authoranonym <anonym@riseup.net>2020-10-07 13:40:11 +0200
committeranonym <anonym@riseup.net>2020-10-07 14:45:13 +0200
commit88c5ef7ea375f083b79616d2ae2558c8c77580c1 (patch)
treef535090ae0b281960d9c6176398ba84a033ef6ad
parent327dff5b199e904d1e2969a9e0177443a6fd76b6 (diff)
Unsafe Browser: set up networking via a new namespace.wip/12213-wayland
Networking is now fully functional! But for some reason accessibility is now broken. :/
-rw-r--r--config/chroot_local-includes/usr/local/lib/tails-shell-library/chroot-browser.sh27
1 files changed, 27 insertions, 0 deletions
diff --git a/config/chroot_local-includes/usr/local/lib/tails-shell-library/chroot-browser.sh b/config/chroot_local-includes/usr/local/lib/tails-shell-library/chroot-browser.sh
index 8ccdf95..0fcf32a 100644
--- a/config/chroot_local-includes/usr/local/lib/tails-shell-library/chroot-browser.sh
+++ b/config/chroot_local-includes/usr/local/lib/tails-shell-library/chroot-browser.sh
@@ -265,8 +265,35 @@ run_browser_in_chroot () {
local wm_class="${5}"
local profile="$(browser_profile_dir ${browser_name} ${chroot_user})"
+ # Here we set up a network namespace, linking it with the host
+ # network namespace via two virtual interfaces, and we enable NAT
+ # so we can reach the clearnet.
+ # XXX: we'll use 10.123.42.0/24 for the two devices, with the hope
+ # that nothing else will interfere with this range.
+ if [ ! -e /var/run/netns/clearnet ]; then
+ ip netns add clearnet
+ ip netns exec clearnet ip link set lo up
+ ip link add veth-host type veth peer name veth-clearnet
+ ip link set veth-clearnet netns clearnet
+ ip addr add 10.123.42.1/24 dev veth-host
+ ip netns exec clearnet ip addr add 10.123.42.2/24 dev veth-clearnet
+ ip link set veth-host up
+ ip netns exec clearnet ip link set veth-clearnet up
+ ip netns exec clearnet ip route add default via 10.123.42.1
+ fi
+ # XXX: we could probably lock the iptables rules down more,
+ # e.g. DNS + TCP only.
+ # XXX: these rules must be made persistent, otherwise NAT will
+ # break if an interface is up:ed while the Unsafe Browser is
+ # running due to the 00-firewall.sh NetworkManager hook.
+ iptables -A FORWARD -i veth-host -j ACCEPT
+ iptables -A FORWARD -o veth-host -j ACCEPT
+ iptables -t nat -A POSTROUTING -s 10.123.42.2/24 -j MASQUERADE
+ sysctl net.ipv4.ip_forward=1
+
systemd-nspawn --directory="${chroot}" \
--bind=/tmp/.X11-unix \
+ --network-namespace-path=/var/run/netns/clearnet \
--user="${chroot_user}" \
--setenv=TOR_TRANSPROXY=1 \
--setenv=DISPLAY=$DISPLAY \