optimize linux tun capability

2025-12-18 04:54:38 +03:00 · 2023-07-25 13:31:26 +09:00
parent e8147589f7
commit f69fec5ac7
12 changed files with 86 additions and 61 deletions
--- a/cmake/linux/linux.cmake
+++ b/cmake/linux/linux.cmake
@@ -1 +1,2 @@
 set(PLATFORM_SOURCES sys/linux/LinuxCap.cpp)
 set(PLATFORM_LIBRARIES dl)
--- a/libs/package_debian.sh
+++ b/libs/package_debian.sh
@@ -19,31 +19,13 @@ Depends: libxcb-xinerama0, libqt5core5a, libqt5gui5, libqt5network5, libqt5widge
 Description: Qt based cross-platform GUI proxy configuration manager (backend: v2ray / sing-box)
 EOF
 # Start Tun Mode without password
 cat >nekoray/opt/nekoray/pkexec <<-EOF
 #!/bin/sh
 if [ \$1 = --help ]; then
  echo "This is not real pkexec."
  exit 0
 fi
 TO_EXEC="\$@"
 if [ \$1 = --keep-cwd ]; then
  TO_EXEC="\${@:2}"
 fi
 \$TO_EXEC
 EOF
 cat >nekoray/DEBIAN/postinst <<-EOF
 if [ ! -s /usr/share/applications/nekoray.desktop ]; then
    cat >/usr/share/applications/nekoray.desktop<<-END
 [Desktop Entry]
 Name=nekoray
 Comment=Qt based cross-platform GUI proxy configuration manager (backend: Xray / sing-box)
-Exec=sh -c "PATH=/opt/nekoray:\$PATH /opt/nekoray/nekoray -flag_linux_run_core_as_admin -appdata"
+Exec=sh -c "PATH=/opt/nekoray:\$PATH /opt/nekoray/nekoray -appdata"
 Icon=/opt/nekoray/nekoray.png
 Terminal=false
 Type=Application
@@ -52,8 +34,6 @@ END
 fi
 setcap cap_net_admin=ep /opt/nekoray/nekobox_core
 chmod +x /opt/nekoray/pkexec
 chmod 0755 /opt/nekoray/pkexec
 update-desktop-database
 EOF
--- a/main/NekoGui.cpp
+++ b/main/NekoGui.cpp
@@ -12,6 +12,9 @@
 #ifdef Q_OS_WIN
 #include "sys/windows/guihelper.h"
 #else
 #ifdef Q_OS_LINUX
 #include <sys/linux/LinuxCap.h>
 #endif
 #include <unistd.h>
 #endif
@@ -407,6 +410,8 @@ namespace NekoGui {
        return !username.trimmed().isEmpty() && !password.trimmed().isEmpty();
    }
    // System Utils
    QString FindCoreAsset(const QString &name) {
        QStringList search{NekoGui::dataStore->v2ray_asset_dir};
        search << QApplication::applicationDirPath();
@@ -428,15 +433,26 @@ namespace NekoGui {
        return {};
    }
    QString FindNekoBoxCoreRealPath() {
        auto fn = QApplication::applicationDirPath() + "/nekobox_core";
        auto fi = QFileInfo(fn);
        if (fi.isSymLink()) return fi.symLinkTarget();
        return fn;
    }
    short isAdminCache = -1;
-    bool isAdmin() {
+    // IsAdmin 主要判断：有无权限启动 Tun
    bool IsAdmin() {
        if (isAdminCache >= 0) return isAdminCache;
-        auto admin = NekoGui::dataStore->flag_linux_run_core_as_admin;
+        bool admin = false;
 #ifdef Q_OS_WIN
        admin = Windows_IsInAdmin();
 #else
 #ifdef Q_OS_LINUX
        admin |= Linux_GetCapString(FindNekoBoxCoreRealPath()).contains("cap_net_admin");
 #endif
        admin |= geteuid() == 0;
 #endif
--- a/main/NekoGui.hpp
+++ b/main/NekoGui.hpp
@@ -12,7 +12,9 @@ namespace NekoGui {
    QString FindCoreAsset(const QString &name);
-    bool isAdmin();
+    QString FindNekoBoxCoreRealPath();
    bool IsAdmin();
 } // namespace NekoGui
 #define IS_NEKO_BOX (NekoGui::coreType == NekoGui::CoreType::SING_BOX)
--- a/main/NekoGui_DataStore.hpp
+++ b/main/NekoGui_DataStore.hpp
@@ -86,7 +86,6 @@ namespace NekoGui {
        bool flag_many = false;
        bool flag_tray = false;
        bool flag_debug = false;
        bool flag_linux_run_core_as_admin = false;
        bool flag_restart_tun_on = false;
        bool flag_reorder = false;
--- a/main/main.cpp
+++ b/main/main.cpp
@@ -90,7 +90,6 @@ int main(int argc, char* argv[]) {
    }
    if (NekoGui::dataStore->argv.contains("-tray")) NekoGui::dataStore->flag_tray = true;
    if (NekoGui::dataStore->argv.contains("-debug")) NekoGui::dataStore->flag_debug = true;
    if (NekoGui::dataStore->argv.contains("-flag_linux_run_core_as_admin")) NekoGui::dataStore->flag_linux_run_core_as_admin = true;
    if (NekoGui::dataStore->argv.contains("-flag_restart_tun_on")) NekoGui::dataStore->flag_restart_tun_on = true;
    if (NekoGui::dataStore->argv.contains("-flag_reorder")) NekoGui::dataStore->flag_reorder = true;
 #ifdef NKR_CPP_USE_APPDATA
--- a/res/linux_pkexec.sh
+++ b/res/linux_pkexec.sh
@@ -1,9 +0,0 @@
 set -e
 command -v pkexec >/dev/null 2>&1 || echo "[Warning] pkexec not found"
 command -v pkill >/dev/null 2>&1 || echo "[Warning] pkill not found"
 BASEDIR="$(dirname -- "$(readlink -f -- "$0")")"
 pkexec --keep-cwd \
  bash "$BASEDIR"/linux_pkexec_root.sh $@
--- a/res/linux_pkexec_root.sh
+++ b/res/linux_pkexec_root.sh
@@ -1,9 +0,0 @@
 set -e
 if [ "$EUID" -ne 0 ]; then
  echo "[Warning] Not running as root"
 fi
 #echo $$ >$PID_FILE
 $@
--- a/sys/ExternalProcess.cpp
+++ b/sys/ExternalProcess.cpp
@@ -52,14 +52,6 @@ namespace NekoGui_sys {
            MW_show_log_ext(tag, "External core starting: " + env.join(" ") + " " + program + " " + arguments.join(" "));
        }
        QProcess::setEnvironment(env);
        if (NekoGui::dataStore->flag_linux_run_core_as_admin && dynamic_cast<CoreProcess *>(this) && program != "pkexec") {
            arguments.prepend(program);
            arguments.prepend("--keep-cwd");
            program = "pkexec";
        }
        QProcess::setEnvironment(env);
        QProcess::start(program, arguments);
    }
--- a/sys/linux/LinuxCap.cpp
+++ b/sys/linux/LinuxCap.cpp
@@ -0,0 +1,33 @@
 #include "LinuxCap.h"
 #include <QProcess>
 #define EXIT_CODE(p) (p.exitStatus() == QProcess::NormalExit ? p.exitCode() : -1)
 QString Linux_GetCapString(const QString &path) {
    QProcess p;
    p.setProgram("getcap");
    p.setArguments({path});
    p.start();
    p.waitForFinished(500);
    return p.readAllStandardOutput();
 }
 int Linux_Pkexec_SetCapString(const QString &path, const QString &cap) {
    QProcess p;
    p.setProgram("pkexec");
    p.setArguments({"setcap", cap, path});
    p.start();
    p.waitForFinished(-1);
    return EXIT_CODE(p);
 }
 bool Linux_HavePkexec() {
    QProcess p;
    p.setProgram("pkexec");
    p.setArguments({"--help"});
    p.setProcessChannelMode(QProcess::SeparateChannels);
    p.start();
    p.waitForFinished(500);
    return EXIT_CODE(p) == 0;
 }
--- a/sys/linux/LinuxCap.h
+++ b/sys/linux/LinuxCap.h
@@ -0,0 +1,9 @@
 #pragma once
 #include <QString>
 QString Linux_GetCapString(const QString &path);
 int Linux_Pkexec_SetCapString(const QString &path, const QString &cap);
 bool Linux_HavePkexec();
--- a/ui/mainwindow.cpp
+++ b/ui/mainwindow.cpp
@@ -30,6 +30,9 @@
 #ifdef Q_OS_WIN
 #include "3rdparty/WinCommander.hpp"
 #else
 #ifdef Q_OS_LINUX
 #include "sys/linux/LinuxCap.h"
 #endif
 #include <unistd.h>
 #endif
@@ -691,6 +694,7 @@ void MainWindow::on_menu_exit_triggered() {
            arguments.removeFirst();
            arguments.removeAll("-tray");
            arguments.removeAll("-flag_restart_tun_on");
            arguments.removeAll("-flag_reorder");
        }
        auto isLauncher = qEnvironmentVariable("NKR_FROM_LAUNCHER") == "1";
        if (isLauncher) arguments.prepend("--");
@@ -702,7 +706,6 @@ void MainWindow::on_menu_exit_triggered() {
 #ifdef Q_OS_WIN
            WinCommander::runProcessElevated(program, arguments, "", WinCommander::SW_NORMAL, false);
 #else
            arguments << "-flag_linux_run_core_as_admin";
            QProcess::startDetached(program, arguments);
 #endif
        } else {
@@ -756,19 +759,28 @@ void MainWindow::neko_set_spmode_vpn(bool enable, bool save) {
    if (enable != NekoGui::dataStore->spmode_vpn) {
        if (enable) {
            if (IS_NEKO_BOX_INTERNAL_TUN) {
-                bool requestPermission = !NekoGui::isAdmin();
+                bool requestPermission = !NekoGui::IsAdmin();
 #ifdef Q_OS_LINUX
                if (requestPermission && QProcess::execute("pkexec", {"--help"}) != 0) {
                    MessageBoxWarning(software_name, "Please install \"pkexec\" first.");
                    neko_set_spmode_FAILED
                }
 #endif
                if (requestPermission) {
 #ifdef Q_OS_LINUX
                    if (!Linux_HavePkexec()) {
                        MessageBoxWarning(software_name, "Please install \"pkexec\" first.");
                        neko_set_spmode_FAILED
                    }
                    auto ret = Linux_Pkexec_SetCapString(NekoGui::FindNekoBoxCoreRealPath(), "cap_net_admin=ep");
                    if (ret == 0) {
                        this->exit_reason = 3;
                        on_menu_exit_triggered();
                    } else {
                        MessageBoxWarning(software_name, "Setcap for Tun mode failed.\n\n1. You may canceled the dialog.\n2. You may be using an incompatible environment like AppImage.");
                    }
 #endif
 #ifdef Q_OS_WIN
                    auto n = QMessageBox::warning(GetMessageBoxParent(), software_name, tr("Please run NekoBox as admin"), QMessageBox::Yes | QMessageBox::No);
                    if (n == QMessageBox::Yes) {
                        this->exit_reason = 3;
                        on_menu_exit_triggered();
                    }
 #endif
                    neko_set_spmode_FAILED
                }
            } else {
@@ -854,7 +866,7 @@ void MainWindow::refresh_status(const QString &traffic_update) {
    auto make_title = [=](bool isTray) {
        QStringList tt;
-        if (!isTray && NekoGui::isAdmin()) tt << "[Admin]";
+        if (!isTray && NekoGui::IsAdmin()) tt << "[Admin]";
        if (select_mode) tt << "[" + tr("Select") + "]";
        if (!title_error.isEmpty()) tt << "[" + title_error + "]";
        if (NekoGui::dataStore->spmode_vpn) tt << "[VPN]";
`@@ -1 +1,2 @@`
		`set(PLATFORM_SOURCES sys/linux/LinuxCap.cpp)`
	`set(PLATFORM_LIBRARIES dl)`	`set(PLATFORM_LIBRARIES dl)`