dan
/
tor-android
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

rewrote transproxy rules to use user-defined Orbot chain

This commit is contained in:
n8fr8 2012-10-25 15:29:55 +05:30
parent 0e5b24e6d9
commit b4d815f2cb
1 changed files with 138 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

189
src/org/torproject/android/service/TorTransProxy.java
View File

@ -13,14 +13,29 @@ import android.util.Log;
public class TorTransProxy implements TorServiceConstants { public class TorTransProxy implements TorServiceConstants {
private boolean useSystemIpTables = false;
private boolean mBundledFailed = false;
private String mSysIptables = null;
private TorService mTorService = null;
public TorTransProxy (TorService torService)
{
mTorService = torService;
}
public TorTransProxy ()
{
}
public String getIpTablesPath (Context context) public String getIpTablesPath (Context context)
{ {
String ipTablesPath = null; String ipTablesPath = null;
SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context); SharedPreferences prefs = PreferenceManager.getDefaultSharedPreferences(context);
boolean useSystemIpTables = prefs.getBoolean(TorConstants.PREF_USE_SYSTEM_IPTABLES, false); useSystemIpTables = prefs.getBoolean(TorConstants.PREF_USE_SYSTEM_IPTABLES, false);
if (useSystemIpTables) if (useSystemIpTables || mBundledFailed)
{ {
ipTablesPath = findSystemIPTables(); ipTablesPath = findSystemIPTables();
} }
@ -33,11 +48,15 @@ public class TorTransProxy implements TorServiceConstants {
try try
{ {
if (testOwnerModule(context,ipTablesPath) != 0) if (testOwnerModule(context,ipTablesPath) != 0)
{
mBundledFailed = true;
ipTablesPath = findSystemIPTables(); ipTablesPath = findSystemIPTables();
} }
}
catch (Exception e) catch (Exception e)
{ {
ipTablesPath = findSystemIPTables(); ipTablesPath = findSystemIPTables();
mBundledFailed = true;
} }
} }
@ -46,23 +65,29 @@ public class TorTransProxy implements TorServiceConstants {
private String findSystemIPTables () private String findSystemIPTables ()
{ {
String path = null; if (mSysIptables != null)
{
return mSysIptables;
}
else
{
//if the user wants us to use the built-in iptables, then we have to find it //if the user wants us to use the built-in iptables, then we have to find it
File fileIpt = new File("/system/bin/iptables"); File fileIpt = new File("/system/bin/iptables");
if (fileIpt.exists()) if (fileIpt.exists())
path = fileIpt.getAbsolutePath(); mSysIptables = fileIpt.getAbsolutePath();
else else
{ {
fileIpt = new File("/system/xbin/iptables"); fileIpt = new File("/system/xbin/iptables");
if (fileIpt.exists()) if (fileIpt.exists())
path = fileIpt.getAbsolutePath(); mSysIptables = fileIpt.getAbsolutePath();
}
} }
return path; return mSysIptables;
} }
/* /*
@ -213,7 +238,9 @@ public class TorTransProxy implements TorServiceConstants {
code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor); code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
String msg = res.toString(); String msg = res.toString();
TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
if (mTorService != null)
logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
return code; return code;
@ -244,11 +271,22 @@ public class TorTransProxy implements TorServiceConstants {
StringBuilder res = new StringBuilder(); StringBuilder res = new StringBuilder();
int code = -1; int code = -1;
String modCmd = " -" + cmd + " OUTPUT"; String chainName = "ORBOT";
String jumpChainName = "OUTPUT";
// flushIptables(context); if (cmd.equals("A")) //only if we are adding rules
{
script.append(ipTablesPath);
script.append(" -N ").append(chainName); //create user-defined chain
script.append(" || exit\n");
int torUid = context.getApplicationInfo().uid; script.append(ipTablesPath);
script.append(" -A ").append(jumpChainName);
script.append(" -j ").append(chainName);
script.append(" || exit\n");
}
String modCmd = " -" + cmd + " " + chainName;
//build up array of shell cmds to execute under one root context //build up array of shell cmds to execute under one root context
for (TorifiedApp tApp:apps) for (TorifiedApp tApp:apps)
@ -260,11 +298,11 @@ public class TorTransProxy implements TorServiceConstants {
) //if app is set to true ) //if app is set to true
{ {
TorService.logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")"); logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")");
// Set up port redirection // Set up port redirection
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(modCmd); script.append(" -" + cmd + " ").append(jumpChainName);
script.append(" -t nat"); script.append(" -t nat");
script.append(" -p tcp"); script.append(" -p tcp");
script.append(" ! -d 127.0.0.1"); //allow access to localhost script.append(" ! -d 127.0.0.1"); //allow access to localhost
@ -277,7 +315,7 @@ public class TorTransProxy implements TorServiceConstants {
// Same for DNS // Same for DNS
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(modCmd); script.append(" -" + cmd + " ").append(jumpChainName);
script.append(" -t nat"); script.append(" -t nat");
script.append(" -p udp -m owner --uid-owner "); script.append(" -p udp -m owner --uid-owner ");
script.append(tApp.getUid()); script.append(tApp.getUid());
@ -316,20 +354,6 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" -j ACCEPT"); script.append(" -j ACCEPT");
script.append(" || exit\n"); script.append(" || exit\n");
// Reject DNS that is not from Tor (order is important - first matched rule counts!)
/*
script.append(ipTablesPath);
script.append(modCmd);
script.append(" -t filter");
script.append(" -m owner --uid-owner ");
script.append(tApp.getUid());
script.append(" -p udp");
script.append(" --dport ");
script.append(STANDARD_DNS_PORT);
script.append(" -j REJECT");
script.append(" || exit\n");
*/
// Reject all other outbound TCP packets // Reject all other outbound TCP packets
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(modCmd); script.append(modCmd);
@ -355,22 +379,30 @@ public class TorTransProxy implements TorServiceConstants {
} }
} }
/* if (cmd.equals("D"))
// Allow everything for Tor {
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(modCmd); script.append(" --flush ").append(chainName); //delete previous user-defined chain
script.append(" -t filter");
script.append(" -m owner --uid-owner ");
script.append(torUid);
script.append(" -j ACCEPT");
script.append(" || exit\n"); script.append(" || exit\n");
*/
script.append(ipTablesPath);
script.append(" -D ").append(jumpChainName);
script.append(" -j ").append(chainName);
script.append(" || exit\n");
script.append(ipTablesPath);
script.append(" -X ").append(chainName); //delete previous user-defined chain
script.append(" || exit\n");
}
String[] cmdAdd = {script.toString()}; String[] cmdAdd = {script.toString()};
code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor); code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
String msg = res.toString(); String msg = res.toString();
TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
return code; return code;
} }
@ -471,12 +503,20 @@ public class TorTransProxy implements TorServiceConstants {
code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor); code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
String msg = res.toString(); String msg = res.toString();
TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg); logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
return code; return code;
} }
private void logMessage (String msg)
{
if (mTorService != null)
mTorService.logMessage(msg);
else
Log.w(TorConstants.TAG,msg);
}
public int setTransparentProxyingAll(Context context) throws Exception public int setTransparentProxyingAll(Context context) throws Exception
{ {
return modifyTransparentProxyingAll(context, "A"); return modifyTransparentProxyingAll(context, "A");
@ -490,6 +530,7 @@ public class TorTransProxy implements TorServiceConstants {
public int modifyTransparentProxyingAll(Context context, String cmd) throws Exception public int modifyTransparentProxyingAll(Context context, String cmd) throws Exception
{ {
boolean runRoot = true; boolean runRoot = true;
boolean waitFor = true; boolean waitFor = true;
@ -502,13 +543,26 @@ public class TorTransProxy implements TorServiceConstants {
StringBuilder res = new StringBuilder(); StringBuilder res = new StringBuilder();
int code = -1; int code = -1;
//flushIptables(context);
int torUid = context.getApplicationInfo().uid; int torUid = context.getApplicationInfo().uid;
String chainName = "ORBOT";
String jumpChainName = "OUTPUT";
if (cmd.equals("A")) //only if we are adding rules
{
script.append(ipTablesPath);
script.append(" -N ").append(chainName); //create user-defined chain
script.append(" || exit\n");
script.append(ipTablesPath);
script.append(" -A ").append(jumpChainName);
script.append(" -j ").append(chainName);
script.append(" || exit\n");
}
// Allow everything for Tor // Allow everything for Tor
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -" + cmd + " OUTPUT"); script.append(" -" + cmd + " ").append(chainName);
script.append(" -t filter"); script.append(" -t filter");
script.append(" -m owner --uid-owner "); script.append(" -m owner --uid-owner ");
script.append(torUid); script.append(torUid);
@ -517,7 +571,7 @@ public class TorTransProxy implements TorServiceConstants {
// Set up port redirection // Set up port redirection
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -" + cmd + " OUTPUT"); script.append(" -" + cmd + " ").append(jumpChainName);
script.append(" -t nat"); script.append(" -t nat");
script.append(" -p tcp"); script.append(" -p tcp");
script.append(" ! -d 127.0.0.1"); //allow access to localhost script.append(" ! -d 127.0.0.1"); //allow access to localhost
@ -530,7 +584,7 @@ public class TorTransProxy implements TorServiceConstants {
// Same for DNS // Same for DNS
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -" + cmd + " OUTPUT"); script.append(" -" + cmd + " ").append(jumpChainName);
script.append(" -t nat"); script.append(" -t nat");
script.append(" -p udp -m owner ! --uid-owner "); script.append(" -p udp -m owner ! --uid-owner ");
script.append(torUid); script.append(torUid);
@ -546,7 +600,7 @@ public class TorTransProxy implements TorServiceConstants {
{ {
// Allow packets to localhost (contains all the port-redirected ones) // Allow packets to localhost (contains all the port-redirected ones)
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -" + cmd + " OUTPUT"); script.append(" -" + cmd + " ").append(chainName);
script.append(" -t filter"); script.append(" -t filter");
script.append(" -m owner ! --uid-owner "); script.append(" -m owner ! --uid-owner ");
script.append(torUid); script.append(torUid);
@ -561,7 +615,7 @@ public class TorTransProxy implements TorServiceConstants {
// Allow loopback // Allow loopback
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -" + cmd + " OUTPUT"); script.append(" -" + cmd + " ").append(chainName);
script.append(" -t filter"); script.append(" -t filter");
script.append(" -p tcp"); script.append(" -p tcp");
script.append(" -o lo"); script.append(" -o lo");
@ -573,7 +627,7 @@ public class TorTransProxy implements TorServiceConstants {
{ {
//XXX: Comment the following rules for non-debug builds //XXX: Comment the following rules for non-debug builds
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -" + cmd + " OUTPUT"); script.append(" -" + cmd + " ").append(chainName);
script.append(" -t filter"); script.append(" -t filter");
script.append(" -p udp"); script.append(" -p udp");
script.append(" --dport "); script.append(" --dport ");
@ -582,9 +636,10 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" --log-prefix='ORBOT_DNSLEAK_PROTECTION'"); script.append(" --log-prefix='ORBOT_DNSLEAK_PROTECTION'");
script.append(" --log-uid"); script.append(" --log-uid");
script.append(" || exit\n"); script.append(" || exit\n");
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -" + cmd + " ").append(chainName);
script.append(" -t filter"); script.append(" -t filter");
script.append(" -A OUTPUT");
script.append(" -p tcp"); script.append(" -p tcp");
script.append(" -j LOG"); script.append(" -j LOG");
script.append(" --log-prefix='ORBOT_TCPLEAK_PROTECTION'"); script.append(" --log-prefix='ORBOT_TCPLEAK_PROTECTION'");
@ -592,23 +647,10 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" || exit\n"); script.append(" || exit\n");
} }
// Reject DNS that is not from Tor (order is important - first matched rule counts!)
/*
script.append(ipTablesPath);
script.append(" -" + cmd + " OUTPUT");
script.append(" -t filter");
script.append(" -m owner ! --uid-owner ");
script.append(torUid);
script.append(" -p udp");
script.append(" --dport ");
script.append(STANDARD_DNS_PORT);
script.append(" -j REJECT");
script.append(" || exit\n");
*/
// Reject all other outbound TCP packets // Reject all other outbound TCP packets
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -" + cmd + " OUTPUT"); script.append(" -" + cmd + " ").append(chainName);
script.append(" -t filter"); script.append(" -t filter");
script.append(" -m owner ! --uid-owner "); script.append(" -m owner ! --uid-owner ");
script.append(torUid); script.append(torUid);
@ -619,7 +661,7 @@ public class TorTransProxy implements TorServiceConstants {
// Reject all other outbound UDP packets // Reject all other outbound UDP packets
script.append(ipTablesPath); script.append(ipTablesPath);
script.append(" -" + cmd + " OUTPUT"); script.append(" -" + cmd + " ").append(chainName);
script.append(" -t filter"); script.append(" -t filter");
script.append(" -m owner ! --uid-owner "); script.append(" -m owner ! --uid-owner ");
script.append(torUid); script.append(torUid);
@ -628,11 +670,30 @@ public class TorTransProxy implements TorServiceConstants {
script.append(" -j REJECT"); script.append(" -j REJECT");
script.append(" || exit\n"); script.append(" || exit\n");
String[] cmdAdd = {script.toString()}; if (cmd.equals("D"))
{
code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor); script.append(ipTablesPath);
script.append(" --flush ").append(chainName); //delete previous user-defined chain
script.append(" || exit\n");
script.append(ipTablesPath);
script.append(" -D ").append(jumpChainName);
script.append(" -j ").append(chainName);
script.append(" || exit\n");
script.append(ipTablesPath);
script.append(" -X ").append(chainName); //delete previous user-defined chain
script.append(" || exit\n");
}
String[] cmdExec = {script.toString()};
code = TorServiceUtils.doShellCommand(cmdExec, res, runRoot, waitFor);
String msg = res.toString(); String msg = res.toString();
TorService.logMessage(cmdAdd[0] + ";errCode=" + code + ";resp=" + msg);
logMessage("Exec resp: errCode=" + code + ";resp=" + msg);
return code; return code;
} }