From 139c4a08b843799cb13d63d1f0c053ab5dd6c4ca Mon Sep 17 00:00:00 2001
From: dma
Date: Sun, 1 Oct 2017 17:56:01 +0000
Subject: [PATCH] Fixes https://github.com/subgraph/fw-daemon/issues/52 + redacts logs per config
---
sgfw/ipc.go | 8 ++++++++
sgfw/policy.go | 16 +++++++++++++---
2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/sgfw/ipc.go b/sgfw/ipc.go
index cabe8f8..67db1ea 100644
--- a/sgfw/ipc.go
+++ b/sgfw/ipc.go
@@ -5,6 +5,7 @@ import ( "errors" "fmt" "net"
+ "sync" "os" "strconv" "strings"
@@ -21,9 +22,13 @@ type OzInitProc struct { } var OzInitPids []OzInitProc = []OzInitProc{}
+var OzInitPidsLock = sync.Mutex{} func addInitPid(pid int, name string, sboxid int) { fmt.Println("::::::::::: init pid added: ", pid, " -> ", name)
+ OzInitPidsLock.Lock()
+ defer OzInitPidsLock.Unlock()
+ for i := 0; i < len(OzInitPids); i++ { if OzInitPids[i].Pid == pid { return
@@ -36,6 +41,9 @@ func addInitPid(pid int, name string, sboxid int) { func removeInitPid(pid int) { fmt.Println("::::::::::: removing PID: ", pid)
+ OzInitPidsLock.Lock()
+ defer OzInitPidsLock.Unlock()
+ for i := 0; i < len(OzInitPids); i++ { if OzInitPids[i].Pid == pid { OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:]...)
diff --git a/sgfw/policy.go b/sgfw/policy.go
index b1174fa..0d98385 100644
--- a/sgfw/policy.go
+++ b/sgfw/policy.go
@@ -252,7 +252,6 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, o dstip := net.IP(dstb) srcip := net.IP(pkt.Packet.NetworkLayer().NetworkFlow().Src().Raw()) name := p.fw.dns.Lookup(dstip, pinfo.Pid)
- log.Infof("Lookup(%s): %s", dstip.String(), name) if !FirewallConfig.LogRedact { log.Infof("Lookup(%s): %s", dstip.String(), name) 
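Review bot: `"sync"` is inserted between `"net"` and `"os"`, which breaks the sorted order gofmt/goimports maintain inside an import group, so the next formatter run will reshuffle this block. Move it to its sorted slot at the end of the stdlib group, after `"strings"`.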
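Review bot: The `fmt.Println("::::::::::: init pid added: ", pid, " -> ", name)` directly above the new `Lock()` writes the sandbox name and pid to stdout, bypassing both the logger and the `FirewallConfig.LogRedact` gate this commit introduces for the policy logs, so the redaction has a hole on the IPC path. If the line is meant to stay, route it through the package logger and gate it like the others, e.g. `if !FirewallConfig.LogRedact { log.Infof("init pid added: %d -> %s", pid, name) }` (assuming the `log` used in policy.go is package-level and in scope here). The locking itself is sound: Lock plus `defer Unlock` covers the dedup scan and whatever the body does after the hunk ends, unlike the two new critical sections in policy.go which release the mutex by hand. Minor style: `var OzInitPidsLock sync.Mutex` is the idiomatic zero-value declaration rather than `= sync.Mutex{}`.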
@@ -380,8 +379,12 @@ func (p *Policy) filterPending(rule *Rule) { pc.acceptTLSOnly() } else { srcs := pc.src().String() + ":" + strconv.Itoa(int(pc.srcPort()))
- log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d (user prompt) %v",
- pc.procInfo().ExePath, pc.proto(), srcs, pc.dst(), pc.dstPort, rule.rtype)
+ dests := STR_REDACTED
+ if !FirewallConfig.LogRedact {
+ dests = fmt.Sprintf("%s%d",pc.dst(), pc.dstPort)
+ }
+ log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s (user prompt) %v",
+ pc.procInfo().ExePath, pc.proto(), srcs, dests, rule.rtype) pc.drop() } } else {
@@ -573,6 +576,8 @@ func readFileDirect(filename string) ([]byte, error) { func getAllProcNetDataLocal() ([]string, error) { data := ""
+ OzInitPidsLock.Lock()
+ for i := 0; i < len(OzInitPids); i++ { fname := fmt.Sprintf("/proc/%d/net/tcp", OzInitPids[i]) //fmt.Println("XXX: opening: ", fname)
@@ -584,6 +589,8 @@ func getAllProcNetDataLocal() ([]string, error) { data += string(bdata) }
+ OzInitPidsLock.Unlock()
+ } lines := strings.Split(data, "\n")
@@ -631,6 +638,7 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro var res *procsnitch.Info = nil var optstr string removePids := make([]int, 0)
+ OzInitPidsLock.Lock() for i := 0; i < len(OzInitPids); i++ { data := ""
@@ -685,6 +693,8 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro }
+ OzInitPidsLock.Unlock()
+ for _, p := range removePids { removeInitPid(p) }
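Review bot: The unredacted branch drops the separator between host and port: `fmt.Sprintf("%s%d", pc.dst(), pc.dstPort)` prints 10.0.0.1 and 443 as `10.0.0.1443`, whereas the removed line used `%s:%d`; change it to `dests = fmt.Sprintf("%s:%d", pc.dst(), pc.dstPort)` (gofmt also wants the space after the comma). Only the destination is redacted here — `srcs` (source IP:port) and `pc.procInfo().ExePath` still go into the DENIED line regardless of `LogRedact` — which may be deliberate since the source is the local sandbox, but it should be a conscious decision given the commit's stated goal of redacting logs per config. `STR_REDACTED` is not defined in this diff and is assumed to exist elsewhere in the package. The enclosing filterPending body starts and ends outside this hunk.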
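Review bot: As rendered, the new `OzInitPidsLock.Unlock()` sits between the `}` that closes the inner if/else and the `}` that closes the `for` loop, i.e. inside the loop; if that reading is right (old lines 579–583 are not in the hunk), the mutex is released on the first iteration and the second iteration aborts with `sync: unlock of unlocked mutex`, and even if it is actually outside the loop there is no `defer`, so any early `return` in the hidden loop body leaves the lock held and deadlocks addInitPid/removeInitPid for good. The lock is also held across the /proc reads, which stalls the IPC handlers on file I/O. Both problems go away if the pid list is copied under the lock and the files are read from the copy, as below. Separately, `fmt.Sprintf("/proc/%d/net/tcp", OzInitPids[i])` applies `%d` to the whole `OzInitProc` struct — `OzInitPids` is declared `[]OzInitProc` in ipc.go and addInitPid compares `OzInitPids[i].Pid` — so the path cannot resolve to a real pid directory; that is pre-existing, but `.Pid` is surely what was meant. The function's body continues past the hunk (`lines := strings.Split(...)` onward).
```go
func getAllProcNetDataLocal() ([]string, error) {
	data := ""

	// Snapshot the pid list under the lock and release it before touching
	// /proc: file I/O then never blocks addInitPid/removeInitPid, and no
	// return path inside the loop can leave the mutex held.
	OzInitPidsLock.Lock()
	pids := make([]int, 0, len(OzInitPids))
	for i := 0; i < len(OzInitPids); i++ {
		pids = append(pids, OzInitPids[i].Pid)
	}
	OzInitPidsLock.Unlock()

	for _, pid := range pids {
		fname := fmt.Sprintf("/proc/%d/net/tcp", pid)
		// … unchanged: readFileDirect(fname) and accumulation into data …
	}

	lines := strings.Split(data, "\n")
```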
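Review bot: The `OzInitPidsLock.Unlock()` is a bare call after a roughly fifty-line loop whose body lies between the two LookupSandboxProc hunks and is not visible here; if any path in that body returns early (for instance once `res` is found), the mutex is never released and every later addInitPid/removeInitPid blocks forever. `defer` is not a fix in this function, because the `removePids` loop that follows calls removeInitPid, which takes the same non-reentrant mutex and would self-deadlock before the deferred Unlock ran — so the current ordering (Unlock first, then removeInitPid) is correct and deserves a comment such as `// must run unlocked: removeInitPid takes OzInitPidsLock`. The robust shape is to copy `OzInitPids` under the lock, release it, and iterate the copy, which also stops the per-pid /proc scans from serializing the IPC handlers. LookupSandboxProc starts and ends outside this hunk.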