diff --git a/fw-prompt/fw-prompt.go b/fw-prompt/fw-prompt.go index adc215d..d3bf8c1 100644 --- a/fw-prompt/fw-prompt.go +++ b/fw-prompt/fw-prompt.go @@ -1194,7 +1194,7 @@ func main() { mainWin.Add(Notebook) if userPrefs.Winheight > 0 && userPrefs.Winwidth > 0 { - // fmt.Printf("height was %d, width was %d\n", userPrefs.Winheight, userPrefs.Winwidth) + // fmt.Printf("height was %d, width was %d\n", userPrefs.Winheight, userPrefs.Winwidth) mainWin.Resize(int(userPrefs.Winwidth), int(userPrefs.Winheight)) } else { mainWin.SetDefaultSize(850, 450) diff --git a/gnome-shell/firewall@subgraph.com/dialog.js b/gnome-shell/firewall@subgraph.com/dialog.js index a1fd55d..87b2728 100644 --- a/gnome-shell/firewall@subgraph.com/dialog.js +++ b/gnome-shell/firewall@subgraph.com/dialog.js @@ -29,14 +29,14 @@ const DetailSection = new Lang.Class({ this.ipAddr = this._addDetails("IP Address:"); this.path = this._addDetails("Path:"); this.pid = this._addDetails("Process ID:"); - this.origin = this._addDetails("Origin:"); + this.origin = this._addDetails("Origin:"); this.user = this._addDetails("User:"); this.group = this._addDetails("Group:"); - this.sandboxed = sandboxed; + this.sandboxed = sandboxed; - if (sandboxed) { - this.sandbox = this._addDetails("Sandbox:"); - } + if (sandboxed) { + this.sandbox = this._addDetails("Sandbox:"); + } this.optstring = this._addDetails(""); }, 
@@ -52,37 +52,37 @@ const DetailSection = new Lang.Class({ this.ipAddr.text = ip; this.path.text = path; - if (pid == -1) { - this.pid.text = '[unknown]'; - } else { - this.pid.text = pid.toString(); - } - - this.origin.text = origin; - - if (user != "") { - this.user.text = user; - if (uid != -1) { - this.user.text += " (" + uid.toString() + ")"; - } - } else { - this.user.text = "uid:" + uid.toString(); - } - - if (group != "") { - this.group.text = group; - if (gid != -1) { - this.group.text += " (" + gid.toString() + ")"; - } - } else { - this.group.text = "gid:" + gid.toString(); - } - - if (sandbox != "") { - this.sandbox.text = sandbox; - } - - this.optstring.text = optstring + if (pid == -1) { + this.pid.text = '[unknown]'; + } else { + this.pid.text = pid.toString(); + } + + this.origin.text = origin; + + if (user != "") { + this.user.text = user; + if (uid != -1) { + this.user.text += " (" + uid.toString() + ")"; + } + } else { + this.user.text = "uid:" + uid.toString(); + } + + if (group != "") { + this.group.text = group; + if (gid != -1) { + this.group.text += " (" + gid.toString() + ")"; + } + } else { + this.group.text = "gid:" + gid.toString(); + } + + if (sandbox != "") { + this.sandbox.text = sandbox; + } + + this.optstring.text = optstring } }); 
@@ -141,23 +141,23 @@ const OptionList = new Lang.Class({ _init: function(pid_known, sandboxed) { this.actor = new St.BoxLayout({vertical: true, style_class: 'fw-option-list'}); - if (pid_known) { - this.buttonGroup = new ButtonGroup("Forever", "Session", "Once", "PID"); - } else { - this.buttonGroup = new ButtonGroup("Forever", "Session", "Once"); - } + if (pid_known) { + this.buttonGroup = new ButtonGroup("Forever", "Session", "Once", "PID"); + } else { + this.buttonGroup = new ButtonGroup("Forever", "Session", "Once"); + } this.actor.add_child(this.buttonGroup.actor); this.items = []; this._selected; this.tlsGuard = false; - if (sandboxed) { - this.tlsGuard = true; - } + if (sandboxed) { + this.tlsGuard = true; + } }, setOptionText: function(idx, text) { if(this.items.length <= idx) { - log("attempt to setOptionText with idx = "+ idx + " when this.items.length = "+ this.items.length) + //log("SGFW: attempt to setOptionText with idx = "+ idx + " when this.items.length = "+ this.items.length) return; } this.items[idx].setText(text); @@ -165,12 +165,12 @@ const OptionList = new Lang.Class({ addTLSOption: function(tlsGuardEnabled) { let tlsg = new OptionListItem("Drop connection if not TLS with valid certificate",0); - tlsg.setSelected(tlsGuardEnabled); - tlsg.connect('selected', Lang.bind(this, function() { - this._toggleTLSGuard(tlsg); - })); - let emptyRow = new OptionListItem("",0); - this.actor.add_child(emptyRow.actor); + tlsg.setSelected(tlsGuardEnabled); + tlsg.connect('selected', Lang.bind(this, function() { + this._toggleTLSGuard(tlsg); + })); + let emptyRow = new OptionListItem("",0); + this.actor.add_child(emptyRow.actor); this.actor.add_child(tlsg.actor); }, @@ -182,7 +182,7 @@ const OptionList = new Lang.Class({ } else { this.tlsGuard = true; item.actor.add_style_pseudo_class('selected'); - item.setSelected(true) + item.setSelected(true) } }, 
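Review bot: setOptionText now fails silently on an out-of-range idx, because the diagnostic at the `if(this.items.length <= idx)` guard is commented out rather than kept or removed. An index past the end can only come from a caller bug (update() calls it with the literals 0, 1 and 3 elsewhere in this diff), so the message is worth keeping under the new prefix the other logs in this commit use: `log("SGFW: attempt to setOptionText with idx = "+ idx + " when this.items.length = "+ this.items.length);`. If dropping it is intended, delete the line instead of leaving a commented copy behind.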
@@ -232,7 +232,7 @@ const OptionList = new Lang.Class({ case 3: return RuleScope.APPLY_PROCESS; default: - log("unexpected scope value "+ this.buttonGroup._selected); + log("SGFW: unexpected scope value "+ this.buttonGroup._selected); return RuleScope.APPLY_SESSION; } }, @@ -248,7 +248,7 @@ const OptionList = new Lang.Class({ case RuleScope.APPLY_FOREVER: return 0; default: - log("unexpected scope value "+ scope); + log("SGFW: unexpected scope value "+ scope); return 1; } } @@ -458,7 +458,8 @@ const PromptDialog = new Lang.Class({ Name: 'PromptDialog', Extends: ModalDialog.ModalDialog, - _init: function(invocation, pid_known, sandboxed, tlsguard) { + _init: function(invocation, pid_known, sandboxed, tlsguard, cbClose) { + this.cbClose = cbClose; this.parent({ styleClass: 'fw-prompt-dialog' }); this._invocation = invocation; this.header = new PromptDialogHeader(); @@ -479,12 +480,9 @@ const PromptDialog = new Lang.Class({ "Only PORT", "Any Connection"]); - if (tlsguard) { - this.optionList.addTLSOption(true); - } - - // let tlsGuard = new OptionListItem("Drop connection if not TLS with valid certificate.",0); - //box.add_child(optionList.actor); + if (tlsguard) { + this.optionList.addTLSOption(true); + } this._initialKeyFocusDestroyId = 1; this.setButtons([ @@ -494,11 +492,17 @@ const PromptDialog = new Lang.Class({ }, onAllow: function() { + if (this.cbClose !== undefined && this.cbClose !== null) { + this.cbClose(); + } this.close(); this.sendReturnValue(true); }, onDeny: function() { + if (this.cbClose !== undefined && this.cbClose !== null) { + this.cbClose(); + } this.close(); this.sendReturnValue(false); }, 
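Review bot: In onAllow and onDeny the new cbClose callback is invoked before `this.close()` and `this.sendReturnValue(...)`, so the handler's callback (which, in extension.js in this same diff, shifts the queue and opens the next PromptDialog) runs while this modal is still open and before the D-Bus reply has gone out. Calling it last keeps a single prompt on screen and lets the reply precede the next prompt: `this.close(); this.sendReturnValue(true); if (this.cbClose) { this.cbClose(); }`, and likewise in onDeny. The duplicated guard block could be a small `_notifyClosed` method, and `if (this.cbClose)` suffices since a function is always truthy. A dialog closed by any path other than these two buttons never invokes cbClose; the enclosing class body continues outside the hunk.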
@@ -509,25 +513,25 @@ const PromptDialog = new Lang.Class({ } let verb = "DENY"; if(allow) { - verb = "ALLOW"; - if (this.optionList.tlsGuard) { - verb = "ALLOW_TLSONLY"; - } else { - verb = "ALLOW"; - } + verb = "ALLOW"; + if (this.optionList.tlsGuard) { + verb = "ALLOW_TLSONLY"; + } else { + verb = "ALLOW"; + } } let rule = verb + "|" + this.ruleTarget() + "|" + this.ruleSandbox(); - + let scope = this.optionList.selectedScope(); this._invocation.return_value(GLib.Variant.new('(is)', [scope, rule])); this._invocation = null; }, ruleTarget: function() { - let base = ""; - if(this._proto != "tcp") { - base = this._proto + ":"; - } + let base = ""; + if(this._proto != "tcp") { + base = this._proto + ":"; + } switch(this.optionList.selectedIdx()) { case 0: return base + this._address + ":" + this._port; @@ -541,7 +545,7 @@ const PromptDialog = new Lang.Class({ }, ruleSandbox: function() { - return this._sandbox; + return this._sandbox; }, ruleTLSGuard: function() { 
@@ -551,29 +555,29 @@ const PromptDialog = new Lang.Class({ update: function(application, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action) { this._address = address; this._port = port; - this._proto = proto; - this._sandbox = sandbox; - this._tlsGuard = tlsguard; + this._proto = proto; + this._sandbox = sandbox; + this._tlsGuard = tlsguard; let port_str = (proto+"").toUpperCase() + " Port "+ port; if (proto == "icmp") { - port_str = (proto+"").toUpperCase() + " Code "+ port; - } + port_str = (proto+"").toUpperCase() + " Code "+ port; + } - if (sandbox != "") { - application = application + " (sandboxed)" - } + if (sandbox != "") { + application = application + " (sandboxed)" + } this.header.setTitle(application); - if (proto == "tcp") { - this.header.setMessage("Wants to connect to "+ address + " on " + port_str); - } else if (proto == "udp") { - this.header.setMessage("Wants to send data to "+ address + " on " + port_str); - } else if (proto == "icmp") { - this.header.setMessage("Wants to send data to "+ address + " with " + port_str); - } + if (proto == "tcp") { + this.header.setMessage("Wants to connect to "+ address + " on " + port_str); + } else if (proto == "udp") { + this.header.setMessage("Wants to send data to "+ address + " on " + port_str); + } else if (proto == "icmp") { + this.header.setMessage("Wants to send data to "+ address + " with " + port_str); + } if (expanded) { this.details.isOpen = false; @@ -590,8 +594,8 @@ const PromptDialog = new Lang.Class({ } else { this.optionList.setOptionText(0, "Only "+ address + " on "+ port_str); } - if (expert) { + if (expert) { if (proto == "icmp") { this.optionList.setOptionText(1, "Only "+ address + " with any ICMP code"); } else if (proto == "udp") { 
@@ -608,7 +612,7 @@ const PromptDialog = new Lang.Class({ if (proto != "tcp") { this.optionList.setOptionText(3, "Any " + proto.toUpperCase() + " data"); - } + } this.optionList.buttonGroup._setChecked(this.optionList.scopeToIdx(action)) this.info.setDetails(ip, path, pid, uid, gid, user, group, origin, proto, optstring, sandbox); diff --git a/gnome-shell/firewall@subgraph.com/extension.js b/gnome-shell/firewall@subgraph.com/extension.js index b5444a7..580e23e 100644 --- a/gnome-shell/firewall@subgraph.com/extension.js +++ b/gnome-shell/firewall@subgraph.com/extension.js @@ -4,7 +4,7 @@ const Gio = imports.gi.Gio; const Extension = imports.misc.extensionUtils.getCurrentExtension(); const Dialog = Extension.imports.dialog; const Menu = Extension.imports.menu; -const ConnectionMonitor = Extension.imports.cmonitor; +//const ConnectionMonitor = Extension.imports.cmonitor; function init() { @@ -16,7 +16,7 @@ const FirewallSupport = new Lang.Class({ _init: function() { this.menu = new Menu.FirewallMenu(); - this.cmon = new ConnectionMonitor.ConnectionMonitor(); + //this.cmon = new ConnectionMonitor.ConnectionMonitor(); this.handler = null; }, @@ -29,12 +29,12 @@ const FirewallSupport = new Lang.Class({ enable: function() { this._destroyHandler(); this.handler = new FirewallPromptHandler(); - this.cmon.install(); + //this.cmon.install(); this.menu.install(); }, disable: function() { this.menu.destroy(); - this.cmon.remove(); + //this.cmon.remove(); this._destroyHandler(); } }); @@ -57,8 +57,8 @@ const FirewallPromptInterface = ' \ \ \ \ - \ - \ + \ + \ \ \ \ 
@@ -78,39 +78,48 @@ const FirewallPromptHandler = new Lang.Class({ this._dbusImpl = Gio.DBusExportedObject.wrapJSObject(FirewallPromptInterface, this); this._dbusImpl.export(Gio.DBus.system, '/com/subgraph/FirewallPrompt'); Gio.bus_own_name_on_connection(Gio.DBus.system, 'com.subgraph.FirewallPrompt', Gio.BusNameOwnerFlags.REPLACE, null, null); - this._dialog = null; + this._dialogs = new Array(); }, destroy: function() { - this._closeDialog(); + this._closeDialogs(); this._dbusImpl.unexport(); }, - _closeDialog: function() { - if (this._dialog) { - this._dialog.close(); - this._dialog = null; + _closeDialogs: function() { + if (this._dialogs.length > 0) { + dialog = this._dialogs.shift(); + dialog.close(); } }, RequestPromptAsync: function(params, invocation) { let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, tlsguard, optstring, expanded, expert, action] = params; -// this._closeDialog(); - this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard); - this._invocation = invocation; - this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action); - this._dialog.open(); + let cbfn = function(self) { + return function() { return self.onCloseDialog(); } + }(this) + + let l = this._dialogs.push(new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard, cbfn)); + let dialog = this._dialogs[l-1] + dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action); + if (this._dialogs.length == 1) { + dialog.open(); + } + }, + + onCloseDialog: function() { + this._dialogs.shift(); + if (this._dialogs.length > 0) { + this._dialogs[0].open(); + } }, CloseAsync: function(params, invocation) { - this._closeDialog(); + this._closeDialogs(); }, TestPrompt: function(params, invocation) { - this._closeDialog(); - 
this._dialog = new Dialog.PromptDialog(nil); - this._dialog.update("Firefox", "firefox", "/usr/bin/firefox-esr", "242.12.111.18", "443", "linux", "2342", "TCP", true, true); - this._dialog.open(); + this.RequestPromptAsync(["Firefox", "firefox", "/usr/bin/firefox-esr", "242.12.111.18", "443", "linux", "2342", "TCP", true, true], nil); } }); diff --git a/sgfw/dns.go b/sgfw/dns.go index b68e1c2..05df439 100644 --- a/sgfw/dns.go +++ b/sgfw/dns.go @@ -166,7 +166,7 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string { entry, ok := dc.ipMap[pid][ip.String()] if ok { if now.Before(entry.exp) { - // log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp) + // log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp) return entry.name } else { log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n", @@ -180,7 +180,7 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string { if ok { if now.Before(entry.exp) { str = entry.name - // log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp) + // log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp) } else { log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n", ip.String(), entry.name, entry.exp, entry.ttl) diff --git a/sgfw/policy.go b/sgfw/policy.go index 7863e61..bfcddd6 100644 --- a/sgfw/policy.go +++ b/sgfw/policy.go @@ -288,6 +288,8 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, o dstip := net.IP(dstb) srcip := net.IP(pkt.Packet.NetworkLayer().NetworkFlow().Src().Raw()) name := p.fw.dns.Lookup(dstip, pinfo.Pid) + log.Infof("Lookup(%s): %s", dstip.String(), name) + if !FirewallConfig.LogRedact { log.Infof("Lookup(%s): %s", dstip.String(), name) } 
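Review bot: `dialog = this._dialogs.shift();` in _closeDialogs has no `let`, so it assigns an implicit global (or throws under strict mode). Beyond that, _closeDialogs removes only the head dialog although destroy() and CloseAsync call it to tear everything down, and because onCloseDialog is reached only from the dialog's Allow/Deny buttons, nothing opens the remaining queued dialogs afterwards — they sit in the array with their `invocation`s unanswered. Draining the queue addresses both: `while (this._dialogs.length > 0) { let dialog = this._dialogs.shift(); dialog.close(); }`. The `cbfn` wrapper could be `Lang.bind(this, this.onCloseDialog)`, matching dialog.js, and TestPrompt still passes `nil`, which is not a JavaScript identifier, together with a 10-element array where RequestPromptAsync destructures 19 fields.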
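Review bot: The added `log.Infof("Lookup(%s): %s", dstip.String(), name)` is unconditional and sits directly before the existing `if !FirewallConfig.LogRedact` block that logs the identical line, so the destination IP and resolved hostname are now written to the log even when redaction is configured, and twice when it is not. Drop the unconditional line and keep only the guarded one; if the goal is to see lookups while redaction is on, log a redacted form (STR_REDACTED is already used for this in rules.go in this diff) rather than the raw address. processPacket's body continues outside the hunk.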
@@ -406,7 +408,7 @@ func (p *Policy) removeRule(r *Rule) { func (p *Policy) filterPending(rule *Rule) { remaining := []pendingConnection{} for _, pc := range p.pendingQueue { - if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID)) { + if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID), pc.procInfo().Sandbox) { prompter := pc.getPrompter() if prompter == nil { @@ -419,7 +421,7 @@ func (p *Policy) filterPending(rule *Rule) { } log.Infof("Adding rule for: %s", rule.getString(FirewallConfig.LogRedact)) - // log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print()) + // log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print()) if rule.rtype == RULE_ACTION_ALLOW { pc.accept() } else if rule.rtype == RULE_ACTION_ALLOW_TLSONLY { @@ -489,13 +491,22 @@ func printPacket(pkt *nfqueue.NFQPacket, hostname string, pinfo *procsnitch.Info } func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) { + isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil + if basicAllowPacket(pkt) { + if isudp { + srcport, _ := getPacketUDPPorts(pkt) + + if srcport == 53 { + fw.dns.processDNS(pkt) + } + } + pkt.Accept() return } - isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil - if isudp { + /* if isudp { srcport, _ := getPacketUDPPorts(pkt) if srcport == 53 { @@ -505,6 +516,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) { } } + */ _, dstip := getPacketIPAddrs(pkt) /* _, dstp := getPacketPorts(pkt) fwo := eatchAgainstOzRules(srcip, dstip, dstp) 
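Review bot: filterPacket now hands packets to `fw.dns.processDNS` only inside the `basicAllowPacket(pkt)` branch, whereas the old code ran the srcport == 53 check on every UDP packet. The visible part of basicAllowPacket accepts on dport == 53 (queries); whether a reply with srcport 53 and an ephemeral dport also passes it cannot be seen here — if it does not, replies are never cached and `dns.Lookup` stops resolving names, which is worth a comment at the call site once confirmed. The old block is kept as a `/* if isudp { … */` comment; delete it instead of leaving dead code, and `isudp` can then move inside the branch, the only place it is read. filterPacket's body continues outside the hunk.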
@@ -697,7 +709,7 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro rlines = append(rlines, strings.Join(ssplit, ":")) } - // log.Warningf("Looking for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data) + // log.Warningf("Looking for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data) if proto == "tcp" { res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, rlines) @@ -834,6 +846,7 @@ func basicAllowPacket(pkt *nfqueue.NFQPacket) bool { if pkt.Packet.Layer(layers.LayerTypeUDP) != nil { _, dport := getPacketUDPPorts(pkt) if dport == 53 { + // fw.dns.processDNS(pkt) return true } } diff --git a/sgfw/prompt.go b/sgfw/prompt.go index 1061d5b..14945dd 100644 --- a/sgfw/prompt.go +++ b/sgfw/prompt.go @@ -71,7 +71,7 @@ func (p *prompter) prompt(policy *Policy) { return } p.policyMap[policy.sandbox+"|"+policy.path] = policy - fmt.Println("Saving policy key:" + policy.sandbox + "|" + policy.path) + log.Debugf("Saving policy key:" + policy.sandbox + "|" + policy.path) p.policyQueue = append(p.policyQueue, policy) p.cond.Signal() } @@ -79,11 +79,11 @@ func (p *prompter) prompt(policy *Policy) { func (p *prompter) promptLoop() { p.lock.Lock() for { - // fmt.Println("XXX: promptLoop() outer") + // fmt.Println("XXX: promptLoop() outer") for p.processNextPacket() { - // fmt.Println("XXX: promptLoop() inner") + // fmt.Println("XXX: promptLoop() inner") } - // fmt.Println("promptLoop() wait") + // fmt.Println("promptLoop() wait") p.cond.Wait() } } @@ -105,7 +105,7 @@ func (p *prompter) processNextPacket() bool { empty := true for { pc, empty = p.nextConnection() - // fmt.Println("XXX: processNextPacket() loop; empty = ", empty, " / pc = ", pc) + // fmt.Println("XXX: processNextPacket() loop; empty = ", empty, " / pc = ", pc) if pc == nil && empty { return false } else if pc == nil { 
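Review bot: `log.Debugf("Saving policy key:" + policy.sandbox + "|" + policy.path)` builds the format string from runtime data, so any `%` in the executable path or sandbox name is parsed as a verb and corrupts the entry with `%!x(MISSING)`-style output; go vet's printf check flags non-constant format strings for this reason. Pass the values as arguments instead: `log.Debugf("Saving policy key: %s|%s", policy.sandbox, policy.path)`. The other fmt-to-log conversions in this file use constant strings and are fine. prompt's body starts outside the hunk.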
@@ -116,7 +116,7 @@ func (p *prompter) processNextPacket() bool { } p.lock.Unlock() defer p.lock.Lock() - // fmt.Println("XXX: Waiting for prompt lock go...") + // fmt.Println("XXX: Waiting for prompt lock go...") for { promptLock.Lock() if outstandingPrompts >= MAX_PROMPTS { @@ -125,16 +125,16 @@ func (p *prompter) processNextPacket() bool { } if pc.getPrompting() { - fmt.Println("Skipping over already prompted connection") + log.Debugf("Skipping over already prompted connection") promptLock.Unlock() continue } break } - // fmt.Println("XXX: Passed prompt lock!") + // fmt.Println("XXX: Passed prompt lock!") outstandingPrompts++ - // fmt.Println("XXX: Incremented outstanding to ", outstandingPrompts) + // fmt.Println("XXX: Incremented outstanding to ", outstandingPrompts) promptLock.Unlock() // if !pc.getPrompting() { pc.setPrompting(true) @@ -146,7 +146,7 @@ func (p *prompter) processNextPacket() bool { func processReturn(pc pendingConnection) { promptLock.Lock() outstandingPrompts-- - // fmt.Println("XXX: Return decremented outstanding to ", outstandingPrompts) + // fmt.Println("XXX: Return decremented outstanding to ", outstandingPrompts) promptLock.Unlock() pc.setPrompting(false) } @@ -342,7 +342,7 @@ func (p *prompter) nextConnection() (pendingConnection, bool) { p.removePolicy(policy) } else { if pc == nil && !qempty { - fmt.Println("FIX ME: I NEED TO SLEEP ON A WAKEABLE CONDITION PROPERLY!!") + log.Errorf("FIX ME: I NEED TO SLEEP ON A WAKEABLE CONDITION PROPERLY!!") time.Sleep(time.Millisecond * 300) } return pc, qempty @@ -355,7 +355,7 @@ func (p *prompter) removePolicy(policy *Policy) { if DoMultiPrompt { if len(p.policyQueue) == 0 { - fmt.Println("Skipping over zero length policy queue") + log.Debugf("Skipping over zero length policy queue") newQueue = make([]*Policy, 0, 0) } } diff --git a/sgfw/rules.go b/sgfw/rules.go index db237d4..adeb3f7 100644 --- a/sgfw/rules.go +++ b/sgfw/rules.go 
@@ -52,13 +52,7 @@ func (r *Rule) getString(redact bool) string { } else if r.rtype == RULE_ACTION_ALLOW_TLSONLY { rtype = RuleActionString[RULE_ACTION_ALLOW_TLSONLY] } - rmode := "" - if r.mode == RULE_MODE_SYSTEM { - rmode = "|" + RuleModeString[RULE_MODE_SYSTEM] - } - if r.mode == RULE_MODE_PERMANENT { - rmode = "|" + RuleModeString[RULE_MODE_PERMANENT] - } + rmode := "|" + RuleModeString[r.mode] protostr := "" @@ -103,7 +97,10 @@ func (r *Rule) AddrString(redact bool) string { type RuleList []*Rule -func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, proto string, uid, gid int, uname, gname string) bool { +func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, proto string, uid, gid int, uname, gname string, sandbox string) bool { + if r.policy.sandbox != sandbox { + return false + } if r.proto != proto { return false } @@ -184,7 +181,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint nfqproto = getNFQProto(pkt) } else { if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) { - // log.Notice("+ Socks5 MATCH SUCCEEDED") + // log.Notice("+ Socks5 MATCH SUCCEEDED") if r.rtype == RULE_ACTION_DENY { return FILTER_DENY } else if r.rtype == RULE_ACTION_ALLOW { @@ -202,8 +199,8 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint //log.Notice("! Skipping comparison of mismatching PIDs") continue } - if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) { - // log.Notice("+ MATCH SUCCEEDED") + if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID), pinfo.Sandbox) { + // log.Notice("+ MATCH SUCCEEDED") dstStr := dst.String() if FirewallConfig.LogRedact { dstStr = STR_REDACTED 
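Review bot: `rmode := "|" + RuleModeString[r.mode]` changes getString's output for every mode the old code left empty, notably RULE_MODE_SESSION, which now yields `|` followed by the session string (or a bare `|` if RuleModeString is a map with no entry for the mode). getString feeds r.String() and the rule strings written to logs and, presumably, handed to the prompt client, so any parser that only tolerated the absent suffix, or any lookup of session rules by their string, breaks; if the change is intended, the consuming side should land in the same commit. If RuleModeString is a map, `if s, ok := RuleModeString[r.mode]; ok { rmode = "|" + s }` avoids the dangling separator for unknown modes. getString's body continues outside the hunk.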
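Review bot: The new `if r.policy.sandbox != sandbox` check in match dereferences `r.policy` before any other comparison; if a Rule can exist without an owning policy (rules loaded from disk before attachment, for instance), match now panics with a nil pointer where it previously ran. Either state in a comment that every Rule reaching match has a policy, or handle the nil case explicitly — and a policy-less rule should fail closed (`return false`) rather than skip the check. The comparison is exact, so a sandboxed caller never matches an unsandboxed rule, which is the right default; a one-line comment saying so would help, since the trailing `sandbox string` parameter gives no hint that it is an exact-match key. match's body continues outside the hunk.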
@@ -214,7 +211,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint srcp, _ := getPacketPorts(pkt) srcStr = fmt.Sprintf("%s:%d", srcip, srcp) } - // log.Noticef("%s > %s %s %s -> %s:%d", + // log.Noticef("%s > %s %s %s -> %s:%d", //r.getString(FirewallConfig.LogRedact), pinfo.ExePath, r.proto, srcStr, dstStr, dstPort) if r.rtype == RULE_ACTION_DENY { //TODO: Optionally redact below log entry @@ -450,7 +447,7 @@ func savePolicy(f *os.File, p *Policy) { return } for _, r := range p.rules { - if r.mode != RULE_MODE_SESSION { + if r.mode == RULE_MODE_PERMANENT || r.mode == RULE_MODE_SYSTEM { if !writeLine(f, r.String()) { return } diff --git a/sgfw/socks_server_chain.go b/sgfw/socks_server_chain.go index 9c35540..9a2a2dd 100644 --- a/sgfw/socks_server_chain.go +++ b/sgfw/socks_server_chain.go @@ -158,7 +158,7 @@ func (s *socksChain) start() { var err error s.listener, err = net.Listen(s.cfg.ListenSocksNet, s.cfg.ListenSocksAddr) if err != nil { - log.Errorf("ERR/socks: Failed to listen on the socks address: %v", err) + log.Errorf("SOCKS: Failed to listen on the socks address: %v", err) os.Exit(1) } @@ -174,7 +174,7 @@ func (s *socksChain) socksAcceptLoop() error { conn, err := s.listener.Accept() if err != nil { if e, ok := err.(net.Error); ok && !e.Temporary() { - log.Infof("ERR/socks: Failed to Accept(): %v", err) + log.Errorf("SOCKS: Failed to Accept(): %v", err) return err } continue @@ -188,12 +188,12 @@ func (c *socksChainSession) sessionWorker() { defer c.clientConn.Close() clientAddr := c.clientConn.RemoteAddr() - log.Infof("INFO/socks: New connection from: %v", clientAddr) + log.Debugf("SOCKS: New connection from: %v", clientAddr) // Do the SOCKS handshake with the client, and read the command. var err error if c.req, err = Handshake(c.clientConn); err != nil { - log.Infof("ERR/socks: Failed SOCKS5 handshake: %v", err) + log.Errorf("SOCKS: Failed SOCKS5 handshake: %v", err) return } 
@@ -223,7 +223,7 @@ func (c *socksChainSession) sessionWorker() { c.handleConnect(tls) default: // Should *NEVER* happen, validated as part of handshake. - log.Infof("BUG/socks: Unsupported SOCKS command: 0x%02x", c.req.Cmd) + log.Warningf("SOCKS: Unsupported SOCKS command: 0x%02x", c.req.Cmd) c.req.Reply(ReplyCommandNotSupported) } } @@ -407,7 +407,7 @@ func (c *socksChainSession) handleConnect(tls bool) { if c.optData != nil { if _, err = c.upstreamConn.Write(c.optData); err != nil { - log.Infof("ERR/socks: Failed writing OptData: %v", err) + log.Errorf("SOCKS: Failed writing OptData: %v", err) return } c.optData = nil @@ -416,7 +416,7 @@ func (c *socksChainSession) handleConnect(tls bool) { // A upstream connection has been established, push data back and forth // till the session is done. c.forwardTraffic(tls) - log.Infof("INFO/socks: Closed SOCKS connection from: %v", c.clientConn.RemoteAddr()) + log.Debugf("SOCKS: Closed SOCKS connection from: %v", c.clientConn.RemoteAddr()) } func (c *socksChainSession) forwardTraffic(tls bool) { diff --git a/sources/etc/dbus-1/system.d/com.Subgraph.fwprompt.EventNotifier.conf b/sources/etc/dbus-1/system.d/com.subgraph.fwprompt.EventNotifier.conf similarity index 94% rename from sources/etc/dbus-1/system.d/com.Subgraph.fwprompt.EventNotifier.conf rename to sources/etc/dbus-1/system.d/com.subgraph.fwprompt.EventNotifier.conf index 04ffad0..7456404 100644 --- a/sources/etc/dbus-1/system.d/com.Subgraph.fwprompt.EventNotifier.conf +++ b/sources/etc/dbus-1/system.d/com.subgraph.fwprompt.EventNotifier.conf @@ -11,10 +11,8 @@ - + - -