Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Write ancillary trust file and signal fapolicyd to reload. Steps applied during deployment back up trust file to user data dir write ancillary state to the fapolicyd.trust file signal fapolicyd Required a bit of additional configuration work to sketch in the application config. The app config consists of user specific settings and paths. For example in this PR is the users application data directory where we will store backup snapshots of the trust file. This is not currently taking a backup of the fapolicyd lmdb directory, only the ancillary trust file. It may be determined that the fapolicyd db needs a snapshot as well, but for now there is no need for that. closes #41 closes #42
- Loading branch information
Showing
10 changed files
with
96 additions
and
24 deletions.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,42 @@ | ||
from fapolicy_analyzer import * | ||
import pathlib | ||
import itertools as it | ||
from fapolicy_analyzer import * | ||
|
||
# config is loaded from $HOME/.config/fapolicy-analyzer/fapolicy-analyzer.toml | ||
|
||
# a system represents the state of the host sytems | ||
s1 = System() | ||
print(f"system1 has {len(s1.ancillary_trust())} trust entries") | ||
|
||
xs = Changeset() | ||
for p in pathlib.Path("/bin").iterdir(): | ||
xs.add_trust(str(p)) | ||
print(f"adding {xs.len()} trust entries") | ||
# changeset represents changes to trust | ||
xs1 = Changeset() | ||
for p in it.islice(pathlib.Path("/bin").iterdir(), 5): | ||
xs1.add_trust(str(p)) | ||
print(f"adding {xs1.len()} trust entries") | ||
|
||
# changesets are inexpensive | ||
xs2 = Changeset() | ||
for p in it.islice(pathlib.Path("/bin").iterdir(), 5, 10): | ||
xs2.add_trust(str(p)) | ||
print(f"adding {xs2.len()} trust entries") | ||
|
||
s2 = s1.apply_changeset(xs) | ||
# changesets get applied to a system, producing a new system | ||
s2 = s1.apply_changeset(xs1) | ||
print(f"system2 has {len(s2.ancillary_trust())} trust entries") | ||
for t in s2.ancillary_trust(): | ||
print(f"{t.status} {t.path} {t.size} {t.hash}") | ||
|
||
# the new system can have changes applied to it | ||
s3 = s2.apply_changeset(xs2) | ||
print(f"system3 has {len(s3.ancillary_trust())} trust entries") | ||
|
||
# a system is deployed, updating the fapolicyd ancillary trust | ||
# s2.deploy() | ||
|
||
# the output is | ||
# ================================== | ||
# system1 has 0 trust entries | ||
# adding 5 trust entries | ||
# adding 5 trust entries | ||
# applying changeset to current state... | ||
# system2 has 5 trust entries | ||
# applying changeset to current state... | ||
# system3 has 10 trust entries |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
from fapolicy_analyzer import * | ||
|
||
# config is loaded from $HOME/.config/fapolicy-analyzer/fapolicy-analyzer.toml | ||
s1 = System() | ||
for t in s1.ancillary_trust(): | ||
print(f"{t.path} {t.size} {t.hash}") | ||
|
||
print(f"found {len(s1.ancillary_trust())} ancillary trust entries") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,14 +1,20 @@ | ||
use serde::Deserialize; | ||
use serde::Serialize; | ||
|
||
use crate::app; | ||
use crate::sys; | ||
|
||
pub const PROJECT_NAME: &str = "fapolicy-analyzer"; | ||
|
||
/// All configuration loaded from the user toml under XDG config dir | ||
#[derive(Clone, Serialize, Deserialize, Default)] | ||
pub struct All { | ||
pub system: sys::Config, | ||
pub application: app::Config, | ||
} | ||
|
||
pub fn load() -> All { | ||
confy::load("fapolicy-analyzer").expect("unable to load user configuration") | ||
impl All { | ||
pub fn data_dir(&self) -> &str { | ||
self.application.data_dir.as_str() | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters