From 6e6e265faef5186b8b6351f26910cf552b70b09e Mon Sep 17 00:00:00 2001 From: xSmurf Date: Tue, 12 Sep 2017 00:33:23 +0000 Subject: [PATCH] Fmt.. --- fw-ozcli/fw-ozcli.go | 9 ++-- fw-prompt/dbus.go | 10 ++-- fw-prompt/fw-prompt.go | 107 +++++++++++++++++-------------------- fw-settings/dbus.go | 7 ++- fw-settings/main.go | 6 +-- fw-settings/rules.go | 4 +- proc-coroner/pcoroner.go | 22 ++++---- sgfw/const.go | 34 ++++++++---- sgfw/dbus.go | 1 - sgfw/dns.go | 20 +++---- sgfw/dnsmsg.go | 16 +++--- sgfw/ipc.go | 84 ++++++++++++++--------------- sgfw/log.go | 2 +- sgfw/policy.go | 8 +-- sgfw/prompt.go | 57 ++++++++++---------- sgfw/rules.go | 14 ++--- sgfw/socks_server_chain.go | 44 +++++++-------- sgfw/tlsguard.go | 21 ++++---- 18 files changed, 230 insertions(+), 236 deletions(-) diff --git a/fw-ozcli/fw-ozcli.go b/fw-ozcli/fw-ozcli.go index ced280d..4502442 100644 --- a/fw-ozcli/fw-ozcli.go +++ b/fw-ozcli/fw-ozcli.go @@ -1,12 +1,12 @@ package main import ( - "fmt" "flag" - "strconv" + "fmt" "io" "log" "net" + "strconv" ) const ReceiverSocketPath = "/var/run/fw-daemon/fwoz.sock" @@ -19,8 +19,8 @@ func reader(r io.Reader) { if err != nil { return } - fmt.Println(string(buf[0:n])) - } + fmt.Println(string(buf[0:n])) + } } func main() { @@ -87,4 +87,3 @@ func main() { } } - diff --git a/fw-prompt/dbus.go b/fw-prompt/dbus.go index 9227f2e..b4bfc38 100644 --- a/fw-prompt/dbus.go +++ b/fw-prompt/dbus.go @@ -4,13 +4,12 @@ import ( "errors" "github.com/godbus/dbus" "log" -// "github.com/gotk3/gotk3/glib" + // "github.com/gotk3/gotk3/glib" ) - type dbusServer struct { conn *dbus.Conn - run bool + run bool } type promptData struct { @@ -34,7 +33,6 @@ type promptData struct { Action int } - func newDbusServer() (*dbusServer, error) { conn, err := dbus.SystemBus() 
@@ -65,7 +63,7 @@ func newDbusServer() (*dbusServer, error) { } func (ds *dbusServer) RequestPrompt(application, icon, path, address string, port int32, ip, origin, proto string, uid, gid int32, username, groupname string, pid int32, sandbox string, - optstring string, expanded, expert bool, action int32) (int32, string, *dbus.Error) { + optstring string, expanded, expert bool, action int32) (int32, string, *dbus.Error) { log.Printf("request prompt: app = %s, icon = %s, path = %s, address = %s, action = %v\n", application, icon, path, address, action) decision := addRequest(nil, path, proto, int(pid), ip, address, int(port), int(uid), int(gid), origin, optstring, sandbox) log.Print("Waiting on decision...") @@ -75,6 +73,6 @@ func (ds *dbusServer) RequestPrompt(application, icon, path, address string, por } log.Print("Decision returned: ", decision.Rule) decision.Cond.L.Unlock() -// glib.IdleAdd(func, data) + // glib.IdleAdd(func, data) return int32(decision.Scope), decision.Rule, nil } diff --git a/fw-prompt/fw-prompt.go b/fw-prompt/fw-prompt.go index 9a53812..c8c5e8a 100644 --- a/fw-prompt/fw-prompt.go +++ b/fw-prompt/fw-prompt.go @@ -1,37 +1,35 @@ package main - import ( - "github.com/gotk3/gotk3/gtk" + "encoding/json" + "errors" + "fmt" "github.com/gotk3/gotk3/glib" + "github.com/gotk3/gotk3/gtk" + "io/ioutil" "log" - "fmt" - "strings" - "strconv" "os" - "io/ioutil" - "encoding/json" "os/user" + "strconv" + "strings" "sync" - "errors" "github.com/subgraph/fw-daemon/sgfw" ) - type fpPreferences struct { Winheight uint - Winwidth uint - Wintop uint - Winleft uint + Winwidth uint + Wintop uint + Winleft uint } type decisionWaiter struct { - Cond *sync.Cond - Lock sync.Locker - Ready bool - Scope int - Rule string + Cond *sync.Cond + Lock sync.Locker + Ready bool + Scope int + Rule string } type ruleColumns struct { 
@@ -46,10 +44,9 @@ type ruleColumns struct { Uname string Gname string Origin string - Scope int + Scope int } - var userPrefs fpPreferences var mainWin *gtk.Window var Notebook *gtk.Notebook @@ -63,7 +60,6 @@ var radioOnce, radioProcess, radioParent, radioSession, radioPermanent *gtk.Radi var btnApprove, btnDeny, btnIgnore *gtk.Button var chkUser, chkGroup *gtk.CheckButton - func dumpDecisions() { fmt.Println("XXX Total of decisions pending: ", len(decisionWaiters)) for i := 0; i < len(decisionWaiters); i++ { @@ -80,7 +76,7 @@ func addDecision() *decisionWaiter { func promptInfo(msg string) { dialog := gtk.MessageDialogNew(mainWin, 0, gtk.MESSAGE_INFO, gtk.BUTTONS_OK, "Displaying full log info:") -// dialog.SetDefaultGeometry(500, 200) + // dialog.SetDefaultGeometry(500, 200) tv, err := gtk.TextViewNew() @@ -117,7 +113,7 @@ func promptInfo(msg string) { dialog.ShowAll() dialog.Run() dialog.Destroy() -//self.set_default_size(150, 100) + //self.set_default_size(150, 100) } func promptChoice(msg string) int { @@ -137,7 +133,7 @@ func getConfigPath() string { usr, err := user.Current() if err != nil { - fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file:", err, "\n"); + fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file:", err, "\n") return "" } @@ -149,7 +145,7 @@ func savePreferences() bool { usr, err := user.Current() if err != nil { - fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file:", err, "\n"); + fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file:", err, "\n") return false } @@ -176,7 +172,7 @@ func loadPreferences() bool { usr, err := user.Current() if err != nil { - fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file: %v", err, "\n"); + fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file: %v", err, "\n") return false } 
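Review bot: `fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file:", err, "\n")` in getConfigPath has no formatting directive, so `err` and the newline are appended as `%!(EXTRA …)` noise and go vet flags the call; the commit only drops the trailing semicolon. The same shape recurs in savePreferences and loadPreferences later on this line and in the `could not load preferences data from file` call in the next hunk, where the `%v` variants still pass a stray `"\n"` argument. `fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file: %v\n", err)` fixes each one. getConfigPath, savePreferences and loadPreferences all begin outside their hunks.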
@@ -192,7 +188,7 @@ func loadPreferences() bool { err = json.Unmarshal(jfile, &userPrefs) if err != nil { - fmt.Fprintf(os.Stderr, "Error: could not load preferences data from file: %v", err, "\n") + fmt.Fprintf(os.Stderr, "Error: could not load preferences data from file: %v", err, "\n") return false } @@ -201,23 +197,23 @@ func loadPreferences() bool { } func get_hbox() *gtk.Box { - hbox, err := gtk.BoxNew(gtk.ORIENTATION_HORIZONTAL, 0) + hbox, err := gtk.BoxNew(gtk.ORIENTATION_HORIZONTAL, 0) - if err != nil { - log.Fatal("Unable to create horizontal box:", err) - } + if err != nil { + log.Fatal("Unable to create horizontal box:", err) + } - return hbox + return hbox } func get_vbox() *gtk.Box { - vbox, err := gtk.BoxNew(gtk.ORIENTATION_VERTICAL, 0) + vbox, err := gtk.BoxNew(gtk.ORIENTATION_VERTICAL, 0) - if err != nil { - log.Fatal("Unable to create vertical box:", err) - } + if err != nil { + log.Fatal("Unable to create vertical box:", err) + } - return vbox + return vbox } func get_checkbox(text string, activated bool) *gtk.CheckButton { @@ -416,7 +412,7 @@ func setup_settings() { fmt.Println("CLICKED") if err != nil { - promptError("Unexpected error saving log file info: "+err.Error()) + promptError("Unexpected error saving log file info: " + err.Error()) return } @@ -508,7 +504,6 @@ func toggleValidRuleState() { } } - btnApprove.SetSensitive(ok) btnDeny.SetSensitive(ok) btnIgnore.SetSensitive(ok) @@ -554,8 +549,8 @@ func createCurrentRule() (ruleColumns, error) { rule.UID, rule.GID = 0, 0 rule.Uname, rule.Gname = "", "" -/* Pid int - Origin string */ + /* Pid int + Origin string */ return rule, nil } @@ -690,7 +685,7 @@ func getSelectedRule() (ruleColumns, int, error) { func main() { decisionWaiters = make([]*decisionWaiter, 0) - _, err := newDbusServer(); + _, err := newDbusServer() if err != nil { log.Fatal("Error:", err) return 
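Review bot: get_hbox and get_vbox keep snake_case names; Go convention is mixedCaps, e.g. `func newHBox() *gtk.Box` and `func newVBox() *gtk.Box`, with the call sites renamed to match. Both helpers call stdlib `log.Fatal` on a failed box allocation, which exits the prompt process immediately so the window's destroy handler (and its savePreferences call) never runs; if that is acceptable for an unrecoverable toolkit error, a one-line comment saying so would stop the next reader from "fixing" it. Both helpers lie entirely inside this hunk.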
@@ -711,7 +706,7 @@ func main() { mainWin.Connect("destroy", func() { fmt.Println("Shutting down...") savePreferences() - gtk.MainQuit() + gtk.MainQuit() }) mainWin.Connect("configure-event", func() { @@ -751,7 +746,6 @@ func main() { scrollbox.Add(box) - tv, err := gtk.TreeViewNew() if err != nil { @@ -867,13 +861,13 @@ func main() { btnApprove.Connect("clicked", func() { rule, idx, err := getSelectedRule() if err != nil { - promptError("Error occurred processing request: "+err.Error()) + promptError("Error occurred processing request: " + err.Error()) return } rule, err = createCurrentRule() if err != nil { - promptError("Error occurred constructing new rule: "+err.Error()) + promptError("Error occurred constructing new rule: " + err.Error()) return } @@ -886,20 +880,20 @@ func main() { if err == nil { clearEditor() } else { - promptError("Error setting new rule: "+err.Error()) + promptError("Error setting new rule: " + err.Error()) } }) btnDeny.Connect("clicked", func() { rule, idx, err := getSelectedRule() if err != nil { - promptError("Error occurred processing request: "+err.Error()) + promptError("Error occurred processing request: " + err.Error()) return } rule, err = createCurrentRule() if err != nil { - promptError("Error occurred constructing new rule: "+err.Error()) + promptError("Error occurred constructing new rule: " + err.Error()) return } @@ -912,14 +906,14 @@ func main() { if err == nil { clearEditor() } else { - promptError("Error setting new rule: "+err.Error()) + promptError("Error setting new rule: " + err.Error()) } }) btnIgnore.Connect("clicked", func() { _, idx, err := getSelectedRule() if err != nil { - promptError("Error occurred processing request: "+err.Error()) + promptError("Error occurred processing request: " + err.Error()) return } 
@@ -929,15 +923,15 @@ func main() { if err == nil { clearEditor() } else { - promptError("Error setting new rule: "+err.Error()) + promptError("Error setting new rule: " + err.Error()) } }) -// tv.SetActivateOnSingleClick(true) + // tv.SetActivateOnSingleClick(true) tv.Connect("row-activated", func() { seldata, _, err := getSelectedRule() if err != nil { - promptError("Unexpected error reading selected rule: "+err.Error()) + promptError("Unexpected error reading selected rule: " + err.Error()) return } @@ -980,14 +974,13 @@ func main() { return }) - scrollbox.SetSizeRequest(600, 400) Notebook.AppendPage(scrollbox, nbLabel) -// setup_settings() + // setup_settings() mainWin.Add(Notebook) if userPrefs.Winheight > 0 && userPrefs.Winwidth > 0 { -// fmt.Printf("height was %d, width was %d\n", userPrefs.Winheight, userPrefs.Winwidth) + // fmt.Printf("height was %d, width was %d\n", userPrefs.Winheight, userPrefs.Winwidth) mainWin.Resize(int(userPrefs.Winwidth), int(userPrefs.Winheight)) } else { mainWin.SetDefaultSize(850, 450) @@ -998,6 +991,6 @@ func main() { } mainWin.ShowAll() -// mainWin.SetKeepAbove(true) + // mainWin.SetKeepAbove(true) gtk.Main() } diff --git a/fw-settings/dbus.go b/fw-settings/dbus.go index 102dc3c..1e877b1 100644 --- a/fw-settings/dbus.go +++ b/fw-settings/dbus.go @@ -3,12 +3,11 @@ package main import ( "errors" "fmt" - "github.com/subgraph/fw-daemon/sgfw" "github.com/godbus/dbus" "github.com/gotk3/gotk3/glib" + "github.com/subgraph/fw-daemon/sgfw" ) - type dbusObject struct { dbus.BusObject } @@ -19,7 +18,7 @@ type dbusObjectP struct { type dbusServer struct { conn *dbus.Conn - run bool + run bool } func newDbusObject() (*dbusObject, error) { @@ -114,5 +113,5 @@ func (ds *dbusServer) Alert(data string) *dbus.Error { } func (ob *dbusObjectP) alertRule(data string) { - ob.Call("com.subgraph.fwprompt.EventNotifier.Alert", 0, data) + ob.Call("com.subgraph.fwprompt.EventNotifier.Alert", 0, data) } 
diff --git a/fw-settings/main.go b/fw-settings/main.go
index 05fe3b8..07142d4 100644
--- a/fw-settings/main.go
+++ b/fw-settings/main.go
@@ -108,7 +108,7 @@ func repopulateWin() {
 rlSystem.loadRules(sgfw.RULE_MODE_SYSTEM)
 loadConfig(win, fwsbuilder, dbus)
-// app.AddWindow(win)
+ // app.AddWindow(win)
 win.ShowAll()
 }
@@ -179,11 +179,11 @@ func main() {
 }
 app.Connect("activate", activate)
- _, err = newDbusServer();
+ _, err = newDbusServer()
 if err != nil {
 panic(fmt.Sprintf("Error initializing Dbus server: %v", err))
- }
+ }
 app.Run(os.Args)
 }
diff --git a/fw-settings/rules.go b/fw-settings/rules.go
index 38f2397..c184a4a 100644
--- a/fw-settings/rules.go
+++ b/fw-settings/rules.go
@@ -3,8 +3,8 @@ package main
 import (
 "fmt"
 "os"
- "strings"
 "strconv"
+ "strings"
 "github.com/subgraph/fw-daemon/sgfw"
@@ -122,7 +122,7 @@ func (rr *ruleRow) update() {
 }
 rr.gtkLabelApp.SetTooltipText(rr.rule.Path)
 rr.gtkLabelVerb.SetText(getVerbText(rr.rule))
- if (rr.rule.Proto == "tcp") {
+ if rr.rule.Proto == "tcp" {
 rr.gtkLabelOrigin.SetText(rr.rule.Origin)
 } else {
 rr.gtkLabelOrigin.SetText(rr.rule.Origin + " (" + rr.rule.Proto + ")")
diff --git a/proc-coroner/pcoroner.go b/proc-coroner/pcoroner.go
index 23e7a7d..077777e 100644
--- a/proc-coroner/pcoroner.go
+++ b/proc-coroner/pcoroner.go
@@ -2,15 +2,14 @@ package pcoroner
 import (
 "fmt"
- "time"
- "strings"
+ "os"
 "strconv"
+ "strings"
 "sync"
- "os"
 "syscall"
+ "time"
 )
-
 type WatchProcess struct {
 Pid int
 Inode uint64
@@ -25,14 +24,11 @@ type CallbackEntry struct {
 type procCB func(int, interface{})
-
 var Callbacks []CallbackEntry
-
 var pmutex = &sync.Mutex{}
 var pidMap map[int]WatchProcess = make(map[int]WatchProcess)
-
 func MonitorProcess(pid int) bool {
 pmutex.Lock()
 defer pmutex.Unlock()
@@ -68,14 +64,14 @@ func AddCallback(cbfunc procCB, param interface{}) {
 func MonitorThread(cbfunc procCB, param interface{}) {
 for {
-/* if len(pidMap) == 0 {
- fmt.Println("TICK")
- } else { fmt.Println("len = ", len(pidMap)) } */
+ /* if len(pidMap) == 0 {
+ fmt.Println("TICK")
+ } else { fmt.Println("len = ", len(pidMap)) } */
 pmutex.Lock()
 pmutex.Unlock()
 for pkey, pval := range pidMap {
-// fmt.Printf("PID %v -> %v\n", pkey, pval)
+ // fmt.Printf("PID %v -> %v\n", pkey, pval)
 res := checkProcess(&pval, false)
 if !res {
@@ -100,7 +96,7 @@ func checkProcess(proc *WatchProcess, init bool) bool {
 ppath := fmt.Sprintf("/proc/%d/stat", proc.Pid)
 f, err := os.Open(ppath)
 if err != nil {
-// fmt.Printf("Error opening path %s: %s\n", ppath, err)
+ // fmt.Printf("Error opening path %s: %s\n", ppath, err)
 return false
 }
 defer f.Close()
@@ -133,7 +129,7 @@ func checkProcess(proc *WatchProcess, init bool) bool {
 }
 bstr := string(buf[:])
-// fmt.Println("sstr = ", bstr)
+ // fmt.Println("sstr = ", bstr)
 fields := strings.Split(bstr, " ")
diff --git a/sgfw/const.go b/sgfw/const.go
index cb0d8f0..21a68b1 100644
--- a/sgfw/const.go
+++ b/sgfw/const.go
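Review bot: In MonitorThread the `pmutex.Lock()` immediately followed by `pmutex.Unlock()` guards nothing, and the `for pkey, pval := range pidMap` right after it iterates the map without the lock while MonitorProcess (previous hunk) writes the same map under `pmutex` — a data race that `-race` reports and that the runtime can turn into a "concurrent map iteration and map write" fatal error. Either hold the lock across the loop (move `pmutex.Unlock()` to after the `for`), or copy the entries into a slice under the lock and iterate the copy so checkProcess's /proc reads happen unlocked. Separately, `res := checkProcess(&pval, false)` takes the address of the per-iteration copy, so any fields checkProcess updates through `proc` never reach the stored map entry; if that is intended, a comment on that line would save the next reader a detour. MonitorThread's loop body continues past the hunk.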
@@ -12,32 +12,37 @@ const (
 //RuleAction is the action to apply to a rule
 type RuleAction uint16
+
 const (
 RULE_ACTION_DENY RuleAction = iota
 RULE_ACTION_ALLOW
 RULE_ACTION_ALLOW_TLSONLY
 )
+
 // RuleActionString is used to get a string from an action id
 var RuleActionString = map[RuleAction]string{
- RULE_ACTION_DENY: "DENY",
- RULE_ACTION_ALLOW: "ALLOW",
+ RULE_ACTION_DENY: "DENY",
+ RULE_ACTION_ALLOW: "ALLOW",
 RULE_ACTION_ALLOW_TLSONLY: "ALLOW_TLSONLY",
 }
+
 // RuleActionValue is used to get an action id using the action string
 var RuleActionValue = map[string]RuleAction{
- RuleActionString[RULE_ACTION_DENY]: RULE_ACTION_DENY,
- RuleActionString[RULE_ACTION_ALLOW]: RULE_ACTION_ALLOW,
+ RuleActionString[RULE_ACTION_DENY]: RULE_ACTION_DENY,
+ RuleActionString[RULE_ACTION_ALLOW]: RULE_ACTION_ALLOW,
 RuleActionString[RULE_ACTION_ALLOW_TLSONLY]: RULE_ACTION_ALLOW_TLSONLY,
 }
 //RuleMode contains the time scope of a rule
 type RuleMode uint16
+
 const (
 RULE_MODE_SESSION RuleMode = iota
 RULE_MODE_PROCESS
 RULE_MODE_PERMANENT
 RULE_MODE_SYSTEM
 )
+
 // RuleModeString is used to get a rule mode string from its id
 var RuleModeString = map[RuleMode]string{
 RULE_MODE_SESSION: "SESSION",
@@ -45,6 +50,7 @@ var RuleModeString = map[RuleMode]string{
 RULE_MODE_PERMANENT: "PERMANENT",
 RULE_MODE_SYSTEM: "SYSTEM",
 }
+
 // RuleModeValue converts a mode string to its id
 var RuleModeValue = map[string]RuleMode{
 RuleModeString[RULE_MODE_SESSION]: RULE_MODE_SESSION,
@@ -55,12 +61,14 @@ var RuleModeValue = map[string]RuleMode{
 //FilterScope contains a filter's time scope
 type FilterScope uint16
+
 const (
 APPLY_ONCE FilterScope = iota
 APPLY_SESSION
 APPLY_PROCESS
 APPLY_FOREVER
 )
+
 // FilterScopeString converts a filter scope ID to its string
 var FilterScopeString = map[FilterScope]string{
 APPLY_ONCE: "ONCE",
@@ -68,6 +76,7 @@ var FilterScopeString = map[FilterScope]string{
 APPLY_PROCESS: "PROCESS",
 APPLY_FOREVER: "FOREVER",
 }
+
 // FilterScopeString converts a filter scope string to its ID
 var FilterScopeValue = map[string]FilterScope{
 FilterScopeString[APPLY_ONCE]: APPLY_ONCE,
@@ -75,6 +84,7 @@ var FilterScopeValue = map[string]FilterScope{
 FilterScopeString[APPLY_PROCESS]: APPLY_PROCESS,
 FilterScopeString[APPLY_FOREVER]: APPLY_FOREVER,
 }
+
 // GetFilterScopeString is used to safely return a filter scope string
 func GetFilterScopeString(scope FilterScope) string {
 if val, ok := FilterScopeString[scope]; ok {
@@ -82,6 +92,7 @@ func GetFilterScopeString(scope FilterScope) string {
 }
 return FilterScopeString[APPLY_SESSION]
 }
+
 // GetFilterScopeValue is used to safely return a filter scope ID
 func GetFilterScopeValue(scope string) FilterScope {
 scope = strings.ToUpper(scope)
@@ -93,24 +104,27 @@ func GetFilterScopeValue(scope string) FilterScope {
 //FilterResult contains the filtering resulting action
 type FilterResult uint16
+
 const (
 FILTER_DENY FilterResult = iota
 FILTER_ALLOW
 FILTER_PROMPT
 FILTER_ALLOW_TLSONLY
 )
+
 // FilterResultString converts a filter value ID to its string
 var FilterResultString = map[FilterResult]string{
- FILTER_DENY: "DENY",
- FILTER_ALLOW: "ALLOW",
- FILTER_PROMPT: "PROMPT",
+ FILTER_DENY: "DENY",
+ FILTER_ALLOW: "ALLOW",
+ FILTER_PROMPT: "PROMPT",
 FILTER_ALLOW_TLSONLY: "ALLOW_TLSONLY",
 }
+
 // FilterResultValue converts a filter value string to its ID
 var FilterResultValue = map[string]FilterResult{
- FilterResultString[FILTER_DENY]: FILTER_DENY,
- FilterResultString[FILTER_ALLOW]: FILTER_ALLOW,
- FilterResultString[FILTER_PROMPT]: FILTER_PROMPT,
+ FilterResultString[FILTER_DENY]: FILTER_DENY,
+ FilterResultString[FILTER_ALLOW]: FILTER_ALLOW,
+ FilterResultString[FILTER_PROMPT]: FILTER_PROMPT,
 FilterResultString[FILTER_ALLOW_TLSONLY]: FILTER_ALLOW_TLSONLY,
 }
diff --git a/sgfw/dbus.go b/sgfw/dbus.go
index d445c01..6736715 100644
--- a/sgfw/dbus.go
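Review bot: The doc comment above `var FilterScopeValue` reads `// FilterScopeString converts a filter scope string to its ID`, naming the wrong identifier; it should be `// FilterScopeValue converts a filter scope string to its ID`. The commit only inserts a blank line before it, so the mismatch survives and will mislead anyone reading the generated docs. The comments in this file that omit the space after `//` (`//FilterResult contains …`) could be normalized to `// FilterResult …` in the same pass, since gofmt does not touch comment text.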
+++ b/sgfw/dbus.go
@@ -62,7 +62,6 @@ func newDbusObjectPrompt() (*dbusObjectP, error) {
 return &dbusObjectP{conn.Object("com.subgraph.fwprompt.EventNotifier", "/com/subgraph/fwprompt/EventNotifier")}, nil
 }
-
 type dbusServer struct {
 fw *Firewall
 conn *dbus.Conn
diff --git a/sgfw/dns.go b/sgfw/dns.go
index aaa1355..b68e1c2 100644
--- a/sgfw/dns.go
+++ b/sgfw/dns.go
@@ -1,23 +1,23 @@
 package sgfw
 import (
+ "encoding/binary"
 "net"
 "strings"
 "sync"
 "time"
- "encoding/binary"
-// "github.com/subgraph/go-nfnetlink"
+ // "github.com/subgraph/go-nfnetlink"
 "github.com/google/gopacket/layers"
+ "github.com/subgraph/fw-daemon/proc-coroner"
 nfqueue "github.com/subgraph/go-nfnetlink/nfqueue"
 "github.com/subgraph/go-procsnitch"
- "github.com/subgraph/fw-daemon/proc-coroner"
 )
 type dnsEntry struct {
 name string
- ttl uint32
- exp time.Time
+ ttl uint32
+ exp time.Time
 }
 type dnsCache struct {
@@ -66,14 +66,14 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
 srcip, _ := getPacketIPAddrs(pkt)
 pinfo := getEmptyPInfo()
 if !isNSTrusted(srcip) {
- pinfo, _ = findProcessForPacket(pkt, true, procsnitch.MATCH_LOOSEST)
+ pinfo, _ = findProcessForPacket(pkt, true, procsnitch.MATCH_LOOSEST)
 if pinfo == nil {
 log.Warningf("Skipping attempted DNS cache entry for process that can't be found: %v -> %v\n", q.Name, dns.answer)
 return
 }
 }
-//log.Notice("XXX: PROCESS LOOKUP -> ", pinfo)
+ //log.Notice("XXX: PROCESS LOOKUP -> ", pinfo)
 dc.processRecordAddress(q.Name, dns.answer, pinfo.Pid)
 return
 }
@@ -166,7 +166,7 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
 entry, ok := dc.ipMap[pid][ip.String()]
 if ok {
 if now.Before(entry.exp) {
-// log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
+ // log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
 return entry.name
 } else {
 log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n",
@@ -180,13 +180,13 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
 if ok {
 if now.Before(entry.exp) {
 str = entry.name
-// log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
+ // log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
 } else {
 log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n", ip.String(), entry.name, entry.exp, entry.ttl)
 }
 }
-//log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v\n", ip.String(), str)
+ //log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v\n", ip.String(), str)
 return str
 }
diff --git a/sgfw/dnsmsg.go b/sgfw/dnsmsg.go
index ece43fe..e59551d 100644
--- a/sgfw/dnsmsg.go
+++ b/sgfw/dnsmsg.go
@@ -758,14 +758,14 @@ func unpackRR(msg []byte, off int) (rr dnsRR, off1 int, ok bool) {
 // A manually-unpacked version of (id, bits).
 // This is in its own struct for easy printing.
 type dnsMsgHdr struct {
- id uint16
- response bool
- opcode int
- authoritative bool
- truncated bool
- recursionDesired bool
- recursionAvailable bool
- rcode int
+ id uint16
+ response bool
+ opcode int
+ authoritative bool
+ truncated bool
+ recursionDesired bool
+ recursionAvailable bool
+ rcode int
 }
 func (h *dnsMsgHdr) Walk(f func(v interface{}, name, tag string) bool) bool {
diff --git a/sgfw/ipc.go b/sgfw/ipc.go
index 8c80036..cabe8f8 100644
--- a/sgfw/ipc.go
+++ b/sgfw/ipc.go
@@ -1,31 +1,29 @@ package sgfw import ( + "bufio" + "errors" "fmt" "net" "os" - "bufio" - "strings" "strconv" - "errors" + "strings" - "github.com/subgraph/oz/ipc" + "github.com/subgraph/oz/ipc" ) const ReceiverSocketPath = "/var/run/fw-daemon/fwoz.sock" - type OzInitProc struct { - Name string - Pid int + Name string + Pid int SandboxID int } var OzInitPids []OzInitProc = []OzInitProc{} - func addInitPid(pid int, name string, sboxid int) { -fmt.Println("::::::::::: init pid added: ", pid, " -> ", name) + fmt.Println("::::::::::: init pid added: ", pid, " -> ", name) for i := 0; i < len(OzInitPids); i++ { if OzInitPids[i].Pid == pid { return @@ -37,7 +35,7 @@ fmt.Println("::::::::::: init pid added: ", pid, " -> ", name) } func removeInitPid(pid int) { -fmt.Println("::::::::::: removing PID: ", pid) + fmt.Println("::::::::::: removing PID: ", pid) for i := 0; i < len(OzInitPids); i++ { if OzInitPids[i].Pid == pid { OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:]...) @@ -63,7 +61,7 @@ func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost, dstport string) e } func removeAllByIP(fw *Firewall, srcip string) bool { -log.Notice("XXX: Attempting to remove all rules associated with Oz interface: ", srcip) + log.Notice("XXX: Attempting to remove all rules associated with Oz interface: ", srcip) saddr := net.ParseIP(srcip) if saddr == nil { @@ -73,13 +71,13 @@ log.Notice("XXX: Attempting to remove all rules associated with Oz interface: ", policy := fw.PolicyForPath("*") nrm := 0 - for _, rr := range policy.rules { + for _, rr := range policy.rules { if rr.saddr != nil && rr.saddr.Equal(saddr) { log.Notice("XXX: removing ephemeral rules by Oz interface ", srcip, ": ", rr) policy.removeRule(rr) nrm++ } - } + } if nrm == 0 { log.Notice("XXX: did not remove any rules for interface") 
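Review bot: removeAllByIP ranges over `policy.rules` and calls `policy.removeRule(rr)` from inside the loop; if removeRule compacts the slice in place the way removeInitPid does a few lines up in this same hunk (`append(x[:i], x[i+1:]...)`), the element that shifts into the freed slot is skipped and the range keeps reading the original length, so not every rule for the interface is removed. Collecting the matches first and removing them after the loop avoids that, and `nrm` can then come from the collected count. The loop also reads `policy.rules` without `policy.lock`, which processPathLine in rules.go takes before touching the same field — presumably the same guard is wanted here. removeAllByIP's body continues past the hunk.
```go
	var doomed RuleList
	for _, rr := range policy.rules {
		if rr.saddr != nil && rr.saddr.Equal(saddr) {
			doomed = append(doomed, rr)
		}
	}
	for _, rr := range doomed {
		log.Notice("XXX: removing ephemeral rules by Oz interface ", srcip, ": ", rr)
		policy.removeRule(rr)
	}
	nrm := len(doomed)
	// … unchanged: nrm == 0 logging …
```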
@@ -102,10 +100,10 @@ func ReceiverLoop(fw *Firewall, c net.Conn) { data := string(buf) - log.Notice("Received incoming IPC:",data) + log.Notice("Received incoming IPC:", data) if data[len(data)-1] == '\n' { - data = data[0:len(data)-1] + data = data[0 : len(data)-1] } if data == "dump" { @@ -141,18 +139,18 @@ func ReceiverLoop(fw *Firewall, c net.Conn) { c.Write([]byte(ruledesc)) } -/* for i := 0; i < len(sandboxRules); i++ { - rulestr := "" + /* for i := 0; i < len(sandboxRules); i++ { + rulestr := "" - if sandboxRules[i].Whitelist { - rulestr += "whitelist" - } else { - rulestr += "blacklist" - } + if sandboxRules[i].Whitelist { + rulestr += "whitelist" + } else { + rulestr += "blacklist" + } - rulestr += " " + sandboxRules[i].SrcIf.String() + " -> " + sandboxRules[i].DstIP.String() + " : " + strconv.Itoa(int(sandboxRules[i].DstPort)) + "\n" - c.Write([]byte(rulestr)) - } */ + rulestr += " " + sandboxRules[i].SrcIf.String() + " -> " + sandboxRules[i].DstIP.String() + " : " + strconv.Itoa(int(sandboxRules[i].DstPort)) + "\n" + c.Write([]byte(rulestr)) + } */ return } else { @@ -166,7 +164,7 @@ func ReceiverLoop(fw *Firewall, c net.Conn) { if tokens[0] == "register-init" && len(tokens) >= 3 { initp := tokens[1] - + initpid, err := strconv.Atoi(initp) if err != nil { @@ -177,7 +175,7 @@ func ReceiverLoop(fw *Firewall, c net.Conn) { sboxid, err := strconv.Atoi(tokens[3]) if err != nil { - log.Notice("IPC received invalid oz sbox number: ",tokens[3]) + log.Notice("IPC received invalid oz sbox number: ", tokens[3]) log.Notice("Data: %v", data) c.Write([]byte("Bad command: sandbox id was invalid")) return 
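Review bot: The `register-init` branch guards with `len(tokens) >= 3` but the following hunk reads `tokens[3]`, so a message with exactly three tokens indexes past the slice and panics; ReceiverLoop runs as its own goroutine (`go ReceiverLoop(fw, fd)` in OzReceiver), so an unrecovered panic there ends the whole daemon. Unless a further length check sits in the four lines between the two hunks, which by their count look like the Atoi error-return block, the guard should read `if tokens[0] == "register-init" && len(tokens) >= 4 {`. In the first hunk `data[len(data)-1]` panics the same way on an empty read; `data = strings.TrimSuffix(data, "\n")` covers that and replaces the three-line if. `log.Notice("Data: %v", data)` passes a verb to the non-formatting variant and will print a literal `%v`; use `log.Noticef`. ReceiverLoop begins and ends outside these hunks.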
@@ -234,30 +232,30 @@ func ReceiverLoop(fw *Firewall, c net.Conn) { if srcip == nil { log.Notice("IP conversion failed: ", srchost) - srcip = net.IP{0,0,0,0} + srcip = net.IP{0, 0, 0, 0} } dstport := tokens[4] dstp, err := strconv.Atoi(dstport) - if dstport != "*" && (err != nil || dstp < 0 || dstp > 65535) { + if dstport != "*" && (err != nil || dstp < 0 || dstp > 65535) { log.Notice("IPC received invalid destination port: ", tokens[4]) c.Write([]byte("Bad command: dst port was invalid")) return } -/* initp := tokens[5] - initpid, err := strconv.Atoi(initp) + /* initp := tokens[5] + initpid, err := strconv.Atoi(initp) - if err != nil { - log.Notice("IPC received invalid oz-init pid: ", initp) - c.Write([]byte("Bad command: init pid was invalid")) - return - } */ + if err != nil { + log.Notice("IPC received invalid oz-init pid: ", initp) + c.Write([]byte("Bad command: init pid was invalid")) + return + } */ if add { log.Noticef("Adding new rule to oz sandbox/fw: %v / %v -> %v : %v", w, srchost, dsthost, dstport) -// addInitPid(initpid) + // addInitPid(initpid) err := addFWRule(fw, w, srchost, dsthost, dstport) if err != nil { log.Error("Error adding dynamic OZ firewall rule to fw-daemon: ", err) @@ -268,13 +266,11 @@ func ReceiverLoop(fw *Firewall, c net.Conn) { log.Notice("Removing new rule from oz sandbox/fw... ") } - log.Notice("IPC received command: " + data) c.Write([]byte("OK.\n")) return } - } } @@ -303,7 +299,7 @@ func OzReceiver(fw *Firewall) { os.Remove(ReceiverSocketPath) lfd, err := net.Listen("unix", ReceiverSocketPath) if err != nil { - log.Fatal("Could not open oz receiver socket:", err) + log.Fatal("Could not open oz receiver socket:", err) } for { @@ -313,11 +309,10 @@ func OzReceiver(fw *Firewall) { } go ReceiverLoop(fw, fd) - } + } } - type ListProxiesMsg struct { _ string "ListProxies" } 
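Review bot: When `net.ParseIP(srchost)` fails the code logs "IP conversion failed", substitutes `net.IP{0, 0, 0, 0}` and carries on, whereas the invalid-port case three lines lower replies `Bad command` and returns; the unparseable source then still reaches `addFWRule(fw, w, srchost, dsthost, dstport)` as the raw string, so it should presumably take the same reject path unless 0.0.0.0 is deliberately a wildcard further down. The large commented-out `initp := tokens[5]` block is dead and would be better deleted than re-indented. In OzReceiver, `os.Remove` followed by `net.Listen("unix", ReceiverSocketPath)` creates the socket under the process umask, so the directory's permissions are what decide who may issue add-rule commands; a comment stating that assumption on the Listen line would help whoever audits it. OzReceiver's loop and ReceiverLoop both extend beyond their hunks.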
@@ -339,11 +334,12 @@ func ListProxies() ([]string, error) {
 }
 const OzSocketName = "@oz-control"
+
 var bSockName = OzSocketName
 var messageFactory = ipc.NewMsgFactory(
- new(ListProxiesMsg),
- new(ListProxiesResp),
+ new(ListProxiesMsg),
+ new(ListProxiesResp),
 )
 func clientConnect() (*ipc.MsgConn, error) {
diff --git a/sgfw/log.go b/sgfw/log.go
index 54b1111..f91f0a8 100644
--- a/sgfw/log.go
+++ b/sgfw/log.go
@@ -1,10 +1,10 @@
 package sgfw
 import (
+ "fmt"
 "os"
 "syscall"
 "unsafe"
- "fmt"
 "github.com/op/go-logging"
 )
diff --git a/sgfw/policy.go b/sgfw/policy.go
index 8c61f72..39e7c01 100644
--- a/sgfw/policy.go
+++ b/sgfw/policy.go
@@ -175,7 +175,7 @@ func (pp *pendingPkt) print() string {
 type Policy struct {
 fw *Firewall
 path string
- sandbox string
+ sandbox string
 application string
 icon string
 rules RuleList
@@ -194,7 +194,7 @@ func (fw *Firewall) PolicyForPath(path string) *Policy {
 func (fw *Firewall) PolicyForPathAndSandbox(path string, sandbox string) *Policy {
 fw.lock.Lock()
 defer fw.lock.Unlock()
-
+
 return fw.policyForPathAndSandbox(path, sandbox)
 }
@@ -212,7 +212,7 @@ func (fw *Firewall) policyForPathAndSandbox(path string, sandbox string) *Policy
 p.icon = entry.icon
 }
 fw.policyMap[policykey] = p
- log.Infof("Creating new policy for path and sandbox: %s\n",policykey)
+ log.Infof("Creating new policy for path and sandbox: %s\n", policykey)
 fw.policies = append(fw.policies, p)
 }
 return fw.policyMap[policykey]
@@ -502,7 +502,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
 return
 } */
- policy := fw.PolicyForPathAndSandbox(ppath,pinfo.Sandbox)
+ policy := fw.PolicyForPathAndSandbox(ppath, pinfo.Sandbox)
 //log.Notice("XXX: flunked basicallowpacket; policy = ", policy)
 policy.processPacket(pkt, pinfo, optstring)
 }
diff --git a/sgfw/prompt.go b/sgfw/prompt.go
index 2e662f4..b929b73 100644
--- a/sgfw/prompt.go
+++ b/sgfw/prompt.go
@@ -13,9 +13,10 @@ import ( "github.com/subgraph/fw-daemon/proc-coroner" ) - var DoMultiPrompt = true + const MAX_PROMPTS = 3 + var outstandingPrompts = 0 var promptLock = &sync.Mutex{} @@ -39,12 +40,12 @@ type prompter struct { func (p *prompter) prompt(policy *Policy) { p.lock.Lock() defer p.lock.Unlock() - _, ok := p.policyMap[policy.sandbox + "|" + policy.path] + _, ok := p.policyMap[policy.sandbox+"|"+policy.path] if ok { return } - p.policyMap[policy.sandbox + "|" + policy.path] = policy - fmt.Println("Saving policy key:"+policy.sandbox + "|" + policy.path) + p.policyMap[policy.sandbox+"|"+policy.path] = policy + fmt.Println("Saving policy key:" + policy.sandbox + "|" + policy.path) p.policyQueue = append(p.policyQueue, policy) p.cond.Signal() } @@ -52,11 +53,11 @@ func (p *prompter) prompt(policy *Policy) { func (p *prompter) promptLoop() { p.lock.Lock() for { -fmt.Println("promptLoop() outer") + fmt.Println("promptLoop() outer") for p.processNextPacket() { -fmt.Println("promptLoop() inner") + fmt.Println("promptLoop() inner") } -fmt.Println("promptLoop() wait") + fmt.Println("promptLoop() wait") p.cond.Wait() } } @@ -78,7 +79,7 @@ func (p *prompter) processNextPacket() bool { empty := true for { pc, empty = p.nextConnection() -fmt.Println("processNextPacket() loop; empty = ", empty, " / pc = ", pc) + fmt.Println("processNextPacket() loop; empty = ", empty, " / pc = ", pc) if pc == nil && empty { return false } else if pc == nil { 
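Review bot: promptLoop and processNextPacket now write `fmt.Println("promptLoop() outer")`, `"promptLoop() inner"`, `"promptLoop() wait"` and the per-iteration `processNextPacket() loop; …` line straight to stdout on every pass of a busy loop, bypassing the package `log` logger that the rest of sgfw uses; they read as leftover debugging traces and should be removed or demoted to the logger's debug level so they can be filtered. `fmt.Println("Saving policy key:" + policy.sandbox + "|" + policy.path)` in prompt has the same problem. The `"|"`-joined key is built in three places on this line and in removePolicy; a small `func policyKey(p *Policy) string { return p.sandbox + "|" + p.path }` would keep the format in one spot. promptLoop and processNextPacket both continue outside their hunks.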
@@ -109,14 +110,14 @@ fmt.Println("processNextPacket() loop; empty = ", empty, " / pc = ", pc) outstandingPrompts++ fmt.Println("Incremented outstanding to ", outstandingPrompts) promptLock.Unlock() -// if !pc.getPrompting() { - pc.setPrompting(true) - go p.processConnection(pc) -// } + // if !pc.getPrompting() { + pc.setPrompting(true) + go p.processConnection(pc) + // } return true } -func processReturn (pc pendingConnection) { +func processReturn(pc pendingConnection) { promptLock.Lock() outstandingPrompts-- fmt.Println("Return decremented outstanding to ", outstandingPrompts) @@ -173,14 +174,14 @@ func (p *prompter) processConnection(pc pendingConnection) { return } - // the prompt sends: - // ALLOW|dest or DENY|dest - // - // rule string needs to be: - // VERB|dst|class|uid:gid|sandbox|[src] + // the prompt sends: + // ALLOW|dest or DENY|dest + // + // rule string needs to be: + // VERB|dst|class|uid:gid|sandbox|[src] - // sometimes there's a src - // this needs to be re-visited + // sometimes there's a src + // this needs to be re-visited toks := strings.Split(rule, "|") //verb := toks[0] @@ -190,19 +191,19 @@ func (p *prompter) processConnection(pc pendingConnection) { if len(toks) > 2 { sandbox = toks[2] } - - tempRule := fmt.Sprintf("%s|%s",toks[0],toks[1]) - if (pc.src() != nil && !pc.src().Equal(net.ParseIP("127.0.0.1")) && sandbox != "") { + tempRule := fmt.Sprintf("%s|%s", toks[0], toks[1]) + + if pc.src() != nil && !pc.src().Equal(net.ParseIP("127.0.0.1")) && sandbox != "" { //if !strings.HasSuffix(rule, "SYSTEM") && !strings.HasSuffix(rule, "||") { - //rule += "||" + //rule += "||" //} //ule += "|||" + pc.src().String() - - tempRule += "||-1:-1|"+sandbox+"|" + pc.src().String() + + tempRule += "||-1:-1|" + sandbox + "|" + pc.src().String() } else { - tempRule += "||-1:-1|"+sandbox+"|" + tempRule += "||-1:-1|" + sandbox + "|" } r, err := policy.parseRule(tempRule, false) if err != nil { 
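Review bot: `tempRule := fmt.Sprintf("%s|%s", toks[0], toks[1])` reads `toks[1]` with no length check visible in this hunk; `rule` is the string returned by the prompt over D-Bus, so a reply without a `|` would panic the daemon here unless the three lines between `toks := strings.Split(rule, "|")` in the previous hunk and this one already guard it. A `if len(toks) < 2 { … return }` ahead of the Sprintf, mirroring the `len(toks) > 2` check for sandbox, would make the parse self-contained. The commented-out `//rule += "||"` and `//ule += "|||" + pc.src().String()` fragments are dead code that this commit only re-indents; deleting them would be cleaner. processConnection starts and ends outside the hunk.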
@@ -270,7 +271,7 @@ func (p *prompter) removePolicy(policy *Policy) {
 }
 }
 p.policyQueue = newQueue
- delete(p.policyMap, policy.sandbox + "|" + policy.path)
+ delete(p.policyMap, policy.sandbox+"|"+policy.path)
 }
 var userMap = make(map[int]string)
diff --git a/sgfw/rules.go b/sgfw/rules.go
index c568ee6..1059605 100644
--- a/sgfw/rules.go
+++ b/sgfw/rules.go
@@ -169,7 +169,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 }
 // sandboxed := strings.HasPrefix(optstr, "SOCKS5|Tor / Sandbox")
 for _, r := range *rl {
- log.Notice("fuck ",r)
+ log.Notice("fuck ", r)
 nfqproto := ""
 log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid)
 log.Notice("r.saddr: ", r.saddr, "src: ", src, "sandboxed ", sandboxed, "optstr: ", optstr)
@@ -222,14 +222,14 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 result = FILTER_ALLOW
 return result
 /*
- if r.saddr != nil {
- return result
- }
+ if r.saddr != nil {
+ return result
+ }
 */
 } else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
 result = FILTER_ALLOW_TLSONLY
 return result
- }
+ }
 } else {
 log.Notice("+ MATCH FAILED")
 }
@@ -439,7 +439,7 @@ func savePolicy(f *os.File, p *Policy) {
 if !p.hasPersistentRules() {
 return
 }
- log.Warningf("p.path: ",p.path)
+ log.Warningf("p.path: ", p.path)
 if !writeLine(f, "["+p.sandbox+"|"+p.path+"]") {
 return
 }
@@ -495,7 +495,7 @@ func (fw *Firewall) loadRules() {
 func (fw *Firewall) processPathLine(line string) *Policy {
 pathLine := line[1 : len(line)-1]
 toks := strings.Split(pathLine, "|")
- policy := fw.policyForPathAndSandbox(toks[1],toks[0])
+ policy := fw.policyForPathAndSandbox(toks[1], toks[0])
 policy.lock.Lock()
 defer policy.lock.Unlock()
 policy.rules = nil
diff --git a/sgfw/socks_server_chain.go b/sgfw/socks_server_chain.go
index 537879b..11b166f 100644
--- a/sgfw/socks_server_chain.go
+++ b/sgfw/socks_server_chain.go
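Review bot: `log.Warningf("p.path: ", p.path)` in savePolicy has no formatting directive, so the path is emitted as trailing `%!(EXTRA string=…)` noise; it should be `log.Warningf("p.path: %s", p.path)` or the non-f `log.Warning("p.path: ", p.path)`, and Warning is a high level for a trace of a routine save. In RuleList.filter, `log.Notice("fuck ", r)` together with the `------------ trying match` and `r.saddr:` lines logs every rule against every packet at Notice level, which floods the journal and ships unprofessional wording to syslog; they belong at debug level or should be removed. processPathLine's `toks[1]` after `strings.Split(pathLine, "|")` also trusts the rules file to contain a `|`, which a quick `len(toks) < 2` check would make explicit. All three functions extend beyond their hunks.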
@@ -8,8 +8,8 @@ import ( "time" "github.com/subgraph/go-procsnitch" - "strings" "strconv" + "strings" ) type socksChainConfig struct { @@ -17,7 +17,7 @@ type socksChainConfig struct { TargetSocksAddr string ListenSocksNet string ListenSocksAddr string - Name string + Name string } type socksChain struct { @@ -36,27 +36,27 @@ type socksChainSession struct { bndAddr *Address optData []byte procInfo procsnitch.ProcInfo - pinfo *procsnitch.Info + pinfo *procsnitch.Info server *socksChain } const ( - socksVerdictDrop = 1 - socksVerdictAccept = 2 + socksVerdictDrop = 1 + socksVerdictAccept = 2 socksVerdictAcceptTLSOnly = 3 ) type pendingSocksConnection struct { - pol *Policy - hname string - srcIP net.IP - destIP net.IP + pol *Policy + hname string + srcIP net.IP + destIP net.IP sourcePort uint16 - destPort uint16 - pinfo *procsnitch.Info - verdict chan int - prompting bool - optstr string + destPort uint16 + pinfo *procsnitch.Info + verdict chan int + prompting bool + optstr string } func (sc *pendingSocksConnection) sandbox() string { @@ -103,9 +103,9 @@ func (sc *pendingSocksConnection) deliverVerdict(v int) { func (sc *pendingSocksConnection) accept() { sc.deliverVerdict(socksVerdictAccept) } -// need to generalize special accept +// need to generalize special accept -func (sc *pendingSocksConnection) acceptTLSOnly() {sc.deliverVerdict(socksVerdictAcceptTLSOnly) } +func (sc *pendingSocksConnection) acceptTLSOnly() { sc.deliverVerdict(socksVerdictAcceptTLSOnly) } func (sc *pendingSocksConnection) drop() { sc.deliverVerdict(socksVerdictDrop) } 
@@ -172,7 +172,7 @@ func (c *socksChainSession) sessionWorker() { if len(c.req.Auth.Uname) == 0 && len(c.req.Auth.Passwd) == 0 { // Randomize username and password to force a new TOR circuit with each connection - rndbytes := []byte("sgfw" + strconv.Itoa(int(time.Now().UnixNano()) ^ os.Getpid())) + rndbytes := []byte("sgfw" + strconv.Itoa(int(time.Now().UnixNano())^os.Getpid())) c.req.Auth.Uname = rndbytes c.req.Auth.Passwd = rndbytes } @@ -230,7 +230,7 @@ func findProxyEndpoint(pdata []string, conn net.Conn) (*procsnitch.Info, string) s1, d1, s2, d2 := toks[0], toks[2], toks[3], toks[5] if strings.HasSuffix(d1, ",") { - d1 = d1[0:len(d1)-1] + d1 = d1[0 : len(d1)-1] } if conn.LocalAddr().String() == d2 && conn.RemoteAddr().String() == s2 { @@ -296,15 +296,15 @@ func (c *socksChainSession) filterConnect() (bool, bool) { optstr = "[Via SOCKS5: " + c.cfg.Name + "] " + optstr } - log.Warningf("Lookup policy for %v %v",pinfo.ExePath,pinfo.Sandbox) - policy := c.server.fw.PolicyForPathAndSandbox(GetRealRoot(pinfo.ExePath,pinfo.Pid),pinfo.Sandbox) + log.Warningf("Lookup policy for %v %v", pinfo.ExePath, pinfo.Sandbox) + policy := c.server.fw.PolicyForPathAndSandbox(GetRealRoot(pinfo.ExePath, pinfo.Pid), pinfo.Sandbox) hostname, ip, port := c.addressDetails() if ip == nil && hostname == "" { return false, false } result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo, optstr) - log.Errorf("result %v",result) + log.Errorf("result %v", result) switch result { case FILTER_DENY: return false, false @@ -315,7 +315,7 @@ func (c *socksChainSession) filterConnect() (bool, bool) { case FILTER_PROMPT: caddr := c.clientConn.RemoteAddr().String() caddrt := strings.Split(caddr, ":") - caddrIP := net.IP{0,0,0,0} + caddrIP := net.IP{0, 0, 0, 0} caddrPort := uint16(0) if len(caddrt) != 2 { diff --git a/sgfw/tlsguard.go b/sgfw/tlsguard.go index 84333be..9e0e348 100644 --- a/sgfw/tlsguard.go +++ b/sgfw/tlsguard.go 
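Review bot: In the `@@ -172` hunk the value assigned to `rndbytes` is not random despite the comment: `time.Now().UnixNano()^os.Getpid()` is a clock reading XORed with a fixed pid, so two sessions that start within the same clock tick get identical SOCKS credentials. If the purpose is Tor's per-credential stream isolation (as the comment states), identical credentials would share a circuit, which is exactly what the code is trying to avoid; `int(...)` also truncates the nanosecond value on 32-bit targets. A uniqueness guarantee is what matters here, e.g. 16 bytes from `crypto/rand` hex-encoded, or at minimum `strconv.FormatUint(atomic.AddUint64(&socksAuthSeq, 1), 10)` appended to the timestamp; either needs an import added outside this hunk. sessionWorker begins before and continues after the hunk.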
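Review bot: In the `@@ -296` hunk both `log.Warningf("Lookup policy for %v %v", ...)` and `log.Errorf("result %v", result)` are emitted for every routine policy lookup, so normal traffic is reported at warning and error severity and real failures are buried. `log.Debugf` is the appropriate level for both lines. filterConnect begins before this hunk and continues past it.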
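Review bot: In the `@@ -315` hunk the client address is split with `strings.Split(caddr, ":")` and then required to have exactly two parts, which is false for any IPv6 client (`[::1]:port` contains several colons), so such connections fall through the `len(caddrt) != 2` check and presumably keep the `net.IP{0, 0, 0, 0}` placeholder, attributing the prompt to 0.0.0.0 rather than the real source. `host, portStr, err := net.SplitHostPort(caddr)` handles both address families and strips the brackets; parse `host` with `net.ParseIP` afterwards. The rest of filterConnect lies outside the hunk.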
@@ -2,15 +2,14 @@ package sgfw import ( "crypto/x509" + "errors" "io" "net" - "errors" ) - func TLSGuard(conn, conn2 net.Conn, fqdn string) error { -// Should this be a requirement? -// if strings.HasSuffix(request.DestAddr.FQDN, "onion") { + // Should this be a requirement? + // if strings.HasSuffix(request.DestAddr.FQDN, "onion") { handshakeByte, err := readNBytes(conn, 1) if err != nil { @@ -118,7 +117,7 @@ func TLSGuard(conn, conn2 net.Conn, fqdn string) error { for remaining > 0 { certLen := int(int(pos[0])<<16 | int(pos[1])<<8 | int(pos[2])) -// fmt.Printf("Certs chain len %d, cert 1 len %d:\n", certChainLen, certLen) + // fmt.Printf("Certs chain len %d, cert 1 len %d:\n", certChainLen, certLen) cert := pos[3 : 3+certLen] certs, err := x509.ParseCertificates(cert) if remaining == certChainLen { @@ -143,18 +142,18 @@ func TLSGuard(conn, conn2 net.Conn, fqdn string) error { } else { valid = true } -// else if s == 0x0d { fmt.Printf("found a client cert request, sending buf to client\n") } + // else if s == 0x0d { fmt.Printf("found a client cert request, sending buf to client\n") } } else if s == 0x0e { sendToClient = true } else if s == 0x0d { sendToClient = true } -// fmt.Printf("Version bytes: %x %x\n", responseBuf[1], responseBuf[2]) -// fmt.Printf("Len bytes: %x %x\n", responseBuf[3], responseBuf[4]) -// fmt.Printf("Message type: %x\n", responseBuf[5]) -// fmt.Printf("Message len: %x %x %x\n", responseBuf[6], responseBuf[7], responseBuf[8]) -// fmt.Printf("Message body: %v\n", responseBuf[9:]) + // fmt.Printf("Version bytes: %x %x\n", responseBuf[1], responseBuf[2]) + // fmt.Printf("Len bytes: %x %x\n", responseBuf[3], responseBuf[4]) + // fmt.Printf("Message type: %x\n", responseBuf[5]) + // fmt.Printf("Message len: %x %x %x\n", responseBuf[6], responseBuf[7], responseBuf[8]) + // fmt.Printf("Message body: %v\n", responseBuf[9:]) conn.Write(responseBuf) responseBuf = []byte{} }
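Review bot: In the `@@ -118` hunk `certLen` is read from `pos[0..2]` and `cert := pos[3 : 3+certLen]` is sliced without verifying that `pos` holds three bytes or that `3+certLen` is within `len(pos)`; these lengths come from the remote TLS server, so a malformed Certificate message makes the slice expression panic and, unless something outside the hunk recovers, takes the guard down. The fix is a pair of bounds checks before the slice, returning an error like the rest of TLSGuard does (`errors` is already imported in this file). Whether `remaining` is reduced consistently with these checks is decided outside the hunk, and the loop's caller is also outside it.
```go
for remaining > 0 {
	if len(pos) < 3 {
		return errors.New("truncated certificate list")
	}
	certLen := int(pos[0])<<16 | int(pos[1])<<8 | int(pos[2])
	if 3+certLen > len(pos) {
		return errors.New("certificate length exceeds certificate message")
	}
	cert := pos[3 : 3+certLen]
	// … unchanged: x509.ParseCertificates and chain handling …
```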
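Review bot: In the `@@ -143` hunk the result of `conn.Write(responseBuf)` is discarded, so a failed or short write of the forwarded handshake record is never noticed and the loop continues parsing as if the client had received it. Check it and bail out like the other error paths in TLSGuard: `if _, err := conn.Write(responseBuf); err != nil { return err }`. The condition that sets `valid` in the else branch is outside the hunk, so I cannot tell from here what it is guarding.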