whonix: Added ability to run both gateway and workstation as AppVMs (not standalone)

This commit is contained in:
Jason Mehring 2014-11-13 19:13:51 -05:00
parent 60ccebc8b7
commit 4acca407d7
12 changed files with 216 additions and 108 deletions


@ -103,20 +103,6 @@ user::rwx
group::r-x
other::r-x
# file: etc/apt/preferences.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/apt/preferences.d/whonix_qubes
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/hostname
# owner: root
# group: root
@ -173,6 +159,13 @@ user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/bind-dirs.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init
# owner: root
# group: root
@ -187,6 +180,13 @@ user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/qubes-whonix-bind.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/init/replace-ips
# owner: root
# group: root
@ -201,6 +201,13 @@ user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/whonixcheck.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/init/network-proxy-setup.sh
# owner: root
# group: root


@ -0,0 +1,58 @@
#!/bin/bash
#
# To umount all binds, just pass any arg in $1
#
. /usr/lib/whonix/utility_functions
# Don't run if started as a template
if ! [ "${WHONIX}" == "template" ]; then
# Array of directories to bind
BINDS=(
'/rw/srv/whonix/root/.whonix:/root/.whonix'
'/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
'/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
'/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
'/rw/srv/whonix/etc/tor:/etc/tor'
)
for bind in ${BINDS[@]}; do
rw_dir="${bind%%:*}"
ro_dir="${bind##*:}"
# Make sure ro directory is not mounted
umount "${ro_dir}" 2> /dev/null || true
if [ -n "${1}" ]; then
echo "Umounting only..."
exit 0
fi
# Make sure ro directory exists
if ! [ -d "${ro_dir}" ]; then
mkdir -p "${ro_dir}"
fi
# Initially copy over data directories to /rw if rw directory does not exist
if ! [ -d "${rw_dir}" ]; then
mkdir -p "${rw_dir}"
rsync -hax "${ro_dir}/." "${rw_dir}"
fi
# Bind the directory
sync
mount --bind "${rw_dir}" "${ro_dir}"
done
sync
fi
if [ "${WHONIX}" == "gateway" ]; then
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi
exit 0
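Review bot: The unmount-only mode described in the header comment stops after the first entry: the `exit 0` under `if [ -n "${1}" ]` sits inside the `for bind in ${BINDS[@]}` loop, so only `/root/.whonix` is unmounted and the other four binds stay in place. Replacing that branch with `[ -n "${1}" ] && continue` and moving the "Umounting only..." message and the exit to after the loop unmounts all of them. The `sudo rm -f` in the gateway block is also inconsistent with the unprefixed `mkdir`/`mount` above it; the script already has to run as root for `mount --bind`, and it is started from a systemd unit before sysinit.target where `sudo` is an unnecessary dependency. A further thing to confirm: `mkdir -p "${rw_dir}"` creates `/rw/srv/whonix/root` with the default umask, so the copies of `/root/.whonix` and `/root/.whonix.d` may become reachable through a world-traversable parent that `/root` itself presumably does not allow; creating the root-owned parents with `install -d -m 0700` would preserve that.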


@ -27,12 +27,4 @@ if [ "${WHONIX}" != "template" ]; then
# Make sure hostname is correct
/bin/hostname host
if [ "${WHONIX}" == "gateway" ]; then
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi
fi


@ -47,7 +47,6 @@ if [ "${WHONIX}" == "gateway" ]; then
# Allow whonix-gateway to act as an update-proxy
touch /var/run/qubes-service/qubes-updates-proxy
#systemctl stop qubes-updates-proxy.service
# Search and replace tinyproxy error files so we can inject code that
# we can use to identify that its a tor proxy so updates are secure


@ -0,0 +1,14 @@
[Unit]
Description=Qubes Whonix bind /rw to ro dirs script
DefaultDependencies=no
Before=sysinit.target
After=qubes-sysinit.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/whonix/init/bind-dirs.sh
StandardOutput=syslog
[Install]
WantedBy=sysinit.target
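Review bot: `ExecStart=/usr/lib/whonix/init/bind-dirs.sh` does not match where the rest of the commit places the script: the ACL listing records `usr/lib/whonix/bind-dirs.sh` and the init script calls `sudo /usr/lib/whonix/bind-dirs.sh`, so one of the two paths is wrong, and if it is this one the unit fails at every boot and nothing is bound. The script also has an unmount-only mode (any argument) that the unit never uses; with `RemainAfterExit=yes`, an `ExecStop=/usr/lib/whonix/bind-dirs.sh umount` would let `systemctl stop` undo the binds. Whether `After=qubes-sysinit.service` is enough to guarantee `/rw` is mounted before the script copies into `/rw/srv/whonix` is not visible here and should be confirmed in a comment on the `After=` line.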


@ -0,0 +1,18 @@
[Unit]
Description=Checks many important aspects of Whonix.
After=syslog.target network.target
[Service]
Type=forking
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/run/whonixcheck
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonixcheck
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonix/whonixblog
ExecStart=/usr/lib/whonixcheckdaemon
PIDFile=/var/run/whonixcheck.pid
User=user
Group=user
UMask=0007
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
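Review bot: The three `ExecStartPre=` commands run as `User=user` too, since `User=` applies to every Exec* line of the unit, so `install -d --owner user --group user /var/run/whonixcheck` has to create a directory under root-owned `/var/run` as an unprivileged user and will fail, aborting the unit before `ExecStart` runs. Adding `PermissionsStartOnly=yes` to `[Service]` keeps root for the `ExecStartPre` lines and drops to `user` only for `ExecStart`. `PIDFile=/var/run/whonixcheck.pid` has the same shape of problem if the daemon writes that file itself as `user`; pointing it into the `/var/run/whonixcheck` directory the unit creates would avoid it, though what the daemon actually writes is not visible here. A short comment on why the state directories are group-writable (`0775`) would also help, since `UMask=0007` suggests the group is deliberately shared.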


@ -2,57 +2,39 @@
. /usr/lib/whonix/utility_functions
if ! [ "${WHONIX}" == "template" ]; then
sudo /usr/lib/whonix/bind-dirs.sh
fi
if [ "${WHONIX}" == "gateway" ]; then
grep "^DisableNetwork 0$" /etc/tor/torrc || {
if grep "^DisableNetwork 0$" /etc/tor/torrc ;then
sudo service sdwdate restart
sudo service tor restart
else
sudo service sdwdate restart
sudo service tor stop
sudo /usr/bin/whonixsetup && {
enable_sysv tor
sleep 1
enable_sysv sdwdate
} || {
sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
disable_sysv tor
disable_sysv sdwdate
sudo /sbin/poweroff
}
}
# Allow whonix-gateway to act as an update-proxy
sudo systemctl status qubes-updates-proxy.service || {
error_file="/usr/share/tinyproxy/default.html"
# Search and replace tinyproxy error files so we can inject code that
# we can use to identify that its a tor proxy so updates are secure
grep -q "${PROXY_META}" "${error_file}" || {
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
}
sudo touch /var/run/qubes-service/qubes-updates-proxy
sudo iptables -t nat -N PR-QBS-SERVICES
sudo systemctl start qubes-updates-proxy.service
}
sudo /usr/bin/whonixsetup
fi
elif [ "${WHONIX}" == "workstation" ]; then
sudo service sdwdate restart
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
enable_sysv sdwdate
sudo service sdwdate restart
sudo /usr/bin/whonixsetup
fi
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
# Set secure defaults.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
# Flush old rules.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
# Display warning that netvm is not connected to a torvm
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
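Review bot: In the gateway branch, the `else` path (torrc without `DisableNetwork 0`) stops Tor, runs `sudo /usr/bin/whonixsetup` and then neither checks its exit status nor starts Tor again, while the block this appears to replace enabled tor/sdwdate on success and disabled them and powered off on failure; unless whonixsetup restarts Tor itself (not visible here), the gateway finishes boot with Tor stopped and no indication that setup failed. At minimum `sudo /usr/bin/whonixsetup || exit 1`, with the intended recovery stated in a comment, makes the outcome explicit. The `grep "^DisableNetwork 0$" /etc/tor/torrc` test also prints the matching line to stdout; `grep -q` keeps the condition silent. The `if`/`elif` chain starts before this hunk and its template branch continues past it.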


@ -152,6 +152,13 @@ user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/bind-dirs.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init
# owner: root
# group: root


@ -0,0 +1,58 @@
#!/bin/bash
#
# To umount all binds, just pass any arg in $1
#
. /usr/lib/whonix/utility_functions
# Don't run if started as a template
if ! [ "${WHONIX}" == "template" ]; then
# Array of directories to bind
BINDS=(
'/rw/srv/whonix/root/.whonix:/root/.whonix'
'/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
'/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
'/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
'/rw/srv/whonix/etc/tor:/etc/tor'
)
for bind in ${BINDS[@]}; do
rw_dir="${bind%%:*}"
ro_dir="${bind##*:}"
# Make sure ro directory is not mounted
umount "${ro_dir}" 2> /dev/null || true
if [ -n "${1}" ]; then
echo "Umounting only..."
exit 0
fi
# Make sure ro directory exists
if ! [ -d "${ro_dir}" ]; then
mkdir -p "${ro_dir}"
fi
# Initially copy over data directories to /rw if rw directory does not exist
if ! [ -d "${rw_dir}" ]; then
mkdir -p "${rw_dir}"
rsync -hax "${ro_dir}/." "${rw_dir}"
fi
# Bind the directory
sync
mount --bind "${rw_dir}" "${ro_dir}"
done
sync
fi
if [ "${WHONIX}" == "gateway" ]; then
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi
exit 0
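Review bot: Passing an argument does not unmount all binds as the header comment says: the `exit 0` inside `if [ -n "${1}" ]` is evaluated on the first iteration of the `for bind in ${BINDS[@]}` loop, so `/root/.whonix` is unmounted and the script leaves before reaching `/etc/tor` and the others. Use `[ -n "${1}" ] && continue` there and print "Umounting only..." and exit after the loop. The `sudo rm -f` near the end is redundant with the unprefixed `mkdir`/`mount --bind` above, which already require root, and `sudo` is an odd dependency for a script run from a unit ordered before sysinit.target. Separately, `mkdir -p "${rw_dir}"` creates `/rw/srv/whonix/root` under the default umask, so copies of `/root/.whonix` and `/root/.whonix.d` may end up under a world-traversable parent that `/root` presumably does not permit; `install -d -m 0700` for those parents would avoid that.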


@ -27,12 +27,4 @@ if [ "${WHONIX}" != "template" ]; then
# Make sure hostname is correct
/bin/hostname host
if [ "${WHONIX}" == "gateway" ]; then
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi
fi


@ -47,7 +47,6 @@ if [ "${WHONIX}" == "gateway" ]; then
# Allow whonix-gateway to act as an update-proxy
touch /var/run/qubes-service/qubes-updates-proxy
#systemctl stop qubes-updates-proxy.service
# Search and replace tinyproxy error files so we can inject code that
# we can use to identify that its a tor proxy so updates are secure


@ -2,57 +2,39 @@
. /usr/lib/whonix/utility_functions
if ! [ "${WHONIX}" == "template" ]; then
sudo /usr/lib/whonix/bind-dirs.sh
fi
if [ "${WHONIX}" == "gateway" ]; then
grep "^DisableNetwork 0$" /etc/tor/torrc || {
if grep "^DisableNetwork 0$" /etc/tor/torrc ;then
sudo service sdwdate restart
sudo service tor restart
else
sudo service sdwdate restart
sudo service tor stop
sudo /usr/bin/whonixsetup && {
enable_sysv tor
sleep 1
enable_sysv sdwdate
} || {
sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
disable_sysv tor
disable_sysv sdwdate
sudo /sbin/poweroff
}
}
# Allow whonix-gateway to act as an update-proxy
sudo systemctl status qubes-updates-proxy.service || {
error_file="/usr/share/tinyproxy/default.html"
# Search and replace tinyproxy error files so we can inject code that
# we can use to identify that its a tor proxy so updates are secure
grep -q "${PROXY_META}" "${error_file}" || {
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
}
sudo touch /var/run/qubes-service/qubes-updates-proxy
sudo iptables -t nat -N PR-QBS-SERVICES
sudo systemctl start qubes-updates-proxy.service
}
sudo /usr/bin/whonixsetup
fi
elif [ "${WHONIX}" == "workstation" ]; then
sudo service sdwdate restart
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
enable_sysv sdwdate
sudo service sdwdate restart
sudo /usr/bin/whonixsetup
fi
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
# Set secure defaults.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
# Flush old rules.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
# Display warning that netvm is not connected to a torvm
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
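Review bot: The gateway `else` branch (no `DisableNetwork 0` in torrc) stops Tor, calls `sudo /usr/bin/whonixsetup` and then ignores the result and never starts Tor again, whereas the lines this appears to replace enabled tor/sdwdate on success and disabled them and powered off on failure; unless whonixsetup restarts Tor on its own (not visible here), a gateway in that state boots with Tor stopped and no error reported. `sudo /usr/bin/whonixsetup || exit 1` plus a comment on the intended recovery would at least make the failure visible. `grep "^DisableNetwork 0$" /etc/tor/torrc` is used only as a condition but echoes the match to stdout; `grep -q` is the silent form. The `if`/`elif` chain begins before this hunk and its template branch continues after it.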