whonix: Added ability to run both gateway and workstation as AppVM's (not standalone)

10 years ago · 4acca407d7
parent 60ccebc8b7
commit 4acca407d7
12 changed files with 216 additions and 108 deletions
--- a/scripts_debian/wheezy+whonix-gateway/files/.facl
+++ b/scripts_debian/wheezy+whonix-gateway/files/.facl
@ -103,20 +103,6 @@ user::rwx
 group::r-x
 other::r-x

-# file: etc/apt/preferences.d
-# owner: root
-# group: root
-user::rwx
-group::r-x
-other::r-x
-
-# file: etc/apt/preferences.d/whonix_qubes
-# owner: root
-# group: root
-user::rw-
-group::r--
-other::r--
-
 # file: etc/hostname
 # owner: root
 # group: root
@ -173,6 +159,13 @@ user::rwx
 group::r-x
 other::r-x

+# file: usr/lib/whonix/bind-dirs.sh
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
 # file: usr/lib/whonix/init
 # owner: root
 # group: root
@ -187,6 +180,13 @@ user::rwx
 group::r-x
 other::r-x

+# file: usr/lib/whonix/init/qubes-whonix-bind.service
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
 # file: usr/lib/whonix/init/replace-ips
 # owner: root
 # group: root
@ -201,6 +201,13 @@ user::rwx
 group::r-x
 other::r-x

+# file: usr/lib/whonix/init/whonixcheck.service
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
 # file: usr/lib/whonix/init/network-proxy-setup.sh
 # owner: root
 # group: root
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh
@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# To umount all binds, just pass any arg in $1
+#
+
+. /usr/lib/whonix/utility_functions
+
+# Don't run if started as a template
+if ! [ "${WHONIX}" == "template" ]; then
+    # Array of directories to bind
+    BINDS=(
+        '/rw/srv/whonix/root/.whonix:/root/.whonix'
+        '/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
+        '/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
+        '/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
+        '/rw/srv/whonix/etc/tor:/etc/tor'
+    )
+
+    for bind in ${BINDS[@]}; do
+        rw_dir="${bind%%:*}"
+        ro_dir="${bind##*:}"
+    
+        # Make sure ro directory is not mounted
+        umount "${ro_dir}" 2> /dev/null || true
+    
+        if [ -n "${1}" ]; then
+            echo "Umounting only..."
+            exit 0
+        fi
+    
+        # Make sure ro directory exists
+        if ! [ -d "${ro_dir}" ]; then
+            mkdir -p "${ro_dir}" 
+        fi
+
+        # Initially copy over data directories to /rw if rw directory does not exist
+        if ! [ -d "${rw_dir}" ]; then
+            mkdir -p "${rw_dir}"
+            rsync -hax "${ro_dir}/." "${rw_dir}"
+        fi
+        
+        # Bind the directory
+        sync
+        mount --bind "${rw_dir}" "${ro_dir}"
+    done
+    sync
+fi
+
+if [ "${WHONIX}" == "gateway" ]; then
+    # Make sure we remove whonixsetup.done if Tor is not enabled
+    # to allow choice of repo and prevent whonixcheck errors
+    grep "^DisableNetwork 0$" /etc/tor/torrc || {
+        sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
+    }
+fi
+
+exit 0
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh
@ -27,12 +27,4 @@ if [ "${WHONIX}" != "template" ]; then

    # Make sure hostname is correct
    /bin/hostname host
-
-    if [ "${WHONIX}" == "gateway" ]; then
-        # Make sure we remove whonixsetup.done if Tor is not enabled
-        # to allow choice of repo and prevent whonixcheck errors
-        grep "^DisableNetwork 0$" /etc/tor/torrc || {
-            rm -f /var/lib/whonix/do_once/whonixsetup.done
-        }
-    fi
 fi
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh
@ -47,7 +47,6 @@ if [ "${WHONIX}" == "gateway" ]; then

    # Allow whonix-gateway to act as an update-proxy
    touch /var/run/qubes-service/qubes-updates-proxy
-    #systemctl stop qubes-updates-proxy.service

    # Search and replace tinyproxy error files so we can inject code that
    # we can use to identify that its a tor proxy so updates are secure
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-bind.service
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-bind.service
@ -0,0 +1,14 @@
+[Unit]
+Description=Qubes Whonix bind /rw to ro dirs script
+DefaultDependencies=no
+Before=sysinit.target
+After=qubes-sysinit.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/whonix/init/bind-dirs.sh
+StandardOutput=syslog
+
+[Install]
+WantedBy=sysinit.target
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/whonixcheck.service
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/whonixcheck.service
@ -0,0 +1,18 @@
+[Unit]
+Description=Checks many important aspects of Whonix.
+After=syslog.target network.target
+
+[Service]
+Type=forking
+ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/run/whonixcheck
+ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonixcheck
+ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonix/whonixblog
+ExecStart=/usr/lib/whonixcheckdaemon
+PIDFile=/var/run/whonixcheck.pid
+User=user
+Group=user
+UMask=0007
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
@ -2,57 +2,39 @@

 . /usr/lib/whonix/utility_functions

+if ! [ "${WHONIX}" == "template" ]; then
+    sudo /usr/lib/whonix/bind-dirs.sh
+fi
+
 if [ "${WHONIX}" == "gateway" ]; then
-    grep "^DisableNetwork 0$" /etc/tor/torrc || {
+    if grep "^DisableNetwork 0$" /etc/tor/torrc ;then
+        sudo service sdwdate restart
+        sudo service tor restart 
+    else
        sudo service sdwdate restart
        sudo service tor stop
-        sudo /usr/bin/whonixsetup && {
-            enable_sysv tor
-            sleep 1
-            enable_sysv sdwdate
-        } || {
-            sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
-            disable_sysv tor
-            disable_sysv sdwdate
-            sudo /sbin/poweroff
-        }
-    }
-
-    # Allow whonix-gateway to act as an update-proxy
-    sudo systemctl status qubes-updates-proxy.service || {
-        error_file="/usr/share/tinyproxy/default.html"
-
-        # Search and replace tinyproxy error files so we can inject code that
-        # we can use to identify that its a tor proxy so updates are secure
-        grep -q "${PROXY_META}" "${error_file}" || {
-            sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
-        }
-
-        sudo touch /var/run/qubes-service/qubes-updates-proxy
-        sudo iptables -t nat -N PR-QBS-SERVICES
-        sudo systemctl start qubes-updates-proxy.service
-    }
+        sudo /usr/bin/whonixsetup
+    fi

 elif [ "${WHONIX}" == "workstation" ]; then
+    sudo service sdwdate restart
    if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
-        enable_sysv sdwdate
-        sudo service sdwdate restart
        sudo /usr/bin/whonixsetup
    fi

 elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
    # Set secure defaults.
-    iptables -P INPUT DROP
-    iptables -P FORWARD DROP
-    iptables -P OUTPUT DROP
+    sudo iptables -P INPUT DROP
+    sudo iptables -P FORWARD DROP
+    sudo iptables -P OUTPUT DROP

    # Flush old rules.
-    iptables -F
-    iptables -X
-    iptables -t nat -F
-    iptables -t nat -X
-    iptables -t mangle -F
-    iptables -t mangle -X
+    sudo iptables -F
+    sudo iptables -X
+    sudo iptables -t nat -F
+    sudo iptables -t nat -X
+    sudo iptables -t mangle -F
+    sudo iptables -t mangle -X

    # Display warning that netvm is not connected to a torvm
    /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
--- a/scripts_debian/wheezy+whonix-workstation/files/.facl
+++ b/scripts_debian/wheezy+whonix-workstation/files/.facl
@ -152,6 +152,13 @@ user::rwx
 group::r-x
 other::r-x

+# file: usr/lib/whonix/bind-dirs.sh
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
 # file: usr/lib/whonix/init
 # owner: root
 # group: root
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh
@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# To umount all binds, just pass any arg in $1
+#
+
+. /usr/lib/whonix/utility_functions
+
+# Don't run if started as a template
+if ! [ "${WHONIX}" == "template" ]; then
+    # Array of directories to bind
+    BINDS=(
+        '/rw/srv/whonix/root/.whonix:/root/.whonix'
+        '/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
+        '/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
+        '/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
+        '/rw/srv/whonix/etc/tor:/etc/tor'
+    )
+
+    for bind in ${BINDS[@]}; do
+        rw_dir="${bind%%:*}"
+        ro_dir="${bind##*:}"
+    
+        # Make sure ro directory is not mounted
+        umount "${ro_dir}" 2> /dev/null || true
+    
+        if [ -n "${1}" ]; then
+            echo "Umounting only..."
+            exit 0
+        fi
+    
+        # Make sure ro directory exists
+        if ! [ -d "${ro_dir}" ]; then
+            mkdir -p "${ro_dir}" 
+        fi
+
+        # Initially copy over data directories to /rw if rw directory does not exist
+        if ! [ -d "${rw_dir}" ]; then
+            mkdir -p "${rw_dir}"
+            rsync -hax "${ro_dir}/." "${rw_dir}"
+        fi
+        
+        # Bind the directory
+        sync
+        mount --bind "${rw_dir}" "${ro_dir}"
+    done
+    sync
+fi
+
+if [ "${WHONIX}" == "gateway" ]; then
+    # Make sure we remove whonixsetup.done if Tor is not enabled
+    # to allow choice of repo and prevent whonixcheck errors
+    grep "^DisableNetwork 0$" /etc/tor/torrc || {
+        sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
+    }
+fi
+
+exit 0
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh
@ -27,12 +27,4 @@ if [ "${WHONIX}" != "template" ]; then

    # Make sure hostname is correct
    /bin/hostname host
-
-    if [ "${WHONIX}" == "gateway" ]; then
-        # Make sure we remove whonixsetup.done if Tor is not enabled
-        # to allow choice of repo and prevent whonixcheck errors
-        grep "^DisableNetwork 0$" /etc/tor/torrc || {
-            rm -f /var/lib/whonix/do_once/whonixsetup.done
-        }
-    fi
 fi
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh
@ -47,7 +47,6 @@ if [ "${WHONIX}" == "gateway" ]; then

    # Allow whonix-gateway to act as an update-proxy
    touch /var/run/qubes-service/qubes-updates-proxy
-    #systemctl stop qubes-updates-proxy.service

    # Search and replace tinyproxy error files so we can inject code that
    # we can use to identify that its a tor proxy so updates are secure
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
@ -2,57 +2,39 @@

 . /usr/lib/whonix/utility_functions

+if ! [ "${WHONIX}" == "template" ]; then
+    sudo /usr/lib/whonix/bind-dirs.sh
+fi
+
 if [ "${WHONIX}" == "gateway" ]; then
-    grep "^DisableNetwork 0$" /etc/tor/torrc || {
+    if grep "^DisableNetwork 0$" /etc/tor/torrc ;then
+        sudo service sdwdate restart
+        sudo service tor restart 
+    else
        sudo service sdwdate restart
        sudo service tor stop
-        sudo /usr/bin/whonixsetup && {
-            enable_sysv tor
-            sleep 1
-            enable_sysv sdwdate
-        } || {
-            sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
-            disable_sysv tor
-            disable_sysv sdwdate
-            sudo /sbin/poweroff
-        }
-    }
-
-    # Allow whonix-gateway to act as an update-proxy
-    sudo systemctl status qubes-updates-proxy.service || {
-        error_file="/usr/share/tinyproxy/default.html"
-
-        # Search and replace tinyproxy error files so we can inject code that
-        # we can use to identify that its a tor proxy so updates are secure
-        grep -q "${PROXY_META}" "${error_file}" || {
-            sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
-        }
-
-        sudo touch /var/run/qubes-service/qubes-updates-proxy
-        sudo iptables -t nat -N PR-QBS-SERVICES
-        sudo systemctl start qubes-updates-proxy.service
-    }
+        sudo /usr/bin/whonixsetup
+    fi

 elif [ "${WHONIX}" == "workstation" ]; then
+    sudo service sdwdate restart
    if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
-        enable_sysv sdwdate
-        sudo service sdwdate restart
        sudo /usr/bin/whonixsetup
    fi

 elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
    # Set secure defaults.
-    iptables -P INPUT DROP
-    iptables -P FORWARD DROP
-    iptables -P OUTPUT DROP
+    sudo iptables -P INPUT DROP
+    sudo iptables -P FORWARD DROP
+    sudo iptables -P OUTPUT DROP

    # Flush old rules.
-    iptables -F
-    iptables -X
-    iptables -t nat -F
-    iptables -t nat -X
-    iptables -t mangle -F
-    iptables -t mangle -X
+    sudo iptables -F
+    sudo iptables -X
+    sudo iptables -t nat -F
+    sudo iptables -t nat -X
+    sudo iptables -t mangle -F
+    sudo iptables -t mangle -X

    # Display warning that netvm is not connected to a torvm
    /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml