Provided by: fapolicyd_1.3.2+20231212+git973a86d1b4-1build2_amd64 bug

NAME
       fapolicyd-filter.conf - fapolicyd filter configuration file


DESCRIPTION
       The  file  /etc/fapolicyd/fapolicyd-filter.conf  contains configuration of the filter for the application
       allowlisting daemon. This filter specifies an allow or exclude list of files from a trust  source.  Valid
       line  starts  with  character  '+',  '-'  or  '#'  for  comments.  The  rest  of the line contains a path
       specification. Space can be used as indentation to add more specific filters to the previous  one.  Note,
       that  only one space is required for one level of an indent. If  there are multiple specifications on the
       same indentation level they extend the previous line with lower indentation, usually  a  directory.   The
       path may be specified using the glob pattern. A directory specification has to end with a slash ‘/’.

       The  filters  are  processed  as follows: Starting from the up the to bottom while in case of a match the
       result (+/-) is set unless there is an indented block which describes more detailed specification of  the
       parent level match. The same processing logic is applied to the inner filters definitions. If there is no
       match, the parent’s result is set. If there is no match at all, the default result is minus (-).

       If  the  result  was a plus (+), the respective file from a trust source is imported to the TrustDB. Vice
       versa, if the result was a minus (-), the respective file is not imported.

       From a performance point of view it is better to design an indented filter because in the ideal situation
       each component of the path is compared only once. In contrast to it, a filter without any indentation has
       to contain a full path which makes  the  pattern  more  complicated  and  thus  slower  to  process.  The
       motivation  behind  this is to have a flexible configuration and keep the TrustDB as small as possible to
       make the look-ups faster.

       # this is simple allow list
       - /usr/bin/some_binary1
       - /usr/bin/some_binary2
       + /

       # this is the same
       + /
        + usr/bin/
         - some_binary1
         - some_binary2

       # this is similar allow list with a wildcard
       - /usr/bin/some_binary?
       + /

       # this is similar with another wildcard
       + /
        - usr/bin/some_binary*

       # keeps everything except usr/share except python and perl files
       # /usr/bin/ls - result is '+'
       # /usr/share/something - result is '-'
       # /usr/share/abcd.py - result is '+'
       + /
        - usr/share/
         + *.py
         + *.pl


SEE ALSO
       fapolicyd(8), fapolicyd-cli(1) fapolicy.rules(5) and glob(7)


AUTHOR
       Radovan Sroka

Red Hat                                             June 2023                          FAPOLICYD_FILTER.CONF:(5)