From patchwork Mon Dec 9 23:36:59 2019
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 2635
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH] unbound: Configure Safe Search dynamically
Date: Mon, 9 Dec 2019 23:36:59 +0000
Message-Id: <20191209233659.3767-1-michael.tremer@ipfire.org>
List-Id: IPFire development talk
Cc: Michael Tremer

The safe search code relied on working DNS resolution, but was executed before unbound was even started and no network was brought up. That resulted in no records being created and nothing being filtered.

This will now set/reset safe search when the system connects to the Internet.
Signed-off-by: Michael Tremer --- config/rootfiles/common/aarch64/initscripts | 1 + config/rootfiles/common/armv5tel/initscripts | 1 + config/rootfiles/common/i586/initscripts | 1 + config/rootfiles/common/x86_64/initscripts | 1 + src/initscripts/networking/red.up/06-safe-search | 3 + src/initscripts/system/unbound | 100 +++++++++++++---------- 6 files changed, 65 insertions(+), 42 deletions(-) create mode 100644 src/initscripts/networking/red.up/06-safe-search diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts index 202da7372..6b08fcac6 100644 --- a/config/rootfiles/common/aarch64/initscripts +++ b/config/rootfiles/common/aarch64/initscripts @@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep #etc/rc.d/init.d/networking/red.up etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders +etc/rc.d/init.d/networking/red.up/06-safe-search etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 202da7372..6b08fcac6 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep #etc/rc.d/init.d/networking/red.up etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders +etc/rc.d/init.d/networking/red.up/06-safe-search etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 9d4f7e5f3..23b1938f4 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts 
@@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep #etc/rc.d/init.d/networking/red.up etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders +etc/rc.d/init.d/networking/red.up/06-safe-search etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index 9d4f7e5f3..23b1938f4 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts @@ -51,6 +51,7 @@ etc/rc.d/init.d/networking/red.down/99-beep #etc/rc.d/init.d/networking/red.up etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders +etc/rc.d/init.d/networking/red.up/06-safe-search etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes diff --git a/src/initscripts/networking/red.up/06-safe-search b/src/initscripts/networking/red.up/06-safe-search new file mode 100644 index 000000000..14ff93b45 --- /dev/null +++ b/src/initscripts/networking/red.up/06-safe-search @@ -0,0 +1,3 @@ +#!/bin/bash + +exec /etc/init.d/unbound update-safe-search diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index 8eaf3734a..61d62beb1 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -549,7 +549,7 @@ resolve() { } # Sets up Safe Search for various search engines -write_safe_search_conf() { +update_safe_search() { local google_tlds=( google.ad google.ae 
@@ -746,51 +746,59 @@ write_safe_search_conf() { google.ws ) - ( - # Nothing to do if safe search is not enabled - if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then - exit 0 - fi + # Cleanup previous settings + unbound-control local_zone_remove "bing.com" >/dev/null + unbound-control local_zone_remove "duckduckgo.com" >/dev/null + unbound-control local_zone_remove "yandex.com" >/dev/null + unbound-control local_zone_remove "yandex.ru" >/dev/null + unbound-control local_zone_remove "youtube.com" >/dev/null - # This all belongs into the server: section - echo "server:" + local domain + for domain in ${google_tlds[@]}; do + unbound-control local_zone_remove "${domain}" + done >/dev/null - # Bing - echo " local-zone: bing.com transparent" - for address in $(resolve "strict.bing.com"); do - echo " local-data: \"www.bing.com ${LOCAL_TTL} IN A ${address}\"" - done + # Nothing to do if safe search is not enabled + if [ "${ENABLE_SAFE_SEARCH}" != "on" ]; then + return 0 + fi - # DuckDuckGo - echo " local-zone: duckduckgo.com typetransparent" - for address in $(resolve "safe.duckduckgo.com"); do - echo " local-data: \"duckduckgo.com ${LOCAL_TTL} IN A ${address}\"" - done + # Bing + unbound-control bing.com transparent >/dev/null + for address in $(resolve "strict.bing.com"); do + unbound-control local_data "www.bing.com ${LOCAL_TTL} IN A ${address}" + done >/dev/null + + # DuckDuckGo + unbound-control local_zone duckduckgo.com typetransparent >/dev/null + for address in $(resolve "safe.duckduckgo.com"); do + unbound-control local_data "duckduckgo.com ${LOCAL_TTL} IN A ${address}" + done >/dev/null + + # Google + local addresses="$(resolve "forcesafesearch.google.com")" + for domain in ${google_tlds[@]}; do + unbound-control local_zone "${domain}" transparent >/dev/null + for address in ${addresses}; do + unbound-control local_data: "www.${domain} ${LOCAL_TTL} IN A ${address}" + done >/dev/null + done - # Google - addresses="$(resolve "forcesafesearch.google.com")" - local domain 
- for domain in ${google_tlds[@]}; do - echo " local-zone: ${domain} transparent" - for address in ${addresses}; do - echo " local-data: \"www.${domain} ${LOCAL_TTL} IN A ${address}\"" - done - done + # Yandex + for domain in yandex.com yandex.ru; do + unbound-control local_zone "${domain}" typetransparent >/dev/null + for address in $(resolve "familysearch.${domain}"); do + unbound-control local_data "${domain} ${LOCAL_TTL} IN A ${address}" + done >/dev/null + done - # Yandex - for domain in yandex.com yandex.ru; do - echo " local-zone: ${domain} typetransparent" - for address in $(resolve "familysearch.${domain}"); do - echo " local-data: \"${domain} ${LOCAL_TTL} IN A ${address}\"" - done - done + # YouTube + unbound-control local_zone youtube.com transparent >/dev/null + for address in $(resolve "restrictmoderate.youtube.com"); do + unbound-control local_data "www.youtube.com ${LOCAL_TTL} IN A ${address}" + done >/dev/null - # YouTube - echo " local-zone: youtube.com transparent" - for address in $(resolve "restrictmoderate.youtube.com"); do - echo " local-data: \"www.youtube.com ${LOCAL_TTL} IN A ${address}\"" - done - ) > /etc/unbound/safe-search.conf + return 0 } case "$1" in @@ -806,7 +814,6 @@ case "$1" in # Update configuration files write_tuning_conf write_forward_conf - write_safe_search_conf boot_mesg "Starting Unbound DNS Proxy..." loadproc /usr/sbin/unbound || exit $? @@ -817,6 +824,11 @@ case "$1" in # Update any known forwarding name servers update_forwarders + # Install Safe Search rules when the system is already online + if [ -e "/var/ipfire/red/active" ]; then + update_safe_search + fi + # Update hosts update_hosts 
@@ -905,8 +917,12 @@ case "$1" in resolve "${2}" ;; + update-safe-search) + update_safe_search + ;; + *) - echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|test-name-server|resolve}" + echo "Usage: $0 {start|stop|restart|status|update-forwarders|remove-forwarders|test-name-server|resolve|update-safe-search}" exit 1 ;; esac
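Review bot: the new hook src/initscripts/networking/red.up/06-safe-search is added with `new file mode 100644`, yet its `#!/bin/bash` line and the `exec /etc/init.d/unbound update-safe-search` body show it is meant to be executed directly like the other red.up scripts; unless the red.up runner sources these files, the hook needs the executable bit (mode 100755), otherwise it is skipped and Safe Search is once again never applied when RED comes up, which is exactly the failure this patch sets out to fix.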
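Review bot: two unbound-control invocations in the @@ -746 hunk are malformed and will be rejected at runtime. In the Bing block, `unbound-control bing.com transparent >/dev/null` lacks the `local_zone` subcommand (compare the DuckDuckGo line `unbound-control local_zone duckduckgo.com typetransparent`), and in the Google loop `unbound-control local_data: "www.${domain} ${LOCAL_TTL} IN A ${address}"` carries a stray colon after `local_data`, so none of the Google overrides are installed; both should read `local_zone` and `local_data` respectively, as the other blocks do. Because stdout is discarded and no exit status is checked anywhere in the function, these failures are silent, so at minimum check the return code of each call (or stop discarding stderr) and log when `resolve` returns no addresses: a transparent zone with no local data passes queries through unfiltered, which is indistinguishable from success without a log line.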
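Review bot: the @@ -806 hunk drops the `write_safe_search_conf` call from the start path but nothing in the patch removes an /etc/unbound/safe-search.conf left behind by the previous version; if unbound.conf still includes that file, the stale static records are loaded on every start next to the dynamically installed ones, and `update_safe_search` only clears zones by name at update time, so the update path should delete the old file (and its include, if one exists) when this change ships.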