diff --git a/sgfw/prompt.go b/sgfw/prompt.go index 19100f0..e31f6e9 100644 --- a/sgfw/prompt.go +++ b/sgfw/prompt.go @@ -4,7 +4,7 @@ import ( "fmt" "os/user" "strconv" - "strings" + //"strings" "sync" "time" @@ -168,13 +168,28 @@ func (p *prompter) processConnection(pc pendingConnection) { return } + // the prompt sends: + // ALLOW|dest or DENY|dest + // + // rule string needs to be: + // VERB|dst|class|uid:gid|sandbox|[src] + + // sometimes there's a src + // this needs to be re-visited + + if pc.src() != nil { - if !strings.HasSuffix(rule, "SYSTEM") && !strings.HasSuffix(rule, "||") { - rule += "|" - } - rule += "||" + pc.src().String() - } + //if !strings.HasSuffix(rule, "SYSTEM") && !strings.HasSuffix(rule, "||") { + //rule += "||" + //} + //ule += "|||" + pc.src().String() + + rule += "||-1:-1||" + pc.src().String() + log.Warningf("Creating rule: %v", rule) + } else { + rule += "||-1:-1||" + } r, err := policy.parseRule(rule, false) if err != nil { log.Warningf("Error parsing rule string returned from dbus RequestPrompt: %v", err) @@ -199,6 +214,7 @@ func (p *prompter) processConnection(pc pendingConnection) { r.mode = RULE_MODE_PERMANENT policy.fw.saveRules() } + log.Warningf("Creating rule: %v", rule) dbusp.alertRule("sgfw prompt added new rule") } diff --git a/sgfw/rules.go b/sgfw/rules.go index 856dd16..8d7f477 100644 --- a/sgfw/rules.go +++ b/sgfw/rules.go @@ -37,6 +37,7 @@ type Rule struct { gid int uname string gname string + sandbox string } func (r *Rule) String() string { @@ -64,7 +65,15 @@ func (r *Rule) getString(redact bool) string { rpriv := fmt.Sprintf("|%d:%d", r.uid, r.gid) - return fmt.Sprintf("%s|%s%s%s%s", rtype, protostr, r.AddrString(redact), rmode, rpriv) + sbox := "|" + if r.sandbox != "" { + sbox = "|SANDBOX:"+sbox + } else { + log.Notice("sandbox is ", r.sandbox) + } + + + return fmt.Sprintf("%s|%s%s%s%s%s", rtype, protostr, r.AddrString(redact), rmode, rpriv, sbox) } func (r *Rule) AddrString(redact bool) string { 
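Review bot: The rule string built after the `if pc.src() != nil` test hard-codes `-1:-1` for the uid:gid field and leaves the sandbox field empty in both branches, so a rule the user approves for one connection is later made permanent and written by saveRules (next hunk) without the credentials of the process that triggered the prompt; if parsePrivs treats -1 as a wildcard, which this diff does not show, prompt-created rules apply to every user. The new comment above the branch already spells out the format as `VERB|dst|class|uid:gid|sandbox|[src]`, so either fill uid, gid and sandbox from the pending connection or state in that comment that prompt rules are deliberately credential-agnostic and why. The four commented-out lines from `//if !strings.HasSuffix(...)` to `//ule += "|||" + pc.src().String()` are dead code with a typo and should be deleted rather than kept alongside the commented-out import. `log.Warningf("Creating rule: %v", rule)` records a normal event (and the peer address) at Warning level and is emitted a second time after saveRules in the next hunk; one lower-level message is enough. processConnection's body begins before this hunk and continues after it.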
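Review bot: The added `log.Warningf("Creating rule: %v", rule)` after the saveRules block repeats the identical line the earlier hunk adds inside the `if pc.src() != nil` branch, so for connections with a source address the same rule is logged twice, and adding a rule the user just approved is not a warning condition. Keep a single call here at an informational level, e.g. `log.Infof("prompt added rule: %v", rule)`, bearing in mind the string contains the peer address and will land in anything that alerts on Warning. processConnection ends at the closing brace in this hunk but starts before it.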
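Review bot: `sbox = "|SANDBOX:"+sbox` never includes the sandbox name — it evaluates to the constant `|SANDBOX:|`, so every sandbox-scoped rule is serialized with an empty name and, after a reload through parse/parseSandbox, comes back with `r.sandbox == ""`; the persisted policy no longer records the scope the user approved (whether an empty sandbox broadens matching depends on filter code not in this diff). The intended line is presumably `sbox = "|SANDBOX:" + r.sandbox + "|"`, which keeps the trailing separator the empty case already emits and which parse tolerates as an empty sixth part. The `else` branch logs `sandbox is` for every non-sandboxed rule each time it is stringified; drop it, or make it a debug-level message, and collapse the double blank line before the return so gofmt is happy. getString's body starts before this hunk.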
@@ -151,9 +160,10 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint return FILTER_PROMPT } result := FILTER_PROMPT - sandboxed := strings.HasPrefix(optstr, "Sandbox") + sandboxed := strings.HasPrefix(optstr, "SOCKS5|Tor / Sandbox") for _, r := range *rl { log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid) +log.Notice("r.saddr: ", r.saddr, "src: ", src , "sandboxed ", sandboxed, "optstr: ", optstr) if r.saddr == nil && src != nil && sandboxed { log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src) continue @@ -209,7 +219,7 @@ func (r *Rule) parse(s string) bool { r.addr = noAddress r.saddr = nil parts := strings.Split(s, "|") - if len(parts) < 4 || len(parts) > 5 { + if len(parts) < 4 || len(parts) > 6 { log.Notice("invalid number ", len(parts), " of rule parts in line ", s) return false } @@ -227,13 +237,20 @@ func (r *Rule) parse(s string) bool { return false } + if !r.parseSandbox(parts[4]) { + log.Notice("invalid sandbox ", parts[4], "in line ", s) + return false + } + + log.Notice("parsed sandbox ", parts[4]) + //fmt.Printf("uid = %v, gid = %v, user = %v, group = %v, hostname = %v\n", r.uid, r.gid, r.uname, r.gname, r.hostname) - if len(parts) == 5 && len(strings.TrimSpace(parts[4])) > 0 { - r.saddr = net.ParseIP(parts[4]) + if len(parts) == 6 && len(strings.TrimSpace(parts[5])) > 0 { + r.saddr = net.ParseIP(parts[5]) if r.saddr == nil { - log.Notice("invalid source IP ", parts[4], " in line ", s) + log.Notice("invalid source IP ", parts[5], " in line ", s) return false } 
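Review bot: `sandboxed := strings.HasPrefix(optstr, "SOCKS5|Tor / Sandbox")` decides whether nil-source-address rules are skipped for this packet by matching the prefix of what appears to be a human-readable option label, and the expected prefix changed from `Sandbox` to `SOCKS5|Tor / Sandbox` in this very hunk; any further edit to that label silently turns `sandboxed` false and lets nil-saddr rules match sandboxed traffic again. Derive the flag from the structured data the label is built from (presumably the same place pinfo comes from — confirm), or at least share one named constant with the producer of optstr and annotate it: `// must match the prefix the connection-info code emits for sandboxed connections`. The added `log.Notice("r.saddr: ", ...)` line is unindented (gofmt will move it) and fires once per rule per packet, writing the peer address and pid to the log on every filter pass; it reads as leftover debugging and should be removed or lowered to a debug level. filter's body starts before and continues after this hunk.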
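Review bot: `r.parseSandbox(parts[4])` is reached whenever the length check in the hunk above (`len(parts) < 4 || len(parts) > 6`) passes, so a 4-part line — the pre-change `VERB|dst|mode|uid:gid` shape that already-saved rule files contain — indexes past the end of parts and panics while the rules are loaded. Guard the access: `if len(parts) > 4 && !r.parseSandbox(parts[4]) {`. A 5-part line from the old format carries a source IP in parts[4], which parseSandbox now rejects (an IPv4 literal has no `:`, an IPv6 literal has several) rather than mis-reads, so such rules are dropped with the `invalid sandbox` message; add a comment saying whether that migration is intended or convert the old layout. `log.Notice("parsed sandbox ", parts[4])` logs on every rule parse including the empty field; remove it or guard it on a non-empty value. parse's body starts before and continues after this hunk.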
@@ -241,6 +258,19 @@ func (r *Rule) parse(s string) bool {
 return r.parseVerb(parts[0]) && r.parseTarget(parts[1])
 }
 
+func (r *Rule) parseSandbox(p string) bool {
+ if p == "" {
+ r.sandbox = ""
+ return true
+ }
+ toks := strings.Split(p, ":")
+ if len(toks) != 2 {
+ return false
+ }
+ r.sandbox = toks[1]
+ return true
+}
+
 func (r *Rule) parsePrivs(p string) bool {
 toks := strings.Split(p, ":")
 if len(toks) > 2 {
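Review bot: parseSandbox accepts any `tag:value` pair — `toks[0]` is never compared with the `SANDBOX` tag that getString writes, so a typo such as `SANDBOXX:foo`, or an arbitrary `x:y` in a hand-edited rules file, is silently taken as a sandbox name; check the tag: `if len(toks) != 2 || toks[0] != "SANDBOX" { return false }`. A sandbox name containing `:` is also rejected because Split yields more than two tokens; if names may contain it, use `strings.SplitN(p, ":", 2)` instead. The function has no doc comment; add `// parseSandbox parses the optional SANDBOX:<name> rule field into r.sandbox; an empty field clears it.`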