| -rw-r--r-- | changes/feature-bitmask-root-versioning | 1 | ||||
| -rw-r--r-- | docs/man/bitmask-root.1.rst | 17 | ||||
| -rw-r--r-- | docs/man/bitmask.1.rst | 4 | ||||
| -rw-r--r-- | docs/release_checklist.wiki | 1 | ||||
| -rwxr-xr-x | pkg/linux/bitmask-root | 41 | 
5 files changed, 47 insertions, 17 deletions
| diff --git a/changes/feature-bitmask-root-versioning b/changes/feature-bitmask-root-versioning new file mode 100644 index 00000000..bfe69041 --- /dev/null +++ b/changes/feature-bitmask-root-versioning @@ -0,0 +1 @@ +- Add versioning support to bitmask-root. diff --git a/docs/man/bitmask-root.1.rst b/docs/man/bitmask-root.1.rst index 7ed53aa9..c18cc4d6 100644 --- a/docs/man/bitmask-root.1.rst +++ b/docs/man/bitmask-root.1.rst @@ -7,23 +7,24 @@ privileged helper for bitmask, the encrypted internet access toolkit.  ------------------------------------------------------------------------  :Author: LEAP Encryption Access Project https://leap.se -:Date:   2014-05-19 +:Date:   2014-06-05  :Copyright: GPLv3+ -:Version: 0.5.1 +:Version: 0.5.2  :Manual section: 1  :Manual group: General Commands Manual  SYNOPSIS  ======== -bitmask-root [openvpn | firewall | isup ] [start | stop] [ARGS] +bitmask-root [openvpn | firewall | version] [start | stop | isup] [ARGS]  DESCRIPTION  ===========  *bitmask-root* is a privileged helper for bitmask. -It is used to start or stop openvpn and the bitmask firewall. +It is used to start or stop openvpn and the bitmask firewall. To operate, it +needs to be executed with root privileges.  OPTIONS @@ -33,7 +34,9 @@ openvpn  --------  **start** [ARGS]       Starts openvpn. All args are passed to openvpn, and -                       filtered against a list of allowed args. +                       filtered against a list of allowed args. If the next +                       argument is `restart`, the firewall will not be teared +                       down in the case of errors lauching openvpn.  **stop**               Stops openvpn. @@ -46,6 +49,10 @@ firewall  **stop**               Stops the firewall. +version +-------- + +**version**             Prints the `bitmask-root` version string.  BUGS diff --git a/docs/man/bitmask.1.rst b/docs/man/bitmask.1.rst index 38da64af..6eae7ff5 100644 --- a/docs/man/bitmask.1.rst +++ b/docs/man/bitmask.1.rst 
@@ -7,9 +7,9 @@ graphical client to control LEAP, the encrypted internet access toolkit.  ------------------------------------------------------------------------  :Author: LEAP Encryption Access Project https://leap.se -:Date:   2014-05-19 +:Date:   2014-06-05  :Copyright: GPLv3+ -:Version: 0.5.1 +:Version: 0.5.2  :Manual section: 1  :Manual group: General Commands Manual diff --git a/docs/release_checklist.wiki b/docs/release_checklist.wiki index fc99fdf0..075591a7 100644 --- a/docs/release_checklist.wiki +++ b/docs/release_checklist.wiki @@ -1,5 +1,6 @@  = Bitmask Release Checklist (*) =    * [ ] Check that all tests are passing! +  * [ ] Check that the version in bitmask_client/pkg/linux/bitmask-root is bumped if needed.    * [ ] Tag everything      * Should be done for the following packages, in order:        * [ ] 1. leap.common diff --git a/pkg/linux/bitmask-root b/pkg/linux/bitmask-root index d1bf656e..1929b51b 100755 --- a/pkg/linux/bitmask-root +++ b/pkg/linux/bitmask-root @@ -51,6 +51,7 @@ cmdcheck = subprocess.check_output  ## CONSTANTS  ## +VERSION = "1"  SCRIPT = "bitmask-root"  NAMESERVER = "10.42.0.1"  BITMASK_CHAIN = "bitmask" 
@@ -764,11 +765,13 @@ def firewall_start(args):                    "--jump", "ACCEPT")          # allow multicast Simple Service Discovery Protocol          ip4tables("--append", BITMASK_CHAIN, -                  "--protocol", "udp", "--destination", "239.255.255.250", "--dport", "1900", +                  "--protocol", "udp", +                  "--destination", "239.255.255.250", "--dport", "1900",                    "-o", default_device, "--jump", "RETURN")          # allow multicast Bonjour/mDNS          ip4tables("--append", BITMASK_CHAIN, -                  "--protocol", "udp", "--destination", "224.0.0.251", "--dport", "5353", +                  "--protocol", "udp", +                  "--destination", "224.0.0.251", "--dport", "5353",                    "-o", default_device, "--jump", "RETURN")      if local_network_ipv6:          ip6tables("--append", BITMASK_CHAIN, @@ -776,11 +779,13 @@ def firewall_start(args):                    "--jump", "ACCEPT")          # allow multicast Simple Service Discovery Protocol          ip6tables("--append", BITMASK_CHAIN, -                  "--protocol", "udp", "--destination", "FF05::C", "--dport", "1900", +                  "--protocol", "udp", +                  "--destination", "FF05::C", "--dport", "1900",                    "-o", default_device, "--jump", "RETURN")          # allow multicast Bonjour/mDNS          ip6tables("--append", BITMASK_CHAIN, -                  "--protocol", "udp", "--destination", "FF02::FB", "--dport", "5353", +                  "--protocol", "udp", +                  "--destination", "FF02::FB", "--dport", "5353",                    "-o", default_device, "--jump", "RETURN")      # allow ipv4 traffic to gateways 
@@ -791,15 +796,19 @@ def firewall_start(args):      # log rejected packets to syslog      if DEBUG:          iptables("--append", BITMASK_CHAIN, "-o", default_device, -                 "--jump", "LOG", "--log-prefix", "iptables denied: ", "--log-level", "7") +                 "--jump", "LOG", "--log-prefix", "iptables denied: ", +                 "--log-level", "7") -    # for now, ensure all other ipv6 packets get rejected (regardless of device) +    # for now, ensure all other ipv6 packets get rejected (regardless of +    # device)      # (not sure why, but "-p any" doesn't work)      ip6tables("--append", BITMASK_CHAIN, "-p", "tcp", "--jump", "REJECT")      ip6tables("--append", BITMASK_CHAIN, "-p", "udp", "--jump", "REJECT")      # reject all other ipv4 sent over the default device -    ip4tables("--append", BITMASK_CHAIN, "-o", default_device, "--jump", "REJECT") +    ip4tables("--append", BITMASK_CHAIN, "-o", +              default_device, "--jump", "REJECT") +  def firewall_stop():      """ @@ -819,7 +828,12 @@ def firewall_stop():  def main(): -    if len(sys.argv) >= 3: +    """ +    Entry point for cmdline execution. +    """ +    # TODO use argparse instead. + +    if len(sys.argv) >= 2:          command = "_".join(sys.argv[1:3])          args = sys.argv[3:] @@ -828,6 +842,13 @@ def main():              is_restart = True              args.remove('restart') +        if command == "version": +            print(VERSION) +            exit(0) + +        if os.getuid() != 0: +            bail("ERROR: must be run as root") +          if command == "openvpn_start":              openvpn_start(args) 
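Review bot: The new `version` branch exits through the builtin `exit(0)`, which is installed by the `site` module and is absent when the script runs under `python -S` or an embedded interpreter; since `sys` is already used on the `sys.argv` line above, `sys.exit(0)` is the safer call. The root check that follows tests the real uid with `os.getuid()`, whereas the iptables and openvpn operations dispatched after it depend on the effective identity, so `if os.geteuid() != 0:` expresses the actual requirement (under sudo both are 0, so the two only differ for setuid or capability-based invocation). The check also relies on `os` being imported at the top of the script, which this diff does not show, so that is worth confirming. main() begins in the previous hunk and continues past the end of this one.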
@@ -840,8 +861,8 @@ def main():                  nameserver_setter.start(NAMESERVER)              except Exception as ex:                  if not is_restart: -		    nameserver_restorer.start() -		    firewall_stop() +                    nameserver_restorer.start() +                    firewall_stop()                  bail("ERROR: could not start firewall", ex)          elif command == "firewall_stop": | 
