tailscale

Commit Graph

Author	SHA1	Message	Date
Nick Khyl	551d6ae0f3	ipn, ipn/ipnauth: implement API surface for LocalBackend access checking We have a lot of access checks spread around the ipnserver, ipnlocal, localapi, and ipnauth packages, with a significant number of platform-specific checks that are used exclusively on either Windows or Unix-like platforms. Additionally, with the exception of a few Windows-specific checks, most of these checks are per-device rather than per-profile, which is not always correct even on single-user/single-session environments, but even more problematic on multi-user/multi-session environments such as Windows. We initially attempted to map all possible operations onto the permitRead/permitWrite access flags. However, these flags are not utilized on Windows and prove insufficient on Unix machines. Specifically, on Windows, the first user to connect is granted full access, while subsequent logged-in users have no access to the LocalAPI at all. This restriction applies regardless of the environment, local user roles (e.g., whether a Windows user is a local admin), or whether they are the active user on a shared Windows client device. Conversely, on Unix, we introduced the permitCert flag to enable granting non-root web servers (such as www-data, caddy, nginx, etc.) access to certificates. We also added additional access check to distinguish local admins (root on Unix-like platforms, elevated admins on Windows) from users with permitWrite access, and used it as a fix for the serve path LPE. A more fine-grained access control system could better suit our current and future needs, especially in improving the UX across various scenarios on corporate and personal Windows devices. This adds an API surface in ipnauth that will be used in LocalBackend to check access to individual Tailscale profiles as well as any device-wide information and operations. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>	4 weeks ago
Nick Khyl	9e1c86901b	wgengine\router: fix the Tailscale-In firewall rule to work on domain networks The Network Location Awareness service identifies networks authenticated against an Active Directory domain and categorizes them as "Domain Authenticated". This includes the Tailscale network if a Domain Controller is reachable through it. If a network is categories as NLM_NETWORK_CATEGORY_DOMAIN_AUTHENTICATED, it is not possible to override its category, and we shouldn't attempt to do so. Additionally, our Windows Firewall rules should be compatible with both private and domain networks. This fixes both issues. Fixes #11813 Signed-off-by: Nick Khyl <nickk@tailscale.com>	4 weeks ago
Andrew Lytvynov	bff527622d	ipn/ipnlocal,clientupdate: disallow auto-updates in containers (#11814 ) Containers are typically immutable and should be updated as a whole (and not individual packages within). Deny enablement of auto-updates in containers. Also, add the missing check in EditPrefs in LocalAPI, to catch cases like tailnet default auto-updates getting enabled for nodes that don't support it. Updates #11544 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	4 weeks ago
Andrew Lytvynov	b3fb3bf084	clientupdate: return OS-specific version from LatestTailscaleVersion (#11812 ) We don't always have the same latest version for all platforms (like with 1.64.2 is only Synology+Windows), so we should use the OS-specific result from pkgs JSON response instead of the main Version field. Updates #11795 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	4 weeks ago
Irbe Krumina	bbe194c80d	cmd/k8s-operator: correctly determine cluster domain (#11512 ) Kubernetes cluster domain defaults to 'cluster.local', but can also be customized. We need to determine cluster domain to set up in-cluster forwarding to our egress proxies. This was previously hardcoded to 'cluster.local', so was the egress proxies were not usable in clusters with custom domains. This PR ensures that we attempt to determine the cluster domain by parsing /etc/resolv.conf. In case the cluster domain cannot be determined from /etc/resolv.conf, we fall back to 'cluster.local'. Updates tailscale/tailscale#10399,tailscale/tailscale#11445 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	4 weeks ago
Percy Wegmann	d16c1293e9	ipn/ipnlocal: remove origin and referer headers from Taildrive requests peerapi does not want these, but rclone includes them. Removing them allows rclone to work with Taildrive configured as a WebDAV remote. Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 weeks ago
Percy Wegmann	94c0403104	ipn/ipnlocal: strip origin and referer headers from Taildrive requests peerapi does not want these, but rclone includes them. Stripping them out allows rclone to work with Taildrive configured as a WebDAV remote. Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 weeks ago
Percy Wegmann	787f8c08ec	drive: rewrite Location headers This ensures that MOVE, LOCK and any other verbs that use the Location header work correctly. Fixes #11758 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 weeks ago
Claire Wang	c24f2eee34	tailcfg: rename exit node destination network flow log node attribute (#11779 ) Updates tailscale/corp#18625 Signed-off-by: Claire Wang <claire@tailscale.com>	4 weeks ago
kari-ts	048cb61dd0	interfaces: create android impl (#11784 ) -Move Android impl into interfaces_android.go -Instead of using ip route to get the interface name, use the one passed in by Android (ip route is restricted in Android 13+ per termux/termux-app#2993) Follow-up will be to do the same for router Fixes tailscale/corp#19215 Fixes tailscale/corp#19124 Signed-off-by: kari-ts <kari@tailscale.com>	4 weeks ago
Aaron Klotz	7132b782d4	hostinfo: use Distro field for distinguishing Windows Server builds Some editions of Windows server share the same build number as their client counterpart; we must use an additional field found in the OS version information to distinguish between them. Even though "Distro" has Linux connotations, it is the most appropriate hostinfo field. What is Windows Server if not an alternate distribution of Windows? This PR populates Distro with "Server" when applicable. Fixes #11785 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	4 weeks ago
Percy Wegmann	02c6af2a69	cmd/tailscale: clarify Taildrive grants in help text Fixes #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 weeks ago
Chris Palmer	bdfaef4879	safeweb: allow object-src: self in CSP (#11782 ) This change is safe (self is still safe, by definition), and makes the code match the comment. Updates #cleanup Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	4 weeks ago
Andrew Lytvynov	e775de3c63	go.mod: bump golang.org/x/net (#11775 ) One more place to pick up a fix for https://pkg.go.dev/vuln/GO-2024-2687. Updates https://github.com/tailscale/corp/issues/18893 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	4 weeks ago
Adrian Dewhurst	c8b0adb382	docs/windows/policy: add missing key expiration warning interval Fixes #11345 Change-Id: Ib53b639690b77d1b7d857304dca2119f197227ce Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	4 weeks ago
Brad Fitzpatrick	03d5d1f0f9	wgengine/magicsock: disable portmapper in tunchan-faked tests Most of the magicsock tests fake the network, simulating packets going out and coming in. There's no reason to actually hit your router to do UPnP/NAT-PMP/PCP during in tests. But while debugging thousands of iterations of tests to deflake some things, I saw it slamming my router. This stops that. Updates #11762 Change-Id: I59b9f48f8f5aff1fa16b4935753d786342e87744 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 weeks ago
Andrew Lytvynov	22bd506129	ipn/ipnlocal: hold the mutex when in onTailnetDefaultAutoUpdate (#11786 ) Turns out, profileManager is not safe for concurrent use and I missed all the locking infrastructure in LocalBackend, oops. I was not able to reproduce the race even with `go test -count 100`, but this seems like an obvious fix. Fixes #11773 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	4 weeks ago
Chris Palmer	88a7767492	safeweb: set SameSite=Strict, with an option for Lax (#11781 ) Fixes #11780 Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	4 weeks ago
dependabot[bot]	dd48cad89a	build(deps-dev): bump vite from 5.1.4 to 5.1.7 in /client/web Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 5.1.4 to 5.1.7. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v5.1.7/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v5.1.7/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>	1 month ago
Andrew Dunham	b85c2b2313	net/dns/resolver: use SystemDial in DoH forwarder This ensures that we close the underlying connection(s) when a major link change happens. If we don't do this, on mobile platforms switching between WiFi and cellular can result in leftover connections in the http.Client's connection pool which are bound to the "wrong" interface. Updates #10821 Updates tailscale/corp#19124 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ibd51ce2efcaf4bd68e14f6fdeded61d4e99f9a01	1 month ago
Paul Scott	82394debb7	cmd/tailscale: add shell tab-completion The approach is lifted from cobra: `tailscale completion bash` emits a bash script for configuring the shell's autocomplete: . <( tailscale completion bash ) so that typing: tailscale st<TAB> invokes: tailscale completion __complete -- st RELNOTE=tailscale CLI now supports shell tab-completion Fixes #3793 Signed-off-by: Paul Scott <paul@tailscale.com>	1 month ago
Brad Fitzpatrick	21a0fe1b9b	ipn/store: omit AWS & Kubernetes support on 'small' Linux GOARCHes This removes AWS and Kubernetes support from Linux binaries by default on GOARCH values where people don't typically run on AWS or use Kubernetes, such as 32-bit mips CPUs. It primarily focuses on optimizing for the static binaries we distribute. But for people building it themselves, they can set ts_kube or ts_aws (the opposite of ts_omit_kube or ts_omit_aws) to force it back on. Makes tailscaled binary ~2.3MB (~7%) smaller. Updates #7272, #10627 etc Change-Id: I42a8775119ce006fa321462cb2d28bc985d1c146 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
dependabot[bot]	449be38e03	build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 (#11410 ) * build(deps): bump google.golang.org/protobuf from 1.32.0 to 1.33.0 Bumps google.golang.org/protobuf from 1.32.0 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * cmd/{derper,stund}: update depaware.txt Signed-off-by: Andrew Lytvynov <awly@tailscale.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Andrew Lytvynov <awly@tailscale.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Andrew Lytvynov <awly@tailscale.com>	1 month ago
Irbe Krumina	3ef7f895c8	go.{mod,sum}: bump nftables to the latest commit (#11772 ) Updates#deps Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 month ago
Andrew Dunham	226486eb9a	net/interfaces: handle removed interfaces in State.Equal This wasn't previously handling the case where an interface in s2 was removed and not present in s1, and would cause the Equal method to incorrectly return that the states were equal. Updates tailscale/corp#19124 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I3af22bc631015d1ddd0a1d01bfdf312161b9532d	1 month ago
Paul Scott	454a03a766	cmd/tailscale/cli: prepend "tailscale" to usage errors Updates #11626 Signed-off-by: Paul Scott <paul@tailscale.com>	1 month ago
Paul Scott	d07ede461a	cmd/tailscale/cli: fix "subcommand required" errors when typod Fixes #11672 Signed-off-by: Paul Scott <paul@tailscale.com>	1 month ago
Paul Scott	3ff3445e9d	cmd/tailscale/cli: improve ShortHelp/ShortUsage unit test, fix new errors Updates #11364 Signed-off-by: Paul Scott <paul@tailscale.com>	1 month ago
Paul Scott	eb34b8a173	cmd/tailscale/cli: remove explicit usageFunc - its default Updates #cleanup Signed-off-by: Paul Scott <paul@tailscale.com>	1 month ago
Paul Scott	a50e4e604e	cmd/tailscale/cli: remove duplicate "tailscale " in drive subcmd usage Updates #cleanup Signed-off-by: Paul Scott <paul@tailscale.com>	1 month ago
Paul Scott	62d4be873d	cmd/tailscale/cli: fix drive --help usage identation Updates #cleanup Signed-off-by: Paul Scott <paul@tailscale.com>	1 month ago
Brad Fitzpatrick	7c1d6e35a5	all: use Go 1.22 range-over-int Updates #11058 Change-Id: I35e7ef9b90e83cac04ca93fd964ad00ed5b48430 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	068db1f972	net/interfaces: delete unused unexported function It should've been deleted in `11ece02f52`. Updates #9040 Change-Id: If8a136bdb6c82804af658c9d2b0a8c63ce02d509 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Jonathan Nobels	7e2b4268d6	ipn/{localapi, ipnlocal}: forget the prior exit node when localAPI is used to zero the ExitNodeID (#11681 ) Updates tailscale/corp#18724 When localAPI clients directly set ExitNodeID to "", the expected behaviour is that the prior exit node also gets zero'd - effectively setting the UI state back to 'no exit node was ever selected' The IntenalExitNodePrior has been changed to be a non-opaque type, as it is read by the UI to render the users last selected exit node, and must be concrete. Future-us can either break this, or deprecate it and replace it with something more interesting. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	1 month ago
Brad Fitzpatrick	0fba9e7570	cmd/tailscale/cli: prevent concurrent Start calls in 'up' Seems to deflake tstest/integration tests. I can't reproduce it anymore on one of my VMs that was consistently flaking after a dozen runs before. Now I can run hundreds of times. Updates #11649 Fixes #7036 Change-Id: I2f7d4ae97500d507bdd78af9e92cd1242e8e44b8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Irbe Krumina	26f9bbc02b	cmd/k8s-operator,k8s-operator: document tailscale.com Custom Resource Definitions better. (#11665 ) Updates tailscale/tailscale#10880 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 month ago
Adrian Dewhurst	ca5cb41b43	tailcfg: document use of CapMap for peers Updates tailscale/corp#17516 Updates #11508 Change-Id: Iad2dafb38ffb9948bc2f3dfaf9c268f7d772cf56 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	1 month ago
Brad Fitzpatrick	3c1e2bba5b	ipn/ipnlocal: remove outdated iOS hacky workaround in Start We haven't needed this hack for quite some time Andrea says. Updates #11649 Change-Id: Ie854b7edd0a01e92495669daa466c7c0d57e7438 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	dd6c76ea24	ipn: remove unused Options.LegacyMigrationPrefs I'm on a mission to simplify LocalBackend.Start and its locking and deflake some tests. I noticed this hasn't been used since March 2023 when it was removed from the Windows client in corp 66be796d33c. So, delete. Updates #11649 Change-Id: I40f2cb75fb3f43baf23558007655f65a8ec5e1b2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	7ec0dc3834	ipn/ipnlocal: make StartLoginInteractive take (yet unused) context In prep for future fix to undermentioned issue. Updates tailscale/tailscale#7036 Change-Id: Ide114db917dcba43719482ffded6a9a54630d99e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Claire Wang	9171b217ba	cmd/tailscale, ipn/ipnlocal: add suggest exit node CLI option (#11407 ) Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>	1 month ago
Charlotte Brandhorst-Satzkorn	449f46c207	wgengine/magicsock: rebind/restun if a syscall.EPERM error is returned (#11711 ) We have seen in macOS client logs that the "operation not permitted", a syscall.EPERM error, is being returned when traffic is attempted to be sent. This may be caused by security software on the client. This change will perform a rebind and restun if we receive a syscall.EPERM error on clients running darwin. Rebinds will only be called if we haven't performed one specifically for an EPERM error in the past 5 seconds. Updates #11710 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	1 month ago
Will Norris	14c8b674ea	Revert "licenses: add gliderlabs/ssh license" The gliderlabs/ssh license is actually already included in the standard package listing. I'm not sure why I thought it wasn't. Updates tailscale/corp#5780 This reverts commit `11dca08e93`. Signed-off-by: Will Norris <will@tailscale.com>	1 month ago
Brad Fitzpatrick	952e06aa46	wgengine/router: don't attempt route cleanup on Synology Trying to run iptables/nftables on Synology pauses for minutes with lots of errors and ultimately does nothing as it's not used and we lack permissions. This fixes a regression from `db760d0bac` (#11601) that landed between Synology testing on unstable 1.63.110 and 1.64.0 being cut. Fixes #11737 Change-Id: Iaf9563363b8e45319a9b6fe94c8d5ffaecc9ccef Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Irbe Krumina	38fb23f120	cmd/k8s-operator,k8s-operator: allow users to configure proxy env vars via ProxyClass (#11743 ) Adds new ProxyClass.spec.statefulSet.pod.{tailscaleContainer,tailscaleInitContainer}.Env field that allow users to provide key, value pairs that will be set as env vars for the respective containers. Allow overriding all containerboot env vars, but warn that this is not supported and might break (in docs + a warning when validating ProxyClass). Updates tailscale/tailscale#10709 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	1 month ago
Brad Fitzpatrick	9258bcc360	Makefile: fix default SYNO_ARCH in Makefile It was broken with the move to dist in `32e0ba5e68` which doesn't accept amd64 anymore. Updates #cleanup Change-Id: Iaaaba2d73c6a09a226934fe8e5c18b16731ee7a6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	b9aa7421d6	ipn/ipnlocal: remove some dead code (legacyBackend methods) from LocalBackend Nothing used it. Updates #11649 Change-Id: Ic1c331d947974cd7d4738ff3aafe9c498853689e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	a6739c49df	paths: set default state path on AIX Updates #11361 Change-Id: I196727a540be6b7c75303f9958490b1d76189fd6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	271cfdb3d3	util/syspolicy: clean up doc grammar and consistency Updates #cleanup Change-Id: I912574cbd5ef4d8b7417b8b2a9b9a2ccfef88840 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago
Brad Fitzpatrick	bad3159b62	ipn/ipnlocal: delete useless SetControlClientGetterForTesting use Updates #11649 Change-Id: I56c069b9c97bd3e30ff87ec6655ec57e1698427c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 month ago

1 2 3 4 5 ...

7444 Commits (nickkhyl/ipn-user-identity) All Branches Search

7444 Commits (nickkhyl/ipn-user-identity)

All Branches