Unsafe Browser: set up networking via a new namespace.

Networking is now fully functional! But for some reason accessibility
is now broken. :/

config/chroot_local-includes/usr/local/lib/tails-shell-library/chroot-browser.sh

@@ -265,8 +265,35 @@ run_browser_in_chroot () {
     local wm_class="${5}"
     local profile="$(browser_profile_dir ${browser_name} ${chroot_user})"
 
+    # Here we set up a network namespace, linking it with the host
+    # network namespace via two virtual interfaces, and we enable NAT
+    # so we can reach the clearnet.
+    # XXX: we'll use 10.123.42.0/24 for the two devices, with the hope
+    # that nothing else will interfere with this range.
+    if [ ! -e /var/run/netns/clearnet ]; then
+        ip netns add clearnet
+        ip netns exec clearnet ip link set lo up
+        ip link add veth-host type veth peer name veth-clearnet
+        ip link set veth-clearnet netns clearnet
+        ip addr add 10.123.42.1/24 dev veth-host
+        ip netns exec clearnet ip addr add 10.123.42.2/24 dev veth-clearnet
+        ip link set veth-host up
+        ip netns exec clearnet ip link set veth-clearnet up
+        ip netns exec clearnet ip route add default via 10.123.42.1
+    fi
+    # XXX: we could probably lock the iptables rules down more,
+    # e.g. DNS + TCP only.
+    # XXX: these rules must be made persistent, otherwise NAT will
+    # break if an interface is up:ed while the Unsafe Browser is
+    # running due to the 00-firewall.sh NetworkManager hook.
+    iptables -A FORWARD -i veth-host -j ACCEPT
+    iptables -A FORWARD -o veth-host -j ACCEPT
+    iptables -t nat -A POSTROUTING -s 10.123.42.2/24 -j MASQUERADE
+    sysctl net.ipv4.ip_forward=1
+
     systemd-nspawn --directory="${chroot}" \
                    --bind=/tmp/.X11-unix \
+                   --network-namespace-path=/var/run/netns/clearnet \
                    --user="${chroot_user}" \
                    --setenv=TOR_TRANSPROXY=1 \
                    --setenv=DISPLAY=$DISPLAY \