linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0

If no initial watched mount points then new mount points are not properly watched #254

Open wjhunter3 opened 1 year ago

wjhunter3 commented 1 year ago

If there are no watched mount points when fapolicyd starts then new mount points are not properly watched. To re-create from a fresh install:

wjhunter3 commented 1 year ago

The attached patch will resolve the problem. fapolicyd-1.3.1-issue-254.patch.txt

radosroka commented 1 year ago

Please create a PR.

sopos commented 1 year ago

Finally, I was able to create a tmt test plan with tests with destructive potential [1], where one of the tests is testing this issue, and I was actually able to reproduce it on rhel-8 but not rhel-9, which is interesting.

  1. https://github.com/RedHat-SP-Security/tests/tree/master/fapolicyd/destructive

  # fapolicyd-1.3.2-100.el9
    report
        how: display
            pass /default-0/fapolicyd/destructive/library
                output.txt: /var/tmp/tmt/run-022/fapolicyd/destructive/plan/execute/data/guest/default-0/default-0/fapolicyd/destructive/library-1/output.txt
                journal.txt: /var/tmp/tmt/run-022/fapolicyd/destructive/plan/execute/data/guest/default-0/default-0/fapolicyd/destructive/library-1/journal.txt
            pass /default-1/fapolicyd/destructive/mount-umount-after-cli--update
                output.txt: /var/tmp/tmt/run-022/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/mount-umount-after-cli--update-2/output.txt
                journal.txt: /var/tmp/tmt/run-022/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/mount-umount-after-cli--update-2/journal.txt
            pass /default-1/fapolicyd/destructive/newly-mounted-fstype
                output.txt: /var/tmp/tmt/run-022/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/newly-mounted-fstype-3/output.txt
                journal.txt: /var/tmp/tmt/run-022/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/newly-mounted-fstype-3/journal.txt
        summary: 3 tests passed

  # fapolicyd-1.3.2-1.el8
    report
        how: display
            pass /default-0/fapolicyd/destructive/library
                output.txt: /var/tmp/tmt/run-024/fapolicyd/destructive/plan/execute/data/guest/default-0/default-0/fapolicyd/destructive/library-1/output.txt
                journal.txt: /var/tmp/tmt/run-024/fapolicyd/destructive/plan/execute/data/guest/default-0/default-0/fapolicyd/destructive/library-1/journal.txt
            pass /default-1/fapolicyd/destructive/mount-umount-after-cli--update
                output.txt: /var/tmp/tmt/run-024/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/mount-umount-after-cli--update-2/output.txt
                journal.txt: /var/tmp/tmt/run-024/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/mount-umount-after-cli--update-2/journal.txt
            fail /default-1/fapolicyd/destructive/newly-mounted-fstype
                output.txt: /var/tmp/tmt/run-024/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/newly-mounted-fstype-3/output.txt
                journal.txt: /var/tmp/tmt/run-024/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/newly-mounted-fstype-3/journal.txt
        summary: 2 tests passed and 1 test failed

stevegrubb commented 10 months ago

Can this issue be closed? Looks like it might be solved but can't tell.