Add TLSGuard to SOCKS5 filter clients not coming from oz-daemon

shw-merge
dma 7 years ago
parent e7a803f84f
commit ed8c254404

@ -458,7 +458,7 @@ const PromptDialog = new Lang.Class({
Name: 'PromptDialog', Name: 'PromptDialog',
Extends: ModalDialog.ModalDialog, Extends: ModalDialog.ModalDialog,
_init: function(invocation, pid_known, sandboxed) { _init: function(invocation, pid_known, sandboxed, tlsguard) {
this.parent({ styleClass: 'fw-prompt-dialog' }); this.parent({ styleClass: 'fw-prompt-dialog' });
this._invocation = invocation; this._invocation = invocation;
this.header = new PromptDialogHeader(); this.header = new PromptDialogHeader();
@ -471,7 +471,7 @@ const PromptDialog = new Lang.Class({
this.info = new DetailSection(sandboxed); this.info = new DetailSection(sandboxed);
box.add_child(this.info.actor); box.add_child(this.info.actor);
this.optionList = new OptionList(pid_known, sandboxed); this.optionList = new OptionList(pid_known, tlsguard);
box.add_child(this.optionList.actor); box.add_child(this.optionList.actor);
this.optionList.addOptions([ this.optionList.addOptions([
"Only PORT AND ADDRESS", "Only PORT AND ADDRESS",
@ -479,7 +479,7 @@ const PromptDialog = new Lang.Class({
"Only PORT", "Only PORT",
"Any Connection"]); "Any Connection"]);
if (sandboxed) { if (tlsguard) {
this.optionList.addTLSOption(true); this.optionList.addTLSOption(true);
} }
@ -548,12 +548,12 @@ const PromptDialog = new Lang.Class({
return this.optionList.tlsGuard; return this.optionList.tlsGuard;
}, },
update: function(application, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, optstring, sandbox, expanded, expert, action) { update: function(application, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action) {
this._address = address; this._address = address;
this._port = port; this._port = port;
this._proto = proto; this._proto = proto;
this._sandbox = sandbox; this._sandbox = sandbox;
this._tlsGuard; this._tlsGuard = tlsguard;
let port_str = (proto+"").toUpperCase() + " Port "+ port; let port_str = (proto+"").toUpperCase() + " Port "+ port;
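Review bot: In the `@ -471` hunk the second argument to `OptionList` changes from `sandboxed` to `tlsguard`, but the `OptionList` constructor is outside this diff, so if that parameter still selects sandbox-specific options (as its old name suggests), non-sandboxed SOCKS5 clients would now get them and sandboxed clients without TLSGuard would lose them. Please confirm the parameter was renamed inside `OptionList` as well, or pass both values, e.g. `this.optionList = new OptionList(pid_known, sandboxed, tlsguard);`. Note also that `this._tlsGuard`, now assigned in `update`, is not what the getter opening the `@ -548` hunk returns (`this.optionList.tlsGuard`); a one-line comment on the field saying which of the two is authoritative would help the next reader. The `update` method continues past the end of the hunk.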

@ -58,6 +58,7 @@ const FirewallPromptInterface = '<node> \
<arg type="s" direction="in" name="group" /> \ <arg type="s" direction="in" name="group" /> \
<arg type="i" direction="in" name="pid" /> \ <arg type="i" direction="in" name="pid" /> \
<arg type="s" direction="in" name="sandbox" /> \ <arg type="s" direction="in" name="sandbox" /> \
<arg type="b" direction="in" name="tlsguard" /> \
<arg type="s" direction="in" name="optstring" /> \ <arg type="s" direction="in" name="optstring" /> \
<arg type="b" direction="in" name="expanded" /> \ <arg type="b" direction="in" name="expanded" /> \
<arg type="b" direction="in" name="expert" /> \ <arg type="b" direction="in" name="expert" /> \
@ -93,11 +94,11 @@ const FirewallPromptHandler = new Lang.Class({
}, },
RequestPromptAsync: function(params, invocation) { RequestPromptAsync: function(params, invocation) {
let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, optstring, expanded, expert, action] = params; let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, tlsguard, optstring, expanded, expert, action] = params;
// this._closeDialog(); // this._closeDialog();
this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != "")); this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard);
this._invocation = invocation; this._invocation = invocation;
this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, optstring, sandbox, expanded, expert, action); this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action);
this._dialog.open(); this._dialog.open();
}, },
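Review bot: The new `tlsguard` argument is inserted in the middle of the prompt method's D-Bus signature rather than appended, so a shell extension and an sgfw daemon from different revisions will fail the D-Bus type-signature check instead of degrading gracefully. That coupling is worth a comment next to the `<arg>` list, e.g. `<!-- argument order must match the prompter call in sgfw; keep both sides in sync -->`, and the same note at the `RequestPromptAsync` destructuring where `tlsguard` is unpacked positionally.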

@ -46,6 +46,7 @@ type pendingConnection interface {
dst() net.IP dst() net.IP
dstPort() uint16 dstPort() uint16
sandbox() string sandbox() string
socks() bool
accept() accept()
acceptTLSOnly() acceptTLSOnly()
drop() drop()
@ -78,6 +79,10 @@ func (pp *pendingPkt) sandbox() string {
return pp.pinfo.Sandbox return pp.pinfo.Sandbox
} }
func (pp *pendingPkt) socks() bool {
return false
}
func (pp *pendingPkt) policy() *Policy { func (pp *pendingPkt) policy() *Policy {
return pp.pol return pp.pol
} }
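Review bot: The new `socks()` method added to the `pendingConnection` interface at the top of the `@ -46` hunk has no doc comment, and its meaning is only recoverable from the two implementations (`false` here, `true` for `pendingSocksConnection`). Suggest `// socks reports whether this connection was intercepted by the SOCKS5 proxy (true) rather than the nfqueue packet path (false).` above the interface method, mirrored on the `pendingPkt` implementation in the `@ -78` hunk. The `pendingConnection` interface declaration starts outside the hunk.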

@ -162,6 +162,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
gidToGroup(pc.procInfo().GID), gidToGroup(pc.procInfo().GID),
int32(pc.procInfo().Pid), int32(pc.procInfo().Pid),
pc.sandbox(), pc.sandbox(),
pc.socks(),
pc.getOptString(), pc.getOptString(),
FirewallConfig.PromptExpanded, FirewallConfig.PromptExpanded,
FirewallConfig.PromptExpert, FirewallConfig.PromptExpert,
@ -229,7 +230,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
r.mode = RULE_MODE_PERMANENT r.mode = RULE_MODE_PERMANENT
policy.fw.saveRules() policy.fw.saveRules()
} }
log.Warningf("Prompt returning rule: %v", rule) log.Warningf("Prompt returning rule: %v", tempRule)
dbusp.alertRule("sgfw prompt added new rule") dbusp.alertRule("sgfw prompt added new rule")
} }
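Review bot: At `pc.socks()` in the `@ -162` hunk the value sent over D-Bus is a "came via SOCKS5" flag, but the argument it lands in is named `tlsguard` and the dialog treats it as "offer the TLSGuard option"; the two meanings coincide only because this commit wires them that way. Consider naming the intent at the call site, e.g. `offerTLSGuard := pc.socks() // the prompt offers the TLSGuard option only to SOCKS5 clients`, and passing `offerTLSGuard`, so a later change to either side does not silently desynchronise them. In the `@ -229` hunk `log.Warningf("Prompt returning rule: %v", tempRule)` logs a routine outcome at warning level; `Infof` or `Debugf` would keep the warning channel meaningful. `processConnection` begins and ends outside these hunks.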

@ -187,7 +187,19 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
if pkt != nil { if pkt != nil {
nfqproto = getNFQProto(pkt) nfqproto = getNFQProto(pkt)
} else { } else {
log.Notice("Weird state.") log.Noticef("Weird state: %v %v %v %v",r.port, dstPort, hostname, r.hostname)
if (r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname)) {
log.Notice("+ Socks5 MATCH SUCCEEDED")
if r.rtype == RULE_ACTION_DENY {
return FILTER_DENY
} else if r.rtype == RULE_ACTION_ALLOW {
return FILTER_ALLOW
} else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
return FILTER_ALLOW_TLSONLY
}
} else {
return FILTER_PROMPT
}
} }
} }
log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n") log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n")
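Review bot: The `else { return FILTER_PROMPT }` closing the new SOCKS5 branch in the `@ -187` hunk returns as soon as the current rule fails to match, so if this code sits inside the per-rule loop (the loop header is outside the hunk) the first non-matching rule short-circuits evaluation and later rules, including DENY rules, are never consulted; drop that `else` and let the loop continue to whatever the function returns after it. The match condition also never compares `dst` with `r.addr`: when `r.addr` is not `anyAddress` the rule still matches whenever `r.hostname == ""`, so an address-only rule (if such rules are stored with an empty hostname) matches every SOCKS5 destination on that port. Suggested condition: `(r.addr.Equal(anyAddress) || r.addr.Equal(dst) || (r.hostname != "" && r.hostname == hostname))`. `sandboxed == false` reads better as `!sandboxed`, and a matched rule whose `rtype` is none of the three handled values falls through silently to the line after the hunk, which deserves an explicit comment or log.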

@ -63,6 +63,10 @@ func (sc *pendingSocksConnection) sandbox() string {
return sc.pinfo.Sandbox return sc.pinfo.Sandbox
} }
func (sc *pendingSocksConnection) socks() bool {
return true
}
func (sc *pendingSocksConnection) policy() *Policy { func (sc *pendingSocksConnection) policy() *Policy {
return sc.pol return sc.pol
} }
@ -312,7 +316,7 @@ func (c *socksChainSession) filterConnect() (bool, bool) {
return false, false return false, false
} }
result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo, optstr) result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo, optstr)
log.Errorf("result %v", result) log.Errorf("result %v len(RuleList): %d", result, len(policy.rules))
switch result { switch result {
case FILTER_DENY: case FILTER_DENY:
return false, false return false, false
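Review bot: `log.Errorf("result %v len(RuleList): %d", result, len(policy.rules))` in the `@ -312` hunk logs a normal filter outcome at error level on every SOCKS5 connect, which will drown real errors; `log.Debugf` is the appropriate level for this diagnostic. The new `socks()` implementation in the `@ -63` hunk would also benefit from the same one-line comment as its interface declaration, e.g. `// socks reports true: this connection was intercepted by the SOCKS5 proxy.` `filterConnect` starts outside the hunk and its `switch` continues past it.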
