-rw-r--r-- | changes/bug-block-ipv6-clientside | 1 | ||||
-rw-r--r-- | changes/feature-5689-psutil-compat | 1 | ||||
-rw-r--r-- | changes/feature_5692-fix-nameserver-restoring | 1 | ||||
-rw-r--r-- | docs/man/bitmask-root.1.rst | 54 | ||||
-rw-r--r-- | docs/man/bitmask.1.rst | 22 | ||||
-rwxr-xr-x | pkg/linux/bitmask-root | 13 | ||||
-rw-r--r-- | pkg/requirements.pip | 5 | ||||
-rwxr-xr-x | setup.py | 6 | ||||
-rw-r--r-- | src/leap/bitmask/services/eip/vpnprocess.py | 10 |
9 files changed, 90 insertions, 23 deletions
diff --git a/changes/bug-block-ipv6-clientside b/changes/bug-block-ipv6-clientside
new file mode 100644
index 00000000..9e6b88c4
--- /dev/null
+++ b/changes/bug-block-ipv6-clientside
@@ -0,0 +1 @@
+- Block ipv6 traffic for the moment. Closes: #5693
diff --git a/changes/feature-5689-psutil-compat b/changes/feature-5689-psutil-compat
new file mode 100644
index 00000000..be11aea3
--- /dev/null
+++ b/changes/feature-5689-psutil-compat
@@ -0,0 +1 @@
+- Make use of cmdline in psutil backwards-compatible. Closes: #5689
diff --git a/changes/feature_5692-fix-nameserver-restoring b/changes/feature_5692-fix-nameserver-restoring
new file mode 100644
index 00000000..10ce3427
--- /dev/null
+++ b/changes/feature_5692-fix-nameserver-restoring
@@ -0,0 +1 @@
+- Fix nameserver restoring. Closes: #5692
diff --git a/docs/man/bitmask-root.1.rst b/docs/man/bitmask-root.1.rst
new file mode 100644
index 00000000..7ed53aa9
--- /dev/null
+++ b/docs/man/bitmask-root.1.rst
@@ -0,0 +1,54 @@
+============
+bitmask-root
+============
+
+------------------------------------------------------------------------
+privileged helper for bitmask, the encrypted internet access toolkit.
+------------------------------------------------------------------------
+
+:Author: LEAP Encryption Access Project https://leap.se
+:Date: 2014-05-19
+:Copyright: GPLv3+
+:Version: 0.5.1
+:Manual section: 1
+:Manual group: General Commands Manual
+
+SYNOPSIS
+========
+
+bitmask-root [openvpn | firewall | isup ] [start | stop] [ARGS]
+
+DESCRIPTION
+===========
+
+*bitmask-root* is a privileged helper for bitmask.
+
+It is used to start or stop openvpn and the bitmask firewall.
+
+
+OPTIONS
+=======
+
+openvpn
+--------
+
+**start** [ARGS] Starts openvpn. All args are passed to openvpn, and
+ filtered against a list of allowed args.
+
+**stop** Stops openvpn.
+
+
+firewall
+---------
+
+**start** [GATEWAYS] Starts the firewall. GATEWAYS is a list of EIP
+ gateways to allow in the firewall.
+
+**stop** Stops the firewall.
+
+
+
+BUGS
+====
+
+Please report any bugs to https://leap.se/code
diff --git a/docs/man/bitmask.1.rst b/docs/man/bitmask.1.rst
index ed4f7133..38da64af 100644
--- a/docs/man/bitmask.1.rst
+++ b/docs/man/bitmask.1.rst
@@ -7,9 +7,9 @@ graphical client to control LEAP, the encrypted internet access toolkit. ------------------------------------------------------------------------ :Author: LEAP Encryption Access Project https://leap.se -:Date: 2013-08-23 +:Date: 2014-05-19 :Copyright: GPLv3+ -:Version: 0.3.1 +:Version: 0.5.1 :Manual section: 1 :Manual group: General Commands Manual
@@ -80,26 +80,20 @@ WARNING This software is still in its early phases of testing. So don't trust your life to it! -At the current time, Bitmask is not compatible with ``openresolv``, but it works with ``resolvconf``. FILES ===== -/etc/leap/resolv-update ------------------------ -Post up/down script passed to openvpn. It writes /etc/resolv.conf to avoid dns leaks, and restores the original resolv.conf on exit. -/etc/leap/resolv-head ---------------------- -/etc/leap/resolv-tail ---------------------- +/usr/share/polkit-1/actions/se.leap.bitmask.policy +------------------------------------------------------- -Custom entries that will appear in the written resolv.conf +PolicyKit policy file, used for granting access to bitmask-root without the need of entering a password each time. -/usr/share/polkit-1/actions/net.openvpn.gui.leap.policy -------------------------------------------------------- +/usr/sbin/bitmask-root +------------------------ -PolicyKit policy file, used for granting access to openvpn without the need of entering a password each time. +Helper to launch and stop openvpn and the bitmask firewall. ~/.config/leap/ ---------------
diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root
index 136fd6a4..6d296ecf 100755
--- a/pkg/linux/bitmask-root
+++ b/pkg/linux/bitmask-root
@@ -566,7 +566,7 @@ class NameserverRestorer(Daemon): A daemon that will restore the previous nameservers. """ - def run(self): + def run(self, *args): """ Run when daemonized. """
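Review bot: `NameserverRestorer.run` now takes `*args`, but its docstring still reads only "Run when daemonized.", so a reader cannot tell where the extra arguments come from or whether dropping them is intended. Nothing visible in the hunk uses them; the rest of the method body lies outside the hunk, so that is an inference. Once the calling convention is confirmed against the `Daemon` base class, I would extend the docstring along the lines of `Accepts and ignores any positional arguments passed on by the daemon start path.`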
@@ -765,6 +765,17 @@ def firewall_start(args): "--dport", "53", "--destination", allowed_dns, "--jump", "ACCEPT") + # workaround for ipv6 servers being blocked and not falling back to ipv4. + # See #5693 + ip6tables("--append", "OUTPUT", "--jump", "REJECT", + "-s", "::/0", "-d", "::/0", + "-p", "tcp", + "--reject-with", "icmp6-port-unreachable") + ip6tables("--append", "OUTPUT", "--jump", "REJECT", + "-s", "::/0", "-d", "::/0", + "-p", "udp", + "--reject-with", "icmp6-port-unreachable") + def firewall_stop(): """
diff --git a/pkg/requirements.pip b/pkg/requirements.pip
index 70427e63..3d6b33a3 100644
--- a/pkg/requirements.pip
+++ b/pkg/requirements.pip
@@ -11,10 +11,7 @@ srp>=1.0.2 pyopenssl python-dateutil -# since gnupg requires exactly 1.2.1, this chokes if we -# don't specify a version. Selecting something lesser than -# 2.0 is equivalent to pick 1.2.1. See #5489 -psutil<2.0 +psutil ipaddr twisted
@@ -203,9 +203,9 @@ if IS_LINUX: # globally. Or make specific install command. See #3805 data_files = [ ("share/polkit-1/actions", - ["pkg/linux/polkit/net.openvpn.gui.leap.policy"]), - ("etc/leap/", - ["pkg/linux/resolv-update"]), + ["pkg/linux/polkit/se.leap.bitmask.policy"]), + ("/usr/sbin", + ["pkg/linux/bitmask-root"]), ]
diff --git a/src/leap/bitmask/services/eip/vpnprocess.py b/src/leap/bitmask/services/eip/vpnprocess.py
index 1559ea8b..734b88df 100644
--- a/src/leap/bitmask/services/eip/vpnprocess.py
+++ b/src/leap/bitmask/services/eip/vpnprocess.py
@@ -30,9 +30,11 @@ import psutil try: # psutil < 2.0.0 from psutil.error import AccessDenied as psutil_AccessDenied + PSUTIL_2 = False except ImportError: # psutil >= 2.0.0 from psutil import AccessDenied as psutil_AccessDenied + PSUTIL_2 = True from leap.bitmask.config import flags from leap.bitmask.config.providerconfig import ProviderConfig
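Review bot: The two `ip6tables("--append", "OUTPUT", ...)` calls at the end of `firewall_start` add REJECT rules to the shared OUTPUT chain, and no hunk in this commit touches `firewall_stop`, whose body is outside the hunk; unless it already clears the IPv6 table, the rules remain after the firewall is stopped and are appended again on every start. Either mirror them with matching `--delete` calls in `firewall_stop` or put them in a dedicated chain that stop can flush. Separately, only `-p tcp` and `-p udp` are rejected, so other IPv6 protocols (ICMPv6, for example) can still leave the host outside the tunnel. If the intent is the changelog's "block ipv6 traffic", a single rule without `-p`, `ip6tables("--append", "OUTPUT", "--jump", "REJECT", "--reject-with", "icmp6-port-unreachable")`, covers all of it, preceded by an explicit ACCEPT for the loopback interface if local `::1` services must keep working.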
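Review bot: The new `("/usr/sbin", ["pkg/linux/bitmask-root"])` entry installs a root helper through `data_files`, which gives no guarantee about the owner or mode of the installed file, while the man page in this commit says the polkit policy grants access to bitmask-root without a password prompt. A helper that ends up writable by an unprivileged user would then be a route to root, so the install step should enforce root ownership and a non-writable mode, for instance in the distribution packaging or the dedicated install command that the existing `See #3805` comment already mentions. The absolute `/usr/sbin` also sits beside the prefix-relative `share/polkit-1/actions`, so a virtualenv or `--prefix` install puts the two files in unrelated trees; a comment such as `# system-wide root install only: helper path must match the polkit policy` would make that constraint explicit. The enclosing `if IS_LINUX:` block starts outside the hunk.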
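Review bot: `PSUTIL_2` is derived from where `AccessDenied` happens to be importable, which ties the `cmdline` calling convention to an unrelated detail of the module layout. Reading the version states the intent directly and leaves the import fallback concerned with the exception only: `PSUTIL_2 = psutil.version_info >= (2, 0, 0)` placed after the `try`/`except`. A one-line comment on the flag, for example `# psutil 2.0 turned Process.cmdline from a property into a method`, would tell the reader why it exists.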
@@ -676,7 +678,13 @@ class VPNManager(object): # we need to be able to filter out arguments in the form # --openvpn-foo, since otherwise we are shooting ourselves # in the feet. - if any(map(lambda s: s.find("LEAPOPENVPN") != -1, p.cmdline)): + + if PSUTIL_2: + cmdline = p.cmdline() + else: + cmdline = p.cmdline + if any(map(lambda s: s.find( + "LEAPOPENVPN") != -1, cmdline)): openvpn_process = p break except psutil_AccessDenied: |
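Review bot: The new `p.cmdline()` call can raise `psutil.NoSuchProcess` when a process exits between enumeration and inspection, and the only handler visible in the hunk is `except psutil_AccessDenied:`; the `try` opens outside the hunk and further handlers may follow it, so this needs checking against the full method. If there is none, add an `except psutil.NoSuchProcess:` branch that skips the process so a short-lived one cannot abort the search. The match reads more plainly as `any("LEAPOPENVPN" in arg for arg in cmdline)` than as the `map`/`lambda`/`find` form split across two lines. The match also trusts command-line text, which any local process can set, so whatever the caller does with `openvpn_process` should not assume it is the client's own openvpn without a further check such as the process owner or executable path.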