auditd events provides the parent pid of a process which has created
a connection. If we don't find the socket inode under the pid of the
process, use the ppid.
This is normally the case when systemd-* spawns a new process which
creates a new connection.
mozilla/libaudit-go does not support i386/arm/etc, and we were using it
only for parsing audit messages.
So do not use it and parse raw messages directly. WIP.
Use auditd events to keep a list of PIDs which open sockets, reading
them from the audisp af_unix plugin.
- Install auditd and audisp-plugins
- Enable the af_unix plugin (/etc/audisp-plugin/af_unix, active = yes)
- Start opensnitch with -process-monitor-method audit.
If the choosen method is audit but it's not active or not installed,
it'll fallback to /proc anyway.
If it's properly configured, a debug trace will be written to the logs:
"PID found via audit events ..."
Until now OpenSnitch used ftrace(debugfs) to search for running
processes (PIDs) and obtain the process path.
On some systems, this filesystem is not mounted or available, so we have
to rely on /proc.
After several weeks of use, I think that it's faster and more accurate
the 2nd method, search pids/cmdlines in /proc. So we offer the user to
choose which one to use.
If we can't communicate with the server (UI), apply the default
configured action. For example, if the UI is doing too much work and it
reaches the timeout, or if there's a programming error (python exception
for instance).
Sometimes the INPUT rule for to queue DNS responses was not deleted.
The code has also been reorganized.
And a minor tweak to make an if{} more idiomatic.
* Purge files when using apt remove --purge
* Display a message to uninstall installed pkgs from pypi when invoking
apt remove
* link autostart .desktop file to /usr/share/applications instead of
copying it
We parse .desktop files to get the icon of a program, but sometimes we
can't parse the Name translation due to unicode encoding problems.
Besides, on some distributions there're .desktop files without Exec=
line, so we also crash.
With this workaround we miss (mainly) the icon of a program, but at
least we won't crash.
It should help with #5.
This should fix the warning message:
"Attribute Qt::AA_EnableHighDpiScaling must be set before
QCoreApplication is created."
Which should fix the small fonts reported by some users.
We may also need AA_UseHighDpiPixmaps.
man sock_diag:
"If the nlmsg_flags field of the struct nlmsghdr header has the
NLM_F_DUMP flag set, it means that a list of sockets is being
requested; otherwise it is a query about an individual socket."
