Merge newest branch changes with latest changes to master.

shw_dev
Stephen Watt 7 years ago
parent 2fc7525cc7
commit 2f5e10d53d

@ -157,7 +157,7 @@ const OptionList = new Lang.Class({
setOptionText: function(idx, text) { setOptionText: function(idx, text) {
if(this.items.length <= idx) { if(this.items.length <= idx) {
log("attempt to setOptionText with idx = "+ idx + " when this.items.length = "+ this.items.length) //log("SGFW: attempt to setOptionText with idx = "+ idx + " when this.items.length = "+ this.items.length)
return; return;
} }
this.items[idx].setText(text); this.items[idx].setText(text);
@ -232,7 +232,7 @@ const OptionList = new Lang.Class({
case 3: case 3:
return RuleScope.APPLY_PROCESS; return RuleScope.APPLY_PROCESS;
default: default:
log("unexpected scope value "+ this.buttonGroup._selected); log("SGFW: unexpected scope value "+ this.buttonGroup._selected);
return RuleScope.APPLY_SESSION; return RuleScope.APPLY_SESSION;
} }
}, },
@ -248,7 +248,7 @@ const OptionList = new Lang.Class({
case RuleScope.APPLY_FOREVER: case RuleScope.APPLY_FOREVER:
return 0; return 0;
default: default:
log("unexpected scope value "+ scope); log("SGFW: unexpected scope value "+ scope);
return 1; return 1;
} }
} }
@ -458,7 +458,8 @@ const PromptDialog = new Lang.Class({
Name: 'PromptDialog', Name: 'PromptDialog',
Extends: ModalDialog.ModalDialog, Extends: ModalDialog.ModalDialog,
_init: function(invocation, pid_known, sandboxed, tlsguard) { _init: function(invocation, pid_known, sandboxed, tlsguard, cbClose) {
this.cbClose = cbClose;
this.parent({ styleClass: 'fw-prompt-dialog' }); this.parent({ styleClass: 'fw-prompt-dialog' });
this._invocation = invocation; this._invocation = invocation;
this.header = new PromptDialogHeader(); this.header = new PromptDialogHeader();
@ -483,9 +484,6 @@ const PromptDialog = new Lang.Class({
this.optionList.addTLSOption(true); this.optionList.addTLSOption(true);
} }
// let tlsGuard = new OptionListItem("Drop connection if not TLS with valid certificate.",0);
//box.add_child(optionList.actor);
this._initialKeyFocusDestroyId = 1; this._initialKeyFocusDestroyId = 1;
this.setButtons([ this.setButtons([
{ label: "Allow", action: Lang.bind(this, this.onAllow) }, { label: "Allow", action: Lang.bind(this, this.onAllow) },
@ -494,11 +492,17 @@ const PromptDialog = new Lang.Class({
}, },
onAllow: function() { onAllow: function() {
if (this.cbClose !== undefined && this.cbClose !== null) {
this.cbClose();
}
this.close(); this.close();
this.sendReturnValue(true); this.sendReturnValue(true);
}, },
onDeny: function() { onDeny: function() {
if (this.cbClose !== undefined && this.cbClose !== null) {
this.cbClose();
}
this.close(); this.close();
this.sendReturnValue(false); this.sendReturnValue(false);
}, },
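Review bot: `onAllow` and `onDeny` repeat the same null check on `this.cbClose` and invoke it before `this.close()`; since the callback on the handler side shifts the queue and opens the next dialog, the next prompt is opened while the current one is still up. A single helper, `_notifyClosed: function() { if (this.cbClose) { this.cbClose(); } },` called after `this.close()` in both buttons, removes the duplication and fixes the order. The callback also fires only from these two buttons, so if the dialog is dismissed any other way the handler is never told and its queue stalls; I cannot see from the hunk whether ModalDialog exposes a generic close hook to attach it to instead. The PromptDialog class continues outside the hunk.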
@ -590,8 +594,8 @@ const PromptDialog = new Lang.Class({
} else { } else {
this.optionList.setOptionText(0, "Only "+ address + " on "+ port_str); this.optionList.setOptionText(0, "Only "+ address + " on "+ port_str);
} }
if (expert) {
if (expert) {
if (proto == "icmp") { if (proto == "icmp") {
this.optionList.setOptionText(1, "Only "+ address + " with any ICMP code"); this.optionList.setOptionText(1, "Only "+ address + " with any ICMP code");
} else if (proto == "udp") { } else if (proto == "udp") {

@ -4,7 +4,7 @@ const Gio = imports.gi.Gio;
const Extension = imports.misc.extensionUtils.getCurrentExtension(); const Extension = imports.misc.extensionUtils.getCurrentExtension();
const Dialog = Extension.imports.dialog; const Dialog = Extension.imports.dialog;
const Menu = Extension.imports.menu; const Menu = Extension.imports.menu;
const ConnectionMonitor = Extension.imports.cmonitor; //const ConnectionMonitor = Extension.imports.cmonitor;
function init() { function init() {
@ -16,7 +16,7 @@ const FirewallSupport = new Lang.Class({
_init: function() { _init: function() {
this.menu = new Menu.FirewallMenu(); this.menu = new Menu.FirewallMenu();
this.cmon = new ConnectionMonitor.ConnectionMonitor(); //this.cmon = new ConnectionMonitor.ConnectionMonitor();
this.handler = null; this.handler = null;
}, },
@ -29,12 +29,12 @@ const FirewallSupport = new Lang.Class({
enable: function() { enable: function() {
this._destroyHandler(); this._destroyHandler();
this.handler = new FirewallPromptHandler(); this.handler = new FirewallPromptHandler();
this.cmon.install(); //this.cmon.install();
this.menu.install(); this.menu.install();
}, },
disable: function() { disable: function() {
this.menu.destroy(); this.menu.destroy();
this.cmon.remove(); //this.cmon.remove();
this._destroyHandler(); this._destroyHandler();
} }
}); });
@ -78,39 +78,48 @@ const FirewallPromptHandler = new Lang.Class({
this._dbusImpl = Gio.DBusExportedObject.wrapJSObject(FirewallPromptInterface, this); this._dbusImpl = Gio.DBusExportedObject.wrapJSObject(FirewallPromptInterface, this);
this._dbusImpl.export(Gio.DBus.system, '/com/subgraph/FirewallPrompt'); this._dbusImpl.export(Gio.DBus.system, '/com/subgraph/FirewallPrompt');
Gio.bus_own_name_on_connection(Gio.DBus.system, 'com.subgraph.FirewallPrompt', Gio.BusNameOwnerFlags.REPLACE, null, null); Gio.bus_own_name_on_connection(Gio.DBus.system, 'com.subgraph.FirewallPrompt', Gio.BusNameOwnerFlags.REPLACE, null, null);
this._dialog = null; this._dialogs = new Array();
}, },
destroy: function() { destroy: function() {
this._closeDialog(); this._closeDialogs();
this._dbusImpl.unexport(); this._dbusImpl.unexport();
}, },
_closeDialog: function() { _closeDialogs: function() {
if (this._dialog) { if (this._dialogs.length > 0) {
this._dialog.close(); dialog = this._dialogs.shift();
this._dialog = null; dialog.close();
} }
}, },
RequestPromptAsync: function(params, invocation) { RequestPromptAsync: function(params, invocation) {
let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, tlsguard, optstring, expanded, expert, action] = params; let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, tlsguard, optstring, expanded, expert, action] = params;
// this._closeDialog(); let cbfn = function(self) {
this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard); return function() { return self.onCloseDialog(); }
this._invocation = invocation; }(this)
this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action);
this._dialog.open(); let l = this._dialogs.push(new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard, cbfn));
let dialog = this._dialogs[l-1]
dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action);
if (this._dialogs.length == 1) {
dialog.open();
}
},
onCloseDialog: function() {
this._dialogs.shift();
if (this._dialogs.length > 0) {
this._dialogs[0].open();
}
}, },
CloseAsync: function(params, invocation) { CloseAsync: function(params, invocation) {
this._closeDialog(); this._closeDialogs();
}, },
TestPrompt: function(params, invocation) { TestPrompt: function(params, invocation) {
this._closeDialog(); this.RequestPromptAsync(["Firefox", "firefox", "/usr/bin/firefox-esr", "242.12.111.18", "443", "linux", "2342", "TCP", true, true], nil);
this._dialog = new Dialog.PromptDialog(nil);
this._dialog.update("Firefox", "firefox", "/usr/bin/firefox-esr", "242.12.111.18", "443", "linux", "2342", "TCP", true, true);
this._dialog.open();
} }
}); });
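Review bot: `_closeDialogs` closes only the first queued dialog: it shifts one element and calls `close()`, which does not run the close callback, so after `CloseAsync` or `destroy` the remaining entries in `this._dialogs` are never opened and, as far as this hunk shows, their invocations are never answered. Drain the queue instead: `while (this._dialogs.length > 0) { let d = this._dialogs.shift(); d.close(); }`. In the same hunk `dialog = this._dialogs.shift();` lacks `let` and so creates an implicit global, and the `cbfn` closure is equivalent to `Lang.bind(this, this.onCloseDialog)`, which dialog.js already uses. The new `TestPrompt` line passes `nil`, which is not defined in JavaScript, and a 10-element array where `RequestPromptAsync` destructures 19 values, so the test path throws a ReferenceError before reaching the dialog.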

@ -288,6 +288,8 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, o
dstip := net.IP(dstb) dstip := net.IP(dstb)
srcip := net.IP(pkt.Packet.NetworkLayer().NetworkFlow().Src().Raw()) srcip := net.IP(pkt.Packet.NetworkLayer().NetworkFlow().Src().Raw())
name := p.fw.dns.Lookup(dstip, pinfo.Pid) name := p.fw.dns.Lookup(dstip, pinfo.Pid)
log.Infof("Lookup(%s): %s", dstip.String(), name)
if !FirewallConfig.LogRedact { if !FirewallConfig.LogRedact {
log.Infof("Lookup(%s): %s", dstip.String(), name) log.Infof("Lookup(%s): %s", dstip.String(), name)
} }
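Review bot: The new `log.Infof("Lookup(%s): %s", dstip.String(), name)` at the top of the hunk runs before the `if !FirewallConfig.LogRedact` guard, so the destination IP and resolved hostname are logged even when redaction is enabled, and logged twice when it is not. The hunk counts (6 old, 8 new) show this line is an addition; drop it and keep only the guarded call. processPacket continues outside the hunk.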
@ -406,7 +408,7 @@ func (p *Policy) removeRule(r *Rule) {
func (p *Policy) filterPending(rule *Rule) { func (p *Policy) filterPending(rule *Rule) {
remaining := []pendingConnection{} remaining := []pendingConnection{}
for _, pc := range p.pendingQueue { for _, pc := range p.pendingQueue {
if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID)) { if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID), pc.procInfo().Sandbox) {
prompter := pc.getPrompter() prompter := pc.getPrompter()
if prompter == nil { if prompter == nil {
@ -489,13 +491,22 @@ func printPacket(pkt *nfqueue.NFQPacket, hostname string, pinfo *procsnitch.Info
} }
func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) { func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil
if basicAllowPacket(pkt) { if basicAllowPacket(pkt) {
if isudp {
srcport, _ := getPacketUDPPorts(pkt)
if srcport == 53 {
fw.dns.processDNS(pkt)
}
}
pkt.Accept() pkt.Accept()
return return
} }
isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil /* if isudp {
if isudp {
srcport, _ := getPacketUDPPorts(pkt) srcport, _ := getPacketUDPPorts(pkt)
if srcport == 53 { if srcport == 53 {
@ -505,6 +516,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
} }
} }
*/
_, dstip := getPacketIPAddrs(pkt) _, dstip := getPacketIPAddrs(pkt)
/* _, dstp := getPacketPorts(pkt) /* _, dstp := getPacketPorts(pkt)
fwo := eatchAgainstOzRules(srcip, dstip, dstp) fwo := eatchAgainstOzRules(srcip, dstip, dstp)
@ -834,6 +846,7 @@ func basicAllowPacket(pkt *nfqueue.NFQPacket) bool {
if pkt.Packet.Layer(layers.LayerTypeUDP) != nil { if pkt.Packet.Layer(layers.LayerTypeUDP) != nil {
_, dport := getPacketUDPPorts(pkt) _, dport := getPacketUDPPorts(pkt)
if dport == 53 { if dport == 53 {
// fw.dns.processDNS(pkt)
return true return true
} }
} }

@ -71,7 +71,7 @@ func (p *prompter) prompt(policy *Policy) {
return return
} }
p.policyMap[policy.sandbox+"|"+policy.path] = policy p.policyMap[policy.sandbox+"|"+policy.path] = policy
fmt.Println("Saving policy key:" + policy.sandbox + "|" + policy.path) log.Debugf("Saving policy key:" + policy.sandbox + "|" + policy.path)
p.policyQueue = append(p.policyQueue, policy) p.policyQueue = append(p.policyQueue, policy)
p.cond.Signal() p.cond.Signal()
} }
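Review bot: `log.Debugf("Saving policy key:" + policy.sandbox + "|" + policy.path)` builds the format string from data, so a `%` in a sandbox name or path is parsed as a verb and the line mis-renders; use `log.Debugf("Saving policy key: %s|%s", policy.sandbox, policy.path)`. The other Println-to-log conversions in this section use constant strings and are fine. prompt's body starts outside the hunk.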
@ -125,7 +125,7 @@ func (p *prompter) processNextPacket() bool {
} }
if pc.getPrompting() { if pc.getPrompting() {
fmt.Println("Skipping over already prompted connection") log.Debugf("Skipping over already prompted connection")
promptLock.Unlock() promptLock.Unlock()
continue continue
} }
@ -342,7 +342,7 @@ func (p *prompter) nextConnection() (pendingConnection, bool) {
p.removePolicy(policy) p.removePolicy(policy)
} else { } else {
if pc == nil && !qempty { if pc == nil && !qempty {
fmt.Println("FIX ME: I NEED TO SLEEP ON A WAKEABLE CONDITION PROPERLY!!") log.Errorf("FIX ME: I NEED TO SLEEP ON A WAKEABLE CONDITION PROPERLY!!")
time.Sleep(time.Millisecond * 300) time.Sleep(time.Millisecond * 300)
} }
return pc, qempty return pc, qempty
@ -355,7 +355,7 @@ func (p *prompter) removePolicy(policy *Policy) {
if DoMultiPrompt { if DoMultiPrompt {
if len(p.policyQueue) == 0 { if len(p.policyQueue) == 0 {
fmt.Println("Skipping over zero length policy queue") log.Debugf("Skipping over zero length policy queue")
newQueue = make([]*Policy, 0, 0) newQueue = make([]*Policy, 0, 0)
} }
} }

@ -52,13 +52,7 @@ func (r *Rule) getString(redact bool) string {
} else if r.rtype == RULE_ACTION_ALLOW_TLSONLY { } else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
rtype = RuleActionString[RULE_ACTION_ALLOW_TLSONLY] rtype = RuleActionString[RULE_ACTION_ALLOW_TLSONLY]
} }
rmode := "" rmode := "|" + RuleModeString[r.mode]
if r.mode == RULE_MODE_SYSTEM {
rmode = "|" + RuleModeString[RULE_MODE_SYSTEM]
}
if r.mode == RULE_MODE_PERMANENT {
rmode = "|" + RuleModeString[RULE_MODE_PERMANENT]
}
protostr := "" protostr := ""
@ -103,7 +97,10 @@ func (r *Rule) AddrString(redact bool) string {
type RuleList []*Rule type RuleList []*Rule
func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, proto string, uid, gid int, uname, gname string) bool { func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, proto string, uid, gid int, uname, gname string, sandbox string) bool {
if r.policy.sandbox != sandbox {
return false
}
if r.proto != proto { if r.proto != proto {
return false return false
} }
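Review bot: The new `r.policy.sandbox != sandbox` check dereferences `r.policy` unconditionally; if a Rule can exist without an attached policy (not visible from the hunk), this panics in the packet-filter path where the old code did not, so a `r.policy == nil` guard or a comment stating the invariant is warranted. A short comment above the check, e.g. `// A rule only applies to connections from the sandbox its policy was created for.`, would also document the scoping, which the long signature does not convey. match's body continues outside the hunk.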
@ -202,7 +199,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
//log.Notice("! Skipping comparison of mismatching PIDs") //log.Notice("! Skipping comparison of mismatching PIDs")
continue continue
} }
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) { if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID), pinfo.Sandbox) {
// log.Notice("+ MATCH SUCCEEDED") // log.Notice("+ MATCH SUCCEEDED")
dstStr := dst.String() dstStr := dst.String()
if FirewallConfig.LogRedact { if FirewallConfig.LogRedact {
@ -450,7 +447,7 @@ func savePolicy(f *os.File, p *Policy) {
return return
} }
for _, r := range p.rules { for _, r := range p.rules {
if r.mode != RULE_MODE_SESSION { if r.mode == RULE_MODE_PERMANENT || r.mode == RULE_MODE_SYSTEM {
if !writeLine(f, r.String()) { if !writeLine(f, r.String()) {
return return
} }

@ -158,7 +158,7 @@ func (s *socksChain) start() {
var err error var err error
s.listener, err = net.Listen(s.cfg.ListenSocksNet, s.cfg.ListenSocksAddr) s.listener, err = net.Listen(s.cfg.ListenSocksNet, s.cfg.ListenSocksAddr)
if err != nil { if err != nil {
log.Errorf("ERR/socks: Failed to listen on the socks address: %v", err) log.Errorf("SOCKS: Failed to listen on the socks address: %v", err)
os.Exit(1) os.Exit(1)
} }
@ -174,7 +174,7 @@ func (s *socksChain) socksAcceptLoop() error {
conn, err := s.listener.Accept() conn, err := s.listener.Accept()
if err != nil { if err != nil {
if e, ok := err.(net.Error); ok && !e.Temporary() { if e, ok := err.(net.Error); ok && !e.Temporary() {
log.Infof("ERR/socks: Failed to Accept(): %v", err) log.Errorf("SOCKS: Failed to Accept(): %v", err)
return err return err
} }
continue continue
@ -188,12 +188,12 @@ func (c *socksChainSession) sessionWorker() {
defer c.clientConn.Close() defer c.clientConn.Close()
clientAddr := c.clientConn.RemoteAddr() clientAddr := c.clientConn.RemoteAddr()
log.Infof("INFO/socks: New connection from: %v", clientAddr) log.Debugf("SOCKS: New connection from: %v", clientAddr)
// Do the SOCKS handshake with the client, and read the command. // Do the SOCKS handshake with the client, and read the command.
var err error var err error
if c.req, err = Handshake(c.clientConn); err != nil { if c.req, err = Handshake(c.clientConn); err != nil {
log.Infof("ERR/socks: Failed SOCKS5 handshake: %v", err) log.Errorf("SOCKS: Failed SOCKS5 handshake: %v", err)
return return
} }
@ -223,7 +223,7 @@ func (c *socksChainSession) sessionWorker() {
c.handleConnect(tls) c.handleConnect(tls)
default: default:
// Should *NEVER* happen, validated as part of handshake. // Should *NEVER* happen, validated as part of handshake.
log.Infof("BUG/socks: Unsupported SOCKS command: 0x%02x", c.req.Cmd) log.Warningf("SOCKS: Unsupported SOCKS command: 0x%02x", c.req.Cmd)
c.req.Reply(ReplyCommandNotSupported) c.req.Reply(ReplyCommandNotSupported)
} }
} }
@ -407,7 +407,7 @@ func (c *socksChainSession) handleConnect(tls bool) {
if c.optData != nil { if c.optData != nil {
if _, err = c.upstreamConn.Write(c.optData); err != nil { if _, err = c.upstreamConn.Write(c.optData); err != nil {
log.Infof("ERR/socks: Failed writing OptData: %v", err) log.Errorf("SOCKS: Failed writing OptData: %v", err)
return return
} }
c.optData = nil c.optData = nil
@ -416,7 +416,7 @@ func (c *socksChainSession) handleConnect(tls bool) {
// A upstream connection has been established, push data back and forth // A upstream connection has been established, push data back and forth
// till the session is done. // till the session is done.
c.forwardTraffic(tls) c.forwardTraffic(tls)
log.Infof("INFO/socks: Closed SOCKS connection from: %v", c.clientConn.RemoteAddr()) log.Debugf("SOCKS: Closed SOCKS connection from: %v", c.clientConn.RemoteAddr())
} }
func (c *socksChainSession) forwardTraffic(tls bool) { func (c *socksChainSession) forwardTraffic(tls bool) {

@ -11,10 +11,8 @@
</policy> </policy>
<!-- Anyone can send messages to com.subgraph.fwprompt.EventNotifier --> <!-- Anyone can send messages to com.subgraph.fwprompt.EventNotifier -->
<policy user="0"> <policy context="default">
<allow send_destination="com.subgraph.fwprompt.EventNotifier"/> <allow send_destination="com.subgraph.fwprompt.EventNotifier"/>
</policy> </policy>
</busconfig> </busconfig>
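Review bot: Replacing `<policy user="0">` with `<policy context="default">` widens who may send to `com.subgraph.fwprompt.EventNotifier` from root to every connection on the bus. If only some methods are meant to be callable by unprivileged users, narrow the rule with `send_interface` or `send_member` next to `send_destination`; otherwise state the reason in the comment above it, which currently only restates the rule.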