tailscale

Commit Graph

Author	SHA1	Message	Date
Adrian Dewhurst	b8ac3c5191	util/syspolicy: add some additional policy keys These policy keys are supported on Apple platforms in Swift code; in order to support them on platforms using Go (e.g. Windows), they also need to be recorded here. This does not affect any code, it simply adds the constants for now. Updates ENG-2240 Updates ENG-2127 Updates ENG-2133 Change-Id: I0aa9863a3641e5844479da3b162761452db1ef42 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	7 months ago
Adrian Dewhurst	1ef5bd5381	util/osdiag, util/winutil: expose Windows policy key The Windows base registry key is already exported but the policy key was not. util/osdiag currently replicates the string rather than the preferred approach of reusing the constant. Updates #cleanup Change-Id: I6c1c45337896c744059b85643da2364fb3f232f2 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	7 months ago
Aaron Klotz	855f79fad7	cmd/tailscaled, util/winutil: changes to process and token APIs in winutil This PR changes the internal getTokenInfo function to use generics. I also removed our own implementations for obtaining a token's user and primary group in favour of calling the ones now available in x/sys/windows. Furthermore, I added two new functions for working with tokens, logon session IDs, and Terminal Services / RDP session IDs. I modified our privilege enabling code to allow enabling of multiple privileges via one single function call. Finally, I added the ProcessImageName function and updated the code in tailscaled_windows.go to use that instead of directly calling the underlying API. All of these changes will be utilized by subsequent PRs pertaining to this issue. Updates https://github.com/tailscale/corp/issues/13998 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	7 months ago
Andrew Lytvynov	1fc1077052	ssh/tailssh,util: extract new osuser package from ssh code (#10170 ) This package is a wrapper for os/user that handles non-cgo builds, gokrazy and user shells. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Andrew Lytvynov	aba4bd0c62	util/winutil: simplify dropping privileges after use (#10099 ) To safely request and drop privileges, runtime.Lock/UnlockOSThread and windows.Impersonate/RevertToSelf should be called. Add these calls to winutil.EnableCurrentThreadPrivilege so that callers don't need to worry about it. Updates https://github.com/tailscale/corp/issues/15488 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	8 months ago
Claire Wang	5de8650466	syspolicy: add Allow LAN Access visibility key (#10113 ) Fixes tailscale/corp#15594 Signed-off-by: Claire Wang <claire@tailscale.com>	8 months ago
Aaron Klotz	fbc18410ad	ipn/ipnauth: improve the Windows token administrator check (Token).IsAdministrator is supposed to return true even when the user is running with a UAC limited token. The idea is that, for the purposes of this check, we don't care whether the user is currently* running with full Admin rights, we just want to know whether the user can potentially do so. We accomplish this by querying for the token's "linked token," which should be the fully-elevated variant, and checking its group memberships. We also switch ipn/ipnserver/(*Server).connIsLocalAdmin to use the elevation check to preserve those semantics for tailscale serve; I want the IsAdministrator check to be used for less sensitive things like toggling auto-update on and off. Fixes #10036 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	8 months ago
Brad Fitzpatrick	673ff2cb0b	util/groupmember: fail earlier if group doesn't exist, use slices.Contains Noticed both while re-reading this code. Updates #cleanup Change-Id: I3b70f1d5dc372853fa292ae1adbdee8cfc6a9a7b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	8 months ago
Chris Palmer	3a9f5c02bf	util/set: make Clone a method (#10044 ) Updates #cleanup Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	8 months ago
Chris Palmer	00375f56ea	util/set: add some more Set operations (#10022 ) Updates #cleanup Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	8 months ago
Maisem Ali	62d580f0e8	util/linuxfw: add missing error checks in tests This would surface as panics when run on Fly. Still fail, but at least don't panic. Updates #10003 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Andrea Gottardo	741d7bcefe	Revert "ipn/ipnlocal: add new DNS and subnet router policies" (#9962 ) This reverts commit `32194cdc70`. Signed-off-by: Nick O'Neill <nick@tailscale.com>	8 months ago
Adrian Dewhurst	32194cdc70	ipn/ipnlocal: add new DNS and subnet router policies In addition to the new policy keys for the new options, some already-in-use but missing policy keys are also being added to util/syspolicy. Updates ENG-2133 Change-Id: Iad08ca47f839ea6a65f81b76b4f9ef21183ebdc6 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	8 months ago
Maisem Ali	c3a8e63100	util/linuxfw: add additional nftable detection logic We were previously using the netlink API to see if there are chains/rules that already exist. This works fine in environments where there is either full nftable support or no support at all. However, we have identified certain environments which have partial nftable support and the only feasible way of detecting such an environment is to try to create some of the chains that we need. This adds a check to create a dummy postrouting chain which is immediately deleted. The goal of the check is to ensure we are able to use nftables and that it won't error out later. This check is only done in the path where we detected that the system has no preexisting nftable rules. Updates #5621 Updates #8555 Updates #8762 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Maisem Ali	b47cf04624	util/linuxfw: fix broken tests These tests were broken at HEAD. CI currently does not run these as root, will figure out how to do that in a followup. Updates #5621 Updates #8555 Updates #8762 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Kristoffer Dalby	e06f2f1873	ipn/ipnlocal: change serial number policy to be PreferenceOption This commit changes the PostureChecking syspolicy key to be a PreferenceOption(user-defined, always, never) instead of Bool. This aligns better with the defaults implementation on macOS allowing CLI arguments to be read when user-defined or no defaults is set. Updates #tailscale/tailscale/5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	8 months ago
Joe Tsai	9cb6c5bb78	util/httphdr: add new package for parsing HTTP headers (#9797 ) This adds support for parsing Range and Content-Range headers according to RFC 7230. The package could be extended in the future to handle other headers. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	9 months ago
Claire Wang	754fb9a8a8	tailcfg: add tailnet field to register request (#9675 ) Updates tailscale/corp#10967 Signed-off-by: Claire Wang <claire@tailscale.com>	9 months ago
James Tucker	11348fbe72	util/nocasemaps: import nocasemaps from corp This is a dependency of other code being imported later. Updates tailscale/corp#15043 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Maisem Ali	fbfee6a8c0	cmd/containerboot: use linuxfw.NetfilterRunner This migrates containerboot to reuse the NetfilterRunner used by tailscaled instead of manipulating iptables rule itself. This has the added advantage of now working with nftables and we can potentially drop the `iptables` command from the container image in the future. Updates #9310 Co-authored-by: Irbe Krumina <irbe@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Maisem Ali	aad3584319	util/linuxfw: move fake runner into pkg This allows using the fake runner in different packages that need to manage filter rules. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
Paul Scott	4e083e4548	util/cmpver: only consider ascii numerals (#9741 ) Fixes #9740 Signed-off-by: Paul Scott <paul@tailscale.com>	9 months ago
Maisem Ali	05a1f5bf71	util/linuxfw: move detection logic Just a refactor to consolidate the firewall detection logic in a single package so that it can be reused in a later commit by containerboot. Updates #9310 Signed-off-by: Maisem Ali <maisem@tailscale.com>	9 months ago
James Tucker	ba6ec42f6d	util/linuxfw: add missing input rule to the tailscale tun Add an explicit accept rule for input to the tun interface, as a mirror to the explicit rule to accept output from the tun interface. The rule matches any packet in to our tun interface and accepts it, and the rule is positioned and prioritized such that it should be evaluated prior to conventional ufw/iptables/nft rules. Updates #391 Fixes #7332 Updates #9084 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Kristoffer Dalby	7f540042d5	ipn/ipnlocal: use syspolicy to determine collection of posture data Updates #5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	9 months ago
Andrew Dunham	5902d51ba4	util/race: add test to confirm we don't leak goroutines Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Iff147268db50251d498fff5213adb8d4b8c999d4	9 months ago
Andrew Dunham	286c6ce27c	net/dns/resolver: race UDP and TCP queries (#9544 ) Instead of just falling back to making a TCP query to an upstream DNS server when the UDP query returns a truncated query, also start a TCP query in parallel with the UDP query after a given race timeout. This ensures that if the upstream DNS server does not reply over UDP (or if the response packet is blocked, or there's an error), we can still make queries if the server replies to TCP queries. This also adds a new package, util/race, to contain the logic required for racing two different functions and returning the first non-error answer. Updates tailscale/corp#14809 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I4311702016c1093b1beaa31b135da1def6d86316	9 months ago
Brad Fitzpatrick	b775a3799e	util/httpm, all: add a test to make sure httpm is used consistently Updates #cleanup Change-Id: I7dbf8a02de22fc6b317ab5e29cc97792dd75352c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Brad Fitzpatrick	5f5c9142cc	util/slicesx: add EqualSameNil, like slices.Equal but same nilness Then use it in tailcfg which had it duplicated a couple times. I think we have it a few other places too. And use slices.Equal in wgengine/router too. (found while looking for callers) Updates #cleanup Change-Id: If5350eee9b3ef071882a3db29a305081e4cd9d23 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	9 months ago
Claire Wang	a56e58c244	util/syspolicy: add read boolean setting (#9592 )	9 months ago
Chris Palmer	8833dc51f1	util/set: add some useful utility functions for Set (#9535 ) Also give each type of set its own file. Updates #cleanup Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	9 months ago
Claire Wang	32c0156311	util: add syspolicy package (#9550 ) Add a more generalized package for getting policies. Updates tailcale/corp#10967 Signed-off-by: Claire Wang <claire@tailscale.com> Co-authored-by: Adrian Dewhurst <adrian@tailscale.com>	9 months ago
James Tucker	2066f9fbb2	util/linuxfw: fix crash in DelSNATRule when no rules are found Appears to be a missing nil handling case. I looked back over other usage of findRule and the others all have nil guards. findRule returns nil when no rules are found matching the arguments. Fixes #9553 Signed-off-by: James Tucker <james@tailscale.com>	9 months ago
Claire Wang	e3d6236606	winutil: refactor methods to get values from registry to also return (#9536 ) errors Updates tailscale/corp#14879 Signed-off-by: Claire Wang <claire@tailscale.com>	9 months ago
David Anderson	ed50f360db	util/lru: update c.head when deleting the most recently used entry Fixes tailscale/corp#14747 Signed-off-by: David Anderson <danderson@tailscale.com> Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com> Signed-off-by: David Anderson <danderson@tailscale.com>	9 months ago
Brad Fitzpatrick	dc7aa98b76	all: use set.Set consistently instead of map[T]struct{} I didn't clean up the more idiomatic map[T]bool with true values, at least yet. I just converted the relatively awkward struct{}-valued maps. Updates #cleanup Change-Id: I758abebd2bb1f64bc7a9d0f25c32298f4679c14f Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
David Anderson	95082a8dde	util/lru, util/limiter: add debug helper to dump state as HTML For use in tsweb debug handlers, so that we can easily inspect cache and limiter state when troubleshooting. Updates tailscale/corp#3601 Signed-off-by: David Anderson <danderson@tailscale.com>	10 months ago
Craig Rodrigues	8452d273e3	util/linuxfw: Fix comment which lists supported linux arches Only arm64 and amd64 are supported Signed-off-by: Craig Rodrigues <rodrigc@crodrigues.org>	10 months ago
David Anderson	0909e90890	util/lru: replace container/list with a custom ring implementation pre-generics container/list is quite unpleasant to use, and the pointer manipulation operations for an LRU are simple enough to implement directly now that we have generic types. With this change, the LRU uses a ring (aka circularly linked list) rather than a simple doubly-linked list as its internals, because the ring makes list manipulation edge cases more regular: the only remaining edge case is the transition between 0 and 1 elements, rather than also having to deal specially with manipulating the first and last members of the list. While the primary purpose was improved readability of the code, as it turns out removing the indirection through an interface box also speeds up the LRU: │ before.txt │ after.txt │ │ sec/op │ sec/op vs base │ LRU-32 67.05n ± 2% 59.73n ± 2% -10.90% (p=0.000 n=20) │ before.txt │ after.txt │ │ B/op │ B/op vs base │ LRU-32 21.00 ± 0% 10.00 ± 0% -52.38% (p=0.000 n=20) │ before.txt │ after.txt │ │ allocs/op │ allocs/op vs base │ LRU-32 0.000 ± 0% 0.000 ± 0% ~ (p=1.000 n=20) ¹ Updates #cleanup Signed-off-by: David Anderson <danderson@tailscale.com>	10 months ago
David Anderson	472eb6f6f5	util/lru: add a microbenchmark The benchmark simulates an LRU being queries with uniformly random inputs, in a set that's too large for the LRU, which should stress the eviction codepath. Signed-off-by: David Anderson <danderson@tailscale.com>	10 months ago
David Anderson	96c2cd2ada	util/limiter: add a keyed token bucket rate limiter Updates tailscale/corp#3601 Signed-off-by: David Anderson <danderson@tailscale.com>	10 months ago
Anton Tolchanov	86b0fc5295	util/cmpver: add a few tests covering different OS versions Updates tailscale/corp#14491 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	10 months ago
Brad Fitzpatrick	7175f06e62	util/rands: add package with HexString func We use it a number of places in different repos. Might as well make one. Another use is coming. Updates #cleanup Change-Id: Ib7ce38de0db35af998171edee81ca875102349a4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Craig Rodrigues	8683ce78c2	client/web, clientupdate, util/linuxfw, wgengine/magicsock: Use %v verb for errors Replace %w verb with %v verb when logging errors. Use %w only for wrapping errors with fmt.Errorf() Fixes: #9213 Signed-off-by: Craig Rodrigues <rodrigc@crodrigues.org>	10 months ago
Maisem Ali	306b85b9a3	cmd/k8s-operator: add metrics to track usage Updates #502 Signed-off-by: Maisem Ali <maisem@tailscale.com>	10 months ago
Brad Fitzpatrick	4af22f3785	util/deephash: add IncludeFields, ExcludeFields HasherForType Options Updates tailscale/corp#6198 Change-Id: Iafc18c5b947522cf07a42a56f35c0319cc7b1c94 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago
Aaron Klotz	6b6a8cf843	util/osdiag: add query for Windows page file configuration and status It's very common for OOM crashes on Windows to be caused by lack of page file space (the NT kernel does not overcommit). Since Windows automatically manages page file space by default, unless the machine is out of disk space, this is typically caused by manual page file configurations that are too small. This patch obtains the current page file size, the amount of free page file space, and also determines whether the page file is automatically or manually managed. Fixes #9090 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	10 months ago
Aaron Klotz	5fb1695bcb	util/osdiag, util/osdiag/internal/wsc: add code to probe the Windows Security Center for installed software The Windows Security Center is a component that manages the registration of security products on a Windows system. Only products that have obtained a special cert from Microsoft may register themselves using the WSC API. Practically speaking, most vendors do in fact sign up for the program as it enhances their legitimacy. From our perspective, this is useful because it gives us a high-signal source of information to query for the security products installed on the system. I've tied this query into the osdiag package and is run during bugreports. It uses COM bindings that were automatically generated by my prototype metadata processor, however that program still has a few bugs, so I had to make a few manual tweaks. I dropped those binding into an internal package because (for the moment, at least) they are effectively purpose-built for the osdiag use case. We also update the wingoes dependency to pick up BSTR. Fixes #10646 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	10 months ago
Aaron Klotz	ea693eacb6	util/winutil: add RegisterForRestart, allowing programs to indicate their preferences to the Windows restart manager In order for the installer to restart the GUI correctly post-upgrade, we need the GUI to be able to register its restart preferences. This PR adds API support for doing so. I'm adding it to OSS so that it is available should we need to do any such registrations on OSS binaries in the future. Updates https://github.com/tailscale/corp/issues/13998 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	10 months ago
Brad Fitzpatrick	1b223566dd	util/linuxfw: fix typo in unexported doc comment And flesh it out and use idiomatic doc style ("whether" for bools) and end in a period while there anyway. Updates #cleanup Change-Id: Ieb82f13969656e2340c3510e7b102dc8e6932611 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	10 months ago

1 2 3 4 5 ...

282 Commits (kradalby-keys-db-interface)