Implement redact addresses feature

pull/16/head
Bruce Leidl 9 years ago
parent c3a0e4de6c
commit d16b539bad

@ -137,7 +137,7 @@ func createDbusRule(r *Rule) DbusRule {
App: path.Base(r.policy.path), App: path.Base(r.policy.path),
Path: r.policy.path, Path: r.policy.path,
Verb: uint32(r.rtype), Verb: uint32(r.rtype),
Target: r.AddrString(), Target: r.AddrString(false),
} }
} }
@ -196,7 +196,7 @@ func (ds *dbusServer) UpdateRule(rule DbusRule) *dbus.Error {
func (ds *dbusServer) GetConfig() (map[string]dbus.Variant, *dbus.Error) { func (ds *dbusServer) GetConfig() (map[string]dbus.Variant, *dbus.Error) {
conf := make(map[string]dbus.Variant) conf := make(map[string]dbus.Variant)
conf["loglevel"] = dbus.MakeVariant(int32(ds.fw.logBackend.GetLevel("sgfw"))) conf["loglevel"] = dbus.MakeVariant(int32(ds.fw.logBackend.GetLevel("sgfw")))
conf["logredact"] = dbus.MakeVariant(ds.fw.logRedact) conf["logredact"] = dbus.MakeVariant(logRedact)
return conf, nil return conf, nil
} }
@ -208,7 +208,7 @@ func (ds *dbusServer) SetConfig(key string, val dbus.Variant) *dbus.Error {
ds.fw.logBackend.SetLevel(lvl, "sgfw") ds.fw.logBackend.SetLevel(lvl, "sgfw")
case "logredact": case "logredact":
flag := val.Value().(bool) flag := val.Value().(bool)
ds.fw.logRedact = flag logRedact = flag
} }
return nil return nil
} }

@ -54,7 +54,9 @@ func (dc *dnsCache) processRecordA(name string, answers []dnsRR) {
name = name[:len(name)-1] name = name[:len(name)-1]
} }
dc.ipMap[ip] = name dc.ipMap[ip] = name
if !logRedact {
log.Info("Adding %s: %s", name, ip) log.Info("Adding %s: %s", name, ip)
}
default: default:
log.Warning("Unexpected RR type in answer section of A response: %v", rec) log.Warning("Unexpected RR type in answer section of A response: %v", rec)
} }

@ -42,13 +42,14 @@ func setupLoggerBackend() logging.LeveledBackend {
return leveler return leveler
} }
var logRedact bool
type Firewall struct { type Firewall struct {
dbus *dbusServer dbus *dbusServer
dns *dnsCache dns *dnsCache
enabled bool enabled bool
logRedact bool
logBackend logging.LeveledBackend logBackend logging.LeveledBackend
lock sync.Mutex lock sync.Mutex
@ -148,7 +149,6 @@ func main() {
dbus: ds, dbus: ds,
dns: NewDnsCache(), dns: NewDnsCache(),
enabled: true, enabled: true,
logRedact: false,
logBackend: logBackend, logBackend: logBackend,
policyMap: make(map[string]*Policy), policyMap: make(map[string]*Policy),
} }

@ -47,7 +47,9 @@ func (p *Policy) processPacket(pkt *nfqueue.Packet, pinfo *proc.ProcInfo) {
p.lock.Lock() p.lock.Lock()
defer p.lock.Unlock() defer p.lock.Unlock()
name := p.fw.dns.Lookup(pkt.Dst) name := p.fw.dns.Lookup(pkt.Dst)
if !logRedact {
log.Info("Lookup(%s): %s", pkt.Dst.String(), name) log.Info("Lookup(%s): %s", pkt.Dst.String(), name)
}
result := p.rules.filter(pkt, pinfo, name) result := p.rules.filter(pkt, pinfo, name)
switch result { switch result {
case FILTER_DENY: case FILTER_DENY:
@ -142,7 +144,7 @@ func (p *Policy) filterPending(rule *Rule) {
remaining := []*pendingPkt{} remaining := []*pendingPkt{}
for _, pp := range p.pendingQueue { for _, pp := range p.pendingQueue {
if rule.match(pp.pkt, pp.hostname) { if rule.match(pp.pkt, pp.hostname) {
log.Info("Also applying %s to %s", rule, printPacket(pp.pkt, pp.hostname)) log.Info("Also applying %s to %s", rule.getString(logRedact), printPacket(pp.pkt, pp.hostname))
if rule.rtype == RULE_ALLOW { if rule.rtype == RULE_ALLOW {
pp.pkt.Accept() pp.pkt.Accept()
} else { } else {
@ -178,6 +180,10 @@ func printPacket(pkt *nfqueue.Packet, hostname string) string {
return "???" return "???"
} }
}() }()
if logRedact {
hostname = "[redacted]"
}
name := hostname name := hostname
if name == "" { if name == "" {
name = pkt.Dst.String() name = pkt.Dst.String()

@ -102,7 +102,6 @@ func (p *prompter) processPacket(pp *pendingPkt) {
pp.pkt.Accept() pp.pkt.Accept()
return return
} }
log.Debug("Received prompt response: %s [%s]", printScope(scope), rule)
r, err := pp.policy.parseRule(rule, false) r, err := pp.policy.parseRule(rule, false)
if err != nil { if err != nil {

@ -34,15 +34,19 @@ type Rule struct {
} }
func (r *Rule) String() string { func (r *Rule) String() string {
return r.getString(false)
}
func (r *Rule) getString(redact bool) string {
rtype := "DENY" rtype := "DENY"
if r.rtype == RULE_ALLOW { if r.rtype == RULE_ALLOW {
rtype = "ALLOW" rtype = "ALLOW"
} }
return fmt.Sprintf("%s|%s", rtype, r.AddrString()) return fmt.Sprintf("%s|%s", rtype, r.AddrString(redact))
} }
func (r *Rule) AddrString() string { func (r *Rule) AddrString(redact bool) string {
addr := "*" addr := "*"
port := "*" port := "*"
if r.hostname != "" { if r.hostname != "" {
@ -57,6 +61,10 @@ func (r *Rule) AddrString() string {
port = fmt.Sprintf("%d", r.port) port = fmt.Sprintf("%d", r.port)
} }
if redact && addr != "*" {
addr = "[redacted]"
}
return fmt.Sprintf("%s:%s", addr, port) return fmt.Sprintf("%s:%s", addr, port)
} }
@ -90,7 +98,11 @@ func (rl *RuleList) filter(p *nfqueue.Packet, pinfo *proc.ProcInfo, hostname str
result := FILTER_PROMPT result := FILTER_PROMPT
for _, r := range *rl { for _, r := range *rl {
if r.match(p, hostname) { if r.match(p, hostname) {
log.Info("%s (%s -> %s:%d)", r, pinfo.ExePath, p.Dst.String(), p.DstPort) dst := p.Dst.String()
if logRedact {
dst = "[redacted]"
}
log.Info("%s (%s -> %s:%d)", r.getString(logRedact), pinfo.ExePath, dst, p.DstPort)
if r.rtype == RULE_DENY { if r.rtype == RULE_DENY {
return FILTER_DENY return FILTER_DENY
} else if r.rtype == RULE_ALLOW { } else if r.rtype == RULE_ALLOW {

Loading…
Cancel
Save