From 04bd4ec052a336dc31319789a51774d11675ca6f Mon Sep 17 00:00:00 2001 From: dma Date: Fri, 9 Nov 2018 14:20:13 -0500 Subject: [PATCH] starting to add realmsd integration --- sgfw/ipc.go | 6 ++-- sgfw/policy.go | 16 +++++---- sgfw/prompt.go | 5 ++- sgfw/sgfw.go | 2 +- sgfw/snitch-ext.go | 34 +++++++++++++++++++ .../github.com/subgraph/go-procsnitch/proc.go | 10 ++++++ .../subgraph/go-procsnitch/proc_pid.go | 5 ++- .../subgraph/go-procsnitch/socket.go | 20 ++++++++--- 8 files changed, 80 insertions(+), 18 deletions(-) diff --git a/sgfw/ipc.go b/sgfw/ipc.go index 2034810..e20ddd5 100644 --- a/sgfw/ipc.go +++ b/sgfw/ipc.go @@ -283,14 +283,14 @@ func OzReceiver(fw *Firewall) { log.Warning("Adding existing Oz sandbox init pids...") for s := 0; s < len(sboxes); s++ { //profname := fmt.Sprintf("%s (%d)", sboxes[s].Profile, sboxes[s].Id) - addInitPid(sboxes[s].InitPid, sboxes[s].Profile, sboxes[s].Id) + addInitPid(sboxes[s].InitPid, sboxes[s].Name, sboxes[s].Id) } } else { log.Warning("It does not appear there were any Oz sandboxed processes already launched.") } } - +/* os.Remove(ReceiverSocketPath) lfd, err := net.Listen("unix", ReceiverSocketPath) if err != nil { @@ -305,7 +305,7 @@ func OzReceiver(fw *Firewall) { go ReceiverLoop(fw, fd) } - +*/ } type ListProxiesMsg struct { diff --git a/sgfw/policy.go b/sgfw/policy.go index ccd2ab7..979560d 100644 --- a/sgfw/policy.go +++ b/sgfw/policy.go @@ -680,7 +680,7 @@ func getAllProcNetDataLocal() ([]string, error) { OzInitPidsLock.Lock() for i := 0; i < len(OzInitPids); i++ { - fname := fmt.Sprintf("/proc/%d/net/tcp", OzInitPids[i]) + fname := fmt.Sprintf("/proc/%d/root/proc/1/net/tcp", OzInitPids[i]) //fmt.Println("XXX: opening: ", fname) bdata, err := readFileDirect(fname) 
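Review bot: The listener setup from `os.Remove(ReceiverSocketPath)` through `go ReceiverLoop(fw, fd)` is disabled by wrapping it in `/* … */` (closed by the `*/` in the next hunk), which leaves the whole block as dead code inside OzReceiver and, if this was the only use of `os` or `net` in ipc.go, an unused import the compiler rejects. Since sgfw.go re-enables `go OzReceiver(fw)` in this same commit, the goroutine now only seeds OzInitPids from getSandboxes and returns, which is not obvious from the function's name. Prefer deleting the block (git history keeps it) and stating the new role in a comment such as `// realmsd integration: the Oz IPC listener is no longer started here; realm leader pids are seeded from getSandboxes() instead.`. OzReceiver starts before this hunk.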
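Review bot: The realm procfs path `/proc/%d/root/proc/1/net/%s` is now built by hand in three places — here, in LookupSandboxProc (`@@ -743`) and in findProcessForPacket (`@@ -848`) — so any change to the layout must be made three times. Factor it into one helper, e.g. `func realmNetPath(pid int, proto string) string { return fmt.Sprintf("/proc/%d/root/proc/1/net/%s", pid, proto) }`, and call it from all three sites. Reading through the leader pid's root also presumes `/proc` is mounted inside the realm; if it is not, readFileDirect fails for every realm and attribution silently falls through, which is presumably handled on the lines after the hunk but deserves a comment at the path. getAllProcNetDataLocal starts before this hunk.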
@@ -743,7 +743,7 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro for i := 0; i < len(OzInitPids); i++ { data := "" - fname := fmt.Sprintf("/proc/%d/net/%s", OzInitPids[i].Pid, proto) + fname := fmt.Sprintf("/proc/%d/root/proc/1/net/%s", OzInitPids[i].Pid, proto) //fmt.Println("XXX: opening: ", fname) bdata, err := readFileDirect(fname) @@ -838,7 +838,8 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket, reverse bool, strictness int) // Try normal way first, before the more resource intensive/invasive way. if proto == "tcp" { - res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, nil) + //log.Warningf("%v %v %v %v %v",srcip, srcp, dstip, dstp, reverse) + res = procsnitch.LookupTCPSocketProcess(srcp, dstip, dstp) } else if proto == "udp" { res = procsnitch.LookupUDPSocketProcessAll(srcip, srcp, dstip, dstp, nil, strictness) } else if proto == "icmp" { @@ -848,10 +849,10 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket, reverse bool, strictness int) if res == nil { removePids := make([]int, 0) OzInitPidsLock.Lock() - + for i := 0; i < len(OzInitPids); i++ { data := "" - fname := fmt.Sprintf("/proc/%d/net/%s", OzInitPids[i].Pid, proto) + fname := fmt.Sprintf("/proc/%d/root/proc/1/net/%s", OzInitPids[i].Pid, proto) //fmt.Println("XXX: opening: ", fname) bdata, err := readFileDirect(fname) @@ -880,7 +881,8 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket, reverse bool, strictness int) } if proto == "tcp" { - res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, rlines) + //res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, rlines) + res = procsnitch.L2(srcp, dstip, dstp, rlines) } else if proto == "udp" { res = procsnitch.LookupUDPSocketProcessAll(srcip, srcp, dstip, dstp, rlines, strictness) } else if proto == "icmp" { 
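Review bot: Replacing `LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, nil)` with `LookupTCPSocketProcess(srcp, dstip, dstp)` drops the source address from the match, so a socket is now identified by local port and remote endpoint only; the `@@ -880` hunk does the same through `procsnitch.L2`, whose filter `f2` in the vendored socket.go compares `ss.local.port == srcPort` but no longer `ss.local.ip`. A packet leaving a realm could then match a host socket that happens to share the same source port and destination, since the realm's address no longer disambiguates it, and the policy of the wrong application would be applied; keep the `ss.local.ip.Equal(srcAddr)` term, or document why the source address is deliberately ignored for realm traffic. `L2` is also an exported name in a vendored package with no doc comment; give it a descriptive name and a `// … searches …` comment like its neighbours, and delete the commented-out `//log.Warningf(...)` and `//res = procsnitch.LookupTCPSocketProcessAll(...)` lines instead of keeping them as comments. findProcessForPacket starts before this hunk and continues after it.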
@@ -888,7 +890,7 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket, reverse bool, strictness int) } if res != nil { - optstr = "Sandbox: " + OzInitPids[i].Name + optstr = "Realm: " + OzInitPids[i].Name res.ExePath = GetRealRoot(res.ExePath, OzInitPids[i].Pid) break } diff --git a/sgfw/prompt.go b/sgfw/prompt.go index 3cde5c2..464cc01 100644 --- a/sgfw/prompt.go +++ b/sgfw/prompt.go @@ -157,8 +157,11 @@ func monitorPromptFDs(pc pendingConnection) { //fmt.Printf("ADD TO MONITOR: %v | %v / %v / %v\n", pc.policy().application, guid, pid, fd) if pid == -1 || fd == -1 || prompter == nil { - log.Warning("Unexpected error condition occurred while adding socket fd to monitor") + log.Warning("Unexpected error condition occurred while adding socket fd to monitor: %d %d %v",pid, fd, prompter) return + } else + { + log.Warning("No unexpected errors"); } PC2FDMapLock.Lock() diff --git a/sgfw/sgfw.go b/sgfw/sgfw.go index a8022aa..a29acd5 100644 --- a/sgfw/sgfw.go +++ b/sgfw/sgfw.go @@ -182,7 +182,7 @@ func Main() { fw.dbus.emitRefresh("init") - //go OzReceiver(fw) + go OzReceiver(fw) fw.runFilter() diff --git a/sgfw/snitch-ext.go b/sgfw/snitch-ext.go index 7080953..d64fcec 100644 --- a/sgfw/snitch-ext.go +++ b/sgfw/snitch-ext.go @@ -2,6 +2,12 @@ package sgfw import ( "github.com/subgraph/ozipc" + "strings" + "fmt" + "os" + "bufio" + "strconv" + "github.com/godbus/dbus" ) type ListSandboxesMsg struct { @@ -11,9 +17,11 @@ type ListSandboxesMsg struct { type SandboxInfo struct { Id int Address string + Name string Profile string Mounts []string InitPid int + Pid string } type ListSandboxesResp struct { 
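Review bot: `log.Warning("…monitor: %d %d %v", pid, fd, prompter)` passes format verbs to the non-formatting variant, so if `log` is the same go-logging style logger used in ipc.go the verbs are printed literally followed by the values; use `log.Warningf("Unexpected error condition occurred while adding socket fd to monitor: %d %d %v", pid, fd, prompter)`. The new `else` branch logs `"No unexpected errors"` on every successful call, which is noise on a path taken for each prompted connection, and its `} else` / `{` split plus the trailing `;` are not gofmt-clean; drop the branch and let the early return stand. monitorPromptFDs starts before this hunk and continues after it.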
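Review bot: The added imports are not in goimports order: the standard library entries (`bufio`, `fmt`, `os`, `strconv`, `strings`) belong first, sorted, followed by a blank line and the `github.com/godbus/dbus` and `github.com/subgraph/ozipc` imports. Running goimports on the file before committing keeps this grouping automatically and avoids a formatting-only diff later.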
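Review bot: `Pid string` is added to SandboxInfo but nothing in this commit assigns or reads it, while the realm leader pid is already stored as `InitPid int` by getSandboxes; a second, string-typed pid field invites the two to diverge. Remove it, or if it is reserved for realmsd's string-form answer, say so: `Pid string // leader pid as returned by realmsd; InitPid holds the parsed value`. `Name` now plays for realms the role `Profile` played for Oz sandboxes, so a one-line comment on which field realm entries populate would help readers of OzReceiver, which now passes `sboxes[s].Name` to addInitPid.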
@@ -28,6 +36,30 @@ var ozCtrlFactory = ipc.NewMsgFactory( ) func getSandboxes() ([]SandboxInfo, error) { + + f, err := os.Open("/run/realms/network-clear") + if err != nil { + fmt.Print("no realms network file") + } + defer f.Close() + scanner := bufio.NewScanner(f) + scanner.Split(bufio.ScanLines) + var sboxes []SandboxInfo + i := 0; + var db,_ = dbus.SystemBus() + obj := db.Object("com.subgraph.realms", "/") + for scanner.Scan() { + var leaderpid string + s := strings.Split(scanner.Text(), ":") + obj.Call("com.subgraph.realms.Manager.LeaderPidFromIP", 0, s[1]).Store(&leaderpid) + p, _ := strconv.Atoi(leaderpid) + sboxes = append(sboxes,SandboxInfo{Id: i, Name: s[0], Address: s[1], InitPid: p}) + fmt.Print(s[0], s[1], leaderpid) + i++; + } + + + /* c, err := ipc.Connect(socketPath, ozCtrlFactory, nil) if err != nil { return nil, err @@ -43,4 +75,6 @@ func getSandboxes() ([]SandboxInfo, error) { rr.Done() sboxes := resp.Body.(*ListSandboxesResp) return sboxes.Sandboxes, nil + */ + return sboxes, nil } diff --git a/vendor/github.com/subgraph/go-procsnitch/proc.go b/vendor/github.com/subgraph/go-procsnitch/proc.go index 0c7e73f..411c52a 100644 --- a/vendor/github.com/subgraph/go-procsnitch/proc.go +++ b/vendor/github.com/subgraph/go-procsnitch/proc.go @@ -85,6 +85,7 @@ func LookupICMPSocketProcessAll(srcAddr net.IP, dstAddr net.IP, code int, custda return pcache.lookup(ss.inode) } + // LookupUDPSocketProcessAll searches for a UDP socket a given source port, destination IP, and destination port - AND source destination func LookupUDPSocketProcessAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort uint16, custdata []string, strictness int) *Info { ss := findUDPSocketAll(srcAddr, srcPort, dstAddr, dstPort, custdata, strictness) 
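Review bot: getSandboxes swallows every failure on its new realmsd path: an `os.Open` error is printed with `fmt.Print` and execution continues on a nil `*os.File`, the `dbus.SystemBus()` error is discarded with `var db,_`, the `Call(...).Store` and `strconv.Atoi` errors are ignored, `s[1]` panics on a line without `:`, and `scanner.Err()` is never checked. The practical effect is that a malformed line, an unreachable realmsd or an unparsable pid still produces an entry with `InitPid: 0` (or an empty list with a nil error), and that entry is then used by the policy code to read `/proc/0/root/proc/1/net/...` during process attribution. Because this table decides which realm a connection is attributed to, entries that cannot be validated should be rejected: check the field count and parse the address with `net.ParseIP` before handing it to D-Bus (this needs `net` added to the import block), skip entries whose leader pid is not a positive integer, and return errors to the caller rather than printing them. The `fmt.Print` debug output and trailing semicolons should go, and the old ozipc path left under `/* … */` (closed in the next hunk) is better deleted than kept as a comment. The rewrite below reports skipped entries through the package's `log` and treats a missing file as "no realms", which preserves the current outcome of continuing with an empty list.
```go
func getSandboxes() ([]SandboxInfo, error) {
	f, err := os.Open("/run/realms/network-clear")
	if err != nil {
		if os.IsNotExist(err) {
			return nil, nil // realmsd not running: no realms to seed
		}
		return nil, fmt.Errorf("opening realms network file: %v", err)
	}
	defer f.Close()

	db, err := dbus.SystemBus()
	if err != nil {
		return nil, fmt.Errorf("connecting to system bus: %v", err)
	}
	obj := db.Object("com.subgraph.realms", "/")

	var sboxes []SandboxInfo
	scanner := bufio.NewScanner(f)
	for scanner.Scan() {
		line := scanner.Text()
		// One "<realm name>:<realm address>" entry per line; SplitN rather than
		// Split so an address that itself contains ':' stays in one field.
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 || net.ParseIP(parts[1]) == nil {
			log.Warningf("Skipping malformed realms network entry %q", line)
			continue
		}
		name, addr := parts[0], parts[1]

		var leaderpid string
		if err := obj.Call("com.subgraph.realms.Manager.LeaderPidFromIP", 0, addr).Store(&leaderpid); err != nil {
			log.Warningf("LeaderPidFromIP(%s) for realm %s failed: %v", addr, name, err)
			continue
		}
		pid, err := strconv.Atoi(leaderpid)
		if err != nil || pid <= 0 {
			// A zero or negative pid would later be used as /proc/<pid>/root/...; never record it.
			log.Warningf("Realm %s: invalid leader pid %q from realmsd", name, leaderpid)
			continue
		}
		sboxes = append(sboxes, SandboxInfo{Id: len(sboxes), Name: name, Address: addr, InitPid: pid})
	}
	if err := scanner.Err(); err != nil {
		return nil, fmt.Errorf("reading realms network file: %v", err)
	}
	// … unchanged: the commented-out ozipc lookup (ipc.Connect … resp.Body) — delete it …
	return sboxes, nil
}
```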
@@ -121,6 +122,15 @@ func LookupTCPSocketProcess(srcPort uint16, dstAddr net.IP, dstPort uint16) *Inf return pcache.lookup(ss.inode) } + +func L2(srcPort uint16, dstAddr net.IP, dstPort uint16, custdata []string) *Info { + ss := f2(srcPort, dstAddr, dstPort, custdata) + if ss == nil { + return nil + } + return pcache.lookup(ss.inode) +} + // LookupUNIXSocketProcess searches for a UNIX domain socket with a given filename func LookupUNIXSocketProcess(socketFile string) *Info { ss := findUNIXSocket(socketFile) diff --git a/vendor/github.com/subgraph/go-procsnitch/proc_pid.go b/vendor/github.com/subgraph/go-procsnitch/proc_pid.go index e0c4b03..b6d9dcd 100644 --- a/vendor/github.com/subgraph/go-procsnitch/proc_pid.go +++ b/vendor/github.com/subgraph/go-procsnitch/proc_pid.go @@ -186,7 +186,9 @@ func (pi *Info) loadProcessInfo() bool { conn, _ := dbus.SystemBus() obj := conn.Object("com.subgraph.realms", "/") - realm := "Realm: unknown" + realm := "unknown" + //leaderpid := "" + obj.Call("com.subgraph.realms.Manager.RealmFromContainerPid", 0, fmt.Sprintf("%d",pi.Pid)).Store(&realm) finfo, err := os.Stat(fmt.Sprintf("/proc/%d", pi.Pid)) @@ -203,6 +205,7 @@ func (pi *Info) loadProcessInfo() bool { pi.ExePath = exePath pi.Realm = realm pi.Sandbox = realm + //pi.Leaderpid = leaderpid pi.CmdLine = string(bcs) pi.loaded = true return true diff --git a/vendor/github.com/subgraph/go-procsnitch/socket.go b/vendor/github.com/subgraph/go-procsnitch/socket.go index 36055a3..7faa815 100644 --- a/vendor/github.com/subgraph/go-procsnitch/socket.go +++ b/vendor/github.com/subgraph/go-procsnitch/socket.go @@ -3,7 +3,7 @@ package procsnitch import ( "errors" "fmt" - "github.com/godbus/dbus" +// "github.com/godbus/dbus" "io/ioutil" "net" "strconv" 
@@ -221,12 +221,15 @@ func findTCPSocketAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort ui } // HACK // var sockets []*socketStatus - conn, _ := dbus.SystemBus() - var leaderpid string - obj := conn.Object("com.subgraph.realms", "/") + //conn2, _ := dbus.SystemBus() + leaderpid := "" + /*var db,_ = dbus.SystemBus() + obj := db.Object("com.subgraph.realms", "/") obj.Call("com.subgraph.realms.Manager.LeaderPidFromIP", 0, srcAddr.String()).Store(&leaderpid) +*/ if leaderpid != "" { if custdata == nil { + log.Warningf("%v",leaderpid) return findSocketPid(proto, leaderpid, func(ss socketStatus) bool { return ss.remote.port == dstPort && ss.remote.ip.Equal(dstAddr) && ss.local.port == srcPort && ss.local.ip.Equal(srcAddr) }) @@ -249,6 +252,13 @@ func findTCPSocketAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort ui return nil } +func f2(srcPort uint16, dstAddr net.IP, dstPort uint16, custdata[]string) *socketStatus { + proto := "tcp" + return findSocketCustom(proto, custdata, func(ss socketStatus) bool { + return ss.remote.port == dstPort && ss.remote.ip.Equal(dstAddr) && ss.local.port == srcPort + }) +} + func findUNIXSocket(socketFile string) *socketStatus { proto := "unix" @@ -395,7 +405,7 @@ func (ss *socketStatus) parseUnixProcLine(line string) error { } func getSocketLines(proto string) []string { - path := fmt.Sprintf("/proc/2047/root/proc/1/net/%s", proto) + path := fmt.Sprintf("/proc/net/%s", proto) data, err := ioutil.ReadFile(path) if err != nil { log.Warningf("Error reading %s: %v", path, err)