tomFlowee/isolationRunner
1
Fork 0
Code Issues Pull Requests Releases Activity
Files
master
isolationRunner/IsolationManager.h
T
tomFlowee c0f579ff6d add VPN feature 
This allows a jail to have a VPN config associated and as a result we start
a new net namespace, completely isolating the jails networking.
We then start an openVPN client to route between the main network and the
jails' network.

The main limitation here is that we don't setup DNS, which basically means
that the VPN will route DNS calls to the other side, but since we don't
remount resolv.conf this depends on the vpn provider actually mapping the
nameserver we use. For people that use a nameserver like 192.168.100.1,
this most of the time works just fine.

Improvement is possible.
2026-04-11 15:06:44 +02:00

137 lines
3.5 KiB
C++
Raw Permalink Blame History

#ifndef SECURITYMANAGER_H
#define SECURITYMANAGER_H
#include "RemoteRunner.h"
#include "DBusConnection.h"
#include <QObject>
#include <QSettings>
#include <QDir>
#include <QFileSystemWatcher>
class QWidget;
/**
* The isolation-manager is the biggest part of the
* server. It is the listener and it drops root priviledges
* before even loading Qt.
*
* This class uses DBus to listen to any requests and after
* processing them sends data via the pipes to the second
* part of the server (largely in main.cpp and Runner).
*
*/
class IsolationManager : public QObject
{
Q_OBJECT
public:
explicit IsolationManager(int inputId, int outputId);
struct AppEntry {
int appId = -1;
QString profileName;
QString pathToExe;
QStringList denied;
QStringList allowed;
QString initScript;
QString jailPassword;
QString vpnConf; // the ovpn file-path
QString vpnAc; // the access credentials file-path
bool autoDelete = false;
// defaults as read from the rules file
QMap<QString, bool> defaults;
bool isAllowed(const QString &tag) const;
// set the list of denied permissions, filtering out only the known types
void setDenied(const QStringList &entries);
// set the list of allowed permissions, filtering out only the known types
void setAllowed(const QStringList &entries);
bool isKnownPermission(const QString &perm) const;
};
QString startApplicationRequest(AppEntry &dbEntry, const QStringList &arguments);
enum LookupBehavior {
OnlyExisting,
MaybeCreate
};
AppEntry lookupApp(const QString &path, LookupBehavior behavior);
std::unique_ptr<QSettings> startEditApp(const QString &profileName, LookupBehavior behavior);
struct ProfileInfo {
int jailId = 0;
QString name;
QString exe;
QDateTime lastRun;
bool active = false;
};
// list profiles and known apps we have hosted in the past.
QList<ProfileInfo> listProfiles() const;
QDir dbDir() const;
QString stateFile(int jailId) const;
QString pipeFilePath(int jailId) const;
QString jailDir(int jailId) const;
QString rulesDir() const;
void setRulesDir(const QString &dir);
private slots:
void receivedMessageFromRunner(const QByteArray &data);
private:
void applyRules(AppEntry &context, Message &message, const QString &ruleFile) const;
QString expandVars(const AppEntry &context, const QString &path) const;
RemoteRunner m_runner;
DBusConnection m_listener;
QString m_rulesDir;
QString m_basedir;
QString m_dbdir;
int m_nextJailId = 0;
};
class AutoDeleter : public QObject
{
Q_OBJECT
public:
explicit AutoDeleter(IsolationManager::AppEntry appEntry, IsolationManager *parent);
private slots:
void startMonitor();
void jailClosed(const QString &pipeFile);
private:
const IsolationManager *m_parent;
const IsolationManager::AppEntry m_jail;
int m_try = 0;
QFileSystemWatcher m_watcher;
};
class DelayedApp : public QObject
{
Q_OBJECT
public:
explicit DelayedApp(IsolationManager::AppEntry appEntry, const QStringList &arguments, IsolationManager *parent);
void askPassword();
private slots:
void cancelPressed();
void passwordEntered(const QString &text);
private:
IsolationManager *m_parent;
IsolationManager::AppEntry m_jail;
const QStringList m_arguments;
QWidget *m_win = nullptr;
};
#endif
Reference in New Issue View Git Blame Copy Permalink