linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0

fapolicyd on Ubuntu #218

Closed darrinh closed 1 year ago

darrinh commented 1 year ago

I have been able to build fapolicyd on Ubuntu, it starts and shows what it would allow or deny. The issue is I'm getting an error in relation to dbi:

```
Loaded 32 rules
Changed to uid 998
Initializing the trust database
fapolicyd integrity is 0
rpmdb backend not supported, skipping!
backend file registered
Loading file backend
Creating trust database
Loading trust data from file backend
Permission denied
open_dbi:Permission denied
Trust database at 5972309550% capacity - might want to increase db_max_size setting
added / mount point
added /dev/shm mount point
added /run/lock mount point
added /boot/efi mount point
added /run/snapd/ns mount point
added /run/user/1000 mount point
Starting to listen for events
```

Any ideas on what could be causing that error? It creates the actual db file but then seems unable to access it after that.

darrinh commented 1 year ago

Have converted an rpm to deb and installed fapolicyd, and the db error seems to have stopped. However, permissive mode doesn't seem to work unless I have `allow perm=open all : all` as the first rule; otherwise the instance freezes, requiring a restart. If I try:

```
rule=0 dec=no-opinion perm=execute auid=1000 pid=1082 exe=/usr/bin/bash : path=/usr/bin/ls ftype=application/x-executable
rule=4 dec=allow perm=open auid=1000 pid=1082 exe=/usr/bin/bash : path=/usr/bin/ls ftype=application/x-executable
rule=0 dec=no-opinion perm=execute auid=1000 pid=1082 exe=/usr/bin/bash : path=/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 ftype=application/x-sharedlib
Permission denied
open_dbi:Permission denied
rule=3 dec=deny_audit perm=open auid=1000 pid=1082 exe=/usr/bin/bash : path=/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 ftype=application/x-sharedlib
```

it freezes and complains about the db again.

darrinh commented 1 year ago

So, I think I can see the issue. I think it's to do with the fact that in the conf I have only set:

```
trust = file
```

which is empty, so there are no trust rules for Ubuntu.

iwamatsu commented 1 year ago

> Permission denied
> open_dbi:Permission denied
> Trust database at 5972309550% capacity - might want to increase db_max_size setting

This error comes out on the first startup. After rebuilding the DB, this error will not come out on the next startup:

```
sudo fapolicyd-cli --update
```

darrinh commented 1 year ago

Thanks iwamatsu, it's working now, but with the disadvantage of using only the trust file, as there is no apt-backend the way there is the rpm-backend for RHEL.

cheers Darrin

darrinh commented 1 year ago

How do the rules around using uid, for example, work? If I add:

```
allow perm=execute uid=1000 : trust=1 path=/usr/bin/ping
deny_audit perm=execute all : trust=1 path=/usr/bin/ping
```

then anyone can still run ping. If I remove ping from the trust file, then only root can run it.

stevegrubb commented 1 year ago

We would like to have an APT backend, but documentation on a library and how to use it seems very hard to find.

The uid in the rules is "anded" with the rest of the rule. If the user id is 1000 and it's trusted, and the path is to ping, then allow execution. Without the trust, it should still be limited to uid 1000. But you have no idea if ping has been modified or an allowed program.
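Steve's description, that every attribute written on a rule is ANDed and that rules are tried top down with the first match deciding, can be checked against a small model. This is an added example, not fapolicyd's own matcher: `Event`, `parse_rule` and `decide` are assumed names, and the `trusted` flag stands in for the lookup in the trust database.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One access as the daemon sees it; 'trusted' = path is in the trust db."""
    uid: int
    perm: str      # "execute" or "open"
    path: str
    trusted: bool

def parse_rule(line):
    """Split 'decision subject-attrs : object-attrs' into a dict of attributes."""
    decision, rest = line.split(None, 1)
    subj, obj = (part.split() for part in rest.split(":", 1))
    # "all" carries no key=value pair, so it imposes no constraint.
    attrs = dict(tok.split("=", 1) for tok in subj + obj if "=" in tok)
    attrs["decision"] = decision
    return attrs

def matches(rule, ev):
    """Every attribute on the rule must hold (ANDed); omitted ones match anything."""
    if "uid" in rule and int(rule["uid"]) != ev.uid:
        return False
    if "perm" in rule and rule["perm"] not in (ev.perm, "any"):
        return False
    if "path" in rule and rule["path"] != ev.path:
        return False
    if "trust" in rule and (rule["trust"] == "1") != ev.trusted:
        return False
    return True

def decide(rules, ev):
    """Rules are evaluated in order; the first match decides."""
    for rule in rules:
        if matches(rule, ev):
            return rule["decision"]
    return "no-opinion"

# The two rules from the thread, in the order they were written.
RULES = [parse_rule(r) for r in (
    "allow perm=execute uid=1000 : trust=1 path=/usr/bin/ping",
    "deny_audit perm=execute all : trust=1 path=/usr/bin/ping",
)]

if __name__ == "__main__":
    for uid, trusted in ((1000, True), (1001, True), (1001, False)):
        ev = Event(uid, "execute", "/usr/bin/ping", trusted)
        print(uid, "trusted" if trusted else "untrusted", "->", decide(RULES, ev))
```

With ping removed from the trust file neither rule matches at all, so the decision falls through to whatever rule follows them, which is why the observed behaviour changes.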

darrinh commented 1 year ago

Hi Steve, Yes, info/docs on APT/dpkg are sketchy. I've just had to load up the trust file with a baseline of what's already installed, then use apt hooks to maintain the trust file when a package is removed, added or upgraded. Seems to be working ok now, but I would prefer not to have to use the trust file like that. cheers Darrin

radosroka commented 1 year ago

> Hi Steve, Yes, info/docs on APT/dpkg are sketchy. I've just had to load up the trust file with a baseline of what's already installed, then use apt hooks to maintain the trust file when a package is removed, added or upgraded. Seems to be working ok now, but I would prefer not to have to use the trust file like that. cheers Darrin

If you can get the data, you can simply implement these methods in a new backend in fapolicyd: https://github.com/linux-application-whitelisting/fapolicyd/blob/78680d481cececb15718d004d62b685c418d237c/src/library/fapolicyd-backend.h#L36#L43

https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/library/backend-manager.c#L41

https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/library/file-backend.c

https://github.com/linux-application-whitelisting/fapolicyd/blob/main/src/library/rpm-backend.c

You can take inspiration from one of the backends that are there. It's just about putting files into the list and eventually freeing them.

darrinh commented 1 year ago

Thanks radosroka. For the RPM backend, does it use the file hash as provided by the RPM package? And is there some kind of test harness so the backends can be loaded and tested separately?

thanks Darrin

radosroka commented 1 year ago

> Thanks radosroka. For the RPM backend, does it use the file hash as provided by the RPM package? And is there some kind of test harness so the backends can be loaded and tested separately?
>
> thanks Darrin

Yes, the rpm backend uses the hash from rpmdb; the hash is part of the file metadata. You can set the backend in the configuration file.

https://github.com/linux-application-whitelisting/fapolicyd/blob/78680d481cececb15718d004d62b685c418d237c/init/fapolicyd.conf#L17

darrinh commented 1 year ago

Thanks. It seems that apt/dpkg uses md5 for checksums, so we would need to create an option for fapolicyd to use md5.

radosroka commented 1 year ago

Well, the hash is actually used only when integrity is on, so we would need to extend integrity to use md5. But what about the file backend: should we keep using sha256 alongside md5 from Ubuntu apt? Or add the possibility to add files to trust with md5? Or use both hashes in the trust file so we can choose later?

Not sure what is the best idea. I have a feeling that we could go backwards with the introduction of md5 in fapolicyd.

stevegrubb commented 1 year ago

The issue with MD5 is that many of the people that are interested in fapolicyd are also required to run in FIPS mode. MD5 is not FIPS approved. That said, I don't know of any MD5 collisions that work while maintaining the file's original size. This is why we collect file size information - it's to double check that a collision has not taken place. We could maybe add a --with-md5 configure option so that it is not used by accident where SHA256 information is present.
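Darrin's baseline trust file built from what dpkg has installed, and Steve's point that the file size is recorded next to the hash so a collision would also have to preserve size, both come down to the same "path size sha256" trust entry. The following is an added example, not code from fapolicyd or from the thread: `entries_from_dpkg_list`, `verify` and `demo` are assumed names, and the package list and files it reads are constructed in a temporary directory rather than taken from /var/lib/dpkg/info/.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def trust_entry(path):
    """One line in the 'path size sha256' layout of fapolicyd's file trust source."""
    return f"{path} {os.path.getsize(path)} {sha256_of(path)}"

def entries_from_dpkg_list(list_file):
    """Trust entries for the regular files in a dpkg-style .list (directories skipped)."""
    entries = []
    with open(list_file) as f:
        for line in f:
            p = line.strip()
            if p and os.path.isfile(p):
                entries.append(trust_entry(p))
    return entries

def verify(entry):
    """True only if the file still has the recorded size AND the recorded hash."""
    path, size, digest = entry.rsplit(" ", 2)
    if not os.path.isfile(path) or os.path.getsize(path) != int(size):
        return False          # size mismatch: no need to hash
    return sha256_of(path) == digest

def demo():
    """Constructed sample: two 'installed' files, then one is altered in place."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("ping", "ls")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"ELF sample body for " + os.path.basename(p).encode())
        listing = os.path.join(d, "pkg.list")
        with open(listing, "w") as f:
            f.write("\n".join([d] + paths) + "\n")   # dpkg lists the dir too
        entries = entries_from_dpkg_list(listing)
        before = [verify(e) for e in entries]
        with open(paths[0], "r+b") as f:  # same-size edit: only the hash changes
            f.write(b"XLF")
        after = [verify(e) for e in entries]
        return len(entries), before, after

if __name__ == "__main__":
    print(demo())
```

A same-size modification passes the size check and is caught only by the hash, which is the case the size field alone cannot cover and the reason both are kept.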