Does the program understand process hierarchy? #406
Comments
Hi @Danny3! Right now we don't track the Parent PID of a process that's trying to open a new connection. So if you allow Program1 or Program2, you don't explicitly allow all the children initiated by these processes (curl, wget, nc, telnet, etc). For example Spotify. If you allow Spotify, you'll still be prompted to allow wget. But if you allow wget only by name (

For now what you can do is to deny/allow wget/curl/etc not only by path, but also by path + arguments + dest IP + dest port. What's not possible right now is to block or deny connections initiated by children of another process. We could study it for future releases.
Thank you very much @gustavo-iniguez-goya for the reply! My desktop environment is KDE Plasma, which has the possibility to optionally use systemd for startup, which I have activated. Could all this work done by the KDE developers to start programs in their own cgroups (if I got that right) help in any way for a future OpenSnitch to track, and maybe control together, programs and their children?
I have a different use case where the ParentID would be useful. I would like to be able to set the duration to "this instance of the app", where the instance includes any child processes.

Use case: When I open an app, e.g. a browser, I would like it to have access until I close the browser. (I close my browser many times a day.) Whenever I am using a less trusted app (e.g. tax software), I ensure the browser is closed. This way I can catch any attempts to piggyback out through the browser, e.g. a button that, when clicked, tries to use the default browser to open their URL.

I find this also makes configuring apps a bit easier. An app update often starts many processes, so "once" isn't a great solution. I can guess at the time the updates will take. I find it easier to do the updates and then restart the process to reset the firewall permissions. Now I know if the app tries anything after the update and before the timer expires.
Interesting use case @BetweenTheKeyboardAndChair, thank you for sharing. Filtering by "this instance of an app" is an old (ooold) request. I want to finish some things first, but it's definitely a feature that would be great to have.
It turns out that today, while being away from the computer, I had an alert for an unanswered outbound connection: what is interesting here is the domain that gvfsd-http has tried to connect to: i.scdn.co, which is a domain of Spotify. If we had logged the PPid, it would probably have been Spotify's.
I'm currently looking for solutions for whitelisting connections / firewall the network of containers / firejail / bubblewrap / etc, I would very much need / like this. Do you know any alternative solutions? My google searches have yielded very little information. |
Hi @deliciouslytyped ! OpenSnitch should be able to intercept connections from applications launched from firejail/bubblewrap. I'm using chromium/firefox sandboxed with firejail and connections are intercepted just fine. For containers (like docker) we need to add a fw rule: https://github.com/evilsocket/opensnitch/wiki/System-rules-legacy#intercepting-connections-from-containers |
Some use cases:

- Reject connections initiated by certain paths. Deny all connections initiated by cron* (process chain `/usr/sbin/cron` -> `/usr/bin/curl`); the regexp also covers `/usr/bin/crond`, `/usr/bin/crontab`, ...:

  ```json
  {
    "action": "reject",
    "operator": {
      "type": "list",
      "operand": "list",
      "data": "",
      "list": [
        {
          "type": "regexp",
          "operand": "process.parent.path",
          "data": "^/usr/(s|)bin/cron"
        }
      ]
    }
  }
  ```

- Reject or allow connections of binaries launched by another app:

  ```json
  {
    "action": "allow",
    "operator": {
      "type": "list",
      "operand": "list",
      "data": "",
      "list": [
        {
          "type": "simple",
          "operand": "process.parent.path",
          "data": "/opt/spotify/bin/spotify"
        },
        {
          "type": "simple",
          "operand": "process.path",
          "data": "/usr/bin/wget"
        }
      ]
    }
  }
  ```

You can also combine multiple parent paths, to allow a command launched from a specific chain of processes:

`/usr/lib/systemd/systemd` -> `/usr/sbin/cron` -> `/bin/sh` -> `/usr/bin/curl`

The order is checked from the newest process to the oldest (curl -> sh -> cron -> systemd).

The operand can be used with any of the existing types (simple, regexp, etc).

Related: #406
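The comments above describe two pieces that together give the "who called curl?" answer the issue asks for: recovering a process's ancestry from its PPid, and evaluating `process.parent.path` operators against that chain. The script below is an added example that is not OpenSnitch's code. It copies the field layout of the JSON rules in the comment above (`action`, `operator` with `type`/`operand`/`data`/`list`) but its matching semantics are a deliberate simplification that is an assumption, not a description of OpenSnitch internals: a `process.path` operator is checked against the process opening the connection, and `process.parent.path` operators, listed oldest-first in the rule, are compared in reverse against consecutive ancestors starting at the immediate parent. The process table, PIDs and the `konsole`/`bash` entries are constructed for offline use; `read_proc_table()` builds the same table from a live Linux `/proc` for anyone who wants to try it on real processes.

```python
"""Ancestry-aware rule matching in the spirit of the process.parent.path rules above.

Added example, not OpenSnitch's own code. Matching semantics are this example's
own simplification (an assumption, not OpenSnitch's algorithm):
  - "process.path" operators are checked against the connecting process,
  - "process.parent.path" operators (oldest-first in the rule) are checked in
    reverse against consecutive ancestors, nearest parent first.
"""
import os
import re

# Constructed process table: pid -> (ppid, executable path). Models the
# systemd -> cron -> sh -> curl chain from the comment, a curl run directly by
# cron, wget under Spotify, and a curl typed into a (hypothetical) konsole shell.
SAMPLE_PROCS = {
    1: (0, "/usr/lib/systemd/systemd"),
    300: (1, "/usr/sbin/cron"),
    310: (300, "/bin/sh"),
    311: (310, "/usr/bin/curl"),        # cron job via a shell
    320: (300, "/usr/bin/curl"),        # cron job running curl directly
    500: (1, "/opt/spotify/bin/spotify"),
    501: (500, "/usr/bin/wget"),
    700: (1, "/usr/bin/konsole"),       # hypothetical terminal emulator
    701: (700, "/bin/bash"),
    702: (701, "/usr/bin/curl"),        # curl typed by the user
}


def read_proc_table():
    """Build the same table from a live Linux /proc (PPid from status, path from exe)."""
    table = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/status") as fh:
                ppid = next(int(line.split()[1]) for line in fh if line.startswith("PPid:"))
            path = os.readlink(f"/proc/{pid}/exe")
        except (OSError, StopIteration):
            continue  # exited meanwhile, kernel thread, or no permission
        table[pid] = (ppid, path)
    return table


def ancestry(pid, table):
    """Executable paths from pid up to init, newest process first."""
    chain, seen = [], set()
    while pid in table and pid not in seen:  # `seen` guards against a corrupt/cyclic table
        seen.add(pid)
        ppid, path = table[pid]
        chain.append(path)
        pid = ppid
    return chain


def _op_matches(op, value):
    """Evaluate one operator of the kinds used in the rules above."""
    if op["type"] == "simple":
        return value == op["data"]
    if op["type"] == "regexp":
        return re.search(op["data"], value) is not None
    raise ValueError(f"operator type {op['type']!r} not handled in this example")


def rule_matches(rule, pid, table):
    """True when every operator in the rule matches pid and its ancestry."""
    chain = ancestry(pid, table)
    if not chain:
        return False
    operator = rule["operator"]
    ops = operator["list"] if operator["type"] == "list" else [operator]
    parent_ops = [op for op in ops if op["operand"] == "process.parent.path"]
    parents = chain[1:]
    # Rule lists parents oldest-first (systemd, cron, sh); the chain is walked
    # newest-first (sh, cron, systemd), so compare reversed, ancestor by ancestor.
    for depth, op in enumerate(reversed(parent_ops)):
        if depth >= len(parents) or not _op_matches(op, parents[depth]):
            return False
    for op in ops:
        if op["operand"] == "process.parent.path":
            continue
        if op["operand"] != "process.path":
            raise ValueError(f"operand {op['operand']!r} not handled in this example")
        if not _op_matches(op, chain[0]):
            return False
    return True


def decide(rules, pid, table):
    """Action of the first enabled matching rule; None means OpenSnitch would prompt."""
    for rule in rules:
        if rule.get("enabled", True) and rule_matches(rule, pid, table):
            return rule["action"]
    return None


def _parent(path, kind="simple"):
    return {"type": kind, "operand": "process.parent.path", "data": path}


def _list_rule(name, action, ops):
    return {"name": name, "enabled": True, "action": action,
            "operator": {"type": "list", "operand": "list", "data": "", "list": ops}}


# The rules from the comment above, plus the systemd -> cron -> sh -> curl chain.
DENY_CRON_CHILDREN = _list_rule("deny-cron-children", "reject",
                                [_parent("^/usr/(s|)bin/cron", "regexp")])
ALLOW_SPOTIFY_WGET = _list_rule("allow-spotify-wget", "allow",
                                [_parent("/opt/spotify/bin/spotify"),
                                 {"type": "simple", "operand": "process.path", "data": "/usr/bin/wget"}])
ALLOW_CRON_SH_CURL = _list_rule("allow-cron-sh-curl", "allow",
                                [_parent("/usr/lib/systemd/systemd"), _parent("/usr/sbin/cron"),
                                 _parent("/bin/sh"),
                                 {"type": "simple", "operand": "process.path", "data": "/usr/bin/curl"}])
RULES = [ALLOW_CRON_SH_CURL, DENY_CRON_CHILDREN, ALLOW_SPOTIFY_WGET]

if __name__ == "__main__":
    for pid in (311, 320, 501, 702):
        print(pid, " <- ".join(ancestry(pid, SAMPLE_PROCS)), "=>", decide(RULES, pid, SAMPLE_PROCS))
```

Two things worth noticing when running it. The single-operator `deny-cron-children` rule rejects curl started directly by cron (pid 320) but does not match curl started by cron through `/bin/sh` (pid 311), because under these semantics a parent operator only sees the immediate parent; the chain rule has to spell out `sh` to cover that case, which is exactly why the comment shows combining several parent paths. And the user's own curl under a terminal (pid 702) matches nothing and returns `None`, i.e. the prompt the issue author describes. Rule order in `RULES` is also a simplification: OpenSnitch has its own precedence handling, which this example does not model.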
Hello everyone!
I have seen that the program's pop-ups sometimes show generic tools wanting to connect to the internet, like http, curl, etc.
So it got me wondering...
What if we have two programs:
Program 1
Program 2
And both take advantage of a third-party tool like CURL (or wget).
It looks to me that if I want to allow Program 1 but deny Program 2, I would also need to allow CURL for Program 1 to work.
But if I do so, I don't see what's stopping Program 2 from using the allowed CURL too, to send and receive the data it wants, even though Program 2 is denied.
Can OpenSnitch look at who (which program) called CURL and allow or deny its connection based on the allowed/denied permission of the caller, making the permission for CURL dynamic?
From what I know, systemd should have a hierarchy of which programs started which programs, but I don't know if it can track who called whom.
Does OpenSnitch have such a capability, or could it be implemented in the future with the help of systemd or another tool?