shw-merge
xSmurf 7 years ago
parent 68e6d57c9b
commit 6e6e265fae

@ -1,12 +1,12 @@
package main
import (
"fmt"
"flag"
"strconv"
"fmt"
"io"
"log"
"net"
"strconv"
)
const ReceiverSocketPath = "/var/run/fw-daemon/fwoz.sock"
@ -87,4 +87,3 @@ func main() {
}
}

@ -4,10 +4,9 @@ import (
"errors"
"github.com/godbus/dbus"
"log"
// "github.com/gotk3/gotk3/glib"
// "github.com/gotk3/gotk3/glib"
)
type dbusServer struct {
conn *dbus.Conn
run bool
@ -34,7 +33,6 @@ type promptData struct {
Action int
}
func newDbusServer() (*dbusServer, error) {
conn, err := dbus.SystemBus()
@ -75,6 +73,6 @@ func (ds *dbusServer) RequestPrompt(application, icon, path, address string, por
}
log.Print("Decision returned: ", decision.Rule)
decision.Cond.L.Unlock()
// glib.IdleAdd(func, data)
// glib.IdleAdd(func, data)
return int32(decision.Scope), decision.Rule, nil
}

@ -1,24 +1,22 @@
package main
import (
"github.com/gotk3/gotk3/gtk"
"encoding/json"
"errors"
"fmt"
"github.com/gotk3/gotk3/glib"
"github.com/gotk3/gotk3/gtk"
"io/ioutil"
"log"
"fmt"
"strings"
"strconv"
"os"
"io/ioutil"
"encoding/json"
"os/user"
"strconv"
"strings"
"sync"
"errors"
"github.com/subgraph/fw-daemon/sgfw"
)
type fpPreferences struct {
Winheight uint
Winwidth uint
@ -49,7 +47,6 @@ type ruleColumns struct {
Scope int
}
var userPrefs fpPreferences
var mainWin *gtk.Window
var Notebook *gtk.Notebook
@ -63,7 +60,6 @@ var radioOnce, radioProcess, radioParent, radioSession, radioPermanent *gtk.Radi
var btnApprove, btnDeny, btnIgnore *gtk.Button
var chkUser, chkGroup *gtk.CheckButton
func dumpDecisions() {
fmt.Println("XXX Total of decisions pending: ", len(decisionWaiters))
for i := 0; i < len(decisionWaiters); i++ {
@ -80,7 +76,7 @@ func addDecision() *decisionWaiter {
func promptInfo(msg string) {
dialog := gtk.MessageDialogNew(mainWin, 0, gtk.MESSAGE_INFO, gtk.BUTTONS_OK, "Displaying full log info:")
// dialog.SetDefaultGeometry(500, 200)
// dialog.SetDefaultGeometry(500, 200)
tv, err := gtk.TextViewNew()
@ -117,7 +113,7 @@ func promptInfo(msg string) {
dialog.ShowAll()
dialog.Run()
dialog.Destroy()
//self.set_default_size(150, 100)
//self.set_default_size(150, 100)
}
func promptChoice(msg string) int {
@ -137,7 +133,7 @@ func getConfigPath() string {
usr, err := user.Current()
if err != nil {
fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file:", err, "\n");
fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file:", err, "\n")
return ""
}
@ -149,7 +145,7 @@ func savePreferences() bool {
usr, err := user.Current()
if err != nil {
fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file:", err, "\n");
fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file:", err, "\n")
return false
}
@ -176,7 +172,7 @@ func loadPreferences() bool {
usr, err := user.Current()
if err != nil {
fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file: %v", err, "\n");
fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file: %v", err, "\n")
return false
}
@ -416,7 +412,7 @@ func setup_settings() {
fmt.Println("CLICKED")
if err != nil {
promptError("Unexpected error saving log file info: "+err.Error())
promptError("Unexpected error saving log file info: " + err.Error())
return
}
@ -508,7 +504,6 @@ func toggleValidRuleState() {
}
}
btnApprove.SetSensitive(ok)
btnDeny.SetSensitive(ok)
btnIgnore.SetSensitive(ok)
@ -554,7 +549,7 @@ func createCurrentRule() (ruleColumns, error) {
rule.UID, rule.GID = 0, 0
rule.Uname, rule.Gname = "", ""
/* Pid int
/* Pid int
Origin string */
return rule, nil
@ -690,7 +685,7 @@ func getSelectedRule() (ruleColumns, int, error) {
func main() {
decisionWaiters = make([]*decisionWaiter, 0)
_, err := newDbusServer();
_, err := newDbusServer()
if err != nil {
log.Fatal("Error:", err)
return
@ -751,7 +746,6 @@ func main() {
scrollbox.Add(box)
tv, err := gtk.TreeViewNew()
if err != nil {
@ -867,13 +861,13 @@ func main() {
btnApprove.Connect("clicked", func() {
rule, idx, err := getSelectedRule()
if err != nil {
promptError("Error occurred processing request: "+err.Error())
promptError("Error occurred processing request: " + err.Error())
return
}
rule, err = createCurrentRule()
if err != nil {
promptError("Error occurred constructing new rule: "+err.Error())
promptError("Error occurred constructing new rule: " + err.Error())
return
}
@ -886,20 +880,20 @@ func main() {
if err == nil {
clearEditor()
} else {
promptError("Error setting new rule: "+err.Error())
promptError("Error setting new rule: " + err.Error())
}
})
btnDeny.Connect("clicked", func() {
rule, idx, err := getSelectedRule()
if err != nil {
promptError("Error occurred processing request: "+err.Error())
promptError("Error occurred processing request: " + err.Error())
return
}
rule, err = createCurrentRule()
if err != nil {
promptError("Error occurred constructing new rule: "+err.Error())
promptError("Error occurred constructing new rule: " + err.Error())
return
}
@ -912,14 +906,14 @@ func main() {
if err == nil {
clearEditor()
} else {
promptError("Error setting new rule: "+err.Error())
promptError("Error setting new rule: " + err.Error())
}
})
btnIgnore.Connect("clicked", func() {
_, idx, err := getSelectedRule()
if err != nil {
promptError("Error occurred processing request: "+err.Error())
promptError("Error occurred processing request: " + err.Error())
return
}
@ -929,15 +923,15 @@ func main() {
if err == nil {
clearEditor()
} else {
promptError("Error setting new rule: "+err.Error())
promptError("Error setting new rule: " + err.Error())
}
})
// tv.SetActivateOnSingleClick(true)
// tv.SetActivateOnSingleClick(true)
tv.Connect("row-activated", func() {
seldata, _, err := getSelectedRule()
if err != nil {
promptError("Unexpected error reading selected rule: "+err.Error())
promptError("Unexpected error reading selected rule: " + err.Error())
return
}
@ -980,14 +974,13 @@ func main() {
return
})
scrollbox.SetSizeRequest(600, 400)
Notebook.AppendPage(scrollbox, nbLabel)
// setup_settings()
// setup_settings()
mainWin.Add(Notebook)
if userPrefs.Winheight > 0 && userPrefs.Winwidth > 0 {
// fmt.Printf("height was %d, width was %d\n", userPrefs.Winheight, userPrefs.Winwidth)
// fmt.Printf("height was %d, width was %d\n", userPrefs.Winheight, userPrefs.Winwidth)
mainWin.Resize(int(userPrefs.Winwidth), int(userPrefs.Winheight))
} else {
mainWin.SetDefaultSize(850, 450)
@ -998,6 +991,6 @@ func main() {
}
mainWin.ShowAll()
// mainWin.SetKeepAbove(true)
// mainWin.SetKeepAbove(true)
gtk.Main()
}
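Review bot: In the getConfigPath, savePreferences and loadPreferences hunks the `fmt.Fprintf(os.Stderr, ...)` calls pass `err` and `"\n"` as arguments to a format string that has no matching verbs, so the error is rendered as a `%!(EXTRA ...)` artifact rather than as a message (the loadPreferences variant has a `%v` for `err` but still an extra `"\n"` argument), and `go vet` flags all three. Each should read `fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file: %v\n", err)`. In the first main() hunk the `return` after `log.Fatal("Error:", err)` is unreachable, since Fatal exits the process. The enclosing functions for all of these hunks start and end outside the visible lines.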

@ -3,12 +3,11 @@ package main
import (
"errors"
"fmt"
"github.com/subgraph/fw-daemon/sgfw"
"github.com/godbus/dbus"
"github.com/gotk3/gotk3/glib"
"github.com/subgraph/fw-daemon/sgfw"
)
type dbusObject struct {
dbus.BusObject
}

@ -108,7 +108,7 @@ func repopulateWin() {
rlSystem.loadRules(sgfw.RULE_MODE_SYSTEM)
loadConfig(win, fwsbuilder, dbus)
// app.AddWindow(win)
// app.AddWindow(win)
win.ShowAll()
}
@ -179,7 +179,7 @@ func main() {
}
app.Connect("activate", activate)
_, err = newDbusServer();
_, err = newDbusServer()
if err != nil {
panic(fmt.Sprintf("Error initializing Dbus server: %v", err))

@ -3,8 +3,8 @@ package main
import (
"fmt"
"os"
"strings"
"strconv"
"strings"
"github.com/subgraph/fw-daemon/sgfw"
@ -122,7 +122,7 @@ func (rr *ruleRow) update() {
}
rr.gtkLabelApp.SetTooltipText(rr.rule.Path)
rr.gtkLabelVerb.SetText(getVerbText(rr.rule))
if (rr.rule.Proto == "tcp") {
if rr.rule.Proto == "tcp" {
rr.gtkLabelOrigin.SetText(rr.rule.Origin)
} else {
rr.gtkLabelOrigin.SetText(rr.rule.Origin + " (" + rr.rule.Proto + ")")

@ -2,15 +2,14 @@ package pcoroner
import (
"fmt"
"time"
"strings"
"os"
"strconv"
"strings"
"sync"
"os"
"syscall"
"time"
)
type WatchProcess struct {
Pid int
Inode uint64
@ -25,14 +24,11 @@ type CallbackEntry struct {
type procCB func(int, interface{})
var Callbacks []CallbackEntry
var pmutex = &sync.Mutex{}
var pidMap map[int]WatchProcess = make(map[int]WatchProcess)
func MonitorProcess(pid int) bool {
pmutex.Lock()
defer pmutex.Unlock()
@ -68,14 +64,14 @@ func AddCallback(cbfunc procCB, param interface{}) {
func MonitorThread(cbfunc procCB, param interface{}) {
for {
/* if len(pidMap) == 0 {
/* if len(pidMap) == 0 {
fmt.Println("TICK")
} else { fmt.Println("len = ", len(pidMap)) } */
pmutex.Lock()
pmutex.Unlock()
for pkey, pval := range pidMap {
// fmt.Printf("PID %v -> %v\n", pkey, pval)
// fmt.Printf("PID %v -> %v\n", pkey, pval)
res := checkProcess(&pval, false)
if !res {
@ -100,7 +96,7 @@ func checkProcess(proc *WatchProcess, init bool) bool {
ppath := fmt.Sprintf("/proc/%d/stat", proc.Pid)
f, err := os.Open(ppath)
if err != nil {
// fmt.Printf("Error opening path %s: %s\n", ppath, err)
// fmt.Printf("Error opening path %s: %s\n", ppath, err)
return false
}
defer f.Close()
@ -133,7 +129,7 @@ func checkProcess(proc *WatchProcess, init bool) bool {
}
bstr := string(buf[:])
// fmt.Println("sstr = ", bstr)
// fmt.Println("sstr = ", bstr)
fields := strings.Split(bstr, " ")
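Review bot: In the MonitorThread hunk, `pmutex.Lock()` is released immediately by `pmutex.Unlock()` before `for pkey, pval := range pidMap`, so the map is iterated without the lock that MonitorProcess takes while modifying it, which is a data race that `go test -race` will report. Copying the map into a local snapshot under the lock and ranging over the snapshot fixes that, and also keeps the loop well-defined if its body (which continues outside the hunk) deletes entries from pidMap. Note also that `pval` is a per-iteration copy because pidMap stores values, so any field updates checkProcess makes through `&pval` never reach the map — worth confirming that is intended.
```go
func MonitorThread(cbfunc procCB, param interface{}) {
	for {
		// Snapshot under the lock: MonitorProcess mutates pidMap while holding pmutex,
		// so ranging over the live map here without it is a data race.
		pmutex.Lock()
		snapshot := make(map[int]WatchProcess, len(pidMap))
		for k, v := range pidMap {
			snapshot[k] = v
		}
		pmutex.Unlock()
		for pkey, pval := range snapshot {
			res := checkProcess(&pval, false)
			// … unchanged: rest of the loop body …
```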

@ -12,17 +12,20 @@ const (
//RuleAction is the action to apply to a rule
type RuleAction uint16
const (
RULE_ACTION_DENY RuleAction = iota
RULE_ACTION_ALLOW
RULE_ACTION_ALLOW_TLSONLY
)
// RuleActionString is used to get a string from an action id
var RuleActionString = map[RuleAction]string{
RULE_ACTION_DENY: "DENY",
RULE_ACTION_ALLOW: "ALLOW",
RULE_ACTION_ALLOW_TLSONLY: "ALLOW_TLSONLY",
}
// RuleActionValue is used to get an action id using the action string
var RuleActionValue = map[string]RuleAction{
RuleActionString[RULE_ACTION_DENY]: RULE_ACTION_DENY,
@ -32,12 +35,14 @@ var RuleActionValue = map[string]RuleAction{
//RuleMode contains the time scope of a rule
type RuleMode uint16
const (
RULE_MODE_SESSION RuleMode = iota
RULE_MODE_PROCESS
RULE_MODE_PERMANENT
RULE_MODE_SYSTEM
)
// RuleModeString is used to get a rule mode string from its id
var RuleModeString = map[RuleMode]string{
RULE_MODE_SESSION: "SESSION",
@ -45,6 +50,7 @@ var RuleModeString = map[RuleMode]string{
RULE_MODE_PERMANENT: "PERMANENT",
RULE_MODE_SYSTEM: "SYSTEM",
}
// RuleModeValue converts a mode string to its id
var RuleModeValue = map[string]RuleMode{
RuleModeString[RULE_MODE_SESSION]: RULE_MODE_SESSION,
@ -55,12 +61,14 @@ var RuleModeValue = map[string]RuleMode{
//FilterScope contains a filter's time scope
type FilterScope uint16
const (
APPLY_ONCE FilterScope = iota
APPLY_SESSION
APPLY_PROCESS
APPLY_FOREVER
)
// FilterScopeString converts a filter scope ID to its string
var FilterScopeString = map[FilterScope]string{
APPLY_ONCE: "ONCE",
@ -68,6 +76,7 @@ var FilterScopeString = map[FilterScope]string{
APPLY_PROCESS: "PROCESS",
APPLY_FOREVER: "FOREVER",
}
// FilterScopeString converts a filter scope string to its ID
var FilterScopeValue = map[string]FilterScope{
FilterScopeString[APPLY_ONCE]: APPLY_ONCE,
@ -75,6 +84,7 @@ var FilterScopeValue = map[string]FilterScope{
FilterScopeString[APPLY_PROCESS]: APPLY_PROCESS,
FilterScopeString[APPLY_FOREVER]: APPLY_FOREVER,
}
// GetFilterScopeString is used to safely return a filter scope string
func GetFilterScopeString(scope FilterScope) string {
if val, ok := FilterScopeString[scope]; ok {
@ -82,6 +92,7 @@ func GetFilterScopeString(scope FilterScope) string {
}
return FilterScopeString[APPLY_SESSION]
}
// GetFilterScopeValue is used to safely return a filter scope ID
func GetFilterScopeValue(scope string) FilterScope {
scope = strings.ToUpper(scope)
@ -93,12 +104,14 @@ func GetFilterScopeValue(scope string) FilterScope {
//FilterResult contains the filtering resulting action
type FilterResult uint16
const (
FILTER_DENY FilterResult = iota
FILTER_ALLOW
FILTER_PROMPT
FILTER_ALLOW_TLSONLY
)
// FilterResultString converts a filter value ID to its string
var FilterResultString = map[FilterResult]string{
FILTER_DENY: "DENY",
@ -106,6 +119,7 @@ var FilterResultString = map[FilterResult]string{
FILTER_PROMPT: "PROMPT",
FILTER_ALLOW_TLSONLY: "ALLOW_TLSONLY",
}
// FilterResultValue converts a filter value string to its ID
var FilterResultValue = map[string]FilterResult{
FilterResultString[FILTER_DENY]: FILTER_DENY,
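Review bot: The new doc comment above `FilterScopeValue` reads `// FilterScopeString converts a filter scope string to its ID`, which names the neighbouring map instead of the declaration it sits on (a copy-paste slip) and so will not be picked up correctly by godoc; it should be `// FilterScopeValue converts a filter scope string to its ID`. While here, `GetFilterScopeString` substitutes the SESSION string for any unknown scope (`return FilterScopeString[APPLY_SESSION]`), and the new comment `// GetFilterScopeString is used to safely return a filter scope string` hides that fallback; something like `// GetFilterScopeString returns the string for scope, or the SESSION string when scope is not a known FilterScope.` tells callers what "safely" means. GetFilterScopeValue's body is cut off below the hunk, so I cannot tell whether it has a matching fallback to document.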

@ -62,7 +62,6 @@ func newDbusObjectPrompt() (*dbusObjectP, error) {
return &dbusObjectP{conn.Object("com.subgraph.fwprompt.EventNotifier", "/com/subgraph/fwprompt/EventNotifier")}, nil
}
type dbusServer struct {
fw *Firewall
conn *dbus.Conn

@ -1,17 +1,17 @@
package sgfw
import (
"encoding/binary"
"net"
"strings"
"sync"
"time"
"encoding/binary"
// "github.com/subgraph/go-nfnetlink"
// "github.com/subgraph/go-nfnetlink"
"github.com/google/gopacket/layers"
"github.com/subgraph/fw-daemon/proc-coroner"
nfqueue "github.com/subgraph/go-nfnetlink/nfqueue"
"github.com/subgraph/go-procsnitch"
"github.com/subgraph/fw-daemon/proc-coroner"
)
type dnsEntry struct {
@ -73,7 +73,7 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
return
}
}
//log.Notice("XXX: PROCESS LOOKUP -> ", pinfo)
//log.Notice("XXX: PROCESS LOOKUP -> ", pinfo)
dc.processRecordAddress(q.Name, dns.answer, pinfo.Pid)
return
}
@ -166,7 +166,7 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
entry, ok := dc.ipMap[pid][ip.String()]
if ok {
if now.Before(entry.exp) {
// log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
// log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
return entry.name
} else {
log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n",
@ -180,13 +180,13 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
if ok {
if now.Before(entry.exp) {
str = entry.name
// log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
// log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
} else {
log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n",
ip.String(), entry.name, entry.exp, entry.ttl)
}
}
//log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v\n", ip.String(), str)
//log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v\n", ip.String(), str)
return str
}

@ -1,20 +1,19 @@
package sgfw
import (
"bufio"
"errors"
"fmt"
"net"
"os"
"bufio"
"strings"
"strconv"
"errors"
"strings"
"github.com/subgraph/oz/ipc"
)
const ReceiverSocketPath = "/var/run/fw-daemon/fwoz.sock"
type OzInitProc struct {
Name string
Pid int
@ -23,9 +22,8 @@ type OzInitProc struct {
var OzInitPids []OzInitProc = []OzInitProc{}
func addInitPid(pid int, name string, sboxid int) {
fmt.Println("::::::::::: init pid added: ", pid, " -> ", name)
fmt.Println("::::::::::: init pid added: ", pid, " -> ", name)
for i := 0; i < len(OzInitPids); i++ {
if OzInitPids[i].Pid == pid {
return
@ -37,7 +35,7 @@ fmt.Println("::::::::::: init pid added: ", pid, " -> ", name)
}
func removeInitPid(pid int) {
fmt.Println("::::::::::: removing PID: ", pid)
fmt.Println("::::::::::: removing PID: ", pid)
for i := 0; i < len(OzInitPids); i++ {
if OzInitPids[i].Pid == pid {
OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:]...)
@ -63,7 +61,7 @@ func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost, dstport string) e
}
func removeAllByIP(fw *Firewall, srcip string) bool {
log.Notice("XXX: Attempting to remove all rules associated with Oz interface: ", srcip)
log.Notice("XXX: Attempting to remove all rules associated with Oz interface: ", srcip)
saddr := net.ParseIP(srcip)
if saddr == nil {
@ -102,10 +100,10 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
data := string(buf)
log.Notice("Received incoming IPC:",data)
log.Notice("Received incoming IPC:", data)
if data[len(data)-1] == '\n' {
data = data[0:len(data)-1]
data = data[0 : len(data)-1]
}
if data == "dump" {
@ -141,7 +139,7 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
c.Write([]byte(ruledesc))
}
/* for i := 0; i < len(sandboxRules); i++ {
/* for i := 0; i < len(sandboxRules); i++ {
rulestr := ""
if sandboxRules[i].Whitelist {
@ -177,7 +175,7 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
sboxid, err := strconv.Atoi(tokens[3])
if err != nil {
log.Notice("IPC received invalid oz sbox number: ",tokens[3])
log.Notice("IPC received invalid oz sbox number: ", tokens[3])
log.Notice("Data: %v", data)
c.Write([]byte("Bad command: sandbox id was invalid"))
return
@ -234,7 +232,7 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
if srcip == nil {
log.Notice("IP conversion failed: ", srchost)
srcip = net.IP{0,0,0,0}
srcip = net.IP{0, 0, 0, 0}
}
dstport := tokens[4]
@ -246,7 +244,7 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
return
}
/* initp := tokens[5]
/* initp := tokens[5]
initpid, err := strconv.Atoi(initp)
if err != nil {
@ -257,7 +255,7 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
if add {
log.Noticef("Adding new rule to oz sandbox/fw: %v / %v -> %v : %v", w, srchost, dsthost, dstport)
// addInitPid(initpid)
// addInitPid(initpid)
err := addFWRule(fw, w, srchost, dsthost, dstport)
if err != nil {
log.Error("Error adding dynamic OZ firewall rule to fw-daemon: ", err)
@ -268,13 +266,11 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
log.Notice("Removing new rule from oz sandbox/fw... ")
}
log.Notice("IPC received command: " + data)
c.Write([]byte("OK.\n"))
return
}
}
}
@ -317,7 +313,6 @@ func OzReceiver(fw *Firewall) {
}
type ListProxiesMsg struct {
_ string "ListProxies"
}
@ -339,6 +334,7 @@ func ListProxies() ([]string, error) {
}
const OzSocketName = "@oz-control"
var bSockName = OzSocketName
var messageFactory = ipc.NewMsgFactory(
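Review bot: In the ReceiverLoop hunk around `srcip = net.IP{0, 0, 0, 0}`, a source host that fails `net.ParseIP` is only logged and then replaced with 0.0.0.0, so the rule is still added with a zero source that addFWRule may well treat as a wildcard (its handling of that value is not visible here); for a firewall rule receiver the safer default is to reject the command the way an invalid sandbox id is rejected a few lines earlier, e.g. `c.Write([]byte("Bad command: source address was invalid")); return`. Two smaller issues in the same function: `log.Notice("Data: %v", data)` uses a format verb with the non-f variant (`go vet` flags it) and should be `log.Noticef("Data: %v", data)`, and `if data[len(data)-1] == '\n'` panics on an empty payload unless the read above the hunk guarantees at least one byte, so a `len(data) > 0` guard is cheap insurance. ReceiverLoop starts and ends outside the visible hunks.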

@ -1,10 +1,10 @@
package sgfw
import (
"fmt"
"os"
"syscall"
"unsafe"
"fmt"
"github.com/op/go-logging"
)

@ -212,7 +212,7 @@ func (fw *Firewall) policyForPathAndSandbox(path string, sandbox string) *Policy
p.icon = entry.icon
}
fw.policyMap[policykey] = p
log.Infof("Creating new policy for path and sandbox: %s\n",policykey)
log.Infof("Creating new policy for path and sandbox: %s\n", policykey)
fw.policies = append(fw.policies, p)
}
return fw.policyMap[policykey]
@ -502,7 +502,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
return
}
*/
policy := fw.PolicyForPathAndSandbox(ppath,pinfo.Sandbox)
policy := fw.PolicyForPathAndSandbox(ppath, pinfo.Sandbox)
//log.Notice("XXX: flunked basicallowpacket; policy = ", policy)
policy.processPacket(pkt, pinfo, optstring)
}

@ -13,9 +13,10 @@ import (
"github.com/subgraph/fw-daemon/proc-coroner"
)
var DoMultiPrompt = true
const MAX_PROMPTS = 3
var outstandingPrompts = 0
var promptLock = &sync.Mutex{}
@ -39,12 +40,12 @@ type prompter struct {
func (p *prompter) prompt(policy *Policy) {
p.lock.Lock()
defer p.lock.Unlock()
_, ok := p.policyMap[policy.sandbox + "|" + policy.path]
_, ok := p.policyMap[policy.sandbox+"|"+policy.path]
if ok {
return
}
p.policyMap[policy.sandbox + "|" + policy.path] = policy
fmt.Println("Saving policy key:"+policy.sandbox + "|" + policy.path)
p.policyMap[policy.sandbox+"|"+policy.path] = policy
fmt.Println("Saving policy key:" + policy.sandbox + "|" + policy.path)
p.policyQueue = append(p.policyQueue, policy)
p.cond.Signal()
}
@ -52,11 +53,11 @@ func (p *prompter) prompt(policy *Policy) {
func (p *prompter) promptLoop() {
p.lock.Lock()
for {
fmt.Println("promptLoop() outer")
fmt.Println("promptLoop() outer")
for p.processNextPacket() {
fmt.Println("promptLoop() inner")
fmt.Println("promptLoop() inner")
}
fmt.Println("promptLoop() wait")
fmt.Println("promptLoop() wait")
p.cond.Wait()
}
}
@ -78,7 +79,7 @@ func (p *prompter) processNextPacket() bool {
empty := true
for {
pc, empty = p.nextConnection()
fmt.Println("processNextPacket() loop; empty = ", empty, " / pc = ", pc)
fmt.Println("processNextPacket() loop; empty = ", empty, " / pc = ", pc)
if pc == nil && empty {
return false
} else if pc == nil {
@ -109,14 +110,14 @@ fmt.Println("processNextPacket() loop; empty = ", empty, " / pc = ", pc)
outstandingPrompts++
fmt.Println("Incremented outstanding to ", outstandingPrompts)
promptLock.Unlock()
// if !pc.getPrompting() {
// if !pc.getPrompting() {
pc.setPrompting(true)
go p.processConnection(pc)
// }
// }
return true
}
func processReturn (pc pendingConnection) {
func processReturn(pc pendingConnection) {
promptLock.Lock()
outstandingPrompts--
fmt.Println("Return decremented outstanding to ", outstandingPrompts)
@ -191,18 +192,18 @@ func (p *prompter) processConnection(pc pendingConnection) {
sandbox = toks[2]
}
tempRule := fmt.Sprintf("%s|%s",toks[0],toks[1])
tempRule := fmt.Sprintf("%s|%s", toks[0], toks[1])
if (pc.src() != nil && !pc.src().Equal(net.ParseIP("127.0.0.1")) && sandbox != "") {
if pc.src() != nil && !pc.src().Equal(net.ParseIP("127.0.0.1")) && sandbox != "" {
//if !strings.HasSuffix(rule, "SYSTEM") && !strings.HasSuffix(rule, "||") {
//rule += "||"
//}
//ule += "|||" + pc.src().String()
tempRule += "||-1:-1|"+sandbox+"|" + pc.src().String()
tempRule += "||-1:-1|" + sandbox + "|" + pc.src().String()
} else {
tempRule += "||-1:-1|"+sandbox+"|"
tempRule += "||-1:-1|" + sandbox + "|"
}
r, err := policy.parseRule(tempRule, false)
if err != nil {
@ -270,7 +271,7 @@ func (p *prompter) removePolicy(policy *Policy) {
}
}
p.policyQueue = newQueue
delete(p.policyMap, policy.sandbox + "|" + policy.path)
delete(p.policyMap, policy.sandbox+"|"+policy.path)
}
var userMap = make(map[int]string)
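Review bot: The promptLoop and processNextPacket hunks write `promptLoop() outer`, `promptLoop() inner`, `promptLoop() wait` and the per-connection `processNextPacket() loop; empty = ...` line with `fmt.Println` on every iteration, which goes to the daemon's stdout instead of the package logger used elsewhere (`log.Notice`, `log.Warningf`); these read as debugging leftovers and should be removed or routed through the logger at debug level, as should `fmt.Println("Saving policy key:" + ...)` in prompt and the counter prints in processReturn. In the processConnection hunk the rule is assembled by joining `toks[0]`, `toks[1]`, `sandbox` and `pc.src().String()` with `|` and then re-parsed by `policy.parseRule`; if `sandbox` (taken from `toks[2]`, whose origin is outside the hunk) can ever contain `|`, the parsed fields shift, so it is worth rejecting a sandbox name containing the separator, or building the rule value directly rather than round-tripping through the string form. The same hunk parses `net.ParseIP("127.0.0.1")` on every call; it can be a package-level variable.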

@ -169,7 +169,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
}
// sandboxed := strings.HasPrefix(optstr, "SOCKS5|Tor / Sandbox")
for _, r := range *rl {
log.Notice("fuck ",r)
log.Notice("fuck ", r)
nfqproto := ""
log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid)
log.Notice("r.saddr: ", r.saddr, "src: ", src, "sandboxed ", sandboxed, "optstr: ", optstr)
@ -439,7 +439,7 @@ func savePolicy(f *os.File, p *Policy) {
if !p.hasPersistentRules() {
return
}
log.Warningf("p.path: ",p.path)
log.Warningf("p.path: ", p.path)
if !writeLine(f, "["+p.sandbox+"|"+p.path+"]") {
return
}
@ -495,7 +495,7 @@ func (fw *Firewall) loadRules() {
func (fw *Firewall) processPathLine(line string) *Policy {
pathLine := line[1 : len(line)-1]
toks := strings.Split(pathLine, "|")
policy := fw.policyForPathAndSandbox(toks[1],toks[0])
policy := fw.policyForPathAndSandbox(toks[1], toks[0])
policy.lock.Lock()
defer policy.lock.Unlock()
policy.rules = nil
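Review bot: In the processPathLine hunk, `toks := strings.Split(pathLine, "|")` is followed by `fw.policyForPathAndSandbox(toks[1], toks[0])` without checking that the split produced two fields, so a persisted rules line of the form `[path]` with no `|` panics the daemon with an index-out-of-range while loading its configuration. A guard such as `if len(toks) != 2 { log.Warningf("malformed policy header line: %q", line); return nil }` avoids that, provided the caller in loadRules (outside the hunk) handles a nil return; otherwise the signature should grow an error. Separately, in the filter hunk `log.Notice("fuck ", r)` runs once per rule for every filtered packet and should be dropped, and `log.Warningf("p.path: ", p.path)` in savePolicy has an argument but no verb (`go vet` flags it) — `log.Warningf("p.path: %s", p.path)` if it is kept at all.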

@ -8,8 +8,8 @@ import (
"time"
"github.com/subgraph/go-procsnitch"
"strings"
"strconv"
"strings"
)
type socksChainConfig struct {
@ -105,7 +105,7 @@ func (sc *pendingSocksConnection) accept() { sc.deliverVerdict(socksVerdictAccep
// need to generalize special accept
func (sc *pendingSocksConnection) acceptTLSOnly() {sc.deliverVerdict(socksVerdictAcceptTLSOnly) }
func (sc *pendingSocksConnection) acceptTLSOnly() { sc.deliverVerdict(socksVerdictAcceptTLSOnly) }
func (sc *pendingSocksConnection) drop() { sc.deliverVerdict(socksVerdictDrop) }
@ -172,7 +172,7 @@ func (c *socksChainSession) sessionWorker() {
if len(c.req.Auth.Uname) == 0 && len(c.req.Auth.Passwd) == 0 {
// Randomize username and password to force a new TOR circuit with each connection
rndbytes := []byte("sgfw" + strconv.Itoa(int(time.Now().UnixNano()) ^ os.Getpid()))
rndbytes := []byte("sgfw" + strconv.Itoa(int(time.Now().UnixNano())^os.Getpid()))
c.req.Auth.Uname = rndbytes
c.req.Auth.Passwd = rndbytes
}
@ -230,7 +230,7 @@ func findProxyEndpoint(pdata []string, conn net.Conn) (*procsnitch.Info, string)
s1, d1, s2, d2 := toks[0], toks[2], toks[3], toks[5]
if strings.HasSuffix(d1, ",") {
d1 = d1[0:len(d1)-1]
d1 = d1[0 : len(d1)-1]
}
if conn.LocalAddr().String() == d2 && conn.RemoteAddr().String() == s2 {
@ -296,15 +296,15 @@ func (c *socksChainSession) filterConnect() (bool, bool) {
optstr = "[Via SOCKS5: " + c.cfg.Name + "] " + optstr
}
log.Warningf("Lookup policy for %v %v",pinfo.ExePath,pinfo.Sandbox)
policy := c.server.fw.PolicyForPathAndSandbox(GetRealRoot(pinfo.ExePath,pinfo.Pid),pinfo.Sandbox)
log.Warningf("Lookup policy for %v %v", pinfo.ExePath, pinfo.Sandbox)
policy := c.server.fw.PolicyForPathAndSandbox(GetRealRoot(pinfo.ExePath, pinfo.Pid), pinfo.Sandbox)
hostname, ip, port := c.addressDetails()
if ip == nil && hostname == "" {
return false, false
}
result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo, optstr)
log.Errorf("result %v",result)
log.Errorf("result %v", result)
switch result {
case FILTER_DENY:
return false, false
@ -315,7 +315,7 @@ func (c *socksChainSession) filterConnect() (bool, bool) {
case FILTER_PROMPT:
caddr := c.clientConn.RemoteAddr().String()
caddrt := strings.Split(caddr, ":")
caddrIP := net.IP{0,0,0,0}
caddrIP := net.IP{0, 0, 0, 0}
caddrPort := uint16(0)
if len(caddrt) != 2 {
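Review bot: In the sessionWorker hunk the comment says the SOCKS credentials are randomized, but `strconv.Itoa(int(time.Now().UnixNano())^os.Getpid())` is a deterministic function of the clock and pid: two connections created in the same nanosecond collide onto one circuit, and `int(...)` truncates the value on 32-bit targets. Since the token only needs to be unique per connection, read it from `crypto/rand` and hex-encode it; `crypto/rand` and `encoding/hex` are stdlib but would need adding to this file's import block, which is only partly visible here. The assignments to `c.req.Auth.Uname` and `c.req.Auth.Passwd` stay as they are; how a CSPRNG read failure should be reported depends on the function's existing error path, which is outside the hunk.
```go
if len(c.req.Auth.Uname) == 0 && len(c.req.Auth.Passwd) == 0 {
	// Unique per-connection SOCKS credentials so Tor isolates each connection's
	// circuit by SOCKS auth; a CSPRNG token avoids the clock/pid collisions.
	var tok [16]byte
	if _, err := rand.Read(tok[:]); err != nil {
		// … handle the read failure via the session's existing error path …
	}
	rndbytes := []byte("sgfw" + hex.EncodeToString(tok[:]))
	c.req.Auth.Uname = rndbytes
	c.req.Auth.Passwd = rndbytes
}
```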

@ -2,15 +2,14 @@ package sgfw
import (
"crypto/x509"
"errors"
"io"
"net"
"errors"
)
func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
// Should this be a requirement?
// if strings.HasSuffix(request.DestAddr.FQDN, "onion") {
// Should this be a requirement?
// if strings.HasSuffix(request.DestAddr.FQDN, "onion") {
handshakeByte, err := readNBytes(conn, 1)
if err != nil {
@ -118,7 +117,7 @@ func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
for remaining > 0 {
certLen := int(int(pos[0])<<16 | int(pos[1])<<8 | int(pos[2]))
// fmt.Printf("Certs chain len %d, cert 1 len %d:\n", certChainLen, certLen)
// fmt.Printf("Certs chain len %d, cert 1 len %d:\n", certChainLen, certLen)
cert := pos[3 : 3+certLen]
certs, err := x509.ParseCertificates(cert)
if remaining == certChainLen {
@ -143,18 +142,18 @@ func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
} else {
valid = true
}
// else if s == 0x0d { fmt.Printf("found a client cert request, sending buf to client\n") }
// else if s == 0x0d { fmt.Printf("found a client cert request, sending buf to client\n") }
} else if s == 0x0e {
sendToClient = true
} else if s == 0x0d {
sendToClient = true
}
// fmt.Printf("Version bytes: %x %x\n", responseBuf[1], responseBuf[2])
// fmt.Printf("Len bytes: %x %x\n", responseBuf[3], responseBuf[4])
// fmt.Printf("Message type: %x\n", responseBuf[5])
// fmt.Printf("Message len: %x %x %x\n", responseBuf[6], responseBuf[7], responseBuf[8])
// fmt.Printf("Message body: %v\n", responseBuf[9:])
// fmt.Printf("Version bytes: %x %x\n", responseBuf[1], responseBuf[2])
// fmt.Printf("Len bytes: %x %x\n", responseBuf[3], responseBuf[4])
// fmt.Printf("Message type: %x\n", responseBuf[5])
// fmt.Printf("Message len: %x %x %x\n", responseBuf[6], responseBuf[7], responseBuf[8])
// fmt.Printf("Message body: %v\n", responseBuf[9:])
conn.Write(responseBuf)
responseBuf = []byte{}
}
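Review bot: In the TLSGuard certificate-loop hunk, `certLen` is decoded from server-supplied handshake bytes and used directly in `cert := pos[3 : 3+certLen]` without checking it against the data actually buffered, so a malformed or truncated Certificate message makes the slice expression panic inside the guard instead of failing the connection cleanly; reading `pos[0]`..`pos[2]` has the same problem when fewer than three bytes remain. Add `if len(pos) < 3 || 3+certLen > len(pos) { return errors.New("tls guard: certificate length exceeds handshake data") }` before the slice (`errors` is already imported). The `x509.ParseCertificates` error on the following line should also be checked if that does not already happen further down; the loop body continues outside the hunk. Separately, the `s == 0x0e` and `s == 0x0d` branches in the later hunk do the same thing and can be merged into one condition.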
