From 004358c4f16a20aa4ab14c7c2da336cff7fe22c0 Mon Sep 17 00:00:00 2001 From: wenyuzifang Date: Tue, 26 Aug 2025 00:04:28 +0800 Subject: [PATCH] Update code from upstream --- smartdnotify | 8 +- smartmon.fc | 11 ++ smartmon.if | 68 +++++++++++ smartmon.te | 195 ++++++++++++++++++++++++++++++++ smartmontools-7.5-a2a45dc.patch | 116 +++++++++++++++++++ smartmontools.spec | 12 +- smartmontools.sysconf | 4 +- 7 files changed, 406 insertions(+), 8 deletions(-) create mode 100644 smartmon.fc create mode 100644 smartmon.if create mode 100644 smartmon.te create mode 100644 smartmontools-7.5-a2a45dc.patch diff --git a/smartdnotify b/smartdnotify index c64e9ec..86d786b 100644 --- a/smartdnotify +++ b/smartdnotify @@ -1,11 +1,11 @@ #! /bin/sh - + # Send mail if which mail >/dev/null 2>&1 then echo "$SMARTD_FULLMESSAGE" | mail -s "$SMARTD_SUBJECT" "$SMARTD_ADDRESS" fi - + # Notify desktop user MESSAGE="SMART Disk monitor:" case "$SMARTD_FAILTYPE" in @@ -23,7 +23,7 @@ case "$SMARTD_FAILTYPE" in # "FailedReadSmartSelfTestLog", // 8 exit 0 esac - + echo "$MESSAGE $SMARTD_MESSAGE" | wall -n 2>/dev/null ||: - + diff --git a/smartmon.fc b/smartmon.fc new file mode 100644 index 0000000..eb186b6 --- /dev/null +++ b/smartmon.fc @@ -0,0 +1,11 @@ +/etc/rc\.d/init\.d/(smartd|smartmontools) -- gen_context(system_u:object_r:fsdaemon_initrc_exec_t,s0) + +/usr/sbin/smartd -- gen_context(system_u:object_r:fsdaemon_exec_t,s0) + +/var/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_var_run_t,s0) + +/var/lib/smartmontools(/.*)? gen_context(system_u:object_r:fsdaemon_var_lib_t,s0) + +/etc/smartmontools/smartd_warning.(sh|d/.*) gen_context(system_u:object_r:smartdwarn_script_t,s0) +/usr/libexec/smartmontools/smartdnotify -- gen_context(system_u:object_r:smartdwarn_script_t,s0) + diff --git a/smartmon.if b/smartmon.if new file mode 100644 index 0000000..541a45a --- /dev/null +++ b/smartmon.if 
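Review bot: In smartmon.fc the dot in `/etc/smartmontools/smartd_warning.(sh|d/.*)` is unescaped, so it matches any character, unlike the `smartd\.pid` entry above it. Because smartdwarn_script_t is the entrypoint type for smartdwarn_t (per `application_domain` in smartmon.te), the pattern should be as tight as the intent: `/etc/smartmontools/smartd_warning\.(sh|d/.*)`. The entry also has no file-type field, so it labels every object class under smartd_warning.d; add `--` if only regular files are meant to carry the entrypoint label.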
@@ -0,0 +1,68 @@ +## Smart disk monitoring daemon. + +####################################### +## +## Read smartmon temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`smartmon_read_tmp_files',` + gen_require(` + type fsdaemon_tmp_t; + ') + + files_search_tmp($1) + allow $1 fsdaemon_tmp_t:file read_file_perms; +') + +######################################## +## +## All of the rules required to +## administrate an smartmon environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`smartmon_admin',` + gen_require(` + type fsdaemon_t, fsdaemon_tmp_t, fsdaemon_var_run_t; + type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t; + type smartdwarn_t, smartdwarn_script_t; + ') + + allow $1 fsdaemon_t:process signal_perms; + ps_process_pattern($1, fsdaemon_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 fsdaemon_t:process ptrace; + ') + + init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fsdaemon_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, smartdwarn_script_t) + + files_list_tmp($1) + admin_pattern($1, fsdaemon_tmp_t) + + files_list_pids($1) + admin_pattern($1, fsdaemon_var_run_t) + + files_list_var_lib($1) + admin_pattern($1, fsdaemon_var_lib_t) +') diff --git a/smartmon.te b/smartmon.te new file mode 100644 index 0000000..df14317 --- /dev/null +++ b/smartmon.te @@ -0,0 +1,195 @@ +policy_module(smartmon, 1.13.0) + +######################################## +# +# Declarations +# + +## +##
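Review bot: `smartmon_admin` lists `smartdwarn_t` in its `gen_require` block, but no rule in the interface uses it. An admin role can therefore signal and inspect fsdaemon_t processes but not processes in the warning-script domain. Either drop the type from the require, or add `allow $1 smartdwarn_t:process signal_perms;` and `ps_process_pattern($1, smartdwarn_t)` next to the fsdaemon_t rules.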

+## Determine whether smartmon can support +## devices on 3ware controllers. +##

+##
+gen_tunable(smartmon_3ware, false) + +require { + class capability dac_override; + type tty_device_t, user_devpts_t, system_mail_t; +} + +type fsdaemon_t; +type fsdaemon_exec_t; +init_daemon_domain(fsdaemon_t, fsdaemon_exec_t) + +type fsdaemon_initrc_exec_t; +init_script_file(fsdaemon_initrc_exec_t) + +# runs smartd_warning.sh and smartd_warning.d/* +type smartdwarn_t; +type smartdwarn_script_t; +type_transition fsdaemon_t smartdwarn_script_t:process smartdwarn_t; +role system_r types smartdwarn_t; + +files_type(smartdwarn_script_t) + +application_domain(smartdwarn_t, smartdwarn_script_t) +domtrans_pattern(fsdaemon_t, smartdwarn_script_t, smartdwarn_t) + +corecmd_exec_bin(smartdwarn_t) +corecmd_exec_shell(smartdwarn_t) + +# reads list of users +auth_read_passwd_file(smartdwarn_t) + +hostname_domtrans(smartdwarn_t) + +# smartd_warning.sh to run smartd_warning.d/* scripts +allow smartdwarn_t smartdwarn_script_t:file execute_no_trans; + +# for wall cmd +init_read_utmp(smartdwarn_t) +allow smartdwarn_t tty_device_t:chr_file { open write }; +allow smartdwarn_t user_devpts_t:chr_file { open write }; +allow smartdwarn_t self:capability { setgid dac_override }; +files_manage_generic_tmp_files(smartdwarn_t) +term_open_unallocated_ttys(smartdwarn_t) +term_search_ptys(smartdwarn_t) +userdom_use_user_terminals(smartdwarn_t) + + +optional_policy(` + systemd_exec_systemctl(smartdwarn_t) +') + +optional_policy(` + mta_send_mail(smartdwarn_t) + mta_manage_home_rw(smartdwarn_t) +') + +# optional_policy(` +# unconfined_domain(smartdwarn_t) +# ') + + +type fsdaemon_var_run_t; +files_pid_file(fsdaemon_var_run_t) + +type fsdaemon_var_lib_t; +files_type(fsdaemon_var_lib_t) + +type fsdaemon_tmp_t; +files_tmp_file(fsdaemon_tmp_t) + +ifdef(`enable_mls',` + init_ranged_daemon_domain(fsdaemon_t, fsdaemon_exec_t, mls_systemhigh) +') + +######################################## +# +# Local policy +# + +allow fsdaemon_t self:capability { dac_read_search dac_override kill setpcap setgid 
sys_rawio sys_admin }; +dontaudit fsdaemon_t self:capability sys_tty_config; +allow fsdaemon_t self:process { getcap setcap signal_perms }; +allow fsdaemon_t self:fifo_file rw_fifo_file_perms; +allow fsdaemon_t self:unix_stream_socket { accept listen }; + +manage_dirs_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) +manage_files_pattern(fsdaemon_t, fsdaemon_tmp_t, fsdaemon_tmp_t) +files_tmp_filetrans(fsdaemon_t, fsdaemon_tmp_t, { file dir }) + +manage_files_pattern(fsdaemon_t, fsdaemon_var_run_t, fsdaemon_var_run_t) +files_pid_filetrans(fsdaemon_t, fsdaemon_var_run_t, file) + +manage_dirs_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t) +manage_files_pattern(fsdaemon_t, fsdaemon_var_lib_t, fsdaemon_var_lib_t) +files_var_lib_filetrans(fsdaemon_t, fsdaemon_var_lib_t, { dir file }) + +kernel_read_kernel_sysctls(fsdaemon_t) +kernel_read_network_state(fsdaemon_t) +kernel_read_software_raid_state(fsdaemon_t) +kernel_read_system_state(fsdaemon_t) + +auth_use_nsswitch(fsdaemon_t) + +corecmd_exec_all_executables(fsdaemon_t) + +corenet_all_recvfrom_netlabel(fsdaemon_t) +corenet_udp_sendrecv_generic_if(fsdaemon_t) +corenet_udp_sendrecv_generic_node(fsdaemon_t) +corenet_udp_sendrecv_all_ports(fsdaemon_t) + +dev_read_sysfs(fsdaemon_t) +dev_read_urand(fsdaemon_t) + +domain_use_interactive_fds(fsdaemon_t) + +files_exec_etc_files(fsdaemon_t) +files_read_etc_runtime_files(fsdaemon_t) + +fs_getattr_all_fs(fsdaemon_t) +fs_search_auto_mountpoints(fsdaemon_t) +fs_read_removable_files(fsdaemon_t) + +mls_file_read_all_levels(fsdaemon_t) + +storage_create_fixed_disk_dev(fsdaemon_t) +storage_dev_filetrans_named_fixed_disk(fsdaemon_t) +storage_raw_read_fixed_disk(fsdaemon_t) +storage_raw_write_fixed_disk(fsdaemon_t) +storage_raw_read_removable_device(fsdaemon_t) +storage_read_scsi_generic(fsdaemon_t) +storage_write_scsi_generic(fsdaemon_t) + +term_dontaudit_search_ptys(fsdaemon_t) + +domain_signull_all_domains(fsdaemon_t) + +auth_read_passwd(fsdaemon_t) + 
+init_read_utmp(fsdaemon_t) + +libs_exec_ld_so(fsdaemon_t) +libs_exec_lib_files(fsdaemon_t) + +logging_send_syslog_msg(fsdaemon_t) + +seutil_sigchld_newrole(fsdaemon_t) + +sysnet_dns_name_resolve(fsdaemon_t) + +userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t) +userdom_dontaudit_search_user_home_dirs(fsdaemon_t) +userdom_dontaudit_manage_admin_dir(fsdaemon_t) +userdom_use_user_terminals(fsdaemon_t) + +tunable_policy(`smartmon_3ware',` + allow fsdaemon_t self:process setfscreate; + + storage_create_fixed_disk_dev(fsdaemon_t) + storage_delete_fixed_disk_dev(fsdaemon_t) + storage_dev_filetrans_fixed_disk(fsdaemon_t) + + selinux_validate_context(fsdaemon_t) + + seutil_read_file_contexts(fsdaemon_t) +') + +# this should be no longer needed with smartdwarn_t +# optional_policy(` +# mta_send_mail(fsdaemon_t) +# mta_manage_home_rw(fsdaemon_t) +# ') +# still creator of the pipe (stdout, stderr) for smartd_warning and mail +allow system_mail_t fsdaemon_t:fifo_file { getattr read write append ioctl lock }; + + +optional_policy(` + udev_read_db(fsdaemon_t) +') + +optional_policy(` + virt_read_images(fsdaemon_t) +') diff --git a/smartmontools-7.5-a2a45dc.patch b/smartmontools-7.5-a2a45dc.patch new file mode 100644 index 0000000..a5e0f2c --- /dev/null +++ b/smartmontools-7.5-a2a45dc.patch 
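Review bot: smartdwarn_t is granted `self:capability { setgid dac_override }` together with `files_manage_generic_tmp_files(smartdwarn_t)`, so the scripts started by smartd can bypass file permission checks and manage any generic tmp_t file. That is wider than mail and wall delivery appear to need. Consider a private tmp type declared and transitioned the way fsdaemon_tmp_t is in this same file, and check the AVC logs to see whether `dac_read_search` suffices in place of `dac_override`. Separately, `system_mail_t` sits in the top-level `require` and the closing `allow system_mail_t fsdaemon_t:fifo_file ...` rule is outside any `optional_policy`, so the module presumably fails to load where the mta policy is absent. Moving that rule and its require into an `optional_policy` block would match how `mta_send_mail(smartdwarn_t)` is handled.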
@@ -0,0 +1,116 @@
+diff --git a/smartmontools/scsicmds.cpp.fix b/smartmontools/scsicmds.cpp
+index f5579156f..c4569f1c0 100644
+--- a/smartmontools/scsicmds.cpp.fix
++++ b/smartmontools/scsicmds.cpp
+@@ -755,6 +755,7 @@ scsi_decode_lu_dev_id(const unsigned char * b, int blen, char * s, int slen,
+ return -1;
+ }
+
++#define SLEN(a, b) ((a) > (b) ? ((a) - (b)) : 0)
+ s[0] = '\0';
+ int si = 0;
+ int have_scsi_ns = 0;
+@@ -764,7 +765,7 @@ scsi_decode_lu_dev_id(const unsigned char * b, int blen, char * s, int slen,
+ const unsigned char * ucp = b + off;
+ int i_len = ucp[3];
+ if ((off + i_len + 4) > blen) {
+- snprintf(s+si, slen-si, "error: designator length");
++ snprintf(s+si, SLEN(slen, si), "error: designator length");
+ return -1;
+ }
+ int assoc = ((ucp[1] >> 4) & 0x3);
+@@ -783,52 +784,52 @@ scsi_decode_lu_dev_id(const unsigned char * b, int blen, char * s, int slen,
+ break;
+ case 2: /* EUI-64 based */
+ if ((8 != i_len) && (12 != i_len) && (16 != i_len)) {
+- snprintf(s+si, slen-si, "error: EUI-64 length");
++ snprintf(s+si, SLEN(slen, si), "error: EUI-64 length");
+ return -1;
+ }
+ if (have_scsi_ns)
+ si = 0;
+- si += snprintf(s+si, slen-si, "0x");
++ si += snprintf(s+si, SLEN(slen, si), "0x");
+ for (int m = 0; m < i_len; ++m)
+- si += snprintf(s+si, slen-si, "%02x", (unsigned int)ip[m]);
++ si += snprintf(s+si, SLEN(slen, si), "%02x", (unsigned int)ip[m]);
+ break;
+ case 3: /* NAA */
+ if (1 != c_set) {
+- snprintf(s+si, slen-si, "error: NAA bad code_set");
++ snprintf(s+si, SLEN(slen, si), "error: NAA bad code_set");
+ return -1;
+ }
+ naa = (ip[0] >> 4) & 0xff;
+ if ((naa < 2) || (naa > 6) || (4 == naa)) {
+- snprintf(s+si, slen-si, "error: unexpected NAA");
++ snprintf(s+si, SLEN(slen, si), "error: unexpected NAA");
+ return -1;
+ }
+ if (have_scsi_ns)
+ si = 0;
+ if (2 == naa) { /* NAA IEEE Extended */
+ if (8 != i_len) {
+- snprintf(s+si, slen-si, "error: NAA 2 length");
++ snprintf(s+si, SLEN(slen, si), "error: NAA 2 length");
+ return -1;
+ }
+- si += snprintf(s+si, slen-si, "0x");
++ si += snprintf(s+si, SLEN(slen, si), "0x");
+ for (int m = 0; m < 8; ++m)
+- si += snprintf(s+si, slen-si, "%02x", (unsigned int)ip[m]);
++ si += snprintf(s+si, SLEN(slen, si), "%02x", (unsigned int)ip[m]);
+ } else if ((3 == naa ) || (5 == naa)) {
+ /* NAA=3 Locally assigned; NAA=5 IEEE Registered */
+ if (8 != i_len) {
+- snprintf(s+si, slen-si, "error: NAA 3 or 5 length");
++ snprintf(s+si, SLEN(slen, si), "error: NAA 3 or 5 length");
+ return -1;
+ }
+- si += snprintf(s+si, slen-si, "0x");
++ si += snprintf(s+si, SLEN(slen, si), "0x");
+ for (int m = 0; m < 8; ++m)
+- si += snprintf(s+si, slen-si, "%02x", (unsigned int)ip[m]);
++ si += snprintf(s+si, SLEN(slen, si), "%02x", (unsigned int)ip[m]);
+ } else if (6 == naa) { /* NAA IEEE Registered extended */
+ if (16 != i_len) {
+- snprintf(s+si, slen-si, "error: NAA 6 length");
++ snprintf(s+si, SLEN(slen, si), "error: NAA 6 length");
+ return -1;
+ }
+- si += snprintf(s+si, slen-si, "0x");
++ si += snprintf(s+si, SLEN(slen, si), "0x");
+ for (int m = 0; m < 16; ++m)
+- si += snprintf(s+si, slen-si, "%02x", (unsigned int)ip[m]);
++ si += snprintf(s+si, SLEN(slen, si), "%02x", (unsigned int)ip[m]);
+ }
+ break;
+ case 4: /* Relative target port */
+@@ -838,12 +839,12 @@ scsi_decode_lu_dev_id(const unsigned char * b, int blen, char * s, int slen,
+ break;
+ case 8: /* SCSI name string */
+ if (3 != c_set) {
+- snprintf(s+si, slen-si, "error: SCSI name string");
++ snprintf(s+si, SLEN(slen, si), "error: SCSI name string");
+ return -1;
+ }
+ /* does %s print out UTF-8 ok??
*/ + if (si == 0) { +- si += snprintf(s+si, slen-si, "%s", (const char *)ip); ++ si += snprintf(s+si, SLEN(slen, si), "%s", (const char *)ip); + ++have_scsi_ns; + } + break; +@@ -852,10 +853,11 @@ scsi_decode_lu_dev_id(const unsigned char * b, int blen, char * s, int slen, + } + } + if (-2 == u) { +- snprintf(s+si, slen-si, "error: bad structure"); ++ snprintf(s+si, SLEN(slen, si), "error: bad structure"); + return -1; + } + return 0; ++#undef SLEN + } + + /* Sends LOG SENSE command. Returns 0 if ok, 1 if device NOT READY, 2 if diff --git a/smartmontools.spec b/smartmontools.spec index f252b52..6ab371b 100644 --- a/smartmontools.spec +++ b/smartmontools.spec @@ -1,4 +1,4 @@ -%define anolis_release 1 +%define anolis_release 2 Name: smartmontools Version: 7.4 @@ -12,14 +12,22 @@ Source1: smartmontools.sysconf Source2: smartdnotify # https://sourceforge.net/p/smartmontools/code/HEAD/tree/trunk/smartmontools/drivedb.h?format=raw%20Source5:drivedb.h Source3: drivedb.h +Source4: smartmon.te +Source5: http://downloads.sourceforge.net/smartmontools/smartmontools-7.4.tar.gz +Source6: smartmon.if +Source7: smartmon.fc # Refer to https://gitlab.com/redhat/centos-stream/rpms/smartmontools/-/commit/991ed6d19817dfae652607ba458639ad26d81ceb Patch0001: smartmontools-7.4-fix_sast.patch +Patch2: smartmontools-7.5-a2a45dc.patch BuildRequires: make BuildRequires: gcc-c++ readline-devel ncurses-devel automake util-linux groff gettext BuildRequires: libselinux-devel libcap-ng-devel BuildRequires: systemd systemd-devel +BuildRequires: selinux-policy +BuildRequires: pkgconfig(systemd) +BuildRequires: selinux-policy-devel %description @@ -106,6 +114,8 @@ mkdir -p $RPM_BUILD_ROOT%{_sharedstatedir}/%{name} %doc AUTHORS ChangeLog INSTALL NEWS README TODO %changelog +* Tue Aug 26 2025 Wenyu Zifang - 1:7.4-2 +- Apply patch to prevent buffer overflows and enhance security during SCSI ID parsing * Tue Feb 18 2025 Chang Gao - 7.4-1 - Update to 7.4 - Update drivedb.h and add patch to fix some bug 
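Review bot: The SCSI name string branch still formats `(const char *)ip` with `%s`, which reads until a NUL byte instead of stopping at the designator length. A device response with no terminator inside `i_len` bytes is then read past the designator and possibly past `blen`; `si += snprintf(s+si, SLEN(slen, si), "%.*s", i_len, (const char *)ip);` bounds the read. SLEN also clamps only the size argument: snprintf returns the untruncated length, so `si` can grow beyond `slen`, and `s+si` then points outside the buffer, which is undefined pointer arithmetic even though nothing is written. Clamping `si` after each append, or returning on truncation, would close that. The definition of `ip` and the start of scsi_decode_lu_dev_id are outside these hunks, so confirm that `ip` addresses `i_len` bytes inside `b`.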
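Review bot: The second spec hunk adds `Source4`, `Source6` and `Source7` for the SELinux policy and BuildRequires `selinux-policy-devel`, but no hunk adds a build step, a `%install` entry or a `%files` line for the module. As far as this diff shows, the policy is carried in the SRPM without being compiled or installed. Likewise `Patch2` only takes effect if `%prep` (not visible here) uses `%autosetup` or `%autopatch`; otherwise it needs an explicit `%patch` line, or the overflow fix named in the changelog is not applied. `Source5` fetches the release tarball over plain `http://` and looks like a duplicate of the main source; drop it or switch to `https://` with a checksum. The new changelog entry is versioned `1:7.4-2`, although no `Epoch` is visible and the previous entry is `7.4-1`.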
diff --git a/smartmontools.sysconf b/smartmontools.sysconf
index fdf6e9b..01698be 100644
--- a/smartmontools.sysconf
+++ b/smartmontools.sysconf
@@ -1,5 +1,3 @@
 # command line options for smartd
-# Add -s /var/lib/smartmontools to enable state persistence
+# Add -s /var/lib/smartmontools/ to enable state persistence
 smartd_opts="-q never --capabilities=mail"
-# autogenerated config file options
-# smartd_conf_opts="-H -m root"
-- Gitee