Bug 1554021 - Review Request: usbauth - USB firewall against BadUSB attacks
Summary: Review Request: usbauth - USB firewall against BadUSB attacks
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Robert-André Mauchin 🐧
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1553496 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-03-10 19:42 UTC by Stefan Koch
Modified: 2021-07-04 15:23 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-04 15:23:09 UTC
Type: ---
Embargoed:
zebob.m: fedora-review+


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1553496 0 unspecified CLOSED Review Request: libusbauth-configparser, usbauth, usbauth-notifier - USB Firewall including flex/bison parser 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1554020 0 unspecified CLOSED Review Request: libusbauth-configparser - Library for USB Firewall including flex/bison parser 2021-07-04 15:22:24 UTC
Red Hat Bugzilla 1554022 0 unspecified CLOSED Review Request: usbauth-notifier - Notifier for USB Firewall to use with desktop environments 2021-07-10 11:03:21 UTC

Internal Links: 1553496 1554020 1554022

Description Stefan Koch 2018-03-10 19:42:34 UTC
### usbauth ###

Spec URL: https://copr-be.cloud.fedoraproject.org/results/kochstefan/usbauth-all/fedora-27-x86_64/00726579-usbauth/usbauth.spec

SRPM URL: https://copr-be.cloud.fedoraproject.org/results/kochstefan/usbauth-all/fedora-27-x86_64/00726579-usbauth/usbauth-1.0-1.fc27.src.rpm

Description: It is a firewall against BadUSB attacks. A config file descibes in which way USB interfaces would be accepted or denied.
To the kernel an interface authorization was developed with this firewall.
The firewall sets the authorization mask according to the rules.

#######################

Hi

I want to add the packages libusbauth-configparser, usbauth, usbauth-notifier to Fedora. I need a review and a sponsor for packaging these packages.

The usbauth packages already part of openSUSE Tumbleweed, Debian Sid and Ubuntu 18.04 (pre).

This work was initially created for SUSE in 2015. Part of it was the USB interface authorization for the Linux kernel. It's contained in Linux since kernel version 4.4.
There are the following packages libusbauth-configparser, usbauth, usbauth-notifier.

GIT Repository: https://github.com/kochstefan/usbauth-all.git

NOTICE aboud usbguard and usbauth:
The usbguard project provides an USB firewall, too. It is already packaged within debian.
The usbguard development was supported by RedHat and usbauth was 
supported by SUSE. Historical, usbguard was published while the working 
on usbauth has already been started.
The main difference is that usbguard works with USB devices and usbauth works with USB interfaces.

usbauth could allow/deny usb interfaces using the new usb interface 
authorization mechanism that is part of linux 4.4 and above.
See also: 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/?h=v4.4.94&qt=grep&q=interface+auth

Examples:
* allow a storage functionality of a USB device and deny USB Ethernet of 
the same device
* allow audio/video functionality of an USB TV card and deny using the 
remote control functionality
* allow USB printing/scanning and deny USB storage usage of a 
multifunction printer (BTW: the interface mechanism supports denying 
user space triggered actions (using USB claiming) like scanning)

usbguard could allow/deny USB devices using the usb device authorization 
mechanism of the Linux kernel.
It allows to denying a whole device if one interface of it is considered 
as bad (usbauth supports this, too)
usbguard allows creating actions that is not supported by usbauth.

If you can understand German language you could read 
a detailed description: 
https://epub.uni-bayreuth.de/3048/1/koch2017sicherheitsaspekte.pdf

Thank you

Stefan Koch

Comment 1 Stefan Koch 2018-03-10 19:50:29 UTC
A first review was done by Robert-André Mauchin with Bug 1553496 (complete usbauth suite review request). I have changed the spec files now.
There are new build available on COPR.
See Bugs:
1554020 libusbauth-configparser review request
1554021 usbauth review request
1554022 usbauth-notifier review request
(these bugs will replace bug 1553496)

Comment 2 Stefan Koch 2018-03-10 19:52:31 UTC
*** Bug 1553496 has been marked as a duplicate of this bug. ***

Comment 3 Robert-André Mauchin 🐧 2018-10-04 22:31:35 UTC
 - Please space out your changelog entry, they are difficult to read

 - I would rather have you not mix Suse stuff with Fedora stuff.

 - Install the license file with %license, not %doc

%doc README
%license COPYING


 - Your %changelog entry must contain the release-version:

* Sat Mar 10 2018 stefan.koch10 - 1.0-1

 - Add a BR for gcc

 - Split the description to stay below 80 characters per line and fix the typo:

usbauth.src: W: spelling-error %description -l en_US descibes -> describes, describe, Delibes
usbauth.src: E: description-line-too-long C It is a firewall against BadUSB attacks. A config file descibes in which way devices would be accepted.


Package Review
==============

Legend:
[x] = Pass, [!] = Fail, [-] = Not applicable, [?] = Not evaluated
[ ] = Manual review needed


Issues:
=======
- If your application is a C or C++ application you must list a
  BuildRequires against gcc, gcc-c++ or clang.
  Note: No gcc, gcc-c++ or clang found in BuildRequires
  See: https://fedoraproject.org/wiki/Packaging:C_and_C%2B%2B
- If (and only if) the source package includes the text of the license(s)
  in its own file, then that file, containing the text of the license(s)
  for the package is included in %license.
  Note: License file COPYING is not marked as %license
  See:
  http://fedoraproject.org/wiki/Packaging/LicensingGuidelines#License_Text


===== MUST items =====

C/C++:
[x]: Package does not contain kernel modules.
[x]: Package contains no static executables.
[x]: Package does not contain any libtool archives (.la)
[x]: Rpath absent or only used for internal libs.

Generic:
[x]: Package is licensed with an open-source compatible license and meets
     other legal requirements as defined in the legal section of Packaging
     Guidelines.
[x]: License field in the package spec file matches the actual license.
     Note: Checking patched sources after %prep for licenses. Licenses
     found: "GPL (v2)", "Unknown or generated". 10 files have unknown
     license. Detailed output of licensecheck in
     /home/bob/packaging/review/usbauth/review-usbauth/licensecheck.txt
[x]: License file installed when any subpackage combination is installed.
[x]: %build honors applicable compiler flags or justifies otherwise.
[x]: Package contains no bundled libraries without FPC exception.
[x]: Changelog in prescribed format.
[x]: Sources contain only permissible code or content.
[-]: %config files are marked noreplace or the reason is justified.
     Note: No (noreplace) in %config
     /etc/dbus-1/system.d/org.opensuse.usbauth.conf
[-]: Package contains desktop file if it is a GUI application.
[-]: Development files must be in a -devel package
[x]: Package uses nothing in %doc for runtime.
[x]: Package consistently uses macros (instead of hard-coded directory
     names).
[x]: Package is named according to the Package Naming Guidelines.
[x]: Package does not generate any conflict.
[x]: Package obeys FHS, except libexecdir and /usr/target.
[-]: If the package is a rename of another package, proper Obsoletes and
     Provides are present.
[x]: Requires correct, justified where necessary.
[x]: Spec file is legible and written in American English.
[-]: Package contains systemd file(s) if in need.
[x]: Useful -debuginfo package or justification otherwise.
[x]: Package is not known to require an ExcludeArch tag.
[-]: Large documentation must go in a -doc subpackage. Large could be size
     (~1MB) or number of files.
     Note: Documentation size is 30720 bytes in 2 files.
[x]: Package complies to the Packaging Guidelines
[x]: Package successfully compiles and builds into binary rpms on at least
     one supported primary architecture.
[x]: Rpmlint is run on all rpms the build produces.
     Note: There are rpmlint messages (see attachment).
[x]: Package requires other packages for directories it uses.
[x]: Package does not own files or directories owned by other packages.
[x]: Package uses either %{buildroot} or $RPM_BUILD_ROOT
[x]: Package does not run rm -rf %{buildroot} (or $RPM_BUILD_ROOT) at the
     beginning of %install.
[x]: Macros in Summary, %description expandable at SRPM build time.
[x]: Package does not contain duplicates in %files.
[x]: Permissions on files are set properly.
[x]: Package use %makeinstall only when make install DESTDIR=... doesn't
     work.
[x]: Package is named using only allowed ASCII characters.
[x]: No %config files under /usr.
[x]: Package does not use a name that already exists.
[x]: Package is not relocatable.
[x]: Sources used to build the package match the upstream source, as
     provided in the spec URL.
[x]: Spec file name must match the spec package %{name}, in the format
     %{name}.spec.
[x]: File names are valid UTF-8.
[x]: Packages must not store files under /srv, /opt or /usr/local

===== SHOULD items =====

Generic:
[-]: Buildroot is not present
     Note: Invalid buildroot found: %{_tmppath}/%{name}-%{version}-build
     See: http://fedoraproject.org/wiki/Packaging/Guidelines#BuildRoot_tag
[-]: If the source package does not include license text(s) as a separate
     file from upstream, the packager SHOULD query upstream to include it.
[x]: Final provides and requires are sane (see attachments).
[-]: Fully versioned dependency in subpackages if applicable.
     Note: No Requires: %{name}%{?_isa} = %{version}-%{release} in usbauth-
     debuginfo , usbauth-debugsource
[?]: Package functions as described.
[x]: Latest version is packaged.
[x]: Package does not include license text files separate from upstream.
[-]: Description and summary sections in the package spec file contains
     translations for supported Non-English languages, if available.
[x]: Package should compile and build into binary rpms on all supported
     architectures.
[-]: %check is present and all tests pass.
[x]: Packages should try to preserve timestamps of original installed
     files.
[x]: Reviewer should test that the package builds in mock.
[x]: Package has no %clean section with rm -rf %{buildroot} (or
     $RPM_BUILD_ROOT)
[x]: No file requires outside of /etc, /bin, /sbin, /usr/bin, /usr/sbin.
[x]: Packager, Vendor, PreReq, Copyright tags should not be in spec file
[x]: SourceX is a working URL.
[x]: Spec use %global instead of %define unless justified.

===== EXTRA items =====

Generic:
[x]: Rpmlint is run on all installed packages.
[x]: Large data in /usr/share should live in a noarch subpackage if package
     is arched.
[x]: Package should not use obsolete m4 macros
[x]: Spec file according to URL is the same as in SRPM.


Rpmlint
-------
Checking: usbauth-1.0-1.fc30.x86_64.rpm
          usbauth-debuginfo-1.0-1.fc30.x86_64.rpm
          usbauth-debugsource-1.0-1.fc30.x86_64.rpm
          usbauth-1.0-1.fc30.src.rpm
usbauth.x86_64: W: spelling-error %description -l en_US descibes -> describes, describe, Delibes
usbauth.x86_64: E: description-line-too-long C It is a firewall against BadUSB attacks. A config file descibes in which way devices would be accepted.
usbauth.x86_64: W: incoherent-version-in-changelog tefan.koch10 ['1.0-1.fc30', '1.0-1']
usbauth.x86_64: W: conffile-without-noreplace-flag /etc/dbus-1/system.d/org.opensuse.usbauth.conf
usbauth.src: W: spelling-error %description -l en_US descibes -> describes, describe, Delibes
usbauth.src: E: description-line-too-long C It is a firewall against BadUSB attacks. A config file descibes in which way devices would be accepted.
usbauth.src:65: W: setup-not-quiet
usbauth.src: W: invalid-url Source0: usbauth-1.0.tar.bz2
4 packages and 0 specfiles checked; 2 errors, 6 warnings.

Comment 4 Robert-André Mauchin 🐧 2018-10-04 22:55:26 UTC
 - Use %autosetup or %setup -q to make the setup quiet:

Comment 5 Stefan Koch 2019-01-24 20:42:37 UTC
I have added an new revised build at:
https://copr.fedorainfracloud.org/coprs/kochstefan/usbauth-all/build/849729

Comment 6 Dominik 'Rathann' Mierzejewski 2019-02-09 01:15:42 UTC
Out of curiosity, how is this different than usbguard which is already packaged: https://apps.fedoraproject.org/packages/usbguard ?

Comment 7 Stefan Koch 2019-02-21 22:11:39 UTC
The main difference is that usbguard uses the USB device authorization mechanism. usbauth uses the USB interface authorization mechanism, that was introduced since kernel 4.4.
Historical, usbguard was published while the working on usbauth has already been started.

usbauth could allow/deny usb interfaces using the new usb interface authorization mechanism that is part of linux 4.4 and above.
See also: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/?h=v4.4.94&qt=grep&q=interface+auth

Examples:
* allow a storage functionality of a USB device and deny USB Ethernet of the same device
* allow audio/video functionality of an USB TV card and deny using the remote control functionality
* allow USB printing/scanning and deny USB storage usage of a multifunction printer (BTW: the interface mechanism supports denying user space triggered actions (using USB claiming) like scanning)

usbguard could allow/deny USB devices using the usb device authorization mechanism of the Linux kernel.
It allows to denying a whole device if one interface of it is considered as bad (usbauth supports this, too)
usbguard allows creating actions that is not supported by usbauth.

I hope this helps. If you can understand German language you could read a detailed description: https://epub.uni-bayreuth.de/3048/1/koch2017sicherheitsaspekte.pdf

Currently the usbauth suite is packaged for openSUSE Leap 15.0, Debian Buster including ubuntu 18.04

Comment 8 Robert-André Mauchin 🐧 2019-04-27 18:53:44 UTC
Package approved.

Comment 9 Robert-André Mauchin 🐧 2019-09-18 17:02:48 UTC
Refreshing flag

Comment 10 Gwyn Ciesla 2019-09-20 14:47:44 UTC
(fedscm-admin):  The Pagure repository was created at https://src.fedoraproject.org/rpms/usbauth

Comment 11 Mattia Verga 2021-07-04 15:23:09 UTC
Package is in repos


Note You need to log in before you can comment on or make changes to this bug.