You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Rules could only compare exe and path attributes exactly, so policies could
not describe stable layouts containing per-user or versioned path components.
Track whether immutable string sets contain glob metacharacters, preserve ex
act AVL lookup as the fast path, and evaluate exe and path patterns with pathnam
e and leading-period boundaries. Concrete event paths and trust database keys re
main unchanged.
Add rule and attribute-set coverage for wildcard semantics, exact compatibil
ity, named sets, ordering, and path immutability. Document safe use, trust requi
rements, CLI behavior, and unsupported recursive globbing.
Copy file name to clipboardExpand all lines: README.md
+11Lines changed: 11 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -224,6 +224,17 @@ allow, use the macro set support as illustrated in this last example. This puts
224
224
the list into a sorted AVL tree so that searching is cut to a minimum number
225
225
of compares.
226
226
227
+
The `exe` and `path` rule attributes also accept `fnmatch` glob patterns for
228
+
paths with a necessary variable component, such as
229
+
`/opt/vendor/product-*/bin/tool`. Wildcards do not cross `/` or implicitly
230
+
match a leading period, and `**` recursive matching is not supported. Continue
231
+
to use `dir` for a complete subtree under a fixed directory and exact values or
232
+
sets when the paths are known. A `dir` value containing glob metacharacters is
233
+
a rule error reported by `fapolicyd-cli --check-rules`; use subject `exe` or
234
+
object `path` when glob matching is required.
235
+
236
+
A glob selects matching paths but does not trust them. In particular, it is not advisable to allow execution from a user-writable path solely because its name matches a glob. It is strongly suggested to pair an object `path` allow with object `trust=1` or an explicit `FILE_HASH`; pair a subject `exe` glob in a user-writable location with subject `trust=1`. The trust database continues to contain concrete paths; see the `fapolicyd.rules(5)` man page for the complete globbing contract.
237
+
227
238
One last note, the rule engine is a first match wins system. If you are adding
228
239
rules to allow something but it gets denied by a rule higher up, then move
229
240
your rule above the thing that denies it. But again, if you are writing rules
Copy file name to clipboardExpand all lines: doc/fapolicyd-cli.8
+1-1Lines changed: 1 addition & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -76,7 +76,7 @@ matching the \fB%languages\fP macro. A non-zero status is returned when risky
76
76
entries are found so automated workflows can gate changes.
77
77
.TP
78
78
.B\-\-check-rules[path]
79
-
Parse the rules file with the daemon policy parser without loading it into the daemon. If \fIpath\fP is omitted, the command checks the active rules file, using \fI/etc/fapolicyd/fapolicyd.rules\fP when present and \fI/etc/fapolicyd/compiled.rules\fP otherwise. If both installed rules files exist, the command reports a path configuration error unless \fB\-\-lint\fP is also used. A zero exit status means the file is valid.
79
+
Parse the rules file with the daemon policy parser without loading it into the daemon. If \fIpath\fP is omitted, the command checks the active rules file, using \fI/etc/fapolicyd/fapolicyd.rules\fP when present and \fI/etc/fapolicyd/compiled.rules\fP otherwise. If both installed rules files exist, the command reports a path configuration error unless \fB\-\-lint\fP is also used. A zero exit status means the file is valid. Glob values for \fBexe\fP and \fBpath\fP are accepted as rule syntax, but this command does not expand them or simulate which concrete paths they match. Glob metacharacters in \fBdir\fP values are rejected.
80
80
.TP
81
81
.B\-\-lint
82
82
When used with \fB\-\-check-rules\fP, also emit policy-shape warnings for executable or programmatic content that can reach the default-allow path. The option may be placed before or after \fB\-\-check-rules\fP. A warning causes a non-zero exit status.
Copy file name to clipboardExpand all lines: doc/fapolicyd.rules.5
+102-2Lines changed: 102 additions & 2 deletions
Original file line number
Diff line number
Diff line change
@@ -59,7 +59,11 @@ This is a boolean describing whether it is required for the subject to be in the
59
59
This is the shortened command name. When an interpreter starts a program, it usually renames the program to the script rather than the interpreter.
60
60
.TP
61
61
.Bexe
62
-
This is the full path to the executable. Globbing is not supported. You may also use the special keyword \fBuntrusted\fP to match on the subject not being listed in the rpm database.
62
+
This is the full path to the executable. Exact paths and glob patterns are
63
+
supported. See
64
+
.BPATHGLOBBING
65
+
below. You may also use the special keyword \fBuntrusted\fP to match on the
66
+
subject not being listed in the rpm database.
63
67
.TP
64
68
.Bdir
65
69
If you wish to match a directory, then use this by giving the full path to the directory. Its recommended to end with the / to ensure it matches a directory. There are 3 keywords that \fIdir\fP supports: \fBexecdirs\fP, \fBsystemdirs\fP, \fBuntrusted\fP.
@@ -129,7 +133,11 @@ The object is the file that the subject is interacting with. The fields in the r
129
133
This matches against any obbject. When used, this must be the only object in the rule.
130
134
.TP
131
135
.Bpath
132
-
This is the full path to the file that will be accessed. Globbing is not supported. You may also use the special keyword \fBuntrusted\fP to match on the object not being listed in the rpm database.
136
+
This is the full path to the file that will be accessed. Exact paths and glob
137
+
patterns are supported. See
138
+
.BPATHGLOBBING
139
+
below. You may also use the special keyword \fBuntrusted\fP to match on the
140
+
object not being listed in the rpm database.
133
141
.TP
134
142
.Bdir
135
143
If you wish to match on access to any file in a directory, then use this by giving the full path to the directory. Its recommended to end with the / to ensure it matches a directory. There are 3 keywords that \fIdir\fP supports: \fBexecdirs\fP, \fBsystemdirs\fP, \fBuntrusted\fP. See the \fBdir\fP option under Subject for an explanation of these keywords.
@@ -150,6 +158,97 @@ is still accepted)
150
158
This option matches against the hash of the file being accessed. The accepted hash length follows the trust source, so RPM entries built with SHA512 store SHA512 digests while other sources may continue to provide SHA256. The hash in the rules should be all lowercase letters and do NOT start with 0x. Lowercase is the default output of sha256sum and sha512sum. The SHA256HASH keyword remains for compatibility but is deprecated; prefer FILE_HASH for new rules.
151
159
.RE
152
160
161
+
.SH PATH GLOBBING
162
+
Glob patterns are supported only by the subject
163
+
.Bexe
164
+
and object
165
+
.Bpath
166
+
attributes. The
167
+
.Bdir
168
+
attribute remains a literal directory prefix; use it instead of a glob when a
169
+
rule applies to a complete subtree rooted at a fixed directory. A
170
+
.Bdir
171
+
value containing a glob metacharacter is rejected, including when the value
172
+
comes from a named set. Use subject
173
+
.Bexe
174
+
or object
175
+
.Bpath
176
+
when glob matching is required.
177
+
178
+
Patterns use
179
+
.BR fnmatch (3)
180
+
syntax. A
181
+
.B*
182
+
matches zero or more characters,
183
+
.B?
184
+
matches one character, and bracket expressions such as
185
+
.B[0-9]
186
+
match one character from the expression. Matching is case-sensitive and must
187
+
cover the complete path. Wildcards do not match a slash, so each variable path
188
+
component must be written explicitly. A wildcard does not match a leading
189
+
period in a path component unless the period appears explicitly in the
190
+
pattern. Backslash quotes a metacharacter. Recursive
191
+
.B**
192
+
globstar matching is not supported.
193
+
194
+
Bracket ranges such as
195
+
.B[a-z]
196
+
and named character classes such as
197
+
.B[[:alpha:]]
198
+
use the locale active in the daemon. Avoid ranges and named classes when policy
199
+
must produce identical matches in every locale; use exact alternatives or
200
+
enumerate the intended characters instead.
201
+
202
+
For example,
203
+
.B/home/*/bin/tool
204
+
matches
205
+
.B/home/alice/bin/tool
206
+
but not
207
+
.B/home/alice/project/bin/tool
208
+
or
209
+
.BR /home/.admin/bin/tool .
210
+
Glob values may appear in comma-separated attribute values and in named string
211
+
sets. Rule order is unchanged: rules are evaluated from top to bottom, and the
212
+
first complete rule match determines the decision.
213
+
214
+
The concrete object
215
+
.Bpath
216
+
is obtained from the event file descriptor through
217
+
.IR /proc/self/fd/ ,
218
+
and the subject
219
+
.Bexe
220
+
path is obtained through
221
+
.IR /proc/PID/exe .
222
+
Symbolic links have therefore already been followed, so a rule normally matches
223
+
the reported target path rather than the symbolic link name used by the
224
+
application. Hard links and mount aliases can expose different concrete paths
225
+
for the same inode; policy that must cover those aliases needs an exact value or
226
+
pattern for each reported path.
227
+
228
+
Globbing selects paths; it does not expand the pattern, alter the path reported
229
+
in logs, or make matching files trusted. Trust database entries continue to use
230
+
concrete paths. An allow rule for a user-writable location should normally pair
231
+
an object
232
+
.Bpath
233
+
glob with object
234
+
.Btrust=1
235
+
or an explicit
236
+
.BFILE_HASH
237
+
constraint. A subject
238
+
.Bexe
239
+
glob in a user-writable location should normally require subject
240
+
.BR trust=1 .
241
+
Otherwise, any file whose name fits the pattern can receive the allow decision.
242
+
Prefer exact paths, named sets of exact paths, or
243
+
.Bdir
244
+
when they express the policy because exact and prefix matching are less
Set is a named group of values of the same type. Fapolicyd internally distinguishes between INT and STRING set types. You can define your own set and use it as a value for a specific rule attribute. The definition is in key=value syntax and starts with a set name. The set name has to start with '%' and the rest is alphanumeric or '_'. The value is a comma separated list. The set type is inherited from the first item in the list. If that can be turned into number then whole list is expected to carry numbers. One can use these sets as a value for subject and object attributes. It is also possible to use a plain list as an attribute value without previous definition. The assigned set has to match the attribute type. It is not possible set groups for TRUST and PATTERN attributes.
155
254
@@ -202,6 +301,7 @@ The following rules illustrate the rule syntax.
0 commit comments