From 3169015c5f5eaed5f2ad48e486b1fe96e1eb6bbe Mon Sep 17 00:00:00 2001 
From: Kali Kaneko Date: Tue, 3 Apr 2018 02:45:34 +0200 Subject: several fixes for riseupvpn snap - move snap folder to root folder, to allow automated builds - install only polkit file outside of snap - change path of bitmask-root accordingly in bitmask - fix check for polkit file inside snap - change and document the algorithm for picking bitmask-root in linux - add LD_LIBRARY_PATH as an environment entry for bitmask-systray --- .gitignore | 8 ++ Makefile | 7 ++ docs/changelog.rst | 9 ++ pkg/riseupvpn/Makefile | 8 +- pkg/riseupvpn/README.rst | 20 ++-- pkg/riseupvpn/pack_installers | 34 +++---- pkg/riseupvpn/snap/.snapcraft/state | 3 - pkg/riseupvpn/snap/gui/riseup-vpn.desktop | 15 --- pkg/riseupvpn/snap/gui/riseupvpn.svg | 80 --------------- pkg/riseupvpn/snap/hooks/remove | 7 -- pkg/riseupvpn/snap/snapcraft.yaml | 94 ------------------ snap/gui/riseup-vpn.desktop | 15 +++ snap/gui/riseupvpn.svg | 80 +++++++++++++++ snap/hooks/install | 11 +++ snap/hooks/remove | 6 ++ snap/snapcraft.yaml | 108 +++++++++++++++++++++ src/leap/bitmask/vpn/constants.py | 7 +- src/leap/bitmask/vpn/fw/firewall.py | 25 ++++- src/leap/bitmask/vpn/helpers/__init__.py | 21 ++-- .../helpers/linux/se.leap.bitmask.riseupvpn.policy | 23 +++++ src/leap/bitmask/vpn/launchers/linux.py | 18 +++- src/leap/bitmask/vpn/process.py | 1 - 22 files changed, 349 insertions(+), 251 deletions(-) delete mode 100644 pkg/riseupvpn/snap/.snapcraft/state delete mode 100644 pkg/riseupvpn/snap/gui/riseup-vpn.desktop delete mode 100644 pkg/riseupvpn/snap/gui/riseupvpn.svg delete mode 100755 pkg/riseupvpn/snap/hooks/remove delete mode 100644 pkg/riseupvpn/snap/snapcraft.yaml create mode 100644 snap/gui/riseup-vpn.desktop create mode 100644 snap/gui/riseupvpn.svg create mode 100755 snap/hooks/install create mode 100755 snap/hooks/remove create mode 100644 snap/snapcraft.yaml create mode 100644 src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy 
diff --git a/.gitignore b/.gitignore index fc1463e4..9fa8da01 100644 --- a/.gitignore +++ b/.gitignore @@ -56,3 +56,11 @@ NOTES # temporary home folders for functional tests /tmp/ + +# snaps +parts +prime +stage +*.snap +*.tar.bz2 +snap/.snapcraft diff --git a/Makefile b/Makefile index f6895358..153d6130 100644 --- a/Makefile +++ b/Makefile @@ -119,6 +119,13 @@ bundle_in_docker_virtualenv: cp -r bitmaskbuild/$(DIST_VERSION) dist/ rm -rf bitmaskbuild +snap_in_docker: + cd pkg/riseupvpn && ./pack_installers && cd .. + sudo docker run -v $(PWD):$(PWD) -w $(PWD) snapcore/snapcraft snapcraft + +snap_clean: + sudo rm -rf stage prime parts + upload: python setup.py sdist bdist_wheel --universal upload --sign -i kali@leap.se -r pypi diff --git a/docs/changelog.rst b/docs/changelog.rst index 04778592..de4c7f94 100644 --- a/docs/changelog.rst +++ b/docs/changelog.rst @@ -5,6 +5,15 @@ Changelog ------------------------------- .. note:: This version is not yet released and is under active development. +Misc +~~~~ +- Fix snap bug in install hook when python2 was not installed. +- Install only the polkit file outside of classic confinement snap. +- Document algorithm for picking bitmask-root. +- Use LD_LIBRARY_PATH for bitmask_systray in RiseupVPN snap (makes snap run fine in bionic). +- Move snap folder to topmost folder. + + 0.10.5 ------------------------------- diff --git a/pkg/riseupvpn/Makefile b/pkg/riseupvpn/Makefile index 58079cc6..6c0e5855 100644 --- a/pkg/riseupvpn/Makefile +++ b/pkg/riseupvpn/Makefile 
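Review bot: The `snap_in_docker` recipe in the top-level Makefile pulls `snapcore/snapcraft` with no tag or digest, so the image that builds the snap is whatever the registry serves at build time, and it runs under `sudo docker` with the whole checkout mounted read-write. The resulting snap installs a polkit policy on users' machines, so the build image is worth pinning, e.g. `sudo docker run -v $(PWD):$(PWD) -w $(PWD) snapcore/snapcraft@sha256:<pinned-digest> snapcraft`, with the digest recorded in the repository. The trailing `&& cd ..` on the first recipe line has no effect, because make runs each recipe line in its own shell.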
@@ -3,13 +3,13 @@ # We have to use classic confinement because it does not seem to be another way, at the moment, # to use policykit. -build: helpers - # for speeding up build, see https://tribaal.io/making-lxd-fly-on-ubuntu-as-well.html - sudo snapcraft cleanbuild helpers: ./pack_installers +build: helpers + # for speeding up build, see https://tribaal.io/making-lxd-fly-on-ubuntu-as-well.html + cd ../.. && sudo snapcraft cleanbuild install: - sudo snap install riseup-vpn_*.snap --dangerous --classic + cd ../.. && sudo snap install riseup-vpn_*.snap --dangerous --classic uninstall: sudo snap remove riseup-vpn deps: diff --git a/pkg/riseupvpn/README.rst b/pkg/riseupvpn/README.rst index 085ffe39..29ced8f9 100644 --- a/pkg/riseupvpn/README.rst +++ b/pkg/riseupvpn/README.rst 
@@ -12,21 +12,25 @@ minimalistic systray written in golang https://0xacab.org/leap/bitmask-systray that makes use of libappindicator for displaying notifications. Currently, RiseupVPN is distributed as a snap package. It uses classic -confinement because it needs to install bitmask-root in the system, and a -polkit policy file so that bitmask-root and openvpn can be executed without -asking user for permission each time. +confinement because it needs to install a polkit policy file so that +bitmask-root and openvpn can be executed without asking user for permission +each time. Usage ----- -Until the snap package gets approved in the snap store, you can use the snap as follows:: +You can get the snap from the store:: - wget https://downloads.leap.se/RiseupVPN/linux/riseup-vpn_0.10.4_amd64.snap sudo apt install snapd - sudo snap install riseup-vpn_0.10.4_amd64.snap --dangerous --classic + sudo snap install riseup-vpn --classic -That should have made a new application called RiseupVPN in your launchers. -You can also launch it manually like this:: +If you want to build the local snap:: + + make build + sudo snap install riseup-vpn_*.snap --classic + +That should have added a new application called RiseupVPN in your desktop +launchers. You can also launch it manually like this:: /snap/bin/riseup-vpn.launcher diff --git a/pkg/riseupvpn/pack_installers b/pkg/riseupvpn/pack_installers index eb3a08bb..629e4157 100755 --- a/pkg/riseupvpn/pack_installers +++ b/pkg/riseupvpn/pack_installers 
@@ -1,37 +1,27 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 import os import subprocess from base64 import encodestring as encode HELPDIR = '../../src/leap/bitmask/vpn/helpers/linux/' -INSTALL = './snap/hooks/install' +INSTALL = '../../snap/hooks/install' +POLKIT_FILE = 'se.leap.bitmask.riseupvpn.policy' -with open(os.path.join(HELPDIR, 'bitmask-root')) as bmroot: - b64_bmroot = encode(bmroot.read()) - -with open(os.path.join(HELPDIR, 'se.leap.bitmask.bundle.policy')) as polkit: - b64_polkit = encode(polkit.read()) +with open(os.path.join(HELPDIR, POLKIT_FILE)) as polkit: + b64_polkit = encode(polkit.read().encode()) with open(INSTALL, 'w') as install: - install.write('#!/usr/bin/env python\n') + install.write('#!/usr/bin/env python3\n') install.write('# This helper installs bitmask-root and polkit policy file\n') install.write('import subprocess\n') install.write('from base64 import decodestring as decode\n') install.write(""" -BMROOT = \"\"\"{bmroot}\"\"\" -POLKIT = \"\"\"{polkit}\"\"\" -BMROOT_DEST = "/usr/local/sbin/bitmask-root" -with open(BMROOT_DEST, "w") as bmroot: - lines = str(decode(BMROOT)).split("\\n") - for i, line in enumerate(lines): - bmroot.write(line) - if i + 1 != len(lines): - bmroot.write("\\n") -with open('/usr/share/polkit-1/actions/se.leap.bitmask.bundle.policy', 'w') as polkit: - lines = str(decode(POLKIT)).split("\\n") +POLKIT = {polkit} + +with open('/usr/share/polkit-1/actions/{polkit_file}', 'w') as polkit: + lines = decode(POLKIT).split(b"\\n") for line in lines: - polkit.write(line + "\\n") -""".format(bmroot=b64_bmroot, polkit=b64_polkit)) - install.write('subprocess.Popen(["chmod", "+x", BMROOT_DEST])\n') + polkit.write(line.decode() + "\\n") +""".format(polkit=b64_polkit, polkit_file=POLKIT_FILE)) subprocess.Popen(["chmod", "+x", INSTALL]) print("done packing installers into the snap install hook...") 
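Review bot: The script now targets python3 but still imports `encodestring` and writes `from base64 import decodestring as decode` into the generated hook; both names are deprecated aliases in Python 3 and were removed in 3.9, so on a newer interpreter the install hook fails at import and the polkit policy is never written. `from base64 import encodebytes as encode` here and `from base64 import decodebytes as decode` in the generated text are drop-in replacements. The generated header comment still says the helper installs bitmask-root, which this commit stops doing; `# This helper installs the polkit policy file` matches the new behaviour. `subprocess.Popen(["chmod", "+x", INSTALL])` is not waited on, and `os.chmod(INSTALL, 0o755)` would set the mode without a child process.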
diff --git a/pkg/riseupvpn/snap/.snapcraft/state b/pkg/riseupvpn/snap/.snapcraft/state deleted file mode 100644 index 34977889..00000000 --- a/pkg/riseupvpn/snap/.snapcraft/state +++ /dev/null @@ -1,3 +0,0 @@ -!GlobalState -assets: - build-packages: [] diff --git a/pkg/riseupvpn/snap/gui/riseup-vpn.desktop b/pkg/riseupvpn/snap/gui/riseup-vpn.desktop deleted file mode 100644 index e325b204..00000000 --- a/pkg/riseupvpn/snap/gui/riseup-vpn.desktop +++ /dev/null @@ -1,15 +0,0 @@ -[Desktop Entry] -Version=1.0 -Type=Application -Name=RiseupVPN -Comment=Anonymous VPN -Comment[es]=VPN Anonima -Comment[de]=Anonymous VPN -Path=/snap/bin -Exec=riseup-vpn.launcher -Terminal=false -Icon=/snap/riseup-vpn/current/snap/gui/riseupvpn.svg -Categories=Network;Application; -StartupNotify=true -Keywords=VPN;riseup;leap - diff --git a/pkg/riseupvpn/snap/gui/riseupvpn.svg b/pkg/riseupvpn/snap/gui/riseupvpn.svg deleted file mode 100644 index a19c6c61..00000000 --- a/pkg/riseupvpn/snap/gui/riseupvpn.svg +++ /dev/null @@ -1,80 +0,0 @@ - - - - - - - - - - - - image/svg+xml - - - - - - - - - - - diff --git a/pkg/riseupvpn/snap/hooks/remove b/pkg/riseupvpn/snap/hooks/remove deleted file mode 100755 index c7442a26..00000000 --- a/pkg/riseupvpn/snap/hooks/remove +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/sh -set -e - -echo "Executing remove hook for RiseupVPN" -rm "/usr/local/sbin/bitmask-root" -rm "/usr/share/polkit-1/actions/se.leap.bitmask.bundle.policy" -echo "done" diff --git a/pkg/riseupvpn/snap/snapcraft.yaml b/pkg/riseupvpn/snap/snapcraft.yaml deleted file mode 100644 index 064a48ae..00000000 --- a/pkg/riseupvpn/snap/snapcraft.yaml +++ /dev/null 
@@ -1,94 +0,0 @@ -name: riseup-vpn -version: '0.10.4' -epoch: 0 -summary: RiseupVPN, anonymous VPN. Powered by Bitmask. -description: | - RiseupVPN is an easy, fast, and secure VPN service from riseup.net. - RiseupVPN does not require a user account, keep logs, or track you in - any way. The service is paid for entirely by donations from users like - you. - -grade: stable # must be 'stable' to release into candidate/stable channels. switch to devel in snap branch. -confinement: classic -icon: snap/gui/riseupvpn.svg - -parts: - - bitmask: - plugin: python - python-version: python2 - source-branch: master - source: https://0xacab.org/leap/bitmask-dev.git - requirements: pkg/requirements-vpn.pip - stage-packages: - # this seems to trigger https://bugs.launchpad.net/snapcraft/+bug/1676684 - - python2.7-dev - - libsqlcipher-dev - - libffi-dev - - libsqlite3-dev - - libzmq3-dev - prime: - - -usr/include - - -usr/lib/locale - - -usr/share/X11/locale - - -usr/share/doc - - -usr/share/locale - - -usr/share/man - #- -usr/share/icons - openvpn: - plugin: nil - stage-packages: - - openvpn - prime: - - -usr/share/doc - - -usr/share/man - bitmask-systray: - plugin: go - source: https://0xacab.org/leap/bitmask-systray.git - build-packages: - - pkg-config - - patchelf - - libzmq5 - - libzmq3-dev - - libsodium-dev - - libappindicator3-dev - - libgtk-3-dev - stage-packages: - - libzmq5 - - libsodium18 - - libappindicator3-1 - install: | - TRIPLET_PATH="$SNAPCRAFT_PART_INSTALL/usr/lib/$(gcc -print-multiarch)" - LIBZMQ=$(readlink -n $TRIPLET_PATH/libzmq.so.5) - LIBSOD=$(readlink -n $TRIPLET_PATH/libsodium.so.18) - ln -s "../usr/lib/$(gcc -print-multiarch)/$LIBZMQ" $SNAPCRAFT_PART_INSTALL/bin/libzmq.so.5 - ln -s "../usr/lib/$(gcc -print-multiarch)/$LIBSOD" $SNAPCRAFT_PART_INSTALL/bin/libsodium.so.18 - patchelf --set-rpath /snap/riseup-vpn/current/bin/ $SNAPCRAFT_PART_INSTALL/bin/bitmask-systray.git - prime: - - -usr/include - - -usr/lib/locale - - -usr/share/X11/locale - - 
-usr/share/doc - - -usr/share/locale - - -usr/share/man - #- -usr/share/icons - desktop-gtk3: - prime: - - -usr/include - - -usr/lib/locale - - -usr/share/X11/locale - - -usr/share/doc - - -usr/share/locale - - -usr/share/man - #- -usr/share/icons - - '*' - -apps: - launcher: - command: ./bin/bitmask_anonvpn - openvpn: - command: ./usr/sbin/openvpn - bitmaskd: - command: ./bin/bitmaskd - bitmask-systray: - command: ./bin/bitmask-systray.git diff --git a/snap/gui/riseup-vpn.desktop b/snap/gui/riseup-vpn.desktop new file mode 100644 index 00000000..e325b204 --- /dev/null +++ b/snap/gui/riseup-vpn.desktop @@ -0,0 +1,15 @@ +[Desktop Entry] +Version=1.0 +Type=Application +Name=RiseupVPN +Comment=Anonymous VPN +Comment[es]=VPN Anonima +Comment[de]=Anonymous VPN +Path=/snap/bin +Exec=riseup-vpn.launcher +Terminal=false +Icon=/snap/riseup-vpn/current/snap/gui/riseupvpn.svg +Categories=Network;Application; +StartupNotify=true +Keywords=VPN;riseup;leap + diff --git a/snap/gui/riseupvpn.svg b/snap/gui/riseupvpn.svg new file mode 100644 index 00000000..a19c6c61 --- /dev/null +++ b/snap/gui/riseupvpn.svg @@ -0,0 +1,80 @@ + + + + + + + + + + + + image/svg+xml + + + + + + + + + + + diff --git a/snap/hooks/install b/snap/hooks/install new file mode 100755 index 00000000..95207387 --- /dev/null +++ b/snap/hooks/install 
@@ -0,0 +1,11 @@ +#!/usr/bin/env python3 +# This helper installs bitmask-root and polkit policy file +import subprocess +from base64 import decodestring as decode + +POLKIT = b'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCFET0NUWVBFIHBvbGljeWNv\nbmZpZyBQVUJMSUMKICItLy9mcmVlZGVza3RvcC8vRFREIFBvbGljeUtpdCBQb2xpY3kgQ29uZmln\ndXJhdGlvbiAxLjAvL0VOIgogImh0dHA6Ly93d3cuZnJlZWRlc2t0b3Aub3JnL3N0YW5kYXJkcy9Q\nb2xpY3lLaXQvMS9wb2xpY3ljb25maWcuZHRkIj4KPHBvbGljeWNvbmZpZz4KCiAgPHZlbmRvcj5M\nRUFQIFByb2plY3Q8L3ZlbmRvcj4KICA8dmVuZG9yX3VybD5odHRwOi8vbGVhcC5zZS88L3ZlbmRv\ncl91cmw+CgogIDxhY3Rpb24gaWQ9InNlLmxlYXAuYml0bWFzay5yaXNldXB2cG4ucG9saWN5Ij4K\nICAgIDxkZXNjcmlwdGlvbj5SdW5zIGJpdG1hc2sgaGVscGVyIHRvIGxhdW5jaCBmaXJld2FsbCBh\nbmQgb3BlbnZwbiAoUmlzZXVwVlBOKTwvZGVzY3JpcHRpb24+CiAgICA8ZGVzY3JpcHRpb24geG1s\nOmxhbmc9ImVzIj5FamVjdXRhIGVsIGFzaXN0ZW50ZSBkZSBiaXRtYXNrIHBhcmEgbGFuemFyIGVs\nIGZpcmV3YWxsIHkgb3BlbnZwbiAoUmlzZXVwVlBOKTwvZGVzY3JpcHRpb24+CiAgICA8bWVzc2Fn\nZT5SaXNldXBWUE4gbmVlZHMgdGhhdCB5b3UgYXV0aGVudGljYXRlIHRvIHN0YXJ0PC9tZXNzYWdl\nPgogICAgPG1lc3NhZ2UgeG1sOmxhbmc9ImVzIj5SaXNldXBWUE4gbmVjZXNpdGEgYXV0b3JpemFj\naW9uIHBhcmEgY29tZW56YXI8L21lc3NhZ2U+CiAgICA8aWNvbl9uYW1lPnBhY2thZ2UteC1nZW5l\ncmljPC9pY29uX25hbWU+IAogICAgPGRlZmF1bHRzPgogICAgICA8YWxsb3dfYW55PnllczwvYWxs\nb3dfYW55PgogICAgICA8YWxsb3dfaW5hY3RpdmU+eWVzPC9hbGxvd19pbmFjdGl2ZT4KICAgICAg\nPGFsbG93X2FjdGl2ZT55ZXM8L2FsbG93X2FjdGl2ZT4KICAgIDwvZGVmYXVsdHM+CiAgICA8YW5u\nb3RhdGUga2V5PSJvcmcuZnJlZWRlc2t0b3AucG9saWN5a2l0LmV4ZWMucGF0aCI+L3NuYXAvYmlu\nL3Jpc2V1cC12cG4uYml0bWFzay1yb290PC9hbm5vdGF0ZT4KICA8L2FjdGlvbj4KPC9wb2xpY3lj\nb25maWc+Cg==\n' + +with open('/usr/share/polkit-1/actions/se.leap.bitmask.riseupvpn.policy', 'w') as polkit: + lines = decode(POLKIT).split(b"\n") + for line in lines: + polkit.write(line.decode() + "\n") diff --git a/snap/hooks/remove b/snap/hooks/remove new file mode 100755 index 00000000..6aebbe10 --- /dev/null +++ b/snap/hooks/remove 
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+echo "Executing remove hook for RiseupVPN"
+rm "/usr/share/polkit-1/actions/se.leap.bitmask.snap.policy"
+echo "done"
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
new file mode 100644
index 00000000..3702bed0
--- /dev/null
+++ b/snap/snapcraft.yaml
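Review bot: The `rm` target in snap/hooks/remove, `se.leap.bitmask.snap.policy`, does not match the file the install hook writes, `/usr/share/polkit-1/actions/se.leap.bitmask.riseupvpn.policy` (also `POLKIT_SNAP` in constants.py). With `set -e`, the `rm` of a missing file makes the hook exit non-zero, and the policy that lets pkexec run bitmask-root stays on the system after the snap is removed. Suggested line: `rm -f "/usr/share/polkit-1/actions/se.leap.bitmask.riseupvpn.policy"`.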
@@ -0,0 +1,108 @@ +name: riseup-vpn +version: '0.10.5+git' +epoch: 1 +summary: RiseupVPN, secure VPN. Powered by Bitmask. +description: | + RiseupVPN is an easy, fast, and secure VPN service from riseup.net. + RiseupVPN does not require a user account, keep logs, or track you in + any way. The service is paid for entirely by donations from users like + you. + +grade: stable +confinement: classic +icon: snap/gui/riseupvpn.svg + +parts: + desktop-gtk3: + prime: + - '*' + - -usr/include + - -usr/lib/locale + - -usr/share/X11/locale + - -usr/share/doc + - -usr/share/locale + - -usr/share/man + + bitmask: + #after: [gnome-3-26, desktop-gtk3] + after: [desktop-gtk3] + plugin: python + python-version: python2 + source-branch: master + source: . + requirements: pkg/requirements-vpn.pip + stage-packages: + # this seems to trigger https://bugs.launchpad.net/snapcraft/+bug/1676684 + - python2.7-dev + - libsqlcipher-dev + - libffi-dev + - libsqlite3-dev + - libzmq3-dev + prime: + - -usr/include + - -usr/lib/locale + - -usr/share/X11/locale + - -usr/share/doc + - -usr/share/locale + - -usr/share/man + + openvpn: + plugin: nil + stage-packages: + - openvpn + prime: + - -usr/share/doc + - -usr/share/man + bitmask-systray: + after: [desktop-gtk3] + plugin: go + source: https://0xacab.org/leap/bitmask-systray.git + # prepare: XXX run systray tests here + build-packages: + - pkg-config + - patchelf + - libzmq5 + - libzmq3-dev + - libsodium-dev + - libpcre3-dev + - libappindicator3-dev + - libgtk-3-dev + stage-packages: + - libzmq5 + - libsodium18 + - libpcre3 + - libappindicator3-1 + # prime: + # prime:-etc/fonts + # prime:-usr/include + # prime:-usr/bin + # prime:-usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/ + # prime:-usr/lib/x86_64-linux-gnu/glib-2.0/ + # prime:-usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules/ + # prime:-usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/printbackends/ + # prime:-usr/lib/x86_64-linux-gnu/libgtk-3-0/gtk-query-immodules-3.0 + # 
prime:-usr/lib/x86_64-linux-gnu/libwayland-* + # prime:-usr/sbin/update-icon-caches + # prime:-usr/share/doc + # prime:-usr/share/glib-2.0/schemas + # prime:-usr/share/icons + # prime:-usr/share/lintian + # prime:-usr/share/pkgconfig + # prime:-usr/share/theme + # prime:-usr/share/mime + # prime:-usr/lib/locale + # prime:-usr/share/locale + +apps: + launcher: + command: ./bin/bitmask_anonvpn + openvpn: + command: ./usr/sbin/openvpn + bitmaskd: + command: ./bin/bitmaskd + bitmask-systray: + command: ./bin/bitmask-systray.git + environment: + LD_LIBRARY_PATH: "$SNAP/usr/lib/$(gcc -print-multiarch):$SNAP/lib/$(gcc -print-multiarch):$LD_LIBRARY_PATH" + bitmask-root: + command: ./lib/python2.7/site-packages/leap/bitmask/vpn/helpers/linux/bitmask-root diff --git a/src/leap/bitmask/vpn/constants.py b/src/leap/bitmask/vpn/constants.py index dce5e81c..a380bc3c 100644 --- a/src/leap/bitmask/vpn/constants.py +++ b/src/leap/bitmask/vpn/constants.py @@ -23,10 +23,15 @@ from leap.bitmask.system import IS_LINUX if IS_LINUX: BITMASK_ROOT_SYSTEM = '/usr/sbin/bitmask-root' BITMASK_ROOT_LOCAL = '/usr/local/sbin/bitmask-root' + # this should change when bitmask is also a snap. for now, + # snap is only RiseupVPN + BITMASK_ROOT_SNAP = '/snap/bin/riseup-vpn.bitmask-root' + OPENVPN_SYSTEM = '/usr/sbin/openvpn' OPENVPN_LOCAL = '/usr/local/sbin/leap-openvpn' # this should change when bitmask is also a snap. for now, - # snap means RiseupVPN + # snap is only RiseupVPN OPENVPN_SNAP = '/snap/bin/riseup-vpn.openvpn' POLKIT_LOCAL = '/usr/share/polkit-1/actions/se.leap.bitmask.bundle.policy' POLKIT_SYSTEM = '/usr/share/polkit-1/actions/se.leap.bitmask.policy' + POLKIT_SNAP = '/usr/share/polkit-1/actions/se.leap.bitmask.riseupvpn.policy' diff --git a/src/leap/bitmask/vpn/fw/firewall.py b/src/leap/bitmask/vpn/fw/firewall.py index 98b317b0..cc5d76d0 100644 --- a/src/leap/bitmask/vpn/fw/firewall.py +++ b/src/leap/bitmask/vpn/fw/firewall.py 
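Review bot: The `LD_LIBRARY_PATH` entry for `bitmask-systray` in snap/snapcraft.yaml ends in `:$LD_LIBRARY_PATH`, which leaves an empty element when the variable is unset; the dynamic loader treats an empty element as the current working directory, so in a classic snap libraries could be resolved from wherever the app is started. The value also depends on `$(gcc -print-multiarch)` being evaluated at run time, which needs a shell expansion step and gcc on the user's machine, and neither is guaranteed by anything visible here. Consider the build-time triplet and no inherited suffix: `LD_LIBRARY_PATH: "$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET:$SNAP/lib/$SNAPCRAFT_ARCH_TRIPLET"`.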
@@ -25,7 +25,10 @@ import subprocess from twisted.logger import Logger -from leap.bitmask.system import IS_MAC, IS_LINUX +from leap.bitmask.system import IS_MAC, IS_LINUX, IS_SNAP +from leap.bitmask.vpn.constants import BITMASK_ROOT_SYSTEM +from leap.bitmask.vpn.constants import BITMASK_ROOT_LOCAL +from leap.bitmask.vpn.constants import BITMASK_ROOT_SNAP from leap.common.events import catalog, emit_async from leap.bitmask.vpn.launchers import darwin @@ -87,11 +90,23 @@ class _LinuxFirewallManager(object): This allows us to achieve fail close on a vpn connection. """ - _SYSTEM_BITMASK_ROOT = '/usr/sbin/bitmask-root' - if os.path.isfile(_SYSTEM_BITMASK_ROOT): - BITMASK_ROOT = _SYSTEM_BITMASK_ROOT + # TODO factor out choosing a version of bitmask-root. + # together with linux vpnlauncher. + + if IS_SNAP: + # snap has its own version under /snap + BITMASK_ROOT = BITMASK_ROOT_SNAP + elif IS_STANDALONE and os.path.isfile(BITMASK_ROOT_LOCAL): + # if this is a bundle, we pick local. bundles ask to install it there. + BITMASK_ROOT = BITMASK_ROOT_LOCAL else: - BITMASK_ROOT = "/usr/local/sbin/bitmask-root" + if os.path.isfile(BITMASK_ROOT_SYSTEM): + # we can be running from the debian package, + # or some other distro. it's the maintainer responsibility to put bitmask-root there. + BITMASK_ROOT = BITMASK_ROOT_SYSTEM + else: + # as a last case, we fall back to installing into the /usr/local/sbin version. + BITMASK_ROOT = BITMASK_ROOT_LOCAL def __init__(self, remotes): """ diff --git a/src/leap/bitmask/vpn/helpers/__init__.py b/src/leap/bitmask/vpn/helpers/__init__.py index e932422d..96ec4f2e 100644 --- a/src/leap/bitmask/vpn/helpers/__init__.py +++ b/src/leap/bitmask/vpn/helpers/__init__.py 
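Review bot: The new `elif IS_STANDALONE and os.path.isfile(BITMASK_ROOT_LOCAL)` branch in the `_LinuxFirewallManager` class body uses `IS_STANDALONE`, but the import line changed in the first hunk brings in only `IS_MAC, IS_LINUX, IS_SNAP`. Unless the name is imported elsewhere in firewall.py (not visible in these hunks), the class body raises NameError at import time on every non-snap Linux install, and the fail-close firewall is lost with it. If `leap.bitmask.system` exports the flag, the fix is `from leap.bitmask.system import IS_MAC, IS_LINUX, IS_SNAP, IS_STANDALONE`; otherwise import it from the module that defines it. The class continues outside the hunk.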
@@ -18,13 +18,15 @@ if IS_LINUX: from leap.bitmask.vpn.constants import BITMASK_ROOT_SYSTEM from leap.bitmask.vpn.constants import BITMASK_ROOT_LOCAL + from leap.bitmask.vpn.constants import BITMASK_ROOT_SNAP from leap.bitmask.vpn.constants import OPENVPN_SYSTEM, OPENVPN_LOCAL from leap.bitmask.vpn.constants import OPENVPN_SNAP - from leap.bitmask.vpn.constants import POLKIT_SYSTEM, POLKIT_LOCAL + from leap.bitmask.vpn.constants import POLKIT_SYSTEM, POLKIT_LOCAL, POLKIT_SNAP from leap.bitmask.vpn.privilege import is_pkexec_in_system from leap.bitmask.vpn.privilege import LinuxPolicyChecker def install(): + print('installing bitmask helpers...') helper_from = _config.get_bitmask_helper_path() polkit_from = _config.get_bitmask_polkit_policy_path() openvpn_from = _config.get_bitmask_openvpn_path() @@ -86,7 +88,7 @@ if IS_LINUX: return True if IS_SNAP: - if os.path.isfile(BITMASK_ROOT_LOCAL): + if os.path.isfile(BITMASK_ROOT_SNAP): return True log.error('Cannot find bitmask-root in snap') return False @@ -131,12 +133,17 @@ if IS_LINUX: return False def _check_polkit_file_exist(): - # XXX: we are just checking if there is any policy file installed not - # if it's valid or if it's the correct one that will be used. - # (if LOCAL is used if /usr/local/sbin/bitmask-root is used and SYSTEM - # if /usr/sbin/bitmask-root) + """ + We are just checking if there is any policy file installed not + if it's valid or if it's the correct one that will be used. + + If LOCAL: we use /usr/local/sbin/bitmask-root + If SYSTEM: we use /usr/sbin/bitmask-root, and + if SNAP: we use /snap/bin/riseup-vpn.bitmask-root + """ return (os.path.exists(POLKIT_LOCAL) or - os.path.exists(POLKIT_SYSTEM)) + os.path.exists(POLKIT_SYSTEM) or + os.path.exists(POLKIT_SNAP)) def _exists_and_can_read(file_path): return access(file_path, R_OK) 
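Review bot: `install()` gains a bare `print('installing bitmask helpers...')` while this same commit removes a debug print from process.py. The module already has `log` (used as `log.error` in the next hunk), so `log.debug('installing bitmask helpers...')` would keep the message out of stdout. The body of install() continues outside the hunk.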
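Review bot: `_check_polkit_file_exist` returns True when any of the three policy files exists, so under a snap a leftover bundle or system policy satisfies the check even though, as the new docstring says, each policy goes with a different bitmask-root path. In that case pkexec on `BITMASK_ROOT_SNAP` would presumably not match an installed action, and the problem only surfaces later when the VPN is started. A snap-specific guard at the top, `if IS_SNAP: return os.path.exists(POLKIT_SNAP)`, makes the check answer for the helper that will actually be run; `IS_SNAP` is already used in this module.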
diff --git a/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy new file mode 100644 index 00000000..3bdf06a6 --- /dev/null +++ b/src/leap/bitmask/vpn/helpers/linux/se.leap.bitmask.riseupvpn.policy @@ -0,0 +1,23 @@ + + + + + LEAP Project + http://leap.se/ + + + Runs bitmask helper to launch firewall and openvpn (RiseupVPN) + Ejecuta el asistente de bitmask para lanzar el firewall y openvpn (RiseupVPN) + RiseupVPN needs that you authenticate to start + RiseupVPN necesita autorizacion para comenzar + package-x-generic + + yes + yes + yes + + /snap/bin/riseup-vpn.bitmask-root + + diff --git a/src/leap/bitmask/vpn/launchers/linux.py b/src/leap/bitmask/vpn/launchers/linux.py index 748fe858..db8ffce7 100644 --- a/src/leap/bitmask/vpn/launchers/linux.py +++ b/src/leap/bitmask/vpn/launchers/linux.py @@ -86,15 +86,16 @@ class LinuxVPNLauncher(VPNLauncher): class BITMASK_ROOT(object): def __call__(self): - current_version = self._version(_config.get_bitmask_helper_path()) _sys = constants.BITMASK_ROOT_SYSTEM _sys_version = 0 _local = constants.BITMASK_ROOT_LOCAL _local_version = 0 + _snap = constants.BITMASK_ROOT_SNAP + _snap_version = 0 if IS_SNAP: - return _local + return _snap if os.path.isfile(_sys): _sys_version = self._version(_sys) 
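Review bot: The three values under the policy defaults in se.leap.bitmask.riseupvpn.policy are all `yes` (the markup is stripped on this page, but the base64 copy in snap/hooks/install decodes to `allow_any`, `allow_inactive` and `allow_active` each set to `yes`), so every local account, including remote and inactive sessions, can run `/snap/bin/riseup-vpn.bitmask-root` as root through pkexec without a prompt. The README states that avoiding a prompt is the goal, but that only requires the active desktop session: `<allow_any>no</allow_any>` and `<allow_inactive>no</allow_inactive>` (or `auth_admin`) with `<allow_active>yes</allow_active>` keeps that flow and closes the rest. With the current defaults the message `RiseupVPN needs that you authenticate to start` is never shown.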
@@ -182,13 +183,22 @@ class LinuxVPNLauncher(VPNLauncher): openvpn_verb) if IS_SNAP: - return ["pkexec", "/usr/local/sbin/bitmask-root", + # cannot reference bitmask_root because 'local variable command + # referenced before assignment' XXX bug! + # this should change when bitmask is also a snap. for now, + # snap means RiseupVPN + return ["pkexec", constants.BITMASK_ROOT_SNAP, "openvpn", "start"] + command - command.insert(0, force_eval(kls.BITMASK_ROOT)) + bitmask_root = force_eval(kls.BITMASK_ROOT) + command.insert(0, bitmask_root) command.insert(1, "openvpn") command.insert(2, "start") + # this is a workaround for integration tests, since it's not + # trivial to run polkit inside docker containers. + # however, you might want to run bitmask as root under certain + # environments, like embedded devices. if os.getuid() != 0: policyChecker = LinuxPolicyChecker() pkexec = policyChecker.get_usable_pkexec() diff --git a/src/leap/bitmask/vpn/process.py b/src/leap/bitmask/vpn/process.py index 17d8fddc..d1d929d7 100644 --- a/src/leap/bitmask/vpn/process.py +++ b/src/leap/bitmask/vpn/process.py @@ -293,7 +293,6 @@ class _VPNProcess(protocol.ProcessProtocol): :rtype: list of str """ - print("GETTING COMMAND", self._launcher) try: command = self._launcher.get_vpn_command( vpnconfig=self._vpnconfig, -- cgit v1.2.3
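Review bot: The `IS_SNAP` branch builds the command with a literal `"pkexec"` and returns before the `os.getuid() != 0` / `LinuxPolicyChecker().get_usable_pkexec()` logic below it, so a snap run as root still goes through pkexec and a missing or unusable pkexec is not detected on this path. The previous hunk already makes `BITMASK_ROOT.__call__` return the snap path under `IS_SNAP`, so the special case looks removable: the common path `bitmask_root = force_eval(kls.BITMASK_ROOT)` would pick `constants.BITMASK_ROOT_SNAP` and reuse the shared pkexec handling. The `XXX bug!` comment quotes an error ('local variable command referenced before assignment') without saying which line raises it; if the early return stays, the comment should name that line. The method starts and ends outside the hunk, so this is inferred from the visible lines only.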