fapolicyd

Can't trust files that violate open permission rules

Open wjhunter3 opened this issue 1 year ago • 3 comments

If there exists a rule against opening a certain file, i.e.:

 deny_audit perm=open all : ftype=%languages trust=0

then the file can't be added to the trust database with the command:

 fapolicyd-cli --file add </path/to/file>

because the file must be opened in order to create a hash value to store in the trust database.

Similarly, if the rule is allow_audit, a FANOTIFY audit event is created when the file is added to the trust database, for the same reasons.

Is there a way that a file can be added to the trust database, other than manually with an a priori hash value, or stopping fapolicyd during the add/update operation?

wjhunter3, May 13 '24 19:05

It is possible to create the trust file on another system and then drop it in the trust.d directory. If we make any loopholes for fapolicyd-cli, it becomes a possible loophole that something else could use.

stevegrubb, May 14 '24 19:05

Our application is in a closed system, so having a "mirror" system to modify the trust DB and copy to the target system is not possible/practical.

The "loophole" would be for an extremely specific scenario - only for fapolicyd-cli, or the fapolicyd daemon itself, to open files for the purpose of measurement.

wjhunter3, May 15 '24 13:05

I was thinking you'd make that trust file as part of the deployment of the custom software. A second option would be to package the custom software so that it's installed by an rpm and then everything works. The last idea would be to add something as a rule like this:

allow perm=open exe=/usr/bin/fapolicyd-cli trust=1 : all

It would need to be near the top of the rules. So, put it in a file with a number in the 20's.

stevegrubb, May 15 '24 22:05

Been a while on this. If you don't want the audit event on allowing access, just make the decision "allow" no audit. Also, a rule could be created to allow fapolicyd-cli access to any file:

allow perm=open exe=/usr/bin/fapolicyd-cli trust=1 : all

Might not be a bad idea to add this to our normal rules.

stevegrubb, Oct 19 '25 16:10

Checked our rules, the allow access to all grants access. I'd suggest delivering a trust file as part of the software installation. I don't think there's much else we can do. Feel free to re-open this if there are new observations.

stevegrubb, Oct 22 '25 00:10
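
The suggestion made in this thread, delivering a trust file with the software so that nothing has to be opened and hashed on the locked-down target, sketched as an added example that is not from the thread or the fapolicyd project. It assumes the trust entry layout from fapolicyd.trust(5) (absolute path, size in bytes, SHA-256 hex digest, space-separated); the `gen_trust` name and the paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example: build a fapolicyd trust file from a staged install tree on
# the build host, where the files can be read without tripping a deny rule.
# Assumed entry layout (fapolicyd.trust(5)): <absolute path> <size> <sha256>

# gen_trust STAGE_DIR INSTALL_PREFIX
# Prints one trust entry per regular file under STAGE_DIR, with the path
# rewritten to where the file will live on the target system.
gen_trust() {
    stage=${1%/}
    prefix=${2%/}
    find "$stage" -type f | LC_ALL=C sort | while IFS= read -r f; do
        target=$prefix${f#"$stage"}
        case $target in
            *[[:space:]]*)
                # Fields are space-separated; this example skips such paths
                # rather than guess how the parser would treat them.
                echo "skipping (whitespace in path): $target" >&2
                continue ;;
        esac
        size=$(wc -c < "$f" | tr -d ' ')
        hash=$(sha256sum < "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$target" "$size" "$hash"
    done
}

# Typical use on the build host (hypothetical paths):
#   gen_trust ./stage/opt/myapp /opt/myapp > myapp.trust
# The installer then places myapp.trust in /etc/fapolicyd/trust.d/ and runs
#   fapolicyd-cli --update
# so the daemon reloads its trust database.
```

The hashes describe the files as built, so the trust file has to be regenerated whenever the shipped binaries or scripts change.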