From 86063bb284be06fa948ad4ab4ca2ed6a100ae97b Mon Sep 17 00:00:00 2001
From: Andy Lau
Date: Fri, 6 Dec 2024 15:49:43 +0800
Subject: [PATCH] backport validate service name of rich rule

---
 ...t-validate-service-name-of-rich-rule.patch | 70 +++++++++++++++++++
 firewalld.spec | 9 ++-
 2 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 backport-validate-service-name-of-rich-rule.patch
diff --git a/backport-validate-service-name-of-rich-rule.patch b/backport-validate-service-name-of-rich-rule.patch
new file mode 100644
index 0000000..9a17fc4
--- /dev/null
+++ b/backport-validate-service-name-of-rich-rule.patch
@@ -0,0 +1,70 @@ +From 69cea8ae9097b8006d48984e5376b352a0e98b70 Mon Sep 17 00:00:00 2001 +From: Thomas Haller +Date: Tue, 12 Dec 2023 14:58:07 +0100 +Subject: [PATCH] fix(rich): validate service name of rich rule + +Previously, validation of valid service names was not done. +That meant: + + $ firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="listen" accept' --permanent + success + $ firewall-cmd --reload + Error: INVALID_SERVICE: listen + +which left firewalld in a bad state. + +Now: + + $ firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="listen" accept' --permanent + Error: INVALID_SERVICE: Zone 'public': 'listen' not among existing services + +https://issues.redhat.com/browse/RHEL-5790 +--- + src/firewall/core/io/policy.py | 8 ++++++++ + src/tests/features/rich_rules.at | 7 ++++++- + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py +index 158b636..d689ed6 100644 +--- a/src/firewall/core/io/policy.py ++++ b/src/firewall/core/io/policy.py +@@ -469,6 +469,14 @@ def common_check_config(obj, config, item, all_config, all_io_objects): + log.debug1("{} (unsupported)".format(ex)) + else: + raise ex ++ elif isinstance(obj_rich.element, rich.Rich_Service): ++ if obj_rich.element.name not in all_io_objects["services"]: ++ raise FirewallError( ++ errors.INVALID_SERVICE, ++ "{} '{}': '{}' not among existing services".format( ++ obj_type, obj.name, obj_rich.element.name ++ ), ++ ) + + def common_writer(obj, handler): + # short +diff --git a/src/tests/features/rich_rules.at b/src/tests/features/rich_rules.at +index fd38046..3ca361c 100644 +--- a/src/tests/features/rich_rules.at ++++ b/src/tests/features/rich_rules.at +@@ -46,6 +46,10 @@ FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priorit + FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule 
family=ipv4 priority=0 source address=10.10.10.13 drop'], 0, ignore) + FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=-1 source address=10.10.10.14 accept'], 0, ignore) + FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=1 source address=10.10.10.15 accept'], 0, ignore) ++ ++dnl Invalid service name is rejected. ++FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="bogusservice" accept'], 101, ignore, ignore) ++ + FWD_RELOAD + NFT_LIST_RULES([inet], [filter_IN_policy_foobar_pre], 0, [dnl + table inet firewalld { +@@ -319,4 +323,5 @@ IP6TABLES_LIST_RULES([filter], [IN_foobar_post], 0, [dnl + ACCEPT all ::/0 ::/0 + ]) + +-FWD_END_TEST([-e '/ERROR: INVALID_ZONE:/d']) ++FWD_END_TEST([-e '/ERROR: INVALID_ZONE:/d' dnl ++ -e "/ERROR: INVALID_SERVICE: Policy 'foobar': 'bogusservice' not among existing services/d"]) +-- +2.43.0 + diff --git a/firewalld.spec b/firewalld.spec index 3452893..c3d0321 100644 --- a/firewalld.spec +++ b/firewalld.spec @@ -1,6 +1,6 @@ Name: firewalld Version: 1.2.6 -Release: 6 +Release: 7 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall License: GPLv2+ URL: http://www.firewalld.org @@ -14,6 +14,7 @@ Patch4: backport-chore-nftables-add-delete-table-helper.patch Patch5: backport-fix-nftables-always-flush-main-table-on-start.patch Patch6: backport-fix-service-update-highest-port-number-for-ceph.patch Patch7: backport-fix-nm-release-NM-client-after-a-timeout.patch +Patch8: backport-validate-service-name-of-rich-rule.patch BuildArch: noarch BuildRequires: autoconf automake desktop-file-utils gettext intltool glib2 glib2-devel systemd-units docbook-style-xsl 
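Review bot: The new `elif isinstance(obj_rich.element, rich.Rich_Service)` branch in `common_check_config` indexes `all_io_objects["services"]` directly, so if any caller of the backported 1.2.6 code hands in an `all_io_objects` without that key the lookup fails with a bare `KeyError` rather than the intended `FirewallError(errors.INVALID_SERVICE, ...)`; the hunk does not show where that dict is populated, so this is worth confirming against the 1.2.6 callers the patch was rebased onto. The added `FWD_CHECK` in rich_rules.at only exercises the `--policy foobar` path, while the commit message motivates the fix with a zone rule (`Zone 'public': 'listen' not among existing services`), so a second check against a zone would cover the other `obj_type` the message format advertises. A one-line comment above the branch such as `# refuse rich rules naming an undefined service at --permanent time, so the error does not first surface (and leave firewalld without the rule set) on --reload` would record why the check lives here. The `if` chain this `elif` extends and the rest of `common_check_config` begin and end outside the hunk.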
@@ -243,6 +244,12 @@ sed -i "s/CleanupModulesOnExit=no/CleanupModulesOnExit=yes/g" %{_sysconfdir}/fir %{_datadir}/firewalld/testsuite/python/firewalld_test.py %changelog +* Fri Dec 6 2024 andy - 1.2.6-7 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:backport validate service name of rich rule + * Tue Aug 27 2024 zhouyihang - 1.2.6-6 - Type:bugfix - CVE:NA -- Gitee