Ftype issue

[Thomasw2802]

Hello,

I want to talk about a issue I encountered while using fapolicyd.

I tried to make rules using ftype option but I found out that it's very easy to manipulate a file ftype.
For instance, if I have a python file and I write on my first line #!/bin/bash, the ftype detected will be text/x-shellscript.
So, if I have a rule that deny python ftype it will be easy for an attacker to bypass it.

Is it safe to use this option ?

[stevegrubb]

What happens when you try to run that file with bash?

[Thomasw2802]

It doesn't work because the syntax is python but if i run it with python it works (i have a rule that deny python ftype).

I can have a text/plain ftype with a python script as well because ftype is based on magic number if i'm not mistaken.

[Tronde]

Hi, I would like to add another example to this thread that shows how easily one can avoid being blocked by fapolicyd. For the following example I used fapolicyd-1.3.3-100.el9 on some RHEL 9.6 box.

Files containing a python shebang are recognized and blocked

$ cat << EOF > /home/tronde/hello.py
> #!/usr/bin/env python3.9
> print("Hello World")
> EOF
$ chmod u+x /home/tronde/hello.py
$ /usr/bin/python3.9 /home/tronde/hello.py
/usr/bin/python3.9: can't open file '/home/tronde/hello.py': [Errno 1] Operation not permitted
$ file hello.py 
hello.py: writable, executable, regular file, no read permission

Same code runs when omitting the shebang

$ file hello2.py 
hello2.py: ASCII text
$ cat hello2.py 
print("Hello Sysadmin.")
$ /usr/bin/python3.9 hello2.py 
Hello Sysadmin.

Conclusion

Based on the provided observations, it's evident that fapolicyd on the tested RHEL 9.6 system blocks the execution of a Python script when it's directly invoked and contains a shebang, even when the script is executable. However, the same script can be successfully executed when the shebang is omitted and the script is passed as an argument to the Python interpreter. This demonstrates a potential weakness in fapolicyd's enforcement mechanism, as it appears to rely on the presence of the shebang to identify and block the execution of unauthorized scripts, allowing for a straightforward bypass.

Do you see any option to prevent this?