From 7c5e78b239fbfb9aeb892ab7b2e8abbcc22fd0a9 Mon Sep 17 00:00:00 2001 From: Patrick Pacher Date: Mon, 7 Sep 2020 15:29:34 +0200 Subject: [PATCH] Update app profile icons. Switch to new portbase options --- core/config.go | 8 +- firewall/config.go | 19 +- process/config.go | 4 +- profile/config.go | 343 ++++++++++++++++++------------- profile/database.go | 8 +- profile/endpoints/annotations.go | 24 +++ profile/profile.go | 88 +++++--- resolver/config.go | 98 +++++---- status/const.go | 42 +++- status/get.go | 14 +- updates/config.go | 23 ++- 11 files changed, 416 insertions(+), 255 deletions(-) create mode 100644 profile/endpoints/annotations.go diff --git a/core/config.go b/core/config.go index 0383d68f..bb6280be 100644 --- a/core/config.go +++ b/core/config.go @@ -30,11 +30,13 @@ func registerConfig() error { Name: "Development Mode", Key: CfgDevModeKey, Description: "In Development Mode security restrictions are lifted/softened to enable easier access to Portmaster for debugging and testing purposes.", - Order: 127, OptType: config.OptTypeBool, ExpertiseLevel: config.ExpertiseLevelDeveloper, ReleaseLevel: config.ReleaseLevelStable, DefaultValue: defaultDevMode, + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: 127, + }, }) if err != nil { return err @@ -44,11 +46,13 @@ func registerConfig() error { Name: "Use System Notifications", Key: CfgUseSystemNotificationsKey, Description: "Send notifications to your operating system's notification system. When this setting is turned off, notifications will only be visible in the Portmaster App. This affects both alerts from the Portmaster and questions from the Privacy Filter.", - Order: 32, OptType: config.OptTypeBool, ExpertiseLevel: config.ExpertiseLevelUser, ReleaseLevel: config.ReleaseLevelStable, DefaultValue: true, // TODO: turn off by default on unsupported systems + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: 32, + }, }) if err != nil { return err diff --git a/firewall/config.go b/firewall/config.go index 19d1b9c4..6dc4ba1f 100644 --- a/firewall/config.go +++ b/firewall/config.go @@ -11,14 +11,14 @@ var ( CfgOptionEnableFilterKey = "filter/enable" CfgOptionAskWithSystemNotificationsKey = "filter/askWithSystemNotifications" - CfgOptionAskWithSystemNotificationsOrder = 2 + cfgOptionAskWithSystemNotificationsOrder = 2 CfgOptionAskTimeoutKey = "filter/askTimeout" - CfgOptionAskTimeoutOrder = 3 + cfgOptionAskTimeoutOrder = 3 askTimeout config.IntOption CfgOptionPermanentVerdictsKey = "filter/permanentVerdicts" - CfgOptionPermanentVerdictsOrder = 128 + cfgOptionPermanentVerdictsOrder = 128 permanentVerdicts config.BoolOption devMode config.BoolOption @@ -30,11 +30,13 @@ func registerConfig() error { Name: "Permanent Verdicts", Key: CfgOptionPermanentVerdictsKey, Description: "With permanent verdicts, control of a connection is fully handed back to the OS after the initial decision. This brings a great performance increase, but makes it impossible to change the decision of a link later on.", - Order: CfgOptionPermanentVerdictsOrder, OptType: config.OptTypeBool, ExpertiseLevel: config.ExpertiseLevelExpert, ReleaseLevel: config.ReleaseLevelExperimental, DefaultValue: true, + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: cfgOptionPermanentVerdictsOrder, + }, }) if err != nil { return err @@ -45,11 +47,13 @@ func registerConfig() error { Name: "Ask with System Notifications", Key: CfgOptionAskWithSystemNotificationsKey, Description: `Ask about connections using your operating system's notification system. For this to be enabled, the setting "Use System Notifications" must enabled too. This only affects questions from the Privacy Filter, and does not affect alerts from the Portmaster.`, - Order: CfgOptionAskWithSystemNotificationsOrder, OptType: config.OptTypeBool, ExpertiseLevel: config.ExpertiseLevelUser, ReleaseLevel: config.ReleaseLevelExperimental, DefaultValue: true, + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: cfgOptionAskWithSystemNotificationsOrder, + }, }) if err != nil { return err @@ -59,11 +63,14 @@ func registerConfig() error { Name: "Timeout for Ask Notifications", Key: CfgOptionAskTimeoutKey, Description: "Amount of time (in seconds) how long the Portmaster will wait for a response when prompting about a connection via a notification. Please note that system notifications might not respect this or have it's own limits.", - Order: CfgOptionAskTimeoutOrder, OptType: config.OptTypeInt, ExpertiseLevel: config.ExpertiseLevelUser, ReleaseLevel: config.ReleaseLevelExperimental, DefaultValue: 60, + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: cfgOptionAskTimeoutOrder, + config.UnitAnnotation: "seconds", + }, }) if err != nil { return err diff --git a/process/config.go b/process/config.go index a4d8c205..d96d65f2 100644 --- a/process/config.go +++ b/process/config.go @@ -17,10 +17,12 @@ func registerConfiguration() error { Name: "Enable Process Detection", Key: CfgOptionEnableProcessDetectionKey, Description: "This option enables the attribution of network traffic to processes. This should be always enabled, and effectively disables app profiles if disabled.", - Order: 144, OptType: config.OptTypeBool, ExpertiseLevel: config.ExpertiseLevelDeveloper, DefaultValue: true, + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: 144, + }, }) if err != nil { return err diff --git a/profile/config.go b/profile/config.go index 2095a893..96d421c2 100644 --- a/profile/config.go +++ b/profile/config.go @@ -2,6 +2,7 @@ package profile import ( "github.com/safing/portbase/config" + "github.com/safing/portmaster/profile/endpoints" "github.com/safing/portmaster/status" ) @@ -93,15 +94,33 @@ func registerConfiguration() error { // ask - ask mode: if not verdict is found, the user is consulted // block - allowlist mode: everything is blocked unless permitted err := config.Register(&config.Option{ - Name: "Default Filter Action", - Key: CfgOptionDefaultActionKey, - Description: `The default filter action when nothing else permits or blocks a connection.`, - Order: cfgOptionDefaultActionOrder, - OptType: config.OptTypeString, - ReleaseLevel: config.ReleaseLevelExperimental, - DefaultValue: "permit", - ExternalOptType: "string list", - ValidationRegex: "^(permit|ask|block)$", + Name: "Default Filter Action", + Key: CfgOptionDefaultActionKey, + Description: `The default filter action when nothing else permits or blocks a connection.`, + OptType: config.OptTypeString, + ReleaseLevel: config.ReleaseLevelExperimental, + DefaultValue: "permit", + Annotations: config.Annotations{ + config.DisplayHintAnnotation: config.DisplayHintOneOf, + config.DisplayOrderAnnotation: cfgOptionDefaultActionOrder, + }, + PossibleValues: []config.PossibleValue{ + { + Name: "Permit", + Value: "permit", + Description: "Permit all connections", + }, + { + Name: "Ask", + Value: "ask", + Description: "Always ask for a decision", + }, + { + Name: "Block", + Value: "block", + Description: "Block all connections", + }, + }, }) if err != nil { return err @@ -111,14 +130,16 @@ func registerConfiguration() error { // Disable Auto Permit err = config.Register(&config.Option{ - Name: "Disable Auto Permit", - Key: CfgOptionDisableAutoPermitKey, - Description: "Auto Permit searches for a relation between an app and the destionation of a connection - if there is a correlation, the connection will be permitted. This setting is negated in order to provide a streamlined user experience, where higher settings are better.", - Order: cfgOptionDisableAutoPermitOrder, - OptType: config.OptTypeInt, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelsAll, - ValidationRegex: "^(4|6|7)$", + Name: "Disable Auto Permit", + Key: CfgOptionDisableAutoPermitKey, + Description: "Auto Permit searches for a relation between an app and the destionation of a connection - if there is a correlation, the connection will be permitted. This setting is negated in order to provide a streamlined user experience, where higher settings are better.", + OptType: config.OptTypeInt, + DefaultValue: status.SecurityLevelsAll, + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: cfgOptionDisableAutoPermitOrder, + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + }, + PossibleValues: status.SecurityLevelValues, }) if err != nil { return err @@ -154,14 +175,16 @@ Examples: // Endpoint Filter List err = config.Register(&config.Option{ - Name: "Endpoint Filter List", - Key: CfgOptionEndpointsKey, - Description: "Filter outgoing connections by matching the destination endpoint. Network Scope restrictions still apply.", - Help: filterListHelp, - Order: cfgOptionEndpointsOrder, - OptType: config.OptTypeStringArray, - DefaultValue: []string{}, - ExternalOptType: "endpoint list", + Name: "Endpoint Filter List", + Key: CfgOptionEndpointsKey, + Description: "Filter outgoing connections by matching the destination endpoint. Network Scope restrictions still apply.", + Help: filterListHelp, + OptType: config.OptTypeStringArray, + DefaultValue: []string{}, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: endpoints.DisplayHintEndpointList, + config.DisplayOrderAnnotation: cfgOptionEndpointsOrder, + }, ValidationRegex: `^(\+|\-) [A-z0-9\.:\-*/]+( [A-z0-9/]+)?$`, }) if err != nil { @@ -172,14 +195,16 @@ Examples: // Service Endpoint Filter List err = config.Register(&config.Option{ - Name: "Service Endpoint Filter List", - Key: CfgOptionServiceEndpointsKey, - Description: "Filter incoming connections by matching the source endpoint. Network Scope restrictions and the inbound permission still apply. Also not that the implicit default action of this list is to always block.", - Help: filterListHelp, - Order: cfgOptionServiceEndpointsOrder, - OptType: config.OptTypeStringArray, - DefaultValue: []string{"+ Localhost"}, - ExternalOptType: "endpoint list", + Name: "Service Endpoint Filter List", + Key: CfgOptionServiceEndpointsKey, + Description: "Filter incoming connections by matching the source endpoint. Network Scope restrictions and the inbound permission still apply. Also not that the implicit default action of this list is to always block.", + Help: filterListHelp, + OptType: config.OptTypeStringArray, + DefaultValue: []string{"+ Localhost"}, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: endpoints.DisplayHintEndpointList, + config.DisplayOrderAnnotation: cfgOptionServiceEndpointsOrder, + }, ValidationRegex: `^(\+|\-) [A-z0-9\.:\-*/]+( [A-z0-9/]+)?$`, }) if err != nil { @@ -190,13 +215,15 @@ Examples: // Filter list IDs err = config.Register(&config.Option{ - Name: "Filter List", - Key: CfgOptionFilterListsKey, - Description: "Filter connections by matching the endpoint against configured filterlists", - Order: cfgOptionFilterListsOrder, - OptType: config.OptTypeStringArray, - DefaultValue: []string{"TRAC", "MAL"}, - ExternalOptType: "filter list", + Name: "Filter List", + Key: CfgOptionFilterListsKey, + Description: "Filter connections by matching the endpoint against configured filterlists", + OptType: config.OptTypeStringArray, + DefaultValue: []string{"TRAC", "MAL"}, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: "filter list", + config.DisplayOrderAnnotation: cfgOptionFilterListsOrder, + }, ValidationRegex: `^[a-zA-Z0-9\-]+$`, }) if err != nil { @@ -207,15 +234,17 @@ Examples: // Include CNAMEs err = config.Register(&config.Option{ - Name: "Filter CNAMEs", - Key: CfgOptionFilterCNAMEKey, - Description: "Also filter requests where a CNAME would be blocked", - Order: cfgOptionFilterCNAMEOrder, - OptType: config.OptTypeInt, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelsAll, - ValidationRegex: "^(4|6|7)$", - ExpertiseLevel: config.ExpertiseLevelExpert, + Name: "Filter CNAMEs", + Key: CfgOptionFilterCNAMEKey, + Description: "Also filter requests where a CNAME would be blocked", + OptType: config.OptTypeInt, + DefaultValue: status.SecurityLevelsAll, + ExpertiseLevel: config.ExpertiseLevelExpert, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + config.DisplayOrderAnnotation: cfgOptionFilterCNAMEOrder, + }, + PossibleValues: status.SecurityLevelValues, }) if err != nil { return err @@ -225,14 +254,16 @@ Examples: // Include subdomains err = config.Register(&config.Option{ - Name: "Filter Subdomains", - Key: CfgOptionFilterSubDomainsKey, - Description: "Also filter a domain if any parent domain is blocked by a filter list", - Order: cfgOptionFilterSubDomainsOrder, - OptType: config.OptTypeInt, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelsAll, - ValidationRegex: "^(4|6|7)$", + Name: "Filter Subdomains", + Key: CfgOptionFilterSubDomainsKey, + Description: "Also filter a domain if any parent domain is blocked by a filter list", + OptType: config.OptTypeInt, + DefaultValue: status.SecurityLevelsAll, + PossibleValues: status.SecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + config.DisplayOrderAnnotation: cfgOptionFilterSubDomainsOrder, + }, }) if err != nil { return err @@ -242,15 +273,17 @@ Examples: // Block Scope Local err = config.Register(&config.Option{ - Name: "Block Scope Local", - Key: CfgOptionBlockScopeLocalKey, - Description: "Block internal connections on your own device, ie. localhost.", - Order: cfgOptionBlockScopeLocalOrder, - OptType: config.OptTypeInt, - ExpertiseLevel: config.ExpertiseLevelExpert, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelOff, - ValidationRegex: "^(0|4|6|7)$", + Name: "Block Scope Local", + Key: CfgOptionBlockScopeLocalKey, + Description: "Block internal connections on your own device, ie. localhost.", + OptType: config.OptTypeInt, + ExpertiseLevel: config.ExpertiseLevelExpert, + DefaultValue: status.SecurityLevelOff, + PossibleValues: status.AllSecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + config.DisplayOrderAnnotation: cfgOptionBlockScopeLocalOrder, + }, }) if err != nil { return err @@ -260,14 +293,16 @@ Examples: // Block Scope LAN err = config.Register(&config.Option{ - Name: "Block Scope LAN", - Key: CfgOptionBlockScopeLANKey, - Description: "Block connections to the Local Area Network.", - Order: cfgOptionBlockScopeLANOrder, - OptType: config.OptTypeInt, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelsHighAndExtreme, - ValidationRegex: "^(0|4|6|7)$", + Name: "Block Scope LAN", + Key: CfgOptionBlockScopeLANKey, + Description: "Block connections to the Local Area Network.", + OptType: config.OptTypeInt, + DefaultValue: status.SecurityLevelsHighAndExtreme, + PossibleValues: status.AllSecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + config.DisplayOrderAnnotation: cfgOptionBlockScopeLANOrder, + }, }) if err != nil { return err @@ -277,14 +312,16 @@ Examples: // Block Scope Internet err = config.Register(&config.Option{ - Name: "Block Scope Internet", - Key: CfgOptionBlockScopeInternetKey, - Description: "Block connections to the Internet.", - Order: cfgOptionBlockScopeInternetOrder, - OptType: config.OptTypeInt, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelOff, - ValidationRegex: "^(0|4|6|7)$", + Name: "Block Scope Internet", + Key: CfgOptionBlockScopeInternetKey, + Description: "Block connections to the Internet.", + OptType: config.OptTypeInt, + DefaultValue: status.SecurityLevelOff, + PossibleValues: status.AllSecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + config.DisplayOrderAnnotation: cfgOptionBlockScopeInternetOrder, + }, }) if err != nil { return err @@ -294,14 +331,16 @@ Examples: // Block Peer to Peer Connections err = config.Register(&config.Option{ - Name: "Block Peer to Peer Connections", - Key: CfgOptionBlockP2PKey, - Description: "These are connections that are established directly to an IP address on the Internet without resolving a domain name via DNS first.", - Order: cfgOptionBlockP2POrder, - OptType: config.OptTypeInt, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelExtreme, - ValidationRegex: "^(4|6|7)$", + Name: "Block Peer to Peer Connections", + Key: CfgOptionBlockP2PKey, + Description: "These are connections that are established directly to an IP address on the Internet without resolving a domain name via DNS first.", + OptType: config.OptTypeInt, + DefaultValue: status.SecurityLevelExtreme, + PossibleValues: status.SecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + config.DisplayOrderAnnotation: cfgOptionBlockP2POrder, + }, }) if err != nil { return err @@ -311,14 +350,16 @@ Examples: // Block Inbound Connections err = config.Register(&config.Option{ - Name: "Block Inbound Connections", - Key: CfgOptionBlockInboundKey, - Description: "Connections initiated towards your device from the LAN or Internet. This will usually only be the case if you are running a network service or are using peer to peer software.", - Order: cfgOptionBlockInboundOrder, - OptType: config.OptTypeInt, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelsHighAndExtreme, - ValidationRegex: "^(4|6|7)$", + Name: "Block Inbound Connections", + Key: CfgOptionBlockInboundKey, + Description: "Connections initiated towards your device from the LAN or Internet. This will usually only be the case if you are running a network service or are using peer to peer software.", + OptType: config.OptTypeInt, + DefaultValue: status.SecurityLevelsHighAndExtreme, + PossibleValues: status.SecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + config.DisplayOrderAnnotation: cfgOptionBlockInboundOrder, + }, }) if err != nil { return err @@ -328,15 +369,17 @@ Examples: // Enforce SPN err = config.Register(&config.Option{ - Name: "Enforce SPN", - Key: CfgOptionEnforceSPNKey, - Description: "This setting enforces connections to be routed over the SPN. If this is not possible for any reason, connections will be blocked.", - Order: cfgOptionEnforceSPNOrder, - OptType: config.OptTypeInt, - ReleaseLevel: config.ReleaseLevelExperimental, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelOff, - ValidationRegex: "^(0|4|6|7)$", + Name: "Enforce SPN", + Key: CfgOptionEnforceSPNKey, + Description: "This setting enforces connections to be routed over the SPN. If this is not possible for any reason, connections will be blocked.", + OptType: config.OptTypeInt, + ReleaseLevel: config.ReleaseLevelExperimental, + DefaultValue: status.SecurityLevelOff, + PossibleValues: status.AllSecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + config.DisplayOrderAnnotation: cfgOptionEnforceSPNOrder, + }, }) if err != nil { return err @@ -346,16 +389,18 @@ Examples: // Filter Out-of-Scope DNS Records err = config.Register(&config.Option{ - Name: "Filter Out-of-Scope DNS Records", - Key: CfgOptionRemoveOutOfScopeDNSKey, - Description: "Filter DNS answers that are outside of the scope of the server. A server on the public Internet may not respond with a private LAN address.", - Order: cfgOptionRemoveOutOfScopeDNSOrder, - OptType: config.OptTypeInt, - ExpertiseLevel: config.ExpertiseLevelExpert, - ReleaseLevel: config.ReleaseLevelBeta, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelsAll, - ValidationRegex: "^(4|6|7)$", + Name: "Filter Out-of-Scope DNS Records", + Key: CfgOptionRemoveOutOfScopeDNSKey, + Description: "Filter DNS answers that are outside of the scope of the server. A server on the public Internet may not respond with a private LAN address.", + OptType: config.OptTypeInt, + ExpertiseLevel: config.ExpertiseLevelExpert, + ReleaseLevel: config.ReleaseLevelBeta, + DefaultValue: status.SecurityLevelsAll, + PossibleValues: status.SecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + config.DisplayOrderAnnotation: cfgOptionRemoveOutOfScopeDNSOrder, + }, }) if err != nil { return err @@ -365,16 +410,18 @@ Examples: // Filter DNS Records that would be blocked err = config.Register(&config.Option{ - Name: "Filter DNS Records that would be blocked", - Key: CfgOptionRemoveBlockedDNSKey, - Description: "Pre-filter DNS answers that an application would not be allowed to connect to.", - Order: cfgOptionRemoveBlockedDNSOrder, - OptType: config.OptTypeInt, - ExpertiseLevel: config.ExpertiseLevelExpert, - ReleaseLevel: config.ReleaseLevelBeta, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelsAll, - ValidationRegex: "^(4|6|7)$", + Name: "Filter DNS Records that would be blocked", + Key: CfgOptionRemoveBlockedDNSKey, + Description: "Pre-filter DNS answers that an application would not be allowed to connect to.", + OptType: config.OptTypeInt, + ExpertiseLevel: config.ExpertiseLevelExpert, + ReleaseLevel: config.ReleaseLevelBeta, + DefaultValue: status.SecurityLevelsAll, + PossibleValues: status.SecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + config.DisplayOrderAnnotation: cfgOptionRemoveBlockedDNSOrder, + }, }) if err != nil { return err @@ -384,15 +431,17 @@ Examples: // Domain heuristics err = config.Register(&config.Option{ - Name: "Enable Domain Heuristics", - Key: CfgOptionDomainHeuristicsKey, - Description: "Domain Heuristics checks for suspicious looking domain names and blocks them. Ths option currently targets domains generated by malware and DNS data tunnels.", - Order: cfgOptionDomainHeuristicsOrder, - OptType: config.OptTypeInt, - ExpertiseLevel: config.ExpertiseLevelExpert, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelsAll, - ValidationRegex: "^(0|4|6|7)$", + Name: "Enable Domain Heuristics", + Key: CfgOptionDomainHeuristicsKey, + Description: "Domain Heuristics checks for suspicious looking domain names and blocks them. Ths option currently targets domains generated by malware and DNS data tunnels.", + OptType: config.OptTypeInt, + ExpertiseLevel: config.ExpertiseLevelExpert, + DefaultValue: status.SecurityLevelsAll, + PossibleValues: status.AllSecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + config.DisplayOrderAnnotation: cfgOptionDomainHeuristicsOrder, + }, }) if err != nil { return err @@ -401,16 +450,18 @@ Examples: // Bypass prevention err = config.Register(&config.Option{ - Name: "Prevent Bypassing", - Key: CfgOptionPreventBypassingKey, - Description: "Prevent apps from bypassing the privacy filter: Firefox by disabling DNS-over-HTTPs", - Order: cfgOptionPreventBypassingOrder, - OptType: config.OptTypeInt, - ExpertiseLevel: config.ExpertiseLevelUser, - ReleaseLevel: config.ReleaseLevelBeta, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelsAll, - ValidationRegex: "^(4|6|7)", + Name: "Prevent Bypassing", + Key: CfgOptionPreventBypassingKey, + Description: "Prevent apps from bypassing the privacy filter: Firefox by disabling DNS-over-HTTPs", + OptType: config.OptTypeInt, + ExpertiseLevel: config.ExpertiseLevelUser, + ReleaseLevel: config.ReleaseLevelBeta, + DefaultValue: status.SecurityLevelsAll, + PossibleValues: status.SecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + config.DisplayOrderAnnotation: cfgOptionPreventBypassingOrder, + }, }) if err != nil { return err diff --git a/profile/database.go b/profile/database.go index 75414f1f..1bff3ddb 100644 --- a/profile/database.go +++ b/profile/database.go @@ -24,12 +24,12 @@ var ( profileDB = database.NewInterface(nil) ) -func makeScopedID(source, id string) string { - return source + "/" + id +func makeScopedID(source profileSource, id string) string { + return string(source) + "/" + id } -func makeProfileKey(source, id string) string { - return profilesDBPath + source + "/" + id +func makeProfileKey(source profileSource, id string) string { + return profilesDBPath + string(source) + "/" + id } func registerValidationDBHook() (err error) { diff --git a/profile/endpoints/annotations.go b/profile/endpoints/annotations.go new file mode 100644 index 00000000..bb37d048 --- /dev/null +++ b/profile/endpoints/annotations.go @@ -0,0 +1,24 @@ +package endpoints + +// DisplayHintEndpointList marks an option as an endpoint +// list option. It's meant to be used with DisplayHintAnnotation. +const DisplayHintEndpointList = "endpoint list" + +// EndpointListAnnotation is the annotation identifier used in configuration +// options to hint the UI on available endpoint list types. If configured, only +// the specified set of entities is allowed to be used. The value is expected +// to be a single string or []string. If this annotation is missing, all +// values are expected to be allowed. +const EndpointListAnnotation = "safing/portmaster:ui:endpoint-list" + +// Allowed values for the EndpointListAnnotation. +const ( + EndpointListIP = "ip" + EndpointListAsn = "asn" + EndpointListCountry = "country" + EndpointListDomain = "domain" + EndpointListIPRange = "iprange" + EndpointListLists = "lists" + EndpointListScopes = "scopes" + EndpointListProtocolAndPorts = "protocol-port" +) diff --git a/profile/profile.go b/profile/profile.go index f13c8b4c..b0623a55 100644 --- a/profile/profile.go +++ b/profile/profile.go @@ -20,12 +20,15 @@ var ( lastUsedUpdateThreshold = 24 * time.Hour ) +// profileSource is the source of the profile. +type profileSource string + // Profile Sources const ( - SourceLocal string = "local" // local, editable - SourceSpecial string = "special" // specials (read-only) - SourceCommunity string = "community" - SourceEnterprise string = "enterprise" + SourceLocal profileSource = "local" // local, editable + SourceSpecial profileSource = "special" // specials (read-only) + SourceCommunity profileSource = "community" + SourceEnterprise profileSource = "enterprise" ) // Default Action IDs @@ -36,35 +39,65 @@ const ( DefaultActionPermit uint8 = 3 ) +// iconType describes the type of the Icon property +// of a profile. +type iconType string + +// Supported icon types. +const ( + IconTypeFile iconType = "path" + IconTypeDatabase iconType = "database" + IconTypeBlob iconType = "blob" +) + // Profile is used to predefine a security profile for applications. type Profile struct { //nolint:maligned // not worth the effort record.Base sync.Mutex - - // Identity - ID string - Source string - - // App Information - Name string + // ID is a unique identifier for the profile. + ID string + // Source describes the source of the profile. + Source profileSource + // Name is a human readable name of the profile. It + // defaults to the basename of the application. + Name string + // Description may holds an optional description of the + // profile or the purpose of the application. Description string - Homepage string - // Icon is a path to the icon and is either prefixed "f:" for filepath, "d:" for a database path or "e:" for the encoded data. + // Homepage may refer the the website of the application + // vendor. + Homepage string + // Icon holds the icon of the application. The value + // may either be a filepath, a database key or a blob URL. + // See IconType for more information. Icon string - + // IconType describes the type of the Icon property. + IconType iconType // References - local profiles only - // LinkedPath is a filesystem path to the executable this profile was created for. + // LinkedPath is a filesystem path to the executable this + // profile was created for. LinkedPath string // LinkedProfiles is a list of other profiles LinkedProfiles []string - - // Fingerprints - // TODO: Fingerprints []*Fingerprint - - // Configuration - // The mininum security level to apply to connections made with this profile + // SecurityLevel is the mininum security level to apply to + // connections made with this profile. + // Note(ppacher): we may deprecate this one as it can easily + // be "simulated" by adjusting the settings + // directly. SecurityLevel uint8 - Config map[string]interface{} + // Config holds profile specific setttings. It's a nested + // object with keys defining the settings database path. All keys + // until the actual settings value (which is everything that is not + // an object) need to be concatinated for the settings database + // path. + Config map[string]interface{} + // ApproxLastUsed holds a UTC timestamp in seconds of + // when this Profile was approximately last used. + // For performance reasons not every single usage is saved. + ApproxLastUsed int64 + // Created holds the UTC timestamp in seconds when the + // profile has been created. + Created int64 // Interpreted Data configPerspective *config.Perspective @@ -78,15 +111,6 @@ type Profile struct { //nolint:maligned // not worth the effort outdated *abool.AtomicBool lastUsed time.Time - // Framework - // If a Profile is declared as a Framework (i.e. an Interpreter and the likes), then the real process/actor must be found - // TODO: Framework *Framework - - // When this Profile was approximately last used. - // For performance reasons not every single usage is saved. - ApproxLastUsed int64 - Created int64 - internalSave bool } @@ -254,7 +278,7 @@ func (profile *Profile) addEndpointyEntry(cfgKey, newEntry string) { } // GetProfile loads a profile from the database. -func GetProfile(source, id string) (*Profile, error) { +func GetProfile(source profileSource, id string) (*Profile, error) { return GetProfileByScopedID(makeScopedID(source, id)) } diff --git a/resolver/config.go b/resolver/config.go index e2205728..f17a4d91 100644 --- a/resolver/config.go +++ b/resolver/config.go @@ -106,12 +106,14 @@ Parameters: refused: server replies with Refused status zeroip: server replies with an IP address, but it is zero `, - Order: cfgOptionNameServersOrder, OptType: config.OptTypeStringArray, ExpertiseLevel: config.ExpertiseLevelExpert, ReleaseLevel: config.ReleaseLevelStable, DefaultValue: defaultNameServers, ValidationRegex: fmt.Sprintf("^(%s|%s|%s)://.*", ServerTypeDoT, ServerTypeDNS, ServerTypeTCP), + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: cfgOptionNameServersOrder, + }, }) if err != nil { return err @@ -120,13 +122,15 @@ Parameters: err = config.Register(&config.Option{ Name: "DNS Server Retry Rate", - Key: CfgOptionNameserverRetryRateKey, Description: "Rate at which to retry failed DNS Servers, in seconds.", - Order: cfgOptionNameserverRetryRateOrder, OptType: config.OptTypeInt, ExpertiseLevel: config.ExpertiseLevelExpert, ReleaseLevel: config.ReleaseLevelStable, DefaultValue: 600, + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: cfgOptionNameserverRetryRateOrder, + config.UnitAnnotation: "seconds", + }, }) if err != nil { return err @@ -134,16 +138,18 @@ Parameters: nameserverRetryRate = config.Concurrent.GetAsInt(CfgOptionNameserverRetryRateKey, 600) err = config.Register(&config.Option{ - Name: "Do not use Multicast DNS", - Key: CfgOptionNoMulticastDNSKey, - Description: "Multicast DNS queries other devices in the local network", - Order: cfgOptionNoMulticastDNSOrder, - OptType: config.OptTypeInt, - ExpertiseLevel: config.ExpertiseLevelExpert, - ReleaseLevel: config.ReleaseLevelStable, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelsHighAndExtreme, - ValidationRegex: "^(4|6|7)$", + Name: "Do not use Multicast DNS", + Key: CfgOptionNoMulticastDNSKey, + Description: "Multicast DNS queries other devices in the local network", + OptType: config.OptTypeInt, + ExpertiseLevel: config.ExpertiseLevelExpert, + ReleaseLevel: config.ReleaseLevelStable, + DefaultValue: status.SecurityLevelsHighAndExtreme, + PossibleValues: status.SecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: cfgOptionNoMulticastDNSOrder, + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + }, }) if err != nil { return err @@ -151,16 +157,18 @@ Parameters: noMulticastDNS = status.ConfigIsActiveConcurrent(CfgOptionNoMulticastDNSKey) err = config.Register(&config.Option{ - Name: "Do not use assigned Nameservers", - Key: CfgOptionNoAssignedNameserversKey, - Description: "that were acquired by the network (dhcp) or system", - Order: cfgOptionNoAssignedNameserversOrder, - OptType: config.OptTypeInt, - ExpertiseLevel: config.ExpertiseLevelExpert, - ReleaseLevel: config.ReleaseLevelStable, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelsHighAndExtreme, - ValidationRegex: "^(4|6|7)$", + Name: "Do not use assigned Nameservers", + Key: CfgOptionNoAssignedNameserversKey, + Description: "that were acquired by the network (dhcp) or system", + OptType: config.OptTypeInt, + ExpertiseLevel: config.ExpertiseLevelExpert, + ReleaseLevel: config.ReleaseLevelStable, + DefaultValue: status.SecurityLevelsHighAndExtreme, + PossibleValues: status.SecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: cfgOptionNoAssignedNameserversOrder, + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + }, }) if err != nil { return err @@ -168,16 +176,18 @@ Parameters: noAssignedNameservers = status.ConfigIsActiveConcurrent(CfgOptionNoAssignedNameserversKey) err = config.Register(&config.Option{ - Name: "Do not resolve insecurely", - Key: CfgOptionNoInsecureProtocolsKey, - Description: "Do not resolve domains with insecure protocols, ie. plain DNS", - Order: cfgOptionNoInsecureProtocolsOrder, - OptType: config.OptTypeInt, - ExpertiseLevel: config.ExpertiseLevelExpert, - ReleaseLevel: config.ReleaseLevelStable, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelsHighAndExtreme, - ValidationRegex: "^(4|6|7)$", + Name: "Do not resolve insecurely", + Key: CfgOptionNoInsecureProtocolsKey, + Description: "Do not resolve domains with insecure protocols, ie. plain DNS", + OptType: config.OptTypeInt, + ExpertiseLevel: config.ExpertiseLevelExpert, + ReleaseLevel: config.ReleaseLevelStable, + DefaultValue: status.SecurityLevelsHighAndExtreme, + PossibleValues: status.SecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: cfgOptionNoInsecureProtocolsOrder, + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + }, }) if err != nil { return err @@ -185,16 +195,18 @@ Parameters: noInsecureProtocols = status.ConfigIsActiveConcurrent(CfgOptionNoInsecureProtocolsKey) err = config.Register(&config.Option{ - Name: "Do not resolve special domains", - Key: CfgOptionDontResolveSpecialDomainsKey, - Description: fmt.Sprintf("Do not resolve the special top level domains %s", formatScopeList(specialServiceDomains)), - Order: cfgOptionDontResolveSpecialDomainsOrder, - OptType: config.OptTypeInt, - ExpertiseLevel: config.ExpertiseLevelExpert, - ReleaseLevel: config.ReleaseLevelStable, - ExternalOptType: "security level", - DefaultValue: status.SecurityLevelsAll, - ValidationRegex: "^(4|6|7)$", + Name: "Do not resolve special domains", + Key: CfgOptionDontResolveSpecialDomainsKey, + Description: fmt.Sprintf("Do not resolve the special top level domains %s", formatScopeList(specialServiceDomains)), + OptType: config.OptTypeInt, + ExpertiseLevel: config.ExpertiseLevelExpert, + ReleaseLevel: config.ReleaseLevelStable, + DefaultValue: status.SecurityLevelsAll, + PossibleValues: status.SecurityLevelValues, + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: cfgOptionDontResolveSpecialDomainsOrder, + config.DisplayHintAnnotation: status.DisplayHintSecurityLevel, + }, }) if err != nil { return err diff --git a/status/const.go b/status/const.go index c3b1c01b..96537903 100644 --- a/status/const.go +++ b/status/const.go @@ -1,9 +1,16 @@ package status -// Definitions of Security and Status Levels. -const ( - SecurityLevelOff uint8 = 0 +import ( + "github.com/safing/portbase/config" +) +// DisplayHintSecurityLevel is an external option hint for security levels. +// It's meant to be used as a value for config.DisplayHintAnnotation. +const DisplayHintSecurityLevel string = "security level" + +// Security levels +const ( + SecurityLevelOff uint8 = 0 SecurityLevelNormal uint8 = 1 SecurityLevelHigh uint8 = 2 SecurityLevelExtreme uint8 = 4 @@ -12,7 +19,36 @@ const ( SecurityLevelsNormalAndExtreme uint8 = SecurityLevelNormal | SecurityLevelExtreme SecurityLevelsHighAndExtreme uint8 = SecurityLevelHigh | SecurityLevelExtreme SecurityLevelsAll uint8 = SecurityLevelNormal | SecurityLevelHigh | SecurityLevelExtreme +) +// SecurityLevelValues defines all possible security levels. +var SecurityLevelValues = []config.PossibleValue{ + { + Name: "Normal", + Value: SecurityLevelsAll, + }, + { + Name: "High", + Value: SecurityLevelsHighAndExtreme, + }, + { + Name: "Extreme", + Value: SecurityLevelExtreme, + }, +} + +// AllSecurityLevelValues is like SecurityLevelValues but also includes Off. +var AllSecurityLevelValues = append([]config.PossibleValue{ + { + Name: "Off", + Value: SecurityLevelOff, + }, +}, + SecurityLevelValues..., +) + +// Status constants +const ( StatusOff uint8 = 0 StatusError uint8 = 1 StatusWarning uint8 = 2 diff --git a/status/get.go b/status/get.go index c42da3b2..24d5300c 100644 --- a/status/get.go +++ b/status/get.go @@ -5,20 +5,10 @@ import ( ) var ( - activeSecurityLevel *uint32 - selectedSecurityLevel *uint32 + activeSecurityLevel = new(uint32) + selectedSecurityLevel = new(uint32) ) -func init() { - var ( - activeSecurityLevelValue uint32 - selectedSecurityLevelValue uint32 - ) - - activeSecurityLevel = &activeSecurityLevelValue - selectedSecurityLevel = &selectedSecurityLevelValue -} - // ActiveSecurityLevel returns the current security level. func ActiveSecurityLevel() uint8 { return uint8(atomic.LoadUint32(activeSecurityLevel)) diff --git a/updates/config.go b/updates/config.go index 9852aa5e..5c81ffa4 100644 --- a/updates/config.go +++ b/updates/config.go @@ -2,7 +2,6 @@ package updates import ( "context" - "fmt" "github.com/safing/portbase/config" "github.com/safing/portbase/log" @@ -27,14 +26,25 @@ func registerConfig() error { Name: "Release Channel", Key: releaseChannelKey, Description: "The Release Channel changes which updates are applied. When using beta, you will receive new features earlier and Portmaster will update more frequently. Some beta or experimental features are also available in the stable release channel.", - Order: 1, OptType: config.OptTypeString, ExpertiseLevel: config.ExpertiseLevelExpert, ReleaseLevel: config.ReleaseLevelBeta, RequiresRestart: false, DefaultValue: releaseChannelStable, - ExternalOptType: "string list", - ValidationRegex: fmt.Sprintf("^(%s|%s)$", releaseChannelStable, releaseChannelBeta), + PossibleValues: []config.PossibleValue{ + { + Name: "Stable", + Value: releaseChannelStable, + }, + { + Name: "Beta", + Value: releaseChannelBeta, + }, + }, + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: 1, + config.DisplayHintAnnotation: config.DisplayHintOneOf, + }, }) if err != nil { return err @@ -44,13 +54,14 @@ func registerConfig() error { Name: "Disable Updates", Key: disableUpdatesKey, Description: "Disable automatic updates.", - Order: 64, OptType: config.OptTypeBool, ExpertiseLevel: config.ExpertiseLevelExpert, ReleaseLevel: config.ReleaseLevelStable, RequiresRestart: false, DefaultValue: false, - ExternalOptType: "disable updates", + Annotations: config.Annotations{ + config.DisplayOrderAnnotation: 64, + }, }) if err != nil { return err