[tor-commits] [orbot/master] fix issues with per-app filtering and ipv6
n8fr8 at torproject.org
n8fr8 at torproject.org
Thu Apr 17 15:36:58 UTC 2014
commit 2628565b45a6a757e8e8f48605b7d2f31a3b515b
Author: Nathan Freitas <nathan at freitas.net>
Date: Thu Apr 17 11:34:31 2014 -0400
fix issues with per-app filtering and ipv6
---
.../torproject/android/service/TorTransProxy.java | 93 +++++++++-----------
1 file changed, 44 insertions(+), 49 deletions(-)
diff --git a/src/org/torproject/android/service/TorTransProxy.java b/src/org/torproject/android/service/TorTransProxy.java
index aa30bd2..f7fd535 100644
--- a/src/org/torproject/android/service/TorTransProxy.java
+++ b/src/org/torproject/android/service/TorTransProxy.java
@@ -330,6 +330,8 @@ public class TorTransProxy implements TorServiceConstants {
String srcChainName = "OUTPUT";
+ int torUid = context.getApplicationInfo().uid;
+
//run the delete commands in a separate process as it might error out
//String[] cmdExecClear = {script.toString()};
//code = TorServiceUtils.doShellCommand(cmdExecClear, res, runRoot, waitFor);
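Review bot: `torUid` is assigned from `context.getApplicationInfo().uid` but is not referenced in any hunk of this commit; if the unchanged part of the method does not use it either, it is dead code and should be removed. If it was meant to exempt Orbot's own UID from the per-app rules, that wiring is still missing, and a one-line comment on its intended use would make that clear either way.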
@@ -338,6 +340,10 @@ public class TorTransProxy implements TorServiceConstants {
Shell shell = Shell.startRootShell();
int lastExit = -1;
+ StringBuilder script;
+
+
+ // Allow everything for Tor
//build up array of shell cmds to execute under one root context
for (TorifiedApp tApp:apps)
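Review bot: The comment `// Allow everything for Tor` added above the per-app loop does not describe what follows — the loop builds per-app REDIRECT and REJECT rules — and the identical comment is deleted from dropAllIPv6Traffic in a later hunk, so it reads like a paste leftover. Replace it with `// Build and run the per-app iptables rules, one app at a time`, and drop the two blank lines around the `StringBuilder script;` declaration.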
@@ -348,10 +354,12 @@ public class TorTransProxy implements TorServiceConstants {
) //if app is set to true
{
- StringBuilder script = new StringBuilder();
logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")");
+ dropAllIPv6Traffic(context, tApp.getUid());
+
+ script = new StringBuilder();
// Allow loopback
script.append(ipTablesPath);
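Review bot: The return value of `dropAllIPv6Traffic(context, tApp.getUid())` is discarded, so a failed ip6tables invocation leaves the app's IPv6 traffic unfiltered while the IPv4 redirect rules still go in, and nothing is logged. Check it: `if (dropAllIPv6Traffic(context, tApp.getUid()) != 0) logMessage("ip6tables drop failed for uid " + tApp.getUid());`. The same applies to the `dropAllIPv6Traffic(context,-1)` call in the last hunk. Each call also appears to open and close its own root shell (see the `shell.close()` in dropAllIPv6Traffic) although a root `shell` is already open here; passing it in would avoid one shell per app.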
@@ -385,7 +393,6 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" -t nat");
script.append(" -A ").append(srcChainName);
script.append(" -p udp");
- script.append(ALLOW_LOCAL); //allow access to localhost
script.append(" -m owner ! --uid-owner ");
script.append(tApp.getUid());
script.append(" -m udp --dport ");
@@ -393,40 +400,6 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" -j REDIRECT --to-ports ");
script.append(TOR_DNS_PORT);
-
- executeCommand (shell, script.toString());
- script = new StringBuilder();
-
-
- int[] ports = {TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP};
-
- for (int port : ports)
- {
- // Allow packets to localhost (contains all the port-redirected ones)
- script.append(ipTablesPath);
- script.append(" -t filter");
- script.append(" -A ").append(srcChainName);
- script.append(" -p tcp");
- script.append(" -m owner --uid-owner ");
- script.append(tApp.getUid());
- script.append(" --dport ");
- script.append(port);
- script.append(" -j ACCEPT");
-
- executeCommand (shell, script.toString());
- script = new StringBuilder();
- }
-
- script.append(ipTablesPath);
- script.append(" -t filter");
- script.append(" -A ").append(srcChainName);
- script.append(" -p udp");
- script.append(" -m owner --uid-owner ");
- script.append(tApp.getUid());
- script.append(" --dport ");
- script.append(TOR_DNS_PORT);
- script.append(" -j ACCEPT");
-
executeCommand (shell, script.toString());
script = new StringBuilder();
@@ -437,10 +410,9 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" -m owner --uid-owner ");
script.append(tApp.getUid());
script.append(ALLOW_LOCAL);
- script.append(" -j DROP");
+ script.append(" -j REJECT");
lastExit = executeCommand (shell, script.toString());
- script = new StringBuilder();
}
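Review bot: Switching the per-app catch-all from `-j DROP` to `-j REJECT` changes what the app observes — connections fail with an error instead of hanging until timeout — but nothing in the code says why; add `// REJECT rather than DROP so non-proxied connections fail fast instead of timing out` above the append, assuming that is the intent. Note also that `lastExit` is overwritten on every loop iteration, so after the loop it reflects only the last app's final command and an earlier failure is lost.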
@@ -455,8 +427,7 @@ public class TorTransProxy implements TorServiceConstants {
{
SimpleCommand cmd = new SimpleCommand(cmdString + "|| exit");
shell.add(cmd);
- cmd.waitForFinish();
- logMessage(cmdString + "; exit=" + cmd.getExitCode() + ";output=" + cmd.getOutput());
+ logMessage(cmdString);// + "; exit=" + cmd.getExitCode() + ";output=" + cmd.getOutput());
return cmd.getExitCode();
}
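Review bot: Removing `cmd.waitForFinish()` means `cmd.getExitCode()` on the return line is presumably read before the command has completed, so the value returned to callers such as `lastExit` in the per-app loop no longer tells whether the iptables rule was actually installed. Keep the wait and trim only the log if verbosity was the problem: `cmd.waitForFinish();` before the return, and `logMessage(cmdString + "; exit=" + cmd.getExitCode());` in place of the commented-out tail. A rule that fails to install but is reported as success is exactly the case where traffic bypasses the proxy unnoticed. executeCommand's signature is above the hunk.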
@@ -543,6 +514,8 @@ public class TorTransProxy implements TorServiceConstants {
int lastExit = executeCommand (shell, script.toString());
shell.close();
+
+ clearAllIPv6Filters(context);
return lastExit;
}
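Review bot: The result of `clearAllIPv6Filters(context)` is ignored and the method still returns only `lastExit` from the IPv4 script, so a failed ip6tables flush is reported as success to the caller. Capture it: `int ip6Exit = clearAllIPv6Filters(context);` and `return lastExit != 0 ? lastExit : ip6Exit;`. The enclosing method's signature is above the hunk.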
@@ -573,7 +546,7 @@ public class TorTransProxy implements TorServiceConstants {
}
- public int dropAllIPv6Traffic (Context context) throws Exception
+ public int dropAllIPv6Traffic (Context context, int appUid) throws Exception
{
String ip6tablesPath = getIp6TablesPath(context);
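Review bot: The new `appUid` parameter uses -1 as an "all UIDs" sentinel (the `appUid != -1` check in the next hunk and the `dropAllIPv6Traffic(context,-1)` caller rely on it), but the method has no Javadoc saying so. Add above the signature: `/** Appends an ip6tables OUTPUT DROP rule for appUid, or for all traffic when appUid is -1; returns the shell exit code. */`.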
@@ -581,17 +554,39 @@ public class TorTransProxy implements TorServiceConstants {
StringBuilder script;
-
- // Allow everything for Tor
-
- script = new StringBuilder();
+
+ script = new StringBuilder();
script.append(ip6tablesPath);
- script.append(" -A INPUT -j DROP");
- executeCommand (shell, script.toString());
+ script.append(" -A OUTPUT");
+
+ if (appUid != -1)
+ {
+ script.append(" -m owner --uid-owner ");
+ script.append(appUid);
+ }
+
+ script.append(" -j DROP");
+
+ int lastExit = executeCommand (shell, script.toString());
+
+ shell.close();
+
+ return lastExit;
+ }
+
+ public int clearAllIPv6Filters (Context context) throws Exception
+ {
+
+ String ip6tablesPath = getIp6TablesPath(context);
+ Shell shell = Shell.startRootShell();
+
+
+ StringBuilder script;
script = new StringBuilder();
script.append(ip6tablesPath);
- script.append(" -A OUTPUT -j DROP");
+ script.append(" -t filter");
+ script.append(" -F OUTPUT");
int lastExit = executeCommand (shell, script.toString());
shell.close();
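Review bot: `-F OUTPUT` in clearAllIPv6Filters flushes every rule in the ip6tables filter OUTPUT chain, not only the DROP rules this class appended, so any rule another component placed there is lost on clear; deleting the specific rule with the same match (`-D OUTPUT -m owner --uid-owner <uid> -j DROP`, or `-D OUTPUT -j DROP` for the -1 case) or keeping Orbot's rules in a dedicated chain that is then flushed would be narrower. The rewrite also drops the old `-A INPUT -j DROP`, so inbound IPv6 is no longer blocked — if that is intended, a comment saying so would help the next reader. Each call of dropAllIPv6Traffic appends another rule, so repeated enable cycles without a clear accumulate duplicates. clearAllIPv6Filters continues past the end of the hunk.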
@@ -602,7 +597,7 @@ public class TorTransProxy implements TorServiceConstants {
public int setTransparentProxyingAll(Context context) throws Exception
{
- dropAllIPv6Traffic(context);
+ dropAllIPv6Traffic(context,-1);
String ipTablesPath = getIpTablesPath(context);