search

linux-application-whitelisting / fapolicyd

File Access Policy Daemon
GNU General Public License v3.0
192 stars 55 forks source link

Allow rules to express paths using globbing (fnmatch) #309

Closed skosachiov closed 1 week ago

skosachiov commented 2 months ago

You can use wildcards for untrusted files e.g. /media//smb/scripts/, however this may result in poor performance and negative security implications.

skosachiov commented 2 months ago

Example

#!/usr/bin/python
print("hello")

Rules

13. allow_syslog perm=any all : ftype=text/x-python path=/opt/*/scr/* 
14. deny_syslog perm=any all : ftype=text/x-python path=/opt/*/fs/*

Run

[user@pc](mailto:user@astra-uefi):~$ /opt/user1/fs/hello.py  
bash: /opt/user1/fs/hello.py: /usr/bin/python: bad interpreter: Operation not permitted

[user@pc](mailto:user@astra-uefi):~$ /opt/user1/scr/hello.py     
hello

Log

Jun 28 15:13:53 pc fapolicyd[16883]: rule=14 dec=deny_syslog perm=execute auid=1003 pid=16892 exe=/usr/bin/bash : path=/opt/*/fs/* ftype=text/x-python trust=0
Jun 28 15:14:12 pc fapolicyd[16883]: rule=13 dec=allow_syslog perm=execute auid=1003 pid=16893 exe=/usr/bin/bash : path=/opt/*/scr/* ftype=text/x-python trust=0