Merge remote-tracking branch 'nrgaway/wheezy' into wheezy

create_template_list.sh

@@ -1,48 +1,55 @@
 #!/bin/bash
+# vim: set ts=4 sw=4 sts=4 et :
 
 #
 # Creates a small script to copy to dom0 to retrieve the generated template rpm's
 #
 
-TEMPLATES="./rpm/install-templates.sh"
+template_dir="$(readlink -m ./rpm/install-templates.sh)"
+files=( $(ls rpm/noarch) )
+name=$(xenstore-read name)
 
-write() {
-    echo "$1" >> "$TEMPLATES"
-}
+# -----------------------------------------------------------------------------
+# Write $vars
+# -----------------------------------------------------------------------------
+cat << EOF > "${template_dir}"
+#!/bin/bash
 
-if [ -x /usr/sbin/xenstore-read ]; then
-        XENSTORE_READ="/usr/sbin/xenstore-read"
-else
-        XENSTORE_READ="/usr/bin/xenstore-read"
-fi
+# Use the following command in DOM0 to retreive this file:
+# qvm-run --pass-io ${name} 'cat ${template_dir}' > install-templates.sh
 
-TEMPLATES="$(readlink -m $TEMPLATES)"
-VERSION="-$(cat ./version)"
-name=$($XENSTORE_READ name)
-path="$(readlink -m .)"
-files=$(ls rpm/noarch)
+files="
+$(printf "%s \n" ${files[@]})
+"
 
-#
-# Write to install-templates
-#
+path="$(readlink -m .)/rpm/noarch"
+version="-$(cat ./version)"
+name="${name}"
+EOF
 
-echo "#!/bin/bash" > "$TEMPLATES"
-write ""
+# -----------------------------------------------------------------------------
+# Write installation function
+# -----------------------------------------------------------------------------
+cat << 'EOF' >> "${template_dir}"
 
 for file in ${files[@]}; do
-    write "qvm-run --pass-io development-qubes 'cat ${path}/rpm/noarch/${file}' > ${file}"
-    write ""
-    write "sudo yum erase $(echo "$file" | sed -r "s/($VERSION).+$//")"
-    write ""
-    write "sudo yum install ${file}"
-    write ""
-    write ""
+    if [ ! -e ${file} ]; then
+        echo "Copying ${file} from ${name} to ${PWD}/${file}..."
+        qvm-run --pass-io development-qubes "cat ${path}/${file}" > ${file}
+    fi
+
+    sudo yum erase $(echo "${file}" | sed -r "s/(${version}).+$//") && {
+        sudo yum install ${file} && {
+            rm -f ${file}
+        }
+    }
 done
-
-write "# Use the following command in DOM0 to retreive this file:"
-write "# qvm-run --pass-io $name 'cat ${TEMPLATES}' > install-templates.sh"
-
+EOF
+ 
+# -----------------------------------------------------------------------------
+# Display instructions
+# -----------------------------------------------------------------------------
 echo "Use the following command in DOM0 to retreive this file:"
-echo "qvm-run --pass-io $name 'cat ${TEMPLATES}' > install-templates.sh"
+echo "qvm-run --pass-io ${name} 'cat ${template_dir}' > install-templates.sh"
 
 

functions.sh

@@ -67,8 +67,7 @@ if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
     chroot() {
         local retval
         true ${blue}
-        /usr/sbin/chroot "$@"
-        retval=$?
+        /usr/sbin/chroot "$@" && { retval=$?; true; } || { retval=$?; true; }
         true ${reset}
         return $retval
     }

scripts_debian/01_install_core.sh

@@ -26,7 +26,7 @@ buildStep "$0" "pre"
 if ! [ -f "${INSTALLDIR}/tmp/.prepared_debootstrap" ]; then
     debug "Installing base ${DEBIANVERSION} system"
     COMPONENTS="" debootstrap --arch=amd64 --include=ncurses-term \
-        --components=main --keyring="${SCRIPTSDIR}/keys/debian-${DEBIANVERSION}-archive-keyring.gpg" \
+        --components=main --keyring="${SCRIPTSDIR}/keys/${DEBIANVERSION}-debian-archive-keyring.gpg" \
         "${DEBIANVERSION}" "${INSTALLDIR}" "${DEBIAN_MIRROR}" || { error "Debootstrap failed!"; exit 1; }
     chroot "${INSTALLDIR}" chmod 0666 "/dev/null"
     touch "${INSTALLDIR}/tmp/.prepared_debootstrap"

scripts_debian/vars.sh

@@ -11,8 +11,8 @@
 DEBIANVERSION=${DIST}
 
 # Location to grab debian packages
-DEBIAN_MIRROR=http://ftp.us.debian.org/debian/
+DEBIAN_MIRROR=http://ftp.us.debian.org/debian
 #DEBIAN_MIRROR=http://http.debian.net/debian
-#DEBIAN_MIRROR=http://ftp.ca.debian.org/debian/
+#DEBIAN_MIRROR=http://ftp.ca.debian.org/debian
 
 APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes -y"

scripts_debian/wheezy+whonix-gateway/files/.facl

@@ -40,6 +40,13 @@ user::rw-
 group::r--
 other::r--
 
+# file: lib/systemd/system/qubes-whonix-init.service
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
 # file: etc
 # owner: root
 # group: root
@@ -166,14 +173,14 @@ user::rwx
 group::r-x
 other::r-x
 
-# file: usr/lib/whonix/whonix.sh
+# file: usr/lib/whonix/init
 # owner: root
 # group: root
 user::rwx
 group::r-x
 other::r-x
 
-# file: usr/lib/whonix/init
+# file: usr/lib/whonix/init/qubes-whonix-firewall.sh
 # owner: root
 # group: root
 user::rwx
@@ -201,12 +208,12 @@ user::rwx
 group::r-x
 other::r-x
 
-# file: usr/lib/whonix/init/qubes-firewall-user-script
+# file: usr/lib/whonix/init/qubes-whonix-tor.service
 # owner: root
 # group: root
-user::rwx
-group::r-x
-other::r-x
+user::rw-
+group::r--
+other::r--
 
 # file: usr/lib/whonix/messages.yaml
 # owner: root

scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service

@@ -4,11 +4,9 @@ After=qubes-whonix-network.service
 Before=network.target
 
 [Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStartPre=/usr/lib/whonix/init/init.sh
-ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
+ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh
 StandardOutput=syslog
 
 [Install]
 WantedBy=multi-user.target
+Alias=qubes-firewall.service

scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Qubes Whonix initialization script
+After=qubes-whonix-network.service
+Before=qubes-whonix-firewall.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/whonix/init/init.sh
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target

scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service

@@ -2,7 +2,7 @@
 Description=Qubes Whonix network proxy setup
 ConditionPathExists=/var/run/qubes-service/qubes-network
 Before=network.target
-After=qubes-firewall.service
+After=iptables.service
 
 [Service]
 Type=oneshot
@@ -12,3 +12,4 @@ StandardOutput=syslog
 
 [Install]
 WantedBy=multi-user.target
+Alias=qubes-network.service

scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh

@@ -53,9 +53,6 @@ if [ "${WHONIX}" == "gateway" ]; then
     # we can use to identify that its a tor proxy so updates are secure
     error_file="/usr/share/tinyproxy/default.html"
     grep -q "${PROXY_META}" "${error_file}" || {
-        sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
+        sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
     }
 fi
-
-# Copy firewall script so Qubes will reload it when it reloads
-cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script

scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh

@@ -2,16 +2,16 @@
 
 . /usr/lib/whonix/utility_functions
 
-if [ "${WHONIX}" != "template" ]; then
-    # Make sure IP forwarding is disabled
-    echo "0" > /proc/sys/net/ipv4/ip_forward
+if [ -x /usr/sbin/xenstore-read ]; then
+    XENSTORE_READ="/usr/sbin/xenstore-read"
+else
+    XENSTORE_READ="/usr/bin/xenstore-read"
+fi
 
-    if [ -x /usr/sbin/xenstore-read ]; then
-        XENSTORE_READ="/usr/sbin/xenstore-read"
-    else
-        XENSTORE_READ="/usr/bin/xenstore-read"
-    fi
+# Make sure IP forwarding is disabled
+echo "0" > /proc/sys/net/ipv4/ip_forward
 
+if [ "${WHONIX}" != "template" ]; then
     ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
 
     # Start Whonix Firewall
@@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
 iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
 iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
 iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
+iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
+iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
 \\
 # Route any traffic FROM netvm TO netvm BACK-TO localhost \\
 # Allows localhost access to tor network \\
-iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
+#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
 ######################################
 EOF
     fi

scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service

@@ -0,0 +1,16 @@
+[Unit]
+Description = Anonymizing overlay network for TCP
+After = syslog.target network.target nss-lookup.target
+
+[Service]
+Type = simple
+ExecStart = /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --quiet
+ExecReload = /bin/kill -HUP ${MAINPID}
+ExecStop = /bin/kill -INT ${MAINPID}
+TimeoutSec = 60
+Restart = on-failure
+LimitNOFILE = 32768
+
+[Install]
+WantedBy = multi-user.target
+Alias=tor.service

scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml

@@ -7,6 +7,3 @@ update:
       <p><B>Tor netvm required for updates!</B></p>
       <p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
       <p>No updates are possible without an active (running) Whonix gateway VM.</p>
-      <p/>
-      <p><b>Template will now power off</b></p>
-

scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup

@@ -41,6 +41,19 @@ elif [ "${WHONIX}" == "workstation" ]; then
     fi
 
 elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
+    # Set secure defaults.
+    iptables -P INPUT DROP
+    iptables -P FORWARD DROP
+    iptables -P OUTPUT DROP
+
+    # Flush old rules.
+    iptables -F
+    iptables -X
+    iptables -t nat -F
+    iptables -t nat -X
+    iptables -t mangle -F
+    iptables -t mangle -X
+
+    # Display warning that netvm is not connected to a torvm
     /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
-    #sudo /sbin/poweroff 
 fi

scripts_debian/wheezy+whonix-workstation/files/.facl

@@ -40,6 +40,13 @@ user::rw-
 group::r--
 other::r--
 
+# file: lib/systemd/system/qubes-whonix-init.service
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
 # file: etc
 # owner: root
 # group: root
@@ -145,14 +152,14 @@ user::rwx
 group::r-x
 other::r-x
 
-# file: usr/lib/whonix/whonix.sh
+# file: usr/lib/whonix/init
 # owner: root
 # group: root
 user::rwx
 group::r-x
 other::r-x
 
-# file: usr/lib/whonix/init
+# file: usr/lib/whonix/init/qubes-whonix-firewall.sh
 # owner: root
 # group: root
 user::rwx
@@ -180,13 +187,6 @@ user::rwx
 group::r-x
 other::r-x
 
-# file: usr/lib/whonix/init/qubes-firewall-user-script
-# owner: root
-# group: root
-user::rwx
-group::r-x
-other::r-x
-
 # file: usr/lib/whonix/messages.yaml
 # owner: root
 # group: root

scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service

@@ -4,11 +4,9 @@ After=qubes-whonix-network.service
 Before=network.target
 
 [Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStartPre=/usr/lib/whonix/init/init.sh
-ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
+ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh
 StandardOutput=syslog
 
 [Install]
 WantedBy=multi-user.target
+Alias=qubes-firewall.service

scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Qubes Whonix initialization script
+After=qubes-whonix-network.service
+Before=qubes-whonix-firewall.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/whonix/init/init.sh
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target

scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service

@@ -2,7 +2,7 @@
 Description=Qubes Whonix network proxy setup
 ConditionPathExists=/var/run/qubes-service/qubes-network
 Before=network.target
-After=qubes-firewall.service
+After=iptables.service
 
 [Service]
 Type=oneshot
@@ -12,3 +12,4 @@ StandardOutput=syslog
 
 [Install]
 WantedBy=multi-user.target
+Alias=qubes-network.service

scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh

@@ -2,12 +2,6 @@
 
 . /usr/lib/whonix/utility_functions
 
-# Or just enable them :)
-#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service'
-#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service'
-#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service'
-
-
 INTERFACE="eth1"
 
 if [ "${WHONIX}" == "gateway" ]; then
@@ -59,9 +53,6 @@ if [ "${WHONIX}" == "gateway" ]; then
     # we can use to identify that its a tor proxy so updates are secure
     error_file="/usr/share/tinyproxy/default.html"
     grep -q "${PROXY_META}" "${error_file}" || {
-        sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
+        sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
     }
 fi
-
-# Copy firewall script so Qubes will reload it when it reloads
-cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script

scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh

@@ -2,16 +2,16 @@
 
 . /usr/lib/whonix/utility_functions
 
-if [ "${WHONIX}" != "template" ]; then
-    # Make sure IP forwarding is disabled
-    echo "0" > /proc/sys/net/ipv4/ip_forward
+if [ -x /usr/sbin/xenstore-read ]; then
+    XENSTORE_READ="/usr/sbin/xenstore-read"
+else
+    XENSTORE_READ="/usr/bin/xenstore-read"
+fi
 
-    if [ -x /usr/sbin/xenstore-read ]; then
-        XENSTORE_READ="/usr/sbin/xenstore-read"
-    else
-        XENSTORE_READ="/usr/bin/xenstore-read"
-    fi
+# Make sure IP forwarding is disabled
+echo "0" > /proc/sys/net/ipv4/ip_forward
 
+if [ "${WHONIX}" != "template" ]; then
     ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
 
     # Start Whonix Firewall
@@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
 iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
 iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
 iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
+iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
+iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
 \\
 # Route any traffic FROM netvm TO netvm BACK-TO localhost \\
 # Allows localhost access to tor network \\
-iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
+#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
 ######################################
 EOF
     fi

scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml

@@ -7,6 +7,3 @@ update:
       <p><B>Tor netvm required for updates!</B></p>
       <p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
       <p>No updates are possible without an active (running) Whonix gateway VM.</p>
-      <p/>
-      <p><b>Template will now power off</b></p>
-

scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup

@@ -41,6 +41,19 @@ elif [ "${WHONIX}" == "workstation" ]; then
     fi
 
 elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
+    # Set secure defaults.
+    iptables -P INPUT DROP
+    iptables -P FORWARD DROP
+    iptables -P OUTPUT DROP
+
+    # Flush old rules.
+    iptables -F
+    iptables -X
+    iptables -t nat -F
+    iptables -t nat -X
+    iptables -t mangle -F
+    iptables -t mangle -X
+
+    # Display warning that netvm is not connected to a torvm
     /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
-    #sudo /sbin/poweroff 
 fi

scripts_debian/wheezy+whonix/04_install_qubes_post.sh

@@ -19,11 +19,21 @@ else
     set -e
 fi
 
+# ------------------------------------------------------------------------------
+# Make sure IP forwarding is disabled (Qubes enables it by default)
+# ------------------------------------------------------------------------------
+echo "0" > /proc/sys/net/ipv4/ip_forward
+
 # ------------------------------------------------------------------------------
 # Enable Qubes-Whonix services
 # ------------------------------------------------------------------------------
+chroot "${INSTALLDIR}" systemctl disable qubes-whonix-network.service || :
 chroot "${INSTALLDIR}" systemctl enable qubes-whonix-network.service || :
-chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall || :
+
+chroot "${INSTALLDIR}" systemctl disable qubes-whonix-firewall.service || :
+chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall.service || :
+
+chroot "${INSTALLDIR}" systemctl enable qubes-whonix-init.service || :
 
 # ------------------------------------------------------------------------------
 # Restore Whonix apt-get