From 82a68e9c876f83168fe14b1e9e9e2583379189ff Mon Sep 17 00:00:00 2001 
From: Jason Mehring Date: Wed, 29 Oct 2014 12:53:35 -0400 Subject: [PATCH] Added initial configuration dialog setup for whonix-gateway --- .../wheezy+whonix-gateway/files/.facl | 113 ++++++++++++- .../files/etc/apt/preferences.d/whonix_qubes | 15 ++ .../xdg/autostart/qubes-whonixsetup.desktop | 8 + .../files/home/user/.whonix_build.sh.swp | Bin 0 -> 12288 bytes .../user/build-steps.d/1000_qubes-patches.sh | 92 ++++++++++ .../2900_qubes-post-installation.sh | 60 +++++++ .../files/home/user/whonix_build.sh | 41 +++++ .../files/home/user/whonix_fix.sh | 3 + .../files/usr/lib/whonix/qubes-whonixsetup | 23 +++ .../files/usr/lib/whonix/replace-ips | 31 ++-- .../files/usr/lib/whonix/setup-ip | 46 +++-- .../files/home/user/whonix_build.sh | 41 +++++ .../files/usr/lib/whonix/replace-ips | 23 ++- .../files/usr/lib/whonix/setup-ip | 5 +- .../02_install_groups_packages_installed.sh | 22 ++- ...groups_packages_installed.sh.build-steps.d | 157 ++++++++++++++++++ 16 files changed, 629 insertions(+), 51 deletions(-) create mode 100644 scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes create mode 100644 scripts_debian/wheezy+whonix-gateway/files/etc/xdg/autostart/qubes-whonixsetup.desktop create mode 100644 scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp create mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh create mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh create mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh create mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh create mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup create mode 100755 scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh create mode 100755 
scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl index 9e5e47b..e81b167 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/.facl +++ b/scripts_debian/wheezy+whonix-gateway/files/.facl @@ -1,6 +1,6 @@ # file: . -# owner: root -# group: root +# owner: user +# group: user user::rwx group::r-x other::r-x @@ -19,6 +19,48 @@ user::rw- group::r-- other::r-- +# file: etc/xdg +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/xdg/autostart +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/xdg/autostart/qubes-whonixsetup.desktop +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/apt +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/apt/preferences.d +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/apt/preferences.d/whonix_qubes +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc/udev # owner: root # group: root @@ -49,7 +91,7 @@ other::r-- # file: etc/sudoers.d # owner: root -# group: user +# group: root user::rwx group::r-x other::r-x 
@@ -61,9 +103,65 @@ user::r-- group::r-- other::--- -# file: .facl +# file: home # owner: root # group: root +user::rwx +group::r-x +other::r-x + +# file: home/user +# owner: user +# group: user +user::rwx +group::r-x +other::r-x + +# file: home/user/whonix_fix.sh +# owner: user +# group: user +user::rwx +group::r-x +other::r-x + +# file: home/user/build-steps.d +# owner: user +# group: user +user::rwx +group::r-x +other::r-x + +# file: home/user/build-steps.d/1000_qubes-patches.sh +# owner: user +# group: user +user::rwx +group::r-x +other::r-x + +# file: home/user/build-steps.d/2900_qubes-post-installation.sh +# owner: user +# group: user +user::rwx +group::r-x +other::r-x + +# file: home/user/whonix_build.sh +# owner: user +# group: user +user::rwx +group::r-x +other::r-x + +# file: home/user/.whonix_build.sh.swp +# owner: user +# group: user +user::rw- +group::r-- +other::r-- + +# file: .facl +# owner: user +# group: user user::rw- group::r-- other::r-- @@ -103,6 +201,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/qubes-whonixsetup +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + # file: usr/lib/whonix/enable-iptables-logging.sh # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes b/scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes new file mode 100644 index 0000000..9bc0b6c --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes @@ -0,0 +1,15 @@ +Package: grub-pc +Pin: version * +Pin-Priority: -100 + +Package: grub-pc-bin +Pin: version * +Pin-Priority: -100 + +Package: grub-common +Pin: version * +Pin-Priority: -100 + +Package: grub2-common +Pin: version * +Pin-Priority: -100 
diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/xdg/autostart/qubes-whonixsetup.desktop b/scripts_debian/wheezy+whonix-gateway/files/etc/xdg/autostart/qubes-whonixsetup.desktop new file mode 100644 index 0000000..260635d --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/etc/xdg/autostart/qubes-whonixsetup.desktop @@ -0,0 +1,8 @@ +## This file is part of Whonix. +## Copyright (C) 2012 - 2014 Patrick Schleizer +## See the file COPYING for copying conditions. + +[Desktop Entry] +Type=Application +Terminal=false +Exec=/usr/lib/whonix/qubes-whonixsetup diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp b/scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp new file mode 100644 index 0000000000000000000000000000000000000000..e88a6478eef4588aedea9c84d9e00d26bc6d0228 GIT binary patch literal 12288 zcmeI2&5j&35XYT_3kiW09Jm%Uk&rg>^zIOmL?{vo8(?ABti&uq2sG*sPq&%wwqv{J zBZMF>2zUT4z=ap!!~wwp9)Ks{&P#Bi+}$&~iB?(;bIGbK{imm0<#PGg_DHR%XzPRB z_uy*p3d6R+*!3Uwhp)f5!8YDutg^!R?vq-ktUJla+aLOX!M!RHmPeJ$lhvIyagfWh znsX-#org}W9Bgc)c6OAANQPxF%Y?YUxID{LDd#*z&sn$##xfT+$W$SMdXC0Cswe5$ z?EfT3K1AR&6R6ynU%SX&>2GiOWp+C+!3)nHoaPnN+K2!VAOb{y2oM1xKm>>Y5qOM% z(`VQh*mt(=-)ygE9=o=;bRhynfCvx)B0vO)01+SpM1Tko0U|&Io`T-L^#MZK-i;Vq_`VI9d>MH7= zXBhhf^*w5aGN^kfK%GbZdV#TTQQx5Mqdq|mP}fj^`WJKi3-t@?N7PrS5vtDl31m(w z69FPX1c(3;AOb|-bP~`?Ck(K0ZYNT68J5Y+uG1jyE>AUPMHNyq;*C{m6NK3OZ`<8 zQTm|#*g-3&xH3kRj$2ikSlCtnt5+iFcwM==>Z^-R;nFsC*eX%*Ft}S6t77S@uUT!1 zQqia@n(8OtUV(6NfCtARwJe;9R3w1s!nnf+ ziaQH)u&^{^j*)1b1it>&yVReSA~X}oRGvU;s)*}&dF7EToA0qI3OqmF-sjEDapUd6 zPJK?8LmjUjvI&VQUv`iR2SyZXiqm%ijV=?Q!*~*=q6aX{WSLs9LKJ|x&J?BD?@OBHsG7k__;b&1*n)y*ifV2?S$+ZBA2|g-3Q#$k~ z-Qu@GCE`YU+0395xIzcj%ypW@I#tCP1QGt~1Rh2G(Tm4vV{Sv~BOb?(>z_QZj|<$# Pbl;ToN?X=lb7TJj93u3Z literal 0 HcmV?d00001 
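Review bot: `home/user/.whonix_build.sh.swp` is a 12 KB Vim swap file for whonix_build.sh that was committed by mistake; it carries editor state, not template content, yet it sits under files/ (which the build copies into the template's home directory) and even got its own `# file: home/user/.whonix_build.sh.swp` entry in `.facl`. Remove it from the commit (`git rm --cached` on the path) and drop the matching `.facl` stanza; a `*.swp` line in the repository's `.gitignore` would prevent a repeat.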
diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh
new file mode 100755
index 0000000..30c5f71
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh
@@ -0,0 +1,92 @@ +#!/bin/bash +# vim: set ts=4 sw=4 sts=4 et : + +set -x + +WHONIX_DIR="$(readlink -m .)" + +# -------------------------------------------------------------------------- +# Initialize Whonix submodules +# -------------------------------------------------------------------------- +pushd "${WHONIX_DIR}" +{ + sudo git submodule update --init --recursive; +} +popd + +# -------------------------------------------------------------------------- +# Patch Whonix submodules +# -------------------------------------------------------------------------- + +# Chekout a branch; create a branch first if it does not exist +checkout_branch() { + branch=$(git symbolic-ref --short -q HEAD) + if ! [ "${branch}" == "${1}" ]; then + sudo -u "${user_name}" git checkout "${1}" >/dev/null 2>&1 || \ + { + sudo -u "${user_name}" git branch "${1}" + sudo -u "${user_name}" git checkout "${1}" + } + fi +} + +# sed search and replace. return 0 if replace happened, otherwise 1 +search_replace() { + local search="${1}" + local replace="${2}" + local file="${3}" + + sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" +} + +# Patch anon-meta-packages to not depend on grub-pc +pushd "${WHONIX_DIR}" +{ + search_replace "grub-pc" "" "grml_packages" || : +} +popd + +pushd "${WHONIX_DIR}/packages/anon-meta-packages/debian" +{ + search1=" grub-pc,"; + replace=""; + + #checkout_branch qubes + search_replace "${search1}" "${replace}" control && \ + { + cd "${WHONIX_DIR}/packages/anon-meta-packages"; + : + #sudo -E -u "${user_name}" make deb-pkg || : + #su "${user_name}" -c "dpkg-source --commit" || : + #git add . 
+ #su "${user_name}" -c "git commit -am 'removed grub-pc depend'" + } || : +} +popd + +pushd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d" +{ + search1="update-grub"; + replace=":"; + + #checkout_branch qubes + search_replace "${search1}" "${replace}" 85_update_grub && \ + { + cd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub"; + sudo -E -u "${user_name}" make deb-pkg || : + su "${user_name}" -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub"; + #git add . ; + #su "${user_name}" -c "git commit -am 'removed grub-pc depend'" + } || : +} +popd + +pushd "${WHONIX_DIR}/build-steps.d" +{ + search1=" check_for_uncommited_changes"; + replace=" #check_for_uncommited_changes"; + + search_replace "${search1}" "${replace}" 1200_create-debian-packages || : + } +popd + diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh new file mode 100755 index 0000000..654b9a5 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh 
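Review bot: `checkout_branch` and the two package blocks run `sudo -u "${user_name}"` and `su "${user_name}"`, but `user_name` is never assigned or sourced anywhere in this file — only `WHONIX_DIR` is set at the top — so with an empty value the `sudo -u ""` calls fail and the `|| :` guards hide that. Add a guard right after the `set -x` line, `: "${user_name:?user_name must be set by the caller}"`, or derive it from the build environment (e.g. `user_name="${SUDO_USER:-$(id -un)}"`). Separately, `search_replace` splices `${search}` and `${replace}` straight into the sed program, so a `/` or `&` in either argument alters the expression instead of being matched literally; the callers here pass fixed strings, but the helper's header comment should state that restriction. `branch` inside `checkout_branch` should also be declared `local`.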
@@ -0,0 +1,60 @@ +#!/bin/bash +# vim: set ts=4 sw=4 sts=4 et : + +# ------------------------------------------------------------------------------ +# Whonix Post Installation Configurations +# ------------------------------------------------------------------------------ +echo "Post Configuring Whonix System" + +pushd "/etc/network" +{ + rm -f interfaces; + ln -s interfaces.backup interfaces; +} +popd + +pushd "/etc" +{ + rm -f resolv.conf; + cp -p resolv.conf.backup resolv.conf; +} +popd + +# Enable Tor +#if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then +# sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "/etc/tor/torrc" +#fi + +# Fake that whonixsetup was already run +#mkdir -p "/var/lib/whonix/do_once" +#touch "/var/lib/whonix/do_once/whonixsetup.done" + +# Fake that initializer was already run +mkdir -p "/root/.whonix" +touch "/root/.whonix/first_run_initializer.done" + +# Prevent whonixcheck error +echo 'WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"' >> "/etc/whonix.d/30_whonixcheck_default" + +# Use gdialog as an alternative for dialog +update-alternatives --install /usr/bin/dialog dialog /usr/bin/gdialog 999 + +# Disable unwanted applications +update-rc.d network-manager disable || : +update-rc.d spice-vdagent disable || : +update-rc.d swap-file-creator disable || : +update-rc.d whonix-initializer disable || : + +service apt-cacher-ng stop || : +update-rc.d apt-cacher-ng disable || : + +# Remove apt-cacher-ng +DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng + +# Remove original sources.list +rm -f "/etc/apt/sources.list" + +DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + apt-get.anondist-orig update + diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh new file mode 100755 index 0000000..0fdf086 --- /dev/null 
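Review bot: The `apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng` call passes `--force-yes`, which tells apt to continue even when package authentication fails; a plain removal gains nothing from it, so keep only `-y`. The `echo 'WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"' >> /etc/whonix.d/30_whonixcheck_default` append is not idempotent — each run adds another copy of the line, and 02_install_groups_packages_installed.sh appends the same line — so guard it with `grep -q '^WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER=' "/etc/whonix.d/30_whonixcheck_default" ||` before the echo. `ln -s interfaces.backup interfaces` and `cp -p resolv.conf.backup resolv.conf` also assume the `.backup` files exist; an `[ -e interfaces.backup ]` check would turn a silent dangling symlink into a visible failure.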
+++ b/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh @@ -0,0 +1,41 @@ +################################################################################ +# Pre Fixups +sudo mkdir -p /boot/grub2 +sudo touch /boot/grub2/grub.cfg +sudo mkdir -p /boot/grub +sudo touch /boot/grub/grub.cfg +sudo mkdir --parents --mode=g+rw "/tmp/uwt" + +# Whonix seems to re-install sysvinit even though there is a hold +# on the package. Things seem to work anyway. BUT hopfully the +# hold on grub* don't get removed +sudo apt-mark hold sysvinit +sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common + +# Whonix expects haveged to be started +sudo /etc/init.d/haveged start + +# ------------------------------------------------------------------------------ +# Link our build steps into Whonix build directory +# ------------------------------------------------------------------------------ +#pushd /home/user/Whonix/build-steps.d +#cp -pf /home/user/build-steps.d/* . +#popd + +# ------------------------------------------------------------------------------ +# Whonix installation +# ------------------------------------------------------------------------------ +export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" + +pushd ~/Whonix +sudo ~/Whonix/whonix_build \ + --build $1 \ + --64bit-linux \ + --current-sources \ + --enable-whonix-apt-repository \ + --whonix-apt-repository-distribution $2 \ + --install-to-root \ + --skip-verifiable \ + --minimal-report \ + --skip-sanity-tests || { exit 1; } +popd diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh new file mode 100755 index 0000000..508180a --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh 
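Review bot: The file has no shebang (it opens with a comment banner) yet uses the bash builtins `pushd`/`popd` and is executed as `./whonix_build.sh` from `su user -c`, so it only runs because the invoking bash falls back to interpreting it as a bash script; add `#!/bin/bash` and `set -e` as the first two lines, otherwise a failing `sudo apt-mark hold` or `/etc/init.d/haveged start` is ignored and the build proceeds. `$1` and `$2` are passed unquoted and unchecked into `--build $1` and `--whonix-apt-repository-distribution $2`; quote them and fail early with `: "${1:?build type}" "${2:?distribution}"`. The same applies to the byte-identical copy under wheezy+whonix-workstation/files/home/user/whonix_build.sh (index 0fdf086 in both).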
@@ -0,0 +1,3 @@ +DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + sudo apt-get -y --force-yes remove grub-pc grub-common grub-pc-bin grub2-common + sudo apt-mark hold grub-common grub-pc-bin grub2-common diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup new file mode 100755 index 0000000..681c889 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup @@ -0,0 +1,23 @@ +#/bin/bash + +# XXX: TODO: +# - Make sure we can't just run this from setup-ip +# - Alternatives? instead of deleting dialog? +# +# INSTALLATION NOTES: +# - Make sure /etc/tor/torrc is disabled initially +# - Make sure /var/lib/whonix/do_once/whonixsetup.done does not exist +# so repo questions will be asked +# - /etc/xdg/autostart/qubes-whonixsetup must be in place +# - this file must be in place +# - gdialog must have over-written dialog +# - patches to setup-ip: +# - bring eth1 up +# - remove old code that was trying to get setup working + +grep "^DisableNetwork 0$" /etc/tor/torrc || { + sudo systemctl stop whonixcheck + sudo systemctl stop tor + sudo /usr/lib/whonix/setup-ip + sudo /usr/bin/whonixsetup +} diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips index d41f88a..f2e4076 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips @@ -52,7 +52,7 @@ function replace_ips() local search_ip="${1}" local replace_ip="${2}" local files=("${!3}") - local restart_tor=0 + local retval=1 # If IP is 10.152.152.10, network is 10.152.152.0 search_network="${search_ip%[.]*}.0" 
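Review bot: `DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true sudo apt-get ...` sets the variables in the caller's environment, but sudo's default `env_reset` strips them before `apt-get` starts, so the non-interactive frontend is not applied unless the sudoers policy whitelists them. Place the assignments after `sudo` instead, `sudo DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true apt-get -y remove grub-pc grub-common grub-pc-bin grub2-common` (accepted when the sudoers entry grants ALL or SETENV). `--force-yes` is unnecessary for a removal and disables apt's authentication checks, so drop it; the file also lacks a shebang, and the `apt-mark hold` list on the last line omits `grub-pc` while the remove line includes it — presumably an oversight.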
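Review bot: The first line of qubes-whonixsetup is `#/bin/bash` — the `!` is missing, so it is a comment rather than a shebang and the file is interpreted by whatever shell the launcher falls back to when the `Exec=` in qubes-whonixsetup.desktop runs it; change it to `#!/bin/bash`. `grep "^DisableNetwork 0$" /etc/tor/torrc` prints the matched line to the autostart's stdout; `grep -q` is the intended form. Because this runs at every desktop session and escalates with `sudo` to stop tor and rerun setup, the TODO "Make sure we can't just run this from setup-ip" should be resolved before merge, or a comment added explaining why the torrc marker alone is a sufficient guard.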
@@ -61,29 +61,32 @@ function replace_ips() if ! [ "${search_ip}" == "${replace_ip}" ]; then for file in "${files[@]}"; do if [ -f "$file" ]; then - search_replace "${search_ip}" "${replace_ip}" "${file}" && restart_tor=1 - search_replace "${search_network}" "${replace_network}" "${file}" && restart_tor=1 + search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0 + search_replace "${search_network}" "${replace_network}" "${file}" && retval=0 fi done - - if [ "${restart_tor}" == "1" ]; then - echo "${replace_ip}" > /etc/whonix-netvm-gateway - grep "^DisableNetwork 0$" /etc/tor/torrc && { - service tor reload || true; - #sleep 1; - } - fi fi + + return $retval +} + +update_ip() { + ip=${1} + + echo "${ip}" > /etc/whonix-netvm-gateway + grep '^DisableNetwork 0$' /etc/tor/torrc && { + service tor reload || true; + } } ip="$(xenstore-read qubes-netvm-gateway)" # Compare to current IP address assiged by Qubes -replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] +replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}" # Do again; checking for original 10.152.152.10 incase of update -replace_ips "10.152.152.10" "${ip}" FILES[@] +replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}" # Do again; checking for original 10.152.152.11 incase of update -replace_ips "10.152.152.11" "${ip}" FILES[@] +replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}" diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip index 0aadc68..9a098f7 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip @@ -23,6 +23,8 @@ ip link show ${INTERFACE} >> /dev/null || { /sbin/ethtool -K ${INTERFACE} sg off /sbin/ethtool -K ${INTERFACE} tx off fi + + ip link set ${INTERFACE} up } # Files that will have the immutable bit set 
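Review bot: `update_ip` assigns `ip=${1}` without `local`, which overwrites the script-level `ip="$(xenstore-read qubes-netvm-gateway)"` read just below the function; harmless today because both hold the same value, but it should be `local ip="${1}"`. The `grep '^DisableNetwork 0$' /etc/tor/torrc` in the same function echoes the matched line to stdout — use `grep -q`. The xenstore value is written verbatim to `/etc/whonix-netvm-gateway` and handed to `replace_ips` as a sed pattern; a cheap shape check before the three `replace_ips` calls, `[[ "${ip}" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || exit 1`, would stop a malformed value from being spliced into the configuration files (the sed helper itself is outside this hunk).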
@@ -90,7 +92,7 @@ copyAnondist "/etc/hostname" /usr/lib/whonix/replace-ips # Make sure hostname is correct -/bin/hostname -b host +/bin/hostname host # Start Whonix Firewall export INT_IF="vif+" @@ -101,21 +103,39 @@ export INT_TIF="vif+" # Allows localhost access to tor network iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 -enable() { +# Will only enable / disable if service is not already in that state +enable_sysv() { servicename=${1} + disable=${2-0} - grep "^DisableNetwork 0$" /etc/tor/torrc && { - # Check to see if the service is already enabled and if not, enable it - string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" + # Check to see if the service is already enabled and if not, enable it + string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" - if ! [ $(find $string 2>/dev/null | wc -l) -eq 1 ] ; then - echo "${1} is currently disabled; enabling it" - systemctl --quiet enable ${servicename} - fi - } + if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then + case ${disable} in + 0) + echo "${1} is currently disabled; enabling it" + systemctl --quiet enable ${servicename} + ;; + 1) + echo "${1} is currently enabled; disabling it" + systemctl --quiet disable ${servicename} + ;; + esac + fi } -#enable tor -#enable whonixcheck -#enable sdwdate +disable_sysv() { + enable_sysv ${1} 1 +} +# This would be a really good place to apply any hacks required and remove them +# from template build script +grep "^DisableNetwork 0$" /etc/tor/torrc && { + #enable_sysv tor + #enable_sysv whonixcheck + #enable_sysv sdwdate + : +} || { + : +} diff --git a/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh b/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh new file mode 100755 index 0000000..0fdf086 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh 
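Review bot: In `enable_sysv`, the test `[ $(find $string 2>/dev/null | wc -l) -eq ${disable} ]` reuses the mode flag as the expected number of `S[0-9][0-9]${servicename}` links, so the disable path only fires when exactly one link exists and the enable path only when none; a service with two start links in the current runlevel is silently left alone. Counting first and then branching on the flag reads better and covers that case: `count=$(find ${string} 2>/dev/null | wc -l); if (( disable == 0 && count == 0 )) || (( disable == 1 && count > 0 )); then`. `servicename`, `disable` and `string` should be `local`, and `disable_sysv` should quote its argument (`enable_sysv "${1}" 1`). The closing `grep "^DisableNetwork 0$" /etc/tor/torrc && { : } || { : }` block prints the torrc line to stdout while doing nothing — drop it or switch to `grep -q` and keep only the placeholder comment.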
@@ -0,0 +1,41 @@ +################################################################################ +# Pre Fixups +sudo mkdir -p /boot/grub2 +sudo touch /boot/grub2/grub.cfg +sudo mkdir -p /boot/grub +sudo touch /boot/grub/grub.cfg +sudo mkdir --parents --mode=g+rw "/tmp/uwt" + +# Whonix seems to re-install sysvinit even though there is a hold +# on the package. Things seem to work anyway. BUT hopfully the +# hold on grub* don't get removed +sudo apt-mark hold sysvinit +sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common + +# Whonix expects haveged to be started +sudo /etc/init.d/haveged start + +# ------------------------------------------------------------------------------ +# Link our build steps into Whonix build directory +# ------------------------------------------------------------------------------ +#pushd /home/user/Whonix/build-steps.d +#cp -pf /home/user/build-steps.d/* . +#popd + +# ------------------------------------------------------------------------------ +# Whonix installation +# ------------------------------------------------------------------------------ +export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" + +pushd ~/Whonix +sudo ~/Whonix/whonix_build \ + --build $1 \ + --64bit-linux \ + --current-sources \ + --enable-whonix-apt-repository \ + --whonix-apt-repository-distribution $2 \ + --install-to-root \ + --skip-verifiable \ + --minimal-report \ + --skip-sanity-tests || { exit 1; } +popd diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips index 3a43484..bc44984 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips 
@@ -24,9 +24,9 @@ FILES=( # sed search and replace. return 0 if replace happened, otherwise 1 search_replace() { - local search="$1" - local replace="$2" - local file="$3" + local search="${1}" + local replace="${2}" + local file="${3}" local retval=1 if ! [ -L "${file}" ]; then @@ -36,7 +36,7 @@ search_replace() { chattr -i "${file}" fi fi - + sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" retval=$? @@ -52,22 +52,22 @@ function replace_ips() local search_ip="${1}" local replace_ip="${2}" local files=("${!3}") - local replaced=0 + local retval=1 # If IP is 10.152.152.10, network is 10.152.152.0 - replace_network="${replace_ip%.*}.0" - search_network="${search_ip%.*}.0" + search_network="${search_ip%[.]*}.0" + replace_network="${replace_ip%[.]*}.0" if ! [ "${search_ip}" == "${replace_ip}" ]; then for file in "${files[@]}"; do if [ -f "$file" ]; then - search_replace "${search_ip}" "${replace_ip}" "${file}" && replaced=1 - search_replace "${search_network}" "${replace_network}" "${file}" && replaced=1 + search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0 + search_replace "${search_network}" "${replace_network}" "${file}" && retval=0 fi done fi - - return $replaced + + return $retval } ip="$(xenstore-read qubes-ip)" @@ -85,4 +85,3 @@ replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${ # Do again; checking for original 10.152.152.10 incase of update replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway - diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip index d8aa2ba..2dca037 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip 
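Review bot: In `replace_ips`, the rewritten `search_network`/`replace_network` assignments still lack `local`, unlike `search_ip`, `replace_ip`, `files` and `retval` next to them, so both leak into the script's global scope; write `local search_network="${search_ip%.*}.0"` and likewise for `replace_network`. The change from `%.*` to `%[.]*` is a no-op — `.` is not a glob metacharacter in parameter-expansion patterns — so the simpler form can stay. The unchanged `sed -i.bak '/'"${search}"'/...` in `search_replace` treats the dots of the IP as "any character", so `10.152.152.10` also matches strings such as `10-152-152-10`; if that matters, escape the pattern (`${search//./\\.}`) before splicing it into the sed program.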
@@ -3,7 +3,6 @@ # Files that will have the immutable bit set # since we don't want them modified by other programs IMMUTABLE_FILES=( - '/etc/resolv.conf' '/etc/hostname' '/etc/hosts' ) @@ -56,7 +55,6 @@ immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" # Make sure we are using a copy of the annondist file and if not # copy the annondist file and set it immutable -copyAnondist "/etc/resolv.conf" copyAnondist "/etc/hosts" copyAnondist "/etc/hostname" @@ -65,7 +63,8 @@ copyAnondist "/etc/hostname" /usr/lib/whonix/replace-ips # Make sure hostname is correct -/bin/hostname -b host +/bin/hostname host # Start Whonix Firewall /usr/bin/whonix_firewall + diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index e25ced8..7cda7ca 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh @@ -276,7 +276,7 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ] && ! [ -f "${INSTALLDIR}/tmp/.who exit 1 fi - chroot "${INSTALLDIR}" su user -c "cd ~; ./whonix_build ${BUILD_TYPE} ${DIST}" || { exit 1; } + chroot "${INSTALLDIR}" su user -c "cd ~; ./whonix_build.sh ${BUILD_TYPE} ${DIST}" || { exit 1; } touch "${INSTALLDIR}/tmp/.whonix_installed" fi 
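Review bot: Dropping `/etc/resolv.conf` from `IMMUTABLE_FILES` and removing its `copyAnondist` call means the workstation's resolver configuration is no longer pinned to the anondist copy and can be rewritten by anything that touches it; on a Whonix workstation that is the file that keeps DNS pointed at the gateway, so the reason belongs in the file. The gateway's new 2900_qubes-post-installation.sh in this commit restores `/etc/resolv.conf` from `resolv.conf.backup`, which may be the motivation, but nothing in the diff says so — a comment above the array such as `# resolv.conf is managed by the Qubes network setup; do not pin it` (if that is indeed the case) would save the next reader the archaeology. The hunk header also shows `immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"`, which passes only the array's first element unless the function re-expands the array by name — worth confirming, since after this change that first element is `/etc/hostname`. The script continues outside these hunks.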
@@ -302,13 +302,21 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh popd # Enable Tor - if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then - sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "${INSTALLDIR}/etc/tor/torrc" - fi + #if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then + # sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "${INSTALLDIR}/etc/tor/torrc" + #fi + + # Enable aliases in .bashrc + sed -i "s/^# export/export/g" "${INSTALLDIR}/root/.bashrc" + sed -i "s/^# eval/eval/g" "${INSTALLDIR}/root/.bashrc" + sed -i "s/^# alias/alias/g" "${INSTALLDIR}/root/.bashrc" + sed -i "s/^#force_color_prompt/force_color_prompt/g" "${INSTALLDIR}/home/user/.bashrc" + sed -i "s/#alias/alias/g" "${INSTALLDIR}/home/user/.bashrc" + sed -i "s/alias l='ls -CF'/alias l='ls -l'/g" "${INSTALLDIR}/home/user/.bashrc" # Fake that whonixsetup was already run mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once" - touch "${INSTALLDIR}/var/lib/whonix/do_once/whonixsetup.done" + #touch "${INSTALLDIR}/var/lib/whonix/do_once/whonixsetup.done" # Fake that initializer was already run mkdir -p "${INSTALLDIR}/root/.whonix" @@ -317,6 +325,10 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh # Prevent whonixcheck error echo 'WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"' >> "${INSTALLDIR}/etc/whonix.d/30_whonixcheck_default" + # Use gdialog as an alternative for dialog + mv -f "${INSTALLDIR}/usr/bin/dialog" "${INSTALLDIR}/usr/bin/dialog.dist" + chroot "${INSTALLDIR}" update-alternatives --force --install /usr/bin/dialog dialog /usr/bin/gdialog 999 + # Disable unwanted applications chroot "${INSTALLDIR}" update-rc.d network-manager disable || : chroot "${INSTALLDIR}" update-rc.d spice-vdagent disable || : diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d new file mode 100755 index 0000000..8cd88f0 
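Review bot: The new `mv -f "${INSTALLDIR}/usr/bin/dialog" "${INSTALLDIR}/usr/bin/dialog.dist"` is not safe to run twice: after the first pass `/usr/bin/dialog` is the alternatives symlink, so a re-run moves that symlink over `dialog.dist` and the real binary saved the first time is lost. Guard it with `[ -e "${INSTALLDIR}/usr/bin/dialog.dist" ] || mv -f "${INSTALLDIR}/usr/bin/dialog" "${INSTALLDIR}/usr/bin/dialog.dist"`. The `.bashrc` edits use very broad patterns — `s/#alias/alias/g` is unanchored and `s/^# eval/eval/g` uncomments any line that begins that way, not only the Debian skeleton's alias block — so anchor them to the exact lines being targeted or ship a prepared `.bashrc` under files/ instead. The commented-out torrc `DisableNetwork` edit and the `whonixsetup.done` touch are also duplicated in the new gateway 2900_qubes-post-installation.sh; one place should own them. Both hunks sit inside an `if` whose start is outside this view.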
--- /dev/null
+++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d
@@ -0,0 +1,157 @@ +#!/bin/bash +# vim: set ts=4 sw=4 sts=4 et : + +# ------------------------------------------------------------------------------ +# Source external scripts +# ------------------------------------------------------------------------------ +. ${SCRIPTSDIR}/vars.sh +. ./umount_kill.sh >/dev/null + +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ +if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then + set -x +else + set -e +fi + +# ------------------------------------------------------------------------------ +# XXX: Create a snapshot - Only for DEBUGGING! +# ------------------------------------------------------------------------------ +# Only execute if SNAPSHOT is set +if [ "${SNAPSHOT}" == "1" ]; then + splitPath "${IMG}" path_parts + PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}" + + if ! [ -f "${PREPARED_IMG}" ] && ! 
[ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then + umount_kill "${INSTALLDIR}" || : + warn "Copying ${IMG} to ${PREPARED_IMG}" + cp -f "${IMG}" "${PREPARED_IMG}" + mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1 + for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "${INSTALLDIR}/$fs"; done + fi +fi + +# ------------------------------------------------------------------------------ +# Set defualts for apt not to install recommended or extra packages +# ------------------------------------------------------------------------------ +#read -r -d '' WHONIX_APT_PREFERENCES <<'EOF' +#Acquire::Languages "none"; +#APT::Install-Recommends "false"; +#APT::Install-Suggests "false"; +#Dpkg::Options "--force-confold"; +#EOF + +# ------------------------------------------------------------------------------ +# Cleanup function +# ------------------------------------------------------------------------------ +function cleanup() { + error "Whonix error; umounting ${INSTALLDIR} to prevent further writes" + umount_kill "${INSTALLDIR}" || : + exit 1 +} +trap cleanup ERR +trap cleanup EXIT + +# ------------------------------------------------------------------------------ +# Mount devices, etc required for Whonix installation +# ------------------------------------------------------------------------------ +if ! 
[ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then + info "Preparing Whonix system" + + # -------------------------------------------------------------------------- + # Qubes needs a user named 'user' + # -------------------------------------------------------------------------- + debug "Whonix Add user" + chroot "${INSTALLDIR}" id -u 'user' >/dev/null 2>&1 || \ + { + chroot "${INSTALLDIR}" groupadd -f user + chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user + } + + # ------------------------------------------------------------------------------ + # Copy over any extra files + # ------------------------------------------------------------------------------ + copyTree "files" + + touch "${INSTALLDIR}/tmp/.whonix_prepared" +fi + +# ------------------------------------------------------------------------------ +# Install Whonix +# ------------------------------------------------------------------------------ +if [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_installed" ]; then + info "Installing Whonix system" + + # ------------------------------------------------------------------------------ + # Create Whonix mount point + # ------------------------------------------------------------------------------ + if ! [ -d "${INSTALLDIR}/home/user/Whonix" ]; then + debug "Installing Whonix build environment..." + chroot "${INSTALLDIR}" su user -c 'mkdir /home/user/Whonix' + fi + + # -------------------------------------------------------------------------- + # Install Whonix code base + # -------------------------------------------------------------------------- + if [ -d "${INSTALLDIR}/home/user/Whonix" ]; then + debug "Building Whonix..." 
+ mount --bind "../Whonix" "${INSTALLDIR}/home/user/Whonix" + sync + sleep 1 + fi + + # ------------------------------------------------------------------------------ + # Determine type of Whonix build + # ------------------------------------------------------------------------------ + if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then + BUILD_TYPE="--torgateway" + elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then + BUILD_TYPE="--torworkstation" + else + error "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules" + error "You need to set TEMPLATE_FLAVOR environment variable to either" + error "whonix-gateway OR whonix-workstation" + exit 1 + fi + + # ------------------------------------------------------------------------------ + # Start Whonix build process + # ------------------------------------------------------------------------------ + chroot "${INSTALLDIR}" su user -c "cd ~; ./whonix_build.sh ${BUILD_TYPE} ${DIST}" || { exit 1; } + + touch "${INSTALLDIR}/tmp/.whonix_installed" + touch "${INSTALLDIR}/tmp/.whonix_post" +fi + +# ------------------------------------------------------------------------------ +# Execute any template flavor or sub flavor scripts +# ------------------------------------------------------------------------------ +buildStep "99_custom_configuration.sh" + +# ------------------------------------------------------------------------------ +# Bring back original apt-get for installation of Qubues +# ------------------------------------------------------------------------------ +pushd "${INSTALLDIR}/usr/bin" +{ + rm -f apt-get; + cp -p apt-get.anondist-orig apt-get; +} +popd + +# ------------------------------------------------------------------------------ +# Make sure the temporary policy-rc.d to prevent apt from starting services +# on package installation is still active; Whonix may have reset it +# ------------------------------------------------------------------------------ +cat > 
"${INSTALLDIR}/usr/sbin/policy-rc.d" <