Better process detection: the Framework system

discussion

#1

Hello,

Now that the Portmaster is in Alpha, we get to work on the really fun problems. Have you noticed that if you run a python/ruby/whatever script, only the python/ruby/whatever interpreter shows up in Portmaster? Well, that was expected, but not what we actually want.

What we want is that the entity that is executing is correctly identified, whether that means going up (the parent process of a curl call) or down (that python script) the process tree.

The following is a first proposal for how such a system could work. It shall primarily spark discussion and get us all talking.


Framework

copied from docs.safing.io on 19.02.2019

When a Profile with a Framework is evaluated, the executable path will be rewritten and a new Profile will be searched for with this path.

Going down the process tree, e.g. finding the actual script of an interpreter:

  • Find: Regex to find match groups within the path.
  • Build: String that uses the regex match groups to build a new path. The resulting path is checked if it exists.
  • Virtual: Do not check if the built path exists. This is useful to construct virtual namespaces for special categories of applications, like containerized/sandboxed applications. Usually the current Profile would be used if the resulting path does not exist.

Going up the process tree, using the path of the parent process to match a profile:

  • Find parent level: Defines the number of levels to traverse the process tree up.
  • Merge with parent: If true, view connections of this process as a part of the identified parent process.

What do you think?
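As an added worked example (not code from the post above or from Portmaster itself), here is how both directions of the proposed Framework could be implemented in Go, Portmaster's language. The struct and field names, the regexes, the virtual `/virtual/flatpak/...` namespace and the sample process tree are all assumptions made for the illustration. One reading choice is labelled in the code: the proposal talks about rewriting "the path", but for an interpreter the script name lives in argv rather than in the executable path, so `Find` is applied to the full command line here.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// Framework is a direct reading of the proposal; field names are assumptions
// made for this example, not Portmaster's own.
type Framework struct {
	Find    string // going down: regex with capture groups, applied to the command line
	Build   string // going down: template expanded with ${1}, ${2}, ... from Find
	Virtual bool   // going down: if true, the built path is not required to exist
	FindParentLevel int  // going up: number of levels to walk up the tree
	MergeWithParent bool // going up: show this process's connections as the ancestor's
}

// Process is a minimal process-tree node, constructed for this example.
type Process struct {
	Pid    int
	Path   string   // executable path; also the key into the framework table
	Args   []string // argv including Args[0]
	Cwd    string
	Parent *Process
}

// Resolution is what the subsequent Profile lookup would run with.
type Resolution struct {
	ProfilePath string // path to search a Profile for
	Merged      bool   // connections belong to the identified ancestor
}

// fileExists is the check Build requires and Virtual skips. It is a variable
// so a test can substitute a fake filesystem.
var fileExists = func(p string) bool {
	st, err := os.Stat(p)
	return err == nil && !st.IsDir()
}

// applyDown rewrites the command line via Find/Build. An empty result means
// "rule does not apply, keep the current Profile".
func (fw Framework) applyDown(p *Process) (string, error) {
	re, err := regexp.Compile(fw.Find)
	if err != nil {
		return "", fmt.Errorf("bad Find regex %q: %w", fw.Find, err)
	}
	cmdline := strings.Join(p.Args, " ") // assumption: match against argv, not only the exe path
	idx := re.FindStringSubmatchIndex(cmdline)
	if idx == nil {
		return "", nil
	}
	built := string(re.ExpandString(nil, fw.Build, cmdline, idx))
	if built == "" || fw.Virtual {
		return built, nil // virtual namespaces are never checked on disk
	}
	if !filepath.IsAbs(built) {
		built = filepath.Join(p.Cwd, built) // "python script.py" is relative to the cwd
	}
	built = filepath.Clean(built)
	if !fileExists(built) {
		return "", nil // fall back to the current Profile, as the proposal says
	}
	return built, nil
}

// Resolve walks the rules starting at p. Going up may land on a process that
// has a Framework of its own (curl -> bash -> deploy.sh), so it loops, with a
// hop limit so a misconfigured table cannot spin forever.
func Resolve(p *Process, frameworks map[string]Framework) (Resolution, error) {
	res := Resolution{ProfilePath: p.Path}
	for hop := 0; hop < 8; hop++ {
		fw, ok := frameworks[p.Path]
		if !ok {
			return res, nil
		}
		if fw.Find != "" {
			built, err := fw.applyDown(p)
			if err == nil && built != "" {
				res.ProfilePath = built
			}
			return res, err
		}
		if fw.FindParentLevel <= 0 {
			return res, nil
		}
		for i := 0; i < fw.FindParentLevel; i++ {
			if p.Parent == nil {
				return res, nil // tree shorter than requested: keep what we have
			}
			p = p.Parent
		}
		res.ProfilePath = p.Path
		res.Merged = res.Merged || fw.MergeWithParent
	}
	return res, fmt.Errorf("framework chain longer than 8 hops at pid %d", p.Pid)
}

func main() {
	// Constructed sample tree: systemd -> bash deploy.sh -> curl, plus a Flatpak launch.
	script, err := os.CreateTemp("", "deploy-*.sh")
	if err != nil {
		panic(err)
	}
	script.Close()
	defer os.Remove(script.Name())
	frameworks := map[string]Framework{
		"/usr/bin/bash":    {Find: `^\S*bash\s+(?:-\S+\s+)*(\S+\.sh)`, Build: "${1}"},
		"/usr/bin/curl":    {FindParentLevel: 1, MergeWithParent: true},
		"/usr/bin/flatpak": {Find: `^\S*flatpak\s+run\s+(\S+)`, Build: "/virtual/flatpak/${1}", Virtual: true},
	}
	systemd := &Process{Pid: 1, Path: "/usr/lib/systemd/systemd", Args: []string{"systemd"}}
	bash := &Process{Pid: 4242, Path: "/usr/bin/bash", Args: []string{"bash", script.Name()}, Cwd: "/", Parent: systemd}
	curl := &Process{Pid: 4243, Path: "/usr/bin/curl", Args: []string{"curl", "https://example.com"}, Parent: bash}
	flatpak := &Process{Pid: 5000, Path: "/usr/bin/flatpak", Args: []string{"flatpak", "run", "org.example.App"}, Parent: systemd}
	for _, p := range []*Process{curl, flatpak} {
		r, err := Resolve(p, frameworks)
		fmt.Printf("pid %d -> profile %s (merged=%v, err=%v)\n", p.Pid, r.ProfilePath, r.Merged, err)
	}
}
```

Two things worth keeping in mind when turning this into a real rule set: the command line is chosen by whoever called exec, so a process can claim any `Find` match it likes and the regexes should be treated as handling untrusted input (anchor them, and prefer the existence check over `Virtual` wherever a real file is expected); and going up and going down compose, which is why `Resolve` loops instead of applying a single rule, so that `curl` started by a deploy script ends up attributed to the script rather than to `/usr/bin/bash`.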