Merge remote-tracking branch 'nrgaway/wheezy' into wheezy
This commit is contained in:
Marek Marczykowski-Górecki
commit
162f3bfec1
@ -1,48 +1,55 @@
|
||||
#!/bin/bash
|
||||
# vim: set ts=4 sw=4 sts=4 et :
|
||||
|
||||
#
|
||||
# Creates a small script to copy to dom0 to retrieve the generated template rpm's
|
||||
#
|
||||
|
||||
TEMPLATES="./rpm/install-templates.sh"
|
||||
template_dir="$(readlink -m ./rpm/install-templates.sh)"
|
||||
files=( $(ls rpm/noarch) )
|
||||
name=$(xenstore-read name)
|
||||
|
||||
write() {
|
||||
echo "$1" >> "$TEMPLATES"
|
||||
}
|
||||
# -----------------------------------------------------------------------------
|
||||
# Write $vars
|
||||
# -----------------------------------------------------------------------------
|
||||
cat << EOF > "${template_dir}"
|
||||
#!/bin/bash
|
||||
|
||||
if [ -x /usr/sbin/xenstore-read ]; then
|
||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||
else
|
||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||
fi
|
||||
# Use the following command in DOM0 to retreive this file:
|
||||
# qvm-run --pass-io ${name} 'cat ${template_dir}' > install-templates.sh
|
||||
|
||||
TEMPLATES="$(readlink -m $TEMPLATES)"
|
||||
VERSION="-$(cat ./version)"
|
||||
name=$($XENSTORE_READ name)
|
||||
path="$(readlink -m .)"
|
||||
files=$(ls rpm/noarch)
|
||||
files="
|
||||
$(printf "%s \n" ${files[@]})
|
||||
"
|
||||
|
||||
#
|
||||
# Write to install-templates
|
||||
#
|
||||
path="$(readlink -m .)/rpm/noarch"
|
||||
version="-$(cat ./version)"
|
||||
name="${name}"
|
||||
EOF
|
||||
|
||||
echo "#!/bin/bash" > "$TEMPLATES"
|
||||
write ""
|
||||
# -----------------------------------------------------------------------------
|
||||
# Write installation function
|
||||
# -----------------------------------------------------------------------------
|
||||
cat << 'EOF' >> "${template_dir}"
|
||||
|
||||
for file in ${files[@]}; do
|
||||
write "qvm-run --pass-io development-qubes 'cat ${path}/rpm/noarch/${file}' > ${file}"
|
||||
write ""
|
||||
write "sudo yum erase $(echo "$file" | sed -r "s/($VERSION).+$//")"
|
||||
write ""
|
||||
write "sudo yum install ${file}"
|
||||
write ""
|
||||
write ""
|
||||
if [ ! -e ${file} ]; then
|
||||
echo "Copying ${file} from ${name} to ${PWD}/${file}..."
|
||||
qvm-run --pass-io development-qubes "cat ${path}/${file}" > ${file}
|
||||
fi
|
||||
|
||||
sudo yum erase $(echo "${file}" | sed -r "s/(${version}).+$//") && {
|
||||
sudo yum install ${file} && {
|
||||
rm -f ${file}
|
||||
}
|
||||
}
|
||||
done
|
||||
|
||||
write "# Use the following command in DOM0 to retreive this file:"
|
||||
write "# qvm-run --pass-io $name 'cat ${TEMPLATES}' > install-templates.sh"
|
||||
|
||||
EOF
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Display instructions
|
||||
# -----------------------------------------------------------------------------
|
||||
echo "Use the following command in DOM0 to retreive this file:"
|
||||
echo "qvm-run --pass-io $name 'cat ${TEMPLATES}' > install-templates.sh"
|
||||
echo "qvm-run --pass-io ${name} 'cat ${template_dir}' > install-templates.sh"
|
||||
|
||||
|
||||
|
||||
@ -67,8 +67,7 @@ if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
|
||||
chroot() {
|
||||
local retval
|
||||
true ${blue}
|
||||
/usr/sbin/chroot "$@"
|
||||
retval=$?
|
||||
/usr/sbin/chroot "$@" && { retval=$?; true; } || { retval=$?; true; }
|
||||
true ${reset}
|
||||
return $retval
|
||||
}
|
||||
|
||||
@ -26,7 +26,7 @@ buildStep "$0" "pre"
|
||||
if ! [ -f "${INSTALLDIR}/tmp/.prepared_debootstrap" ]; then
|
||||
debug "Installing base ${DEBIANVERSION} system"
|
||||
COMPONENTS="" debootstrap --arch=amd64 --include=ncurses-term \
|
||||
--components=main --keyring="${SCRIPTSDIR}/keys/debian-${DEBIANVERSION}-archive-keyring.gpg" \
|
||||
--components=main --keyring="${SCRIPTSDIR}/keys/${DEBIANVERSION}-debian-archive-keyring.gpg" \
|
||||
"${DEBIANVERSION}" "${INSTALLDIR}" "${DEBIAN_MIRROR}" || { error "Debootstrap failed!"; exit 1; }
|
||||
chroot "${INSTALLDIR}" chmod 0666 "/dev/null"
|
||||
touch "${INSTALLDIR}/tmp/.prepared_debootstrap"
|
||||
|
||||
@ -11,8 +11,8 @@
|
||||
DEBIANVERSION=${DIST}
|
||||
|
||||
# Location to grab debian packages
|
||||
DEBIAN_MIRROR=http://ftp.us.debian.org/debian/
|
||||
DEBIAN_MIRROR=http://ftp.us.debian.org/debian
|
||||
#DEBIAN_MIRROR=http://http.debian.net/debian
|
||||
#DEBIAN_MIRROR=http://ftp.ca.debian.org/debian/
|
||||
#DEBIAN_MIRROR=http://ftp.ca.debian.org/debian
|
||||
|
||||
APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes -y"
|
||||
|
||||
@ -40,6 +40,13 @@ user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: lib/systemd/system/qubes-whonix-init.service
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: etc
|
||||
# owner: root
|
||||
# group: root
|
||||
@ -166,14 +173,14 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/whonix.sh
|
||||
# file: usr/lib/whonix/init
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/init
|
||||
# file: usr/lib/whonix/init/qubes-whonix-firewall.sh
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
@ -201,12 +208,12 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/init/qubes-firewall-user-script
|
||||
# file: usr/lib/whonix/init/qubes-whonix-tor.service
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: usr/lib/whonix/messages.yaml
|
||||
# owner: root
|
||||
|
||||
@ -4,11 +4,9 @@ After=qubes-whonix-network.service
|
||||
Before=network.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStartPre=/usr/lib/whonix/init/init.sh
|
||||
ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
|
||||
ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh
|
||||
StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Alias=qubes-firewall.service
|
||||
|
||||
@ -0,0 +1,13 @@
|
||||
[Unit]
|
||||
Description=Qubes Whonix initialization script
|
||||
After=qubes-whonix-network.service
|
||||
Before=qubes-whonix-firewall.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/lib/whonix/init/init.sh
|
||||
StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@ -2,7 +2,7 @@
|
||||
Description=Qubes Whonix network proxy setup
|
||||
ConditionPathExists=/var/run/qubes-service/qubes-network
|
||||
Before=network.target
|
||||
After=qubes-firewall.service
|
||||
After=iptables.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
@ -12,3 +12,4 @@ StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Alias=qubes-network.service
|
||||
|
||||
@ -53,9 +53,6 @@ if [ "${WHONIX}" == "gateway" ]; then
|
||||
# we can use to identify that its a tor proxy so updates are secure
|
||||
error_file="/usr/share/tinyproxy/default.html"
|
||||
grep -q "${PROXY_META}" "${error_file}" || {
|
||||
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
||||
sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
||||
}
|
||||
fi
|
||||
|
||||
# Copy firewall script so Qubes will reload it when it reloads
|
||||
cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script
|
||||
|
||||
@ -2,16 +2,16 @@
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if [ -x /usr/sbin/xenstore-read ]; then
|
||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||
else
|
||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||
fi
|
||||
|
||||
# Make sure IP forwarding is disabled
|
||||
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
if [ "${WHONIX}" != "template" ]; then
|
||||
# Make sure IP forwarding is disabled
|
||||
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
if [ -x /usr/sbin/xenstore-read ]; then
|
||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||
else
|
||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||
fi
|
||||
|
||||
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||
|
||||
# Start Whonix Firewall
|
||||
@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
|
||||
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
|
||||
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
|
||||
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
|
||||
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
|
||||
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
|
||||
\\
|
||||
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
|
||||
# Allows localhost access to tor network \\
|
||||
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
|
||||
#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
|
||||
######################################
|
||||
EOF
|
||||
fi
|
||||
@ -0,0 +1,16 @@
|
||||
[Unit]
|
||||
Description = Anonymizing overlay network for TCP
|
||||
After = syslog.target network.target nss-lookup.target
|
||||
|
||||
[Service]
|
||||
Type = simple
|
||||
ExecStart = /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --quiet
|
||||
ExecReload = /bin/kill -HUP ${MAINPID}
|
||||
ExecStop = /bin/kill -INT ${MAINPID}
|
||||
TimeoutSec = 60
|
||||
Restart = on-failure
|
||||
LimitNOFILE = 32768
|
||||
|
||||
[Install]
|
||||
WantedBy = multi-user.target
|
||||
Alias=tor.service
|
||||
@ -7,6 +7,3 @@ update:
|
||||
<p><B>Tor netvm required for updates!</B></p>
|
||||
<p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
|
||||
<p>No updates are possible without an active (running) Whonix gateway VM.</p>
|
||||
<p/>
|
||||
<p><b>Template will now power off</b></p>
|
||||
|
||||
|
||||
@ -41,6 +41,19 @@ elif [ "${WHONIX}" == "workstation" ]; then
|
||||
fi
|
||||
|
||||
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
|
||||
# Set secure defaults.
|
||||
iptables -P INPUT DROP
|
||||
iptables -P FORWARD DROP
|
||||
iptables -P OUTPUT DROP
|
||||
|
||||
# Flush old rules.
|
||||
iptables -F
|
||||
iptables -X
|
||||
iptables -t nat -F
|
||||
iptables -t nat -X
|
||||
iptables -t mangle -F
|
||||
iptables -t mangle -X
|
||||
|
||||
# Display warning that netvm is not connected to a torvm
|
||||
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
|
||||
#sudo /sbin/poweroff
|
||||
fi
|
||||
|
||||
@ -40,6 +40,13 @@ user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: lib/systemd/system/qubes-whonix-init.service
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: etc
|
||||
# owner: root
|
||||
# group: root
|
||||
@ -145,14 +152,14 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/whonix.sh
|
||||
# file: usr/lib/whonix/init
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/init
|
||||
# file: usr/lib/whonix/init/qubes-whonix-firewall.sh
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
@ -180,13 +187,6 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/init/qubes-firewall-user-script
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/messages.yaml
|
||||
# owner: root
|
||||
# group: root
|
||||
|
||||
@ -4,11 +4,9 @@ After=qubes-whonix-network.service
|
||||
Before=network.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStartPre=/usr/lib/whonix/init/init.sh
|
||||
ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
|
||||
ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh
|
||||
StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Alias=qubes-firewall.service
|
||||
|
||||
@ -0,0 +1,13 @@
|
||||
[Unit]
|
||||
Description=Qubes Whonix initialization script
|
||||
After=qubes-whonix-network.service
|
||||
Before=qubes-whonix-firewall.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/lib/whonix/init/init.sh
|
||||
StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@ -2,7 +2,7 @@
|
||||
Description=Qubes Whonix network proxy setup
|
||||
ConditionPathExists=/var/run/qubes-service/qubes-network
|
||||
Before=network.target
|
||||
After=qubes-firewall.service
|
||||
After=iptables.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
@ -12,3 +12,4 @@ StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
Alias=qubes-network.service
|
||||
|
||||
@ -2,12 +2,6 @@
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
# Or just enable them :)
|
||||
#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service'
|
||||
#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service'
|
||||
#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service'
|
||||
|
||||
|
||||
INTERFACE="eth1"
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
@ -59,9 +53,6 @@ if [ "${WHONIX}" == "gateway" ]; then
|
||||
# we can use to identify that its a tor proxy so updates are secure
|
||||
error_file="/usr/share/tinyproxy/default.html"
|
||||
grep -q "${PROXY_META}" "${error_file}" || {
|
||||
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
||||
sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
||||
}
|
||||
fi
|
||||
|
||||
# Copy firewall script so Qubes will reload it when it reloads
|
||||
cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script
|
||||
|
||||
@ -2,16 +2,16 @@
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if [ -x /usr/sbin/xenstore-read ]; then
|
||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||
else
|
||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||
fi
|
||||
|
||||
# Make sure IP forwarding is disabled
|
||||
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
if [ "${WHONIX}" != "template" ]; then
|
||||
# Make sure IP forwarding is disabled
|
||||
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
if [ -x /usr/sbin/xenstore-read ]; then
|
||||
XENSTORE_READ="/usr/sbin/xenstore-read"
|
||||
else
|
||||
XENSTORE_READ="/usr/bin/xenstore-read"
|
||||
fi
|
||||
|
||||
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
|
||||
|
||||
# Start Whonix Firewall
|
||||
@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
|
||||
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
|
||||
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
|
||||
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
|
||||
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
|
||||
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
|
||||
\\
|
||||
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
|
||||
# Allows localhost access to tor network \\
|
||||
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
|
||||
#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
|
||||
######################################
|
||||
EOF
|
||||
fi
|
||||
@ -7,6 +7,3 @@ update:
|
||||
<p><B>Tor netvm required for updates!</B></p>
|
||||
<p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
|
||||
<p>No updates are possible without an active (running) Whonix gateway VM.</p>
|
||||
<p/>
|
||||
<p><b>Template will now power off</b></p>
|
||||
|
||||
|
||||
@ -41,6 +41,19 @@ elif [ "${WHONIX}" == "workstation" ]; then
|
||||
fi
|
||||
|
||||
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
|
||||
# Set secure defaults.
|
||||
iptables -P INPUT DROP
|
||||
iptables -P FORWARD DROP
|
||||
iptables -P OUTPUT DROP
|
||||
|
||||
# Flush old rules.
|
||||
iptables -F
|
||||
iptables -X
|
||||
iptables -t nat -F
|
||||
iptables -t nat -X
|
||||
iptables -t mangle -F
|
||||
iptables -t mangle -X
|
||||
|
||||
# Display warning that netvm is not connected to a torvm
|
||||
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
|
||||
#sudo /sbin/poweroff
|
||||
fi
|
||||
|
||||
@ -19,11 +19,21 @@ else
|
||||
set -e
|
||||
fi
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Make sure IP forwarding is disabled (Qubes enables it by default)
|
||||
# ------------------------------------------------------------------------------
|
||||
echo "0" > /proc/sys/net/ipv4/ip_forward
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Enable Qubes-Whonix services
|
||||
# ------------------------------------------------------------------------------
|
||||
chroot "${INSTALLDIR}" systemctl disable qubes-whonix-network.service || :
|
||||
chroot "${INSTALLDIR}" systemctl enable qubes-whonix-network.service || :
|
||||
chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall || :
|
||||
|
||||
chroot "${INSTALLDIR}" systemctl disable qubes-whonix-firewall.service || :
|
||||
chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall.service || :
|
||||
|
||||
chroot "${INSTALLDIR}" systemctl enable qubes-whonix-init.service || :
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Restore Whonix apt-get
|
||||
|
||||
Loading…
Reference in New Issue
Block a user