diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/leap/bitmask/vpn/constants.py | 7 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/fw/firewall.py | 25 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/helpers/__init__.py | 21 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy | 23 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/launchers/linux.py | 18 | ||||
-rw-r--r-- | src/leap/bitmask/vpn/process.py | 1 |
6 files changed, 77 insertions, 18 deletions
diff --git a/src/leap/bitmask/vpn/constants.py b/src/leap/bitmask/vpn/constants.py index dce5e81c..a380bc3c 100644 --- a/src/leap/bitmask/vpn/constants.py +++ b/src/leap/bitmask/vpn/constants.py @@ -23,10 +23,15 @@ from leap.bitmask.system import IS_LINUX if IS_LINUX: BITMASK_ROOT_SYSTEM = '/usr/sbin/bitmask-root' BITMASK_ROOT_LOCAL = '/usr/local/sbin/bitmask-root' + # this should change when bitmask is also a snap. for now, + # snap is only RiseupVPN + BITMASK_ROOT_SNAP = '/snap/bin/riseup-vpn.bitmask-root' + OPENVPN_SYSTEM = '/usr/sbin/openvpn' OPENVPN_LOCAL = '/usr/local/sbin/leap-openvpn' # this should change when bitmask is also a snap. for now, - # snap means RiseupVPN + # snap is only RiseupVPN OPENVPN_SNAP = '/snap/bin/riseup-vpn.openvpn' POLKIT_LOCAL = '/usr/share/polkit-1/actions/se.leap.bitmask.bundle.policy' POLKIT_SYSTEM = '/usr/share/polkit-1/actions/se.leap.bitmask.policy' + POLKIT_SNAP = '/usr/share/polkit-1/actions/se.leap.bitmask.riseupvpn.policy' diff --git a/src/leap/bitmask/vpn/fw/firewall.py b/src/leap/bitmask/vpn/fw/firewall.py index 98b317b0..cc5d76d0 100644 --- a/src/leap/bitmask/vpn/fw/firewall.py +++ b/src/leap/bitmask/vpn/fw/firewall.py @@ -25,7 +25,10 @@ import subprocess from twisted.logger import Logger -from leap.bitmask.system import IS_MAC, IS_LINUX +from leap.bitmask.system import IS_MAC, IS_LINUX, IS_SNAP +from leap.bitmask.vpn.constants import BITMASK_ROOT_SYSTEM +from leap.bitmask.vpn.constants import BITMASK_ROOT_LOCAL +from leap.bitmask.vpn.constants import BITMASK_ROOT_SNAP from leap.common.events import catalog, emit_async from leap.bitmask.vpn.launchers import darwin @@ -87,11 +90,23 @@ class _LinuxFirewallManager(object): This allows us to achieve fail close on a vpn connection. """ - _SYSTEM_BITMASK_ROOT = '/usr/sbin/bitmask-root' - if os.path.isfile(_SYSTEM_BITMASK_ROOT): - BITMASK_ROOT = _SYSTEM_BITMASK_ROOT + # TODO factor out choosing a version of bitmask-root. + # together with linux vpnlauncher. + + if IS_SNAP: + # snap has its own version under /snap + BITMASK_ROOT = BITMASK_ROOT_SNAP + elif IS_STANDALONE and os.path.isfile(BITMASK_ROOT_LOCAL): + # if this is a bundle, we pick local. bundles ask to install it there. + BITMASK_ROOT = BITMASK_ROOT_LOCAL else: - BITMASK_ROOT = "/usr/local/sbin/bitmask-root" + if os.path.isfile(BITMASK_ROOT_SYSTEM): + # we can be running from the debian package, + # or some other distro. it's the maintainer responsibility to put bitmask-root there. + BITMASK_ROOT = BITMASK_ROOT_SYSTEM + else: + # as a last case, we fall back to installing into the /usr/local/sbin version. + BITMASK_ROOT = BITMASK_ROOT_LOCAL def __init__(self, remotes): """ diff --git a/src/leap/bitmask/vpn/helpers/__init__.py b/src/leap/bitmask/vpn/helpers/__init__.py index e932422d..96ec4f2e 100644 --- a/src/leap/bitmask/vpn/helpers/__init__.py +++ b/src/leap/bitmask/vpn/helpers/__init__.py @@ -18,13 +18,15 @@ if IS_LINUX: from leap.bitmask.vpn.constants import BITMASK_ROOT_SYSTEM from leap.bitmask.vpn.constants import BITMASK_ROOT_LOCAL + from leap.bitmask.vpn.constants import BITMASK_ROOT_SNAP from leap.bitmask.vpn.constants import OPENVPN_SYSTEM, OPENVPN_LOCAL from leap.bitmask.vpn.constants import OPENVPN_SNAP - from leap.bitmask.vpn.constants import POLKIT_SYSTEM, POLKIT_LOCAL + from leap.bitmask.vpn.constants import POLKIT_SYSTEM, POLKIT_LOCAL, POLKIT_SNAP from leap.bitmask.vpn.privilege import is_pkexec_in_system from leap.bitmask.vpn.privilege import LinuxPolicyChecker def install(): + print('installing bitmask helpers...') helper_from = _config.get_bitmask_helper_path() polkit_from = _config.get_bitmask_polkit_policy_path() openvpn_from = _config.get_bitmask_openvpn_path() @@ -86,7 +88,7 @@ if IS_LINUX: return True if IS_SNAP: - if os.path.isfile(BITMASK_ROOT_LOCAL): + if os.path.isfile(BITMASK_ROOT_SNAP): return True log.error('Cannot find bitmask-root in snap') return False @@ -131,12 +133,17 @@ if IS_LINUX: return False def _check_polkit_file_exist(): - # XXX: we are just checking if there is any policy file installed not - # if it's valid or if it's the correct one that will be used. - # (if LOCAL is used if /usr/local/sbin/bitmask-root is used and SYSTEM - # if /usr/sbin/bitmask-root) + """ + We are just checking if there is any policy file installed not + if it's valid or if it's the correct one that will be used. + + If LOCAL: we use /usr/local/sbin/bitmask-root + If SYSTEM: we use /usr/sbin/bitmask-root, and + if SNAP: we use /snap/bin/riseup-vpn.bitmask-root + """ return (os.path.exists(POLKIT_LOCAL) or - os.path.exists(POLKIT_SYSTEM)) + os.path.exists(POLKIT_SYSTEM) or + os.path.exists(POLKIT_SNAP)) def _exists_and_can_read(file_path): return access(file_path, R_OK) diff --git a/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy new file mode 100644 index 00000000..3bdf06a6 --- /dev/null +++ b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy @@ -0,0 +1,23 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE policyconfig PUBLIC + "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" + "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd"> +<policyconfig> + + <vendor>LEAP Project</vendor> + <vendor_url>http://leap.se/</vendor_url> + + <action id="se.leap.bitmask.riseupvpn.policy"> + <description>Runs bitmask helper to launch firewall and openvpn (RiseupVPN)</description> + <description xml:lang="es">Ejecuta el asistente de bitmask para lanzar el firewall y openvpn (RiseupVPN)</description> + <message>RiseupVPN needs that you authenticate to start</message> + <message xml:lang="es">RiseupVPN necesita autorizacion para comenzar</message> + <icon_name>package-x-generic</icon_name> + <defaults> + <allow_any>yes</allow_any> + <allow_inactive>yes</allow_inactive> + <allow_active>yes</allow_active> + </defaults> + <annotate key="org.freedesktop.policykit.exec.path">/snap/bin/riseup-vpn.bitmask-root</annotate> + </action> +</policyconfig> diff --git a/src/leap/bitmask/vpn/launchers/linux.py b/src/leap/bitmask/vpn/launchers/linux.py index 748fe858..db8ffce7 100644 --- a/src/leap/bitmask/vpn/launchers/linux.py +++ b/src/leap/bitmask/vpn/launchers/linux.py @@ -86,15 +86,16 @@ class LinuxVPNLauncher(VPNLauncher): class BITMASK_ROOT(object): def __call__(self): - current_version = self._version(_config.get_bitmask_helper_path()) _sys = constants.BITMASK_ROOT_SYSTEM _sys_version = 0 _local = constants.BITMASK_ROOT_LOCAL _local_version = 0 + _snap = constants.BITMASK_ROOT_SNAP + _snap_version = 0 if IS_SNAP: - return _local + return _snap if os.path.isfile(_sys): _sys_version = self._version(_sys) @@ -182,13 +183,22 @@ class LinuxVPNLauncher(VPNLauncher): openvpn_verb) if IS_SNAP: - return ["pkexec", "/usr/local/sbin/bitmask-root", + # cannot reference bitmask_root because 'local variable command + # referenced before assignment' XXX bug! + # this should change when bitmask is also a snap. for now, + # snap means RiseupVPN + return ["pkexec", constants.BITMASK_ROOT_SNAP, "openvpn", "start"] + command - command.insert(0, force_eval(kls.BITMASK_ROOT)) + bitmask_root = force_eval(kls.BITMASK_ROOT) + command.insert(0, bitmask_root) command.insert(1, "openvpn") command.insert(2, "start") + # this is a workaround for integration tests, since it's not + # trivial to run polkit inside docker containers. + # however, you might want to run bitmask as root under certain + # environments, like embedded devices. if os.getuid() != 0: policyChecker = LinuxPolicyChecker() pkexec = policyChecker.get_usable_pkexec() diff --git a/src/leap/bitmask/vpn/process.py b/src/leap/bitmask/vpn/process.py index 17d8fddc..d1d929d7 100644 --- a/src/leap/bitmask/vpn/process.py +++ b/src/leap/bitmask/vpn/process.py @@ -293,7 +293,6 @@ class _VPNProcess(protocol.ProcessProtocol): :rtype: list of str """ - print("GETTING COMMAND", self._launcher) try: command = self._launcher.get_vpn_command( vpnconfig=self._vpnconfig, |