From 350555f843b255c499f1946ce8acb8e46a130d04 Mon Sep 17 00:00:00 2001 From: Daniel Date: Fri, 24 Apr 2020 09:59:36 +0200 Subject: [PATCH 01/17] Fix concurrent map read/write, maybe --- network/clean.go | 11 +++++++---- network/database.go | 6 ++++++ 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/network/clean.go b/network/clean.go index ec51b611..3b1bbac9 100644 --- a/network/clean.go +++ b/network/clean.go @@ -41,8 +41,14 @@ func cleanConnections() (activePIDs map[int]struct{}) { now := time.Now().Unix() deleteOlderThan := time.Now().Add(-deleteConnsAfterEndedThreshold).Unix() - // network connections + // lock both together because we cannot fully guarantee in which map a connection lands + // of course every connection should land in the correct map, but this increases resilience connsLock.Lock() + defer connsLock.Unlock() + dnsConnsLock.Lock() + defer dnsConnsLock.Unlock() + + // network connections for key, conn := range conns { conn.Lock() @@ -67,10 +73,8 @@ func cleanConnections() (activePIDs map[int]struct{}) { conn.Unlock() } - connsLock.Unlock() // dns requests - dnsConnsLock.Lock() for _, conn := range dnsConns { conn.Lock() @@ -82,7 +86,6 @@ func cleanConnections() (activePIDs map[int]struct{}) { conn.Unlock() } - dnsConnsLock.Unlock() return nil }) diff --git a/network/database.go b/network/database.go index 073dcbc0..ee42a5b1 100644 --- a/network/database.go +++ b/network/database.go @@ -77,9 +77,11 @@ func (s *StorageInterface) processQuery(q *query.Query, it *iterator.Iterator) { if slashes <= 1 { // processes for _, proc := range process.All() { + proc.Lock() if q.Matches(proc) { it.Next <- proc } + proc.Unlock() } } @@ -87,9 +89,11 @@ func (s *StorageInterface) processQuery(q *query.Query, it *iterator.Iterator) { // dns scopes only dnsConnsLock.RLock() for _, dnsConn := range dnsConns { + dnsConn.Lock() if q.Matches(dnsConn) { it.Next <- dnsConn } + dnsConn.Unlock() } dnsConnsLock.RUnlock() } @@ -98,9 +102,11 @@ func (s *StorageInterface) processQuery(q *query.Query, it *iterator.Iterator) { // connections connsLock.RLock() for _, conn := range conns { + conn.Lock() if q.Matches(conn) { it.Next <- conn } + conn.Unlock() } connsLock.RUnlock() } From d2d69139b91b60e35bd2d43eb8a1870d758eb7bb Mon Sep 17 00:00:00 2001 From: Daniel Date: Fri, 24 Apr 2020 10:02:07 +0200 Subject: [PATCH 02/17] Add control db interface for triggering hooks, add shutdown/restart hooks --- core/control.go | 100 ++++++++++++++++++++++++++++++++++++++++++++++ core/core.go | 9 +++++ core/databases.go | 2 +- core/events.go | 46 +++++++++++++++++++++ 4 files changed, 156 insertions(+), 1 deletion(-) create mode 100644 core/control.go create mode 100644 core/events.go diff --git a/core/control.go b/core/control.go new file mode 100644 index 00000000..b94163d9 --- /dev/null +++ b/core/control.go @@ -0,0 +1,100 @@ +package core + +import ( + "fmt" + "strings" + "sync" + + "github.com/safing/portbase/database" + "github.com/safing/portbase/database/record" + "github.com/safing/portbase/database/storage" +) + +// StorageInterface provices a storage.Interface to the storage manager. +type StorageInterface struct { + storage.InjectBase +} + +// Get returns a database record. +func (s *StorageInterface) Get(key string) (record.Record, error) { + msg := newMessage(key) + splittedKey := strings.Split(key, "/") + + switch splittedKey[0] { + case "module": + return controlModule(msg, splittedKey) + default: + return nil, storage.ErrNotFound + } +} + +func controlModule(msg *MessageRecord, splittedKey []string) (record.Record, error) { + // format: module/moduleName/action/param + var moduleName string + var action string + var param string + var err error + + // parse elements + switch len(splittedKey) { + case 4: + param = splittedKey[3] + fallthrough + case 3: + moduleName = splittedKey[1] + action = splittedKey[2] + default: + return nil, storage.ErrNotFound + } + + // execute + switch action { + case "trigger": + err = module.InjectEvent(fmt.Sprintf("user triggered the '%s/%s' event", moduleName, param), moduleName, param, nil) + default: + return nil, storage.ErrNotFound + } + + if err != nil { + msg.Message = err.Error() + } else { + msg.Success = true + } + + return msg, nil +} + +func registerControlDatabase() error { + _, err := database.Register(&database.Database{ + Name: "control", + Description: "Control Interface for the Portmaster", + StorageType: "injected", + PrimaryAPI: "", + }) + if err != nil { + return err + } + + _, err = database.InjectDatabase("control", &StorageInterface{}) + if err != nil { + return err + } + + return nil +} + +// MessageRecord is a simple record used for control database feedback +type MessageRecord struct { + record.Base + sync.Mutex + + Success bool + Message string +} + +func newMessage(key string) *MessageRecord { + m := &MessageRecord{} + m.SetKey("control:" + key) + m.UpdateMeta() + return m +} diff --git a/core/core.go b/core/core.go index d70569f0..039758e0 100644 --- a/core/core.go +++ b/core/core.go @@ -31,10 +31,19 @@ func init() { ) } +func prep() error { + registerEvents() + return nil +} + func start() error { if err := startPlatformSpecific(); err != nil { return fmt.Errorf("failed to start plattform-specific components: %s", err) } + if err := registerEventHooks(); err != nil { + return err + } + return nil } diff --git a/core/databases.go b/core/databases.go index 941aa97a..df8f37ae 100644 --- a/core/databases.go +++ b/core/databases.go @@ -46,5 +46,5 @@ func registerDatabases() error { // return err // } - return nil + return registerControlDatabase() } diff --git a/core/events.go b/core/events.go new file mode 100644 index 00000000..908347fd --- /dev/null +++ b/core/events.go @@ -0,0 +1,46 @@ +package core + +import ( + "context" + + "github.com/safing/portbase/log" + "github.com/safing/portbase/modules" +) + +const ( + eventShutdown = "shutdown" + eventRestart = "restart" + restartCode = 23 +) + +func registerEvents() { + module.RegisterEvent(eventShutdown) + module.RegisterEvent(eventRestart) +} + +func registerEventHooks() error { + err := module.RegisterEventHook("core", eventShutdown, "execute shutdown", shutdown) + if err != nil { + return err + } + + err = module.RegisterEventHook("core", eventRestart, "execute shutdown", restart) + if err != nil { + return err + } + + return nil +} + +func shutdown(ctx context.Context, _ interface{}) error { + log.Warning("core: user requested shutdown") + go modules.Shutdown() //nolint:errcheck + return nil +} + +func restart(ctx context.Context, data interface{}) error { + log.Info("core: user requested restart") + modules.SetExitStatusCode(restartCode) + go modules.Shutdown() //nolint:errcheck + return nil +} From 5c7739e28a0c34df9cfc271bbc1c5f7266012f37 Mon Sep 17 00:00:00 2001 From: Daniel Date: Fri, 24 Apr 2020 10:04:08 +0200 Subject: [PATCH 03/17] Add hook to re/unload UI assets --- ui/module.go | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/ui/module.go b/ui/module.go index 75a127a2..76a130ef 100644 --- a/ui/module.go +++ b/ui/module.go @@ -1,13 +1,51 @@ package ui import ( + "context" + + resources "github.com/cookieo9/resources-go" + "github.com/safing/portbase/log" "github.com/safing/portbase/modules" ) +const ( + eventReload = "reload" +) + +var ( + module *modules.Module +) + func init() { - modules.Register("ui", prep, nil, nil, "api", "updates") + module = modules.Register("ui", prep, start, nil, "api", "updates") } func prep() error { + module.RegisterEvent(eventReload) + return registerRoutes() } + +func start() error { + return module.RegisterEventHook("ui", eventReload, "reload assets", reloadUI) +} + +func reloadUI(ctx context.Context, _ interface{}) error { + log.Info("core: user/UI requested UI reload") + + appsLock.Lock() + defer appsLock.Unlock() + + // close all bundles + for id, bundle := range apps { + err := bundle.Close() + if err != nil { + log.Warningf("ui: failed to close bundle %s: %s", id, err) + } + } + + // reset index + apps = make(map[string]*resources.BundleSequence) + + return nil +} From 95041d217cc82dd882189afe348adfdf58611d43 Mon Sep 17 00:00:00 2001 From: Daniel Date: Fri, 24 Apr 2020 10:17:15 +0200 Subject: [PATCH 04/17] Fix module dependencies, split filter into interception and filter modules --- core/core.go | 14 +++++- firewall/filter.go | 47 ++++++++++++++++++++ firewall/{firewall.go => interception.go} | 53 ++++++++--------------- firewall/ports.go | 2 +- intel/filterlists/module.go | 7 ++- nameserver/nameserver.go | 2 +- network/module.go | 2 +- profile/module.go | 2 +- 8 files changed, 89 insertions(+), 40 deletions(-) create mode 100644 firewall/filter.go rename firewall/{firewall.go => interception.go} (88%) diff --git a/core/core.go b/core/core.go index 039758e0..f7a6d13a 100644 --- a/core/core.go +++ b/core/core.go @@ -20,7 +20,19 @@ var ( func init() { modules.Register("base", nil, registerDatabases, nil, "database", "config", "rng") - module = modules.Register("core", nil, start, nil, "base", "subsystems", "status", "updates", "api", "notifications", "ui") + // For prettier subsystem graph, printed with --print-subsystem-graph + /* + subsystems.Register( + "base", + "Base", + "THE GROUND.", + baseModule, + "", + nil, + ) + */ + + module = modules.Register("core", prep, start, nil, "base", "subsystems", "status", "updates", "api", "notifications", "ui", "netenv", "network", "interception") subsystems.Register( "core", "Core", diff --git a/firewall/filter.go b/firewall/filter.go new file mode 100644 index 00000000..6302401c --- /dev/null +++ b/firewall/filter.go @@ -0,0 +1,47 @@ +package firewall + +import ( + "github.com/safing/portbase/config" + "github.com/safing/portbase/modules/subsystems" + + "github.com/safing/portbase/modules" + + // module dependencies + _ "github.com/safing/portmaster/core" + _ "github.com/safing/portmaster/profile" +) + +var ( + filterModule *modules.Module + filterEnabled config.BoolOption +) + +func init() { + filterModule = modules.Register("filter", filterPrep, nil, nil, "core", "intel") + subsystems.Register( + "filter", + "Privacy Filter", + "DNS and Network Filter", + filterModule, + "config:filter/", + &config.Option{ + Name: "Enable Privacy Filter", + Key: CfgOptionEnableFilterKey, + Description: "Enable the Privacy Filter Subsystem to filter DNS queries and network requests.", + OptType: config.OptTypeBool, + ExpertiseLevel: config.ExpertiseLevelUser, + ReleaseLevel: config.ReleaseLevelBeta, + DefaultValue: true, + }, + ) +} + +func filterPrep() (err error) { + err = registerConfig() + if err != nil { + return err + } + + filterEnabled = config.GetAsBool(CfgOptionEnableFilterKey, true) + return nil +} diff --git a/firewall/firewall.go b/firewall/interception.go similarity index 88% rename from firewall/firewall.go rename to firewall/interception.go index 923e87f2..f7bf1f1d 100644 --- a/firewall/firewall.go +++ b/firewall/interception.go @@ -7,9 +7,6 @@ import ( "sync/atomic" "time" - "github.com/safing/portbase/config" - "github.com/safing/portbase/modules/subsystems" - "github.com/safing/portbase/log" "github.com/safing/portbase/modules" "github.com/safing/portmaster/firewall/inspection" @@ -23,7 +20,7 @@ import ( ) var ( - module *modules.Module + interceptionModule *modules.Module // localNet net.IPNet // localhost net.IP @@ -45,33 +42,12 @@ var ( ) func init() { - module = modules.Register("filter", prep, start, stop, "core", "network", "nameserver", "intel") - subsystems.Register( - "filter", - "Privacy Filter", - "DNS and Network Filter", - module, - "config:filter/", - &config.Option{ - Name: "Enable Privacy Filter", - Key: CfgOptionEnableFilterKey, - Description: "Enable the Privacy Filter Subsystem to filter DNS queries and network requests.", - OptType: config.OptTypeBool, - ExpertiseLevel: config.ExpertiseLevelUser, - ReleaseLevel: config.ReleaseLevelBeta, - DefaultValue: true, - }, - ) + interceptionModule = modules.Register("interception", interceptionPrep, interceptionStart, interceptionStop, "base") network.SetDefaultFirewallHandler(defaultHandler) } -func prep() (err error) { - err = registerConfig() - if err != nil { - return err - } - +func interceptionPrep() (err error) { err = prepAPIAuth() if err != nil { return err @@ -101,20 +77,20 @@ func prep() (err error) { return nil } -func start() error { +func interceptionStart() error { startAPIAuth() - module.StartWorker("stat logger", func(ctx context.Context) error { + interceptionModule.StartWorker("stat logger", func(ctx context.Context) error { statLogger() return nil }) - module.StartWorker("packet handler", func(ctx context.Context) error { + interceptionModule.StartWorker("packet handler", func(ctx context.Context) error { run() return nil }) - module.StartWorker("ports state cleaner", func(ctx context.Context) error { + interceptionModule.StartWorker("ports state cleaner", func(ctx context.Context) error { portsInUseCleaner() return nil }) @@ -122,7 +98,7 @@ func start() error { return interception.Start() } -func stop() error { +func interceptionStop() error { return interception.Stop() } @@ -248,6 +224,15 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) { return } + // check if filtering is enabled + if !filterEnabled() { + conn.Inspecting = false + conn.SetVerdict(network.VerdictAccept, "privacy filter disabled", nil) + conn.StopFirewallHandler() + issueVerdict(conn, pkt, 0, true) + return + } + log.Tracer(pkt.Ctx()).Trace("filter: starting decision process") DecideOnConnection(conn, pkt) conn.Inspecting = false // TODO: enable inspecting again @@ -350,7 +335,7 @@ func issueVerdict(conn *network.Connection, pkt packet.Packet, verdict network.V func run() { for { select { - case <-module.Stopping(): + case <-interceptionModule.Stopping(): return case pkt := <-interception.Packets: handlePacket(pkt) @@ -361,7 +346,7 @@ func run() { func statLogger() { for { select { - case <-module.Stopping(): + case <-interceptionModule.Stopping(): return case <-time.After(10 * time.Second): log.Tracef( diff --git a/firewall/ports.go b/firewall/ports.go index 50b39d31..c0e3eb65 100644 --- a/firewall/ports.go +++ b/firewall/ports.go @@ -72,7 +72,7 @@ func GetPermittedPort() uint16 { func portsInUseCleaner() { for { select { - case <-module.Stopping(): + case <-interceptionModule.Stopping(): return case <-time.After(cleanerTickDuration): cleanPortsInUse() diff --git a/intel/filterlists/module.go b/intel/filterlists/module.go index 9b74c5c4..38d9deaa 100644 --- a/intel/filterlists/module.go +++ b/intel/filterlists/module.go @@ -33,7 +33,7 @@ var ( func init() { ignoreNetEnvEvents.Set() - module = modules.Register("filterlists", prep, start, nil, "core", "netenv") + module = modules.Register("filterlists", prep, start, stop, "core") } func prep() error { @@ -98,3 +98,8 @@ func start() error { return nil } + +func stop() error { + filterListsLoaded = make(chan struct{}) + return nil +} diff --git a/nameserver/nameserver.go b/nameserver/nameserver.go index 03d71701..82f3077e 100644 --- a/nameserver/nameserver.go +++ b/nameserver/nameserver.go @@ -32,7 +32,7 @@ var ( ) func init() { - module = modules.Register("nameserver", prep, start, stop, "core", "resolver", "network", "netenv") + module = modules.Register("nameserver", prep, start, stop, "core", "resolver") subsystems.Register( "dns", "Secure DNS", diff --git a/network/module.go b/network/module.go index 8b2c8309..70f2fd24 100644 --- a/network/module.go +++ b/network/module.go @@ -16,7 +16,7 @@ var ( ) func init() { - module = modules.Register("network", nil, start, nil, "core", "processes") + module = modules.Register("network", nil, start, nil, "base", "processes") } // SetDefaultFirewallHandler sets the default firewall handler. diff --git a/profile/module.go b/profile/module.go index 8d962a8a..1cc83688 100644 --- a/profile/module.go +++ b/profile/module.go @@ -14,7 +14,7 @@ var ( ) func init() { - module = modules.Register("profiles", prep, start, nil, "core") + module = modules.Register("profiles", prep, start, nil, "base") } func prep() error { From 5209a090c448fe95c0d3bef78c4cd82518f4c98a Mon Sep 17 00:00:00 2001 From: Daniel Date: Fri, 24 Apr 2020 10:55:49 +0200 Subject: [PATCH 05/17] Update config options, add options to turn off system notifications --- core/config.go | 17 +++++++++++++++++ firewall/config.go | 45 ++++++++++++++++++++++++++++++++++----------- firewall/prompt.go | 6 +++--- process/config.go | 1 + profile/config.go | 4 ++-- updates/config.go | 6 ++++++ 6 files changed, 63 insertions(+), 16 deletions(-) diff --git a/core/config.go b/core/config.go index 0ee6921f..0383d68f 100644 --- a/core/config.go +++ b/core/config.go @@ -11,6 +11,8 @@ import ( var ( CfgDevModeKey = "core/devMode" defaultDevMode bool + + CfgUseSystemNotificationsKey = "core/useSystemNotifications" ) func init() { @@ -28,6 +30,7 @@ func registerConfig() error { Name: "Development Mode", Key: CfgDevModeKey, Description: "In Development Mode security restrictions are lifted/softened to enable easier access to Portmaster for debugging and testing purposes.", + Order: 127, OptType: config.OptTypeBool, ExpertiseLevel: config.ExpertiseLevelDeveloper, ReleaseLevel: config.ReleaseLevelStable, @@ -37,5 +40,19 @@ func registerConfig() error { return err } + err = config.Register(&config.Option{ + Name: "Use System Notifications", + Key: CfgUseSystemNotificationsKey, + Description: "Send notifications to your operating system's notification system. When this setting is turned off, notifications will only be visible in the Portmaster App. This affects both alerts from the Portmaster and questions from the Privacy Filter.", + Order: 32, + OptType: config.OptTypeBool, + ExpertiseLevel: config.ExpertiseLevelUser, + ReleaseLevel: config.ReleaseLevelStable, + DefaultValue: true, // TODO: turn off by default on unsupported systems + }) + if err != nil { + return err + } + return nil } diff --git a/firewall/config.go b/firewall/config.go index 53d607e5..2a9308b3 100644 --- a/firewall/config.go +++ b/firewall/config.go @@ -1,16 +1,23 @@ package firewall import ( + "github.com/safing/portbase/api" "github.com/safing/portbase/config" + "github.com/safing/portmaster/core" ) // Configuration Keys var ( CfgOptionEnableFilterKey = "filter/enable" - CfgOptionPromptTimeoutKey = "filter/promptTimeout" - CfgOptionPromptTimeoutOrder = 2 - promptTimeout config.IntOption + CfgOptionAskWithSystemNotificationsKey = "filter/askWithSystemNotifications" + CfgOptionAskWithSystemNotificationsOrder = 2 + askWithSystemNotifications config.BoolOption + useSystemNotifications config.BoolOption + + CfgOptionAskTimeoutKey = "filter/askTimeout" + CfgOptionAskTimeoutOrder = 3 + askTimeout config.IntOption CfgOptionPermanentVerdictsKey = "filter/permanentVerdicts" CfgOptionPermanentVerdictsOrder = 128 @@ -37,22 +44,38 @@ func registerConfig() error { permanentVerdicts = config.Concurrent.GetAsBool(CfgOptionPermanentVerdictsKey, true) err = config.Register(&config.Option{ - Name: "Timeout for prompt notifications", - Key: CfgOptionPromptTimeoutKey, - Description: "Amount of time how long Portmaster will wait for a response when prompting about a connection via a notification. In seconds.", - Order: CfgOptionPromptTimeoutOrder, + Name: "Ask with System Notifications", + Key: CfgOptionAskWithSystemNotificationsKey, + Description: `Ask about connections using your operating system's notification system. For this to be enabled, the setting "Use System Notifications" must enabled too. This only affects questions from the Privacy Filter, and does not affect alerts from the Portmaster.`, + Order: CfgOptionAskWithSystemNotificationsOrder, + OptType: config.OptTypeBool, + ExpertiseLevel: config.ExpertiseLevelUser, + ReleaseLevel: config.ReleaseLevelStable, + DefaultValue: true, + }) + if err != nil { + return err + } + askWithSystemNotifications = config.Concurrent.GetAsBool(CfgOptionAskWithSystemNotificationsKey, true) + useSystemNotifications = config.Concurrent.GetAsBool(core.CfgUseSystemNotificationsKey, true) + + err = config.Register(&config.Option{ + Name: "Timeout for Ask Notifications", + Key: CfgOptionAskTimeoutKey, + Description: "Amount of time (in seconds) how long the Portmaster will wait for a response when prompting about a connection via a notification. Please note that system notifications might not respect this or have it's own limits.", + Order: CfgOptionAskTimeoutOrder, OptType: config.OptTypeInt, ExpertiseLevel: config.ExpertiseLevelUser, - ReleaseLevel: config.ReleaseLevelBeta, + ReleaseLevel: config.ReleaseLevelStable, DefaultValue: 60, }) if err != nil { return err } - promptTimeout = config.Concurrent.GetAsInt(CfgOptionPromptTimeoutKey, 60) + askTimeout = config.Concurrent.GetAsInt(CfgOptionAskTimeoutKey, 60) - devMode = config.Concurrent.GetAsBool("core/devMode", false) - apiListenAddress = config.GetAsString("api/listenAddress", "") + devMode = config.Concurrent.GetAsBool(core.CfgDevModeKey, false) + apiListenAddress = config.GetAsString(api.CfgDefaultListenAddressKey, "") return nil } diff --git a/firewall/prompt.go b/firewall/prompt.go index 210b63a9..bc4f7109 100644 --- a/firewall/prompt.go +++ b/firewall/prompt.go @@ -26,16 +26,16 @@ const ( ) func prompt(conn *network.Connection, pkt packet.Packet) { //nolint:gocognit // TODO - nTTL := time.Duration(promptTimeout()) * time.Second + nTTL := time.Duration(askTimeout()) * time.Second // first check if there is an existing notification for this. // build notification ID var nID string switch { case conn.Inbound, conn.Entity.Domain == "": // connection to/from IP - nID = fmt.Sprintf("firewall-prompt-%d-%s-%s", conn.Process().Pid, conn.Scope, pkt.Info().RemoteIP()) + nID = fmt.Sprintf("filter:prompt-%d-%s-%s", conn.Process().Pid, conn.Scope, pkt.Info().RemoteIP()) default: // connection to domain - nID = fmt.Sprintf("firewall-prompt-%d-%s", conn.Process().Pid, conn.Scope) + nID = fmt.Sprintf("filter:prompt-%d-%s", conn.Process().Pid, conn.Scope) } n := notifications.Get(nID) saveResponse := true diff --git a/process/config.go b/process/config.go index 9329eddb..a4d8c205 100644 --- a/process/config.go +++ b/process/config.go @@ -17,6 +17,7 @@ func registerConfiguration() error { Name: "Enable Process Detection", Key: CfgOptionEnableProcessDetectionKey, Description: "This option enables the attribution of network traffic to processes. This should be always enabled, and effectively disables app profiles if disabled.", + Order: 144, OptType: config.OptTypeBool, ExpertiseLevel: config.ExpertiseLevelDeveloper, DefaultValue: true, diff --git a/profile/config.go b/profile/config.go index 9f0e3ad3..aaf11b2c 100644 --- a/profile/config.go +++ b/profile/config.go @@ -300,7 +300,7 @@ Examples: err = config.Register(&config.Option{ Name: "Block Peer to Peer Connections", Key: CfgOptionBlockP2PKey, - Description: "Block peer to peer connections. These are connections that are established directly to an IP address on the Internet without resolving a domain name via DNS first.", + Description: "These are connections that are established directly to an IP address on the Internet without resolving a domain name via DNS first.", Order: cfgOptionBlockP2POrder, OptType: config.OptTypeInt, ExternalOptType: "security level", @@ -317,7 +317,7 @@ Examples: err = config.Register(&config.Option{ Name: "Block Inbound Connections", Key: CfgOptionBlockInboundKey, - Description: "Block inbound connections to your device. This will usually only be the case if you are running a network service or are using peer to peer software.", + Description: "Connections initiated towards your device. This will usually only be the case if you are running a network service or are using peer to peer software.", Order: cfgOptionBlockInboundOrder, OptType: config.OptTypeInt, ExternalOptType: "security level", diff --git a/updates/config.go b/updates/config.go index 59955549..86d78a2f 100644 --- a/updates/config.go +++ b/updates/config.go @@ -8,6 +8,10 @@ import ( "github.com/safing/portbase/log" ) +const ( + cfgDevModeKey = "core/devMode" +) + var ( releaseChannel config.StringOption devMode config.BoolOption @@ -23,6 +27,7 @@ func registerConfig() error { Name: "Release Channel", Key: releaseChannelKey, Description: "The Release Channel changes which updates are applied. When using beta, you will receive new features earlier and Portmaster will update more frequently. Some beta or experimental features are also available in the stable release channel.", + Order: 1, OptType: config.OptTypeString, ExpertiseLevel: config.ExpertiseLevelExpert, ReleaseLevel: config.ReleaseLevelBeta, @@ -39,6 +44,7 @@ func registerConfig() error { Name: "Disable Updates", Key: disableUpdatesKey, Description: "Disable automatic updates.", + Order: 64, OptType: config.OptTypeBool, ExpertiseLevel: config.ExpertiseLevelExpert, ReleaseLevel: config.ReleaseLevelStable, From d89b612e3de8a72aa30532e47574d3072cb07d84 Mon Sep 17 00:00:00 2001 From: Daniel Date: Fri, 24 Apr 2020 10:56:10 +0200 Subject: [PATCH 06/17] Fix updates config handling --- updates/config.go | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/updates/config.go b/updates/config.go index 86d78a2f..9852aa5e 100644 --- a/updates/config.go +++ b/updates/config.go @@ -61,9 +61,13 @@ func registerConfig() error { func initConfig() { releaseChannel = config.GetAsString(releaseChannelKey, releaseChannelStable) - disableUpdates = config.GetAsBool(disableUpdatesKey, false) + previousReleaseChannel = releaseChannel() - devMode = config.GetAsBool("core/devMode", false) + disableUpdates = config.GetAsBool(disableUpdatesKey, false) + updatesCurrentlyDisabled = disableUpdates() + + devMode = config.GetAsBool(cfgDevModeKey, false) + previousDevMode = devMode() } func updateRegistryConfig(_ context.Context, _ interface{}) error { @@ -96,8 +100,8 @@ func updateRegistryConfig(_ context.Context, _ interface{}) error { module.Resolve(updateFailed) _ = TriggerUpdate() log.Infof("updates: automatic updates enabled again.") - } else { - module.Warning(updateFailed, "Updates are disabled!") + } else if updatesCurrentlyDisabled { + module.Warning(updateFailed, "Automatic updates are disabled! This also affects security updates and threat intelligence.") log.Warningf("updates: automatic updates are now disabled.") } } From 3b0d60b6117159e21872cdfb71372eb28757dbb6 Mon Sep 17 00:00:00 2001 From: Daniel Date: Fri, 24 Apr 2020 10:56:30 +0200 Subject: [PATCH 07/17] Update restart exit code in pmctl --- pmctl/run.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pmctl/run.go b/pmctl/run.go index 1f9ffcfc..53133697 100644 --- a/pmctl/run.go +++ b/pmctl/run.go @@ -17,6 +17,10 @@ import ( "github.com/tevino/abool" ) +const ( + restartCode = 23 +) + var ( runningInConsole bool onWindows = runtime.GOOS == "windows" @@ -375,7 +379,7 @@ func execute(opts *Options, args []string) (cont bool, err error) { case 1: // error exit return true, fmt.Errorf("error during execution: %s", err) - case 2357427: // Leet Speak for "restart" + case restartCode: // restart request log.Printf("restarting %s\n", opts.Identifier) return true, nil From 542577314b637741e0b14219c48ab700b5c94ec8 Mon Sep 17 00:00:00 2001 From: Daniel Date: Fri, 24 Apr 2020 10:57:24 +0200 Subject: [PATCH 08/17] Rename reason ctx to prevent confusion with context.Ctx --- network/connection.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/network/connection.go b/network/connection.go index bbc088dc..f24a22e9 100644 --- a/network/connection.go +++ b/network/connection.go @@ -236,11 +236,11 @@ func (conn *Connection) Failed(reason string) { } // SetVerdict sets a new verdict for the connection, making sure it does not interfere with previous verdicts. -func (conn *Connection) SetVerdict(newVerdict Verdict, reason string, ctx interface{}) (ok bool) { +func (conn *Connection) SetVerdict(newVerdict Verdict, reason string, reasonCtx interface{}) (ok bool) { if newVerdict >= conn.Verdict { conn.Verdict = newVerdict conn.Reason = reason - conn.ReasonContext = ctx + conn.ReasonContext = reasonCtx return true } return false From fe7d14636065ec743738720c69d5e11d61ada9eb Mon Sep 17 00:00:00 2001 From: Daniel Date: Fri, 24 Apr 2020 10:58:39 +0200 Subject: [PATCH 09/17] Switch from ACCEPT to RETURN when accepting a packet/connection with iptables This will ensure the Portmaster will not circumvent existing firewall rules. --- firewall/interception/nfqueue_linux.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/firewall/interception/nfqueue_linux.go b/firewall/interception/nfqueue_linux.go index 48cebadc..312478cb 100644 --- a/firewall/interception/nfqueue_linux.go +++ b/firewall/interception/nfqueue_linux.go @@ -45,14 +45,14 @@ func init() { "mangle C171 -m mark --mark 0 -j NFQUEUE --queue-num 17140 --queue-bypass", "filter C17 -m mark --mark 0 -j DROP", - "filter C17 -m mark --mark 1700 -j ACCEPT", + "filter C17 -m mark --mark 1700 -j RETURN", "filter C17 -m mark --mark 1701 -j REJECT --reject-with icmp-host-prohibited", "filter C17 -m mark --mark 1702 -j DROP", "filter C17 -j CONNMARK --save-mark", - "filter C17 -m mark --mark 1710 -j ACCEPT", + "filter C17 -m mark --mark 1710 -j RETURN", "filter C17 -m mark --mark 1711 -j REJECT --reject-with icmp-host-prohibited", "filter C17 -m mark --mark 1712 -j DROP", - "filter C17 -m mark --mark 1717 -j ACCEPT", + "filter C17 -m mark --mark 1717 -j RETURN", } v4once = []string{ @@ -80,14 +80,14 @@ func init() { "mangle C171 -m mark --mark 0 -j NFQUEUE --queue-num 17160 --queue-bypass", "filter C17 -m mark --mark 0 -j DROP", - "filter C17 -m mark --mark 1700 -j ACCEPT", + "filter C17 -m mark --mark 1700 -j RETURN", "filter C17 -m mark --mark 1701 -j REJECT --reject-with icmp6-adm-prohibited", "filter C17 -m mark --mark 1702 -j DROP", "filter C17 -j CONNMARK --save-mark", - "filter C17 -m mark --mark 1710 -j ACCEPT", + "filter C17 -m mark --mark 1710 -j RETURN", "filter C17 -m mark --mark 1711 -j REJECT --reject-with icmp6-adm-prohibited", "filter C17 -m mark --mark 1712 -j DROP", - "filter C17 -m mark --mark 1717 -j ACCEPT", + "filter C17 -m mark --mark 1717 -j RETURN", } v6once = []string{ From 6d6b03cac306650189276c09b3b629658e0bfdbd Mon Sep 17 00:00:00 2001 From: Daniel Date: Fri, 24 Apr 2020 11:31:26 +0200 Subject: [PATCH 10/17] Remove deprecated code --- status/module.go | 2 -- status/set.go | 42 ------------------------------------------ status/set_test.go | 2 -- status/status.go | 8 -------- status/updates.go | 18 ------------------ 5 files changed, 72 deletions(-) delete mode 100644 status/updates.go diff --git a/status/module.go b/status/module.go index da3486e9..a3b64085 100644 --- a/status/module.go +++ b/status/module.go @@ -37,8 +37,6 @@ func start() error { // load status into atomic getters atomicUpdateSelectedSecurityLevel(status.SelectedSecurityLevel) - atomicUpdatePortmasterStatus(status.PortmasterStatus) - atomicUpdateGate17Status(status.Gate17Status) // update status status.updateThreatMitigationLevel() diff --git a/status/set.go b/status/set.go index 036995d4..a7815bef 100644 --- a/status/set.go +++ b/status/set.go @@ -45,40 +45,6 @@ func setSelectedSecurityLevel(level uint8) { } } -// SetPortmasterStatus sets the current Portmaster status. -func SetPortmasterStatus(pmStatus uint8, msg string) { - switch pmStatus { - case StatusOff, StatusError, StatusWarning, StatusOk: - status.Lock() - defer status.Unlock() - - status.PortmasterStatus = pmStatus - status.PortmasterStatusMsg = msg - atomicUpdatePortmasterStatus(pmStatus) - - go status.Save() - default: - log.Errorf("status: tried to set portmaster to invalid status: %d", pmStatus) - } -} - -// SetGate17Status sets the current Gate17 status. -func SetGate17Status(g17Status uint8, msg string) { - switch g17Status { - case StatusOff, StatusError, StatusWarning, StatusOk: - status.Lock() - defer status.Unlock() - - status.Gate17Status = g17Status - status.Gate17StatusMsg = msg - atomicUpdateGate17Status(g17Status) - - go status.Save() - default: - log.Errorf("status: tried to set gate17 to invalid status: %d", g17Status) - } -} - // update functions for atomic stuff func atomicUpdateActiveSecurityLevel(level uint8) { atomic.StoreUint32(activeSecurityLevel, uint32(level)) @@ -87,11 +53,3 @@ func atomicUpdateActiveSecurityLevel(level uint8) { func atomicUpdateSelectedSecurityLevel(level uint8) { atomic.StoreUint32(selectedSecurityLevel, uint32(level)) } - -func atomicUpdatePortmasterStatus(status uint8) { - atomic.StoreUint32(portmasterStatus, uint32(status)) -} - -func atomicUpdateGate17Status(status uint8) { - atomic.StoreUint32(gate17Status, uint32(status)) -} diff --git a/status/set_test.go b/status/set_test.go index 3502c152..7bb70f41 100644 --- a/status/set_test.go +++ b/status/set_test.go @@ -7,7 +7,5 @@ func TestSet(t *testing.T) { // only test for panics // TODO: write real tests setSelectedSecurityLevel(0) - SetPortmasterStatus(0, "") - SetGate17Status(0, "") } diff --git a/status/status.go b/status/status.go index f25981e5..544b764b 100644 --- a/status/status.go +++ b/status/status.go @@ -28,16 +28,8 @@ type SystemStatus struct { ActiveSecurityLevel uint8 SelectedSecurityLevel uint8 - PortmasterStatus uint8 - PortmasterStatusMsg string - - Gate17Status uint8 - Gate17StatusMsg string - ThreatMitigationLevel uint8 Threats map[string]*Threat - - UpdateStatus string } // Save saves the SystemStatus to the database diff --git a/status/updates.go b/status/updates.go deleted file mode 100644 index 2b9ef79f..00000000 --- a/status/updates.go +++ /dev/null @@ -1,18 +0,0 @@ -package status - -// Update status options -const ( - UpdateStatusCurrentStable = "stable" - UpdateStatusCurrentBeta = "beta" - UpdateStatusAvailable = "available" // restart or reboot required - UpdateStatusFailed = "failed" // check logs -) - -// SetUpdateStatus updates the system status with a new update status. -func SetUpdateStatus(newStatus string) { - status.Lock() - status.UpdateStatus = newStatus - status.Unlock() - - go status.Save() -} From 97a8475364e3cab5229c73090ef1902f0518f0ce Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 28 Apr 2020 09:56:23 +0200 Subject: [PATCH 11/17] Fix hierarchical config handling --- profile/config-update.go | 14 ++++++++++---- profile/database.go | 5 +++++ profile/profile.go | 2 +- 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/profile/config-update.go b/profile/config-update.go index b4c3f5e4..6a515753 100644 --- a/profile/config-update.go +++ b/profile/config-update.go @@ -5,6 +5,8 @@ import ( "fmt" "sync" + "github.com/safing/portbase/config" + "github.com/safing/portmaster/intel/filterlists" "github.com/safing/portmaster/profile/endpoints" ) @@ -77,20 +79,24 @@ func updateGlobalConfigProfile(ctx context.Context, data interface{}) error { internalSave: true, } + newConfig := make(map[string]interface{}) // fill profile config options for key, value := range cfgStringOptions { - profile.Config[key] = value() + newConfig[key] = value() } for key, value := range cfgStringArrayOptions { - profile.Config[key] = value() + newConfig[key] = value() } for key, value := range cfgIntOptions { - profile.Config[key] = value() + newConfig[key] = value() } for key, value := range cfgBoolOptions { - profile.Config[key] = value() + newConfig[key] = value() } + // expand and assign + profile.Config = config.Expand(newConfig) + // save profile err = profile.Save() if err != nil && lastErr == nil { diff --git a/profile/database.go b/profile/database.go index 1d6e0a09..75414f1f 100644 --- a/profile/database.go +++ b/profile/database.go @@ -5,6 +5,8 @@ import ( "errors" "strings" + "github.com/safing/portbase/config" + "github.com/safing/portbase/database" "github.com/safing/portbase/database/query" "github.com/safing/portbase/database/record" @@ -87,6 +89,9 @@ func (h *databaseHook) PrePut(r record.Record) (record.Record, error) { return nil, err } + // clean config + config.CleanHierarchicalConfig(profile.Config) + // prepare config err = profile.prepConfig() if err != nil { diff --git a/profile/profile.go b/profile/profile.go index bf228fdb..0a66e8f1 100644 --- a/profile/profile.go +++ b/profile/profile.go @@ -237,7 +237,7 @@ func (profile *Profile) addEndpointyEntry(cfgKey, newEntry string) { endpointList = make([]string, 0, 1) } endpointList = append(endpointList, newEntry) - profile.Config[cfgKey] = endpointList + config.PutValueIntoHierarchicalConfig(profile.Config, cfgKey, endpointList) profile.Unlock() err := profile.Save() From 0e30d70d55db1439881251862d35ed71b624d2da Mon Sep 17 00:00:00 2001 From: Daniel Date: Tue, 28 Apr 2020 09:56:52 +0200 Subject: [PATCH 12/17] Improve config help text --- profile/config.go | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/profile/config.go b/profile/config.go index aaf11b2c..0fc06c05 100644 --- a/profile/config.go +++ b/profile/config.go @@ -131,7 +131,7 @@ func registerConfiguration() error { "+": permit "-": block Host Matching: - IP, CIDR, Country Code, ASN, "*" for any + IP, CIDR, Country Code, ASN, Filterlist, "*" for any Domains: "example.com": exact match ".example.com": exact match + subdomains @@ -144,7 +144,11 @@ func registerConfiguration() error { Examples: + .example.com */HTTP - .example.com - + 192.168.0.1/24`, + + 192.168.0.1/24 + - L:MAL + - AS0 + + AT + - *`, Order: cfgOptionEndpointsOrder, OptType: config.OptTypeStringArray, DefaultValue: []string{}, @@ -167,7 +171,7 @@ Examples: "+": permit "-": block Host Matching: - IP, CIDR, Country Code, ASN, "*" for any + IP, CIDR, Country Code, ASN, Filterlist, "*" for any Domains: "example.com": exact match ".example.com": exact match + subdomains @@ -180,7 +184,11 @@ Examples: Examples: + .example.com */HTTP - .example.com - + 192.168.0.1/24`, + + 192.168.0.1/24 + - L:MAL + - AS0 + + AT + - *`, Order: cfgOptionServiceEndpointsOrder, OptType: config.OptTypeStringArray, DefaultValue: []string{}, From 580144a6764daea58fac72bca58dd6483bfb776c Mon Sep 17 00:00:00 2001 From: Daniel Date: Wed, 29 Apr 2020 17:06:57 +0200 Subject: [PATCH 13/17] Populate connection Inbound attribute --- network/connection.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/network/connection.go b/network/connection.go index f24a22e9..bb5529f1 100644 --- a/network/connection.go +++ b/network/connection.go @@ -146,13 +146,13 @@ func NewConnectionFromFirstPacket(pkt packet.Packet) *Connection { } } - timestamp := time.Now().Unix() return &Connection{ ID: pkt.GetConnectionID(), Scope: scope, + Inbound: inbound, Entity: entity, process: proc, - Started: timestamp, + Started: time.Now().Unix(), } } From 20e836b8ffdabf9e7d205c1bad57bebca7388f90 Mon Sep 17 00:00:00 2001 From: Daniel Date: Thu, 30 Apr 2020 14:15:10 +0200 Subject: [PATCH 14/17] Fix BlockP2P to only bock connections to the Internet --- firewall/master.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/firewall/master.go b/firewall/master.go index 06a0f5f1..5297c9fe 100644 --- a/firewall/master.go +++ b/firewall/master.go @@ -163,8 +163,8 @@ func checkConnectionType(conn *network.Connection, _ packet.Packet) bool { } return true } - case network.PeerLAN, network.PeerInternet, network.PeerInvalid: - // Important: PeerHost is and should be missing! + case network.PeerInternet: + // BlockP2P only applies to connections to the Internet if p.BlockP2P() { conn.Block("direct connections (P2P) blocked") return true From 0cf10b6d9dc5c5626cec8cdd8c071398b684d4f0 Mon Sep 17 00:00:00 2001 From: Daniel Date: Thu, 30 Apr 2020 14:15:43 +0200 Subject: [PATCH 15/17] Improve network scope filter options --- profile/config.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/profile/config.go b/profile/config.go index 0fc06c05..6a7fc56d 100644 --- a/profile/config.go +++ b/profile/config.go @@ -257,9 +257,10 @@ Examples: err = config.Register(&config.Option{ Name: "Block Scope Local", Key: CfgOptionBlockScopeLocalKey, - Description: "Block connections to your own device, ie. localhost.", + Description: "Block connections internally on own device, ie. localhost.", Order: cfgOptionBlockScopeLocalOrder, OptType: config.OptTypeInt, + ExpertiseLevel: config.ExpertiseLevelExpert, ExternalOptType: "security level", DefaultValue: status.SecurityLevelOff, ValidationRegex: "^(0|4|6|7)$", @@ -278,7 +279,7 @@ Examples: Order: cfgOptionBlockScopeLANOrder, OptType: config.OptTypeInt, ExternalOptType: "security level", - DefaultValue: status.SecurityLevelOff, + DefaultValue: status.SecurityLevelsNormalAndExtreme, ValidationRegex: "^(0|4|6|7)$", }) if err != nil { From b91b8fcdc972eacd71379ab70413f7bdb93afda5 Mon Sep 17 00:00:00 2001 From: Daniel Date: Thu, 30 Apr 2020 14:16:06 +0200 Subject: [PATCH 16/17] Fix IP classification for LAN multicast --- network/netutils/ip.go | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/network/netutils/ip.go b/network/netutils/ip.go index 586dc185..8e40447c 100644 --- a/network/netutils/ip.go +++ b/network/netutils/ip.go @@ -14,7 +14,7 @@ const ( ) // ClassifyIP returns the classification for the given IP address. -func ClassifyIP(ip net.IP) int8 { +func ClassifyIP(ip net.IP) int8 { //nolint:gocognit if ip4 := ip.To4(); ip4 != nil { // IPv4 switch { @@ -36,11 +36,18 @@ func ClassifyIP(ip net.IP) int8 { case ip4[0] == 224: // 224.0.0.0/8 return LocalMulticast - case ip4[0] >= 225 && ip4[0] <= 239: - // 225.0.0.0/8 - 239.0.0.0/8 + case ip4[0] >= 225 && ip4[0] <= 238: + // 225.0.0.0/8 - 238.0.0.0/8 return GlobalMulticast + case ip4[0] == 239: + // 239.0.0.0/8 + // RFC2365 - https://tools.ietf.org/html/rfc2365 + return LocalMulticast + case ip4[0] == 255 && ip4[1] == 255 && ip4[2] == 255 && ip4[3] == 255: + // 255.255.255.255/32 + return LocalMulticast case ip4[0] >= 240: - // 240.0.0.0/8 - 255.0.0.0/8 + // 240.0.0.0/8 - 255.0.0.0/8 (minus 255.255.255.255/32) return Invalid default: return Global From 0030a43cabe9f4ab5f028232ef94180684ebd43e Mon Sep 17 00:00:00 2001 From: Daniel Date: Thu, 30 Apr 2020 16:29:32 +0200 Subject: [PATCH 17/17] Implement review suggestions --- profile/config.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/profile/config.go b/profile/config.go index 6a7fc56d..4464a513 100644 --- a/profile/config.go +++ b/profile/config.go @@ -257,7 +257,7 @@ Examples: err = config.Register(&config.Option{ Name: "Block Scope Local", Key: CfgOptionBlockScopeLocalKey, - Description: "Block connections internally on own device, ie. localhost.", + Description: "Block internal connections on your own device, ie. localhost.", Order: cfgOptionBlockScopeLocalOrder, OptType: config.OptTypeInt, ExpertiseLevel: config.ExpertiseLevelExpert, @@ -279,7 +279,7 @@ Examples: Order: cfgOptionBlockScopeLANOrder, OptType: config.OptTypeInt, ExternalOptType: "security level", - DefaultValue: status.SecurityLevelsNormalAndExtreme, + DefaultValue: status.SecurityLevelsHighAndExtreme, ValidationRegex: "^(0|4|6|7)$", }) if err != nil {