whonix: Added ability to run both gateway and workstation as AppVMs (not standalone)
This commit is contained in:
parent
60ccebc8b7
commit
4acca407d7
@ -103,20 +103,6 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: etc/apt/preferences.d
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: etc/apt/preferences.d/whonix_qubes
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: etc/hostname
|
||||
# owner: root
|
||||
# group: root
|
||||
@ -173,6 +159,13 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/bind-dirs.sh
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/init
|
||||
# owner: root
|
||||
# group: root
|
||||
@ -187,6 +180,13 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/init/qubes-whonix-bind.service
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: usr/lib/whonix/init/replace-ips
|
||||
# owner: root
|
||||
# group: root
|
||||
@ -201,6 +201,13 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/init/whonixcheck.service
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: usr/lib/whonix/init/network-proxy-setup.sh
|
||||
# owner: root
|
||||
# group: root
|
||||
|
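--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# To umount all binds, just pass any arg in $1
+#
+
+. /usr/lib/whonix/utility_functions
+
+# Don't run if started as a template
+if ! [ "${WHONIX}" == "template" ]; then
+# Array of directories to bind
+BINDS=(
+'/rw/srv/whonix/root/.whonix:/root/.whonix'
+'/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
+'/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
+'/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
+'/rw/srv/whonix/etc/tor:/etc/tor'
+)
+
+for bind in ${BINDS[@]}; do
+rw_dir="${bind%%:*}"
+ro_dir="${bind##*:}"
+
+# Make sure ro directory is not mounted
+umount "${ro_dir}" 2> /dev/null || true
+
+if [ -n "${1}" ]; then
+echo "Umounting only..."
+exit 0
+fi
+
+# Make sure ro directory exists
+if ! [ -d "${ro_dir}" ]; then
+mkdir -p "${ro_dir}"
+fi
+
+# Initially copy over data directories to /rw if rw directory does not exist
+if ! [ -d "${rw_dir}" ]; then
+mkdir -p "${rw_dir}"
+rsync -hax "${ro_dir}/." "${rw_dir}"
+fi
+
+# Bind the directory
+sync
+mount --bind "${rw_dir}" "${ro_dir}"
+done
+sync
+fi
+
+if [ "${WHONIX}" == "gateway" ]; then
+# Make sure we remove whonixsetup.done if Tor is not enabled
+# to allow choice of repo and prevent whonixcheck errors
+grep "^DisableNetwork 0$" /etc/tor/torrc || {
+sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
+}
+fi
+
+exit 0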
@ -27,12 +27,4 @@ if [ "${WHONIX}" != "template" ]; then
|
||||
|
||||
# Make sure hostname is correct
|
||||
/bin/hostname host
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
||||
# to allow choice of repo and prevent whonixcheck errors
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
rm -f /var/lib/whonix/do_once/whonixsetup.done
|
||||
}
|
||||
fi
|
||||
fi
|
||||
|
@ -47,7 +47,6 @@ if [ "${WHONIX}" == "gateway" ]; then
|
||||
|
||||
# Allow whonix-gateway to act as an update-proxy
|
||||
touch /var/run/qubes-service/qubes-updates-proxy
|
||||
#systemctl stop qubes-updates-proxy.service
|
||||
|
||||
# Search and replace tinyproxy error files so we can inject code that
|
||||
# we can use to identify that its a tor proxy so updates are secure
|
||||
|
@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=Qubes Whonix bind /rw to ro dirs script
|
||||
DefaultDependencies=no
|
||||
Before=sysinit.target
|
||||
After=qubes-sysinit.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/lib/whonix/init/bind-dirs.sh
|
||||
StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=sysinit.target
|
@ -0,0 +1,18 @@
|
||||
[Unit]
|
||||
Description=Checks many important aspects of Whonix.
|
||||
After=syslog.target network.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/run/whonixcheck
|
||||
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonixcheck
|
||||
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonix/whonixblog
|
||||
ExecStart=/usr/lib/whonixcheckdaemon
|
||||
PIDFile=/var/run/whonixcheck.pid
|
||||
User=user
|
||||
Group=user
|
||||
UMask=0007
|
||||
StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -2,57 +2,39 @@
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if ! [ "${WHONIX}" == "template" ]; then
|
||||
sudo /usr/lib/whonix/bind-dirs.sh
|
||||
fi
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
if grep "^DisableNetwork 0$" /etc/tor/torrc ;then
|
||||
sudo service sdwdate restart
|
||||
sudo service tor restart
|
||||
else
|
||||
sudo service sdwdate restart
|
||||
sudo service tor stop
|
||||
sudo /usr/bin/whonixsetup && {
|
||||
enable_sysv tor
|
||||
sleep 1
|
||||
enable_sysv sdwdate
|
||||
} || {
|
||||
sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
|
||||
disable_sysv tor
|
||||
disable_sysv sdwdate
|
||||
sudo /sbin/poweroff
|
||||
}
|
||||
}
|
||||
|
||||
# Allow whonix-gateway to act as an update-proxy
|
||||
sudo systemctl status qubes-updates-proxy.service || {
|
||||
error_file="/usr/share/tinyproxy/default.html"
|
||||
|
||||
# Search and replace tinyproxy error files so we can inject code that
|
||||
# we can use to identify that its a tor proxy so updates are secure
|
||||
grep -q "${PROXY_META}" "${error_file}" || {
|
||||
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
||||
}
|
||||
|
||||
sudo touch /var/run/qubes-service/qubes-updates-proxy
|
||||
sudo iptables -t nat -N PR-QBS-SERVICES
|
||||
sudo systemctl start qubes-updates-proxy.service
|
||||
}
|
||||
sudo /usr/bin/whonixsetup
|
||||
fi
|
||||
|
||||
elif [ "${WHONIX}" == "workstation" ]; then
|
||||
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
|
||||
enable_sysv sdwdate
|
||||
sudo service sdwdate restart
|
||||
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
|
||||
sudo /usr/bin/whonixsetup
|
||||
fi
|
||||
|
||||
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
|
||||
# Set secure defaults.
|
||||
iptables -P INPUT DROP
|
||||
iptables -P FORWARD DROP
|
||||
iptables -P OUTPUT DROP
|
||||
sudo iptables -P INPUT DROP
|
||||
sudo iptables -P FORWARD DROP
|
||||
sudo iptables -P OUTPUT DROP
|
||||
|
||||
# Flush old rules.
|
||||
iptables -F
|
||||
iptables -X
|
||||
iptables -t nat -F
|
||||
iptables -t nat -X
|
||||
iptables -t mangle -F
|
||||
iptables -t mangle -X
|
||||
sudo iptables -F
|
||||
sudo iptables -X
|
||||
sudo iptables -t nat -F
|
||||
sudo iptables -t nat -X
|
||||
sudo iptables -t mangle -F
|
||||
sudo iptables -t mangle -X
|
||||
|
||||
# Display warning that netvm is not connected to a torvm
|
||||
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
|
||||
|
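Review bot: The exit status of `sudo /usr/lib/whonix/bind-dirs.sh` is never checked, yet everything after it depends on the binds being in place: the `whonixsetup.done` test and the `sed -i` on /etc/tor/torrc would otherwise act on the template's throw-away copies, and the decision whether to run whonixsetup would be taken against the wrong state. Consider `sudo /usr/lib/whonix/bind-dirs.sh || { echo "bind-dirs.sh failed" >&2; exit 1; }`. As far as the rendered page shows, the same script is also started by qubes-whonix-bind.service at sysinit, so this call is a second unmount/remount of /etc/tor and /var/lib/whonix during boot, possibly while Tor is already running; if the unit is the intended mechanism, this call should probably become a check that the mounts exist rather than a repeat. The template branch at the end (`elif [ "${WHONIX}" == "template" -a ... ]`) continues outside the hunk, and I cannot tell from the rendered page which of the duplicated `iptables`/`sudo iptables` lines is the new side.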
@ -152,6 +152,13 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/bind-dirs.sh
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/init
|
||||
# owner: root
|
||||
# group: root
|
||||
|
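--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# To umount all binds, just pass any arg in $1
+#
+
+. /usr/lib/whonix/utility_functions
+
+# Don't run if started as a template
+if ! [ "${WHONIX}" == "template" ]; then
+# Array of directories to bind
+BINDS=(
+'/rw/srv/whonix/root/.whonix:/root/.whonix'
+'/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
+'/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
+'/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
+'/rw/srv/whonix/etc/tor:/etc/tor'
+)
+
+for bind in ${BINDS[@]}; do
+rw_dir="${bind%%:*}"
+ro_dir="${bind##*:}"
+
+# Make sure ro directory is not mounted
+umount "${ro_dir}" 2> /dev/null || true
+
+if [ -n "${1}" ]; then
+echo "Umounting only..."
+exit 0
+fi
+
+# Make sure ro directory exists
+if ! [ -d "${ro_dir}" ]; then
+mkdir -p "${ro_dir}"
+fi
+
+# Initially copy over data directories to /rw if rw directory does not exist
+if ! [ -d "${rw_dir}" ]; then
+mkdir -p "${rw_dir}"
+rsync -hax "${ro_dir}/." "${rw_dir}"
+fi
+
+# Bind the directory
+sync
+mount --bind "${rw_dir}" "${ro_dir}"
+done
+sync
+fi
+
+if [ "${WHONIX}" == "gateway" ]; then
+# Make sure we remove whonixsetup.done if Tor is not enabled
+# to allow choice of repo and prevent whonixcheck errors
+grep "^DisableNetwork 0$" /etc/tor/torrc || {
+sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
+}
+fi
+
+exit 0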
@ -27,12 +27,4 @@ if [ "${WHONIX}" != "template" ]; then
|
||||
|
||||
# Make sure hostname is correct
|
||||
/bin/hostname host
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
||||
# to allow choice of repo and prevent whonixcheck errors
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
rm -f /var/lib/whonix/do_once/whonixsetup.done
|
||||
}
|
||||
fi
|
||||
fi
|
||||
|
@ -47,7 +47,6 @@ if [ "${WHONIX}" == "gateway" ]; then
|
||||
|
||||
# Allow whonix-gateway to act as an update-proxy
|
||||
touch /var/run/qubes-service/qubes-updates-proxy
|
||||
#systemctl stop qubes-updates-proxy.service
|
||||
|
||||
# Search and replace tinyproxy error files so we can inject code that
|
||||
# we can use to identify that its a tor proxy so updates are secure
|
||||
|
@ -2,57 +2,39 @@
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if ! [ "${WHONIX}" == "template" ]; then
|
||||
sudo /usr/lib/whonix/bind-dirs.sh
|
||||
fi
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
if grep "^DisableNetwork 0$" /etc/tor/torrc ;then
|
||||
sudo service sdwdate restart
|
||||
sudo service tor restart
|
||||
else
|
||||
sudo service sdwdate restart
|
||||
sudo service tor stop
|
||||
sudo /usr/bin/whonixsetup && {
|
||||
enable_sysv tor
|
||||
sleep 1
|
||||
enable_sysv sdwdate
|
||||
} || {
|
||||
sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
|
||||
disable_sysv tor
|
||||
disable_sysv sdwdate
|
||||
sudo /sbin/poweroff
|
||||
}
|
||||
}
|
||||
|
||||
# Allow whonix-gateway to act as an update-proxy
|
||||
sudo systemctl status qubes-updates-proxy.service || {
|
||||
error_file="/usr/share/tinyproxy/default.html"
|
||||
|
||||
# Search and replace tinyproxy error files so we can inject code that
|
||||
# we can use to identify that its a tor proxy so updates are secure
|
||||
grep -q "${PROXY_META}" "${error_file}" || {
|
||||
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
||||
}
|
||||
|
||||
sudo touch /var/run/qubes-service/qubes-updates-proxy
|
||||
sudo iptables -t nat -N PR-QBS-SERVICES
|
||||
sudo systemctl start qubes-updates-proxy.service
|
||||
}
|
||||
sudo /usr/bin/whonixsetup
|
||||
fi
|
||||
|
||||
elif [ "${WHONIX}" == "workstation" ]; then
|
||||
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
|
||||
enable_sysv sdwdate
|
||||
sudo service sdwdate restart
|
||||
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
|
||||
sudo /usr/bin/whonixsetup
|
||||
fi
|
||||
|
||||
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
|
||||
# Set secure defaults.
|
||||
iptables -P INPUT DROP
|
||||
iptables -P FORWARD DROP
|
||||
iptables -P OUTPUT DROP
|
||||
sudo iptables -P INPUT DROP
|
||||
sudo iptables -P FORWARD DROP
|
||||
sudo iptables -P OUTPUT DROP
|
||||
|
||||
# Flush old rules.
|
||||
iptables -F
|
||||
iptables -X
|
||||
iptables -t nat -F
|
||||
iptables -t nat -X
|
||||
iptables -t mangle -F
|
||||
iptables -t mangle -X
|
||||
sudo iptables -F
|
||||
sudo iptables -X
|
||||
sudo iptables -t nat -F
|
||||
sudo iptables -t nat -X
|
||||
sudo iptables -t mangle -F
|
||||
sudo iptables -t mangle -X
|
||||
|
||||
# Display warning that netvm is not connected to a torvm
|
||||
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
|
||||
|
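Review bot: As in the gateway copy, `sudo /usr/lib/whonix/bind-dirs.sh` is called without checking its result, so a failed bind (missing script, sudo denied, /rw not yet mounted) is silent and the `whonixsetup.done` check in the workstation branch then reads the template's non-persistent /var/lib/whonix instead of the /rw copy, re-running or skipping whonixsetup on the wrong state. Consider `sudo /usr/lib/whonix/bind-dirs.sh || { echo "bind-dirs.sh failed" >&2; exit 1; }`. The script is also started by qubes-whonix-bind.service at sysinit as far as this page shows, making this a second unmount/remount during boot; one of the two invocations should own the mounts. The closing `fi` of the template branch lies outside the hunk, and the rendered page does not let me tell which of the duplicated `iptables` versus `sudo iptables` lines is the new side.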