From 4da63fae464086d786eaf67d9effdb70d8131a18 Mon Sep 17 00:00:00 2001
From: Christopher Laprise
Date: Sat, 30 Dec 2017 15:36:49 -0500
Subject: Add anti-leak rules for qubes-firewall

---
 src/leap/bitmask/vpn/helpers/linux/bitmask-root | 31 +++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/src/leap/bitmask/vpn/helpers/linux/bitmask-root b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
index ee838164..938fcb89 100755
--- a/src/leap/bitmask/vpn/helpers/linux/bitmask-root
+++ b/src/leap/bitmask/vpn/helpers/linux/bitmask-root
@@ -51,6 +51,7 @@ import socket
 import syslog
 import subprocess
 import sys
+import stat
 import traceback
 
 cmdcheck = subprocess.check_output
@@ -148,6 +149,18 @@ PARAM_FORMATS = {
     "UID": lambda s: re.match("^[a-zA-Z0-9]+$", s)
 }
 
+# Determine Qubes OS version, if any
+if os.path.isdir("/etc/qubes"):
+    QUBES_CFG = "/rw/config/"
+    QUBES_IPHOOK = QUBES_CFG + "qubes-ip-change-hook"
+    QUBES_FW_SCRIPT = QUBES_CFG + "qubes-firewall-user-script"
+    if subprocess.call([IPTABLES, "--list", "QBS-FORWARD"]) == 0:
+        QUBES_VER = 4
+    else:
+        QUBES_VER = 3
+else:
+    QUBES_VER = 0
+
 DEBUG = os.getenv("DEBUG")
 TEST = os.getenv("TEST")
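Review bot: The version probe `subprocess.call([IPTABLES, "--list", "QBS-FORWARD"])` sits at module level, so every invocation of bitmask-root (including commands that never touch the firewall) shells out to iptables as root, and because neither stdout nor stderr is redirected the chain listing or the "No chain" error is printed into whatever called the helper. Redirecting both streams keeps the probe silent, e.g. `subprocess.call([IPTABLES, "--list", "-n", "QBS-FORWARD"], stdout=devnull, stderr=devnull)` with `devnull = open(os.devnull, "w")`; the added `-n` also stops `--list` from attempting reverse-DNS lookups on any addresses in the chain, which can stall the probe before any tunnel is up. The detection comment would also benefit from stating what is being inferred, e.g. `# Qubes 4 creates the QBS-FORWARD chain; its absence on a Qubes host is taken to mean Qubes 3.` since the exit code is a heuristic rather than a version query. `IPTABLES` is defined outside this hunk.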
@@ -706,6 +719,24 @@ def firewall_start(args):
     ip4tables("--append", BITMASK_CHAIN, "-o", default_device, "--jump", "REJECT")
 
+    # On Qubes OS, add anti-leak rules for proxyVM qubes-firewall.service
+    # Must stay on 'top' of chain!
+    if QUBES_VER >= 3 and not os.access(QUBES_FW_SCRIPT, os.X_OK):
+        with open(QUBES_FW_SCRIPT, mode="w") as qfile:
+            qfile.write("#!/bin/sh\n")
+            qfile.write("# Anti-leak rules installed by bitmask.\n")
+            qfile.write("iptables --insert FORWARD -i eth0 -j DROP\n")
+            qfile.write("iptables --insert FORWARD -o eth0 -j DROP\n")
+            qfile.write("ip6tables --insert FORWARD -i eth0 -j DROP\n")
+            qfile.write("ip6tables --insert FORWARD -o eth0 -j DROP\n")
+        os.chmod(QUBES_FW_SCRIPT, stat.S_IRWXU)
+        if not os.path.exists(QUBES_IPHOOK):
+            os.symlink(QUBES_FW_SCRIPT, QUBES_IPHOOK)
+        if QUBES_VER = 4:
+            run(QUBES_FW_SCRIPT)
+        elif QUBES_VER = 3:
+            run("systemctl", ["restart", "qubes-firewall.service"])
+
 
 def firewall_stop():
     """
-- 
cgit v1.2.3
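Review bot: `if QUBES_VER = 4:` and `elif QUBES_VER = 3:` use assignment where a comparison is meant, which is a SyntaxError in Python, so the whole bitmask-root helper stops parsing on every platform, not just on Qubes; they must read `if QUBES_VER == 4:` and `elif QUBES_VER == 3:`. The install is also guarded by `not os.access(QUBES_FW_SCRIPT, os.X_OK)`, so on a host that already has an executable qubes-firewall-user-script the anti-leak DROP rules are silently never written and nothing is logged, which defeats the leak protection without any signal; a syslog line in that branch would make the skipped state visible. The generated rules hard-code `eth0` while the rest of firewall_start works with `default_device`, so the comment above them should at least state the assumption, e.g. `# Assumes the ProxyVM's upstream interface is eth0; the rules are a no-op if it is named otherwise.`. The script is written to persistent `/rw/config/` and firewall_stop is not touched by this commit, so whether the DROP rules are meant to outlive the VPN session (fail-closed) is worth stating in the comment. firewall_start begins outside the hunk.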