TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-08-11 13:18:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

tailfs: disable TailFSForLocal via policy

Browse Source 
Adds support for node attribute tailfs:access. If this attribute is
not present, Tailscale will not accept connections to the local TailFS
server at 100.100.100.100:8080.

Updates tailscale/corp#16827

Signed-off-by: Percy Wegmann <percy@tailscale.com>
This commit is contained in:
Percy Wegmann
2024-02-09 16:23:42 -06:00
committed by Percy Wegmann
parent abab0d4197
commit ddcffaef7a
4 changed files with 31 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ipn/ipnlocal/local.go
View File

@@ -3341,6 +3341,10 @@ func (b *LocalBackend) TCPHandlerForDst(src, dst netip.AddrPort) (handler func(c
fs, ok := b.sys.TailFSForLocal.GetOK()
if ok {
return func(conn net.Conn) error {
if !b.TailFSAccessEnabled() {
conn.Close()
return nil
}
return fs.HandleConn(conn, conn.RemoteAddr())
}, opts
}

19
ipn/ipnlocal/tailfs.go
View File

@@ -46,7 +46,20 @@ func (b *LocalBackend) TailFSSharingEnabled() bool {
}
func (b *LocalBackend) tailFSSharingEnabledLocked() bool {
return b.netMap != nil && b.netMap.SelfNode.HasCap(tailcfg.NodeAttrsTailFSSharingEnabled)
return b.netMap != nil && b.netMap.SelfNode.HasCap(tailcfg.NodeAttrsTailFSShare)
}
// TailFSAccessEnabled reports whether accessing TailFS shares on remote nodes
// is enabled. This is currently based on checking for the tailfs:access node
// attribute.
func (b *LocalBackend) TailFSAccessEnabled() bool {
b.mu.Lock()
defer b.mu.Unlock()
return b.tailFSAccessEnabledLocked()
}
func (b *LocalBackend) tailFSAccessEnabledLocked() bool {
return b.netMap != nil && b.netMap.SelfNode.HasCap(tailcfg.NodeAttrsTailFSAccess)
}
// TailFSSetFileServerAddr tells tailfs to use the given address for connecting
@@ -272,6 +285,10 @@ func (b *LocalBackend) newTailFSListener(ctx context.Context, fs tailfs.FileSyst
logf: logf,
handler: func(conn net.Conn) error {
if !b.TailFSAccessEnabled() {
conn.Close()
return nil
}
return fs.HandleConn(conn, conn.RemoteAddr())
},
bo: backoff.NewBackoff(fmt.Sprintf("tailfs-listener-%d", ap.Port()), logf, 30*time.Second),