Rules for "python" applications type ? #17

Closed
jonau01 opened this issue May 9, 2020 · 6 comments

@jonau01

jonau01 commented May 9, 2020

Hi,

I have an application called blink; when initiated, "ps -ef" shows it as: /app/bin/python27 /apt/bin/blink.

Opensnitch sees it as "/app/bin/python27".

My question is, if I want to

  • allow: /app/bin/python27 /apt/bin/blink
  • deny: /app/bin/python27 /apt/bin/xyz (another application)

How can I do that?

Thank You

@gustavo-iniguez-goya
Owner

Maybe you can filter by command line:

image

You can also edit the rule on disk, and use regular expressions to match the process and command line:

{
  "name": "allow-blink",
  "enabled": true,
  "action": "allow",
  "duration": "always",
  "operator": {
    "type": "list",
    "operand": "list",
    "data": "[{\"type\": \"simple\", \"operand\": \"process.path\", \"data\": \"/app/bin/python27\"}, {\"type\": \"regexp\", \"operand\": \"process.command\", \"data\": \"/apt/bin/.*\"}",
    "list": [
      {
        "type": "simple",
        "operand": "process.path",
        "data": "/app/bin/python27",
        "list": null
      },
      {
        "type": "regexp",
        "operand": "process.command",
        "data": "/apt/bin/.*",
        "list": null
      }
   ]
}

Soon we'll be able to edit it from the GUI:
image

@jonau01
Author

jonau01 commented May 10, 2020

Thank you for your reply.

  • I made a mistake in my original post and I would like to correct it:
    From: "I have an application called blink; when initiated, "ps -ef" shows it as: /app/bin/python27 /apt/bin/blink."
    To: "I have an application called blink; when initiated, "ps -ef" shows it as: /app/bin/python2 /apt/bin/blink."

Also, I would like to add: this is a flatpak application.

  • I don't know JSON at all, so I simply copied and pasted your suggestion to a file, /etc/opensnitchd/rules/allow-simple-blink.json.
    When I restarted opensnitchd it failed to start and gave the following error (found in /var/log/opensnitchd.log):
    "Error while parsing rule from /etc/opensnitchd/rules/allow-simple-blink.json: unexpected end of JSON input"
    Long story short, after several attempts I ended up with this version:
    {
      "name": "allow-blink",
      "enabled": true,
      "action": "allow",
      "duration": "always",
      "operator": {
        "type": "list",
        "operand": "list",
        "data": "{\"type\": \"simple\", \"operand\": \"process.path\", \"data\": \"/app/bin/python2.7\"}, {\"type\": \"regexp\", \"operand\": \"process.command\", \"data\": \"/app/bin/blink\"}",
        "list": [
          {
            "type": "simple",
            "operand": "process.path",
            "data": "/app/bin/python2.7",
            "list": null
          },
          {
            "type": "regexp",
            "operand": "process.command",
            "data": "/app/bin/blink",
            "list": null
          }
        ]
      }
    }

So this version seems to work partially, and here are my tests:

  • when I start blink: opensnitch allows it
  • when I start blink2: opensnitch also allows it (when it should not, I think)
  • when I start xyz: opensnitch opens a dialup screen asking for Allow or Deny

My next question: how should I modify the rule file so it will allow only blink and not blink2 or blink*?

Comment or suggestion on the side: maybe opensnitchd should not fail to start when there is an invalid rule; it should rather ignore it and flag it as invalid somewhere in the OpenSnitch UI.

@gustavo-iniguez-goya
Owner

Comment or suggestion on the side: maybe opensnitchd should not fail to start when there is an invalid rule; it should rather ignore it and flag it as invalid somewhere in the OpenSnitch UI.

I agree with you here. I'll take a look and make it not fail if there's any invalid rule.

On the other hand, take a look at #9. I've just added a rules editor to allow configuring rules from the UI. It should ease the process of rule creation.

@jonau01
Author

jonau01 commented May 10, 2020

Thank you for adding the rules editor. I presume that it will be in the next release.

In the meantime, I still don't understand how to fix my current rule to allow only blink.
As I mentioned previously, the created rule works partially: it allows anything that starts with /app/bin/blink (example: /app/bin/blink2 is also allowed) when I want it to allow /app/bin/blink only.

Is it doable?

@gustavo-iniguez-goya
Owner

Try it with a regex:

{
  "name": "allow-blink",
  "enabled": true,
  "action": "allow",
  "duration": "always",
  "operator": {
    "type": "list",
    "operand": "list",
    "data": "[{\"type\": \"simple\", \"operand\": \"process.path\", \"data\": \"/app/bin/python2.7\"}, {\"type\": \"regexp\", \"operand\": \"process.command\", \"data\": \"/app/bin/blink$\"}]",
    "list": [
      {
        "type": "simple",
        "operand": "process.path",
        "data": "/app/bin/python2.7",
        "list": null
      },
      {
        "type": "regexp",
        "operand": "process.command",
        "data": "/app/bin/blink$",
        "list": null
      }
    ]
  }
}

The idea is to match the command line that ends in "blink" (hence the $).
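
As an added example (not code from this thread or from the OpenSnitch project), the Go sketch below evaluates the rule layout shown above against sample command lines, and shows the parse error a truncated rule file produces. It assumes "simple" means string equality and "regexp" means an unanchored Go regexp search; `RuleMatches`, `BlinkRule` and the rule bodies are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Operator holds only the rule fields shown in this thread.
type Operator struct {
	Type, Operand, Data string
	List                []Operator
}

// RuleMatches parses a rule file body and reports whether every entry of its
// list operator matches. Assumption: "regexp" is an unanchored Go regexp
// search; any other type is compared as a plain string.
func RuleMatches(ruleJSON []byte, path, cmdline string) (bool, error) {
	var rule struct{ Operator Operator }
	if err := json.Unmarshal(ruleJSON, &rule); err != nil {
		return false, err // a truncated file gives "unexpected end of JSON input"
	}
	values := map[string]string{"process.path": path, "process.command": cmdline}
	for _, op := range rule.Operator.List {
		ok, err := values[op.Operand] == op.Data, error(nil)
		if op.Type == "regexp" {
			ok, err = regexp.MatchString(op.Data, values[op.Operand])
		}
		if err != nil || !ok {
			return false, err
		}
	}
	return len(rule.Operator.List) > 0, nil
}

// BlinkRule builds a constructed rule body around one process.command regexp.
func BlinkRule(cmdRegexp string) []byte {
	q, _ := json.Marshal(cmdRegexp)
	return []byte(`{"name":"allow-blink","operator":{"type":"list","operand":"list","list":[` +
		`{"type":"simple","operand":"process.path","data":"/app/bin/python2.7"},` +
		`{"type":"regexp","operand":"process.command","data":` + string(q) + `}]}}`)
}

func main() {
	for _, re := range []string{"/app/bin/blink", "/app/bin/blink$", `^/app/bin/python2\.7 /app/bin/blink$`} {
		ok, err := RuleMatches(BlinkRule(re), "/app/bin/python2.7", "/app/bin/python2.7 /app/bin/blink2")
		fmt.Printf("%q allows blink2: %v (err=%v)\n", re, ok, err)
	}
}
```

Under these assumptions the `$`-anchored pattern still accepts any command line that merely ends in `/app/bin/blink`, because it is not anchored at the start. The third pattern, anchored at both ends, pins the interpreter and the script path together.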

gustavo-iniguez-goya added a commit that referenced this issue May 11, 2020
Don't exit if a rule is malformed.

Reported by @jonau01 here #17

@jonau01
Author

jonau01 commented May 12, 2020

It works. Thank you.

Notes on the side: I tested on both Linux Mint 19.3 and Manjaro 20.0.1.
