From 139c4a08b843799cb13d63d1f0c053ab5dd6c4ca Mon Sep 17 00:00:00 2001
From: dma <dma@subgraph.com>
Date: Sun, 1 Oct 2017 17:56:01 +0000
Subject: [PATCH] Fixes https://github.com/subgraph/fw-daemon/issues/52 +
 redacts logs per config

---
 sgfw/ipc.go    |  8 ++++++++
 sgfw/policy.go | 16 +++++++++++++---
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/sgfw/ipc.go b/sgfw/ipc.go
index cabe8f8..67db1ea 100644
--- a/sgfw/ipc.go
+++ b/sgfw/ipc.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"sync"
 	"os"
 	"strconv"
 	"strings"
@@ -21,9 +22,13 @@ type OzInitProc struct {
 }
 
 var OzInitPids []OzInitProc = []OzInitProc{}
+var OzInitPidsLock = sync.Mutex{}
 
 func addInitPid(pid int, name string, sboxid int) {
 	fmt.Println("::::::::::: init pid added: ", pid, " -> ", name)
+	OzInitPidsLock.Lock()
+	defer OzInitPidsLock.Unlock()
+
 	for i := 0; i < len(OzInitPids); i++ {
 		if OzInitPids[i].Pid == pid {
 			return
@@ -36,6 +41,9 @@ func addInitPid(pid int, name string, sboxid int) {
 
 func removeInitPid(pid int) {
 	fmt.Println("::::::::::: removing PID: ", pid)
+	OzInitPidsLock.Lock()
+	defer OzInitPidsLock.Unlock()
+
 	for i := 0; i < len(OzInitPids); i++ {
 		if OzInitPids[i].Pid == pid {
 			OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:]...)
diff --git a/sgfw/policy.go b/sgfw/policy.go
index b1174fa..0d98385 100644
--- a/sgfw/policy.go
+++ b/sgfw/policy.go
@@ -252,7 +252,6 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, o
 	dstip := net.IP(dstb)
 	srcip := net.IP(pkt.Packet.NetworkLayer().NetworkFlow().Src().Raw())
 	name := p.fw.dns.Lookup(dstip, pinfo.Pid)
-	log.Infof("Lookup(%s): %s", dstip.String(), name)
 
 	if !FirewallConfig.LogRedact {
 		log.Infof("Lookup(%s): %s", dstip.String(), name)
@@ -380,8 +379,12 @@ func (p *Policy) filterPending(rule *Rule) {
 				pc.acceptTLSOnly()
 			} else {
 				srcs := pc.src().String() + ":" + strconv.Itoa(int(pc.srcPort()))
-				log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s:%d (user prompt) %v",
-					pc.procInfo().ExePath, pc.proto(), srcs, pc.dst(), pc.dstPort, rule.rtype)
+				dests := STR_REDACTED
+        			if !FirewallConfig.LogRedact {
+					dests = fmt.Sprintf("%s%d",pc.dst(), pc.dstPort)
+        			}
+				log.Warningf("DENIED outgoing connection attempt by %s from %s %s -> %s (user prompt) %v",
+					pc.procInfo().ExePath, pc.proto(), srcs, dests, rule.rtype)
 				pc.drop()
 			}
 		} else {
@@ -573,6 +576,8 @@ func readFileDirect(filename string) ([]byte, error) {
 func getAllProcNetDataLocal() ([]string, error) {
 	data := ""
 
+	OzInitPidsLock.Lock()
+
 	for i := 0; i < len(OzInitPids); i++ {
 		fname := fmt.Sprintf("/proc/%d/net/tcp", OzInitPids[i])
 		//fmt.Println("XXX: opening: ", fname)
@@ -584,6 +589,8 @@ func getAllProcNetDataLocal() ([]string, error) {
 			data += string(bdata)
 		}
 
+	OzInitPidsLock.Unlock()
+
 	}
 
 	lines := strings.Split(data, "\n")
@@ -631,6 +638,7 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro
 	var res *procsnitch.Info = nil
 	var optstr string
 	removePids := make([]int, 0)
+	OzInitPidsLock.Lock()
 
 	for i := 0; i < len(OzInitPids); i++ {
 		data := ""
@@ -685,6 +693,8 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro
 
 	}
 
+	OzInitPidsLock.Unlock()
+
 	for _, p := range removePids {
 		removeInitPid(p)
 	}