dma 7 years ago
parent 71c17675f5
commit 139c4a08b8

@ -5,6 +5,7 @@ import (
"errors"
"fmt"
"net"
"sync"
"os"
"strconv"
"strings"
@ -21,9 +22,13 @@ type OzInitProc struct {
}
var OzInitPids []OzInitProc = []OzInitProc{}
var OzInitPidsLock = sync.Mutex{}
func addInitPid(pid int, name string, sboxid int) {
fmt.Println("::::::::::: init pid added: ", pid, " -> ", name)
OzInitPidsLock.Lock()
defer OzInitPidsLock.Unlock()
for i := 0; i < len(OzInitPids); i++ {
if OzInitPids[i].Pid == pid {
return
@ -36,6 +41,9 @@ func addInitPid(pid int, name string, sboxid int) {
func removeInitPid(pid int) {
fmt.Println("::::::::::: removing PID: ", pid)
OzInitPidsLock.Lock()
defer OzInitPidsLock.Unlock()
for i := 0; i < len(OzInitPids); i++ {
if OzInitPids[i].Pid == pid {
OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:]...)
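Review bot: The new `OzInitPidsLock` is declared with no comment saying what it guards, and because both it and `OzInitPids` are exported, any code in the package (or an importer) can touch the slice without taking it; state the invariant on the declaration, e.g. `// OzInitPidsLock guards OzInitPids; hold it around every read or write of the slice. It is a plain sync.Mutex, so never call addInitPid/removeInitPid (which take it) while holding it.` The `fmt.Println("::::::::::: ...")` lines in addInitPid and removeInitPid, if they are part of this change, write the pid and process name straight to stdout, bypassing both the `log.Infof`/`log.Warningf` logger used in the other file of this commit and the `FirewallConfig.LogRedact` switch the commit applies to those lines; emitting them through the logger under the same check would keep the redaction consistent. A minor style point: `var OzInitPidsLock sync.Mutex` is the idiomatic zero-value declaration rather than `= sync.Mutex{}`. The struct fields at the top of the second hunk and the tails of both functions lie outside the shown lines.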

@ -252,7 +252,6 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, o
dstip := net.IP(dstb)
srcip := net.IP(pkt.Packet.NetworkLayer().NetworkFlow().Src().Raw())
name := p.fw.dns.Lookup(dstip, pinfo.Pid)
log.Infof("Lookup(%s): %s", dstip.String(), name)
if !FirewallConfig.LogRedact {
log.Infof("Lookup(%s): %s", dstip.String(), name)
@ -380,8 +379,12 @@ func (p *Policy) filterPending(rule *Rule) {
pc.acceptTLSOnly()
} else {
srcs := pc.src().String() + ":" + strconv.Itoa(int(pc.srcPort()))
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d (user prompt) %v",
pc.procInfo().ExePath, pc.proto(), srcs, pc.dst(), pc.dstPort, rule.rtype)
dests := STR_REDACTED
if !FirewallConfig.LogRedact {
dests = fmt.Sprintf("%s%d",pc.dst(), pc.dstPort)
}
log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s (user prompt) %v",
pc.procInfo().ExePath, pc.proto(), srcs, dests, rule.rtype)
pc.drop()
}
} else {
@ -573,6 +576,8 @@ func readFileDirect(filename string) ([]byte, error) {
func getAllProcNetDataLocal() ([]string, error) {
data := ""
OzInitPidsLock.Lock()
for i := 0; i < len(OzInitPids); i++ {
fname := fmt.Sprintf("/proc/%d/net/tcp", OzInitPids[i])
//fmt.Println("XXX: opening: ", fname)
@ -584,6 +589,8 @@ func getAllProcNetDataLocal() ([]string, error) {
data += string(bdata)
}
OzInitPidsLock.Unlock()
}
lines := strings.Split(data, "\n")
@ -631,6 +638,7 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro
var res *procsnitch.Info = nil
var optstr string
removePids := make([]int, 0)
OzInitPidsLock.Lock()
for i := 0; i < len(OzInitPids); i++ {
data := ""
@ -685,6 +693,8 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro
}
OzInitPidsLock.Unlock()
for _, p := range removePids {
removeInitPid(p)
}
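Review bot: The redacted replacement in filterPending, `dests = fmt.Sprintf("%s%d",pc.dst(), pc.dstPort)`, drops the `:` that the removed format string had between host and port, so the unredacted log line now reads like `10.0.0.1443` instead of `10.0.0.1:443` (constructed example); it should be `dests = fmt.Sprintf("%s:%d", pc.dst(), pc.dstPort)`, which also fixes the gofmt spacing after the comma. In getAllProcNetDataLocal the mutex is taken before the loop and released only by the explicit `OzInitPidsLock.Unlock()` after it; if any of the elided lines between the two hunks return on a read error, the lock is never released and every later caller blocks, so a `defer OzInitPidsLock.Unlock()` directly after the `Lock()` is safer, provided nothing inside the loop calls removeInitPid (which takes the same non-reentrant mutex). LookupSandboxProc avoids that trap by collecting `removePids` and calling removeInitPid only after the unlock, but the same early-return caveat applies to its loop body, which is not shown. Note also that the lock is now held across the `/proc/%d/net/tcp` reads, so all lookups are serialised behind file I/O; that is probably acceptable here but deserves a comment at the `Lock()`. Both functions start before and end after the shown hunk lines.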
