diff --git a/scripts_debian/NOTES.old b/scripts_debian/NOTES.old
deleted file mode 100644
index 6e1021e..0000000
--- a/scripts_debian/NOTES.old
+++ /dev/null
@@ -1,106 +0,0 @@ -===================================================================== -These are my original notes for steps to intergrate Whonix into Qubes -===================================================================== - -Read README.whonix qubes-builder package for build instructions - -None of the notes below apply at this point but I am saving them -until whonix intergration is complete since there still may be some -valid steps I will need to intergrate ubuntu as well - -===================================================================== -# Build depends -sudo yum install rpmdevtools rpm-build createrepo rpm-sign - -# Additional for debian template -sudo yum install debootstrap dpkg-dev - -# Build -# https://qubes-os.org/wiki/BuildingArchlinuxTemplate -# --------------------------------------------------- -clean all -clean all rpms -sudo umount chroot-wheezy/proc -sudo rm -r chroot-wheezy -cd qubes-src/linus-template-builder -sudo umount mnt -sudo rm prepared_images/... - -make get-sources - -make vmm-xen-vm -make core-vchan-xen-vm -make linux-utils-vm -make core-agent-linux-vm -make gui-common-vm -make gui-agent-linux-vm - -make linux-template-builder - - -# builder.conf -# ------------ -GIT_SUBDIR=marmarek -COMPONENTS:=$(filter-out desktop-linux-kde desktop-linux-xfce,$(COMPONENTS)) -DISTS_VM=wheezy -NO_SIGN="1" -DEBUG="1" -VERBOSE=2 - - -# Changed (XXX: Marks the spot!) -# ------------------------------ -# Makefile.debian -# - wheezy repo dir does not get created... 
-# prepare-chroot-debian -# - chroot /dev/null should be 0666 - - -# Wheezy needs a keyring -# ---------------------- -# Create in keys_debian -# Get from https://ftp-master.debian.org/keys.html -gpg --no-default-keyring --keyring=wheezy-debian-archive-keyring.gpg --import wheezy-archive-key-7.0.asc -# move from /user/home/.gnupgp to keys_debian - - -# Wheezy Hacks -# ------------ -# Need 2.0 pulse audio drivers -# *add to source list* -cd qubes-src -git clone --branch v2.0 git://anongit.freedesktop.org/pulseaudio/pulseaudio -cp -prf pulseaudio/src/pulsecore gui-agent-linux/pulse/pulsecore-2.0 -cd .. - -# Add to... -# module-vchan-sink-symdef.h - -#elif PA_CHECK_VERSION(2,0,0) -bool pa__load_once(void); - -# Add to.. -# Makefile - - -# Build errors - template -# ----------------------- -make[1]: *** [update-repo] Error 32 -make: *** [linux-template-builder] Error 1 -mount: mount(2) failed: No such file or directory - -- remove all mounts and try again. Some mounts may need to be tried multiple times - -$ sudo umount chroot-wheezy/proc/ -$ sudo umount chroot-wheezy/proc/ -umount: chroot-wheezy/proc/: not mounted - -$ sudo umount chroot-wheezy/tmp/qubes-apt-repo/ -$ sudo umount chroot-wheezy/tmp/qubes-apt-repo/ -umount: chroot-wheezy/tmp/qubes-apt-repo/: not mounted - -$ sudo umount chroot-wheezy/tmp/qubes-deb/ -$ sudo umount chroot-wheezy/tmp/qubes-deb/ -$ sudo umount chroot-wheezy/tmp/qubes-deb/ -umount: chroot-wheezy/tmp/qubes-deb/: not mounted - diff --git a/scripts_debian/gnome/04_install_qubes_post.sh b/scripts_debian/gnome/04_install_qubes_post.sh deleted file mode 100755 index fcb309e..0000000 --- a/scripts_debian/gnome/04_install_qubes_post.sh +++ /dev/null 
@@ -1,26 +0,0 @@ -#!/bin/bash -# vim: set ts=4 sw=4 sts=4 et : - -# -# Whonix Post Install Steps (after qubes install) -# - -# ------------------------------------------------------------------------------ -# Source external scripts -# ------------------------------------------------------------------------------ -. ${SCRIPTSDIR}/vars.sh - -# ------------------------------------------------------------------------------ -# Configurations -# ------------------------------------------------------------------------------ -if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then - set -x -else - set -e -fi - -# ------------------------------------------------------------------------------ -# Disable gnome network-manager since it will prevent networking -# ------------------------------------------------------------------------------ -debug "Disabling gnome network-manager" -chroot "${INSTALLDIR}" systemctl disable network-manager diff --git a/scripts_debian/proxy/files/.facl b/scripts_debian/proxy/files/.facl deleted file mode 100644 index 4e26d4d..0000000 --- a/scripts_debian/proxy/files/.facl +++ /dev/null @@ -1,42 +0,0 @@ -# file: . -# owner: user -# group: user -user::rwx -group::r-x -other::r-x - -# file: etc -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - -# file: etc/udev -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - -# file: etc/udev/rules.d -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - -# file: etc/udev/rules.d/xen-backend.rules -# owner: root -# group: root -user::rw- -group::r-- -other::r-- - -# file: etc/udev/rules.d/98-kexec.rules -# owner: root -# group: root -user::rw- -group::r-- -other::r-- - diff --git a/scripts_debian/proxy/files/etc/udev/rules.d/xen-backend.rules b/scripts_debian/proxy/files/etc/udev/rules.d/xen-backend.rules deleted file mode 100644 index 40f2658..0000000 --- a/scripts_debian/proxy/files/etc/udev/rules.d/xen-backend.rules +++ /dev/null 
@@ -1,16 +0,0 @@
-SUBSYSTEM=="xen-backend", KERNEL=="tap*", RUN+="/etc/xen/scripts/blktap $env{ACTION}"
-SUBSYSTEM=="xen-backend", KERNEL=="vbd*", RUN+="/etc/xen/scripts/block $env{ACTION}"
-SUBSYSTEM=="xen-backend", KERNEL=="vtpm*", RUN+="/etc/xen/scripts/vtpm $env{ACTION}"
-SUBSYSTEM=="xen-backend", KERNEL=="vif2-*", RUN+="/etc/xen/scripts/vif2 $env{ACTION}"
-SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="online", RUN+="/etc/xen/scripts/vif-setup online type_if=vif"
-SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="offline", RUN+="/etc/xen/scripts/vif-setup offline type_if=vif"
-SUBSYSTEM=="xen-backend", KERNEL=="vscsi*", RUN+="/etc/xen/scripts/vscsi $env{ACTION}"
-SUBSYSTEM=="xen-backend", ACTION=="remove", RUN+="/etc/xen/scripts/xen-hotplug-cleanup"
-KERNEL=="evtchn", NAME="xen/%k"
-SUBSYSTEM=="xen", KERNEL=="blktap[0-9]*", NAME="xen/%k", MODE="0600"
-SUBSYSTEM=="blktap2", KERNEL=="blktap[0-9]*", NAME="xen/blktap-2/%k", MODE="0600"
-KERNEL=="blktap-control", NAME="xen/blktap-2/control", MODE="0600"
-KERNEL=="gntdev", NAME="xen/%k", MODE="0600"
-KERNEL=="pci_iomul", NAME="xen/%k", MODE="0600"
-KERNEL=="tapdev[a-z]*", NAME="xen/blktap-2/tapdev%m", MODE="0600"
-SUBSYSTEM=="net", KERNEL=="tap*", ACTION=="add", RUN+="/etc/xen/scripts/vif-setup $env{ACTION} type_if=tap"
diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl
index ece4cc6..b580d19 100644
--- a/scripts_debian/wheezy+whonix-gateway/files/.facl
+++ b/scripts_debian/wheezy+whonix-gateway/files/.facl
@@ -5,91 +5,105 @@ user::rwx group::r-x other::r-x -# file: etc +# file: lib # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/hosts +# file: lib/systemd # owner: root # group: root -user::rw- -group::r-- -other::r-- +user::rwx +group::r-x +other::r-x -# file: etc/uwt.d +# file: lib/systemd/system # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/uwt.d/50_uwt_default +# file: lib/systemd/system/qubes-whonix-firewall.service # owner: root # group: root user::rw- group::r-- other::r-- -# file: etc/xdg +# file: lib/systemd/system/qubes-whonix-network.service +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/xdg/autostart +# file: etc/hosts +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/uwt.d # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/xdg/autostart/qubes-whonixsetup.desktop +# file: etc/uwt.d/50_uwt_default # owner: root # group: root user::rw- group::r-- other::r-- -# file: etc/apt +# file: etc/xdg # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/apt/preferences.d +# file: etc/xdg/autostart # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/apt/preferences.d/whonix_qubes +# file: etc/xdg/autostart/qubes-whonixsetup.desktop # owner: root # group: root user::rw- group::r-- other::r-- -# file: etc/udev +# file: etc/apt # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/udev/rules.d +# file: etc/apt/preferences.d # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/udev/rules.d/99-qubes-whonix.rules +# file: etc/apt/preferences.d/whonix_qubes # owner: root # group: root user::rw- 
@@ -152,34 +166,55 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/setup-ip +# file: usr/lib/whonix/whonix.sh # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix/tests.sh +# file: usr/lib/whonix/init # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix/messages.yaml +# file: usr/lib/whonix/init/replace-ips # owner: root # group: root -user::rw- -group::r-- -other::r-- +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/init/init.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/init/network-proxy-setup.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x -# file: usr/lib/whonix/replace-ips +# file: usr/lib/whonix/init/qubes-firewall-user-script # owner: root # group: root user::rwx group::r-x other::r-x +# file: usr/lib/whonix/messages.yaml +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: usr/lib/whonix/alert # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules b/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules deleted file mode 100644 index 8bcf97d..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules +++ /dev/null @@ -1 +0,0 @@ -SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip" diff --git a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service new file mode 100644 index 0000000..649fe7a --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service 
@@ -0,0 +1,14 @@
+[Unit]
+Description=Qubes Whonix firewall updater
+After=qubes-whonix-network.service
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=/usr/lib/whonix/init/init.sh
+ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service
new file mode 100644
index 0000000..245e031
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Qubes Whonix network proxy setup
+ConditionPathExists=/var/run/qubes-service/qubes-network
+Before=network.target
+After=qubes-firewall.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh
new file mode 100755
index 0000000..2727847
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+if [ "${WHONIX}" != "template" ]; then
+ # Files that will have the immutable bit set
+ # since we don't want them modified by other programs
+ IMMUTABLE_FILES=(
+ '/etc/resolv.conf'
+ '/etc/hostname'
+ '/etc/hosts'
+ )
+
+ # Make sure all .anondist files in list are immutable
+ immutableFilesEnable "${IMMUTABLE_FILES}"
+ immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
+
+ # Make sure we are using a copy of the annondist file and if not
+ # copy the annondist file and set it immutable
+ copyAnondist "/etc/resolv.conf"
+ copyAnondist "/etc/hosts"
+ copyAnondist "/etc/hostname"
+
+ # Replace IP addresses in known configuration files / scripts to
+ # currently discovered one
+ /usr/lib/whonix/init/replace-ips
+
+ # Make sure hostname is correct
+ /bin/hostname host
+
+ if [ "${WHONIX}" == "gateway" ]; then
+ # Make sure we remove whonixsetup.done if Tor is not enabled
+ # to allow choice of repo and prevent whonixcheck errors
+ grep "^DisableNetwork 0$" /etc/tor/torrc || {
+ rm -f /var/lib/whonix/do_once/whonixsetup.done
+ }
+ fi
+fi
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh
new file mode 100755
index 0000000..a08322d
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh
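Review bot: `immutableFilesEnable "${IMMUTABLE_FILES}"` (both calls) hands the function only the first array element, `/etc/resolv.conf`, because `"${arr}"` expands to element 0 in bash; `/etc/hostname` and `/etc/hosts` are therefore never covered by these two lines, whichever calling convention `immutableFilesEnable` in `utility_functions` (not shown) expects. Confirm against that file and pass either the array name or `"${IMMUTABLE_FILES[@]}"`. The same lines existed in the deleted `setup-ip`, so the defect is inherited rather than introduced, but it now runs as `ExecStartPre` of the firewall unit on every start. `grep "^DisableNetwork 0$" /etc/tor/torrc` is used only for its exit status, so `grep -q` keeps the matched torrc line out of the unit's output. The workstation copy of `init.sh` (same blob 2727847) has the identical lines.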
@@ -0,0 +1,67 @@ +#!/bin/bash + +. /usr/lib/whonix/utility_functions + +# Or just enable them :) +#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service' +#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service' +#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service' + + +INTERFACE="eth1" + +if [ "${WHONIX}" == "gateway" ]; then + + if [ -x /usr/sbin/xenstore-read ]; then + XENSTORE_READ="/usr/sbin/xenstore-read" + else + XENSTORE_READ="/usr/bin/xenstore-read" + fi + + # Setup Xen / Qubes proxy + network=$(xenstore-read qubes-netvm-network 2>/dev/null) + if [ "x$network" != "x" ]; then + gateway=$(xenstore-read qubes-netvm-gateway) + netmask=$(xenstore-read qubes-netvm-netmask) + secondary_dns=$(xenstore-read qubes-netvm-secondary-dns) + modprobe netbk 2> /dev/null || modprobe xen-netback + echo "NS1=$gateway" > /var/run/qubes/qubes-ns + echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns + #/usr/lib/qubes/qubes-setup-dnat-to-ns + echo "0" > /proc/sys/net/ipv4/ip_forward + /sbin/ethtool -K eth0 sg off || : + fi + + # Now, assign it the netvm-gateway IP address + ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) + if [ x${ip} != x ]; then + # Create a dummy eth1 interface so tor can bind to it if there + # are no DOMU virtual machines connected at the moment + /sbin/ip link add ${INTERFACE} type dummy + + netmask=$(${XENSTORE_READ} qubes-netvm-netmask) + gateway=$(${XENSTORE_READ} qubes-netvm-gateway) + /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 + /sbin/ifconfig ${INTERFACE} up + /sbin/ethtool -K ${INTERFACE} sg off || true + /sbin/ethtool -K ${INTERFACE} tx off || true + + ip link set ${INTERFACE} up + fi + + echo "0" > /proc/sys/net/ipv4/ip_forward + + # Allow whonix-gateway to act as an update-proxy + touch 
/var/run/qubes-service/qubes-updates-proxy + #systemctl stop qubes-updates-proxy.service + + # Search and replace tinyproxy error files so we can inject code that + # we can use to identify that its a tor proxy so updates are secure + error_file="/usr/share/tinyproxy/default.html" + grep -q "${PROXY_META}" "${error_file}" || { + sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" + } +fi + +# Copy firewall script so Qubes will reload it when it reloads +cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script new file mode 100755 index 0000000..6863a9e --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script 
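Review bot: `/sbin/ip link add ${INTERFACE} type dummy` is now unconditional, whereas the deleted `setup-ip` guarded it with `ip link show ${INTERFACE} >> /dev/null ||`; this script runs from a restartable `Type=oneshot` unit, so a second run fails on the already-existing interface and, with no `set -e`, carries on silently. Restore the guard, e.g. `ip link show ${INTERFACE} > /dev/null 2>&1 || /sbin/ip link add ${INTERFACE} type dummy`. Two smaller points in the same hunk: the "Setup Xen / Qubes proxy" block calls bare `xenstore-read` although `${XENSTORE_READ}` was resolved just above it, and `sudo sed -i` is invoked from a script systemd already runs as root, where `sudo` may fail without a tty — drop `sudo`. `if [ x${ip} != x ]` should be `if [ -n "${ip}" ]`. The workstation copy of this file (same blob a08322d) carries the same lines.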
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+if [ "${WHONIX}" != "template" ]; then
+ # Make sure IP forwarding is disabled
+ echo "0" > /proc/sys/net/ipv4/ip_forward
+
+ if [ -x /usr/sbin/xenstore-read ]; then
+ XENSTORE_READ="/usr/sbin/xenstore-read"
+ else
+ XENSTORE_READ="/usr/bin/xenstore-read"
+ fi
+
+ ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
+
+ # Start Whonix Firewall
+ if [ "${WHONIX}" == "gateway" ]; then
+ export INT_IF="vif+"
+ export INT_TIF="vif+"
+
+ # Inject custom firewall rules into whonix_firewall
+ sed -i -f - /usr/bin/whonix_firewall <<-EOF
+/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
+## IPv4 DROP INVALID INCOMING PACKAGES \\
+## \\
+## --- THE FOLLOWING WS INJECTED --- \\
+## Qubes Tiny Proxy Updater \\
+iptables -t nat -N PR-QBS-SERVICES \\
+iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
+iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
+iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
+iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
+\\
+# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
+# Allows localhost access to tor network \\
+iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
+######################################
+EOF
+ fi
+
+ # Load the firewall
+ # XXX: TODO: Take down all network accesss if firewall fails
+ /usr/bin/whonix_firewall
+
+ systemctl restart qubes-updates-proxy.service
+fi
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/replace-ips
similarity index 100%
rename from scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips
rename to scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/replace-ips
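Review bot: `${ip}` is expanded into the sed script with no check that `${XENSTORE_READ} qubes-netvm-gateway` returned anything (its stderr is discarded on the `ip=$(...)` line); when it is empty the line `iptables -t nat -A OUTPUT -s -d -j DNAT --to-destination 127.0.0.1` is written into `/usr/bin/whonix_firewall` by `sed -i` and every later firewall load inherits the broken rule. Guard the injection with `[ -n "${ip}" ]` and still run `/usr/bin/whonix_firewall` when it is empty, so the base ruleset loads even if the xenstore read failed. The `# XXX: TODO` above `/usr/bin/whonix_firewall` is the larger gap: its exit status is ignored and `systemctl restart qubes-updates-proxy.service` runs regardless, so a firewall that failed to load on a gateway is never reported; at minimum `/usr/bin/whonix_firewall || exit 1` makes the oneshot unit fail visibly. `iptables -t nat -N PR-QBS-SERVICES` also fails if the chain already exists — whether `whonix_firewall` flushes the nat table first cannot be seen from this hunk. The workstation copy (same blob 6863a9e; its hunk is outside this view) carries the same lines.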
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip
deleted file mode 100755
index 989ccd8..0000000
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip
+++ /dev/null
@@ -1,78 +0,0 @@ -#!/bin/bash - -. /usr/lib/whonix/utility_functions - -if [ "${WHONIX}" == "gateway" ]; then - if [ -x /usr/sbin/xenstore-read ]; then - XENSTORE_READ="/usr/sbin/xenstore-read" - else - XENSTORE_READ="/usr/bin/xenstore-read" - fi - - INTERFACE="eth1" - ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) - - # Create a dummy eth1 interface so tor can bind to it if there - # are no DOMU virtual machines connected at the moment - ip link show ${INTERFACE} >> /dev/null || { - /sbin/ip link add ${INTERFACE} type dummy - - # Now, assign it the netvm-gateway IP address - if [ x${ip} != x ]; then - netmask=$(${XENSTORE_READ} qubes-netvm-netmask) - gateway=$(${XENSTORE_READ} qubes-netvm-gateway) - /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 - /sbin/ifconfig ${INTERFACE} up - /sbin/ethtool -K ${INTERFACE} sg off || true - /sbin/ethtool -K ${INTERFACE} tx off || true - fi - - ip link set ${INTERFACE} up - } -fi - -if [ "${WHONIX}" != "template" ]; then - # Files that will have the immutable bit set - # since we don't want them modified by other programs - IMMUTABLE_FILES=( - '/etc/resolv.conf' - '/etc/hostname' - '/etc/hosts' - ) - - # Make sure all .anondist files in list are immutable - immutableFilesEnable "${IMMUTABLE_FILES}" - immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" - - # Make sure we are using a copy of the annondist file and if not - # copy the annondist file and set it immutable - copyAnondist "/etc/resolv.conf" - copyAnondist "/etc/hosts" - copyAnondist "/etc/hostname" - - # Replace IP addresses in known configuration files / scripts to - # currently discovered one - /usr/lib/whonix/replace-ips - - # Make sure hostname is correct - /bin/hostname host - - # Start Whonix Firewall - if [ "${WHONIX}" == "gateway" ]; then - export INT_IF="vif+" - export INT_TIF="vif+" - fi - /usr/bin/whonix_firewall - - if [ "${WHONIX}" == "gateway" ]; then - # Route any traffic FROM netvm TO netvm BACK-TO localhost - # Allows localhost 
access to tor network - iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 - fi - - # Make sure we remove whonixsetup.done if Tor is not enabled - # to allow choice of repo and prevent whonixcheck errors - grep "^DisableNetwork 0$" /etc/tor/torrc || { - rm -f /var/lib/whonix/do_once/whonixsetup.done - } -fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh deleted file mode 100755 index 6570b49..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh +++ /dev/null 
@@ -1,95 +0,0 @@ -#!/bin/bash - -. /usr/lib/whonix/utility_functions - -#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" -#disable_sysv tor -#disable_sysv sdwdate - -iptables -F -iptables -t nat -F - -LOG_IP4=1 -LOG_IP6=0 - -# for IPv4 -if [ "$LOG_IP4" == "1" ]; then - iptables -t raw -A OUTPUT -p icmp -j TRACE - iptables -t raw -A PREROUTING -p icmp -j TRACE - modprobe ipt_LOG -fi - -# for IPv6 -if [ "$LOG_IP6" == "1" ]; then - ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE - ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE - ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE - ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE - modprobe ip6t_LOG -fi - -sysctl -w net.ipv4.ip_forward=1 - -iptables -A FORWARD -i eth0 -j ACCEPT -iptables -A FORWARD -o eth0 -j ACCEPT -iptables -A FORWARD -i lo -j ACCEPT -iptables -A FORWARD -o lo -j ACCEPT - -#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - -#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105 -#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 - - -#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 - -#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT" -#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 
10.137.255.254 -p tcp --dport 8082 -j REDIRECT" - -#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT -#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT -#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT -#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT -#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082 - -#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 - -#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 -#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 -#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 -#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 - -# Works -# localhost/loopback maps localhost port 8082 to localhost port 8888 -#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888 - -# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082 - -# Remap ALL traffic -#iptables -t 
nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082 - - -#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105 -#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 -#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 - -#iptables -v -L -#iptables -v -t nat -L -#telnet 127.0.0.1 9105 -#telnet 10.137.2.1 8082 -#telnet 127.0.0.1 8082 -#tail -100 /var/log/kern.log diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl index d173e0d..d33107e 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/.facl +++ b/scripts_debian/wheezy+whonix-workstation/files/.facl 
@@ -5,70 +5,84 @@ user::rwx group::r-x other::r-x -# file: etc +# file: lib # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/hosts +# file: lib/systemd # owner: root # group: root -user::rw- -group::r-- -other::r-- +user::rwx +group::r-x +other::r-x -# file: etc/uwt.d +# file: lib/systemd/system # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/uwt.d/50_uwt_default +# file: lib/systemd/system/qubes-whonix-firewall.service # owner: root # group: root user::rw- group::r-- other::r-- -# file: etc/xdg +# file: lib/systemd/system/qubes-whonix-network.service +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/xdg/autostart +# file: etc/hosts +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/uwt.d # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/xdg/autostart/qubes-whonixsetup.desktop +# file: etc/uwt.d/50_uwt_default # owner: root # group: root user::rw- group::r-- other::r-- -# file: etc/udev +# file: etc/xdg # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/udev/rules.d +# file: etc/xdg/autostart # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/udev/rules.d/99-qubes-whonix.rules +# file: etc/xdg/autostart/qubes-whonixsetup.desktop # owner: root # group: root user::rw- 
@@ -131,27 +145,55 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/setup-ip +# file: usr/lib/whonix/whonix.sh # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix/messages.yaml +# file: usr/lib/whonix/init # owner: root # group: root -user::rw- -group::r-- -other::r-- +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/init/replace-ips +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/init/init.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/init/network-proxy-setup.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x -# file: usr/lib/whonix/replace-ips +# file: usr/lib/whonix/init/qubes-firewall-user-script # owner: root # group: root user::rwx group::r-x other::r-x +# file: usr/lib/whonix/messages.yaml +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: usr/lib/whonix/alert # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules b/scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules deleted file mode 100644 index 8bcf97d..0000000 --- a/scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules +++ /dev/null @@ -1 +0,0 @@ -SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip" diff --git a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service new file mode 100644 index 0000000..649fe7a --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service 
@@ -0,0 +1,14 @@
+[Unit]
+Description=Qubes Whonix firewall updater
+After=qubes-whonix-network.service
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=/usr/lib/whonix/init/init.sh
+ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service
new file mode 100644
index 0000000..245e031
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Qubes Whonix network proxy setup
+ConditionPathExists=/var/run/qubes-service/qubes-network
+Before=network.target
+After=qubes-firewall.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh
new file mode 100755
index 0000000..2727847
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+if [ "${WHONIX}" != "template" ]; then
+ # Files that will have the immutable bit set
+ # since we don't want them modified by other programs
+ IMMUTABLE_FILES=(
+ '/etc/resolv.conf'
+ '/etc/hostname'
+ '/etc/hosts'
+ )
+
+ # Make sure all .anondist files in list are immutable
+ immutableFilesEnable "${IMMUTABLE_FILES}"
+ immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
+
+ # Make sure we are using a copy of the annondist file and if not
+ # copy the annondist file and set it immutable
+ copyAnondist "/etc/resolv.conf"
+ copyAnondist "/etc/hosts"
+ copyAnondist "/etc/hostname"
+
+ # Replace IP addresses in known configuration files / scripts to
+ # currently discovered one
+ /usr/lib/whonix/init/replace-ips
+
+ # Make sure hostname is correct
+ /bin/hostname host
+
+ if [ "${WHONIX}" == "gateway" ]; then
+ # Make sure we remove whonixsetup.done if Tor is not enabled
+ # to allow choice of repo and prevent whonixcheck errors
+ grep "^DisableNetwork 0$" /etc/tor/torrc || {
+ rm -f /var/lib/whonix/do_once/whonixsetup.done
+ }
+ fi
+fi
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh
new file mode 100755
index 0000000..a08322d
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+# Or just enable them :)
+#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service'
+#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service'
+#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service'
+
+
+INTERFACE="eth1"
+
+if [ "${WHONIX}" == "gateway" ]; then
+
+ if [ -x /usr/sbin/xenstore-read ]; then
+ XENSTORE_READ="/usr/sbin/xenstore-read"
+ else
+ XENSTORE_READ="/usr/bin/xenstore-read"
+ fi
+
+ # Setup Xen / Qubes proxy
+ network=$(xenstore-read qubes-netvm-network 2>/dev/null)
+ if [ "x$network" != "x" ]; then
+ gateway=$(xenstore-read qubes-netvm-gateway)
+ netmask=$(xenstore-read qubes-netvm-netmask)
+ secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
+ modprobe netbk 2> /dev/null || modprobe xen-netback
+ echo "NS1=$gateway" > /var/run/qubes/qubes-ns
+ echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
+ #/usr/lib/qubes/qubes-setup-dnat-to-ns
+ echo "0" > /proc/sys/net/ipv4/ip_forward
+ /sbin/ethtool -K eth0 sg off || :
+ fi
+
+ # Now, assign it the netvm-gateway IP address
+ ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
+ if [ x${ip} != x ]; then
+ # Create a dummy eth1 interface so tor can bind to it if there
+ # are no DOMU virtual machines connected at the moment
+ /sbin/ip link add ${INTERFACE} type dummy
+
+ netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
+ gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
+ /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
+ /sbin/ifconfig ${INTERFACE} up
+ /sbin/ethtool -K ${INTERFACE} sg off || true
+ /sbin/ethtool -K ${INTERFACE} tx off || true
+
+ ip link set ${INTERFACE} up
+ fi
+
+ echo "0" > /proc/sys/net/ipv4/ip_forward
+
+ # Allow whonix-gateway to act as an update-proxy
+ touch /var/run/qubes-service/qubes-updates-proxy
+ #systemctl stop qubes-updates-proxy.service
+
+ # Search and replace tinyproxy error files so we can inject code that
+ # we can use to identify that its a tor proxy so updates are secure
+ error_file="/usr/share/tinyproxy/default.html"
+ grep -q "${PROXY_META}" "${error_file}" || {
+ sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
+ }
+fi
+
+# Copy firewall script so Qubes will reload it when it reloads
+cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script
new file mode 100755
index 0000000..6863a9e
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script
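Review bot: `/sbin/ip link add ${INTERFACE} type dummy` dropped the `ip link show ${INTERFACE} >> /dev/null || { … }` guard that the deleted setup-ip had, so any second run of this oneshot (a unit restart, or a manual invocation) errors with "File exists" on the dummy interface; restore it as `ip link show "${INTERFACE}" >/dev/null 2>&1 || /sbin/ip link add "${INTERFACE}" type dummy`. The first block still calls bare `xenstore-read` although `XENSTORE_READ` is resolved immediately above it — use the variable so both blocks pick the same binary regardless of PATH. `sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/"` already runs as root from the unit so `sudo` is redundant, and `${PROXY_META}` (presumably set by utility_functions, not visible here) is interpolated unescaped into the sed expression, so a `/` or `&` in it silently corrupts the replacement — escape it or pick a delimiter that cannot occur in the value.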
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+if [ "${WHONIX}" != "template" ]; then
+ # Make sure IP forwarding is disabled
+ echo "0" > /proc/sys/net/ipv4/ip_forward
+
+ if [ -x /usr/sbin/xenstore-read ]; then
+ XENSTORE_READ="/usr/sbin/xenstore-read"
+ else
+ XENSTORE_READ="/usr/bin/xenstore-read"
+ fi
+
+ ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
+
+ # Start Whonix Firewall
+ if [ "${WHONIX}" == "gateway" ]; then
+ export INT_IF="vif+"
+ export INT_TIF="vif+"
+
+ # Inject custom firewall rules into whonix_firewall
+ sed -i -f - /usr/bin/whonix_firewall <<-EOF
+/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
+## IPv4 DROP INVALID INCOMING PACKAGES \\
+## \\
+## --- THE FOLLOWING WS INJECTED --- \\
+## Qubes Tiny Proxy Updater \\
+iptables -t nat -N PR-QBS-SERVICES \\
+iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
+iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
+iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
+iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
+\\
+# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
+# Allows localhost access to tor network \\
+iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
+######################################
+EOF
+ fi
+
+ # Load the firewall
+ # XXX: TODO: Take down all network accesss if firewall fails
+ /usr/bin/whonix_firewall
+
+ systemctl restart qubes-updates-proxy.service
+fi
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/replace-ips
similarity index 100%
rename from scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips
rename to scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/replace-ips
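Review bot: The sed `c \` over the range `/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######…/` replaces the entire range in /usr/bin/whonix_firewall, so whatever rules sit between that heading and the separator in the packaged script (by the heading's name, the drop-invalid-packet rules) are deleted on every firewall load rather than merely preceded by the proxy rules. Insert instead of replace — anchor on the heading with `/^## IPv4 DROP INVALID INCOMING PACKAGES/i \` and drop the duplicated heading and separator lines from the heredoc — and make re-runs idempotent with `grep -q 'Qubes Tiny Proxy Updater' /usr/bin/whonix_firewall ||` in front of the sed. `${ip}` comes from `xenstore-read … 2> /dev/null` and is never checked, so an empty result bakes `iptables -t nat -A OUTPUT -s -d -j DNAT …` into the script and that rule fails at load time; add `[ -n "${ip}" ] || exit 1` before the injection. The unchecked `/usr/bin/whonix_firewall` exit status (the TODO) still leaves a failed load fail-open, so at least `|| exit 1` would let the calling unit register the failure.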
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip
deleted file mode 100755
index 989ccd8..0000000
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/bin/bash
-
-. /usr/lib/whonix/utility_functions
-
-if [ "${WHONIX}" == "gateway" ]; then
- if [ -x /usr/sbin/xenstore-read ]; then
- XENSTORE_READ="/usr/sbin/xenstore-read"
- else
- XENSTORE_READ="/usr/bin/xenstore-read"
- fi
-
- INTERFACE="eth1"
- ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
-
- # Create a dummy eth1 interface so tor can bind to it if there
- # are no DOMU virtual machines connected at the moment
- ip link show ${INTERFACE} >> /dev/null || {
- /sbin/ip link add ${INTERFACE} type dummy
-
- # Now, assign it the netvm-gateway IP address
- if [ x${ip} != x ]; then
- netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
- gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
- /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
- /sbin/ifconfig ${INTERFACE} up
- /sbin/ethtool -K ${INTERFACE} sg off || true
- /sbin/ethtool -K ${INTERFACE} tx off || true
- fi
-
- ip link set ${INTERFACE} up
- }
-fi
-
-if [ "${WHONIX}" != "template" ]; then
- # Files that will have the immutable bit set
- # since we don't want them modified by other programs
- IMMUTABLE_FILES=(
- '/etc/resolv.conf'
- '/etc/hostname'
- '/etc/hosts'
- )
-
- # Make sure all .anondist files in list are immutable
- immutableFilesEnable "${IMMUTABLE_FILES}"
- immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
-
- # Make sure we are using a copy of the annondist file and if not
- # copy the annondist file and set it immutable
- copyAnondist "/etc/resolv.conf"
- copyAnondist "/etc/hosts"
- copyAnondist "/etc/hostname"
-
- # Replace IP addresses in known configuration files / scripts to
- # currently discovered one
- /usr/lib/whonix/replace-ips
-
- # Make sure hostname is correct
- /bin/hostname host
-
- # Start Whonix Firewall
- if [ "${WHONIX}" == "gateway" ]; then
- export INT_IF="vif+"
- export INT_TIF="vif+"
- fi
- /usr/bin/whonix_firewall
-
- if [ "${WHONIX}" == "gateway" ]; then
- # Route any traffic FROM netvm TO netvm BACK-TO localhost
- # Allows localhost access to tor network
- iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
- fi
-
- # Make sure we remove whonixsetup.done if Tor is not enabled
- # to allow choice of repo and prevent whonixcheck errors
- grep "^DisableNetwork 0$" /etc/tor/torrc || {
- rm -f /var/lib/whonix/do_once/whonixsetup.done
- }
-fi