ui,popups: improved checksums verification

gustavo-iniguez-goya · gustavo-iniguez-goya · commit f87c3ae655a5 · 2025-06-12T00:28:58.000+02:00
Verify the checksum of complex rules. Previously we only verified rules
of type Simple.
diff --git a/ui/opensnitch/dialogs/prompt/__init__.py b/ui/opensnitch/dialogs/prompt/__init__.py
@@ -360,36 +360,53 @@ def _set_cmd_action_text(self):
     def _display_checksums_warning(self, peer, con):
         self.messageLabel.setStyleSheet('')
         self.labelChecksumStatus.setText('')
+        is_valid = True
+        checksums = con.process_checksums
+        expected_list = []
 
         records = self._rules.get_by_field(peer, "operator_data", con.process_path)
 
         if records != None and records.first():
-            rule = Rule.new_from_records(records)
-            validates, expected = _checksums.verify(con, rule)
-            if not validates:
-                self.messageLabel.setStyleSheet('color: red')
-                self.messageLabel.setText(
-                    QC.translate("popups", "WARNING, bad checksum (<a href='#warning-checksum'>More info</a>)"
-                                 )
-                )
-                self.labelChecksumNote.setText(
-                    QC.translate("popups", "<font color=\"red\">WARNING, checksums differ.</font><br><br>Current process ({0}):<br>{1}<br><br>Expected from the rule:<br>{2}"
-                                 .format(
-                                     con.process_id,
-                                     con.process_checksums[Config.OPERAND_PROCESS_HASH_MD5],
-                                     expected
-                )))
-
-                self.comboChecksumRule.clear()
-                self.comboChecksumRule.addItem(rule.name)
-                while records.next():
-                    rule = Rule.new_from_records(records)
-                    self.comboChecksumRule.addItem(rule.name)
-
-                return "<b>WARNING</b><br>bad md5<br>This process:{0}<br>Expected from rule: {1}<br><br>".format(
-                    con.process_checksums[Config.OPERAND_PROCESS_HASH_MD5],
-                    expected
-                )
+            rules_names = []
+            while True:
+                if not records.next():
+                    break
+                rule = Rule.new_from_records(records)
+
+                if not rule.enabled:
+                    continue
+                rules_names.append(rule.name)
+                validates, expected = _checksums.verify(checksums, rule)
+                if not validates:
+                    expected_list.append(expected)
+                is_valid &= validates
+
+            if is_valid:
+                return ""
+
+            self.messageLabel.setStyleSheet('color: red')
+            self.messageLabel.setText(
+                QC.translate("popups", "WARNING, bad checksum (<a href='#warning-checksum'>More info</a>)"
+                                )
+            )
+            self.labelChecksumNote.setText(
+                QC.translate(
+                    "popups",
+                    "<font color=\"red\">WARNING, checksums differ for at least one rule.</font><br><br>Current process ({0}):<br>{1}<br><br>Expected from the rule:<br>{2}"
+                    .format(
+                        con.process_id,
+                        checksums[Config.OPERAND_PROCESS_HASH_MD5],
+                        expected_list
+                    ))
+            )
+
+            self.comboChecksumRule.clear()
+            self.comboChecksumRule.addItems(rules_names)
+
+            return "<b>WARNING</b><br>bad md5<br>This process:{0}<br>Expected from rule: {1}<br><br>".format(
+                checksums[Config.OPERAND_PROCESS_HASH_MD5],
+                expected
+            )
 
         return ""
 
diff --git a/ui/opensnitch/dialogs/prompt/_checksums.py b/ui/opensnitch/dialogs/prompt/_checksums.py
@@ -2,7 +2,7 @@
 from opensnitch.config import Config
 from opensnitch.rules import Rule
 
-def verify(con, rule):
+def verify(checksums, rule):
     """return true if the checksum of a rule matches the one of the process
     opening a connection.
     """
@@ -13,12 +13,14 @@ def verify(con, rule):
 
     # checksum will be empty if the daemon failed to calculate it.
     # in this case assume that it's ok (ignore it).
-    if con.process_checksums[Config.OPERAND_PROCESS_HASH_MD5] == "":
+    if checksums[Config.OPERAND_PROCESS_HASH_MD5] == "":
         return True, ""
 
+    if not rule.enabled:
+        return True, ""
     for ro in rule.operator.list:
         if ro.type == Config.RULE_TYPE_SIMPLE and ro.operand == Config.OPERAND_PROCESS_HASH_MD5:
-            if ro.data != con.process_checksums[Config.OPERAND_PROCESS_HASH_MD5]:
+            if ro.data != checksums[Config.OPERAND_PROCESS_HASH_MD5]:
                 return False, ro.data
 
     return True, ""
