How can I add vscode server to the fapolicyd allow-list for all our users?


We are required to use fapolicyd on our Linux servers. This prevents running code from our home directory. We do not want to exempt the entire home directory from fapolicyd, but I'm having trouble finding a flexible way to allow just vscode and a few extensions.

I tried using a shared read-only vscode-server directory to limit the scope, but every user needs write access, which makes this no better than exempting the entire home directory.

I cannot use globs in the fapolicyd rules, so I can't add /home/*/.vscode-server/code-* (et al.).

We have many potential users, and that number fluctuates, so I really don't want to enumerate /home/user1/..., /home/user2/..., etc.

Is there a better solution for this?

3 answers

TomBertie (score 1):

I've found the lack of glob or regexp support in fapolicyd frustrating as well, for exactly the same reason. I've succeeded as follows. The first bit is fairly clean, but the second part is a bit of a hack. I'd love to know if someone else has come up with a more elegant solution.

  1. Enable the downloaded executable to be run. I add the following rule to 06-custom_allow.rules (where $gituserid is the user id of the developer and $username is the username):

    allow_audit perm=execute gid=$gituserid exe=/usr/bin/bash : ftype=application/x-executable dir=/home/$username/.vscode-server/

  2. Enable VS Code Server to run. This is harder because they create a whole new directory and set of files whenever the extension is updated. To get round this I run the following script every time it stops working due to an extension update:

#!/usr/bin/bash
# Usage: sudo ./enable-vscode-server.sh <username>
if [[ -z $1 ]]
then
    echo 'Specify the user to enable with VS Code Server'
    exit 1
fi
echo "Enabling $1 for VS Code Server.  This script must be run with SUDO permissions to be effective"
# Clean up previous trust (-f so a missing file from a first run is not an error)
rm -f /etc/fapolicyd/trust.d/vscode-server
# Establish trust on the updated vscode-server tree; entries go into
# /etc/fapolicyd/trust.d/vscode-server rather than the main trust file
fapolicyd-cli --file add "/home/$1/.vscode-server/bin/" --trust-file vscode-server
# Tell the running daemon to reload its trust database
fapolicyd-cli --update
systemctl restart fapolicyd

Every now and then you will probably need to clean up the .vscode-server/bin directory, or it will accumulate different versions and make the vscode-server trust file long.
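The script above handles one user per run and has to be re-run by hand after each update. The following is an added example, not code from the answer above, that generalizes step 2 to every home directory at once: it walks each `<home root>/<user>/.vscode-server/bin` tree the shell can glob (sidestepping the lack of globs in fapolicyd's own rules), writes one trust file for all of them, and reloads the daemon. It assumes (from my reading of fapolicyd, not stated on this page) that a file in `/etc/fapolicyd/trust.d/` is a list of `path size sha256` lines, which is the format `fapolicyd-cli --file add` produces; the function names, the `HOME_ROOT`/trust-file parameters and the scratch-directory run are mine.

```shell
#!/bin/sh
# Added example (not from the original posts): rebuild one fapolicyd trust file
# covering every user's ~/.vscode-server/bin tree.
#
# Assumptions (not stated on the page):
#   * trust.d files are "path size sha256" lines, one per regular file, which is
#     what `fapolicyd-cli --file add ... --trust-file` writes.
#   * The home root and trust-file path are parameters so the logic can be run
#     against a scratch directory without a real fapolicyd installation.
#   * vscode-server paths contain no newlines (true for its commit-hash layout).
set -eu

# Emit one trust entry: absolute path, size in bytes, sha256 of the contents.
trust_entry() {
    f=$1
    printf '%s %s %s\n' "$f" "$(stat -c %s "$f")" "$(sha256sum "$f" | cut -d' ' -f1)"
}

# Print trust entries for every regular file under <home_root>/*/.vscode-server/bin.
# Users without a vscode-server checkout are skipped, so no user list is needed.
build_vscode_trust() {
    home_root=$1
    for dir in "$home_root"/*/.vscode-server/bin; do
        [ -d "$dir" ] || continue          # unexpanded glob or plain file: skip
        find "$dir" -type f | sort | while IFS= read -r f; do
            trust_entry "$f"
        done
    done
}

# Write the trust file atomically (temp file + rename) and return the entry count.
write_vscode_trust() {
    home_root=$1
    trust_file=$2
    tmp=$(mktemp "${trust_file}.XXXXXX")
    build_vscode_trust "$home_root" > "$tmp"
    mv -f "$tmp" "$trust_file"
    awk 'END { print NR }' "$trust_file"
}

# Production path: rebuild /etc/fapolicyd/trust.d/vscode-server, then reload.
vscode_trust_refresh() {
    home_root=${1:-/home}
    trust_file=${2:-/etc/fapolicyd/trust.d/vscode-server}
    n=$(write_vscode_trust "$home_root" "$trust_file")
    echo "wrote $n trust entries to $trust_file"
    if command -v fapolicyd-cli >/dev/null 2>&1; then
        fapolicyd-cli --update           # ask the daemon to reload trust.d
    fi
}

# Only act when called with arguments; running without them just defines functions.
[ "$#" -eq 0 ] || vscode_trust_refresh "$@"
```

Run it as `sudo ./vscode-trust.sh` (or with an explicit home root and trust-file path) from a cron job or a systemd timer, and every user's current vscode-server binaries are trusted in one pass. Because trust is keyed on path, size and hash, an extension or server update simply produces new entries on the next run; the old version directories still accumulate under `.vscode-server/bin` and still need the periodic clean-up the answer mentions.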

bbengr (score 1):
Learning how to insert code here for the first time; this replaces my previous post.
#> cat /etc/fapolicyd/fapolicyd-filter.conf
# default filter file for fedora

+ /
 - usr/include/
 - usr/share/
  # Python byte code
  + *.py?
  # Python text files
  + *.py
  # Some apps have a private libexec
  + */libexec/*
  # Ruby
  + *.rb
  # Perl
  + *.pl
  # System tap
  + *.stp
  # Javascript
  + *.js
  # Java archive
  + *.jar
  # M4
  + *.m4
  # PHP
  + *.php
  # Perl Modules
  + *.pm
  # Lua
  + *.lua
  # Java
  + *.class
  # Typescript
  + *.ts
  # Typescript JSX
  + *.tsx
  # Lisp
  + *.el
  # Compiled Lisp
  + *.elc
  # vscode  (added for /usr/share/code)
  + code/
 - usr/src/kernel*/
  + */scripts/*
  + */tools/objtool/*

Note: If the code package is already installed:
fapolicyd-cli --update
fapolicyd-cli --delete-db
systemctl restart fapolicyd
fapolicyd-cli -D | grep '/usr/share/code'    # verify the files are now picked up by fapolicyd