Merge branch 'develop' into feature/new-kext

.github/workflows/angular.yml

@@ -17,7 +17,7 @@ on:
 
 jobs:
   lint:
-    name: Linter
+    name: Lint
     runs-on: ubuntu-latest
     defaults:
       run:
@@ -56,4 +56,4 @@ jobs:
         password: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Build angular projects
-      run: earthly --ci --remote-cache=ghcr.io/safing/build-cache --push +build-angular
+      run: earthly --ci --remote-cache=ghcr.io/safing/build-cache --push +angular-release

.github/workflows/go.yml

@@ -48,7 +48,7 @@ jobs:
       run: go vet ./...
 
   test:
-    name: Test
+    name: Test & Build
     runs-on: ubuntu-latest
     steps:
     - uses: earthly/actions-setup@v1
@@ -63,5 +63,5 @@ jobs:
         username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
 
-    - name: Run Go Tests
-      run: earthly --ci --remote-cache=ghcr.io/safing/build-cache --push +test-go
+    - name: Run Go Tests & Build
+      run: earthly --ci --remote-cache=ghcr.io/safing/build-cache --push +go-ci

Earthfile

@@ -15,14 +15,15 @@ ARG --global outputDir = "./dist"
 # to GOOS, GOARCH and GOARM when building go binaries. See the +RUST_TO_GO_ARCH_STRING
 # helper method at the bottom of the file.
 
-
 ARG --global architectures = "x86_64-unknown-linux-gnu" \
                              "aarch64-unknown-linux-gnu" \
                              "x86_64-pc-windows-gnu"
-
-# Compile errors here:
-#                             "armv7-unknown-linux-gnueabihf" \
-#                             "arm-unknown-linux-gnueabi" \
+                             # TODO: Compile errors here:
+                             # "aarch64-pc-windows-gnu" \
+                             # "x86_64-apple-darwin" \
+                             # "aarch64-apple-darwin"
+                             # "armv7-unknown-linux-gnueabihf" \
+                             # "arm-unknown-linux-gnueabi"
 
 # Import the earthly rust lib since it already provides some useful
 # build-targets and methods to initialize the rust toolchain.
@@ -84,7 +85,7 @@ go-base:
     SAVE IMAGE --cache-hint
 
 # updates all go dependencies and runs go mod tidy, saving go.mod and go.sum locally.
-update-go-deps:
+go-update-deps:
     FROM +go-base
 
     RUN go get -u ./..
@@ -100,9 +101,9 @@ mod-tidy:
     SAVE ARTIFACT go.mod AS LOCAL go.mod
     SAVE ARTIFACT --if-exists go.sum AS LOCAL go.sum
 
-# build-go runs 'go build ./cmds/...', saving artifacts locally.
+# go-build runs 'go build ./cmds/...', saving artifacts locally.
 # If --CMDS is not set, it defaults to building portmaster-start, portmaster-core and hub
-build-go:
+go-build:
     FROM +go-base
 
     # Arguments for cross-compilation.
@@ -136,10 +137,10 @@ build-go:
 
 # Test one or more go packages.
 # Test are always run as -short, as "long" tests require a full desktop system.
-# Run `earthly +test-go` to test all packages
-# Run `earthly +test-go --PKG="service/firewall"` to only test a specific package.
-# Run `earthly +test-go --TESTFLAGS="-args arg1"` to add custom flags to go test (-args in this case)
-test-go:
+# Run `earthly +go-test` to test all packages
+# Run `earthly +go-test --PKG="service/firewall"` to only test a specific package.
+# Run `earthly +go-test --TESTFLAGS="-args arg1"` to add custom flags to go test (-args in this case)
+go-test:
     FROM +go-base
 
     ARG GOOS=linux
@@ -155,16 +156,16 @@ test-go:
         RUN --no-cache go test -cover -short ${pkg} ${TESTFLAGS}
     END
 
-test-go-all-platforms:
+go-test-all:
     FROM ${work_image}
 
     FOR arch IN ${architectures}
         DO +RUST_TO_GO_ARCH_STRING --rustTarget="${arch}"
-        BUILD +test-go --GOARCH="${GOARCH}" --GOOS="${GOOS}" --GOARM="${GOARM}"
+        BUILD +go-test --GOARCH="${GOARCH}" --GOOS="${GOOS}" --GOARM="${GOARM}"
     END
 
 # Builds portmaster-start, portmaster-core, hub and notifier for all supported platforms
-build-go-release:
+go-release:
     FROM ${work_image}
 
     FOR arch IN ${architectures}
@@ -178,14 +179,19 @@ build-go-release:
             RUN echo "Failed to extract GOOS for ${arch}"; exit 1
         END
 
-        BUILD +build-go --GOARCH="${GOARCH}" --GOOS="${GOOS}" --GOARM="${GOARM}"
+        BUILD +go-build --GOARCH="${GOARCH}" --GOOS="${GOOS}" --GOARM="${GOARM}"
     END
 
 # Builds all binaries from the cmds/ folder for linux/windows AMD64
 # Most utility binaries are never needed on other platforms.
-build-utils:
-    BUILD +build-go --CMDS="" --GOARCH=amd64 --GOOS=linux
-    BUILD +build-go --CMDS="" --GOARCH=amd64 --GOOS=windows
+go-build-utils:
+    BUILD +go-build --CMDS="" --GOARCH=amd64 --GOOS=linux
+    BUILD +go-build --CMDS="" --GOARCH=amd64 --GOOS=windows
+
+# All targets that should run in CI for go.
+go-ci:
+    BUILD +go-release
+    BUILD +go-test
 
 # Prepares the angular project by installing dependencies
 angular-deps:
@@ -361,7 +367,7 @@ tauri-src:
     # Explicitly cache here.
     SAVE IMAGE --cache-hint
 
-build-tauri:
+tauri-build:
     FROM +tauri-src
 
     ARG --required target
@@ -383,7 +389,7 @@ build-tauri:
     # the app. Make sure we copy portmaster-start and portmaster-core in all architectures supported.
     # See documentation for externalBins for more information on how tauri searches for the binaries.
 
-    COPY (+build-go/output --GOOS="${GOOS}" --CMDS="portmaster-start portmaster-core" --GOARCH="${GOARCH}" --GOARM="${GOARM}") /tmp/gobuild
+    COPY (+go-build/output --GOOS="${GOOS}" --CMDS="portmaster-start portmaster-core" --GOARCH="${GOARCH}" --GOARM="${GOARM}") /tmp/gobuild
 
     # Place them in the correct folder with the rust target tripple attached.
     FOR bin IN $(ls /tmp/gobuild)
@@ -445,11 +451,11 @@ tauri-release:
     ARG bundle="none"
 
     FOR arch IN ${architectures}
-        BUILD +build-tauri --target="${arch}" --bundle="${bundle}"
+        BUILD +tauri-build --target="${arch}" --bundle="${bundle}"
     END
 
-build-all:
-    BUILD +build-go-release
+build:
+    BUILD +go-release
     BUILD +angular-release
     BUILD +tauri-release
 
@@ -493,14 +499,17 @@ RUST_TO_GO_ARCH_STRING:
     LET goos=""
     IF [ -z "${rustTarget##*linux*}" ]
         SET goos="linux"
-    ELSE
+    ELSE IF [ -z "${rustTarget##*windows*}" ]
         SET goos="windows"
+    ELSE IF [ -z "${rustTarget##*darwin*}" ]
+        SET goos="darwin"
+    ELSE
+        RUN echo "GOOS not detected"; \
+            exit 1;
     END
 
-
     LET goarch=""
     LET goarm=""
-
     IF [ -z "${rustTarget##*x86_64*}" ]
         SET goarch="amd64"
     ELSE IF [ -z "${rustTarget##*arm*}" ]

desktop/angular/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "portmaster",
-  "version": "0.8.3",
+  "version": "0.8.5",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "portmaster",
-      "version": "0.8.3",
+      "version": "0.8.5",
       "dependencies": {
         "@angular/animations": "^16.0.1",
         "@angular/cdk": "^16.0.1",

desktop/angular/package.json

@@ -1,6 +1,6 @@
 {
   "name": "portmaster",
-  "version": "0.8.3",
+  "version": "0.8.5",
   "scripts": {
     "ng": "ng",
     "start": "npm install && npm run build-libs:dev && ng serve --proxy-config ./proxy.json",

desktop/angular/projects/safing/portmaster-api/src/lib/app-profile.types.ts

@@ -50,7 +50,7 @@ export interface TagDescription {
 }
 
 export interface Icon {
-  Type: 'database' | 'path' | 'api';
+  Type: '' | 'database' | 'path' | 'api';
   Source: '' | 'user' | 'import' | 'core' | 'ui';
   Value: string;
 }

desktop/angular/src/app/shared/app-icon/app-icon.ts

@@ -1,4 +1,3 @@
-import { Min } from './../../../../dist-lib/safing/portmaster-api/lib/netquery.service.d';
 import {
   ChangeDetectionStrategy,
   ChangeDetectorRef,
@@ -19,10 +18,10 @@ import {
   Record,
   deepClone,
 } from '@safing/portmaster-api';
-import { Subscription, map, of, throwError } from 'rxjs';
-import { catchError, switchMap } from 'rxjs/operators';
-import { INTEGRATION_SERVICE, ProcessInfo } from 'src/app/integration';
+import { Subscription, map, of } from 'rxjs';
+import { switchMap } from 'rxjs/operators';
 import { AppIconResolver } from './app-icon-resolver';
+import { AppProfile } from 'projects/safing/portmaster-api/src/public-api';
 
 // Interface that must be satisfied for the profile-input
 // of app-icon.
@@ -40,7 +39,7 @@ export interface IDandName {
 // Some icons we don't want to show on the UI.
 // Note that this works on a best effort basis and might
 // start breaking with updates to the built-in icons...
-const iconsToIngore = [
+const iconBlobsToIgnore = [
   'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAABU0lEQVRYhe2WTUrEQBCF36i4ctm4FsdTKF5AEFxL0knuILgQXAy4ELxDfgTXguAFRG/hDXKCAbtcOB3aSVenMjPRTb5NvdCE97oq3QQYGflnJlbc3T/QXxrfXF9NAGBraKPTk2Nvtey4D1l8OUiIo8ODX/Xt/cMfQCk1SAAi8upWgLquWy8rpbB7+yk2m8+mYvNWAAB4fnlt9MX5WaP397ZhCPgygCFa1IUmwJifCgB5nrMBtdbhAK6pi9QcALIs8+5c1AEOqTmwZge4EUjNiQhpmjbarcvaG4AbgcTcUhSFfwFAHMfhABxScwBIkgRA9wnwBgiOQGBORCjLkl2PoigcgB2BwNzifmi97wEOqTkRoaoqdr2zA9wIJOYWrTW785VPQR+WO2B3vdYIpBBRc9Qkp2Cw/4GVR+BjPpt23u19tUXUgU2aBzuQPz5J8oyMjGyUb9+FOUOmulVPAAAAAElFTkSuQmCC',
   'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAYAAACqaXHeAAACLElEQVR4nO2av07DMBDGP1DFxtaFmbeg6gtUqtQZtU3yDkgMSAxIDEi8Q/8gMVdC4m1YYO0TMNQspErdOG3Md25c7rc0st3E353v7EsLKIqiKIqiKMq/5MRueHx6NoeYSCjubm82NJ8eaiISdDtX6HauKq9tWsFmF4DPr6+d1zalBshG18RpNYfJy+tW21GFgA+lK6DdboeeBwVjyvO3qx1wGGC5XO71wCYZykc8QEqCZ/cfjNs4+X64rOz3FQ/sMMDi7R2Dfg+Lt/eN9kG/tzX24rwFA8AYYGXM+nr9aQADs9mG37FWW3HsqqBhMpnsFFRGkiTOvkoD5ELLBNtIiLcdmGXZ5jP/4Pkc2i4gIb5KRl3xrnbaQSiEeN8QGI/Hzj5aDgjh+SzLaJ7P4eWAiJZ9EVoIhBA/nU695uYdAnUI4fk0TUvbXeP3gZcDhMS7CLIL1DsHyIv3DYHRaOTs44YAZD2fpik9EfIOQohn2Rch5wBZ8bPZzOObfwiBurWAtOftoqaO511jaSEgJd4FQzwgmAQlxPuGwHA4dPbJ1QICnk+ShOb5HJlaoOHLvgi/FhAUP5/P9xpbteRtyDlA1vN2UVPH8+K7gJR45/MI4gHyK7HYxANsA7BuVvkcnniAXAtIwxYPRPTboIR4IBIDMMSL7wIhYZbF0RmgsS9EQtDY1+L5r7esCUrGvA3xHBCfeIBkgBjEi+0CMYsHHDmg7N9UiqIoiqIoiqIcFT++NKIXgDvowAAAAABJRU5ErkJggg==',
   'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACgAAAAoCAYAAACM/rhtAAABqUlEQVRYhe2XP2rDMBSHfymhU0dDD5BbJOQCgUDmEv+7Q6FDoUOgQ6F3cJxC50Agt+nSrD5BBr8OqVyrtfWkl8ShoG+SjJE+/95DwoDH4/nf9NTg+eWVLinym8eH+x4AXF1i8/FoiPFoaBwr+p3bAfjc7dixQhNMw7szatmTvb1XY00wCILOZYjIONcEi6JoXSgIAlw/fYhF9ouBsxzQ0IPrzRaz6QTrzbZ6NptOqvHtTR8EQklAWQIl4WdOQEkEqsaHefm9b5Zl7IfEcWwWVDJ1Ke0rHeXqmaRpeljDIrlWQQ5XufreNglGUWQW5EoslQOAJEm0uagHuRJL5YgIy+Wycc06bIIcEjmFStCUnPGYASxKLJQDYJVgGIZmQZsSS+SAv0eIKblWQQ6pHBEhz3N2fTZBrsQSOYVK0JQc24N2JXaXA2CV4Hw+NwtySOUA/QixvU1kPSiQIyKsViv2vaMTlMgpoihik2N7kEMqB6AxwXpiVlfduSAi7Qix7cGL/DS5XHWdC7rIAY4l3i8GTk1+zLsKpwS7lnMS7ErOeMzU/0c9Ho/nNHwBdUH2gB9vJRsAAAAASUVORK5CYII=',
@@ -48,6 +47,15 @@ const iconsToIngore = [
   'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAByUlEQVRYhe1WQUoDQRCs2UTwEBS8R//gwU+I4DFXX2AENRgQEcGr8RFCHuPRFxgPnkQ0F9Ht9rAzsz0zO8luTFzB1GHDZENXdVX3EGCJ/w7VO+3eJKrZrYOc+GuQ/Ab57t5+4Weiml111jvmy6vrRWsoxMV5H0ktzAJNeRgOhxiPxwCAVquFTqcDANi5e8bTewqAwQzoB8BwvxPn9loD9webE+sGAuQLidHbpy0OBpg5e8GsxRhNpH8HjF5pat1AQBREBV2yIwrM+mgEcanSpSJgyjoN7JekDDDrrtk+JtYNBMSs4jT18jadSydycbnQyXUDATEYB2xRMwfCbmX5dVyYZwRpaomd/MUwknTBy//HEZjq7LjgzQS0U0ap0DCHCMgOnPLXECyIEbozBZW2AGBQgf0sZsM5VxUQj4CyFbMbaIZSv5eDV6H7QEAMZghtZ8RahEuWRaWFzCIgHgF5q+YNonDEnY+KAqIXkZ4BsiKKtiEXMvM9EIXegnzfxVXMDAUlruFFbEFKTubGZmVsB3lxlOIOBcQiaK+v4PHlQxPlXZK/DQJbG6vVBcTw0N8uVWwW1P6XTPVOjgZJ0jisg5yIb+vgXeJv4RvrxrtwzfCUqAAAAABJRU5ErkJggg==',
   'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAADo0lEQVRYhe2Wu28cVRTGf+fcuzZeY0NCUqTgD3C8mzRU0KDQEgmqoBSGhoKWAlFEKYyQAAkrTRRqOpCQkOhAkUCio4D4IYSAzkkKB+wQbLy7c8+hmNmd2WecDQoFfNJodGfn7vc4Z84M/I9/GfLeB1cutdqH7zxSUli9fOntd4EsmrVXL1xcodVqAf6PEl37+AveWDk/dP78s08vA1eBvSgSDnd3bs49DJGKICIg+dod3J3XXn6Ogz9+49WXnu07F1gA9mOWJRqNBrNRcJ8mAQF8ZHYyuBYhI/DlV9cBAqARnBAj2agdjwARoBaETnK+/eY7NMwfaaPZPueefwaA73+4MfKeM80GAC+8+QkA19cukCQOC+ga1zDPR1//jIgjWhzBEQWNBupoNESdldNn2dm5w/FjT/SIpkEcvLAwX0PUQRwNXQGOBCvXoVpxZ31jc2ICEwWY+1y19AvzEQr3GgAtiLUUo8F690tB5DhC3sgiw800f2p/fAJ/tTtoyMOo1yOqnscdnINOIqNDO+vQbrdwMTRWEnBhfXNyAvOn9qmfOBgvwKxwC9TnAskTN3f32PnzHi1robEbv6HFUVGQJ+AOIvkQgL4U6icOqC9OSKCKu4cH/HT7Nh3P0GiEWkEcc+LBEhylB+qL+ywe+328gGrFNre3kWiE6EjsOi5EqPVS6EGEZrOJW0JVR5KMIy8TqCjQmlUcl7GLlvGrlgLcYWNzY2ICk1CUoFSgtdRPHAwtYteQeimUCuDsmebEMX7l3Pv3E1BCY+lUgqNaFZJ663ID3Fh/6ARKhFrqNVq15lVy1dRP1FjGRaZ6lQwnEKqkw+Si/QLMATwnHxhA7o65k2UJM0NwanOP30dATAPkhmjlmuYiuhCcja0fR7prNhqA4W5Fjwz3ydBTEGLZaKoV99p13y8AnGZjeeT4dfd8LrnnCYyoUQTQQsGtW7/y+tPnR7oZxPb2LywvncRd2dzaGnnP6aUlzBLJvKt1tIAsObUAF195kZ2dO0cSsLx0EgAz6yWQO3aSGeZOJ8swS5gNj+c+AeYwE4QgxlPHF6nNzkBKpGQ4EGMAnSksOGCA41nisJP/eTfuVIjAHQRCCITiPaPjBAC0kwMKMkvW7vuJTgZQffSkOBRCLqeL0cN4PKLA6trah2/FGB97wL05oSohKCEEzMBSRkpp4gf+3d3dq+SOTIAZ4Enyz+QwjYgpkIB7wF6RIxGo8eAJTgsDOpB/jP+38TcKdstukjAxWQAAAABJRU5ErkJggg==',
 ];
+const iconIDsToIgnore = [
+  "a27898ddfa4e0481b62c69faa196919a738fcade",
+	"5a3eea8bcd08b9336ce9c5083f26185164268ee9",
+	"573393d6ad238d255b20dc1c1b303c95debe6965",
+	"d459b2cb23c27cc31ccab5025533048d5d8301bf",
+	"d35a0d91ebfda81df5286f68ec5ddb1d6ad6b850",
+	"cc33187385498384f1b648e23be5ef1a2e9f5f71",
+];
+
 
 const profilesToIgnore = ['local/_unidentified', 'local/_unsolicited'];
 
@@ -86,7 +94,7 @@ export class AppIconComponent implements OnInit, OnDestroy {
     this._profile = p || null;
 
     if (this.initDone) {
-      this.updateView();
+      this.updateView(true);
     }
   }
   get profile(): IDandName | null | undefined {
@@ -98,11 +106,11 @@ export class AppIconComponent implements OnInit, OnDestroy {
   isIgnoredProfile = false;
 
   /** If not icon is available, this holds the first - uppercased - letter of the app - name */
-  letter: string = '';
+  letter = '';
 
   /** @private The background color of the component, based on icon availability and generated by ID */
   @HostBinding('style.background-color')
-  color: string = 'var(--text-tertiary)';
+  color = 'var(--text-tertiary)';
 
   constructor(
     private profileService: AppProfileService,
@@ -125,7 +133,7 @@ export class AppIconComponent implements OnInit, OnDestroy {
     }
 
     this.requestedAnimationFrame = requestAnimationFrame(() => {
-      this.__updateView();
+      this.__updateView(skipIcon);
     })
   }
 
@@ -158,7 +166,7 @@ export class AppIconComponent implements OnInit, OnDestroy {
       }
 
       if (!skipIcon) {
-        this.tryGetSystemIcon(p);
+        this.tryGetSystemIcon();
       }
 
     } else {
@@ -195,7 +203,7 @@ export class AppIconComponent implements OnInit, OnDestroy {
       return null;
     }
 
-    let id = this.profile.ID;
+    const id = this.profile.ID;
     if (!id) {
       return null;
     }
@@ -206,7 +214,7 @@ export class AppIconComponent implements OnInit, OnDestroy {
     }
 
     // otherwise, ID likely contains the source
-    let [source, ...rest] = id.split('/');
+    const [source, ...rest] = id.split('/');
     if (rest.length > 0) {
       return [source, rest.join('/')];
     }
@@ -220,7 +228,7 @@ export class AppIconComponent implements OnInit, OnDestroy {
    * Tries to get the application icon form the system.
    * Requires the app to be running in the electron wrapper.
    */
-  private tryGetSystemIcon(p: IDandName) {
+  private tryGetSystemIcon() {
     const sourceAndId = this.getIDAndSource();
     if (sourceAndId === null) {
       return;
@@ -231,7 +239,7 @@ export class AppIconComponent implements OnInit, OnDestroy {
     this.sub = this.profileService
       .watchAppProfile(sourceAndId[0], sourceAndId[1])
       .pipe(
-        switchMap((profile) => {
+        switchMap((profile: AppProfile) => {
           this.updateLetter(profile);
 
           if (!!profile.Icons?.length) {
@@ -252,6 +260,14 @@ export class AppIconComponent implements OnInit, OnDestroy {
               case 'api':
                 return of(`${this.httpAPI}/v1/profile/icon/${firstIcon.Value}`);
 
+              case 'path':
+                // TODO: Silently ignore for now.
+                return of('');
+
+              case '':
+                // Icon is not set.
+                return of('');
+
               default:
                 console.error(`Icon type ${firstIcon.Type} not yet supported`);
             }
@@ -266,7 +282,13 @@ export class AppIconComponent implements OnInit, OnDestroy {
       )
       .subscribe({
         next: (icon) => {
-          if (iconsToIngore.some((i) => i === icon)) {
+          if (iconBlobsToIgnore.some((i) => i === icon)) {
+            icon = '';
+          } else if (iconIDsToIgnore.some((i) => icon.includes(i))) {
+            // TODO: This just checks if the value (blob, URL, etc.) contains
+            // the SHA1 sum of the icon, which is used in the URL of api icon types.
+            // This is very unlikely to have false positivies, but this could still
+            // be done a lot cleaner.
             icon = '';
           }
           if (icon !== '') {

service/firewall/packet_handler.go

@@ -111,12 +111,17 @@ func resetAllConnectionVerdicts() {
 func resetConnectionVerdict(ctx context.Context, conn *network.Connection) (verdictChanged bool) {
 	tracer := log.Tracer(ctx)
 
-	// Remove any active prompt as we settings are being re-evaluated.
+	// Remove any active prompt as the settings are being re-evaluated.
 	conn.RemovePrompt()
 
 	conn.Lock()
 	defer conn.Unlock()
 
+	// Do not re-evaluate connection that have already ended.
+	if conn.Ended > 0 {
+		return false
+	}
+
 	// Update feature flags.
 	if err := conn.UpdateFeatures(); err != nil && !errors.Is(err, access.ErrNotLoggedIn) {
 		tracer.Warningf("filter: failed to update connection feature flags: %s", err)

service/profile/api.go

@@ -100,7 +100,12 @@ func handleGetProfileIcon(ar *api.Request) (data []byte, err error) {
 
 	// Get profile icon.
 	data, err = binmeta.GetProfileIcon(name)
-	if err != nil {
+	switch {
+	case err == nil:
+		// Continue
+	case errors.Is(err, binmeta.ErrIconIgnored):
+		return nil, api.ErrorWithStatus(err, http.StatusNotFound)
+	default:
 		return nil, err
 	}
 

service/profile/binmeta/icons.go

@@ -19,6 +19,9 @@ import (
 // Must not be changed once set.
 var ProfileIconStoragePath = ""
 
+// ErrIconIgnored is returned when the icon should be ignored.
+var ErrIconIgnored = errors.New("icon is ignored")
+
 // GetProfileIcon returns the profile icon with the given ID and extension.
 func GetProfileIcon(name string) (data []byte, err error) {
 	// Check if enabled.
@@ -26,6 +29,11 @@ func GetProfileIcon(name string) (data []byte, err error) {
 		return nil, errors.New("api icon storage not configured")
 	}
 
+	// Check if icon should be ignored.
+	if IgnoreIcon(name) {
+		return nil, ErrIconIgnored
+	}
+
 	// Build storage path.
 	iconPath := filepath.Clean(
 		filepath.Join(ProfileIconStoragePath, name),
@@ -59,6 +67,11 @@ func UpdateProfileIcon(data []byte, ext string) (filename string, err error) {
 	}
 	sum := hex.EncodeToString(h.Sum(nil))
 
+	// Check if icon should be ignored.
+	if IgnoreIcon(sum) {
+		return "", ErrIconIgnored
+	}
+
 	// Check ext.
 	ext = strings.ToLower(ext)
 	switch ext {

service/profile/binmeta/ignore.go

@@ -0,0 +1,30 @@
+package binmeta
+
+import (
+	"strings"
+)
+
+var ignoreIcons = map[string]struct{}{
+	// Windows Default Icons.
+	"a27898ddfa4e0481b62c69faa196919a738fcade": {},
+	"5a3eea8bcd08b9336ce9c5083f26185164268ee9": {},
+	"573393d6ad238d255b20dc1c1b303c95debe6965": {},
+	"d459b2cb23c27cc31ccab5025533048d5d8301bf": {},
+	"d35a0d91ebfda81df5286f68ec5ddb1d6ad6b850": {},
+	"cc33187385498384f1b648e23be5ef1a2e9f5f71": {},
+}
+
+// IgnoreIcon returns whether an icon should be ignored or not.
+func IgnoreIcon(name string) bool {
+	// Make lower case.
+	name = strings.ToLower(name)
+	// Remove extension.
+	extIndex := strings.Index(name, ".")
+	if extIndex > 0 {
+		name = name[:extIndex]
+	}
+
+	// Check if ID is in list.
+	_, found := ignoreIcons[name]
+	return found
+}

service/profile/profile.go

@@ -515,7 +515,13 @@ func (profile *Profile) updateMetadataFromSystem(ctx context.Context, md Matchin
 
 	// Get binary icon and name.
 	newIcon, newName, err := binmeta.GetIconAndName(ctx, profile.PresentationPath, home)
-	if err != nil {
+	switch {
+	case err == nil:
+		// Continue
+	case errors.Is(err, binmeta.ErrIconIgnored):
+		newIcon = nil
+		// Continue
+	default:
 		log.Warningf("profile: failed to get binary icon/name for %s: %s", profile.PresentationPath, err)
 	}