tailscale

Commit Graph

Author	SHA1	Message	Date
Nick Khyl	551d6ae0f3	ipn, ipn/ipnauth: implement API surface for LocalBackend access checking We have a lot of access checks spread around the ipnserver, ipnlocal, localapi, and ipnauth packages, with a significant number of platform-specific checks that are used exclusively on either Windows or Unix-like platforms. Additionally, with the exception of a few Windows-specific checks, most of these checks are per-device rather than per-profile, which is not always correct even on single-user/single-session environments, but even more problematic on multi-user/multi-session environments such as Windows. We initially attempted to map all possible operations onto the permitRead/permitWrite access flags. However, these flags are not utilized on Windows and prove insufficient on Unix machines. Specifically, on Windows, the first user to connect is granted full access, while subsequent logged-in users have no access to the LocalAPI at all. This restriction applies regardless of the environment, local user roles (e.g., whether a Windows user is a local admin), or whether they are the active user on a shared Windows client device. Conversely, on Unix, we introduced the permitCert flag to enable granting non-root web servers (such as www-data, caddy, nginx, etc.) access to certificates. We also added additional access check to distinguish local admins (root on Unix-like platforms, elevated admins on Windows) from users with permitWrite access, and used it as a fix for the serve path LPE. A more fine-grained access control system could better suit our current and future needs, especially in improving the UX across various scenarios on corporate and personal Windows devices. This adds an API surface in ipnauth that will be used in LocalBackend to check access to individual Tailscale profiles as well as any device-wide information and operations. Updates tailscale/corp#18342 Signed-off-by: Nick Khyl <nickk@tailscale.com>	2 months ago
Andrew Lytvynov	bff527622d	ipn/ipnlocal,clientupdate: disallow auto-updates in containers (#11814 ) Containers are typically immutable and should be updated as a whole (and not individual packages within). Deny enablement of auto-updates in containers. Also, add the missing check in EditPrefs in LocalAPI, to catch cases like tailnet default auto-updates getting enabled for nodes that don't support it. Updates #11544 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Percy Wegmann	d16c1293e9	ipn/ipnlocal: remove origin and referer headers from Taildrive requests peerapi does not want these, but rclone includes them. Removing them allows rclone to work with Taildrive configured as a WebDAV remote. Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Percy Wegmann	94c0403104	ipn/ipnlocal: strip origin and referer headers from Taildrive requests peerapi does not want these, but rclone includes them. Stripping them out allows rclone to work with Taildrive configured as a WebDAV remote. Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>	2 months ago
Andrew Lytvynov	22bd506129	ipn/ipnlocal: hold the mutex when in onTailnetDefaultAutoUpdate (#11786 ) Turns out, profileManager is not safe for concurrent use and I missed all the locking infrastructure in LocalBackend, oops. I was not able to reproduce the race even with `go test -count 100`, but this seems like an obvious fix. Fixes #11773 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 months ago
Brad Fitzpatrick	21a0fe1b9b	ipn/store: omit AWS & Kubernetes support on 'small' Linux GOARCHes This removes AWS and Kubernetes support from Linux binaries by default on GOARCH values where people don't typically run on AWS or use Kubernetes, such as 32-bit mips CPUs. It primarily focuses on optimizing for the static binaries we distribute. But for people building it themselves, they can set ts_kube or ts_aws (the opposite of ts_omit_kube or ts_omit_aws) to force it back on. Makes tailscaled binary ~2.3MB (~7%) smaller. Updates #7272, #10627 etc Change-Id: I42a8775119ce006fa321462cb2d28bc985d1c146 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	7c1d6e35a5	all: use Go 1.22 range-over-int Updates #11058 Change-Id: I35e7ef9b90e83cac04ca93fd964ad00ed5b48430 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Jonathan Nobels	7e2b4268d6	ipn/{localapi, ipnlocal}: forget the prior exit node when localAPI is used to zero the ExitNodeID (#11681 ) Updates tailscale/corp#18724 When localAPI clients directly set ExitNodeID to "", the expected behaviour is that the prior exit node also gets zero'd - effectively setting the UI state back to 'no exit node was ever selected' The IntenalExitNodePrior has been changed to be a non-opaque type, as it is read by the UI to render the users last selected exit node, and must be concrete. Future-us can either break this, or deprecate it and replace it with something more interesting. Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>	2 months ago
Brad Fitzpatrick	3c1e2bba5b	ipn/ipnlocal: remove outdated iOS hacky workaround in Start We haven't needed this hack for quite some time Andrea says. Updates #11649 Change-Id: Ie854b7edd0a01e92495669daa466c7c0d57e7438 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	dd6c76ea24	ipn: remove unused Options.LegacyMigrationPrefs I'm on a mission to simplify LocalBackend.Start and its locking and deflake some tests. I noticed this hasn't been used since March 2023 when it was removed from the Windows client in corp 66be796d33c. So, delete. Updates #11649 Change-Id: I40f2cb75fb3f43baf23558007655f65a8ec5e1b2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	7ec0dc3834	ipn/ipnlocal: make StartLoginInteractive take (yet unused) context In prep for future fix to undermentioned issue. Updates tailscale/tailscale#7036 Change-Id: Ide114db917dcba43719482ffded6a9a54630d99e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Claire Wang	9171b217ba	cmd/tailscale, ipn/ipnlocal: add suggest exit node CLI option (#11407 ) Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>	2 months ago
Brad Fitzpatrick	b9aa7421d6	ipn/ipnlocal: remove some dead code (legacyBackend methods) from LocalBackend Nothing used it. Updates #11649 Change-Id: Ic1c331d947974cd7d4738ff3aafe9c498853689e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	bad3159b62	ipn/ipnlocal: delete useless SetControlClientGetterForTesting use Updates #11649 Change-Id: I56c069b9c97bd3e30ff87ec6655ec57e1698427c Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	8186cd0349	ipn/ipnlocal: delete redundant TestStatusWithoutPeers We have tstest/integration nowadays. And this test was one of the lone holdouts using the to-be-nuked SetControlClientGetterForTesting. Updates #11649 Change-Id: Icf8a6a2e9b8ae1ac534754afa898c00dc0b7623b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	68043a17c2	ipn/ipnlocal: centralize assignments to cc + ccAuto in new method cc vs ccAuto is a mess. It needs to go. But this is a baby step towards getting there. Updates #11649 Change-Id: I34f33934844e580bd823a7d8f2b945cf26c87b3b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	970b1e21d0	ipn/ipnlocal: inline assertClientLocked into its now sole caller Updates #11649 Change-Id: I8e2a5e59125a0cad5c0a8c9ed8930585f1735d03 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	170c618483	ipn/ipnlocal: remove dead code now that Android uses LocalAPI instead The new Android app and its libtailscale don't use this anymore; it uses LocalAPI like other clients now. Updates #11649 Change-Id: Ic9f42b41e0e0280b82294329093dc6c275f41d50 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
kari-ts	1cd51f95c7	ipnlocal: enable allow LAN for android (#11709 ) Updates tailscale/corp#18984 Updates tailscale/corp#18202	2 months ago
Brad Fitzpatrick	a5e1f7d703	ipn/{ipnlocal,localapi}: add API to toggle use of exit node This is primarily for GUIs, so they don't need to remember the most recently used exit node themselves. This adds some CLI commands, but they're disabled and behind the WIP envknob, as we need to consider naming (on/off is ambiguous with running an exit node, etc) as well as automatic exit node selection in the future. For now the CLI commands are effectively developer debug things to test the LocalAPI. Updates tailscale/corp#18724 Change-Id: I9a32b00e3ffbf5b29bfdcad996a4296b5e37be7e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	aa084a29c6	ipn/ipnlocal: name the unlockOnce type, plumb more, add Unlock method This names the func() that Once-unlocked LocalBackend.mu. It does so both for docs and because it can then have a method: Unlock, for the few points that need to explicitly unlock early (the cause of all this mess). This makes those ugly points easy to find, and also can then make them stricter, panicking if the mutex is already unlocked. So a normal call to the func just once-releases the mutex, returning false if it's already done, but the Unlock method is the strict one. Then this uses it more, so most the b.mu.Unlock calls remaining are simple cases and usually defers. Updates #11649 Change-Id: Ia070db66c54a55e59d2f76fdc26316abf0dd4627 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	5e7c0b025c	ipn/ipnlocal: add some "lockedOnEntry" helpers + guardrails, fix bug A number of methods in LocalBackend (with suffixed "LockedOnEntry") require b.mu be held but unlock it on the way out. That's asymmetric and atypical and error prone. This adds a helper method to LocalBackend that locks the mutex and returns a sync.OnceFunc that unlocks the mutex. Then we pass around that unlocker func down the chain to make it explicit (and somewhat type check the passing of ownership) but also let the caller defer unlock it, in the case of errors/panics that happen before the callee gets around to calling the unlock. This revealed a latent bug in LocalBackend.DeleteProfile which double unlocked the mutex. Updates #11649 Change-Id: I002f77567973bd77b8906bfa4ec9a2049b89836a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	38377c37b5	ipn/localapi: sort localapi handler map keys Updates #cleanup Change-Id: I750ed8d033954f1f8786fb35dd16895bb1c5af8e Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Charlotte Brandhorst-Satzkorn	8c75da27fc	drive: move normalizeShareName into pkg drive and make func public (#11638 ) This change makes the normalizeShareName function public, so it can be used for validation in control. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	3 months ago
Charlotte Brandhorst-Satzkorn	98cf71cd73	tailscale: switch tailfs to drive syntax for api and logs (#11625 ) This change switches the api to /drive, rather than the previous /tailfs as well as updates the log lines to reflect the new value. It also cleans up some existing tailfs references. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	3 months ago
Charlotte Brandhorst-Satzkorn	93618a3518	tailscale: update tailfs functions and vars to use drive naming (#11597 ) This change updates all tailfs functions and the majority of the tailfs variables to use the new drive naming. Updates tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	3 months ago
Brad Fitzpatrick	b9611461e5	ipn/ipnlocal: q-encode (RFC 2047) Tailscale serve header values Updates #11603 RELNOTE=Tailscale serve headers are now RFC 2047 Q-encoded Change-Id: I1314b65ecf5d39a5a601676346ec2c334fdef042 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Claire Wang	262fa8a01e	ipn/ipnlocal: populate peers' capabilities (#11365 ) Populates capabilties field of peers in ipn status. Updates tailscale/corp#17516 Signed-off-by: Claire Wang <claire@tailscale.com>	3 months ago
Charlotte Brandhorst-Satzkorn	14683371ee	tailscale: update tailfs file and package names (#11590 ) This change updates the tailfs file and package names to their new naming convention. Updates #tailscale/corp#16827 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	3 months ago
James Tucker	7558a1d594	ipn/ipnlocal: disable sockstats on (unstable) mobile by default We're tracking down a new instance of memory usage, and excessive memory usage from sockstats is definitely not going to help with debugging, so disable it by default on mobile. Updates tailscale/corp#18514 Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Percy Wegmann	66e4d843c1	ipn/localapi: add support for multipart POST to file-put This allows sending multiple files via Taildrop in one request. Progress is tracked via ipn.Notify. Updates tailscale/corp#18202 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Percy Wegmann	bed818a978	ipn/localapi: add support for multipart POST to file-put This allows sending multiple files via Taildrop in one request. Progress is tracked via ipn.Notify. Updates tailscale/corp#18202 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Percy Wegmann	eb42a16da9	ipn/ipnlocal: report Taildrive access message on failed responses For example, if we get a 404 when downloading a file, we'll report access. Also, to reduce verbosty of logs, this elides 0 length files. Updates tailscale/corp#17818 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Charlotte Brandhorst-Satzkorn	acb611f034	ipn/localipn: introduce logs for tailfs (#11496 ) This change introduces some basic logging into the access and share pathways for tailfs. Updates tailscale/corp#17818 Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>	3 months ago
Brad Fitzpatrick	a36cfb4d3d	tailcfg, ipn/ipnlocal, wgengine/magicsock: add only-tcp-443 node attr Updates tailscale/corp#17879 Change-Id: I0dc305d147b76c409cf729b599a94fa723aef0e0 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	7b34154df2	all: deprecate Node.Capabilities (more), remove PeerChange.Capabilities [capver 89] First we had Capabilities []string. Then https://tailscale.com/blog/acl-grants (#4217) brought CapMap, a superset of Capabilities. Except we never really finished the transition inside the codebase to go all-in on CapMap. This does so. Notably, this coverts Capabilities on the wire early to CapMap internally so the code can only deal in CapMap, even against an old control server. In the process, this removes PeerChange.Capabilities support, which no known control plane sent anyway. They can and should use PeerChange.CapMap instead. Updates #11508 Updates #4217 Change-Id: I872074e226b873f9a578d9603897b831d50b25d9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	b104688e04	ipn/ipnlocal, types/netmap: replace hasCapability with set lookup on NetworkMap When node attributes were super rare, the O(n) slice scans looking for node attributes was more acceptable. But now more code and more users are using increasingly more node attributes. Time to make it a map. Noticed while working on tailscale/corp#17879 Updates #cleanup Change-Id: Ic17c80341f418421002fbceb47490729048756d2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Percy Wegmann	8c88853db6	ipn/ipnlocal: add c2n /debug/pprof/allocs endpoint This behaves the same as typical debug/pprof/allocs. Updates tailscale/corp#18514 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
James Tucker	e0f97738ee	localapi: reduce garbage production in bus watcher Updates #optimization Signed-off-by: James Tucker <james@tailscale.com>	3 months ago
Brad Fitzpatrick	6a860cfb35	ipn/ipnlocal: add c2n pprof option to force a GC Like net/http/pprof has. Updates tailscale/corp#18514 Change-Id: I264adb6dcf5732d19707783b29b7273b4ca69cf4 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Percy Wegmann	067ed0bf6f	ipnlocal: ensure TailFS share notifications are non-nil This allows the UI to distinguish between 'no shares' versus 'not being notified about shares'. Updates ENG-2843 Signed-off-by: Percy Wegmann <percy@tailscale.com>	3 months ago
Irbe Krumina	b0c3e6f6c5	cmd/k8s-operator,ipn/conf.go: fix --accept-routes for proxies (#11453 ) Fix a bug where all proxies got configured with --accept-routes set to true. The bug was introduced in https://github.com/tailscale/tailscale/pull/11238. Updates#cleanup Signed-off-by: Irbe Krumina <irbe@tailscale.com>	3 months ago
Mario Minardi	d2ccfa4edd	cmd/tailscale,ipn/ipnlocal: enable web client over quad 100 by default (#11419 ) Enable the web client over 100.100.100.100 by default. Accepting traffic from [tailnet IP]:5252 still requires setting the `webclient` user pref. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	3 months ago
Mario Minardi	e0886ad167	ipn/ipnlocal, tailcfg: add disable-web-client node attribute (#11418 ) Add a disable-web-client node attribute and add handling for disabling the web client when this node attribute is set. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	3 months ago
Andrew Lytvynov	decd9893e4	ipn/ipnlocal: validate domain of PopBrowserURL on default control URL (#11394 ) If the client uses the default Tailscale control URL, validate that all PopBrowserURLs are under tailscale.com or *.tailscale.com. This reduces the risk of a compromised control plane opening phishing pages for example. The client trusts control for many other things, but this is one easy way to reduce that trust a bit. Fixes #11393 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	3 months ago
Brad Fitzpatrick	ad33e47270	ipn/{ipnlocal,localapi}: add debug verb to force spam IPN bus NetMap To force the problem in its worst case scenario before fixing it. Updates tailscale/corp#17859 Change-Id: I2c8b8e5f15c7801e1ab093feeafac52ec175a763 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
Percy Wegmann	e496451928	ipn,cmd/tailscale,client/tailscale: add support for renaming TailFS shares - Updates API to support renaming TailFS shares. - Adds a CLI rename subcommand for renaming a share. - Renames the CLI subcommand 'add' to 'set' to make it clear that this is an add or update. - Adds a unit test for TailFS in ipnlocal Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	6c160e6321	ipn,tailfs: tie TailFS share configuration to user profile Previously, the configuration of which folders to share persisted across profile changes. Now, it is tied to the user's profile. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	fd942b5384	ipn/ipnlocal: reduce allocations in TailFS share notifications This eliminates unnecessary map.Clone() calls and also eliminates repetitive notifications about the same set of shares. Updates tailscale/corp#16827 Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago
Percy Wegmann	6f66f5a75a	ipn: add comment about thread-safety to StateStore Updates #cleanup Signed-off-by: Percy Wegmann <percy@tailscale.com>	4 months ago

1 2 3 4 5 ...

1378 Commits (551d6ae0f3c08b4e3ccc1214dffd5ec2bba01f30)