Reload rules with signal #877
Labels
enhancement
New feature or request
fapolicyd-feature
New feature in fapolicyd that is not yet supported.
Milestone
Comments
jw3
added
enhancement
|
Does the Profiler use the same unit file? I'm thinking of the use-case where we are dry running a proposed rule set (if that's even a thing on the roadmap.) |
This was referenced Dec 19, 2023
Closed
jw3
added a commit
that referenced
this issue
Dec 19, 2023
Expands the fapolicyd fifo pipe signaling machinery to include cache flush and rule reload. This also fixes a bug from #672 where the trust reload was not including a new line character. This supports work that will take place for #877 to integrate the rule reload with the profiler execution. Closes #964
jw3
added a commit
to jw3/fapolicy-analyzer
that referenced
this issue
Dec 27, 2023
Expands the fapolicyd fifo pipe signaling machinery to include cache flush and rule reload. This also fixes a bug from ctc-oss#672 where the trust reload was not including a new line character. This supports work that will take place for ctc-oss#877 to integrate the rule reload with the profiler execution. Closes ctc-oss#964
Merged
jw3
added a commit
that referenced
this issue
Dec 29, 2023
First release of forked el8 This commit rolls up changes from master which are listed below. There are also some additional changes to support the el8 build. - Release v1.2.2 (#969) - Try harder to create rules backup (#967) Add a fallback for when a rename does not succeed. In the case where tempdir is on a different filesystem the `std::fs::rename` call will fail. ``` This function will return an error in the following situations, but is not limited to just these cases: - from does not exist. - The user lacks permissions to view contents. - from and to are on separate filesystems. ``` https://doc.rust-lang.org/std/fs/fn.rename.html This commit updates the logic to fallback to a copy and delete. Closes #965 - Update fapolicyd pipe commands (#966) Expands the fapolicyd fifo pipe signaling machinery to include cache flush and rule reload. This also fixes a bug from #672 where the trust reload was not including a new line character. This supports work that will take place for #877 to integrate the rule reload with the profiler execution. Closes #964 - Handle escapes in syslog entries (#959) Adds tests to ensure escapes in syslog entries are being parsed properly Closes #781 - Vendor updates (#957) Updates crate vendoring to be sourced only from Fedora packages Closes #958 - Build with Mock (#955) Uses Fedora Mock to build RPMs in a clean chroot environment. This commit modifies the GitHub CI RPM build by replacing the direct use of rpmbuild with Fedora Mock through a Podman container. This approach aligns our CI with the same approach used in Copr and Koji. Mock is also recommended as an upstream best practice, and is required for consistent behavior after the move to use `%cargo_generate_buildrequires`. Closes #952 - All arch support (#953) Fixes an issue building auparse bindings for i686 and removes all excluded arches from spec An updated Rust ring crate made it possible to build on s390 and power64 arches. That update was present in #905 but was not enabled in the spec until now. Closes #947 Closes #948 - Update packaging for latest Rust and Legal guidelines (#951) A couple of updates brought over from the rpm repo. Update Rust build dependencies to use `%cargo_generate_buildrequires` to generate, rather than explicitly listing dependencies. Projects with subcrates were not originally supported but have been now for a while. Update the license listing to include Rust statically linked licenses. See https://src.fedoraproject.org/rpms/fapolicy-analyzer/pull-request/16 Closes #949
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Rules can now be reloaded with a signal rather than full daemon reload.
linux-application-whitelisting/fapolicyd#243
Flashback: Trust was moved to using the full daemon reload because Rules required it. Now that Rules can be signaled, Trust could return to a signal. This opens the door for deployments without a daemon reload.
There could be other impacts there though, for example if bad rules were deployed, there might not be a way to write compiled.rules without stopping the daemon. Daemon stopping could become a fallback, with the optimization of not stopping becoming the first attempt.
The summary is that its not clear-cut that this needs to be supported, needs some though.
After a quick read of the linked PR it is not obvious whether rules.d is recalculated in any way, or if compiled.rules is the only thing being reloaded. Ill dig deeper later, but either way we are good, since we are writing still writing our own compiled.rules. This could impact the validity of #555.
The text was updated successfully, but these errors were encountered: