UI improvements

[themighty1]

I noticed that the popup has a "Executed from" field which shows the current working dir.
Is this by design?
I would expect to see a full path to the executable there.
If I launch an app from an app menu on my desktop, "Executed from" always shows the path to the root of my home dir.

[gustavo-iniguez-goya]

I would expect to see a full path to the executable there.

The full of the process should appear under the name

quoting man procfs:

       /proc/[pid]/cwd
              This  is  a symbolic link to the current working directory of the process.  To find out the current working directory of process 20, for instance, you can do
              this:
                  $ cd /proc/20/cwd; pwd -P
              In a multithreaded process, the contents of this symbolic link  are  not  available  if  the  main  thread  has  already  terminated  (typically  by  calling
              pthread_exit(3)).

              Permission to dereference or read (readlink(2)) this symbolic link is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see ptrace(2).

I don't know exactly the inner working of it. If you execute a command from /tmp it'll show that directory. But other processes can change it on execution time, as well as the arguments.

[themighty1]

Hmm, I dont have that second line in parens. Only line 1 and 3 . Will look into it.

[gustavo-iniguez-goya]

The full path is only added if the full path to the binary is not part of the command line.

$ cat /proc/28712/cmdline 
fusermount-orw,nosuid,nodev,fsname=portal,auto_unmount,subtype=portal--/root/.cache/doc

$ ls -l /proc/28712/exe
lrwxrwxrwx. 1 root root 0 dic 27 20:26 /proc/28712/exe -> /bin/fusermount3

Otherwise in some cases we wouldn't know the full path of the binary.

[gustavo-iniguez-goya]

The idea behind parsing CWD was to be able to create rules to block everything from a directory, or allow connections only from certain directories.

/dev/shm, /tmp and /var/tmp are common directories to download and execute malware. While you can mount them with noexec, you can not prevent to execute scripts that open connections.

The problem is that CWD only informs from where a command was executed, so if you execute cd /; python3 /dev/shm/malware.py you're f****d. We should parse the path of the binary, and apply a rule to it, if we wanted this feature.

Another thing I haven't tested yet is how connections made from webshells are reported, or reverse shells from inside an app that the attacker can't control (like a webserver).

[gustavo-iniguez-goya]

Another UI improvement: allow to copy a row, or the all the rows to the clipboard.

[themighty1]

right-click a rule, "Copy rule as text" and then put the json into the clipboard. Ok

[gustavo-iniguez-goya]

Another thing I haven't tested yet is how connections made from webshells are reported, or reverse shells from inside an app that the attacker can't control (like a webserver).

tested:

The CWD field is useful in these situations. In this case it's a reverse shell, so the webshell opens the connection to a remote ip. If the webshell opens a port for incoming connections we don't intercept it.

[gustavo-iniguez-goya]

what about a simpler pop-up? and let the user choose in the preferences dialog between Simple or Advance.