path (original) (raw)

This is a follow-up to this addition: #1066 (comment)

I've added an option to the pop-ups, to automatically create a regular expression to match the path of AppImages, if the path of the process starts with /tmp/.mount_.

As far as I can tell, as explained in the commit, the pattern is /tmp/._mountXXXXXX/.*binary, where only XXXXXX is random. For example IPTVnator -> /tmp/.mount_IPTVnaD8In31/iptvnator, or Siril -> /tmp/.mount_Siril-Cykpw0/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2

As established, most Appimages will randomly generate a /tmp/ path with 6 random characters in the filepath on launch. OpenSnitch now correctly catches this and provides a prompt with an expression to block outgoing connections with a matching filepath with any 6 random characters:

^/tmp/\.mount_example\.[0-9A-Za-z]{6}\/.*example$

This, however, does not stop appimages (or other executables) that create /tmp/ filepaths with more than 6 randomly generated characters such as:

/tmp/.mount_example.aMxuCxD/usr/bin/example

Because of this OpenSnitch will continually bombard the user with block prompts because the rule it creates does not recognize the filepath.

Editing the expression from a 6 to a 7 (in this example) solves the issue, but it should be expanded to catch any length of randomly generated characters.

^/tmp/\.mount_example\.[0-9A-Za-z]{7}\/.*example$