Provided by: fapolicyd_1.1.7-2_amd64 
NAME
compiled.rules - compiled fapolicyd rules to determine access rights fapolicyd.rules -
deprecated fapolicyd rules to determine access rights
DESCRIPTION
compiled.rules is a file that is compiled by fagenrules which contains the rules that
fapolicyd uses to make decisions about access rights. The rules follow a simple format of:
decision perm subject : object
They are evaluated from top to bottom with the first rule to match being used for the
access control decision. The colon is mandatory to separate subject and object since they
share keywords.
Decision
The decision is either allow, deny, allow_audit, deny_audit, allow_syslog, deny_syslog,
allow_log, or deny_log. If the rule triggers, this is the access decision that fapolicyd
will tell the kernel. If the decision is one of the audit variety, then the decision will
trigger a FANOTIFY audit event with all relevant information. You must have at least one
audit rule loaded to generate an audit event. If the decision is one of the syslog
variety, then the decision will trigger writing an event into syslog. If the decision is
of one the log variety, then it will create an audit event and a syslog event. Regardless
of the notification, any rule with a deny in the keyword will deny access and any with an
allow in the keyword will allow access.
Perm
Perm describes what kind permission is being asked for. The permission is either open,
execute, or any. If none are given, then open is assumed.
Subject
The subject is the process that is performing actions on system resources. The fields in
the rule that describe the subject are written in a name=value format. There can be one or
more subject fields. Each field is and'ed with others to decide if a rule triggers. The
name values can be any of the following:
all This matches against any subject. When used, this must be the only
subject in the rule.
auid This is the login uid that the audit system assigns users when they log
in to the system. Daemons have a value of -1. The given value may be
numeric or the account name.
uid This is the user id that the program is running under. The given value
may be numeric or the account name.
gid This is the group id that the program is running under. The given value
may be numeric or the group name.
sessionid This is the numeric session id that the audit system assigns to users
when they log in. Daemons have a value of -1.
pid This is the numeric process id that a program has.
ppid This is the numeric process id of the program's parent. Note that
programs that are orphaned or started directly from systemd have a ppid
value of 1. Kernel threads have a ppid value of 2.
trust This is a boolean describing whether it is required for the subject to
be in the trust database or not. A value of 1 means its required while
0 means its not. Trust checking is extended by the integrity setting in
fapolicyd.conf. When trust is used on the subject, it could be a
daemon. If that daemon gets updated on disk, the trustdb will be
updated to the new SHA256 hash. If the integrity setting is not none,
the running daemon is not likely to be trusted unless it gets
restarted. The default rules are not written in a way that this would
happen. But this needs to be highlighted as it may not be obvious when
writing a new rule.
comm This is the shortened command name. When an interpreter starts a
program, it usually renames the program to the script rather than the
interpreter.
exe This is the full path to the executable. Globbing is not supported. You
may also use the special keyword untrusted to match on the subject not
being listed in the rpm database.
dir If you wish to match a directory, then use this by giving the full path
to the directory. Its recommended to end with the / to ensure it
matches a directory. There are 3 keywords that dir supports: execdirs,
systemdirs, untrusted.
execdirs The execdirs option will match against the following list
of directories:
/usr/ /bin/ /sbin/ /lib/ /lib64/ /usr/libexec/
systemdirs The systemdirs option will match against the same list as
execdirs but also includes /etc/.
untrusted The untrusted option will look up the current executable's
full path in the rpm database to see if the executable is
known to the system. The rule will trigger if the file in
question is not in the trust database. This option is
deprecated in favor of using obj_trust with execute
permission when writing rules.
ftype This option takes the mime type of a file as an argument. If you wish
to check the mime type of a file while writing rules, run the following
command:
fapolicyd-cli --ftype /path-to-file
device This option will match against the device that the executable resides
on. To use it, start with /dev/ and add the target device name.
pattern There are various ways that an attacker may try to execute code that
may reveal itself in the pattern of file accesses made during program
startup. This rule can take one of several options depending on which
access patterns is wished to be blocked. Fapolicyd is able to detect
these different access patterns and provide the access decision as soon
as it identifies the pattern. The pattern type can be any of:
normal This matches against any ELF program that is dynamically
linked.
ld_so This matches against access patterns that indicate that the
program is being started directly by the runtime linker.
ld_preload This matches against access patterns that indicate that the
program is being started with either LD_PRELOAD or LD_AUDIT
present in the environment. Note that even without this
rule, you have protection against LD_PRELOAD of unknown
binaries when the rules are written such that trust is used
to determine if a library should be opened. In that case,
the preloaded library would be denied but the application
will still execute. This rule makes it so that even trusted
libraries can be denied and the application will not
execute.
static This matches against ELF files that are statically linked.
Object
The object is the file that the subject is interacting with. The fields in the rule that
describe the object are written in a name=value format. There can be one or more object
fields. Each field is and'ed with others to decide if a rule triggers. The name values can
be any of the following:
all This matches against any obbject. When used, this must be the only
object in the rule.
path This is the full path to the file that will be accessed. Globbing is
not supported. You may also use the special keyword untrusted to match
on the object not being listed in the rpm database.
dir If you wish to match on access to any file in a directory, then use
this by giving the full path to the directory. Its recommended to end
with the / to ensure it matches a directory. There are 3 keywords that
dir supports: execdirs, systemdirs, untrusted. See the dir option under
Subject for an explanation of these keywords.
device This option will match against the device that the file being accessed
resides on. To use it, start with /dev/ and add the target device name.
ftype This option matches against the mime type of the file being accessed.
See ftype under Subject for more information on determining the mime
type.
trust This is a boolean describing whether it is required for the object to
be in the trust database or not. A value of 1 means its required while
0 means its not. Trust checking is extended by the integrity setting in
fapolicyd.conf.
sha256hash This option matches against the sha256 hash of the file being accessed.
The hash in the rules should be all lowercase letters and do NOT start
with 0x. Lowercase is the default output of sha256sum.
SETS
Set is a named group of values of the same type. Fapolicyd internally distinguishes
between INT and STRING set types. You can define your own set and use it as a value for a
specific rule attribute. The definition is in key=value syntax and starts with a set name.
The set name has to start with '%' and the rest is alphanumeric or '_'. The value is a
comma separated list. The set type is inherited from the first item in the list. If that
can be turned into number then whole list is expected to carry numbers. One can use these
sets as a value for subject and object attributes. It is also possible to use a plain list
as an attribute value without previous definition. The assigned set has to match the
attribute type. It is not possible set groups for TRUST and PATTERN attributes.
SETS EXAMPLES
# definition
%python=/usr/bin/python2.7,/usr/bin/python3.6
allow exe=%python : all trust=1
#
# definition
# number set
%uuids=0,1000
allow uid=%uuids : all
NOTES
When writing rules, you should keep them focused to one goal and store them in one file.
These rule files are kept in the /etc/fapolicyd/rules.d directory. During daemon startup,
fagenrules will run and compile all these component files into one master file,
compiled.rules. See the fagenrules man page for more information.
When you are writing a rule for the execute permission, remember that the file to be
executed is an object. For example, you type ssh into the shell. The shell calls execve
on /usr/bin/ssh. At that instant in time, ssh is the object that bash is working on.
However, if you are blocking execution from a specific program, then you would normally
state the program on the subject side and use all for the object side.
If you are writing rules that use patterns, just select any as the permission to be clear
that this applies to anything. In reality, pattern matching ignores the permission but the
suggestion is for documentation purposes.
Some interpreters do not immediately read all lines of input. Rather, they read content as
needed until they get to end of file. This means that if they do stuff like networking or
sleeping or anything that takes time, someone with the privileges to modify the file can
add to it after the file's integrity has been checked. This is not unique to fapolicyd,
it's simply how things work. Make sure that trusted file permissions are not excessive so
that no unexpected file content modifications can occur.
EXAMPLES
The following rules illustrate the rule syntax.
deny_audit perm=open exe=/usr/bin/wget : dir=/tmp
allow perm=open exe=/usr/bin/python3.7 : ftype=text/x-python trust=1
deny_audit perm=any pattern ld_so : all
deny perm=any all : all
SEE ALSO
fapolicyd(8), fagenrules (8), fapolicyd-cli(8), and fapolicyd.conf(5)
AUTHOR
Steve Grubb