Implementation of filtering and prompting for Socks connections

socks-filter
Bruce Leidl 9 years ago
parent 5d44cd4e2f
commit c779cc6b9b

@ -13,10 +13,10 @@ import (
"time" "time"
"unsafe" "unsafe"
"github.com/op/go-logging"
"github.com/subgraph/fw-daemon/nfqueue" "github.com/subgraph/fw-daemon/nfqueue"
"github.com/subgraph/go-procsnitch" "github.com/subgraph/go-procsnitch"
// "github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/op/go-logging" // "github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/op/go-logging"
"github.com/op/go-logging"
) )
var log = logging.MustGetLogger("sgfw") var log = logging.MustGetLogger("sgfw")
@ -172,10 +172,10 @@ func loadConfiguration(configFilePath string) (*SocksJsonConfig, error) {
func getSocksChainConfig(config *SocksJsonConfig) *socksChainConfig { func getSocksChainConfig(config *SocksJsonConfig) *socksChainConfig {
// XXX // XXX
fields := strings.Split(config.TorSocks, ":") fields := strings.Split(config.TorSocks, "|")
torSocksNet := fields[0] torSocksNet := fields[0]
torSocksAddr := fields[1] torSocksAddr := fields[1]
fields = strings.Split(config.SocksListener, ":") fields = strings.Split(config.SocksListener, "|")
socksListenNet := fields[0] socksListenNet := fields[0]
socksListenAddr := fields[1] socksListenAddr := fields[1]
socksConfig := socksChainConfig{ socksConfig := socksChainConfig{
@ -233,7 +233,7 @@ func main() {
*/ */
wg := sync.WaitGroup{} wg := sync.WaitGroup{}
chain := NewSocksChain(socksConfig, &wg, ds) chain := NewSocksChain(socksConfig, &wg, fw)
chain.start() chain.start()
fw.runFilter() fw.runFilter()

@ -1,7 +1,6 @@
package main package main
import ( import (
"fmt"
"io" "io"
"net" "net"
"os" "os"
@ -9,6 +8,7 @@ import (
"github.com/subgraph/fw-daemon/socks5" "github.com/subgraph/fw-daemon/socks5"
"github.com/subgraph/go-procsnitch" "github.com/subgraph/go-procsnitch"
"strconv"
) )
type socksChainConfig struct { type socksChainConfig struct {
@ -20,14 +20,10 @@ type socksChainConfig struct {
type socksChain struct { type socksChain struct {
cfg *socksChainConfig cfg *socksChainConfig
dbus *dbusServer fw *Firewall
listener net.Listener listener net.Listener
wg *sync.WaitGroup wg *sync.WaitGroup
procInfo procsnitch.ProcInfo procInfo procsnitch.ProcInfo
lock sync.Mutex
policyMap map[string]*Policy
policies []*Policy
} }
type socksChainSession struct { type socksChainSession struct {
@ -41,13 +37,56 @@ type socksChainSession struct {
server *socksChain server *socksChain
} }
func NewSocksChain(cfg *socksChainConfig, wg *sync.WaitGroup, dbus *dbusServer) *socksChain { const (
socksVerdictDrop = 1
socksVerdictAccept = 2
)
type pendingSocksConnection struct {
pol *Policy
hname string
destIP net.IP
destPort uint16
pinfo *procsnitch.Info
verdict chan int
}
func (sc *pendingSocksConnection) policy() *Policy {
return sc.pol
}
func (sc *pendingSocksConnection) procInfo() *procsnitch.Info {
return sc.pinfo
}
func (sc *pendingSocksConnection) hostname() string {
return sc.hname
}
func (sc *pendingSocksConnection) dst() net.IP {
return sc.destIP
}
func (sc *pendingSocksConnection) dstPort() uint16 {
return sc.destPort
}
func (sc *pendingSocksConnection) deliverVerdict(v int) {
sc.verdict <- v
close(sc.verdict)
}
func (sc *pendingSocksConnection) accept() { sc.deliverVerdict(socksVerdictAccept) }
func (sc *pendingSocksConnection) drop() { sc.deliverVerdict(socksVerdictDrop) }
func (sc *pendingSocksConnection) print() string { return "socks connection" }
func NewSocksChain(cfg *socksChainConfig, wg *sync.WaitGroup, fw *Firewall) *socksChain {
chain := socksChain{ chain := socksChain{
cfg: cfg, cfg: cfg,
dbus: dbus, fw: fw,
wg: wg, wg: wg,
procInfo: procsnitch.SystemProcInfo{}, procInfo: procsnitch.SystemProcInfo{},
policyMap: make(map[string]*Policy),
} }
return &chain return &chain
} }
@ -58,7 +97,7 @@ func (s *socksChain) start() {
var err error var err error
s.listener, err = net.Listen(s.cfg.ListenSocksNet, s.cfg.ListenSocksAddr) s.listener, err = net.Listen(s.cfg.ListenSocksNet, s.cfg.ListenSocksAddr)
if err != nil { if err != nil {
log.Error("ERR/socks: Failed to listen on the socks address: %v", err) log.Errorf("ERR/socks: Failed to listen on the socks address: %v", err)
os.Exit(1) os.Exit(1)
} }
@ -74,7 +113,7 @@ func (s *socksChain) socksAcceptLoop() error {
conn, err := s.listener.Accept() conn, err := s.listener.Accept()
if err != nil { if err != nil {
if e, ok := err.(net.Error); ok && !e.Temporary() { if e, ok := err.(net.Error); ok && !e.Temporary() {
log.Info("ERR/socks: Failed to Accept(): %v", err) log.Infof("ERR/socks: Failed to Accept(): %v", err)
return err return err
} }
continue continue
@ -88,30 +127,15 @@ func (c *socksChainSession) sessionWorker() {
defer c.clientConn.Close() defer c.clientConn.Close()
clientAddr := c.clientConn.RemoteAddr() clientAddr := c.clientConn.RemoteAddr()
log.Info("INFO/socks: New connection from: %v", clientAddr) log.Infof("INFO/socks: New connection from: %v", clientAddr)
// Do the SOCKS handshake with the client, and read the command. // Do the SOCKS handshake with the client, and read the command.
var err error var err error
if c.req, err = socks5.Handshake(c.clientConn); err != nil { if c.req, err = socks5.Handshake(c.clientConn); err != nil {
log.Info("ERR/socks: Failed SOCKS5 handshake: %v", err) log.Infof("ERR/socks: Failed SOCKS5 handshake: %v", err)
return return
} }
pinfo := procsnitch.FindProcessForConnection(c.clientConn, c.procInfo)
if pinfo == nil {
log.Warning("No proc found for connection from: %s", c.clientConn.RemoteAddr())
return
}
// XXX work-in-progress
// Determine policy for the connection
// if destination not specified in existing policy
// then prompt user for policy ALLOW/DENY for that destination
c.server.lock.Lock()
policy := c.policyForPath(pinfo.ExePath)
c.server.lock.Unlock()
fmt.Printf("policyForPath %s is %s\n", pinfo.ExePath, policy)
switch c.req.Cmd { switch c.req.Cmd {
case socks5.CommandTorResolve, socks5.CommandTorResolvePTR: case socks5.CommandTorResolve, socks5.CommandTorResolvePTR:
err = c.dispatchTorSOCKS() err = c.dispatchTorSOCKS()
@ -121,16 +145,78 @@ func (c *socksChainSession) sessionWorker() {
// Successfully even, send the response back with the addresc. // Successfully even, send the response back with the addresc.
c.req.ReplyAddr(socks5.ReplySucceeded, c.bndAddr) c.req.ReplyAddr(socks5.ReplySucceeded, c.bndAddr)
} }
return
case socks5.CommandConnect: case socks5.CommandConnect:
if !c.filterConnect() {
c.req.Reply(socks5.ReplyConnectionRefused)
return
}
c.handleConnect()
default: default:
// Should *NEVER* happen, validated as part of handshake. // Should *NEVER* happen, validated as part of handshake.
log.Info("BUG/socks: Unsupported SOCKS command: 0x%02x", c.req.Cmd) log.Infof("BUG/socks: Unsupported SOCKS command: 0x%02x", c.req.Cmd)
c.req.Reply(socks5.ReplyCommandNotSupported) c.req.Reply(socks5.ReplyCommandNotSupported)
return
} }
}
func (c *socksChainSession) addressDetails() (string, net.IP, uint16) {
addr := c.req.Addr
host, pstr := addr.HostPort()
port, err := strconv.ParseUint(pstr, 10, 16)
if err != nil || port == 0 || port > 0xFFFF {
log.Warningf("Illegal port value in socks address: %v", addr)
return "", nil, 0
}
if addr.Type() == 3 {
return host, nil, uint16(port)
}
ip := net.ParseIP(host)
if ip == nil {
log.Warningf("Failed to extract address information from socks address: %v", addr)
}
return "", ip, uint16(port)
}
err = c.dispatchTorSOCKS() func (c *socksChainSession) filterConnect() bool {
pinfo := procsnitch.FindProcessForConnection(c.clientConn, c.procInfo)
if pinfo == nil {
log.Warningf("No proc found for connection from: %s", c.clientConn.RemoteAddr())
return false
}
policy := c.server.fw.PolicyForPath(pinfo.ExePath)
hostname, ip, port := c.addressDetails()
if ip == nil && hostname == "" {
return false
}
result := policy.rules.filter(ip, port, hostname, pinfo)
switch result {
case FILTER_DENY:
return false
case FILTER_ALLOW:
return true
case FILTER_PROMPT:
pending := &pendingSocksConnection{
pol: policy,
hname: hostname,
destIP: ip,
destPort: port,
pinfo: pinfo,
verdict: make(chan int),
}
policy.processPromptResult(pending)
v := <-pending.verdict
if v == socksVerdictAccept {
return true
}
}
return false
}
func (c *socksChainSession) handleConnect() {
err := c.dispatchTorSOCKS()
if err != nil { if err != nil {
return return
} }
@ -139,7 +225,7 @@ func (c *socksChainSession) sessionWorker() {
if c.optData != nil { if c.optData != nil {
if _, err = c.upstreamConn.Write(c.optData); err != nil { if _, err = c.upstreamConn.Write(c.optData); err != nil {
log.Info("ERR/socks: Failed writing OptData: %v", err) log.Infof("ERR/socks: Failed writing OptData: %v", err)
return return
} }
c.optData = nil c.optData = nil
@ -147,6 +233,11 @@ func (c *socksChainSession) sessionWorker() {
// A upstream connection has been established, push data back and forth // A upstream connection has been established, push data back and forth
// till the session is done. // till the session is done.
c.forwardTraffic()
log.Infof("INFO/socks: Closed SOCKS connection from: %v", c.clientConn.RemoteAddr())
}
func (c *socksChainSession) forwardTraffic() {
var wg sync.WaitGroup var wg sync.WaitGroup
wg.Add(2) wg.Add(2)
@ -160,7 +251,6 @@ func (c *socksChainSession) sessionWorker() {
go copyLoop(c.clientConn, c.upstreamConn) go copyLoop(c.clientConn, c.upstreamConn)
wg.Wait() wg.Wait()
log.Info("INFO/socks: Closed SOCKS connection from: %v", clientAddr)
} }
func (c *socksChainSession) dispatchTorSOCKS() (err error) { func (c *socksChainSession) dispatchTorSOCKS() (err error) {
@ -170,24 +260,3 @@ func (c *socksChainSession) dispatchTorSOCKS() (err error) {
} }
return return
} }
func (s *socksChainSession) policyForPath(path string) *Policy {
s.server.lock.Lock()
defer s.server.lock.Unlock()
if _, ok := s.server.policyMap[path]; !ok {
p := new(Policy)
// XXX is fw needed?
// p.fw = fw
p.path = path
p.application = path
entry := entryForPath(path)
if entry != nil {
p.application = entry.name
p.icon = entry.icon
}
s.server.policyMap[path] = p
s.server.policies = append(s.server.policies, p)
}
return s.server.policyMap[path]
}

Loading…
Cancel
Save