Add TLSGuard to SOCKS5 filter clients not coming from oz-daemon

gnome-shell/firewall@subgraph.com/dialog.js

@@ -458,7 +458,7 @@ const PromptDialog = new Lang.Class({
     Name: 'PromptDialog',
     Extends: ModalDialog.ModalDialog,
 
-    _init: function(invocation, pid_known, sandboxed) {
+    _init: function(invocation, pid_known, sandboxed, tlsguard) {
         this.parent({ styleClass: 'fw-prompt-dialog' });
         this._invocation = invocation;
         this.header = new PromptDialogHeader();
@@ -471,7 +471,7 @@ const PromptDialog = new Lang.Class({
         this.info = new DetailSection(sandboxed);
         box.add_child(this.info.actor);
 
-        this.optionList = new OptionList(pid_known, sandboxed);
+        this.optionList = new OptionList(pid_known, tlsguard);
         box.add_child(this.optionList.actor);
         this.optionList.addOptions([
             "Only PORT AND ADDRESS",
@@ -479,7 +479,7 @@ const PromptDialog = new Lang.Class({
             "Only PORT",
             "Any Connection"]);
 
-	if (sandboxed) {
+	if (tlsguard) {
 		this.optionList.addTLSOption(true);
 	}
 
@@ -548,12 +548,12 @@ const PromptDialog = new Lang.Class({
         return this.optionList.tlsGuard;
     },
 
-    update: function(application, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, optstring, sandbox, expanded, expert, action) {
+    update: function(application, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action) {
         this._address = address;
         this._port = port;
 	this._proto = proto;
 	this._sandbox = sandbox;
-	this._tlsGuard;
+	this._tlsGuard = tlsguard;
 
         let port_str = (proto+"").toUpperCase() + " Port "+ port;
 

gnome-shell/firewall@subgraph.com/extension.js

@@ -58,6 +58,7 @@ const FirewallPromptInterface = '<node> \
         <arg type="s" direction="in" name="group" /> \
         <arg type="i" direction="in" name="pid" /> \
 	<arg type="s" direction="in" name="sandbox" /> \
+	<arg type="b" direction="in" name="tlsguard" /> \
         <arg type="s" direction="in" name="optstring" /> \
         <arg type="b" direction="in" name="expanded" /> \
         <arg type="b" direction="in" name="expert" /> \
@@ -93,11 +94,11 @@ const FirewallPromptHandler = new Lang.Class({
     },
 
     RequestPromptAsync: function(params, invocation) {
-        let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, optstring, expanded, expert, action] = params;
+        let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, tlsguard, optstring, expanded, expert, action] = params;
 //        this._closeDialog();
-        this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""));
+        this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard);
         this._invocation = invocation;
-        this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, optstring, sandbox, expanded, expert, action);
+        this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action);
         this._dialog.open();
     },
 

sgfw/policy.go

@@ -46,6 +46,7 @@ type pendingConnection interface {
 	dst() net.IP
 	dstPort() uint16
 	sandbox() string
+	socks() bool
 	accept()
 	acceptTLSOnly()
 	drop()
@@ -78,6 +79,10 @@ func (pp *pendingPkt) sandbox() string {
 	return pp.pinfo.Sandbox
 }
 
+func (pp *pendingPkt) socks() bool {
+	return false
+}
+
 func (pp *pendingPkt) policy() *Policy {
 	return pp.pol
 }

sgfw/prompt.go

@@ -162,6 +162,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
 		gidToGroup(pc.procInfo().GID),
 		int32(pc.procInfo().Pid),
 		pc.sandbox(),
+		pc.socks(),
 		pc.getOptString(),
 		FirewallConfig.PromptExpanded,
 		FirewallConfig.PromptExpert,
@@ -229,7 +230,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
 		r.mode = RULE_MODE_PERMANENT
 		policy.fw.saveRules()
 	}
-	log.Warningf("Prompt returning rule: %v", rule)
+	log.Warningf("Prompt returning rule: %v", tempRule)
 	dbusp.alertRule("sgfw prompt added new rule")
 }
 

sgfw/rules.go

@@ -187,7 +187,19 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 			if pkt != nil {
 				nfqproto = getNFQProto(pkt)
 			} else {
-				log.Notice("Weird state.")
+				log.Noticef("Weird state: %v %v %v %v",r.port, dstPort, hostname, r.hostname)
+				if (r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname)) {
+					log.Notice("+ Socks5 MATCH SUCCEEDED")
+						if r.rtype == RULE_ACTION_DENY {
+							return FILTER_DENY
+						} else if r.rtype == RULE_ACTION_ALLOW {
+							return FILTER_ALLOW
+						} else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
+							return FILTER_ALLOW_TLSONLY
+						}
+				} else {
+					return FILTER_PROMPT
+				}
 			}
 		}
 		log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n")

sgfw/socks_server_chain.go

@@ -63,6 +63,10 @@ func (sc *pendingSocksConnection) sandbox() string {
 	return sc.pinfo.Sandbox
 }
 
+func (sc *pendingSocksConnection) socks() bool {
+	return true
+}
+
 func (sc *pendingSocksConnection) policy() *Policy {
 	return sc.pol
 }
@@ -312,7 +316,7 @@ func (c *socksChainSession) filterConnect() (bool, bool) {
 		return false, false
 	}
 	result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo, optstr)
-	log.Errorf("result %v", result)
+	log.Errorf("result %v len(RuleList): %d", result, len(policy.rules))
 	switch result {
 	case FILTER_DENY:
 		return false, false