FAPOLICYD_FILTER.CONF:(5)     System Administration Utilities     FAPOLICYD_FILTER.CONF:(5)

NAME

       fapolicyd-filter.conf - fapolicyd filter configuration file

DESCRIPTION

       The file /etc/fapolicyd/fapolicyd-filter.conf contains the configuration
       of the filter for the application allowlisting daemon. The filter
       specifies which files from a trust source are allowed (imported) or
       excluded. A valid line starts with the character '+' or '-', or with
       '#' for a comment. The rest of the line contains a path specification.
       Leading spaces are used as indentation to attach more specific filters
       to the preceding, less indented one; a single space is enough for one
       level of indentation. Several specifications on the same indentation
       level all extend the previous line with lower indentation, which is
       usually a directory. A path may be given as a glob pattern. A directory
       specification has to end with a slash '/'; the paths of the filters
       indented below it are relative to that directory.

       The filters are processed from top to bottom. The first line that
       matches the path sets the result (+ or -), unless that line has an
       indented block that describes the matched path in more detail. The
       same logic is applied to the inner filter definitions: if no inner
       filter matches, the parent's result is set. If nothing matches at all,
       the default result is minus (-).

       If the result was a plus (+), the respective file from a trust source
       is imported into the TrustDB. Vice versa, if the result was a minus
       (-), the respective file is not imported.

       From a performance point of view an indented filter is preferable,
       because in the ideal case each component of the path is compared only
       once. A filter without indentation has to contain the full path, which
       makes the pattern more complicated and thus slower to process. The
       motivation is to have a flexible configuration and to keep the TrustDB
       as small as possible so that look-ups are faster.

       # this is a simple allow list
       - /usr/bin/some_binary1
       - /usr/bin/some_binary2
       + /

       # this is the same, written with indentation
       + /
        + usr/bin/
         - some_binary1
         - some_binary2

       # this is a similar allow list with a wildcard
       - /usr/bin/some_binary?
       + /

       # this is similar, with another wildcard and indentation
       + /
        - usr/bin/some_binary*

       # keeps everything except files under usr/share, apart from Python and Perl files
       # /usr/bin/ls - result is '+'
       # /usr/share/something - result is '-'
       # /usr/share/abcd.py - result is '+'
       + /
        - usr/share/
         + *.py
         + *.pl
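
       The following evaluator is an added example and is not part of
       fapolicyd or of this manual page. It implements the processing rules
       described above (first match from top to bottom, indented blocks
       refining a parent match and falling back to the parent's result,
       default '-') and runs them over the filters shown in the examples. Two
       details are assumptions of the example, not statements of the daemon's
       behaviour: a directory pattern is matched component by component, and a
       file pattern is matched with fnmatch against the remaining path as a
       whole, so '*' in a file pattern also crosses '/'. The filter texts and
       paths are constructed from the examples above.

```python
"""Evaluator for the fapolicyd-filter.conf format (added example, not fapolicyd code).

Rules from the man page: first match top to bottom sets the result; an indented
block refines a parent match and yields the parent's result if no child matches;
the default result is '-'.  Assumptions of this example: directory patterns are
matched per path component, file patterns with fnmatch against the whole
remaining path (so '*' also crosses '/').
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Node:
    decision: str                 # '+' import into TrustDB, '-' do not import
    pattern: str                  # path specification without leading/trailing '/'
    is_dir: bool                  # specification ended with '/'
    children: List["Node"] = field(default_factory=list)

    def match(self, comps: List[str]) -> Optional[List[str]]:
        """Return the path components left for the children, or None if no match."""
        if self.is_dir:
            parts = [p for p in self.pattern.split("/") if p]   # [] for '/'
            if len(comps) < len(parts):
                return None
            if all(fnmatchcase(c, p) for p, c in zip(parts, comps)):
                return comps[len(parts):]
            return None
        # File pattern: must account for the whole remaining path.
        return [] if fnmatchcase("/".join(comps), self.pattern) else None


def parse_filter(text: str) -> List[Node]:
    """Build the filter tree; one leading space is one level of indentation."""
    roots: List[Node] = []
    stack: List[Tuple[int, Node]] = []      # (depth, node) of the open parents
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        body = line.lstrip(" ")
        if not body or body.startswith("#"):
            continue
        depth = len(line) - len(body)
        if body[0] not in "+-":
            raise ValueError(f"line {lineno}: must start with '+', '-' or '#'")
        spec = body[1:].strip()
        if not spec:
            raise ValueError(f"line {lineno}: missing path specification")
        node = Node(body[0], spec.strip("/"), spec.endswith("/"))
        while stack and stack[-1][0] >= depth:   # close deeper or equal levels
            stack.pop()
        if stack:
            stack[-1][1].children.append(node)
        elif depth == 0:
            roots.append(node)
        else:
            raise ValueError(f"line {lineno}: indented line without a parent")
        stack.append((depth, node))
    return roots


def _decide(nodes: List[Node], comps: List[str]) -> Optional[str]:
    for node in nodes:
        rest = node.match(comps)
        if rest is None:
            continue
        if node.children:
            refined = _decide(node.children, rest)
            if refined is not None:
                return refined          # a more specific inner filter matched
        return node.decision            # first match wins at this level
    return None


def evaluate(roots: List[Node], path: str) -> str:
    """Decision for one absolute path: '+' or '-' ('-' when nothing matches)."""
    comps = [p for p in path.split("/") if p]
    return _decide(roots, comps) or "-"


def decisions(filter_text: str, paths: Iterable[str]) -> Dict[str, str]:
    roots = parse_filter(filter_text)
    return {p: evaluate(roots, p) for p in paths}


# Constructed inputs taken from the man page's examples.
ALLOW_FLAT = "- /usr/bin/some_binary1\n- /usr/bin/some_binary2\n+ /\n"
ALLOW_INDENTED = "+ /\n + usr/bin/\n  - some_binary1\n  - some_binary2\n"
SHARE_FILTER = "+ /\n - usr/share/\n  + *.py\n  + *.pl\n"
SAMPLE_PATHS = ["/usr/bin/some_binary1", "/usr/bin/some_binary2", "/usr/bin/ls",
                "/usr/lib64/libc.so.6", "/usr/share/abcd.py"]

if __name__ == "__main__":
    for name, text in (("flat", ALLOW_FLAT), ("indented", ALLOW_INDENTED), ("share", SHARE_FILTER)):
        print(name, decisions(text, SAMPLE_PATHS))
```

       Running it shows that the flat and the indented allow lists yield the
       same decisions for every sample path, and that the last example gives
       the three results listed in its comments. Because this example matches
       file patterns against the whole remaining path, a file such as
       /usr/share/doc/x.pl is also accepted by "+ *.pl"; whether the daemon
       behaves the same way for nested paths is not stated on this page.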

SEE ALSO

       fapolicyd(8), fapolicyd-cli(1), fapolicyd.rules(5) and glob(7)

AUTHOR

76       Radovan Sroka
Red Hat                            June 2023        FAPOLICYD_FILTER.CONF:(5)