Fix rule parsing, still working on this

sgfw/prompt.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"os/user"
 	"strconv"
-	"strings"
+	//"strings"
 	"sync"
 	"time"
 
@@ -168,13 +168,28 @@ func (p *prompter) processConnection(pc pendingConnection) {
 		return
 	}
 
+        // the prompt sends: 
+        // ALLOW|dest or DENY|dest
+        //
+        // rule string needs to be:
+        // VERB|dst|class|uid:gid|sandbox|[src]
+
+        // sometimes there's a src 
+        // this needs to be re-visited
+
+
 	if pc.src() != nil {
-		if !strings.HasSuffix(rule, "SYSTEM") && !strings.HasSuffix(rule, "||") {
-			rule += "|"
-		}
-		rule += "||" + pc.src().String()
-	}
 
+		//if !strings.HasSuffix(rule, "SYSTEM") && !strings.HasSuffix(rule, "||") {
+			//rule += "||"
+		//}
+		//ule += "|||" + pc.src().String()
+
+		rule += "||-1:-1||" + pc.src().String()
+		log.Warningf("Creating rule: %v", rule)
+	} else {
+		rule += "||-1:-1||"
+	}
 	r, err := policy.parseRule(rule, false)
 	if err != nil {
 		log.Warningf("Error parsing rule string returned from dbus RequestPrompt: %v", err)
@@ -199,6 +214,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
 		r.mode = RULE_MODE_PERMANENT
 		policy.fw.saveRules()
 	}
+	log.Warningf("Creating rule: %v", rule)
 	dbusp.alertRule("sgfw prompt added new rule")
 }
 

sgfw/rules.go

@@ -37,6 +37,7 @@ type Rule struct {
 	gid      int
 	uname    string
 	gname    string
+	sandbox	 string
 }
 
 func (r *Rule) String() string {
@@ -64,7 +65,15 @@ func (r *Rule) getString(redact bool) string {
 
 	rpriv := fmt.Sprintf("|%d:%d", r.uid, r.gid)
 
-	return fmt.Sprintf("%s|%s%s%s%s", rtype, protostr, r.AddrString(redact), rmode, rpriv)
+	sbox := "|"
+	if r.sandbox != "" {
+		sbox = "|SANDBOX:"+sbox
+	} else {
+		log.Notice("sandbox is ", r.sandbox)
+	}
+
+
+	return fmt.Sprintf("%s|%s%s%s%s%s", rtype, protostr, r.AddrString(redact), rmode, rpriv, sbox)
 }
 
 func (r *Rule) AddrString(redact bool) string {
@@ -151,9 +160,10 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 		return FILTER_PROMPT
 	}
 	result := FILTER_PROMPT
-	sandboxed := strings.HasPrefix(optstr, "Sandbox")
+	sandboxed := strings.HasPrefix(optstr, "SOCKS5|Tor / Sandbox")
 	for _, r := range *rl {
 log.Notice("------------ trying match of src ", src, " against: ", r, " | ", r.saddr, " / optstr = ", optstr, "; pid ", pinfo.Pid, " vs rule pid ", r.pid)
+log.Notice("r.saddr: ", r.saddr, "src: ", src , "sandboxed ", sandboxed, "optstr: ", optstr)
 		if r.saddr == nil && src != nil && sandboxed {
 log.Notice("! Skipping comparison against incompatible rule types: rule src = ", r.saddr, " / packet src = ", src)
 			continue
@@ -209,7 +219,7 @@ func (r *Rule) parse(s string) bool {
 	r.addr = noAddress
 	r.saddr = nil
 	parts := strings.Split(s, "|")
-	if len(parts) < 4 || len(parts) > 5 {
+	if len(parts) < 4 || len(parts) > 6 {
 		log.Notice("invalid number ", len(parts), " of rule parts in line ", s)
 		return false
 	}
@@ -227,13 +237,20 @@ func (r *Rule) parse(s string) bool {
 		return false
 	}
 
+	if !r.parseSandbox(parts[4]) {
+		log.Notice("invalid sandbox ", parts[4], "in line ", s)
+		return false
+	}
+
+	log.Notice("parsed sandbox ", parts[4])
+
 //fmt.Printf("uid = %v, gid = %v, user = %v, group = %v, hostname = %v\n", r.uid, r.gid, r.uname, r.gname, r.hostname)
 
-	if len(parts) == 5 && len(strings.TrimSpace(parts[4])) > 0 {
-		r.saddr = net.ParseIP(parts[4])
+	if len(parts) == 6 && len(strings.TrimSpace(parts[5])) > 0 {
+		r.saddr = net.ParseIP(parts[5])
 
 		if r.saddr == nil {
-			log.Notice("invalid source IP ", parts[4], " in line ", s)
+			log.Notice("invalid source IP ", parts[5], " in line ", s)
 			return false
 		}
 
@@ -241,6 +258,19 @@ func (r *Rule) parse(s string) bool {
 	return r.parseVerb(parts[0]) && r.parseTarget(parts[1])
 }
 
+func (r *Rule) parseSandbox(p string) bool {
+	if p == "" {
+		r.sandbox = ""
+		return true
+	}
+	toks := strings.Split(p, ":")
+	if len(toks) != 2 {
+		return false
+	}
+	r.sandbox = toks[1]
+	return true
+}
+
 func (r *Rule) parsePrivs(p string) bool {
 	toks := strings.Split(p, ":")
 	if len(toks) > 2 {