authoranonym <anonym@riseup.net>2018-01-18 14:05:42 +0100
committeranonym <anonym@riseup.net>2018-01-26 12:08:00 +0100
commit4fc2cd479c8ca6b7b2bb6d61309455e863fb9a3d (patch)
tree877ab0cc24610e7ef5be59877844dc98578dc049
parentc95c30b56d37fe1a18b93b7ef0f2ddf746f9346f (diff)
Tor: enable clearnet DNS resolution in bridge mode.
So now users can input a human-readable hostname for proxies and bridges (and we can support meek_lite!). Will-fix: #8775 Refs: #8243
-rwxr-xr-xconfig/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-resolv-over-clearnet3
-rwxr-xr-xconfig/chroot_local-includes/etc/NetworkManager/dispatcher.d/10-tor.sh18
-rw-r--r--config/chroot_local-includes/etc/ferm/ferm.conf1
-rw-r--r--config/chroot_local-patches/apparmor-adjust-tor-profile.diff5
4 files changed, 25 insertions, 2 deletions
diff --git a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-resolv-over-clearnet b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-resolv-over-clearnet
index 5f2da2e..3045574 100755
--- a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-resolv-over-clearnet
+++ b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-resolv-over-clearnet
@@ -1,6 +1,7 @@
#!/bin/sh
-# This file is needed by the Unsafe Browser.
+# This file is needed by the Unsafe Browser, and Tor while in bridge
+# mode.
# Run only when the interface is not "lo":
if [ -z "$1" ] || [ "$1" = "lo" ]; then
diff --git a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/10-tor.sh b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/10-tor.sh
index adfca27..61730f0 100755
--- a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/10-tor.sh
+++ b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/10-tor.sh
@@ -54,7 +54,21 @@ fi
# * https://tails.boum.org/bugs/tor_vs_networkmanager/
# To work around this we restart Tor, in various ways, no matter the
# case below.
+TOR_SYSTEMD_OVERRIDE_DIR="/lib/systemd/system/tor@default.service.d"
+TOR_RESOLV_CONF_OVERRIDE="${TOR_SYSTEMD_OVERRIDE_DIR}/50-resolv-conf-override.conf"
if [ "$(tails_netconf)" = "obstacle" ]; then
+ # Override /etc/resolv.conf for tor only, so it can use a clearnet
+ # DNS server to resolve hostnames used for pluggable transport and
+ # proxies.
+ if [ ! -e "${TOR_RESOLV_CONF_OVERRIDE}" ]; then
+ mkdir -p "${TOR_SYSTEMD_OVERRIDE_DIR}"
+ cat > "${TOR_RESOLV_CONF_OVERRIDE}" <<EOF
+[Service]
+BindReadOnlyPaths=/etc/resolv-over-clearnet.conf:/etc/resolv.conf
+EOF
+ systemctl daemon-reload
+ fi
+
# We do not use restart-tor since it validates that bootstraping
# succeeds. That cannot happen until Tor Launcher has started
# (below) and the user is done configuring it.
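Review bot: The drop-in is generated at dispatch time under `/lib/systemd/system/tor@default.service.d` (the `TOR_SYSTEMD_OVERRIDE_DIR` line), which is the package-owned hierarchy; a runtime-created unit override conventionally lives under `/run/systemd/system/` (or `/etc/systemd/system/` for administrator configuration), and `/run` would additionally guarantee the override does not outlive the session, though whether that matters for this live system is not visible from the hunk. The `BindReadOnlyPaths=/etc/resolv-over-clearnet.conf:/etc/resolv.conf` line has no `-` prefix, so if `/etc/resolv-over-clearnet.conf` is absent when tor@default starts the unit fails rather than falling back; the comment in 00-resolv-over-clearnet suggests that script is expected to create it first, and that ordering dependency deserves a comment here, e.g. `# Relies on 00-resolv-over-clearnet having created the source file; tor@default will not start otherwise.` The `[ ! -e ]` guard also means a pre-existing drop-in with different contents is never refreshed. The enclosing `if` block continues past the end of this hunk.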
@@ -79,5 +93,9 @@ if [ "$(tails_netconf)" = "obstacle" ]; then
sleep 1
done
else
+ if [ -e "${TOR_RESOLV_CONF_OVERRIDE}" ]; then
+ rm "${TOR_RESOLV_CONF_OVERRIDE}"
+ systemctl daemon-reload
+ fi
( restart-tor ) &
fi
diff --git a/config/chroot_local-includes/etc/ferm/ferm.conf b/config/chroot_local-includes/etc/ferm/ferm.conf
index 3673c77..79e4909 100644
--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -114,6 +114,7 @@ domain ip {
# Tor is allowed to do anything it wants to.
mod owner uid-owner debian-tor {
proto tcp syn mod state state (NEW) ACCEPT;
+ proto udp dport domain ACCEPT;
}
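Review bot: The new `proto udp dport domain ACCEPT;` rule inside `mod owner uid-owner debian-tor` is unconditional and does not restrict the destination, whereas the resolv.conf override that makes Tor use a clearnet resolver is only installed in the obstacle/bridge case in 10-tor.sh, so the debian-tor user keeps clearnet UDP/53 egress in every network mode. Whether tor actually sends such queries outside bridge mode depends on what /etc/resolv.conf resolves to for the service, which this diff does not show. If the always-on rule is intended, a comment stating the scope would help the next reader, e.g. `# Clearnet DNS for bridge/proxy hostnames in bridge mode (#8775); use is gated by the resolv.conf override in 10-tor.sh.`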
# Everything else is logged and dropped.
diff --git a/config/chroot_local-patches/apparmor-adjust-tor-profile.diff b/config/chroot_local-patches/apparmor-adjust-tor-profile.diff
index 4fdf893..d984659 100644
--- a/config/chroot_local-patches/apparmor-adjust-tor-profile.diff
+++ b/config/chroot_local-patches/apparmor-adjust-tor-profile.diff
@@ -1,6 +1,6 @@
--- a/etc/apparmor.d/system_tor 2016-06-01 21:34:23.000000000 +0000
+++ b/etc/apparmor.d/system_tor 2016-06-10 11:09:09.249017739 +0000
-@@ -4,6 +4,15 @@
+@@ -4,6 +4,18 @@
profile system_tor flags=(attach_disconnected) {
#include <abstractions/tor>
@@ -13,6 +13,9 @@
+ # with permissions 0600 once it's been saved by Tor Launcher.
+ capability dac_read_search,
+
++ # Used by Tor to do clearnet DNS lookups while in bridge mode (#8775).
++ /etc/resolv-over-clearnet.conf r,
++
owner /var/lib/tor/** rwk,
owner /var/lib/tor/ r,
owner /var/log/tor/* w,