When the WM/DE is not properly configured, Qt does not load the system's
icon theme. In this scenario we try to use Qt's built-in icons.
Due to a bug, this was not working.
On the other hand, in order to display the icons of the system, one can
follow these instructions:
https://github.com/evilsocket/opensnitch/wiki/GUI-known-problems#no-icons-on-the-gui
Closes #998
When answering a pop-up we generate the rule name based on the
properties of the connection.
When sending the rule to the daemon, the daemon verifies that the name
is unique and saves it. If it's not, it generates a unique name.
However, if you responded to a pop-up and later modified any property of
the rule without changing the name, if the same connection tried to be
established again, you were prompted to allow/deny it, generating the
same name for the rule.
This could cause some confusion, because when sending the new rule to
the daemon the rule name was regenerated to be unique, but on the GUI
it was not updated, and even more, the old-personalized rule was
replaced with the new one.
When creating rules filtering by UID, there're 3 possible "modes":
- simple: 0, 1000, etc.
- user: root (0), opensnitch (1000)
- regexp: ^(0|1000)$
regexp was not being used correctly.
- Allow to use SSL certificates to secure unix sockets communications.
- Allow to use abstract users sockets for server and nodes.
Go gRPC doesn't seem to understand unix sockets addresses that start
with "unix-abstract:", and python gRPC doesn't seem to understand
"unix:@" addresses.
Therefore, on the server (python gRPC) we use the format "unix:@" to
specify the address where the server will listen on, and rewrite it to
"unix-abstract:" before starting the server.
Note about certs and abstract unix sockets:
When creating the SSL certificates, you'll have to specify the
address of the unix socket as the Common Name of the certificates:
Address: "unix:@my-abstract-socket"
Common Name: @my-abstract-socket
- Allow to receive and display errors when deleting app rules.
- Fixed error displaying notifications on the main window.
- Improvements to receive notifications on the fw dialog.
When selecting a user from the dropdown list, it should set the uid of
the user in the text line. But sometimes, the format "user (uid)" was
set (instead of just "uid").
- Added options to configure authentication type and certs from the
preferences dialog.
- Reorganize code a little bit to display a message when restarting the
GUI is needed.
Allow to cypher channel communications with certificates.
There are 3 authentication types: simple, tls-simple and tls-mutual.
- 'simple' won't cypher communications.
- 'tls-simple' uses a server key and certificate for the server, and a
common CA certificate or the server certificate to authenticate all
nodes.
- 'tls-mutual' uses a server key and certificate for the server, and a
client key and certificate per node.
There are 2 options to verify how gRPC validates credentials:
- SkipVerify: https://pkg.go.dev/crypto/tls#Config
- ClientAuthType: https://pkg.go.dev/crypto/tls#ClientAuthType
Example configuration:
    "Server": {
        "Address": "127.0.0.1:12345",
        "Authentication": {
            "Type": "tls-simple",
            "TLSOptions": {
                "CACert": "/etc/opensnitchd/auth/ca-cert.pem",
                "ServerCert": "/etc/opensnitchd/auth/server-cert.pem",
                "ClientCert": "/etc/opensnitchd/auth/client-cert.pem",
                "ClientKey": "/etc/opensnitchd/auth/client-key.pem",
                "SkipVerify": false,
                "ClientAuthType": "req-and-verify-cert"
            }
        }
    }
More info: https://github.com/evilsocket/opensnitch/wiki/Nodes
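A pre-deployment check for the authentication section described in the commit message above, as an added example that is not part of the commit or of the OpenSnitch code base. The function name, the finding texts and the rule that 'simple' is only acceptable on a unix socket are assumptions of this example; the key names and the three authentication types come from the message.

```python
import json

# Authentication types named in the commit message.
AUTH_TYPES = {"simple", "tls-simple", "tls-mutual"}

# Constructed sample: the commit's fragment wrapped in braces so it parses as JSON.
SAMPLE = """{"Server": {
  "Address": "127.0.0.1:12345",
  "Authentication": {
    "Type": "tls-simple",
    "TLSOptions": {
      "CACert": "/etc/opensnitchd/auth/ca-cert.pem",
      "ServerCert": "/etc/opensnitchd/auth/server-cert.pem",
      "ClientCert": "/etc/opensnitchd/auth/client-cert.pem",
      "ClientKey": "/etc/opensnitchd/auth/client-key.pem",
      "SkipVerify": false,
      "ClientAuthType": "req-and-verify-cert"
    }
  }
}}"""

def audit_server_auth(config_text):
    """Return a list of findings for Server.Authentication (hypothetical helper)."""
    server = json.loads(config_text).get("Server", {})
    auth = server.get("Authentication", {})
    auth_type = auth.get("Type")
    opts = auth.get("TLSOptions", {})
    if auth_type not in AUTH_TYPES:
        return [f"unknown authentication type: {auth_type!r}"]
    if auth_type == "simple":
        # 'simple' does not encrypt; this example only accepts it on unix sockets.
        if not str(server.get("Address", "")).startswith("unix"):
            return ["'simple' sends unencrypted traffic over a non-unix address"]
        return []
    findings = []
    if opts.get("SkipVerify"):
        findings.append("SkipVerify is true: certificate verification is skipped")
    # 'tls-simple' authenticates with a common CA certificate or the server certificate.
    if not (opts.get("CACert") or opts.get("ServerCert")):
        findings.append("no CACert or ServerCert to authenticate the server")
    if auth_type == "tls-mutual":
        for key in ("ClientCert", "ClientKey"):
            if not opts.get(key):
                findings.append(f"tls-mutual requires {key}")
    return findings
```

Calling `audit_server_auth(SAMPLE)` on the fragment from the commit returns an empty list.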
- Use Message util.
Maybe it'd be better to display a desktop notification for a
better experience, or a dialog box if notify2 is not installed.
- Translate warning message.
* require pyxdg
* extend xdg, introduce autostart
* use xdg_current_desktop from opensnitch.utils.xdg
* control autostart in tray
* dont use pkill anymore
* check if os-ui is already running
* don't require pyxdg (for now)
* simplify xdg_current_desktop
* do not use pyxdg (for now), use some code from there
* update autostart status when menu is open
* fix possible SameFileError
There have been some issues (#673) informing that the notification
timeouts were not working on KDE.
On 843412d I wrote that the timeout unit is millisecond, as stated on
the docs here:
https://notify2.readthedocs.io/en/latest/#notify2.Notification.set_timeout
But after some trial and error:
- set_timeout() units are in seconds, at least for KDE 5.26.3, Xfce
4.18 and GNOME 43.
- not specifying the timeout with set_timeout() lets the Desktop
Environment handle the timeout for us, from their respective
preferences window.
So at least now there're some DEs where the notifications are closed as
expected.
- Previously we only supported multiple ICMP types on the same rule
  by adding multiple keys:
    Key: type
    Value: echo-request
    Key: type
    Value: echo-reply
  Now it's possible to specify them using ',':
    Key: type
    Value: echo-request,echo-reply
- Validate ICMP types before adding them.
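The two ICMP forms from the commit message above, merged and validated before a rule is built. This is an added example, not the GUI's code; the function name and the set of accepted type names are assumptions, since the list the GUI actually validates against is not shown on this page.

```python
# Assumed set of accepted names (common ICMPv4 message types); the GUI's
# actual list is not shown on this page.
ICMP_TYPES = {
    "echo-reply", "destination-unreachable", "redirect", "echo-request",
    "time-exceeded", "parameter-problem", "timestamp-request", "timestamp-reply",
}

def collect_icmp_types(statements):
    """Merge every 'type' key/value pair into one validated, ordered list.

    Accepts the old form (one pair per type) and the new comma-separated
    form. Raises ValueError naming every unknown or empty entry, so a typo
    is rejected before the rule is added instead of being silently dropped.
    """
    accepted, rejected = [], []
    for key, value in statements:
        if key != "type":
            continue
        for name in value.split(","):
            name = name.strip().lower()
            if name not in ICMP_TYPES:
                rejected.append(name or "<empty>")
            elif name not in accepted:
                accepted.append(name)  # keep first-seen order, drop duplicates
    if rejected:
        raise ValueError("invalid ICMP type(s): " + ", ".join(rejected))
    return accepted

# Constructed inputs: the two forms from the commit message.
OLD_FORM = [("type", "echo-request"), ("type", "echo-reply")]
NEW_FORM = [("type", "echo-request,echo-reply")]
```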
* There was a situation where the details of an app rule was not being
displayed correctly:
- on the tab rules select any system fw rule.
- go to the Events tab
- double click on the Rule column to view the details.
- instead of the app rules details, the list of system fw rules was
displayed.
* On the other hand, when going back from the details view, the list of
rules was not being refreshed correctly.
In this situation now we select the Application rules view.