Describe the bug
The OpenSnitch UI statistics panel is lying about what rule caused connections to be allowed.
This also has the catastrophic effect that nothing at all is blocked or prompted.
OpenSnitch version - 1.6.5.1
OS: NixOS
Version: 24.11.20240524 Vicuña
Window Manager: GNOME shell
Kernel version: Linux asahimbp 6.8.9-asahi #1-NixOS SMP PREEMPT_DYNAMIC Tue Jan 1 00:00:00 UTC 1980 aarch64 GNU/Linux
Steps to reproduce the behavior:
- Enable OpenSnitch using the equivalent of the following configuration:

NixOS module:

```nix
{
  pkgs,
  lib,
  config,
  ...
}:
# TODO: Find out what is causing every connection to be accepted on account of the last rule?
let
  settings = {
    Server = {
      Address = "unix:///tmp/osui.sock";
    };
    # Unnecessary as we are not modifying the system firewall
    # FwOptions.ConfigPath = "/etc/opensnitchd/system-fw_alt.json";
    # TODO: Fix this. We should be able to use eBPF. This may require a kernel PR
    # https://github.com/evilsocket/opensnitch/issues/1138
    # ProcMonitorMethod = "ebpf";
    Ebpf.ModulesPath = "${config.boot.kernelPackages.opensnitch-ebpf}/etc/opensnitchd";
    ProcMonitorMethod = "proc";
    Rules.Path = "/var/lib/opensnitch/rules";
    InterceptUnknown = true;
  };
in {
  # Kernel module necessary for OpenSnitch to pick up wireguard connections
  # and assign them to the correct process
  # TODO: Fix this (uncomment this line)
  # boot.extraModulePackages = [config.boot.kernelPackages.opensnitch-ebpf];
  # List of options required to enable: https://github.com/evilsocket/opensnitch/issues/774
  boot.kernelPatches = [
    {
      name = "opensnitch_enable";
      patch = null;
      extraStructuredConfig = with lib.kernel; {
        FTRACE = yes;
        KPROBES = yes;
        HAVE_KPROBES = yes;
        # TODO: Fix this
        # Unfortunately not supported yet on arm64
        # https://github.com/torvalds/linux/blob/master/Documentation/features/debug/kprobes-on-ftrace/arch-support.txt
        KPROBES_ON_FTRACE = yes;
        HAVE_KPROBES_ON_FTRACE = yes;
        # end of unsupported options
        KPROBE_EVENTS = yes;
        HAVE_SYSCALL_TRACEPOINTS = yes;
        FTRACE_SYSCALLS = yes;
        UPROBE_EVENTS = yes;
        INET_DIAG = yes;
        INET_TCP_DIAG = yes;
        INET_UDP_DIAG = yes;
        INET_DIAG_DESTROY = yes;
      };
    }
  ];
  services.opensnitch = {
    inherit settings;
    enable = true;
    rules = (import ./rules.nix) {inherit pkgs lib;};
  };
  systemd.services.opensnitchd.serviceConfig.ExecStart = let
    format = pkgs.formats.json {};
    default_settings = builtins.fromJSON (builtins.unsafeDiscardStringContext (builtins.readFile "${pkgs.opensnitch}/etc/opensnitchd/default-config.json"));
    config_file = format.generate "default-config.json" (default_settings // settings);
  in [
    ""
    "${pkgs.opensnitch}/bin/opensnitchd --config-file ${config_file}"
  ];
  # Not necessary because we do not need to modify the system firewall
  # environment.etc."opensnitchd/system-fw_alt.json" = {
  #   text = builtins.toJSON (import ./system_fw.nix {});
  #   mode = "0440";
  # };
}
```
That is, `InterceptUnknown` as `true`, `ProcMonitorMethod` as `"proc"`, and everything else set to the default.
Also, place the following set of rules in `/var/lib/opensnitch/rules` to replicate the rules generated by Nix (directly exported from OpenSnitch):

- vscodium_openvsx.json
- vscodium_github.json
- systemd-timesyncd_all.json
- systemd-resolved_all.json
- openvpn_all.json
- mullvad_all.json
- git-remote-http_github.json
- firefox_all.json
- evolution-data-server_umich-instructure.json
- evolution-data-server_google-calendar.json
- dhcpcd_all.json
- avahi-daemon_all.json
- Start the OpenSnitch daemon and UI.
- Turn off all VPNs.
- `ping google.com`. Notice that instead of prompting you to allow or deny the connection, OpenSnitch allows it and for some reason attributes it to the last alphabetical rule, `vscodium_openvsx`.
Expected behavior (optional)
OpenSnitch prompts me to allow or deny the connection or correctly labels it according to a rule that actually applies.
Screenshots
Attached below:
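When a firewall attributes every connection to one rule, the first thing to check is which rule's operator actually matches the connection and whether any operator is effectively a catch-all. The following script is an added example written for this issue; it is not OpenSnitch code and not the reporter's rules. It implements a simplified model of OpenSnitch's rule matching as an assumption: enabled rules are evaluated sorted by name with precedence rules first, `simple` is an exact string compare, `regexp` is an unanchored search, `network` is CIDR containment, and `list` is the AND of its sub-operators (so an empty list matches everything). The rule contents, the connection fields and the catch-all `.*` operator on `vscodium_openvsx` are constructed to show how one broad operator makes the last alphabetical rule swallow an unrelated `ping`.

```python
"""Which OpenSnitch rule matches a connection, and which rules are catch-alls?

Added example; not OpenSnitch's own code.  The matching semantics below are a
simplified reading of the daemon's rule engine and are an assumption; the rule
contents and the connection are constructed for the example.
"""
import ipaddress
import re

# Constructed connection: "ping google.com" with every VPN off.  Keys follow the
# OpenSnitch operand names; the values are invented.
PING_CONN = {
    "process.path": "/run/current-system/sw/bin/ping",
    "process.command": "ping google.com",
    "user.id": "1000",
    "dest.ip": "142.250.72.14",
    "dest.host": "google.com",
    "dest.port": "0",
    "protocol": "icmp",
}

# Constructed rule set.  Only the names echo the report; the operators are
# invented, and vscodium_openvsx is deliberately given a catch-all regexp.
RULES = [
    {"name": "firefox_all", "enabled": True, "precedence": False, "action": "allow",
     "operator": {"type": "simple", "operand": "process.path",
                  "data": "/run/current-system/sw/bin/firefox"}},
    {"name": "systemd-resolved_all", "enabled": True, "precedence": False, "action": "allow",
     "operator": {"type": "simple", "operand": "process.path",
                  "data": "/run/current-system/systemd/lib/systemd/systemd-resolved"}},
    {"name": "vscodium_github", "enabled": True, "precedence": False, "action": "allow",
     "operator": {"type": "list", "operand": "list", "list": [
         {"type": "simple", "operand": "process.path", "data": "/run/current-system/sw/bin/codium"},
         {"type": "regexp", "operand": "dest.host", "data": r"^([a-z0-9-]+\.)*github\.com$"}]}},
    {"name": "vscodium_openvsx", "enabled": True, "precedence": False, "action": "allow",
     "operator": {"type": "regexp", "operand": "process.path", "data": ".*"}},
]


def operator_matches(op, conn):
    """Assumed semantics: simple = exact compare (case-insensitive unless
    'sensitive'), regexp = unanchored search, network = CIDR containment,
    list = AND of sub-operators, so an empty list matches everything."""
    kind = op.get("type")
    if kind == "list":
        return all(operator_matches(sub, conn) for sub in op.get("list", []))
    value = conn.get(op.get("operand"), "")
    data = op.get("data", "")
    if kind == "simple":
        if not op.get("sensitive", False):
            return value.lower() == data.lower()
        return value == data
    if kind == "regexp":
        return re.search(data, value) is not None
    if kind == "network":
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(data, strict=False)
        except ValueError:
            return False
    return False  # unknown operator type never matches


def first_match(rules, conn):
    """Assumed order: enabled rules sorted by name, precedence rules first.
    Returns (rule name, action), or (None, None) when no rule matches, which is
    the case in which the daemon would have to ask the UI."""
    enabled = sorted((r for r in rules if r.get("enabled", True)), key=lambda r: r["name"])
    for wants_precedence in (True, False):
        for rule in enabled:
            if bool(rule.get("precedence", False)) != wants_precedence:
                continue
            if operator_matches(rule["operator"], conn):
                return rule["name"], rule["action"]
    return None, None


def catch_all_findings(rules):
    """Flag operators that would match any connection: empty list operators and
    regexps that match every probe string, including the empty string."""
    probes = ["", "/usr/bin/ping", "google.com", "142.250.72.14", "icmp"]
    findings = []

    def walk(op, name):
        kind = op.get("type")
        if kind == "list":
            subs = op.get("list", [])
            if not subs:
                findings.append((name, "empty list operator matches everything"))
            for sub in subs:
                walk(sub, name)
        elif kind == "regexp":
            pattern = op.get("data", "")
            try:
                if all(re.search(pattern, p) for p in probes):
                    findings.append((name, f"regexp {pattern!r} on {op.get('operand')} matches every probe"))
            except re.error as exc:
                findings.append((name, f"invalid regexp {pattern!r}: {exc}"))

    for rule in rules:
        walk(rule.get("operator", {}), rule["name"])
    return findings


if __name__ == "__main__":
    print("first match for ping:", first_match(RULES, PING_CONN))
    for name, reason in catch_all_findings(RULES):
        print(f"{name}: {reason}")
```

To run this against a real rules directory, replace `RULES` with the dictionaries loaded via `json.load` from each exported `.json` file and `PING_CONN` with the fields shown for the connection in the UI; a finding from `catch_all_findings` or an unexpected result from `first_match` then points at the rule to inspect.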