debian: Completely refactored Debian and Whonix

- New refactor allow qubuntu to share most of Debian's codebase
- Installation now more closely mimics Debian's installation methods
- Added a shared functions lib named distributions.sh
- Any portions of Whonix that may need to be updatable have been moved
  to a new package named qubes-whonix which will be updatable via Debian
  package manager.  qubes-whonix is also added as part of installation
  process
This commit is contained in:
Jason Mehring 2015-02-10 10:18:02 -05:00
parent d6b87ecacb
commit 78a903b1f7
80 changed files with 1409 additions and 2833 deletions


@ -1,3 +1,5 @@
gnome-terminal.desktop
nautilus.desktop
org.gnome.Nautilus.desktop
iceweasel.desktop
icedove.desktop
yelp.desktop


@ -1,3 +1,5 @@
gnome-terminal.desktop
iceweasel.desktop
icedove.desktop
nautilus.desktop
yelp.desktop


@ -1,45 +1,82 @@
#!/bin/bash -x
#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
source "${SCRIPTSDIR}/vars.sh"
source "${SCRIPTSDIR}/distribution.sh"
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
INSTALLDIR="$(readlink -m mnt)"
umount_kill "${INSTALLDIR}" || :
# ------------------------------------------------------------------------------
# Make sure ${INSTALLDIR} is not mounted
umount_all "${INSTALLDIR}" || true
# ==============================================================================
# Execute any template flavor or sub flavor 'pre' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "pre"
# ==============================================================================
buildStep "${0}" "pre"
# ------------------------------------------------------------------------------
# Force overwrite of an existing image for now if debootstrap did not seem to complete...
# ------------------------------------------------------------------------------
debug "Determine if ${IMG} should be reused or deleted..."
if [ -f "${IMG}" ]; then
# Assume a failed debootstrap installation if .prepare_debootstrap does not exist
# ==============================================================================
# Use a snapshot of the debootstraped debian image
# ==============================================================================
manage_snapshot() {
local snapshot="${1}"
umount_kill "${INSTALLDIR}" || true
mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1
if ! [ -f "${INSTALLDIR}/tmp/.prepared_debootstrap" ]; then
warn "Last build failed. Deleting ${IMG}"
rm -f "${IMG}"
# Remove old snapshots if groups completed
if [ -e "${INSTALLDIR}/${TMPDIR}/.prepared_groups" ]; then
outputc stout "Removing stale snapshots"
umount_kill "${INSTALLDIR}" || true
rm -rf "${debootstrap_snapshot}"
rm -rf "${packages_snapshot}"
return
fi
# Umount image; don't fail if its already umounted
umount_kill "${INSTALLDIR}" || :
outputc stout "Replacing ${IMG} with snapshot ${snapshot}"
umount_kill "${INSTALLDIR}" || true
cp -f "${snapshot}" "${IMG}"
}
# ==============================================================================
# Determine if a snapshot should be used, reuse an existing image or
# delete the existing image to start fresh based on configuration options
#
# SNAPSHOT=1 - Use snapshots; Will remove after successful build
# If debootstrap did not complete, the existing image will be deleted
# ==============================================================================
splitPath "${IMG}" path_parts
packages_snapshot="${path_parts[dir]}${path_parts[base]}-packages${path_parts[dotext]}"
debootstrap_snapshot="${path_parts[dir]}${path_parts[base]}-debootstrap${path_parts[dotext]}"
if [ -f "${IMG}" ]; then
if [ -f "${packages_snapshot}" -a "${SNAPSHOT}" == "1" ]; then
# Use 'packages' snapshot
manage_snapshot "${packages_snapshot}"
elif [ -f "${debootstrap_snapshot}" -a "${SNAPSHOT}" == "1" ]; then
# Use 'debootstrap' snapshot
manage_snapshot "${debootstrap_snapshot}"
else
# Use '$IMG' if debootstrap did not fail
mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1
# Assume a failed debootstrap installation if .prepared_debootstrap does not exist
if [ -e "${INSTALLDIR}/${TMPDIR}/.prepared_debootstrap" ]; then
debug "Reusing existing image ${IMG}"
else
outputc stout "Removing stale or incomplete ${IMG}"
umount_kill "${INSTALLDIR}" || true
rm -f "${IMG}"
fi
# Umount image; don't fail if its already umounted
umount_kill "${INSTALLDIR}" || true
fi
fi
# ------------------------------------------------------------------------------
# ==============================================================================
# Execute any template flavor or sub flavor 'post' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "post"
# ==============================================================================
buildStep "${0}" "post"
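Review bot: Error handling in this script now rests solely on the `#!/bin/bash -e` shebang, which is silently dropped when the file is run as `bash script.sh` or sourced, and the removed VERBOSE/DEBUG block was the only `set -e` in the body; add `set -e` (ideally `set -eo pipefail`) directly after the two `source` lines, and the same applies to every other script in this commit. In the snapshot selection, `[ -f "${packages_snapshot}" -a "${SNAPSHOT}" == "1" ]` uses the deprecated `-a`; prefer `[[ -f "${packages_snapshot}" && "${SNAPSHOT}" == "1" ]]` (same for the `debootstrap_snapshot` branch). `manage_snapshot` also reads `debootstrap_snapshot` and `packages_snapshot`, which are only assigned below the function; that works because they are set before the call, but a comment such as `# relies on packages_snapshot/debootstrap_snapshot being set below, before the call` would save the next reader a search. `rm -rf "${debootstrap_snapshot}"` and the sibling line should use `rm -rf -- "${...}"`, since a failed `splitPath` would leave a name starting with `-`.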


@ -1,38 +1,71 @@
#!/bin/sh
#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
source "${SCRIPTSDIR}/vars.sh"
source "${SCRIPTSDIR}/distribution.sh"
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
##### '-------------------------------------------------------------------------
debug ' Installing base system using debootstrap'
##### '-------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# ==============================================================================
# Execute any template flavor or sub flavor 'pre' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "pre"
# ==============================================================================
buildStep "${0}" "pre"
# ------------------------------------------------------------------------------
# Install base debian system
# ------------------------------------------------------------------------------
if ! [ -f "${INSTALLDIR}/tmp/.prepared_debootstrap" ]; then
debug "Installing base ${DEBIANVERSION} system"
COMPONENTS="" debootstrap --arch=amd64 --include=ncurses-term \
--components=main --keyring="${SCRIPTSDIR}/keys/${DEBIANVERSION}-debian-archive-keyring.gpg" \
"${DEBIANVERSION}" "${INSTALLDIR}" "${DEBIAN_MIRROR}" || { error "Debootstrap failed!"; exit 1; }
chroot "${INSTALLDIR}" chmod 0666 "/dev/null"
touch "${INSTALLDIR}/tmp/.prepared_debootstrap"
if ! [ -f "${INSTALLDIR}/${TMPDIR}/.prepared_debootstrap" ]; then
if [ "${LXC_ENABLE}" == "1" ]; then
#### "------------------------------------------------------------------
info " $(templateName): LXC: Installing base '${DISTRIBUTION}-${DIST}' system"
#### "------------------------------------------------------------------
lxc-create -P "${LXC_DIR}" --dir="${INSTALLDIR}" -t download -n "${DIST}" -- \
--dist "${DISTRIBUTION}" --release "${DIST}" --arch amd64
else
#### "------------------------------------------------------------------
info " $(templateName): Installing base '${DISTRIBUTION}-${DIST}' system"
#### "------------------------------------------------------------------
COMPONENTS="" debootstrap \
--arch=amd64 \
--include="ncurses-term locales tasksel" \
--components=main \
--keyring="${SCRIPTSDIR}/keys/${DIST}-${DISTRIBUTION}-archive-keyring.gpg" \
"${DIST}" "${INSTALLDIR}" "${DEBIAN_MIRROR}" || {
error "Debootstrap failed!";
exit 1;
}
fi
#### '----------------------------------------------------------------------
info ' Configure keyboard'
#### '----------------------------------------------------------------------
configureKeyboard
#### '----------------------------------------------------------------------
info ' Update locales'
#### '----------------------------------------------------------------------
updateLocale
#### '----------------------------------------------------------------------
info 'Link mtab'
#### '----------------------------------------------------------------------
chroot rm -f /etc/mtab
chroot ln -s /proc/self/mounts /etc/mtab
# TMPDIR is set in vars. /tmp should not be used since it will be cleared
# if building template with LXC contaniners on a reboot
mkdir -p "${INSTALLDIR}/${TMPDIR}"
# Mark section as complete
touch "${INSTALLDIR}/${TMPDIR}/.prepared_debootstrap"
# If SNAPSHOT=1, Create a snapshot of the already debootstraped image
createSnapshot "debootstrap"
fi
# ------------------------------------------------------------------------------
# ==============================================================================
# Execute any template flavor or sub flavor 'post' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "post"
# ==============================================================================
buildStep "${0}" "post"
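Review bot: The two bootstrap branches carry different trust roots: the debootstrap path pins `--keyring="${SCRIPTSDIR}/keys/${DIST}-${DISTRIBUTION}-archive-keyring.gpg"` shipped in this repo, whereas the `lxc-create ... -t download` path fetches a prebuilt rootfs and, as far as I recall, the download template validates it against a signing key obtained from a keyserver by default rather than a key bundled here. That difference should at least be recorded above the LXC branch, e.g. `# NOTE: rootfs comes from the lxc download template; image trust is whatever its GPG validation provides, not our bundled keyring`, or the template's key options should be pinned so both paths verify against the same material. The `lxc-create` call also lacks the `|| { error ...; exit 1; }` handler the debootstrap branch has, so a failure there exits via `-e` with no diagnostic. Separately, `TMPDIR` is a well-known environment variable consumed by mktemp and similar tools; if vars.sh exports it with a chroot-relative path, host-side commands in these scripts could be affected, which is worth confirming.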


@ -1,201 +1,84 @@
#!/bin/sh
#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
source "${SCRIPTSDIR}/vars.sh"
source "${SCRIPTSDIR}/distribution.sh"
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
##### "=========================================================================
debug " Configuring and Installing packages for ${DIST}"
##### "=========================================================================
# ------------------------------------------------------------------------------
# If .prepared_debootstrap has not been completed, don't continue
# ------------------------------------------------------------------------------
if ! [ -f "${INSTALLDIR}/tmp/.prepared_debootstrap" ]; then
error "prepared_debootstrap installataion has not completed!... Exiting"
umount_kill "${INSTALLDIR}" || :
exit 1
fi
exitOnNoFile "${INSTALLDIR}/${TMPDIR}/.prepared_debootstrap" "prepared_debootstrap installataion has not completed!... Exiting"
# ------------------------------------------------------------------------------
# Mount system mount points
# ------------------------------------------------------------------------------
for fs in /dev /dev/pts /proc /sys; do mount -B $fs "${INSTALLDIR}/$fs"; done
mount -t tmpfs none "${INSTALLDIR}/run"
# Create system mount points
prepareChroot
# ------------------------------------------------------------------------------
# Make sure there is a resolv.conf with network of this AppVM for building
createResolvConf
# ==============================================================================
# Execute any template flavor or sub flavor 'pre' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "pre"
# ==============================================================================
buildStep "${0}" "pre"
if ! [ -f "${INSTALLDIR}/tmp/.prepared_groups" ]; then
# ------------------------------------------------------------------------------
# Cleanup function
# ------------------------------------------------------------------------------
function cleanup() {
error "Install groups error and umount"
rm -f "${INSTALLDIR}/usr/sbin/policy-rc.d"
umount_kill "${INSTALLDIR}" || :
exit 1
}
# ==============================================================================
# Configure base system and install any adddtional packages which could
# include +TEMPLATE_FLAVOR such as gnome as set in configuration file
# ==============================================================================
if ! [ -f "${INSTALLDIR}/${TMPDIR}/.prepared_groups" ]; then
#### '----------------------------------------------------------------------
info ' Trap ERR and EXIT signals and cleanup (umount)'
#### '----------------------------------------------------------------------
trap cleanup ERR
trap cleanup EXIT
# ------------------------------------------------------------------------------
# Set up a temporary policy-rc.d to prevent apt from starting services
# on package installation
# ------------------------------------------------------------------------------
cat > "${INSTALLDIR}/usr/sbin/policy-rc.d" <<EOF
#!/bin/sh
return 101 # Action forbidden by policy
EOF
chmod 755 "${INSTALLDIR}/usr/sbin/policy-rc.d"
# ------------------------------------------------------------------------------
# Ensure umask set in /etc/login.defs is used (022)
# ------------------------------------------------------------------------------
echo "session optional pam_umask.so" >> "${INSTALLDIR}/etc/pam.d/common-session"
# ------------------------------------------------------------------------------
# Add debian security repository
# ------------------------------------------------------------------------------
debug "Adding debian-security repository."
source="deb http://security.debian.org ${DEBIANVERSION}/updates main"
if ! grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*; then
touch "${INSTALLDIR}/etc/apt/sources.list"
echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list"
fi
source="deb-src http://security.debian.org ${DEBIANVERSION}/updates main"
if ! grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*; then
touch "${INSTALLDIR}/etc/apt/sources.list"
echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list"
#### '----------------------------------------------------------------------
info 'Install standard Debian packages'
#### '----------------------------------------------------------------------
if ! [ -f "${INSTALLDIR}/${TMPDIR}/.debian_packages" ]; then
packages="$(chroot tasksel --new-install --task-packages standard)"
aptInstall ${packages}
touch "${INSTALLDIR}/${TMPDIR}/.debian_packages"
fi
# ------------------------------------------------------------------------------
# Upgrade system
# ------------------------------------------------------------------------------
debug "Upgrading system"
chroot "${INSTALLDIR}" apt-get update
true "${stout}"
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} dist-upgrade
#### '----------------------------------------------------------------------
info ' Distribution specific steps (install systemd, add sources, etc)'
#### '----------------------------------------------------------------------
buildStep "$0" "${DIST}"
# ------------------------------------------------------------------------------
# Configure keyboard
# ------------------------------------------------------------------------------
debug "Setting keyboard layout"
chroot "${INSTALLDIR}" debconf-set-selections <<EOF
keyboard-configuration keyboard-configuration/variant select English (US)
keyboard-configuration keyboard-configuration/layout select English (US)
keyboard-configuration keyboard-configuration/model select Generic 105-key (Intl) PC
keyboard-configuration keyboard-configuration/modelcode string pc105
keyboard-configuration keyboard-configuration/layoutcode string us
keyboard-configuration keyboard-configuration/variantcode string
keyboard-configuration keyboard-configuration/optionscode string
EOF
#### '----------------------------------------------------------------------
info " Installing extra packages in script_${DIST}/packages.list file"
#### '----------------------------------------------------------------------
installPackages
createSnapshot "packages"
touch "${INSTALLDIR}/${TMPDIR}/.prepared_packages"
# ------------------------------------------------------------------------------
# Install extra packages in script_${DEBIANVERSION}/packages.list file
# -and / or- TEMPLATE_FLAVOR directories
# ------------------------------------------------------------------------------
getFileLocations packages_list "packages.list" "${DIST}"
if [ -z "${packages_list}" ]; then
error "Can not locate a package.list file!"
umount_kill "${INSTALLDIR}" || :
exit 1
fi
for package_list in ${packages_list[@]}; do
debug "Installing extra packages from: ${package_list}"
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
xargs chroot ${INSTALLDIR} apt-get ${APT_GET_OPTIONS} install < "${package_list}"
done
# ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor scripts after packages are installed
# (Whonix needs dependancies installed before installation)
# ------------------------------------------------------------------------------
#### '----------------------------------------------------------------------
info ' Execute any template flavor or sub flavor scripts after packages are installed'
#### '----------------------------------------------------------------------
buildStep "$0" "packages_installed"
# ------------------------------------------------------------------------------
# Install systemd
# ------------------------------------------------------------------------------
# - sysvinit gives problems with qubes initramfs, we depend on systemd
# for now. Apt *really* doesn't want to replace sysvinit in wheezy.
# For jessie and newer, sysvinit is provided by sysvinit-core which
# is not an essential package.
# ------------------------------------------------------------------------------
debug "Installing systemd for debian (${DEBIANVERSION})"
if [ "${DEBIANVERSION}" == "wheezy" ]; then
echo 'Yes, do as I say!' | DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} remove sysvinit
else
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} remove sysvinit
fi
#### '----------------------------------------------------------------------
info ' apt-get dist-upgrade'
#### '----------------------------------------------------------------------
aptDistUpgrade
# Prevent sysvinit from being re-installed
debug "Preventing sysvinit re-installation"
chroot "${INSTALLDIR}" apt-mark hold sysvinit
# Pin sysvinit to prevent being re-installed
cat > "${INSTALLDIR}/etc/apt/preferences.d/qubes_sysvinit" <<EOF
Package: sysvinit
Pin: version *
Pin-Priority: -100
EOF
chmod 0644 "${INSTALLDIR}/etc/apt/preferences.d/qubes_sysvinit"
chroot "${INSTALLDIR}" apt-get update
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} install systemd-sysv
# ------------------------------------------------------------------------------
# Set multu-user.target as the default target (runlevel 3)
# ------------------------------------------------------------------------------
chroot "${INSTALLDIR}" rm -f /etc/systemd/system/default.target
chroot "${INSTALLDIR}" ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
# ------------------------------------------------------------------------------
# Qubes is now being built with some SID packages; grab backport for wheezy
# ------------------------------------------------------------------------------
if [ "${DEBIANVERSION}" == "wheezy" ]; then
debug "Adding wheezy backports repository."
source="deb ${DEBIAN_MIRROR} wheezy-backports main"
if ! grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*; then
touch "${INSTALLDIR}/etc/apt/sources.list"
echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list"
fi
chroot ${INSTALLDIR} apt-get update
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot ${INSTALLDIR} apt-get ${APT_GET_OPTIONS} -t wheezy-backports install init-system-helpers
fi
# ------------------------------------------------------------------------------
# Cleanup
# ------------------------------------------------------------------------------
# Remove temporary policy layer so services can start normally in the
# deployed template.
rm -f "${INSTALLDIR}/usr/sbin/policy-rc.d"
touch "${INSTALLDIR}/tmp/.prepared_groups"
#### '----------------------------------------------------------------------
info ' Cleanup'
#### '----------------------------------------------------------------------
touch "${INSTALLDIR}/${TMPDIR}/.prepared_groups"
trap - ERR EXIT
trap
# Kill all processes and umount all mounts within ${INSTALLDIR},
# but not ${INSTALLDIR} itself (extra '/' prevents ${INSTALLDIR} from being
# umounted itself)
umount_kill "${INSTALLDIR}/" || :
fi
# ------------------------------------------------------------------------------
# ==============================================================================
# Execute any template flavor or sub flavor 'post' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "post"
# ==============================================================================
buildStep "${0}" "post"
# ==============================================================================
# Kill all processes and umount all mounts within ${INSTALLDIR}, but not
# ${INSTALLDIR} itself (extra '/' prevents ${INSTALLDIR} from being umounted)
# ==============================================================================
umount_all "${INSTALLDIR}/" || true
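Review bot: The temporary `policy-rc.d` (exit 101) that kept apt from starting services inside the chroot during package installation, and the `pam_umask.so` line appended to `common-session`, both disappear from this file, and nothing on the new side (`prepareChroot`, `aptInstall`, `installPackages`) visibly replaces them; unless they were moved into distribution.sh, services will now be started inside the build chroot on install and the umask hardening is lost. Likewise `trap cleanup ERR` and `trap cleanup EXIT` now reference a `cleanup` no longer defined in this file, so it must be provided by distribution.sh or the trap runs a missing command on every error. The bare `trap` after `trap - ERR EXIT` only prints the current trap list and looks like a debugging leftover; drop it. `aptInstall ${packages}` relies on word-splitting of the tasksel output, which is presumably intended, so mark it: `aptInstall ${packages}  # unquoted on purpose: split tasksel output into package names`.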


@ -0,0 +1,36 @@
#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
source "${SCRIPTSDIR}/vars.sh"
source "${SCRIPTSDIR}/distribution.sh"
##### "=========================================================================
debug " Installing custom packages and customizing ${DIST}"
##### "=========================================================================
#### '--------------------------------------------------------------------------
info ' Adding contrib, non-free and Debian security to repository.'
#### '--------------------------------------------------------------------------
updateDebianSourceList
aptUpdate
##### '=========================================================================
debug ' Replacing sysvinit with systemd'
##### '=========================================================================
#### '--------------------------------------------------------------------------
info ' Remove sysvinit'
#### '--------------------------------------------------------------------------
aptRemove sysvinit
#### '--------------------------------------------------------------------------
info ' Install Systemd'
#### '--------------------------------------------------------------------------
aptUpdate
aptInstall systemd-sysv
#### '--------------------------------------------------------------------------
info ' Set multu-user.target as the default target (runlevel 3)'
#### '--------------------------------------------------------------------------
chroot rm -f /etc/systemd/system/default.target
chroot ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
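Review bot: The log line `info ' Set multu-user.target as the default target (runlevel 3)'` misspells the target; change it to `multi-user.target` (the wheezy script has the same typo). The second `aptUpdate` right after `aptRemove sysvinit` appears redundant, since no sources change between the `aptUpdate` that follows `updateDebianSourceList` and `aptInstall systemd-sysv`; if it is deliberate, a one-line comment saying why would help. Removing sysvinit before systemd-sysv is installed leaves the chroot with no init if the install step fails and `-e` aborts, so either note above `aptRemove sysvinit` that the `aptInstall` must follow immediately, or, if the helpers allow it, perform both in a single apt transaction.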


@ -0,0 +1,89 @@
#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
source "${SCRIPTSDIR}/vars.sh"
source "${SCRIPTSDIR}/distribution.sh"
##### "=========================================================================
debug " Installing custom packages and customizing ${DIST}"
##### "=========================================================================
#### '--------------------------------------------------------------------------
info ' Adding contrib, non-free and Debian security to repository.'
#### '--------------------------------------------------------------------------
updateDebianSourceList
#### '----------------------------------------------------------------------
info ' Adding wheezy backports repository.'
#### '----------------------------------------------------------------------
source="deb ${DEBIAN_MIRROR} wheezy-backports main"
if ! grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*; then
touch "${INSTALLDIR}/etc/apt/sources.list"
echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list"
fi
aptUpdate
##### '=========================================================================
debug ' Replace sysvinit with systemd'
##### '=========================================================================
#### '----------------------------------------------------------------------
info ' Remove sysvinit'
#### '----------------------------------------------------------------------
echo 'Yes, do as I say!' | aptRemove sysvinit
#### '----------------------------------------------------------------------
info ' Preventing sysvinit re-installation'
#### '----------------------------------------------------------------------
chroot apt-mark hold sysvinit
#### '----------------------------------------------------------------------
info ' Pin sysvinit to prevent being re-installed'
#### '----------------------------------------------------------------------
cat > "${INSTALLDIR}/etc/apt/preferences.d/qubes_sysvinit" <<EOF
Package: sysvinit
Pin: version *
Pin-Priority: -100
EOF
chmod 0644 "${INSTALLDIR}/etc/apt/preferences.d/qubes_sysvinit"
#### '----------------------------------------------------------------------
info ' Install Systemd'
#### '----------------------------------------------------------------------
aptUpdate
aptInstall systemd-sysv
#### '----------------------------------------------------------------------
info ' Set multu-user.target as the default target (runlevel 3)'
#### '----------------------------------------------------------------------
chroot rm -f /etc/systemd/system/default.target
chroot ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
# ==============================================================================
# Install backports
#
# NOTE: This needs to be done after systemd has been installed or risk backport
# being un-installed
# ==============================================================================
#### '----------------------------------------------------------------------
info ' Installing init-system-helpers'
#### '----------------------------------------------------------------------
aptUpdate
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot apt-get ${APT_GET_OPTIONS} -t wheezy-backports install init-system-helpers
#### '----------------------------------------------------------------------
info ' Installing pulseaudo backport'
#### '----------------------------------------------------------------------
# /usr/lib/pulse-4.0/modules/
# start-pulseaudio-with-vchan
#DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
# chroot apt-get ${APT_GET_OPTIONS} -t wheezy-backports install pulseaudio \
# libpulse0 \
# pulseaudio-utils \
# libpulse-mainloop-glib0 \
# pulseaudio-module-x11
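Review bot: `grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*` treats the mirror URL as a regular expression, so the dots in `${DEBIAN_MIRROR}` match any character and a value starting with `-` would be parsed as an option; use `grep -F -q -- "$source" "${INSTALLDIR}/etc/apt/sources.list"*` (`-r` is unnecessary with explicit file arguments). The `info ' Installing pulseaudo backport'` heading is followed only by commented-out commands, so the build log announces a step that does not run; drop the heading or comment it out with the block, and fix the `pulseaudo` spelling if it stays. Naming the variable `source` is legal but confusing next to the `source` builtin used at the top of the file; `backports_line` would be clearer.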


@ -1,154 +1,61 @@
#!/bin/sh
#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
source "${SCRIPTSDIR}/vars.sh"
source "${SCRIPTSDIR}/distribution.sh"
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
##### '-------------------------------------------------------------------------
debug ' Installing Qubes packages'
##### '-------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# If .prepared_groups has not been completed, don't continue
# ------------------------------------------------------------------------------
if ! [ -f "${INSTALLDIR}/tmp/.prepared_groups" ]; then
error "prepared_groups installataion has not completed!... Exiting"
exit 1
fi
# If .prepared_debootstrap has not been completed, don't continue
exitOnNoFile "${INSTALLDIR}/${TMPDIR}/.prepared_groups" "prepared_groups installataion has not completed!... Exiting"
# ------------------------------------------------------------------------------
# Mount system mount points
# ------------------------------------------------------------------------------
for fs in /dev /dev/pts /proc /sys; do mount -B $fs "${INSTALLDIR}/$fs"; done
mount -t tmpfs none "${INSTALLDIR}/run"
# Create system mount points
prepareChroot
# ------------------------------------------------------------------------------
# ==============================================================================
# Execute any template flavor or sub flavor 'pre' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "pre"
# ==============================================================================
buildStep "${0}" "pre"
# ------------------------------------------------------------------------------
# Install Qubes Packages
# ------------------------------------------------------------------------------
if ! [ -f "${INSTALLDIR}/tmp/.prepared_qubes" ]; then
debug "Installing qbues modules"
if ! [ -f "${INSTALLDIR}/${TMPDIR}/.prepared_qubes" ]; then
#### '----------------------------------------------------------------------
info ' Trap ERR and EXIT signals and cleanup (umount)'
#### '----------------------------------------------------------------------
trap cleanup ERR
trap cleanup EXIT
# --------------------------------------------------------------------------
# Set up a temporary policy-rc.d to prevent apt from starting services
# on package installation
# --------------------------------------------------------------------------
cat > "${INSTALLCHROOT}/usr/sbin/policy-rc.d" <<EOF
#!/bin/sh
return 101 # Action forbidden by policy
EOF
chmod 755 ${INSTALLCHROOT}/usr/sbin/policy-rc.d
#### '----------------------------------------------------------------------
info ' Install Qubes packages listed in packages_qubes.list file(s)'
#### '----------------------------------------------------------------------
installQubesRepo
aptUpdate
installPackages packages_qubes.list
uninstallQubesRepo
# --------------------------------------------------------------------------
# Generate locales
# --------------------------------------------------------------------------
debug "Generate locales"
echo "en_US.UTF-8 UTF-8" >> "${INSTALLDIR}/etc/locale.gen"
chroot "${INSTALLDIR}" locale-gen
chroot "${INSTALLDIR}" update-locale LANG=en_US.UTF-8
#### '----------------------------------------------------------------------
info ' Re-update locales'
# Locales get reset during package installation sometimes
#### '----------------------------------------------------------------------
updateLocale
# --------------------------------------------------------------------------
# Link mtab
# --------------------------------------------------------------------------
rm -f "${INSTALLDIR}/etc/mtab"
ln -s "../proc/self/mounts" "${INSTALLDIR}/etc/mtab"
# --------------------------------------------------------------------------
# Start of Qubes package installation
# --------------------------------------------------------------------------
debug "Installing qubes packages"
export CUSTOMREPO="${PWD}/yum_repo_qubes/${DIST}"
# --------------------------------------------------------------------------
# Install keyrings
# --------------------------------------------------------------------------
if ! [ -e "${CACHEDIR}/repo-secring.gpg" ]; then
mkdir -p "${CACHEDIR}"
gpg --gen-key --batch <<EOF
Key-Type: RSA
Key-Length: 1024
Key-Usage: sign
Name-Real: Qubes builder
Expire-Date: 0
%pubring ${CACHEDIR}/repo-pubring.gpg
%secring ${CACHEDIR}/repo-secring.gpg
%commit
EOF
fi
gpg -abs --no-default-keyring \
--secret-keyring "${CACHEDIR}/repo-secring.gpg" \
--keyring "${CACHEDIR}/repo-pubring.gpg" \
-o "${CUSTOMREPO}/dists/${DIST}/Release.gpg" \
"${CUSTOMREPO}/dists/${DIST}/Release"
cp "${CACHEDIR}/repo-pubring.gpg" "${INSTALLDIR}/etc/apt/trusted.gpg.d/qubes-builder.gpg"
# --------------------------------------------------------------------------
# Mount local qubes_repo
# --------------------------------------------------------------------------
mkdir -p "${INSTALLDIR}/tmp/qubes_repo"
mount --bind "${CUSTOMREPO}" "${INSTALLDIR}/tmp/qubes_repo"
# --------------------------------------------------------------------------
# Include qubes repo for apt
# --------------------------------------------------------------------------
cat > "${INSTALLDIR}/etc/apt/sources.list.d/qubes-builder.list" <<EOF
deb file:/tmp/qubes_repo ${DEBIANVERSION} main
EOF
# --------------------------------------------------------------------------
# Update system; exit is not successful
# --------------------------------------------------------------------------
chroot "${INSTALLDIR}" apt-get update || { umount_kill "${INSTALLDIR}"; exit 1; }
# --------------------------------------------------------------------------
# Install Qubes packages
# --------------------------------------------------------------------------
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} install $(cat ${SCRIPTSDIR}/packages_qubes.list) || \
{ umount_kill "${INSTALLDIR}"; exit 1; }
# --------------------------------------------------------------------------
# Remove Qubes Builder repo from sources.list.d
# --------------------------------------------------------------------------
umount_kill "${INSTALLDIR}/tmp/qubes_repo"
rm -f "${INSTALLDIR}/etc/apt/sources.list.d/qubes-builder.list"
chroot "${INSTALLDIR}" apt-get update || exit 1
# --------------------------------------------------------------------------
# Remove temporary policy layer so services can start normally in the
# deployed template.
# --------------------------------------------------------------------------
rm -f "${INSTALLDIR}/usr/sbin/policy-rc.d"
# --------------------------------------------------------------------------
# Copy extra files to installation directory. Contains:
# - font fixes for display issues
# --------------------------------------------------------------------------
copyTree "qubes-files" "${SCRIPTSDIR}" "${INSTALLDIR}"
touch "${INSTALLDIR}/tmp/.prepared_qubes"
#### '----------------------------------------------------------------------
info ' Cleanup'
#### '----------------------------------------------------------------------
umount_all "${INSTALLDIR}/" || true
touch "${INSTALLDIR}/${TMPDIR}/.prepared_qubes"
trap - ERR EXIT
trap
fi
# ------------------------------------------------------------------------------
# ==============================================================================
# Execute any template flavor or sub flavor 'post' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "post"
# ==============================================================================
buildStep "${0}" "post"
# ------------------------------------------------------------------------------
# ==============================================================================
# Kill all processes and umount all mounts within ${INSTALLDIR}, but not
# ${INSTALLDIR} itself (extra '/' prevents ${INSTALLDIR} from being umounted itself)
# ------------------------------------------------------------------------------
umount_kill "${INSTALLDIR}/" || :
# ${INSTALLDIR} itself (extra '/' prevents ${INSTALLDIR} from being umounted)
# ==============================================================================
umount_all "${INSTALLDIR}/" || true


@ -1,33 +1,27 @@
#!/bin/sh
#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
source "${SCRIPTSDIR}/vars.sh"
source "${SCRIPTSDIR}/distribution.sh"
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
##### '=========================================================================
debug ' Cleaning up...'
##### '=========================================================================
# ------------------------------------------------------------------------------
# ==============================================================================
# Execute any template flavor or sub flavor 'pre' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "pre"
# ==============================================================================
buildStep "${0}" "pre"
# ------------------------------------------------------------------------------
# Cleanup any left over files from installation
# ------------------------------------------------------------------------------
#### '-------------------------------------------------------------------------
info ' Cleaning up any left over files from installation'
#### '-------------------------------------------------------------------------
rm -rf "${INSTALLDIR}/var/cache/apt/archives/*"
rm -f "${INSTALLDIR}/etc/apt/sources.list.d/qubes-builder.list"
rm -f "${INSTALLDIR}/etc/apt/trusted.gpg.d/qubes-builder.gpg"
rm -rf "${INSTALLDIR}/${TMPDIR}"
# ------------------------------------------------------------------------------
# ==============================================================================
# Execute any template flavor or sub flavor 'post' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "post"
# ==============================================================================
buildStep "${0}" "post"
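Review bot: The glob in `rm -rf "${INSTALLDIR}/var/cache/apt/archives/*"` sits inside the double quotes, so it is never expanded and the line removes nothing; the downloaded .deb files stay inside the template image. Write it as `rm -rf -- "${INSTALLDIR:?}/var/cache/apt/archives/"*` (or call `chroot apt-get clean`). The following `rm -rf "${INSTALLDIR}/${TMPDIR}"` runs as root on the build host and, with INSTALLDIR unset or empty, would resolve to the host path `/${TMPDIR}`; `${INSTALLDIR:?}` aborts in that case, which the `-e` in the shebang alone does not. Removing qubes-builder.list and qubes-builder.gpg here is the right call, since the build-time signing key that installKeyrings drops into trusted.gpg.d must not stay trusted in the shipped template.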

75
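--- /dev/null
+++ b/scripts_debian/NOTES
@@ -0,0 +1,75 @@
+issues
+------
+Think it makes most sense to run whonix setup right after qubes, then whonix can install qubes-whonix last.
+hook into bfore qubes removes its links to repo
+installing whonix after qubes-whonix; wq thinks its a template; tries to use proxy. Need to add
+a chroot option maybe' touch /var/run/qubes/qubes-service/choot and ignore everything; maybe even
+in postinit? -- gotta be sure IP addresses don't get changed
+tests
+-----
+test all the vms listed below plus make sure each works with:
+- netvm
+- proxyvm
+- sound
+- notifications
+NOTE: Backup EXISTING jessie-gnome; its what I use for web access!
+Make a special version name; test with that and copy my root.img to it after test as my future template to keep
+wheezy
+wheezy+gnome
+jessie
+jessie+gnome
+whonix-gateway
+whonix-workstation
+# Before building ubuntu again; combine code base again
+trusty
+trusty+gnome
+utopic
+utopic+gnome
+test qubes-whonix package update... at first just add a local file base repo in appvm
+ubuntu fixups
+-------------
+network manager
+application menus
+- can I convert the hvm? -- or install real ubuntu from live but automated?
+- combine codebase of ubuntu / debian
+whonix fixups
+-------------
+move code to qhonix-qubes that can go there
+see if I can get rid of grub yet with new APT-opts command
+review all snapshot code; remove remerences to /run; swap with tmp
+todo
+----
+add firfox, etc to installed apps like fedora has - gnome only build; keep minimum debian builds
+flashplayer
+mirror list
+automated test? build, deploy to dom0, install guest + appvm, run some tests in appvm
+add in qubes-apps-linux-* during qubes-setup; maybe need to remove thunderbird?
+duplicate 01proxy
+fix the gui-linux commmit
+restore dash -- fix any qubes scripts to use dash or indicated they need bash
+fix any qubes scripts that use sysconfig; since we dont
+condsider
+---------
+salt module; maybe can use for tests
+merge
+-----
+merge to debian first
+then from debian to master
+then from master to ubuntu -- rebase whonix again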


@ -0,0 +1,528 @@
#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
source ./functions.sh >/dev/null
source ./umount_kill.sh >/dev/null
setVerboseMode
output "${bold}${under}INFO: ${SCRIPTSDIR}/distribution.sh imported by: ${0}${reset}"
# ==============================================================================
# Cleanup function
# ==============================================================================
function cleanup() {
errval=$?
trap - ERR EXIT
trap
error "${1:-"${0}: Error. Cleaning up and un-mounting any existing mounts"}"
umount_all || true
# Return xtrace to original state
[[ -n "${XTRACE}" ]] && [[ "${XTRACE}" -eq 0 ]] && set -x || set +x
exit $errval
}
# ==============================================================================
# If .prepared_debootstrap has not been completed, don't continue
# ==============================================================================
function exitOnNoFile() {
file="${1}"
message="${2}"
if ! [ -f "${file}" ]; then
error "${message}"
umount_all || true
exit 1
fi
}
# ==============================================================================
# Umount everthing within INSTALLDIR or $1 but kill all processes within first
# ==============================================================================
function umount_all() {
directory="${1:-"${INSTALLDIR}"}"
# Only remove dirvert policies, etc if base INSTALLDIR mount is being umounted
if [ "${directory}" == "${INSTALLDIR}" -o "${directory}" == "${INSTALLDIR}/" ]; then
if [ -n "$(mountPoints)" ]; then
removeDbusUuid
removeDivertPolicy
fi
fi
if [ "${directory}" == "${INSTALLDIR}" -a "${LXC_ENABLE}" == "1" ]; then
lxcStop
fi
umount_kill "${directory}" || true
}
# ==============================================================================
# Create snapshot
# ==============================================================================
function createSnapshot() {
snapshot_name="${1}"
if [ "${SNAPSHOT}" == "1" ]; then
splitPath "${IMG}" path_parts
snapshot_path="${path_parts[dir]}${path_parts[base]}-${snapshot_name}${path_parts[dotext]}"
# create snapshot
info "Creating snapshot of ${IMG} to ${snapshot_path}"
sync
cp -f "${IMG}" "${snapshot_path}"
fi
}
# ==============================================================================
# Create DBUS uuid
# ==============================================================================
function createDbusUuid() {
outputc green "Creating DBUS uuid..."
removeDbusUuid
if [ -e "${INSTALLDIR}/bin/dbus-uuidgen" ]; then
chroot dbus-uuidgen --ensure 1>/dev/null 2>&1
fi
}
# ==============================================================================
# Remove DBUS uuid
# ==============================================================================
function removeDbusUuid() {
if [ -e "${INSTALLDIR}"/var/lib/dbus/machine-id ]; then
outputc red "Removing generated machine uuid..."
rm -f "${INSTALLDIR}/var/lib/dbus/machine-id"
fi
}
# ==============================================================================
# Set up a temporary dpkg-divert policy to prevent apt from starting services
# on package installation
# ==============================================================================
function addDivertPolicy() {
outputc green "Deactivating initctl..."
chroot dpkg-divert --local --rename --add /sbin/initctl || true
# Only move if its a regualr file; not soft link
#if [ -f "${INSTALLDIR}/sbin/initctl" ]; then
# mv "${INSTALLDIR}"/sbin/initctl "${INSTALLDIR}"/sbin/initctl.dist
#else
# rm -f "${INSTALLDIR}"/sbin/initctl || true
#fi
#chroot ln -fs /bin/true /sbin/initctl
# utopic systemd install still broken...
outputc green "Hacking invoke-rc.d to ignore missing init scripts..."
chroot sed -i -e "s/exit 100/exit 0 #exit 100/" /usr/sbin/invoke-rc.d
}
# ==============================================================================
# Remove temporary dpkg-divert policy
# ==============================================================================
function removeDivertPolicy() {
outputc red "Reactivating initctl..."
#if [ -f "${INSTALLDIR}/sbin/initctl.dist" ]; then
# rm -f "${INSTALLDIR}"/sbin/initctl || true
# mv "${INSTALLDIR}"/sbin/initctl.dist "${INSTALLDIR}"/sbin/initctl
#fi
chroot dpkg-divert --local --rename --remove /sbin/initctl || true
outputc red "Restoring invoke-rc.d..."
chroot sed -i -e "s/exit 0 #exit 100/exit 100/" /usr/sbin/invoke-rc.d
}
# ==============================================================================
# Create system mount points
# ==============================================================================
function prepareChroot() {
# Make sure nothing is mounted within $INSTALLDIR
umount_kill "${INSTALLDIR}/"
#mkdir -p "${INSTALLDIR}/lib/modules"
#mount --bind /lib/modules "${INSTALLDIR}/lib/modules"
if [ "${LXC_ENABLE}" == "1" ]; then
# Shutdown lxc container if its running
chroot echo && lxcStop || true
# Start lxc container
lxcStart
sleep 3
debug "lxc root: /proc/$(lxc-info -P "${LXC_DIR}" -n ${DIST} -p -H)/root"
else
mount -t tmpfs none "${INSTALLDIR}/run"
if [ "${SYSTEMD_NSPAWN_ENABLE}" != "1" ]; then
#mount --bind /dev "${INSTALLDIR}/dev"
###mount --bind /dev/pts "${INSTALLDIR}/dev/pts"
mount -t proc proc "${INSTALLDIR}/proc"
mount -t sysfs sys "${INSTALLDIR}/sys"
fi
createDbusUuid
addDivertPolicy
fi
# Does lxc need this; moving away for now
###createDbusUuid
}
# ==============================================================================
# apt-get upgrade
# ==============================================================================
function aptUpgrade() {
aptUpdate
#DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
# chroot apt-get ${APT_GET_OPTIONS} upgrade
DEBIAN_FRONTEND="noninteractive" DEBIAN_PRIORITY="critical" DEBCONF_NOWARNINGS="yes" \
chroot env APT_LISTCHANGES_FRONTEND=none apt-get dist-upgrade -u -y --force-yes
}
# ==============================================================================
# apt-get dist-upgrade
# ==============================================================================
function aptDistUpgrade() {
aptUpdate
#DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
# chroot apt-get ${APT_GET_OPTIONS} dist-upgrade
DEBIAN_FRONTEND="noninteractive" DEBIAN_PRIORITY="critical" DEBCONF_NOWARNINGS="yes" \
chroot env APT_LISTCHANGES_FRONTEND=none apt-get dist-upgrade -u -y --force-yes
}
# ==============================================================================
# apt-get update
# ==============================================================================
function aptUpdate() {
debug "Updating system"
#DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
DEBIAN_FRONTEND="noninteractive" DEBIAN_PRIORITY="critical" DEBCONF_NOWARNINGS="yes" \
chroot apt-get update
}
# ==============================================================================
# apt-get remove
# ==============================================================================
function aptRemove() {
files="$@"
#DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
DEBIAN_FRONTEND="noninteractive" DEBIAN_PRIORITY="critical" DEBCONF_NOWARNINGS="yes" \
chroot apt-get ${APT_GET_OPTIONS} remove ${files[@]}
}
# ==============================================================================
# apt-get install
# ==============================================================================
function aptInstall() {
files="$@"
#DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
DEBIAN_FRONTEND="noninteractive" DEBIAN_PRIORITY="critical" DEBCONF_NOWARNINGS="yes" \
chroot apt-get ${APT_GET_OPTIONS} install ${files[@]}
}
# ==============================================================================
# Install extra packages in script_${DIST}/packages.list file
# -and / or- TEMPLATE_FLAVOR directories
# ==============================================================================
function installPackages() {
if [ -n "${1}" ]; then
# Locate packages within sub dirs
if [ ${#@} == "1" ]; then
getFileLocations packages_list "${1}" ""
else
packages_list="$@"
fi
else
getFileLocations packages_list "packages.list" "${DIST}"
if [ -z "${packages_list}" ]; then
error "Can not locate a package.list file!"
umount_all || true
exit 1
fi
fi
for package_list in ${packages_list[@]}; do
debug "Installing extra packages from: ${package_list}"
declare -a packages
readarray -t packages < "${package_list}"
info "Packages: "${packages[@]}""
aptInstall "${packages[@]}" || return $?
done
}
# ==============================================================================
# Install Systemd
# ==============================================================================
function installSystemd() {
buildStep "$0" "pre-systemd"
chroot apt-get update
aptInstall systemd
createDbusUuid
# Set multi-user.target as default target
chroot rm -f /etc/systemd/system/default.target
chroot ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
# XXX: TEMP lets see how stuff work with upstart in control for now
# Boot using systemd
chroot rm -f /sbin/init
chroot ln -sf /lib/systemd/systemd /sbin/init
if [ "${LXC_ENABLE}" == "1" ]; then
# XXX: Patch resolvconf (may only be trusy specific; if so move into buildStep
sed -i 's/RUN_CANONICALDIR/RUN_DIR/g' "${INSTALLDIR}/sbin/resolvconf"
# Enable resolvconf
chroot systemctl enable resolvconf
# XXX: Do I really need to restart it?
# Restart lxc container
lxcRestart
fi
buildStep "$0" "post-systemd"
}
# ==============================================================================
# Destroy LXC container
# ==============================================================================
function lxcDestroy() {
if [ "${LXC_ENABLE}" == "1" ]; then
warn "Destroying LXC container..."
lxc-destroy -P "${LXC_DIR}" -n "${DIST}" || true
mkdir -p "${INSTALLDIR}"
fi
}
# ==============================================================================
# Restart LXC container and wait for network
# ==============================================================================
function lxcRestart() {
lxcStop
lxcStart
prepareChroot
}
# ==============================================================================
# Start LXC container and wait for network
# ==============================================================================
function lxcStart() {
LXC_IF=eth0
info "Launching lxc-wait in background..."
lxc-wait -P "${LXC_DIR}" -n "${DIST}" -s RUNNING &
lxc_wait_pid=$!
info "Starting LXC container..."
lxc-start -d -P "${LXC_DIR}" -n "${DIST}"
info "Waiting for LXC container RUNNING state..."
wait ${lxc_wait_pid}
sleep 1
info "Waiting for LXC container network ${LXC_IF} up state..."
lxc-attach -P "${LXC_DIR}" -n "${DIST}" -- \
su -c "while ! ip a | sed -rn '/: '"${LXC_IF}"':.*state UP/{N;N;s/.*inet (\S*).*/\1/p}' | grep -q '.'; do printf '.'; sleep 1; done; echo ''" || sleep 3
info "Network state is active."
# Re-map install directory to lxc container
###ORIG_INSTALLDIR="${INSTALLDIR}"
###INSTALLDIR="/proc/$(lxc-info -P "${LXC_DIR}" -n ${DIST} -p -H)/root"
}
# ==============================================================================
# Start LXC container and wait for network
# ==============================================================================
function lxcStop() {
# XXX - Should not umount here in case of restart
# umount anything in the lxc container (using _kill, not _all)
umount_kill "${INSTALLDIR}/"
# XXX: Is this needed
#rm -rf "${INSTALLDIR}/run/*" | true
# Re-set install directory to original location
###INSTALLDIR="${ORIG_INSTALLDIR-"${INSTALLDIR}"}"
info "Launching lxc-wait in background..."
lxc-wait -P "${LXC_DIR}" -n "${DIST}" -s STOPPED &
lxc_wait_pid=$!
info "Stopping LXC container..."
sync
lxc-stop --kill -P "${LXC_DIR}" -n "${DIST}" || true
info "Waiting for LXC container STOPPED state..."
wait ${lxc_wait_pid}
sleep 1
info "LXC container stopped."
}
# ==============================================================================
# ------------------------------------------------------------------------------
# C O N F I G U R A T I O N R E L A T E D
# ------------------------------------------------------------------------------
# ==============================================================================
# ==============================================================================
# Add universe to sources.list
# ==============================================================================
function updateDebianSourceList() {
# Add contrib and non-free component to repository
touch "${INSTALLDIR}/etc/apt/sources.list"
sed -i "s/${DIST} main$/${DIST} main contrib non-free/g" "${INSTALLDIR}/etc/apt/sources.list"
# Add Debian security repositories
source="deb http://security.debian.org ${DEBIANVERSION}/updates main"
if ! grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*; then
touch "${INSTALLDIR}/etc/apt/sources.list"
echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list"
fi
source="deb-src http://security.debian.org ${DEBIANVERSION}/updates main"
if ! grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*; then
touch "${INSTALLDIR}/etc/apt/sources.list"
echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list"
fi
}
# ==============================================================================
# Add universe to sources.list
# ==============================================================================
function updateQubuntuSourceList() {
sed -i "s/${DIST} main$/${DIST} main universe multiverse restricted/g" "${INSTALLDIR}/etc/apt/sources.list"
source="deb http://archive.canonical.com/ubuntu ${DIST} partner"
if ! grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*; then
touch "${INSTALLDIR}/etc/apt/sources.list"
echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list"
fi
source="deb-src http://archive.canonical.com/ubuntu ${DIST} partner"
if ! grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*; then
touch "${INSTALLDIR}/etc/apt/sources.list"
echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list"
fi
chroot apt-get update
}
# ==============================================================================
# Make sure there is a resolv.conf with network of this AppVM for building
# ==============================================================================
function createResolvConf() {
if [ "${LXC_ENABLE}" != "1" ]; then
rm -f "${INSTALLDIR}/etc/resolv.conf"
cp /etc/resolv.conf "${INSTALLDIR}/etc/resolv.conf"
fi
}
# ==============================================================================
# Ensure umask set in /etc/login.defs is used (022)
# ==============================================================================
function configureUmask() {
echo "session optional pam_umask.so" >> "${INSTALLDIR}/etc/pam.d/common-session"
}
# ==============================================================================
# Configure keyboard
# ==============================================================================
function configureKeyboard() {
debug "Setting keyboard layout"
cat > "${INSTALLDIR}/tmp/keyboard.conf" <<'EOF'
keyboard-configuration keyboard-configuration/variant select English (US)
keyboard-configuration keyboard-configuration/layout select English (US)
keyboard-configuration keyboard-configuration/model select Generic 105-key (Intl) PC
keyboard-configuration keyboard-configuration/modelcode string pc105
keyboard-configuration keyboard-configuration/layoutcode string us
keyboard-configuration keyboard-configuration/variantcode string
keyboard-configuration keyboard-configuration/optionscode string
EOF
chroot debconf-set-selections /tmp/keyboard.conf
}
# ==============================================================================
# Update locale
# ==============================================================================
function updateLocale() {
debug "Updating locales"
#echo "en_US.UTF-8 UTF-8" >> "${INSTALLDIR}/etc/locale.gen"
#chroot "${INSTALLDIR}" locale-gen
#chroot "${INSTALLDIR}" update-locale LANG=en_US.UTF-8
chroot localedef -f UTF-8 -i en_US -c en_US.UTF-8
chroot update-locale LC_ALL=en_US.UTF-8
}
# ==============================================================================
# ------------------------------------------------------------------------------
# Q U B E S S P E C I F I C F U N C T I O N S
# ------------------------------------------------------------------------------
# ==============================================================================
# ==============================================================================
# Install Keyrings
# ==============================================================================
function installKeyrings() {
if ! [ -e "${CACHEDIR}/repo-secring.gpg" ]; then
mkdir -p "${CACHEDIR}"
gpg --gen-key --batch <<EOF
Key-Type: RSA
Key-Length: 1024
Key-Usage: sign
Name-Real: Qubes builder
Expire-Date: 0
%pubring ${CACHEDIR}/repo-pubring.gpg
%secring ${CACHEDIR}/repo-secring.gpg
%commit
EOF
fi
if [ ! -e "${CUSTOMREPO}/dists/${DIST}/Release.gpg" ]; then
gpg -abs --no-default-keyring \
--secret-keyring "${CACHEDIR}/repo-secring.gpg" \
--keyring "${CACHEDIR}/repo-pubring.gpg" \
-o "${CUSTOMREPO}/dists/${DIST}/Release.gpg" \
"${CUSTOMREPO}/dists/${DIST}/Release"
cp "${CACHEDIR}/repo-pubring.gpg" "${INSTALLDIR}/etc/apt/trusted.gpg.d/qubes-builder.gpg"
fi
}
# ==============================================================================
# Install Qubes Repo
# ==============================================================================
installQubesRepo() {
info " Defining Qubes CUSTOMREPO Location: ${PWD}/yum_repo_qubes/${DIST}"
export CUSTOMREPO="${PWD}/yum_repo_qubes/${DIST}"
# info ' Installing keyrings' # Relies on $CUSTOMREPO
# installKeyrings
info "Mounting local qubes_repo"
mkdir -p "${INSTALLDIR}/tmp/qubes_repo"
mount --bind "${CUSTOMREPO}" "${INSTALLDIR}/tmp/qubes_repo"
cat > "${INSTALLDIR}/etc/apt/sources.list.d/qubes-builder.list" <<EOF
deb file:/tmp/qubes_repo ${DIST} main
EOF
# XXX: Moved keyring install last in process; not sure if mount was ready
# all the time in its previous place
info ' Installing keyrings' # Relies on $CUSTOMREPO
installKeyrings
}
# ==============================================================================
# Uninstall Qubes Repo
# ==============================================================================
uninstallQubesRepo() {
info ' Removing Quebes build repo from sources.list.d'
# Lets not umount; we do that anyway when 04 exits
umount_kill "${INSTALLDIR}/tmp/qubes_repo"
rm -f "${INSTALLDIR}/etc/apt/sources.list.d/qubes-builder.list"
}
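Review bot: aptUpgrade and aptDistUpgrade hard-code `-y --force-yes` on their apt-get lines, and in this apt generation `--force-yes` is what lets apt-get proceed past the "packages cannot be authenticated" abort that `-y` alone produces, so a tampered Packages index served by the plain-http DEBIAN_MIRROR from vars.sh would be installed without any error; these two lines also bypass APT_GET_OPTIONS, so cleaning up that variable does not fix them. Since installKeyrings signs the local builder repo and drops its public key into trusted.gpg.d, `-y` should be enough here: `chroot env APT_LISTCHANGES_FRONTEND=none apt-get dist-upgrade -u -y`. installKeyrings itself only copies repo-pubring.gpg into the chroot inside the `! -e Release.gpg` branch, so on a rebuild against a repo that is already signed the key is never installed into the template and apt should then refuse the repo — unless `--force-yes` hides exactly that; move the `cp` out of the `if`. Also, the header above aptUpgrade says "apt-get upgrade" but its body runs `dist-upgrade`, identical to aptDistUpgrade, so one of the two is misnamed or redundant.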


@ -0,0 +1,10 @@
#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
source "${SCRIPTSDIR}/vars.sh"
source "${SCRIPTSDIR}/distribution.sh"
#### '----------------------------------------------------------------------
info ' Installing flash plugin'
#### '----------------------------------------------------------------------
aptInstall flashplugin-nonfree


@ -0,0 +1,13 @@
#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
source "${SCRIPTSDIR}/vars.sh"
source "${SCRIPTSDIR}/distribution.sh"
#### '----------------------------------------------------------------------
info ' Installing Gnome'
#### '----------------------------------------------------------------------
#packages="$(chroot tasksel --new-install --task-packages desktop)"
#packages+=" $(chroot tasksel --new-install --task-packages gnome-desktop)"
packages="$(chroot tasksel --new-install --task-packages gnome-desktop)"
aptInstall ${packages}


@ -1,2 +0,0 @@
gnome-desktop-environment
gnome-accessibility-themes


@ -1,2 +0,0 @@
gnome-desktop-environment
gnome-accessibility-themes


@ -1,10 +1,22 @@
gnome-terminal
locales
ncurses-term
aptitude
tasksel
sudo
locales
dmsetup
psmisc
ncurses-term
xserver-xorg-core
x11-xserver-utils
xinit
acpid
emacs
vim-nox
gnupg
iceweasel
icedove
keepassx
git
gnome-terminal
xterm
libfile-mimeinfo-perl
libglib2.0-bin
ltrace
strace
haveged
firmware-linux


@ -6,3 +6,10 @@ xsettingsd
gnome-packagekit
chrony
ntpdate
libxvmc1
x11-session-utils
xfonts-100dpi
xfonts-75dpi
xfonts-scalable


@ -1,10 +1,22 @@
gnome-terminal
locales
ncurses-term
aptitude
tasksel
sudo
locales
dmsetup
psmisc
ncurses-term
xserver-xorg-core
x11-xserver-utils
xinit
acpid
emacs
vim-nox
gnupg
iceweasel
icedove
keepassx
git
gnome-terminal
xterm
libfile-mimeinfo-perl
libglib2.0-bin
ltrace
strace
haveged
firmware-linux


@ -1,70 +0,0 @@
# file: .
# owner: user
# group: user
user::rwx
group::r-x
other::r-x
# file: etc
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/Xresources
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/xdg/fonts.conf
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/xdg/xsettingsd
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/X11
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/X11/Xsession.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/X11/Xsession.d/25xdg-qubes-settings
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: .facl
# owner: root
# group: root
user::rw-
group::r--
other::r--

34
scripts_debian/vars.sh Executable file → Normal file

@ -1,18 +1,36 @@
#!/bin/bash
#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
source ./functions.sh
# ==============================================================================
# Global variables and functions
# ==============================================================================
# ------------------------------------------------------------------------------
# Temp directory to place installation files and progress markers
# (Do not use /tmp since if built in a real VM, /tmp will be empty on a reboot)
# ------------------------------------------------------------------------------
TMPDIR="/var/lib/qubes-whonix/install"
. ./functions.sh
# ------------------------------------------------------------------------------
# The codename of the debian version to install.
# jessie = testing, wheezy = stable
# ------------------------------------------------------------------------------
DEBIANVERSION=${DIST}
# Location to grab debian packages
# ------------------------------------------------------------------------------
# Location to grab Debian packages
# ------------------------------------------------------------------------------
DEBIAN_MIRROR=http://ftp.us.debian.org/debian
#DEBIAN_MIRROR=http://http.debian.net/debian
#DEBIAN_MIRROR=http://ftp.ca.debian.org/debian
APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes -y"
# TODO: Not yet implemented
DEBIAN_MIRRORS=('http://ftp.us.debian.org/debian',
'http://http.debian.net/debian,
'http://ftp.ca.debian.org/debian,
)
# ------------------------------------------------------------------------------
# apt-get configuration options
# ------------------------------------------------------------------------------
APT_GET_OPTIONS="-o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes --yes"
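Review bot: APT_GET_OPTIONS on the last line still carries `--force-yes`, which is the switch that makes apt-get continue with packages it cannot authenticate instead of aborting, so every aptInstall/aptRemove built on this variable will silently accept unsigned packages from the plain-http DEBIAN_MIRROR defined above; with the builder repo signed by installKeyrings, `--yes` alone is sufficient. The nested double quotes in that assignment close and reopen the string rather than nesting, so it only works because the option values contain no whitespace; write it as `APT_GET_OPTIONS="-o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold --yes"` (or as a bash array). The DEBIAN_MIRRORS array is also malformed — trailing commas inside the elements and an unbalanced single quote spanning the second and third entries — which is harmless while marked "Not yet implemented" but will bite whoever implements it. One more caution: TMPDIR is the conventional variable that mktemp and the C library honour, and if the calling environment already exports it this assignment would re-export the new path to every child process; a more specific name such as QUBES_TMPDIR avoids that.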

View File

@ -1 +0,0 @@
../wheezy+whonix/00_prepare_pre.sh

View File

@ -1 +0,0 @@
../wheezy+whonix/01_install_core_post.sh


@ -1 +0,0 @@
../wheezy+whonix/02_install_groups_packages_installed.sh


@ -0,0 +1,246 @@
#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
source "${SCRIPTSDIR}/vars.sh"
source "${SCRIPTSDIR}/distribution.sh"
##### '-------------------------------------------------------------------------
debug ' Installing and building Whonix'
##### '-------------------------------------------------------------------------
#### '--------------------------------------------------------------------------
info ' Trap ERR and EXIT signals and cleanup (umount)'
#### '--------------------------------------------------------------------------
trap cleanup ERR
trap cleanup EXIT
if ! [ -f "${INSTALLDIR}/${TMPDIR}/.whonix_prepared_groups" ]; then
#### '----------------------------------------------------------------------
info ' Installing extra packages in packages_whonix.list file'
#### '----------------------------------------------------------------------
installPackages packages_whonix.list
touch "${INSTALLDIR}/${TMPDIR}/.whonix_prepared_groups"
fi
# ------------------------------------------------------------------------------
# chroot Whonix build script
# ------------------------------------------------------------------------------
read -r -d '' WHONIX_BUILD_SCRIPT <<'EOF' || true
################################################################################
# Pre Fixups
sudo mkdir -p /boot/grub2
sudo touch /boot/grub2/grub.cfg
sudo mkdir -p /boot/grub
sudo touch /boot/grub/grub.cfg
sudo mkdir --parents --mode=g+rw "/tmp/uwt"
# Whonix seems to re-install sysvinit even though there is a hold
# on the package. Things seem to work anyway. BUT hopfully the
# hold on grub* don't get removed
sudo apt-mark hold sysvinit
sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common
# Whonix expects haveged to be started
sudo /etc/init.d/haveged start
################################################################################
# Whonix installation
export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1"
pushd ~/Whonix
sudo ~/Whonix/whonix_build \
--build $1 \
--64bit-linux \
--current-sources \
--enable-whonix-apt-repository \
--whonix-apt-repository-distribution $2 \
--install-to-root \
--skip-verifiable \
--minimal-report \
--skip-sanity-tests || { exit 1; }
popd
EOF
##### '-------------------------------------------------------------------------
debug ' Preparing Whonix for installation'
##### '-------------------------------------------------------------------------
if [ -f "${INSTALLDIR}/${TMPDIR}/.whonix_prepared_groups" ] && ! [ -f "${INSTALLDIR}/${TMPDIR}/.whonix_prepared" ]; then
info "Preparing Whonix system"
#### '----------------------------------------------------------------------
info ' Initializing Whonix submodules'
#### '----------------------------------------------------------------------
pushd "${WHONIX_DIR}"
{
git add Makefile || true
git commit Makefile -m 'Added Makefile' || true
su $(logname) -c "git submodule update --init --recursive";
}
popd
#### '----------------------------------------------------------------------
info ' Faking grub installation since Whonix has depends on grub-pc'
#### '----------------------------------------------------------------------
mkdir -p "${INSTALLDIR}/boot/grub"
cp "${INSTALLDIR}/usr/lib/grub/i386-pc/"* "${INSTALLDIR}/boot/grub"
rm -f "${INSTALLDIR}/usr/sbin/update-grub"
chroot ln -s /bin/true /usr/sbin/update-grub
#### '----------------------------------------------------------------------
info ' Adding a user account for Whonix to build with'
#### '----------------------------------------------------------------------
chroot id -u 'user' >/dev/null 2>&1 || \
{
# UID needs match host user to have access to Whonix sources
chroot groupadd -f user
[ -n "$SUDO_UID" ] && USER_OPTS="-u $SUDO_UID"
chroot useradd -g user $USER_OPTS -G sudo,audio -m -s /bin/bash user
if [ `chroot id -u user` != 1000 ]; then
chroot useradd -g user -u 1000 -M -s /bin/bash user-placeholder
fi
}
#### '----------------------------------------------------------------------
info ' Installing Whonix build scripts'
#### '----------------------------------------------------------------------
echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build.sh"
chmod 0755 "${INSTALLDIR}/home/user/whonix_build.sh"
#### '----------------------------------------------------------------------
info ' Removing apt-listchanges if it exists,so no prompts appear'
#### '----------------------------------------------------------------------
# Whonix does not handle this properly, but aptInstall packages will
aptRemove apt-listchanges || true
#### '----------------------------------------------------------------------
info ' Copying additional files required for build'
#### '----------------------------------------------------------------------
copyTree "files"
touch "${INSTALLDIR}/${TMPDIR}/.whonix_prepared"
fi
##### '-------------------------------------------------------------------------
debug ' Installing Whonix code base'
##### '-------------------------------------------------------------------------
if [ -f "${INSTALLDIR}/${TMPDIR}/.whonix_prepared" ] && ! [ -f "${INSTALLDIR}/${TMPDIR}/.whonix_installed" ]; then
if ! [ -d "${INSTALLDIR}/home/user/Whonix" ]; then
chroot su user -c 'mkdir /home/user/Whonix'
fi
mount --bind "../Whonix" "${INSTALLDIR}/home/user/Whonix"
if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then
BUILD_TYPE="--torgateway"
elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then
BUILD_TYPE="--torworkstation"
else
error "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules"
error "You need to set TEMPLATE_FLAVOR environment variable to either"
error "whonix-gateway OR whonix-workstation"
exit 1
fi
# Whonix needs /dev/pts mounted during build
mount --bind /dev "${INSTALLDIR}/dev"
mount --bind /dev/pts "${INSTALLDIR}/dev/pts"
chroot su user -c "cd ~; ./whonix_build.sh ${BUILD_TYPE} ${DIST}" || { exit 1; }
touch "${INSTALLDIR}/${TMPDIR}/.whonix_installed"
fi
##### '-------------------------------------------------------------------------
debug ' Whonix Post Installation Configurations'
##### '-------------------------------------------------------------------------
if [ -f "${INSTALLDIR}/${TMPDIR}/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/${TMPDIR}/.whonix_post" ]; then
#### '----------------------------------------------------------------------
info ' Restoring original network interfaces'
#### '----------------------------------------------------------------------
pushd "${INSTALLDIR}/etc/network"
{
rm -f interfaces;
ln -s interfaces.backup interfaces;
}
popd
#### '----------------------------------------------------------------------
info ' Temporarily retore original resolv.conf for remainder of install process'
info ' (Will be restored back in wheezy+whonix/04_qubes_install_post.sh)'
#### '----------------------------------------------------------------------
pushd "${INSTALLDIR}/etc"
{
rm -f resolv.conf;
cp -p resolv.conf.backup resolv.conf;
}
popd
#### '----------------------------------------------------------------------
info ' Temporarily retore original hosts for remainder of install process'
info ' (Will be restored on initial boot)'
#### '----------------------------------------------------------------------
pushd "${INSTALLDIR}/etc"
{
rm -f hosts;
cp -p hosts.anondist-orig hosts;
}
popd
#### '----------------------------------------------------------------------
info ' Restore default user UID set to so same in all builds regardless of build host'
#### '----------------------------------------------------------------------
if [ -n "`chroot id -u user-placeholder`" ]; then
chroot userdel user-placeholder
chroot usermod -u 1000 user
fi
#### '----------------------------------------------------------------------
info ' Enable some aliases in .bashrc'
#### '----------------------------------------------------------------------
sed -i "s/^# export/export/g" "${INSTALLDIR}/root/.bashrc"
sed -i "s/^# eval/eval/g" "${INSTALLDIR}/root/.bashrc"
sed -i "s/^# alias/alias/g" "${INSTALLDIR}/root/.bashrc"
sed -i "s/^#force_color_prompt/force_color_prompt/g" "${INSTALLDIR}/home/user/.bashrc"
sed -i "s/#alias/alias/g" "${INSTALLDIR}/home/user/.bashrc"
sed -i "s/alias l='ls -CF'/alias l='ls -l'/g" "${INSTALLDIR}/home/user/.bashrc"
#### '----------------------------------------------------------------------
info ' Remove apt-cacher-ng'
#### '----------------------------------------------------------------------
chroot service apt-cacher-ng stop || :
chroot update-rc.d apt-cacher-ng disable || :
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng
#### '----------------------------------------------------------------------
info ' Remove original sources.list (Whonix copied them to .../debian.list)'
#### '----------------------------------------------------------------------
rm -f "${INSTALLDIR}/etc/apt/sources.list"
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot apt-get.anondist-orig update
touch "${INSTALLDIR}/${TMPDIR}/.whonix_post"
fi
##### '-------------------------------------------------------------------------
debug ' Temporarily retore original apt-get for remainder of install process'
##### '-------------------------------------------------------------------------
pushd "${INSTALLDIR}/usr/bin"
{
rm -f apt-get;
cp -p apt-get.anondist-orig apt-get;
}
popd
#### '----------------------------------------------------------------------
info ' Cleanup'
#### '----------------------------------------------------------------------
trap - ERR EXIT
trap
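Review bot: The bind mounts this script creates — `../Whonix` onto `${INSTALLDIR}/home/user/Whonix`, and the host's `/dev` and `/dev/pts` into the chroot — are never unmounted in the script itself: the final `trap - ERR EXIT` clears the handler without an explicit unmount first, unlike the sibling qubes-whonix install script in this commit, which calls `umount_all "${INSTALLDIR}/" || true` before clearing its trap. If `cleanup` (defined in distribution.sh, outside this hunk) is the unmount path, a successful run leaves the host's /dev bound inside the template tree, and any later recursive delete of that tree reaches host device nodes; adding the same `umount_all` line before `trap - ERR EXIT` closes that. Two smaller quoting issues in the user-creation branch: the `id -u user` test uses an unquoted backtick substitution and fails with a test syntax error if it expands to nothing, so prefer `if [[ "$(chroot id -u user)" != 1000 ]]; then`, and `USER_OPTS` is expanded unquoted in the `useradd` call, which only works because it is either empty or a single `-u <uid>` pair.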


@ -1 +0,0 @@
../wheezy+whonix/04_install_qubes_post.sh


@ -0,0 +1,40 @@
#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
source "${SCRIPTSDIR}/vars.sh"
source "${SCRIPTSDIR}/distribution.sh"
##### '-------------------------------------------------------------------------
debug ' Installing qubes-whonix package(s)'
##### '-------------------------------------------------------------------------
# If .prepared_debootstrap has not been completed, don't continue
exitOnNoFile "${INSTALLDIR}/${TMPDIR}/.prepared_qubes" "prepared_qubes installataion has not completed!... Exiting"
# Create system mount points.
prepareChroot
#### '--------------------------------------------------------------------------
info ' Trap ERR and EXIT signals and cleanup (umount)'
#### '--------------------------------------------------------------------------
trap cleanup ERR
trap cleanup EXIT
#### '--------------------------------------------------------------------------
info ' Installing qubes-whonix and other required packages'
#### '--------------------------------------------------------------------------
# whonix-setup-wizard expects '/usr/local/share/applications' directory to exist
chroot mkdir -p '/usr/local/share/applications' # whonix-setup-wizard needs this
installQubesRepo
aptInstall python-guimessages whonix-setup-wizard qubes-whonix
uninstallQubesRepo
#### '--------------------------------------------------------------------------
info ' Cleanup'
#### '--------------------------------------------------------------------------
umount_all "${INSTALLDIR}/" || true
trap - ERR EXIT
trap
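Review bot: The ERR/EXIT trap is installed only after `prepareChroot` has already created the system mount points, so a failure inside `prepareChroot` itself (the script runs under `-e`) leaves nothing to unmount; moving `trap cleanup ERR` and `trap cleanup EXIT` above the `prepareChroot` call closes that window. Likewise `uninstallQubesRepo` only runs if `aptInstall python-guimessages whonix-setup-wizard qubes-whonix` succeeds, so an apt failure exits with the build-time Qubes repository still configured in the template — either handle it in `cleanup` or state in a comment that `cleanup` already covers it (`cleanup`, `prepareChroot` and the repo helpers live in distribution.sh, outside this hunk). Minor: "installataion" in the `exitOnNoFile` message is a typo, and the comment above `chroot mkdir -p '/usr/local/share/applications'` is repeated at the end of the same line.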


@ -1 +0,0 @@
../wheezy+whonix/09_cleanup_post.sh


@ -0,0 +1,40 @@
#!/bin/bash -e
# vim: set ts=4 sw=4 sts=4 et :
source "${SCRIPTSDIR}/vars.sh"
source "${SCRIPTSDIR}/distribution.sh"
##### '-------------------------------------------------------------------------
debug ' Whonix post installation cleanup'
##### '-------------------------------------------------------------------------
#### '--------------------------------------------------------------------------
info ' Restoring Whonix apt-get'
#### '--------------------------------------------------------------------------
pushd "${INSTALLDIR}/usr/bin"
{
rm -f apt-get;
cp -p apt-get.anondist apt-get;
}
popd
#### '--------------------------------------------------------------------------
info ' Restoring Whonix resolv.conf'
#### '--------------------------------------------------------------------------
pushd "${INSTALLDIR}/etc"
{
rm -f resolv.conf;
cp -p resolv.conf.anondist resolv.conf;
}
popd
#### '--------------------------------------------------------------------------
info ' Removing files created during installation that are no longer required'
#### '--------------------------------------------------------------------------
rm -rf "${INSTALLDIR}/home.orig/user/Whonix"
rm -rf "${INSTALLDIR}/home.orig/user/whonix_binary"
rm -f "${INSTALLDIR}/home.orig/user/whonix_fix"
rm -f "${INSTALLDIR}/home.orig/user/whonix_build.sh"
rm -f "${INSTALLDIR}/etc/sudoers.d/whonix-build"
rm -f "${TMPDIR}/etc/sudoers.d/whonix-build"
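Review bot: The last line, `rm -f "${TMPDIR}/etc/sudoers.d/whonix-build"`, targets a host path rather than the template: vars.sh in this commit sets TMPDIR to `/var/lib/qubes-whonix/install`, a location inside the chroot, and every other use joins it as `${INSTALLDIR}/${TMPDIR}`. Either it is a stray duplicate of the preceding line, which already deletes the template's `etc/sudoers.d/whonix-build`, or the intended target was `${INSTALLDIR}/${TMPDIR}/etc/sudoers.d/whonix-build`; since that file is what grants the build user sudo during the Whonix build, I would fix the path and verify the removal, e.g. `[ ! -e "${INSTALLDIR}/etc/sudoers.d/whonix-build" ] || error "build-time sudoers grant still present"`. The `home.orig/user/...` paths in the cleanup block are not explained in this hunk; a one-line comment saying where `home` becomes `home.orig` (presumably an earlier Qubes step) would help the next reader.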


@ -1,28 +0,0 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# whonix-netvm-gateway contains last known IP used to search and replace
# ------------------------------------------------------------------------------
if [ -f "${INSTALLDIR}/tmp/.whonix_post" -a ! -f "${INSTALLDIR}/tmp/.whonix_custom_configurations" ]; then
# --------------------------------------------------------------------------
# Install Custom Configurations
# --------------------------------------------------------------------------
echo "10.152.152.10" > "${INSTALLDIR}/etc/whonix-netvm-gateway"
touch "${INSTALLDIR}/tmp/.whonix_custom_configurations"
fi


@ -1,108 +1,3 @@
# file: .
# owner: user
# group: user
user::rwx
group::r-x
other::r-x
# file: lib
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd/system
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd/system/qubes-whonix-firewall.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: lib/systemd/system/qubes-whonix-network.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: lib/systemd/system/qubes-whonix-init.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/hosts
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/uwt.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/uwt.d/50_uwt_default
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/xdg
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/autostart
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/autostart/qubes-whonixsetup.desktop
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/apt
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/hostname
# owner: root
# group: root
@ -114,7 +9,7 @@ other::r--
# owner: root
# group: root
user::rwx
group::r-x
group::--x
other::---
# file: etc/sudoers.d/whonix-build
@ -124,129 +19,3 @@ user::r--
group::r--
other::---
# file: .facl
# owner: user
# group: user
user::rw-
group::r--
other::r--
# file: usr
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/utility_functions
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/bind-dirs.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/qubes-whonix-firewall.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/qubes-whonix-bind.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/init/replace-ips
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/init.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/whonixcheck.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/init/network-proxy-setup.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/qubes-whonix-tor.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/messages.yaml
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/alert
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/qubes-whonixsetup
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/enable-iptables-logging.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x


@ -1,7 +0,0 @@
## Anonymity Distribution /etc/hosts
## Anonymity Distribution specific
127.0.0.1 host.localdomain host
## End of Anonymity Distribution specific
## End of Anonymity Distribution /etc/hosts


@ -1,6 +0,0 @@
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]; then
uwtwrapper["/usr/bin/apt-get"]="0"
fi


@ -1,8 +0,0 @@
## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
[Desktop Entry]
Type=Application
Terminal=false
Exec=/usr/lib/whonix/qubes-whonixsetup


@ -1,12 +0,0 @@
[Unit]
Description=Qubes Whonix firewall updater
After=qubes-whonix-network.service
Before=network.target
[Service]
ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
Alias=qubes-firewall.service


@ -1,13 +0,0 @@
[Unit]
Description=Qubes Whonix initialization script
After=qubes-whonix-network.service
Before=qubes-whonix-firewall.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/whonix/init/init.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target


@ -1,15 +0,0 @@
[Unit]
Description=Qubes Whonix network proxy setup
ConditionPathExists=/var/run/qubes-service/qubes-network
Before=network.target
After=iptables.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
Alias=qubes-network.service


@ -1,90 +0,0 @@
#!/usr/bin/python
#
# Copyright 2014 Jason Mehring (nrgaway@gmail.com)
#
from PyQt4 import QtGui
import locale
import yaml
DEFAULT_LANG = 'en'
class Messages():
filename = None
data = None
language = DEFAULT_LANG
title = None
icon = None
message = None
def __init__(self, section, filename):
self.filename = filename
language = locale.getdefaultlocale()[0].split('_')[0]
if language:
self.language = language
try:
stream = file(filename, 'r')
data = yaml.load(stream)
if section in data.keys():
section = data[section]
self.icon = section.get('icon', None)
language = section.get(self.language, DEFAULT_LANG)
self.title = language.get('title', None)
self.message = language.get('message', None)
except (IOError):
pass
except (yaml.scanner.ScannerError, yaml.parser.ParserError):
pass
class WhonixMessageBox(QtGui.QMessageBox):
def __init__(self, message):
super(WhonixMessageBox, self).__init__()
self.message = message
self.initUI()
def initUI(self):
message = self.message
if message.title:
self.setWindowTitle(message.title)
if message.icon:
self.setIcon(getattr(QtGui.QMessageBox, message.icon))
if message.message:
self.setText(message.message)
self.exec_()
import argparse
import sys
def main():
parser = argparse.ArgumentParser(description='Display a QT Message Box')
parser.add_argument('section', help="Message section")
parser.add_argument('filename', help="File including full path")
args = parser.parse_args()
if not args.filename and args.section:
print parser.usage()
sys.exit(1)
app = QtGui.QApplication(sys.argv)
message = Messages(args.section, args.filename)
dialog = WhonixMessageBox(message)
sys.exit()
if __name__ == "__main__":
main()


@ -1,58 +0,0 @@
#!/bin/bash
#
# To umount all binds, just pass any arg in $1
#
. /usr/lib/whonix/utility_functions
# Don't run if started as a template
if ! [ "${WHONIX}" == "template" ]; then
# Array of directories to bind
BINDS=(
'/rw/srv/whonix/root/.whonix:/root/.whonix'
'/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
'/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
'/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
'/rw/srv/whonix/etc/tor:/etc/tor'
)
for bind in ${BINDS[@]}; do
rw_dir="${bind%%:*}"
ro_dir="${bind##*:}"
# Make sure ro directory is not mounted
umount "${ro_dir}" 2> /dev/null || true
if [ -n "${1}" ]; then
echo "Umounting only..."
exit 0
fi
# Make sure ro directory exists
if ! [ -d "${ro_dir}" ]; then
mkdir -p "${ro_dir}"
fi
# Initially copy over data directories to /rw if rw directory does not exist
if ! [ -d "${rw_dir}" ]; then
mkdir -p "${rw_dir}"
rsync -hax "${ro_dir}/." "${rw_dir}"
fi
# Bind the directory
sync
mount --bind "${rw_dir}" "${ro_dir}"
done
sync
fi
if [ "${WHONIX}" == "gateway" ]; then
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi
exit 0


@ -1,30 +0,0 @@
#!/bin/bash
# Check /var/log/kern.log for logging results
LOG_IP4=1
LOG_IP6=0
# for IPv4
if [ "$LOG_IP4" == "1" ]; then
iptables -t raw -A OUTPUT -p icmp -j TRACE
iptables -t raw -A PREROUTING -p icmp -j TRACE
modprobe ipt_LOG
fi
# for IPv6
if [ "$LOG_IP6" == "1" ]; then
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
modprobe ip6t_LOG
fi
# Redirect local port to remote via socat
#apt-get install socat
#socat TCP4-LISTEN:8082,fork,mode=0666,user=root,group=root TCP4:10.137.255.254:8082
#
# Works
# localhost/loopback maps localhost port 8082 to localhost port 8888
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888


@ -1,30 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" != "template" ]; then
# Files that will have the immutable bit set
# since we don't want them modified by other programs
IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname'
'/etc/hosts'
)
# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/init/replace-ips
# Make sure hostname is correct
/bin/hostname host
fi


@ -1,57 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
INTERFACE="eth1"
if [ "${WHONIX}" == "gateway" ]; then
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Setup Xen / Qubes proxy
network=$(xenstore-read qubes-netvm-network 2>/dev/null)
if [ "x$network" != "x" ]; then
gateway=$(xenstore-read qubes-netvm-gateway)
netmask=$(xenstore-read qubes-netvm-netmask)
secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
modprobe netbk 2> /dev/null || modprobe xen-netback
echo "NS1=$gateway" > /var/run/qubes/qubes-ns
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
#/usr/lib/qubes/qubes-setup-dnat-to-ns
echo "0" > /proc/sys/net/ipv4/ip_forward
/sbin/ethtool -K eth0 sg off || :
fi
# Now, assign it the netvm-gateway IP address
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
if [ x${ip} != x ]; then
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
/sbin/ip link add ${INTERFACE} type dummy
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off || true
/sbin/ethtool -K ${INTERFACE} tx off || true
ip link set ${INTERFACE} up
fi
echo "0" > /proc/sys/net/ipv4/ip_forward
# Allow whonix-gateway to act as an update-proxy
touch /var/run/qubes-service/qubes-updates-proxy
# Search and replace tinyproxy error files so we can inject code that
# we can use to identify that its a tor proxy so updates are secure
error_file="/usr/share/tinyproxy/default.html"
grep -q "${PROXY_META}" "${error_file}" || {
sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
}
fi


@ -1,49 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Make sure IP forwarding is disabled
echo "0" > /proc/sys/net/ipv4/ip_forward
if [ "${WHONIX}" != "template" ]; then
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Start Whonix Firewall
if [ "${WHONIX}" == "gateway" ]; then
export INT_IF="vif+"
export INT_TIF="vif+"
# Inject custom firewall rules into whonix_firewall
sed -i -f - /usr/bin/whonix_firewall <<-EOF
/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
## IPv4 DROP INVALID INCOMING PACKAGES \\
## \\
## --- THE FOLLOWING WS INJECTED --- \\
## Qubes Tiny Proxy Updater \\
iptables -t nat -N PR-QBS-SERVICES \\
iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
\\
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
# Allows localhost access to tor network \\
#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
######################################
EOF
fi
# Load the firewall
# XXX: TODO: Take down all network accesss if firewall fails
/usr/bin/whonix_firewall
systemctl restart qubes-updates-proxy.service
fi


@ -1,16 +0,0 @@
[Unit]
Description = Anonymizing overlay network for TCP
After = syslog.target network.target nss-lookup.target
[Service]
Type = simple
ExecStart = /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --quiet
ExecReload = /bin/kill -HUP ${MAINPID}
ExecStop = /bin/kill -INT ${MAINPID}
TimeoutSec = 60
Restart = on-failure
LimitNOFILE = 32768
[Install]
WantedBy = multi-user.target
Alias=tor.service


@ -1,118 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
# Search though files and updates IP address to the current
# IP address(es)
FILES=(
'/usr/lib/leaktest-workstation/simple_ping.py'
'/usr/lib/whonixcheck/preparation'
'/usr/share/anon-kde-streamiso/share/config/kioslaverc'
'/usr/bin/whonix_firewall'
'/etc/whonix_firewall.d/30_default'
'/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh'
'/usr/bin/uwt'
'/etc/uwt.d/30_uwt_default'
'/usr/share/tor/tor-service-defaults-torrc.anondist'
'/usr/bin/update-torbrowser'
'/etc/network/interfaces.whonix'
'/etc/resolv.conf.anondist'
'/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin'
'/etc/rinetd.conf.anondist'
'/etc/network/interfaces.whonix'
'/usr/share/anon-torchat/.torchat/torchat.ini'
)
# sed search and replace. return 0 if replace happened, otherwise 1
search_replace() {
local search="${1}"
local replace="${2}"
local file="${3}"
local retval=1
if ! [ -L "${file}" ]; then
ls_attrs="$(lsattr "${file}")"
ls_attrs=${ls_attrs:4:1}
if [ "${ls_attrs}" == "i" ]; then
chattr -i "${file}"
fi
fi
sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
retval=$?
if [ "${ls_attrs}" = "i" ]; then
chattr +i "${file}"
fi
return $retval
}
function replace_ips()
{
local search_ip="${1}"
local replace_ip="${2}"
local files=("${!3}")
local retval=1
# If IP is 10.152.152.10, network is 10.152.152.0
search_network="${search_ip%[.]*}.0"
replace_network="${replace_ip%[.]*}.0"
if ! [ "${search_ip}" = "${replace_ip}" ]; then
for file in "${files[@]}"; do
if [ -f "$file" ]; then
search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0
search_replace "${search_network}" "${replace_network}" "${file}" && retval=0
fi
done
fi
return $retval
}
update_ip() {
ip=${1}
echo "${ip}" > /etc/whonix-netvm-gateway
grep '^DisableNetwork 0$' /etc/tor/torrc && {
service tor status && {
service tor reload || true;
}
}
}
if [ "${WHONIX}" == "gateway" ]; then
ip="$(xenstore-read qubes-netvm-gateway)"
if [ x${ip} != x ]; then
# Compare to current IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}"
# Do again; checking for original 10.152.152.10 incase of update
replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}"
# Do again; checking for original 10.152.152.11 incase of update
replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}"
fi
elif [ "${WHONIX}" == "workstation" ]; then
ip="$(xenstore-read qubes-ip)"
gateway="$(xenstore-read qubes-gateway)"
if [ x${ip} != x ]; then
# Compare to current IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
# Do again; checking for original 10.152.152.11 incase of update
replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
fi
if [ x${gateway} != x ]; then
# Compare to current gateway IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
# Do again; checking for original 10.152.152.10 incase of update
replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
fi
fi


@ -1,18 +0,0 @@
[Unit]
Description=Checks many important aspects of Whonix.
After=syslog.target network.target
[Service]
Type=forking
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/run/whonixcheck
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonixcheck
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonix/whonixblog
ExecStart=/usr/lib/whonixcheckdaemon
PIDFile=/var/run/whonixcheck.pid
User=user
Group=user
UMask=0007
StandardOutput=syslog
[Install]
WantedBy=multi-user.target


@ -1,9 +0,0 @@
update:
icon: Critical
en:
title: Tor netvm required for updates
message: |
<p><B>Tor netvm required for updates!</B></p>
<p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
<p>No updates are possible without an active (running) Whonix gateway VM.</p>


@ -1,41 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if ! [ "${WHONIX}" == "template" ]; then
sudo /usr/lib/whonix/bind-dirs.sh
fi
if [ "${WHONIX}" == "gateway" ]; then
if grep "^DisableNetwork 0$" /etc/tor/torrc ;then
sudo service sdwdate restart
sudo service tor restart
else
sudo service sdwdate restart
sudo service tor stop
sudo /usr/bin/whonixsetup
fi
elif [ "${WHONIX}" == "workstation" ]; then
sudo service sdwdate restart
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
sudo /usr/bin/whonixsetup
fi
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
# Set secure defaults.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
# Flush old rules.
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
# Display warning that netvm is not connected to a torvm
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
fi


@ -1,94 +0,0 @@
#!/bin/bash
# /etc/uwt.d/50_uwt_default relies on this in order to allow connection
# to proxy for template
PROXY_SERVER="http://10.137.255.254:8082/"
PROXY_META='<meta name=\"application-name\" content=\"tor proxy\"\/>'
if [ -f "/var/run/qubes-service/updates-proxy-setup" ]; then
WHONIX="template"
elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
WHONIX="gateway"
elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
WHONIX="workstation"
else
WHONIX="unknown"
fi
if [ "${WHONIX}" == "template" ]; then
curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}" && {
PROXY_SECURE=1
} || {
PROXY_SECURE=0
}
fi
immutableFilesEnable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
sudo chattr +i "${file}${suffix}"
fi
done
}
immutableFilesDisable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
sudo chattr -i "${file}${suffix}"
fi
done
}
copyAnondist() {
file="${1}"
suffix="${2-.anondist}"
# Remove any softlinks first
if [ -L "${file}" ]; then
sudo rm -f "${file}"
fi
if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
sudo chattr -i "${file}"
sudo rm -f "${file}"
sudo cp -p "${file}${suffix}" "${file}"
sudo chattr +i "${file}"
elif ! [ -f "${file}" ]; then
sudo cp -p "${file}${suffix}" "${file}"
sudo chattr +i "${file}"
fi
}
# Will only enable / disable if service is not already in that state
enable_sysv() {
servicename=${1}
disable=${2-0}
# Check to see if the service is already enabled and if not, enable it
string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}"
if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then
case ${disable} in
0)
echo "${1} is currently disabled; enabling it"
sudo systemctl --quiet enable ${servicename}
;;
1)
echo "${1} is currently enabled; disabling it"
sudo service ${servicename} stop
sudo systemctl --quiet disable ${servicename}
;;
esac
fi
}
disable_sysv() {
enable_sysv ${1} 1
}


@ -1 +0,0 @@
../wheezy+whonix/packages_wheezy.list


@ -1,7 +1,8 @@
git
curl
sudo
locales
haveged
curl
console-data
console-common
initramfs-tools
@ -12,17 +13,14 @@ less
lsof
most
pciutils
strace
sysfsutils
usbutils
lsb-release
acpi-support-base
haveged
build-essential:native
gcc
fakeroot
lintian
rsync
grub-pc
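Review bot: The build-only packages in the second hunk (build-essential:native, gcc, fakeroot, lintian) should not remain installed in the shipped template; the rendering has lost the +/- markers, so I cannot tell from this page which of them survive on the new side. If any do stay in the final list, purge them in the cleanup step (e.g. `apt-get purge build-essential gcc fakeroot lintian` after the qubes-whonix package is built) so the template does not carry a compiler toolchain into every AppVM cloned from it. The same applies to grub-pc, which a Qubes PV template does not boot with; the old prepare script worked around its dependency by faking a grub install rather than shipping it.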


@ -0,0 +1 @@
wheezy+whonix-gateway


@ -1 +0,0 @@
../wheezy+whonix/00_prepare_pre.sh


@ -1 +0,0 @@
../wheezy+whonix/01_install_core_post.sh


@ -1 +0,0 @@
../wheezy+whonix/02_install_groups_packages_installed.sh


@ -1 +0,0 @@
../wheezy+whonix/04_install_qubes_post.sh


@ -1 +0,0 @@
../wheezy+whonix/09_cleanup_post.sh


@ -1,30 +0,0 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# whonix-netvm-gateway contains last known IP used to search and replace
# ------------------------------------------------------------------------------
if [ -f "${INSTALLDIR}/tmp/.whonix_prepared" -a ! -f "${INSTALLDIR}/tmp/.whonix_custom_configurations" ]; then
# --------------------------------------------------------------------------
# Install Custom Configurations
# --------------------------------------------------------------------------
echo "10.152.152.11" > "${INSTALLDIR}/etc/whonix-ip"
echo "10.152.152.10" > "${INSTALLDIR}/etc/whonix-netvm-gateway"
touch "${INSTALLDIR}/tmp/.whonix_custom_configurations"
fi


@ -1,224 +0,0 @@
# file: .
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd/system
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd/system/qubes-whonix-firewall.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: lib/systemd/system/qubes-whonix-network.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: lib/systemd/system/qubes-whonix-init.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/hosts
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/uwt.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/uwt.d/50_uwt_default
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/xdg
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/autostart
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/autostart/qubes-whonixsetup.desktop
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/hostname
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/sudoers.d
# owner: root
# group: root
user::rwx
group::r-x
other::---
# file: etc/sudoers.d/whonix-build
# owner: root
# group: root
user::r--
group::r--
other::---
# file: .facl
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/utility_functions
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/bind-dirs.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/qubes-whonix-firewall.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/replace-ips
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/init.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/network-proxy-setup.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/messages.yaml
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/alert
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/qubes-whonixsetup
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/enable-iptables-logging.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x


@ -1,7 +0,0 @@
## Anonymity Distribution /etc/hosts
## Anonymity Distribution specific
127.0.0.1 host.localdomain host
## End of Anonymity Distribution specific
## End of Anonymity Distribution /etc/hosts


@ -1 +0,0 @@
user ALL=(ALL) NOPASSWD: ALL


@ -1,6 +0,0 @@
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]; then
uwtwrapper["/usr/bin/apt-get"]="0"
fi


@ -1,8 +0,0 @@
## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
[Desktop Entry]
Type=Application
Terminal=false
Exec=/usr/lib/whonix/qubes-whonixsetup


@ -1,12 +0,0 @@
[Unit]
Description=Qubes Whonix firewall updater
After=qubes-whonix-network.service
Before=network.target
[Service]
ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
Alias=qubes-firewall.service


@ -1,13 +0,0 @@
[Unit]
Description=Qubes Whonix initialization script
After=qubes-whonix-network.service
Before=qubes-whonix-firewall.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/whonix/init/init.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target


@ -1,15 +0,0 @@
[Unit]
Description=Qubes Whonix network proxy setup
ConditionPathExists=/var/run/qubes-service/qubes-network
Before=network.target
After=iptables.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
Alias=qubes-network.service


@ -1,90 +0,0 @@
#!/usr/bin/python
#
# Copyright 2014 Jason Mehring (nrgaway@gmail.com)
#
from PyQt4 import QtGui
import locale
import yaml
DEFAULT_LANG = 'en'
class Messages():
filename = None
data = None
language = DEFAULT_LANG
title = None
icon = None
message = None
def __init__(self, section, filename):
self.filename = filename
language = locale.getdefaultlocale()[0].split('_')[0]
if language:
self.language = language
try:
stream = file(filename, 'r')
data = yaml.load(stream)
if section in data.keys():
section = data[section]
self.icon = section.get('icon', None)
language = section.get(self.language, DEFAULT_LANG)
self.title = language.get('title', None)
self.message = language.get('message', None)
except (IOError):
pass
except (yaml.scanner.ScannerError, yaml.parser.ParserError):
pass
class WhonixMessageBox(QtGui.QMessageBox):
def __init__(self, message):
super(WhonixMessageBox, self).__init__()
self.message = message
self.initUI()
def initUI(self):
message = self.message
if message.title:
self.setWindowTitle(message.title)
if message.icon:
self.setIcon(getattr(QtGui.QMessageBox, message.icon))
if message.message:
self.setText(message.message)
self.exec_()
import argparse
import sys
def main():
parser = argparse.ArgumentParser(description='Display a QT Message Box')
parser.add_argument('section', help="Message section")
parser.add_argument('filename', help="File including full path")
args = parser.parse_args()
if not args.filename and args.section:
print parser.usage()
sys.exit(1)
app = QtGui.QApplication(sys.argv)
message = Messages(args.section, args.filename)
dialog = WhonixMessageBox(message)
sys.exit()
if __name__ == "__main__":
main()


@ -1,58 +0,0 @@
#!/bin/bash
#
# To umount all binds, just pass any arg in $1
#
. /usr/lib/whonix/utility_functions
# Don't run if started as a template
if ! [ "${WHONIX}" == "template" ]; then
# Array of directories to bind
BINDS=(
'/rw/srv/whonix/root/.whonix:/root/.whonix'
'/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
'/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
'/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
'/rw/srv/whonix/etc/tor:/etc/tor'
)
for bind in ${BINDS[@]}; do
rw_dir="${bind%%:*}"
ro_dir="${bind##*:}"
# Make sure ro directory is not mounted
umount "${ro_dir}" 2> /dev/null || true
if [ -n "${1}" ]; then
echo "Umounting only..."
exit 0
fi
# Make sure ro directory exists
if ! [ -d "${ro_dir}" ]; then
mkdir -p "${ro_dir}"
fi
# Initially copy over data directories to /rw if rw directory does not exist
if ! [ -d "${rw_dir}" ]; then
mkdir -p "${rw_dir}"
rsync -hax "${ro_dir}/." "${rw_dir}"
fi
# Bind the directory
sync
mount --bind "${rw_dir}" "${ro_dir}"
done
sync
fi
if [ "${WHONIX}" == "gateway" ]; then
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi
exit 0


@ -1,30 +0,0 @@
#!/bin/bash
# Check /var/log/kern.log for logging results
LOG_IP4=1
LOG_IP6=0
# for IPv4
if [ "$LOG_IP4" == "1" ]; then
iptables -t raw -A OUTPUT -p icmp -j TRACE
iptables -t raw -A PREROUTING -p icmp -j TRACE
modprobe ipt_LOG
fi
# for IPv6
if [ "$LOG_IP6" == "1" ]; then
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
modprobe ip6t_LOG
fi
# Redirect local port to remote via socat
#apt-get install socat
#socat TCP4-LISTEN:8082,fork,mode=0666,user=root,group=root TCP4:10.137.255.254:8082
#
# Works
# localhost/loopback maps localhost port 8082 to localhost port 8888
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888


@ -1,30 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" != "template" ]; then
# Files that will have the immutable bit set
# since we don't want them modified by other programs
IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname'
'/etc/hosts'
)
# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/init/replace-ips
# Make sure hostname is correct
/bin/hostname host
fi


@ -1,57 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
INTERFACE="eth1"
if [ "${WHONIX}" == "gateway" ]; then
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Setup Xen / Qubes proxy
network=$(xenstore-read qubes-netvm-network 2>/dev/null)
if [ "x$network" != "x" ]; then
gateway=$(xenstore-read qubes-netvm-gateway)
netmask=$(xenstore-read qubes-netvm-netmask)
secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
modprobe netbk 2> /dev/null || modprobe xen-netback
echo "NS1=$gateway" > /var/run/qubes/qubes-ns
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
#/usr/lib/qubes/qubes-setup-dnat-to-ns
echo "0" > /proc/sys/net/ipv4/ip_forward
/sbin/ethtool -K eth0 sg off || :
fi
# Now, assign it the netvm-gateway IP address
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
if [ x${ip} != x ]; then
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
/sbin/ip link add ${INTERFACE} type dummy
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off || true
/sbin/ethtool -K ${INTERFACE} tx off || true
ip link set ${INTERFACE} up
fi
echo "0" > /proc/sys/net/ipv4/ip_forward
# Allow whonix-gateway to act as an update-proxy
touch /var/run/qubes-service/qubes-updates-proxy
# Search and replace tinyproxy error files so we can inject code that
# we can use to identify that its a tor proxy so updates are secure
error_file="/usr/share/tinyproxy/default.html"
grep -q "${PROXY_META}" "${error_file}" || {
sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
}
fi


@ -1,49 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Make sure IP forwarding is disabled
echo "0" > /proc/sys/net/ipv4/ip_forward
if [ "${WHONIX}" != "template" ]; then
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Start Whonix Firewall
if [ "${WHONIX}" == "gateway" ]; then
export INT_IF="vif+"
export INT_TIF="vif+"
# Inject custom firewall rules into whonix_firewall
sed -i -f - /usr/bin/whonix_firewall <<-EOF
/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
## IPv4 DROP INVALID INCOMING PACKAGES \\
## \\
## --- THE FOLLOWING WS INJECTED --- \\
## Qubes Tiny Proxy Updater \\
iptables -t nat -N PR-QBS-SERVICES \\
iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
\\
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
# Allows localhost access to tor network \\
#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
######################################
EOF
fi
# Load the firewall
# XXX: TODO: Take down all network accesss if firewall fails
/usr/bin/whonix_firewall
systemctl restart qubes-updates-proxy.service
fi


@ -1,118 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
# Search though files and updates IP address to the current
# IP address(es)
FILES=(
'/usr/lib/leaktest-workstation/simple_ping.py'
'/usr/lib/whonixcheck/preparation'
'/usr/share/anon-kde-streamiso/share/config/kioslaverc'
'/usr/bin/whonix_firewall'
'/etc/whonix_firewall.d/30_default'
'/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh'
'/usr/bin/uwt'
'/etc/uwt.d/30_uwt_default'
'/usr/share/tor/tor-service-defaults-torrc.anondist'
'/usr/bin/update-torbrowser'
'/etc/network/interfaces.whonix'
'/etc/resolv.conf.anondist'
'/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin'
'/etc/rinetd.conf.anondist'
'/etc/network/interfaces.whonix'
'/usr/share/anon-torchat/.torchat/torchat.ini'
)
# sed search and replace. return 0 if replace happened, otherwise 1
search_replace() {
local search="${1}"
local replace="${2}"
local file="${3}"
local retval=1
if ! [ -L "${file}" ]; then
ls_attrs="$(lsattr "${file}")"
ls_attrs=${ls_attrs:4:1}
if [ "${ls_attrs}" == "i" ]; then
chattr -i "${file}"
fi
fi
sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
retval=$?
if [ "${ls_attrs}" = "i" ]; then
chattr +i "${file}"
fi
return $retval
}
function replace_ips()
{
local search_ip="${1}"
local replace_ip="${2}"
local files=("${!3}")
local retval=1
# If IP is 10.152.152.10, network is 10.152.152.0
search_network="${search_ip%[.]*}.0"
replace_network="${replace_ip%[.]*}.0"
if ! [ "${search_ip}" = "${replace_ip}" ]; then
for file in "${files[@]}"; do
if [ -f "$file" ]; then
search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0
search_replace "${search_network}" "${replace_network}" "${file}" && retval=0
fi
done
fi
return $retval
}
update_ip() {
ip=${1}
echo "${ip}" > /etc/whonix-netvm-gateway
grep '^DisableNetwork 0$' /etc/tor/torrc && {
service tor status && {
service tor reload || true;
}
}
}
if [ "${WHONIX}" == "gateway" ]; then
ip="$(xenstore-read qubes-netvm-gateway)"
if [ x${ip} != x ]; then
# Compare to current IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}"
# Do again; checking for original 10.152.152.10 incase of update
replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}"
# Do again; checking for original 10.152.152.11 incase of update
replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}"
fi
elif [ "${WHONIX}" == "workstation" ]; then
ip="$(xenstore-read qubes-ip)"
gateway="$(xenstore-read qubes-gateway)"
if [ x${ip} != x ]; then
# Compare to current IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
# Do again; checking for original 10.152.152.11 incase of update
replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
fi
if [ x${gateway} != x ]; then
# Compare to current gateway IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
# Do again; checking for original 10.152.152.10 incase of update
replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
fi
fi


@ -1,9 +0,0 @@
update:
icon: Critical
en:
title: Tor netvm required for updates
message: |
<p><B>Tor netvm required for updates!</B></p>
<p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
<p>No updates are possible without an active (running) Whonix gateway VM.</p>


@ -1,41 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if ! [ "${WHONIX}" == "template" ]; then
sudo /usr/lib/whonix/bind-dirs.sh
fi
if [ "${WHONIX}" == "gateway" ]; then
if grep "^DisableNetwork 0$" /etc/tor/torrc ;then
sudo service sdwdate restart
sudo service tor restart
else
sudo service sdwdate restart
sudo service tor stop
sudo /usr/bin/whonixsetup
fi
elif [ "${WHONIX}" == "workstation" ]; then
sudo service sdwdate restart
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
sudo /usr/bin/whonixsetup
fi
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
# Set secure defaults.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
# Flush old rules.
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
# Display warning that netvm is not connected to a torvm
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
fi


@ -1,94 +0,0 @@
#!/bin/bash
# /etc/uwt.d/50_uwt_default relies on this in order to allow connection
# to proxy for template
PROXY_SERVER="http://10.137.255.254:8082/"
PROXY_META='<meta name=\"application-name\" content=\"tor proxy\"\/>'
if [ -f "/var/run/qubes-service/updates-proxy-setup" ]; then
WHONIX="template"
elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
WHONIX="gateway"
elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
WHONIX="workstation"
else
WHONIX="unknown"
fi
if [ "${WHONIX}" == "template" ]; then
curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}" && {
PROXY_SECURE=1
} || {
PROXY_SECURE=0
}
fi
immutableFilesEnable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
sudo chattr +i "${file}${suffix}"
fi
done
}
immutableFilesDisable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
sudo chattr -i "${file}${suffix}"
fi
done
}
copyAnondist() {
file="${1}"
suffix="${2-.anondist}"
# Remove any softlinks first
if [ -L "${file}" ]; then
sudo rm -f "${file}"
fi
if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
sudo chattr -i "${file}"
sudo rm -f "${file}"
sudo cp -p "${file}${suffix}" "${file}"
sudo chattr +i "${file}"
elif ! [ -f "${file}" ]; then
sudo cp -p "${file}${suffix}" "${file}"
sudo chattr +i "${file}"
fi
}
# Will only enable / disable if service is not already in that state
enable_sysv() {
servicename=${1}
disable=${2-0}
# Check to see if the service is already enabled and if not, enable it
string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}"
if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then
case ${disable} in
0)
echo "${1} is currently disabled; enabling it"
sudo systemctl --quiet enable ${servicename}
;;
1)
echo "${1} is currently enabled; disabling it"
sudo service ${servicename} stop
sudo systemctl --quiet disable ${servicename}
;;
esac
fi
}
disable_sysv() {
enable_sysv ${1} 1
}


@ -1 +0,0 @@
../wheezy+whonix/packages_wheezy.list


@ -1,73 +0,0 @@
#!/bin/bash -x
# vim: set ts=4 sw=4 sts=4 et :
################################################################################
# Allows a pre-built image to be used (if it exists) for installing
# Whonix. This option is useful only for debugging Whonix installations
#
# To use, first create a regualr wheezy template and manually copy the prepared
# image to debian-7-x64-prepard.img
#
# Example:
# cp ~/qubes-builder/qubes-src/linux-template-builder/prepared_images/debian-7-x64.img ~/qubes-builder/qubes-src/linux-template-builder/prepared_images/debian-7-x64-whonix-gateway-prepard.img
################################################################################
# ------------------------------------------------------------------------------
# Return if SNAPSHOT is not "1"
# ------------------------------------------------------------------------------
# This script is only used if SNAPSHOT is set
if [ ! "${SNAPSHOT}" == "1" ]; then
exit 0
fi
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
INSTALLDIR="$(readlink -m mnt)"
# ------------------------------------------------------------------------------
# Use a snapshot of the debootstraped debian image to install Whonix (for DEBUGGING)
# ------------------------------------------------------------------------------
manage_snapshot() {
umount_kill "${INSTALLDIR}" || :
mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1
# Remove old snapshots if whonix completed
if [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then
warn "Removing stale snapshots"
umount_kill "${INSTALLDIR}" || :
rm -rf "$debootstrap_snapshot"
rm -rf "$updated_snapshot"
return
fi
warn "Copying $1 to ${IMG}"
mount -o loop "$1" "${INSTALLDIR}" || exit 1
rm -f "${INSTALLDIR}/tmp/.prepared_groups"
umount_kill "${INSTALLDIR}" || :
cp -f "$1" "${IMG}"
}
splitPath "${IMG}" path_parts
debootstrap_snapshot="${path_parts[dir]}${path_parts[base]}-debootstrap${path_parts[dotext]}"
updated_snapshot="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}"
if [ -f "$updated_snapshot" ]; then
manage_snapshot "$updated_snapshot"
elif [ -f "$debootstrap_snapshot" ]; then
manage_snapshot "$debootstrap_snapshot"
fi


@ -1,38 +0,0 @@
#!/bin/sh
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Return if SNAPSHOT is not "1"
# ------------------------------------------------------------------------------
# This script is only used if SNAPSHOT is set
if [ ! "${SNAPSHOT}" == "1" ]; then
exit 0
fi
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# Create a snapshot of the already debootstraped image
# ------------------------------------------------------------------------------
splitPath "${IMG}" path_parts
PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-debootstrap${path_parts[dotext]}"
if ! [ -f "${PREPARED_IMG}" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then
umount_kill "${INSTALLDIR}" || :
warn "Copying ${IMG} to ${PREPARED_IMG}"
cp -f "${IMG}" "${PREPARED_IMG}"
mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1
fi


@ -1,310 +0,0 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# XXX: Create a snapshot - Only for DEBUGGING!
# ------------------------------------------------------------------------------
# Only execute if SNAPSHOT is set
if [ "${SNAPSHOT}" == "1" ]; then
splitPath "${IMG}" path_parts
PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}"
if ! [ -f "${PREPARED_IMG}" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
umount_kill "${INSTALLDIR}" || :
warn "Copying ${IMG} to ${PREPARED_IMG}"
cp -f "${IMG}" "${PREPARED_IMG}"
mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1
for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "${INSTALLDIR}/$fs"; done
fi
fi
# ------------------------------------------------------------------------------
# chroot Whonix build script
# ------------------------------------------------------------------------------
read -r -d '' WHONIX_BUILD_SCRIPT <<'EOF' || true
################################################################################
# Pre Fixups
sudo mkdir -p /boot/grub2
sudo touch /boot/grub2/grub.cfg
sudo mkdir -p /boot/grub
sudo touch /boot/grub/grub.cfg
sudo mkdir --parents --mode=g+rw "/tmp/uwt"
# Whonix seems to re-install sysvinit even though there is a hold
# on the package. Things seem to work anyway. BUT hopfully the
# hold on grub* don't get removed
sudo apt-mark hold sysvinit
sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common
# Whonix expects haveged to be started
sudo /etc/init.d/haveged start
# Whonix does not always fix permissions after writing as sudo, especially
# when running whonixsetup so /var/lib/whonix/done_once is not readable by
# user, so set defualt umask for sudo
#sudo su -c 'echo "Defaults umask = 0002" >> /etc/sudoers'
#sudo su -c 'echo "Defaults umask_override" >> /etc/sudoers'
################################################################################
# Whonix installation
export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1"
pushd ~/Whonix
sudo ~/Whonix/whonix_build \
--build $1 \
--64bit-linux \
--current-sources \
--enable-whonix-apt-repository \
--whonix-apt-repository-distribution $2 \
--install-to-root \
--skip-verifiable \
--minimal-report \
--skip-sanity-tests || { exit 1; }
popd
EOF
# ------------------------------------------------------------------------------
# Cleanup function
# ------------------------------------------------------------------------------
function cleanup() {
error "Whonix error; umounting ${INSTALLDIR} to prevent further writes"
umount_kill "${INSTALLDIR}" || :
exit 1
}
trap cleanup ERR
trap cleanup EXIT
# ------------------------------------------------------------------------------
# Mount devices, etc required for Whonix installation
# ------------------------------------------------------------------------------
if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
info "Preparing Whonix system"
# --------------------------------------------------------------------------
# Initialize Whonix submodules
# --------------------------------------------------------------------------
pushd "${WHONIX_DIR}"
{
git add Makefile || true
git commit Makefile -m 'Added Makefile' || true
su $(logname) -c "git submodule update --init --recursive";
}
popd
# --------------------------------------------------------------------------
# Fake grub installation since Whonix has depends on grub-pc
# --------------------------------------------------------------------------
mkdir -p "${INSTALLDIR}/boot/grub"
cp "${INSTALLDIR}/usr/lib/grub/i386-pc/"* "${INSTALLDIR}/boot/grub"
rm -f "${INSTALLDIR}/usr/sbin/update-grub"
chroot "${INSTALLDIR}" ln -s /bin/true /usr/sbin/update-grub
# --------------------------------------------------------------------------
# sed search and replace. return 0 if replace happened, otherwise 1
# --------------------------------------------------------------------------
search_replace() {
local search="$1"
local replace="$2"
local file="$3"
sed -i.bak '/'"$search"'/,${s//'"$replace"'/;b};$q1' "$file"
}
# --------------------------------------------------------------------------
# Whonix system config dependancies
# --------------------------------------------------------------------------
# Qubes needs a user named 'user'
debug "Whonix Add user"
chroot "${INSTALLDIR}" id -u 'user' >/dev/null 2>&1 || \
{
# UID needs match host user to have access to Whonix sources
chroot "${INSTALLDIR}" groupadd -f user
[ -n "$SUDO_UID" ] && USER_OPTS="-u $SUDO_UID"
chroot "${INSTALLDIR}" useradd -g user $USER_OPTS -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
if [ `chroot "${INSTALLDIR}" id -u user` != 1000 ]; then
chroot "${INSTALLDIR}" useradd -g user -u 1000 -M -s /bin/bash user-placeholder
fi
}
# Install Whonix build scripts
echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build.sh"
chmod 0755 "${INSTALLDIR}/home/user/whonix_build.sh"
# ------------------------------------------------------------------------------
# Copy over any extra files
# ------------------------------------------------------------------------------
copyTree "files"
touch "${INSTALLDIR}/tmp/.whonix_prepared"
fi
# ------------------------------------------------------------------------------
# Install Whonix
# ------------------------------------------------------------------------------
if [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_installed" ]; then
info "Installing Whonix system"
# --------------------------------------------------------------------------
# Install Whonix code base
# --------------------------------------------------------------------------
if ! [ -d "${INSTALLDIR}/home/user/Whonix" ]; then
debug "Installing Whonix build environment..."
chroot "${INSTALLDIR}" su user -c 'mkdir /home/user/Whonix'
fi
if [ -d "${INSTALLDIR}/home/user/Whonix" ]; then
debug "Building Whonix..."
mount --bind "../Whonix" "${INSTALLDIR}/home/user/Whonix"
fi
if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then
BUILD_TYPE="--torgateway"
elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then
BUILD_TYPE="--torworkstation"
else
error "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules"
error "You need to set TEMPLATE_FLAVOR environment variable to either"
error "whonix-gateway OR whonix-workstation"
exit 1
fi
chroot "${INSTALLDIR}" su user -c "cd ~; ./whonix_build.sh ${BUILD_TYPE} ${DIST}" || { exit 1; }
touch "${INSTALLDIR}/tmp/.whonix_installed"
fi
# ------------------------------------------------------------------------------
# Whonix Post Installation Configurations
# ------------------------------------------------------------------------------
if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then
info "Post Configuring Whonix System"
# Don't need Whonix interfaces; restore original
pushd "${INSTALLDIR}/etc/network"
{
rm -f interfaces;
ln -s interfaces.backup interfaces;
}
popd
# Qubes installation will need a normal resolv.conf; will be restored back
# in 04_qubes_install_post.sh within the wheezy+whonix-* directories
pushd "${INSTALLDIR}/etc"
{
rm -f resolv.conf;
cp -p resolv.conf.backup resolv.conf;
}
popd
# Remove link to hosts file and copy original back
# Will get set back to Whonix hosts file when the
# /usr/lib/whonix/setup-ip is run on startup
pushd "${INSTALLDIR}/etc"
{
rm -f hosts;
cp -p hosts.anondist-orig hosts;
}
popd
# Enable Tor
#if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then
# sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "${INSTALLDIR}/etc/tor/torrc"
#fi
# Restore default user UID to have the same in all builds regardless of build host
if [ -n "`chroot "${INSTALLDIR}" id -u user-placeholder`" ]; then
chroot "${INSTALLDIR}" userdel user-placeholder
chroot "${INSTALLDIR}" usermod -u 1000 user
fi
# Enable aliases in .bashrc
sed -i "s/^# export/export/g" "${INSTALLDIR}/root/.bashrc"
sed -i "s/^# eval/eval/g" "${INSTALLDIR}/root/.bashrc"
sed -i "s/^# alias/alias/g" "${INSTALLDIR}/root/.bashrc"
sed -i "s/^#force_color_prompt/force_color_prompt/g" "${INSTALLDIR}/home/user/.bashrc"
sed -i "s/#alias/alias/g" "${INSTALLDIR}/home/user/.bashrc"
sed -i "s/alias l='ls -CF'/alias l='ls -l'/g" "${INSTALLDIR}/home/user/.bashrc"
# Fake that initializer was already run
mkdir -p "${INSTALLDIR}/root/.whonix"
touch "${INSTALLDIR}/root/.whonix/first_run_initializer.done"
# Prevent whonixcheck error
echo 'WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"' >> "${INSTALLDIR}/etc/whonix.d/30_whonixcheck_default"
# Use gdialog as an alternative for dialog
mv -f "${INSTALLDIR}/usr/bin/dialog" "${INSTALLDIR}/usr/bin/dialog.dist"
chroot "${INSTALLDIR}" update-alternatives --force --install /usr/bin/dialog dialog /usr/bin/gdialog 999
# Disable unwanted applications
chroot "${INSTALLDIR}" update-rc.d network-manager disable || :
chroot "${INSTALLDIR}" update-rc.d spice-vdagent disable || :
chroot "${INSTALLDIR}" update-rc.d swap-file-creator disable || :
chroot "${INSTALLDIR}" update-rc.d whonix-initializer disable || :
chroot "${INSTALLDIR}" service apt-cacher-ng stop || :
chroot "${INSTALLDIR}" update-rc.d apt-cacher-ng disable || :
# Tor will be re-enabled upon initial configuration
chroot "${INSTALLDIR}" update-rc.d tor disable || :
chroot "${INSTALLDIR}" update-rc.d sdwdate disable || :
# Remove apt-cacher-ng
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot ${INSTALLDIR} apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng
# Remove original sources.list
rm -f "${INSTALLDIR}/etc/apt/sources.list"
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot ${INSTALLDIR} apt-get.anondist-orig update
touch "${INSTALLDIR}/tmp/.whonix_post"
fi
# ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor scripts
# ------------------------------------------------------------------------------
buildStep "99_custom_configuration.sh"
# ------------------------------------------------------------------------------
# Bring back original apt-get for installation of Qubues
# ------------------------------------------------------------------------------
pushd "${INSTALLDIR}/usr/bin"
{
rm -f apt-get;
cp -p apt-get.anondist-orig apt-get;
}
popd
# ------------------------------------------------------------------------------
# Make sure the temporary policy-rc.d to prevent apt from starting services
# on package installation is still active; Whonix may have reset it
# ------------------------------------------------------------------------------
cat > "${INSTALLDIR}/usr/sbin/policy-rc.d" <<EOF
#!/bin/sh
return 101 # Action forbidden by policy
EOF
chmod 755 "${INSTALLDIR}/usr/sbin/policy-rc.d"
# ------------------------------------------------------------------------------
# Leave cleanup to calling function
# ------------------------------------------------------------------------------
trap - ERR EXIT
trap


@ -1,59 +0,0 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
#
# Whonix Post Install Steps (after qubes install)
#
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# Enable Qubes-Whonix services
# ------------------------------------------------------------------------------
chroot "${INSTALLDIR}" systemctl disable qubes-whonix-network.service || :
chroot "${INSTALLDIR}" systemctl enable qubes-whonix-network.service || :
chroot "${INSTALLDIR}" systemctl disable qubes-whonix-firewall.service || :
chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall.service || :
chroot "${INSTALLDIR}" systemctl enable qubes-whonix-init.service || :
# ------------------------------------------------------------------------------
# Restore Whonix apt-get
# ------------------------------------------------------------------------------
pushd "${INSTALLDIR}/usr/bin"
{
rm -f apt-get;
cp -p apt-get.anondist apt-get;
}
popd
# ------------------------------------------------------------------------------
# Restore whonix resolv.conf
# ------------------------------------------------------------------------------
pushd "${INSTALLDIR}/etc"
{
rm -f resolv.conf;
cp -p resolv.conf.anondist resolv.conf;
}
popd
# ------------------------------------------------------------------------------
# Cleanup Whonix Installation
# ------------------------------------------------------------------------------
rm -rf "${INSTALLDIR}"/home/user/Whonix
rm -rf "${INSTALLDIR}"/home/user/whonix_binary
rm -f "${INSTALLDIR}"/home/user/whonix_fix
rm -f "${INSTALLDIR}"/home/user/whonix_build.sh


@ -1,18 +0,0 @@
#!/bin/sh
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
rm -f "${INSTALLDIR}/etc/sudoers.d/whonix-build"