shw-merge
xSmurf 7 years ago
parent 68e6d57c9b
commit 6e6e265fae

@ -1,12 +1,12 @@
package main
import (
"fmt"
"flag"
"strconv"
"fmt"
"io"
"log"
"net"
"strconv"
)
const ReceiverSocketPath = "/var/run/fw-daemon/fwoz.sock"
@ -19,8 +19,8 @@ func reader(r io.Reader) {
if err != nil {
return
}
fmt.Println(string(buf[0:n]))
}
fmt.Println(string(buf[0:n]))
}
}
func main() {
@ -87,4 +87,3 @@ func main() {
}
}

@ -4,13 +4,12 @@ import (
"errors"
"github.com/godbus/dbus"
"log"
// "github.com/gotk3/gotk3/glib"
// "github.com/gotk3/gotk3/glib"
)
type dbusServer struct {
conn *dbus.Conn
run bool
run bool
}
type promptData struct {
@ -34,7 +33,6 @@ type promptData struct {
Action int
}
func newDbusServer() (*dbusServer, error) {
conn, err := dbus.SystemBus()
@ -65,7 +63,7 @@ func newDbusServer() (*dbusServer, error) {
}
func (ds *dbusServer) RequestPrompt(application, icon, path, address string, port int32, ip, origin, proto string, uid, gid int32, username, groupname string, pid int32, sandbox string,
optstring string, expanded, expert bool, action int32) (int32, string, *dbus.Error) {
optstring string, expanded, expert bool, action int32) (int32, string, *dbus.Error) {
log.Printf("request prompt: app = %s, icon = %s, path = %s, address = %s, action = %v\n", application, icon, path, address, action)
decision := addRequest(nil, path, proto, int(pid), ip, address, int(port), int(uid), int(gid), origin, optstring, sandbox)
log.Print("Waiting on decision...")
@ -75,6 +73,6 @@ func (ds *dbusServer) RequestPrompt(application, icon, path, address string, por
}
log.Print("Decision returned: ", decision.Rule)
decision.Cond.L.Unlock()
// glib.IdleAdd(func, data)
// glib.IdleAdd(func, data)
return int32(decision.Scope), decision.Rule, nil
}

@ -1,37 +1,35 @@
package main
import (
"github.com/gotk3/gotk3/gtk"
"encoding/json"
"errors"
"fmt"
"github.com/gotk3/gotk3/glib"
"github.com/gotk3/gotk3/gtk"
"io/ioutil"
"log"
"fmt"
"strings"
"strconv"
"os"
"io/ioutil"
"encoding/json"
"os/user"
"strconv"
"strings"
"sync"
"errors"
"github.com/subgraph/fw-daemon/sgfw"
)
type fpPreferences struct {
Winheight uint
Winwidth uint
Wintop uint
Winleft uint
Winwidth uint
Wintop uint
Winleft uint
}
type decisionWaiter struct {
Cond *sync.Cond
Lock sync.Locker
Ready bool
Scope int
Rule string
Cond *sync.Cond
Lock sync.Locker
Ready bool
Scope int
Rule string
}
type ruleColumns struct {
@ -46,10 +44,9 @@ type ruleColumns struct {
Uname string
Gname string
Origin string
Scope int
Scope int
}
var userPrefs fpPreferences
var mainWin *gtk.Window
var Notebook *gtk.Notebook
@ -63,7 +60,6 @@ var radioOnce, radioProcess, radioParent, radioSession, radioPermanent *gtk.Radi
var btnApprove, btnDeny, btnIgnore *gtk.Button
var chkUser, chkGroup *gtk.CheckButton
func dumpDecisions() {
fmt.Println("XXX Total of decisions pending: ", len(decisionWaiters))
for i := 0; i < len(decisionWaiters); i++ {
@ -80,7 +76,7 @@ func addDecision() *decisionWaiter {
func promptInfo(msg string) {
dialog := gtk.MessageDialogNew(mainWin, 0, gtk.MESSAGE_INFO, gtk.BUTTONS_OK, "Displaying full log info:")
// dialog.SetDefaultGeometry(500, 200)
// dialog.SetDefaultGeometry(500, 200)
tv, err := gtk.TextViewNew()
@ -117,7 +113,7 @@ func promptInfo(msg string) {
dialog.ShowAll()
dialog.Run()
dialog.Destroy()
//self.set_default_size(150, 100)
//self.set_default_size(150, 100)
}
func promptChoice(msg string) int {
@ -137,7 +133,7 @@ func getConfigPath() string {
usr, err := user.Current()
if err != nil {
fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file:", err, "\n");
fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file:", err, "\n")
return ""
}
@ -149,7 +145,7 @@ func savePreferences() bool {
usr, err := user.Current()
if err != nil {
fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file:", err, "\n");
fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file:", err, "\n")
return false
}
@ -176,7 +172,7 @@ func loadPreferences() bool {
usr, err := user.Current()
if err != nil {
fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file: %v", err, "\n");
fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file: %v", err, "\n")
return false
}
@ -192,7 +188,7 @@ func loadPreferences() bool {
err = json.Unmarshal(jfile, &userPrefs)
if err != nil {
fmt.Fprintf(os.Stderr, "Error: could not load preferences data from file: %v", err, "\n")
fmt.Fprintf(os.Stderr, "Error: could not load preferences data from file: %v", err, "\n")
return false
}
@ -201,23 +197,23 @@ func loadPreferences() bool {
}
func get_hbox() *gtk.Box {
hbox, err := gtk.BoxNew(gtk.ORIENTATION_HORIZONTAL, 0)
hbox, err := gtk.BoxNew(gtk.ORIENTATION_HORIZONTAL, 0)
if err != nil {
log.Fatal("Unable to create horizontal box:", err)
}
if err != nil {
log.Fatal("Unable to create horizontal box:", err)
}
return hbox
return hbox
}
func get_vbox() *gtk.Box {
vbox, err := gtk.BoxNew(gtk.ORIENTATION_VERTICAL, 0)
vbox, err := gtk.BoxNew(gtk.ORIENTATION_VERTICAL, 0)
if err != nil {
log.Fatal("Unable to create vertical box:", err)
}
if err != nil {
log.Fatal("Unable to create vertical box:", err)
}
return vbox
return vbox
}
func get_checkbox(text string, activated bool) *gtk.CheckButton {
@ -416,7 +412,7 @@ func setup_settings() {
fmt.Println("CLICKED")
if err != nil {
promptError("Unexpected error saving log file info: "+err.Error())
promptError("Unexpected error saving log file info: " + err.Error())
return
}
@ -508,7 +504,6 @@ func toggleValidRuleState() {
}
}
btnApprove.SetSensitive(ok)
btnDeny.SetSensitive(ok)
btnIgnore.SetSensitive(ok)
@ -554,8 +549,8 @@ func createCurrentRule() (ruleColumns, error) {
rule.UID, rule.GID = 0, 0
rule.Uname, rule.Gname = "", ""
/* Pid int
Origin string */
/* Pid int
Origin string */
return rule, nil
}
@ -690,7 +685,7 @@ func getSelectedRule() (ruleColumns, int, error) {
func main() {
decisionWaiters = make([]*decisionWaiter, 0)
_, err := newDbusServer();
_, err := newDbusServer()
if err != nil {
log.Fatal("Error:", err)
return
@ -711,7 +706,7 @@ func main() {
mainWin.Connect("destroy", func() {
fmt.Println("Shutting down...")
savePreferences()
gtk.MainQuit()
gtk.MainQuit()
})
mainWin.Connect("configure-event", func() {
@ -751,7 +746,6 @@ func main() {
scrollbox.Add(box)
tv, err := gtk.TreeViewNew()
if err != nil {
@ -867,13 +861,13 @@ func main() {
btnApprove.Connect("clicked", func() {
rule, idx, err := getSelectedRule()
if err != nil {
promptError("Error occurred processing request: "+err.Error())
promptError("Error occurred processing request: " + err.Error())
return
}
rule, err = createCurrentRule()
if err != nil {
promptError("Error occurred constructing new rule: "+err.Error())
promptError("Error occurred constructing new rule: " + err.Error())
return
}
@ -886,20 +880,20 @@ func main() {
if err == nil {
clearEditor()
} else {
promptError("Error setting new rule: "+err.Error())
promptError("Error setting new rule: " + err.Error())
}
})
btnDeny.Connect("clicked", func() {
rule, idx, err := getSelectedRule()
if err != nil {
promptError("Error occurred processing request: "+err.Error())
promptError("Error occurred processing request: " + err.Error())
return
}
rule, err = createCurrentRule()
if err != nil {
promptError("Error occurred constructing new rule: "+err.Error())
promptError("Error occurred constructing new rule: " + err.Error())
return
}
@ -912,14 +906,14 @@ func main() {
if err == nil {
clearEditor()
} else {
promptError("Error setting new rule: "+err.Error())
promptError("Error setting new rule: " + err.Error())
}
})
btnIgnore.Connect("clicked", func() {
_, idx, err := getSelectedRule()
if err != nil {
promptError("Error occurred processing request: "+err.Error())
promptError("Error occurred processing request: " + err.Error())
return
}
@ -929,15 +923,15 @@ func main() {
if err == nil {
clearEditor()
} else {
promptError("Error setting new rule: "+err.Error())
promptError("Error setting new rule: " + err.Error())
}
})
// tv.SetActivateOnSingleClick(true)
// tv.SetActivateOnSingleClick(true)
tv.Connect("row-activated", func() {
seldata, _, err := getSelectedRule()
if err != nil {
promptError("Unexpected error reading selected rule: "+err.Error())
promptError("Unexpected error reading selected rule: " + err.Error())
return
}
@ -980,14 +974,13 @@ func main() {
return
})
scrollbox.SetSizeRequest(600, 400)
Notebook.AppendPage(scrollbox, nbLabel)
// setup_settings()
// setup_settings()
mainWin.Add(Notebook)
if userPrefs.Winheight > 0 && userPrefs.Winwidth > 0 {
// fmt.Printf("height was %d, width was %d\n", userPrefs.Winheight, userPrefs.Winwidth)
// fmt.Printf("height was %d, width was %d\n", userPrefs.Winheight, userPrefs.Winwidth)
mainWin.Resize(int(userPrefs.Winwidth), int(userPrefs.Winheight))
} else {
mainWin.SetDefaultSize(850, 450)
@ -998,6 +991,6 @@ func main() {
}
mainWin.ShowAll()
// mainWin.SetKeepAbove(true)
// mainWin.SetKeepAbove(true)
gtk.Main()
}
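Review bot: The error reports in `getConfigPath`, `savePreferences` and `loadPreferences` pass `err` and a separate `"\n"` argument to a format string that has no verb (or only one), so `go vet` flags them and the error only appears inside `%!(EXTRA …)` noise on stderr. Write them as `fmt.Fprintf(os.Stderr, "Error: could not determine location of user preferences file: %v\n", err)` and `fmt.Fprintf(os.Stderr, "Error: could not load preferences data from file: %v\n", err)`. The commit only drops the trailing semicolons on those lines, and each of the three functions starts before its hunk.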

@ -3,12 +3,11 @@ package main
import (
"errors"
"fmt"
"github.com/subgraph/fw-daemon/sgfw"
"github.com/godbus/dbus"
"github.com/gotk3/gotk3/glib"
"github.com/subgraph/fw-daemon/sgfw"
)
type dbusObject struct {
dbus.BusObject
}
@ -19,7 +18,7 @@ type dbusObjectP struct {
type dbusServer struct {
conn *dbus.Conn
run bool
run bool
}
func newDbusObject() (*dbusObject, error) {
@ -114,5 +113,5 @@ func (ds *dbusServer) Alert(data string) *dbus.Error {
}
func (ob *dbusObjectP) alertRule(data string) {
ob.Call("com.subgraph.fwprompt.EventNotifier.Alert", 0, data)
ob.Call("com.subgraph.fwprompt.EventNotifier.Alert", 0, data)
}

@ -108,7 +108,7 @@ func repopulateWin() {
rlSystem.loadRules(sgfw.RULE_MODE_SYSTEM)
loadConfig(win, fwsbuilder, dbus)
// app.AddWindow(win)
// app.AddWindow(win)
win.ShowAll()
}
@ -179,11 +179,11 @@ func main() {
}
app.Connect("activate", activate)
_, err = newDbusServer();
_, err = newDbusServer()
if err != nil {
panic(fmt.Sprintf("Error initializing Dbus server: %v", err))
}
}
app.Run(os.Args)
}

@ -3,8 +3,8 @@ package main
import (
"fmt"
"os"
"strings"
"strconv"
"strings"
"github.com/subgraph/fw-daemon/sgfw"
@ -122,7 +122,7 @@ func (rr *ruleRow) update() {
}
rr.gtkLabelApp.SetTooltipText(rr.rule.Path)
rr.gtkLabelVerb.SetText(getVerbText(rr.rule))
if (rr.rule.Proto == "tcp") {
if rr.rule.Proto == "tcp" {
rr.gtkLabelOrigin.SetText(rr.rule.Origin)
} else {
rr.gtkLabelOrigin.SetText(rr.rule.Origin + " (" + rr.rule.Proto + ")")

@ -2,15 +2,14 @@ package pcoroner
import (
"fmt"
"time"
"strings"
"os"
"strconv"
"strings"
"sync"
"os"
"syscall"
"time"
)
type WatchProcess struct {
Pid int
Inode uint64
@ -25,14 +24,11 @@ type CallbackEntry struct {
type procCB func(int, interface{})
var Callbacks []CallbackEntry
var pmutex = &sync.Mutex{}
var pidMap map[int]WatchProcess = make(map[int]WatchProcess)
func MonitorProcess(pid int) bool {
pmutex.Lock()
defer pmutex.Unlock()
@ -68,14 +64,14 @@ func AddCallback(cbfunc procCB, param interface{}) {
func MonitorThread(cbfunc procCB, param interface{}) {
for {
/* if len(pidMap) == 0 {
fmt.Println("TICK")
} else { fmt.Println("len = ", len(pidMap)) } */
/* if len(pidMap) == 0 {
fmt.Println("TICK")
} else { fmt.Println("len = ", len(pidMap)) } */
pmutex.Lock()
pmutex.Unlock()
for pkey, pval := range pidMap {
// fmt.Printf("PID %v -> %v\n", pkey, pval)
// fmt.Printf("PID %v -> %v\n", pkey, pval)
res := checkProcess(&pval, false)
if !res {
@ -100,7 +96,7 @@ func checkProcess(proc *WatchProcess, init bool) bool {
ppath := fmt.Sprintf("/proc/%d/stat", proc.Pid)
f, err := os.Open(ppath)
if err != nil {
// fmt.Printf("Error opening path %s: %s\n", ppath, err)
// fmt.Printf("Error opening path %s: %s\n", ppath, err)
return false
}
defer f.Close()
@ -133,7 +129,7 @@ func checkProcess(proc *WatchProcess, init bool) bool {
}
bstr := string(buf[:])
// fmt.Println("sstr = ", bstr)
// fmt.Println("sstr = ", bstr)
fields := strings.Split(bstr, " ")
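Review bot: `MonitorThread` takes `pmutex` and releases it immediately, then ranges over `pidMap` with no lock held while `MonitorProcess` mutates the same map under the lock; Go treats concurrent map iteration and write as a fatal runtime error, not a recoverable panic, so this can take down the whole process that embeds the package. The empty lock/unlock pair has no synchronising effect on the loop that follows it. Iterate over a snapshot taken under the lock instead, and keep any `delete(pidMap, pkey)` in the loop body (which runs past the end of this hunk) under `pmutex` as well.
```go
	for {
		// Copy the watch list under the lock; MonitorProcess writes pidMap concurrently.
		pmutex.Lock()
		snapshot := make(map[int]WatchProcess, len(pidMap))
		for k, v := range pidMap {
			snapshot[k] = v
		}
		pmutex.Unlock()
		for pkey, pval := range snapshot {
			res := checkProcess(&pval, false)
			// … unchanged: !res handling (take pmutex around any delete(pidMap, pkey)) …
```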

@ -12,32 +12,37 @@ const (
//RuleAction is the action to apply to a rule
type RuleAction uint16
const (
RULE_ACTION_DENY RuleAction = iota
RULE_ACTION_ALLOW
RULE_ACTION_ALLOW_TLSONLY
)
// RuleActionString is used to get a string from an action id
var RuleActionString = map[RuleAction]string{
RULE_ACTION_DENY: "DENY",
RULE_ACTION_ALLOW: "ALLOW",
RULE_ACTION_DENY: "DENY",
RULE_ACTION_ALLOW: "ALLOW",
RULE_ACTION_ALLOW_TLSONLY: "ALLOW_TLSONLY",
}
// RuleActionValue is used to get an action id using the action string
var RuleActionValue = map[string]RuleAction{
RuleActionString[RULE_ACTION_DENY]: RULE_ACTION_DENY,
RuleActionString[RULE_ACTION_ALLOW]: RULE_ACTION_ALLOW,
RuleActionString[RULE_ACTION_DENY]: RULE_ACTION_DENY,
RuleActionString[RULE_ACTION_ALLOW]: RULE_ACTION_ALLOW,
RuleActionString[RULE_ACTION_ALLOW_TLSONLY]: RULE_ACTION_ALLOW_TLSONLY,
}
//RuleMode contains the time scope of a rule
type RuleMode uint16
const (
RULE_MODE_SESSION RuleMode = iota
RULE_MODE_PROCESS
RULE_MODE_PERMANENT
RULE_MODE_SYSTEM
)
// RuleModeString is used to get a rule mode string from its id
var RuleModeString = map[RuleMode]string{
RULE_MODE_SESSION: "SESSION",
@ -45,6 +50,7 @@ var RuleModeString = map[RuleMode]string{
RULE_MODE_PERMANENT: "PERMANENT",
RULE_MODE_SYSTEM: "SYSTEM",
}
// RuleModeValue converts a mode string to its id
var RuleModeValue = map[string]RuleMode{
RuleModeString[RULE_MODE_SESSION]: RULE_MODE_SESSION,
@ -55,12 +61,14 @@ var RuleModeValue = map[string]RuleMode{
//FilterScope contains a filter's time scope
type FilterScope uint16
const (
APPLY_ONCE FilterScope = iota
APPLY_SESSION
APPLY_PROCESS
APPLY_FOREVER
)
// FilterScopeString converts a filter scope ID to its string
var FilterScopeString = map[FilterScope]string{
APPLY_ONCE: "ONCE",
@ -68,6 +76,7 @@ var FilterScopeString = map[FilterScope]string{
APPLY_PROCESS: "PROCESS",
APPLY_FOREVER: "FOREVER",
}
// FilterScopeString converts a filter scope string to its ID
var FilterScopeValue = map[string]FilterScope{
FilterScopeString[APPLY_ONCE]: APPLY_ONCE,
@ -75,6 +84,7 @@ var FilterScopeValue = map[string]FilterScope{
FilterScopeString[APPLY_PROCESS]: APPLY_PROCESS,
FilterScopeString[APPLY_FOREVER]: APPLY_FOREVER,
}
// GetFilterScopeString is used to safely return a filter scope string
func GetFilterScopeString(scope FilterScope) string {
if val, ok := FilterScopeString[scope]; ok {
@ -82,6 +92,7 @@ func GetFilterScopeString(scope FilterScope) string {
}
return FilterScopeString[APPLY_SESSION]
}
// GetFilterScopeValue is used to safely return a filter scope ID
func GetFilterScopeValue(scope string) FilterScope {
scope = strings.ToUpper(scope)
@ -93,24 +104,27 @@ func GetFilterScopeValue(scope string) FilterScope {
//FilterResult contains the filtering resulting action
type FilterResult uint16
const (
FILTER_DENY FilterResult = iota
FILTER_ALLOW
FILTER_PROMPT
FILTER_ALLOW_TLSONLY
)
// FilterResultString converts a filter value ID to its string
var FilterResultString = map[FilterResult]string{
FILTER_DENY: "DENY",
FILTER_ALLOW: "ALLOW",
FILTER_PROMPT: "PROMPT",
FILTER_DENY: "DENY",
FILTER_ALLOW: "ALLOW",
FILTER_PROMPT: "PROMPT",
FILTER_ALLOW_TLSONLY: "ALLOW_TLSONLY",
}
// FilterResultValue converts a filter value string to its ID
var FilterResultValue = map[string]FilterResult{
FilterResultString[FILTER_DENY]: FILTER_DENY,
FilterResultString[FILTER_ALLOW]: FILTER_ALLOW,
FilterResultString[FILTER_PROMPT]: FILTER_PROMPT,
FilterResultString[FILTER_DENY]: FILTER_DENY,
FilterResultString[FILTER_ALLOW]: FILTER_ALLOW,
FilterResultString[FILTER_PROMPT]: FILTER_PROMPT,
FilterResultString[FILTER_ALLOW_TLSONLY]: FILTER_ALLOW_TLSONLY,
}
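Review bot: The doc comment added above `FilterScopeValue` names the wrong identifier: it reads `// FilterScopeString converts a filter scope string to its ID` while the variable declared on the next line is `FilterScopeValue`, so godoc will attach a misnamed comment to it. It should read `// FilterScopeValue converts a filter scope string to its ID`. The reverse maps (`RuleActionValue`, `FilterScopeValue`, `FilterResultValue`) are keyed by indexing the `*String` maps, which silently keys on the empty string if an enum member is ever left out of the forward map; a one-line comment stating that every member must appear in both maps would help whoever adds the next action.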

@ -62,7 +62,6 @@ func newDbusObjectPrompt() (*dbusObjectP, error) {
return &dbusObjectP{conn.Object("com.subgraph.fwprompt.EventNotifier", "/com/subgraph/fwprompt/EventNotifier")}, nil
}
type dbusServer struct {
fw *Firewall
conn *dbus.Conn

@ -1,23 +1,23 @@
package sgfw
import (
"encoding/binary"
"net"
"strings"
"sync"
"time"
"encoding/binary"
// "github.com/subgraph/go-nfnetlink"
// "github.com/subgraph/go-nfnetlink"
"github.com/google/gopacket/layers"
"github.com/subgraph/fw-daemon/proc-coroner"
nfqueue "github.com/subgraph/go-nfnetlink/nfqueue"
"github.com/subgraph/go-procsnitch"
"github.com/subgraph/fw-daemon/proc-coroner"
)
type dnsEntry struct {
name string
ttl uint32
exp time.Time
ttl uint32
exp time.Time
}
type dnsCache struct {
@ -66,14 +66,14 @@ func (dc *dnsCache) processDNS(pkt *nfqueue.NFQPacket) {
srcip, _ := getPacketIPAddrs(pkt)
pinfo := getEmptyPInfo()
if !isNSTrusted(srcip) {
pinfo, _ = findProcessForPacket(pkt, true, procsnitch.MATCH_LOOSEST)
pinfo, _ = findProcessForPacket(pkt, true, procsnitch.MATCH_LOOSEST)
if pinfo == nil {
log.Warningf("Skipping attempted DNS cache entry for process that can't be found: %v -> %v\n", q.Name, dns.answer)
return
}
}
//log.Notice("XXX: PROCESS LOOKUP -> ", pinfo)
//log.Notice("XXX: PROCESS LOOKUP -> ", pinfo)
dc.processRecordAddress(q.Name, dns.answer, pinfo.Pid)
return
}
@ -166,7 +166,7 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
entry, ok := dc.ipMap[pid][ip.String()]
if ok {
if now.Before(entry.exp) {
// log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
// log.Noticef("XXX: LOOKUP on %v / %v = %v, ttl = %v / %v\n", pid, ip.String(), entry.name, entry.ttl, entry.exp)
return entry.name
} else {
log.Warningf("Skipping expired per-pid (%d) DNS cache entry: %s -> %s / exp. %v (%ds)\n",
@ -180,13 +180,13 @@ func (dc *dnsCache) Lookup(ip net.IP, pid int) string {
if ok {
if now.Before(entry.exp) {
str = entry.name
// log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
// log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v, ttl = %v / %v\n", ip.String(), str, entry.ttl, entry.exp)
} else {
log.Warningf("Skipping expired global DNS cache entry: %s -> %s / exp. %v (%ds)\n",
ip.String(), entry.name, entry.exp, entry.ttl)
}
}
//log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v\n", ip.String(), str)
//log.Noticef("XXX: LOOKUP on %v / 0 RETURNING %v\n", ip.String(), str)
return str
}

@ -758,14 +758,14 @@ func unpackRR(msg []byte, off int) (rr dnsRR, off1 int, ok bool) {
// A manually-unpacked version of (id, bits).
// This is in its own struct for easy printing.
type dnsMsgHdr struct {
id uint16
response bool
opcode int
authoritative bool
truncated bool
recursionDesired bool
recursionAvailable bool
rcode int
id uint16
response bool
opcode int
authoritative bool
truncated bool
recursionDesired bool
recursionAvailable bool
rcode int
}
func (h *dnsMsgHdr) Walk(f func(v interface{}, name, tag string) bool) bool {

@ -1,31 +1,29 @@
package sgfw
import (
"bufio"
"errors"
"fmt"
"net"
"os"
"bufio"
"strings"
"strconv"
"errors"
"strings"
"github.com/subgraph/oz/ipc"
"github.com/subgraph/oz/ipc"
)
const ReceiverSocketPath = "/var/run/fw-daemon/fwoz.sock"
type OzInitProc struct {
Name string
Pid int
Name string
Pid int
SandboxID int
}
var OzInitPids []OzInitProc = []OzInitProc{}
func addInitPid(pid int, name string, sboxid int) {
fmt.Println("::::::::::: init pid added: ", pid, " -> ", name)
fmt.Println("::::::::::: init pid added: ", pid, " -> ", name)
for i := 0; i < len(OzInitPids); i++ {
if OzInitPids[i].Pid == pid {
return
@ -37,7 +35,7 @@ fmt.Println("::::::::::: init pid added: ", pid, " -> ", name)
}
func removeInitPid(pid int) {
fmt.Println("::::::::::: removing PID: ", pid)
fmt.Println("::::::::::: removing PID: ", pid)
for i := 0; i < len(OzInitPids); i++ {
if OzInitPids[i].Pid == pid {
OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:]...)
@ -63,7 +61,7 @@ func addFWRule(fw *Firewall, whitelist bool, srchost, dsthost, dstport string) e
}
func removeAllByIP(fw *Firewall, srcip string) bool {
log.Notice("XXX: Attempting to remove all rules associated with Oz interface: ", srcip)
log.Notice("XXX: Attempting to remove all rules associated with Oz interface: ", srcip)
saddr := net.ParseIP(srcip)
if saddr == nil {
@ -73,13 +71,13 @@ log.Notice("XXX: Attempting to remove all rules associated with Oz interface: ",
policy := fw.PolicyForPath("*")
nrm := 0
for _, rr := range policy.rules {
for _, rr := range policy.rules {
if rr.saddr != nil && rr.saddr.Equal(saddr) {
log.Notice("XXX: removing ephemeral rules by Oz interface ", srcip, ": ", rr)
policy.removeRule(rr)
nrm++
}
}
}
if nrm == 0 {
log.Notice("XXX: did not remove any rules for interface")
@ -102,10 +100,10 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
data := string(buf)
log.Notice("Received incoming IPC:",data)
log.Notice("Received incoming IPC:", data)
if data[len(data)-1] == '\n' {
data = data[0:len(data)-1]
data = data[0 : len(data)-1]
}
if data == "dump" {
@ -141,18 +139,18 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
c.Write([]byte(ruledesc))
}
/* for i := 0; i < len(sandboxRules); i++ {
rulestr := ""
/* for i := 0; i < len(sandboxRules); i++ {
rulestr := ""
if sandboxRules[i].Whitelist {
rulestr += "whitelist"
} else {
rulestr += "blacklist"
}
if sandboxRules[i].Whitelist {
rulestr += "whitelist"
} else {
rulestr += "blacklist"
}
rulestr += " " + sandboxRules[i].SrcIf.String() + " -> " + sandboxRules[i].DstIP.String() + " : " + strconv.Itoa(int(sandboxRules[i].DstPort)) + "\n"
c.Write([]byte(rulestr))
} */
rulestr += " " + sandboxRules[i].SrcIf.String() + " -> " + sandboxRules[i].DstIP.String() + " : " + strconv.Itoa(int(sandboxRules[i].DstPort)) + "\n"
c.Write([]byte(rulestr))
} */
return
} else {
@ -177,7 +175,7 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
sboxid, err := strconv.Atoi(tokens[3])
if err != nil {
log.Notice("IPC received invalid oz sbox number: ",tokens[3])
log.Notice("IPC received invalid oz sbox number: ", tokens[3])
log.Notice("Data: %v", data)
c.Write([]byte("Bad command: sandbox id was invalid"))
return
@ -234,30 +232,30 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
if srcip == nil {
log.Notice("IP conversion failed: ", srchost)
srcip = net.IP{0,0,0,0}
srcip = net.IP{0, 0, 0, 0}
}
dstport := tokens[4]
dstp, err := strconv.Atoi(dstport)
if dstport != "*" && (err != nil || dstp < 0 || dstp > 65535) {
if dstport != "*" && (err != nil || dstp < 0 || dstp > 65535) {
log.Notice("IPC received invalid destination port: ", tokens[4])
c.Write([]byte("Bad command: dst port was invalid"))
return
}
/* initp := tokens[5]
initpid, err := strconv.Atoi(initp)
/* initp := tokens[5]
initpid, err := strconv.Atoi(initp)
if err != nil {
log.Notice("IPC received invalid oz-init pid: ", initp)
c.Write([]byte("Bad command: init pid was invalid"))
return
} */
if err != nil {
log.Notice("IPC received invalid oz-init pid: ", initp)
c.Write([]byte("Bad command: init pid was invalid"))
return
} */
if add {
log.Noticef("Adding new rule to oz sandbox/fw: %v / %v -> %v : %v", w, srchost, dsthost, dstport)
// addInitPid(initpid)
// addInitPid(initpid)
err := addFWRule(fw, w, srchost, dsthost, dstport)
if err != nil {
log.Error("Error adding dynamic OZ firewall rule to fw-daemon: ", err)
@ -268,13 +266,11 @@ func ReceiverLoop(fw *Firewall, c net.Conn) {
log.Notice("Removing new rule from oz sandbox/fw... ")
}
log.Notice("IPC received command: " + data)
c.Write([]byte("OK.\n"))
return
}
}
}
@ -303,7 +299,7 @@ func OzReceiver(fw *Firewall) {
os.Remove(ReceiverSocketPath)
lfd, err := net.Listen("unix", ReceiverSocketPath)
if err != nil {
log.Fatal("Could not open oz receiver socket:", err)
log.Fatal("Could not open oz receiver socket:", err)
}
for {
@ -313,11 +309,10 @@ func OzReceiver(fw *Firewall) {
}
go ReceiverLoop(fw, fd)
}
}
}
type ListProxiesMsg struct {
_ string "ListProxies"
}
@ -339,11 +334,12 @@ func ListProxies() ([]string, error) {
}
const OzSocketName = "@oz-control"
var bSockName = OzSocketName
var messageFactory = ipc.NewMsgFactory(
new(ListProxiesMsg),
new(ListProxiesResp),
new(ListProxiesMsg),
new(ListProxiesResp),
)
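Review bot: `OzReceiver` removes and re-creates `/var/run/fw-daemon/fwoz.sock` with `net.Listen` and never restricts who may connect: there is no `os.Chmod` on the socket, no peer-credential check in `ReceiverLoop`, and the `add` path hands whatever a peer sends to `addFWRule` as a whitelist rule, so unless the `fw-daemon` directory itself is mode-restricted (not visible here) any local user can open holes in the firewall. Create the socket under a restrictive umask or chmod it right after `Listen`, e.g. `if err := os.Chmod(ReceiverSocketPath, 0600); err != nil { log.Fatal("Could not restrict oz receiver socket:", err) }`, and consider verifying the peer uid via `SO_PEERCRED` before acting on commands. `OzReceiver` begins before this hunk. The receive loop also discards the result of every `c.Write`, so a vanished peer is never noticed.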
func clientConnect() (*ipc.MsgConn, error) {

@ -1,10 +1,10 @@
package sgfw
import (
"fmt"
"os"
"syscall"
"unsafe"
"fmt"
"github.com/op/go-logging"
)

@ -175,7 +175,7 @@ func (pp *pendingPkt) print() string {
type Policy struct {
fw *Firewall
path string
sandbox string
sandbox string
application string
icon string
rules RuleList
@ -212,7 +212,7 @@ func (fw *Firewall) policyForPathAndSandbox(path string, sandbox string) *Policy
p.icon = entry.icon
}
fw.policyMap[policykey] = p
log.Infof("Creating new policy for path and sandbox: %s\n",policykey)
log.Infof("Creating new policy for path and sandbox: %s\n", policykey)
fw.policies = append(fw.policies, p)
}
return fw.policyMap[policykey]
@ -502,7 +502,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
return
}
*/
policy := fw.PolicyForPathAndSandbox(ppath,pinfo.Sandbox)
policy := fw.PolicyForPathAndSandbox(ppath, pinfo.Sandbox)
//log.Notice("XXX: flunked basicallowpacket; policy = ", policy)
policy.processPacket(pkt, pinfo, optstring)
}

@ -13,9 +13,10 @@ import (
"github.com/subgraph/fw-daemon/proc-coroner"
)
var DoMultiPrompt = true
const MAX_PROMPTS = 3
var outstandingPrompts = 0
var promptLock = &sync.Mutex{}
@ -39,12 +40,12 @@ type prompter struct {
func (p *prompter) prompt(policy *Policy) {
p.lock.Lock()
defer p.lock.Unlock()
_, ok := p.policyMap[policy.sandbox + "|" + policy.path]
_, ok := p.policyMap[policy.sandbox+"|"+policy.path]
if ok {
return
}
p.policyMap[policy.sandbox + "|" + policy.path] = policy
fmt.Println("Saving policy key:"+policy.sandbox + "|" + policy.path)
p.policyMap[policy.sandbox+"|"+policy.path] = policy
fmt.Println("Saving policy key:" + policy.sandbox + "|" + policy.path)
p.policyQueue = append(p.policyQueue, policy)
p.cond.Signal()
}
@ -52,11 +53,11 @@ func (p *prompter) prompt(policy *Policy) {
func (p *prompter) promptLoop() {
p.lock.Lock()
for {
fmt.Println("promptLoop() outer")
fmt.Println("promptLoop() outer")
for p.processNextPacket() {
fmt.Println("promptLoop() inner")
fmt.Println("promptLoop() inner")
}
fmt.Println("promptLoop() wait")
fmt.Println("promptLoop() wait")
p.cond.Wait()
}
}
@ -78,7 +79,7 @@ func (p *prompter) processNextPacket() bool {
empty := true
for {
pc, empty = p.nextConnection()
fmt.Println("processNextPacket() loop; empty = ", empty, " / pc = ", pc)
fmt.Println("processNextPacket() loop; empty = ", empty, " / pc = ", pc)
if pc == nil && empty {
return false
} else if pc == nil {
@ -109,14 +110,14 @@ fmt.Println("processNextPacket() loop; empty = ", empty, " / pc = ", pc)
outstandingPrompts++
fmt.Println("Incremented outstanding to ", outstandingPrompts)
promptLock.Unlock()
// if !pc.getPrompting() {
pc.setPrompting(true)
go p.processConnection(pc)
// }
// if !pc.getPrompting() {
pc.setPrompting(true)
go p.processConnection(pc)
// }
return true
}
func processReturn (pc pendingConnection) {
func processReturn(pc pendingConnection) {
promptLock.Lock()
outstandingPrompts--
fmt.Println("Return decremented outstanding to ", outstandingPrompts)
@ -173,14 +174,14 @@ func (p *prompter) processConnection(pc pendingConnection) {
return
}
// the prompt sends:
// ALLOW|dest or DENY|dest
//
// rule string needs to be:
// VERB|dst|class|uid:gid|sandbox|[src]
// the prompt sends:
// ALLOW|dest or DENY|dest
//
// rule string needs to be:
// VERB|dst|class|uid:gid|sandbox|[src]
// sometimes there's a src
// this needs to be re-visited
// sometimes there's a src
// this needs to be re-visited
toks := strings.Split(rule, "|")
//verb := toks[0]
@ -191,18 +192,18 @@ func (p *prompter) processConnection(pc pendingConnection) {
sandbox = toks[2]
}
tempRule := fmt.Sprintf("%s|%s",toks[0],toks[1])
tempRule := fmt.Sprintf("%s|%s", toks[0], toks[1])
if (pc.src() != nil && !pc.src().Equal(net.ParseIP("127.0.0.1")) && sandbox != "") {
if pc.src() != nil && !pc.src().Equal(net.ParseIP("127.0.0.1")) && sandbox != "" {
//if !strings.HasSuffix(rule, "SYSTEM") && !strings.HasSuffix(rule, "||") {
//rule += "||"
//rule += "||"
//}
//ule += "|||" + pc.src().String()
tempRule += "||-1:-1|"+sandbox+"|" + pc.src().String()
tempRule += "||-1:-1|" + sandbox + "|" + pc.src().String()
} else {
tempRule += "||-1:-1|"+sandbox+"|"
tempRule += "||-1:-1|" + sandbox + "|"
}
r, err := policy.parseRule(tempRule, false)
if err != nil {
@ -270,7 +271,7 @@ func (p *prompter) removePolicy(policy *Policy) {
}
}
p.policyQueue = newQueue
delete(p.policyMap, policy.sandbox + "|" + policy.path)
delete(p.policyMap, policy.sandbox+"|"+policy.path)
}
var userMap = make(map[int]string)

@ -169,7 +169,7 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
}
// sandboxed := strings.HasPrefix(optstr, "SOCKS5|Tor / Sandbox")
for _, r := range *rl {
log.Notice("fuck ",r)
log.Notice("fuck ", r)
nfqproto := ""
log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid)
log.Notice("r.saddr: ", r.saddr, "src: ", src, "sandboxed ", sandboxed, "optstr: ", optstr)
@ -222,14 +222,14 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
result = FILTER_ALLOW
return result
/*
if r.saddr != nil {
return result
}
if r.saddr != nil {
return result
}
*/
} else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
result = FILTER_ALLOW_TLSONLY
return result
}
}
} else {
log.Notice("+ MATCH FAILED")
}
@ -439,7 +439,7 @@ func savePolicy(f *os.File, p *Policy) {
if !p.hasPersistentRules() {
return
}
log.Warningf("p.path: ",p.path)
log.Warningf("p.path: ", p.path)
if !writeLine(f, "["+p.sandbox+"|"+p.path+"]") {
return
}
@ -495,7 +495,7 @@ func (fw *Firewall) loadRules() {
func (fw *Firewall) processPathLine(line string) *Policy {
pathLine := line[1 : len(line)-1]
toks := strings.Split(pathLine, "|")
policy := fw.policyForPathAndSandbox(toks[1],toks[0])
policy := fw.policyForPathAndSandbox(toks[1], toks[0])
policy.lock.Lock()
defer policy.lock.Unlock()
policy.rules = nil
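Review bot: `processPathLine` indexes `toks[1]` and `toks[0]` straight after `strings.Split(pathLine, "|")` with no check that the bracketed header contained a `|`, so a rules line such as `[/usr/bin/foo]` (a hand-edited or older-format file) makes the daemon panic with an index-out-of-range while loading rules. Guard it before the lookup: `if len(toks) != 2 { log.Warningf("malformed policy header %q", pathLine); return nil }` — the callers are outside this hunk, so confirm they tolerate a nil policy; the function itself continues past the end of the hunk. Separately, `log.Warningf("p.path: ", p.path)` in `savePolicy` passes an argument to a format string with no verb (`log.Warningf("p.path: %s", p.path)` was meant), and `log.Notice("fuck ", r)` in `filter` fires once per rule per packet and should be removed.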

@ -8,8 +8,8 @@ import (
"time"
"github.com/subgraph/go-procsnitch"
"strings"
"strconv"
"strings"
)
type socksChainConfig struct {
@ -17,7 +17,7 @@ type socksChainConfig struct {
TargetSocksAddr string
ListenSocksNet string
ListenSocksAddr string
Name string
Name string
}
type socksChain struct {
@ -36,27 +36,27 @@ type socksChainSession struct {
bndAddr *Address
optData []byte
procInfo procsnitch.ProcInfo
pinfo *procsnitch.Info
pinfo *procsnitch.Info
server *socksChain
}
const (
socksVerdictDrop = 1
socksVerdictAccept = 2
socksVerdictDrop = 1
socksVerdictAccept = 2
socksVerdictAcceptTLSOnly = 3
)
type pendingSocksConnection struct {
pol *Policy
hname string
srcIP net.IP
destIP net.IP
pol *Policy
hname string
srcIP net.IP
destIP net.IP
sourcePort uint16
destPort uint16
pinfo *procsnitch.Info
verdict chan int
prompting bool
optstr string
destPort uint16
pinfo *procsnitch.Info
verdict chan int
prompting bool
optstr string
}
func (sc *pendingSocksConnection) sandbox() string {
@ -105,7 +105,7 @@ func (sc *pendingSocksConnection) accept() { sc.deliverVerdict(socksVerdictAccep
// need to generalize special accept
func (sc *pendingSocksConnection) acceptTLSOnly() {sc.deliverVerdict(socksVerdictAcceptTLSOnly) }
func (sc *pendingSocksConnection) acceptTLSOnly() { sc.deliverVerdict(socksVerdictAcceptTLSOnly) }
func (sc *pendingSocksConnection) drop() { sc.deliverVerdict(socksVerdictDrop) }
@ -172,7 +172,7 @@ func (c *socksChainSession) sessionWorker() {
if len(c.req.Auth.Uname) == 0 && len(c.req.Auth.Passwd) == 0 {
// Randomize username and password to force a new TOR circuit with each connection
rndbytes := []byte("sgfw" + strconv.Itoa(int(time.Now().UnixNano()) ^ os.Getpid()))
rndbytes := []byte("sgfw" + strconv.Itoa(int(time.Now().UnixNano())^os.Getpid()))
c.req.Auth.Uname = rndbytes
c.req.Auth.Passwd = rndbytes
}
@ -230,7 +230,7 @@ func findProxyEndpoint(pdata []string, conn net.Conn) (*procsnitch.Info, string)
s1, d1, s2, d2 := toks[0], toks[2], toks[3], toks[5]
if strings.HasSuffix(d1, ",") {
d1 = d1[0:len(d1)-1]
d1 = d1[0 : len(d1)-1]
}
if conn.LocalAddr().String() == d2 && conn.RemoteAddr().String() == s2 {
@ -296,15 +296,15 @@ func (c *socksChainSession) filterConnect() (bool, bool) {
optstr = "[Via SOCKS5: " + c.cfg.Name + "] " + optstr
}
log.Warningf("Lookup policy for %v %v",pinfo.ExePath,pinfo.Sandbox)
policy := c.server.fw.PolicyForPathAndSandbox(GetRealRoot(pinfo.ExePath,pinfo.Pid),pinfo.Sandbox)
log.Warningf("Lookup policy for %v %v", pinfo.ExePath, pinfo.Sandbox)
policy := c.server.fw.PolicyForPathAndSandbox(GetRealRoot(pinfo.ExePath, pinfo.Pid), pinfo.Sandbox)
hostname, ip, port := c.addressDetails()
if ip == nil && hostname == "" {
return false, false
}
result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo, optstr)
log.Errorf("result %v",result)
log.Errorf("result %v", result)
switch result {
case FILTER_DENY:
return false, false
@ -315,7 +315,7 @@ func (c *socksChainSession) filterConnect() (bool, bool) {
case FILTER_PROMPT:
caddr := c.clientConn.RemoteAddr().String()
caddrt := strings.Split(caddr, ":")
caddrIP := net.IP{0,0,0,0}
caddrIP := net.IP{0, 0, 0, 0}
caddrPort := uint16(0)
if len(caddrt) != 2 {

@ -2,15 +2,14 @@ package sgfw
import (
"crypto/x509"
"errors"
"io"
"net"
"errors"
)
func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
// Should this be a requirement?
// if strings.HasSuffix(request.DestAddr.FQDN, "onion") {
// Should this be a requirement?
// if strings.HasSuffix(request.DestAddr.FQDN, "onion") {
handshakeByte, err := readNBytes(conn, 1)
if err != nil {
@ -118,7 +117,7 @@ func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
for remaining > 0 {
certLen := int(int(pos[0])<<16 | int(pos[1])<<8 | int(pos[2]))
// fmt.Printf("Certs chain len %d, cert 1 len %d:\n", certChainLen, certLen)
// fmt.Printf("Certs chain len %d, cert 1 len %d:\n", certChainLen, certLen)
cert := pos[3 : 3+certLen]
certs, err := x509.ParseCertificates(cert)
if remaining == certChainLen {
@ -143,18 +142,18 @@ func TLSGuard(conn, conn2 net.Conn, fqdn string) error {
} else {
valid = true
}
// else if s == 0x0d { fmt.Printf("found a client cert request, sending buf to client\n") }
// else if s == 0x0d { fmt.Printf("found a client cert request, sending buf to client\n") }
} else if s == 0x0e {
sendToClient = true
} else if s == 0x0d {
sendToClient = true
}
// fmt.Printf("Version bytes: %x %x\n", responseBuf[1], responseBuf[2])
// fmt.Printf("Len bytes: %x %x\n", responseBuf[3], responseBuf[4])
// fmt.Printf("Message type: %x\n", responseBuf[5])
// fmt.Printf("Message len: %x %x %x\n", responseBuf[6], responseBuf[7], responseBuf[8])
// fmt.Printf("Message body: %v\n", responseBuf[9:])
// fmt.Printf("Version bytes: %x %x\n", responseBuf[1], responseBuf[2])
// fmt.Printf("Len bytes: %x %x\n", responseBuf[3], responseBuf[4])
// fmt.Printf("Message type: %x\n", responseBuf[5])
// fmt.Printf("Message len: %x %x %x\n", responseBuf[6], responseBuf[7], responseBuf[8])
// fmt.Printf("Message body: %v\n", responseBuf[9:])
conn.Write(responseBuf)
responseBuf = []byte{}
}
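Review bot: `certLen` is decoded from three bytes of the server's Certificate message and immediately used in `pos[3 : 3+certLen]` with no comparison against `len(pos)`, so a peer that advertises a length larger than the remaining buffer makes `TLSGuard` panic on an out-of-range slice; as this runs in the firewall's proxy path, a malformed handshake from any remote host is a crash vector. Check the bound before slicing: `if len(pos) < 3 || certLen > len(pos)-3 { return errors.New("malformed certificate list") }`. `TLSGuard` starts before and continues after this hunk, so the `remaining`/`pos` bookkeeping that follows is not visible and should be covered by the same check. `conn.Write(responseBuf)` also drops its error, so a closed client is only noticed on the next read.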
