Bug 1553496 - Review Request: libusbauth-configparser, usbauth, usbauth-notifier - USB Firewall including flex/bison parser
Keywords:
Status: CLOSED DUPLICATE of bug 1554021
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: FE-NEEDSPONSOR
Reported: 2018-03-09 00:17 UTC by Stefan Koch
Modified: 2018-03-10 19:52 UTC (History)
Last Closed: 2018-03-10 19:52:31 UTC
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1554020 0 unspecified CLOSED Review Request: libusbauth-configparser - Library for USB Firewall including flex/bison parser 2022-05-16 11:32:56 UTC
Red Hat Bugzilla 1554021 0 unspecified CLOSED Review Request: usbauth - USB firewall against BadUSB attacks 2022-05-16 11:32:56 UTC
Red Hat Bugzilla 1554022 0 unspecified CLOSED Review Request: usbauth-notifier - Notifier for USB Firewall to use with desktop environments 2022-05-16 11:32:56 UTC

Internal Links: 1554020 1554021 1554022

Description Stefan Koch 2018-03-09 00:17:39 UTC
Fedora Account System Username: kochstefan

### libusbauth-configparser ###
Spec URL: https://copr-be.cloud.fedoraproject.org/results/kochstefan/usbauth-all/fedora-27-x86_64/00725929-libusbauth-configparser/libusbauth-configparser.spec

SRPM URL: https://copr-be.cloud.fedoraproject.org/results/kochstefan/usbauth-all/fedora-27-x86_64/00725929-libusbauth-configparser/libusbauth-configparser-1.0-0.src.rpm

Description: The library is used to read the usbauth config file into data structures and is used by usbauth and YaST.

### usbauth ###

Spec URL: https://copr-be.cloud.fedoraproject.org/results/kochstefan/usbauth-all/fedora-27-x86_64/00725931-usbauth/usbauth.spec

SRPM URL: https://copr-be.cloud.fedoraproject.org/results/kochstefan/usbauth-all/fedora-27-x86_64/00725931-usbauth/usbauth-1.0-0.src.rpm

Description: It is a firewall against BadUSB attacks. A config file describes in which way USB interfaces would be accepted or denied.
To the kernel an interface authorization was developed with this firewall.
The firewall sets the authorization mask according to the rules.

### usbauth-notifier ###

Spec URL: https://copr-be.cloud.fedoraproject.org/results/kochstefan/usbauth-all/fedora-27-x86_64/00725932-usbauth-notifier/usbauth-notifier.spec
SRPM URL: https://copr-be.cloud.fedoraproject.org/results/kochstefan/usbauth-all/fedora-27-x86_64/00725932-usbauth-notifier/usbauth-notifier-1.0-0.src.rpm

Description: A notifier for the usbauth firewall against BadUSB attacks. The user could manually allow or deny USB devices.
Every user that wants to use the notifier must be added to the usbauth group.


Detailed Description:
Hi

I want to add the described packages to Fedora. I need a review and a sponsor for packaging these packages.

The usbauth packages are already part of openSUSE Tumbleweed, Debian Sid and Ubuntu 18.04 (pre).

This work was initially created for SUSE in 2015. Part of it was the USB interface authorization for the Linux kernel. It's contained in Linux since kernel version 4.4.
There are the following packages libusbauth-configparser, usbauth, usbauth-notifier.

GIT Repository: https://github.com/kochstefan/usbauth-all.git

NOTICE about usbguard and usbauth:
The usbguard project provides a USB firewall, too. It is already packaged within Debian.
The usbguard development was supported by RedHat and usbauth was supported by SUSE. Historically, usbguard was published while the work on usbauth had already been started.
The main difference is that usbguard works with USB devices and usbauth works with USB interfaces.

usbauth could allow/deny USB interfaces using the new USB interface authorization mechanism that is part of Linux 4.4 and above.
See also: 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/?h=v4.4.94&qt=grep&q=interface+auth

Examples:
* allow a storage functionality of a USB device and deny USB Ethernet of the same device
* allow audio/video functionality of a USB TV card and deny using the remote control functionality
* allow USB printing/scanning and deny USB storage usage of a multifunction printer (BTW: the interface mechanism supports denying user space triggered actions (using USB claiming) like scanning)

usbguard could allow/deny USB devices using the USB device authorization mechanism of the Linux kernel.
It allows denying a whole device if one interface of it is considered as bad (usbauth supports this, too).
usbguard allows creating actions that are not supported by usbauth.

If you can understand German, you could read a detailed description:
https://epub.uni-bayreuth.de/3048/1/koch2017sicherheitsaspekte.pdf

Thank you

Stefan Koch
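
The per-interface authorization described in the post above, as an added example that is not part of the original post and is not usbauth's code: it uses the kernel's `authorized` and `bInterfaceClass` sysfs attributes of USB interfaces to allow the storage interface of a device while denying its other interface. The function names, the `USB_SYSFS` variable and the sample tree are assumptions constructed for illustration; on a real system the writes need root.

```shell
#!/bin/sh
# Added example: per-interface USB authorization through sysfs (Linux >= 4.4).
# USB_SYSFS defaults to the real tree; demo() points it at a constructed
# directory so the script runs without hardware or root.
USB_SYSFS="${USB_SYSFS:-/sys/bus/usb/devices}"

# Print "<interface> class=<bInterfaceClass> authorized=<0|1>" per interface.
# Interface directories are named <bus>-<port>:<config>.<interface>.
list_interfaces() {
    for dir in "$USB_SYSFS"/*:*; do
        [ -f "$dir/bInterfaceClass" ] || continue
        printf '%s class=%s authorized=%s\n' "${dir##*/}" \
            "$(cat "$dir/bInterfaceClass")" "$(cat "$dir/authorized")"
    done
}

# Authorize only the interfaces of device $1 whose class is in the
# space-separated allow-list $2; deauthorize every other interface.
apply_class_policy() {
    device="$1"; allowed="$2"
    for dir in "$USB_SYSFS/$device":*; do
        [ -f "$dir/bInterfaceClass" ] || continue
        class="$(cat "$dir/bInterfaceClass")"
        case " $allowed " in
            *" $class "*) echo 1 > "$dir/authorized" ;;
            *)            echo 0 > "$dir/authorized" ;;
        esac
    done
}

# Constructed sample: device 1-2 with a mass storage interface (class 08)
# and a communications (USB Ethernet style) interface (class 02).
make_sample_tree() {
    root="$(mktemp -d)"
    for spec in "1-2:1.0 08" "1-2:1.1 02"; do
        set -- $spec
        mkdir -p "$root/$1"
        echo "$2" > "$root/$1/bInterfaceClass"
        echo 1 > "$root/$1/authorized"
    done
    echo "$root"
}

demo() {
    USB_SYSFS="$(make_sample_tree)"
    apply_class_policy 1-2 "08"
    list_interfaces
    rm -rf "$USB_SYSFS"
}
demo
```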

Comment 1 Robert-André Mauchin 🐧 2018-03-09 17:01:40 UTC
1 Review per bug, please open 3 bugs if you have 3 packages to review.

 - Not needed in Fedora:
   - Group: 
   - BuildRoot:      %{_tmppath}/%{name}-%{version}-build
   - %defattr(-,root,root)

 - If you install libraries, you must run %ldconfig_scriptlets after %install instead of:

%post -n %{name}1 -p /sbin/ldconfig

%postun -n %{name}1 -p /sbin/ldconfig

 - Why do you create a "%{name}1" subpackage? This is useless, put the files in the main package.

 - Release must start at 1 and contain %{?dist}:

Release:   1%{?dist}

 - Not needed: %{!?_udevrulesdir: %global _udevrulesdir %(pkg-config --variable=udevdir udev)/rules.d }

 - Don't mix SUSE stuff in a Fedora package

 - %config → %config(noreplace)

 - Not needed:

%post
%{?udev_rules_update:%udev_rules_update}

%postun
%{?udev_rules_update:%udev_rules_update}

 - Source0: must be a URL pointing to the upstream archive. For ex:

Source0: https://github.com/kochstefan/usbauth-all/archive/v%{version}/%{name}-%{version}.tar.gz

 - License:        LGPL-2.1
   License:        GPL-2.0

These are not valid license shorthands. See the list of valid licenses: https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#SoftwareLicenses

 - Changelog must not be empty.

 - See https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Dynamic_allocation for how to add users and groups

Comment 2 Stefan Koch 2018-03-10 19:52:31 UTC

*** This bug has been marked as a duplicate of bug 1554021 ***

