Various changes to support settings dialog

pull/16/head
Bruce Leidl 9 years ago
parent a155427a84
commit d8f63bc60a

@ -7,6 +7,8 @@ import (
"github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/godbus/dbus" "github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/godbus/dbus"
"github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/godbus/dbus/introspect" "github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/godbus/dbus/introspect"
"github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/op/go-logging"
"path"
) )
const introspectXml = ` const introspectXml = `
@ -15,9 +17,31 @@ const introspectXml = `
<method name="SetEnabled"> <method name="SetEnabled">
<arg name="enabled" direction="in" type="b" /> <arg name="enabled" direction="in" type="b" />
</method> </method>
<method name="IsEnabled"> <method name="IsEnabled">
<arg name="enabled" direction="out" type="b" /> <arg name="enabled" direction="out" type="b" />
</method> </method>
<method name="ListRules">
<arg name="rules" direction="out" type="a(ussus)" />
</method>
<method name="DeleteRule">
<arg name="id" direction="in" type="u" />
</method>
<method name="UpdateRule">
<arg name="rule" direction="in" type="(ussus)" />
</method>
<method name="GetConfig">
<arg name="config" direction="out" type="a{sv}" />
</method>
<method name="SetConfig">
<arg name="key" direction="in" type="s" />
<arg name="val" direction="in" type="v" />
</method>
</interface>` + </interface>` +
introspect.IntrospectDataString + introspect.IntrospectDataString +
`</node>` `</node>`
@ -27,10 +51,19 @@ const objectPath = "/com/subgraph/Firewall"
const interfaceName = "com.subgraph.Firewall" const interfaceName = "com.subgraph.Firewall"
type dbusServer struct { type dbusServer struct {
fw *Firewall
conn *dbus.Conn conn *dbus.Conn
prompter *prompter prompter *prompter
} }
type DbusRule struct {
Id uint32
App string
Path string
Verb uint32
Target string
}
func newDbusServer() (*dbusServer, error) { func newDbusServer() (*dbusServer, error) {
conn, err := dbus.SystemBus() conn, err := dbus.SystemBus()
if err != nil { if err != nil {
@ -88,13 +121,96 @@ func (ds *dbusServer) Introspect(msg dbus.Message) (string, *dbus.Error) {
} }
func (ds *dbusServer) SetEnabled(flag bool) *dbus.Error { func (ds *dbusServer) SetEnabled(flag bool) *dbus.Error {
log.Info("SetEnabled(%v) called", flag) log.Debug("SetEnabled(%v) called", flag)
ds.fw.setEnabled(flag)
return nil return nil
} }
func (ds *dbusServer) IsEnabled() (bool, *dbus.Error) { func (ds *dbusServer) IsEnabled() (bool, *dbus.Error) {
log.Info("IsEnabled() called") log.Debug("IsEnabled() called")
return true, nil return ds.fw.isEnabled(), nil
}
func createDbusRule(r *Rule) DbusRule {
return DbusRule{
Id: uint32(r.id),
App: path.Base(r.policy.path),
Path: r.policy.path,
Verb: uint32(r.rtype),
Target: r.AddrString(),
}
}
func (ds *dbusServer) ListRules() ([]DbusRule, *dbus.Error) {
ds.fw.lock.Lock()
defer ds.fw.lock.Unlock()
var result []DbusRule
for _, p := range ds.fw.policies {
for _, r := range p.rules {
result = append(result, createDbusRule(r))
}
}
return result, nil
}
func (ds *dbusServer) DeleteRule(id uint32) *dbus.Error {
ds.fw.lock.Lock()
r := ds.fw.rulesById[uint(id)]
ds.fw.lock.Unlock()
if r != nil {
r.policy.removeRule(r)
}
if !r.sessionOnly {
ds.fw.saveRules()
}
return nil
}
func (ds *dbusServer) UpdateRule(rule DbusRule) *dbus.Error {
log.Debug("UpdateRule %v", rule)
ds.fw.lock.Lock()
r := ds.fw.rulesById[uint(rule.Id)]
ds.fw.lock.Unlock()
if r != nil {
tmp := new(Rule)
tmp.addr = noAddress
if !tmp.parseTarget(rule.Target) {
log.Warning("Unable to parse target: %s", rule.Target)
return nil
}
r.policy.lock.Lock()
if rule.Verb == RULE_ALLOW || rule.Verb == RULE_DENY {
r.rtype = int(rule.Verb)
}
r.hostname = tmp.hostname
r.addr = tmp.addr
r.port = tmp.port
r.policy.lock.Unlock()
if !r.sessionOnly {
ds.fw.saveRules()
}
}
return nil
}
func (ds *dbusServer) GetConfig() (map[string]dbus.Variant, *dbus.Error) {
conf := make(map[string]dbus.Variant)
conf["loglevel"] = dbus.MakeVariant(int32(ds.fw.logBackend.GetLevel("sgfw")))
conf["logredact"] = dbus.MakeVariant(ds.fw.logRedact)
return conf, nil
}
func (ds *dbusServer) SetConfig(key string, val dbus.Variant) *dbus.Error {
switch key {
case "loglevel":
l := val.Value().(int32)
lvl := logging.Level(l)
ds.fw.logBackend.SetLevel(lvl, "sgfw")
case "logredact":
flag := val.Value().(bool)
ds.fw.logRedact = flag
}
return nil
} }
func (ds *dbusServer) prompt(p *Policy) { func (ds *dbusServer) prompt(p *Policy) {

@ -17,7 +17,7 @@ func setupIPTables() {
func addIPTRules(rules ...string) { func addIPTRules(rules ...string) {
for _, r := range rules { for _, r := range rules {
if(iptables('C', r)) { if iptables('C', r) {
log.Info("IPTables rule already present: %s", r) log.Info("IPTables rule already present: %s", r)
} else { } else {
log.Info("Installing IPTables rule: %s", r) log.Info("Installing IPTables rule: %s", r)

@ -8,10 +8,10 @@ import (
"github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/op/go-logging" "github.com/subgraph/fw-daemon/Godeps/_workspace/src/github.com/op/go-logging"
"github.com/subgraph/fw-daemon/nfqueue" "github.com/subgraph/fw-daemon/nfqueue"
"github.com/subgraph/fw-daemon/proc"
"sync" "sync"
"syscall" "syscall"
"unsafe" "unsafe"
"github.com/subgraph/fw-daemon/proc"
) )
var log = logging.MustGetLogger("sgfw") var log = logging.MustGetLogger("sgfw")
@ -22,6 +22,7 @@ var logFormat = logging.MustStringFormatter(
var ttyFormat = logging.MustStringFormatter( var ttyFormat = logging.MustStringFormatter(
"%{color}%{time:15:04:05} â–¶ %{level:.4s} %{id:03x}%{color:reset} %{message}", "%{color}%{time:15:04:05} â–¶ %{level:.4s} %{id:03x}%{color:reset} %{message}",
) )
const ioctlReadTermios = 0x5401 const ioctlReadTermios = 0x5401
func isTerminal(fd int) bool { func isTerminal(fd int) bool {
@ -30,7 +31,7 @@ func isTerminal(fd int) bool {
return err == 0 return err == 0
} }
func init() { func setupLoggerBackend() logging.LeveledBackend {
format := logFormat format := logFormat
if isTerminal(int(os.Stderr.Fd())) { if isTerminal(int(os.Stderr.Fd())) {
format = ttyFormat format = ttyFormat
@ -38,16 +39,66 @@ func init() {
backend := logging.NewLogBackend(os.Stderr, "", 0) backend := logging.NewLogBackend(os.Stderr, "", 0)
formatter := logging.NewBackendFormatter(backend, format) formatter := logging.NewBackendFormatter(backend, format)
leveler := logging.AddModuleLevel(formatter) leveler := logging.AddModuleLevel(formatter)
log.SetBackend(leveler) return leveler
} }
type Firewall struct { type Firewall struct {
dbus *dbusServer dbus *dbusServer
dns *dnsCache dns *dnsCache
enabled bool
logRedact bool
logBackend logging.LeveledBackend
lock sync.Mutex lock sync.Mutex
policyMap map[string]*Policy policyMap map[string]*Policy
policies []*Policy policies []*Policy
ruleLock sync.Mutex
rulesById map[uint]*Rule
nextRuleId uint
}
func (fw *Firewall) setEnabled(flag bool) {
fw.lock.Lock()
defer fw.lock.Unlock()
fw.enabled = flag
}
func (fw *Firewall) isEnabled() bool {
fw.lock.Lock()
defer fw.lock.Unlock()
return fw.enabled
}
func (fw *Firewall) clearRules() {
fw.ruleLock.Lock()
defer fw.ruleLock.Unlock()
fw.rulesById = nil
fw.nextRuleId = 0
}
func (fw *Firewall) addRule(r *Rule) {
fw.ruleLock.Lock()
defer fw.ruleLock.Unlock()
r.id = fw.nextRuleId
fw.nextRuleId += 1
if fw.rulesById == nil {
fw.rulesById = make(map[uint]*Rule)
}
fw.rulesById[r.id] = r
}
func (fw *Firewall) getRuleById(id uint) *Rule {
fw.ruleLock.Lock()
defer fw.ruleLock.Unlock()
if fw.rulesById == nil {
return nil
}
return fw.rulesById[id]
} }
func (fw *Firewall) runFilter() { func (fw *Firewall) runFilter() {
@ -64,7 +115,11 @@ func (fw *Firewall) runFilter() {
for { for {
select { select {
case pkt := <-packets: case pkt := <-packets:
if fw.isEnabled() {
fw.filterPacket(pkt) fw.filterPacket(pkt)
} else {
pkt.Accept()
}
case <-sigs: case <-sigs:
return return
} }
@ -72,6 +127,8 @@ func (fw *Firewall) runFilter() {
} }
func main() { func main() {
logBackend := setupLoggerBackend()
log.SetBackend(logBackend)
proc.SetLogger(log) proc.SetLogger(log)
if os.Geteuid() != 0 { if os.Geteuid() != 0 {
@ -90,8 +147,12 @@ func main() {
fw := &Firewall{ fw := &Firewall{
dbus: ds, dbus: ds,
dns: NewDnsCache(), dns: NewDnsCache(),
enabled: true,
logRedact: false,
logBackend: logBackend,
policyMap: make(map[string]*Policy), policyMap: make(map[string]*Policy),
} }
ds.fw = fw
fw.loadRules() fw.loadRules()

@ -110,6 +110,34 @@ func (p *Policy) processNewRule(r *Rule, scope int32) bool {
return p.promptInProgress return p.promptInProgress
} }
func (p *Policy) parseRule(s string, add bool) (*Rule, error) {
r := new(Rule)
r.policy = p
if !r.parse(s) {
return nil, parseError(s)
}
if add {
p.lock.Lock()
defer p.lock.Unlock()
p.rules = append(p.rules, r)
}
p.fw.addRule(r)
return r, nil
}
func (p *Policy) removeRule(r *Rule) {
p.lock.Lock()
defer p.lock.Unlock()
var newRules RuleList
for _, rr := range p.rules {
if rr.id != r.id {
newRules = append(newRules, rr)
}
}
p.rules = newRules
}
func (p *Policy) filterPending(rule *Rule) { func (p *Policy) filterPending(rule *Rule) {
remaining := []*pendingPkt{} remaining := []*pendingPkt{}
for _, pp := range p.pendingQueue { for _, pp := range p.pendingQueue {

@ -100,18 +100,16 @@ func (p *prompter) processPacket(pp *pendingPkt) {
pp.policy.removePending(pp) pp.policy.removePending(pp)
pp.pkt.Mark = 1 pp.pkt.Mark = 1
pp.pkt.Accept() pp.pkt.Accept()
//pp.pkt.Drop()
return return
} }
log.Debug("Received prompt response: %s [%s]", printScope(scope), rule) log.Debug("Received prompt response: %s [%s]", printScope(scope), rule)
r, err := parseRule(rule) r, err := pp.policy.parseRule(rule, false)
if err != nil { if err != nil {
log.Warning("Error parsing rule string returned from dbus RequestPrompt: %v", err) log.Warning("Error parsing rule string returned from dbus RequestPrompt: %v", err)
pp.policy.removePending(pp) pp.policy.removePending(pp)
pp.pkt.Mark = 1 pp.pkt.Mark = 1
pp.pkt.Accept() pp.pkt.Accept()
//pp.pkt.Drop()
return return
} }
if scope == APPLY_SESSION { if scope == APPLY_SESSION {

@ -8,11 +8,11 @@ import (
"unicode" "unicode"
"github.com/subgraph/fw-daemon/nfqueue" "github.com/subgraph/fw-daemon/nfqueue"
"github.com/subgraph/fw-daemon/proc"
"io/ioutil" "io/ioutil"
"os" "os"
"strconv"
"path" "path"
"github.com/subgraph/fw-daemon/proc" "strconv"
) )
const ( const (
@ -24,6 +24,8 @@ const matchAny = 0
const noAddress = uint32(0xffffffff) const noAddress = uint32(0xffffffff)
type Rule struct { type Rule struct {
id uint
policy *Policy
sessionOnly bool sessionOnly bool
rtype int rtype int
hostname string hostname string
@ -32,10 +34,17 @@ type Rule struct {
} }
func (r *Rule) String() string { func (r *Rule) String() string {
addr := "*"
port := "*"
rtype := "DENY" rtype := "DENY"
if r.rtype == RULE_ALLOW {
rtype = "ALLOW"
}
return fmt.Sprintf("%s|%s", rtype, r.AddrString())
}
func (r *Rule) AddrString() string {
addr := "*"
port := "*"
if r.hostname != "" { if r.hostname != "" {
addr = r.hostname addr = r.hostname
} else if r.addr != matchAny && r.addr != noAddress { } else if r.addr != matchAny && r.addr != noAddress {
@ -48,11 +57,7 @@ func (r *Rule) String() string {
port = fmt.Sprintf("%d", r.port) port = fmt.Sprintf("%d", r.port)
} }
if r.rtype == RULE_ALLOW { return fmt.Sprintf("%s:%s", addr, port)
rtype = "ALLOW"
}
return fmt.Sprintf("%s|%s:%s", rtype, addr, port)
} }
type RuleList []*Rule type RuleList []*Rule
@ -154,21 +159,13 @@ func (r *Rule) parsePort(p string) bool {
} }
var err error var err error
port, err := strconv.ParseUint(p, 10, 16) port, err := strconv.ParseUint(p, 10, 16)
if err != nil { if err != nil || port == 0 || port > 0xFFFF {
return false return false
} }
r.port = uint16(port) r.port = uint16(port)
return true return true
} }
func parseRule(s string) (*Rule, error) {
r := new(Rule)
if !r.parse(s) {
return nil, parseError(s)
}
return r, nil
}
const ruleFile = "/var/lib/sgfw/sgfw_rules" const ruleFile = "/var/lib/sgfw/sgfw_rules"
func maybeCreateDir(dir string) error { func maybeCreateDir(dir string) error {
@ -239,6 +236,8 @@ func (fw *Firewall) loadRules() {
fw.lock.Lock() fw.lock.Lock()
defer fw.lock.Unlock() defer fw.lock.Unlock()
fw.clearRules()
p, err := rulesPath() p, err := rulesPath()
if err != nil { if err != nil {
log.Warning("Failed to open %s for reading: %v", p, err) log.Warning("Failed to open %s for reading: %v", p, err)
@ -275,12 +274,9 @@ func processRuleLine(policy *Policy, line string) {
log.Warning("Cannot process rule line without first seeing path line: %s", line) log.Warning("Cannot process rule line without first seeing path line: %s", line)
return return
} }
rule, err := parseRule(line) _, err := policy.parseRule(line, true)
if err != nil { if err != nil {
log.Warning("Error parsing rule (%s): %v", line, err) log.Warning("Error parsing rule (%s): %v", line, err)
return return
} }
policy.lock.Lock()
defer policy.lock.Unlock()
policy.rules = append(policy.rules, rule)
} }

Loading…
Cancel
Save