Merge pull request #483 from safing/feature/network-rating-system

Add support to enable/disable the network rating system

profile/config.go

@@ -103,6 +103,22 @@ var (
 	cfgOptionUseSPNOrder = 129
 )
 
+// A list of all security level settings.
+var securityLevelSettings = []string{
+	CfgOptionBlockScopeInternetKey,
+	CfgOptionBlockScopeLANKey,
+	CfgOptionBlockScopeLocalKey,
+	CfgOptionBlockP2PKey,
+	CfgOptionBlockInboundKey,
+	CfgOptionFilterSubDomainsKey,
+	CfgOptionFilterCNAMEKey,
+	CfgOptionRemoveOutOfScopeDNSKey,
+	CfgOptionRemoveBlockedDNSKey,
+	CfgOptionDomainHeuristicsKey,
+	CfgOptionPreventBypassingKey,
+	CfgOptionDisableAutoPermitKey,
+}
+
 func registerConfiguration() error {
 	// Default Filter Action
 	// permit - blocklist mode: everything is allowed unless blocked

profile/migrations.go

@@ -0,0 +1,47 @@
+package profile
+
+import (
+	"context"
+
+	"github.com/hashicorp/go-version"
+	"github.com/safing/portbase/config"
+	"github.com/safing/portbase/database"
+	"github.com/safing/portbase/database/migration"
+	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/status"
+)
+
+func registerMigrations() error {
+	return migrations.Add(
+		migration.Migration{
+			Description: "Migrate to configurable network rating system",
+			Version:     "v1.0.0",
+			MigrateFunc: migrateNetworkRatingSystem,
+		},
+	)
+}
+
+func migrateNetworkRatingSystem(ctx context.Context, _, _ *version.Version, db *database.Interface) error {
+	// determine the default value for the network rating system by searching for
+	// a global security level setting that is not set to the default.
+	networkRatingEnabled := false
+	for _, cfgkey := range securityLevelSettings {
+		def, err := config.GetOption(cfgkey)
+		if err != nil {
+			return err
+		}
+
+		intValue := config.Concurrent.GetAsInt(cfgkey, 0)()
+		if def.DefaultValue.(uint8) != uint8(intValue) {
+			log.Tracer(ctx).Infof("found global security level setting with changed value. 0x%2x (default) != 0x%2x (current)", def.DefaultValue, intValue)
+			networkRatingEnabled = true
+			break
+		}
+	}
+
+	if networkRatingEnabled {
+		status.SetNetworkRating(networkRatingEnabled)
+	}
+
+	return nil
+}

profile/module.go

@@ -3,6 +3,7 @@ package profile
 import (
 	"os"
 
+	"github.com/safing/portbase/database/migration"
 	"github.com/safing/portbase/log"
 	"github.com/safing/portbase/modules"
 	"github.com/safing/portmaster/updates"
@@ -12,6 +13,7 @@ import (
 )
 
 var (
+	migrations  = migration.New("core:migrations/profile")
 	module      *modules.Module
 	updatesPath string
 )
@@ -21,13 +23,15 @@ func init() {
 }
 
 func prep() error {
-	err := registerConfiguration()
+	if err := registerConfiguration(); err != nil {
-	if err != nil {
 		return err
 	}
 
-	err = registerConfigUpdater()
+	if err := registerConfigUpdater(); err != nil {
-	if err != nil {
+		return err
+	}
+
+	if err := registerMigrations(); err != nil {
 		return err
 	}
 
@@ -40,6 +44,10 @@ func start() error {
 		updatesPath += string(os.PathSeparator)
 	}
 
+	if err := migrations.Migrate(module.Ctx); err != nil {
+		return err
+	}
+
 	err := registerValidationDBHook()
 	if err != nil {
 		return err

status/config.go

@@ -0,0 +1,38 @@
+package status
+
+import "github.com/safing/portbase/config"
+
+var (
+	CfgEnableNetworkRatingSystemKey = "core/enableNetworkRating"
+	cfgEnableNetworkRatingSystem    config.BoolOption
+)
+
+func registerConfig() error {
+	if err := config.Register(&config.Option{
+		Name:           "Enable Network Rating System",
+		Key:            CfgEnableNetworkRatingSystemKey,
+		Description:    "Enables the Network Rating System, which allows you to quickly increase security and privacy throughout the settings by changing your the network rating level in the top left. Please note that this feature is now in the sunset phase and will be replaced by a superior and easier to understand system in the future.",
+		OptType:        config.OptTypeBool,
+		ExpertiseLevel: config.ExpertiseLevelExpert,
+		ReleaseLevel:   config.ReleaseLevelStable,
+		DefaultValue:   false,
+		Annotations: config.Annotations{
+			config.DisplayOrderAnnotation: 514,
+		},
+	}); err != nil {
+		return err
+	}
+	cfgEnableNetworkRatingSystem = config.Concurrent.GetAsBool(CfgEnableNetworkRatingSystemKey, false)
+
+	return nil
+}
+
+// NetworkRatingEnabled returns true if the network rating system has been enabled.
+func NetworkRatingEnabled() bool {
+	return cfgEnableNetworkRatingSystem()
+}
+
+// SetNetworkRating enables or disables the network rating system.
+func SetNetworkRating(enabled bool) {
+	config.SetConfigOption(CfgEnableNetworkRatingSystemKey, enabled)
+}

status/module.go

@@ -14,7 +14,7 @@ var (
 )
 
 func init() {
-	module = modules.Register("status", nil, start, nil, "base")
+	module = modules.Register("status", prepare, start, nil, "base", "config")
 }
 
 func start() error {
@@ -26,7 +26,7 @@ func start() error {
 
 	triggerAutopilot()
 
-	err := module.RegisterEventHook(
+	if err := module.RegisterEventHook(
 		netenv.ModuleName,
 		netenv.OnlineStatusChangedEvent,
 		"update online status in system status",
@@ -34,8 +34,30 @@ func start() error {
 			triggerAutopilot()
 			return nil
 		},
-	)
+	); err != nil {
-	if err != nil {
+		return err
+	}
+
+	if err := module.RegisterEventHook(
+		"config",
+		"config change",
+		"Update network rating system",
+		func(_ context.Context, _ interface{}) error {
+			if !NetworkRatingEnabled() && ActiveSecurityLevel() != SecurityLevelNormal {
+				setSelectedLevel(SecurityLevelNormal)
+				triggerAutopilot()
+			}
+			return nil
+		},
+	); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func prepare() error {
+	if err := registerConfig(); err != nil {
 		return err
 	}
 

status/provider.go

@@ -54,6 +54,12 @@ func setSelectedSecurityLevel(r record.Record) (record.Record, error) {
 		}
 	}
 
+	// if the network rating system is not used at all we always force the security
+	// level to trusted.
+	if !NetworkRatingEnabled() {
+		upd.SelectedSecurityLevel = SecurityLevelNormal
+	}
+
 	if !IsValidSecurityLevel(upd.SelectedSecurityLevel) {
 		return nil, fmt.Errorf("invalid security level: %d", upd.SelectedSecurityLevel)
 	}

updates/helper/electron.go

@@ -23,10 +23,14 @@ func EnsureChromeSandboxPermissions(reg *updater.ResourceRegistry) error {
 		return nil
 	}
 
-	if checkSysctl("kernel.unprivileged_userns_clone", '1') {
+	_, err := os.Stat("/proc/self/ns/user")
-		log.Debug("updates: kernel support for unprivileged USERNS_CLONE is enabled")
+	if err == nil {
 		return nil
 	}
+	if !os.IsNotExist(err) {
+		return err
+	}
+	// err == ENOENT
 
 	if pmElectronUpdate != nil && !pmElectronUpdate.UpgradeAvailable() {
 		return nil
@@ -35,7 +39,6 @@ func EnsureChromeSandboxPermissions(reg *updater.ResourceRegistry) error {
 
 	log.Debug("updates: kernel support for unprivileged USERNS_CLONE disabled")
 
-	var err error
 	pmElectronUpdate, err = reg.GetFile(identifier)
 	if err != nil {
 		return err