compiled.rules - compiled fapolicyd rules to determine access
rights fapolicyd.rules - deprecated fapolicyd rules to determine access
rights
compiled.rules is a file that is compiled by
fagenrules which contains the rules that fapolicyd uses to
make decisions about access rights. The rules follow a simple format of:
decision perm subject : object
They are evaluated from top to bottom with the first rule to match
being used for the access control decision. The colon is mandatory to
separate subject and object since they share keywords.
The decision is either allow, deny,
allow_audit, deny_audit, allow_syslog,
deny_syslog, allow_log, or deny_log. If the rule
triggers, this is the access decision that fapolicyd will tell the kernel.
If the decision is one of the audit variety, then the decision will trigger
a FANOTIFY audit event with all relevant information. You must have at
least one audit rule loaded to generate an audit event. If the decision
is one of the syslog variety, then the decision will trigger writing an
event into syslog. If the decision is of one the log variety, then it will
create an audit event and a syslog event. Regardless of the notification,
any rule with a deny in the keyword will deny access and any with an allow
in the keyword will allow access.
Perm describes what kind permission is being asked for. The
permission is either open, execute, or any. If none are
given, then open is assumed.
The subject is the process that is performing actions on system
resources. The fields in the rule that describe the subject are written in a
name=value format. There can be one or more subject fields. Each field is
and'ed with others to decide if a rule triggers. The name values can be any
of the following:
- all
- This matches against any subject. When used, this must be the only subject
in the rule.
- auid
- This is the login uid that the audit system assigns users when they log in
to the system. Daemons have a value of -1. The given value may be numeric
or the account name.
- uid
- This is the user id that the program is running under. The given value may
be numeric or the account name.
- gid
- This is the group id that the program is running under. The given value
may be numeric or the group name.
- sessionid
- This is the numeric session id that the audit system assigns to users when
they log in. Daemons have a value of -1.
- pid
- This is the numeric process id that a program has.
- ppid
- This is the numeric process id of the program's parent. Note that programs
that are orphaned or started directly from systemd have a ppid value of 1.
Kernel threads have a ppid value of 2.
- trust
- This is a boolean describing whether it is required for the subject to be
in the trust database or not. A value of 1 means its required while 0
means its not. Trust checking is extended by the integrity setting in
fapolicyd.conf. When trust is used on the subject, it could be a daemon.
If that daemon gets updated on disk, the trustdb will be updated to the
new SHA256 hash. If the integrity setting is not none, the running daemon
is not likely to be trusted unless it gets restarted. The default rules
are not written in a way that this would happen. But this needs to be
highlighted as it may not be obvious when writing a new rule.
- comm
- This is the shortened command name. When an interpreter starts a program,
it usually renames the program to the script rather than the
interpreter.
- exe
- This is the full path to the executable. Globbing is not supported. You
may also use the special keyword untrusted to match on the subject
not being listed in the rpm database.
- dir
- If you wish to match a directory, then use this by giving the full path to
the directory. Its recommended to end with the / to ensure it matches a
directory. There are 3 keywords that dir supports: execdirs,
systemdirs, untrusted.
- execdirs
- The execdirs option will match against the following list of
directories:
- /usr/
- /bin/ /sbin/ /lib/ /lib64/ /usr/libexec/
- systemdirs
- The systemdirs option will match against the same list as
execdirs but also includes /etc/.
- untrusted
- The untrusted option will look up the current executable's full
path in the rpm database to see if the executable is known to the system.
The rule will trigger if the file in question is not in the trust
database. This option is deprecated in favor of using obj_trust
with execute permission when writing rules.
- ftype
- This option takes the mime type of a file as an argument. If you wish to
check the mime type of a file while writing rules, run the following
command:
fapolicyd-cli --ftype /path-to-file
- device
- This option will match against the device that the executable resides on.
To use it, start with /dev/ and add the target device name.
- pattern
- There are various ways that an attacker may try to execute code that may
reveal itself in the pattern of file accesses made during program startup.
This rule can take one of several options depending on which access
patterns is wished to be blocked. Fapolicyd is able to detect these
different access patterns and provide the access decision as soon as it
identifies the pattern. The pattern type can be any of:
- normal
- This matches against any ELF program that is dynamically linked.
- ld_so
- This matches against access patterns that indicate that the program is
being started directly by the runtime linker.
- ld_preload
- This matches against access patterns that indicate that the program is
being started with either LD_PRELOAD or LD_AUDIT present in the
environment. Note that even without this rule, you have protection against
LD_PRELOAD of unknown binaries when the rules are written such that trust
is used to determine if a library should be opened. In that case, the
preloaded library would be denied but the application will still execute.
This rule makes it so that even trusted libraries can be denied and the
application will not execute.
- static
- This matches against ELF files that are statically linked.
The object is the file that the subject is interacting with. The
fields in the rule that describe the object are written in a name=value
format. There can be one or more object fields. Each field is and'ed with
others to decide if a rule triggers. The name values can be any of the
following:
- all
- This matches against any obbject. When used, this must be the only object
in the rule.
- path
- This is the full path to the file that will be accessed. Globbing is not
supported. You may also use the special keyword untrusted to match
on the object not being listed in the rpm database.
- dir
- If you wish to match on access to any file in a directory, then use this
by giving the full path to the directory. Its recommended to end with the
/ to ensure it matches a directory. There are 3 keywords that dir
supports: execdirs, systemdirs, untrusted. See the
dir option under Subject for an explanation of these keywords.
- device
- This option will match against the device that the file being accessed
resides on. To use it, start with /dev/ and add the target device
name.
- ftype
- This option matches against the mime type of the file being accessed. See
ftype under Subject for more information on determining the mime
type.
- trust
- This is a boolean describing whether it is required for the object to be
in the trust database or not. A value of 1 means its required while 0
means its not. Trust checking is extended by the integrity setting in
fapolicyd.conf.
- sha256hash
- This option matches against the sha256 hash of the file being accessed.
The hash in the rules should be all lowercase letters and do NOT start
with 0x. Lowercase is the default output of sha256sum.
Set is a named group of values of the same type. Fapolicyd
internally distinguishes between INT and STRING set types. You can define
your own set and use it as a value for a specific rule attribute. The
definition is in key=value syntax and starts with a set name. The set name
has to start with '%' and the rest is alphanumeric or '_'. The value is a
comma separated list. The set type is inherited from the first item in the
list. If that can be turned into number then whole list is expected to carry
numbers. One can use these sets as a value for subject and object
attributes. It is also possible to use a plain list as an attribute value
without previous definition. The assigned set has to match the attribute
type. It is not possible set groups for TRUST and PATTERN attributes.
# definition
%python=/usr/bin/python2.7,/usr/bin/python3.6
allow exe=%python : all trust=1
#
# definition
# number set
%uuids=0,1000
allow uid=%uuids : all
When writing rules, you should keep them focused to one goal and
store them in one file. These rule files are kept in the
/etc/fapolicyd/rules.d directory. During daemon startup, fagenrules
will run and compile all these component files into one master file,
compiled.rules. See the fagenrules man page for more information.
When you are writing a rule for the execute permission, remember
that the file to be executed is an object. For example, you type ssh
into the shell. The shell calls execve on /usr/bin/ssh. At that instant in
time, ssh is the object that bash is working on. However, if you are
blocking execution from a specific program, then you would normally
state the program on the subject side and use all for the object
side.
If you are writing rules that use patterns, just select any
as the permission to be clear that this applies to anything. In reality,
pattern matching ignores the permission but the suggestion is for
documentation purposes.
Some interpreters do not immediately read all lines of input.
Rather, they read content as needed until they get to end of file. This
means that if they do stuff like networking or sleeping or anything that
takes time, someone with the privileges to modify the file can add to it
after the file's integrity has been checked. This is not unique to
fapolicyd, it's simply how things work. Make sure that trusted file
permissions are not excessive so that no unexpected file content
modifications can occur.
The following rules illustrate the rule syntax.
deny_audit perm=open exe=/usr/bin/wget : dir=/tmp
allow perm=open exe=/usr/bin/python3.7 : ftype=text/x-python trust=1
deny_audit perm=any pattern ld_so : all
deny perm=any all : all