Up until now we had a way of customizing the views, by defining
"actions". See for context cba52cf3d8
The configuration syntax has not changed, but now every "action" is a
python plugin, for example when loading this configuration:
    {
      "name": "commonDelegateConfig",
      "actions": {
        "highlight": {
          "enabled": true,
          "cells": [
            {
              "text": ["allow", "✓ online"],
              "color": "white",
              "bgcolor": "green"
            }
          ]
        }
      }
    }
we'll try to load "highlight" as a plugin, which should exist under
opensnitch/plugins/highlight/highlight.py
Three new plugins have been added:
- Highlight: colorize cells or rows based on patterns.
- Downloader: a simple downloader which downloads files to local
directories, for example to download blocklists.
- Virustotal: a plugin to analyze IPs, domains and checksums with the
API of virustotal when a new popup is fired.
There are 3 points where the plugins are configured and executed:
- opensnitch/service.py - _load_plugins() (background/global plugins)
- opensnitch/dialogs/prompt/__init__.py - _configure_plugins(), _post_popup_plugins()
- opensnitch/dialogs/processdetails.py - _configure_plugins()
Plugins can't be configured from the GUI (yet).
For more details, read:
opensnitch/plugins/__init__.py
opensnitch/actions/__init__.py
opensnitch/plugins/downloader/downloader.py
opensnitch/plugins/virustotal/virustotal.py
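As an added example (not OpenSnitch's own loader), the following Python code resolves each configured "action" to a plugin module using the directory layout described above, <plugins_dir>/<name>/<name>.py, and instantiates it. Everything beyond that layout is an assumption: the plugin class name (the capitalized plugin name), its configure(config) method, and the sample plugin written to a temporary directory so the example runs without the real opensnitch/plugins tree. The name check keeps a name taken from a configuration file from being turned into an arbitrary filesystem path.

```python
"""
Added example: load "actions" from a delegate configuration as plugins,
one Python module per action, at <plugins_dir>/<name>/<name>.py.

Assumed (not from the commit message): each plugin module exposes a class
named after the plugin (e.g. "Highlight") with a configure(config) method.
"""
import importlib.util
import json
import os
import re
import tempfile

# Only plain identifiers are accepted as plugin names, so a name read from a
# config file can never escape the plugins directory (assumed policy).
PLUGIN_NAME_RE = re.compile(r"^[a-z][a-z0-9_]*$")


def plugin_path(plugins_dir, name):
    """Map an action name to its plugin file, or raise on an unsafe name."""
    if not PLUGIN_NAME_RE.match(name):
        raise ValueError("invalid plugin name: %r" % name)
    return os.path.join(plugins_dir, name, name + ".py")


def load_plugin(plugins_dir, name, action_config):
    """Import <plugins_dir>/<name>/<name>.py and instantiate its class."""
    path = plugin_path(plugins_dir, name)
    if not os.path.isfile(path):
        return None  # action configured but no plugin shipped for it
    spec = importlib.util.spec_from_file_location("plugins." + name, path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    plugin = getattr(module, name.capitalize())()  # assumed class naming
    plugin.configure(action_config)
    return plugin


def load_plugins(config, plugins_dir):
    """Return {action_name: plugin} for every enabled action in config."""
    loaded = {}
    for name, action in config.get("actions", {}).items():
        if not action.get("enabled", False):
            continue
        plugin = load_plugin(plugins_dir, name, action)
        if plugin is not None:
            loaded[name] = plugin
    return loaded


# Constructed sample plugin; it only records the cells it was configured with.
SAMPLE_PLUGIN = '''
class Highlight:
    def __init__(self):
        self.cells = []

    def configure(self, config):
        self.cells = config.get("cells", [])
'''

# Constructed configuration in the syntax shown in the commit message.
SAMPLE_CONFIG = json.loads("""
{
  "name": "commonDelegateConfig",
  "actions": {
    "highlight": {"enabled": true,
                  "cells": [{"text": ["allow"], "color": "white", "bgcolor": "green"}]},
    "downloader": {"enabled": false}
  }
}
""")


def demo():
    """Write the sample plugin tree to a temp dir, load the config and
    return what each loaded plugin was configured with."""
    with tempfile.TemporaryDirectory() as plugins_dir:
        os.makedirs(os.path.join(plugins_dir, "highlight"))
        with open(os.path.join(plugins_dir, "highlight", "highlight.py"), "w") as f:
            f.write(SAMPLE_PLUGIN)
        plugins = load_plugins(SAMPLE_CONFIG, plugins_dir)
        return {name: p.cells for name, p in plugins.items()}


if __name__ == "__main__":
    print(demo())
```

The disabled "downloader" action is skipped before any path is built, and a name such as "../etc" is rejected by plugin_path() rather than being joined onto the plugins directory.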
Since the name of the rule is used for the file name on the disk,
certain characters caused issues when saving the rule, like '/'.
Now if the user types or pastes '/' in the name field, a warning is
displayed, indicating that some characters are not allowed.
Closes: #1166
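An added example, not the project's own code, of the kind of check the commit describes: because the rule name becomes the file name on disk, the name is validated before a path is built from it. The commit only names '/' as a problem character; the full forbidden set, the ".json" suffix and the containment check against the rules directory are assumptions made here.

```python
"""Added example: validate a rule name before it is used as a file name."""
import os

# Characters that must not appear in a rule name (assumed set; the commit
# message only mentions '/').
FORBIDDEN_CHARS = frozenset("/\\\0")


def invalid_chars(name):
    """Return the forbidden characters found in name, in order of appearance."""
    seen = []
    for ch in name:
        if ch in FORBIDDEN_CHARS and ch not in seen:
            seen.append(ch)
    return seen


def validate_rule_name(name):
    """Return a warning message for the GUI, or None when the name is usable."""
    if not name.strip():
        return "rule name must not be empty"
    if name in (".", ".."):
        return "rule name is reserved"
    bad = invalid_chars(name)
    if bad:
        return "characters not allowed in rule name: %s" % " ".join(repr(c) for c in bad)
    return None


def rule_file_path(rules_dir, name):
    """Build <rules_dir>/<name>.json (suffix assumed), refusing a name that
    fails validation or whose resolved path lands outside rules_dir."""
    err = validate_rule_name(name)
    if err:
        raise ValueError(err)
    path = os.path.abspath(os.path.join(rules_dir, name + ".json"))
    if os.path.dirname(path) != os.path.abspath(rules_dir):
        raise ValueError("rule name escapes the rules directory")
    return path


if __name__ == "__main__":
    for candidate in ("allow-firefox", "allow/firefox", ".."):
        print(repr(candidate), "->", validate_rule_name(candidate))
```

validate_rule_name() is what a name field would call on every edit or paste to show the warning; rule_file_path() is the last line of defence when the rule is actually written.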
When exporting rules, use rfc3339 format for the Created field.
We were exporting as timestamp, which caused issues when importing them.
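The round trip described above, as an added example that is not part of the commit: the Created field is written as an RFC 3339 string on export, and the importer accepts both that form and the numeric timestamp that older exports contain. The lowercase "created" key and the UTC rendering are assumptions made here.

```python
"""Added example: export Created as RFC 3339 and import either form."""
from datetime import datetime, timezone


def to_rfc3339(ts):
    """Render a Unix timestamp as an RFC 3339 string in UTC, e.g. 2024-03-01T12:00:00Z."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_created(value):
    """Parse a Created value from an exported rule.

    Accepts the RFC 3339 form and, for older exports, a numeric Unix
    timestamp (int, float or digits-only string). Returns an aware UTC datetime.
    """
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    text = str(value).strip()
    if text.isdigit():
        return datetime.fromtimestamp(int(text), tz=timezone.utc)
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"  # fromisoformat() on older Pythons rejects a literal 'Z'
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assume UTC when no offset was exported
    return dt.astimezone(timezone.utc)


def export_rule(rule):
    """Return a copy of the rule with its created timestamp rendered as RFC 3339."""
    out = dict(rule)
    out["created"] = to_rfc3339(rule["created"])
    return out


def import_rule(exported):
    """Return a copy of an exported rule with created normalised to a Unix timestamp."""
    out = dict(exported)
    out["created"] = int(parse_created(exported["created"]).timestamp())
    return out


if __name__ == "__main__":
    # Constructed sample rule; 1709294400 is 2024-03-01T12:00:00Z.
    rule = {"name": "allow-curl", "created": 1709294400}
    print(export_rule(rule))
    print(import_rule(export_rule(rule)))
```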
Related:
58aa979cae
issue #1140
pyinotify has stopped working in python3.12, it fails loading with the
error:
ModuleNotFoundError: No module named 'asyncore'
For now, ignore this error and keep working as usual.
Application icons will be loaded on GUI startup, but we lose the
ability to discover the icons of applications while the GUI is
running.
Closes: #1132
Allow configuring from the preferences dialog:
- max stats and events.
- rules path (use default path if empty).
- internal GC percentage, flush connections on start.
Disabled the daemon's DefaultDuration option when the daemon is not
connected to the server (GUI). By default it is "once".
Improved configuration parsing.
Minor improvements to display status messages.
- Added "More information" label to the preferences dialog, and open a
link to our wiki with more information.
- Allow configuring node auth settings from the GUI:
When we added the authentication options (12b4cf3104,
6556eed1ae, f63d9dce72)
we allowed configuring auth options from the GUI, but only if the
nodes already had the options configured. If the auth options
received were empty, we simply disabled the auth options on the
preferences dialog.
Now we build the configuration in this scenario, and send it back to
the nodes.
We only offered two options for the DefaultAction option: allow/deny.
We have supported "reject"ing connections for a long time, but it was not
configurable as the DefaultAction.
Closes: #1108
If the pop-ups' target is to filter by cmdline, but the typed/launched
command is not absolute or it starts with /proc, also filter by the
absolute path to the binary.
If the path of a process starts with /tmp/.mount_*, which is the common
path for appimages, use it as the default target on the popups.
Previously it was only added to the list of targets, but preselecting it
will help users to create rules for appimages.
New option to save and display alerts/events received from the daemon,
like system fw errors or eBPF modules errors.
Until now we only displayed a desktop message, making it difficult to
review the message in detail or take other actions.
Up until now, the GUI was refreshed if:
- it was not minimized or hidden.
- if there were new events (even if we received events from the daemon,
they were filtered out if they were duplicated).
But still, there were scenarios where refreshing the views every second
(more or less) was too much, like when monitoring multiple machines.
Now it's possible to configure the views' refresh interval, regardless
of what the daemon sends.
Asked here: #1073
If the path of the process starts with /tmp/.mount, it typically
indicates that the application is an AppImage.
These apps create a random directory under /tmp, with the pattern
/tmp/.mount_<appId>XXXXXX, where the AppImage is mounted (it's not
always the case, but it usually is).
a0373541c1/runtime.c (L202)
The problem is that if you allow the path to the executable, the next
time you launch the AppImage, the path won't match the rule, and you'll
be prompted again to allow the outbound connection.
So as a helper for the users, if we find the path of the process starts
with /tmp/.mount_, we add an option to the combo box to select the path,
which creates a regular expression to match the AppImage.
Requested here: #1066, #543, #408
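An added example, not OpenSnitch's own implementation, of the helper described in this commit and the one above about /tmp/.mount_* targets: given the path of a process, detect the AppImage mount pattern /tmp/.mount_<appId>XXXXXX and derive a regular expression that still matches after the random suffix changes on the next launch. The exact regex the GUI builds is not shown in the commit, so the shape used here (six alphanumeric characters for the random part, the remainder of the path escaped literally) is an assumption, as is the requirement that the directory name be longer than the six random characters.

```python
"""Added example: turn an AppImage mount path into a stable rule regex."""
import re

# /tmp/.mount_<appId>XXXXXX/<rest>: the app id is everything in the first
# directory segment before the final six random characters (assumed shape).
APPIMAGE_MOUNT_RE = re.compile(
    r"^/tmp/\.mount_(?P<app>[^/]+?)(?P<rnd>[A-Za-z0-9]{6})(?P<rest>/.*)$")


def is_appimage_path(path):
    """True when the process path lives under an AppImage mount point."""
    return path.startswith("/tmp/.mount_")


def appimage_rule_regex(path):
    """Return a regex matching this binary across AppImage launches, or None."""
    m = APPIMAGE_MOUNT_RE.match(path)
    if m is None:
        return None
    return r"^/tmp/\.mount_%s[A-Za-z0-9]{6}%s$" % (
        re.escape(m.group("app")), re.escape(m.group("rest")))


def popup_targets(path):
    """Candidate targets for the pop-up combo box, as (kind, value) pairs.

    For an AppImage the regex comes first so it is preselected; the literal
    path stays available as a fallback (ordering assumed).
    """
    targets = [("path", path)]
    rx = appimage_rule_regex(path)
    if rx is not None:
        targets.insert(0, ("regexp", rx))
    return targets


def matches(target, path):
    """Check a (kind, value) target against a process path the way a rule would."""
    kind, value = target
    if kind == "regexp":
        return re.match(value, path) is not None
    return value == path


if __name__ == "__main__":
    # Constructed sample paths: two launches of the same AppImage.
    first = "/tmp/.mount_obsidiKh8f2T/usr/bin/obsidian"
    second = "/tmp/.mount_obsidiZz0001/usr/bin/obsidian"
    for target in popup_targets(first):
        print(target, "matches second launch:", matches(target, second))
```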
When the checksum of a binary changes, due to an update or something
else, you'll be prompted to allow the outbound connection if the
previous checksum of the rule doesn't match the new one.
Without a visual warning it was almost impossible to know what was going
on. Besides, you had to dismiss that pop-up, find the rule, and update
the checksum.
Now there's a warning message, and you can update the rule from
the pop-up.
Related: #413
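The check behind that warning, as an added example rather than the project's code: compare the checksum stored in the matching rule with the current SHA-256 of the binary, report a mismatch so the pop-up can say why it appeared, and let the user update the rule from there. The rule layout (a "checksum" key holding a hex SHA-256) and the status names are assumptions made here.

```python
"""Added example: detect and repair a rule/binary checksum mismatch."""
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_checksum(rule, binary_path):
    """Return (status, current_checksum).

    status is "ok", "mismatch", or "unverified" when the rule stores no
    checksum (assumed key name: "checksum").
    """
    expected = rule.get("checksum", "")
    if not expected:
        return ("unverified", "")
    current = sha256_of_file(binary_path)
    return ("ok" if current == expected else "mismatch", current)


def popup_warning(rule, binary_path):
    """Text the pop-up would show, or None when nothing is wrong."""
    status, current = check_checksum(rule, binary_path)
    if status != "mismatch":
        return None
    return ("Checksum of %s changed: rule '%s' expects %s..., binary is %s..."
            % (binary_path, rule.get("name", "?"), rule["checksum"][:12], current[:12]))


def update_rule_checksum(rule, binary_path):
    """The 'update rule' action from the pop-up: store the current checksum."""
    rule["checksum"] = sha256_of_file(binary_path)
    return rule


def demo():
    """Simulate an update of the binary and return the status after each step."""
    statuses = []
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "app")  # constructed stand-in for a binary
        with open(binary, "wb") as f:
            f.write(b"build 1")
        rule = {"name": "allow-app", "checksum": sha256_of_file(binary)}
        statuses.append(check_checksum(rule, binary)[0])
        with open(binary, "wb") as f:  # the "update"
            f.write(b"build 2")
        statuses.append(check_checksum(rule, binary)[0])
        update_rule_checksum(rule, binary)
        statuses.append(check_checksum(rule, binary)[0])
    return statuses


if __name__ == "__main__":
    print(demo())
```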
When cloning a rule, or applying a rule to a node, if the rule was of
type List (had multiple operators), the operators were not saved to the
DB.
Closes: #1027
Not deleting events from in-memory db can lead to a high mem usage under
certain scenarios.
A previous attempt to solve this issue wrote events to disk in a temporary
file (when using file::memory:?cache=shared).
Related issues: #844, #857
Closes: #1030