Merge newest branch changes with latest changes to master.

shw_dev
Stephen Watt 7 years ago
parent 2fc7525cc7
commit 2f5e10d53d

@ -157,7 +157,7 @@ const OptionList = new Lang.Class({
setOptionText: function(idx, text) {
if(this.items.length <= idx) {
log("attempt to setOptionText with idx = "+ idx + " when this.items.length = "+ this.items.length)
//log("SGFW: attempt to setOptionText with idx = "+ idx + " when this.items.length = "+ this.items.length)
return;
}
this.items[idx].setText(text);
@ -232,7 +232,7 @@ const OptionList = new Lang.Class({
case 3:
return RuleScope.APPLY_PROCESS;
default:
log("unexpected scope value "+ this.buttonGroup._selected);
log("SGFW: unexpected scope value "+ this.buttonGroup._selected);
return RuleScope.APPLY_SESSION;
}
},
@ -248,7 +248,7 @@ const OptionList = new Lang.Class({
case RuleScope.APPLY_FOREVER:
return 0;
default:
log("unexpected scope value "+ scope);
log("SGFW: unexpected scope value "+ scope);
return 1;
}
}
@ -458,7 +458,8 @@ const PromptDialog = new Lang.Class({
Name: 'PromptDialog',
Extends: ModalDialog.ModalDialog,
_init: function(invocation, pid_known, sandboxed, tlsguard) {
_init: function(invocation, pid_known, sandboxed, tlsguard, cbClose) {
this.cbClose = cbClose;
this.parent({ styleClass: 'fw-prompt-dialog' });
this._invocation = invocation;
this.header = new PromptDialogHeader();
@ -483,9 +484,6 @@ const PromptDialog = new Lang.Class({
this.optionList.addTLSOption(true);
}
// let tlsGuard = new OptionListItem("Drop connection if not TLS with valid certificate.",0);
//box.add_child(optionList.actor);
this._initialKeyFocusDestroyId = 1;
this.setButtons([
{ label: "Allow", action: Lang.bind(this, this.onAllow) },
@ -494,11 +492,17 @@ const PromptDialog = new Lang.Class({
},
onAllow: function() {
if (this.cbClose !== undefined && this.cbClose !== null) {
this.cbClose();
}
this.close();
this.sendReturnValue(true);
},
onDeny: function() {
if (this.cbClose !== undefined && this.cbClose !== null) {
this.cbClose();
}
this.close();
this.sendReturnValue(false);
},
@ -590,8 +594,8 @@ const PromptDialog = new Lang.Class({
} else {
this.optionList.setOptionText(0, "Only "+ address + " on "+ port_str);
}
if (expert) {
if (expert) {
if (proto == "icmp") {
this.optionList.setOptionText(1, "Only "+ address + " with any ICMP code");
} else if (proto == "udp") {
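Review bot: In `onAllow` and `onDeny` the new `this.cbClose()` call runs before `this.close()` and `this.sendReturnValue(...)`, so if the callback throws (in the handler section further down it opens the next queued dialog, and `open()` can fail) the D-Bus invocation is never answered and the daemon-side prompt stays blocked; replying first and notifying afterwards avoids that: `this.close(); this.sendReturnValue(true); if (this.cbClose) { this.cbClose(); }` (the same with `false` in `onDeny`). The `!== undefined && !== null` pair is duplicated in both methods and is equivalent to `this.cbClose != null`; a small shared helper would keep the two paths in step. The new `_init` line stores `cbClose` without documenting it; a comment such as `// cbClose: optional callback invoked once the user has answered, used by the handler to show the next queued dialog` would record the contract. The `if (expert)` hunk appears to be a whitespace-only change, and every method here starts or ends outside its hunk.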

@ -4,7 +4,7 @@ const Gio = imports.gi.Gio;
const Extension = imports.misc.extensionUtils.getCurrentExtension();
const Dialog = Extension.imports.dialog;
const Menu = Extension.imports.menu;
const ConnectionMonitor = Extension.imports.cmonitor;
//const ConnectionMonitor = Extension.imports.cmonitor;
function init() {
@ -16,7 +16,7 @@ const FirewallSupport = new Lang.Class({
_init: function() {
this.menu = new Menu.FirewallMenu();
this.cmon = new ConnectionMonitor.ConnectionMonitor();
//this.cmon = new ConnectionMonitor.ConnectionMonitor();
this.handler = null;
},
@ -29,12 +29,12 @@ const FirewallSupport = new Lang.Class({
enable: function() {
this._destroyHandler();
this.handler = new FirewallPromptHandler();
this.cmon.install();
//this.cmon.install();
this.menu.install();
},
disable: function() {
this.menu.destroy();
this.cmon.remove();
//this.cmon.remove();
this._destroyHandler();
}
});
@ -78,39 +78,48 @@ const FirewallPromptHandler = new Lang.Class({
this._dbusImpl = Gio.DBusExportedObject.wrapJSObject(FirewallPromptInterface, this);
this._dbusImpl.export(Gio.DBus.system, '/com/subgraph/FirewallPrompt');
Gio.bus_own_name_on_connection(Gio.DBus.system, 'com.subgraph.FirewallPrompt', Gio.BusNameOwnerFlags.REPLACE, null, null);
this._dialog = null;
this._dialogs = new Array();
},
destroy: function() {
this._closeDialog();
this._closeDialogs();
this._dbusImpl.unexport();
},
_closeDialog: function() {
if (this._dialog) {
this._dialog.close();
this._dialog = null;
_closeDialogs: function() {
if (this._dialogs.length > 0) {
dialog = this._dialogs.shift();
dialog.close();
}
},
RequestPromptAsync: function(params, invocation) {
let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, tlsguard, optstring, expanded, expert, action] = params;
// this._closeDialog();
this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard);
this._invocation = invocation;
this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action);
this._dialog.open();
let cbfn = function(self) {
return function() { return self.onCloseDialog(); }
}(this)
let l = this._dialogs.push(new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard, cbfn));
let dialog = this._dialogs[l-1]
dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action);
if (this._dialogs.length == 1) {
dialog.open();
}
},
onCloseDialog: function() {
this._dialogs.shift();
if (this._dialogs.length > 0) {
this._dialogs[0].open();
}
},
CloseAsync: function(params, invocation) {
this._closeDialog();
this._closeDialogs();
},
TestPrompt: function(params, invocation) {
this._closeDialog();
this._dialog = new Dialog.PromptDialog(nil);
this._dialog.update("Firefox", "firefox", "/usr/bin/firefox-esr", "242.12.111.18", "443", "linux", "2342", "TCP", true, true);
this._dialog.open();
this.RequestPromptAsync(["Firefox", "firefox", "/usr/bin/firefox-esr", "242.12.111.18", "443", "linux", "2342", "TCP", true, true], nil);
}
});
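Review bot: `dialog = this._dialogs.shift();` in `_closeDialogs` has no `let`, so it assigns an implicit global (a ReferenceError in strict mode), and the method only removes the head of the queue without opening the successor the way `onCloseDialog` does, so after a `CloseAsync` the remaining queued prompts are never displayed and the `this._dialogs.length == 1` test in `RequestPromptAsync` never becomes true again. Since `destroy()` also calls it, draining the whole queue seems to be the intent; whether `close()` alone answers a dialog's pending D-Bus invocation is not visible here, so each queued invocation may additionally be left without a reply — worth confirming. The `cbfn` IIFE can be replaced by `Lang.bind(this, this.onCloseDialog)`, the form the dialog file already uses for its buttons. `TestPrompt` still passes `nil`, which is not a JavaScript identifier and should be `null`, and its argument list is shorter than the 19 values `RequestPromptAsync` destructures.
```javascript
_closeDialogs: function() {
    // Drain the queue so destroy() leaves no dialog behind.
    while (this._dialogs.length > 0) {
        let dialog = this._dialogs.shift();
        dialog.close();
    }
},
// … unchanged: RequestPromptAsync parameter destructuring …
let dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard, Lang.bind(this, this.onCloseDialog));
this._dialogs.push(dialog);
// … unchanged: update() and the open-if-first check …
```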

@ -288,6 +288,8 @@ func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, o
dstip := net.IP(dstb)
srcip := net.IP(pkt.Packet.NetworkLayer().NetworkFlow().Src().Raw())
name := p.fw.dns.Lookup(dstip, pinfo.Pid)
log.Infof("Lookup(%s): %s", dstip.String(), name)
if !FirewallConfig.LogRedact {
log.Infof("Lookup(%s): %s", dstip.String(), name)
}
@ -406,7 +408,7 @@ func (p *Policy) removeRule(r *Rule) {
func (p *Policy) filterPending(rule *Rule) {
remaining := []pendingConnection{}
for _, pc := range p.pendingQueue {
if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID)) {
if rule.match(pc.src(), pc.dst(), pc.dstPort(), pc.hostname(), pc.proto(), pc.procInfo().UID, pc.procInfo().GID, uidToUser(pc.procInfo().UID), gidToGroup(pc.procInfo().GID), pc.procInfo().Sandbox) {
prompter := pc.getPrompter()
if prompter == nil {
@ -489,13 +491,22 @@ func printPacket(pkt *nfqueue.NFQPacket, hostname string, pinfo *procsnitch.Info
}
func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil
if basicAllowPacket(pkt) {
if isudp {
srcport, _ := getPacketUDPPorts(pkt)
if srcport == 53 {
fw.dns.processDNS(pkt)
}
}
pkt.Accept()
return
}
isudp := pkt.Packet.Layer(layers.LayerTypeUDP) != nil
if isudp {
/* if isudp {
srcport, _ := getPacketUDPPorts(pkt)
if srcport == 53 {
@ -505,6 +516,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
}
}
*/
_, dstip := getPacketIPAddrs(pkt)
/* _, dstp := getPacketPorts(pkt)
fwo := eatchAgainstOzRules(srcip, dstip, dstp)
@ -834,6 +846,7 @@ func basicAllowPacket(pkt *nfqueue.NFQPacket) bool {
if pkt.Packet.Layer(layers.LayerTypeUDP) != nil {
_, dport := getPacketUDPPorts(pkt)
if dport == 53 {
// fw.dns.processDNS(pkt)
return true
}
}
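Review bot: The early-accept path in `filterPacket` now hands any packet `basicAllowPacket` approves to `pkt.Accept()` before the rule engine runs, and the final hunk shows `basicAllowPacket` returning true for every UDP packet with destination port 53, so traffic to port 53 of any host bypasses the per-process rules; the start of `basicAllowPacket` is outside the hunk, so earlier conditions may narrow this. If the allowance is meant only for the configured resolver, restricting the check to that address would close the gap, and a comment such as `// UDP/53 is accepted before policy evaluation so name resolution is never blocked; replies are fed to fw.dns in filterPacket` would make the trust boundary explicit. Because the visible part of `basicAllowPacket` keys on the destination port, whether reply packets with source port 53 ever reach the `srcport == 53` branch that calls `fw.dns.processDNS` depends on the unseen part of that function — worth confirming, since otherwise the DNS cache is never populated. The old UDP branch is kept as a `/* … */` block rather than deleted; commented-out code should be removed.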

@ -71,7 +71,7 @@ func (p *prompter) prompt(policy *Policy) {
return
}
p.policyMap[policy.sandbox+"|"+policy.path] = policy
fmt.Println("Saving policy key:" + policy.sandbox + "|" + policy.path)
log.Debugf("Saving policy key:" + policy.sandbox + "|" + policy.path)
p.policyQueue = append(p.policyQueue, policy)
p.cond.Signal()
}
@ -125,7 +125,7 @@ func (p *prompter) processNextPacket() bool {
}
if pc.getPrompting() {
fmt.Println("Skipping over already prompted connection")
log.Debugf("Skipping over already prompted connection")
promptLock.Unlock()
continue
}
@ -342,7 +342,7 @@ func (p *prompter) nextConnection() (pendingConnection, bool) {
p.removePolicy(policy)
} else {
if pc == nil && !qempty {
fmt.Println("FIX ME: I NEED TO SLEEP ON A WAKEABLE CONDITION PROPERLY!!")
log.Errorf("FIX ME: I NEED TO SLEEP ON A WAKEABLE CONDITION PROPERLY!!")
time.Sleep(time.Millisecond * 300)
}
return pc, qempty
@ -355,7 +355,7 @@ func (p *prompter) removePolicy(policy *Policy) {
if DoMultiPrompt {
if len(p.policyQueue) == 0 {
fmt.Println("Skipping over zero length policy queue")
log.Debugf("Skipping over zero length policy queue")
newQueue = make([]*Policy, 0, 0)
}
}
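Review bot: `log.Debugf("Saving policy key:" + policy.sandbox + "|" + policy.path)` builds the format string from data, so a `%` in `policy.path` or `policy.sandbox` is interpreted as a formatting verb (go vet reports this); pass the values as arguments instead: `log.Debugf("Saving policy key: %s|%s", policy.sandbox, policy.path)`. The other replacements in this section use constant strings and are fine. In `nextConnection` the `FIX ME` message is now emitted at Error level on every 300 ms iteration of the poll loop, which will flood the log at that level; Debug, or logging it once before entering the wait, would be more appropriate until the wakeable condition is implemented. The enclosing functions all start outside their hunks.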

@ -52,13 +52,7 @@ func (r *Rule) getString(redact bool) string {
} else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
rtype = RuleActionString[RULE_ACTION_ALLOW_TLSONLY]
}
rmode := ""
if r.mode == RULE_MODE_SYSTEM {
rmode = "|" + RuleModeString[RULE_MODE_SYSTEM]
}
if r.mode == RULE_MODE_PERMANENT {
rmode = "|" + RuleModeString[RULE_MODE_PERMANENT]
}
rmode := "|" + RuleModeString[r.mode]
protostr := ""
@ -103,7 +97,10 @@ func (r *Rule) AddrString(redact bool) string {
type RuleList []*Rule
func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, proto string, uid, gid int, uname, gname string) bool {
func (r *Rule) match(src net.IP, dst net.IP, dstPort uint16, hostname string, proto string, uid, gid int, uname, gname string, sandbox string) bool {
if r.policy.sandbox != sandbox {
return false
}
if r.proto != proto {
return false
}
@ -202,7 +199,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
//log.Notice("! Skipping comparison of mismatching PIDs")
continue
}
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID)) {
if r.match(src, dst, dstPort, hostname, nfqproto, pinfo.UID, pinfo.GID, uidToUser(pinfo.UID), gidToGroup(pinfo.GID), pinfo.Sandbox) {
// log.Notice("+ MATCH SUCCEEDED")
dstStr := dst.String()
if FirewallConfig.LogRedact {
@ -450,7 +447,7 @@ func savePolicy(f *os.File, p *Policy) {
return
}
for _, r := range p.rules {
if r.mode != RULE_MODE_SESSION {
if r.mode == RULE_MODE_PERMANENT || r.mode == RULE_MODE_SYSTEM {
if !writeLine(f, r.String()) {
return
}
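Review bot: The `rmode := "|" + RuleModeString[r.mode]` rewrite in `getString` changes the output for `RULE_MODE_SESSION` rules: the old code emitted no mode suffix for them, the new one emits `|` followed by whatever `RuleModeString` holds for that mode, and if `RuleModeString` is a slice an out-of-range mode now panics where the old code produced an empty string (if it is a map, an unknown mode yields a bare `|`). If the old format must be preserved for anything that parses rule strings, `if r.mode != RULE_MODE_SESSION { rmode = "|" + RuleModeString[r.mode] }` keeps the simplification without the change. The new sandbox comparison at the top of `match` is the security-relevant part of this commit, since it stops a rule written for one sandbox from matching traffic of another; it dereferences `r.policy` unconditionally, so if rules can exist without a policy a nil guard or a comment stating the invariant (`// r.policy is always set: rules are only created through a Policy`) is warranted. `getString` and `match` both continue outside their hunks.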

@ -158,7 +158,7 @@ func (s *socksChain) start() {
var err error
s.listener, err = net.Listen(s.cfg.ListenSocksNet, s.cfg.ListenSocksAddr)
if err != nil {
log.Errorf("ERR/socks: Failed to listen on the socks address: %v", err)
log.Errorf("SOCKS: Failed to listen on the socks address: %v", err)
os.Exit(1)
}
@ -174,7 +174,7 @@ func (s *socksChain) socksAcceptLoop() error {
conn, err := s.listener.Accept()
if err != nil {
if e, ok := err.(net.Error); ok && !e.Temporary() {
log.Infof("ERR/socks: Failed to Accept(): %v", err)
log.Errorf("SOCKS: Failed to Accept(): %v", err)
return err
}
continue
@ -188,12 +188,12 @@ func (c *socksChainSession) sessionWorker() {
defer c.clientConn.Close()
clientAddr := c.clientConn.RemoteAddr()
log.Infof("INFO/socks: New connection from: %v", clientAddr)
log.Debugf("SOCKS: New connection from: %v", clientAddr)
// Do the SOCKS handshake with the client, and read the command.
var err error
if c.req, err = Handshake(c.clientConn); err != nil {
log.Infof("ERR/socks: Failed SOCKS5 handshake: %v", err)
log.Errorf("SOCKS: Failed SOCKS5 handshake: %v", err)
return
}
@ -223,7 +223,7 @@ func (c *socksChainSession) sessionWorker() {
c.handleConnect(tls)
default:
// Should *NEVER* happen, validated as part of handshake.
log.Infof("BUG/socks: Unsupported SOCKS command: 0x%02x", c.req.Cmd)
log.Warningf("SOCKS: Unsupported SOCKS command: 0x%02x", c.req.Cmd)
c.req.Reply(ReplyCommandNotSupported)
}
}
@ -407,7 +407,7 @@ func (c *socksChainSession) handleConnect(tls bool) {
if c.optData != nil {
if _, err = c.upstreamConn.Write(c.optData); err != nil {
log.Infof("ERR/socks: Failed writing OptData: %v", err)
log.Errorf("SOCKS: Failed writing OptData: %v", err)
return
}
c.optData = nil
@ -416,7 +416,7 @@ func (c *socksChainSession) handleConnect(tls bool) {
// A upstream connection has been established, push data back and forth
// till the session is done.
c.forwardTraffic(tls)
log.Infof("INFO/socks: Closed SOCKS connection from: %v", c.clientConn.RemoteAddr())
log.Debugf("SOCKS: Closed SOCKS connection from: %v", c.clientConn.RemoteAddr())
}
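Review bot: In `socksAcceptLoop` the new `log.Errorf` is only reached when the error satisfies `net.Error`; any other error value from `Accept()` falls through to `continue` with no log and an immediate retry, and a persistent temporary error spins the loop with no delay. Treating non-`net.Error` values as fatal keeps the log honest: `if e, ok := err.(net.Error); !ok || !e.Temporary() {`; a short sleep on the temporary path is worth considering. The level changes elsewhere in the section are consistent with each other; `start()` still terminates the process with `os.Exit(1)` after logging, which the message could say (`// fatal: the chain cannot operate without its listener`). Every function in this section starts or ends outside its hunk.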
func (c *socksChainSession) forwardTraffic(tls bool) {

@ -11,10 +11,8 @@
</policy>
<!-- Anyone can send messages to com.subgraph.fwprompt.EventNotifier -->
<policy user="0">
<policy context="default">
<allow send_destination="com.subgraph.fwprompt.EventNotifier"/>
</policy>
</busconfig>
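Review bot: Replacing `<policy user="0">` with `<policy context="default">` lets every connection on the bus, not only root, send to `com.subgraph.fwprompt.EventNotifier`; this matches the comment above it, but it widens the trust boundary of whatever that name exposes, and neither the comment nor the commit message says why the root-only grant was too narrow. If the notifier is meant to receive events only from the firewall daemon, a `user` or `group` policy naming that identity would be tighter; if the broad grant is intended, the comment should record the reason and note that the service must treat every sender as unprivileged, e.g. `<!-- Any bus user may send to the EventNotifier; the service validates the sender of every message -->`.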