Added extra display info for "Sandboxed application" in fw-prompt gnome shell GUI.

fw-prompt GUI gracefully displays unknown PIDs and UIDs.
Fixed stupid syntax error bug in oz-init PID management code.
shw_dev
shw 8 years ago
parent 7a1851419c
commit b4ed11261f

@ -30,6 +30,7 @@ const DetailSection = new Lang.Class({
this.pid = this._addDetails("Process ID:"); this.pid = this._addDetails("Process ID:");
this.origin = this._addDetails("Origin:"); this.origin = this._addDetails("Origin:");
this.user = this._addDetails("User:"); this.user = this._addDetails("User:");
this.optstring = this._addDetails("");
}, },
_addDetails: function(text) { _addDetails: function(text) {
@ -40,12 +41,19 @@ const DetailSection = new Lang.Class({
return msg; return msg;
}, },
setDetails: function(ip, path, pid, user, origin) { setDetails: function(ip, path, pid, user, origin, optstring) {
this.ipAddr.text = ip; this.ipAddr.text = ip;
this.path.text = path; this.path.text = path;
if (pid == -1) {
this.pid.text = '[unknown]';
} else {
this.pid.text = pid.toString(); this.pid.text = pid.toString();
}
this.origin.text = origin; this.origin.text = origin;
this.user.text = user; this.user.text = user;
this.optstring.text = optstring
} }
}); });
@ -451,7 +459,7 @@ const PromptDialog = new Lang.Class({
} }
}, },
update: function(application, icon, path, address, port, ip, origin, user, pid, proto, expanded, expert, action) { update: function(application, icon, path, address, port, ip, origin, user, pid, proto, optstring, expanded, expert, action) {
this._address = address; this._address = address;
this._port = port; this._port = port;
@ -480,6 +488,6 @@ const PromptDialog = new Lang.Class({
} }
this.optionList.buttonGroup._setChecked(this.optionList.scopeToIdx(action)) this.optionList.buttonGroup._setChecked(this.optionList.scopeToIdx(action))
this.info.setDetails(ip, path, pid, user, origin); this.info.setDetails(ip, path, pid, user, origin, optstring);
}, },
}); });

@ -53,6 +53,7 @@ const FirewallPromptInterface = '<node> \
<arg type="s" direction="in" name="origin" /> \ <arg type="s" direction="in" name="origin" /> \
<arg type="s" direction="in" name="user" /> \ <arg type="s" direction="in" name="user" /> \
<arg type="i" direction="in" name="pid" /> \ <arg type="i" direction="in" name="pid" /> \
<arg type="s" direction="in" name="optstring" /> \
<arg type="b" direction="in" name="expanded" /> \ <arg type="b" direction="in" name="expanded" /> \
<arg type="b" direction="in" name="expert" /> \ <arg type="b" direction="in" name="expert" /> \
<arg type="i" direction="in" name="action" /> \ <arg type="i" direction="in" name="action" /> \
@ -87,11 +88,11 @@ const FirewallPromptHandler = new Lang.Class({
}, },
RequestPromptAsync: function(params, invocation) { RequestPromptAsync: function(params, invocation) {
let [app, icon, path, address, port, ip, origin, user, pid, expanded, expert, action] = params; let [app, icon, path, address, port, ip, origin, user, pid, optstring, expanded, expert, action] = params;
this._closeDialog(); this._closeDialog();
this._dialog = new Dialog.PromptDialog(invocation); this._dialog = new Dialog.PromptDialog(invocation);
this._invocation = invocation; this._invocation = invocation;
this._dialog.update(app, icon, path, address, port, ip, origin, user, pid, "TCP", expanded, expert, action); this._dialog.update(app, icon, path, address, port, ip, origin, user, pid, "TCP", optstring, expanded, expert, action);
this._dialog.open(); this._dialog.open();
}, },

@ -30,7 +30,7 @@ func addInitPid(pid int) {
func removeInitPid(pid int) { func removeInitPid(pid int) {
for i := 0; i < len(OzInitPids); i++ { for i := 0; i < len(OzInitPids); i++ {
if OzInitPids[i] == pid { if OzInitPids[i] == pid {
OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:]) OzInitPids = append(OzInitPids[:i], OzInitPids[i+1:]...)
return return
} }
} }

@ -38,6 +38,7 @@ type pendingConnection interface {
policy() *Policy policy() *Policy
procInfo() *procsnitch.Info procInfo() *procsnitch.Info
hostname() string hostname() string
getOptString() string
src() net.IP src() net.IP
dst() net.IP dst() net.IP
dstPort() uint16 dstPort() uint16
@ -51,11 +52,12 @@ type pendingPkt struct {
name string name string
pkt *nfqueue.NFQPacket pkt *nfqueue.NFQPacket
pinfo *procsnitch.Info pinfo *procsnitch.Info
optstring string
} }
func getEmptyPInfo() *procsnitch.Info { func getEmptyPInfo() *procsnitch.Info {
pinfo := procsnitch.Info{} pinfo := procsnitch.Info{}
pinfo.UID, pinfo.Pid, pinfo.ParentPid = 0, 0, 0 pinfo.UID, pinfo.Pid, pinfo.ParentPid = -1, -1, -1
pinfo.ExePath = "[unknown-exe]" pinfo.ExePath = "[unknown-exe]"
pinfo.CmdLine = "[unknown-cmdline]" pinfo.CmdLine = "[unknown-cmdline]"
pinfo.FirstArg = "[unknown-arg]" pinfo.FirstArg = "[unknown-arg]"
@ -76,6 +78,10 @@ func (pp *pendingPkt) procInfo() *procsnitch.Info {
return pp.pinfo return pp.pinfo
} }
func (pp *pendingPkt) getOptString() string {
return pp.optstring
}
func (pp *pendingPkt) hostname() string { func (pp *pendingPkt) hostname() string {
return pp.name return pp.name
} }
@ -159,7 +165,7 @@ func (fw *Firewall) policyForPath(path string) *Policy {
return fw.policyMap[path] return fw.policyMap[path]
} }
func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info) { func (p *Policy) processPacket(pkt *nfqueue.NFQPacket, pinfo *procsnitch.Info, optstr string) {
/* hbytes, err := pkt.GetHWAddr() /* hbytes, err := pkt.GetHWAddr()
if err != nil { if err != nil {
@ -193,7 +199,7 @@ if name == "" {
case FILTER_ALLOW: case FILTER_ALLOW:
pkt.Accept() pkt.Accept()
case FILTER_PROMPT: case FILTER_PROMPT:
p.processPromptResult(&pendingPkt{pol: p, name: name, pkt: pkt, pinfo: pinfo}) p.processPromptResult(&pendingPkt{pol: p, name: name, pkt: pkt, pinfo: pinfo, optstring: optstr})
default: default:
log.Warningf("Unexpected filter result: %d", result) log.Warningf("Unexpected filter result: %d", result)
} }
@ -370,9 +376,11 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
ppath := "*" ppath := "*"
pinfo := findProcessForPacket(pkt) pinfo, optstring := findProcessForPacket(pkt)
if pinfo == nil { if pinfo == nil {
pinfo = getEmptyPInfo() pinfo = getEmptyPInfo()
ppath = "[unknown]"
optstring = "[Connection could not be mapped]"
log.Warningf("No proc found for %s", printPacket(pkt, fw.dns.Lookup(dstip), nil)) log.Warningf("No proc found for %s", printPacket(pkt, fw.dns.Lookup(dstip), nil))
// pkt.Accept() // pkt.Accept()
// return // return
@ -396,7 +404,7 @@ func (fw *Firewall) filterPacket(pkt *nfqueue.NFQPacket) {
} }
policy := fw.PolicyForPath(ppath) policy := fw.PolicyForPath(ppath)
//log.Notice("XXX: flunked basicallowpacket; policy = ", policy) //log.Notice("XXX: flunked basicallowpacket; policy = ", policy)
policy.processPacket(pkt, pinfo) policy.processPacket(pkt, pinfo, optstring)
} }
func readFileDirect(filename string) ([]byte, error) { func readFileDirect(filename string) ([]byte, error) {
@ -467,9 +475,10 @@ fmt.Println("XXX: opening: ", fname)
return rlines, nil return rlines, nil
} }
func findProcessForPacket(pkt *nfqueue.NFQPacket) *procsnitch.Info { func findProcessForPacket(pkt *nfqueue.NFQPacket) (*procsnitch.Info, string) {
srcip, dstip := getPacketIP4Addrs(pkt) srcip, dstip := getPacketIP4Addrs(pkt)
srcp, dstp := getPacketPorts(pkt) srcp, dstp := getPacketPorts(pkt)
optstr := ""
if pkt.Packet.Layer(layers.LayerTypeTCP) != nil { if pkt.Packet.Layer(layers.LayerTypeTCP) != nil {
// Try normal way first, before the more resource intensive/invasive way. // Try normal way first, before the more resource intensive/invasive way.
@ -482,17 +491,18 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket) *procsnitch.Info {
log.Warningf("Error looking up sandboxed /proc/net data: %v", err) log.Warningf("Error looking up sandboxed /proc/net data: %v", err)
} else { } else {
res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, extdata) res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, extdata)
optstr = "[Sandboxed application]"
} }
} }
return res return res, optstr
} else if pkt.Packet.Layer(layers.LayerTypeUDP) != nil { } else if pkt.Packet.Layer(layers.LayerTypeUDP) != nil {
return procsnitch.LookupUDPSocketProcess(srcp) return procsnitch.LookupUDPSocketProcess(srcp), optstr
} }
log.Warningf("Packet has unknown protocol: %d", pkt.Packet.NetworkLayer().LayerType()) log.Warningf("Packet has unknown protocol: %d", pkt.Packet.NetworkLayer().LayerType())
//log.Warningf("Packet has unknown protocol: %d", pkt.Protocol) //log.Warningf("Packet has unknown protocol: %d", pkt.Protocol)
return nil return nil, optstr
} }
func basicAllowPacket(pkt *nfqueue.NFQPacket) bool { func basicAllowPacket(pkt *nfqueue.NFQPacket) bool {

@ -78,6 +78,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
pc.src().String(), pc.src().String(),
uidToUser(pc.procInfo().UID), uidToUser(pc.procInfo().UID),
int32(pc.procInfo().Pid), int32(pc.procInfo().Pid),
pc.getOptString(),
FirewallConfig.PromptExpanded, FirewallConfig.PromptExpanded,
FirewallConfig.PromptExpert, FirewallConfig.PromptExpert,
int32(FirewallConfig.DefaultActionID)) int32(FirewallConfig.DefaultActionID))
@ -143,6 +144,9 @@ func (p *prompter) removePolicy(policy *Policy) {
var userMap = make(map[int]string) var userMap = make(map[int]string)
func lookupUser(uid int) string { func lookupUser(uid int) string {
if uid == -1 {
return "[unknown]"
}
u, err := user.LookupId(strconv.Itoa(uid)) u, err := user.LookupId(strconv.Itoa(uid))
if err != nil { if err != nil {
return fmt.Sprintf("%d", uid) return fmt.Sprintf("%d", uid)

@ -59,6 +59,10 @@ func (sc *pendingSocksConnection) procInfo() *procsnitch.Info {
return sc.pinfo return sc.pinfo
} }
func (sc *pendingSocksConnection) getOptString() string {
return ""
}
func (sc *pendingSocksConnection) hostname() string { func (sc *pendingSocksConnection) hostname() string {
return sc.hname return sc.hname
} }

Loading…
Cancel
Save