247 +0,0 @@ -From c8fd541877daa54d1afd6921b454f3ff08628a20 Mon Sep 17 00:00:00 2001 -From: Radovan Sroka -Date: Wed, 13 Mar 2019 18:28:09 +0100 -Subject: [PATCH 06/11] Get rid of trailing whitespaces (#25) - ---- - fapolicyd.spec | 3 +-- - src/daemon-config.c | 31 +++++++++++++------------ - src/daemon-config.h | 4 ++-- - src/database.c | 4 ++-- - src/database.h | 2 +- - src/event.c | 11 +++++---- - src/event.h | 2 +- - src/fapolicyd.c | 15 ++++++------- - src/file.c | 27 +++++++++++----------- - src/file.h | 2 +- - src/lru.c | 55 ++++++++++++++++++++++----------------------- - src/lru.h | 2 +- - src/message.c | 5 ++--- - src/message.h | 3 +-- - src/mounts.c | 9 ++++---- - src/mounts.h | 2 +- - src/notify.c | 7 +++--- - src/notify.h | 2 +- - src/nv.h | 2 +- - src/object-attr.c | 5 ++--- - src/object-attr.h | 2 +- - src/object.c | 5 ++--- - src/object.h | 3 +-- - src/policy.c | 5 ++--- - src/policy.h | 2 +- - src/process.c | 5 ++--- - src/process.h | 2 +- - src/queue.c | 6 ++--- - src/queue.h | 10 ++++----- - src/rules.c | 11 +++++---- - src/rules.h | 3 +-- - src/subject-attr.c | 5 ++--- - src/subject-attr.h | 5 ++--- - src/subject.c | 7 +++--- - src/temporary_db.h | 2 +- - 35 files changed, 123 insertions(+), 143 deletions(-) - -diff --git a/src/daemon-config.c b/src/daemon-config.c -index dc89739..ced3963 100644 ---- a/src/daemon-config.c -+++ b/src/daemon-config.c -@@ -16,11 +16,11 @@ - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library; if not, write to the Free Software -- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - * - * Authors: - * Steve Grubb -- * -+ * - */ - - #include "config.h" -@@ -44,14 +44,14 @@ struct nv_pair - const char *value; - }; - --struct kw_pair -+struct kw_pair - { - const char *name; - int (*parser)(struct nv_pair *, int, struct daemon_conf *); - }; - - struct nv_list --{ 
-+{ - const char *name; - int option; - }; -@@ -60,7 +60,7 @@ static char *get_line(FILE *f, char *buf, unsigned size, int *lineno, - const char *file); - static int nv_split(char *buf, struct nv_pair *nv); - static const struct kw_pair *kw_lookup(const char *val); --static int permissive_parser(struct nv_pair *nv, int line, -+static int permissive_parser(struct nv_pair *nv, int line, - struct daemon_conf *config); - static int nice_val_parser(struct nv_pair *nv, int line, - struct daemon_conf *config); -@@ -81,7 +81,7 @@ static int obj_cache_size_parser(struct nv_pair *nv, int line, - static int do_stat_report_parser(struct nv_pair *nv, int line, - struct daemon_conf *config); - --static const struct kw_pair keywords[] = -+static const struct kw_pair keywords[] = - { - {"permissive", permissive_parser }, - {"nice_val", nice_val_parser }, -@@ -125,7 +125,7 @@ int load_daemon_config(struct daemon_conf *config) - fd = open(CONFIG_FILE, O_RDONLY|O_NOFOLLOW); - if (fd < 0) { - if (errno != ENOENT) { -- msg(LOG_ERR, "Error opening config file (%s)", -+ msg(LOG_ERR, "Error opening config file (%s)", - strerror(errno)); - return 1; - } -@@ -137,7 +137,7 @@ int load_daemon_config(struct daemon_conf *config) - /* Make into FILE struct and read line by line */ - f = fdopen(fd, "rm"); - if (f == NULL) { -- msg(LOG_ERR, "Error - fdopen failed (%s)", -+ msg(LOG_ERR, "Error - fdopen failed (%s)", - strerror(errno)); - close(fd); - return 1; -@@ -152,17 +152,17 @@ int load_daemon_config(struct daemon_conf *config) - case 0: // fine - break; - case 1: // not the right number of tokens. -- msg(LOG_ERR, -- "Wrong number of arguments for line %d in %s", -+ msg(LOG_ERR, -+ "Wrong number of arguments for line %d in %s", - lineno, CONFIG_FILE); - break; - case 2: // no '=' sign -- msg(LOG_ERR, -- "Missing equal sign for line %d in %s", -+ msg(LOG_ERR, -+ "Missing equal sign for line %d in %s", - lineno, CONFIG_FILE); - break; -- default: // something else went wrong... 
-- msg(LOG_ERR, "Unknown error for line %d in %s", -+ default: // something else went wrong... -+ msg(LOG_ERR, "Unknown error for line %d in %s", - lineno, CONFIG_FILE); - break; - } -@@ -310,7 +310,7 @@ static const struct kw_pair *kw_lookup(const char *val) - } - return &keywords[i]; - } -- -+ - void free_daemon_config(struct daemon_conf *config) - { - // free((void*)config->file); -@@ -482,4 +482,3 @@ static int do_stat_report_parser(struct nv_pair *nv, int line, - } - return rc; - } -- -diff --git a/src/daemon-config.h b/src/daemon-config.h -index 75839cd..481b6ce 100644 ---- a/src/daemon-config.h -+++ b/src/daemon-config.h -@@ -1,4 +1,4 @@ --/* daemon-config.h -- -+/* daemon-config.h -- - * Copyright 2018 Red Hat Inc., Durham, North Carolina. - * All Rights Reserved. - * -@@ -18,7 +18,7 @@ - * - * Authors: - * Steve Grubb -- * -+ * - */ - - #ifndef DAEMON_CONFIG_H -diff --git a/src/database.c b/src/database.c -index 2a0c029..64a9fda 100644 ---- a/src/database.c -+++ b/src/database.c -@@ -360,7 +360,7 @@ static rpmts ts = NULL; - static rpmdbMatchIterator mi = NULL; - static int init_rpm(void) - { -- return rpmReadConfigFiles ((const char *)NULL, (const char *)NULL); -+ return rpmReadConfigFiles ((const char *)NULL, (const char *)NULL); - } - - static Header h = NULL; -@@ -642,7 +642,7 @@ int check_trust_database(const char *path) - // problem. These are sorted from most likely to least. - if (strncmp(path, "/usr/", 5) == 0) { - if ((lib64_symlink && -- strncmp(&path[5], "lib64/", 6) == 0) || -+ strncmp(&path[5], "lib64/", 6) == 0) || - (lib_symlink && - strncmp(&path[5], "lib/", 4) == 0) || - (bin_symlink && -diff --git a/src/database.h b/src/database.h -index 2048cf1..eca7b0d 100644 ---- a/src/database.h -+++ b/src/database.h -@@ -15,7 +15,7 @@ - * - * You should have received a copy of the GNU General Public License - * along with this program; see the file COPYING. 
If not, write to the -- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor - * Boston, MA 02110-1335, USA. - * - * Authors: -diff --git a/src/event.c b/src/event.c -index abc0c38..0775b6e 100644 ---- a/src/event.c -+++ b/src/event.c -@@ -1,7 +1,7 @@ - /* - * event.c - Functions to access event attributes - * Copyright (c) 2016,2018 Red Hat Inc., Durham, North Carolina. -- * All Rights Reserved. -+ * All Rights Reserved. - * - * This software may be freely redistributed and/or modified under the - * terms of the GNU General Public License as published by the Free -@@ -15,7 +15,7 @@ - * - * You should have received a copy of the GNU General Public License - * along with this program; see the file COPYING. If not, write to the -- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor - * Boston, MA 02110-1335, USA. - * - * Authors: -@@ -135,7 +135,7 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e) - if (finfo == NULL) - return 1; - -- // Just using inodes don't give a good key. It needs -+ // Just using inodes don't give a good key. It needs - // conditioning to use more slots in the cache. 
- unsigned long magic = finfo->inode + finfo->time.tv_nsec + finfo->size; - key = compute_object_key(obj_cache, magic); -@@ -289,7 +289,7 @@ object_attr_t *get_obj_attr(event_t *e, object_type_t t) - if (on) - obj.o = strdup(on->o); - else { -- ptr = get_file_from_fd(e->fd, e->pid, -+ ptr = get_file_from_fd(e->fd, e->pid, - sizeof(buf), buf); - if (ptr) - obj.o = strdup(buf); -@@ -302,7 +302,7 @@ object_attr_t *get_obj_attr(event_t *e, object_type_t t) - sizeof(buf), buf); - if (ptr) - obj.o = strdup(buf); -- else -+ else - obj.o = strdup("?"); - break; - case FTYPE: -@@ -428,4 +428,3 @@ void run_usage_report(struct daemon_conf *config, FILE *f) - print_queue_stats(f, subj_cache); - fprintf(f, "\n"); - } -- -diff --git a/src/event.h b/src/event.h -index 5fdf1ed..98a7a7c 100644 ---- a/src/event.h -+++ b/src/event.h -@@ -15,7 +15,7 @@ - * - * You should have received a copy of the GNU General Public License - * along with this program; see the file COPYING. If not, write to the -- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor - * Boston, MA 02110-1335, USA. - * - * Authors: -diff --git a/src/fapolicyd.c b/src/fapolicyd.c -index 6e1e987..ad9f2f2 100644 ---- a/src/fapolicyd.c -+++ b/src/fapolicyd.c -@@ -1,7 +1,7 @@ - /* - * fapolicyd.c - Main file for the program - * Copyright (c) 2016,2018 Red Hat Inc., Durham, North Carolina. -- * All Rights Reserved. -+ * All Rights Reserved. - * - * This software may be freely redistributed and/or modified under the - * terms of the GNU General Public License as published by the Free -@@ -15,7 +15,7 @@ - * - * You should have received a copy of the GNU General Public License - * along with this program; see the file COPYING. If not, write to the -- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor - * Boston, MA 02110-1335, USA. 
- * - * Authors: -@@ -32,7 +32,7 @@ - #include - #include - #include --#include -+#include - #include - #include - #include -@@ -103,7 +103,7 @@ static void term_handler(int sig) - stop = 1 + sig; // Just so its used... - } - --// This is a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=643031 -+// This is a workaround for https://bugzilla.redhat.com/show_bug.cgi?id=643031 - #define UNUSED(x) (void)(x) - extern int rpmsqEnable (int signum, void *handler); - int rpmsqEnable (int signum, void *handler) -@@ -256,9 +256,9 @@ int main(int argc, char *argv[]) - if (isdigit(*argv[i])) { - errno = 0; - struct passwd *pw; -- -+ - config.uid = strtoul(argv[i], NULL, 10); -- -+ - if (errno) { - msg(LOG_ERR, - "Error converting user value"); -@@ -411,7 +411,7 @@ int main(int argc, char *argv[]) - // link against librpm. Turns out that librpm masks - // signals to prevent corrupted databases during an - // update. Since we only do read access, we can turn -- // them back on. -+ // them back on. - sigaction(SIGTERM, &sa, NULL); - sigaction(SIGINT, &sa, NULL); - } -@@ -444,4 +444,3 @@ int main(int argc, char *argv[]) - - return 0; - } -- -diff --git a/src/file.c b/src/file.c -index 4aed92b..39d3a58 100644 ---- a/src/file.c -+++ b/src/file.c -@@ -1,7 +1,7 @@ - /* - * file.c - functions for accessing attributes of files - * Copyright (c) 2016,2018 Red Hat Inc., Durham, North Carolina. -- * All Rights Reserved. -+ * All Rights Reserved. - * - * This software may be freely redistributed and/or modified under the - * terms of the GNU General Public License as published by the Free -@@ -15,7 +15,7 @@ - * - * You should have received a copy of the GNU General Public License - * along with this program; see the file COPYING. If not, write to the -- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor - * Boston, MA 02110-1335, USA. 
- * - * Authors: -@@ -66,7 +66,7 @@ void file_init(void) - MAGIC_NO_CHECK_ELF); - if (magic_cookie == NULL) { - msg(LOG_ERR, "Unable to init libmagic"); -- exit(1); -+ exit(1); - } - if (magic_load(magic_cookie, NULL) != 0) { - msg(LOG_ERR, "Unable to load magic database"); -@@ -192,7 +192,7 @@ char *get_file_from_fd(int fd, pid_t pid, size_t blen, char *buf) - char procfd_path[PATH_MAX+1]; - ssize_t path_len; - -- snprintf(procfd_path, sizeof(procfd_path)-1, -+ snprintf(procfd_path, sizeof(procfd_path)-1, - "/proc/self/fd/%d", fd); - path_len = readlink(procfd_path, buf, blen - 1); - if (path_len < 0) -@@ -262,7 +262,7 @@ char *get_file_type_from_fd(int fd, size_t blen, char *buf) - *str = 0; - } else - return NULL; -- -+ - lseek(fd, 0, SEEK_SET); - return buf; - } -@@ -312,7 +312,7 @@ char *get_hash_from_fd(int fd) - if (len != 4096) - break; - } -- -+ - // Ask for the grand total to be calculated - gcry_md_final(ctx); - -@@ -401,7 +401,7 @@ uint32_t gather_elf(int fd, off_t size) - if (e_ident[EI_CLASS] == ELFCLASS32) { - unsigned i; - Elf32_Phdr *ph_tbl = NULL; -- -+ - Elf32_Ehdr *hdr = read_header32(fd); - if (hdr == NULL) { - info |= HAS_ERROR; -@@ -410,7 +410,7 @@ uint32_t gather_elf(int fd, off_t size) - - // Look for program header information - // We want to do a basic size check to make sure -- unsigned long sz = -+ unsigned long sz = - (unsigned)hdr->e_phentsize * (unsigned)hdr->e_phnum; - if (sz > (unsigned long)size) { - info |= HAS_ERROR; -@@ -504,8 +504,8 @@ uint32_t gather_elf(int fd, off_t size) - break; - } - j++; -- } -- free(dyn_tbl); -+ } -+ free(dyn_tbl); - } - if (info & HAS_RPATH) - break; -@@ -522,7 +522,7 @@ done32: - } else if (e_ident[EI_CLASS] == ELFCLASS64) { - unsigned i; - Elf64_Phdr *ph_tbl; -- -+ - Elf64_Ehdr *hdr = read_header64(fd); - if (hdr == NULL) { - info |= HAS_ERROR; -@@ -531,7 +531,7 @@ done32: - - // Look for program header information - // We want to do a basic size check to make sure -- unsigned long sz = -+ unsigned 
long sz = - (unsigned)hdr->e_phentsize * (unsigned)hdr->e_phnum; - if (sz > (unsigned long)size) { - info |= HAS_ERROR; -@@ -622,7 +622,7 @@ done32: - } - j++; - } -- free(dyn_tbl); -+ free(dyn_tbl); - } - if (info & HAS_RPATH) - break; -@@ -640,4 +640,3 @@ done64: - lseek(fd, 0, SEEK_SET); - return info; - } -- -diff --git a/src/file.h b/src/file.h -index 1727dc4..e5666b4 100644 ---- a/src/file.h -+++ b/src/file.h -@@ -15,7 +15,7 @@ - * - * You should have received a copy of the GNU General Public License - * along with this program; see the file COPYING. If not, write to the -- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor - * Boston, MA 02110-1335, USA. - * - * Authors: -diff --git a/src/lru.c b/src/lru.c -index 777ac67..8c866a8 100644 ---- a/src/lru.c -+++ b/src/lru.c -@@ -1,7 +1,7 @@ - /* - * lru.c - LRU cache implementation - * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina. -- * All Rights Reserved. -+ * All Rights Reserved. - * - * This software may be freely redistributed and/or modified under the - * terms of the GNU General Public License as published by the Free -@@ -15,7 +15,7 @@ - * - * You should have received a copy of the GNU General Public License - * along with this program; see the file COPYING. If not, write to the -- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor - * Boston, MA 02110-1335, USA. 
- * - * Authors: -@@ -29,7 +29,7 @@ - #include "message.h" - - //#define DEBUG -- -+ - // Local declarations - static void dequeue(Queue *queue); - -@@ -41,13 +41,13 @@ static QNode *new_QNode(void) - return temp; - temp->item = NULL; - temp->uses = 1; // Setting to 1 because its being used -- -+ - // Initialize prev and next as NULL - temp->prev = temp->next = NULL; -- -+ - return temp; - } -- -+ - static Hash *create_hash(unsigned int hsize) - { - unsigned int i; -@@ -61,11 +61,11 @@ static Hash *create_hash(unsigned int hsize) - free(hash); - return NULL; - } -- -+ - // Initialize all hash entries as empty - for (i = 0; i < hsize; i++) - hash->array[i] = NULL; -- -+ - return hash; - } - -@@ -74,7 +74,7 @@ static void destroy_hash(Hash *hash) - free(hash->array); - free(hash); - } -- -+ - static void dump_queue_stats(const Queue *q) - { - msg(LOG_DEBUG, "%s cache size: %u", q->name, q->total); -@@ -89,19 +89,19 @@ static Queue *create_queue(unsigned int qsize, const char *name) - Queue *queue = malloc(sizeof(Queue)); - if (queue == NULL) - return queue; -- -+ - // The queue is empty - queue->count = 0; - queue->hits = 0; - queue->misses = 0; - queue->evictions = 0; - queue->front = queue->end = NULL; -- -+ - // Number of slots that can be stored in memory - queue->total = qsize; - - queue->name = name; -- -+ - return queue; - } - -@@ -114,12 +114,12 @@ static void destroy_queue(Queue *queue) - - free(queue); - } -- -+ - static unsigned int are_all_slots_full(const Queue *queue) - { - return queue->count == queue->total; - } -- -+ - static unsigned int queue_is_empty(const Queue *queue) - { - return queue->end == NULL; -@@ -228,7 +228,7 @@ out: - sanity_check_queue(queue, "2 remove_node"); - } - --// Remove from the end of the queue -+// Remove from the end of the queue - static void dequeue(Queue *queue) - { - QNode *temp = queue->end; -@@ -238,14 +238,14 @@ static void dequeue(Queue *queue) - - remove_node(queue, queue->end); - -- queue->cleanup(temp->item); -+ 
queue->cleanup(temp->item); - free(temp->item); - free(temp); -- -+ - // decrement the total of full slots by 1 - queue->count--; - } -- -+ - // Remove front of the queue because its a mismatch - void lru_evict(Queue *queue, unsigned int key) - { -@@ -254,7 +254,7 @@ void lru_evict(Queue *queue, unsigned int key) - - if (queue_is_empty(queue)) - return; -- -+ - hash->array[key] = NULL; - remove_node(queue, queue->front); - -@@ -285,13 +285,13 @@ static void enqueue(Queue *queue, unsigned int key) - // And add the new node to the front of queue - temp = new_QNode(); - -- insert_beginning(queue, temp); -+ insert_beginning(queue, temp); - hash->array[key] = temp; -- -+ - // increment number of full slots - queue->count++; - } -- -+ - // This function is called needing an item from cache. - // There are two scenarios: - // 1. Item is not in cache, so add it to the front of the queue -@@ -307,19 +307,19 @@ QNode *check_lru_cache(Queue *queue, unsigned int key) - } - - reqPage = hash->array[key]; -- -+ - // item is not in cache, make new spot for it - if (reqPage == NULL) { - enqueue(queue, key); - queue->misses++; -- -+ - // item is there but not at front. Move it - } else if (reqPage != queue->front) { - remove_node(queue, reqPage); -- reqPage->next = NULL; -- reqPage->prev = NULL; -+ reqPage->next = NULL; -+ reqPage->prev = NULL; - insert_beginning(queue, reqPage); -- -+ - // Increment cached object metrics - queue->front->uses++; - queue->hits++; -@@ -366,4 +366,3 @@ unsigned long compute_object_key(const Queue *queue, unsigned long num) - else - return 0; - } -- -diff --git a/src/lru.h b/src/lru.h -index b202ca5..7dafe6e 100644 ---- a/src/lru.h -+++ b/src/lru.h -@@ -15,7 +15,7 @@ - * - * You should have received a copy of the GNU General Public License - * along with this program; see the file COPYING. 
If not, write to the -- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor - * Boston, MA 02110-1335, USA. - * - * Authors: -diff --git a/src/message.c b/src/message.c -index b403a2f..6ae53cf 100644 ---- a/src/message.c -+++ b/src/message.c -@@ -1,7 +1,7 @@ - /* - * message.c - function to syslog or write to stderr - * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina. -- * All Rights Reserved. -+ * All Rights Reserved. - * - * This software may be freely redistributed and/or modified under the - * terms of the GNU General Public License as published by the Free -@@ -15,7 +15,7 @@ - * - * You should have received a copy of the GNU General Public License - * along with this program; see the file COPYING. If not, write to the -- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor - * Boston, MA 02110-1335, USA. - * - * Authors: -@@ -58,4 +58,3 @@ void msg(int priority, const char *fmt, ...) - } - va_end( ap ); - } -- -diff --git a/src/message.h b/src/message.h -index 738558b..c6e778b 100644 ---- a/src/message.h -+++ b/src/message.h -@@ -15,7 +15,7 @@ - * - * You should have received a copy of the GNU General Public License - * along with this program; see the file COPYING. If not, write to the -- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor - * Boston, MA 02110-1335, USA. - * - * Authors: -@@ -39,4 +39,3 @@ void msg(int priority, const char *fmt, ...) - #endif - - #endif -- -diff --git a/src/mounts.c b/src/mounts.c -index d3a3e21..f3cbecc 100644 ---- a/src/mounts.c -+++ b/src/mounts.c -@@ -1,7 +1,7 @@ - /* - * mounts.c - Minimal linked list set of mount points - * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina. -- * All Rights Reserved. -+ * All Rights Reserved. 
- * - * This software may be freely redistributed and/or modified under the - * terms of the GNU General Public License as published by the Free -@@ -15,7 +15,7 @@ - * - * You should have received a copy of the GNU General Public License - * along with this program; see the file COPYING. If not, write to the -- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor - * Boston, MA 02110-1335, USA. - * - * Authors: -@@ -142,7 +142,7 @@ int load_mounts(void) - if (stat(ptr, &sb) == -1) { - msg(LOG_INFO, "Invalid entry \"%s\". " - "Failed to stat object, %s." -- " Skipping", ptr, -+ " Skipping", ptr, - strerror(errno)); - continue; /* Don't return to caller */ - } -@@ -164,7 +164,7 @@ int load_mounts(void) - fclose(f); - - /* Only return true if no mounts found in configuration file */ -- if (mounts.cnt == 0) { -+ if (mounts.cnt == 0) { - msg(LOG_INFO, "No mount points - exiting"); - return 1; - } -@@ -211,4 +211,3 @@ void clear_mounts(void) - l->cur = NULL; - l->cnt = 0; - } -- -diff --git a/src/mounts.h b/src/mounts.h -index 276ecf2..5bb3d37 100644 ---- a/src/mounts.h -+++ b/src/mounts.h -@@ -15,7 +15,7 @@ - * - * You should have received a copy of the GNU General Public License - * along with this program; see the file COPYING. If not, write to the -- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor -+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor - * Boston, MA 02110-1335, USA. - * - * Authors: -diff --git a/src/notify.c b/src/notify.c -index 5b2e546..6c93349 100644 ---- a/src/notify.c -+++ b/src/notify.c -@@ -1,7 +1,7 @@ - /* - * notify.c - functions handle recieving and enqueuing events - * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina. -- * All Rights Reserved. -+ * All Rights Reserved. 
- *
- * This software may be freely redistributed and/or modified under the
- * terms of the GNU General Public License as published by the Free
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-@@ -130,7 +130,7 @@ int init_fanotify(struct daemon_conf *conf)
- retry_mark:
- if (fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_MOUNT,
- mask, -1, path) == -1) {
-- /*
-+ /*
- * The FAN_OPEN_EXEC_PERM mask is not supported by
- * all kernel releases prior to 5.0. Retry setting
- * up the mark using only the legacy FAN_OPEN_PERM
-@@ -366,4 +366,3 @@ void handle_events(void)
- metadata = FAN_EVENT_NEXT(metadata, len);
- }
- }
--
-diff --git a/src/notify.h b/src/notify.h
-index 59f1fef..3d1e90e 100644
---- a/src/notify.h
-+++ b/src/notify.h
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-diff --git a/src/nv.h b/src/nv.h
-index 2ac68dd..f3f9aad 100644
---- a/src/nv.h
-+++ b/src/nv.h
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-diff --git a/src/object-attr.c b/src/object-attr.c
-index d463f22..3ee93e8 100644
---- a/src/object-attr.c
-+++ b/src/object-attr.c
-@@ -1,7 +1,7 @@
- /*
- * object-attr.c - abstract object attribute access
- * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina.
-- * All Rights Reserved.
-+ * All Rights Reserved.
- *
- * This software may be freely redistributed and/or modified under the
- * terms of the GNU General Public License as published by the Free
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-@@ -57,4 +57,3 @@ const char *obj_val_to_name(unsigned int v)
-
- return NULL;
- }
--
-diff --git a/src/object-attr.h b/src/object-attr.h
-index aeca9e4..8849d81 100644
---- a/src/object-attr.h
-+++ b/src/object-attr.h
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-diff --git a/src/object.c b/src/object.c
-index c99f562..698b678 100644
---- a/src/object.c
-+++ b/src/object.c
-@@ -1,7 +1,7 @@
- /*
- * object.c - Minimal linked list set of object attributes
- * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina.
--* All Rights Reserved.
-+* All Rights Reserved.
- *
- * This software may be freely redistributed and/or modified under the
- * terms of the GNU General Public License as published by the Free
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
--* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-@@ -120,4 +120,3 @@ void object_clear(o_array *a)
- free(a->obj);
- a->cnt = 0;
- }
--
-diff --git a/src/object.h b/src/object.h
-index f4ba4e7..ee7e432 100644
---- a/src/object.h
-+++ b/src/object.h
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
--* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-@@ -43,4 +43,3 @@ void object_clear(o_array *a);
- static inline int type_is_obj(int type) {if (type >= OBJ_START) return 1; else return 0;}
-
- #endif
--
-diff --git a/src/policy.c b/src/policy.c
-index ef26157..4350064 100644
---- a/src/policy.c
-+++ b/src/policy.c
-@@ -1,7 +1,7 @@
- /*
- * policy.c - functions that encapsulate the notion of a policy
- * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina.
-- * All Rights Reserved.
-+ * All Rights Reserved.
- *
- * This software may be freely redistributed and/or modified under the
- * terms of the GNU General Public License as published by the Free
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-@@ -185,4 +185,3 @@ void destroy_config(void)
- {
- rules_clear(&rules);
- }
--
-diff --git a/src/policy.h b/src/policy.h
-index 960e878..3a521bc 100644
---- a/src/policy.h
-+++ b/src/policy.h
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-diff --git a/src/process.c b/src/process.c
-index 2b2f166..05c530f 100644
---- a/src/process.c
-+++ b/src/process.c
-@@ -1,7 +1,7 @@
- /*
- * process.c - functions to access attributes of processes
- * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina.
-- * All Rights Reserved.
-+ * All Rights Reserved.
- *
- * This software may be freely redistributed and/or modified under the
- * terms of the GNU General Public License as published by the Free
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-@@ -247,4 +247,3 @@ uid_t get_program_uid_from_pid(pid_t pid)
- }
- return uid;
- }
--
-diff --git a/src/process.h b/src/process.h
-index 63fa51d..73edaa7 100644
---- a/src/process.h
-+++ b/src/process.h
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-diff --git a/src/queue.c b/src/queue.c
-index f74332e..bcefd12 100644
---- a/src/queue.c
-+++ b/src/queue.c
-@@ -1,4 +1,5 @@
--/* queue.c - a simple queue implementation
-+/*
-+ * queue.c - a simple queue implementation
- * Copyright 2016,2018 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
-@@ -14,7 +15,7 @@
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-@@ -175,4 +176,3 @@ size_t q_queue_length(const struct queue *q)
- {
- return q->queue_length;
- }
--
-diff --git a/src/queue.h b/src/queue.h
-index 10a7d06..44704f1 100644
---- a/src/queue.h
-+++ b/src/queue.h
-@@ -1,4 +1,5 @@
--/* queue.h -- a queue abstraction
-+/*
-+ * queue.h -- a queue abstraction
- * Copyright 2016,2018 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
-@@ -14,7 +15,7 @@
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-@@ -53,7 +54,7 @@ void q_report(FILE *f);
- /* Add DATA to tail of Q. Return 0 on success, -1 on error and set errno. */
- int q_append(struct queue *q, const struct fanotify_event_metadata *data);
-
--/* Peek at head of Q, storing it into BUF of SIZE. Return 1 if an entry
-+/* Peek at head of Q, storing it into BUF of SIZE. Return 1 if an entry
- * exists, 0 if queue is empty. On error, return -1 and set errno. */
- int q_peek(const struct queue *q, struct fanotify_event_metadata *data);
-
-@@ -61,7 +62,6 @@ int q_peek(const struct queue *q, struct fanotify_event_metadata *data);
- int q_drop_head(struct queue *q);
-
- /* Return the number of entries in Q. */
--size_t q_queue_length(const struct queue *q);
-+size_t q_queue_length(const struct queue *q);
-
- #endif
--
-diff --git a/src/rules.c b/src/rules.c
-index ca98550..3c3b294 100644
---- a/src/rules.c
-+++ b/src/rules.c
-@@ -1,7 +1,7 @@
- /*
- * rules.c - Minimal linked list set of rules
- * Copyright (c) 2016,2018 Red Hat Inc., Durham, North Carolina.
--* All Rights Reserved.
-+* All Rights Reserved.
- *
- * This software may be freely redistributed and/or modified under the
- * terms of the GNU General Public License as published by the Free
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-@@ -64,7 +64,7 @@ void rules_first(llist *l)
- void rules_last(llist *l)
- {
- register lnode* window;
--
-+
- if (l->head == NULL)
- return;
-
-@@ -336,7 +336,7 @@ static int nv_split(char *buf, lnode *n, int lineno)
- msg(LOG_ERR, "Object is missing in line %d", lineno);
- return 6;
- }
-- return 0;
-+ return 0;
- }
-
- // Returns 0 if success and 1 on rule failure.
-@@ -524,7 +524,7 @@ msg(LOG_DEBUG, "path2: %s", pinfo->path2);
- || (pinfo->elf_info & HAS_RPATH))
- // ld.so normally checks cache first
- pinfo->state = STATE_NORMAL;
-- else
-+ else
- // but preload does the preload
- pinfo->state = STATE_LD_PRELOAD;
- } else
-@@ -714,4 +714,3 @@ void rules_clear(llist *l)
- l->cur = NULL;
- l->cnt = 0;
- }
--
-diff --git a/src/rules.h b/src/rules.h
-index 6c25335..bf8044e 100644
---- a/src/rules.h
-+++ b/src/rules.h
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
--* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-@@ -63,4 +63,3 @@ void rules_unsupport_audit(llist *l);
- void rules_clear(llist* l);
-
- #endif
--
-diff --git a/src/subject-attr.c b/src/subject-attr.c
-index b9ce55e..0efc4a4 100644
---- a/src/subject-attr.c
-+++ b/src/subject-attr.c
-@@ -1,7 +1,7 @@
- /*
- * rules.c - functions to abstract subject attributes
- * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina.
-- * All Rights Reserved.
-+ * All Rights Reserved.
- *
- * This software may be freely redistributed and/or modified under the
- * terms of the GNU General Public License as published by the Free
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-@@ -61,4 +61,3 @@ const char *subj_val_to_name(unsigned int v)
-
- return NULL;
- }
--
-diff --git a/src/subject-attr.h b/src/subject-attr.h
-index 374016f..66828d1 100644
---- a/src/subject-attr.h
-+++ b/src/subject-attr.h
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-@@ -29,7 +29,7 @@
- #include "nv.h"
-
- // Top is numbers, bottom is strings
--typedef enum { ALL_SUBJ = SUBJ_START, AUID, UID, SESSIONID, PID, PATTERN,
-+typedef enum { ALL_SUBJ = SUBJ_START, AUID, UID, SESSIONID, PID, PATTERN,
- COMM, EXE, EXE_DIR, EXE_TYPE, EXE_DEVICE } subject_type_t;
-
- #define SUBJ_END EXE_DEVICE
-@@ -46,4 +46,3 @@ int subj_name_to_val(const char *name);
- const char *subj_val_to_name(unsigned int v);
-
- #endif
--
-diff --git a/src/subject.c b/src/subject.c
-index c4aa378..6bac2ac 100644
---- a/src/subject.c
-+++ b/src/subject.c
-@@ -1,7 +1,7 @@
- /*
- * subject.c - Minimal linked list set of subject attributes
- * Copyright (c) 2016 Red Hat Inc., Durham, North Carolina.
--* All Rights Reserved.
-+* All Rights Reserved.
- *
- * This software may be freely redistributed and/or modified under the
- * terms of the GNU General Public License as published by the Free
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
--* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
-@@ -86,7 +86,7 @@ int subject_add(s_array *a, subject_attr_t *subj)
- newnode->val = subj->val;
- } else
- return 1;
-- } else
-+ } else
- return 1;
-
- a->subj[t - SUBJ_START] = newnode;
-@@ -155,4 +155,3 @@ void subject_reset(s_array *a, subject_type_t t)
- sanity_check_array(a, "subject_reset2");
- }
- }
--
-diff --git a/src/temporary_db.h b/src/temporary_db.h
-index 23bc16d..41f87da 100644
---- a/src/temporary_db.h
-+++ b/src/temporary_db.h
-@@ -15,7 +15,7 @@
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; see the file COPYING. If not, write to the
-- * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
-+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor
- * Boston, MA 02110-1335, USA.
- *
- * Authors:
---
-2.20.1
-
diff --git a/0007-Add-some-documentation-about-how-ELF-startup-works.patch b/0007-Add-some-documentation-about-how-ELF-startup-works.patch
deleted file mode 100644
index 6f9bec4..0000000
--- a/0007-Add-some-documentation-about-how-ELF-startup-works.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From b430ebc0cec78e01ea1ab139001020335314283f Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Wed, 13 Mar 2019 15:55:10 -0400
-Subject: [PATCH 07/11] Add some documentation about how ELF startup works.
-
----
- src/rules.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 61 insertions(+)
-
-diff --git a/src/rules.c b/src/rules.c
-index 3c3b294..66c1df7 100644
---- a/src/rules.c
-+++ b/src/rules.c
-@@ -449,6 +449,67 @@ static int subj_dir_test(subject_attr_t *s, subject_attr_t *subj)
- return 1;
- }
-
-+/*
-+ * Notes about elf program startup
-+ * ===============================
-+ * The run time linker will do the folowing:
-+ * 1) kernel loads executable
-+ * 2) kernel attaches ld-2.2x.so to executable memory and turns over execution
-+ * 3) rtl loads LD_AUDIT libs
-+ * 4) rtl loads LD_PRELOAD libs
-+ * 5) rtl next loads /etc/ld.so.preload libs
-+ *
-+ * Then for each dependency:
-+ * Call into LD_AUDIT la_objsearch() to modify path/name and try
-+ * 1) RPATH in object
-+ * 2) RPATH in executable
-+ * 3) LD_LIBRARY_PATH: for each path, iterate permutations of
-+ * tls, x86_64, haswell, & plain path
-+ * 4) RUNPATH in object
-+ * 5) Try the name as found in the object
-+ * 6) Consult /etc/ld.so.cache
-+ * 7) Try default path (can't find where string table is)
-+ *
-+ * LD_AUDIT modules can add arbitrary early file system actions because
-+ * the may also call open. They can also trigger loading another copy of
-+ * libc.so.6.
-+ *
-+ * Patterns
-+ * ========
-+ * Normal:
-+ * exe=/usr/bin/bash file=/usr/bin/ls
-+ * exe=/usr/bin/bash file=/usr/lib64/ld-2.27.so
-+ * exe=/usr/bin/ls file=/etc/ld.so.cache
-+ * exe=/usr/bin/ls file=/usr/lib64/libselinux.so.1
-+ *
-+ * runtime linker started:
-+ * exe=/usr/bin/bash file=/usr/lib64/ld-2.27.so
-+ * exe=/usr/bin/bash file=/usr/bin/ls
-+ * exe=/usr/lib64/ld-2.27.so file=/etc/ld.so.cache
-+ * exe=/usr/lib64/ld-2.27.so file=/usr/lib64/libselinux.so.1
-+ *
-+ * LD_PRELOAD=libaudit no LD_LIBRARY_PATH:
-+ * exe=/usr/bin/bash file=/usr/bin/ls
-+ * exe=/usr/bin/bash file=/usr/lib64/ld-2.27.so
-+ * exe=/usr/bin/ls file=/usr/lib64/libaudit.so.1.0.0
-+ * exe=/usr/bin/ls file=/etc/ld.so.cache
-+ * exe=/usr/bin/ls file=/usr/lib64/libselinux.so.1
-+ *
-+ * LD_PRELOAD=libaudit with LD_LIBRARY_PATH:
-+ * exe=/usr/bin/bash file=/usr/bin/ls
-+ * exe=/usr/bin/bash file=/usr/lib64/ld-2.28.so
-+ * exe=/usr/bin/ls file=/usr/lib64/libaudit.so.1.0.0
-+ * exe=/usr/bin/ls file=/usr/lib64/libselinux.so.1
-+ *
-+ * /etc/ld.so.preload:
-+ * exe=/usr/bin/bash file=/usr/bin/ls
-+ * exe=/usr/bin/bash file=/usr/lib64/ld-2.27.so
-+ * exe=/usr/bin/ls file=/etc/ld.so.preload
-+ * exe=/usr/bin/ls file=/usr/lib64/libaudit.so.1.0.0
-+ *
-+ * This means only first two can be counted on. Looking for ld.so.cache
-+ * is no good because its almost the last option.
-+ */
-
- //#define NEW_WAY 1
-
---
-2.20.1
-
diff --git a/0008-Change-fifo-mode-to-0660-26.patch b/0008-Change-fifo-mode-to-0660-26.patch
deleted file mode 100644
index f3d3b2d..0000000
--- a/0008-Change-fifo-mode-to-0660-26.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From 36ad6b8dd2a8effba70fccbaf1d580a75a167e6d Mon Sep 17 00:00:00 2001
-From: Radovan Sroka
-Date: Wed, 13 Mar 2019 20:57:37 +0100
-Subject: [PATCH 08/11] Change fifo mode to 0660 (#26)
-
-- fapolicyd-cli requires fapolicyd.fifo to have 0660 permissions
----
- src/database.c | 9 +++++++--
- src/fapolicyd-cli.c | 32 ++++++++++++++++++++++++++++++++
- 2 files changed, 39 insertions(+), 2 deletions(-)
-
-diff --git a/src/database.c b/src/database.c
-index 64a9fda..52deda4 100644
---- a/src/database.c
-+++ b/src/database.c
-@@ -738,8 +738,13 @@ static void *update_thread_main(void *arg)
-
- /* Make sure that there is no such file/fifo */
- unlink(fifo_path);
-- if ((rc = mkfifo(fifo_path, 0600)) != 0) {
-- msg(LOG_ERR, "Failed to create a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE));
-+
-+ mode_t old_mask = umask(0);
-+ rc = mkfifo(fifo_path, 0660);
-+ (void) umask(old_mask);
-+
-+ if (rc != 0) {
-+ msg(LOG_ERR, "Failed to create a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE));
- return NULL;
- }
-
-diff --git a/src/fapolicyd-cli.c b/src/fapolicyd-cli.c
-index 06e7464..529b63b 100644
---- a/src/fapolicyd-cli.c
-+++ b/src/fapolicyd-cli.c
-@@ -76,6 +76,38 @@ int main(int argc, char const *argv[])
- close(fd);
- return 1;
- }
-+ // we will require pipe to have 0660 permissions
-+ if (!(
-+ (s.st_mode & S_IRUSR) &&
-+ (s.st_mode & S_IWUSR) &&
-+ !(s.st_mode & S_IXUSR) &&
-+
-+ (s.st_mode & S_IRGRP) &&
-+ (s.st_mode & S_IWGRP) &&
-+ !(s.st_mode & S_IXGRP) &&
-+
-+ !(s.st_mode & S_IROTH) &&
-+ !(s.st_mode & S_IWOTH) &&
-+ !(s.st_mode & S_IXOTH)
-+ )) {
-+ fprintf(stderr, "File: %s has 0%d%d%d instead of 0660 \n"
-+ , _pipe
-+ ,
-+ ((s.st_mode & S_IRUSR) ? 4 : 0) +
-+ ((s.st_mode & S_IWUSR) ? 2 : 0) +
-+ ((s.st_mode & S_IXUSR) ? 1 : 0)
-+ ,
-+ ((s.st_mode & S_IRGRP) ? 4 : 0) +
-+ ((s.st_mode & S_IWGRP) ? 2 : 0) +
-+ ((s.st_mode & S_IXGRP) ? 1 : 0)
-+ ,
-+ ((s.st_mode & S_IROTH) ? 4 : 0) +
-+ ((s.st_mode & S_IWOTH) ? 2 : 0) +
-+ ((s.st_mode & S_IXOTH) ? 1 : 0)
-+ );
-+ close(fd);
-+ return 1;
-+ }
- }
-
- ssize_t ret = write(fd, "1", 2);
---
-2.20.1
-
diff --git a/0009-Let-lmdb-create-writable-db-27.patch b/0009-Let-lmdb-create-writable-db-27.patch
deleted file mode 100644
index 84b2deb..0000000
--- a/0009-Let-lmdb-create-writable-db-27.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From d6797522257d5a295f47f6b1d0f4e9334d31fdb7 Mon Sep 17 00:00:00 2001
-From: Radovan Sroka
-Date: Wed, 13 Mar 2019 20:59:08 +0100
-Subject: [PATCH 09/11] Let lmdb create writable db (#27)
-
----
- src/database.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/database.c b/src/database.c
-index 52deda4..70c0611 100644
---- a/src/database.c
-+++ b/src/database.c
-@@ -100,7 +100,10 @@ static int init_db(struct daemon_conf *config)
- if (mdb_env_set_maxreaders(env, 4))
- return 4;
-
-- if (mdb_env_open(env, data_dir, MDB_MAPASYNC|MDB_NOSYNC , 0664))
-+ mode_t old_mode = umask(0);
-+ int rc = mdb_env_open(env, data_dir, MDB_MAPASYNC|MDB_NOSYNC , 0664);
-+ (void) umask(old_mode);
-+ if (rc)
- return 5;
-
- lib_symlink = is_link("/lib");
---
-2.20.1
-
diff --git a/0010-Add-a-note-to-rules-file-how-to-handle-systems-with-.patch b/0010-Add-a-note-to-rules-file-how-to-handle-systems-with-.patch
deleted file mode 100644
index 164cbea..0000000
--- a/0010-Add-a-note-to-rules-file-how-to-handle-systems-with-.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c7c5700d5afc0f828a0152ad3171a3b2c3655b2a Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Wed, 13 Mar 2019 16:15:11 -0400
-Subject: [PATCH 10/11] Add a note to rules file how to handle systems with
- LD_LIBRARY_PATH
-
----
- init/fapolicyd.rules | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/init/fapolicyd.rules b/init/fapolicyd.rules
-index 57fff97..27a5d6d 100644
---- a/init/fapolicyd.rules
-+++ b/init/fapolicyd.rules
-@@ -24,6 +24,9 @@ deny_audit exe_dir=execdirs exe=untrusted all
- allow all dir=execdirs ftype=application/x-executable
- deny_audit all ftype=application/x-executable
-
-+# If you have a LD_LIBRARY_PATH, you may need to allow those here
-+# allow all dir=/usr/local/cuda/lib64 ftype=application/x-sharedlib
-+
- # Only allow system ELF libs
- allow all dir=execdirs ftype=application/x-sharedlib
- deny_audit all ftype=application/x-sharedlib
---
-2.20.1
-
diff --git a/0011-In-order-to-create-the-correct-permissions-on-the-fi.patch b/0011-In-order-to-create-the-correct-permissions-on-the-fi.patch
deleted file mode 100644
index dadf446..0000000
--- a/0011-In-order-to-create-the-correct-permissions-on-the-fi.patch
+++ /dev/null
@@ -1,176 +0,0 @@
-From abb747485f436f8d16eb88745f6f02225ffb1201 Mon Sep 17 00:00:00 2001
-From: Steve Grubb
-Date: Wed, 13 Mar 2019 17:33:19 -0400
-Subject: [PATCH 11/11] In order to create the correct permissions on the fifo,
- we need to do this while we are still root. Move the fifo construction to its
- own function, then call it when we are about to change uid. Meanwhile, still
- create it in the usual spot if we are staying root.
-
-One change added was renaming the variable from pfd to ffd. This was done
-as a preventive measure to ensure no symbol collision with pfd in
-fapolicyd.c
----
- src/database.c | 72 +++++++++++++++++++++++++++++++++----------------
- src/database.h | 1 +
- src/fapolicyd.c | 2 ++
- 3 files changed, 52 insertions(+), 23 deletions(-)
-
-diff --git a/src/database.c b/src/database.c
-index 70c0611..c360119 100644
---- a/src/database.c
-+++ b/src/database.c
-@@ -56,6 +56,7 @@ static int dbi_init = 0;
- const char *data_dir = "/var/lib/fapolicyd";
- const char *db = "trust.db";
- static int lib_symlink=0, lib64_symlink=0, bin_symlink=0, sbin_symlink=0;
-+static struct pollfd ffd[1] = { {0, 0, 0} };
-
- // External variables
- extern volatile atomic_bool stop;
-@@ -86,6 +87,45 @@ static int is_link(const char *path)
- return 0;
- }
-
-+int preconstruct_fifo(struct daemon_conf *config)
-+{
-+ int rc;
-+ char err_buff[BUFFER_SIZE];
-+
-+ /* Make sure that there is no such file/fifo */
-+ unlink(fifo_path);
-+
-+ mode_t old_mask = umask(0);
-+ rc = mkfifo(fifo_path, 0660);
-+ (void) umask(old_mask);
-+
-+ if (rc != 0) {
-+ msg(LOG_ERR, "Failed to create a pipe %s (%s)", fifo_path,
-+ strerror_r(errno, err_buff, BUFFER_SIZE));
-+ return 1;
-+ }
-+
-+ if ((ffd[0].fd = open(fifo_path, O_RDWR)) == -1) {
-+ msg(LOG_ERR, "Failed to open a pipe %s (%s)", fifo_path,
-+ strerror_r(errno, err_buff, BUFFER_SIZE));
-+ unlink(fifo_path);
-+ return 1;
-+ }
-+
-+ if (config->gid != getgid()) {
-+ if ((fchown(ffd[0].fd, 0, config->gid))) {
-+ msg(LOG_ERR, "Failed to fix ownership of pipe %s (%s)",
-+ fifo_path, strerror_r(errno, err_buff,
-+ BUFFER_SIZE));
-+ unlink(fifo_path);
-+ close(ffd[0].fd);
-+ return 1;
-+ }
-+ }
-+
-+ return 0;
-+}
-+
- static int init_db(struct daemon_conf *config)
- {
- if (mdb_env_create(&env))
-@@ -728,7 +768,6 @@ int update_database(struct daemon_conf *config)
- static void *update_thread_main(void *arg)
- {
- int rc;
-- struct pollfd pfd[1];
- char buff[BUFFER_SIZE];
-
- char err_buff[BUFFER_SIZE];
-@@ -739,29 +778,16 @@ static void *update_thread_main(void *arg)
- msg(LOG_DEBUG, "Update thread main started");
- #endif
-
-- /* Make sure that there is no such file/fifo */
-- unlink(fifo_path);
--
-- mode_t old_mask = umask(0);
-- rc = mkfifo(fifo_path, 0660);
-- (void) umask(old_mask);
--
-- if (rc != 0) {
-- msg(LOG_ERR, "Failed to create a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE));
-- return NULL;
-- }
--
-- if ((pfd[0].fd = open(fifo_path, O_RDWR)) == -1) {
-- msg(LOG_ERR, "Failed to open a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE));
-- unlink(fifo_path);
-- return NULL;
-+ if (ffd[0].fd == 0) {
-+ if (preconstruct_fifo(config))
-+ return NULL;
- }
-
-- pfd[0].events = POLLIN;
-+ ffd[0].events = POLLIN;
-
- while (!stop) {
-
-- rc = poll(pfd, 1, 1000);
-+ rc = poll(ffd, 1, 1000);
-
- #ifdef DEBUG
- msg(LOG_DEBUG, "Update poll interrupted");
-@@ -783,9 +809,9 @@ static void *update_thread_main(void *arg)
- #endif
- continue;
- } else {
-- if (pfd[0].revents & POLLIN) {
-+ if (ffd[0].revents & POLLIN) {
- memset(buff, 0, BUFFER_SIZE);
-- ssize_t count = read(pfd[0].fd, buff, BUFFER_SIZE);
-+ ssize_t count = read(ffd[0].fd, buff, BUFFER_SIZE);
-
- if (count == -1) {
- msg(LOG_ERR, "Failed to read from a pipe %s (%s)", fifo_path, strerror_r(errno, err_buff, BUFFER_SIZE));
-@@ -815,7 +841,7 @@ static void *update_thread_main(void *arg)
-
- if ((rc = update_database(config))) {
- msg(LOG_ERR, "Cannot update a database!");
-- close(pfd[0].fd);
-+ close(ffd[0].fd);
- unlink(fifo_path);
- exit(rc);
- } else {
-@@ -828,7 +854,7 @@ static void *update_thread_main(void *arg)
- }
-
- err_out:
-- close(pfd[0].fd);
-+ close(ffd[0].fd);
- unlink(fifo_path);
-
- return NULL;
-diff --git a/src/database.h b/src/database.h
-index eca7b0d..13881e9 100644
---- a/src/database.h
-+++ b/src/database.h
-@@ -31,6 +31,7 @@
- void lock_update_thread(void);
- void unlock_update_thread(void);
-
-+int preconstruct_fifo(struct daemon_conf *config);
- int init_database(struct daemon_conf *config);
- int update_database(struct daemon_conf *config);
- int check_trust_database(const char *path);
-diff --git a/src/fapolicyd.c b/src/fapolicyd.c
-index ad9f2f2..f327386 100644
---- a/src/fapolicyd.c
-+++ b/src/fapolicyd.c
-@@ -357,6 +357,8 @@ int main(int argc, char *argv[])
-
- // If we are not going to be root, then setup necessary capabilities
- if (config.uid != 0) {
-+ if (preconstruct_fifo(&config))
-+ exit(1);
- capng_clear(CAPNG_SELECT_BOTH);
- capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
- CAP_DAC_OVERRIDE, CAP_SYS_ADMIN, CAP_SYS_PTRACE,
---
-2.20.1
-
diff --git a/fapolicyd.spec b/fapolicyd.spec
index de11dba..8838008 100644
--- a/fapolicyd.spec
+++ b/fapolicyd.spec
@@ -1,7 +1,7 @@
 Summary: Application Whitelisting Daemon
 Name: fapolicyd
-Version: 0.8.8
-Release: 2%{?dist}
+Version: 0.8.9
+Release: 1%{?dist}
 License: GPLv3+
 URL: http://people.redhat.com/sgrubb/fapolicyd
 Source0: https://people.redhat.com/sgrubb/fapolicyd/%{name}-%{version}.tar.gz
@@ -15,17 +15,6 @@ Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units -Patch1: 0001-Fix-the-spec-file-to-use-run-instead-of-var-run.patch -Patch2: 0002-Fix-service-file-to-use-run-instead-of-var-run.patch -Patch3: 0003-Install-a-usr-lib-tmpfiles.d-fapolicyd.conf-for-run-.patch -Patch4: 0004-remove-fifo-on-all-exit-paths-for-update-thread.patch -Patch5: 0005-Move-some-debug-messages-under-ifdef-DEBUG-24.patch -Patch6: 0006-Get-rid-of-trailing-whitespaces-25.patch -Patch7: 0007-Add-some-documentation-about-how-ELF-startup-works.patch -Patch8: 0008-Change-fifo-mode-to-0660-26.patch -Patch9: 0009-Let-lmdb-create-writable-db-27.patch -Patch10: 0010-Add-a-note-to-rules-file-how-to-handle-systems-with-.patch -Patch11: 0011-In-order-to-create-the-correct-permissions-on-the-fi.patch %description Fapolicyd (File Access Policy Daemon) implements application whitelisting @@ -36,18 +25,6 @@ makes use of the kernel's fanotify interface to determine file access rights. %prep %setup -q -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 - %build ./autogen.sh %configure --with-audit @@ -97,6 +74,9 @@ getent passwd %{name} >/dev/null || useradd -r -M -d %{_localstatedir}/lib/%{nam %{python3_sitelib}/dnf-plugins/__pycache__/%{name}-dnf-plugin.*.pyc %changelog +* Mon May 06 2019 Radovan Sroka - 0.8.9-1 +- New upstream release + * Wed Mar 13 2019 Radovan Sroka - 0.8.8-2 - backport some patches to resolve dac_override for fapolicyd diff --git a/sources b/sources index 29b8c92..fe31a7d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (fapolicyd-0.8.8.tar.gz) = 1aefdcea23862d7d18a6dbe8433f975d40047828674cc5f6a87e2190132eaa6ea4457be994a090597c248343936eb5c687a8dd732a8e6c8a254c242f28f1ad88 +SHA512 (fapolicyd-0.8.9.tar.gz) = de3f9aaac36fb7d2b00bc873d4b0cb68fabf5f3bb74812d530ec7f66b3c3690a0cc51f35922a3f0a212c670ecae719956e26bfb0b14cab76d8356ea058709dc5