Network disabling does not always work
Type of work: Code
Affected tool:
The test suite has reported once that it found eth0 to be up while the network disabling option was selected in the greeter. There is probably a problem in this feature. Debug log and info can be found in the 2016 June fragile test referencing ticket (#11087).
    Scenario: The Tails Greeter "disable all networking" option disables networking within Tails # features/checks.feature:99
    calling as root: echo 'hello?'
    call returned: [0, "hello?\n", ""]
    [log] CLICK on (1024,384)
    calling as root: /sbin/ifconfig eth0 | grep -q 'inet addr'
    call returned: [1, "", "eth0: error fetching interface information: Device not found\n"]
    calling as root: date -s '@1465635115'
    call returned: [0, "Sat Jun 11 08:51:55 UTC 2016\n", ""]
    Given I have started Tails from DVD without network and stopped at Tails Greeter's login screen # features/step_definitions/snapshots.rb:199
    [log] CLICK on (433,404)
    And I enable more Tails Greeter options # features/step_definitions/common_steps.rb:308
    [log] CLICK on (643,447)
    And I disable all networking in the Tails Greeter # features/step_definitions/checks.rb:240
    [log] CLICK on (512,671)
    [log] CLICK on (812,712)
    calling as root: test -e '/etc/sudoers.d/tails-greeter' -o -e '/etc/sudoers.d/tails-greeter-no-password-lecture'
    call returned: [1, "", ""]
    calling as root: test -e '/etc/sudoers.d/tails-greeter' -o -e '/etc/sudoers.d/tails-greeter-no-password-lecture'
    call returned: [0, "", ""]
    calling as amnesia: gsettings set org.gnome.desktop.session idle-delay 0
    call returned: [0, "", ""]
    calling as amnesia: gsettings set org.gnome.desktop.interface toolkit-accessibility true
    call returned: [0, "", ""]
    calling as amnesia: xdotool search --all --onlyvisible --maxdepth 1 --classname 'Florence'
    call returned: [1, "", ""]
    And I log in to a new session # features/step_definitions/common_steps.rb:292
    calling as root: . /usr/local/lib/tails-shell-library/hardware.sh && get_all_ethernet_nics
    call returned: [0, "eth0\n", ""]
    Then no network interfaces are enabled # features/step_definitions/mac_spoofing.rb:75
    <0> expected but was <1>. (Test::Unit::AssertionFailedError)
    ./features/step_definitions/mac_spoofing.rb:79:in `/^(\d+|no) network interface(?:s)? (?:is|are) enabled$/'
    features/checks.feature:104:in `Then no network interfaces are enabled'
    Scenario failed at time 00:58:11
    Screenshot: https://jenkins.tails.boum.org/job/test_Tails_ISO_devel/400/artifact/build-artifacts/00:58:11_The_Tails_Greeter__disable_all_networking__option_disables_networking_within_Tails.png
    Video: https://jenkins.tails.boum.org/job/test_Tails_ISO_devel/400/artifact/build-artifacts/00:58:11_The_Tails_Greeter__disable_all_networking__option_disables_networking_within_Tails.mkv
- Assignee set to anonym
- Priority changed from Normal to Elevated
Raising severity as this seems to be a potential security issue (violation of security expectations clearly communicated by the user).
Assigning to anonym, who added that feature. I'll probably propose a patch that hides this option if there's no progress on this ticket during the 2.6 release cycle: this will give anonym more time to research and fix this bug, without the pressure.
There seem to be two possible explanations:
- Could it be that the callback called in the Greeter when clicking "disable all networking" is not fast enough, and then we click "Login" before the Greeter has registered the user's decision? If that's the case, then 1. the bug is in the Greeter, not in the test suite; and 2. all other options such as using Tor bridges, and disabling MAC spoofing, are affected.
- The code that implements the offline feature is buggy and sometimes enables network when it should not => double check that.
I think we have a race in the greeter:
    def set_options_and_login(self):
        """Activate the selected options if they are valid"""
        if self.validate_options():
            self.greeter.login()
            self.set_password()
            self.set_macspoof()
            self.set_netconf()
I guess we've been relying on that login() will take enough time before it's done and the PostLogin script is called before some of the set_ functions are done. Notice that set_netconf is run last.
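
A toy model of the ordering problem described in the comment above, added here as an illustration; it is not tails-greeter code. `ToyGreeter`, the `netconf` key, its values and the enabled-by-default fallback are assumptions made for the example, and the model forces each interleaving instead of relying on timing.

```python
# Toy model of "login() before the options are stored"; not tails-greeter code.
# All names (ToyGreeter, the "netconf" key and its values) are hypothetical.

class ToyGreeter:
    """Stands in for the display manager: login() lets the session start and
    the PostLogin step acts on whatever settings exist at that moment."""

    def __init__(self, post_login_is_fast):
        self.post_login_is_fast = post_login_is_fast
        self.settings = {}       # models the store that PostLogin reads
        self.applied = None      # the value PostLogin actually acted on
        self._pending = False

    def _post_login(self):
        # Assumption: with nothing stored yet, networking stays enabled.
        self.applied = self.settings.get("netconf", "direct")

    def login(self):
        if self.post_login_is_fast:
            self._post_login()   # PostLogin wins the race
        else:
            self._pending = True # PostLogin runs after the setters

    def finish(self):
        if self._pending:
            self._post_login()
            self._pending = False


def racy_order(greeter, netconf):
    """Same order as the snippet in the ticket: login first, options after."""
    greeter.login()
    greeter.settings["netconf"] = netconf
    greeter.finish()
    return greeter.applied


def safe_order(greeter, netconf):
    """Store every option first, then hand control to login()."""
    greeter.settings["netconf"] = netconf
    greeter.login()
    greeter.finish()
    return greeter.applied


def network_disabled(order, post_login_is_fast):
    """True if PostLogin honoured the user's 'disable all networking' choice."""
    return order(ToyGreeter(post_login_is_fast), "disabled") == "disabled"
```

With the racy order the outcome depends on which side finishes first, which matches a failure seen only once by the test suite; with the safe order it does not.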