evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

some applications bypass opensnitch like wget or #171

Closed TraxXavier closed 3 years ago

TraxXavier commented 6 years ago

Some applications bypass opensnitch, like wget or transmission, while for firefox it works fine. It seems to be a major issue, as of course no application should be able to bypass the tool.

evilsocket commented 6 years ago

any log you can provide?

TraxXavier commented 6 years ago

```
[2018-05-08 17:23:27]  IMP  Starting opensnitch-daemon v1.0.0b
[2018-05-08 17:23:27]  INF  Loading rules from /etc/opensnitchd/rules ...
[2018-05-08 17:23:28]  INF  Running on netfilter queue #0 ...
[2018-05-08 17:23:41]  INF  Connected to the UI service on /tmp/osui.sock
[2018-05-08 17:25:14]  IMP  Saved new rule: allow if process.path is '/lib/systemd/systemd-resolved'
[2018-05-08 17:25:14]  IMP  Ruleset changed due to allow-simple-libsystemdsystemd-resolved.json, reloading ...
[2018-05-08 17:25:24]  IMP  Ruleset changed due to allow-simple-usrlibfirefoxfirefox.json, reloading ...
[2018-05-08 17:25:24]  IMP  Saved new rule: allow if process.path is '/usr/lib/firefox/firefox'
[2018-05-08 17:26:57]  IMP  Ruleset changed due to allow-simple-snapcore4571usrlibsnapdsnapd.json, reloading ...
[2018-05-08 17:26:57]  IMP  Saved new rule: allow if process.path is '/snap/core/4571/usr/lib/snapd/snapd'
[2018-05-08 17:27:06]  IMP  Saved new rule: allow if process.path is '/usr/bin/gnome-software'
[2018-05-08 17:27:06]  IMP  Ruleset changed due to allow-simple-usrbingnome-software.json, reloading ...
[2018-05-08 17:30:06]  IMP  Saved new rule: allow if process.path is '/usr/sbin/NetworkManager'
[2018-05-08 17:30:06]  IMP  Ruleset changed due to allow-simple-usrsbinnetworkmanager.json, reloading ...

[2018-05-08 17:39:31]  IMP  Got signal: terminated
[2018-05-08 17:39:31]  INF  Cleaning up ...
[2018-05-08 17:40:31]  IMP  Starting opensnitch-daemon v1.0.0b
[2018-05-08 17:40:31]  INF  Loading rules from /etc/opensnitchd/rules ...
[2018-05-08 17:40:36]  INF  Running on netfilter queue #0 ...
[2018-05-08 17:41:25]  INF  Connected to the UI service on /tmp/osui.sock
```

By then I had already downloaded two files with wget.

evilsocket commented 6 years ago

can you attach the contents of your /etc/opensnitchd/rules folder as well please?

TraxXavier commented 6 years ago

It's empty. For this test I removed all rules and rebooted; after the reboot the only process I allowed temporarily was "/lib/systemd/systemd-resolved". After that, wget could download files over http and transmission could connect to torrent peers; no other prompts than the one for systemd-resolved were generated by the UI.

evilsocket commented 6 years ago

oh i see ... may i ask you to repeat the test with debug logging enabled ( -debug ), then?

TraxXavier commented 6 years ago

Sure, where do I add the -debug to? Trying to start opensnitch-ui with it complains about an unrecognized command line. How do I pass it to the daemon?

TraxXavier commented 6 years ago

I noticed that when I restart the service after a reboot it shows a message for wget just fine. Only right after the reboot it does not see it.

evilsocket commented 6 years ago

yes it's an argument for the daemon

TraxXavier commented 6 years ago

How do I pass a parameter to a daemon that is being started at boot? What file do I have to add the parameter to?

evilsocket commented 6 years ago

change the command line on /etc/systemd/system/opensnitchd.service

TraxXavier commented 6 years ago

```
[2018-05-08 17:23:27]  IMP  Starting opensnitch-daemon v1.0.0b
[2018-05-08 17:23:27]  INF  Loading rules from /etc/opensnitchd/rules ...
[2018-05-08 17:23:28]  INF  Running on netfilter queue #0 ...
[2018-05-08 17:23:41]  INF  Connected to the UI service on /tmp/osui.sock
[2018-05-08 17:25:14]  IMP  Saved new rule: allow if process.path is '/lib/systemd/systemd-resolved'
[2018-05-08 17:25:14]  IMP  Ruleset changed due to allow-simple-libsystemdsystemd-resolved.json, reloading ...
[2018-05-08 17:25:24]  IMP  Ruleset changed due to allow-simple-usrlibfirefoxfirefox.json, reloading ...
[2018-05-08 17:25:24]  IMP  Saved new rule: allow if process.path is '/usr/lib/firefox/firefox'
[2018-05-08 17:26:57]  IMP  Ruleset changed due to allow-simple-snapcore4571usrlibsnapdsnapd.json, reloading ...
[2018-05-08 17:26:57]  IMP  Saved new rule: allow if process.path is '/snap/core/4571/usr/lib/snapd/snapd'
[2018-05-08 17:27:06]  IMP  Saved new rule: allow if process.path is '/usr/bin/gnome-software'
[2018-05-08 17:27:06]  IMP  Ruleset changed due to allow-simple-usrbingnome-software.json, reloading ...
[2018-05-08 17:30:06]  IMP  Saved new rule: allow if process.path is '/usr/sbin/NetworkManager'
[2018-05-08 17:30:06]  IMP  Ruleset changed due to allow-simple-usrsbinnetworkmanager.json, reloading ...

[2018-05-08 17:39:31]  IMP  Got signal: terminated
[2018-05-08 17:39:31]  INF  Cleaning up ...
[2018-05-08 17:40:31]  IMP  Starting opensnitch-daemon v1.0.0b
[2018-05-08 17:40:31]  INF  Loading rules from /etc/opensnitchd/rules ...
[2018-05-08 17:40:36]  INF  Running on netfilter queue #0 ...
[2018-05-08 17:41:25]  INF  Connected to the UI service on /tmp/osui.sock

[2018-05-12 07:52:35]  IMP  Got signal: terminated
[2018-05-12 07:52:35]  INF  Cleaning up ...
[2018-05-12 07:53:37]  IMP  Starting opensnitch-daemon v1.0.0b
[2018-05-12 07:53:37]  INF  Loading rules from /etc/opensnitchd/rules ...
[2018-05-12 07:53:37]  DBG  Reading rule from /etc/opensnitchd/rules/allow-simple-libsystemdsystemd-resolved.json
[2018-05-12 07:53:37]  DBG  Loaded rule from /etc/opensnitchd/rules/allow-simple-libsystemdsystemd-resolved.json: allow-simple-libsystemdsystemd-resolved: if(process.path is '/lib/systemd/systemd-resolved'){ allow always }
[2018-05-12 07:53:37]  DBG  Reading rule from /etc/opensnitchd/rules/allow-simple-snapcore4571usrlibsnapdsnapd.json
[2018-05-12 07:53:37]  DBG  Loaded rule from /etc/opensnitchd/rules/allow-simple-snapcore4571usrlibsnapdsnapd.json: allow-simple-snapcore4571usrlibsnapdsnapd: if(process.path is '/snap/core/4571/usr/lib/snapd/snapd'){ allow always }
[2018-05-12 07:53:37]  DBG  Reading rule from /etc/opensnitchd/rules/allow-simple-usrbingnome-software.json
[2018-05-12 07:53:37]  DBG  Loaded rule from /etc/opensnitchd/rules/allow-simple-usrbingnome-software.json: allow-simple-usrbingnome-software: if(process.path is '/usr/bin/gnome-software'){ allow always }
[2018-05-12 07:53:37]  DBG  Reading rule from /etc/opensnitchd/rules/allow-simple-usrlibfirefoxfirefox.json
[2018-05-12 07:53:37]  DBG  Loaded rule from /etc/opensnitchd/rules/allow-simple-usrlibfirefoxfirefox.json: allow-simple-usrlibfirefoxfirefox: if(process.path is '/usr/lib/firefox/firefox'){ allow always }
[2018-05-12 07:53:37]  DBG  Reading rule from /etc/opensnitchd/rules/allow-simple-usrsbinnetworkmanager.json
[2018-05-12 07:53:37]  DBG  Loaded rule from /etc/opensnitchd/rules/allow-simple-usrsbinnetworkmanager.json: allow-simple-usrsbinnetworkmanager: if(process.path is '/usr/sbin/NetworkManager'){ allow always }
[2018-05-12 07:53:37]  DBG  Starting 16 workers ...
[2018-05-12 07:53:37]  DBG  Worker #1 started.
[2018-05-12 07:53:37]  DBG  Rules watcher started on path /etc/opensnitchd/rules ...
[2018-05-12 07:53:37]  DBG  Stats worker #0 started.
[2018-05-12 07:53:37]  DBG  Stats worker #1 started.
[2018-05-12 07:53:37]  DBG  Stats worker #2 started.
[2018-05-12 07:53:37]  DBG  Worker #15 started.
[2018-05-12 07:53:37]  DBG  Stats worker #3 started.
[2018-05-12 07:53:37]  DBG  Worker #2 started.
[2018-05-12 07:53:37]  DBG  Worker #0 started.
[2018-05-12 07:53:37]  DBG  Worker #8 started.
[2018-05-12 07:53:37]  DBG  Worker #3 started.
[2018-05-12 07:53:37]  DBG  Worker #4 started.
[2018-05-12 07:53:37]  DBG  Worker #5 started.
[2018-05-12 07:53:37]  DBG  Worker #6 started.
[2018-05-12 07:53:37]  DBG  Worker #7 started.
[2018-05-12 07:53:37]  DBG  Worker #11 started.
[2018-05-12 07:53:37]  DBG  Worker #9 started.
[2018-05-12 07:53:37]  DBG  Worker #10 started.
[2018-05-12 07:53:37]  DBG  Worker #13 started.
[2018-05-12 07:53:37]  DBG  Worker #12 started.
[2018-05-12 07:53:37]  DBG  Worker #14 started.
[2018-05-12 07:53:42]  INF  Running on netfilter queue #0 ...
[2018-05-12 07:53:42]  DBG  UI service poller started for socket /tmp/osui.sock
[2018-05-12 07:53:54]  DBG  ✔ /lib/systemd/systemd-resolved -> 10.70.0.1:53 (allow-simple-libsystemdsystemd-resolved)
[2018-05-12 07:53:54]  DBG  ✔ /lib/systemd/systemd-resolved -> 10.70.0.1:53 (allow-simple-libsystemdsystemd-resolved)
[2018-05-12 07:53:54]  DBG  New DNS record: 91.189.91.157 -> ntp.ubuntu.com
[2018-05-12 07:53:54]  DBG  New DNS record: 91.189.89.199 -> ntp.ubuntu.com
[2018-05-12 07:53:54]  DBG  New DNS record: 91.189.94.4 -> ntp.ubuntu.com
[2018-05-12 07:53:54]  DBG  New DNS record: 91.189.89.198 -> ntp.ubuntu.com
[2018-05-12 07:53:54]  DBG  New DNS record: 91.189.91.157 -> ntp.ubuntu.com
[2018-05-12 07:53:54]  DBG  New DNS record: 91.189.89.199 -> ntp.ubuntu.com
[2018-05-12 07:53:54]  DBG  New DNS record: 91.189.94.4 -> ntp.ubuntu.com
[2018-05-12 07:53:54]  DBG  New DNS record: 91.189.89.198 -> ntp.ubuntu.com
[2018-05-12 07:53:54]  DBG  New DNS record: 2001:67c:1560:8003::c7 -> ntp.ubuntu.com
[2018-05-12 07:53:54]  DBG  New DNS record: 2001:67c:1560:8003::c8 -> ntp.ubuntu.com
[2018-05-12 07:53:54]  DBG  New DNS record: 2001:67c:1560:8003::c7 -> ntp.ubuntu.com
[2018-05-12 07:53:54]  DBG  New DNS record: 2001:67c:1560:8003::c8 -> ntp.ubuntu.com
[2018-05-12 07:53:54]  DBG  Could not find netstat entry for: 10.70.0.34 ->(udp)-> ntp.ubuntu.com:123
[2018-05-12 07:54:26]  DBG  Could not find netstat entry for: 10.70.0.34 ->(udp)-> ntp.ubuntu.com:123
[2018-05-12 07:54:28]  DBG  ✔ /usr/sbin/NetworkManager -> 104.198.143.177:80 (allow-simple-usrsbinnetworkmanager)
[2018-05-12 07:54:29]  INF  Connected to the UI service on /tmp/osui.sock
[2018-05-12 07:55:17]  DBG  ✔ /lib/systemd/systemd-resolved -> 10.70.0.1:53 (allow-simple-libsystemdsystemd-resolved)
[2018-05-12 07:55:17]  DBG  ✔ /lib/systemd/systemd-resolved -> 10.70.0.1:53 (allow-simple-libsystemdsystemd-resolved)
[2018-05-12 07:55:17]  DBG  New DNS record: 131.186.113.136 -> checkip.dyndns.com
[2018-05-12 07:55:17]  DBG  New DNS record: 216.146.43.71 -> checkip.dyndns.com
[2018-05-12 07:55:17]  DBG  New DNS record: 216.146.38.70 -> checkip.dyndns.com
[2018-05-12 07:55:17]  DBG  New DNS record: 131.186.113.135 -> checkip.dyndns.com
[2018-05-12 07:55:17]  DBG  New DNS record: 162.88.96.194 -> checkip.dyndns.com
[2018-05-12 07:55:17]  DBG  New DNS record: 162.88.100.200 -> checkip.dyndns.com
[2018-05-12 07:55:17]  DBG  New DNS record: 162.88.100.200 -> checkip.dyndns.com
[2018-05-12 07:55:17]  DBG  New DNS record: 162.88.96.194 -> checkip.dyndns.com
[2018-05-12 07:55:17]  DBG  New DNS record: 131.186.113.135 -> checkip.dyndns.com
[2018-05-12 07:55:17]  DBG  New DNS record: 216.146.38.70 -> checkip.dyndns.com
[2018-05-12 07:55:17]  DBG  New DNS record: 216.146.43.71 -> checkip.dyndns.com
[2018-05-12 07:55:17]  DBG  New DNS record: 131.186.113.136 -> checkip.dyndns.com
[2018-05-12 07:55:17]  DBG  ✔ /lib/systemd/systemd-resolved -> 10.70.0.1:53 (allow-simple-libsystemdsystemd-resolved)
[2018-05-12 07:55:17]  DBG  Could not find process id for: 10.70.0.34 (uid:1000) ->(tcp)-> checkip.dyndns.com:80
[2018-05-12 07:55:30]  DBG  Could not find netstat entry for: 10.70.0.34 ->(udp)-> ntp.ubuntu.com:123
[2018-05-12 07:55:41]  DBG  New DNS record: 162.88.100.200 -> checkip.dyndns.com
[2018-05-12 07:55:41]  DBG  New DNS record: 162.88.96.194 -> checkip.dyndns.com
[2018-05-12 07:55:41]  DBG  New DNS record: 131.186.113.135 -> checkip.dyndns.com
[2018-05-12 07:55:41]  DBG  New DNS record: 216.146.38.70 -> checkip.dyndns.com
[2018-05-12 07:55:41]  DBG  New DNS record: 216.146.43.71 -> checkip.dyndns.com
[2018-05-12 07:55:41]  DBG  New DNS record: 131.186.113.136 -> checkip.dyndns.com
[2018-05-12 07:55:41]  DBG  Could not find process id for: 10.70.0.34 (uid:1000) ->(tcp)-> checkip.dyndns.com:80
```

TraxXavier commented 6 years ago

"Could not find process id for" sounds to me like it may be the root of the problem.

After I restart the service it works fine:

```
[2018-05-12 07:58:19]  WAR  ✘ /usr/bin/wget -> checkip.dyndns.com:80 (deny-simple-usrbinwget)
```

The issue is reproducibly only present after a reboot (I remember that the first start after compiling also had that issue).

Cheers Trax

evilsocket commented 6 years ago

yep, there're some cases when that happens and that's pretty much the only reason why this is still not 1.0.0, i'm trying to fix that but it's not easy :)

TraxXavier commented 6 years ago

How about, in such cases, still showing the prompt (with no option to make a permanent rule) and just saying "unidentified application"? Then the user would at least have the option to allow or deny it anyway.

letmebecome commented 6 years ago

It's really a bug; the old version was working well. But the new version doesn't catch any application.

J0hnnyb0y86 commented 6 years ago

Same problem, I have reinstalled it today.

warkruid commented 6 years ago

Same problem, no logging or activity at all on any outgoing connection.

dreamcat4 commented 6 years ago

Very patchy, even for the subset of applications that work: a very large proportion of the traffic is being missed, and other applications are missed entirely. If I knew how to install the old version instead (being on ubuntu 18.04), then I would certainly try that. But at best it's really complex to install for the uninitiated, due to its required dependencies and certain other idiosyncrasies.

evilsocket commented 6 years ago

@dreamcat4 remember this software is free and open source, you're welcome to send your contributions to improve it!

dreamcat4 commented 6 years ago

Thank you for the offer @evilsocket, but that's a decline from me, for certain other reasons which I would not wish to bother you with. It's only so annoying because you seem so close! And due to the lack of similar options in this space, that's why it's so important for your project to succeed.

evilsocket commented 6 years ago

if it's annoying, you can help, or you can decide not to use this software ... complaining that way, without even a log one can use to debug the issues you're experiencing, doesn't change much i'm afraid.

gustavo-iniguez-goya commented 5 years ago

Hi all,

I'm having this problem with chromium on Debian. What I've realized is that the symbolic link in /proc is broken:

```
[2019-06-18 08:19:54] DBG Could not find process by its pid 11511 for: 192.168.1.37 (uid:1010) ->(udp)-> 1.1.1.1:53
```

```
v@:~/go/src/github.com/evilsocket/opensnitch/daemon$ file /proc/11511/exe 
/proc/11511/exe: symbolic link to /usr/lib/chromium/chromium (deleted)
v@:~/go/src/github.com/evilsocket/opensnitch/daemon$ ls -l /proc/11511/exe 
lrwxrwxrwx 1 v v 0 jun 15 13:21 /proc/11511/exe -> '/usr/lib/chromium/chromium (deleted)'
v@:~/go/src/github.com/evilsocket/opensnitch/daemon$ ls -l /usr/lib/chromium/chromium 
-rwxr-xr-x 1 root root 173887520 jun 14 02:10 /usr/lib/chromium/chromium
v@:~/go/src/github.com/evilsocket/opensnitch/daemon$ ps -p 11511
  PID TTY          TIME CMD
11511 tty2     01:16:28 chromium
v@:~/go/src/github.com/evilsocket/opensnitch/daemon$ 
v@:~/go/src/github.com/evilsocket/opensnitch/daemon$ stat /proc/11511/exe 
  Fichero: /proc/11511/exe -> /usr/lib/chromium/chromium (deleted)
  Tamaño: 0             Bloques: 0          Bloque E/S: 1024   enlace simbólico
Dispositivo: 4h/4d  Nodo-i: 13786214    Enlaces: 1
Acceso: (0777/lrwxrwxrwx)  Uid: ( 1010/      v)   Gid: ( 1010/      v)
      Acceso: 2019-06-17 19:11:45.984026784 +0200
Modificación: 2019-06-15 13:21:10.723839469 +0200
      Cambio: 2019-06-15 13:21:10.723839469 +0200
    Creación: -
```

In my case I'm running chromium under firejail; I don't know if that causes the "broken" symbolic link.

gustavo-iniguez-goya commented 5 years ago

One possible solution/workaround would be to stat the file, and maybe get rid of the " (deleted)" part. Also, if it still fails, we could parse /proc/%d/cmdline, even if we then only display the first part of a process name with spaces. And as a final option I would even use the pid of the process, because we won't see the process name, but at least you can see to what port and IP your PC is connecting.

diff --git a/daemon/procmon/parse.go b/daemon/procmon/parse.go
index cca9d6d..00ae6fc 100644
--- a/daemon/procmon/parse.go
+++ b/daemon/procmon/parse.go
@@ -7,6 +7,7 @@ import (
    "strings"

    "github.com/evilsocket/opensnitch/daemon/core"
+   "github.com/evilsocket/opensnitch/daemon/log"
 )

 func GetPIDFromINode(inode int) int {
@@ -70,13 +71,24 @@ func FindProcess(pid int) *Process {
        return nil
    }

-   if link, err := os.Readlink(linkName); err == nil && core.Exists(link) == true {
-       proc := NewProcess(pid, link)
+    if _, err := os.Stat(linkName); err == nil {
+        link, err := os.Readlink(linkName)
+        if err == nil {
+            proc := NewProcess(pid, link)

-       parseCmdLine(proc)
-       parseEnv(proc)
-
-       return proc
-   }
+            parseCmdLine(proc)
+            parseEnv(proc)
+            return proc
+        } else {
+            proc := NewProcess(pid, linkName)
+            parseCmdLine(proc)
+            parseEnv(proc)
+            return proc
+        }
+    } else if os.IsNotExist(err) {
+        log.Error("FindProcess does not exist error", linkName, err)
+    } else {
+        log.Error("FindProcess error", linkName, err)
+    }
    return nil
 }
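Review bot: the fallback branch (`proc := NewProcess(pid, linkName)` when `os.Readlink` fails) records `/proc/<pid>/exe` itself as the process path, so no `process.path` rule can ever match that process and the UI would show a path that is not the binary; at the same time the hunk drops the `core.Exists(link)` guard without adding the " (deleted)" stripping the comment above proposes, so a successful readlink still hands `/usr/lib/chromium/chromium (deleted)` to `NewProcess`. Suggest trimming the suffix once (e.g. `link = strings.TrimSuffix(link, " (deleted)")`) and sharing the `NewProcess` / `parseCmdLine` / `parseEnv` sequence between the two branches instead of duplicating it. Two smaller points: the added lines are indented with spaces while the rest of the file uses tabs (gofmt will fix that), and `log.Error` in the `os.IsNotExist` branch will fire for every process that exits between the connection and the lookup, which is a normal race and better logged at debug level.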
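To make the fallback chain proposed above concrete, here is an added example in Go (written for this thread, not OpenSnitch's own code): it readlinks /proc/<pid>/exe, strips the kernel's " (deleted)" suffix so the original path can still be compared against rules, falls back to argv[0] from /proc/<pid>/cmdline, and finally to the bare pid. The `FakeProc` stand-in, the injected readers and the pids 4242 and 7777 are constructed assumptions; pid 11511 and the chromium path are the case shown in the thread.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// ProcessIdentity is what the daemon ends up knowing about the process that
// owns a connection. Source records which step of the fallback chain produced
// Path, so a rule engine or UI can treat a cmdline-derived name with less trust.
type ProcessIdentity struct {
	PID    int
	Path   string // executable path, "" when only the pid is known
	Source string // "exe", "exe-deleted", "cmdline" or "pid"
}

const deletedMarker = " (deleted)"

// cleanExeLink normalises the target of /proc/<pid>/exe. The kernel appends
// " (deleted)" when the binary was unlinked or replaced after exec (package
// upgrade, some sandboxes); the original path is still the right thing to
// match rules against, but callers should know it is no longer on disk.
func cleanExeLink(link string) (path string, deleted bool) {
	if strings.HasSuffix(link, deletedMarker) {
		return strings.TrimSuffix(link, deletedMarker), true
	}
	return link, false
}

// firstCmdlineArg returns argv[0] from the NUL-separated /proc/<pid>/cmdline.
// argv[0] is chosen by the process itself, so it identifies, not authenticates.
func firstCmdlineArg(raw []byte) string {
	if i := bytes.IndexByte(raw, 0); i >= 0 {
		raw = raw[:i]
	}
	return string(raw)
}

// ResolveProcess walks the chain: readlink exe -> cmdline argv[0] -> bare pid.
// The readers are injected (an assumption of this example) so the logic can
// run against a constructed /proc as well as the real one.
func ResolveProcess(pid int, readlink func(string) (string, error), readFile func(string) ([]byte, error)) ProcessIdentity {
	procDir := "/proc/" + strconv.Itoa(pid)
	if link, err := readlink(procDir + "/exe"); err == nil && link != "" {
		path, deleted := cleanExeLink(link)
		src := "exe"
		if deleted {
			src = "exe-deleted"
		}
		return ProcessIdentity{PID: pid, Path: path, Source: src}
	}
	if raw, err := readFile(procDir + "/cmdline"); err == nil {
		if argv0 := firstCmdlineArg(raw); argv0 != "" {
			return ProcessIdentity{PID: pid, Path: argv0, Source: "cmdline"}
		}
	}
	// Last resort: we still know the pid and the connection's endpoint.
	return ProcessIdentity{PID: pid, Source: "pid"}
}

// ResolveLive runs the same chain against the real /proc (reading exe of
// another user's process needs root, as with any /proc-based lookup).
func ResolveLive(pid int) ProcessIdentity {
	return ResolveProcess(pid, os.Readlink, os.ReadFile)
}

// FakeProc is a constructed stand-in for /proc so the demo runs offline.
type FakeProc struct {
	Links map[string]string
	Files map[string][]byte
}

func (f FakeProc) Readlink(name string) (string, error) {
	if v, ok := f.Links[name]; ok {
		return v, nil
	}
	return "", os.ErrNotExist
}

func (f FakeProc) ReadFile(name string) ([]byte, error) {
	if v, ok := f.Files[name]; ok {
		return v, nil
	}
	return nil, os.ErrNotExist
}

// DemoProc holds constructed entries: pid 11511 mirrors the chromium case
// from the thread; 4242 and 7777 are made-up pids.
func DemoProc() FakeProc {
	return FakeProc{
		Links: map[string]string{
			"/proc/11511/exe": "/usr/lib/chromium/chromium (deleted)",
			"/proc/4242/exe":  "/usr/bin/wget",
		},
		Files: map[string][]byte{
			"/proc/7777/cmdline": []byte("python3\x00-m\x00http.server\x00"),
		},
	}
}

func main() {
	p := DemoProc()
	for _, pid := range []int{11511, 4242, 7777, 1} {
		id := ResolveProcess(pid, p.Readlink, p.ReadFile)
		fmt.Printf("pid %-6d source=%-11s path=%q\n", id.PID, id.Source, id.Path)
	}
}
```

`Source` is what lets a caller tell the cases apart: a path recovered from a deleted executable still matches the rule the user wrote for that binary, whereas an argv[0] taken from cmdline is set by the process itself and should be displayed as unverified rather than used to auto-match an allow rule.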
namaneko commented 5 years ago

Hello. I am noticing the same issue, and it seems to be random as far as what sneaks through. It is catching a lot of system stuff fine (gnome, networkmonitor, pacman), but most user-level apps are getting through (firefox, spotify, vlc, discord). I did a reboot and it picked up Firefox, but it did not pick up Spotify or Discord or any other apps. Rebooted again and it did not pick up anything.

Anything I can do to help isolate the issue better? I am not a programmer but I love this software and want to be useful if there's a way for me to be so.

gustavo-iniguez-goya commented 3 years ago

We have discussed this problem in depth here: https://github.com/gustavo-iniguez-goya/opensnitch/issues/84

Most of these errors should be fixed with latest packages, but we still have work to do: https://github.com/evilsocket/opensnitch/releases

There's a new checkbox ([x] Intercept unknown connections) which, if you enable it, makes a pop-up appear when a connection cannot be bound to a program.