vikarti.anatra/safing-portmaster
1
0
Fork 0
mirror of https://github.com/safing/portmaster synced 2025-09-02 18:49:14 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #143 from safing/fix/options

Browse source 
Update app profile icons. Switch to new portbase options
This commit is contained in:
Patrick Pacher 2020-09-16 08:49:23 +02:00 committed by GitHub
commit ae67bb553b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 416 additions and 255 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
core/config.go
View file

@ -30,11 +30,13 @@ func registerConfig() error {
Name: "Development Mode", Name: "Development Mode",
Key: CfgDevModeKey, Key: CfgDevModeKey,
Description: "In Development Mode security restrictions are lifted/softened to enable easier access to Portmaster for debugging and testing purposes.", Description: "In Development Mode security restrictions are lifted/softened to enable easier access to Portmaster for debugging and testing purposes.",
Order: 127,
OptType: config.OptTypeBool, OptType: config.OptTypeBool,
ExpertiseLevel: config.ExpertiseLevelDeveloper, ExpertiseLevel: config.ExpertiseLevelDeveloper,
ReleaseLevel: config.ReleaseLevelStable, ReleaseLevel: config.ReleaseLevelStable,
DefaultValue: defaultDevMode, DefaultValue: defaultDevMode,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: 127,
},
}) })
if err != nil { if err != nil {
return err return err
@ -44,11 +46,13 @@ func registerConfig() error {
Name: "Use System Notifications", Name: "Use System Notifications",
Key: CfgUseSystemNotificationsKey, Key: CfgUseSystemNotificationsKey,
Description: "Send notifications to your operating system's notification system. When this setting is turned off, notifications will only be visible in the Portmaster App. This affects both alerts from the Portmaster and questions from the Privacy Filter.", Description: "Send notifications to your operating system's notification system. When this setting is turned off, notifications will only be visible in the Portmaster App. This affects both alerts from the Portmaster and questions from the Privacy Filter.",
Order: 32,
OptType: config.OptTypeBool, OptType: config.OptTypeBool,
ExpertiseLevel: config.ExpertiseLevelUser, ExpertiseLevel: config.ExpertiseLevelUser,
ReleaseLevel: config.ReleaseLevelStable, ReleaseLevel: config.ReleaseLevelStable,
DefaultValue: true, // TODO: turn off by default on unsupported systems DefaultValue: true, // TODO: turn off by default on unsupported systems
Annotations: config.Annotations{
config.DisplayOrderAnnotation: 32,
},
}) })
if err != nil { if err != nil {
return err return err

19
firewall/config.go
View file

@ -11,14 +11,14 @@ var (
CfgOptionEnableFilterKey = "filter/enable" CfgOptionEnableFilterKey = "filter/enable"
CfgOptionAskWithSystemNotificationsKey = "filter/askWithSystemNotifications" CfgOptionAskWithSystemNotificationsKey = "filter/askWithSystemNotifications"
CfgOptionAskWithSystemNotificationsOrder = 2 cfgOptionAskWithSystemNotificationsOrder = 2
CfgOptionAskTimeoutKey = "filter/askTimeout" CfgOptionAskTimeoutKey = "filter/askTimeout"
CfgOptionAskTimeoutOrder = 3 cfgOptionAskTimeoutOrder = 3
askTimeout config.IntOption askTimeout config.IntOption
CfgOptionPermanentVerdictsKey = "filter/permanentVerdicts" CfgOptionPermanentVerdictsKey = "filter/permanentVerdicts"
CfgOptionPermanentVerdictsOrder = 128 cfgOptionPermanentVerdictsOrder = 128
permanentVerdicts config.BoolOption permanentVerdicts config.BoolOption
devMode config.BoolOption devMode config.BoolOption
@ -30,11 +30,13 @@ func registerConfig() error {
Name: "Permanent Verdicts", Name: "Permanent Verdicts",
Key: CfgOptionPermanentVerdictsKey, Key: CfgOptionPermanentVerdictsKey,
Description: "With permanent verdicts, control of a connection is fully handed back to the OS after the initial decision. This brings a great performance increase, but makes it impossible to change the decision of a link later on.", Description: "With permanent verdicts, control of a connection is fully handed back to the OS after the initial decision. This brings a great performance increase, but makes it impossible to change the decision of a link later on.",
Order: CfgOptionPermanentVerdictsOrder,
OptType: config.OptTypeBool, OptType: config.OptTypeBool,
ExpertiseLevel: config.ExpertiseLevelExpert, ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelExperimental, ReleaseLevel: config.ReleaseLevelExperimental,
DefaultValue: true, DefaultValue: true,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: cfgOptionPermanentVerdictsOrder,
},
}) })
if err != nil { if err != nil {
return err return err
@ -45,11 +47,13 @@ func registerConfig() error {
Name: "Ask with System Notifications", Name: "Ask with System Notifications",
Key: CfgOptionAskWithSystemNotificationsKey, Key: CfgOptionAskWithSystemNotificationsKey,
Description: `Ask about connections using your operating system's notification system. For this to be enabled, the setting "Use System Notifications" must enabled too. This only affects questions from the Privacy Filter, and does not affect alerts from the Portmaster.`, Description: `Ask about connections using your operating system's notification system. For this to be enabled, the setting "Use System Notifications" must enabled too. This only affects questions from the Privacy Filter, and does not affect alerts from the Portmaster.`,
Order: CfgOptionAskWithSystemNotificationsOrder,
OptType: config.OptTypeBool, OptType: config.OptTypeBool,
ExpertiseLevel: config.ExpertiseLevelUser, ExpertiseLevel: config.ExpertiseLevelUser,
ReleaseLevel: config.ReleaseLevelExperimental, ReleaseLevel: config.ReleaseLevelExperimental,
DefaultValue: true, DefaultValue: true,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: cfgOptionAskWithSystemNotificationsOrder,
},
}) })
if err != nil { if err != nil {
return err return err
@ -59,11 +63,14 @@ func registerConfig() error {
Name: "Timeout for Ask Notifications", Name: "Timeout for Ask Notifications",
Key: CfgOptionAskTimeoutKey, Key: CfgOptionAskTimeoutKey,
Description: "Amount of time (in seconds) how long the Portmaster will wait for a response when prompting about a connection via a notification. Please note that system notifications might not respect this or have it's own limits.", Description: "Amount of time (in seconds) how long the Portmaster will wait for a response when prompting about a connection via a notification. Please note that system notifications might not respect this or have it's own limits.",
Order: CfgOptionAskTimeoutOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelUser, ExpertiseLevel: config.ExpertiseLevelUser,
ReleaseLevel: config.ReleaseLevelExperimental, ReleaseLevel: config.ReleaseLevelExperimental,
DefaultValue: 60, DefaultValue: 60,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: cfgOptionAskTimeoutOrder,
config.UnitAnnotation: "seconds",
},
}) })
if err != nil { if err != nil {
return err return err

4
process/config.go
View file

@ -17,10 +17,12 @@ func registerConfiguration() error {
Name: "Enable Process Detection", Name: "Enable Process Detection",
Key: CfgOptionEnableProcessDetectionKey, Key: CfgOptionEnableProcessDetectionKey,
Description: "This option enables the attribution of network traffic to processes. This should be always enabled, and effectively disables app profiles if disabled.", Description: "This option enables the attribution of network traffic to processes. This should be always enabled, and effectively disables app profiles if disabled.",
Order: 144,
OptType: config.OptTypeBool, OptType: config.OptTypeBool,
ExpertiseLevel: config.ExpertiseLevelDeveloper, ExpertiseLevel: config.ExpertiseLevelDeveloper,
DefaultValue: true, DefaultValue: true,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: 144,
},
}) })
if err != nil { if err != nil {
return err return err

147
profile/config.go
View file

@ -2,6 +2,7 @@ package profile
import ( import (
"github.com/safing/portbase/config" "github.com/safing/portbase/config"
"github.com/safing/portmaster/profile/endpoints"
"github.com/safing/portmaster/status" "github.com/safing/portmaster/status"
) )
@ -96,12 +97,30 @@ func registerConfiguration() error {
Name: "Default Filter Action", Name: "Default Filter Action",
Key: CfgOptionDefaultActionKey, Key: CfgOptionDefaultActionKey,
Description: `The default filter action when nothing else permits or blocks a connection.`, Description: `The default filter action when nothing else permits or blocks a connection.`,
Order: cfgOptionDefaultActionOrder,
OptType: config.OptTypeString, OptType: config.OptTypeString,
ReleaseLevel: config.ReleaseLevelExperimental, ReleaseLevel: config.ReleaseLevelExperimental,
DefaultValue: "permit", DefaultValue: "permit",
ExternalOptType: "string list", Annotations: config.Annotations{
ValidationRegex: "^(permit|ask|block)$", config.DisplayHintAnnotation: config.DisplayHintOneOf,
config.DisplayOrderAnnotation: cfgOptionDefaultActionOrder,
},
PossibleValues: []config.PossibleValue{
{
Name: "Permit",
Value: "permit",
Description: "Permit all connections",
},
{
Name: "Ask",
Value: "ask",
Description: "Always ask for a decision",
},
{
Name: "Block",
Value: "block",
Description: "Block all connections",
},
},
}) })
if err != nil { if err != nil {
return err return err
@ -114,11 +133,13 @@ func registerConfiguration() error {
Name: "Disable Auto Permit", Name: "Disable Auto Permit",
Key: CfgOptionDisableAutoPermitKey, Key: CfgOptionDisableAutoPermitKey,
Description: "Auto Permit searches for a relation between an app and the destionation of a connection - if there is a correlation, the connection will be permitted. This setting is negated in order to provide a streamlined user experience, where higher settings are better.", Description: "Auto Permit searches for a relation between an app and the destionation of a connection - if there is a correlation, the connection will be permitted. This setting is negated in order to provide a streamlined user experience, where higher settings are better.",
Order: cfgOptionDisableAutoPermitOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelsAll, DefaultValue: status.SecurityLevelsAll,
ValidationRegex: "^(4|6|7)$", Annotations: config.Annotations{
config.DisplayOrderAnnotation: cfgOptionDisableAutoPermitOrder,
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
},
PossibleValues: status.SecurityLevelValues,
}) })
if err != nil { if err != nil {
return err return err
@ -158,10 +179,12 @@ Examples:
Key: CfgOptionEndpointsKey, Key: CfgOptionEndpointsKey,
Description: "Filter outgoing connections by matching the destination endpoint. Network Scope restrictions still apply.", Description: "Filter outgoing connections by matching the destination endpoint. Network Scope restrictions still apply.",
Help: filterListHelp, Help: filterListHelp,
Order: cfgOptionEndpointsOrder,
OptType: config.OptTypeStringArray, OptType: config.OptTypeStringArray,
DefaultValue: []string{}, DefaultValue: []string{},
ExternalOptType: "endpoint list", Annotations: config.Annotations{
config.DisplayHintAnnotation: endpoints.DisplayHintEndpointList,
config.DisplayOrderAnnotation: cfgOptionEndpointsOrder,
},
ValidationRegex: `^(\+|\-) [A-z0-9\.:\-*/]+( [A-z0-9/]+)?$`, ValidationRegex: `^(\+|\-) [A-z0-9\.:\-*/]+( [A-z0-9/]+)?$`,
}) })
if err != nil { if err != nil {
@ -176,10 +199,12 @@ Examples:
Key: CfgOptionServiceEndpointsKey, Key: CfgOptionServiceEndpointsKey,
Description: "Filter incoming connections by matching the source endpoint. Network Scope restrictions and the inbound permission still apply. Also not that the implicit default action of this list is to always block.", Description: "Filter incoming connections by matching the source endpoint. Network Scope restrictions and the inbound permission still apply. Also not that the implicit default action of this list is to always block.",
Help: filterListHelp, Help: filterListHelp,
Order: cfgOptionServiceEndpointsOrder,
OptType: config.OptTypeStringArray, OptType: config.OptTypeStringArray,
DefaultValue: []string{"+ Localhost"}, DefaultValue: []string{"+ Localhost"},
ExternalOptType: "endpoint list", Annotations: config.Annotations{
config.DisplayHintAnnotation: endpoints.DisplayHintEndpointList,
config.DisplayOrderAnnotation: cfgOptionServiceEndpointsOrder,
},
ValidationRegex: `^(\+|\-) [A-z0-9\.:\-*/]+( [A-z0-9/]+)?$`, ValidationRegex: `^(\+|\-) [A-z0-9\.:\-*/]+( [A-z0-9/]+)?$`,
}) })
if err != nil { if err != nil {
@ -193,10 +218,12 @@ Examples:
Name: "Filter List", Name: "Filter List",
Key: CfgOptionFilterListsKey, Key: CfgOptionFilterListsKey,
Description: "Filter connections by matching the endpoint against configured filterlists", Description: "Filter connections by matching the endpoint against configured filterlists",
Order: cfgOptionFilterListsOrder,
OptType: config.OptTypeStringArray, OptType: config.OptTypeStringArray,
DefaultValue: []string{"TRAC", "MAL"}, DefaultValue: []string{"TRAC", "MAL"},
ExternalOptType: "filter list", Annotations: config.Annotations{
config.DisplayHintAnnotation: "filter list",
config.DisplayOrderAnnotation: cfgOptionFilterListsOrder,
},
ValidationRegex: `^[a-zA-Z0-9\-]+$`, ValidationRegex: `^[a-zA-Z0-9\-]+$`,
}) })
if err != nil { if err != nil {
@ -210,12 +237,14 @@ Examples:
Name: "Filter CNAMEs", Name: "Filter CNAMEs",
Key: CfgOptionFilterCNAMEKey, Key: CfgOptionFilterCNAMEKey,
Description: "Also filter requests where a CNAME would be blocked", Description: "Also filter requests where a CNAME would be blocked",
Order: cfgOptionFilterCNAMEOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelsAll, DefaultValue: status.SecurityLevelsAll,
ValidationRegex: "^(4|6|7)$",
ExpertiseLevel: config.ExpertiseLevelExpert, ExpertiseLevel: config.ExpertiseLevelExpert,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionFilterCNAMEOrder,
},
PossibleValues: status.SecurityLevelValues,
}) })
if err != nil { if err != nil {
return err return err
@ -228,11 +257,13 @@ Examples:
Name: "Filter Subdomains", Name: "Filter Subdomains",
Key: CfgOptionFilterSubDomainsKey, Key: CfgOptionFilterSubDomainsKey,
Description: "Also filter a domain if any parent domain is blocked by a filter list", Description: "Also filter a domain if any parent domain is blocked by a filter list",
Order: cfgOptionFilterSubDomainsOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelsAll, DefaultValue: status.SecurityLevelsAll,
ValidationRegex: "^(4|6|7)$", PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionFilterSubDomainsOrder,
},
}) })
if err != nil { if err != nil {
return err return err
@ -245,12 +276,14 @@ Examples:
Name: "Block Scope Local", Name: "Block Scope Local",
Key: CfgOptionBlockScopeLocalKey, Key: CfgOptionBlockScopeLocalKey,
Description: "Block internal connections on your own device, ie. localhost.", Description: "Block internal connections on your own device, ie. localhost.",
Order: cfgOptionBlockScopeLocalOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert, ExpertiseLevel: config.ExpertiseLevelExpert,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelOff, DefaultValue: status.SecurityLevelOff,
ValidationRegex: "^(0|4|6|7)$", PossibleValues: status.AllSecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionBlockScopeLocalOrder,
},
}) })
if err != nil { if err != nil {
return err return err
@ -263,11 +296,13 @@ Examples:
Name: "Block Scope LAN", Name: "Block Scope LAN",
Key: CfgOptionBlockScopeLANKey, Key: CfgOptionBlockScopeLANKey,
Description: "Block connections to the Local Area Network.", Description: "Block connections to the Local Area Network.",
Order: cfgOptionBlockScopeLANOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelsHighAndExtreme, DefaultValue: status.SecurityLevelsHighAndExtreme,
ValidationRegex: "^(0|4|6|7)$", PossibleValues: status.AllSecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionBlockScopeLANOrder,
},
}) })
if err != nil { if err != nil {
return err return err
@ -280,11 +315,13 @@ Examples:
Name: "Block Scope Internet", Name: "Block Scope Internet",
Key: CfgOptionBlockScopeInternetKey, Key: CfgOptionBlockScopeInternetKey,
Description: "Block connections to the Internet.", Description: "Block connections to the Internet.",
Order: cfgOptionBlockScopeInternetOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelOff, DefaultValue: status.SecurityLevelOff,
ValidationRegex: "^(0|4|6|7)$", PossibleValues: status.AllSecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionBlockScopeInternetOrder,
},
}) })
if err != nil { if err != nil {
return err return err
@ -297,11 +334,13 @@ Examples:
Name: "Block Peer to Peer Connections", Name: "Block Peer to Peer Connections",
Key: CfgOptionBlockP2PKey, Key: CfgOptionBlockP2PKey,
Description: "These are connections that are established directly to an IP address on the Internet without resolving a domain name via DNS first.", Description: "These are connections that are established directly to an IP address on the Internet without resolving a domain name via DNS first.",
Order: cfgOptionBlockP2POrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelExtreme, DefaultValue: status.SecurityLevelExtreme,
ValidationRegex: "^(4|6|7)$", PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionBlockP2POrder,
},
}) })
if err != nil { if err != nil {
return err return err
@ -314,11 +353,13 @@ Examples:
Name: "Block Inbound Connections", Name: "Block Inbound Connections",
Key: CfgOptionBlockInboundKey, Key: CfgOptionBlockInboundKey,
Description: "Connections initiated towards your device from the LAN or Internet. This will usually only be the case if you are running a network service or are using peer to peer software.", Description: "Connections initiated towards your device from the LAN or Internet. This will usually only be the case if you are running a network service or are using peer to peer software.",
Order: cfgOptionBlockInboundOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelsHighAndExtreme, DefaultValue: status.SecurityLevelsHighAndExtreme,
ValidationRegex: "^(4|6|7)$", PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionBlockInboundOrder,
},
}) })
if err != nil { if err != nil {
return err return err
@ -331,12 +372,14 @@ Examples:
Name: "Enforce SPN", Name: "Enforce SPN",
Key: CfgOptionEnforceSPNKey, Key: CfgOptionEnforceSPNKey,
Description: "This setting enforces connections to be routed over the SPN. If this is not possible for any reason, connections will be blocked.", Description: "This setting enforces connections to be routed over the SPN. If this is not possible for any reason, connections will be blocked.",
Order: cfgOptionEnforceSPNOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ReleaseLevel: config.ReleaseLevelExperimental, ReleaseLevel: config.ReleaseLevelExperimental,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelOff, DefaultValue: status.SecurityLevelOff,
ValidationRegex: "^(0|4|6|7)$", PossibleValues: status.AllSecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionEnforceSPNOrder,
},
}) })
if err != nil { if err != nil {
return err return err
@ -349,13 +392,15 @@ Examples:
Name: "Filter Out-of-Scope DNS Records", Name: "Filter Out-of-Scope DNS Records",
Key: CfgOptionRemoveOutOfScopeDNSKey, Key: CfgOptionRemoveOutOfScopeDNSKey,
Description: "Filter DNS answers that are outside of the scope of the server. A server on the public Internet may not respond with a private LAN address.", Description: "Filter DNS answers that are outside of the scope of the server. A server on the public Internet may not respond with a private LAN address.",
Order: cfgOptionRemoveOutOfScopeDNSOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert, ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelBeta, ReleaseLevel: config.ReleaseLevelBeta,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelsAll, DefaultValue: status.SecurityLevelsAll,
ValidationRegex: "^(4|6|7)$", PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionRemoveOutOfScopeDNSOrder,
},
}) })
if err != nil { if err != nil {
return err return err
@ -368,13 +413,15 @@ Examples:
Name: "Filter DNS Records that would be blocked", Name: "Filter DNS Records that would be blocked",
Key: CfgOptionRemoveBlockedDNSKey, Key: CfgOptionRemoveBlockedDNSKey,
Description: "Pre-filter DNS answers that an application would not be allowed to connect to.", Description: "Pre-filter DNS answers that an application would not be allowed to connect to.",
Order: cfgOptionRemoveBlockedDNSOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert, ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelBeta, ReleaseLevel: config.ReleaseLevelBeta,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelsAll, DefaultValue: status.SecurityLevelsAll,
ValidationRegex: "^(4|6|7)$", PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionRemoveBlockedDNSOrder,
},
}) })
if err != nil { if err != nil {
return err return err
@ -387,12 +434,14 @@ Examples:
Name: "Enable Domain Heuristics", Name: "Enable Domain Heuristics",
Key: CfgOptionDomainHeuristicsKey, Key: CfgOptionDomainHeuristicsKey,
Description: "Domain Heuristics checks for suspicious looking domain names and blocks them. Ths option currently targets domains generated by malware and DNS data tunnels.", Description: "Domain Heuristics checks for suspicious looking domain names and blocks them. Ths option currently targets domains generated by malware and DNS data tunnels.",
Order: cfgOptionDomainHeuristicsOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert, ExpertiseLevel: config.ExpertiseLevelExpert,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelsAll, DefaultValue: status.SecurityLevelsAll,
ValidationRegex: "^(0|4|6|7)$", PossibleValues: status.AllSecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionDomainHeuristicsOrder,
},
}) })
if err != nil { if err != nil {
return err return err
@ -404,13 +453,15 @@ Examples:
Name: "Prevent Bypassing", Name: "Prevent Bypassing",
Key: CfgOptionPreventBypassingKey, Key: CfgOptionPreventBypassingKey,
Description: "Prevent apps from bypassing the privacy filter: Firefox by disabling DNS-over-HTTPs", Description: "Prevent apps from bypassing the privacy filter: Firefox by disabling DNS-over-HTTPs",
Order: cfgOptionPreventBypassingOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelUser, ExpertiseLevel: config.ExpertiseLevelUser,
ReleaseLevel: config.ReleaseLevelBeta, ReleaseLevel: config.ReleaseLevelBeta,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelsAll, DefaultValue: status.SecurityLevelsAll,
ValidationRegex: "^(4|6|7)", PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
config.DisplayOrderAnnotation: cfgOptionPreventBypassingOrder,
},
}) })
if err != nil { if err != nil {
return err return err

8
profile/database.go
View file

@ -24,12 +24,12 @@ var (
profileDB = database.NewInterface(nil) profileDB = database.NewInterface(nil)
) )
func makeScopedID(source, id string) string { func makeScopedID(source profileSource, id string) string {
return source + "/" + id return string(source) + "/" + id
} }
func makeProfileKey(source, id string) string { func makeProfileKey(source profileSource, id string) string {
return profilesDBPath + source + "/" + id return profilesDBPath + string(source) + "/" + id
} }
func registerValidationDBHook() (err error) { func registerValidationDBHook() (err error) {

24
profile/endpoints/annotations.go Normal file
View file

@ -0,0 +1,24 @@
package endpoints
// DisplayHintEndpointList marks an option as an endpoint
// list option. It's meant to be used with DisplayHintAnnotation.
const DisplayHintEndpointList = "endpoint list"
// EndpointListAnnotation is the annotation identifier used in configuration
// options to hint the UI on available endpoint list types. If configured, only
// the specified set of entities is allowed to be used. The value is expected
// to be a single string or []string. If this annotation is missing, all
// values are expected to be allowed.
const EndpointListAnnotation = "safing/portmaster:ui:endpoint-list"
// Allowed values for the EndpointListAnnotation.
const (
EndpointListIP = "ip"
EndpointListAsn = "asn"
EndpointListCountry = "country"
EndpointListDomain = "domain"
EndpointListIPRange = "iprange"
EndpointListLists = "lists"
EndpointListScopes = "scopes"
EndpointListProtocolAndPorts = "protocol-port"
)

80
profile/profile.go
View file

@ -20,12 +20,15 @@ var (
lastUsedUpdateThreshold = 24 * time.Hour lastUsedUpdateThreshold = 24 * time.Hour
) )
// profileSource is the source of the profile.
type profileSource string
// Profile Sources // Profile Sources
const ( const (
SourceLocal string = "local" // local, editable SourceLocal profileSource = "local" // local, editable
SourceSpecial string = "special" // specials (read-only) SourceSpecial profileSource = "special" // specials (read-only)
SourceCommunity string = "community" SourceCommunity profileSource = "community"
SourceEnterprise string = "enterprise" SourceEnterprise profileSource = "enterprise"
) )
// Default Action IDs // Default Action IDs
@ -36,35 +39,65 @@ const (
DefaultActionPermit uint8 = 3 DefaultActionPermit uint8 = 3
) )
// iconType describes the type of the Icon property
// of a profile.
type iconType string
// Supported icon types.
const (
IconTypeFile iconType = "path"
IconTypeDatabase iconType = "database"
IconTypeBlob iconType = "blob"
)
// Profile is used to predefine a security profile for applications. // Profile is used to predefine a security profile for applications.
type Profile struct { //nolint:maligned // not worth the effort type Profile struct { //nolint:maligned // not worth the effort
record.Base record.Base
sync.Mutex sync.Mutex
// ID is a unique identifier for the profile.
// Identity
ID string ID string
Source string // Source describes the source of the profile.
Source profileSource
// App Information // Name is a human readable name of the profile. It
// defaults to the basename of the application.
Name string Name string
// Description may holds an optional description of the
// profile or the purpose of the application.
Description string Description string
// Homepage may refer the the website of the application
// vendor.
Homepage string Homepage string
// Icon is a path to the icon and is either prefixed "f:" for filepath, "d:" for a database path or "e:" for the encoded data. // Icon holds the icon of the application. The value
// may either be a filepath, a database key or a blob URL.
// See IconType for more information.
Icon string Icon string
// IconType describes the type of the Icon property.
IconType iconType
// References - local profiles only // References - local profiles only
// LinkedPath is a filesystem path to the executable this profile was created for. // LinkedPath is a filesystem path to the executable this
// profile was created for.
LinkedPath string LinkedPath string
// LinkedProfiles is a list of other profiles // LinkedProfiles is a list of other profiles
LinkedProfiles []string LinkedProfiles []string
// SecurityLevel is the mininum security level to apply to
// Fingerprints // connections made with this profile.
// TODO: Fingerprints []*Fingerprint // Note(ppacher): we may deprecate this one as it can easily
// be "simulated" by adjusting the settings
// Configuration // directly.
// The mininum security level to apply to connections made with this profile
SecurityLevel uint8 SecurityLevel uint8
// Config holds profile specific setttings. It's a nested
// object with keys defining the settings database path. All keys
// until the actual settings value (which is everything that is not
// an object) need to be concatinated for the settings database
// path.
Config map[string]interface{} Config map[string]interface{}
// ApproxLastUsed holds a UTC timestamp in seconds of
// when this Profile was approximately last used.
// For performance reasons not every single usage is saved.
ApproxLastUsed int64
// Created holds the UTC timestamp in seconds when the
// profile has been created.
Created int64
// Interpreted Data // Interpreted Data
configPerspective *config.Perspective configPerspective *config.Perspective
@ -78,15 +111,6 @@ type Profile struct { //nolint:maligned // not worth the effort
outdated *abool.AtomicBool outdated *abool.AtomicBool
lastUsed time.Time lastUsed time.Time
// Framework
// If a Profile is declared as a Framework (i.e. an Interpreter and the likes), then the real process/actor must be found
// TODO: Framework *Framework
// When this Profile was approximately last used.
// For performance reasons not every single usage is saved.
ApproxLastUsed int64
Created int64
internalSave bool internalSave bool
} }
@ -254,7 +278,7 @@ func (profile *Profile) addEndpointyEntry(cfgKey, newEntry string) {
} }
// GetProfile loads a profile from the database. // GetProfile loads a profile from the database.
func GetProfile(source, id string) (*Profile, error) { func GetProfile(source profileSource, id string) (*Profile, error) {
return GetProfileByScopedID(makeScopedID(source, id)) return GetProfileByScopedID(makeScopedID(source, id))
} }

42
resolver/config.go
View file

@ -106,12 +106,14 @@ Parameters:
refused: server replies with Refused status refused: server replies with Refused status
zeroip: server replies with an IP address, but it is zero zeroip: server replies with an IP address, but it is zero
`, `,
Order: cfgOptionNameServersOrder,
OptType: config.OptTypeStringArray, OptType: config.OptTypeStringArray,
ExpertiseLevel: config.ExpertiseLevelExpert, ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelStable, ReleaseLevel: config.ReleaseLevelStable,
DefaultValue: defaultNameServers, DefaultValue: defaultNameServers,
ValidationRegex: fmt.Sprintf("^(%s|%s|%s)://.*", ServerTypeDoT, ServerTypeDNS, ServerTypeTCP), ValidationRegex: fmt.Sprintf("^(%s|%s|%s)://.*", ServerTypeDoT, ServerTypeDNS, ServerTypeTCP),
Annotations: config.Annotations{
config.DisplayOrderAnnotation: cfgOptionNameServersOrder,
},
}) })
if err != nil { if err != nil {
return err return err
@ -120,13 +122,15 @@ Parameters:
err = config.Register(&config.Option{ err = config.Register(&config.Option{
Name: "DNS Server Retry Rate", Name: "DNS Server Retry Rate",
Key: CfgOptionNameserverRetryRateKey,
Description: "Rate at which to retry failed DNS Servers, in seconds.", Description: "Rate at which to retry failed DNS Servers, in seconds.",
Order: cfgOptionNameserverRetryRateOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert, ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelStable, ReleaseLevel: config.ReleaseLevelStable,
DefaultValue: 600, DefaultValue: 600,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: cfgOptionNameserverRetryRateOrder,
config.UnitAnnotation: "seconds",
},
}) })
if err != nil { if err != nil {
return err return err
@ -137,13 +141,15 @@ Parameters:
Name: "Do not use Multicast DNS", Name: "Do not use Multicast DNS",
Key: CfgOptionNoMulticastDNSKey, Key: CfgOptionNoMulticastDNSKey,
Description: "Multicast DNS queries other devices in the local network", Description: "Multicast DNS queries other devices in the local network",
Order: cfgOptionNoMulticastDNSOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert, ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelStable, ReleaseLevel: config.ReleaseLevelStable,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelsHighAndExtreme, DefaultValue: status.SecurityLevelsHighAndExtreme,
ValidationRegex: "^(4|6|7)$", PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: cfgOptionNoMulticastDNSOrder,
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
},
}) })
if err != nil { if err != nil {
return err return err
@ -154,13 +160,15 @@ Parameters:
Name: "Do not use assigned Nameservers", Name: "Do not use assigned Nameservers",
Key: CfgOptionNoAssignedNameserversKey, Key: CfgOptionNoAssignedNameserversKey,
Description: "that were acquired by the network (dhcp) or system", Description: "that were acquired by the network (dhcp) or system",
Order: cfgOptionNoAssignedNameserversOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert, ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelStable, ReleaseLevel: config.ReleaseLevelStable,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelsHighAndExtreme, DefaultValue: status.SecurityLevelsHighAndExtreme,
ValidationRegex: "^(4|6|7)$", PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: cfgOptionNoAssignedNameserversOrder,
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
},
}) })
if err != nil { if err != nil {
return err return err
@ -171,13 +179,15 @@ Parameters:
Name: "Do not resolve insecurely", Name: "Do not resolve insecurely",
Key: CfgOptionNoInsecureProtocolsKey, Key: CfgOptionNoInsecureProtocolsKey,
Description: "Do not resolve domains with insecure protocols, ie. plain DNS", Description: "Do not resolve domains with insecure protocols, ie. plain DNS",
Order: cfgOptionNoInsecureProtocolsOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert, ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelStable, ReleaseLevel: config.ReleaseLevelStable,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelsHighAndExtreme, DefaultValue: status.SecurityLevelsHighAndExtreme,
ValidationRegex: "^(4|6|7)$", PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: cfgOptionNoInsecureProtocolsOrder,
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
},
}) })
if err != nil { if err != nil {
return err return err
@ -188,13 +198,15 @@ Parameters:
Name: "Do not resolve special domains", Name: "Do not resolve special domains",
Key: CfgOptionDontResolveSpecialDomainsKey, Key: CfgOptionDontResolveSpecialDomainsKey,
Description: fmt.Sprintf("Do not resolve the special top level domains %s", formatScopeList(specialServiceDomains)), Description: fmt.Sprintf("Do not resolve the special top level domains %s", formatScopeList(specialServiceDomains)),
Order: cfgOptionDontResolveSpecialDomainsOrder,
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelExpert, ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelStable, ReleaseLevel: config.ReleaseLevelStable,
ExternalOptType: "security level",
DefaultValue: status.SecurityLevelsAll, DefaultValue: status.SecurityLevelsAll,
ValidationRegex: "^(4|6|7)$", PossibleValues: status.SecurityLevelValues,
Annotations: config.Annotations{
config.DisplayOrderAnnotation: cfgOptionDontResolveSpecialDomainsOrder,
config.DisplayHintAnnotation: status.DisplayHintSecurityLevel,
},
}) })
if err != nil { if err != nil {
return err return err

40
status/const.go
View file

@ -1,9 +1,16 @@
package status package status
// Definitions of Security and Status Levels. import (
"github.com/safing/portbase/config"
)
// DisplayHintSecurityLevel is an external option hint for security levels.
// It's meant to be used as a value for config.DisplayHintAnnotation.
const DisplayHintSecurityLevel string = "security level"
// Security levels
const ( const (
SecurityLevelOff uint8 = 0 SecurityLevelOff uint8 = 0
SecurityLevelNormal uint8 = 1 SecurityLevelNormal uint8 = 1
SecurityLevelHigh uint8 = 2 SecurityLevelHigh uint8 = 2
SecurityLevelExtreme uint8 = 4 SecurityLevelExtreme uint8 = 4
@ -12,7 +19,36 @@ const (
SecurityLevelsNormalAndExtreme uint8 = SecurityLevelNormal | SecurityLevelExtreme SecurityLevelsNormalAndExtreme uint8 = SecurityLevelNormal | SecurityLevelExtreme
SecurityLevelsHighAndExtreme uint8 = SecurityLevelHigh | SecurityLevelExtreme SecurityLevelsHighAndExtreme uint8 = SecurityLevelHigh | SecurityLevelExtreme
SecurityLevelsAll uint8 = SecurityLevelNormal | SecurityLevelHigh | SecurityLevelExtreme SecurityLevelsAll uint8 = SecurityLevelNormal | SecurityLevelHigh | SecurityLevelExtreme
)
// SecurityLevelValues defines all possible security levels.
var SecurityLevelValues = []config.PossibleValue{
{
Name: "Normal",
Value: SecurityLevelsAll,
},
{
Name: "High",
Value: SecurityLevelsHighAndExtreme,
},
{
Name: "Extreme",
Value: SecurityLevelExtreme,
},
}
// AllSecurityLevelValues is like SecurityLevelValues but also includes Off.
var AllSecurityLevelValues = append([]config.PossibleValue{
{
Name: "Off",
Value: SecurityLevelOff,
},
},
SecurityLevelValues...,
)
// Status constants
const (
StatusOff uint8 = 0 StatusOff uint8 = 0
StatusError uint8 = 1 StatusError uint8 = 1
StatusWarning uint8 = 2 StatusWarning uint8 = 2

14
status/get.go
View file

@ -5,20 +5,10 @@ import (
) )
var ( var (
activeSecurityLevel *uint32 activeSecurityLevel = new(uint32)
selectedSecurityLevel *uint32 selectedSecurityLevel = new(uint32)
) )
func init() {
var (
activeSecurityLevelValue uint32
selectedSecurityLevelValue uint32
)
activeSecurityLevel = &activeSecurityLevelValue
selectedSecurityLevel = &selectedSecurityLevelValue
}
// ActiveSecurityLevel returns the current security level. // ActiveSecurityLevel returns the current security level.
func ActiveSecurityLevel() uint8 { func ActiveSecurityLevel() uint8 {
return uint8(atomic.LoadUint32(activeSecurityLevel)) return uint8(atomic.LoadUint32(activeSecurityLevel))

23
updates/config.go
View file

@ -2,7 +2,6 @@ package updates
import ( import (
"context" "context"
"fmt"
"github.com/safing/portbase/config" "github.com/safing/portbase/config"
"github.com/safing/portbase/log" "github.com/safing/portbase/log"
@ -27,14 +26,25 @@ func registerConfig() error {
Name: "Release Channel", Name: "Release Channel",
Key: releaseChannelKey, Key: releaseChannelKey,
Description: "The Release Channel changes which updates are applied. When using beta, you will receive new features earlier and Portmaster will update more frequently. Some beta or experimental features are also available in the stable release channel.", Description: "The Release Channel changes which updates are applied. When using beta, you will receive new features earlier and Portmaster will update more frequently. Some beta or experimental features are also available in the stable release channel.",
Order: 1,
OptType: config.OptTypeString, OptType: config.OptTypeString,
ExpertiseLevel: config.ExpertiseLevelExpert, ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelBeta, ReleaseLevel: config.ReleaseLevelBeta,
RequiresRestart: false, RequiresRestart: false,
DefaultValue: releaseChannelStable, DefaultValue: releaseChannelStable,
ExternalOptType: "string list", PossibleValues: []config.PossibleValue{
ValidationRegex: fmt.Sprintf("^(%s|%s)$", releaseChannelStable, releaseChannelBeta), {
Name: "Stable",
Value: releaseChannelStable,
},
{
Name: "Beta",
Value: releaseChannelBeta,
},
},
Annotations: config.Annotations{
config.DisplayOrderAnnotation: 1,
config.DisplayHintAnnotation: config.DisplayHintOneOf,
},
}) })
if err != nil { if err != nil {
return err return err
@ -44,13 +54,14 @@ func registerConfig() error {
Name: "Disable Updates", Name: "Disable Updates",
Key: disableUpdatesKey, Key: disableUpdatesKey,
Description: "Disable automatic updates.", Description: "Disable automatic updates.",
Order: 64,
OptType: config.OptTypeBool, OptType: config.OptTypeBool,
ExpertiseLevel: config.ExpertiseLevelExpert, ExpertiseLevel: config.ExpertiseLevelExpert,
ReleaseLevel: config.ReleaseLevelStable, ReleaseLevel: config.ReleaseLevelStable,
RequiresRestart: false, RequiresRestart: false,
DefaultValue: false, DefaultValue: false,
ExternalOptType: "disable updates", Annotations: config.Annotations{
config.DisplayOrderAnnotation: 64,
},
}) })
if err != nil { if err != nil {
return err return err