From ed8c25440495d2ee1daf95341332a1c17249f17a Mon Sep 17 00:00:00 2001
From: dma
Date: Wed, 13 Sep 2017 20:23:45 +0000
Subject: [PATCH] Add TLSGuard to SOCKS5 filter clients not coming from oz-daemon

---
 gnome-shell/firewall@subgraph.com/dialog.js | 10 +++++-----
 gnome-shell/firewall@subgraph.com/extension.js | 7 ++++---
 sgfw/policy.go | 5 +++++
 sgfw/prompt.go | 3 ++-
 sgfw/rules.go | 14 +++++++++++++-
 sgfw/socks_server_chain.go | 6 +++++-
 6 files changed, 34 insertions(+), 11 deletions(-)

diff --git a/gnome-shell/firewall@subgraph.com/dialog.js b/gnome-shell/firewall@subgraph.com/dialog.js
index f4d3b58..a1fd55d 100644
--- a/gnome-shell/firewall@subgraph.com/dialog.js
+++ b/gnome-shell/firewall@subgraph.com/dialog.js
@@ -458,7 +458,7 @@ const PromptDialog = new Lang.Class({
 Name: 'PromptDialog',
 Extends: ModalDialog.ModalDialog,
- _init: function(invocation, pid_known, sandboxed) {
+ _init: function(invocation, pid_known, sandboxed, tlsguard) {
 this.parent({ styleClass: 'fw-prompt-dialog' });
 this._invocation = invocation;
 this.header = new PromptDialogHeader();
@@ -471,7 +471,7 @@ const PromptDialog = new Lang.Class({
 this.info = new DetailSection(sandboxed);
 box.add_child(this.info.actor);
- this.optionList = new OptionList(pid_known, sandboxed);
+ this.optionList = new OptionList(pid_known, tlsguard);
 box.add_child(this.optionList.actor);
 this.optionList.addOptions([
 "Only PORT AND ADDRESS",
@@ -479,7 +479,7 @@ const PromptDialog = new Lang.Class({
 "Only PORT",
 "Any Connection"]);
- if (sandboxed) {
+ if (tlsguard) {
 this.optionList.addTLSOption(true);
 }
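Review bot: At `this.optionList = new OptionList(pid_known, tlsguard);` the second argument was `sandboxed` before this change, so unless OptionList's constructor (outside this hunk) was reworked in the same commit, its parameter is still named and used as the sandboxed flag while now receiving the SOCKS/TLSGuard flag. The -458 and -479 hunks are consistent with the new meaning (`if (tlsguard)` now gates `addTLSOption(true)`), so the residual risk is inside OptionList: if that parameter does anything beyond deciding whether the TLS option is offered, `sandboxed` still needs to reach it. Either way, renaming the constructor parameter to `tlsguard` keeps the two sides readable.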
@@ -548,12 +548,12 @@ const PromptDialog = new Lang.Class({
 return this.optionList.tlsGuard;
 },
- update: function(application, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, optstring, sandbox, expanded, expert, action) {
+ update: function(application, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action) {
 this._address = address;
 this._port = port;
 this._proto = proto;
 this._sandbox = sandbox;
- this._tlsGuard;
+ this._tlsGuard = tlsguard;
 let port_str = (proto+"").toUpperCase() + " Port "+ port;
diff --git a/gnome-shell/firewall@subgraph.com/extension.js b/gnome-shell/firewall@subgraph.com/extension.js
index 59d63b9..b5444a7 100644
--- a/gnome-shell/firewall@subgraph.com/extension.js
+++ b/gnome-shell/firewall@subgraph.com/extension.js
@@ -58,6 +58,7 @@ const FirewallPromptInterface = ' \
 \
 \
 \
+ \
 \
 \
 \
@@ -93,11 +94,11 @@ const FirewallPromptHandler = new Lang.Class({
 },
 RequestPromptAsync: function(params, invocation) {
- let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, optstring, expanded, expert, action] = params;
+ let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, tlsguard, optstring, expanded, expert, action] = params;
 // this._closeDialog();
- this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""));
+ this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard);
 this._invocation = invocation;
- this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, optstring, sandbox, expanded, expert, action);
+ this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action);
 this._dialog.open();
 },
diff --git a/sgfw/policy.go b/sgfw/policy.go
index cdccb19..6df2bda 100644
--- a/sgfw/policy.go
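Review bot: `update` now takes nineteen positional arguments, and the new `tlsguard` sits in a different slot here (`proto, tlsguard, optstring`) than in the D-Bus parameter list it is unpacked from in extension.js (`sandbox, tlsguard, optstring`); both call sites are updated consistently in this commit, but two different orders for the same data will drift on the next addition. Passing one object from the caller (`this._dialog.update({address, port, proto, tlsguard, sandbox, ...})`), or at least keeping the D-Bus order, removes that hazard. The real fix in this hunk is `this._tlsGuard = tlsguard;` — the old bare expression statement `this._tlsGuard;` never assigned the field — and that deserves a mention in the commit message since the subject line does not cover it.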
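Review bot: Inserting `tlsguard` into the middle of RequestPrompt's argument list changes the D-Bus method signature, so a daemon and an extension from different versions no longer interoperate. If the interface XML (the -58 hunk, whose argument text is not readable in this patch) declares the new argument with the matching type, GDBus should reject a mismatched call rather than dispatch it, which is the safe outcome; it is worth confirming, because otherwise the destructuring on the `let [...] = params` line would silently assign `optstring` to `tlsguard` and shift everything after it. A short comment on the interface string saying that argument order must match the call in prompt.go's processConnection would help whoever extends it next.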
+++ b/sgfw/policy.go
@@ -46,6 +46,7 @@ type pendingConnection interface {
 dst() net.IP
 dstPort() uint16
 sandbox() string
+ socks() bool
 accept()
 acceptTLSOnly()
 drop()
@@ -78,6 +79,10 @@ func (pp *pendingPkt) sandbox() string {
 return pp.pinfo.Sandbox
 }
+func (pp *pendingPkt) socks() bool {
+ return false
+}
+
 func (pp *pendingPkt) policy() *Policy {
 return pp.pol
 }
diff --git a/sgfw/prompt.go b/sgfw/prompt.go
index b929b73..18a0a09 100644
--- a/sgfw/prompt.go
+++ b/sgfw/prompt.go
@@ -162,6 +162,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
 gidToGroup(pc.procInfo().GID),
 int32(pc.procInfo().Pid),
 pc.sandbox(),
+ pc.socks(),
 pc.getOptString(),
 FirewallConfig.PromptExpanded,
 FirewallConfig.PromptExpert,
@@ -229,7 +230,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
 r.mode = RULE_MODE_PERMANENT
 policy.fw.saveRules()
 }
- log.Warningf("Prompt returning rule: %v", rule)
+ log.Warningf("Prompt returning rule: %v", tempRule)
 dbusp.alertRule("sgfw prompt added new rule")
 }
diff --git a/sgfw/rules.go b/sgfw/rules.go
index 1059605..abed5f9 100644
--- a/sgfw/rules.go
+++ b/sgfw/rules.go
@@ -187,7 +187,19 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 if pkt != nil {
 nfqproto = getNFQProto(pkt)
 } else {
- log.Notice("Weird state.")
+ log.Noticef("Weird state: %v %v %v %v",r.port, dstPort, hostname, r.hostname)
+ if (r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname)) {
+ log.Notice("+ Socks5 MATCH SUCCEEDED")
+ if r.rtype == RULE_ACTION_DENY {
+ return FILTER_DENY
+ } else if r.rtype == RULE_ACTION_ALLOW {
+ return FILTER_ALLOW
+ } else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
+ return FILTER_ALLOW_TLSONLY
+ }
+ } else {
+ return FILTER_PROMPT
+ }
 }
 }
 log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n")
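Review bot: The new interface method `socks() bool` has no doc comment, and its meaning is only recoverable from the two implementations (`pendingPkt` returns false in the -78 hunk, `pendingSocksConnection` returns true in socks_server_chain.go). Add `// socks reports whether the connection arrived through the SOCKS5 proxy chain rather than the nfqueue packet path; the prompt passes it as the "tlsguard" flag that decides whether the TLSGuard option is offered.` above the interface method, and a one-line form on both implementations. The name also reads as "is SOCKS" on the Go side but as "TLSGuard available" on the D-Bus/UI side (prompt.go passes `pc.socks()` in the tlsguard slot), so either name the method for what callers use it for or keep that link in the comment.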
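Review bot: The new `} else { return FILTER_PROMPT }` returns as soon as the current rule fails the SOCKS match, so if this block sits inside the per-rule loop (as the use of `r` suggests — the enclosing filter starts before the hunk), only the first rule in the list is ever consulted for a SOCKS connection and every later allow or deny rule is skipped; that branch should be `continue` (or be dropped) so the function's existing no-match result applies. Second, the match never looks at `dst`: `r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname` lets a rule written for one specific address with no hostname match any destination on that port, which is over-permissive for allow rules; `(r.addr.Equal(anyAddress) || r.addr.Equal(dst) || (r.hostname != "" && r.hostname == hostname))` expresses "any address, this address, or this hostname" — assuming hostname rules carry an empty or matching addr, which the hunk does not show. When `r.rtype` is none of the three actions the code falls through to the rest of the loop body below the hunk with `pkt == nil`, which is presumably not intended and deserves an explicit `continue` or a comment. Minor style: `sandboxed == false` reads better as `!sandboxed`, the outer parentheses on the `if` are redundant in Go, and "Weird state" is now the normal SOCKS path, so the message and its level should say so.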
diff --git a/sgfw/socks_server_chain.go b/sgfw/socks_server_chain.go
index 5bea5c0..ecf6e7f 100644
--- a/sgfw/socks_server_chain.go
+++ b/sgfw/socks_server_chain.go
@@ -63,6 +63,10 @@ func (sc *pendingSocksConnection) sandbox() string {
 return sc.pinfo.Sandbox
 }
+func (sc *pendingSocksConnection) socks() bool {
+ return true
+}
+
 func (sc *pendingSocksConnection) policy() *Policy {
 return sc.pol
 }
@@ -312,7 +316,7 @@ func (c *socksChainSession) filterConnect() (bool, bool) {
 return false, false
 }
 result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo, optstr)
- log.Errorf("result %v", result)
+ log.Errorf("result %v len(RuleList): %d", result, len(policy.rules))
 switch result {
 case FILTER_DENY:
 return false, false
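Review bot: `log.Errorf("result %v len(RuleList): %d", result, len(policy.rules))` fires on every SOCKS CONNECT that reaches filterConnect and reports a normal outcome, so it fills the error log (and anything alerting on it) with non-errors; the line was already at Error level before this change, but touching it is the moment to drop it to a debug-level call if the logger has one, or `log.Noticef` otherwise. `len(policy.rules)` also reads the rule list here without any visible lock; if the caller already holds the policy lock that is fine, otherwise the count can race with rules added by the prompt path (saveRules in prompt.go), which the hunk does not let me decide. The enclosing filterConnect continues outside the hunk.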