From 0c2f23bd8a76ec8e36639c965ccc15303bd66b10 Mon Sep 17 00:00:00 2001
From: Kali Kaneko <kali@leap.se>
Date: Mon, 5 May 2014 12:18:09 -0500
Subject: use bitmask-root to bring up the firewall

---
 src/leap/bitmask/services/eip/linuxvpnlauncher.py | 23 ++++++++++-------
 src/leap/bitmask/services/eip/vpnprocess.py       | 30 ++++++++++++++++++++++-
 2 files changed, 43 insertions(+), 10 deletions(-)

(limited to 'src/leap/bitmask')

diff --git a/src/leap/bitmask/services/eip/linuxvpnlauncher.py b/src/leap/bitmask/services/eip/linuxvpnlauncher.py
index 988970a5..ef670303 100644
--- a/src/leap/bitmask/services/eip/linuxvpnlauncher.py
+++ b/src/leap/bitmask/services/eip/linuxvpnlauncher.py
@@ -101,7 +101,12 @@ leapfile = lambda f: "%s/%s" % (SYSTEM_CONFIG, f)
 
 class LinuxVPNLauncher(VPNLauncher):
     PKEXEC_BIN = 'pkexec'
+
+    # FIXME should get the absolute path to openvpn. See #5592
     OPENVPN_BIN = 'openvpn'
+    BITMASK_ROOT = "/usr/sbin/bitmask-root"
+
+    # FIXME get ABSOLUTE PATH
     OPENVPN_BIN_PATH = os.path.join(
         get_path_prefix(), "..", "apps", "eip", OPENVPN_BIN)
 
@@ -114,23 +119,23 @@ class LinuxVPNLauncher(VPNLauncher):
         OPENVPN_DOWN_ROOT_BASE,
         OPENVPN_DOWN_ROOT_FILE)
 
-    UPDOWN_FILE = "vpn-updown"
-
-    # vpn-up and vpn-down are hard-links to vpn-updown
-    UP_FILE = "vpn-up"
-    DOWN_FILE = "vpn-down"
-    UP_SCRIPT = leapfile(UP_FILE)
-    DOWN_SCRIPT = leapfile(DOWN_FILE)
-
+    # XXX Should be able to pick the right resolvconf script
+    # on the fly.
     RESOLV_UPDATE_FILE = "resolv-update"
     RESOLV_UPDATE_SCRIPT = leapfile(RESOLV_UPDATE_FILE)
 
     RESOLVCONF_FILE = "update-resolv-conf"
     RESOLVCONF_SCRIPT = leapfile(RESOLVCONF_FILE)
 
+    UP_SCRIPT = RESOLVCONF_SCRIPT
+    DOWN_SCRIPT = RESOLVCONF_SCRIPT
+
     UPDOWN_FILES = (UP_SCRIPT, DOWN_SCRIPT)
+
+    # XXX GET BOTH POLKIT FILES: the one for vpn and the other for the wrapper
     POLKIT_PATH = LinuxPolicyChecker.get_polkit_path()
-    OTHER_FILES = (POLKIT_PATH, RESOLV_UPDATE_SCRIPT, RESOLVCONF_SCRIPT)
+    OTHER_FILES = (POLKIT_PATH, RESOLV_UPDATE_SCRIPT, RESOLVCONF_SCRIPT,
+                   BITMASK_ROOT)
 
     @classmethod
     def maybe_pkexec(kls):
diff --git a/src/leap/bitmask/services/eip/vpnprocess.py b/src/leap/bitmask/services/eip/vpnprocess.py
index c7b8071c..71a21cdb 100644
--- a/src/leap/bitmask/services/eip/vpnprocess.py
+++ b/src/leap/bitmask/services/eip/vpnprocess.py
@@ -21,6 +21,7 @@ import logging
 import os
 import shutil
 import socket
+import subprocess
 import sys
 
 from itertools import chain, repeat
@@ -36,10 +37,11 @@ except ImportError:
 from leap.bitmask.config import flags
 from leap.bitmask.config.providerconfig import ProviderConfig
 from leap.bitmask.services.eip import get_vpn_launcher
+from leap.bitmask.services.eip import linuxvpnlauncher
 from leap.bitmask.services.eip.eipconfig import EIPConfig
 from leap.bitmask.services.eip.udstelnet import UDSTelnet
 from leap.bitmask.util import first
-from leap.bitmask.platform_init import IS_MAC
+from leap.bitmask.platform_init import IS_MAC, IS_LINUX
 from leap.common.check import leap_assert, leap_assert_type
 
 logger = logging.getLogger(__name__)
@@ -181,6 +183,14 @@ class VPN(object):
             logger.info("Another vpn process is running. Will try to stop it.")
             vpnproc.stop_if_already_running()
 
+        # XXX we try to bring the firewall up
+        if IS_LINUX:
+            firewall_up = self._launch_firewall()
+            if not firewall_up:
+                logger.error("Could not bring firewall up, "
+                             "aborting openvpn launch.")
+                return
+
         cmd = vpnproc.getCommand()
         env = os.environ
         for key, val in vpnproc.vpn_env.items():
@@ -198,6 +208,24 @@ class VPN(object):
         self._pollers.extend(poll_list)
         self._start_pollers()
 
+    def _launch_firewall(self):
+        """
+        Launch the firewall using the privileged wrapper.
+
+        :returns: True if the exitcode of calling the root helper in a
+                  subprocess is 0.
+        :rtype: bool
+        """
+        # XXX this is a temporary solution for being able to use the root
+        # helper while we still control the openvpn process.
+
+        # XXX could check for wrapper existence, check it's root owned etc.
+        # XXX could check that the iptables rules are in place.
+
+        BM_ROOT = linuxvpnlauncher.LinuxVPNLauncher.BITMASK_ROOT
+        exitCode = subprocess.call([BM_ROOT, "firewall", "start"])
+        return True if exitCode is 0 else False
+
     def _kill_if_left_alive(self, tries=0):
         """
         Check if the process is still alive, and sends a
-- 
cgit v1.2.3