mighty-snitch

mighty-snitch

noticing and preventing network requests should be easy

github.com/nathants/mighty-snitch

why

noticing and preventing network requests should be easy.

how

interactively filter network requests with rules and visual prompts.

what

a linux security module communicates via netlink with the userspace snitch on each sendmsg/recvmsg.

snitch decides whether to allow or deny the network request.

rules are checked. if no rule exists, a visual prompt is displayed to the user.

finally snitch responds to the kernel and the request is allowed or denied.

demo

hardware

the primary test environments is arch

the primary test devices are thinkpad x1 and rog x670e-i

prior art

little-snitch which introduced me to this concept.

open-snitch which introduced me to nfq.

tiny-snitch which helped me understand what is possible with nfq and bpftrace.

uslm which helped me understand what is possible with lsm.

design

mighty-snitch uses lsm instead of nfq to filter network requests.

the primary advantage is that it has direct access to the pid, executable, and commandline of the process making the request.

the primary disadvantage is that it requires a custom kernel.

the visual prompt is a terminal application which responds to keyboard input. a new terminal is launched for each prompt and exits after y/n are pressed. st is used on x86_64 and foot is used on arm64, though any terminal should work.

the systems fails closed. when snitch isn't running, network requests are not possible.

dns packets received on udp 53 are read via nfq so that rules can specify domains in addition to ipv4 addresses.

constraints

the following are simplifying constraints. other configurations should be possible.

rules

snitch creates a rules file: ~/.snitch.rules

when this file is edited, snitch reloads the rules.

typically rules are created by choosing the forever duration in the visual prompt, but can also be directly added to the rules file.

address can be a wildcard up to three subdomains.

commandline can be a wildcard.

here are the rules for firefox to deny all the unprompted connections it makes:

send  deny  /usr/lib/firefox/firefox  content-signature-2.cdn.mozilla.net    443  tcp  /usr/lib/firefox/firefox
send  deny  /usr/lib/firefox/firefox  content-signature-2.cdn.mozilla.net    80   tcp  /usr/lib/firefox/firefox
send  deny  /usr/lib/firefox/firefox  contile.services.mozilla.com           443  tcp  /usr/lib/firefox/firefox
send  deny  /usr/lib/firefox/firefox  firefox.settings.services.mozilla.com  443  tcp  /usr/lib/firefox/firefox
send  deny  /usr/lib/firefox/firefox  firefox.settings.services.mozilla.com  443  udp  /usr/lib/firefox/firefox
send  deny  /usr/lib/firefox/firefox  getpocket.cdn.mozilla.net              443  tcp  /usr/lib/firefox/firefox
send  deny  /usr/lib/firefox/firefox  location.services.mozilla.com          443  tcp  /usr/lib/firefox/firefox
send  deny  /usr/lib/firefox/firefox  mozilla.cloudflare-dns.com             443  tcp  /usr/lib/firefox/firefox
send  deny  /usr/lib/firefox/firefox  normandy.cdn.mozilla.net               443  tcp  /usr/lib/firefox/firefox
send  deny  /usr/lib/firefox/firefox  push.services.mozilla.com              443  tcp  /usr/lib/firefox/firefox
send  deny  /usr/lib/firefox/firefox  shavar.services.mozilla.com            443  tcp  /usr/lib/firefox/firefox

build arch and install

cd ~
git clone https://github.com/nathants/mighty-snitch

cd ~/mighty-snitch/kernel/arch
makepkg -sCf
sudo pacman -U *.zst

cd ~/mighty-snitch/snitch-prompt
sudo pip install .

cd ~/mighty-snitch/snitch
bash snitch.sh