evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

[Feature Request] Add file-access firewalling #657

Open BillDietrich opened 2 years ago

BillDietrich commented 2 years ago

Summary:

Please add support for rules to control file access instead of network access. And support good regex on the file path specification.

For example, I'd like a rule that says "deny always Firefox access to any files outside home/Downloads and home/.mozilla" (on Linux).

gustavo-iniguez-goya commented 2 years ago

Hi @BillDietrich,

I think this feature is out of scope of OpenSnitch. Personally I'd run Firefox/Chromium/etc sandboxed, with firejail for example. It allows you to run an application isolated from your filesystem: https://firejail.wordpress.com/documentation-2/basic-usage/#filesystem

BillDietrich commented 2 years ago

I agree this would stretch the scope of OpenSnitch. But it seems it would fit fairly naturally into the existing OpenSnitch structure and UI. Just a new type of rule, and a different set of BPF hooks (I don't know much about that).

I have used Firejail and AppArmor and SELinux and various other mechanisms. But doing it in OpenSnitch would mean one GUI for both types of activity, one place to control network and file activity of application X. Convenient for users.

Please keep this request open and think about it, let's see if anyone else comments. Thanks.

gustavo-iniguez-goya commented 2 years ago

The easiest way of implementing it would be by using fanotify:

https://man7.org/linux/man-pages/man7/fanotify.7.html

https://pkg.go.dev/github.com/docker-slim/docker-slim/pkg/third_party/madmo/fanotify

wrouesnel commented 2 years ago

I'd like to add a +1 to this but with a twist: what I'd really like to be able to do is redirect some types of file access requests. The use-case would be for a related feature, #437: for a big category of applications, what I want to do is inject MITM certificates - i.e. when using something like mitmproxy - without making system-wide changes or applying such changes globally.

So the ideal model would be setting rules which can remap which file gets opened by a request based on context, and pair that with a rule which will force the connection out through a proxy transparently.