Commit 16b3d9dc authored by intrigeri's avatar intrigeri

Remove the restricted network detector.

As explained on, it's
been broken for 16 months, it is still broken after the partial fix that
went in Tails 1.6, and the logic on which the detector is based cannot
work anymore. Reintroducing and porting this feature is now tracked
on #10560.

Closes: #8328
Refs: #10560
parent ee67ef32
Description=Detect restricted networks that may block spoofed MAC addresses
ExecStartPre=/bin/sh -c '[ "${TAILS_MACSPOOF_ENABLED}" = true ]'
ExecStart=/bin/sh -c 'journalctl \
--unit=NetworkManager.service \
--output=json-pretty --follow \
| jq \
--monochrome-output --unbuffered --raw-output \
| /usr/local/sbin/tails-restricted-network-detector'
Description=Unblock network device drivers
# Note that we do *not* Requires=tails-restricted-network-detector.service,
# since that service fails to start unless MAC address spoofing is enabled.
#!/usr/bin/env perl
use strict;
use warnings;
=head1 NAME
=head1 VERSION
Version X.XX
=head1 AUTHOR
Tails dev team <>
use IPC::System::Simple qw(runx);
use Locale::gettext;
use I18N::Langinfo qw{langinfo CODESET};
use Encode qw{decode find_encoding};
use POSIX;
setlocale(LC_MESSAGES, "");
sub notify_maybe_blocked {
my $encoding = find_encoding(langinfo(CODESET()));
my $summary = $encoding->decode(gettext('Network connection blocked?'));
my $body = $encoding->decode(gettext(
'It looks like you are blocked from the network. This may be ' .
'related to the MAC spoofing feature. For more information, see the ' .
'<a href=\"file:///usr/share/doc/tails/website/doc/first_steps/' .
'startup_options/mac_spoofing.en.html#blocked\">MAC spoofing ' .
# XXX: this script could now be run as a dedicated user whose only special
# privilege would be to run tails-notify-user.
# We can't use Desktop::Notify since this script is supposed to be run
# as root (for access to syslog), started in an env without DESKTOP etc,
# which also causes issues with opening links in the text body.
# All this works fine with tails-notify-user.
runx('/usr/local/sbin/tails-notify-user', ($summary, $body, '30000'));
my %state;
while(my $text = <STDIN>) {
if ($text =~ /Activation \(([^)]+)\) starting connection/) {
# The beginning of *all* (not only wireless) new
# connections. We drop any previous state so it won't
# interfere.
$state{$1} = "";
} elsif ($text =~ /\(([^)]+)\): supplicant (?:connection|interface) state: \S+ -> (\S+)/ ||
$text =~ /\(([^)]+)\): device state change: \S+ -> (\S+)/) {
# NetworkManager logs state transitions with the above
# messages, but the really important part is that we
# accurately log the state changes *to* and *from*
# "associating" (for the next case). Hence the safest bet
# seems to be to deal with all observed types of transitions
# that NetworkManager logs.
$state{$1} = $2;
} elsif ($text =~ /Activation \(([^)]+)\/[^)]*\): association took too long/) {
# Wireless connection failure. If it happens during
# "associating" it *may* indicate that the AP is blocking the
# MAC address in use.
if ($state{$1} eq "associating") {
systemctl --no-block start tails-restricted-network-detector.service
systemctl start tails-unblock-network.service
# Without this, network is sometimes not unblocked, probably due to some
......@@ -45,8 +45,6 @@ xclip
# needed by tails-documentation
# for tails-restricted-network-detector-wrapper
# needed by live-persist
# needed by the Unsafe Browser
......@@ -5,8 +5,7 @@ set -u
PERL_PROGS="/usr/local/bin/gpgApplet /usr/local/bin/tails-security-check \
/usr/local/bin/tails-htp-notify-user \
/usr/local/bin/tails-virt-notify-user \
PYTHON_PROGS="/etc/whisperback/ \
/usr/local/bin/tails-about /usr/local/sbin/tails-additional-software"
SHELL_PROGS="/etc/NetworkManager/dispatcher.d/ \
......@@ -517,6 +517,11 @@ This section deals with AvoidConnectionProbs. The goal is to somehow
identify connection errors that are related to MAC spoofing, and
notify the user when this happens.
**Note**: the implementation described below had to be disabled:
* [[!tails_ticket 8328#note-5]]
* [[!tails_ticket 10560]]
Due to lack of hooks into NetworkManager's connection error handling
we currently use a simple monitoring script that's started when MAC
spoofing is enabled. It scans the NetworkManager unit's journal for
......@@ -531,12 +536,3 @@ At the moment this script only deals with wireless connections. It
successfully distinguishes between MAC-spoof related errors and errors
when entering the wrong passphrase, so no false positives in that
(relatively common) case.
* [[!tails_gitweb config/chroot_local-includes/usr/local/sbin/tails-restricted-network-detector]]
* [[!tails_gitweb config/chroot_local-includes/lib/systemd/system/tails-restricted-network-detector.service]]
* [[!greeter_gitweb PostLogin.default]]
(`tails-restricted-network-detector` started from this script)
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment