2018-04-02 05:25:32 +02:00
|
|
|
package ui
|
|
|
|
|
|
|
|
|
|
import (
|
2018-04-02 18:26:04 +02:00
|
|
|
"fmt"
|
2018-04-02 05:25:32 +02:00
|
|
|
"net"
|
2018-04-07 01:52:43 +02:00
|
|
|
"strings"
|
2018-04-02 05:25:32 +02:00
|
|
|
"sync"
|
|
|
|
|
"time"
|
|
|
|
|
|
2019-10-20 21:51:35 +02:00
|
|
|
"github.com/gustavo-iniguez-goya/opensnitch/daemon/conman"
|
|
|
|
|
"github.com/gustavo-iniguez-goya/opensnitch/daemon/log"
|
|
|
|
|
"github.com/gustavo-iniguez-goya/opensnitch/daemon/rule"
|
|
|
|
|
"github.com/gustavo-iniguez-goya/opensnitch/daemon/statistics"
|
|
|
|
|
"github.com/gustavo-iniguez-goya/opensnitch/daemon/ui/protocol"
|
2018-04-02 18:11:36 +02:00
|
|
|
|
2019-11-01 01:00:10 +01:00
|
|
|
"github.com/fsnotify/fsnotify"
|
2020-04-19 20:13:31 +02:00
|
|
|
"golang.org/x/net/context"
|
2018-04-02 05:25:32 +02:00
|
|
|
"google.golang.org/grpc"
|
2018-04-02 18:11:36 +02:00
|
|
|
"google.golang.org/grpc/connectivity"
|
2018-04-02 05:25:32 +02:00
|
|
|
)
|
|
|
|
|
|
2018-04-07 13:52:25 +02:00
|
|
|
var (
|
2020-03-16 01:37:33 +01:00
|
|
|
configFile = "/etc/opensnitchd/default-config.json"
|
2020-06-19 18:02:09 +02:00
|
|
|
dummyOperator, _ = rule.NewOperator(rule.Simple, rule.OpTrue, "", make([]rule.Operator, 0))
|
|
|
|
|
clientDisconnectedRule = rule.Create("ui.client.disconnected", true, rule.Allow, rule.Once, dummyOperator)
|
|
|
|
|
clientErrorRule = rule.Create("ui.client.error", true, rule.Allow, rule.Once, dummyOperator)
|
2020-03-16 01:37:33 +01:00
|
|
|
config Config
|
2018-04-07 13:52:25 +02:00
|
|
|
)
|
2018-04-02 18:11:36 +02:00
|
|
|
|
2020-03-16 01:37:33 +01:00
|
|
|
// Config holds the values loaded from configFile
|
2019-07-02 23:41:41 +02:00
|
|
|
type Config struct {
|
2019-11-01 01:00:10 +01:00
|
|
|
sync.RWMutex
|
2020-03-16 01:37:33 +01:00
|
|
|
DefaultAction string
|
|
|
|
|
DefaultDuration string
|
|
|
|
|
InterceptUnknown bool
|
|
|
|
|
ProcMonitorMethod string
|
2020-06-01 01:54:08 +02:00
|
|
|
LogLevel *uint32
|
2019-07-02 23:41:41 +02:00
|
|
|
}
|
|
|
|
|
|
2020-03-16 01:37:33 +01:00
|
|
|
// Client holds the connection information of a client.
|
2018-04-02 05:25:32 +02:00
|
|
|
type Client struct {
|
|
|
|
|
sync.Mutex
|
|
|
|
|
|
2020-05-30 01:36:43 +02:00
|
|
|
stats *statistics.Statistics
|
|
|
|
|
rules *rule.Loader
|
|
|
|
|
socketPath string
|
|
|
|
|
isUnixSocket bool
|
|
|
|
|
con *grpc.ClientConn
|
|
|
|
|
client protocol.UIClient
|
|
|
|
|
configWatcher *fsnotify.Watcher
|
|
|
|
|
streamNotifications protocol.UI_NotificationsClient
|
2018-04-02 05:25:32 +02:00
|
|
|
}
|
|
|
|
|
|
2020-03-16 01:37:33 +01:00
|
|
|
// NewClient creates and configures a new client.
|
2020-05-10 17:17:05 +02:00
|
|
|
func NewClient(path string, stats *statistics.Statistics, rules *rule.Loader) *Client {
|
2018-04-02 05:25:32 +02:00
|
|
|
c := &Client{
|
2018-04-07 01:52:43 +02:00
|
|
|
socketPath: path,
|
2020-03-16 01:37:33 +01:00
|
|
|
stats: stats,
|
2020-05-10 17:17:05 +02:00
|
|
|
rules: rules,
|
2018-04-07 01:52:43 +02:00
|
|
|
isUnixSocket: false,
|
2018-04-02 05:25:32 +02:00
|
|
|
}
|
2019-11-01 01:00:10 +01:00
|
|
|
if watcher, err := fsnotify.NewWatcher(); err == nil {
|
|
|
|
|
c.configWatcher = watcher
|
|
|
|
|
}
|
2018-04-07 01:52:43 +02:00
|
|
|
if strings.HasPrefix(c.socketPath, "unix://") == true {
|
|
|
|
|
c.isUnixSocket = true
|
|
|
|
|
c.socketPath = c.socketPath[7:]
|
|
|
|
|
}
|
2020-04-19 20:13:31 +02:00
|
|
|
c.loadDiskConfiguration(false)
|
2018-04-07 01:52:43 +02:00
|
|
|
|
2018-04-02 05:25:32 +02:00
|
|
|
go c.poller()
|
|
|
|
|
return c
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-16 01:37:33 +01:00
|
|
|
// ProcMonitorMethod returns the monitor method configured.
|
|
|
|
|
// If it's not present in the config file, it'll return an emptry string.
|
|
|
|
|
func (c *Client) ProcMonitorMethod() string {
|
|
|
|
|
config.RLock()
|
|
|
|
|
defer config.RUnlock()
|
|
|
|
|
return config.ProcMonitorMethod
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// InterceptUnknown returns
|
2019-11-01 01:00:10 +01:00
|
|
|
func (c *Client) InterceptUnknown() bool {
|
|
|
|
|
config.RLock()
|
|
|
|
|
defer config.RUnlock()
|
2020-03-16 01:37:33 +01:00
|
|
|
return config.InterceptUnknown
|
2019-07-02 23:41:41 +02:00
|
|
|
}
|
|
|
|
|
|
2020-03-16 01:37:33 +01:00
|
|
|
// DefaultAction returns the default configured action for
|
2019-10-21 00:04:15 +02:00
|
|
|
func (c *Client) DefaultAction() rule.Action {
|
|
|
|
|
return clientDisconnectedRule.Action
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-16 01:37:33 +01:00
|
|
|
// DefaultDuration returns the default duration configured for a rule.
|
|
|
|
|
// For example it can be: once, always, "until restart".
|
2019-10-21 00:04:15 +02:00
|
|
|
func (c *Client) DefaultDuration() rule.Duration {
|
|
|
|
|
return clientDisconnectedRule.Duration
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-16 01:37:33 +01:00
|
|
|
// Connected checks if the client has established a connection with the server.
|
2018-04-06 14:48:43 +02:00
|
|
|
func (c *Client) Connected() bool {
|
|
|
|
|
c.Lock()
|
|
|
|
|
defer c.Unlock()
|
|
|
|
|
if c.con == nil || c.con.GetState() != connectivity.Ready {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-02 05:25:32 +02:00
|
|
|
func (c *Client) poller() {
|
|
|
|
|
log.Debug("UI service poller started for socket %s", c.socketPath)
|
2018-04-06 14:48:43 +02:00
|
|
|
wasConnected := false
|
2018-04-06 18:34:33 +02:00
|
|
|
for true {
|
2018-04-06 14:48:43 +02:00
|
|
|
isConnected := c.Connected()
|
|
|
|
|
if wasConnected != isConnected {
|
|
|
|
|
c.onStatusChange(isConnected)
|
|
|
|
|
wasConnected = isConnected
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-29 13:55:44 +02:00
|
|
|
if c.Connected() == false {
|
2019-10-20 23:25:21 +02:00
|
|
|
// connect and create the client if needed
|
|
|
|
|
if err := c.connect(); err != nil {
|
|
|
|
|
log.Warning("Error while connecting to UI service: %s", err)
|
|
|
|
|
}
|
2020-04-19 20:13:31 +02:00
|
|
|
}
|
|
|
|
|
if c.Connected() == true {
|
2018-04-06 14:48:43 +02:00
|
|
|
// if the client is connected and ready, send a ping
|
2018-04-06 18:34:33 +02:00
|
|
|
if err := c.ping(time.Now()); err != nil {
|
2018-04-02 18:26:04 +02:00
|
|
|
log.Warning("Error while pinging UI service: %s", err)
|
|
|
|
|
}
|
2018-04-02 05:25:32 +02:00
|
|
|
}
|
2018-04-06 18:34:33 +02:00
|
|
|
|
|
|
|
|
time.Sleep(1 * time.Second)
|
2018-04-02 05:25:32 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-06 14:48:43 +02:00
|
|
|
func (c *Client) onStatusChange(connected bool) {
|
|
|
|
|
if connected {
|
|
|
|
|
log.Info("Connected to the UI service on %s", c.socketPath)
|
2020-04-19 20:13:31 +02:00
|
|
|
go c.Subscribe()
|
2018-04-06 14:48:43 +02:00
|
|
|
} else {
|
|
|
|
|
log.Error("Connection to the UI service lost.")
|
2019-10-20 23:25:21 +02:00
|
|
|
c.client = nil
|
|
|
|
|
c.con.Close()
|
2018-04-06 14:48:43 +02:00
|
|
|
}
|
|
|
|
|
}
|
2018-04-02 05:25:32 +02:00
|
|
|
|
2018-04-06 14:48:43 +02:00
|
|
|
func (c *Client) connect() (err error) {
|
|
|
|
|
if c.Connected() {
|
2018-04-02 05:25:32 +02:00
|
|
|
return
|
|
|
|
|
}
|
2019-06-29 13:55:44 +02:00
|
|
|
c.Lock()
|
2019-10-20 23:25:21 +02:00
|
|
|
defer c.Unlock()
|
2019-06-29 13:55:44 +02:00
|
|
|
|
2019-10-20 23:25:21 +02:00
|
|
|
if c.con != nil {
|
|
|
|
|
if c.con.GetState() == connectivity.TransientFailure || c.con.GetState() == connectivity.Shutdown {
|
|
|
|
|
c.client = nil
|
|
|
|
|
c.con.Close()
|
|
|
|
|
} else {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-04-02 05:25:32 +02:00
|
|
|
|
2018-04-07 01:52:43 +02:00
|
|
|
if c.isUnixSocket {
|
|
|
|
|
c.con, err = grpc.Dial(c.socketPath, grpc.WithInsecure(),
|
|
|
|
|
grpc.WithDialer(func(addr string, timeout time.Duration) (net.Conn, error) {
|
|
|
|
|
return net.DialTimeout("unix", addr, timeout)
|
|
|
|
|
}))
|
|
|
|
|
} else {
|
|
|
|
|
c.con, err = grpc.Dial(c.socketPath, grpc.WithInsecure())
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-02 05:25:32 +02:00
|
|
|
if err != nil {
|
2019-10-20 23:25:21 +02:00
|
|
|
if c.con != nil {
|
|
|
|
|
c.con.Close()
|
|
|
|
|
}
|
2018-04-02 05:25:32 +02:00
|
|
|
c.con = nil
|
2019-10-20 23:25:21 +02:00
|
|
|
c.client = nil
|
2018-04-02 18:11:36 +02:00
|
|
|
return err
|
2018-04-02 05:25:32 +02:00
|
|
|
}
|
|
|
|
|
|
2019-10-20 23:25:21 +02:00
|
|
|
if c.client == nil {
|
|
|
|
|
c.client = protocol.NewUIClient(c.con)
|
|
|
|
|
}
|
2018-04-02 18:11:36 +02:00
|
|
|
return nil
|
2018-04-02 05:25:32 +02:00
|
|
|
}
|
|
|
|
|
|
2018-04-02 18:26:04 +02:00
|
|
|
func (c *Client) ping(ts time.Time) (err error) {
|
2018-04-06 14:48:43 +02:00
|
|
|
if c.Connected() == false {
|
2020-03-16 01:37:33 +01:00
|
|
|
return fmt.Errorf("service is not connected")
|
2018-04-02 18:26:04 +02:00
|
|
|
}
|
|
|
|
|
|
2018-04-06 14:48:43 +02:00
|
|
|
c.Lock()
|
|
|
|
|
defer c.Unlock()
|
|
|
|
|
|
2018-04-02 18:26:04 +02:00
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
|
|
|
|
|
defer cancel()
|
2020-03-16 01:37:33 +01:00
|
|
|
reqID := uint64(ts.UnixNano())
|
2018-04-06 01:44:15 +02:00
|
|
|
|
2019-10-20 23:25:21 +02:00
|
|
|
pReq := &protocol.PingRequest{
|
2020-03-16 01:37:33 +01:00
|
|
|
Id: reqID,
|
2018-04-08 15:32:20 +02:00
|
|
|
Stats: c.stats.Serialize(),
|
2019-06-29 13:46:26 +02:00
|
|
|
}
|
2019-10-20 23:25:21 +02:00
|
|
|
c.stats.RLock()
|
|
|
|
|
pong, err := c.client.Ping(ctx, pReq)
|
|
|
|
|
c.stats.RUnlock()
|
2018-04-02 18:26:04 +02:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-16 01:37:33 +01:00
|
|
|
if pong.Id != reqID {
|
|
|
|
|
return fmt.Errorf("Expected pong with id 0x%x, got 0x%x", reqID, pong.Id)
|
2018-04-02 18:26:04 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-16 01:37:33 +01:00
|
|
|
// Ask sends a request to the server, with the values of a connection to be
|
|
|
|
|
// allowed or denied.
|
2018-04-03 14:51:58 +02:00
|
|
|
func (c *Client) Ask(con *conman.Connection) (*rule.Rule, bool) {
|
2018-04-06 14:48:43 +02:00
|
|
|
if c.Connected() == false {
|
2018-04-03 14:51:58 +02:00
|
|
|
return clientDisconnectedRule, false
|
2018-04-02 18:11:36 +02:00
|
|
|
}
|
|
|
|
|
|
2018-04-06 14:48:43 +02:00
|
|
|
c.Lock()
|
|
|
|
|
defer c.Unlock()
|
|
|
|
|
|
2020-06-04 00:38:11 +02:00
|
|
|
// FIXME: if timeout is fired, the rule is not added to the list in the GUI
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), time.Second*120)
|
2018-04-02 18:11:36 +02:00
|
|
|
defer cancel()
|
2018-04-08 15:32:20 +02:00
|
|
|
reply, err := c.client.AskRule(ctx, con.Serialize())
|
2018-04-02 18:11:36 +02:00
|
|
|
if err != nil {
|
2020-06-04 00:38:11 +02:00
|
|
|
log.Warning("Error while asking for rule: %s - %v", err, con)
|
|
|
|
|
return nil, false
|
2018-04-02 18:11:36 +02:00
|
|
|
}
|
2018-04-02 05:25:32 +02:00
|
|
|
|
2020-06-19 18:02:09 +02:00
|
|
|
r, err := rule.Deserialize(reply)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, false
|
|
|
|
|
}
|
|
|
|
|
return r, true
|
2018-04-02 05:25:32 +02:00
|
|
|
}
|
2019-11-01 01:00:10 +01:00
|
|
|
|
2020-03-16 01:37:33 +01:00
|
|
|
func (c *Client) monitorConfigWorker() {
|
2019-11-01 01:00:10 +01:00
|
|
|
for {
|
|
|
|
|
select {
|
|
|
|
|
case event := <-c.configWatcher.Events:
|
|
|
|
|
if (event.Op&fsnotify.Write == fsnotify.Write) || (event.Op&fsnotify.Remove == fsnotify.Remove) {
|
2020-04-19 20:13:31 +02:00
|
|
|
c.loadDiskConfiguration(true)
|
2019-11-01 01:00:10 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
