
Merge remote-tracking branch 'origin/web/release-4.17'

parents ee4c43dd 7cbec99a
......@@ -21,7 +21,7 @@ AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC spl
AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
# Kernel version
KERNEL_VERSION='5.10.0-3'
KERNEL_VERSION='5.10.0-0.bpo.3'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
......@@ -68,7 +68,7 @@ Pin: release o=Debian,n=buster-backports
Pin-Priority: 999
Package: linux-compiler-* linux-headers-* linux-image-* linux-kbuild-* linux-source-*
Pin: release o=Debian,n=bullseye
Pin: release o=Debian,n=buster-backports
Pin-Priority: 999
Explanation: src:live-boot (#15477)
......
......@@ -15,6 +15,7 @@ systemctl enable tails-allow-external-TailsData-access.service
systemctl enable tails-synchronize-data-to-new-persistent-volume-on-shutdown.service
systemctl enable tails-autotest-broken-Xorg.service
systemctl enable tails-autotest-remote-shell.service
systemctl enable tails-create-netns.service
systemctl enable tails-remove-overlayfs-dirs.service
systemctl enable tails-set-wireless-devices-state.service
systemctl enable tails-shutdown-on-media-removal.service
......@@ -34,6 +35,7 @@ systemctl --global enable tails-security-check.service
systemctl --global enable tails-upgrade-frontend.service
systemctl --global enable tails-virt-notify-user.service
systemctl --global enable tails-wait-until-tor-has-bootstrapped.service
systemctl --global enable tails-a11y-proxy-netns@onioncircs.service
# Use socket activation only, to delay the startup of cupsd.
# In practice, this means that cupsd is started during
......
......@@ -4,6 +4,15 @@ set -e
echo "Generating blocklist for all network devices"
is_allowed() {
mod="$(basename "$1" .ko)"
shift
# the heredoc is the allowlist
grep -qwF "$mod" <<END
veth
END
}
is_net_module() {
# Here we assume that if any of the patterns below are matched, it
# is a network driver. This is not comprehensive, but should be
......@@ -14,11 +23,18 @@ is_net_module() {
-e "^depends:\s*(cfg|lib|mac)80211" \
-e "^parm:\s*ifname:"
}
net_module_filter() {
local path
while read path; do
if is_net_module "${path}"; then
if ! is_allowed "${path}" && is_net_module "${path}"; then
echo "${path}"
fi
done
}
remove_allowlist_filter() {
local path
while read path; do
if ! is_allowed "${path}"; then
echo "${path}"
fi
done
......@@ -37,6 +53,7 @@ BLACKLIST=/etc/modprobe.d/all-net-blacklist.conf
(
find /lib/modules/*/kernel/drivers/net -name "*.ko" | \
remove_allowlist_filter | \
generate_blocking_line && \
# Let's try to find the network drivers in the staging directory as well
......
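Review bot: `is_allowed` matches the allowlist with `grep -qwF "$mod"`, which is looser than needed (word match rather than whole-line match) and would misparse a name beginning with `-`; `grep -qxF -- "$mod" <<END` is stricter and safer. The `shift` after `mod=` is dead, since nothing reads the remaining arguments afterwards. `net_module_filter` now inlines `! is_allowed` while the new `remove_allowlist_filter` performs the same check, so one of the two is redundant; whichever stays should explain why `veth` is the sole allowed network module, e.g. `# veth is allowed so tails-create-netns can build its namespaces even with all networking blocked` (inferred from the netns work elsewhere in this commit — confirm). The body of `is_net_module` continues outside this hunk.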
......@@ -18,6 +18,12 @@ domain ip {
# Traffic on the loopback interface is accepted.
interface lo ACCEPT;
# netns configuration; see config/chroot_local-includes/usr/local/lib/tails-create-netns
interface veth-tbb saddr 10.200.1.2 daddr 10.200.1.1 proto tcp mod multiport destination-ports (9050 9051) ACCEPT;
interface veth-onioncircs saddr 10.200.1.6 daddr 10.200.1.5 proto tcp mod multiport destination-ports (9051) ACCEPT;
interface veth-torlaunch saddr 10.200.1.10 daddr 10.200.1.9 proto tcp mod multiport destination-ports (9051) ACCEPT;
interface veth-onionshare saddr 10.200.1.14 daddr 10.200.1.13 proto tcp mod multiport destination-ports (9050 9051) ACCEPT;
}
chain OUTPUT {
......
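Review bot: The four accept rules hard-code the netns addresses and ports without saying what listens on 9050/9051, and the torrc in this same commit moves ControlPort to 9052 and SocksPort to 9150, so a reader cannot tell from here which service 9051 is (presumably onion-grater's filtered control port and 9050 a Tor SocksPort — confirm). Add a comment after the existing one such as `# 9050: Tor SocksPort, 9051: onion-grater (filtered ControlPort); addresses must match the /30s in tails-create-netns`. The `saddr` match is only trustworthy because tails-create-netns rejects spoofed sources inside each netns, which is worth stating next to the rules. The enclosing chain starts outside this hunk.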
---
- apparmor-profiles:
- '/usr/bin/onioncircuits'
users:
- 'amnesia'
- hosts:
- '10.200.1.6'
commands:
GETINFO:
- 'version'
......
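Review bot: The `hosts: ['10.200.1.6']` entry grants GETINFO access to anything whose source address is the onioncircs netns guest, i.e. to every process running in that namespace rather than to `/usr/bin/onioncircuits` specifically, and its safety rests on tails-create-netns rejecting spoofed sources and on ferm matching the veth interface. Add a comment above the entry stating that, e.g. `# 10.200.1.6 is the onioncircs netns guest (see tails-create-netns); this trusts every process in that netns`. Whether the `apparmor-profiles` entry still matches once the client runs inside the netns and bwrap is not visible here — confirm, otherwise it is dead configuration.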
amnesia ALL = NOPASSWD: /usr/local/bin/onioncircuits ""
......@@ -2,8 +2,9 @@ Cmnd_Alias INSTALL_IUK = /bin/dd, /bin/mount, /bin/umount, /bin/rm, /lib/live/mo
Cmnd_Alias IUK_GET_TARGET_FILE = /usr/local/bin/tails-iuk-get-target-file
Cmnd_Alias UPGRADE_FRONTEND = /usr/local/bin/tails-upgrade-frontend ""
Defaults!IUK_GET_TARGET_FILE env_keep+="HARNESS_ACTIVE DISABLE_PROXY"
Defaults!UPGRADE_FRONTEND env_keep+="DISABLE_PROXY SSL_NO_VERIFY"
## Settings that might be useful for developers
# Defaults!IUK_GET_TARGET_FILE env_keep+="HARNESS_ACTIVE DISABLE_PROXY"
# Defaults!UPGRADE_FRONTEND env_keep+="DISABLE_PROXY"
amnesia ALL = (tails-upgrade-frontend) NOPASSWD: UPGRADE_FRONTEND
tails-upgrade-frontend ALL = NOPASSWD: /usr/local/bin/tails-shutdown-network ""
......
......@@ -7,8 +7,7 @@ SocksPort 127.0.0.1:9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
ControlPort 9052
ControlListenAddress 127.0.0.1
ControlPort 127.0.0.1:9052
## Torified DNS
DNSPort 5353
......@@ -16,16 +15,11 @@ AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
## Transparent proxy
TransPort 9040
TransListenAddress 127.0.0.1
TransPort 127.0.0.1:9040
## Misc
AvoidDiskWrites 1
## We don't care if applications do their own DNS lookups since our Tor
## enforcement will handle it safely.
WarnUnsafeSocks 0
## Disable default warnings on StartTLS for email. Let's not train our
## users to click through security warnings.
WarnPlaintextPorts 23,109
......
......@@ -4,7 +4,7 @@ Documentation=https://tails.boum.org/contribute/design/
[Service]
Type=simple
ExecStart=/usr/local/lib/onion-grater
ExecStart=/usr/local/lib/onion-grater --listen-address 0.0.0.0
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYS_PTRACE
PrivateDevices=yes
PrivateTmp=yes
......
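Review bot: Binding onion-grater with `--listen-address 0.0.0.0` exposes the control-port filter on every IPv4 interface, including the real network interface(s), and leaves reachability entirely to the ferm rules; binding only to 127.0.0.1 plus the veth host addresses (10.200.1.1, .5, .9, .13 per tails-create-netns) would keep the listener itself minimal. If `--listen-address` accepts a single address only, add a comment here recording that the firewall is what restricts the wildcard, e.g. `# 0.0.0.0 so the netns veths can reach it; ferm limits it to the veth-* interfaces`. The unit's `CapabilityBoundingSet`/`Private*` hardening is unchanged and unaffected.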
[Unit]
Description=Prepare network namespaces
Documentation=https://gitlab.tails.boum.org/tails/tails/-/issues/18123
Wants=network.target
Before=network.target
Before=NetworkManager.service
Before=onion-grater.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/lib/tails-create-netns start
ExecStop=/usr/local/lib/tails-create-netns stop
[Install]
WantedBy=sysinit.target
#!/usr/bin/python3
import os
import shlex
import subprocess
def _gnome_sh_wrapper(cmd):
def _gnome_sh_wrapper(cmd) -> str:
command = shlex.split(
"env -i sh -c '. {lib} && {cmd}'".format(lib=GNOME_SH_PATH, cmd=cmd)
)
......@@ -13,7 +12,8 @@ def _gnome_sh_wrapper(cmd):
GNOME_SH_PATH = "/usr/local/lib/tails-shell-library/gnome.sh"
GNOME_ENV_VARS = _gnome_sh_wrapper("echo ${GNOME_ENV_VARS}").strip().split()
def gnome_env_vars():
def gnome_env_vars() -> list:
ret = []
for line in _gnome_sh_wrapper("export_gnome_env && env").split("\n"):
(key, _, value) = line.rstrip().partition("=")
......
[Unit]
Description=Proxy AT-SPI bus inside a netns
After=at-spi-dbus-bus.service
Requires=at-spi-dbus-bus.service
[Service]
Type=notify
NotifyAccess=all
ExecStart=/usr/local/bin/a11y-proxy-netns --log-level DEBUG %i
ExecStop=/bin/kill -INT $MAINPID
[Install]
WantedBy=desktop.target
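Review bot: `--log-level DEBUG` is hard-coded in `ExecStart`, so every run logs at debug level to the user journal, including the AT-SPI bus address the script prints at debug; drop the flag here and let the script's default decide, or make that default `INFO`. `NotifyAccess=all` is required because readiness is sent by a child `systemd-notify` process rather than the main PID; a comment `# NotifyAccess=all: readiness comes from a child systemd-notify process` would stop the next reader from tightening it to `main`.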
#!/usr/bin/python3
import os.path
import time
import subprocess
from logging import getLogger, basicConfig
from argparse import ArgumentParser
import dbus
log = getLogger(os.path.basename(__file__))
def get_parser():
p = ArgumentParser()
p.add_argument(
"--log-level", choices=["DEBUG", "INFO", "WARNING", "ERROR"], default="DEBUG"
)
p.add_argument("netns")
return p
def get_bus() -> str:
bus = dbus.SessionBus()
obj = bus.get_object("org.a11y.Bus", "/org/a11y/bus")
iface = dbus.Interface(obj, dbus_interface="org.a11y.Bus")
response = iface.GetAddress()
return str(response)
def netns_exists(name: str) -> bool:
return os.path.exists(os.path.join("/var/run/netns", name))
def wait_netns(name: str, sleep_time=1):
notified = False
while not netns_exists(name):
if not notified:
log.info("Waiting for netns %s to be ready", name)
time.sleep(1)
def systemd_ready():
try:
# XXX: discard stdout/stderr
subprocess.Popen(["systemd-notify", "--ready"])
except FileNotFoundError:
# systemd not installed
pass
else:
log.info("systemd was notified")
def main():
args = get_parser().parse_args()
basicConfig(level=args.log_level)
wait_netns(args.netns)
log.debug("get address")
at_bus_address = get_bus()
log.debug("address got! %s", at_bus_address)
dirname = os.path.join("/tmp/netns-specific/", args.netns)
os.makedirs(dirname, exist_ok=True)
dest_bus_path = os.path.join(dirname, "at.sock")
log.debug("Binding at %s", dest_bus_path)
if os.path.exists(dest_bus_path):
os.unlink(dest_bus_path)
args = ["xdg-dbus-proxy", at_bus_address, dest_bus_path]
log.debug("Running %r", args)
# we fork-exec to handle systemd notifications. though not strictly needed, they are nice!
p = subprocess.Popen(args)
log.debug("Started!")
# XXX: we could wait for dest_bus_path to appear, before signaling us ready.
systemd_ready()
try:
p.communicate()
except KeyboardInterrupt:
# this except clause will handle SIGINT, but not other signals
# we should probably explicitly do that!
p.kill()
log.debug("Killed %s", args[0])
return
if __name__ == "__main__":
main()
#!/usr/bin/env python3
import os
import logging
from tailslib.gnome import gnome_env_vars
def run_in_netns(*args, netns, user="amnesia"):
# base bwrap sharing most of the system
bwrap = ["bwrap", "--bind", "/", "/", "--proc", "/proc", "--dev", "/dev"]
# passes data to us
bwrap += [
"--bind",
os.path.join("/tmp/netns-specific/", netns),
"/tmp/shared-with-me/",
]
# hide data not for us
bwrap += ["--tmpfs", "/tmp/netns-specific/"]
cmd = [
"/bin/ip",
"netns",
"exec",
netns,
"/sbin/runuser",
"-u",
user,
"--",
*bwrap,
"/usr/bin/env",
*gnome_env_vars(),
"AT_SPI_BUS_ADDRESS=unix:path=/tmp/shared-with-me/at.sock",
*args,
]
logging.info("Running %s", cmd)
os.execvp(cmd[0], cmd)
def drop_and_run():
run_in_netns("/usr/bin/onioncircuits", netns="onioncircs")
def main():
if os.getuid() == 0:
drop_and_run()
else:
os.execlp("sudo", "sudo", "--non-interactive", "/usr/local/bin/onioncircuits")
if __name__ == "__main__":
logging.basicConfig(level=logging.INFO)
main()
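Review bot: `bwrap --bind / /` gives the confined process the full root filesystem read-write plus `/proc` and `/dev`, so the only things this sandbox isolates are the network namespace and the `/tmp/netns-specific` directory; a reader may assume more, so add `# bwrap is used only to re-map /tmp/netns-specific; it is NOT a filesystem sandbox` above the `bwrap` list. `AT_SPI_BUS_ADDRESS` and every GNOME variable are passed on the `env` command line and then logged with `logging.info`, so they appear in `ps` output and the journal; logging at debug level, or only the part after `--`, would avoid that. `gnome_env_vars()` runs as root inside `drop_and_run`, so which user's session it reads depends on `gnome.sh`, which is outside this file — confirm it resolves the `amnesia` session rather than root's.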
......@@ -43,6 +43,7 @@ mkdir -p /mnt/live/run
# Finally, really unmount relevant filesystems
/bin/umount /oldroot
/bin/umount /mnt/live/medium
# Debugging
/bin/mount
......
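Review bot: The added `# Debugging` / `/bin/mount` prints the whole mount table on every run and reads like a leftover; either drop it or gate it, e.g. `if [ -n "${DEBUG:-}" ]; then /bin/mount; fi`. The enclosing script continues outside this hunk.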
#!/bin/sh
#ns=tbbNs
guestVeth="veth0"
set -ue
increment_ip_address() {
echo "$1" | \
python3 -c 'base, host = input().rsplit(".", 1); print("%s.%s" % (base, int(host)+1))'
}
decrement_ip_address() {
echo "$1" | \
python3 -c 'base, host = input().rsplit(".", 1); print("%s.%s" % (base, int(host)-1))'
}
get_netns_guest_address() {
ns="$1"
ip netns exec "$ns" ip -4 a show dev "$guestVeth" | grep -Po 'inet \K[\d.]+'
}
get_netns_host_address() {
ns="$1"
decrement_ip_address "$(get_netns_guest_address "$ns")"
}
expose() {
if [ $# -ne 3 ]
then
echo 'Wrong expose usage' >&2
exit 2
fi
ns="$1"
guestPort="$2"
hostPort="$3"
hostAddress="$(get_netns_host_address "$ns")"
guestAddress="$(get_netns_guest_address "$ns")"
hostVeth="veth-${ns}"
# $1 is netNs name
# $2 is netNs port
# $3 is host port
ip netns exec "$ns" iptables -t nat \
-A OUTPUT -o lo -d 127.0.0.1 -p tcp --dport "$guestPort" \
-j DNAT --to-destination "$hostAddress:$hostPort"
}
delete_netns() {
# $1 = netns basename
basename="$1"
nsName="${basename}"
hostVeth="veth-${basename}"
ip link del "$hostVeth" || true
ip netns del "$nsName" || true
}
create_netns() {
# $1 = netns basename
# $2 = first address; implies /30
if ! [ $# -eq 2 ]; then
echo "Wrong usage for create_netns" >&2
exit 2
fi
basename="$1"
hostAddress="$2"
netmask=30
nsName="${basename}"
hostVeth="veth-${basename}"
if [ "${#hostVeth}" -ge 16 ]
then
echo "netns name too long '${hostVeth}'; it would have a veth name >= 16"
exit 2
fi
guestAddress="$(increment_ip_address "$hostAddress")"
ip netns add "$nsName"
# create veth
ip netns exec "$nsName" ip link set dev lo up
ip link add "$hostVeth" type veth peer name "$guestVeth"
# setup veth
ip link set veth0 netns "$nsName"
ip addr add "${hostAddress}/$netmask" dev "$hostVeth"
ip link set dev "$hostVeth" up
ip netns exec "$nsName" ip addr add "${guestAddress}/$netmask" dev "$guestVeth"
ip netns exec "$nsName" ip link set dev "$guestVeth" up
# setup iptables
## forbid IP spoofing
ip netns exec "$nsName" iptables -A OUTPUT -o veth0 ! --src "$guestAddress" -j REJECT
ip netns exec "$nsName" sysctl net.ipv4.ip_forward=0
ip netns exec "$nsName" sysctl net.ipv4.conf.all.forwarding=0
ip netns exec "$nsName" sysctl net.ipv4.conf.lo.forwarding=0
ip netns exec "$nsName" sysctl net.ipv4.conf.all.route_localnet=1
ip netns exec "$nsName" iptables -t nat -A POSTROUTING -j MASQUERADE
sysctl net.ipv4.ip_forward=0
sysctl net.ipv4.conf.all.forwarding=0
sysctl "net.ipv4.conf.${hostVeth}.forwarding=0"
}
if [ "$#" -ne 1 ]
then
echo "Wrong usage: $0 start|stop" >&2
exit 2
fi
if [ "$1" = stop ]
then
delete_netns tbb
delete_netns onioncircs
delete_netns torlaunch
delete_netns onionshare
exit
fi
if [ "$1" = start ]
then
modprobe veth
modprobe xt_MASQUERADE
modprobe xt_nat
netBase='10.200.1'
create_netns tbb "${netBase}.1"
create_netns onioncircs "${netBase}.5"
create_netns torlaunch "${netBase}.9"
create_netns onionshare "${netBase}.13"
# Exposing specific services to applications confined in netns
expose tbb 9050 9050
expose tbb 9051 9051
expose onioncircs 9051 9051
expose torlaunch 9051 9051
expose onionshare 9050 9050
expose onionshare 9051 9051
fi
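Review bot: `create_netns` moves the guest end with the literal `ip link set veth0 netns "$nsName"` and the anti-spoof rule uses `-o veth0`, while the rest of the function uses `$guestVeth`; write `ip link set "$guestVeth" netns "$nsName"` and `-o "$guestVeth"` so a rename cannot silently break either. Nothing disables IPv6 on the veth pair, so both ends get link-local addresses and the in-netns anti-spoof and MASQUERADE rules (IPv4 `iptables` only) do not cover that path; whether the host firewall drops it is outside this file, so add `sysctl "net.ipv6.conf.${hostVeth}.disable_ipv6=1"` and the equivalent for `$guestVeth` inside the netns. In `expose`, `guestAddress` and `hostVeth` are assigned but never used, and `start` is not idempotent (`ip netns add` fails under `set -e` if the namespace exists), so either run the stop path first or document the script as single-shot.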