From fabbcd7fb5bb64ef82348c47170825180bef0c43 Mon Sep 17 00:00:00 2001
From: Pekka Helenius
Date: Tue, 8 Jun 2021 08:53:02 +0300
Subject: [PATCH] Add files for enforced DNS
---
anbox_files/dns_enforced/README.md | 9 ++++++
anbox_files/dns_enforced/anbox-exec.sh | 29 +++++++++++++++++++
anbox_files/dns_enforced/anbox-restart.sh | 7 +++++
.../dns_enforced/anbox-session-manager | 13 +++++++++
anbox_files/dns_enforced/local-iptables | 4 +++
5 files changed, 62 insertions(+)
create mode 100644 anbox_files/dns_enforced/README.md
create mode 100644 anbox_files/dns_enforced/anbox-exec.sh
create mode 100644 anbox_files/dns_enforced/anbox-restart.sh
create mode 100644 anbox_files/dns_enforced/anbox-session-manager
create mode 100644 anbox_files/dns_enforced/local-iptables
diff --git a/anbox_files/dns_enforced/README.md b/anbox_files/dns_enforced/README.md
new file mode 100644
index 0000000..6de9f17
--- /dev/null
+++ b/anbox_files/dns_enforced/README.md
@@ -0,0 +1,9 @@
+## Installation
+
+`anbox-restart.sh` -> `/usr/local/bin/anbox-restart` and `chmod +x $(which anbox-restart)`
+
+`anbox-exec` -> `/usr/local/bin/anbox-exec` and `chmod +x $(which anbox-exec)`
+
+`anbox-session-manager` -> `/usr/local/bin/anbox-session-manager` and `chmod +x $(which anbox-session-manager)`
+
+`local-iptables` -> apply rules to your iptables, or allow DNS for `anbox0` interface by other means
diff --git a/anbox_files/dns_enforced/anbox-exec.sh b/anbox_files/dns_enforced/anbox-exec.sh
new file mode 100644
index 0000000..893fd81
--- /dev/null
+++ b/anbox_files/dns_enforced/anbox-exec.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+DNS_LOCAL="192.168.250.1.53"
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo "ERROR: You need to run this script as root!"
+ exit 1
+fi
+
+CONTAINER_PATH="$SNAP_COMMON/containers"
+CONTAINER_NAME=default
+
+if [ -z "$SNAP" ] ; then
+ CONTAINER_PATH=/var/lib/anbox/containers
+fi
+
+state=$(lxc-info -P "$CONTAINER_PATH" -n "$CONTAINER_NAME" -s | cut -d':' -f 2 | tr -d '[:space:]')
+if [ "$state" != "RUNNING" ] ; then
+ echo "ERROR: Cannot attach to container as it is not running"
+ exit 1
+fi
+
+exec lxc-attach \
+ -P "$CONTAINER_PATH" \
+ -n "$CONTAINER_NAME" \
+ --clear-env -- \
+/system/bin/sh -c \
+"/system/bin/iptables -t nat -A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination ${DNS_LOCAL}
+/system/bin/iptables -t nat -A OUTPUT -o eth0 -p udp -m udp --dport 53 -j DNAT --to-destination ${DNS_LOCAL}"
diff --git a/anbox_files/dns_enforced/anbox-restart.sh b/anbox_files/dns_enforced/anbox-restart.sh
new file mode 100644
index 0000000..81e65a4
--- /dev/null
+++ b/anbox_files/dns_enforced/anbox-restart.sh
@@ -0,0 +1,7 @@
+#!/bin/env bash
+
+sudo systemctl restart anbox-container-manager.service
+sleep 2
+systemctl --user restart anbox-session-manager
+sleep 2
+sudo anbox-exec
diff --git a/anbox_files/dns_enforced/anbox-session-manager b/anbox_files/dns_enforced/anbox-session-manager
new file mode 100644
index 0000000..b252282
--- /dev/null
+++ b/anbox_files/dns_enforced/anbox-session-manager
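Review bot: `DNS_LOCAL="192.168.250.1.53"` is not a valid `--to-destination` value for DNAT, which expects `address:port`; iptables rejects both rules with a parse error, so the redirect is never installed although the script otherwise appears to succeed. It should read `DNS_LOCAL="192.168.250.1:53"`. Because the two rules are appended with `-A` and this script is invoked on every login and restart (by `anbox-session-manager` and `anbox-restart.sh`), duplicate rules accumulate in the container's nat OUTPUT chain until it is recreated; guarding each with `/system/bin/iptables -t nat -C … || /system/bin/iptables -t nat -A …` keeps it idempotent. The redirect also only covers plain DNS on port 53 over eth0, so the README should state that resolvers using other transports are outside the scope of this enforcement.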
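Review bot: The two fixed `sleep 2` pauses are a race with the container start, and the final `sudo anbox-exec` leaves its failure unhandled: `anbox-exec` exits 1 when the container is not yet RUNNING, so after a restart the DNS redirect may silently not be applied. Replacing the last line with a bounded retry, `for _ in 1 2 3 4 5; do sudo anbox-exec && exit 0; sleep 2; done` followed by `exit 1`, makes the outcome explicit. The shebang `#!/bin/env bash` (also used in `anbox-session-manager`) depends on `/bin/env` existing, which is only the case on merged-/usr systems; `#!/usr/bin/env bash` is the portable form.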
@@ -0,0 +1,13 @@
+#!/bin/env bash
+
+# This is a simple wrapper workaround. If we launch Anbox session manager before a desktop/Xorg session,
+# the session simply fails to launch, complaining about insufficient drm permissions (permission denied 13)
+# in a Xorg log file.
+
+# Use this script as start-up program in your desktop session start-up application menu. It ensures that
+# Xorg session starts BEFORE Anbox session manager, and both succeed to launch.
+
+if [[ $(systemctl is-active anbox-container-manager.service) ]]; then
+ systemctl --user start anbox-session-manager
+ anbox-exec
+fi
diff --git a/anbox_files/dns_enforced/local-iptables b/anbox_files/dns_enforced/local-iptables
new file mode 100644
index 0000000..0d29aae
--- /dev/null
+++ b/anbox_files/dns_enforced/local-iptables
@@ -0,0 +1,4 @@
+# These rules apply to a local DNS server, running on the same computer than Anbox
+
+-A INPUT -i anbox0 -p tcp --dport 53 -j ACCEPT
+-A INPUT -i anbox0 -p udp --dport 53 -j ACCEPT
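Review bot: `if [[ $(systemctl is-active anbox-container-manager.service) ]]` is always true, because `systemctl is-active` prints a state word (`active`, `inactive`, `failed`, …) on stdout regardless of the result and the test only checks for a non-empty string; the exit status is the signal to use, `if systemctl is-active --quiet anbox-container-manager.service; then`. In addition, `anbox-exec` refuses to run unless `id -u` is 0, yet here it is invoked unprivileged from the user session (unlike `sudo anbox-exec` in `anbox-restart.sh`), so on this path it prints the root error and the DNS redirect is never installed. Either grant the privilege deliberately (a sudoers rule limited to that one command) or move the iptables step to a root-side hook, and add a comment stating which is intended.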
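Review bot: The two `-A INPUT` rules are appended at the end of the INPUT chain, so on a host whose chain already ends in a REJECT or DROP rule they are never reached and DNS from `anbox0` remains blocked; they need to be inserted ahead of that rule (`-I INPUT …` or an explicit position in the ruleset). The comment should also read "on the same computer as Anbox" rather than "than Anbox".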