From d16b539bad16b9bb3483a9b1ee056a305987d17d Mon Sep 17 00:00:00 2001
From: Bruce Leidl
Date: Wed, 24 Feb 2016 02:29:11 +0000
Subject: [PATCH] Implement redact addresses feature

---
 dbus.go | 6 +++---
 dns.go | 4 +++-
 main.go | 4 ++--
 policy.go | 10 ++++++++--
 prompt.go | 1 -
 rules.go | 18 +++++++++++++++---
 6 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/dbus.go b/dbus.go
index 55b5829..f70b628 100644
--- a/dbus.go
+++ b/dbus.go
@@ -137,7 +137,7 @@ func createDbusRule(r *Rule) DbusRule {
 App: path.Base(r.policy.path),
 Path: r.policy.path,
 Verb: uint32(r.rtype),
- Target: r.AddrString(),
+ Target: r.AddrString(false),
 }
 }
 
@@ -196,7 +196,7 @@ func (ds *dbusServer) UpdateRule(rule DbusRule) *dbus.Error {
 func (ds *dbusServer) GetConfig() (map[string]dbus.Variant, *dbus.Error) {
 conf := make(map[string]dbus.Variant)
 conf["loglevel"] = dbus.MakeVariant(int32(ds.fw.logBackend.GetLevel("sgfw")))
- conf["logredact"] = dbus.MakeVariant(ds.fw.logRedact)
+ conf["logredact"] = dbus.MakeVariant(logRedact)
 return conf, nil
 }
 
@@ -208,7 +208,7 @@ func (ds *dbusServer) SetConfig(key string, val dbus.Variant) *dbus.Error {
 ds.fw.logBackend.SetLevel(lvl, "sgfw")
 case "logredact":
 flag := val.Value().(bool)
- ds.fw.logRedact = flag
+ logRedact = flag
 }
 return nil
 }
diff --git a/dns.go b/dns.go
index 4bb2245..fb6664f 100644
--- a/dns.go
+++ b/dns.go
@@ -54,7 +54,9 @@ func (dc *dnsCache) processRecordA(name string, answers []dnsRR) {
 name = name[:len(name)-1]
 }
 dc.ipMap[ip] = name
- log.Info("Adding %s: %s", name, ip)
+ if !logRedact {
+ log.Info("Adding %s: %s", name, ip)
+ }
 default:
 log.Warning("Unexpected RR type in answer section of A response: %v", rec)
 }
diff --git a/main.go b/main.go
index 71fd102..cd41f7f 100644
--- a/main.go
+++ b/main.go
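Review bot: `Target: r.AddrString(false)` in createDbusRule hard-codes the unredacted form for every rule handed out over D-Bus, so the `logredact` setting has no effect on what a D-Bus client can read. That is probably intended, since a client managing rules needs the real target, but nothing in the code says so and a later reader may "fix" it. Suggest a comment on the changed line: `// Rules exported over D-Bus are never redacted; logredact only affects log output.` The opening line of createDbusRule lies outside the hunk.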
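Review bot: `flag := val.Value().(bool)` in SetConfig, directly above the changed `logRedact = flag`, is an unchecked type assertion on a caller-supplied D-Bus variant, so a variant of any other type panics the firewall daemon instead of returning an error. The new assignment also writes a package-level global that the dns.go hunk, the first main.go hunk and the policy.go and rules.go hunks read from packet-handling goroutines with no synchronization visible anywhere in the patch; unless something outside these hunks serializes SetConfig with those readers, this is a data race. Replace the assertion with `flag, ok := val.Value().(bool)` followed by `if !ok { return dbus.NewError("org.freedesktop.DBus.Error.InvalidArgs", nil) }`, and guard `logRedact` with a mutex or access it through sync/atomic. The switch in SetConfig begins before this hunk.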
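Review bot: `if !logRedact { log.Info("Adding %s: %s", name, ip) }` in processRecordA suppresses the whole event when redaction is on, whereas printPacket in policy.go and AddrString in rules.go keep their lines and substitute `[redacted]`, so an operator running with redaction loses any trace that a DNS answer was cached at all (the first policy.go hunk drops its `Lookup` line the same way). A consistent approach keeps the line and masks the values, e.g. an `else` branch with `log.Info("Adding [redacted]: [redacted]")`, so the event count and timing remain in the log. processRecordA continues on both sides of this hunk.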
@@ -42,13 +42,14 @@ func setupLoggerBackend() logging.LeveledBackend { return leveler } +var logRedact bool + type Firewall struct { dbus *dbusServer dns *dnsCache enabled bool - logRedact bool logBackend logging.LeveledBackend lock sync.Mutex @@ -148,7 +149,6 @@ func main() { dbus: ds, dns: NewDnsCache(), enabled: true, - logRedact: false, logBackend: logBackend, policyMap: make(map[string]*Policy), } diff --git a/policy.go b/policy.go index 424b67b..bec5f0f 100644 --- a/policy.go +++ b/policy.go @@ -47,7 +47,9 @@ func (p *Policy) processPacket(pkt *nfqueue.Packet, pinfo *proc.ProcInfo) { p.lock.Lock() defer p.lock.Unlock() name := p.fw.dns.Lookup(pkt.Dst) - log.Info("Lookup(%s): %s", pkt.Dst.String(), name) + if !logRedact { + log.Info("Lookup(%s): %s", pkt.Dst.String(), name) + } result := p.rules.filter(pkt, pinfo, name) switch result { case FILTER_DENY: @@ -142,7 +144,7 @@ func (p *Policy) filterPending(rule *Rule) { remaining := []*pendingPkt{} for _, pp := range p.pendingQueue { if rule.match(pp.pkt, pp.hostname) { - log.Info("Also applying %s to %s", rule, printPacket(pp.pkt, pp.hostname)) + log.Info("Also applying %s to %s", rule.getString(logRedact), printPacket(pp.pkt, pp.hostname)) if rule.rtype == RULE_ALLOW { pp.pkt.Accept() } else { @@ -178,6 +180,10 @@ func printPacket(pkt *nfqueue.Packet, hostname string) string { return "???" } }() + + if logRedact { + hostname = "[redacted]" + } name := hostname if name == "" { name = pkt.Dst.String() diff --git a/prompt.go b/prompt.go index c3f6b18..f82ae08 100644 --- a/prompt.go +++ b/prompt.go @@ -102,7 +102,6 @@ func (p *prompter) processPacket(pp *pendingPkt) { pp.pkt.Accept() return } - log.Debug("Received prompt response: %s [%s]", printScope(scope), rule) r, err := pp.policy.parseRule(rule, false) if err != nil { diff --git a/rules.go b/rules.go index 85ce1da..418264a 100644 --- a/rules.go +++ b/rules.go 
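Review bot: `var logRedact bool` moves the flag out of Firewall into a package-level global with no doc comment, and nothing here records who sets it or what "redact" covers. Suggest placing `// logRedact controls whether hostnames and addresses are masked or omitted in log output; it is toggled at runtime via the D-Bus SetConfig "logredact" key.` above the declaration. The Firewall struct continues past the end of the hunk.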
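Review bot: the new `if logRedact { hostname = "[redacted]" }` in printPacket is deliberately placed ahead of the `name == ""` fallback — with an empty hostname that fallback would otherwise print `pkt.Dst.String()` — but nothing records the ordering constraint, and a reordering during a later cleanup would silently reintroduce the address. Suggest `// Mask before the empty-hostname fallback so pkt.Dst is never substituted in when redacting.` on the added block. printPacket continues below the hunk, so whether its remaining lines still print the raw destination cannot be checked here.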
@@ -34,15 +34,19 @@ type Rule struct { } func (r *Rule) String() string { + return r.getString(false) +} + +func (r *Rule) getString(redact bool) string { rtype := "DENY" if r.rtype == RULE_ALLOW { rtype = "ALLOW" } - return fmt.Sprintf("%s|%s", rtype, r.AddrString()) + return fmt.Sprintf("%s|%s", rtype, r.AddrString(redact)) } -func (r *Rule) AddrString() string { +func (r *Rule) AddrString(redact bool) string { addr := "*" port := "*" if r.hostname != "" { @@ -57,6 +61,10 @@ func (r *Rule) AddrString() string { port = fmt.Sprintf("%d", r.port) } + if redact && addr != "*" { + addr = "[redacted]" + } + return fmt.Sprintf("%s:%s", addr, port) } @@ -90,7 +98,11 @@ func (rl *RuleList) filter(p *nfqueue.Packet, pinfo *proc.ProcInfo, hostname str result := FILTER_PROMPT for _, r := range *rl { if r.match(p, hostname) { - log.Info("%s (%s -> %s:%d)", r, pinfo.ExePath, p.Dst.String(), p.DstPort) + dst := p.Dst.String() + if logRedact { + dst = "[redacted]" + } + log.Info("%s (%s -> %s:%d)", r.getString(logRedact), pinfo.ExePath, dst, p.DstPort) if r.rtype == RULE_DENY { return FILTER_DENY } else if r.rtype == RULE_ALLOW {
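Review bot: `String()` now always returns the unredacted form via `r.getString(false)`, so any `%s`/`%v` of a *Rule that the commit did not convert to `getString(logRedact)` still writes the address into the log when redaction is on, because fmt invokes the Stringer implicitly. Unless `String()` is also used to persist rules, a fail-closed alternative is `return r.getString(logRedact)` in `String()`, with the D-Bus export continuing to call `AddrString(false)` explicitly as the dbus.go hunk already does. The Rule struct header is outside the hunk.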
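Review bot: the new `redact` parameter of AddrString is undocumented and its behaviour is subtle — `if redact && addr != "*"` masks only the address half, keeps a wildcard as is, and always shows the port. Suggest a doc comment on the signature: `// AddrString renders the rule target as "addr:port"; when redact is true a concrete hostname or IP is replaced with "[redacted]" while wildcards and the port are kept.` The part of AddrString's body between the signature hunk and this one is not shown.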
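Review bot: in filter, `dst := p.Dst.String()` is computed and then discarded whenever `logRedact` is set, and the `"[redacted]"` literal is now spelled out separately here, in AddrString above and in policy.go's printPacket. Inverting the branch avoids the wasted conversion — `dst := "[redacted]"` then `if !logRedact { dst = p.Dst.String() }` — and a single package constant (e.g. `const redactedMarker = "[redacted]"`, name constructed) would keep the three sites from drifting. Note the redacted line still reports `pinfo.ExePath` and `p.DstPort`, which may be intended but is worth stating. The loop in filter continues past the hunk.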