Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

can not load kde with opensnichd service enabled (default action is deny) #402

Closed
Maziar123 opened this issue Apr 25, 2021 · 14 comments
Closed

Comments

@Maziar123
Copy link

Maziar123 commented Apr 25, 2021

I use manjaro 21 with kernel 5.11 install via http://aur.archlinux.org/packages/opensnitch-git

opensnich version : 1.4.0rc1
when enabling opensnichd.service

after login kde show blank screen with cursor

@gustavo-iniguez-goya
Copy link
Collaborator

Hi @Maziar123 ,

What's the Default Action of the daemon? /etc/opensnitchd/default-action.json If you have it configure to deny, try changing it to allow.
Is it the first time you install it, or did you upgrade it?
Also check /var/log/opensnitchd.log for any errors when the problem occurs. Or post the log.

@Maziar123
Copy link
Author

Hi last use it in last stable version in Ubuntu
but now in manjaro seems have problem with graphic or x windows

the /etc/opensnitchd/default-action.json is set to deny

For fix this problem daemon must load later ...
i do it manually in kde

@Maziar123 Maziar123 changed the title can not load kde with opensnichd service enabled ! can not load kde with opensnichd service enabled (default action is deny) Apr 26, 2021
@gustavo-iniguez-goya
Copy link
Collaborator

gustavo-iniguez-goya commented Apr 26, 2021

the /etc/opensnitchd/default-action.json is set to deny

ok, try to set it to allow please, and let me know if kde loads properly. If it does, add the following rule to /etc/opensnitchd/rules/000-allow-system-cmds to allow dirmngr, host and xbrlapi:

{
  "created": "2021-04-26T09:58:03.704090244+02:00",
  "updated": "2021-04-26T09:58:03.704216578+02:00",
  "name": "000-allow-system-cmds",
  "enabled": true,
  "precedence": true,
  "action": "allow",
  "duration": "always",
  "operator": {
    "type": "regexp",
    "operand": "process.path",
    "sensitive": false,
    "data": "^(/usr/bin/host|/usr/bin/xbrlapi|/usr/bin/dirmngr)",
    "list": []
  }
}

@Maziar123
Copy link
Author

the /etc/opensnitchd/default-action.json is set to deny

ok, try to set it to allow please, and let me know if kde loads properly. If it does, add the following rule to /etc/opensnitchd/rules/000-allow-system-cmds to allow dirmngr, host and xbrlapi:

{
  "created": "2021-04-26T09:58:03.704090244+02:00",
  "updated": "2021-04-26T09:58:03.704216578+02:00",
  "name": "000-allow-system-cmds",
  "enabled": true,
  "precedence": true,
  "action": "allow",
  "duration": "always",
  "operator": {
    "type": "regexp",
    "operand": "process.path",
    "sensitive": false,
    "data": "^(/usr/bin/host|/usr/bin/xbrlapi|/usr/bin/dirmngr)",
    "list": []
  }
}

Hi

I test it work for me

@Maziar123 Maziar123 reopened this Apr 29, 2021
@Maziar123
Copy link
Author

I open this issue again !

yes wit last setting kde boot

but 2nd monitor desktop not work !

disable by " systemctl disable opensnitchd" fix 2nd monitor problem

@gustavo-iniguez-goya
Copy link
Collaborator

oops, could you make a copy of the file /var/log/opensnitchd.log just after boot when the error occurs, and post it here?

Set it to debug level before reboot. Thank you in advance!

@Maziar123
Copy link
Author

Hi

Sorry for late answer .

i do some check it after add /etc/opensnitchd/default-action.json

in default deny in boot problem solved but continue my test show
when default action is allow or deny when logout / login error back again :(
logfile in dbug mode :

osout.log

@gustavo-iniguez-goya
Copy link
Collaborator

Thank you for the logs @Maziar123

I don't quite understand the logs to be honest, it looks like the GUI is getting killed after logging in (just a guess).
I'll try to reproduce the issue.

@Maziar123
Copy link
Author

Maziar123 commented May 3, 2021

for you info perhaps help find problem : I write one script with sudores permission to autostart opensnichd after gui load

this gone my problem

sleep 15
systemctl start opensnitchd
sleep 10
opensnitch-ui &

@gustavo-iniguez-goya
Copy link
Collaborator

Sorry, I couldn't reproduced the problem. It worked as expected for me.

Thank you for the script/workaround, I'm glad you solved it temporary.

yes wit last setting kde boot
but 2nd monitor desktop not work !

Could you explain a little bit what's the problem here? KDE works correctly, but the second monitor does not?

Try adding a new rule to allow everything to 127.0.0.1 ([x] To this IP/Net: 127.0.0.1)

@Danny3
Copy link

Danny3 commented May 4, 2021

I don't think this problem exist on Kubuntu, but there are others like:

  1. Sometimes I can open it from systray only with two clicks (like the first time) and sometimes only one click is required.
    This is confusing.
  2. It caches normal dolphin actions like browsing the local files and it asks me if I want to allow it or not.
    Denying it it will make Dolphin's windows unresponsive and must be killed.
    I have not set any remote server in Dolphin and I have not clicket on the Network location in the left sidebar.

But I don't know if this is an Opensnitch problem, like catching too much, like intercepting too much or it's a KDE problem where they use some networking protocols when they shouldn't.
the requested connection permission is to localhost (127.0.0.1), but it still doesn't make too much sense why this is required to browse my local files.
Seen on latest version of Kubuntu and OpenSnitch.

@Maziar123
Copy link
Author

Try adding a new rule to allow everything to 127.0.0.1 ([x] To this IP/Net: 127.0.0.1)

seems this help yo fix this ,to now i don't see error again

my check show problem happen between opensnich and mesa or amdgpu device or windows manager !

@gustavo-iniguez-goya
Copy link
Collaborator

gustavo-iniguez-goya commented May 5, 2021

Sometimes I can open it from systray only with two clicks (like the first time) and sometimes only one click is required.
This is confusing.

Yep, I've also observed this behaviour on KDE. Will be fixed.

the requested connection permission is to localhost (127.0.0.1), but it still doesn't make too much sense why this is required to browse my local files.

As in the @Maziar123 case, many of the connections to localhost are part of the IPC (InterProcessCommunication) architecture of many programs. They use it to send and receive data, configurations, etc. Other apps use Unix sockets, others memory shared segments, etc. In that case, maybe component1 (GUI) is telling component2 (daemon) to list files, so when component2 list the files it send the list back to component1 via a port in localhost.

Besides adding rules to allow everything to localhost, or to allow certain system apps (dirmngr, xbrlapi, host, etc), you can add a system rule to bypass interception altogether by editing the file /etc/opensnitchd/system-fw.json, for example:

        {
            "Rule": {
                "Description": "Allow connections to localhost",
                "Table": "mangle",
                "Chain": "OUTPUT",
                "Parameters": "-d 127.0.0.0/8",
                "Target": "ACCEPT",
                "TargetParameters": ""
            }
        }

They' re just regular firewall rules (iptables right now, nftables in the near future, probably with a nice GUI to edit them easily, we'll see...). More on system rules: https://github.com/evilsocket/opensnitch/wiki/System-rules

@Maziar123
Copy link
Author

seems with this setting problem solved pleas add it to mainstream

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants