tailscale

Commit Graph

Author	SHA1	Message	Date
James Tucker	0f3b2e7b86	util/expvarx: add a time and concurrency limiting expvar.Func wrapper expvarx.SafeFunc wraps an expvar.Func with a time limit. On reaching the time limit, calls to Value return nil, and no new concurrent calls to the underlying expvar.Func will be started until the call completes. Updates tailscale/corp#16999 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
as2643	832e5c781d	util/nocasemaps: add AppendSliceElem method to nocasemaps (#10871 ) Updates #7667 Signed-off-by: Anishka Singh <anishkasingh66@gmail.com>	5 months ago
Andrew Dunham	2ac7c0161b	util/slicesx: add Filter function For use in corp, where we appear to have re-implemented this in a few places with varying signatures. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id863a87e674f3caa87945519be8e09650e9c1d76	5 months ago
James Tucker	38a1cf748a	control/controlclient,util/execqueue: extract execqueue into a package This is a useful primitive for asynchronous execution of ordered work I want to use in another change. Updates tailscale/corp#16833 Signed-off-by: James Tucker <james@tailscale.com>	5 months ago
Joe Tsai	c25968e1c5	all: make use of ctxkey everywhere (#10846 ) Also perform minor cleanups on the ctxkey package itself. Provide guidance on when to use ctxkey.Key[T] over ctxkey.New. Also, allow for interface kinds because the value wrapping trick also happens to fix edge cases with interfaces in Go. Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	5 months ago
Joe Tsai	241a541864	util/ctxkey: add package for type-safe context keys (#10841 ) The lack of type-safety in context.WithValue leads to the common pattern of defining of package-scoped type to ensure global uniqueness: type fooKey struct{} func withFoo(ctx context, v Foo) context.Context { return context.WithValue(ctx, fooKey{}, v) } func fooValue(ctx context) Foo { v, _ := ctx.Value(fooKey{}).(Foo) return v } where usage becomes: ctx = withFoo(ctx, foo) foo := fooValue(ctx) With many different context keys, this can be quite tedious. Using generics, we can simplify this as: var fooKey = ctxkey.New("mypkg.fooKey", Foo{}) where usage becomes: ctx = fooKey.WithValue(ctx, foo) foo := fooKey.Value(ctx) See https://go.dev/issue/49189 Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	5 months ago
Aaron Klotz	aed2cfec4e	util/winutil: add some missing docs to restartmgr errors Just a quick #cleanup. Signed-off-by: Aaron Klotz <aaron@tailscale.com>	5 months ago
Aaron Klotz	5812093d31	util/winutil: publicize existing functions for opening read-only connections to the Windows Service Control Manager We're going to need to access these from code outside winutil. Updates #10215 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	5 months ago
Andrew Lytvynov	2716250ee8	all: cleanup unused code, part 2 (#10670 ) And enable U1000 check in staticcheck. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Andrew Lytvynov	1302bd1181	all: cleanup unused code, part 1 (#10661 ) Run `staticcheck` with `U1000` to find unused code. This cleans up about a half of it. I'll do the other half separately to keep PRs manageable. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 months ago
Andrew Dunham	a661287c4b	util/cmpx: remove code that's in the stdlib now The cmpx.Compare function (and associated interface) are now available in the standard library as cmp.Compare. Remove our version of it and use the version from the standard library. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I4be3ac63d466c05eb7a0babb25cb0d41816fbd53	6 months ago
Irbe Krumina	0cdc8e20d6	util/linuxfw: return created chain (#10563 ) Ensure that if getOrCreateChain creates a new chain, it actually returns the created chain Updates tailscale/tailscale#10399 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Adrian Dewhurst	86aa0485a6	ipn/ipnlocal, util/syspolicy: make run exit node a preference option Previously, the "RunExitNode" policy merely controlled the visibility of the "run as exit node" menu item, not the setting itself. This migrates that setting to a preference option named "AdvertiseExitNode". Updates ENG-2138 Change-Id: Ia6a125beb6b4563d380c6162637ce4088f1117a0 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	6 months ago
Andrea Gottardo	646d17ac8d	util/syspolicy: rename client metric keys (#10516 ) Updates ENG-2513. Renames client metrics keys used on Windows for consistency with Apple platforms. Signed-off-by: Andrea Gottardo <andrea@tailscale.com>	6 months ago
Andrew Dunham	9fd29f15c7	util/cache: add package for general-purpose caching This package allows caching arbitrary key/value pairs in-memory, along with an interface implemented by the cache types. Extracted from #7493 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic8ca820927c456721cf324a0c8f3882a57752cc9	6 months ago
Adrian Dewhurst	f706a3abd0	ipn/ipnlocal, util/syspolicy: add auto update policy Due to the Sparkle preference naming convention, macsys already has a policy key named "ApplyUpdates" that merely shows or hides the menu item that controls if auto updates are installed, rather than directly controlling the setting. For other platforms, we are going to use "InstallUpdates" instead because it seemed better than the other options that were considered. Updates ENG-2127 Updates tailscale/corp#16247 Change-Id: Ia6a125beb6b4563d380c6162637ce4088f1117a0 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	6 months ago
Adrian Dewhurst	af32d1c120	ipn/ipnlocal: better enforce system policies Previously, policies affected the default prefs for a new profile, but that does not affect existing profiles. This change ensures that policies are applied whenever preferences are loaded or changed, so a CLI or GUI client that does not respect the policies will still be overridden. Exit node IP is dropped from this PR as it was implemented elsewhere in #10172. Fixes tailscale/corp#15585 Change-Id: Ide4c3a4b00a64e43f506fa1fab70ef591407663f Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	6 months ago
Naman Sood	d46a4eced5	util/linuxfw, wgengine: allow ingress to magicsock UDP port on Linux (#10370 ) * util/linuxfw, wgengine: allow ingress to magicsock UDP port on Linux Updates #9084. Currently, we have to tell users to manually open UDP ports on Linux when certain firewalls (like ufw) are enabled. This change automates the process of adding and updating those firewall rules as magicsock changes what port it listens on. Signed-off-by: Naman Sood <mail@nsood.in>	6 months ago
Claire Wang	47db67fef5	util/syspolicy: add policy counters (#10471 ) Fixes tailscale/corp#16138 Signed-off-by: Claire Wang <claire@tailscale.com>	6 months ago
Naman Sood	0a59754eda	linuxfw,wgengine/route,ipn: add c2n and nodeattrs to control linux netfilter Updates tailscale/corp#14029. Signed-off-by: Naman Sood <mail@nsood.in>	6 months ago
Adrian Dewhurst	94a64c0017	util/syspolicy: rename incorrectly named policy keys These keys were intended to match the Apple platforms, but accidentally used the wrong name. Updates ENG-2133 Change-Id: I9ed7a17919e34e2d8896a5c64efc4d0c0003166e Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	6 months ago
Aaron Klotz	db39a43f06	util/winutil: add support for restarting Windows processes in specific sessions This PR is all about adding functionality that will enable the installer's upgrade sequence to terminate processes belonging to the previous version, and then subsequently restart instances belonging to the new version within the session(s) corresponding to the processes that were killed. There are multiple parts to this: * We add support for the Restart Manager APIs, which allow us to query the OS for a list of processes locking specific files; * We add the RestartableProcess and RestartableProcesses types that query additional information about the running processes that will allow us to correctly restart them in the future. These types also provide the ability to terminate the processes. * We add the StartProcessInSession family of APIs that permit us to create new processes within specific sessions. This is needed in order to properly attach a new GUI process to the same RDP session and desktop that its previously-terminated counterpart would have been running in. * I tweaked the winutil token APIs again. * A lot of this stuff is pretty hard to test without a very elaborate harness, but I added a unit test for the most complicated part (though it requires LocalSystem to run). Updates https://github.com/tailscale/corp/issues/13998 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	6 months ago
Claire Wang	8af503b0c5	syspolicy: add exit node related policies (#10172 ) Adds policy keys ExitNodeID and ExitNodeIP. Uses the policy keys to determine the exit node in preferences. Fixes tailscale/corp#15683 Signed-off-by: Claire Wang <claire@tailscale.com>	6 months ago
Andrew Dunham	5aa7687b21	util/httpm: don't run test if .git doesn't exist Updates #9635 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I9089200f9327605036c88fc12834acece0c11694	6 months ago
Andrew Lytvynov	2c1f14d9e6	util/set: implement json.Marshaler/Unmarshaler (#10308 ) Marshal as a JSON list instead of a map. Because set elements are `comparable` and not `cmp.Ordered`, we cannot easily sort the items before marshaling. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Claire Wang	b8a2aedccd	util/syspolicy: add caching handler (#10288 ) Fixes tailscale/corp#15850 Co-authored-by: Adrian Dewhurst <adrian@tailscale.com> Signed-off-by: Claire Wang <claire@tailscale.com>	7 months ago
Adrian Dewhurst	b8ac3c5191	util/syspolicy: add some additional policy keys These policy keys are supported on Apple platforms in Swift code; in order to support them on platforms using Go (e.g. Windows), they also need to be recorded here. This does not affect any code, it simply adds the constants for now. Updates ENG-2240 Updates ENG-2127 Updates ENG-2133 Change-Id: I0aa9863a3641e5844479da3b162761452db1ef42 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	7 months ago
Adrian Dewhurst	1ef5bd5381	util/osdiag, util/winutil: expose Windows policy key The Windows base registry key is already exported but the policy key was not. util/osdiag currently replicates the string rather than the preferred approach of reusing the constant. Updates #cleanup Change-Id: I6c1c45337896c744059b85643da2364fb3f232f2 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	7 months ago
Aaron Klotz	855f79fad7	cmd/tailscaled, util/winutil: changes to process and token APIs in winutil This PR changes the internal getTokenInfo function to use generics. I also removed our own implementations for obtaining a token's user and primary group in favour of calling the ones now available in x/sys/windows. Furthermore, I added two new functions for working with tokens, logon session IDs, and Terminal Services / RDP session IDs. I modified our privilege enabling code to allow enabling of multiple privileges via one single function call. Finally, I added the ProcessImageName function and updated the code in tailscaled_windows.go to use that instead of directly calling the underlying API. All of these changes will be utilized by subsequent PRs pertaining to this issue. Updates https://github.com/tailscale/corp/issues/13998 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	7 months ago
Andrew Lytvynov	1fc1077052	ssh/tailssh,util: extract new osuser package from ssh code (#10170 ) This package is a wrapper for os/user that handles non-cgo builds, gokrazy and user shells. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Andrew Lytvynov	aba4bd0c62	util/winutil: simplify dropping privileges after use (#10099 ) To safely request and drop privileges, runtime.Lock/UnlockOSThread and windows.Impersonate/RevertToSelf should be called. Add these calls to winutil.EnableCurrentThreadPrivilege so that callers don't need to worry about it. Updates https://github.com/tailscale/corp/issues/15488 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Claire Wang	5de8650466	syspolicy: add Allow LAN Access visibility key (#10113 ) Fixes tailscale/corp#15594 Signed-off-by: Claire Wang <claire@tailscale.com>	7 months ago
Aaron Klotz	fbc18410ad	ipn/ipnauth: improve the Windows token administrator check (Token).IsAdministrator is supposed to return true even when the user is running with a UAC limited token. The idea is that, for the purposes of this check, we don't care whether the user is currently* running with full Admin rights, we just want to know whether the user can potentially do so. We accomplish this by querying for the token's "linked token," which should be the fully-elevated variant, and checking its group memberships. We also switch ipn/ipnserver/(*Server).connIsLocalAdmin to use the elevation check to preserve those semantics for tailscale serve; I want the IsAdministrator check to be used for less sensitive things like toggling auto-update on and off. Fixes #10036 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	7 months ago
Brad Fitzpatrick	673ff2cb0b	util/groupmember: fail earlier if group doesn't exist, use slices.Contains Noticed both while re-reading this code. Updates #cleanup Change-Id: I3b70f1d5dc372853fa292ae1adbdee8cfc6a9a7b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Chris Palmer	3a9f5c02bf	util/set: make Clone a method (#10044 ) Updates #cleanup Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	7 months ago
Chris Palmer	00375f56ea	util/set: add some more Set operations (#10022 ) Updates #cleanup Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	7 months ago
Maisem Ali	62d580f0e8	util/linuxfw: add missing error checks in tests This would surface as panics when run on Fly. Still fail, but at least don't panic. Updates #10003 Signed-off-by: Maisem Ali <maisem@tailscale.com>	7 months ago
Andrea Gottardo	741d7bcefe	Revert "ipn/ipnlocal: add new DNS and subnet router policies" (#9962 ) This reverts commit `32194cdc70`. Signed-off-by: Nick O'Neill <nick@tailscale.com>	7 months ago
Adrian Dewhurst	32194cdc70	ipn/ipnlocal: add new DNS and subnet router policies In addition to the new policy keys for the new options, some already-in-use but missing policy keys are also being added to util/syspolicy. Updates ENG-2133 Change-Id: Iad08ca47f839ea6a65f81b76b4f9ef21183ebdc6 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	7 months ago
Maisem Ali	c3a8e63100	util/linuxfw: add additional nftable detection logic We were previously using the netlink API to see if there are chains/rules that already exist. This works fine in environments where there is either full nftable support or no support at all. However, we have identified certain environments which have partial nftable support and the only feasible way of detecting such an environment is to try to create some of the chains that we need. This adds a check to create a dummy postrouting chain which is immediately deleted. The goal of the check is to ensure we are able to use nftables and that it won't error out later. This check is only done in the path where we detected that the system has no preexisting nftable rules. Updates #5621 Updates #8555 Updates #8762 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Maisem Ali	b47cf04624	util/linuxfw: fix broken tests These tests were broken at HEAD. CI currently does not run these as root, will figure out how to do that in a followup. Updates #5621 Updates #8555 Updates #8762 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Kristoffer Dalby	e06f2f1873	ipn/ipnlocal: change serial number policy to be PreferenceOption This commit changes the PostureChecking syspolicy key to be a PreferenceOption(user-defined, always, never) instead of Bool. This aligns better with the defaults implementation on macOS allowing CLI arguments to be read when user-defined or no defaults is set. Updates #tailscale/tailscale/5902 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	8 months ago
Joe Tsai	9cb6c5bb78	util/httphdr: add new package for parsing HTTP headers (#9797 ) This adds support for parsing Range and Content-Range headers according to RFC 7230. The package could be extended in the future to handle other headers. Updates tailscale/corp#14772 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	8 months ago
Claire Wang	754fb9a8a8	tailcfg: add tailnet field to register request (#9675 ) Updates tailscale/corp#10967 Signed-off-by: Claire Wang <claire@tailscale.com>	8 months ago
James Tucker	11348fbe72	util/nocasemaps: import nocasemaps from corp This is a dependency of other code being imported later. Updates tailscale/corp#15043 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago
Maisem Ali	fbfee6a8c0	cmd/containerboot: use linuxfw.NetfilterRunner This migrates containerboot to reuse the NetfilterRunner used by tailscaled instead of manipulating iptables rule itself. This has the added advantage of now working with nftables and we can potentially drop the `iptables` command from the container image in the future. Updates #9310 Co-authored-by: Irbe Krumina <irbe@tailscale.com> Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Maisem Ali	aad3584319	util/linuxfw: move fake runner into pkg This allows using the fake runner in different packages that need to manage filter rules. Updates #cleanup Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Paul Scott	4e083e4548	util/cmpver: only consider ascii numerals (#9741 ) Fixes #9740 Signed-off-by: Paul Scott <paul@tailscale.com>	8 months ago
Maisem Ali	05a1f5bf71	util/linuxfw: move detection logic Just a refactor to consolidate the firewall detection logic in a single package so that it can be reused in a later commit by containerboot. Updates #9310 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
James Tucker	ba6ec42f6d	util/linuxfw: add missing input rule to the tailscale tun Add an explicit accept rule for input to the tun interface, as a mirror to the explicit rule to accept output from the tun interface. The rule matches any packet in to our tun interface and accepts it, and the rule is positioned and prioritized such that it should be evaluated prior to conventional ufw/iptables/nft rules. Updates #391 Fixes #7332 Updates #9084 Signed-off-by: James Tucker <james@tailscale.com>	8 months ago

1 2 3 4 5 ...

308 Commits (13f8a669d5cd3bd2af39c693f4878ecbbb4d56d1)