
Allow override of mounts file #300

Status: Open (1 commit, targeting base branch main)
Conversation

jw3 (Contributor) commented May 3, 2024

When in debug mode the default /proc/mounts source can be overridden to customize the source of fanotify events. This allows for a finer level of control than is achievable with filesystem type filtering.

The intent here is to restrict events to specific locations when testing to make interpreting the event stream easier.

The alternative mounts file will expect the same format as /proc/mounts, allowing us to head, tail, or grep sublists from /proc/mounts into a new file that fapolicyd will use as the mount source.

An example of restricting fapolicyd to only listen in a test directory:

```
$ mount -t tmpfs tmpfs /tmp/test-dir
$ grep test-dir /proc/mounts > /tmp/my-test-mounts
$ fapolicyd --debug --mounts=/tmp/my-test-mounts
$ cat /tmp/my-test-mounts
tmpfs /tmp/test-dir tmpfs rw,relatime,inode64 0 0
```

Only enabling this for debug mode, as it's not intended to be a feature used outside of debugging and testing a system.

jw3 (Contributor, Author) commented May 3, 2024

I still have some cleanup to do in the arg parsing code, but wanted to get @stevegrubb @radosroka feedback on if this idea is sane.

radosroka (Member) commented

This makes sense. Thank you for the PR.

jw3 (Contributor, Author) commented Jul 24, 2024

Thanks @radosroka, it is ready.

radosroka (Member) commented Jul 24, 2024

I haven't tried but I believe that --debug has to be first (before --mounts). Could you change it so it can be either way?

So fapolicyd --mounts=/tmp/my-test-mounts --debug works?

jw3 (Contributor, Author) commented Jul 24, 2024

> I haven't tried but I believe that --debug has to be first

You are correct. I did add a note to the readme about this.

I looked briefly and there was not an obvious way, but I could take a closer look.

It's a matter of setting the debug flag in a separate loop, but then still having to allow for the debug flags in the original loop that processes the other args, so that we don't fall through to the error case in the final else.

jw3 (Contributor, Author) commented Jul 24, 2024

Broke the debug flag checks into a separate loop. See how that looks. :)

I removed the note about ordering from the readme.

Thanks for pointing it out, it's better this way.

When debugging you can specify an alternative mounts file to the daemon
to watch for event notifications. This allows for a finer level of control
than is achievable by filtering by filesystem type.

The alternative mounts file will expect the same format as `/proc/mounts`,
which allows us to select entries from `/proc/mounts` into a new file which
fapolicyd will use as the mount source.

For example, use grep to select a single mount point:
```sh
mount -t tmpfs tmpfs /tmp/my-test-dir
grep my-test-dir /proc/mounts > /tmp/my-test-mounts
fapolicyd --debug --mounts=/tmp/my-test-mounts
```

Here we mount a tmpfs for testing in `/tmp`, and grep it from `/proc/mounts`
into the overriding mounts file, then run fapolicyd in debug mode while
specifying the override file. The result is fapolicyd only receives events
that occur in `/tmp/my-test-dir`.

Note: The `--mounts` flag must come after `--debug` in the arg list.
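The two points discussed in this thread, a two-pass argument parse so that `--mounts` is honoured in any position but only alongside `--debug`, and a sanity check that an override file follows the six-field `/proc/mounts` layout, as an added illustration in C. This is example code written for this page, not fapolicyd's own source; `struct opts`, `parse_args` and `parse_mount_line` are hypothetical names, and the argv arrays in `main` are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical option set; not fapolicyd's own types. */
struct opts {
    int debug;
    const char *mounts;   /* NULL means the default /proc/mounts */
};

/* Pass 1 only looks for --debug; pass 2 handles everything else. Because the
 * debug flag is already known before --mounts is seen, order no longer matters.
 * Returns 0 on success, -1 on an unknown flag or on --mounts without --debug. */
int parse_args(int argc, char **argv, struct opts *o)
{
    o->debug = 0;
    o->mounts = NULL;
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], "--debug") == 0)
            o->debug = 1;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--debug") == 0)
            continue;                       /* handled in pass 1 */
        if (strncmp(argv[i], "--mounts=", 9) == 0) {
            if (!o->debug)
                return -1;                  /* override is debug-only */
            o->mounts = argv[i] + 9;
            continue;
        }
        return -1;                          /* the "final else": unknown arg */
    }
    return 0;
}

/* Validate one line in /proc/mounts format (device mountpoint fstype options
 * dump pass) and copy the mount point into mp. Returns 0 on success, -1 if
 * the line does not carry all six fields or the path does not fit.
 * Note: /proc/mounts escapes spaces in paths as \040; this does not unescape. */
int parse_mount_line(const char *line, char *mp, size_t n)
{
    char buf[256];
    int dump, pass;
    if (sscanf(line, "%*s %255s %*s %*s %d %d", buf, &dump, &pass) != 3)
        return -1;
    if (strlen(buf) >= n)
        return -1;
    strcpy(mp, buf);
    return 0;
}
```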
radosroka (Member) commented

Cool. I will merge the PR later.
