#!/bin/bash

# Paths used to build the throw-away chroot.
SQUASH="/live/image/live/filesystem.squashfs"   # squashfs image mounted on ROFS
ROFS="/live/rofs"                               # read-only branch of the union
COW="/live/cow-unsafe"                          # tmpfs that receives all writes
CHROOT="/live/unsafe-chroot"                    # aufs union of COW over ROFS

# Account the browser runs as inside the chroot.
CLEARNET_USER="clearnet"

# Packages removed inside the chroot before the browser starts.
# Space-separated; the list is expanded unquoted where it is used.
OFFENDING_ADDONS="xul-ext-foxyproxy-standard xul-ext-torbutton"

# Tor state: the descriptors file is used as the "is Tor working" marker,
# and TOR_WORKING stays empty until that check sets it.
TOR_DIR="/var/lib/tor"
TOR_DESCRIPTORS="${TOR_DIR}/cached-descriptors"
TOR_WORKING=

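cleanup () {
    # Break down the chroot: kill every process still owned by
    # ${CLEARNET_USER}, unmount the chroot stack and remove the mount-point
    # directories.
    #
    # Globals: CLEARNET_USER, CHROOT, COW, ROFS (read)
    # Returns: the exit status of the final rmdir
    #
    # NOTE(review): both loops retry without an upper bound and discard all
    # output, so a process that survives pkill's default signal, or a mount
    # that stays busy, keeps this function waiting forever with nothing
    # shown to the user.
    local mnt

    while pgrep -u "${CLEARNET_USER}" &>/dev/null; do
        pkill -u "${CLEARNET_USER}" &>/dev/null
        sleep 1
    done

    # Unmount in the reverse of the order the script mounts them:
    # chroot/dev, chroot/proc, the aufs union, the tmpfs, the squashfs.
    for mnt in "${CHROOT}"{/dev,/proc,} "${COW}" "${ROFS}"; do
        while mountpoint "${mnt}" &>/dev/null; do
            umount "${mnt}" &>/dev/null
            sleep 1
        done
    done

    # rmdir only removes empty directories, so anything left mounted or
    # populated is not deleted.
    rmdir "${ROFS}" "${COW}" "${CHROOT}" &>/dev/null
}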

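error () {
    # Report a fatal error on stderr and in a zenity dialog, tear down the
    # chroot via cleanup, and exit with status 1.
    #
    # Arguments: $@ - words of the error message (joined with spaces)
    # Outputs:   "<script>: error: <message>" on stderr
    #
    # NOTE(review): the confirmation dialog in this file passes markup
    # (<b>, <i>) through zenity's --text, so a message containing '<' or
    # '&' may not render as written -- callers should pass plain text.
    local cli_text="${0}: error: ${*}"
    local dialog_text="${*}

Unsafe Browser will exit now."

    echo "${cli_text}" >&2
    zenity --error --title "" --text "${dialog_text}"
    # Always undo mounts and kill leftover processes before exiting.
    cleanup
    exit 1
}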

warning () {
    # Emit a non-fatal warning twice: as "<script>: warning: <message>" on
    # stderr and as a zenity warning dialog. The script keeps running.
    #
    # Arguments: $@ - words of the warning message (joined with spaces)
    # Returns:   the exit status of zenity
    local message="${@}"

    printf '%s: warning: %s\n' "${0}" "${message}" >&2
    zenity --warning --title "" --text "${message}"
}

# Ask for explicit confirmation before anything is set up: the dialog
# spells out that traffic from this browser is not anonymous. Any answer
# other than "yes" ends the script with status 0 and no side effects.
DIALOG_TEXT="<b>Do you really want to launch the Unsafe Browser?</b>

Any activity within the Unsafe Browser will <i>not</i> be anonymous. This may be necessary if you have to login or register in order to activate your Internet connection."
zenity --question --title "" --text "${DIALOG_TEXT}" || exit 0

# Set $TOR_WORKING to non-empty iff Tor is working right now. The value is
# read again at the end of the script to decide whether Tor must be
# restarted (a captive portal may have prevented Tor from bootstrapping,
# and a restart is the fastest way to get wheels turning).
#
# The test is only the existence of the cached descriptors file.
# FIXME: how to determine this reliably? this approach doesn't work
# if $TOR_DIR is persistent
# FIXME: the approach is stolen from is_tor_working() in the 20-time
# NM hook -- we should move things like this to a shell script library
if [[ -e "${TOR_DESCRIPTORS}" ]]; then
    TOR_WORKING="yes"
fi

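# Get the DNS servers that were obtained through DHCP from NetworkManager,
# if any...
#
# NOTE(review): sourcing runs every line of ${NM_ENV} as shell code with
# this script's privileges. Who writes that file, and how DHCP-supplied
# values are quoted in it, is not visible here -- confirm that the writer
# sanitises them and that the file is not writable by unprivileged users.
NM_ENV=/var/lib/NetworkManager/env
# Start from an empty value so the server list can only come from the
# file, never from a variable inherited through the caller's environment.
DHCP4_DOMAIN_NAME_SERVERS=""
if [ -r "${NM_ENV}" ]; then
    . "${NM_ENV}"
fi
# ... otherwise fail.
# FIXME: Or would it make sense to fallback to Google's DNS or OpenDNS?
# Some stupid captive portals may allow DNS to any host, but chances are
# that only the portal's DNS would forward to the login page.
if [ -z "${DHCP4_DOMAIN_NAME_SERVERS}" ]; then
    error "No DNS server was obtained through DHCP."
fi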

# Tear the chroot down when the user interrupts the script.
# NOTE(review): only SIGINT is trapped, so other signals (e.g. SIGTERM or
# SIGHUP) leave the mounts and any clearnet processes behind. cleanup does
# not exit, so after the handler returns the script carries on with the
# next command.
trap cleanup SIGINT

# Setup a chroot on an aufs "fork" of the filesystem: the squashfs image is
# the read-only branch, a tmpfs takes all writes, and the union of the two
# becomes the chroot's root.
# FIXME: When LXC matures to the point where it becomes a viable option
# for creating isolated jails, the chroot can be used as its rootfs.
#
# NOTE(review): the host's /dev is bind-mounted into the chroot, so device
# nodes are reachable from inside it, subject to their permissions. The
# isolation rests on the browser running as ${CLEARNET_USER}, not on the
# chroot itself.
#
# Every step runs only if the previous one succeeded; the first failure
# aborts through error(), which also undoes whatever was already mounted.
if ! {
    mkdir -p "${ROFS}" "${COW}" "${CHROOT}" &&
    mount -t squashfs -o loop "${SQUASH}" "${ROFS}" &&
    mount -t tmpfs tmpfs "${COW}" &&
    mount -t aufs -o "noatime,noxino,dirs=${COW}=rw:${ROFS}=rr+wh" aufs "${CHROOT}" &&
    mount -t proc proc "${CHROOT}/proc" &&
    mount --bind /dev "${CHROOT}/dev"
}; then
    error "Failed to setup chroot"
fi

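# Set the chroot's DNS servers to those obtained through DHCP.
#
# The server list originates from the network (DHCP), so it is treated as
# untrusted: only entries shaped like a dotted-quad IPv4 address are
# written, which keeps stray characters or extra directives out of the
# chroot's resolv.conf. The pattern is a syntactic check only (it does not
# range-check each octet).
#
# ${CHROOT:?} aborts instead of touching the host's /etc/resolv.conf should
# CHROOT ever be empty.
rm -f "${CHROOT:?}/etc/resolv.conf"
IPV4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
# read -a splits on whitespace (newlines included, thanks to -d '') without
# the pathname expansion an unquoted "for NS in ${...}" would perform.
read -r -d '' -a NAMESERVERS <<< "${DHCP4_DOMAIN_NAME_SERVERS}"
for NS in "${NAMESERVERS[@]}"; do
    if [[ "${NS}" =~ ${IPV4_RE} ]]; then
        echo "nameserver ${NS}" >> "${CHROOT}/etc/resolv.conf"
    else
        # %q keeps control characters in the rejected value off the terminal.
        printf '%s: warning: ignoring malformed DNS server entry %q\n' \
            "${0}" "${NS}" >&2
    fi
done
# Without at least one usable server the browser could not resolve the
# captive portal, so stop here (error() also tears the chroot down).
if [ ! -s "${CHROOT}/etc/resolv.conf" ]; then
    error "No valid DNS server was obtained through DHCP."
fi
chmod a+r "${CHROOT}/etc/resolv.conf"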

# Disable problematic Iceweasel addons and proxying in the chroot.
#
# ${OFFENDING_ADDONS} is left unquoted on purpose: it holds a
# space-separated package list that must split into separate arguments.
# NOTE(review): apt-get's output and exit status are discarded, so a failed
# removal goes unnoticed; the proxy preference below is applied regardless.
chroot "${CHROOT}" apt-get remove --yes ${OFFENDING_ADDONS} &>/dev/null

# Drop any existing network.proxy.type line, then append one that selects
# "no proxy" (type 0) so the browser connects directly.
sed -i '/^pref("network.proxy.type",/d' "${CHROOT}/etc/iceweasel/pref/iceweasel.js"
echo 'pref("network.proxy.type", 0);' >> "${CHROOT}/etc/iceweasel/pref/iceweasel.js"

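# Start Iceweasel in the chroot.
#
# xhost is run as the user who invoked sudo, i.e. the owner of the X
# session. If SUDO_USER were empty, "sudo -u" would take the following word
# as the user name, so fail cleanly instead.
if [ -z "${SUDO_USER}" ]; then
    error "SUDO_USER is not set; this script must be started through sudo."
fi

# Let processes running as ${CLEARNET_USER} connect to the X server for as
# long as the browser runs.
# NOTE(review): clients on the same X display are not isolated from one
# another, so this grant widens what a compromised browser could reach;
# it is revoked as soon as the browser exits. cleanup does not revoke it --
# only the xhost line after the browser does.
sudo -u "${SUDO_USER}" xhost "+SI:localuser:${CLEARNET_USER}" &>/dev/null
chroot "${CHROOT}" sudo -u "${CLEARNET_USER}" iceweasel -DISPLAY=:0.0
sudo -u "${SUDO_USER}" xhost "-SI:localuser:${CLEARNET_USER}" &>/dev/null

cleanup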

# Restart Tor if it wasn't working when the Unsafe Browser was started
# (TOR_WORKING was left empty by the descriptors check near the top).
if [[ -z "${TOR_WORKING}" ]]; then
    service tor restart &>/dev/null

    # Poll once a second until something accepts connections on
    # localhost:9051 (presumably Tor's control port -- confirm).
    # NOTE(review): there is no timeout; if Tor never comes up this waits
    # forever.
    while ! nc -z localhost 9051 &>/dev/null; do
        sleep 1
    done

    # Re-run the NetworkManager dispatcher hook by hand, as if the
    # "clearnet" interface had just come up.
    /etc/NetworkManager/dispatcher.d/60-vidalia.sh clearnet up &>/dev/null
fi

exit 0