Provided by: fapolicyd_1.3.2+20231212+git973a86d1b4-1build2_amd64 bug

NAME
       fapolicyd-filter.conf - fapolicyd filter configuration file


DESCRIPTION
       The file /etc/fapolicyd/fapolicyd-filter.conf contains configuration of the filter for the
       application allowlisting daemon. This filter specifies an allow or exclude list  of  files
       from  a  trust  source. Valid line starts with character '+', '-' or '#' for comments. The
       rest of the line contains a path specification. Space can be used as  indentation  to  add
       more  specific  filters to the previous one. Note, that only one space is required for one
       level of an indent. If  there are multiple specifications on the  same  indentation  level
       they  extend  the previous line with lower indentation, usually a directory.  The path may
       be specified using the glob pattern. A directory specification has to  end  with  a  slash
       ‘/’.

       The  filters are processed as follows: Starting from the up the to bottom while in case of
       a match the result (+/-) is set unless there is an indented  block  which  describes  more
       detailed  specification of the parent level match. The same processing logic is applied to
       the inner filters definitions. If there is no match, the parent’s result is set. If  there
       is no match at all, the default result is minus (-).

       If  the  result was a plus (+), the respective file from a trust source is imported to the
       TrustDB. Vice versa, if the result was a minus (-), the respective file is not imported.

       From a performance point of view it is better to design an indented filter because in  the
       ideal  situation  each  component  of the path is compared only once. In contrast to it, a
       filter without any indentation has to contain a full path which  makes  the  pattern  more
       complicated  and  thus slower to process. The motivation behind this is to have a flexible
       configuration and keep the TrustDB as small as possible to make the look-ups faster.

       # this is simple allow list
       - /usr/bin/some_binary1
       - /usr/bin/some_binary2
       + /

       # this is the same
       + /
        + usr/bin/
         - some_binary1
         - some_binary2

       # this is similar allow list with a wildcard
       - /usr/bin/some_binary?
       + /

       # this is similar with another wildcard
       + /
        - usr/bin/some_binary*

       # keeps everything except usr/share except python and perl files
       # /usr/bin/ls - result is '+'
       # /usr/share/something - result is '-'
       # /usr/share/abcd.py - result is '+'
       + /
        - usr/share/
         + *.py
         + *.pl


SEE ALSO
       fapolicyd(8), fapolicyd-cli(1) fapolicy.rules(5) and glob(7)


AUTHOR
       Radovan Sroka