Commit 16b3d9dc authored by intrigeri's avatar intrigeri

Remove the restricted network detector.

As explained on https://labs.riseup.net/code/issues/8328#note-5, it's
been broken for 16 months, it is still broken after the partial fix that
went in Tails 1.6, and the logic on which the detector is based cannot
work anymore. Reintroducing and porting this feature is now tracked
on #10560.

Closes: #8328
Refs: #10560
parent ee67ef32
[Unit]
Description=Detect restricted networks that may block spoofed MAC addresses
Documentation=https://tails.boum.org/contribute/design/MAC_address/
[Service]
Type=simple
EnvironmentFile=/var/lib/gdm3/tails.physical_security
ExecStartPre=/bin/sh -c '[ "${TAILS_MACSPOOF_ENABLED}" = true ]'
ExecStart=/bin/sh -c 'journalctl \
--unit=NetworkManager.service \
--output=json-pretty --follow \
| jq \
--monochrome-output --unbuffered --raw-output \
.MESSAGE \
| /usr/local/sbin/tails-restricted-network-detector'
CapabilityBoundingSet=~CAP_SYS_ADMIN
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
[Unit] [Unit]
Description=Unblock network device drivers Description=Unblock network device drivers
Documentation=https://tails.boum.org/contribute/design/MAC_address/ Documentation=https://tails.boum.org/contribute/design/MAC_address/
# Note that we do *not* Requires=tails-restricted-network-detector.service,
# since that service fails to start unless MAC address spoofing is enabled.
After=tails-restricted-network-detector.service
[Service] [Service]
Type=oneshot Type=oneshot
#!/usr/bin/env perl
use strict;
use warnings;
#man{{{
=head1 NAME
tails-restricted-network-detector
=head1 VERSION
Version X.XX
=head1 AUTHOR
Tails dev team <tails@boum.org>
See https://tails.boum.org/.
=cut
#}}}
use IPC::System::Simple qw(runx);
use Locale::gettext;
use I18N::Langinfo qw{langinfo CODESET};
use Encode qw{decode find_encoding};
use POSIX;
setlocale(LC_MESSAGES, "");
textdomain("tails");
sub notify_maybe_blocked {
my $encoding = find_encoding(langinfo(CODESET()));
my $summary = $encoding->decode(gettext('Network connection blocked?'));
my $body = $encoding->decode(gettext(
'It looks like you are blocked from the network. This may be ' .
'related to the MAC spoofing feature. For more information, see the ' .
'<a href=\"file:///usr/share/doc/tails/website/doc/first_steps/' .
'startup_options/mac_spoofing.en.html#blocked\">MAC spoofing ' .
'documentation</a>.'));
# XXX: this script could now be run as a dedicated user whose only special
# privilege would be to run tails-notify-user.
# We can't use Desktop::Notify since this script is supposed to be run
# as root (for access to syslog), started in an env without DESKTOP etc,
# which also causes issues with opening links in the text body.
# All this works fine with tails-notify-user.
runx('/usr/local/sbin/tails-notify-user', ($summary, $body, '30000'));
}
my %state;
while(my $text = <STDIN>) {
if ($text =~ /Activation \(([^)]+)\) starting connection/) {
# The beginning of *all* (not only wireless) new
# connections. We drop any previous state so it won't
# interfere.
$state{$1} = "";
} elsif ($text =~ /\(([^)]+)\): supplicant (?:connection|interface) state: \S+ -> (\S+)/ ||
$text =~ /\(([^)]+)\): device state change: \S+ -> (\S+)/) {
# NetworkManager logs state transitions with the above
# messages, but the really important part is that we
# accurately log the state changes *to* and *from*
# "associating" (for the next case). Hence the safest bet
# seems to be to deal with all observed types of transitions
# that NetworkManager logs.
$state{$1} = $2;
} elsif ($text =~ /Activation \(([^)]+)\/[^)]*\): association took too long/) {
# Wireless connection failure. If it happens during
# "associating" it *may* indicate that the AP is blocking the
# MAC address in use.
if ($state{$1} eq "associating") {
notify_maybe_blocked();
}
}
}
#!/bin/sh #!/bin/sh
systemctl --no-block start tails-restricted-network-detector.service
systemctl start tails-unblock-network.service systemctl start tails-unblock-network.service
# Without this, network is sometimes not unblocked, probably due to some # Without this, network is sometimes not unblocked, probably due to some
...@@ -45,8 +45,6 @@ xclip ...@@ -45,8 +45,6 @@ xclip
libnotify-bin libnotify-bin
# needed by tails-documentation # needed by tails-documentation
yelp yelp
# for tails-restricted-network-detector-wrapper
jq
# needed by live-persist # needed by live-persist
acl acl
# needed by the Unsafe Browser # needed by the Unsafe Browser
...@@ -5,8 +5,7 @@ set -u ...@@ -5,8 +5,7 @@ set -u
PERL_PROGS="/usr/local/bin/gpgApplet /usr/local/bin/tails-security-check \ PERL_PROGS="/usr/local/bin/gpgApplet /usr/local/bin/tails-security-check \
/usr/local/bin/tails-htp-notify-user \ /usr/local/bin/tails-htp-notify-user \
/usr/local/bin/tails-virt-notify-user \ /usr/local/bin/tails-virt-notify-user"
/usr/local/sbin/tails-restricted-network-detector"
PYTHON_PROGS="/etc/whisperback/config.py \ PYTHON_PROGS="/etc/whisperback/config.py \
/usr/local/bin/tails-about /usr/local/sbin/tails-additional-software" /usr/local/bin/tails-about /usr/local/sbin/tails-additional-software"
SHELL_PROGS="/etc/NetworkManager/dispatcher.d/60-tor-ready.sh \ SHELL_PROGS="/etc/NetworkManager/dispatcher.d/60-tor-ready.sh \
...@@ -517,6 +517,11 @@ This section deals with AvoidConnectionProbs. The goal is to somehow ...@@ -517,6 +517,11 @@ This section deals with AvoidConnectionProbs. The goal is to somehow
identify connection errors that are related to MAC spoofing, and identify connection errors that are related to MAC spoofing, and
notify the user when this happens. notify the user when this happens.
**Note**: the implementation described below had to be disabled:
* [[!tails_ticket 8328#note-5]]
* [[!tails_ticket 10560]]
Due to lack of hooks into NetworkManager's connection error handling Due to lack of hooks into NetworkManager's connection error handling
we currently use a simple monitoring script that's started when MAC we currently use a simple monitoring script that's started when MAC
spoofing is enabled. It scans the NetworkManager unit's journal for spoofing is enabled. It scans the NetworkManager unit's journal for
...@@ -531,12 +536,3 @@ At the moment this script only deals with wireless connections. It ...@@ -531,12 +536,3 @@ At the moment this script only deals with wireless connections. It
successfully distinguishes between MAC-spoof related errors and errors successfully distinguishes between MAC-spoof related errors and errors
when entering the wrong passphrase, so no false positives in that when entering the wrong passphrase, so no false positives in that
(relatively common) case. (relatively common) case.
Scripts:
* [[!tails_gitweb config/chroot_local-includes/usr/local/sbin/tails-restricted-network-detector]]
* [[!tails_gitweb config/chroot_local-includes/lib/systemd/system/tails-restricted-network-detector.service]]
* [[!greeter_gitweb PostLogin.default]]
(`tails-restricted-network-detector` started from this script)