Sometimes when a new connection is about to be established, we don't get
the PID of the process using the eBPF proc monitor method. But in some
rare situations, the kernel still holds information about the connection
(sock_diag struct basically). We assume that these connections are
initiated from kernel space.
Per some debugging, this doesn't seem to be always the root cause, so
these connections will only be shown if InterceptUnknown config field is
set to true.
As we've added the eBPF interception method, we need the Go iovisor ebpf package,
which is not packaged for Debian yet, so the way I was compiling it
differs a little bit (instead of using gbp buildpackage,
dpkg-buildpackage is used).
Aside from that, there'll be a new eBPF module (.o ELF), which must be
shipped with the packages. It will be compiled on the fly, but maybe it
could be hosted in the repo, because it won't change that much.
- disable clicks when the user enters into the details of an item
(process, host, user, etc).
- fixed displaying the button to inspect a process.
- improved listing connections of a process.
- By default there was no limit of events to display. If the user had
the GUI opened for a long period of time, that could lead to an
excessive CPU usage and thus a bad user experience. So by default
set it to 50.
- pop-ups: Fixed crash when getting malformed icons from .desktop
files.
My OS comes with grpcio-tools 1.36.1, which seems to work fine, so it
would be nice to allow the ui to use that instead of building 1.10.1
specifically for opensnitch.
- pop-ups: allow to configure if the "advanced view" is displayed
by default or not.
- pop-ups: allow to configure 3 more fields to filter connections by.
- services.py: fixed typo that caused an error when displaying a
message.
closes #399.
On systems that have been running for a long time (for example 552
days) we were failing parsing the starttime field:
```
Could not find or convert Starttime. This should never happen.
Please report this incident to the Opensnitch developers:
strconv.Atoi: parsing "4242026842": value out of range
```
- extra: fixed tests.
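As an added illustration of the fix described above (not opensnitch's own code): the starttime field of /proc/[pid]/stat is parsed with a 64-bit parser so it does not overflow on long-running hosts, and the comm field is skipped via its closing parenthesis rather than by whitespace. The stat line below is constructed, not captured from a real system.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed /proc/[pid]/stat sample. The comm field "(my daemon)" deliberately
// contains a space, and starttime (field 22) is 4242026842 clock ticks, which
// does not fit in a 32-bit int (the "value out of range" failure from Atoi).
const sampleStat = "1234 (my daemon) S 1 1234 1234 0 -1 4194560 100 0 0 0 5 3 0 0 20 0 1 0 4242026842 12288000 300 18446744073709551615 0 0 0 0 0 0 0 0 0 0 0 0 17 1 0 0 0 0 0"

// parseStartTime extracts field 22 (starttime, in clock ticks since boot) from a
// /proc/[pid]/stat line. The comm field is wrapped in parentheses and may contain
// spaces, so the line is split after the last ')' instead of on whitespace alone.
func parseStartTime(stat string) (uint64, error) {
	end := strings.LastIndex(stat, ")")
	if end < 0 {
		return 0, errors.New("malformed stat line: no closing parenthesis")
	}
	// rest[0] is field 3 (state), so field 22 (starttime) is rest[19].
	rest := strings.Fields(stat[end+1:])
	if len(rest) < 20 {
		return 0, fmt.Errorf("malformed stat line: only %d fields", len(rest)+2)
	}
	// ParseUint with bitSize 64 behaves the same on 32-bit and 64-bit hosts,
	// unlike strconv.Atoi whose range depends on the platform int size.
	return strconv.ParseUint(rest[19], 10, 64)
}

func main() {
	st, err := parseStartTime(sampleStat)
	fmt.Println(st, err)
}
```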
- Updates of the GUI must occur on the main thread of the app. AskRule,
Ping, Subscribe and Notifications run on a different thread.
- Fixed paused state when the daemon is running (and paused) and the GUI
is launched.
- Moved functionality to its own file/class.
- removed unused import time.
- allow to pause/start interception from tray contextual menu.
- improved case when the daemon is in paused state, and the GUI is
launched.
There's more work yet to do to improve the states when there're several
nodes connected.
closes #398
problem:
- after losing network connectivity node<->server, the node didn't restore
the connection. In reality, the connection with the server was not
closed, but the notifications channel was closed due to inactivity
after 20s.
set inactivity timeouts to 20s on both node and server. Previous
timeouts were 2h for the main connection and 20s for the streaming
channels (notifications).
- get rid of the logic to determine if the server is alive or not based
on sending pings.
Instead, use the connection events when a node connects/disconnects
(Subscribe).
The Ping call is still used to send the statistics.
other:
- fixed exception when updating the status of a node.
- fixed remote nodes rules editing.
- improved notifications when a node is not connected and an action is
performed on it (edit a rule, disable/enable a rule, etc).
If we change the monitor method from the GUI, and it fails to start
(eBPF, audit or ftrace), use the old configured method and don't save
the configuration to disk, to avoid configuring a monitor method that
doesn't work.
* Use ebpf program to find PID of new connections.
Before running the branch you have to compile ebpf_prog/opensnitch.c.
opensnitch.c is an eBPF program. Compilation requires getting the kernel source.
```
cd opensnitch
wget https://github.com/torvalds/linux/archive/v5.8.tar.gz
tar -xf v5.8.tar.gz
patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch
cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf
cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min)
cd samples/bpf && make
objdump -h opensnitch.o # you should see many sections; number 1 should be called kprobe/tcp_v4_connect
llvm-strip -g opensnitch.o # remove debug info
sudo cp opensnitch.o /etc/opensnitchd
cd ../../../daemon
```
opensnitchd expects to find opensnitch.o in /etc/opensnitchd/. Start opensnitchd with:
```
opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf
```
Co-authored-by: themighty1 <you@example.com>
Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
- ui: fixed error getting the icon of an app.
- ui: fixed getting the list of pids of an app.
- ui: improved proc details start/stop icon behaviour.
- daemon: improved error message when we fail getting the details of a
process.
others:
- changed icon search by system-search.
When building the project with protoc-gen-go version 1.5.1,
it fails with the following:
```
protoc -I. ui.proto --go_out=plugins=grpc:../daemon/ui/protocol/
protoc-gen-go: unable to determine Go import path for "ui.proto"
Please specify either:
• a "go_package" option in the .proto source file, or
• a "M" argument on the command line.
See https://developers.google.com/protocol-buffers/docs/reference/go-generated#package for more information.
--go_out: protoc-gen-go: Plugin failed with status code 1.
```
This can be fixed by adding the full go package as an option in the
proto file. To make sure the code is generated to the correct path,
we also have to add the `paths=source_relative` option to the
protoc plugin.
After this, the code is generated correctly, but the generated code
references classes like grpc.ClientConnInterface which were introduced
in 1.27.0.
- don't clean cache by number of items.
- clean inodes from cache every 2' if the descriptor symlink doesn't exist
anymore, or if the lastSeen time is more than 5 minutes.
- launch cache cleaners before starting a new process monitoring method,
and start them only once for the lifetime of the daemon.
- do not store in cache the Time objects, only the nanoseconds of
the last updated time.
- if the inode of a connection is found in cache, reorder the
descriptors to push the descriptor to the top of the list.
Also cache the inode.
It turns out that when a new connection is about to be established,
when the process resolves the domain, the same inode is used to open the
tcp connection to the target. So if it's cached we save CPU cycles.
This also occurs when we block a connection and the process retries it,
or when a connection times out and the process retries it
(telnet 1.1.1.1).