tailscale

Commit Graph

Author	SHA1	Message	Date
Andrew Dunham	c1c50cfcc0	util/cloudenv: add support for DigitalOcean Updates #4984 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ib229eb40af36a80e6b0fd1dd0cabb07f0d50a7d1	4 months ago
James Tucker	24bac27632	util/rands: add Shuffle and Perm functions with on-stack RNG state The new math/rand/v2 package includes an m-local global random number generator that can not be reseeded by the user, which is suitable for most uses without the RNG pools we have in a number of areas of the code base. The new API still does not have an allocation-free way of performing a seeded operations, due to the long term compiler bug around interface parameter escapes, and the Source interface. This change introduces the two APIs that math/rand/v2 can not yet replace efficiently: seeded Perm() and Shuffle() operations. This implementation chooses to use the PCG random source from math/rand/v2, as with sufficient compiler optimization, this source should boil down to only two on-stack registers for random state under ideal conditions. Updates #17243 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
Joe Tsai	94a4f701c2	all: use reflect.TypeFor now available in Go 1.22 (#11078 ) Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	4 months ago
Joe Tsai	efddad7d7d	util/deephash: cleanup TODO in TestHash (#11080 ) Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	4 months ago
Brad Fitzpatrick	2bd3c1474b	util/cmpx: delete now that we're using Go 1.22 Updates #11058 Change-Id: I09dea8e86f03ec148b715efca339eab8b1f0f644 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 months ago
James Tucker	0b16620b80	.github/workflows: add privileged tests workflow We had missed regressions from privileged tests not running, now they can run. Updates #cleanup Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
Joe Tsai	60657ac83f	util/deephash: tighten up SelfHasher API (#11012 ) Providing a hash.Block512 is an implementation detail of how deephash works today, but providing an opaque type with mostly equivalent API (i.e., HashUint8, HashBytes, etc. methods) is still sensible. Thus, define a public Hasher type that exposes exactly the API that an implementation of SelfHasher would want to call. This gives us freedom to change the hashing algorithm of deephash at some point in the future. Also, this type is likely going to be called by types that are going to memoize their own hash results, we additionally add a HashSum method to simplify this use case. Add documentation to SelfHasher on how a type might implement it. Updates: corp#16409 Signed-off-by: Joe Tsai <joetsai@digital-static.net>	4 months ago
Joe Tsai	84f8311bcd	util/deephash: document pathological deephash behavior (#11010 ) Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	4 months ago
Tom DNetto	2aeef4e610	util/deephash: implement SelfHasher to allow types to hash themselves Updates: corp#16409 Signed-off-by: Tom DNetto <tom@tailscale.com>	4 months ago
James Tucker	0f3b2e7b86	util/expvarx: add a time and concurrency limiting expvar.Func wrapper expvarx.SafeFunc wraps an expvar.Func with a time limit. On reaching the time limit, calls to Value return nil, and no new concurrent calls to the underlying expvar.Func will be started until the call completes. Updates tailscale/corp#16999 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
as2643	832e5c781d	util/nocasemaps: add AppendSliceElem method to nocasemaps (#10871 ) Updates #7667 Signed-off-by: Anishka Singh <anishkasingh66@gmail.com>	4 months ago
Andrew Dunham	2ac7c0161b	util/slicesx: add Filter function For use in corp, where we appear to have re-implemented this in a few places with varying signatures. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Id863a87e674f3caa87945519be8e09650e9c1d76	4 months ago
James Tucker	38a1cf748a	control/controlclient,util/execqueue: extract execqueue into a package This is a useful primitive for asynchronous execution of ordered work I want to use in another change. Updates tailscale/corp#16833 Signed-off-by: James Tucker <james@tailscale.com>	4 months ago
Joe Tsai	c25968e1c5	all: make use of ctxkey everywhere (#10846 ) Also perform minor cleanups on the ctxkey package itself. Provide guidance on when to use ctxkey.Key[T] over ctxkey.New. Also, allow for interface kinds because the value wrapping trick also happens to fix edge cases with interfaces in Go. Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	5 months ago
Joe Tsai	241a541864	util/ctxkey: add package for type-safe context keys (#10841 ) The lack of type-safety in context.WithValue leads to the common pattern of defining of package-scoped type to ensure global uniqueness: type fooKey struct{} func withFoo(ctx context, v Foo) context.Context { return context.WithValue(ctx, fooKey{}, v) } func fooValue(ctx context) Foo { v, _ := ctx.Value(fooKey{}).(Foo) return v } where usage becomes: ctx = withFoo(ctx, foo) foo := fooValue(ctx) With many different context keys, this can be quite tedious. Using generics, we can simplify this as: var fooKey = ctxkey.New("mypkg.fooKey", Foo{}) where usage becomes: ctx = fooKey.WithValue(ctx, foo) foo := fooKey.Value(ctx) See https://go.dev/issue/49189 Updates #cleanup Signed-off-by: Joe Tsai <joetsai@digital-static.net>	5 months ago
Aaron Klotz	aed2cfec4e	util/winutil: add some missing docs to restartmgr errors Just a quick #cleanup. Signed-off-by: Aaron Klotz <aaron@tailscale.com>	5 months ago
Aaron Klotz	5812093d31	util/winutil: publicize existing functions for opening read-only connections to the Windows Service Control Manager We're going to need to access these from code outside winutil. Updates #10215 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	5 months ago
Andrew Lytvynov	2716250ee8	all: cleanup unused code, part 2 (#10670 ) And enable U1000 check in staticcheck. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Andrew Lytvynov	1302bd1181	all: cleanup unused code, part 1 (#10661 ) Run `staticcheck` with `U1000` to find unused code. This cleans up about a half of it. I'll do the other half separately to keep PRs manageable. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	5 months ago
Andrew Dunham	a661287c4b	util/cmpx: remove code that's in the stdlib now The cmpx.Compare function (and associated interface) are now available in the standard library as cmp.Compare. Remove our version of it and use the version from the standard library. Updates #cleanup Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I4be3ac63d466c05eb7a0babb25cb0d41816fbd53	5 months ago
Irbe Krumina	0cdc8e20d6	util/linuxfw: return created chain (#10563 ) Ensure that if getOrCreateChain creates a new chain, it actually returns the created chain Updates tailscale/tailscale#10399 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	6 months ago
Adrian Dewhurst	86aa0485a6	ipn/ipnlocal, util/syspolicy: make run exit node a preference option Previously, the "RunExitNode" policy merely controlled the visibility of the "run as exit node" menu item, not the setting itself. This migrates that setting to a preference option named "AdvertiseExitNode". Updates ENG-2138 Change-Id: Ia6a125beb6b4563d380c6162637ce4088f1117a0 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	6 months ago
Andrea Gottardo	646d17ac8d	util/syspolicy: rename client metric keys (#10516 ) Updates ENG-2513. Renames client metrics keys used on Windows for consistency with Apple platforms. Signed-off-by: Andrea Gottardo <andrea@tailscale.com>	6 months ago
Andrew Dunham	9fd29f15c7	util/cache: add package for general-purpose caching This package allows caching arbitrary key/value pairs in-memory, along with an interface implemented by the cache types. Extracted from #7493 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic8ca820927c456721cf324a0c8f3882a57752cc9	6 months ago
Adrian Dewhurst	f706a3abd0	ipn/ipnlocal, util/syspolicy: add auto update policy Due to the Sparkle preference naming convention, macsys already has a policy key named "ApplyUpdates" that merely shows or hides the menu item that controls if auto updates are installed, rather than directly controlling the setting. For other platforms, we are going to use "InstallUpdates" instead because it seemed better than the other options that were considered. Updates ENG-2127 Updates tailscale/corp#16247 Change-Id: Ia6a125beb6b4563d380c6162637ce4088f1117a0 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	6 months ago
Adrian Dewhurst	af32d1c120	ipn/ipnlocal: better enforce system policies Previously, policies affected the default prefs for a new profile, but that does not affect existing profiles. This change ensures that policies are applied whenever preferences are loaded or changed, so a CLI or GUI client that does not respect the policies will still be overridden. Exit node IP is dropped from this PR as it was implemented elsewhere in #10172. Fixes tailscale/corp#15585 Change-Id: Ide4c3a4b00a64e43f506fa1fab70ef591407663f Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	6 months ago
Naman Sood	d46a4eced5	util/linuxfw, wgengine: allow ingress to magicsock UDP port on Linux (#10370 ) * util/linuxfw, wgengine: allow ingress to magicsock UDP port on Linux Updates #9084. Currently, we have to tell users to manually open UDP ports on Linux when certain firewalls (like ufw) are enabled. This change automates the process of adding and updating those firewall rules as magicsock changes what port it listens on. Signed-off-by: Naman Sood <mail@nsood.in>	6 months ago
Claire Wang	47db67fef5	util/syspolicy: add policy counters (#10471 ) Fixes tailscale/corp#16138 Signed-off-by: Claire Wang <claire@tailscale.com>	6 months ago
Naman Sood	0a59754eda	linuxfw,wgengine/route,ipn: add c2n and nodeattrs to control linux netfilter Updates tailscale/corp#14029. Signed-off-by: Naman Sood <mail@nsood.in>	6 months ago
Adrian Dewhurst	94a64c0017	util/syspolicy: rename incorrectly named policy keys These keys were intended to match the Apple platforms, but accidentally used the wrong name. Updates ENG-2133 Change-Id: I9ed7a17919e34e2d8896a5c64efc4d0c0003166e Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	6 months ago
Aaron Klotz	db39a43f06	util/winutil: add support for restarting Windows processes in specific sessions This PR is all about adding functionality that will enable the installer's upgrade sequence to terminate processes belonging to the previous version, and then subsequently restart instances belonging to the new version within the session(s) corresponding to the processes that were killed. There are multiple parts to this: * We add support for the Restart Manager APIs, which allow us to query the OS for a list of processes locking specific files; * We add the RestartableProcess and RestartableProcesses types that query additional information about the running processes that will allow us to correctly restart them in the future. These types also provide the ability to terminate the processes. * We add the StartProcessInSession family of APIs that permit us to create new processes within specific sessions. This is needed in order to properly attach a new GUI process to the same RDP session and desktop that its previously-terminated counterpart would have been running in. * I tweaked the winutil token APIs again. * A lot of this stuff is pretty hard to test without a very elaborate harness, but I added a unit test for the most complicated part (though it requires LocalSystem to run). Updates https://github.com/tailscale/corp/issues/13998 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	6 months ago
Claire Wang	8af503b0c5	syspolicy: add exit node related policies (#10172 ) Adds policy keys ExitNodeID and ExitNodeIP. Uses the policy keys to determine the exit node in preferences. Fixes tailscale/corp#15683 Signed-off-by: Claire Wang <claire@tailscale.com>	6 months ago
Andrew Dunham	5aa7687b21	util/httpm: don't run test if .git doesn't exist Updates #9635 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I9089200f9327605036c88fc12834acece0c11694	6 months ago
Andrew Lytvynov	2c1f14d9e6	util/set: implement json.Marshaler/Unmarshaler (#10308 ) Marshal as a JSON list instead of a map. Because set elements are `comparable` and not `cmp.Ordered`, we cannot easily sort the items before marshaling. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	6 months ago
Claire Wang	b8a2aedccd	util/syspolicy: add caching handler (#10288 ) Fixes tailscale/corp#15850 Co-authored-by: Adrian Dewhurst <adrian@tailscale.com> Signed-off-by: Claire Wang <claire@tailscale.com>	7 months ago
Adrian Dewhurst	b8ac3c5191	util/syspolicy: add some additional policy keys These policy keys are supported on Apple platforms in Swift code; in order to support them on platforms using Go (e.g. Windows), they also need to be recorded here. This does not affect any code, it simply adds the constants for now. Updates ENG-2240 Updates ENG-2127 Updates ENG-2133 Change-Id: I0aa9863a3641e5844479da3b162761452db1ef42 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	7 months ago
Adrian Dewhurst	1ef5bd5381	util/osdiag, util/winutil: expose Windows policy key The Windows base registry key is already exported but the policy key was not. util/osdiag currently replicates the string rather than the preferred approach of reusing the constant. Updates #cleanup Change-Id: I6c1c45337896c744059b85643da2364fb3f232f2 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	7 months ago
Aaron Klotz	855f79fad7	cmd/tailscaled, util/winutil: changes to process and token APIs in winutil This PR changes the internal getTokenInfo function to use generics. I also removed our own implementations for obtaining a token's user and primary group in favour of calling the ones now available in x/sys/windows. Furthermore, I added two new functions for working with tokens, logon session IDs, and Terminal Services / RDP session IDs. I modified our privilege enabling code to allow enabling of multiple privileges via one single function call. Finally, I added the ProcessImageName function and updated the code in tailscaled_windows.go to use that instead of directly calling the underlying API. All of these changes will be utilized by subsequent PRs pertaining to this issue. Updates https://github.com/tailscale/corp/issues/13998 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	7 months ago
Andrew Lytvynov	1fc1077052	ssh/tailssh,util: extract new osuser package from ssh code (#10170 ) This package is a wrapper for os/user that handles non-cgo builds, gokrazy and user shells. Updates tailscale/corp#15405 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Andrew Lytvynov	aba4bd0c62	util/winutil: simplify dropping privileges after use (#10099 ) To safely request and drop privileges, runtime.Lock/UnlockOSThread and windows.Impersonate/RevertToSelf should be called. Add these calls to winutil.EnableCurrentThreadPrivilege so that callers don't need to worry about it. Updates https://github.com/tailscale/corp/issues/15488 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	7 months ago
Claire Wang	5de8650466	syspolicy: add Allow LAN Access visibility key (#10113 ) Fixes tailscale/corp#15594 Signed-off-by: Claire Wang <claire@tailscale.com>	7 months ago
Aaron Klotz	fbc18410ad	ipn/ipnauth: improve the Windows token administrator check (Token).IsAdministrator is supposed to return true even when the user is running with a UAC limited token. The idea is that, for the purposes of this check, we don't care whether the user is currently* running with full Admin rights, we just want to know whether the user can potentially do so. We accomplish this by querying for the token's "linked token," which should be the fully-elevated variant, and checking its group memberships. We also switch ipn/ipnserver/(*Server).connIsLocalAdmin to use the elevation check to preserve those semantics for tailscale serve; I want the IsAdministrator check to be used for less sensitive things like toggling auto-update on and off. Fixes #10036 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	7 months ago
Brad Fitzpatrick	673ff2cb0b	util/groupmember: fail earlier if group doesn't exist, use slices.Contains Noticed both while re-reading this code. Updates #cleanup Change-Id: I3b70f1d5dc372853fa292ae1adbdee8cfc6a9a7b Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Chris Palmer	3a9f5c02bf	util/set: make Clone a method (#10044 ) Updates #cleanup Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	7 months ago
Chris Palmer	00375f56ea	util/set: add some more Set operations (#10022 ) Updates #cleanup Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	7 months ago
Maisem Ali	62d580f0e8	util/linuxfw: add missing error checks in tests This would surface as panics when run on Fly. Still fail, but at least don't panic. Updates #10003 Signed-off-by: Maisem Ali <maisem@tailscale.com>	7 months ago
Andrea Gottardo	741d7bcefe	Revert "ipn/ipnlocal: add new DNS and subnet router policies" (#9962 ) This reverts commit `32194cdc70`. Signed-off-by: Nick O'Neill <nick@tailscale.com>	7 months ago
Adrian Dewhurst	32194cdc70	ipn/ipnlocal: add new DNS and subnet router policies In addition to the new policy keys for the new options, some already-in-use but missing policy keys are also being added to util/syspolicy. Updates ENG-2133 Change-Id: Iad08ca47f839ea6a65f81b76b4f9ef21183ebdc6 Signed-off-by: Adrian Dewhurst <adrian@tailscale.com>	7 months ago
Maisem Ali	c3a8e63100	util/linuxfw: add additional nftable detection logic We were previously using the netlink API to see if there are chains/rules that already exist. This works fine in environments where there is either full nftable support or no support at all. However, we have identified certain environments which have partial nftable support and the only feasible way of detecting such an environment is to try to create some of the chains that we need. This adds a check to create a dummy postrouting chain which is immediately deleted. The goal of the check is to ensure we are able to use nftables and that it won't error out later. This check is only done in the path where we detected that the system has no preexisting nftable rules. Updates #5621 Updates #8555 Updates #8762 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago
Maisem Ali	b47cf04624	util/linuxfw: fix broken tests These tests were broken at HEAD. CI currently does not run these as root, will figure out how to do that in a followup. Updates #5621 Updates #8555 Updates #8762 Signed-off-by: Maisem Ali <maisem@tailscale.com>	8 months ago

1 2 3 4 5 ...

317 Commits (f4e3ee53ea4605d400df2ef6b6005b026661f96b)