diff --git a/TODO b/TODO index b3b843f..f752c9d 100644 --- a/TODO +++ b/TODO @@ -5,8 +5,6 @@ fw-daemon: fw-prompt: - apply once rules still do not work because they the DBus invocation requires the guid to be passed - more nesting for similar prompts (by application, pid, target host, etc) diff --git a/sgfw/ipc.go b/sgfw/ipc.go index 0c87701..06f599c 100644 --- a/sgfw/ipc.go +++ b/sgfw/ipc.go @@ -8,6 +8,7 @@ import ( "os" "strconv" "strings" + "sync" "github.com/subgraph/oz/ipc" ) @@ -21,9 +22,14 @@ type OzInitProc struct { } var OzInitPids []OzInitProc = []OzInitProc{} +var OzInitPidsLock = sync.Mutex{} + func addInitPid(pid int, name string, sboxid int) { fmt.Println("::::::::::: init pid added: ", pid, " -> ", name) + OzInitPidsLock.Lock() + defer OzInitPidsLock.Unlock() + for i := 0; i < len(OzInitPids); i++ { if OzInitPids[i].Pid == pid { return @@ -36,6 +42,9 @@ func addInitPid(pid int, name string, sboxid int) { func removeInitPid(pid int) { fmt.Println("::::::::::: removing PID: ", pid) + OzInitPidsLock.Lock() + defer OzInitPidsLock.Unlock() + for i := 0; i < len(OzInitPids); i++ { if OzInitPids[i].Pid == pid { OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:]...) diff --git a/sgfw/policy.go b/sgfw/policy.go index 78765da..7d642f0 100644 --- a/sgfw/policy.go +++ b/sgfw/policy.go @@ -656,6 +656,7 @@ func readFileDirect(filename string) ([]byte, error) { func getAllProcNetDataLocal() ([]string, error) { data := "" + OzInitPidsLock.Lock() for i := 0; i < len(OzInitPids); i++ { fname := fmt.Sprintf("/proc/%d/net/tcp", OzInitPids[i]) @@ -670,6 +671,8 @@ func getAllProcNetDataLocal() ([]string, error) { } + OzInitPidsLock.Unlock() + lines := strings.Split(data, "\n") rlines := make([]string, 0) ctr := 1 @@ -715,6 +718,7 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro var res *procsnitch.Info = nil var optstr string removePids := make([]int, 0) + OzInitPidsLock.Lock() for i := 0; i < len(OzInitPids); i++ { data := "" @@ -769,6 +773,8 @@ func LookupSandboxProc(srcip net.IP, srcp uint16, dstip net.IP, dstp uint16, pro } + OzInitPidsLock.Unlock() + for _, p := range removePids { removeInitPid(p) } @@ -820,6 +826,7 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket, reverse bool, strictness int) if res == nil { removePids := make([]int, 0) + OzInitPidsLock.Lock() for i := 0; i < len(OzInitPids); i++ { data := "" @@ -868,6 +875,8 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket, reverse bool, strictness int) } + OzInitPidsLock.Unlock() + for _, p := range removePids { removeInitPid(p) }