VERSION.txt: this is v1.68.1

Signed-off-by: Percy Wegmann <percy@tailscale.com>
ssh/tailssh: check IsSELinuxEnforcing in tailscaled process
2024-06-14 06:47:24 -05:00 · 2024-06-13 12:14:15 -05:00 · 2024-06-13 18:04:43 +01:00 · 2024-06-12 11:03:59 -06:00
4 changed files with 50 additions and 19 deletions
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.67.0
+1.68.1
--- a/ssh/tailssh/incubator.go
+++ b/ssh/tailssh/incubator.go
@@ -121,6 +121,13 @@ func (ss *sshSession) newIncubatorCommand(logf logger.Logf) (cmd *exec.Cmd, err
 		"--tty-name=",     // updated in-place by startWithPTY
 	}

+	// We have to check the below outside of the incubator process, because it
+	// relies on the "getenforce" command being on the PATH, which it is not
+	// when in the incubator.
+	if runtime.GOOS == "linux" && hostinfo.IsSELinuxEnforcing() {
+		incubatorArgs = append(incubatorArgs, "--is-selinux-enforcing")
+	}
+
 	forceV1Behavior := ss.conn.srv.lb.NetMap().HasCap(tailcfg.NodeAttrSSHBehaviorV1)
 	if forceV1Behavior {
 		incubatorArgs = append(incubatorArgs, "--force-v1-behavior")
@@ -167,20 +174,21 @@ func (stdRWC) Close() error {
 }

 type incubatorArgs struct {
-	loginShell      string
-	uid             int
-	gid             int
-	gids            []int
-	localUser       string
-	remoteUser      string
-	remoteIP        string
-	ttyName         string
-	hasTTY          bool
-	cmd             string
-	isSFTP          bool
-	isShell         bool
-	forceV1Behavior bool
-	debugTest       bool
+	loginShell         string
+	uid                int
+	gid                int
+	gids               []int
+	localUser          string
+	remoteUser         string
+	remoteIP           string
+	ttyName            string
+	hasTTY             bool
+	cmd                string
+	isSFTP             bool
+	isShell            bool
+	forceV1Behavior    bool
+	debugTest          bool
+	isSELinuxEnforcing bool
 }

 func parseIncubatorArgs(args []string) (incubatorArgs, error) {
@@ -202,6 +210,7 @@ func parseIncubatorArgs(args []string) (incubatorArgs, error) {
 	flags.BoolVar(&ia.isSFTP, "sftp", false, "run sftp server (cmd is ignored)")
 	flags.BoolVar(&ia.forceV1Behavior, "force-v1-behavior", false, "allow falling back to the su command if login is unavailable")
 	flags.BoolVar(&ia.debugTest, "debug-test", false, "should debug in test mode")
+	flags.BoolVar(&ia.isSELinuxEnforcing, "is-selinux-enforcing", false, "whether SELinux is in enforcing mode")
 	flags.Parse(args)

 	for _, g := range strings.Split(groups, ",") {
@@ -338,7 +347,7 @@ func shouldAttemptLoginShell(dlogf logger.Logf, ia incubatorArgs) bool {
 		return false
 	}

-	return runningAsRoot() && !hostinfo.IsSELinuxEnforcing()
+	return runningAsRoot() && !ia.isSELinuxEnforcing
 }

 func runningAsRoot() bool {
--- a/ssh/tailssh/testcontainers/Dockerfile
+++ b/ssh/tailssh/testcontainers/Dockerfile
@@ -31,9 +31,22 @@ RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegra
 RUN echo "Then run tests as non-root user testuser and make sure tests still pass."
 RUN chown testuser:groupone /tmp/tailscalessh.log
 RUN TAILSCALED_PATH=`pwd`tailscaled su -m testuser -c "./tailssh.test -test.v -test.run TestIntegration TestDoDropPrivileges"
+RUN chown root:root /tmp/tailscalessh.log
+
+RUN echo "Then run tests in a system that's pretending to be SELinux in enforcing mode"
+RUN mv /usr/bin/login /tmp/login_orig
+# Use nonsense for /usr/bin/login so that it fails.
+# It's not the same failure mode as in SELinux, but failure is good enough for test.
+RUN echo "adsfasdfasdf" > /usr/bin/login
+RUN chmod 755 /usr/bin/login
+# Simulate getenforce command
+RUN printf "#!/bin/bash\necho 'Enforcing'" > /usr/bin/getenforce
+RUN chmod 755 /usr/bin/getenforce
+RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegration
+RUN mv /tmp/login_orig /usr/bin/login
+RUN rm /usr/bin/getenforce

 RUN echo "Then remove the login command and make sure tests still pass."
-RUN chown root:root /tmp/tailscalessh.log
 RUN rm `which login`
 RUN rm -Rf /home/testuser
 RUN TAILSCALED_PATH=`pwd`tailscaled ./tailssh.test -test.v -test.run TestIntegrationSFTP
--- a/wgengine/netstack/netstack.go
+++ b/wgengine/netstack/netstack.go
@@ -831,9 +831,18 @@ func (ns *Impl) inject() {
 				// Only send to the host if this 4via6 route is
 				// something this node handles.
 				if ns.lb != nil && ns.lb.ShouldHandleViaIP(srcIP) {
-					sendToHost = true
+					dstIP := netip.AddrFrom16(v.DestinationAddress().As16())
+					// Also, only forward to the host if
+					// the packet is destined for a local
+					// IP; otherwise, we'd send traffic
+					// that's intended for another peer
+					// from the local 4via6 address to the
+					// host instead of outbound to
+					// WireGuard. See:
+					// https://github.com/tailscale/tailscale/issues/12448
+					sendToHost = ns.isLocalIP(dstIP)
 					if debugNetstack() {
-						ns.logf("netstack: sending 4via6 packet to host: %v", srcIP)
+						ns.logf("netstack: sending 4via6 packet to host: src=%v dst=%v", srcIP, dstIP)
 					}
 				}
 			}
Author	SHA1	Message	Date
Percy Wegmann	92eacec73f	VERSION.txt: this is v1.68.1 Signed-off-by: Percy Wegmann <percy@tailscale.com>	2024-06-14 06:47:24 -05:00
Percy Wegmann	a334efa41e	ssh/tailssh: check IsSELinuxEnforcing in tailscaled process Checking in the incubator as this used to do fails because the getenforce command is not on the PATH. Updates #12442 Signed-off-by: Percy Wegmann <percy@tailscale.com> (cherry picked from commit `d7fdc01f7f`)	2024-06-13 12:14:15 -05:00
Irbe Krumina	87a6138de9	wgengine/netstack: fix 4via6 subnet routes (#12454 ) (#12455 ) Fix a bug where, for a subnet router that advertizes 4via6 route, all packets with a source IP matching the 4via6 address were being sent to the host itself. Instead, only send to host packets whose destination address is host's local address. Fixes tailscale/tailscale#12448 Signed-off-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Andrew Dunham <andrew@du.nham.ca> (cherry picked from commit `88f2d234a4`)	2024-06-13 18:04:43 +01:00
Mario Minardi	52ddf0d016	VERSION.txt: this is v1.68.0 Signed-off-by: Mario Minardi <mario@tailscale.com>	2024-06-12 11:03:59 -06:00
@@ -1 +1 @@
 .67.0
 .68.1