Commit 1ef8d52f authored by anonym

Always start Tor Launcher (refs: #17330).

In other words, always enable what we used to call "bridge mode",
i.e. that tor won't touch the network until the user has configured it
via Tor Launcher.

This also includes changing Tails Greeter's Network Configuration
setting to only be about whether to enable or disable networking.
parent f379a901
......@@ -27,18 +27,6 @@ systemctl stop tor@default.service
# tordate/20-time.sh), so deleting it seems like a Good Thing(TM).
rm -f "${TOR_LOG}"
# The Tor syscall sandbox is not compatible with managed proxies.
# We could possibly detect whether the user has configured any such
# thing via Tor Launcher later (e.g. in 60-tor-ready.sh),
# but then we would have to restart Tor again to enable the sandbox.
# Let's avoid doing that, and enable the Sandbox only if no special Tor
# configuration is needed. Too bad users who simply need to configure
# a HTTP proxy or allowed firewall ports won't get the sandboxing, but
# much better than nothing.
if [ "$(tails_netconf)" = "direct" ]; then
tor_set_in_torrc Sandbox 1
fi
# We would like Tor to be started during init time, even before the
# network is up, and then send it a SIGHUP here to make it start
# bootstrapping swiftly, but it doesn't work because of a bug in
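Review bot: this deletion removes the only record of why the syscall sandbox was tied to the network configuration, and with it the fact that the `direct` case used to get `Sandbox 1`; the torrc comment that takes its place only says the sandbox is incompatible with managed proxies. Keep the second half of the rationale (that the sandbox was a deliberate per-mode choice and is now off for every session) in the design document or the commit message, because a reader of the new torrc alone cannot tell that a protection was given up here rather than never having existed.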
......@@ -49,39 +37,26 @@ fi
# case below.
TOR_SYSTEMD_OVERRIDE_DIR="/lib/systemd/system/tor@default.service.d"
TOR_RESOLV_CONF_OVERRIDE="${TOR_SYSTEMD_OVERRIDE_DIR}/50-resolv-conf-override.conf"
if [ "$(tails_netconf)" = "obstacle" ]; then
# Override /etc/resolv.conf for tor only, so it can use a clearnet
# DNS server to resolve hostnames used for pluggable transport and
# proxies.
if [ ! -e "${TOR_RESOLV_CONF_OVERRIDE}" ]; then
mkdir -p "${TOR_SYSTEMD_OVERRIDE_DIR}"
cat > "${TOR_RESOLV_CONF_OVERRIDE}" <<EOF
# Override /etc/resolv.conf for tor only, so it can use a clearnet
# DNS server to resolve hostnames used for pluggable transport and
# proxies.
if [ ! -e "${TOR_RESOLV_CONF_OVERRIDE}" ]; then
mkdir -p "${TOR_SYSTEMD_OVERRIDE_DIR}"
cat > "${TOR_RESOLV_CONF_OVERRIDE}" <<EOF
[Service]
BindReadOnlyPaths=/etc/resolv-over-clearnet.conf:/etc/resolv.conf
EOF
systemctl daemon-reload
fi
# We do not use restart-tor since it validates that bootstraping
# succeeds. That cannot happen until Tor Launcher has started
# (below) and the user is done configuring it.
systemctl restart tor@default.service
systemctl daemon-reload
fi
# Enable the transports we support. We cannot do this in general,
# when bridge mode is not enabled, since we then use seccomp
# sandboxing.
tor_control_setconf 'ClientTransportPlugin="obfs2,obfs3,obfs4,meek_lite exec /usr/bin/obfs4proxy managed"'
# We do not use restart-tor since it validates that bootstraping
# succeeds. That cannot happen until Tor Launcher has started
# (below) and the user is done configuring it.
systemctl restart tor@default.service
/usr/local/sbin/tails-tor-launcher &
/usr/local/sbin/tails-tor-launcher &
# Wait until the user has done the Tor Launcher configuration.
until [ "$(tor_control_getconf DisableNetwork)" = 0 ]; do
sleep 1
done
else
if [ -e "${TOR_RESOLV_CONF_OVERRIDE}" ]; then
rm "${TOR_RESOLV_CONF_OVERRIDE}"
systemctl daemon-reload
fi
( restart-tor ) &
fi
# Wait until the user has done the Tor Launcher configuration.
until [ "$(tor_control_getconf DisableNetwork)" = 0 ]; do
sleep 1
done
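Review bot: the `until [ "$(tor_control_getconf DisableNetwork)" = 0 ]; do sleep 1; done` loop now runs on every boot with networking enabled, not only in the old obstacle mode, and its only exit condition is Tor Launcher flipping `DisableNetwork`; if `tails-tor-launcher &` exits or is closed without applying a configuration, this dispatcher script sleeps forever. Consider also leaving the loop when the backgrounded launcher is gone (`kill -0 "$!"` fails) and decide what the script should do then. Two smaller points in the same hunk: with the resolv.conf override now written unconditionally, the `else` branch that removed `${TOR_RESOLV_CONF_OVERRIDE}` and reloaded systemd can go entirely; and the comment "We cannot do this in general, when bridge mode is not enabled, since we then use seccomp sandboxing" is stale once `ClientTransportPlugin` lives in torrc and `Sandbox 0` is unconditional, so make sure the `tor_control_setconf 'ClientTransportPlugin=...'` call does not survive alongside the torrc line. While here, "bootstraping" in the restart-tor comment wants a second p.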
......@@ -19,6 +19,13 @@ AutomapHostsSuffixes .exit,.onion
TransPort 9040
TransListenAddress 127.0.0.1
## Pluggable transports
ClientTransportPlugin obfs2,obfs3,obfs4,meek_lite exec /usr/bin/obfs4proxy managed
## The Tor syscall sandbox is not compatible with managed proxies,
## like we use for pluggable transports.
Sandbox 0
## Misc
AvoidDiskWrites 1
......@@ -34,3 +41,7 @@ WarnPlaintextPorts 23,109
## but we have some code that reads Tor's logs and only supports plaintext
## log files at the moment, so let's keep logging to a file.
Log notice file /var/log/tor/log
## Tor Launcher will enable the network access for Tor once the user
## has provided the configuration they desire.
DisableNetwork 1
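Review bot: with `DisableNetwork 1` baked into torrc, any later re-read of the configuration (a SIGHUP, `systemctl reload tor@default`, or the `restart-tor` helper the dispatcher script still mentions) puts `DisableNetwork` back to 1 unless Tor Launcher's `SETCONF` was persisted with `SAVECONF`, silently cutting Tor off after the user has already configured it. Confirm that nothing in the boot sequence or in tordate reloads or restarts tor after the launcher has set `DisableNetwork 0`, or note in the comment that Tor Launcher saves its configuration.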
......@@ -5,18 +5,12 @@ Documentation=https://tails.boum.org/contribute/design/MAC_address/
[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=/var/lib/gdm3/settings/tails.network
ExecStartPre=/bin/sh -c \
'if [ "${TAILS_NETCONF}" = "obstacle" ] ; then \
. /usr/local/lib/tails-shell-library/tor.sh ; \
tor_set_in_torrc "DisableNetwork" "1" ; \
fi'
# We sync to make sure the blacklist has disappeared from the
# filesystem
ExecStart=/bin/sh -c \
'if [ "${TAILS_NETCONF}" != "disabled" ] ; then \
'. /usr/local/lib/tails-shell-library/tails-greeter.sh ; \
if tails_network_enabled ; then \
/bin/rm -f /etc/modprobe.d/all-net-blacklist.conf ; \
/bin/touch /etc/modprobe.d ; \
/bin/sync ; \
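Review bot: dropping `EnvironmentFile=/var/lib/gdm3/settings/tails.network` changes what happens when the settings file is absent: systemd used to fail the unit outright (the path had no `-` prefix), whereas now `tails_network_enabled` sees no setting and returns false (provided `_get_tg_setting` yields an empty string rather than aborting), so the unit succeeds and leaves the module blacklist in place. That is the safer of the two outcomes, but it is a behaviour change the commit message does not mention. Also, with the `tor_set_in_torrc "DisableNetwork" "1"` call gone from `ExecStartPre` and the `Sandbox 1` call gone from 10-tor.sh, check whether `tor_set_in_torrc` in tor.sh has any callers left.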
......
import tailsgreeter.config
from tailsgreeter.settings.setting import StringSetting
from tailsgreeter.settings.setting import BooleanSetting
NETCONF_DIRECT = "direct"
NETCONF_OBSTACLE = "obstacle"
NETCONF_DISABLED = "disabled"
class NetworkSetting(StringSetting):
"""Setting controlling how Tails connects to Tor"""
class NetworkSetting(BooleanSetting):
"""Setting controlling if networking is enabled at all"""
def __init__(self):
super().__init__(tailsgreeter.config.network_setting_path, "TAILS_NETCONF")
super().__init__(tailsgreeter.config.network_setting_path, "TAILS_NETWORK")
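Review bot: the serialised form must match what the shell side compares against: `tails_network_enabled` in tails-greeter.sh tests `= true`, so `BooleanSetting` has to write the lower-case literal `true` into `tails.network`. The existing `TAILS_MACSPOOF_ENABLED` setting, compared with `!= false`, suggests it does, but that comparison is fail-open and would not have noticed a `True` or `1` mismatch, so verify it once against the file the greeter actually writes. Also make sure the `NETCONF_DIRECT`, `NETCONF_OBSTACLE` and `NETCONF_DISABLED` constants go too, since their only import (in ui/additional_settings.py) is removed in this commit.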
......@@ -4,7 +4,6 @@ from tailsgreeter import TRANSLATION_DOMAIN
import tailsgreeter.config
import tailsgreeter.utils
from tailsgreeter.settings import SettingNotFoundError
from tailsgreeter.settings.network import NETCONF_DIRECT, NETCONF_DISABLED, NETCONF_OBSTACLE
from tailsgreeter.ui import _
from tailsgreeter.ui.setting import GreeterSetting
from tailsgreeter.ui.popover import Popover
......@@ -255,68 +254,51 @@ class NetworkSettingUI(AdditionalSetting):
@property
def value_for_display(self) -> str:
if self.value == NETCONF_DIRECT:
return _("Direct (default)")
if self.value == NETCONF_OBSTACLE:
return _("Bridge & Proxy")
if self.value == NETCONF_DISABLED:
return _("Offline")
if self.network_enabled:
return _("Enabled (default)")
else:
return _("Disabled")
def __init__(self, network_setting: "NetworkSetting"):
self._network_setting = network_setting
self.value = NETCONF_DIRECT
self.network_enabled = True
super().__init__()
self.accel_key = Gdk.KEY_n
self.icon_network_clear_chosen = self.builder.get_object('image_network_clear')
self.icon_network_specific_chosen = self.builder.get_object('image_network_specific')
self.icon_network_off_chosen = self.builder.get_object('image_network_off')
self.image_network_on = self.builder.get_object('image_network_on')
self.image_network_off = self.builder.get_object('image_network_off')
self.listbox_network_controls = self.builder.get_object('listbox_network_controls')
self.listbox_network_controls.connect('button-press-event', self.cb_listbox_button_press)
self.listbox_network_controls.connect('row-activated', self.cb_listbox_network_row_activated)
self.listboxrow_netconf_direct = self.builder.get_object('listboxrow_netconf_direct')
self.listboxrow_netconf_obstacle = self.builder.get_object('listboxrow_netconf_obstacle')
self.listboxrow_netconf_disabled = self.builder.get_object('listboxrow_netconf_disabled')
self.listbox_network_controls.connect('button-press-event', self.cb_listbox_button_press)
self.listboxrow_network_on = self.builder.get_object('listboxrow_network_on')
self.listboxrow_network_off = self.builder.get_object('listboxrow_network_off')
def apply(self):
self._network_setting.save(self.value)
is_bridge = self.value == NETCONF_OBSTACLE
self.main_window.set_bridge_infobar_visibility(is_bridge)
self._network_setting.save(self.network_enabled)
super().apply()
def load(self):
def load(self) -> bool:
try:
value = self._network_setting.load()
except SettingNotFoundError:
raise
# Select the correct listboxrow (used in the popover)
if value == NETCONF_DIRECT:
self.listbox_network_controls.select_row(self.listboxrow_netconf_direct)
elif value == NETCONF_OBSTACLE:
self.listbox_network_controls.select_row(self.listboxrow_netconf_obstacle)
elif value == NETCONF_DISABLED:
self.listbox_network_controls.select_row(self.listboxrow_netconf_disabled)
if self.value == value:
if value:
self.listbox_network_controls.select_row(self.listboxrow_network_on)
else:
self.listbox_network_controls.select_row(self.listboxrow_network_off)
if self.network_enabled == value:
return False
self.value = value
self.network_enabled = value
return True
def cb_listbox_network_row_activated(self, listbox, row, user_data=None):
self.icon_network_clear_chosen.set_visible(False)
self.icon_network_specific_chosen.set_visible(False)
self.icon_network_off_chosen.set_visible(False)
if row == self.listboxrow_netconf_direct:
self.value = NETCONF_DIRECT
self.icon_network_clear_chosen.set_visible(True)
elif row == self.listboxrow_netconf_obstacle:
self.value = NETCONF_OBSTACLE
self.icon_network_specific_chosen.set_visible(True)
elif row == self.listboxrow_netconf_disabled:
self.value = NETCONF_DISABLED
self.icon_network_off_chosen.set_visible(True)
self.network_enabled = row == self.listboxrow_network_on
self.image_network_on.set_visible(self.network_enabled)
self.image_network_off.set_visible(not self.network_enabled)
if self.has_popover() and self.popover.is_open():
self.popover.close(Gtk.ResponseType.YES)
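Review bot: the `connect('row-activated', self.cb_listbox_network_row_activated)` line on the old side of this hunk has no counterpart among the new lines, only the `button-press-event` connect reappears next to the renamed `listboxrow_network_on`/`listboxrow_network_off` rows. If the signal is really no longer connected, `cb_listbox_network_row_activated` never runs, `network_enabled` stays at its initial `True` whatever the user picks, and `apply()` always saves `True`; confirm the connect still exists (it may simply sit outside the hunk). Minor, on a context line: `try: ... except SettingNotFoundError: raise` in `load()` is a no-op and can be reduced to the bare call.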
......
......@@ -110,7 +110,6 @@ class GreeterMainWindow(Gtk.Window, TranslatableWindow):
self.box_storage_unlocked = builder.get_object('box_storage_unlocked')
self.entry_storage_passphrase = builder.get_object('entry_storage_passphrase')
self.frame_language = builder.get_object('frame_language')
self.infobar_network = builder.get_object('infobar_network')
self.infobar_settings_loaded = builder.get_object('infobar_settings_loaded')
self.label_settings_default = builder.get_object('label_settings_default')
self.listbox_add_setting = builder.get_object('listbox_add_setting')
......@@ -286,9 +285,6 @@ class GreeterMainWindow(Gtk.Window, TranslatableWindow):
self.button_start.grab_focus()
self.get_root_window().set_cursor(Gdk.Cursor.new(Gdk.CursorType.ARROW))
def set_bridge_infobar_visibility(self, value: bool):
self.infobar_network.set_visible(value)
# Callbacks
def cb_accelgroup_setting_activated(self, accel_group, accelerable,
......
......@@ -26,8 +26,10 @@ mac_spoof_is_enabled() {
[ "$(_get_tg_setting "${MACSPOOF_SETTING}" TAILS_MACSPOOF_ENABLED)" != false ]
}
tails_netconf() {
_get_tg_setting "${NETWORK_SETTING}" TAILS_NETCONF
tails_network_enabled() {
# Only return true when explicitly told so to increase failure
# safety.
[ "$(_get_tg_setting "${NETWORK_SETTING}" TAILS_NETWORK)" = true ]
}
unsafe_browser_is_enabled() {
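Review bot: the fail-closed comparison (`= true`) is the right choice for a function that gates unblocking the network, and deliberately stricter than `mac_spoof_is_enabled` above (`!= false`). Because the function name changes, grep the tree for remaining `tails_netconf` callers (the comment deleted from 10-tor.sh mentioned 60-tor-ready.sh, and tordate reads Tor state too) so nothing is left calling an undefined function under `set -e`.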
......
......@@ -4,11 +4,10 @@ set -e
set -u
set -x
CONFIG_FILE=/var/lib/gdm3/settings/tails.network
NET_MODULES_BLACKLIST=/etc/modprobe.d/all-net-blacklist.conf
# Import the TAILS_NETCONF variable
. "$CONFIG_FILE"
# Import tails_network_enabled()
. /usr/local/lib/tails-shell-library/tails-greeter.sh
systemctl start tails-unblock-network.service
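Review bot: `CONFIG_FILE=/var/lib/gdm3/settings/tails.network` is kept, but with `. "$CONFIG_FILE"` gone nothing in the visible lines uses it any more; either drop it or have it feed `NETWORK_SETTING`, so the path is not maintained in two places (tails-greeter.sh's `_get_tg_setting "${NETWORK_SETTING}"` presumably reads the same file).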
......@@ -18,7 +17,7 @@ systemctl start tails-unblock-network.service
# This might have been caused by an aufs weirdness (#9012),
# but this code is rather simple and it does not hurt to ensure
# our assumptions are verified.
if [ "${TAILS_NETCONF}" != "disabled" ]; then
if tails_network_enabled; then
echo "Waiting for ${NET_MODULES_BLACKLIST} to be gone..." >&2
while [ -e "${NET_MODULES_BLACKLIST}" ]; do
sleep 0.5
......
......@@ -324,7 +324,7 @@
<object class="GtkLabel" id="label_network_description">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="label" translatable="yes">If your Internet connection is censored, filtered, or proxied you can configure a Tor bridge or a local proxy. To work completely offline, you can disable all networking.</property>
<property name="label" translatable="yes">To work completely offline you can disable all networking using this setting.</property>
<property name="justify">fill</property>
<property name="wrap">True</property>
<property name="max_width_chars">50</property>
......@@ -348,11 +348,11 @@
<property name="can_focus">False</property>
<property name="selection_mode">browse</property>
<child>
<object class="GtkListBoxRow" id="listboxrow_netconf_direct">
<object class="GtkListBoxRow" id="listboxrow_network_on">
<property name="visible">True</property>
<property name="can_focus">True</property>
<child>
<object class="GtkBox" id="box_network_clear">
<object class="GtkBox" id="box_network_on">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="margin_left">6</property>
......@@ -361,10 +361,10 @@
<property name="margin_bottom">6</property>
<property name="spacing">12</property>
<child>
<object class="GtkLabel" id="label_network_clear">
<object class="GtkLabel" id="label_network_on">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="label" translatable="yes">Connect directly to the Tor network (default)</property>
<property translatable="yes" name="label">Network enabled (default)</property>
<property name="justify">fill</property>
<property name="wrap">True</property>
<property name="max_width_chars">45</property>
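Review bot: style: the rewritten label property reads `<property translatable="yes" name="label">` while every other property in this file, including the unchanged lines right above, puts `name` first; keep the existing attribute order so the file stays consistent with what Glade emits and the next regeneration does not produce a noisy diff. The same applies to the `Network disabled` label further down.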
......@@ -377,7 +377,7 @@
</packing>
</child>
<child>
<object class="GtkImage" id="image_network_clear">
<object class="GtkImage" id="image_network_on">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="icon_name">emblem-ok-symbolic</property>
......@@ -394,51 +394,7 @@
</object>
</child>
<child>
<object class="GtkListBoxRow" id="listboxrow_netconf_obstacle">
<property name="visible">True</property>
<property name="can_focus">True</property>
<child>
<object class="GtkBox" id="box_network_specific">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="margin_left">6</property>
<property name="margin_right">6</property>
<property name="margin_top">6</property>
<property name="margin_bottom">6</property>
<property name="spacing">12</property>
<child>
<object class="GtkLabel" id="label_network_specific">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="label" translatable="yes">Configure a Tor bridge or local proxy</property>
<property name="wrap">True</property>
<property name="max_width_chars">45</property>
<property name="xalign">0</property>
</object>
<packing>
<property name="expand">True</property>
<property name="fill">True</property>
<property name="position">0</property>
</packing>
</child>
<child>
<object class="GtkImage" id="image_network_specific">
<property name="can_focus">False</property>
<property name="icon_name">emblem-ok-symbolic</property>
</object>
<packing>
<property name="expand">False</property>
<property name="fill">True</property>
<property name="pack_type">end</property>
<property name="position">2</property>
</packing>
</child>
</object>
</child>
</object>
</child>
<child>
<object class="GtkListBoxRow" id="listboxrow_netconf_disabled">
<object class="GtkListBoxRow" id="listboxrow_network_off">
<property name="visible">True</property>
<property name="can_focus">True</property>
<child>
......@@ -454,7 +410,7 @@
<object class="GtkLabel" id="label_network_off">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="label" translatable="yes">Disable all networking</property>
<property translatable="yes" name="label">Network disabled</property>
<property name="wrap">True</property>
<property name="max_width_chars">45</property>
<property name="xalign">0</property>
......
......@@ -129,74 +129,6 @@
<property name="position">1</property>
</packing>
</child>
<child>
<object class="GtkInfoBar" id="infobar_network">
<property name="app_paintable">True</property>
<property name="can_focus">False</property>
<property name="show_close_button">True</property>
<signal name="close" handler="cb_infobar_close" swapped="no"/>
<signal name="response" handler="cb_infobar_response" swapped="no"/>
<child internal-child="action_area">
<object class="GtkButtonBox" id="infobar_network-action_area">
<property name="can_focus">False</property>
<property name="spacing">6</property>
<property name="layout_style">end</property>
<child>
<placeholder/>
</child>
<child>
<placeholder/>
</child>
<child>
<placeholder/>
</child>
</object>
<packing>
<property name="expand">False</property>
<property name="fill">False</property>
<property name="position">0</property>
</packing>
</child>
<child internal-child="content_area">
<object class="GtkBox" id="infobar_network-content_area">
<property name="can_focus">False</property>
<property name="spacing">16</property>
<child>
<object class="GtkLabel" id="label_infobar_network">
<property name="visible">True</property>
<property name="can_focus">False</property>
<property name="label" translatable="yes">You will configure the Tor bridge and local proxy later on after connecting to a network.</property>
<property name="xalign">0</property>
</object>
<packing>
<property name="expand">False</property>
<property name="fill">True</property>
<property name="position">0</property>
</packing>
</child>
<child>
<placeholder/>
</child>
<child>
<placeholder/>
</child>
</object>
<packing>
<property name="expand">False</property>
<property name="fill">False</property>
<property name="position">0</property>
</packing>
</child>
<child>
<placeholder/>
</child>
</object>
<packing>
<property name="expand">False</property>
<property name="fill">True</property>
<property name="position">2</property>
</packing>
</child>
<child>
<object class="GtkBox" id="box_inner">
<property name="visible">True</property>
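Review bot: the deleted `infobar_network` was the widget wired to `cb_infobar_close` and `cb_infobar_response`. If `infobar_settings_loaded` (still looked up in main_window.py) is wired to the same handlers, fine; if not, those two methods are now dead and should follow `set_bridge_infobar_visibility` out in the same commit.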
......
......@@ -34,7 +34,7 @@ non-default option called "My Internet Connection is
censored...". When activated, the following deviations from normal
Tails behaviour occur, in order:
0. The Welcome Screen adds `DisableNetwork 1` to torrc so Tor will not
0. Tails sessions begin with `DisableNetwork 1` in torrc so Tor will not
connect to the network without user intervention.
0. The `tor` process is configured to not use the system resolver
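Review bot: the list item is now unconditional ("Tails sessions begin with `DisableNetwork 1`"), but the introduction it sits under (context lines: a non-default option called "My Internet Connection is censored...", "When activated, the following deviations from normal Tails behaviour occur") still describes it as a deviation triggered by a Welcome Screen option that this commit removes. Rewrite the lead-in so the design document describes the new flow in which every session starts with the network disabled and Tor Launcher is started from 10-tor.sh unconditionally.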
......@@ -61,8 +61,6 @@ Scripts:
* [[!tails_gitweb config/chroot_local-includes/usr/local/sbin/tails-tor-launcher]]
(Wrapper for Tor Launcher)
* [[!tails_gitweb config/chroot_local-includes/etc/gdm3/PostLogin/Default]] (sets `DisableNetwork`)
* [[!tails_gitweb config/chroot_local-includes/etc/NetworkManager/dispatcher.d/10-tor.sh]]
(Tor Launcher is started here)
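Review bot: the removed entry was the only item in this list that said where `DisableNetwork` is set; after this commit it is set statically in torrc, so add the torrc to the list with a remark like "(sets `DisableNetwork 1`)" so the document still tells readers where the network gate lives.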
......