tailfs: disable TailFSForLocal via policy

Adds support for node attribute tailfs:access. If this attribute is not present, Tailscale will not accept connections to the local TailFS server at 100.100.100.100:8080. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>
10 months ago · ddcffaef7a
parent abab0d4197
commit ddcffaef7a
4 changed files with 31 additions and 3 deletions
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@ -3341,6 +3341,10 @@ func (b *LocalBackend) TCPHandlerForDst(src, dst netip.AddrPort) (handler func(c
 		fs, ok := b.sys.TailFSForLocal.GetOK()
 		if ok {
 			return func(conn net.Conn) error {
 				if !b.TailFSAccessEnabled() {
 					conn.Close()
 					return nil
 				}
 				return fs.HandleConn(conn, conn.RemoteAddr())
 			}, opts
 		}
--- a/ipn/ipnlocal/tailfs.go
+++ b/ipn/ipnlocal/tailfs.go
@ -46,7 +46,20 @@ func (b *LocalBackend) TailFSSharingEnabled() bool {
 }
 func (b *LocalBackend) tailFSSharingEnabledLocked() bool {
-	return b.netMap != nil && b.netMap.SelfNode.HasCap(tailcfg.NodeAttrsTailFSSharingEnabled)
+	return b.netMap != nil && b.netMap.SelfNode.HasCap(tailcfg.NodeAttrsTailFSShare)
 }
 // TailFSAccessEnabled reports whether accessing TailFS shares on remote nodes
 // is enabled. This is currently based on checking for the tailfs:access node
 // attribute.
 func (b *LocalBackend) TailFSAccessEnabled() bool {
 	b.mu.Lock()
 	defer b.mu.Unlock()
 	return b.tailFSAccessEnabledLocked()
 }
 func (b *LocalBackend) tailFSAccessEnabledLocked() bool {
 	return b.netMap != nil && b.netMap.SelfNode.HasCap(tailcfg.NodeAttrsTailFSAccess)
 }
 // TailFSSetFileServerAddr tells tailfs to use the given address for connecting
@ -272,6 +285,10 @@ func (b *LocalBackend) newTailFSListener(ctx context.Context, fs tailfs.FileSyst
 		logf:   logf,
 		handler: func(conn net.Conn) error {
 			if !b.TailFSAccessEnabled() {
 				conn.Close()
 				return nil
 			}
 			return fs.HandleConn(conn, conn.RemoteAddr())
 		},
 		bo: backoff.NewBackoff(fmt.Sprintf("tailfs-listener-%d", ap.Port()), logf, 30*time.Second),
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@ -2211,8 +2211,11 @@ const (
 	// tail end of an active direct connection in magicsock.
 	NodeAttrProbeUDPLifetime NodeCapability = "probe-udp-lifetime"
-	// NodeAttrsTailFSSharingEnabled enables sharing via TailFS.
+	// NodeAttrsTailFSShare enables sharing via TailFS.
-	NodeAttrsTailFSSharingEnabled NodeCapability = "tailfs:share"
+	NodeAttrsTailFSShare NodeCapability = "tailfs:share"
 	// NodeAttrsTailFSAccess enables accessing shares via TailFS.
 	NodeAttrsTailFSAccess NodeCapability = "tailfs:access"
 )
 // SetDNSRequest is a request to add a DNS record.
--- a/wgengine/netstack/netstack.go
+++ b/wgengine/netstack/netstack.go
@ -932,6 +932,10 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) {
 		if hittingDNS {
 			go ns.dns.HandleTCPConn(c, addrPort)
 		} else if hittingTailFS {
 			if !ns.lb.TailFSAccessEnabled() {
 				c.Close()
 				return
 			}
 			err := ns.tailFSForLocal.HandleConn(c, net.TCPAddrFromAddrPort(addrPort))
 			if err != nil {
 				ns.logf("netstack: tailfs.HandleConn: %v", err)