[orbot/master] Merge branch 'fixiptables' of https://github.com/Unpublished/orbot into Unpublished-fixiptables

2 Mar 2017

commit 970710d03cbe5ef167c71c6f4329e134cbd28224
Merge: ff61d66 639bc32
Author: Nathan Freitas <nathan@freitas.net>
Date:   Fri Jan 13 22:13:10 2017 -0500

    Merge branch 'fixiptables' of https://github.com/Unpublished/orbot into Unpublished-fixiptables

 .../android/service/transproxy/TorTransProxy.java  | 27 ++++++++--------------
 1 file changed, 10 insertions(+), 17 deletions(-)

diff --cc orbotservice/src/main/java/org/torproject/android/service/transproxy/TorTransProxy.java
index da0a4a7,0000000..ca6d830
mode 100644,000000..100644

--- a/orbotservice/src/main/java/org/torproject/android/service/transproxy/TorTransProxy.java
+++ b/orbotservice/src/main/java/org/torproject/android/service/transproxy/TorTransProxy.java
@@@ -1,1004 -1,0 +1,997 @@@
 +package org.torproject.android.service.transproxy;
 +
 +import java.io.DataOutputStream;
 +import java.io.File;
 +import java.io.IOException;
 +import java.util.ArrayList;
 +import java.util.Arrays;
 +import java.util.Collections;
 +import java.util.Iterator;
 +import java.util.List;
 +import java.util.StringTokenizer;
 +
 +import android.content.Context;
 +import android.content.SharedPreferences;
 +import android.content.pm.ApplicationInfo;
 +import android.content.pm.PackageInfo;
 +import android.content.pm.PackageManager;
 +
 +import org.sufficientlysecure.rootcommands.Shell;
 +import org.sufficientlysecure.rootcommands.command.SimpleCommand;
 +import org.torproject.android.service.OrbotConstants;
 +import org.torproject.android.service.util.Prefs;
 +import org.torproject.android.service.TorService;
 +import org.torproject.android.service.TorServiceConstants;
 +
 +public class TorTransProxy implements TorServiceConstants {
 +	
 +	private String mSysIptables = null;
 +	private TorService mTorService = null;
 +	private File mFileXtables = null;
 +	
 +	private final static String ALLOW_LOCAL = " ! -d 127.0.0.1";
 +
 +	private int mTransProxyPort = TOR_TRANSPROXY_PORT_DEFAULT;
 +	private int mDNSPort = TOR_DNS_PORT_DEFAULT;
 +
 +	private Shell mShell;
 +
 +    public TorTransProxy (TorService torService, File fileXTables) throws IOException
 +	{
 +		mTorService = torService;
 +		mFileXtables = fileXTables;
 +
 +		// start root shell
 +		mShell = Shell.startRootShell();
 +
 +	}
 +
 +    public static boolean testRoot () throws IOException
 +    {
 +        Runtime.getRuntime().exec("su");
 +        return true;
 +    }
 +	
 +	public void setTransProxyPort (int transProxyPort)
 +	{
 +		mTransProxyPort = transProxyPort;
 +	}
 +	
 +	public void setDNSPort (int dnsPort)
 +	{
 +		mDNSPort = dnsPort;
 +	}
 +	
 +	public String getIpTablesPath (Context context)
 +	{
 +
 +		String ipTablesPath = null;
 +
 +		if (Prefs.useSystemIpTables())
 +		{
 +			ipTablesPath = findSystemIPTables();
 +		}
 +		else
 +		{
 +			ipTablesPath = mFileXtables.getAbsolutePath();
 +			ipTablesPath += " iptables"; //append subcommand since we are using xtables now
 +			
 +		}
 +			
 +		return ipTablesPath;
 +	}
 +	
 +	public String getIp6TablesPath (Context context)
 +	{
 +
 +		String ipTablesPath = null;
 +		
 +		if (Prefs.useSystemIpTables())
 +		{
 +			ipTablesPath = findSystemIP6Tables();
 +		}
 +		else
 +		{
 +			ipTablesPath = mFileXtables.getAbsolutePath();
 +			ipTablesPath += " ip6tables"; //append subcommand since we are using xtables now
 +			
 +		}
 +			
 +		return ipTablesPath;
 +	
 +	}
 +	
 +	private String findSystemIPTables ()
 +	{
- 		if (mSysIptables != null)
- 		{
- 			return mSysIptables;
- 		}
++
++		//if the user wants us to use the built-in iptables, then we have to find it
++		File fileIpt = new File("/system/xbin/iptables");
++
++		if (fileIpt.exists())
++			mSysIptables = fileIpt.getAbsolutePath();
 +		else
 +		{
- 		
- 			//if the user wants us to use the built-in iptables, then we have to find it
- 			File fileIpt = new File("/system/xbin/iptables");
- 			
++
++			fileIpt = new File("/system/bin/iptables");
++
 +			if (fileIpt.exists())
 +				mSysIptables = fileIpt.getAbsolutePath();
- 			else
- 			{
- 			
- 				fileIpt = new File("/system/bin/iptables");
- 				
- 				if (fileIpt.exists())
- 					mSysIptables = fileIpt.getAbsolutePath();
- 			}
 +		}
- 		
++
 +		return mSysIptables;
 +	}
 +	
 +
 +	
 +	private String findSystemIP6Tables ()
 +	{
 +		
 +		//if the user wants us to use the built-in iptables, then we have to find it
 +		File fileIpt = new File("/system/xbin/ip6tables");
 +		
 +		if (fileIpt.exists())
 +			mSysIptables = fileIpt.getAbsolutePath();
 +		else
 +		{
 +		
 +			fileIpt = new File("/system/bin/ip6tables");
 +			
 +			if (fileIpt.exists())
 +				mSysIptables = fileIpt.getAbsolutePath();
 +		}
 +		
 +		
 +		return mSysIptables;
 +	}
 +	
 +	/*
 +	public int flushIptablesAll(Context context) throws Exception {
 +		
 +		String ipTablesPath = getIpTablesPath(context);
 +	
 +    	final StringBuilder script = new StringBuilder();
 +    	
 +    	StringBuilder res = new StringBuilder();
 +    	int code = -1;
 +
 +		script.append(ipTablesPath);
 +		script.append(" -t nat");
 +		script.append(" -F || exit\n");
 +	
 +		script.append(ipTablesPath);
 +		script.append(" -t filter");
 +		script.append(" -F || exit\n");
 +    	
 +    	String[] cmd = {script.toString()};	    	
 +		code = TorServiceUtils.doShellCommand(cmd, res, true, true);		
 +		String msg = res.toString();
 +		
 +		TorService.logMessage(cmd[0] + ";errCode=" + code + ";resp=" + msg);
 +			
 +		
 +		return code;
 +	
 +	}*/
 +	
 +	/*
 +	public static int purgeIptablesByApp(Context context, TorifiedApp[] apps) throws Exception {
 +
 +		//restoreDNSResolvConf(); //not working yet
 +		
 +		String ipTablesPath = new File(context.getDir("bin", 0),"iptables").getAbsolutePath();
 +		
 +    	final StringBuilder script = new StringBuilder();
 +    	
 +    	StringBuilder res = new StringBuilder();
 +    	int code = -1;
 +    	
 +		for (int i = 0; i < apps.length; i++)
 +		{
 +			//flush nat for every app
 +			script.append(ipTablesPath);
 +			script.append(" -t nat -m owner --uid-owner ");
 +			script.append(tApp.getUid());
 +			script.append(" -F || exit\n");
 +    public static ArrayList<TorifiedApp> getApps (Context context, SharedPreferences prefs)
 +    {
 +
 +        String tordAppString = prefs.getString(PREFS_KEY_TORIFIED, "");
 +        String[] tordApps;
 +
 +        StringTokenizer st = new StringTokenizer(tordAppString,"|");
 +        tordApps = new String[st.countTokens()];
 +        int tordIdx = 0;
 +        while (st.hasMoreTokens())
 +        {
 +            tordApps[tordIdx++] = st.nextToken();
 +        }
 +
 +        Arrays.sort(tordApps);
 +
 +        //else load the apps up
 +        PackageManager pMgr = context.getPackageManager();
 +
 +        List<ApplicationInfo> lAppInfo = pMgr.getInstalledApplications(0);
 +
 +        Iterator<ApplicationInfo> itAppInfo = lAppInfo.iterator();
 +
 +        ArrayList<TorifiedApp> apps = new ArrayList<TorifiedApp>();
 +
 +        ApplicationInfo aInfo = null;
 +
 +        int appIdx = 0;
 +        TorifiedApp app = null;
 +
 +        while (itAppInfo.hasNext())
 +        {
 +            aInfo = itAppInfo.next();
 +
 +            app = new TorifiedApp();
 +
 +            try {
 +                PackageInfo pInfo = pMgr.getPackageInfo(aInfo.packageName, PackageManager.GET_PERMISSIONS);
 +
 +                if (pInfo != null && pInfo.requestedPermissions != null)
 +                {
 +                    for (String permInfo:pInfo.requestedPermissions)
 +                    {
 +                        if (permInfo.equals("android.permission.INTERNET"))
 +                        {
 +                            app.setUsesInternet(true);
 +
 +                        }
 +                    }
 +
 +                }
 +
 +
 +            } catch (Exception e) {
 +                // TODO Auto-generated catch block
 +                e.printStackTrace();
 +            }
 +
 +            if ((aInfo.flags & ApplicationInfo.FLAG_SYSTEM) == 1)
 +            {
 +                //System app
 +                app.setUsesInternet(true);
 +            }
 +
 +
 +            if (!app.usesInternet())
 +                continue;
 +            else
 +            {
 +                apps.add(app);
 +            }
 +
 +
 +            app.setEnabled(aInfo.enabled);
 +            app.setUid(aInfo.uid);
 +            app.setUsername(pMgr.getNameForUid(app.getUid()));
 +            app.setProcname(aInfo.processName);
 +            app.setPackageName(aInfo.packageName);
 +
 +            try
 +            {
 +                app.setName(pMgr.getApplicationLabel(aInfo).toString());
 +            }
 +            catch (Exception e)
 +            {
 +                app.setName(aInfo.packageName);
 +            }
 +
 +
 +            //app.setIcon(pMgr.getApplicationIcon(aInfo));
 +
 +            // check if this application is allowed
 +            if (Arrays.binarySearch(tordApps, app.getUsername()) >= 0) {
 +                app.setTorified(true);
 +            }
 +            else
 +            {
 +                app.setTorified(false);
 +            }
 +
 +            appIdx++;
 +        }
 +
 +        Collections.sort(apps);
 +
 +        return apps;
 +    }
 +
 +		
 +			script.append(ipTablesPath);
 +			script.append(" -t filter -m owner --uid-owner ");
 +			script.append(tApp.getUid());
 +			script.append(" -F || exit\n");
 +				
 +		}
 +		
 +    	
 +    	String[] cmd = {script.toString()};	    	
 +		code = TorServiceUtils.doShellCommand(cmd, res, true, true);		
 +		String msg = res.toString();
 +		logNotice(cmd[0] + ";errCode=" + code + ";resp=" + msg);
 +			
 +		
 +		return code;
 +		
 +	}*/
 +	
 +	
 +	/*
 +	 // 9/19/2010 - NF This code is in process... /etc path on System partition
 +	 // is read-only on Android for now.
 +	public static int redirectDNSResolvConf () throws Exception
 +	{
 +    	StringBuilder script = new StringBuilder();
 +    	StringBuilder res = new StringBuilder();
 +    	int code = -1;
 +    	
 +		//mv resolv.conf to resolve.conf.bak
 +		String cmd = "mv /etc/resolv.conf /etc/resolv.conf.bak";
 +		script.append(cmd);
 +		
 +		//create new resolve.conf pointing to localhost/127.0.0.1
 +		cmd = "echo \"nameserver 127.0.0.1\" > /etc/resolv.conf";
 +		script.append(cmd);
 +		
 +		String[] cmdFlush = {script.toString()};
 +		code = TorServiceUtils.doShellCommand(cmdFlush, res, true, true);
 +		//String msg = res.toString(); //get stdout from command
 +		
 +		
 +		return code;
 +	}
 +	
 +	public static int restoreDNSResolvConf () throws Exception
 +	{
 +		StringBuilder script = new StringBuilder();
 +    	StringBuilder res = new StringBuilder();
 +    	int code = -1;
 +    	
 +		//mv resolv.conf to resolve.conf.bak
 +		String cmd = "mv /etc/resolv.conf.bak /etc/resolv.conf";
 +		script.append(cmd);
 +		script.append(" || exit\n");
 +		
 +		String[] cmdFlush = {script.toString()};
 +		code = TorServiceUtils.doShellCommand(cmdFlush, res, true, true);
 +		//String msg = res.toString(); //get stdout from command
 +		
 +		return code;
 +	}
 +	*/
 +	/*
 +	public int testOwnerModule(Context context, String ipTablesPath) throws Exception
 +	{
 +
 +		TorBinaryInstaller.assertIpTablesBinaries(context, false);
 +		
 +		boolean runRoot = true;
 +    	boolean waitFor = true;
 +    	
 +    	int torUid = context.getApplicationInfo().uid;
 +
 +    	StringBuilder script = new StringBuilder();
 +    	
 +    	StringBuilder res = new StringBuilder();
 +    	int code = -1;
 +    	
 +    	// Allow everything for Tor
 +		script.append(ipTablesPath);
 +		script.append(" -A OUTPUT");
 +		script.append(" -t filter");
 +		script.append(" -m owner --uid-owner ");
 +		script.append(torUid);
 +		script.append(" -j ACCEPT");
 +		script.append(" || exit\n");
 +		
 +		script.append(ipTablesPath);
 +		script.append(" -D OUTPUT");
 +		script.append(" -t filter");
 +		script.append(" -m owner --uid-owner ");
 +		script.append(torUid);
 +		script.append(" -j ACCEPT");
 +		script.append(" || exit\n");
 +		
 +		String[] cmdAdd = {script.toString()};    	
 +    	
 +		code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
 +		String msg = res.toString();
 +		
 +		if (mTorService != null)
 +		logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
 +		
 +		
 +		return code;
 +    }	
 +	*/
 +	
 +	/*
 +	public int clearTransparentProxyingByApp (Context context, ArrayList<TorifiedApp> apps) throws Exception
 +	{
 +		boolean runRoot = true;
 +    	boolean waitFor = true;
 +    	
 +		String ipTablesPath = getIpTablesPath(context);
 +		
 +    	StringBuilder script = new StringBuilder();
 +    	
 +    	StringBuilder res = new StringBuilder();
 +    	int code = -1;
 +    	
 +    	String chainName = "ORBOT";
 +		String jumpChainName = "OUTPUT";
 +		
 +		script.append(ipTablesPath);
 +    	script.append(" --flush ").append(chainName); //delete previous user-defined chain
 +    	script.append(" || exit\n");
 +    	
 +		script.append(ipTablesPath);
 +    	script.append(" -D ").append(jumpChainName);
 +    	script.append(" -j ").append(chainName);
 +    	script.append(" || exit\n");
 +    	
 +    	script.append(ipTablesPath);
 +    	script.append(" -X ").append(chainName); //delete previous user-defined chain
 +    	script.append(" || exit\n");
 +
 +		String[] cmdAdd = {script.toString()};    	
 +    		
 +		code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
 +		String msg = res.toString();
 +		
 +		logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
 +		
 +		return code;
 +	}*/
 +	
 +	public int setTransparentProxyingByApp(Context context, ArrayList<TorifiedApp> apps, boolean enableRule) throws Exception
 +	{
 +		String ipTablesPath = getIpTablesPath(context);
 +		
 +    	//StringBuilder script = new StringBuilder();
 +    	
 +		String action = " -A ";
 +    	String srcChainName = "OUTPUT";
 +
 +		if (!enableRule)
 +			action = " -D ";
 +		
 +    	//run the delete commands in a separate process as it might error out
 +    	//String[] cmdExecClear = {script.toString()};    	    	
 +		//code = TorServiceUtils.doShellCommand(cmdExecClear, res, runRoot, waitFor);
 +		
 +		//reset script
 +		
 +    	int lastExit = -1;
 +    	StringBuilder script;    	
 +    	
 +
 +		// Same for DNS
 +		script = new StringBuilder();
 +		script.append(ipTablesPath);
 +		script.append(" -t nat");
 +		script.append(action).append(srcChainName);
 +		script.append(" -p udp");
 +		//script.append(" -m owner --uid-owner ");
 +		//script.append(tApp.getUid());
 +		//script.append(" -m udp --dport "); 
 +		script.append(" --dport ");
 +		script.append(STANDARD_DNS_PORT);
 +		script.append(" -j REDIRECT --to-ports ");
 +		script.append(mDNSPort);
 +		executeCommand (script.toString());
 +		
 +    	// Allow everything for Tor
 +    	
 +		//build up array of shell cmds to execute under one root context
 +		for (TorifiedApp tApp:apps)
 +		{
 +
 +			if (((!enableRule) || tApp.isTorified())
 +					&& (!tApp.getUsername().equals(TOR_APP_USERNAME))
 +					) //if app is set to true
 +			{
 +				
 +				
 +				logMessage("transproxy for app: " + tApp.getUsername() + " (" + tApp.getUid() + "): enable=" + enableRule);
 +				
 +				dropAllIPv6Traffic(context, tApp.getUid(),enableRule);
 +				
 +		    	script = new StringBuilder();
 +
 +				// Allow loopback
 +		    	/**
 +				script.append(ipTablesPath);
 +				script.append(" -t filter");
 +		        script.append(action).append(srcChainName);
 +				script.append(" -m owner --uid-owner ");
 +				script.append(tApp.getUid());
 +				script.append(" -o lo");
 +				script.append(" -j ACCEPT");
 +
 +				executeCommand (shell, script.toString());
 +				script = new StringBuilder();
 +				**/
 +				
 +				// Set up port redirection
 +		    	script.append(ipTablesPath);
 +		    	script.append(" -t nat");
 +		    	script.append(action).append(srcChainName);				
 +				script.append(" -p tcp");
 +				script.append(ALLOW_LOCAL);
 +				script.append(" -m owner --uid-owner ");
 +				script.append(tApp.getUid());
 +				script.append(" -m tcp --syn");
 +				script.append(" -j REDIRECT --to-ports ");
 +				script.append(mTransProxyPort);
 +				
 +				executeCommand (script.toString());
 +				
 +				
 +				script = new StringBuilder();
 +				
 +				// Reject all other outbound packets
 +				script.append(ipTablesPath);
 +				script.append(" -t filter");
 +		        script.append(action).append(srcChainName);
 +				script.append(" -m owner --uid-owner ");
 +				script.append(tApp.getUid());				
 +				script.append(ALLOW_LOCAL);
 +				script.append(" -j REJECT");
 +
 +				lastExit = executeCommand (script.toString());
 +				
 +		
 +			}		
 +		}		
 +		
 +		return lastExit;
 +    }	
 +	
 +	private int executeCommand (String cmdString) throws Exception {
 +
 +		SimpleCommand command = new SimpleCommand(cmdString);
 +
 +		mShell.add(command).waitForFinish();
 +
 +		logMessage("Command Exec: " + cmdString);
 +		logMessage("Output: " + command.getOutput());
 +		logMessage("Exit code: " + command.getExitCode());
 +		
 +		return 0;
 +	}
 +
 +    public void closeShell () throws IOException
 +    {
 +        mShell.close();
 +    }
 +
 +	public int enableTetheringRules (Context context) throws Exception
 +	{
 +		
 +		String ipTablesPath = getIpTablesPath(context);
 +		
 +    	StringBuilder script = new StringBuilder();
 +    
 +    	String[] hwinterfaces = {"usb0","wl0.1"};
 +    	
 +    	
 +    	int lastExit = -1;
 +    	
 +    	for (int i = 0; i < hwinterfaces.length; i++)
 +    	{
 +
 +			script = new StringBuilder();
 +	    	script.append(ipTablesPath);
 +			script.append(" -t nat -A PREROUTING -i ");
 +			script.append(hwinterfaces[i]);
 +			script.append(" -p udp --dport 53 -j REDIRECT --to-ports ");
 +			script.append(mDNSPort);
 +			
 +			executeCommand (script.toString());
 +			script = new StringBuilder();
 +			
 +			
 +			script = new StringBuilder();
 +			script.append(ipTablesPath);
 +			script.append(" -t nat -A PREROUTING -i ");
 +			script.append(hwinterfaces[i]);
 +			script.append(" -p tcp -j REDIRECT --to-ports ");
 +			script.append(mTransProxyPort);
 +			
 +			lastExit = executeCommand (script.toString());
 +			script = new StringBuilder();
 +			
 +			
 +    	}
 +    	
 +		return lastExit;
 +	}
 +	
 +	private void logMessage (String msg)
 +	{
 +		if (mTorService != null)
 +			mTorService.debug(msg);
 +	}
 +	
 +
 +	
 +	public int fixTransproxyLeak (Context context) throws Exception
 +	{
 +		String ipTablesPath = getIpTablesPath(context);
 +		
 +    	StringBuilder script = new StringBuilder();
 +    	script.append(ipTablesPath);
 +		script.append(" -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP");
 +		
 +		executeCommand (script.toString());
 +		script = new StringBuilder();
 +		
 +		script = new StringBuilder();
 +		script.append(ipTablesPath);
 +		script.append(" -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP");
 +		
 +		int lastExit = executeCommand (script.toString());
 +		script = new StringBuilder();
 +		
 +		return lastExit;
 +		 
 +	}
 +	
 +	public int dropAllIPv6Traffic (Context context, int appUid, boolean enableDrop) throws Exception {
 +
 +		String action = " -A ";
 +		String chain = "OUTPUT";
 +		
 +		if (!enableDrop)
 +			action = " -D ";
 +		
 +		String ip6tablesPath = getIp6TablesPath(context);
 +    	
 +    	StringBuilder script;
 +
 +		script = new StringBuilder();
 +		script.append(ip6tablesPath);			
 +		script.append(action);
 +		script.append(chain);
 +
 +		if (appUid != -1)
 +		{
 +			script.append(" -m owner --uid-owner ");
 +			script.append(appUid);	
 +		}
 +		
 +		script.append(" -j DROP");
 +		
 +		int lastExit = executeCommand (script.toString());
 +		
 +		return lastExit;
 +	}
 +	
 +	/*
 +	public int clearAllIPv6Filters (Context context) throws Exception
 +	{
 +
 +		String ip6tablesPath = getIp6TablesPath(context);
 +		Shell shell = Shell.startRootShell();
 +    	
 +    	StringBuilder script;
 +
 +		script = new StringBuilder();
 +		script.append(ip6tablesPath);			
 +		script.append(" -t filter");
 +		script.append(" -F OUTPUT");
 +		int lastExit = executeCommand (shell, script.toString());
 +		
 +		shell.close();
 +		
 +		return lastExit;
 +	}*/
 +	
 +	public int flushTransproxyRules (Context context) throws Exception {
 +		int exit = -1;
 +		
 +		String ipTablesPath = getIpTablesPath(context);
 +
 +		StringBuilder script = new StringBuilder();
 +		script.append(ipTablesPath);			
 +		script.append(" -t nat ");
 +		script.append(" -F ");
 +		
 +    	executeCommand (script.toString());
 +		
 +		script = new StringBuilder();
 +		script.append(ipTablesPath);			
 +		script.append(" -t filter ");
 +		script.append(" -F ");
 +		executeCommand (script.toString());
 +		
 +		dropAllIPv6Traffic(context,-1,false);
 +		dropAllIPv6Traffic(context,-1,false);
 +
 +		
 +		return exit;
 +	}
 +	
 +	public int setTransparentProxyingAll(Context context, boolean enable) throws Exception
 +	{
 +	  	
 +		String action = " -A ";
 +    	String srcChainName = "OUTPUT";
 +
 +		if (!enable)
 +			action = " -D ";
 +
 +		dropAllIPv6Traffic(context,-1,enable);
 +		
 +		String ipTablesPath = getIpTablesPath(context);
 +		
 +    	
 +    	int torUid = context.getApplicationInfo().uid;
 +    	
 +    	StringBuilder script = new StringBuilder();
 +    	
 +		// Allow everything for Tor
 +    	
 +		script.append(ipTablesPath);			
 +		script.append(" -t nat");
 +		script.append(action).append(srcChainName);
 +		script.append(" -m owner --uid-owner ");
 +		script.append(torUid);
 +		script.append(" -j ACCEPT");
 +		
 +		executeCommand (script.toString());
 +		script = new StringBuilder();
 +
 +		// Allow loopback
 +		
 +		script.append(ipTablesPath);
 +		script.append(" -t nat");
 +		script.append(action).append(srcChainName);
 +		script.append(" -o lo");
 +		script.append(" -j ACCEPT");
 +
 +		executeCommand (script.toString());
 +		script = new StringBuilder();
 +		
 +    	// Set up port redirection    	
 +		script.append(ipTablesPath);		
 +		script.append(" -t nat");
 +		script.append(action).append(srcChainName);
 +		script.append(" -p tcp");
 +		script.append(ALLOW_LOCAL); //allow access to localhost
 +		script.append(" -m owner ! --uid-owner ");
 +		script.append(torUid);
 +		script.append(" -m tcp --syn");
 +		script.append(" -j REDIRECT --to-ports ");
 +		script.append(mTransProxyPort);
 +
 +		executeCommand (script.toString());
 +		script = new StringBuilder();
 +		
 +		// Same for DNS
 +		script.append(ipTablesPath);
 +		script.append(" -t nat");
 +		script.append(action).append(srcChainName);
 +		script.append(" -p udp");
 +		script.append(ALLOW_LOCAL); //allow access to localhost
 +		script.append(" -m owner ! --uid-owner ");
 +		script.append(torUid);
 +		//script.append(" -m udp --dport "); 
 +		script.append(" --dport ");
 +		script.append(STANDARD_DNS_PORT);
 +		script.append(" -j REDIRECT --to-ports ");
 +		script.append(mDNSPort);
 +
 +		executeCommand (script.toString());
 +		script = new StringBuilder();
 +		
 +
 +        /**
 +		if (Prefs.useDebugLogging())
 +		{
 +			//XXX: Comment the following rules for non-debug builds
 +			script.append(ipTablesPath);			
 +			script.append(" -t filter");
 +			script.append(action).append(srcChainName);
 +			script.append(" -p udp");
 +			script.append(" --dport ");
 +			script.append(STANDARD_DNS_PORT);
 +			script.append(" -j LOG");
 +			script.append(" --log-prefix='ORBOT_DNSLEAK_PROTECTION'");
 +			script.append(" --log-uid");
 +
 +			executeCommand (script.toString());
 +			script = new StringBuilder();
 +			
 +			script.append(ipTablesPath);			
 +			script.append(" -t filter");
 +			script.append(action).append(srcChainName);
 +	    	script.append(" -p tcp");
 +			script.append(" -j LOG");
 +			script.append(" --log-prefix='ORBOT_TCPLEAK_PROTECTION'");
 +			script.append(" --log-uid");
 +
 +			executeCommand (script.toString());
 +			script = new StringBuilder();
 +
 +		}**/
 +
 +		//allow access to transproxy port
 +		script.append(ipTablesPath);
 +		script.append(" -t filter");
 +		script.append(action).append(srcChainName);
 +		script.append(" -p tcp");
 +		script.append(" -m tcp");
 +		script.append(" --dport ").append(mTransProxyPort);
 +		script.append(" -j ACCEPT");
 +
 +		executeCommand (script.toString());
 +		script = new StringBuilder();
 +		
 +		//allow access to local HTTP port
 +		script.append(ipTablesPath);
 +		script.append(" -t filter");
 +		script.append(action).append(srcChainName);
 +		script.append(" -p tcp");
 +		script.append(" -m tcp");
 +		script.append(" --dport ").append(mTorService.getHTTPPort());
 +		script.append(" -j ACCEPT");
 +
 +		executeCommand (script.toString());
 +		script = new StringBuilder();
 +		
 +		//allow access to local SOCKS port
 +		script.append(ipTablesPath);
 +		script.append(" -t filter");
 +		script.append(action).append(srcChainName);
 +		script.append(" -p tcp");
 +		script.append(" -m tcp");
 +		script.append(" --dport ").append(mTorService.getSOCKSPort());
 +		script.append(" -j ACCEPT");
 +
 +		executeCommand (script.toString());
 +		script = new StringBuilder();
 +		
 +		//allow access to local DNS port
 +		script.append(ipTablesPath);
 +		script.append(" -t filter");
 +		script.append(action).append(srcChainName);
 +		script.append(" -p udp");
 +		script.append(" -m udp");
 +		script.append(" --dport ").append(mDNSPort);
 +		script.append(" -j ACCEPT");
 +
 +		executeCommand (script.toString());
 +		script = new StringBuilder();
 +		
 +		// Reject all other packets
 +		script.append(ipTablesPath);
 +		script.append(" -t filter");
 +		script.append(action).append(srcChainName);
 +		script.append(" -m owner ! --uid-owner ");
 +		script.append(torUid);
 +		script.append(ALLOW_LOCAL); //allow access to localhost
 +		script.append(" -j REJECT");
 +
 +		int lastExit = executeCommand (script.toString());
 +		
 +	//	fixTransproxyLeak (context);
 +		
 +    	return lastExit;
 +	}
 +
 +
 +	public static ArrayList<TorifiedApp> getApps (Context context, SharedPreferences prefs)
 +	{
 +
 +		String tordAppString = prefs.getString(OrbotConstants.PREFS_KEY_TORIFIED, "");
 +		String[] tordApps;
 +
 +		StringTokenizer st = new StringTokenizer(tordAppString,"|");
 +		tordApps = new String[st.countTokens()];
 +		int tordIdx = 0;
 +		while (st.hasMoreTokens())
 +		{
 +			tordApps[tordIdx++] = st.nextToken();
 +		}
 +
 +		Arrays.sort(tordApps);
 +
 +		//else load the apps up
 +		PackageManager pMgr = context.getPackageManager();
 +
 +		List<ApplicationInfo> lAppInfo = pMgr.getInstalledApplications(0);
 +
 +		Iterator<ApplicationInfo> itAppInfo = lAppInfo.iterator();
 +
 +		ArrayList<TorifiedApp> apps = new ArrayList<TorifiedApp>();
 +
 +		ApplicationInfo aInfo = null;
 +
 +		int appIdx = 0;
 +		TorifiedApp app = null;
 +
 +		while (itAppInfo.hasNext())
 +		{
 +			aInfo = itAppInfo.next();
 +
 +			app = new TorifiedApp();
 +
 +			try {
 +				PackageInfo pInfo = pMgr.getPackageInfo(aInfo.packageName, PackageManager.GET_PERMISSIONS);
 +
 +				if (pInfo != null && pInfo.requestedPermissions != null)
 +				{
 +					for (String permInfo:pInfo.requestedPermissions)
 +					{
 +						if (permInfo.equals("android.permission.INTERNET"))
 +						{
 +							app.setUsesInternet(true);
 +
 +						}
 +					}
 +
 +				}
 +
 +
 +			} catch (Exception e) {
 +				// TODO Auto-generated catch block
 +				e.printStackTrace();
 +			}
 +
 +			if ((aInfo.flags & ApplicationInfo.FLAG_SYSTEM) == 1)
 +			{
 +				//System app
 +				app.setUsesInternet(true);
 +			}
 +
 +
 +			if (!app.usesInternet())
 +				continue;
 +			else
 +			{
 +				apps.add(app);
 +			}
 +
 +
 +			app.setEnabled(aInfo.enabled);
 +			app.setUid(aInfo.uid);
 +			app.setUsername(pMgr.getNameForUid(app.getUid()));
 +			app.setProcname(aInfo.processName);
 +			app.setPackageName(aInfo.packageName);
 +
 +			try
 +			{
 +				app.setName(pMgr.getApplicationLabel(aInfo).toString());
 +			}
 +			catch (Exception e)
 +			{
 +				app.setName(aInfo.packageName);
 +			}
 +
 +
 +			//app.setIcon(pMgr.getApplicationIcon(aInfo));
 +
 +			// check if this application is allowed
 +			if (Arrays.binarySearch(tordApps, app.getUsername()) >= 0) {
 +				app.setTorified(true);
 +			}
 +			else
 +			{
 +				app.setTorified(false);
 +			}
 +
 +			appIdx++;
 +		}
 +
 +		Collections.sort(apps);
 +
 +		return apps;
 +	}
 +
 +}

    

n8fr8＠torproject.org

tags

participants (1)