Merge branch 'develop' into feature/winkext

2019-04-01 14:47:42 +02:00
parent 74e1b0e8e9 af2f6c2ebe
commit a702cd4824
13 changed files with 133 additions and 43 deletions
--- a/README.md
+++ b/README.md
@@ -75,3 +75,15 @@ Documentation _in progress_ can be found here: [docs.safing.io](http://docs.safi
  - debian/ubuntu:  `sudo apt-get install libnetfilter-queue-dev`
  - fedora:         `?`
  - arch:           `?`
+
+## TCP/UDP Ports
+
+The Portmaster (with Gate17) uses the following ports:
+- ` 17` Gate17 port for connecting to Gate17 nodes
+- ` 53` DNS server (local only)
+- `717` Gate17 entrypoint as the local endpoint for tunneled connections (local only)
+- `817` Portmaster API for integration with UI elements and other helpers (local only)
+
+Learn more about [why we chose these ports](https://docs.safing.io/docs/portmaster/os-integration.html).
+
+Gate17 nodes additionally uses other common ports like `80` and `443` to provide access in restricted network environments.
--- a/firewall/firewall.go
+++ b/firewall/firewall.go
@@ -28,8 +28,6 @@ var (
 	packetsDropped  *uint64

 	localNet4 *net.IPNet
-	// Yes, this would normally be 127.0.0.0/8
-	// TODO: figure out any side effects

 	localhost4 = net.IPv4(127, 0, 0, 1)
 	localhost6 = net.IPv6loopback
--- a/firewall/master.go
+++ b/firewall/master.go
@@ -36,6 +36,7 @@ func DecideOnCommunicationBeforeIntel(comm *network.Communication, fqdn string)

 	// check if communication needs reevaluation
 	if comm.NeedsReevaluation() {
+		log.Infof("firewall: re-evaluating verdict on %s", comm)
 		comm.ResetVerdict()
 	}

@@ -89,6 +90,7 @@ func DecideOnCommunicationBeforeIntel(comm *network.Communication, fqdn string)

 // DecideOnCommunicationAfterIntel makes a decision about a communication after the dns query is resolved and intel is gathered.
 func DecideOnCommunicationAfterIntel(comm *network.Communication, fqdn string, rrCache *intel.RRCache) {
+	// rrCache may be nil, when function is called for re-evaluation by DecideOnCommunication

 	// check if need to run
 	if comm.GetVerdict() != network.VerdictUndecided {
@@ -353,9 +355,16 @@ func FilterDNSResponse(comm *network.Communication, fqdn string, rrCache *intel.
 // DecideOnCommunication makes a decision about a communication with its first packet.
 func DecideOnCommunication(comm *network.Communication, pkt packet.Packet) {

-	// check if communication needs reevaluation
+	// check if communication needs reevaluation, if it's not with a domain
 	if comm.NeedsReevaluation() {
+		log.Infof("firewall: re-evaluating verdict on %s", comm)
 		comm.ResetVerdict()
+
+		// if communicating with a domain entity, re-evaluate with Before/AfterIntel
+		if strings.HasSuffix(comm.Domain, ".") {
+			DecideOnCommunicationBeforeIntel(comm, comm.Domain)
+			DecideOnCommunicationAfterIntel(comm, comm.Domain, nil)
+		}
 	}

 	// check if need to run
--- a/main.go
+++ b/main.go
@@ -31,7 +31,7 @@ func init() {
 func main() {

 	// Set Info
-	info.Set("Portmaster", "0.2.3", "AGPLv3", true)
+	info.Set("Portmaster", "0.2.4", "AGPLv3", true)

 	// Start
 	err := modules.Start()
--- a/network/communication.go
+++ b/network/communication.go
@@ -131,9 +131,13 @@ func (comm *Communication) NeedsReevaluation() bool {
 	comm.Lock()
 	defer comm.Unlock()

-	updateVersion := profile.GetUpdateVersion()
-	if comm.profileUpdateVersion != updateVersion {
-		comm.profileUpdateVersion = updateVersion
+	oldVersion := comm.profileUpdateVersion
+	comm.profileUpdateVersion = profile.GetUpdateVersion()
+
+	if oldVersion == 0 {
+		return false
+	}
+	if oldVersion != comm.profileUpdateVersion {
 		return true
 	}
 	return false
--- a/process/database.go
+++ b/process/database.go
@@ -70,16 +70,19 @@ func (p *Process) Delete() {
 	p.Lock()
 	defer p.Unlock()

+	// delete from internal storage
 	processesLock.Lock()
 	delete(processes, p.Pid)
 	processesLock.Unlock()

+	// propagate delete
 	p.Meta().Delete()
 	if dbControllerFlag.IsSet() {
 		go dbController.PushUpdate(p)
 	}

-	// TODO: this should not be necessary, as processes should always have a profileSet.
+	// deactivate profile
+	// TODO: check if there is another process using the same profile set
 	if p.profileSet != nil {
 		profile.DeactivateProfileSet(p.profileSet)
 	}
--- a/process/matching.go
+++ b/process/matching.go
@@ -1,6 +1,8 @@
 package process

 import (
+	"fmt"
+
 	"github.com/Safing/portbase/database"
 	"github.com/Safing/portbase/database/query"
 	"github.com/Safing/portbase/log"
@@ -64,7 +66,7 @@ func (p *Process) FindProfiles() error {
 	// FIXME: implement!

 	p.UserProfileKey = userProfile.Key()
-	p.profileSet = profile.NewSet(userProfile, nil)
+	p.profileSet = profile.NewSet(fmt.Sprintf("%d-%s", p.Pid, p.Path), userProfile, nil)
 	go p.Save()

 	return nil
--- a/profile/active.go
+++ b/profile/active.go
@@ -1,6 +1,10 @@
 package profile

-import "sync"
+import (
+	"sync"
+
+	"github.com/Safing/portbase/log"
+)

 var (
 	activeProfileSets     = make(map[string]*Set)
@@ -8,47 +12,64 @@ var (
 )

 func activateProfileSet(set *Set) {
-	set.Lock()
-	defer set.Unlock()
 	activeProfileSetsLock.Lock()
 	defer activeProfileSetsLock.Unlock()
-	activeProfileSets[set.profiles[0].ID] = set
+	set.Lock()
+	defer set.Unlock()
+	activeProfileSets[set.id] = set
+	log.Tracef("profile: activated profile set %s", set.id)
 }

 // DeactivateProfileSet marks a profile set as not active.
 func DeactivateProfileSet(set *Set) {
-	set.Lock()
-	defer set.Unlock()
 	activeProfileSetsLock.Lock()
 	defer activeProfileSetsLock.Unlock()
-	delete(activeProfileSets, set.profiles[0].ID)
+	set.Lock()
+	defer set.Unlock()
+	delete(activeProfileSets, set.id)
+	log.Tracef("profile: deactivated profile set %s", set.id)
 }

-func updateActiveUserProfile(profile *Profile) {
-	activeProfileSetsLock.RLock()
-	defer activeProfileSetsLock.RUnlock()
-	activeSet, ok := activeProfileSets[profile.ID]
-	if ok {
-		activeSet.Lock()
-		defer activeSet.Unlock()
-		activeSet.profiles[0] = profile
-	}
-}
-
-func updateActiveStampProfile(profile *Profile) {
+func updateActiveProfile(profile *Profile, userProfile bool) {
 	activeProfileSetsLock.RLock()
 	defer activeProfileSetsLock.RUnlock()

+	var activeProfile *Profile
+	var profilesUpdated bool
+
+	// iterate all active profile sets
 	for _, activeSet := range activeProfileSets {
 		activeSet.Lock()
-		activeProfile := activeSet.profiles[2]
+
+		if userProfile {
+			activeProfile = activeSet.profiles[0]
+		} else {
+			activeProfile = activeSet.profiles[2]
+		}
+
+		// check if profile exists (for stamp profiles)
 		if activeProfile != nil {
 			activeProfile.Lock()
+
+			// check if the stamp profile has the same ID
 			if activeProfile.ID == profile.ID {
-				activeSet.profiles[2] = profile
+				if userProfile {
+					activeSet.profiles[0] = profile
+					log.Infof("profile: updated active user profile %s (%s)", profile.ID, profile.LinkedPath)
+				} else {
+					activeSet.profiles[2] = profile
+					log.Infof("profile: updated active stamp profile %s", profile.ID)
+				}
+				profilesUpdated = true
 			}
+
 			activeProfile.Unlock()
 		}
+
 		activeSet.Unlock()
 	}
+
+	if profilesUpdated {
+		increaseUpdateVersion()
+	}
 }
--- a/profile/endpoints.go
+++ b/profile/endpoints.go
@@ -114,9 +114,16 @@ func (e Endpoints) CheckIP(domain string, ip net.IP, protocol uint8, port uint16
 }

 func (ep EndpointPermission) matchesDomainOnly(domain string) (matches bool, reason string) {
+	dotInFront := strings.HasPrefix(ep.Value, ".")
 	wildcardInFront := strings.HasPrefix(ep.Value, "*")
 	wildcardInBack := strings.HasSuffix(ep.Value, "*")
+
 	switch {
+	case dotInFront && !wildcardInFront && !wildcardInBack:
+		// subdomain or domain
+		if strings.HasSuffix(domain, ep.Value) || domain == strings.TrimPrefix(ep.Value, ".") {
+			return true, fmt.Sprintf("%s matches %s", domain, ep.Value)
+		}
 	case wildcardInFront && wildcardInBack:
 		if strings.Contains(domain, strings.Trim(ep.Value, "*")) {
 			return true, fmt.Sprintf("%s matches %s", domain, ep.Value)
--- a/profile/endpoints_test.go
+++ b/profile/endpoints_test.go
@@ -59,13 +59,39 @@ func TestEndpointMatching(t *testing.T) {
 	ep.Value = "*example.com."
 	testEndpointDomainMatch(t, ep, "example.com.", Permitted)
 	testEndpointIPMatch(t, ep, "example.com.", net.ParseIP("10.2.3.4"), 6, 443, Permitted)
+	testEndpointDomainMatch(t, ep, "abc.example.com.", Permitted)
+	testEndpointIPMatch(t, ep, "abc.example.com.", net.ParseIP("10.2.3.4"), 6, 443, Permitted)
+	testEndpointDomainMatch(t, ep, "abc-example.com.", Permitted)
+	testEndpointIPMatch(t, ep, "abc-example.com.", net.ParseIP("10.2.3.4"), 6, 443, Permitted)
+
+	ep.Value = "*.example.com."
+	testEndpointDomainMatch(t, ep, "example.com.", NoMatch)
+	testEndpointIPMatch(t, ep, "example.com.", net.ParseIP("10.2.3.4"), 6, 443, NoMatch)
+	testEndpointDomainMatch(t, ep, "abc.example.com.", Permitted)
+	testEndpointIPMatch(t, ep, "abc.example.com.", net.ParseIP("10.2.3.4"), 6, 443, Permitted)
+	testEndpointDomainMatch(t, ep, "abc-example.com.", NoMatch)
+	testEndpointIPMatch(t, ep, "abc-example.com.", net.ParseIP("10.2.3.4"), 6, 443, NoMatch)
+
+	ep.Value = ".example.com."
+	testEndpointDomainMatch(t, ep, "example.com.", Permitted)
+	testEndpointIPMatch(t, ep, "example.com.", net.ParseIP("10.2.3.4"), 6, 443, Permitted)
+	testEndpointDomainMatch(t, ep, "abc.example.com.", Permitted)
+	testEndpointIPMatch(t, ep, "abc.example.com.", net.ParseIP("10.2.3.4"), 6, 443, Permitted)
+	testEndpointDomainMatch(t, ep, "abc-example.com.", NoMatch)
+	testEndpointIPMatch(t, ep, "abc-example.com.", net.ParseIP("10.2.3.4"), 6, 443, NoMatch)

-	ep.Type = EptDomain
 	ep.Value = "example.*"
 	testEndpointDomainMatch(t, ep, "example.com.", Permitted)
 	testEndpointIPMatch(t, ep, "example.com.", net.ParseIP("10.2.3.4"), 6, 443, Permitted)
+	testEndpointDomainMatch(t, ep, "abc.example.com.", NoMatch)
+	testEndpointIPMatch(t, ep, "abc.example.com.", net.ParseIP("10.2.3.4"), 6, 443, NoMatch)
+
+	ep.Value = ".example.*"
+	testEndpointDomainMatch(t, ep, "example.com.", NoMatch)
+	testEndpointIPMatch(t, ep, "example.com.", net.ParseIP("10.2.3.4"), 6, 443, NoMatch)
+	testEndpointDomainMatch(t, ep, "abc.example.com.", NoMatch)
+	testEndpointIPMatch(t, ep, "abc.example.com.", net.ParseIP("10.2.3.4"), 6, 443, NoMatch)

-	ep.Type = EptDomain
 	ep.Value = "*.exampl*"
 	testEndpointDomainMatch(t, ep, "abc.example.com.", Permitted)
 	testEndpointIPMatch(t, ep, "abc.example.com.", net.ParseIP("10.2.3.4"), 6, 443, Permitted)
--- a/profile/set.go
+++ b/profile/set.go
@@ -15,6 +15,7 @@ var (
 type Set struct {
 	sync.Mutex

+	id       string
 	profiles [4]*Profile
 	// Application
 	// Global
@@ -26,8 +27,9 @@ type Set struct {
 }

 // NewSet returns a new profile set with given the profiles.
-func NewSet(user, stamp *Profile) *Set {
+func NewSet(id string, user, stamp *Profile) *Set {
 	new := &Set{
+		id: id,
 		profiles: [4]*Profile{
 			user,  // Application
 			nil,   // Global
--- a/profile/set_test.go
+++ b/profile/set_test.go
@@ -140,7 +140,7 @@ func testEndpointIP(t *testing.T, set *Set, domain string, ip net.IP, protocol u

 func TestProfileSet(t *testing.T) {

-	set := NewSet(testUserProfile, testStampProfile)
+	set := NewSet("[pid]-/path/to/bin", testUserProfile, testStampProfile)

 	set.Update(status.SecurityLevelDynamic)
 	testFlag(t, set, Whitelist, false)
--- a/profile/updates.go
+++ b/profile/updates.go
@@ -10,7 +10,7 @@ import (
 )

 func initUpdateListener() error {
-	sub, err := profileDB.Subscribe(query.New(MakeProfileKey(SpecialNamespace, "")))
+	sub, err := profileDB.Subscribe(query.New("core:profiles/"))
 	if err != nil {
 		return err
 	}
@@ -36,34 +36,40 @@ func updateListener(sub *database.Subscription) {
 				continue
 			}

+			log.Infof("profile: updated %s", profile.ID)
+
 			switch profile.DatabaseKey() {
 			case "profiles/special/global":
+
 				specialProfileLock.Lock()
 				globalProfile = profile
 				specialProfileLock.Unlock()
+
 			case "profiles/special/fallback":
+
 				profile.Lock()
-				if ensureServiceEndpointsDenyAll(profile) {
-					profile.Unlock()
+				profileChanged := ensureServiceEndpointsDenyAll(profile)
+				profile.Unlock()
+
+				if profileChanged {
 					profile.Save(SpecialNamespace)
 					continue
 				}
-				profile.Unlock()

 				specialProfileLock.Lock()
 				fallbackProfile = profile
 				specialProfileLock.Unlock()
+
 			default:
+
 				switch {
 				case strings.HasPrefix(profile.Key(), MakeProfileKey(UserNamespace, "")):
-					updateActiveUserProfile(profile)
-					increaseUpdateVersion()
+					updateActiveProfile(profile, true /* User Profile */)
 				case strings.HasPrefix(profile.Key(), MakeProfileKey(StampNamespace, "")):
-					updateActiveStampProfile(profile)
-					increaseUpdateVersion()
+					updateActiveProfile(profile, false /* Stamp Profile */)
 				}
-			}

+			}
 		}
 	}
 }