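#!/bin/sh

# NetworkManager dispatcher hook that starts Tor once a (non-loopback)
# interface comes up. We don't start Tor automatically so *this* is the
# time when it is supposed to start.
#
# Arguments (as passed by NetworkManager):
#   $1 - interface name
#   $2 - action ("up", "down", ...)
#
# Globals written: TOR_SYSTEMD_OVERRIDE_DIR, TOR_RESOLV_CONF_OVERRIDE,
#                  netconf

# Run only when the interface is not "lo":
if [ -z "$1" ] || [ "$1" = "lo" ]; then
    exit 0
fi

case "$2" in
    up)
        : # go on, that's what this script is for
        ;;
    down)
        # The interface went away: tell dependents that Tor is no longer
        # bootstrapped, without waiting for the stop job to complete.
        systemctl --no-block stop tails-tor-has-bootstrapped.target
        exit 0
        ;;
    *)
        # Any other action ("pre-up", "vpn-*", ...) is not our business.
        exit 0
        ;;
esac

# Import tor_control_setconf(), TOR_LOG
# (tor_control_getconf() and tor_set_in_torrc(), used below, are
# presumably defined here as well — TODO confirm)
. /usr/local/lib/tails-shell-library/tor.sh

# Import tails_netconf()
. /usr/local/lib/tails-shell-library/tails-greeter.sh

# Query the Greeter's network configuration once so that both decisions
# below (sandbox and transports/DNS override) are taken on the same value.
netconf="$(tails_netconf)"

# It's safest that Tor is not running when messing with its logs.
systemctl stop tor@default.service

# We depend on grepping stuff from the Tor log (especially for
# tordate/20-time.sh), so deleting it seems like a Good Thing(TM).
rm -f "${TOR_LOG}"

# The Tor syscall sandbox is not compatible with managed proxies.
# We could possibly detect whether the user has configured any such
# thing via Tor Launcher later (e.g. in 60-tor-ready.sh),
# but then we would have to restart Tor again to enable the sandbox.
# Let's avoid doing that, and enable the Sandbox only if no special Tor
# configuration is needed. Too bad users who simply need to configure
# a HTTP proxy or allowed firewall ports won't get the sandboxing, but
# much better than nothing.
#
# NOTE(review): nothing here clears a previously set "Sandbox 1" when
# netconf is *not* "direct"; presumably torrc is regenerated on every
# boot so this cannot persist across sessions — confirm.
if [ "${netconf}" = "direct" ]; then
    tor_set_in_torrc Sandbox 1
fi

# We would like Tor to be started during init time, even before the
# network is up, and then send it a SIGHUP here to make it start
# bootstrapping swiftly, but it doesn't work because of a bug in
# Tor. Details:
# * https://trac.torproject.org/projects/tor/ticket/1247
# * https://tails.boum.org/bugs/tor_vs_networkmanager/
# To work around this we restart Tor, in various ways, no matter the
# case below.
TOR_SYSTEMD_OVERRIDE_DIR="/lib/systemd/system/tor@default.service.d"
TOR_RESOLV_CONF_OVERRIDE="${TOR_SYSTEMD_OVERRIDE_DIR}/50-resolv-conf-override.conf"
readonly TOR_SYSTEMD_OVERRIDE_DIR TOR_RESOLV_CONF_OVERRIDE

if [ "${netconf}" = "obstacle" ]; then
    # Override /etc/resolv.conf for tor only, so it can use a clearnet
    # DNS server to resolve hostnames used for pluggable transport and
    # proxies. The drop-in is bind-mounted read-only into the tor
    # service's mount namespace only; the rest of the system keeps its
    # own /etc/resolv.conf.
    if [ ! -e "${TOR_RESOLV_CONF_OVERRIDE}" ]; then
        mkdir -p "${TOR_SYSTEMD_OVERRIDE_DIR}"
        # Quoted delimiter: the unit snippet is written literally, no
        # shell expansion takes place.
        cat > "${TOR_RESOLV_CONF_OVERRIDE}" <<'EOF'
[Service]
BindReadOnlyPaths=/etc/resolv-over-clearnet.conf:/etc/resolv.conf
EOF
        systemctl daemon-reload
    fi

    # We do not use restart-tor since it validates that bootstraping
    # succeeds. That cannot happen until Tor Launcher has started
    # (below) and the user is done configuring it.
    systemctl restart tor@default.service

    # Enable the transports we support. We cannot do this in general,
    # when bridge mode is not enabled, since we then use seccomp
    # sandboxing.
    tor_control_setconf 'ClientTransportPlugin="obfs2,obfs3,obfs4,meek_lite exec /usr/bin/obfs4proxy managed"'

    /usr/local/sbin/tails-tor-launcher &

    # Wait until the user has done the Tor Launcher configuration.
    # NOTE(review): this wait has no upper bound; if Tor Launcher exits
    # without ever enabling the network this hook never returns to
    # NetworkManager — consider bounding it.
    until [ "$(tor_control_getconf DisableNetwork)" = 0 ]; do
        sleep 1
    done
else
    # Not in "obstacle" mode: make sure a stale DNS override from an
    # earlier run does not leak a clearnet resolver into Tor.
    if [ -e "${TOR_RESOLV_CONF_OVERRIDE}" ]; then
        rm "${TOR_RESOLV_CONF_OVERRIDE}"
        systemctl daemon-reload
    fi

    # Backgrounded so this hook returns promptly; restart-tor (see the
    # comment in the other branch) waits for bootstrapping to succeed.
    ( restart-tor ) &
fi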