1. 17 Mar, 2021 13 commits
    • Jussi Laakkonen's avatar
      Merge branch 'jb48769' into 'master' · 15e368f1
      Jussi Laakkonen authored
      [connman] Prevent IPv4 only VPN data and DNS leak to IPv6. Fixes JB#48769
      
      See merge request !257
      15e368f1
    • Jussi Laakkonen's avatar
      [unit] Adopt to service.c and provider changes in service test. JB#48769 · 93f0a73d
      Jussi Laakkonen authored
      Remove use of the VPN dependency from the unit test. Remove connection.c
      build dependency and replace functions with dummies.
      
      Add provider family and VPN phy index dummies.
      
      Use service_hash and add provider dummy to have the service_hash
      supported within the test.
      93f0a73d
    • Jussi Laakkonen's avatar
      service: Toggle VPN transport IPv6 when split routing changes · 7a2c4378
      Jussi Laakkonen authored
      [service] Toggle VPN transport IPv6 when split routing changes. JB#48769
      
      Enable/disable IPv6 on VPNs transport when the split routing value is
      changed. This is important in both cases when a connected IPv4 VPN has
      the value changed as with split routing -> non-split routing IPv6 should
      be disabled as well as non-split-routing -> split routed IPv6 should be
      re-enabled.
      7a2c4378
    • Jussi Laakkonen's avatar
      provider: Toggle IPv6 on the transport of IPv4 VPN connection · d68291d6
      Jussi Laakkonen authored
      [provider] Toggle IPv6 on the transport of IPV4 VPN. JB#48769
      
      Add support to disable/enable IPv6 on the transport of the VPN that uses
      IPv4. This change eliminates the data and DNS leak to IPv6 when
      dual-stack transport is used on a IPv4 only VPN. Otherwise with an AAAA
      record for a requested hostname the traffic can bypass the VPN to
      transport's IPv6 network if the DNS server of the VPN serves both A
      and AAAA requests.
      
      If multiple connection technologies (SingleConnectedTechnology omitted
      or false) are in use IPv6 support is changed on system level. The value
      of SingleConnectedTechnology does not change run-time so there should
      not be a possibility for inconsistent state.
      
      To get the transport utilize the recorded transport from plugins/vpn.c.
      
      Disable IPv6 when state changes to READY (also ONLINE but that is never
      used with VPNs) for IPv4 provider. Record the old IPv6 method for
      re-enabling the IPv6 on the used transport.
      
      When provider state changes to DISCONNECT or FAILURE re-enable IPv6 the
      transport using the recorded method.
      d68291d6
    • Jussi Laakkonen's avatar
      service: Sort VPNs using the transport service if connected · f839c26f
      Jussi Laakkonen authored
      [service] Sort VPNs using the transport service if connected. JB#48769
      
      Use the transport to verify the order of the connected VPN services. If
      there is a transport service in use that ranks lower than an another
      service it means that the order must be changed based on comparing the
      transport and the service instead of comparing VPN and the service. This
      is because the higher ranking service should then become the transport
      of the VPN.
      
      This ensures that when the list is sorted the transport check in
      plugins/vpn.c will make VPN to switch to the new transport that is
      enabled to be the default. Use of the service ident from hash table for
      searching is used because the index cannot be retrieved from the list
      while sorting the list.
      f839c26f
    • Jussi Laakkonen's avatar
      vpn: Return transport ident with get_property() · 0d574b05
      Jussi Laakkonen authored
      [vpn] Return transport ident with get_property(). JB#48769
      
      Return the service_ident with "Transport" keyword given to
      get_property(). Plugin tracks the transport and this is can be used
      elsewhere as well.
      
      It is important to free the service_ident after notifying provider about
      state change as the service_ident is useful for IPv6 checks when
      disconnecting.
      0d574b05
    • Jussi Laakkonen's avatar
      service: Add IPv6 configuration notify function · 5b7e6fc0
      Jussi Laakkonen authored
      [service] Add IPv6 configuration notify function
      
      Similar to what is for IPv4.
      5b7e6fc0
    • Jussi Laakkonen's avatar
      dnsproxy: Enable DNS servers on connected VPN split routing changes · 9addbe62
      Jussi Laakkonen authored
      [dnsproxy] Enable DNS servers on conn VPN split routing changes. JB#48769
      
      If split routing is enabled on a connected VPN the DNS servers of the
      VPN should be enabled as well when the default service is switched to be
      the transport service.
      9addbe62
    • Jussi Laakkonen's avatar
      [dnsproxy] Remove VPN index list use as unnecessary. JB#48769 · 1b9ebd21
      Jussi Laakkonen authored
      Removed the use of VPN index list. This is because after the split
      routing and default route functionality was combined there is no need
      for the list anymore. The split routing status can handle the scenario
      as it was intended.
      1b9ebd21
    • Saurav Babu's avatar
      service: Enable ipconfig only for the changed IP type · 6b29293d
      Saurav Babu authored
      When IPv6.Configuration is changed to "off" then connman starts fresh
      DHCP Requests for service after changing its state to Configuration.
      In an ideal scenario IPv4 Configurations should not be affected on
      changing IPv6.Configuration property.
      
      This patch only enables ipconfig for the changed IP type and leaves
      other IP type unchanged
      6b29293d
    • Jussi Laakkonen's avatar
      [service] Remove VPN transport dependency and improve sorting. JB#48769 · 924bf7c0
      Jussi Laakkonen authored
      There is no need to use the VPN transport dependency in service.c
      anymore as plugins/vpn.c handle the transport checks. Also dnsproxy.c
      manages the DNS servers using the split routing property.
      
      Improved sorting to take account the lack of the transport dependency
      and to use order when doing the sorting with preferred lists.
      924bf7c0
    • Jussi Laakkonen's avatar
      network: Support ipconfig changes for IPv6 force toggle · 2031f665
      Jussi Laakkonen authored
      [network] Support ipconfig changes for IPv6 force toggle. JB#48769
      
      Add "false" to all functions using
      __connman_ipconfig_{enable,disable}_ipv6() except with
      __connman_network_enable_ipconfig(), in which the parameter is set by
      the caller. This is passed to autoconf_ipv6_set() to get IPv6 properly
      enabled again, when requested. Utilize the input force value with
      FIXED, MANUAL, DHCP and AUTO ipconfig method types when enabling
      ipconfig via network.c.
      2031f665
    • Jussi Laakkonen's avatar
      ipconfig: Support complete disabling of IPv6 and refactor · 8471ac67
      Jussi Laakkonen authored
      [ipconfig] Support complete disabling of IPv6 and refactor. JB#48769
      
      Support complete disabling of IPv6 on both system and interface levels.
      Disabling of IPv6 completely albeit temporarily is required when there
      can be multiple connected technologies and a VPN is connected over IPv4
      using an dual-stack transport and/or there is another technology with
      dual-stack or only IPv6 in use. This approach effectively ensures that
      no data from an IPv4 VPN leaks to any other interface. A DNS server
      returning replies to AAAA requests may return an IPv6 address, which
      could be then used over IPv6 routing on another technolology that is not
      acting as the transport of the VPN.
      
      Add a "ipv6_force_disabled" toggle to indicate that the particular
      device tied to ipconfig should not have IPv6 enabled. This toggle is to
      be used in scenarios where IPv6 should be prevented from reinstating
      unless forcefully enabled. The __connman_ipconfig_{enable,disable}_ipv6()
      now have additional boolean to control this behavior, and the enabling
      function returns either -EINVAL or -EOPNOTSUPP for errors and 0 when
      success.
      
      When checking IPv6 enabled state return false if ipv6_force_disabled is
      set as that is the real status of IPv6. The /proc disable_ipv6 can
      change when kernel processes ICMPv6 (RA/RS) packets and brings the IPv6
      interface up so using only the disable_ipv6 value is not consistent
      enough in case when IPv6 has been forcefully disabled.
      
      This change will prevent from changing the IPv6 status until it has
      it has been forcefully enabled. The most prominent use case for this
      is to prevent data as well as DNS leak to IPv6 when IPv4 only VPN is
      connected over a transport supporting both IPv4 and IPv6 connectivity.
      
      In addition to changing disable_ipv6 value also the autoconf option is
      managed. This is done in order to control the address setup for the
      interface. Also accept_ra is managed to prevent from setting up the
      addressing according to route advertizements. The accept_ra value is
      backed up before disabling in order to restore it to the correct value
      when re-enabling. It is worthy to note that disable_ipv6 may be
      temporarily set to 0 by the kernel when RS packets are received and LL
      addess is temporarily set as a typical behavior of IPv6 on some
      configurations, and after a while the value of disable_ipv6 as well as
      LL address are reset/removed by kernel.
      
      Also refactor getting and setting the proc conf values, have read and
      write in their own respective general functions. If write/read is
      issued without interface name (NULL) then "all" section is used to
      follow the old behavior.
      8471ac67
  2. 12 Mar, 2021 17 commits
    • Daniel Wagner's avatar
      resolver: Don't export domain or nameserver duplicates · 0bc8a25f
      Daniel Wagner authored
      Track exported elements and do not append the same domain or
      nameserver twice.
      
      connman_resolver_append() is called several times during connection
      bring up and might include domains or nameserver already in the
      resolvfile_list. This happens for example if two interfaces are
      brought up which happend to have the same
      configuration (e.g. nameserver 8.8.8.8).
      
      connmand[9080]: enp4s0 {newlink} index 2 operstate 6 <UP>
      connmand[9080]: src/resolver.c:connman_resolver_append() index 2 domain (null) server 192.168.154.1
      connmand[9080]: src/resolver.c:append_resolver() index 2 domain (null) server 192.168.154.1 lifetime 0 flags 0
      connmand[9080]: src/resolver.c:__connman_resolvfile_append() index 2 domain (null) server 192.168.154.1
      connmand[9080]: Cannot create /var/run/connman/resolv.conf falling back to /etc/resolv.conf
      connmand[9080]: src/resolver.c:connman_resolver_append() index 2 domain lan server (null)
      connmand[9080]: src/resolver.c:append_resolver() index 2 domain lan server (null) lifetime 0 flags 0
      connmand[9080]: src/resolver.c:__connman_resolvfile_append() index 2 domain lan server (null)
      connmand[9080]: Setting hostname to beryllium
      connmand[9080]: Setting domainname to lan
      connmand[9080]: enp4s0 {add} address 192.168.154.174/24 label enp4s0 family 2
      connmand[9080]: src/resolver.c:connman_resolver_remove() index 2 domain (null) server 192.168.154.1
      connmand[9080]: src/resolver.c:__connman_resolvfile_remove() index 2 domain (null) server 192.168.154.1
      connmand[9080]: src/resolver.c:connman_resolver_remove() index 2 domain lan server (null)
      connmand[9080]: src/resolver.c:__connman_resolvfile_remove() index 2 domain lan server (null)
      connmand[9080]: src/resolver.c:connman_resolver_append() index 2 domain (null) server 192.168.154.1
      connmand[9080]: src/resolver.c:append_resolver() index 2 domain (null) server 192.168.154.1 lifetime 0 flags 0
      connmand[9080]: src/resolver.c:__connman_resolvfile_append() index 2 domain (null) server 192.168.154.1
      connmand[9080]: src/resolver.c:connman_resolver_append() index 2 domain lan server (null)
      connmand[9080]: src/resolver.c:append_resolver() index 2 domain lan server (null) lifetime 0 flags 0
      connmand[9080]: src/resolver.c:__connman_resolvfile_append() index 2
      domain lan server (null)
      [...]
      connmand[9080]: wlan0 {newlink} index 7 operstate 6 <UP>
      connmand[9080]: src/resolver.c:connman_resolver_append() index 7 domain (null) server 192.168.154.1
      connmand[9080]: src/resolver.c:append_resolver() index 7 domain (null) server 192.168.154.1 lifetime 0 flags 0
      connmand[9080]: src/resolver.c:__connman_resolvfile_append() index 7 domain (null) server 192.168.154.1
      connmand[9080]: src/resolver.c:connman_resolver_append() index 7 domain lan server (null)
      connmand[9080]: src/resolver.c:append_resolver() index 7 domain lan server (null) lifetime 0 flags 0
      connmand[9080]: src/resolver.c:__connman_resolvfile_append() index 7 domain lan server (null)
      0bc8a25f
    • Daniel Wagner's avatar
      service: Handle NULL pointer in __connman_service_set_{domain|host}name · 97a4dd8e
      Daniel Wagner authored
      516af0fd1586 ("service: Sanitize input for hostname and domainname")
      address the shutdown path:
      
      connmand[12534]: ++++++++ backtrace ++++++++
      connmand[12534]: #0  0x7fefba7195c0 in /lib64/libc.so.6
      connmand[12534]: #1  0x7fefbab8caa4 in /lib64/libglib-2.0.so.0
      connmand[12534]: #2  0x44c600 in __connman_service_set_domainname() at src/service.c:2664
      connmand[12534]: #3  0x462d16 in apply_dhcp_invalidate_on_network() at src/dhcp.c:110
      connmand[12534]: #4  0x463c87 in dhcp_free() at src/dhcp.c:70
      connmand[12534]: #5  0x442bd8 in set_disconnected() at src/network.c:1009
      connmand[12534]: #6  0x442e10 in network_remove() at src/network.c:1120
      connmand[12534]: #7  0x442e77 in connman_network_driver_unregister() at src/network.c:1211
      connmand[12534]: #8  0x41cf88 in ethernet_exit() at plugins/ethernet.c:462
      connmand[12534]: #9  0x43f1d9 in __connman_plugin_cleanup() at src/plugin.c:202
      connmand[12534]: #10 0x4113f4 in main() at src/main.c:874
      connmand[12534]: #11 0x7fefba705413 in /lib64/libc.so.6
      97a4dd8e
    • Daniel Wagner's avatar
      service: Do complete state transition on disconnect with error code. · 6db7b976
      Daniel Wagner authored
      Normally, connman_agent_report_error() will report -EINPROGRESS. In this
      case we return early from service_indicate_state() and miss to call
      __connman_notifier_disconnect(). By missing to call
      __connman_notifier_disconnect() we end up in an inconsistent state
      machine.
      
      This was observed when wpa_supplicant reported a disconnect with
      reason code 1 (blocked) and connman_agent_reported_error() return
      -EINPROGRESS.
      
      Reported and tested by Henrik Persson.
      6db7b976
    • Daniel Wagner's avatar
      service: Move service_schedule_changed() up · 6cf9c410
      Daniel Wagner authored
      In order to be able to call service_schedule_changed() from
      move_service() we need to move service_schedule_chnaged() including
      the dependencies in front of move_service(). This avoids static
      function decleration.
      6cf9c410
    • Daniel Wagner's avatar
      dnsproxy: Free gresolv on exit · fd81ce7c
      Daniel Wagner authored
      valgrind reported a leak in __connman_wpad_start(). Though the resolv
      object will be reused and therefore valgrind is reported the wrong
      leaker. dnsproxy happely allocates the resolver but never releases it.
      fd81ce7c
    • Benoît Monin's avatar
      service: Do not reply twice to Connect · 566716df
      Benoît Monin authored
      Calling Connect an a service sometime triggers the following error message:
      
      dbus-daemon[591]: [system] Rejected send message, 0 matched rules;
      type="method_return", sender=":1.139" (uid=0 pid=27373
      comm="/usr/sbin/connmand ") interface="(unset)" member="(unset)" error
      name="(unset)" requested_reply="0" destination=":1.141" (uid=0 pid=27384
      comm="/usr/bin/connmanctl ")
      
      This is caused by ConnMan replying twice to the Connect method. It can be
      reproduced by calling connect on a manually configured ethernet service while
      checking the D-Bus exchange with dbus-monitor. The D-Bus daemon rejects the
      second reply since there is no corresponding method call.
      
      Fix this by moving the call to reply_pending out of __connman_service_connect
      to connect_service and removing the direct (and maybe duplicated) reply.
      
      Also remove the reply_pending call in __connman_service_disconnect, this is
      already done in service_indicate_state when entering the state
      CONNMAN_SERVICE_STATE_DISCONNECT.
      566716df
    • Peter Meerwald-Stadler's avatar
      service: Fix wrong use of wrong enum type in __connman_service_reset_ipconfig() · 0682b6de
      Peter Meerwald-Stadler authored
      address_updated() takes enum connman_ipconfig_type, not
      enum connman_ipconfig_method.
      
      CID 1393449
      0682b6de
    • vvavrychuk's avatar
      network: Fix noisy warning on every connect · baa54030
      vvavrychuk authored
      On every connect I get 'Skipping disconnect of ..., network is connecting'.
      This is happening because __connman_network_connect sets connecting
      flag before __connman_device_disconnect. The last function then prints
      warning due to this connecting flag.
      
      Changed order of assigning connecting and __connman_device_disconnect
      fixes this. Connman logic is not effected due to the way how flags
      connected and associating are handled in __connman_network_connect
      and __connman_network_disconnect.
      baa54030
    • Niraj Kumar Goit's avatar
      network: Wait 4 seconds for RA before re-sending RS messages · a3a4a14d
      Niraj Kumar Goit authored
      As per RFC 4861, a host should transmit up to 3 Router Solicitation
      messages, each separated by at least RTR_SOLICITATION_INTERVAL(4)
      seconds to obtain RA for IPv6 auto-configuration.
      a3a4a14d
    • Patrik Flykt's avatar
      service: Always call ipconfig notifier · a4aedf9c
      Patrik Flykt authored
      Always call the ipconfig notifier whether the code is waiting to
      announce the service for the first time with ServicesChanged
      signal or not.
      a4aedf9c
    • Patrik Flykt's avatar
      service: Remove additional network state check · 62ca0e86
      Patrik Flykt authored
      Network state indication is tracked with
      __connman_service_ipconfig_indicate_state().
      62ca0e86
    • Patrik Flykt's avatar
      service: Update nameservers and timeservers with address change · 76fb18dd
      Patrik Flykt authored
      When the IP address changes, nameservers need to be removed and
      re-added in order for them to pick up the changed IP address. The
      same applies to timeservers, restart the query for those as well.
      
      Reported by Måns Rullgård.
      76fb18dd
    • Patrik Flykt's avatar
      service: Update nameservers automatically · 1826c496
      Patrik Flykt authored
      Automatically update nameserver information when they are appended
      or removed to the resolver code so that nameservers for IPv6 can be
      signalled after IPv4 has moved the service to state 'ready'. Create
      a zero second timeout so that nameservers can be appended or removed
      in a loop one by one with only one D-Bus PropertyChanged signal
      being sent.
      
      Verify that the service is either connected or the nameservers have
      been removed when the service is inactive before sending the
      PropertyChanged signal.
      1826c496
    • Nishant Chaprana's avatar
    • Sam Nazarko's avatar
    • Jussi Laakkonen's avatar
      Merge branch 'jb53294' into 'master' · 60dcd1b6
      Jussi Laakkonen authored
      Fix crashing when removing service caused by double removal via inotify
      
      See merge request !311
      60dcd1b6
    • Jussi Laakkonen's avatar
      [storage] Add helper for getting user/system subdir list. JB#53294 · f5ea074e
      Jussi Laakkonen authored
      Replace separate if-else structures with a simple helper function.
      f5ea074e
  3. 11 Mar, 2021 2 commits
    • Jussi Laakkonen's avatar
      [storage] Ignore inotify if service is already removed. Fixes JB#53294 · fabe37b9
      Jussi Laakkonen authored
      Ignore inotify for a service that has been already removed. This may
      happen in cases when the service is removed normally using storage.c
      functionality but inotify still gets the notify about the removal of a
      dir as it is triggered by the actual removal.
      
      With this change the processing of the event is simply stopped if it
      does not exist anymore. Otherwise it would result in double freeing of
      the service causing connmand later on to segfault with:
      
      Thread 1 "connmand" received signal SIGSEGV, Segmentation fault.
      0x0007fb64 in __connman_access_service_policy_check (p=0xf7ac60, method=CONNMAN_ACCESS_SERVICE_GET_PROPERTY, arg=0x9c2a0 "Passphrase", sender=0x0,
          default_access=CONNMAN_ACCESS_DENY) at src/access.c:250
      250		if (p && p->driver->service_policy_check)
      (gdb) bt
      0  0x0007fb64 in __connman_access_service_policy_check (p=0xf7ac60, method=CONNMAN_ACCESS_SERVICE_GET_PROPERTY, arg=0x9c2a0 "Passphrase", sender=0x0,
          default_access=CONNMAN_ACCESS_DENY) at src/access.c:250
      1  0x00047552 in can_get_property (service=0xf05f30, default_access=<optimized out>, sender=0x0, name=<optimized out>) at src/service.c:3101
      2  restricted_string_changed (service=service@entry=0xf05f30, name=<optimized out>, value=value@entry=0x0, default_get_access=<optimized out>) at src/service.c:3142
      3  0x0004fbd2 in __connman_service_remove (service=0xf05f30) at src/service.c:5918
      4  0x000507cc in __connman_service_unload_services (services=<optimized out>, len=1) at src/service.c:9609
      5  0x00064ad8 in storage_inotify_cb (event=0xffaebc74, ident=<optimized out>, user_data=<optimized out>) at src/storage.c:528
      6  0x000793f0 in inotify_data (channel=<optimized out>, user_data=<optimized out>, cond=<optimized out>) at src/inotify.c:140
      7  0xeb9da982 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0
      8  0xeb9dabf0 in ?? () from /usr/lib/libglib-2.0.so.0
      9  0xeb9dae34 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
      10 0x00023982 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:994
      fabe37b9
    • Jussi Laakkonen's avatar
      [storage] Unregister service inotify prior to removal. JB#53294 · 9f0799a8
      Jussi Laakkonen authored
      In __connman_storage_remove_service() the service inotify should be
      removed always prior to removal of the service. Otherwise it may result
      in double attempt to remove the service, as inotify calls
      storage_inotify_cb() to remove the service after the file has been
      removed from disk.
      9f0799a8
  4. 08 Feb, 2021 4 commits
  5. 18 Dec, 2020 2 commits
    • Jussi Laakkonen's avatar
      Merge branch 'jb52008' into 'master' · 98e483b6
      Jussi Laakkonen authored
      [connman-vpn] Remove PrivateUsers option from service file. Contributes to JB#52008
      
      See merge request !306
      98e483b6
    • Igor Zhbanov's avatar
      [connman-vpn] Remove PrivateUsers option from service file. Contributes to JB#52008 · c98169c7
      Igor Zhbanov authored
      Remove PrivateUsers option from connman-vpn.service because this breaks
      connman-vpnd process access to the user's WLAN and VPN settings files.
      
      When enabled this option creates new user namespace, but the process loses all
      of the capabilities in the host (root) namespace. This means that connman-vpnd
      loses CAP_DAC_IGNORE which prevents it from entering e.g. /home/defaultuser
      directory. And because of the it can't access the saved WLAN and VPN settings,
      so the connman service "forgets" all saved networks.
      
      Also this option is not working on the old kernels like 3.10 making service
      start fail.
      Signed-off-by: Igor Zhbanov's avatarIgor Zhbanov <i.zhbanov@omprussia.ru>
      c98169c7
  6. 17 Dec, 2020 2 commits