Open wjhunter3 opened 3 months ago
It is possible to create the trust file on another system and then drop it in the trust.d directory. If we make any loopholes for fapolicyd-cli, it becomes a possible loophole that something else could use.
Our application is in a closed system, so having a "mirror" system to modify the trust DB and copy to the target system is not possible/practical.
The "loophole" would be for an extremely specific scenario - only for fapolicyd-cli, or the fapolicyd daemon itself, to open files for the purpose of measurement.
I was thinking you'd make that trust file as part of the deployment of the custom software. A second option would be to package the custom software so that it's installed by an rpm and then everything works. The last idea would be to add something as a rule like this:
allow perm=open exe=/usr/bin/fapolicyd-cli trust=1 : all
It would need to be near the top of the rules. So, put it in a file with a number in the 20's.
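The ordering point above (the allow rule for fapolicyd-cli must compile ahead of any deny rule that covers the file) can be checked before restarting the daemon. fapolicyd compiles `rules.d/*.rules` in lexical filename order, so the numeric prefix decides precedence. The script below is an added example, not from the project or the thread; it builds a throwaway rules.d tree with constructed sample rules (the `/opt/custom/app` path and the `50-custom.rules` deny rule are hypothetical) and reports whether the allow rule sorts first.

```shell
#!/bin/sh
# Creates a temporary rules.d tree with constructed sample rules and
# emulates fapolicyd's compile step (files concatenated in sorted order).

make_sample_rules() {
    dir=$(mktemp -d)
    # Hypothetical deny rule that would block hashing /opt/custom/app.
    printf 'deny_audit perm=open all : path=/opt/custom/app\n' > "$dir/50-custom.rules"
    # Exception from the thread: fapolicyd-cli may open files to hash them.
    printf 'allow perm=open exe=/usr/bin/fapolicyd-cli trust=1 : all\n' > "$dir/25-fapolicyd-cli.rules"
    # Catch-all deny, as is typical at the end of a rule set.
    printf 'deny perm=any all : all\n' > "$dir/90-deny.rules"
    echo "$dir"
}

# Concatenates *.rules in lexical order (shell globbing sorts the names),
# dropping comments and blank lines, which is the order the daemon uses.
compile_rules() {
    for f in "$1"/*.rules; do
        cat "$f"
    done | grep -v '^#' | grep -v '^$'
}

# Prints the 1-based position of the first compiled rule matching $2
# (empty output if no rule matches).
rule_position() {
    compile_rules "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

# Succeeds (exit 0) only when the fapolicyd-cli allow rule is compiled
# before the deny rule for path $2; fails if either rule is missing.
allow_precedes_deny() {
    allow=$(rule_position "$1" 'exe=/usr/bin/fapolicyd-cli')
    deny=$(rule_position "$1" "path=$2")
    [ -n "$allow" ] && [ -n "$deny" ] && [ "$allow" -lt "$deny" ]
}

# Usage on the constructed tree: prints the compiled order and the verdict.
rules_dir=$(make_sample_rules)
compile_rules "$rules_dir"
if allow_precedes_deny "$rules_dir" /opt/custom/app; then
    echo "ok: fapolicyd-cli allow rule precedes the deny rule"
else
    echo "problem: renumber the allow rule file so it sorts earlier"
fi
```

Run the same check against a real `/etc/fapolicyd/rules.d` before `fagenrules` or a daemon restart to confirm the exception lands where the thread says it must.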
If there exists a rule against opening a certain file, i.e.:
then the file can't be added to the trust database with the command:
because the file must be opened in order to create a hash value to store in the trust database.
Similarly, if the rule is allow_audit, a FANOTIFY audit event is created when the file is added to the trust database, for the same reasons.
Is there a way that a file can be added to the trust database, other than manually with an a priori hash value, or stopping fapolicyd during the add/update operation?