linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0

Path trimmer option #303

Closed skosachiov closed 1 month ago

skosachiov commented 3 months ago

Path trimmer option specifies the path transformation before adding to the database and before file checking. For example, if all users on the host use certain software, e.g. flatpak, from their home directories, you might want to exclude /home/ or maybe /mnt/nfs/home from the file path checking. POSIX-compatible regex mode is used; the resulting value is the last capturing regex group. For example, the expression /(home|mnt/nfs/home)/[^/]+/(.*) returns the same relative paths to applications for all users. Note that there is no need to enclose the expression in quotation marks; a single $ sign will be interpreted as a match-nothing expression. The default value is match nothing.

add dir:

[root@localhost fapolicyd]# fapolicyd-cli -f add /home/jdoe --trust-file home.trust

check db:

[root@localhost fapolicyd]# /usr/local/sbin/fapolicyd-cli -D | grep kubectl
filedb Downloads/kubectl 51454104 7c3807c0f5c1b30110a2ff1e55da1d112a6d0096201f1beb81b269f582b5d1c5

debug:

05/14/2024 13:32:13 [ DEBUG ]: rule=9 dec=allow perm=execute auid=1001 pid=5741 exe=/usr/bin/bash : path=Downloads/kubectl ftype=application/x-executable trust=1
05/14/2024 13:32:13 [ DEBUG ]: rule=14 dec=allow perm=open auid=1001 pid=5741 exe=/usr/bin/bash : path=Downloads/kubectl ftype=application/x-executable trust=1
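To make the proposed transformation concrete, the following is an added example, not fapolicyd's own code, that reproduces the described rule with POSIX extended regular expressions from regex.h: the pattern is applied to the absolute path, the text of the last capturing group becomes the database key, and a pattern without any capturing group (such as the default $) leaves the path untouched. The function names trim_path and same_db_key are hypothetical, the sample paths are constructed, and the pattern is the one from the description above. same_db_key illustrates the integrity concern raised later in the thread: different users' copies of a file collapse onto a single key, so the trust database can hold only one size/hash for all of them.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not fapolicyd code. trim_path applies `pattern` (POSIX ERE)
 * to `path`: on a match with at least one capturing group it returns the
 * text of the LAST group; otherwise the path is returned unchanged. A pattern
 * with no groups, such as the default "$", therefore never trims anything.
 * The caller frees the result. */
char *trim_path(const char *pattern, const char *path)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return strdup(path);       /* unparsable pattern: no trimming at all */

    size_t ngroups = re.re_nsub;   /* number of capturing groups in the pattern */
    regmatch_t *m = calloc(ngroups + 1, sizeof *m);
    char *out;

    if (ngroups > 0 && regexec(&re, path, ngroups + 1, m, 0) == 0
        && m[ngroups].rm_so != -1) {
        size_t len = (size_t)(m[ngroups].rm_eo - m[ngroups].rm_so);
        out = malloc(len + 1);
        memcpy(out, path + m[ngroups].rm_so, len);
        out[len] = '\0';
    } else {
        out = strdup(path);        /* no match or no group: keep the full path */
    }
    free(m);
    regfree(&re);
    return out;
}

/* same_db_key returns 1 when two absolute paths map to the same trust-db key
 * under `pattern`. After trimming, files of different users share one key and
 * hence one recorded size and SHA-256, which is the integrity problem with
 * this approach. */
int same_db_key(const char *pattern, const char *a, const char *b)
{
    char *ka = trim_path(pattern, a);
    char *kb = trim_path(pattern, b);
    int same = strcmp(ka, kb) == 0;
    free(ka);
    free(kb);
    return same;
}

int main(void)
{
    /* Constructed sample paths; the pattern is the one from the PR text. */
    const char *pat = "/(home|mnt/nfs/home)/[^/]+/(.*)";
    const char *paths[] = {
        "/home/jdoe/Downloads/kubectl",
        "/mnt/nfs/home/alice/Downloads/kubectl",
        "/usr/bin/bash",
    };
    for (size_t i = 0; i < sizeof paths / sizeof *paths; i++) {
        char *key = trim_path(pat, paths[i]);
        printf("%-40s -> %s\n", paths[i], key);
        free(key);
    }
    printf("two users' copies share one db key: %d\n",
           same_db_key(pat, paths[0], "/home/bob/Downloads/kubectl"));
    return 0;
}
```

Compiled with `cc -o trim trim.c` on a glibc system, the first two paths print the same key `Downloads/kubectl`, which is exactly the `filedb Downloads/kubectl ...` entry shown above, while `/usr/bin/bash` does not match and stays absolute, as in the debug lines. An unparsable pattern is treated here as "no trimming" because the untrimmed absolute path is the stricter (full-path) check; a daemon would more likely refuse to start on a bad pattern.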

stevegrubb commented 3 months ago

Possibly related issue #74.

radosroka commented 1 month ago

This will be tricky with integrity. @skosachiov have you considered it?

skosachiov commented 1 month ago

I agree. A regular expression with a matching group is too vague. I will withdraw the request. I think I could modify request #309 (fnmatch) so that fapolicyd-cli -f add /home/dummy/.wine/drive_c/Program\ Files/SomeSoft adds keys like /home/*/.wine/drive_c/Program\ Files/SomeSoft/Some.exe ... to the trust.d database.
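To show what a glob-style key of the kind proposed in this comment would match, here is an added example that is not fapolicyd code and not the #309 implementation; it uses fnmatch(3) from the C library. The function name key_matches is hypothetical and the sample paths are constructed. The point worth seeing is the FNM_PATHNAME flag: with it, the `*` in `/home/*/...` matches exactly one path component and cannot cross a `/`, so the key names one directory level below /home rather than any nested subtree.

```c
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdio.h>

/* Added example, not fapolicyd code. key_matches returns 1 when `path`
 * matches the glob `key`. With FNM_PATHNAME a '*' never matches '/', so
 * /home/STAR/.wine/... covers one user directory per match; with flags 0 the
 * same '*' would also swallow "jdoe/sub" and match deeper paths. */
int key_matches(const char *key, const char *path, int flags)
{
    return fnmatch(key, path, flags) == 0;
}

int main(void)
{
    /* Constructed key in the shape proposed in the comment above. */
    const char *key = "/home/*/.wine/drive_c/Program Files/SomeSoft/Some.exe";
    const char *paths[] = {
        "/home/jdoe/.wine/drive_c/Program Files/SomeSoft/Some.exe",
        "/home/jdoe/sub/.wine/drive_c/Program Files/SomeSoft/Some.exe",
        "/home/jdoe/.wine/drive_c/Program Files/SomeSoft/Other.exe",
    };
    for (size_t i = 0; i < sizeof paths / sizeof *paths; i++)
        printf("%-62s pathname=%d loose=%d\n", paths[i],
               key_matches(key, paths[i], FNM_PATHNAME),
               key_matches(key, paths[i], 0));
    return 0;
}
```

The second sample path is the one that separates the two modes: it is rejected under FNM_PATHNAME and accepted with flags 0. Note that a glob key still identifies a set of files, so, as with the regex trimmer, a per-key size and hash can only describe one concrete file.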