Commit 4fc2cd47 authored by anonym's avatar anonym

Tor: enable clearnet DNS resolution in bridge mode.

So now users can input a human-readable hostname for proxies and
bridges (and we can support meek_lite!).

Will-fix: #8775
Refs: #8243
parent c95c30b5
#!/bin/sh
# This file is needed by the Unsafe Browser.
# This file is needed by the Unsafe Browser, and Tor while in bridge
# mode.
# Run only when the interface is not "lo":
if [ -z "$1" ] || [ "$1" = "lo" ]; then
......
......@@ -54,7 +54,21 @@ fi
# * https://tails.boum.org/bugs/tor_vs_networkmanager/
# To work around this we restart Tor, in various ways, no matter the
# case below.
TOR_SYSTEMD_OVERRIDE_DIR="/lib/systemd/system/tor@default.service.d"
TOR_RESOLV_CONF_OVERRIDE="${TOR_SYSTEMD_OVERRIDE_DIR}/50-resolv-conf-override.conf"
if [ "$(tails_netconf)" = "obstacle" ]; then
# Override /etc/resolv.conf for tor only, so it can use a clearnet
# DNS server to resolve hostnames used for pluggable transport and
# proxies.
if [ ! -e "${TOR_RESOLV_CONF_OVERRIDE}" ]; then
mkdir -p "${TOR_SYSTEMD_OVERRIDE_DIR}"
cat > "${TOR_RESOLV_CONF_OVERRIDE}" <<EOF
[Service]
BindReadOnlyPaths=/etc/resolv-over-clearnet.conf:/etc/resolv.conf
EOF
systemctl daemon-reload
fi
# We do not use restart-tor since it validates that bootstraping
# succeeds. That cannot happen until Tor Launcher has started
# (below) and the user is done configuring it.
......@@ -79,5 +93,9 @@ if [ "$(tails_netconf)" = "obstacle" ]; then
sleep 1
done
else
if [ -e "${TOR_RESOLV_CONF_OVERRIDE}" ]; then
rm "${TOR_RESOLV_CONF_OVERRIDE}"
systemctl daemon-reload
fi
( restart-tor ) &
fi
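Review bot: The drop-in is created with a plain `cat > "${TOR_RESOLV_CONF_OVERRIDE}"` and only rewritten when the path does not exist, so a run interrupted between the redirect and `systemctl daemon-reload` leaves a truncated or empty file that every later run treats as complete and never repairs. Writing to a temporary file in the same directory and renaming it into place makes the creation atomic; the `rm` in the else branch is already safe as is. Separately, `/lib/systemd/system/tor@default.service.d` is the vendor unit tree, and a runtime-generated override of this kind is conventionally placed under `/run/systemd/system`, which is also cleared on reboot — worth considering if the vendor path is not required here. The `if [ "$(tails_netconf)" = "obstacle" ]` block spans both hunks; its closing `fi` is the last line shown, but the lines between the hunks are not visible.
```sh
# … unchanged: TOR_SYSTEMD_OVERRIDE_DIR / TOR_RESOLV_CONF_OVERRIDE assignments …
if [ ! -e "${TOR_RESOLV_CONF_OVERRIDE}" ]; then
    mkdir -p "${TOR_SYSTEMD_OVERRIDE_DIR}"
    # Write to a temporary file in the same directory and rename it, so an
    # interrupted run never leaves a truncated drop-in that the -e guard
    # above would then treat as complete.
    TOR_RESOLV_CONF_OVERRIDE_TMP="$(mktemp -p "${TOR_SYSTEMD_OVERRIDE_DIR}")"
    cat > "${TOR_RESOLV_CONF_OVERRIDE_TMP}" <<EOF
[Service]
BindReadOnlyPaths=/etc/resolv-over-clearnet.conf:/etc/resolv.conf
EOF
    chmod 0644 "${TOR_RESOLV_CONF_OVERRIDE_TMP}"
    mv "${TOR_RESOLV_CONF_OVERRIDE_TMP}" "${TOR_RESOLV_CONF_OVERRIDE}"
    systemctl daemon-reload
fi
# … unchanged: Tor restart handling …
```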
......@@ -114,6 +114,7 @@ domain ip {
# Tor is allowed to do anything it wants to.
mod owner uid-owner debian-tor {
proto tcp syn mod state state (NEW) ACCEPT;
proto udp dport domain ACCEPT;
}
# Everything else is logged and dropped.
......
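Review bot: The new `proto udp dport domain ACCEPT;` inside `mod owner uid-owner debian-tor` is unconditional, whereas the resolv.conf override that gives Tor clearnet resolvers is only installed when `tails_netconf` reports "obstacle", so the firewall now permits outbound clearnet DNS from the Tor uid in every network mode, not just bridge mode. If this ferm configuration is generated or reloaded per netconf state, gating the rule on that state would keep the UDP opening as narrow as the resolver override; if it is static, the rule at least deserves a comment tying it to its purpose, e.g. `# Allow clearnet DNS so Tor can resolve bridge and proxy hostnames in bridge mode (#8775).`. Restricting the rule to the addresses listed in /etc/resolv-over-clearnet.conf would narrow it further, but whether those addresses are fixed is not visible here.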
--- a/etc/apparmor.d/system_tor 2016-06-01 21:34:23.000000000 +0000
+++ b/etc/apparmor.d/system_tor 2016-06-10 11:09:09.249017739 +0000
@@ -4,6 +4,15 @@
@@ -4,6 +4,18 @@
profile system_tor flags=(attach_disconnected) {
#include <abstractions/tor>
......@@ -12,6 +12,9 @@
+ # at least when using bridges as torrc is owned by debian-tor:debian-tor
+ # with permissions 0600 once it's been saved by Tor Launcher.
+ capability dac_read_search,
+
+ # Used by Tor to do clearnet DNS lookups while in bridge mode (#8775).
+ /etc/resolv-over-clearnet.conf r,
+
owner /var/lib/tor/** rwk,
owner /var/lib/tor/ r,
......
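Review bot: The comment on the new `/etc/resolv-over-clearnet.conf r,` rule names the purpose but not the mechanism, and a reader of the profile has no way to learn why Tor opens this particular path; the systemd drop-in bind-mounts it over /etc/resolv.conf, so the comment should say so, e.g. `# Bind-mounted over /etc/resolv.conf by the tor@default.service drop-in so Tor can do clearnet DNS lookups in bridge mode (#8775).`. Only the three resolv-over-clearnet lines appear to be new in the outer diff (the inner hunk header goes from +15 to +18), so the `capability dac_read_search` lines look like pre-existing content of the patched patch rather than part of this change. The comment at the top of the hunk continues from a line outside it.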