unsafe-browser 4.44 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
#!/bin/bash

SQUASH=/live/image/live/filesystem.squashfs
ROFS=/live/rofs
COW=/live/cow-unsafe
CHROOT=/live/unsafe-chroot
CLEARNET_USER=clearnet
OFFENDING_ADDONS="xul-ext-foxyproxy-standard xul-ext-torbutton"
TOR_DIR=/var/lib/tor
TOR_DESCRIPTORS=${TOR_DIR}/cached-descriptors
TOR_WORKING=""

cleanup () {
14
15
16
17
    # Break down the chroot and kill all of its processes
    local counter=0
    local ret=0
    while [ "${counter}" -le 10 ] && pgrep -u ${CLEARNET_USER} &>/dev/null; do
18
        pkill -u ${CLEARNET_USER} &>/dev/null
19
        ret=${?}
20
        sleep 1
21
        counter=$[${counter}+1]
22
    done
23
    [ ${ret} -eq 0 ] || pkill -9 -u ${CLEARNET_USER} &>/dev/null
24
    for mnt in ${CHROOT}{/dev,/proc,} ${COW} ${ROFS}; do
25
26
        counter=0
        while [ "${counter}" -le 10 ] && mountpoint ${mnt} &>/dev/null; do
27
28
            umount ${mnt} &>/dev/null
            sleep 1
29
            counter=$[${counter}+1]
30
31
32
33
34
35
        done
    done
    rmdir ${ROFS} ${COW} ${CHROOT} &>/dev/null
}

error () {
36
    local cli_text="${0}: error: ${@}"
Tails developers's avatar
Tails developers committed
37
    local dialog_text="${@}
38
39

Unsafe Browser will exit now."
40
41
    echo "${cli_text}" >&2
    zenity --error --title "" --text "${dialog_text}"
42
43
44
45
46
    cleanup
    exit 1
}

warning () {
47
48
49
    local text="${@}"
    echo "${0}: warning: ${text}" >&2
    zenity --warning --title "" --text "${text}"
50
51
}

52
53
54
verify_start () {
    # Make sure the user really wants to start the browser
    local dialog_msg="<b>Do you really want to launch the Unsafe Browser?</b>
55
56

Any activity within the Unsafe Browser will <i>not</i> be anonymous. This may be necessary if you have to login or register in order to activate your Internet connection."
57
58
59
60
    if ! zenity --question --title "" --text "${dialog_msg}"; then
        exit 0
    fi
}
61

62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
setup_chroot () {
    # Setup a chroot on an aufs "fork" of the filesystem.
    # FIXME: When LXC matures to the point where it becomes a viable option
    # for creating isolated jails, the chroot can be used as its rootfs.
    mkdir -p ${ROFS} ${COW} ${CHROOT} && \
    mount -t squashfs -o loop ${SQUASH} ${ROFS} && \
    mount -t tmpfs tmpfs ${COW} && \
    mount -t aufs -o noatime,noxino,dirs=${COW}=rw:${ROFS}=rr+wh aufs ${CHROOT} && \
    mount -t proc proc ${CHROOT}/proc && \
    mount --bind /dev ${CHROOT}/dev || error "Failed to setup chroot"
}

configure_chroot () {
    # Set the chroot's DNS servers to those obtained through DHCP
    rm -f ${CHROOT}/etc/resolv.conf
    for NS in ${DHCP4_DOMAIN_NAME_SERVERS}; do
        echo "nameserver ${NS}" >> ${CHROOT}/etc/resolv.conf
    done
    chmod a+r ${CHROOT}/etc/resolv.conf

    # Disable problematic Iceweasel addons and proxying in the chroot
    chroot ${CHROOT} apt-get remove --yes ${OFFENDING_ADDONS} &>/dev/null
    sed -i '/^pref("network.proxy.type",/d' \
        ${CHROOT}/etc/iceweasel/pref/iceweasel.js
    echo 'pref("network.proxy.type", 0);' >> \
        ${CHROOT}/etc/iceweasel/pref/iceweasel.js
}

start_browser_in_chroot () {
    # Start Iceweasel in the chroot
    sudo -u ${SUDO_USER} xhost +SI:localuser:${CLEARNET_USER} &>/dev/null
    chroot ${CHROOT} sudo -u ${CLEARNET_USER} iceweasel -DISPLAY=:0.0
    sudo -u ${SUDO_USER} xhost -SI:localuser:${CLEARNET_USER} &>/dev/null
}

tor_is_working() {
    # FIXME: the approach is stolen from is_tor_working() in the 20-time
    # NM hook -- we should move things like this to a shell script library
    # FIXME: how to determine this reliably? this approach doesn't work
    # if $TOR_DIR is persistent.
    [ -e $TOR_DESCRIPTORS ]
}

maybe_restart_tor () {
    # Restart Tor if it's not working (a captive portal may have prevented
    # Tor from bootstrapping, and a restart is the fastest way to get
    # wheels turning)
    if ! tor_is_working; then
        service tor restart &>/dev/null
        until nc -z localhost 9051 &>/dev/null; do sleep 1; done
        /etc/NetworkManager/dispatcher.d/60-vidalia.sh clearnet up &>/dev/null
    fi
}
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129

# Get the DNS servers that was obtained through DHCP from NetworkManager,
# if any...
NM_ENV=/var/lib/NetworkManager/env
if [ -r "${NM_ENV}" ]; then
    . ${NM_ENV}
fi
# ... otherwise fail.
# FIXME: Or would it make sense to fallback to Google's DNS or OpenDNS?
# Some stupid captive portals may allow DNS to any host, but chances are
# that only the portal's DNS would forward to the login page.
if [ -z "${DHCP4_DOMAIN_NAME_SERVERS}" ]; then
    error "No DNS server was obtained through DHCP."
fi

130
verify_start
131
trap cleanup SIGINT
132
133
134
setup_chroot
configure_chroot
start_browser_in_chroot
135
cleanup
136
maybe_restart_tor
137
138

exit 0