Internal network firewall #335
Comments
Introduced a new patch, 00Internal-firewall.patch, to perform filtering of HTTP calls made by the browser based on a configurable list. The goal is to take advantage of the internal logic of mapping each individual call via currently under patch; it should, along with Add browser policy, help in removing patches that hinder a fast rebase from one version to another, normally caused by removal patches. uazo/bromite-buildtools#131 should also be considered. @chirayudesai I'd be happy if you could take a look at it |
Do I understand this feature correctly: it should be able to permanently block some requests? But what do you expect to be able to block this way? Internal requests to Google? |
It would be great to either enforce or have some options to have Bromite:
Modern Android app versions use eBPF, which I do not know, but the rules I describe can be converted to NFTables and/or eBPF. I am not familiar with either NFTables or eBPF syntax. I think eBPF rules are applied, or can be applied, on a per-app basis. If that is so, then I guess that's the kind of firewall Bromite/Chromium can utilize. |
That is the goal, but for requests made 'browser-side': not directly related to features exposed on the Blink side, but rather to features necessary for Blink to work or features exposed to the user via the UI. In any case, these are not the only ways that Chromium communicates; a future patch will deal with the exchange of intents and the use of services on Android, while on Windows I will have to check whether there is any data exchange via COM. I know that ungoogled-chromium (but also Bromite, not me) has the 'Automated-domain-substitution': my patch could just be used to test the effectiveness of that solution. As far as I am concerned, as I gained experience, I realised that each individual request is detailed with a traffic annotation (list); there are a variety of them.
The majority, but I don't know for sure; we can verify it. |
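The comments above describe the mechanism only in words: every browser-side request carries a traffic annotation, and the patch decides per annotation from a configurable list, logging what it blocks. As an added example that is not code from the Internal-firewall patch, from Chromium or from anyone in this thread, here is a C++ sketch of that decision logic. The annotation id `back_navigation_cache_query` is taken from this thread; the other ids, the policy, the URLs and the log format are constructed for the example. The hash function is an assumption about Chromium's `COMPUTE_NETWORK_TRAFFIC_ANNOTATION_ID_HASH` (multiply by 31, reduce mod 138003713 at each character) and should be checked against `net/traffic_annotation/network_traffic_annotation.h` in the tree you build.

```cpp
// Added example (not the Internal-firewall patch, not Chromium code).
// A minimal per-annotation policy for browser-side network calls:
// decide allow/block from a rule list, and log both blocked calls and
// annotations that have no rule yet, so a call introduced by a new
// Chromium version shows up in the log without having to block it first.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

enum class Action { kAllow, kBlock };

// ASSUMPTION: same arithmetic as Chromium's
// COMPUTE_NETWORK_TRAFFIC_ANNOTATION_ID_HASH (rolling hash, *31 per
// character, reduced mod 138003713 so it always fits in 32 bits).
// Verify against net/traffic_annotation/network_traffic_annotation.h.
constexpr uint32_t AnnotationHash(const char* s, size_t n) {
  uint32_t h = 0;
  for (size_t i = 0; i < n; ++i)
    h = (h * 31u + static_cast<uint32_t>(s[i])) % 138003713u;
  return h;
}

struct FirewallPolicy {
  Action default_action;                // used when no rule matches
  bool enforce;                         // false = audit only: log, never block
  std::map<std::string, Action> rules;  // keyed by annotation unique_id
};

struct Decision {
  bool allowed;
  std::string log_line;  // empty when nothing worth recording happened
};

// Decide one request identified by its annotation unique_id and target URL.
Decision Evaluate(const FirewallPolicy& policy, const std::string& unique_id,
                  const std::string& url) {
  auto it = policy.rules.find(unique_id);
  const bool listed = it != policy.rules.end();
  const Action action = listed ? it->second : policy.default_action;
  const bool allowed = action == Action::kAllow || !policy.enforce;

  std::string verdict;
  if (action == Action::kBlock)
    verdict = policy.enforce ? "BLOCKED" : "WOULD_BLOCK";
  else if (!listed)
    verdict = "UNLISTED";  // allowed by default, but surfaced for review

  std::string log;
  if (!verdict.empty()) {
    log = verdict + " " + unique_id + " hash=" +
          std::to_string(AnnotationHash(unique_id.c_str(), unique_id.size())) +
          " url=" + url;
  }
  return {allowed, log};
}

// Constructed policy: allow by default, block two made-up ancillary calls.
FirewallPolicy SamplePolicy() {
  FirewallPolicy p;
  p.default_action = Action::kAllow;
  p.enforce = true;
  p.rules = {
      {"back_navigation_cache_query", Action::kAllow},  // id seen in this thread
      {"example_update_check", Action::kBlock},         // constructed id
      {"example_telemetry_upload", Action::kBlock},     // constructed id
  };
  return p;
}

int main() {
  FirewallPolicy policy = SamplePolicy();
  // Constructed sample of browser-side calls as (unique_id, url).
  const std::vector<std::pair<std::string, std::string>> calls = {
      {"back_navigation_cache_query", "https://example.invalid/page"},
      {"example_update_check", "https://example.invalid/update"},
      {"new_call_from_next_version", "https://example.invalid/new"},
  };
  for (const auto& c : calls) {
    Decision d = Evaluate(policy, c.first, c.second);
    std::cout << (d.allowed ? "allow " : "drop  ") << c.first << "\n";
    if (!d.log_line.empty()) std::cout << "  log: " << d.log_line << "\n";
  }
  return 0;
}
```

The useful property for a rebase is the audit mode: with `enforce` false nothing is dropped, but every rule hit and every unlisted annotation is logged, which is how a site breakage like the ones reported later in this thread can be traced to a specific annotation before deciding whether to keep blocking it.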
@GY8VSdYYzvL8-K6T it is not really a network firewall. I would like it if you would explain in another issue why those rules should be applied to the browser |
ungoogled-chromium uses the "trk:" scheme for catching potentially harmful connections: https://github.com/ungoogled-software/ungoogled-chromium/blob/master/patches/core/iridium-browser/all-add-trk-prefixes-to-possibly-evil-connections.patch. Still, having two independent implementations would be a great idea to verify the effectiveness of each. |
For the next step (firewall in the Android context), remember that there is
in Windows: |
Hi @uazo, with the internal firewall enabled, 9gag.com doesn't load; I had to disable the internal firewall before the site loads. With the 9gag tab still open, re-enabling the firewall and restarting chromite, the site still works, but if you close the tab and reopen a new tab, the site stops loading. |
Interesting. Tried with my Android and Windows: it opens and works. Technically there is no reason: what I block are browser calls and not those from Blink, that is, ancillary calls not directly related to browsing. However, if this is the case, it is tracked in the log |
add rules as uazo/bromite-buildtools#34 (comment) |
Another bug I found in the internal firewall: when I visit the Epic Games Store website (to claim free games), the website refuses to log me in with the firewall enabled; I had to disable the firewall so that the captcha would work. And, after login, if I re-enable the firewall, the website refuses to remember that I'm logged in and I am no longer able to access the login page; disabling the firewall allows the Epic store to remember that I was logged in. |
@eskimododo please follow the instructions in #335 |
Android 13, Oppo Find N, ColorOS 13.1 Attaching the logs.. |
thank you! |
check |
new call intercepted in v114 (back_navigation_cache_query) |
check also |
actually breaks the component build, try with |
Some update.
Intercepting calls to Android services doesn't seem to be useful. The first point is basically dealt with by the code in I have not found a way to verify the binders; I will probably have to restore the patches that remove the Google libraries and try again. However, I assume that it is not possible to make a list of "non-malicious" binders to allow; I don't know, I will see. I also found some code that makes calls to the network but is not tracked by any WIP patch, in https://gist.github.com/uazo/d8208d8d6fd732cf1173459a4464f143 |
Chromium is adding a NetworkAnnotationMonitor (https://source.chromium.org/chromium/chromium/src/+/46c798c3b301f1b9dc876d4b75da883fda8a0bfa). They mark the call in |
continue from bromite#2525