Verified Commit 3fae5a6f authored by meskio's avatar meskio

[feat] update bitmask-root if needed

Chech the hash of the installed bitmask root and sign as not installed
if doesn't match the one we have in the bundle. Also for running
bitmask-root, if there is more than one (in /usr/local/sbin and
/usr/sbin) run the one with higher version number.

- Resolves: #9020
parent 90e72e19
Pipeline #7143 passed with stages
in 85 minutes and 11 seconds
from os import remove, chmod
from os import remove, chmod, access, R_OK
from shutil import copyfile
from hashlib import sha512
import os.path
import sys
......@@ -32,32 +33,52 @@ if IS_LINUX:
copyfile(openvpn_from, OPENVPN_LOCAL)
chmod(OPENVPN_LOCAL, 0700)
chmod(OPENVPN_LOCAL, 0744)
def uninstall():
def check():
helper = (
os.path.exists(BITMASK_ROOT_LOCAL) or
polkit = (
os.path.exists(POLKIT_LOCAL) or
openvpn = (
os.path.exists(OPENVPN_LOCAL) or
helper = _is_up_to_date(_config.get_bitmask_helper_path(),
polkit = _is_up_to_date(_config.get_bitmask_polkit_policy_path(),
openvpn = (os.path.exists(OPENVPN_SYSTEM) or
return is_pkexec_in_system() and helper and polkit and openvpn
if IS_MAC:
def _is_up_to_date(src, local, system):
if src is None or not access(src, R_OK):
return True
src_digest = digest(src)
if access(system, R_OK) and src_digest == digest(system):
return True
if access(local, R_OK) and src_digest == digest(local):
return True
return False
elif IS_MAC:
def check():
# XXX check if bitmask-helper is running
return True
def digest(path):
with open(path, 'r') as f:
s =
return sha512(s).digest()
def main():
if sys.argv[-1] == 'install':
......@@ -22,14 +22,15 @@ Linux VPN launcher implementation.
import os
import psutil
import subprocess
from twisted.internet import defer, reactor
from twisted.internet.endpoints import clientFromString, connectProtocol
from twisted.logger import Logger
from leap.bitmask.util import STANDALONE
from leap.bitmask.vpn.utils import first, force_eval
from leap.bitmask.vpn import constants
from leap.bitmask.vpn import _config
from leap.bitmask.vpn.privilege import LinuxPolicyChecker
from import ManagementProtocol
from leap.bitmask.vpn.launcher import VPNLauncher
......@@ -85,15 +86,33 @@ class LinuxVPNLauncher(VPNLauncher):
class BITMASK_ROOT(object):
def __call__(self):
current_version = self._version(_config.get_bitmask_helper_path())
_sys = constants.BITMASK_ROOT_SYSTEM
_local = constants.BITMASK_ROOT_LOCAL
_sys_version = 0
if os.path.isfile(_sys):
_sys_version = self._version(_sys)
_local = constants.BITMASK_ROOT_LOCAL
_local_version = 0
if os.path.isfile(_local):
_local_version = self._version(_local)
if _sys_version == current_version:
return _sys
elif _local_version == current_version:
return _local
elif _sys_version != 0 and _sys_version >= _local_version:
return _sys
elif os.path.isfile(_local):
elif _local_version != 0:
return _local
return 'bitmask-root'
def _version(self, bitmask_root):
out = subprocess.check_output(['python', bitmask_root, "version"])
return int(out)
class OPENVPN_BIN_PATH(object):
def __call__(self):
_sys = constants.OPENVPN_SYSTEM
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment