Internal network firewall

Question

Internal network firewall

uazo opened this issue a year ago · 20 comments

Answer 1 · 2023-04-16T15:12:43.000Z

Introduced new patch 00Internal-firewall.patch to perform filtering of http calls made by the browser based on a configurable list.

the goal is to take advantage of the internal logic of mapping each individual call via NetworkTrafficAnnotationTags so that selective blocking is possible before the actual call.
the http response in that case will be timeout and the calling code can perform the normal code related to the lack of connection.
in the log the related information is written to verify and actually study the related code to allow or eliminate it.
through this patch I discovered #146

currently under enable-firewall flag disabled by default: an analysis of the calls actually involved and a check of the blocked functions will have to be done.

patch should, along with Add browser policy, help in removing patches that hinder a fast rebase from one version to another normally caused by removal patches.

should also be considered #131

@chirayudesai I'd be happy if you could take a look at it
@PF4Public although I can't 100% guarantee that it's already okay for linux as well, but maybe we could work on it, it might be of interest to you as well

Answer 2 · 2023-04-16T17:07:56.000Z

@PF4Public although I can't 100% guarantee that it's already okay for linux as well, but maybe we could work on it, it might be of interest to you as well

Do I understand this feature correct: it should be able to permanently block some requests? But what do you expect to be able to block this way? Internal requests to Google?

Answer 3 · 2023-04-16T21:44:39.000Z

It would be great to either enforce or have some options to have Bromite:

Drop all new (non-established, non-related) inbound traffic
Drop all invalid traffic
Drop all bad TCP packets equivalent to the following IPTables rules:

-p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-p tcp -m tcp --tcp-flags ACK,PSH PSH -j DROP
-p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP

Drop all multicast traffic (Layer 3 and/or Layer 2 if possible)
Isolate Bromite traffic (Layer 3 and/or Layer 2 if possible)

Modern Android app versions uses eBPF, which I do not know, but rules I describe can be converted to NFTables and/or eBPF. I am not familar with neither NFTables nor eBPF syntax. I think eBPF rules are applied or can be applied on per-app basis. If that is so, then I guess that's the kind of firewall Bromite/Chromium can utilize.

Answer 4 · 2023-04-17T07:47:08.000Z

it should be able to permanently block some requests?

that is the goal, but requests made 'browser-side', not directly related to features exposed on the blink side, but rather to features necessary for blink to work or features exposed to the user via ui.
sync, safe-browsing, but also integration with ecommerce or log sending, anything else for which a connection is made via http outside the application.

in any case, these are not the only ways that chromium communicates, a future patch will deal with the exchange of intent and use of services in android, while in windows I will have to check whether there is any data exchange via COM.

I know that ungoogled chromium (but also bromite, not me) have the 'Automated-domain-substitution': my patch could just be used to test the effectiveness of that solution.

as far as I am concerned, as I gained experience, I realised that

tracking changes to blink features is easier because the changes are detailed in https://chromestatus.com/roadmap
the same does not apply to changes to the browser for which I have not yet found a source, and browser changes may require communication to external servers.
my guess is that the changes that are made with patches similar to Disable-safe-browsing.patch, work but not because the removal of the code is sufficient, but simply because the flags that deactivate the function developed by google are actually working. That patch I think is useless because that code is not being called, and we are removing dead code, unnecessarily, wasting time between rebases.

But what do you expect to be able to block this way?

each individual request is detailed with a traffic annotation (list), there are a variety of them.

Internal requests to Google?

the majority, but I don't know for sure, we can verify it.

Answer 5 · 2023-04-17T08:15:37.000Z

@GY8VSdYYzvL8-K6T is not really a network firewall. I would like if you would explain in another issue why those rules should be applied to the browser

Answer 6 · 2023-04-17T09:49:07.000Z

ungoogled-chromium uses "trk:" scheme for catching potentially harmfull connections: https://github.com/ungoogled-software/ungoogled-chromium/blob/master/patches/core/iridium-browser/all-add-trk-prefixes-to-possibly-evil-connections.patch. Still having two independent implementations would be a great idea to verify the effectiveness of each.

Answer 7 · 2023-05-04T10:27:03.000Z

for the next step (firewall on android context), remember that there is

context.startActivity(intent);
example launchGmsUpdate
context.getSystemService()
queryIntentActivities in base/android/java/src/org/chromium/base/PackageManagerUtils.java
see isGsaAvailable
org.chromium.ui.base.WindowAndroid.showIntent

in windows:

GetActivationFactory

Answer 8 · 2023-05-06T04:07:04.000Z

Hi @uazo , with the internal firewall enabled, 9gag.com doesn't load.. had to disable the internal firewall before the site loads..

With the 9gag tab still open, re-enabling firework and restarting chromite, the site still works.. but if u close the tab and reopen a new tab, the site stops loading..

Answer 9 · 2023-05-06T06:50:22.000Z

but if u close the tab and reopen a new tab, the site stops loading..

interesting. tried with my android and windows opens and works.
give me android version and device i will try with browerstack.
and log result with chrome://crashes, can you generate one manually.
it would also be interesting to check with developer tools, are you able?

technically there is no reason, what I block are browser calls and not from blink, to understand, ancillary calls not directly related to browsing. However, if this is the case, it is tracked in the log

Answer 10 · 2023-05-08T14:02:23.000Z

add rules as #34 (comment)

Answer 11 · 2023-05-11T03:13:02.000Z

Another bug I found in the internal firewall.. when I visit epic games store website (to claim free games), the website refuses to log me in with the firewall enabled.. had to disable the firewall so that the captcha will work..

And, after login, if I re-enable the firewall, the website refuses to remember that I'm logged in and I am no longer able to access the login page.. disabling the firewall allows epic store to remember that I was logged in..

Answer 12 · 2023-05-11T07:03:12.000Z

@eskimododo please follow istructions #147 (comment)
I would need to know which call was blocked.

Answer 13 · 2023-05-16T07:07:08.000Z

Android 13, Oppo Find N, ColorOS 13.1

Attaching the logs..

d8077a98-b553-46c1-accb-eae2ce58945f.zip

Answer 14 · 2023-05-16T07:14:11.000Z

thank you!

05-16 15:04:06.804  9397 17826 I chromium: [INFO:url_request_http_job.cc(554)] ---ABORTED 
URLRequestHttpJob: service_worker_navigation_preload(129872904) url: 
HTTP://WEBADDRESS.ELIDED path: content/browser/service_worker/service_worker_fetch_dispatcher.cc

Answer 15 · 2023-06-02T11:32:11.000Z

check ResourceFetcher::DetermineRequestContext()
some destinations are grouped as SUBRESOURCE (see #104)

Answer 16 · 2023-06-06T13:55:32.000Z

new call intercepted in v114 (back_navigation_cache_query)

[8944:8672:0606/155211.569:INFO:simple_url_loader.cc(1687)] ---ABORTED SimpleURLLoaderImpl: 
no-name(122067755) url: https://www.google.com/search?q=bla+bla+bla&ie=UTF-8&hl=en path: no-path

Answer 17 · 2023-06-20T08:07:23.000Z

check also TCPConnectedSocket::ConnectWithSocket

Answer 18 · 2023-06-22T12:37:38.000Z

actually breaks component build

try with

gn gen --args="is_debug=false target_os=\"linux\"" --filters="//components/subresource_filter/tools:subresource_filter_tools" out/linux
autoninja -C out/linux subresource_filter_tools

Answer 19 · 2023-07-02T14:02:31.000Z

some update.
I am testing the approach mentioned in #147 (comment), which is to intercept calls that the browser makes externally via android's api.
what i understand is that there are basically two different ways

via intent
via binders

intercepting calls to android services doesn't seem to useful.

the first point is basically dealt with by the code in components/external_intents/android/java/src/org/chromium/components/external_intents and I found some information (as referrals) that I can ask the user whether to delete. the idea is to leave it that way, so that it is the upstream code that checks all possible ways to exploit it as fingerprinting and change only the launching of the intents (which occur after chromium actually decides to open the application).

I have not found a way to verify the binders, I will probably have to restore the patches that removes the google libraries and try again, however I assume that it is not possible to make a list of "non-malicious" binders to allow, I don't know, I will see.

I also found some code that makes calls to the network but is not tracked by any TrafficAnnotationTag: this seems strange to me, I will probably ask the devs if there is a reason for this

wip patch in https://gist.github.com/uazo/d8208d8d6fd732cf1173459a4464f143

Answer 20 · 2023-07-02T14:02:57.000Z