authoranonym <anonym@riseup.net>2018-01-18 13:45:31 +0100
committeranonym <anonym@riseup.net>2018-01-26 12:08:00 +0100
commitc95c30b56d37fe1a18b93b7ef0f2ddf746f9346f (patch)
tree3438ec5f9710b08419d49afea7aaccd66c170ddd
parentd54c1a9f502bfcd5c9d9679db3223e8a33b38408 (diff)
Keep clearnet DNS server configured /etc/resolv-over-clearnet.conf.
This is cleaner, and will help us on our path to #8775. Refs: #8775
-rwxr-xr-xconfig/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-resolv-over-clearnet27
-rwxr-xr-xconfig/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-save-env15
-rw-r--r--config/chroot_local-includes/usr/local/lib/tails-shell-library/chroot-browser.sh14
-rwxr-xr-xconfig/chroot_local-includes/usr/local/sbin/unsafe-browser32
4 files changed, 35 insertions, 53 deletions
diff --git a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-resolv-over-clearnet b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-resolv-over-clearnet
new file mode 100755
index 0000000..5f2da2e
--- /dev/null
+++ b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-resolv-over-clearnet
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+# This file is needed by the Unsafe Browser.
+
+# Run only when the interface is not "lo":
+if [ -z "$1" ] || [ "$1" = "lo" ]; then
+ exit 0
+fi
+
+# Run whenever an interface gets "up", not otherwise:
+if [ "$2" != "up" ]; then
+ exit 0
+fi
+
+RESOLV_CLEARNET_CONF=/etc/resolv-over-clearnet.conf
+# We are truncating the file as opposed to deleting + recreating it
+# for a reason: we mount-bind this file over /etc/resolv.conf for
+# processes (via mount namespaces) that we want to give clearnet DNS
+# resolving, and deleting + recreating it would mean that the
+# bind-mount would remain outdated.
+echo -n > "${RESOLV_CLEARNET_CONF}"
+IP4_REGEX='[0-9]{1,3}(\.[0-9]{1,3}){3}'
+for ns in ${IP4_NAMESERVERS}; do
+ if echo "${ns}" | grep --extended-regexp -q "^${IP4_REGEX}$"; then
+ echo "nameserver ${ns}" >> "${RESOLV_CLEARNET_CONF}"
+ fi
+done
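Review bot: Between the truncate on the `echo -n >` line and the per-nameserver appends the file is empty, and the comment just above explains that it is bind-mounted over /etc/resolv.conf for running processes, so a resolver reading it in that window sees no nameserver; if no entry matches IP4_REGEX it stays empty for good, which the unsafe-browser side treats as "no DNS server". Collecting the matching entries first and writing them with one redirection shrinks the window to a single write and keeps the output byte-identical. `echo -n > file` is also not portable under `#!/bin/sh` (some echo implementations print the `-n`); `: > "${RESOLV_CLEARNET_CONF}"` is the idiom, though with the single-write form the separate truncate step goes away entirely. Whether the file's mode lets the unprivileged browser user read it through the bind mount depends on the dispatcher's umask, which this hunk does not set — worth confirming, since the removed configure_chroot_dns_servers did an explicit `chmod a+r`.
```shell
RESOLV_CLEARNET_CONF=/etc/resolv-over-clearnet.conf
IP4_REGEX='[0-9]{1,3}(\.[0-9]{1,3}){3}'
# … unchanged: comment on why the file is truncated rather than replaced …
nl='
'
resolv_content=
for ns in ${IP4_NAMESERVERS}; do
  if echo "${ns}" | grep --extended-regexp -q "^${IP4_REGEX}$"; then
    resolv_content="${resolv_content}nameserver ${ns}${nl}"
  fi
done
# One redirection truncates and writes the whole file in a single step.
printf '%s' "${resolv_content}" > "${RESOLV_CLEARNET_CONF}"
```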
diff --git a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-save-env b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-save-env
deleted file mode 100755
index 0cad002..0000000
--- a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-save-env
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/bin/sh
-
-# This information is needed by the Unsafe Browser.
-
-# Run only when the interface is not "lo":
-if [ -z "$1" ] || [ "$1" = "lo" ]; then
- exit 0
-fi
-
-# Run whenever an interface gets "up", not otherwise:
-if [ "$2" != "up" ]; then
- exit 0
-fi
-
-echo "IP4_NAMESERVERS=\"${IP4_NAMESERVERS}\"" > /var/lib/NetworkManager/env
diff --git a/config/chroot_local-includes/usr/local/lib/tails-shell-library/chroot-browser.sh b/config/chroot_local-includes/usr/local/lib/tails-shell-library/chroot-browser.sh
index 90c6df5..f042bfa 100644
--- a/config/chroot_local-includes/usr/local/lib/tails-shell-library/chroot-browser.sh
+++ b/config/chroot_local-includes/usr/local/lib/tails-shell-library/chroot-browser.sh
@@ -87,18 +87,6 @@ chroot_browser_profile_dir () {
echo "${conf_dir}/profile.default"
}
-# Set the chroot's DNS servers (IPv4 only)
-configure_chroot_dns_servers () {
- local chroot="${1}" ; shift
- local ip4_nameservers="${@}"
-
- rm -f "${chroot}/etc/resolv.conf"
- for ns in ${ip4_nameservers}; do
- echo "nameserver ${ns}" >> "${chroot}/etc/resolv.conf"
- done
- chmod a+r "${chroot}/etc/resolv.conf"
-}
-
set_chroot_browser_permissions () {
local chroot="${1}"
local browser_name="${2}"
@@ -219,12 +207,10 @@ configure_chroot_browser () {
local browser_name="${1}" ; shift
local human_readable_name="${1}" ; shift
local home_page="${1}" ; shift
- local dns_servers="${1}" ; shift
# Now $@ is a list of paths (that must be valid after chrooting)
# to extensions to enable.
local best_locale="$(guess_best_tor_browser_locale)"
- configure_chroot_dns_servers "${chroot}" "${dns_servers}"
configure_chroot_browser_profile "${chroot}" "${browser_name}" \
"${browser_user}" "${home_page}" "${@}"
set_chroot_browser_locale "${chroot}" "${browser_name}" "${browser_user}" \
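Review bot: Dropping the `dns_servers` positional parameter shifts the meaning of everything after `home_page`, so a caller still passing a nameserver list there would have it silently consumed as the first extension path by configure_chroot_browser_profile rather than rejected; the diffstat shows only unsafe-browser being updated, which looks like the sole caller, but that is worth confirming. If a header comment above configure_chroot_browser documents its argument order, it sits outside this hunk and needs the same update. configure_chroot_browser continues past the end of the hunk.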
diff --git a/config/chroot_local-includes/usr/local/sbin/unsafe-browser b/config/chroot_local-includes/usr/local/sbin/unsafe-browser
index 81211f2..97514c6 100755
--- a/config/chroot_local-includes/usr/local/sbin/unsafe-browser
+++ b/config/chroot_local-includes/usr/local/sbin/unsafe-browser
@@ -92,28 +92,6 @@ if ! flock -x -n 9; then
error "`gettext \"Another Unsafe Browser is currently running, or being cleaned up. Please retry in a while.\"`"
fi
-# Get the DNS servers that was obtained from NetworkManager, if any...
-if [ -r "${NM_ENV_FILE}" ]; then
- # We also check that the file we are gonna *source* doesn't
- # contain any unexpected data, like (potentially malicious) shell
- # script. Note that while the regex used for deciding IP addresses
- # is far from perfect, it serves our purpose here.
- IP4_REGEX='[0-9]{1,3}(\.[0-9]{1,3}){3}'
- NAMESERVERS_REGEX="^IP4_NAMESERVERS=\"(${IP4_REGEX}( ${IP4_REGEX})*)?\"$"
- if grep --extended-regexp -qv "${NAMESERVERS_REGEX}" "${NM_ENV_FILE}"; then
- error "`gettext \"NetworkManager passed us garbage data when trying to deduce the clearnet DNS server.\"`"
- fi
- # Import the IP4_NAMESERVERS variable.
- eval "$(grep --extended-regexp "${NAMESERVERS_REGEX}" "${NM_ENV_FILE}")"
-fi
-# ... otherwise fail.
-# FIXME: Or would it make sense to fallback to Google's DNS or OpenDNS?
-# Some stupid captive portals may allow DNS to any host, but chances are
-# that only the portal's DNS would forward to the login page.
-if [ -z "${IP4_NAMESERVERS:-}" ]; then
- error "`gettext \"No DNS server was obtained through DHCP or manually configured in NetworkManager.\"`"
-fi
-
verify_start
show_start_notification
@@ -123,9 +101,15 @@ setup_chroot_for_browser "${CHROOT}" "${COW}" "${BROWSER_USER}" || \
echo "* Configuring chroot"
configure_chroot_browser "${CHROOT}" "${BROWSER_USER}" "${BROWSER_NAME}" \
- "${HUMAN_READABLE_NAME}" "${HOME_PAGE}" "${IP4_NAMESERVERS}" \
- "${TBB_EXT}"/langpack-*.xpi || \
+ "${HUMAN_READABLE_NAME}" "${HOME_PAGE}" "${TBB_EXT}"/langpack-*.xpi || \
error "`gettext \"Failed to configure browser.\"`"
+# If /etc/resolv-over-clearnet.conf file is empty or doesn't exist, we
+# have no clearnet DNS server.
+if [ "$(stat --format=%s /etc/resolv-over-clearnet.conf || echo 0)" -gt 0 ]; then
+ cp /etc/resolv-over-clearnet.conf "${CHROOT}"/etc/resolv.conf
+else
+ error "`gettext \"No DNS server was obtained through DHCP or manually configured in NetworkManager.\"`"
+fi
echo "* Starting Unsafe Browser"
run_browser_in_chroot "${CHROOT}" "${BROWSER_NAME}" "${BROWSER_USER}" \