Fix rule parsing, still working on this

shw_dev
dma 7 years ago
parent e8f5001483
commit a89f8118bf

@ -4,7 +4,7 @@ import (
"fmt" "fmt"
"os/user" "os/user"
"strconv" "strconv"
"strings" //"strings"
"sync" "sync"
"time" "time"
@ -168,13 +168,28 @@ func (p *prompter) processConnection(pc pendingConnection) {
return return
} }
// the prompt sends:
// ALLOW|dest or DENY|dest
//
// rule string needs to be:
// VERB|dst|class|uid:gid|sandbox|[src]
// sometimes there's a src
// this needs to be re-visited
if pc.src() != nil { if pc.src() != nil {
if !strings.HasSuffix(rule, "SYSTEM") && !strings.HasSuffix(rule, "||") {
rule += "|"
}
rule += "||" + pc.src().String()
}
//if !strings.HasSuffix(rule, "SYSTEM") && !strings.HasSuffix(rule, "||") {
//rule += "||"
//}
//ule += "|||" + pc.src().String()
rule += "||-1:-1||" + pc.src().String()
log.Warningf("Creating rule: %v", rule)
} else {
rule += "||-1:-1||"
}
r, err := policy.parseRule(rule, false) r, err := policy.parseRule(rule, false)
if err != nil { if err != nil {
log.Warningf("Error parsing rule string returned from dbus RequestPrompt: %v", err) log.Warningf("Error parsing rule string returned from dbus RequestPrompt: %v", err)
@ -199,6 +214,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
r.mode = RULE_MODE_PERMANENT r.mode = RULE_MODE_PERMANENT
policy.fw.saveRules() policy.fw.saveRules()
} }
log.Warningf("Creating rule: %v", rule)
dbusp.alertRule("sgfw prompt added new rule") dbusp.alertRule("sgfw prompt added new rule")
} }
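Review bot: Both new branches hardcode the privilege field — `rule += "||-1:-1||" + pc.src().String()` and `rule += "||-1:-1||"` — so every rule created from a prompt carries `-1:-1` in the uid:gid slot rather than the credentials of the process that triggered it; if parsePrivs treats -1 as a wildcard (its body is outside this hunk), a user's "allow" answer becomes a rule matching any uid/gid, which is likely a wider grant than the dialog asked about. If the pending connection exposes the requesting process's uid/gid, format them in with `fmt.Sprintf("||%d:%d||", uid, gid)` (`fmt` is already imported); the same applies to the sandbox field, which is always left empty here even though the new comment block says the format is `VERB|dst|class|uid:gid|sandbox|[src]`. The `log.Warningf("Creating rule: %v", rule)` added in the second hunk repeats the one at the end of the src branch, and Warning is a loud level for a routine event — one Notice after the rule is accepted would do. processConnection starts and ends outside these hunks, and the commit title itself flags this as unfinished, so a `// TODO: populate uid:gid and sandbox from the pending connection instead of -1:-1 / empty` would help whoever picks it up.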

@ -37,6 +37,7 @@ type Rule struct {
gid int gid int
uname string uname string
gname string gname string
sandbox string
} }
func (r *Rule) String() string { func (r *Rule) String() string {
@ -64,7 +65,15 @@ func (r *Rule) getString(redact bool) string {
rpriv := fmt.Sprintf("|%d:%d", r.uid, r.gid) rpriv := fmt.Sprintf("|%d:%d", r.uid, r.gid)
return fmt.Sprintf("%s|%s%s%s%s", rtype, protostr, r.AddrString(redact), rmode, rpriv) sbox := "|"
if r.sandbox != "" {
sbox = "|SANDBOX:"+sbox
} else {
log.Notice("sandbox is ", r.sandbox)
}
return fmt.Sprintf("%s|%s%s%s%s%s", rtype, protostr, r.AddrString(redact), rmode, rpriv, sbox)
} }
func (r *Rule) AddrString(redact bool) string { func (r *Rule) AddrString(redact bool) string {
@ -151,9 +160,10 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
return FILTER_PROMPT return FILTER_PROMPT
} }
result := FILTER_PROMPT result := FILTER_PROMPT
sandboxed := strings.HasPrefix(optstr, "Sandbox") sandboxed := strings.HasPrefix(optstr, "SOCKS5|Tor / Sandbox")
for _, r := range *rl { for _, r := range *rl {
log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid) log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid)
log.Notice("r.saddr: ", r.saddr, "src: ", src , "sandboxed ", sandboxed, "optstr: ", optstr)
if r.saddr == nil && src != nil && sandboxed { if r.saddr == nil && src != nil && sandboxed {
log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src) log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src)
continue continue
@ -209,7 +219,7 @@ func (r *Rule) parse(s string) bool {
r.addr = noAddress r.addr = noAddress
r.saddr = nil r.saddr = nil
parts := strings.Split(s, "|") parts := strings.Split(s, "|")
if len(parts) < 4 || len(parts) > 5 { if len(parts) < 4 || len(parts) > 6 {
log.Notice("invalid number ", len(parts), " of rule parts in line ", s) log.Notice("invalid number ", len(parts), " of rule parts in line ", s)
return false return false
} }
@ -227,13 +237,20 @@ func (r *Rule) parse(s string) bool {
return false return false
} }
if !r.parseSandbox(parts[4]) {
log.Notice("invalid sandbox ", parts[4], "in line ", s)
return false
}
log.Notice("parsed sandbox ", parts[4])
//fmt.Printf("uid = %v, gid = %v, user = %v, group = %v, hostname = %v\n", r.uid, r.gid, r.uname, r.gname, r.hostname) //fmt.Printf("uid = %v, gid = %v, user = %v, group = %v, hostname = %v\n", r.uid, r.gid, r.uname, r.gname, r.hostname)
if len(parts) == 5 && len(strings.TrimSpace(parts[4])) > 0 { if len(parts) == 6 && len(strings.TrimSpace(parts[5])) > 0 {
r.saddr = net.ParseIP(parts[4]) r.saddr = net.ParseIP(parts[5])
if r.saddr == nil { if r.saddr == nil {
log.Notice("invalid source IP ", parts[4], " in line ", s) log.Notice("invalid source IP ", parts[5], " in line ", s)
return false return false
} }
@ -241,6 +258,19 @@ func (r *Rule) parse(s string) bool {
return r.parseVerb(parts[0]) && r.parseTarget(parts[1]) return r.parseVerb(parts[0]) && r.parseTarget(parts[1])
} }
func (r *Rule) parseSandbox(p string) bool {
if p == "" {
r.sandbox = ""
return true
}
toks := strings.Split(p, ":")
if len(toks) != 2 {
return false
}
r.sandbox = toks[1]
return true
}
func (r *Rule) parsePrivs(p string) bool { func (r *Rule) parsePrivs(p string) bool {
toks := strings.Split(p, ":") toks := strings.Split(p, ":")
if len(toks) > 2 { if len(toks) > 2 {
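Review bot: `if !r.parseSandbox(parts[4])` in parse indexes parts[4] unconditionally, but the length check just above still admits 4-field rules (which the previous `len(parts) < 4 || len(parts) > 5` check accepted), so any existing rule line without a sandbox field now panics with an index-out-of-range when the rule set is loaded; guard it with `if len(parts) > 4 && !r.parseSandbox(parts[4]) {`. The companion change in getString never writes the sandbox name — `sbox = "|SANDBOX:"+sbox` produces the literal `|SANDBOX:|`, which parseSandbox then turns back into an empty `r.sandbox` — so a sandbox-scoped rule persisted via saveRules comes back unscoped after a reload and would apply to unsandboxed traffic; it should be `sbox = "|SANDBOX:" + r.sandbox + "|"` (keeping the same trailing separator as the no-sandbox path). parseSandbox should also reject `toks[0] != "SANDBOX"` and an empty `toks[1]` rather than accepting any `x:y` token as a sandbox name. The `log.Notice("sandbox is ", r.sandbox)` in getString's else branch only ever prints an empty value, and the new `log.Notice("r.saddr: ...")` in filter logs every packet's source address on the hot path; both look like leftover debugging. parse, getString and filter each start and end outside their hunks.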
