commit 2996fb2078cd86d101cdb32948b7d58ea5a06bca
Author: Nathan Freitas <[email protected]>
Date:   Thu Apr 17 10:16:03 2014 -0400

    ensure ipv6 packets are dropped and shell cmds exit
---
 .../torproject/android/service/TorTransProxy.java  |   96 ++++++++++++++++++--
 1 file changed, 86 insertions(+), 10 deletions(-)

diff --git a/src/org/torproject/android/service/TorTransProxy.java 
b/src/org/torproject/android/service/TorTransProxy.java
index 5a11ebf..aa30bd2 100644
--- a/src/org/torproject/android/service/TorTransProxy.java
+++ b/src/org/torproject/android/service/TorTransProxy.java
@@ -21,6 +21,8 @@ public class TorTransProxy implements TorServiceConstants {
        private TorService mTorService = null;
        private File mFileXtables = null;
        
+       private final static String ALLOW_LOCAL = " ! -o lo ! -d 127.0.0.1 ! -s 
127.0.0.1 ";
+
        public TorTransProxy (TorService torService, File fileXTables)
        {
                mTorService = torService;
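Review bot: ALLOW_LOCAL is a set of negated match clauses (`! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1`) that is appended both to REDIRECT rules and, in later hunks, to DROP/REJECT rules, so the name reads as a verb while the value is really "not loopback"; a Javadoc would stop the next reader from treating it as an ACCEPT rule. Suggest above the field: `/** iptables match clauses that exclude loopback traffic (interface lo, or src/dst exactly 127.0.0.1). Appended to rules that must not touch local traffic; note it matches 127.0.0.1 only, not the whole 127.0.0.0/8. Leading/trailing spaces are intentional because callers append without separators. */`.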
@@ -49,7 +51,31 @@ public class TorTransProxy implements TorServiceConstants {
                        
                return ipTablesPath;
        }
+       
+       public String getIp6TablesPath (Context context)
+       {
+
+               String ipTablesPath = null;
+               
+               SharedPreferences prefs = 
TorService.getSharedPrefs(context.getApplicationContext());
 
+               useSystemIpTables = 
prefs.getBoolean(TorConstants.PREF_USE_SYSTEM_IPTABLES, false);
+               
+               if (useSystemIpTables)
+               {
+                       ipTablesPath = findSystemIP6Tables();
+               }
+               else
+               {
+                       ipTablesPath = mFileXtables.getAbsolutePath();
+                       ipTablesPath += " ip6tables"; //append subcommand since 
we are using xtables now
+                       
+               }
+                       
+               return ipTablesPath;
+       
+       }
+       
        private String findSystemIPTables ()
        {
                if (mSysIptables != null)
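Review bot: When PREF_USE_SYSTEM_IPTABLES is set and findSystemIP6Tables finds neither binary it returns null (its fallback leaves the field untouched, see the next hunk), and getIp6TablesPath hands that null straight to its caller, which in a later hunk concatenates it into the command `null -A INPUT -j DROP`. Fail explicitly here instead: after the if/else add `if (ipTablesPath == null) throw new IllegalStateException("ip6tables binary not found");`. The xtables branch assumes the bundled binary understands an `ip6tables` subcommand; that cannot be confirmed from this diff, so a comment stating where that contract comes from would help. Writing `useSystemIpTables` as a field side effect mirrors getIpTablesPath above, but a local would do here.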
@@ -77,6 +103,29 @@ public class TorTransProxy implements TorServiceConstants {
                return mSysIptables;
        }
        
+
+       
+       private String findSystemIP6Tables ()
+       {
+               
+               //if the user wants us to use the built-in iptables, then we 
have to find it
+               File fileIpt = new File("/system/xbin/ip6tables");
+               
+               if (fileIpt.exists())
+                       mSysIptables = fileIpt.getAbsolutePath();
+               else
+               {
+               
+                       fileIpt = new File("/system/bin/ip6tables");
+                       
+                       if (fileIpt.exists())
+                               mSysIptables = fileIpt.getAbsolutePath();
+               }
+               
+               
+               return mSysIptables;
+       }
+       
        /*
        public int flushIptablesAll(Context context) throws Exception {
                
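Review bot: findSystemIP6Tables writes the ip6tables path into mSysIptables, the same field that findSystemIPTables caches and returns early from (its `if (mSysIptables != null)` guard is visible just above this hunk). Because setTransparentProxyingAll now calls dropAllIPv6Traffic before getIpTablesPath, a user with the system-iptables preference enabled will, as far as this diff shows, get every IPv4 rule issued through the ip6tables binary once the cache is populated, which would silently leave the IPv4 transproxy unconfigured. Give the IPv6 lookup its own cache: declare `private String mSysIp6tables = null;` next to mSysIptables and use it in both assignments and the `return` of this method. A null return when neither /system/xbin/ip6tables nor /system/bin/ip6tables exists is also passed up without any handling.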
@@ -321,6 +370,7 @@ public class TorTransProxy implements TorServiceConstants {
                        script.append(" -t nat");
                        script.append(" -A ").append(srcChainName);             
                
                                script.append(" -p tcp");
+                               script.append(ALLOW_LOCAL);
                                script.append(" -m owner --uid-owner ");
                                script.append(tApp.getUid());
                                script.append(" -m tcp --syn");
@@ -335,7 +385,7 @@ public class TorTransProxy implements TorServiceConstants {
                                script.append(" -t nat");
                                script.append(" -A ").append(srcChainName);
                                script.append(" -p udp");
-                               script.append(" ! -d 127.0.0.1"); //allow 
access to localhost
+                               script.append(ALLOW_LOCAL); //allow access to 
localhost
                                script.append(" -m owner ! --uid-owner ");
                                script.append(tApp.getUid());
                                script.append(" -m udp --dport "); 
@@ -367,7 +417,6 @@ public class TorTransProxy implements TorServiceConstants {
                                        script = new StringBuilder();
                                }
                                
-                               // Allow packets to localhost (contains all the 
port-redirected ones)
                                script.append(ipTablesPath);
                                script.append(" -t filter");
                        script.append(" -A ").append(srcChainName);
@@ -387,6 +436,7 @@ public class TorTransProxy implements TorServiceConstants {
                        script.append(" -A ").append(srcChainName);
                                script.append(" -m owner --uid-owner ");
                                script.append(tApp.getUid());                   
        
+                               script.append(ALLOW_LOCAL);
                                script.append(" -j DROP");
 
                                lastExit = executeCommand (shell, 
script.toString());
@@ -403,7 +453,7 @@ public class TorTransProxy implements TorServiceConstants {
        
        private int executeCommand (Shell shell, String cmdString) throws 
IOException, TimeoutException
        {
-               SimpleCommand cmd = new SimpleCommand(cmdString);
+               SimpleCommand cmd = new SimpleCommand(cmdString +  "|| exit");
                shell.add(cmd);
                cmd.waitForFinish();
                logMessage(cmdString + "; exit=" + cmd.getExitCode() + 
";output=" + cmd.getOutput());
@@ -523,11 +573,36 @@ public class TorTransProxy implements TorServiceConstants 
{
                 
        }
        
-       public int setTransparentProxyingAll(Context context) throws Exception 
+       public int dropAllIPv6Traffic (Context context) throws Exception
        {
+
+               String ip6tablesPath = getIp6TablesPath(context);
+               Shell shell = Shell.startRootShell();
+       
                
+       StringBuilder script;
+       
+               // Allow everything for Tor
        
-               //redirectDNSResolvConf(); //not working yet
+       script = new StringBuilder();
+               script.append(ip6tablesPath);                   
+               script.append(" -A INPUT -j DROP");
+               executeCommand (shell, script.toString());
+
+               script = new StringBuilder();
+               script.append(ip6tablesPath);                   
+               script.append(" -A OUTPUT -j DROP");
+               int lastExit = executeCommand (shell, script.toString());
+               
+               shell.close();
+               
+               return lastExit;
+       }
+       
+       public int setTransparentProxyingAll(Context context) throws Exception 
+       {
+               
+               dropAllIPv6Traffic(context);
                
                String ipTablesPath = getIpTablesPath(context);
                
@@ -567,7 +642,7 @@ public class TorTransProxy implements TorServiceConstants {
                script.append(" -t nat");
                script.append(" -A ").append(srcChainName);
                script.append(" -p tcp");
-               script.append(" ! -d 127.0.0.1"); //allow access to localhost
+               script.append(ALLOW_LOCAL); //allow access to localhost
                script.append(" -m owner ! --uid-owner ");
                script.append(torUid);
                script.append(" -m tcp --syn");
@@ -582,7 +657,7 @@ public class TorTransProxy implements TorServiceConstants {
                script.append(" -t nat");
                script.append(" -A ").append(srcChainName);
                script.append(" -p udp");
-               script.append(" ! -d 127.0.0.1"); //allow access to localhost
+               script.append(ALLOW_LOCAL); //allow access to localhost
                script.append(" -m owner ! --uid-owner ");
                script.append(torUid);
                script.append(" -m udp --dport "); 
@@ -684,17 +759,18 @@ public class TorTransProxy implements TorServiceConstants 
{
                script = new StringBuilder();
                
                
-               // Reject all other outbound UDP packets
+               // Reject all other packets
                script.append(ipTablesPath);
                script.append(" -t filter");
                script.append(" -A ").append(srcChainName);
                script.append(" -m owner ! --uid-owner ");
                script.append(torUid);
-               script.append(" -j DROP");
+               script.append(ALLOW_LOCAL); //allow access to localhost
+               script.append(" -j REJECT");
 
                int lastExit = executeCommand (shell, script.toString());
                
-               fixTransproxyLeak (context);
+       //      fixTransproxyLeak (context);
                
                shell.close();
                
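Review bot: `//      fixTransproxyLeak (context);` disables the leak fix with no explanation in the code or the commit message; if the REJECT rule above now covers it, say so in a comment and delete the line rather than keep dead code, and if it is disabled because it breaks something, leave a one-line reason and a tracking reference (ISSUE-PLACEHOLDER). The switch from `-j DROP` to `-j REJECT` on the catch-all rule also deserves a why-comment, e.g. `// REJECT rather than DROP so non-Tor apps fail immediately instead of timing out`, if that is the intent; the rule's chain and the rest of the function are outside the hunk.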


