matth
/
fw-daemon
mirror of https://github.com/subgraph/fw-daemon
1
1
Fork 0
Code Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd7df165517'
${ noResults }
fw-daemon/sgfw/prompt.go

538 lines
12 KiB
Raw Normal View History Unescape

Moved fw-daemon to command/lib
8 years ago
package sgfw
Initial commit
9 years ago
import (
"fmt"
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
"os"
Initial commit
9 years ago
"os/user"
"strconv"
Support for TLSGuard in prompter
7 years ago
"strings"
Initial commit
9 years ago
"sync"
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
"syscall"
Squashed (some) noisy debug output.
8 years ago
"time"
Initial commit
9 years ago
Refactor...
8 years ago
"github.com/godbus/dbus"
Added per-process (ephemeral) rule support. (proc coroner now has support for multiple callbacks)
8 years ago
"github.com/subgraph/fw-daemon/proc-coroner"
Initial commit
9 years ago
)
func newPrompter(conn *dbus.Conn) *prompter {
p := new(prompter)
p.cond = sync.NewCond(&p.lock)
p.dbusObj = conn.Object("com.subgraph.FirewallPrompt", "/com/subgraph/FirewallPrompt")
p.policyMap = make(map[string]*Policy)
go p.promptLoop()
return p
}
type prompter struct {
dbusObj dbus.BusObject
lock sync.Mutex
cond *sync.Cond
policyMap map[string]*Policy
policyQueue []*Policy
}
func (p *prompter) prompt(policy *Policy) {
p.lock.Lock()
defer p.lock.Unlock()
Re-sync to master.
7 years ago
_, ok := p.policyMap[policy.sandbox+"|"+policy.path]
Initial commit
9 years ago
if ok {
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
p.cond.Signal()
Initial commit
9 years ago
return
}
Re-sync to master.
7 years ago
p.policyMap[policy.sandbox+"|"+policy.path] = policy
Merge newest branch changes with latest changes to master.
7 years ago
log.Debugf("Saving policy key:" + policy.sandbox + "|" + policy.path)
Initial commit
9 years ago
p.policyQueue = append(p.policyQueue, policy)
p.cond.Signal()
}
func (p *prompter) promptLoop() {
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
// p.lock.Lock()
Initial commit
9 years ago
for {
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
p.processNextPacket()
Initial commit
9 years ago
}
}
func (p *prompter) processNextPacket() bool {
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
//fmt.Println("processNextPacket()")
Very noisy, experimental support for asynchronous multi-rule firewall prompting. Fixed prompted rule removal bug in fw-prompt.
8 years ago
var pc pendingConnection = nil
empty := true
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
Very noisy, experimental support for asynchronous multi-rule firewall prompting. Fixed prompted rule removal bug in fw-prompt.
8 years ago
for {
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
p.lock.Lock()
Very noisy, experimental support for asynchronous multi-rule firewall prompting. Fixed prompted rule removal bug in fw-prompt.
8 years ago
pc, empty = p.nextConnection()
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
p.lock.Unlock()
AddRuleAsync DBus calls now include reference guid for proper application of "once" rules. Deletes of fw-prompt entries at root of tree now fold up the first child entry into the deleted parent entry. Fixed fw-prompt bug resulting in return of improper scope. Application name is no longer editable in fw-prompt. Icon mapping properly supported for symlinked application paths. Removed spurious warnings for valid fw-prompt removal requests. Awful hacked up fix to make icons for non-existent applications properly blank and remove GTK warnings. Removed old/deprecated Oz firewall rules routines.
7 years ago
if pc != nil {
fmt.Println("GOT NON NIL")
}
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
//fmt.Println("XXX: processNextPacket() loop; empty = ", empty, " / pc = ", pc)
Very noisy, experimental support for asynchronous multi-rule firewall prompting. Fixed prompted rule removal bug in fw-prompt.
8 years ago
if pc == nil && empty {
return false
} else if pc == nil {
continue
} else if pc != nil {
break
}
Initial commit
9 years ago
}
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
if pc.getPrompting() {
log.Debugf("Skipping over already prompted connection")
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
return false
Very noisy, experimental support for asynchronous multi-rule firewall prompting. Fixed prompted rule removal bug in fw-prompt.
8 years ago
}
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
Re-sync to master.
7 years ago
pc.setPrompting(true)
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
fmt.Println("processConnection")
Re-sync to master.
7 years ago
go p.processConnection(pc)
Initial commit
9 years ago
return true
}
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
type PC2FDMapping struct {
guid string
inode uint64
fd int
fdpath string
prompter *prompter
}
var PC2FDMap = map[string]PC2FDMapping{}
var PC2FDMapLock = &sync.Mutex{}
var PC2FDMapRunning = false
func monitorPromptFDs(pc pendingConnection) {
guid := pc.getGUID()
pid := pc.procInfo().Pid
inode := pc.procInfo().Inode
fd := pc.procInfo().FD
prompter := pc.getPrompter()
fmt.Printf("ADD TO MONITOR: %v | %v / %v / %v\n", pc.policy().application, guid, pid, fd)
if pid == -1 || fd == -1 || prompter == nil {
log.Warning("Unexpected error condition occurred while adding socket fd to monitor")
return
}
PC2FDMapLock.Lock()
defer PC2FDMapLock.Unlock()
fdpath := fmt.Sprintf("/proc/%d/fd/%d", pid, fd)
PC2FDMap[guid] = PC2FDMapping{guid: guid, inode: inode, fd: fd, fdpath: fdpath, prompter: prompter}
return
}
func monitorPromptFDLoop() {
fmt.Println("++++++++++= monitorPromptFDLoop()")
for true {
delete_guids := []string{}
PC2FDMapLock.Lock()
fmt.Println("++++ nentries = ", len(PC2FDMap))
for guid, fdmon := range PC2FDMap {
fmt.Println("ENTRY:", fdmon)
lsb, err := os.Stat(fdmon.fdpath)
if err != nil {
log.Warningf("Error looking up socket \"%s\": %v\n", fdmon.fdpath, err)
delete_guids = append(delete_guids, guid)
continue
}
sb, ok := lsb.Sys().(*syscall.Stat_t)
if !ok {
log.Warning("Not a syscall.Stat_t")
delete_guids = append(delete_guids, guid)
continue
}
inode := sb.Ino
Fixed TLS extension parsing routines. Added lots of constant values to TLSGuard; general code cleanup.
7 years ago
// fmt.Println("+++ INODE = ", inode)
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
if inode != fdmon.inode {
fmt.Printf("inode mismatch: %v vs %v\n", inode, fdmon.inode)
delete_guids = append(delete_guids, guid)
}
}
fmt.Println("guids to delete: ", delete_guids)
saved_mappings := []PC2FDMapping{}
for _, guid := range delete_guids {
saved_mappings = append(saved_mappings, PC2FDMap[guid])
delete(PC2FDMap, guid)
}
PC2FDMapLock.Unlock()
for _, mapping := range saved_mappings {
call := mapping.prompter.dbusObj.Call("com.subgraph.FirewallPrompt.RemovePrompt", 0, mapping.guid)
fmt.Println("DISPOSING CALL = ", call)
prompter := mapping.prompter
prompter.lock.Lock()
for _, policy := range prompter.policyQueue {
policy.lock.Lock()
pcind := 0
for pcind < len(policy.pendingQueue) {
if policy.pendingQueue[pcind].getGUID() == mapping.guid {
fmt.Println("-------------- found guid to remove")
policy.pendingQueue = append(policy.pendingQueue[:pcind], policy.pendingQueue[pcind+1:]...)
} else {
pcind++
}
}
policy.lock.Unlock()
}
prompter.lock.Unlock()
}
fmt.Println("++++++++++= monitorPromptFDLoop WAIT")
time.Sleep(5 * time.Second)
}
}
Refactor to support more than one type of 'connection' Created and interface pendingConnection which represents either a pending packet or socks connection.
9 years ago
func (p *prompter) processConnection(pc pendingConnection) {
Initial commit
9 years ago
var scope int32
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
var dres bool
Initial commit
9 years ago
var rule string
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
if !PC2FDMapRunning {
PC2FDMapLock.Lock()
if !PC2FDMapRunning {
PC2FDMapRunning = true
PC2FDMapLock.Unlock()
go monitorPromptFDLoop()
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
} else {
PC2FDMapLock.Unlock()
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
}
}
Added new RemovePrompt DBus call to complement RequestPrompt (GUID-based prompt removal). The addition of a rule matching multiple pending connections in fw-prompt now removes all of them. fw-prompter now increments ref# column for identical prompt requests. Fixed/cleaned up/updated TLSGuard code. Added TLSGuard toggle option to fw-prompt GUI (default for SOCKS connections). fw-prompt now displays icon of filtered application. DBus RequestPrompt() now "works" asynchronously. TLSGuard fixed under certain conditions but still very buggy. Fixed some fw-prompt crash conditions with treeview mutex locking. Fixed SOCKS connection panic condition linked to closed channel. Cleanup of unused data structures/values.
7 years ago
if pc.getPrompter() == nil {
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
pc.setPrompter(p)
Added new RemovePrompt DBus call to complement RequestPrompt (GUID-based prompt removal). The addition of a rule matching multiple pending connections in fw-prompt now removes all of them. fw-prompter now increments ref# column for identical prompt requests. Fixed/cleaned up/updated TLSGuard code. Added TLSGuard toggle option to fw-prompt GUI (default for SOCKS connections). fw-prompt now displays icon of filtered application. DBus RequestPrompt() now "works" asynchronously. TLSGuard fixed under certain conditions but still very buggy. Fixed some fw-prompt crash conditions with treeview mutex locking. Fixed SOCKS connection panic condition linked to closed channel. Cleanup of unused data structures/values.
7 years ago
}
Refactor to support more than one type of 'connection' Created and interface pendingConnection which represents either a pending packet or socks connection.
9 years ago
addr := pc.hostname()
Initial commit
9 years ago
if addr == "" {
Refactor to support more than one type of 'connection' Created and interface pendingConnection which represents either a pending packet or socks connection.
9 years ago
addr = pc.dst().String()
Initial commit
9 years ago
}
Refactor to support more than one type of 'connection' Created and interface pendingConnection which represents either a pending packet or socks connection.
9 years ago
policy := pc.policy()
Initial commit
9 years ago
Incorporated TLSGuard and turned it on by default for all outbound SOCKS5 connections. Fixed display of nil IPs (when only hostname is passed via SOCKS5 connect).
8 years ago
dststr := ""
if pc.dst() != nil {
dststr = pc.dst().String()
Support for TLSGuard in prompter
7 years ago
} else {
Added new RemovePrompt DBus call to complement RequestPrompt (GUID-based prompt removal). The addition of a rule matching multiple pending connections in fw-prompt now removes all of them. fw-prompter now increments ref# column for identical prompt requests. Fixed/cleaned up/updated TLSGuard code. Added TLSGuard toggle option to fw-prompt GUI (default for SOCKS connections). fw-prompt now displays icon of filtered application. DBus RequestPrompt() now "works" asynchronously. TLSGuard fixed under certain conditions but still very buggy. Fixed some fw-prompt crash conditions with treeview mutex locking. Fixed SOCKS connection panic condition linked to closed channel. Cleanup of unused data structures/values.
7 years ago
dststr = addr + " (via proxy resolver)"
Incorporated TLSGuard and turned it on by default for all outbound SOCKS5 connections. Fixed display of nil IPs (when only hostname is passed via SOCKS5 connect).
8 years ago
}
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
monitorPromptFDs(pc)
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
call := p.dbusObj.Call("com.subgraph.FirewallPrompt.RequestPromptAsync", 0,
Added new RemovePrompt DBus call to complement RequestPrompt (GUID-based prompt removal). The addition of a rule matching multiple pending connections in fw-prompt now removes all of them. fw-prompter now increments ref# column for identical prompt requests. Fixed/cleaned up/updated TLSGuard code. Added TLSGuard toggle option to fw-prompt GUI (default for SOCKS connections). fw-prompt now displays icon of filtered application. DBus RequestPrompt() now "works" asynchronously. TLSGuard fixed under certain conditions but still very buggy. Fixed some fw-prompt crash conditions with treeview mutex locking. Fixed SOCKS connection panic condition linked to closed channel. Cleanup of unused data structures/values.
7 years ago
pc.getGUID(),
Refactor to support more than one type of 'connection' Created and interface pendingConnection which represents either a pending packet or socks connection.
9 years ago
policy.application,
policy.icon,
policy.path,
Initial commit
9 years ago
addr,
Refactor to support more than one type of 'connection' Created and interface pendingConnection which represents either a pending packet or socks connection.
9 years ago
int32(pc.dstPort()),
Incorporated TLSGuard and turned it on by default for all outbound SOCKS5 connections. Fixed display of nil IPs (when only hostname is passed via SOCKS5 connect).
8 years ago
dststr,
Added ephemeral oz sandbox/fw-daemon rules that can be updated via IPC connection. fw-daemon prompter is now updated with source address of originating packet. Fixed bug in decoding DNS data. Packets are dropped properly (by marking and then calling Accept()).
8 years ago
pc.src().String(),
Full support for multiple protocol types (UDP, ICMP). Cleared up awkward fw-settings/fwprompt GUI language caused by introduction of UDP/ICMP ("connection"-less) rules. fw-daemon automatically passes through all ICMP traffic sent to same address. Added (temporary) rule for passing through all UDP-based DNS server traffic. Updated developers' README documentation.
8 years ago
pc.proto(),
Support for firewall rule matching by uid/gid and/or user/group name value. fw-daemon prompt GUI and fw-settings now include user/uid and group/gid info. sgfw prompt GUI now displays username instead of real name. Fixed bug in parsing IP addresses as CIDR values. sgfw_rules entries can now be commented out. Upgraded bundled go-procsnitch API.
8 years ago
int32(pc.procInfo().UID),
int32(pc.procInfo().GID),
Refactor to support more than one type of 'connection' Created and interface pendingConnection which represents either a pending packet or socks connection.
9 years ago
uidToUser(pc.procInfo().UID),
Support for firewall rule matching by uid/gid and/or user/group name value. fw-daemon prompt GUI and fw-settings now include user/uid and group/gid info. sgfw prompt GUI now displays username instead of real name. Fixed bug in parsing IP addresses as CIDR values. sgfw_rules entries can now be commented out. Upgraded bundled go-procsnitch API.
8 years ago
gidToGroup(pc.procInfo().GID),
ADDED: System rules ADDED: Persistant configs ADDED: Prompt configurations (default action, advanced options, auto expand) FIXED: Default focus on prompt FIXED: Bug in display of *:<port> rule FIXED: Updated ui to gnome >= 3.20
8 years ago
int32(pc.procInfo().Pid),
Support for TLSGuard in prompter
7 years ago
pc.sandbox(),
Re-sync to master.
7 years ago
pc.socks(),
Added connection timestamps to firewall prompting. Disabled old synchronous RequestPrompt Dbus method in fw-prompt. fw-prompt GUI now (as originally) remains above other windows when there are pending decisions. Fixed improper traversal of pending connections in fw-prompt GUI. Consolidated redundant code blocks in fw-prompt GUI.
7 years ago
pc.getTimestamp(),
Added extra display info for "Sandboxed application" in fw-prompt gnome shell GUI. fw-prompt GUI gracefully displays unknown PIDs and UIDs. Fixed stupid syntax error bug in oz-init PID management code.
8 years ago
pc.getOptString(),
ADDED: System rules ADDED: Persistant configs ADDED: Prompt configurations (default action, advanced options, auto expand) FIXED: Default focus on prompt FIXED: Bug in display of *:<port> rule FIXED: Updated ui to gnome >= 3.20
8 years ago
FirewallConfig.PromptExpanded,
FirewallConfig.PromptExpert,
Golint...
8 years ago
int32(FirewallConfig.DefaultActionID))
Added new RemovePrompt DBus call to complement RequestPrompt (GUID-based prompt removal). The addition of a rule matching multiple pending connections in fw-prompt now removes all of them. fw-prompter now increments ref# column for identical prompt requests. Fixed/cleaned up/updated TLSGuard code. Added TLSGuard toggle option to fw-prompt GUI (default for SOCKS connections). fw-prompt now displays icon of filtered application. DBus RequestPrompt() now "works" asynchronously. TLSGuard fixed under certain conditions but still very buggy. Fixed some fw-prompt crash conditions with treeview mutex locking. Fixed SOCKS connection panic condition linked to closed channel. Cleanup of unused data structures/values.
7 years ago
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
err := call.Store(&dres)
if err != nil {
log.Warningf("Error sending dbus async RequestPrompt message: %v", err)
policy.removePending(pc)
pc.drop()
return
}
Added new RemovePrompt DBus call to complement RequestPrompt (GUID-based prompt removal). The addition of a rule matching multiple pending connections in fw-prompt now removes all of them. fw-prompter now increments ref# column for identical prompt requests. Fixed/cleaned up/updated TLSGuard code. Added TLSGuard toggle option to fw-prompt GUI (default for SOCKS connections). fw-prompt now displays icon of filtered application. DBus RequestPrompt() now "works" asynchronously. TLSGuard fixed under certain conditions but still very buggy. Fixed some fw-prompt crash conditions with treeview mutex locking. Fixed SOCKS connection panic condition linked to closed channel. Cleanup of unused data structures/values.
7 years ago
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
if !dres {
fmt.Println("Unexpected: fw-prompt async RequestPrompt message returned:", dres)
}
Added new RemovePrompt DBus call to complement RequestPrompt (GUID-based prompt removal). The addition of a rule matching multiple pending connections in fw-prompt now removes all of them. fw-prompter now increments ref# column for identical prompt requests. Fixed/cleaned up/updated TLSGuard code. Added TLSGuard toggle option to fw-prompt GUI (default for SOCKS connections). fw-prompt now displays icon of filtered application. DBus RequestPrompt() now "works" asynchronously. TLSGuard fixed under certain conditions but still very buggy. Fixed some fw-prompt crash conditions with treeview mutex locking. Fixed SOCKS connection panic condition linked to closed channel. Cleanup of unused data structures/values.
7 years ago
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
return
Added new RemovePrompt DBus call to complement RequestPrompt (GUID-based prompt removal). The addition of a rule matching multiple pending connections in fw-prompt now removes all of them. fw-prompter now increments ref# column for identical prompt requests. Fixed/cleaned up/updated TLSGuard code. Added TLSGuard toggle option to fw-prompt GUI (default for SOCKS connections). fw-prompt now displays icon of filtered application. DBus RequestPrompt() now "works" asynchronously. TLSGuard fixed under certain conditions but still very buggy. Fixed some fw-prompt crash conditions with treeview mutex locking. Fixed SOCKS connection panic condition linked to closed channel. Cleanup of unused data structures/values.
7 years ago
Re-sync to master.
7 years ago
// the prompt sends:
// ALLOW|dest or DENY|dest
//
// rule string needs to be:
// VERB|dst|class|uid:gid|sandbox|[src]
Fix rule parsing, still working on this
7 years ago
Re-sync to master.
7 years ago
// sometimes there's a src
// this needs to be re-visited
Fix rule parsing, still working on this
7 years ago
Support for TLSGuard in prompter
7 years ago
toks := strings.Split(rule, "|")
//verb := toks[0]
//target := toks[1]
sandbox := ""
if len(toks) > 2 {
sandbox = toks[2]
}
Fix rule parsing, still working on this
7 years ago
Re-sync to master.
7 years ago
tempRule := fmt.Sprintf("%s|%s", toks[0], toks[1])
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
tempRule += "||-1:-1|" + sandbox + "|"
Re-sync to master.
7 years ago
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
if pc.src() != nil && !pc.src().IsLoopback() && sandbox != "" {
Garbage dump commit of current progress.
8 years ago
Fix rule parsing, still working on this
7 years ago
//if !strings.HasSuffix(rule, "SYSTEM") && !strings.HasSuffix(rule, "||") {
Re-sync to master.
7 years ago
//rule += "||"
Fix rule parsing, still working on this
7 years ago
//}
//ule += "|||" + pc.src().String()
Re-sync to master.
7 years ago
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
// tempRule += "||-1:-1|" + sandbox + "|" + pc.src().String()
tempRule += pc.src().String()
Fix rule parsing, still working on this
7 years ago
} else {
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
// tempRule += "||-1:-1|" + sandbox + "|"
Fix rule parsing, still working on this
7 years ago
}
Support for TLSGuard in prompter
7 years ago
r, err := policy.parseRule(tempRule, false)
Initial commit
9 years ago
if err != nil {
Update to new logging library API, Warning() -> Warningf() etc...
9 years ago
log.Warningf("Error parsing rule string returned from dbus RequestPrompt: %v", err)
Refactor to support more than one type of 'connection' Created and interface pendingConnection which represents either a pending packet or socks connection.
9 years ago
policy.removePending(pc)
pc.drop()
Initial commit
9 years ago
return
}
Refactor...
8 years ago
fscope := FilterScope(scope)
if fscope == APPLY_SESSION {
ADDED: System rules ADDED: Persistant configs ADDED: Prompt configurations (default action, advanced options, auto expand) FIXED: Default focus on prompt FIXED: Bug in display of *:<port> rule FIXED: Updated ui to gnome >= 3.20
8 years ago
r.mode = RULE_MODE_SESSION
Added per-process (ephemeral) rule support. (proc coroner now has support for multiple callbacks)
8 years ago
} else if fscope == APPLY_PROCESS {
r.mode = RULE_MODE_PROCESS
r.pid = pc.procInfo().Pid
pcoroner.MonitorProcess(r.pid)
Initial commit
9 years ago
}
Refactor...
8 years ago
if !policy.processNewRule(r, fscope) {
Initial commit
9 years ago
p.lock.Lock()
defer p.lock.Unlock()
Refactor to support more than one type of 'connection' Created and interface pendingConnection which represents either a pending packet or socks connection.
9 years ago
p.removePolicy(pc.policy())
Initial commit
9 years ago
}
Refactor...
8 years ago
if fscope == APPLY_FOREVER {
Fix bugs related to parsing rules file and saving rules file
7 years ago
r.mode = RULE_MODE_PERMANENT
Refactor to support more than one type of 'connection' Created and interface pendingConnection which represents either a pending packet or socks connection.
9 years ago
policy.fw.saveRules()
Initial commit
9 years ago
}
Merged with latest commits to master.
7 years ago
//log.Warningf("Prompt returning rule: %v", tempRule)
Added requisite Dbus code so that fw-settings automatically refreshes its rulelist on fw-daemon update. (there is an intermittent bug in here somewhere... seems to be a GTK-related fatal race condition)
8 years ago
dbusp.alertRule("sgfw prompt added new rule")
Initial commit
9 years ago
}
Very noisy, experimental support for asynchronous multi-rule firewall prompting. Fixed prompted rule removal bug in fw-prompt.
8 years ago
func (p *prompter) nextConnection() (pendingConnection, bool) {
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
pind := 0
if len(p.policyQueue) == 0 {
return nil, true
}
fmt.Println("policy queue len = ", len(p.policyQueue))
for pind < len(p.policyQueue) {
AddRuleAsync DBus calls now include reference guid for proper application of "once" rules. Deletes of fw-prompt entries at root of tree now fold up the first child entry into the deleted parent entry. Fixed fw-prompt bug resulting in return of improper scope. Application name is no longer editable in fw-prompt. Icon mapping properly supported for symlinked application paths. Removed spurious warnings for valid fw-prompt removal requests. Awful hacked up fix to make icons for non-existent applications properly blank and remove GTK warnings. Removed old/deprecated Oz firewall rules routines.
7 years ago
fmt.Printf("policy loop %d of %d\n", pind, len(p.policyQueue))
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
//fmt.Printf("XXX: pind = %v of %v\n", pind, len(p.policyQueue))
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
policy := p.policyQueue[pind]
Very noisy, experimental support for asynchronous multi-rule firewall prompting. Fixed prompted rule removal bug in fw-prompt.
8 years ago
pc, qempty := policy.nextPending()
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
Very noisy, experimental support for asynchronous multi-rule firewall prompting. Fixed prompted rule removal bug in fw-prompt.
8 years ago
if pc == nil && qempty {
Initial commit
9 years ago
p.removePolicy(policy)
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
continue
Initial commit
9 years ago
} else {
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
pind++
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
AddRuleAsync DBus calls now include reference guid for proper application of "once" rules. Deletes of fw-prompt entries at root of tree now fold up the first child entry into the deleted parent entry. Fixed fw-prompt bug resulting in return of improper scope. Application name is no longer editable in fw-prompt. Icon mapping properly supported for symlinked application paths. Removed spurious warnings for valid fw-prompt removal requests. Awful hacked up fix to make icons for non-existent applications properly blank and remove GTK warnings. Removed old/deprecated Oz firewall rules routines.
7 years ago
pendingOnce := make([]PendingRule, 0)
pendingOther := make([]PendingRule, 0)
for _, r := range policy.rulesPending {
if r.scope == int(APPLY_ONCE) {
pendingOnce = append(pendingOnce, r)
} else {
pendingOther = append(pendingOther, r)
}
}
fmt.Printf("# pending once = %d, other = %d, pc = %p / policy = %p\n", len(pendingOnce), len(pendingOther), pc, policy)
policy.rulesPending = pendingOther
// One time filters are all applied right here, at once.
for _, pr := range pendingOnce {
toks := strings.Split(pr.rule, "|")
sandbox := ""
if len(toks) > 2 {
sandbox = toks[2]
}
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
AddRuleAsync DBus calls now include reference guid for proper application of "once" rules. Deletes of fw-prompt entries at root of tree now fold up the first child entry into the deleted parent entry. Fixed fw-prompt bug resulting in return of improper scope. Application name is no longer editable in fw-prompt. Icon mapping properly supported for symlinked application paths. Removed spurious warnings for valid fw-prompt removal requests. Awful hacked up fix to make icons for non-existent applications properly blank and remove GTK warnings. Removed old/deprecated Oz firewall rules routines.
7 years ago
tempRule := fmt.Sprintf("%s|%s", toks[0], toks[1])
tempRule += "||-1:-1|" + sandbox + "|"
r, err := policy.parseRule(tempRule, false)
if err != nil {
log.Warningf("Error parsing rule string returned from dbus RequestPrompt: %v", err)
continue
}
r.mode = RuleMode(pr.scope)
fmt.Println("+++++++ processing one time rule: ", pr.rule)
policy.processNewRuleOnce(r, pr.guid)
}
// if pc == nil && !qempty {
if len(policy.rulesPending) > 0 {
fmt.Println("non/once policy rules pending = ", len(policy.rulesPending))
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
prule := policy.rulesPending[0]
policy.rulesPending = append(policy.rulesPending[:0], policy.rulesPending[1:]...)
toks := strings.Split(prule.rule, "|")
sandbox := ""
if len(toks) > 2 {
sandbox = toks[2]
}
tempRule := fmt.Sprintf("%s|%s", toks[0], toks[1])
tempRule += "||-1:-1|" + sandbox + "|"
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
/*if pc.src() != nil && !pc.src().IsLoopback() && sandbox != "" {
tempRule += "||-1:-1|" + sandbox + "|" + pc.src().String()
} else {
tempRule += "||-1:-1|" + sandbox + "|"
}*/
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
r, err := policy.parseRule(tempRule, false)
if err != nil {
log.Warningf("Error parsing rule string returned from dbus RequestPrompt: %v", err)
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
continue
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
// policy.removePending(pc)
// pc.drop()
// return
} else {
fscope := FilterScope(prule.scope)
if fscope == APPLY_SESSION {
r.mode = RULE_MODE_SESSION
} else if fscope == APPLY_PROCESS {
r.mode = RULE_MODE_PROCESS
Various code cleanups (still buggy/WIP). Fixed lock/race condition in fw-prompt; consolidated redundant rule action code. Started fuller TLS implementation in TLSGuard; probably broke a lot of stuff in the process. Removal/reorganization of old/stale/unused code.
7 years ago
/*r.pid = pc.procInfo().Pid
pcoroner.MonitorProcess(r.pid)*/
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
}
if !policy.processNewRule(r, fscope) {
// p.lock.Lock()
// defer p.lock.Unlock()
// p.removePolicy(pc.policy())
}
if fscope == APPLY_FOREVER {
r.mode = RULE_MODE_PERMANENT
policy.fw.saveRules()
}
Merged with latest commits to master.
7 years ago
//log.Warningf("Prompt returning rule: %v", tempRule)
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
dbusp.alertRule("sgfw prompt added new rule")
}
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
}
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
if pc == nil && !qempty {
// log.Errorf("FIX ME: I NEED TO SLEEP ON A WAKEABLE CONDITION PROPERLY!!")
time.Sleep(time.Millisecond * 300)
continue
}
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
if pc != nil && pc.getPrompting() {
fmt.Println("SKIPPING PROMPTED")
continue
Squashed (some) noisy debug output.
8 years ago
}
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
Very noisy, experimental support for asynchronous multi-rule firewall prompting. Fixed prompted rule removal bug in fw-prompt.
8 years ago
return pc, qempty
Initial commit
9 years ago
}
}
*WORK IN PROGRESS*: New file descriptor monitor thread removes prompt requests if associated socket closes/dies before user reacts. fw-prompt request entries are now properly tethered to their default rule scope included by SGFW. pendingConnection now operates on prompter instead of raw DBus object. Fixed prompter bug in cycling through pending connections. Fixed inadequacies in SGFW rules parsing/error handling. go fmt.
7 years ago
return nil, true
Initial commit
9 years ago
}
func (p *prompter) removePolicy(policy *Policy) {
Very noisy, experimental support for asynchronous multi-rule firewall prompting. Fixed prompted rule removal bug in fw-prompt.
8 years ago
var newQueue []*Policy = nil
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
// if DoMultiPrompt {
if len(p.policyQueue) == 0 {
log.Debugf("Skipping over zero length policy queue")
newQueue = make([]*Policy, 0, 0)
Very noisy, experimental support for asynchronous multi-rule firewall prompting. Fixed prompted rule removal bug in fw-prompt.
8 years ago
}
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
// }
Very noisy, experimental support for asynchronous multi-rule firewall prompting. Fixed prompted rule removal bug in fw-prompt.
8 years ago
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
// if !DoMultiPrompt || newQueue == nil {
if newQueue == nil {
Very noisy, experimental support for asynchronous multi-rule firewall prompting. Fixed prompted rule removal bug in fw-prompt.
8 years ago
newQueue = make([]*Policy, 0, len(p.policyQueue)-1)
}
Initial commit
9 years ago
for _, pol := range p.policyQueue {
if pol != policy {
newQueue = append(newQueue, pol)
}
}
p.policyQueue = newQueue
Re-sync to master.
7 years ago
delete(p.policyMap, policy.sandbox+"|"+policy.path)
Initial commit
9 years ago
}
var userMap = make(map[int]string)
Support for firewall rule matching by uid/gid and/or user/group name value. fw-daemon prompt GUI and fw-settings now include user/uid and group/gid info. sgfw prompt GUI now displays username instead of real name. Fixed bug in parsing IP addresses as CIDR values. sgfw_rules entries can now be commented out. Upgraded bundled go-procsnitch API.
8 years ago
var groupMap = make(map[int]string)
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
var userMapLock = &sync.Mutex{}
var groupMapLock = &sync.Mutex{}
Initial commit
9 years ago
func lookupUser(uid int) string {
Added extra display info for "Sandboxed application" in fw-prompt gnome shell GUI. fw-prompt GUI gracefully displays unknown PIDs and UIDs. Fixed stupid syntax error bug in oz-init PID management code.
8 years ago
if uid == -1 {
return "[unknown]"
}
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
userMapLock.Lock()
defer userMapLock.Unlock()
Initial commit
9 years ago
u, err := user.LookupId(strconv.Itoa(uid))
if err != nil {
return fmt.Sprintf("%d", uid)
}
Support for firewall rule matching by uid/gid and/or user/group name value. fw-daemon prompt GUI and fw-settings now include user/uid and group/gid info. sgfw prompt GUI now displays username instead of real name. Fixed bug in parsing IP addresses as CIDR values. sgfw_rules entries can now be commented out. Upgraded bundled go-procsnitch API.
8 years ago
return u.Username
}
func lookupGroup(gid int) string {
if gid == -1 {
return "[unknown]"
}
*Very experimental*/under-dev release of new fully asynchronous multi-prompter. New Dbus method "RequestPromptAsync" to handle "return-less" prompter invocations in fw-prompt. Proper GUI locking in fw-prompt eliminates old race/crash conditions. New DBus method "GetPendingRequests" in SGFW allows prompter to retrieve pending connections. Policies now maintain rulesPending list of unapplied asynchronously submitted FW rules from the prompter. Fixed reentrance/crash bug in UID and GID to name lookups.
7 years ago
groupMapLock.Lock()
defer groupMapLock.Unlock()
Support for firewall rule matching by uid/gid and/or user/group name value. fw-daemon prompt GUI and fw-settings now include user/uid and group/gid info. sgfw prompt GUI now displays username instead of real name. Fixed bug in parsing IP addresses as CIDR values. sgfw_rules entries can now be commented out. Upgraded bundled go-procsnitch API.
8 years ago
g, err := user.LookupGroupId(strconv.Itoa(gid))
if err != nil {
return fmt.Sprintf("%d", gid)
}
return g.Name
Initial commit
9 years ago
}
func uidToUser(uid int) string {
uname, ok := userMap[uid]
if ok {
return uname
}
uname = lookupUser(uid)
userMap[uid] = uname
return uname
}
Support for firewall rule matching by uid/gid and/or user/group name value. fw-daemon prompt GUI and fw-settings now include user/uid and group/gid info. sgfw prompt GUI now displays username instead of real name. Fixed bug in parsing IP addresses as CIDR values. sgfw_rules entries can now be commented out. Upgraded bundled go-procsnitch API.
8 years ago
func gidToGroup(gid int) string {
gname, ok := groupMap[gid]
if ok {
return gname
}
gname = lookupGroup(gid)
groupMap[gid] = gname
return gname
}