[tor-commits] [orbot/master] ensure ipv6 packets are dropped and shell cmds exit

n8fr8 at torproject.org n8fr8 at torproject.org
Thu Apr 17 15:36:58 UTC 2014


commit 2996fb2078cd86d101cdb32948b7d58ea5a06bca
Author: Nathan Freitas <nathan at freitas.net>
Date:   Thu Apr 17 10:16:03 2014 -0400

    ensure ipv6 packets are dropped and shell cmds exit
---
 .../torproject/android/service/TorTransProxy.java  |   96 ++++++++++++++++++--
 1 file changed, 86 insertions(+), 10 deletions(-)

diff --git a/src/org/torproject/android/service/TorTransProxy.java b/src/org/torproject/android/service/TorTransProxy.java
index 5a11ebf..aa30bd2 100644
--- a/src/org/torproject/android/service/TorTransProxy.java
+++ b/src/org/torproject/android/service/TorTransProxy.java
@@ -21,6 +21,8 @@ public class TorTransProxy implements TorServiceConstants {
 	private TorService mTorService = null;
 	private File mFileXtables = null;
 	
+	private final static String ALLOW_LOCAL = " ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 ";
+
 	public TorTransProxy (TorService torService, File fileXTables)
 	{
 		mTorService = torService;
@@ -49,7 +51,31 @@ public class TorTransProxy implements TorServiceConstants {
 			
 		return ipTablesPath;
 	}
+	
+	public String getIp6TablesPath (Context context)
+	{
+
+		String ipTablesPath = null;
+		
+		SharedPreferences prefs = TorService.getSharedPrefs(context.getApplicationContext());
 
+		useSystemIpTables = prefs.getBoolean(TorConstants.PREF_USE_SYSTEM_IPTABLES, false);
+		
+		if (useSystemIpTables)
+		{
+			ipTablesPath = findSystemIP6Tables();
+		}
+		else
+		{
+			ipTablesPath = mFileXtables.getAbsolutePath();
+			ipTablesPath += " ip6tables"; //append subcommand since we are using xtables now
+			
+		}
+			
+		return ipTablesPath;
+	
+	}
+	
 	private String findSystemIPTables ()
 	{
 		if (mSysIptables != null)
@@ -77,6 +103,29 @@ public class TorTransProxy implements TorServiceConstants {
 		return mSysIptables;
 	}
 	
+
+	
+	private String findSystemIP6Tables ()
+	{
+		
+		//if the user wants us to use the built-in iptables, then we have to find it
+		File fileIpt = new File("/system/xbin/ip6tables");
+		
+		if (fileIpt.exists())
+			mSysIptables = fileIpt.getAbsolutePath();
+		else
+		{
+		
+			fileIpt = new File("/system/bin/ip6tables");
+			
+			if (fileIpt.exists())
+				mSysIptables = fileIpt.getAbsolutePath();
+		}
+		
+		
+		return mSysIptables;
+	}
+	
 	/*
 	public int flushIptablesAll(Context context) throws Exception {
 		
@@ -321,6 +370,7 @@ public class TorTransProxy implements TorServiceConstants {
 		    	script.append(" -t nat");
 		    	script.append(" -A ").append(srcChainName);				
 				script.append(" -p tcp");
+				script.append(ALLOW_LOCAL);
 				script.append(" -m owner --uid-owner ");
 				script.append(tApp.getUid());
 				script.append(" -m tcp --syn");
@@ -335,7 +385,7 @@ public class TorTransProxy implements TorServiceConstants {
 				script.append(" -t nat");
 				script.append(" -A ").append(srcChainName);
 				script.append(" -p udp");
-				script.append(" ! -d 127.0.0.1"); //allow access to localhost
+				script.append(ALLOW_LOCAL); //allow access to localhost
 				script.append(" -m owner ! --uid-owner ");
 				script.append(tApp.getUid());
 				script.append(" -m udp --dport "); 
@@ -367,7 +417,6 @@ public class TorTransProxy implements TorServiceConstants {
 					script = new StringBuilder();
 				}
 				
-				// Allow packets to localhost (contains all the port-redirected ones)
 				script.append(ipTablesPath);
 				script.append(" -t filter");
 		        script.append(" -A ").append(srcChainName);
@@ -387,6 +436,7 @@ public class TorTransProxy implements TorServiceConstants {
 		        script.append(" -A ").append(srcChainName);
 				script.append(" -m owner --uid-owner ");
 				script.append(tApp.getUid());				
+				script.append(ALLOW_LOCAL);
 				script.append(" -j DROP");
 
 				lastExit = executeCommand (shell, script.toString());
@@ -403,7 +453,7 @@ public class TorTransProxy implements TorServiceConstants {
 	
 	private int executeCommand (Shell shell, String cmdString) throws IOException, TimeoutException
 	{
-		SimpleCommand cmd = new SimpleCommand(cmdString);
+		SimpleCommand cmd = new SimpleCommand(cmdString +  "|| exit");
 		shell.add(cmd);
 		cmd.waitForFinish();
 		logMessage(cmdString + "; exit=" + cmd.getExitCode() + ";output=" + cmd.getOutput());
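Review bot: Appending `|| exit` makes the root shell terminate on the first failing rule, but executeCommand still just returns the exit code, which dropAllIPv6Traffic and setTransparentProxyingAll discard; the remaining commands are then queued to a shell that no longer exists, and the device is left with a partially applied ruleset and no error surfaced. Since the method already declares IOException, it should refuse to continue: `if (cmd.getExitCode() != 0) throw new IOException("rule failed (exit " + cmd.getExitCode() + "): " + cmdString);`. A space before the operator, `" || exit"`, would also avoid relying on shell tokenisation of `DROP||`.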
@@ -523,11 +573,36 @@ public class TorTransProxy implements TorServiceConstants {
 		 
 	}
 	
-	public int setTransparentProxyingAll(Context context) throws Exception 
+	public int dropAllIPv6Traffic (Context context) throws Exception
 	{
+
+		String ip6tablesPath = getIp6TablesPath(context);
+		Shell shell = Shell.startRootShell();
+    	
 		
+    	StringBuilder script;
+    	
+		// Allow everything for Tor
     	
-		//redirectDNSResolvConf(); //not working yet
+    	script = new StringBuilder();
+		script.append(ip6tablesPath);			
+		script.append(" -A INPUT -j DROP");
+		executeCommand (shell, script.toString());
+
+		script = new StringBuilder();
+		script.append(ip6tablesPath);			
+		script.append(" -A OUTPUT -j DROP");
+		int lastExit = executeCommand (shell, script.toString());
+		
+		shell.close();
+		
+		return lastExit;
+	}
+	
+	public int setTransparentProxyingAll(Context context) throws Exception 
+	{
+		
+		dropAllIPv6Traffic(context);
 		
 		String ipTablesPath = getIpTablesPath(context);
 		
@@ -567,7 +642,7 @@ public class TorTransProxy implements TorServiceConstants {
 		script.append(" -t nat");
 		script.append(" -A ").append(srcChainName);
 		script.append(" -p tcp");
-		script.append(" ! -d 127.0.0.1"); //allow access to localhost
+		script.append(ALLOW_LOCAL); //allow access to localhost
 		script.append(" -m owner ! --uid-owner ");
 		script.append(torUid);
 		script.append(" -m tcp --syn");
@@ -582,7 +657,7 @@ public class TorTransProxy implements TorServiceConstants {
 		script.append(" -t nat");
 		script.append(" -A ").append(srcChainName);
 		script.append(" -p udp");
-		script.append(" ! -d 127.0.0.1"); //allow access to localhost
+		script.append(ALLOW_LOCAL); //allow access to localhost
 		script.append(" -m owner ! --uid-owner ");
 		script.append(torUid);
 		script.append(" -m udp --dport "); 
@@ -684,17 +759,18 @@ public class TorTransProxy implements TorServiceConstants {
 		script = new StringBuilder();
 		
 		
-		// Reject all other outbound UDP packets
+		// Reject all other packets
 		script.append(ipTablesPath);
 		script.append(" -t filter");
 		script.append(" -A ").append(srcChainName);
 		script.append(" -m owner ! --uid-owner ");
 		script.append(torUid);
-		script.append(" -j DROP");
+		script.append(ALLOW_LOCAL); //allow access to localhost
+		script.append(" -j REJECT");
 
 		int lastExit = executeCommand (shell, script.toString());
 		
-		fixTransproxyLeak (context);
+	//	fixTransproxyLeak (context);
 		
 		shell.close();
 		




