From 4066d92395c18ad435ee6ff8e1da2745a68bacc1 Mon Sep 17 00:00:00 2001

From: Radovan Sroka <rsroka@redhat.com>

Date: Fri, 24 Jun 2022 15:03:28 +0200

Subject: [PATCH] Introduce filtering of rpmdb

- this feature introduces very flexible filter syntax

- original filter was compiled in so this is very useful

- filter needs to keep a minimal set of files that will be excuted

  on the system eventually

- all the configuration can be done in /etc/fapolicyd/rpm-filter.conf

Signed-off-by: Radovan Sroka <rsroka@redhat.com>

---

 doc/Makefile.am           |   3 +-

 doc/rpm-filter.conf.5     |  63 +++++

 fapolicyd.spec            |   1 +

 init/Makefile.am          |   2 +

 init/rpm-filter.conf      |  42 ++++

 src/Makefile.am           |   8 +-

 src/library/llist.c       |  23 +-

 src/library/llist.h       |   1 +

 src/library/rpm-backend.c |  79 ++-----

 src/library/rpm-filter.c  | 487 ++++++++++++++++++++++++++++++++++++++

 src/library/rpm-filter.h  |  67 ++++++

 src/library/stack.c       |  89 +++++++

 src/library/stack.h       |  41 ++++

 13 files changed, 837 insertions(+), 69 deletions(-)

 create mode 100644 doc/rpm-filter.conf.5

 create mode 100644 init/rpm-filter.conf

 create mode 100644 src/library/rpm-filter.c

 create mode 100644 src/library/rpm-filter.h

 create mode 100644 src/library/stack.c

 create mode 100644 src/library/stack.h

diff --git a/doc/Makefile.am b/doc/Makefile.am

index f0b79080..726218ed 100644

--- a/doc/Makefile.am

+++ b/doc/Makefile.am

@@ -28,4 +28,5 @@ man_MANS = \

 	fapolicyd-cli.1 \

 	fapolicyd.rules.5 \

 	fapolicyd.trust.5 \

-	fapolicyd.conf.5

+	fapolicyd.conf.5 \

+	rpm-filter.conf.5

diff --git a/doc/rpm-filter.conf.5 b/doc/rpm-filter.conf.5

new file mode 100644

index 00000000..d415bd80

--- /dev/null

+++ b/doc/rpm-filter.conf.5

@@ -0,0 +1,63 @@

+.TH RPM_FILTER.CONF: "5" "January 2023" "Red Hat" "System Administration Utilities"

+.SH NAME

+rpm-filter.conf \- fapolicyd filter configuration file

+.SH DESCRIPTION

+The file

+.I /etc/fapolicyd/rpm-filter.conf

+contains configuration of the filter for the application allowlisting daemon. This filter specifies an allow or exclude list of files from rpm. Valid line starts with character '+', '-' or '#' for comments. The rest of the line contains a path specification. Space can be used as indentation to add more specific filters to the previous one. Note, that only one space is required for one level of an indent. If  there are multiple specifications on the same indentation level they extend the previous line with lower indentation, usually a directory.  The path may be specified using the glob pattern. A directory specification has to end with a slash ‘/’.

+

+The filters are processed as follows: Starting from the up the to bottom while in case of a match the result (+/-) is set unless there is an indented block which describes more detailed specification of the parent level match. The same processing logic is applied to the inner filters definitions. If there is no match, the parent’s result is set. If there is no match at all, the default result is minus (-).

+

+If the result was a plus (+), the respective file from the rpmdb is imported to the TrustDB. Vice versa, if the result was a minus (-), the respective file is not imported.

+

+From a performance point of view it is better to design an indented filter because in the ideal situation each component of the path is compared only once. In contrast to it, a filter without any indentation has to contain a full path which makes the pattern more complicated and thus slower to process. The motivation behind this is to have a flexible configuration and keep the TrustDB as small as possible to make the look-ups faster.

+

+

+

+.nf

+.B # this is simple allow list

+.B - /usr/bin/some_binary1

+.B - /usr/bin/some_binary2

+.B + /

+.fi

+

+.nf

+.B # this is the same

+.B + /

+.B \ + usr/bin/

+.B \ \ - some_binary1

+.B \ \ - some_binary2

+.fi

+

+.nf

+.B # this is similar allow list with a wildcard

+.B - /usr/bin/some_binary?

+.B + /

+.fi

+

+.nf

+.B # this is similar with another wildcard

+.B + /

+.B \ - usr/bin/some_binary*

+.fi

+

+.nf

+.B # keeps everything except usr/share except python and perl files

+.B # /usr/bin/ls - result is '+'

+.B # /usr/share/something - result is '-'

+.B # /usr/share/abcd.py - result is '+'

+.B + /

+.B \ - usr/share/

+.B \ \ + *.py

+.B \ \ + *.pl

+.fi

+

+.SH "SEE ALSO"

+.BR fapolicyd (8),

+.BR fapolicyd-cli (1)

+.BR fapolicy.rules (5)

+and

+.BR glob (7)

+

+.SH AUTHOR

+Radovan Sroka

diff --git a/init/Makefile.am b/init/Makefile.am

index da948e4e..1f23dffe 100644

--- a/init/Makefile.am

+++ b/init/Makefile.am

@@ -1,6 +1,7 @@

 EXTRA_DIST = \

 	fapolicyd.service \

 	fapolicyd.conf \

+	rpm-filter.conf \

 	fapolicyd.trust \

 	fapolicyd-tmpfiles.conf \

 	fapolicyd-magic \

@@ -11,6 +12,7 @@ fapolicyddir = $(sysconfdir)/fapolicyd

 dist_fapolicyd_DATA = \

 	fapolicyd.conf \

+	rpm-filter.conf \

 	fapolicyd.trust

 systemdservicedir = $(systemdsystemunitdir)

diff --git a/init/rpm-filter.conf b/init/rpm-filter.conf

new file mode 100644

index 00000000..0c8fca40

--- /dev/null

+++ b/init/rpm-filter.conf

@@ -0,0 +1,42 @@

+# default filter file for fedora

+

++ /

+ - usr/include/

+ - usr/share/

+  # Python byte code

+  + *.py?

+  # Python text files

+  + *.py

+  # Some apps have a private libexec

+  + */libexec/*

+  # Ruby

+  + *.rb

+  # Perl

+  + *.pl

+  # System tap

+  + *.stp

+  # Javascript

+  + *.js

+  # Java archive

+  + *.jar

+  # M4

+  + *.m4

+  # PHP

+  + *.php

+  # Perl Modules

+  + *.pm

+  # Lua

+  + *.lua

+  # Java

+  + *.class

+  # Typescript

+  + *.ts

+  # Typescript JSX

+  + *.tsx

+  # Lisp

+  + *.el

+  # Compiled Lisp

+  + *.elc

+ - usr/src/kernel*/

+  + */scripts/*

+  + */tools/objtool/*

diff --git a/src/Makefile.am b/src/Makefile.am

index 547ea486..fd08eb06 100644

--- a/src/Makefile.am

+++ b/src/Makefile.am

@@ -62,13 +62,19 @@ libfapolicyd_la_SOURCES = \

 	library/subject-attr.h \

 	library/subject.c \

 	library/subject.h \

+	library/stack.c \

+	library/stack.h \

 	library/string-util.c \

 	library/string-util.h \

 	library/trust-file.c \

 	library/trust-file.h

 if WITH_RPM

-libfapolicyd_la_SOURCES += library/rpm-backend.c

+libfapolicyd_la_SOURCES += \

+	library/rpm-backend.c \

+	library/rpm-filter.c \

+	library/rpm-filter.h

+

 endif

 libfapolicyd_la_CFLAGS = $(fapolicyd_CFLAGS)

diff --git a/src/library/llist.c b/src/library/llist.c

index 6132805a..44cfb4a3 100644

--- a/src/library/llist.c

+++ b/src/library/llist.c

@@ -45,19 +45,36 @@ list_item_t *list_get_first(const list_t *list)

 	return list->first;

 }

-

-int list_append(list_t *list, const char *index, const char *data)

+static list_item_t * create_item(const char *index, const char *data)

 {

 	list_item_t *item = malloc(sizeof(list_item_t));

 	if (!item) {

 		msg(LOG_ERR, "Malloc failed");

-		return 1;

+		return item;

 	}

 	item->index = index;

 	item->data = data;

 	item->next = NULL;

+	return item;

+}

+

+int list_prepend(list_t *list, const char *index, const char *data)

+{

+	list_item_t *item = create_item(index, data);

+

+	item->next = list->first;

+	list->first = item;

+

+	++list->count;

+	return 0;

+}

+

+int list_append(list_t *list, const char *index, const char *data)

+{

+	list_item_t *item = create_item(index, data);

+

 	if (list->first) {

 		list->last->next = item;

 		list->last = item;

diff --git a/src/library/llist.h b/src/library/llist.h

index 0c1d85a7..59eccf17 100644

--- a/src/library/llist.h

+++ b/src/library/llist.h

@@ -40,6 +40,7 @@ typedef struct list_header {

 void list_init(list_t *list);

 list_item_t *list_get_first(const list_t *list);

+int list_prepend(list_t *list, const char *index, const char *data);

 int list_append(list_t *list, const char *index, const char *data);

 void list_destroy_item(list_item_t **item);

 void list_empty(list_t *list);

diff --git a/src/library/rpm-backend.c b/src/library/rpm-backend.c

index 7f1af438..0887d36a 100644

--- a/src/library/rpm-backend.c

+++ b/src/library/rpm-backend.c

@@ -40,6 +40,8 @@

 #include "fapolicyd-backend.h"

 #include "llist.h"

+#include "rpm-filter.h"

+

 static int rpm_init_backend(void);

 static int rpm_load_list(const conf_t *);

 static int rpm_destroy_backend(void);

@@ -176,69 +178,6 @@ static void close_rpm(void)

 	rpmlogClose();

 }

-// This function will check a passed file name to see if the path should

-// be kept or dropped. 1 means discard it, and 0 means keep it.

-static int drop_path(const char *file_name)

-{

-	const char *p = file_name;

-	if (!strncmp(p, "/usr", 4)) {

-		p += 4;

-

-		// Drop anything in /usr/include

-		if (!strncmp(p, "/include", 8))

-			return 1;

-

-		// Only keep languages from /usr/share

-		if (!strncmp(p, "/share", 6)) {

-			p += 6;

-			

-			// These are roughly ordered by quantity

-			static const char *arr_share[] = {

-				"*.py?",       // Python byte code

-				"*.py",        // Python text files

-				"*/libexec/*", // Some apps have a private libexec

-				"*.rb",        // Ruby

-				"*.pl",        // Perl

-				"*.stp",       // System tap

-				"*.js",        // Javascript

-				"*.jar",       // Java archive

-				"*.m4",        // M4

-				"*.php",       // PHP

-				"*.pm",        // Perl Modules

-				"*.lua",       // Lua

-				"*.class",     // Java

-				"*.ts",        // Typescript

-				"*.tsx",       // Typescript JSX

-				"*.el",        // Lisp

-				"*.elc",       // Compiled Lisp

-				NULL

-			};

-

-			for (int i = 0; arr_share[i]; ++i)

-				if (!fnmatch(arr_share[i], p, 0))

-					return 0;

-			return 1;

-		}

-

-		// Akmod needs scripts in /usr/src/kernel

-		if (!strncmp(p, "/src/kernel", 11)) {

-			p += 11;

-			

-			static const char *arr_src_kernel[] = {

-				"*/scripts/*",

-				"*/tools/objtool/*",

-				NULL

-			};

-			

-			for (int i = 0; arr_src_kernel[i]; ++i)

-				if (!fnmatch(arr_src_kernel[i], p, 0))

-					return 0;

-			return 1;

-		}

-	}

-	return 0;

-}

-

 struct _hash_record {

 	const char * key;

 	UT_hash_handle hh;

@@ -290,7 +229,8 @@ static int rpm_load_list(const conf_t *conf)

 			if (file_name == NULL)

 				continue;

-			if (drop_path(file_name)) {

+			// should we drop a path?

+			if (!filter_check(file_name)) {

 				free((void *)file_name);

 				free((void *)sha);

 				continue;

@@ -358,12 +298,23 @@ static int rpm_load_list(const conf_t *conf)

 static int rpm_init_backend(void)

 {

+	if (filter_init())

+		return 1;

+

+	if (filter_load_file()) {

+		filter_destroy();

+		return 1;

+	}

+

+

 	list_init(&rpm_backend.list);

+

 	return 0;

 }

 static int rpm_destroy_backend(void)

 {

+	filter_destroy();

 	list_empty(&rpm_backend.list);

 	return 0;

 }

diff --git a/src/library/rpm-filter.c b/src/library/rpm-filter.c

new file mode 100644

index 00000000..e3e3eb38

--- /dev/null

+++ b/src/library/rpm-filter.c

@@ -0,0 +1,487 @@

+/*

+* rpm-filter.c - filter for rpm trust source

+* Copyright (c) 2023 Red Hat Inc., Durham, North Carolina.

+* All Rights Reserved.

+*

+* This software may be freely redistributed and/or modified under the

+* terms of the GNU General Public License as published by the Free

+* Software Foundation; either version 2, or (at your option) any

+* later version.

+*

+* This program is distributed in the hope that it will be useful,

+* but WITHOUT ANY WARRANTY; without even the implied warranty of

+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+* GNU General Public License for more details.

+*

+* You should have received a copy of the GNU General Public License

+* along with this program; see the file COPYING. If not, write to the

+* Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor

+* Boston, MA 02110-1335, USA.

+*

+* Authors:

+*   Radovan Sroka <rsroka@redhat.com>

+*/

+

+#include "rpm-filter.h"

+

+#include <stdio.h>

+#include <string.h>

+#include <ctype.h>

+#include <fnmatch.h>

+

+#include "llist.h"

+#include "stack.h"

+#include "message.h"

+#include "string-util.h"

+

+

+#define RPM_FILTER_FILE "/etc/fapolicyd/rpm-filter.conf"

+

+rpm_filter_t *global_filter = NULL;

+

+static rpm_filter_t *filter_create_obj(void);

+static void filter_destroy_obj(rpm_filter_t *_filter);

+

+// init fuction of this module

+int filter_init(void)

+{

+	global_filter = filter_create_obj();

+	if (global_filter == NULL)

+		return 1;

+

+	return 0;

+}

+

+// destroy funtion of this module

+void filter_destroy(void)

+{

+	filter_destroy_obj(global_filter);

+	global_filter = NULL;

+}

+

+// alocate new filter object and fill with the defaults

+static rpm_filter_t *filter_create_obj(void)

+{

+	rpm_filter_t *filter = malloc(sizeof(rpm_filter_t));

+	if (filter) {

+		filter->type = NONE;

+		filter->path = NULL;

+		filter->len = 0;

+		filter->matched = 0;

+		filter->processed = 0;

+		list_init(&filter->list);

+	}

+	return filter;

+}

+

+// free all nested filters

+static void filter_destroy_obj(rpm_filter_t *_filter)

+{

+	if (_filter == NULL)

+		return;

+

+	rpm_filter_t *filter = _filter;

+	stack_t stack;

+	stack_init(&stack);

+

+	stack_push(&stack, filter);

+

+	while (!stack_is_empty(&stack)) {

+		filter = (rpm_filter_t*)stack_top(&stack);

+		if (filter->processed) {

+			(void)free(filter->path);

+			// asume that item->data is NULL

+			list_empty(&filter->list);

+			(void)free(filter);

+			stack_pop(&stack);

+			continue;

+		}

+

+		list_item_t *item = list_get_first(&filter->list);

+		for (; item != NULL ; item = item->next) {

+				rpm_filter_t *next_filter = (rpm_filter_t*)item->data;

+				// we can use list_empty() later

+				// we dont want to free filter right now

+				// it will freed after popping

+				item->data = NULL;

+				stack_push(&stack, next_filter);

+		}

+		filter->processed = 1;

+	}

+	stack_destroy(&stack);

+}

+

+// create struct and push it to the top of stack

+static void stack_push_vars(stack_t *_stack, int _level, int _offset, rpm_filter_t *_filter)

+{

+	if (_stack == NULL)

+		return;

+

+	stack_item_t *item = malloc(sizeof(stack_item_t));

+	if (item == NULL)

+		return;

+

+	item->level = _level;

+	item->offset = _offset;

+	item->filter = _filter;

+

+	stack_push(_stack, item);

+}

+

+// pop stack_item_t and free it

+static void stack_pop_vars(stack_t *_stack)

+{

+	if (_stack == NULL)

+		return;

+

+	stack_item_t * item = (stack_item_t*)stack_top(_stack);

+	free(item);

+	stack_pop(_stack);

+}

+

+// pop all the stack_item_t and free them

+static void stack_pop_all_vars(stack_t *_stack)

+{

+	if (_stack == NULL)

+		return;

+

+	while (!stack_is_empty(_stack))

+		stack_pop_vars(_stack);

+}

+

+// reset filter to default, pop top and free

+static void stack_pop_reset(stack_t *_stack)

+{

+	if (_stack == NULL)

+		return;

+

+	stack_item_t *stack_item = (stack_item_t*)stack_top(_stack);

+	if (stack_item) {

+		stack_item->filter->matched = 0;

+		stack_item->filter->processed = 0;

+	}

+	free(stack_item);

+	stack_pop(_stack);

+}

+

+// reset and pop all the stack_item_t

+static void stack_pop_all_reset(stack_t *_stack)

+{

+	if (_stack == NULL)

+		return;

+

+	while (!stack_is_empty(_stack))

+		stack_pop_reset(_stack);

+}

+

+// this funtion gets full path and checks it against filter

+// returns 1 for keeping the file and 0 for dropping it

+int filter_check(const char *_path)

+{

+	if (_path == NULL) {

+		msg(LOG_ERR, "filter_check: path is NULL, something is wrong!");

+		return 0;

+	}

+

+	rpm_filter_t *filter = global_filter;

+	char *path = strdup(_path);

+	size_t path_len = strlen(_path);

+	size_t offset = 0;

+	// Create a stack to store the filters that need to be checked

+	stack_t stack;

+	stack_init(&stack);

+

+	int res = 0;

+	int level = 0;

+

+	stack_push_vars(&stack, level, offset, filter);

+

+	while(!stack_is_empty(&stack)) {

+		int matched = 0;

+		filter->processed = 1;

+

+		// this is starting branch of the algo

+		// assuming that in root filter filter->path is NULL

+		if (filter->path == NULL) {

+			list_item_t *item = list_get_first(&filter->list);

+			// push all the descendants to the stack

+			for (; item != NULL ; item = item->next) {

+				rpm_filter_t *next_filter = (rpm_filter_t*)item->data;

+				stack_push_vars(&stack, level+1, offset, next_filter);

+			}

+

+		// usual branch, start with processing

+		} else {

+			// wildcard contition

+			char *is_wildcard = strpbrk(filter->path, "?*[");

+			if (is_wildcard) {

+				int count = 0;

+				char *filter_lim, *filter_old_lim;

+				filter_lim = filter_old_lim = filter->path;

+

+				char *path_lim, *path_old_lim;

+				path_lim = path_old_lim = path+offset;

+

+				// there can be wildcard in the dir name as well

+				// we need to count how many chars can be eaten by wildcard

+				while(1) {

+					filter_lim = strchr(filter_lim, '/');

+					path_lim = strchr(path_lim, '/');

+

+					if (filter_lim) {

+						count++;

+						filter_old_lim = filter_lim;

+						filter_lim++;

+					} else

+						break;

+

+					if (path_lim) {

+						path_old_lim = path_lim;

+						path_lim++;

+					} else

+						break;

+

+				}

+				// put 0 after the last /

+				char tmp = '\0';

+				if (count && *(filter_old_lim+1) == '\0') {

+					 tmp = *(path_old_lim+1);

+					*(path_old_lim+1) = '\0';

+				}

+

+				// check fnmatch

+				matched = !fnmatch(filter->path, path+offset, 0);

+

+				// and set back

+				if (count && *(filter_old_lim+1) == '\0')

+					*(path_old_lim+1) = tmp;

+

+				if (matched) {

+					offset = path_old_lim - path+offset;

+				}

+			} else {

+				// match normal path or just specific part of it

+				matched = !strncmp(path+offset, filter->path, filter->len);

+				if (matched)

+					offset += filter->len;

+			}

+

+			if (matched) {

+				level++;

+				filter->matched = 1;

+

+				// if matched we need ot push descendants to the stack

+				list_item_t *item = list_get_first(&filter->list);

+

+				// if there are no descendants and it is a wildcard then it's a match

+				if (item == NULL && is_wildcard) {

+					// if '+' ret 1 and if '-' ret 0

+					res = filter->type == ADD ? 1 : 0;

+					goto end;

+				}

+

+				// no descendants, and already compared whole path string so its a match

+				if (item == NULL && path_len == offset) {

+					// if '+' ret 1 and if '-' ret 0

+					res = filter->type == ADD ? 1 : 0;

+					goto end;

+				}

+

+				// push descendants to the stack

+				for (; item != NULL ; item = item->next) {

+					rpm_filter_t *next_filter = (rpm_filter_t*)item->data;

+					stack_push_vars(&stack, level, offset, next_filter);

+				}

+

+			}

+

+		}

+

+		stack_item_t * stack_item = NULL;

+		// popping processed filters from the top of the stack

+		do {

+			if (stack_item) {

+				filter = stack_item->filter;

+				offset = stack_item->offset;

+				level = stack_item->level;

+

+				// assuimg that nothing has matched on the upper level so it's a directory match

+				if (filter->matched && filter->path[filter->len-1] == '/') {

+					res = filter->type == ADD ? 1 : 0;

+					goto end;

+				}

+

+				// reset processed flag

+				stack_pop_reset(&stack);

+			}

+

+			stack_item = (stack_item_t*)stack_top(&stack);

+		} while(stack_item && stack_item->filter->processed);

+

+		if (!stack_item)

+			break;

+

+		filter = stack_item->filter;

+		offset = stack_item->offset;

+		level = stack_item->level;

+	}

+

+end:

+	// Clean up the stack

+	stack_pop_all_reset(&stack);

+	stack_destroy(&stack);

+	free(path);

+	return res;