Merge newest branch changes with latest changes to master.

shw_dev
Stephen Watt 7 years ago
parent 2fc7525cc7
commit 2f5e10d53d

@ -1194,7 +1194,7 @@ func main() {
mainWin.Add(Notebook)
if userPrefs.Winheight > 0 && userPrefs.Winwidth > 0 {
// fmt.Printf("height was %d, width was %d\n", userPrefs.Winheight, userPrefs.Winwidth)
// fmt.Printf("height was %d, width was %d\n", userPrefs.Winheight, userPrefs.Winwidth)
mainWin.Resize(int(userPrefs.Winwidth), int(userPrefs.Winheight))
} else {
mainWin.SetDefaultSize(850, 450)

@ -29,14 +29,14 @@ const DetailSection = new Lang.Class({
this.ipAddr = this._addDetails("IP Address:");
this.path = this._addDetails("Path:");
this.pid = this._addDetails("Process ID:");
this.origin = this._addDetails("Origin:");
this.origin = this._addDetails("Origin:");
this.user = this._addDetails("User:");
this.group = this._addDetails("Group:");
this.sandboxed = sandboxed;
this.sandboxed = sandboxed;
if (sandboxed) {
this.sandbox = this._addDetails("Sandbox:");
}
if (sandboxed) {
this.sandbox = this._addDetails("Sandbox:");
}
this.optstring = this._addDetails("");
},
@ -52,37 +52,37 @@ const DetailSection = new Lang.Class({
this.ipAddr.text = ip;
this.path.text = path;
if (pid == -1) {
this.pid.text = '[unknown]';
} else {
this.pid.text = pid.toString();
}
this.origin.text = origin;
if (user != "") {
this.user.text = user;
if (uid != -1) {
this.user.text += " (" + uid.toString() + ")";
}
} else {
this.user.text = "uid:" + uid.toString();
}
if (group != "") {
this.group.text = group;
if (gid != -1) {
this.group.text += " (" + gid.toString() + ")";
}
} else {
this.group.text = "gid:" + gid.toString();
}
if (sandbox != "") {
this.sandbox.text = sandbox;
}
this.optstring.text = optstring
if (pid == -1) {
this.pid.text = '[unknown]';
} else {
this.pid.text = pid.toString();
}
this.origin.text = origin;
if (user != "") {
this.user.text = user;
if (uid != -1) {
this.user.text += " (" + uid.toString() + ")";
}
} else {
this.user.text = "uid:" + uid.toString();
}
if (group != "") {
this.group.text = group;
if (gid != -1) {
this.group.text += " (" + gid.toString() + ")";
}
} else {
this.group.text = "gid:" + gid.toString();
}
if (sandbox != "") {
this.sandbox.text = sandbox;
}
this.optstring.text = optstring
}
});
@ -141,23 +141,23 @@ const OptionList = new Lang.Class({
_init: function(pid_known, sandboxed) {
this.actor = new St.BoxLayout({vertical: true, style_class: 'fw-option-list'});
if (pid_known) {
this.buttonGroup = new ButtonGroup("Forever", "Session", "Once", "PID");
} else {
this.buttonGroup = new ButtonGroup("Forever", "Session", "Once");
}
if (pid_known) {
this.buttonGroup = new ButtonGroup("Forever", "Session", "Once", "PID");
} else {
this.buttonGroup = new ButtonGroup("Forever", "Session", "Once");
}
this.actor.add_child(this.buttonGroup.actor);
this.items = [];
this._selected;
this.tlsGuard = false;
if (sandboxed) {
this.tlsGuard = true;
}
if (sandboxed) {
this.tlsGuard = true;
}
},
setOptionText: function(idx, text) {
if(this.items.length <= idx) {
log("attempt to setOptionText with idx = "+ idx + " when this.items.length = "+ this.items.length)
//log("SGFW: attempt to setOptionText with idx = "+ idx + " when this.items.length = "+ this.items.length)
return;
}
this.items[idx].setText(text);
@ -165,12 +165,12 @@ const OptionList = new Lang.Class({
addTLSOption: function(tlsGuardEnabled) {
let tlsg = new OptionListItem("Drop connection if not TLS with valid certificate",0);
tlsg.setSelected(tlsGuardEnabled);
tlsg.connect('selected', Lang.bind(this, function() {
this._toggleTLSGuard(tlsg);
}));
let emptyRow = new OptionListItem("",0);
this.actor.add_child(emptyRow.actor);
tlsg.setSelected(tlsGuardEnabled);
tlsg.connect('selected', Lang.bind(this, function() {
this._toggleTLSGuard(tlsg);
}));
let emptyRow = new OptionListItem("",0);
this.actor.add_child(emptyRow.actor);
this.actor.add_child(tlsg.actor);
},
@ -182,7 +182,7 @@ const OptionList = new Lang.Class({
} else {
this.tlsGuard = true;
item.actor.add_style_pseudo_class('selected');
item.setSelected(true)
item.setSelected(true)
}
},
@ -232,7 +232,7 @@ const OptionList = new Lang.Class({
case 3:
return RuleScope.APPLY_PROCESS;
default:
log("unexpected scope value "+ this.buttonGroup._selected);
log("SGFW: unexpected scope value "+ this.buttonGroup._selected);
return RuleScope.APPLY_SESSION;
}
},
@ -248,7 +248,7 @@ const OptionList = new Lang.Class({
case RuleScope.APPLY_FOREVER:
return 0;
default:
log("unexpected scope value "+ scope);
log("SGFW: unexpected scope value "+ scope);
return 1;
}
}
@ -458,7 +458,8 @@ const PromptDialog = new Lang.Class({
Name: 'PromptDialog',
Extends: ModalDialog.ModalDialog,
_init: function(invocation, pid_known, sandboxed, tlsguard) {
_init: function(invocation, pid_known, sandboxed, tlsguard, cbClose) {
this.cbClose = cbClose;
this.parent({ styleClass: 'fw-prompt-dialog' });
this._invocation = invocation;
this.header = new PromptDialogHeader();
@ -479,12 +480,9 @@ const PromptDialog = new Lang.Class({
"Only PORT",
"Any Connection"]);
if (tlsguard) {
this.optionList.addTLSOption(true);
}
// let tlsGuard = new OptionListItem("Drop connection if not TLS with valid certificate.",0);
//box.add_child(optionList.actor);
if (tlsguard) {
this.optionList.addTLSOption(true);
}
this._initialKeyFocusDestroyId = 1;
this.setButtons([
@ -494,11 +492,17 @@ const PromptDialog = new Lang.Class({
},
onAllow: function() {
if (this.cbClose !== undefined && this.cbClose !== null) {
this.cbClose();
}
this.close();
this.sendReturnValue(true);
},
onDeny: function() {
if (this.cbClose !== undefined && this.cbClose !== null) {
this.cbClose();
}
this.close();
this.sendReturnValue(false);
},
@ -509,25 +513,25 @@ const PromptDialog = new Lang.Class({
}
let verb = "DENY";
if(allow) {
verb = "ALLOW";
if (this.optionList.tlsGuard) {
verb = "ALLOW_TLSONLY";
} else {
verb = "ALLOW";
}
verb = "ALLOW";
if (this.optionList.tlsGuard) {
verb = "ALLOW_TLSONLY";
} else {
verb = "ALLOW";
}
}
let rule = verb + "|" + this.ruleTarget() + "|" + this.ruleSandbox();
let scope = this.optionList.selectedScope();
this._invocation.return_value(GLib.Variant.new('(is)', [scope, rule]));
this._invocation = null;
},
ruleTarget: function() {
let base = "";
if(this._proto != "tcp") {
base = this._proto + ":";
}
let base = "";
if(this._proto != "tcp") {
base = this._proto + ":";
}
switch(this.optionList.selectedIdx()) {
case 0:
return base + this._address + ":" + this._port;
@ -541,7 +545,7 @@ const PromptDialog = new Lang.Class({
},
ruleSandbox: function() {
return this._sandbox;
return this._sandbox;
},
ruleTLSGuard: function() {
@ -551,29 +555,29 @@ const PromptDialog = new Lang.Class({
update: function(application, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action) {
this._address = address;
this._port = port;
this._proto = proto;
this._sandbox = sandbox;
this._tlsGuard = tlsguard;
this._proto = proto;
this._sandbox = sandbox;
this._tlsGuard = tlsguard;
let port_str = (proto+"").toUpperCase() + " Port "+ port;
if (proto == "icmp") {
port_str = (proto+"").toUpperCase() + " Code "+ port;
}
port_str = (proto+"").toUpperCase() + " Code "+ port;
}
if (sandbox != "") {
application = application + " (sandboxed)"
}
if (sandbox != "") {
application = application + " (sandboxed)"
}
this.header.setTitle(application);
if (proto == "tcp") {
this.header.setMessage("Wants to connect to "+ address + " on " + port_str);
} else if (proto == "udp") {
this.header.setMessage("Wants to send data to "+ address + " on " + port_str);
} else if (proto == "icmp") {
this.header.setMessage("Wants to send data to "+ address + " with " + port_str);
}
if (proto == "tcp") {
this.header.setMessage("Wants to connect to "+ address + " on " + port_str);
} else if (proto == "udp") {
this.header.setMessage("Wants to send data to "+ address + " on " + port_str);
} else if (proto == "icmp") {
this.header.setMessage("Wants to send data to "+ address + " with " + port_str);
}
if (expanded) {
this.details.isOpen = false;
@ -590,8 +594,8 @@ const PromptDialog = new Lang.Class({
} else {
this.optionList.setOptionText(0, "Only "+ address + " on "+ port_str);
}
if (expert) {
if (expert) {
if (proto == "icmp") {
this.optionList.setOptionText(1, "Only "+ address + " with any ICMP code");
} else if (proto == "udp") {
@ -608,7 +612,7 @@ const PromptDialog = new Lang.Class({
if (proto != "tcp") {
this.optionList.setOptionText(3, "Any " + proto.toUpperCase() + " data");
}
}
this.optionList.buttonGroup._setChecked(this.optionList.scopeToIdx(action))
this.info.setDetails(ip, path, pid, uid, gid, user, group, origin, proto, optstring, sandbox);
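Review bot: In `onAllow` and `onDeny` the new `cbClose` callback runs before `this.close()` and before `sendReturnValue`, so — given how the handler in extension.js uses it to pop the queue and open the next dialog — the following prompt is opened while this one is still up and before the daemon has received the verdict; running it last, `this.close(); this.sendReturnValue(true); if (this.cbClose) { this.cbClose(); }` (and the same with `false` in `onDeny`), keeps one prompt on screen at a time and preserves the reply ordering. The `!== undefined && !== null` pair can collapse to a plain truthiness test since `cbClose` is either a function or absent. Any way of dismissing the dialog other than these two buttons, if `ModalDialog` offers one, neither answers the invocation nor advances the queue, which would leave every later prompt stuck; worth a comment on `_init` stating that `cbClose` must fire exactly once per dialog on every exit path. `sendReturnValue` and `update` both begin or end outside the visible hunks.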

@ -4,7 +4,7 @@ const Gio = imports.gi.Gio;
const Extension = imports.misc.extensionUtils.getCurrentExtension();
const Dialog = Extension.imports.dialog;
const Menu = Extension.imports.menu;
const ConnectionMonitor = Extension.imports.cmonitor;
//const ConnectionMonitor = Extension.imports.cmonitor;
function init() {
@ -16,7 +16,7 @@ const FirewallSupport = new Lang.Class({
_init: function() {
this.menu = new Menu.FirewallMenu();
this.cmon = new ConnectionMonitor.ConnectionMonitor();
//this.cmon = new ConnectionMonitor.ConnectionMonitor();
this.handler = null;
},
@ -29,12 +29,12 @@ const FirewallSupport = new Lang.Class({
enable: function() {
this._destroyHandler();
this.handler = new FirewallPromptHandler();
this.cmon.install();
//this.cmon.install();
this.menu.install();
},
disable: function() {
this.menu.destroy();
this.cmon.remove();
//this.cmon.remove();
this._destroyHandler();
}
});
@ -57,8 +57,8 @@ const FirewallPromptInterface = '<node> \
<arg type="s" direction="in" name="user" /> \
<arg type="s" direction="in" name="group" /> \
<arg type="i" direction="in" name="pid" /> \
<arg type="s" direction="in" name="sandbox" /> \
<arg type="b" direction="in" name="tlsguard" /> \
<arg type="s" direction="in" name="sandbox" /> \
<arg type="b" direction="in" name="tlsguard" /> \
<arg type="s" direction="in" name="optstring" /> \
<arg type="b" direction="in" name="expanded" /> \
<arg type="b" direction="in" name="expert" /> \
@ -78,39 +78,48 @@ const FirewallPromptHandler = new Lang.Class({
this._dbusImpl = Gio.DBusExportedObject.wrapJSObject(FirewallPromptInterface, this);
this._dbusImpl.export(Gio.DBus.system, '/com/subgraph/FirewallPrompt');
Gio.bus_own_name_on_connection(Gio.DBus.system, 'com.subgraph.FirewallPrompt', Gio.BusNameOwnerFlags.REPLACE, null, null);
this._dialog = null;
this._dialogs = new Array();
},
destroy: function() {
this._closeDialog();
this._closeDialogs();
this._dbusImpl.unexport();
},
_closeDialog: function() {
if (this._dialog) {
this._dialog.close();
this._dialog = null;
_closeDialogs: function() {
if (this._dialogs.length > 0) {
dialog = this._dialogs.shift();
dialog.close();
}
},
RequestPromptAsync: function(params, invocation) {
let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, tlsguard, optstring, expanded, expert, action] = params;
// this._closeDialog();
this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard);
this._invocation = invocation;
this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action);
this._dialog.open();
let cbfn = function(self) {
return function() { return self.onCloseDialog(); }
}(this)
let l = this._dialogs.push(new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard, cbfn));
let dialog = this._dialogs[l-1]
dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action);
if (this._dialogs.length == 1) {
dialog.open();
}
},
onCloseDialog: function() {
this._dialogs.shift();
if (this._dialogs.length > 0) {
this._dialogs[0].open();
}
},
CloseAsync: function(params, invocation) {
this._closeDialog();
this._closeDialogs();
},
TestPrompt: function(params, invocation) {
this._closeDialog();
this._dialog = new Dialog.PromptDialog(nil);
this._dialog.update("Firefox", "firefox", "/usr/bin/firefox-esr", "242.12.111.18", "443", "linux", "2342", "TCP", true, true);
this._dialog.open();
this.RequestPromptAsync(["Firefox", "firefox", "/usr/bin/firefox-esr", "242.12.111.18", "443", "linux", "2342", "TCP", true, true], nil);
}
});
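Review bot: `_closeDialogs` assigns `dialog` without `let`, which in this non-strict GJS file creates an implicit global, and despite its name it closes only the head of the queue without opening the next one, so after a `CloseAsync` the remaining queued prompts and their unanswered D-Bus invocations stay stuck. Either drain everything, `while (this._dialogs.length > 0) { let dialog = this._dialogs.shift(); dialog.close(); }`, or close the head and then `if (this._dialogs.length > 0) this._dialogs[0].open();` as `onCloseDialog` does — which the daemon expects from `Close` is not visible here. In both cases the closed dialog's invocation is never replied to, since `ModalDialog.close()` does not go through `onDeny`, so the daemon's call presumably hangs until its timeout. Separately, `TestPrompt` passes `nil`, which is not a JavaScript identifier and throws a ReferenceError, and supplies ten positional values where `RequestPromptAsync` destructures nineteen, so it cannot work as written.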

@ -166,7 +166,7 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
entry, ok := dc.ipMap[pid][ip.String()]
if ok {
if now.Before(entry.exp) {
// log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
// log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
return entry.name
} else {
log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n",
@ -180,7 +180,7 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
if ok {
if now.Before(entry.exp) {
str = entry.name
// log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
// log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
} else {
log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n",
ip.String(), entry.name, entry.exp, entry.ttl)

@ -288,6 +288,8 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, o
dstip := net.IP(dstb)
srcip := net.IP(pkt.Packet.NetworkLayer().NetworkFlow().Src().Raw())
name := p.fw.dns.Lookup(dstip, pinfo.Pid)
log.Infof("Lookup(%s): %s", dstip.String(), name)
if !FirewallConfig.LogRedact {
log.Infof("Lookup(%s): %s", dstip.String(), name)
}
@ -406,7 +408,7 @@ func (p *Policy) removeRule(r *Rule) {
func (p *Policy) filterPending(rule *Rule) {
remaining := []pendingConnection{}
for _, pc := range p.pendingQueue {
if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID)) {
if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID), pc.procInfo().Sandbox) {
prompter := pc.getPrompter()
if prompter == nil {
@ -419,7 +421,7 @@ func (p *Policy) filterPending(rule *Rule) {
}
log.Infof("Adding rule for: %s", rule.getString(FirewallConfig.LogRedact))
// log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print())
// log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print())
if rule.rtype == RULE_ACTION_ALLOW {
pc.accept()
} else if rule.rtype == RULE_ACTION_ALLOW_TLSONLY {
@ -489,13 +491,22 @@ func printPacket(pkt *nfqueue.NFQPacket, hostname string, pinfo *procsnitch.Info
}
func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil
if basicAllowPacket(pkt) {
if isudp {
srcport, _ := getPacketUDPPorts(pkt)
if srcport == 53 {
fw.dns.processDNS(pkt)
}
}
pkt.Accept()
return
}
isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil
if isudp {
/* if isudp {
srcport, _ := getPacketUDPPorts(pkt)
if srcport == 53 {
@ -505,6 +516,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
}
}
*/
_, dstip := getPacketIPAddrs(pkt)
/* _, dstp := getPacketPorts(pkt)
fwo := eatchAgainstOzRules(srcip, dstip, dstp)
@ -697,7 +709,7 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro
rlines = append(rlines, strings.Join(ssplit, ":"))
}
// log.Warningf("Looking for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data)
// log.Warningf("Looking for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data)
if proto == "tcp" {
res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, rlines)
@ -834,6 +846,7 @@ func basicAllowPacket(pkt *nfqueue.NFQPacket) bool {
if pkt.Packet.Layer(layers.LayerTypeUDP) != nil {
_, dport := getPacketUDPPorts(pkt)
if dport == 53 {
// fw.dns.processDNS(pkt)
return true
}
}
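Review bot: In `filterPacket` the DNS-response bookkeeping now happens only inside the `basicAllowPacket` branch, while the old `if isudp { … processDNS … }` path is left behind commented out and `basicAllowPacket` gains a stray `// fw.dns.processDNS(pkt)`; dead code in the packet path should be deleted, because a later reader cannot tell whether replies that `basicAllowPacket` does not admit are intentionally kept out of the cache. Which replies reach `processDNS` now depends entirely on what `basicAllowPacket` accepts, and only its `dport == 53` case is visible, so the call site deserves a comment such as `// DNS replies (sport 53) admitted by basicAllowPacket feed the per-pid name cache used for hostname rules`. Since `Lookup` results drive the `r.hostname == hostname` matching in rules.go, any UDP packet with source port 53 that gets this far populates the cache; unless `processDNS` (not shown) matches replies against outstanding queries by transaction id and question, a spoofed reply can map an arbitrary IP onto an allowed hostname. `filterPacket` continues below the hunk.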

@ -71,7 +71,7 @@ func (p *prompter) prompt(policy *Policy) {
return
}
p.policyMap[policy.sandbox+"|"+policy.path] = policy
fmt.Println("Saving policy key:" + policy.sandbox + "|" + policy.path)
log.Debugf("Saving policy key:" + policy.sandbox + "|" + policy.path)
p.policyQueue = append(p.policyQueue, policy)
p.cond.Signal()
}
@ -79,11 +79,11 @@ func (p *prompter) prompt(policy *Policy) {
func (p *prompter) promptLoop() {
p.lock.Lock()
for {
// fmt.Println("XXX: promptLoop() outer")
// fmt.Println("XXX: promptLoop() outer")
for p.processNextPacket() {
// fmt.Println("XXX: promptLoop() inner")
// fmt.Println("XXX: promptLoop() inner")
}
// fmt.Println("promptLoop() wait")
// fmt.Println("promptLoop() wait")
p.cond.Wait()
}
}
@ -105,7 +105,7 @@ func (p *prompter) processNextPacket() bool {
empty := true
for {
pc, empty = p.nextConnection()
// fmt.Println("XXX: processNextPacket() loop; empty = ", empty, " / pc = ", pc)
// fmt.Println("XXX: processNextPacket() loop; empty = ", empty, " / pc = ", pc)
if pc == nil && empty {
return false
} else if pc == nil {
@ -116,7 +116,7 @@ func (p *prompter) processNextPacket() bool {
}
p.lock.Unlock()
defer p.lock.Lock()
// fmt.Println("XXX: Waiting for prompt lock go...")
// fmt.Println("XXX: Waiting for prompt lock go...")
for {
promptLock.Lock()
if outstandingPrompts >= MAX_PROMPTS {
@ -125,16 +125,16 @@ func (p *prompter) processNextPacket() bool {
}
if pc.getPrompting() {
fmt.Println("Skipping over already prompted connection")
log.Debugf("Skipping over already prompted connection")
promptLock.Unlock()
continue
}
break
}
// fmt.Println("XXX: Passed prompt lock!")
// fmt.Println("XXX: Passed prompt lock!")
outstandingPrompts++
// fmt.Println("XXX: Incremented outstanding to ", outstandingPrompts)
// fmt.Println("XXX: Incremented outstanding to ", outstandingPrompts)
promptLock.Unlock()
// if !pc.getPrompting() {
pc.setPrompting(true)
@ -146,7 +146,7 @@ func (p *prompter) processNextPacket() bool {
func processReturn(pc pendingConnection) {
promptLock.Lock()
outstandingPrompts--
// fmt.Println("XXX: Return decremented outstanding to ", outstandingPrompts)
// fmt.Println("XXX: Return decremented outstanding to ", outstandingPrompts)
promptLock.Unlock()
pc.setPrompting(false)
}
@ -342,7 +342,7 @@ func (p *prompter) nextConnection() (pendingConnection, bool) {
p.removePolicy(policy)
} else {
if pc == nil && !qempty {
fmt.Println("FIX ME: I NEED TO SLEEP ON A WAKEABLE CONDITION PROPERLY!!")
log.Errorf("FIX ME: I NEED TO SLEEP ON A WAKEABLE CONDITION PROPERLY!!")
time.Sleep(time.Millisecond * 300)
}
return pc, qempty
@ -355,7 +355,7 @@ func (p *prompter) removePolicy(policy *Policy) {
if DoMultiPrompt {
if len(p.policyQueue) == 0 {
fmt.Println("Skipping over zero length policy queue")
log.Debugf("Skipping over zero length policy queue")
newQueue = make([]*Policy, 0, 0)
}
}
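Review bot: `log.Debugf("Saving policy key:" + policy.sandbox + "|" + policy.path)` passes a string built from the process path as the format string, so any `%` in an executable path — which a local process controls through its file name — is interpreted as a verb and yields mis-formatted `%!s(MISSING)`-style output; use arguments instead: `log.Debugf("Saving policy key: %s|%s", policy.sandbox, policy.path)`. The constant-string conversions in the other hunks are fine as they are. The `FIX ME` busy-wait in `nextConnection` is now logged at Error level on every 300 ms iteration, which will flood the log whenever the queue is non-empty but yields no connection; Debug or a rate limit is more appropriate until the condition-variable wait is implemented. `prompt` and `nextConnection` both begin outside the hunks.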

@ -52,13 +52,7 @@ func (r *Rule) getString(redact bool) string {
} else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
rtype = RuleActionString[RULE_ACTION_ALLOW_TLSONLY]
}
rmode := ""
if r.mode == RULE_MODE_SYSTEM {
rmode = "|" + RuleModeString[RULE_MODE_SYSTEM]
}
if r.mode == RULE_MODE_PERMANENT {
rmode = "|" + RuleModeString[RULE_MODE_PERMANENT]
}
rmode := "|" + RuleModeString[r.mode]
protostr := ""
@ -103,7 +97,10 @@ func (r *Rule) AddrString(redact bool) string {
type RuleList []*Rule
func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, proto string, uid, gid int, uname, gname string) bool {
func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, proto string, uid, gid int, uname, gname string, sandbox string) bool {
if r.policy.sandbox != sandbox {
return false
}
if r.proto != proto {
return false
}
@ -184,7 +181,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
nfqproto = getNFQProto(pkt)
} else {
if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) {
// log.Notice("+ Socks5 MATCH SUCCEEDED")
// log.Notice("+ Socks5 MATCH SUCCEEDED")
if r.rtype == RULE_ACTION_DENY {
return FILTER_DENY
} else if r.rtype == RULE_ACTION_ALLOW {
@ -202,8 +199,8 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
//log.Notice("! Skipping comparison of mismatching PIDs")
continue
}
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) {
// log.Notice("+ MATCH SUCCEEDED")
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID), pinfo.Sandbox) {
// log.Notice("+ MATCH SUCCEEDED")
dstStr := dst.String()
if FirewallConfig.LogRedact {
dstStr = STR_REDACTED
@ -214,7 +211,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
srcp, _ := getPacketPorts(pkt)
srcStr = fmt.Sprintf("%s:%d", srcip, srcp)
}
// log.Noticef("%s > %s %s %s -> %s:%d",
// log.Noticef("%s > %s %s %s -> %s:%d",
//r.getString(FirewallConfig.LogRedact), pinfo.ExePath, r.proto, srcStr, dstStr, dstPort)
if r.rtype == RULE_ACTION_DENY {
//TODO: Optionally redact below log entry
@ -450,7 +447,7 @@ func savePolicy(f *os.File, p *Policy) {
return
}
for _, r := range p.rules {
if r.mode != RULE_MODE_SESSION {
if r.mode == RULE_MODE_PERMANENT || r.mode == RULE_MODE_SYSTEM {
if !writeLine(f, r.String()) {
return
}
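Review bot: `rmode := "|" + RuleModeString[r.mode]` now appends a mode field to every rule, including session rules that previously got none, and indexes `RuleModeString` unconditionally — if it is a map, an unlisted mode produces a dangling trailing `|`; if it is a slice, it panics; guarding it, `rmode := ""; if s, ok := RuleModeString[r.mode]; ok { rmode = "|" + s }` (map form), keeps the old output for unlisted modes. Whatever parses the rule string back (the policy file loader, not shown) must accept the extra field on session rules. The added `r.policy.sandbox != sandbox` check in `match` is the right fix, since a rule recorded for one sandbox no longer matches a connection from another, and `savePolicy` moving to an explicit list of persisted modes is safer than `!= RULE_MODE_SESSION`. `getString` and `filter` both begin outside the hunks.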

@ -158,7 +158,7 @@ func (s *socksChain) start() {
var err error
s.listener, err = net.Listen(s.cfg.ListenSocksNet, s.cfg.ListenSocksAddr)
if err != nil {
log.Errorf("ERR/socks: Failed to listen on the socks address: %v", err)
log.Errorf("SOCKS: Failed to listen on the socks address: %v", err)
os.Exit(1)
}
@ -174,7 +174,7 @@ func (s *socksChain) socksAcceptLoop() error {
conn, err := s.listener.Accept()
if err != nil {
if e, ok := err.(net.Error); ok && !e.Temporary() {
log.Infof("ERR/socks: Failed to Accept(): %v", err)
log.Errorf("SOCKS: Failed to Accept(): %v", err)
return err
}
continue
@ -188,12 +188,12 @@ func (c *socksChainSession) sessionWorker() {
defer c.clientConn.Close()
clientAddr := c.clientConn.RemoteAddr()
log.Infof("INFO/socks: New connection from: %v", clientAddr)
log.Debugf("SOCKS: New connection from: %v", clientAddr)
// Do the SOCKS handshake with the client, and read the command.
var err error
if c.req, err = Handshake(c.clientConn); err != nil {
log.Infof("ERR/socks: Failed SOCKS5 handshake: %v", err)
log.Errorf("SOCKS: Failed SOCKS5 handshake: %v", err)
return
}
@ -223,7 +223,7 @@ func (c *socksChainSession) sessionWorker() {
c.handleConnect(tls)
default:
// Should *NEVER* happen, validated as part of handshake.
log.Infof("BUG/socks: Unsupported SOCKS command: 0x%02x", c.req.Cmd)
log.Warningf("SOCKS: Unsupported SOCKS command: 0x%02x", c.req.Cmd)
c.req.Reply(ReplyCommandNotSupported)
}
}
@ -407,7 +407,7 @@ func (c *socksChainSession) handleConnect(tls bool) {
if c.optData != nil {
if _, err = c.upstreamConn.Write(c.optData); err != nil {
log.Infof("ERR/socks: Failed writing OptData: %v", err)
log.Errorf("SOCKS: Failed writing OptData: %v", err)
return
}
c.optData = nil
@ -416,7 +416,7 @@ func (c *socksChainSession) handleConnect(tls bool) {
// A upstream connection has been established, push data back and forth
// till the session is done.
c.forwardTraffic(tls)
log.Infof("INFO/socks: Closed SOCKS connection from: %v", c.clientConn.RemoteAddr())
log.Debugf("SOCKS: Closed SOCKS connection from: %v", c.clientConn.RemoteAddr())
}
func (c *socksChainSession) forwardTraffic(tls bool) {
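Review bot: `Failed SOCKS5 handshake` is now logged at Error level for every client that sends a malformed greeting; only `ListenSocksNet`/`ListenSocksAddr` are visible and no peer check is in view, so any process able to reach the socket can fill the error log at will, and the entry does not say who did it. Warning or Debug with the peer address, `log.Warningf("SOCKS: Failed SOCKS5 handshake from %v: %v", clientAddr, err)`, is the better level and keeps the attribution. Raising `Accept()` failures to Error fits, since the loop returns on a non-temporary error. `sessionWorker` and `handleConnect` both continue outside the hunks.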

@ -11,10 +11,8 @@
</policy>
<!-- Anyone can send messages to com.subgraph.fwprompt.EventNotifier -->
<policy user="0">
<policy context="default">
<allow send_destination="com.subgraph.fwprompt.EventNotifier"/>
</policy>
</busconfig>
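Review bot: Replacing `<policy user="0">` with `<policy context="default">` opens `send_destination="com.subgraph.fwprompt.EventNotifier"` to every bus client rather than just root, and the allow is not narrowed by `send_interface` or `send_member`, so any local user can call whatever that name exports. If the intent stated in the comment is that anyone may post events, scope the rule to the interface and method meant to be public, e.g. `<allow send_destination="com.subgraph.fwprompt.EventNotifier" send_interface="…" send_member="…"/>` (names to be confirmed against the exported object), and keep the unrestricted permission under the root or a dedicated group policy. A `context="default"` block is also overridden by later `user`/`group` policies and by `<deny>` rules in other files under the same directory, so the effective permission is worth checking from an unprivileged shell with `busctl` or `dbus-send`. What EventNotifier actually exposes is not visible here.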