vikarti.anatra/safing-portmaster
1
0
Fork 0
mirror of https://github.com/safing/portmaster synced 2025-09-02 10:39:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Implement review changes

Browse source
This commit is contained in:
Patrick Pacher 2020-04-17 11:52:53 +02:00
parent 58ad3eb88b
commit ea3e327c27
No known key found for this signature in database
GPG key ID: E8CD2DA160925A6D
4 changed files with 43 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
firewall/bypassing.go Normal file
View file

@ -0,0 +1,19 @@
package firewall
import (
"strings"
"github.com/safing/portmaster/network"
"github.com/safing/portmaster/profile/endpoints"
)
// PreventBypassing checks if the connection should be denied or permitted
// based on some bypass protection checks.
func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string) {
// Block firefox canary domain to disable DoH
if strings.ToLower(conn.Entity.Domain) == "use-application-dns.net." {
return endpoints.Denied, "blocked canary domain to prevent enabling DNS-over-HTTPs"
}
return endpoints.NoMatch, ""
}

25
firewall/master.go
View file

@ -141,16 +141,21 @@ func DecideOnConnection(conn *network.Connection, pkt packet.Packet) { //nolint:
} }
} }
// check for bypass protection var result endpoints.EPResult
result, reason := p.MatchBypassProtection(conn.Entity) var reason string
switch result {
case endpoints.Denied: if p.PreventBypassing() {
conn.Block("bypass prevention: " + reason) // check for bypass protection
return result, reason := PreventBypassing(conn)
case endpoints.Permitted: switch result {
conn.Accept("bypass prevention: " + reason) case endpoints.Denied:
return conn.Block("bypass prevention: " + reason)
case endpoints.NoMatch: return
case endpoints.Permitted:
conn.Accept("bypass prevention: " + reason)
return
case endpoints.NoMatch:
}
} }
// check endpoints list // check endpoints list

14
profile/config.go
View file

@ -54,8 +54,8 @@ var (
CfgOptionRemoveBlockedDNSKey = "filter/removeBlockedDNS" CfgOptionRemoveBlockedDNSKey = "filter/removeBlockedDNS"
cfgOptionRemoveBlockedDNS config.IntOption // security level option cfgOptionRemoveBlockedDNS config.IntOption // security level option
CfgOptionBypassProtectionKey = "filter/preventBypassing" CfgOptionPreventBypassingKey = "filter/preventBypassing"
cfgOptionBypassProtection config.IntOption // security level option cfgOptionPreventBypassing config.IntOption // security level option
) )
func registerConfiguration() error { func registerConfiguration() error {
@ -330,20 +330,20 @@ Examples:
err = config.Register(&config.Option{ err = config.Register(&config.Option{
Name: "Prevent Bypassing", Name: "Prevent Bypassing",
Key: CfgOptionBypassProtectionKey, Key: CfgOptionPreventBypassingKey,
Description: "Prevent apps from bypassing the privacy filter:\n- Firefox: Disable DNS-over-HTTPs", Description: "Prevent apps from bypassing the privacy filter: Firefox by disabling DNS-over-HTTPs",
OptType: config.OptTypeInt, OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelUser, ExpertiseLevel: config.ExpertiseLevelUser,
ReleaseLevel: config.ReleaseLevelBeta, ReleaseLevel: config.ReleaseLevelBeta,
ExternalOptType: "security level", ExternalOptType: "security level",
DefaultValue: status.SecurityLevelsAll, DefaultValue: status.SecurityLevelsAll,
ValidationRegex: "^(7|6|4|0)", ValidationRegex: "^(7|6|4)",
}) })
if err != nil { if err != nil {
return err return err
} }
cfgOptionBypassProtection = config.Concurrent.GetAsInt((CfgOptionBypassProtectionKey), int64(status.SecurityLevelsAll)) cfgOptionPreventBypassing = config.Concurrent.GetAsInt((CfgOptionPreventBypassingKey), int64(status.SecurityLevelsAll))
cfgIntOptions[CfgOptionBypassProtectionKey] = cfgOptionBypassProtection cfgIntOptions[CfgOptionPreventBypassingKey] = cfgOptionPreventBypassing
return nil return nil
} }

21
profile/profile-layered.go
View file

@ -1,7 +1,6 @@
package profile package profile
import ( import (
"strings"
"sync" "sync"
"sync/atomic" "sync/atomic"
@ -101,8 +100,8 @@ func NewLayeredProfile(localProfile *Profile) *LayeredProfile {
cfgOptionFilterSubDomains, cfgOptionFilterSubDomains,
) )
new.PreventBypassing = new.wrapSecurityLevelOption( new.PreventBypassing = new.wrapSecurityLevelOption(
CfgOptionBypassProtectionKey, CfgOptionPreventBypassingKey,
cfgOptionBypassProtection, cfgOptionPreventBypassing,
) )
// TODO: load linked profiles. // TODO: load linked profiles.
@ -259,22 +258,6 @@ func (lp *LayeredProfile) MatchFilterLists(entity *intel.Entity) (endpoints.EPRe
return endpoints.NoMatch, "" return endpoints.NoMatch, ""
} }
// MatchBypassProtection checks if the entity should be denied or permitted
// based on some bypass protection checks.
func (lp *LayeredProfile) MatchBypassProtection(entity *intel.Entity) (endpoints.EPResult, string) {
if !lp.PreventBypassing() {
return endpoints.NoMatch, ""
}
// Block firefox canary domain to disable DoH
if strings.ToLower(entity.Domain) == "use-application-dns.net." {
log.Warningf("bypass protection for firefox canary")
return endpoints.Denied, "Firefox canary domain"
}
return endpoints.NoMatch, ""
}
// AddEndpoint adds an endpoint to the local endpoint list, saves the local profile and reloads the configuration. // AddEndpoint adds an endpoint to the local endpoint list, saves the local profile and reloads the configuration.
func (lp *LayeredProfile) AddEndpoint(newEntry string) { func (lp *LayeredProfile) AddEndpoint(newEntry string) {
lp.localProfile.AddEndpoint(newEntry) lp.localProfile.AddEndpoint(newEntry)