Add support for --allowed-clients parameter to whitelist binaries that are allowed to talk to the Portmaster API

2024-03-27 12:55:31 +01:00
parent 3c0a362bff
commit 90535c5c86
2 changed files with 29 additions and 1 deletions
--- a/service/firewall/api.go
+++ b/service/firewall/api.go
@@ -6,6 +6,7 @@ import (
 	"net"
 	"net/http"
 	"path/filepath"
+	"slices"
 	"strings"
 	"time"

@@ -164,6 +165,15 @@ func authenticateAPIRequest(ctx context.Context, pktInfo *packet.Info) (retry bo
 			default: // normal process
 				// Check if the requesting process is in database root / updates dir.
 				if realPath, err := filepath.EvalSymlinks(proc.Path); err == nil {
+
+					// check if the client has been allowed by flag
+					if slices.Contains(allowedClients, realPath) {
+						log.Infof("filter: access to portmaster api allowed for configured client: %s", realPath)
+						return false, nil
+					} else if len(allowedClients) > 0 {
+						log.Warningf("filter: process is not in the allowed clients list: %s (list=%s)", realPath, allowedClients)
+					}
+
 					if strings.HasPrefix(realPath, authenticatedPath) {
 						return false, nil
 					}