From b4ed11261f28c70042607247fc44489e4edd76d1 Mon Sep 17 00:00:00 2001
From: shw
Date: Tue, 9 May 2017 20:04:54 +0000
Subject: [PATCH] Added extra display info for "Sandboxed application" in fw-prompt gnome shell GUI. fw-prompt GUI gracefully displays unknown PIDs and UIDs. Fixed stupid syntax error bug in oz-init PID management code.
---
 gnome-shell/firewall@subgraph.com/dialog.js | 16 ++++++++---
 .../firewall@subgraph.com/extension.js | 5 ++--
 sgfw/ipc.go | 2 +-
 sgfw/policy.go | 28 +++++++++++++------
 sgfw/prompt.go | 4 +++
 sgfw/socks_server_chain.go | 4 +++
 6 files changed, 43 insertions(+), 16 deletions(-)
diff --git a/gnome-shell/firewall@subgraph.com/dialog.js b/gnome-shell/firewall@subgraph.com/dialog.js
index c2c48c9..1ba44d4 100644
--- a/gnome-shell/firewall@subgraph.com/dialog.js
+++ b/gnome-shell/firewall@subgraph.com/dialog.js
@@ -30,6 +30,7 @@ const DetailSection = new Lang.Class({
 this.pid = this._addDetails("Process ID:");
 this.origin = this._addDetails("Origin:");
 this.user = this._addDetails("User:");
+ this.optstring = this._addDetails("");
 },
 
 _addDetails: function(text) {
@@ -40,12 +41,19 @@ const DetailSection = new Lang.Class({
 return msg;
 },
 
- setDetails: function(ip, path, pid, user, origin) {
+ setDetails: function(ip, path, pid, user, origin, optstring) {
 this.ipAddr.text = ip;
 this.path.text = path;
- this.pid.text = pid.toString();
+
+ if (pid == -1) {
+ this.pid.text = '[unknown]';
+ } else {
+ this.pid.text = pid.toString();
+ }
+
 this.origin.text = origin;
 this.user.text = user;
+ this.optstring.text = optstring
 }
 });
 
@@ -451,7 +459,7 @@ const PromptDialog = new Lang.Class({
 }
 },
 
- update: function(application, icon, path, address, port, ip, origin, user, pid, proto, expanded, expert, action) {
+ update: function(application, icon, path, address, port, ip, origin, user, pid, proto, optstring, expanded, expert, action) {
 this._address = address;
 this._port = port;
 
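Review bot: The new `this.optstring.text = optstring` is the only statement in setDetails without a trailing semicolon; add `;` to match the surrounding lines. The `pid == -1` branch hard-codes the daemon's placeholder value with nothing saying where it comes from, so a comment at the check, `// -1 is the daemon's "process not found" placeholder (getEmptyPInfo in sgfw/policy.go)`, would stop a later reader from "fixing" it. Because the details row is created unconditionally in the earlier hunk, an empty optstring leaves a blank, unlabelled row in the pane; hiding the row when the string is empty would be tidier. setDetails is fully inside the hunk, but the DetailSection class it belongs to continues outside it.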
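Review bot: `optstring` is inserted in the middle of a 14-argument positional list, so any caller not updated in lockstep (extension.js is updated in this commit) would silently shift `expanded`, `expert` and `action` — the value that preselects the prompt's default choice — into the wrong slots with no error raised. Appending new parameters at the end, or bundling the per-connection details into a single object argument, would turn that kind of drift into a visible failure instead of a wrong default being shown to the user. The body of `update` continues past the end of the hunk.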
@@ -480,6 +488,6 @@ const PromptDialog = new Lang.Class({
 }
 this.optionList.buttonGroup._setChecked(this.optionList.scopeToIdx(action))
- this.info.setDetails(ip, path, pid, user, origin);
+ this.info.setDetails(ip, path, pid, user, origin, optstring);
 },
 });
diff --git a/gnome-shell/firewall@subgraph.com/extension.js b/gnome-shell/firewall@subgraph.com/extension.js
index f93b935..981bc3f 100644
--- a/gnome-shell/firewall@subgraph.com/extension.js
+++ b/gnome-shell/firewall@subgraph.com/extension.js
@@ -53,6 +53,7 @@ const FirewallPromptInterface = ' \
 \
 \
 \
+ \
 \
 \
 \
@@ -87,11 +88,11 @@ const FirewallPromptHandler = new Lang.Class({
 },
 
 RequestPromptAsync: function(params, invocation) {
- let [app, icon, path, address, port, ip, origin, user, pid, expanded, expert, action] = params;
+ let [app, icon, path, address, port, ip, origin, user, pid, optstring, expanded, expert, action] = params;
 this._closeDialog();
 this._dialog = new Dialog.PromptDialog(invocation);
 this._invocation = invocation;
- this._dialog.update(app, icon, path, address, port, ip, origin, user, pid, "TCP", expanded, expert, action);
+ this._dialog.update(app, icon, path, address, port, ip, origin, user, pid, "TCP", optstring, expanded, expert, action);
 this._dialog.open();
 },
 
diff --git a/sgfw/ipc.go b/sgfw/ipc.go
index 5776cbf..339ed41 100644
--- a/sgfw/ipc.go
+++ b/sgfw/ipc.go
@@ -30,7 +30,7 @@ func addInitPid(pid int) {
 func removeInitPid(pid int) {
 for i := 0; i < len(OzInitPids); i++ {
 if OzInitPids[i] == pid {
- OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:])
+ OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:]...)
 return
 }
 }
diff --git a/sgfw/policy.go b/sgfw/policy.go
index 7b30e54..4330962 100644
--- a/sgfw/policy.go
+++ b/sgfw/policy.go
@@ -38,6 +38,7 @@ type pendingConnection interface {
 policy() *Policy
 procInfo() *procsnitch.Info
 hostname() string
+ getOptString() string
 src() net.IP
 dst() net.IP
 dstPort() uint16
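Review bot: The `...` fix is correct — the old line tried to append a `[]int` as a single element and could not compile — but removeInitPid still mutates the package-level `OzInitPids` slice with no synchronisation visible in the hunk; if addInitPid/removeInitPid run on the IPC path while the packet path reads the slice to decide whose /proc/net to consult, that is a data race, so confirm a mutex guards it (the declaration is outside this hunk). The function also returns after the first match, so a PID registered twice stays registered unless addInitPid de-duplicates; a stale oz-init PID would then keep being consulted for attribution. A doc comment such as `// removeInitPid forgets a sandbox init PID; only the first matching entry is removed.` would make the single-removal behaviour explicit.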
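Review bot: `getOptString` breaks the naming pattern of the neighbouring interface methods (`policy`, `procInfo`, `hostname`), and Go convention omits the `Get` prefix on accessors; `optString() string` would read consistently with the rest of pendingConnection. The method is also added without a comment saying what the string is for or what an empty value means; `// optString returns free-form text appended to the prompt's details, e.g. "[Sandboxed application]", or "" when there is nothing to add.` would document the contract both implementers (pendingPkt and pendingSocksConnection) must satisfy. The interface definition continues outside the hunk.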
@@ -51,11 +52,12 @@ type pendingPkt struct {
 name string
 pkt *nfqueue.NFQPacket
 pinfo *procsnitch.Info
+ optstring string
 }
 
 func getEmptyPInfo() *procsnitch.Info {
 pinfo := procsnitch.Info{}
- pinfo.UID, pinfo.Pid, pinfo.ParentPid = 0, 0, 0
+ pinfo.UID, pinfo.Pid, pinfo.ParentPid = -1, -1, -1
 pinfo.ExePath = "[unknown-exe]"
 pinfo.CmdLine = "[unknown-cmdline]"
 pinfo.FirstArg = "[unknown-arg]"
@@ -76,6 +78,10 @@ func (pp *pendingPkt) procInfo() *procsnitch.Info {
 return pp.pinfo
 }
 
+func (pp *pendingPkt) getOptString() string {
+ return pp.optstring
+}
+
 func (pp *pendingPkt) hostname() string {
 return pp.name
 }
@@ -159,7 +165,7 @@ func (fw *Firewall) policyForPath(path string) *Policy {
 return fw.policyMap[path]
 }
 
-func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info) {
+func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, optstr string) {
 /*
 hbytes, err := pkt.GetHWAddr()
 if err != nil {
@@ -193,7 +199,7 @@ if name == "" {
 case FILTER_ALLOW:
 pkt.Accept()
 case FILTER_PROMPT:
- p.processPromptResult(&pendingPkt{pol: p, name: name, pkt: pkt, pinfo: pinfo})
+ p.processPromptResult(&pendingPkt{pol: p, name: name, pkt: pkt, pinfo: pinfo, optstring: optstr})
 default:
 log.Warningf("Unexpected filter result: %d", result)
 }
@@ -370,9 +376,11 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
 ppath := "*"
 
- pinfo := findProcessForPacket(pkt)
+ pinfo, optstring := findProcessForPacket(pkt)
 if pinfo == nil {
 pinfo = getEmptyPInfo()
+ ppath = "[unknown]"
+ optstring = "[Connection could not be mapped]"
 log.Warningf("No proc found for %s", printPacket(pkt, fw.dns.Lookup(dstip), nil))
 // pkt.Accept()
 // return
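Review bot: Moving the placeholder from 0 to -1 is a genuine fix — with 0 an unattributed connection was presented to the user as owned by uid 0 (root) and pid 0 — but the sentinel is now a bare literal repeated here, in lookupUser and in dialog.js with nothing tying them together; a package-level `const unknownID = -1` used at each Go site would keep them from drifting. The function also has no doc comment; `// getEmptyPInfo returns a placeholder Info for a connection whose owning process could not be found. UID, Pid and ParentPid are -1, which callers must treat as "unknown", never as a real id.` would state the contract. Any other consumer of UID or Pid not updated in this commit (rule matching on user, logging) now sees -1 instead of 0 — worth checking, as those call sites are outside the hunk.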
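Review bot: With `ppath = "[unknown]"`, every packet whose owning process cannot be found is now routed to one synthetic policy keyed on that literal, so a rule the user saves from such a prompt applies to every future unattributed connection regardless of which process made it — an attribution failure (a race with a short-lived socket, or an unregistered sandbox) would then be covered by whatever the user once allowed for a different unmapped connection. Whether such rules can be persisted depends on PolicyForPath and the prompt's scope handling, which are outside this hunk; if they can, the `[unknown]` policy should be limited to one-shot/session scope, and the literal should be a named constant alongside getEmptyPInfo's placeholders. A comment at the assignment, `// "[unknown]" is a synthetic policy path shared by all unattributed connections; rules saved under it must not be persisted.`, would record the intent. filterPacket starts and ends outside the hunk.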
@@ -396,7 +404,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
 }
 policy := fw.PolicyForPath(ppath)
 //log.Notice("XXX: flunked basicallowpacket; policy = ", policy)
- policy.processPacket(pkt, pinfo)
+ policy.processPacket(pkt, pinfo, optstring)
 }
 
 func readFileDirect(filename string) ([]byte, error) {
@@ -467,9 +475,10 @@fmt.Println("XXX: opening: ", fname)
 return rlines, nil
 }
 
-func findProcessForPacket(pkt *nfqueue.NFQPacket) *procsnitch.Info {
+func findProcessForPacket(pkt *nfqueue.NFQPacket) (*procsnitch.Info, string) {
 srcip, dstip := getPacketIP4Addrs(pkt)
 srcp, dstp := getPacketPorts(pkt)
+ optstr := ""
 
 if pkt.Packet.Layer(layers.LayerTypeTCP) != nil {
 // Try normal way first, before the more resource intensive/invasive way.
@@ -482,17 +491,18 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket) *procsnitch.Info {
 log.Warningf("Error looking up sandboxed /proc/net data: %v", err)
 } else {
 res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, extdata)
+ optstr = "[Sandboxed application]"
 }
 }
 
- return res
+ return res, optstr
 } else if pkt.Packet.Layer(layers.LayerTypeUDP) != nil {
- return procsnitch.LookupUDPSocketProcess(srcp)
+ return procsnitch.LookupUDPSocketProcess(srcp), optstr
 }
 
 log.Warningf("Packet has unknown protocol: %d", pkt.Packet.NetworkLayer().LayerType())
 //log.Warningf("Packet has unknown protocol: %d", pkt.Protocol)
- return nil
+ return nil, optstr
 }
 
 func basicAllowPacket(pkt *nfqueue.NFQPacket) bool {
diff --git a/sgfw/prompt.go b/sgfw/prompt.go
index 5b09c10..8b83167 100644
--- a/sgfw/prompt.go
+++ b/sgfw/prompt.go
@@ -78,6 +78,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
 pc.src().String(),
 uidToUser(pc.procInfo().UID),
 int32(pc.procInfo().Pid),
+ pc.getOptString(),
 FirewallConfig.PromptExpanded,
 FirewallConfig.PromptExpert,
 int32(FirewallConfig.DefaultActionID))
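Review bot: The UDP branch, `return procsnitch.LookupUDPSocketProcess(srcp), optstr`, gets no counterpart to the sandboxed /proc/net fallback the TCP branch has, so UDP traffic from a sandboxed process (DNS being the obvious case) will presumably come back nil and be prompted as `[Connection could not be mapped]`; either add the fallback or mark the gap with `// TODO: no sandboxed fallback for UDP; sandboxed UDP is reported as unmapped`. `optstr` is also set to `[Sandboxed application]` merely because the fallback lookup ran, even when `res` is still nil afterwards; the caller in filterPacket happens to overwrite it in that case, but guarding the assignment with `res != nil` would keep this function's own return self-consistent. The label names no sandbox, so the user cannot tell which container owns the socket when deciding allow/deny — if `extdata` identifies the sandbox, surfacing its name here would be more useful than a generic tag. The TCP lookup this hunk completes begins in the previous hunk.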
@@ -143,6 +144,9 @@ func (p *prompter) removePolicy(policy *Policy) {
 var userMap = make(map[int]string)
 
 func lookupUser(uid int) string {
+ if uid == -1 {
+ return "[unknown]"
+ }
 u, err := user.LookupId(strconv.Itoa(uid))
 if err != nil {
 return fmt.Sprintf("%d", uid)
diff --git a/sgfw/socks_server_chain.go b/sgfw/socks_server_chain.go
index 338299a..1c97b48 100644
--- a/sgfw/socks_server_chain.go
+++ b/sgfw/socks_server_chain.go
@@ -59,6 +59,10 @@ func (sc *pendingSocksConnection) procInfo() *procsnitch.Info {
 return sc.pinfo
 }
 
+func (sc *pendingSocksConnection) getOptString() string {
+ return ""
+}
+
 func (sc *pendingSocksConnection) hostname() string {
 return sc.hname
 }
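Review bot: The guard `if uid == -1` tests for exactly the placeholder getEmptyPInfo produces; `if uid < 0` would cover every negative value (no real uid is negative) and a shared named constant would tie the two sites together. Without the guard, `user.LookupId("-1")` would fail and the existing fallback would already render `-1`, so the change is presentational; a comment saying so, `// -1 is the "process not found" placeholder from getEmptyPInfo, not a real uid`, keeps the intent clear. lookupUser's body continues past the hunk.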