commit b4d815f2cb8498681ffd43cbdb3d221189a89d2a
Author: n8fr8 <[email protected]>
Date: Thu Oct 25 15:29:55 2012 +0530
rewrote transproxy rules to use user-defined Orbot chain
---
.../torproject/android/service/TorTransProxy.java | 215 +++++++++++++-------
1 files changed, 138 insertions(+), 77 deletions(-)
diff --git a/src/org/torproject/android/service/TorTransProxy.java
b/src/org/torproject/android/service/TorTransProxy.java
index 78094c3..9be6cc2 100644
--- a/src/org/torproject/android/service/TorTransProxy.java
+++ b/src/org/torproject/android/service/TorTransProxy.java
@@ -13,14 +13,29 @@ import android.util.Log;
public class TorTransProxy implements TorServiceConstants {
+ private boolean useSystemIpTables = false;
+ private boolean mBundledFailed = false;
+ private String mSysIptables = null;
+ private TorService mTorService = null;
+
+ public TorTransProxy (TorService torService)
+ {
+ mTorService = torService;
+ }
+
+ public TorTransProxy ()
+ {
+ }
+
public String getIpTablesPath (Context context)
{
+
String ipTablesPath = null;
SharedPreferences prefs =
PreferenceManager.getDefaultSharedPreferences(context);
- boolean useSystemIpTables =
prefs.getBoolean(TorConstants.PREF_USE_SYSTEM_IPTABLES, false);
+ useSystemIpTables =
prefs.getBoolean(TorConstants.PREF_USE_SYSTEM_IPTABLES, false);
- if (useSystemIpTables)
+ if (useSystemIpTables || mBundledFailed)
{
ipTablesPath = findSystemIPTables();
}
@@ -33,11 +48,15 @@ public class TorTransProxy implements TorServiceConstants {
try
{
if (testOwnerModule(context,ipTablesPath) != 0)
+ {
+ mBundledFailed = true;
ipTablesPath = findSystemIPTables();
+ }
}
catch (Exception e)
{
ipTablesPath = findSystemIPTables();
+ mBundledFailed = true;
}
}
@@ -46,23 +65,29 @@ public class TorTransProxy implements TorServiceConstants {
private String findSystemIPTables ()
{
- String path = null;
-
- //if the user wants us to use the built-in iptables, then we
have to find it
- File fileIpt = new File("/system/bin/iptables");
-
- if (fileIpt.exists())
- path = fileIpt.getAbsolutePath();
+ if (mSysIptables != null)
+ {
+ return mSysIptables;
+ }
else
{
- fileIpt = new File("/system/xbin/iptables");
+ //if the user wants us to use the built-in iptables,
then we have to find it
+ File fileIpt = new File("/system/bin/iptables");
if (fileIpt.exists())
- path = fileIpt.getAbsolutePath();
+ mSysIptables = fileIpt.getAbsolutePath();
+ else
+ {
+
+ fileIpt = new File("/system/xbin/iptables");
+
+ if (fileIpt.exists())
+ mSysIptables =
fileIpt.getAbsolutePath();
+ }
}
- return path;
+ return mSysIptables;
}
/*
@@ -213,7 +238,9 @@ public class TorTransProxy implements TorServiceConstants {
code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot,
waitFor);
String msg = res.toString();
- TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp="
+ msg);
+
+ if (mTorService != null)
+ logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
return code;
@@ -244,12 +271,23 @@ public class TorTransProxy implements TorServiceConstants
{
StringBuilder res = new StringBuilder();
int code = -1;
- String modCmd = " -" + cmd + " OUTPUT";
-
- // flushIptables(context);
-
- int torUid = context.getApplicationInfo().uid;
+ String chainName = "ORBOT";
+ String jumpChainName = "OUTPUT";
+
+ if (cmd.equals("A")) //only if we are adding rules
+ {
+ script.append(ipTablesPath);
+ script.append(" -N ").append(chainName); //create user-defined
chain
+ script.append(" || exit\n");
+ script.append(ipTablesPath);
+ script.append(" -A ").append(jumpChainName);
+ script.append(" -j ").append(chainName);
+ script.append(" || exit\n");
+ }
+
+ String modCmd = " -" + cmd + " " + chainName;
+
//build up array of shell cmds to execute under one root context
for (TorifiedApp tApp:apps)
{
@@ -260,11 +298,11 @@ public class TorTransProxy implements TorServiceConstants
{
) //if app is set to true
{
- TorService.logMessage("enabling transproxy for
app: " + tApp.getUsername() + "(" + tApp.getUid() + ")");
+ logMessage("enabling transproxy for app: " +
tApp.getUsername() + "(" + tApp.getUid() + ")");
// Set up port redirection
script.append(ipTablesPath);
- script.append(modCmd);
+ script.append(" -" + cmd + " ").append(jumpChainName);
script.append(" -t nat");
script.append(" -p tcp");
script.append(" ! -d 127.0.0.1"); //allow
access to localhost
@@ -277,7 +315,7 @@ public class TorTransProxy implements TorServiceConstants {
// Same for DNS
script.append(ipTablesPath);
- script.append(modCmd);
+ script.append(" -" + cmd + " ").append(jumpChainName);
script.append(" -t nat");
script.append(" -p udp -m owner --uid-owner ");
script.append(tApp.getUid());
@@ -316,20 +354,6 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" -j ACCEPT");
script.append(" || exit\n");
- // Reject DNS that is not from Tor (order is
important - first matched rule counts!)
- /*
- script.append(ipTablesPath);
- script.append(modCmd);
- script.append(" -t filter");
- script.append(" -m owner --uid-owner ");
- script.append(tApp.getUid());
- script.append(" -p udp");
- script.append(" --dport ");
- script.append(STANDARD_DNS_PORT);
- script.append(" -j REJECT");
- script.append(" || exit\n");
- */
-
// Reject all other outbound TCP packets
script.append(ipTablesPath);
script.append(modCmd);
@@ -353,24 +377,32 @@ public class TorTransProxy implements TorServiceConstants
{
script.append(" || exit\n");
}
- }
+ }
- /*
- // Allow everything for Tor
- script.append(ipTablesPath);
- script.append(modCmd);
- script.append(" -t filter");
- script.append(" -m owner --uid-owner ");
- script.append(torUid);
- script.append(" -j ACCEPT");
- script.append(" || exit\n");
- */
+ if (cmd.equals("D"))
+ {
+
+ script.append(ipTablesPath);
+ script.append(" --flush ").append(chainName); //delete previous
user-defined chain
+ script.append(" || exit\n");
+
+ script.append(ipTablesPath);
+ script.append(" -D ").append(jumpChainName);
+ script.append(" -j ").append(chainName);
+ script.append(" || exit\n");
+
+ script.append(ipTablesPath);
+ script.append(" -X ").append(chainName); //delete previous
user-defined chain
+ script.append(" || exit\n");
+
+ }
String[] cmdAdd = {script.toString()};
code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot,
waitFor);
String msg = res.toString();
- TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp="
+ msg);
+
+ logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
return code;
}
@@ -471,12 +503,20 @@ public class TorTransProxy implements TorServiceConstants
{
code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot,
waitFor);
String msg = res.toString();
- TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp="
+ msg);
+ logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
return code;
}
+ private void logMessage (String msg)
+ {
+ if (mTorService != null)
+ mTorService.logMessage(msg);
+ else
+ Log.w(TorConstants.TAG,msg);
+ }
+
public int setTransparentProxyingAll(Context context) throws Exception
{
return modifyTransparentProxyingAll(context, "A");
@@ -490,6 +530,7 @@ public class TorTransProxy implements TorServiceConstants {
public int modifyTransparentProxyingAll(Context context, String cmd)
throws Exception
{
+
boolean runRoot = true;
boolean waitFor = true;
@@ -502,13 +543,26 @@ public class TorTransProxy implements TorServiceConstants
{
StringBuilder res = new StringBuilder();
int code = -1;
- //flushIptables(context);
-
int torUid = context.getApplicationInfo().uid;
+ String chainName = "ORBOT";
+ String jumpChainName = "OUTPUT";
+
+ if (cmd.equals("A")) //only if we are adding rules
+ {
+ script.append(ipTablesPath);
+ script.append(" -N ").append(chainName); //create user-defined
chain
+ script.append(" || exit\n");
+
+ script.append(ipTablesPath);
+ script.append(" -A ").append(jumpChainName);
+ script.append(" -j ").append(chainName);
+ script.append(" || exit\n");
+ }
+
// Allow everything for Tor
script.append(ipTablesPath);
- script.append(" -" + cmd + " OUTPUT");
+ script.append(" -" + cmd + " ").append(chainName);
script.append(" -t filter");
script.append(" -m owner --uid-owner ");
script.append(torUid);
@@ -517,7 +571,7 @@ public class TorTransProxy implements TorServiceConstants {
// Set up port redirection
script.append(ipTablesPath);
- script.append(" -" + cmd + " OUTPUT");
+ script.append(" -" + cmd + " ").append(jumpChainName);
script.append(" -t nat");
script.append(" -p tcp");
script.append(" ! -d 127.0.0.1"); //allow access to localhost
@@ -530,7 +584,7 @@ public class TorTransProxy implements TorServiceConstants {
// Same for DNS
script.append(ipTablesPath);
- script.append(" -" + cmd + " OUTPUT");
+ script.append(" -" + cmd + " ").append(jumpChainName);
script.append(" -t nat");
script.append(" -p udp -m owner ! --uid-owner ");
script.append(torUid);
@@ -546,7 +600,7 @@ public class TorTransProxy implements TorServiceConstants {
{
// Allow packets to localhost (contains all the
port-redirected ones)
script.append(ipTablesPath);
- script.append(" -" + cmd + " OUTPUT");
+ script.append(" -" + cmd + " ").append(chainName);
script.append(" -t filter");
script.append(" -m owner ! --uid-owner ");
script.append(torUid);
@@ -561,7 +615,7 @@ public class TorTransProxy implements TorServiceConstants {
// Allow loopback
script.append(ipTablesPath);
- script.append(" -" + cmd + " OUTPUT");
+ script.append(" -" + cmd + " ").append(chainName);
script.append(" -t filter");
script.append(" -p tcp");
script.append(" -o lo");
@@ -573,7 +627,7 @@ public class TorTransProxy implements TorServiceConstants {
{
//XXX: Comment the following rules for non-debug builds
script.append(ipTablesPath);
- script.append(" -" + cmd + " OUTPUT");
+ script.append(" -" + cmd + " ").append(chainName);
script.append(" -t filter");
script.append(" -p udp");
script.append(" --dport ");
@@ -582,33 +636,21 @@ public class TorTransProxy implements TorServiceConstants
{
script.append("
--log-prefix='ORBOT_DNSLEAK_PROTECTION'");
script.append(" --log-uid");
script.append(" || exit\n");
+
script.append(ipTablesPath);
- script.append(" -t filter");
- script.append(" -A OUTPUT");
- script.append(" -p tcp");
+ script.append(" -" + cmd + " ").append(chainName);
+ script.append(" -t filter");
+ script.append(" -p tcp");
script.append(" -j LOG");
script.append("
--log-prefix='ORBOT_TCPLEAK_PROTECTION'");
script.append(" --log-uid");
script.append(" || exit\n");
}
- // Reject DNS that is not from Tor (order is important - first
matched rule counts!)
- /*
- script.append(ipTablesPath);
- script.append(" -" + cmd + " OUTPUT");
- script.append(" -t filter");
- script.append(" -m owner ! --uid-owner ");
- script.append(torUid);
- script.append(" -p udp");
- script.append(" --dport ");
- script.append(STANDARD_DNS_PORT);
- script.append(" -j REJECT");
- script.append(" || exit\n");
- */
// Reject all other outbound TCP packets
script.append(ipTablesPath);
- script.append(" -" + cmd + " OUTPUT");
+ script.append(" -" + cmd + " ").append(chainName);
script.append(" -t filter");
script.append(" -m owner ! --uid-owner ");
script.append(torUid);
@@ -619,7 +661,7 @@ public class TorTransProxy implements TorServiceConstants {
// Reject all other outbound UDP packets
script.append(ipTablesPath);
- script.append(" -" + cmd + " OUTPUT");
+ script.append(" -" + cmd + " ").append(chainName);
script.append(" -t filter");
script.append(" -m owner ! --uid-owner ");
script.append(torUid);
@@ -628,11 +670,30 @@ public class TorTransProxy implements TorServiceConstants
{
script.append(" -j REJECT");
script.append(" || exit\n");
- String[] cmdAdd = {script.toString()};
+ if (cmd.equals("D"))
+ {
+
+ script.append(ipTablesPath);
+ script.append(" --flush ").append(chainName); //delete previous
user-defined chain
+ script.append(" || exit\n");
+
+ script.append(ipTablesPath);
+ script.append(" -D ").append(jumpChainName);
+ script.append(" -j ").append(chainName);
+ script.append(" || exit\n");
+
+ script.append(ipTablesPath);
+ script.append(" -X ").append(chainName); //delete previous
user-defined chain
+ script.append(" || exit\n");
+
+ }
+
+ String[] cmdExec = {script.toString()};
- code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot,
waitFor);
+ code = TorServiceUtils.doShellCommand(cmdExec, res, runRoot,
waitFor);
String msg = res.toString();
- TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp="
+ msg);
+
+ logMessage("Exec resp: errCode=" + code + ";resp=" + msg);
return code;
}
_______________________________________________
tor-commits mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
