Suppose `curl` makes an outbound connection. I can add a rule for `curl`, but the rule cannot make use of the parent process hierarchy. Without this, any application could proxy through curl to evade firewall rules. For example, if the process tree is git -> perl -> curl, I probably want to allow it, but spotify -> curl I want to deny. Another example: I probably want to allow (explicitly started) bash -> curl, but deny spotify -> bash -> curl.
Does Portmaster support this? If so I'll take it for a spin!
This is exactly the thing we are aiming for, as Portmaster is intended to be as easy to use as possible.
We currently already have special support for AppImage and Snap packages on Linux and Windows Store apps and "svchost.exe services" on Windows. Additionally, we can detect common interpreters on Linux and correctly match the script file instead of the interpreter.
The support for these systems is implemented as "tags", which are attached to a process internally in Portmaster. These tags are then used to match a settings profile.
We almost had an implementation ready for what you want (matching the parent process), but we had to abort due to some difficulties in matching: the question we could not find a good answer for was where to put the information about which binaries are merged into / inherit from the parent. The ideal scenario from a UX perspective would be to declare it on the parent as an "include all sub-processes" option. But this would mean we would need to fully resolve all parent processes, including their settings, every time we evaluate a process. We deemed this to be too slow and too complex for a quick and clean solution. If you or anyone else has a great idea, I'd be happy to have a call to discuss.
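To make the semantics of the opening post concrete (allow git -> perl -> curl and bash -> curl, deny spotify -> curl and spotify -> bash -> curl), here is a small Go sketch of ancestry-based rule matching. It is an added example written for this thread, not Portmaster's code: it resolves the full parent chain of a PID and matches ordered rules against the tail of that chain, first match wins, default deny. The process table, rule set and the `ProcLookup`, `Ancestry`, `Rule` and `Decide` names are all constructed for the example. Walking the whole chain on every evaluation is exactly the per-connection cost the maintainer's reply points at, so the example also shows where that cost sits.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// ProcInfo is the minimum we need about one process: executable name and parent PID.
type ProcInfo struct {
	Name string
	PPID int
}

// Lookup resolves a PID to its ProcInfo; ok is false when the PID does not exist.
type Lookup func(pid int) (info ProcInfo, ok bool)

// Ancestry returns the chain from the root ancestor down to pid, e.g.
// ["systemd", "spotify", "bash", "curl"]. Every call walks the whole chain,
// which is the per-evaluation cost discussed in the thread.
func Ancestry(pid int, lookup Lookup) []string {
	var chain []string
	seen := map[int]bool{}
	for pid > 0 && !seen[pid] {
		seen[pid] = true // guard against a cyclic or corrupted table
		info, ok := lookup(pid)
		if !ok {
			break
		}
		chain = append([]string{info.Name}, chain...)
		pid = info.PPID
	}
	return chain
}

// Rule is an ordered ancestor pattern that must appear as the tail of the chain.
type Rule struct {
	Pattern []string
	Allow   bool
}

// Matches reports whether the rule's pattern is a contiguous suffix of chain.
func (r Rule) Matches(chain []string) bool {
	if len(r.Pattern) > len(chain) {
		return false
	}
	off := len(chain) - len(r.Pattern)
	for i, p := range r.Pattern {
		if chain[off+i] != p {
			return false
		}
	}
	return true
}

// Decide applies rules first-match-wins; anything unmatched is denied.
func Decide(chain []string, rules []Rule) (allow bool, matched string) {
	for _, r := range rules {
		if r.Matches(chain) {
			return r.Allow, strings.Join(r.Pattern, " -> ")
		}
	}
	return false, "default deny"
}

// ProcLookup reads name and PPID from /proc/<pid>/stat (Linux only).
// Format: "pid (comm) state ppid ..."; comm may contain spaces or ')',
// so the name is delimited by the first '(' and the last ')'.
func ProcLookup(pid int) (ProcInfo, bool) {
	data, err := os.ReadFile("/proc/" + strconv.Itoa(pid) + "/stat")
	if err != nil {
		return ProcInfo{}, false
	}
	s := string(data)
	openIdx, closeIdx := strings.IndexByte(s, '('), strings.LastIndexByte(s, ')')
	if openIdx < 0 || closeIdx < openIdx {
		return ProcInfo{}, false
	}
	fields := strings.Fields(s[closeIdx+1:]) // fields[0] = state, fields[1] = ppid
	if len(fields) < 2 {
		return ProcInfo{}, false
	}
	ppid, err := strconv.Atoi(fields[1])
	if err != nil {
		return ProcInfo{}, false
	}
	return ProcInfo{Name: s[openIdx+1 : closeIdx], PPID: ppid}, true
}

// ConstructedTable is a made-up process table standing in for /proc so the example runs offline.
var ConstructedTable = map[int]ProcInfo{
	1:   {"systemd", 0},
	100: {"spotify", 1},
	200: {"bash", 100}, // shell spawned by spotify
	201: {"curl", 200}, // spotify -> bash -> curl
	300: {"bash", 1},   // explicitly started shell
	301: {"curl", 300}, // bash -> curl
	400: {"git", 300},
	401: {"perl", 400},
	402: {"curl", 401}, // git -> perl -> curl
	500: {"curl", 100}, // spotify -> curl
}

func tableLookup(pid int) (ProcInfo, bool) { p, ok := ConstructedTable[pid]; return p, ok }

// ExampleRules encodes the policy from the opening post. Order matters: the specific
// deny for spotify -> bash -> curl must precede the general allow for bash -> curl.
var ExampleRules = []Rule{
	{Pattern: []string{"spotify", "bash", "curl"}, Allow: false},
	{Pattern: []string{"spotify", "curl"}, Allow: false},
	{Pattern: []string{"git", "perl", "curl"}, Allow: true},
	{Pattern: []string{"bash", "curl"}, Allow: true},
}

func main() {
	for _, pid := range []int{201, 301, 402, 500} {
		chain := Ancestry(pid, tableLookup)
		allow, why := Decide(chain, ExampleRules)
		fmt.Printf("%-40s allow=%-5v (%s)\n", strings.Join(chain, " -> "), allow, why)
	}
	// With a real PID on the command line, print its live ancestry from /proc.
	if len(os.Args) > 1 {
		if pid, err := strconv.Atoi(os.Args[1]); err == nil {
			fmt.Println(strings.Join(Ancestry(pid, ProcLookup), " -> "))
		}
	}
}
```

Matching on a contiguous suffix keeps the rule language simple, but it also shows the maintainer's point: the decision for a single `curl` connection depends on every ancestor's name, so a change anywhere up the tree (or a profile attached to an ancestor) forces the whole chain to be re-resolved.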
Deny spotify the capability to start other processes?
Although I don't quite understand your example. spotify needs network access to be useful, doesn't it? So what would blocking spotify -> curl protect against?
In general though, if a program doesn't have the capability to start outbound connections, then any child processes won't have it either. There is also a distinction as to which capabilities are inherited, so that you can have a process with network access but without being able to pass that on to child processes.