rpms
/
fapolicyd
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '70b4424ab4'
${ noResults }
fapolicyd/SOURCES/fapolicyd-falcon-sensor.patch

80 lines
2.8 KiB
Raw Normal View History Unescape

import fapolicyd-1.1.3-104.el9
2 years ago
From 2b13715219bbb6a84a73e007cea84f0d5d1d39ab Mon Sep 17 00:00:00 2001
From: Radovan Sroka <rsroka@redhat.com>
Date: Tue, 6 Dec 2022 15:09:44 +0100
Subject: [PATCH] Extend new_event state machine
- allow other opens before dynamic linker execution
- split original STATE_REOPEN to the new STATE_REOPEN and STATE_DEFAULT_REOPEN
- STATE_REOPEN now behaves as loop state for new opens (from the same subject),
uses skip_path
- STATE_DEFAULT_REOPEN is needed when dynamic linker is directly executed
in such scenario we need to be sure that non of the following opens will
skip the path
Signed-off-by: Radovan Sroka <rsroka@redhat.com>
---
src/library/event.c | 16 ++++++++++++++++
src/library/process.h | 3 ++-
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/library/event.c b/src/library/event.c
index 4d79eb98..649cb9d6 100644
--- a/src/library/event.c
+++ b/src/library/event.c
@@ -133,6 +133,12 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
(e->type & FAN_OPEN_PERM) && !rc) {
skip_path = 1;
s->info->state = STATE_REOPEN;
+
+ // special branch after ld_so exec
+ // next opens will go fall trough
+ if (s->info->path1 &&
+ (strcmp(s->info->path1, SYSTEM_LD_SO) == 0))
+ s->info->state = STATE_DEFAULT_REOPEN;
}
// If not same proc or we detect execution, evict
@@ -164,6 +170,7 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
skip_path = 1;
}
+
// If we've seen the reopen and its an execute and process
// has an interpreter and we're the same process, don't evict
// and don't collect the path since reopen interp will. The
@@ -172,10 +179,19 @@ int new_event(const struct fanotify_event_metadata *m, event_t *e)
if ((s->info->state == STATE_REOPEN) && !skip_path &&
(e->type & FAN_OPEN_EXEC_PERM) &&
(s->info->elf_info & HAS_INTERP) && !rc) {
+ s->info->state = STATE_DEFAULT_REOPEN;
evict = 0;
skip_path = 1;
}
+ // this is how STATE_REOPEN and
+ // STATE_DEFAULT_REOPEN differs
+ // in STATE_REOPEN path is always skipped
+ if ((s->info->state == STATE_REOPEN) && !skip_path &&
+ (e->type & FAN_OPEN_PERM) && !rc) {
+ skip_path = 1;
+ }
+
if (evict) {
lru_evict(subj_cache, key);
q_node = check_lru_cache(subj_cache, key);
diff --git a/src/library/process.h b/src/library/process.h
index daa9d0d0..a741d1ac 100644
--- a/src/library/process.h
+++ b/src/library/process.h
@@ -31,7 +31,8 @@
#include "gcc-attributes.h"
typedef enum { STATE_COLLECTING=0, // initial state - execute
- STATE_REOPEN, // anticipating open perm next
+ STATE_REOPEN, // anticipating open perm next, always skips the path
+ STATE_DEFAULT_REOPEN, // reopen after dyn. linker exec, never skips the path
STATE_STATIC_REOPEN, // static app aniticipating
STATE_PARTIAL, // second path collected
STATE_STATIC_PARTIAL, // second path collected