From 90535c5c86d7944c018203c83f54787f424b43ae Mon Sep 17 00:00:00 2001
From: Patrick Pacher
Date: Wed, 27 Mar 2024 12:55:31 +0100
Subject: [PATCH 1/2] Add support for --allowed-clients parameter to whitelist binaries that are allowed to talk to the Portmaster API
---
 service/firewall/api.go | 10 ++++++++++
 service/firewall/module.go | 20 +++++++++++++++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/service/firewall/api.go b/service/firewall/api.go
index 949e168f..f5f0db0f 100644
--- a/service/firewall/api.go
+++ b/service/firewall/api.go
@@ -6,6 +6,7 @@ import (
 "net"
 "net/http"
 "path/filepath"
+ "slices"
 "strings"
 "time"
@@ -164,6 +165,15 @@ func authenticateAPIRequest(ctx context.Context, pktInfo *packet.Info) (retry bo
 default: // normal process
 // Check if the requesting process is in database root / updates dir.
 if realPath, err := filepath.EvalSymlinks(proc.Path); err == nil {
+
+ // check if the client has been allowed by flag
+ if slices.Contains(allowedClients, realPath) {
+ log.Infof("filter: access to portmaster api allowed for configured client: %s", realPath)
+ return false, nil
+ } else if len(allowedClients) > 0 {
+ log.Warningf("filter: process is not in the allowed clients list: %s (list=%s)", realPath, allowedClients)
+ }
+
 if strings.HasPrefix(realPath, authenticatedPath) {
 return false, nil
 }
diff --git a/service/firewall/module.go b/service/firewall/module.go
index 73292967..168ee7b8 100644
--- a/service/firewall/module.go
+++ b/service/firewall/module.go
@@ -2,7 +2,9 @@ package firewall
 import (
 "context"
+ "flag"
 "fmt"
+ "path/filepath"
 "strings"
 "github.com/safing/portbase/config"
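Review bot: The new `if slices.Contains(allowedClients, realPath)` check compares the symlink-resolved, absolute `realPath` with flag values that module.go's `Set` only runs through `filepath.Clean`, so an entry given as a relative path, or one that reaches the binary through a symlink, never matches and the allowlist silently does nothing for it. Storing the value after `filepath.Abs` and `filepath.EvalSymlinks` in `Set` (the module.go hunk of this same patch) makes both sides comparable. Because a match returns before every other authentication step, the block deserves a comment making the trust model explicit, e.g. `// An allowlisted entry grants full API access on the strength of the executable path alone; same trust assumptions as authenticatedPath.`. authenticateAPIRequest starts before this hunk and continues after it.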
@@ -16,7 +18,21 @@ import (
 "github.com/safing/portmaster/spn/captain"
 )
-var module *modules.Module
+type stringSliceFlag []string
+
+func (ss *stringSliceFlag) String() string {
+ return strings.Join(*ss, ":")
+}
+
+func (ss *stringSliceFlag) Set(value string) error {
+ *ss = append(*ss, filepath.Clean(value))
+ return nil
+}
+
+var (
+ module *modules.Module
+ allowedClients stringSliceFlag
+)
 func init() {
 module = modules.Register("filter", prep, start, stop, "core", "interception", "intel", "netquery")
@@ -28,6 +44,8 @@ func init() {
 "config:filter/",
 nil,
 )
+
+ flag.Var(&allowedClients, "allowed-clients", "A list of binaries that are allowed to connect to the Portmaster API")
 }
 func prep() error {
From 8e6a99ba14fdfaa6ae199897de59da5d75b89fd3 Mon Sep 17 00:00:00 2001
From: Patrick Pacher
Date: Wed, 27 Mar 2024 13:56:16 +0100
Subject: [PATCH 2/2] Fix logging in firewall api for allowed-clients
---
 service/firewall/api.go | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/service/firewall/api.go b/service/firewall/api.go
index f5f0db0f..244ec2b8 100644
--- a/service/firewall/api.go
+++ b/service/firewall/api.go
@@ -168,10 +168,7 @@ func authenticateAPIRequest(ctx context.Context, pktInfo *packet.Info) (retry bo
 // check if the client has been allowed by flag
 if slices.Contains(allowedClients, realPath) {
- log.Infof("filter: access to portmaster api allowed for configured client: %s", realPath)
 return false, nil
- } else if len(allowedClients) > 0 {
- log.Warningf("filter: process is not in the allowed clients list: %s (list=%s)", realPath, allowedClients)
 }
 if strings.HasPrefix(realPath, authenticatedPath) {
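Review bot: `Set` accepts any value after `filepath.Clean` and never returns an error, so a relative path, a path through a symlink, or a typo is stored silently and can never equal the `filepath.EvalSymlinks` result it is compared against in api.go; resolving the value with `filepath.Abs` and `filepath.EvalSymlinks` and returning the error turns a bad entry into a startup failure instead of a silently non-functional allowlist (rewrite below; if entries must be accepted before the binary exists, keep the absolute path as a fallback). `String` joins entries with `:`, which reads as a list syntax that `Set` does not parse and collides with Windows drive letters; `strings.Join(*ss, ", ")` avoids both. The usage string in the following `flag.Var` hunk has the same list framing; `"Path of a binary allowed to connect to the Portmaster API; may be given multiple times"` matches what `Set` actually does. The new type and its methods carry no doc comments; a line such as `// stringSliceFlag collects repeated --allowed-clients values; each Set call appends one resolved path.` would cover it.
```go
func (ss *stringSliceFlag) Set(value string) error {
	abs, err := filepath.Abs(value)
	if err != nil {
		return fmt.Errorf("allowed client %q: %w", value, err)
	}
	// Compare like with like: api.go matches against filepath.EvalSymlinks(proc.Path).
	resolved, err := filepath.EvalSymlinks(abs)
	if err != nil {
		return fmt.Errorf("allowed client %q: %w", value, err)
	}
	*ss = append(*ss, resolved)
	return nil
}
```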