From 55338abba4c095b39365ae0b0d6ac9f495ca7218 Mon Sep 17 00:00:00 2001 From: Nathan Freitas Date: Tue, 3 May 2011 05:56:04 +0000 Subject: [PATCH] merged __sporkbomb's xclnt patch for fixing transproxy all mode svn:r24713 --- .../android/service/TorTransProxy.java | 277 ++++++++++++------ 1 file changed, 187 insertions(+), 90 deletions(-) diff --git a/src/org/torproject/android/service/TorTransProxy.java b/src/org/torproject/android/service/TorTransProxy.java index 003e933c..50d62465 100644 --- a/src/org/torproject/android/service/TorTransProxy.java +++ b/src/org/torproject/android/service/TorTransProxy.java 
@@ -125,19 +125,52 @@ public class TorTransProxy implements TorServiceConstants { } */ - public static int setTransparentProxyingByApp(Context context, TorifiedApp[] apps, boolean forceAll) throws Exception + public static int testOwnerModule(Context context) throws Exception { boolean runRoot = true; boolean waitFor = true; - //android.os.Debug.waitForDebugger(); + //redirectDNSResolvConf(); //not working yet + int torUid = context.getApplicationInfo().uid; + + String ipTablesPath = new File(context.getDir("bin", 0),"iptables").getAbsolutePath(); + StringBuilder script = new StringBuilder(); + + StringBuilder res = new StringBuilder(); + int code = -1; + + // Allow everything for Tor + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -m owner --uid-owner "); + script.append(torUid); + script.append(" -j ACCEPT"); + script.append(" || exit\n"); + + String[] cmdAdd = {script.toString()}; + + code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor); + String msg = res.toString(); + TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg); + + + return code; + } + + + + public static int setTransparentProxyingByApp(Context context, TorifiedApp[] apps) throws Exception + { + + boolean runRoot = true; + boolean waitFor = true; + //redirectDNSResolvConf(); //not working yet String ipTablesPath = new File(context.getDir("bin", 0),"iptables").getAbsolutePath(); - - boolean ipTablesOld = false; StringBuilder script = new StringBuilder(); 
@@ -145,14 +178,12 @@ public class TorTransProxy implements TorServiceConstants { int code = -1; purgeIptables(context); - - script = new StringBuilder(); - + //build up array of shell cmds to execute under one root context for (int i = 0; i < apps.length; i++) { - if (forceAll || apps[i].isTorified()) //if "Tor Everything" on or app is set to true + if (apps[i].isTorified()) //if app is set to true { if (apps[i].getUsername().equals(TorServiceConstants.TOR_APP_USERNAME)) @@ -170,14 +201,8 @@ public class TorTransProxy implements TorServiceConstants { script.append(" -m owner --uid-owner "); script.append(apps[i].getUid()); script.append(" -m tcp --syn"); - - if (ipTablesOld) - script.append(" -j DNAT --to 127.0.0.1:"); - else - script.append(" -j REDIRECT --to-ports "); - + script.append(" -j REDIRECT --to-ports "); script.append(TOR_TRANSPROXY_PORT); - script.append(" || exit\n"); //DNS 
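Review bot: testOwnerModule leaves its probe rule in place: it appends `-t filter -A OUTPUT -m owner --uid-owner <torUid> -j ACCEPT` and returns, so every call adds another persistent ACCEPT rule for the Tor uid and the live firewall state then depends on whether the caller happens to run purgeIptables afterwards. A capability probe should be side-effect-free; after the `" -j ACCEPT"` append, chain a delete of the same rule before the `|| exit`, e.g. `script.append(" && ").append(ipTablesPath).append(" -t filter -D OUTPUT -m owner --uid-owner ").append(torUid).append(" -j ACCEPT");` — the `-A` alone already exercises the owner match, so the exit code still answers the question. The method is also undocumented; a header such as `/** Probes whether the kernel/iptables build supports the owner match; returns the exit code of doShellCommand (presumably 0 on success). */` would state what callers may rely on.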
@@ -187,55 +212,35 @@ public class TorTransProxy implements TorServiceConstants { script.append(apps[i].getUid()); script.append(" -m udp --dport "); script.append(STANDARD_DNS_PORT); - - if (ipTablesOld) - script.append(" -j DNAT --to 127.0.0.1:"); - else - script.append(" -j REDIRECT --to-ports "); - + script.append(" -j REDIRECT --to-ports "); script.append(TOR_DNS_PORT); - script.append(" || exit\n"); + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT -p tcp"); + script.append(" -m owner --uid-owner "); + script.append(apps[i].getUid()); + script.append(" -m tcp --dport "); + script.append(TOR_TRANSPROXY_PORT); + script.append(" -j ACCEPT"); + script.append(" || exit\n"); - if (ipTablesOld) //for some reason this doesn't work on iptables 1.3.7 - { - script.append(ipTablesPath); - script.append(" -t nat"); - script.append(" -A OUTPUT -m owner --uid-owner "); - script.append(apps[i].getUid()); - script.append(" -j DROP"); - script.append(" || exit\n"); - } - else - { - script.append(ipTablesPath); - script.append(" -t filter"); - script.append(" -A OUTPUT -p tcp"); - script.append(" -m owner --uid-owner "); - script.append(apps[i].getUid()); - script.append(" -m tcp --dport "); - script.append(TOR_TRANSPROXY_PORT); - script.append(" -j ACCEPT"); - script.append(" || exit\n"); - - script.append(ipTablesPath); - script.append(" -t filter"); - script.append(" -A OUTPUT -p udp"); - script.append(" -m owner --uid-owner "); - script.append(apps[i].getUid()); - script.append(" -m udp --dport "); - script.append(TOR_DNS_PORT); - script.append(" -j ACCEPT"); - script.append(" || exit\n"); - - script.append(ipTablesPath); - script.append(" -t filter -A OUTPUT -m owner --uid-owner "); - script.append(apps[i].getUid()); - script.append(" -j DROP"); //drop all other packets as Tor won't handle them - script.append(" || exit\n"); - - } + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT -p udp"); + 
script.append(" -m owner --uid-owner "); + script.append(apps[i].getUid()); + script.append(" -m udp --dport "); + script.append(TOR_DNS_PORT); + script.append(" -j ACCEPT"); + script.append(" || exit\n"); + + script.append(ipTablesPath); + script.append(" -t filter -A OUTPUT -m owner --uid-owner "); + script.append(apps[i].getUid()); + script.append(" -j DROP"); //drop all other packets as Tor won't handle them + script.append(" || exit\n"); } @@ -260,19 +265,12 @@ public class TorTransProxy implements TorServiceConstants { //String baseDir = context.getDir("bin",0).getAbsolutePath() + '/'; String ipTablesPath = new File(context.getDir("bin", 0),"iptables").getAbsolutePath(); - - boolean ipTablesOld = false; StringBuilder script = new StringBuilder(); StringBuilder res = new StringBuilder(); int code = -1; - - String[] cmdFlush = {script.toString()}; - code = TorServiceUtils.doShellCommand(cmdFlush, res, true, true); - //String msg = res.toString(); //get stdout from command - - script = new StringBuilder(); + purgeIptables(context); //TCP //iptables -t nat -A PREROUTING -i eth0 -p tcp --dport $srcPortNumber -j REDIRECT --to-port $dstPortNumbe @@ -283,14 +281,8 @@ public class TorTransProxy implements TorServiceConstants { script.append(" --dport "); script.append(port); //script.append(" -m tcp --syn"); - - if (ipTablesOld) - script.append(" -j DNAT --to 127.0.0.1:"); - else - script.append(" -j REDIRECT --to-ports "); - + script.append(" -j REDIRECT --to-ports "); script.append(TOR_TRANSPROXY_PORT); - script.append(" || exit\n"); script.append(ipTablesPath); @@ -298,14 +290,8 @@ public class TorTransProxy implements TorServiceConstants { script.append(" -A OUTPUT -p udp"); script.append(" --dport "); script.append(port); - - if (ipTablesOld) - script.append(" -j DNAT --to 127.0.0.1:"); - else - script.append(" -j REDIRECT --to-ports "); - + script.append(" -j REDIRECT --to-ports "); script.append(TOR_TRANSPROXY_PORT); - script.append(" || exit\n"); //DNS 
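Review bot: The per-app script fails open if it aborts part-way: the nat REDIRECT rules (TCP `--syn` and UDP/53) are appended first and the filter rules that actually confine the uid — the two ACCEPTs to the Tor ports and the closing `-j DROP` — last, each terminated by `|| exit`, and purgeIptables(context) has already flushed everything earlier in the same method (visible in the preceding hunk). If any nat line fails, the shell exits with no DROP installed and the app's traffic leaves the device unrestricted. Since the nat and filter tables are traversed independently, moving the three filter-table appends ahead of the two nat appends changes no rule semantics but makes a partial run fail closed instead. Also worth a comment at the top of the loop, e.g. `// IPv4 only: no ip6tables rules are installed, so IPv6 traffic from the app is neither redirected nor dropped`, since nothing here touches ip6tables (whether the device has IPv6 connectivity cannot be told from this hunk). The loop and the enclosing method begin outside the hunk.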
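Review bot: In the port-based rules the UDP branch (`-A OUTPUT -p udp --dport <port>`) is now unconditionally given `-j REDIRECT --to-ports TOR_TRANSPROXY_PORT`, the same target as the TCP `--syn` rule; Tor's transparent proxy port is a TCP listener, so UDP redirected there is presumably not proxied at all but answered locally with port-unreachable. If the intent is only to keep that port's UDP from leaving unproxied, a `-t filter -A OUTPUT -p udp --dport <port> -j REJECT` states that directly instead of implying UDP is tunnelled. At minimum a comment such as `// UDP cannot be carried by TransPort; this only stops it leaving the device` would keep the next reader from assuming UDP is proxied. The enclosing method starts and ends outside this hunk.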
@@ -314,14 +300,8 @@ public class TorTransProxy implements TorServiceConstants { script.append(" -A OUTPUT -p udp "); script.append(" -m udp --dport "); script.append(STANDARD_DNS_PORT); - - if (ipTablesOld) - script.append(" -j DNAT --to 127.0.0.1:"); - else - script.append(" -j REDIRECT --to-ports "); - + script.append(" -j REDIRECT --to-ports "); script.append(TOR_DNS_PORT); - script.append(" || exit\n"); 
@@ -331,7 +311,124 @@ public class TorTransProxy implements TorServiceConstants { TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg); return code; - } + } + + public static int setTransparentProxyingAll(Context context) throws Exception + { + boolean runRoot = true; + boolean waitFor = true; + + //redirectDNSResolvConf(); //not working yet + + String ipTablesPath = new File(context.getDir("bin", 0),"iptables").getAbsolutePath(); + + StringBuilder script = new StringBuilder(); + + StringBuilder res = new StringBuilder(); + int code = -1; + + purgeIptables(context); + + int torUid = context.getApplicationInfo().uid; + + // Set up port redirection + script.append(ipTablesPath); + script.append(" -t nat"); + script.append(" -A OUTPUT -p tcp"); + script.append(" -m owner ! --uid-owner "); + script.append(torUid); + script.append(" -m tcp --syn"); + script.append(" -j REDIRECT --to-ports "); + script.append(TOR_TRANSPROXY_PORT); + script.append(" || exit\n"); + + // Same for DNS + script.append(ipTablesPath); + script.append(" -t nat"); + script.append(" -A OUTPUT -p udp -m owner ! 
--uid-owner "); + script.append(torUid); + script.append(" -m udp --dport "); + script.append(STANDARD_DNS_PORT); + script.append(" -j REDIRECT --to-ports "); + script.append(TOR_DNS_PORT); + script.append(" || exit\n"); + + // Allow packets to localhost (contains all the port-redirected ones) + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -p tcp"); + script.append(" -d 127.0.0.1"); + script.append(" -j ACCEPT"); + script.append(" || exit\n"); + + // Allow loopback + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -p tcp"); + script.append(" -o lo"); + script.append(" -j ACCEPT"); + script.append(" || exit\n"); + + // Allow everything for Tor + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -m owner --uid-owner "); + script.append(torUid); + script.append(" -j ACCEPT"); + script.append(" || exit\n"); + + if (TorService.ENABLE_DEBUG_LOG) + { + //XXX: Comment the following rules for non-debug builds + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -p udp"); + script.append(" --dport "); + script.append(STANDARD_DNS_PORT); + script.append(" -j LOG"); + script.append(" --log-prefix='ORBOT_DNSLEAK_PROTECTION'"); + script.append(" --log-uid"); + script.append(" || exit\n"); + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -p tcp"); + script.append(" -j LOG"); + script.append(" --log-prefix='ORBOT_TCPLEAK_PROTECTION'"); + script.append(" --log-uid"); + script.append(" || exit\n"); + } + + // Reject DNS that is not from Tor (order is important - first matched rule counts!) 
+ script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -p udp"); + script.append(" --dport "); + script.append(STANDARD_DNS_PORT); + script.append(" -j REJECT"); + script.append(" || exit\n"); + + // Reject all other outbound TCP packets + script.append(ipTablesPath); + script.append(" -t filter"); + script.append(" -A OUTPUT"); + script.append(" -p tcp"); + script.append(" -j REJECT"); + script.append(" || exit\n"); + + String[] cmdAdd = {script.toString()}; + + code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor); + String msg = res.toString(); + TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg); + + return code; + } }
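Review bot: setTransparentProxyingAll fails open for everything that is neither TCP nor UDP/53: the filter chain ends with `-p udp --dport 53 -j REJECT` and `-p tcp -j REJECT`, so UDP to any other port (NTP, mDNS/5353, STUN, DNS on a non-standard port) and ICMP from any non-Tor uid leave the device directly, whereas the per-app path earlier in this file closes with an unconditional `-j DROP` for the uid. A catch-all cannot simply be appended, because the two loopback ACCEPTs are limited to `-p tcp` and would then block the DNS traffic that REDIRECT has just sent to 127.0.0.1:TOR_DNS_PORT; the change below drops `-p tcp` from those two rules and appends a final REJECT, which Tor's own traffic still passes via the earlier uid ACCEPT. iptables here is IPv4 only, so if the device has IPv6 connectivity the same leak exists there and would need matching ip6tables rules, which nothing in this hunk adds.
```java
        // Allow packets to localhost (all protocols: redirected TCP and DNS land here)
        script.append(ipTablesPath);
        script.append(" -t filter");
        script.append(" -A OUTPUT");
        script.append(" -d 127.0.0.1");
        script.append(" -j ACCEPT");
        script.append(" || exit\n");

        // Allow loopback (all protocols)
        script.append(ipTablesPath);
        script.append(" -t filter");
        script.append(" -A OUTPUT");
        script.append(" -o lo");
        script.append(" -j ACCEPT");
        script.append(" || exit\n");

        // … unchanged: Tor-uid ACCEPT, debug LOG rules, DNS REJECT, TCP REJECT …

        // Fail closed: anything not matched above (other UDP, ICMP, ...) is rejected
        script.append(ipTablesPath);
        script.append(" -t filter");
        script.append(" -A OUTPUT");
        script.append(" -j REJECT");
        script.append(" || exit\n");

        String[] cmdAdd = {script.toString()};
```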