summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/leap/bitmask/vpn/constants.py7
-rw-r--r--src/leap/bitmask/vpn/fw/firewall.py25
-rw-r--r--src/leap/bitmask/vpn/helpers/__init__.py21
-rw-r--r--src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy23
-rw-r--r--src/leap/bitmask/vpn/launchers/linux.py18
-rw-r--r--src/leap/bitmask/vpn/process.py1
6 files changed, 77 insertions, 18 deletions
diff --git a/src/leap/bitmask/vpn/constants.py b/src/leap/bitmask/vpn/constants.py
index dce5e81c..a380bc3c 100644
--- a/src/leap/bitmask/vpn/constants.py
+++ b/src/leap/bitmask/vpn/constants.py
@@ -23,10 +23,15 @@ from leap.bitmask.system import IS_LINUX
if IS_LINUX:
BITMASK_ROOT_SYSTEM = '/usr/sbin/bitmask-root'
BITMASK_ROOT_LOCAL = '/usr/local/sbin/bitmask-root'
+ # this should change when bitmask is also a snap. for now,
+ # snap is only RiseupVPN
+ BITMASK_ROOT_SNAP = '/snap/bin/riseup-vpn.bitmask-root'
+
OPENVPN_SYSTEM = '/usr/sbin/openvpn'
OPENVPN_LOCAL = '/usr/local/sbin/leap-openvpn'
# this should change when bitmask is also a snap. for now,
- # snap means RiseupVPN
+ # snap is only RiseupVPN
OPENVPN_SNAP = '/snap/bin/riseup-vpn.openvpn'
POLKIT_LOCAL = '/usr/share/polkit-1/actions/se.leap.bitmask.bundle.policy'
POLKIT_SYSTEM = '/usr/share/polkit-1/actions/se.leap.bitmask.policy'
+ POLKIT_SNAP = '/usr/share/polkit-1/actions/se.leap.bitmask.riseupvpn.policy'
diff --git a/src/leap/bitmask/vpn/fw/firewall.py b/src/leap/bitmask/vpn/fw/firewall.py
index 98b317b0..cc5d76d0 100644
--- a/src/leap/bitmask/vpn/fw/firewall.py
+++ b/src/leap/bitmask/vpn/fw/firewall.py
@@ -25,7 +25,10 @@ import subprocess
from twisted.logger import Logger
-from leap.bitmask.system import IS_MAC, IS_LINUX
+from leap.bitmask.system import IS_MAC, IS_LINUX, IS_SNAP
+from leap.bitmask.vpn.constants import BITMASK_ROOT_SYSTEM
+from leap.bitmask.vpn.constants import BITMASK_ROOT_LOCAL
+from leap.bitmask.vpn.constants import BITMASK_ROOT_SNAP
from leap.common.events import catalog, emit_async
from leap.bitmask.vpn.launchers import darwin
@@ -87,11 +90,23 @@ class _LinuxFirewallManager(object):
This allows us to achieve fail close on a vpn connection.
"""
- _SYSTEM_BITMASK_ROOT = '/usr/sbin/bitmask-root'
- if os.path.isfile(_SYSTEM_BITMASK_ROOT):
- BITMASK_ROOT = _SYSTEM_BITMASK_ROOT
+ # TODO factor out choosing a version of bitmask-root.
+ # together with linux vpnlauncher.
+
+ if IS_SNAP:
+ # snap has its own version under /snap
+ BITMASK_ROOT = BITMASK_ROOT_SNAP
+ elif IS_STANDALONE and os.path.isfile(BITMASK_ROOT_LOCAL):
+ # if this is a bundle, we pick local. bundles ask to install it there.
+ BITMASK_ROOT = BITMASK_ROOT_LOCAL
else:
- BITMASK_ROOT = "/usr/local/sbin/bitmask-root"
+ if os.path.isfile(BITMASK_ROOT_SYSTEM):
+ # we can be running from the debian package,
+ # or some other distro. it's the maintainer responsibility to put bitmask-root there.
+ BITMASK_ROOT = BITMASK_ROOT_SYSTEM
+ else:
+ # as a last case, we fall back to installing into the /usr/local/sbin version.
+ BITMASK_ROOT = BITMASK_ROOT_LOCAL
def __init__(self, remotes):
"""
diff --git a/src/leap/bitmask/vpn/helpers/__init__.py b/src/leap/bitmask/vpn/helpers/__init__.py
index e932422d..96ec4f2e 100644
--- a/src/leap/bitmask/vpn/helpers/__init__.py
+++ b/src/leap/bitmask/vpn/helpers/__init__.py
@@ -18,13 +18,15 @@ if IS_LINUX:
from leap.bitmask.vpn.constants import BITMASK_ROOT_SYSTEM
from leap.bitmask.vpn.constants import BITMASK_ROOT_LOCAL
+ from leap.bitmask.vpn.constants import BITMASK_ROOT_SNAP
from leap.bitmask.vpn.constants import OPENVPN_SYSTEM, OPENVPN_LOCAL
from leap.bitmask.vpn.constants import OPENVPN_SNAP
- from leap.bitmask.vpn.constants import POLKIT_SYSTEM, POLKIT_LOCAL
+ from leap.bitmask.vpn.constants import POLKIT_SYSTEM, POLKIT_LOCAL, POLKIT_SNAP
from leap.bitmask.vpn.privilege import is_pkexec_in_system
from leap.bitmask.vpn.privilege import LinuxPolicyChecker
def install():
+ print('installing bitmask helpers...')
helper_from = _config.get_bitmask_helper_path()
polkit_from = _config.get_bitmask_polkit_policy_path()
openvpn_from = _config.get_bitmask_openvpn_path()
@@ -86,7 +88,7 @@ if IS_LINUX:
return True
if IS_SNAP:
- if os.path.isfile(BITMASK_ROOT_LOCAL):
+ if os.path.isfile(BITMASK_ROOT_SNAP):
return True
log.error('Cannot find bitmask-root in snap')
return False
@@ -131,12 +133,17 @@ if IS_LINUX:
return False
def _check_polkit_file_exist():
- # XXX: we are just checking if there is any policy file installed not
- # if it's valid or if it's the correct one that will be used.
- # (if LOCAL is used if /usr/local/sbin/bitmask-root is used and SYSTEM
- # if /usr/sbin/bitmask-root)
+ """
+ We are just checking if there is any policy file installed not
+ if it's valid or if it's the correct one that will be used.
+
+ If LOCAL: we use /usr/local/sbin/bitmask-root
+ If SYSTEM: we use /usr/sbin/bitmask-root, and
+ if SNAP: we use /snap/bin/riseup-vpn.bitmask-root
+ """
return (os.path.exists(POLKIT_LOCAL) or
- os.path.exists(POLKIT_SYSTEM))
+ os.path.exists(POLKIT_SYSTEM) or
+ os.path.exists(POLKIT_SNAP))
def _exists_and_can_read(file_path):
return access(file_path, R_OK)
diff --git a/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy
new file mode 100644
index 00000000..3bdf06a6
--- /dev/null
+++ b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC
+ "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+<policyconfig>
+
+ <vendor>LEAP Project</vendor>
+ <vendor_url>http://leap.se/</vendor_url>
+
+ <action id="se.leap.bitmask.riseupvpn.policy">
+ <description>Runs bitmask helper to launch firewall and openvpn (RiseupVPN)</description>
+ <description xml:lang="es">Ejecuta el asistente de bitmask para lanzar el firewall y openvpn (RiseupVPN)</description>
+ <message>RiseupVPN needs that you authenticate to start</message>
+ <message xml:lang="es">RiseupVPN necesita autorizacion para comenzar</message>
+ <icon_name>package-x-generic</icon_name>
+ <defaults>
+ <allow_any>yes</allow_any>
+ <allow_inactive>yes</allow_inactive>
+ <allow_active>yes</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.exec.path">/snap/bin/riseup-vpn.bitmask-root</annotate>
+ </action>
+</policyconfig>
diff --git a/src/leap/bitmask/vpn/launchers/linux.py b/src/leap/bitmask/vpn/launchers/linux.py
index 748fe858..db8ffce7 100644
--- a/src/leap/bitmask/vpn/launchers/linux.py
+++ b/src/leap/bitmask/vpn/launchers/linux.py
@@ -86,15 +86,16 @@ class LinuxVPNLauncher(VPNLauncher):
class BITMASK_ROOT(object):
def __call__(self):
-
current_version = self._version(_config.get_bitmask_helper_path())
_sys = constants.BITMASK_ROOT_SYSTEM
_sys_version = 0
_local = constants.BITMASK_ROOT_LOCAL
_local_version = 0
+ _snap = constants.BITMASK_ROOT_SNAP
+ _snap_version = 0
if IS_SNAP:
- return _local
+ return _snap
if os.path.isfile(_sys):
_sys_version = self._version(_sys)
@@ -182,13 +183,22 @@ class LinuxVPNLauncher(VPNLauncher):
openvpn_verb)
if IS_SNAP:
- return ["pkexec", "/usr/local/sbin/bitmask-root",
+ # cannot reference bitmask_root because 'local variable command
+ # referenced before assignment' XXX bug!
+ # this should change when bitmask is also a snap. for now,
+ # snap means RiseupVPN
+ return ["pkexec", constants.BITMASK_ROOT_SNAP,
"openvpn", "start"] + command
- command.insert(0, force_eval(kls.BITMASK_ROOT))
+ bitmask_root = force_eval(kls.BITMASK_ROOT)
+ command.insert(0, bitmask_root)
command.insert(1, "openvpn")
command.insert(2, "start")
+ # this is a workaround for integration tests, since it's not
+ # trivial to run polkit inside docker containers.
+ # however, you might want to run bitmask as root under certain
+ # environments, like embedded devices.
if os.getuid() != 0:
policyChecker = LinuxPolicyChecker()
pkexec = policyChecker.get_usable_pkexec()
diff --git a/src/leap/bitmask/vpn/process.py b/src/leap/bitmask/vpn/process.py
index 17d8fddc..d1d929d7 100644
--- a/src/leap/bitmask/vpn/process.py
+++ b/src/leap/bitmask/vpn/process.py
@@ -293,7 +293,6 @@ class _VPNProcess(protocol.ProcessProtocol):
:rtype: list of str
"""
- print("GETTING COMMAND", self._launcher)
try:
command = self._launcher.get_vpn_command(
vpnconfig=self._vpnconfig,