Rename filter file in fapolicyd

- from rpm-filter.conf to fapolicyd-filter.conf

Signed-off-by: Radovan Sroka <[email protected]>

doc/Makefile.am

@@ -29,4 +29,4 @@ man_MANS = \
 	fapolicyd.rules.5 \
 	fapolicyd.trust.5 \
 	fapolicyd.conf.5 \
-	rpm-filter.conf.5
+	fapolicyd.filter.5

doc/fapolicyd.8

@@ -90,7 +90,7 @@ If you are running in the debug mode and wish to compare rule numbers reported i
 .BR fapolicyd-cli (8),
 .BR fapolicyd.rules (5),
 .BR fapolicyd.trust (5),
-.BR rpm-filter.conf (5),
+.BR fapolicyd.filter (5),
 .BR fagenrules (8),
 and
 .BR fapolicyd.conf (5)

doc/fapolicyd.filter.5

@@ -0,0 +1,63 @@
+.TH FAPOLICYD.FILTER: "26" "April 2023" "Red Hat" "System Administration Utilities"
+.SH NAME
+fapolicyd.filter \- fapolicyd filter configuration file
+.SH DESCRIPTION
+The file
+.I /etc/fapolicyd/fapolicyd.filter
+contains configuration of the filter for the application allowlisting daemon. This filter specifies an allow or exclude list of files from a trust source. Valid line starts with character '+', '-' or '#' for comments. The rest of the line contains a path specification. Space can be used as indentation to add more specific filters to the previous one. Note, that only one space is required for one level of an indent. If  there are multiple specifications on the same indentation level they extend the previous line with lower indentation, usually a directory.  The path may be specified using the glob pattern. A directory specification has to end with a slash ‘/’.
+
+The filters are processed as follows: Starting from the up the to bottom while in case of a match the result (+/-) is set unless there is an indented block which describes more detailed specification of the parent level match. The same processing logic is applied to the inner filters definitions. If there is no match, the parent’s result is set. If there is no match at all, the default result is minus (-).
+
+If the result was a plus (+), the respective file from a trust source is imported to the TrustDB. Vice versa, if the result was a minus (-), the respective file is not imported.
+
+From a performance point of view it is better to design an indented filter because in the ideal situation each component of the path is compared only once. In contrast to it, a filter without any indentation has to contain a full path which makes the pattern more complicated and thus slower to process. The motivation behind this is to have a flexible configuration and keep the TrustDB as small as possible to make the look-ups faster.
+
+
+
+.nf
+.B # this is simple allow list
+.B - /usr/bin/some_binary1
+.B - /usr/bin/some_binary2
+.B + /
+.fi
+
+.nf
+.B # this is the same
+.B + /
+.B \ + usr/bin/
+.B \ \ - some_binary1
+.B \ \ - some_binary2
+.fi
+
+.nf
+.B # this is similar allow list with a wildcard
+.B - /usr/bin/some_binary?
+.B + /
+.fi
+
+.nf
+.B # this is similar with another wildcard
+.B + /
+.B \ - usr/bin/some_binary*
+.fi
+
+.nf
+.B # keeps everything except usr/share except python and perl files
+.B # /usr/bin/ls - result is '+'
+.B # /usr/share/something - result is '-'
+.B # /usr/share/abcd.py - result is '+'
+.B + /
+.B \ - usr/share/
+.B \ \ + *.py
+.B \ \ + *.pl
+.fi
+
+.SH "SEE ALSO"
+.BR fapolicyd (8),
+.BR fapolicyd-cli (1)
+.BR fapolicy.rules (5)
+and
+.BR glob (7)
+
+.SH AUTHOR
+Radovan Sroka

doc/rpm-filter.conf.5

@@ -1,56 +1,15 @@
-.TH RPM_FILTER.CONF: "5" "January 2023" "Red Hat" "System Administration Utilities"
+.TH FAPOLICYD.FILTER: "26" "April 2023" "Red Hat" "System Administration Utilities"
 .SH NAME
-rpm-filter.conf \- fapolicyd filter configuration file
+fapolicyd.filter \- fapolicyd filter configuration file
 .SH DESCRIPTION
 The file
-.I /etc/fapolicyd/rpm-filter.conf
-contains configuration of the filter for the application allowlisting daemon. This filter specifies an allow or exclude list of files from rpm. Valid line starts with character '+', '-' or '#' for comments. The rest of the line contains a path specification. Space can be used as indentation to add more specific filters to the previous one. Note, that only one space is required for one level of an indent. If  there are multiple specifications on the same indentation level they extend the previous line with lower indentation, usually a directory.  The path may be specified using the glob pattern. A directory specification has to end with a slash ‘/’.
+.I /etc/fapolicyd/rpm-filter.filter.conf
+was migrated to
+.I /etc/fapolicyd/fapolicyd-filter.conf
+or see
+.BR fapolicyd.filter(5).
 
-The filters are processed as follows: Starting from the up the to bottom while in case of a match the result (+/-) is set unless there is an indented block which describes more detailed specification of the parent level match. The same processing logic is applied to the inner filters definitions. If there is no match, the parent’s result is set. If there is no match at all, the default result is minus (-).
 
-If the result was a plus (+), the respective file from the rpmdb is imported to the TrustDB. Vice versa, if the result was a minus (-), the respective file is not imported.
-
-From a performance point of view it is better to design an indented filter because in the ideal situation each component of the path is compared only once. In contrast to it, a filter without any indentation has to contain a full path which makes the pattern more complicated and thus slower to process. The motivation behind this is to have a flexible configuration and keep the TrustDB as small as possible to make the look-ups faster.
-
-
-
-.nf
-.B # this is simple allow list
-.B - /usr/bin/some_binary1
-.B - /usr/bin/some_binary2
-.B + /
-.fi
-
-.nf
-.B # this is the same
-.B + /
-.B \ + usr/bin/
-.B \ \ - some_binary1
-.B \ \ - some_binary2
-.fi
-
-.nf
-.B # this is similar allow list with a wildcard
-.B - /usr/bin/some_binary?
-.B + /
-.fi
-
-.nf
-.B # this is similar with another wildcard
-.B + /
-.B \ - usr/bin/some_binary*
-.fi
-
-.nf
-.B # keeps everything except usr/share except python and perl files
-.B # /usr/bin/ls - result is '+'
-.B # /usr/share/something - result is '-'
-.B # /usr/share/abcd.py - result is '+'
-.B + /
-.B \ - usr/share/
-.B \ \ + *.py
-.B \ \ + *.pl
-.fi
 
 .SH "SEE ALSO"
 .BR fapolicyd (8),

fapolicyd.spec

@@ -114,7 +114,7 @@ fi
 %attr(644,root,root) %{_sysconfdir}/bash_completion.d/*
 %ghost %{_sysconfdir}/%{name}/rules.d/*
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.conf
-%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/rpm-filter.conf
+%config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/fapolicyd.filter
 %config(noreplace) %attr(644,root,%{name}) %{_sysconfdir}/%{name}/%{name}.trust
 %ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/fapolicyd.rules
 %ghost %attr(644,root,%{name}) %{_sysconfdir}/%{name}/compiled.rules

init/Makefile.am

@@ -1,7 +1,7 @@
 EXTRA_DIST = \
 	fapolicyd.service \
 	fapolicyd.conf \
-	rpm-filter.conf \
+	fapolicyd.filter \
 	fapolicyd.trust \
 	fapolicyd-tmpfiles.conf \
 	fapolicyd-magic \
@@ -12,7 +12,7 @@ fapolicyddir = $(sysconfdir)/fapolicyd
 
 dist_fapolicyd_DATA = \
 	fapolicyd.conf \
-	rpm-filter.conf \
+	fapolicyd.filter \
 	fapolicyd.trust
 
 systemdservicedir = $(systemdsystemunitdir)

src/Makefile.am

@@ -69,8 +69,8 @@ libfapolicyd_la_SOURCES = \
 if WITH_RPM
 libfapolicyd_la_SOURCES += \
 	library/rpm-backend.c \
-	library/rpm-filter.c \
-	library/rpm-filter.h
+	library/filter.c \
+	library/filter.h
 
 endif
 

src/library/rpm-filter.c → src/library/filter.c

@@ -1,5 +1,5 @@
 /*
-* rpm-filter.c - filter for rpm trust source
+* filter.c - filter for a trust source
 * Copyright (c) 2023 Red Hat Inc., Durham, North Carolina.
 * All Rights Reserved.
 *
@@ -22,7 +22,7 @@
 *   Radovan Sroka <[email protected]>
 */
 
-#include "rpm-filter.h"
+#include "filter.h"
 
 #include <stdio.h>
 #include <string.h>
@@ -34,13 +34,13 @@
 #include "message.h"
 #include "string-util.h"
 
+#define OLD_FILTER_FILE "/etc/fapolicyd/rpm-filter.conf"
+#define FILTER_FILE "/etc/fapolicyd/fapolicyd-filter.conf"
 
-#define RPM_FILTER_FILE "/etc/fapolicyd/rpm-filter.conf"
+filter_t *global_filter = NULL;
 
-rpm_filter_t *global_filter = NULL;
-
-static rpm_filter_t *filter_create_obj(void);
-static void filter_destroy_obj(rpm_filter_t *_filter);
+static filter_t *filter_create_obj(void);
+static void filter_destroy_obj(filter_t *_filter);
 
 // init fuction of this module
 int filter_init(void)
@@ -60,9 +60,9 @@ void filter_destroy(void)
 }
 
 // alocate new filter object and fill with the defaults
-static rpm_filter_t *filter_create_obj(void)
+static filter_t *filter_create_obj(void)
 {
-	rpm_filter_t *filter = malloc(sizeof(rpm_filter_t));
+	filter_t *filter = malloc(sizeof(filter_t));
 	if (filter) {
 		filter->type = NONE;
 		filter->path = NULL;
@@ -75,19 +75,19 @@ static rpm_filter_t *filter_create_obj(void)
 }
 
 // free all nested filters
-static void filter_destroy_obj(rpm_filter_t *_filter)
+static void filter_destroy_obj(filter_t *_filter)
 {
 	if (_filter == NULL)
 		return;
 
-	rpm_filter_t *filter = _filter;
+	filter_t *filter = _filter;
 	stack_t stack;
 	stack_init(&stack);
 
 	stack_push(&stack, filter);
 
 	while (!stack_is_empty(&stack)) {
-		filter = (rpm_filter_t*)stack_top(&stack);
+		filter = (filter_t*)stack_top(&stack);
 		if (filter->processed) {
 			(void)free(filter->path);
 			// asume that item->data is NULL
@@ -99,7 +99,7 @@ static void filter_destroy_obj(rpm_filter_t *_filter)
 
 		list_item_t *item = list_get_first(&filter->list);
 		for (; item != NULL ; item = item->next) {
-				rpm_filter_t *next_filter = (rpm_filter_t*)item->data;
+				filter_t *next_filter = (filter_t*)item->data;
 				// we can use list_empty() later
 				// we dont want to free filter right now
 				// it will freed after popping
@@ -112,7 +112,7 @@ static void filter_destroy_obj(rpm_filter_t *_filter)
 }
 
 // create struct and push it to the top of stack
-static void stack_push_vars(stack_t *_stack, int _level, int _offset, rpm_filter_t *_filter)
+static void stack_push_vars(stack_t *_stack, int _level, int _offset, filter_t *_filter)
 {
 	if (_stack == NULL)
 		return;
@@ -183,7 +183,7 @@ int filter_check(const char *_path)
 		return 0;
 	}
 
-	rpm_filter_t *filter = global_filter;
+	filter_t *filter = global_filter;
 	char *path = strdup(_path);
 	size_t path_len = strlen(_path);
 	size_t offset = 0;
@@ -206,7 +206,7 @@ int filter_check(const char *_path)
 			list_item_t *item = list_get_first(&filter->list);
 			// push all the descendants to the stack
 			for (; item != NULL ; item = item->next) {
-				rpm_filter_t *next_filter = (rpm_filter_t*)item->data;
+				filter_t *next_filter = (filter_t*)item->data;
 				stack_push_vars(&stack, level+1, offset, next_filter);
 			}
 
@@ -289,7 +289,7 @@ int filter_check(const char *_path)
 
 				// push descendants to the stack
 				for (; item != NULL ; item = item->next) {
-					rpm_filter_t *next_filter = (rpm_filter_t*)item->data;
+					filter_t *next_filter = (filter_t*)item->data;
 					stack_push_vars(&stack, level, offset, next_filter);
 				}
 
@@ -334,15 +334,22 @@ int filter_check(const char *_path)
 	return res;
 }
 
-// load rpm filter configuration file and fill the filter structure
+// load filter configuration file and fill the filter structure
 int filter_load_file(void)
 {
 	int res = 0;
-	FILE *stream = fopen(RPM_FILTER_FILE, "r");
+	FILE *stream = fopen(OLD_FILTER_FILE, "r");
 
 	if (stream == NULL) {
-		msg(LOG_ERR, "Cannot open filter file %s", RPM_FILTER_FILE);
-		return 1;
+
+		stream = fopen(FILTER_FILE, "r");
+		if (stream == NULL) {
+			msg(LOG_ERR, "Cannot open filter file %s", FILTER_FILE);
+			return 1;
+		}
+	} else {
+		msg(LOG_INFO, "Using old filter file: %s, use the new one: %s", OLD_FILTER_FILE, FILTER_FILE);
+		msg(LOG_INFO, "Consider 'mv %s %s'", OLD_FILTER_FILE, FILTER_FILE);
 	}
 
 	ssize_t nread;
@@ -373,7 +380,7 @@ int filter_load_file(void)
 
 		int level = 1;
 		char * rest = line;
-		rpm_filter_type_t type = NONE;
+		filter_type_t type = NONE;
 
 		for (size_t i = 0 ; i < len ; i++) {
 			switch (line[i]) {
@@ -415,7 +422,7 @@ int filter_load_file(void)
 			goto bad;
 		}
 
-		rpm_filter_t * filter = filter_create_obj();
+		filter_t * filter = filter_create_obj();
 
 		if (filter) {
 			filter->path = strdup(rest);
@@ -481,7 +488,7 @@ int filter_load_file(void)
 	stack_pop_all_vars(&stack);
 	stack_destroy(&stack);
 	if (global_filter->list.count == 0) {
-		msg(LOG_ERR, "filter_load_file: no valid filter provided in %s", RPM_FILTER_FILE);
+		msg(LOG_ERR, "filter_load_file: no valid filter provided in %s", FILTER_FILE);
 	}
 	return res;
 }

src/library/rpm-filter.h → src/library/filter.h

@@ -1,5 +1,5 @@
 /*
-* rpm-filter.h - Header for rpm filter implementation
+* filter.h - Header for a filter implementation
 * Copyright (c) 2023 Red Hat Inc., Durham, North Carolina.
 * All Rights Reserved.
 *
@@ -30,31 +30,31 @@
 
 #include "llist.h"
 
-typedef enum rpm_filter_type
+typedef enum filter_type
 {
 	NONE,
 	ADD,
 	SUB,
 	COMMENT,
 	BAD,
-} rpm_filter_type_t;
+} filter_type_t;
 
-typedef struct _rpm_filter
+typedef struct _filter
 {
-	rpm_filter_type_t type;
+	filter_type_t type;
 	char * path;
 	size_t len;
 	int processed;
 	int matched;
 	list_t list;
-} rpm_filter_t;
+} filter_t;
 
 
 typedef struct _stack_item
 {
 	int level;
 	int offset;
-	rpm_filter_t *filter;
+	filter_t *filter;
 } stack_item_t;