Bug #11593: Network disabling does not always work

Bug #11593

Network disabling does not always work

Added by bertagaz 2016-07-22 05:36:00 . Updated 2016-09-20 16:47:40 .

Status:

Resolved

Priority:

Elevated

Assignee:

Category:

Target version:

Tails_2.6

Start date:

2016-07-22

Due date:

% Done:

100%

Feature Branch:

Type of work:

Code

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

The test suite has reported once that it found eth0 to be up while the network disabling option was selected in the greeter. There is probably a problem in this feature. Debug log and infos can be found in the 2016 June fragile test referencing ticket (~~Bug #11087~~).


  Scenario: The Tails Greeter "disable all networking" option disables networking within Tails      # features/checks.feature:99
calling as root: echo 'hello?'
call returned: [0, "hello?\n", ""]
[log] CLICK on (1024,384)
calling as root: /sbin/ifconfig eth0 | grep -q 'inet addr'
call returned: [1, "", "eth0: error fetching interface information: Device not found\n"]
calling as root: date -s '@1465635115'
call returned: [0, "Sat Jun 11 08:51:55 UTC 2016\n", ""]
    Given I have started Tails from DVD without network and stopped at Tails Greeter's login screen # features/step_definitions/snapshots.rb:199
[log] CLICK on (433,404)
    And I enable more Tails Greeter options                                                         # features/step_definitions/common_steps.rb:308
[log] CLICK on (643,447)
    And I disable all networking in the Tails Greeter                                               # features/step_definitions/checks.rb:240
[log] CLICK on (512,671)
[log] CLICK on (812,712)
calling as root: test -e '/etc/sudoers.d/tails-greeter' -o -e '/etc/sudoers.d/tails-greeter-no-password-lecture'
call returned: [1, "", ""]
calling as root: test -e '/etc/sudoers.d/tails-greeter' -o -e '/etc/sudoers.d/tails-greeter-no-password-lecture'
call returned: [0, "", ""]
calling as amnesia: gsettings set org.gnome.desktop.session idle-delay 0
call returned: [0, "", ""]
calling as amnesia: gsettings set org.gnome.desktop.interface toolkit-accessibility true
call returned: [0, "", ""]
calling as amnesia: xdotool search --all --onlyvisible --maxdepth 1 --classname 'Florence'
call returned: [1, "", ""]
    And I log in to a new session                                                                   # features/step_definitions/common_steps.rb:292
calling as root: . /usr/local/lib/tails-shell-library/hardware.sh && get_all_ethernet_nics
call returned: [0, "eth0\n", ""]
    Then no network interfaces are enabled                                                          # features/step_definitions/mac_spoofing.rb:75
      <0> expected but was
      <1>. (Test::Unit::AssertionFailedError)
      ./features/step_definitions/mac_spoofing.rb:79:in `/^(\d+|no) network interface(?:s)? (?:is|are) enabled$/'
      features/checks.feature:104:in `Then no network interfaces are enabled'
      Scenario failed at time 00:58:11

      Screenshot: https://jenkins.tails.boum.org/job/test_Tails_ISO_devel/400/artifact/build-artifacts/00:58:11_The_Tails_Greeter__disable_all_networking__option_disables_networking_within_Tails.png

      Video: https://jenkins.tails.boum.org/job/test_Tails_ISO_devel/400/artifact/build-artifacts/00:58:11_The_Tails_Greeter__disable_all_networking__option_disables_networking_within_Tails.mkv

Subtasks

Related issues

Related to Tails - ~~Feature #6811~~: Add Tails Greeter option for disabling networking	Resolved	2014-05-11
Related to Tails - Bug #10774: MAC address spoofing failure notifications are not always displayed	Confirmed	2015-12-18

History

#1 Updated by intrigeri 2016-07-22 11:28:34

related to ~~Feature #6811~~: Add Tails Greeter option for disabling networking added

#2 Updated by intrigeri 2016-07-22 11:33:45

Assignee set to anonym
Priority changed from Normal to Elevated

Raising severity as this seems to be a potential security issue (violation of security expectations clearly communicated by the user).

Assigning to anonym, who added that feature. I’ll probably propose a patch that hides this option if there’s no progress on this ticket during the 2.6 release cycle: this will give anonym more time to research and fix this bug, without the pressure.

#3 Updated by intrigeri 2016-08-31 04:32:30

Description updated

#4 Updated by intrigeri 2016-08-31 04:38:05

There seem to be two possible explanations:

Could it be that the callback called in the Greeter when clicking “disable all networking” is not fast enough, and then we click “Login” before the Greeter has registered the user’s decision? If that’s the case, then 1. the bug is in the Greeter, not in the test suite; and 2. all other options such as using Tor bridges, and disabling MAC spoofing, are affected.
The code that implements the offline feature is buggy and sometimes enables network when it should not => double check that.

#5 Updated by anonym 2016-08-31 04:49:27

I think we have a race in the greeter:

    def set_options_and_login(self):
        """Activate the selected options if they are valid"""
        if self.validate_options():
            self.greeter.login()
            self.set_password()
            self.set_macspoof()
            self.set_netconf()

I guess we’ve been relying on that login() will take enough time before it’s done and the PostLogin script is called before some of the set_ functions are done. Notice that set_netconf is run last.

#6 Updated by intrigeri 2016-08-31 04:57:29

related to Bug #10774: MAC address spoofing failure notifications are not always displayed added

#7 Updated by anonym 2016-09-13 13:12:35

Status changed from Confirmed to Fix committed
Assignee deleted (~~anonym~~)
% Done changed from 0 to 100

A probable fix for this potential race is present in Tails Greeter 0.8.28, part of Tails 2.6~rc1. Let’s consider it as an actual fix unless proven otherwise.

#8 Updated by anonym 2016-09-20 16:47:41

Status changed from Fix committed to Resolved
QA Check set to Pass