Added extra display info for "Sandboxed application" in fw-prompt gnome shell GUI.

fw-prompt GUI gracefully displays unknown PIDs and UIDs.
Fixed stupid syntax error bug in oz-init PID management code.
shw_dev
shw 7 years ago
parent 7a1851419c
commit b4ed11261f

@ -30,6 +30,7 @@ const DetailSection = new Lang.Class({
this.pid = this._addDetails("Process ID:");
this.origin = this._addDetails("Origin:");
this.user = this._addDetails("User:");
this.optstring = this._addDetails("");
},
_addDetails: function(text) {
@ -40,12 +41,19 @@ const DetailSection = new Lang.Class({
return msg;
},
setDetails: function(ip, path, pid, user, origin) {
setDetails: function(ip, path, pid, user, origin, optstring) {
this.ipAddr.text = ip;
this.path.text = path;
this.pid.text = pid.toString();
if (pid == -1) {
this.pid.text = '[unknown]';
} else {
this.pid.text = pid.toString();
}
this.origin.text = origin;
this.user.text = user;
this.optstring.text = optstring
}
});
@ -451,7 +459,7 @@ const PromptDialog = new Lang.Class({
}
},
update: function(application, icon, path, address, port, ip, origin, user, pid, proto, expanded, expert, action) {
update: function(application, icon, path, address, port, ip, origin, user, pid, proto, optstring, expanded, expert, action) {
this._address = address;
this._port = port;
@ -480,6 +488,6 @@ const PromptDialog = new Lang.Class({
}
this.optionList.buttonGroup._setChecked(this.optionList.scopeToIdx(action))
this.info.setDetails(ip, path, pid, user, origin);
this.info.setDetails(ip, path, pid, user, origin, optstring);
},
});
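Review bot: `this.optstring.text = optstring` in setDetails drops the trailing semicolon that every neighbouring statement has; `this.optstring.text = optstring;`. The new row is created with an empty label (`this._addDetails("")`) and is always shown, so in the common case where optstring is `""` the dialog carries a blank line; toggling the row, e.g. `this.optstring.visible = optstring !== '';`, would avoid that, assuming _addDetails returns an actor with a `visible` property — its body is outside the hunk. The `pid == -1` test uses loose equality; `pid === -1` matches the int32 the DBus signature delivers and is the form a linter will ask for.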

@ -53,6 +53,7 @@ const FirewallPromptInterface = '<node> \
<arg type="s" direction="in" name="origin" /> \
<arg type="s" direction="in" name="user" /> \
<arg type="i" direction="in" name="pid" /> \
<arg type="s" direction="in" name="optstring" /> \
<arg type="b" direction="in" name="expanded" /> \
<arg type="b" direction="in" name="expert" /> \
<arg type="i" direction="in" name="action" /> \
@ -87,11 +88,11 @@ const FirewallPromptHandler = new Lang.Class({
},
RequestPromptAsync: function(params, invocation) {
let [app, icon, path, address, port, ip, origin, user, pid, expanded, expert, action] = params;
let [app, icon, path, address, port, ip, origin, user, pid, optstring, expanded, expert, action] = params;
this._closeDialog();
this._dialog = new Dialog.PromptDialog(invocation);
this._invocation = invocation;
this._dialog.update(app, icon, path, address, port, ip, origin, user, pid, "TCP", expanded, expert, action);
this._dialog.update(app, icon, path, address, port, ip, origin, user, pid, "TCP", optstring, expanded, expert, action);
this._dialog.open();
},

@ -30,7 +30,7 @@ func addInitPid(pid int) {
func removeInitPid(pid int) {
for i := 0; i < len(OzInitPids); i++ {
if OzInitPids[i] == pid {
OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:])
OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:]...)
return
}
}
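Review bot: removeInitPid has no doc comment and the slice-delete idiom it now uses is easy to misread; `// removeInitPid drops the first occurrence of pid from OzInitPids; it is a no-op when pid is not present.` OzInitPids is a package-level slice mutated in place here, so if addInitPid and removeInitPid can run from different goroutines a mutex is needed — the hunk does not show whether one exists. The function's closing brace is outside the hunk.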

@ -38,6 +38,7 @@ type pendingConnection interface {
policy() *Policy
procInfo() *procsnitch.Info
hostname() string
getOptString() string
src() net.IP
dst() net.IP
dstPort() uint16
@ -51,11 +52,12 @@ type pendingPkt struct {
name string
pkt *nfqueue.NFQPacket
pinfo *procsnitch.Info
optstring string
}
func getEmptyPInfo() *procsnitch.Info {
pinfo := procsnitch.Info{}
pinfo.UID, pinfo.Pid, pinfo.ParentPid = 0, 0, 0
pinfo.UID, pinfo.Pid, pinfo.ParentPid = -1, -1, -1
pinfo.ExePath = "[unknown-exe]"
pinfo.CmdLine = "[unknown-cmdline]"
pinfo.FirstArg = "[unknown-arg]"
@ -76,6 +78,10 @@ func (pp *pendingPkt) procInfo() *procsnitch.Info {
return pp.pinfo
}
func (pp *pendingPkt) getOptString() string {
return pp.optstring
}
func (pp *pendingPkt) hostname() string {
return pp.name
}
@ -159,7 +165,7 @@ func (fw *Firewall) policyForPath(path string) *Policy {
return fw.policyMap[path]
}
func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info) {
func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, optstr string) {
/* hbytes, err := pkt.GetHWAddr()
if err != nil {
@ -193,7 +199,7 @@ if name == "" {
case FILTER_ALLOW:
pkt.Accept()
case FILTER_PROMPT:
p.processPromptResult(&pendingPkt{pol: p, name: name, pkt: pkt, pinfo: pinfo})
p.processPromptResult(&pendingPkt{pol: p, name: name, pkt: pkt, pinfo: pinfo, optstring: optstr})
default:
log.Warningf("Unexpected filter result: %d", result)
}
@ -370,9 +376,11 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
ppath := "*"
pinfo := findProcessForPacket(pkt)
pinfo, optstring := findProcessForPacket(pkt)
if pinfo == nil {
pinfo = getEmptyPInfo()
ppath = "[unknown]"
optstring = "[Connection could not be mapped]"
log.Warningf("No proc found for %s", printPacket(pkt, fw.dns.Lookup(dstip), nil))
// pkt.Accept()
// return
@ -396,7 +404,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
}
policy := fw.PolicyForPath(ppath)
//log.Notice("XXX: flunked basicallowpacket; policy = ", policy)
policy.processPacket(pkt, pinfo)
policy.processPacket(pkt, pinfo, optstring)
}
func readFileDirect(filename string) ([]byte, error) {
@ -467,9 +475,10 @@ fmt.Println("XXX: opening: ", fname)
return rlines, nil
}
func findProcessForPacket(pkt *nfqueue.NFQPacket) *procsnitch.Info {
func findProcessForPacket(pkt *nfqueue.NFQPacket) (*procsnitch.Info, string) {
srcip, dstip := getPacketIP4Addrs(pkt)
srcp, dstp := getPacketPorts(pkt)
optstr := ""
if pkt.Packet.Layer(layers.LayerTypeTCP) != nil {
// Try normal way first, before the more resource intensive/invasive way.
@ -482,17 +491,18 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket) *procsnitch.Info {
log.Warningf("Error looking up sandboxed /proc/net data: %v", err)
} else {
res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, extdata)
optstr = "[Sandboxed application]"
}
}
return res
return res, optstr
} else if pkt.Packet.Layer(layers.LayerTypeUDP) != nil {
return procsnitch.LookupUDPSocketProcess(srcp)
return procsnitch.LookupUDPSocketProcess(srcp), optstr
}
log.Warningf("Packet has unknown protocol: %d", pkt.Packet.NetworkLayer().LayerType())
//log.Warningf("Packet has unknown protocol: %d", pkt.Protocol)
return nil
return nil, optstr
}
func basicAllowPacket(pkt *nfqueue.NFQPacket) bool {
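Review bot: In findProcessForPacket `optstr = "[Sandboxed application]"` is set as soon as the sandboxed lookup ran without error, even when `res` is nil, so a packet whose process was not found still comes back labelled as sandboxed; filterPacket happens to overwrite that with "[Connection could not be mapped]" when pinfo is nil, but the function's own result is wrong and any other caller would show the wrong label. Guard it: `if res != nil { optstr = "[Sandboxed application]" }`. The UDP branch returns optstr still empty because only the TCP path does the sandboxed /proc/net lookup, so a sandboxed UDP client shows no label or is reported as unmapped — worth a comment if that is intended. The interface method is named getOptString while its siblings are `hostname()`/`procInfo()`; Go style drops the Get prefix, so `optString()` on the interface, pendingPkt and pendingSocksConnection would fit. The lines between the two findProcessForPacket hunks, including where res is declared, are not shown.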

@ -78,6 +78,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
pc.src().String(),
uidToUser(pc.procInfo().UID),
int32(pc.procInfo().Pid),
pc.getOptString(),
FirewallConfig.PromptExpanded,
FirewallConfig.PromptExpert,
int32(FirewallConfig.DefaultActionID))
@ -143,6 +144,9 @@ func (p *prompter) removePolicy(policy *Policy) {
var userMap = make(map[int]string)
func lookupUser(uid int) string {
if uid == -1 {
return "[unknown]"
}
u, err := user.LookupId(strconv.Itoa(uid))
if err != nil {
return fmt.Sprintf("%d", uid)
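Review bot: lookupUser gains a sentinel branch but no doc comment saying what -1 means; `// lookupUser resolves uid to a user name; a uid of -1 means the owning process could not be determined and yields "[unknown]".` The "[unknown]" literal is now repeated here, in filterPacket's ppath and in the GNOME dialog; a single Go constant for the two daemon sites would keep them from drifting. The -1 relies on getEmptyPInfo setting UID/Pid/ParentPid to -1 in the same commit, so a zero-value procsnitch.Info reaching this path would still be looked up as uid 0 rather than shown as unknown. lookupUser's body continues past the hunk.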

@ -59,6 +59,10 @@ func (sc *pendingSocksConnection) procInfo() *procsnitch.Info {
return sc.pinfo
}
func (sc *pendingSocksConnection) getOptString() string {
return ""
}
func (sc *pendingSocksConnection) hostname() string {
return sc.hname
}
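Review bot: pendingSocksConnection.getOptString always returns "" with nothing saying why, so the new detail row is blank for every SOCKS-proxied connection; `// getOptString returns no extra detail for SOCKS connections; as far as this code shows, the sandbox lookup only runs for nfqueue packets in findProcessForPacket.` Whether sandboxed SOCKS clients should be labelled too depends on how sc.pinfo is resolved, which this hunk does not show. As with the interface, Go style would name this `optString()`.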
