whonix: Added ability to run both gateway and workstation as AppVM's (not standalone)
This commit is contained in:
parent
60ccebc8b7
commit
4acca407d7
@ -103,20 +103,6 @@ user::rwx
|
|||||||
group::r-x
|
group::r-x
|
||||||
other::r-x
|
other::r-x
|
||||||
|
|
||||||
# file: etc/apt/preferences.d
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rwx
|
|
||||||
group::r-x
|
|
||||||
other::r-x
|
|
||||||
|
|
||||||
# file: etc/apt/preferences.d/whonix_qubes
|
|
||||||
# owner: root
|
|
||||||
# group: root
|
|
||||||
user::rw-
|
|
||||||
group::r--
|
|
||||||
other::r--
|
|
||||||
|
|
||||||
# file: etc/hostname
|
# file: etc/hostname
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
@ -173,6 +159,13 @@ user::rwx
|
|||||||
group::r-x
|
group::r-x
|
||||||
other::r-x
|
other::r-x
|
||||||
|
|
||||||
|
# file: usr/lib/whonix/bind-dirs.sh
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
# file: usr/lib/whonix/init
|
# file: usr/lib/whonix/init
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
@ -187,6 +180,13 @@ user::rwx
|
|||||||
group::r-x
|
group::r-x
|
||||||
other::r-x
|
other::r-x
|
||||||
|
|
||||||
|
# file: usr/lib/whonix/init/qubes-whonix-bind.service
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rw-
|
||||||
|
group::r--
|
||||||
|
other::r--
|
||||||
|
|
||||||
# file: usr/lib/whonix/init/replace-ips
|
# file: usr/lib/whonix/init/replace-ips
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
@ -201,6 +201,13 @@ user::rwx
|
|||||||
group::r-x
|
group::r-x
|
||||||
other::r-x
|
other::r-x
|
||||||
|
|
||||||
|
# file: usr/lib/whonix/init/whonixcheck.service
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rw-
|
||||||
|
group::r--
|
||||||
|
other::r--
|
||||||
|
|
||||||
# file: usr/lib/whonix/init/network-proxy-setup.sh
|
# file: usr/lib/whonix/init/network-proxy-setup.sh
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
|
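--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# To umount all binds, just pass any arg in $1
+#
+
+. /usr/lib/whonix/utility_functions
+
+# Don't run if started as a template
+if ! [ "${WHONIX}" == "template" ]; then
+# Array of directories to bind
+BINDS=(
+'/rw/srv/whonix/root/.whonix:/root/.whonix'
+'/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
+'/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
+'/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
+'/rw/srv/whonix/etc/tor:/etc/tor'
+)
+
+for bind in ${BINDS[@]}; do
+rw_dir="${bind%%:*}"
+ro_dir="${bind##*:}"
+
+# Make sure ro directory is not mounted
+umount "${ro_dir}" 2> /dev/null || true
+
+if [ -n "${1}" ]; then
+echo "Umounting only..."
+exit 0
+fi
+
+# Make sure ro directory exists
+if ! [ -d "${ro_dir}" ]; then
+mkdir -p "${ro_dir}"
+fi
+
+# Initially copy over data directories to /rw if rw directory does not exist
+if ! [ -d "${rw_dir}" ]; then
+mkdir -p "${rw_dir}"
+rsync -hax "${ro_dir}/." "${rw_dir}"
+fi
+
+# Bind the directory
+sync
+mount --bind "${rw_dir}" "${ro_dir}"
+done
+sync
+fi
+
+if [ "${WHONIX}" == "gateway" ]; then
+# Make sure we remove whonixsetup.done if Tor is not enabled
+# to allow choice of repo and prevent whonixcheck errors
+grep "^DisableNetwork 0$" /etc/tor/torrc || {
+sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
+}
+fi
+
+exit 0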
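Review bot: The umount-only mode stops after the first directory: the `if [ -n "${1}" ]` check sits inside the `for bind` loop right after the first `umount` and runs `exit 0`, so only `/root/.whonix` is ever unmounted although the header comment promises all binds; replace that `exit 0` with `continue` and exit after the loop with `[ -n "${1}" ] && exit 0` following `done`. The one-time copy is also not failure-safe: `rsync` is unchecked, and because the `! [ -d "${rw_dir}" ]` test only looks at directory existence, a partial copy is treated as initialised on the next boot and an incomplete `/etc/tor` gets bound over the real one, so guard it with `rsync -hax "${ro_dir}/." "${rw_dir}" || { rm -rf -- "${rw_dir:?}"; exit 1; }` and check `mount --bind` the same way. `for bind in ${BINDS[@]}` should be `"${BINDS[@]}"`, and the `sudo` before `rm -f` is redundant in a script that the unit and the init script already run as root. The workstation copy of this file (hunk `@ -0,0 +1,58 @@` under wheezy+whonix-workstation) is byte-identical and has the same issues.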
@ -27,12 +27,4 @@ if [ "${WHONIX}" != "template" ]; then
|
|||||||
|
|
||||||
# Make sure hostname is correct
|
# Make sure hostname is correct
|
||||||
/bin/hostname host
|
/bin/hostname host
|
||||||
|
|
||||||
if [ "${WHONIX}" == "gateway" ]; then
|
|
||||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
|
||||||
# to allow choice of repo and prevent whonixcheck errors
|
|
||||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
|
||||||
rm -f /var/lib/whonix/do_once/whonixsetup.done
|
|
||||||
}
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
@ -47,7 +47,6 @@ if [ "${WHONIX}" == "gateway" ]; then
|
|||||||
|
|
||||||
# Allow whonix-gateway to act as an update-proxy
|
# Allow whonix-gateway to act as an update-proxy
|
||||||
touch /var/run/qubes-service/qubes-updates-proxy
|
touch /var/run/qubes-service/qubes-updates-proxy
|
||||||
#systemctl stop qubes-updates-proxy.service
|
|
||||||
|
|
||||||
# Search and replace tinyproxy error files so we can inject code that
|
# Search and replace tinyproxy error files so we can inject code that
|
||||||
# we can use to identify that its a tor proxy so updates are secure
|
# we can use to identify that its a tor proxy so updates are secure
|
||||||
|
@ -0,0 +1,14 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Qubes Whonix bind /rw to ro dirs script
|
||||||
|
DefaultDependencies=no
|
||||||
|
Before=sysinit.target
|
||||||
|
After=qubes-sysinit.service
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
ExecStart=/usr/lib/whonix/init/bind-dirs.sh
|
||||||
|
StandardOutput=syslog
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=sysinit.target
|
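Review bot: `ExecStart=/usr/lib/whonix/init/bind-dirs.sh` does not match where this commit installs the script: the new file is `usr/lib/whonix/bind-dirs.sh`, the ACL manifest entry added in the same commit is `# file: usr/lib/whonix/bind-dirs.sh`, and the init script calls `sudo /usr/lib/whonix/bind-dirs.sh`, so this unit will fail on a missing executable; change it to `ExecStart=/usr/lib/whonix/bind-dirs.sh`. With `DefaultDependencies=no` and `Before=sysinit.target` the script presumably depends on `/rw` already being mounted by `qubes-sysinit.service`; if that is not guaranteed, `RequiresMountsFor=/rw` would make the requirement explicit rather than relying on `After=` ordering alone.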
@ -0,0 +1,18 @@
|
|||||||
|
[Unit]
|
||||||
|
Description=Checks many important aspects of Whonix.
|
||||||
|
After=syslog.target network.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=forking
|
||||||
|
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/run/whonixcheck
|
||||||
|
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonixcheck
|
||||||
|
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonix/whonixblog
|
||||||
|
ExecStart=/usr/lib/whonixcheckdaemon
|
||||||
|
PIDFile=/var/run/whonixcheck.pid
|
||||||
|
User=user
|
||||||
|
Group=user
|
||||||
|
UMask=0007
|
||||||
|
StandardOutput=syslog
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
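Review bot: The three `ExecStartPre=/usr/bin/install ... --owner user --group user` lines run under `User=user`, since systemd applies `User=` to `ExecStartPre` as well unless `PermissionsStartOnly=true` is set, so creating `/var/run/whonixcheck` inside root-owned `/var/run` and chowning the `/var/lib` directories will fail and the unit will not start unless the directories already exist with the right owner. Add `PermissionsStartOnly=true` to `[Service]` so the `install` steps run as root while `/usr/lib/whonixcheckdaemon` keeps `User=user`. `PIDFile=/var/run/whonixcheck.pid` also points outside the `/var/run/whonixcheck` directory that is being created for the user; presumably the daemon cannot write directly under `/var/run` as `user`, so confirm which path it actually writes and align the two.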
@ -2,57 +2,39 @@
|
|||||||
|
|
||||||
. /usr/lib/whonix/utility_functions
|
. /usr/lib/whonix/utility_functions
|
||||||
|
|
||||||
|
if ! [ "${WHONIX}" == "template" ]; then
|
||||||
|
sudo /usr/lib/whonix/bind-dirs.sh
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "${WHONIX}" == "gateway" ]; then
|
if [ "${WHONIX}" == "gateway" ]; then
|
||||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
if grep "^DisableNetwork 0$" /etc/tor/torrc ;then
|
||||||
|
sudo service sdwdate restart
|
||||||
|
sudo service tor restart
|
||||||
|
else
|
||||||
sudo service sdwdate restart
|
sudo service sdwdate restart
|
||||||
sudo service tor stop
|
sudo service tor stop
|
||||||
sudo /usr/bin/whonixsetup && {
|
sudo /usr/bin/whonixsetup
|
||||||
enable_sysv tor
|
fi
|
||||||
sleep 1
|
|
||||||
enable_sysv sdwdate
|
|
||||||
} || {
|
|
||||||
sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
|
|
||||||
disable_sysv tor
|
|
||||||
disable_sysv sdwdate
|
|
||||||
sudo /sbin/poweroff
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow whonix-gateway to act as an update-proxy
|
|
||||||
sudo systemctl status qubes-updates-proxy.service || {
|
|
||||||
error_file="/usr/share/tinyproxy/default.html"
|
|
||||||
|
|
||||||
# Search and replace tinyproxy error files so we can inject code that
|
|
||||||
# we can use to identify that its a tor proxy so updates are secure
|
|
||||||
grep -q "${PROXY_META}" "${error_file}" || {
|
|
||||||
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
|
||||||
}
|
|
||||||
|
|
||||||
sudo touch /var/run/qubes-service/qubes-updates-proxy
|
|
||||||
sudo iptables -t nat -N PR-QBS-SERVICES
|
|
||||||
sudo systemctl start qubes-updates-proxy.service
|
|
||||||
}
|
|
||||||
|
|
||||||
elif [ "${WHONIX}" == "workstation" ]; then
|
elif [ "${WHONIX}" == "workstation" ]; then
|
||||||
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
|
|
||||||
enable_sysv sdwdate
|
|
||||||
sudo service sdwdate restart
|
sudo service sdwdate restart
|
||||||
|
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
|
||||||
sudo /usr/bin/whonixsetup
|
sudo /usr/bin/whonixsetup
|
||||||
fi
|
fi
|
||||||
|
|
||||||
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
|
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
|
||||||
# Set secure defaults.
|
# Set secure defaults.
|
||||||
iptables -P INPUT DROP
|
sudo iptables -P INPUT DROP
|
||||||
iptables -P FORWARD DROP
|
sudo iptables -P FORWARD DROP
|
||||||
iptables -P OUTPUT DROP
|
sudo iptables -P OUTPUT DROP
|
||||||
|
|
||||||
# Flush old rules.
|
# Flush old rules.
|
||||||
iptables -F
|
sudo iptables -F
|
||||||
iptables -X
|
sudo iptables -X
|
||||||
iptables -t nat -F
|
sudo iptables -t nat -F
|
||||||
iptables -t nat -X
|
sudo iptables -t nat -X
|
||||||
iptables -t mangle -F
|
sudo iptables -t mangle -F
|
||||||
iptables -t mangle -X
|
sudo iptables -t mangle -X
|
||||||
|
|
||||||
# Display warning that netvm is not connected to a torvm
|
# Display warning that netvm is not connected to a torvm
|
||||||
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
|
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
|
||||||
|
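Review bot: The new gateway branch `if grep "^DisableNetwork 0$" /etc/tor/torrc ;then` prints the matching line to the init script's stdout; use `grep -q`. In the `else` branch `sudo /usr/bin/whonixsetup` now runs without any result check, whereas the removed code reacted to failure; leaving tor stopped is a safe default, but a failed setup is now silent, so at least report it with `sudo /usr/bin/whonixsetup || echo "whonixsetup failed" >&2`. The added `sudo /usr/lib/whonix/bind-dirs.sh` call will, if the new qubes-whonix-bind.service is enabled, be the second run of that script at boot, and each run unmounts and rebinds `/etc/tor` and `/var/lib/whonix`, which is presumably only harmless because it happens before the service restarts below; document that, or make one of the two invocations conditional. The workstation init hunk `@ -2,57 +2,39 @@` under wheezy+whonix-workstation carries the same changes and the same points.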
@ -152,6 +152,13 @@ user::rwx
|
|||||||
group::r-x
|
group::r-x
|
||||||
other::r-x
|
other::r-x
|
||||||
|
|
||||||
|
# file: usr/lib/whonix/bind-dirs.sh
|
||||||
|
# owner: root
|
||||||
|
# group: root
|
||||||
|
user::rwx
|
||||||
|
group::r-x
|
||||||
|
other::r-x
|
||||||
|
|
||||||
# file: usr/lib/whonix/init
|
# file: usr/lib/whonix/init
|
||||||
# owner: root
|
# owner: root
|
||||||
# group: root
|
# group: root
|
||||||
|
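--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# To umount all binds, just pass any arg in $1
+#
+
+. /usr/lib/whonix/utility_functions
+
+# Don't run if started as a template
+if ! [ "${WHONIX}" == "template" ]; then
+# Array of directories to bind
+BINDS=(
+'/rw/srv/whonix/root/.whonix:/root/.whonix'
+'/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
+'/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
+'/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
+'/rw/srv/whonix/etc/tor:/etc/tor'
+)
+
+for bind in ${BINDS[@]}; do
+rw_dir="${bind%%:*}"
+ro_dir="${bind##*:}"
+
+# Make sure ro directory is not mounted
+umount "${ro_dir}" 2> /dev/null || true
+
+if [ -n "${1}" ]; then
+echo "Umounting only..."
+exit 0
+fi
+
+# Make sure ro directory exists
+if ! [ -d "${ro_dir}" ]; then
+mkdir -p "${ro_dir}"
+fi
+
+# Initially copy over data directories to /rw if rw directory does not exist
+if ! [ -d "${rw_dir}" ]; then
+mkdir -p "${rw_dir}"
+rsync -hax "${ro_dir}/." "${rw_dir}"
+fi
+
+# Bind the directory
+sync
+mount --bind "${rw_dir}" "${ro_dir}"
+done
+sync
+fi
+
+if [ "${WHONIX}" == "gateway" ]; then
+# Make sure we remove whonixsetup.done if Tor is not enabled
+# to allow choice of repo and prevent whonixcheck errors
+grep "^DisableNetwork 0$" /etc/tor/torrc || {
+sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
+}
+fi
+
+exit 0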
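Review bot: This workstation file is a byte-for-byte copy of the gateway `bind-dirs.sh`, including the `if [ "${WHONIX}" == "gateway" ]` block and the `'/rw/srv/whonix/etc/tor:/etc/tor'` entry, neither of which applies to a workstation; on a workstation with no `/etc/tor` the loop runs `mkdir -p /etc/tor` and binds an empty directory over it. Drop the gateway block and the tor entry here, or better keep a single shared script that picks its bind list from `${WHONIX}`. The umount-only and unchecked-`rsync` defects raised on the gateway copy apply here unchanged.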
@ -27,12 +27,4 @@ if [ "${WHONIX}" != "template" ]; then
|
|||||||
|
|
||||||
# Make sure hostname is correct
|
# Make sure hostname is correct
|
||||||
/bin/hostname host
|
/bin/hostname host
|
||||||
|
|
||||||
if [ "${WHONIX}" == "gateway" ]; then
|
|
||||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
|
||||||
# to allow choice of repo and prevent whonixcheck errors
|
|
||||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
|
||||||
rm -f /var/lib/whonix/do_once/whonixsetup.done
|
|
||||||
}
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
@ -47,7 +47,6 @@ if [ "${WHONIX}" == "gateway" ]; then
|
|||||||
|
|
||||||
# Allow whonix-gateway to act as an update-proxy
|
# Allow whonix-gateway to act as an update-proxy
|
||||||
touch /var/run/qubes-service/qubes-updates-proxy
|
touch /var/run/qubes-service/qubes-updates-proxy
|
||||||
#systemctl stop qubes-updates-proxy.service
|
|
||||||
|
|
||||||
# Search and replace tinyproxy error files so we can inject code that
|
# Search and replace tinyproxy error files so we can inject code that
|
||||||
# we can use to identify that its a tor proxy so updates are secure
|
# we can use to identify that its a tor proxy so updates are secure
|
||||||
|
@ -2,57 +2,39 @@
|
|||||||
|
|
||||||
. /usr/lib/whonix/utility_functions
|
. /usr/lib/whonix/utility_functions
|
||||||
|
|
||||||
|
if ! [ "${WHONIX}" == "template" ]; then
|
||||||
|
sudo /usr/lib/whonix/bind-dirs.sh
|
||||||
|
fi
|
||||||
|
|
||||||
if [ "${WHONIX}" == "gateway" ]; then
|
if [ "${WHONIX}" == "gateway" ]; then
|
||||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
if grep "^DisableNetwork 0$" /etc/tor/torrc ;then
|
||||||
|
sudo service sdwdate restart
|
||||||
|
sudo service tor restart
|
||||||
|
else
|
||||||
sudo service sdwdate restart
|
sudo service sdwdate restart
|
||||||
sudo service tor stop
|
sudo service tor stop
|
||||||
sudo /usr/bin/whonixsetup && {
|
sudo /usr/bin/whonixsetup
|
||||||
enable_sysv tor
|
fi
|
||||||
sleep 1
|
|
||||||
enable_sysv sdwdate
|
|
||||||
} || {
|
|
||||||
sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
|
|
||||||
disable_sysv tor
|
|
||||||
disable_sysv sdwdate
|
|
||||||
sudo /sbin/poweroff
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allow whonix-gateway to act as an update-proxy
|
|
||||||
sudo systemctl status qubes-updates-proxy.service || {
|
|
||||||
error_file="/usr/share/tinyproxy/default.html"
|
|
||||||
|
|
||||||
# Search and replace tinyproxy error files so we can inject code that
|
|
||||||
# we can use to identify that its a tor proxy so updates are secure
|
|
||||||
grep -q "${PROXY_META}" "${error_file}" || {
|
|
||||||
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
|
||||||
}
|
|
||||||
|
|
||||||
sudo touch /var/run/qubes-service/qubes-updates-proxy
|
|
||||||
sudo iptables -t nat -N PR-QBS-SERVICES
|
|
||||||
sudo systemctl start qubes-updates-proxy.service
|
|
||||||
}
|
|
||||||
|
|
||||||
elif [ "${WHONIX}" == "workstation" ]; then
|
elif [ "${WHONIX}" == "workstation" ]; then
|
||||||
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
|
|
||||||
enable_sysv sdwdate
|
|
||||||
sudo service sdwdate restart
|
sudo service sdwdate restart
|
||||||
|
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
|
||||||
sudo /usr/bin/whonixsetup
|
sudo /usr/bin/whonixsetup
|
||||||
fi
|
fi
|
||||||
|
|
||||||
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
|
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
|
||||||
# Set secure defaults.
|
# Set secure defaults.
|
||||||
iptables -P INPUT DROP
|
sudo iptables -P INPUT DROP
|
||||||
iptables -P FORWARD DROP
|
sudo iptables -P FORWARD DROP
|
||||||
iptables -P OUTPUT DROP
|
sudo iptables -P OUTPUT DROP
|
||||||
|
|
||||||
# Flush old rules.
|
# Flush old rules.
|
||||||
iptables -F
|
sudo iptables -F
|
||||||
iptables -X
|
sudo iptables -X
|
||||||
iptables -t nat -F
|
sudo iptables -t nat -F
|
||||||
iptables -t nat -X
|
sudo iptables -t nat -X
|
||||||
iptables -t mangle -F
|
sudo iptables -t mangle -F
|
||||||
iptables -t mangle -X
|
sudo iptables -t mangle -X
|
||||||
|
|
||||||
# Display warning that netvm is not connected to a torvm
|
# Display warning that netvm is not connected to a torvm
|
||||||
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
|
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
|
||||||
|