On Fri, 2020-05-22 at 10:30 -0400, Steve Grubb wrote:
> Hello,
> 
> I am working on our application whitelisting daemon. It uses the rpmdb to
> derive trust in what's on disk. If we use the whole rpmdb, then the number
> of files is large. So, to prune the amount of entries in the trust db down
> to a reasonable number, I thought we could jettison anything in /usr/share.
> 
> According to the Filesystem Hierarchy Standard [1] it says this about
> /usr/share:
> 
> The /usr/share hierarchy is for all read-only architecture independent
> data files.
> 
> But what I'm finding in practice is that cinnamon places its javascript
> there, there are libexec dirs that contain executable code, there are
> python and byte compiled python over there. In short, the system doesn't
> work because critical executables are in /usr/share.
> 
> The question is what should be done about this? Do we care that things are
> in /usr/share that are not following the Filesystem Hierarchy Standard? If
> we do, what is the proper fix for this? Should bz be opened against each
> component?
> 
> Best Regards,
> -Steve
> 
> 
> 1 - https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s11.html

Hi Steve

Your email talks about "application whitelisting" and "executables",
and this thread seems to be getting into the weeds about things like
the distinction between scripts vs machine code, and modules vs
scripts; code vs data.

Would it be helpful to approach this from a higher-level point of view?
Presumably your goal is to enforce some kind of security boundary,
along the lines of "only blessed things can be run".  What is that
boundary?  What kinds of threat do you have in mind, and how might this
whitelisting daemon block them?  (is there a web page somewhere for the
project?)   (also: what's the user experience?)

Some more awkward examples, in case these haven't already been
mentioned in the thread:

- what about machine code plugins to existing binaries?

- what about Python modules that aren't executable scripts, but which
are in the import path and might be used by executable scripts? (and
which might modify the import path)

- what about embedded interpreters?

Hope this is constructive
Dave
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
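
An added example, not part of either message or of the whitelisting daemon's code: a Python audit of a directory tree for files that look like code, the situation described above for /usr/share, including Python modules that carry no exec bit. The heuristics (ELF magic, `#!`, suffix list, exec bit), the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

CODE_SUFFIXES = {".py": "python", ".pyc": "bytecode", ".js": "javascript"}

def classify(path):
    """Label a file that looks like code, else None (heuristics are assumptions)."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == b"\x7fELF":
        return "elf"
    if head[:2] == b"#!":
        return "script"
    suffix = os.path.splitext(path)[1].lower()
    has_exec = os.stat(path).st_mode & 0o111
    return CODE_SUFFIXES.get(suffix, "exec-bit" if has_exec else None)

def audit(root):
    """Map relative path -> label for each code-like regular file under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            try:
                label = classify(full)
            except OSError:
                continue  # unreadable file: skip it and keep auditing
            if label:
                found[os.path.relpath(full, root)] = label
    return found

def build_sample(root):
    """Write a constructed sample tree standing in for /usr/share."""
    samples = {"icons/logo.png": b"\x89PNG\r\n\x1a\n",
               "cinnamon/js/ui/main.js": b"const x = 1;\n",
               "app/libexec/helper": b"\x7fELF\x02\x01\x01\x00",
               "app/tool": b"#!/usr/bin/python3\nprint('hi')\n"}
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, label in sorted(audit(tmp).items()):
            print(f"{label:12}{rel}")
```

Called as `audit("/usr/share")` on an installed system, the result lists the paths a trust database would lose if that subtree were dropped.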