Today's Topics:
1. Re: [RFC] vpn: Restrict connman-vpnd capabilities (Patrik Flykt)
2. Re: [PATCH] vpn: Add an optional configuration option to the
VPN plugin for choosing the device type. (Patrik Flykt)
----------------------------------------------------------------------
Message: 1
Date: Mon, 08 Feb 2016 11:08:02 +0200
From: Patrik Flykt <[email protected]>
To: Andrew Bibb <[email protected]>
Cc: [email protected]
Subject: Re: [RFC] vpn: Restrict connman-vpnd capabilities
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"
Hi,
On Sun, 2016-02-07 at 13:26 -0500, Andrew Bibb wrote:
> Actually need to remove all three lines, not just the two I mentioned.
> I reverted the file back to the way it was in 1.30, and I initially
> thought it was only the two lines that were different.
>
> Sorry about the initial misinformation.
>
> -
> Andrew
>
> On 2/7/2016 10:51 AM, Andrew Bibb wrote:
> > I'm sorry about being late to the party, but now that 1.31 is out I've
> > discovered that this change seems to make OpenVPN not work. I had an
> > OpenVPN config file that works fine in 1.30 but not 1.31. Removing the
> > ProtectHome and ProtectSystem lines from the .service file allows
> > OpenVPN to work in 1.31.
> >
> > I also have a functional PPTP config file and that works in both 1.30
> > and 1.31 without modification.
> >
> > Thanks
> > Andrew
> >
> > On 12/1/2015 8:32 AM, Patrik Flykt wrote:
> >> Have systemd set /home and /run/users read only, as VPN certificates can
> >> also be stored in these directories. Protect other directories in the
> >> system by also making them read only. The directory options also affect
> >> all VPN applications started by connman-vpnd.
> >>
> >> Restrict capabilities to a subset necessary for normal operations.
> >> ---
> >>
> >> ProtectSystem=full means the VPN applications cannot write anything to
> >> /usr or /etc. Let's hope this works out for all VPN daemons.
> >>
> >> Please test,
> >>
> >> Patrik
> >>
> >>
> >> vpn/connman-vpn.service.in | 3 +++
> >> 1 file changed, 3 insertions(+)
> >>
> >> diff --git a/vpn/connman-vpn.service.in b/vpn/connman-vpn.service.in
> >> index 120245e..e98fb71 100644
> >> --- a/vpn/connman-vpn.service.in
> >> +++ b/vpn/connman-vpn.service.in
> >> @@ -6,6 +6,9 @@ Type=dbus
> >> BusName=net.connman.vpn
> >> ExecStart=@sbindir@/connman-vpnd -n
> >> StandardOutput=null
> >> +CapabilityBoundingSet=CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE
> >> CAP_NET_RAW
> >> +ProtectHome=read-only
> >> +ProtectSystem=full
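Review bot: the commit message describes ProtectHome= as covering /home and /run/users, but systemd's ProtectHome=read-only makes /home, /root and /run/user read-only, so the description should name those three paths. The CapabilityBoundingSet= line also appears here split across two lines, with CAP_NET_RAW on a line of its own; if the committed unit is wrapped the same way, systemd parses "CAP_NET_RAW" as a separate invalid line and the capability is dropped, so please confirm the file keeps the whole list on one line. Finally, since both Protect* settings are inherited by every helper connman-vpnd spawns (the message says so itself), it would help to state which VPN daemons were verified to write only under /var and /run; the follow-up report in this thread that OpenVPN stops working until ProtectHome= and ProtectSystem= are removed suggests at least one of them writes elsewhere.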
Where does your openvpn instance store its config? Where does it write
its temporary files? A decently configured system should only write
to /var/, as by definition all the other locations should be read-only.
There should not be anything a system wide daemon needs from /home/
either.
Might it be that the capabilities were causing this?
Cheers,
Patrik
------------------------------
Message: 2
Date: Mon, 08 Feb 2016 12:13:49 +0200
From: Patrik Flykt <[email protected]>
To: Hendrik Donner <[email protected]>
Cc: [email protected]
Subject: Re: [PATCH] vpn: Add an optional configuration option to the
VPN plugin for choosing the device type.
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"
Hi,
On Wed, 2016-02-03 at 19:56 +0100, Hendrik Donner wrote:
> On 01/10/2016 03:50 PM, Hendrik Donner wrote:
> > This allows the use of virtual tap devices and removes the hardcoded default to
> > virtual tun devices.
> >
> > Signed-off-by: Hendrik Donner <[email protected]>
> > ---
> > Only tested with OpenVPN. I have no idea if one of the other VPN plugins
> > would benefit from tap device support.
> >
> > doc/connman-vpn-provider.config.5.in | 6 +++++-
> > doc/vpn-config-format.txt | 2 ++
> > vpn/plugins/openvpn.c | 2 +-
> > vpn/plugins/vpn.c | 18 ++++++++++++------
> > 4 files changed, 20 insertions(+), 8 deletions(-)
> >
> > diff --git a/doc/connman-vpn-provider.config.5.in
> > b/doc/connman-vpn-provider.config.5.in
> > index 5393260..c50fc46 100644
> > --- a/doc/connman-vpn-provider.config.5.in
> > +++ b/doc/connman-vpn-provider.config.5.in
> > @@ -48,12 +48,16 @@ VPN server IP address.
> > .BI Domain= domain
> > Domain name for the VPN service.
> > .TP
> > -The following field is optional:
> > +The following fields are optional:
> > .TP
> > .BI Networks= network / netmask / gateway [,...]
> > Networks behind the VPN. If all traffic should go through the VPN, this
> > field can be left out. The gateway can be left out. For IPv6 addresses,
> > only the prefix length is accepted as the netmask.
> > +.TP
> > +.BI DeviceType= tun \fR|\fB tap
> > +Whether the VPN should use a tun (OSI layer 3) or tap (OSI layer 2) device.
> > +Defaults to tun if omitted.
> > .SS OpenConnect
> > The following keys can be used for \fBopenconnect\fP(8) networks:
> > .TP
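Review bot: the new DeviceType= entry is placed in the generic optional-field section of the man page, but in this patch the value is only wired into the OpenVPN plugin (--dev-type); a reader of the OpenConnect section that follows would assume it applies there too. Either state in the entry which VPN types honour it, or move it under the provider-specific sections that do.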
The man page changes could be in their own patch.
> > diff --git a/doc/vpn-config-format.txt b/doc/vpn-config-format.txt
> > index 1f5bac8..e33acfc 100644
> > --- a/doc/vpn-config-format.txt
> > +++ b/doc/vpn-config-format.txt
> > @@ -44,6 +44,8 @@ VPN related parameters (M = mandatory, O = optional):
> > is network/netmask/gateway. The gateway can be left out. (O)
> > Example: 192.168.100.0/24/10.1.0.1,192.168.200.0/255.255.255.0/10.1.0.2
> > For IPv6 addresses only prefix length is accepted like this
> > 2001:db8::1/64
> > +- DeviceType: Whether the VPN should use a tun (OSI layer 3) or tap
> > + (OSI layer 2) device. Value is "tun" (default) or "tap" (O)
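Review bot: the entry says the value is "tun" (default) or "tap" but does not say what happens with any other value; the vpn.c change treats everything that is not exactly "tap" as tun, so either document that behaviour here or have the code reject unknown values, and keep this text and the man page entry consistent with each other.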
This documentation explains what the changes aim at, it should be the
first patch.
> > OpenConnect VPN supports following options (see openconnect(8) for
> > details):
> > Option name OpenConnect option Description
> > diff --git a/vpn/plugins/openvpn.c b/vpn/plugins/openvpn.c
> > index 9ee5795..c920dc3 100644
> > --- a/vpn/plugins/openvpn.c
> > +++ b/vpn/plugins/openvpn.c
> > @@ -71,6 +71,7 @@ struct {
> > { "OpenVPN.CompLZO", "--comp-lzo", 0 },
> > { "OpenVPN.RemoteCertTls", "--remote-cert-tls", 1 },
> > { "OpenVPN.ConfigFile", "--config", 1 },
> > + { "DeviceType", "--dev-type", 1 },
Checked the man pages, and tun/tap selection can be made for openvpn and
vpnc but not for openconnect. So this option needs to use the OpenVPN
and VPNC prefixes.
> > };
> >
> > struct nameserver_entry {
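Review bot: this table row passes the raw DeviceType value straight to openvpn as --dev-type, which only accepts "tun" or "tap", while vpn.c separately interprets the same key and silently falls back to a tun device for any value other than "tap"; a misspelled value therefore creates a tun interface and then has openvpn fail at startup. Validate the key once in vpn_connect and derive the --dev-type argument from the validated result rather than reading the key in two places.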
> > @@ -362,7 +363,6 @@ static int ov_connect(struct vpn_provider *provider,
> > connman_task_get_path(task));
> >
> > connman_task_add_argument(task, "--dev", if_name);
> > - connman_task_add_argument(task, "--dev-type", "tun");
> >
> > connman_task_add_argument(task, "--persist-tun", NULL);
> >
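Review bot: removing the hardcoded "--dev-type tun" leaves openvpn with no --dev-type at all when DeviceType is omitted, because the new table row only emits the option for a key that is set, and the interface vpn.c creates is named vpn%d rather than tun*/tap*, so openvpn cannot infer the type from the name. The documented tun default therefore needs an explicit fallback here, e.g. keep emitting --dev-type with "tun" when the key is absent.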
> > diff --git a/vpn/plugins/vpn.c b/vpn/plugins/vpn.c
> > index 1b5af6e..a031c42 100644
> > --- a/vpn/plugins/vpn.c
> > +++ b/vpn/plugins/vpn.c
> > @@ -56,6 +56,7 @@ struct vpn_data {
> > unsigned int watch;
> > enum vpn_state state;
> > struct connman_task *task;
> > + int tun_flags;
> > };
> >
> > struct vpn_driver_data {
> > @@ -89,7 +90,7 @@ static int stop_vpn(struct vpn_provider *provider)
> > return 0;
> >
> > memset(&ifr, 0, sizeof(ifr));
> > - ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
> > + ifr.ifr_flags = data->tun_flags | IFF_NO_PI;
> > sprintf(ifr.ifr_name, "%s", data->if_name);
> >
> > fd = open("/dev/net/tun", O_RDWR | O_CLOEXEC);
> > @@ -335,7 +336,7 @@ static DBusMessage *vpn_notify(struct connman_task
> > *task,
> > return NULL;
> > }
> >
> > -static int vpn_create_tun(struct vpn_provider *provider)
> > +static int vpn_create_tun(struct vpn_provider *provider, int flags)
> > {
> > struct vpn_data *data = vpn_provider_get_data(provider);
> > struct ifreq ifr;
> > @@ -355,7 +356,7 @@ static int vpn_create_tun(struct vpn_provider *provider)
> > }
> >
> > memset(&ifr, 0, sizeof(ifr));
> > - ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
> > + ifr.ifr_flags = flags | IFF_NO_PI;
> >
> > for (i = 0; i < 256; i++) {
> > sprintf(ifr.ifr_name, "vpn%d", i);
> > @@ -371,6 +372,7 @@ static int vpn_create_tun(struct vpn_provider *provider)
> > goto exist_err;
> > }
> >
> > + data->tun_flags = flags;
> > data->if_name = (char *)g_strdup(ifr.ifr_name);
> > if (!data->if_name) {
> > connman_error("Failed to allocate memory");
> > @@ -411,8 +413,8 @@ static int vpn_connect(struct vpn_provider *provider,
> > {
> > struct vpn_data *data = vpn_provider_get_data(provider);
> > struct vpn_driver_data *vpn_driver_data;
> > - const char *name;
> > - int ret = 0;
> > + const char *name, *tun;
> > + int ret = 0, tun_flags = IFF_TUN;
> > enum vpn_state state = VPN_STATE_UNKNOWN;
> >
> > if (data)
> > @@ -460,7 +462,11 @@ static int vpn_connect(struct vpn_provider *provider,
> > }
> >
> > if (vpn_driver_data->vpn_driver->flags != VPN_FLAG_NO_TUN) {
> > - ret = vpn_create_tun(provider);
> > + tun = vpn_provider_get_string(provider, "DeviceType");
As only the specific VPN implementation knows about the variable name,
there then needs to be a function that the VPN implementation can use
that will set this flag.
> > + if (g_str_equal(tun, "tap")) {
> > + tun_flags = IFF_TAP;
> > + }
> > + ret = vpn_create_tun(provider, tun_flags);
> > if (ret < 0)
> > goto exist_err;
> > }
> >
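Review bot: g_str_equal() dereferences both arguments, so when DeviceType is not set (the documented default) vpn_provider_get_string() returns NULL and this line crashes connman-vpnd; use g_strcmp0(tun, "tap") == 0, which treats NULL as unequal. The braces around the single-statement if also differ from the surrounding style (compare the "if (ret < 0) goto exist_err;" just below).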
>
> Ping, I got no reaction so far.
Yes, lost in my inbox. Sorry!
Patrik
------------------------------
End of connman Digest, Vol 4, Issue 10