usbguard/usbguard.changes

356 lines
16 KiB
Plaintext

-------------------------------------------------------------------
Thu Jun 6 18:02:42 UTC 2024 - Robert Frohl <rfrohl@suse.com>
- update to 1.1.3
* Fix typo in CLI --help message: "privilges" -> "privileges"
* Harden service file: Set OOMScoreAdjust to -1000
* Specify what happens when neither RuleFile nor RuleFolder is set
* The parent process should wait for the first child process to finish in forking mode(-f)
* dbus: check whether the client wanted interactive authentication
* Add missing .adoc files to the tarball
* Replace problematic terms with alternatives
* Fix CI by fixing calls to ldap-utils
* Describe comments in the manual page
* Store permanent rules even if RuleFile is not set but RuleFolder is.
* Fix build for GCC 13 + make GitHub Actions cover build with GCC 13
* Bump GitHub Actions off deprecated actions/checkout@v2
* Actions(deps): Bump actions/checkout from 3.5.2 to 4.1.1
* Add "--version" option to the usbguard CLI
* ruleset: detect integer overflow of the ID and bail out
* Enable RuleFolder by default
* Fix CI and RuleSet::assignID regressions
- Removed build_gcc13.patch, included upstream
-------------------------------------------------------------------
Tue Feb 20 15:58:57 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Use %autosetup macro. Allows to eliminate the usage of deprecated
%patchN
-------------------------------------------------------------------
Tue Mar 28 08:25:34 UTC 2023 - Robert Frohl <rfrohl@suse.com>
- Fix build failure with gcc13, add build_gcc13.patch.
-------------------------------------------------------------------
Mon Sep 5 08:55:51 UTC 2022 - Robert Frohl <rfrohl@suse.com>
- update to 1.1.2
* Fixed
- Polkit: Always allow getParameter/listDevices/listRules in active sessions
- D-Bus: Send reply on auth failure
- Polkit: Unreference PolkitAuthorizationResult and PolkitAuthority structs if needed
-------------------------------------------------------------------
Tue Apr 5 12:26:09 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
- When running autoreconf, do it complete so that it does not trip
over different versions of libtool being used.
-------------------------------------------------------------------
Wed Mar 16 13:02:20 UTC 2022 - Robert Frohl <rfrohl@suse.com>
- update to 1.1.1
* Fixed/Changed
- Use authentication instead of authentification
- Restore support for access control filenames without a group
-------------------------------------------------------------------
Tue Mar 1 16:31:24 UTC 2022 - Robert Frohl <rfrohl@suse.com>
- Enable dbus support (bsc#1196621, jsc#PED-3824).
-------------------------------------------------------------------
Fri Feb 25 10:43:56 UTC 2022 - Robert Frohl <rfrohl@suse.com>
- Fix build for Leap and SLE by using newer gcc version
-------------------------------------------------------------------
Thu Feb 24 14:49:05 UTC 2022 - Robert Frohl <rfrohl@suse.com>
- update to 1.1.0
* Added
- Started building with C++17
- Tree-like list-devices output
- Added CAP_AUDIT_WRITE capability to service file
- Added support for lower OpenSSL versions prior to 1.1.0
- Added a new signal: DevicePolicyApplied
* Fixed/Changed
- Moved PIDFile from /var/run to /run
- Fixed linker isssues with disable-static
- Enhanced bash-completion script
- Make username/group checking consistent with useradd manual page definition (with addition of capital letters)
- Fixed multiple IPC related bugs
- Fixed race condition when accessing port/connect_type for USB devices
- Using bundled catch v2.13.8
- Using bundled PEGTL v3.2.5
- Fixed usbguard-rule-parser file opening
- CVE-2019-25058: Fix unauthorized access via D-Bus (boo#1196460)
- remove usbguard.service.in.patch applied upstream
-------------------------------------------------------------------
Thu Aug 5 15:26:54 UTC 2021 - Robert Frohl <rfrohl@suse.com>
- move usbguard.pid from /var/run to /run
added usbguard.service.in.patch
-------------------------------------------------------------------
Wed Jan 13 16:05:00 UTC 2021 - Robert Frohl <rfrohl@suse.com>
- update to 1.0.0
* Added openssl support
* Starting with libtool versioning
* Added interface for IPC permission query
* Introduced partial rule concept fo CLI
* Added WithConnectType for ldap rule
* Daemon does not apply the policy when "change" action event appears anymore
* IPCClientPrivate@disconnect is thread safe
* Enforced loading of files from .d/ direcory in alfabetical order
* Improved CLI behaviour to be consistent
* Clarified rule's label documentation
-------------------------------------------------------------------
Fri Oct 2 15:12:06 UTC 2020 - pgajdos@suse.com
- drop useless build dependency on aspell (aspell is going to be
removed from tumbleweed)
-------------------------------------------------------------------
Thu Jul 9 12:57:34 UTC 2020 - Robert Frohl <rfrohl@suse.com>
- disable system call filtering in systemd service file for Leap 15.X (boo#1173750)
* daemon wont start on Leap otherwise
-------------------------------------------------------------------
Tue Jun 16 11:40:03 UTC 2020 - Robert Frohl <rfrohl@suse.com>
- update to 0.7.8
+ Fixed segfaults with rules.d feature
- update to 0.7.7
+ Added readwritepath to service file
+ Added match-all keyword to rules language
+ Added rules.d feature: daemon can load multiple rule files from rules.d/
+ Included with-connect-type in dbus signal
+ Fixed sigwaitinfo handling
+ Fixed possible data corruption on stack with appendRule via dbus
+ Fixed ENOBUFS errno handling on netlink socket: daemon can survive and wait until socket is readable again
+ Dropped unused PIDFile from service file
+ Dropped deprecated dbus-glib dependency
-------------------------------------------------------------------
Thu Jan 30 18:26:34 UTC 2020 - Stefan Brüns <stefan.bruens@rwth-aachen.de>
- update to 0.7.6
+ Added missing options in manpage usbguard-daemon(8)
+ Extended the functionality of allow/block/reject commands
The command can handle rule as a param and not only its ID e.g.
in case of allow, command will allow each device that matches
provided rule
+ Added debug info for malformed descriptors
+ Changed default backend to uevent
+ Fixed handling of add uevents during scanning
Now we are sure that the enumeration is completed before
processing any uevent we are trying to avoid a race where
the kernel is still enumerating the devices and send the
uevent while the parent is being authorised
+ Silenced 'bind' and 'unbind' uevents
- Remove PEGTL build dependency, the package already uses the
bundled version, and there is hardly any reason to unbundle
a template (header only) library.
- Remove Qt5 build dependencies, Qt applet is a separate package.
- Use pkgconfig(udev) instead of udev-devel to allow shortcut
via udev-mini.
-------------------------------------------------------------------
Mon Jul 22 09:54:57 UTC 2019 - Robert Frohl <rfrohl@suse.com>
- update to 0.7.5
- Added daemon configuration option HidePII
- Added check to avoid conflict between ASAN and TSAN
- Added daemon configuration option for authorized_default
- Added devpath option to generate-policy
- Added # line comments to the rule grammar
- Added ImplicitPolicyTarget to get/set parameter methods
- Added option to filter rules by label when listing
- Added the label attribute to rule
- Added PropertyParameterChanged signal
- Added support for portX/connect_type attribute
- Added temporary option to append-rule
- Added versioning to DBus service
- Added optional LDAP support
- Fixed invalid return value in Rule::Attribute::setSolveEqualsOrdered
- Fixed KeyValueParser to validate keys only when known names are set
- Fixed uninitialized variables found by coverity
- Fixes and cleanups based on LGTM.com report
- Hardened systemd service
- Rename ListRules parameter 'query' to 'label'
- Skip empty lines in usbguard-rule-parser
- The proof-of-concept Qt applet was removed. It is going to be maintained
in a simplified form as a separate project.
Removed: usbguard-applet-qt_desktop_menu_categories.patch
Modified: usbguard-pthread.patch
- Updated usbguard.keyring to add new gpg key for upstream: 5A2EC3932A983910
-------------------------------------------------------------------
Mon Jul 22 09:50:04 UTC 2019 - Marcus Meissner <meissner@suse.com>
- link against libpthread to make it build (bsc#1141377)
- added usbguard-pthread.patch
-------------------------------------------------------------------
Wed May 22 13:38:28 UTC 2019 - Christophe Giboudeaux <christophe@krop.fr>
- Run spec-cleaner
- Add the missing systemd build requirement.
-------------------------------------------------------------------
Tue Jan 15 16:28:33 UTC 2019 - Robert Frohl <rfrohl@suse.com>
- use upstream usbguard.service instead of hardcoded version (bsc#1120969)
-------------------------------------------------------------------
Wed Nov 7 17:38:38 UTC 2018 - Jan Engelhardt <jengelh@inai.de>
- Fix RPM groups. Avoid pointless shelling out to /bin/rm.
-------------------------------------------------------------------
Tue Oct 9 09:48:44 UTC 2018 - Robert Frohl <rfrohl@suse.com>
- changed zsh completion location
- added rpmlint for zero size rules.conf
-------------------------------------------------------------------
Tue Oct 9 08:05:02 UTC 2018 - Robert Frohl <rfrohl@suse.com>
- added signature verification of tarball
- add usbguard-0.7.4.tar.gz.sig
- add usbguard.keyring
-------------------------------------------------------------------
Mon Oct 8 14:19:55 UTC 2018 - Robert Frohl <rfrohl@suse.com>
- update to 0.7.4
- Changed
Fixed conditional manual page generation & installation
- update to 0.7.3
- Changed
usbguard-daemon will now exit with an error if it fails to open a logging file or audit event file.
Modified the present device enumeration algorithm to be more reliable. Enumeration timeouts won't cause usbguard-daemon process to exit anymore.
- Added
umockdev based device manager capable of simulating devices based on umockdev-record files.
- update to 0.7.2
- Changed
Fixed memory leaks in usbguard::Hash class.
Fixed file descriptor leaks in usbguard::SysFSDevice class.
Skip audit backend logging when no backend was set.
- Added
Added zsh completion & other scripts to the distribution tarball.
- update to 0.7.1
- Added
CLI: usbguard watch command now includes an -e <path> option to run an executable for every received event. Event data are passed to the executable via environment variables.
usbguard-daemon: added "-K" option which can disable logging to console.
Added zsh autocompletion support.
usbguard-daemon: added "-f" option which enabled double-fork daemonization procedure.
Added AuditBackend usbguard-daemon configuration option for selecting audit log backend.
Linux Audit support via new LinuxAudit backend.
Added missing RuleCondition.hpp header file to the public API headers.
- Changed
Qt Applet: disabled session management
usbguard-daemon console logging output is enabled by default now. Previously, the -k option had to be passed to enable the output.
Replaced --enable-maintainer-mode configure option with --enable-full-test-suite option. When the new option is not used during the configure phase, only a basic set of test is run during the make check phase.
usbguard-daemon now opens configuration in read-only mode
Fixed UEventDeviceManager to work with Linux Kernel >= 4.13
Refactored audit logging to support different audit log backends
Made the configuration parser strict. Unknown directives and wrong syntax will cause an error.
- Added usbguard-applet-qt package to allow easier user interaction
- Added usbguard-applet-qt_desktop_menu_categories.patch to fix category
- Updated usbguard-daemon.conf to upstream version
- Removed obsolte patch usbguard-fixes.patch
- Added rules.conf, fixing bsc#1071076
-------------------------------------------------------------------
Wed Sep 6 10:48:23 UTC 2017 - meissner@suse.com
- updated to 0.7.0
- Added
Added InsertedDevicePolicy configuration option to control the policy method for inserted devices.
Added RestoreControllerDeviceState configuration option.
Added DeviceManagerBackend configuration option. This option can be used to select from several device manager backend implementations.
Implemented an uevent based device manager backend.
Added setParameter, getParameter IPC (incl. D-Bus) methods.
Added set-parameter, get-parameter CLI subcommands.
Qt Applet: Added Spanish (es_AR) translation.
Create empty rules.conf file at install time (make install).
Support for numeric UID/GID values in IPCAllowedUsers and IPCAllowedGroups settings.
If bash completion support is detected at configure time, install the bash completion script during make install.
Added new configuration setting: IPCAccessControlFiles.
IPC access is now configurable down to a section and privilege level per user and/or group.
Added add-user, remove-user usbuard CLI subcommands for creating, removing IPC access control files.
Added AuditFilePath configuration option for setting the location of the USBGuard audit events log file path. If set, the usbguard-daemon will log policy and device related actions and whether they succeeded or not.
- Removed
Removed UDev based device manager backend and UDev related dependencies.
Removed UDev development files/API dependecy
- Changed
Reset Linux root hub bcdDevice value before updating device hash. This is a backwards incompatible change because it changes how the device hash is computed for Linux root hub devices.
Refactored low-level USB device handling into SysFSDevice class which represents a device in the /sys filesystem (sysfs).
Removed usage of readdir_r because it's obsolete. Replaced with readdir with the assumption that its usage is thread-safe if the directory handle passed to it is not shared between threads.
Extended test suite with use case tests.
Install the usbguard-daemon configuration and policy file with strict file permissions to prevent policy leaks.
Fixed several memory leaks.
Don't pre-resolve user and group names in IPCAllowedUsers and IPCAllowedGroups settings. Instead, resolve the name during the IPC authentication phase.
- Updated to 0.6.2
Wait for disconnect in IPCClient dtor if needed
Qt Applet: Fixed loading of decision method and default decision settings
- Updated to 0.6.1
- Changed
Refactored logging subsystem
Fixed handling of IPC disconnect in the IPCClient class
Qt Applet: Fixed handling of main window minimization and maximization
Fixed building on architectures that don't provide required atomic operations.
The libatomic emulation library will be used in such cases.
Fixed several typos in the documentation
- Added
Implemented a simple internal logger
Access to the logger via public API
Improved logging coverage. Logging output can be enabled either via
CLI options or by setting the USBGUARD_DEBUG environment variable to 1.
Qt Applet: UI translation support.
Qt Applet: Czech (cs_CZ) translation
- Removed
Removed spdlog dependency
- .... ommitted changes from 0.5* series ..
-------------------------------------------------------------------
Tue Mar 1 12:08:51 UTC 2016 - meissner@suse.com
- split off a library package libusbguard0
-------------------------------------------------------------------
Sun Jan 31 09:40:56 UTC 2016 - meissner@suse.com
- a daemon and framework and tools to guard against bad usb
devices.