[Feature Request] Load rules from per-user directory about opensnitch HOT 5 CLOSED

opensnitchd --help

-rules-path string
    Path to load JSON rules from. (default "rules")

This reminds me:

I have not tested environment variables with this argument but they do not work with list of Domains rules

New rule > $HOME/myrules/ UI returns "Lists field must be a directory"

Same with $SUDO_USER

from opensnitch.

That's an option for the system-wide daemon, right? I want there to be system-wide rules managed by the sysadmin and per-user rules managed by the user; I don't think I can do that with the existing options.

from opensnitch.

What distro do you use? with systemd, create a user service with the args above

https://wiki.archlinux.org/title/Systemd/User

/usr/lib/systemd/system/opensnitchd.service:
ExecStart=/usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules

from opensnitch.

NixOS, so yes I have systemd, but unless you're saying it's possible to run two opensnitchd processes at the same time (one for the entire system regardless of who is at the seat, one for the current user) that unfortunately isn't what I'm asking for.

from opensnitch.

Hi all,

I think the main problem is, that by default any user can launch the GUI and view all the rules. There's no per-user authentication mechanism. By default, we assume that the GUI is used by the admin(s).
If there're more users on the same computer, right now you'll have to restrict the use of the GUI to the admins.

If the rules are stored in a world-readable location is a another issue. Rules are not world-readable, and one can remove world-readable permissions to the rules directory if needed.

By the way @rhendric , could you explain in detail the use case of this feature request? just out of curiosity O:)

So I'd love it if there were a configurable secondary rule location in the user's home that, on startup, the OpenSnitch GUI would read and then send to the daemon as until-restart rules (perhaps also restricted to the current user?). The rule editor should allow for a rule to be saved as a system or a user rule and, in the case of the latter, persist the rule file to this secondary location if it is permanent.

We should add the concept of users to the GUI, separate privileges for read (view) and write rules by user.

Right now adding a secondary rule location per user wouldn't make any difference, because you can view and edit all the rules with the GUI.

Previous discussions: #388 , #983

from opensnitch.