Profiler and rule generation images and observations.

[tparchambault]

I'm just using this discussion to capture my observations and images while I work with a generic processing pipeline comprised of custom untrusted executables.

[tparchambault]

Executing the pipeline control wrapper script while fapd (w/default rules as shipped in FC39) was running:

$ ./PipelineCtl.py -s
Single xfer execution: Input file successfully transferred
$ sudo systemctl status fapolicyd.service 
[sudo] password for toma: 
○ fapolicyd.service - File Access Policy Daemon
     Loaded: loaded (/usr/lib/systemd/system/fapolicyd.service; disabled; prese>
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: inactive (dead)
       Docs: man:fapolicyd(8)
$ sudo systemctl start fapolicyd.service 
$ ./PipelineCtl.py -s
-bash: ./PipelineCtl.py: Operation not permitted
$

[tparchambault]

The generic pipeline is comprised of the following locally developed binaries:

$ ls bin
client  input_xlator  output_xlator  p_unit  server
toma@fc39-1-5-reference:~/Development/GenericProcessingPipeline$ ./PipelineCtl.py -s
-bash: ./PipelineCtl.py: Operation not permitted
toma@fc39-1-5-reference:~/Development/GenericProcessingPipeline$

The relevant section of the python wrapper script that executes the sequential processes of the generic pipeline:
<Edited - Original code used PWD as the location for xfer files; I want to demonstrate a rule using disparate directories w/unknown tmp filenames e.g. those that use uuids.>

# single_xfer_client_server_ene2end #############################
def single_xfer_client_server_ene2end():
    logging.debug("single_xfer_client_server_ene2end()")

    # Initialize environment
    os.system("rm -f input_xlator.out")
    os.system("rm -f p_unit_1.out")
    os.system("rm -f p_unit_2.out")
    os.system("rm -f server.out")

    artifact_opt = "-a" if gbArtifacts else ""
    
    # Execute single file test, starting up processes w/listening sockets first.
    # server, listens on 31338
    logging.debug("Starting the server on port 31338...")
    pServer = subprocess.Popen(['bin/server',
                                '-o', '/tmp/pipeline/server.out',
                                '-p','31338'])

    # input_translator, listens on 31337, writes to /tmp/pipeline/it_p0/ dir
    logging.debug("Starting the input_xlator on port 31337...")
    pInXLator = subprocess.Popen(['bin/input_xlator',
                                  '-O', '/tmp/pipeline/it_p0/',
                                  '-o', 'input_xlator.out',
                                  '-p', '31337'])

    # client, sends file to IT via tcp/ip
    time.sleep(3)
    logging.debug("Starting the client, sending test/test_input.xml via 31337")
    pClient = subprocess.Popen(['bin/client',
                                '-i', 'test/test_input.xml',
                                '-p', '31337'])
    pClient.wait(10)
    pInXLator.wait(5)
    
    # First processing unit, /tmp/pipeline/{read:it_p0/, write dir:p0_p1/}
    logging.debug("Starting the first p_unit...")
    pPUnit0 = subprocess.Popen(['bin/p_unit',
                                '-I', '/tmp/pipeline/it_p0/',
                                '-i', 'input_xlator.out',
                                '-O', '/tmp/pipeline/p0_p1/',
                                '-o', 'p_unit_0.out',
                                '-T', '/tmp/pipeline/p0_working/',
                                artifact_opt])
    pPUnit0.wait(5)

    # Second processing unit, /tmp/pipeline/{read:p0_p1/, write dir:p1_ot/}
    logging.debug("Starting the second p_unit...")
    pPUnit1 = subprocess.Popen(['bin/p_unit',
                                '-I', '/tmp/pipeline/p0_p1/',
                                '-i', 'p_unit_0.out',
                                '-O', '/tmp/pipeline/p1_ot/',
                                '-o', 'p_unit_1.out',
                                '-T', '/tmp/pipeline/p1_working/',
                                artifact_opt])
    pPUnit1.wait(5)

    # output_translator, send to srvr at 31337, read from /tmp/pipeline/p1_ot/
    logging.debug("Starting the output translator, sending to port 31338")
    pOutXLator = subprocess.Popen(['bin/output_xlator',
                                   '-S', '127.0.0.1',
                                   '-I', '/tmp/pipeline/p1_ot/',
                                   '-i', 'p_unit_1.out',
                                   '-p','31338'])
    pOutXLator.wait(5)

    
    logging.debug("/usr/bin/diff -q test/test_input.xml server.out")
    if os.system("/usr/bin/diff -q test/test_input.xml server.out") == 0:
        print("Single xfer execution: Input file successfully transferred")
    else:
        print("Single xfer execution: Fail")

[tparchambault]

Config file syslog format line exchanges the auid, (actual user ID) field specifier with the effective user and group ID field specifiers, uid,gid

[tparchambault]

Pre-execution population of the Profiler:

[tparchambault]

Post successful execution of the pipeline:

Edit: Attempting fix broken image link w/an edit. Click through on image results in private image not found. So much for cut/paste editing... Faux edit, fixed image click through, fwiw.

[tparchambault]

The event log associated with the above session:

fapa1709048416.events.txt

From the Profiler view's log pane:

Loading rule file:
## This file is automatically generated from /etc/fapolicyd/rules.d
%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,text/x-java,application/x-java-applet,application/javascript,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,application/x-elc,text/x-lua,text/x-m4,text/x-nftables,text/x-perl,text/x-php,text/x-python,text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap
allow perm=any uid=0 : dir=/var/tmp/
allow perm=any uid=0 trust=1 : all
allow perm=open exe=/usr/bin/rpm : all
allow perm=open exe=/usr/bin/python3.12 comm=dnf : all
deny_audit perm=any pattern=ld_so : all
deny_audit perm=any all : ftype=application/x-bad-elf
allow perm=open all : ftype=application/x-sharedlib trust=1
deny_audit perm=open all : ftype=application/x-sharedlib
allow perm=execute all : trust=1
allow perm=open all : ftype=%languages trust=1
deny_audit perm=any all : ftype=%languages
allow perm=any all : ftype=text/x-shellscript
deny_audit perm=open exe=/usr/bin/cat : path=/home/toma/.bashrc.bak
deny_audit perm=execute all : all
allow perm=open all : all
Loaded 15 rules

[tparchambault]

[tparchambault]

The language specifier:

10-languages.rules]
# This file contains the list of all identified languages on the system
%languages=application/x-bytecode.ocaml,application/x-bytecode.python,application/java-archive,\
text/x-java,application/x-java- applet,application/javascript,text/javascript,text/x-awk,text/x-gawk,text/x-lisp,\
application/x-elc,text/x-lua,text/x-m4,text/x- nftables,text/x-perl,text/x-php,text/x-python,\
text/x-R,text/x-ruby,text/x-script.guile,text/x-tcl,text/x-luatex,text/x-systemtap

[jw3]

fapolicyd rules.d: https://github.com/linux-application-whitelisting/fapolicyd/tree/main/rules.d

[tparchambault]

First Profiler analysis screen:

[tparchambault]

The Python script PipelineCtl.py creates subprocesses from the client, input_xlator, p_unit (twice!), output_xlator, and server binaries.

[jw3]

The results under the python subject can be skewed because the fapolicy-analyzer is executing from a top-level python process.

This is clearly seen if executing a bash script, but I think for the sake of a whitepaper I like the approach taken here with a python wrapper script.

[tparchambault]

The first process in the chain, is the client program. Besides the shared object libraries, it only opens and reads its input file test_input.xml; its output will be a TCP stream connection to the next executable in the chain, input_xlator.

[jw3]

The shared libraries that are untrusted but allowed are symptom of a known issue where the analyzer does not properly follow symlinks when building the analysis matrix.

[tparchambault]

Similarly, but inversely, the input_xlator receives a TCP stream input, and writes to the tmp file input_xlator.out.part' which is renamed to input_xlator.outafter thewrite()s`` are completed. Note that the *.part file has no attributes available because after the rename operation, that absolute path no longer exists on the file system.

[tparchambault]

The input_xlator writes the file, input_xlator.out.part which as above is renamed upon completion. This file becomes the first input to the first p_unit instance which subsequently feeds its output file, p_unit_0.out, to the second instance of a p_unit which generates its working output file, p_unit_1.out.part. And as with the previous *.part, the file will be renamed, stripping off the part suffix to indicate that the data write()s have been completed.

[tparchambault]

The p_unit executables actually don't do anything meaningful. They represent general processing blocks, expecting an input file, transferring that file to a scratch/working version of that file in the /tmp/pipeline/pN_working/ directory (where N is the p_unit instance), and generating a 'processed' output file. The working copy has a generated non-deterministic uuid filename. Upon completing the data transfer out of the scratch/working file, that file is deleted. Note that there are two uuid named files: one was created for each p_unit instance.

[tparchambault]

After all processing has been completed, the last p_unit block transfers a file, p_unit_1.out, to the output_xlator which reads it and outputs a TCP stream to the server process.

[tparchambault]

Finally the server outputs a file, server.out.

[tparchambault]

To summarize the file access events, from the above analysis images:

client: reads an input file, specified via command-line argument, test_input.xml.; No file writes.
input_xlator: No file reads; writes: input_xlator.out
p_unit (instance 0): reads input_xlator.out; writes the working file, <uuid generated file 0>. after processing has completed reads the working file <uuid generated file 0>, and writes the command line specified, p_unit_0.out.
p_unit (instance 1): reads p_unit_0.out; writes its working file, <uuid generated file 1>. after processing has completed reads the working file <uuid generated file 1>, and writes the command line specified, p_unit_1.out.
output_xlator: reads p_unit_1.out; No file writes (outputs to a TCP stream connection with the server
server: No file reads; Writes server.out