starting to add realmsd integration

shw-merge
dma 6 years ago
parent 6a6f3b75e5
commit 04bd4ec052

@ -283,14 +283,14 @@ func OzReceiver(fw *Firewall) {
log.Warning("Adding existing Oz sandbox init pids...")
for s := 0; s < len(sboxes); s++ {
//profname := fmt.Sprintf("%s (%d)", sboxes[s].Profile, sboxes[s].Id)
addInitPid(sboxes[s].InitPid, sboxes[s].Profile, sboxes[s].Id)
addInitPid(sboxes[s].InitPid, sboxes[s].Name, sboxes[s].Id)
}
} else {
log.Warning("It does not appear there were any Oz sandboxed processes already launched.")
}
}
/*
os.Remove(ReceiverSocketPath)
lfd, err := net.Listen("unix", ReceiverSocketPath)
if err != nil {
@ -305,7 +305,7 @@ func OzReceiver(fw *Firewall) {
go ReceiverLoop(fw, fd)
}
*/
}
type ListProxiesMsg struct {

@ -680,7 +680,7 @@ func getAllProcNetDataLocal() ([]string, error) {
OzInitPidsLock.Lock()
for i := 0; i < len(OzInitPids); i++ {
fname := fmt.Sprintf("/proc/%d/net/tcp", OzInitPids[i])
fname := fmt.Sprintf("/proc/%d/root/proc/1/net/tcp", OzInitPids[i])
//fmt.Println("XXX: opening: ", fname)
bdata, err := readFileDirect(fname)
@ -743,7 +743,7 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro
for i := 0; i < len(OzInitPids); i++ {
data := ""
fname := fmt.Sprintf("/proc/%d/net/%s", OzInitPids[i].Pid, proto)
fname := fmt.Sprintf("/proc/%d/root/proc/1/net/%s", OzInitPids[i].Pid, proto)
//fmt.Println("XXX: opening: ", fname)
bdata, err := readFileDirect(fname)
@ -838,7 +838,8 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket, reverse bool, strictness int)
// Try normal way first, before the more resource intensive/invasive way.
if proto == "tcp" {
res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, nil)
//log.Warningf("%v %v %v %v %v",srcip, srcp, dstip, dstp, reverse)
res = procsnitch.LookupTCPSocketProcess(srcp, dstip, dstp)
} else if proto == "udp" {
res = procsnitch.LookupUDPSocketProcessAll(srcip, srcp, dstip, dstp, nil, strictness)
} else if proto == "icmp" {
@ -851,7 +852,7 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket, reverse bool, strictness int)
for i := 0; i < len(OzInitPids); i++ {
data := ""
fname := fmt.Sprintf("/proc/%d/net/%s", OzInitPids[i].Pid, proto)
fname := fmt.Sprintf("/proc/%d/root/proc/1/net/%s", OzInitPids[i].Pid, proto)
//fmt.Println("XXX: opening: ", fname)
bdata, err := readFileDirect(fname)
@ -880,7 +881,8 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket, reverse bool, strictness int)
}
if proto == "tcp" {
res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, rlines)
//res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, rlines)
res = procsnitch.L2(srcp, dstip, dstp, rlines)
} else if proto == "udp" {
res = procsnitch.LookupUDPSocketProcessAll(srcip, srcp, dstip, dstp, rlines, strictness)
} else if proto == "icmp" {
@ -888,7 +890,7 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket, reverse bool, strictness int)
}
if res != nil {
optstr = "Sandbox: " + OzInitPids[i].Name
optstr = "Realm: " + OzInitPids[i].Name
res.ExePath = GetRealRoot(res.ExePath, OzInitPids[i].Pid)
break
}
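Review bot: The per-realm socket tables are now read through `/proc/<pid>/root/proc/1/net/<proto>` (L34, L41, L57), which resolves inside the realm's own mount namespace, so the firewall attributes connections from whatever the realm has mounted at `/proc`; if a realm is able to remount or bind-mount over its `/proc` (e.g. CAP_SYS_ADMIN in a user namespace — confirm against the realm sandbox setup), it could present a forged table and have its traffic attributed to another process or to none. The host-side path `/proc/<pid>/net/<proto>` already reflects that pid's network namespace without trusting the realm's filesystem, so if the switch was required because the leader pid does not share a netns with the realm's init, that reason should be recorded, e.g. `// read the realm's net tables via its mount ns: the leader pid may not share the realm's netns — TODO confirm, and note this trusts the realm's /proc mount`. The same path is built three times in this file; a small helper such as `realmNetPath(pid, proto)` would keep the trust decision in one place. findProcessForPacket and LookupSandboxProc both start and end outside these hunks.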

@ -157,8 +157,11 @@ func monitorPromptFDs(pc pendingConnection) {
//fmt.Printf("ADD TO MONITOR: %v | %v / %v / %v\n", pc.policy().application, guid, pid, fd)
if pid == -1 || fd == -1 || prompter == nil {
log.Warning("Unexpected error condition occurred while adding socket fd to monitor")
log.Warning("Unexpected error condition occurred while adding socket fd to monitor: %d %d %v",pid, fd, prompter)
return
} else
{
log.Warning("No unexpected errors");
}
PC2FDMapLock.Lock()
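Review bot: The call at L82 hands printf verbs and three arguments to `log.Warning`, but the formatting variant used elsewhere in this codebase is `log.Warningf` (see the procsnitch hunks in this same commit), so if this is the same logger the message will go out with `%d %d %v` unexpanded and the values merely appended; change it to `log.Warningf("Unexpected error condition occurred while adding socket fd to monitor: %d %d %v", pid, fd, prompter)`. The added `else { log.Warning("No unexpected errors") }` fires at warning level on every successful call and follows a `return`, so it is both noisy and non-idiomatic; drop it or downgrade it to a debug message, and let gofmt fix the `} else\n{` layout. monitorPromptFDs continues outside the hunk.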

@ -182,7 +182,7 @@ func Main() {
fw.dbus.emitRefresh("init")
//go OzReceiver(fw)
go OzReceiver(fw)
fw.runFilter()
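Review bot: Re-enabling `go OzReceiver(fw)` here only seeds the realm list once at startup, because the receiver-socket listen loop inside OzReceiver is commented out in this same commit (L19–L26), so realms started after sgfw comes up will apparently not be tracked until the daemon restarts. A comment at the call site should say so, e.g. `// One-shot seeding of realm init pids; the receiver loop is disabled pending realmsd integration (TODO).`, so the call is not mistaken for live sandbox tracking.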

@ -2,6 +2,12 @@ package sgfw
import (
"github.com/subgraph/ozipc"
"strings"
"fmt"
"os"
"bufio"
"strconv"
"github.com/godbus/dbus"
)
type ListSandboxesMsg struct {
@ -11,9 +17,11 @@ type ListSandboxesMsg struct {
type SandboxInfo struct {
Id int
Address string
Name string
Profile string
Mounts []string
InitPid int
Pid string
}
type ListSandboxesResp struct {
@ -28,6 +36,30 @@ var ozCtrlFactory = ipc.NewMsgFactory(
)
func getSandboxes() ([]SandboxInfo, error) {
f, err := os.Open("/run/realms/network-clear")
if err != nil {
fmt.Print("no realms network file")
}
defer f.Close()
scanner := bufio.NewScanner(f)
scanner.Split(bufio.ScanLines)
var sboxes []SandboxInfo
i := 0;
var db,_ = dbus.SystemBus()
obj := db.Object("com.subgraph.realms", "/")
for scanner.Scan() {
var leaderpid string
s := strings.Split(scanner.Text(), ":")
obj.Call("com.subgraph.realms.Manager.LeaderPidFromIP", 0, s[1]).Store(&leaderpid)
p, _ := strconv.Atoi(leaderpid)
sboxes = append(sboxes,SandboxInfo{Id: i, Name: s[0], Address: s[1], InitPid: p})
fmt.Print(s[0], s[1], leaderpid)
i++;
}
/*
c, err := ipc.Connect(socketPath, ozCtrlFactory, nil)
if err != nil {
return nil, err
@ -43,4 +75,6 @@ func getSandboxes() ([]SandboxInfo, error) {
rr.Done()
sboxes := resp.Body.(*ListSandboxesResp)
return sboxes.Sandboxes, nil
*/
return sboxes, nil
}

@ -85,6 +85,7 @@ func LookupICMPSocketProcessAll(srcAddr net.IP, dstAddr net.IP, code int, custda
return pcache.lookup(ss.inode)
}
// LookupUDPSocketProcessAll searches for a UDP socket a given source port, destination IP, and destination port - AND source destination
func LookupUDPSocketProcessAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort uint16, custdata []string, strictness int) *Info {
ss := findUDPSocketAll(srcAddr, srcPort, dstAddr, dstPort, custdata, strictness)
@ -121,6 +122,15 @@ func LookupTCPSocketProcess(srcPort uint16, dstAddr net.IP, dstPort uint16) *Inf
return pcache.lookup(ss.inode)
}
func L2(srcPort uint16, dstAddr net.IP, dstPort uint16, custdata []string) *Info {
ss := f2(srcPort, dstAddr, dstPort, custdata)
if ss == nil {
return nil
}
return pcache.lookup(ss.inode)
}
// LookupUNIXSocketProcess searches for a UNIX domain socket with a given filename
func LookupUNIXSocketProcess(socketFile string) *Info {
ss := findUNIXSocket(socketFile)
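Review bot: `L2` at L162 is an exported function with no doc comment and a name that says nothing about what it does; it is also the only TCP lookup in this file that does not take the source address, so nothing at the call site (L65 in the firewall hunk above) signals that a local-port collision between two local addresses would be resolved arbitrarily. Rename it to something like `LookupTCPSocketProcessCustom` and state the contract, e.g. `// LookupTCPSocketProcessCustom searches the supplied /proc/net/tcp lines for a socket with the given local port and remote endpoint; the local address is deliberately not compared (presumably because realm traffic is NATed — confirm).` The rename touches the single caller in findProcessForPacket.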

@ -186,7 +186,9 @@ func (pi *Info) loadProcessInfo() bool {
conn, _ := dbus.SystemBus()
obj := conn.Object("com.subgraph.realms", "/")
realm := "Realm: unknown"
realm := "unknown"
//leaderpid := ""
obj.Call("com.subgraph.realms.Manager.RealmFromContainerPid", 0, fmt.Sprintf("%d",pi.Pid)).Store(&realm)
finfo, err := os.Stat(fmt.Sprintf("/proc/%d", pi.Pid))
@ -203,6 +205,7 @@ func (pi *Info) loadProcessInfo() bool {
pi.ExePath = exePath
pi.Realm = realm
pi.Sandbox = realm
//pi.Leaderpid = leaderpid
pi.CmdLine = string(bcs)
pi.loaded = true
return true
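Review bot: The value stored into `pi.Sandbox`/`pi.Realm` at L183–L184 comes from the D-Bus call at L179 whose error is discarded, so a realms daemon that is down, a denied call, and a pid outside any realm all collapse into the string `"unknown"`, which is indistinguishable from a realm actually named `unknown` and leaves nothing in the log; and `conn, _ := dbus.SystemBus()` at L174 (context here) will nil-panic at `conn.Object` when the bus is unavailable. At minimum capture the call error: `if err := obj.Call("com.subgraph.realms.Manager.RealmFromContainerPid", 0, fmt.Sprintf("%d", pi.Pid)).Store(&realm); err != nil { log.Warningf("RealmFromContainerPid(%d): %v", pi.Pid, err) }`, and check the `SystemBus()` error before dereferencing. loadProcessInfo begins and ends outside these hunks.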

@ -3,7 +3,7 @@ package procsnitch
import (
"errors"
"fmt"
"github.com/godbus/dbus"
// "github.com/godbus/dbus"
"io/ioutil"
"net"
"strconv"
@ -221,12 +221,15 @@ func findTCPSocketAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort ui
}
// HACK
// var sockets []*socketStatus
conn, _ := dbus.SystemBus()
var leaderpid string
obj := conn.Object("com.subgraph.realms", "/")
//conn2, _ := dbus.SystemBus()
leaderpid := ""
/*var db,_ = dbus.SystemBus()
obj := db.Object("com.subgraph.realms", "/")
obj.Call("com.subgraph.realms.Manager.LeaderPidFromIP", 0, srcAddr.String()).Store(&leaderpid)
*/
if leaderpid != "" {
if custdata == nil {
log.Warningf("%v",leaderpid)
return findSocketPid(proto, leaderpid, func(ss socketStatus) bool {
return ss.remote.port == dstPort && ss.remote.ip.Equal(dstAddr) && ss.local.port == srcPort && ss.local.ip.Equal(srcAddr)
})
@ -249,6 +252,13 @@ func findTCPSocketAll(srcAddr net.IP, srcPort uint16, dstAddr net.IP, dstPort ui
return nil
}
func f2(srcPort uint16, dstAddr net.IP, dstPort uint16, custdata[]string) *socketStatus {
proto := "tcp"
return findSocketCustom(proto, custdata, func(ss socketStatus) bool {
return ss.remote.port == dstPort && ss.remote.ip.Equal(dstAddr) && ss.local.port == srcPort
})
}
func findUNIXSocket(socketFile string) *socketStatus {
proto := "unix"
@ -395,7 +405,7 @@ func (ss *socketStatus) parseUnixProcLine(line string) error {
}
func getSocketLines(proto string) []string {
path := fmt.Sprintf("/proc/2047/root/proc/1/net/%s", proto)
path := fmt.Sprintf("/proc/net/%s", proto)
data, err := ioutil.ReadFile(path)
if err != nil {
log.Warningf("Error reading %s: %v", path, err)
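Review bot: `f2` at L221 matches a TCP socket on local port and remote endpoint only, dropping the `ss.local.ip.Equal(srcAddr)` test that `findTCPSocketAll` applies a few lines above; within one realm's table that is usually unique, but with more than one local address in the namespace it can select the wrong socket, and nothing says why the address was dropped (NAT on realm egress, presumably — confirm). Give it a descriptive name and a comment stating the contract, e.g. `// findTCPSocketCustom matches on local port and remote endpoint only; the local address is not compared because realm traffic is NATed — TODO confirm`. In the preceding hunk, `leaderpid := ""` at L207 with the lookup commented out makes the `if leaderpid != ""` branch at L212 dead, so the debug `log.Warningf("%v", leaderpid)` and the `findSocketPid` path there should either be removed or the lookup restored. findTCPSocketAll starts before the hunk.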
