Merge newest branch changes with latest changes to master.

shw_dev
Stephen Watt 7 years ago
parent 2fc7525cc7
commit 2f5e10d53d

@ -1194,7 +1194,7 @@ func main() {
mainWin.Add(Notebook) mainWin.Add(Notebook)
if userPrefs.Winheight > 0 && userPrefs.Winwidth > 0 { if userPrefs.Winheight > 0 && userPrefs.Winwidth > 0 {
// fmt.Printf("height was %d, width was %d\n", userPrefs.Winheight, userPrefs.Winwidth) // fmt.Printf("height was %d, width was %d\n", userPrefs.Winheight, userPrefs.Winwidth)
mainWin.Resize(int(userPrefs.Winwidth), int(userPrefs.Winheight)) mainWin.Resize(int(userPrefs.Winwidth), int(userPrefs.Winheight))
} else { } else {
mainWin.SetDefaultSize(850, 450) mainWin.SetDefaultSize(850, 450)

@ -29,14 +29,14 @@ const DetailSection = new Lang.Class({
this.ipAddr = this._addDetails("IP Address:"); this.ipAddr = this._addDetails("IP Address:");
this.path = this._addDetails("Path:"); this.path = this._addDetails("Path:");
this.pid = this._addDetails("Process ID:"); this.pid = this._addDetails("Process ID:");
this.origin = this._addDetails("Origin:"); this.origin = this._addDetails("Origin:");
this.user = this._addDetails("User:"); this.user = this._addDetails("User:");
this.group = this._addDetails("Group:"); this.group = this._addDetails("Group:");
this.sandboxed = sandboxed; this.sandboxed = sandboxed;
if (sandboxed) { if (sandboxed) {
this.sandbox = this._addDetails("Sandbox:"); this.sandbox = this._addDetails("Sandbox:");
} }
this.optstring = this._addDetails(""); this.optstring = this._addDetails("");
}, },
@ -52,37 +52,37 @@ const DetailSection = new Lang.Class({
this.ipAddr.text = ip; this.ipAddr.text = ip;
this.path.text = path; this.path.text = path;
if (pid == -1) { if (pid == -1) {
this.pid.text = '[unknown]'; this.pid.text = '[unknown]';
} else { } else {
this.pid.text = pid.toString(); this.pid.text = pid.toString();
} }
this.origin.text = origin; this.origin.text = origin;
if (user != "") { if (user != "") {
this.user.text = user; this.user.text = user;
if (uid != -1) { if (uid != -1) {
this.user.text += " (" + uid.toString() + ")"; this.user.text += " (" + uid.toString() + ")";
} }
} else { } else {
this.user.text = "uid:" + uid.toString(); this.user.text = "uid:" + uid.toString();
} }
if (group != "") { if (group != "") {
this.group.text = group; this.group.text = group;
if (gid != -1) { if (gid != -1) {
this.group.text += " (" + gid.toString() + ")"; this.group.text += " (" + gid.toString() + ")";
} }
} else { } else {
this.group.text = "gid:" + gid.toString(); this.group.text = "gid:" + gid.toString();
} }
if (sandbox != "") { if (sandbox != "") {
this.sandbox.text = sandbox; this.sandbox.text = sandbox;
} }
this.optstring.text = optstring this.optstring.text = optstring
} }
}); });
@ -141,23 +141,23 @@ const OptionList = new Lang.Class({
_init: function(pid_known, sandboxed) { _init: function(pid_known, sandboxed) {
this.actor = new St.BoxLayout({vertical: true, style_class: 'fw-option-list'}); this.actor = new St.BoxLayout({vertical: true, style_class: 'fw-option-list'});
if (pid_known) { if (pid_known) {
this.buttonGroup = new ButtonGroup("Forever", "Session", "Once", "PID"); this.buttonGroup = new ButtonGroup("Forever", "Session", "Once", "PID");
} else { } else {
this.buttonGroup = new ButtonGroup("Forever", "Session", "Once"); this.buttonGroup = new ButtonGroup("Forever", "Session", "Once");
} }
this.actor.add_child(this.buttonGroup.actor); this.actor.add_child(this.buttonGroup.actor);
this.items = []; this.items = [];
this._selected; this._selected;
this.tlsGuard = false; this.tlsGuard = false;
if (sandboxed) { if (sandboxed) {
this.tlsGuard = true; this.tlsGuard = true;
} }
}, },
setOptionText: function(idx, text) { setOptionText: function(idx, text) {
if(this.items.length <= idx) { if(this.items.length <= idx) {
log("attempt to setOptionText with idx = "+ idx + " when this.items.length = "+ this.items.length) //log("SGFW: attempt to setOptionText with idx = "+ idx + " when this.items.length = "+ this.items.length)
return; return;
} }
this.items[idx].setText(text); this.items[idx].setText(text);
@ -165,12 +165,12 @@ const OptionList = new Lang.Class({
addTLSOption: function(tlsGuardEnabled) { addTLSOption: function(tlsGuardEnabled) {
let tlsg = new OptionListItem("Drop connection if not TLS with valid certificate",0); let tlsg = new OptionListItem("Drop connection if not TLS with valid certificate",0);
tlsg.setSelected(tlsGuardEnabled); tlsg.setSelected(tlsGuardEnabled);
tlsg.connect('selected', Lang.bind(this, function() { tlsg.connect('selected', Lang.bind(this, function() {
this._toggleTLSGuard(tlsg); this._toggleTLSGuard(tlsg);
})); }));
let emptyRow = new OptionListItem("",0); let emptyRow = new OptionListItem("",0);
this.actor.add_child(emptyRow.actor); this.actor.add_child(emptyRow.actor);
this.actor.add_child(tlsg.actor); this.actor.add_child(tlsg.actor);
}, },
@ -182,7 +182,7 @@ const OptionList = new Lang.Class({
} else { } else {
this.tlsGuard = true; this.tlsGuard = true;
item.actor.add_style_pseudo_class('selected'); item.actor.add_style_pseudo_class('selected');
item.setSelected(true) item.setSelected(true)
} }
}, },
@ -232,7 +232,7 @@ const OptionList = new Lang.Class({
case 3: case 3:
return RuleScope.APPLY_PROCESS; return RuleScope.APPLY_PROCESS;
default: default:
log("unexpected scope value "+ this.buttonGroup._selected); log("SGFW: unexpected scope value "+ this.buttonGroup._selected);
return RuleScope.APPLY_SESSION; return RuleScope.APPLY_SESSION;
} }
}, },
@ -248,7 +248,7 @@ const OptionList = new Lang.Class({
case RuleScope.APPLY_FOREVER: case RuleScope.APPLY_FOREVER:
return 0; return 0;
default: default:
log("unexpected scope value "+ scope); log("SGFW: unexpected scope value "+ scope);
return 1; return 1;
} }
} }
@ -458,7 +458,8 @@ const PromptDialog = new Lang.Class({
Name: 'PromptDialog', Name: 'PromptDialog',
Extends: ModalDialog.ModalDialog, Extends: ModalDialog.ModalDialog,
_init: function(invocation, pid_known, sandboxed, tlsguard) { _init: function(invocation, pid_known, sandboxed, tlsguard, cbClose) {
this.cbClose = cbClose;
this.parent({ styleClass: 'fw-prompt-dialog' }); this.parent({ styleClass: 'fw-prompt-dialog' });
this._invocation = invocation; this._invocation = invocation;
this.header = new PromptDialogHeader(); this.header = new PromptDialogHeader();
@ -479,12 +480,9 @@ const PromptDialog = new Lang.Class({
"Only PORT", "Only PORT",
"Any Connection"]); "Any Connection"]);
if (tlsguard) { if (tlsguard) {
this.optionList.addTLSOption(true); this.optionList.addTLSOption(true);
} }
// let tlsGuard = new OptionListItem("Drop connection if not TLS with valid certificate.",0);
//box.add_child(optionList.actor);
this._initialKeyFocusDestroyId = 1; this._initialKeyFocusDestroyId = 1;
this.setButtons([ this.setButtons([
@ -494,11 +492,17 @@ const PromptDialog = new Lang.Class({
}, },
onAllow: function() { onAllow: function() {
if (this.cbClose !== undefined && this.cbClose !== null) {
this.cbClose();
}
this.close(); this.close();
this.sendReturnValue(true); this.sendReturnValue(true);
}, },
onDeny: function() { onDeny: function() {
if (this.cbClose !== undefined && this.cbClose !== null) {
this.cbClose();
}
this.close(); this.close();
this.sendReturnValue(false); this.sendReturnValue(false);
}, },
@ -509,12 +513,12 @@ const PromptDialog = new Lang.Class({
} }
let verb = "DENY"; let verb = "DENY";
if(allow) { if(allow) {
verb = "ALLOW"; verb = "ALLOW";
if (this.optionList.tlsGuard) { if (this.optionList.tlsGuard) {
verb = "ALLOW_TLSONLY"; verb = "ALLOW_TLSONLY";
} else { } else {
verb = "ALLOW"; verb = "ALLOW";
} }
} }
let rule = verb + "|" + this.ruleTarget() + "|" + this.ruleSandbox(); let rule = verb + "|" + this.ruleTarget() + "|" + this.ruleSandbox();
@ -524,10 +528,10 @@ const PromptDialog = new Lang.Class({
}, },
ruleTarget: function() { ruleTarget: function() {
let base = ""; let base = "";
if(this._proto != "tcp") { if(this._proto != "tcp") {
base = this._proto + ":"; base = this._proto + ":";
} }
switch(this.optionList.selectedIdx()) { switch(this.optionList.selectedIdx()) {
case 0: case 0:
return base + this._address + ":" + this._port; return base + this._address + ":" + this._port;
@ -541,7 +545,7 @@ const PromptDialog = new Lang.Class({
}, },
ruleSandbox: function() { ruleSandbox: function() {
return this._sandbox; return this._sandbox;
}, },
ruleTLSGuard: function() { ruleTLSGuard: function() {
@ -551,29 +555,29 @@ const PromptDialog = new Lang.Class({
update: function(application, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action) { update: function(application, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action) {
this._address = address; this._address = address;
this._port = port; this._port = port;
this._proto = proto; this._proto = proto;
this._sandbox = sandbox; this._sandbox = sandbox;
this._tlsGuard = tlsguard; this._tlsGuard = tlsguard;
let port_str = (proto+"").toUpperCase() + " Port "+ port; let port_str = (proto+"").toUpperCase() + " Port "+ port;
if (proto == "icmp") { if (proto == "icmp") {
port_str = (proto+"").toUpperCase() + " Code "+ port; port_str = (proto+"").toUpperCase() + " Code "+ port;
} }
if (sandbox != "") { if (sandbox != "") {
application = application + " (sandboxed)" application = application + " (sandboxed)"
} }
this.header.setTitle(application); this.header.setTitle(application);
if (proto == "tcp") { if (proto == "tcp") {
this.header.setMessage("Wants to connect to "+ address + " on " + port_str); this.header.setMessage("Wants to connect to "+ address + " on " + port_str);
} else if (proto == "udp") { } else if (proto == "udp") {
this.header.setMessage("Wants to send data to "+ address + " on " + port_str); this.header.setMessage("Wants to send data to "+ address + " on " + port_str);
} else if (proto == "icmp") { } else if (proto == "icmp") {
this.header.setMessage("Wants to send data to "+ address + " with " + port_str); this.header.setMessage("Wants to send data to "+ address + " with " + port_str);
} }
if (expanded) { if (expanded) {
this.details.isOpen = false; this.details.isOpen = false;
@ -590,8 +594,8 @@ const PromptDialog = new Lang.Class({
} else { } else {
this.optionList.setOptionText(0, "Only "+ address + " on "+ port_str); this.optionList.setOptionText(0, "Only "+ address + " on "+ port_str);
} }
if (expert) {
if (expert) {
if (proto == "icmp") { if (proto == "icmp") {
this.optionList.setOptionText(1, "Only "+ address + " with any ICMP code"); this.optionList.setOptionText(1, "Only "+ address + " with any ICMP code");
} else if (proto == "udp") { } else if (proto == "udp") {
@ -608,7 +612,7 @@ const PromptDialog = new Lang.Class({
if (proto != "tcp") { if (proto != "tcp") {
this.optionList.setOptionText(3, "Any " + proto.toUpperCase() + " data"); this.optionList.setOptionText(3, "Any " + proto.toUpperCase() + " data");
} }
this.optionList.buttonGroup._setChecked(this.optionList.scopeToIdx(action)) this.optionList.buttonGroup._setChecked(this.optionList.scopeToIdx(action))
this.info.setDetails(ip, path, pid, uid, gid, user, group, origin, proto, optstring, sandbox); this.info.setDetails(ip, path, pid, uid, gid, user, group, origin, proto, optstring, sandbox);
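Review bot: In onAllow and onDeny the new `cbClose()` call runs before `this.close()` and before `sendReturnValue`, so the handler's onCloseDialog (which shifts the queue and opens the next queued PromptDialog) fires while this modal is still open and its D-Bus reply is still unsent; if close() or sendReturnValue throws, the next prompt is already on screen and this one's invocation is never answered. Move the callback to the end: `this.close(); this.sendReturnValue(true); if (this.cbClose) { this.cbClose(); }` (and the same with `false` in onDeny). Note also that cbClose is only invoked from these two buttons; if the ModalDialog can be dismissed any other way (Escape or an external close), the head entry is never shifted and later prompts never open, which is worth confirming against setButtons, whose body lies outside the hunk.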

@ -4,7 +4,7 @@ const Gio = imports.gi.Gio;
const Extension = imports.misc.extensionUtils.getCurrentExtension(); const Extension = imports.misc.extensionUtils.getCurrentExtension();
const Dialog = Extension.imports.dialog; const Dialog = Extension.imports.dialog;
const Menu = Extension.imports.menu; const Menu = Extension.imports.menu;
const ConnectionMonitor = Extension.imports.cmonitor; //const ConnectionMonitor = Extension.imports.cmonitor;
function init() { function init() {
@ -16,7 +16,7 @@ const FirewallSupport = new Lang.Class({
_init: function() { _init: function() {
this.menu = new Menu.FirewallMenu(); this.menu = new Menu.FirewallMenu();
this.cmon = new ConnectionMonitor.ConnectionMonitor(); //this.cmon = new ConnectionMonitor.ConnectionMonitor();
this.handler = null; this.handler = null;
}, },
@ -29,12 +29,12 @@ const FirewallSupport = new Lang.Class({
enable: function() { enable: function() {
this._destroyHandler(); this._destroyHandler();
this.handler = new FirewallPromptHandler(); this.handler = new FirewallPromptHandler();
this.cmon.install(); //this.cmon.install();
this.menu.install(); this.menu.install();
}, },
disable: function() { disable: function() {
this.menu.destroy(); this.menu.destroy();
this.cmon.remove(); //this.cmon.remove();
this._destroyHandler(); this._destroyHandler();
} }
}); });
@ -57,8 +57,8 @@ const FirewallPromptInterface = '<node> \
<arg type="s" direction="in" name="user" /> \ <arg type="s" direction="in" name="user" /> \
<arg type="s" direction="in" name="group" /> \ <arg type="s" direction="in" name="group" /> \
<arg type="i" direction="in" name="pid" /> \ <arg type="i" direction="in" name="pid" /> \
<arg type="s" direction="in" name="sandbox" /> \ <arg type="s" direction="in" name="sandbox" /> \
<arg type="b" direction="in" name="tlsguard" /> \ <arg type="b" direction="in" name="tlsguard" /> \
<arg type="s" direction="in" name="optstring" /> \ <arg type="s" direction="in" name="optstring" /> \
<arg type="b" direction="in" name="expanded" /> \ <arg type="b" direction="in" name="expanded" /> \
<arg type="b" direction="in" name="expert" /> \ <arg type="b" direction="in" name="expert" /> \
@ -78,39 +78,48 @@ const FirewallPromptHandler = new Lang.Class({
this._dbusImpl = Gio.DBusExportedObject.wrapJSObject(FirewallPromptInterface, this); this._dbusImpl = Gio.DBusExportedObject.wrapJSObject(FirewallPromptInterface, this);
this._dbusImpl.export(Gio.DBus.system, '/com/subgraph/FirewallPrompt'); this._dbusImpl.export(Gio.DBus.system, '/com/subgraph/FirewallPrompt');
Gio.bus_own_name_on_connection(Gio.DBus.system, 'com.subgraph.FirewallPrompt', Gio.BusNameOwnerFlags.REPLACE, null, null); Gio.bus_own_name_on_connection(Gio.DBus.system, 'com.subgraph.FirewallPrompt', Gio.BusNameOwnerFlags.REPLACE, null, null);
this._dialog = null; this._dialogs = new Array();
}, },
destroy: function() { destroy: function() {
this._closeDialog(); this._closeDialogs();
this._dbusImpl.unexport(); this._dbusImpl.unexport();
}, },
_closeDialog: function() { _closeDialogs: function() {
if (this._dialog) { if (this._dialogs.length > 0) {
this._dialog.close(); dialog = this._dialogs.shift();
this._dialog = null; dialog.close();
} }
}, },
RequestPromptAsync: function(params, invocation) { RequestPromptAsync: function(params, invocation) {
let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, tlsguard, optstring, expanded, expert, action] = params; let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, tlsguard, optstring, expanded, expert, action] = params;
// this._closeDialog(); let cbfn = function(self) {
this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard); return function() { return self.onCloseDialog(); }
this._invocation = invocation; }(this)
this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action);
this._dialog.open(); let l = this._dialogs.push(new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard, cbfn));
let dialog = this._dialogs[l-1]
dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action);
if (this._dialogs.length == 1) {
dialog.open();
}
},
onCloseDialog: function() {
this._dialogs.shift();
if (this._dialogs.length > 0) {
this._dialogs[0].open();
}
}, },
CloseAsync: function(params, invocation) { CloseAsync: function(params, invocation) {
this._closeDialog(); this._closeDialogs();
}, },
TestPrompt: function(params, invocation) { TestPrompt: function(params, invocation) {
this._closeDialog(); this.RequestPromptAsync(["Firefox", "firefox", "/usr/bin/firefox-esr", "242.12.111.18", "443", "linux", "2342", "TCP", true, true], nil);
this._dialog = new Dialog.PromptDialog(nil);
this._dialog.update("Firefox", "firefox", "/usr/bin/firefox-esr", "242.12.111.18", "443", "linux", "2342", "TCP", true, true);
this._dialog.open();
} }
}); });
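Review bot: `_closeDialogs` assigns `dialog` without `let`, creating an implicit global, and despite its name it dismisses only the queue head; because `dialog.close()` does not run the cbClose path, onCloseDialog never fires, the remaining `_dialogs[0]` is never opened, and every later RequestPromptAsync sees `length != 1` and queues without opening, so a single CloseAsync stalls prompting for the rest of the session. Each closed dialog also leaves its D-Bus invocation unanswered, as before the commit. TestPrompt now passes `nil`, which is not a JavaScript identifier and throws a ReferenceError, and supplies 10 positional values to a 19-element destructure; use `null` and the full parameter list. Suggested replacement for `_closeDialogs`:
```javascript
_closeDialogs: function() {
    // Dismiss every queued prompt; note none of them replies to its invocation.
    while (this._dialogs.length > 0) {
        let dialog = this._dialogs.shift();
        dialog.close();
    }
},
```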

@ -166,7 +166,7 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
entry, ok := dc.ipMap[pid][ip.String()] entry, ok := dc.ipMap[pid][ip.String()]
if ok { if ok {
if now.Before(entry.exp) { if now.Before(entry.exp) {
// log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp) // log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
return entry.name return entry.name
} else { } else {
log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n", log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n",
@ -180,7 +180,7 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
if ok { if ok {
if now.Before(entry.exp) { if now.Before(entry.exp) {
str = entry.name str = entry.name
// log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp) // log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
} else { } else {
log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n", log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n",
ip.String(), entry.name, entry.exp, entry.ttl) ip.String(), entry.name, entry.exp, entry.ttl)

@ -288,6 +288,8 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, o
dstip := net.IP(dstb) dstip := net.IP(dstb)
srcip := net.IP(pkt.Packet.NetworkLayer().NetworkFlow().Src().Raw()) srcip := net.IP(pkt.Packet.NetworkLayer().NetworkFlow().Src().Raw())
name := p.fw.dns.Lookup(dstip, pinfo.Pid) name := p.fw.dns.Lookup(dstip, pinfo.Pid)
log.Infof("Lookup(%s): %s", dstip.String(), name)
if !FirewallConfig.LogRedact { if !FirewallConfig.LogRedact {
log.Infof("Lookup(%s): %s", dstip.String(), name) log.Infof("Lookup(%s): %s", dstip.String(), name)
} }
@ -406,7 +408,7 @@ func (p *Policy) removeRule(r *Rule) {
func (p *Policy) filterPending(rule *Rule) { func (p *Policy) filterPending(rule *Rule) {
remaining := []pendingConnection{} remaining := []pendingConnection{}
for _, pc := range p.pendingQueue { for _, pc := range p.pendingQueue {
if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID)) { if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID), pc.procInfo().Sandbox) {
prompter := pc.getPrompter() prompter := pc.getPrompter()
if prompter == nil { if prompter == nil {
@ -419,7 +421,7 @@ func (p *Policy) filterPending(rule *Rule) {
} }
log.Infof("Adding rule for: %s", rule.getString(FirewallConfig.LogRedact)) log.Infof("Adding rule for: %s", rule.getString(FirewallConfig.LogRedact))
// log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print()) // log.Noticef("%s > %s", rule.getString(FirewallConfig.LogRedact), pc.print())
if rule.rtype == RULE_ACTION_ALLOW { if rule.rtype == RULE_ACTION_ALLOW {
pc.accept() pc.accept()
} else if rule.rtype == RULE_ACTION_ALLOW_TLSONLY { } else if rule.rtype == RULE_ACTION_ALLOW_TLSONLY {
@ -489,13 +491,22 @@ func printPacket(pkt *nfqueue.NFQPacket, hostname string, pinfo *procsnitch.Info
} }
func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) { func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil
if basicAllowPacket(pkt) { if basicAllowPacket(pkt) {
if isudp {
srcport, _ := getPacketUDPPorts(pkt)
if srcport == 53 {
fw.dns.processDNS(pkt)
}
}
pkt.Accept() pkt.Accept()
return return
} }
isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil /* if isudp {
if isudp {
srcport, _ := getPacketUDPPorts(pkt) srcport, _ := getPacketUDPPorts(pkt)
if srcport == 53 { if srcport == 53 {
@ -505,6 +516,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
} }
} }
*/
_, dstip := getPacketIPAddrs(pkt) _, dstip := getPacketIPAddrs(pkt)
/* _, dstp := getPacketPorts(pkt) /* _, dstp := getPacketPorts(pkt)
fwo := eatchAgainstOzRules(srcip, dstip, dstp) fwo := eatchAgainstOzRules(srcip, dstip, dstp)
@ -697,7 +709,7 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro
rlines = append(rlines, strings.Join(ssplit, ":")) rlines = append(rlines, strings.Join(ssplit, ":"))
} }
// log.Warningf("Looking for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data) // log.Warningf("Looking for %s:%d => %s:%d \n %s\n******\n", srcip, srcp, dstip, dstp, data)
if proto == "tcp" { if proto == "tcp" {
res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, rlines) res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, rlines)
@ -834,6 +846,7 @@ func basicAllowPacket(pkt *nfqueue.NFQPacket) bool {
if pkt.Packet.Layer(layers.LayerTypeUDP) != nil { if pkt.Packet.Layer(layers.LayerTypeUDP) != nil {
_, dport := getPacketUDPPorts(pkt) _, dport := getPacketUDPPorts(pkt)
if dport == 53 { if dport == 53 {
// fw.dns.processDNS(pkt)
return true return true
} }
} }
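Review bot: DNS response parsing has moved inside the `if basicAllowPacket(pkt)` branch of filterPacket, so the cache is populated only for packets that basicAllowPacket accepts; the only UDP rule visible in basicAllowPacket matches destination port 53 (queries), not source port 53 (replies), so unless an earlier, unseen rule admits replies, `fw.dns.processDNS` may never run and hostname-based rules would silently stop matching. Independently, any UDP packet with source port 53 that reaches this branch is fed to processDNS with no visible check that it answers a query this host actually sent, so whoever can deliver such a packet can seed the IP-to-hostname cache that rule.match consults; if processDNS does not already match the transaction ID against an outstanding query, that check belongs at this call site. The previous call site is left behind as a commented block and the `// fw.dns.processDNS(pkt)` placeholder in basicAllowPacket is dead text; delete both. filterPacket's body continues past the hunk.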

@ -71,7 +71,7 @@ func (p *prompter) prompt(policy *Policy) {
return return
} }
p.policyMap[policy.sandbox+"|"+policy.path] = policy p.policyMap[policy.sandbox+"|"+policy.path] = policy
fmt.Println("Saving policy key:" + policy.sandbox + "|" + policy.path) log.Debugf("Saving policy key:" + policy.sandbox + "|" + policy.path)
p.policyQueue = append(p.policyQueue, policy) p.policyQueue = append(p.policyQueue, policy)
p.cond.Signal() p.cond.Signal()
} }
@ -79,11 +79,11 @@ func (p *prompter) prompt(policy *Policy) {
func (p *prompter) promptLoop() { func (p *prompter) promptLoop() {
p.lock.Lock() p.lock.Lock()
for { for {
// fmt.Println("XXX: promptLoop() outer") // fmt.Println("XXX: promptLoop() outer")
for p.processNextPacket() { for p.processNextPacket() {
// fmt.Println("XXX: promptLoop() inner") // fmt.Println("XXX: promptLoop() inner")
} }
// fmt.Println("promptLoop() wait") // fmt.Println("promptLoop() wait")
p.cond.Wait() p.cond.Wait()
} }
} }
@ -105,7 +105,7 @@ func (p *prompter) processNextPacket() bool {
empty := true empty := true
for { for {
pc, empty = p.nextConnection() pc, empty = p.nextConnection()
// fmt.Println("XXX: processNextPacket() loop; empty = ", empty, " / pc = ", pc) // fmt.Println("XXX: processNextPacket() loop; empty = ", empty, " / pc = ", pc)
if pc == nil && empty { if pc == nil && empty {
return false return false
} else if pc == nil { } else if pc == nil {
@ -116,7 +116,7 @@ func (p *prompter) processNextPacket() bool {
} }
p.lock.Unlock() p.lock.Unlock()
defer p.lock.Lock() defer p.lock.Lock()
// fmt.Println("XXX: Waiting for prompt lock go...") // fmt.Println("XXX: Waiting for prompt lock go...")
for { for {
promptLock.Lock() promptLock.Lock()
if outstandingPrompts >= MAX_PROMPTS { if outstandingPrompts >= MAX_PROMPTS {
@ -125,16 +125,16 @@ func (p *prompter) processNextPacket() bool {
} }
if pc.getPrompting() { if pc.getPrompting() {
fmt.Println("Skipping over already prompted connection") log.Debugf("Skipping over already prompted connection")
promptLock.Unlock() promptLock.Unlock()
continue continue
} }
break break
} }
// fmt.Println("XXX: Passed prompt lock!") // fmt.Println("XXX: Passed prompt lock!")
outstandingPrompts++ outstandingPrompts++
// fmt.Println("XXX: Incremented outstanding to ", outstandingPrompts) // fmt.Println("XXX: Incremented outstanding to ", outstandingPrompts)
promptLock.Unlock() promptLock.Unlock()
// if !pc.getPrompting() { // if !pc.getPrompting() {
pc.setPrompting(true) pc.setPrompting(true)
@ -146,7 +146,7 @@ func (p *prompter) processNextPacket() bool {
func processReturn(pc pendingConnection) { func processReturn(pc pendingConnection) {
promptLock.Lock() promptLock.Lock()
outstandingPrompts-- outstandingPrompts--
// fmt.Println("XXX: Return decremented outstanding to ", outstandingPrompts) // fmt.Println("XXX: Return decremented outstanding to ", outstandingPrompts)
promptLock.Unlock() promptLock.Unlock()
pc.setPrompting(false) pc.setPrompting(false)
} }
@ -342,7 +342,7 @@ func (p *prompter) nextConnection() (pendingConnection, bool) {
p.removePolicy(policy) p.removePolicy(policy)
} else { } else {
if pc == nil && !qempty { if pc == nil && !qempty {
fmt.Println("FIX ME: I NEED TO SLEEP ON A WAKEABLE CONDITION PROPERLY!!") log.Errorf("FIX ME: I NEED TO SLEEP ON A WAKEABLE CONDITION PROPERLY!!")
time.Sleep(time.Millisecond * 300) time.Sleep(time.Millisecond * 300)
} }
return pc, qempty return pc, qempty
@ -355,7 +355,7 @@ func (p *prompter) removePolicy(policy *Policy) {
if DoMultiPrompt { if DoMultiPrompt {
if len(p.policyQueue) == 0 { if len(p.policyQueue) == 0 {
fmt.Println("Skipping over zero length policy queue") log.Debugf("Skipping over zero length policy queue")
newQueue = make([]*Policy, 0, 0) newQueue = make([]*Policy, 0, 0)
} }
} }
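Review bot: `log.Debugf("Saving policy key:" + policy.sandbox + "|" + policy.path)` passes a string built from runtime values as the format string, so a `%` in a sandbox name or executable path is interpreted as a verb and the line is mangled (go vet flags non-constant format strings); write it as `log.Debugf("Saving policy key: %s|%s", policy.sandbox, policy.path)`. The same line also emits the full path while the surrounding code routes path and address output through FirewallConfig.LogRedact, so consider honoring that flag here even at debug level. The `log.Errorf("FIX ME: ...")` at the 300 ms sleep now fires on every poll iteration at error severity; if it is to stay, a TODO comment plus a debug-level message is more appropriate than flooding the error log.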

@ -52,13 +52,7 @@ func (r *Rule) getString(redact bool) string {
} else if r.rtype == RULE_ACTION_ALLOW_TLSONLY { } else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
rtype = RuleActionString[RULE_ACTION_ALLOW_TLSONLY] rtype = RuleActionString[RULE_ACTION_ALLOW_TLSONLY]
} }
rmode := "" rmode := "|" + RuleModeString[r.mode]
if r.mode == RULE_MODE_SYSTEM {
rmode = "|" + RuleModeString[RULE_MODE_SYSTEM]
}
if r.mode == RULE_MODE_PERMANENT {
rmode = "|" + RuleModeString[RULE_MODE_PERMANENT]
}
protostr := "" protostr := ""
@ -103,7 +97,10 @@ func (r *Rule) AddrString(redact bool) string {
type RuleList []*Rule type RuleList []*Rule
func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, proto string, uid, gid int, uname, gname string) bool { func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, proto string, uid, gid int, uname, gname string, sandbox string) bool {
if r.policy.sandbox != sandbox {
return false
}
if r.proto != proto { if r.proto != proto {
return false return false
} }
@ -184,7 +181,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
nfqproto = getNFQProto(pkt) nfqproto = getNFQProto(pkt)
} else { } else {
if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) { if r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname) {
// log.Notice("+ Socks5 MATCH SUCCEEDED") // log.Notice("+ Socks5 MATCH SUCCEEDED")
if r.rtype == RULE_ACTION_DENY { if r.rtype == RULE_ACTION_DENY {
return FILTER_DENY return FILTER_DENY
} else if r.rtype == RULE_ACTION_ALLOW { } else if r.rtype == RULE_ACTION_ALLOW {
@ -202,8 +199,8 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
//log.Notice("! Skipping comparison of mismatching PIDs") //log.Notice("! Skipping comparison of mismatching PIDs")
continue continue
} }
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) { if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID), pinfo.Sandbox) {
// log.Notice("+ MATCH SUCCEEDED") // log.Notice("+ MATCH SUCCEEDED")
dstStr := dst.String() dstStr := dst.String()
if FirewallConfig.LogRedact { if FirewallConfig.LogRedact {
dstStr = STR_REDACTED dstStr = STR_REDACTED
@ -214,7 +211,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
srcp, _ := getPacketPorts(pkt) srcp, _ := getPacketPorts(pkt)
srcStr = fmt.Sprintf("%s:%d", srcip, srcp) srcStr = fmt.Sprintf("%s:%d", srcip, srcp)
} }
// log.Noticef("%s > %s %s %s -> %s:%d", // log.Noticef("%s > %s %s %s -> %s:%d",
//r.getString(FirewallConfig.LogRedact), pinfo.ExePath, r.proto, srcStr, dstStr, dstPort) //r.getString(FirewallConfig.LogRedact), pinfo.ExePath, r.proto, srcStr, dstStr, dstPort)
if r.rtype == RULE_ACTION_DENY { if r.rtype == RULE_ACTION_DENY {
//TODO: Optionally redact below log entry //TODO: Optionally redact below log entry
@ -450,7 +447,7 @@ func savePolicy(f *os.File, p *Policy) {
return return
} }
for _, r := range p.rules { for _, r := range p.rules {
if r.mode != RULE_MODE_SESSION { if r.mode == RULE_MODE_PERMANENT || r.mode == RULE_MODE_SYSTEM {
if !writeLine(f, r.String()) { if !writeLine(f, r.String()) {
return return
} }
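Review bot: `rmode := "|" + RuleModeString[r.mode]` changes getString's output for every mode, including RULE_MODE_SESSION, which previously produced no suffix; anything that parses this string (the loader for what savePolicy writes via `r.String()`, if that delegates to getString, and the prompt's rule format `verb|target|sandbox`) must now accept a trailing mode field, which I cannot confirm from the hunk. If RuleModeString is a map a mode without an entry yields a dangling `|`; if it is a slice, an unknown mode panics, so a guard such as `if s, ok := RuleModeString[r.mode]; ok { rmode = "|" + s }` is safer. The sandbox comparison added to match() correctly stops a rule learned in one sandbox from matching another, but the SOCKS branch of filter still only requires `sandboxed == false` rather than comparing `r.policy.sandbox`, so that path should be checked for the same gap. getString's body begins outside the hunk.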

@ -158,7 +158,7 @@ func (s *socksChain) start() {
var err error var err error
s.listener, err = net.Listen(s.cfg.ListenSocksNet, s.cfg.ListenSocksAddr) s.listener, err = net.Listen(s.cfg.ListenSocksNet, s.cfg.ListenSocksAddr)
if err != nil { if err != nil {
log.Errorf("ERR/socks: Failed to listen on the socks address: %v", err) log.Errorf("SOCKS: Failed to listen on the socks address: %v", err)
os.Exit(1) os.Exit(1)
} }
@ -174,7 +174,7 @@ func (s *socksChain) socksAcceptLoop() error {
conn, err := s.listener.Accept() conn, err := s.listener.Accept()
if err != nil { if err != nil {
if e, ok := err.(net.Error); ok && !e.Temporary() { if e, ok := err.(net.Error); ok && !e.Temporary() {
log.Infof("ERR/socks: Failed to Accept(): %v", err) log.Errorf("SOCKS: Failed to Accept(): %v", err)
return err return err
} }
continue continue
@ -188,12 +188,12 @@ func (c *socksChainSession) sessionWorker() {
defer c.clientConn.Close() defer c.clientConn.Close()
clientAddr := c.clientConn.RemoteAddr() clientAddr := c.clientConn.RemoteAddr()
log.Infof("INFO/socks: New connection from: %v", clientAddr) log.Debugf("SOCKS: New connection from: %v", clientAddr)
// Do the SOCKS handshake with the client, and read the command. // Do the SOCKS handshake with the client, and read the command.
var err error var err error
if c.req, err = Handshake(c.clientConn); err != nil { if c.req, err = Handshake(c.clientConn); err != nil {
log.Infof("ERR/socks: Failed SOCKS5 handshake: %v", err) log.Errorf("SOCKS: Failed SOCKS5 handshake: %v", err)
return return
} }
@ -223,7 +223,7 @@ func (c *socksChainSession) sessionWorker() {
c.handleConnect(tls) c.handleConnect(tls)
default: default:
// Should *NEVER* happen, validated as part of handshake. // Should *NEVER* happen, validated as part of handshake.
log.Infof("BUG/socks: Unsupported SOCKS command: 0x%02x", c.req.Cmd) log.Warningf("SOCKS: Unsupported SOCKS command: 0x%02x", c.req.Cmd)
c.req.Reply(ReplyCommandNotSupported) c.req.Reply(ReplyCommandNotSupported)
} }
} }
@ -407,7 +407,7 @@ func (c *socksChainSession) handleConnect(tls bool) {
if c.optData != nil { if c.optData != nil {
if _, err = c.upstreamConn.Write(c.optData); err != nil { if _, err = c.upstreamConn.Write(c.optData); err != nil {
log.Infof("ERR/socks: Failed writing OptData: %v", err) log.Errorf("SOCKS: Failed writing OptData: %v", err)
return return
} }
c.optData = nil c.optData = nil
@ -416,7 +416,7 @@ func (c *socksChainSession) handleConnect(tls bool) {
// A upstream connection has been established, push data back and forth // A upstream connection has been established, push data back and forth
// till the session is done. // till the session is done.
c.forwardTraffic(tls) c.forwardTraffic(tls)
log.Infof("INFO/socks: Closed SOCKS connection from: %v", c.clientConn.RemoteAddr()) log.Debugf("SOCKS: Closed SOCKS connection from: %v", c.clientConn.RemoteAddr())
} }
func (c *socksChainSession) forwardTraffic(tls bool) { func (c *socksChainSession) forwardTraffic(tls bool) {

@ -11,10 +11,8 @@
</policy> </policy>
<!-- Anyone can send messages to com.subgraph.fwprompt.EventNotifier --> <!-- Anyone can send messages to com.subgraph.fwprompt.EventNotifier -->
<policy user="0"> <policy context="default">
<allow send_destination="com.subgraph.fwprompt.EventNotifier"/> <allow send_destination="com.subgraph.fwprompt.EventNotifier"/>
</policy> </policy>
</busconfig> </busconfig>
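Review bot: Switching the send policy from `user="0"` to `context="default"` lets every connection on the system bus, including unprivileged and sandboxed processes if they can reach it, send to com.subgraph.fwprompt.EventNotifier, whereas before only root could; if messages on that name drive firewall notifications or state, an unprivileged local process can now inject them. Narrow the allow rule with `send_interface`/`send_member` attributes naming only what the daemon needs, and confirm the receiving service authenticates the sender (for example by checking the caller's UID via the bus) rather than trusting any message that arrives. The comment above the rule should also state that this is intentional and why.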