linux-application-whitelisting · Kangie · Dec 2, 2023 · Dec 3, 2025 · Dec 3, 2025 · Dec 3, 2025
diff --git a/Makefile.am b/Makefile.am
@@ -5,7 +5,7 @@ TEST_FIXTURES = \
 src/tests/fixtures/filter-minimal.conf \
 src/tests/fixtures/filter-cases.txt \
 src/tests/fixtures/broken-filter.conf \
-init/fapolicyd-filter.conf \
+init/data/fapolicyd-filter.conf \
 src/tests/fixtures/rules-valid.rules
 
 EXTRA_DIST = ChangeLog AUTHORS NEWS README.md INSTALL fapolicyd.spec \

diff --git a/README.md b/README.md
diff --git a/configure.ac b/configure.ac
@@ -150,7 +150,21 @@ if test x$use_deb = xyes ; then
 fi
 AM_CONDITIONAL(WITH_DEB, test x$use_deb = xyes)
 
-AM_CONDITIONAL(NEED_MD5, test x$use_deb = xyes)
+withval=""
+AC_ARG_WITH(ebuild,
+AS_HELP_STRING([--with-ebuild],[Use the ebuild database as a trust source]),
+use_ebuild=$withval,use_ebuild=no)
+
+if test x$use_ebuild = xyes ; then
+    AC_DEFINE(USE_EBUILD,1,[Define if you want to use the ebuild database as trust source.])
+    AC_CHECK_LIB(md, MD5Final, , [AC_MSG_ERROR([libmd is missing])], -lmd)
+fi
+AM_CONDITIONAL(WITH_EBUILD, test x$use_ebuild = xyes)
+
+if test x$use_deb = xyes || test x$use_ebuild = xyes ; then
+    AC_DEFINE(NEED_MD5, 1, [Define if MD5 hashing is needed])
+fi
+AM_CONDITIONAL(NEED_MD5, test x$use_deb = xyes || test x$use_ebuild = xyes)
 
 dnl FIXME some day pass this on the command line
 def_systemdsystemunitdir=${prefix}/lib/systemd/system

diff --git a/fapolicyd.spec b/fapolicyd.spec
@@ -250,11 +250,13 @@ fi
 %doc README.md
 %{!?_licensedir:%global license %%doc}
 %license COPYING
-%attr(755,root,root) %dir %{_datadir}/%{name}
-%attr(755,root,root) %dir %{_datadir}/%{name}/sample-rules
-%attr(644,root,root) %{_datadir}/%{name}/default-ruleset.known-libs
-%attr(644,root,root) %{_datadir}/%{name}/sample-rules/*
-%attr(644,root,root) %{_datadir}/%{name}/fapolicyd-magic.mgc
+%attr(755,root,%{name}) %dir %{_datadir}/%{name}
+%attr(755,root,%{name}) %dir %{_datadir}/%{name}/sample-rules
+%attr(644,root,%{name}) %{_datadir}/%{name}/default-ruleset.known-libs
+%attr(644,root,%{name}) %{_datadir}/%{name}/sample-rules/*
+%attr(644,root,%{name}) %{_datadir}/%{name}/fapolicyd-magic.mgc
+%exclude %{_sysconfdir}/init.d/%{name}
+%exclude %{_sysconfdir}/conf.d/%{name}
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/trust.d
 %attr(750,root,%{name}) %dir %{_sysconfdir}/%{name}/rules.d

diff --git a/init/Makefile.am b/init/Makefile.am
@@ -1,8 +1,10 @@
 EXTRA_DIST = \
-	fapolicyd.service \
-	fapolicyd.conf \
-	fapolicyd-filter.conf \
-	fapolicyd.trust \
+	data/fapolicyd-filter.conf \
+	data/fapolicyd.conf \
+	data/fapolicyd.trust \
+	openrc/conf.d/fapolicyd \
+	openrc/init.d/fapolicyd \
+	systemd/fapolicyd.service \
 	fapolicyd-tmpfiles.conf \
 	fapolicyd-magic \
 	fapolicyd.bash_completion \
@@ -11,20 +13,25 @@ EXTRA_DIST = \
 fapolicyddir = $(sysconfdir)/fapolicyd
 
 dist_fapolicyd_DATA = \
-	fapolicyd.conf \
-	fapolicyd-filter.conf \
-	fapolicyd.trust
+	data/fapolicyd.conf \
+	data/fapolicyd-filter.conf \
+	data/fapolicyd.trust
 
 systemdservicedir = $(systemdsystemunitdir)
-dist_systemdservice_DATA = fapolicyd.service
+dist_systemdservice_DATA = systemd/fapolicyd.service
+
+openrcinitdir = $(sysconfdir)/init.d
+dist_openrcinit_DATA = openrc/init.d/fapolicyd
+openrcconfdir = $(sysconfdir)/conf.d
+dist_openrcconf_DATA = openrc/conf.d/fapolicyd
 
 sbin_SCRIPTS = fagenrules
 
 completiondir = $(sysconfdir)/bash_completion.d/
 dist_completion_DATA = fapolicyd.bash_completion
 
 MAGIC = fapolicyd-magic.mgc
-pkgdata_DATA = ${MAGIC} 
+pkgdata_DATA = ${MAGIC}
 CLEANFILES = ${MAGIC}
 
 ${MAGIC}: $(EXTRA_DIST)

diff --git a/init/fapolicyd-filter.conf → init/data/fapolicyd-filter.conf b/init/fapolicyd-filter.conf → init/data/fapolicyd-filter.conf
diff --git a/init/fapolicyd.conf → init/data/fapolicyd.conf b/init/fapolicyd.conf → init/data/fapolicyd.conf
diff --git a/init/fapolicyd.trust → init/data/fapolicyd.trust b/init/fapolicyd.trust → init/data/fapolicyd.trust
diff --git a/init/fapolicyd-magic b/init/fapolicyd-magic
@@ -13,7 +13,7 @@
 0	string/wt	#!\ /bin/rc		Plan 9 shell script text executable
 !:mime	text/x-plan9-shellscript
 
-0	string/wb	#!\ /usr/bin/ocamlrun	Ocaml byte-compiled executable 
+0	string/wb	#!\ /usr/bin/ocamlrun	Ocaml byte-compiled executable
 !:mime	application/x-bytecode.ocaml
 
 0	string/wt	#!\ /usr/bin/lua	Lua script text executable

diff --git a/init/openrc/conf.d/fapolicyd b/init/openrc/conf.d/fapolicyd
@@ -0,0 +1 @@
+fapolicyd_opts="--permissive --debug"
diff --git a/init/openrc/init.d/fapolicyd b/init/openrc/init.d/fapolicyd
@@ -0,0 +1,19 @@
+#!/sbin/openrc-run
+
+name=$RC_SVCNAME
+cfgfile="/etc/$RC_SVCNAME/$RC_SVCNAME.conf"
+command="/usr/sbin/fapolicyd"
+command_args="${fapolicyd_opts}"
+command_user="fapolicyd"
+pidfile="/run/$RC_SVCNAME/$RC_SVCNAME.pid"
+
+# Depend on local disks being mounted
+depend() {
+	need localmount
+}
+
+# Before starting the service update the rulesfile in /etc/fapolicyd
+# from the fragments in /etc/fapolicyd/rules.d
+start_pre() {
+	/usr/sbin/fagenrules
+}
diff --git a/init/fapolicyd.service → init/systemd/fapolicyd.service b/init/fapolicyd.service → init/systemd/fapolicyd.service