summaryrefslogtreecommitdiff
path: root/src/leap/bitmask/vpn/fw/osx
diff options
context:
space:
mode:
Diffstat (limited to 'src/leap/bitmask/vpn/fw/osx')
-rwxr-xr-xsrc/leap/bitmask/vpn/fw/osx/bitmask-helper438
-rw-r--r--src/leap/bitmask/vpn/fw/osx/bitmask.pf.conf17
2 files changed, 0 insertions, 455 deletions
diff --git a/src/leap/bitmask/vpn/fw/osx/bitmask-helper b/src/leap/bitmask/vpn/fw/osx/bitmask-helper
deleted file mode 100755
index 2990219..0000000
--- a/src/leap/bitmask/vpn/fw/osx/bitmask-helper
+++ /dev/null
@@ -1,438 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-#
-# Author: Kali Kaneko
-# Copyright (C) 2015-2017 LEAP Encryption Access Project
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-"""
-This is a privileged helper script for safely running certain commands as root
-under OSX.
-
-It should be run by launchd, and it exposes a Unix Domain Socket to where
-the following commmands can be written by the Bitmask application:
-
- firewall_start [restart] GATEWAY1 GATEWAY2 ...
- firewall_stop
- openvpn_start CONFIG1 CONFIG1 ...
- openvpn_stop
- fw_email_start uid
- fw_email_stop
-
-To load it manually:
-
- sudo launchctl load /Library/LaunchDaemons/se.leap.bitmask-helper
-
-To see the loaded rules:
-
- sudo pfctl -s rules -a bitmask
-
-To test the commands, you can write directly to the unix socket. Remember to
-terminate the command properly:
-
- echo 'firewall_stop/CMD' | socat - UNIX-CONNECT:/tmp/bitmask-helper.socket
-
-"""
-import os
-import socket
-import signal
-import subprocess
-import syslog
-import threading
-
-from commands import getoutput as exec_cmd
-from functools import partial
-
-import daemon
-
-VERSION = "1"
-SCRIPT = "bitmask-helper"
-NAMESERVER = "10.42.0.1"
-BITMASK_ANCHOR = "com.apple/250.BitmaskFirewall"
-BITMASK_ANCHOR_EMAIL = "bitmask_email"
-
-OPENVPN_USER = 'nobody'
-OPENVPN_GROUP = 'nogroup'
-LEAPOPENVPN = 'LEAPOPENVPN'
-APP_PATH = '/Applications/Bitmask.app/'
-RESOURCES_PATH = APP_PATH + 'Contents/Resources/'
-OPENVPN_LEAP_BIN = RESOURCES_PATH + 'openvpn.leap'
-
-FIXED_FLAGS = [
- "--setenv", "LEAPOPENVPN", "1",
- "--nobind",
- "--client",
- "--tls-client",
- "--remote-cert-tls", "server",
- "--management-signal",
- "--script-security", "1",
- "--user", "nobody",
- "--remap-usr1", "SIGTERM",
- "--group", OPENVPN_GROUP,
-]
-
-ALLOWED_FLAGS = {
- "--remote": ["IP", "NUMBER", "PROTO"],
- "--tls-cipher": ["CIPHER"],
- "--cipher": ["CIPHER"],
- "--auth": ["CIPHER"],
- "--management": ["DIR", "UNIXSOCKET"],
- "--management-client-user": ["USER"],
- "--cert": ["FILE"],
- "--key": ["FILE"],
- "--ca": ["FILE"],
- "--fragment": ["NUMBER"]
-}
-
-PARAM_FORMATS = {
- "NUMBER": lambda s: re.match("^\d+$", s),
- "PROTO": lambda s: re.match("^(tcp|udp)$", s),
- "IP": lambda s: is_valid_address(s),
- "CIPHER": lambda s: re.match("^[A-Z0-9-]+$", s),
- "USER": lambda s: re.match(
- "^[a-zA-Z0-9_\.\@][a-zA-Z0-9_\-\.\@]*\$?$", s), # IEEE Std 1003.1-2001
- "FILE": lambda s: os.path.isfile(s),
- "DIR": lambda s: os.path.isdir(os.path.split(s)[0]),
- "UNIXSOCKET": lambda s: s == "unix",
- "UID": lambda s: re.match("^[a-zA-Z0-9]+$", s)
-}
-
-#
-# paths (must use absolute paths, since this script is run as root)
-#
-
-PFCTL = '/sbin/pfctl'
-ROUTE = '/sbin/route'
-AWK = '/usr/bin/awk'
-GREP = '/usr/bin/grep'
-CAT = '/bin/cat'
-
-UID = os.getuid()
-SERVER_ADDRESS = '/tmp/bitmask-helper.socket'
-
-
-#
-# COMMAND DISPATCH
-#
-
-def serve_forever():
- try:
- os.unlink(SERVER_ADDRESS)
- except OSError:
- if os.path.exists(SERVER_ADDRESS):
- raise
-
- syslog.syslog(syslog.LOG_WARNING, "serving forever")
- # XXX should check permissions on the socket file
- sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
- sock.bind(SERVER_ADDRESS)
- sock.listen(1)
- syslog.syslog(syslog.LOG_WARNING, "Binded to %s" % SERVER_ADDRESS)
-
- while True:
- connection, client_address = sock.accept()
- thread = threading.Thread(target=handle_command, args=[connection])
- thread.daemon = True
- thread.start()
-
-def recv_until_marker(sock):
- end = '/CMD'
- total_data=[]
- data=''
- while True:
- data=sock.recv(8192)
- if end in data:
- total_data.append(data[:data.find(end)])
- break
- total_data.append(data)
- if len(total_data)>1:
- #check if end_of_data was split
- last_pair=total_data[-2]+total_data[-1]
- if end in last_pair:
- total_data[-2] = last_pair[:last_pair.find(end)]
- total_data.pop()
- break
- return ''.join(total_data)
-
-
-def handle_command(sock):
- syslog.syslog(syslog.LOG_WARNING, "handle")
-
- received = recv_until_marker(sock)
- syslog.syslog(syslog.LOG_WARNING, "GOT -----> %s" % received)
- line = received.replace('\n', '').split(' ')
-
- command, args = line[0], line[1:]
- syslog.syslog(syslog.LOG_WARNING, 'command %s' % (command))
-
- cmd_dict = {
- 'firewall_start': (firewall_start, args),
- 'firewall_stop': (firewall_stop, []),
- 'firewall_isup': (firewall_isup, []),
- 'openvpn_start': (openvpn_start, args),
- 'openvpn_stop': (openvpn_stop, []),
- 'openvpn_force_stop': (openvpn_stop, ['KILL']),
- 'openvpn_set_watcher': (openvpn_set_watcher, args)
- }
-
- cmd_call = cmd_dict.get(command, None)
- syslog.syslog(syslog.LOG_WARNING, 'call: %s' % (str(cmd_call)))
- try:
- if cmd_call:
- syslog.syslog(
- syslog.LOG_WARNING, 'GOT "%s"' % (command))
- cmd, args = cmd_call
- if args:
- cmd = partial(cmd, *args)
-
- # TODO Use a MUTEX in here
- result = cmd()
- syslog.syslog(syslog.LOG_WARNING, "Executed")
- syslog.syslog(syslog.LOG_WARNING, "Result: %s" % (str(result)))
- if result == 'YES':
- sock.sendall("%s: YES\n" % command)
- elif result == 'NO':
- sock.sendall("%s: NO\n" % command)
- else:
- sock.sendall("%s: OK\n" % command)
-
- else:
- syslog.syslog(syslog.LOG_WARNING, 'invalid command: %s' % (command,))
- sock.sendall("%s: ERROR\n" % command)
- except Exception as exc:
- syslog.syslog(syslog.LOG_WARNING, "error executing function %r" % (exc))
- finally:
- sock.close()
-
-
-
-#
-# OPENVPN
-#
-
-
-openvpn_proc = None
-openvpn_watcher_pid = None
-
-
-def openvpn_start(*args):
- """
- Sanitize input and run openvpn as a subprocess of this long-running daemon.
- Keeps a reference to the subprocess Popen class instance.
-
- :param args: arguments to be passed to openvpn
- :type args: list
- """
- syslog.syslog(syslog.LOG_WARNING, "OPENVPN START")
- opts = list(args[1:])
-
- opts += ['--dhcp-option', 'DNS', '10.42.0.1',
- '--up', RESOURCES_PATH + 'client.up.sh',
- '--down', RESOURCES_PATH + 'client.down.sh']
- opts += ["--dev", "tun"]
- binary = [RESOURCES_PATH + 'openvpn.leap']
- cmd = binary + opts
- #syslog.syslog(syslog.LOG_WARNING, 'LAUNCHING VPN: ' + ' '.join(cmd))
-
- # TODO sanitize options
- global openvpn_proc
- openvpn_proc = subprocess.Popen(cmd, shell=False, bufsize=-1)
- #try:
- # result = subprocess.check_output(cmd, shell=False, stderr=subprocess.STDOUT)
- #except Exception as exc:
- # syslog.syslog(syslog.LOG_WARNING, exc.output)
- #syslog.syslog(syslog.LOG_WARNING, "OpenVPN PID: %s" % str(openvpn_proc.pid))
-
-
-def openvpn_stop(sig='TERM'):
- """
- Stop the openvpn that has been launched by this privileged helper.
-
- :param args: arguments to openvpn
- :type args: list
- """
- global openvpn_proc
-
- if openvpn_proc:
- syslog.syslog(syslog.LOG_WARNING, "OVPN PROC: %s" % str(openvpn_proc.pid))
-
- if sig == 'KILL':
- stop_signal = signal.SIGKILL
- openvpn_proc.kill()
- elif sig == 'TERM':
- stop_signal = signal.SIGTERM
- openvpn_proc.terminate()
-
- returncode = openvpn_proc.wait()
- syslog.syslog(syslog.LOG_WARNING, "openvpn return code: %s" % str(returncode))
- syslog.syslog(syslog.LOG_WARNING, "openvpn_watcher_pid: %s" % str(openvpn_watcher_pid))
- if openvpn_watcher_pid:
- os.kill(openvpn_watcher_pid, stop_signal)
-
-
-def openvpn_set_watcher(pid, *args):
- global openvpn_watcher_pid
- openvpn_watcher_pid = int(pid)
- syslog.syslog(syslog.LOG_WARNING, "Watcher PID: %s" % pid)
-
-
-#
-# FIREWALL
-#
-
-
-def firewall_start(*gateways):
- """
- Bring up the firewall.
-
- :param gws: list of gateways, to be sanitized.
- :type gws: list
- """
-
- gateways = get_gateways(gateways)
-
- if not gateways:
- return False
-
- _enable_pf()
- _reset_bitmask_gateways_table(gateways)
-
- default_device = _get_default_device()
- _load_bitmask_anchor(default_device)
-
-
-def firewall_stop():
- """
- Flush everything from anchor bitmask
- """
- cmd = '{pfctl} -a {anchor} -F all'.format(
- pfctl=PFCTL, anchor=BITMASK_ANCHOR)
- return exec_cmd(cmd)
-
-
-def firewall_isup():
- """
- Return YES if anchor bitmask is loaded with rules
- """
- syslog.syslog(syslog.LOG_WARNING, 'PID---->%s' % os.getpid())
- cmd = '{pfctl} -s rules -a {anchor} | wc -l'.format(
- pfctl=PFCTL, anchor=BITMASK_ANCHOR)
- output = exec_cmd(cmd)
- rules = output[-1]
- if int(rules) > 0:
- return 'YES'
- else:
- return 'NO'
-
-
-def _enable_pf():
- exec_cmd('{pfctl} -e'.format(pfctl=PFCTL))
-
-
-def _reset_bitmask_gateways_table(gateways):
- cmd = '{pfctl} -a {anchor} -t bitmask_gateways -T delete'.format(
- pfctl=PFCTL, anchor=BITMASK_ANCHOR)
- output = exec_cmd(cmd)
-
- for gateway in gateways:
- cmd = '{pfctl} -a {anchor} -t bitmask_gateways -T add {gw}'.format(
- pfctl=PFCTL, anchor=BITMASK_ANCHOR, gw=gateway)
- output = exec_cmd(cmd)
- syslog.syslog(syslog.LOG_WARNING, "adding gw %s" % gateway)
-
- #cmd = '{pfctl} -a {anchor} -t bitmask_nameservers -T delete'.format(
- # pfctl=PFCTL, anchor=BITMASK_ANCHOR)
- #output = exec_cmd(cmd)
-
- cmd = '{pfctl} -a {anchor} -t bitmask_gateways -T add {ns}'.format(
- pfctl=PFCTL, anchor=BITMASK_ANCHOR, ns=NAMESERVER)
- output = exec_cmd(cmd)
- syslog.syslog(syslog.LOG_WARNING, "adding ns %s" % NAMESERVER)
-
-def _load_bitmask_anchor(default_device):
- cmd = ('{pfctl} -D default_device={defaultdevice} '
- '-a {anchor} -f {rulefile}').format(
- pfctl=PFCTL, defaultdevice=default_device,
- anchor=BITMASK_ANCHOR,
- rulefile=RESOURCES_PATH + 'bitmask-helper/bitmask.pf.conf')
- syslog.syslog(syslog.LOG_WARNING, "LOADING CMD: %s" % cmd)
- return exec_cmd(cmd)
-
-
-def _get_default_device():
- """
- Retrieve the current default network device.
-
- :rtype: str
- """
- cmd_def_device = (
- '{route} -n get -net default | '
- '{grep} interface | {awk} "{{print $2}}"').format(
- route=ROUTE, grep=GREP, awk=AWK)
- iface = exec_cmd(cmd_def_device)
- iface = iface.replace("interface: ", "").strip()
- syslog.syslog(syslog.LOG_WARNING, "default device %s" % iface)
- return iface
-
-
-
-#
-# UTILITY
-#
-
-
-def is_valid_address(value):
- """
- Validate that the passed ip is a valid IP address.
-
- :param value: the value to be validated
- :type value: str
- :rtype: bool
- """
- try:
- socket.inet_aton(value)
- return True
- except Exception:
- syslog.syslog(syslog.LOG_WARNING, 'MALFORMED IP: %s!' % (value))
- return False
-
-
-#
-# FIREWALL
-#
-
-
-def get_gateways(gateways):
- """
- Filter a passed sequence of gateways, returning only the valid ones.
-
- :param gateways: a sequence of gateways to filter.
- :type gateways: iterable
- :rtype: iterable
- """
- syslog.syslog(syslog.LOG_WARNING, 'Filtering %s' % str(gateways))
- result = filter(is_valid_address, gateways)
- if not result:
- syslog.syslog(syslog.LOG_ERR, 'No valid gateways specified')
- return False
- else:
- return result
-
-
-
-if __name__ == "__main__":
- with daemon.DaemonContext():
- syslog.syslog(syslog.LOG_WARNING, "Serving...")
- serve_forever()
diff --git a/src/leap/bitmask/vpn/fw/osx/bitmask.pf.conf b/src/leap/bitmask/vpn/fw/osx/bitmask.pf.conf
deleted file mode 100644
index eb0e858..0000000
--- a/src/leap/bitmask/vpn/fw/osx/bitmask.pf.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-default_device = "en99"
-
-set block-policy drop
-set skip on lo0
-
-# block all traffic on default device
-block out on $default_device all
-
-# allow traffic to gateways
-pass out on $default_device to <bitmask_gateways>
-
-# allow traffic to local networks over the default device
-pass out on $default_device to $default_device:network
-
-# block all DNS, except to the gateways
-block out proto udp to any port 53
-pass out proto udp to <bitmask_gateways> port 53