Allow override of mounts file #300
I still have some cleanup to do in the arg parsing code, but wanted to get @stevegrubb @radosroka feedback on if this idea is sane.
This makes sense. Thank you for the PR.
Thanks @radosroka, it is ready.
I haven't tried but I believe that So
You are correct. I did add a note to the readme about this. I looked briefly and there was not an obvious way, but I could take a closer look. It's a matter of setting the debug flag in a separate loop, but then still having to allow for the debug flags in the original loop that processes the other args, so that we don't fall through to the error case in the final else.
Broke the debug flag checks into a separate loop. See how that looks. :) I removed the note about ordering from the readme. Thanks for pointing it out, it's better this way.
When debugging you can specify an alternative mounts file to the daemon to watch for event notifications. This allows for a finer level of control than is achievable by filtering by filesystem type.

The alternative mounts file will expect the same format as `/proc/mounts`, which allows us to select entries from `/proc/mounts` into a new file which fapolicyd will use as the mount source.

For example, use grep to select a single mount point:

```
mount -t tmpfs tmpfs /tmp/my-test-dir
grep my-test-dir /proc/mounts > /tmp/my-test-mounts
fapolicyd --debug --mounts=/tmp/my-test-mounts
```

Here we mount a tmpfs for testing in `/tmp`, and grep it from `/proc/mounts` into the overriding mounts file, then run fapolicyd in debug mode while specifying the override file. The result is fapolicyd only receives events that occur in `/tmp/my-test-dir`.

Note: The `--mounts` flag must come after `--debug` in the arg list.
Cool. I will merge the PR later.
When in debug mode the default /proc/mounts source can be overridden to customize the source of fanotify events. This allows for a finer level of control than is achievable with filesystem type filtering.
The intent here is to restrict events to specific locations when testing to make interpreting the event stream easier.
The alternative mounts file will expect the same format as /proc/mounts, allowing us to head, tail, or grep sublists from /proc/mounts into a new file that fapolicyd will use as the mount source.
An example of restricting fapolicyd to only listen in a test directory
Only enabling this for debug mode, as it's not intended to be a feature used outside of debugging and testing a system.
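A stricter way to build the override file than a substring `grep`, as an added example that is not part of this PR or of fapolicyd: it matches the mount-point field exactly and fails when a requested path is absent. The helper names `encode_mount_path`, `select_mounts` and `sample_mounts` are hypothetical, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example; these helper names are hypothetical, not fapolicyd code.

# Encode a path the way /proc/mounts does: backslash, space and tab become
# octal escapes (\134, \040, \011). Backslash is handled first so the
# escapes introduced by the later substitutions are not encoded again.
encode_mount_path() {
    tab=$(printf '\t')
    printf '%s\n' "$1" |
        sed -e 's/\\/\\134/g' -e 's/ /\\040/g' -e "s/$tab/\\\\011/g"
}

# select_mounts SOURCE MOUNT_POINT...
# Print the SOURCE entries whose mount point (field 2) is exactly one of the
# requested paths. Returns 1 if any requested path matched nothing, so a typo
# cannot silently produce an empty or partial override file.
select_mounts() {
    src=$1
    shift
    wanted=
    for p in "$@"; do
        wanted="$wanted$(encode_mount_path "$p")
"
    done
    # ENVIRON is used instead of -v because -v would expand \040 to a space.
    WANTED=$wanted awk '
        BEGIN {
            missing = 0
            n = split(ENVIRON["WANTED"], w, "\n")
            for (i = 1; i <= n; i++) if (w[i] != "") want[w[i]] = 0
        }
        NF >= 6 && ($2 in want) { print; want[$2]++ }
        END { for (m in want) if (want[m] == 0) missing = 1; exit missing }
    ' "$src"
}

# Constructed sample in /proc/mounts format (not captured from a real host).
sample_mounts() {
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp/my-test-dir tmpfs rw,relatime 0 0
tmpfs /tmp/my-test-dir-old tmpfs rw,relatime 0 0
/dev/sdb1 /mnt/my\040usb vfat rw,relatime 0 0
EOF
}

# Usage, with the paths from the README text:
#   select_mounts /proc/mounts /tmp/my-test-dir > /tmp/my-test-mounts
```

On the sample, `grep my-test-dir` would also pick up `/tmp/my-test-dir-old`, so fapolicyd would watch a mount the test did not intend.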