opensnitch/daemon/rule
Gustavo Iñiguez Goia 2509d21e30
daemon: allow to filter connections by parent path
Some use cases:

 - Reject connections initiated by certain paths:

   Deny all connections initiated by cron*:
        /usr/sbin/cron
            /usr/bin/curl

     "action": "reject",
     "operator": {
        "type": "list",
        "operand": "list",
        "data": "",
        "list": [
           {
                "type": "regexp",
                "operand": "process.parent.path",

                // /usr/bin/crond, /usr/bin/crontab, ...
                "data": "^/usr/(s|)bin/cron"
           }
        ]
     }

 - Reject or Allow connections of binaries launched by another app:

       "action": "allow",
       "operator": {
           "type": "list",
           "operand": "list",
           "data": "",
           "list": [
               {
                   "type": "simple",
                   "operand": "process.parent.path",
                   "data": "/opt/spotify/bin/spotify"
               },
               {
                   "type": "simple",
                   "operand": "process.path",
                   "data": "/usr/bin/wget"
               }
           ]
       }

You can also combine multiple parent paths, to allow a command launched
from a specific chain of processes:

    /usr/lib/systemd/systemd
        /usr/sbin/cron
             /bin/sh
                 /usr/bin/curl

The order is checked from the newest process to the oldest (curl -> sh
-> cron -> systemd)

The operand can be used with any of the existing types (simple, regexp,
etc).

Related: #406
2025-02-13 01:23:31 +01:00
..
testdata rules: improved operator list parsing and conversion 2023-10-09 14:55:15 +02:00
loader.go exclude disabled rules from the active rules 2025-02-08 15:12:11 +01:00
loader_test.go exclude disabled rules from the active rules 2025-02-08 15:12:11 +01:00
operator.go daemon: allow to filter connections by parent path 2025-02-13 01:23:31 +01:00
operator_lists.go allow to use lists of md5s to block connections 2025-01-24 00:47:02 +01:00
operator_test.go updated rules tests 2023-09-22 01:21:27 +02:00
rule.go fixed loading rules when Created field is a timestamp 2024-06-10 23:54:54 +02:00
rule_test.go deserialize rules operator list correctly 2023-11-11 02:16:08 +01:00