evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0
10.74k stars, 498 forks

Does the program understand processes hierarchy ? #406

Open Danny3 opened 3 years ago

Danny3 commented 3 years ago

Hello everyone !

I have seen that the program's pop-ups sometimes show generic tools wanting to connect to the internet, like http, curl, etc. So it got me wondering... What if we have two programs, Program 1 and Program 2, and both take advantage of a third-party tool like CURL (or wget)?

It looks to me that if I want to allow Program 1 but deny Program 2, I would also need to allow CURL for Program 1 to work. But by doing so, I don't see what's stopping Program 2 from using the allowed CURL too, to send and receive the data it wants, even though Program 2 is denied?

Can OpenSnitch look at who (which program) called CURL and allow or deny its connection based on the allowed/denied permission of the caller, making the permission for CURL dynamic?

From what I know, systemd should have a hierarchy of which programs started which programs, but I don't know if it can track who called whom.

Does OpenSnitch have such a capability, or could it be implemented in the future with the help of systemd or another tool?

gustavo-iniguez-goya commented 3 years ago

Hi @Danny3 !

Right now we don't track the Parent PID of a process that's trying to open a new connection. So if you allow Program1 or Program2, you don't explicitly allow all the children initiated by these processes (curl, wget, nc, telnet, etc.).

For example Spotify. If you allow Spotify, you'll still be prompted to allow wget. But if you allow wget only by name (wget) or by path (/usr/bin/wget), then Edge (just an example) would be able to use wget freely.

For now what you can do is to deny/allow wget/curl/etc not only by path, but also by path + arguments + dest IP + dest port. That way, you can allow/deny connections made by Program1 using curl/wget, but restricting to where it can connect to. If Program2 launches a wget/curl to open a new connection, you'll be prompted to allow/deny it.

What's not possible right now is to block or deny connections initiated by children of another process.

We could study it for future releases.

Danny3 commented 3 years ago

Thank you very much @gustavo-iniguez-goya for the reply! "deny/allow wget/curl/etc not only by path, but also by path + arguments + dest IP + dest port." Could I do that from the GUI? Because I see drop-downs for only one option at a time, I don't know how I can add multiple ones, and I think it will be better for me to just wait for something more user-friendly (easier to understand how to do it).

My desktop environment is KDE Plasma, which has the possibility to optionally use systemd for startup, which I have activated: https://invent.kde.org/plasma/plasma-workspace/-/merge_requests/47

I can now see in KSysGuard (its system monitor), in tree view, that the processes are displayed in the right hierarchy, like:

systemd
    plasmashell
        Firefox
            Child 1 of Firefox
            Child 2 of Firefox
            and so on...

I assume it is taking advantage of cgroups as explained here: https://blog.davidedmundson.co.uk/blog/plasma-and-the-systemd-startup/ and here (by clicking on "cgroups for applications" in the above article): https://blog.davidedmundson.co.uk/blog/modern-process-management-on-the-desktop/

Could all this work done by the KDE developers to start programs in their own cgroups (if I got that right) help in any way in the future for OpenSnitch to track and maybe control programs and their children together? Or could cgroups be used anyway, so it works on all desktop environments, not only in the fortunate cases like KDE Plasma?

gustavo-iniguez-goya commented 3 years ago

Could I do that from the GUI ?

Yes, you can either do it from the pop-ups by clicking on the [+] button:

Or you can allow it and edit it later from the Rules Tab -> Permanent or Temporary, by double clicking on the rule, or right click on the rule -> Edit.

As you can see, there are plenty of options to configure it. If you have installed OpenSnitch recently, get used to it; it's not complicated (well, a firewall is something complicated anyway, but we try our best to ease its usage).

Could all this work done by the KDE developers to start programs in their own CGroups (if I got that right) help in any way in the future OpenSnitch to track and maybe control together programs and their children ?

No, I don't think it's related. We could track Parent PIDs regardless of how they display the processes' hierarchy or how they group (containerize) processes. This is already happening if you use firejail, systemd (yes, many system services are already containerized) or docker/podman/k8s, etc.

But that'd be a new feature, something like: [x] Allow connections from children of this process, or [x] Allow connections from these children of Program1: [x] wget [x] curl
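The two replies above from gustavo-iniguez-goya describe the missing piece: looking up the parent chain of the process that opens a connection, and giving a helper like curl or wget the verdict of the program that launched it. The following is an added example written for this page; it is not OpenSnitch code and not part of the thread. It parses /proc/<pid>/stat for the PPid, walks the chain up to PID 1, and resolves a verdict from the nearest ancestor that has a rule. The ProcSource interface, VerdictByCaller and the rule map keyed by executable path are hypothetical names chosen for illustration only.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Proc is one entry in a process's ancestry chain.
type Proc struct {
	PID  int
	PPID int
	Comm string // from /proc/<pid>/stat: 15 chars max and settable by the process itself
	Exe  string // readlink of /proc/<pid>/exe: what a rule should actually match on
}

// ProcSource abstracts procfs so the walk can run against a constructed
// process tree in tests. Hypothetical interface, not OpenSnitch's own.
type ProcSource interface {
	Stat(pid int) (string, error)
	Exe(pid int) (string, error)
}

// procFS reads the live /proc.
type procFS struct{}

func (procFS) Stat(pid int) (string, error) {
	b, err := os.ReadFile(fmt.Sprintf("/proc/%d/stat", pid))
	return string(b), err
}

func (procFS) Exe(pid int) (string, error) {
	return os.Readlink(fmt.Sprintf("/proc/%d/exe", pid))
}

// ParseStat extracts pid, comm and ppid from a /proc/<pid>/stat line.
// comm is parenthesised and may itself contain spaces or ')', so we split
// on the LAST ')' rather than on whitespace.
func ParseStat(stat string) (pid, ppid int, comm string, err error) {
	open := strings.IndexByte(stat, '(')
	closeIdx := strings.LastIndexByte(stat, ')')
	if open < 0 || closeIdx < open {
		return 0, 0, "", fmt.Errorf("malformed stat: %q", stat)
	}
	if pid, err = strconv.Atoi(strings.TrimSpace(stat[:open])); err != nil {
		return 0, 0, "", err
	}
	comm = stat[open+1 : closeIdx]
	rest := strings.Fields(stat[closeIdx+1:]) // state ppid pgrp session ...
	if len(rest) < 2 {
		return 0, 0, "", fmt.Errorf("malformed stat: %q", stat)
	}
	if ppid, err = strconv.Atoi(rest[1]); err != nil {
		return 0, 0, "", err
	}
	return pid, ppid, comm, nil
}

// Ancestry walks pid -> parent -> ... up to PID 1. It returns the partial
// chain plus an error if a parent is gone: a child whose parent exited is
// reparented to init (or a subreaper), so the chain no longer tells you
// who originally launched it.
func Ancestry(src ProcSource, pid int) ([]Proc, error) {
	var chain []Proc
	seen := map[int]bool{}
	for pid > 0 && !seen[pid] {
		seen[pid] = true
		stat, err := src.Stat(pid)
		if err != nil {
			return chain, fmt.Errorf("pid %d: %w", pid, err)
		}
		p, pp, comm, err := ParseStat(stat)
		if err != nil {
			return chain, err
		}
		exe, _ := src.Exe(pid) // empty for kernel threads or processes we may not inspect
		chain = append(chain, Proc{PID: p, PPID: pp, Comm: comm, Exe: exe})
		pid = pp
	}
	return chain, nil
}

// VerdictByCaller gives a helper (curl, wget, ...) the verdict of its nearest
// ancestor that has a rule, keyed by executable path. ok=false means no
// ancestor had a rule, i.e. the user would be prompted as today.
func VerdictByCaller(chain []Proc, rules map[string]bool) (allow bool, decidedBy string, ok bool) {
	for i := 1; i < len(chain); i++ { // index 0 is the helper itself
		if v, found := rules[chain[i].Exe]; found {
			return v, chain[i].Exe, true
		}
	}
	return false, "", false
}

func main() {
	chain, err := Ancestry(procFS{}, os.Getpid())
	for _, p := range chain {
		fmt.Printf("%6d  ppid=%-6d %-16s %s\n", p.PID, p.PPID, p.Comm, p.Exe)
	}
	if err != nil {
		fmt.Println("walk stopped:", err)
	}
}
```

Two caveats a daemon implementing this would have to live with. First, the parent PID is not a trust boundary: a process that double-forks (or is started via setsid, systemd-run, a cron job, or a D-Bus activation such as the gvfsd-http case later in this thread) is reparented to PID 1 or a subreaper and drops out of the chain, so a denied program can still launch a helper that shows up with no interesting ancestor. Second, the lookup races with process exit: by the time the connection is seen, the parent may already be gone, which is why the walk above returns the partial chain with an error instead of silently treating the helper as unparented.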

BetweenTheKeyboardAndChair commented 3 years ago

I have a different use case where the ParentID would be useful.

I would like to be able to set the duration to "this instance of the app", where the instance includes any child processes.

Use case: when I open an app, e.g. a browser, I would like it to have access until I close the browser. (I close my browser many times a day.) Whenever I am using a less trusted app (e.g. tax software), I ensure the browser is closed. This way I can catch any attempts to piggyback out through the browser, e.g. a button that, when clicked, tries to use the default browser to open their URL.

I find this also makes configuring apps a bit easier. An app update often starts many processes, so the "once" isn't a great solution. I can guess at the time the updates will take. I find it easier to do the updates and then restart the process to reset the firewall permissions. Now I know if the app tries anything after the update and before the timer expires.

gustavo-iniguez-goya commented 3 years ago

Interesting use case @BetweenTheKeyboardAndChair , thank you for sharing.

Filtering by "this instance of an app" is an old (ooold) request. I want to finish some things first, but it's definitely a feature that would be great to have.

gustavo-iniguez-goya commented 3 years ago

It turns out that today, while being away from the computer, I had an alert of an unanswered outgoing connection:

What is interesting here is the domain that gvfsd-http has tried to connect to: i.scdn.co, which is a domain of Spotify. If we had logged the PPid, it would probably have been Spotify's.

deliciouslytyped commented 1 year ago

I'm currently looking for solutions for whitelisting connections / firewalling the network of containers / firejail / bubblewrap / etc. I would very much need/like this.

Do you know any alternative solutions? My google searches have yielded very little information.

gustavo-iniguez-goya commented 1 year ago

Hi @deliciouslytyped !

OpenSnitch should be able to intercept connections from applications launched from firejail/bubblewrap. I'm using chromium/firefox sandboxed with firejail and connections are intercepted just fine.

For containers (like docker) we need to add a fw rule: https://github.com/evilsocket/opensnitch/wiki/System-rules-legacy#intercepting-connections-from-containers