Implement review suggestions

Daniel 2020-04-20 13:57:07 +02:00
parent 033dceab5b
commit a33808685c
15 changed files with 90 additions and 61 deletions


@ -233,7 +233,7 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
if ps.isMe { if ps.isMe {
// approve // approve
conn.Accept("internally approved") conn.Accept("internally approved")
conn.Hidden = true conn.Internal = true
// finish // finish
conn.StopFirewallHandler() conn.StopFirewallHandler()
issueVerdict(conn, pkt, 0, true) issueVerdict(conn, pkt, 0, true)


@ -50,7 +50,7 @@ func DecideOnConnection(conn *network.Connection, pkt packet.Packet) { //nolint:
if conn.Process().Pid == os.Getpid() { if conn.Process().Pid == os.Getpid() {
log.Infof("filter: granting own connection %s", conn) log.Infof("filter: granting own connection %s", conn)
conn.Verdict = network.VerdictAccept conn.Verdict = network.VerdictAccept
conn.Hidden = true conn.Internal = true
return return
} }
@ -76,7 +76,7 @@ func DecideOnConnection(conn *network.Connection, pkt packet.Packet) { //nolint:
log.Warningf("filter: failed to find load local peer process with PID %d: %s", otherPid, err) log.Warningf("filter: failed to find load local peer process with PID %d: %s", otherPid, err)
} else if otherProcess.Pid == conn.Process().Pid { } else if otherProcess.Pid == conn.Process().Pid {
conn.Accept("connection to self") conn.Accept("connection to self")
conn.Hidden = true conn.Internal = true
return return
} }
} }
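Review bot: The `connection to self` branch accepts and hides a loopback connection even when neither end could be attributed, because `otherProcess.Pid == conn.Process().Pid` also holds when both sides are `process.UnidentifiedProcessID` and `GetOrFindProcess` maps that ID to the shared unidentified process. If `otherPid` comes from a lookup that yields the unidentified ID with a nil error on a miss (the lookup sits above this hunk and is not visible here), an unattributed local connection would be auto-approved and marked Internal, i.e. filtered out of the UI. Exclude the sentinel explicitly: `} else if otherProcess.Pid == conn.Process().Pid && otherProcess.Pid != process.UnidentifiedProcessID {`. DecideOnConnection starts and ends outside the hunk.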


@ -41,7 +41,7 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
VerdictPermanent bool VerdictPermanent bool
Inspecting bool Inspecting bool
Encrypted bool // TODO Encrypted bool // TODO
Hidden bool Internal bool // Portmaster internal connections are marked in order to easily filter these out in the UI
pktQueue chan packet.Packet pktQueue chan packet.Packet
firewallHandler FirewallHandler firewallHandler FirewallHandler
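Review bot: The new comment on `Internal` only describes the UI use, but every site that sets it in this commit does so together with an automatic accept (own process, connection to self), so filtering these out also hides auto-approved traffic from the user. Suggest the comment states that contract, e.g. `Internal bool // set on connections Portmaster accepts on its own behalf (own process, connection to self); these bypass the normal verdict path and are filtered out in the UI`. The struct continues outside the hunk.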


@ -5,6 +5,8 @@ import (
"strconv" "strconv"
"sync" "sync"
"time" "time"
"github.com/safing/portmaster/process"
) )
var ( var (
@ -16,6 +18,9 @@ var (
// duration after which DNS requests without a following connection are logged // duration after which DNS requests without a following connection are logged
openDNSRequestLimit = 3 * time.Second openDNSRequestLimit = 3 * time.Second
// scope prefix
unidentifiedProcessScopePrefix = strconv.Itoa(process.UnidentifiedProcessID) + "/"
) )
func removeOpenDNSRequest(pid int, fqdn string) { func removeOpenDNSRequest(pid int, fqdn string) {
@ -26,12 +31,9 @@ func removeOpenDNSRequest(pid int, fqdn string) {
_, ok := openDNSRequests[key] _, ok := openDNSRequests[key]
if ok { if ok {
delete(openDNSRequests, key) delete(openDNSRequests, key)
return } else if pid != process.UnidentifiedProcessID {
} // check if there is an open dns request from an unidentified process
delete(openDNSRequests, unidentifiedProcessScopePrefix+fqdn)
// check if there is an open dns request from an unidentified process
if pid >= 0 {
delete(openDNSRequests, "-1/"+fqdn)
} }
} }
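Review bot: The fallback key is built here as `unidentifiedProcessScopePrefix + fqdn`, while `key` for the primary lookup is assembled a few lines above the hunk in code this hunk does not show; the two formats must stay identical or the fallback delete never hits. A single helper removes that coupling, e.g. `func openDNSRequestKey(pid int, fqdn string) string { return strconv.Itoa(pid) + "/" + fqdn }` used for both the lookup and the fallback — assuming the key really is `<pid>/<fqdn>`, which the old literal `"-1/"+fqdn` suggests. removeOpenDNSRequest starts outside the hunk.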


@ -53,16 +53,13 @@ func (p *Process) Save() {
p.Lock() p.Lock()
defer p.Unlock() defer p.Unlock()
p.UpdateMeta()
if !p.KeyIsSet() { if !p.KeyIsSet() {
// set key
p.SetKey(fmt.Sprintf("%s/%d", processDatabaseNamespace, p.Pid)) p.SetKey(fmt.Sprintf("%s/%d", processDatabaseNamespace, p.Pid))
p.CreateMeta()
}
processesLock.RLock() // save
_, ok := processes[p.Pid]
processesLock.RUnlock()
if !ok {
processesLock.Lock() processesLock.Lock()
processes[p.Pid] = p processes[p.Pid] = p
processesLock.Unlock() processesLock.Unlock()
@ -113,7 +110,9 @@ func CleanProcessStorage(activePIDs map[int]struct{}) {
_, active := activePIDs[p.Pid] _, active := activePIDs[p.Pid]
switch { switch {
case p.Pid <= 0: case p.Pid == UnidentifiedProcessID:
// internal
case p.Pid == SystemProcessID:
// internal // internal
case active: case active:
// process in system process table or recently seen on the network // process in system process table or recently seen on the network
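Review bot: `Save` now unconditionally writes `processes[p.Pid] = p`, whereas the removed code only inserted when no entry existed; if two `*Process` values for the same PID ever coexist (a stale one still held by a caller and a freshly loaded one), the later `Save` silently replaces the map entry and the two copies diverge. If last-writer-wins is intended, say so above the lock: `// save: always replace; a newer load of the same PID supersedes an older one`; otherwise keep the existence check, but under the write lock: `if _, exists := processes[p.Pid]; !exists { processes[p.Pid] = p }`. Save begins outside the hunk, as does CleanProcessStorage.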


@ -49,7 +49,7 @@ func GetPidByPacket(pkt packet.Packet) (pid int, direction bool, err error) {
case pkt.Info().Protocol == packet.UDP && pkt.Info().Version == packet.IPv6: case pkt.Info().Protocol == packet.UDP && pkt.Info().Version == packet.IPv6:
return getUDP6PacketInfo(localIP, localPort, remoteIP, remotePort, pkt.IsInbound()) return getUDP6PacketInfo(localIP, localPort, remoteIP, remotePort, pkt.IsInbound())
default: default:
return -1, false, errors.New("unsupported protocol for finding process") return UnidentifiedProcessID, false, errors.New("unsupported protocol for finding process")
} }
} }
@ -107,7 +107,7 @@ func GetPidByEndpoints(localIP net.IP, localPort uint16, remoteIP net.IP, remote
case protocol == packet.UDP && ipVersion == packet.IPv6: case protocol == packet.UDP && ipVersion == packet.IPv6:
return getUDP6PacketInfo(localIP, localPort, remoteIP, remotePort, false) return getUDP6PacketInfo(localIP, localPort, remoteIP, remotePort, false)
default: default:
return -1, false, errors.New("unsupported protocol for finding process") return UnidentifiedProcessID, false, errors.New("unsupported protocol for finding process")
} }
} }


@ -9,6 +9,10 @@ import (
"time" "time"
) )
const (
unidentifiedProcessID = -1
)
var ( var (
tcp4Connections []*ConnectionEntry tcp4Connections []*ConnectionEntry
tcp4Listeners []*ConnectionEntry tcp4Listeners []*ConnectionEntry
@ -55,7 +59,7 @@ func GetTCP4PacketInfo(localIP net.IP, localPort uint16, remoteIP net.IP, remote
} }
lock.Unlock() lock.Unlock()
if err != nil { if err != nil {
return -1, pktDirection, err return unidentifiedProcessID, pktDirection, err
} }
// search // search
@ -67,7 +71,7 @@ func GetTCP4PacketInfo(localIP net.IP, localPort uint16, remoteIP net.IP, remote
time.Sleep(waitTime) time.Sleep(waitTime)
} }
return -1, pktDirection, nil return unidentifiedProcessID, pktDirection, nil
} }
// GetTCP6PacketInfo returns the pid of the given IPv6/TCP connection. // GetTCP6PacketInfo returns the pid of the given IPv6/TCP connection.
@ -91,7 +95,7 @@ func GetTCP6PacketInfo(localIP net.IP, localPort uint16, remoteIP net.IP, remote
} }
lock.Unlock() lock.Unlock()
if err != nil { if err != nil {
return -1, pktDirection, err return unidentifiedProcessID, pktDirection, err
} }
// search // search
@ -103,7 +107,7 @@ func GetTCP6PacketInfo(localIP net.IP, localPort uint16, remoteIP net.IP, remote
time.Sleep(waitTime) time.Sleep(waitTime)
} }
return -1, pktDirection, nil return unidentifiedProcessID, pktDirection, nil
} }
// GetUDP4PacketInfo returns the pid of the given IPv4/UDP connection. // GetUDP4PacketInfo returns the pid of the given IPv4/UDP connection.
@ -127,7 +131,7 @@ func GetUDP4PacketInfo(localIP net.IP, localPort uint16, remoteIP net.IP, remote
} }
lock.Unlock() lock.Unlock()
if err != nil { if err != nil {
return -1, pktDirection, err return unidentifiedProcessID, pktDirection, err
} }
// search // search
@ -139,7 +143,7 @@ func GetUDP4PacketInfo(localIP net.IP, localPort uint16, remoteIP net.IP, remote
time.Sleep(waitTime) time.Sleep(waitTime)
} }
return -1, pktDirection, nil return unidentifiedProcessID, pktDirection, nil
} }
// GetUDP6PacketInfo returns the pid of the given IPv6/UDP connection. // GetUDP6PacketInfo returns the pid of the given IPv6/UDP connection.
@ -163,7 +167,7 @@ func GetUDP6PacketInfo(localIP net.IP, localPort uint16, remoteIP net.IP, remote
} }
lock.Unlock() lock.Unlock()
if err != nil { if err != nil {
return -1, pktDirection, err return unidentifiedProcessID, pktDirection, err
} }
// search // search
@ -175,7 +179,7 @@ func GetUDP6PacketInfo(localIP net.IP, localPort uint16, remoteIP net.IP, remote
time.Sleep(waitTime) time.Sleep(waitTime)
} }
return -1, pktDirection, nil return unidentifiedProcessID, pktDirection, nil
} }
func search(connections, listeners []*ConnectionEntry, localIP, remoteIP net.IP, localPort, remotePort uint16, pktDirection bool) (pid int, direction bool) { //nolint:unparam // TODO: use direction, it may not be used because results caused problems, investigate. func search(connections, listeners []*ConnectionEntry, localIP, remoteIP net.IP, localPort, remotePort uint16, pktDirection bool) (pid int, direction bool) { //nolint:unparam // TODO: use direction, it may not be used because results caused problems, investigate.
@ -204,7 +208,7 @@ func search(connections, listeners []*ConnectionEntry, localIP, remoteIP net.IP,
} }
} }
return -1, pktDirection return unidentifiedProcessID, pktDirection
} }
func searchConnections(list []*ConnectionEntry, localIP, remoteIP net.IP, localPort, remotePort uint16) (pid int) { func searchConnections(list []*ConnectionEntry, localIP, remoteIP net.IP, localPort, remotePort uint16) (pid int) {
@ -218,7 +222,7 @@ func searchConnections(list []*ConnectionEntry, localIP, remoteIP net.IP, localP
} }
} }
return -1 return unidentifiedProcessID
} }
func searchListeners(list []*ConnectionEntry, localIP net.IP, localPort uint16) (pid int) { func searchListeners(list []*ConnectionEntry, localIP net.IP, localPort uint16) (pid int) {
@ -231,7 +235,7 @@ func searchListeners(list []*ConnectionEntry, localIP net.IP, localPort uint16)
} }
} }
return -1 return unidentifiedProcessID
} }
// GetActiveConnectionIDs returns all currently active connection IDs. // GetActiveConnectionIDs returns all currently active connection IDs.
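Review bot: The `unidentifiedProcessID = -1` introduced at the top of this file is a private copy of `process.UnidentifiedProcessID` that this same commit defines, and a second private copy appears in another package in the commit; the three values are only coincidentally in sync. If the duplication is there to avoid importing `process` (an import cycle, presumably), record that next to the constant: `// unidentifiedProcessID mirrors process.UnidentifiedProcessID; duplicated to avoid importing the process package — keep in sync.` The search functions changed below all start and end outside their hunks.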


@ -33,7 +33,7 @@ func GetPidOfConnection(localIP net.IP, localPort uint16, protocol uint8) (pid i
} }
} }
if !ok { if !ok {
return -1, NoSocket return unidentifiedProcessID, NoSocket
} }
} }
@ -45,7 +45,7 @@ func GetPidOfConnection(localIP net.IP, localPort uint16, protocol uint8) (pid i
pid, ok = GetPidOfInode(uid, inode) pid, ok = GetPidOfInode(uid, inode)
} }
if !ok { if !ok {
return -1, NoProcess return unidentifiedProcessID, NoProcess
} }
return return
@ -64,7 +64,7 @@ func GetPidOfIncomingConnection(localIP net.IP, localPort uint16, protocol uint8
} }
if !ok { if !ok {
return -1, NoSocket return unidentifiedProcessID, NoSocket
} }
} }
@ -76,7 +76,7 @@ func GetPidOfIncomingConnection(localIP net.IP, localPort uint16, protocol uint8
pid, ok = GetPidOfInode(uid, inode) pid, ok = GetPidOfInode(uid, inode)
} }
if !ok { if !ok {
return -1, NoProcess return unidentifiedProcessID, NoProcess
} }
return return


@ -7,6 +7,10 @@ import (
"net" "net"
) )
const (
unidentifiedProcessID = -1
)
// GetTCP4PacketInfo searches the network state tables for a TCP4 connection // GetTCP4PacketInfo searches the network state tables for a TCP4 connection
func GetTCP4PacketInfo(localIP net.IP, localPort uint16, remoteIP net.IP, remotePort uint16, pktDirection bool) (pid int, direction bool, err error) { func GetTCP4PacketInfo(localIP net.IP, localPort uint16, remoteIP net.IP, remotePort uint16, pktDirection bool) (pid int, direction bool, err error) {
return search(TCP4, localIP, localPort, pktDirection) return search(TCP4, localIP, localPort, pktDirection)
@ -52,11 +56,11 @@ func search(protocol uint8, localIP net.IP, localPort uint16, pktDirection bool)
switch status { switch status {
case NoSocket: case NoSocket:
return -1, direction, errors.New("could not find socket") return unidentifiedProcessID, direction, errors.New("could not find socket")
case NoProcess: case NoProcess:
return -1, direction, errors.New("could not find PID") return unidentifiedProcessID, direction, errors.New("could not find PID")
default: default:
return -1, direction, nil return unidentifiedProcessID, direction, nil
} }
} }


@ -77,7 +77,7 @@ func GetPidOfInode(uid, inode int) (int, bool) { //nolint:gocognit // TODO
} }
} }
return -1, false return unidentifiedProcessID, false
} }
func findSocketFromPid(pid, inode int) bool { func findSocketFromPid(pid, inode int) bool {


@ -100,7 +100,7 @@ func getConnectionSocket(localIP net.IP, localPort uint16, protocol uint8) (int,
socketData, err := os.Open(procFile) socketData, err := os.Open(procFile)
if err != nil { if err != nil {
log.Warningf("process/proc: could not read %s: %s", procFile, err) log.Warningf("process/proc: could not read %s: %s", procFile, err)
return -1, -1, false return unidentifiedProcessID, unidentifiedProcessID, false
} }
defer socketData.Close() defer socketData.Close()
@ -146,7 +146,7 @@ func getConnectionSocket(localIP net.IP, localPort uint16, protocol uint8) (int,
} }
return -1, -1, false return unidentifiedProcessID, unidentifiedProcessID, false
} }
@ -187,7 +187,7 @@ func getListeningSocket(localIP net.IP, localPort uint16, protocol uint8) (uid,
return data[0], data[1], true return data[0], data[1], true
} }
return -1, -1, false return unidentifiedProcessID, unidentifiedProcessID, false
} }
func procDelimiter(c rune) bool { func procDelimiter(c rune) bool {


@ -75,10 +75,10 @@ func (p *Process) String() string {
func GetOrFindPrimaryProcess(ctx context.Context, pid int) (*Process, error) { func GetOrFindPrimaryProcess(ctx context.Context, pid int) (*Process, error) {
log.Tracer(ctx).Tracef("process: getting primary process for PID %d", pid) log.Tracer(ctx).Tracef("process: getting primary process for PID %d", pid)
if pid <= -1 { switch pid {
case UnidentifiedProcessID:
return GetUnidentifiedProcess(ctx), nil return GetUnidentifiedProcess(ctx), nil
} case SystemProcessID:
if pid == 0 {
return GetSystemProcess(ctx), nil return GetSystemProcess(ctx), nil
} }
@ -121,10 +121,10 @@ func GetOrFindPrimaryProcess(ctx context.Context, pid int) (*Process, error) {
func GetOrFindProcess(ctx context.Context, pid int) (*Process, error) { func GetOrFindProcess(ctx context.Context, pid int) (*Process, error) {
log.Tracer(ctx).Tracef("process: getting process for PID %d", pid) log.Tracer(ctx).Tracef("process: getting process for PID %d", pid)
if pid <= -1 { switch pid {
case UnidentifiedProcessID:
return GetUnidentifiedProcess(ctx), nil return GetUnidentifiedProcess(ctx), nil
} case SystemProcessID:
if pid == 0 {
return GetSystemProcess(ctx), nil return GetSystemProcess(ctx), nil
} }
@ -184,10 +184,11 @@ func deduplicateRequest(ctx context.Context, pid int) (finishRequest func()) {
} }
func loadProcess(ctx context.Context, pid int) (*Process, error) { func loadProcess(ctx context.Context, pid int) (*Process, error) {
if pid <= -1 {
switch pid {
case UnidentifiedProcessID:
return GetUnidentifiedProcess(ctx), nil return GetUnidentifiedProcess(ctx), nil
} case SystemProcessID:
if pid == 0 {
return GetSystemProcess(ctx), nil return GetSystemProcess(ctx), nil
} }
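Review bot: Replacing `pid <= -1` with `case UnidentifiedProcessID` in `GetOrFindPrimaryProcess`, `GetOrFindProcess` and `loadProcess` narrows the guard: a negative PID other than -1 used to resolve to the unidentified process and now falls through to the regular lookup path below the hunk. If no caller can produce such a value this is harmless, but a guard keeps a stray negative PID from being treated as a real process: `default:` followed by `if pid < 0 { return GetUnidentifiedProcess(ctx), nil }`. All three functions continue outside the hunk.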


@ -8,35 +8,52 @@ import (
"github.com/safing/portmaster/profile" "github.com/safing/portmaster/profile"
) )
// Special Process IDs
const (
UnidentifiedProcessID = -1
SystemProcessID = 0
)
var ( var (
// unidentifiedProcess is used when a process cannot be found. // unidentifiedProcess is used when a process cannot be found.
unidentifiedProcess = &Process{ unidentifiedProcess = &Process{
UserID: -1, UserID: UnidentifiedProcessID,
UserName: "Unknown", UserName: "Unknown",
Pid: -1, Pid: UnidentifiedProcessID,
ParentPid: -1, ParentPid: UnidentifiedProcessID,
Name: "Unidentified Processes", Name: "Unidentified Processes",
} }
// systemProcess is used to represent the Kernel. // systemProcess is used to represent the Kernel.
systemProcess = &Process{ systemProcess = &Process{
UserID: 0, UserID: SystemProcessID,
UserName: "Kernel", UserName: "Kernel",
Pid: 0, Pid: SystemProcessID,
ParentPid: 0, ParentPid: SystemProcessID,
Name: "Operating System", Name: "Operating System",
} }
) )
// GetUnidentifiedProcess returns the special process assigned to unidentified processes.
func GetUnidentifiedProcess(ctx context.Context) *Process { func GetUnidentifiedProcess(ctx context.Context) *Process {
return getSpecialProcess(ctx, unidentifiedProcess, profile.GetUnidentifiedProfile) return getSpecialProcess(ctx, UnidentifiedProcessID, unidentifiedProcess, profile.GetUnidentifiedProfile)
} }
// GetSystemProcess returns the special process used for the Kernel.
func GetSystemProcess(ctx context.Context) *Process { func GetSystemProcess(ctx context.Context) *Process {
return getSpecialProcess(ctx, systemProcess, profile.GetSystemProfile) return getSpecialProcess(ctx, SystemProcessID, systemProcess, profile.GetSystemProfile)
} }
func getSpecialProcess(ctx context.Context, p *Process, getProfile func() *profile.Profile) *Process { func getSpecialProcess(ctx context.Context, pid int, template *Process, getProfile func() *profile.Profile) *Process {
// check storage
p, ok := GetProcessFromStorage(pid)
if ok {
return p
}
// assign template
p = template
p.Lock() p.Lock()
defer p.Unlock() defer p.Unlock()
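Review bot: `UserID: UnidentifiedProcessID` and `UserID: SystemProcessID` populate a user ID from constants documented as `Special Process IDs`; the numbers match the old literals, but a later change to either PID constant would silently change the UID as well. Keep the UID literals (`UserID: -1`, `UserID: 0`) or add separate constants for them. Separately, `p = template` hands out the package-level singleton itself, so whatever the remainder of getSpecialProcess (outside the hunk) assigns lands on the shared value and, per the CleanProcessStorage cases in this commit, is never removed; a comment such as `// the singleton itself is stored and returned; CleanProcessStorage skips special PIDs` would make that explicit.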


@ -50,7 +50,7 @@ func markActiveProfileAsOutdated(scopedID string) {
} }
} }
func cleanActiveProfiles(ctx context.Context) error { //nolint:param // need to conform to interface func cleanActiveProfiles(ctx context.Context) error {
for { for {
select { select {
case <-time.After(activeProfileCleanerTickDuration): case <-time.After(activeProfileCleanerTickDuration):


@ -9,6 +9,7 @@ const (
systemProfileID = "_system" systemProfileID = "_system"
) )
// GetUnidentifiedProfile returns the special profile assigned to unidentified processes.
func GetUnidentifiedProfile() *Profile { func GetUnidentifiedProfile() *Profile {
// get profile // get profile
profile, err := GetProfile(SourceLocal, unidentifiedProfileID) profile, err := GetProfile(SourceLocal, unidentifiedProfileID)
@ -31,6 +32,7 @@ func GetUnidentifiedProfile() *Profile {
return profile return profile
} }
// GetSystemProfile returns the special profile used for the Kernel.
func GetSystemProfile() *Profile { func GetSystemProfile() *Profile {
// get profile // get profile
profile, err := GetProfile(SourceLocal, systemProfileID) profile, err := GetProfile(SourceLocal, systemProfileID)