Commit graph

1621 commits

Author SHA1 Message Date
Gustavo Iñiguez Goia
5877e6c6d0
deb: warn about buggy python3-grpcio version (1.30.2-3build6)
Ubuntu jammy package python3-grpcio, version 1.30.2-3build6, has a bug
which causes applications to use 100% of the CPU.

If after installing we detect that the buggy version is installed,
display a warning to the user with instructions on how to solve the
problem and links to the bug reports.

More information:
 - https://bugs.launchpad.net/ubuntu/+source/grpc/+bug/1971114
 - https://github.com/evilsocket/opensnitch/issues/647

(cherry picked from commit c89b4908ce)
2024-07-02 00:17:20 +02:00
Gustavo Iñiguez Goia
a6fe895a67
ui,ruleseditor: add rules correctly to the db
Operator list was not converted to JSON string when saving the rule to
the DB.

Related: #1047
(cherry picked from commit 67149269cd)
2024-06-27 14:07:45 +02:00
Gustavo Iñiguez Goia
ae9aa40c37
deserialize rules operator list correctly
In b93051026e we disabled sending/parsing
list operators as JSON strings. Instead, now it's sent/parsed as a
protobuf Rule, and saved to disk as a JSON array, which eases the task of
manually creating new rules if needed.

This change was missing in the previous commit.

(cherry picked from commit 2fc9ed276b)
2024-06-21 14:35:15 +02:00
Gustavo Iñiguez Goia
987a227a42
updated rules tests
(cherry picked from commit 40b738ffea)
2024-06-21 14:11:54 +02:00
Gustavo Iñiguez Goia
fe66f9aa17
rules: improved operator list parsing and conversion
Previously when creating a new rule we followed these steps:
 - Create a new protobuf Rule object from the ruleseditor or the
   pop-ups.
 - If the rule contained more than one operator, we converted the
   list of operators to a JSON string.
 - This JSON string was sent back to the daemon, and saved to the
   DB.
 - The list of operators was never expanded on the GUI, i.e., it
   was not saved as a list of protobuf Operator objects.
 - Once received in the daemon, the JSON string was parsed and
   converted to a protobuf Operator list of objects.
   Both the JSON string and the list of protobuf Operator objects were
   saved to disk, but the JSON string was ignored when loading the
   rules.

Saving the list of operators as a JSON string was a problem if you
wanted to create or modify rules without the GUI.

Now when creating or modifying rules from the GUI, the list of operators
is no longer converted to JSON string. Instead the list is sent to the
daemon as a list of protobuf Operators, and saved as JSON objects.

Notes:
 - The JSON string is no longer saved to disk as part of the rules.
 - The list of operators is still saved as JSON string to the DB.
 - About not enabled rules:
   Previously, not enabled rules only had the list of operators as JSON
   string, with the field list:[] empty.
   Now the list of operators is saved as JSON objects, but if the rule
   is not enabled, it won't be parsed/loaded.

Closes #1047

(cherry picked from commit b93051026e)
2024-06-21 11:38:46 +02:00
Gustavo Iñiguez Goia
4e7f1aeae7
Bumped versions to v1.6.6 2024-06-20 00:45:33 +02:00
Gustavo Iñiguez Goia
31fc42a764
ui,prefs: fixed changing qspinbox values
When changing qspinbox values (density scale, refresh interval, etc),
we were unintentionally changing [x] Disable popups option.

(cherry picked from commit acdd2b34ec)
2024-06-20 00:41:04 +02:00
Gustavo Iñiguez Goia
1ec8a0213a
ui: fixed exporting/importing rules
When exporting rules, use rfc3339 format for the Created field.
We were exporting it as timestamp, which caused issues when
importing the rules.

Related:
 58aa979cae
 issue #1140
(cherry picked from commit 552aed5bc5)
2024-06-19 18:56:25 +02:00
Gustavo Iñiguez Goia
7519db7aeb
fixed loading rules when Created field is a timestamp
When exporting rules from the GUI, the Created field was exported as a
timestamp. Importing rules worked fine, because json.Marshal() accepts
the timestamp format.

However, when the daemon was loading a rule with the Created field as a
timestamp, since the field was defined as time.Time, it expected an RFC3339
string (https://pkg.go.dev/time#Time.UnmarshalJSON)
so it failed to parse the timestamp and the rule was not loaded.

Now the field is defined as string, it's always saved as RFC3339, and if
we fail to parse these fields we'll use a temporary date instead of
failing to load the rule.

More info:
https://github.com/evilsocket/opensnitch/issues/1140#issuecomment-2140904847

(cherry picked from commit 58aa979cae)
2024-06-19 00:16:29 +02:00
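An added example in Go of the lenient Created handling the commit above describes (example code, not OpenSnitch's own): a wrapper type whose UnmarshalJSON accepts an RFC 3339 string and, going beyond what the commit states, also a Unix timestamp given as a JSON number or as a string, and otherwise substitutes a placeholder date instead of failing the whole rule; MarshalJSON always writes RFC 3339. The Rule and CreatedTime type names, the fixed fallback date, and the sample inputs are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Rule is a minimal stand-in for a rule file; only the Created field
// matters for this example.
type Rule struct {
	Name    string      `json:"name"`
	Created CreatedTime `json:"created"`
}

// CreatedTime wraps time.Time with a lenient decoder. The stock time.Time
// decoder only accepts an RFC 3339 string, so a rule whose "created" value
// is a Unix timestamp would fail to load as a whole.
type CreatedTime struct {
	time.Time
	// Recovered is true when the stored value was unusable and the
	// placeholder date was substituted, so the loader can log it.
	Recovered bool
}

// fallbackCreated stands in for the "temporary date" used when the stored
// value cannot be parsed. A fixed date keeps this example deterministic
// (constructed value); a real loader would more likely use time.Now().
var fallbackCreated = time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)

// UnmarshalJSON accepts, in order: an RFC 3339 string, a Unix timestamp
// encoded as a JSON number, a Unix timestamp encoded as a JSON string,
// and otherwise the fallback date. It never returns an error, so a bad
// Created value can no longer prevent the rest of the rule from loading.
func (c *CreatedTime) UnmarshalJSON(b []byte) error {
	raw := strings.TrimSpace(string(b))
	if raw == "null" {
		*c = CreatedTime{Time: fallbackCreated, Recovered: true}
		return nil
	}
	var s string
	if err := json.Unmarshal(b, &s); err == nil {
		if t, err := time.Parse(time.RFC3339, s); err == nil {
			*c = CreatedTime{Time: t}
			return nil
		}
		raw = s // not RFC 3339; maybe a timestamp stored as a string
	}
	if secs, err := strconv.ParseFloat(raw, 64); err == nil {
		*c = CreatedTime{Time: time.Unix(int64(secs), 0).UTC()}
		return nil
	}
	*c = CreatedTime{Time: fallbackCreated, Recovered: true}
	return nil
}

// MarshalJSON always writes RFC 3339 in UTC, so files written by this code
// are readable by a strict time.Time decoder as well.
func (c CreatedTime) MarshalJSON() ([]byte, error) {
	return json.Marshal(c.Time.UTC().Format(time.RFC3339))
}

// loadRule decodes one rule; only structural JSON errors are fatal.
func loadRule(data []byte) (Rule, error) {
	var r Rule
	err := json.Unmarshal(data, &r)
	return r, err
}

func main() {
	// Constructed inputs covering the shapes a rule file may carry.
	inputs := []string{
		`{"name":"rfc3339","created":"2024-06-19T00:16:29+02:00"}`,
		`{"name":"number","created":1718748989}`,
		`{"name":"garbage","created":"yesterday"}`,
	}
	for _, in := range inputs {
		r, err := loadRule([]byte(in))
		if err != nil {
			fmt.Println("load failed:", err)
			continue
		}
		out, _ := json.Marshal(r)
		fmt.Printf("%-8s recovered=%-5v -> %s\n", r.Name, r.Created.Recovered, out)
	}
}
```

The Recovered flag is what makes the fallback safe operationally: a rule whose Created value was replaced still loads, but the loader can report it so the file gets repaired rather than silently carrying a fake date.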
Gustavo Iñiguez Goia
94e8156ce2
ui: keep working if pyinotify fails loading
pyinotify has stopped working in python3.12; it fails to load with the
error:
ModuleNotFoundError: No module named 'asyncore'

For now, ignore this error and keep working as usual.
Application icons will be loaded on GUI startup, but we lose the
ability to discover the icons of applications while the GUI is
running.

(cherry picked from commit ad8e2f5371)
2024-06-14 01:21:21 +02:00
Gustavo Iñiguez Goia
0fc4239453
ui: fixed exporting rules to the clipboard
We were not formatting the "created" date field properly.
More info: https://github.com/evilsocket/opensnitch/issues/1140#issuecomment-2140904847

(cherry picked from commit b096e664c7)
2024-06-14 01:19:32 +02:00
Gustavo Iñiguez Goia
496e9055a1
Remove duplicate regex in system.go for -check-requirements
(cherry picked from commit fa2f1068f6)
2024-06-14 01:18:39 +02:00
Gustavo Iñiguez Goia
ff407e72af
ui,prefs: node auth settings improvements
 - Added a "More information" label to the preferences dialog, which
   opens a link to our wiki with more information.
 - Allow configuring node auth settings from the GUI:
   When we added the authentication options (12b4cf3104,
   6556eed1ae, f63d9dce72)
   we allowed configuring auth options from the GUI, but only if the
   nodes already had the options configured. If the auth options
   received were empty, we simply disabled the auth options on the
   preferences dialog.

   Now we build the configuration in this scenario, and send it back to
   the nodes.

(cherry picked from commit 8c25c3f7df)
2024-06-14 01:17:39 +02:00
Gustavo Iñiguez Goia
03439f4f9c
ui, prefs: ignore SameFile error when enabling autostart
When clicking [x] Autostart the GUI upon login, ignore the exception if
src and dst (opensnitch_ui.desktop) are the same file.

(cherry picked from commit 0c8935c6e8)
2024-06-14 01:08:31 +02:00
Gustavo Iñiguez Goia
7653a0a1c1
Improve wording
(cherry picked from commit d6f3552fa0)
2024-06-14 01:06:06 +02:00
Gustavo Iñiguez Goia
c5409755bc
ui, prefs: improved loading auth options
(cherry picked from commit 0cc4d88e35)
2024-06-14 01:05:14 +02:00
Gustavo Iñiguez Goia
93a3fb7eb6
added more kernel config paths for checking system requirements
On Fedora Silverblue the kernel config of the current kernel is under
/usr/lib/modules/<kernel>/config

(cherry picked from commit 81dd625a1c)
2024-06-13 22:13:56 +02:00
Gustavo Iñiguez Goia
f4084d763c
updated workflow compilation deps
google.golang.org/protobuf/cmd/protoc-gen-go@v1.34.2 generates
protobuffers incompatible with go1.17, it fails with the error:
"ui/protocol/ui.pb.go:2716:47: predeclared any requires go1.18 or later
(-lang was set to go1.17; check go.mod)"

Notes:
 - consider using go1.18 as the minimum required version if there's no
   problem compiling the daemon on Debian <= 13 and other distros.
 - github.com/golang/protobuf is deprecated and we should get rid of
   it.
2024-06-13 13:21:39 +02:00
Gustavo Iñiguez Goia
ead45b062c
bumped minimum required go version to 1.17 2024-06-13 00:49:35 +02:00
Gustavo Iñiguez Goia
cd2dc2535c
ui, prefs: load and conf daemon DefaultAction
In f5f30b1e58 we added the option to
reject connections as DefaultAction.

If configured, load and set it in the preferences dialog.

(cherry picked from commit a21a316e34)
2024-06-13 00:23:55 +02:00
Gustavo Iñiguez Goia
801e797ad6
use go-gen-grpc@v1.3.0 for compiling the daemon
With @1.4.0 it fails with the error "undefined: grpc.StaticMethod"

(cherry picked from commit 68de35141b)
2024-06-13 00:22:17 +02:00
Gustavo Iñiguez Goia
91190c80aa
added Reject to the list of DefaultActions(s)
We only offered two options for the DefaultAction option: allow/deny.

We have supported "reject"ing connections for a long time, but it was not
configurable as the DefaultAction.

(cherry picked from commit f5f30b1e58)
2024-06-13 00:09:00 +02:00
Gustavo Iñiguez Goia
8895d6f024
disable (process) ebpf events when too many errors
If an invalid opensnitch-procs.o module was loaded, we were flooding
the log with errors.
In these cases stop processing events after 20 errors (random, we should
have no errors).

This may occur if the module is malformed (valid .o ebpf module but
different structs, etc), or when loading modules from other versions.

(cherry picked from commit 0a911ef791)
2024-06-12 23:58:10 +02:00
Gustavo Iñiguez Goia
362c0da53f
ui: allow configuring screen/themes scale factor
Added new options to the Preferences dialog, to configure screens/themes
scale factor.

If the UI is using the System theme (default), configure Qt scale
options (needs UI restart):
QT_AUTO_SCREEN_SCALE_FACTOR (default True)
QT_SCREEN_SCALE_FACTORS (If auto scale is False, use this value(s))

The user can configure different scale factors for multiple screens, by
separating values with ; (1;1.5, etc...)

https://doc.qt.io/qt-5/highdpi.html#high-dpi-support-in-qt

If the UI is using a qt-material theme, you can configure the "density"
scale of the theme:
https://github.com/UN-GCPDS/qt-material?tab=readme-ov-file#density-scale

https://github.com/evilsocket/opensnitch/wiki/GUI-known-problems#gui-size-problems-on-4k-monitors

(cherry-picked from bf9801f917)
2024-06-12 22:04:50 +02:00
Gustavo Iñiguez Goia
15fcf67535
ebpf: performance improvement for opensnitch-procs
We were sending to userspace unnecessary exit events, consuming
unnecessary CPU cycles.

We only intercept execve and execveat, but sched_process_exit is invoked
by more functions (sched_process_exit, clone, ...), so we were receiving
events on the daemon that we did nothing with, apart from consuming
CPU cycles.

In some scenarios, like servers running saltstack (as salt-master),
this caused more CPU consumption than needed.
2024-02-26 12:44:01 +01:00
Gustavo Iñiguez Goia
9a605d3ef3
ui: versions comparing improvements
When comparing UI/daemon versions to see if they're compatible, we only
use the first 2 components (1.7.xxx), so discard the rest to allow
different versions (1.6.5.1, 1.6.5-1, 1.6.5-rc1, etc).
2024-02-09 17:01:55 +01:00
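An added example of the major.minor comparison described above, written in Go rather than the GUI's Python and not taken from the project: only the first two numeric components are compared, so 1.6.5.1, 1.6.5-1 and 1.6.5-rc1 all count as compatible with any 1.6.x. The function names majorMinor and compatible, the tolerance for a leading "v", and the sample version strings are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// majorMinor extracts the first two numeric components of a version string.
// A leading "v", extra components ("1.6.5.1"), package revisions ("1.6.5-1")
// and pre-release tags ("1.6.5-rc1") are all tolerated: everything after the
// second component is discarded, and within a component only the leading
// digit run is used.
func majorMinor(v string) (major, minor int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	parts := strings.SplitN(v, ".", 3)
	if len(parts) < 2 {
		return 0, 0, fmt.Errorf("version %q has fewer than two components", v)
	}
	nums := make([]int, 2)
	for i := 0; i < 2; i++ {
		digits := parts[i]
		// Cut at the first non-digit so "6-rc1" becomes "6".
		if cut := strings.IndexFunc(digits, func(r rune) bool { return r < '0' || r > '9' }); cut >= 0 {
			digits = digits[:cut]
		}
		n, convErr := strconv.Atoi(digits)
		if convErr != nil {
			return 0, 0, fmt.Errorf("version %q: component %q is not numeric", v, parts[i])
		}
		nums[i] = n
	}
	return nums[0], nums[1], nil
}

// compatible reports whether two versions share major and minor numbers.
// Unparseable input is treated as incompatible rather than as a match, so a
// malformed version string from a remote peer cannot pass the check by accident.
func compatible(a, b string) bool {
	am, an, err := majorMinor(a)
	if err != nil {
		return false
	}
	bm, bn, err := majorMinor(b)
	if err != nil {
		return false
	}
	return am == bm && an == bn
}

func main() {
	// Constructed UI/daemon version pairs.
	pairs := [][2]string{
		{"1.6.5.1", "1.6.6"},
		{"1.6.5-1", "v1.6.5-rc1"},
		{"1.7.0", "1.6.5"},
		{"1", "1.6"},
	}
	for _, p := range pairs {
		fmt.Printf("%-10s vs %-10s compatible=%v\n", p[0], p[1], compatible(p[0], p[1]))
	}
}
```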
Gustavo Iñiguez Goia
b05eace022
Bump GUI versions to 1.6.5.1 2024-02-09 14:51:17 +01:00
Gustavo Iñiguez Goia
6809776393
pop-ups: fixed regression for remote nodes
When a new pop-up is triggered from a remote node, the GUI crashed.
This error was introduced by commit 9fc1da5.

Thanks to @zero77 for reporting it super fast (#1093).
2024-02-09 13:21:01 +01:00
Gustavo Iñiguez Goia
1d2c0703ff
pop-ups: filter by absolute path+cmdline in some cases
If the pop-ups' target is to filter by cmdline, but the typed/launched
command is not absolute or it starts with /proc, also filter by the
absolute path to the binary.
2024-02-08 17:53:07 +01:00
Gustavo Iñiguez Goia
dd3aba1a6a
ui: use appimages pattern as default target if found
If the path of a process starts with /tmp/.mount_*, which is the common
path for appimages, use it as the default target on the popups.

Previously it was only added to the list of targets, but preselecting it
will help users to create rules for appimages.

(cherry picked from commit 016f4842ff)
2024-02-08 15:34:05 +01:00
Gustavo Iñiguez Goia
b99714ff59
pkgs: improved rpm upgrades
We were not handling configuration upgrades properly on rpm based
systems.

Now local changes to default-config.json and system-fw.json are kept,
and if the distributed files change in the future, new files will be
created with the extension .rpmnew

(cherry picked from commit dddfdc924e)
2024-02-02 14:21:25 +01:00
Gustavo Iñiguez Goia
da99686ab0
clean dns ebpf hooks on exit
We were not reacting to common exit signals, only to kill/interrupt
signals, so the DNS uprobes were never properly removed. Each uprobe
has the PID of the daemon in the identifier, so in theory, there
shouldn't be conflicts, but it's better to clean our probes on exit.

Previous to this commit, with the daemon running
(and a lot of starts/stops):

~ # cat /sys/kernel/debug/tracing/uprobe_events |wc -l
367

after stopping the daemon:
~ # cat /sys/kernel/debug/tracing/uprobe_events |wc -l
364

~ # > /sys/kernel/debug/tracing/uprobe_events
~ # cat /sys/kernel/debug/tracing/uprobe_events |wc -l
0

~ # cp opensnitchd-new /usr/bin/opensnitchd ; service opensnitchd start
~ # cat /sys/kernel/debug/tracing/uprobe_events |wc -l
3
~ # service opensnitchd stop
~ # cat /sys/kernel/debug/tracing/uprobe_events |wc -l
0

(cherry picked from commit 785500cd08)
2024-01-28 01:14:15 +01:00
Gustavo Iñiguez Goia
d2d89e2359
on aarch64 send exec events directly to userspace
In 68c2c8ae1a we excluded failed execve*
calls from being delivered to userspace, in order to get the binary that
was executed and avoid errors/confusion.

But on aarch64, it seems that we fail to save the exec event to a map,
so the event is never delivered to userspace.

So for the time being, send the exec events as soon as they arrive on
aarch64, without checking if the call failed.

(cherry picked from commit c118058dd8)
2024-01-26 21:10:56 +01:00
Gustavo Iñiguez Goia
9a6dfe7797
ebpf,dns: initialized structs
On the previous commit we just disabled dns uprobes for armhf/i386 to
avoid loading errors. A better fix is to initialize the structs used.
On armhf it still fails after loading, when attaching to the uprobes
(offsets?), and on i386 it doesn't seem to send anything to userspace
(more analysis needed).

- Increased the number of IPs associated with a domain that are
  delivered to userspace. (getfedora.org returns 30 ipv4+ipv6).
- Fixed getting the aliases of a domain when using gethostbyname().

(cherry picked from commit 27509d6fe0)
2024-01-26 20:55:07 +01:00
Gustavo Iñiguez Goia
0a8827d051
added more debug info to the dns ebpf hook
Added the path to the libc as well as the calculated offset for the
uprobe.
Don't return on the first error found loading a uprobe, instead try all
the uprobes and return if the loaded uprobes are 0.

(cherry picked from commit 55678b4d3b)
2024-01-26 14:53:43 +01:00
Gustavo Iñiguez Goia
c514946f61
fixed dns ebpf module for i386/arm architecture
The opensnitch-dns module was not loading on i386/arm architectures.
With the following changes it loads and some uprobes are attached.

for-loop unrolling still doesn't work, though, on i386/armhf (help
needed).

And on armhf the perf_output channel fails to load for some uprobes.

(cherry picked from commit d55e567dd8)
2024-01-26 14:24:41 +01:00
Gustavo Iñiguez Goia
2906470ea0
updated modules action to build 1.6.0 branch only 2024-01-24 23:56:41 +01:00
Gustavo Iñiguez Goia
34b595e50a
updated daemon/ui tests
They were failing when building the deb packages.
2024-01-24 20:22:34 +01:00
Gustavo Iñiguez Goia
5912b8e9d7
Bump packages versions to 1.6.5 2024-01-24 20:09:26 +01:00
Gustavo Iñiguez Goia
871238e07a
on errors stop established conns monitor
There's a long running task that monitors established connections every
~2s.

When a connection is not found via ebpf or proc, sometimes it's found
there so we can use the inode to search for the process.

However on some systems the netlink call to dump the sockets may fail
continuously, wasting resources. It'll also fail if you block connections
to port 0 (common case for ICMP packets).

So if there are too many errors dumping the sockets, stop this task in
these cases.
2024-01-21 11:13:07 +01:00
Gustavo Iñiguez Goia
43477ebcbe
rules: fixed typo checking proc arguments 2024-01-15 21:56:55 +01:00
Gustavo Iñiguez Goia
b9ec5242f2
strings concatenation improvements
Use strings.Join() to concatenate strings, instead of Sprint*(), for
better performance.
2024-01-15 17:44:32 +01:00
Gustavo Iñiguez Goia
0340e77aa1
added go.sum 2024-01-14 19:15:53 +01:00
Gustavo Iñiguez Goia
fdba19c0c3
structs fields reorganized
Structs' fields reorganized based on fieldalignment tool feedback.
2024-01-13 22:15:23 +01:00
Gustavo Iñiguez Goia
60c6ac4aa8
Bump daemon and ui versions to 1.6.5 2024-01-10 01:05:34 +01:00
Gustavo Iñiguez Goia
4bff5c3037
ebpf: delete pid from exec maps if it exists
We track new processes execution by intercepting the enter and exit
of the functions, but sometimes the exit hook is not called, so the
corresponding entry was not being removed from the map.
In this situation the map becomes full and accepts no new entries.

Now the entry is deleted from the map once the process exits, if it
still exists in the map.

(cherry picked from commit 9446d191f0)
2024-01-09 12:42:48 +01:00
Gustavo Iñiguez Goia
5d33f41717
ebpf: fixed dns uprobes
We were not deleting DNS entries from the hash map, so when it reached
the maximum capacity (12k entries), we couldn't allocate new entries,
resulting in events not being sent to userspace.

(cherry picked from commit 1518cb39de)
2024-01-09 12:42:20 +01:00
Gustavo Iñiguez Goia
1ae20c3aa3
ebpf: fixed getting ppid, skip failed execve's
 - Fixed getting ppid (precompiled .o won't probably work).
 - Skip failed execve* calls.

(cherry picked from commit 68c2c8ae1a)
2024-01-09 11:53:23 +01:00
Gustavo Iñiguez Goia
eafb70fb55
fixed loading dns ebpf module
Closes #1076

(cherry picked from commit 159494d1e2)
2024-01-09 10:16:23 +01:00
Gustavo Iñiguez Goia
5c6da0a8ab
allow configuring ebpf modules path
Now it's possible to configure eBPF modules path from the
default-config.json file:
 "Ebpf": {
   "ModulesPath": "..."
 }

If the option is not provided, or if it's empty, we'll keep loading from
the default directories:

 - /usr/local/lib/opensnitchd/ebpf
 - /usr/lib/opensnitchd/ebpf
 - /etc/opensnitchd/ebpf (deprecated, will be removed in the future).

Closes #928

(cherry picked from commit ffb76683aa)
2024-01-08 23:49:36 +01:00