Open willscott opened 8 years ago
FYI we hope to get this finished in the next week or two. It is a must-have for the alpha release.
For what it's worth until the captive portal tool (defector) is finished you can use the following hack to use iceweasel as a clearnet browser.
PLEASE TAKE NOTE THAT I DO NOT GUARANTEE THIS WILL NOT RESULT IN DATA LEAKAGE!
Make sure you have iceweasel installed before you need the captive portal/clearnet browser (it isn't installed by default in the alpha release), otherwise you will be an unhappy camper ;)
Create the following new files:

# /etc/sysctl.d/15-oz-net.conf
net.ipv4.ip_forward=1

(You may want to run sudo sysctl net.ipv4.ip_forward=1 right away.)
# /etc/ferm/ferm.d/30-clear-bridge.conf
# Physical uplinks: wireless (wl*) and wired (en*) interfaces.
@def $EXTIFS = (`ls /sys/class/net/ | grep -E '^((wl|en)[opsx]{1}).*$'`);
domain ip {
    table nat {
        chain POSTROUTING {
            # Masquerade traffic from oz0 as it leaves a physical uplink.
            outerface ($EXTIFS) {
                MASQUERADE;
            }
        }
    }
    # The chains below live in ferm's default table, filter.
    chain OUTPUT {
        outerface oz0 ACCEPT;
    }
    chain FORWARD {
        interface oz0 outerface $EXTIFS ACCEPT;
        outerface oz0 interface $EXTIFS ACCEPT;
        REJECT reject-with icmp-port-unreachable;
    }
}

You may then reload the ferm rules: sudo systemctl reload ferm.service.
# /etc/NetworkManager/dispatcher.d/02_dhcp_dns
#!/bin/sh
set -e
# Keep a copy of the DHCP-supplied resolvers in /etc/resolv.dhcp.conf so the
# bridged sandbox can bind-mount it over its own resolv.conf.
[ -L /etc/resolv.dhcp.conf ] && exit 2
[ -z "${CONNECTION_UUID}" ] && exit 0
# Only connections that obtained their settings via DHCP are of interest.
[ -z "$(nmcli connection show "${CONNECTION_UUID}" | fgrep 'DHCP')" ] && exit 0
# NetworkManager passes the interface as $1 and the action (up/down/...) as $2.
case "$2" in
    up)
        for dnsentry in $(nmcli connection show "${CONNECTION_UUID}" | fgrep '.DNS' | awk '{print $2}'); do
            echo "nameserver $dnsentry" >> /etc/resolv.dhcp.conf
        done
        ;;
    down)
        for dnsentry in $(nmcli connection show "${CONNECTION_UUID}" | fgrep '.DNS' | awk '{print $2}'); do
            # Delete only the first matching line; a plain "0,/re/d" would
            # delete every line from the top of the file through the first match.
            sed -i -e "0,/^nameserver $dnsentry$/{//d;}" /etc/resolv.dhcp.conf
        done
        ;;
    *)
        exit 0
        ;;
esac
Make sure it is executable: sudo chmod a+x /etc/NetworkManager/dispatcher.d/02_dhcp_dns
Now modify the iceweasel profile in /var/lib/oz/cells.d/iceweasel.json to:

{
    "path": "/usr/bin/iceweasel"
    , "xserver": {
        "enabled": true
        , "tray_icon": "/usr/share/icons/hicolor/scalable/apps/iceweasel.svg"
    }
    , "networking": {
        "type": "bridge"
    }
    , "whitelist": [
        {"path": "/etc/resolv.dhcp.conf", "target": "/run/resolvconf/resolv.conf", "force": true}
    ]
    , "blacklist": []
    , "environment": []
    , "seccomp": {
        "mode": "blacklist"
        , "enforce": true
    }
}
Modify /etc/rc.local to add the following right before exit 0:

# Create an empty (non-symlink) resolver file for the dispatcher script to fill.
if [ ! -L /etc/resolv.dhcp.conf ]; then
    echo -n > /etc/resolv.dhcp.conf
fi
Last but not least, ensure that unshare: 1 inside of /etc/oz/blacklist-generic.seccomp is removed/commented.
You will now need to restart the oz-daemon (which will kill any running sandboxes! save your work!): sudo systemctl restart oz-daemon.service.
AGAIN: PLEASE TAKE NOTE THAT I DO NOT GUARANTEE THIS WILL NOT RESULT IN DATA LEAKAGE!
Anything happening in iceweasel will be destroyed once the sandbox exits, but note that anything happening inside of iceweasel will go over clearnet! As will any sandbox which is reconfigured to use the bridge networking mode!
With all that said, I've used this hack while we were traveling on multiple occasions and it has served me well :)
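The warning above applies to every sandbox whose profile is switched to bridge networking, not just the browser. As an added example that is not part of this thread or of oz itself, here is a small audit that reads the cell profiles in /var/lib/oz/cells.d (the directory used above) and lists the cells whose traffic will leave over clearnet; the embedded samples, the made-up evince profile, and the fallback to those samples when the directory is absent are assumptions so that it runs offline.

```python
import json
from pathlib import Path

CELLS_DIR = Path("/var/lib/oz/cells.d")  # profile directory named in the thread

# Constructed samples in the layout posted above. "evince.json" is a made-up
# cell with no networking block, standing in for an ordinary Tor-only sandbox.
SAMPLE_CELLS = {
    "firefox.json": """{
        "name": "firefox", "path": "/usr/bin/firefox-esr"
        , "networking": {"type": "bridge"}
        , "whitelist": [{"path": "/etc/resolv.dhcp.conf",
                         "target": "/run/resolvconf/resolv.conf", "force": true}]
        , "seccomp": {"mode": "blacklist", "enforce": true}
    }""",
    "evince.json": '{"name": "evince", "path": "/usr/bin/evince",'
                   ' "seccomp": {"mode": "blacklist", "enforce": false}}',
}

def audit_profile(filename, text):
    """Extract the clearnet-relevant settings of one cell profile."""
    profile = json.loads(text)
    networking = profile.get("networking") or {}
    seccomp = profile.get("seccomp") or {}
    whitelist = profile.get("whitelist") or []
    return {
        "cell": profile.get("name") or Path(filename).stem,
        "path": profile.get("path", "?"),
        "bridge": networking.get("type") == "bridge",
        # the bind mount the hack relies on for the DHCP-supplied resolvers
        "dhcp_dns_bind": any(e.get("path") == "/etc/resolv.dhcp.conf" for e in whitelist),
        "seccomp_enforced": bool(seccomp.get("enforce")),
    }

def clearnet_cells(profiles):
    """profiles maps filename -> JSON text. Returns the bridge-mode cells,
    i.e. the sandboxes whose traffic bypasses Tor, sorted by cell name."""
    audited = [audit_profile(name, text) for name, text in profiles.items()]
    return sorted((a for a in audited if a["bridge"]), key=lambda a: a["cell"])

def load_cells(cells_dir=CELLS_DIR):
    return {p.name: p.read_text() for p in sorted(cells_dir.glob("*.json"))}

if __name__ == "__main__":
    profiles = load_cells() if CELLS_DIR.is_dir() else SAMPLE_CELLS
    for cell in clearnet_cells(profiles):
        print(f"{cell['cell']}: {cell['path']} uses bridge networking (clearnet), "
              f"resolv bind={cell['dhcp_dns_bind']}, seccomp enforced={cell['seccomp_enforced']}")
```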
Updated OZ profile for the iceweasel -> firefox migration:

Create a new file under /var/lib/oz/cells.d/firefox.json:

{
    "name": "firefox"
    , "path": "/usr/bin/firefox-esr"
    , "xserver": {
        "enabled": true
        , "tray_icon": "/usr/share/icons/hicolor/128x128/apps/firefox-esr.png"
    }
    , "networking": {
        "type": "bridge"
    }
    , "whitelist": [
        {"path": "/etc/resolv.dhcp.conf", "target": "/run/resolvconf/resolv.conf", "force": true}
    ]
    , "blacklist": [
    ]
    , "environment": [
    ]
    , "seccomp": {
        "mode": "blacklist"
        , "enforce": true
    }
}
Run sudo oz-setup install firefox.
Add the following pax rules to /etc/paxrat/paxrat.conf:

"/usr/lib/firefox-esr/firefox-esr": {
    "flags": "m",
    "nonroot": false
},
"/usr/lib/iceweasel/plugin-container": {
    "flags": "m",
    "nonroot": false
}

Run sudo paxrat -c /etc/paxrat/paxrat.conf.
This should cover the migration to ESR.
In the long run, it's maybe worth doing this sort of thing under a different browser name, maybe nakedweasel, or maybe a different build, not sure if that's what the firefox switch is doing.
@burdges we are currently working on a custom captive portal browser called Defector. What is described here is just a hack until we release it. The firefox switch/rename is related to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815006
Connected to a network with a captive portal, and couldn't figure out any way to log in. It looks like this should be handled by https://github.com/subgraph/defector