If no initial watched mount points then new mount points are not properly watched #254

wjhunter3 · 2023-07-26T16:52:50Z

If there are no watched mount points when fapolicyd starts then new mount points are not properly watched. To re-create from a fresh install:

Stop fapolicyd:
# systemctl stop fapolicyd
Edit /etc/fapolicyd/fapolicyd.conf to set watch_fs to only ramfs:
watch_fs = ramfs
Start fapolicyd in debug mode:
# /usr/sbin/fapolicyd --debug
Mount a ramfs, and copy a binary to it:
# mkdir /tmp/test
# mount -t ramfs /dev/ram0 /tmp/test
# cp /bin/ls /tmp/test
View the output of fapolicyd and note there are no "rule=2 dec=allow..." messages
.
.
.
Mount change detected
Added /tmp/test mount point
(nothing more at this point)
Restart fapolicyd in debug mode, without unmounting /tmp/test:
# /usr/sbin/fapolicyd --debug
Execute the binary:
# /tmp/test/ls
View the output to see the proper messages:
.
.
.
added /tmp/test mount point
Starting to listen for events
rule=2 dec=allow perm=execute auid=0 pid=39632 exe=/usr/bin/bash : path=/tmp/test/ls ftype=application/x-executable trust=0
rule=2 dec=allow perm=open auid=0 pid=39632 exe=/usr/bin/bash : path=/tmp/test/ls ftype=application/x-executable trust=0

wjhunter3 · 2023-07-26T17:03:25Z

The attached patch will resolve the problem.
fapolicyd-1.3.1-issue-254.patch.txt

radosroka · 2023-07-27T11:56:30Z

Please create PR.

Move the block of code that initializes mark_flag out of the loop so that it's always initialized, even if no watched mount points are initially present.

sopos · 2023-08-09T21:45:15Z

finally I was able to create a tmt test plan with tests with destructive potential [1] where one of the tests it testing this issue and I was actually able to reproduce it on rhel-8 but not rhel-9 which is interesting

https://github.com/RedHat-SP-Security/tests/tree/master/fapolicyd/destructive

  # fapolicyd-1.3.2-100.el9
    report
        how: display
            pass /default-0/fapolicyd/destructive/library
                output.txt: /var/tmp/tmt/run-022/fapolicyd/destructive/plan/execute/data/guest/default-0/default-0/fapolicyd/destructive/library-1/output.txt
                journal.txt: /var/tmp/tmt/run-022/fapolicyd/destructive/plan/execute/data/guest/default-0/default-0/fapolicyd/destructive/library-1/journal.txt
            pass /default-1/fapolicyd/destructive/mount-umount-after-cli--update
                output.txt: /var/tmp/tmt/run-022/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/mount-umount-after-cli--update-2/output.txt
                journal.txt: /var/tmp/tmt/run-022/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/mount-umount-after-cli--update-2/journal.txt
            pass /default-1/fapolicyd/destructive/newly-mounted-fstype
                output.txt: /var/tmp/tmt/run-022/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/newly-mounted-fstype-3/output.txt
                journal.txt: /var/tmp/tmt/run-022/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/newly-mounted-fstype-3/journal.txt
        summary: 3 tests passed


  # fapolicyd-1.3.2-1.el8
    report
        how: display
            pass /default-0/fapolicyd/destructive/library
                output.txt: /var/tmp/tmt/run-024/fapolicyd/destructive/plan/execute/data/guest/default-0/default-0/fapolicyd/destructive/library-1/output.txt
                journal.txt: /var/tmp/tmt/run-024/fapolicyd/destructive/plan/execute/data/guest/default-0/default-0/fapolicyd/destructive/library-1/journal.txt
            pass /default-1/fapolicyd/destructive/mount-umount-after-cli--update
                output.txt: /var/tmp/tmt/run-024/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/mount-umount-after-cli--update-2/output.txt
                journal.txt: /var/tmp/tmt/run-024/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/mount-umount-after-cli--update-2/journal.txt
            fail /default-1/fapolicyd/destructive/newly-mounted-fstype
                output.txt: /var/tmp/tmt/run-024/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/newly-mounted-fstype-3/output.txt
                journal.txt: /var/tmp/tmt/run-024/fapolicyd/destructive/plan/execute/data/guest/default-0/default-1/fapolicyd/destructive/newly-mounted-fstype-3/journal.txt
        summary: 2 tests passed and 1 test failed

…itelisting#254

stevegrubb · 2023-11-17T20:27:15Z

Can this issue be closed? Looks like it might be solved but can't tell.

stevegrubb pushed a commit that referenced this issue Aug 1, 2023

Update notify.c for issue #254 (#257)

00601b9

Move the block of code that initializes mark_flag out of the loop so that it's always initialized, even if no watched mount points are initially present.

wjhunter3 added a commit to wjhunter3/fapolicyd that referenced this issue Aug 11, 2023

Update notify.c to not remove previous patch for linux-application-wh…

f39c2ad

…itelisting#254

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

If no initial watched mount points then new mount points are not properly watched #254

If no initial watched mount points then new mount points are not properly watched #254

wjhunter3 commented Jul 26, 2023

wjhunter3 commented Jul 26, 2023

radosroka commented Jul 27, 2023

sopos commented Aug 9, 2023 •

edited

Loading

stevegrubb commented Nov 17, 2023

If no initial watched mount points then new mount points are not properly watched #254

If no initial watched mount points then new mount points are not properly watched #254

Comments

wjhunter3 commented Jul 26, 2023

wjhunter3 commented Jul 26, 2023

radosroka commented Jul 27, 2023

sopos commented Aug 9, 2023 • edited Loading

stevegrubb commented Nov 17, 2023

sopos commented Aug 9, 2023 •

edited

Loading