Whonix setup GUI now run on first start to allow configuration

Added an alternative for dialog (gdialog) so some Whonix programs run
Changed sudo permissions to fix umask and not use QT shared memory
Changed whonix to use basic hosts file
Added detection if template is active for updating
Added startup code for tinyproxy
Added code to disable uwt so apt-get can be used as proxy
Created a python GUI Message Alert using yaml for messages (internationalization)
This commit is contained in:
Jason Mehring 2014-11-02 16:14:36 -05:00
parent 82a68e9c87
commit 0e53e2954f
30 changed files with 1044 additions and 572 deletions


@ -19,6 +19,20 @@ user::rw-
group::r-- group::r--
other::r-- other::r--
# file: etc/uwt.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/uwt.d/50_uwt_default
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/xdg # file: etc/xdg
# owner: root # owner: root
# group: root # group: root
@ -94,7 +108,7 @@ other::r--
# group: root # group: root
user::rwx user::rwx
group::r-x group::r-x
other::r-x other::---
# file: etc/sudoers.d/qubes # file: etc/sudoers.d/qubes
# owner: root # owner: root
@ -103,62 +117,6 @@ user::r--
group::r-- group::r--
other::--- other::---
# file: home
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: home/user
# owner: user
# group: user
user::rwx
group::r-x
other::r-x
# file: home/user/whonix_fix.sh
# owner: user
# group: user
user::rwx
group::r-x
other::r-x
# file: home/user/build-steps.d
# owner: user
# group: user
user::rwx
group::r-x
other::r-x
# file: home/user/build-steps.d/1000_qubes-patches.sh
# owner: user
# group: user
user::rwx
group::r-x
other::r-x
# file: home/user/build-steps.d/2900_qubes-post-installation.sh
# owner: user
# group: user
user::rwx
group::r-x
other::r-x
# file: home/user/whonix_build.sh
# owner: user
# group: user
user::rwx
group::r-x
other::r-x
# file: home/user/.whonix_build.sh.swp
# owner: user
# group: user
user::rw-
group::r--
other::r--
# file: .facl # file: .facl
# owner: user # owner: user
# group: user # group: user
@ -187,6 +145,13 @@ user::rwx
group::r-x group::r-x
other::r-x other::r-x
# file: usr/lib/whonix/utility_functions
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/setup-ip # file: usr/lib/whonix/setup-ip
# owner: root # owner: root
# group: root # group: root
@ -194,6 +159,20 @@ user::rwx
group::r-x group::r-x
other::r-x other::r-x
# file: usr/lib/whonix/tests.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/messages.yaml
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/replace-ips # file: usr/lib/whonix/replace-ips
# owner: root # owner: root
# group: root # group: root
@ -201,6 +180,13 @@ user::rwx
group::r-x group::r-x
other::r-x other::r-x
# file: usr/lib/whonix/alert
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/qubes-whonixsetup # file: usr/lib/whonix/qubes-whonixsetup
# owner: root # owner: root
# group: root # group: root


@ -1,14 +1,5 @@
## Anonymity Distribution /etc/hosts ## Anonymity Distribution /etc/hosts
## Defaults
127.0.0.1 host
::1 host ip6-host ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
## End of defaults
## Anonymity Distribution specific ## Anonymity Distribution specific
127.0.0.1 host.localdomain host 127.0.0.1 host.localdomain host
## End of Anonymity Distribution specific ## End of Anonymity Distribution specific
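Review bot: The new file drops every IPv6 default, including the `::1 host ip6-host ip6-loopback` loopback mapping, so the IPv6 loopback names no longer resolve locally on these VMs. If that is what the "basic hosts file" change intends, a one-line comment in the file saying so would stop the next maintainer from restoring them; otherwise keep at least the `::1` line. Neither the old nor the new version maps `localhost`, which some tools may expect, but that predates this commit. The second copy of this file later on the page has the same content.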


@ -0,0 +1,6 @@
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]; then
uwtwrapper["/usr/bin/apt-get"]="0"
fi
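Review bot: Sourcing `/usr/lib/whonix/utility_functions` here means that, in a template, each uwt-wrapped command invocation runs the `curl.anondist-orig` probe of the proxy that utility_functions performs at source time, which is a network side effect and a delay on every wrapped program; if uwt really sources this file per invocation, have qubes-whonixsetup write the result once (for example under /var/run) and only read it here. The test also relies on the deprecated `-a` operator and should be `if [ "${WHONIX}" = "template" ] && [ "${PROXY_SECURE}" = "1" ]; then`. The same file appears again later on this page with the same points.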


@ -1,92 +0,0 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
set -x
WHONIX_DIR="$(readlink -m .)"
# --------------------------------------------------------------------------
# Initialize Whonix submodules
# --------------------------------------------------------------------------
pushd "${WHONIX_DIR}"
{
sudo git submodule update --init --recursive;
}
popd
# --------------------------------------------------------------------------
# Patch Whonix submodules
# --------------------------------------------------------------------------
# Chekout a branch; create a branch first if it does not exist
checkout_branch() {
branch=$(git symbolic-ref --short -q HEAD)
if ! [ "${branch}" == "${1}" ]; then
sudo -u "${user_name}" git checkout "${1}" >/dev/null 2>&1 || \
{
sudo -u "${user_name}" git branch "${1}"
sudo -u "${user_name}" git checkout "${1}"
}
fi
}
# sed search and replace. return 0 if replace happened, otherwise 1
search_replace() {
local search="${1}"
local replace="${2}"
local file="${3}"
sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
}
# Patch anon-meta-packages to not depend on grub-pc
pushd "${WHONIX_DIR}"
{
search_replace "grub-pc" "" "grml_packages" || :
}
popd
pushd "${WHONIX_DIR}/packages/anon-meta-packages/debian"
{
search1=" grub-pc,";
replace="";
#checkout_branch qubes
search_replace "${search1}" "${replace}" control && \
{
cd "${WHONIX_DIR}/packages/anon-meta-packages";
:
#sudo -E -u "${user_name}" make deb-pkg || :
#su "${user_name}" -c "dpkg-source --commit" || :
#git add .
#su "${user_name}" -c "git commit -am 'removed grub-pc depend'"
} || :
}
popd
pushd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d"
{
search1="update-grub";
replace=":";
#checkout_branch qubes
search_replace "${search1}" "${replace}" 85_update_grub && \
{
cd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub";
sudo -E -u "${user_name}" make deb-pkg || :
su "${user_name}" -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub";
#git add . ;
#su "${user_name}" -c "git commit -am 'removed grub-pc depend'"
} || :
}
popd
pushd "${WHONIX_DIR}/build-steps.d"
{
search1=" check_for_uncommited_changes";
replace=" #check_for_uncommited_changes";
search_replace "${search1}" "${replace}" 1200_create-debian-packages || :
}
popd


@ -1,60 +0,0 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Whonix Post Installation Configurations
# ------------------------------------------------------------------------------
echo "Post Configuring Whonix System"
pushd "/etc/network"
{
rm -f interfaces;
ln -s interfaces.backup interfaces;
}
popd
pushd "/etc"
{
rm -f resolv.conf;
cp -p resolv.conf.backup resolv.conf;
}
popd
# Enable Tor
#if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then
# sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "/etc/tor/torrc"
#fi
# Fake that whonixsetup was already run
#mkdir -p "/var/lib/whonix/do_once"
#touch "/var/lib/whonix/do_once/whonixsetup.done"
# Fake that initializer was already run
mkdir -p "/root/.whonix"
touch "/root/.whonix/first_run_initializer.done"
# Prevent whonixcheck error
echo 'WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"' >> "/etc/whonix.d/30_whonixcheck_default"
# Use gdialog as an alternative for dialog
update-alternatives --install /usr/bin/dialog dialog /usr/bin/gdialog 999
# Disable unwanted applications
update-rc.d network-manager disable || :
update-rc.d spice-vdagent disable || :
update-rc.d swap-file-creator disable || :
update-rc.d whonix-initializer disable || :
service apt-cacher-ng stop || :
update-rc.d apt-cacher-ng disable || :
# Remove apt-cacher-ng
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng
# Remove original sources.list
rm -f "/etc/apt/sources.list"
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
apt-get.anondist-orig update


@ -1,41 +0,0 @@
################################################################################
# Pre Fixups
sudo mkdir -p /boot/grub2
sudo touch /boot/grub2/grub.cfg
sudo mkdir -p /boot/grub
sudo touch /boot/grub/grub.cfg
sudo mkdir --parents --mode=g+rw "/tmp/uwt"
# Whonix seems to re-install sysvinit even though there is a hold
# on the package. Things seem to work anyway. BUT hopfully the
# hold on grub* don't get removed
sudo apt-mark hold sysvinit
sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common
# Whonix expects haveged to be started
sudo /etc/init.d/haveged start
# ------------------------------------------------------------------------------
# Link our build steps into Whonix build directory
# ------------------------------------------------------------------------------
#pushd /home/user/Whonix/build-steps.d
#cp -pf /home/user/build-steps.d/* .
#popd
# ------------------------------------------------------------------------------
# Whonix installation
# ------------------------------------------------------------------------------
export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1"
pushd ~/Whonix
sudo ~/Whonix/whonix_build \
--build $1 \
--64bit-linux \
--current-sources \
--enable-whonix-apt-repository \
--whonix-apt-repository-distribution $2 \
--install-to-root \
--skip-verifiable \
--minimal-report \
--skip-sanity-tests || { exit 1; }
popd


@ -1,3 +0,0 @@
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
sudo apt-get -y --force-yes remove grub-pc grub-common grub-pc-bin grub2-common
sudo apt-mark hold grub-common grub-pc-bin grub2-common


@ -0,0 +1,90 @@
#!/usr/bin/python
#
# Copyright 2014 Jason Mehring (nrgaway@gmail.com)
#
from PyQt4 import QtGui
import locale
import yaml
DEFAULT_LANG = 'en'
class Messages():
filename = None
data = None
language = DEFAULT_LANG
title = None
icon = None
message = None
def __init__(self, section, filename):
self.filename = filename
language = locale.getdefaultlocale()[0].split('_')[0]
if language:
self.language = language
try:
stream = file(filename, 'r')
data = yaml.load(stream)
if section in data.keys():
section = data[section]
self.icon = section.get('icon', None)
language = section.get(self.language, DEFAULT_LANG)
self.title = language.get('title', None)
self.message = language.get('message', None)
except (IOError):
pass
except (yaml.scanner.ScannerError, yaml.parser.ParserError):
pass
class WhonixMessageBox(QtGui.QMessageBox):
def __init__(self, message):
super(WhonixMessageBox, self).__init__()
self.message = message
self.initUI()
def initUI(self):
message = self.message
if message.title:
self.setWindowTitle(message.title)
if message.icon:
self.setIcon(getattr(QtGui.QMessageBox, message.icon))
if message.message:
self.setText(message.message)
self.exec_()
import argparse
import sys
def main():
parser = argparse.ArgumentParser(description='Display a QT Message Box')
parser.add_argument('section', help="Message section")
parser.add_argument('filename', help="File including full path")
args = parser.parse_args()
if not args.filename and args.section:
print parser.usage()
sys.exit(1)
app = QtGui.QApplication(sys.argv)
message = Messages(args.section, args.filename)
dialog = WhonixMessageBox(message)
sys.exit()
if __name__ == "__main__":
main()
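Review bot: `language = section.get(self.language, DEFAULT_LANG)` falls back to the string `'en'` rather than the English subsection, so on a non-English locale with no translation the next line raises AttributeError on `str.get`; use `language = section.get(self.language) or section.get(DEFAULT_LANG, {})`. `yaml.load(stream)` without an explicit Loader will construct arbitrary Python objects from the file — the file is root-owned per the .facl entry, but `yaml.safe_load` costs nothing here — and the `file(...)` handle is never closed, so wrap it in `with open(filename) as stream:`. `locale.getdefaultlocale()[0]` can be None, which makes `.split('_')` raise before the try block is reached. In `main()` the `if not args.filename and args.section` check is dead because argparse already enforces both positionals, and `parser.usage()` is not callable — it would be `parser.print_usage()`. The duplicate of this file later on the page shares these points.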


@ -20,3 +20,11 @@ if [ "$LOG_IP6" == "1" ]; then
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
modprobe ip6t_LOG modprobe ip6t_LOG
fi fi
# Redirect local port to remote via socat
#apt-get install socat
#socat TCP4-LISTEN:8082,fork,mode=0666,user=root,group=root TCP4:10.137.255.254:8082
#
# Works
# localhost/loopback maps localhost port 8082 to localhost port 8888
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888


@ -0,0 +1,12 @@
update:
icon: Critical
en:
title: Tor netvm required for updates
message: |
<p><B>Tor netvm required for updates!</B></p>
<p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
<p>No updates are possible without an active (running) Whonix gateway VM.</p>
<p/>
<p><b>Template will now power off</b></p>


@ -1,23 +1,46 @@
#/bin/bash #!/bin/bash
# XXX: TODO: . /usr/lib/whonix/utility_functions
# - Make sure we can't just run this from setup-ip
# - Alternatives? instead of deleting dialog?
#
# INSTALLATION NOTES:
# - Make sure /etc/tor/torrc is disabled initially
# - Make sure /var/lib/whonix/do_once/whonixsetup.done does not exist
# so repo questions will be asked
# - /etc/xdg/autostart/qubes-whonixsetup must be in place
# - this file must be in place
# - gdialog must have over-written dialog
# - patches to setup-ip:
# - bring eth1 up
# - remove old code that was trying to get setup working
if [ "${WHONIX}" == "gateway" ]; then
grep "^DisableNetwork 0$" /etc/tor/torrc || { grep "^DisableNetwork 0$" /etc/tor/torrc || {
sudo systemctl stop whonixcheck sudo service sdwdate restart
sudo systemctl stop tor sudo service tor stop
sudo /usr/lib/whonix/setup-ip sudo /usr/bin/whonixsetup && {
sudo /usr/bin/whonixsetup enable_sysv tor
sleep 1
enable_sysv sdwdate
} || {
sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
disable_sysv tor
disable_sysv sdwdate
sudo /sbin/poweroff
} }
}
# Allow whonix-gateway to act as an update-proxy
sudo systemctl status qubes-updates-proxy.service || {
error_file="/usr/share/tinyproxy/default.html"
# Search and replace tinyproxy error files so we can inject code that
# we can use to identify that its a tor proxy so updates are secure
grep -q "${PROXY_META}" "${error_file}" || {
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
}
sudo touch /var/run/qubes-service/qubes-updates-proxy
sudo iptables -t nat -N PR-QBS-SERVICES
sudo systemctl start qubes-updates-proxy.service
}
elif [ "${WHONIX}" == "workstation" ]; then
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
enable_sysv sdwdate
sudo service sdwdate restart
sudo /usr/bin/whonixsetup
fi
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
sudo /sbin/poweroff
fi
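Review bot: In the gateway branch, `sudo /usr/bin/whonixsetup && { ... } || { ... }` is not an if/else: when whonixsetup succeeds but `enable_sysv sdwdate`, the last command of the success group, returns non-zero, the failure group runs and disables Tor and powers the VM off. The failure group also runs `sed -i` on /etc/tor/torrc without the `sudo` every neighbouring command uses, so as the unprivileged autostart user that edit would silently fail. Rewrite it as an explicit if/else with sudo on the sed, as below. The `grep "^DisableNetwork 0$"` tests would read better as `grep -q`, and `sudo iptables -t nat -N PR-QBS-SERVICES` reports an error on every run after the chain exists, which is harmless but noisy.
```shell
if [ "${WHONIX}" == "gateway" ]; then
  grep -q "^DisableNetwork 0$" /etc/tor/torrc || {
    sudo service sdwdate restart
    sudo service tor stop
    if sudo /usr/bin/whonixsetup; then
      enable_sysv tor
      sleep 1
      enable_sysv sdwdate
    else
      sudo sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
      disable_sysv tor
      disable_sysv sdwdate
      sudo /sbin/poweroff
    fi
  }
  # … unchanged: qubes-updates-proxy setup …
```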


@ -1,7 +1,9 @@
#!/bin/bash #!/bin/bash
. /usr/lib/whonix/utility_functions
# Search though files and updates IP address to the current # Search though files and updates IP address to the current
# 'qubes-netvm-gateway' IP address # IP address(es)
FILES=( FILES=(
'/usr/lib/leaktest-workstation/simple_ping.py' '/usr/lib/leaktest-workstation/simple_ping.py'
@ -40,7 +42,7 @@ search_replace() {
sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
retval=$? retval=$?
if [ "${ls_attrs}" == "i" ]; then if [ "${ls_attrs}" = "i" ]; then
chattr +i "${file}" chattr +i "${file}"
fi fi
@ -58,7 +60,7 @@ function replace_ips()
search_network="${search_ip%[.]*}.0" search_network="${search_ip%[.]*}.0"
replace_network="${replace_ip%[.]*}.0" replace_network="${replace_ip%[.]*}.0"
if ! [ "${search_ip}" == "${replace_ip}" ]; then if ! [ "${search_ip}" = "${replace_ip}" ]; then
for file in "${files[@]}"; do for file in "${files[@]}"; do
if [ -f "$file" ]; then if [ -f "$file" ]; then
search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0 search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0
@ -75,12 +77,15 @@ update_ip() {
echo "${ip}" > /etc/whonix-netvm-gateway echo "${ip}" > /etc/whonix-netvm-gateway
grep '^DisableNetwork 0$' /etc/tor/torrc && { grep '^DisableNetwork 0$' /etc/tor/torrc && {
service tor status && {
service tor reload || true; service tor reload || true;
} }
} }
}
if [ "${WHONIX}" == "gateway" ]; then
ip="$(xenstore-read qubes-netvm-gateway)" ip="$(xenstore-read qubes-netvm-gateway)"
if [ x${ip} != x ]; then
# Compare to current IP address assiged by Qubes # Compare to current IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}" replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}"
@ -89,4 +94,25 @@ replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}"
# Do again; checking for original 10.152.152.11 incase of update # Do again; checking for original 10.152.152.11 incase of update
replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}" replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}"
fi
elif [ "${WHONIX}" == "workstation" ]; then
ip="$(xenstore-read qubes-ip)"
gateway="$(xenstore-read qubes-gateway)"
if [ x${ip} != x ]; then
# Compare to current IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
# Do again; checking for original 10.152.152.11 incase of update
replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
fi
if [ x${gateway} != x ]; then
# Compare to current gateway IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
# Do again; checking for original 10.152.152.10 incase of update
replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
fi
fi
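Review bot: The three new `if [ x${ip} != x ]` / `[ x${gateway} != x ]` tests leave the expansion unquoted; the idiomatic form is `if [ -n "${ip}" ]; then`. When /etc/whonix-ip or /etc/whonix-netvm-gateway does not exist yet, `$(cat ...)` hands `search_replace` an empty search string, which builds the sed address `//` — GNU sed rejects that with "no previous regular expression" — so as far as I can tell the first replacement is skipped until the file is seeded, and the fallback passes on the 10.152.152.x addresses are what actually covers a fresh install; a comment stating that intent would help. The IP strings also go into the sed pattern unescaped, so each `.` matches any character; the values come from xenstore, so this is a robustness rather than a trust concern. `replace_ips` and `update_ip` both start outside their hunks.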


@ -1,5 +1,8 @@
#!/bin/bash #!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" == "gateway" ]; then
if [ -x /usr/sbin/xenstore-read ]; then if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read" XENSTORE_READ="/usr/sbin/xenstore-read"
else else
@ -20,13 +23,15 @@ ip link show ${INTERFACE} >> /dev/null || {
gateway=$(${XENSTORE_READ} qubes-netvm-gateway) gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up /sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off /sbin/ethtool -K ${INTERFACE} sg off || true
/sbin/ethtool -K ${INTERFACE} tx off /sbin/ethtool -K ${INTERFACE} tx off || true
fi fi
ip link set ${INTERFACE} up ip link set ${INTERFACE} up
} }
fi
if [ "${WHONIX}" != "template" ]; then
# Files that will have the immutable bit set # Files that will have the immutable bit set
# since we don't want them modified by other programs # since we don't want them modified by other programs
IMMUTABLE_FILES=( IMMUTABLE_FILES=(
@ -35,48 +40,6 @@ IMMUTABLE_FILES=(
'/etc/hosts' '/etc/hosts'
) )
immutableFilesEnable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
chattr +i "${file}${suffix}"
fi
done
}
immutableFilesDisable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
chattr -i "${file}${suffix}"
fi
done
}
copyAnondist() {
file="${1}"
suffix="${2-.anondist}"
# Remove any softlinks first
if [ -L "${file}" ]; then
rm -f "${file}"
fi
if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
chattr -i "${file}"
rm -f "${file}"
cp -p "${file}${suffix}" "${file}"
chattr +i "${file}"
elif ! [ -f "${file}" ]; then
cp -p "${file}${suffix}" "${file}"
chattr +i "${file}"
fi
}
# Make sure all .anondist files in list are immutable # Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}" immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
@ -95,47 +58,21 @@ copyAnondist "/etc/hostname"
/bin/hostname host /bin/hostname host
# Start Whonix Firewall # Start Whonix Firewall
if [ "${WHONIX}" == "gateway" ]; then
export INT_IF="vif+" export INT_IF="vif+"
export INT_TIF="vif+" export INT_TIF="vif+"
fi
/usr/bin/whonix_firewall /usr/bin/whonix_firewall
if [ "${WHONIX}" == "gateway" ]; then
# Route any traffic FROM netvm TO netvm BACK-TO localhost # Route any traffic FROM netvm TO netvm BACK-TO localhost
# Allows localhost access to tor network # Allows localhost access to tor network
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
# Will only enable / disable if service is not already in that state
enable_sysv() {
servicename=${1}
disable=${2-0}
# Check to see if the service is already enabled and if not, enable it
string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}"
if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then
case ${disable} in
0)
echo "${1} is currently disabled; enabling it"
systemctl --quiet enable ${servicename}
;;
1)
echo "${1} is currently enabled; disabling it"
systemctl --quiet disable ${servicename}
;;
esac
fi fi
}
disable_sysv() { # Make sure we remove whonixsetup.done if Tor is not enabled
enable_sysv ${1} 1 # to allow choice of repo and prevent whonixcheck errors
} grep "^DisableNetwork 0$" /etc/tor/torrc || {
rm -f /var/lib/whonix/do_once/whonixsetup.done
# This would be a really good place to apply any hacks required and remove them
# from template build script
grep "^DisableNetwork 0$" /etc/tor/torrc && {
#enable_sysv tor
#enable_sysv whonixcheck
#enable_sysv sdwdate
:
} || {
:
} }
fi
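Review bot: The new `grep "^DisableNetwork 0$" /etc/tor/torrc || { rm -f /var/lib/whonix/do_once/whonixsetup.done }` sits inside the `WHONIX != template` block but after the gateway-only block closes, so it runs on the workstation too; if the workstation has no /etc/tor/torrc the grep always fails and the done-marker is removed on every boot, which would make the workstation branch of qubes-whonixsetup re-run whonixsetup each time. Guard it, `if [ "${WHONIX}" == "gateway" ] && ! grep -q "^DisableNetwork 0$" /etc/tor/torrc; then`, or move it into the preceding gateway block. The unchanged `immutableFilesEnable "${IMMUTABLE_FILES}"` calls pass only the first array element, and the function bodies now living in utility_functions iterate `"${files[@]}"` over that scalar; passing `IMMUTABLE_FILES[@]` and reading it with `"${!1}"` matches the `FILES[@]` convention replace-ips already uses.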


@ -0,0 +1,95 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
#disable_sysv tor
#disable_sysv sdwdate
iptables -F
iptables -t nat -F
LOG_IP4=1
LOG_IP6=0
# for IPv4
if [ "$LOG_IP4" == "1" ]; then
iptables -t raw -A OUTPUT -p icmp -j TRACE
iptables -t raw -A PREROUTING -p icmp -j TRACE
modprobe ipt_LOG
fi
# for IPv6
if [ "$LOG_IP6" == "1" ]; then
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
modprobe ip6t_LOG
fi
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105
#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT"
#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT"
#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT
#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT
#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
# Works
# localhost/loopback maps localhost port 8082 to localhost port 8888
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082
# Remap ALL traffic
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
#iptables -v -L
#iptables -v -t nat -L
#telnet 127.0.0.1 9105
#telnet 10.137.2.1 8082
#telnet 127.0.0.1 8082
#tail -100 /var/log/kern.log
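Review bot: The first effective commands, `iptables -F` and `iptables -t nat -F` followed by `sysctl -w net.ipv4.ip_forward=1` and the `FORWARD ... -j ACCEPT` rules on eth0, flush the running firewall and open forwarding; on a gateway that removes the Tor-only enforcement whonix_firewall installs until the next reboot, and the .facl entry installs this file as an executable `usr/lib/whonix/tests.sh`. If it has to ship, add a header comment that says what it does — `# DEBUG ONLY: flushes all iptables rules and enables forwarding; reboot to restore the firewall` — and make it refuse to run without an explicit argument; better, keep it out of the installed tree. The `10.137.255.254:8082` literal in the commented rules duplicates `PROXY_SERVER` from utility_functions, which the script already sources.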


@ -0,0 +1,94 @@
#!/bin/bash
# /etc/uwt.d/50_uwt_default relies on this in order to allow connection
# to proxy for template
PROXY_SERVER="http://10.137.255.254:8082/"
PROXY_META='<meta name=\"application-name\" content=\"tor proxy\"\/>'
if [ -f "/var/run/qubes-service/updates-proxy-setup" ]; then
WHONIX="template"
elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
WHONIX="gateway"
elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
WHONIX="workstation"
else
WHONIX="unknown"
fi
if [ "${WHONIX}" == "template" ]; then
curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}" && {
PROXY_SECURE=1
} || {
PROXY_SECURE=0
}
fi
immutableFilesEnable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
sudo chattr +i "${file}${suffix}"
fi
done
}
immutableFilesDisable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
sudo chattr -i "${file}${suffix}"
fi
done
}
copyAnondist() {
file="${1}"
suffix="${2-.anondist}"
# Remove any softlinks first
if [ -L "${file}" ]; then
sudo rm -f "${file}"
fi
if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
sudo chattr -i "${file}"
sudo rm -f "${file}"
sudo cp -p "${file}${suffix}" "${file}"
sudo chattr +i "${file}"
elif ! [ -f "${file}" ]; then
sudo cp -p "${file}${suffix}" "${file}"
sudo chattr +i "${file}"
fi
}
# Will only enable / disable if service is not already in that state
enable_sysv() {
servicename=${1}
disable=${2-0}
# Check to see if the service is already enabled and if not, enable it
string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}"
if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then
case ${disable} in
0)
echo "${1} is currently disabled; enabling it"
sudo systemctl --quiet enable ${servicename}
;;
1)
echo "${1} is currently enabled; disabling it"
sudo service ${servicename} stop
sudo systemctl --quiet disable ${servicename}
;;
esac
fi
}
disable_sysv() {
enable_sysv ${1} 1
}
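Review bot: `immutableFilesEnable` and `immutableFilesDisable` assign `files="${1}"` and then iterate `"${files[@]}"`, which on a scalar yields exactly one element, and their callers in setup-ip pass `"${IMMUTABLE_FILES}"` (the first element only), so only the first listed file ever gets the immutable bit toggled. Read the array by name, as replace-ips does with `FILES[@]`: `local files=("${!1}")` in both functions, with callers passing `IMMUTABLE_FILES[@]`. `PROXY_SECURE` is decided by whether the response contains the `PROXY_META` marker, which is a self-declaration by whatever answers at `PROXY_SERVER`; that catches a template pointed at a non-Whonix NetVM but cannot tell a spoofing proxy apart, and a comment above the check should say so, e.g. `# Marker is advisory: it detects a misconfigured NetVM, not a hostile one`. The probe also runs at source time, so every script (and, via 50_uwt_default, every uwt invocation) that sources this file in a template makes a network request; compute it once and cache the result. In `copyAnondist`, `$(diff ${file} ${file}${suffix})` leaves both paths unquoted.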


@ -19,6 +19,20 @@ user::rw-
group::r-- group::r--
other::r-- other::r--
# file: etc/uwt.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/uwt.d/50_uwt_default
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/udev # file: etc/udev
# owner: root # owner: root
# group: root # group: root
@ -49,10 +63,10 @@ other::r--
# file: etc/sudoers.d # file: etc/sudoers.d
# owner: root # owner: root
# group: user # group: root
user::rwx user::rwx
group::r-x group::r-x
other::r-x other::---
# file: etc/sudoers.d/qubes # file: etc/sudoers.d/qubes
# owner: root # owner: root
@ -89,6 +103,13 @@ user::rwx
group::r-x group::r-x
other::r-x other::r-x
# file: usr/lib/whonix/utility_functions
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/setup-ip # file: usr/lib/whonix/setup-ip
# owner: root # owner: root
# group: root # group: root
@ -96,6 +117,20 @@ user::rwx
group::r-x group::r-x
other::r-x other::r-x
# file: usr/lib/whonix/tests.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/messages.yaml
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/replace-ips # file: usr/lib/whonix/replace-ips
# owner: root # owner: root
# group: root # group: root
@ -103,6 +138,20 @@ user::rwx
group::r-x group::r-x
other::r-x other::r-x
# file: usr/lib/whonix/alert
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/qubes-whonixsetup
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/enable-iptables-logging.sh # file: usr/lib/whonix/enable-iptables-logging.sh
# owner: root # owner: root
# group: root # group: root


@ -1,14 +1,5 @@
## Anonymity Distribution /etc/hosts ## Anonymity Distribution /etc/hosts
## Defaults
127.0.0.1 host
::1 host ip6-host ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
## End of defaults
## Anonymity Distribution specific ## Anonymity Distribution specific
127.0.0.1 host.localdomain host 127.0.0.1 host.localdomain host
## End of Anonymity Distribution specific ## End of Anonymity Distribution specific


@ -0,0 +1,6 @@
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]; then
uwtwrapper["/usr/bin/apt-get"]="0"
fi


@ -1,41 +0,0 @@
################################################################################
# Pre Fixups
sudo mkdir -p /boot/grub2
sudo touch /boot/grub2/grub.cfg
sudo mkdir -p /boot/grub
sudo touch /boot/grub/grub.cfg
sudo mkdir --parents --mode=g+rw "/tmp/uwt"
# Whonix seems to re-install sysvinit even though there is a hold
# on the package. Things seem to work anyway. BUT hopfully the
# hold on grub* don't get removed
sudo apt-mark hold sysvinit
sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common
# Whonix expects haveged to be started
sudo /etc/init.d/haveged start
# ------------------------------------------------------------------------------
# Link our build steps into Whonix build directory
# ------------------------------------------------------------------------------
#pushd /home/user/Whonix/build-steps.d
#cp -pf /home/user/build-steps.d/* .
#popd
# ------------------------------------------------------------------------------
# Whonix installation
# ------------------------------------------------------------------------------
export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1"
pushd ~/Whonix
sudo ~/Whonix/whonix_build \
--build $1 \
--64bit-linux \
--current-sources \
--enable-whonix-apt-repository \
--whonix-apt-repository-distribution $2 \
--install-to-root \
--skip-verifiable \
--minimal-report \
--skip-sanity-tests || { exit 1; }
popd


@ -0,0 +1,90 @@
#!/usr/bin/python
#
# Copyright 2014 Jason Mehring (nrgaway@gmail.com)
#
from PyQt4 import QtGui
import locale
import yaml
DEFAULT_LANG = 'en'
class Messages():
filename = None
data = None
language = DEFAULT_LANG
title = None
icon = None
message = None
def __init__(self, section, filename):
self.filename = filename
language = locale.getdefaultlocale()[0].split('_')[0]
if language:
self.language = language
try:
stream = file(filename, 'r')
data = yaml.load(stream)
if section in data.keys():
section = data[section]
self.icon = section.get('icon', None)
language = section.get(self.language, DEFAULT_LANG)
self.title = language.get('title', None)
self.message = language.get('message', None)
except (IOError):
pass
except (yaml.scanner.ScannerError, yaml.parser.ParserError):
pass
class WhonixMessageBox(QtGui.QMessageBox):
def __init__(self, message):
super(WhonixMessageBox, self).__init__()
self.message = message
self.initUI()
def initUI(self):
message = self.message
if message.title:
self.setWindowTitle(message.title)
if message.icon:
self.setIcon(getattr(QtGui.QMessageBox, message.icon))
if message.message:
self.setText(message.message)
self.exec_()
import argparse
import sys
def main():
parser = argparse.ArgumentParser(description='Display a QT Message Box')
parser.add_argument('section', help="Message section")
parser.add_argument('filename', help="File including full path")
args = parser.parse_args()
if not args.filename and args.section:
print parser.usage()
sys.exit(1)
app = QtGui.QApplication(sys.argv)
message = Messages(args.section, args.filename)
dialog = WhonixMessageBox(message)
sys.exit()
if __name__ == "__main__":
main()
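Review bot: `yaml.load(stream)` in `Messages.__init__` uses PyYAML's full loader, which can construct arbitrary Python objects from tags in the file, and the file path comes straight from argv; this should be `data = yaml.safe_load(stream)`, with the file opened in a `with` block so the handle is closed. The language fallback two lines later is also broken: `section.get(self.language, DEFAULT_LANG)` returns the string `'en'` when the locale has no entry, and the following `.get('title', None)` then raises AttributeError, which neither `except` clause catches; use `language = section.get(self.language) or section.get(DEFAULT_LANG, {})`. `getattr(QtGui.QMessageBox, message.icon)` in `initUI` likewise accepts any attribute name from the YAML, so check `icon` against the known values (`Information`, `Warning`, `Critical`, `Question`) before the lookup.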


@ -20,3 +20,11 @@ if [ "$LOG_IP6" == "1" ]; then
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
modprobe ip6t_LOG modprobe ip6t_LOG
fi fi
# Redirect local port to remote via socat
#apt-get install socat
#socat TCP4-LISTEN:8082,fork,mode=0666,user=root,group=root TCP4:10.137.255.254:8082
#
# Works
# localhost/loopback maps localhost port 8082 to localhost port 8888
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888


@ -0,0 +1,12 @@
update:
icon: Critical
en:
title: Tor netvm required for updates
message: |
<p><B>Tor netvm required for updates!</B></p>
<p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
<p>No updates are possible without an active (running) Whonix gateway VM.</p>
<p/>
<p><b>Template will now power off</b></p>
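Review bot: The user-facing text under `message:` reads "has a Whonix gateway as it's VM", which is a typo and does not say which setting is meant; suggest `<p>Please ensure your template VM has a Whonix gateway set as its NetVM.</p>`. The `<p/>` spacer that follows is a self-closing paragraph, which Qt's rich-text renderer may not honour; `<br/>` is the conventional spacer.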


@ -0,0 +1,46 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" == "gateway" ]; then
grep "^DisableNetwork 0$" /etc/tor/torrc || {
sudo service sdwdate restart
sudo service tor stop
sudo /usr/bin/whonixsetup && {
enable_sysv tor
sleep 1
enable_sysv sdwdate
} || {
sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
disable_sysv tor
disable_sysv sdwdate
sudo /sbin/poweroff
}
}
# Allow whonix-gateway to act as an update-proxy
sudo systemctl status qubes-updates-proxy.service || {
error_file="/usr/share/tinyproxy/default.html"
# Search and replace tinyproxy error files so we can inject code that
# we can use to identify that its a tor proxy so updates are secure
grep -q "${PROXY_META}" "${error_file}" || {
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
}
sudo touch /var/run/qubes-service/qubes-updates-proxy
sudo iptables -t nat -N PR-QBS-SERVICES
sudo systemctl start qubes-updates-proxy.service
}
elif [ "${WHONIX}" == "workstation" ]; then
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
enable_sysv sdwdate
sudo service sdwdate restart
sudo /usr/bin/whonixsetup
fi
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
sudo /sbin/poweroff
fi
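Review bot: The `sudo /usr/bin/whonixsetup && { … } || { … }` construct in the gateway branch is not an if/else: if whonixsetup succeeds but `enable_sysv tor` or `enable_sysv sdwdate` returns non-zero, the failure branch also runs, commenting out `DisableNetwork 0`, disabling tor and powering the VM off after a successful setup. The same `cmd || { … }` pattern at `sudo systemctl status qubes-updates-proxy.service` treats any non-zero status, not just "inactive", as a reason to (re)configure the proxy. Inside the failure branch the `sed -i … /etc/tor/torrc` is the only command without `sudo`, so if this runs as `user` as the surrounding calls suggest it presumably fails on permissions; and the `grep` on the first line should be `grep -q` so the torrc line is not echoed to the console at boot. The rewritten setup step:
```shell
if [ "${WHONIX}" == "gateway" ]; then
    grep -q "^DisableNetwork 0$" /etc/tor/torrc || {
        sudo service sdwdate restart
        sudo service tor stop
        if sudo /usr/bin/whonixsetup; then
            enable_sysv tor
            sleep 1
            enable_sysv sdwdate
        else
            sudo sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
            disable_sysv tor
            disable_sysv sdwdate
            sudo /sbin/poweroff
        fi
    }
    # … unchanged: update-proxy setup …
```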


@ -1,7 +1,9 @@
#!/bin/bash #!/bin/bash
. /usr/lib/whonix/utility_functions
# Search though files and updates IP address to the current # Search though files and updates IP address to the current
# 'qubes-netvm-gateway' IP address # IP address(es)
FILES=( FILES=(
'/usr/lib/leaktest-workstation/simple_ping.py' '/usr/lib/leaktest-workstation/simple_ping.py'
@ -40,7 +42,7 @@ search_replace() {
sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
retval=$? retval=$?
if [ "${ls_attrs}" == "i" ]; then if [ "${ls_attrs}" = "i" ]; then
chattr +i "${file}" chattr +i "${file}"
fi fi
@ -58,7 +60,7 @@ function replace_ips()
search_network="${search_ip%[.]*}.0" search_network="${search_ip%[.]*}.0"
replace_network="${replace_ip%[.]*}.0" replace_network="${replace_ip%[.]*}.0"
if ! [ "${search_ip}" == "${replace_ip}" ]; then if ! [ "${search_ip}" = "${replace_ip}" ]; then
for file in "${files[@]}"; do for file in "${files[@]}"; do
if [ -f "$file" ]; then if [ -f "$file" ]; then
search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0 search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0
@ -70,18 +72,47 @@ function replace_ips()
return $retval return $retval
} }
update_ip() {
ip=${1}
echo "${ip}" > /etc/whonix-netvm-gateway
grep '^DisableNetwork 0$' /etc/tor/torrc && {
service tor status && {
service tor reload || true;
}
}
}
if [ "${WHONIX}" == "gateway" ]; then
ip="$(xenstore-read qubes-netvm-gateway)"
if [ x${ip} != x ]; then
# Compare to current IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}"
# Do again; checking for original 10.152.152.10 incase of update
replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}"
# Do again; checking for original 10.152.152.11 incase of update
replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}"
fi
elif [ "${WHONIX}" == "workstation" ]; then
ip="$(xenstore-read qubes-ip)" ip="$(xenstore-read qubes-ip)"
gateway="$(xenstore-read qubes-gateway)" gateway="$(xenstore-read qubes-gateway)"
if [ x${ip} != x ]; then
# Compare to current IP address assiged by Qubes # Compare to current IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
# Do again; checking for original 10.152.152.11 incase of update # Do again; checking for original 10.152.152.11 incase of update
replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
fi
if [ x${gateway} != x ]; then
# Compare to current gateway IP address assiged by Qubes # Compare to current gateway IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
# Do again; checking for original 10.152.152.10 incase of update # Do again; checking for original 10.152.152.10 incase of update
replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
fi
fi
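Review bot: In the new gateway branch, `ip="$(xenstore-read qubes-netvm-gateway)"` is written to `/etc/whonix-netvm-gateway` and handed to `replace_ips`, which splices it into a sed expression (`sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1'`) with no check that it is a dotted-quad address, so a value containing `/`, `&` or a newline would corrupt every file listed in `FILES`. The xenstore keys are populated by dom0 in Qubes, so this is a robustness rather than a trust-boundary concern, but validating is one line before the `if`: `[[ "${ip}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || exit 1` (and the same for `gateway` in the workstation branch). The `[ x${ip} != x ]` tests should be `[ -n "${ip}" ]`, which also survives an unexpected value with whitespace, and `update_ip` should use `grep -q` so the torrc line stays out of the boot log.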


@ -1,60 +1,52 @@
#!/bin/bash #!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" == "gateway" ]; then
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
INTERFACE="eth1"
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
ip link show ${INTERFACE} >> /dev/null || {
/sbin/ip link add ${INTERFACE} type dummy
# Now, assign it the netvm-gateway IP address
if [ x${ip} != x ]; then
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off || true
/sbin/ethtool -K ${INTERFACE} tx off || true
fi
ip link set ${INTERFACE} up
}
fi
if [ "${WHONIX}" != "template" ]; then
# Files that will have the immutable bit set # Files that will have the immutable bit set
# since we don't want them modified by other programs # since we don't want them modified by other programs
IMMUTABLE_FILES=( IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname' '/etc/hostname'
'/etc/hosts' '/etc/hosts'
) )
immutableFilesEnable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
chattr +i "${file}${suffix}"
fi
done
}
immutableFilesDisable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
chattr -i "${file}${suffix}"
fi
done
}
copyAnondist() {
file="${1}"
suffix="${2-.anondist}"
# Remove any softlinks first
if [ -L "${file}" ]; then
rm -f "${file}"
fi
if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
chattr -i "${file}"
rm -f "${file}"
cp -p "${file}${suffix}" "${file}"
chattr +i "${file}"
elif ! [ -f "${file}" ]; then
cp -p "${file}${suffix}" "${file}"
chattr +i "${file}"
fi
}
# Make sure all .anondist files in list are immutable # Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}" immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not # Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable # copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts" copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname" copyAnondist "/etc/hostname"
@ -66,5 +58,21 @@ copyAnondist "/etc/hostname"
/bin/hostname host /bin/hostname host
# Start Whonix Firewall # Start Whonix Firewall
if [ "${WHONIX}" == "gateway" ]; then
export INT_IF="vif+"
export INT_TIF="vif+"
fi
/usr/bin/whonix_firewall /usr/bin/whonix_firewall
if [ "${WHONIX}" == "gateway" ]; then
# Route any traffic FROM netvm TO netvm BACK-TO localhost
# Allows localhost access to tor network
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
fi
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi
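Review bot: The DNAT rule added after `whonix_firewall`, `iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1`, expands to `-s -d -j …` when `${ip}` is empty, which is a real possibility because the `xenstore-read` that sets it earlier in this file sends its errors to `/dev/null`; iptables then rejects the rule and loopback access to Tor silently stays broken. Guard and quote it: `[ -n "${ip}" ] && iptables -t nat -A OUTPUT -s "${ip}" -d "${ip}" -j DNAT --to-destination 127.0.0.1`. In the same gateway block, `netmask` and `gateway` are read from xenstore but never used (the dummy interface is configured with a fixed `255.255.255.255` mask), so either drop them or use `${netmask}` in the `ifconfig` call.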


@ -0,0 +1,95 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
#disable_sysv tor
#disable_sysv sdwdate
iptables -F
iptables -t nat -F
LOG_IP4=1
LOG_IP6=0
# for IPv4
if [ "$LOG_IP4" == "1" ]; then
iptables -t raw -A OUTPUT -p icmp -j TRACE
iptables -t raw -A PREROUTING -p icmp -j TRACE
modprobe ipt_LOG
fi
# for IPv6
if [ "$LOG_IP6" == "1" ]; then
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
modprobe ip6t_LOG
fi
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105
#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT"
#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT"
#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT
#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT
#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
# Works
# localhost/loopback maps localhost port 8082 to localhost port 8888
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082
# Remap ALL traffic
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
#iptables -v -L
#iptables -v -t nat -L
#telnet 127.0.0.1 9105
#telnet 10.137.2.1 8082
#telnet 127.0.0.1 8082
#tail -100 /var/log/kern.log
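Review bot: This script flushes the filter and nat tables (`iptables -F`, `iptables -t nat -F`), enables `net.ipv4.ip_forward` and then `ACCEPT`s all `FORWARD` traffic on `eth0` and `lo`, which removes whatever Tor-only enforcement `whonix_firewall` had installed for as long as it runs and restores nothing on exit; if it ships in the package as an executable, one accidental run on a gateway is a clearnet leak for every connected workstation. It should refuse to run without an explicit opt-in, e.g. `[ "${1}" = "--break-isolation" ] || { echo "refusing to flush the Whonix firewall; pass --break-isolation to debug" >&2; exit 1; }` as the first statement after sourcing utility_functions, and should end with a call to `/usr/bin/whonix_firewall` to put the rules back. The forty-odd commented-out iptables experiments below are better kept in a notes file than in a script a future reader might uncomment.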


@ -0,0 +1,94 @@
#!/bin/bash
# /etc/uwt.d/50_uwt_default relies on this in order to allow connection
# to proxy for template
PROXY_SERVER="http://10.137.255.254:8082/"
PROXY_META='<meta name=\"application-name\" content=\"tor proxy\"\/>'
if [ -f "/var/run/qubes-service/updates-proxy-setup" ]; then
WHONIX="template"
elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
WHONIX="gateway"
elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
WHONIX="workstation"
else
WHONIX="unknown"
fi
if [ "${WHONIX}" == "template" ]; then
curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}" && {
PROXY_SECURE=1
} || {
PROXY_SECURE=0
}
fi
immutableFilesEnable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
sudo chattr +i "${file}${suffix}"
fi
done
}
immutableFilesDisable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
sudo chattr -i "${file}${suffix}"
fi
done
}
copyAnondist() {
file="${1}"
suffix="${2-.anondist}"
# Remove any softlinks first
if [ -L "${file}" ]; then
sudo rm -f "${file}"
fi
if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
sudo chattr -i "${file}"
sudo rm -f "${file}"
sudo cp -p "${file}${suffix}" "${file}"
sudo chattr +i "${file}"
elif ! [ -f "${file}" ]; then
sudo cp -p "${file}${suffix}" "${file}"
sudo chattr +i "${file}"
fi
}
# Will only enable / disable if service is not already in that state
enable_sysv() {
servicename=${1}
disable=${2-0}
# Check to see if the service is already enabled and if not, enable it
string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}"
if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then
case ${disable} in
0)
echo "${1} is currently disabled; enabling it"
sudo systemctl --quiet enable ${servicename}
;;
1)
echo "${1} is currently enabled; disabling it"
sudo service ${servicename} stop
sudo systemctl --quiet disable ${servicename}
;;
esac
fi
}
disable_sysv() {
enable_sysv ${1} 1
}
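Review bot: `PROXY_SECURE` is derived from `curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}"`, i.e. from whether the HTTP server at 10.137.255.254:8082 echoes a `<meta name="application-name" content="tor proxy"/>` tag; any proxy, NetVM or upstream host can return that string, so this distinguishes a misconfigured template from a correctly configured one but is not evidence that updates travel over Tor, and the header comment should say so explicitly (the "so updates are secure" wording used where this marker is injected elsewhere in the change overstates it). The curl also has no timeout, so an unreachable proxy blocks whatever sources this file at startup; use `curl.anondist-orig --silent --max-time 10 "${PROXY_SERVER}"`. The `… | grep -q … && { PROXY_SECURE=1; } || { PROXY_SECURE=0; }` form works here only because an assignment cannot fail; an `if …; then … else … fi` would make the intent plain.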


@ -55,6 +55,12 @@ sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common
# Whonix expects haveged to be started # Whonix expects haveged to be started
sudo /etc/init.d/haveged start sudo /etc/init.d/haveged start
# Whonix does not always fix permissions after writing as sudo, especially
# when running whonixsetup so /var/lib/whonix/done_once is not readable by
# user, so set defualt umask for sudo
#sudo su -c 'echo "Defaults umask = 0002" >> /etc/sudoers'
#sudo su -c 'echo "Defaults umask_override" >> /etc/sudoers'
################################################################################ ################################################################################
# Whonix installation # Whonix installation
export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1"
@ -74,17 +80,8 @@ popd
EOF EOF
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# chroot Whonix fix script (Make sure set -e is not set) # Pin grub so it won't install
# Run ../whonix_fix when whonix gives grub-pc error
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# TODO: Do something in whonix build to automatically run fixups and
# ignore certain errors
read -r -d '' WHONIX_FIX_SCRIPT <<'EOF'
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
sudo apt-get -y --force-yes remove grub-pc grub-common grub-pc-bin grub2-common
sudo apt-mark hold grub-common grub-pc-bin grub2-common
EOF
read -r -d '' WHONIX_APT_PIN <<'EOF' read -r -d '' WHONIX_APT_PIN <<'EOF'
Package: grub-pc Package: grub-pc
Pin: version * Pin: version *
@ -230,13 +227,9 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
echo "${WHONIX_APT_PIN}" > "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes" echo "${WHONIX_APT_PIN}" > "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes"
chmod 0644 "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes" chmod 0644 "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes"
# Install Whonix fix script
echo "${WHONIX_FIX_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_fix"
chmod 0755 "${INSTALLDIR}/home/user/whonix_fix"
# Install Whonix build scripts # Install Whonix build scripts
echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build" echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build.sh"
chmod 0755 "${INSTALLDIR}/home/user/whonix_build" chmod 0755 "${INSTALLDIR}/home/user/whonix_build.sh"
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Copy over any extra files # Copy over any extra files
@ -287,6 +280,7 @@ fi
if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then
info "Post Configuring Whonix System" info "Post Configuring Whonix System"
# Don't need Whonix interfaces; restore original
pushd "${INSTALLDIR}/etc/network" pushd "${INSTALLDIR}/etc/network"
{ {
rm -f interfaces; rm -f interfaces;
@ -294,6 +288,8 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh
} }
popd popd
# Qubes installation will need a normal resolv.conf; will be restored back
# in 04_qubes_install_post.sh within the wheezy+whonix-* directories
pushd "${INSTALLDIR}/etc" pushd "${INSTALLDIR}/etc"
{ {
rm -f resolv.conf; rm -f resolv.conf;
@ -301,6 +297,17 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh
} }
popd popd
# Remove link to hosts file and copy original back
# Will get set back to Whonix hosts file when the
# /usr/lib/whonix/setup-ip is run on startup
pushd "${INSTALLDIR}/etc"
{
rm -f hosts;
cp -p hosts.anondist-orig hosts;
}
popd
# Enable Tor # Enable Tor
#if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then #if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then
# sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "${INSTALLDIR}/etc/tor/torrc" # sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "${INSTALLDIR}/etc/tor/torrc"
@ -315,7 +322,7 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh
sed -i "s/alias l='ls -CF'/alias l='ls -l'/g" "${INSTALLDIR}/home/user/.bashrc" sed -i "s/alias l='ls -CF'/alias l='ls -l'/g" "${INSTALLDIR}/home/user/.bashrc"
# Fake that whonixsetup was already run # Fake that whonixsetup was already run
mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once" #mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once"
#touch "${INSTALLDIR}/var/lib/whonix/do_once/whonixsetup.done" #touch "${INSTALLDIR}/var/lib/whonix/do_once/whonixsetup.done"
# Fake that initializer was already run # Fake that initializer was already run
@ -338,6 +345,10 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh
chroot "${INSTALLDIR}" service apt-cacher-ng stop || : chroot "${INSTALLDIR}" service apt-cacher-ng stop || :
chroot "${INSTALLDIR}" update-rc.d apt-cacher-ng disable || : chroot "${INSTALLDIR}" update-rc.d apt-cacher-ng disable || :
# Tor will be re-enabled upon initial configuration
chroot "${INSTALLDIR}" update-rc.d tor disable || :
chroot "${INSTALLDIR}" update-rc.d sdwdate disable || :
# Remove apt-cacher-ng # Remove apt-cacher-ng
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot ${INSTALLDIR} apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng chroot ${INSTALLDIR} apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng
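Review bot: The commented-out sudoers lines (`Defaults umask = 0002` / `Defaults umask_override`) in the first hunk show the intended fix for `/var/lib/whonix/do_once` being unreadable by `user`, but lowering root's umask under sudo makes every file root creates through sudo group-writable, which is far broader than the problem; if this is enabled elsewhere in the commit, prefer fixing the one path after whonixsetup runs, e.g. `chmod 0755 /var/lib/whonix/do_once` and `chmod 0644 /var/lib/whonix/do_once/*.done`. In the `/etc/hosts` hunk, `rm -f hosts; cp -p hosts.anondist-orig hosts` deletes the template's hosts file before checking that the `.anondist-orig` copy exists, so a failed copy leaves the image with no `/etc/hosts`; add `[ -f hosts.anondist-orig ] || { echo "hosts.anondist-orig missing" >&2; exit 1; }` before the `rm`, or copy to a temporary name and `mv` it into place.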


@ -45,4 +45,4 @@ popd
rm -rf "${INSTALLDIR}"/home/user/Whonix rm -rf "${INSTALLDIR}"/home/user/Whonix
rm -rf "${INSTALLDIR}"/home/user/whonix_binary rm -rf "${INSTALLDIR}"/home/user/whonix_binary
rm -f "${INSTALLDIR}"/home/user/whonix_fix rm -f "${INSTALLDIR}"/home/user/whonix_fix
rm -f "${INSTALLDIR}"/home/user/whonix_build rm -f "${INSTALLDIR}"/home/user/whonix_build.sh