Add TLSGuard to SOCKS5 filter clients not coming from oz-daemon

7 years ago · ed8c254404
parent e7a803f84f
commit ed8c254404
6 changed files with 34 additions and 11 deletions
--- a/gnome-shell/firewall@subgraph.com/dialog.js
+++ b/gnome-shell/firewall@subgraph.com/dialog.js
@ -458,7 +458,7 @@ const PromptDialog = new Lang.Class({
    Name: 'PromptDialog',
    Extends: ModalDialog.ModalDialog,
-    _init: function(invocation, pid_known, sandboxed) {
+    _init: function(invocation, pid_known, sandboxed, tlsguard) {
        this.parent({ styleClass: 'fw-prompt-dialog' });
        this._invocation = invocation;
        this.header = new PromptDialogHeader();
@ -471,7 +471,7 @@ const PromptDialog = new Lang.Class({
        this.info = new DetailSection(sandboxed);
        box.add_child(this.info.actor);
-        this.optionList = new OptionList(pid_known, sandboxed);
+        this.optionList = new OptionList(pid_known, tlsguard);
        box.add_child(this.optionList.actor);
        this.optionList.addOptions([
            "Only PORT AND ADDRESS",
@ -479,7 +479,7 @@ const PromptDialog = new Lang.Class({
            "Only PORT",
            "Any Connection"]);
-	if (sandboxed) {
+	if (tlsguard) {
 		this.optionList.addTLSOption(true);
 	}
@ -548,12 +548,12 @@ const PromptDialog = new Lang.Class({
        return this.optionList.tlsGuard;
    },
-    update: function(application, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, optstring, sandbox, expanded, expert, action) {
+    update: function(application, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action) {
        this._address = address;
        this._port = port;
 	this._proto = proto;
 	this._sandbox = sandbox;
-	this._tlsGuard;
+	this._tlsGuard = tlsguard;
        let port_str = (proto+"").toUpperCase() + " Port "+ port;
--- a/gnome-shell/firewall@subgraph.com/extension.js
+++ b/gnome-shell/firewall@subgraph.com/extension.js
@ -58,6 +58,7 @@ const FirewallPromptInterface = '<node> \
        <arg type="s" direction="in" name="group" /> \
        <arg type="i" direction="in" name="pid" /> \
 	<arg type="s" direction="in" name="sandbox" /> \
 	<arg type="b" direction="in" name="tlsguard" /> \
        <arg type="s" direction="in" name="optstring" /> \
        <arg type="b" direction="in" name="expanded" /> \
        <arg type="b" direction="in" name="expert" /> \
@ -93,11 +94,11 @@ const FirewallPromptHandler = new Lang.Class({
    },
    RequestPromptAsync: function(params, invocation) {
-        let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, optstring, expanded, expert, action] = params;
+        let [app, icon, path, address, port, ip, origin, proto, uid, gid, user, group, pid, sandbox, tlsguard, optstring, expanded, expert, action] = params;
 //        this._closeDialog();
-        this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""));
+        this._dialog = new Dialog.PromptDialog(invocation, (pid >= 0), (sandbox != ""), tlsguard);
        this._invocation = invocation;
-        this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, optstring, sandbox, expanded, expert, action);
+        this._dialog.update(app, icon, path, address, port, ip, origin, uid, gid, user, group, pid, proto, tlsguard, optstring, sandbox, expanded, expert, action);
        this._dialog.open();
    },
--- a/sgfw/policy.go
+++ b/sgfw/policy.go
@ -46,6 +46,7 @@ type pendingConnection interface {
 	dst() net.IP
 	dstPort() uint16
 	sandbox() string
 	socks() bool
 	accept()
 	acceptTLSOnly()
 	drop()
@ -78,6 +79,10 @@ func (pp *pendingPkt) sandbox() string {
 	return pp.pinfo.Sandbox
 }
 func (pp *pendingPkt) socks() bool {
 	return false
 }
 func (pp *pendingPkt) policy() *Policy {
 	return pp.pol
 }
--- a/sgfw/prompt.go
+++ b/sgfw/prompt.go
@ -162,6 +162,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
 		gidToGroup(pc.procInfo().GID),
 		int32(pc.procInfo().Pid),
 		pc.sandbox(),
 		pc.socks(),
 		pc.getOptString(),
 		FirewallConfig.PromptExpanded,
 		FirewallConfig.PromptExpert,
@ -229,7 +230,7 @@ func (p *prompter) processConnection(pc pendingConnection) {
 		r.mode = RULE_MODE_PERMANENT
 		policy.fw.saveRules()
 	}
-	log.Warningf("Prompt returning rule: %v", rule)
+	log.Warningf("Prompt returning rule: %v", tempRule)
 	dbusp.alertRule("sgfw prompt added new rule")
 }
--- a/sgfw/rules.go
+++ b/sgfw/rules.go
@ -187,7 +187,19 @@ func (rl *RuleList) filter(pkt *nfqueue.NFQPacket, src, dst net.IP, dstPort uint
 			if pkt != nil {
 				nfqproto = getNFQProto(pkt)
 			} else {
-				log.Notice("Weird state.")
+				log.Noticef("Weird state: %v %v %v %v",r.port, dstPort, hostname, r.hostname)
 				if (r.saddr == nil && src == nil && sandboxed == false && (r.port == dstPort || r.port == matchAny) && (r.addr.Equal(anyAddress) || r.hostname == "" || r.hostname == hostname)) {
 					log.Notice("+ Socks5 MATCH SUCCEEDED")
 						if r.rtype == RULE_ACTION_DENY {
 							return FILTER_DENY
 						} else if r.rtype == RULE_ACTION_ALLOW {
 							return FILTER_ALLOW
 						} else if r.rtype == RULE_ACTION_ALLOW_TLSONLY {
 							return FILTER_ALLOW_TLSONLY
 						}
 				} else {
 					return FILTER_PROMPT
 				}
 			}
 		}
 		log.Notice("r.saddr = ", r.saddr, "src = ", src, "\n")
--- a/sgfw/socks_server_chain.go
+++ b/sgfw/socks_server_chain.go
@ -63,6 +63,10 @@ func (sc *pendingSocksConnection) sandbox() string {
 	return sc.pinfo.Sandbox
 }
 func (sc *pendingSocksConnection) socks() bool {
 	return true
 }
 func (sc *pendingSocksConnection) policy() *Policy {
 	return sc.pol
 }
@ -312,7 +316,7 @@ func (c *socksChainSession) filterConnect() (bool, bool) {
 		return false, false
 	}
 	result := policy.rules.filter(nil, nil, ip, port, hostname, pinfo, optstr)
-	log.Errorf("result %v", result)
+	log.Errorf("result %v len(RuleList): %d", result, len(policy.rules))
 	switch result {
 	case FILTER_DENY:
 		return false, false