- Fixed multiple race conditions when using the cache of PIDs.
- Improved the chances to hit the cache of inodes, which helps to keep
down the times to get the PID of a connection to <= 30us.
These caches are mainly used when not using "ebpf" proc monitor method.
- don't clean cache by number of items.
- clean inodes from cache every 2' if the descriptor symlink doesn't exist
anymore, or if the lastSeen time is more than 5 minutes.
- launch cache cleaners before starting a new process monitoring method,
and start them only once for the lifetime of the daemon.
- do not store in cache the Time objects, only the nanoseconds of
the last updated time.
- if the inode of a connection is found in cache, reorder the
descriptors to push the descriptor to the top of the list.
Also cache the inode.
It turns out that when a new connection is about to be established,
when the process resolves the domain, the same inode is used to open the
tcp connection to the target. So if it's cached we save CPU cycles.
This also occurs when we block a connection and the process retries it,
or when a connection times out and the process retries it
(telnet 1.1.1.1).
- update the descriptors/inodes of a PID when it's found in cache.
- when a descriptor/inode is found in cache, push it to the top
of the descriptors list. The next time it's found in cache it'll be in
the 1st position of the list, saving CPU time.
- added test cases and benchmark helpers to help analyze performance.
(1/2)
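The cache behaviour this commit describes (a hit descriptor moved to the top of its PID's list, lastSeen kept as nanoseconds rather than a Time object, eviction when the descriptor is gone or unseen for 5 minutes, a cleaner started once per daemon lifetime), as an added example written for this page; it is not OpenSnitch's own code. The type and function names (pidCache, descriptor, lookup, clean, startCleaner), the injectable clock, and the /proc paths and inode numbers are this example's own assumptions and constructed sample values.

```go
package main

import (
	"sync"
	"time"
)

// Intervals from the commit message: clean every 2', evict after 5 minutes unseen.
const (
	cleanInterval = 2 * time.Minute
	entryTTL      = 5 * time.Minute
)

// descriptor is one /proc/<pid>/fd entry and the socket inode its symlink points to.
type descriptor struct {
	fd    string // e.g. "/proc/42/fd/3" (constructed sample values in the tests)
	inode string // e.g. "socket:[100]"
}

// pidEntry stores only the nanoseconds of the last update, not a time.Time.
type pidEntry struct {
	descriptors []descriptor
	lastSeen    int64
}

// pidCache maps PIDs to their descriptors; the mutex serialises concurrent
// lookups that reorder the same slice (the class of race the commit fixes).
type pidCache struct {
	mu      sync.Mutex
	entries map[int]*pidEntry
	now     func() int64 // injectable clock so eviction can be tested offline
}

func newPIDCache() *pidCache {
	return &pidCache{entries: map[int]*pidEntry{}, now: func() int64 { return time.Now().UnixNano() }}
}

// add stores (or replaces) the descriptors of a PID and refreshes lastSeen.
func (c *pidCache) add(pid int, descs []descriptor) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[pid] = &pidEntry{descriptors: append([]descriptor(nil), descs...), lastSeen: c.now()}
}

// lookup returns the PID owning inode. On a hit the matching descriptor is moved
// to the front of that PID's list and lastSeen is refreshed, so a retried
// connection over the same inode is found at index 0 next time.
func (c *pidCache) lookup(inode string) (int, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	for pid, e := range c.entries {
		for i, d := range e.descriptors {
			if d.inode != inode {
				continue
			}
			if i > 0 { // move-to-front: shift [0,i) right by one, put d at 0
				copy(e.descriptors[1:i+1], e.descriptors[:i])
				e.descriptors[0] = d
			}
			e.lastSeen = c.now()
			return pid, true
		}
	}
	return 0, false
}

// clean evicts PIDs not seen within ttl, or whose descriptor symlink no longer
// exists according to stillExists (a daemon would os.Lstat /proc/<pid>/fd/<n>).
func (c *pidCache) clean(ttl time.Duration, stillExists func(pid int) bool) int {
	c.mu.Lock()
	defer c.mu.Unlock()
	now, evicted := c.now(), 0
	for pid, e := range c.entries {
		if now-e.lastSeen > int64(ttl) || !stillExists(pid) {
			delete(c.entries, pid) // deleting during range is safe in Go
			evicted++
		}
	}
	return evicted
}

// startCleaner runs clean every cleanInterval until stop is closed; start it once
// per daemon lifetime, before the process-monitor method is switched.
func (c *pidCache) startCleaner(stop <-chan struct{}, stillExists func(pid int) bool) {
	go func() {
		t := time.NewTicker(cleanInterval)
		defer t.Stop()
		for {
			select {
			case <-t.C:
				c.clean(entryTTL, stillExists)
			case <-stop:
				return
			}
		}
	}()
}
```

The cleaner is deliberately the only goroutine; every other operation is a short critical section, which is what keeps a cache hit in the tens of microseconds and avoids the reorder-while-iterating races the commit mentions.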
We start receiving notifications from the UI, which allow us to change
configurations and perform actions on the daemon.
The concept of Node has also been introduced, which identifies every
daemon (client) connected to the UI (server).
These options have been added:
- Enable/Disable firewall interception (for all nodes)
- Change daemons' (clients') configuration, globally or per node.
- Change prompt dialog options.
We have fixed some bugs along the way:
- Close audit client connection gracefully.
- Exclude our own connections from being intercepted.
- Better handling of client connection status with the UI.
We have probably also introduced some other bugs (not listed here).
Use auditd events to keep a list of PIDs which open sockets, reading
them from the audisp af_unix plugin.
- Install auditd and audisp-plugins
- Enable the af_unix plugin (/etc/audisp-plugin/af_unix, active = yes)
- Start opensnitch with -process-monitor-method audit.
If the chosen method is audit but it's not active or not installed,
it'll fall back to /proc anyway.
If it's properly configured, a debug trace will be written to the logs:
"PID found via audit events ..."
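A pre-flight check for the procedure above, added here as an example and not part of OpenSnitch: it reads the af_unix plugin configuration and reports whether the daemon would actually use audit events or silently fall back to /proc. The default path is the one given in the commit message; the function name af_unix_active and the sample configuration contents are this example's own, and pass a different path as the first argument if your distribution keeps the file elsewhere.

```sh
#!/bin/sh
# Added example (not OpenSnitch's own code): verify the audisp af_unix plugin is
# enabled before starting opensnitch with -process-monitor-method audit.
# Returns 0 if "active = yes", 1 if not, 2 if the file cannot be read.
af_unix_active() {
    conf="${1:-/etc/audisp-plugin/af_unix}"
    [ -r "$conf" ] || { echo "cannot read $conf (is audisp-plugins installed?)" >&2; return 2; }
    # Drop comments, keep the last 'active' key, normalise whitespace and case.
    val=$(sed 's/#.*//' "$conf" \
        | awk -F= '$1 ~ /^[ \t]*active[ \t]*$/ { gsub(/[ \t]/, "", $2); print tolower($2) }' \
        | tail -n 1)
    [ "$val" = "yes" ]
}

# Report the state the daemon would end up in. Whether auditd itself is running
# (auditctl -s) is left to the caller, since that needs root.
if af_unix_active "$@"; then
    echo "af_unix plugin active: opensnitch can use -process-monitor-method audit"
else
    echo "af_unix plugin not active: opensnitch would fall back to /proc" >&2
fi
```

If the check passes but the "PID found via audit events" trace never appears in the logs, the remaining suspects are auditd not running or the plugin not having been reloaded after the edit.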