From ba35abfb4675ca4fa5f299216bf41a9867a979b0 Mon Sep 17 00:00:00 2001 From: shw Date: Wed, 10 May 2017 00:26:34 +0000 Subject: [PATCH] Name of sandboxed exe returned by procsnitch is now resolved to absolute pathname. --- sgfw/policy.go | 57 ++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 51 insertions(+), 6 deletions(-) diff --git a/sgfw/policy.go b/sgfw/policy.go index 4330962..c3463de 100644 --- a/sgfw/policy.go +++ b/sgfw/policy.go @@ -15,6 +15,7 @@ import ( "net" "syscall" "unsafe" + "os" ) var _interpreters = []string{ @@ -475,6 +476,22 @@ fmt.Println("XXX: opening: ", fname) return rlines, nil } +func getRealRoot(pathname string, pid int) string { + pfname := fmt.Sprintf("/proc/%d/root", pid) + lnk, err := os.Readlink(pfname) + + if err != nil { + fmt.Printf("Error reading link at %s: %v", pfname, err) + return pathname + } + + if strings.HasPrefix(pathname, lnk) { + return pathname[len(lnk):] + } + + return pathname +} + func findProcessForPacket(pkt *nfqueue.NFQPacket) (*procsnitch.Info, string) { srcip, dstip := getPacketIP4Addrs(pkt) srcp, dstp := getPacketPorts(pkt) @@ -485,13 +502,41 @@ func findProcessForPacket(pkt *nfqueue.NFQPacket) (*procsnitch.Info, string) { res := procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, nil) if res == nil { - extdata, err := getAllProcNetDataLocal() - if err != nil { - log.Warningf("Error looking up sandboxed /proc/net data: %v", err) - } else { - res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, extdata) - optstr = "[Sandboxed application]" + for i := 0; i < len(OzInitPids); i++ { + data := "" + fname := fmt.Sprintf("/proc/%d/net/tcp", OzInitPids[i]) +fmt.Println("XXX: opening: ", fname) + bdata, err := readFileDirect(fname) + + if err != nil { + fmt.Println("Error reading proc data from ", fname, ": ", err) + continue + } else { + data = string(bdata) + lines := strings.Split(data, "\n") + rlines := make([]string, 0) + + for l := 0; l < len(lines); l++ { + lines[l] = strings.TrimSpace(lines[l]) + ssplit := strings.Split(lines[l], ":") + + if len(ssplit) != 6 { + continue + } + + rlines = append(rlines, strings.Join(ssplit, ":")) + } + + res = procsnitch.LookupTCPSocketProcessAll(srcip, srcp, dstip, dstp, rlines) + + if res != nil { + optstr = "[Sandboxed application]" + res.ExePath = getRealRoot(res.ExePath, OzInitPids[i]) + break + } + } + } }