Fixed GUI loading behaviour when DE's autologin is on.
Background:
Sometimes the system tray is not available, so our app's icon
does not show up. In this case we show the GUI to allow the user
manage the rules and view connections.
If the user activated the autologin option, on KDE (and probably others)
our service was launched before the panel was ready, so the system tray was
not available yet and we were showing the Events window.
Changes:
- Delay 10s the check to see if the system tray is available, to give it
time to load.
- Add X-KDE-Autostart-after=panel to kcm_opensnitch.desktop, to launch
the GUI only after the panel is loaded.
- Misc: removed OpenSnitch entry from System Settings on KDE, and update
the categories where the app is shown in the menus.
Closes#535
On Fedora 34, without the appindicator extension installed, when the GUI
was displayed it crashed with the following error:
TypeError: index 0 has type 'float' but 'int' is expected.
related: #526
Don't overwrite rules when adding or editing rules, to avoid losing
already added rules.
- When adding a rule, check if there's already a rule with the same
name.
- After adding a new rule, enter into EDIT mode, to allow changes to the
rule without closing the dialog.
- If the user changes the name after adding a rule, check if there's a
rule with the same name.
- When editing a rule and the user changes the name, check if there's a
rule with the same name.
issue #512
- Fixed reloading process monitor method if the configuration changes on
disk. This can occur in two situations: 1) if it's changed from the
UI, 2) if the user changes it manually.
- Ensure that we don't crash if there's an error changing the
method and ebpf is active.
- When changing monitor method to ebpf and it fails to start, stop it
anyway. It helps cleaning up kprobes and avoiding the error
"cannot write...: file exists".
When the daemon connects to the GUI, use the default action
configured on the GUI to apply a verdict on new connections.
We were using daemon's default action, so if it was Allow but the user
had configured Deny on the GUI it was allowing connections, causing some
confusion (#489)
TODO: apply this action not only on connecting to the GUI, but also when
saving the configuration from the GUI.
When adding a new rule we were getting the duration as it appeared on
the combo box. It was used to create a Golang time.
However translators were translating the duration strings (30s, 5m,
etc), causing errors when saving the rule.
Now we just look for the index of the selected duration.
- The firewall rules defined in /etc/opensnitchd/system-fw.json take
precedence over the interception rules, but we were inserting the
interception rules before the system's ones. With this change #455
should be fixed.
- On the other hand, the DefaultAction was not being applied correctly
in all cases. As of today the DefaultAction is applied in 2 scenarios:
* When the daemon is connected to the GUI and the user doesn't answer
a pop-up.
* When the daemon is not connected to the GUI.
However as we don't parse all network protocols, even if the GUI is
connected we may end up parsing a connection and don't know what to do
with it. In this case the DefaultAction was always Deny.
Now in the above scenario, i.e.: when the GUI is connected but we
can't parse a connection, we'll apply the DefaultAction configured by
the user.
Remove \r\n\t\s from the end of each line of a blocklist.
If the entries of a list had these characters caused to not match
connections and not apply the rule.
closes#429
Previous behaviour:
1) Before version 1.0.0b the daemon kept a list of processes that had
established connections. The list was displayed on the GUI as is, so
the maximum number of connections displayed were 100 (hardcoded).
2) When the intercepted connections reached 100, the last entry of the
list was removed, and a new one was inserted on the top.
After v1.0.0 we started saving connections to a DB on the GUI side, to
get rid of the hardcoded connections limit. However, the point 2) was
still present that caused some problems:
- When the backlog was full we kept inserting and deleting connections
from it continuously, one by one.
- If there was a connections burst we could end up missing some
connections.
New behaviour:
- The statisics are deleted from the daemon everytime we send them to
the GUI, because we don't need them on the daemon anymore.
- If the GUI is not connected, the connections will be added to the
backlog as in the point 2).
- When the backlog reaches the limit, it'll keep deleting the last
one in order to insert a new one.
- The number of connections to keep on the backlog is configurable.
- If the statistics configuration is missing, default values will be
150 (maxEvents) and 25 (maxStats).
Notes:
If the GUI is saving the data to memory (default), there won't be
any noticeable side effect.
If the GUI is configured to save the connections to a DB on disk, and
the daemon sends all the backlog at once, the GUI may experience a
delay and a high CPU spike. This can occur on connecting to the daemon
(because the backlog will be full), or when an app sends too many
connections per second (like nmap).
On KDE the events window was not restored to previous state when the
window was minimized to the taskbar.
This was fixed by @themighty1 in this PR #315, but there was an
unexpected behaviour on others DE.
As I haven't seen this error in others DE, we apply the original
fix, but only when the DE in use is KDE.
- Fixed typos in the preferences dialog (#465).
- Fixed hiding/showing rules combobox.
- Keep opensnitchd/default-config.json format when saving node's
configuration from the GUI.
Before this change, we tried to determine what firewall to use based on
the version of iptables (if -V legacy -> nftables, otherwise iptables).
This caused problems (#455), and as there's no support yet for nftables
system firewall rules, it can't be configured to workaround these
errors.
Now the default firewall to use will be iptables.
If it's not available (installed), can't be used or the configuration
option is empty/missing, we'll use nftables.
- Now the columns names of the details views can be translated (#465).
- Fixed columns size restoring when clicking on the Events tab to view
the details of an item (process, rule or node).
There was an annoying bug that increased the pop-up height a little bit
everytime a new pop-up was displayed.
Hopefully this time it's fixed, while maintaining compatiblitiy on the
mobile (i.e.: displaying the buttons at the bottom and the connection
information at the top of the pop-up).
One of the steps of PIDs discovering is knowing what's the socket inode
of a connection. The first try is to dump the active connections in the
kernel, using NETLINK_SOCK_DIAG via netlink.
Sometimes when a source port was reused, the kernel could return multiple
entries with the same source port, leading us to associate connections with
the wrong application.
This change fixes this problem, while allowing us to discover other
apps.
More information:
https://github.com/evilsocket/opensnitch/issues/387#issuecomment-888663121
Note: this problem shouldn't occur using the procs monitor method eBPF.
* Preferences:
- Allow to configure the columns of the Events tab.
- Fixed displaying labels on small screens.
* Rules:
- Added combo to select the type of rules to list (all, permanent,
temporary) when the left panel is hidden.
* Main window:
- Improved tabs widgets positioning.
* Misc:
- Improved code to avoid typos.
- Added option to ignore temporary rules. All or only of duration
"once".
You can still use them when answering a pop-up, but if you check the
option, the rules won't be added to the rules list.
- Fixed wrong behaviour when adding rules to the db/gui.
When changing a rule duration (always->30s, 30s->always), if there
were connections matching that rule, the rule was re-added to the
db/rules list with the old duration, ending up with 2 rules in the
list.
This was caused by how stats are sent to the GUI. When populating the
db with the stats, we were also adding the rules.
Now we don't add the rules when adding the stats. Rules are added to
the db everytime a node connects to the GUI, when answering a pop-up
or whenever the user performs an operation on them.
Performance has increased a little bit due to this.
- Fixed applying configuration to all nodes at once.
- Added help menu to the preferences dialog.
- Removed lists grid.
- A little bit of code reorganization.
- Fixed multiple race conditions when using the cache of PIDs.
- Improved the chances to hit the cache of inodes, which helps to keep
down the times to get the PID of a connection to <= 30us.
These caches are mainly used when not using "ebpf" proc monitor method.
