summaryrefslogtreecommitdiff
path: root/src/leap/bitmask
diff options
context:
space:
mode:
authorKali Kaneko <kali@leap.se>2014-05-05 12:18:09 -0500
committerKali Kaneko <kali@leap.se>2014-05-12 11:25:01 -0500
commit0c2f23bd8a76ec8e36639c965ccc15303bd66b10 (patch)
treed1f34757f9a2ebf478b069d6f6d48cdf20f82b2b /src/leap/bitmask
parent71936c911502abdb6411e614bf2eabc06ca8d367 (diff)
use bitmask-root to bring up the firewall
Diffstat (limited to 'src/leap/bitmask')
-rw-r--r--src/leap/bitmask/services/eip/linuxvpnlauncher.py23
-rw-r--r--src/leap/bitmask/services/eip/vpnprocess.py30
2 files changed, 43 insertions, 10 deletions
diff --git a/src/leap/bitmask/services/eip/linuxvpnlauncher.py b/src/leap/bitmask/services/eip/linuxvpnlauncher.py
index 988970a5..ef670303 100644
--- a/src/leap/bitmask/services/eip/linuxvpnlauncher.py
+++ b/src/leap/bitmask/services/eip/linuxvpnlauncher.py
@@ -101,7 +101,12 @@ leapfile = lambda f: "%s/%s" % (SYSTEM_CONFIG, f)
class LinuxVPNLauncher(VPNLauncher):
PKEXEC_BIN = 'pkexec'
+
+ # FIXME should get the absolute path to openvpn. See #5592
OPENVPN_BIN = 'openvpn'
+ BITMASK_ROOT = "/usr/sbin/bitmask-root"
+
+ # FIXME get ABSOLUTE PATH
OPENVPN_BIN_PATH = os.path.join(
get_path_prefix(), "..", "apps", "eip", OPENVPN_BIN)
@@ -114,23 +119,23 @@ class LinuxVPNLauncher(VPNLauncher):
OPENVPN_DOWN_ROOT_BASE,
OPENVPN_DOWN_ROOT_FILE)
- UPDOWN_FILE = "vpn-updown"
-
- # vpn-up and vpn-down are hard-links to vpn-updown
- UP_FILE = "vpn-up"
- DOWN_FILE = "vpn-down"
- UP_SCRIPT = leapfile(UP_FILE)
- DOWN_SCRIPT = leapfile(DOWN_FILE)
-
+ # XXX Should be able to pick the right resolvconf script
+ # on the fly.
RESOLV_UPDATE_FILE = "resolv-update"
RESOLV_UPDATE_SCRIPT = leapfile(RESOLV_UPDATE_FILE)
RESOLVCONF_FILE = "update-resolv-conf"
RESOLVCONF_SCRIPT = leapfile(RESOLVCONF_FILE)
+ UP_SCRIPT = RESOLVCONF_SCRIPT
+ DOWN_SCRIPT = RESOLVCONF_SCRIPT
+
UPDOWN_FILES = (UP_SCRIPT, DOWN_SCRIPT)
+
+ # XXX GET BOTH POLKIT FILES: the one for vpn and the other for the wrapper
POLKIT_PATH = LinuxPolicyChecker.get_polkit_path()
- OTHER_FILES = (POLKIT_PATH, RESOLV_UPDATE_SCRIPT, RESOLVCONF_SCRIPT)
+ OTHER_FILES = (POLKIT_PATH, RESOLV_UPDATE_SCRIPT, RESOLVCONF_SCRIPT,
+ BITMASK_ROOT)
@classmethod
def maybe_pkexec(kls):
diff --git a/src/leap/bitmask/services/eip/vpnprocess.py b/src/leap/bitmask/services/eip/vpnprocess.py
index c7b8071c..71a21cdb 100644
--- a/src/leap/bitmask/services/eip/vpnprocess.py
+++ b/src/leap/bitmask/services/eip/vpnprocess.py
@@ -21,6 +21,7 @@ import logging
import os
import shutil
import socket
+import subprocess
import sys
from itertools import chain, repeat
@@ -36,10 +37,11 @@ except ImportError:
from leap.bitmask.config import flags
from leap.bitmask.config.providerconfig import ProviderConfig
from leap.bitmask.services.eip import get_vpn_launcher
+from leap.bitmask.services.eip import linuxvpnlauncher
from leap.bitmask.services.eip.eipconfig import EIPConfig
from leap.bitmask.services.eip.udstelnet import UDSTelnet
from leap.bitmask.util import first
-from leap.bitmask.platform_init import IS_MAC
+from leap.bitmask.platform_init import IS_MAC, IS_LINUX
from leap.common.check import leap_assert, leap_assert_type
logger = logging.getLogger(__name__)
@@ -181,6 +183,14 @@ class VPN(object):
logger.info("Another vpn process is running. Will try to stop it.")
vpnproc.stop_if_already_running()
+ # XXX we try to bring the firewall up
+ if IS_LINUX:
+ firewall_up = self._launch_firewall()
+ if not firewall_up:
+ logger.error("Could not bring firewall up, "
+ "aborting openvpn launch.")
+ return
+
cmd = vpnproc.getCommand()
env = os.environ
for key, val in vpnproc.vpn_env.items():
@@ -198,6 +208,24 @@ class VPN(object):
self._pollers.extend(poll_list)
self._start_pollers()
+ def _launch_firewall(self):
+ """
+ Launch the firewall using the privileged wrapper.
+
+ :returns: True if the exitcode of calling the root helper in a
+ subprocess is 0.
+ :rtype: bool
+ """
+ # XXX this is a temporary solution for being able to use the root
+ # helper while we still control the openvpn process.
+
+ # XXX could check for wrapper existence, check it's root owned etc.
+ # XXX could check that the iptables rules are in place.
+
+ BM_ROOT = linuxvpnlauncher.LinuxVPNLauncher.BITMASK_ROOT
+ exitCode = subprocess.call([BM_ROOT, "firewall", "start"])
+ return True if exitCode is 0 else False
+
def _kill_if_left_alive(self, tries=0):
"""
Check if the process is still alive, and sends a