picosnitch

Recent Commits

• Eric Lesiuta (04 Jun 26)

  release: 2.1.1

• Eric Lesiuta (04 Jun 26)

  fix loading libbpf on non-FHS installs (e.g. Nix)

• Eric Lesiuta (04 Jun 26)

  release: 2.1.0

• Eric Lesiuta (03 Jun 26)

  feat: make conn map size configurable and warn on near-capacity conn_map_max_entries (default 65536) resizes the in-kernel aggregation maps at load. the lru maps evict silently when full, so warn when a drain comes back near capacity since connections may have been dropped.

• Eric Lesiuta (03 Jun 26)

  fix: use toml config names in error strings the missed-event warning and a hash-fallback comment still referenced the old json config names.

• Eric Lesiuta (03 Jun 26)

  feat(bpf): capture dest addr/port for unconnected udp sendto without connect leaves the peer in the msghdr msg_name rather than the sock, so dport/daddr were recorded as zero. fall back to reading msg_name when the sock has no dest.

• Eric Lesiuta (03 Jun 26)

  perf(bpf): aggregate per-connection bytes and packets in-kernel Sum send/recv bytes and packets in conn_stats4/conn_stats6 LRU hash maps keyed by connection identity, then drain them on a fixed interval with bpf_map_lookup_and_delete_elem (atomic per entry). userspace emits one event per connection per drain instead of one per packet, so the process-ancestry walk and pickling run once per connection rather than per packet. the events column now carries the kernel send/recv call count so it stays meaningful after aggregation.

• Eric Lesiuta (03 Jun 26)

  fix(bpf): record send bytes via inet_sendmsg The send probe was on the exported sock_sendmsg, which the sendmsg/sendto/ write syscalls no longer reach, so every send recorded 0 bytes. Hook inet_sendmsg / inet6_sendmsg instead, the per-family sendmsg dispatch point, covering tcp, udp, raw and icmp sends plus write()/writev() in one hook per family without double counting. Recv stays on sock_recvmsg. trace_sendrecv now takes a struct sock * directly; the old sock_sendmsg + sock_write_iter pair is removed.

• Eric Lesiuta (03 Jun 26)

  release: 2.0.3

• Eric Lesiuta (03 Jun 26)

  update urls and remove dependencies table (no dependencies required)

• Eric Lesiuta (03 Jun 26)

  update cli strings

• Eric Lesiuta (03 Jun 26)

  fix(service): grant CAP_SYS_PTRACE so exe paths resolve readlink /proc/<pid>/exe requires CAP_SYS_PTRACE for non-dumpable (e.g. sshd) or other-uid processes. without it, those connections recorded an empty exe path while PATH binaries still resolved via comm fallback, masking the cause. add the cap to both the packaged unit and the cli-generated unit.

• Eric Lesiuta (02 Jun 26)

  fix(monitor): resolve exe for worker-thread events, better multi-call support - retry _find_exe_by_inode with the thread group leader's comm from /proc/<pid>/comm when the BPF thread comm matches no binary (tokio-rt-worker -> node, etc), via new _read_tgid_comm() - _resolve_when_proc_gone() gathers the post-readlink fallbacks: comm only locates a candidate, whose (dev, ino) is re-checked against the kernel event inode by _find_exe_by_inode, so a spoofed comm can't point at a different binary -- at worst it names another hardlink of the same inode (same bytes, same hash), the process's own claimed name, which we keep - with no comm match, fall back to dev_ino_fallback keyed by (dev, ino) alone and classified by _classify_inode_fallback(): symlink aliases collapse to one canonical path (nlink == 1); a hardlink multi-call inode (uutils, nlink > 1) has no name to give without comm and gets a '<multi-call:dev,ino>' sentinel. proc_exe (live readlink) stays preferred and is the only authoritative per-process path - stop caching empty exe values, which had been masking later lookups - add /usr/libexec to _find_exe_by_inode, prefix get_fd errors with 'monitor.get_fd:', add tests/test_monitor.py

• Eric Lesiuta (02 Jun 26)

  fix(notifier): tag errors, honor desktop.notifications=false error.log was being flooded with desktop-notification body text. Root cause was the notifications subprocess falling back to logging.warning for the message body, which the daemon's root WARNING handler then appended to error.log verbatim with no indication it originated from the toast path. Notifications subprocess (run_notifications): - desktop.notifications=false: silently drain q_in so a disabled config never produces error.log noise and never lets _toast() back up. - desktop.notifications=true, notify-send missing: emit a single tagged q_error with remediation, then keep draining; emit a matching 'now available' message if notify-send later appears. - capture notify-send stderr (was DEVNULL) and report a non-zero rc or a raised invocation once per distinct signature instead of silently dropping or repeating. - close the inherited fan_fd before dropping root. - all notifier-origin q_error lines are prefixed 'notifier:' so error.log provenance is unambiguous. primary._toast: - drop the logging fallback entirely; on q_notify put failure surface a tagged 'primary: q_notify.put failed' line via q_error (q_notify is unbounded so this only happens during shutdown / broken pipe, where the inner put may also fail and is intentionally ignored).

• Eric Lesiuta (02 Jun 26)

  main_loop: SIGUSR1 for immediate monitor restart Add SIGUSR1 handler so a sleep hook or 'kill -USR1' can recover the BPF monitor without waiting 20s (or if the suspend was <20s)

• Eric Lesiuta (28 May 26)

  release: 2.0.2

• Eric Lesiuta (28 May 26)

  docs: desktop notification method

• Eric Lesiuta (28 May 26)

  Include vendored vmlinux.h in sdist; unify bpf_target_arch naming

• Eric Lesiuta (27 May 26)

  fix distro builds - fix Fedora and openSUSE builds on COPR - remove pipx suggestion from package dependencies

• Eric Lesiuta (27 May 26)

  release: 2.0.1

• Eric Lesiuta (27 May 26)

  docs: drop redundant image-link wrappers so glightbox can intercept clicks The mkdocs-glightbox plugin only auto-wraps bare images; if the image already sits inside a [](href) markdown link, the plugin leaves it alone and the click falls through to a release-asset download instead of opening the lightbox.

• Eric Lesiuta (27 May 26)

  doc chores drop 'pipx ensurepath --global' from install steps since it uses /usr/local/bin and already on PATH for every mainstream distro enable glightbox so clicking screenshots zooms in-page previously clicking an image navigated to the raw release-asset URL, which GitHub serves with Content-Disposition: attachment, forcing a download also link gallery images to screenshots page instead of raw assets

• Eric Lesiuta (27 May 26)

  fix distro builds (rpm/deb): vendor per-arch vmlinux.h The 2.0.0 RPM/Deb builds (COPR, Launchpad PPA) were broken: - rpm/picosnitch.spec still pointed to picosnitch.tar.gz which was generated with our old workflow to have a fixed hash - debian/compat conflicted with debhelper-compat in control under debhelper >=13.31 (now an error) - Mock/sbuild chroots have no network, vendor vmlinux.h since we can't grab from libbpf-bootstrap at build time Vendored per-arch vmlinux.h headers come from https://github.com/libbpf/libbpf-bootstrap currently pinned at libbpf/vmlinux.h@991dd4b wget -O src/picosnitch/bpf/vmlinux_x86.h \ https://raw.githubusercontent.com/libbpf/vmlinux.h/991dd4b8dfd8c9d62ce8999521b24f61d9b7fc52/include/x86/vmlinux_6.18.h wget -O src/picosnitch/bpf/vmlinux_arm64.h \ https://raw.githubusercontent.com/libbpf/vmlinux.h/991dd4b8dfd8c9d62ce8999521b24f61d9b7fc52/include/aarch64/vmlinux_6.18.h

• Eric Lesiuta (27 May 26)

  fix for python 3.14 which changed multiprocessing default fork -> forkserver closes https://github.com/elesiuta/picosnitch/issues/46 picosnitch's subprocess model relies on fork semantics: * the fanotify fd is inherited implicitly by all children * ProcessManager instances (containing already-started Process objects) are passed as init_args to other subprocesses Python 3.14 changed the default start method from "fork" to "forkserver" (gh-84559) because fork() in multi-threaded programs is unsafe (it only clones the calling thread, leaving locks held by other threads frozen). picosnitch forks before spawning any threads so the safety concern does not apply here; switching to forkserver would require restructuring the subprocess wiring (explicit fd passing, no live-object init_args) and is not worth the churn. Force fork explicitly.

• Eric Lesiuta (26 May 26)

  ci: update pages, screenshots - drop release trigger; github-pages env restricts deploys - add webui-by-exe-1d and webui-overview-1h to release uploads

• Eric Lesiuta (26 May 26)

  release: 2.0.0

• Eric Lesiuta (26 May 26)

  docs: clarify picosnitch[sql] install and top auto-daemon behaviour

• Eric Lesiuta (26 May 26)

  docs: minor polish and pages workflow speedup - README: add 'sudo pipx ensurepath --global' to install steps; drop the '(Linux 5.8+)' qualifier since we use newer libbpf/CO-RE features; generalize the webui screenshot caption - docs/index.md: add 'sudo pipx ensurepath --global' to install steps - docs/how-it-works.md: rework the architecture diagram to flow top-down so it fits without sideways scroll - pages workflow: skip screenshot/video generation on docs pushes; the site only embeds release-asset URLs now

• Eric Lesiuta (26 May 26)

  update docs - refresh docs for v2.0.0 - attach curated screenshots on release - only connection table name is configurable for external db - switch site from jekyll-cayman to mkdocs-material - add Configuration, How it works, Database schema, Screenshots pages - bump tui.tape splash sleep 3s -> 6s so tui-executables.png renders the executable view instead of the splash

• Eric Lesiuta (26 May 26)

  security: harden log opens, sqlite readonly, and dropped-priv subprocesses - Open all log files under LOG_DIR with O_NOFOLLOW (new safe_log_open helper in utils.py used by flush_logs, secondary.run_secondary, cli error-log handler, and the picosnitch-top mon log / stderr redirect). Prevents a non-root user who owns LOG_DIR (via [data].owner) from swapping a log file for a symlink and having the root daemon append to an arbitrary path. - Pass fan_fd into run_fuse, run_notifications, run_virustotal and close it immediately so a dropped-privilege subprocess never holds a privileged fanotify handle (defense in depth; the kernel rechecks caps at event-fd creation today). - Reorder connect_db_readonly to try mode=ro first, then mode=ro&immutable=1, with plain RW only as a last-resort fallback, so read-only callers cannot accidentally obtain a writable handle.