Added extra display info for "Sandboxed application" in fw-prompt gnome shell GUI.

fw-prompt GUI gracefully displays unknown PIDs and UIDs. Fixed stupid syntax error bug in oz-init PID management code.
8 years ago · b4ed11261f
parent 7a1851419c
commit b4ed11261f
6 changed files with 43 additions and 16 deletions
--- a/gnome-shell/firewall@subgraph.com/dialog.js
+++ b/gnome-shell/firewall@subgraph.com/dialog.js
@ -30,6 +30,7 @@ const DetailSection = new Lang.Class({
        this.pid = this._addDetails("Process ID:");
 	this.origin = this._addDetails("Origin:");
        this.user = this._addDetails("User:");
        this.optstring = this._addDetails("");
    },
    _addDetails: function(text) {
@ -40,12 +41,19 @@ const DetailSection = new Lang.Class({
        return msg;
    },
-    setDetails: function(ip, path, pid, user, origin) {
+    setDetails: function(ip, path, pid, user, origin, optstring) {
        this.ipAddr.text = ip;
        this.path.text = path;
 	if (pid == -1) {
 		this.pid.text = '[unknown]';
 	} else {
 		this.pid.text = pid.toString();
 	}
 	this.origin.text = origin;
        this.user.text = user;
 	this.optstring.text = optstring
    }
 });
@ -451,7 +459,7 @@ const PromptDialog = new Lang.Class({
        }
    },
-    update: function(application, icon, path, address, port, ip, origin, user, pid, proto, expanded, expert, action) {
+    update: function(application, icon, path, address, port, ip, origin, user, pid, proto, optstring, expanded, expert, action) {
        this._address = address;
        this._port = port;
@ -480,6 +488,6 @@ const PromptDialog = new Lang.Class({
        }
        this.optionList.buttonGroup._setChecked(this.optionList.scopeToIdx(action))
-        this.info.setDetails(ip, path, pid, user, origin);
+        this.info.setDetails(ip, path, pid, user, origin, optstring);
    },
 });
--- a/gnome-shell/firewall@subgraph.com/extension.js
+++ b/gnome-shell/firewall@subgraph.com/extension.js
@ -53,6 +53,7 @@ const FirewallPromptInterface = '<node> \
        <arg type="s" direction="in" name="origin" /> \
        <arg type="s" direction="in" name="user" /> \
        <arg type="i" direction="in" name="pid" /> \
        <arg type="s" direction="in" name="optstring" /> \
        <arg type="b" direction="in" name="expanded" /> \
        <arg type="b" direction="in" name="expert" /> \
        <arg type="i" direction="in" name="action" /> \
@ -87,11 +88,11 @@ const FirewallPromptHandler = new Lang.Class({
    },
    RequestPromptAsync: function(params, invocation) {
-        let [app, icon, path, address, port, ip, origin, user, pid, expanded, expert, action] = params;
+        let [app, icon, path, address, port, ip, origin, user, pid, optstring, expanded, expert, action] = params;
        this._closeDialog();
        this._dialog = new Dialog.PromptDialog(invocation);
        this._invocation = invocation;
-        this._dialog.update(app, icon, path, address, port, ip, origin, user, pid, "TCP", expanded, expert, action);
+        this._dialog.update(app, icon, path, address, port, ip, origin, user, pid, "TCP", optstring, expanded, expert, action);
        this._dialog.open();
    },
--- a/sgfw/ipc.go
+++ b/sgfw/ipc.go
@ -30,7 +30,7 @@ func addInitPid(pid int) {
 func removeInitPid(pid int) {
 	for i := 0; i < len(OzInitPids); i++ {
 		if OzInitPids[i] == pid {
-			OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:])
+			OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:]...)
 			return
 		}
 	}
--- a/sgfw/policy.go
+++ b/sgfw/policy.go
@ -38,6 +38,7 @@ type pendingConnection interface {
 	policy() *Policy
 	procInfo() *procsnitch.Info
 	hostname() string
 	getOptString() string
 	src() net.IP
 	dst() net.IP
 	dstPort() uint16
@ -51,11 +52,12 @@ type pendingPkt struct {
 	name  string
 	pkt   *nfqueue.NFQPacket
 	pinfo *procsnitch.Info
 	optstring string
 }
 func getEmptyPInfo() *procsnitch.Info {
 	pinfo := procsnitch.Info{}
-	pinfo.UID, pinfo.Pid, pinfo.ParentPid = 0, 0, 0
+	pinfo.UID, pinfo.Pid, pinfo.ParentPid = -1, -1, -1
 	pinfo.ExePath = "[unknown-exe]"
 	pinfo.CmdLine = "[unknown-cmdline]"
 	pinfo.FirstArg = "[unknown-arg]"
@ -76,6 +78,10 @@ func (pp *pendingPkt) procInfo() *procsnitch.Info {
 	return pp.pinfo
 }
 func (pp *pendingPkt) getOptString() string {
 	return pp.optstring
 }
 func (pp *pendingPkt) hostname() string {
 	return pp.name
 }
@ -159,7 +165,7 @@ func (fw *Firewall) policyForPath(path string) *Policy {
 	return fw.policyMap[path]
 }
-func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info) {
+func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, optstr string) {
 /*	hbytes, err := pkt.GetHWAddr()
 	if err != nil {
@ -193,7 +199,7 @@ if name == "" {
 	case FILTER_ALLOW:
 		pkt.Accept()
 	case FILTER_PROMPT:
-		p.processPromptResult(&pendingPkt{pol: p, name: name, pkt: pkt, pinfo: pinfo})
+		p.processPromptResult(&pendingPkt{pol: p, name: name, pkt: pkt, pinfo: pinfo, optstring: optstr})
 	default:
 		log.Warningf("Unexpected filter result: %d", result)
 	}
@ -370,9 +376,11 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
 	ppath := "*"
-	pinfo := findProcessForPacket(pkt)
+	pinfo, optstring := findProcessForPacket(pkt)
 	if pinfo == nil {
 		pinfo = getEmptyPInfo()
 		ppath = "[unknown]"
 		optstring = "[Connection could not be mapped]"
 		log.Warningf("No proc found for %s", printPacket(pkt, fw.dns.Lookup(dstip), nil))
 //		pkt.Accept()
 //		return
@ -396,7 +404,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
 	}
 	policy := fw.PolicyForPath(ppath)
 //log.Notice("XXX: flunked basicallowpacket; policy = ", policy)
-	policy.processPacket(pkt, pinfo)
+	policy.processPacket(pkt, pinfo, optstring)
 }
 func readFileDirect(filename string) ([]byte, error) {
@ -467,9 +475,10 @@ fmt.Println("XXX: opening: ", fname)
 	return rlines, nil
 }
-func findProcessForPacket(pkt *nfqueue.NFQPacket) *procsnitch.Info {
+func findProcessForPacket(pkt *nfqueue.NFQPacket) (*procsnitch.Info, string) {
 	srcip, dstip := getPacketIP4Addrs(pkt)
 	srcp, dstp := getPacketPorts(pkt)
 	optstr := ""
 	if pkt.Packet.Layer(layers.LayerTypeTCP) != nil {
 		// Try normal way first, before the more resource intensive/invasive way.
@ -482,17 +491,18 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket) *procsnitch.Info {
 				log.Warningf("Error looking up sandboxed /proc/net data: %v", err)
 			} else {
 				res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, extdata)
 				optstr = "[Sandboxed application]"
 			}
 		}
-		return res
+		return res, optstr
 	} else if pkt.Packet.Layer(layers.LayerTypeUDP) != nil {
-		return procsnitch.LookupUDPSocketProcess(srcp)
+		return procsnitch.LookupUDPSocketProcess(srcp), optstr
 	}
 	log.Warningf("Packet has unknown protocol: %d", pkt.Packet.NetworkLayer().LayerType())
 	//log.Warningf("Packet has unknown protocol: %d", pkt.Protocol)
-	return nil
+	return nil, optstr
 }
 func basicAllowPacket(pkt *nfqueue.NFQPacket) bool {
--- a/sgfw/prompt.go
+++ b/sgfw/prompt.go
@ -78,6 +78,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
 		pc.src().String(),
 		uidToUser(pc.procInfo().UID),
 		int32(pc.procInfo().Pid),
 		pc.getOptString(),
 		FirewallConfig.PromptExpanded,
 		FirewallConfig.PromptExpert,
 		int32(FirewallConfig.DefaultActionID))
@ -143,6 +144,9 @@ func (p *prompter) removePolicy(policy *Policy) {
 var userMap = make(map[int]string)
 func lookupUser(uid int) string {
 	if uid == -1 {
 		return "[unknown]"
 	}
 	u, err := user.LookupId(strconv.Itoa(uid))
 	if err != nil {
 		return fmt.Sprintf("%d", uid)
--- a/sgfw/socks_server_chain.go
+++ b/sgfw/socks_server_chain.go
@ -59,6 +59,10 @@ func (sc *pendingSocksConnection) procInfo() *procsnitch.Info {
 	return sc.pinfo
 }
 func (sc *pendingSocksConnection) getOptString() string {
 	return ""
 }
 func (sc *pendingSocksConnection) hostname() string {
 	return sc.hname
 }