From bb2a0f96a437cfa8564020425918177af7415fe1 Mon Sep 17 00:00:00 2001 From: Bruce Leidl Date: Mon, 25 Jan 2016 00:58:01 +0000 Subject: [PATCH 01/16] Set a flag to avoid reloading process information --- proc_pid.go | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/proc_pid.go b/proc_pid.go index 899e235..9d0fa06 100644 --- a/proc_pid.go +++ b/proc_pid.go @@ -11,7 +11,7 @@ import ( type ProcInfo struct { pid int - uid int + loaded bool exePath string cmdLine string } @@ -101,6 +101,9 @@ func readdir(dir string) []string { } func (pi *ProcInfo) loadProcessInfo() bool { + if pi.loaded { + return true + } exePath, err := os.Readlink(fmt.Sprintf("/proc/%d/exe", pi.pid)) if err != nil { @@ -126,6 +129,6 @@ func (pi *ProcInfo) loadProcessInfo() bool { finfo.Sys() pi.exePath = exePath pi.cmdLine = string(bs) - // TODO finish... - return false + pi.loaded = true + return true } From 30a21eaa570b03e9bae5e372c5c3b919a917c21a Mon Sep 17 00:00:00 2001 From: Bruce Leidl Date: Mon, 25 Jan 2016 18:24:23 +0000 Subject: [PATCH 02/16] Moved /proc parsing code into a new package --- main.go | 2 ++ policy.go | 19 +++++++++-------- proc.go => proc/proc.go | 37 +++++++++++++++++++++++++-------- proc_pid.go => proc/proc_pid.go | 31 ++++++++++++++------------- prompt.go | 4 ++-- rules.go | 5 +++-- 6 files changed, 61 insertions(+), 37 deletions(-) rename proc.go => proc/proc.go (92%) rename proc_pid.go => proc/proc_pid.go (78%) diff --git a/main.go b/main.go index 403a147..dd6f3d6 100644 --- a/main.go +++ b/main.go @@ -11,6 +11,7 @@ import ( "sync" "syscall" "unsafe" + "github.com/subgraph/fw-daemon/proc" ) var log = logging.MustGetLogger("sgfw") @@ -71,6 +72,7 @@ func (fw *Firewall) runFilter() { } func main() { + proc.SetLogger(log) if os.Geteuid() != 0 { log.Error("Must be run as root") diff --git a/policy.go b/policy.go index d9b829b..c523fd5 100644 --- a/policy.go +++ b/policy.go @@ -5,13 +5,14 @@ import ( "sync" "github.com/subgraph/fw-daemon/nfqueue" + "github.com/subgraph/fw-daemon/proc" ) type pendingPkt struct { policy *Policy hostname string pkt *nfqueue.Packet - proc *ProcInfo + pinfo *proc.ProcInfo } type Policy struct { @@ -42,12 +43,12 @@ func (fw *Firewall) policyForPath(path string) *Policy { return fw.policyMap[path] } -func (p *Policy) processPacket(pkt *nfqueue.Packet, proc *ProcInfo) { +func (p *Policy) processPacket(pkt *nfqueue.Packet, pinfo *proc.ProcInfo) { p.lock.Lock() defer p.lock.Unlock() name := p.fw.dns.Lookup(pkt.Dst) log.Info("Lookup(%s): %s", pkt.Dst.String(), name) - result := p.rules.filter(pkt, proc, name) + result := p.rules.filter(pkt, pinfo, name) switch result { case FILTER_DENY: pkt.Mark = 1 @@ -55,7 +56,7 @@ func (p *Policy) processPacket(pkt *nfqueue.Packet, proc *ProcInfo) { case FILTER_ALLOW: pkt.Accept() case FILTER_PROMPT: - p.processPromptResult(&pendingPkt{policy: p, hostname: name, pkt: pkt, proc: proc}) + p.processPromptResult(&pendingPkt{policy: p, hostname: name, pkt: pkt, pinfo: pinfo}) default: log.Warning("Unexpected filter result: %d", result) } @@ -162,21 +163,21 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.Packet) { fw.dns.processDNS(pkt) return } - proc := findProcessForPacket(pkt) - if proc == nil { + pinfo := proc.FindProcessForPacket(pkt) + if pinfo == nil { log.Warning("No proc found for %s", printPacket(pkt, fw.dns.Lookup(pkt.Dst))) pkt.Accept() return } - log.Debug("filterPacket [%s] %s", proc.exePath, printPacket(pkt, fw.dns.Lookup(pkt.Dst))) + log.Debug("filterPacket [%s] %s", pinfo.ExePath, printPacket(pkt, fw.dns.Lookup(pkt.Dst))) if basicAllowPacket(pkt) { pkt.Accept() return } fw.lock.Lock() - policy := fw.policyForPath(proc.exePath) + policy := fw.policyForPath(pinfo.ExePath) fw.lock.Unlock() - policy.processPacket(pkt, proc) + policy.processPacket(pkt, pinfo) } func basicAllowPacket(pkt *nfqueue.Packet) bool { diff --git a/proc.go b/proc/proc.go similarity index 92% rename from proc.go rename to proc/proc.go index 4ae0497..503d01f 100644 --- a/proc.go +++ b/proc/proc.go @@ -1,4 +1,4 @@ -package main +package proc import ( "encoding/hex" @@ -10,10 +10,15 @@ import ( "path/filepath" "strconv" "strings" - + "github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/op/go-logging" "github.com/subgraph/fw-daemon/nfqueue" ) +var log = logging.MustGetLogger("proc") +func SetLogger(logger *logging.Logger) { + log = logger +} + type socketAddr struct { ip net.IP port uint16 @@ -47,7 +52,7 @@ func (ci *ConnectionInfo) String() string { return fmt.Sprintf("%v %s %s", ci.proc, ci.local, ci.remote) } -func findProcessForPacket(pkt *nfqueue.Packet) *ProcInfo { +func FindProcessForPacket(pkt *nfqueue.Packet) *ProcInfo { ss := getSocketForPacket(pkt) if ss == nil { return nil @@ -79,10 +84,10 @@ func findProcessForSocket(ss *socketStatus) *ProcInfo { } finfo.Sys() return &ProcInfo{ - pid: ss.pid, - uid: ss.uid, - exePath: exePath, - cmdLine: string(bs), + Pid: ss.pid, + Uid: ss.uid, + ExePath: exePath, + CmdLine: string(bs), } } @@ -153,6 +158,20 @@ func (ss *socketStatus) parseLine(line string) error { return nil } +func printPacket(pkt *nfqueue.Packet) string { + proto := func() string { + switch pkt.Protocol { + case nfqueue.TCP: + return "TCP" + case nfqueue.UDP: + return "UDP" + default: + return "???" + } + }() + return fmt.Sprintf("(%s %s:%d --> %s:%d)", proto, pkt.Src, pkt.SrcPort, pkt.Dst.String(), pkt.DstPort) +} + func getSocketForPacket(pkt *nfqueue.Packet) *socketStatus { ss := findSocket(pkt) if ss == nil { @@ -163,7 +182,7 @@ func getSocketForPacket(pkt *nfqueue.Packet) *socketStatus { ss.pid = pid return ss } - log.Info("Unable to find socket link socket:[%d] %s", ss.inode, printPacket(pkt, "")) + log.Info("Unable to find socket link socket:[%d] %s", ss.inode, printPacket(pkt)) log.Info("Line was %s", ss.line) return nil } @@ -181,7 +200,7 @@ func findSocket(pkt *nfqueue.Packet) *socketStatus { return &status } } - log.Info("Failed to find socket for packet: %s", printPacket(pkt, "")) + log.Info("Failed to find socket for packet: %s", printPacket(pkt)) return nil } diff --git a/proc_pid.go b/proc/proc_pid.go similarity index 78% rename from proc_pid.go rename to proc/proc_pid.go index 9d0fa06..e247153 100644 --- a/proc_pid.go +++ b/proc/proc_pid.go @@ -1,4 +1,5 @@ -package main +package proc + import ( "os" "strconv" @@ -10,13 +11,13 @@ import ( type ProcInfo struct { - pid int + Uid int + Pid int loaded bool - exePath string - cmdLine string + ExePath string + CmdLine string } - var cacheMap = make(map[uint64]*ProcInfo) func pidCacheLookup(inode uint64) *ProcInfo { @@ -79,10 +80,10 @@ func extractSocket(name string, pid int) { func cacheAddPid(inode uint64, pid int) { pi,ok := cacheMap[inode] - if ok && pi.pid == pid { + if ok && pi.Pid == pid { return } - cacheMap[inode] = &ProcInfo{ pid: pid } + cacheMap[inode] = &ProcInfo{ Pid: pid } } func readdir(dir string) []string { @@ -105,14 +106,14 @@ func (pi *ProcInfo) loadProcessInfo() bool { return true } - exePath, err := os.Readlink(fmt.Sprintf("/proc/%d/exe", pi.pid)) + exePath, err := os.Readlink(fmt.Sprintf("/proc/%d/exe", pi.Pid)) if err != nil { - log.Warning("Error reading exe link for pid %d: %v", pi.pid, err) + log.Warning("Error reading exe link for pid %d: %v", pi.Pid, err) return false } - bs, err := ioutil.ReadFile(fmt.Sprintf("/proc/%d/cmdline", pi.pid)) + bs, err := ioutil.ReadFile(fmt.Sprintf("/proc/%d/cmdline", pi.Pid)) if err != nil { - log.Warning("Error reading cmdline for pid %d: %v", pi.pid, err) + log.Warning("Error reading cmdline for pid %d: %v", pi.Pid, err) return false } for i, b := range bs { @@ -121,14 +122,14 @@ func (pi *ProcInfo) loadProcessInfo() bool { } } - finfo, err := os.Stat(fmt.Sprintf("/proc/%d", pi.pid)) + finfo, err := os.Stat(fmt.Sprintf("/proc/%d", pi.Pid)) if err != nil { - log.Warning("Could not stat /proc/%d: %v", pi.pid, err) + log.Warning("Could not stat /proc/%d: %v", pi.Pid, err) return false } finfo.Sys() - pi.exePath = exePath - pi.cmdLine = string(bs) + pi.ExePath = exePath + pi.CmdLine = string(bs) pi.loaded = true return true } diff --git a/prompt.go b/prompt.go index 00c3e21..04edd86 100644 --- a/prompt.go +++ b/prompt.go @@ -92,8 +92,8 @@ func (p *prompter) processPacket(pp *pendingPkt) { addr, int32(pp.pkt.DstPort), pp.pkt.Dst.String(), - uidToUser(pp.proc.uid), - int32(pp.proc.pid)) + uidToUser(pp.pinfo.Uid), + int32(pp.pinfo.Pid)) err := call.Store(&scope, &rule) if err != nil { log.Warning("Error sending dbus RequestPrompt message: %v", err) diff --git a/rules.go b/rules.go index 6c378da..21dd45a 100644 --- a/rules.go +++ b/rules.go @@ -12,6 +12,7 @@ import ( "os" "strconv" "path" + "github.com/subgraph/fw-daemon/proc" ) const ( @@ -77,14 +78,14 @@ const ( FILTER_PROMPT ) -func (rl *RuleList) filter(p *nfqueue.Packet, proc *ProcInfo, hostname string) FilterResult { +func (rl *RuleList) filter(p *nfqueue.Packet, pinfo *proc.ProcInfo, hostname string) FilterResult { if rl == nil { return FILTER_PROMPT } result := FILTER_PROMPT for _, r := range *rl { if r.match(p, hostname) { - log.Info("%s (%s -> %s:%d)", r, proc.exePath, p.Dst.String(), p.DstPort) + log.Info("%s (%s -> %s:%d)", r, pinfo.ExePath, p.Dst.String(), p.DstPort) if r.rtype == RULE_DENY { return FILTER_DENY } else if r.rtype == RULE_ALLOW { From 0054afb826c5ba09381cb2ffeb3285b6f5b50585 Mon Sep 17 00:00:00 2001 From: Bruce Leidl Date: Tue, 26 Jan 2016 01:57:47 +0000 Subject: [PATCH 03/16] refactor of proc reading code --- policy.go | 16 +++- proc/proc.go | 200 ++++------------------------------------------- proc/proc_pid.go | 65 +++++++++------ proc/socket.go | 95 ++++++++++++++++++++++ 4 files changed, 164 insertions(+), 212 deletions(-) create mode 100644 proc/socket.go diff --git a/policy.go b/policy.go index c523fd5..0650439 100644 --- a/policy.go +++ b/policy.go @@ -163,7 +163,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.Packet) { fw.dns.processDNS(pkt) return } - pinfo := proc.FindProcessForPacket(pkt) + pinfo := findProcessForPacket(pkt) if pinfo == nil { log.Warning("No proc found for %s", printPacket(pkt, fw.dns.Lookup(pkt.Dst))) pkt.Accept() @@ -180,6 +180,20 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.Packet) { policy.processPacket(pkt, pinfo) } +func findProcessForPacket(pkt *nfqueue.Packet) *proc.ProcInfo { + proto := "" + switch pkt.Protocol { + case nfqueue.TCP: + proto = "tcp" + case nfqueue.UDP: + proto = "udp" + default: + log.Warning("Packet has unknown protocol: %d", pkt.Protocol) + return nil + } + return proc.LookupSocketProcess(proto, pkt.SrcPort, pkt.Dst, pkt.DstPort) +} + func basicAllowPacket(pkt *nfqueue.Packet) bool { return pkt.Dst.IsLoopback() || pkt.Dst.IsLinkLocalMulticast() || diff --git a/proc/proc.go b/proc/proc.go index 503d01f..3164b76 100644 --- a/proc/proc.go +++ b/proc/proc.go @@ -19,101 +19,24 @@ func SetLogger(logger *logging.Logger) { log = logger } -type socketAddr struct { - ip net.IP - port uint16 -} - -func (sa socketAddr) String() string { - return fmt.Sprintf("%v:%d", sa.ip, sa.port) -} +var pcache = &pidCache{} -type socketStatus struct { - local socketAddr - remote socketAddr - uid int - inode uint64 - pid int - // XXX debugging - line string -} - -func (ss *socketStatus) String() string { - return fmt.Sprintf("%s -> %s uid=%d inode=%d pid=%d", ss.local, ss.remote, ss.uid, ss.inode, ss.pid) +func LookupSocketProcess(proto string, srcPort uint16, dstAddr net.IP, dstPort uint16) *ProcInfo { + ss := findSocket(proto, srcPort, dstAddr, dstPort) + if ss == nil { + return nil + } + return pcache.lookup(ss.inode) } type ConnectionInfo struct { - proc *ProcInfo + pinfo *ProcInfo local *socketAddr remote *socketAddr } func (ci *ConnectionInfo) String() string { - return fmt.Sprintf("%v %s %s", ci.proc, ci.local, ci.remote) -} - -func FindProcessForPacket(pkt *nfqueue.Packet) *ProcInfo { - ss := getSocketForPacket(pkt) - if ss == nil { - return nil - } - return findProcessForSocket(ss) -} -func findProcessForSocket(ss *socketStatus) *ProcInfo { - - exePath, err := os.Readlink(fmt.Sprintf("/proc/%d/exe", ss.pid)) - if err != nil { - log.Warning("Error reading exe link for pid %d: %v", ss.pid, err) - return nil - } - bs, err := ioutil.ReadFile(fmt.Sprintf("/proc/%d/cmdline", ss.pid)) - if err != nil { - log.Warning("Error reading cmdline for pid %d: %v", ss.pid, err) - return nil - } - for i, b := range bs { - if b == 0 { - bs[i] = byte(' ') - } - } - - finfo, err := os.Stat(fmt.Sprintf("/proc/%d", ss.pid)) - if err != nil { - log.Warning("Could not stat /proc/%d: %v", ss.pid, err) - return nil - } - finfo.Sys() - return &ProcInfo{ - Pid: ss.pid, - Uid: ss.uid, - ExePath: exePath, - CmdLine: string(bs), - } -} - -func getSocketLinesForPacket(pkt *nfqueue.Packet) []string { - if pkt.Protocol == nfqueue.TCP { - return getSocketLines("tcp") - } else if pkt.Protocol == nfqueue.UDP { - return getSocketLines("udp") - } else { - log.Warning("Cannot lookup socket for protocol %s", pkt.Protocol) - return nil - } -} - -func getSocketLines(proto string) []string { - path := fmt.Sprintf("/proc/net/%s", proto) - data, err := ioutil.ReadFile(path) - if err != nil { - log.Warning("Error reading %s: %v", path, err) - return nil - } - lines := strings.Split(string(data), "\n") - if len(lines) > 0 { - lines = lines[1:] - } - return lines + return fmt.Sprintf("%v %s %s", ci.pinfo, ci.local, ci.remote) } func (sa *socketAddr) parse(s string) error { @@ -134,29 +57,6 @@ func (sa *socketAddr) parse(s string) error { return nil } -func (ss *socketStatus) parseLine(line string) error { - fs := strings.Fields(line) - if len(fs) < 10 { - return errors.New("insufficient fields") - } - if err := ss.local.parse(fs[1]); err != nil { - return err - } - if err := ss.remote.parse(fs[2]); err != nil { - return err - } - uid, err := strconv.ParseUint(fs[7], 10, 32) - if err != nil { - return err - } - ss.uid = int(uid) - inode, err := strconv.ParseUint(fs[9], 10, 64) - if err != nil { - return err - } - ss.inode = inode - return nil -} func printPacket(pkt *nfqueue.Packet) string { proto := func() string { @@ -172,38 +72,6 @@ func printPacket(pkt *nfqueue.Packet) string { return fmt.Sprintf("(%s %s:%d --> %s:%d)", proto, pkt.Src, pkt.SrcPort, pkt.Dst.String(), pkt.DstPort) } -func getSocketForPacket(pkt *nfqueue.Packet) *socketStatus { - ss := findSocket(pkt) - if ss == nil { - return nil - } - pid := findPidForInode(ss.inode) - if pid > 0 { - ss.pid = pid - return ss - } - log.Info("Unable to find socket link socket:[%d] %s", ss.inode, printPacket(pkt)) - log.Info("Line was %s", ss.line) - return nil -} - -func findSocket(pkt *nfqueue.Packet) *socketStatus { - var status socketStatus - for _, line := range getSocketLinesForPacket(pkt) { - if len(line) == 0 { - continue - } - if err := status.parseLine(line); err != nil { - log.Warning("Unable to parse line [%s]: %v", line, err) - } else if status.remote.ip.Equal(pkt.Dst) && status.remote.port == pkt.DstPort && status.local.ip.Equal(pkt.Src) && status.local.port == pkt.SrcPort { - status.line = line - return &status - } - } - log.Info("Failed to find socket for packet: %s", printPacket(pkt)) - return nil -} - func ParseIp(ip string) (net.IP, error) { var result net.IP dst, err := hex.DecodeString(ip) @@ -227,48 +95,6 @@ func ParsePort(port string) (uint16, error) { return uint16(p64), nil } -func findPidForInode(inode uint64) int { - search := fmt.Sprintf("socket:[%d]", inode) - for _, pid := range getAllPids() { - if matchesSocketLink(pid, search) { - return pid - } - } - return -1 -} - -func matchesSocketLink(pid int, search string) bool { - paths, _ := filepath.Glob(fmt.Sprintf("/proc/%d/fd/*", pid)) - for _, p := range paths { - link, err := os.Readlink(p) - if err == nil && link == search { - return true - } - } - return false -} - -func getAllPids() []int { - var pids []int - d, err := os.Open("/proc") - if err != nil { - log.Warning("Error opening /proc: %v", err) - return nil - } - defer d.Close() - names, err := d.Readdirnames(0) - if err != nil { - log.Warning("Error reading directory names from /proc: %v", err) - return nil - } - for _, n := range names { - if pid, err := strconv.ParseUint(n, 10, 32); err == nil { - pids = append(pids, int(pid)) - } - } - return pids -} - func getConnections() ([]*ConnectionInfo, error) { conns,err := readConntrack() if err != nil { @@ -288,12 +114,14 @@ func resolveProcinfo(conns []*ConnectionInfo) { if err := ss.parseLine(line); err != nil { log.Warning("Unable to parse line [%s]: %v", line, err) } else { + /* pid := findPidForInode(ss.inode) if pid > 0 { ss.pid = pid fmt.Println("Socket", ss) sockets = append(sockets, ss) } + */ } } for _,ci := range conns { @@ -301,9 +129,9 @@ func resolveProcinfo(conns []*ConnectionInfo) { if ss == nil { continue } - proc := findProcessForSocket(ss) - if proc != nil { - ci.proc = proc + pinfo := pcache.lookup(ss.inode) + if pinfo != nil { + ci.pinfo = pinfo } } } diff --git a/proc/proc_pid.go b/proc/proc_pid.go index e247153..1536b8c 100644 --- a/proc/proc_pid.go +++ b/proc/proc_pid.go @@ -7,35 +7,51 @@ import ( "strings" "path" "io/ioutil" + "sync" + "syscall" ) type ProcInfo struct { - Uid int + Uid int Pid int loaded bool ExePath string CmdLine string } -var cacheMap = make(map[uint64]*ProcInfo) +type pidCache struct { + cacheMap map[uint64]*ProcInfo + lock sync.Mutex +} -func pidCacheLookup(inode uint64) *ProcInfo { - pi,ok := cacheMap[inode] - if ok { +func (pc *pidCache) lookup(inode uint64) *ProcInfo { + pc.lock.Lock() + defer pc.lock.Unlock() + pi,ok := pc.cacheMap[inode] + if ok && pi.loadProcessInfo() { + return pi + } + pc.cacheMap = loadCache() + pi,ok = pc.cacheMap[inode] + if ok && pi.loadProcessInfo() { return pi } - pidCacheReload() - return cacheMap[inode] + return nil } -func pidCacheReload() { +func loadCache() map[uint64]*ProcInfo { + cmap := make(map[uint64]*ProcInfo) for _, n := range readdir("/proc") { pid := toPid(n) if pid != 0 { - scrapePid(pid) + pinfo := &ProcInfo{Pid: pid} + for _,inode := range inodesFromPid(pid) { + cmap[inode] = pinfo + } } } + return cmap } func toPid(name string) int { @@ -54,36 +70,34 @@ func toPid(name string) int { return (int)(pid) } -func scrapePid(pid int) { +func inodesFromPid(pid int) []uint64 { + var inodes []uint64 fdpath := fmt.Sprintf("/proc/%d/fd", pid) for _, n := range readdir(fdpath) { if link, err := os.Readlink(path.Join(fdpath, n)); err != nil { - log.Warning("Error reading link %s: %v", n, err) + if !os.IsNotExist(err) { + log.Warning("Error reading link %s: %v", n, err) + } } else { - extractSocket(link, pid) + if inode := extractSocket(link); inode > 0 { + inodes = append(inodes, inode) + } } } + return inodes } -func extractSocket(name string, pid int) { +func extractSocket(name string) uint64 { if !strings.HasPrefix(name, "socket:[") || !strings.HasSuffix(name, "]") { - return + return 0 } val := name[8:len(name)-1] inode,err := strconv.ParseUint(val, 10, 64) if err != nil { log.Warning("Error parsing inode value from %s: %v", name, err) - return - } - cacheAddPid(inode, pid) -} - -func cacheAddPid(inode uint64, pid int) { - pi,ok := cacheMap[inode] - if ok && pi.Pid == pid { - return + return 0 } - cacheMap[inode] = &ProcInfo{ Pid: pid } + return inode } func readdir(dir string) []string { @@ -127,7 +141,8 @@ func (pi *ProcInfo) loadProcessInfo() bool { log.Warning("Could not stat /proc/%d: %v", pi.Pid, err) return false } - finfo.Sys() + sys := finfo.Sys().(*syscall.Stat_t) + pi.Uid = int(sys.Uid) pi.ExePath = exePath pi.CmdLine = string(bs) pi.loaded = true diff --git a/proc/socket.go b/proc/socket.go new file mode 100644 index 0000000..7a39eb8 --- /dev/null +++ b/proc/socket.go @@ -0,0 +1,95 @@ +package proc +import ( + "net" + "fmt" + "io/ioutil" + "strings" + "errors" + "strconv" +) + +type socketAddr struct { + ip net.IP + port uint16 +} + +func (sa socketAddr) String() string { + return fmt.Sprintf("%v:%d", sa.ip, sa.port) +} + +type socketStatus struct { + local socketAddr + remote socketAddr + uid int + inode uint64 + line string +} + +func (ss *socketStatus) String() string { + return fmt.Sprintf("%s -> %s uid=%d inode=%d", ss.local, ss.remote, ss.uid, ss.inode) +} + +func findUDPSocket(srcPort uint16, dstAddr net.IP, dstPort uint16) *socketStatus { + return findSocket("udp", srcPort, dstAddr, dstPort) +} + +func findTCPSocket(srcPort uint16, dstAddr net.IP, dstPort uint16) *socketStatus { + return findSocket("tcp", srcPort, dstAddr, dstPort) +} + +func findSocket(proto string, srcPort uint16, dstAddr net.IP, dstPort uint16) *socketStatus { + var ss socketStatus + for _,line := range getSocketLines(proto) { + if len(line) == 0 { + continue + } + if err := ss.parseLine(line); err != nil { + log.Warning("Unable to parse line from /proc/net/%s [%s]: %v", proto, line, err) + continue + } + if ss.remote.port == dstPort && ss.remote.ip.Equal(dstAddr) && ss.local.port == srcPort { + ss.line = line + return &ss + } + } + return nil +} + +func (ss *socketStatus) parseLine(line string) error { + fs := strings.Fields(line) + if len(fs) < 10 { + return errors.New("insufficient fields") + } + if err := ss.local.parse(fs[1]); err != nil { + return err + } + if err := ss.remote.parse(fs[2]); err != nil { + return err + } + uid, err := strconv.ParseUint(fs[7], 10, 32) + if err != nil { + return err + } + ss.uid = int(uid) + inode, err := strconv.ParseUint(fs[9], 10, 64) + if err != nil { + return err + } + ss.inode = inode + return nil +} + + +func getSocketLines(proto string) []string { + path := fmt.Sprintf("/proc/net/%s", proto) + data, err := ioutil.ReadFile(path) + if err != nil { + log.Warning("Error reading %s: %v", path, err) + return nil + } + lines := strings.Split(string(data), "\n") + if len(lines) > 0 { + lines = lines[1:] + } + return lines +} From b4fb258d0da69f3cf89218e7ecba17c6008b5a4f Mon Sep 17 00:00:00 2001 From: Bruce Leidl Date: Tue, 26 Jan 2016 02:12:20 +0000 Subject: [PATCH 04/16] unused imports --- proc/proc.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/proc/proc.go b/proc/proc.go index 3164b76..57eafe6 100644 --- a/proc/proc.go +++ b/proc/proc.go @@ -6,8 +6,6 @@ import ( "fmt" "io/ioutil" "net" - "os" - "path/filepath" "strconv" "strings" "github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/op/go-logging" From 65f65d2a42dc668a45edcf0bff4d9af6149c4fd7 Mon Sep 17 00:00:00 2001 From: Bruce Leidl Date: Tue, 26 Jan 2016 17:20:06 +0000 Subject: [PATCH 05/16] Different matching strategies for TCP and UDP sockets --- policy.go | 6 ++---- proc/proc.go | 28 +++++++++++----------------- proc/socket.go | 14 +++++++++----- 3 files changed, 22 insertions(+), 26 deletions(-) diff --git a/policy.go b/policy.go index 0650439..d1a298b 100644 --- a/policy.go +++ b/policy.go @@ -181,17 +181,15 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.Packet) { } func findProcessForPacket(pkt *nfqueue.Packet) *proc.ProcInfo { - proto := "" switch pkt.Protocol { case nfqueue.TCP: - proto = "tcp" + return proc.LookupTCPSocketProcess(pkt.SrcPort, pkt.Dst, pkt.DstPort) case nfqueue.UDP: - proto = "udp" + return proc.LookupUDPSocketProcess(pkt.SrcPort) default: log.Warning("Packet has unknown protocol: %d", pkt.Protocol) return nil } - return proc.LookupSocketProcess(proto, pkt.SrcPort, pkt.Dst, pkt.DstPort) } func basicAllowPacket(pkt *nfqueue.Packet) bool { diff --git a/proc/proc.go b/proc/proc.go index 57eafe6..a3406dd 100644 --- a/proc/proc.go +++ b/proc/proc.go @@ -9,7 +9,6 @@ import ( "strconv" "strings" "github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/op/go-logging" - "github.com/subgraph/fw-daemon/nfqueue" ) var log = logging.MustGetLogger("proc") @@ -19,8 +18,17 @@ func SetLogger(logger *logging.Logger) { var pcache = &pidCache{} -func LookupSocketProcess(proto string, srcPort uint16, dstAddr net.IP, dstPort uint16) *ProcInfo { - ss := findSocket(proto, srcPort, dstAddr, dstPort) + +func LookupUDPSocketProcess(srcPort uint16) *ProcInfo { + ss := findUDPSocket(srcPort) + if ss == nil { + return nil + } + return pcache.lookup(ss.inode) +} + +func LookupTCPSocketProcess(srcPort uint16, dstAddr net.IP, dstPort uint16) *ProcInfo { + ss := findTCPSocket(srcPort, dstAddr, dstPort) if ss == nil { return nil } @@ -56,20 +64,6 @@ func (sa *socketAddr) parse(s string) error { } -func printPacket(pkt *nfqueue.Packet) string { - proto := func() string { - switch pkt.Protocol { - case nfqueue.TCP: - return "TCP" - case nfqueue.UDP: - return "UDP" - default: - return "???" - } - }() - return fmt.Sprintf("(%s %s:%d --> %s:%d)", proto, pkt.Src, pkt.SrcPort, pkt.Dst.String(), pkt.DstPort) -} - func ParseIp(ip string) (net.IP, error) { var result net.IP dst, err := hex.DecodeString(ip) diff --git a/proc/socket.go b/proc/socket.go index 7a39eb8..a8a0d4d 100644 --- a/proc/socket.go +++ b/proc/socket.go @@ -29,15 +29,19 @@ func (ss *socketStatus) String() string { return fmt.Sprintf("%s -> %s uid=%d inode=%d", ss.local, ss.remote, ss.uid, ss.inode) } -func findUDPSocket(srcPort uint16, dstAddr net.IP, dstPort uint16) *socketStatus { - return findSocket("udp", srcPort, dstAddr, dstPort) +func findUDPSocket(srcPort uint16) *socketStatus { + return findSocket("udp", func(ss socketStatus) bool { + return ss.local.port == srcPort + }) } func findTCPSocket(srcPort uint16, dstAddr net.IP, dstPort uint16) *socketStatus { - return findSocket("tcp", srcPort, dstAddr, dstPort) + return findSocket("tcp", func(ss socketStatus) bool { + return ss.remote.port == dstPort && ss.remote.ip.Equal(dstAddr) && ss.local.port == srcPort + }) } -func findSocket(proto string, srcPort uint16, dstAddr net.IP, dstPort uint16) *socketStatus { +func findSocket(proto string, matcher func(socketStatus) bool) *socketStatus { var ss socketStatus for _,line := range getSocketLines(proto) { if len(line) == 0 { @@ -47,7 +51,7 @@ func findSocket(proto string, srcPort uint16, dstAddr net.IP, dstPort uint16) *s log.Warning("Unable to parse line from /proc/net/%s [%s]: %v", proto, line, err) continue } - if ss.remote.port == dstPort && ss.remote.ip.Equal(dstAddr) && ss.local.port == srcPort { + if matcher(ss) { ss.line = line return &ss } From a155427a8470b0558514b23662eb4135288576b4 Mon Sep 17 00:00:00 2001 From: Bruce Leidl Date: Wed, 24 Feb 2016 01:19:40 +0000 Subject: [PATCH 06/16] Launch settings, remove connection monitor Also track state of firewall enabled button correctly --- gnome-shell/firewall@subgraph.com/menu.js | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/gnome-shell/firewall@subgraph.com/menu.js b/gnome-shell/firewall@subgraph.com/menu.js index 8a49bef..06e0644 100644 --- a/gnome-shell/firewall@subgraph.com/menu.js +++ b/gnome-shell/firewall@subgraph.com/menu.js @@ -3,6 +3,7 @@ const Gio = imports.gi.Gio; const Main = imports.ui.main; const PopupMenu = imports.ui.popupMenu; +const Util = imports.misc.util; const FirewallInterface = ' \ \ @@ -33,6 +34,14 @@ const FirewallMenu = new Lang.Class({ install: function() { this.createMenu(); + this.menu.connect('open-state-changed', Lang.bind(this, this.openStateChanged)); + let idx = this.findMenu(this.aggregate._power.menu); + if(idx >= 0) { + this.aggregate.menu.addMenuItem(this.menu, idx); + } + }, + + openStateChanged: function() { this.proxy.IsEnabledRemote(Lang.bind(this, function(result, err) { if(err) { log(err.message); @@ -41,10 +50,6 @@ const FirewallMenu = new Lang.Class({ let [enabled] = result; this.toggle.setToggleState(enabled); })); - let idx = this.findMenu(this.aggregate._power.menu); - if(idx >= 0) { - this.aggregate.menu.addMenuItem(this.menu, idx); - } }, destroy: function() { @@ -75,7 +80,7 @@ const FirewallMenu = new Lang.Class({ this.toggle.connect('toggled', Lang.bind(this, this.onToggle)); this.item.menu.addMenuItem(this.toggle); - this.item.menu.addAction("Connection Monitor", Lang.bind(this, this.onMonitor)); + //this.item.menu.addAction("Connection Monitor", Lang.bind(this, this.onMonitor)); this.item.menu.addAction("Firewall Settings", Lang.bind(this, this.onSettings)); this.menu.addMenuItem(this.item); }, @@ -90,10 +95,10 @@ const FirewallMenu = new Lang.Class({ }, onSettings: function() { - log("Firewall Settings clicked"); + Util.spawnCommandLine("/usr/bin/fw-settings") }, onMonitor: function() { log("Connection monitor clicked"); }, -}); \ No newline at end of file +}); From d8f63bc60a730115a34b7ecb12bdaf2ccf6f5f72 Mon Sep 17 00:00:00 2001 From: Bruce Leidl Date: Wed, 24 Feb 2016 01:22:37 +0000 Subject: [PATCH 07/16] Various changes to support settings dialog --- dbus.go | 122 ++++++++++++++++++++++++++++++++++++++++++++++++++-- iptables.go | 2 +- main.go | 81 +++++++++++++++++++++++++++++----- policy.go | 30 ++++++++++++- prompt.go | 4 +- rules.go | 46 +++++++++----------- 6 files changed, 242 insertions(+), 43 deletions(-) diff --git a/dbus.go b/dbus.go index ea169f4..55b5829 100644 --- a/dbus.go +++ b/dbus.go @@ -7,6 +7,8 @@ import ( "github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/godbus/dbus" "github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/godbus/dbus/introspect" + "github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/op/go-logging" + "path" ) const introspectXml = ` @@ -15,9 +17,31 @@ const introspectXml = ` + + + + + + + + + + + + + + + + + + + + + + ` + introspect.IntrospectDataString + `` @@ -27,10 +51,19 @@ const objectPath = "/com/subgraph/Firewall" const interfaceName = "com.subgraph.Firewall" type dbusServer struct { + fw *Firewall conn *dbus.Conn prompter *prompter } +type DbusRule struct { + Id uint32 + App string + Path string + Verb uint32 + Target string +} + func newDbusServer() (*dbusServer, error) { conn, err := dbus.SystemBus() if err != nil { @@ -88,13 +121,96 @@ func (ds *dbusServer) Introspect(msg dbus.Message) (string, *dbus.Error) { } func (ds *dbusServer) SetEnabled(flag bool) *dbus.Error { - log.Info("SetEnabled(%v) called", flag) + log.Debug("SetEnabled(%v) called", flag) + ds.fw.setEnabled(flag) return nil } func (ds *dbusServer) IsEnabled() (bool, *dbus.Error) { - log.Info("IsEnabled() called") - return true, nil + log.Debug("IsEnabled() called") + return ds.fw.isEnabled(), nil +} + +func createDbusRule(r *Rule) DbusRule { + return DbusRule{ + Id: uint32(r.id), + App: path.Base(r.policy.path), + Path: r.policy.path, + Verb: uint32(r.rtype), + Target: r.AddrString(), + } +} + +func (ds *dbusServer) ListRules() ([]DbusRule, *dbus.Error) { + ds.fw.lock.Lock() + defer ds.fw.lock.Unlock() + var result []DbusRule + for _, p := range ds.fw.policies { + for _, r := range p.rules { + result = append(result, createDbusRule(r)) + } + } + return result, nil +} + +func (ds *dbusServer) DeleteRule(id uint32) *dbus.Error { + ds.fw.lock.Lock() + r := ds.fw.rulesById[uint(id)] + ds.fw.lock.Unlock() + if r != nil { + r.policy.removeRule(r) + } + if !r.sessionOnly { + ds.fw.saveRules() + } + return nil +} + +func (ds *dbusServer) UpdateRule(rule DbusRule) *dbus.Error { + log.Debug("UpdateRule %v", rule) + ds.fw.lock.Lock() + r := ds.fw.rulesById[uint(rule.Id)] + ds.fw.lock.Unlock() + if r != nil { + tmp := new(Rule) + tmp.addr = noAddress + if !tmp.parseTarget(rule.Target) { + log.Warning("Unable to parse target: %s", rule.Target) + return nil + } + r.policy.lock.Lock() + if rule.Verb == RULE_ALLOW || rule.Verb == RULE_DENY { + r.rtype = int(rule.Verb) + } + r.hostname = tmp.hostname + r.addr = tmp.addr + r.port = tmp.port + r.policy.lock.Unlock() + if !r.sessionOnly { + ds.fw.saveRules() + } + } + return nil +} + +func (ds *dbusServer) GetConfig() (map[string]dbus.Variant, *dbus.Error) { + conf := make(map[string]dbus.Variant) + conf["loglevel"] = dbus.MakeVariant(int32(ds.fw.logBackend.GetLevel("sgfw"))) + conf["logredact"] = dbus.MakeVariant(ds.fw.logRedact) + return conf, nil +} + +func (ds *dbusServer) SetConfig(key string, val dbus.Variant) *dbus.Error { + switch key { + case "loglevel": + l := val.Value().(int32) + lvl := logging.Level(l) + ds.fw.logBackend.SetLevel(lvl, "sgfw") + case "logredact": + flag := val.Value().(bool) + ds.fw.logRedact = flag + } + return nil } func (ds *dbusServer) prompt(p *Policy) { diff --git a/iptables.go b/iptables.go index cdf943d..2a4e2d0 100644 --- a/iptables.go +++ b/iptables.go @@ -17,7 +17,7 @@ func setupIPTables() { func addIPTRules(rules ...string) { for _, r := range rules { - if(iptables('C', r)) { + if iptables('C', r) { log.Info("IPTables rule already present: %s", r) } else { log.Info("Installing IPTables rule: %s", r) diff --git a/main.go b/main.go index dd6f3d6..71fd102 100644 --- a/main.go +++ b/main.go @@ -8,10 +8,10 @@ import ( "github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/op/go-logging" "github.com/subgraph/fw-daemon/nfqueue" + "github.com/subgraph/fw-daemon/proc" "sync" "syscall" "unsafe" - "github.com/subgraph/fw-daemon/proc" ) var log = logging.MustGetLogger("sgfw") @@ -22,6 +22,7 @@ var logFormat = logging.MustStringFormatter( var ttyFormat = logging.MustStringFormatter( "%{color}%{time:15:04:05} ▶ %{level:.4s} %{id:03x}%{color:reset} %{message}", ) + const ioctlReadTermios = 0x5401 func isTerminal(fd int) bool { @@ -30,7 +31,7 @@ func isTerminal(fd int) bool { return err == 0 } -func init() { +func setupLoggerBackend() logging.LeveledBackend { format := logFormat if isTerminal(int(os.Stderr.Fd())) { format = ttyFormat @@ -38,16 +39,66 @@ func init() { backend := logging.NewLogBackend(os.Stderr, "", 0) formatter := logging.NewBackendFormatter(backend, format) leveler := logging.AddModuleLevel(formatter) - log.SetBackend(leveler) + return leveler } type Firewall struct { dbus *dbusServer dns *dnsCache + enabled bool + + logRedact bool + logBackend logging.LeveledBackend + lock sync.Mutex policyMap map[string]*Policy policies []*Policy + + ruleLock sync.Mutex + rulesById map[uint]*Rule + nextRuleId uint +} + +func (fw *Firewall) setEnabled(flag bool) { + fw.lock.Lock() + defer fw.lock.Unlock() + fw.enabled = flag +} + +func (fw *Firewall) isEnabled() bool { + fw.lock.Lock() + defer fw.lock.Unlock() + return fw.enabled +} + +func (fw *Firewall) clearRules() { + fw.ruleLock.Lock() + defer fw.ruleLock.Unlock() + fw.rulesById = nil + fw.nextRuleId = 0 +} + +func (fw *Firewall) addRule(r *Rule) { + fw.ruleLock.Lock() + defer fw.ruleLock.Unlock() + + r.id = fw.nextRuleId + fw.nextRuleId += 1 + if fw.rulesById == nil { + fw.rulesById = make(map[uint]*Rule) + } + fw.rulesById[r.id] = r +} + +func (fw *Firewall) getRuleById(id uint) *Rule { + fw.ruleLock.Lock() + defer fw.ruleLock.Unlock() + + if fw.rulesById == nil { + return nil + } + return fw.rulesById[id] } func (fw *Firewall) runFilter() { @@ -64,7 +115,11 @@ func (fw *Firewall) runFilter() { for { select { case pkt := <-packets: - fw.filterPacket(pkt) + if fw.isEnabled() { + fw.filterPacket(pkt) + } else { + pkt.Accept() + } case <-sigs: return } @@ -72,6 +127,8 @@ func (fw *Firewall) runFilter() { } func main() { + logBackend := setupLoggerBackend() + log.SetBackend(logBackend) proc.SetLogger(log) if os.Geteuid() != 0 { @@ -88,17 +145,21 @@ func main() { } fw := &Firewall{ - dbus: ds, - dns: NewDnsCache(), - policyMap: make(map[string]*Policy), + dbus: ds, + dns: NewDnsCache(), + enabled: true, + logRedact: false, + logBackend: logBackend, + policyMap: make(map[string]*Policy), } + ds.fw = fw fw.loadRules() /* - go func() { - http.ListenAndServe("localhost:6060", nil) - }() + go func() { + http.ListenAndServe("localhost:6060", nil) + }() */ fw.runFilter() diff --git a/policy.go b/policy.go index d1a298b..424b67b 100644 --- a/policy.go +++ b/policy.go @@ -12,7 +12,7 @@ type pendingPkt struct { policy *Policy hostname string pkt *nfqueue.Packet - pinfo *proc.ProcInfo + pinfo *proc.ProcInfo } type Policy struct { @@ -110,6 +110,34 @@ func (p *Policy) processNewRule(r *Rule, scope int32) bool { return p.promptInProgress } +func (p *Policy) parseRule(s string, add bool) (*Rule, error) { + r := new(Rule) + r.policy = p + if !r.parse(s) { + return nil, parseError(s) + } + if add { + p.lock.Lock() + defer p.lock.Unlock() + p.rules = append(p.rules, r) + } + p.fw.addRule(r) + return r, nil +} + +func (p *Policy) removeRule(r *Rule) { + p.lock.Lock() + defer p.lock.Unlock() + + var newRules RuleList + for _, rr := range p.rules { + if rr.id != r.id { + newRules = append(newRules, rr) + } + } + p.rules = newRules +} + func (p *Policy) filterPending(rule *Rule) { remaining := []*pendingPkt{} for _, pp := range p.pendingQueue { diff --git a/prompt.go b/prompt.go index 04edd86..c3f6b18 100644 --- a/prompt.go +++ b/prompt.go @@ -100,18 +100,16 @@ func (p *prompter) processPacket(pp *pendingPkt) { pp.policy.removePending(pp) pp.pkt.Mark = 1 pp.pkt.Accept() - //pp.pkt.Drop() return } log.Debug("Received prompt response: %s [%s]", printScope(scope), rule) - r, err := parseRule(rule) + r, err := pp.policy.parseRule(rule, false) if err != nil { log.Warning("Error parsing rule string returned from dbus RequestPrompt: %v", err) pp.policy.removePending(pp) pp.pkt.Mark = 1 pp.pkt.Accept() - //pp.pkt.Drop() return } if scope == APPLY_SESSION { diff --git a/rules.go b/rules.go index 21dd45a..85ce1da 100644 --- a/rules.go +++ b/rules.go @@ -8,11 +8,11 @@ import ( "unicode" "github.com/subgraph/fw-daemon/nfqueue" + "github.com/subgraph/fw-daemon/proc" "io/ioutil" "os" - "strconv" "path" - "github.com/subgraph/fw-daemon/proc" + "strconv" ) const ( @@ -24,6 +24,8 @@ const matchAny = 0 const noAddress = uint32(0xffffffff) type Rule struct { + id uint + policy *Policy sessionOnly bool rtype int hostname string @@ -32,10 +34,17 @@ type Rule struct { } func (r *Rule) String() string { - addr := "*" - port := "*" rtype := "DENY" + if r.rtype == RULE_ALLOW { + rtype = "ALLOW" + } + return fmt.Sprintf("%s|%s", rtype, r.AddrString()) +} + +func (r *Rule) AddrString() string { + addr := "*" + port := "*" if r.hostname != "" { addr = r.hostname } else if r.addr != matchAny && r.addr != noAddress { @@ -48,11 +57,7 @@ func (r *Rule) String() string { port = fmt.Sprintf("%d", r.port) } - if r.rtype == RULE_ALLOW { - rtype = "ALLOW" - } - - return fmt.Sprintf("%s|%s:%s", rtype, addr, port) + return fmt.Sprintf("%s:%s", addr, port) } type RuleList []*Rule @@ -154,25 +159,17 @@ func (r *Rule) parsePort(p string) bool { } var err error port, err := strconv.ParseUint(p, 10, 16) - if err != nil { + if err != nil || port == 0 || port > 0xFFFF { return false } r.port = uint16(port) return true } -func parseRule(s string) (*Rule, error) { - r := new(Rule) - if !r.parse(s) { - return nil, parseError(s) - } - return r, nil -} - const ruleFile = "/var/lib/sgfw/sgfw_rules" func maybeCreateDir(dir string) error { - _,err := os.Stat(dir) + _, err := os.Stat(dir) if os.IsNotExist(err) { return os.MkdirAll(dir, 0755) } @@ -190,7 +187,7 @@ func (fw *Firewall) saveRules() { fw.lock.Lock() defer fw.lock.Unlock() - p,err := rulesPath() + p, err := rulesPath() if err != nil { log.Warning("Failed to open %s for writing: %v", p, err) return @@ -239,7 +236,9 @@ func (fw *Firewall) loadRules() { fw.lock.Lock() defer fw.lock.Unlock() - p,err := rulesPath() + fw.clearRules() + + p, err := rulesPath() if err != nil { log.Warning("Failed to open %s for reading: %v", p, err) return @@ -275,12 +274,9 @@ func processRuleLine(policy *Policy, line string) { log.Warning("Cannot process rule line without first seeing path line: %s", line) return } - rule, err := parseRule(line) + _, err := policy.parseRule(line, true) if err != nil { log.Warning("Error parsing rule (%s): %v", line, err) return } - policy.lock.Lock() - defer policy.lock.Unlock() - policy.rules = append(policy.rules, rule) } From 86784190267c901d22244e56c2749ea6ca4852f6 Mon Sep 17 00:00:00 2001 From: Bruce Leidl Date: Wed, 24 Feb 2016 01:26:31 +0000 Subject: [PATCH 08/16] Initial commit of settings dialog --- fw-settings/builder.go | 114 ++++++++++++++ fw-settings/config.go | 57 +++++++ fw-settings/dbus.go | 65 ++++++++ fw-settings/definitions/Dialog.xml | 187 ++++++++++++++++++++++ fw-settings/definitions/Makefile | 8 + fw-settings/definitions/RuleEdit.xml | 201 ++++++++++++++++++++++++ fw-settings/definitions/RuleItem.xml | 89 +++++++++++ fw-settings/definitions/dialog.go | 200 ++++++++++++++++++++++++ fw-settings/definitions/generate.rb | 47 ++++++ fw-settings/definitions/management.go | 25 +++ fw-settings/definitions/rule_edit.go | 214 ++++++++++++++++++++++++++ fw-settings/definitions/rule_item.go | 101 ++++++++++++ fw-settings/main.go | 60 ++++++++ fw-settings/rule_edit.go | 161 +++++++++++++++++++ fw-settings/rules.go | 147 ++++++++++++++++++ 15 files changed, 1676 insertions(+) create mode 100644 fw-settings/builder.go create mode 100644 fw-settings/config.go create mode 100644 fw-settings/dbus.go create mode 100644 fw-settings/definitions/Dialog.xml create mode 100644 fw-settings/definitions/Makefile create mode 100644 fw-settings/definitions/RuleEdit.xml create mode 100644 fw-settings/definitions/RuleItem.xml create mode 100644 fw-settings/definitions/dialog.go create mode 100644 fw-settings/definitions/generate.rb create mode 100644 fw-settings/definitions/management.go create mode 100644 fw-settings/definitions/rule_edit.go create mode 100644 fw-settings/definitions/rule_item.go create mode 100644 fw-settings/main.go create mode 100644 fw-settings/rule_edit.go create mode 100644 fw-settings/rules.go diff --git a/fw-settings/builder.go b/fw-settings/builder.go new file mode 100644 index 0000000..05a321d --- /dev/null +++ b/fw-settings/builder.go @@ -0,0 +1,114 @@ +package main + +import ( + "bufio" + "fmt" + "log" + "os" + "path/filepath" + "reflect" + + "github.com/gotk3/gotk3/glib" + "github.com/gotk3/gotk3/gtk" + "github.com/subgraph/fw-daemon/fw-settings/definitions" +) + +const ( + defsFolder = "definitions" + xmlExtension = ".xml" +) + +func getDefinitionWithFileFallback(uiName string) string { + // this makes sure a missing definition wont break only when the app is released + uiDef := getDefinition(uiName) + + fileName := filepath.Join(defsFolder, uiName+xmlExtension) + if fileNotFound(fileName) { + log.Printf("gui: loading compiled definition %q\n", uiName) + return uiDef.String() + } + + return readFile(fileName) +} + +// This must be called from the UI thread - otherwise bad things will happen sooner or later +func builderForDefinition(uiName string) *gtk.Builder { + // assertInUIThread() + + template := getDefinitionWithFileFallback(uiName) + + builder, err := gtk.BuilderNew() + if err != nil { + //We cant recover from this + panic(err) + } + + err = builder.AddFromString(template) + if err != nil { + //This is a programming error + panic(fmt.Sprintf("gui: failed load %s: %s\n", uiName, err.Error())) + } + + return builder +} + +func fileNotFound(fileName string) bool { + _, fnf := os.Stat(fileName) + return os.IsNotExist(fnf) +} + +func readFile(fileName string) string { + file, _ := os.Open(fileName) + reader := bufio.NewScanner(file) + var content string + for reader.Scan() { + content = content + reader.Text() + } + file.Close() + return content +} + +func getDefinition(uiName string) fmt.Stringer { + def, ok := definitions.Get(uiName) + if !ok { + panic(fmt.Sprintf("No definition found for %s", uiName)) + } + + return def +} + +type builder struct { + *gtk.Builder +} + +func newBuilder(uiName string) *builder { + return &builder{builderForDefinition(uiName)} +} + +func (b *builder) getItem(name string, target interface{}) { + v := reflect.ValueOf(target) + if v.Kind() != reflect.Ptr { + panic("builder.getItem() target argument must be a pointer") + } + elem := v.Elem() + elem.Set(reflect.ValueOf(b.get(name))) +} + +func (b *builder) getItems(args ...interface{}) { + for len(args) >= 2 { + name, ok := args[0].(string) + if !ok { + panic("string argument expected in builder.getItems()") + } + b.getItem(name, args[1]) + args = args[2:] + } +} + +func (b *builder) get(name string) glib.IObject { + obj, err := b.GetObject(name) + if err != nil { + panic("builder.GetObject() failed: " + err.Error()) + } + return obj +} diff --git a/fw-settings/config.go b/fw-settings/config.go new file mode 100644 index 0000000..6aa2542 --- /dev/null +++ b/fw-settings/config.go @@ -0,0 +1,57 @@ +package main + +import ( + "github.com/gotk3/gotk3/gtk" + "github.com/op/go-logging" +) + +var levelToId = map[int32]string{ + int32(logging.ERROR): "error", + int32(logging.WARNING): "warning", + int32(logging.NOTICE): "notice", + int32(logging.INFO): "info", + int32(logging.DEBUG): "debug", +} + +var idToLevel = func() map[string]int32 { + m := make(map[string]int32) + for k, v := range levelToId { + m[v] = k + } + return m +}() + +func loadConfig(win *gtk.Window, b *builder, dbus *dbusObject) { + var levelCombo *gtk.ComboBoxText + var redactCheck *gtk.CheckButton + + b.getItems( + "level_combo", &levelCombo, + "redact_checkbox", &redactCheck, + ) + + conf, err := dbus.getConfig() + if err != nil { + failDialog(win, "Failed to load config from fw daemon: %v", err) + } + + if lvl, ok := conf["loglevel"].(int32); ok { + if id, ok := levelToId[lvl]; ok { + levelCombo.SetActiveID(id) + } + } + if v, ok := conf["logredact"].(bool); ok { + redactCheck.SetActive(v) + } + b.ConnectSignals(map[string]interface{}{ + "on_level_combo_changed": func() { + if lvl, ok := idToLevel[levelCombo.GetActiveID()]; ok { + dbus.setConfig("loglevel", lvl) + } + }, + "on_redact_checkbox_toggled": func() { + dbus.setConfig("logredact", redactCheck.GetActive()) + }, + }) + +} diff --git a/fw-settings/dbus.go b/fw-settings/dbus.go new file mode 100644 index 0000000..5010ce7 --- /dev/null +++ b/fw-settings/dbus.go @@ -0,0 +1,65 @@ +package main + +import ( + "github.com/godbus/dbus" +) + +type dbusObject struct { + dbus.BusObject +} + +type dbusRule struct { + Id uint32 + App string + Path string + Verb uint32 + Target string +} + +func newDbusObject() (*dbusObject, error) { + conn, err := dbus.SystemBus() + if err != nil { + return nil, err + } + return &dbusObject{conn.Object("com.subgraph.Firewall", "/com/subgraph/Firewall")}, nil +} + +func (ob *dbusObject) isEnabled() (bool, error) { + var flag bool + if err := ob.Call("com.subgraph.Firewall.IsEnabled", 0).Store(&flag); err != nil { + return false, err + } + return flag, nil +} + +func (ob *dbusObject) listRules() ([]dbusRule, error) { + rules := []dbusRule{} + if err := ob.Call("com.subgraph.Firewall.ListRules", 0).Store(&rules); err != nil { + return nil, err + } + return rules, nil +} + +func (ob *dbusObject) deleteRule(id uint32) { + ob.Call("com.subgraph.Firewall.DeleteRule", 0, id) +} + +func (ob *dbusObject) updateRule(rule *dbusRule) { + ob.Call("com.subgraph.Firewall.UpdateRule", 0, rule) +} + +func (ob *dbusObject) getConfig() (map[string]interface{}, error) { + res := make(map[string]dbus.Variant) + if err := ob.Call("com.subgraph.Firewall.GetConfig", 0).Store(&res); err != nil { + return nil, err + } + config := make(map[string]interface{}) + for k, v := range res { + config[k] = v.Value() + } + return config, nil +} + +func (ob *dbusObject) setConfig(key string, val interface{}) { + ob.Call("com.subgraph.Firewall.SetConfig", 0, key, dbus.MakeVariant(val)) +} diff --git a/fw-settings/definitions/Dialog.xml b/fw-settings/definitions/Dialog.xml new file mode 100644 index 0000000..867b072 --- /dev/null +++ b/fw-settings/definitions/Dialog.xml @@ -0,0 +1,187 @@ + + + + + + False + True + Firewall Settings + 600 + 400 + dialog + + + True + True + 5 + + + True + False + 12 + 12 + 12 + 12 + + + True + False + Firewall Rules + 0 + + + + + + 0 + 0 + + + + + True + False + 12 + 12 + 8 + True + True + + + True + True + True + True + never + in + + + 0 + 0 + + + + + 0 + 1 + + + + + 1 + + + + + True + False + Rules + + + 1 + False + + + + + True + False + 12 + 12 + + + True + False + 12 + 8 + 6 + 6 + + + True + False + start + Log Level: + + + 0 + 0 + + + + + True + False + 0 + + Error + Warning + Notice + Info + Debug + + + + + 1 + 0 + + + + + Remove host names and addresses from logs + True + True + False + 0 + True + + + + 0 + 1 + 2 + + + + + 0 + 1 + + + + + True + False + Logging + start + 0 + + + + + + 0 + 0 + + + + + 1 + + + + + True + False + Options + + + 1 + False + + + + + + diff --git a/fw-settings/definitions/Makefile b/fw-settings/definitions/Makefile new file mode 100644 index 0000000..ae97f5d --- /dev/null +++ b/fw-settings/definitions/Makefile @@ -0,0 +1,8 @@ +generate: + ruby ./generate.rb + +touch: + ls *.xml | xargs -n1 touch + +doctor: touch generate + git diff --exit-code . \ No newline at end of file diff --git a/fw-settings/definitions/RuleEdit.xml b/fw-settings/definitions/RuleEdit.xml new file mode 100644 index 0000000..2ad8738 --- /dev/null +++ b/fw-settings/definitions/RuleEdit.xml @@ -0,0 +1,201 @@ + + + + + + False + Edit Rule + dialog + + + False + vertical + 2 + + + False + end + + + Cancel + True + True + True + + + True + True + 0 + + + + + Ok + True + True + True + 0.60000002384185791 + + + True + True + 1 + + + + + False + False + 0 + + + + + True + False + 12 + 12 + 12 + 24 + 24 + + + True + False + Enter changes for firewall rule below. The character <b>*</b> can entered alone into either the <b>host</b> or <b>port</b> fields to match any value. + + True + True + 40 + + + 0 + 0 + 2 + + + + + True + False + True + 0 + + + 1 + 1 + + + + + True + False + 12 + 10 + + + True + False + 0 + + Allow + Deny + + + + 0 + 0 + + + + + True + False + Connections to <b>host:</b> + True + + + 1 + 0 + + + + + True + True + 34 + hostname or ip address + + + + 2 + 0 + + + + + True + False + on <b>port:</b> + True + + + 3 + 0 + + + + + True + True + 5 + 4 + 5 + Port + + + + + 4 + 0 + + + + + 0 + 2 + 2 + + + + + True + False + 12 + 10 + Path: + 1 + + + + + + 0 + 1 + + + + + False + True + 1 + + + + + + cancel_button + ok_button + + + diff --git a/fw-settings/definitions/RuleItem.xml b/fw-settings/definitions/RuleItem.xml new file mode 100644 index 0000000..7fdbd75 --- /dev/null +++ b/fw-settings/definitions/RuleItem.xml @@ -0,0 +1,89 @@ + + + + + + True + False + True + + + True + False + start + 8 + 10 + 0 + + + 0 + 0 + + + + + True + False + 10 + 1 + + + 1 + 0 + + + + + True + False + start + True + 0 + + + 2 + 0 + + + + + True + True + True + none + + + + True + False + document-properties-symbolic + + + + + 3 + 0 + + + + + True + True + True + none + + + + True + False + edit-delete-symbolic + + + + + 4 + 0 + + + + diff --git a/fw-settings/definitions/dialog.go b/fw-settings/definitions/dialog.go new file mode 100644 index 0000000..546f865 --- /dev/null +++ b/fw-settings/definitions/dialog.go @@ -0,0 +1,200 @@ +package definitions + +func init() { + add(`Dialog`, &defDialog{}) +} + +type defDialog struct{} + +func (*defDialog) String() string { + return ` + + + + + + False + True + Firewall Settings + 600 + 400 + dialog + + + True + True + 5 + + + True + False + 12 + 12 + 12 + 12 + + + True + False + Firewall Rules + 0 + + + + + + 0 + 0 + + + + + True + False + 12 + 12 + 8 + True + True + + + True + True + True + True + never + in + + + 0 + 0 + + + + + 0 + 1 + + + + + 1 + + + + + True + False + Rules + + + 1 + False + + + + + True + False + 12 + 12 + + + True + False + 12 + 8 + 6 + 6 + + + True + False + start + Log Level: + + + 0 + 0 + + + + + True + False + 0 + + Error + Warning + Notice + Info + Debug + + + + + 1 + 0 + + + + + Remove host names and addresses from logs + True + True + False + 0 + True + + + + 0 + 1 + 2 + + + + + 0 + 1 + + + + + True + False + Logging + start + 0 + + + + + + 0 + 0 + + + + + 1 + + + + + True + False + Options + + + 1 + False + + + + + + + +` +} diff --git a/fw-settings/definitions/generate.rb b/fw-settings/definitions/generate.rb new file mode 100644 index 0000000..12857fe --- /dev/null +++ b/fw-settings/definitions/generate.rb @@ -0,0 +1,47 @@ +#!/usr/bin/env ruby + +require 'fileutils' + +def parse_go_name(file_name) + File.basename(file_name, ".xml"). + gsub(/([A-Z]+)([A-Z][a-z])/,'\1_\2'). + gsub(/([a-z\d])([A-Z])/,'\1_\2'). + tr("-", "_"). + gsub(/\/_/, '/'). + downcase + ".go" +end + +def gen_go_file(xml_file, go_file) + xml_definition = File.read(xml_file) + ui_name = File.basename(xml_file, '.xml') + File.open(go_file, 'w+') do |target| + target.puts <