linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0

Allow override of mounts file #300

Open jw3 opened 4 months ago

jw3 commented 4 months ago

When in debug mode the default /proc/mounts source can be overridden to customize the source of fanotify events. This allows for a finer level of control than is achievable with filesystem type filtering.

The intent here is to restrict events to specific locations when testing to make interpreting the event stream easier.

The alternative mounts file will expect the same format as /proc/mounts, allowing us to head, tail, or grep sublists from /proc/mounts into a new file that fapolicyd will use as the mount source.

An example of restricting fapolicyd to only listen in a test directory

$ mount -t tmpfs tmpfs /tmp/test-dir
$ grep test-dir /proc/mounts > /tmp/my-test-mounts
$ fapolicyd --debug --mounts=/tmp/my-test-mounts
$ cat /tmp/my-test-mounts
tmpfs /tmp/test-dir tmpfs rw,relatime,inode64 0 0

Only enabling this for debug mode, as it's not intended to be a feature used outside of debugging and testing a system.
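As an added example (not code from the fapolicyd project or from this PR), the following POSIX sh helpers build the reduced mounts file that the PR proposes passing via `--mounts=`. Instead of grepping whole lines of /proc/mounts, they match on the mount-point field, refuse an empty result, and check that what is written still has the six-field /proc/mounts layout. The /proc/mounts content is constructed for the example; the `--mounts` flag is assumed to be exactly what this PR adds and is not invoked by the script.

```shell
#!/bin/sh
# Added example, not code from the fapolicyd project or from this PR.
# Builds a reduced mounts file in /proc/mounts format, of the kind the PR's
# proposed `fapolicyd --debug --mounts=<file>` would consume, by selecting on
# the mount-point field rather than grepping whole lines.

# Constructed sample of /proc/mounts content (not captured from a real host).
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,inode64 0 0
tmpfs /tmp/test-dir tmpfs rw,relatime,inode64 0 0
tmpfs /tmp/test-dir2 tmpfs rw,relatime,inode64 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0'

# /proc/mounts lines have six whitespace-separated fields:
#   device mountpoint fstype options dump pass
# Whitespace inside a path is escaped as \040, so the field count holds.
MOUNTS_FIELDS=6

# filter_mounts SRC REGEX
#   Print the entries of SRC whose mount point (field 2) matches REGEX.
#   Anchor the regex (e.g. '^/tmp/test-dir$') so that /tmp/test-dir2, or a
#   device name that happens to contain the string, is not picked up too.
filter_mounts() {
    awk -v nf="$MOUNTS_FIELDS" -v pat="$2" 'NF == nf && $2 ~ pat' "$1"
}

# validate_mounts FILE
#   Succeed only if every non-empty line has exactly six fields, i.e. the
#   file is still in the format fapolicyd reads from /proc/mounts.
validate_mounts() {
    awk -v nf="$MOUNTS_FIELDS" 'NF != 0 && NF != nf { bad = 1 } END { exit bad }' "$1"
}

# mount_points FILE
#   Print the mount points listed in FILE, one per line.
mount_points() {
    awk '{ print $2 }' "$1"
}

# write_test_mounts SRC REGEX DEST
#   Produce DEST from SRC, then refuse an empty or malformed result so a
#   typo in the regex fails loudly instead of silently yielding no events.
write_test_mounts() {
    filter_mounts "$1" "$2" > "$3"
    [ -s "$3" ] || { echo "no mount point in $1 matches $2" >&2; return 1; }
    validate_mounts "$3"
}

# Demonstration on the constructed sample; on a real host SRC would be /proc/mounts.
_src=$(mktemp) && _dst=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$_src"
write_test_mounts "$_src" '^/tmp/test-dir$' "$_dst"
cat "$_dst"
# fapolicyd --debug --mounts="$_dst"   # the flag as this PR proposes it; not run here
rm -f "$_src" "$_dst"
```

Matching on field 2 is what makes the difference to the PR's `grep test-dir /proc/mounts` one-liner: an unanchored grep would also keep `/tmp/test-dir2`, and the validation step catches a hand-edited file that no longer looks like /proc/mounts before fapolicyd is pointed at it.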

jw3 commented 4 months ago

I still have some cleanup to do in the arg parsing code, but wanted to get @stevegrubb @radosroka feedback on if this idea is sane.

radosroka commented 1 month ago

This makes sense. Thank you for the PR.

jw3 commented 1 month ago

Thanks @radosroka, it is ready.

radosroka commented 1 month ago

I haven't tried but I believe that --debug has to be first (before --mounts). Could you change it so it can be either way?

So fapolicyd --mounts=/tmp/my-test-mounts --debug works?

jw3 commented 1 month ago

I haven't tried but I believe that --debug has to be first

You are correct. I did add a note to the readme about this.

I looked briefly and there was not an obvious way, but I could take a closer look.

It's a matter of setting the debug flag in a separate loop, but then still having to allow for the debug flags in the original loop that processes the other args, so that we don't fall through to the error case in the final else.

jw3 commented 1 month ago

Broke the debug flag checks into a separate loop. See how that looks. :)

I removed the note about ordering from the readme.

Thanks for pointing it out, it's better this way.

radosroka commented 1 month ago

Cool. I will merge PR later.