Commit 88c5ef7e authored by anonym's avatar anonym
Browse files

Unsafe Browser: set up networking via a new namespace.

Networking is now fully functional! But for some reason accessibility
is now broken. :/
parent 327dff5b
......@@ -265,8 +265,35 @@ run_browser_in_chroot () {
local wm_class="${5}"
local profile="$(browser_profile_dir ${browser_name} ${chroot_user})"
# Here we set up a network namespace, linking it with the host
# network namespace via two virtual interfaces, and we enable NAT
# so we can reach the clearnet.
# XXX: we'll use 10.123.42.0/24 for the two devices, with the hope
# that nothing else will interfere with this range.
if [ ! -e /var/run/netns/clearnet ]; then
ip netns add clearnet
ip netns exec clearnet ip link set lo up
ip link add veth-host type veth peer name veth-clearnet
ip link set veth-clearnet netns clearnet
ip addr add 10.123.42.1/24 dev veth-host
ip netns exec clearnet ip addr add 10.123.42.2/24 dev veth-clearnet
ip link set veth-host up
ip netns exec clearnet ip link set veth-clearnet up
ip netns exec clearnet ip route add default via 10.123.42.1
fi
# XXX: we could probably lock the iptables rules down more,
# e.g. DNS + TCP only.
# XXX: these rules must be made persistent, otherwise NAT will
# break if an interface is up:ed while the Unsafe Browser is
# running due to the 00-firewall.sh NetworkManager hook.
iptables -A FORWARD -i veth-host -j ACCEPT
iptables -A FORWARD -o veth-host -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.123.42.2/24 -j MASQUERADE
sysctl net.ipv4.ip_forward=1
systemd-nspawn --directory="${chroot}" \
--bind=/tmp/.X11-unix \
--network-namespace-path=/var/run/netns/clearnet \
--user="${chroot_user}" \
--setenv=TOR_TRANSPROXY=1 \
--setenv=DISPLAY=$DISPLAY \
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment