You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

285 lines
6.2 KiB

package sgfw
import (
const ReceiverSocketPath = "/tmp/fwoz.sock"
var OzInitPids []int = []int{}
func addInitPid(pid int) {
fmt.Println("::::::::::: init pid added: ", pid)
for i := 0; i < len(OzInitPids); i++ {
if OzInitPids[i] == pid {
OzInitPids = append(OzInitPids, pid)
func removeInitPid(pid int) {
for i := 0; i < len(OzInitPids); i++ {
if OzInitPids[i] == pid {
OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:])
func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost, dstport string) error {
policy := fw.PolicyForPath("*")
rulestr := ""
if whitelist {
rulestr += "ALLOW"
} else {
rulestr += "DENY"
rulestr += "|" + dsthost + ":" + dstport + "|SESSION|" + srchost
_, err := policy.parseRule(rulestr, true)
return err
func removeAllByIP(fw *Firewall, srcip string) bool {
log.Notice("XXX: Attempting to remove all rules associated with Oz interface: ", srcip)
saddr := net.ParseIP(srcip)
if saddr == nil {
return false
policy := fw.PolicyForPath("*")
nrm := 0
for _, rr := range policy.rules {
if rr.saddr != nil && rr.saddr.Equal(saddr) {
log.Notice("XXX: removing ephemeral rules by Oz interface ", srcip, ": ", rr)
if nrm == 0 {
log.Notice("XXX: did not remove any rules for interface")
return true
func ReceiverLoop(fw *Firewall, c net.Conn) {
defer c.Close()
bio := bufio.NewReader(c)
for {
buf, err := bio.ReadBytes('\n')
if err != nil {
log.Notice("Error reading data from IPC client: ", err)
data := string(buf)
if data[len(data)-1] == '\n' {
data = data[0:len(data)-1]
if data == "dump" {
log.Notice("Dumping oz-firewall rule set to client...")
rl := fw.PolicyForPath("*").rules
totalIRules := 0
for r := 0; r < len(rl); r++ {
if rl[r].saddr != nil {
banner := fmt.Sprintf("There are a total of %d rule(s).\n", totalIRules)
for r := 0; r < len(rl); r++ {
ip := make([]byte, 4)
binary.BigEndian.PutUint32(ip, rl[r].addr)
hostname := ""
if rl[r].hostname != "" {
hostname = " (" + rl[r].hostname + ") "
portstr := strconv.Itoa(int(rl[r].port))
if rl[r].port == 0 {
portstr = "*"
ruledesc := fmt.Sprintf("id %v, %v | %v, src:%v -> %v%v: %v\n", rl[r].id, RuleModeString[rl[r].mode], RuleActionString[rl[r].rtype], rl[r].saddr, net.IP(ip), hostname, portstr)
/* for i := 0; i < len(sandboxRules); i++ {
rulestr := ""
if sandboxRules[i].Whitelist {
rulestr += "whitelist"
} else {
rulestr += "blacklist"
rulestr += " " + sandboxRules[i].SrcIf.String() + " -> " + sandboxRules[i].DstIP.String() + " : " + strconv.Itoa(int(sandboxRules[i].DstPort)) + "\n"
} */
} else {
tokens := strings.Split(data, " ")
if len(tokens) == 2 && tokens[0] == "removeall" {
log.Notice("Attempting to remove all: ", tokens[1])
removeAllByIP(fw, tokens[1])
if tokens[0] == "register-init" && len(tokens) == 2 {
initp := tokens[1]
initpid, err := strconv.Atoi(initp)
if err != nil {
log.Notice("IPC received invalid oz-init pid: ", initp)
c.Write([]byte("Bad command: init pid was invalid"))
if len(tokens) != 6 {
log.Notice("IPC received invalid command: " + data)
c.Write([]byte("Received bad number of parameters.\n"))
} else if tokens[0] != "add" && tokens[0] != "remove" {
log.Notice("IPC received invalid command: " + data)
c.Write([]byte("Unrecognized command.\n"))
} else if tokens[1] != "whitelist" && tokens[1] != "blacklist" {
log.Notice("IPC received invalid command: " + data)
c.Write([]byte("Bad command: must specify either whitelist or blacklist.\n"))
add := true
if tokens[0] == "remove" {
add = false
w := true
if tokens[1] == "blacklist" {
w = false
srchost := tokens[2]
dsthost := tokens[3]
srcip := net.ParseIP(srchost)
if srcip == nil {
log.Notice("IP conversion failed: ", srchost)
srcip = net.IP{0,0,0,0}
dstport := tokens[4]
dstp, err := strconv.Atoi(dstport)
if dstport != "*" && (err != nil || dstp < 0 || dstp > 65535) {
log.Notice("IPC received invalid destination port: ", tokens[4])
c.Write([]byte("Bad command: dst port was invalid"))
/* initp := tokens[5]
initpid, err := strconv.Atoi(initp)
if err != nil {
log.Notice("IPC received invalid oz-init pid: ", initp)
c.Write([]byte("Bad command: init pid was invalid"))
} */
if add {
log.Noticef("Adding new rule to oz sandbox/fw: %v / %v -> %v : %v", w, srchost, dsthost, dstport)
// addInitPid(initpid)
err := addFWRule(fw, w, srchost, dsthost, dstport)
if err != nil {
log.Error("Error adding dynamic OZ firewall rule to fw-daemon: ", err)
} else {
log.Notice("XXX: rule also successfully added to fw-daemon")
} else {
log.Notice("Removing new rule from oz sandbox/fw... ")
log.Notice("IPC received command: " + data)
func OzReceiver(fw *Firewall) {
log.Notice("XXX: dispatching oz receiver...")
sboxes, err := getSandboxes()
if err != nil {
log.Warning("Error retrieving list of running Oz sandbox init processes: ", err)
} else {
if len(sboxes) > 0 {
log.Warning("Adding existing Oz sandbox init pids...")
for s := 0; s < len(sboxes); s++ {
} else {
log.Warning("It does not appear there were any Oz sandboxed processes already launched.")
lfd, err := net.Listen("unix", ReceiverSocketPath)
if err != nil {
log.Fatal("Could not open oz receiver socket:", err)
for {
fd, err := lfd.Accept()
if err != nil {
log.Fatal("Could not accept receiver client:", err)
go ReceiverLoop(fw, fd)