This is exactly the thing we are aiming for, as Portmaster is intended to be as easy to use as possible.
We currently already have support for AppImage and Snap packages on Linux and Windows Store apps and "svchost.exe services" on Windows. Additionally, we can detect common interpreters on Linux and correctly match the script file instead of the interpreter.
The support for these systems is implemented as "tags", which are attached to a process internally in Portmaster. These tags are then used to match a settings profile.
You can find the implementations here: https://github.com/safing/portmaster/tree/develop/process/ta...
We almost had an implementation ready for what you want (matching the parent process), but we had to abort due to some difficulties in matching: the question we could find a good answer for was where to put the information about which binaries are merged into / inherit from the parent. The ideal scenario from a UX perspective would be to declare it on the parent as an "include all sub-processes" option. But this would mean we would need to fully resolve all parent processes, including their settings, every time we evaluate a process. We deemed this to be too slow and too complex for a quick and clean solution. If you or anyone else has a great idea, I'd be happy to have a call to discuss.
I'm a happy user of Opensnitch, but there's one important feature I miss: https://github.com/evilsocket/opensnitch/issues/406
Suppose `curl` makes an outbound connection. I can add a rule for `curl`, but the rule cannot make use of the parent process hierarchy. Without this, any application could proxy through curl to evade firewall rules. For example, if the process tree is git -> perl -> curl, I probably want to allow it, but spotify -> curl I want to deny. Another example: I probably want to allow (explicitly started) bash -> curl, but deny spotify -> bash -> curl.
Does Portmaster support this? If so I'll take it for a spin!
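As an added illustration of the ancestry-based matching asked for above (written for this thread, not code from Portmaster or OpenSnitch), the Go program below walks a process's parent chain and evaluates an ordered rule list against it. The process table, PIDs and rule semantics are constructed for the example; a real firewall would read the table from /proc or a Windows process snapshot, and the cycle guard in the walk is there because such tables can be stale or racy.

```go
package main

import "fmt"

// Process is a minimal view of one entry in the process table.
type Process struct {
	PID  int
	PPID int
	Name string // executable name, e.g. "curl"
}

// ProcTable maps PID to Process. A real implementation would populate it
// from /proc on Linux or a process snapshot on Windows; here it is
// constructed inline with hypothetical PIDs for demonstration.
type ProcTable map[int]Process

// Ancestry returns the executable names from the process itself up to the
// root, e.g. ["curl", "perl", "git", "bash", "systemd"]. The visited set
// guards against a corrupted or racing table that would otherwise loop.
func (t ProcTable) Ancestry(pid int) []string {
	var chain []string
	visited := map[int]bool{}
	for pid != 0 && !visited[pid] {
		visited[pid] = true
		p, ok := t[pid]
		if !ok {
			break // parent already exited; the chain ends here
		}
		chain = append(chain, p.Name)
		pid = p.PPID
	}
	return chain
}

// Verdict is the outcome of rule evaluation.
type Verdict int

const (
	Undecided Verdict = iota // no rule matched; an interactive firewall would prompt
	Allow
	Deny
)

func (v Verdict) String() string {
	return [...]string{"undecided", "allow", "deny"}[v]
}

// Rule matches the binary that opened the socket and, optionally, requires a
// named ancestor anywhere above it in the process tree.
type Rule struct {
	Binary   string
	Ancestor string // "" means "regardless of parents"
	Verdict  Verdict
}

// hasAncestor reports whether name appears anywhere in the parent chain.
func hasAncestor(parents []string, name string) bool {
	for _, p := range parents {
		if p == name {
			return true
		}
	}
	return false
}

// Decide returns the verdict of the first rule matching the process and its
// ancestry. Rule order carries intent: deny rules for untrusted parents must
// precede the broad allow for the same binary.
func Decide(rules []Rule, chain []string) Verdict {
	if len(chain) == 0 {
		return Undecided
	}
	for _, r := range rules {
		if r.Binary != chain[0] {
			continue
		}
		if r.Ancestor == "" || hasAncestor(chain[1:], r.Ancestor) {
			return r.Verdict
		}
	}
	return Undecided
}

// SampleTable is a constructed process table covering the four cases from the
// discussion: git -> perl -> curl, spotify -> curl, bash -> curl and
// spotify -> bash -> curl.
var SampleTable = ProcTable{
	1:   {1, 0, "systemd"},
	100: {100, 1, "bash"},
	200: {200, 100, "git"},
	201: {201, 200, "perl"},
	202: {202, 201, "curl"},
	300: {300, 1, "spotify"},
	301: {301, 300, "curl"},
	400: {400, 100, "curl"},
	500: {500, 300, "bash"},
	501: {501, 500, "curl"},
}

// SampleRules: deny curl launched anywhere beneath spotify, otherwise allow it.
var SampleRules = []Rule{
	{Binary: "curl", Ancestor: "spotify", Verdict: Deny},
	{Binary: "curl", Verdict: Allow},
}

func main() {
	for _, pid := range []int{202, 301, 400, 501} {
		chain := SampleTable.Ancestry(pid)
		fmt.Printf("pid %d chain %v -> %s\n", pid, chain, Decide(SampleRules, chain))
	}
}
```

The walk costs one table lookup per level of the tree for every evaluated connection, which is the "resolve all parent processes" cost the Portmaster reply mentions; caching the ancestry per PID until that PID exits is the usual way to keep it cheap.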