Merge pull request #143 from safing/fix/options

Update app profile icons. Switch to new portbase options
2025-09-02 10:39:22 +00:00 · 2020-09-16 08:49:23 +02:00 · 2020-09-16 08:49:23 +02:00 · ae67bb553b
commit ae67bb553b
parent e9881e2f15 7c5e78b239
11 changed files with 416 additions and 255 deletions
--- a/core/config.go
+++ b/core/config.go
@ -30,11 +30,13 @@ func registerConfig() error {
 		Name:           "Development Mode",
 		Key:            CfgDevModeKey,
 		Description:    "In Development Mode security restrictions are lifted/softened to enable easier access to Portmaster for debugging and testing purposes.",
-		Order:          127,
 		OptType:        config.OptTypeBool,
 		ExpertiseLevel: config.ExpertiseLevelDeveloper,
 		ReleaseLevel:   config.ReleaseLevelStable,
 		DefaultValue:   defaultDevMode,
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: 127,
+		},
 	})
 	if err != nil {
 		return err
@ -44,11 +46,13 @@ func registerConfig() error {
 		Name:           "Use System Notifications",
 		Key:            CfgUseSystemNotificationsKey,
 		Description:    "Send notifications to your operating system's notification system. When this setting is turned off, notifications will only be visible in the Portmaster App. This affects both alerts from the Portmaster and questions from the Privacy Filter.",
-		Order:          32,
 		OptType:        config.OptTypeBool,
 		ExpertiseLevel: config.ExpertiseLevelUser,
 		ReleaseLevel:   config.ReleaseLevelStable,
 		DefaultValue:   true, // TODO: turn off by default on unsupported systems
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: 32,
+		},
 	})
 	if err != nil {
 		return err
--- a/firewall/config.go
+++ b/firewall/config.go
@ -11,14 +11,14 @@ var (
 	CfgOptionEnableFilterKey = "filter/enable"

 	CfgOptionAskWithSystemNotificationsKey   = "filter/askWithSystemNotifications"
-	CfgOptionAskWithSystemNotificationsOrder = 2
+	cfgOptionAskWithSystemNotificationsOrder = 2

 	CfgOptionAskTimeoutKey   = "filter/askTimeout"
-	CfgOptionAskTimeoutOrder = 3
+	cfgOptionAskTimeoutOrder = 3
 	askTimeout               config.IntOption

 	CfgOptionPermanentVerdictsKey   = "filter/permanentVerdicts"
-	CfgOptionPermanentVerdictsOrder = 128
+	cfgOptionPermanentVerdictsOrder = 128
 	permanentVerdicts               config.BoolOption

 	devMode          config.BoolOption
@ -30,11 +30,13 @@ func registerConfig() error {
 		Name:           "Permanent Verdicts",
 		Key:            CfgOptionPermanentVerdictsKey,
 		Description:    "With permanent verdicts, control of a connection is fully handed back to the OS after the initial decision. This brings a great performance increase, but makes it impossible to change the decision of a link later on.",
-		Order:          CfgOptionPermanentVerdictsOrder,
 		OptType:        config.OptTypeBool,
 		ExpertiseLevel: config.ExpertiseLevelExpert,
 		ReleaseLevel:   config.ReleaseLevelExperimental,
 		DefaultValue:   true,
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: cfgOptionPermanentVerdictsOrder,
+		},
 	})
 	if err != nil {
 		return err
@ -45,11 +47,13 @@ func registerConfig() error {
 		Name:           "Ask with System Notifications",
 		Key:            CfgOptionAskWithSystemNotificationsKey,
 		Description:    `Ask about connections using your operating system's notification system. For this to be enabled, the setting "Use System Notifications" must enabled too. This only affects questions from the Privacy Filter, and does not affect alerts from the Portmaster.`,
-		Order:          CfgOptionAskWithSystemNotificationsOrder,
 		OptType:        config.OptTypeBool,
 		ExpertiseLevel: config.ExpertiseLevelUser,
 		ReleaseLevel:   config.ReleaseLevelExperimental,
 		DefaultValue:   true,
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: cfgOptionAskWithSystemNotificationsOrder,
+		},
 	})
 	if err != nil {
 		return err
@ -59,11 +63,14 @@ func registerConfig() error {
 		Name:           "Timeout for Ask Notifications",
 		Key:            CfgOptionAskTimeoutKey,
 		Description:    "Amount of time (in seconds) how long the Portmaster will wait for a response when prompting about a connection via a notification. Please note that system notifications might not respect this or have it's own limits.",
-		Order:          CfgOptionAskTimeoutOrder,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelUser,
 		ReleaseLevel:   config.ReleaseLevelExperimental,
 		DefaultValue:   60,
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: cfgOptionAskTimeoutOrder,
+			config.UnitAnnotation:         "seconds",
+		},
 	})
 	if err != nil {
 		return err
--- a/process/config.go
+++ b/process/config.go
@ -17,10 +17,12 @@ func registerConfiguration() error {
 		Name:           "Enable Process Detection",
 		Key:            CfgOptionEnableProcessDetectionKey,
 		Description:    "This option enables the attribution of network traffic to processes. This should be always enabled, and effectively disables app profiles if disabled.",
-		Order:          144,
 		OptType:        config.OptTypeBool,
 		ExpertiseLevel: config.ExpertiseLevelDeveloper,
 		DefaultValue:   true,
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: 144,
+		},
 	})
 	if err != nil {
 		return err
--- a/profile/config.go
+++ b/profile/config.go
@ -2,6 +2,7 @@ package profile

 import (
 	"github.com/safing/portbase/config"
+	"github.com/safing/portmaster/profile/endpoints"
 	"github.com/safing/portmaster/status"
 )

@ -96,12 +97,30 @@ func registerConfiguration() error {
 		Name:         "Default Filter Action",
 		Key:          CfgOptionDefaultActionKey,
 		Description:  `The default filter action when nothing else permits or blocks a connection.`,
-		Order:           cfgOptionDefaultActionOrder,
 		OptType:      config.OptTypeString,
 		ReleaseLevel: config.ReleaseLevelExperimental,
 		DefaultValue: "permit",
-		ExternalOptType: "string list",
-		ValidationRegex: "^(permit|ask|block)$",
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  config.DisplayHintOneOf,
+			config.DisplayOrderAnnotation: cfgOptionDefaultActionOrder,
+		},
+		PossibleValues: []config.PossibleValue{
+			{
+				Name:        "Permit",
+				Value:       "permit",
+				Description: "Permit all connections",
+			},
+			{
+				Name:        "Ask",
+				Value:       "ask",
+				Description: "Always ask for a decision",
+			},
+			{
+				Name:        "Block",
+				Value:       "block",
+				Description: "Block all connections",
+			},
+		},
 	})
 	if err != nil {
 		return err
@ -114,11 +133,13 @@ func registerConfiguration() error {
 		Name:         "Disable Auto Permit",
 		Key:          CfgOptionDisableAutoPermitKey,
 		Description:  "Auto Permit searches for a relation between an app and the destionation of a connection - if there is a correlation, the connection will be permitted. This setting is negated in order to provide a streamlined user experience, where higher settings are better.",
-		Order:           cfgOptionDisableAutoPermitOrder,
 		OptType:      config.OptTypeInt,
-		ExternalOptType: "security level",
 		DefaultValue: status.SecurityLevelsAll,
-		ValidationRegex: "^(4|6|7)$",
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: cfgOptionDisableAutoPermitOrder,
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+		},
+		PossibleValues: status.SecurityLevelValues,
 	})
 	if err != nil {
 		return err
@ -158,10 +179,12 @@ Examples:
 		Key:          CfgOptionEndpointsKey,
 		Description:  "Filter outgoing connections by matching the destination endpoint. Network Scope restrictions still apply.",
 		Help:         filterListHelp,
-		Order:           cfgOptionEndpointsOrder,
 		OptType:      config.OptTypeStringArray,
 		DefaultValue: []string{},
-		ExternalOptType: "endpoint list",
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  endpoints.DisplayHintEndpointList,
+			config.DisplayOrderAnnotation: cfgOptionEndpointsOrder,
+		},
 		ValidationRegex: `^(\+|\-) [A-z0-9\.:\-*/]+( [A-z0-9/]+)?$`,
 	})
 	if err != nil {
@ -176,10 +199,12 @@ Examples:
 		Key:          CfgOptionServiceEndpointsKey,
 		Description:  "Filter incoming connections by matching the source endpoint. Network Scope restrictions and the inbound permission still apply. Also not that the implicit default action of this list is to always block.",
 		Help:         filterListHelp,
-		Order:           cfgOptionServiceEndpointsOrder,
 		OptType:      config.OptTypeStringArray,
 		DefaultValue: []string{"+ Localhost"},
-		ExternalOptType: "endpoint list",
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  endpoints.DisplayHintEndpointList,
+			config.DisplayOrderAnnotation: cfgOptionServiceEndpointsOrder,
+		},
 		ValidationRegex: `^(\+|\-) [A-z0-9\.:\-*/]+( [A-z0-9/]+)?$`,
 	})
 	if err != nil {
@ -193,10 +218,12 @@ Examples:
 		Name:         "Filter List",
 		Key:          CfgOptionFilterListsKey,
 		Description:  "Filter connections by matching the endpoint against configured filterlists",
-		Order:           cfgOptionFilterListsOrder,
 		OptType:      config.OptTypeStringArray,
 		DefaultValue: []string{"TRAC", "MAL"},
-		ExternalOptType: "filter list",
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  "filter list",
+			config.DisplayOrderAnnotation: cfgOptionFilterListsOrder,
+		},
 		ValidationRegex: `^[a-zA-Z0-9\-]+$`,
 	})
 	if err != nil {
@ -210,12 +237,14 @@ Examples:
 		Name:           "Filter CNAMEs",
 		Key:            CfgOptionFilterCNAMEKey,
 		Description:    "Also filter requests where a CNAME would be blocked",
-		Order:           cfgOptionFilterCNAMEOrder,
 		OptType:        config.OptTypeInt,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelsAll,
-		ValidationRegex: "^(4|6|7)$",
 		ExpertiseLevel: config.ExpertiseLevelExpert,
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+			config.DisplayOrderAnnotation: cfgOptionFilterCNAMEOrder,
+		},
+		PossibleValues: status.SecurityLevelValues,
 	})
 	if err != nil {
 		return err
@ -228,11 +257,13 @@ Examples:
 		Name:           "Filter Subdomains",
 		Key:            CfgOptionFilterSubDomainsKey,
 		Description:    "Also filter a domain if any parent domain is blocked by a filter list",
-		Order:           cfgOptionFilterSubDomainsOrder,
 		OptType:        config.OptTypeInt,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelsAll,
-		ValidationRegex: "^(4|6|7)$",
+		PossibleValues: status.SecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+			config.DisplayOrderAnnotation: cfgOptionFilterSubDomainsOrder,
+		},
 	})
 	if err != nil {
 		return err
@ -245,12 +276,14 @@ Examples:
 		Name:           "Block Scope Local",
 		Key:            CfgOptionBlockScopeLocalKey,
 		Description:    "Block internal connections on your own device, ie. localhost.",
-		Order:           cfgOptionBlockScopeLocalOrder,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelExpert,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelOff,
-		ValidationRegex: "^(0|4|6|7)$",
+		PossibleValues: status.AllSecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+			config.DisplayOrderAnnotation: cfgOptionBlockScopeLocalOrder,
+		},
 	})
 	if err != nil {
 		return err
@ -263,11 +296,13 @@ Examples:
 		Name:           "Block Scope LAN",
 		Key:            CfgOptionBlockScopeLANKey,
 		Description:    "Block connections to the Local Area Network.",
-		Order:           cfgOptionBlockScopeLANOrder,
 		OptType:        config.OptTypeInt,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelsHighAndExtreme,
-		ValidationRegex: "^(0|4|6|7)$",
+		PossibleValues: status.AllSecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+			config.DisplayOrderAnnotation: cfgOptionBlockScopeLANOrder,
+		},
 	})
 	if err != nil {
 		return err
@ -280,11 +315,13 @@ Examples:
 		Name:           "Block Scope Internet",
 		Key:            CfgOptionBlockScopeInternetKey,
 		Description:    "Block connections to the Internet.",
-		Order:           cfgOptionBlockScopeInternetOrder,
 		OptType:        config.OptTypeInt,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelOff,
-		ValidationRegex: "^(0|4|6|7)$",
+		PossibleValues: status.AllSecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+			config.DisplayOrderAnnotation: cfgOptionBlockScopeInternetOrder,
+		},
 	})
 	if err != nil {
 		return err
@ -297,11 +334,13 @@ Examples:
 		Name:           "Block Peer to Peer Connections",
 		Key:            CfgOptionBlockP2PKey,
 		Description:    "These are connections that are established directly to an IP address on the Internet without resolving a domain name via DNS first.",
-		Order:           cfgOptionBlockP2POrder,
 		OptType:        config.OptTypeInt,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelExtreme,
-		ValidationRegex: "^(4|6|7)$",
+		PossibleValues: status.SecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+			config.DisplayOrderAnnotation: cfgOptionBlockP2POrder,
+		},
 	})
 	if err != nil {
 		return err
@ -314,11 +353,13 @@ Examples:
 		Name:           "Block Inbound Connections",
 		Key:            CfgOptionBlockInboundKey,
 		Description:    "Connections initiated towards your device from the LAN or Internet. This will usually only be the case if you are running a network service or are using peer to peer software.",
-		Order:           cfgOptionBlockInboundOrder,
 		OptType:        config.OptTypeInt,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelsHighAndExtreme,
-		ValidationRegex: "^(4|6|7)$",
+		PossibleValues: status.SecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+			config.DisplayOrderAnnotation: cfgOptionBlockInboundOrder,
+		},
 	})
 	if err != nil {
 		return err
@ -331,12 +372,14 @@ Examples:
 		Name:           "Enforce SPN",
 		Key:            CfgOptionEnforceSPNKey,
 		Description:    "This setting enforces connections to be routed over the SPN. If this is not possible for any reason, connections will be blocked.",
-		Order:           cfgOptionEnforceSPNOrder,
 		OptType:        config.OptTypeInt,
 		ReleaseLevel:   config.ReleaseLevelExperimental,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelOff,
-		ValidationRegex: "^(0|4|6|7)$",
+		PossibleValues: status.AllSecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+			config.DisplayOrderAnnotation: cfgOptionEnforceSPNOrder,
+		},
 	})
 	if err != nil {
 		return err
@ -349,13 +392,15 @@ Examples:
 		Name:           "Filter Out-of-Scope DNS Records",
 		Key:            CfgOptionRemoveOutOfScopeDNSKey,
 		Description:    "Filter DNS answers that are outside of the scope of the server. A server on the public Internet may not respond with a private LAN address.",
-		Order:           cfgOptionRemoveOutOfScopeDNSOrder,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelExpert,
 		ReleaseLevel:   config.ReleaseLevelBeta,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelsAll,
-		ValidationRegex: "^(4|6|7)$",
+		PossibleValues: status.SecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+			config.DisplayOrderAnnotation: cfgOptionRemoveOutOfScopeDNSOrder,
+		},
 	})
 	if err != nil {
 		return err
@ -368,13 +413,15 @@ Examples:
 		Name:           "Filter DNS Records that would be blocked",
 		Key:            CfgOptionRemoveBlockedDNSKey,
 		Description:    "Pre-filter DNS answers that an application would not be allowed to connect to.",
-		Order:           cfgOptionRemoveBlockedDNSOrder,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelExpert,
 		ReleaseLevel:   config.ReleaseLevelBeta,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelsAll,
-		ValidationRegex: "^(4|6|7)$",
+		PossibleValues: status.SecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+			config.DisplayOrderAnnotation: cfgOptionRemoveBlockedDNSOrder,
+		},
 	})
 	if err != nil {
 		return err
@ -387,12 +434,14 @@ Examples:
 		Name:           "Enable Domain Heuristics",
 		Key:            CfgOptionDomainHeuristicsKey,
 		Description:    "Domain Heuristics checks for suspicious looking domain names and blocks them. Ths option currently targets domains generated by malware and DNS data tunnels.",
-		Order:           cfgOptionDomainHeuristicsOrder,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelExpert,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelsAll,
-		ValidationRegex: "^(0|4|6|7)$",
+		PossibleValues: status.AllSecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+			config.DisplayOrderAnnotation: cfgOptionDomainHeuristicsOrder,
+		},
 	})
 	if err != nil {
 		return err
@ -404,13 +453,15 @@ Examples:
 		Name:           "Prevent Bypassing",
 		Key:            CfgOptionPreventBypassingKey,
 		Description:    "Prevent apps from bypassing the privacy filter: Firefox by disabling DNS-over-HTTPs",
-		Order:           cfgOptionPreventBypassingOrder,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelUser,
 		ReleaseLevel:   config.ReleaseLevelBeta,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelsAll,
-		ValidationRegex: "^(4|6|7)",
+		PossibleValues: status.SecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+			config.DisplayOrderAnnotation: cfgOptionPreventBypassingOrder,
+		},
 	})
 	if err != nil {
 		return err
--- a/profile/database.go
+++ b/profile/database.go
@ -24,12 +24,12 @@ var (
 	profileDB = database.NewInterface(nil)
 )

-func makeScopedID(source, id string) string {
-	return source + "/" + id
+func makeScopedID(source profileSource, id string) string {
+	return string(source) + "/" + id
 }

-func makeProfileKey(source, id string) string {
-	return profilesDBPath + source + "/" + id
+func makeProfileKey(source profileSource, id string) string {
+	return profilesDBPath + string(source) + "/" + id
 }

 func registerValidationDBHook() (err error) {
--- a/profile/endpoints/annotations.go
+++ b/profile/endpoints/annotations.go
@ -0,0 +1,24 @@
+package endpoints
+
+// DisplayHintEndpointList marks an option as an endpoint
+// list option. It's meant to be used with DisplayHintAnnotation.
+const DisplayHintEndpointList = "endpoint list"
+
+// EndpointListAnnotation is the annotation identifier used in configuration
+// options to hint the UI on available endpoint list types. If configured, only
+// the specified set of entities is allowed to be used. The value is expected
+// to be a single string or []string. If this annotation is missing, all
+// values are expected to be allowed.
+const EndpointListAnnotation = "safing/portmaster:ui:endpoint-list"
+
+// Allowed values for the EndpointListAnnotation.
+const (
+	EndpointListIP               = "ip"
+	EndpointListAsn              = "asn"
+	EndpointListCountry          = "country"
+	EndpointListDomain           = "domain"
+	EndpointListIPRange          = "iprange"
+	EndpointListLists            = "lists"
+	EndpointListScopes           = "scopes"
+	EndpointListProtocolAndPorts = "protocol-port"
+)
--- a/profile/profile.go
+++ b/profile/profile.go
@ -20,12 +20,15 @@ var (
 	lastUsedUpdateThreshold = 24 * time.Hour
 )

+// profileSource is the source of the profile.
+type profileSource string
+
 // Profile Sources
 const (
-	SourceLocal      string = "local"   // local, editable
-	SourceSpecial    string = "special" // specials (read-only)
-	SourceCommunity  string = "community"
-	SourceEnterprise string = "enterprise"
+	SourceLocal      profileSource = "local"   // local, editable
+	SourceSpecial    profileSource = "special" // specials (read-only)
+	SourceCommunity  profileSource = "community"
+	SourceEnterprise profileSource = "enterprise"
 )

 // Default Action IDs
@ -36,35 +39,65 @@ const (
 	DefaultActionPermit uint8 = 3
 )

+// iconType describes the type of the Icon property
+// of a profile.
+type iconType string
+
+// Supported icon types.
+const (
+	IconTypeFile     iconType = "path"
+	IconTypeDatabase iconType = "database"
+	IconTypeBlob     iconType = "blob"
+)
+
 // Profile is used to predefine a security profile for applications.
 type Profile struct { //nolint:maligned // not worth the effort
 	record.Base
 	sync.Mutex
-
-	// Identity
+	// ID is a unique identifier for the profile.
 	ID string
-	Source string
-
-	// App Information
+	// Source describes the source of the profile.
+	Source profileSource
+	// Name is a human readable name of the profile. It
+	// defaults to the basename of the application.
 	Name string
+	// Description may holds an optional description of the
+	// profile or the purpose of the application.
 	Description string
+	// Homepage may refer the the website of the application
+	// vendor.
 	Homepage string
-	// Icon is a path to the icon and is either prefixed "f:" for filepath, "d:" for a database path or "e:" for the encoded data.
+	// Icon holds the icon of the application. The value
+	// may either be a filepath, a database key or a blob URL.
+	// See IconType for more information.
 	Icon string
-
+	// IconType describes the type of the Icon property.
+	IconType iconType
 	// References - local profiles only
-	// LinkedPath is a filesystem path to the executable this profile was created for.
+	// LinkedPath is a filesystem path to the executable this
+	// profile was created for.
 	LinkedPath string
 	// LinkedProfiles is a list of other profiles
 	LinkedProfiles []string
-
-	// Fingerprints
-	// TODO: Fingerprints []*Fingerprint
-
-	// Configuration
-	// The mininum security level to apply to connections made with this profile
+	// SecurityLevel is the mininum security level to apply to
+	// connections made with this profile.
+	// Note(ppacher): we may deprecate this one as it can easily
+	//			      be "simulated" by adjusting the settings
+	//				  directly.
 	SecurityLevel uint8
+	// Config holds profile specific setttings. It's a nested
+	// object with keys defining the settings database path. All keys
+	// until the actual settings value (which is everything that is not
+	// an object) need to be concatinated for the settings database
+	// path.
 	Config map[string]interface{}
+	// ApproxLastUsed holds a UTC timestamp in seconds of
+	// when this Profile was approximately last used.
+	// For performance reasons not every single usage is saved.
+	ApproxLastUsed int64
+	// Created holds the UTC timestamp in seconds when the
+	// profile has been created.
+	Created int64

 	// Interpreted Data
 	configPerspective *config.Perspective
@ -78,15 +111,6 @@ type Profile struct { //nolint:maligned // not worth the effort
 	outdated *abool.AtomicBool
 	lastUsed time.Time

-	// Framework
-	// If a Profile is declared as a Framework (i.e. an Interpreter and the likes), then the real process/actor must be found
-	// TODO: Framework *Framework
-
-	// When this Profile was approximately last used.
-	// For performance reasons not every single usage is saved.
-	ApproxLastUsed int64
-	Created        int64
-
 	internalSave bool
 }

@ -254,7 +278,7 @@ func (profile *Profile) addEndpointyEntry(cfgKey, newEntry string) {
 }

 // GetProfile loads a profile from the database.
-func GetProfile(source, id string) (*Profile, error) {
+func GetProfile(source profileSource, id string) (*Profile, error) {
 	return GetProfileByScopedID(makeScopedID(source, id))
 }

--- a/resolver/config.go
+++ b/resolver/config.go
@ -106,12 +106,14 @@ Parameters:
 		refused: server replies with Refused status
 		zeroip: server replies with an IP address, but it is zero
 `,
-		Order:           cfgOptionNameServersOrder,
 		OptType:         config.OptTypeStringArray,
 		ExpertiseLevel:  config.ExpertiseLevelExpert,
 		ReleaseLevel:    config.ReleaseLevelStable,
 		DefaultValue:    defaultNameServers,
 		ValidationRegex: fmt.Sprintf("^(%s|%s|%s)://.*", ServerTypeDoT, ServerTypeDNS, ServerTypeTCP),
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: cfgOptionNameServersOrder,
+		},
 	})
 	if err != nil {
 		return err
@ -120,13 +122,15 @@ Parameters:

 	err = config.Register(&config.Option{
 		Name:           "DNS Server Retry Rate",
-		Key:            CfgOptionNameserverRetryRateKey,
 		Description:    "Rate at which to retry failed DNS Servers, in seconds.",
-		Order:          cfgOptionNameserverRetryRateOrder,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelExpert,
 		ReleaseLevel:   config.ReleaseLevelStable,
 		DefaultValue:   600,
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: cfgOptionNameserverRetryRateOrder,
+			config.UnitAnnotation:         "seconds",
+		},
 	})
 	if err != nil {
 		return err
@ -137,13 +141,15 @@ Parameters:
 		Name:           "Do not use Multicast DNS",
 		Key:            CfgOptionNoMulticastDNSKey,
 		Description:    "Multicast DNS queries other devices in the local network",
-		Order:           cfgOptionNoMulticastDNSOrder,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelExpert,
 		ReleaseLevel:   config.ReleaseLevelStable,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelsHighAndExtreme,
-		ValidationRegex: "^(4|6|7)$",
+		PossibleValues: status.SecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: cfgOptionNoMulticastDNSOrder,
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+		},
 	})
 	if err != nil {
 		return err
@ -154,13 +160,15 @@ Parameters:
 		Name:           "Do not use assigned Nameservers",
 		Key:            CfgOptionNoAssignedNameserversKey,
 		Description:    "that were acquired by the network (dhcp) or system",
-		Order:           cfgOptionNoAssignedNameserversOrder,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelExpert,
 		ReleaseLevel:   config.ReleaseLevelStable,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelsHighAndExtreme,
-		ValidationRegex: "^(4|6|7)$",
+		PossibleValues: status.SecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: cfgOptionNoAssignedNameserversOrder,
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+		},
 	})
 	if err != nil {
 		return err
@ -171,13 +179,15 @@ Parameters:
 		Name:           "Do not resolve insecurely",
 		Key:            CfgOptionNoInsecureProtocolsKey,
 		Description:    "Do not resolve domains with insecure protocols, ie. plain DNS",
-		Order:           cfgOptionNoInsecureProtocolsOrder,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelExpert,
 		ReleaseLevel:   config.ReleaseLevelStable,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelsHighAndExtreme,
-		ValidationRegex: "^(4|6|7)$",
+		PossibleValues: status.SecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: cfgOptionNoInsecureProtocolsOrder,
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+		},
 	})
 	if err != nil {
 		return err
@ -188,13 +198,15 @@ Parameters:
 		Name:           "Do not resolve special domains",
 		Key:            CfgOptionDontResolveSpecialDomainsKey,
 		Description:    fmt.Sprintf("Do not resolve the special top level domains %s", formatScopeList(specialServiceDomains)),
-		Order:           cfgOptionDontResolveSpecialDomainsOrder,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelExpert,
 		ReleaseLevel:   config.ReleaseLevelStable,
-		ExternalOptType: "security level",
 		DefaultValue:   status.SecurityLevelsAll,
-		ValidationRegex: "^(4|6|7)$",
+		PossibleValues: status.SecurityLevelValues,
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: cfgOptionDontResolveSpecialDomainsOrder,
+			config.DisplayHintAnnotation:  status.DisplayHintSecurityLevel,
+		},
 	})
 	if err != nil {
 		return err
--- a/status/const.go
+++ b/status/const.go
@ -1,9 +1,16 @@
 package status

-// Definitions of Security and Status Levels.
+import (
+	"github.com/safing/portbase/config"
+)
+
+// DisplayHintSecurityLevel is an external option hint for security levels.
+// It's meant to be used as a value for config.DisplayHintAnnotation.
+const DisplayHintSecurityLevel string = "security level"
+
+// Security levels
 const (
 	SecurityLevelOff     uint8 = 0
-
 	SecurityLevelNormal  uint8 = 1
 	SecurityLevelHigh    uint8 = 2
 	SecurityLevelExtreme uint8 = 4
@ -12,7 +19,36 @@ const (
 	SecurityLevelsNormalAndExtreme uint8 = SecurityLevelNormal | SecurityLevelExtreme
 	SecurityLevelsHighAndExtreme   uint8 = SecurityLevelHigh | SecurityLevelExtreme
 	SecurityLevelsAll              uint8 = SecurityLevelNormal | SecurityLevelHigh | SecurityLevelExtreme
+)

+// SecurityLevelValues defines all possible security levels.
+var SecurityLevelValues = []config.PossibleValue{
+	{
+		Name:  "Normal",
+		Value: SecurityLevelsAll,
+	},
+	{
+		Name:  "High",
+		Value: SecurityLevelsHighAndExtreme,
+	},
+	{
+		Name:  "Extreme",
+		Value: SecurityLevelExtreme,
+	},
+}
+
+// AllSecurityLevelValues is like SecurityLevelValues but also includes Off.
+var AllSecurityLevelValues = append([]config.PossibleValue{
+	{
+		Name:  "Off",
+		Value: SecurityLevelOff,
+	},
+},
+	SecurityLevelValues...,
+)
+
+// Status constants
+const (
 	StatusOff     uint8 = 0
 	StatusError   uint8 = 1
 	StatusWarning uint8 = 2
--- a/status/get.go
+++ b/status/get.go
@ -5,20 +5,10 @@ import (
 )

 var (
-	activeSecurityLevel   *uint32
-	selectedSecurityLevel *uint32
+	activeSecurityLevel   = new(uint32)
+	selectedSecurityLevel = new(uint32)
 )

-func init() {
-	var (
-		activeSecurityLevelValue   uint32
-		selectedSecurityLevelValue uint32
-	)
-
-	activeSecurityLevel = &activeSecurityLevelValue
-	selectedSecurityLevel = &selectedSecurityLevelValue
-}
-
 // ActiveSecurityLevel returns the current security level.
 func ActiveSecurityLevel() uint8 {
 	return uint8(atomic.LoadUint32(activeSecurityLevel))
--- a/updates/config.go
+++ b/updates/config.go
@ -2,7 +2,6 @@ package updates

 import (
 	"context"
-	"fmt"

 	"github.com/safing/portbase/config"
 	"github.com/safing/portbase/log"
@ -27,14 +26,25 @@ func registerConfig() error {
 		Name:            "Release Channel",
 		Key:             releaseChannelKey,
 		Description:     "The Release Channel changes which updates are applied. When using beta, you will receive new features earlier and Portmaster will update more frequently. Some beta or experimental features are also available in the stable release channel.",
-		Order:           1,
 		OptType:         config.OptTypeString,
 		ExpertiseLevel:  config.ExpertiseLevelExpert,
 		ReleaseLevel:    config.ReleaseLevelBeta,
 		RequiresRestart: false,
 		DefaultValue:    releaseChannelStable,
-		ExternalOptType: "string list",
-		ValidationRegex: fmt.Sprintf("^(%s|%s)$", releaseChannelStable, releaseChannelBeta),
+		PossibleValues: []config.PossibleValue{
+			{
+				Name:  "Stable",
+				Value: releaseChannelStable,
+			},
+			{
+				Name:  "Beta",
+				Value: releaseChannelBeta,
+			},
+		},
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: 1,
+			config.DisplayHintAnnotation:  config.DisplayHintOneOf,
+		},
 	})
 	if err != nil {
 		return err
@ -44,13 +54,14 @@ func registerConfig() error {
 		Name:            "Disable Updates",
 		Key:             disableUpdatesKey,
 		Description:     "Disable automatic updates.",
-		Order:           64,
 		OptType:         config.OptTypeBool,
 		ExpertiseLevel:  config.ExpertiseLevelExpert,
 		ReleaseLevel:    config.ReleaseLevelStable,
 		RequiresRestart: false,
 		DefaultValue:    false,
-		ExternalOptType: "disable updates",
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: 64,
+		},
 	})
 	if err != nil {
 		return err