From 9e91084ef21e24292680e946d54647a6630cf79f Mon Sep 17 00:00:00 2001 
From: Jason Mehring Date: Tue, 14 Oct 2014 12:02:12 -0400 Subject: [PATCH 01/83] Debian Wheezy template addition and refactoring to allow Whonix TEMPLATE_FLAVOR --- .../netvm-whitelisted-appmenus.list | 1 + appmenus_wheezy/vm-whitelisted-appmenus.list | 1 + appmenus_wheezy/whitelisted-appmenus.list | 1 + cleanup_image | 1 + prepare_image | 77 ++- qubeize_image | 105 ++-- scripts_debian/00_prepare.sh | 48 +- scripts_debian/01_install_core.sh | 32 +- scripts_debian/02_install_groups.sh | 192 ++++++-- scripts_debian/04_install_qubes.sh | 238 +++++++--- scripts_debian/09_cleanup.sh | 23 +- scripts_debian/NOTES | 5 + .../02_install_groups_packages_installed.sh | 1 + .../04_install_qubes_post.sh | 1 + .../99_custom_configuration.sh | 20 + .../etc/udev/rules.d/99-qubes-whonix.rules | 2 + .../usr/lib/whonix/replace-ips | 60 +++ .../usr/lib/whonix/setup-ip | 38 ++ .../02_install_groups_packages_installed.sh | 1 + .../04_install_qubes_post.sh | 1 + .../99_custom_configuration.sh | 12 + .../02_install_groups_packages_installed.sh | 216 +++++++++ .../04_install_qubes_post.sh | 55 +++ .../etc/udev/rules.d/98-kexec.rules | 4 + .../etc/udev/rules.d/xen-backend.rules | 16 + .../extra-qubes-files/etc/xen/scripts/blktap | 94 ++++ .../extra-qubes-files/etc/xen/scripts/block | 354 ++++++++++++++ .../etc/xen/scripts/block-common.sh | 125 +++++ .../etc/xen/scripts/block-enbd | 27 ++ .../etc/xen/scripts/block-nbd | 27 ++ .../etc/xen/scripts/external-device-migrate | 98 ++++ .../etc/xen/scripts/hotplugpath.sh | 10 + .../etc/xen/scripts/locking.sh | 110 +++++ .../etc/xen/scripts/logging.sh | 22 + .../etc/xen/scripts/network-bridge | 337 +++++++++++++ .../etc/xen/scripts/network-nat | 124 +++++ .../etc/xen/scripts/network-route | 28 ++ .../etc/xen/scripts/vif-bridge | 108 +++++ .../etc/xen/scripts/vif-common.sh | 190 ++++++++ .../extra-qubes-files/etc/xen/scripts/vif-nat | 192 ++++++++ .../etc/xen/scripts/vif-route | 56 +++ .../etc/xen/scripts/vif-route-qubes | 65 +++ 
.../etc/xen/scripts/vif-setup | 9 + .../extra-qubes-files/etc/xen/scripts/vif2 | 46 ++ .../extra-qubes-files/etc/xen/scripts/vscsi | 22 + .../extra-qubes-files/etc/xen/scripts/vtpm | 22 + .../etc/xen/scripts/vtpm-common.sh | 448 ++++++++++++++++++ .../etc/xen/scripts/vtpm-delete | 18 + .../etc/xen/scripts/vtpm-hotplug-common.sh | 35 ++ .../etc/xen/scripts/vtpm-impl | 208 ++++++++ .../etc/xen/scripts/vtpm-migration.sh | 19 + .../etc/xen/scripts/xen-hotplug-cleanup | 45 ++ .../etc/xen/scripts/xen-hotplug-common.sh | 102 ++++ .../etc/xen/scripts/xen-network-common.sh | 141 ++++++ .../etc/xen/scripts/xen-script-common.sh | 44 ++ .../debian-jessie-archive-keyring.gpg} | Bin .../keys/debian-wheezy-archive-keyring.gpg | Bin 0 -> 3569 bytes scripts_debian/packages.list | 10 +- scripts_debian/packages_jessie.list | 9 + scripts_debian/packages_wheezy.list | 9 + .../packages_wheezy_whonix-gateway.list | 1 + .../packages_wheezy_whonix-workstation.list | 1 + scripts_debian/packages_wheezy_whonix.list | 29 ++ scripts_debian/vars.sh | 108 +++++ umount.sh | 60 +++ 65 files changed, 4324 insertions(+), 180 deletions(-) create mode 100644 appmenus_wheezy/netvm-whitelisted-appmenus.list create mode 100644 appmenus_wheezy/vm-whitelisted-appmenus.list create mode 100644 appmenus_wheezy/whitelisted-appmenus.list create mode 100644 scripts_debian/NOTES create mode 120000 scripts_debian/custom_wheezy_whonix-gateway/02_install_groups_packages_installed.sh create mode 120000 scripts_debian/custom_wheezy_whonix-gateway/04_install_qubes_post.sh create mode 100755 scripts_debian/custom_wheezy_whonix-gateway/99_custom_configuration.sh create mode 100644 scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules create mode 100755 scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/usr/lib/whonix/replace-ips create mode 100755 scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/usr/lib/whonix/setup-ip create mode 120000 
scripts_debian/custom_wheezy_whonix-workstation/02_install_groups_packages_installed.sh create mode 120000 scripts_debian/custom_wheezy_whonix-workstation/04_install_qubes_post.sh create mode 100755 scripts_debian/custom_wheezy_whonix-workstation/99_custom_configuration.sh create mode 100755 scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh create mode 100755 scripts_debian/custom_wheezy_whonix/04_install_qubes_post.sh create mode 100644 scripts_debian/extra-qubes-files/etc/udev/rules.d/98-kexec.rules create mode 100644 scripts_debian/extra-qubes-files/etc/udev/rules.d/xen-backend.rules create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/blktap create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/block create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/block-common.sh create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/block-enbd create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/block-nbd create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/external-device-migrate create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/hotplugpath.sh create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/locking.sh create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/logging.sh create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/network-bridge create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/network-nat create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/network-route create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/vif-bridge create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/vif-common.sh create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/vif-nat create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/vif-route create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/vif-route-qubes create mode 
100755 scripts_debian/extra-qubes-files/etc/xen/scripts/vif-setup create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/vif2 create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/vscsi create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-common.sh create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-delete create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-hotplug-common.sh create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-impl create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-migration.sh create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/xen-hotplug-cleanup create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/xen-hotplug-common.sh create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/xen-network-common.sh create mode 100755 scripts_debian/extra-qubes-files/etc/xen/scripts/xen-script-common.sh rename scripts_debian/{debian-archive-keyring.gpg => keys/debian-jessie-archive-keyring.gpg} (100%) create mode 100644 scripts_debian/keys/debian-wheezy-archive-keyring.gpg mode change 100644 => 120000 scripts_debian/packages.list create mode 100644 scripts_debian/packages_jessie.list create mode 100644 scripts_debian/packages_wheezy.list create mode 120000 scripts_debian/packages_wheezy_whonix-gateway.list create mode 120000 scripts_debian/packages_wheezy_whonix-workstation.list create mode 100644 scripts_debian/packages_wheezy_whonix.list create mode 100755 umount.sh diff --git a/appmenus_wheezy/netvm-whitelisted-appmenus.list b/appmenus_wheezy/netvm-whitelisted-appmenus.list new file mode 100644 index 0000000..4b744f7 --- /dev/null +++ b/appmenus_wheezy/netvm-whitelisted-appmenus.list @@ -0,0 +1 @@ +gnome-terminal.desktop 
diff --git a/appmenus_wheezy/vm-whitelisted-appmenus.list b/appmenus_wheezy/vm-whitelisted-appmenus.list new file mode 100644 index 0000000..4b744f7 --- /dev/null +++ b/appmenus_wheezy/vm-whitelisted-appmenus.list @@ -0,0 +1 @@ +gnome-terminal.desktop diff --git a/appmenus_wheezy/whitelisted-appmenus.list b/appmenus_wheezy/whitelisted-appmenus.list new file mode 100644 index 0000000..4b744f7 --- /dev/null +++ b/appmenus_wheezy/whitelisted-appmenus.list @@ -0,0 +1 @@ +gnome-terminal.desktop diff --git a/cleanup_image b/cleanup_image index 3716593..195f1ac 100755 --- a/cleanup_image +++ b/cleanup_image @@ -20,6 +20,7 @@ ls -als $IMG mount -o loop $IMG mnt || exit 1 export INSTALLDIR=`pwd`/mnt/ +echo "--> Cleaning up image file..." $SCRIPTSDIR/09_cleanup.sh echo "--> Compacting image file..." diff --git a/prepare_image b/prepare_image index c6b7a62..7763464 100755 --- a/prepare_image +++ b/prepare_image @@ -1,6 +1,10 @@ -#!/bin/sh +#!/bin/bash +#XXX: use bash #!/bin/sh -export IMG=$1 +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ +export IMG="$1" export LC_ALL=POSIX RETCODE=0 
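Review bot: The replacement comment `#XXX: use bash #!/bin/sh` under the new `#!/bin/bash` shebang reads as if sh were still the intended interpreter and gives no reason for the switch; the second hunk of this file relies on `${INSTALLDIR::-1}`, a bash-only substring expansion (bash 4.2 or later for a negative length), so say that instead: `# bash (>= 4.2) required: ${INSTALLDIR::-1} is used below`. The rest of this hunk is the quoting of `$1`, which is fine as is.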
@@ -8,49 +12,70 @@ RETCODE=0 : ${DIST=fc14} . ./builder_setup >/dev/null +. ./umount.sh >/dev/null -set -e +if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then + set -x +else + set -e +fi if ! [ $# -eq 1 ]; then -echo "usage $0 " -exit + echo "usage $0 " + exit fi if [ "$VERBOSE" == "1" ]; then - export YUM_OPTS="$YUM_OPTS -q" + export YUM_OPTS="$YUM_OPTS -q" fi +# ------------------------------------------------------------------------------ +# Prepare for mount +# ------------------------------------------------------------------------------ echo "-> Preparing instalation of $DIST template..." -$SCRIPTSDIR/00_prepare.sh - -if [ -f $IMG ]; then - echo "-> Image file already exists, assuming *update*..." - mount -o loop $IMG mnt || exit 1 - export INSTALLDIR=`pwd`/mnt/ - trap "umount $INSTALLDIR" EXIT +"$SCRIPTSDIR/00_prepare.sh" + +# ------------------------------------------------------------------------------ +# Mount image and install core OS +# ------------------------------------------------------------------------------ +if [ -f "$IMG" ]; then + echo "-> Image file already exists, assuming *update*..." + mount -o loop "$IMG" mnt || exit 1 + export INSTALLDIR="`pwd`/mnt/" + trap "umount_image ${INSTALLDIR::-1}" EXIT + + # XXX: Temp; just for debugging + if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then + "$SCRIPTSDIR/01_install_core.sh" + fi else + echo "-> Initializing empty image..." + truncate -s 10G "$IMG" || exit 1 - echo "-> Initializing empty image..." - truncate -s 10G $IMG || exit 1 + echo "-> Creating filesystem..." + mkfs.ext4 -q -F "$IMG" || exit 1 - echo "-> Creating filesystem..." 
- mkfs.ext4 -q -F $IMG || exit 1 + mkdir -p mnt + mount -o loop "$IMG" mnt || exit 1 - mkdir -p mnt - mount -o loop $IMG mnt || exit 1 + export INSTALLDIR="`pwd`/mnt/" + trap "umount_image ${INSTALLDIR::-1}" EXIT - export INSTALLDIR=`pwd`/mnt/ - - trap "umount $INSTALLDIR" EXIT - - $SCRIPTSDIR/01_install_core.sh + "$SCRIPTSDIR/01_install_core.sh" fi +# ------------------------------------------------------------------------------ +# Install package groups +# ------------------------------------------------------------------------------ echo "-> Installing package groups..." -$SCRIPTSDIR/02_install_groups.sh +"$SCRIPTSDIR/02_install_groups.sh" +# ------------------------------------------------------------------------------ +# Cleanup +# ------------------------------------------------------------------------------ trap - EXIT + echo "-> Unmounting prepared_image..." -sudo umount $INSTALLDIR +umount_image "$INSTALLDIR" || : exit $RETCODE diff --git a/qubeize_image b/qubeize_image index 6f0e563..9c4b049 100755 --- a/qubeize_image +++ b/qubeize_image 
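Review bot: The final unmount at the end of the hunk passes `"$INSTALLDIR"` with its trailing slash (`umount_image "$INSTALLDIR" || :`), while both new EXIT traps a few lines earlier deliberately strip it with `${INSTALLDIR::-1}`; if umount_image treats a trailing '/' as "unmount what is inside, not the mount point itself" (which is how the comment in 02_install_groups.sh describes it), the image stays mounted after `trap - EXIT` has already disarmed the trap, and the failure is hidden by `|| :`. Use `umount_image "${INSTALLDIR::-1}" || exit 1` there, matching the traps. Separately, the new `if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x; else set -e; fi` makes -e and -x mutually exclusive, so a debug run no longer aborts on a failed step; 01_install_core.sh in this patch already has the right shape (`set -e` unconditionally, then `set -x` when verbose), and 00_prepare.sh repeats the exclusive form. With VERBOSE unset, `-ge 2` also prints an "integer expression expected" error on every run; `"${VERBOSE:-0}" -ge 2` avoids that.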
@@ -1,81 +1,105 @@ #!/bin/sh -export CLEANIMG=$1 -export NAME=$2 +# ------------------------------------------------------------------------------ +# Configurations and Conditionals +# ------------------------------------------------------------------------------ +export CLEANIMG="$1" +export NAME="$2" export LC_ALL=POSIX . ./builder_setup >/dev/null +. ./umount.sh >/dev/null -set -e +#set -e +set -x if [ $# -eq 0 ]; then -echo "usage $0 " -exit + echo "usage $0 " + exit fi -if [ x$CLEANIMG = x ]; then -echo "Image file not specified!" -exit 1 +if [ "x$CLEANIMG" = x ]; then + echo "Image file not specified!" + exit 1 fi -if [ x$NAME = x ]; then -echo "Name not given!" -exit 1 +if [ "x$NAME" = x ]; then + echo "Name not given!" + exit 1 fi ID=$(id -ur) if [ $ID != 0 ] ; then - echo "This script should be run as root user." - exit 1 + echo "This script should be run as root user." + exit 1 fi if [ "$VERBOSE" == "1" ]; then - export YUM_OPTS="$YUM_OPTS -q" + export YUM_OPTS="$YUM_OPTS -q" fi +# ------------------------------------------------------------------------------ +# Cleanup function +# ------------------------------------------------------------------------------ function cleanup() { - if grep -q " $PWD/mnt/proc " /proc/mounts; then - umount mnt/proc - fi - if grep -q " $PWD/mnt " /proc/mounts; then - umount mnt - fi + umount_image "$PWD/mnt" || : } - trap cleanup ERR -export IMG=qubeized_images/$NAME-root.img -echo "--> Copying $CLEANIMG to $IMG..." 
-cp $CLEANIMG $IMG || exit 1 +# ------------------------------------------------------------------------------ +# Mount qubeized_image +# ------------------------------------------------------------------------------ +# NEW: continue installation from last point if UPDATE="false" +# if UPDATE does not exist (keep it backwards compatible for fedora script) +# - OR - +# update="true", copy over prepared image as normal -echo "--> Mounting $IMG" +export IMG="qubeized_images/$NAME-root.img" + +[ "$UPDATE" ] && UPDATE=$(echo $UPDATE | awk '{print tolower($0)}') +if [ "$IMG" -nt "$CLEANIMG" -a "$UPDATE" == "false" ]; then + echo "--> Using original $IMG... (UPDATE=false and qubized_image is newer than prepared_image)" +else + echo "--> Copying $CLEANIMG to $IMG..." + cp "$CLEANIMG" "$IMG" || exit 1 +fi +echo "--> Mounting $IMG" mkdir -p mnt -mount -o loop $IMG mnt || exit 1 +mount -o loop "$IMG" mnt || exit 1 export INSTALLDIR=mnt -$SCRIPTSDIR/04_install_qubes.sh || { umount $INSTALLDIR; exit 1; } +# ------------------------------------------------------------------------------ +# Run qubeize script +# ------------------------------------------------------------------------------ +"$SCRIPTSDIR/04_install_qubes.sh" || { umount "$INSTALLDIR"; exit 1; } +# ------------------------------------------------------------------------------ +# Create App Menus +# ------------------------------------------------------------------------------ echo "--> Copying the Apps Menu shortcuts..." -export APPSORIG=qubeized_images/$NAME-apps.orig -export APPSTEMPL=qubeized_images/$NAME-apps.templates -mkdir -p $APPSORIG -cp -r $(pwd)/mnt/usr/share/applications/* $APPSORIG +export APPSORIG="qubeized_images/$NAME-apps.orig" +export APPSTEMPL="qubeized_images/$NAME-apps.templates" +mkdir -p "$APPSORIG" +cp -r "$(pwd)"/mnt/usr/share/applications/* "$APPSORIG" echo "--> Creating the Apps Menu templates..." 
-./create_apps_templates.sh $APPSORIG $APPSTEMPL +"./create_apps_templates.sh" "$APPSORIG" "$APPSTEMPL" echo "--> Choosing appmenus whitelists..." rm -f appmenus if [ -d "appmenus_${DIST}_${TEMPLATE_FLAVOR}" ]; then - ln -s "appmenus_${DIST}_${TEMPLATE_FLAVOR}" appmenus + ln -s "appmenus_${DIST}_${TEMPLATE_FLAVOR}" appmenus elif [ -d "appmenus_$DIST" ]; then - ln -s "appmenus_$DIST" appmenus + ln -s "appmenus_$DIST" appmenus else - ln -s "appmenus_generic" appmenus + ln -s "appmenus_generic" appmenus fi +# ------------------------------------------------------------------------------ +# Link directories so they can be mounted +# ------------------------------------------------------------------------------ echo "--> Linking /home to /rw/home..." mv mnt/home mnt/home.orig ln -sf /rw/home mnt/home @@ -85,14 +109,17 @@ mv mnt/usr/local mnt/usr/local.orig ln -sf /rw/usrlocal mnt/usr/local if [ -e mnt/etc/sysconfig/i18n ]; then - echo "--> Setting up default locale..." - echo LC_CTYPE=en_US.UTF-8 > mnt/etc/sysconfig/i18n + echo "--> Setting up default locale..." + echo LC_CTYPE=en_US.UTF-8 > mnt/etc/sysconfig/i18n fi +# ------------------------------------------------------------------------------ +# Finsh - unmount image +# ------------------------------------------------------------------------------ echo "--> Unmounting $IMG" -umount mnt +cleanup echo "Qubeized image stored at: $IMG" echo "Reducing image size (calling cleanup_image)..." -./cleanup_image $IMG +./cleanup_image "$IMG" diff --git a/scripts_debian/00_prepare.sh b/scripts_debian/00_prepare.sh index c530c0f..4e895cf 100755 --- a/scripts_debian/00_prepare.sh +++ b/scripts_debian/00_prepare.sh 
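Review bot: Replacing `set -e` with `#set -e` / `set -x` near the top of the hunk leaves this script running on after failures, and most of the steps below (the `mv`/`ln -sf` of /home and /usr/local, the `cp -r` of the applications directory, `create_apps_templates.sh`) have no explicit `|| exit 1`, so a partially qubeized image can be written out and then compacted as if it had succeeded; `trap cleanup ERR` only unmounts, it does not stop the script. Keep `set -e` and add `set -x` alongside it when VERBOSE/DEBUG ask for it, as 01_install_core.sh does. The error path for the qubeize script still calls plain `umount "$INSTALLDIR"` although the new `cleanup` function exists for exactly that case; if 04_install_qubes.sh leaves bind mounts or the repo mount under mnt, the plain umount fails with EBUSY, so `|| { cleanup; exit 1; }` is the consistent form.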
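Review bot: The `cleanup` call that replaces `umount mnt` before the "Qubeized image stored at" message swallows failure (its body is `umount_image "$PWD/mnt" || :`, defined in the previous hunk), and the very next step, `./cleanup_image "$IMG"`, loop-mounts the same image file again (see the context lines of the cleanup_image hunk); if the unmount did not actually complete, the image is mounted twice through two loop devices, which corrupts the filesystem rather than failing cleanly. The `|| :` is right inside the ERR trap, where the mount may never have happened, but the normal exit path should fail loudly: `umount_image "$PWD/mnt" || { echo "umount of $IMG failed" >&2; exit 1; }`. This hunk only calls the function; its definition is outside the hunk.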
@@ -1,5 +1,49 @@ -#!/bin/sh -x +#!/bin/bash -x # vim: set ts=4 sw=4 sts=4 et : -# This script does nothing now. +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ +. ./umount.sh >/dev/null + +INSTALLDIR="`pwd`/mnt/" +umount_image "${INSTALLDIR::-1}" || : + +# ------------------------------------------------------------------------------ +# Set debug display +# ------------------------------------------------------------------------------ +if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then + set -x +else + set -e +fi + +# ------------------------------------------------------------------------------ +# Execute any custom pre configuration scripts +# ------------------------------------------------------------------------------ +customStep "$0" "pre" + +# ------------------------------------------------------------------------------ +# Force overwrite of an existing image for now if debootstrap did not seem to complete... +# ------------------------------------------------------------------------------ +if [ -f "$IMG" ]; then + mount -o loop "$IMG" "$INSTALLDIR" || exit 1 + + # Assume a failed debootstrap installation if .prepare_debootstrap does not exist + if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then + echo "-> Failed Image file $IMG already exists, deleting..." + rm -f "$IMG" + # Allow qubes to be updated + elif [ -f "$INSTALLDIR/tmp/.prepared_qubes" ]; then + rm "$INSTALLDIR/tmp/.prepared_qubes" + fi + + # Umount image; don't fail if its already umounted + umount_image "${INSTALLDIR::-1}" || : +fi + +# ------------------------------------------------------------------------------ +# Execute any custom post configuration scripts +# ------------------------------------------------------------------------------ +customStep "$0" "post" 
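Review bot: `customStep "$0" "pre"` and `customStep "$0" "post"` are called in this hunk, but customStep is neither defined here nor brought in by the only source line, `. ./umount.sh`; the other scripts in this patch that call it (01_install_core.sh, 02_install_groups.sh, 04_install_qubes.sh) source `$SCRIPTSDIR/vars.sh` first, and this commit extends vars.sh by 108 lines, so if that is where customStep lives, 00_prepare.sh aborts with "command not found" once `set -e` is in effect. Either add `. $SCRIPTSDIR/vars.sh` next to the umount.sh line or confirm that umount.sh (or an exported function from builder_setup) provides it. The `rm -f "$IMG"` of a failed image runs while the image is still loop-mounted; deleting after `umount_image` is cleaner and keeps the "deleting..." message truthful if the unmount fails. `#!/bin/bash -x` on the shebang is redundant with the `set -x`/`set -e` selection below and is silently lost when the script is run as `bash 00_prepare.sh`.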
diff --git a/scripts_debian/01_install_core.sh b/scripts_debian/01_install_core.sh index a384d23..65f29b6 100755 --- a/scripts_debian/01_install_core.sh +++ b/scripts_debian/01_install_core.sh @@ -1,11 +1,35 @@ #!/bin/sh # vim: set ts=4 sw=4 sts=4 et : +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ . $SCRIPTSDIR/vars.sh -echo "-> Installing base debian system" +set -e +if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then + set -x +fi -COMPONENTS="" debootstrap --arch=amd64 --include=ncurses-term \ - --components=main --keyring=${SCRIPTSDIR}/debian-archive-keyring.gpg \ - $DEBIANVERSION "$INSTALLDIR" http://http.debian.net/debian || { echo "Debootstrap failed!"; exit 1; } +# ------------------------------------------------------------------------------ +# Execute any custom pre configuration scripts +# ------------------------------------------------------------------------------ +customStep "$0" "pre" + +# ------------------------------------------------------------------------------ +# Install base debian system +# ------------------------------------------------------------------------------ +if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then + echo "-> Installing base ${DEBIANVERSION} system" + COMPONENTS="" debootstrap --arch=amd64 --include=ncurses-term \ + --components=main --keyring="${SCRIPTSDIR}/keys/debian-${DEBIANVERSION}-archive-keyring.gpg" \ + "$DEBIANVERSION" "$INSTALLDIR" "$DEBIAN_MIRROR" || { echo "Debootstrap failed!"; exit 1; } + chroot "$INSTALLDIR" chmod 0666 "/dev/null" + touch "$INSTALLDIR/tmp/.prepared_debootstrap" +fi + +# ------------------------------------------------------------------------------ +# Execute any custom post configuration scripts +# ------------------------------------------------------------------------------ +customStep "$0" "post" 
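Review bot: The debootstrap call now takes its mirror from `"$DEBIAN_MIRROR"` and its trust root from `keys/debian-${DEBIANVERSION}-archive-keyring.gpg`, but neither is checked before use: an unset DEBIAN_MIRROR passes an empty argument to debootstrap, and a missing keyring for a new DEBIANVERSION surfaces only as an obscure debootstrap failure. A guard ahead of the call such as `: "${DEBIAN_MIRROR:?DEBIAN_MIRROR not set}"` and `[ -r "${SCRIPTSDIR}/keys/debian-${DEBIANVERSION}-archive-keyring.gpg" ] || { echo "keyring for $DEBIANVERSION missing"; exit 1; }` makes both failures explicit. The wheezy keyring enters the repository as an opaque binary in this commit; since it is the only thing standing between the plain-http mirror and the template's base system, its origin and key fingerprint should be recorded (the new NOTES file is a natural place). `chroot "$INSTALLDIR" chmod 0666 "/dev/null"` needs a why-comment, e.g. `# /dev/null must be world-writable inside the chroot (TODO: document why debootstrap leaves it otherwise)`, because the reason is not visible in the patch. Under the unchanged `#!/bin/sh`, `"$DEBUG" == "1"` inside `[ ]` is an error on dash (exit 2, so the debug branch is silently skipped); `=` is the portable form.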
diff --git a/scripts_debian/02_install_groups.sh b/scripts_debian/02_install_groups.sh
index f8ef9c2..d87cc40 100755
--- a/scripts_debian/02_install_groups.sh
+++ b/scripts_debian/02_install_groups.sh
@@ -1,57 +1,177 @@ #!/bin/sh # vim: set ts=4 sw=4 sts=4 et : +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ +set -x + . $SCRIPTSDIR/vars.sh +. ./umount.sh >/dev/null + +# ------------------------------------------------------------------------------ +# If .prepared_debootstrap has not been completed, don't continue +# ------------------------------------------------------------------------------ +if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then + echo "--> prepared_debootstrap installataion has not completed!... Exiting" + exit 1 +fi + +# ------------------------------------------------------------------------------ +# Mount system mount points +# ------------------------------------------------------------------------------ +for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "$INSTALLDIR/$fs"; done + +# ------------------------------------------------------------------------------ +# Execute any custom pre configuration scripts +# ------------------------------------------------------------------------------ +customStep "$0" "pre" -# Set up a temporary policy-rc.d to prevent apt from starting services -# on package installation -cat > $BUILDCHROOT/usr/sbin/policy-rc.d < Install groups error and umount" + rm -f "$INSTALLDIR/usr/sbin/policy-rc.d" + umount_image "$INSTALLDIR" || : + exit 1 + } + trap error ERR + trap error EXIT + + # ------------------------------------------------------------------------------ + # Set up a temporary policy-rc.d to prevent apt from starting services + # on package installation + # ------------------------------------------------------------------------------ + cat > "$INSTALLDIR/usr/sbin/policy-rc.d" < Adding debian-security repository." 
- # security.debian.org only makes sense for stable/wheezy - echo "deb http://security.debian.org/ ${DEBIANVERSION}/updates main" \ - >> "$INSTALLDIR/etc/apt/sources.list" - echo "deb-src http://security.debian.org/ ${DEBIANVERSION}/updates main" \ - >> "$INSTALLDIR/etc/apt/sources.list" - - echo "--> Installing systemd" - # sysvinit gives problems with qubes initramfs, we depend on systemd - # for now. Apt *really* doesn't want to replace sysvinit in wheezy. - # For jessie and newer, sysvinit is provided by sysvinit-core which - # is not an essential package. - echo 'Yes, do as I say!' | chroot $INSTALLDIR apt-get -y \ - --force-yes install systemd-sysv -else # testing/unstable - echo "--> Installing systemd" - chroot $INSTALLDIR apt-get -y install systemd-sysv -fi + source="deb http://security.debian.org ${DEBIANVERSION}/updates main" + if ! grep -r -q "$source" "$INSTALLDIR/etc/apt/sources.list"*; then + touch "$INSTALLDIR/etc/apt/sources.list" + echo "$source" >> "$INSTALLDIR/etc/apt/sources.list" + fi + source="deb-src http://security.debian.org ${DEBIANVERSION}/updates main" + if ! 
grep -r -q "$source" "$INSTALLDIR/etc/apt/sources.list"*; then + touch "$INSTALLDIR/etc/apt/sources.list" + echo "$source" >> "$INSTALLDIR/etc/apt/sources.list" + fi -chroot $INSTALLDIR systemctl set-default multi-user.target + # ------------------------------------------------------------------------------ + # Upgrade system + # ------------------------------------------------------------------------------ + echo "--> Upgrading system" + chroot "$INSTALLDIR" apt-get update + DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + chroot "$INSTALLDIR" apt-get -y --force-yes dist-upgrade -echo "--> Upgrading system" -chroot $INSTALLDIR apt-get update -chroot $INSTALLDIR apt-get -y upgrade - -echo "--> Setting keyboard layout" -chroot $INSTALLDIR debconf-set-selections < Setting keyboard layout" + chroot "$INSTALLDIR" debconf-set-selections < Installing extra packages" -xargs chroot $INSTALLDIR apt-get -y install < $SCRIPTSDIR/packages.list + # ------------------------------------------------------------------------------ + # Install extra packages in script_$DEBIANVERSION/packages.list file + # ------------------------------------------------------------------------------ + if [ -n "${TEMPLATE_FLAVOR}" ]; then + PKGLISTFILE="$SCRIPTSDIR/packages_${DIST}_${TEMPLATE_FLAVOR}.list" + if ! [ -r "${PKGLISTFILE}" ]; then + echo "ERROR: ${PKGLISTFILE} does not exists!" 
+ exit 1 + fi + elif [ -r "$SCRIPTSDIR/packages_${DIST}.list" ]; then + PKGLISTFILE="$SCRIPTSDIR/packages_${DIST}.list" + else + PKGLISTFILE="$SCRIPTSDIR/packages.list" + fi + + echo "--> Installing extra packages" + DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + xargs chroot $INSTALLDIR apt-get -y --force-yes install < "$PKGLISTFILE" + + # ------------------------------------------------------------------------------ + # Execute any custom configuration scripts after file packages installed + # (Whonix needs dependancies installed before installation) + # ------------------------------------------------------------------------------ + customStep "$0" "packages_installed" + + # ------------------------------------------------------------------------------ + # Install systemd + # ------------------------------------------------------------------------------ + # - sysvinit gives problems with qubes initramfs, we depend on systemd + # for now. Apt *really* doesn't want to replace sysvinit in wheezy. + # For jessie and newer, sysvinit is provided by sysvinit-core which + # is not an essential package. + # ------------------------------------------------------------------------------ + echo "--> Installing systemd for wheezy ($DEBIANVERSION)" + echo 'Yes, do as I say!' 
| DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + chroot "$INSTALLDIR" apt-get -y --force-yes remove sysvinit + + # Prevent sysvinit from being re-installed + echo "--> Preventing sysvinit re-installation" + chroot "$INSTALLDIR" apt-mark hold sysvinit + + chroot "$INSTALLDIR" apt-get update + DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + chroot "$INSTALLDIR" apt-get -y --force-yes install systemd-sysv + + # ------------------------------------------------------------------------------ + # Set multu-user.target as the default target (runlevel 3) + # ------------------------------------------------------------------------------ + #chroot "$INSTALLDIR" systemctl set-default multi-user.target + chroot "$INSTALLDIR" rm -f /etc/systemd/system/default.target + chroot "$INSTALLDIR" ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target + + # ------------------------------------------------------------------------------ + # Qubes is now being built with some SID packages; grab backport for wheezy + # ------------------------------------------------------------------------------ + if [ "$DEBIANVERSION" == "wheezy" ]; then + echo "--> Adding wheezy backports repository." + source="deb http://http.debian.net/debian wheezy-backports main" + if ! grep -r -q "$source" "$INSTALLDIR/etc/apt/sources.list"*; then + touch "$INSTALLDIR/etc/apt/sources.list" + echo "$source" >> "$INSTALLDIR/etc/apt/sources.list" + fi + chroot $INSTALLDIR apt-get update + DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + chroot $INSTALLDIR apt-get -y --force-yes -t wheezy-backports install init-system-helpers + fi + + # ------------------------------------------------------------------------------ + # Cleanup + # ------------------------------------------------------------------------------ + # Remove temporary policy layer so services can start normally in the + # deployed template. 
+ rm -f "$INSTALLDIR/usr/sbin/policy-rc.d" + touch "$INSTALLDIR/tmp/.prepared_groups" + trap - ERR EXIT + trap + + # Kill all processes and umount all mounts within $INSTALLDIR, + # but not $INSTALLDIR itself (extra '/' prevents $INSTALLDIR from being + # umounted itself) + umount_image "$INSTALLDIR/" || : +fi -# Remove temporary policy layer so services can start normally in the -# deployed template. -rm -f $BUILDCHROOT/usr/sbin/policy-rc.d +# ------------------------------------------------------------------------------ +# Execute any custom post configuration scripts +# ------------------------------------------------------------------------------ +customStep "$0" "post" diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh index 8f05f57..f29612f 100755 --- a/scripts_debian/04_install_qubes.sh +++ b/scripts_debian/04_install_qubes.sh 
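Review bot: `--force-yes` now appears on the `dist-upgrade`, on the packages-list `install` and on the wheezy-backports install of init-system-helpers, whereas before this hunk it was used only for the systemd-sysv install that has to replace an essential package; besides answering prompts, `--force-yes` downgrades apt's "packages cannot be authenticated" error to a warning, so a mirror serving unsigned or mis-signed packages no longer stops the template build. Keep it on the two sysvinit/systemd steps that need it and remove it from the other three apt-get lines, which only need `-y` under DEBIAN_FRONTEND=noninteractive. The bind-mount loop near the top (`mount -B $fs "$INSTALLDIR/$fs"`) runs before `trap error ERR` is armed and has no status check, so a failed mount of /dev/pts or /proc is only noticed when a package postinst breaks; `|| exit 1` on that line closes the gap. Smaller points: the unconditional `set -x` at the top and the bare `trap` before the final umount look like debugging leftovers, and `$INSTALLDIR` is left unquoted on the xargs install line and in the backports block while every other chroot call in the hunk quotes it.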
@@ -1,45 +1,103 @@ #!/bin/sh # vim: set ts=4 sw=4 sts=4 et : +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ +set -x + +# ------------------------------------------------------------------------------ +# Source external scripts +# ------------------------------------------------------------------------------ . $SCRIPTSDIR/vars.sh +. ./umount.sh >/dev/null + +# ------------------------------------------------------------------------------ +# If .prepared_groups has not been completed, don't continue +# ------------------------------------------------------------------------------ +if ! [ -f "$INSTALLDIR/tmp/.prepared_groups" ]; then + echo "--> prepared_groups installataion has not completed!... Exiting" + exit 1 +fi -# Set up a temporary policy-rc.d to prevent apt from starting services -# on package installation -cat > $INSTALLCHROOT/usr/sbin/policy-rc.d < Installing qbues modules" + + # -------------------------------------------------------------------------- + # Set up a temporary policy-rc.d to prevent apt from starting services + # on package installation + # -------------------------------------------------------------------------- + cat > "$INSTALLCHROOT/usr/sbin/policy-rc.d" < Generate locales" -echo "en_US.UTF-8 UTF-8" >> $INSTALLDIR/etc/locale.gen -chroot $INSTALLDIR locale-gen -chroot $INSTALLDIR update-locale LANG=en_US.UTF-8 - -echo "--> Updating template fstab file..." -cat >> $INSTALLDIR/etc/fstab < Generate locales" + echo "en_US.UTF-8 UTF-8" >> "$INSTALLDIR/etc/locale.gen" + chroot "$INSTALLDIR" locale-gen + chroot "$INSTALLDIR" update-locale LANG=en_US.UTF-8 + + # -------------------------------------------------------------------------- + # Update /etc/fstab + # -------------------------------------------------------------------------- + echo "--> Updating template fstab file..." 
+ cat >> "$INSTALLDIR/etc/fstab" < Installing qubes packages" -export CUSTOMREPO="$PWD/yum_repo_qubes/$DIST" - -if ! [ -e $CACHEDIR/repo-secring.gpg ]; then - mkdir -p $CACHEDIR - gpg --gen-key --batch < Installing qubes packages" + export CUSTOMREPO="$PWD/yum_repo_qubes/$DIST" + + # -------------------------------------------------------------------------- + # Install keyrings + # -------------------------------------------------------------------------- + if ! [ -e "$CACHEDIR/repo-secring.gpg" ]; then + mkdir -p "$CACHEDIR" + gpg --gen-key --batch < $INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list < "$INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list" <> $INSTALLDIR/etc/modules - -sed -i -e '/^mesg n/d' $INSTALLDIR/root/.profile + # -------------------------------------------------------------------------- + # Update system; exit is not successful + # -------------------------------------------------------------------------- + chroot "$INSTALLDIR" apt-get update || { umount "$INSTALLDIR/tmp/qubes_repo"; exit 1; } + + # -------------------------------------------------------------------------- + # Install Qubes packages + # -------------------------------------------------------------------------- + DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + chroot "$INSTALLDIR" apt-get -y --force-yes install `cat $SCRIPTSDIR/packages_qubes.list` || \ + { umount "$INSTALLDIR/tmp/qubes_repo"; exit 1; } + + # -------------------------------------------------------------------------- + # Remove Quebes repo from sources.list.d + # -------------------------------------------------------------------------- + rm -f "$INSTALLDIR"/etc/apt/sources.list.d/qubes*.list + umount "$INSTALLDIR/tmp/qubes_repo" + rm -f "$INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list" + chroot "$INSTALLDIR" apt-get update || exit 1 + + # -------------------------------------------------------------------------- + # Remove temporary policy layer so services can start normally 
in the + # deployed template. + # -------------------------------------------------------------------------- + rm -f "$BUILDCHROOT/usr/sbin/policy-rc.d" + + # -------------------------------------------------------------------------- + # Qubes needs a user named 'user' + # -------------------------------------------------------------------------- + if chroot "$INSTALLDIR" id -u 'user' >/dev/null 2>&1; then + : + else + chroot "$INSTALLDIR" groupadd -f user + chroot "$INSTALLDIR" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user + fi + + # -------------------------------------------------------------------------- + # Modules setup + # -------------------------------------------------------------------------- + echo "xen_netfront" >> "$INSTALLDIR/etc/modules" + + # -------------------------------------------------------------------------- + # Remove `mesg` from root/.profile? + # -------------------------------------------------------------------------- + sed -i -e '/^mesg n/d' "$INSTALLDIR/root/.profile" + + # -------------------------------------------------------------------------- + # Need a xen log directory or xen scripts will fail + # -------------------------------------------------------------------------- + mkdir -p -m 0700 "$INSTALLDIR/var/log/xen" + + # -------------------------------------------------------------------------- + # Copy over any extra files that may be needed that are located in + # $SCRIPT_DIR/extra-qubes-files + # -------------------------------------------------------------------------- + echo "-> Copy extra files..." 
+ copy_dirs "extra-qubes-files" + + touch "$INSTALLDIR/tmp/.prepared_qubes" +fi -# Kill any processes that might have been started by apt before unmounting -lsof $INSTALLDIR | tail -n +2 | awk '{print $2}' | xargs --no-run-if-empty kill +# ------------------------------------------------------------------------------ +# Execute any custom post configuration scripts +# ------------------------------------------------------------------------------ +customStep "$0" "post" +# ------------------------------------------------------------------------------ +# Kill all processes and umount all mounts within $INSTALLDIR, but not +# $INSTALLDIR itself (extra '/' prevents $INSTALLDIR from being umounted itself) +# ------------------------------------------------------------------------------ +umount_image "$INSTALLDIR/" || : diff --git a/scripts_debian/09_cleanup.sh b/scripts_debian/09_cleanup.sh index 6e55efa..5411a9c 100755 --- a/scripts_debian/09_cleanup.sh +++ b/scripts_debian/09_cleanup.sh 
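Review bot: The temporary policy-rc.d is written to `"$INSTALLCHROOT/usr/sbin/policy-rc.d"` near the top of the hunk but removed with `rm -f "$BUILDCHROOT/usr/sbin/policy-rc.d"` in the "Remove temporary policy layer" section, so unless both variables name the same tree the removal is a no-op and the template ships with a policy-rc.d that blocks every service start. Use one variable in both places, preferably `"$INSTALLDIR/usr/sbin/policy-rc.d"` as the rest of the hunk does. The Qubes install line also expands the package list with an unquoted backtick substitution and passes `--force-yes`, which tells apt to proceed even when package authentication fails; a comment stating why that is needed for the locally generated qubes_repo key, or removing the flag once the repo is signed, would help. The user creation line gives `user` membership of `sudo` unconditionally, which matches the Qubes convention but deserves a one-line comment so it is not mistaken for an oversight.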
@@ -1,10 +1,27 @@ #!/bin/sh # vim: set ts=4 sw=4 sts=4 et : -rm -f $INSTALLDIR/var/cache/apt/archives/* +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ +. $SCRIPTSDIR/vars.sh -rm -f $INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list -rm -f $INSTALLDIR/etc/apt/trusted.gpg.d/qubes-builder.gpg +# ------------------------------------------------------------------------------ +# Execute any custom pre configuration scripts +# ------------------------------------------------------------------------------ +customStep "$0" "pre" +# ------------------------------------------------------------------------------ +# Cleanup any left over files from installation +# ------------------------------------------------------------------------------ +rm -rf "INSTALLDIR/var/cache/apt/archives/*" +rm -f "$INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list" +rm -f "$INSTALLDIR/etc/apt/trusted.gpg.d/qubes-builder.gpg" + +# XXX: Whats this for? rm -rf buildchroot +# ------------------------------------------------------------------------------ +# Execute any custom post configuration scripts +# ------------------------------------------------------------------------------ +customStep "$0" "post" diff --git a/scripts_debian/NOTES b/scripts_debian/NOTES new file mode 100644 index 0000000..e67480d --- /dev/null +++ b/scripts_debian/NOTES @@ -0,0 +1,5 @@ +NOTES +===== + +- move whonix install into step 01-pre! + that way we dont need to setup systemd 2 times! diff --git a/scripts_debian/custom_wheezy_whonix-gateway/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix-gateway/02_install_groups_packages_installed.sh new file mode 120000 index 0000000..282b083 --- /dev/null +++ b/scripts_debian/custom_wheezy_whonix-gateway/02_install_groups_packages_installed.sh 
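Review bot: `rm -rf "INSTALLDIR/var/cache/apt/archives/*"` drops the `$` from `INSTALLDIR` and quotes the `*`, so it tries to delete a literal relative path and the apt archive cache is never removed from the template; the deleted line `rm -f $INSTALLDIR/var/cache/apt/archives/*` did work. Write it as `rm -rf "$INSTALLDIR"/var/cache/apt/archives/*` with the glob outside the quotes. The `rm -rf buildchroot` kept as context below the `# XXX` comment runs relative to the current directory; a comment naming what it is meant to remove, or a guard such as `[ -d buildchroot ] && rm -rf buildchroot`, would make the intent clear.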
@@ -0,0 +1 @@
+../custom_wheezy_whonix/02_install_groups_packages_installed.sh
\ No newline at end of file
diff --git a/scripts_debian/custom_wheezy_whonix-gateway/04_install_qubes_post.sh b/scripts_debian/custom_wheezy_whonix-gateway/04_install_qubes_post.sh
new file mode 120000
index 0000000..2ee5337
--- /dev/null
+++ b/scripts_debian/custom_wheezy_whonix-gateway/04_install_qubes_post.sh
@@ -0,0 +1 @@
+../custom_wheezy_whonix/04_install_qubes_post.sh
\ No newline at end of file
diff --git a/scripts_debian/custom_wheezy_whonix-gateway/99_custom_configuration.sh b/scripts_debian/custom_wheezy_whonix-gateway/99_custom_configuration.sh
new file mode 100755
index 0000000..6474734
--- /dev/null
+++ b/scripts_debian/custom_wheezy_whonix-gateway/99_custom_configuration.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# vim: set ts=4 sw=4 sts=4 et :
+
+# ------------------------------------------------------------------------------
+# Configurations
+# ------------------------------------------------------------------------------
+. $SCRIPTSDIR/vars.sh
+. ./umount.sh >/dev/null
+
+if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
+ set -x
+fi
+
+if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" ]; then
+ # --------------------------------------------------------------------------
+ # Install Custom Configurations
+ # --------------------------------------------------------------------------
+ echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway"
+ touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations"
+fi
diff --git a/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules b/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules
new file mode 100644
index 0000000..fe68663
--- /dev/null
+++ b/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules
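Review bot: `if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]` fails with an "integer expression expected" error whenever VERBOSE is unset or empty, and `-o` inside `[` is deprecated; write it as `if [ "${VERBOSE:-0}" -ge 2 ] || [ "$DEBUG" = "1" ]; then`. The same line is repeated in the whonix-workstation 99_custom_configuration.sh, custom_wheezy_whonix/02_install_groups_packages_installed.sh and custom_wheezy_whonix/04_install_qubes_post.sh hunks below. The value written to `/etc/whonix-netvm-gateway` is a hard-coded `10.152.152.10`; a comment noting that replace-ips reads this file as the previous address and rewrites it from xenstore at first boot would explain why a fixed seed is acceptable here.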
@@ -0,0 +1,2 @@
+
+SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"
diff --git a/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/usr/lib/whonix/replace-ips b/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/usr/lib/whonix/replace-ips
new file mode 100755
index 0000000..dbf7022
--- /dev/null
+++ b/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/usr/lib/whonix/replace-ips
@@ -0,0 +1,60 @@
+#!/bin/bash
+
+# Search though files and updates IP address to current qubes-netvm-gateway address on startup
+# of eth0
+
+
+DIRS="/usr/lib/leaktest-workstation/simple_ping.py \
+ /usr/lib/whonixcheck/preparation \
+ /usr/share/anon-kde-streamiso/share/config/kioslaverc \
+ /usr/bin/whonix_firewall \
+ /etc/whonix_firewall.d/30_default \
+ /usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh \
+ /usr/bin/uwt \
+ /etc/uwt.d/30_uwt_default \
+ /usr/share/tor/tor-service-defaults-torrc.anondist \
+ /usr/bin/update-torbrowser \
+ /etc/network/interfaces.whonix \
+ /etc/resolv.conf.anondist \
+ /etc/sdwdate.d/31_anon_dist_stream_isolation_plugin \
+ /etc/rinetd.conf.anondist \
+ /etc/network/interfaces.whonix \
+ /usr/share/anon-torchat/.torchat/torchat.ini"
+
+# $1 = space delimited files
+function replace_ips()
+{
+ IP=$2
+ LAST_IP=$3
+
+ if ! [ "$LAST_IP" == "$IP" ]; then
+ for file in $1; do
+ if [ -f "$file" ]; then
+ #find / -xdev -type f -print0 | xargs -0r file | grep 'ASCII text' | awk -F: '{print $1}' | \
+ # xargs -d'\n' -r sed -i "s/$LAST_IP/$IP/g"
+ #find / -xdev -type f -print0 | xargs -0r file | grep 'ASCII text' | awk -F: '{print $1}' | \
+ # xargs -d'\n' -r sed -i "s/$LAST_IP_PART./$IP_PART./g"
+ sed -i "s/$LAST_IP/$IP/g" "$file"
+ fi
+ done
+ echo "$IP" > /etc/whonix-netvm-gateway
+ service tor restart
+ fi
+}
+
+IP=`xenstore-read qubes-netvm-gateway`
+IP_PART=$(echo $IP | cut -f 1,2,3 -d".")
+LAST_IP="$(cat /etc/whonix-netvm-gateway)"
+LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
+replace_ips "$DIRS" $IP $LAST_IP
+
+# Do again; checking for original 10.152.152.10 incase of update
+LAST_IP=10.152.152.10
+LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
+replace_ips "$DIRS" $IP $LAST_IP
+
+# Do again; checking for original 10.152.152.11 incase of update
+LAST_IP=10.152.152.11
+LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
+replace_ips "$DIRS" $IP $LAST_IP
+
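Review bot: `sed -i "s/$LAST_IP/$IP/g" "$file"` interpolates both addresses into the sed expression unescaped: the dots in `$LAST_IP` are regex wildcards, so the pattern also matches unrelated byte sequences in the listed files, and `$IP` comes straight from `xenstore-read`, so a value containing `/` or `&` would change the expression. Escape the pattern (`LAST_IP_RE=${LAST_IP//./\\.}`) and check that `$IP` is a dotted-quad before touching any file. The three calls `replace_ips "$DIRS" $IP $LAST_IP` pass the addresses unquoted, so an empty `$IP` (xenstore-read failed) shifts `$LAST_IP` into the `$2` slot, sed is run with an empty pattern and tor is restarted for nothing; quote the arguments and exit early when `$IP` is empty. `IP_PART` and `LAST_IP_PART` are computed four times but only referenced from commented-out code.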
diff --git a/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/usr/lib/whonix/setup-ip b/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/usr/lib/whonix/setup-ip
new file mode 100755
index 0000000..0c4fbec
--- /dev/null
+++ b/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/usr/lib/whonix/setup-ip
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+if [ -x /usr/sbin/xenstore-read ]; then
+ XENSTORE_READ="/usr/sbin/xenstore-read"
+else
+ XENSTORE_READ="/usr/bin/xenstore-read"
+fi
+
+# Create a dummy eth1 interface so tor can bind to it if there
+# are no DOMU virtual machines connected at the moment
+INTERFACE="eth1"
+/sbin/ip link add $INTERFACE type dummy
+
+# Now, assign it the netvm-gateway IP address
+ip=$($XENSTORE_READ qubes-netvm-gateway 2> /dev/null)
+if [ x$ip != x ]; then
+ netmask=$($XENSTORE_READ qubes-netvm-netmask)
+ gateway=$($XENSTORE_READ qubes-netvm-gateway)
+ /sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255
+ /sbin/ifconfig $INTERFACE up
+ /sbin/ethtool -K $INTERFACE sg off
+ /sbin/ethtool -K $INTERFACE tx off
+fi
+
+# Replace IP addresses in known configuration files / scripts to
+# currently discovered one
+/usr/lib/whonix/replace-ips
+
+# Make sure we have correct nameserver set
+echo "nameserver 127.0.0.1" > /etc/resolv.conf
+
+# Make sure hostname is correct
+/bin/hostname -b host
+
+# Start Whonix Firewall
+export INT_IF="vif+"
+export INT_TIF="vif+"
+/usr/bin/whonix_firewall
diff --git a/scripts_debian/custom_wheezy_whonix-workstation/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix-workstation/02_install_groups_packages_installed.sh
new file mode 120000
index 0000000..282b083
--- /dev/null
+++ b/scripts_debian/custom_wheezy_whonix-workstation/02_install_groups_packages_installed.sh
@@ -0,0 +1 @@
+../custom_wheezy_whonix/02_install_groups_packages_installed.sh
\ No newline at end of file
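Review bot: `if [ x$ip != x ]` leaves `$ip` unquoted, so a xenstore value containing whitespace breaks the test and is then handed unquoted to `/sbin/ifconfig $INTERFACE $ip`; use `if [ -n "$ip" ]; then`, quote `"$ip"` on the ifconfig line, and ideally reject anything that is not a dotted-quad before configuring the interface. `/sbin/ip link add $INTERFACE type dummy` is not idempotent, and the rule in 99-qubes-whonix.rules runs this script on every eth* add event, so every run after the first fails on that line; a guard such as `ip link show "$INTERFACE" >/dev/null 2>&1 || /sbin/ip link add "$INTERFACE" type dummy` avoids the noise. `netmask` and `gateway` are read from xenstore but never used. `echo "nameserver 127.0.0.1" > /etc/resolv.conf` writes through the symlink that 04_install_qubes_post.sh creates to resolv.conf.anondist, so if that symlink is still in place at runtime the redirect overwrites the anondist file itself rather than replacing the link; a comment stating that this is intended would help.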
diff --git a/scripts_debian/custom_wheezy_whonix-workstation/04_install_qubes_post.sh b/scripts_debian/custom_wheezy_whonix-workstation/04_install_qubes_post.sh
new file mode 120000
index 0000000..2ee5337
--- /dev/null
+++ b/scripts_debian/custom_wheezy_whonix-workstation/04_install_qubes_post.sh
@@ -0,0 +1 @@
+../custom_wheezy_whonix/04_install_qubes_post.sh
\ No newline at end of file
diff --git a/scripts_debian/custom_wheezy_whonix-workstation/99_custom_configuration.sh b/scripts_debian/custom_wheezy_whonix-workstation/99_custom_configuration.sh
new file mode 100755
index 0000000..73ba84c
--- /dev/null
+++ b/scripts_debian/custom_wheezy_whonix-workstation/99_custom_configuration.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+# vim: set ts=4 sw=4 sts=4 et :
+
+# ------------------------------------------------------------------------------
+# Configurations
+# ------------------------------------------------------------------------------
+. $SCRIPTSDIR/vars.sh
+. ./umount.sh >/dev/null
+
+if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
+ set -x
+fi
diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh
new file mode 100755
index 0000000..2223777
--- /dev/null
+++ b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh
@@ -0,0 +1,216 @@ +#!/bin/bash +# vim: set ts=4 sw=4 sts=4 et : + +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ +. $SCRIPTSDIR/vars.sh +. ./umount.sh >/dev/null + +if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then + set -x +fi + +# ------------------------------------------------------------------------------ +# chroot Whonix build script (Make sure set -e is not set) +# ------------------------------------------------------------------------------ +read -r -d '' WHONIX_BUILD_SCRIPT <<'EOF' +#!/bin/bash + +################################################################################ +# Pre Fixups +sudo mkdir -p /boot/grub2 +sudo touch /boot/grub2/grub.cfg +sudo mkdir -p /boot/grub +sudo touch /boot/grub/grub.cfg +sudo mkdir --parents --mode=g+rw "/tmp/uwt" + +# Whonix seems to re-install sysvinit even though there is a hold +# on the package. Things seem to work anyway. 
BUT hopfully the +# hold on grub* don't get removed +sudo apt-mark hold sysvinit +sudo apt-mark hold grub-common grub-pc-bin grub2-common + +# Whonix expects haveged to be started +sudo /etc/init.d/haveged start + +################################################################################ +# Whonix installation +export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" + +pushd ~/Whonix +sudo ~/Whonix/whonix_build \ + --build $1 \ + --64bit-linux \ + --current-sources \ + --enable-whonix-apt-repository \ + --whonix-apt-repository-distribution $2 \ + --install-to-root \ + --skip-verifiable \ + --minimal-report \ + --skip-sanity-tests || { exit 1; } +popd + +################################################################################ +# Post Fixups + +pushd /etc/network +sudo rm -f interfaces +sudo ln -s interfaces.backup interfaces +popd + +pushd /etc +sudo rm -f resolv.conf +sudo ln -s resolv.conf.backup resolv.conf +popd + +sudo update-rc.d network-manager disable +sudo update-rc.d spice-vdagent disable +sudo update-rc.d swap-file-creator disable +sudo update-rc.d whonix-initializer disable + +# Fake that initializer was already run +sudo mkdir -p /root/.whonix +sudo touch /root/.whonix/first_run_initializer.done + +# Prevent whonixcheck error +sudo su -c 'echo WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER=\"1\" >> /etc/whonix.d/30_whonixcheck_default' + +# Ensure umask set in /etc/login.defs is used (022) +sudo su -c 'echo "session optional pam_umask.so" >> /etc/pam.d/common-session' + +sudo touch "/tmp/.prepared_whonix" + +EOF + + +# ------------------------------------------------------------------------------ +# chroot Whonix fix script (Make sure set -e is not set) +# Run ../whonix_fix when whonix gives grub-pc error +# ------------------------------------------------------------------------------ +# TODO: Do something in whonix build to automatically run fixups and +# ignore certain errors +read -r -d '' WHONIX_FIX_SCRIPT <<'EOF' 
+DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + sudo apt-get -y --force-yes remove grub-common grub-pc-bin grub2-common +sudo apt-mark hold grub-common grub-pc-bin grub2-common +EOF + + +# ------------------------------------------------------------------------------ +# Set defualts for apt not to install recommended or extra packages +# ------------------------------------------------------------------------------ +read -r -d '' WHONIX_APT_PREFERENCES <<'EOF' +Acquire::Languages "none"; +APT::Install-Recommends "false"; +APT::Install-Suggests "false"; +Dpkg::Options "--force-confold"; +EOF + +# ------------------------------------------------------------------------------ +# Cleanup function +# ------------------------------------------------------------------------------ +function error() { + echo "--> Whonix error; umounting $INSTALLDIR to prevent further writes" + umount_image "$INSTALLDIR" || : + exit 1 +} +trap error ERR +trap error EXIT + +# ------------------------------------------------------------------------------ +# Mount devices, etc required for Whonix installation +# ------------------------------------------------------------------------------ +if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then + echo "-> Installing whonix system" + + # -------------------------------------------------------------------------- + # Whonix system config dependancies + # -------------------------------------------------------------------------- + #/usr/sbin/grub-probe: error: cannot find a device for / (is /dev mounted?) 
+ #cannot stat `/boot/grub/grub.cfg': No such file or directory + + # Qubes needs a user named 'user' + if chroot "$INSTALLDIR" id -u 'user' >/dev/null 2>&1; then + : + else + chroot "$INSTALLDIR" groupadd -f user + chroot "$INSTALLDIR" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user + fi + + # Change hostname to 'host' + echo "host" > "$INSTALLDIR/etc/hostname" + chroot "$INSTALLDIR" sed -i "s/localhost/host/g" /etc/hosts + + if ! [ -f "$INSTALLDIR/etc/sudoers.d/qubes" ]; then + cp -p /etc/sudoers.d/qubes "$INSTALLDIR/etc/sudoers.d/qubes" + fi + + # -------------------------------------------------------------------------- + # Install Whonix system + # -------------------------------------------------------------------------- + if ! [ -d "$INSTALLDIR/home/user/Whonix" ]; then + echo "-> Installing Whonix build environment..." + chroot "$INSTALLDIR" su user -c 'mkdir /home/user/Whonix' + fi + + if [ -d "$INSTALLDIR/home/user/Whonix" ]; then + mount --bind "../Whonix" "$INSTALLDIR/home/user/Whonix" + echo "-> Building Whonix..." + + # Install apt-get preferences + echo "$WHONIX_APT_PREFERENCE" > "$INSTALLDIR/etc/apt/apt.conf.d/99whonix" + chmod 0644 "$INSTALLDIR/etc/apt/apt.conf.d/99whonix" + + # Install Whonix fix script + echo "$WHONIX_FIX_SCRIPT" > "$INSTALLDIR/home/user/whonix_fix" + chmod 0755 "$INSTALLDIR/home/user/whonix_fix" + + # Install Whonix build scripts + echo "$WHONIX_BUILD_SCRIPT" > "$INSTALLDIR/home/user/whonix_build" + chmod 0755 "$INSTALLDIR/home/user/whonix_build" + + if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then + BUILD_TYPE="--torgateway" + elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then + BUILD_TYPE="--torworkstation" + else + echo "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. 
Not building Whonix modules" + echo "You need to set TEMPLATE_FLAVOR environment variable to either" + echo "whonix-gateway OR whonix-workstation" + exit 1 + fi + + chroot "$INSTALLDIR" su user -c "cd ~; ./whonix_build $BUILD_TYPE $DIST" || { exit 1; } + fi +fi + +# ------------------------------------------------------------------------------ +# Execute any custom configuration scripts +# ------------------------------------------------------------------------------ +customStep "99_custom_configuration.sh" + +# XXX: Why do I need to move them out of the way? Lets try keeping them +# in place (modify post script too) +# ------------------------------------------------------------------------------ +# Move Whonix sources out of way +# ------------------------------------------------------------------------------ +#if [ -L "$INSTALLDIR/etc/apt/sources.list.d" ]; then +# mv "$INSTALLDIR/etc/apt/sources.list.d" "$INSTALLDIR/etc/apt/sources.list.d.qubes" +# mkdir -p "$INSTALLDIR/etc/apt/sources.list.d" +# cp -p "$INSTALLDIR/etc/apt/sources.list.d.qubes/debian.list" "$INSTALLDIR/etc/apt/sources.list.d" +#fi + +# ------------------------------------------------------------------------------ +# Bring back original apt-get for installation of Qubues +# ------------------------------------------------------------------------------ +if [ -L "$INSTALLDIR/usr/bin/apt-get" ]; then + rm "$INSTALLDIR/usr/bin/apt-get" + chroot "$INSTALLDIR" su -c "cd /usr/bin/; ln -s apt-get.anondist-orig apt-get" +fi + +# ------------------------------------------------------------------------------ +# Leave cleanup to calling function +# ------------------------------------------------------------------------------ +trap - ERR EXIT +trap diff --git a/scripts_debian/custom_wheezy_whonix/04_install_qubes_post.sh b/scripts_debian/custom_wheezy_whonix/04_install_qubes_post.sh new file mode 100755 index 0000000..11f4193 --- /dev/null +++ b/scripts_debian/custom_wheezy_whonix/04_install_qubes_post.sh 
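Review bot: `echo "$WHONIX_APT_PREFERENCE" > "$INSTALLDIR/etc/apt/apt.conf.d/99whonix"` reads a variable that is never assigned; the heredoc earlier in the hunk fills `WHONIX_APT_PREFERENCES` (plural), so 99whonix is written empty and the Install-Recommends/Install-Suggests/--force-confold settings never reach the chroot. Fix the name: `echo "$WHONIX_APT_PREFERENCES" > "$INSTALLDIR/etc/apt/apt.conf.d/99whonix"`. The embedded build script passes `--skip-sanity-tests` to whonix_build and the fix script uses `apt-get --force-yes`, both of which switch off a check; a short comment beside each saying why the build cannot pass with them enabled would keep a later cleanup from silently dropping them. The `read -r -d '' VAR <<'EOF'` assignments return non-zero at end of input, which is why the header comment warns against `set -e`; since `trap error ERR` is only installed after those reads it works today, and saying so in that comment would stop someone from hoisting the trap above them.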
@@ -0,0 +1,55 @@
+#!/bin/bash
+# vim: set ts=4 sw=4 sts=4 et :
+
+#
+# Whonix Post Install Steps (after qubes install)
+#
+
+# ------------------------------------------------------------------------------
+# Configurations
+# ------------------------------------------------------------------------------
+. $SCRIPTSDIR/vars.sh
+
+if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
+ set -x
+fi
+
+# ------------------------------------------------------------------------------
+# Restore Whonix apt-get
+# ------------------------------------------------------------------------------
+if [ -L "$INSTALLDIR/usr/bin/apt-get" ]; then
+ rm "$INSTALLDIR/usr/bin/apt-get"
+ chroot "$INSTALLDIR" su -c "cd /usr/bin/; ln -s apt-get.anondist apt-get"
+fi
+
+# ------------------------------------------------------------------------------
+# Restore Whonix sources
+# ------------------------------------------------------------------------------
+#if [ -L "$INSTALLDIR/etc/apt/sources.list.d" ]; then
+# rm -rf "$INSTALLDIR/etc/apt/sources.list.d"
+# mv "$INSTALLDIR/etc/apt/sources.list.d.qubes" "$INSTALLDIR/etc/apt/sources.list.d"
+#fi
+
+# ------------------------------------------------------------------------------
+# Restore whonix resolv.conf
+# ------------------------------------------------------------------------------
+if [ -L "$INSTALLDIR/etc/resolv.conf" ]; then
+ pushd "$INSTALLDIR/etc"
+ sudo rm -f resolv.conf
+ sudo ln -s resolv.conf.anondist resolv.conf
+ popd
+fi
+
+# ------------------------------------------------------------------------------
+# Copy over any extra files
+# ------------------------------------------------------------------------------
+echo "-> Copy extra files..."
+copy_dirs "extra-whonix-files"
+
+# ------------------------------------------------------------------------------
+# Cleanup Whonix Installation
+# ------------------------------------------------------------------------------
+rm -rf "$INSTALLDIR"/home/user/Whonix
+rm -rf "$INSTALLDIR"/home/user/whonix_binary
+rm -f "$INSTALLDIR"/home/user/whonix_fix
+rm -f "$INSTALLDIR"/home/user/whonix_build
diff --git a/scripts_debian/extra-qubes-files/etc/udev/rules.d/98-kexec.rules b/scripts_debian/extra-qubes-files/etc/udev/rules.d/98-kexec.rules
new file mode 100644
index 0000000..8c742dd
--- /dev/null
+++ b/scripts_debian/extra-qubes-files/etc/udev/rules.d/98-kexec.rules
@@ -0,0 +1,4 @@
+SUBSYSTEM=="cpu", ACTION=="online", PROGRAM="/bin/systemctl try-restart kdump.service"
+SUBSYSTEM=="cpu", ACTION=="offline", PROGRAM="/bin/systemctl try-restart kdump.service"
+SUBSYSTEM=="memory", ACTION=="add", PROGRAM="/bin/systemctl try-restart kdump.service"
+SUBSYSTEM=="memory", ACTION=="remove", PROGRAM="/bin/systemctl try-restart kdump.service"
diff --git a/scripts_debian/extra-qubes-files/etc/udev/rules.d/xen-backend.rules b/scripts_debian/extra-qubes-files/etc/udev/rules.d/xen-backend.rules
new file mode 100644
index 0000000..40f2658
--- /dev/null
+++ b/scripts_debian/extra-qubes-files/etc/udev/rules.d/xen-backend.rules
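Review bot: `pushd "$INSTALLDIR/etc"` in the "Restore whonix resolv.conf" block is unchecked, so if the directory cannot be entered the following `sudo rm -f resolv.conf` and `sudo ln -s resolv.conf.anondist resolv.conf` run in whatever the current directory is; use `pushd "$INSTALLDIR/etc" || exit 1`, or operate on full paths (`rm -f "$INSTALLDIR/etc/resolv.conf"; ln -s resolv.conf.anondist "$INSTALLDIR/etc/resolv.conf"`) and drop the pushd/popd. `rm -rf "$INSTALLDIR"/home/user/Whonix` removes the path that 02_install_groups_packages_installed.sh bind-mounts from `../Whonix`; if that mount were still active when this post step runs, the rm would descend into the host's Whonix source tree, so a `mountpoint -q "$INSTALLDIR/home/user/Whonix" && umount "$INSTALLDIR/home/user/Whonix"` before it, and `"${INSTALLDIR:?}"` in the rm lines, are cheap insurance. These two `sudo` invocations are the only ones in the file while every other operation (rm, chroot, copy_dirs) runs directly; pick one convention.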
@@ -0,0 +1,16 @@
+SUBSYSTEM=="xen-backend", KERNEL=="tap*", RUN+="/etc/xen/scripts/blktap $env{ACTION}"
+SUBSYSTEM=="xen-backend", KERNEL=="vbd*", RUN+="/etc/xen/scripts/block $env{ACTION}"
+SUBSYSTEM=="xen-backend", KERNEL=="vtpm*", RUN+="/etc/xen/scripts/vtpm $env{ACTION}"
+SUBSYSTEM=="xen-backend", KERNEL=="vif2-*", RUN+="/etc/xen/scripts/vif2 $env{ACTION}"
+SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="online", RUN+="/etc/xen/scripts/vif-setup online type_if=vif"
+SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="offline", RUN+="/etc/xen/scripts/vif-setup offline type_if=vif"
+SUBSYSTEM=="xen-backend", KERNEL=="vscsi*", RUN+="/etc/xen/scripts/vscsi $env{ACTION}"
+SUBSYSTEM=="xen-backend", ACTION=="remove", RUN+="/etc/xen/scripts/xen-hotplug-cleanup"
+KERNEL=="evtchn", NAME="xen/%k"
+SUBSYSTEM=="xen", KERNEL=="blktap[0-9]*", NAME="xen/%k", MODE="0600"
+SUBSYSTEM=="blktap2", KERNEL=="blktap[0-9]*", NAME="xen/blktap-2/%k", MODE="0600"
+KERNEL=="blktap-control", NAME="xen/blktap-2/control", MODE="0600"
+KERNEL=="gntdev", NAME="xen/%k", MODE="0600"
+KERNEL=="pci_iomul", NAME="xen/%k", MODE="0600"
+KERNEL=="tapdev[a-z]*", NAME="xen/blktap-2/tapdev%m", MODE="0600"
+SUBSYSTEM=="net", KERNEL=="tap*", ACTION=="add", RUN+="/etc/xen/scripts/vif-setup $env{ACTION} type_if=tap"
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/blktap b/scripts_debian/extra-qubes-files/etc/xen/scripts/blktap
new file mode 100755
index 0000000..cd30a38
--- /dev/null
+++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/blktap
@@ -0,0 +1,94 @@ +#!/bin/bash + +# Copyright (c) 2005, XenSource Ltd. + +dir=$(dirname "$0") +. "$dir/xen-hotplug-common.sh" +. "$dir/block-common.sh" + +findCommand "$@" + +## +# check_blktap_sharing file mode +# +# Perform the sharing check for the given blktap and mode. +# +check_blktap_sharing() +{ + local file="$1" + local mode="$2" + + local base_path="$XENBUS_BASE_PATH/$XENBUS_TYPE" + for dom in $(xenstore-list "$base_path") + do + for dev in $(xenstore-list "$base_path/$dom") + do + params=$(xenstore_read_default "$base_path/$dom/$dev/params" "" | cut -d: -f2) + if [ "$file" = "$params" ] + then + + if [ "$mode" = 'w' ] + then + if ! same_vm "$dom" + then + echo 'guest' + return + fi + else + local m=$(xenstore_read_default "$base_path/$dom/$dev/mode" "") + m=$(canonicalise_mode "$m") + + if [ "$m" = 'w' ] + then + if ! same_vm "$dom" + then + echo 'guest' + return + fi + fi + fi + fi + done + done + + echo 'ok' +} + + +t=$(xenstore_read_default "$XENBUS_PATH/type" 'MISSING') +if [ -n "$t" ] +then + p=$(xenstore_read "$XENBUS_PATH/params") + p=${p#tapdisk:} + # if we have a ':', chew from head including : + if echo $p | grep -q \: + then + p=${p#*:} + fi +fi +# some versions of readlink cannot be passed a regular file +if [ -L "$p" ]; then + file=$(readlink -f "$p") || fatal "$p link does not exist." +else + file="$p" +fi + +if [ "$command" = 'add' ] +then + [ -e "$file" ] || { fatal $file does not exist; } + + FRONTEND_ID=$(xenstore_read "$XENBUS_PATH/frontend-id") + FRONTEND_UUID=$(xenstore_read "/local/domain/$FRONTEND_ID/vm") + mode=$(xenstore_read "$XENBUS_PATH/mode") + mode=$(canonicalise_mode "$mode") + + if [ "$mode" != '!' ] + then + result=$(check_blktap_sharing "$file" "$mode") + [ "$result" = 'ok' ] || ebusy "$file already in use by other domain" + fi + + success +fi + +exit 0 diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/block b/scripts_debian/extra-qubes-files/etc/xen/scripts/block new file mode 100755 index 0000000..7266a78 
--- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/block 
@@ -0,0 +1,354 @@ +#!/bin/bash + +dir=$(dirname "$0") +. "$dir/block-common.sh" + +HOTPLUG_STORE="/var/run/xen-hotplug/${XENBUS_PATH//\//-}" + +expand_dev() { + local dev + case $1 in + /*) + dev=$1 + ;; + *) + dev=/dev/$1 + ;; + esac + echo -n $dev +} + +find_free_loopback_helper() { + local next_devnum=0 + local busy_devnum + while read busy_devnum; do + if [ "$next_devnum" != "$busy_devnum" ]; then + break + fi + let next_devnum=$next_devnum+1 + done + echo "/dev/loop${next_devnum}" +} + +# Not all distros have "losetup -f" +find_free_loopback_dev() { + local loopdev + loopdev=$(losetup -a | sed -e 's+^/dev/loop++' -e 's/:.*//' | find_free_loopback_helper) + if [ -n "$loopdev" ] && [ -b "$loopdev" ]; then + echo "$loopdev" + fi +} + +## +# check_sharing device mode +# +# Check whether the device requested is already in use. To use the device in +# read-only mode, it may be in use in read-only mode, but may not be in use in +# read-write anywhere at all. To use the device in read-write mode, it must +# not be in use anywhere at all. +# +# Prints one of +# +# 'local': the device may not be used because it is mounted in the current +# (i.e. the privileged domain) in a way incompatible with the +# requested mode; +# 'guest': the device may not be used because it already mounted by a guest +# in a way incompatible with the requested mode; or +# 'ok': the device may be used. 
+# +check_sharing() +{ + local dev="$1" + local mode="$2" + + local devmm=$(device_major_minor "$dev") + local file + + if [ "$mode" = 'w' ] + then + toskip="^$" + else + toskip="^[^ ]* [^ ]* [^ ]* ro[, ]" + fi + + for file in $(cat /proc/mounts | grep -v "$toskip" | cut -f 1 -d ' ') + do + if [ -e "$file" ] + then + local d=$(device_major_minor "$file") + + if [ "$d" = "$devmm" ] + then + echo 'local' + return + fi + fi + done + + local base_path="$XENBUS_BASE_PATH/$XENBUS_TYPE" + for dom in $(xenstore-list "$base_path") + do + for dev in $(xenstore-list "$base_path/$dom") + do + d=$(xenstore_read_default "$base_path/$dom/$dev/physical-device" "") + + if [ "$d" = "$devmm" ] + then + if [ "$mode" = 'w' ] + then + if ! same_vm $dom + then + echo 'guest' + return + fi + else + local m=$(xenstore_read_default "$base_path/$dom/$dev/mode" "") + m=$(canonicalise_mode "$m") + + if [ "$m" = 'w' ] + then + if ! same_vm $dom + then + echo 'guest' + return + fi + fi + fi + fi + done + done + + echo 'ok' +} + + +## +# check_device_sharing dev mode +# +# Perform the sharing check for the given physical device and mode. +# +check_device_sharing() +{ + local dev="$1" + local mode=$(canonicalise_mode "$2") + local result + + if [ "x$mode" = 'x!' ] + then + return 0 + fi + + result=$(check_sharing "$dev" "$mode") + + if [ "$result" != 'ok' ] + then + do_ebusy "Device $dev is mounted " "$mode" "$result" + fi +} + + +## +# check_device_sharing file dev mode +# +# Perform the sharing check for the given file mounted through the given +# loopback interface, in the given mode. 
+# +check_file_sharing() +{ + local file="$1" + local dev="$2" + local mode="$3" + + result=$(check_sharing "$dev" "$mode") + + if [ "$result" != 'ok' ] + then + do_ebusy "File $file is loopback-mounted through $dev, +which is mounted " "$mode" "$result" + fi +} + + +## +# do_ebusy prefix mode result +# +# Helper function for check_device_sharing check_file_sharing, calling ebusy +# with an error message constructed from the given prefix, mode, and result +# from a call to check_sharing. +# +do_ebusy() +{ + local prefix="$1" + local mode="$2" + local result="$3" + + if [ "$result" = 'guest' ] + then + dom='a guest ' + when='now' + else + dom='the privileged ' + when='by a guest' + fi + + if [ "$mode" = 'w' ] + then + m1='' + m2='' + else + m1='read-write ' + m2='read-only ' + fi + + release_lock "block" + ebusy \ +"${prefix}${m1}in ${dom}domain, +and so cannot be mounted ${m2}${when}." +} + + +t=$(xenstore_read_default "$XENBUS_PATH/type" 'MISSING') + +case "$command" in + add) + phys=$(xenstore_read_default "$XENBUS_PATH/physical-device" 'MISSING') + if [ "$phys" != 'MISSING' ] + then + # Depending upon the hotplug configuration, it is possible for this + # script to be called twice, so just bail. + exit 0 + fi + + if [ -n "$t" ] + then + p=$(xenstore_read "$XENBUS_PATH/params") + mode=$(xenstore_read "$XENBUS_PATH/mode") + echo $p > "$HOTPLUG_STORE-params" + echo $mode > "$HOTPLUG_STORE-mode" + echo $t > "$HOTPLUG_STORE-type" + fi + FRONTEND_ID=$(xenstore_read "$XENBUS_PATH/frontend-id") + FRONTEND_UUID=$(xenstore_read_default \ + "/local/domain/$FRONTEND_ID/vm" 'unknown') + + case $t in + phy) + dev=$(expand_dev $p) + + if [ -L "$dev" ] + then + dev=$(readlink -f "$dev") || fatal "$dev link does not exist." + fi + test -e "$dev" || fatal "$dev does not exist." + test -b "$dev" || fatal "$dev is not a block device." 
+ + claim_lock "block" + check_device_sharing "$dev" "$mode" + write_dev "$dev" + release_lock "block" + exit 0 + ;; + + file) + # Canonicalise the file, for sharing check comparison, and the mode + # for ease of use here. + file=$(readlink -f "$p") || fatal "$p does not exist." + test -f "$file" || fatal "$file does not exist." + mode=$(canonicalise_mode "$mode") + + claim_lock "block" + + # Avoid a race with the remove if the path has been deleted, or + # otherwise changed from "InitWait" state e.g. due to a timeout + xenbus_state=$(xenstore_read_default "$XENBUS_PATH/state" 'unknown') + if [ "$xenbus_state" != '2' ] + then + release_lock "block" + fatal "Path closed or removed during hotplug add: $XENBUS_PATH state: $xenbus_state" + fi + + if [ "$mode" = 'w' ] && ! stat "$file" -c %A | grep -q w + then + release_lock "block" + ebusy \ +"File $file is read-only, and so I will not +mount it read-write in a guest domain." + fi + + if [ "x$mode" != 'x!' ] + then + inode=$(stat -c '%i' "$file") + dev=$(stat -c '%D' "$file") + if [ -z "$inode" ] || [ -z "$dev" ] + then + fatal "Unable to lookup $file: dev: $dev inode: $inode" + fi + + shared_list=$(losetup -j "$file" | head -n 1 | cut -d : -f 1) + for dev in "$shared_list" + do + if [ -n "$dev" ] + then + check_file_sharing "$file" "$dev" "$mode" + loopdev="$dev" + fi + done + fi + + if [ -z "$loopdev" ]; then + loopdev=$(losetup -f 2>/dev/null || find_free_loopback_dev) + if [ "$loopdev" = '' ] + then + release_lock "block" + fatal 'Failed to find an unused loop device' + fi + + if LANG=C losetup -h 2>&1 | grep read-only >/dev/null + then + roflag="-$mode"; roflag="${roflag#-w}"; roflag="${roflag#-!}" + else + roflag='' + fi + do_or_die losetup $roflag "$loopdev" "$file" + fi + xenstore_write "$XENBUS_PATH/node" "$loopdev" + echo $loopdev > "$HOTPLUG_STORE-node" + write_dev "$loopdev" + release_lock "block" + exit 0 + ;; + + "") + claim_lock "block" + success + release_lock "block" + ;; + esac + ;; + + remove) + 
t=$(cat $HOTPLUG_STORE-type) + case $t in + phy) + exit 0 + ;; + + file) + claim_lock "block" + node=$(cat "$HOTPLUG_STORE-node") + losetup -d "$node" + release_lock "block" + exit 0 + ;; + + "") + exit 0 + ;; + esac + ;; + +esac + +# If we've reached here, $t is neither phy nor file, so fire a helper script. +[ -x ${XEN_SCRIPT_DIR}/block-"$t" ] && \ + ${XEN_SCRIPT_DIR}/block-"$t" "$command" $node diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/block-common.sh b/scripts_debian/extra-qubes-files/etc/xen/scripts/block-common.sh new file mode 100755 index 0000000..cc374ef --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/block-common.sh 
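Review bot: The fall-through at the end of the script builds an executable path from store-controlled data: `$t` comes from `$XENBUS_PATH/type` (or, on `remove`, from `cat $HOTPLUG_STORE-type`, unquoted) and is spliced into `${XEN_SCRIPT_DIR}/block-"$t"` with no check that it is a bare name, so a value containing `/` or `..` would select a script outside `XEN_SCRIPT_DIR`. The store is written by the toolstack, so this is defence in depth rather than an exposed hole, but a one-line check before the `-x` test is cheap: `case "$t" in ''|*/*|.*) fatal "Invalid backend type: $t" ;; esac`. On the same line `$node` is unquoted, and in the `add` arm `echo $p > "$HOTPLUG_STORE-params"` word-splits and globs the `params` value before persisting it; `printf '%s\n' "$p" > "$HOTPLUG_STORE-params"` (and likewise for `mode` and `type`) stores it byte-for-byte.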
@@ -0,0 +1,125 @@ +# +# Copyright (c) 2005 XenSource Ltd. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of version 2.1 of the GNU Lesser General Public +# License as published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + + +dir=$(dirname "$0") +. "$dir/xen-hotplug-common.sh" + +findCommand "$@" + +if [ "$command" != "add" ] && + [ "$command" != "remove" ] +then + log err "Invalid command: $command" + exit 1 +fi + + +XENBUS_PATH="${XENBUS_PATH:?}" + + +ebusy() +{ + xenstore_write "$XENBUS_PATH/hotplug-error" "$*" \ + "$XENBUS_PATH/hotplug-status" busy + log err "$@" + exit 1 +} + + +## +# Print the given device's major and minor numbers, written in hex and +# separated by a colon. +device_major_minor() +{ + stat -L -c %t:%T "$1" +} + + +## +# Write physical-device = MM,mm to the store, where MM and mm are the major +# and minor numbers of device respectively. +# +# @param device The device from which major and minor numbers are read, which +# will be written into the store. 
+# +write_dev() { + local mm + + mm=$(device_major_minor "$1") + + if [ -z $mm ] + then + fatal "Backend device does not exist" + fi + + xenstore_write "$XENBUS_PATH/physical-device" "$mm" + + success +} + + +## +# canonicalise_mode mode +# +# Takes the given mode, which may be r, w, ro, rw, w!, or rw!, or variations +# thereof, and canonicalises them to one of +# +# 'r': perform checks for a new read-only mount; +# 'w': perform checks for a read-write mount; or +# '!': perform no checks at all. +# +canonicalise_mode() +{ + local mode="$1" + + if ! expr index "$mode" 'w' >/dev/null + then + echo 'r' + elif ! expr index "$mode" '!' >/dev/null + then + echo 'w' + else + echo '!' + fi +} + + +same_vm() +{ + local otherdom="$1" + # Note that othervm can be MISSING here, because Xend will be racing with + # the hotplug scripts -- the entries in /local/domain can be removed by + # Xend before the hotplug scripts have removed the entry in + # /local/domain/0/backend/. In this case, we want to pretend that the + # VM is the same as FRONTEND_UUID, because that way the 'sharing' will be + # allowed. + local othervm=$(xenstore_read_default "/local/domain/$otherdom/vm" \ + "$FRONTEND_UUID") + local target=$(xenstore_read_default "/local/domain/$FRONTEND_ID/target" \ + "-1") + local otarget=$(xenstore_read_default "/local/domain/$otherdom/target" \ + "-1") + local otvm=$(xenstore_read_default "/local/domain/$otarget/vm" \ + "-1") + otvm=${otvm%-1} + othervm=${othervm%-1} + local frontend_uuid=${FRONTEND_UUID%-1} + + [ "$frontend_uuid" = "$othervm" -o "$target" = "$otherdom" -o "$frontend_uuid" = "$otvm" ] +} + diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/block-enbd b/scripts_debian/extra-qubes-files/etc/xen/scripts/block-enbd new file mode 100755 index 0000000..67faa84 --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/block-enbd 
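Review bot: `write_dev` tests `[ -z $mm ]` with `$mm` unquoted; when `device_major_minor` prints nothing the test degenerates to `[ -z ]`, which happens to evaluate true, but the intent is only expressed reliably by `[ -z "$mm" ]`, and a value containing whitespace would make the unquoted form a syntax error. `same_vm` ends with `[ "$frontend_uuid" = "$othervm" -o "$target" = "$otherdom" -o "$frontend_uuid" = "$otvm" ]`; the `-o` operator is obsolescent in POSIX and ambiguous when an operand looks like an option, so `[ a = b ] || [ c = d ] || [ e = f ]` is the safer spelling. The `${otvm%-1}` / `${othervm%-1}` stripping presumably exists to turn the `-1` defaults into empty strings; a comment saying so would help, since the expansion also strips a trailing `-1` from any other value.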
@@ -0,0 +1,27 @@ +#!/bin/bash + +# Usage: block-enbd [bind server ctl_port |unbind node] +# +# The node argument to unbind is the name of the device node we are to +# unbind. +# +# This assumes you're running a correctly configured server at the other end! + +dir=$(dirname "$0") +. "$dir/block-common.sh" + +case "$command" in + add) + for dev in /dev/nd*; do + if nbd-client $2:$3 $dev; then + write_dev $dev + exit 0 + fi + done + exit 1 + ;; + remove) + nbd-client -d $2 + exit 0 + ;; +esac diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/block-nbd b/scripts_debian/extra-qubes-files/etc/xen/scripts/block-nbd new file mode 100755 index 0000000..b29b315 --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/block-nbd @@ -0,0 +1,27 @@ +#!/bin/bash + +# Usage: block-nbd [bind server ctl_port |unbind node] +# +# The node argument to unbind is the name of the device node we are to +# unbind. +# +# This assumes you're running a correctly configured server at the other end! + +dir=$(dirname "$0") +. "$dir/block-common.sh" + +case "$command" in + add) + for dev in /dev/nbd*; do + if nbd-client $2 $3 $dev; then + write_dev $dev + exit 0 + fi + done + exit 1 + ;; + remove) + nbd-client -d $2 + exit 0 + ;; +esac diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/external-device-migrate b/scripts_debian/extra-qubes-files/etc/xen/scripts/external-device-migrate new file mode 100755 index 0000000..a411348 --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/external-device-migrate 
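Review bot: Both `block-enbd` and `block-nbd` treat `$2` and `$3` as server and control port in their `add` arm (`nbd-client $2:$3 $dev` and `nbd-client $2 $3 $dev`), but the only caller visible in this commit, the fall-through at the end of `block`, invokes them as `block-"$t" "$command" $node`, which supplies at most a node in `$2` and nothing in `$3`. Unless another caller passes the documented `bind server ctl_port` form, the `add` path would attempt a connection with an empty host and port; worth confirming how these helpers are meant to be reached before shipping them. In both scripts the positional parameters and `$dev` are also unquoted (`write_dev $dev`, `nbd-client -d $2`), which `"$2"`, `"$3"` and `"$dev"` fix at no cost.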
@@ -0,0 +1,98 @@ +#!/bin/bash + +# Copyright (c) 2005 IBM Corporation +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of version 2.1 of the GNU Lesser General Public +# License as published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +set -x + +# This script is called by XenD for migration of external devices +# It does not handle the migration of those devices itself, but +# passes the requests on to further applications +# It handles the low-level command line parsing and some of the +# synchronization + +dir=$(dirname "$0") +. "$dir/logging.sh" + + +function ext_dev_migrate_usage() { +cat < : n-th migration step +-host : the destination host +-domname : name of the domain that is migrating +-type : the type of device that is migrating +-subtype : the subtype of the device +-recover : indicates recovery request; an error + occurred during migration +-help : display this help screen +EOF +} + +# Parse the command line paramters. The following parameters must be +# passed as the first ones in the sequence: +# -step [required] +# -host [required] +# -domname [required] +# -type [required] +# -subtype [optional] +# -recover [optional] +# The remaining ones will be passed to the called function. 
+function evaluate_params() +{ + local step host domname typ recover filename func stype + stype="" + while [ $# -ge 1 ]; do + case "$1" in + -step) step=$2; shift; shift;; + -host) host=$2; shift; shift;; + -domname) domname=$2; shift; shift;; + -type) typ=$2; shift; shift;; + -subtype) stype=$2; shift; shift;; + -recover) recover=1; shift;; + -help) ext_dev_migrate_usage; exit 0;; + *) break;; + esac + done + + if [ "$step" = "" -o \ + "$host" = "" -o \ + "$typ" = "" -o \ + "$domname" = "" ]; then + echo "Error: Parameter(s) missing (-step/-host/-type/-domname)" 1>&2 + echo "" 1>&2 + echo "$0 -help for usage." 1>&2 + exit 1 + fi + + filename="$dir/$typ$stype-migration.sh" + if [ ! -r $filename ]; then + echo "Error: Could not find script '$filename'" + return + fi + . "$filename" + + if [ "$recover" = "1" ]; then + func="$typ"_recover + eval $func $host $domname $step $* + else + func="$typ"_migration_step + eval $func $host $domname $step $* + fi +} + +evaluate_params "$@" diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/hotplugpath.sh b/scripts_debian/extra-qubes-files/etc/xen/scripts/hotplugpath.sh new file mode 100755 index 0000000..254b3e2 --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/hotplugpath.sh @@ -0,0 +1,10 @@ +SBINDIR="/usr/sbin" +BINDIR="/usr/bin" +LIBEXEC="/usr/lib/xen/bin" +LIBDIR="/usr/lib64" +SHAREDIR="/usr/share" +PRIVATE_BINDIR="/usr/lib64/xen/bin" +XENFIRMWAREDIR="/usr/lib/xen/boot" +XEN_CONFIG_DIR="/etc/xen" +XEN_SCRIPT_DIR="/etc/xen/scripts" +XEN_LOCK_DIR="/var/lock" diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/locking.sh b/scripts_debian/extra-qubes-files/etc/xen/scripts/locking.sh new file mode 100755 index 0000000..e233c47 --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/locking.sh 
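Review bot: `evaluate_params` dispatches with `eval $func $host $domname $step $*`, which re-parses the host name, domain name and every remaining argument as shell code; since `func` is already a plain function name, a direct call `"$func" "$host" "$domname" "$step" "$@"` has the same effect without the re-parsing (the `_recover` branch has the same shape). The `-type`/`-subtype` values are also used unchecked as a path component in `filename="$dir/$typ$stype-migration.sh"`, which is then sourced, so a value containing `/` would source a file outside `$dir`; rejecting anything but `[A-Za-z0-9_-]` before the `-r` test closes that, and `[ ! -r "$filename" ]` should quote its operand. Finally `set -x` is enabled unconditionally near the top, so every invocation traces its full command lines to stderr; if that is a debugging leftover it should be removed or gated on an environment variable.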
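Review bot: `LIBDIR="/usr/lib64"` and `PRIVATE_BINDIR="/usr/lib64/xen/bin"` point at a lib64 hierarchy while `LIBEXEC` on the line above uses `/usr/lib/xen/bin`; Debian does not use `/usr/lib64` as a library directory, so on the Wheezy template this commit targets the two lib64 paths presumably do not exist. If these values came from a copy of the file generated on another distribution, they should be regenerated for Debian to match what the installed xen packages provide; a header comment recording which Xen build the file was taken from would make the next such port easier to check.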
@@ -0,0 +1,110 @@ +# +# Copyright (c) 2005 XenSource Ltd. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of version 2.1 of the GNU Lesser General Public +# License as published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +# +# Serialisation +# + +LOCK_SLEEPTIME=1 +LOCK_SPINNING_RETRIES=5 +LOCK_RETRIES=100 +LOCK_BASEDIR=/var/run/xen-hotplug + + +claim_lock() +{ + local lockdir="$LOCK_BASEDIR/$1" + mkdir -p "$LOCK_BASEDIR" + _claim_lock "$lockdir" +} + + +release_lock() +{ + _release_lock "$LOCK_BASEDIR/$1" +} + + +# This function will be redefined in xen-hotplug-common.sh. +sigerr() { + exit 1 +} + + +_claim_lock() +{ + local lockdir="$1" + local owner=$(_lock_owner "$lockdir") + local retries=0 + + while [ $retries -lt $LOCK_RETRIES ] + do + mkdir "$lockdir" 2>/dev/null && trap "_release_lock $lockdir; sigerr" ERR && + _update_lock_info "$lockdir" && return + + local new_owner=$(_lock_owner "$lockdir") + if [ "$new_owner" != "$owner" ] + then + owner="$new_owner" + retries=0 + else + local pid=$(echo $owner | cut -d : -f 1) + if [ -n "$pid" -a "$pid" != "unknown" -a ! 
-f "/proc/$pid/status" ] + then + _release_lock $lockdir + fi + fi + + if [ $retries -gt $LOCK_SPINNING_RETRIES ] + then + sleep $LOCK_SLEEPTIME + else + sleep 0 + fi + retries=$(($retries + 1)) + done + _steal_lock "$lockdir" +} + + +_release_lock() +{ + trap sigerr ERR + rm -rf "$1" 2>/dev/null || true +} + + +_steal_lock() +{ + local lockdir="$1" + local owner=$(cat "$lockdir/owner" 2>/dev/null || echo "unknown") + log err "Forced to steal lock on $lockdir from $owner!" + _release_lock "$lockdir" + _claim_lock "$lockdir" +} + + +_lock_owner() +{ + cat "$1/owner" 2>/dev/null || echo "unknown" +} + + +_update_lock_info() +{ + echo "$$: $0" >"$1/owner" +} diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/logging.sh b/scripts_debian/extra-qubes-files/etc/xen/scripts/logging.sh new file mode 100755 index 0000000..c1bc699 --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/logging.sh @@ -0,0 +1,22 @@ +# +# Copyright (c) 2005 XenSource Ltd. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of version 2.1 of the GNU Lesser General Public +# License as published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +log() { + local level="$1" + shift + logger -p "daemon.$level" -- "$0:" "$@" || echo "$0 $@" >&2 +} diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/network-bridge b/scripts_debian/extra-qubes-files/etc/xen/scripts/network-bridge new file mode 100755 index 0000000..6f8475a --- /dev/null 
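Review bot: `_claim_lock` arms `trap "_release_lock $lockdir; sigerr" ERR` and later calls `_release_lock $lockdir` with the path unquoted both inside the trap string and in the call; the lock names used in this series are literals (`block`, `network-bridge`), so this is harmless today, but `trap "_release_lock '$lockdir'; sigerr" ERR` and `_release_lock "$lockdir"` keep it correct if a caller ever passes a name containing whitespace. The stale-owner check `[ -n "$pid" -a "$pid" != "unknown" -a ! -f "/proc/$pid/status" ]` uses the obsolescent `-a` form and reads more clearly as three `&&`-joined tests. `_steal_lock` calls back into `_claim_lock`, which on exhausting `LOCK_RETRIES` calls `_steal_lock` again, so if `$lockdir` can never be created (for example an unwritable `LOCK_BASEDIR`) the two recurse without bound; a bounded number of steal attempts followed by `log err` and `exit 1` would turn that into a diagnosed failure.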
+++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/network-bridge 
@@ -0,0 +1,337 @@ +#!/bin/bash +#============================================================================ +# Default Xen network start/stop script. +# Xend calls a network script when it starts. +# The script name to use is defined in ${XEN_CONFIG_DIR}/xend-config.sxp +# in the network-script field. +# +# This script creates a bridge (default ${netdev}), adds a device +# (defaults to the device on the default gateway route) to it, copies +# the IP addresses from the device to the bridge and adjusts the routes +# accordingly. +# +# If all goes well, this should ensure that networking stays up. +# However, some configurations are upset by this, especially +# NFS roots. If the bridged setup does not meet your needs, +# configure a different script, for example using routing instead. +# +# Usage: +# +# network-bridge (start|stop|status) {VAR=VAL}* +# +# Vars: +# +# bridge The bridge to use (default ${netdev}). +# netdev The interface to add to the bridge (default gateway device). +# antispoof Whether to use iptables to prevent spoofing (default no). +# +# Internal Vars: +# pdev="p${netdev}" +# tdev=tmpbridge +# +# start: +# Creates the bridge as tdev +# Copies the IP and MAC addresses from pdev to bridge +# Renames netdev to be pdev +# Renames tdev to bridge +# Enslaves pdev to bridge +# +# stop: +# Removes pdev from the bridge +# Transfers addresses, routes from bridge to pdev +# Renames bridge to tdev +# Renames pdev to netdev +# Deletes tdev +# +# status: +# Print addresses, interfaces, routes +# +#============================================================================ + + +dir=$(dirname "$0") +. "$dir/logging.sh" +. "$dir/xen-script-common.sh" +. "$dir/xen-network-common.sh" +. 
"$dir/locking.sh" + +findCommand "$@" +evalVariables "$@" + +is_network_root () { + local rootfs=$(awk '{ if ($1 !~ /^[ \t]*#/ && $2 == "/") { print $3; }}' /etc/mtab) + local rootopts=$(awk '{ if ($1 !~ /^[ \t]*#/ && $2 == "/") { print $4; }}' /etc/mtab) + + [[ "$rootfs" =~ "^nfs" ]] || [[ "$rootopts" =~ "_netdev" ]] && has_nfsroot=1 || has_nfsroot=0 + if [ $has_nfsroot -eq 1 ]; then + local bparms=$(cat /proc/cmdline) + for p in $bparms; do + local ipaddr=$(echo $p | awk /nfsroot=/'{ print substr($1,9,index($1,":")-9) }') + if [ "$ipaddr" != "" ]; then + local nfsdev=$(ip route get $ipaddr | awk /$ipaddr/'{ print $3 }') + [[ "$nfsdev" == "$netdev" ]] && return 0 || return 1 + fi + done + fi + return 1 +} + +find_alt_device () { + local interf=$1 + local prefix=${interf%[[:digit:]]} + local ifs=$(ip link show | grep " $prefix" |\ + awk '{ printf ("%s",substr($2,1,length($2)-1)) }' |\ + sed s/$interf//) + echo "$ifs" +} + +netdev=${netdev:-$(ip route list 0.0.0.0/0 | \ + sed 's/.*dev \([a-z]\+[0-9]\+\).*$/\1/')} +if is_network_root ; then + altdevs=$(find_alt_device $netdev) + for netdev in $altdevs; do break; done + if [ -z "$netdev" ]; then + [ -x /usr/bin/logger ] && /usr/bin/logger "network-bridge: bridging not supported on network root; not starting" + exit + fi +fi +netdev=${netdev:-eth0} +bridge=${bridge:-${netdev}} +antispoof=${antispoof:-no} + +pdev="p${netdev}" +tdev=tmpbridge + +get_ip_info() { + addr_pfx=`ip addr show dev $1 | egrep '^ *inet' | sed -e 's/ *inet //' -e 's/ .*//'` + gateway=`ip route show dev $1 | fgrep default | sed 's/default via //'` +} + +do_ifup() { + if [ $1 != "${netdev}" ] || ! ifup $1 ; then + if [ -n "$addr_pfx" ] ; then + # use the info from get_ip_info() + ip addr flush $1 + ip addr add ${addr_pfx} dev $1 + fi + ip link set dev $1 up + [ -n "$gateway" ] && ip route add default via ${gateway} + fi +} + +# Usage: transfer_addrs src dst +# Copy all IP addresses (including aliases) from device $src to device $dst. 
+transfer_addrs () { + local src=$1 + local dst=$2 + # Don't bother if $dst already has IP addresses. + if ip addr show dev ${dst} | egrep -q '^ *inet ' ; then + return + fi + # Address lines start with 'inet' and have the device in them. + # Replace 'inet' with 'ip addr add' and change the device name $src + # to 'dev $src'. + ip addr show dev ${src} | egrep '^ *inet ' | sed -e " +s/inet/ip addr add/ +s@\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+/[0-9]\+\)@\1@ +s/${src}/dev ${dst} label ${dst}/ +s/secondary// +" | sh -e + # Remove automatic routes on destination device + ip route list | sed -ne " +/dev ${dst}\( \|$\)/ { + s/^/ip route del / + p +}" | sh -e +} + +# Usage: transfer_routes src dst +# Get all IP routes to device $src, delete them, and +# add the same routes to device $dst. +# The original routes have to be deleted, otherwise adding them +# for $dst fails (duplicate routes). +transfer_routes () { + local src=$1 + local dst=$2 + # List all routes and grep the ones with $src in. + # Stick 'ip route del' on the front to delete. + # Change $src to $dst and use 'ip route add' to add. + ip route list | sed -ne " +/dev ${src}\( \|$\)/ { + h + s/^/ip route del / + P + g + s/${src}/${dst}/ + s/^/ip route add / + P + d +}" | sh -e +} + + +## +# link_exists interface +# +# Returns 0 if the interface named exists (whether up or down), 1 otherwise. +# +link_exists() +{ + if ip link show "$1" >/dev/null 2>/dev/null + then + return 0 + else + return 1 + fi +} + +# Set the default forwarding policy for $dev to drop. +# Allow forwarding to the bridge. +antispoofing () { + iptables -P FORWARD DROP + iptables -F FORWARD + iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT +} + +# Usage: show_status dev bridge +# Print ifconfig and routes. 
+show_status () { + local dev=$1 + local bridge=$2 + + echo '============================================================' + ip addr show ${dev} + ip addr show ${bridge} + echo ' ' + brctl show ${bridge} + echo ' ' + ip route list + echo ' ' + route -n + echo '============================================================' +} + +op_start () { + if [ "${bridge}" = "null" ] ; then + return + fi + + if [ `brctl show | wc -l` != 1 ]; then + return + fi + + if link_exists "$pdev"; then + # The device is already up. + return + fi + + claim_lock "network-bridge" + + create_bridge ${tdev} + + preiftransfer ${netdev} + transfer_addrs ${netdev} ${tdev} + # Remember slaves for bonding interface. + if [ -e /sys/class/net/${netdev}/bonding/slaves ]; then + slaves=`cat /sys/class/net/${netdev}/bonding/slaves` + fi + # Remember the IP details for do_ifup. + get_ip_info ${netdev} + if ! ifdown ${netdev}; then + ip link set ${netdev} down + ip addr flush ${netdev} + fi + ip link set ${netdev} name ${pdev} + ip link set ${tdev} name ${bridge} + + setup_physical_bridge_port ${pdev} + + # Restore slaves + if [ -n "${slaves}" ]; then + ip link set ${pdev} up + ifenslave ${pdev} ${slaves} + fi + add_to_bridge2 ${bridge} ${pdev} + do_ifup ${bridge} + + if [ ${antispoof} = 'yes' ] ; then + antispoofing + fi + + release_lock "network-bridge" +} + +op_stop () { + if [ "${bridge}" = "null" ]; then + return + fi + if ! link_exists "$bridge"; then + return + fi + if ! [ -e "/sys/class/net/${bridge}/brif/${pdev}" ]; then + # $bridge is not a bridge to which pdev is enslaved + return + fi + + claim_lock "network-bridge" + + transfer_addrs ${bridge} ${pdev} + if ! 
ifdown ${bridge}; then + get_ip_info ${bridge} + fi + ip link set ${pdev} down + ip addr flush ${bridge} + + brctl delif ${bridge} ${pdev} + ip link set ${bridge} down + + ip link set ${bridge} name ${tdev} + ip link set ${pdev} name ${netdev} + do_ifup ${netdev} + + brctl delbr ${tdev} + + release_lock "network-bridge" +} + +# adds $dev to $bridge but waits for $dev to be in running state first +add_to_bridge2() { + local bridge=$1 + local dev=$2 + local maxtries=10 + + echo -n "Waiting for ${dev} to negotiate link." + ip link set ${dev} up + for i in `seq ${maxtries}` ; do + if ifconfig ${dev} | grep -q RUNNING ; then + break + else + echo -n '.' + sleep 1 + fi + done + + if [ ${i} -eq ${maxtries} ] ; then echo -n '(link isnt in running state)' ; fi + echo + + add_to_bridge ${bridge} ${dev} +} + +case "$command" in + start) + op_start + ;; + + stop) + op_stop + ;; + + status) + show_status ${netdev} ${bridge} + ;; + + *) + echo "Unknown command: $command" >&2 + echo 'Valid commands are: start, stop, status' >&2 + exit 1 +esac diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/network-nat b/scripts_debian/extra-qubes-files/etc/xen/scripts/network-nat new file mode 100755 index 0000000..eb1740e --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/network-nat 
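Review bot: In `is_network_root` the test `[[ "$rootfs" =~ "^nfs" ]]` quotes the right-hand side, which bash 3.2 and later treat as a literal string rather than a regex, so the anchor `^` is compared literally and a real NFS root never matches; `[[ "$rootopts" =~ "_netdev" ]]` has the same problem. Write the patterns unquoted: `[[ "$rootfs" =~ ^nfs ]] || [[ "$rootopts" =~ _netdev ]]`. The result is then folded with `&& has_nfsroot=1 || has_nfsroot=0`, which depends on left-to-right evaluation of the mixed `||`/`&&` chain; an explicit `if`/`else` would make the intent clear. Since this check decides whether the script refuses to re-plumb the interface carrying the root filesystem, the broken match means the safeguard the header comment promises for NFS roots is not currently effective.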
@@ -0,0 +1,124 @@ +#!/bin/bash +#============================================================================ +# Default Xen network start/stop script when using NAT. +# Xend calls a network script when it starts. +# The script name to use is defined in ${XEN_CONFIG_DIR}/xend-config.sxp +# in the network-script field. +# +# Usage: +# +# network-nat (start|stop|status) {VAR=VAL}* +# +# Vars: +# +# netdev The gateway interface (default eth0). +# antispoof Whether to use iptables to prevent spoofing (default no). +# dhcp Whether to alter the local DHCP configuration (default no). +# +#============================================================================ + +dir=$(dirname "$0") +. "$dir/hotplugpath.sh" +. "$dir/xen-script-common.sh" +. "$dir/xen-network-common.sh" + +findCommand "$@" +evalVariables "$@" + +netdev=${netdev:-eth0} +# antispoofing not yet implemented +antispoof=${antispoof:-no} + +# turn on dhcp feature by default if dhcpd is installed +if [ -f /etc/dhcpd.conf ] +then + dhcp=${dhcp:-yes} +else + dhcp=${dhcp:-no} +fi + + +if [ "$dhcp" != 'no' ] +then + dhcpd_conf_file=$(find_dhcpd_conf_file) + dhcpd_init_file=$(find_dhcpd_init_file) + if [ -z "$dhcpd_conf_file" ] || [ -z "$dhcpd_init_file" ] + then + echo 'Failed to find dhcpd configuration or init file.' >&2 + exit 1 + fi +fi + +domain_name=`cat /etc/resolv.conf | grep -v "#" | grep -E 'search|domain' -i | tail -n 1 | awk '{ print $2 }'` +nameserver=`cat /etc/resolv.conf | grep -v "#" | grep "nameserver" -i -m 1 | awk '{ print $2 }'` + +function dhcp_start() +{ + if ! 
grep -q "subnet 10.0.0.0" "$dhcpd_conf_file" + then + echo >>"$dhcpd_conf_file" "subnet 10.0.0.0 netmask 255.255.0.0 {\ + option domain-name \"$domain_name\";\ + option domain-name-servers $nameserver; }" + fi + + "$dhcpd_init_file" restart +} + + +function dhcp_stop() +{ + local tmpfile=$(mktemp) + grep -v "subnet 10.0.0.0" "$dhcpd_conf_file" >"$tmpfile" + if diff "$tmpfile" "$dhcpd_conf_file" >&/dev/null + then + rm "$tmpfile" + else + mv "$tmpfile" "$dhcpd_conf_file" + fi + + "$dhcpd_init_file" restart +} + + +op_start() { + echo 1 >/proc/sys/net/ipv4/ip_forward + iptables -t nat -A POSTROUTING -o ${netdev} -j MASQUERADE + [ "$dhcp" != 'no' ] && dhcp_start +} + + +op_stop() { + [ "$dhcp" != 'no' ] && dhcp_stop + iptables -t nat -D POSTROUTING -o ${netdev} -j MASQUERADE +} + + +show_status() { + echo '============================================================' + ifconfig + echo ' ' + ip route list + echo ' ' + route -n + echo '============================================================' + +} + +case "$command" in + start) + op_start + ;; + + stop) + op_stop + ;; + + status) + show_status + ;; + + *) + echo "Unknown command: $command" >&2 + echo 'Valid commands are: start, stop, status' >&2 + exit 1 +esac diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/network-route b/scripts_debian/extra-qubes-files/etc/xen/scripts/network-route new file mode 100755 index 0000000..8f6a1be --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/network-route 
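Review bot: `op_start` appends `iptables -t nat -A POSTROUTING -o ${netdev} -j MASQUERADE` unconditionally, and `op_stop` deletes exactly one such rule, so a second `start` (or a `start` after a failed `stop`) leaves duplicate MASQUERADE rules that a single `stop` does not remove; prefixing the `-A` with `iptables -t nat -C POSTROUTING -o "$netdev" -j MASQUERADE 2>/dev/null ||` keeps the rule set idempotent. `dhcp_start` writes `$domain_name` and `$nameserver` into the dhcpd configuration straight from the resolv.conf pipelines, with no check that they are a single hostname-like token and a single address; an empty or malformed value produces a syntactically broken configuration that only surfaces at the `restart`. Those `cat /etc/resolv.conf | grep -v "#" | ...` pipelines can each be a single `awk`, which also avoids discarding every line that merely contains a `#` somewhere.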
@@ -0,0 +1,28 @@ +#!/bin/bash +#============================================================================ +# Default Xen network start/stop script. +# Xend calls a network script when it starts. +# The script name to use is defined in ${XEN_CONFIG_DIR}/xend-config.sxp +# in the network-script field. +# +# Usage: +# +# network-route (start|stop|status) {VAR=VAL}* +# +# Vars: +# +# netdev The gateway interface (default eth0). +# antispoof Whether to use iptables to prevent spoofing (default yes). +# +#============================================================================ + +dir=$(dirname "$0") +. "$dir/hotplugpath.sh" +. "$dir/xen-script-common.sh" + +evalVariables "$@" + +netdev=${netdev:-eth0} + +echo 1 >/proc/sys/net/ipv4/ip_forward +echo 1 >/proc/sys/net/ipv4/conf/${netdev}/proxy_arp diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-bridge b/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-bridge new file mode 100755 index 0000000..960784a --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-bridge 
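Review bot: The header documents `network-route (start|stop|status)` and an `antispoof` variable, but the body never calls `findCommand` or inspects `$command`; it writes `1` to `ip_forward` and to `conf/${netdev}/proxy_arp` on every invocation, including `stop` and `status`, and nothing ever turns forwarding back off. If the start/stop contract is intended, the two `echo` lines belong in an `op_start` arm of a `case "$command"` as in the sibling `network-nat`, with a `stop` arm that restores the previous sysctl values and a `status` arm that prints them; if not, the header should be trimmed to what the script does. The `antispoof` default the header claims (`yes`) is not implemented anywhere visible, so that line should be removed or marked as unimplemented.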
@@ -0,0 +1,108 @@ +#!/bin/bash +#============================================================================ +# ${XEN_SCRIPT_DIR}/vif-bridge +# +# Script for configuring a vif in bridged mode. +# The hotplugging system will call this script if it is specified either in +# the device configuration given to Xend, or the default Xend configuration +# in ${XEN_CONFIG_DIR}/xend-config.sxp. If the script is specified in +# neither of those places, then this script is the default. +# +# Usage: +# vif-bridge (add|remove|online|offline) +# +# Environment vars: +# vif vif interface name (required). +# XENBUS_PATH path to this device's details in the XenStore (required). +# +# Read from the store: +# bridge bridge to add the vif to (optional). Defaults to searching for the +# bridge itself. +# ip list of IP networks for the vif, space-separated (optional). +# +# up: +# Enslaves the vif interface to the bridge and adds iptables rules +# for its ip addresses (if any). +# +# down: +# Removes the vif interface from the bridge and removes the iptables +# rules for its ip addresses (if any). +#============================================================================ + +dir=$(dirname "$0") +. "$dir/vif-common.sh" + +bridge=${bridge:-} +bridge=$(xenstore_read_default "$XENBUS_PATH/bridge" "$bridge") + +if [ -z "$bridge" ] +then + bridge=$(brctl show | cut -d " +" -f 2 | cut -f 1) + + if [ -z "$bridge" ] + then + fatal "Could not find bridge, and none was specified" + fi +else + # + # Old style bridge setup with netloop, used to have a bridge name + # of xenbrX, enslaving pethX and vif0.X, and then configuring + # eth0. + # + # New style bridge setup does not use netloop, so the bridge name + # is ethX and the physical device is enslaved pethX + # + # So if... 
+ # + # - User asks for xenbrX + # - AND xenbrX doesn't exist + # - AND there is a ethX device which is a bridge + # + # ..then we translate xenbrX to ethX + # + # This lets old config files work without modification + # + if [ ! -e "/sys/class/net/$bridge" ] && [ -z "${bridge##xenbr*}" ] + then + if [ -e "/sys/class/net/eth${bridge#xenbr}/bridge" ] + then + bridge="eth${bridge#xenbr}" + fi + fi +fi + +RET=0 +ip link show $bridge 1>/dev/null 2>&1 || RET=1 +if [ "$RET" -eq 1 ] +then + fatal "Could not find bridge device $bridge" +fi + +case "$command" in + online) + setup_virtual_bridge_port "$dev" + mtu="`ip link show $bridge | awk '/mtu/ { print $5 }'`" + if [ -n "$mtu" ] && [ "$mtu" -gt 0 ] + then + ip link set $dev mtu $mtu || : + fi + add_to_bridge "$bridge" "$dev" + ;; + + offline) + do_without_error brctl delif "$bridge" "$dev" + do_without_error ifconfig "$dev" down + ;; + + add) + setup_virtual_bridge_port "$dev" + add_to_bridge "$bridge" "$dev" + ;; +esac + +log debug "Successful vif-bridge $command for $dev, bridge $bridge." +if [ "$type_if" = vif -a "$command" = "online" ] +then + success +fi diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-common.sh b/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-common.sh new file mode 100755 index 0000000..c9c5d41 --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-common.sh 
@@ -0,0 +1,190 @@ +# +# Copyright (c) 2005 XenSource Ltd. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of version 2.1 of the GNU Lesser General Public +# License as published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + + +dir=$(dirname "$0") +. "$dir/xen-hotplug-common.sh" +. "$dir/xen-network-common.sh" + +findCommand "$@" + +if [ "$command" != "online" ] && + [ "$command" != "offline" ] && + [ "$command" != "add" ] && + [ "$command" != "remove" ] +then + log err "Invalid command: $command" + exit 1 +fi + + +# Parameters may be read from the environment, the command line arguments, and +# the store, with overriding in that order. The environment is given by the +# driver, the command line is given by the Xend global configuration, and +# store details are given by the per-domain or per-device configuration. + +evalVariables "$@" + +# Older versions of Xen do not pass in the type as an argument, +# so the default value is vif. +: ${type_if:=vif} + +case "$type_if" in + vif) + dev=$vif + ;; + tap) + dev=$INTERFACE + ;; + *) + log err "unknown interface type $type_if" + exit 1 + ;; +esac + +case "$command" in + online | offline) + test "$type_if" != vif && exit 0 + ;; + add | remove) + test "$type_if" != tap && exit 0 + ;; +esac + + +if [ "$type_if" = vif ]; then + # Check presence of compulsory args. 
+ XENBUS_PATH="${XENBUS_PATH:?}" + dev="${dev:?}" + + vifname=$(xenstore_read_default "$XENBUS_PATH/vifname" "") + if [ "$vifname" ] + then + if [ "$command" == "online" ] && ! ip link show "$vifname" >&/dev/null + then + do_or_die ip link set "$dev" name "$vifname" + fi + dev="$vifname" + fi +elif [ "$type_if" = tap ]; then + # Check presence of compulsory args. + : ${INTERFACE:?} + + # Get xenbus_path from device name. + # The name is built like that: "tap${domid}.${devid}". + dev_=${dev#tap} + domid=${dev_%.*} + devid=${dev_#*.} + + XENBUS_PATH="/local/domain/0/backend/vif/$domid/$devid" +fi + +ip=${ip:-} +ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip") + +frob_iptable() +{ + if [ "$command" == "online" ] + then + local c="-I" + else + local c="-D" + fi + + iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \ + "$@" -j ACCEPT 2>/dev/null && + iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \ + -j ACCEPT 2>/dev/null + + if [ "$command" == "online" -a $? -ne 0 ] + then + log err "iptables setup failed. This may affect guest networking." + fi +} + + +## +# Add or remove the appropriate entries in the iptables. With antispoofing +# turned on, we have to explicitly allow packets to the interface, regardless +# of the ip setting. If ip is set, then we additionally restrict the packets +# to those coming from the specified networks, though we allow DHCP requests +# as well. +# +handle_iptable() +{ + # Check for a working iptables installation. Checking for the iptables + # binary is not sufficient, because the user may not have the appropriate + # modules installed. If iptables is not working, then there's no need to do + # anything with it, so we can just return. + if ! iptables -L -n >&/dev/null + then + return + fi + + claim_lock "iptables" + + if [ "$ip" != "" ] + then + local addr + for addr in $ip + do + frob_iptable -s "$addr" + done + + # Always allow the domain to talk to a DHCP server. 
+ frob_iptable -p udp --sport 68 --dport 67 + else + # No IP addresses have been specified, so allow anything. + frob_iptable + fi + + release_lock "iptables" +} + + +## +# ip_of interface +# +# Print the IP address currently in use at the given interface, or nothing if +# the interface is not up. +# +ip_of() +{ + ip addr show "$1" | awk "/^.*inet.*$1\$/{print \$2}" | sed -n '1 s,/.*,,p' +} + + +## +# dom0_ip +# +# Print the IP address of the interface in dom0 through which we are routing. +# This is the IP address on the interface specified as "netdev" as a parameter +# to these scripts, or eth0 by default. This function will call fatal if no +# such interface could be found. +# +dom0_ip() +{ + local nd=${netdev:-eth0} + local result=$(ip_of "$nd") + if [ -z "$result" ] + then + fatal +"$netdev is not up. Bring it up or specify another interface with " \ +"netdev= as a parameter to $0." + fi + echo "$result" +} diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-nat b/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-nat new file mode 100755 index 0000000..9082cc9 --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-nat 
@@ -0,0 +1,192 @@ +#!/bin/bash +#============================================================================ +# ${XEN_SCRIPT_DIR}/vif-nat +# +# Script for configuring a vif in routed-nat mode. +# The hotplugging system will call this script if it is specified either in +# the device configuration given to Xend, or the default Xend configuration +# in ${XEN_CONFIG_DIR}/xend-config.sxp. If the script is specified in +# neither of those places, then vif-bridge is the default. +# +# Usage: +# vif-nat (add|remove|online|offline) +# +# Environment vars: +# dev vif interface name (required). +# XENBUS_PATH path to this device's details in the XenStore (required). +# +# Parameters: +# dhcp Whether to alter the local DHCP configuration to include this +# new host (default no). +# +# Read from the store: +# ip list of IP networks for the vif, space-separated (default given in +# this script). +#============================================================================ + + +dir=$(dirname "$0") +. "$dir/vif-common.sh" + +# turn on dhcp feature by default if dhcpd is installed +if [ -f /etc/dhcpd.conf ] +then + dhcp=${dhcp:-yes} +else + dhcp=${dhcp:-no} +fi + +if [ "$dhcp" != 'no' ] +then + dhcpd_conf_file=$(find_dhcpd_conf_file) + dhcpd_init_file=$(find_dhcpd_init_file) + dhcpd_arg_file=$(find_dhcpd_arg_file) + if [ -z "$dhcpd_conf_file" ] || [ -z "$dhcpd_init_file" ] || [ -z "$dhcpd_arg_file" ] + then + echo 'Failed to find dhcpd configuration or init or args file.' >&2 + exit 1 + fi +fi + + +domid=$(xenstore_read "$XENBUS_PATH/frontend-id") +vifid=$(xenstore_read "$XENBUS_PATH/handle") +vifid=$(( $vifid + 1 )) + + +ip_from_dom() +{ + local domid1=$(( $domid / 256 )) + local domid2=$(( $domid % 256 )) + + echo "10.$domid1.$domid2.$vifid/16" +} + + +routing_ip() +{ + echo $(echo $1 | awk -F. 
'{print $1"."$2"."$3"."$4 + 127}') +} + + +dotted_quad() +{ + echo\ + $(( ($1 & 0xFF000000) >> 24))\ +.$(( ($1 & 0x00FF0000) >> 16))\ +.$(( ($1 & 0x0000FF00) >> 8 ))\ +.$(( $1 & 0x000000FF )) +} + + +if [ "$ip" = "" ] +then + ip=$(ip_from_dom) +fi + +router_ip=$(routing_ip "$ip") + +# Split the given IP/bits pair. +vif_ip=`echo ${ip} | awk -F/ '{print $1}'` + +hostname=$(xenstore_read "$XENBUS_PATH/domain" | tr -- '_.:/+' '-----') +if [ "$vifid" != "1" ] +then + hostname="$hostname-$vifid" +fi + +dhcparg_remove_entry() +{ + local tmpfile=$(mktemp) + sed -e "s/${dev} //" "$dhcpd_arg_file" >"$tmpfile" + if diff "$tmpfile" "$dhcpd_arg_file" >/dev/null + then + rm "$tmpfile" + else + mv "$tmpfile" "$dhcpd_arg_file" + fi +} + +dhcparg_add_entry() +{ + dhcparg_remove_entry + local tmpfile=$(mktemp) + # handle Red Hat, SUSE, and Debian styles, with or without quotes + sed -e 's/^DHCPDARGS="*\([^"]*\)"*/DHCPDARGS="\1'"${dev} "'"/' \ + "$dhcpd_arg_file" >"$tmpfile" && mv "$tmpfile" "$dhcpd_arg_file" + sed -e 's/^DHCPD_INTERFACE="*\([^"]*\)"*/DHCPD_INTERFACE="\1'"${dev} "'"/' \ + "$dhcpd_arg_file" >"$tmpfile" && mv "$tmpfile" "$dhcpd_arg_file" + sed -e 's/^INTERFACES="*\([^"]*\)"*/INTERFACES="\1'"${dev} "'"/' \ + "$dhcpd_arg_file" >"$tmpfile" && mv "$tmpfile" "$dhcpd_arg_file" + rm -f "$tmpfile" +} + +dhcp_remove_entry() +{ + local tmpfile=$(mktemp) + grep -v "host $hostname" "$dhcpd_conf_file" >"$tmpfile" + if diff "$tmpfile" "$dhcpd_conf_file" >/dev/null + then + rm "$tmpfile" + else + mv "$tmpfile" "$dhcpd_conf_file" + fi + dhcparg_remove_entry +} + + +dhcp_up() +{ + claim_lock "vif-nat-dhcp" + dhcp_remove_entry + mac=$(xenstore_read "$XENBUS_PATH/mac") + echo >>"$dhcpd_conf_file" \ +"host $hostname { hardware ethernet $mac; fixed-address $vif_ip; option routers $router_ip; option host-name \"$hostname\"; }" + dhcparg_add_entry + release_lock "vif-nat-dhcp" + "$dhcpd_init_file" restart || true +} + + +dhcp_down() +{ + claim_lock "vif-nat-dhcp" + dhcp_remove_entry + 
release_lock "vif-nat-dhcp" + "$dhcpd_init_file" restart || true # We need to ignore failure because + # ISC dhcpd 3 borks if there is nothing + # for it to do, which is the case if + # the outgoing interface is not + # configured to offer leases and there + # are no vifs. +} + + +case "$command" in + online) + if ip route | grep -q "dev ${dev}" + then + log debug "${dev} already up" + exit 0 + fi + + do_or_die ip link set "${dev}" up arp on + do_or_die ip addr add "$router_ip" dev "${dev}" + do_or_die ip route add "$vif_ip" dev "${dev}" src "$router_ip" + echo 1 >/proc/sys/net/ipv4/conf/${dev}/proxy_arp + [ "$dhcp" != 'no' ] && dhcp_up + ;; + offline) + [ "$dhcp" != 'no' ] && dhcp_down + do_without_error ifconfig "${dev}" down + ;; +esac + + +handle_iptable + +log debug "Successful vif-nat $command for ${dev}." +if [ "$command" = "online" ] +then + success +fi diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-route b/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-route new file mode 100755 index 0000000..6c5587a --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-route 
@@ -0,0 +1,56 @@
+#!/bin/bash
+#============================================================================
+# ${XEN_SCRIPT_DIR}/vif-route
+#
+# Script for configuring a vif in routed mode.
+# The hotplugging system will call this script if it is specified either in
+# the device configuration given to Xend, or the default Xend configuration
+# in ${XEN_CONFIG_DIR}/xend-config.sxp. If the script is specified in
+# neither of those places, then vif-bridge is the default.
+#
+# Usage:
+# vif-route (add|remove|online|offline)
+#
+# Environment vars:
+# dev vif interface name (required).
+# XENBUS_PATH path to this device's details in the XenStore (required).
+#
+# Read from the store:
+# ip list of IP networks for the vif, space-separated (default given in
+# this script).
+#============================================================================
+
+dir=$(dirname "$0")
+. "${dir}/vif-common.sh"
+
+main_ip=$(dom0_ip)
+
+case "${command}" in
+ online)
+ ifconfig ${dev} ${main_ip} netmask 255.255.255.255 up
+ echo 1 >/proc/sys/net/ipv4/conf/${dev}/proxy_arp
+ ipcmd='add'
+ cmdprefix=''
+ ;;
+ offline)
+ do_without_error ifdown ${dev}
+ ipcmd='del'
+ cmdprefix='do_without_error'
+ ;;
+esac
+
+if [ "${ip}" ] ; then
+ # If we've been given a list of IP addresses, then add routes from dom0 to
+ # the guest using those addresses.
+ for addr in ${ip} ; do
+ ${cmdprefix} ip route ${ipcmd} ${addr} dev ${dev} src ${main_ip}
+ done
+fi
+
+handle_iptable
+
+log debug "Successful vif-route ${command} for ${dev}."
+if [ "${command}" = "online" ]
+then
+ success
+fi
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-route-qubes b/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-route-qubes
new file mode 100755
index 0000000..68fbf38
--- /dev/null
+++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-route-qubes
@@ -0,0 +1,65 @@
+#!/bin/bash
+#============================================================================
+# /etc/xen/vif-route-qubes
+#
+# Script for configuring a vif in routed mode.
+# The hotplugging system will call this script if it is specified either in
+# the device configuration given to Xend, or the default Xend configuration
+# in /etc/xen/xend-config.sxp. If the script is specified in neither of those
+# places, then vif-bridge is the default.
+#
+# Usage:
+# vif-route (add|remove|online|offline)
+#
+# Environment vars:
+# vif vif interface name (required).
+# XENBUS_PATH path to this device's details in the XenStore (required).
+#
+# Read from the store:
+# ip list of IP networks for the vif, space-separated (default given in
+# this script).
+#============================================================================
+
+dir=$(dirname "$0")
+. "$dir/vif-common.sh"
+
+#main_ip=$(dom0_ip)
+
+case "$command" in
+ online)
+ ifconfig ${vif} up
+ echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
+ ipcmd='add'
+ iptables_cmd='-I PREROUTING 1'
+ cmdprefix=''
+ ;;
+ offline)
+ do_without_error ifdown ${vif}
+ ipcmd='del'
+ iptables_cmd='-D PREROUTING'
+ cmdprefix='do_without_error'
+ ;;
+esac
+
+domid=${vif/vif/}
+domid=${domid/.*/}
+# metric must be possitive, but prefer later interface
+# 32752 is max XID aka domid
+metric=$[ 32752 - $domid ]
+
+if [ "${ip}" ] ; then
+ # If we've been given a list of IP addresses, then add routes from dom0 to
+ # the guest using those addresses.
+ for addr in ${ip} ; do
+ ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric
+ done
+ ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP
+ back_ip=`xenstore-read qubes-netvm-gateway`
+ ${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif}
+fi
+
+log debug "Successful vif-route-qubes $command for $vif."
+if [ "$command" = "online" ]
+then
+ success
+fi
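Review bot: In the `online` arm the vif is brought up (`ifconfig ${vif} up`, proxy_arp) before the raw-table DROP rule is inserted further down, and that rule is only installed when `ip` is non-empty, so there is a window — and, for an empty `ip`, a permanent state — in which the guest interface is live with no source-address filter and nothing is logged. The rule `\! -s ${ip}` also assumes a single address, while the header calls `ip` a space-separated list read from the store by vif-common.sh; with two entries the unquoted expansion yields extra arguments and iptables rejects the rule. Consider moving the iptables call ahead of the `ifconfig`, either documenting the one-address contract in the header or emitting per-address ACCEPT rules followed by one DROP, and adding `[ -n "${ip}" ] || log err "no ip in store for ${vif}; antispoof rule not installed"` in the `online` arm. `metric=$[ 32752 - $domid ]` uses the obsolete `$[ ]` form — `metric=$(( 32752 - domid ))` — and `back_ip` from `xenstore-read qubes-netvm-gateway` should be quoted like the other expansions.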
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-setup b/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-setup
new file mode 100755
index 0000000..bcc462e
--- /dev/null
+++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-setup
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if test "$script"
+then
+ exec $script $*
+else
+ exec /etc/xen/scripts/vif-bridge $*
+fi
+
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vif2 b/scripts_debian/extra-qubes-files/etc/xen/scripts/vif2
new file mode 100755
index 0000000..2c155be
--- /dev/null
+++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/vif2
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+dir=$(dirname "$0")
+. "$dir/xen-hotplug-common.sh"
+. "$dir/xen-network-common.sh"
+
+bridge=$(xenstore_read_default "$XENBUS_PATH/bridge" "$bridge")
+if [ -z "$bridge" ]
+ then
+ nr_bridges=$(($(brctl show | cut -f 1 | grep -v "^$" | wc -l) - 1))
+ if [ "$nr_bridges" != 1 ]
+ then
+ fatal "no bridge specified, and don't know which one to use ($nr_bridges found)"
+ fi
+ bridge=$(brctl show | cut -d "
+" -f 2 | cut -f 1)
+fi
+
+command="$1"
+shift
+
+case "$command" in
+ "online")
+ if [ "$bridge" != "-" ]
+ then
+ setup_virtual_bridge_port "$vif"
+ add_to_bridge "$bridge" "$vif"
+ else
+ # Just let the normal udev rules for interfaces handle it.
+ true
+ fi
+ success
+ ;;
+
+ "add")
+ success
+ ;;
+
+ "remove")
+ ;;
+
+ *)
+ echo "Unknown command: $command"
+ echo 'Valid commands are: add, remove, online'
+ exit 1
+esac
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vscsi b/scripts_debian/extra-qubes-files/etc/xen/scripts/vscsi
new file mode 100755
index 0000000..5ac2614
--- /dev/null
+++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/vscsi
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copyright (c) 2007, FUJITSU Limited
+# Based on the block scripts code.
+#
+
+dir=$(dirname "$0")
+. "$dir/xen-hotplug-common.sh"
+
+findCommand "$@"
+
+case "$command" in
+ add)
+ success
+ ;;
+ remove)
+ # TODO
+ exit 0
+ ;;
+esac
+
+exit 0
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm b/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm
new file mode 100755
index 0000000..38a4532
--- /dev/null
+++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+dir=$(dirname "$0")
+. "$dir/vtpm-hotplug-common.sh"
+
+vtpm_fatal_error=0
+
+case "$command" in
+ add)
+ vtpm_create_instance
+ ;;
+ remove)
+ vtpm_remove_instance
+ ;;
+esac
+
+if [ $vtpm_fatal_error -eq 0 ]; then
+ log debug "Successful vTPM operation '$command'."
+ success
+else
+ fatal "Error while executing vTPM operation '$command'."
+fi
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-common.sh b/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-common.sh
new file mode 100755
index 0000000..d0d7935
--- /dev/null
+++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-common.sh
@@ -0,0 +1,448 @@ +# +# Copyright (c) 2005 IBM Corporation +# Copyright (c) 2005 XenSource Ltd. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of version 2.1 of the GNU Lesser General Public +# License as published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +dir=$(dirname "$0") +. "$dir/logging.sh" +. "$dir/locking.sh" + +VTPMDB="/var/vtpm/vtpm.db" + +#In the vtpm-impl file some commands should be defined: +# vtpm_create, vtpm_setup, vtpm_start, etc. (see below) +if [ -r "$dir/vtpm-impl.alt" ]; then + . "$dir/vtpm-impl.alt" +elif [ -r "$dir/vtpm-impl" ]; then + . "$dir/vtpm-impl" +else + function vtpm_create () { + true + } + function vtpm_setup() { + true + } + function vtpm_start() { + true + } + function vtpm_suspend() { + true + } + function vtpm_resume() { + true + } + function vtpm_delete() { + true + } + function vtpm_migrate() { + echo "Error: vTPM migration accross machines not implemented." 
+ } + function vtpm_migrate_local() { + echo "Error: local vTPM migration not supported" + } + function vtpm_migrate_recover() { + true + } +fi + + +#Find the instance number for the vtpm given the name of the domain +# Parameters +# - vmname : the name of the vm +# Return value +# Returns '0' if instance number could not be found, otherwise +# it returns the instance number in the variable 'instance' +function vtpmdb_find_instance () { + local vmname ret instance + vmname=$1 + ret=0 + + instance=$(cat $VTPMDB | \ + awk -vvmname=$vmname \ + '{ \ + if ( 1 != index($1,"#")) { \ + if ( $1 == vmname ) { \ + print $2; \ + exit; \ + } \ + } \ + }') + if [ "$instance" != "" ]; then + ret=$instance + fi + echo "$ret" +} + + +# Check whether a particular instance number is still available +# returns "0" if it is not available, "1" otherwise. +function vtpmdb_is_free_instancenum () { + local instance instances avail i + instance=$1 + avail=1 + #Allowed instance number range: 1-255 + if [ $instance -eq 0 -o $instance -gt 255 ]; then + avail=0 + else + instances=$(cat $VTPMDB | \ + awk \ + '{ \ + if (1 != index($1,"#")) { \ + printf("%s ",$2); \ + } \ + }') + for i in $instances; do + if [ $i -eq $instance ]; then + avail=0 + break + fi + done + fi + echo "$avail" +} + + +# Get an available instance number given the database +# Returns an unused instance number +function vtpmdb_get_free_instancenum () { + local ctr instances don found + instances=$(cat $VTPMDB | \ + awk \ + '{ \ + if (1 != index($1,"#")) { \ + printf("%s ",$2); \ + } \ + }') + ctr=1 + don=0 + while [ $don -eq 0 ]; do + found=0 + for i in $instances; do + if [ $i -eq $ctr ]; then + found=1; + break; + fi + done + + if [ $found -eq 0 ]; then + don=1 + break + fi + let ctr=ctr+1 + done + echo "$ctr" +} + + +# Add a domain name and instance number to the DB file +function vtpmdb_add_instance () { + local res vmname inst + vmname=$1 + inst=$2 + + if [ ! 
-f $VTPMDB ]; then + echo "#Database for VM to vTPM association" > $VTPMDB + echo "#1st column: domain name" >> $VTPMDB + echo "#2nd column: TPM instance number" >> $VTPMDB + fi + res=$(vtpmdb_validate_entry $vmname $inst) + if [ $res -eq 0 ]; then + echo "$vmname $inst" >> $VTPMDB + fi +} + + +#Validate whether an entry is the same as passed to this +#function +function vtpmdb_validate_entry () { + local res rc vmname inst + rc=0 + vmname=$1 + inst=$2 + + res=$(cat $VTPMDB | \ + awk -vvmname=$vmname \ + -vinst=$inst \ + '{ \ + if ( 1 == index($1,"#")) {\ + } else \ + if ( $1 == vmname && \ + $2 == inst) { \ + printf("1"); \ + exit; \ + } else \ + if ( $1 == vmname || \ + $2 == inst) { \ + printf("2"); \ + exit; \ + } \ + }') + + if [ "$res" == "1" ]; then + rc=1 + elif [ "$res" == "2" ]; then + rc=2 + fi + echo "$rc" +} + + +#Remove an entry from the vTPM database given its domain name +#and instance number +function vtpmdb_remove_entry () { + local vmname instance VTPMDB_TMP + vmname=$1 + instance=$2 + VTPMDB_TMP="$VTPMDB".tmp + + $(cat $VTPMDB | \ + awk -vvmname=$vmname \ + '{ \ + if ( $1 != vmname ) { \ + print $0; \ + } \ + '} > $VTPMDB_TMP) + if [ -e $VTPMDB_TMP ]; then + mv -f $VTPMDB_TMP $VTPMDB + vtpm_delete $instance + else + log err "Error creating temporary file '$VTPMDB_TMP'." + fi +} + + +# Find the reason for the creation of this device: +# Returns 'resume' or 'create' +function vtpm_get_create_reason () { + local resume + resume=$(xenstore_read $XENBUS_PATH/resume) + if [ "$resume" == "True" ]; then + echo "resume" + else + echo "create" + fi +} + + +#Create a vTPM instance +# If no entry in the TPM database is found, the instance is +# created and an entry added to the database. 
+function vtpm_create_instance () { + local res instance domname reason uuid + uuid=$(xenstore_read "$XENBUS_PATH"/uuid) + reason=$(vtpm_get_create_reason) + + claim_lock vtpmdb + + instance="0" + + if [ "$uuid" != "" ]; then + instance=$(vtpmdb_find_instance $uuid) + fi + if [ "$instance" == "0" ]; then + domname=$(xenstore_read "$XENBUS_PATH"/domain) + instance=$(vtpmdb_find_instance $domname) + fi + + if [ "$instance" == "0" -a "$reason" != "create" ]; then + release_lock vtpmdb + return + fi + + if [ "$instance" == "0" ]; then + #Try to give the preferred instance to the domain + instance=$(xenstore_read "$XENBUS_PATH"/pref_instance) + if [ "$instance" != "" ]; then + res=$(vtpmdb_is_free_instancenum $instance) + if [ $res -eq 0 ]; then + instance=$(vtpmdb_get_free_instancenum) + fi + else + instance=$(vtpmdb_get_free_instancenum) + fi + + vtpm_create $instance + + if [ $vtpm_fatal_error -eq 0 ]; then + if [ "$uuid" != "" ]; then + vtpmdb_add_instance $uuid $instance + else + vtpmdb_add_instance $domname $instance + fi + fi + else + if [ "$reason" == "resume" ]; then + vtpm_resume $instance + else + vtpm_start $instance + fi + fi + + release_lock vtpmdb + + xenstore_write $XENBUS_PATH/instance $instance +} + + +#Remove an instance when a VM is terminating or suspending. +#Since it is assumed that the VM will appear again, the +#entry is kept in the VTPMDB file. 
+function vtpm_remove_instance () { + local instance reason domname uuid + #Stop script execution quietly if path does not exist (anymore) + xenstore-exists "$XENBUS_PATH"/domain + uuid=$(xenstore_read "$XENBUS_PATH"/uuid) + + claim_lock vtpmdb + + instance="0" + + if [ "$uuid" != "" ]; then + instance=$(vtpmdb_find_instance $uuid) + fi + + if [ "$instance" == "0" ]; then + domname=$(xenstore_read "$XENBUS_PATH"/domain) + instance=$(vtpmdb_find_instance $domname) + fi + + if [ "$instance" != "0" ]; then + vtpm_suspend $instance + fi + + release_lock vtpmdb +} + + +#Remove an entry in the VTPMDB file given the domain's name +#1st parameter: The name of the domain +function vtpm_delete_instance () { + local instance + + claim_lock vtpmdb + + instance=$(vtpmdb_find_instance $1) + if [ "$instance" != "0" ]; then + vtpmdb_remove_entry $1 $instance + fi + + release_lock vtpmdb +} + +# Determine whether the given address is local to this machine +# Return values: +# "-1" : the given machine name is invalid +# "0" : this is not an address of this machine +# "1" : this is an address local to this machine +function vtpm_isLocalAddress() { + local addr res + addr=$(ping $1 -c 1 | \ + awk '{ print substr($3,2,length($3)-2); exit }') + if [ "$addr" == "" ]; then + echo "-1" + return + fi + res=$(ifconfig | grep "inet addr" | \ + awk -vaddr=$addr \ + '{ \ + if ( addr == substr($2, 6)) {\ + print "1"; \ + } \ + }' \ + ) + if [ "$res" == "" ]; then + echo "0" + return + fi + echo "1" +} + +# Perform a migration step. This function differentiates between migration +# to the local host or to a remote machine. +# Parameters: +# 1st: destination host to migrate to +# 2nd: name of the domain to migrate +# 3rd: the migration step to perform +function vtpm_migration_step() { + local res=$(vtpm_isLocalAddress $1) + if [ "$res" == "0" ]; then + vtpm_migrate $1 $2 $3 + else + vtpm_migrate_local + fi +} + +# Recover from migration due to an error. 
This function differentiates +# between migration to the local host or to a remote machine. +# Parameters: +# 1st: destination host the migration was going to +# 2nd: name of the domain that was to be migrated +# 3rd: the last successful migration step that was done +function vtpm_recover() { + local res + res=$(vtpm_isLocalAddress $1) + if [ "$res" == "0" ]; then + vtpm_migrate_recover $1 $2 $3 + fi +} + + +#Determine the domain id given a domain's name. +#1st parameter: name of the domain +#return value: domain id or -1 if domain id could not be determined +function vtpm_domid_from_name () { + local id name ids + ids=$(xenstore-list /local/domain) + for id in $ids; do + name=$(xenstore-read /local/domain/$id/name) + if [ "$name" == "$1" ]; then + echo "$id" + return + fi + done + echo "-1" +} + +#Determine the virtual TPM's instance number using the domain ID. +#1st parm: domain ID +function vtpm_uuid_by_domid() { + echo $(xenstore-read /local/domain/0/backend/vtpm/$1/0/uuid) +} + + +# Determine the vTPM's UUID by the name of the VM +function vtpm_uuid_from_vmname() { + local domid=$(vtpm_domid_from_name $1) + if [ "$domid" != "-1" ]; then + echo $(vtpm_uuid_by_domid $domid) + return + fi + echo "" +} + +#Add a virtual TPM instance number and its associated domain name +#to the VTPMDB file and activate usage of this virtual TPM instance +#by writing the instance number into the xenstore +#1st parm: name of virtual machine +#2nd parm: instance of associated virtual TPM +function vtpm_add_and_activate() { + local domid=$(vtpm_domid_from_name $1) + local vtpm_uuid=$(vtpm_uuid_from_vmname $1) + if [ "$vtpm_uuid" != "" -a "$domid" != "-1" ]; then + vtpmdb_add_instance $vtpm_uuid $2 + xenstore-write backend/vtpm/$domid/0/instance $2 + fi +} diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-delete b/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-delete new file mode 100755 index 0000000..b75b95b --- /dev/null 
+++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-delete
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# This scripts must be called the following way:
+# vtpm-delete
+# or
+# vtpm-delete --vmname
+
+dir=$(dirname "$0")
+. "$dir/vtpm-common.sh"
+
+if [ "$1" == "--vmname" ]; then
+ vtpm_uuid=$(vtpm_uuid_from_vmname $2)
+ if [ "$vtpm_uuid" != "" ];then
+ vtpm_delete_instance $vtpm_uuid
+ fi
+else
+ vtpm_delete_instance $1
+fi
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-hotplug-common.sh b/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-hotplug-common.sh
new file mode 100755
index 0000000..9fd35e7
--- /dev/null
+++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-hotplug-common.sh
@@ -0,0 +1,35 @@
+#
+# Copyright (c) 2005 IBM Corporation
+# Copyright (c) 2005 XenSource Ltd.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of version 2.1 of the GNU Lesser General Public
+# License as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+dir=$(dirname "$0")
+. "$dir/xen-hotplug-common.sh"
+
+findCommand "$@"
+if [ "$command" != "online" ] &&
+ [ "$command" != "offline" ] &&
+ [ "$command" != "add" ] &&
+ [ "$command" != "remove" ]
+then
+ log err "Invalid command: $command"
+ exit 1
+fi
+
+
+XENBUS_PATH="${XENBUS_PATH:?}"
+
+. "$dir/vtpm-common.sh"
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-impl b/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-impl
new file mode 100755
index 0000000..4f9a1fd
--- /dev/null
+++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-impl
@@ -0,0 +1,208 @@ +#!/bin/bash +# =================================================================== +# +# Copyright (c) 2005, Intel Corp. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials provided +# with the distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +# OF THE POSSIBILITY OF SUCH DAMAGE. 
+# =================================================================== + +# | SRC | TAG | CMD SIZE | ORD |mtype|strt +TPM_CMD_OPEN=\\x00\\x00\\x00\\x00\\x01\\xc1\\x00\\x00\\x00\\x11\\x01\\x00\\x00\\x01\\x01\\x01 +TPM_CMD_RESM=\\x00\\x00\\x00\\x00\\x01\\xc1\\x00\\x00\\x00\\x11\\x01\\x00\\x00\\x01\\x01\\x02 +TPM_CMD_CLOS=\\x00\\x00\\x00\\x00\\x01\\xc1\\x00\\x00\\x00\\x0e\\x01\\x00\\x00\\x02 +TPM_CMD_DELE=\\x00\\x00\\x00\\x00\\x01\\xc1\\x00\\x00\\x00\\x0e\\x01\\x00\\x00\\x03 + +TPM_TYPE_PVM=\\x01 +TPM_TYPE_HVM=\\x02 + +TPM_SUCCESS=00000000 + +TX_VTPM_MANAGER=/var/vtpm/fifos/from_console.fifo +RX_VTPM_MANAGER=/var/vtpm/fifos/to_console.fifo + +VTPM_MIG=/usr/bin/vtpm_migrator + +# -------------------- Helpers for binary streams ----------- + +function str_to_hex32() { + printf "%0.8x" $1 +} + +function hex32_to_bin() { + local inst=$(str_to_hex32 $1); + + local n1=`echo $inst | sed 's/\(..\)....../\\\\x\1/'` + local n2=`echo $inst | sed 's/..\(..\)..../\\\\x\1/'` + local n3=`echo $inst | sed 's/....\(..\)../\\\\x\1/'` + local n4=`echo $inst | sed 's/......\(..\)/\\\\x\1/'` + + echo "$n1$n2$n3$n4" +} + +function vtpm_manager_cmd() { + local cmd=$1; + local inst=$2; + local inst_bin=$(hex32_to_bin $inst); + + claim_lock vtpm_mgr + + #send cmd to vtpm_manager + printf "$cmd$inst_bin" > $TX_VTPM_MANAGER + + #recv response + set +e + local resp_hex=`dd skip=10 bs=1 count=4 if=$RX_VTPM_MANAGER 2> /dev/null | xxd -ps` + set -e + + release_lock vtpm_mgr + + #return whether the command was successful + if [ $resp_hex -ne $TPM_SUCCESS ]; then + vtpm_fatal_error=1 + false + else + true + fi +} + +# Helper to get vm type to pass to vtpm_manager open/resume +function vtpm_get_type() { + local inst=$(xenstore_read $XENBUS_PATH/frontend-id) + local vm=$(xenstore_read /local/domain/$inst/vm) + if [ "$vm" != "" ]; then + local ostype=$(xenstore-read $vm/image/ostype) + if [ "$ostype" == "hvm" ]; then + echo $TPM_TYPE_HVM; + else + echo $TPM_TYPE_PVM; + fi + fi +} + +# ------------------ 
Command handlers ----------------- + +# Create new vtpm instance & set it up for use +function vtpm_create () { + # Creation is handled implicitly by the manager on first setup + # so just set it up for use + $(vtpm_start $1) +} + +# Setup vtpm instance for use. +function vtpm_start() { + local vmtype=$(vtpm_get_type); + $(vtpm_manager_cmd $TPM_CMD_OPEN$vmtype $1) +} + +function vtpm_resume() { + local vmtype=$(vtpm_get_type); + $(vtpm_manager_cmd $TPM_CMD_RESM$vmtype $1) +} + +# Reset the vtpm AKA clear PCRs +function vtpm_reset() { + #not used by current implemenation + true +} + +# Shutdown the vtpm while the vm is down +# This could be a suspend of shutdown +# we cannot distinquish, so save the state +# and decide on startup if we should keep is +function vtpm_suspend() { + $(vtpm_manager_cmd $TPM_CMD_CLOS $1) +} + + +function vtpm_delete() { + local inst=$1 + if $(vtpm_manager_cmd $TPM_CMD_DELE $inst); then + rm -f /var/vtpm/vtpm_dm_$1.data + true + else + vtpm_fatal_error=1 + false + fi +} + +# Perform a migration step. This function differentiates between migration +# to the local host or to a remote machine. +# Parameters: +# 1st: destination host to migrate to +# 2nd: name of the domain to migrate +# 3rd: the migration step to perform +function vtpm_migrate() { + local instance res + + instance=$(vtpmdb_find_instance $2) + if [ "$instance" == "" ]; then + log err "VTPM Migratoin failed. 
Unable to translation of domain name" + echo "Error: VTPM Migration failed while looking up instance number" + fi + + case "$3" in + 0) + #Incicate migration supported + echo "0" + ;; + + 1) + # Get Public Key from Destination + # Call vtpm_manager's migration part 1 + claim_lock vtpm_mgr + $VTPM_MIG $1 $2 $instance $3 + release_lock vtpm_mgr + ;; + + 2) + # Call manager's migration step 2 and send result to destination + # If successful remove from db + claim_lock vtpm_mgr + $VTPM_MIG $1 $2 $instance $3 + release_lock vtpm_mgr + ;; + + 3) + if `ps x | grep "$VTPM_MIG $1"`; then + log err "VTPM Migration failed to complete." + echo "Error: VTPM Migration failed to complete." + fi + ;; + esac + +} + + +function vtpm_migrate_recover() { + echo "Error: Recovery not supported yet" +} + +function vtpm_migrate_local() { + echo "Error: local vTPM migration not supported" +} diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-migration.sh b/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-migration.sh new file mode 100755 index 0000000..7e38ae2 --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-migration.sh @@ -0,0 +1,19 @@ +# +# Copyright (c) 2005 IBM Corporation +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of version 2.1 of the GNU Lesser General Public +# License as published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +dir=$(dirname "$0") +. "$dir/vtpm-common.sh" 
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-hotplug-cleanup b/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-hotplug-cleanup new file mode 100755 index 0000000..fcaa8fc --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-hotplug-cleanup @@ -0,0 +1,45 @@ +#! /bin/bash + +dir=$(dirname "$0") +. "$dir/xen-hotplug-common.sh" + +# Claim the lock protecting ${XEN_SCRIPT_DIR}/block. This stops a race whereby +# paths in the store would disappear underneath that script as it attempted to +# read from the store checking for device sharing. +# Any other scripts that do similar things will have to have their lock +# claimed too. +# This is pretty horrible, but there's not really a nicer way of solving this. +claim_lock "block" + +# split backend/DEVCLASS/VMID/DEVID on slashes +path_array=( ${XENBUS_PATH//\// } ) +# get /vm/UUID path +vm=$(xenstore_read_default "/local/domain/${path_array[2]}/vm" "") +# construct /vm/UUID/device/DEVCLASS/DEVID +if [ "$vm" != "" ]; then + vm_dev="$vm/device/${path_array[1]}/${path_array[3]}" + + # if the vm path does not exist and the device class is 'vbd' then we may have + # a tap2 device + $(xenstore-read "$vm_dev" 2>/dev/null) || \ + { + if [ "${path_array[1]}" = "vbd" ]; then + vm_dev="$vm/device/tap2/${path_array[3]}" + fi + } +else + vm_dev= +fi + +# remove device frontend store entries +xenstore-rm -t \ + $(xenstore-read "$XENBUS_PATH/frontend" 2>/dev/null) 2>/dev/null || true + +# remove device backend store entries +xenstore-rm -t "$XENBUS_PATH" 2>/dev/null || true +xenstore-rm -t "error/$XENBUS_PATH" 2>/dev/null || true + +# remove device path from /vm/UUID +[ "$vm_dev" != "" ] && xenstore-rm -t "$vm_dev" 2>/dev/null || true + +release_lock "block" diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-hotplug-common.sh b/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-hotplug-common.sh new file mode 100755 index 0000000..370f9ad --- /dev/null 
+++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-hotplug-common.sh 
@@ -0,0 +1,102 @@ +# +# Copyright (c) 2005 XenSource Ltd. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of version 2.1 of the GNU Lesser General Public +# License as published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + + +dir=$(dirname "$0") +. "$dir/hotplugpath.sh" +. "$dir/logging.sh" +. "$dir/xen-script-common.sh" +. "$dir/locking.sh" + +exec 2>>/var/log/xen/xen-hotplug.log + +export PATH="${BINDIR}:${SBINDIR}:${LIBEXEC}:${PRIVATE_BINDIR}:/sbin:/bin:/usr/bin:/usr/sbin:$PATH" +export LANG="POSIX" +unset $(set | grep ^LC_ | cut -d= -f1) + +fatal() { + _xenstore_write "$XENBUS_PATH/hotplug-error" "$*" \ + "$XENBUS_PATH/hotplug-status" error + log err "$@" + exit 1 +} + +success() { + # Tell DevController that backend is "connected" + xenstore_write "$XENBUS_PATH/hotplug-status" connected +} + +do_or_die() { + "$@" || fatal "$@ failed" +} + +do_without_error() { + "$@" 2>/dev/null || log debug "$@ failed" +} + +sigerr() { + fatal "$0 failed; error detected." +} + +trap sigerr ERR + + +## +# xenstore_read + +# +# Read each of the given paths, returning each result on a separate line, or +# exit this script if any of the paths is missing. +# +xenstore_read() { + local v=$(xenstore-read "$@" || true) + [ "$v" != "" ] || fatal "xenstore-read $@ failed." + echo "$v" +} + + +## +# xenstore_read_default +# +# Read the given path, returning the value there or the given default if the +# path is not present. 
+# +xenstore_read_default() { + xenstore-read "$1" 2>/dev/null || echo "$2" +} + + +## +# _xenstore_write ( )+ +# +# Write each of the key/value pairs to the store. +# +_xenstore_write() { + log debug "Writing $@ to xenstore." + xenstore-write "$@" +} + +## +# xenstore_write ( )+ +# +# Write each of the key/value pairs to the store, and exit this script if any +# such writing fails. +# +xenstore_write() { + _xenstore_write "$@" || fatal "Writing $@ to xenstore failed." +} + +log debug "$@" "XENBUS_PATH=$XENBUS_PATH" diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-network-common.sh b/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-network-common.sh new file mode 100755 index 0000000..f88f9b6 --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-network-common.sh 
@@ -0,0 +1,141 @@ +# +# Copyright (c) 2005 XenSource Ltd. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of version 2.1 of the GNU Lesser General Public +# License as published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + + +# Gentoo doesn't have ifup/ifdown, so we define appropriate alternatives. + +# Other platforms just use ifup / ifdown directly. + +## +# preiftransfer +# +# @param $1 The current name for the physical device, which is also the name +# that the virtual device will take once the physical device has +# been renamed. + +if ! which ifup >/dev/null 2>/dev/null +then + preiftransfer() + { + true + } + ifup() + { + false + } + ifdown() + { + false + } +else + preiftransfer() + { + true + } +fi + + +first_file() +{ + t="$1" + shift + for file in $@ + do + if [ "$t" "$file" ] + then + echo "$file" + return + fi + done +} + +find_dhcpd_conf_file() +{ + first_file -f /etc/dhcp3/dhcpd.conf /etc/dhcpd.conf +} + + +find_dhcpd_init_file() +{ + first_file -x /etc/init.d/{dhcp3-server,dhcp,dhcpd} +} + +find_dhcpd_arg_file() +{ + first_file -f /etc/sysconfig/dhcpd /etc/defaults/dhcp /etc/default/dhcp3-server +} + +# configure interfaces which act as pure bridge ports: +_setup_bridge_port() { + local dev="$1" + local virtual="$2" + + # take interface down ... + ip link set ${dev} down + + if [ $virtual -ne 0 ] ; then + # Initialise a dummy MAC address. 
We choose the numerically + # largest non-broadcast address to prevent the address getting + # stolen by an Ethernet bridge for STP purposes. + # (FE:FF:FF:FF:FF:FF) + ip link set ${dev} address fe:ff:ff:ff:ff:ff || true + fi + + # ... and configure it + ip addr flush ${dev} +} + +setup_physical_bridge_port() { + _setup_bridge_port $1 0 +} +setup_virtual_bridge_port() { + _setup_bridge_port $1 1 +} + +# Usage: create_bridge bridge +create_bridge () { + local bridge=$1 + + # Don't create the bridge if it already exists. + if [ ! -e "/sys/class/net/${bridge}/bridge" ]; then + brctl addbr ${bridge} + brctl stp ${bridge} off + brctl setfd ${bridge} 0 + # Setting these to zero stops guest<->LAN traffic + # traversing the bridge from hitting the *tables + # rulesets. guest<->host traffic still gets processed + # by the host's iptables rules so this isn't a hole + sysctl -q -w "net.bridge.bridge-nf-call-arptables=0" + sysctl -q -w "net.bridge.bridge-nf-call-ip6tables=0" + sysctl -q -w "net.bridge.bridge-nf-call-iptables=0" + fi +} + +# Usage: add_to_bridge bridge dev +add_to_bridge () { + local bridge=$1 + local dev=$2 + + # Don't add $dev to $bridge if it's already on a bridge. + if [ -e "/sys/class/net/${bridge}/brif/${dev}" ]; then + ip link set ${dev} up || true + return + fi + brctl addif ${bridge} ${dev} + ip link set ${dev} up +} + diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-script-common.sh b/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-script-common.sh new file mode 100755 index 0000000..f6841ac --- /dev/null +++ b/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-script-common.sh 
@@ -0,0 +1,44 @@ +# +# Copyright (c) 2005 XenSource Ltd. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of version 2.1 of the GNU Lesser General Public +# License as published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + + +set -e + + +evalVariables() +{ + for arg in "$@" + do + if expr 'index' "$arg" '=' '>' '1' >/dev/null + then + eval "$arg" + fi + done +} + + +findCommand() +{ + for arg in "$@" + do + if ! expr 'index' "$arg" '=' >/dev/null + then + command="$arg" + return + fi + done +} diff --git a/scripts_debian/debian-archive-keyring.gpg b/scripts_debian/keys/debian-jessie-archive-keyring.gpg similarity index 100% rename from scripts_debian/debian-archive-keyring.gpg rename to scripts_debian/keys/debian-jessie-archive-keyring.gpg 
diff --git a/scripts_debian/keys/debian-wheezy-archive-keyring.gpg b/scripts_debian/keys/debian-wheezy-archive-keyring.gpg new file mode 100644 index 0000000000000000000000000000000000000000..6db1f3a93c12bc0225f7156a59cc5833753d5328 GIT binary patch literal 3569 zcmYk8XFMAW*M}n_R*TlANVWFXQnU6dTD3PpBr#&eh)tCsW>H(zYVB34Hl>PEHEPvt zZK7^!d-Q(a_xC=Z&X;rk=gajw*U13h1U<{#eNRLK7{w}A2(I(TR596~20#p6i03D0 zY)Z6G%p`xx{eAySl(z@6?cDw5s(@+OPajZf1IF##w+&Gl=-E)S5nmjv!wOB}(%}|h zuxRucbiBJmRN~+!R8;9D=7(GO*t?&Gb5YTKCB{%xHe%8toUm)k?)|a3<ExmaJ2QbLOKi@lj<%xAt*B+C~U< zu!)=4E>vqGH)WGiyidpGDY-%yM_FI}A5I7_f+%StY+fdIR!B6_8yr$s=9!W}f)4%Oy zQ#CFr-J#-{mBcJXYTJDJlQrN#<>eUYojma6t7{&co_T9%(t)cgh={pX|DbA_s-oI^ zBTNA?|Au(_n+J)**2It7?6%1DaCj}07`Y0hW;qXXUZhu|{6pz~V@dzuVoXbZaUgbF z9&ca7^{G<)smG$x@wN(8hWpku;!6i@4XvT0y6-eg4di5zf?2tZV?sS2}0LQxPUPkRK?2L@5{M!UH} z(MWrU0TPZvqTmp17zV=oNLWd}AiBjP=h75dLX;|w=_D`Pfo}{@L`OB_30)I!}h04=D zY1Wi`Z{(_Ljeju4)All;6TC&`pFY}Y9Ik79rLIYBeCzXNLl7`+4K`Zbybz|Z_=V#3 z#Qu3V+V8*6l|E+1Fp*=WfZ=XTK>dg}Vc^T(UUlH~W1+Q?vbaFT(k<1y^2aQ)pCi+n z!Xs=+%0y51Q>5oc`FNJEi#9~yTIQ5x5k6i$ZyQ&b1vV>wtj+GiDjJf9CU|K)s( z*Xg;_)^QgyTj(el*FCFA5*8RfBCyscJgzG4rQ+@NwDZRf2C2WGTtPfcvAwLypo>P>ik^f-fxLD1aafo{VGrphCBbO2i;|6KW2yBK#mBK~w_q4&oI-jAL$Z8;f z7^@DVy#)k-|1$KO@Rtw|>q&fYK+J$F9Uz?g1FyrbffW54cECx>;)V9S=J_rQ0*!W;5fOpA!-e5c z6bk0(DC__ead&e;+GB*#e(1kzXBkE;YPh(1Bh;xc`7SHD&)0*hPB7WjPwCDtklNk$gLlhWyWQF_1kebt^Z#8s#Bm(Z8O)W zeLE`j7wp6=GO>w?cd5f;fM2=r8zPVK~;^*EZVA*jQ(lVbH`YT2ep(m6ft zlvwRv^PS~QN1xVrX{vVpqrJVrQI|g1m^&$P@r)7jUCfZmkQtW}q>cYBHT_3pIrJ%lHxE(!4#&j%5z zhb--e<21BrT$>b?o8KSP(le2$rg1i(tN80b0#>4!4V^*R_ylkwHhJ9GfFA@Mh~2Bh zIGt^^Xc*agTbDS>v+l{{A9ehxTdGeRil)0MbFtD=oB-i}I33<`yl9fO{I2OlaFz?K zWJ_3WU*BDGM$r8-F$rV=js@`kc^v7pCU__hy;H4@>ZYyq}qN#IfM3^Do)8Uh9Oz zAQ9!4mAp3=l8t+ol0&}nbT`+~xjH(6N$1U<1R@PL2B}EfF0)nkoM!JO?F(JBcWozW z#+-601#h4*Ryh_<-XGlco} zARup^rrEvBBaZG({5|=r6yMPHheQzUVTsSdV+RiNUvO!DVd+elV?UhgNayYjmOK9A z)Y#`_^vw)hM2vL*#2uO*{2g*z4J)?c3|g&%C$yrA49Pe=6?_qxj%A5AGvzpbkX?;e*NDt1Jy4cZ8J{85+ 
zvR&n#k(*JL^a1CEuJKx3N8G1D4>zU?xQW7DatQp@gY-4JiR%;ld8^;4qT+_7Fu@d` zJUQ07ve!<^V0&g_(hO`BbPmL*e>VR0W;DS+K-B2zVVTd6D27#gMJu&WRq#Fw2X&vE;(oTOHr*HP)i*`1Zr{dWHh|^Qe1(T?lAyU#h z4jWdaSyQ9a^dL`l#@1VQC*jfP15C^G-3{&6JXqB;7t8JU2Ysh1Wl{LNg+;F;24h)K z*Ra(6yF&vRF`{=jt%kqRoYDyL=muXk3YYJ?v)g^3EYSFXptaU|lYUMGr-6;;ok$B& zX_9hJYh>;y;zM`@5NzhI848B4nS;tM?bFn$R{e_-ycI-6>@SuMv6Y^`NV9zRWOO8X zbB4-=v29tbKnSWw<@DksVz+(zbxricG)AFS0*_8%Fix*IgV zT?^D>_q1TwU<;n({&ldNI#@8`F?M#k{uYN^%Wg;R^gU&@qPWsJFQ>5OXn6UUuac{k z#$<#k-q1wrDG?B`kCc=8o_aYAu`82yWZXS=WWg&G2zWFv3$W_l-YV}R4A|tp9|@Hb z&YNNz$2l}rOgxq&**?{sCsS*XNwoq^1pZW8O>D|!a{ibO2j*_%c`fZdN{yIMOSU>< zk=&kR@^i`D!wW2#l3pZ+@jRhF{b!stD9J6*HS5snj!8C7Fo+d?rtEC0ruy0P?fw3m zL~YLpi7%}UQGYEN4denbUBgHHf3Mb!|9Q3kn-yzv>MM1Q@{89!c@nkg8?5<}bF~BD z(Hac}ehQsdnIt&~Pl*P6CP@v~0@?m%zxY1boIYeVl=P*1r{_@DLwnR#fz#rilYUBt zDF3i;bX-F0dFap_F?jR^duK^)%Exoh{Ssk;cB*^?;UA-b5Lv=`jcTMp;*nmSzeY0g zkPmseHITCu+j=(xKNe|f0N~i?Y1fdN$9{h*VF2#Qc~L~G??=td-*>VY6fK`Po2ZTL zD@{u%bE~i#T6n|3d#3#OnTIkfjYNB7!%V*x?&iwc6=8@@buo?|OBq3eeqZ>f{~~e{ z9bd!>RJ5w#Zl0Z>j8y27!}K2cINjRs)HyP(#y;EEepMZDv4x@QF29xcObdf{u7WCg z4`v6u{!I6VEyL!fRN5w6O4|+qHOtn7A_*JBTcj&A7O9@$Bmm*&#}|EBJfy@QTecSNy{{?;plB$t}R60IFBM&(qUfz1ZAVT{w{C-4RT)P(iO`>FA#8rv!iK zE+Y3cEL~tBfyHKpPCbK^*}Na5(SZK(Va0|J$5|&HXTPUQ4Gy88)NI~-%V60^Dv5{2 z%*g$?EIKbDsz7p(M_4vDh8c~TgWNOZ$BhK{5G Checking for any custom $2 configuration scripts for $1..." 
+ splitPath "$1" path_parts
+
+ if [ "$2" ]; then
+ script_name="${path_parts[base]}_$2${path_parts[dotext]}"
+ else
+ script_name="${path_parts[base]}${path_parts[dotext]}"
+ fi
+
+ if [ -n "${TEMPLATE_FLAVOR}" ]; then
+ script="$SCRIPTSDIR/custom_${DIST}_${TEMPLATE_FLAVOR}/${script_name}"
+ else
+ script="$SCRIPTSDIR/custom_${DIST}/${script_name}"
+ fi
+
+ if [ -f "$script" ]; then
+ "$script"
+ fi
+}
+
+
+# ------------------------------------------------------------------------------
+# Copy extra file tree to $INSTALLDIR
+# ------------------------------------------------------------------------------
+copy_dirs() {
+ DIR="$1"
+ if [ -n "${TEMPLATE_FLAVOR}" ]; then
+ CUSTOMDIR="$SCRIPTSDIR/custom_${DIST}_${TEMPLATE_FLAVOR}/${DIR}"
+ else
+ CUSTOMDIR="$SCRIPTSDIR/custom_${DIST}/${DIR}"
+ fi
+
+ if [ -d "$CUSTOMDIR" ]; then
+ cp -rp "$CUSTOMDIR/"* "$INSTALLDIR"
+ elif [ -d "$SCRIPTSDIR/${DIR}" ]; then
+ cp -rp "$SCRIPTSDIR/${DIR}/"* "$INSTALLDIR"
+ fi
+}
diff --git a/umount.sh b/umount.sh
new file mode 100755
index 0000000..9fc7df6
--- /dev/null
+++ b/umount.sh
@@ -0,0 +1,60 @@
+#!/bin/bash -e
+
+#
+# Written by Jason Mehring (nrgaway@gmail.com)
+#
+
+# Kills any processes within the mounted location and
+# unmounts any mounts active within.
+#
+# To keep the actual mount mounted, add a '/' to end
+#
+# $1: directory to umount
+#
+# Examples:
+# To kill all processes and mounts within 'chroot-jessie' but keep
+# 'chroot-jessie' mounted:
+#
+# ./umount.sh chroot-jessie/
+#
+# To kill all processes and mounts within 'chroot-jessie' AND also
+# umount 'chroot-jessie' mount:
+#
+# ./umount.sh chroot-jessie
+#
+
+# $1 = full path to mount;
+# $2 = if set will not umount; only kill processes in mount
+umount_image() {
+ MOUNTDIR="$1"
+
+ # We need absolute paths here so we don't kill everything
+ if ! [[ "$MOUNTDIR" = /* ]]; then
+ MOUNTDIR="${PWD}/${MOUNTDIR}"
+ fi
+
+ echo "-> Attempting to kill any processes still running in '$MOUNTDIR' before un-mounting"
+ for dir in $(sudo grep "$MOUNTDIR" /proc/mounts | cut -f2 -d" " | sort -r | grep "^$MOUNTDIR")
+ do
+ sudo lsof "$dir" 2> /dev/null | \
+ grep "$dir" | \
+ tail -n +2 | \
+ awk '{print $2}' | \
+ xargs --no-run-if-empty sudo kill -9
+
+ echo "un-mounting $dir"
+ if ! [ "$2" ] && $(mountpoint -q "$dir"); then
+ sudo umount -n "$dir" 2> /dev/null || \
+ sudo umount -n -l "$dir" 2> /dev/null || \
+ echo "umount $dir unsuccessful!"
+ fi
+ done
+}
+
+kill_processes_in_mount() {
+ umount_image $1 "false" || :
+}
+
+if [ $(basename "$0") == "umount.sh" -a "$1" ]; then
+ umount_image "$1"
+fi
From 8c212df88f96cd906c145c08ed7a613af771b15b Mon Sep 17 00:00:00 2001
From: Jason Mehring
Date: Tue, 14 Oct 2014 14:26:56 -0400
Subject: [PATCH 02/83] Changed wheezy backports to use DEBIAN_MIRROR address and added a wheezy conditional to unistall sysvinit differently then jessie
---
scripts_debian/02_install_groups.sh | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
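Review bot: The mount discovery in umount_image matches `$MOUNTDIR` as a regex prefix (`grep "$MOUNTDIR"` on the whole /proc/mounts line, then `grep "^$MOUNTDIR"` on the field), so a sibling mount whose path merely starts with the same characters — `…/mnt2` when unmounting `…/mnt` — is swept too, and every process under it is killed with SIGKILL before any umount happens. Comparing the mount field exactly, or as a `$MOUNTDIR/` prefix, keeps the documented trailing-slash behaviour while avoiding the collateral kills; a version is below. /proc/mounts is world-readable, so the `sudo` in front of that grep is not needed, and sending SIGTERM before falling back to `kill -9` would let the processes flush. Paths containing spaces appear octal-escaped (`\040`) in /proc/mounts and are matched by neither form; a comment stating that limitation would help.
```shell
  # Select the mount itself (unless a trailing '/' asked to keep it) and
  # every mount below it; a bare prefix match would also catch siblings
  # such as "${MOUNTDIR}2".
  local base="${MOUNTDIR%/}" keep_self=0
  [[ "$MOUNTDIR" == */ ]] && keep_self=1
  for dir in $(awk -v d="$base" -v keep="$keep_self" \
      '($2 == d && !keep) || index($2, d "/") == 1 {print $2}' /proc/mounts | sort -r)
  do
    # … unchanged: lsof/kill of processes in "$dir" and the umount of "$dir" …
```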
diff --git a/scripts_debian/02_install_groups.sh b/scripts_debian/02_install_groups.sh
index d87cc40..8d57154 100755
--- a/scripts_debian/02_install_groups.sh
+++ b/scripts_debian/02_install_groups.sh
@@ -120,9 +120,14 @@ EOF
 # For jessie and newer, sysvinit is provided by sysvinit-core which
 # is not an essential package.
 # ------------------------------------------------------------------------------
- echo "--> Installing systemd for wheezy ($DEBIANVERSION)"
- echo 'Yes, do as I say!' | DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
- chroot "$INSTALLDIR" apt-get -y --force-yes remove sysvinit
+ echo "--> Installing systemd for debian ($DEBIANVERSION)"
+ if [ "$DEBIANVERSION" == "wheezy" ]; then
+ echo 'Yes, do as I say!' | DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
+ chroot "$INSTALLDIR" apt-get -y --force-yes remove sysvinit
+ else
+ DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
+ chroot "$INSTALLDIR" apt-get -y --force-yes remove sysvinit
+ fi
 
 # Prevent sysvinit from being re-installed
 echo "--> Preventing sysvinit re-installation"
@@ -144,7 +149,7 @@ EOF
 # ------------------------------------------------------------------------------
 if [ "$DEBIANVERSION" == "wheezy" ]; then
 echo "--> Adding wheezy backports repository."
- source="deb http://http.debian.net/debian wheezy-backports main"
+ source="deb ${DEBIAN_MIRROR} wheezy-backports main"
 if ! grep -r -q "$source" "$INSTALLDIR/etc/apt/sources.list"*; then
 touch "$INSTALLDIR/etc/apt/sources.list"
 echo "$source" >> "$INSTALLDIR/etc/apt/sources.list"
From c1938374e2868a61823bc6cd3c1a2115569b1057 Mon Sep 17 00:00:00 2001
From: Jason Mehring
Date: Tue, 14 Oct 2014 14:29:14 -0400
Subject: [PATCH 03/83] Changed qubeize_image back to use set -e not set -x
---
qubeize_image | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/qubeize_image b/qubeize_image
index 9c4b049..6c5857c 100755
--- a/qubeize_image
+++ b/qubeize_image
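Review bot: The two branches of the new `if [ "$DEBIANVERSION" == "wheezy" ]` run an identical `apt-get -y --force-yes remove sysvinit` command and differ only in whether `'Yes, do as I say!'` is fed on stdin, so the command line is now duplicated and any later edit has to be made twice. Branching only on the answer, e.g. `answer=''; [ "$DEBIANVERSION" == "wheezy" ] && answer='Yes, do as I say!'` followed by a single `echo "$answer" | DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true chroot "$INSTALLDIR" apt-get -y --force-yes remove sysvinit`, removes the copy; whether apt on jessie is indifferent to the extra newline on stdin is something to confirm before making that change. The progress message `"--> Installing systemd for debian"` describes a removal of sysvinit, so `"--> Removing sysvinit for $DEBIANVERSION"` would match what the block does. Note also that `--force-yes` on the apt of this era also skips the package authentication check; for a removal that is harmless, but the same flag on the install lines elsewhere in this series is worth a second look.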
@@ -10,8 +10,7 @@ export LC_ALL=POSIX
 . ./builder_setup >/dev/null
 . ./umount.sh >/dev/null
 
-#set -e
-set -x
+set -e
 
 if [ $# -eq 0 ]; then
 echo "usage $0 "
From 574668f7d9c348c7019e43a1a50882ffa341827b Mon Sep 17 00:00:00 2001
From: Jason Mehring
Date: Tue, 14 Oct 2014 16:30:12 -0400
Subject: [PATCH 04/83] Fixed issue with umounting when path ended with double slashes// and changed code that set INSTALLDIR to create proper full path without any trailing slashes
---
prepare_image | 26 ++++++++------------------
qubeize_image | 6 +++++-
scripts_debian/00_prepare.sh | 6 +++---
scripts_debian/04_install_qubes.sh | 6 +++---
umount.sh | 4 ++++
5 files changed, 23 insertions(+), 25 deletions(-)
diff --git a/prepare_image b/prepare_image
index 7763464..edb3489 100755
--- a/prepare_image
+++ b/prepare_image
@@ -1,5 +1,4 @@
 #!/bin/bash
-#XXX: use bash #!/bin/sh
 # ------------------------------------------------------------------------------
 # Configurations
@@ -38,32 +37,23 @@ echo "-> Preparing instalation of $DIST template..."
 # ------------------------------------------------------------------------------
 # Mount image and install core OS
 # ------------------------------------------------------------------------------
+export INSTALLDIR="$(readlink -m mnt)"
+
 if [ -f "$IMG" ]; then
 echo "-> Image file already exists, assuming *update*..."
- mount -o loop "$IMG" mnt || exit 1
- export INSTALLDIR="`pwd`/mnt/"
- trap "umount_image ${INSTALLDIR::-1}" EXIT
-
- # XXX: Temp; just for debugging
- if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then
- "$SCRIPTSDIR/01_install_core.sh"
- fi
 else
 echo "-> Initializing empty image..."
 truncate -s 10G "$IMG" || exit 1
 echo "-> Creating filesystem..."
 mkfs.ext4 -q -F "$IMG" || exit 1
-
- mkdir -p mnt
- mount -o loop "$IMG" mnt || exit 1
-
- export INSTALLDIR="`pwd`/mnt/"
- trap "umount_image ${INSTALLDIR::-1}" EXIT
-
- "$SCRIPTSDIR/01_install_core.sh"
 fi
 
+mkdir -p "$INSTALLDIR"
+mount -o loop "$IMG" "$INSTALLDIR" || exit 1
+trap "umount_image $(readlink -m $INSTALLDIR)" EXIT
+"$SCRIPTSDIR/01_install_core.sh"
+
 # ------------------------------------------------------------------------------
 # Install package groups
 # ------------------------------------------------------------------------------
@@ -76,6 +66,6 @@ echo "-> Installing package groups..."
 trap - EXIT
 
 echo "-> Unmounting prepared_image..."
-umount_image "$INSTALLDIR" || :
+umount_image "$(readlink -m $INSTALLDIR)" || :
 
 exit $RETCODE
diff --git a/qubeize_image b/qubeize_image
index 6c5857c..08a1efa 100755
--- a/qubeize_image
+++ b/qubeize_image
@@ -10,7 +10,11 @@ export LC_ALL=POSIX
 . ./builder_setup >/dev/null
 . ./umount.sh >/dev/null
 
-set -e
+if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
+ set -x
+else
+ set -e
+fi
 
 if [ $# -eq 0 ]; then
 echo "usage $0 "
diff --git a/scripts_debian/00_prepare.sh b/scripts_debian/00_prepare.sh
index 4e895cf..c87ccff 100755
--- a/scripts_debian/00_prepare.sh
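Review bot: The new `trap "umount_image $(readlink -m $INSTALLDIR)" EXIT` bakes the path into the trap string at definition time, where it is re-parsed as shell when the trap fires, and the inner `$INSTALLDIR` is unquoted; a build directory containing whitespace or shell metacharacters would be word-split or interpreted there. INSTALLDIR is already the result of `readlink -m` two lines earlier, so the second readlink adds nothing; `trap 'umount_image "$INSTALLDIR"' EXIT` (single quotes, expanded at exit time) is both safer and shorter, and the same simplification applies to `umount_image "$(readlink -m $INSTALLDIR)" || :` in the next hunk. The update path previously skipped 01_install_core.sh when `$INSTALLDIR/tmp/.prepared_debootstrap` existed, whereas the new unconditional call runs it on an existing image too; if that is intended, a one-line comment noting that the script is expected to be safe to re-run would help the next reader.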
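Review bot: In the new debug branch of qubeize_image `set -e` is dropped entirely, so running with `VERBOSE` at 2 or above or `DEBUG=1` silently turns off abort-on-error for the rest of the script, making a debug run behave differently from a normal one; `set -x` and `set -e` are independent and should be combined rather than chosen between. The `[ "$VERBOSE" -ge 2 ]` test also fails with "integer expression expected" when VERBOSE is unset or empty. A safer form is an unconditional `set -e` followed by `if [ "${VERBOSE:-0}" -ge 2 -o "$DEBUG" == "1" ]; then set -x; fi`. The same block appears in prepare_image in the context of the next patch and would want the same treatment.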
+++ b/scripts_debian/00_prepare.sh
@@ -6,8 +6,8 @@
 # ------------------------------------------------------------------------------
 . ./umount.sh >/dev/null
 
-INSTALLDIR="`pwd`/mnt/"
-umount_image "${INSTALLDIR::-1}" || :
+INSTALLDIR="$(readlink -m mnt)"
+umount_image "$INSTALLDIR" || :
 
 # ------------------------------------------------------------------------------
 # Set debug display
@@ -39,7 +39,7 @@ if [ -f "$IMG" ]; then
 fi
 
 # Umount image; don't fail if its already umounted
- umount_image "${INSTALLDIR::-1}" || :
+ umount_image "$INSTALLDIR" || :
 fi
 
 # ------------------------------------------------------------------------------
diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh
index f29612f..2b84b97 100755
--- a/scripts_debian/04_install_qubes.sh
+++ b/scripts_debian/04_install_qubes.sh
@@ -131,20 +131,20 @@ EOF # -------------------------------------------------------------------------- # Update system; exit is not successful # -------------------------------------------------------------------------- - chroot "$INSTALLDIR" apt-get update || { umount "$INSTALLDIR/tmp/qubes_repo"; exit 1; } + chroot "$INSTALLDIR" apt-get update || { umount_image "$INSTALLDIR"; exit 1; } # -------------------------------------------------------------------------- # Install Qubes packages # -------------------------------------------------------------------------- DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ chroot "$INSTALLDIR" apt-get -y --force-yes install `cat $SCRIPTSDIR/packages_qubes.list` || \ - { umount "$INSTALLDIR/tmp/qubes_repo"; exit 1; } + { umount_image "$INSTALLDIR"; exit 1; } # -------------------------------------------------------------------------- # Remove Quebes repo from sources.list.d # -------------------------------------------------------------------------- rm -f "$INSTALLDIR"/etc/apt/sources.list.d/qubes*.list - umount "$INSTALLDIR/tmp/qubes_repo" + umount_image "$INSTALLDIR/tmp/qubes_repo" rm -f "$INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list" chroot "$INSTALLDIR" apt-get update || exit 1 diff --git a/umount.sh b/umount.sh index 9fc7df6..248456a 100755 --- a/umount.sh +++ b/umount.sh @@ -33,6 +33,10 @@ umount_image() { MOUNTDIR="${PWD}/${MOUNTDIR}" fi + # Strip any extra trailing slashes ('/') from path if they exist + # since we are doing an exact string match on the path + MOUNTDIR=$(echo "$MOUNTDIR" | sed s#//*#/#g) + echo "-> Attempting to kill any processes still running in '$MOUNTDIR' before un-mounting" for dir in $(sudo grep "$MOUNTDIR" /proc/mounts | cut -f2 -d" " | sort -r | grep "^$MOUNTDIR") do From c27d84cc80b6fabe7ab23364ac5f7c0eb944ed7c Mon Sep 17 00:00:00 2001 
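Review bot: The install line this hunk wraps, `chroot "$INSTALLDIR" apt-get -y --force-yes install ...`, turns off apt's signature verification and additionally overrides holds, downgrades and essential-package removal for the whole transaction, so a tampered or stale package in the mounted `qubes_repo` is installed without complaint. If the local repository is unsigned (it appears to be a locally built repo, but that is not visible here), the narrower `--allow-unauthenticated`, or a `[trusted=yes]` option on that single sources.list entry if this apt supports it, limits the exception to authentication only; if the repo is signed, `--force-yes` can simply go. The failure paths now tear down the whole image with `umount_image "$INSTALLDIR"` while the success path unmounts only `tmp/qubes_repo`; that asymmetry is defensible but deserves a one-line comment such as `# on failure unmount everything so the partial image is not reused`. The enclosing `if` block starts and ends outside this hunk.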
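Review bot: The added comment says the path is normalized "since we are doing an exact string match", but the two `grep` calls on the `for` line that follows still do a regex prefix match: `grep "^$MOUNTDIR"` selects `/build/mnt2` and `/build/mnt-old` alongside `/build/mnt`, and any `.`, `[` or `+` in the path is treated as regex, so with a sibling directory present this function kills processes and unmounts under a mount it was never asked about. The slash collapsing itself is fine, but the `sed` script `s#//*#/#g` is unquoted and should be `'s#//*#/#g'` to keep the shell from globbing it. A fixed-string comparison in `awk` preserves the documented semantics (a trailing `/` means children only) without regex; note that `/proc/mounts` octal-escapes whitespace (`\040`), so a path with spaces still will not match, and `sudo` is not needed to read that file. `umount_image()` starts above this hunk and continues below it.
```shell
# Strip any extra trailing slashes ('/') from path if they exist
# since we are doing an exact string match on the path
MOUNTDIR=$(echo "$MOUNTDIR" | sed 's#//*#/#g')

# Exact match only: the mount itself (unless a trailing '/' asked for
# children only) plus everything mounted beneath it. Fixed-string
# comparison, so a sibling such as "${base}2" is never touched.
base="${MOUNTDIR%/}"
self=1; [ "$MOUNTDIR" = "$base" ] || self=0
# … unchanged: echo "-> Attempting to kill any processes ..." …
for dir in $(awk -v b="$base" -v self="$self" \
        '($2 == b && self) || index($2, b "/") == 1 { print $2 }' /proc/mounts | sort -r)
do
```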
From: Jason Mehring Date: Tue, 14 Oct 2014 17:04:42 -0400 Subject: [PATCH 05/83] Renamed umount_image to umount_kill as to better shuit its purpose --- prepare_image | 6 +++--- qubeize_image | 4 ++-- scripts_debian/00_prepare.sh | 6 +++--- scripts_debian/02_install_groups.sh | 6 +++--- scripts_debian/04_install_qubes.sh | 10 +++++----- .../99_custom_configuration.sh | 2 +- .../99_custom_configuration.sh | 2 +- .../02_install_groups_packages_installed.sh | 4 ++-- umount.sh => umount_kill.sh | 12 ++++++------ 9 files changed, 26 insertions(+), 26 deletions(-) rename umount.sh => umount_kill.sh (89%) diff --git a/prepare_image b/prepare_image index edb3489..09f98b0 100755 --- a/prepare_image +++ b/prepare_image @@ -11,7 +11,7 @@ RETCODE=0 : ${DIST=fc14} . ./builder_setup >/dev/null -. ./umount.sh >/dev/null +. ./umount_kill.sh >/dev/null if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x @@ -51,7 +51,7 @@ fi mkdir -p "$INSTALLDIR" mount -o loop "$IMG" "$INSTALLDIR" || exit 1 -trap "umount_image $(readlink -m $INSTALLDIR)" EXIT +trap "umount_kill $(readlink -m $INSTALLDIR)" EXIT "$SCRIPTSDIR/01_install_core.sh" # ------------------------------------------------------------------------------ @@ -66,6 +66,6 @@ echo "-> Installing package groups..." trap - EXIT echo "-> Unmounting prepared_image..." -umount_image "$(readlink -m $INSTALLDIR)" || : +umount_kill "$(readlink -m $INSTALLDIR)" || : exit $RETCODE diff --git a/qubeize_image b/qubeize_image index 08a1efa..703392f 100755 --- a/qubeize_image +++ b/qubeize_image @@ -8,7 +8,7 @@ export NAME="$2" export LC_ALL=POSIX . ./builder_setup >/dev/null -. ./umount.sh >/dev/null +. ./umount_kill.sh >/dev/null if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x @@ -46,7 +46,7 @@ fi # Cleanup function # ------------------------------------------------------------------------------ function cleanup() { - umount_image "$PWD/mnt" || : + umount_kill "$PWD/mnt" || : } trap cleanup ERR 
diff --git a/scripts_debian/00_prepare.sh b/scripts_debian/00_prepare.sh index c87ccff..a811826 100755 --- a/scripts_debian/00_prepare.sh +++ b/scripts_debian/00_prepare.sh @@ -4,10 +4,10 @@ # ------------------------------------------------------------------------------ # Configurations # ------------------------------------------------------------------------------ -. ./umount.sh >/dev/null +. ./umount_kill.sh >/dev/null INSTALLDIR="$(readlink -m mnt)" -umount_image "$INSTALLDIR" || : +umount_kill "$INSTALLDIR" || : # ------------------------------------------------------------------------------ # Set debug display @@ -39,7 +39,7 @@ if [ -f "$IMG" ]; then fi # Umount image; don't fail if its already umounted - umount_image "$INSTALLDIR" || : + umount_kill "$INSTALLDIR" || : fi # ------------------------------------------------------------------------------ diff --git a/scripts_debian/02_install_groups.sh b/scripts_debian/02_install_groups.sh index 8d57154..80a6c9e 100755 --- a/scripts_debian/02_install_groups.sh +++ b/scripts_debian/02_install_groups.sh @@ -7,7 +7,7 @@ set -x . $SCRIPTSDIR/vars.sh -. ./umount.sh >/dev/null +. ./umount_kill.sh >/dev/null # ------------------------------------------------------------------------------ # If .prepared_debootstrap has not been completed, don't continue @@ -34,7 +34,7 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_groups" ]; then function error() { echo "--> Install groups error and umount" rm -f "$INSTALLDIR/usr/sbin/policy-rc.d" - umount_image "$INSTALLDIR" || : + umount_kill "$INSTALLDIR" || : exit 1 } trap error ERR @@ -172,7 +172,7 @@ EOF # Kill all processes and umount all mounts within $INSTALLDIR, # but not $INSTALLDIR itself (extra '/' prevents $INSTALLDIR from being # umounted itself) - umount_image "$INSTALLDIR/" || : + umount_kill "$INSTALLDIR/" || : fi # ------------------------------------------------------------------------------ 
diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh index 2b84b97..423a7d2 100755 --- a/scripts_debian/04_install_qubes.sh +++ b/scripts_debian/04_install_qubes.sh @@ -10,7 +10,7 @@ set -x # Source external scripts # ------------------------------------------------------------------------------ . $SCRIPTSDIR/vars.sh -. ./umount.sh >/dev/null +. ./umount_kill.sh >/dev/null # ------------------------------------------------------------------------------ # If .prepared_groups has not been completed, don't continue @@ -131,20 +131,20 @@ EOF # -------------------------------------------------------------------------- # Update system; exit is not successful # -------------------------------------------------------------------------- - chroot "$INSTALLDIR" apt-get update || { umount_image "$INSTALLDIR"; exit 1; } + chroot "$INSTALLDIR" apt-get update || { umount_kill "$INSTALLDIR"; exit 1; } # -------------------------------------------------------------------------- # Install Qubes packages # -------------------------------------------------------------------------- DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ chroot "$INSTALLDIR" apt-get -y --force-yes install `cat $SCRIPTSDIR/packages_qubes.list` || \ - { umount_image "$INSTALLDIR"; exit 1; } + { umount_kill "$INSTALLDIR"; exit 1; } # -------------------------------------------------------------------------- # Remove Quebes repo from sources.list.d # -------------------------------------------------------------------------- rm -f "$INSTALLDIR"/etc/apt/sources.list.d/qubes*.list - umount_image "$INSTALLDIR/tmp/qubes_repo" + umount_kill "$INSTALLDIR/tmp/qubes_repo" rm -f "$INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list" chroot "$INSTALLDIR" apt-get update || exit 1 
@@ -198,5 +198,5 @@ customStep "$0" "post" # Kill all processes and umount all mounts within $INSTALLDIR, but not # $INSTALLDIR itself (extra '/' prevents $INSTALLDIR from being umounted itself) # ------------------------------------------------------------------------------ -umount_image "$INSTALLDIR/" || : +umount_kill "$INSTALLDIR/" || : diff --git a/scripts_debian/custom_wheezy_whonix-gateway/99_custom_configuration.sh b/scripts_debian/custom_wheezy_whonix-gateway/99_custom_configuration.sh index 6474734..c359eea 100755 --- a/scripts_debian/custom_wheezy_whonix-gateway/99_custom_configuration.sh +++ b/scripts_debian/custom_wheezy_whonix-gateway/99_custom_configuration.sh @@ -5,7 +5,7 @@ # Configurations # ------------------------------------------------------------------------------ . $SCRIPTSDIR/vars.sh -. ./umount.sh >/dev/null +. ./umount_kill.sh >/dev/null if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x diff --git a/scripts_debian/custom_wheezy_whonix-workstation/99_custom_configuration.sh b/scripts_debian/custom_wheezy_whonix-workstation/99_custom_configuration.sh index 73ba84c..5dcba8e 100755 --- a/scripts_debian/custom_wheezy_whonix-workstation/99_custom_configuration.sh +++ b/scripts_debian/custom_wheezy_whonix-workstation/99_custom_configuration.sh @@ -5,7 +5,7 @@ # Configurations # ------------------------------------------------------------------------------ . $SCRIPTSDIR/vars.sh -. ./umount.sh >/dev/null +. ./umount_kill.sh >/dev/null if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh index 2223777..c437d67 100755 --- a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh 
@@ -5,7 +5,7 @@ # Configurations # ------------------------------------------------------------------------------ . $SCRIPTSDIR/vars.sh -. ./umount.sh >/dev/null +. ./umount_kill.sh >/dev/null if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x @@ -112,7 +112,7 @@ EOF # ------------------------------------------------------------------------------ function error() { echo "--> Whonix error; umounting $INSTALLDIR to prevent further writes" - umount_image "$INSTALLDIR" || : + umount_kill "$INSTALLDIR" || : exit 1 } trap error ERR diff --git a/umount.sh b/umount_kill.sh similarity index 89% rename from umount.sh rename to umount_kill.sh index 248456a..4d1644e 100755 --- a/umount.sh +++ b/umount_kill.sh @@ -15,17 +15,17 @@ # To kill all processes and mounts within 'chroot-jessie' but keep # 'chroot-jessie' mounted: # -# ./umount.sh chroot-jessie/ +# ./umount_kill.sh chroot-jessie/ # # To kill all processes and mounts within 'chroot-jessie' AND also # umount 'chroot-jessie' mount: # -# ./umount.sh chroot-jessie +# ./umount_kill.sh chroot-jessie # # $1 = full path to mount; # $2 = if set will not umount; only kill processes in mount -umount_image() { +umount_kill() { MOUNTDIR="$1" # We need absolute paths here so we don't kill everything @@ -56,9 +56,9 @@ umount_image() { } kill_processes_in_mount() { - umount_image $1 "false" || : + umount_kill $1 "false" || : } -if [ $(basename "$0") == "umount.sh" -a "$1" ]; then - umount_image "$1" +if [ $(basename "$0") == "umount_kill.sh" -a "$1" ]; then + umount_kill "$1" fi From 5aa39eee6f4580946fbdcd489362daddddda4449 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Tue, 14 Oct 2014 18:01:59 -0400 Subject: [PATCH 06/83] Moved old NOTES from qubes-builder to here --- scripts_debian/NOTES | 5 -- scripts_debian/NOTES.old | 106 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 106 insertions(+), 5 deletions(-) delete mode 100644 scripts_debian/NOTES create mode 100644 scripts_debian/NOTES.old 
diff --git a/scripts_debian/NOTES b/scripts_debian/NOTES deleted file mode 100644 index e67480d..0000000 --- a/scripts_debian/NOTES +++ /dev/null @@ -1,5 +0,0 @@ -NOTES -===== - -- move whonix install into step 01-pre! - that way we dont need to setup systemd 2 times! diff --git a/scripts_debian/NOTES.old b/scripts_debian/NOTES.old new file mode 100644 index 0000000..6e1021e --- /dev/null +++ b/scripts_debian/NOTES.old 
@@ -0,0 +1,106 @@ +===================================================================== +These are my original notes for steps to intergrate Whonix into Qubes +===================================================================== + +Read README.whonix qubes-builder package for build instructions + +None of the notes below apply at this point but I am saving them +until whonix intergration is complete since there still may be some +valid steps I will need to intergrate ubuntu as well + +===================================================================== +# Build depends +sudo yum install rpmdevtools rpm-build createrepo rpm-sign + +# Additional for debian template +sudo yum install debootstrap dpkg-dev + +# Build +# https://qubes-os.org/wiki/BuildingArchlinuxTemplate +# --------------------------------------------------- +clean all +clean all rpms +sudo umount chroot-wheezy/proc +sudo rm -r chroot-wheezy +cd qubes-src/linus-template-builder +sudo umount mnt +sudo rm prepared_images/... + +make get-sources + +make vmm-xen-vm +make core-vchan-xen-vm +make linux-utils-vm +make core-agent-linux-vm +make gui-common-vm +make gui-agent-linux-vm + +make linux-template-builder + + +# builder.conf +# ------------ +GIT_SUBDIR=marmarek +COMPONENTS:=$(filter-out desktop-linux-kde desktop-linux-xfce,$(COMPONENTS)) +DISTS_VM=wheezy +NO_SIGN="1" +DEBUG="1" +VERBOSE=2 + + +# Changed (XXX: Marks the spot!) +# ------------------------------ +# Makefile.debian +# - wheezy repo dir does not get created... 
+# prepare-chroot-debian +# - chroot /dev/null should be 0666 + + +# Wheezy needs a keyring +# ---------------------- +# Create in keys_debian +# Get from https://ftp-master.debian.org/keys.html +gpg --no-default-keyring --keyring=wheezy-debian-archive-keyring.gpg --import wheezy-archive-key-7.0.asc +# move from /user/home/.gnupgp to keys_debian + + +# Wheezy Hacks +# ------------ +# Need 2.0 pulse audio drivers +# *add to source list* +cd qubes-src +git clone --branch v2.0 git://anongit.freedesktop.org/pulseaudio/pulseaudio +cp -prf pulseaudio/src/pulsecore gui-agent-linux/pulse/pulsecore-2.0 +cd .. + +# Add to... +# module-vchan-sink-symdef.h + +#elif PA_CHECK_VERSION(2,0,0) +bool pa__load_once(void); + +# Add to.. +# Makefile + + +# Build errors - template +# ----------------------- +make[1]: *** [update-repo] Error 32 +make: *** [linux-template-builder] Error 1 +mount: mount(2) failed: No such file or directory + +- remove all mounts and try again. Some mounts may need to be tried multiple times + +$ sudo umount chroot-wheezy/proc/ +$ sudo umount chroot-wheezy/proc/ +umount: chroot-wheezy/proc/: not mounted + +$ sudo umount chroot-wheezy/tmp/qubes-apt-repo/ +$ sudo umount chroot-wheezy/tmp/qubes-apt-repo/ +umount: chroot-wheezy/tmp/qubes-apt-repo/: not mounted + +$ sudo umount chroot-wheezy/tmp/qubes-deb/ +$ sudo umount chroot-wheezy/tmp/qubes-deb/ +$ sudo umount chroot-wheezy/tmp/qubes-deb/ +umount: chroot-wheezy/tmp/qubes-deb/: not mounted + From f5d9341e6ad777ed3a9c91963e076ad4b9b84aa0 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Tue, 14 Oct 2014 18:26:01 -0400 Subject: [PATCH 07/83] Moved Whonix submodules init and patches from qubes-builder here to keep everything in one place --- .../02_install_groups_packages_installed.sh | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) 
diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh index c437d67..21c3f98 100755 --- a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh @@ -124,6 +124,34 @@ trap error EXIT if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then echo "-> Installing whonix system" + # -------------------------------------------------------------------------- + # Initialize Whonix submodules + # -------------------------------------------------------------------------- + pushd "$WHONIX_DIR" + { + git submodule update --init --recursive; + } + popd + + # -------------------------------------------------------------------------- + # Patch Whonix submodules + # -------------------------------------------------------------------------- + + # Patch anon-meta-packages to not depend on grub-pc + # XXX: Seems like the error disappears, but then whonix updates to original code? + pushd "$WHONIX_DIR/packages/anon-meta-packages/debian" + { + sed -i 's/ grub-pc,//g' control; + #git commit -am 'removed grub-pc depend'; + } + popd + + pushd "$WHONIX_DIR/build-steps.d" + { + sed -i 's/ check_for_uncommited_changes/ #check_for_uncommited_changes/g' 1200_create-debian-packages; + } + popd + # -------------------------------------------------------------------------- # Whonix system config dependancies # -------------------------------------------------------------------------- From ddbb97a2a3898ca680d3b9f2ed69e35de57dcc0a Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Wed, 15 Oct 2014 02:57:19 -0400 Subject: [PATCH 08/83] Added additional configurations to allow Whonix to boot with tor enabled --- .../etc/udev/rules.d/99-qubes-whonix.rules | 2 +- .../02_install_groups_packages_installed.sh | 15 +++++++++++---- 2 files changed, 12 insertions(+), 5 deletions(-) 
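Review bot: Commenting out `check_for_uncommited_changes` in Whonix's `1200_create-debian-packages` removes the guard that stops Whonix's build from packaging a source tree that differs from its committed state, and the reason it trips here is the `sed -i` on `anon-meta-packages/debian/control` a few lines above — so the hunk disables the check that would have flagged its own modification. If that is intended, say so where the check is removed, e.g. `# Whonix refuses to build from a dirty tree; the control edit above is deliberate, so skip the check`, and prefer a patch file kept in this repository over an in-place `sed`, which is both unreviewable after the fact and, as the `XXX` note already suspects, undone when the submodule is updated. Neither `pushd` checks its result; `pushd "$WHONIX_DIR/build-steps.d" || exit 1` makes a missing or renamed directory an explicit failure instead of relying on the `ERR` trap installed earlier in the script. `git submodule update --init --recursive` checks out whatever commit the superproject pins without any signature verification, which is acceptable only if the Whonix checkout it lives in was verified beforehand — worth a comment. The enclosing `if ! [ -f .prepared_whonix ]` block continues past this hunk.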
diff --git a/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules b/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules index fe68663..679a178 100644 --- a/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules +++ b/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules @@ -1,2 +1,2 @@ - SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip" +SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="online", RUN+="/usr/lib/whonix/setup-ip" diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh index 21c3f98..c7eb388 100755 --- a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh @@ -64,10 +64,12 @@ sudo rm -f resolv.conf sudo ln -s resolv.conf.backup resolv.conf popd -sudo update-rc.d network-manager disable -sudo update-rc.d spice-vdagent disable -sudo update-rc.d swap-file-creator disable -sudo update-rc.d whonix-initializer disable +# Enable Tor +sudo sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' /etc/tor/torrc + +# Fake that whonixsetup was already run +sudo mkdir -p /var/lib/whonix/do_once +sudo touch /var/lib/whonix/do_once/whonixsetup.done # Fake that initializer was already run sudo mkdir -p /root/.whonix 
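Review bot: Uncommenting `DisableNetwork 0` in `/etc/tor/torrc` and creating `/var/lib/whonix/do_once/whonixsetup.done` at build time means every VM built from this template connects to Tor on first boot without the user ever running the setup step the marker pretends was completed; that is a deliberate policy change for users who may need to configure bridges or choose when to connect, and it should be stated as such in the comment rather than only as "Fake that whonixsetup was already run". The `sed` is also blind: if the torrc does not contain the exact `#DisableNetwork 0` line it changes nothing and Tor stays disabled, so check the result, e.g. `grep -q '^DisableNetwork 0' /etc/tor/torrc || echo 'torrc: DisableNetwork not enabled' >&2`. This script appears to be shared between the gateway and workstation flavors (the flavor directories symlink into `custom_wheezy_whonix/`), and if the workstation does not ship `/etc/tor/torrc` the `sed -i` fails there; since this heredoc runs without `set -e` the failure is ignored, but it should be conditional on the file existing. The heredoc this code lives in starts and ends outside the hunk.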
@@ -79,6 +81,11 @@ sudo su -c 'echo WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER=\"1\" >> /etc/wh # Ensure umask set in /etc/login.defs is used (022) sudo su -c 'echo "session optional pam_umask.so" >> /etc/pam.d/common-session' +sudo update-rc.d network-manager disable +sudo update-rc.d spice-vdagent disable +sudo update-rc.d swap-file-creator disable +sudo update-rc.d whonix-initializer disable + sudo touch "/tmp/.prepared_whonix" EOF From 0b473a63331b5eab4501d9dd30c7dbe1752af219 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Wed, 15 Oct 2014 03:00:19 -0400 Subject: [PATCH 09/83] remove stray shebang --- .../custom_wheezy_whonix/02_install_groups_packages_installed.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh index c7eb388..cef0da1 100755 --- a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh @@ -15,7 +15,6 @@ fi # chroot Whonix build script (Make sure set -e is not set) # ------------------------------------------------------------------------------ read -r -d '' WHONIX_BUILD_SCRIPT <<'EOF' -#!/bin/bash ################################################################################ # Pre Fixups From 532e31312bb9239d8e53f2820dd5a03fd9f4aba1 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Wed, 15 Oct 2014 07:16:09 -0400 Subject: [PATCH 10/83] fixed some permission issues created when init whonix submodules --- .../02_install_groups_packages_installed.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh index cef0da1..7254b05 100755 --- a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh 
+++ b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh @@ -154,7 +154,7 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then pushd "$WHONIX_DIR/build-steps.d" { - sed -i 's/ check_for_uncommited_changes/ #check_for_uncommited_changes/g' 1200_create-debian-packages; + sed -i 's/ check_for_uncommited_changes/ #check_for_uncommited_changes/g' 1200_create-debian-packages; } popd From fb1a2dbf92d4d9196380837f592c99222e087f98 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Wed, 15 Oct 2014 09:01:41 -0400 Subject: [PATCH 11/83] make sure we do not initialize Whonix submodules as root --- .../02_install_groups_packages_installed.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh index 7254b05..e5ab664 100755 --- a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh @@ -135,7 +135,7 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then # -------------------------------------------------------------------------- pushd "$WHONIX_DIR" { - git submodule update --init --recursive; + su $USER -c "git submodule update --init --recursive" } popd From 1334b8ae50d30018caa44bdbe8ba4ee654e15c24 Mon Sep 17 00:00:00 2001 
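Review bot: `su $USER -c "git submodule update --init --recursive"` probably does not do what the subject says: when the build is launched under `sudo`, `USER` is rewritten to `root` by sudo itself, so the submodule checkout still runs as root and the files are still root-owned; the invoking account is in `SUDO_USER`, i.e. `su "${SUDO_USER:-$USER}" -c "git submodule update --init --recursive"`. How the script is invoked is not visible here, so confirm against the builder's entry point before changing it. `$USER` should be quoted in any case, and the reason for dropping privileges (root-owned files in the checkout, judging by the previous commit's subject) belongs in a comment above the line. The enclosing `if ! [ -f .prepared_whonix ]` block begins and ends outside the hunk.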
From: Jason Mehring Date: Thu, 16 Oct 2014 12:03:05 -0400 Subject: [PATCH 12/83] Added colorized messages and changed scripts to use them Added a few more whonix replacement tweaks Updated umount_kill.sh to be able to umount directories that have been deleted Added a DEBUG feature to save / use already created debootstrap image to save time debugging --- functions.sh | 183 ++++++++++++++++++ prepare_image | 2 +- scripts_debian/00_prepare.sh | 12 +- scripts_debian/01_install_core.sh | 13 +- scripts_debian/02_install_groups.sh | 41 ++-- scripts_debian/04_install_qubes.sh | 26 +-- scripts_debian/09_cleanup.sh | 11 +- .../00_prepare_pre.sh | 1 + .../01_install_core_post.sh | 1 + .../99_custom_configuration.sh | 10 +- .../00_prepare_pre.sh | 1 + .../01_install_core_post.sh | 1 + .../custom_wheezy_whonix/00_prepare_pre.sh | 54 ++++++ .../01_install_core_post.sh | 38 ++++ .../02_install_groups_packages_installed.sh | 75 +++++-- .../04_install_qubes_post.sh | 8 +- scripts_debian/vars.sh | 101 +--------- umount_kill.sh | 18 +- 18 files changed, 435 insertions(+), 161 deletions(-) create mode 100755 functions.sh create mode 120000 scripts_debian/custom_wheezy_whonix-gateway/00_prepare_pre.sh create mode 120000 scripts_debian/custom_wheezy_whonix-gateway/01_install_core_post.sh create mode 120000 scripts_debian/custom_wheezy_whonix-workstation/00_prepare_pre.sh create mode 120000 scripts_debian/custom_wheezy_whonix-workstation/01_install_core_post.sh create mode 100755 scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh create mode 100755 scripts_debian/custom_wheezy_whonix/01_install_core_post.sh diff --git a/functions.sh b/functions.sh new file mode 100755 index 0000000..0f93b7c --- /dev/null +++ b/functions.sh 
@@ -0,0 +1,183 @@ +################################################################################ +# Global functions +################################################################################ + +# ------------------------------------------------------------------------------ +# Define colors +# ------------------------------------------------------------------------------ +colors() { + ## Thanks to: + ## http://mywiki.wooledge.org/BashFAQ/037 + ## Variables for terminal requests. + [[ -t 2 ]] && { + export alt=$( tput smcup || tput ti ) # Start alt display + export ealt=$( tput rmcup || tput te ) # End alt display + export hide=$( tput civis || tput vi ) # Hide cursor + export show=$( tput cnorm || tput ve ) # Show cursor + export save=$( tput sc ) # Save cursor + export load=$( tput rc ) # Load cursor + export bold=$( tput bold || tput md ) # Start bold + export stout=$( tput smso || tput so ) # Start stand-out + export estout=$( tput rmso || tput se ) # End stand-out + export under=$( tput smul || tput us ) # Start underline + export eunder=$( tput rmul || tput ue ) # End underline + export reset=$( tput sgr0 || tput me ) # Reset cursor + export blink=$( tput blink || tput mb ) # Start blinking + export italic=$( tput sitm || tput ZH ) # Start italic + export eitalic=$( tput ritm || tput ZR ) # End italic + [[ $TERM != *-m ]] && { + export red=$( tput setaf 1|| tput AF 1 ) + export green=$( tput setaf 2|| tput AF 2 ) + export yellow=$( tput setaf 3|| tput AF 3 ) + export blue=$( tput setaf 4|| tput AF 4 ) + export magenta=$( tput setaf 5|| tput AF 5 ) + export cyan=$( tput setaf 6|| tput AF 6 ) + } + export white=$( tput setaf 7|| tput AF 7 ) + export default=$( tput op ) + export eed=$( tput ed || tput cd ) # Erase to end of display + export eel=$( tput el || tput ce ) # Erase to end of line + export ebl=$( tput el1 || tput cb ) # Erase to beginning of line + export ewl=$eel$ebl # Erase whole line + export draw=$( tput -S <<< ' enacs + smacs + acsc + 
rmacs' || { \ + tput eA; tput as; + tput ac; tput ae; } ) # Drawing characters + export back=$'\b' + } 2>/dev/null ||: + + export build_already_defined_colors="true" +} + +if [ ! "$build_already_defined_colors" = "true" ]; then + colors +fi + + +# ------------------------------------------------------------------------------ +# Display messages in color +# ------------------------------------------------------------------------------ +info() { + echo "${bold}${cyan}INFO: ${1}${reset}" +} + +debug() { + echo "${bold}${green}DEBUG: ${1}${reset}" +} + +warn() { + echo "${stout}${yellow}WARNING: ${1}${reset}" +} + +error() { + echo "${bold}${red}ERROR: ${1}${reset}" +} + + +# ------------------------------------------------------------------------------ +# Takes an array and exports it a global variable +# +# $1: Array to export +# $2: Global variable name to use for export +# +# http://ihaveabackup.net/2012/01/29/a-workaround-for-passing-arrays-in-bash/ +# +# ------------------------------------------------------------------------------ +setArrayAsGlobal() { + local array="$1" + local export_as="$2" + local code=$(declare -p "$array") + local replaced="${code/$array/$export_as}" + eval ${replaced/declare -/declare -g} +} + + +# ------------------------------------------------------------------------------ +# Spilts the path and returns an array of parts +# +# $1: Full path of file to split +# $2: Global variable name to use for export +# Returns: +# ([full]='original name' [dir]='directory' [base]='filename' [ext]='extension') +# +# Original concept path split from: +# https://stackoverflow.com/questions/965053/extract-filename-and-extension-in-bash +# +# ------------------------------------------------------------------------------ +splitPath() { + + local return_global_var=$2 + local filename="${1##*/}" # Strip longest match of */ from start + local dir="${1:0:${#1} - ${#filename}}" # Substring from 0 thru pos of filename + local base="${filename%.[^.]*}" # Strip 
shortest match of . plus at least one non-dot char from end + local ext="${filename:${#base} + 1}" # Substring from len of base thru end + if [ "$ext" ]; then + local dotext=".$ext" + else + local dotext="" + fi + if [[ -z "$base" && -n "$ext" ]]; then # If we have an extension and no base, it's really the base + base=".$ext" + ext="" + dotext="" + fi + + declare -A PARTS=([full]="$1" [dir]="$dir" [base]="$base" [ext]="$ext" [dotext]="$dotext") + setArrayAsGlobal PARTS $return_global_var +} + + +# ------------------------------------------------------------------------------ +# Executes any additional optional configuration steps if the configuration +# scripts exist +# ------------------------------------------------------------------------------ +customStep() { + info "Checking for any custom $2 configuration scripts for $1..." + splitPath "$1" path_parts + + if [ "$2" ]; then + script_name="${path_parts[base]}_$2${path_parts[dotext]}" + else + script_name="${path_parts[base]}${path_parts[dotext]}" + fi + + if [ -n "${TEMPLATE_FLAVOR}" ]; then + script="$SCRIPTSDIR/custom_${DIST}_${TEMPLATE_FLAVOR}/${script_name}" + else + script="$SCRIPTSDIR/custom_${DIST}/${script_name}" + fi + + if [ -f "$script" ]; then + echo "${bold}${under}INFO: Currently running script: ${script}${reset}" + "$script" + fi +} + + +# ------------------------------------------------------------------------------ +# Copy extra file tree to $INSTALLDIR +# ------------------------------------------------------------------------------ +copy_dirs() { + DIR="$1" + info "Entering Copy extra file tree to $INSTALLDIR..." + if [ -n "${TEMPLATE_FLAVOR}" ]; then + CUSTOMDIR="$SCRIPTSDIR/custom_${DIST}_${TEMPLATE_FLAVOR}/${DIR}" + else + CUSTOMDIR="$SCRIPTSDIR/custom_${DIST}/${DIR}" + fi + + if [ -d "$CUSTOMDIR" ]; then + debug "Copying $CUSTOMDIR/* $INSTALLDIR..." 
+ cp -rp "$CUSTOMDIR/"* "$INSTALLDIR" + elif [ -d "$SCRIPTSDIR/${DIR}" ]; then + debug "Copying $SCRIPTSDIR/${DIR}/* $INSTALLDIR" + cp -rp "$SCRIPTSDIR/${DIR}/"* "$INSTALLDIR" + else + debug "No extra files to copy" + fi +} + +# $0 is module that sourced vars.sh +echo "${bold}${under}INFO: Currently running script: ${0}${reset}" diff --git a/prepare_image b/prepare_image index 09f98b0..bd4a4fa 100755 --- a/prepare_image +++ b/prepare_image @@ -38,6 +38,7 @@ echo "-> Preparing instalation of $DIST template..." # Mount image and install core OS # ------------------------------------------------------------------------------ export INSTALLDIR="$(readlink -m mnt)" +mkdir -p "$INSTALLDIR" if [ -f "$IMG" ]; then echo "-> Image file already exists, assuming *update*..." @@ -49,7 +50,6 @@ else mkfs.ext4 -q -F "$IMG" || exit 1 fi -mkdir -p "$INSTALLDIR" mount -o loop "$IMG" "$INSTALLDIR" || exit 1 trap "umount_kill $(readlink -m $INSTALLDIR)" EXIT "$SCRIPTSDIR/01_install_core.sh" diff --git a/scripts_debian/00_prepare.sh b/scripts_debian/00_prepare.sh index a811826..c35aa05 100755 --- a/scripts_debian/00_prepare.sh +++ b/scripts_debian/00_prepare.sh @@ -2,16 +2,17 @@ # vim: set ts=4 sw=4 sts=4 et : # ------------------------------------------------------------------------------ -# Configurations +# Source external scripts # ------------------------------------------------------------------------------ +. $SCRIPTSDIR/vars.sh . ./umount_kill.sh >/dev/null +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ INSTALLDIR="$(readlink -m mnt)" umount_kill "$INSTALLDIR" || : -# ------------------------------------------------------------------------------ -# Set debug display -# ------------------------------------------------------------------------------ if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x else 
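Review bot: `copy_dirs` runs `cp -rp` as root (this tooling mounts and chroots, so it must be) and `-p` preserves ownership, so files from the build checkout land in the template root filesystem owned by whatever uid owns the checkout; if that is an unprivileged user rather than root — the later "do not initialize submodules as root" commit suggests it is — anything copied this way, including files under `etc/`, is writable by that uid inside the VM, where the first user account is typically uid 1000. Use `cp -r --preserve=mode,timestamps` (or `cp -rp --no-preserve=ownership`) so the files are root-owned, and set specific ownership explicitly where it is wanted. The `"$CUSTOMDIR/"*` glob also skips dotfiles at the top of the extra tree and turns an empty directory into a `cp: cannot stat '*'` failure; `"$CUSTOMDIR/."` copies the tree as is. `setArrayAsGlobal` feeds `declare -p` output through `eval`, which is safe only because both names are literal identifiers in the visible callers; a comment saying `# $1/$2 must be literal identifiers, never user input (eval)` would keep a future caller honest. `warn` and `error` write diagnostics to stdout; `>&2` keeps them out of captured output.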
@@ -26,12 +27,13 @@ customStep "$0" "pre" # ------------------------------------------------------------------------------ # Force overwrite of an existing image for now if debootstrap did not seem to complete... # ------------------------------------------------------------------------------ +debug "Determine if $IMG should be reused or deleted..." if [ -f "$IMG" ]; then mount -o loop "$IMG" "$INSTALLDIR" || exit 1 # Assume a failed debootstrap installation if .prepare_debootstrap does not exist if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then - echo "-> Failed Image file $IMG already exists, deleting..." + warn "Failed Image file $IMG already exists, deleting..." rm -f "$IMG" # Allow qubes to be updated elif [ -f "$INSTALLDIR/tmp/.prepared_qubes" ]; then diff --git a/scripts_debian/01_install_core.sh b/scripts_debian/01_install_core.sh index 65f29b6..177da2b 100755 --- a/scripts_debian/01_install_core.sh +++ b/scripts_debian/01_install_core.sh @@ -2,13 +2,17 @@ # vim: set ts=4 sw=4 sts=4 et : # ------------------------------------------------------------------------------ -# Configurations +# Source external scripts # ------------------------------------------------------------------------------ . $SCRIPTSDIR/vars.sh -set -e +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x +else + set -e fi # ------------------------------------------------------------------------------ 
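Review bot: Moving `set -e` into the `else` branch of the `VERBOSE`/`DEBUG` test makes fail-fast and tracing mutually exclusive, where the removed line had `set -e` unconditionally; a debug run of `01_install_core.sh` now continues past a failed command, and the steps below this hunk (`chroot ... chmod 0666 /dev/null`, `touch .prepared_debootstrap`) carry no explicit checks, so the completion marker could be written for a broken tree. Keep `set -e` outside the condition and leave only `set -x` inside it; `${VERBOSE:-0}` also silences the `integer expression expected` error from `[ "$VERBOSE" -ge 2 ]` when the variable is unset.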
@@ -20,10 +24,10 @@ customStep "$0" "pre" # Install base debian system # ------------------------------------------------------------------------------ if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then - echo "-> Installing base ${DEBIANVERSION} system" + debug "Installing base ${DEBIANVERSION} system" COMPONENTS="" debootstrap --arch=amd64 --include=ncurses-term \ --components=main --keyring="${SCRIPTSDIR}/keys/debian-${DEBIANVERSION}-archive-keyring.gpg" \ - "$DEBIANVERSION" "$INSTALLDIR" "$DEBIAN_MIRROR" || { echo "Debootstrap failed!"; exit 1; } + "$DEBIANVERSION" "$INSTALLDIR" "$DEBIAN_MIRROR" || { error "Debootstrap failed!"; exit 1; } chroot "$INSTALLDIR" chmod 0666 "/dev/null" touch "$INSTALLDIR/tmp/.prepared_debootstrap" fi @@ -32,4 +36,3 @@ fi # Execute any custom post configuration scripts # ------------------------------------------------------------------------------ customStep "$0" "post" - diff --git a/scripts_debian/02_install_groups.sh b/scripts_debian/02_install_groups.sh index 80a6c9e..1fa0c3e 100755 --- a/scripts_debian/02_install_groups.sh +++ b/scripts_debian/02_install_groups.sh 
@@ -2,18 +2,26 @@ # vim: set ts=4 sw=4 sts=4 et : # ------------------------------------------------------------------------------ -# Configurations +# Source external scripts # ------------------------------------------------------------------------------ -set -x - . $SCRIPTSDIR/vars.sh . ./umount_kill.sh >/dev/null +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ +if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then + set -x +else + set -e +fi + # ------------------------------------------------------------------------------ # If .prepared_debootstrap has not been completed, don't continue # ------------------------------------------------------------------------------ if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then - echo "--> prepared_debootstrap installataion has not completed!... Exiting" + error "prepared_debootstrap installataion has not completed!... Exiting" + umount_kill "$INSTALLDIR" || : exit 1 fi @@ -31,14 +39,14 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_groups" ]; then # ------------------------------------------------------------------------------ # Cleanup function # ------------------------------------------------------------------------------ - function error() { - echo "--> Install groups error and umount" + function cleanup() { + error "Install groups error and umount" rm -f "$INSTALLDIR/usr/sbin/policy-rc.d" umount_kill "$INSTALLDIR" || : exit 1 } - trap error ERR - trap error EXIT + trap cleanup ERR + trap cleanup EXIT # ------------------------------------------------------------------------------ # Set up a temporary policy-rc.d to prevent apt from starting services 
@@ -53,7 +61,7 @@ EOF # ------------------------------------------------------------------------------ # Add debian security repository # ------------------------------------------------------------------------------ - echo "--> Adding debian-security repository." + debug "Adding debian-security repository." source="deb http://security.debian.org ${DEBIANVERSION}/updates main" if ! grep -r -q "$source" "$INSTALLDIR/etc/apt/sources.list"*; then touch "$INSTALLDIR/etc/apt/sources.list" @@ -68,7 +76,7 @@ EOF # ------------------------------------------------------------------------------ # Upgrade system # ------------------------------------------------------------------------------ - echo "--> Upgrading system" + debug "Upgrading system" chroot "$INSTALLDIR" apt-get update DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ chroot "$INSTALLDIR" apt-get -y --force-yes dist-upgrade @@ -76,7 +84,7 @@ EOF # ------------------------------------------------------------------------------ # Configure keyboard # ------------------------------------------------------------------------------ - echo "--> Setting keyboard layout" + debug "Setting keyboard layout" chroot "$INSTALLDIR" debconf-set-selections < Installing extra packages" + debug "Installing extra packages" DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ xargs chroot $INSTALLDIR apt-get -y --force-yes install < "$PKGLISTFILE" @@ -120,7 +129,7 @@ EOF # For jessie and newer, sysvinit is provided by sysvinit-core which # is not an essential package. # ------------------------------------------------------------------------------ - echo "--> Installing systemd for debian ($DEBIANVERSION)" + debug "Installing systemd for debian ($DEBIANVERSION)" if [ "$DEBIANVERSION" == "wheezy" ]; then echo 'Yes, do as I say!' | DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ chroot "$INSTALLDIR" apt-get -y --force-yes remove sysvinit 
@@ -130,7 +139,7 @@ EOF fi # Prevent sysvinit from being re-installed - echo "--> Preventing sysvinit re-installation" + debug "Preventing sysvinit re-installation" chroot "$INSTALLDIR" apt-mark hold sysvinit chroot "$INSTALLDIR" apt-get update @@ -148,7 +157,7 @@ EOF # Qubes is now being built with some SID packages; grab backport for wheezy # ------------------------------------------------------------------------------ if [ "$DEBIANVERSION" == "wheezy" ]; then - echo "--> Adding wheezy backports repository." + debug "Adding wheezy backports repository." source="deb ${DEBIAN_MIRROR} wheezy-backports main" if ! grep -r -q "$source" "$INSTALLDIR/etc/apt/sources.list"*; then touch "$INSTALLDIR/etc/apt/sources.list" diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh index 423a7d2..88a7612 100755 --- a/scripts_debian/04_install_qubes.sh +++ b/scripts_debian/04_install_qubes.sh 
@@ -1,22 +1,26 @@ #!/bin/sh # vim: set ts=4 sw=4 sts=4 et : -# ------------------------------------------------------------------------------ -# Configurations -# ------------------------------------------------------------------------------ -set -x - # ------------------------------------------------------------------------------ # Source external scripts # ------------------------------------------------------------------------------ . $SCRIPTSDIR/vars.sh . ./umount_kill.sh >/dev/null +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ +if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then + set -x +else + set -e +fi + # ------------------------------------------------------------------------------ # If .prepared_groups has not been completed, don't continue # ------------------------------------------------------------------------------ if ! [ -f "$INSTALLDIR/tmp/.prepared_groups" ]; then - echo "--> prepared_groups installataion has not completed!... Exiting" + error "prepared_groups installataion has not completed!... Exiting" exit 1 fi @@ -34,7 +38,7 @@ customStep "$0" "pre" # Install Qubes Packages # ------------------------------------------------------------------------------ if ! [ -f "$INSTALLDIR/tmp/.prepared_qubes" ]; then - echo "--> Installing qbues modules" + debug "Installing qbues modules" # -------------------------------------------------------------------------- # Set up a temporary policy-rc.d to prevent apt from starting services @@ -49,7 +53,7 @@ EOF # -------------------------------------------------------------------------- # Generate locales # -------------------------------------------------------------------------- - echo "--> Generate locales" + debug "Generate locales" echo "en_US.UTF-8 UTF-8" >> "$INSTALLDIR/etc/locale.gen" chroot "$INSTALLDIR" locale-gen chroot "$INSTALLDIR" update-locale LANG=en_US.UTF-8 
@@ -57,7 +61,7 @@ EOF # -------------------------------------------------------------------------- # Update /etc/fstab # -------------------------------------------------------------------------- - echo "--> Updating template fstab file..." + debug "Updating template fstab file..." cat >> "$INSTALLDIR/etc/fstab" < Installing qubes packages" + debug "Installing qubes packages" export CUSTOMREPO="$PWD/yum_repo_qubes/$DIST" # -------------------------------------------------------------------------- @@ -183,7 +187,7 @@ EOF # Copy over any extra files that may be needed that are located in # $SCRIPT_DIR/extra-qubes-files # -------------------------------------------------------------------------- - echo "-> Copy extra files..." + debug "Copy extra files..." copy_dirs "extra-qubes-files" touch "$INSTALLDIR/tmp/.prepared_qubes" diff --git a/scripts_debian/09_cleanup.sh b/scripts_debian/09_cleanup.sh index 5411a9c..d2b6f2b 100755 --- a/scripts_debian/09_cleanup.sh +++ b/scripts_debian/09_cleanup.sh @@ -2,10 +2,19 @@ # vim: set ts=4 sw=4 sts=4 et : # ------------------------------------------------------------------------------ -# Configurations +# Source external scripts # ------------------------------------------------------------------------------ . $SCRIPTSDIR/vars.sh +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ +if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then + set -x +else + set -e +fi + # ------------------------------------------------------------------------------ # Execute any custom pre configuration scripts # ------------------------------------------------------------------------------ diff --git a/scripts_debian/custom_wheezy_whonix-gateway/00_prepare_pre.sh b/scripts_debian/custom_wheezy_whonix-gateway/00_prepare_pre.sh new file mode 120000 index 0000000..9ad8e72 --- /dev/null 
+++ b/scripts_debian/custom_wheezy_whonix-gateway/00_prepare_pre.sh @@ -0,0 +1 @@ +../custom_wheezy_whonix/00_prepare_pre.sh \ No newline at end of file diff --git a/scripts_debian/custom_wheezy_whonix-gateway/01_install_core_post.sh b/scripts_debian/custom_wheezy_whonix-gateway/01_install_core_post.sh new file mode 120000 index 0000000..ba75217 --- /dev/null +++ b/scripts_debian/custom_wheezy_whonix-gateway/01_install_core_post.sh @@ -0,0 +1 @@ +../custom_wheezy_whonix/01_install_core_post.sh \ No newline at end of file diff --git a/scripts_debian/custom_wheezy_whonix-gateway/99_custom_configuration.sh b/scripts_debian/custom_wheezy_whonix-gateway/99_custom_configuration.sh index c359eea..048dc79 100755 --- a/scripts_debian/custom_wheezy_whonix-gateway/99_custom_configuration.sh +++ b/scripts_debian/custom_wheezy_whonix-gateway/99_custom_configuration.sh @@ -2,15 +2,23 @@ # vim: set ts=4 sw=4 sts=4 et : # ------------------------------------------------------------------------------ -# Configurations +# Source external scripts # ------------------------------------------------------------------------------ . $SCRIPTSDIR/vars.sh . ./umount_kill.sh >/dev/null +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x +else + set -e fi +# ------------------------------------------------------------------------------ +# +# ------------------------------------------------------------------------------ if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" ]; then # -------------------------------------------------------------------------- # Install Custom Configurations 
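Review bot: The banner added in 99_custom_configuration.sh just before the `.prepared_whonix` check has an empty title line (`# ---`, `#`, `# ---`), so it documents nothing. Give it the purpose of the block it introduces, taken from the sub-heading that follows, e.g. `# Install custom configurations once Whonix is prepared (runs only once)`.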
diff --git a/scripts_debian/custom_wheezy_whonix-workstation/00_prepare_pre.sh b/scripts_debian/custom_wheezy_whonix-workstation/00_prepare_pre.sh new file mode 120000 index 0000000..9ad8e72 --- /dev/null +++ b/scripts_debian/custom_wheezy_whonix-workstation/00_prepare_pre.sh @@ -0,0 +1 @@ +../custom_wheezy_whonix/00_prepare_pre.sh \ No newline at end of file diff --git a/scripts_debian/custom_wheezy_whonix-workstation/01_install_core_post.sh b/scripts_debian/custom_wheezy_whonix-workstation/01_install_core_post.sh new file mode 120000 index 0000000..ba75217 --- /dev/null +++ b/scripts_debian/custom_wheezy_whonix-workstation/01_install_core_post.sh @@ -0,0 +1 @@ +../custom_wheezy_whonix/01_install_core_post.sh \ No newline at end of file diff --git a/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh b/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh new file mode 100755 index 0000000..8916154 --- /dev/null +++ b/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh 
@@ -0,0 +1,54 @@ +#!/bin/bash -x +# vim: set ts=4 sw=4 sts=4 et : + +################################################################################ +# Allows a pre-built image to be used (if it exists) for installing +# Whonix. This option is useful only for debugging Whonix installations +# +# To use, first create a regualr wheezy template and manually copy the prepared +# image to debian-7-x64-prepard.img +# +# Example: +# cp ~/qubes-builder/qubes-src/linux-template-builder/prepared_images/debian-7-x64.img ~/qubes-builder/qubes-src/linux-template-builder/prepared_images/debian-7-x64-whonix-gateway-prepard.img +################################################################################ + +# ------------------------------------------------------------------------------ +# Return if DEBUG is not "1" +# ------------------------------------------------------------------------------ +# This script is only used if DEBUG is set +if [ ! "$DEBUG" == "1" ]; then + exit 0 +fi + +# ------------------------------------------------------------------------------ +# Source external scripts +# ------------------------------------------------------------------------------ +. $SCRIPTSDIR/vars.sh +. 
./umount_kill.sh >/dev/null + +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ +if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then + set -x +else + set -e +fi + +INSTALLDIR="$(readlink -m mnt)" +umount_kill "$INSTALLDIR" || : + +# ------------------------------------------------------------------------------ +# Use an already prepared debian image to install Whonix (for DEBUGGING) +# ------------------------------------------------------------------------------ +splitPath "$IMG" path_parts +PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-prepared${path_parts[dotext]}" + +if [ -f "$PREPARED_IMG" ]; then + warn "Copying $PREPARED_IMG to $IMG" + mount -o loop "$PREPARED_IMG" "$INSTALLDIR" || exit 1 + rm -f "$INSTALLDIR/tmp/.prepared_groups" + umount_kill "$INSTALLDIR" || : + cp -f "$PREPARED_IMG" "$IMG" +fi + diff --git a/scripts_debian/custom_wheezy_whonix/01_install_core_post.sh b/scripts_debian/custom_wheezy_whonix/01_install_core_post.sh new file mode 100755 index 0000000..2590b59 --- /dev/null +++ b/scripts_debian/custom_wheezy_whonix/01_install_core_post.sh 
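Review bot: In the new 00_prepare_pre.sh the `else set -e` branch can never run: the script exits earlier unless DEBUG is exactly "1", and `"$DEBUG" == "1"` is one of the two conditions that select `set -x`, so the file always runs without errexit while it overwrites the build image with `cp -f "$PREPARED_IMG" "$IMG"`. The `-x` in `#!/bin/bash -x` additionally switches tracing on before the conditional is reached, so the VERBOSE check is moot as well; use `#!/bin/bash` and an unconditional `set -e`. 01_install_core_post.sh in this commit has the same DEBUG gate, and PATCH 13 later changes both gates to SNAPSHOT, which makes the `set -e` branch reachable but leaves the shebang as is.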
@@ -0,0 +1,38 @@
+#!/bin/sh
+# vim: set ts=4 sw=4 sts=4 et :
+
+# ------------------------------------------------------------------------------
+# Return if DEBUG is not "1"
+# ------------------------------------------------------------------------------
+# This script is only used if DEBUG is set
+if [ ! "$DEBUG" == "1" ]; then
+ exit 0
+fi
+
+# ------------------------------------------------------------------------------
+# Source external scripts
+# ------------------------------------------------------------------------------
+. $SCRIPTSDIR/vars.sh
+. ./umount_kill.sh >/dev/null
+
+# ------------------------------------------------------------------------------
+# Configurations
+# ------------------------------------------------------------------------------
+if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
+ set -x
+else
+ set -e
+fi
+
+# ------------------------------------------------------------------------------
+# Create a copy of an already prepared bootstraped image if it does not exist
+# ------------------------------------------------------------------------------
+splitPath "$IMG" path_parts
+PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-prepared${path_parts[dotext]}"
+
+if ! [ -f "$PREPARED_IMG" ]; then
+ umount_kill "$INSTALLDIR" || :
+ warn "Copying $IMG to $PREPARED_IMG"
+ cp -f "$IMG" "$PREPARED_IMG"
+ mount -o loop "$IMG" "$INSTALLDIR" || exit 1
+fi
diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh
index e5ab664..6258a1c 100755
--- a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh
+++ b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh
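Review bot: The new 01_install_core_post.sh is `#!/bin/sh` but relies on bash-only syntax — `${path_parts[dir]}` (an associative array filled by `splitPath`) and `==` inside `[ ]` — so it only works where /bin/sh happens to be bash; wherever /bin/sh is dash the `PREPARED_IMG=` line is a "Bad substitution" error. Its sibling 00_prepare_pre.sh in the same commit uses `#!/bin/bash -x`; make both `#!/bin/bash`. Separately, `cp -f "$IMG" "$PREPARED_IMG"` runs directly after `umount_kill`, which (per the umount_kill.sh hunk in this commit) falls back to a lazy `umount -l`, so the snapshot may be copied while the filesystem is still detaching; presumably a `sync` plus a check that `losetup -j "$IMG"` reports no attached loop device before the copy would make the snapshot reliable. The same umount-then-copy ordering appears in 00_prepare_pre.sh and in the block PATCH 13 adds to 02_install_groups_packages_installed.sh.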
@@ -2,13 +2,18 @@ # vim: set ts=4 sw=4 sts=4 et : # ------------------------------------------------------------------------------ -# Configurations +# Source external scripts # ------------------------------------------------------------------------------ . $SCRIPTSDIR/vars.sh . ./umount_kill.sh >/dev/null +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x +else + set -e fi # ------------------------------------------------------------------------------ @@ -28,7 +33,7 @@ sudo mkdir --parents --mode=g+rw "/tmp/uwt" # on the package. Things seem to work anyway. BUT hopfully the # hold on grub* don't get removed sudo apt-mark hold sysvinit -sudo apt-mark hold grub-common grub-pc-bin grub2-common +sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common # Whonix expects haveged to be started sudo /etc/init.d/haveged start @@ -89,7 +94,6 @@ sudo touch "/tmp/.prepared_whonix" EOF - # ------------------------------------------------------------------------------ # chroot Whonix fix script (Make sure set -e is not set) # Run ../whonix_fix when whonix gives grub-pc error 
@@ -98,10 +102,27 @@ EOF # ignore certain errors read -r -d '' WHONIX_FIX_SCRIPT <<'EOF' DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - sudo apt-get -y --force-yes remove grub-common grub-pc-bin grub2-common + sudo apt-get -y --force-yes remove grub-pc grub-common grub-pc-bin grub2-common sudo apt-mark hold grub-common grub-pc-bin grub2-common EOF +read -r -d '' WHONIX_APT_PIN <<'EOF' +Package: grub-pc +Pin: version * +Pin-Priority: -100 + +Package: grub-pc-bin +Pin: version * +Pin-Priority: -100 + +Package: grub-common +Pin: version * +Pin-Priority: -100 + +Package: grub2-common +Pin: version * +Pin-Priority: -100 +EOF # ------------------------------------------------------------------------------ # Set defualts for apt not to install recommended or extra packages @@ -116,19 +137,19 @@ EOF # ------------------------------------------------------------------------------ # Cleanup function # ------------------------------------------------------------------------------ -function error() { - echo "--> Whonix error; umounting $INSTALLDIR to prevent further writes" +function cleanup() { + error "Whonix error; umounting $INSTALLDIR to prevent further writes" umount_kill "$INSTALLDIR" || : exit 1 } -trap error ERR -trap error EXIT +trap cleanup ERR +trap cleanup EXIT # ------------------------------------------------------------------------------ # Mount devices, etc required for Whonix installation # ------------------------------------------------------------------------------ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then - echo "-> Installing whonix system" + info "Installing Whonix system" # -------------------------------------------------------------------------- # Initialize Whonix submodules 
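Review bot: `read -r -d '' WHONIX_APT_PIN <<'EOF'` exits with status 1, because `read` reaches end-of-input without ever seeing its NUL delimiter, and this file now runs under `set -e` whenever VERBOSE is below 2 and DEBUG is unset (the if/else added at its top), so a quiet build terminates at this line with no message. The pre-existing `read -r -d '' WHONIX_FIX_SCRIPT` just above has the same status, and presumably the earlier WHONIX_BUILD_SCRIPT read too; the `trap cleanup ERR` is installed after these reads, so it does not report it either. Append `|| true` to each such read, e.g. `read -r -d '' WHONIX_APT_PIN <<'EOF' || true`, with a one-line comment that `read -d ''` always returns non-zero on EOF.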
@@ -147,17 +168,31 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then # XXX: Seems like the error disappears, but then whonix updates to original code? pushd "$WHONIX_DIR/packages/anon-meta-packages/debian" { - sed -i 's/ grub-pc,//g' control; - #git commit -am 'removed grub-pc depend'; + sed -i 's/ grub-pc,//g' control || :; + su $USER -c "git commit -am 'removed grub-pc depend'" || :; + } + popd + + pushd "$WHONIX_DIR" + { + sed -i 's/grub-pc//g' grml_packages || :; + su $USER -c "git commit -am 'removed grub-pc depend'" || :; } popd - pushd "$WHONIX_DIR/build-steps.d" + pushd "$WHONIX_DIR/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d" { - sed -i 's/ check_for_uncommited_changes/ #check_for_uncommited_changes/g' 1200_create-debian-packages; + sed -i 's/update-grub/:/g' 85_update_grub || :; + su $USER -c "git commit -am 'removed grub-pc depend'" || :; } popd + #pushd "$WHONIX_DIR/build-steps.d" + #{ + # sed -i 's/ check_for_uncommited_changes/ #check_for_uncommited_changes/g' 1200_create-debian-packages; + #} + #popd + # -------------------------------------------------------------------------- # Whonix system config dependancies # -------------------------------------------------------------------------- 
@@ -184,18 +219,22 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then # Install Whonix system # -------------------------------------------------------------------------- if ! [ -d "$INSTALLDIR/home/user/Whonix" ]; then - echo "-> Installing Whonix build environment..." + debug "Installing Whonix build environment..." chroot "$INSTALLDIR" su user -c 'mkdir /home/user/Whonix' fi if [ -d "$INSTALLDIR/home/user/Whonix" ]; then + debug "Building Whonix..." mount --bind "../Whonix" "$INSTALLDIR/home/user/Whonix" - echo "-> Building Whonix..." # Install apt-get preferences echo "$WHONIX_APT_PREFERENCE" > "$INSTALLDIR/etc/apt/apt.conf.d/99whonix" chmod 0644 "$INSTALLDIR/etc/apt/apt.conf.d/99whonix" + # Pin grub packages so they will not install + echo "$WHONIX_APT_PIN" > "$INSTALLDIR/etc/apt/preferences.d/whonix_qubes" + chmod 0644 "$INSTALLDIR/etc/apt/preferences.d/whonix_qubes" + # Install Whonix fix script echo "$WHONIX_FIX_SCRIPT" > "$INSTALLDIR/home/user/whonix_fix" chmod 0755 "$INSTALLDIR/home/user/whonix_fix" @@ -209,9 +248,9 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then BUILD_TYPE="--torworkstation" else - echo "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules" - echo "You need to set TEMPLATE_FLAVOR environment variable to either" - echo "whonix-gateway OR whonix-workstation" + error "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules" + error "You need to set TEMPLATE_FLAVOR environment variable to either" + error "whonix-gateway OR whonix-workstation" exit 1 fi diff --git a/scripts_debian/custom_wheezy_whonix/04_install_qubes_post.sh b/scripts_debian/custom_wheezy_whonix/04_install_qubes_post.sh index 11f4193..11d7e32 100755 --- a/scripts_debian/custom_wheezy_whonix/04_install_qubes_post.sh +++ b/scripts_debian/custom_wheezy_whonix/04_install_qubes_post.sh 
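Review bot: The converted messages in the TEMPLATE_FLAVOR branch keep a typo in user-facing text: `error "Incorrent Whonix type ..."` should read `error "Incorrect Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules"`. In the first hunk, the new pin file `/etc/apt/preferences.d/whonix_qubes` is written into the image with no matching removal visible here; if it is not deleted after the Whonix build it ships in the finished template and blocks the four grub packages for the life of the VM (priority -100), so the write deserves a comment stating the intent, e.g. `# TODO: confirm this pin is meant to remain in the shipped template`.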
@@ -6,12 +6,17 @@ # # ------------------------------------------------------------------------------ -# Configurations +# Source external scripts # ------------------------------------------------------------------------------ . $SCRIPTSDIR/vars.sh +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x +else + set -e fi # ------------------------------------------------------------------------------ @@ -43,7 +48,6 @@ fi # ------------------------------------------------------------------------------ # Copy over any extra files # ------------------------------------------------------------------------------ -echo "-> Copy extra files..." copy_dirs "extra-whonix-files" # ------------------------------------------------------------------------------ diff --git a/scripts_debian/vars.sh b/scripts_debian/vars.sh index be2ee69..aeb5940 100755 --- a/scripts_debian/vars.sh +++ b/scripts_debian/vars.sh @@ -1,6 +1,9 @@ # ------------------------------------------------------------------------------ # Global variables and functions # ------------------------------------------------------------------------------ + +. ./functions.sh + # The codename of the debian version to install. # jessie = testing, wheezy = stable DEBIANVERSION=$DIST 
@@ -21,101 +24,3 @@ QUBESDEBIANGIT="http://dsg.is/qubes/" # build, which does not exist. We need to write to $HOME/.gnupg so set it # to something valid. HOME=/root - - -# ------------------------------------------------------------------------------ -# Takes an array and exports it a global variable -# -# $1: Array to export -# $2: Global variable name to use for export -# -# http://ihaveabackup.net/2012/01/29/a-workaround-for-passing-arrays-in-bash/ -# -# ------------------------------------------------------------------------------ -setArrayAsGlobal() { - local array="$1" - local export_as="$2" - local code=$(declare -p "$array") - local replaced="${code/$array/$export_as}" - eval ${replaced/declare -/declare -g} -} - - -# ------------------------------------------------------------------------------ -# Spilts the path and returns an array of parts -# -# $1: Full path of file to split -# $2: Global variable name to use for export -# Returns: -# ([full]='original name' [dir]='directory' [base]='filename' [ext]='extension') -# -# Original concept path split from: -# https://stackoverflow.com/questions/965053/extract-filename-and-extension-in-bash -# -# ------------------------------------------------------------------------------ -splitPath() { - - local return_global_var=$2 - local filename="${1##*/}" # Strip longest match of */ from start - local dir="${1:0:${#1} - ${#filename}}" # Substring from 0 thru pos of filename - local base="${filename%.[^.]*}" # Strip shortest match of . 
plus at least one non-dot char from end - local ext="${filename:${#base} + 1}" # Substring from len of base thru end - if [ "$ext" ]; then - local dotext=".$ext" - else - local dotext="" - fi - if [[ -z "$base" && -n "$ext" ]]; then # If we have an extension and no base, it's really the base - base=".$ext" - ext="" - dotext="" - fi - - declare -A PARTS=([full]="$1" [dir]="$dir" [base]="$base" [ext]="$ext" [dotext]="$dotext") - setArrayAsGlobal PARTS $return_global_var -} - - -# ------------------------------------------------------------------------------ -# Executes any additional optional configuration steps if the configuration -# scripts exist -# ------------------------------------------------------------------------------ -customStep() { - echo "--> Checking for any custom $2 configuration scripts for $1..." - splitPath "$1" path_parts - - if [ "$2" ]; then - script_name="${path_parts[base]}_$2${path_parts[dotext]}" - else - script_name="${path_parts[base]}${path_parts[dotext]}" - fi - - if [ -n "${TEMPLATE_FLAVOR}" ]; then - script="$SCRIPTSDIR/custom_${DIST}_${TEMPLATE_FLAVOR}/${script_name}" - else - script="$SCRIPTSDIR/custom_${DIST}/${script_name}" - fi - - if [ -f "$script" ]; then - "$script" - fi -} - - -# ------------------------------------------------------------------------------ -# Copy extra file tree to $INSTALLDIR -# ------------------------------------------------------------------------------ -copy_dirs() { - DIR="$1" - if [ -n "${TEMPLATE_FLAVOR}" ]; then - CUSTOMDIR="$SCRIPTSDIR/custom_${DIST}_${TEMPLATE_FLAVOR}/${DIR}" - else - CUSTOMDIR="$SCRIPTSDIR/custom_${DIST}/${DIR}" - fi - - if [ -d "$CUSTOMDIR" ]; then - cp -rp "$CUSTOMDIR/"* "$INSTALLDIR" - elif [ -d "$SCRIPTSDIR/${DIR}" ]; then - cp -rp "$SCRIPTSDIR/${DIR}/"* "$INSTALLDIR" - fi -} diff --git a/umount_kill.sh b/umount_kill.sh index 4d1644e..4e64834 100755 --- a/umount_kill.sh +++ b/umount_kill.sh 
@@ -23,6 +23,8 @@ # ./umount_kill.sh chroot-jessie # +. ./functions.sh + # $1 = full path to mount; # $2 = if set will not umount; only kill processes in mount umount_kill() { @@ -37,7 +39,7 @@ umount_kill() { # since we are doing an exact string match on the path MOUNTDIR=$(echo "$MOUNTDIR" | sed s#//*#/#g) - echo "-> Attempting to kill any processes still running in '$MOUNTDIR' before un-mounting" + debug "-> Attempting to kill any processes still running in '$MOUNTDIR' before un-mounting" for dir in $(sudo grep "$MOUNTDIR" /proc/mounts | cut -f2 -d" " | sort -r | grep "^$MOUNTDIR") do sudo lsof "$dir" 2> /dev/null | \ @@ -46,11 +48,21 @@ umount_kill() { awk '{print $2}' | \ xargs --no-run-if-empty sudo kill -9 - echo "un-mounting $dir" if ! [ "$2" ] && $(mountpoint -q "$dir"); then + debug "un-mounting $dir" sudo umount -n "$dir" 2> /dev/null || \ sudo umount -n -l "$dir" 2> /dev/null || \ - echo "umount $dir unsuccessful!" + error "umount $dir unsuccessful!" + elif ! [ "$2" ]; then + # Look for (deleted) mountpoints + debug "not a regular mount point: $dir" + base=$(basename "$dir") + dir=$(dirname "$dir") + base=$(echo "$base" | sed 's/[\].*$//') + dir="$dir/$base" + sudo umount -v -f -n "$dir" 2> /dev/null || \ + sudo umount -v -f -n -l "$dir" 2> /dev/null || \ + error "umount $dir unsuccessful!" fi done } From 4e2a9158a88663a984fbf9824b5e76b4adac104a Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Thu, 16 Oct 2014 16:05:28 -0400 Subject: [PATCH 13/83] Added snapshot for debootstrap completion and when system is updated with extra packages before Whonix is installed for debugging only (SNAPSHOT must be set to "1" Tweaked Whonix configurations some more so it should now run without errors --- scripts_debian/00_prepare.sh | 6 ++-- .../custom_wheezy_whonix/00_prepare_pre.sh | 10 +++---- .../01_install_core_post.sh | 10 +++---- .../02_install_groups_packages_installed.sh | 28 ++++++++++++++++--- 4 files changed, 37 insertions(+), 17 deletions(-) 
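Review bot: The new `elif ! [ "$2" ]` branch in umount_kill() runs for every entry from /proc/mounts that `mountpoint -q` rejects, not only for deleted mount points as its comment says, and it then rewrites `$dir` by cutting at the first backslash and force-unmounts the result (`umount -v -f -n`, then lazy). If that cut yields a path that is a live mount the caller did not ask about — e.g. a directory whose name contains an escaped character — it gets forcibly detached. Make the intent explicit by testing for the suffix, which /proc/mounts presumably renders as `\040(deleted)`, before rewriting: `elif ! [ "$2" ] && [ "${dir%'\040(deleted)'}" != "$dir" ]; then`, and replace the `echo | sed` with the builtin `base=${base%%\\*}`. The `for dir in $(...)` loop this sits in is unchanged context and still word-splits the mount list.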
diff --git a/scripts_debian/00_prepare.sh b/scripts_debian/00_prepare.sh index c35aa05..03edeb5 100755 --- a/scripts_debian/00_prepare.sh +++ b/scripts_debian/00_prepare.sh @@ -10,15 +10,15 @@ # ------------------------------------------------------------------------------ # Configurations # ------------------------------------------------------------------------------ -INSTALLDIR="$(readlink -m mnt)" -umount_kill "$INSTALLDIR" || : - if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x else set -e fi +INSTALLDIR="$(readlink -m mnt)" +umount_kill "$INSTALLDIR" || : + # ------------------------------------------------------------------------------ # Execute any custom pre configuration scripts # ------------------------------------------------------------------------------ diff --git a/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh b/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh index 8916154..3c81ee6 100755 --- a/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh +++ b/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh @@ -13,10 +13,10 @@ ################################################################################ # ------------------------------------------------------------------------------ -# Return if DEBUG is not "1" +# Return if SNAPSHOT is not "1" # ------------------------------------------------------------------------------ -# This script is only used if DEBUG is set -if [ ! "$DEBUG" == "1" ]; then +# This script is only used if SNAPSHOT is set +if [ ! "$SNAPSHOT" == "1" ]; then exit 0 fi 
@@ -39,10 +39,10 @@ INSTALLDIR="$(readlink -m mnt)" umount_kill "$INSTALLDIR" || : # ------------------------------------------------------------------------------ -# Use an already prepared debian image to install Whonix (for DEBUGGING) +# Use a snapshot of the debootstraped debian image to install Whonix (for DEBUGGING) # ------------------------------------------------------------------------------ splitPath "$IMG" path_parts -PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-prepared${path_parts[dotext]}" +PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-debootstrap${path_parts[dotext]}" if [ -f "$PREPARED_IMG" ]; then warn "Copying $PREPARED_IMG to $IMG" diff --git a/scripts_debian/custom_wheezy_whonix/01_install_core_post.sh b/scripts_debian/custom_wheezy_whonix/01_install_core_post.sh index 2590b59..db7ec1b 100755 --- a/scripts_debian/custom_wheezy_whonix/01_install_core_post.sh +++ b/scripts_debian/custom_wheezy_whonix/01_install_core_post.sh @@ -2,10 +2,10 @@ # vim: set ts=4 sw=4 sts=4 et : # ------------------------------------------------------------------------------ -# Return if DEBUG is not "1" +# Return if SNAPSHOT is not "1" # ------------------------------------------------------------------------------ -# This script is only used if DEBUG is set -if [ ! "$DEBUG" == "1" ]; then +# This script is only used if SNAPSHOT is set +if [ ! "$SNAPSHOT" == "1" ]; then exit 0 fi 
@@ -25,10 +25,10 @@ else fi # ------------------------------------------------------------------------------ -# Create a copy of an already prepared bootstraped image if it does not exist +# Create a snapshot of the already debootstraped image # ------------------------------------------------------------------------------ splitPath "$IMG" path_parts -PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-prepared${path_parts[dotext]}" +PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-debootstrap${path_parts[dotext]}" if ! [ -f "$PREPARED_IMG" ]; then umount_kill "$INSTALLDIR" || : diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh index 6258a1c..f9074f2 100755 --- a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh @@ -16,6 +16,24 @@ else set -e fi +# ------------------------------------------------------------------------------ +# XXX: Create a snapshot - Only for DEBUGGING! +# ------------------------------------------------------------------------------ +# Only execute if SNAPSHOT is set +if [ "$SNAPSHOT" == "1" ]; then + splitPath "$IMG" path_parts + PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}" + + if ! [ -f "$PREPARED_IMG" ]; then + umount_kill "$INSTALLDIR" || : + warn "Copying $IMG to $PREPARED_IMG" + cp -f "$IMG" "$PREPARED_IMG" + mount -o loop "$IMG" "$INSTALLDIR" || exit 1 + for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "$INSTALLDIR/$fs"; done + fi +fi + + # ------------------------------------------------------------------------------ # chroot Whonix build script (Make sure set -e is not set) # ------------------------------------------------------------------------------ 
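Review bot: The bind-mount loop at the end of the new SNAPSHOT block, `for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "$INSTALLDIR/$fs"; done`, does not check the mount status, whereas the loop mount just above exits on failure; in the debug branch (`set -x` without `set -e`) a failed bind mount is silent and the chroot steps that follow run with an incomplete /dev or /proc. Suggest `mount -B "$fs" "$INSTALLDIR/$fs" || exit 1` as the loop body. The `-updated` snapshot is copied only after `umount_kill`, which is the right order for a consistent image, but the name alone does not say what state it captures; a comment such as `# Snapshot of the image after package groups are installed, before any Whonix changes` above the block would make the restore logic in 00_prepare_pre.sh easier to follow.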
@@ -166,16 +184,17 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then # Patch anon-meta-packages to not depend on grub-pc # XXX: Seems like the error disappears, but then whonix updates to original code? - pushd "$WHONIX_DIR/packages/anon-meta-packages/debian" + pushd "$WHONIX_DIR" { - sed -i 's/ grub-pc,//g' control || :; + sed -i 's/grub-pc//g' grml_packages || :; su $USER -c "git commit -am 'removed grub-pc depend'" || :; } popd - pushd "$WHONIX_DIR" + pushd "$WHONIX_DIR/packages/anon-meta-packages/debian" { - sed -i 's/grub-pc//g' grml_packages || :; + sed -i 's/ grub-pc,//g' control || :; + su $USER -c "dpkg-source --commit" || :; su $USER -c "git commit -am 'removed grub-pc depend'" || :; } popd @@ -183,6 +202,7 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then pushd "$WHONIX_DIR/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d" { sed -i 's/update-grub/:/g' 85_update_grub || :; + su $USER -c "dpkg-source --commit" || :; su $USER -c "git commit -am 'removed grub-pc depend'" || :; } popd From 12d38082821b6292b8d88e747f3f5e16549352d9 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Thu, 16 Oct 2014 18:00:26 -0400 Subject: [PATCH 14/83] Changed user id from $USER ro user since $USER was root --- .../custom_wheezy_whonix/00_prepare_pre.sh | 22 +++++++++++++------ .../02_install_groups_packages_installed.sh | 13 +++++------ 2 files changed, 21 insertions(+), 14 deletions(-) diff --git a/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh b/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh index 3c81ee6..421eb2b 100755 --- a/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh +++ b/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh 
@@ -36,19 +36,27 @@ else fi INSTALLDIR="$(readlink -m mnt)" -umount_kill "$INSTALLDIR" || : # ------------------------------------------------------------------------------ # Use a snapshot of the debootstraped debian image to install Whonix (for DEBUGGING) # ------------------------------------------------------------------------------ -splitPath "$IMG" path_parts -PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-debootstrap${path_parts[dotext]}" -if [ -f "$PREPARED_IMG" ]; then - warn "Copying $PREPARED_IMG to $IMG" - mount -o loop "$PREPARED_IMG" "$INSTALLDIR" || exit 1 +copy_snapshot() { + warn "Copying $1 to $IMG" + umount_kill "$INSTALLDIR" || : + mount -o loop "$1" "$INSTALLDIR" || exit 1 rm -f "$INSTALLDIR/tmp/.prepared_groups" umount_kill "$INSTALLDIR" || : - cp -f "$PREPARED_IMG" "$IMG" + cp -f "$1" "$IMG" +} + +splitPath "$IMG" path_parts +debootstrap_snapshot="${path_parts[dir]}${path_parts[base]}-debootstrap${path_parts[dotext]}" +updated_snapshot="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}" + +if [ -f "$updated_snapshot" ]; then + copy_snapshot "$updated_snapshot" +elif [ -f "$debootstrap_snapshot" ]; then + copy_snapshot "$debootstrap_snapshot" fi diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh index f9074f2..cc9453f 100755 --- a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh @@ -33,7 +33,6 @@ if [ "$SNAPSHOT" == "1" ]; then fi fi - # ------------------------------------------------------------------------------ # chroot Whonix build script (Make sure set -e is not set) # ------------------------------------------------------------------------------ 
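Review bot: `copy_snapshot` deletes `tmp/.prepared_groups` from the snapshot file itself (it loop-mounts `$1` read-write, removes the marker, then copies `$1` over `$IMG`), so the snapshot on disk is mutated on every restore instead of being a fixed reference point. Copying first and stripping the marker from the working image keeps the snapshot pristine: `cp -f "$1" "$IMG"`, then mount `$IMG` and `rm -f "$INSTALLDIR/tmp/.prepared_groups"`. This helper is only reached when SNAPSHOT=1 (checked earlier in the file, outside the hunk); a comment above `copy_snapshot()` stating that, and that the `-updated` snapshot is preferred over the `-debootstrap` one, would make the `if/elif` below self-explanatory.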
@@ -174,7 +173,7 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then # -------------------------------------------------------------------------- pushd "$WHONIX_DIR" { - su $USER -c "git submodule update --init --recursive" + su user -c "git submodule update --init --recursive" } popd @@ -187,23 +186,23 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then pushd "$WHONIX_DIR" { sed -i 's/grub-pc//g' grml_packages || :; - su $USER -c "git commit -am 'removed grub-pc depend'" || :; + su user -c "git commit -am 'removed grub-pc depend'" || :; } popd pushd "$WHONIX_DIR/packages/anon-meta-packages/debian" { sed -i 's/ grub-pc,//g' control || :; - su $USER -c "dpkg-source --commit" || :; - su $USER -c "git commit -am 'removed grub-pc depend'" || :; + su user -c "dpkg-source --commit" || :; + su user -c "git commit -am 'removed grub-pc depend'" || :; } popd pushd "$WHONIX_DIR/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d" { sed -i 's/update-grub/:/g' 85_update_grub || :; - su $USER -c "dpkg-source --commit" || :; - su $USER -c "git commit -am 'removed grub-pc depend'" || :; + su user -c "dpkg-source --commit" || :; + su user -c "git commit -am 'removed grub-pc depend'" || :; } popd From c19c9a579a61fd4e06bc16c223bbaafa67c2351e Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 17 Oct 2014 00:24:00 -0400 Subject: [PATCH 15/83] Pinned sysvinit again; lets see if it will prevent it from being re-installed Added more configurations to attempt to build Whonix un-attended --- scripts_debian/02_install_groups.sh | 9 +++++ .../02_install_groups_packages_installed.sh | 39 ++++++++++++------- scripts_debian/packages_wheezy_whonix.list | 6 +++ 3 files changed, 40 insertions(+), 14 deletions(-) diff --git a/scripts_debian/02_install_groups.sh b/scripts_debian/02_install_groups.sh index 1fa0c3e..ac8dfc5 100755 --- a/scripts_debian/02_install_groups.sh +++ b/scripts_debian/02_install_groups.sh 
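Review bot: `su user -c "git submodule update --init --recursive"` and the other `su user -c` calls in this hunk and in `@@ -187,23 +186,23 @@` run on the build host (there is no `chroot` in front of them), so they assume a host account literally named `user` that can write `$WHONIX_DIR`; that assumption is not stated anywhere and fails on a builder where the checkout belongs to another account. Suggest a comment at the first occurrence, `# NOTE: runs on the host as the unprivileged account "user", which must own $WHONIX_DIR`, or deriving the owner once with `stat -c %U "$WHONIX_DIR"` into a variable used by every call. The enclosing `if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]` block starts outside the hunk.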
@@ -142,6 +142,15 @@ EOF debug "Preventing sysvinit re-installation" chroot "$INSTALLDIR" apt-mark hold sysvinit + # Pin sysvinit to prevent being re-installed + read -r -d '' SYSVINIT_APT_PIN <<'EOF' +Package: sysvinit +Pin: version * +Pin-Priority: -100 +EOF + echo "$SYSVINIT_APT_PIN" > "$INSTALLDIR/etc/apt/preferences.d/qubes_sysvinit" + chmod 0644 "$INSTALLDIR/etc/apt/preferences.d/qubes_sysvinit" + chroot "$INSTALLDIR" apt-get update DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ chroot "$INSTALLDIR" apt-get -y --force-yes install systemd-sysv diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh index cc9453f..f220612 100755 --- a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh 
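Review bot: `read -r -d '' SYSVINIT_APT_PIN <<'EOF'` always returns 1, because `read -d ''` only succeeds when it sees a NUL delimiter and the here-document ends at EOF instead; with `set -e` enabled in the non-debug branch this line aborts the script before the pin file is written, and in debug runs the variable is set but the status is still non-zero. Either append `|| true` to the `read`, or write the here-document straight into the file: `cat > "$INSTALLDIR/etc/apt/preferences.d/qubes_sysvinit" <<'EOF'`. `Pin: version *` with `Pin-Priority: -100` blocks every version of sysvinit, so a comment next to the pin saying that `apt-mark hold` alone was found insufficient (as the commit message states) would explain why both mechanisms are in place.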
@@ -180,37 +180,46 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then # -------------------------------------------------------------------------- # Patch Whonix submodules # -------------------------------------------------------------------------- - + # Patch anon-meta-packages to not depend on grub-pc - # XXX: Seems like the error disappears, but then whonix updates to original code? pushd "$WHONIX_DIR" { + #su user -c "git branch qubes 9.2" || :; + #su user -c "git checkout qubes" || :; sed -i 's/grub-pc//g' grml_packages || :; - su user -c "git commit -am 'removed grub-pc depend'" || :; + #su user -c "git commit -am 'removed grub-pc depend'" || :; } popd pushd "$WHONIX_DIR/packages/anon-meta-packages/debian" { + #su user -c "git branch qubes" || :; + #su user -c "git checkout qubes" || :; sed -i 's/ grub-pc,//g' control || :; - su user -c "dpkg-source --commit" || :; - su user -c "git commit -am 'removed grub-pc depend'" || :; + cd ..; + su user -c "dpkg-source -q --commit . no_grub" || :; + #git add . + #su user -c "git commit -am 'removed grub-pc depend'" || :; } popd pushd "$WHONIX_DIR/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d" { + #su user -c "git branch qubes" || :; + #su user -c "git checkout qubes" || :; sed -i 's/update-grub/:/g' 85_update_grub || :; - su user -c "dpkg-source --commit" || :; - su user -c "git commit -am 'removed grub-pc depend'" || :; + cd ../../../..; + su user -c "dpkg-source -q --commit . no_grub" || :; + #git add . 
+ #su user -c "git commit -am 'removed grub-pc depend'" || :; } popd - #pushd "$WHONIX_DIR/build-steps.d" - #{ - # sed -i 's/ check_for_uncommited_changes/ #check_for_uncommited_changes/g' 1200_create-debian-packages; - #} - #popd + pushd "$WHONIX_DIR/build-steps.d" + { + sed -i 's/ check_for_uncommited_changes/ #check_for_uncommited_changes/g' 1200_create-debian-packages; + } + popd # -------------------------------------------------------------------------- # Whonix system config dependancies @@ -246,9 +255,11 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then debug "Building Whonix..." mount --bind "../Whonix" "$INSTALLDIR/home/user/Whonix" + # This breaks whonix depends since it must just rely on recommended + # packages since it seems to install just about everything :) # Install apt-get preferences - echo "$WHONIX_APT_PREFERENCE" > "$INSTALLDIR/etc/apt/apt.conf.d/99whonix" - chmod 0644 "$INSTALLDIR/etc/apt/apt.conf.d/99whonix" + #echo "$WHONIX_APT_PREFERENCES" > "$INSTALLDIR/etc/apt/apt.conf.d/99whonix" + #chmod 0644 "$INSTALLDIR/etc/apt/apt.conf.d/99whonix" # Pin grub packages so they will not install echo "$WHONIX_APT_PIN" > "$INSTALLDIR/etc/apt/preferences.d/whonix_qubes" diff --git a/scripts_debian/packages_wheezy_whonix.list b/scripts_debian/packages_wheezy_whonix.list index 09938c9..c8327e4 100644 --- a/scripts_debian/packages_wheezy_whonix.list +++ b/scripts_debian/packages_wheezy_whonix.list @@ -7,6 +7,7 @@ ncurses-term xserver-xorg-core x11-xserver-utils xinit + git curl sudo @@ -27,3 +28,8 @@ usbutils lsb-release acpi-support-base haveged + +build-essential:native +gcc +fakeroot +lintian From 64093db75adbbb6201e1ae426d1cfd74a647400c Mon Sep 17 00:00:00 2001 
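Review bot: `su user -c "dpkg-source -q --commit . no_grub"` in the anon-meta-packages and anon-shared-build-fix-grub blocks invokes the editor to write the patch header, so in the unattended build this commit aims for it either blocks on a terminal or fails when none is attached; prefix it with `EDITOR=/bin/true` so it cannot wait for input. The `cd ..` and `cd ../../../..` inside the `pushd` groups are fragile relative paths; `cd "$WHONIX_DIR/packages/anon-meta-packages"` (and the equivalent for anon-shared-build-fix-grub) makes the `dpkg-source` target explicit. Uncommenting the `sed` that turns `check_for_uncommited_changes` into a comment in `1200_create-debian-packages` disables a Whonix build check that ensures the tree being built matches a committed state; that is a deliberate trade-off for the local grub patches and should say so, e.g. `# Whonix refuses to build from a dirty tree; the grub patches above are intentionally uncommitted`. The enclosing `if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]` block starts outside the hunk.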
From: Jason Mehring Date: Fri, 17 Oct 2014 23:34:01 -0400 Subject: [PATCH 16/83] deb commit for modified packages should be working now --- functions.sh | 12 +- scripts_debian/02_install_groups.sh | 4 +- .../02_install_groups_packages_installed.sh | 142 +++++++++++------- umount_kill.sh | 6 +- 4 files changed, 104 insertions(+), 60 deletions(-) diff --git a/functions.sh b/functions.sh index 0f93b7c..460ea6b 100755 --- a/functions.sh +++ b/functions.sh @@ -55,12 +55,22 @@ if [ ! "$build_already_defined_colors" = "true" ]; then colors fi +if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then + chroot() { + local retval + true ${blue} + /usr/sbin/chroot "$@" + retval=$? + true ${reset} + return $retval + } +fi # ------------------------------------------------------------------------------ # Display messages in color # ------------------------------------------------------------------------------ info() { - echo "${bold}${cyan}INFO: ${1}${reset}" + echo "${bold}${blue}INFO: ${1}${reset}" } debug() { diff --git a/scripts_debian/02_install_groups.sh b/scripts_debian/02_install_groups.sh index ac8dfc5..de52e80 100755 --- a/scripts_debian/02_install_groups.sh +++ b/scripts_debian/02_install_groups.sh @@ -78,6 +78,7 @@ EOF # ------------------------------------------------------------------------------ debug "Upgrading system" chroot "$INSTALLDIR" apt-get update + true "${stout}" DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ chroot "$INSTALLDIR" apt-get -y --force-yes dist-upgrade @@ -143,12 +144,11 @@ EOF chroot "$INSTALLDIR" apt-mark hold sysvinit # Pin sysvinit to prevent being re-installed - read -r -d '' SYSVINIT_APT_PIN <<'EOF' + cat > "$INSTALLDIR/etc/apt/preferences.d/qubes_sysvinit" < "$INSTALLDIR/etc/apt/preferences.d/qubes_sysvinit" chmod 0644 "$INSTALLDIR/etc/apt/preferences.d/qubes_sysvinit" chroot "$INSTALLDIR" apt-get update 
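Review bot: The `chroot()` wrapper defined for debug/verbose runs hardcodes `/usr/sbin/chroot` and expands `${blue}`/`${reset}` unquoted as arguments to `true`; the colouring only works because `set -x` echoes the `true` command line, which is not obvious and deserves a comment such as `# 'true ${blue}' is a no-op whose xtrace echo switches the trace colour`. Prefer `command chroot "$@"` over the absolute path so the wrapper works wherever chroot is installed and cannot recurse into itself, and quote the colour variables (`true "${blue}"`). Because the wrapper exists only when VERBOSE>=2 or DEBUG=1, debug and normal runs execute different code for every chroot call; that difference belongs in the header comment.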
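Review bot: `true "${stout}"` added after `apt-get update` in 02_install_groups.sh references a variable `stout` that appears nowhere else in the visible diff; it looks like a typo for a colour variable (the rest of the commit uses `${blue}`/`${reset}`), and with an unset name the line is a pure no-op. Either spell the intended variable or drop the line, and if it stays, add the same comment as in functions.sh explaining that it only affects `set -x` output.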
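Review bot: As rendered here the sysvinit hunk reads `cat > "$INSTALLDIR/etc/apt/preferences.d/qubes_sysvinit" < "$INSTALLDIR/etc/apt/preferences.d/qubes_sysvinit"` with the here-document body and the removed `echo` line missing, so the text between the redirection operators appears to have been lost in this rendering rather than in the commit; please confirm the committed line is `cat > "$INSTALLDIR/etc/apt/preferences.d/qubes_sysvinit" <<'EOF'` followed by the three pin lines and `EOF`. If it really is `cat > FILE < FILE`, the file is truncated before it is read and the pin is lost.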
diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh
index f220612..4614f35 100755
--- a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh
+++ b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh
@@ -180,44 +180,75 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then # -------------------------------------------------------------------------- # Patch Whonix submodules # -------------------------------------------------------------------------- - + + # Chekout a branch; create a branch first if it does not exist + checkout_branch() { + branch=$(git symbolic-ref --short -q HEAD) + if ! [ "$branch" == "$1" ]; then + su user -c git checkout "$1" >/dev/null 2>&1 || \ + { + su user -c git branch "$1" + su user -c git checkout "$1" + } + fi + } + + # sed search and replace. return 0 if replace happened, otherwise 1 + search_replace() { + local search="$1" + local replace="$2" + local file="$3" + sed -i.bak '/'"$search"'/,${s//'"$replace"'/;b};$q1' "$file" + } + # Patch anon-meta-packages to not depend on grub-pc pushd "$WHONIX_DIR" { - #su user -c "git branch qubes 9.2" || :; - #su user -c "git checkout qubes" || :; - sed -i 's/grub-pc//g' grml_packages || :; - #su user -c "git commit -am 'removed grub-pc depend'" || :; + search_replace "grub-pc" "" "grml_packages" || : } popd pushd "$WHONIX_DIR/packages/anon-meta-packages/debian" { - #su user -c "git branch qubes" || :; - #su user -c "git checkout qubes" || :; - sed -i 's/ grub-pc,//g' control || :; - cd ..; - su user -c "dpkg-source -q --commit . no_grub" || :; - #git add . - #su user -c "git commit -am 'removed grub-pc depend'" || :; + search1=" grub-pc," + replace="" + + #checkout_branch qubes + search_replace "$search1" "$replace" control && \ + { + cd "$WHONIX_DIR/packages/anon-meta-packages" + : + #sudo -E -u user make deb-pkg || : + #su user -c "dpkg-source --commit" || : + #git add . 
+ #su user -c "git commit -am 'removed grub-pc depend'" + } || : } popd pushd "$WHONIX_DIR/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d" { - #su user -c "git branch qubes" || :; - #su user -c "git checkout qubes" || :; - sed -i 's/update-grub/:/g' 85_update_grub || :; - cd ../../../..; - su user -c "dpkg-source -q --commit . no_grub" || :; - #git add . - #su user -c "git commit -am 'removed grub-pc depend'" || :; + search1="update-grub" + replace=":" + + #checkout_branch qubes + search_replace "$search1" "$replace" 85_update_grub && \ + { + cd "$WHONIX_DIR/packages/anon-shared-build-fix-grub" + sudo -E -u user make deb-pkg || : + su user -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub" + #git add . + #su user -c "git commit -am 'removed grub-pc depend'" + } || : } popd pushd "$WHONIX_DIR/build-steps.d" { - sed -i 's/ check_for_uncommited_changes/ #check_for_uncommited_changes/g' 1200_create-debian-packages; + search1=" check_for_uncommited_changes" + replace=" #check_for_uncommited_changes" + + search_replace "$search1" "$replace" 1200_create-debian-packages || : } popd @@ -228,14 +259,15 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then #cannot stat `/boot/grub/grub.cfg': No such file or directory # Qubes needs a user named 'user' - if chroot "$INSTALLDIR" id -u 'user' >/dev/null 2>&1; then - : - else + debug "Whonix Add user" + chroot "$INSTALLDIR" id -u 'user' >/dev/null 2>&1 || \ + { chroot "$INSTALLDIR" groupadd -f user chroot "$INSTALLDIR" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user - fi + } # Change hostname to 'host' + debug "Whonix change host" echo "host" > "$INSTALLDIR/etc/hostname" chroot "$INSTALLDIR" sed -i "s/localhost/host/g" /etc/hosts 
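Review bot: `su user -c git checkout "$1"` in `checkout_branch` passes only `git` as the `-c` command string; `checkout` and `"$1"` become positional parameters of the spawned shell, so the call runs a bare `git` and the function can never switch branches (the same applies to `su user -c git branch "$1"`). Since the hunk already uses `sudo -E -u user make deb-pkg`, the consistent fix is `sudo -u user git checkout "$1"` and `sudo -u user git branch "$1"`, and `branch` should be declared `local`. `search_replace` uses `sed -i.bak`, which leaves a `.bak` copy beside every patched file, including `debian/control.bak` inside a package source and `1200_create-debian-packages.bak` inside `build-steps.d`; if anything iterates those directories the backup is picked up, so either drop the suffix or delete the backup once the replace succeeds. The function also splices `$search` and `$replace` into the sed program unescaped, which is fine for the literal arguments used here but should be stated in its comment: `# search/replace are inserted into the sed program verbatim; pass literals only`.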
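Review bot: `chroot "$INSTALLDIR" sed -i "s/localhost/host/g" /etc/hosts`, directly below the new `debug "Whonix change host"`, rewrites every occurrence of `localhost`, so the stock `127.0.0.1 localhost` entry becomes `127.0.0.1 host` and `ip6-localhost` becomes `ip6-host`, leaving the template without a `localhost` mapping in /etc/hosts; anything resolving `localhost` then depends on the resolver configuration instead. Adding the hostname as an alias keeps the original names: `chroot "$INSTALLDIR" sed -i '/^127\.0\.0\.1[[:space:]]/ s/$/ host/' /etc/hosts` (assuming the debootstrapped file has the stock Debian layout). The `useradd ... -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev` line grants `sudo` group membership to `user` inside the image; that is presumably the Qubes convention but is a privilege decision baked into the template and deserves a comment saying so.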
@@ -255,36 +287,38 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then debug "Building Whonix..." mount --bind "../Whonix" "$INSTALLDIR/home/user/Whonix" - # This breaks whonix depends since it must just rely on recommended - # packages since it seems to install just about everything :) - # Install apt-get preferences - #echo "$WHONIX_APT_PREFERENCES" > "$INSTALLDIR/etc/apt/apt.conf.d/99whonix" - #chmod 0644 "$INSTALLDIR/etc/apt/apt.conf.d/99whonix" - - # Pin grub packages so they will not install - echo "$WHONIX_APT_PIN" > "$INSTALLDIR/etc/apt/preferences.d/whonix_qubes" - chmod 0644 "$INSTALLDIR/etc/apt/preferences.d/whonix_qubes" - - # Install Whonix fix script - echo "$WHONIX_FIX_SCRIPT" > "$INSTALLDIR/home/user/whonix_fix" - chmod 0755 "$INSTALLDIR/home/user/whonix_fix" - - # Install Whonix build scripts - echo "$WHONIX_BUILD_SCRIPT" > "$INSTALLDIR/home/user/whonix_build" - chmod 0755 "$INSTALLDIR/home/user/whonix_build" - - if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then - BUILD_TYPE="--torgateway" - elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then - BUILD_TYPE="--torworkstation" - else - error "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules" - error "You need to set TEMPLATE_FLAVOR environment variable to either" - error "whonix-gateway OR whonix-workstation" - exit 1 - fi - - chroot "$INSTALLDIR" su user -c "cd ~; ./whonix_build $BUILD_TYPE $DIST" || { exit 1; } + # XXX: Does this break Whonix build? 
+ # Install apt-get preferences + #echo "$WHONIX_APT_PREFERENCES" > "$INSTALLDIR/etc/apt/apt.conf.d/99whonix" + #chmod 0644 "$INSTALLDIR/etc/apt/apt.conf.d/99whonix" + + # Pin grub packages so they will not install + echo "$WHONIX_APT_PIN" > "$INSTALLDIR/etc/apt/preferences.d/whonix_qubes" + chmod 0644 "$INSTALLDIR/etc/apt/preferences.d/whonix_qubes" + + # Install Whonix fix script + echo "$WHONIX_FIX_SCRIPT" > "$INSTALLDIR/home/user/whonix_fix" + chmod 0755 "$INSTALLDIR/home/user/whonix_fix" + + # Install Whonix build scripts + echo "$WHONIX_BUILD_SCRIPT" > "$INSTALLDIR/home/user/whonix_build" + chmod 0755 "$INSTALLDIR/home/user/whonix_build" + + if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then + BUILD_TYPE="--torgateway" + elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then + BUILD_TYPE="--torworkstation" + else + error "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules" + error "You need to set TEMPLATE_FLAVOR environment variable to either" + error "whonix-gateway OR whonix-workstation" + exit 1 + fi + + chroot "$INSTALLDIR" su user -c "cd ~; ./whonix_build $BUILD_TYPE $DIST" || { exit 1; } + else + error "chroot /home/user/Whonix directory does not exist... exiting!" + exit fi fi diff --git a/umount_kill.sh b/umount_kill.sh index 4e64834..e5b50e3 100755 --- a/umount_kill.sh +++ b/umount_kill.sh @@ -39,7 +39,7 @@ umount_kill() { # since we are doing an exact string match on the path MOUNTDIR=$(echo "$MOUNTDIR" | sed s#//*#/#g) - debug "-> Attempting to kill any processes still running in '$MOUNTDIR' before un-mounting" + warn "-> Attempting to kill any processes still running in '$MOUNTDIR' before un-mounting" for dir in $(sudo grep "$MOUNTDIR" /proc/mounts | cut -f2 -d" " | sort -r | grep "^$MOUNTDIR") do sudo lsof "$dir" 2> /dev/null | \ 
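Review bot: The new `else` branch ends with a bare `exit`, which exits with the status of the preceding `error "chroot /home/user/Whonix directory does not exist... exiting!"` call, most likely 0, so a missing Whonix tree is reported but the build is treated as successful by the caller; it should be `exit 1`, matching the `|| { exit 1; }` used for the build command itself. The `if` this `else` closes is not inside the hunk, so the condition being tested (presumably the existence of `$INSTALLDIR/home/user/Whonix` after the `mount --bind`) cannot be verified here; a comment above the re-indented block naming that condition would help. The `# XXX: Does this break Whonix build?` note above the commented-out `99whonix` preferences should record what was observed, otherwise the next reader cannot tell whether to re-enable them.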
@@ -49,13 +49,13 @@ umount_kill() { xargs --no-run-if-empty sudo kill -9 if ! [ "$2" ] && $(mountpoint -q "$dir"); then - debug "un-mounting $dir" + info "un-mounting $dir" sudo umount -n "$dir" 2> /dev/null || \ sudo umount -n -l "$dir" 2> /dev/null || \ error "umount $dir unsuccessful!" elif ! [ "$2" ]; then # Look for (deleted) mountpoints - debug "not a regular mount point: $dir" + info "not a regular mount point: $dir" base=$(basename "$dir") dir=$(dirname "$dir") base=$(echo "$base" | sed 's/[\].*$//') From c87c046fe1f60dca5fbfe99d17482abc5737b54f Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sat, 18 Oct 2014 08:59:21 -0400 Subject: [PATCH 17/83] Added a create-template-list.sh which can be used to get new templates from dom0 --- .gitignore | 1 + Makefile | 1 + create-template-list.sh | 45 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+) create mode 100755 create-template-list.sh diff --git a/.gitignore b/.gitignore index 573534c..a2269fc 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ cache_* mnt_* *.iso *.fs +install-templates.sh diff --git a/Makefile b/Makefile index f69810e..c510f76 100644 --- a/Makefile +++ b/Makefile @@ -25,6 +25,7 @@ rpms: sudo -E ./prepare_image prepared_images/$(TEMPLATE_NAME).img && \ sudo -E ./qubeize_image prepared_images/$(TEMPLATE_NAME).img $(TEMPLATE_NAME) && \ ./build_template_rpm $(TEMPLATE_NAME) || exit 1; \ + ./create-template-list.sh || : \ update-repo-installer: [ -z "$$UPDATE_REPO" ] && UPDATE_REPO=../installer/yum/qubes-dom0;\ diff --git a/create-template-list.sh b/create-template-list.sh new file mode 100755 index 0000000..0feaf73 --- /dev/null +++ b/create-template-list.sh 
@@ -0,0 +1,45 @@ +#!/bin/bash + +# +# Creates a small script to copy to dom0 to retrieve the generated template rpm's +# + +TEMPLATES="./rpm/install-templates.sh" + +TEMPLATES="$(readlink -m $TEMPLATES)" +touch "$TEMPLATES" +write() { + echo "$1" >> "$TEMPLATES" +} + +write "#!/bin/bash" +write "" + +if [ -x /usr/sbin/xenstore-read ]; then + XENSTORE_READ="/usr/sbin/xenstore-read" +else + XENSTORE_READ="/usr/bin/xenstore-read" +fi + +VERSION="-$(cat ./version)" +name=$($XENSTORE_READ name) +path="$(readlink -m .)" +files=$(ls rpm/noarch) + +for file in ${files[@]}; do + write "qvm-run --pass-io development-qubes 'cat ${path}/rpm/noarch/${file}' > ${file}" + write "" + write "yum erase $(echo "$file" | sed -r "s/($VERSION).+$//")" + write "" + write "yum install ${file}" + write "" + write "" +done + +write "# Use the following command in DOM0 to retreive this file:" +write "# qvm-run --pass-io $name 'cat ${TEMPLATES}' > install-templates.sh" + +echo "Use the following command in DOM0 to retreive this file:" +echo "qvm-run --pass-io $name 'cat ${TEMPLATES}' > install-templates.sh" + + From 3da7d92dc8f3b193b4ea2c01121a2cab70a867d5 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sat, 18 Oct 2014 10:53:11 -0400 Subject: [PATCH 18/83] Renamed create-template-list.sh to create_template_list.sh; overwrite file each time --- Makefile | 2 +- create-template-list.sh => create_template_list.sh | 13 ++++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) rename create-template-list.sh => create_template_list.sh (93%) diff --git a/Makefile b/Makefile index c510f76..f5e65d4 100644 --- a/Makefile +++ b/Makefile 
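Review bot: The generated dom0 script fetches each RPM from a hardcoded VM, `qvm-run --pass-io development-qubes 'cat ...'`, while the retrieval instruction written a few lines later uses the VM name read from xenstore (`$name`); the two disagree on any builder not called `development-qubes`, so the first line should use `${name}` as well. The generated script then runs `yum install ${file}` on a file copied out of a VM; yum's repository `gpgcheck` does not cover local package files unless `localpkg_gpgcheck` is enabled, so dom0 installs whatever the VM handed over, which is acceptable for a development loop but should be stated in the generated header, e.g. `write "# Packages are copied from a VM and installed without signature verification - development use only"`. `files=$(ls rpm/noarch)` with `for file in ${files[@]}` parses `ls` output; `for file in rpm/noarch/*.rpm; do file=${file##*/}` avoids the word-splitting, with `[ -e "rpm/noarch/$file" ] || continue` covering an empty directory.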
@@ -25,7 +25,7 @@ rpms: sudo -E ./prepare_image prepared_images/$(TEMPLATE_NAME).img && \ sudo -E ./qubeize_image prepared_images/$(TEMPLATE_NAME).img $(TEMPLATE_NAME) && \ ./build_template_rpm $(TEMPLATE_NAME) || exit 1; \ - ./create-template-list.sh || : \ + ./create_template_list.sh || : \ update-repo-installer: [ -z "$$UPDATE_REPO" ] && UPDATE_REPO=../installer/yum/qubes-dom0;\ diff --git a/create-template-list.sh b/create_template_list.sh similarity index 93% rename from create-template-list.sh rename to create_template_list.sh index 0feaf73..260d3aa 100755 --- a/create-template-list.sh +++ b/create_template_list.sh @@ -6,26 +6,29 @@ TEMPLATES="./rpm/install-templates.sh" -TEMPLATES="$(readlink -m $TEMPLATES)" -touch "$TEMPLATES" write() { echo "$1" >> "$TEMPLATES" } -write "#!/bin/bash" -write "" - if [ -x /usr/sbin/xenstore-read ]; then XENSTORE_READ="/usr/sbin/xenstore-read" else XENSTORE_READ="/usr/bin/xenstore-read" fi +TEMPLATES="$(readlink -m $TEMPLATES)" VERSION="-$(cat ./version)" name=$($XENSTORE_READ name) path="$(readlink -m .)" files=$(ls rpm/noarch) +# +# Write to install-templates +# + +echo "#!/bin/bash" > "$TEMPLATES" +write "" + for file in ${files[@]}; do write "qvm-run --pass-io development-qubes 'cat ${path}/rpm/noarch/${file}' > ${file}" write "" From 8de649323024004518b6dc8970ef8abdcb342e44 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 19 Oct 2014 01:18:58 -0400 Subject: [PATCH 19/83] Remove UPDATE --- qubeize_image | 14 ++------------ scripts_debian/00_prepare.sh | 9 ++------- 2 files changed, 4 insertions(+), 19 deletions(-) diff --git a/qubeize_image b/qubeize_image index 703392f..0333754 100755 --- a/qubeize_image +++ b/qubeize_image 
@@ -53,20 +53,10 @@ trap cleanup ERR # ------------------------------------------------------------------------------ # Mount qubeized_image # ------------------------------------------------------------------------------ -# NEW: continue installation from last point if UPDATE="false" -# if UPDATE does not exist (keep it backwards compatible for fedora script) -# - OR - -# update="true", copy over prepared image as normal - export IMG="qubeized_images/$NAME-root.img" -[ "$UPDATE" ] && UPDATE=$(echo $UPDATE | awk '{print tolower($0)}') -if [ "$IMG" -nt "$CLEANIMG" -a "$UPDATE" == "false" ]; then - echo "--> Using original $IMG... (UPDATE=false and qubized_image is newer than prepared_image)" -else - echo "--> Copying $CLEANIMG to $IMG..." - cp "$CLEANIMG" "$IMG" || exit 1 -fi +echo "--> Copying $CLEANIMG to $IMG..." +cp "$CLEANIMG" "$IMG" || exit 1 echo "--> Mounting $IMG" mkdir -p mnt diff --git a/scripts_debian/00_prepare.sh b/scripts_debian/00_prepare.sh index 03edeb5..e4eaad1 100755 --- a/scripts_debian/00_prepare.sh +++ b/scripts_debian/00_prepare.sh @@ -15,7 +15,6 @@ if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then else set -e fi - INSTALLDIR="$(readlink -m mnt)" umount_kill "$INSTALLDIR" || : @@ -29,15 +28,11 @@ customStep "$0" "pre" # ------------------------------------------------------------------------------ debug "Determine if $IMG should be reused or deleted..." if [ -f "$IMG" ]; then - mount -o loop "$IMG" "$INSTALLDIR" || exit 1 - # Assume a failed debootstrap installation if .prepare_debootstrap does not exist + mount -o loop "$IMG" "$INSTALLDIR" || exit 1 if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then - warn "Failed Image file $IMG already exists, deleting..." + warn "Last build failed. Deleting $IMG" rm -f "$IMG" - # Allow qubes to be updated - elif [ -f "$INSTALLDIR/tmp/.prepared_qubes" ]; then - rm "$INSTALLDIR/tmp/.prepared_qubes" fi # Umount image; don't fail if its already umounted 
From 86ca300413bcd9138f03bc68660507ccfc543b69 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 19 Oct 2014 04:23:19 -0400 Subject: [PATCH 20/83] Remove stale snapshots --- .../custom_wheezy_whonix/00_prepare_pre.sh | 19 +++++++++++++++---- .../01_install_core_post.sh | 2 +- .../02_install_groups_packages_installed.sh | 2 +- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh b/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh index 421eb2b..32bd835 100755 --- a/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh +++ b/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh @@ -41,9 +41,20 @@ INSTALLDIR="$(readlink -m mnt)" # Use a snapshot of the debootstraped debian image to install Whonix (for DEBUGGING) # ------------------------------------------------------------------------------ -copy_snapshot() { - warn "Copying $1 to $IMG" +manage_snapshot() { umount_kill "$INSTALLDIR" || : + + mount -o loop "$IMG" "$INSTALLDIR" || exit 1 + # Remove old snapshots if whonix completed + if [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then + warn "Removing stale snapshots" + umount_kill "$INSTALLDIR" || : + rm -rf "$debootstrap_snapshot" + rm -rf "$updated_snapshot" + return + fi + + warn "Copying $1 to $IMG" mount -o loop "$1" "$INSTALLDIR" || exit 1 rm -f "$INSTALLDIR/tmp/.prepared_groups" umount_kill "$INSTALLDIR" || : @@ -55,8 +66,8 @@ debootstrap_snapshot="${path_parts[dir]}${path_parts[base]}-debootstrap${path_pa updated_snapshot="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}" if [ -f "$updated_snapshot" ]; then - copy_snapshot "$updated_snapshot" + manage_snapshot "$updated_snapshot" elif [ -f "$debootstrap_snapshot" ]; then - copy_snapshot "$debootstrap_snapshot" + manage_snapshot "$debootstrap_snapshot" fi diff --git a/scripts_debian/custom_wheezy_whonix/01_install_core_post.sh b/scripts_debian/custom_wheezy_whonix/01_install_core_post.sh index db7ec1b..2c53338 100755 
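Review bot: On the copy path of `manage_snapshot`, `$IMG` is still loop-mounted on `$INSTALLDIR` from the `.prepared_whonix` check when `mount -o loop "$1" "$INSTALLDIR"` runs, so the snapshot is mounted on top of the image mount and `rm -f "$INSTALLDIR/tmp/.prepared_groups"` acts on whichever mount is on top; the stale-snapshot branch unmounts before returning, the normal branch does not. Add `umount_kill "$INSTALLDIR" || :` after the `if` block, before `warn "Copying $1 to $IMG"`. `rm -rf` on the two snapshot paths is broader than needed for regular files; `rm -f -- "${debootstrap_snapshot:?}"` avoids recursion and refuses to run when the variable is unset, and since both variables are assigned after the function body (visible further down the hunk) a comment noting they are globals resolved at call time would save a reader a double-take.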
--- a/scripts_debian/custom_wheezy_whonix/01_install_core_post.sh +++ b/scripts_debian/custom_wheezy_whonix/01_install_core_post.sh @@ -30,7 +30,7 @@ fi splitPath "$IMG" path_parts PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-debootstrap${path_parts[dotext]}" -if ! [ -f "$PREPARED_IMG" ]; then +if ! [ -f "$PREPARED_IMG" ] && ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then umount_kill "$INSTALLDIR" || : warn "Copying $IMG to $PREPARED_IMG" cp -f "$IMG" "$PREPARED_IMG" diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh index 4614f35..9f80039 100755 --- a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh @@ -24,7 +24,7 @@ if [ "$SNAPSHOT" == "1" ]; then splitPath "$IMG" path_parts PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}" - if ! [ -f "$PREPARED_IMG" ]; then + if ! [ -f "$PREPARED_IMG" ] && ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then umount_kill "$INSTALLDIR" || : warn "Copying $IMG to $PREPARED_IMG" cp -f "$IMG" "$PREPARED_IMG" From 60b7f2fa7a61a0c2adb439455182dcf6434c8552 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 19 Oct 2014 19:36:59 -0400 Subject: [PATCH 21/83] Added facl function to restore file permissions on files copied to image --- functions.sh | 51 +++- .../extra-whonix-files/.facl | 77 +++++ scripts_debian/extra-qubes-files/.facl | 273 ++++++++++++++++++ 3 files changed, 390 insertions(+), 11 deletions(-) create mode 100644 scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/.facl create mode 100644 scripts_debian/extra-qubes-files/.facl diff --git a/functions.sh b/functions.sh index 460ea6b..955f482 100755 --- a/functions.sh +++ b/functions.sh 
@@ -1,3 +1,6 @@
+#!/bin/bash
+# vim: set ts=4 sw=4 sts=4 et :
+
 ################################################################################
 # Global functions
 ################################################################################
@@ -168,24 +171,50 @@ customStep() { # ------------------------------------------------------------------------------ # Copy extra file tree to $INSTALLDIR +# +# To set file permissions is a PITA since git won't save them and will +# complain heavily if they are set to root only read, so this is the procdure: +# +# 1. Change to the directory that you want to have file permissions retained +# 2. Change all the file permissions / ownership as you want +# 3. Change back to the root of the exta directory (IE: extra-qubes-files) +# 4. getfacl -R . > ".facl" +# 5. If git complains; reset file ownership back to user. The .facl file stored +# the file permissions and will be used to reset the file permissions after +# they get copied over to $INSTALLDIR +# NOTE: Don't forget to redo this process if you add -OR- remove files # ------------------------------------------------------------------------------ copy_dirs() { - DIR="$1" - info "Entering Copy extra file tree to $INSTALLDIR..." + dir="$1" + install_dir="$(readlink -m ${INSTALLDIR})" + + info "copy_dirs(): ${install_dir}" if [ -n "${TEMPLATE_FLAVOR}" ]; then - CUSTOMDIR="$SCRIPTSDIR/custom_${DIST}_${TEMPLATE_FLAVOR}/${DIR}" + custom_dir="${SCRIPTSDIR}/custom_${DIST}_${TEMPLATE_FLAVOR}/${dir}" else - CUSTOMDIR="$SCRIPTSDIR/custom_${DIST}/${DIR}" + custom_dir="${SCRIPTSDIR}/custom_${DIST}/${dir}" fi - if [ -d "$CUSTOMDIR" ]; then - debug "Copying $CUSTOMDIR/* $INSTALLDIR..." 
- cp -rp "$CUSTOMDIR/"* "$INSTALLDIR" - elif [ -d "$SCRIPTSDIR/${DIR}" ]; then - debug "Copying $SCRIPTSDIR/${DIR}/* $INSTALLDIR" - cp -rp "$SCRIPTSDIR/${DIR}/"* "$INSTALLDIR" + if [ -d "${custom_dir}" ]; then + dir="${custom_dir}/" + elif [ -d "${SCRIPTSDIR}/${dir}" ]; then + dir="${SCRIPTSDIR}/${dir}/" else - debug "No extra files to copy" + debug "No extra files to copy for ${dir}" + return 0 + fi + + dir="$(readlink -m $dir)" + debug "Copying ${dir}/* ${install_dir}" + cp -rp "${dir}/"* "${install_dir}" + + if [ -f "${dir}/.facl" ]; then + debug "Restoring file permissions..." + pushd "$install_dir" + { + setfacl --restore="${dir}/.facl" 2>/dev/null ||: + } + popd fi } diff --git a/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/.facl b/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/.facl new file mode 100644 index 0000000..d047a8c --- /dev/null +++ b/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/.facl @@ -0,0 +1,77 @@ +# file: . +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/udev +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/udev/rules.d +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/udev/rules.d/99-qubes-whonix.rules +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: .facl +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: usr +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/setup-ip +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/replace-ips +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + 
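Review bot: The `setfacl --restore` that is supposed to give the copied tree its intended root ownership and modes runs with `2>/dev/null ||:`, so a missing `setfacl`, a stale `.facl`, or a record that refers to an uncopied file leaves every file in `$INSTALLDIR` with whatever `cp -rp` carried over from the git checkout (presumably the build user's uid) and the build carries on as if the lock-down had happened. Because this function exists precisely to restore root-only permissions on trees such as `etc/xen/scripts`, a failed restore should abort, and the `pushd`/`popd` chatter should go to `/dev/null` rather than the build log. `readlink -m ${INSTALLDIR}` and `readlink -m $dir` are also unquoted; quote both. Keep in mind that `getfacl` stores owner and group by name, so whatever `# owner:` a `.facl` carries is resolved against the build host's passwd at restore time.
```shell
    # … unchanged: directory resolution and cp -rp …
    if [ -f "${dir}/.facl" ]; then
        debug "Restoring file permissions..."
        pushd "${install_dir}" >/dev/null
        if ! setfacl --restore="${dir}/.facl"; then
            popd >/dev/null
            error "setfacl --restore failed for ${dir}/.facl; ownership and modes under ${install_dir} are not trustworthy"
            return 1
        fi
        popd >/dev/null
    fi
```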
diff --git a/scripts_debian/extra-qubes-files/.facl b/scripts_debian/extra-qubes-files/.facl
new file mode 100644
index 0000000..8e44ed9
--- /dev/null
+++ b/scripts_debian/extra-qubes-files/.facl
@@ -0,0 +1,273 @@ +# file: . +# owner: user +# group: user +user::rwx +group::r-x +other::r-x + +# file: etc +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/udev +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/udev/rules.d +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/udev/rules.d/xen-backend.rules +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/udev/rules.d/98-kexec.rules +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/xen +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/vif-bridge +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/vtpm-delete +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/vif2 +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/vtpm +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/external-device-migrate +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/vif-route-qubes +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/xen/scripts/network-nat +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/xen-hotplug-common.sh +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/vtpm-common.sh +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/vtpm-impl +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/locking.sh +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/xen-hotplug-cleanup +# owner: root +# group: root +user::rwx 
+group::--- +other::--- + +# file: etc/xen/scripts/xen-network-common.sh +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/block-nbd +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/block +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/hotplugpath.sh +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/vtpm-migration.sh +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/network-bridge +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/block-enbd +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/vif-common.sh +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/vif-setup +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/vif-nat +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/vif-route +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/vscsi +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/network-route +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/blktap +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/xen-script-common.sh +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/logging.sh +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/block-common.sh +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: etc/xen/scripts/vtpm-hotplug-common.sh +# owner: root +# group: root +user::rwx +group::--- +other::--- + +# file: .facl +# owner: user +# group: user +user::rwx +group::rwx +other::rwx 
+ From 5d3d538c920e2fc222bd8c87d05acd22a06cfa50 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Mon, 20 Oct 2014 12:25:31 -0400 Subject: [PATCH 22/83] need to be sudo to install template --- create_template_list.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/create_template_list.sh b/create_template_list.sh index 260d3aa..2ede209 100755 --- a/create_template_list.sh +++ b/create_template_list.sh @@ -32,9 +32,9 @@ write "" for file in ${files[@]}; do write "qvm-run --pass-io development-qubes 'cat ${path}/rpm/noarch/${file}' > ${file}" write "" - write "yum erase $(echo "$file" | sed -r "s/($VERSION).+$//")" + write "sudo yum erase $(echo "$file" | sed -r "s/($VERSION).+$//")" write "" - write "yum install ${file}" + write "sudo yum install ${file}" write "" write "" done From aef3f120972d0c1c186aa1d39706a934d190f510 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Mon, 20 Oct 2014 19:45:23 -0400 Subject: [PATCH 23/83] Make sure the logged in user name is used for su -c --- .../02_install_groups_packages_installed.sh | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh index 9f80039..186efd6 100755 --- a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh @@ -173,7 +173,7 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then # -------------------------------------------------------------------------- pushd "$WHONIX_DIR" { - su user -c "git submodule update --init --recursive" + su $(logname) -c "git submodule update --init --recursive" } popd 
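Review bot: The first record of this `.facl`, `# file: .` with `# owner: user` / `# group: user` and `user::rwx`, is a security defect rather than a cosmetic one: `setfacl --restore` is executed from `$INSTALLDIR`, so when it runs as root it chowns the image's root directory to the build host's `user`, and that directory stays owner-writable. In the resulting template whatever uid that name resolves to — presumably the same unprivileged `user` account Qubes templates ship with — can then rename or replace top-level directories such as `/etc`, which is a direct path to root. Regenerate the file after `chown root:root .` so the record reads `# owner: root` / `# group: root`, matching the whonix-gateway `.facl`, and drop the trailing `# file: .facl` record with `rwxrwxrwx`: `cp -rp "${dir}/"*` never copies dotfiles, so that entry can only produce an error.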
@@ -185,10 +185,10 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then checkout_branch() { branch=$(git symbolic-ref --short -q HEAD) if ! [ "$branch" == "$1" ]; then - su user -c git checkout "$1" >/dev/null 2>&1 || \ + su $(logname) -c git checkout "$1" >/dev/null 2>&1 || \ { - su user -c git branch "$1" - su user -c git checkout "$1" + su $(logname) -c git branch "$1" + su $(logname) -c git checkout "$1" } fi } @@ -218,10 +218,10 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then { cd "$WHONIX_DIR/packages/anon-meta-packages" : - #sudo -E -u user make deb-pkg || : - #su user -c "dpkg-source --commit" || : + #sudo -E -u $(logname) make deb-pkg || : + #su $(logname) -c "dpkg-source --commit" || : #git add . - #su user -c "git commit -am 'removed grub-pc depend'" + #su $(logname) -c "git commit -am 'removed grub-pc depend'" } || : } popd @@ -235,10 +235,10 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then search_replace "$search1" "$replace" 85_update_grub && \ { cd "$WHONIX_DIR/packages/anon-shared-build-fix-grub" - sudo -E -u user make deb-pkg || : - su user -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub" + sudo -E -u $(logname) make deb-pkg || : + su $(logname) -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub" #git add . - #su user -c "git commit -am 'removed grub-pc depend'" + #su $(logname) -c "git commit -am 'removed grub-pc depend'" } || : } popd From 82113fd174deef772d4e60b1b9e276428be082d7 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Mon, 20 Oct 2014 21:02:24 -0400 Subject: [PATCH 24/83] Added TODO list for cleaning up debian source tree --- scripts_debian/TODO | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 scripts_debian/TODO diff --git a/scripts_debian/TODO b/scripts_debian/TODO new file mode 100644 index 0000000..17a9484 --- /dev/null +++ b/scripts_debian/TODO 
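Review bot: `su $(logname) -c git checkout "$1"` never runs `git checkout`: `su` takes only `git` as the `-c` command string and hands `checkout` and `"$1"` to the spawned shell as positional parameters, so a bare `git` runs, prints its usage and exits non-zero; the `git branch "$1"` line has the same shape. That failure is then hidden by the `>/dev/null 2>&1 || { ... }` fallback, so the submodule silently stays on whatever branch it already had. Quote the whole command with the branch name escaped, e.g. `su "$(logname)" -c "git checkout $(printf '%q' "$1")"`, or skip the intermediate shell with `sudo -u "$(logname)" git checkout "$1"`. checkout_branch is complete within the hunk, but the `if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]` block around it is not.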
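Review bot: `$(logname)` is substituted unquoted into `sudo -E -u` and `su`, and `logname` prints nothing and fails when the session has no recorded login name (no controlling terminal, a chroot, a CI or cron runner), in which case `sudo -E -u make deb-pkg` treats `make` as the user and `su -c "..."` runs the command as root — the opposite of what this commit sets out to do — with both outcomes masked by `|| :`. Resolve the unprivileged user once, prefer `$SUDO_USER` when running under sudo, and abort if it is empty: `build_user="${SUDO_USER:-$(logname 2>/dev/null)}"` followed by `[ -n "$build_user" ] || { error "cannot determine unprivileged build user"; exit 1; }`, then use `"$build_user"` wherever these hunks use `$(logname)`. The enclosing `if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]` block starts and ends outside the hunk.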
@@ -0,0 +1,42 @@ +TODO: +----- + +- Move template flavors into own directories so scripts_dir wont be polluted + ../scripts_flavors/wheezy-whonix-gateway/ + + ../${TEMPLATE_FLAVOR_DIR}/${TEMPLATE_FLAVOR_PREFIX}[-]whonix-gateway/ + +# ------------------------------------------------------------------------------ +# - Make flavor directory have $DIST in name - to prevent it from bwing built +# incorrectly +# - Configuration option to choose alternate location of flavor directory +# - Configuration option to use custom $DIST- prefix (for generic flavors) +# - Take into consideration that multiple templates will build at once so we +# need to set a custom prefix like this: +# ------------------------------------------------------------------------------ + +# - Would use the prefix of 'debian' which would allow same script to be used for +# all 'debian' based builds, or it could have been set as +# 'wheezy+whonix-gateway::' to use a script destined for any distro +TEMPLATE_FLAVOR_PREFIX = wheezy+whonix-gateway::debian \ + wheezy+whonix-workstation::debian + +# Alternate location for template flavor scripts +TEMPLATE_FLAVOR_DIR = wheezy+whonix-gateway::/home/user/whonix/gateway \ + wheezy+whonix-workstation::/home/usr/whonix/workstation + +- allow access to multiple flavor options .. 
say gnome for whonix-workstation + wheezy+whonix-workstation+gnome+more + +# ------------------------------------------------------------------------------ +# - TEMPLATE_OPTIONS will be iterated and each entry treated as if it was its +# own flavor, but to override you must include base flavor name: +# ------------------------------------------------------------------------------ + +# Would use same FLAVOR for all distros for whonix-workstation+gnome +TEMPLATE_FLAVOR_PREFIX = wheezy+whonix-workstation+gnome:: + +# - Template Flavors are in /home/user/whoix/gnome for wheezy+whonix-workstation+gnome +# - DISTS_VM is still lists all OPTIONAL flavors though +TEMPLATE_FLAVOR_DIR = wheezy+whonix-workstation+gnome::/home/usr/whonix/gnome + From f597ff760f147db99947f4cbc565acfd080d1bb2 Mon Sep 17 00:00:00 2001 
From: Jason Mehring Date: Tue, 21 Oct 2014 09:12:05 -0400 Subject: [PATCH 25/83] Added ability to be able to relocate TEMPLATE_FLAVORS to any directory via configuration file Added ability to specify more than one TEMPLATE_FLAVOR (Primary plus others) Added ability for all TEMPLATE_FLAVORS and others to be able to hook into scripts (pre / post) Added tests for above functionality With these changes TEMPLATE_FLAVORS can be self contained and not pollute code space --- functions.sh | 173 +++-- .../00_prepare_pre.sh | 1 - .../01_install_core_post.sh | 1 - .../02_install_groups_packages_installed.sh | 1 - .../04_install_qubes_post.sh | 1 - .../00_prepare_pre.sh | 1 - .../01_install_core_post.sh | 1 - .../02_install_groups_packages_installed.sh | 1 - .../04_install_qubes_post.sh | 1 - .../wheezy+whonix-gateway/00_prepare_pre.sh | 1 + .../01_install_core_post.sh | 1 + .../02_install_groups_packages_installed.sh | 1 + .../04_install_qubes_post.sh | 1 + .../99_custom_configuration.sh | 0 .../extra-whonix-files/.facl | 0 .../etc/udev/rules.d/99-qubes-whonix.rules | 0 .../usr/lib/whonix/replace-ips | 0 .../usr/lib/whonix/setup-ip | 0 .../00_prepare_pre.sh | 1 + .../01_install_core_post.sh | 1 + .../02_install_groups_packages_installed.sh | 1 + .../04_install_qubes_post.sh | 1 + .../99_custom_configuration.sh | 0 .../00_prepare_pre.sh | 0 .../01_install_core_post.sh | 0 .../02_install_groups_packages_installed.sh | 0 .../04_install_qubes_post.sh | 0 tests/assert/.travis.yml | 4 + tests/assert/COPYING | 674 ++++++++++++++++++ tests/assert/COPYING.LESSER | 165 +++++ tests/assert/README.rst | 176 +++++ tests/assert/assert.sh | 148 ++++ tests/assert/tests.sh | 121 ++++ .../TODO => tests/template-flavors/NOTES | 14 +- .../wheezy+whonix-gateway+gnome/test_pre.sh | 4 + .../wheezy+whonix-gateway/test_pre.sh | 4 + .../debian+whonix-gateway+gnome/test_pre.sh | 4 + .../debian+whonix-gateway/test_pre.sh | 4 + tests/template-flavors/test.sh | 162 +++++ 
.../template-flavors/test_copy_location/test1 | 0 .../template-flavors/test_copy_location/test2 | 0 .../template-flavors/test_copy_location/test3 | 0 tests/template-flavors/test_pre.sh | 4 + .../wheezy+whonix-gateway+gnome/test_pre.sh | 4 + .../wheezy+whonix-gateway/files/test1 | 0 .../wheezy+whonix-gateway/files/test2 | 0 .../wheezy+whonix-gateway/files/test3 | 0 .../wheezy+whonix-gateway/test_pre.sh | 4 + tests/template-flavors/wheezy/test_pre.sh | 4 + .../whonix-gateway+gnome/test_pre.sh | 4 + .../whonix-gateway/test_pre.sh | 4 + 51 files changed, 1635 insertions(+), 58 deletions(-) delete mode 120000 scripts_debian/custom_wheezy_whonix-gateway/00_prepare_pre.sh delete mode 120000 scripts_debian/custom_wheezy_whonix-gateway/01_install_core_post.sh delete mode 120000 scripts_debian/custom_wheezy_whonix-gateway/02_install_groups_packages_installed.sh delete mode 120000 scripts_debian/custom_wheezy_whonix-gateway/04_install_qubes_post.sh delete mode 120000 scripts_debian/custom_wheezy_whonix-workstation/00_prepare_pre.sh delete mode 120000 scripts_debian/custom_wheezy_whonix-workstation/01_install_core_post.sh delete mode 120000 scripts_debian/custom_wheezy_whonix-workstation/02_install_groups_packages_installed.sh delete mode 120000 scripts_debian/custom_wheezy_whonix-workstation/04_install_qubes_post.sh create mode 120000 scripts_debian/wheezy+whonix-gateway/00_prepare_pre.sh create mode 120000 scripts_debian/wheezy+whonix-gateway/01_install_core_post.sh create mode 120000 scripts_debian/wheezy+whonix-gateway/02_install_groups_packages_installed.sh create mode 120000 scripts_debian/wheezy+whonix-gateway/04_install_qubes_post.sh rename scripts_debian/{custom_wheezy_whonix-gateway => wheezy+whonix-gateway}/99_custom_configuration.sh (100%) rename scripts_debian/{custom_wheezy_whonix-gateway => wheezy+whonix-gateway}/extra-whonix-files/.facl (100%) rename scripts_debian/{custom_wheezy_whonix-gateway => 
wheezy+whonix-gateway}/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules (100%) rename scripts_debian/{custom_wheezy_whonix-gateway => wheezy+whonix-gateway}/extra-whonix-files/usr/lib/whonix/replace-ips (100%) rename scripts_debian/{custom_wheezy_whonix-gateway => wheezy+whonix-gateway}/extra-whonix-files/usr/lib/whonix/setup-ip (100%) create mode 120000 scripts_debian/wheezy+whonix-workstation/00_prepare_pre.sh create mode 120000 scripts_debian/wheezy+whonix-workstation/01_install_core_post.sh create mode 120000 scripts_debian/wheezy+whonix-workstation/02_install_groups_packages_installed.sh create mode 120000 scripts_debian/wheezy+whonix-workstation/04_install_qubes_post.sh rename scripts_debian/{custom_wheezy_whonix-workstation => wheezy+whonix-workstation}/99_custom_configuration.sh (100%) rename scripts_debian/{custom_wheezy_whonix => wheezy+whonix}/00_prepare_pre.sh (100%) rename scripts_debian/{custom_wheezy_whonix => wheezy+whonix}/01_install_core_post.sh (100%) rename scripts_debian/{custom_wheezy_whonix => wheezy+whonix}/02_install_groups_packages_installed.sh (100%) rename scripts_debian/{custom_wheezy_whonix => wheezy+whonix}/04_install_qubes_post.sh (100%) create mode 100644 tests/assert/.travis.yml create mode 100644 tests/assert/COPYING create mode 100644 tests/assert/COPYING.LESSER create mode 100644 tests/assert/README.rst create mode 100644 tests/assert/assert.sh create mode 100755 tests/assert/tests.sh rename scripts_debian/TODO => tests/template-flavors/NOTES (76%) create mode 100755 tests/template-flavors/another_location/wheezy+whonix-gateway+gnome/test_pre.sh create mode 100755 tests/template-flavors/another_location/wheezy+whonix-gateway/test_pre.sh create mode 100755 tests/template-flavors/debian+whonix-gateway+gnome/test_pre.sh create mode 100755 tests/template-flavors/debian+whonix-gateway/test_pre.sh create mode 100755 tests/template-flavors/test.sh create mode 100644 tests/template-flavors/test_copy_location/test1 create mode 
100644 tests/template-flavors/test_copy_location/test2 create mode 100644 tests/template-flavors/test_copy_location/test3 create mode 100755 tests/template-flavors/test_pre.sh create mode 100755 tests/template-flavors/wheezy+whonix-gateway+gnome/test_pre.sh create mode 100644 tests/template-flavors/wheezy+whonix-gateway/files/test1 create mode 100644 tests/template-flavors/wheezy+whonix-gateway/files/test2 create mode 100644 tests/template-flavors/wheezy+whonix-gateway/files/test3 create mode 100755 tests/template-flavors/wheezy+whonix-gateway/test_pre.sh create mode 100755 tests/template-flavors/wheezy/test_pre.sh create mode 100755 tests/template-flavors/whonix-gateway+gnome/test_pre.sh create mode 100755 tests/template-flavors/whonix-gateway/test_pre.sh diff --git a/functions.sh b/functions.sh index 955f482..8124ac6 100755 --- a/functions.sh +++ b/functions.sh @@ -73,22 +73,21 @@ fi # Display messages in color # ------------------------------------------------------------------------------ info() { - echo "${bold}${blue}INFO: ${1}${reset}" + [[ -z $TEST ]] && echo -e "${bold}${blue}INFO: ${1}${reset}" || : } debug() { - echo "${bold}${green}DEBUG: ${1}${reset}" + [[ -z $TEST ]] && echo -e "${bold}${green}DEBUG: ${1}${reset}" || : } warn() { - echo "${stout}${yellow}WARNING: ${1}${reset}" + [[ -z $TEST ]] && echo -e "${stout}${yellow}WARNING: ${1}${reset}" || : } error() { - echo "${bold}${red}ERROR: ${1}${reset}" + [[ -z $TEST ]] && echo -e "${bold}${red}ERROR: ${1}${reset}" || : } - # ------------------------------------------------------------------------------ # Takes an array and exports it a global variable # 
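Review bot: `error()` and `warn()` are now fully muted whenever `$TEST` is set, so a failure during a test run leaves no trace, and all four helpers still write to stdout, where the `[[ -z $TEST ]]` guard appears to exist only so that tests can capture the script path `customStepExec` prints. Sending diagnostics to stderr achieves that without silencing errors: `[[ -n $TEST ]] || printf '%s\n' "${bold}${red}ERROR: ${1}${reset}" >&2`, and likewise for the other three. The switch from `echo` to `echo -e` also means backslash sequences inside a message — a path or package name, for instance — are now interpreted, which `printf '%s\n'` avoids.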
@@ -141,64 +140,62 @@ splitPath() { setArrayAsGlobal PARTS $return_global_var } - -# ------------------------------------------------------------------------------ -# Executes any additional optional configuration steps if the configuration -# scripts exist -# ------------------------------------------------------------------------------ -customStep() { - info "Checking for any custom $2 configuration scripts for $1..." - splitPath "$1" path_parts - if [ "$2" ]; then - script_name="${path_parts[base]}_$2${path_parts[dotext]}" +customStepExec() { + local calling_script="$1" + local step="$2" + local template_flavor="$3" + local template_flavor_dir="$4" + local template_flavor_prefix="$5" + + [[ -z $TEST ]] && echo "Calling script: ${calling_script}" || : + [[ -z $TEST ]] && echo "Step: ${step}" || : + [[ -z $TEST ]] && echo "Template Flavor: ${template_flavor}" || : + [[ -z $TEST ]] && echo "Template Dir: ${template_flavor_dir}" || : + [[ -z $TEST ]] && echo "Template Prefix: ${template_flavor_prefix}" || : + + splitPath "${calling_script}" path_parts + + # Step: [pre] | [post] (or custom inserted step) + if [ "${step}" ]; then + script_name="${path_parts[base]}_${step}${path_parts[dotext]}" else script_name="${path_parts[base]}${path_parts[dotext]}" fi - if [ -n "${TEMPLATE_FLAVOR}" ]; then - script="$SCRIPTSDIR/custom_${DIST}_${TEMPLATE_FLAVOR}/${script_name}" + if [ -n "${template_flavor}" ]; then + script="${template_flavor_dir}/${template_flavor_prefix}${template_flavor}/${script_name}" else - script="$SCRIPTSDIR/custom_${DIST}/${script_name}" + script="${template_flavor_dir}/${template_flavor_prefix}/${script_name}" fi if [ -f "$script" ]; then - echo "${bold}${under}INFO: Currently running script: ${script}${reset}" + [[ -n $TEST ]] && echo "${script}" || echo "${bold}${under}INFO: Currently running script: ${script}${reset}" "$script" + else + [[ -z $TEST ]] && debug "${bold}INFO: No CustomStep found for: ${script}${reset}" || : fi } - -# 
------------------------------------------------------------------------------ -# Copy extra file tree to $INSTALLDIR -# -# To set file permissions is a PITA since git won't save them and will -# complain heavily if they are set to root only read, so this is the procdure: -# -# 1. Change to the directory that you want to have file permissions retained -# 2. Change all the file permissions / ownership as you want -# 3. Change back to the root of the exta directory (IE: extra-qubes-files) -# 4. getfacl -R . > ".facl" -# 5. If git complains; reset file ownership back to user. The .facl file stored -# the file permissions and will be used to reset the file permissions after -# they get copied over to $INSTALLDIR -# NOTE: Don't forget to redo this process if you add -OR- remove files -# ------------------------------------------------------------------------------ -copy_dirs() { - dir="$1" - install_dir="$(readlink -m ${INSTALLDIR})" +customCopy() { + local calling_script="$1" + local dir="$2" + local template_flavor="$3" + local template_flavor_dir="$4" + local template_flavor_prefix="$5" + local install_dir="$(readlink -m ${INSTALLDIR})" info "copy_dirs(): ${install_dir}" - if [ -n "${TEMPLATE_FLAVOR}" ]; then - custom_dir="${SCRIPTSDIR}/custom_${DIST}_${TEMPLATE_FLAVOR}/${dir}" + if [ -n "${template_flavor}" ]; then + custom_dir="${template_flavor_dir}/${template_flavor_prefix}${template_flavor}/${dir}" else - custom_dir="${SCRIPTSDIR}/custom_${DIST}/${dir}" + custom_dir="${template_flavor_dir}/${template_flavor_prefix}/${dir}" fi if [ -d "${custom_dir}" ]; then dir="${custom_dir}/" - elif [ -d "${SCRIPTSDIR}/${dir}" ]; then - dir="${SCRIPTSDIR}/${dir}/" + elif [ -d "${template_flavor_dir}/${dir}" ]; then + dir="${template_flavor_dir}/${dir}/" else debug "No extra files to copy for ${dir}" return 0 
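Review bot: `customStepExec` runs `"$script"` and discards its exit status, so a hook that aborts part-way (a failing `*_post.sh`, say) does not stop the build and the next step proceeds on a partially configured image; add `"$script" || { error "Custom step ${script} failed"; return 1; }` after the invocation, or check `$?` explicitly if some caller depends on the current behaviour. The hook path is assembled from `template_flavor_dir`, `template_flavor_prefix` and the flavor name with no normalisation, so a flavor name containing `/` or `..` points the build — which runs as root over the image — at a script outside the flavor tree; rejecting anything that is not a single path component is cheap insurance, though I cannot see how flavor names are validated upstream. In `customCopy`, `readlink -m ${INSTALLDIR}` is unquoted. customCopy continues past the end of the hunk.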
@@ -218,5 +215,95 @@ copy_dirs() { fi } +templateFlavor() { + local template=${TEMPLATE_FLAVOR} + local default="${SCRIPTSDIR}" + + echo ${template:-${default}} +} + +templateFlavorPrefix() { + local template=${1-${TEMPLATE_FLAVOR}} + for element in "${TEMPLATE_FLAVOR_PREFIX[@]}" + do + if [ "${element%;*}" == "${DIST}+${template}" ]; then + echo ${element#*;} + return + fi + done + + echo "${DIST}${TEMPLATE_FLAVOR:++}" +} + +templateFlavorDir() { + local template=${1-${TEMPLATE_FLAVOR}} + for element in "${TEMPLATE_FLAVOR_DIR[@]}" + do + if [ "${element%;*}" == "${DIST}+${template}" ]; then + echo ${element#*;} + return + fi + done + + echo "${SCRIPTDIR}" +} + +customParse() { + local calling_script="$1" + local step="$2" + local functionExec="$3" + local template_flavor="$(templateFlavor)" + local template_flavor_dir="$(templateFlavorDir ${template_flavor})" + local template_flavor_prefix="$(templateFlavorPrefix ${template_flavor})" + + ${functionExec} "${calling_script}" \ + "${step}" \ + "${template_flavor}" \ + "${template_flavor_dir}" \ + "${template_flavor_prefix}" + + + for template in ${TEMPLATE_OPTIONS[@]} + do + template_flavor="$(templateFlavor)+${template}" + template_flavor_dir="$(templateFlavorDir ${template_flavor})" + template_flavor_prefix="$(templateFlavorPrefix ${template_flavor})" + + ${functionExec} "${calling_script}" \ + "${step}" \ + "${template_flavor}" \ + "${template_flavor_dir}" \ + "${template_flavor_prefix}" + done +} + +# ------------------------------------------------------------------------------ +# Executes any additional optional configuration steps if the configuration +# scripts exist +# ------------------------------------------------------------------------------ +customStep() { + customParse "$1" "$2" "customStepExec" +} + +# ------------------------------------------------------------------------------ +# Copy extra file tree to $INSTALLDIR +# TODO: Allow copy per step (04_install_qubes.sh-files) +# +# To set file 
permissions is a PITA since git won't save them and will +# complain heavily if they are set to root only read, so this is the procdure: +# +# 1. Change to the directory that you want to have file permissions retained +# 2. Change all the file permissions / ownership as you want +# 3. Change back to the root of the exta directory (IE: extra-qubes-files) +# 4. getfacl -R . > ".facl" +# 5. If git complains; reset file ownership back to user. The .facl file stored +# the file permissions and will be used to reset the file permissions after +# they get copied over to $INSTALLDIR +# NOTE: Don't forget to redo this process if you add -OR- remove files +# ------------------------------------------------------------------------------ +copy_dirs() { + customParse "" "$1" "customCopy" +} + # $0 is module that sourced vars.sh echo "${bold}${under}INFO: Currently running script: ${0}${reset}" diff --git a/scripts_debian/custom_wheezy_whonix-gateway/00_prepare_pre.sh b/scripts_debian/custom_wheezy_whonix-gateway/00_prepare_pre.sh deleted file mode 120000 index 9ad8e72..0000000 --- a/scripts_debian/custom_wheezy_whonix-gateway/00_prepare_pre.sh +++ /dev/null @@ -1 +0,0 @@ -../custom_wheezy_whonix/00_prepare_pre.sh \ No newline at end of file diff --git a/scripts_debian/custom_wheezy_whonix-gateway/01_install_core_post.sh b/scripts_debian/custom_wheezy_whonix-gateway/01_install_core_post.sh deleted file mode 120000 index ba75217..0000000 --- a/scripts_debian/custom_wheezy_whonix-gateway/01_install_core_post.sh +++ /dev/null @@ -1 +0,0 @@ -../custom_wheezy_whonix/01_install_core_post.sh \ No newline at end of file diff --git a/scripts_debian/custom_wheezy_whonix-gateway/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix-gateway/02_install_groups_packages_installed.sh deleted file mode 120000 index 282b083..0000000 --- a/scripts_debian/custom_wheezy_whonix-gateway/02_install_groups_packages_installed.sh +++ /dev/null 
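Review bot: `templateFlavorDir` falls back to `"${SCRIPTDIR}"` while everything else in this file uses `SCRIPTSDIR` (`templateFlavor` defaults to `"${SCRIPTSDIR}"` a few lines above); if `SCRIPTDIR` is not defined elsewhere, the default flavor directory is empty and the hook paths built in `customStepExec` resolve under the filesystem root as `/wheezy+…/…`. `templateFlavor` itself defaults to the scripts directory path rather than an empty string when `TEMPLATE_FLAVOR` is unset, which makes the `[ -n "${template_flavor}" ]` branch in `customStepExec`/`customCopy` always take the flavor form and embed that whole path into the lookup — presumably `local default=""` was intended, but the tests that pin this are not visible here. `for template in ${TEMPLATE_OPTIONS[@]}` and the `echo ${element#*;}` / `echo ${template:-${default}}` expansions are also unquoted and will word-split or glob on names containing spaces or `*`.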
@@ -1 +0,0 @@
-../custom_wheezy_whonix/02_install_groups_packages_installed.sh
\ No newline at end of file
diff --git a/scripts_debian/custom_wheezy_whonix-gateway/04_install_qubes_post.sh b/scripts_debian/custom_wheezy_whonix-gateway/04_install_qubes_post.sh
deleted file mode 120000
index 2ee5337..0000000
--- a/scripts_debian/custom_wheezy_whonix-gateway/04_install_qubes_post.sh
+++ /dev/null
@@ -1 +0,0 @@
-../custom_wheezy_whonix/04_install_qubes_post.sh
\ No newline at end of file
diff --git a/scripts_debian/custom_wheezy_whonix-workstation/00_prepare_pre.sh b/scripts_debian/custom_wheezy_whonix-workstation/00_prepare_pre.sh
deleted file mode 120000
index 9ad8e72..0000000
--- a/scripts_debian/custom_wheezy_whonix-workstation/00_prepare_pre.sh
+++ /dev/null
@@ -1 +0,0 @@
-../custom_wheezy_whonix/00_prepare_pre.sh
\ No newline at end of file
diff --git a/scripts_debian/custom_wheezy_whonix-workstation/01_install_core_post.sh b/scripts_debian/custom_wheezy_whonix-workstation/01_install_core_post.sh
deleted file mode 120000
index ba75217..0000000
--- a/scripts_debian/custom_wheezy_whonix-workstation/01_install_core_post.sh
+++ /dev/null
@@ -1 +0,0 @@
-../custom_wheezy_whonix/01_install_core_post.sh
\ No newline at end of file
diff --git a/scripts_debian/custom_wheezy_whonix-workstation/02_install_groups_packages_installed.sh b/scripts_debian/custom_wheezy_whonix-workstation/02_install_groups_packages_installed.sh
deleted file mode 120000
index 282b083..0000000
--- a/scripts_debian/custom_wheezy_whonix-workstation/02_install_groups_packages_installed.sh
+++ /dev/null
@@ -1 +0,0 @@
-../custom_wheezy_whonix/02_install_groups_packages_installed.sh
\ No newline at end of file
diff --git a/scripts_debian/custom_wheezy_whonix-workstation/04_install_qubes_post.sh b/scripts_debian/custom_wheezy_whonix-workstation/04_install_qubes_post.sh
deleted file mode 120000
index 2ee5337..0000000
--- a/scripts_debian/custom_wheezy_whonix-workstation/04_install_qubes_post.sh
+++ /dev/null
@@ -1 +0,0 @@
-../custom_wheezy_whonix/04_install_qubes_post.sh
\ No newline at end of file
diff --git a/scripts_debian/wheezy+whonix-gateway/00_prepare_pre.sh b/scripts_debian/wheezy+whonix-gateway/00_prepare_pre.sh
new file mode 120000
index 0000000..d1f0dd6
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/00_prepare_pre.sh
@@ -0,0 +1 @@
+../wheezy+whonix/00_prepare_pre.sh
\ No newline at end of file
diff --git a/scripts_debian/wheezy+whonix-gateway/01_install_core_post.sh b/scripts_debian/wheezy+whonix-gateway/01_install_core_post.sh
new file mode 120000
index 0000000..3524b69
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/01_install_core_post.sh
@@ -0,0 +1 @@
+../wheezy+whonix/01_install_core_post.sh
\ No newline at end of file
diff --git a/scripts_debian/wheezy+whonix-gateway/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix-gateway/02_install_groups_packages_installed.sh
new file mode 120000
index 0000000..4b74627
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/02_install_groups_packages_installed.sh
@@ -0,0 +1 @@
+../wheezy+whonix/02_install_groups_packages_installed.sh
\ No newline at end of file
diff --git a/scripts_debian/wheezy+whonix-gateway/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix-gateway/04_install_qubes_post.sh
new file mode 120000
index 0000000..db7d12f
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/04_install_qubes_post.sh
@@ -0,0 +1 @@
+../wheezy+whonix/04_install_qubes_post.sh
\ No newline at end of file
diff --git a/scripts_debian/custom_wheezy_whonix-gateway/99_custom_configuration.sh b/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh
similarity index 100%
rename from scripts_debian/custom_wheezy_whonix-gateway/99_custom_configuration.sh
rename to scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh
diff --git a/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/.facl b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/.facl
similarity index 100%
rename from scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/.facl
rename to scripts_debian/wheezy+whonix-gateway/extra-whonix-files/.facl
diff --git a/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules
similarity index 100%
rename from scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules
rename to scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules
diff --git a/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/usr/lib/whonix/replace-ips
similarity index 100%
rename from scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/usr/lib/whonix/replace-ips
rename to scripts_debian/wheezy+whonix-gateway/extra-whonix-files/usr/lib/whonix/replace-ips
diff --git a/scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/usr/lib/whonix/setup-ip
similarity index 100%
rename from scripts_debian/custom_wheezy_whonix-gateway/extra-whonix-files/usr/lib/whonix/setup-ip
rename to scripts_debian/wheezy+whonix-gateway/extra-whonix-files/usr/lib/whonix/setup-ip
diff --git a/scripts_debian/wheezy+whonix-workstation/00_prepare_pre.sh b/scripts_debian/wheezy+whonix-workstation/00_prepare_pre.sh
new file mode 120000
index 0000000..d1f0dd6
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/00_prepare_pre.sh
@@ -0,0 +1 @@
+../wheezy+whonix/00_prepare_pre.sh
\ No newline at end of file
diff --git a/scripts_debian/wheezy+whonix-workstation/01_install_core_post.sh b/scripts_debian/wheezy+whonix-workstation/01_install_core_post.sh
new file mode 120000
index 0000000..3524b69
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/01_install_core_post.sh
@@ -0,0 +1 @@
+../wheezy+whonix/01_install_core_post.sh
\ No newline at end of file
diff --git a/scripts_debian/wheezy+whonix-workstation/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix-workstation/02_install_groups_packages_installed.sh
new file mode 120000
index 0000000..4b74627
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/02_install_groups_packages_installed.sh
@@ -0,0 +1 @@
+../wheezy+whonix/02_install_groups_packages_installed.sh
\ No newline at end of file
diff --git a/scripts_debian/wheezy+whonix-workstation/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix-workstation/04_install_qubes_post.sh
new file mode 120000
index 0000000..db7d12f
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/04_install_qubes_post.sh
@@ -0,0 +1 @@
+../wheezy+whonix/04_install_qubes_post.sh
\ No newline at end of file
diff --git a/scripts_debian/custom_wheezy_whonix-workstation/99_custom_configuration.sh b/scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh
similarity index 100%
rename from scripts_debian/custom_wheezy_whonix-workstation/99_custom_configuration.sh
rename to scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh
diff --git a/scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh b/scripts_debian/wheezy+whonix/00_prepare_pre.sh
similarity index 100%
rename from scripts_debian/custom_wheezy_whonix/00_prepare_pre.sh
rename to scripts_debian/wheezy+whonix/00_prepare_pre.sh
diff --git a/scripts_debian/custom_wheezy_whonix/01_install_core_post.sh b/scripts_debian/wheezy+whonix/01_install_core_post.sh
similarity index 100%
rename from scripts_debian/custom_wheezy_whonix/01_install_core_post.sh
rename to scripts_debian/wheezy+whonix/01_install_core_post.sh
diff --git a/scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh
similarity index 100%
rename from scripts_debian/custom_wheezy_whonix/02_install_groups_packages_installed.sh
rename to scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh
diff --git a/scripts_debian/custom_wheezy_whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh
similarity index 100%
rename from scripts_debian/custom_wheezy_whonix/04_install_qubes_post.sh
rename to scripts_debian/wheezy+whonix/04_install_qubes_post.sh
diff --git a/tests/assert/.travis.yml b/tests/assert/.travis.yml
new file mode 100644
index 0000000..4cb26a2
--- /dev/null
+++ b/tests/assert/.travis.yml
@@ -0,0 +1,4 @@
+language: bash
+script: bash tests.sh
+before_install:
+ - sudo apt-get install bc
diff --git a/tests/assert/COPYING b/tests/assert/COPYING
new file mode 100644
index 0000000..94a9ed0
--- /dev/null
+++ b/tests/assert/COPYING
@@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. 
+ + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. 
+ + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. 
+ + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. 
Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. 
+ + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. 
This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. 
+ + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. 
+ + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. 
+ + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. 
If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. 
If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. 
+ + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. 
For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. 
+ + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. 
You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. 
The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. 
+ + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/tests/assert/COPYING.LESSER b/tests/assert/COPYING.LESSER new file mode 100644 index 0000000..cca7fc2 --- /dev/null 
+++ b/tests/assert/COPYING.LESSER 
@@ -0,0 +1,165 @@ + GNU LESSER GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + + This version of the GNU Lesser General Public License incorporates +the terms and conditions of version 3 of the GNU General Public +License, supplemented by the additional permissions listed below. + + 0. Additional Definitions. + + As used herein, "this License" refers to version 3 of the GNU Lesser +General Public License, and the "GNU GPL" refers to version 3 of the GNU +General Public License. + + "The Library" refers to a covered work governed by this License, +other than an Application or a Combined Work as defined below. + + An "Application" is any work that makes use of an interface provided +by the Library, but which is not otherwise based on the Library. +Defining a subclass of a class defined by the Library is deemed a mode +of using an interface provided by the Library. + + A "Combined Work" is a work produced by combining or linking an +Application with the Library. The particular version of the Library +with which the Combined Work was made is also called the "Linked +Version". + + The "Minimal Corresponding Source" for a Combined Work means the +Corresponding Source for the Combined Work, excluding any source code +for portions of the Combined Work that, considered in isolation, are +based on the Application, and not on the Linked Version. + + The "Corresponding Application Code" for a Combined Work means the +object code and/or source code for the Application, including any data +and utility programs needed for reproducing the Combined Work from the +Application, but excluding the System Libraries of the Combined Work. + + 1. Exception to Section 3 of the GNU GPL. + + You may convey a covered work under sections 3 and 4 of this License +without being bound by section 3 of the GNU GPL. 
+ + 2. Conveying Modified Versions. + + If you modify a copy of the Library, and, in your modifications, a +facility refers to a function or data to be supplied by an Application +that uses the facility (other than as an argument passed when the +facility is invoked), then you may convey a copy of the modified +version: + + a) under this License, provided that you make a good faith effort to + ensure that, in the event an Application does not supply the + function or data, the facility still operates, and performs + whatever part of its purpose remains meaningful, or + + b) under the GNU GPL, with none of the additional permissions of + this License applicable to that copy. + + 3. Object Code Incorporating Material from Library Header Files. + + The object code form of an Application may incorporate material from +a header file that is part of the Library. You may convey such object +code under terms of your choice, provided that, if the incorporated +material is not limited to numerical parameters, data structure +layouts and accessors, or small macros, inline functions and templates +(ten or fewer lines in length), you do both of the following: + + a) Give prominent notice with each copy of the object code that the + Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the object code with a copy of the GNU GPL and this license + document. + + 4. Combined Works. + + You may convey a Combined Work under terms of your choice that, +taken together, effectively do not restrict modification of the +portions of the Library contained in the Combined Work and reverse +engineering for debugging such modifications, if you also do each of +the following: + + a) Give prominent notice with each copy of the Combined Work that + the Library is used in it and that the Library and its use are + covered by this License. + + b) Accompany the Combined Work with a copy of the GNU GPL and this license + document. 
+ + c) For a Combined Work that displays copyright notices during + execution, include the copyright notice for the Library among + these notices, as well as a reference directing the user to the + copies of the GNU GPL and this license document. + + d) Do one of the following: + + 0) Convey the Minimal Corresponding Source under the terms of this + License, and the Corresponding Application Code in a form + suitable for, and under terms that permit, the user to + recombine or relink the Application with a modified version of + the Linked Version to produce a modified Combined Work, in the + manner specified by section 6 of the GNU GPL for conveying + Corresponding Source. + + 1) Use a suitable shared library mechanism for linking with the + Library. A suitable mechanism is one that (a) uses at run time + a copy of the Library already present on the user's computer + system, and (b) will operate properly with a modified version + of the Library that is interface-compatible with the Linked + Version. + + e) Provide Installation Information, but only if you would otherwise + be required to provide such information under section 6 of the + GNU GPL, and only to the extent that such information is + necessary to install and execute a modified version of the + Combined Work produced by recombining or relinking the + Application with a modified version of the Linked Version. (If + you use option 4d0, the Installation Information must accompany + the Minimal Corresponding Source and Corresponding Application + Code. If you use option 4d1, you must provide the Installation + Information in the manner specified by section 6 of the GNU GPL + for conveying Corresponding Source.) + + 5. Combined Libraries. 
+ + You may place library facilities that are a work based on the +Library side by side in a single library together with other library +facilities that are not Applications and are not covered by this +License, and convey such a combined library under terms of your +choice, if you do both of the following: + + a) Accompany the combined library with a copy of the same work based + on the Library, uncombined with any other library facilities, + conveyed under the terms of this License. + + b) Give prominent notice with the combined library that part of it + is a work based on the Library, and explaining where to find the + accompanying uncombined form of the same work. + + 6. Revised Versions of the GNU Lesser General Public License. + + The Free Software Foundation may publish revised and/or new versions +of the GNU Lesser General Public License from time to time. Such new +versions will be similar in spirit to the present version, but may +differ in detail to address new problems or concerns. + + Each version is given a distinguishing version number. If the +Library as you received it specifies that a certain numbered version +of the GNU Lesser General Public License "or any later version" +applies to it, you have the option of following the terms and +conditions either of that published version or of any later version +published by the Free Software Foundation. If the Library as you +received it does not specify a version number of the GNU Lesser +General Public License, you may choose any version of the GNU Lesser +General Public License ever published by the Free Software Foundation. + + If the Library as you received it specifies that a proxy can decide +whether future versions of the GNU Lesser General Public License shall +apply, that proxy's public statement of acceptance of any version is +permanent authorization for you to choose that version for the +Library. 
diff --git a/tests/assert/README.rst b/tests/assert/README.rst new file mode 100644 index 0000000..f2630b4 --- /dev/null +++ b/tests/assert/README.rst 
@@ -0,0 +1,176 @@ +########### + assert.sh +########### + +**assert.sh** is test-driven development in the Bourne again shell. + +:Version: 1.0.2 +:Author: Robert Lehmann +:License: LGPLv3 +:Requirements: `bc -- an arbitrary precision calculator language + `_ + (installed on all POSIX-compliant systems) + +.. image:: https://travis-ci.org/lehmannro/assert.sh.svg?branch=master + :target: https://travis-ci.org/lehmannro/assert.sh + +Example +======= + +:: + + . assert.sh + + # `echo test` is expected to write "test" on stdout + assert "echo test" "test" + # `seq 3` is expected to print "1", "2" and "3" on different lines + assert "seq 3" "1\n2\n3" + # exit code of `true` is expected to be 0 + assert_raises "true" + # exit code of `false` is expected to be 1 + assert_raises "false" 1 + # end of test suite + assert_end examples + +If you had written the above snippet into ``tests.sh`` you could invoke it +without any extra hassle:: + + $ ./tests.sh + all 4 examples tests passed in 0.014s. + +Watch out to have ``tests.sh`` executable (``chmod +x tests.sh``), otherwise +you need to invoke it with ``bash tests.sh`` + +Now, we will add a failing test case to our suite:: + + # expect `exit 127` to terminate with code 128 + assert_raises "exit 127" 128 + +Remember to insert test cases before ``assert_end`` (or write another +``assert_end`` to the end of your file). Otherwise test statistics will be +omitted. + +When run, the output is:: + + test #5 "exit 127" failed: + program terminated with code 127 instead of 128 + 1 of 5 examples tests failed in 0.019s. + + +Features +======== + ++ lightweight interface: ``assert`` and ``assert_raises`` *only* ++ minimal setup -- source ``assert.sh`` and you're done ++ test grouping in individual suites ++ time benchmarks with real-time display of test progress ++ run all tests, stop on first failure, or collect numbers only + +Use case +======== + +You wrote an application. 
Following sane development practices, you want to +protect yourself against introducing errors with a test suite. Even though most +languages have excellent testing tools, modifying process state (input ``stdin``, +command line arguments ``argv``, environment variables) is awkard in most +languages. The shell was made to do just that, so why don't run the tests in +your shell? + +Reference +========= + ++ ``assert [stdout] [stdin]`` + + Check for an expected output when running your command. `stdout` supports all + control sequences printf(1) interprets, eg. ``\n`` for a newline. The default + `stdout` is assumed to be empty. + ++ ``assert_raises [exitcode] [stdin]`` + + Verify `command` terminated with the expected status code. The default + `exitcode` is assumed to be 0. + ++ ``assert_end [suite]`` + + Finalize a test suite and print statistics. + +Command line options +-------------------- + +See ``assert.sh --help`` for command line options on test runners. + + -v, --verbose Generate real-time output for every individual test run. + -x, --stop Stop running tests after the first failure. + (Default: run all tests.) + -i, --invariant Do not measure runtime for suites. Useful mainly to parse + test output. + -d, --discover Collect test suites and number of tests only; don't run any + tests. + -c, --continue Do not modify exit code depending on overall suite status. + -h Show brief usage information and exit. + --help Show usage manual and exit. + +Environment variables +--------------------- + +================= ==================== +variable corresponding option +================= ==================== +``$DEBUG`` ``--verbose`` +``$STOP`` ``--stop`` +``$INVARIANT`` ``--invariant`` +``$DISCOVERONLY`` ``--discover-only`` +``$CONTINUE`` ``--continue`` +================= ==================== + +Changelog +========= + +master + * Added support for ``set -e`` environments (closes `#6 + `_, thanks David Schoen.) 
+ * Modified exit code automatically in case *any* test failed in the suite. + * Added ``--continue`` flag to avoid tinkering with the exit code. + +1.0.2 + * Fixed Mac OS compatibility (closes `#3 + `_.) + +1.0.1 + * Added support for ``set -u`` environments (closes `#1 + `_.) + * Fixed several leaks of stderr. + * Fixed propagation of options to nested test suites. + +Related projects +================ + +`ShUnit`__ + ShUnit is a testing framework of the xUnit family for Bourne derived shells. + It is quite feature-rich but requires a whole lot of boilerplate to write a + basic test suite. *assert.sh* aims to be lightweight and easy to setup. + +__ http://shunit.sourceforge.net/ + +`shUnit2`__ + shUnit2 is a modern xUnit-style testing framework. It comes with a bunch of + magic to remove unneccessary verbosity. It requires extra care when crafting + test cases with many subprocess invocations as you have to fall back to shell + features to fetch results. *assert.sh* wraps this functionality out of the + box. + +__ http://code.google.com/p/shunit2/ + +`tap-functions`__ + A Test Anything Protocol (TAP) producer with an inherently natural-language- + style API. Unfortunately it's only of draft quality and decouples the test + runner from analysis, which does not allow for *assert.sh* features such as + ``--collect-only`` and ``--stop``. + +__ http://testanything.org/wiki/index.php/Tap-functions + +`stub.sh`__ + Helpers to fake binaries and bash builtins. It supports mocking features such + as expecting a certain number of invocations and plays well with *assert.sh*. + +__ https://github.com/jimeh/stub.sh diff --git a/tests/assert/assert.sh b/tests/assert/assert.sh new file mode 100644 index 0000000..b0c679c --- /dev/null +++ b/tests/assert/assert.sh 
@@ -0,0 +1,148 @@ +#!/bin/bash +# assert.sh 1.0 - bash unit testing framework +# Copyright (C) 2009, 2010, 2011, 2012 Robert Lehmann +# +# http://github.com/lehmannro/assert.sh +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published +# by the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . + +export DISCOVERONLY=${DISCOVERONLY:-} +export DEBUG=${DEBUG:-} +export STOP=${STOP:-} +export INVARIANT=${INVARIANT:-} +export CONTINUE=${CONTINUE:-} + +args="$(getopt -n "$0" -l \ + verbose,help,stop,discover,invariant,continue vhxdic $*)" \ +|| exit -1 +for arg in $args; do + case "$arg" in + -h) + echo "$0 [-vxidc]" \ + "[--verbose] [--stop] [--invariant] [--discover] [--continue]" + echo "`sed 's/./ /g' <<< "$0"` [-h] [--help]" + exit 0;; + --help) + cat < [stdin] + (( tests_ran++ )) || : + [[ -n "$DISCOVERONLY" ]] && return || true + # printf required for formatting + printf -v expected "x${2:-}" # x required to overwrite older results + result="$(eval 2>/dev/null $1 <<< ${3:-})" || true + # Note: $expected is already decorated + if [[ "x$result" == "$expected" ]]; then + [[ -n "$DEBUG" ]] && echo -n . 
|| true + return + fi + result="$(sed -e :a -e '$!N;s/\n/\\n/;ta' <<< "$result")" + [[ -z "$result" ]] && result="nothing" || result="\"$result\"" + [[ -z "$2" ]] && expected="nothing" || expected="\"$2\"" + _assert_fail "expected $expected${_indent}got $result" "$1" "$3" +} + +assert_raises() { + # assert_raises [stdin] + (( tests_ran++ )) || : + [[ -n "$DISCOVERONLY" ]] && return || true + status=0 + (eval $1 <<< ${3:-}) > /dev/null 2>&1 || status=$? + expected=${2:-0} + if [[ "$status" -eq "$expected" ]]; then + [[ -n "$DEBUG" ]] && echo -n . || true + return + fi + _assert_fail "program terminated with code $status instead of $expected" "$1" "$3" +} + +_assert_fail() { + # _assert_fail + [[ -n "$DEBUG" ]] && echo -n X + report="test #$tests_ran \"$2${3:+ <<< $3}\" failed:${_indent}$1" + if [[ -n "$STOP" ]]; then + [[ -n "$DEBUG" ]] && echo + echo "$report" + exit 1 + fi + tests_errors[$tests_failed]="$report" + (( tests_failed++ )) || : +} + +_assert_reset +: ${tests_suite_status:=0} # remember if any of the tests failed so far +_assert_cleanup() { + local status=$? + # modify exit code if it's not already non-zero + [[ $status -eq 0 && -z $CONTINUE ]] && exit $tests_suite_status +} +trap _assert_cleanup EXIT diff --git a/tests/assert/tests.sh b/tests/assert/tests.sh new file mode 100755 index 0000000..6a31b6d --- /dev/null +++ b/tests/assert/tests.sh 
@@ -0,0 +1,121 @@ +#!/bin/bash + +set -e + +. assert.sh + +assert "echo" # no output expected +assert "echo foo" "foo" # output expected +assert "cat" "bar" "bar" # output expected if input's given +assert_raises "true" 0 "" # status code expected +assert_raises "exit 127" 127 "" # status code expected +assert "head -1 < $0" "#!/bin/bash" # redirections +assert "seq 2" "1\n2" # multi-line output expected +assert_raises 'read a; exit $a' 42 "42" # variables still work +assert "echo 1; +echo 2 # ^" "1\n2" # semicolon required! +assert_end demo + +_clean() { + _assert_reset # reset state + DEBUG= STOP= INVARIANT=1 DISCOVERONLY= CONTINUE= # reset flags + eval $* # read new flags +} + +# clean output +assert "_clean; assert true; assert_end" \ +"all 1 tests passed." +# error reports on failure +assert "_clean; assert 'seq 1'; assert_end" \ +'test #1 "seq 1" failed:\n\texpected nothing\n\tgot "1"\n1 of 1 tests failed.' +assert "_clean; assert true '1'; assert_end" \ +'test #1 "true" failed:\n\texpected "1"\n\tgot nothing\n1 of 1 tests failed.' +assert "_clean; assert 'true' 'foo' 'bar'; assert_end" \ +'test #1 "true <<< bar" failed:\n\texpected "foo"\n\tgot nothing\n1 of 1 tests failed.' +# debug output (-v) +assert "_clean DEBUG=1; assert true; assert_end" \ +".\nall 1 tests passed." +assert "_clean DEBUG=1; assert_raises false; assert_end" \ +'X\ntest #1 "false" failed:\n\tprogram terminated with code 1 instead of 0 +1 of 1 tests failed.' +# collect tests only (-d) +assert "_clean DISCOVERONLY=1; assert true; assert false; assert_end" \ +"collected 2 tests." 
+# stop immediately on failure (-x) +assert "_clean STOP=1; assert_raises false; assert_end" \ +'test #1 "false" failed:\n\tprogram terminated with code 1 instead of 0' +# runtime statistics (omission of -i) +assert_raises "_clean INVARIANT=; +assert_end | egrep 'all 0 tests passed in ([0-9]|[0-9].[0-9]{3})s'" +assert_end output + +# assert_end exit code is the number of failures +assert_raises "_clean; assert_raises false; assert_raises false; assert_end" 2 +# stderr should NOT leak if ignored +assert "_clean; assert less" "" +# stderr should be redirectable though +assert '_clean; assert "less 2>&1" "Missing filename (\"less --help\" for help)"' +# bash failures behave just like stderr +assert "_clean; assert ___invalid" "" +# test suites can be nested and settings are inherited +# (ie. we don't need to invoke the inner suite with the very same options, +# namely --invariant) +assert "_clean; bash -c ' +. assert.sh; +assert_raises true; assert_end outer; +bash -c \". assert.sh; assert_raises true; assert_end inner\" +' '' --invariant" "all 1 outer tests passed. +all 1 inner tests passed." # is $0 +# set the correct exit status +assert_raises "_clean; bash -c \" +. assert.sh; assert true ''; assert_end one; +assert 'echo bar' 'bar'; assert_end two\"" 0 +assert_raises "_clean; bash -c \" +. assert.sh; assert true 'foo'; assert_end one; +assert 'echo bar' 'bar'; assert_end two\"" 1 +# ..but do not override it +assert_raises "_clean; bash -c \" +. 
assert.sh; assert true 'foo'; assert_end one; +assert 'echo bar' 'bar'; assert_end two; exit 3\"" 3 +# environment variables do not leak +assert "_clean; x=0; assert 'x=1'; assert_raises 'x=2'; echo \$x" 0 +assert "_clean; x=0; assert 'export x=1'; assert_raises 'export x=2'; +echo \$x" 0 +assert_end interaction + +# commit: fixed output to report all errors, not just the first +assert "_clean; +assert_raises false; assert_raises false; +assert_end" 'test #1 "false" failed: +\tprogram terminated with code 1 instead of 0 +test #2 "false" failed: +\tprogram terminated with code 1 instead of 0 +2 of 2 tests failed.' +# commit: added default value for assert_raises +assert_raises "_clean; assert_raises true; assert_end" 0 +# commit: fixed verbose failure reports in assert_raises +assert "_clean DEBUG=1; assert_raises false; assert_end" 'X +test #1 "false" failed: +\tprogram terminated with code 1 instead of 0 +1 of 1 tests failed.' +# commit: redirected assert_raises output +assert "_clean; assert_raises 'echo 1'; assert_end" "all 1 tests passed." +# commit: fixed --discover to reset properly +assert "_clean DISCOVERONLY=1; +assert 1; assert 1; assert_end; +assert 1; assert_end;" "collected 2 tests.\ncollected 1 tests." +# commit: stopped errors from leaking into other test suites +assert "_clean; +assert_raises false; assert_raises false; assert_end; +assert_raises false; assert_end" 'test #1 "false" failed: +\tprogram terminated with code 1 instead of 0 +test #2 "false" failed: +\tprogram terminated with code 1 instead of 0 +2 of 2 tests failed. +test #1 "false" failed: +\tprogram terminated with code 1 instead of 0 +1 of 1 tests failed.' +# issue 1: assert.sh: line 87: DISCOVERONLY: unbound variable +assert "_clean; set -u; assert_raises true; assert true; assert_end" \ +"all 2 tests passed." +assert_end regression 
diff --git a/scripts_debian/TODO b/tests/template-flavors/NOTES similarity index 76% rename from scripts_debian/TODO rename to tests/template-flavors/NOTES index 17a9484..a599ccb 100644 --- a/scripts_debian/TODO +++ b/tests/template-flavors/NOTES @@ -17,13 +17,13 @@ TODO: # - Would use the prefix of 'debian' which would allow same script to be used for # all 'debian' based builds, or it could have been set as -# 'wheezy+whonix-gateway::' to use a script destined for any distro -TEMPLATE_FLAVOR_PREFIX = wheezy+whonix-gateway::debian \ - wheezy+whonix-workstation::debian +# 'wheezy+whonix-gateway;' to use a script destined for any distro +TEMPLATE_FLAVOR_PREFIX = wheezy+whonix-gateway;debian \ + wheezy+whonix-workstation;debian # Alternate location for template flavor scripts -TEMPLATE_FLAVOR_DIR = wheezy+whonix-gateway::/home/user/whonix/gateway \ - wheezy+whonix-workstation::/home/usr/whonix/workstation +TEMPLATE_FLAVOR_DIR = wheezy+whonix-gateway;/home/user/whonix/gateway \ + wheezy+whonix-workstation;/home/usr/whonix/workstation - allow access to multiple flavor options .. say gnome for whonix-workstation wheezy+whonix-workstation+gnome+more @@ -34,9 +34,9 @@ TEMPLATE_FLAVOR_DIR = wheezy+whonix-gateway::/home/user/whonix/gateway \ # ------------------------------------------------------------------------------ # Would use same FLAVOR for all distros for whonix-workstation+gnome -TEMPLATE_FLAVOR_PREFIX = wheezy+whonix-workstation+gnome:: +TEMPLATE_FLAVOR_PREFIX = wheezy+whonix-workstation+gnome; # - Template Flavors are in /home/user/whoix/gnome for wheezy+whonix-workstation+gnome # - DISTS_VM is still lists all OPTIONAL flavors though -TEMPLATE_FLAVOR_DIR = wheezy+whonix-workstation+gnome::/home/usr/whonix/gnome +TEMPLATE_FLAVOR_DIR = wheezy+whonix-workstation+gnome;/home/usr/whonix/gnome 
diff --git a/tests/template-flavors/another_location/wheezy+whonix-gateway+gnome/test_pre.sh b/tests/template-flavors/another_location/wheezy+whonix-gateway+gnome/test_pre.sh new file mode 100755 index 0000000..9a4e120 --- /dev/null +++ b/tests/template-flavors/another_location/wheezy+whonix-gateway+gnome/test_pre.sh @@ -0,0 +1,4 @@ +#!/bin/sh +# vim: set ts=4 sw=4 sts=4 et : + +: diff --git a/tests/template-flavors/another_location/wheezy+whonix-gateway/test_pre.sh b/tests/template-flavors/another_location/wheezy+whonix-gateway/test_pre.sh new file mode 100755 index 0000000..9a4e120 --- /dev/null +++ b/tests/template-flavors/another_location/wheezy+whonix-gateway/test_pre.sh @@ -0,0 +1,4 @@ +#!/bin/sh +# vim: set ts=4 sw=4 sts=4 et : + +: diff --git a/tests/template-flavors/debian+whonix-gateway+gnome/test_pre.sh b/tests/template-flavors/debian+whonix-gateway+gnome/test_pre.sh new file mode 100755 index 0000000..9a4e120 --- /dev/null +++ b/tests/template-flavors/debian+whonix-gateway+gnome/test_pre.sh @@ -0,0 +1,4 @@ +#!/bin/sh +# vim: set ts=4 sw=4 sts=4 et : + +: diff --git a/tests/template-flavors/debian+whonix-gateway/test_pre.sh b/tests/template-flavors/debian+whonix-gateway/test_pre.sh new file mode 100755 index 0000000..9a4e120 --- /dev/null +++ b/tests/template-flavors/debian+whonix-gateway/test_pre.sh @@ -0,0 +1,4 @@ +#!/bin/sh +# vim: set ts=4 sw=4 sts=4 et : + +: diff --git a/tests/template-flavors/test.sh b/tests/template-flavors/test.sh new file mode 100755 index 0000000..eb8b5e1 --- /dev/null +++ b/tests/template-flavors/test.sh 
@@ -0,0 +1,162 @@ +#!/bin/sh +# vim: set ts=4 sw=4 sts=4 et : + +VERBOSE=2 +DEBUG=1 + +pushd ../.. +export ROOT_DIR=$(readlink -m .) + +# ------------------------------------------------------------------------------ +# Source external scripts +# ------------------------------------------------------------------------------ +. ./functions.sh +. ./tests/assert/assert.sh + +head() { + echo + echo + info "------------------------------------------------------------------------------" + info "${1%%\\n*}" + if ! [ "${1%%\\n*}" == "${1#*\\n}" ]; then + [[ -z $TEST ]] && echo -e "${bold}${green}${1#*\\n}${reset}" || : + fi + info "------------------------------------------------------------------------------" +} + +info() { + [[ -z $TEST ]] && echo -e "${bold}${blue}${1}${reset}" || : +} + +#debug() { +# [[ -z $TEST ]] && echo -e "${bold}${red}${1}${reset}" || : +#} + +assertTest(){ + TEST=True + printf "${bold}${red}" + assert "$1" "$2" + printf "${reset}" + unset TEST +} + +assertEnd() { + printf "${bold}${red}" + assert_end "$1" + printf "${reset}" +} + +# Defaults +export SCRIPTDIR="tests/template-flavors" +export DIST="wheezy" +export TEMPLATE_FLAVOR="whonix-gateway" + +# Should be parses in functions! +export TEMPLATE_FLAVOR_PREFIX="" + +# Just use error to show text in red +head "=== Globals ===" +debug 'export SCRIPTDIR="tests/template-flavors"' +debug 'export DIST="wheezy"' +debug 'export TEMPLATE_FLAVOR="whonix-gateway"' +debug 'export TEMPLATE_FLAVOR_PREFIX=""' +#debug "TEST=\"${TEST}\"" + +# ------------------------------------------------------------------------------ +head " 1. With TEMPLATE_FOLDER + \n tests/template-flavors/wheezy+whonix-gateway/test_pre.sh" +customStep "$0" "pre" +assertTest "customStep $0 pre" "tests/template-flavors/wheezy+whonix-gateway/test_pre.sh" +assertEnd "Test 1" + +# ------------------------------------------------------------------------------ +head " 2. 
Without TEMPLATE_FOLDER + \n tests/template-flavors/wheezy/test_pre.sh" +export TEMPLATE_FLAVOR="" +customStep "$0" "pre" +assertTest "customStep $0 pre" "tests/template-flavors/wheezy/test_pre.sh" +assertEnd "Test 2" + +# ------------------------------------------------------------------------------ +head " 3. Template Options + \n DISTS_VM = wheezy+whonix-gateway+gnome \ + \n DISTS_VM = +++ \ + \n Options get seperated into TEMPLATE_OPTIONS seperated by spaces" +# +export TEMPLATE_FLAVOR="whonix-gateway" +export TEMPLATE_OPTIONS=('gnome' 'kde') +customStep "$0" "pre" +debug "Not supposed to find wheezy+whonix-gateway+kde" +assertTest "customStep $0 pre" "tests/template-flavors/wheezy+whonix-gateway/test_pre.sh\ntests/template-flavors/wheezy+whonix-gateway+gnome/test_pre.sh" +assertEnd "Test 3" + +# ------------------------------------------------------------------------------ +head " 4. Template Options with custom prefix + \n TEMPLATE_FLAVOR_PREFIX \ + \n export TEMPLATE_FLAVOR_PREFIX=( \ + \n 'wheezy+whonix-gateway;debian+' \ + \n 'wheezy+whonix-workstation;debian+' \ + \n)" +export TEMPLATE_FLAVOR_PREFIX=( + 'wheezy+whonix-gateway;debian+' + 'wheezy+whonix-workstation;debian+' +) +customStep "$0" "pre" +debug "Not supposed to find debian+whonix-gateway+kde" +assertTest "customStep $0 pre" "tests/template-flavors/debian+whonix-gateway/test_pre.sh\ntests/template-flavors/wheezy+whonix-gateway+gnome/test_pre.sh" +assertEnd "Test 4" + +# ------------------------------------------------------------------------------ +head " 5. 
Template Options with NO prefix + \n TEMPLATE_FLAVOR_PREFIX \ + \n export TEMPLATE_FLAVOR_PREFIX=( \ + \n 'wheezy+whonix-gateway;' \ + \n 'wheezy+whonix-workstation;' \ + \n)" +export TEMPLATE_FLAVOR_PREFIX=( + 'wheezy+whonix-gateway;' + 'wheezy+whonix-workstation;' +) +customStep "$0" "pre" +debug "Not supposed to find whonix-gateway+kde" +assertTest "customStep $0 pre" "tests/template-flavors/whonix-gateway/test_pre.sh\ntests/template-flavors/wheezy+whonix-gateway+gnome/test_pre.sh" +assertEnd "Test 5" + +# ------------------------------------------------------------------------------ +head " 6. Custom template directory + \n unset TEMPLATE_FLAVOR_PREFIX \ + \n unset TEMPLATE_OPTIONS \ + \n TEMPLATE_FLAVOR_DIR=wheezy+whonix-gateway;tests/template-flavors/another_location" +unset TEMPLATE_FLAVOR_PREFIX +unset TEMPLATE_OPTIONS +TEMPLATE_FLAVOR_DIR="wheezy+whonix-gateway;tests/template-flavors/another_location" +customStep "$0" "pre" +assertTest "customStep $0 pre" "tests/template-flavors/another_location/wheezy+whonix-gateway/test_pre.sh" +assertEnd "Test 6" + +# ------------------------------------------------------------------------------ +head " 7. Custom template directory for options + \n unset TEMPLATE_FLAVOR_PREFIX \ + \n unset TEMPLATE_OPTIONS \ + \n TEMPLATE_FLAVOR_DIR=wheezy+whonix-gateway+gnome;tests/template-flavors/another_location" +unset TEMPLATE_FLAVOR_PREFIX +export TEMPLATE_OPTIONS=('gnome') +TEMPLATE_FLAVOR_DIR="wheezy+whonix-gateway+gnome;tests/template-flavors/another_location" +customStep "$0" "pre" +assertTest "customStep $0 pre" "tests/template-flavors/wheezy+whonix-gateway/test_pre.sh\ntests/template-flavors/another_location/wheezy+whonix-gateway+gnome/test_pre.sh" +assertEnd "Test 7" + +# ------------------------------------------------------------------------------ +export INSTALLDIR="${SCRIPTDIR}/test_copy_location" +head " 8. 
Copy files + \n Just test copying from here to ${INSTALLDIR}" +TEMPLATE_FLAVOR_DIR="" +TEMPLATE_OPTIONS="" +rm -rf "$INSTALLDIR"/* +copy_dirs "files" +ls -l "$INSTALLDIR" +assertTest "ls $INSTALLDIR" "test1\ntest2\ntest3" +assertEnd "Test 8" + +# Done +popd diff --git a/tests/template-flavors/test_copy_location/test1 b/tests/template-flavors/test_copy_location/test1 new file mode 100644 index 0000000..e69de29 diff --git a/tests/template-flavors/test_copy_location/test2 b/tests/template-flavors/test_copy_location/test2 new file mode 100644 index 0000000..e69de29 diff --git a/tests/template-flavors/test_copy_location/test3 b/tests/template-flavors/test_copy_location/test3 new file mode 100644 index 0000000..e69de29 diff --git a/tests/template-flavors/test_pre.sh b/tests/template-flavors/test_pre.sh new file mode 100755 index 0000000..9a4e120 --- /dev/null +++ b/tests/template-flavors/test_pre.sh @@ -0,0 +1,4 @@ +#!/bin/sh +# vim: set ts=4 sw=4 sts=4 et : + +: diff --git a/tests/template-flavors/wheezy+whonix-gateway+gnome/test_pre.sh b/tests/template-flavors/wheezy+whonix-gateway+gnome/test_pre.sh new file mode 100755 index 0000000..9a4e120 --- /dev/null +++ b/tests/template-flavors/wheezy+whonix-gateway+gnome/test_pre.sh @@ -0,0 +1,4 @@ +#!/bin/sh +# vim: set ts=4 sw=4 sts=4 et : + +: diff --git a/tests/template-flavors/wheezy+whonix-gateway/files/test1 b/tests/template-flavors/wheezy+whonix-gateway/files/test1 new file mode 100644 index 0000000..e69de29 diff --git a/tests/template-flavors/wheezy+whonix-gateway/files/test2 b/tests/template-flavors/wheezy+whonix-gateway/files/test2 new file mode 100644 index 0000000..e69de29 diff --git a/tests/template-flavors/wheezy+whonix-gateway/files/test3 b/tests/template-flavors/wheezy+whonix-gateway/files/test3 new file mode 100644 index 0000000..e69de29 diff --git a/tests/template-flavors/wheezy+whonix-gateway/test_pre.sh b/tests/template-flavors/wheezy+whonix-gateway/test_pre.sh new file mode 100755 index 0000000..9a4e120 
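Review bot: The helper defined as `head() {` right after the two `. ./…` source lines shadows the coreutils `head` command for the rest of this script and for the already-sourced functions.sh and assert.sh, because a shell function wins over a PATH lookup at call time; a name such as `heading() {` removes that ambiguity. The cleanup before test 8, `rm -rf "$INSTALLDIR"/*`, should be written `rm -rf -- "${INSTALLDIR:?}"/*` so an unset or empty INSTALLDIR aborts instead of expanding to `/*`. `printf "${bold}${red}"` in assertTest and assertEnd passes the colour variables as the printf format string; `printf '%s' "${bold}${red}"` is the form that cannot be misparsed.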
--- /dev/null +++ b/tests/template-flavors/wheezy+whonix-gateway/test_pre.sh @@ -0,0 +1,4 @@ +#!/bin/sh +# vim: set ts=4 sw=4 sts=4 et : + +: diff --git a/tests/template-flavors/wheezy/test_pre.sh b/tests/template-flavors/wheezy/test_pre.sh new file mode 100755 index 0000000..9a4e120 --- /dev/null +++ b/tests/template-flavors/wheezy/test_pre.sh @@ -0,0 +1,4 @@ +#!/bin/sh +# vim: set ts=4 sw=4 sts=4 et : + +: diff --git a/tests/template-flavors/whonix-gateway+gnome/test_pre.sh b/tests/template-flavors/whonix-gateway+gnome/test_pre.sh new file mode 100755 index 0000000..9a4e120 --- /dev/null +++ b/tests/template-flavors/whonix-gateway+gnome/test_pre.sh @@ -0,0 +1,4 @@ +#!/bin/sh +# vim: set ts=4 sw=4 sts=4 et : + +: diff --git a/tests/template-flavors/whonix-gateway/test_pre.sh b/tests/template-flavors/whonix-gateway/test_pre.sh new file mode 100755 index 0000000..9a4e120 --- /dev/null +++ b/tests/template-flavors/whonix-gateway/test_pre.sh @@ -0,0 +1,4 @@ +#!/bin/sh +# vim: set ts=4 sw=4 sts=4 et : + +: From 4ad852245571047fe116ec427f55c1b65f15f068 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Tue, 21 Oct 2014 10:00:32 -0400 Subject: [PATCH 26/83] Fixed typo of SCRIPTSDIR var --- functions.sh | 17 +++++++---------- tests/template-flavors/test.sh | 6 +++--- 2 files changed, 10 insertions(+), 13 deletions(-) diff --git a/functions.sh b/functions.sh index 8124ac6..b5171ff 100755 --- a/functions.sh +++ b/functions.sh 
@@ -148,11 +148,11 @@ customStepExec() { local template_flavor_dir="$4" local template_flavor_prefix="$5" - [[ -z $TEST ]] && echo "Calling script: ${calling_script}" || : - [[ -z $TEST ]] && echo "Step: ${step}" || : - [[ -z $TEST ]] && echo "Template Flavor: ${template_flavor}" || : - [[ -z $TEST ]] && echo "Template Dir: ${template_flavor_dir}" || : - [[ -z $TEST ]] && echo "Template Prefix: ${template_flavor_prefix}" || : + [[ -z $TEST ]] && debug "Calling script: ${calling_script}" || : + [[ -z $TEST ]] && debug "Step: ${step}" || : + [[ -z $TEST ]] && debug "Template Flavor: ${template_flavor}" || : + [[ -z $TEST ]] && debug "Template Dir: ${template_flavor_dir}" || : + [[ -z $TEST ]] && debug "Template Prefix: ${template_flavor_prefix}" || : splitPath "${calling_script}" path_parts @@ -216,10 +216,7 @@ customCopy() { } templateFlavor() { - local template=${TEMPLATE_FLAVOR} - local default="${SCRIPTSDIR}" - - echo ${template:-${default}} + echo ${TEMPLATE_FLAVOR} } templateFlavorPrefix() { @@ -245,7 +242,7 @@ templateFlavorDir() { fi done - echo "${SCRIPTDIR}" + echo "${SCRIPTSDIR}" } customParse() { diff --git a/tests/template-flavors/test.sh b/tests/template-flavors/test.sh index eb8b5e1..f7365a7 100755 --- a/tests/template-flavors/test.sh +++ b/tests/template-flavors/test.sh @@ -47,7 +47,7 @@ assertEnd() { } # Defaults -export SCRIPTDIR="tests/template-flavors" +export SCRIPTSDIR="tests/template-flavors" export DIST="wheezy" export TEMPLATE_FLAVOR="whonix-gateway" @@ -56,7 +56,7 @@ export TEMPLATE_FLAVOR_PREFIX="" # Just use error to show text in red head "=== Globals ===" -debug 'export SCRIPTDIR="tests/template-flavors"' +debug 'export SCRIPTSDIR="tests/template-flavors"' debug 'export DIST="wheezy"' debug 'export TEMPLATE_FLAVOR="whonix-gateway"' debug 'export TEMPLATE_FLAVOR_PREFIX=""' 
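Review bot: In the `@@ -216` hunk the rewritten templateFlavor body `echo ${TEMPLATE_FLAVOR}` leaves the expansion unquoted, so a value containing whitespace or glob characters is word-split and glob-expanded before being printed, and every caller that captures the output gets the altered value. `printf '%s\n' "${TEMPLATE_FLAVOR}"` returns it verbatim. The same unquoted `echo` pattern appears in the neighbouring templateFlavorPrefix, whose body is outside this hunk.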
@@ -147,7 +147,7 @@ assertTest "customStep $0 pre" "tests/template-flavors/wheezy+whonix-gateway/tes assertEnd "Test 7" # ------------------------------------------------------------------------------ -export INSTALLDIR="${SCRIPTDIR}/test_copy_location" +export INSTALLDIR="${SCRIPTSDIR}/test_copy_location" head " 8. Copy files \n Just test copying from here to ${INSTALLDIR}" TEMPLATE_FLAVOR_DIR="" From f3a02b1251d159ab29bd4ac3654e9491e9c92f27 Mon Sep 17 00:00:00 2001 
From: Jason Mehring Date: Wed, 22 Oct 2014 16:37:26 -0400 Subject: [PATCH 27/83] Created function to load package.list from proper directories. There can be multiple targets if TEMPLATE_FLAVOR and sub flavors are defined. All package.list files are kept within each flavor directory Refactored some code to allow above to reduce duplication of code --- functions.sh | 200 +++++++++--------- scripts_debian/00_prepare.sh | 8 +- scripts_debian/01_install_core.sh | 8 +- scripts_debian/02_install_groups.sh | 37 ++-- scripts_debian/04_install_qubes.sh | 10 +- scripts_debian/09_cleanup.sh | 8 +- scripts_debian/packages.list | 1 - .../packages_wheezy_whonix-gateway.list | 1 - .../packages_wheezy_whonix-workstation.list | 1 - .../packages_wheezy.list | 1 + .../packages_wheezy.list | 1 + .../02_install_groups_packages_installed.sh | 4 +- .../wheezy+whonix/04_install_qubes_post.sh | 2 +- .../packages_wheezy.list} | 0 .../another_location/whonix gw/packages.list | 0 .../test_pre.sh | 0 .../test_pre.sh | 0 .../whonix_gnome/packages.list | 0 .../another_location/whonix_gnome/test_pre.sh | 4 + tests/template-flavors/packages.list | 0 tests/template-flavors/packages_wheezy.list | 0 tests/template-flavors/test.sh | 123 +++++++---- .../wheezy+whonix-gateway+gnome/packages.list | 0 .../wheezy+whonix-gateway/packages.list | 0 24 files changed, 233 insertions(+), 176 deletions(-) delete mode 120000 scripts_debian/packages.list delete mode 120000 scripts_debian/packages_wheezy_whonix-gateway.list delete mode 120000 scripts_debian/packages_wheezy_whonix-workstation.list create mode 120000 scripts_debian/wheezy+whonix-gateway/packages_wheezy.list create mode 120000 scripts_debian/wheezy+whonix-workstation/packages_wheezy.list rename scripts_debian/{packages_wheezy_whonix.list => wheezy+whonix/packages_wheezy.list} (100%) create mode 100644 tests/template-flavors/another_location/whonix gw/packages.list rename tests/template-flavors/another_location/{wheezy+whonix-gateway+gnome => whonix 
gw}/test_pre.sh (100%) rename tests/template-flavors/another_location/{wheezy+whonix-gateway => whonix-gw}/test_pre.sh (100%) create mode 100644 tests/template-flavors/another_location/whonix_gnome/packages.list create mode 100755 tests/template-flavors/another_location/whonix_gnome/test_pre.sh create mode 100644 tests/template-flavors/packages.list create mode 100644 tests/template-flavors/packages_wheezy.list create mode 100644 tests/template-flavors/wheezy+whonix-gateway+gnome/packages.list create mode 100644 tests/template-flavors/wheezy+whonix-gateway/packages.list diff --git a/functions.sh b/functions.sh index b5171ff..a3437cc 100755 --- a/functions.sh +++ b/functions.sh 
@@ -140,146 +140,148 @@ splitPath() { setArrayAsGlobal PARTS $return_global_var } +templateFlavor() { + echo ${TEMPLATE_FLAVOR} +} -customStepExec() { - local calling_script="$1" - local step="$2" - local template_flavor="$3" - local template_flavor_dir="$4" - local template_flavor_prefix="$5" - - [[ -z $TEST ]] && debug "Calling script: ${calling_script}" || : - [[ -z $TEST ]] && debug "Step: ${step}" || : - [[ -z $TEST ]] && debug "Template Flavor: ${template_flavor}" || : - [[ -z $TEST ]] && debug "Template Dir: ${template_flavor_dir}" || : - [[ -z $TEST ]] && debug "Template Prefix: ${template_flavor_prefix}" || : +templateFlavorPrefix() { + local template_flavor=${1-$(templateFlavor)} + for element in "${TEMPLATE_FLAVOR_PREFIX[@]}" + do + if [ "${element%;*}" == "${DIST}+${template_flavor}" ]; then + echo ${element#*;} + return + fi + done + + echo "${DIST}${template_flavor:++}" +} - splitPath "${calling_script}" path_parts +templateDir() { + local template_flavor=${1-$(templateFlavor)} + for element in "${TEMPLATE_FLAVOR_DIR[@]}" + do + if [ "${element%;*}" == "$(templateFlavorPrefix ${template_flavor})${template_flavor}" ]; then + echo ${element#*;} + return + fi + done - # Step: [pre] | [post] (or custom inserted step) - if [ "${step}" ]; then - script_name="${path_parts[base]}_${step}${path_parts[dotext]}" + if [ -n "${template_flavor}" ]; then + local template_flavor_prefix="$(templateFlavorPrefix ${template_flavor})" + local dir="${SCRIPTSDIR}/${template_flavor_prefix}${template_flavor}" else - script_name="${path_parts[base]}${path_parts[dotext]}" + local dir="${SCRIPTSDIR}" fi - if [ -n "${template_flavor}" ]; then - script="${template_flavor_dir}/${template_flavor_prefix}${template_flavor}/${script_name}" + echo "${dir}" +} + +templateFile() { + local file="$1" + local suffix="$2" + local template_flavor="$3" + local template_dir="$(templateDir ${template_flavor})" + + splitPath "${file}" path_parts + + # Append suffix to filename (before extension) + 
if [ "${suffix}" ]; then + file="${template_dir}/${path_parts[base]}_${suffix}${path_parts[dotext]}" else - script="${template_flavor_dir}/${template_flavor_prefix}/${script_name}" + file="${template_dir}/${path_parts[base]}${path_parts[dotext]}" fi - if [ -f "$script" ]; then + if [ -f "${file}" ]; then + echo "${file}" + fi +} + +buildStepExec() { + local filename="$1" + local suffix="$2" + local template_flavor="$3" + + script="$(templateFile "$(unknown)" "${suffix}" "${template_flavor}")" + + if [ -f "${script}" ]; then [[ -n $TEST ]] && echo "${script}" || echo "${bold}${under}INFO: Currently running script: ${script}${reset}" - "$script" - else - [[ -z $TEST ]] && debug "${bold}INFO: No CustomStep found for: ${script}${reset}" || : + # Execute $script + "${script}" fi } -customCopy() { +copyTreeExec() { local calling_script="$1" local dir="$2" local template_flavor="$3" - local template_flavor_dir="$4" - local template_flavor_prefix="$5" - local install_dir="$(readlink -m ${INSTALLDIR})" - info "copy_dirs(): ${install_dir}" - if [ -n "${template_flavor}" ]; then - custom_dir="${template_flavor_dir}/${template_flavor_prefix}${template_flavor}/${dir}" - else - custom_dir="${template_flavor_dir}/${template_flavor_prefix}/${dir}" - fi + local template_dir="$(templateDir ${template_flavor})" + local source_dir="$(readlink -m ${template_dir}/${dir})" + local install_dir="$(readlink -m ${INSTALLDIR})" - if [ -d "${custom_dir}" ]; then - dir="${custom_dir}/" - elif [ -d "${template_flavor_dir}/${dir}" ]; then - dir="${template_flavor_dir}/${dir}/" - else + if ! [ -d "${source_dir}" ]; then debug "No extra files to copy for ${dir}" - return 0 + return 0 fi - dir="$(readlink -m $dir)" - debug "Copying ${dir}/* ${install_dir}" - cp -rp "${dir}/"* "${install_dir}" + debug "Copying ${source_dir}/* ${install_dir}" + cp -rp "${source_dir}/"* "${install_dir}" - if [ -f "${dir}/.facl" ]; then + if [ -f "${source_dir}/.facl" ]; then debug "Restoring file permissions..." 
pushd "$install_dir" { - setfacl --restore="${dir}/.facl" 2>/dev/null ||: + setfacl --restore="${source_dir}/.facl" 2>/dev/null ||: } popd fi } -templateFlavor() { - echo ${TEMPLATE_FLAVOR} -} - -templateFlavorPrefix() { - local template=${1-${TEMPLATE_FLAVOR}} - for element in "${TEMPLATE_FLAVOR_PREFIX[@]}" - do - if [ "${element%;*}" == "${DIST}+${template}" ]; then - echo ${element#*;} - return - fi - done - - echo "${DIST}${TEMPLATE_FLAVOR:++}" -} - -templateFlavorDir() { - local template=${1-${TEMPLATE_FLAVOR}} - for element in "${TEMPLATE_FLAVOR_DIR[@]}" - do - if [ "${element%;*}" == "${DIST}+${template}" ]; then - echo ${element#*;} - return - fi - done - - echo "${SCRIPTSDIR}" -} - -customParse() { +callTemplateFunction() { local calling_script="$1" - local step="$2" + local calling_arg="$2" local functionExec="$3" local template_flavor="$(templateFlavor)" - local template_flavor_dir="$(templateFlavorDir ${template_flavor})" - local template_flavor_prefix="$(templateFlavorPrefix ${template_flavor})" ${functionExec} "${calling_script}" \ - "${step}" \ - "${template_flavor}" \ - "${template_flavor_dir}" \ - "${template_flavor_prefix}" - + "${calling_arg}" \ + "${template_flavor}" - for template in ${TEMPLATE_OPTIONS[@]} + for option in ${TEMPLATE_OPTIONS[@]} do - template_flavor="$(templateFlavor)+${template}" - template_flavor_dir="$(templateFlavorDir ${template_flavor})" - template_flavor_prefix="$(templateFlavorPrefix ${template_flavor})" - ${functionExec} "${calling_script}" \ - "${step}" \ - "${template_flavor}" \ - "${template_flavor_dir}" \ - "${template_flavor_prefix}" + "${calling_arg}" \ + "$(templateFlavor)+${option}" done } +# ------------------------------------------------------------------------------ +# ------------------------------------------------------------------------------ +getFileLocations() { + local return_global_var=$1 + local filename="$2" + local suffix="$3" + local function="templateFile" + + + IFS_orig="${IFS}}"; IFS=$'\n' + 
files=( $(callTemplateFunction "$(unknown)" "${suffix}" "${function}") ) + setArrayAsGlobal files $return_global_var + + IFS="${IFS_orig}" +} + # ------------------------------------------------------------------------------ # Executes any additional optional configuration steps if the configuration # scripts exist # ------------------------------------------------------------------------------ -customStep() { - customParse "$1" "$2" "customStepExec" +buildStep() { + local filename="$1" + local suffix="$2" + local function="buildStepExec" + + callTemplateFunction "$(unknown)" "${suffix}" "${function}" } # ------------------------------------------------------------------------------ @@ -298,8 +300,12 @@ customStep() { # they get copied over to $INSTALLDIR # NOTE: Don't forget to redo this process if you add -OR- remove files # ------------------------------------------------------------------------------ -copy_dirs() { - customParse "" "$1" "customCopy" +copyTree() { + local not_used="" + local dir="$1" + local function="copyTreeExec" + + callTemplateFunction "${not_used}" "${dir}" "${function}" } # $0 is module that sourced vars.sh diff --git a/scripts_debian/00_prepare.sh b/scripts_debian/00_prepare.sh index e4eaad1..1dcc836 100755 --- a/scripts_debian/00_prepare.sh +++ b/scripts_debian/00_prepare.sh @@ -19,9 +19,9 @@ INSTALLDIR="$(readlink -m mnt)" umount_kill "$INSTALLDIR" || : # ------------------------------------------------------------------------------ -# Execute any custom pre configuration scripts +# Execute any template flavor or sub flavor 'pre' scripts # ------------------------------------------------------------------------------ -customStep "$0" "pre" +buildStep "$0" "pre" # ------------------------------------------------------------------------------ # Force overwrite of an existing image for now if debootstrap did not seem to complete... 
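Review bot: In getFileLocations the line `IFS_orig="${IFS}}"` carries a stray closing brace, so the later `IFS="${IFS_orig}"` restores IFS with an extra `}` character and every caller after the first runs with a corrupted field separator; it should read `IFS_orig="${IFS}"; IFS=$'\n'`. In copyTreeExec the new `local source_dir="$(readlink -m ${template_dir}/${dir})"` leaves both expansions unquoted, and this same commit adds a test directory whose name contains a space (`another_location/whonix gw`), which readlink would receive as two arguments; `local source_dir="$(readlink -m "${template_dir}/${dir}")"` keeps the path intact. The `$(unknown)` argument in buildStepExec, getFileLocations and buildStep sits exactly where the `filename` local belongs; if that text is in the commit rather than a rendering artifact, it executes a command named `unknown` and passes its output instead of `"${filename}"`, so no step script or package list would ever be located.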
@@ -40,7 +40,7 @@ if [ -f "$IMG" ]; then fi # ------------------------------------------------------------------------------ -# Execute any custom post configuration scripts +# Execute any template flavor or sub flavor 'post' scripts # ------------------------------------------------------------------------------ -customStep "$0" "post" +buildStep "$0" "post" diff --git a/scripts_debian/01_install_core.sh b/scripts_debian/01_install_core.sh index 177da2b..cd742f5 100755 --- a/scripts_debian/01_install_core.sh +++ b/scripts_debian/01_install_core.sh @@ -16,9 +16,9 @@ else fi # ------------------------------------------------------------------------------ -# Execute any custom pre configuration scripts +# Execute any template flavor or sub flavor 'pre' scripts # ------------------------------------------------------------------------------ -customStep "$0" "pre" +buildStep "$0" "pre" # ------------------------------------------------------------------------------ # Install base debian system @@ -33,6 +33,6 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then fi # ------------------------------------------------------------------------------ -# Execute any custom post configuration scripts +# Execute any template flavor or sub flavor 'post' scripts # ------------------------------------------------------------------------------ -customStep "$0" "post" +buildStep "$0" "post" diff --git a/scripts_debian/02_install_groups.sh b/scripts_debian/02_install_groups.sh index de52e80..b60a8d4 100755 --- a/scripts_debian/02_install_groups.sh +++ b/scripts_debian/02_install_groups.sh 
@@ -31,9 +31,9 @@ fi for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "$INSTALLDIR/$fs"; done # ------------------------------------------------------------------------------ -# Execute any custom pre configuration scripts +# Execute any template flavor or sub flavor 'pre' scripts # ------------------------------------------------------------------------------ -customStep "$0" "pre" +buildStep "$0" "pre" if ! [ -f "$INSTALLDIR/tmp/.prepared_groups" ]; then # ------------------------------------------------------------------------------ 
@@ -98,29 +98,26 @@ EOF # ------------------------------------------------------------------------------ # Install extra packages in script_$DEBIANVERSION/packages.list file + # -and / or- TEMPLATE_FLAVOR directories # ------------------------------------------------------------------------------ - if [ -n "${TEMPLATE_FLAVOR}" ]; then - PKGLISTFILE="$SCRIPTSDIR/packages_${DIST}_${TEMPLATE_FLAVOR}.list" - if ! [ -r "${PKGLISTFILE}" ]; then - error "ERROR: ${PKGLISTFILE} does not exists!" - umount_kill "$INSTALLDIR" || : - exit 1 - fi - elif [ -r "$SCRIPTSDIR/packages_${DIST}.list" ]; then - PKGLISTFILE="$SCRIPTSDIR/packages_${DIST}.list" - else - PKGLISTFILE="$SCRIPTSDIR/packages.list" + getFileLocations packages_list "packages.list" "${DIST}" + if [ -z "${packages_list}" ]; then + error "Can not locate a package.list file!" + umount_kill "$INSTALLDIR" || : + exit 1 fi - debug "Installing extra packages" - DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - xargs chroot $INSTALLDIR apt-get -y --force-yes install < "$PKGLISTFILE" + for package_list in "${packages_list[@]}"; do + debug "Installing extra packages from: ${package_list}" + DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + xargs chroot $INSTALLDIR apt-get -y --force-yes install < "$package_list" + done # ------------------------------------------------------------------------------ - # Execute any custom configuration scripts after file packages installed + # Execute any template flavor or sub flavor scripts after packages are installed # (Whonix needs dependancies installed before installation) # ------------------------------------------------------------------------------ - customStep "$0" "packages_installed" + buildStep "$0" "packages_installed" # ------------------------------------------------------------------------------ # Install systemd 
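Review bot: The re-added install line still passes `--force-yes` to apt-get inside the chroot; that flag suppresses apt's safety prompts, including the one raised when a package's signature cannot be verified, so a mirror or repository problem silently installs unauthenticated packages into the template image. Since `-y` already answers the ordinary prompts, drop `--force-yes` so an authentication failure aborts the build, and quote the chroot target: `xargs chroot "$INSTALLDIR" apt-get -y install < "$package_list"`. Note also that `getFileLocations packages_list "packages.list" "${DIST}"` makes templateFile look only for `packages_${DIST}.list` inside each flavor directory, so the plain `packages.list` files created elsewhere in this commit appear never to be consulted; confirm that is intended, since the comment above and the error text both refer to the un-suffixed name.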
@@ -194,7 +191,7 @@ EOF fi # ------------------------------------------------------------------------------ -# Execute any custom post configuration scripts +# Execute any template flavor or sub flavor 'post' scripts # ------------------------------------------------------------------------------ -customStep "$0" "post" +buildStep "$0" "post" diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh index 88a7612..6c94531 100755 --- a/scripts_debian/04_install_qubes.sh +++ b/scripts_debian/04_install_qubes.sh @@ -30,9 +30,9 @@ fi for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "$INSTALLDIR/$fs"; done # ------------------------------------------------------------------------------ -# Execute any custom pre configuration scripts +# Execute any template flavor or sub flavor 'pre' scripts # ------------------------------------------------------------------------------ -customStep "$0" "pre" +buildStep "$0" "pre" # ------------------------------------------------------------------------------ # Install Qubes Packages @@ -188,15 +188,15 @@ EOF # $SCRIPT_DIR/extra-qubes-files # -------------------------------------------------------------------------- debug "Copy extra files..." - copy_dirs "extra-qubes-files" + copyTree "extra-qubes-files" touch "$INSTALLDIR/tmp/.prepared_qubes" fi # ------------------------------------------------------------------------------ -# Execute any custom post configuration scripts +# Execute any template flavor or sub flavor 'post' scripts # ------------------------------------------------------------------------------ -customStep "$0" "post" +buildStep "$0" "post" # ------------------------------------------------------------------------------ # Kill all processes and umount all mounts within $INSTALLDIR, but not diff --git a/scripts_debian/09_cleanup.sh b/scripts_debian/09_cleanup.sh index d2b6f2b..dce636e 100755 --- a/scripts_debian/09_cleanup.sh +++ b/scripts_debian/09_cleanup.sh 
@@ -16,9 +16,9 @@ else fi # ------------------------------------------------------------------------------ -# Execute any custom pre configuration scripts +# Execute any template flavor or sub flavor 'pre' scripts # ------------------------------------------------------------------------------ -customStep "$0" "pre" +buildStep "$0" "pre" # ------------------------------------------------------------------------------ # Cleanup any left over files from installation @@ -31,6 +31,6 @@ rm -f "$INSTALLDIR/etc/apt/trusted.gpg.d/qubes-builder.gpg" rm -rf buildchroot # ------------------------------------------------------------------------------ -# Execute any custom post configuration scripts +# Execute any template flavor or sub flavor 'post' scripts # ------------------------------------------------------------------------------ -customStep "$0" "post" +buildStep "$0" "post" diff --git a/scripts_debian/packages.list b/scripts_debian/packages.list deleted file mode 120000 index 525a06f..0000000 --- a/scripts_debian/packages.list +++ /dev/null @@ -1 +0,0 @@ -packages_jessie.list \ No newline at end of file diff --git a/scripts_debian/packages_wheezy_whonix-gateway.list b/scripts_debian/packages_wheezy_whonix-gateway.list deleted file mode 120000 index d2bd272..0000000 --- a/scripts_debian/packages_wheezy_whonix-gateway.list +++ /dev/null @@ -1 +0,0 @@ -packages_wheezy_whonix.list \ No newline at end of file diff --git a/scripts_debian/packages_wheezy_whonix-workstation.list b/scripts_debian/packages_wheezy_whonix-workstation.list deleted file mode 120000 index d2bd272..0000000 --- a/scripts_debian/packages_wheezy_whonix-workstation.list +++ /dev/null @@ -1 +0,0 @@ -packages_wheezy_whonix.list \ No newline at end of file diff --git a/scripts_debian/wheezy+whonix-gateway/packages_wheezy.list b/scripts_debian/wheezy+whonix-gateway/packages_wheezy.list new file mode 120000 index 0000000..d5dfb50 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/packages_wheezy.list 
@@ -0,0 +1 @@ +../wheezy+whonix/packages_wheezy.list \ No newline at end of file diff --git a/scripts_debian/wheezy+whonix-workstation/packages_wheezy.list b/scripts_debian/wheezy+whonix-workstation/packages_wheezy.list new file mode 120000 index 0000000..d5dfb50 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/packages_wheezy.list @@ -0,0 +1 @@ +../wheezy+whonix/packages_wheezy.list \ No newline at end of file diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 186efd6..36e22f0 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh @@ -323,9 +323,9 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then fi # ------------------------------------------------------------------------------ -# Execute any custom configuration scripts +# Execute any template flavor or sub flavor scripts # ------------------------------------------------------------------------------ -customStep "99_custom_configuration.sh" +buildStep "99_custom_configuration.sh" # XXX: Why do I need to move them out of the way? Lets try keeping them # in place (modify post script too) diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh index 11d7e32..b69a760 100755 --- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh +++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh @@ -48,7 +48,7 @@ fi # ------------------------------------------------------------------------------ # Copy over any extra files # ------------------------------------------------------------------------------ -copy_dirs "extra-whonix-files" +copyTree "extra-whonix-files" # ------------------------------------------------------------------------------ # Cleanup Whonix Installation 
diff --git a/scripts_debian/packages_wheezy_whonix.list b/scripts_debian/wheezy+whonix/packages_wheezy.list similarity index 100% rename from scripts_debian/packages_wheezy_whonix.list rename to scripts_debian/wheezy+whonix/packages_wheezy.list diff --git a/tests/template-flavors/another_location/whonix gw/packages.list b/tests/template-flavors/another_location/whonix gw/packages.list new file mode 100644 index 0000000..e69de29 diff --git a/tests/template-flavors/another_location/wheezy+whonix-gateway+gnome/test_pre.sh b/tests/template-flavors/another_location/whonix gw/test_pre.sh similarity index 100% rename from tests/template-flavors/another_location/wheezy+whonix-gateway+gnome/test_pre.sh rename to tests/template-flavors/another_location/whonix gw/test_pre.sh diff --git a/tests/template-flavors/another_location/wheezy+whonix-gateway/test_pre.sh b/tests/template-flavors/another_location/whonix-gw/test_pre.sh similarity index 100% rename from tests/template-flavors/another_location/wheezy+whonix-gateway/test_pre.sh rename to tests/template-flavors/another_location/whonix-gw/test_pre.sh diff --git a/tests/template-flavors/another_location/whonix_gnome/packages.list b/tests/template-flavors/another_location/whonix_gnome/packages.list new file mode 100644 index 0000000..e69de29 diff --git a/tests/template-flavors/another_location/whonix_gnome/test_pre.sh b/tests/template-flavors/another_location/whonix_gnome/test_pre.sh new file mode 100755 index 0000000..9a4e120 --- /dev/null +++ b/tests/template-flavors/another_location/whonix_gnome/test_pre.sh @@ -0,0 +1,4 @@ +#!/bin/sh +# vim: set ts=4 sw=4 sts=4 et : + +: diff --git a/tests/template-flavors/packages.list b/tests/template-flavors/packages.list new file mode 100644 index 0000000..e69de29 diff --git a/tests/template-flavors/packages_wheezy.list b/tests/template-flavors/packages_wheezy.list new file mode 100644 index 0000000..e69de29 
diff --git a/tests/template-flavors/test.sh b/tests/template-flavors/test.sh index f7365a7..bc1c50d 100755 --- a/tests/template-flavors/test.sh +++ b/tests/template-flavors/test.sh @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # vim: set ts=4 sw=4 sts=4 et : VERBOSE=2 @@ -42,7 +42,7 @@ assertTest(){ assertEnd() { printf "${bold}${red}" - assert_end "$1" + [[ -n "$1" ]] && assert_end "$1" || assert_end printf "${reset}" } @@ -60,22 +60,24 @@ debug 'export SCRIPTSDIR="tests/template-flavors"' debug 'export DIST="wheezy"' debug 'export TEMPLATE_FLAVOR="whonix-gateway"' debug 'export TEMPLATE_FLAVOR_PREFIX=""' -#debug "TEST=\"${TEST}\"" # ------------------------------------------------------------------------------ -head " 1. With TEMPLATE_FOLDER - \n tests/template-flavors/wheezy+whonix-gateway/test_pre.sh" -customStep "$0" "pre" -assertTest "customStep $0 pre" "tests/template-flavors/wheezy+whonix-gateway/test_pre.sh" -assertEnd "Test 1" +head " 1. With TEMPLATE_FLAVOR + \n export SCRIPTSDIR=tests/template-flavors \ + \n export DIST=wheezy \ + \n export TEMPLATE_FLAVOR=whonix-gateway \ + \n export TEMPLATE_FLAVOR_PREFIX=" +buildStep "$0" "pre" +assertTest "buildStep $0 pre" "tests/template-flavors/wheezy+whonix-gateway/test_pre.sh" +assertEnd # ------------------------------------------------------------------------------ -head " 2. Without TEMPLATE_FOLDER - \n tests/template-flavors/wheezy/test_pre.sh" +head " 2. Without TEMPLATE_FLAVOR + \n export TEMPLATE_FLAVOR= " export TEMPLATE_FLAVOR="" -customStep "$0" "pre" -assertTest "customStep $0 pre" "tests/template-flavors/wheezy/test_pre.sh" -assertEnd "Test 2" +buildStep "$0" "pre" +assertTest "buildStep $0 pre" "tests/template-flavors/test_pre.sh" +assertEnd # ------------------------------------------------------------------------------ head " 3. Template Options 
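Review bot: The new assertEnd body `[[ -n "$1" ]] && assert_end "$1" || assert_end` uses the `a && b || c` form, so if `assert_end "$1"` returns non-zero — as a harness reporting failed assertions plausibly does — the bare `assert_end` also runs and the summary is emitted twice. Write it as `if [[ -n "$1" ]]; then assert_end "$1"; else assert_end; fi`. The `@@ -60` hunk below it only renames customStep to buildStep and adjusts the expected paths, which matches the functions.sh change in this commit.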
@@ -85,10 +87,10 @@ head " 3. Template Options # export TEMPLATE_FLAVOR="whonix-gateway" export TEMPLATE_OPTIONS=('gnome' 'kde') -customStep "$0" "pre" +buildStep "$0" "pre" debug "Not supposed to find wheezy+whonix-gateway+kde" -assertTest "customStep $0 pre" "tests/template-flavors/wheezy+whonix-gateway/test_pre.sh\ntests/template-flavors/wheezy+whonix-gateway+gnome/test_pre.sh" -assertEnd "Test 3" +assertTest "buildStep $0 pre" "tests/template-flavors/wheezy+whonix-gateway/test_pre.sh\ntests/template-flavors/wheezy+whonix-gateway+gnome/test_pre.sh" +assertEnd # ------------------------------------------------------------------------------ head " 4. Template Options with custom prefix @@ -101,10 +103,10 @@ export TEMPLATE_FLAVOR_PREFIX=( 'wheezy+whonix-gateway;debian+' 'wheezy+whonix-workstation;debian+' ) -customStep "$0" "pre" +buildStep "$0" "pre" debug "Not supposed to find debian+whonix-gateway+kde" -assertTest "customStep $0 pre" "tests/template-flavors/debian+whonix-gateway/test_pre.sh\ntests/template-flavors/wheezy+whonix-gateway+gnome/test_pre.sh" -assertEnd "Test 4" +assertTest "buildStep $0 pre" "tests/template-flavors/debian+whonix-gateway/test_pre.sh\ntests/template-flavors/wheezy+whonix-gateway+gnome/test_pre.sh" +assertEnd # ------------------------------------------------------------------------------ head " 5. Template Options with NO prefix 
@@ -117,46 +119,95 @@ export TEMPLATE_FLAVOR_PREFIX=( 'wheezy+whonix-gateway;' 'wheezy+whonix-workstation;' ) -customStep "$0" "pre" +buildStep "$0" "pre" debug "Not supposed to find whonix-gateway+kde" -assertTest "customStep $0 pre" "tests/template-flavors/whonix-gateway/test_pre.sh\ntests/template-flavors/wheezy+whonix-gateway+gnome/test_pre.sh" -assertEnd "Test 5" +assertTest "buildStep $0 pre" "tests/template-flavors/whonix-gateway/test_pre.sh\ntests/template-flavors/wheezy+whonix-gateway+gnome/test_pre.sh" +assertEnd # ------------------------------------------------------------------------------ head " 6. Custom template directory \n unset TEMPLATE_FLAVOR_PREFIX \ \n unset TEMPLATE_OPTIONS \ - \n TEMPLATE_FLAVOR_DIR=wheezy+whonix-gateway;tests/template-flavors/another_location" + \n TEMPLATE_FLAVOR_DIR=wheezy+whonix-gateway;tests/template-flavors/another_location/whonix-gw" unset TEMPLATE_FLAVOR_PREFIX unset TEMPLATE_OPTIONS -TEMPLATE_FLAVOR_DIR="wheezy+whonix-gateway;tests/template-flavors/another_location" -customStep "$0" "pre" -assertTest "customStep $0 pre" "tests/template-flavors/another_location/wheezy+whonix-gateway/test_pre.sh" -assertEnd "Test 6" +TEMPLATE_FLAVOR_DIR="wheezy+whonix-gateway;tests/template-flavors/another_location/whonix-gw" +buildStep "$0" "pre" +assertTest "buildStep $0 pre" "tests/template-flavors/another_location/whonix-gw/test_pre.sh" +assertEnd # ------------------------------------------------------------------------------ -head " 7. Custom template directory for options +head " 7. 
Custom template directory with space in name \n unset TEMPLATE_FLAVOR_PREFIX \ \n unset TEMPLATE_OPTIONS \ - \n TEMPLATE_FLAVOR_DIR=wheezy+whonix-gateway+gnome;tests/template-flavors/another_location" + \n TEMPLATE_FLAVOR_DIR=wheezy+whonix-gateway;tests/template-flavors/another_location/whonix gw" +TEMPLATE_FLAVOR_DIR="wheezy+whonix-gateway;tests/template-flavors/another_location/whonix gw" +buildStep "$0" "pre" +assertTest "buildStep $0 pre" "tests/template-flavors/another_location/whonix gw/test_pre.sh" +assertEnd + +# ------------------------------------------------------------------------------ +head " 8. Custom template directory for options + \n unset TEMPLATE_FLAVOR_PREFIX \ + \n unset TEMPLATE_OPTIONS \ + \n TEMPLATE_FLAVOR_DIR=wheezy+whonix-gateway+gnome;tests/template-flavors/another_location/whonix_gnome" unset TEMPLATE_FLAVOR_PREFIX export TEMPLATE_OPTIONS=('gnome') -TEMPLATE_FLAVOR_DIR="wheezy+whonix-gateway+gnome;tests/template-flavors/another_location" -customStep "$0" "pre" -assertTest "customStep $0 pre" "tests/template-flavors/wheezy+whonix-gateway/test_pre.sh\ntests/template-flavors/another_location/wheezy+whonix-gateway+gnome/test_pre.sh" -assertEnd "Test 7" +TEMPLATE_FLAVOR_DIR="wheezy+whonix-gateway+gnome;tests/template-flavors/another_location/whonix_gnome" +buildStep "$0" "pre" +assertTest "buildStep $0 pre" "tests/template-flavors/wheezy+whonix-gateway/test_pre.sh\ntests/template-flavors/another_location/whonix_gnome/test_pre.sh" +assertEnd + +# ------------------------------------------------------------------------------ +head " 9. 
Configuration Files + \n Find packages.list for every template available" +TEMPLATE_FLAVOR_DIR="wheezy+whonix-gateway;tests/template-flavors/another_location/whonix gw" +getFileLocations filelist 'packages.list' +for file in "${filelist[@]}"; do + echo "Configuration: ${file}" +done +result="$(echo $(printf "'%s' " "${filelist[@]}"))" +assertTest "echo ${result}" "tests/template-flavors/another_location/whonix gw/packages.list tests/template-flavors/wheezy+whonix-gateway+gnome/packages.list" +assertEnd + +# ------------------------------------------------------------------------------ +head "10. Configuration Files - No Template + \n Find packages.list for every template available" +TEMPLATE_FLAVOR= +TEMPLATE_FLAVOR_DIR= +getFileLocations filelist 'packages.list' +for file in "${filelist[@]}"; do + echo "Configuration: ${file}" +done +result="$(echo $(printf "'%s' " "${filelist[@]}"))" +assertTest "echo ${result}" "tests/template-flavors/packages.list" +assertEnd + +# ------------------------------------------------------------------------------ +head "11. Configuration Files - No Template - with suffix + \n Find packages.list for every template available" +TEMPLATE_FLAVOR= +TEMPLATE_FLAVOR_DIR= +getFileLocations filelist 'packages.list' 'wheezy' +for file in "${filelist[@]}"; do + echo "Configuration: ${file}" +done +result="$(echo $(printf "'%s' " "${filelist[@]}"))" +assertTest "echo ${result}" "tests/template-flavors/packages_wheezy.list" +assertEnd # ------------------------------------------------------------------------------ export INSTALLDIR="${SCRIPTSDIR}/test_copy_location" -head " 8. Copy files +head "12. Copy files \n Just test copying from here to ${INSTALLDIR}" +TEMPLATE_FLAVOR="whonix-gateway" TEMPLATE_FLAVOR_DIR="" TEMPLATE_OPTIONS="" rm -rf "$INSTALLDIR"/* -copy_dirs "files" +copyTree "files" ls -l "$INSTALLDIR" assertTest "ls $INSTALLDIR" "test1\ntest2\ntest3" -assertEnd "Test 8" +assertEnd # Done popd 
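Review bot: `rm -rf "$INSTALLDIR"/*` in test 12 has no guard against an empty INSTALLDIR; it is built as `${SCRIPTSDIR}/test_copy_location`, and whether SCRIPTSDIR is actually exported here is not visible (the earlier lines only hand `export SCRIPTSDIR=...` to `debug`), so an unset value would expand to `/test_copy_location/*`. A `:?` expansion makes the test abort instead of deleting outside its sandbox: `rm -rf -- "${INSTALLDIR:?INSTALLDIR must be set}"/*`.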
diff --git a/tests/template-flavors/wheezy+whonix-gateway+gnome/packages.list b/tests/template-flavors/wheezy+whonix-gateway+gnome/packages.list new file mode 100644 index 0000000..e69de29 diff --git a/tests/template-flavors/wheezy+whonix-gateway/packages.list b/tests/template-flavors/wheezy+whonix-gateway/packages.list new file mode 100644 index 0000000..e69de29 From b4ea7f437b30e2a0c8e135bee4a0a938264adf3d Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Wed, 22 Oct 2014 17:16:35 -0400 Subject: [PATCH 28/83] Removed wheezy packages deps from whonix list since wheezy packages will now also be installed seperately --- scripts_debian/wheezy+whonix/packages_wheezy.list | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/scripts_debian/wheezy+whonix/packages_wheezy.list b/scripts_debian/wheezy+whonix/packages_wheezy.list index c8327e4..acf4ebe 100644 --- a/scripts_debian/wheezy+whonix/packages_wheezy.list +++ b/scripts_debian/wheezy+whonix/packages_wheezy.list @@ -1,13 +1,3 @@ -gnome-terminal -locales -sudo -dmsetup -psmisc -ncurses-term -xserver-xorg-core -x11-xserver-utils -xinit - git curl sudo From c26d0eac1a3bc47308ccef4afa75e8ade8db734f Mon Sep 17 00:00:00 2001 
From: Jason Mehring Date: Wed, 22 Oct 2014 22:38:07 -0400 Subject: [PATCH 29/83] added static host related files for whonix copy and moved copy to pre whonix install --- functions.sh | 5 +- .../extra-whonix-files/.facl | 28 +++++++++++ .../extra-whonix-files/etc/hostname | 1 + .../extra-whonix-files/etc/hosts | 16 +++++++ .../extra-whonix-files/etc/sudoers.d/qubes | 46 +++++++++++++++++++ .../02_install_groups_packages_installed.sh | 23 +++++++--- .../wheezy+whonix/04_install_qubes_post.sh | 3 +- .../wheezy+whonix/packages_wheezy.list | 10 ++++ 8 files changed, 122 insertions(+), 10 deletions(-) create mode 100644 scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hostname create mode 100644 scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hosts create mode 100644 scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/sudoers.d/qubes diff --git a/functions.sh b/functions.sh index a3437cc..c3ce484 100755 --- a/functions.sh +++ b/functions.sh @@ -294,8 +294,9 @@ buildStep() { # 1. Change to the directory that you want to have file permissions retained # 2. Change all the file permissions / ownership as you want # 3. Change back to the root of the exta directory (IE: extra-qubes-files) -# 4. getfacl -R . > ".facl" -# 5. If git complains; reset file ownership back to user. The .facl file stored +# 4. Manually restore facl's: setfacl --restore=.facl +# 5. Manually create facl backup used after copying: getfacl -R . > .facl +# 6. If git complains; reset file ownership back to user. The .facl file stored # the file permissions and will be used to reset the file permissions after # they get copied over to $INSTALLDIR # NOTE: Don't forget to redo this process if you add -OR- remove files diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/.facl b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/.facl index d047a8c..4e00c79 100644 --- a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/.facl 
+++ b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/.facl @@ -12,6 +12,13 @@ user::rwx group::r-x other::r-x +# file: etc/hosts +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc/udev # owner: root # group: root @@ -33,6 +40,27 @@ user::rw- group::r-- other::r-- +# file: etc/hostname +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/sudoers.d +# owner: root +# group: user +user::rwx +group::r-x +other::r-x + +# file: etc/sudoers.d/qubes +# owner: root +# group: root +user::r-- +group::r-- +other::--- + # file: .facl # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hostname b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hostname new file mode 100644 index 0000000..c70dc2d --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hostname @@ -0,0 +1 @@ +host diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hosts b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hosts new file mode 100644 index 0000000..87b1540 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hosts @@ -0,0 +1,16 @@ +## Anonymity Distribution /etc/hosts + +## Defaults +127.0.0.1 host +::1 host ip6-host ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters +## End of defaults + +## Anonymity Distribution specific +127.0.0.1 host.localdomain host +## End of Anonymity Distribution specific + +## End of Anonymity Distribution /etc/hosts diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/sudoers.d/qubes b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/sudoers.d/qubes new file mode 100644 index 0000000..8087a90 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/sudoers.d/qubes 
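Review bot: The new `.facl` entry for `etc/sudoers.d` records `# group: user` while every other entry in the file is `root:root`; `setfacl --restore` will apply that ownership inside the chroot, so the sudoers drop-in directory ends up group-owned by the unprivileged account (read-only, but inconsistent with the sibling entries and presumably an artifact of running `getfacl` as that user). Change it to `# group: root` and regenerate the file. The `etc/sudoers.d/qubes` entry itself (`user::r-- group::r-- other::---`, i.e. 0440 root-owned) is what sudo requires of an included file and is fine.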
@@ -0,0 +1,46 @@ +user ALL=(ALL) NOPASSWD: ALL + +# WTF?! Have you lost your mind?! +# +# In Qubes VMs there is no point in isolating the root account from +# the user account. This is because all the user data are already +# accessible from the user account, so there is no direct benefit for +# the attacker if she could escalate to root (there is even no benefit +# in trying to install some persistent rootkits, as the VM's root +# filesystem modifications are lost upon each start of a VM). +# +# One might argue that some hypothetical attacks against the +# hypervisor or the few daemons/backends in Dom0 (so VM escape +# attacks) most likely would require root access in the VM to trigger +# the attack. +# +# That's true, but mere existence of such a bug in the hypervisor or +# Dom0 that could be exploited by a malicious VM, no matter whether +# requiring user, root, or even kernel access in the VM, would be +# FATAL. In such situation (if there was such a bug in Xen) there +# really is no comforting that: "oh, but the mitigating factor was +# that the attacker needed root in VM!" We're not M$, and we're not +# gonna BS our users that there are mitigating factors in that case, +# and for sure, root/user isolation is not a mitigating factor. +# +# Because, really, if somebody could find and exploit a bug in the Xen +# hypervisor -- so far there have been only one (!) publicly disclosed +# exploitable bug in the Xen hypervisor from a VM, found in 2008, +# incidentally by one of the Qubes developers (RW) -- then it would be +# highly unlikely if that person couldn't also found a user-to-root +# escalation in VM (which as we know from history of UNIX/Linux +# happens all the time). +# +# At the same time allowing for easy user-to-root escalation in a VM +# is simply convenient for users, especially for update installation. +# +# Currently this still doesn't work as expected, because some idotic +# piece of software called PolKit uses own set of policies. 
We're +# planning to address this in Beta 2. (Why PolKit is an idiocy? Do a +# simple experiment: start 'xinput test' in one xterm, running as +# user, then open some app that uses PolKit and asks for root +# password, e.g. gpk-update-viewer -- observe how all the keystrokes +# with root password you enter into the "secure" PolKit dialog box can +# be seen by the xinput program...) +# +# joanna. diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 36e22f0..1825da1 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh @@ -267,13 +267,22 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then } # Change hostname to 'host' - debug "Whonix change host" - echo "host" > "$INSTALLDIR/etc/hostname" - chroot "$INSTALLDIR" sed -i "s/localhost/host/g" /etc/hosts - - if ! [ -f "$INSTALLDIR/etc/sudoers.d/qubes" ]; then - cp -p /etc/sudoers.d/qubes "$INSTALLDIR/etc/sudoers.d/qubes" - fi + #debug "Whonix change host" + #echo "host" > "$INSTALLDIR/etc/hostname" + #chroot "$INSTALLDIR" sed -i "s/localhost/host/g" /etc/hosts + + #if ! [ -f "$INSTALLDIR/etc/sudoers.d/qubes" ]; then + # cp -p /etc/sudoers.d/qubes "$INSTALLDIR/etc/sudoers.d/qubes" + #fi + + # ------------------------------------------------------------------------------ + # Copy over any extra files + # XXX: Moved to 02_install_groups_packages_installed.sh + # ------------------------------------------------------------------------------ + copyTree "extra-whonix-files" + + # XXX: Temp debug to see if it copied over files okay + #exit 1 # -------------------------------------------------------------------------- # Install Whonix system diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh index b69a760..0429da7 100755 
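Review bot: `user ALL=(ALL) NOPASSWD: ALL` is installed into the whonix-gateway flavour with the generic Qubes rationale (all user data is already reachable from the user account), but that argument does not carry over unchanged to a Whonix gateway, where root is presumably also what keeps Tor's configuration and the VM's firewall rules out of reach of the user account; the file should carry a short gateway-specific justification, or a TODO, rather than the verbatim Qubes text. The copied comment also still refers to a PolKit fix planned for "Beta 2", which reads as stale in this file. Suggested opening comment: `# Passwordless root for 'user', as in all Qubes VMs; in a Whonix gateway this also exposes Tor/firewall config to the user account -- TODO(review): confirm this is acceptable for the gateway threat model.`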
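Review bot: The hostname/hosts/sudoers handling is left as commented-out code rather than removed, and the new `# XXX: Moved to 02_install_groups_packages_installed.sh` comment sits inside that very file, so it points at itself; both should go, leaving a one-line comment such as `# /etc/hostname, /etc/hosts and /etc/sudoers.d/qubes come from extra-whonix-files (ownership/modes in its .facl)`. Dropping the old `if ! [ -f .../sudoers.d/qubes ]` guard also means copyTree now overwrites an existing sudoers drop-in unconditionally; that looks intended, but is worth stating in the comment. The enclosing `if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]` block starts before this hunk.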
--- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh +++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh @@ -47,8 +47,9 @@ fi # ------------------------------------------------------------------------------ # Copy over any extra files +# XXX: Moved to 02_install_groups_packages_installed.sh # ------------------------------------------------------------------------------ -copyTree "extra-whonix-files" +#copyTree "extra-whonix-files" # ------------------------------------------------------------------------------ # Cleanup Whonix Installation diff --git a/scripts_debian/wheezy+whonix/packages_wheezy.list b/scripts_debian/wheezy+whonix/packages_wheezy.list index acf4ebe..c8327e4 100644 --- a/scripts_debian/wheezy+whonix/packages_wheezy.list +++ b/scripts_debian/wheezy+whonix/packages_wheezy.list @@ -1,3 +1,13 @@ +gnome-terminal +locales +sudo +dmsetup +psmisc +ncurses-term +xserver-xorg-core +x11-xserver-utils +xinit + git curl sudo From 6f9860fb17da808ff0bc0f5cd87055655b736504 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Thu, 23 Oct 2014 01:44:21 -0400 Subject: [PATCH 30/83] Tweaked configuration setting to work with upstream changes --- scripts_debian/04_install_qubes.sh | 2 +- scripts_debian/vars.sh | 2 + .../02_install_groups_packages_installed.sh | 13 ++++-- tests/shellcheck/INSTALL | 42 +++++++++++++++++++ 4 files changed, 55 insertions(+), 4 deletions(-) create mode 100755 tests/shellcheck/INSTALL diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh index 6c94531..c1858d4 100755 --- a/scripts_debian/04_install_qubes.sh +++ b/scripts_debian/04_install_qubes.sh 
@@ -141,7 +141,7 @@ EOF # Install Qubes packages # -------------------------------------------------------------------------- DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - chroot "$INSTALLDIR" apt-get -y --force-yes install `cat $SCRIPTSDIR/packages_qubes.list` || \ + chroot "$INSTALLDIR" apt-get -y --force-yes install $(cat $SCRIPTSDIR/packages_qubes.list) || \ { umount_kill "$INSTALLDIR"; exit 1; } # -------------------------------------------------------------------------- diff --git a/scripts_debian/vars.sh b/scripts_debian/vars.sh index aeb5940..b2450b1 100755 --- a/scripts_debian/vars.sh +++ b/scripts_debian/vars.sh @@ -1,3 +1,5 @@ +#!/bin/bash + # ------------------------------------------------------------------------------ # Global variables and functions # ------------------------------------------------------------------------------ diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 1825da1..2639417 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh @@ -281,9 +281,6 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then # ------------------------------------------------------------------------------ copyTree "extra-whonix-files" - # XXX: Temp debug to see if it copied over files okay - #exit 1 - # -------------------------------------------------------------------------- # Install Whonix system # -------------------------------------------------------------------------- 
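Review bot: The rewritten install line keeps `apt-get -y --force-yes`, and on wheezy `--force-yes` also lets apt proceed with packages that fail signature verification, so a bad mirror or a missing Qubes repository key would put unauthenticated packages into the template without any error. Drop `--force-yes` (the `|| { umount_kill "$INSTALLDIR"; exit 1; }` already handles a refusal), and if unauthenticated installs are deliberately tolerated, say so explicitly with `--allow-unauthenticated` plus a comment. `$SCRIPTSDIR/packages_qubes.list` inside the `$(cat ...)` is still unquoted, so a scripts path with spaces breaks here as well.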
@@ -355,6 +352,16 @@ if [ -L "$INSTALLDIR/usr/bin/apt-get" ]; then chroot "$INSTALLDIR" su -c "cd /usr/bin/; ln -s apt-get.anondist-orig apt-get" fi +# ------------------------------------------------------------------------------ +# Make sure the temporary policy-rc.d to prevent apt from starting services +# on package installation is still active; Whonix may have reset it +# ------------------------------------------------------------------------------ +cat > "$INSTALLDIR/usr/sbin/policy-rc.d" <> $file +fi + +# You now need to manually source .bash_profile +echo "You now need to manually source .bash_profile" +echo "source ~/.bash_profile" + +# Then verify PATH is set correctly +echo +echo +echo "Then verify PATH is set correctly" +echo "which shellcheck" +echo "~/.cabal/bin/shellcheck" + + +# To run the unit test suite: +# +# cabal configure --enable-tests +# cabal build +# cabal test From 0b341f4fb2e03701ef8c61241a2dff6d5ca32dd3 Mon Sep 17 00:00:00 2001 
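Review bot: The policy-rc.d hunk writes `$INSTALLDIR/usr/sbin/policy-rc.d`, but in this (garbled) rendering neither the heredoc body nor a `chmod` is visible; invoke-rc.d only honours the file when it is executable, so unless a `chmod 755` follows the `cat`, package installs would still start services despite the comment's stated intent. Please confirm `chmod 755 "$INSTALLDIR/usr/sbin/policy-rc.d"` (and that the script body is `exit 101`) is present right after the heredoc. The new tests/shellcheck/INSTALL helper is a developer aid and is not reviewed here.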
From: Jason Mehring Date: Fri, 24 Oct 2014 06:48:11 -0400 Subject: [PATCH 31/83] Moved qubes-extra-files to its own directory as a sub-template (proxy) as its only needed for proxies Removed call from qubes_installation scripts for proxy files. will now be added by sub-template Renamed extra-whonix-files to files Modifies functions.sh to allow for very short proxy names and custom directories that will be dist independent --- functions.sh | 21 +- scripts_debian/04_install_qubes.sh | 9 - .../{extra-qubes-files => proxy/files}/.facl | 0 .../files}/etc/udev/rules.d/98-kexec.rules | 0 .../files}/etc/udev/rules.d/xen-backend.rules | 0 .../files}/etc/xen/scripts/blktap | 0 .../files}/etc/xen/scripts/block | 0 .../files}/etc/xen/scripts/block-common.sh | 0 .../files}/etc/xen/scripts/block-enbd | 0 .../files}/etc/xen/scripts/block-nbd | 0 .../etc/xen/scripts/external-device-migrate | 0 .../files}/etc/xen/scripts/hotplugpath.sh | 0 .../files}/etc/xen/scripts/locking.sh | 0 .../files}/etc/xen/scripts/logging.sh | 0 .../files}/etc/xen/scripts/network-bridge | 0 .../files}/etc/xen/scripts/network-nat | 0 .../files}/etc/xen/scripts/network-route | 0 .../files}/etc/xen/scripts/vif-bridge | 0 .../files}/etc/xen/scripts/vif-common.sh | 0 .../files}/etc/xen/scripts/vif-nat | 0 .../files}/etc/xen/scripts/vif-route | 0 .../files}/etc/xen/scripts/vif-route-qubes | 0 .../files}/etc/xen/scripts/vif-setup | 0 .../files}/etc/xen/scripts/vif2 | 0 .../files}/etc/xen/scripts/vscsi | 0 .../files}/etc/xen/scripts/vtpm | 0 .../files}/etc/xen/scripts/vtpm-common.sh | 0 .../files}/etc/xen/scripts/vtpm-delete | 0 .../etc/xen/scripts/vtpm-hotplug-common.sh | 0 .../files}/etc/xen/scripts/vtpm-impl | 0 .../files}/etc/xen/scripts/vtpm-migration.sh | 0 .../etc/xen/scripts/xen-hotplug-cleanup | 0 .../etc/xen/scripts/xen-hotplug-common.sh | 0 .../etc/xen/scripts/xen-network-common.sh | 0 .../etc/xen/scripts/xen-script-common.sh | 0 .../{extra-whonix-files => files}/.facl | 0 .../etc/hostname | 0 
.../{extra-whonix-files => files}/etc/hosts | 0 .../etc/sudoers.d/qubes | 0 .../etc/udev/rules.d/99-qubes-whonix.rules | 0 .../usr/lib/whonix/replace-ips | 0 .../usr/lib/whonix/setup-ip | 0 .../02_install_groups_packages_installed.sh | 2 +- .../wheezy+whonix/04_install_qubes_post.sh | 12 +- tests/template-flavors/proxy/test_pre.sh | 4 + tests/template-flavors/test.sh | 289 ++++++++++++------ 46 files changed, 233 insertions(+), 104 deletions(-) rename scripts_debian/{extra-qubes-files => proxy/files}/.facl (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/udev/rules.d/98-kexec.rules (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/udev/rules.d/xen-backend.rules (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/blktap (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/block (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/block-common.sh (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/block-enbd (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/block-nbd (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/external-device-migrate (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/hotplugpath.sh (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/locking.sh (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/logging.sh (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/network-bridge (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/network-nat (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/network-route (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/vif-bridge (100%) rename scripts_debian/{extra-qubes-files => 
proxy/files}/etc/xen/scripts/vif-common.sh (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/vif-nat (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/vif-route (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/vif-route-qubes (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/vif-setup (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/vif2 (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/vscsi (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/vtpm (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/vtpm-common.sh (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/vtpm-delete (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/vtpm-hotplug-common.sh (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/vtpm-impl (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/vtpm-migration.sh (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/xen-hotplug-cleanup (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/xen-hotplug-common.sh (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/xen-network-common.sh (100%) rename scripts_debian/{extra-qubes-files => proxy/files}/etc/xen/scripts/xen-script-common.sh (100%) rename scripts_debian/wheezy+whonix-gateway/{extra-whonix-files => files}/.facl (100%) rename scripts_debian/wheezy+whonix-gateway/{extra-whonix-files => files}/etc/hostname (100%) rename scripts_debian/wheezy+whonix-gateway/{extra-whonix-files => files}/etc/hosts (100%) rename scripts_debian/wheezy+whonix-gateway/{extra-whonix-files => files}/etc/sudoers.d/qubes (100%) rename scripts_debian/wheezy+whonix-gateway/{extra-whonix-files => 
files}/etc/udev/rules.d/99-qubes-whonix.rules (100%) rename scripts_debian/wheezy+whonix-gateway/{extra-whonix-files => files}/usr/lib/whonix/replace-ips (100%) rename scripts_debian/wheezy+whonix-gateway/{extra-whonix-files => files}/usr/lib/whonix/setup-ip (100%) create mode 100755 tests/template-flavors/proxy/test_pre.sh diff --git a/functions.sh b/functions.sh index c3ce484..d0967e6 100755 --- a/functions.sh +++ b/functions.sh @@ -148,8 +148,8 @@ templateFlavorPrefix() { local template_flavor=${1-$(templateFlavor)} for element in "${TEMPLATE_FLAVOR_PREFIX[@]}" do - if [ "${element%;*}" == "${DIST}+${template_flavor}" ]; then - echo ${element#*;} + if [ "${element%:*}" == "${DIST}+${template_flavor}" ]; then + echo ${element#*:} return fi done @@ -159,10 +159,16 @@ templateFlavorPrefix() { templateDir() { local template_flavor=${1-$(templateFlavor)} + for element in "${TEMPLATE_FLAVOR_DIR[@]}" do - if [ "${element%;*}" == "$(templateFlavorPrefix ${template_flavor})${template_flavor}" ]; then - echo ${element#*;} + # (wheezy+whonix-gateway / wheezy+whonix-gateway+gnome[+++] / wheezy+gnome ) + if [ "${element%:*}" == "$(templateFlavorPrefix ${template_flavor})${template_flavor}" ]; then + eval echo -e ${element#*:} + return + # Very short name compare (+proxy) + elif [ "${element:0:1}" == "+" -a "${element%:*}" == "+${template_flavor}" ]; then + eval echo -e ${element#*:} return fi done @@ -206,6 +212,7 @@ buildStepExec() { if [ -f "${script}" ]; then [[ -n $TEST ]] && echo "${script}" || echo "${bold}${under}INFO: Currently running script: ${script}${reset}" + # Execute $script "${script}" fi @@ -250,9 +257,15 @@ callTemplateFunction() { for option in ${TEMPLATE_OPTIONS[@]} do + # Long name (wheezy+whonix-gateway+proxy) ${functionExec} "${calling_script}" \ "${calling_arg}" \ "$(templateFlavor)+${option}" + + # Short name (wheezy+proxy) + ${functionExec} "${calling_script}" \ + "${calling_arg}" \ + "${option}" done } 
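Review bot: `eval echo -e ${element#*:}` in templateDir passes the directory half of a `TEMPLATE_FLAVOR_DIR` entry through `eval` unquoted, so any shell metacharacters in that configuration value (`$(...)`, `;`, backticks) are executed by the build, and a directory name containing a space — the case the test suite explicitly exercises — is word-split and then backslash-interpreted by `echo -e`. If the intent is only to expand `~` or `$VAR` inside the path, that needs a deliberate, quoted expansion; otherwise `printf '%s\n' "${element#*:}"` returns the value verbatim. The short-name branch also uses the deprecated `[ ... -a ... ]`, better written as `[[ "${element:0:1}" == "+" && "${element%:*}" == "+${template_flavor}" ]]`. Note too that `${element%:*}` splits on the last colon, so a directory path containing `:` would silently corrupt the key.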
diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh index c1858d4..94071c9 100755 --- a/scripts_debian/04_install_qubes.sh +++ b/scripts_debian/04_install_qubes.sh @@ -182,15 +182,6 @@ EOF # Need a xen log directory or xen scripts will fail # -------------------------------------------------------------------------- mkdir -p -m 0700 "$INSTALLDIR/var/log/xen" - - # -------------------------------------------------------------------------- - # Copy over any extra files that may be needed that are located in - # $SCRIPT_DIR/extra-qubes-files - # -------------------------------------------------------------------------- - debug "Copy extra files..." - copyTree "extra-qubes-files" - - touch "$INSTALLDIR/tmp/.prepared_qubes" fi # ------------------------------------------------------------------------------ diff --git a/scripts_debian/extra-qubes-files/.facl b/scripts_debian/proxy/files/.facl similarity index 100% rename from scripts_debian/extra-qubes-files/.facl rename to scripts_debian/proxy/files/.facl diff --git a/scripts_debian/extra-qubes-files/etc/udev/rules.d/98-kexec.rules b/scripts_debian/proxy/files/etc/udev/rules.d/98-kexec.rules similarity index 100% rename from scripts_debian/extra-qubes-files/etc/udev/rules.d/98-kexec.rules rename to scripts_debian/proxy/files/etc/udev/rules.d/98-kexec.rules diff --git a/scripts_debian/extra-qubes-files/etc/udev/rules.d/xen-backend.rules b/scripts_debian/proxy/files/etc/udev/rules.d/xen-backend.rules similarity index 100% rename from scripts_debian/extra-qubes-files/etc/udev/rules.d/xen-backend.rules rename to scripts_debian/proxy/files/etc/udev/rules.d/xen-backend.rules diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/blktap b/scripts_debian/proxy/files/etc/xen/scripts/blktap similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/blktap rename to scripts_debian/proxy/files/etc/xen/scripts/blktap 
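Review bot: This hunk removes `touch "$INSTALLDIR/tmp/.prepared_qubes"` together with the copyTree call, although the commit message only describes dropping the extra-files copy; if the enclosing `if` (which starts before this hunk) is guarded by that marker, as its name suggests, the whole Qubes install block now re-runs on every invocation instead of once. Restore the marker as the last statement of the block: `touch "$INSTALLDIR/tmp/.prepared_qubes"`.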
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/block b/scripts_debian/proxy/files/etc/xen/scripts/block similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/block rename to scripts_debian/proxy/files/etc/xen/scripts/block diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/block-common.sh b/scripts_debian/proxy/files/etc/xen/scripts/block-common.sh similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/block-common.sh rename to scripts_debian/proxy/files/etc/xen/scripts/block-common.sh diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/block-enbd b/scripts_debian/proxy/files/etc/xen/scripts/block-enbd similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/block-enbd rename to scripts_debian/proxy/files/etc/xen/scripts/block-enbd diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/block-nbd b/scripts_debian/proxy/files/etc/xen/scripts/block-nbd similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/block-nbd rename to scripts_debian/proxy/files/etc/xen/scripts/block-nbd diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/external-device-migrate b/scripts_debian/proxy/files/etc/xen/scripts/external-device-migrate similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/external-device-migrate rename to scripts_debian/proxy/files/etc/xen/scripts/external-device-migrate diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/hotplugpath.sh b/scripts_debian/proxy/files/etc/xen/scripts/hotplugpath.sh similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/hotplugpath.sh rename to scripts_debian/proxy/files/etc/xen/scripts/hotplugpath.sh 
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/locking.sh b/scripts_debian/proxy/files/etc/xen/scripts/locking.sh similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/locking.sh rename to scripts_debian/proxy/files/etc/xen/scripts/locking.sh diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/logging.sh b/scripts_debian/proxy/files/etc/xen/scripts/logging.sh similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/logging.sh rename to scripts_debian/proxy/files/etc/xen/scripts/logging.sh diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/network-bridge b/scripts_debian/proxy/files/etc/xen/scripts/network-bridge similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/network-bridge rename to scripts_debian/proxy/files/etc/xen/scripts/network-bridge diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/network-nat b/scripts_debian/proxy/files/etc/xen/scripts/network-nat similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/network-nat rename to scripts_debian/proxy/files/etc/xen/scripts/network-nat diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/network-route b/scripts_debian/proxy/files/etc/xen/scripts/network-route similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/network-route rename to scripts_debian/proxy/files/etc/xen/scripts/network-route diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-bridge b/scripts_debian/proxy/files/etc/xen/scripts/vif-bridge similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/vif-bridge rename to scripts_debian/proxy/files/etc/xen/scripts/vif-bridge 
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-common.sh b/scripts_debian/proxy/files/etc/xen/scripts/vif-common.sh similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/vif-common.sh rename to scripts_debian/proxy/files/etc/xen/scripts/vif-common.sh diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-nat b/scripts_debian/proxy/files/etc/xen/scripts/vif-nat similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/vif-nat rename to scripts_debian/proxy/files/etc/xen/scripts/vif-nat diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-route b/scripts_debian/proxy/files/etc/xen/scripts/vif-route similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/vif-route rename to scripts_debian/proxy/files/etc/xen/scripts/vif-route diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-route-qubes b/scripts_debian/proxy/files/etc/xen/scripts/vif-route-qubes similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/vif-route-qubes rename to scripts_debian/proxy/files/etc/xen/scripts/vif-route-qubes diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vif-setup b/scripts_debian/proxy/files/etc/xen/scripts/vif-setup similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/vif-setup rename to scripts_debian/proxy/files/etc/xen/scripts/vif-setup diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vif2 b/scripts_debian/proxy/files/etc/xen/scripts/vif2 similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/vif2 rename to scripts_debian/proxy/files/etc/xen/scripts/vif2 diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vscsi b/scripts_debian/proxy/files/etc/xen/scripts/vscsi similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/vscsi rename to scripts_debian/proxy/files/etc/xen/scripts/vscsi 
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm b/scripts_debian/proxy/files/etc/xen/scripts/vtpm similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm rename to scripts_debian/proxy/files/etc/xen/scripts/vtpm diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-common.sh b/scripts_debian/proxy/files/etc/xen/scripts/vtpm-common.sh similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-common.sh rename to scripts_debian/proxy/files/etc/xen/scripts/vtpm-common.sh diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-delete b/scripts_debian/proxy/files/etc/xen/scripts/vtpm-delete similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-delete rename to scripts_debian/proxy/files/etc/xen/scripts/vtpm-delete diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-hotplug-common.sh b/scripts_debian/proxy/files/etc/xen/scripts/vtpm-hotplug-common.sh similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-hotplug-common.sh rename to scripts_debian/proxy/files/etc/xen/scripts/vtpm-hotplug-common.sh diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-impl b/scripts_debian/proxy/files/etc/xen/scripts/vtpm-impl similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-impl rename to scripts_debian/proxy/files/etc/xen/scripts/vtpm-impl diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-migration.sh b/scripts_debian/proxy/files/etc/xen/scripts/vtpm-migration.sh similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/vtpm-migration.sh rename to scripts_debian/proxy/files/etc/xen/scripts/vtpm-migration.sh 
diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-hotplug-cleanup b/scripts_debian/proxy/files/etc/xen/scripts/xen-hotplug-cleanup similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/xen-hotplug-cleanup rename to scripts_debian/proxy/files/etc/xen/scripts/xen-hotplug-cleanup diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-hotplug-common.sh b/scripts_debian/proxy/files/etc/xen/scripts/xen-hotplug-common.sh similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/xen-hotplug-common.sh rename to scripts_debian/proxy/files/etc/xen/scripts/xen-hotplug-common.sh diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-network-common.sh b/scripts_debian/proxy/files/etc/xen/scripts/xen-network-common.sh similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/xen-network-common.sh rename to scripts_debian/proxy/files/etc/xen/scripts/xen-network-common.sh diff --git a/scripts_debian/extra-qubes-files/etc/xen/scripts/xen-script-common.sh b/scripts_debian/proxy/files/etc/xen/scripts/xen-script-common.sh similarity index 100% rename from scripts_debian/extra-qubes-files/etc/xen/scripts/xen-script-common.sh rename to scripts_debian/proxy/files/etc/xen/scripts/xen-script-common.sh diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl similarity index 100% rename from scripts_debian/wheezy+whonix-gateway/extra-whonix-files/.facl rename to scripts_debian/wheezy+whonix-gateway/files/.facl diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hostname b/scripts_debian/wheezy+whonix-gateway/files/etc/hostname similarity index 100% rename from scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hostname rename to scripts_debian/wheezy+whonix-gateway/files/etc/hostname 
diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hosts b/scripts_debian/wheezy+whonix-gateway/files/etc/hosts similarity index 100% rename from scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/hosts rename to scripts_debian/wheezy+whonix-gateway/files/etc/hosts diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/sudoers.d/qubes b/scripts_debian/wheezy+whonix-gateway/files/etc/sudoers.d/qubes similarity index 100% rename from scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/sudoers.d/qubes rename to scripts_debian/wheezy+whonix-gateway/files/etc/sudoers.d/qubes diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules b/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules similarity index 100% rename from scripts_debian/wheezy+whonix-gateway/extra-whonix-files/etc/udev/rules.d/99-qubes-whonix.rules rename to scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips similarity index 100% rename from scripts_debian/wheezy+whonix-gateway/extra-whonix-files/usr/lib/whonix/replace-ips rename to scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips diff --git a/scripts_debian/wheezy+whonix-gateway/extra-whonix-files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip similarity index 100% rename from scripts_debian/wheezy+whonix-gateway/extra-whonix-files/usr/lib/whonix/setup-ip rename to scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 2639417..191bdff 100755 
--- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh @@ -279,7 +279,7 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then # Copy over any extra files # XXX: Moved to 02_install_groups_packages_installed.sh # ------------------------------------------------------------------------------ - copyTree "extra-whonix-files" + copyTree "files" # -------------------------------------------------------------------------- # Install Whonix system diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh index 0429da7..ad34e9c 100755 --- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh +++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh @@ -45,11 +45,13 @@ if [ -L "$INSTALLDIR/etc/resolv.conf" ]; then popd fi -# ------------------------------------------------------------------------------ -# Copy over any extra files -# XXX: Moved to 02_install_groups_packages_installed.sh -# ------------------------------------------------------------------------------ -#copyTree "extra-whonix-files" +# -------------------------------------------------------------------------- +# Copy over any extra files that may be needed that are located in +# -------------------------------------------------------------------------- +debug "Copy extra Qubes related files..." +copyTree "extra-qubes-files" + +touch "$INSTALLDIR/tmp/.prepared_qubes" # ------------------------------------------------------------------------------ # Cleanup Whonix Installation diff --git a/tests/template-flavors/proxy/test_pre.sh b/tests/template-flavors/proxy/test_pre.sh new file mode 100755 index 0000000..9a4e120 --- /dev/null +++ b/tests/template-flavors/proxy/test_pre.sh @@ -0,0 +1,4 @@ +#!/bin/sh +# vim: set ts=4 sw=4 sts=4 et : + +: diff --git a/tests/template-flavors/test.sh b/tests/template-flavors/test.sh index bc1c50d..c76faff 100755 
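Review bot: The header comment added above `copyTree "extra-qubes-files"` stops mid-sentence ("that are located in"), so it never names the directory; I would finish it as `# Copy over any extra files that may be needed that are located in extra-qubes-files`. The hunk also creates the marker `$INSTALLDIR/tmp/.prepared_qubes` but nothing in this hunk tests it before the copy, so a re-run of 04_install_qubes_post.sh copies the tree again unconditionally. If the marker is meant to make the step idempotent the way `.prepared_whonix` gates 02_install_groups_packages_installed.sh, the copy and the `touch` belong inside `if ! [ -f "$INSTALLDIR/tmp/.prepared_qubes" ]; then … fi`; if it is only informational, a one-line comment saying so would stop the next reader from wondering.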
--- a/tests/template-flavors/test.sh +++ b/tests/template-flavors/test.sh @@ -5,7 +5,7 @@ VERBOSE=2 DEBUG=1 pushd ../.. -export ROOT_DIR=$(readlink -m .) +ROOT_DIR=$(readlink -m .) # ------------------------------------------------------------------------------ # Source external scripts @@ -13,24 +13,59 @@ export ROOT_DIR=$(readlink -m .) . ./functions.sh . ./tests/assert/assert.sh -head() { +header() { echo echo info "------------------------------------------------------------------------------" - info "${1%%\\n*}" - if ! [ "${1%%\\n*}" == "${1#*\\n}" ]; then - [[ -z $TEST ]] && echo -e "${bold}${green}${1#*\\n}${reset}" || : - fi - info "------------------------------------------------------------------------------" + + IFS= read -r title; info "${title}" + while IFS= read -r line; do + echo "${bold}${magenta}${line}${reset}" + done; + + echo + values SCRIPTSDIR + values DIST + values DISTS_VM + values TEMPLATE_FLAVOR + values TEMPLATE_FLAVOR_PREFIX + values TEMPLATE_FLAVOR_DIR + values TEMPLATE_OPTIONS + echo +} + +declare -A VALUES=( + [SCRIPTSDIR]="" + [DIST]="" + [DISTS_VM]="" + [TEMPLATE_FLAVOR]="" + [TEMPLATE_FLAVOR_DIR]="" + [TEMPLATE_FLAVOR_PREFIX]="" + [TEMPLATE_OPTIONS]="" +) + +values() { + [[ -z $TEST ]] && { + label=${1} + value="${1}[@]" + value="${!value}" + + if [ "${VALUES[$label]}" == "${value}" ]; then + printf " ${bold}${magenta}%-22s = ${value}${reset}\n" "${label}" || : + else + printf " ${bold}${black}%-22s = ${value}${reset}\n" "${label}" || : + fi + VALUES[$label]="${value}" + } } info() { - [[ -z $TEST ]] && echo -e "${bold}${blue}${1}${reset}" || : + [[ -z $TEST ]] && echo "${bold}${blue}${1}${reset}" || : } -#debug() { -# [[ -z $TEST ]] && echo -e "${bold}${red}${1}${reset}" || : -#} +debug() { + [[ -z $TEST ]] && echo -e "${magenta}${1}${reset}" || : +} assertTest(){ TEST=True 
@@ -46,122 +81,187 @@ assertEnd() { printf "${reset}" } -# Defaults -export SCRIPTSDIR="tests/template-flavors" -export DIST="wheezy" -export TEMPLATE_FLAVOR="whonix-gateway" - -# Should be parses in functions! -export TEMPLATE_FLAVOR_PREFIX="" - -# Just use error to show text in red -head "=== Globals ===" -debug 'export SCRIPTSDIR="tests/template-flavors"' -debug 'export DIST="wheezy"' -debug 'export TEMPLATE_FLAVOR="whonix-gateway"' -debug 'export TEMPLATE_FLAVOR_PREFIX=""' - # ------------------------------------------------------------------------------ -head " 1. With TEMPLATE_FLAVOR - \n export SCRIPTSDIR=tests/template-flavors \ - \n export DIST=wheezy \ - \n export TEMPLATE_FLAVOR=whonix-gateway \ - \n export TEMPLATE_FLAVOR_PREFIX=" +# 1. With TEMPLATE_FLAVOR +# ------------------------------------------------------------------------------ +SCRIPTSDIR="tests/template-flavors" +DIST="wheezy" +TEMPLATE_FLAVOR="whonix-gateway" +TEMPLATE_FLAVOR_PREFIX="" + +header <+++ \ - \n Options get seperated into TEMPLATE_OPTIONS seperated by spaces" -# -export TEMPLATE_FLAVOR="whonix-gateway" -export TEMPLATE_OPTIONS=('gnome' 'kde') +TEMPLATE_FLAVOR="whonix-gateway" +TEMPLATE_OPTIONS=('gnome' 'kde') + +header < Date: Fri, 24 Oct 2014 16:17:29 -0400 Subject: [PATCH 32/83] Added ability to name tempaltes within configuration file and check/fix to make sure names under 32 characters --- Makefile | 9 ++ builder_fix_filenames | 9 ++ builder_setup | 5 + functions.sh | 50 ++++++++- tests/template-flavors/test.sh | 187 ++++++++++++++++++++++++++++----- 5 files changed, 232 insertions(+), 28 deletions(-) create mode 100755 builder_fix_filenames diff --git a/Makefile b/Makefile index f5e65d4..f9f3e50 100644 --- a/Makefile +++ b/Makefile 
@@ -6,10 +6,19 @@ export DIST dist_ver := $(shell DIST=$(DIST) ./builder_setup) DISTRIBUTION := $(word 1,$(dist_ver)) DIST_VERSION := $(word 2,$(dist_ver)) +TEMPLATE_NAME := $(word 3,$(dist_ver)) + +ifeq (,$(TEMPLATE_NAME)) TEMPLATE_NAME := $(DISTRIBUTION)-$(DIST_VERSION)-x64 ifdef TEMPLATE_FLAVOR TEMPLATE_NAME := $(TEMPLATE_NAME)-$(TEMPLATE_FLAVOR) endif +endif + +# Make sure names are < 32 characters +fix_up := $(shell TEMPLATE_NAME=$(TEMPLATE_NAME) ./builder_fix_filenames) +TEMPLATE_NAME := $(word 1,$(fix_up)) + VERSION := $(shell cat version) TIMESTAMP := $(shell date -u +%Y%m%d%H%M) diff --git a/builder_fix_filenames b/builder_fix_filenames new file mode 100755 index 0000000..6d3848f --- /dev/null +++ b/builder_fix_filenames @@ -0,0 +1,9 @@ +#!/bin/bash + +# Check template name length and fix if not under 32 characters +# Return the result + +. ./functions.sh > /dev/null + +# Check for custom template name +templateNameDist "${TEMPLATE_NAME}" diff --git a/builder_setup b/builder_setup index ba265b9..bd2b23f 100755 --- a/builder_setup +++ b/builder_setup @@ -2,6 +2,8 @@ # Setup env variables +. ./functions.sh > /dev/null + case "$DIST" in fc*) DISTRIBUTION=fedora @@ -31,3 +33,6 @@ CACHEDIR=cache_$DIST export SCRIPTSDIR CACHEDIR echo $DISTRIBUTION $VERSION + +# Check for custom template name +#templateName > /dev/null && templateName diff --git a/functions.sh b/functions.sh index d0967e6..d86543b 100755 --- a/functions.sh +++ b/functions.sh 
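Review bot: `fix_up := $(shell TEMPLATE_NAME=$(TEMPLATE_NAME) ./builder_fix_filenames)` discards the helper's exit status and takes `$(word 1,…)` of whatever it printed, so a failure inside builder_fix_filenames (functions.sh's templateName path ends in `exit 1` with "Please set an alias") leaves TEMPLATE_NAME empty or wrong and the build carries on with it. I would fail the build explicitly right after the assignment: `ifeq (,$(TEMPLATE_NAME))` / `$(error builder_fix_filenames returned no template name)` / `endif`. A name containing whitespace would also be silently cut at the first word here, which is worth a comment if that is the intended contract with templateNameDist.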
@@ -157,13 +157,61 @@ templateFlavorPrefix() { echo "${DIST}${template_flavor:++}" } +templateNameDist() { + local dist_name="${1}" + template_name="$(templateName)" && dist_name="${template_name}" + + # XXX: Temp hack to shorten name + if [ ${#dist_name} -ge 32 ]; then + if [ ${#template_name} -lt 32 ]; then + dist_name="${template_name}" + else + dist_name="${dist_name:0:31}" + fi + fi + echo ${dist_name} +} + +templateName() { + local template_flavor=${1-$(templateFlavor)} + retval=1 # Default is 1; mean no replace happened + + # Only apply options if $1 was not passed + if [ -n "${1}" ]; then + local template_options= + else + local template_options="${TEMPLATE_OPTIONS// /+}" + fi + + local template_name="$(templateFlavorPrefix ${template_flavor})${template_flavor}${template_options:++}${template_options}" + + for element in "${TEMPLATE_LABEL[@]}"; do + if [ "${element%:*}" == "${template_name}" ]; then + template_name="${element#*:}" + retval=0 + break + fi + done + + if [ ${#template_name} -ge 32 ]; then + error "Template name is greater than 31 characters: ${template_name}" + error "Please set an alias" + error "Exiting!!!" + exit 1 + fi + + echo ${template_name} + return $retval +} + templateDir() { local template_flavor=${1-$(templateFlavor)} for element in "${TEMPLATE_FLAVOR_DIR[@]}" do # (wheezy+whonix-gateway / wheezy+whonix-gateway+gnome[+++] / wheezy+gnome ) - if [ "${element%:*}" == "$(templateFlavorPrefix ${template_flavor})${template_flavor}" ]; then + #if [ "${element%:*}" == "$(templateFlavorPrefix ${template_flavor})${template_flavor}" ]; then + if [ "${element%:*}" == "$(templateName ${template_flavor})" ]; then eval echo -e ${element#*:} return # Very short name compare (+proxy) diff --git a/tests/template-flavors/test.sh b/tests/template-flavors/test.sh index c76faff..43f8fac 100755 --- a/tests/template-flavors/test.sh +++ b/tests/template-flavors/test.sh 
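Review bot: The `exit 1` in templateName runs inside the `$(templateName)` command substitution in templateNameDist, so it only ends that subshell; templateNameDist then continues with an empty `template_name`, and when the passed-in name is 32+ characters the `${#template_name} -lt 32` branch assigns that empty string, so the caller gets an empty name instead of an error (and if `error` writes to stdout rather than stderr, its text is captured as the name). I would make templateName `return 1` after the messages and have templateNameDist check the output, `[ -n "${template_name}" ] || return 1`, since templateName already returns 1 for the benign no-alias case and the status alone cannot distinguish the two. `retval` in templateName and `template_name` in templateNameDist are not declared `local`, so both leak into the shell that sources functions.sh. The `${dist_name:0:31}` fallback also means two flavors sharing a 31-character prefix collapse to the same name without any warning; at minimum that deserves a warning on stderr next to the existing XXX comment.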
@@ -55,6 +55,7 @@ values() { else printf " ${bold}${black}%-22s = ${value}${reset}\n" "${label}" || : fi + #printf "${bold}${black}%s=\"${value}\"${reset}\n" "${label}" || : VALUES[$label]="${value}" } } @@ -86,8 +87,11 @@ assertEnd() { # ------------------------------------------------------------------------------ SCRIPTSDIR="tests/template-flavors" DIST="wheezy" +DISTS_VM="" TEMPLATE_FLAVOR="whonix-gateway" TEMPLATE_FLAVOR_PREFIX="" +TEMPLATE_FLAVOR_DIR="" +TEMPLATE_OPTIONS="" header < Date: Sat, 25 Oct 2014 12:49:49 -0400 Subject: [PATCH 33/83] More whonix-gateway tweaks. It should be working now --- .../99_custom_configuration.sh | 13 +- .../wheezy+whonix-gateway/files/.facl | 7 ++ .../etc/udev/rules.d/99-qubes-whonix.rules | 1 - .../usr/lib/whonix/enable-iptables-logging.sh | 22 ++++ .../files/usr/lib/whonix/replace-ips | 114 +++++++++++------- .../files/usr/lib/whonix/setup-ip | 98 ++++++++++++--- 6 files changed, 192 insertions(+), 63 deletions(-) create mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh diff --git a/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh b/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh index 048dc79..0d4a9bb 100755 --- a/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh +++ b/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh @@ -17,7 +17,7 @@ else fi # ------------------------------------------------------------------------------ -# +# whonix-netvm-gateway contains last known IP used to search and replace # ------------------------------------------------------------------------------ if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" ]; then # -------------------------------------------------------------------------- 
@@ -26,3 +26,14 @@ if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_wh echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway" touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" fi + +# ------------------------------------------------------------------------------ +# Remove apt-cacher-ng as it conflicts with something and is only for install +# ------------------------------------------------------------------------------ +DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + chroot "$INSTALLDIR" apt-get -y --force-yes remove apt-cacher-ng + +# ------------------------------------------------------------------------------ +# Remove original sources.list. We will use one installed by Whonix now +# ------------------------------------------------------------------------------ +rm -f "${INSTALLDIR}/etc/apt/sources.list" diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl index 4e00c79..9e5e47b 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/.facl +++ b/scripts_debian/wheezy+whonix-gateway/files/.facl @@ -103,3 +103,10 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/enable-iptables-logging.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules b/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules index 679a178..8bcf97d 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules +++ b/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules @@ -1,2 +1 @@ SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip" -SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="online", RUN+="/usr/lib/whonix/setup-ip" 
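Review bot: `apt-get -y --force-yes remove apt-cacher-ng` passes `--force-yes`, which apt documents as overriding its safety checks, package authentication included; for a removal `-y` already answers the prompt, so the flag adds nothing here and sets a precedent that is dangerous if copied into an install step of this builder. I would drop it: `chroot "$INSTALLDIR" apt-get -y remove apt-cacher-ng`. Both new commands also run outside the `.prepared_whonix_custom_configurations` guard above them, so whether a second run is safe depends on apt-get's behaviour for an already-removed package; if that is intended, a comment saying the two steps are idempotent would help.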
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh
new file mode 100755
index 0000000..d3a2b95
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Check /var/log/kern.log for logging results
+
+LOG_IP4=1
+LOG_IP6=0
+
+# for IPv4
+if [ "$LOG_IP4" == "1" ]; then
+ iptables -t raw -A OUTPUT -p icmp -j TRACE
+ iptables -t raw -A PREROUTING -p icmp -j TRACE
+ modprobe ipt_LOG
+fi
+
+# for IPv6
+if [ "$LOG_IP6" == "1" ]; then
+ ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
+ ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
+ ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
+ ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
+ modprobe ip6t_LOG
+fi
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips
index dbf7022..7f818b8 100755
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips
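Review bot: The TRACE rules are appended with `-A` on every invocation and the script offers no way to remove them, so running it twice duplicates each rule and nothing documents how tracing is switched off again; on a Tor gateway that matters, because TRACE writes per-packet detail to /var/log/kern.log, which persists on disk. I would guard each append where the installed iptables supports it, e.g. `iptables -t raw -C OUTPUT -p icmp -j TRACE 2>/dev/null || iptables -t raw -A OUTPUT -p icmp -j TRACE`, and add a header comment stating that this is a debugging aid and that the raw table must be flushed (`iptables -t raw -F`) before normal use. `modprobe ipt_LOG` also runs after the rules are in place, so on a kernel without the module the rules stay installed with no logging; loading first and aborting on failure (`modprobe ipt_LOG || exit 1`) is the safer order.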
@@ -1,60 +1,86 @@ #!/bin/bash -# Search though files and updates IP address to current qubes-netvm-gateway address on startup -# of eth0 - - -DIRS="/usr/lib/leaktest-workstation/simple_ping.py \ - /usr/lib/whonixcheck/preparation \ - /usr/share/anon-kde-streamiso/share/config/kioslaverc \ - /usr/bin/whonix_firewall \ - /etc/whonix_firewall.d/30_default \ - /usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh \ - /usr/bin/uwt \ - /etc/uwt.d/30_uwt_default \ - /usr/share/tor/tor-service-defaults-torrc.anondist \ - /usr/bin/update-torbrowser \ - /etc/network/interfaces.whonix \ - /etc/resolv.conf.anondist \ - /etc/sdwdate.d/31_anon_dist_stream_isolation_plugin \ - /etc/rinetd.conf.anondist \ - /etc/network/interfaces.whonix \ - /usr/share/anon-torchat/.torchat/torchat.ini" - -# $1 = space delimited files +# Search though files and updates IP address to the current +# 'qubes-netvm-gateway' IP address + +FILES=( + '/usr/lib/leaktest-workstation/simple_ping.py' + '/usr/lib/whonixcheck/preparation' + '/usr/share/anon-kde-streamiso/share/config/kioslaverc' + '/usr/bin/whonix_firewall' + '/etc/whonix_firewall.d/30_default' + '/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh' + '/usr/bin/uwt' + '/etc/uwt.d/30_uwt_default' + '/usr/share/tor/tor-service-defaults-torrc.anondist' + '/usr/bin/update-torbrowser' + '/etc/network/interfaces.whonix' + '/etc/resolv.conf.anondist' + '/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin' + '/etc/rinetd.conf.anondist' + '/etc/network/interfaces.whonix' + '/usr/share/anon-torchat/.torchat/torchat.ini' +) + +# sed search and replace. return 0 if replace happened, otherwise 1 +search_replace() { + local search="$1" + local replace="$2" + local file="$3" + local retval=1 + + if ! [ -L "${file}" ]; then + ls_attrs="$(lsattr "${file}")" + ls_attrs=${ls_attrs:4:1} + if [ "${ls_attrs}" == "i" ]; then + chattr -i "${file}" + fi + fi + + sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" + retval=$? 
+ + if [ "${ls_attrs}" == "i" ]; then + chattr +i "${file}" + fi + + return $retval +} + function replace_ips() { - IP=$2 - LAST_IP=$3 + local search_ip="${1}" + local replace_ip="${2}" + local files=("${!3}") + local restart_tor=0 - if ! [ "$LAST_IP" == "$IP" ]; then - for file in $1; do + # If IP is 10.152.152.10, network is 10.152.152.0 + replace_network="${replace_ip%.*}.0" + search_network="${search_ip%.*}.0" + + if ! [ "${search_ip}" == "${replace_ip}" ]; then + for file in "${files[@]}"; do if [ -f "$file" ]; then - #find / -xdev -type f -print0 | xargs -0r file | grep 'ASCII text' | awk -F: '{print $1}' | \ - # xargs -d'\n' -r sed -i "s/$LAST_IP/$IP/g" - #find / -xdev -type f -print0 | xargs -0r file | grep 'ASCII text' | awk -F: '{print $1}' | \ - # xargs -d'\n' -r sed -i "s/$LAST_IP_PART./$IP_PART./g" - sed -i "s/$LAST_IP/$IP/g" "$file" + search_replace "${search_ip}" "${replace_ip}" "${file}" && restart_tor=1 + search_replace "${search_network}" "${replace_network}" "${file}" && restart_tor=1 fi done - echo "$IP" > /etc/whonix-netvm-gateway - service tor restart + + if [ "${restart_tor}" == "1" ]; then + echo "${replace_ip}" > /etc/whonix-netvm-gateway + service tor restart + fi fi } -IP=`xenstore-read qubes-netvm-gateway` -IP_PART=$(echo $IP | cut -f 1,2,3 -d".") -LAST_IP="$(cat /etc/whonix-netvm-gateway)" -LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".") -replace_ips "$DIRS" $IP $LAST_IP +ip="$(xenstore-read qubes-netvm-gateway)" + +# Compare to current IP address assiged by Qubes +replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] # Do again; checking for original 10.152.152.10 incase of update -LAST_IP=10.152.152.10 -LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".") -replace_ips "$DIRS" $IP $LAST_IP +replace_ips "10.152.152.10" "${ip}" FILES[@] # Do again; checking for original 10.152.152.11 incase of update -LAST_IP=10.152.152.11 -LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".") -replace_ips "$DIRS" $IP $LAST_IP +replace_ips 
"10.152.152.11" "${ip}" FILES[@] diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip index 0c4fbec..2044731 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip 
@@ -1,34 +1,94 @@ -#!/bin/sh +#!/bin/bash if [ -x /usr/sbin/xenstore-read ]; then XENSTORE_READ="/usr/sbin/xenstore-read" else XENSTORE_READ="/usr/bin/xenstore-read" fi +ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) + +INTERFACE="eth1" # Create a dummy eth1 interface so tor can bind to it if there # are no DOMU virtual machines connected at the moment -INTERFACE="eth1" -/sbin/ip link add $INTERFACE type dummy - -# Now, assign it the netvm-gateway IP address -ip=$($XENSTORE_READ qubes-netvm-gateway 2> /dev/null) -if [ x$ip != x ]; then - netmask=$($XENSTORE_READ qubes-netvm-netmask) - gateway=$($XENSTORE_READ qubes-netvm-gateway) - /sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255 - /sbin/ifconfig $INTERFACE up - /sbin/ethtool -K $INTERFACE sg off - /sbin/ethtool -K $INTERFACE tx off -fi +ip link show ${INTERFACE} >> /dev/null || { + /sbin/ip link add ${INTERFACE} type dummy + + # Now, assign it the netvm-gateway IP address + if [ x${ip} != x ]; then + netmask=$(${XENSTORE_READ} qubes-netvm-netmask) + gateway=$(${XENSTORE_READ} qubes-netvm-gateway) + /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 + /sbin/ifconfig ${INTERFACE} up + /sbin/ethtool -K ${INTERFACE} sg off + /sbin/ethtool -K ${INTERFACE} tx off + fi +} + +# Files that will have the immutable bit set +# since we don't want them modified by other programs +IMMUTABLE_FILES=( + '/etc/resolv.conf' + '/etc/hostname' + '/etc/hosts' +) + +immutableFilesEnable() { + files="${1}" + suffix="${2}" + + for file in "${files[@]}"; do + if [ -f "${file}" ] && ! [ -L "${file}" ]; then + chattr +i "${file}${suffix}" + fi + done +} + +immutableFilesDisable() { + files="${1}" + suffix="${2}" + + for file in "${files[@]}"; do + if [ -f "${file}" ] && ! 
[ -L "${file}" ]; then + chattr -i "${file}${suffix}" + fi + done +} + +copyAnondist() { + file="${1}" + suffix="${2-.anondist}" + + # Remove any softlinks first + if [ -L "${file}" ]; then + rm -f "${file}" + fi + + if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then + chattr -i "${file}" + rm -f "${file}" + cp -p "${file}${suffix}" "${file}" + chattr +i "${file}" + elif ! [ -f "${file}" ]; then + cp -p "${file}${suffix}" "${file}" + chattr +i "${file}" + fi +} + +# Make sure all .anondist files in list are immutable +immutableFilesEnable "${IMMUTABLE_FILES}" +immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" + +# Make sure we are using a copy of the annondist file and if not +# copy the annondist file and set it immutable +copyAnondist "/etc/resolv.conf" +copyAnondist "/etc/hosts" +copyAnondist "/etc/hostname" # Replace IP addresses in known configuration files / scripts to # currently discovered one /usr/lib/whonix/replace-ips -# Make sure we have correct nameserver set -echo "nameserver 127.0.0.1" > /etc/resolv.conf - # Make sure hostname is correct /bin/hostname -b host @@ -36,3 +96,7 @@ echo "nameserver 127.0.0.1" > /etc/resolv.conf export INT_IF="vif+" export INT_TIF="vif+" /usr/bin/whonix_firewall + +# Route any traffic FROM netvm TO netvm BACK-TO localhost +# Allows localhost access to tor network +iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 From cd19220993c8299a493d9cee8c436f25c8751e11 Mon Sep 17 00:00:00 2001 
From: Jason Mehring Date: Sat, 25 Oct 2014 18:06:30 -0400 Subject: [PATCH 34/83] Whonix-gateway configurations --- functions.sh | 5 + mnt/.gitignore | 0 .../99_custom_configuration.sh | 11 -- .../99_custom_configuration.sh | 20 +++- .../wheezy+whonix-workstation/files/.facl | 112 ++++++++++++++++++ .../files/etc/hostname | 1 + .../wheezy+whonix-workstation/files/etc/hosts | 16 +++ .../files/etc/sudoers.d/qubes | 46 +++++++ .../etc/udev/rules.d/99-qubes-whonix.rules | 1 + .../usr/lib/whonix/enable-iptables-logging.sh | 22 ++++ .../files/usr/lib/whonix/replace-ips | 88 ++++++++++++++ .../files/usr/lib/whonix/setup-ip | 71 +++++++++++ .../02_install_groups_packages_installed.sh | 14 ++- 13 files changed, 394 insertions(+), 13 deletions(-) delete mode 100644 mnt/.gitignore create mode 100644 scripts_debian/wheezy+whonix-workstation/files/.facl create mode 100644 scripts_debian/wheezy+whonix-workstation/files/etc/hostname create mode 100644 scripts_debian/wheezy+whonix-workstation/files/etc/hosts create mode 100644 scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/qubes create mode 100644 scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip diff --git a/functions.sh b/functions.sh index d86543b..fa73126 100755 --- a/functions.sh +++ b/functions.sh @@ -169,6 +169,9 @@ templateNameDist() { dist_name="${dist_name:0:31}" fi fi + + # Remove and '+' characters from name since they are invalid for name + dist_name="${dist_name//+/-}" echo ${dist_name} } 
@@ -185,6 +188,8 @@ templateName() { local template_name="$(templateFlavorPrefix ${template_flavor})${template_flavor}${template_options:++}${template_options}" + # Make sure TEMPLATE_LABEL is an array + TEMPLATE_LABEL=( ${TEMPLATE_LABEL} ) for element in "${TEMPLATE_LABEL[@]}"; do if [ "${element%:*}" == "${template_name}" ]; then template_name="${element#*:}" diff --git a/mnt/.gitignore b/mnt/.gitignore deleted file mode 100644 index e69de29..0000000 diff --git a/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh b/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh index 0d4a9bb..9e0a543 100755 --- a/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh +++ b/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh @@ -26,14 +26,3 @@ if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_wh echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway" touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" fi - -# ------------------------------------------------------------------------------ -# Remove apt-cacher-ng as it conflicts with something and is only for install -# ------------------------------------------------------------------------------ -DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - chroot "$INSTALLDIR" apt-get -y --force-yes remove apt-cacher-ng - -# ------------------------------------------------------------------------------ -# Remove original sources.list. We will use one installed by Whonix now -# ------------------------------------------------------------------------------ -rm -f "${INSTALLDIR}/etc/apt/sources.list" diff --git a/scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh b/scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh index 5dcba8e..e19d7d9 100755 --- a/scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh +++ b/scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh 
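Review bot: `TEMPLATE_LABEL=( ${TEMPLATE_LABEL} )` reads only element 0 when TEMPLATE_LABEL is already an array, so a caller that set several `name:alias` pairs as an array loses every entry but the first, and the unquoted expansion is also subject to pathname globbing. `TEMPLATE_LABEL=( ${TEMPLATE_LABEL[@]} )` covers both the string and the array case (a string is still word-split), with `set -f`/`set +f` around it if labels may contain glob characters. The assignment also rewrites the caller's global from inside a library function on every call; copying into `local labels=( … )` and looping over that would keep templateName free of side effects. The enclosing templateName starts before this hunk.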
@@ -2,11 +2,29 @@ # vim: set ts=4 sw=4 sts=4 et : # ------------------------------------------------------------------------------ -# Configurations +# Source external scripts # ------------------------------------------------------------------------------ . $SCRIPTSDIR/vars.sh . ./umount_kill.sh >/dev/null +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x +else + set -e +fi + +# ------------------------------------------------------------------------------ +# whonix-netvm-gateway contains last known IP used to search and replace +# ------------------------------------------------------------------------------ +if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" ]; then + # -------------------------------------------------------------------------- + # Install Custom Configurations + # -------------------------------------------------------------------------- + echo "10.152.152.11" > "$INSTALLDIR/etc/whonix-ip" + echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway" + + touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl new file mode 100644 index 0000000..9e5e47b --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/.facl 
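Review bot: `set -e` is now enabled only in the `else` branch, so any run with `VERBOSE` >= 2 or `DEBUG=1` loses fail-fast behaviour exactly when the script is being debugged, and a failed `echo >` into `$INSTALLDIR/etc` would still be followed by the `touch` of the `.prepared_whonix_custom_configurations` marker. The two options are independent: call `set -e` unconditionally and keep `if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then set -x; fi` purely for tracing. The same `set -x`/`set -e` either-or is repeated in patch 43's gnome/04_install_qubes_post.sh.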
@@ -0,0 +1,112 @@ +# file: . +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/hosts +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/udev +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/udev/rules.d +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/udev/rules.d/99-qubes-whonix.rules +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/hostname +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/sudoers.d +# owner: root +# group: user +user::rwx +group::r-x +other::r-x + +# file: etc/sudoers.d/qubes +# owner: root +# group: root +user::r-- +group::r-- +other::--- + +# file: .facl +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: usr +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/setup-ip +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/replace-ips +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/enable-iptables-logging.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/hostname b/scripts_debian/wheezy+whonix-workstation/files/etc/hostname new file mode 100644 index 0000000..c70dc2d --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/etc/hostname @@ -0,0 +1 @@ +host diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/hosts b/scripts_debian/wheezy+whonix-workstation/files/etc/hosts new file mode 100644 index 0000000..87b1540 --- /dev/null 
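Review bot: The `etc/sudoers.d` entry in this .facl carries `# group: user` while every other entry is root:root; since the tree is presumably restored with `setfacl --restore` (which applies the owner/group comments, see copyTreeExec in functions.sh), the template's /etc/sudoers.d would end up group-owned by the unprivileged build user. The directory mode is r-x for the group so sudo should still accept it, but the value is clearly a build-host artifact; change it to `# group: root` and regenerate the listing as root so it does not recur.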
+++ b/scripts_debian/wheezy+whonix-workstation/files/etc/hosts @@ -0,0 +1,16 @@ +## Anonymity Distribution /etc/hosts + +## Defaults +127.0.0.1 host +::1 host ip6-host ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters +## End of defaults + +## Anonymity Distribution specific +127.0.0.1 host.localdomain host +## End of Anonymity Distribution specific + +## End of Anonymity Distribution /etc/hosts diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/qubes b/scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/qubes new file mode 100644 index 0000000..8087a90 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/qubes 
@@ -0,0 +1,46 @@ +user ALL=(ALL) NOPASSWD: ALL + +# WTF?! Have you lost your mind?! +# +# In Qubes VMs there is no point in isolating the root account from +# the user account. This is because all the user data are already +# accessible from the user account, so there is no direct benefit for +# the attacker if she could escalate to root (there is even no benefit +# in trying to install some persistent rootkits, as the VM's root +# filesystem modifications are lost upon each start of a VM). +# +# One might argue that some hypothetical attacks against the +# hypervisor or the few daemons/backends in Dom0 (so VM escape +# attacks) most likely would require root access in the VM to trigger +# the attack. +# +# That's true, but mere existence of such a bug in the hypervisor or +# Dom0 that could be exploited by a malicious VM, no matter whether +# requiring user, root, or even kernel access in the VM, would be +# FATAL. In such situation (if there was such a bug in Xen) there +# really is no comforting that: "oh, but the mitigating factor was +# that the attacker needed root in VM!" We're not M$, and we're not +# gonna BS our users that there are mitigating factors in that case, +# and for sure, root/user isolation is not a mitigating factor. +# +# Because, really, if somebody could find and exploit a bug in the Xen +# hypervisor -- so far there have been only one (!) publicly disclosed +# exploitable bug in the Xen hypervisor from a VM, found in 2008, +# incidentally by one of the Qubes developers (RW) -- then it would be +# highly unlikely if that person couldn't also found a user-to-root +# escalation in VM (which as we know from history of UNIX/Linux +# happens all the time). +# +# At the same time allowing for easy user-to-root escalation in a VM +# is simply convenient for users, especially for update installation. +# +# Currently this still doesn't work as expected, because some idotic +# piece of software called PolKit uses own set of policies. 
We're +# planning to address this in Beta 2. (Why PolKit is an idiocy? Do a +# simple experiment: start 'xinput test' in one xterm, running as +# user, then open some app that uses PolKit and asks for root +# password, e.g. gpk-update-viewer -- observe how all the keystrokes +# with root password you enter into the "secure" PolKit dialog box can +# be seen by the xinput program...) +# +# joanna. diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules b/scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules new file mode 100644 index 0000000..8bcf97d --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules @@ -0,0 +1 @@ +SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip" diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh new file mode 100755 index 0000000..d3a2b95 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +# Check /var/log/kern.log for logging results + +LOG_IP4=1 +LOG_IP6=0 + +# for IPv4 +if [ "$LOG_IP4" == "1" ]; then + iptables -t raw -A OUTPUT -p icmp -j TRACE + iptables -t raw -A PREROUTING -p icmp -j TRACE + modprobe ipt_LOG +fi + +# for IPv6 +if [ "$LOG_IP6" == "1" ]; then + ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE + ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE + ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE + ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE + modprobe ip6t_LOG +fi 
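Review bot: The udev rule runs `/usr/lib/whonix/setup-ip` directly from `RUN+=`, and that script (added later in this series) rewrites more than a dozen files with sed and then runs `/usr/bin/whonix_firewall`, which is far more than the short, non-blocking helper udev expects in RUN; udev kills RUN programs that outlive its event timeout, and the rule fires on every `eth*` add, so a second interface reruns the whole sequence. Move the heavy steps into an init job that the rule merely signals, or at least detach setup-ip so the event is not held open, and add a comment on the rule saying what it triggers and why it must stay short.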
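Review bot: enable-iptables-logging.sh appends its TRACE rules with `-A` and no existence check, so each invocation adds another copy of every rule to the raw table, and with no `set -e` a failed iptables call goes unnoticed. Guard each insertion, e.g. `iptables -t raw -C OUTPUT -p icmp -j TRACE 2>/dev/null || iptables -t raw -A OUTPUT -p icmp -j TRACE`. Because TRACE writes every matching packet to kern.log, the header comment should say this is a diagnostic to be reverted afterwards, not something to leave enabled on an anonymity workstation.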
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips new file mode 100755 index 0000000..3a43484 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips 
@@ -0,0 +1,88 @@ +#!/bin/bash + +# Search though files and updates IP address to the current +# 'qubes-netvm-gateway' IP address + +FILES=( + '/usr/lib/leaktest-workstation/simple_ping.py' + '/usr/lib/whonixcheck/preparation' + '/usr/share/anon-kde-streamiso/share/config/kioslaverc' + '/usr/bin/whonix_firewall' + '/etc/whonix_firewall.d/30_default' + '/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh' + '/usr/bin/uwt' + '/etc/uwt.d/30_uwt_default' + '/usr/share/tor/tor-service-defaults-torrc.anondist' + '/usr/bin/update-torbrowser' + '/etc/network/interfaces.whonix' + '/etc/resolv.conf.anondist' + '/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin' + '/etc/rinetd.conf.anondist' + '/etc/network/interfaces.whonix' + '/usr/share/anon-torchat/.torchat/torchat.ini' +) + +# sed search and replace. return 0 if replace happened, otherwise 1 +search_replace() { + local search="$1" + local replace="$2" + local file="$3" + local retval=1 + + if ! [ -L "${file}" ]; then + ls_attrs="$(lsattr "${file}")" + ls_attrs=${ls_attrs:4:1} + if [ "${ls_attrs}" == "i" ]; then + chattr -i "${file}" + fi + fi + + sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" + retval=$? + + if [ "${ls_attrs}" == "i" ]; then + chattr +i "${file}" + fi + + return $retval +} + +function replace_ips() +{ + local search_ip="${1}" + local replace_ip="${2}" + local files=("${!3}") + local replaced=0 + + # If IP is 10.152.152.10, network is 10.152.152.0 + replace_network="${replace_ip%.*}.0" + search_network="${search_ip%.*}.0" + + if ! 
[ "${search_ip}" == "${replace_ip}" ]; then + for file in "${files[@]}"; do + if [ -f "$file" ]; then + search_replace "${search_ip}" "${replace_ip}" "${file}" && replaced=1 + search_replace "${search_network}" "${replace_network}" "${file}" && replaced=1 + fi + done + fi + + return $replaced +} + +ip="$(xenstore-read qubes-ip)" +gateway="$(xenstore-read qubes-gateway)" + +# Compare to current IP address assiged by Qubes +replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + +# Do again; checking for original 10.152.152.11 incase of update +replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + +# Compare to current gateway IP address assiged by Qubes +replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + +# Do again; checking for original 10.152.152.10 incase of update +replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + + diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip new file mode 100755 index 0000000..d8aa2ba --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip 
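Review bot: replace_ips returns `$replaced`, which is 0 when nothing was substituted and 1 when something was, so the trailing `replace_ips … && echo "${ip}" > /etc/whonix-ip` lines rewrite the state files exactly when no replacement happened and leave them stale after a real change; search_replace's own comment documents the opposite convention, so initialise `local replaced=1` and set `replaced=0` on a successful substitution. The results of `xenstore-read qubes-ip` / `qubes-gateway` are used unchecked: if a read fails, `replace_ip` is empty, differs from the search address, and every listed file, including `/usr/bin/whonix_firewall`, has its address replaced by nothing, so add `[ -n "${ip}" ] && [ -n "${gateway}" ] || exit 1` before the calls. Also, `ls_attrs` in search_replace is not `local` and is only set on the non-symlink path, so for a symlink the `chattr +i` decision reuses the value from the previous call, and `search` goes into the sed address with its dots unescaped, so it matches more than the literal address. replace-ips.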
@@ -0,0 +1,71 @@ +#!/bin/bash + +# Files that will have the immutable bit set +# since we don't want them modified by other programs +IMMUTABLE_FILES=( + '/etc/resolv.conf' + '/etc/hostname' + '/etc/hosts' +) + +immutableFilesEnable() { + files="${1}" + suffix="${2}" + + for file in "${files[@]}"; do + if [ -f "${file}" ] && ! [ -L "${file}" ]; then + chattr +i "${file}${suffix}" + fi + done +} + +immutableFilesDisable() { + files="${1}" + suffix="${2}" + + for file in "${files[@]}"; do + if [ -f "${file}" ] && ! [ -L "${file}" ]; then + chattr -i "${file}${suffix}" + fi + done +} + +copyAnondist() { + file="${1}" + suffix="${2-.anondist}" + + # Remove any softlinks first + if [ -L "${file}" ]; then + rm -f "${file}" + fi + + if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then + chattr -i "${file}" + rm -f "${file}" + cp -p "${file}${suffix}" "${file}" + chattr +i "${file}" + elif ! [ -f "${file}" ]; then + cp -p "${file}${suffix}" "${file}" + chattr +i "${file}" + fi +} + +# Make sure all .anondist files in list are immutable +immutableFilesEnable "${IMMUTABLE_FILES}" +immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" + +# Make sure we are using a copy of the annondist file and if not +# copy the annondist file and set it immutable +copyAnondist "/etc/resolv.conf" +copyAnondist "/etc/hosts" +copyAnondist "/etc/hostname" + +# Replace IP addresses in known configuration files / scripts to +# currently discovered one +/usr/lib/whonix/replace-ips + +# Make sure hostname is correct +/bin/hostname -b host + +# Start Whonix Firewall +/usr/bin/whonix_firewall diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 191bdff..c3f8d3e 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh 
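Review bot: immutableFilesEnable/immutableFilesDisable are called with `"${IMMUTABLE_FILES}"`, which expands to the first element only, and inside the function `files="${1}"` is a scalar, so `"${files[@]}"` iterates over `/etc/resolv.conf` alone; `/etc/hostname` and `/etc/hosts` are never covered by these loops, and the `-f`/`-L` test checks `${file}` while `chattr` is applied to `${file}${suffix}`. Passing the suffix first and the files as the remaining arguments fixes both, as below. copyAnondist has the related gap that `cp -p "${file}${suffix}" "${file}"` runs without checking that the .anondist source exists, so a missing one leaves the target deleted (there is no `set -e`); a `[ -f "${file}${suffix}" ] || return 1` at the top of that function would close it.
```shell
immutableFilesEnable() {
    local suffix="${1}"; shift
    local file
    for file in "$@"; do
        if [ -f "${file}${suffix}" ] && ! [ -L "${file}${suffix}" ]; then
            chattr +i "${file}${suffix}"
        fi
    done
}

immutableFilesDisable() {
    local suffix="${1}"; shift
    local file
    for file in "$@"; do
        if [ -f "${file}${suffix}" ] && ! [ -L "${file}${suffix}" ]; then
            chattr -i "${file}${suffix}"
        fi
    done
}

# … unchanged: copyAnondist …

# Make sure all .anondist files in list are immutable
immutableFilesEnable "" "${IMMUTABLE_FILES[@]}"
immutableFilesEnable ".anondist" "${IMMUTABLE_FILES[@]}"

# … unchanged: copyAnondist calls, replace-ips, hostname, firewall …
```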
@@ -75,6 +75,8 @@ popd ################################################################################ # Post Fixups +set -e + pushd /etc/network sudo rm -f interfaces sudo ln -s interfaces.backup interfaces @@ -86,7 +88,9 @@ sudo ln -s resolv.conf.backup resolv.conf popd # Enable Tor -sudo sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' /etc/tor/torrc +if [ "${1}" == "whonix-gateway" ]; then + sudo sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' /etc/tor/torrc +fi # Fake that whonixsetup was already run sudo mkdir -p /var/lib/whonix/do_once @@ -107,6 +111,14 @@ sudo update-rc.d spice-vdagent disable sudo update-rc.d swap-file-creator disable sudo update-rc.d whonix-initializer disable +# Remove original sources.list +sudo rm -f /etc/apt/sources.list +sudo apt-get.anondist-orig update + +# Remove apt-cacher-ng +DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + sudo apt-get.anondist-orig -y --force-yes remove apt-cacher-ng + sudo touch "/tmp/.prepared_whonix" EOF From 46868985194cf4c1369fddce207709e5cc407faf Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 26 Oct 2014 14:46:20 -0400 Subject: [PATCH 35/83] Fix enable tor regression --- .../02_install_groups_packages_installed.sh | 4 ++-- .../wheezy+whonix/04_install_qubes_post.sh | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index c3f8d3e..82d9372 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh @@ -84,11 +84,11 @@ popd pushd /etc sudo rm -f resolv.conf -sudo ln -s resolv.conf.backup resolv.conf +sudo cp -p resolv.conf.backup resolv.conf popd # Enable Tor -if [ "${1}" == "whonix-gateway" ]; then +if [ "${1}" == "--torgateway" ]; then sudo sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' /etc/tor/torrc fi 
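Review bot: The apt-cacher-ng removal added at the end of the post-fixup block uses `--force-yes`, an option apt-get documents as dangerous because it continues past checks that would otherwise stop the operation (including package authentication), and for a non-interactive `remove` of one package `-y` already answers the prompt; drop it: `sudo apt-get.anondist-orig -y remove apt-cacher-ng`. The new `set -e` is switched on only at "Post Fixups", so the steps earlier in this heredoc still run without fail-fast; if that is intended, a one-line comment saying why would help. The enclosing heredoc starts outside the hunk.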
diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh index ad34e9c..b9e7e50 100755 --- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh +++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh @@ -38,12 +38,12 @@ fi # ------------------------------------------------------------------------------ # Restore whonix resolv.conf # ------------------------------------------------------------------------------ -if [ -L "$INSTALLDIR/etc/resolv.conf" ]; then - pushd "$INSTALLDIR/etc" - sudo rm -f resolv.conf - sudo ln -s resolv.conf.anondist resolv.conf - popd -fi +pushd "$INSTALLDIR/etc" +{ + rm -f resolv.conf + cp -p resolv.conf.anondist resolv.conf +} +popd # -------------------------------------------------------------------------- # Copy over any extra files that may be needed that are located in From 8588625650af7d7645074ec1325b113191e7d508 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 26 Oct 2014 14:48:09 -0400 Subject: [PATCH 36/83] Fixed debian fonts issue where terminal would initially display black on black text Added some default themes Added default rendering options --- functions.sh | 22 +++--- scripts_debian/04_install_qubes.sh | 6 ++ scripts_debian/packages_qubes.list | 3 + scripts_debian/qubes-files/.facl | 70 +++++++++++++++++++ .../etc/X11/Xsession.d/25xdg-qubes-settings | 18 +++++ scripts_debian/qubes-files/etc/xdg/Xresources | 5 ++ scripts_debian/qubes-files/etc/xdg/fonts.conf | 29 ++++++++ scripts_debian/qubes-files/etc/xdg/xsettingsd | 19 +++++ scripts_debian/vars.sh | 2 +- 9 files changed, 165 insertions(+), 9 deletions(-) create mode 100644 scripts_debian/qubes-files/.facl create mode 100755 scripts_debian/qubes-files/etc/X11/Xsession.d/25xdg-qubes-settings create mode 100644 scripts_debian/qubes-files/etc/xdg/Xresources create mode 100644 scripts_debian/qubes-files/etc/xdg/fonts.conf create mode 100644 scripts_debian/qubes-files/etc/xdg/xsettingsd 
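Review bot: The rewritten resolv.conf restore does `rm -f resolv.conf` before `cp -p resolv.conf.anondist resolv.conf` with no check that the .anondist source exists and no guard on `pushd`, so a missing source leaves the template without a resolv.conf, and unless the script runs under `set -e` (its header is outside the hunk) a failed pushd would run the `rm` in the caller's directory; the `{ }` grouping around the two commands has no effect. `pushd "$INSTALLDIR/etc" || exit 1` and `[ -f resolv.conf.anondist ] || exit 1` before the `rm` close both gaps. The dropped `-L` test at least skipped the step when there was nothing to replace, so a comment explaining why the copy is now unconditional would be useful.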
diff --git a/functions.sh b/functions.sh index fa73126..c579c87 100755 --- a/functions.sh +++ b/functions.sh @@ -272,25 +272,26 @@ buildStepExec() { } copyTreeExec() { - local calling_script="$1" + local source_dir="$1" local dir="$2" local template_flavor="$3" + local target_dir="$4" local template_dir="$(templateDir ${template_flavor})" - local source_dir="$(readlink -m ${template_dir}/${dir})" - local install_dir="$(readlink -m ${INSTALLDIR})" + local source_dir="$(readlink -m ${source_dir:-${template_dir}}/${dir})" + local target_dir="$(readlink -m ${target_dir:-${INSTALLDIR}})" if ! [ -d "${source_dir}" ]; then debug "No extra files to copy for ${dir}" return 0 fi - debug "Copying ${source_dir}/* ${install_dir}" - cp -rp "${source_dir}/"* "${install_dir}" + debug "Copying ${source_dir}/* ${target_dir}" + cp -rp "${source_dir}/"* "${target_dir}" if [ -f "${source_dir}/.facl" ]; then debug "Restoring file permissions..." - pushd "$install_dir" + pushd "${target_dir}" { setfacl --restore="${source_dir}/.facl" 2>/dev/null ||: } @@ -368,11 +369,16 @@ buildStep() { # NOTE: Don't forget to redo this process if you add -OR- remove files # ------------------------------------------------------------------------------ copyTree() { - local not_used="" local dir="$1" + local source_dir="$2" + local target_dir="$3" local function="copyTreeExec" - callTemplateFunction "${not_used}" "${dir}" "${function}" + if [ "x${source_dir}" == "x" ]; then + callTemplateFunction "" "${dir}" "${function}" + else + copyTreeExec "${source_dir}" "${dir}" "" "${target_dir}" + fi } # $0 is module that sourced vars.sh diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh index 94071c9..c5067b4 100755 --- a/scripts_debian/04_install_qubes.sh +++ b/scripts_debian/04_install_qubes.sh 
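Review bot: In copyTreeExec the two `readlink -m` calls take `${source_dir:-${template_dir}}/${dir}` and `${target_dir:-${INSTALLDIR}}` unquoted, so a path containing whitespace is split into several arguments and the wrong (or no) tree is resolved; patch 42's test.sh on this page deliberately uses a directory named `whonix gw`. Quote them: `local source_dir="$(readlink -m "${source_dir:-${template_dir}}/${dir}")"` and `local target_dir="$(readlink -m "${target_dir:-${INSTALLDIR}}")"`. The `setfacl --restore … 2>/dev/null ||:` just below is also worth revisiting now that .facl files carry ownership and modes for sudoers.d and udev rules: a failed restore currently leaves whatever `cp -rp` brought over from the build host, silently, so at minimum report it with `debug`.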
@@ -182,6 +182,12 @@ EOF # Need a xen log directory or xen scripts will fail # -------------------------------------------------------------------------- mkdir -p -m 0700 "$INSTALLDIR/var/log/xen" + + # -------------------------------------------------------------------------- + # Copy extra files to installation directory. Contains: + # - font fixes for display issues + # -------------------------------------------------------------------------- + copyTree "qubes-files" "${SCRIPTSDIR}" "${INSTALLDIR}" fi # ------------------------------------------------------------------------------ diff --git a/scripts_debian/packages_qubes.list b/scripts_debian/packages_qubes.list index d14a42b..11bcbd2 100644 --- a/scripts_debian/packages_qubes.list +++ b/scripts_debian/packages_qubes.list @@ -1,2 +1,5 @@ qubes-core-agent qubes-gui-agent +xdg-user-dirs +gnome-themes-standard +xsettingsd diff --git a/scripts_debian/qubes-files/.facl b/scripts_debian/qubes-files/.facl new file mode 100644 index 0000000..641da9f --- /dev/null +++ b/scripts_debian/qubes-files/.facl @@ -0,0 +1,70 @@ +# file: . +# owner: user +# group: user +user::rwx +group::r-x +other::r-x + +# file: etc +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/xdg +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/xdg/Xresources +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/xdg/fonts.conf +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/xdg/xsettingsd +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/X11 +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/X11/Xsession.d +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/X11/Xsession.d/25xdg-qubes-settings +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: .facl +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + 
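Review bot: The first entry of qubes-files/.facl, `# file: .`, is recorded as `# owner: user` / `# group: user`, and copyTreeExec (patch 36's functions.sh hunk) runs `setfacl --restore` from inside the target directory, which is `${INSTALLDIR}` for the `copyTree "qubes-files" "${SCRIPTSDIR}" "${INSTALLDIR}"` call added in the same commit; restoring the owner comments therefore chowns the template's root directory to the unprivileged build user. Every other entry is root:root, so this is a build-host artifact: set `# owner: root` and `# group: root` for `.`, and regenerate the listing as root so it does not recur.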
diff --git a/scripts_debian/qubes-files/etc/X11/Xsession.d/25xdg-qubes-settings b/scripts_debian/qubes-files/etc/X11/Xsession.d/25xdg-qubes-settings new file mode 100755 index 0000000..3bab64b --- /dev/null +++ b/scripts_debian/qubes-files/etc/X11/Xsession.d/25xdg-qubes-settings @@ -0,0 +1,18 @@ +#!/bin/sh + +installConfigurationFile() { + file="${1}" + + if ! [ -f "${HOME}/.${file}" ]; then + if [ -f "/etc/xdg/${file}" ]; then + cp "/etc/xdg/${file}" "${HOME}/.${file}" + fi + fi +} + +if [ -x /usr/bin/xsettingsd ]; then + installConfigurationFile "xsettingsd" + installConfigurationFile "fonts.conf" + installConfigurationFile "Xresources" + /usr/bin/xsettingsd & +fi diff --git a/scripts_debian/qubes-files/etc/xdg/Xresources b/scripts_debian/qubes-files/etc/xdg/Xresources new file mode 100644 index 0000000..2bb5317 --- /dev/null +++ b/scripts_debian/qubes-files/etc/xdg/Xresources @@ -0,0 +1,5 @@ +Xft.antialias: 1 +Xft.hinting: 1 +Xft.rgba: rgb +Xft.hintstyle: hintslight +Xft.lcdfilter: lcddefault diff --git a/scripts_debian/qubes-files/etc/xdg/fonts.conf b/scripts_debian/qubes-files/etc/xdg/fonts.conf new file mode 100644 index 0000000..17408f4 --- /dev/null +++ b/scripts_debian/qubes-files/etc/xdg/fonts.conf @@ -0,0 +1,29 @@ + + + + + + rgb + + + + + true + + + + + hintslight + + + + + true + + + + + lcddefault + + + diff --git a/scripts_debian/qubes-files/etc/xdg/xsettingsd b/scripts_debian/qubes-files/etc/xdg/xsettingsd new file mode 100644 index 0000000..1cf2f71 --- /dev/null +++ b/scripts_debian/qubes-files/etc/xdg/xsettingsd @@ -0,0 +1,19 @@ +Gtk/ButtonImages 1 +Gtk/CursorThemeName "Vanilla-DMZ" +Gtk/FontName "sans 10" +Gtk/KeyThemeName "Adwaita" +Gtk/MenuImages 1 +Gtk/ToolbarIconSize 2 +Gtk/ToolbarStyle "Icons" + +Net/EnableEventSounds 0 +Net/EnableInputFeedbackSounds 0 +Net/FallbackIconTheme "gnome" +Net/IconThemeName "gnome" +Net/ThemeName "Adwaita" + +Xft/Antialias 1 +Xft/Hinting 1 +Xft/HintStyle "hintslight" +Xft/RGBA "rgb" +Xft/lcdfilter "lcddefault" 
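Review bot: The Xsession.d snippet starts `/usr/bin/xsettingsd &` on every session start without checking for an instance already running, so a second login or a re-run of the Xsession scripts leaves duplicate daemons serving the same settings. Guard it with `pgrep -x -u "$(id -u)" xsettingsd >/dev/null || /usr/bin/xsettingsd &`. installConfigurationFile also ignores a failed `cp`, and since the file is `#!/bin/sh` there is no `local`, so a short comment noting that `file` is intentionally global would help the next reader.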
diff --git a/scripts_debian/vars.sh b/scripts_debian/vars.sh index b2450b1..5f191ee 100755 --- a/scripts_debian/vars.sh +++ b/scripts_debian/vars.sh @@ -12,8 +12,8 @@ DEBIANVERSION=$DIST # Location to grab debian packages #DEBIAN_MIRROR=http://http.debian.net/debian -#DEBIAN_MIRROR=http://mirror.csclub.uwaterloo.ca/debian/ DEBIAN_MIRROR=http://ftp.ca.debian.org/debian/ +#DEBIAN_MIRROR=http://ftp.us.debian.org/debian/ # XXX: Is this even used? EXTRAPKGS="openssh-clients,screen,vim-nox,less" From 99ef1072fa0dfa45140cf11dcd25abf47e535b5d Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 26 Oct 2014 14:55:22 -0400 Subject: [PATCH 37/83] Convert tabs in hosts file to spaces so qubes can parse it correctly --- scripts_debian/04_install_qubes.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh index c5067b4..47530d4 100755 --- a/scripts_debian/04_install_qubes.sh +++ b/scripts_debian/04_install_qubes.sh @@ -188,6 +188,13 @@ EOF # - font fixes for display issues # -------------------------------------------------------------------------- copyTree "qubes-files" "${SCRIPTSDIR}" "${INSTALLDIR}" + + # -------------------------------------------------------------------------- + # Looks like hosts file may contain tabs and qubes will not parse it + # correctly + # -------------------------------------------------------------------------- + expand "${INSTALLDIR}/etc/hosts" > "${INSATLLDIR}/etc/hosts.dist" + mv "${INSTALLDIR}/etc/hosts.dist" "${INSATLLDIR}/etc/hosts" fi # ------------------------------------------------------------------------------ From dd49aff3e3cb33cc94c35d9ebab1a6f643e7bcef Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 26 Oct 2014 14:59:38 -0400 Subject: [PATCH 38/83] Set defualt umask --- scripts_debian/02_install_groups.sh | 5 +++++ .../wheezy+whonix/02_install_groups_packages_installed.sh | 3 --- 2 files changed, 5 insertions(+), 3 deletions(-) 
diff --git a/scripts_debian/02_install_groups.sh b/scripts_debian/02_install_groups.sh index b60a8d4..bfd3772 100755 --- a/scripts_debian/02_install_groups.sh +++ b/scripts_debian/02_install_groups.sh @@ -58,6 +58,11 @@ return 101 # Action forbidden by policy EOF chmod 755 "$INSTALLDIR/usr/sbin/policy-rc.d" + # ------------------------------------------------------------------------------ + # Ensure umask set in /etc/login.defs is used (022) + # ------------------------------------------------------------------------------ + echo "session optional pam_umask.so" >> "${INSTALLDIR}/etc/pam.d/common-session" + # ------------------------------------------------------------------------------ # Add debian security repository # ------------------------------------------------------------------------------ diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 82d9372..f1b0ce9 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh @@ -103,9 +103,6 @@ sudo touch /root/.whonix/first_run_initializer.done # Prevent whonixcheck error sudo su -c 'echo WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER=\"1\" >> /etc/whonix.d/30_whonixcheck_default' -# Ensure umask set in /etc/login.defs is used (022) -sudo su -c 'echo "session optional pam_umask.so" >> /etc/pam.d/common-session' - sudo update-rc.d network-manager disable sudo update-rc.d spice-vdagent disable sudo update-rc.d swap-file-creator disable From 2193c2084fc0d5f65b55d38e9d0fdfcce41aafc4 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 26 Oct 2014 16:10:42 -0400 Subject: [PATCH 39/83] Added GUI package manager for updates via Qubes manager --- scripts_debian/packages_qubes.list | 1 + 1 file changed, 1 insertion(+) 
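Review bot: The `echo "session optional pam_umask.so" >> …/common-session` is appended unconditionally, so a re-run of this step stacks a second entry (the whonix copy of the same line is removed in this commit precisely to avoid a duplicate); on Debian /etc/pam.d/common-session is also a pam-auth-update-managed file, so a hand-appended line may be dropped or treated as a local modification on the next update. Make the append idempotent, `grep -q pam_umask.so "${INSTALLDIR}/etc/pam.d/common-session" || echo "session optional pam_umask.so" >> "${INSTALLDIR}/etc/pam.d/common-session"`, and add a comment that pam-auth-update owns the file. The enclosing `if` block starts outside the hunk.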
diff --git a/scripts_debian/packages_qubes.list b/scripts_debian/packages_qubes.list index 11bcbd2..886e424 100644 --- a/scripts_debian/packages_qubes.list +++ b/scripts_debian/packages_qubes.list @@ -3,3 +3,4 @@ qubes-gui-agent xdg-user-dirs gnome-themes-standard xsettingsd +gpk-update-viewer From 676a3a45b54e1e9ceb42c7402ca04084c9c557d5 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 26 Oct 2014 16:36:39 -0400 Subject: [PATCH 40/83] Fix a var typo when expaning hosts file --- scripts_debian/04_install_qubes.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh index 47530d4..85ed9eb 100755 --- a/scripts_debian/04_install_qubes.sh +++ b/scripts_debian/04_install_qubes.sh @@ -193,8 +193,8 @@ EOF # Looks like hosts file may contain tabs and qubes will not parse it # correctly # -------------------------------------------------------------------------- - expand "${INSTALLDIR}/etc/hosts" > "${INSATLLDIR}/etc/hosts.dist" - mv "${INSTALLDIR}/etc/hosts.dist" "${INSATLLDIR}/etc/hosts" + expand "${INSTALLDIR}/etc/hosts" > "${INSTALLDIR}/etc/hosts.dist" + mv "${INSTALLDIR}/etc/hosts.dist" "${INSTALLDIR}/etc/hosts" fi # ------------------------------------------------------------------------------ From 73926c1ed33ca5b0f2c34c5cf236c3029ba04f34 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 26 Oct 2014 16:40:42 -0400 Subject: [PATCH 41/83] Use gnome-packagekit for GUI update manager --- scripts_debian/packages_qubes.list | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts_debian/packages_qubes.list b/scripts_debian/packages_qubes.list index 886e424..55a8f32 100644 --- a/scripts_debian/packages_qubes.list +++ b/scripts_debian/packages_qubes.list @@ -3,4 +3,4 @@ qubes-gui-agent xdg-user-dirs gnome-themes-standard xsettingsd -gpk-update-viewer +gnome-packagekit From e586bc1a2facb12f5beb14afa5223e2027c64287 Mon Sep 17 00:00:00 2001 
From: Jason Mehring Date: Sun, 26 Oct 2014 23:55:21 -0400 Subject: [PATCH 42/83] Fixed some issues with Makefile TEMPLATE_* vars that were expected to be arrays or easily importable as one --- functions.sh | 26 +++++++++++++++++++++++--- tests/template-flavors/test.sh | 7 +++++-- 2 files changed, 28 insertions(+), 5 deletions(-) diff --git a/functions.sh b/functions.sh index c579c87..cf02873 100755 --- a/functions.sh +++ b/functions.sh @@ -146,6 +146,12 @@ templateFlavor() { templateFlavorPrefix() { local template_flavor=${1-$(templateFlavor)} + + # If TEMPLATE_FLAVOR_PREFIX is not already an array, make it one + if ! [[ "$(declare -p TEMPLATE_FLAVOR_PREFIX 2>/dev/null)" =~ ^declare\ -a.* ]] ; then + TEMPLATE_FLAVOR_PREFIX=( ${TEMPLATE_FLAVOR_PREFIX} ) + fi + for element in "${TEMPLATE_FLAVOR_PREFIX[@]}" do if [ "${element%:*}" == "${DIST}+${template_flavor}" ]; then @@ -188,8 +194,11 @@ templateName() { local template_name="$(templateFlavorPrefix ${template_flavor})${template_flavor}${template_options:++}${template_options}" - # Make sure TEMPLATE_LABEL is an array - TEMPLATE_LABEL=( ${TEMPLATE_LABEL} ) + # If TEMPLATE_LABEL is not already an array, make it one + if ! [[ "$(declare -p TEMPLATE_LABEL 2>/dev/null)" =~ ^declare\ -a.* ]] ; then + TEMPLATE_LABEL=( ${TEMPLATE_LABEL} ) + fi + for element in "${TEMPLATE_LABEL[@]}"; do if [ "${element%:*}" == "${template_name}" ]; then template_name="${element#*:}" @@ -212,6 +221,11 @@ templateName() { templateDir() { local template_flavor=${1-$(templateFlavor)} + # If TEMPLATE_FLAVOR_DIR is not already an array, make it one + if ! [[ "$(declare -p TEMPLATE_FLAVOR_DIR 2>/dev/null)" =~ ^declare\ -a.* ]] ; then + TEMPLATE_FLAVOR_DIR=( ${TEMPLATE_FLAVOR_DIR} ) + fi + for element in "${TEMPLATE_FLAVOR_DIR[@]}" do # (wheezy+whonix-gateway / wheezy+whonix-gateway+gnome[+++] / wheezy+gnome ) 
@@ -332,8 +346,14 @@ getFileLocations() { local function="templateFile" + #IFS_orig="${IFS}}"; IFS=$'\n' + #files=( $(callTemplateFunction "$(unknown)" "${suffix}" "${function}") ) + #setArrayAsGlobal files $return_global_var + + files=$(callTemplateFunction "$(unknown)" "${suffix}" "${function}") + IFS_orig="${IFS}}"; IFS=$'\n' - files=( $(callTemplateFunction "$(unknown)" "${suffix}" "${function}") ) + files=( "${files}" ) setArrayAsGlobal files $return_global_var IFS="${IFS_orig}" diff --git a/tests/template-flavors/test.sh b/tests/template-flavors/test.sh index 43f8fac..51ad768 100755 --- a/tests/template-flavors/test.sh +++ b/tests/template-flavors/test.sh @@ -233,7 +233,7 @@ DIST="wheezy" DISTS_VM="" TEMPLATE_FLAVOR="whonix-gateway" TEMPLATE_FLAVOR_PREFIX="" -TEMPLATE_FLAVOR_DIR="wheezy+whonix-gateway:tests/template-flavors/another_location/whonix gw" +TEMPLATE_FLAVOR_DIR=("wheezy+whonix-gateway:tests/template-flavors/another_location/whonix gw") TEMPLATE_OPTIONS="" header < Date: Mon, 27 Oct 2014 02:29:07 -0400 Subject: [PATCH 43/83] Added gnome sub-template --- scripts_debian/gnome/04_install_qubes_post.sh | 26 +++++++++++++++++++ scripts_debian/gnome/packages_jessie.list | 2 ++ scripts_debian/gnome/packages_wheezy.list | 2 ++ 3 files changed, 30 insertions(+) create mode 100755 scripts_debian/gnome/04_install_qubes_post.sh create mode 100644 scripts_debian/gnome/packages_jessie.list create mode 100644 scripts_debian/gnome/packages_wheezy.list diff --git a/scripts_debian/gnome/04_install_qubes_post.sh b/scripts_debian/gnome/04_install_qubes_post.sh new file mode 100755 index 0000000..269b8b2 --- /dev/null +++ b/scripts_debian/gnome/04_install_qubes_post.sh 
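Review bot: `files=( "${files}" )` in getFileLocations builds a one-element array holding the whole newline-separated output, so the `IFS=$'\n'` set just before it no longer affects anything and callers iterating `"${files[@]}"` receive a single string of all paths. If the intent is one element per line, `mapfile -t files < <(callTemplateFunction "$(unknown)" "${suffix}" "${function}")` does it without touching IFS. Separately, `IFS_orig="${IFS}}"` has an extra `}`, so the restore `IFS="${IFS_orig}"` leaves `}` as a field separator for the rest of the caller; if that line is new in this hunk it should read `IFS_orig="${IFS}"`, and the three commented-out lines above it should be deleted rather than kept.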
@@ -0,0 +1,26 @@
+#!/bin/bash
+# vim: set ts=4 sw=4 sts=4 et :
+
+#
+# Whonix Post Install Steps (after qubes install)
+#
+
+# ------------------------------------------------------------------------------
+# Source external scripts
+# ------------------------------------------------------------------------------
+. $SCRIPTSDIR/vars.sh
+
+# ------------------------------------------------------------------------------
+# Configurations
+# ------------------------------------------------------------------------------
+if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
+ set -x
+else
+ set -e
+fi
+
+# ------------------------------------------------------------------------------
+# Disable gnome network-manager since it will prevent networking
+# ------------------------------------------------------------------------------
+debug "Disabling gnome network-manager"
+chroot "$INSTALLDIR" systemctl disable network-manager
diff --git a/scripts_debian/gnome/packages_jessie.list b/scripts_debian/gnome/packages_jessie.list
new file mode 100644
index 0000000..116619d
--- /dev/null
+++ b/scripts_debian/gnome/packages_jessie.list
@@ -0,0 +1,2 @@
+gnome-desktop-environment
+gnome-accessibility-themes
diff --git a/scripts_debian/gnome/packages_wheezy.list b/scripts_debian/gnome/packages_wheezy.list
new file mode 100644
index 0000000..116619d
--- /dev/null
+++ b/scripts_debian/gnome/packages_wheezy.list
@@ -0,0 +1,2 @@
+gnome-desktop-environment
+gnome-accessibility-themes
From c238716d6ad67a2e26623658903623b17c4ffb32 Mon Sep 17 00:00:00 2001
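Review bot: The Configurations block makes `set -x` and `set -e` mutually exclusive, so with VERBOSE>=2 or DEBUG=1 a failing `chroot "$INSTALLDIR" systemctl disable network-manager` is traced but does not stop the build; `set -e` should be unconditional, with `set -x` added only in the verbose branch. The same if/else is copied into every script touched by the next commit (00_prepare.sh through 09_cleanup.sh and the wheezy+whonix* scripts), so the fix belongs in one place such as vars.sh. `systemctl` only does anything if systemd is installed in the chroot; whether the wheezy template ships systemd or sysvinit is not visible here — TODO confirm, since under the debug branch a missing systemctl would be silently ignored. The header comment `# Whonix Post Install Steps (after qubes install)` was copied from the whonix flavor and should read `# Gnome post install steps (after qubes install)`.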
From: Jason Mehring Date: Tue, 28 Oct 2014 04:09:55 -0400 Subject: [PATCH 44/83] Code cleanup - whonix* not tested --- functions.sh | 18 +- scripts_debian/00_prepare.sh | 20 +- scripts_debian/01_install_core.sh | 12 +- scripts_debian/02_install_groups.sh | 90 +++--- scripts_debian/04_install_qubes.sh | 92 +++--- scripts_debian/09_cleanup.sh | 10 +- scripts_debian/gnome/04_install_qubes_post.sh | 6 +- scripts_debian/vars.sh | 4 +- .../99_custom_configuration.sh | 10 +- .../files/usr/lib/whonix/replace-ips | 17 +- .../files/usr/lib/whonix/setup-ip | 21 +- .../99_custom_configuration.sh | 12 +- .../wheezy+whonix/00_prepare_pre.sh | 26 +- .../wheezy+whonix/01_install_core_post.sh | 18 +- .../02_install_groups_packages_installed.sh | 277 +++++++++--------- .../wheezy+whonix/04_install_qubes_post.sh | 44 +-- tests/template-flavors/test.sh | 20 +- umount_kill.sh | 8 +- 18 files changed, 354 insertions(+), 351 deletions(-) diff --git a/functions.sh b/functions.sh index cf02873..913198c 100755 --- a/functions.sh +++ b/functions.sh @@ -28,7 +28,7 @@ colors() { export blink=$( tput blink || tput mb ) # Start blinking export italic=$( tput sitm || tput ZH ) # Start italic export eitalic=$( tput ritm || tput ZR ) # End italic - [[ $TERM != *-m ]] && { + [[ ${TERM} != *-m ]] && { export red=$( tput setaf 1|| tput AF 1 ) export green=$( tput setaf 2|| tput AF 2 ) export yellow=$( tput setaf 3|| tput AF 3 ) @@ -58,7 +58,7 @@ if [ ! "$build_already_defined_colors" = "true" ]; then colors fi -if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then +if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then chroot() { local retval true ${blue} 
@@ -73,19 +73,19 @@ fi # Display messages in color # ------------------------------------------------------------------------------ info() { - [[ -z $TEST ]] && echo -e "${bold}${blue}INFO: ${1}${reset}" || : + [[ -z ${TEST} ]] && echo -e "${bold}${blue}INFO: ${1}${reset}" || : } debug() { - [[ -z $TEST ]] && echo -e "${bold}${green}DEBUG: ${1}${reset}" || : + [[ -z ${TEST} ]] && echo -e "${bold}${green}DEBUG: ${1}${reset}" || : } warn() { - [[ -z $TEST ]] && echo -e "${stout}${yellow}WARNING: ${1}${reset}" || : + [[ -z ${TEST} ]] && echo -e "${stout}${yellow}WARNING: ${1}${reset}" || : } error() { - [[ -z $TEST ]] && echo -e "${bold}${red}ERROR: ${1}${reset}" || : + [[ -z ${TEST} ]] && echo -e "${bold}${red}ERROR: ${1}${reset}" || : } # ------------------------------------------------------------------------------ @@ -278,7 +278,7 @@ buildStepExec() { script="$(templateFile "$(unknown)" "${suffix}" "${template_flavor}")" if [ -f "${script}" ]; then - [[ -n $TEST ]] && echo "${script}" || echo "${bold}${under}INFO: Currently running script: ${script}${reset}" + [[ -n ${TEST} ]] && echo "${script}" || echo "${bold}${under}INFO: Currently running script: ${script}${reset}" # Execute $script "${script}" @@ -372,7 +372,7 @@ buildStep() { } # ------------------------------------------------------------------------------ -# Copy extra file tree to $INSTALLDIR +# Copy extra file tree to ${INSTALLDIR} # TODO: Allow copy per step (04_install_qubes.sh-files) # # To set file permissions is a PITA since git won't save them and will 
@@ -385,7 +385,7 @@ buildStep() { # 5. Manually create facl backup used after copying: getfacl -R . > .facl # 6. If git complains; reset file ownership back to user. The .facl file stored # the file permissions and will be used to reset the file permissions after -# they get copied over to $INSTALLDIR +# they get copied over to ${INSTALLDIR} # NOTE: Don't forget to redo this process if you add -OR- remove files # ------------------------------------------------------------------------------ copyTree() { diff --git a/scripts_debian/00_prepare.sh b/scripts_debian/00_prepare.sh index 1dcc836..5b7be6f 100755 --- a/scripts_debian/00_prepare.sh +++ b/scripts_debian/00_prepare.sh @@ -4,19 +4,19 @@ # ------------------------------------------------------------------------------ # Source external scripts # ------------------------------------------------------------------------------ -. $SCRIPTSDIR/vars.sh +. ${SCRIPTSDIR}/vars.sh . ./umount_kill.sh >/dev/null # ------------------------------------------------------------------------------ # Configurations # ------------------------------------------------------------------------------ -if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then +if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then set -x else set -e fi INSTALLDIR="$(readlink -m mnt)" -umount_kill "$INSTALLDIR" || : +umount_kill "${INSTALLDIR}" || : # ------------------------------------------------------------------------------ # Execute any template flavor or sub flavor 'pre' scripts 
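Review bot: `. ${SCRIPTSDIR}/vars.sh` only adds braces; the expansion is still unquoted, so a SCRIPTSDIR containing whitespace or glob characters is split before `.` sees it, while the rest of the same hunk quotes `"${INSTALLDIR}"`; write `. "${SCRIPTSDIR}/vars.sh"`. The identical line recurs in 01_install_core.sh, 02_install_groups.sh, 04_install_qubes.sh, 09_cleanup.sh, gnome/04_install_qubes_post.sh and the wheezy+whonix* scripts below. Likewise `[ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]` reports "integer expression expected" when VERBOSE is unset and relies on the deprecated `-o`; `[ "${VERBOSE:-0}" -ge 2 ] || [ "${DEBUG}" == "1" ]` avoids both.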
@@ -26,17 +26,17 @@ buildStep "$0" "pre" # ------------------------------------------------------------------------------ # Force overwrite of an existing image for now if debootstrap did not seem to complete... # ------------------------------------------------------------------------------ -debug "Determine if $IMG should be reused or deleted..." -if [ -f "$IMG" ]; then +debug "Determine if ${IMG} should be reused or deleted..." +if [ -f "${IMG}" ]; then # Assume a failed debootstrap installation if .prepare_debootstrap does not exist - mount -o loop "$IMG" "$INSTALLDIR" || exit 1 - if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then - warn "Last build failed. Deleting $IMG" - rm -f "$IMG" + mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1 + if ! [ -f "${INSTALLDIR}/tmp/.prepared_debootstrap" ]; then + warn "Last build failed. Deleting ${IMG}" + rm -f "${IMG}" fi # Umount image; don't fail if its already umounted - umount_kill "$INSTALLDIR" || : + umount_kill "${INSTALLDIR}" || : fi # ------------------------------------------------------------------------------ diff --git a/scripts_debian/01_install_core.sh b/scripts_debian/01_install_core.sh index cd742f5..6ff9357 100755 --- a/scripts_debian/01_install_core.sh +++ b/scripts_debian/01_install_core.sh @@ -4,12 +4,12 @@ # ------------------------------------------------------------------------------ # Source external scripts # ------------------------------------------------------------------------------ -. $SCRIPTSDIR/vars.sh +. ${SCRIPTSDIR}/vars.sh # ------------------------------------------------------------------------------ # Configurations # ------------------------------------------------------------------------------ -if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then +if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then set -x else set -e 
@@ -23,13 +23,13 @@ buildStep "$0" "pre" # ------------------------------------------------------------------------------ # Install base debian system # ------------------------------------------------------------------------------ -if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then +if ! [ -f "${INSTALLDIR}/tmp/.prepared_debootstrap" ]; then debug "Installing base ${DEBIANVERSION} system" COMPONENTS="" debootstrap --arch=amd64 --include=ncurses-term \ --components=main --keyring="${SCRIPTSDIR}/keys/debian-${DEBIANVERSION}-archive-keyring.gpg" \ - "$DEBIANVERSION" "$INSTALLDIR" "$DEBIAN_MIRROR" || { error "Debootstrap failed!"; exit 1; } - chroot "$INSTALLDIR" chmod 0666 "/dev/null" - touch "$INSTALLDIR/tmp/.prepared_debootstrap" + "${DEBIANVERSION}" "${INSTALLDIR}" "${DEBIAN_MIRROR}" || { error "Debootstrap failed!"; exit 1; } + chroot "${INSTALLDIR}" chmod 0666 "/dev/null" + touch "${INSTALLDIR}/tmp/.prepared_debootstrap" fi # ------------------------------------------------------------------------------ diff --git a/scripts_debian/02_install_groups.sh b/scripts_debian/02_install_groups.sh index bfd3772..0754348 100755 --- a/scripts_debian/02_install_groups.sh +++ b/scripts_debian/02_install_groups.sh @@ -4,13 +4,13 @@ # ------------------------------------------------------------------------------ # Source external scripts # ------------------------------------------------------------------------------ -. $SCRIPTSDIR/vars.sh +. ${SCRIPTSDIR}/vars.sh . ./umount_kill.sh >/dev/null # ------------------------------------------------------------------------------ # Configurations # ------------------------------------------------------------------------------ -if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then +if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then set -x else set -e 
@@ -19,30 +19,30 @@ fi # ------------------------------------------------------------------------------ # If .prepared_debootstrap has not been completed, don't continue # ------------------------------------------------------------------------------ -if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then +if ! [ -f "${INSTALLDIR}/tmp/.prepared_debootstrap" ]; then error "prepared_debootstrap installataion has not completed!... Exiting" - umount_kill "$INSTALLDIR" || : + umount_kill "${INSTALLDIR}" || : exit 1 fi # ------------------------------------------------------------------------------ # Mount system mount points # ------------------------------------------------------------------------------ -for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "$INSTALLDIR/$fs"; done +for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "${INSTALLDIR}/$fs"; done # ------------------------------------------------------------------------------ # Execute any template flavor or sub flavor 'pre' scripts # ------------------------------------------------------------------------------ buildStep "$0" "pre" -if ! [ -f "$INSTALLDIR/tmp/.prepared_groups" ]; then +if ! [ -f "${INSTALLDIR}/tmp/.prepared_groups" ]; then # ------------------------------------------------------------------------------ # Cleanup function # ------------------------------------------------------------------------------ function cleanup() { error "Install groups error and umount" - rm -f "$INSTALLDIR/usr/sbin/policy-rc.d" - umount_kill "$INSTALLDIR" || : + rm -f "${INSTALLDIR}/usr/sbin/policy-rc.d" + umount_kill "${INSTALLDIR}" || : exit 1 } trap cleanup ERR 
@@ -52,11 +52,11 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_groups" ]; then # Set up a temporary policy-rc.d to prevent apt from starting services # on package installation # ------------------------------------------------------------------------------ - cat > "$INSTALLDIR/usr/sbin/policy-rc.d" < "${INSTALLDIR}/usr/sbin/policy-rc.d" <> "$INSTALLDIR/etc/apt/sources.list" + if ! grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*; then + touch "${INSTALLDIR}/etc/apt/sources.list" + echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list" fi source="deb-src http://security.debian.org ${DEBIANVERSION}/updates main" - if ! grep -r -q "$source" "$INSTALLDIR/etc/apt/sources.list"*; then - touch "$INSTALLDIR/etc/apt/sources.list" - echo "$source" >> "$INSTALLDIR/etc/apt/sources.list" + if ! grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*; then + touch "${INSTALLDIR}/etc/apt/sources.list" + echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list" fi # ------------------------------------------------------------------------------ # Upgrade system # ------------------------------------------------------------------------------ debug "Upgrading system" - chroot "$INSTALLDIR" apt-get update + chroot "${INSTALLDIR}" apt-get update true "${stout}" DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - chroot "$INSTALLDIR" apt-get -y --force-yes dist-upgrade + chroot "${INSTALLDIR}" apt-get -y --force-yes dist-upgrade # ------------------------------------------------------------------------------ # Configure keyboard # ------------------------------------------------------------------------------ debug "Setting keyboard layout" - chroot "$INSTALLDIR" debconf-set-selections < "$INSTALLDIR/etc/apt/preferences.d/qubes_sysvinit" < "${INSTALLDIR}/etc/apt/preferences.d/qubes_sysvinit" <> "$INSTALLDIR/etc/apt/sources.list" + if ! 
grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*; then + touch "${INSTALLDIR}/etc/apt/sources.list" + echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list" fi - chroot $INSTALLDIR apt-get update + chroot ${INSTALLDIR} apt-get update DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - chroot $INSTALLDIR apt-get -y --force-yes -t wheezy-backports install init-system-helpers + chroot ${INSTALLDIR} apt-get -y --force-yes -t wheezy-backports install init-system-helpers fi # ------------------------------------------------------------------------------ @@ -184,15 +184,15 @@ EOF # ------------------------------------------------------------------------------ # Remove temporary policy layer so services can start normally in the # deployed template. - rm -f "$INSTALLDIR/usr/sbin/policy-rc.d" - touch "$INSTALLDIR/tmp/.prepared_groups" + rm -f "${INSTALLDIR}/usr/sbin/policy-rc.d" + touch "${INSTALLDIR}/tmp/.prepared_groups" trap - ERR EXIT trap - # Kill all processes and umount all mounts within $INSTALLDIR, - # but not $INSTALLDIR itself (extra '/' prevents $INSTALLDIR from being + # Kill all processes and umount all mounts within ${INSTALLDIR}, + # but not ${INSTALLDIR} itself (extra '/' prevents ${INSTALLDIR} from being # umounted itself) - umount_kill "$INSTALLDIR/" || : + umount_kill "${INSTALLDIR}/" || : fi # ------------------------------------------------------------------------------ diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh index 85ed9eb..2afd7e0 100755 --- a/scripts_debian/04_install_qubes.sh +++ b/scripts_debian/04_install_qubes.sh 
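Review bot: `chroot ${INSTALLDIR} apt-get -y --force-yes -t wheezy-backports install init-system-helpers` (and `apt-get -y --force-yes dist-upgrade` in the preceding hunk) keeps `--force-yes`, which tells apt to proceed with operations it would otherwise refuse, including installing packages that fail authentication, so the keyring explicitly handed to debootstrap is undermined for everything installed afterwards; `-y` alone covers the non-interactive case and lets an authentication failure abort the build. The two `chroot ${INSTALLDIR}` calls on this line are also the only unquoted uses of the variable in the commit; `chroot "${INSTALLDIR}"` as elsewhere. The hunk these lines belong to starts on the previous line and its heredoc bodies are not visible here.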
@@ -4,13 +4,13 @@ # ------------------------------------------------------------------------------ # Source external scripts # ------------------------------------------------------------------------------ -. $SCRIPTSDIR/vars.sh +. ${SCRIPTSDIR}/vars.sh . ./umount_kill.sh >/dev/null # ------------------------------------------------------------------------------ # Configurations # ------------------------------------------------------------------------------ -if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then +if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then set -x else set -e @@ -19,7 +19,7 @@ fi # ------------------------------------------------------------------------------ # If .prepared_groups has not been completed, don't continue # ------------------------------------------------------------------------------ -if ! [ -f "$INSTALLDIR/tmp/.prepared_groups" ]; then +if ! [ -f "${INSTALLDIR}/tmp/.prepared_groups" ]; then error "prepared_groups installataion has not completed!... Exiting" exit 1 fi @@ -27,7 +27,7 @@ fi # ------------------------------------------------------------------------------ # Mount system mount points # ------------------------------------------------------------------------------ -for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "$INSTALLDIR/$fs"; done +for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "${INSTALLDIR}/$fs"; done # ------------------------------------------------------------------------------ # Execute any template flavor or sub flavor 'pre' scripts 
@@ -37,32 +37,32 @@ buildStep "$0" "pre" # ------------------------------------------------------------------------------ # Install Qubes Packages # ------------------------------------------------------------------------------ -if ! [ -f "$INSTALLDIR/tmp/.prepared_qubes" ]; then +if ! [ -f "${INSTALLDIR}/tmp/.prepared_qubes" ]; then debug "Installing qbues modules" # -------------------------------------------------------------------------- # Set up a temporary policy-rc.d to prevent apt from starting services # on package installation # -------------------------------------------------------------------------- - cat > "$INSTALLCHROOT/usr/sbin/policy-rc.d" < "${INSTALLCHROOT}/usr/sbin/policy-rc.d" <> "$INSTALLDIR/etc/locale.gen" - chroot "$INSTALLDIR" locale-gen - chroot "$INSTALLDIR" update-locale LANG=en_US.UTF-8 + echo "en_US.UTF-8 UTF-8" >> "${INSTALLDIR}/etc/locale.gen" + chroot "${INSTALLDIR}" locale-gen + chroot "${INSTALLDIR}" update-locale LANG=en_US.UTF-8 # -------------------------------------------------------------------------- # Update /etc/fstab # -------------------------------------------------------------------------- debug "Updating template fstab file..." 
- cat >> "$INSTALLDIR/etc/fstab" <> "${INSTALLDIR}/etc/fstab" < "$INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list" < "${INSTALLDIR}/etc/apt/sources.list.d/qubes-builder.list" </dev/null 2>&1; then + if chroot "${INSTALLDIR}" id -u 'user' >/dev/null 2>&1; then : else - chroot "$INSTALLDIR" groupadd -f user - chroot "$INSTALLDIR" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user + chroot "${INSTALLDIR}" groupadd -f user + chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user fi # -------------------------------------------------------------------------- # Modules setup # -------------------------------------------------------------------------- - echo "xen_netfront" >> "$INSTALLDIR/etc/modules" + echo "xen_netfront" >> "${INSTALLDIR}/etc/modules" # -------------------------------------------------------------------------- # Remove `mesg` from root/.profile? # -------------------------------------------------------------------------- - sed -i -e '/^mesg n/d' "$INSTALLDIR/root/.profile" + sed -i -e '/^mesg n/d' "${INSTALLDIR}/root/.profile" # -------------------------------------------------------------------------- # Need a xen log directory or xen scripts will fail # -------------------------------------------------------------------------- - mkdir -p -m 0700 "$INSTALLDIR/var/log/xen" + mkdir -p -m 0700 "${INSTALLDIR}/var/log/xen" # -------------------------------------------------------------------------- # Copy extra files to installation directory. Contains: @@ -195,6 +195,8 @@ EOF # -------------------------------------------------------------------------- expand "${INSTALLDIR}/etc/hosts" > "${INSTALLDIR}/etc/hosts.dist" mv "${INSTALLDIR}/etc/hosts.dist" "${INSTALLDIR}/etc/hosts" + + touch "${INSTALLDIR}/tmp/.prepared_qubes" fi # ------------------------------------------------------------------------------ 
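Review bot: `cat > "${INSTALLCHROOT}/usr/sbin/policy-rc.d"` still writes through INSTALLCHROOT while every other path in this script uses INSTALLDIR; INSTALLCHROOT is not assigned in any visible hunk (vars.sh is only partly shown), and if it is unset the heredoc lands in the build host's own /usr/sbin/policy-rc.d, blocking service starts on the host instead of in the chroot, and the later `rm -f "${INSTALLDIR}/usr/sbin/policy-rc.d"` would never remove it. Use `"${INSTALLDIR}/usr/sbin/policy-rc.d"` as 02_install_groups.sh does, or at minimum `"${INSTALLCHROOT:?}/usr/sbin/policy-rc.d"` so an empty value aborts. The hunk begins on the previous line and the heredoc body is not visible here.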
@@ -203,8 +205,8 @@ fi buildStep "$0" "post" # ------------------------------------------------------------------------------ -# Kill all processes and umount all mounts within $INSTALLDIR, but not -# $INSTALLDIR itself (extra '/' prevents $INSTALLDIR from being umounted itself) +# Kill all processes and umount all mounts within ${INSTALLDIR}, but not +# ${INSTALLDIR} itself (extra '/' prevents ${INSTALLDIR} from being umounted itself) # ------------------------------------------------------------------------------ -umount_kill "$INSTALLDIR/" || : +umount_kill "${INSTALLDIR}/" || : diff --git a/scripts_debian/09_cleanup.sh b/scripts_debian/09_cleanup.sh index dce636e..215024d 100755 --- a/scripts_debian/09_cleanup.sh +++ b/scripts_debian/09_cleanup.sh @@ -4,12 +4,12 @@ # ------------------------------------------------------------------------------ # Source external scripts # ------------------------------------------------------------------------------ -. $SCRIPTSDIR/vars.sh +. ${SCRIPTSDIR}/vars.sh # ------------------------------------------------------------------------------ # Configurations # ------------------------------------------------------------------------------ -if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then +if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then set -x else set -e @@ -23,9 +23,9 @@ buildStep "$0" "pre" # ------------------------------------------------------------------------------ # Cleanup any left over files from installation # ------------------------------------------------------------------------------ -rm -rf "INSTALLDIR/var/cache/apt/archives/*" -rm -f "$INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list" -rm -f "$INSTALLDIR/etc/apt/trusted.gpg.d/qubes-builder.gpg" +rm -rf "${INSTALLDIR}/var/cache/apt/archives/*" +rm -f "${INSTALLDIR}/etc/apt/sources.list.d/qubes-builder.list" +rm -f "${INSTALLDIR}/etc/apt/trusted.gpg.d/qubes-builder.gpg" # XXX: Whats this for? rm -rf buildchroot 
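Review bot: `rm -rf "${INSTALLDIR}/var/cache/apt/archives/*"` fixes the missing `$` of the old line but keeps the `*` inside the double quotes, so the shell never expands it and the command removes only a file literally named `*`; the downloaded .deb files stay in the template image. Either move the glob outside the quotes, `rm -rf -- "${INSTALLDIR}/var/cache/apt/archives/"*`, or run `chroot "${INSTALLDIR}" apt-get clean`, which also clears the partial/ directory.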
diff --git a/scripts_debian/gnome/04_install_qubes_post.sh b/scripts_debian/gnome/04_install_qubes_post.sh index 269b8b2..fcb309e 100755 --- a/scripts_debian/gnome/04_install_qubes_post.sh +++ b/scripts_debian/gnome/04_install_qubes_post.sh @@ -8,12 +8,12 @@ # ------------------------------------------------------------------------------ # Source external scripts # ------------------------------------------------------------------------------ -. $SCRIPTSDIR/vars.sh +. ${SCRIPTSDIR}/vars.sh # ------------------------------------------------------------------------------ # Configurations # ------------------------------------------------------------------------------ -if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then +if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then set -x else set -e @@ -23,4 +23,4 @@ fi # Disable gnome network-manager since it will prevent networking # ------------------------------------------------------------------------------ debug "Disabling gnome network-manager" -chroot "$INSTALLDIR" systemctl disable network-manager +chroot "${INSTALLDIR}" systemctl disable network-manager diff --git a/scripts_debian/vars.sh b/scripts_debian/vars.sh index 5f191ee..bcceee8 100755 --- a/scripts_debian/vars.sh +++ b/scripts_debian/vars.sh @@ -8,7 +8,7 @@ # The codename of the debian version to install. # jessie = testing, wheezy = stable -DEBIANVERSION=$DIST +DEBIANVERSION=${DIST} # Location to grab debian packages #DEBIAN_MIRROR=http://http.debian.net/debian @@ -23,6 +23,6 @@ QUBESDEBIANGIT="http://dsg.is/qubes/" # XXX: Is this even used? # make runs the scripts with sudo -E, so HOME is set to /home/user during -# build, which does not exist. We need to write to $HOME/.gnupg so set it +# build, which does not exist. We need to write to ${HOME}/.gnupg so set it # to something valid. HOME=/root 
diff --git a/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh b/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh index 9e0a543..4531e88 100755 --- a/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh +++ b/scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh @@ -4,13 +4,13 @@ # ------------------------------------------------------------------------------ # Source external scripts # ------------------------------------------------------------------------------ -. $SCRIPTSDIR/vars.sh +. ${SCRIPTSDIR}/vars.sh . ./umount_kill.sh >/dev/null # ------------------------------------------------------------------------------ # Configurations # ------------------------------------------------------------------------------ -if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then +if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then set -x else set -e @@ -19,10 +19,10 @@ fi # ------------------------------------------------------------------------------ # whonix-netvm-gateway contains last known IP used to search and replace # ------------------------------------------------------------------------------ -if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" ]; then +if [ -f "${INSTALLDIR}/tmp/.whonix_post" -a ! -f "${INSTALLDIR}/tmp/.whonix_custom_configurations" ]; then # -------------------------------------------------------------------------- # Install Custom Configurations # -------------------------------------------------------------------------- - echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway" - touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" + echo "10.152.152.10" > "${INSTALLDIR}/etc/whonix-netvm-gateway" + touch "${INSTALLDIR}/tmp/.whonix_custom_configurations" fi 
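Review bot: The completion marker checked here is renamed to `${INSTALLDIR}/tmp/.whonix_post`, while the parallel whonix-workstation script below tests `.whonix_prepared`, and among the wheezy+whonix scripts 02_install_groups_packages_installed.sh tests `.whonix_prepared` but 00_prepare_pre.sh and 01_install_core_post.sh test `.whonix_post`; the script that creates these markers (04_install_qubes_post.sh) is in the diffstat but not in the visible hunks, so at least one side looks wrong. Whichever name is canonical, a one-line comment at each check, e.g. `# .whonix_post is created by wheezy+whonix/04_install_qubes_post.sh`, would make the dependency explicit; the commit message itself says the whonix scripts are untested.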
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips index 7f818b8..d41f88a 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips @@ -24,9 +24,9 @@ FILES=( # sed search and replace. return 0 if replace happened, otherwise 1 search_replace() { - local search="$1" - local replace="$2" - local file="$3" + local search="${1}" + local replace="${2}" + local file="${3}" local retval=1 if ! [ -L "${file}" ]; then @@ -36,7 +36,7 @@ search_replace() { chattr -i "${file}" fi fi - + sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" retval=$? @@ -55,8 +55,8 @@ function replace_ips() local restart_tor=0 # If IP is 10.152.152.10, network is 10.152.152.0 - replace_network="${replace_ip%.*}.0" - search_network="${search_ip%.*}.0" + search_network="${search_ip%[.]*}.0" + replace_network="${replace_ip%[.]*}.0" if ! [ "${search_ip}" == "${replace_ip}" ]; then for file in "${files[@]}"; do @@ -68,7 +68,10 @@ function replace_ips() if [ "${restart_tor}" == "1" ]; then echo "${replace_ip}" > /etc/whonix-netvm-gateway - service tor restart + grep "^DisableNetwork 0$" /etc/tor/torrc && { + service tor reload || true; + #sleep 1; + } fi fi } diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip index 2044731..0aadc68 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip 
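Review bot: `grep "^DisableNetwork 0$" /etc/tor/torrc && { service tor reload || true; }` prints the matched torrc line to stdout and, with `|| true`, discards a failed reload, so the gateway can keep running tor on the previous address without any indication; `grep -q` for the test and let the reload status propagate, `grep -q "^DisableNetwork 0$" /etc/tor/torrc && service tor reload`. Whether a reload (SIGHUP) is enough for tor to rebind its listeners to the replaced IPs, as the old `restart` certainly was, is not something this hunk shows — TODO confirm. The replace_ips body starts before this hunk.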
@@ -5,9 +5,9 @@ if [ -x /usr/sbin/xenstore-read ]; then else XENSTORE_READ="/usr/bin/xenstore-read" fi -ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) INTERFACE="eth1" +ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) # Create a dummy eth1 interface so tor can bind to it if there # are no DOMU virtual machines connected at the moment @@ -100,3 +100,22 @@ export INT_TIF="vif+" # Route any traffic FROM netvm TO netvm BACK-TO localhost # Allows localhost access to tor network iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 + +enable() { + servicename=${1} + + grep "^DisableNetwork 0$" /etc/tor/torrc && { + # Check to see if the service is already enabled and if not, enable it + string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" + + if ! [ $(find $string 2>/dev/null | wc -l) -eq 1 ] ; then + echo "${1} is currently disabled; enabling it" + systemctl --quiet enable ${servicename} + fi + } +} + +#enable tor +#enable whonixcheck +#enable sdwdate + diff --git a/scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh b/scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh index e19d7d9..e36dc97 100755 --- a/scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh +++ b/scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh @@ -4,13 +4,13 @@ # ------------------------------------------------------------------------------ # Source external scripts # ------------------------------------------------------------------------------ -. $SCRIPTSDIR/vars.sh +. ${SCRIPTSDIR}/vars.sh . ./umount_kill.sh >/dev/null # ------------------------------------------------------------------------------ # Configurations # ------------------------------------------------------------------------------ -if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then +if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then set -x else set -e 
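Review bot: The new `enable()` function shadows the bash builtin of the same name for the rest of the script, and its body mixes two init systems: it looks for a SysV `/etc/rcN.d/S??service` link but then calls `systemctl --quiet enable`, so on a sysvinit system the systemctl call fails and on a systemd system the rc.d test is meaningless. `grep` again prints the torrc line (use `-q`), `find $string` is unquoted on purpose to glob but the surrounding `[ $(...) -eq 1 ]` is not, and the echo uses `${1}` where `${servicename}` is meant. Since every call site is commented out, consider leaving the function out until the init system is settled, or rename it `enable_service` with a header comment stating which init it targets.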
@@ -19,12 +19,12 @@ fi # ------------------------------------------------------------------------------ # whonix-netvm-gateway contains last known IP used to search and replace # ------------------------------------------------------------------------------ -if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" ]; then +if [ -f "${INSTALLDIR}/tmp/.whonix_prepared" -a ! -f "${INSTALLDIR}/tmp/.whonix_custom_configurations" ]; then # -------------------------------------------------------------------------- # Install Custom Configurations # -------------------------------------------------------------------------- - echo "10.152.152.11" > "$INSTALLDIR/etc/whonix-ip" - echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway" + echo "10.152.152.11" > "${INSTALLDIR}/etc/whonix-ip" + echo "10.152.152.10" > "${INSTALLDIR}/etc/whonix-netvm-gateway" - touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" + touch "${INSTALLDIR}/tmp/.whonix_custom_configurations" fi diff --git a/scripts_debian/wheezy+whonix/00_prepare_pre.sh b/scripts_debian/wheezy+whonix/00_prepare_pre.sh index 32bd835..9b21b60 100755 --- a/scripts_debian/wheezy+whonix/00_prepare_pre.sh +++ b/scripts_debian/wheezy+whonix/00_prepare_pre.sh 
@@ -16,20 +16,20 @@ # Return if SNAPSHOT is not "1" # ------------------------------------------------------------------------------ # This script is only used if SNAPSHOT is set -if [ ! "$SNAPSHOT" == "1" ]; then +if [ ! "${SNAPSHOT}" == "1" ]; then exit 0 fi # ------------------------------------------------------------------------------ # Source external scripts # ------------------------------------------------------------------------------ -. $SCRIPTSDIR/vars.sh +. ${SCRIPTSDIR}/vars.sh . ./umount_kill.sh >/dev/null # ------------------------------------------------------------------------------ # Configurations # ------------------------------------------------------------------------------ -if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then +if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then set -x else set -e 
@@ -42,26 +42,26 @@ INSTALLDIR="$(readlink -m mnt)" # ------------------------------------------------------------------------------ manage_snapshot() { - umount_kill "$INSTALLDIR" || : + umount_kill "${INSTALLDIR}" || : - mount -o loop "$IMG" "$INSTALLDIR" || exit 1 + mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1 # Remove old snapshots if whonix completed - if [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then + if [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then warn "Removing stale snapshots" - umount_kill "$INSTALLDIR" || : + umount_kill "${INSTALLDIR}" || : rm -rf "$debootstrap_snapshot" rm -rf "$updated_snapshot" return fi - warn "Copying $1 to $IMG" - mount -o loop "$1" "$INSTALLDIR" || exit 1 - rm -f "$INSTALLDIR/tmp/.prepared_groups" - umount_kill "$INSTALLDIR" || : - cp -f "$1" "$IMG" + warn "Copying $1 to ${IMG}" + mount -o loop "$1" "${INSTALLDIR}" || exit 1 + rm -f "${INSTALLDIR}/tmp/.prepared_groups" + umount_kill "${INSTALLDIR}" || : + cp -f "$1" "${IMG}" } -splitPath "$IMG" path_parts +splitPath "${IMG}" path_parts debootstrap_snapshot="${path_parts[dir]}${path_parts[base]}-debootstrap${path_parts[dotext]}" updated_snapshot="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}" diff --git a/scripts_debian/wheezy+whonix/01_install_core_post.sh b/scripts_debian/wheezy+whonix/01_install_core_post.sh index 2c53338..9534618 100755 --- a/scripts_debian/wheezy+whonix/01_install_core_post.sh +++ b/scripts_debian/wheezy+whonix/01_install_core_post.sh 
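Review bot: `rm -rf "$debootstrap_snapshot"`, `rm -rf "$updated_snapshot"` and the three `"$1"` uses are left unbraced in a hunk whose only purpose is the `${VAR}` style change, so manage_snapshot is now half-converted; `"${debootstrap_snapshot}"` etc. for consistency. Both snapshot variables are assigned after the function body, at the bottom of the hunk, so a comment such as `# debootstrap_snapshot/updated_snapshot are set below, before the first call` would help a reader, and `rm -rf -- "${debootstrap_snapshot:?}"` would additionally refuse an empty value. manage_snapshot's callers are outside this hunk.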
@@ -5,20 +5,20 @@ # Return if SNAPSHOT is not "1" # ------------------------------------------------------------------------------ # This script is only used if SNAPSHOT is set -if [ ! "$SNAPSHOT" == "1" ]; then +if [ ! "${SNAPSHOT}" == "1" ]; then exit 0 fi # ------------------------------------------------------------------------------ # Source external scripts # ------------------------------------------------------------------------------ -. $SCRIPTSDIR/vars.sh +. ${SCRIPTSDIR}/vars.sh . ./umount_kill.sh >/dev/null # ------------------------------------------------------------------------------ # Configurations # ------------------------------------------------------------------------------ -if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then +if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then set -x else set -e @@ -27,12 +27,12 @@ fi # ------------------------------------------------------------------------------ # Create a snapshot of the already debootstraped image # ------------------------------------------------------------------------------ -splitPath "$IMG" path_parts +splitPath "${IMG}" path_parts PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-debootstrap${path_parts[dotext]}" -if ! [ -f "$PREPARED_IMG" ] && ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then - umount_kill "$INSTALLDIR" || : - warn "Copying $IMG to $PREPARED_IMG" - cp -f "$IMG" "$PREPARED_IMG" - mount -o loop "$IMG" "$INSTALLDIR" || exit 1 +if ! [ -f "${PREPARED_IMG}" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then + umount_kill "${INSTALLDIR}" || : + warn "Copying ${IMG} to ${PREPARED_IMG}" + cp -f "${IMG}" "${PREPARED_IMG}" + mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1 fi diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index f1b0ce9..e25ced8 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh 
+++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh @@ -4,13 +4,13 @@ # ------------------------------------------------------------------------------ # Source external scripts # ------------------------------------------------------------------------------ -. $SCRIPTSDIR/vars.sh +. ${SCRIPTSDIR}/vars.sh . ./umount_kill.sh >/dev/null # ------------------------------------------------------------------------------ # Configurations # ------------------------------------------------------------------------------ -if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then +if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then set -x else set -e @@ -20,16 +20,16 @@ fi # XXX: Create a snapshot - Only for DEBUGGING! # ------------------------------------------------------------------------------ # Only execute if SNAPSHOT is set -if [ "$SNAPSHOT" == "1" ]; then - splitPath "$IMG" path_parts +if [ "${SNAPSHOT}" == "1" ]; then + splitPath "${IMG}" path_parts PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}" - if ! [ -f "$PREPARED_IMG" ] && ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then - umount_kill "$INSTALLDIR" || : - warn "Copying $IMG to $PREPARED_IMG" - cp -f "$IMG" "$PREPARED_IMG" - mount -o loop "$IMG" "$INSTALLDIR" || exit 1 - for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "$INSTALLDIR/$fs"; done + if ! [ -f "${PREPARED_IMG}" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then + umount_kill "${INSTALLDIR}" || : + warn "Copying ${IMG} to ${PREPARED_IMG}" + cp -f "${IMG}" "${PREPARED_IMG}" + mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1 + for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "${INSTALLDIR}/$fs"; done fi fi 
@@ -71,53 +71,6 @@ sudo ~/Whonix/whonix_build \ --minimal-report \ --skip-sanity-tests || { exit 1; } popd - -################################################################################ -# Post Fixups - -set -e - -pushd /etc/network -sudo rm -f interfaces -sudo ln -s interfaces.backup interfaces -popd - -pushd /etc -sudo rm -f resolv.conf -sudo cp -p resolv.conf.backup resolv.conf -popd - -# Enable Tor -if [ "${1}" == "--torgateway" ]; then - sudo sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' /etc/tor/torrc -fi - -# Fake that whonixsetup was already run -sudo mkdir -p /var/lib/whonix/do_once -sudo touch /var/lib/whonix/do_once/whonixsetup.done - -# Fake that initializer was already run -sudo mkdir -p /root/.whonix -sudo touch /root/.whonix/first_run_initializer.done - -# Prevent whonixcheck error -sudo su -c 'echo WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER=\"1\" >> /etc/whonix.d/30_whonixcheck_default' - -sudo update-rc.d network-manager disable -sudo update-rc.d spice-vdagent disable -sudo update-rc.d swap-file-creator disable -sudo update-rc.d whonix-initializer disable - -# Remove original sources.list -sudo rm -f /etc/apt/sources.list -sudo apt-get.anondist-orig update - -# Remove apt-cacher-ng -DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - sudo apt-get.anondist-orig -y --force-yes remove apt-cacher-ng - -sudo touch "/tmp/.prepared_whonix" - EOF # ------------------------------------------------------------------------------ @@ -164,8 +117,8 @@ EOF # Cleanup function # ------------------------------------------------------------------------------ function cleanup() { - error "Whonix error; umounting $INSTALLDIR to prevent further writes" - umount_kill "$INSTALLDIR" || : + error "Whonix error; umounting ${INSTALLDIR} to prevent further writes" + umount_kill "${INSTALLDIR}" || : exit 1 } trap cleanup ERR 
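Review bot: cleanup() unconditionally logs "Whonix error" and exits 1, yet the context just below registers it for both ERR and EXIT (`trap cleanup EXIT`), so a run that reaches the end of the script normally also ends under the error message with status 1 unless the EXIT trap is cleared later, which is outside this hunk. If that is the intended single exit path, a comment on the function should say so; otherwise register a separate handler for EXIT, e.g. `trap 'umount_kill "${INSTALLDIR}" || :' EXIT`, and keep cleanup for ERR only.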
@@ -174,15 +127,15 @@ trap cleanup EXIT # ------------------------------------------------------------------------------ # Mount devices, etc required for Whonix installation # ------------------------------------------------------------------------------ -if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then - info "Installing Whonix system" +if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then + info "Preparing Whonix system" # -------------------------------------------------------------------------- # Initialize Whonix submodules # -------------------------------------------------------------------------- - pushd "$WHONIX_DIR" + pushd "${WHONIX_DIR}" { - su $(logname) -c "git submodule update --init --recursive" + su $(logname) -c "git submodule update --init --recursive"; } popd @@ -211,21 +164,21 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then } # Patch anon-meta-packages to not depend on grub-pc - pushd "$WHONIX_DIR" + pushd "${WHONIX_DIR}" { search_replace "grub-pc" "" "grml_packages" || : } popd - pushd "$WHONIX_DIR/packages/anon-meta-packages/debian" + pushd "${WHONIX_DIR}/packages/anon-meta-packages/debian" { - search1=" grub-pc," - replace="" + search1=" grub-pc,"; + replace=""; #checkout_branch qubes search_replace "$search1" "$replace" control && \ { - cd "$WHONIX_DIR/packages/anon-meta-packages" + cd "${WHONIX_DIR}/packages/anon-meta-packages"; : #sudo -E -u $(logname) make deb-pkg || : #su $(logname) -c "dpkg-source --commit" || : 
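Review bot: `su $(logname) -c "git submodule update --init --recursive"` uses an unquoted `$(logname)`, and logname fails with empty output when the build runs without a controlling terminal (for example from sudo in a non-login session), in which case `su -c` runs the command as root. Resolve the build user once, `build_user=$(logname) || exit 1`, and use `"${build_user}"` here and in the later `sudo -E -u` / `su` calls. The enclosing if block starts and ends outside this hunk.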
@@ -235,27 +188,27 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then } popd - pushd "$WHONIX_DIR/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d" + pushd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d" { - search1="update-grub" - replace=":" + search1="update-grub"; + replace=":"; #checkout_branch qubes search_replace "$search1" "$replace" 85_update_grub && \ { - cd "$WHONIX_DIR/packages/anon-shared-build-fix-grub" + cd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub"; sudo -E -u $(logname) make deb-pkg || : - su $(logname) -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub" - #git add . + su $(logname) -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub"; + #git add . ; #su $(logname) -c "git commit -am 'removed grub-pc depend'" } || : } popd - pushd "$WHONIX_DIR/build-steps.d" + pushd "${WHONIX_DIR}/build-steps.d" { - search1=" check_for_uncommited_changes" - replace=" #check_for_uncommited_changes" + search1=" check_for_uncommited_changes"; + replace=" #check_for_uncommited_changes"; search_replace "$search1" "$replace" 1200_create-debian-packages || : } 
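Review bot: The trailing `;` added to single-statement lines inside the `{ }` groups (`search1="update-grub";`, `replace=":";`, `cd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub";`) are no-ops in bash because the newline already terminates each command; if they are there to let the block be collapsed onto one line, a comment should say so, otherwise they should be dropped for consistency with the rest of the file. The `sudo -E -u $(logname)` and `su $(logname)` expansions in the same group remain unquoted.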
@@ -264,112 +217,152 @@ if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then # -------------------------------------------------------------------------- # Whonix system config dependancies # -------------------------------------------------------------------------- - #/usr/sbin/grub-probe: error: cannot find a device for / (is /dev mounted?) - #cannot stat `/boot/grub/grub.cfg': No such file or directory # Qubes needs a user named 'user' debug "Whonix Add user" - chroot "$INSTALLDIR" id -u 'user' >/dev/null 2>&1 || \ + chroot "${INSTALLDIR}" id -u 'user' >/dev/null 2>&1 || \ { - chroot "$INSTALLDIR" groupadd -f user - chroot "$INSTALLDIR" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user + chroot "${INSTALLDIR}" groupadd -f user + chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user } - # Change hostname to 'host' - #debug "Whonix change host" - #echo "host" > "$INSTALLDIR/etc/hostname" - #chroot "$INSTALLDIR" sed -i "s/localhost/host/g" /etc/hosts + # Pin grub packages so they will not install + echo "${WHONIX_APT_PIN}" > "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes" + chmod 0644 "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes" + + # Install Whonix fix script + echo "${WHONIX_FIX_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_fix" + chmod 0755 "${INSTALLDIR}/home/user/whonix_fix" - #if ! 
[ -f "$INSTALLDIR/etc/sudoers.d/qubes" ]; then - # cp -p /etc/sudoers.d/qubes "$INSTALLDIR/etc/sudoers.d/qubes" - #fi + # Install Whonix build scripts + echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build" + chmod 0755 "${INSTALLDIR}/home/user/whonix_build" # ------------------------------------------------------------------------------ # Copy over any extra files - # XXX: Moved to 02_install_groups_packages_installed.sh # ------------------------------------------------------------------------------ copyTree "files" + touch "${INSTALLDIR}/tmp/.whonix_prepared" +fi + +# ------------------------------------------------------------------------------ +# Install Whonix +# ------------------------------------------------------------------------------ +if [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_installed" ]; then + info "Installing Whonix system" + # -------------------------------------------------------------------------- - # Install Whonix system + # Install Whonix code base # -------------------------------------------------------------------------- - if ! [ -d "$INSTALLDIR/home/user/Whonix" ]; then + if ! [ -d "${INSTALLDIR}/home/user/Whonix" ]; then debug "Installing Whonix build environment..." - chroot "$INSTALLDIR" su user -c 'mkdir /home/user/Whonix' + chroot "${INSTALLDIR}" su user -c 'mkdir /home/user/Whonix' fi - if [ -d "$INSTALLDIR/home/user/Whonix" ]; then + if [ -d "${INSTALLDIR}/home/user/Whonix" ]; then debug "Building Whonix..." - mount --bind "../Whonix" "$INSTALLDIR/home/user/Whonix" - - # XXX: Does this break Whonix build? 
- # Install apt-get preferences - #echo "$WHONIX_APT_PREFERENCES" > "$INSTALLDIR/etc/apt/apt.conf.d/99whonix" - #chmod 0644 "$INSTALLDIR/etc/apt/apt.conf.d/99whonix" - - # Pin grub packages so they will not install - echo "$WHONIX_APT_PIN" > "$INSTALLDIR/etc/apt/preferences.d/whonix_qubes" - chmod 0644 "$INSTALLDIR/etc/apt/preferences.d/whonix_qubes" - - # Install Whonix fix script - echo "$WHONIX_FIX_SCRIPT" > "$INSTALLDIR/home/user/whonix_fix" - chmod 0755 "$INSTALLDIR/home/user/whonix_fix" - - # Install Whonix build scripts - echo "$WHONIX_BUILD_SCRIPT" > "$INSTALLDIR/home/user/whonix_build" - chmod 0755 "$INSTALLDIR/home/user/whonix_build" - - if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then - BUILD_TYPE="--torgateway" - elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then - BUILD_TYPE="--torworkstation" - else - error "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules" - error "You need to set TEMPLATE_FLAVOR environment variable to either" - error "whonix-gateway OR whonix-workstation" - exit 1 - fi + mount --bind "../Whonix" "${INSTALLDIR}/home/user/Whonix" + fi - chroot "$INSTALLDIR" su user -c "cd ~; ./whonix_build $BUILD_TYPE $DIST" || { exit 1; } + if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then + BUILD_TYPE="--torgateway" + elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then + BUILD_TYPE="--torworkstation" else - error "chroot /home/user/Whonix directory does not exist... exiting!" - exit + error "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. 
Not building Whonix modules" + error "You need to set TEMPLATE_FLAVOR environment variable to either" + error "whonix-gateway OR whonix-workstation" + exit 1 fi + + chroot "${INSTALLDIR}" su user -c "cd ~; ./whonix_build ${BUILD_TYPE} ${DIST}" || { exit 1; } + + touch "${INSTALLDIR}/tmp/.whonix_installed" fi # ------------------------------------------------------------------------------ -# Execute any template flavor or sub flavor scripts +# Whonix Post Installation Configurations # ------------------------------------------------------------------------------ -buildStep "99_custom_configuration.sh" +if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then + info "Post Configuring Whonix System" + + pushd "${INSTALLDIR}/etc/network" + { + rm -f interfaces; + ln -s interfaces.backup interfaces; + } + popd + + pushd "${INSTALLDIR}/etc" + { + rm -f resolv.conf; + cp -p resolv.conf.backup resolv.conf; + } + popd + + # Enable Tor + if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then + sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "${INSTALLDIR}/etc/tor/torrc" + fi + + # Fake that whonixsetup was already run + mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once" + touch "${INSTALLDIR}/var/lib/whonix/do_once/whonixsetup.done" + + # Fake that initializer was already run + mkdir -p "${INSTALLDIR}/root/.whonix" + touch "${INSTALLDIR}/root/.whonix/first_run_initializer.done" + + # Prevent whonixcheck error + echo 'WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"' >> "${INSTALLDIR}/etc/whonix.d/30_whonixcheck_default" + + # Disable unwanted applications + chroot "${INSTALLDIR}" update-rc.d network-manager disable || : + chroot "${INSTALLDIR}" update-rc.d spice-vdagent disable || : + chroot "${INSTALLDIR}" update-rc.d swap-file-creator disable || : + chroot "${INSTALLDIR}" update-rc.d whonix-initializer disable || : + + chroot "${INSTALLDIR}" service apt-cacher-ng stop || : + chroot "${INSTALLDIR}" update-rc.d apt-cacher-ng disable || 
: + + # Remove apt-cacher-ng + DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + chroot ${INSTALLDIR} apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng + + # Remove original sources.list + rm -f "${INSTALLDIR}/etc/apt/sources.list" + + DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ + chroot ${INSTALLDIR} apt-get.anondist-orig update + + touch "${INSTALLDIR}/tmp/.whonix_post" +fi -# XXX: Why do I need to move them out of the way? Lets try keeping them -# in place (modify post script too) # ------------------------------------------------------------------------------ -# Move Whonix sources out of way +# Execute any template flavor or sub flavor scripts # ------------------------------------------------------------------------------ -#if [ -L "$INSTALLDIR/etc/apt/sources.list.d" ]; then -# mv "$INSTALLDIR/etc/apt/sources.list.d" "$INSTALLDIR/etc/apt/sources.list.d.qubes" -# mkdir -p "$INSTALLDIR/etc/apt/sources.list.d" -# cp -p "$INSTALLDIR/etc/apt/sources.list.d.qubes/debian.list" "$INSTALLDIR/etc/apt/sources.list.d" -#fi +buildStep "99_custom_configuration.sh" # ------------------------------------------------------------------------------ # Bring back original apt-get for installation of Qubues # ------------------------------------------------------------------------------ -if [ -L "$INSTALLDIR/usr/bin/apt-get" ]; then - rm "$INSTALLDIR/usr/bin/apt-get" - chroot "$INSTALLDIR" su -c "cd /usr/bin/; ln -s apt-get.anondist-orig apt-get" -fi +pushd "${INSTALLDIR}/usr/bin" +{ + rm -f apt-get; + cp -p apt-get.anondist-orig apt-get; +} +popd # ------------------------------------------------------------------------------ # Make sure the temporary policy-rc.d to prevent apt from starting services # on package installation is still active; Whonix may have reset it # ------------------------------------------------------------------------------ -cat > "$INSTALLDIR/usr/sbin/policy-rc.d" < 
"${INSTALLDIR}/usr/sbin/policy-rc.d" < Attempting to kill any processes still running in '$MOUNTDIR' before un-mounting" - for dir in $(sudo grep "$MOUNTDIR" /proc/mounts | cut -f2 -d" " | sort -r | grep "^$MOUNTDIR") + warn "-> Attempting to kill any processes still running in '${MOUNTDIR}' before un-mounting" + for dir in $(sudo grep "${MOUNTDIR}" /proc/mounts | cut -f2 -d" " | sort -r | grep "^${MOUNTDIR}") do sudo lsof "$dir" 2> /dev/null | \ grep "$dir" | \ From f5ede83def8f224e88fa6d00c4fa31d90cae9998 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Wed, 29 Oct 2014 08:16:46 -0400 Subject: [PATCH 45/83] Change copy function not to use wildcard --- functions.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/functions.sh b/functions.sh index 913198c..c4bb43d 100755 --- a/functions.sh +++ b/functions.sh @@ -301,7 +301,7 @@ copyTreeExec() { fi debug "Copying ${source_dir}/* ${target_dir}" - cp -rp "${source_dir}/"* "${target_dir}" + cp -rp "${source_dir}/." "${target_dir}" if [ -f "${source_dir}/.facl" ]; then debug "Restoring file permissions..." From 82a68e9c876f83168fe14b1e9e9e2583379189ff Mon Sep 17 00:00:00 2001 
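Review bot: `chroot ${INSTALLDIR} apt-get.anondist-orig ...` on the two new apt lines leaves `${INSTALLDIR}` unquoted while every other path in the hunk is quoted; quote it. The `remove --purge apt-cacher-ng` call also passes `--force-yes`, which tells apt to skip package authentication; purging a non-essential package needs only `-y`, so `--force-yes` should go here and in the 2900_qubes-post-installation.sh and whonix_fix.sh hunks below. Restoring apt-get with `cp -p apt-get.anondist-orig apt-get` in place of the earlier symlink leaves a plain copy where what looks like Whonix's apt wrapper used to be; if the wrapper is put back later via dpkg's diversion, a comment should say so, otherwise later apt upgrades will not refresh the copy. The hunk's closing policy-rc.d heredoc is garbled in this rendering, so its end could not be checked.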
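Review bot: `cp -rp "${source_dir}/." "${target_dir}"` now copies dotfiles as well, which is presumably the goal, but it also carries `.facl` itself and any stray hidden file under `files/` into the image; the following commit adds a `home/user/.whonix_build.sh.swp` editor swap file that this change will install. Either refuse such files in copyTreeExec before the copy, e.g. `find "${source_dir}" -name '*.swp' -o -name '*~' | grep -q . && exit 1`, or keep the staging tree clean. copyTreeExec begins and continues outside this hunk.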
From: Jason Mehring Date: Wed, 29 Oct 2014 12:53:35 -0400 Subject: [PATCH 46/83] Added initial configuration dialog setup for whonix-gateway --- .../wheezy+whonix-gateway/files/.facl | 113 ++++++++++++- .../files/etc/apt/preferences.d/whonix_qubes | 15 ++ .../xdg/autostart/qubes-whonixsetup.desktop | 8 + .../files/home/user/.whonix_build.sh.swp | Bin 0 -> 12288 bytes .../user/build-steps.d/1000_qubes-patches.sh | 92 ++++++++++ .../2900_qubes-post-installation.sh | 60 +++++++ .../files/home/user/whonix_build.sh | 41 +++++ .../files/home/user/whonix_fix.sh | 3 + .../files/usr/lib/whonix/qubes-whonixsetup | 23 +++ .../files/usr/lib/whonix/replace-ips | 31 ++-- .../files/usr/lib/whonix/setup-ip | 50 ++++-- .../files/home/user/whonix_build.sh | 41 +++++ .../files/usr/lib/whonix/replace-ips | 23 ++- .../files/usr/lib/whonix/setup-ip | 5 +- .../02_install_groups_packages_installed.sh | 22 ++- ...groups_packages_installed.sh.build-steps.d | 157 ++++++++++++++++++ 16 files changed, 631 insertions(+), 53 deletions(-) create mode 100644 scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes create mode 100644 scripts_debian/wheezy+whonix-gateway/files/etc/xdg/autostart/qubes-whonixsetup.desktop create mode 100644 scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp create mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh create mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh create mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh create mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh create mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup create mode 100755 scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh create mode 100755 
scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl index 9e5e47b..e81b167 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/.facl +++ b/scripts_debian/wheezy+whonix-gateway/files/.facl @@ -1,6 +1,6 @@ # file: . -# owner: root -# group: root +# owner: user +# group: user user::rwx group::r-x other::r-x @@ -19,6 +19,48 @@ user::rw- group::r-- other::r-- +# file: etc/xdg +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/xdg/autostart +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/xdg/autostart/qubes-whonixsetup.desktop +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/apt +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/apt/preferences.d +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/apt/preferences.d/whonix_qubes +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc/udev # owner: root # group: root @@ -49,7 +91,7 @@ other::r-- # file: etc/sudoers.d # owner: root -# group: user +# group: root user::rwx group::r-x other::r-x 
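Review bot: The `# file: .` entry now records `owner: user` / `group: user` for the top of the tree; if the .facl restore in copyTreeExec applies the owner and group from these headers, the root of whatever directory the tree is copied into ends up owned by the unprivileged user instead of root, which would be a problem for a template filesystem. Confirm whether the restore step sets ownership (that part of copyTreeExec is not visible in this patch) and, if it does, keep `.` as `root` / `root` and move the user ownership to the `home/user` entries only. The `etc/sudoers.d` change from group `user` to `root` in the third hunk is the right direction for the same reason.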
@@ -61,9 +103,65 @@ user::r-- group::r-- other::--- -# file: .facl +# file: home # owner: root # group: root +user::rwx +group::r-x +other::r-x + +# file: home/user +# owner: user +# group: user +user::rwx +group::r-x +other::r-x + +# file: home/user/whonix_fix.sh +# owner: user +# group: user +user::rwx +group::r-x +other::r-x + +# file: home/user/build-steps.d +# owner: user +# group: user +user::rwx +group::r-x +other::r-x + +# file: home/user/build-steps.d/1000_qubes-patches.sh +# owner: user +# group: user +user::rwx +group::r-x +other::r-x + +# file: home/user/build-steps.d/2900_qubes-post-installation.sh +# owner: user +# group: user +user::rwx +group::r-x +other::r-x + +# file: home/user/whonix_build.sh +# owner: user +# group: user +user::rwx +group::r-x +other::r-x + +# file: home/user/.whonix_build.sh.swp +# owner: user +# group: user +user::rw- +group::r-- +other::r-- + +# file: .facl +# owner: user +# group: user user::rw- group::r-- other::r-- @@ -103,6 +201,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/qubes-whonixsetup +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + # file: usr/lib/whonix/enable-iptables-logging.sh # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes b/scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes new file mode 100644 index 0000000..9bc0b6c --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes @@ -0,0 +1,15 @@ +Package: grub-pc +Pin: version * +Pin-Priority: -100 + +Package: grub-pc-bin +Pin: version * +Pin-Priority: -100 + +Package: grub-common +Pin: version * +Pin-Priority: -100 + +Package: grub2-common +Pin: version * +Pin-Priority: -100 
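Review bot: The new `home/user/.whonix_build.sh.swp` entry describes a vim swap file, not a build input, and the binary file itself is added by this commit, so it will be copied into the template's /home/user with the listed permissions. Drop the file and its .facl entry and ignore `*.swp` in the repository so it cannot come back.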
diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/xdg/autostart/qubes-whonixsetup.desktop b/scripts_debian/wheezy+whonix-gateway/files/etc/xdg/autostart/qubes-whonixsetup.desktop new file mode 100644 index 0000000..260635d --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/etc/xdg/autostart/qubes-whonixsetup.desktop @@ -0,0 +1,8 @@ +## This file is part of Whonix. +## Copyright (C) 2012 - 2014 Patrick Schleizer +## See the file COPYING for copying conditions. + +[Desktop Entry] +Type=Application +Terminal=false +Exec=/usr/lib/whonix/qubes-whonixsetup diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp b/scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp new file mode 100644 index 0000000000000000000000000000000000000000..e88a6478eef4588aedea9c84d9e00d26bc6d0228 GIT binary patch literal 12288 zcmeI2&5j&35XYT_3kiW09Jm%Uk&rg>^zIOmL?{vo8(?ABti&uq2sG*sPq&%wwqv{J zBZMF>2zUT4z=ap!!~wwp9)Ks{&P#Bi+}$&~iB?(;bIGbK{imm0<#PGg_DHR%XzPRB z_uy*p3d6R+*!3Uwhp)f5!8YDutg^!R?vq-ktUJla+aLOX!M!RHmPeJ$lhvIyagfWh znsX-#org}W9Bgc)c6OAANQPxF%Y?YUxID{LDd#*z&sn$##xfT+$W$SMdXC0Cswe5$ z?EfT3K1AR&6R6ynU%SX&>2GiOWp+C+!3)nHoaPnN+K2!VAOb{y2oM1xKm>>Y5qOM% z(`VQh*mt(=-)ygE9=o=;bRhynfCvx)B0vO)01+SpM1Tko0U|&Io`T-L^#MZK-i;Vq_`VI9d>MH7= zXBhhf^*w5aGN^kfK%GbZdV#TTQQx5Mqdq|mP}fj^`WJKi3-t@?N7PrS5vtDl31m(w z69FPX1c(3;AOb|-bP~`?Ck(K0ZYNT68J5Y+uG1jyE>AUPMHNyq;*C{m6NK3OZ`<8 zQTm|#*g-3&xH3kRj$2ikSlCtnt5+iFcwM==>Z^-R;nFsC*eX%*Ft}S6t77S@uUT!1 zQqia@n(8OtUV(6NfCtARwJe;9R3w1s!nnf+ ziaQH)u&^{^j*)1b1it>&yVReSA~X}oRGvU;s)*}&dF7EToA0qI3OqmF-sjEDapUd6 zPJK?8LmjUjvI&VQUv`iR2SyZXiqm%ijV=?Q!*~*=q6aX{WSLs9LKJ|x&J?BD?@OBHsG7k__;b&1*n)y*ifV2?S$+ZBA2|g-3Q#$k~ z-Qu@GCE`YU+0395xIzcj%ypW@I#tCP1QGt~1Rh2G(Tm4vV{Sv~BOb?(>z_QZj|<$# Pbl;ToN?X=lb7TJj93u3Z literal 0 HcmV?d00001 
diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh new file mode 100755 index 0000000..30c5f71 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh 
@@ -0,0 +1,92 @@ +#!/bin/bash +# vim: set ts=4 sw=4 sts=4 et : + +set -x + +WHONIX_DIR="$(readlink -m .)" + +# -------------------------------------------------------------------------- +# Initialize Whonix submodules +# -------------------------------------------------------------------------- +pushd "${WHONIX_DIR}" +{ + sudo git submodule update --init --recursive; +} +popd + +# -------------------------------------------------------------------------- +# Patch Whonix submodules +# -------------------------------------------------------------------------- + +# Chekout a branch; create a branch first if it does not exist +checkout_branch() { + branch=$(git symbolic-ref --short -q HEAD) + if ! [ "${branch}" == "${1}" ]; then + sudo -u "${user_name}" git checkout "${1}" >/dev/null 2>&1 || \ + { + sudo -u "${user_name}" git branch "${1}" + sudo -u "${user_name}" git checkout "${1}" + } + fi +} + +# sed search and replace. return 0 if replace happened, otherwise 1 +search_replace() { + local search="${1}" + local replace="${2}" + local file="${3}" + + sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" +} + +# Patch anon-meta-packages to not depend on grub-pc +pushd "${WHONIX_DIR}" +{ + search_replace "grub-pc" "" "grml_packages" || : +} +popd + +pushd "${WHONIX_DIR}/packages/anon-meta-packages/debian" +{ + search1=" grub-pc,"; + replace=""; + + #checkout_branch qubes + search_replace "${search1}" "${replace}" control && \ + { + cd "${WHONIX_DIR}/packages/anon-meta-packages"; + : + #sudo -E -u "${user_name}" make deb-pkg || : + #su "${user_name}" -c "dpkg-source --commit" || : + #git add . 
+ #su "${user_name}" -c "git commit -am 'removed grub-pc depend'" + } || : +} +popd + +pushd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d" +{ + search1="update-grub"; + replace=":"; + + #checkout_branch qubes + search_replace "${search1}" "${replace}" 85_update_grub && \ + { + cd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub"; + sudo -E -u "${user_name}" make deb-pkg || : + su "${user_name}" -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub"; + #git add . ; + #su "${user_name}" -c "git commit -am 'removed grub-pc depend'" + } || : +} +popd + +pushd "${WHONIX_DIR}/build-steps.d" +{ + search1=" check_for_uncommited_changes"; + replace=" #check_for_uncommited_changes"; + + search_replace "${search1}" "${replace}" 1200_create-debian-packages || : + } +popd + diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh new file mode 100755 index 0000000..654b9a5 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh 
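Review bot: `${user_name}` is used by checkout_branch and by the `sudo -E -u "${user_name}" make deb-pkg` / `su "${user_name}" -c ...` lines but is never set in this script, which only assigns WHONIX_DIR and runs with `set -x`; with it unset, sudo fails under the `|| :` and `su` runs the command as root. Presumably the Whonix build-steps framework exports it when it sources this file — state that in a header comment and add `: "${user_name:?}"` right after WHONIX_DIR so the assumption fails loudly. `sudo git submodule update --init --recursive` runs as root inside the user's checkout and leaves root-owned files for the later unprivileged `make deb-pkg` to trip over; `sudo -u "${user_name}" git submodule update --init --recursive` would match the other git calls. search_replace splices its arguments unescaped into the sed program, which is fine for the constant patterns used here but deserves a comment saying the arguments must be trusted.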
@@ -0,0 +1,60 @@
+#!/bin/bash
+# vim: set ts=4 sw=4 sts=4 et :
+
+# ------------------------------------------------------------------------------
+# Whonix Post Installation Configurations
+# ------------------------------------------------------------------------------
+echo "Post Configuring Whonix System"
+
+pushd "/etc/network"
+{
+ rm -f interfaces;
+ ln -s interfaces.backup interfaces;
+}
+popd
+
+pushd "/etc"
+{
+ rm -f resolv.conf;
+ cp -p resolv.conf.backup resolv.conf;
+}
+popd
+
+# Enable Tor
+#if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then
+# sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "/etc/tor/torrc"
+#fi
+
+# Fake that whonixsetup was already run
+#mkdir -p "/var/lib/whonix/do_once"
+#touch "/var/lib/whonix/do_once/whonixsetup.done"
+
+# Fake that initializer was already run
+mkdir -p "/root/.whonix"
+touch "/root/.whonix/first_run_initializer.done"
+
+# Prevent whonixcheck error
+echo 'WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"' >> "/etc/whonix.d/30_whonixcheck_default"
+
+# Use gdialog as an alternative for dialog
+update-alternatives --install /usr/bin/dialog dialog /usr/bin/gdialog 999
+
+# Disable unwanted applications
+update-rc.d network-manager disable || :
+update-rc.d spice-vdagent disable || :
+update-rc.d swap-file-creator disable || :
+update-rc.d whonix-initializer disable || :
+
+service apt-cacher-ng stop || :
+update-rc.d apt-cacher-ng disable || :
+
+# Remove apt-cacher-ng
+DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
+ apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng
+
+# Remove original sources.list
+rm -f "/etc/apt/sources.list"
+
+DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
+ apt-get.anondist-orig update
+
diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh
new file mode 100755
index 0000000..0fdf086
--- /dev/null
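Review bot: The script has no `set -e` and continues past failures of the steps that matter: `ln -s interfaces.backup interfaces` and `cp -p resolv.conf.backup resolv.conf` assume the `.backup` files exist (the symlink is created dangling if not), and `apt-get.anondist-orig update` is unchecked. Add `set -e` after the vim modeline and guard the backups with `[ -e interfaces.backup ] || exit 1` (likewise for resolv.conf.backup), keeping `|| :` only on the update-rc.d and service lines where failure is expected. The commented-out `# Enable Tor` and `whonixsetup.done` blocks should say why they are disabled here while the template-side build script still performs the same steps, so the two do not drift.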
+++ b/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh @@ -0,0 +1,41 @@ +################################################################################ +# Pre Fixups +sudo mkdir -p /boot/grub2 +sudo touch /boot/grub2/grub.cfg +sudo mkdir -p /boot/grub +sudo touch /boot/grub/grub.cfg +sudo mkdir --parents --mode=g+rw "/tmp/uwt" + +# Whonix seems to re-install sysvinit even though there is a hold +# on the package. Things seem to work anyway. BUT hopfully the +# hold on grub* don't get removed +sudo apt-mark hold sysvinit +sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common + +# Whonix expects haveged to be started +sudo /etc/init.d/haveged start + +# ------------------------------------------------------------------------------ +# Link our build steps into Whonix build directory +# ------------------------------------------------------------------------------ +#pushd /home/user/Whonix/build-steps.d +#cp -pf /home/user/build-steps.d/* . +#popd + +# ------------------------------------------------------------------------------ +# Whonix installation +# ------------------------------------------------------------------------------ +export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" + +pushd ~/Whonix +sudo ~/Whonix/whonix_build \ + --build $1 \ + --64bit-linux \ + --current-sources \ + --enable-whonix-apt-repository \ + --whonix-apt-repository-distribution $2 \ + --install-to-root \ + --skip-verifiable \ + --minimal-report \ + --skip-sanity-tests || { exit 1; } +popd diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh new file mode 100755 index 0000000..508180a --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh 
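Review bot: The file opens with a comment banner rather than a shebang although it is installed mode 0755 and executed directly; add `#!/bin/bash` as the first line so it does not depend on the caller's ENOEXEC fallback. `--build $1` and `--whonix-apt-repository-distribution $2` are unquoted and unchecked, so a missing argument is passed on as an empty option value; `: "${1:?build type required}" "${2:?distribution required}"` near the top makes that fail fast. `--skip-verifiable` and `--skip-sanity-tests` deserve a one-line comment on why those checks are skipped for this build.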
@@ -0,0 +1,3 @@
+DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
+ sudo apt-get -y --force-yes remove grub-pc grub-common grub-pc-bin grub2-common
+ sudo apt-mark hold grub-common grub-pc-bin grub2-common
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
new file mode 100755
index 0000000..681c889
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
@@ -0,0 +1,23 @@
+#/bin/bash
+
+# XXX: TODO:
+# - Make sure we can't just run this from setup-ip
+# - Alternatives? instead of deleting dialog?
+#
+# INSTALLATION NOTES:
+# - Make sure /etc/tor/torrc is disabled initially
+# - Make sure /var/lib/whonix/do_once/whonixsetup.done does not exist
+# so repo questions will be asked
+# - /etc/xdg/autostart/qubes-whonixsetup must be in place
+# - this file must be in place
+# - gdialog must have over-written dialog
+# - patches to setup-ip:
+# - bring eth1 up
+# - remove old code that was trying to get setup working
+
+grep "^DisableNetwork 0$" /etc/tor/torrc || {
+ sudo systemctl stop whonixcheck
+ sudo systemctl stop tor
+ sudo /usr/lib/whonix/setup-ip
+ sudo /usr/bin/whonixsetup
+}
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips
index d41f88a..f2e4076 100755
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips
@@ -52,7 +52,7 @@ function replace_ips()
 local search_ip="${1}"
 local replace_ip="${2}"
 local files=("${!3}")
-local restart_tor=0
+local retval=1
 
 # If IP is 10.152.152.10, network is 10.152.152.0
 search_network="${search_ip%[.]*}.0"
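Review bot: The first line of qubes-whonixsetup is `#/bin/bash`, a comment rather than a shebang (`#!` is missing); since the autostart entry runs the file directly via `Exec=/usr/lib/whonix/qubes-whonixsetup`, the kernel refuses to execute it and whether anything falls back to /bin/sh depends on the launcher. Change it to `#!/bin/bash`. `grep "^DisableNetwork 0$" /etc/tor/torrc || {` also prints the matched line on every login; `grep -q` keeps the check silent. The four `sudo` calls presume passwordless sudo for the desktop user, which is worth stating in the INSTALLATION NOTES header.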
@@ -61,29 +61,32 @@ function replace_ips() if ! [ "${search_ip}" == "${replace_ip}" ]; then for file in "${files[@]}"; do if [ -f "$file" ]; then - search_replace "${search_ip}" "${replace_ip}" "${file}" && restart_tor=1 - search_replace "${search_network}" "${replace_network}" "${file}" && restart_tor=1 + search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0 + search_replace "${search_network}" "${replace_network}" "${file}" && retval=0 fi done - - if [ "${restart_tor}" == "1" ]; then - echo "${replace_ip}" > /etc/whonix-netvm-gateway - grep "^DisableNetwork 0$" /etc/tor/torrc && { - service tor reload || true; - #sleep 1; - } - fi fi + + return $retval +} + +update_ip() { + ip=${1} + + echo "${ip}" > /etc/whonix-netvm-gateway + grep '^DisableNetwork 0$' /etc/tor/torrc && { + service tor reload || true; + } } ip="$(xenstore-read qubes-netvm-gateway)" # Compare to current IP address assiged by Qubes -replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] +replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}" # Do again; checking for original 10.152.152.10 incase of update -replace_ips "10.152.152.10" "${ip}" FILES[@] +replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}" # Do again; checking for original 10.152.152.11 incase of update -replace_ips "10.152.152.11" "${ip}" FILES[@] +replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}" diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip index 0aadc68..9a098f7 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip @@ -23,6 +23,8 @@ ip link show ${INTERFACE} >> /dev/null || { /sbin/ethtool -K ${INTERFACE} sg off /sbin/ethtool -K ${INTERFACE} tx off fi + + ip link set ${INTERFACE} up } # Files that will have the immutable bit set 
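Review bot: In the new `update_ip()` the parameter copy `ip=${1}` is not declared `local`, so it overwrites the script-level `ip` assigned from `xenstore-read` just below; this is harmless today only because both hold the same value, and `local ip=${1}` keeps them separate. The line `grep '^DisableNetwork 0$' /etc/tor/torrc && { service tor reload || true; }` echoes the matched torrc line on every run and should be `grep -q`. Because the three `replace_ips … && update_ip "${ip}"` calls are independent, a file set that matches more than one search address rewrites /etc/whonix-netvm-gateway and reloads tor more than once; collecting the results and calling `update_ip` once at the end would avoid the repeated reloads. The script's exit status is that of the last `replace_ips`, i.e. 1 when nothing needed replacing, which callers running under `set -e` would treat as failure — worth a comment or an explicit `exit 0` if that is not intended.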
@@ -90,7 +92,7 @@ copyAnondist "/etc/hostname" /usr/lib/whonix/replace-ips # Make sure hostname is correct -/bin/hostname -b host +/bin/hostname host # Start Whonix Firewall export INT_IF="vif+" @@ -101,21 +103,39 @@ export INT_TIF="vif+" # Allows localhost access to tor network iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 -enable() { +# Will only enable / disable if service is not already in that state +enable_sysv() { servicename=${1} - - grep "^DisableNetwork 0$" /etc/tor/torrc && { - # Check to see if the service is already enabled and if not, enable it - string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" - - if ! [ $(find $string 2>/dev/null | wc -l) -eq 1 ] ; then - echo "${1} is currently disabled; enabling it" - systemctl --quiet enable ${servicename} - fi - } + disable=${2-0} + + # Check to see if the service is already enabled and if not, enable it + string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" + + if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then + case ${disable} in + 0) + echo "${1} is currently disabled; enabling it" + systemctl --quiet enable ${servicename} + ;; + 1) + echo "${1} is currently enabled; disabling it" + systemctl --quiet disable ${servicename} + ;; + esac + fi } -#enable tor -#enable whonixcheck -#enable sdwdate +disable_sysv() { + enable_sysv ${1} 1 +} +# This would be a really good place to apply any hacks required and remove them +# from template build script +grep "^DisableNetwork 0$" /etc/tor/torrc && { + #enable_sysv tor + #enable_sysv whonixcheck + #enable_sysv sdwdate + : +} || { + : +} diff --git a/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh b/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh new file mode 100755 index 0000000..0fdf086 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh 
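Review bot: `enable_sysv()` assigns `servicename`, `disable` and `string` without `local`, so every call leaves them in the script's global scope; `local servicename=${1}`, `local disable=${2-0}` and `local string=…` keep the helper self-contained, and the two echo lines should then say `${servicename}` rather than `${1}`. `find $string 2>/dev/null | wc -l` depends on `$string` being unquoted so that the `S[0-9][0-9]` glob expands before find runs, which ShellCheck will flag; a comment such as `# intentionally unquoted: the glob must match the rc?.d symlink` records why. The closing `grep "^DisableNetwork 0$" /etc/tor/torrc && { : } || { : }` block is a no-op that still prints the matched line to stdout; until hacks are actually placed there, `grep -q` or dropping the block keeps the boot output clean.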
@@ -0,0 +1,41 @@ +################################################################################ +# Pre Fixups +sudo mkdir -p /boot/grub2 +sudo touch /boot/grub2/grub.cfg +sudo mkdir -p /boot/grub +sudo touch /boot/grub/grub.cfg +sudo mkdir --parents --mode=g+rw "/tmp/uwt" + +# Whonix seems to re-install sysvinit even though there is a hold +# on the package. Things seem to work anyway. BUT hopfully the +# hold on grub* don't get removed +sudo apt-mark hold sysvinit +sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common + +# Whonix expects haveged to be started +sudo /etc/init.d/haveged start + +# ------------------------------------------------------------------------------ +# Link our build steps into Whonix build directory +# ------------------------------------------------------------------------------ +#pushd /home/user/Whonix/build-steps.d +#cp -pf /home/user/build-steps.d/* . +#popd + +# ------------------------------------------------------------------------------ +# Whonix installation +# ------------------------------------------------------------------------------ +export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" + +pushd ~/Whonix +sudo ~/Whonix/whonix_build \ + --build $1 \ + --64bit-linux \ + --current-sources \ + --enable-whonix-apt-repository \ + --whonix-apt-repository-distribution $2 \ + --install-to-root \ + --skip-verifiable \ + --minimal-report \ + --skip-sanity-tests || { exit 1; } +popd diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips index 3a43484..bc44984 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips 
@@ -24,9 +24,9 @@ FILES=( # sed search and replace. return 0 if replace happened, otherwise 1 search_replace() { - local search="$1" - local replace="$2" - local file="$3" + local search="${1}" + local replace="${2}" + local file="${3}" local retval=1 if ! [ -L "${file}" ]; then @@ -36,7 +36,7 @@ search_replace() { chattr -i "${file}" fi fi - + sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" retval=$? @@ -52,22 +52,22 @@ function replace_ips() local search_ip="${1}" local replace_ip="${2}" local files=("${!3}") - local replaced=0 + local retval=1 # If IP is 10.152.152.10, network is 10.152.152.0 - replace_network="${replace_ip%.*}.0" - search_network="${search_ip%.*}.0" + search_network="${search_ip%[.]*}.0" + replace_network="${replace_ip%[.]*}.0" if ! [ "${search_ip}" == "${replace_ip}" ]; then for file in "${files[@]}"; do if [ -f "$file" ]; then - search_replace "${search_ip}" "${replace_ip}" "${file}" && replaced=1 - search_replace "${search_network}" "${replace_network}" "${file}" && replaced=1 + search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0 + search_replace "${search_network}" "${replace_network}" "${file}" && retval=0 fi done fi - - return $replaced + + return $retval } ip="$(xenstore-read qubes-ip)" @@ -85,4 +85,3 @@ replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${ # Do again; checking for original 10.152.152.10 incase of update replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway - diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip index d8aa2ba..2dca037 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip 
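Review bot: In `replace_ips()` the new `search_network=` and `replace_network=` assignments are the only variables in the function not declared `local`, so they leak into the script's global scope while `search_ip`, `replace_ip`, `files` and `retval` do not; `local search_network="${search_ip%[.]*}.0"` and `local replace_network="${replace_ip%[.]*}.0"` make the function consistent with its siblings. Both values are later interpolated unescaped into the `sed` address in `search_replace` (context just above), where the dots of a dotted-quad are regex metacharacters; that line is unchanged by this commit, so I only flag it for a follow-up. The definition style is also mixed — `function replace_ips()` versus `search_replace() {` — and the file would read better with one form.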
@@ -3,7 +3,6 @@ # Files that will have the immutable bit set # since we don't want them modified by other programs IMMUTABLE_FILES=( - '/etc/resolv.conf' '/etc/hostname' '/etc/hosts' ) @@ -56,7 +55,6 @@ immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" # Make sure we are using a copy of the annondist file and if not # copy the annondist file and set it immutable -copyAnondist "/etc/resolv.conf" copyAnondist "/etc/hosts" copyAnondist "/etc/hostname" @@ -65,7 +63,8 @@ copyAnondist "/etc/hostname" /usr/lib/whonix/replace-ips # Make sure hostname is correct -/bin/hostname -b host +/bin/hostname host # Start Whonix Firewall /usr/bin/whonix_firewall + diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index e25ced8..7cda7ca 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh @@ -276,7 +276,7 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ] && ! [ -f "${INSTALLDIR}/tmp/.who exit 1 fi - chroot "${INSTALLDIR}" su user -c "cd ~; ./whonix_build ${BUILD_TYPE} ${DIST}" || { exit 1; } + chroot "${INSTALLDIR}" su user -c "cd ~; ./whonix_build.sh ${BUILD_TYPE} ${DIST}" || { exit 1; } touch "${INSTALLDIR}/tmp/.whonix_installed" fi 
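Review bot: `su user -c "cd ~; ./whonix_build.sh ${BUILD_TYPE} ${DIST}"` expands `${BUILD_TYPE}` and `${DIST}` into a command string that the chroot's shell re-parses, so a value containing whitespace or shell metacharacters becomes extra words or commands rather than one argument. `BUILD_TYPE` appears to be set to a fixed flag earlier in this block (not visible in the hunk), so the practical exposure is `DIST`, which comes from the build environment; quoting it on the way in, e.g. `dist_q=$(printf '%q' "${DIST}")` and then `"cd ~; ./whonix_build.sh ${BUILD_TYPE} ${dist_q}"`, keeps it a single word. The enclosing `if` block starts before this hunk.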
@@ -302,13 +302,21 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh popd # Enable Tor - if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then - sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "${INSTALLDIR}/etc/tor/torrc" - fi + #if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then + # sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "${INSTALLDIR}/etc/tor/torrc" + #fi + + # Enable aliases in .bashrc + sed -i "s/^# export/export/g" "${INSTALLDIR}/root/.bashrc" + sed -i "s/^# eval/eval/g" "${INSTALLDIR}/root/.bashrc" + sed -i "s/^# alias/alias/g" "${INSTALLDIR}/root/.bashrc" + sed -i "s/^#force_color_prompt/force_color_prompt/g" "${INSTALLDIR}/home/user/.bashrc" + sed -i "s/#alias/alias/g" "${INSTALLDIR}/home/user/.bashrc" + sed -i "s/alias l='ls -CF'/alias l='ls -l'/g" "${INSTALLDIR}/home/user/.bashrc" # Fake that whonixsetup was already run mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once" - touch "${INSTALLDIR}/var/lib/whonix/do_once/whonixsetup.done" + #touch "${INSTALLDIR}/var/lib/whonix/do_once/whonixsetup.done" # Fake that initializer was already run mkdir -p "${INSTALLDIR}/root/.whonix" @@ -317,6 +325,10 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh # Prevent whonixcheck error echo 'WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"' >> "${INSTALLDIR}/etc/whonix.d/30_whonixcheck_default" + # Use gdialog as an alternative for dialog + mv -f "${INSTALLDIR}/usr/bin/dialog" "${INSTALLDIR}/usr/bin/dialog.dist" + chroot "${INSTALLDIR}" update-alternatives --force --install /usr/bin/dialog dialog /usr/bin/gdialog 999 + # Disable unwanted applications chroot "${INSTALLDIR}" update-rc.d network-manager disable || : chroot "${INSTALLDIR}" update-rc.d spice-vdagent disable || : diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d new file mode 100755 index 0000000..8cd88f0 
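Review bot: Of the six `.bashrc` edits, `sed -i "s/#alias/alias/g" "${INSTALLDIR}/home/user/.bashrc"` is the only one without the `^` anchor, so it also rewrites `#alias` occurring mid-line (for example inside a comment), whereas its siblings only touch commented-out lines at column 0; `sed -i "s/^#alias/alias/g" …` matches the rest. A short comment above the group, such as `# Un-comment Debian's default commented-out aliases and colour prompt for root and user`, would explain why an image build script edits dotfiles. Enabling `DisableNetwork 0` in torrc and creating `whonixsetup.done` are now commented out rather than deleted; if that is deliberate pending the first-start setup GUI, a comment saying so prevents them being re-enabled by mistake later.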
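Review bot: `mv -f "${INSTALLDIR}/usr/bin/dialog" "${INSTALLDIR}/usr/bin/dialog.dist"` renames a file owned by the `dialog` package behind dpkg's back, so the next upgrade of that package will reinstall /usr/bin/dialog over the alternative symlink and silently undo the gdialog switch. The Debian mechanism for this is a diversion registered before the alternative: `chroot "${INSTALLDIR}" dpkg-divert --add --rename --divert /usr/bin/dialog.dist /usr/bin/dialog`, after which `update-alternatives --install` should no longer need `--force`. The `mv -f` also aborts the build if `dialog` happens not to be installed, whereas the diversion should simply register and move nothing in that case.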
--- /dev/null +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d 
@@ -0,0 +1,157 @@ +#!/bin/bash +# vim: set ts=4 sw=4 sts=4 et : + +# ------------------------------------------------------------------------------ +# Source external scripts +# ------------------------------------------------------------------------------ +. ${SCRIPTSDIR}/vars.sh +. ./umount_kill.sh >/dev/null + +# ------------------------------------------------------------------------------ +# Configurations +# ------------------------------------------------------------------------------ +if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then + set -x +else + set -e +fi + +# ------------------------------------------------------------------------------ +# XXX: Create a snapshot - Only for DEBUGGING! +# ------------------------------------------------------------------------------ +# Only execute if SNAPSHOT is set +if [ "${SNAPSHOT}" == "1" ]; then + splitPath "${IMG}" path_parts + PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}" + + if ! [ -f "${PREPARED_IMG}" ] && ! 
[ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then + umount_kill "${INSTALLDIR}" || : + warn "Copying ${IMG} to ${PREPARED_IMG}" + cp -f "${IMG}" "${PREPARED_IMG}" + mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1 + for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "${INSTALLDIR}/$fs"; done + fi +fi + +# ------------------------------------------------------------------------------ +# Set defualts for apt not to install recommended or extra packages +# ------------------------------------------------------------------------------ +#read -r -d '' WHONIX_APT_PREFERENCES <<'EOF' +#Acquire::Languages "none"; +#APT::Install-Recommends "false"; +#APT::Install-Suggests "false"; +#Dpkg::Options "--force-confold"; +#EOF + +# ------------------------------------------------------------------------------ +# Cleanup function +# ------------------------------------------------------------------------------ +function cleanup() { + error "Whonix error; umounting ${INSTALLDIR} to prevent further writes" + umount_kill "${INSTALLDIR}" || : + exit 1 +} +trap cleanup ERR +trap cleanup EXIT + +# ------------------------------------------------------------------------------ +# Mount devices, etc required for Whonix installation +# ------------------------------------------------------------------------------ +if ! 
[ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then + info "Preparing Whonix system" + + # -------------------------------------------------------------------------- + # Qubes needs a user named 'user' + # -------------------------------------------------------------------------- + debug "Whonix Add user" + chroot "${INSTALLDIR}" id -u 'user' >/dev/null 2>&1 || \ + { + chroot "${INSTALLDIR}" groupadd -f user + chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user + } + + # ------------------------------------------------------------------------------ + # Copy over any extra files + # ------------------------------------------------------------------------------ + copyTree "files" + + touch "${INSTALLDIR}/tmp/.whonix_prepared" +fi + +# ------------------------------------------------------------------------------ +# Install Whonix +# ------------------------------------------------------------------------------ +if [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_installed" ]; then + info "Installing Whonix system" + + # ------------------------------------------------------------------------------ + # Create Whonix mount point + # ------------------------------------------------------------------------------ + if ! [ -d "${INSTALLDIR}/home/user/Whonix" ]; then + debug "Installing Whonix build environment..." + chroot "${INSTALLDIR}" su user -c 'mkdir /home/user/Whonix' + fi + + # -------------------------------------------------------------------------- + # Install Whonix code base + # -------------------------------------------------------------------------- + if [ -d "${INSTALLDIR}/home/user/Whonix" ]; then + debug "Building Whonix..." 
+ mount --bind "../Whonix" "${INSTALLDIR}/home/user/Whonix" + sync + sleep 1 + fi + + # ------------------------------------------------------------------------------ + # Determine type of Whonix build + # ------------------------------------------------------------------------------ + if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then + BUILD_TYPE="--torgateway" + elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then + BUILD_TYPE="--torworkstation" + else + error "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules" + error "You need to set TEMPLATE_FLAVOR environment variable to either" + error "whonix-gateway OR whonix-workstation" + exit 1 + fi + + # ------------------------------------------------------------------------------ + # Start Whonix build process + # ------------------------------------------------------------------------------ + chroot "${INSTALLDIR}" su user -c "cd ~; ./whonix_build.sh ${BUILD_TYPE} ${DIST}" || { exit 1; } + + touch "${INSTALLDIR}/tmp/.whonix_installed" + touch "${INSTALLDIR}/tmp/.whonix_post" +fi + +# ------------------------------------------------------------------------------ +# Execute any template flavor or sub flavor scripts +# ------------------------------------------------------------------------------ +buildStep "99_custom_configuration.sh" + +# ------------------------------------------------------------------------------ +# Bring back original apt-get for installation of Qubues +# ------------------------------------------------------------------------------ +pushd "${INSTALLDIR}/usr/bin" +{ + rm -f apt-get; + cp -p apt-get.anondist-orig apt-get; +} +popd + +# ------------------------------------------------------------------------------ +# Make sure the temporary policy-rc.d to prevent apt from starting services +# on package installation is still active; Whonix may have reset it +# ------------------------------------------------------------------------------ +cat > 
"${INSTALLDIR}/usr/sbin/policy-rc.d" < Date: Sun, 2 Nov 2014 16:14:36 -0500 Subject: [PATCH 47/83] Whonix setup GUI now run on first start to allow configuration Added alternate for dialag (gdialog) so some of Whonix programs run Changed sudo permissions to fix umask and not use QT shared memory Changed whonix to use basic hosts file Added detection if template is active for updating Added startup code for tinyproxy Added code to disable uwt so apt-get can be used as proxy Created a python GUI Message Alert using yaml for messages (internationalization) --- .../wheezy+whonix-gateway/files/.facl | 92 ++++----- .../wheezy+whonix-gateway/files/etc/hosts | 9 - .../files/etc/uwt.d/50_uwt_default | 6 + .../files/home/user/.whonix_build.sh.swp | Bin 12288 -> 0 bytes .../user/build-steps.d/1000_qubes-patches.sh | 92 --------- .../2900_qubes-post-installation.sh | 60 ------ .../files/home/user/whonix_build.sh | 41 ---- .../files/home/user/whonix_fix.sh | 3 - .../files/usr/lib/whonix/alert | 90 ++++++++ .../usr/lib/whonix/enable-iptables-logging.sh | 8 + .../files/usr/lib/whonix/messages.yaml | 12 ++ .../files/usr/lib/whonix/qubes-whonixsetup | 65 ++++-- .../files/usr/lib/whonix/replace-ips | 48 ++++- .../files/usr/lib/whonix/setup-ip | 195 ++++++------------ .../files/usr/lib/whonix/tests.sh | 95 +++++++++ .../files/usr/lib/whonix/utility_functions | 94 +++++++++ .../wheezy+whonix-workstation/files/.facl | 53 ++++- .../wheezy+whonix-workstation/files/etc/hosts | 9 - .../files/etc/uwt.d/50_uwt_default | 6 + .../files/home/user/whonix_build.sh | 41 ---- .../files/usr/lib/whonix/alert | 90 ++++++++ .../usr/lib/whonix/enable-iptables-logging.sh | 8 + .../files/usr/lib/whonix/messages.yaml | 12 ++ .../files/usr/lib/whonix/qubes-whonixsetup | 46 +++++ .../files/usr/lib/whonix/replace-ips | 57 +++-- .../files/usr/lib/whonix/setup-ip | 116 ++++++----- .../files/usr/lib/whonix/tests.sh | 95 +++++++++ .../files/usr/lib/whonix/utility_functions | 94 +++++++++ 
.../02_install_groups_packages_installed.sh | 45 ++-- .../wheezy+whonix/04_install_qubes_post.sh | 2 +- 30 files changed, 1028 insertions(+), 556 deletions(-) create mode 100644 scripts_debian/wheezy+whonix-gateway/files/etc/uwt.d/50_uwt_default delete mode 100644 scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp delete mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh delete mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh delete mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh delete mode 100755 scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh create mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/alert create mode 100644 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml create mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh create mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/utility_functions create mode 100644 scripts_debian/wheezy+whonix-workstation/files/etc/uwt.d/50_uwt_default delete mode 100755 scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/alert create mode 100644 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/utility_functions diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl index e81b167..ece4cc6 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/.facl +++ b/scripts_debian/wheezy+whonix-gateway/files/.facl 
@@ -19,6 +19,20 @@ user::rw- group::r-- other::r-- +# file: etc/uwt.d +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/uwt.d/50_uwt_default +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc/xdg # owner: root # group: root @@ -94,7 +108,7 @@ other::r-- # group: root user::rwx group::r-x -other::r-x +other::--- # file: etc/sudoers.d/qubes # owner: root 
@@ -103,98 +117,70 @@ user::r-- group::r-- other::--- -# file: home -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - -# file: home/user -# owner: user -# group: user -user::rwx -group::r-x -other::r-x - -# file: home/user/whonix_fix.sh +# file: .facl # owner: user # group: user -user::rwx -group::r-x -other::r-x +user::rw- +group::r-- +other::r-- -# file: home/user/build-steps.d -# owner: user -# group: user +# file: usr +# owner: root +# group: root user::rwx group::r-x other::r-x -# file: home/user/build-steps.d/1000_qubes-patches.sh -# owner: user -# group: user +# file: usr/lib +# owner: root +# group: root user::rwx group::r-x other::r-x -# file: home/user/build-steps.d/2900_qubes-post-installation.sh -# owner: user -# group: user +# file: usr/lib/whonix +# owner: root +# group: root user::rwx group::r-x other::r-x -# file: home/user/whonix_build.sh -# owner: user -# group: user +# file: usr/lib/whonix/utility_functions +# owner: root +# group: root user::rwx group::r-x other::r-x -# file: home/user/.whonix_build.sh.swp -# owner: user -# group: user -user::rw- -group::r-- -other::r-- - -# file: .facl -# owner: user -# group: user -user::rw- -group::r-- -other::r-- - -# file: usr +# file: usr/lib/whonix/setup-ip # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib +# file: usr/lib/whonix/tests.sh # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix +# file: usr/lib/whonix/messages.yaml # owner: root # group: root -user::rwx -group::r-x -other::r-x +user::rw- +group::r-- +other::r-- -# file: usr/lib/whonix/setup-ip +# file: usr/lib/whonix/replace-ips # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix/replace-ips +# file: usr/lib/whonix/alert # owner: root # group: root user::rwx diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/hosts b/scripts_debian/wheezy+whonix-gateway/files/etc/hosts index 87b1540..cc0e30d 100644 
--- a/scripts_debian/wheezy+whonix-gateway/files/etc/hosts +++ b/scripts_debian/wheezy+whonix-gateway/files/etc/hosts @@ -1,14 +1,5 @@ ## Anonymity Distribution /etc/hosts -## Defaults -127.0.0.1 host -::1 host ip6-host ip6-loopback -fe00::0 ip6-localnet -ff00::0 ip6-mcastprefix -ff02::1 ip6-allnodes -ff02::2 ip6-allrouters -## End of defaults - ## Anonymity Distribution specific 127.0.0.1 host.localdomain host ## End of Anonymity Distribution specific diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/uwt.d/50_uwt_default b/scripts_debian/wheezy+whonix-gateway/files/etc/uwt.d/50_uwt_default new file mode 100644 index 0000000..bac9ef3 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/etc/uwt.d/50_uwt_default @@ -0,0 +1,6 @@ + +. /usr/lib/whonix/utility_functions + +if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]; then + uwtwrapper["/usr/bin/apt-get"]="0" +fi 
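Review bot: `if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]` uses the deprecated `-a` operator and a bash-only `==` inside `[ ]`; since the `uwtwrapper["/usr/bin/apt-get"]="0"` assignment already requires bash, `if [[ "${WHONIX}" == "template" && "${PROXY_SECURE}" == "1" ]]; then` is the unambiguous form. Both variables appear to be provided by the sourced `/usr/lib/whonix/utility_functions` (not in this hunk); if that file is missing the `.` fails and, with the variables unset, the condition stays false so apt-get remains wrapped, which is the safe direction. A comment such as `# template only: let apt-get reach the update proxy directly instead of through uwt` would record why the wrapper is switched off here.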
diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp b/scripts_debian/wheezy+whonix-gateway/files/home/user/.whonix_build.sh.swp deleted file mode 100644 index e88a6478eef4588aedea9c84d9e00d26bc6d0228..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12288 zcmeI2&5j&35XYT_3kiW09Jm%Uk&rg>^zIOmL?{vo8(?ABti&uq2sG*sPq&%wwqv{J zBZMF>2zUT4z=ap!!~wwp9)Ks{&P#Bi+}$&~iB?(;bIGbK{imm0<#PGg_DHR%XzPRB z_uy*p3d6R+*!3Uwhp)f5!8YDutg^!R?vq-ktUJla+aLOX!M!RHmPeJ$lhvIyagfWh znsX-#org}W9Bgc)c6OAANQPxF%Y?YUxID{LDd#*z&sn$##xfT+$W$SMdXC0Cswe5$ z?EfT3K1AR&6R6ynU%SX&>2GiOWp+C+!3)nHoaPnN+K2!VAOb{y2oM1xKm>>Y5qOM% z(`VQh*mt(=-)ygE9=o=;bRhynfCvx)B0vO)01+SpM1Tko0U|&Io`T-L^#MZK-i;Vq_`VI9d>MH7= zXBhhf^*w5aGN^kfK%GbZdV#TTQQx5Mqdq|mP}fj^`WJKi3-t@?N7PrS5vtDl31m(w z69FPX1c(3;AOb|-bP~`?Ck(K0ZYNT68J5Y+uG1jyE>AUPMHNyq;*C{m6NK3OZ`<8 zQTm|#*g-3&xH3kRj$2ikSlCtnt5+iFcwM==>Z^-R;nFsC*eX%*Ft}S6t77S@uUT!1 zQqia@n(8OtUV(6NfCtARwJe;9R3w1s!nnf+ ziaQH)u&^{^j*)1b1it>&yVReSA~X}oRGvU;s)*}&dF7EToA0qI3OqmF-sjEDapUd6 zPJK?8LmjUjvI&VQUv`iR2SyZXiqm%ijV=?Q!*~*=q6aX{WSLs9LKJ|x&J?BD?@OBHsG7k__;b&1*n)y*ifV2?S$+ZBA2|g-3Q#$k~ z-Qu@GCE`YU+0395xIzcj%ypW@I#tCP1QGt~1Rh2G(Tm4vV{Sv~BOb?(>z_QZj|<$# Pbl;ToN?X=lb7TJj93u3Z diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh deleted file mode 100755 index 30c5f71..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/1000_qubes-patches.sh +++ /dev/null 
@@ -1,92 +0,0 @@ -#!/bin/bash -# vim: set ts=4 sw=4 sts=4 et : - -set -x - -WHONIX_DIR="$(readlink -m .)" - -# -------------------------------------------------------------------------- -# Initialize Whonix submodules -# -------------------------------------------------------------------------- -pushd "${WHONIX_DIR}" -{ - sudo git submodule update --init --recursive; -} -popd - -# -------------------------------------------------------------------------- -# Patch Whonix submodules -# -------------------------------------------------------------------------- - -# Chekout a branch; create a branch first if it does not exist -checkout_branch() { - branch=$(git symbolic-ref --short -q HEAD) - if ! [ "${branch}" == "${1}" ]; then - sudo -u "${user_name}" git checkout "${1}" >/dev/null 2>&1 || \ - { - sudo -u "${user_name}" git branch "${1}" - sudo -u "${user_name}" git checkout "${1}" - } - fi -} - -# sed search and replace. return 0 if replace happened, otherwise 1 -search_replace() { - local search="${1}" - local replace="${2}" - local file="${3}" - - sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" -} - -# Patch anon-meta-packages to not depend on grub-pc -pushd "${WHONIX_DIR}" -{ - search_replace "grub-pc" "" "grml_packages" || : -} -popd - -pushd "${WHONIX_DIR}/packages/anon-meta-packages/debian" -{ - search1=" grub-pc,"; - replace=""; - - #checkout_branch qubes - search_replace "${search1}" "${replace}" control && \ - { - cd "${WHONIX_DIR}/packages/anon-meta-packages"; - : - #sudo -E -u "${user_name}" make deb-pkg || : - #su "${user_name}" -c "dpkg-source --commit" || : - #git add . 
- #su "${user_name}" -c "git commit -am 'removed grub-pc depend'" - } || : -} -popd - -pushd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d" -{ - search1="update-grub"; - replace=":"; - - #checkout_branch qubes - search_replace "${search1}" "${replace}" 85_update_grub && \ - { - cd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub"; - sudo -E -u "${user_name}" make deb-pkg || : - su "${user_name}" -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub"; - #git add . ; - #su "${user_name}" -c "git commit -am 'removed grub-pc depend'" - } || : -} -popd - -pushd "${WHONIX_DIR}/build-steps.d" -{ - search1=" check_for_uncommited_changes"; - replace=" #check_for_uncommited_changes"; - - search_replace "${search1}" "${replace}" 1200_create-debian-packages || : - } -popd - diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh deleted file mode 100755 index 654b9a5..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/home/user/build-steps.d/2900_qubes-post-installation.sh +++ /dev/null 
@@ -1,60 +0,0 @@ -#!/bin/bash -# vim: set ts=4 sw=4 sts=4 et : - -# ------------------------------------------------------------------------------ -# Whonix Post Installation Configurations -# ------------------------------------------------------------------------------ -echo "Post Configuring Whonix System" - -pushd "/etc/network" -{ - rm -f interfaces; - ln -s interfaces.backup interfaces; -} -popd - -pushd "/etc" -{ - rm -f resolv.conf; - cp -p resolv.conf.backup resolv.conf; -} -popd - -# Enable Tor -#if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then -# sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "/etc/tor/torrc" -#fi - -# Fake that whonixsetup was already run -#mkdir -p "/var/lib/whonix/do_once" -#touch "/var/lib/whonix/do_once/whonixsetup.done" - -# Fake that initializer was already run -mkdir -p "/root/.whonix" -touch "/root/.whonix/first_run_initializer.done" - -# Prevent whonixcheck error -echo 'WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"' >> "/etc/whonix.d/30_whonixcheck_default" - -# Use gdialog as an alternative for dialog -update-alternatives --install /usr/bin/dialog dialog /usr/bin/gdialog 999 - -# Disable unwanted applications -update-rc.d network-manager disable || : -update-rc.d spice-vdagent disable || : -update-rc.d swap-file-creator disable || : -update-rc.d whonix-initializer disable || : - -service apt-cacher-ng stop || : -update-rc.d apt-cacher-ng disable || : - -# Remove apt-cacher-ng -DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng - -# Remove original sources.list -rm -f "/etc/apt/sources.list" - -DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - apt-get.anondist-orig update - diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh deleted file mode 100755 index 0fdf086..0000000 
--- a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_build.sh +++ /dev/null @@ -1,41 +0,0 @@ -################################################################################ -# Pre Fixups -sudo mkdir -p /boot/grub2 -sudo touch /boot/grub2/grub.cfg -sudo mkdir -p /boot/grub -sudo touch /boot/grub/grub.cfg -sudo mkdir --parents --mode=g+rw "/tmp/uwt" - -# Whonix seems to re-install sysvinit even though there is a hold -# on the package. Things seem to work anyway. BUT hopfully the -# hold on grub* don't get removed -sudo apt-mark hold sysvinit -sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common - -# Whonix expects haveged to be started -sudo /etc/init.d/haveged start - -# ------------------------------------------------------------------------------ -# Link our build steps into Whonix build directory -# ------------------------------------------------------------------------------ -#pushd /home/user/Whonix/build-steps.d -#cp -pf /home/user/build-steps.d/* . -#popd - -# ------------------------------------------------------------------------------ -# Whonix installation -# ------------------------------------------------------------------------------ -export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" - -pushd ~/Whonix -sudo ~/Whonix/whonix_build \ - --build $1 \ - --64bit-linux \ - --current-sources \ - --enable-whonix-apt-repository \ - --whonix-apt-repository-distribution $2 \ - --install-to-root \ - --skip-verifiable \ - --minimal-report \ - --skip-sanity-tests || { exit 1; } -popd diff --git a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh b/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh deleted file mode 100755 index 508180a..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/home/user/whonix_fix.sh +++ /dev/null 
@@ -1,3 +0,0 @@
-DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
- sudo apt-get -y --force-yes remove grub-pc grub-common grub-pc-bin grub2-common
- sudo apt-mark hold grub-common grub-pc-bin grub2-common
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/alert b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/alert
new file mode 100755
index 0000000..e585475
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/alert
@@ -0,0 +1,90 @@ +#!/usr/bin/python + +# +# Copyright 2014 Jason Mehring (nrgaway@gmail.com) +# + +from PyQt4 import QtGui +import locale +import yaml + +DEFAULT_LANG = 'en' + +class Messages(): + filename = None + data = None + language = DEFAULT_LANG + title = None + icon = None + message = None + + def __init__(self, section, filename): + self.filename = filename + + language = locale.getdefaultlocale()[0].split('_')[0] + if language: + self.language = language + + try: + stream = file(filename, 'r') + data = yaml.load(stream) + + if section in data.keys(): + section = data[section] + + self.icon = section.get('icon', None) + + language = section.get(self.language, DEFAULT_LANG) + + self.title = language.get('title', None) + self.message = language.get('message', None) + + except (IOError): + pass + except (yaml.scanner.ScannerError, yaml.parser.ParserError): + pass + +class WhonixMessageBox(QtGui.QMessageBox): + def __init__(self, message): + super(WhonixMessageBox, self).__init__() + self.message = message + self.initUI() + + def initUI(self): + message = self.message + + if message.title: + self.setWindowTitle(message.title) + + if message.icon: + self.setIcon(getattr(QtGui.QMessageBox, message.icon)) + + if message.message: + self.setText(message.message) + self.exec_() + +import argparse +import sys + + + +def main(): + parser = argparse.ArgumentParser(description='Display a QT Message Box') + + parser.add_argument('section', help="Message section") + parser.add_argument('filename', help="File including full path") + + args = parser.parse_args() + + if not args.filename and args.section: + print parser.usage() + sys.exit(1) + + app = QtGui.QApplication(sys.argv) + + message = Messages(args.section, args.filename) + dialog = WhonixMessageBox(message) + sys.exit() + +if __name__ == "__main__": + main() \ No newline at end of file 
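Review bot: `language = section.get(self.language, DEFAULT_LANG)` falls back to the string `'en'` rather than to the English section, so for any locale the YAML lacks the next line's `language.get('title', None)` raises AttributeError on a str and the alert never appears; use `language = section.get(self.language) or section.get(DEFAULT_LANG, {})`. `yaml.load(stream)` can construct arbitrary Python objects from the file, which a title/message mapping does not need — `yaml.safe_load` is the right call, and the `file()` handle is never closed, so `with open(filename) as stream:` covers both. The guard `if not args.filename and args.section` can only be true when filename is absent and section present, which argparse already rejects, and `parser.usage()` would raise TypeError because `usage` is a string attribute — `parser.print_usage()` is the callable. The same file is added verbatim for the workstation flavor in the later `alert` hunk.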
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh index d3a2b95..a8e1653 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh @@ -20,3 +20,11 @@ if [ "$LOG_IP6" == "1" ]; then ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE modprobe ip6t_LOG fi + +# Redirect local port to remote via socat +#apt-get install socat +#socat TCP4-LISTEN:8082,fork,mode=0666,user=root,group=root TCP4:10.137.255.254:8082 +# +# Works +# localhost/loopback maps localhost port 8082 to localhost port 8888 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888 diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml new file mode 100644 index 0000000..d3be464 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml @@ -0,0 +1,12 @@ + +update: + icon: Critical + en: + title: Tor netvm required for updates + message: | +

Tor netvm required for updates!

+

Please ensure your template vm has a Whonix gateway as it's VM.

+

No updates are possible without an active (running) Whonix gateway VM.

+

+

Template will now power off

+ 
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
index 681c889..49dff91 100755
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
@@ -1,23 +1,46 @@ -#/bin/bash +#!/bin/bash -# XXX: TODO: -# - Make sure we can't just run this from setup-ip -# - Alternatives? instead of deleting dialog? -# -# INSTALLATION NOTES: -# - Make sure /etc/tor/torrc is disabled initially -# - Make sure /var/lib/whonix/do_once/whonixsetup.done does not exist -# so repo questions will be asked -# - /etc/xdg/autostart/qubes-whonixsetup must be in place -# - this file must be in place -# - gdialog must have over-written dialog -# - patches to setup-ip: -# - bring eth1 up -# - remove old code that was trying to get setup working +. /usr/lib/whonix/utility_functions -grep "^DisableNetwork 0$" /etc/tor/torrc || { - sudo systemctl stop whonixcheck - sudo systemctl stop tor - sudo /usr/lib/whonix/setup-ip - sudo /usr/bin/whonixsetup -} +if [ "${WHONIX}" == "gateway" ]; then + grep "^DisableNetwork 0$" /etc/tor/torrc || { + sudo service sdwdate restart + sudo service tor stop + sudo /usr/bin/whonixsetup && { + enable_sysv tor + sleep 1 + enable_sysv sdwdate + } || { + sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" + disable_sysv tor + disable_sysv sdwdate + sudo /sbin/poweroff + } + } + + # Allow whonix-gateway to act as an update-proxy + sudo systemctl status qubes-updates-proxy.service || { + error_file="/usr/share/tinyproxy/default.html" + + # Search and replace tinyproxy error files so we can inject code that + # we can use to identify that its a tor proxy so updates are secure + grep -q "${PROXY_META}" "${error_file}" || { + sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" + } + + sudo touch /var/run/qubes-service/qubes-updates-proxy + sudo iptables -t nat -N PR-QBS-SERVICES + sudo systemctl start qubes-updates-proxy.service + } + +elif [ "${WHONIX}" == "workstation" ]; then + if ! 
[ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then + enable_sysv sdwdate + sudo service sdwdate restart + sudo /usr/bin/whonixsetup + fi + +elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then + /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml + sudo /sbin/poweroff +fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips index f2e4076..900a584 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips @@ -1,7 +1,9 @@ #!/bin/bash +. /usr/lib/whonix/utility_functions + # Search though files and updates IP address to the current -# 'qubes-netvm-gateway' IP address +# IP address(es) FILES=( '/usr/lib/leaktest-workstation/simple_ping.py' @@ -40,7 +42,7 @@ search_replace() { sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" retval=$? - if [ "${ls_attrs}" == "i" ]; then + if [ "${ls_attrs}" = "i" ]; then chattr +i "${file}" fi @@ -58,7 +60,7 @@ function replace_ips() search_network="${search_ip%[.]*}.0" replace_network="${replace_ip%[.]*}.0" - if ! [ "${search_ip}" == "${replace_ip}" ]; then + if ! [ "${search_ip}" = "${replace_ip}" ]; then for file in "${files[@]}"; do if [ -f "$file" ]; then search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0 
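Review bot: In the failure branch `sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"` runs without `sudo`, unlike every other privileged write in this hunk, so when whonixsetup fails the torrc edit is silently lost and the VM powers off with `DisableNetwork 0` still in place; prefix it with `sudo`. The `&& { … } || { … }` shape also runs the power-off branch when `enable_sysv tor` or `enable_sysv sdwdate` fails after a successful whonixsetup — `if sudo /usr/bin/whonixsetup; then … else … fi` keeps the two outcomes apart. The marker is interpolated unescaped into both `grep -q "${PROXY_META}"` and the `sed` replacement, so any `/`, `&` or `.` in it changes meaning, and an empty marker makes the grep match unconditionally so the injection never happens; use `grep -qF` and escape the value for sed. `[ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]` is the deprecated `-a` form; `[[ … && … ]]` is the bash form. An identical file is added for the workstation flavor in the later `qubes-whonixsetup` hunk.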
@@ -75,18 +77,42 @@ update_ip() { echo "${ip}" > /etc/whonix-netvm-gateway grep '^DisableNetwork 0$' /etc/tor/torrc && { - service tor reload || true; + service tor status && { + service tor reload || true; + } } } -ip="$(xenstore-read qubes-netvm-gateway)" +if [ "${WHONIX}" == "gateway" ]; then + ip="$(xenstore-read qubes-netvm-gateway)" + if [ x${ip} != x ]; then + # Compare to current IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}" + + # Do again; checking for original 10.152.152.10 incase of update + replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}" -# Compare to current IP address assiged by Qubes -replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}" + # Do again; checking for original 10.152.152.11 incase of update + replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}" + fi -# Do again; checking for original 10.152.152.10 incase of update -replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}" +elif [ "${WHONIX}" == "workstation" ]; then + ip="$(xenstore-read qubes-ip)" + gateway="$(xenstore-read qubes-gateway)" -# Do again; checking for original 10.152.152.11 incase of update -replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}" + if [ x${ip} != x ]; then + # Compare to current IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + # Do again; checking for original 10.152.152.11 incase of update + replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + fi + + if [ x${gateway} != x ]; then + # Compare to current gateway IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + + # Do again; checking for original 10.152.152.10 incase of update + replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > 
/etc/whonix-netvm-gateway + fi +fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip index 9a098f7..989ccd8 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip 
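Review bot: In the workstation branch `"$(cat /etc/whonix-ip)"` expands to the empty string when that file does not exist yet, which reaches `search_replace` as an empty search pattern — presumably sed then rejects the `//` address on every file instead of the file being skipped; test `[ -f /etc/whonix-ip ]` before the first `replace_ips` call, as the `10.152.152.11` fallback on the next line suggests the author expected. `if [ x${ip} != x ]` and `[ x${gateway} != x ]` leave the expansions unquoted; `[ -n "${ip}" ]` is the equivalent and safe test. The `xenstore-read` calls have no error handling, unlike the `2> /dev/null` used in `setup-ip`, so a failure is reported to the console but not distinguished from an unset key. `update_ip` begins before the hunk. The workstation copy of `replace-ips` receives the same block in the later `@@ -70,18 +72,47 @@` hunk.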
@@ -1,141 +1,78 @@ #!/bin/bash -if [ -x /usr/sbin/xenstore-read ]; then - XENSTORE_READ="/usr/sbin/xenstore-read" -else - XENSTORE_READ="/usr/bin/xenstore-read" -fi - -INTERFACE="eth1" -ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) - -# Create a dummy eth1 interface so tor can bind to it if there -# are no DOMU virtual machines connected at the moment -ip link show ${INTERFACE} >> /dev/null || { - /sbin/ip link add ${INTERFACE} type dummy +. /usr/lib/whonix/utility_functions - # Now, assign it the netvm-gateway IP address - if [ x${ip} != x ]; then - netmask=$(${XENSTORE_READ} qubes-netvm-netmask) - gateway=$(${XENSTORE_READ} qubes-netvm-gateway) - /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 - /sbin/ifconfig ${INTERFACE} up - /sbin/ethtool -K ${INTERFACE} sg off - /sbin/ethtool -K ${INTERFACE} tx off +if [ "${WHONIX}" == "gateway" ]; then + if [ -x /usr/sbin/xenstore-read ]; then + XENSTORE_READ="/usr/sbin/xenstore-read" + else + XENSTORE_READ="/usr/bin/xenstore-read" fi - ip link set ${INTERFACE} up -} - -# Files that will have the immutable bit set -# since we don't want them modified by other programs -IMMUTABLE_FILES=( - '/etc/resolv.conf' - '/etc/hostname' - '/etc/hosts' -) - -immutableFilesEnable() { - files="${1}" - suffix="${2}" - - for file in "${files[@]}"; do - if [ -f "${file}" ] && ! 
[ -L "${file}" ]; then - chattr +i "${file}${suffix}" + INTERFACE="eth1" + ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) + + # Create a dummy eth1 interface so tor can bind to it if there + # are no DOMU virtual machines connected at the moment + ip link show ${INTERFACE} >> /dev/null || { + /sbin/ip link add ${INTERFACE} type dummy + + # Now, assign it the netvm-gateway IP address + if [ x${ip} != x ]; then + netmask=$(${XENSTORE_READ} qubes-netvm-netmask) + gateway=$(${XENSTORE_READ} qubes-netvm-gateway) + /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 + /sbin/ifconfig ${INTERFACE} up + /sbin/ethtool -K ${INTERFACE} sg off || true + /sbin/ethtool -K ${INTERFACE} tx off || true fi - done -} -immutableFilesDisable() { - files="${1}" - suffix="${2}" - - for file in "${files[@]}"; do - if [ -f "${file}" ] && ! [ -L "${file}" ]; then - chattr -i "${file}${suffix}" - fi - done -} - -copyAnondist() { - file="${1}" - suffix="${2-.anondist}" - - # Remove any softlinks first - if [ -L "${file}" ]; then - rm -f "${file}" - fi + ip link set ${INTERFACE} up + } +fi - if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then - chattr -i "${file}" - rm -f "${file}" - cp -p "${file}${suffix}" "${file}" - chattr +i "${file}" - elif ! 
[ -f "${file}" ]; then - cp -p "${file}${suffix}" "${file}" - chattr +i "${file}" +if [ "${WHONIX}" != "template" ]; then + # Files that will have the immutable bit set + # since we don't want them modified by other programs + IMMUTABLE_FILES=( + '/etc/resolv.conf' + '/etc/hostname' + '/etc/hosts' + ) + + # Make sure all .anondist files in list are immutable + immutableFilesEnable "${IMMUTABLE_FILES}" + immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" + + # Make sure we are using a copy of the annondist file and if not + # copy the annondist file and set it immutable + copyAnondist "/etc/resolv.conf" + copyAnondist "/etc/hosts" + copyAnondist "/etc/hostname" + + # Replace IP addresses in known configuration files / scripts to + # currently discovered one + /usr/lib/whonix/replace-ips + + # Make sure hostname is correct + /bin/hostname host + + # Start Whonix Firewall + if [ "${WHONIX}" == "gateway" ]; then + export INT_IF="vif+" + export INT_TIF="vif+" fi -} - -# Make sure all .anondist files in list are immutable -immutableFilesEnable "${IMMUTABLE_FILES}" -immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" - -# Make sure we are using a copy of the annondist file and if not -# copy the annondist file and set it immutable -copyAnondist "/etc/resolv.conf" -copyAnondist "/etc/hosts" -copyAnondist "/etc/hostname" - -# Replace IP addresses in known configuration files / scripts to -# currently discovered one -/usr/lib/whonix/replace-ips - -# Make sure hostname is correct -/bin/hostname host - -# Start Whonix Firewall -export INT_IF="vif+" -export INT_TIF="vif+" -/usr/bin/whonix_firewall + /usr/bin/whonix_firewall -# Route any traffic FROM netvm TO netvm BACK-TO localhost -# Allows localhost access to tor network -iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 - -# Will only enable / disable if service is not already in that state -enable_sysv() { - servicename=${1} - disable=${2-0} - - # Check to see if the service is already 
enabled and if not, enable it - string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" - - if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then - case ${disable} in - 0) - echo "${1} is currently disabled; enabling it" - systemctl --quiet enable ${servicename} - ;; - 1) - echo "${1} is currently enabled; disabling it" - systemctl --quiet disable ${servicename} - ;; - esac + if [ "${WHONIX}" == "gateway" ]; then + # Route any traffic FROM netvm TO netvm BACK-TO localhost + # Allows localhost access to tor network + iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 fi -} -disable_sysv() { - enable_sysv ${1} 1 -} - -# This would be a really good place to apply any hacks required and remove them -# from template build script -grep "^DisableNetwork 0$" /etc/tor/torrc && { - #enable_sysv tor - #enable_sysv whonixcheck - #enable_sysv sdwdate - : -} || { - : -} + # Make sure we remove whonixsetup.done if Tor is not enabled + # to allow choice of repo and prevent whonixcheck errors + grep "^DisableNetwork 0$" /etc/tor/torrc || { + rm -f /var/lib/whonix/do_once/whonixsetup.done + } +fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh new file mode 100755 index 0000000..6570b49 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh 
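Review bot: `immutableFilesEnable "${IMMUTABLE_FILES}"` passes only the first element of the array (`"${ARRAY}"` expands to element 0), and the callee in `utility_functions` stores it as a scalar (`files="${1}"`) before looping over `"${files[@]}"`, so only `/etc/resolv.conf` ever gets the immutable bit and `/etc/hostname` and `/etc/hosts` stay writable despite the comment above the list. `replace-ips` already passes `FILES[@]` at its call sites; the matching fix is `immutableFilesEnable IMMUTABLE_FILES[@]` here and `files=("${!1}")` in both `immutableFiles*` functions of the `utility_functions` hunk. `iptables -t nat -A OUTPUT -s ${ip} -d ${ip} …` relies on `ip` from an `xenstore-read` whose errors are discarded and that is only tested inside the dummy-interface branch, so an empty value yields `-s -d` and the rule is not installed; guard it with `[ -n "${ip}" ]`. The rule is also appended unconditionally on every run, so repeated invocations accumulate duplicates — `iptables -t nat -C … || iptables -t nat -A …` makes it idempotent.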
@@ -0,0 +1,95 @@ +#!/bin/bash + +. /usr/lib/whonix/utility_functions + +#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" +#disable_sysv tor +#disable_sysv sdwdate + +iptables -F +iptables -t nat -F + +LOG_IP4=1 +LOG_IP6=0 + +# for IPv4 +if [ "$LOG_IP4" == "1" ]; then + iptables -t raw -A OUTPUT -p icmp -j TRACE + iptables -t raw -A PREROUTING -p icmp -j TRACE + modprobe ipt_LOG +fi + +# for IPv6 +if [ "$LOG_IP6" == "1" ]; then + ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE + ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE + ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE + ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE + modprobe ip6t_LOG +fi + +sysctl -w net.ipv4.ip_forward=1 + +iptables -A FORWARD -i eth0 -j ACCEPT +iptables -A FORWARD -o eth0 -j ACCEPT +iptables -A FORWARD -i lo -j ACCEPT +iptables -A FORWARD -o lo -j ACCEPT + +#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE + +#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105 +#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 + + +#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 + +#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT" +#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 
10.137.255.254 -p tcp --dport 8082 -j REDIRECT" + +#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT +#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT +#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT +#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082 + +#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 + +#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 +#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 + +# Works +# localhost/loopback maps localhost port 8082 to localhost port 8888 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888 + +# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082 + +# Remap ALL traffic +#iptables -t 
nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 +#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082 + + +#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 + +#iptables -v -L +#iptables -v -t nat -L +#telnet 127.0.0.1 9105 +#telnet 10.137.2.1 8082 +#telnet 127.0.0.1 8082 +#tail -100 /var/log/kern.log diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/utility_functions b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/utility_functions new file mode 100755 index 0000000..8a3b4e7 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/utility_functions 
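Review bot: This file is installed into the image (the `.facl` hunk later in the patch gives it mode 755) and its live part flushes the filter and nat tables, sets `net.ipv4.ip_forward=1` and adds unconditional ACCEPT rules on FORWARD for eth0 and lo — on a gateway that removes the Whonix firewall's leak protection until `whonix_firewall` is run again. A scratch script of iptables experiments, most of them commented out, should not ship under `/usr/lib/whonix`; if it is kept for debugging it should refuse to run unless explicitly opted in, e.g. an environment variable of your choosing checked right after sourcing `utility_functions`, `[ "${ALLOW_FIREWALL_FLUSH:-0}" = "1" ] || exit 1` (constructed name). The TRACE rules and `modprobe ipt_LOG` duplicate what `enable-iptables-logging.sh`, also touched by this commit, already does.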
@@ -0,0 +1,94 @@ +#!/bin/bash + +# /etc/uwt.d/50_uwt_default relies on this in order to allow connection +# to proxy for template +PROXY_SERVER="http://10.137.255.254:8082/" +PROXY_META='' + +if [ -f "/var/run/qubes-service/updates-proxy-setup" ]; then + WHONIX="template" +elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then + WHONIX="gateway" +elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then + WHONIX="workstation" +else + WHONIX="unknown" +fi + +if [ "${WHONIX}" == "template" ]; then + curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}" && { + PROXY_SECURE=1 + } || { + PROXY_SECURE=0 + } +fi + +immutableFilesEnable() { + files="${1}" + suffix="${2}" + + for file in "${files[@]}"; do + if [ -f "${file}" ] && ! [ -L "${file}" ]; then + sudo chattr +i "${file}${suffix}" + fi + done +} + +immutableFilesDisable() { + files="${1}" + suffix="${2}" + + for file in "${files[@]}"; do + if [ -f "${file}" ] && ! [ -L "${file}" ]; then + sudo chattr -i "${file}${suffix}" + fi + done +} + +copyAnondist() { + file="${1}" + suffix="${2-.anondist}" + + # Remove any softlinks first + if [ -L "${file}" ]; then + sudo rm -f "${file}" + fi + + if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then + sudo chattr -i "${file}" + sudo rm -f "${file}" + sudo cp -p "${file}${suffix}" "${file}" + sudo chattr +i "${file}" + elif ! 
[ -f "${file}" ]; then + sudo cp -p "${file}${suffix}" "${file}" + sudo chattr +i "${file}" + fi +} + +# Will only enable / disable if service is not already in that state +enable_sysv() { + servicename=${1} + disable=${2-0} + + # Check to see if the service is already enabled and if not, enable it + string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" + + if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then + case ${disable} in + 0) + echo "${1} is currently disabled; enabling it" + sudo systemctl --quiet enable ${servicename} + ;; + 1) + echo "${1} is currently enabled; disabling it" + sudo service ${servicename} stop + sudo systemctl --quiet disable ${servicename} + ;; + esac + fi +} + +disable_sysv() { + enable_sysv ${1} 1 +} + diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl index 9e5e47b..bfdec11 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/.facl +++ b/scripts_debian/wheezy+whonix-workstation/files/.facl @@ -19,6 +19,20 @@ user::rw- group::r-- other::r-- +# file: etc/uwt.d +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: etc/uwt.d/50_uwt_default +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc/udev # owner: root # group: root @@ -49,10 +63,10 @@ other::r-- # file: etc/sudoers.d # owner: root -# group: user +# group: root user::rwx group::r-x -other::r-x +other::--- # file: etc/sudoers.d/qubes # owner: root @@ -89,6 +103,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/utility_functions +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + # file: usr/lib/whonix/setup-ip # owner: root # group: root 
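Review bot: `PROXY_SECURE` is derived from whether a plain-HTTP fetch of `${PROXY_SERVER}` contains `${PROXY_META}`; that only shows some server at 10.137.255.254:8082 returned the marker string, not that it is the Whonix gateway's proxy, so any code that relaxes torification on `PROXY_SECURE=1` (the `50_uwt_default` hunk below) trusts a spoofable string. As rendered here `PROXY_META` is the empty string, and `grep -q ""` matches any response, which would make `PROXY_SECURE=1` whenever the fetch returns anything at all — if the real value is an HTML tag that the page extraction dropped, the check is still only as strong as the marker, and that caveat belongs in the comment above the assignment. The fetch runs at source time in every script that includes this file, with no `-s`, `-f` or `--max-time`, so a hung proxy stalls `setup-ip`, `replace-ips` and `qubes-whonixsetup`; `curl.anondist-orig -s -f --max-time 10 "${PROXY_SERVER}"` at least bounds it. `immutableFilesEnable`/`immutableFilesDisable` take the array as a scalar (`files="${1}"`), the defect raised at the `setup-ip` hunk.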
@@ -96,6 +117,20 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/tests.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/messages.yaml +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: usr/lib/whonix/replace-ips # owner: root # group: root @@ -103,6 +138,20 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/alert +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/qubes-whonixsetup +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + # file: usr/lib/whonix/enable-iptables-logging.sh # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/hosts b/scripts_debian/wheezy+whonix-workstation/files/etc/hosts index 87b1540..cc0e30d 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/etc/hosts +++ b/scripts_debian/wheezy+whonix-workstation/files/etc/hosts @@ -1,14 +1,5 @@ ## Anonymity Distribution /etc/hosts -## Defaults -127.0.0.1 host -::1 host ip6-host ip6-loopback -fe00::0 ip6-localnet -ff00::0 ip6-mcastprefix -ff02::1 ip6-allnodes -ff02::2 ip6-allrouters -## End of defaults - ## Anonymity Distribution specific 127.0.0.1 host.localdomain host ## End of Anonymity Distribution specific diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/uwt.d/50_uwt_default b/scripts_debian/wheezy+whonix-workstation/files/etc/uwt.d/50_uwt_default new file mode 100644 index 0000000..bac9ef3 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/etc/uwt.d/50_uwt_default @@ -0,0 +1,6 @@ + +. /usr/lib/whonix/utility_functions + +if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]; then + uwtwrapper["/usr/bin/apt-get"]="0" +fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh b/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh deleted file mode 100755 index 0fdf086..0000000 
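Review bot: `uwtwrapper["/usr/bin/apt-get"]="0"` switches off the uwt wrapper for apt-get on the strength of `PROXY_SECURE`, which `utility_functions` sets from a plain-HTTP marker match against `${PROXY_SERVER}` — so the one decision in this patch that sends traffic unwrapped rests on whichever endpoint answers at that address. Either make the bypass depend on something only the gateway can prove, or at least state the limitation above the test: `# PROXY_SECURE comes from the marker grep in utility_functions; it is not an authenticated check`. `[ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]` uses the deprecated `-a`; `[[ "${WHONIX}" == "template" && "${PROXY_SECURE}" == "1" ]]` is the bash form. If uwt sources this file on every wrapped command, each invocation also pays the curl that sourcing `utility_functions` performs — worth confirming.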
--- a/scripts_debian/wheezy+whonix-workstation/files/home/user/whonix_build.sh +++ /dev/null @@ -1,41 +0,0 @@ -################################################################################ -# Pre Fixups -sudo mkdir -p /boot/grub2 -sudo touch /boot/grub2/grub.cfg -sudo mkdir -p /boot/grub -sudo touch /boot/grub/grub.cfg -sudo mkdir --parents --mode=g+rw "/tmp/uwt" - -# Whonix seems to re-install sysvinit even though there is a hold -# on the package. Things seem to work anyway. BUT hopfully the -# hold on grub* don't get removed -sudo apt-mark hold sysvinit -sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common - -# Whonix expects haveged to be started -sudo /etc/init.d/haveged start - -# ------------------------------------------------------------------------------ -# Link our build steps into Whonix build directory -# ------------------------------------------------------------------------------ -#pushd /home/user/Whonix/build-steps.d -#cp -pf /home/user/build-steps.d/* . -#popd - -# ------------------------------------------------------------------------------ -# Whonix installation -# ------------------------------------------------------------------------------ -export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" - -pushd ~/Whonix -sudo ~/Whonix/whonix_build \ - --build $1 \ - --64bit-linux \ - --current-sources \ - --enable-whonix-apt-repository \ - --whonix-apt-repository-distribution $2 \ - --install-to-root \ - --skip-verifiable \ - --minimal-report \ - --skip-sanity-tests || { exit 1; } -popd diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/alert b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/alert new file mode 100755 index 0000000..e585475 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/alert 
@@ -0,0 +1,90 @@ +#!/usr/bin/python + +# +# Copyright 2014 Jason Mehring (nrgaway@gmail.com) +# + +from PyQt4 import QtGui +import locale +import yaml + +DEFAULT_LANG = 'en' + +class Messages(): + filename = None + data = None + language = DEFAULT_LANG + title = None + icon = None + message = None + + def __init__(self, section, filename): + self.filename = filename + + language = locale.getdefaultlocale()[0].split('_')[0] + if language: + self.language = language + + try: + stream = file(filename, 'r') + data = yaml.load(stream) + + if section in data.keys(): + section = data[section] + + self.icon = section.get('icon', None) + + language = section.get(self.language, DEFAULT_LANG) + + self.title = language.get('title', None) + self.message = language.get('message', None) + + except (IOError): + pass + except (yaml.scanner.ScannerError, yaml.parser.ParserError): + pass + +class WhonixMessageBox(QtGui.QMessageBox): + def __init__(self, message): + super(WhonixMessageBox, self).__init__() + self.message = message + self.initUI() + + def initUI(self): + message = self.message + + if message.title: + self.setWindowTitle(message.title) + + if message.icon: + self.setIcon(getattr(QtGui.QMessageBox, message.icon)) + + if message.message: + self.setText(message.message) + self.exec_() + +import argparse +import sys + + + +def main(): + parser = argparse.ArgumentParser(description='Display a QT Message Box') + + parser.add_argument('section', help="Message section") + parser.add_argument('filename', help="File including full path") + + args = parser.parse_args() + + if not args.filename and args.section: + print parser.usage() + sys.exit(1) + + app = QtGui.QApplication(sys.argv) + + message = Messages(args.section, args.filename) + dialog = WhonixMessageBox(message) + sys.exit() + +if __name__ == "__main__": + main() \ No newline at end of file 
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh index d3a2b95..a8e1653 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh @@ -20,3 +20,11 @@ if [ "$LOG_IP6" == "1" ]; then ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE modprobe ip6t_LOG fi + +# Redirect local port to remote via socat +#apt-get install socat +#socat TCP4-LISTEN:8082,fork,mode=0666,user=root,group=root TCP4:10.137.255.254:8082 +# +# Works +# localhost/loopback maps localhost port 8082 to localhost port 8888 +#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888 diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml new file mode 100644 index 0000000..d3be464 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml @@ -0,0 +1,12 @@ + +update: + icon: Critical + en: + title: Tor netvm required for updates + message: | +

Tor netvm required for updates!

+

Please ensure your template vm has a Whonix gateway as it's VM.

+

No updates are possible without an active (running) Whonix gateway VM.

+

+

Template will now power off

+ diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup new file mode 100755 index 0000000..49dff91 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup @@ -0,0 +1,46 @@ +#!/bin/bash + +. /usr/lib/whonix/utility_functions + +if [ "${WHONIX}" == "gateway" ]; then + grep "^DisableNetwork 0$" /etc/tor/torrc || { + sudo service sdwdate restart + sudo service tor stop + sudo /usr/bin/whonixsetup && { + enable_sysv tor + sleep 1 + enable_sysv sdwdate + } || { + sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" + disable_sysv tor + disable_sysv sdwdate + sudo /sbin/poweroff + } + } + + # Allow whonix-gateway to act as an update-proxy + sudo systemctl status qubes-updates-proxy.service || { + error_file="/usr/share/tinyproxy/default.html" + + # Search and replace tinyproxy error files so we can inject code that + # we can use to identify that its a tor proxy so updates are secure + grep -q "${PROXY_META}" "${error_file}" || { + sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" + } + + sudo touch /var/run/qubes-service/qubes-updates-proxy + sudo iptables -t nat -N PR-QBS-SERVICES + sudo systemctl start qubes-updates-proxy.service + } + +elif [ "${WHONIX}" == "workstation" ]; then + if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then + enable_sysv sdwdate + sudo service sdwdate restart + sudo /usr/bin/whonixsetup + fi + +elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then + /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml + sudo /sbin/poweroff +fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips index bc44984..900a584 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips 
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips @@ -1,7 +1,9 @@ #!/bin/bash +. /usr/lib/whonix/utility_functions + # Search though files and updates IP address to the current -# 'qubes-netvm-gateway' IP address +# IP address(es) FILES=( '/usr/lib/leaktest-workstation/simple_ping.py' @@ -40,7 +42,7 @@ search_replace() { sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}" retval=$? - if [ "${ls_attrs}" == "i" ]; then + if [ "${ls_attrs}" = "i" ]; then chattr +i "${file}" fi @@ -58,7 +60,7 @@ function replace_ips() search_network="${search_ip%[.]*}.0" replace_network="${replace_ip%[.]*}.0" - if ! [ "${search_ip}" == "${replace_ip}" ]; then + if ! [ "${search_ip}" = "${replace_ip}" ]; then for file in "${files[@]}"; do if [ -f "$file" ]; then search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0 
@@ -70,18 +72,47 @@ function replace_ips() return $retval } -ip="$(xenstore-read qubes-ip)" -gateway="$(xenstore-read qubes-gateway)" +update_ip() { + ip=${1} + + echo "${ip}" > /etc/whonix-netvm-gateway + grep '^DisableNetwork 0$' /etc/tor/torrc && { + service tor status && { + service tor reload || true; + } + } +} -# Compare to current IP address assiged by Qubes -replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip +if [ "${WHONIX}" == "gateway" ]; then + ip="$(xenstore-read qubes-netvm-gateway)" + if [ x${ip} != x ]; then + # Compare to current IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}" -# Do again; checking for original 10.152.152.11 incase of update -replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + # Do again; checking for original 10.152.152.10 incase of update + replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}" + + # Do again; checking for original 10.152.152.11 incase of update + replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}" + fi -# Compare to current gateway IP address assiged by Qubes -replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway +elif [ "${WHONIX}" == "workstation" ]; then + ip="$(xenstore-read qubes-ip)" + gateway="$(xenstore-read qubes-gateway)" -# Do again; checking for original 10.152.152.10 incase of update -replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + if [ x${ip} != x ]; then + # Compare to current IP address assiged by Qubes + replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + # Do again; checking for original 10.152.152.11 incase of update + replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip + fi + + if [ x${gateway} != x ]; then + # Compare to current gateway IP address assiged by 
Qubes + replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + + # Do again; checking for original 10.152.152.10 incase of update + replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway + fi +fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip index 2dca037..989ccd8 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip 
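Review bot: The gateway and workstation branches take whatever `xenstore-read` returns and, through `update_ip` and `replace_ips`, write it into /etc/whonix-netvm-gateway, sed it into every file in FILES and reload Tor with it, yet the only validation is `[ x${ip} != x ]`, which rejects an empty string and nothing else. Add `[[ "${ip}" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || exit 1` (and the same for `gateway`) before the branches so a malformed or multi-word value cannot reach the torrc/firewall rewrites or the unescaped sed pattern in search_replace, where the dots already match any character. `"$(cat /etc/whonix-netvm-gateway)"` is passed unchecked too: when that file is missing or blank the search pattern is empty, so guard that call with a non-empty test on the saved value. Note also that `update_ip` can run up to three times per invocation and reloads Tor each time it succeeds.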
@@ -1,70 +1,78 @@ #!/bin/bash -# Files that will have the immutable bit set -# since we don't want them modified by other programs -IMMUTABLE_FILES=( - '/etc/hostname' - '/etc/hosts' -) +. /usr/lib/whonix/utility_functions -immutableFilesEnable() { - files="${1}" - suffix="${2}" +if [ "${WHONIX}" == "gateway" ]; then + if [ -x /usr/sbin/xenstore-read ]; then + XENSTORE_READ="/usr/sbin/xenstore-read" + else + XENSTORE_READ="/usr/bin/xenstore-read" + fi - for file in "${files[@]}"; do - if [ -f "${file}" ] && ! [ -L "${file}" ]; then - chattr +i "${file}${suffix}" - fi - done -} + INTERFACE="eth1" + ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) -immutableFilesDisable() { - files="${1}" - suffix="${2}" + # Create a dummy eth1 interface so tor can bind to it if there + # are no DOMU virtual machines connected at the moment + ip link show ${INTERFACE} >> /dev/null || { + /sbin/ip link add ${INTERFACE} type dummy - for file in "${files[@]}"; do - if [ -f "${file}" ] && ! [ -L "${file}" ]; then - chattr -i "${file}${suffix}" + # Now, assign it the netvm-gateway IP address + if [ x${ip} != x ]; then + netmask=$(${XENSTORE_READ} qubes-netvm-netmask) + gateway=$(${XENSTORE_READ} qubes-netvm-gateway) + /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 + /sbin/ifconfig ${INTERFACE} up + /sbin/ethtool -K ${INTERFACE} sg off || true + /sbin/ethtool -K ${INTERFACE} tx off || true fi - done -} -copyAnondist() { - file="${1}" - suffix="${2-.anondist}" + ip link set ${INTERFACE} up + } +fi - # Remove any softlinks first - if [ -L "${file}" ]; then - rm -f "${file}" - fi +if [ "${WHONIX}" != "template" ]; then + # Files that will have the immutable bit set + # since we don't want them modified by other programs + IMMUTABLE_FILES=( + '/etc/resolv.conf' + '/etc/hostname' + '/etc/hosts' + ) - if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then - chattr -i "${file}" - rm -f "${file}" - cp -p "${file}${suffix}" "${file}" - chattr +i "${file}" - elif ! 
[ -f "${file}" ]; then - cp -p "${file}${suffix}" "${file}" - chattr +i "${file}" - fi -} + # Make sure all .anondist files in list are immutable + immutableFilesEnable "${IMMUTABLE_FILES}" + immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" -# Make sure all .anondist files in list are immutable -immutableFilesEnable "${IMMUTABLE_FILES}" -immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" + # Make sure we are using a copy of the annondist file and if not + # copy the annondist file and set it immutable + copyAnondist "/etc/resolv.conf" + copyAnondist "/etc/hosts" + copyAnondist "/etc/hostname" -# Make sure we are using a copy of the annondist file and if not -# copy the annondist file and set it immutable -copyAnondist "/etc/hosts" -copyAnondist "/etc/hostname" + # Replace IP addresses in known configuration files / scripts to + # currently discovered one + /usr/lib/whonix/replace-ips -# Replace IP addresses in known configuration files / scripts to -# currently discovered one -/usr/lib/whonix/replace-ips + # Make sure hostname is correct + /bin/hostname host -# Make sure hostname is correct -/bin/hostname host + # Start Whonix Firewall + if [ "${WHONIX}" == "gateway" ]; then + export INT_IF="vif+" + export INT_TIF="vif+" + fi + /usr/bin/whonix_firewall -# Start Whonix Firewall -/usr/bin/whonix_firewall + if [ "${WHONIX}" == "gateway" ]; then + # Route any traffic FROM netvm TO netvm BACK-TO localhost + # Allows localhost access to tor network + iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 + fi + # Make sure we remove whonixsetup.done if Tor is not enabled + # to allow choice of repo and prevent whonixcheck errors + grep "^DisableNetwork 0$" /etc/tor/torrc || { + rm -f /var/lib/whonix/do_once/whonixsetup.done + } +fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh new file mode 100755 index 0000000..6570b49 
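Review bot: The gateway DNAT rule `iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1` is appended unconditionally, so every run of setup-ip adds a duplicate, and if `xenstore-read qubes-netvm-gateway` returned nothing (`ip` is set only in the top gateway block with its stderr discarded) the unquoted expansions yield a malformed iptables command. Wrap it in `[ -n "${ip}" ]` and, if the installed iptables supports `-C`, make it check-then-add: `iptables -t nat -C OUTPUT -s "${ip}" -d "${ip}" -j DNAT --to-destination 127.0.0.1 2>/dev/null || iptables -t nat -A OUTPUT -s "${ip}" -d "${ip}" -j DNAT --to-destination 127.0.0.1`. In the dummy-interface block `netmask` and `gateway` are read from xenstore but never used (the interface is configured with a hard-coded 255.255.255.255), so either use `${netmask}` or drop the two reads.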
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh
@@ -0,0 +1,95 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
+#disable_sysv tor
+#disable_sysv sdwdate
+
+iptables -F
+iptables -t nat -F
+
+LOG_IP4=1
+LOG_IP6=0
+
+# for IPv4
+if [ "$LOG_IP4" == "1" ]; then
+ iptables -t raw -A OUTPUT -p icmp -j TRACE
+ iptables -t raw -A PREROUTING -p icmp -j TRACE
+ modprobe ipt_LOG
+fi
+
+# for IPv6
+if [ "$LOG_IP6" == "1" ]; then
+ ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
+ ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
+ ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
+ ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
+ modprobe ip6t_LOG
+fi
+
+sysctl -w net.ipv4.ip_forward=1
+
+iptables -A FORWARD -i eth0 -j ACCEPT
+iptables -A FORWARD -o eth0 -j ACCEPT
+iptables -A FORWARD -i lo -j ACCEPT
+iptables -A FORWARD -o lo -j ACCEPT
+
+#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105
+#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
+
+
+#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
+
+#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT"
+#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d
10.137.255.254 -p tcp --dport 8082 -j REDIRECT"
+
+#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT
+#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT
+#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
+#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082
+
+#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
+
+#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
+#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
+#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
+#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
+
+# Works
+# localhost/loopback maps localhost port 8082 to localhost port 8888
+#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888
+
+# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082
+
+# Remap ALL traffic
+#iptables -t
nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
+#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082
+
+
+#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105
+#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
+#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
+
+#iptables -v -L
+#iptables -v -t nat -L
+#telnet 127.0.0.1 9105
+#telnet 10.137.2.1 8082
+#telnet 127.0.0.1 8082
+#tail -100 /var/log/kern.log
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/utility_functions b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/utility_functions
new file mode 100755
index 0000000..8a3b4e7
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/utility_functions
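Review bot: tests.sh reads as a debugging scratch file, but it is installed executable as /usr/lib/whonix/tests.sh in the shipped template, and its live lines flush every filter and nat rule (`iptables -F`, `iptables -t nat -F`), turn on `net.ipv4.ip_forward` and ACCEPT all FORWARD traffic on eth0 — on a Whonix gateway that removes the firewall that keeps workstation traffic inside Tor. Nothing in the file guards against running it on a deployed VM, and the bulk of it is commented-out experiments. Keep it out of the image (under the build tree rather than files/usr/lib/whonix), or at minimum make it refuse to run unless an explicit opt-in variable is set and open it with a comment such as `# DEBUG ONLY: flushes the Whonix firewall and enables forwarding; never run on a deployed gateway`.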
@@ -0,0 +1,94 @@
+#!/bin/bash
+
+# /etc/uwt.d/50_uwt_default relies on this in order to allow connection
+# to proxy for template
+PROXY_SERVER="http://10.137.255.254:8082/"
+PROXY_META=''
+
+if [ -f "/var/run/qubes-service/updates-proxy-setup" ]; then
+ WHONIX="template"
+elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
+ WHONIX="gateway"
+elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
+ WHONIX="workstation"
+else
+ WHONIX="unknown"
+fi
+
+if [ "${WHONIX}" == "template" ]; then
+ curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}" && {
+ PROXY_SECURE=1
+ } || {
+ PROXY_SECURE=0
+ }
+fi
+
+immutableFilesEnable() {
+ files="${1}"
+ suffix="${2}"
+
+ for file in "${files[@]}"; do
+ if [ -f "${file}" ] && ! [ -L "${file}" ]; then
+ sudo chattr +i "${file}${suffix}"
+ fi
+ done
+}
+
+immutableFilesDisable() {
+ files="${1}"
+ suffix="${2}"
+
+ for file in "${files[@]}"; do
+ if [ -f "${file}" ] && ! [ -L "${file}" ]; then
+ sudo chattr -i "${file}${suffix}"
+ fi
+ done
+}
+
+copyAnondist() {
+ file="${1}"
+ suffix="${2-.anondist}"
+
+ # Remove any softlinks first
+ if [ -L "${file}" ]; then
+ sudo rm -f "${file}"
+ fi
+
+ if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
+ sudo chattr -i "${file}"
+ sudo rm -f "${file}"
+ sudo cp -p "${file}${suffix}" "${file}"
+ sudo chattr +i "${file}"
+ elif !
[ -f "${file}" ]; then + sudo cp -p "${file}${suffix}" "${file}" + sudo chattr +i "${file}" + fi +} + +# Will only enable / disable if service is not already in that state +enable_sysv() { + servicename=${1} + disable=${2-0} + + # Check to see if the service is already enabled and if not, enable it + string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}" + + if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then + case ${disable} in + 0) + echo "${1} is currently disabled; enabling it" + sudo systemctl --quiet enable ${servicename} + ;; + 1) + echo "${1} is currently enabled; disabling it" + sudo service ${servicename} stop + sudo systemctl --quiet disable ${servicename} + ;; + esac + fi +} + +disable_sysv() { + enable_sysv ${1} 1 +} + diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 7cda7ca..2416fb6 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh @@ -55,6 +55,12 @@ sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common # Whonix expects haveged to be started sudo /etc/init.d/haveged start +# Whonix does not always fix permissions after writing as sudo, especially +# when running whonixsetup so /var/lib/whonix/done_once is not readable by +# user, so set defualt umask for sudo +#sudo su -c 'echo "Defaults umask = 0002" >> /etc/sudoers' +#sudo su -c 'echo "Defaults umask_override" >> /etc/sudoers' + ################################################################################ # Whonix installation export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1" 
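Review bot: `immutableFilesEnable` and `immutableFilesDisable` take the list as `files="${1}"` and then loop over `"${files[@]}"`, which is a one-element array, so only the first path a caller passes ever has its immutable bit toggled — setup-ip calls them with `"${IMMUTABLE_FILES}"`, i.e. element 0 (/etc/resolv.conf), and /etc/hostname and /etc/hosts are silently skipped. Take the array by name the way replace-ips already does with `FILES[@]`: `local files=("${!1}")` here and `immutableFilesEnable IMMUTABLE_FILES[@] ".anondist"` at the call sites. Separately, the template check `curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}"` performs a blocking fetch with no `--max-time` every time this library is sourced, and as rendered here `PROXY_META` is empty, in which case `grep -q ''` matches any reply and PROXY_SECURE=1 only proves something answered on 10.137.255.254:8082, not that it is the Tor-backed proxy; if the marker text was lost in rendering ignore that part, but add a timeout and a comment that the marker is an identification hint and not authentication of the proxy.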
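Review bot: The two commented-out `sudo su -c 'echo "Defaults umask …" >> /etc/sudoers'` lines are dead code that, if ever uncommented, would append to /etc/sudoers without visudo's syntax check and can lock sudo out on a typo. If the umask fix is still wanted, write it as a drop-in validated before use, e.g. `echo 'Defaults umask = 0002' > "${INSTALLDIR}/etc/sudoers.d/whonix-umask"` with mode 0440 followed by `visudo -c -f` on the file; otherwise drop the two lines and keep only the explanatory comment.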
@@ -74,17 +80,8 @@ popd EOF # ------------------------------------------------------------------------------ -# chroot Whonix fix script (Make sure set -e is not set) -# Run ../whonix_fix when whonix gives grub-pc error +# Pin grub so it won't install # ------------------------------------------------------------------------------ -# TODO: Do something in whonix build to automatically run fixups and -# ignore certain errors -read -r -d '' WHONIX_FIX_SCRIPT <<'EOF' -DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - sudo apt-get -y --force-yes remove grub-pc grub-common grub-pc-bin grub2-common -sudo apt-mark hold grub-common grub-pc-bin grub2-common -EOF - read -r -d '' WHONIX_APT_PIN <<'EOF' Package: grub-pc Pin: version * @@ -230,13 +227,9 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then echo "${WHONIX_APT_PIN}" > "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes" chmod 0644 "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes" - # Install Whonix fix script - echo "${WHONIX_FIX_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_fix" - chmod 0755 "${INSTALLDIR}/home/user/whonix_fix" - # Install Whonix build scripts - echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build" - chmod 0755 "${INSTALLDIR}/home/user/whonix_build" + echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build.sh" + chmod 0755 "${INSTALLDIR}/home/user/whonix_build.sh" # ------------------------------------------------------------------------------ # Copy over any extra files @@ -287,6 +280,7 @@ fi if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then info "Post Configuring Whonix System" + # Don't need Whonix interfaces; restore original pushd "${INSTALLDIR}/etc/network" { rm -f interfaces; 
@@ -294,6 +288,8 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh } popd + # Qubes installation will need a normal resolv.conf; will be restored back + # in 04_qubes_install_post.sh within the wheezy+whonix-* directories pushd "${INSTALLDIR}/etc" { rm -f resolv.conf; @@ -301,6 +297,17 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh } popd + # Remove link to hosts file and copy original back + # Will get set back to Whonix hosts file when the + # /usr/lib/whonix/setup-ip is run on startup + pushd "${INSTALLDIR}/etc" + { + rm -f hosts; + cp -p hosts.anondist-orig hosts; + } + popd + + # Enable Tor #if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then # sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "${INSTALLDIR}/etc/tor/torrc" @@ -315,7 +322,7 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh sed -i "s/alias l='ls -CF'/alias l='ls -l'/g" "${INSTALLDIR}/home/user/.bashrc" # Fake that whonixsetup was already run - mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once" + #mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once" #touch "${INSTALLDIR}/var/lib/whonix/do_once/whonixsetup.done" # Fake that initializer was already run @@ -338,6 +345,10 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh chroot "${INSTALLDIR}" service apt-cacher-ng stop || : chroot "${INSTALLDIR}" update-rc.d apt-cacher-ng disable || : + # Tor will be re-enabled upon initial configuration + chroot "${INSTALLDIR}" update-rc.d tor disable || : + chroot "${INSTALLDIR}" update-rc.d sdwdate disable || : + # Remove apt-cacher-ng DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ chroot ${INSTALLDIR} apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh index 73aa49a..f394ff8 100755 
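Review bot: The `|| :` on `update-rc.d tor disable` and `update-rc.d sdwdate disable` discards the only signal that Tor was not actually disabled in the template; if either command fails in the chroot (no init links yet, service not installed), the template ships with Tor starting at boot even though the comment promises it is re-enabled only after initial configuration. Log instead of swallowing, e.g. `chroot "${INSTALLDIR}" update-rc.d tor disable || info "Could not disable tor in template"` (`info` is already used in this file), or verify afterwards that no `${INSTALLDIR}/etc/rc*.d/S*tor` link remains. The enclosing `if … .whonix_installed …` block starts and ends outside these hunks.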
--- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh +++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh @@ -45,4 +45,4 @@ popd rm -rf "${INSTALLDIR}"/home/user/Whonix rm -rf "${INSTALLDIR}"/home/user/whonix_binary rm -f "${INSTALLDIR}"/home/user/whonix_fix -rm -f "${INSTALLDIR}"/home/user/whonix_build +rm -f "${INSTALLDIR}"/home/user/whonix_build.sh From cbe081b7bc4f83c650db6fee504b0f1ce38edf81 Mon Sep 17 00:00:00 2001 
From: Jason Mehring Date: Sun, 2 Nov 2014 16:20:41 -0500 Subject: [PATCH 48/83] Removed portions of qubes setup that are now handled within core-agent-linux --- scripts_debian/04_install_qubes.sh | 102 ++-- scripts_debian/proxy/files/.facl | 231 --------- .../files/etc/udev/rules.d/98-kexec.rules | 4 - .../proxy/files/etc/xen/scripts/blktap | 94 ---- .../proxy/files/etc/xen/scripts/block | 354 -------------- .../files/etc/xen/scripts/block-common.sh | 125 ----- .../proxy/files/etc/xen/scripts/block-enbd | 27 -- .../proxy/files/etc/xen/scripts/block-nbd | 27 -- .../etc/xen/scripts/external-device-migrate | 98 ---- .../files/etc/xen/scripts/hotplugpath.sh | 10 - .../proxy/files/etc/xen/scripts/locking.sh | 110 ----- .../proxy/files/etc/xen/scripts/logging.sh | 22 - .../files/etc/xen/scripts/network-bridge | 337 ------------- .../proxy/files/etc/xen/scripts/network-nat | 124 ----- .../proxy/files/etc/xen/scripts/network-route | 28 -- .../proxy/files/etc/xen/scripts/vif-bridge | 108 ----- .../proxy/files/etc/xen/scripts/vif-common.sh | 190 -------- .../proxy/files/etc/xen/scripts/vif-nat | 192 -------- .../proxy/files/etc/xen/scripts/vif-route | 56 --- .../files/etc/xen/scripts/vif-route-qubes | 65 --- .../proxy/files/etc/xen/scripts/vif-setup | 9 - .../proxy/files/etc/xen/scripts/vif2 | 46 -- .../proxy/files/etc/xen/scripts/vscsi | 22 - .../proxy/files/etc/xen/scripts/vtpm | 22 - .../files/etc/xen/scripts/vtpm-common.sh | 448 ------------------ .../proxy/files/etc/xen/scripts/vtpm-delete | 18 - .../etc/xen/scripts/vtpm-hotplug-common.sh | 35 -- .../proxy/files/etc/xen/scripts/vtpm-impl | 208 -------- .../files/etc/xen/scripts/vtpm-migration.sh | 19 - .../files/etc/xen/scripts/xen-hotplug-cleanup | 45 -- .../etc/xen/scripts/xen-hotplug-common.sh | 102 ---- .../etc/xen/scripts/xen-network-common.sh | 141 ------ .../etc/xen/scripts/xen-script-common.sh | 44 -- 33 files changed, 51 insertions(+), 3412 deletions(-) delete mode 100644 
scripts_debian/proxy/files/etc/udev/rules.d/98-kexec.rules delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/blktap delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/block delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/block-common.sh delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/block-enbd delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/block-nbd delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/external-device-migrate delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/hotplugpath.sh delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/locking.sh delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/logging.sh delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/network-bridge delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/network-nat delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/network-route delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/vif-bridge delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/vif-common.sh delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/vif-nat delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/vif-route delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/vif-route-qubes delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/vif-setup delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/vif2 delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/vscsi delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/vtpm delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/vtpm-common.sh delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/vtpm-delete delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/vtpm-hotplug-common.sh delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/vtpm-impl delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/vtpm-migration.sh delete mode 
100755 scripts_debian/proxy/files/etc/xen/scripts/xen-hotplug-cleanup delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/xen-hotplug-common.sh delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/xen-network-common.sh delete mode 100755 scripts_debian/proxy/files/etc/xen/scripts/xen-script-common.sh diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh index 2afd7e0..adeab12 100755 --- a/scripts_debian/04_install_qubes.sh +++ b/scripts_debian/04_install_qubes.sh 
@@ -58,26 +58,26 @@ EOF chroot "${INSTALLDIR}" locale-gen chroot "${INSTALLDIR}" update-locale LANG=en_US.UTF-8 - # -------------------------------------------------------------------------- - # Update /etc/fstab - # -------------------------------------------------------------------------- - debug "Updating template fstab file..." - cat >> "${INSTALLDIR}/etc/fstab" <> "${INSTALLDIR}/etc/fstab" </dev/null 2>&1; then - : - else - chroot "${INSTALLDIR}" groupadd -f user - chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user - fi +# # -------------------------------------------------------------------------- +# # Qubes needs a user named 'user' +# # -------------------------------------------------------------------------- +# if chroot "${INSTALLDIR}" id -u 'user' >/dev/null 2>&1; then +# : +# else +# chroot "${INSTALLDIR}" groupadd -f user +# chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user +# fi - # -------------------------------------------------------------------------- - # Modules setup - # -------------------------------------------------------------------------- - echo "xen_netfront" >> "${INSTALLDIR}/etc/modules" +# # -------------------------------------------------------------------------- +# # Modules setup +# # -------------------------------------------------------------------------- +# echo "xen_netfront" >> "${INSTALLDIR}/etc/modules" - # -------------------------------------------------------------------------- - # Remove `mesg` from root/.profile? - # -------------------------------------------------------------------------- - sed -i -e '/^mesg n/d' "${INSTALLDIR}/root/.profile" +# # -------------------------------------------------------------------------- +# # Remove `mesg` from root/.profile? 
+# # -------------------------------------------------------------------------- +# sed -i -e '/^mesg n/d' "${INSTALLDIR}/root/.profile" - # -------------------------------------------------------------------------- - # Need a xen log directory or xen scripts will fail - # -------------------------------------------------------------------------- - mkdir -p -m 0700 "${INSTALLDIR}/var/log/xen" +# # -------------------------------------------------------------------------- +# # Need a xen log directory or xen scripts will fail +# # -------------------------------------------------------------------------- +# mkdir -p -m 0700 "${INSTALLDIR}/var/log/xen" # -------------------------------------------------------------------------- # Copy extra files to installation directory. Contains: @@ -189,12 +189,12 @@ EOF # -------------------------------------------------------------------------- copyTree "qubes-files" "${SCRIPTSDIR}" "${INSTALLDIR}" - # -------------------------------------------------------------------------- - # Looks like hosts file may contain tabs and qubes will not parse it - # correctly - # -------------------------------------------------------------------------- - expand "${INSTALLDIR}/etc/hosts" > "${INSTALLDIR}/etc/hosts.dist" - mv "${INSTALLDIR}/etc/hosts.dist" "${INSTALLDIR}/etc/hosts" +# # -------------------------------------------------------------------------- +# # Looks like hosts file may contain tabs and qubes will not parse it +# # correctly +# # -------------------------------------------------------------------------- +# expand "${INSTALLDIR}/etc/hosts" > "${INSTALLDIR}/etc/hosts.dist" +# mv "${INSTALLDIR}/etc/hosts.dist" "${INSTALLDIR}/etc/hosts" touch "${INSTALLDIR}/tmp/.prepared_qubes" fi diff --git a/scripts_debian/proxy/files/.facl b/scripts_debian/proxy/files/.facl index 8e44ed9..4e26d4d 100644 --- a/scripts_debian/proxy/files/.facl +++ b/scripts_debian/proxy/files/.facl 
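Review bot: The hunk comments out the `user` creation, the `xen_netfront` modules entry, the mesg removal and the /var/log/xen mkdir with a `#` prefix instead of deleting them, leaving roughly twenty-five lines of dead code next to a commit message saying core-agent-linux now handles this; git history keeps the old text, so delete the blocks and leave a one-line pointer such as `# user/modules/xen-log setup is now done by qubes-core-agent-linux`. The same applies to the hosts-file `expand` block commented out in the hunk below. The fstab edit at the top of this hunk renders here with its heredoc body missing (`cat >> … <>` … `</dev/null`), which looks like extraction damage rather than committed text, but it is worth confirming the removed span is intact in the real patch.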
@@ -40,234 +40,3 @@ user::rw- group::r-- other::r-- -# file: etc/xen -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/vif-bridge -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/vtpm-delete -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/vif2 -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/vtpm -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/external-device-migrate -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/vif-route-qubes -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - -# file: etc/xen/scripts/network-nat -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/xen-hotplug-common.sh -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/vtpm-common.sh -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/vtpm-impl -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/locking.sh -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/xen-hotplug-cleanup -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/xen-network-common.sh -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/block-nbd -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/block -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/hotplugpath.sh -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/vtpm-migration.sh -# owner: root -# group: root -user::rwx 
-group::--- -other::--- - -# file: etc/xen/scripts/network-bridge -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/block-enbd -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/vif-common.sh -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/vif-setup -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/vif-nat -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/vif-route -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/vscsi -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/network-route -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/blktap -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/xen-script-common.sh -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/logging.sh -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/block-common.sh -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: etc/xen/scripts/vtpm-hotplug-common.sh -# owner: root -# group: root -user::rwx -group::--- -other::--- - -# file: .facl -# owner: user -# group: user -user::rwx -group::rwx -other::rwx - diff --git a/scripts_debian/proxy/files/etc/udev/rules.d/98-kexec.rules b/scripts_debian/proxy/files/etc/udev/rules.d/98-kexec.rules deleted file mode 100644 index 8c742dd..0000000 --- a/scripts_debian/proxy/files/etc/udev/rules.d/98-kexec.rules +++ /dev/null 
@@ -1,4 +0,0 @@
-SUBSYSTEM=="cpu", ACTION=="online", PROGRAM="/bin/systemctl try-restart kdump.service"
-SUBSYSTEM=="cpu", ACTION=="offline", PROGRAM="/bin/systemctl try-restart kdump.service"
-SUBSYSTEM=="memory", ACTION=="add", PROGRAM="/bin/systemctl try-restart kdump.service"
-SUBSYSTEM=="memory", ACTION=="remove", PROGRAM="/bin/systemctl try-restart kdump.service"
diff --git a/scripts_debian/proxy/files/etc/xen/scripts/blktap b/scripts_debian/proxy/files/etc/xen/scripts/blktap
deleted file mode 100755
index cd30a38..0000000
--- a/scripts_debian/proxy/files/etc/xen/scripts/blktap
+++ /dev/null
@@ -1,94 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2005, XenSource Ltd. - -dir=$(dirname "$0") -. "$dir/xen-hotplug-common.sh" -. "$dir/block-common.sh" - -findCommand "$@" - -## -# check_blktap_sharing file mode -# -# Perform the sharing check for the given blktap and mode. -# -check_blktap_sharing() -{ - local file="$1" - local mode="$2" - - local base_path="$XENBUS_BASE_PATH/$XENBUS_TYPE" - for dom in $(xenstore-list "$base_path") - do - for dev in $(xenstore-list "$base_path/$dom") - do - params=$(xenstore_read_default "$base_path/$dom/$dev/params" "" | cut -d: -f2) - if [ "$file" = "$params" ] - then - - if [ "$mode" = 'w' ] - then - if ! same_vm "$dom" - then - echo 'guest' - return - fi - else - local m=$(xenstore_read_default "$base_path/$dom/$dev/mode" "") - m=$(canonicalise_mode "$m") - - if [ "$m" = 'w' ] - then - if ! same_vm "$dom" - then - echo 'guest' - return - fi - fi - fi - fi - done - done - - echo 'ok' -} - - -t=$(xenstore_read_default "$XENBUS_PATH/type" 'MISSING') -if [ -n "$t" ] -then - p=$(xenstore_read "$XENBUS_PATH/params") - p=${p#tapdisk:} - # if we have a ':', chew from head including : - if echo $p | grep -q \: - then - p=${p#*:} - fi -fi -# some versions of readlink cannot be passed a regular file -if [ -L "$p" ]; then - file=$(readlink -f "$p") || fatal "$p link does not exist." -else - file="$p" -fi - -if [ "$command" = 'add' ] -then - [ -e "$file" ] || { fatal $file does not exist; } - - FRONTEND_ID=$(xenstore_read "$XENBUS_PATH/frontend-id") - FRONTEND_UUID=$(xenstore_read "/local/domain/$FRONTEND_ID/vm") - mode=$(xenstore_read "$XENBUS_PATH/mode") - mode=$(canonicalise_mode "$mode") - - if [ "$mode" != '!' ] - then - result=$(check_blktap_sharing "$file" "$mode") - [ "$result" = 'ok' ] || ebusy "$file already in use by other domain" - fi - - success -fi - -exit 0 diff --git a/scripts_debian/proxy/files/etc/xen/scripts/block b/scripts_debian/proxy/files/etc/xen/scripts/block deleted file mode 100755 index 7266a78..0000000 
--- a/scripts_debian/proxy/files/etc/xen/scripts/block
+++ /dev/null
@@ -1,354 +0,0 @@ -#!/bin/bash - -dir=$(dirname "$0") -. "$dir/block-common.sh" - -HOTPLUG_STORE="/var/run/xen-hotplug/${XENBUS_PATH//\//-}" - -expand_dev() { - local dev - case $1 in - /*) - dev=$1 - ;; - *) - dev=/dev/$1 - ;; - esac - echo -n $dev -} - -find_free_loopback_helper() { - local next_devnum=0 - local busy_devnum - while read busy_devnum; do - if [ "$next_devnum" != "$busy_devnum" ]; then - break - fi - let next_devnum=$next_devnum+1 - done - echo "/dev/loop${next_devnum}" -} - -# Not all distros have "losetup -f" -find_free_loopback_dev() { - local loopdev - loopdev=$(losetup -a | sed -e 's+^/dev/loop++' -e 's/:.*//' | find_free_loopback_helper) - if [ -n "$loopdev" ] && [ -b "$loopdev" ]; then - echo "$loopdev" - fi -} - -## -# check_sharing device mode -# -# Check whether the device requested is already in use. To use the device in -# read-only mode, it may be in use in read-only mode, but may not be in use in -# read-write anywhere at all. To use the device in read-write mode, it must -# not be in use anywhere at all. -# -# Prints one of -# -# 'local': the device may not be used because it is mounted in the current -# (i.e. the privileged domain) in a way incompatible with the -# requested mode; -# 'guest': the device may not be used because it already mounted by a guest -# in a way incompatible with the requested mode; or -# 'ok': the device may be used. 
-# -check_sharing() -{ - local dev="$1" - local mode="$2" - - local devmm=$(device_major_minor "$dev") - local file - - if [ "$mode" = 'w' ] - then - toskip="^$" - else - toskip="^[^ ]* [^ ]* [^ ]* ro[, ]" - fi - - for file in $(cat /proc/mounts | grep -v "$toskip" | cut -f 1 -d ' ') - do - if [ -e "$file" ] - then - local d=$(device_major_minor "$file") - - if [ "$d" = "$devmm" ] - then - echo 'local' - return - fi - fi - done - - local base_path="$XENBUS_BASE_PATH/$XENBUS_TYPE" - for dom in $(xenstore-list "$base_path") - do - for dev in $(xenstore-list "$base_path/$dom") - do - d=$(xenstore_read_default "$base_path/$dom/$dev/physical-device" "") - - if [ "$d" = "$devmm" ] - then - if [ "$mode" = 'w' ] - then - if ! same_vm $dom - then - echo 'guest' - return - fi - else - local m=$(xenstore_read_default "$base_path/$dom/$dev/mode" "") - m=$(canonicalise_mode "$m") - - if [ "$m" = 'w' ] - then - if ! same_vm $dom - then - echo 'guest' - return - fi - fi - fi - fi - done - done - - echo 'ok' -} - - -## -# check_device_sharing dev mode -# -# Perform the sharing check for the given physical device and mode. -# -check_device_sharing() -{ - local dev="$1" - local mode=$(canonicalise_mode "$2") - local result - - if [ "x$mode" = 'x!' ] - then - return 0 - fi - - result=$(check_sharing "$dev" "$mode") - - if [ "$result" != 'ok' ] - then - do_ebusy "Device $dev is mounted " "$mode" "$result" - fi -} - - -## -# check_device_sharing file dev mode -# -# Perform the sharing check for the given file mounted through the given -# loopback interface, in the given mode. 
-# -check_file_sharing() -{ - local file="$1" - local dev="$2" - local mode="$3" - - result=$(check_sharing "$dev" "$mode") - - if [ "$result" != 'ok' ] - then - do_ebusy "File $file is loopback-mounted through $dev, -which is mounted " "$mode" "$result" - fi -} - - -## -# do_ebusy prefix mode result -# -# Helper function for check_device_sharing check_file_sharing, calling ebusy -# with an error message constructed from the given prefix, mode, and result -# from a call to check_sharing. -# -do_ebusy() -{ - local prefix="$1" - local mode="$2" - local result="$3" - - if [ "$result" = 'guest' ] - then - dom='a guest ' - when='now' - else - dom='the privileged ' - when='by a guest' - fi - - if [ "$mode" = 'w' ] - then - m1='' - m2='' - else - m1='read-write ' - m2='read-only ' - fi - - release_lock "block" - ebusy \ -"${prefix}${m1}in ${dom}domain, -and so cannot be mounted ${m2}${when}." -} - - -t=$(xenstore_read_default "$XENBUS_PATH/type" 'MISSING') - -case "$command" in - add) - phys=$(xenstore_read_default "$XENBUS_PATH/physical-device" 'MISSING') - if [ "$phys" != 'MISSING' ] - then - # Depending upon the hotplug configuration, it is possible for this - # script to be called twice, so just bail. - exit 0 - fi - - if [ -n "$t" ] - then - p=$(xenstore_read "$XENBUS_PATH/params") - mode=$(xenstore_read "$XENBUS_PATH/mode") - echo $p > "$HOTPLUG_STORE-params" - echo $mode > "$HOTPLUG_STORE-mode" - echo $t > "$HOTPLUG_STORE-type" - fi - FRONTEND_ID=$(xenstore_read "$XENBUS_PATH/frontend-id") - FRONTEND_UUID=$(xenstore_read_default \ - "/local/domain/$FRONTEND_ID/vm" 'unknown') - - case $t in - phy) - dev=$(expand_dev $p) - - if [ -L "$dev" ] - then - dev=$(readlink -f "$dev") || fatal "$dev link does not exist." - fi - test -e "$dev" || fatal "$dev does not exist." - test -b "$dev" || fatal "$dev is not a block device." 
- - claim_lock "block" - check_device_sharing "$dev" "$mode" - write_dev "$dev" - release_lock "block" - exit 0 - ;; - - file) - # Canonicalise the file, for sharing check comparison, and the mode - # for ease of use here. - file=$(readlink -f "$p") || fatal "$p does not exist." - test -f "$file" || fatal "$file does not exist." - mode=$(canonicalise_mode "$mode") - - claim_lock "block" - - # Avoid a race with the remove if the path has been deleted, or - # otherwise changed from "InitWait" state e.g. due to a timeout - xenbus_state=$(xenstore_read_default "$XENBUS_PATH/state" 'unknown') - if [ "$xenbus_state" != '2' ] - then - release_lock "block" - fatal "Path closed or removed during hotplug add: $XENBUS_PATH state: $xenbus_state" - fi - - if [ "$mode" = 'w' ] && ! stat "$file" -c %A | grep -q w - then - release_lock "block" - ebusy \ -"File $file is read-only, and so I will not -mount it read-write in a guest domain." - fi - - if [ "x$mode" != 'x!' ] - then - inode=$(stat -c '%i' "$file") - dev=$(stat -c '%D' "$file") - if [ -z "$inode" ] || [ -z "$dev" ] - then - fatal "Unable to lookup $file: dev: $dev inode: $inode" - fi - - shared_list=$(losetup -j "$file" | head -n 1 | cut -d : -f 1) - for dev in "$shared_list" - do - if [ -n "$dev" ] - then - check_file_sharing "$file" "$dev" "$mode" - loopdev="$dev" - fi - done - fi - - if [ -z "$loopdev" ]; then - loopdev=$(losetup -f 2>/dev/null || find_free_loopback_dev) - if [ "$loopdev" = '' ] - then - release_lock "block" - fatal 'Failed to find an unused loop device' - fi - - if LANG=C losetup -h 2>&1 | grep read-only >/dev/null - then - roflag="-$mode"; roflag="${roflag#-w}"; roflag="${roflag#-!}" - else - roflag='' - fi - do_or_die losetup $roflag "$loopdev" "$file" - fi - xenstore_write "$XENBUS_PATH/node" "$loopdev" - echo $loopdev > "$HOTPLUG_STORE-node" - write_dev "$loopdev" - release_lock "block" - exit 0 - ;; - - "") - claim_lock "block" - success - release_lock "block" - ;; - esac - ;; - - remove) - 
t=$(cat $HOTPLUG_STORE-type) - case $t in - phy) - exit 0 - ;; - - file) - claim_lock "block" - node=$(cat "$HOTPLUG_STORE-node") - losetup -d "$node" - release_lock "block" - exit 0 - ;; - - "") - exit 0 - ;; - esac - ;; - -esac - -# If we've reached here, $t is neither phy nor file, so fire a helper script. -[ -x ${XEN_SCRIPT_DIR}/block-"$t" ] && \ - ${XEN_SCRIPT_DIR}/block-"$t" "$command" $node diff --git a/scripts_debian/proxy/files/etc/xen/scripts/block-common.sh b/scripts_debian/proxy/files/etc/xen/scripts/block-common.sh deleted file mode 100755 index cc374ef..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/block-common.sh +++ /dev/null 
@@ -1,125 +0,0 @@ -# -# Copyright (c) 2005 XenSource Ltd. -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of version 2.1 of the GNU Lesser General Public -# License as published by the Free Software Foundation. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - - -dir=$(dirname "$0") -. "$dir/xen-hotplug-common.sh" - -findCommand "$@" - -if [ "$command" != "add" ] && - [ "$command" != "remove" ] -then - log err "Invalid command: $command" - exit 1 -fi - - -XENBUS_PATH="${XENBUS_PATH:?}" - - -ebusy() -{ - xenstore_write "$XENBUS_PATH/hotplug-error" "$*" \ - "$XENBUS_PATH/hotplug-status" busy - log err "$@" - exit 1 -} - - -## -# Print the given device's major and minor numbers, written in hex and -# separated by a colon. -device_major_minor() -{ - stat -L -c %t:%T "$1" -} - - -## -# Write physical-device = MM,mm to the store, where MM and mm are the major -# and minor numbers of device respectively. -# -# @param device The device from which major and minor numbers are read, which -# will be written into the store. 
-# -write_dev() { - local mm - - mm=$(device_major_minor "$1") - - if [ -z $mm ] - then - fatal "Backend device does not exist" - fi - - xenstore_write "$XENBUS_PATH/physical-device" "$mm" - - success -} - - -## -# canonicalise_mode mode -# -# Takes the given mode, which may be r, w, ro, rw, w!, or rw!, or variations -# thereof, and canonicalises them to one of -# -# 'r': perform checks for a new read-only mount; -# 'w': perform checks for a read-write mount; or -# '!': perform no checks at all. -# -canonicalise_mode() -{ - local mode="$1" - - if ! expr index "$mode" 'w' >/dev/null - then - echo 'r' - elif ! expr index "$mode" '!' >/dev/null - then - echo 'w' - else - echo '!' - fi -} - - -same_vm() -{ - local otherdom="$1" - # Note that othervm can be MISSING here, because Xend will be racing with - # the hotplug scripts -- the entries in /local/domain can be removed by - # Xend before the hotplug scripts have removed the entry in - # /local/domain/0/backend/. In this case, we want to pretend that the - # VM is the same as FRONTEND_UUID, because that way the 'sharing' will be - # allowed. - local othervm=$(xenstore_read_default "/local/domain/$otherdom/vm" \ - "$FRONTEND_UUID") - local target=$(xenstore_read_default "/local/domain/$FRONTEND_ID/target" \ - "-1") - local otarget=$(xenstore_read_default "/local/domain/$otherdom/target" \ - "-1") - local otvm=$(xenstore_read_default "/local/domain/$otarget/vm" \ - "-1") - otvm=${otvm%-1} - othervm=${othervm%-1} - local frontend_uuid=${FRONTEND_UUID%-1} - - [ "$frontend_uuid" = "$othervm" -o "$target" = "$otherdom" -o "$frontend_uuid" = "$otvm" ] -} - diff --git a/scripts_debian/proxy/files/etc/xen/scripts/block-enbd b/scripts_debian/proxy/files/etc/xen/scripts/block-enbd deleted file mode 100755 index 67faa84..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/block-enbd +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/bin/bash - -# Usage: block-enbd [bind server ctl_port |unbind node] -# -# The node argument to unbind is the name of the device node we are to -# unbind. -# -# This assumes you're running a correctly configured server at the other end! - -dir=$(dirname "$0") -. "$dir/block-common.sh" - -case "$command" in - add) - for dev in /dev/nd*; do - if nbd-client $2:$3 $dev; then - write_dev $dev - exit 0 - fi - done - exit 1 - ;; - remove) - nbd-client -d $2 - exit 0 - ;; -esac diff --git a/scripts_debian/proxy/files/etc/xen/scripts/block-nbd b/scripts_debian/proxy/files/etc/xen/scripts/block-nbd deleted file mode 100755 index b29b315..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/block-nbd +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/bash - -# Usage: block-nbd [bind server ctl_port |unbind node] -# -# The node argument to unbind is the name of the device node we are to -# unbind. -# -# This assumes you're running a correctly configured server at the other end! - -dir=$(dirname "$0") -. "$dir/block-common.sh" - -case "$command" in - add) - for dev in /dev/nbd*; do - if nbd-client $2 $3 $dev; then - write_dev $dev - exit 0 - fi - done - exit 1 - ;; - remove) - nbd-client -d $2 - exit 0 - ;; -esac diff --git a/scripts_debian/proxy/files/etc/xen/scripts/external-device-migrate b/scripts_debian/proxy/files/etc/xen/scripts/external-device-migrate deleted file mode 100755 index a411348..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/external-device-migrate +++ /dev/null 
@@ -1,98 +0,0 @@ -#!/bin/bash - -# Copyright (c) 2005 IBM Corporation -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of version 2.1 of the GNU Lesser General Public -# License as published by the Free Software Foundation. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -set -x - -# This script is called by XenD for migration of external devices -# It does not handle the migration of those devices itself, but -# passes the requests on to further applications -# It handles the low-level command line parsing and some of the -# synchronization - -dir=$(dirname "$0") -. "$dir/logging.sh" - - -function ext_dev_migrate_usage() { -cat < : n-th migration step --host : the destination host --domname : name of the domain that is migrating --type : the type of device that is migrating --subtype : the subtype of the device --recover : indicates recovery request; an error - occurred during migration --help : display this help screen -EOF -} - -# Parse the command line paramters. The following parameters must be -# passed as the first ones in the sequence: -# -step [required] -# -host [required] -# -domname [required] -# -type [required] -# -subtype [optional] -# -recover [optional] -# The remaining ones will be passed to the called function. 
-function evaluate_params() -{ - local step host domname typ recover filename func stype - stype="" - while [ $# -ge 1 ]; do - case "$1" in - -step) step=$2; shift; shift;; - -host) host=$2; shift; shift;; - -domname) domname=$2; shift; shift;; - -type) typ=$2; shift; shift;; - -subtype) stype=$2; shift; shift;; - -recover) recover=1; shift;; - -help) ext_dev_migrate_usage; exit 0;; - *) break;; - esac - done - - if [ "$step" = "" -o \ - "$host" = "" -o \ - "$typ" = "" -o \ - "$domname" = "" ]; then - echo "Error: Parameter(s) missing (-step/-host/-type/-domname)" 1>&2 - echo "" 1>&2 - echo "$0 -help for usage." 1>&2 - exit 1 - fi - - filename="$dir/$typ$stype-migration.sh" - if [ ! -r $filename ]; then - echo "Error: Could not find script '$filename'" - return - fi - . "$filename" - - if [ "$recover" = "1" ]; then - func="$typ"_recover - eval $func $host $domname $step $* - else - func="$typ"_migration_step - eval $func $host $domname $step $* - fi -} - -evaluate_params "$@" diff --git a/scripts_debian/proxy/files/etc/xen/scripts/hotplugpath.sh b/scripts_debian/proxy/files/etc/xen/scripts/hotplugpath.sh deleted file mode 100755 index 254b3e2..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/hotplugpath.sh +++ /dev/null @@ -1,10 +0,0 @@ -SBINDIR="/usr/sbin" -BINDIR="/usr/bin" -LIBEXEC="/usr/lib/xen/bin" -LIBDIR="/usr/lib64" -SHAREDIR="/usr/share" -PRIVATE_BINDIR="/usr/lib64/xen/bin" -XENFIRMWAREDIR="/usr/lib/xen/boot" -XEN_CONFIG_DIR="/etc/xen" -XEN_SCRIPT_DIR="/etc/xen/scripts" -XEN_LOCK_DIR="/var/lock" diff --git a/scripts_debian/proxy/files/etc/xen/scripts/locking.sh b/scripts_debian/proxy/files/etc/xen/scripts/locking.sh deleted file mode 100755 index e233c47..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/locking.sh +++ /dev/null 
@@ -1,110 +0,0 @@ -# -# Copyright (c) 2005 XenSource Ltd. -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of version 2.1 of the GNU Lesser General Public -# License as published by the Free Software Foundation. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -# -# Serialisation -# - -LOCK_SLEEPTIME=1 -LOCK_SPINNING_RETRIES=5 -LOCK_RETRIES=100 -LOCK_BASEDIR=/var/run/xen-hotplug - - -claim_lock() -{ - local lockdir="$LOCK_BASEDIR/$1" - mkdir -p "$LOCK_BASEDIR" - _claim_lock "$lockdir" -} - - -release_lock() -{ - _release_lock "$LOCK_BASEDIR/$1" -} - - -# This function will be redefined in xen-hotplug-common.sh. -sigerr() { - exit 1 -} - - -_claim_lock() -{ - local lockdir="$1" - local owner=$(_lock_owner "$lockdir") - local retries=0 - - while [ $retries -lt $LOCK_RETRIES ] - do - mkdir "$lockdir" 2>/dev/null && trap "_release_lock $lockdir; sigerr" ERR && - _update_lock_info "$lockdir" && return - - local new_owner=$(_lock_owner "$lockdir") - if [ "$new_owner" != "$owner" ] - then - owner="$new_owner" - retries=0 - else - local pid=$(echo $owner | cut -d : -f 1) - if [ -n "$pid" -a "$pid" != "unknown" -a ! 
-f "/proc/$pid/status" ] - then - _release_lock $lockdir - fi - fi - - if [ $retries -gt $LOCK_SPINNING_RETRIES ] - then - sleep $LOCK_SLEEPTIME - else - sleep 0 - fi - retries=$(($retries + 1)) - done - _steal_lock "$lockdir" -} - - -_release_lock() -{ - trap sigerr ERR - rm -rf "$1" 2>/dev/null || true -} - - -_steal_lock() -{ - local lockdir="$1" - local owner=$(cat "$lockdir/owner" 2>/dev/null || echo "unknown") - log err "Forced to steal lock on $lockdir from $owner!" - _release_lock "$lockdir" - _claim_lock "$lockdir" -} - - -_lock_owner() -{ - cat "$1/owner" 2>/dev/null || echo "unknown" -} - - -_update_lock_info() -{ - echo "$$: $0" >"$1/owner" -} diff --git a/scripts_debian/proxy/files/etc/xen/scripts/logging.sh b/scripts_debian/proxy/files/etc/xen/scripts/logging.sh deleted file mode 100755 index c1bc699..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/logging.sh +++ /dev/null @@ -1,22 +0,0 @@ -# -# Copyright (c) 2005 XenSource Ltd. -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of version 2.1 of the GNU Lesser General Public -# License as published by the Free Software Foundation. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -log() { - local level="$1" - shift - logger -p "daemon.$level" -- "$0:" "$@" || echo "$0 $@" >&2 -} diff --git a/scripts_debian/proxy/files/etc/xen/scripts/network-bridge b/scripts_debian/proxy/files/etc/xen/scripts/network-bridge deleted file mode 100755 index 6f8475a..0000000 
--- a/scripts_debian/proxy/files/etc/xen/scripts/network-bridge
+++ /dev/null
@@ -1,337 +0,0 @@ -#!/bin/bash -#============================================================================ -# Default Xen network start/stop script. -# Xend calls a network script when it starts. -# The script name to use is defined in ${XEN_CONFIG_DIR}/xend-config.sxp -# in the network-script field. -# -# This script creates a bridge (default ${netdev}), adds a device -# (defaults to the device on the default gateway route) to it, copies -# the IP addresses from the device to the bridge and adjusts the routes -# accordingly. -# -# If all goes well, this should ensure that networking stays up. -# However, some configurations are upset by this, especially -# NFS roots. If the bridged setup does not meet your needs, -# configure a different script, for example using routing instead. -# -# Usage: -# -# network-bridge (start|stop|status) {VAR=VAL}* -# -# Vars: -# -# bridge The bridge to use (default ${netdev}). -# netdev The interface to add to the bridge (default gateway device). -# antispoof Whether to use iptables to prevent spoofing (default no). -# -# Internal Vars: -# pdev="p${netdev}" -# tdev=tmpbridge -# -# start: -# Creates the bridge as tdev -# Copies the IP and MAC addresses from pdev to bridge -# Renames netdev to be pdev -# Renames tdev to bridge -# Enslaves pdev to bridge -# -# stop: -# Removes pdev from the bridge -# Transfers addresses, routes from bridge to pdev -# Renames bridge to tdev -# Renames pdev to netdev -# Deletes tdev -# -# status: -# Print addresses, interfaces, routes -# -#============================================================================ - - -dir=$(dirname "$0") -. "$dir/logging.sh" -. "$dir/xen-script-common.sh" -. "$dir/xen-network-common.sh" -. 
"$dir/locking.sh" - -findCommand "$@" -evalVariables "$@" - -is_network_root () { - local rootfs=$(awk '{ if ($1 !~ /^[ \t]*#/ && $2 == "/") { print $3; }}' /etc/mtab) - local rootopts=$(awk '{ if ($1 !~ /^[ \t]*#/ && $2 == "/") { print $4; }}' /etc/mtab) - - [[ "$rootfs" =~ "^nfs" ]] || [[ "$rootopts" =~ "_netdev" ]] && has_nfsroot=1 || has_nfsroot=0 - if [ $has_nfsroot -eq 1 ]; then - local bparms=$(cat /proc/cmdline) - for p in $bparms; do - local ipaddr=$(echo $p | awk /nfsroot=/'{ print substr($1,9,index($1,":")-9) }') - if [ "$ipaddr" != "" ]; then - local nfsdev=$(ip route get $ipaddr | awk /$ipaddr/'{ print $3 }') - [[ "$nfsdev" == "$netdev" ]] && return 0 || return 1 - fi - done - fi - return 1 -} - -find_alt_device () { - local interf=$1 - local prefix=${interf%[[:digit:]]} - local ifs=$(ip link show | grep " $prefix" |\ - awk '{ printf ("%s",substr($2,1,length($2)-1)) }' |\ - sed s/$interf//) - echo "$ifs" -} - -netdev=${netdev:-$(ip route list 0.0.0.0/0 | \ - sed 's/.*dev \([a-z]\+[0-9]\+\).*$/\1/')} -if is_network_root ; then - altdevs=$(find_alt_device $netdev) - for netdev in $altdevs; do break; done - if [ -z "$netdev" ]; then - [ -x /usr/bin/logger ] && /usr/bin/logger "network-bridge: bridging not supported on network root; not starting" - exit - fi -fi -netdev=${netdev:-eth0} -bridge=${bridge:-${netdev}} -antispoof=${antispoof:-no} - -pdev="p${netdev}" -tdev=tmpbridge - -get_ip_info() { - addr_pfx=`ip addr show dev $1 | egrep '^ *inet' | sed -e 's/ *inet //' -e 's/ .*//'` - gateway=`ip route show dev $1 | fgrep default | sed 's/default via //'` -} - -do_ifup() { - if [ $1 != "${netdev}" ] || ! ifup $1 ; then - if [ -n "$addr_pfx" ] ; then - # use the info from get_ip_info() - ip addr flush $1 - ip addr add ${addr_pfx} dev $1 - fi - ip link set dev $1 up - [ -n "$gateway" ] && ip route add default via ${gateway} - fi -} - -# Usage: transfer_addrs src dst -# Copy all IP addresses (including aliases) from device $src to device $dst. 
-transfer_addrs () { - local src=$1 - local dst=$2 - # Don't bother if $dst already has IP addresses. - if ip addr show dev ${dst} | egrep -q '^ *inet ' ; then - return - fi - # Address lines start with 'inet' and have the device in them. - # Replace 'inet' with 'ip addr add' and change the device name $src - # to 'dev $src'. - ip addr show dev ${src} | egrep '^ *inet ' | sed -e " -s/inet/ip addr add/ -s@\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+/[0-9]\+\)@\1@ -s/${src}/dev ${dst} label ${dst}/ -s/secondary// -" | sh -e - # Remove automatic routes on destination device - ip route list | sed -ne " -/dev ${dst}\( \|$\)/ { - s/^/ip route del / - p -}" | sh -e -} - -# Usage: transfer_routes src dst -# Get all IP routes to device $src, delete them, and -# add the same routes to device $dst. -# The original routes have to be deleted, otherwise adding them -# for $dst fails (duplicate routes). -transfer_routes () { - local src=$1 - local dst=$2 - # List all routes and grep the ones with $src in. - # Stick 'ip route del' on the front to delete. - # Change $src to $dst and use 'ip route add' to add. - ip route list | sed -ne " -/dev ${src}\( \|$\)/ { - h - s/^/ip route del / - P - g - s/${src}/${dst}/ - s/^/ip route add / - P - d -}" | sh -e -} - - -## -# link_exists interface -# -# Returns 0 if the interface named exists (whether up or down), 1 otherwise. -# -link_exists() -{ - if ip link show "$1" >/dev/null 2>/dev/null - then - return 0 - else - return 1 - fi -} - -# Set the default forwarding policy for $dev to drop. -# Allow forwarding to the bridge. -antispoofing () { - iptables -P FORWARD DROP - iptables -F FORWARD - iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT -} - -# Usage: show_status dev bridge -# Print ifconfig and routes. 
-show_status () { - local dev=$1 - local bridge=$2 - - echo '============================================================' - ip addr show ${dev} - ip addr show ${bridge} - echo ' ' - brctl show ${bridge} - echo ' ' - ip route list - echo ' ' - route -n - echo '============================================================' -} - -op_start () { - if [ "${bridge}" = "null" ] ; then - return - fi - - if [ `brctl show | wc -l` != 1 ]; then - return - fi - - if link_exists "$pdev"; then - # The device is already up. - return - fi - - claim_lock "network-bridge" - - create_bridge ${tdev} - - preiftransfer ${netdev} - transfer_addrs ${netdev} ${tdev} - # Remember slaves for bonding interface. - if [ -e /sys/class/net/${netdev}/bonding/slaves ]; then - slaves=`cat /sys/class/net/${netdev}/bonding/slaves` - fi - # Remember the IP details for do_ifup. - get_ip_info ${netdev} - if ! ifdown ${netdev}; then - ip link set ${netdev} down - ip addr flush ${netdev} - fi - ip link set ${netdev} name ${pdev} - ip link set ${tdev} name ${bridge} - - setup_physical_bridge_port ${pdev} - - # Restore slaves - if [ -n "${slaves}" ]; then - ip link set ${pdev} up - ifenslave ${pdev} ${slaves} - fi - add_to_bridge2 ${bridge} ${pdev} - do_ifup ${bridge} - - if [ ${antispoof} = 'yes' ] ; then - antispoofing - fi - - release_lock "network-bridge" -} - -op_stop () { - if [ "${bridge}" = "null" ]; then - return - fi - if ! link_exists "$bridge"; then - return - fi - if ! [ -e "/sys/class/net/${bridge}/brif/${pdev}" ]; then - # $bridge is not a bridge to which pdev is enslaved - return - fi - - claim_lock "network-bridge" - - transfer_addrs ${bridge} ${pdev} - if ! 
ifdown ${bridge}; then - get_ip_info ${bridge} - fi - ip link set ${pdev} down - ip addr flush ${bridge} - - brctl delif ${bridge} ${pdev} - ip link set ${bridge} down - - ip link set ${bridge} name ${tdev} - ip link set ${pdev} name ${netdev} - do_ifup ${netdev} - - brctl delbr ${tdev} - - release_lock "network-bridge" -} - -# adds $dev to $bridge but waits for $dev to be in running state first -add_to_bridge2() { - local bridge=$1 - local dev=$2 - local maxtries=10 - - echo -n "Waiting for ${dev} to negotiate link." - ip link set ${dev} up - for i in `seq ${maxtries}` ; do - if ifconfig ${dev} | grep -q RUNNING ; then - break - else - echo -n '.' - sleep 1 - fi - done - - if [ ${i} -eq ${maxtries} ] ; then echo -n '(link isnt in running state)' ; fi - echo - - add_to_bridge ${bridge} ${dev} -} - -case "$command" in - start) - op_start - ;; - - stop) - op_stop - ;; - - status) - show_status ${netdev} ${bridge} - ;; - - *) - echo "Unknown command: $command" >&2 - echo 'Valid commands are: start, stop, status' >&2 - exit 1 -esac diff --git a/scripts_debian/proxy/files/etc/xen/scripts/network-nat b/scripts_debian/proxy/files/etc/xen/scripts/network-nat deleted file mode 100755 index eb1740e..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/network-nat +++ /dev/null 
@@ -1,124 +0,0 @@ -#!/bin/bash -#============================================================================ -# Default Xen network start/stop script when using NAT. -# Xend calls a network script when it starts. -# The script name to use is defined in ${XEN_CONFIG_DIR}/xend-config.sxp -# in the network-script field. -# -# Usage: -# -# network-nat (start|stop|status) {VAR=VAL}* -# -# Vars: -# -# netdev The gateway interface (default eth0). -# antispoof Whether to use iptables to prevent spoofing (default no). -# dhcp Whether to alter the local DHCP configuration (default no). -# -#============================================================================ - -dir=$(dirname "$0") -. "$dir/hotplugpath.sh" -. "$dir/xen-script-common.sh" -. "$dir/xen-network-common.sh" - -findCommand "$@" -evalVariables "$@" - -netdev=${netdev:-eth0} -# antispoofing not yet implemented -antispoof=${antispoof:-no} - -# turn on dhcp feature by default if dhcpd is installed -if [ -f /etc/dhcpd.conf ] -then - dhcp=${dhcp:-yes} -else - dhcp=${dhcp:-no} -fi - - -if [ "$dhcp" != 'no' ] -then - dhcpd_conf_file=$(find_dhcpd_conf_file) - dhcpd_init_file=$(find_dhcpd_init_file) - if [ -z "$dhcpd_conf_file" ] || [ -z "$dhcpd_init_file" ] - then - echo 'Failed to find dhcpd configuration or init file.' >&2 - exit 1 - fi -fi - -domain_name=`cat /etc/resolv.conf | grep -v "#" | grep -E 'search|domain' -i | tail -n 1 | awk '{ print $2 }'` -nameserver=`cat /etc/resolv.conf | grep -v "#" | grep "nameserver" -i -m 1 | awk '{ print $2 }'` - -function dhcp_start() -{ - if ! 
grep -q "subnet 10.0.0.0" "$dhcpd_conf_file" - then - echo >>"$dhcpd_conf_file" "subnet 10.0.0.0 netmask 255.255.0.0 {\ - option domain-name \"$domain_name\";\ - option domain-name-servers $nameserver; }" - fi - - "$dhcpd_init_file" restart -} - - -function dhcp_stop() -{ - local tmpfile=$(mktemp) - grep -v "subnet 10.0.0.0" "$dhcpd_conf_file" >"$tmpfile" - if diff "$tmpfile" "$dhcpd_conf_file" >&/dev/null - then - rm "$tmpfile" - else - mv "$tmpfile" "$dhcpd_conf_file" - fi - - "$dhcpd_init_file" restart -} - - -op_start() { - echo 1 >/proc/sys/net/ipv4/ip_forward - iptables -t nat -A POSTROUTING -o ${netdev} -j MASQUERADE - [ "$dhcp" != 'no' ] && dhcp_start -} - - -op_stop() { - [ "$dhcp" != 'no' ] && dhcp_stop - iptables -t nat -D POSTROUTING -o ${netdev} -j MASQUERADE -} - - -show_status() { - echo '============================================================' - ifconfig - echo ' ' - ip route list - echo ' ' - route -n - echo '============================================================' - -} - -case "$command" in - start) - op_start - ;; - - stop) - op_stop - ;; - - status) - show_status - ;; - - *) - echo "Unknown command: $command" >&2 - echo 'Valid commands are: start, stop, status' >&2 - exit 1 -esac diff --git a/scripts_debian/proxy/files/etc/xen/scripts/network-route b/scripts_debian/proxy/files/etc/xen/scripts/network-route deleted file mode 100755 index 8f6a1be..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/network-route +++ /dev/null 
@@ -1,28 +0,0 @@ -#!/bin/bash -#============================================================================ -# Default Xen network start/stop script. -# Xend calls a network script when it starts. -# The script name to use is defined in ${XEN_CONFIG_DIR}/xend-config.sxp -# in the network-script field. -# -# Usage: -# -# network-route (start|stop|status) {VAR=VAL}* -# -# Vars: -# -# netdev The gateway interface (default eth0). -# antispoof Whether to use iptables to prevent spoofing (default yes). -# -#============================================================================ - -dir=$(dirname "$0") -. "$dir/hotplugpath.sh" -. "$dir/xen-script-common.sh" - -evalVariables "$@" - -netdev=${netdev:-eth0} - -echo 1 >/proc/sys/net/ipv4/ip_forward -echo 1 >/proc/sys/net/ipv4/conf/${netdev}/proxy_arp diff --git a/scripts_debian/proxy/files/etc/xen/scripts/vif-bridge b/scripts_debian/proxy/files/etc/xen/scripts/vif-bridge deleted file mode 100755 index 960784a..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/vif-bridge +++ /dev/null 
@@ -1,108 +0,0 @@ -#!/bin/bash -#============================================================================ -# ${XEN_SCRIPT_DIR}/vif-bridge -# -# Script for configuring a vif in bridged mode. -# The hotplugging system will call this script if it is specified either in -# the device configuration given to Xend, or the default Xend configuration -# in ${XEN_CONFIG_DIR}/xend-config.sxp. If the script is specified in -# neither of those places, then this script is the default. -# -# Usage: -# vif-bridge (add|remove|online|offline) -# -# Environment vars: -# vif vif interface name (required). -# XENBUS_PATH path to this device's details in the XenStore (required). -# -# Read from the store: -# bridge bridge to add the vif to (optional). Defaults to searching for the -# bridge itself. -# ip list of IP networks for the vif, space-separated (optional). -# -# up: -# Enslaves the vif interface to the bridge and adds iptables rules -# for its ip addresses (if any). -# -# down: -# Removes the vif interface from the bridge and removes the iptables -# rules for its ip addresses (if any). -#============================================================================ - -dir=$(dirname "$0") -. "$dir/vif-common.sh" - -bridge=${bridge:-} -bridge=$(xenstore_read_default "$XENBUS_PATH/bridge" "$bridge") - -if [ -z "$bridge" ] -then - bridge=$(brctl show | cut -d " -" -f 2 | cut -f 1) - - if [ -z "$bridge" ] - then - fatal "Could not find bridge, and none was specified" - fi -else - # - # Old style bridge setup with netloop, used to have a bridge name - # of xenbrX, enslaving pethX and vif0.X, and then configuring - # eth0. - # - # New style bridge setup does not use netloop, so the bridge name - # is ethX and the physical device is enslaved pethX - # - # So if... 
- # - # - User asks for xenbrX - # - AND xenbrX doesn't exist - # - AND there is a ethX device which is a bridge - # - # ..then we translate xenbrX to ethX - # - # This lets old config files work without modification - # - if [ ! -e "/sys/class/net/$bridge" ] && [ -z "${bridge##xenbr*}" ] - then - if [ -e "/sys/class/net/eth${bridge#xenbr}/bridge" ] - then - bridge="eth${bridge#xenbr}" - fi - fi -fi - -RET=0 -ip link show $bridge 1>/dev/null 2>&1 || RET=1 -if [ "$RET" -eq 1 ] -then - fatal "Could not find bridge device $bridge" -fi - -case "$command" in - online) - setup_virtual_bridge_port "$dev" - mtu="`ip link show $bridge | awk '/mtu/ { print $5 }'`" - if [ -n "$mtu" ] && [ "$mtu" -gt 0 ] - then - ip link set $dev mtu $mtu || : - fi - add_to_bridge "$bridge" "$dev" - ;; - - offline) - do_without_error brctl delif "$bridge" "$dev" - do_without_error ifconfig "$dev" down - ;; - - add) - setup_virtual_bridge_port "$dev" - add_to_bridge "$bridge" "$dev" - ;; -esac - -log debug "Successful vif-bridge $command for $dev, bridge $bridge." -if [ "$type_if" = vif -a "$command" = "online" ] -then - success -fi diff --git a/scripts_debian/proxy/files/etc/xen/scripts/vif-common.sh b/scripts_debian/proxy/files/etc/xen/scripts/vif-common.sh deleted file mode 100755 index c9c5d41..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/vif-common.sh +++ /dev/null 
@@ -1,190 +0,0 @@ -# -# Copyright (c) 2005 XenSource Ltd. -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of version 2.1 of the GNU Lesser General Public -# License as published by the Free Software Foundation. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - - -dir=$(dirname "$0") -. "$dir/xen-hotplug-common.sh" -. "$dir/xen-network-common.sh" - -findCommand "$@" - -if [ "$command" != "online" ] && - [ "$command" != "offline" ] && - [ "$command" != "add" ] && - [ "$command" != "remove" ] -then - log err "Invalid command: $command" - exit 1 -fi - - -# Parameters may be read from the environment, the command line arguments, and -# the store, with overriding in that order. The environment is given by the -# driver, the command line is given by the Xend global configuration, and -# store details are given by the per-domain or per-device configuration. - -evalVariables "$@" - -# Older versions of Xen do not pass in the type as an argument, -# so the default value is vif. -: ${type_if:=vif} - -case "$type_if" in - vif) - dev=$vif - ;; - tap) - dev=$INTERFACE - ;; - *) - log err "unknown interface type $type_if" - exit 1 - ;; -esac - -case "$command" in - online | offline) - test "$type_if" != vif && exit 0 - ;; - add | remove) - test "$type_if" != tap && exit 0 - ;; -esac - - -if [ "$type_if" = vif ]; then - # Check presence of compulsory args. 
- XENBUS_PATH="${XENBUS_PATH:?}" - dev="${dev:?}" - - vifname=$(xenstore_read_default "$XENBUS_PATH/vifname" "") - if [ "$vifname" ] - then - if [ "$command" == "online" ] && ! ip link show "$vifname" >&/dev/null - then - do_or_die ip link set "$dev" name "$vifname" - fi - dev="$vifname" - fi -elif [ "$type_if" = tap ]; then - # Check presence of compulsory args. - : ${INTERFACE:?} - - # Get xenbus_path from device name. - # The name is built like that: "tap${domid}.${devid}". - dev_=${dev#tap} - domid=${dev_%.*} - devid=${dev_#*.} - - XENBUS_PATH="/local/domain/0/backend/vif/$domid/$devid" -fi - -ip=${ip:-} -ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip") - -frob_iptable() -{ - if [ "$command" == "online" ] - then - local c="-I" - else - local c="-D" - fi - - iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \ - "$@" -j ACCEPT 2>/dev/null && - iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \ - -j ACCEPT 2>/dev/null - - if [ "$command" == "online" -a $? -ne 0 ] - then - log err "iptables setup failed. This may affect guest networking." - fi -} - - -## -# Add or remove the appropriate entries in the iptables. With antispoofing -# turned on, we have to explicitly allow packets to the interface, regardless -# of the ip setting. If ip is set, then we additionally restrict the packets -# to those coming from the specified networks, though we allow DHCP requests -# as well. -# -handle_iptable() -{ - # Check for a working iptables installation. Checking for the iptables - # binary is not sufficient, because the user may not have the appropriate - # modules installed. If iptables is not working, then there's no need to do - # anything with it, so we can just return. - if ! iptables -L -n >&/dev/null - then - return - fi - - claim_lock "iptables" - - if [ "$ip" != "" ] - then - local addr - for addr in $ip - do - frob_iptable -s "$addr" - done - - # Always allow the domain to talk to a DHCP server. 
- frob_iptable -p udp --sport 68 --dport 67 - else - # No IP addresses have been specified, so allow anything. - frob_iptable - fi - - release_lock "iptables" -} - - -## -# ip_of interface -# -# Print the IP address currently in use at the given interface, or nothing if -# the interface is not up. -# -ip_of() -{ - ip addr show "$1" | awk "/^.*inet.*$1\$/{print \$2}" | sed -n '1 s,/.*,,p' -} - - -## -# dom0_ip -# -# Print the IP address of the interface in dom0 through which we are routing. -# This is the IP address on the interface specified as "netdev" as a parameter -# to these scripts, or eth0 by default. This function will call fatal if no -# such interface could be found. -# -dom0_ip() -{ - local nd=${netdev:-eth0} - local result=$(ip_of "$nd") - if [ -z "$result" ] - then - fatal -"$netdev is not up. Bring it up or specify another interface with " \ -"netdev= as a parameter to $0." - fi - echo "$result" -} diff --git a/scripts_debian/proxy/files/etc/xen/scripts/vif-nat b/scripts_debian/proxy/files/etc/xen/scripts/vif-nat deleted file mode 100755 index 9082cc9..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/vif-nat +++ /dev/null 
@@ -1,192 +0,0 @@ -#!/bin/bash -#============================================================================ -# ${XEN_SCRIPT_DIR}/vif-nat -# -# Script for configuring a vif in routed-nat mode. -# The hotplugging system will call this script if it is specified either in -# the device configuration given to Xend, or the default Xend configuration -# in ${XEN_CONFIG_DIR}/xend-config.sxp. If the script is specified in -# neither of those places, then vif-bridge is the default. -# -# Usage: -# vif-nat (add|remove|online|offline) -# -# Environment vars: -# dev vif interface name (required). -# XENBUS_PATH path to this device's details in the XenStore (required). -# -# Parameters: -# dhcp Whether to alter the local DHCP configuration to include this -# new host (default no). -# -# Read from the store: -# ip list of IP networks for the vif, space-separated (default given in -# this script). -#============================================================================ - - -dir=$(dirname "$0") -. "$dir/vif-common.sh" - -# turn on dhcp feature by default if dhcpd is installed -if [ -f /etc/dhcpd.conf ] -then - dhcp=${dhcp:-yes} -else - dhcp=${dhcp:-no} -fi - -if [ "$dhcp" != 'no' ] -then - dhcpd_conf_file=$(find_dhcpd_conf_file) - dhcpd_init_file=$(find_dhcpd_init_file) - dhcpd_arg_file=$(find_dhcpd_arg_file) - if [ -z "$dhcpd_conf_file" ] || [ -z "$dhcpd_init_file" ] || [ -z "$dhcpd_arg_file" ] - then - echo 'Failed to find dhcpd configuration or init or args file.' >&2 - exit 1 - fi -fi - - -domid=$(xenstore_read "$XENBUS_PATH/frontend-id") -vifid=$(xenstore_read "$XENBUS_PATH/handle") -vifid=$(( $vifid + 1 )) - - -ip_from_dom() -{ - local domid1=$(( $domid / 256 )) - local domid2=$(( $domid % 256 )) - - echo "10.$domid1.$domid2.$vifid/16" -} - - -routing_ip() -{ - echo $(echo $1 | awk -F. 
'{print $1"."$2"."$3"."$4 + 127}') -} - - -dotted_quad() -{ - echo\ - $(( ($1 & 0xFF000000) >> 24))\ -.$(( ($1 & 0x00FF0000) >> 16))\ -.$(( ($1 & 0x0000FF00) >> 8 ))\ -.$(( $1 & 0x000000FF )) -} - - -if [ "$ip" = "" ] -then - ip=$(ip_from_dom) -fi - -router_ip=$(routing_ip "$ip") - -# Split the given IP/bits pair. -vif_ip=`echo ${ip} | awk -F/ '{print $1}'` - -hostname=$(xenstore_read "$XENBUS_PATH/domain" | tr -- '_.:/+' '-----') -if [ "$vifid" != "1" ] -then - hostname="$hostname-$vifid" -fi - -dhcparg_remove_entry() -{ - local tmpfile=$(mktemp) - sed -e "s/${dev} //" "$dhcpd_arg_file" >"$tmpfile" - if diff "$tmpfile" "$dhcpd_arg_file" >/dev/null - then - rm "$tmpfile" - else - mv "$tmpfile" "$dhcpd_arg_file" - fi -} - -dhcparg_add_entry() -{ - dhcparg_remove_entry - local tmpfile=$(mktemp) - # handle Red Hat, SUSE, and Debian styles, with or without quotes - sed -e 's/^DHCPDARGS="*\([^"]*\)"*/DHCPDARGS="\1'"${dev} "'"/' \ - "$dhcpd_arg_file" >"$tmpfile" && mv "$tmpfile" "$dhcpd_arg_file" - sed -e 's/^DHCPD_INTERFACE="*\([^"]*\)"*/DHCPD_INTERFACE="\1'"${dev} "'"/' \ - "$dhcpd_arg_file" >"$tmpfile" && mv "$tmpfile" "$dhcpd_arg_file" - sed -e 's/^INTERFACES="*\([^"]*\)"*/INTERFACES="\1'"${dev} "'"/' \ - "$dhcpd_arg_file" >"$tmpfile" && mv "$tmpfile" "$dhcpd_arg_file" - rm -f "$tmpfile" -} - -dhcp_remove_entry() -{ - local tmpfile=$(mktemp) - grep -v "host $hostname" "$dhcpd_conf_file" >"$tmpfile" - if diff "$tmpfile" "$dhcpd_conf_file" >/dev/null - then - rm "$tmpfile" - else - mv "$tmpfile" "$dhcpd_conf_file" - fi - dhcparg_remove_entry -} - - -dhcp_up() -{ - claim_lock "vif-nat-dhcp" - dhcp_remove_entry - mac=$(xenstore_read "$XENBUS_PATH/mac") - echo >>"$dhcpd_conf_file" \ -"host $hostname { hardware ethernet $mac; fixed-address $vif_ip; option routers $router_ip; option host-name \"$hostname\"; }" - dhcparg_add_entry - release_lock "vif-nat-dhcp" - "$dhcpd_init_file" restart || true -} - - -dhcp_down() -{ - claim_lock "vif-nat-dhcp" - dhcp_remove_entry - 
release_lock "vif-nat-dhcp" - "$dhcpd_init_file" restart || true # We need to ignore failure because - # ISC dhcpd 3 borks if there is nothing - # for it to do, which is the case if - # the outgoing interface is not - # configured to offer leases and there - # are no vifs. -} - - -case "$command" in - online) - if ip route | grep -q "dev ${dev}" - then - log debug "${dev} already up" - exit 0 - fi - - do_or_die ip link set "${dev}" up arp on - do_or_die ip addr add "$router_ip" dev "${dev}" - do_or_die ip route add "$vif_ip" dev "${dev}" src "$router_ip" - echo 1 >/proc/sys/net/ipv4/conf/${dev}/proxy_arp - [ "$dhcp" != 'no' ] && dhcp_up - ;; - offline) - [ "$dhcp" != 'no' ] && dhcp_down - do_without_error ifconfig "${dev}" down - ;; -esac - - -handle_iptable - -log debug "Successful vif-nat $command for ${dev}." -if [ "$command" = "online" ] -then - success -fi diff --git a/scripts_debian/proxy/files/etc/xen/scripts/vif-route b/scripts_debian/proxy/files/etc/xen/scripts/vif-route deleted file mode 100755 index 6c5587a..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/vif-route +++ /dev/null 
@@ -1,56 +0,0 @@ -#!/bin/bash -#============================================================================ -# ${XEN_SCRIPT_DIR}/vif-route -# -# Script for configuring a vif in routed mode. -# The hotplugging system will call this script if it is specified either in -# the device configuration given to Xend, or the default Xend configuration -# in ${XEN_CONFIG_DIR}/xend-config.sxp. If the script is specified in -# neither of those places, then vif-bridge is the default. -# -# Usage: -# vif-route (add|remove|online|offline) -# -# Environment vars: -# dev vif interface name (required). -# XENBUS_PATH path to this device's details in the XenStore (required). -# -# Read from the store: -# ip list of IP networks for the vif, space-separated (default given in -# this script). -#============================================================================ - -dir=$(dirname "$0") -. "${dir}/vif-common.sh" - -main_ip=$(dom0_ip) - -case "${command}" in - online) - ifconfig ${dev} ${main_ip} netmask 255.255.255.255 up - echo 1 >/proc/sys/net/ipv4/conf/${dev}/proxy_arp - ipcmd='add' - cmdprefix='' - ;; - offline) - do_without_error ifdown ${dev} - ipcmd='del' - cmdprefix='do_without_error' - ;; -esac - -if [ "${ip}" ] ; then - # If we've been given a list of IP addresses, then add routes from dom0 to - # the guest using those addresses. - for addr in ${ip} ; do - ${cmdprefix} ip route ${ipcmd} ${addr} dev ${dev} src ${main_ip} - done -fi - -handle_iptable - -log debug "Successful vif-route ${command} for ${dev}." -if [ "${command}" = "online" ] -then - success -fi diff --git a/scripts_debian/proxy/files/etc/xen/scripts/vif-route-qubes b/scripts_debian/proxy/files/etc/xen/scripts/vif-route-qubes deleted file mode 100755 index 68fbf38..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/vif-route-qubes +++ /dev/null 
@@ -1,65 +0,0 @@ -#!/bin/bash -#============================================================================ -# /etc/xen/vif-route-qubes -# -# Script for configuring a vif in routed mode. -# The hotplugging system will call this script if it is specified either in -# the device configuration given to Xend, or the default Xend configuration -# in /etc/xen/xend-config.sxp. If the script is specified in neither of those -# places, then vif-bridge is the default. -# -# Usage: -# vif-route (add|remove|online|offline) -# -# Environment vars: -# vif vif interface name (required). -# XENBUS_PATH path to this device's details in the XenStore (required). -# -# Read from the store: -# ip list of IP networks for the vif, space-separated (default given in -# this script). -#============================================================================ - -dir=$(dirname "$0") -. "$dir/vif-common.sh" - -#main_ip=$(dom0_ip) - -case "$command" in - online) - ifconfig ${vif} up - echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp - ipcmd='add' - iptables_cmd='-I PREROUTING 1' - cmdprefix='' - ;; - offline) - do_without_error ifdown ${vif} - ipcmd='del' - iptables_cmd='-D PREROUTING' - cmdprefix='do_without_error' - ;; -esac - -domid=${vif/vif/} -domid=${domid/.*/} -# metric must be possitive, but prefer later interface -# 32752 is max XID aka domid -metric=$[ 32752 - $domid ] - -if [ "${ip}" ] ; then - # If we've been given a list of IP addresses, then add routes from dom0 to - # the guest using those addresses. - for addr in ${ip} ; do - ${cmdprefix} ip route ${ipcmd} ${addr} dev ${vif} metric $metric - done - ${cmdprefix} iptables -t raw $iptables_cmd -i ${vif} \! -s ${ip} -j DROP - back_ip=`xenstore-read qubes-netvm-gateway` - ${cmdprefix} ip addr ${ipcmd} ${back_ip}/32 dev ${vif} -fi - -log debug "Successful vif-route-qubes $command for $vif." -if [ "$command" = "online" ] -then - success -fi 
diff --git a/scripts_debian/proxy/files/etc/xen/scripts/vif-setup b/scripts_debian/proxy/files/etc/xen/scripts/vif-setup deleted file mode 100755 index bcc462e..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/vif-setup +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -if test "$script" -then - exec $script $* -else - exec /etc/xen/scripts/vif-bridge $* -fi - diff --git a/scripts_debian/proxy/files/etc/xen/scripts/vif2 b/scripts_debian/proxy/files/etc/xen/scripts/vif2 deleted file mode 100755 index 2c155be..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/vif2 +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash - -dir=$(dirname "$0") -. "$dir/xen-hotplug-common.sh" -. "$dir/xen-network-common.sh" - -bridge=$(xenstore_read_default "$XENBUS_PATH/bridge" "$bridge") -if [ -z "$bridge" ] - then - nr_bridges=$(($(brctl show | cut -f 1 | grep -v "^$" | wc -l) - 1)) - if [ "$nr_bridges" != 1 ] - then - fatal "no bridge specified, and don't know which one to use ($nr_bridges found)" - fi - bridge=$(brctl show | cut -d " -" -f 2 | cut -f 1) -fi - -command="$1" -shift - -case "$command" in - "online") - if [ "$bridge" != "-" ] - then - setup_virtual_bridge_port "$vif" - add_to_bridge "$bridge" "$vif" - else - # Just let the normal udev rules for interfaces handle it. - true - fi - success - ;; - - "add") - success - ;; - - "remove") - ;; - - *) - echo "Unknown command: $command" - echo 'Valid commands are: add, remove, online' - exit 1 -esac diff --git a/scripts_debian/proxy/files/etc/xen/scripts/vscsi b/scripts_debian/proxy/files/etc/xen/scripts/vscsi deleted file mode 100755 index 5ac2614..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/vscsi +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/sh -# -# Copyright (c) 2007, FUJITSU Limited -# Based on the block scripts code. -# - -dir=$(dirname "$0") -. "$dir/xen-hotplug-common.sh" - -findCommand "$@" - -case "$command" in - add) - success - ;; - remove) - # TODO - exit 0 - ;; -esac - -exit 0 
diff --git a/scripts_debian/proxy/files/etc/xen/scripts/vtpm b/scripts_debian/proxy/files/etc/xen/scripts/vtpm deleted file mode 100755 index 38a4532..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/vtpm +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -dir=$(dirname "$0") -. "$dir/vtpm-hotplug-common.sh" - -vtpm_fatal_error=0 - -case "$command" in - add) - vtpm_create_instance - ;; - remove) - vtpm_remove_instance - ;; -esac - -if [ $vtpm_fatal_error -eq 0 ]; then - log debug "Successful vTPM operation '$command'." - success -else - fatal "Error while executing vTPM operation '$command'." -fi diff --git a/scripts_debian/proxy/files/etc/xen/scripts/vtpm-common.sh b/scripts_debian/proxy/files/etc/xen/scripts/vtpm-common.sh deleted file mode 100755 index d0d7935..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/vtpm-common.sh +++ /dev/null 
@@ -1,448 +0,0 @@ -# -# Copyright (c) 2005 IBM Corporation -# Copyright (c) 2005 XenSource Ltd. -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of version 2.1 of the GNU Lesser General Public -# License as published by the Free Software Foundation. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -dir=$(dirname "$0") -. "$dir/logging.sh" -. "$dir/locking.sh" - -VTPMDB="/var/vtpm/vtpm.db" - -#In the vtpm-impl file some commands should be defined: -# vtpm_create, vtpm_setup, vtpm_start, etc. (see below) -if [ -r "$dir/vtpm-impl.alt" ]; then - . "$dir/vtpm-impl.alt" -elif [ -r "$dir/vtpm-impl" ]; then - . "$dir/vtpm-impl" -else - function vtpm_create () { - true - } - function vtpm_setup() { - true - } - function vtpm_start() { - true - } - function vtpm_suspend() { - true - } - function vtpm_resume() { - true - } - function vtpm_delete() { - true - } - function vtpm_migrate() { - echo "Error: vTPM migration accross machines not implemented." 
- } - function vtpm_migrate_local() { - echo "Error: local vTPM migration not supported" - } - function vtpm_migrate_recover() { - true - } -fi - - -#Find the instance number for the vtpm given the name of the domain -# Parameters -# - vmname : the name of the vm -# Return value -# Returns '0' if instance number could not be found, otherwise -# it returns the instance number in the variable 'instance' -function vtpmdb_find_instance () { - local vmname ret instance - vmname=$1 - ret=0 - - instance=$(cat $VTPMDB | \ - awk -vvmname=$vmname \ - '{ \ - if ( 1 != index($1,"#")) { \ - if ( $1 == vmname ) { \ - print $2; \ - exit; \ - } \ - } \ - }') - if [ "$instance" != "" ]; then - ret=$instance - fi - echo "$ret" -} - - -# Check whether a particular instance number is still available -# returns "0" if it is not available, "1" otherwise. -function vtpmdb_is_free_instancenum () { - local instance instances avail i - instance=$1 - avail=1 - #Allowed instance number range: 1-255 - if [ $instance -eq 0 -o $instance -gt 255 ]; then - avail=0 - else - instances=$(cat $VTPMDB | \ - awk \ - '{ \ - if (1 != index($1,"#")) { \ - printf("%s ",$2); \ - } \ - }') - for i in $instances; do - if [ $i -eq $instance ]; then - avail=0 - break - fi - done - fi - echo "$avail" -} - - -# Get an available instance number given the database -# Returns an unused instance number -function vtpmdb_get_free_instancenum () { - local ctr instances don found - instances=$(cat $VTPMDB | \ - awk \ - '{ \ - if (1 != index($1,"#")) { \ - printf("%s ",$2); \ - } \ - }') - ctr=1 - don=0 - while [ $don -eq 0 ]; do - found=0 - for i in $instances; do - if [ $i -eq $ctr ]; then - found=1; - break; - fi - done - - if [ $found -eq 0 ]; then - don=1 - break - fi - let ctr=ctr+1 - done - echo "$ctr" -} - - -# Add a domain name and instance number to the DB file -function vtpmdb_add_instance () { - local res vmname inst - vmname=$1 - inst=$2 - - if [ ! 
-f $VTPMDB ]; then - echo "#Database for VM to vTPM association" > $VTPMDB - echo "#1st column: domain name" >> $VTPMDB - echo "#2nd column: TPM instance number" >> $VTPMDB - fi - res=$(vtpmdb_validate_entry $vmname $inst) - if [ $res -eq 0 ]; then - echo "$vmname $inst" >> $VTPMDB - fi -} - - -#Validate whether an entry is the same as passed to this -#function -function vtpmdb_validate_entry () { - local res rc vmname inst - rc=0 - vmname=$1 - inst=$2 - - res=$(cat $VTPMDB | \ - awk -vvmname=$vmname \ - -vinst=$inst \ - '{ \ - if ( 1 == index($1,"#")) {\ - } else \ - if ( $1 == vmname && \ - $2 == inst) { \ - printf("1"); \ - exit; \ - } else \ - if ( $1 == vmname || \ - $2 == inst) { \ - printf("2"); \ - exit; \ - } \ - }') - - if [ "$res" == "1" ]; then - rc=1 - elif [ "$res" == "2" ]; then - rc=2 - fi - echo "$rc" -} - - -#Remove an entry from the vTPM database given its domain name -#and instance number -function vtpmdb_remove_entry () { - local vmname instance VTPMDB_TMP - vmname=$1 - instance=$2 - VTPMDB_TMP="$VTPMDB".tmp - - $(cat $VTPMDB | \ - awk -vvmname=$vmname \ - '{ \ - if ( $1 != vmname ) { \ - print $0; \ - } \ - '} > $VTPMDB_TMP) - if [ -e $VTPMDB_TMP ]; then - mv -f $VTPMDB_TMP $VTPMDB - vtpm_delete $instance - else - log err "Error creating temporary file '$VTPMDB_TMP'." - fi -} - - -# Find the reason for the creation of this device: -# Returns 'resume' or 'create' -function vtpm_get_create_reason () { - local resume - resume=$(xenstore_read $XENBUS_PATH/resume) - if [ "$resume" == "True" ]; then - echo "resume" - else - echo "create" - fi -} - - -#Create a vTPM instance -# If no entry in the TPM database is found, the instance is -# created and an entry added to the database. 
-function vtpm_create_instance () { - local res instance domname reason uuid - uuid=$(xenstore_read "$XENBUS_PATH"/uuid) - reason=$(vtpm_get_create_reason) - - claim_lock vtpmdb - - instance="0" - - if [ "$uuid" != "" ]; then - instance=$(vtpmdb_find_instance $uuid) - fi - if [ "$instance" == "0" ]; then - domname=$(xenstore_read "$XENBUS_PATH"/domain) - instance=$(vtpmdb_find_instance $domname) - fi - - if [ "$instance" == "0" -a "$reason" != "create" ]; then - release_lock vtpmdb - return - fi - - if [ "$instance" == "0" ]; then - #Try to give the preferred instance to the domain - instance=$(xenstore_read "$XENBUS_PATH"/pref_instance) - if [ "$instance" != "" ]; then - res=$(vtpmdb_is_free_instancenum $instance) - if [ $res -eq 0 ]; then - instance=$(vtpmdb_get_free_instancenum) - fi - else - instance=$(vtpmdb_get_free_instancenum) - fi - - vtpm_create $instance - - if [ $vtpm_fatal_error -eq 0 ]; then - if [ "$uuid" != "" ]; then - vtpmdb_add_instance $uuid $instance - else - vtpmdb_add_instance $domname $instance - fi - fi - else - if [ "$reason" == "resume" ]; then - vtpm_resume $instance - else - vtpm_start $instance - fi - fi - - release_lock vtpmdb - - xenstore_write $XENBUS_PATH/instance $instance -} - - -#Remove an instance when a VM is terminating or suspending. -#Since it is assumed that the VM will appear again, the -#entry is kept in the VTPMDB file. 
-function vtpm_remove_instance () { - local instance reason domname uuid - #Stop script execution quietly if path does not exist (anymore) - xenstore-exists "$XENBUS_PATH"/domain - uuid=$(xenstore_read "$XENBUS_PATH"/uuid) - - claim_lock vtpmdb - - instance="0" - - if [ "$uuid" != "" ]; then - instance=$(vtpmdb_find_instance $uuid) - fi - - if [ "$instance" == "0" ]; then - domname=$(xenstore_read "$XENBUS_PATH"/domain) - instance=$(vtpmdb_find_instance $domname) - fi - - if [ "$instance" != "0" ]; then - vtpm_suspend $instance - fi - - release_lock vtpmdb -} - - -#Remove an entry in the VTPMDB file given the domain's name -#1st parameter: The name of the domain -function vtpm_delete_instance () { - local instance - - claim_lock vtpmdb - - instance=$(vtpmdb_find_instance $1) - if [ "$instance" != "0" ]; then - vtpmdb_remove_entry $1 $instance - fi - - release_lock vtpmdb -} - -# Determine whether the given address is local to this machine -# Return values: -# "-1" : the given machine name is invalid -# "0" : this is not an address of this machine -# "1" : this is an address local to this machine -function vtpm_isLocalAddress() { - local addr res - addr=$(ping $1 -c 1 | \ - awk '{ print substr($3,2,length($3)-2); exit }') - if [ "$addr" == "" ]; then - echo "-1" - return - fi - res=$(ifconfig | grep "inet addr" | \ - awk -vaddr=$addr \ - '{ \ - if ( addr == substr($2, 6)) {\ - print "1"; \ - } \ - }' \ - ) - if [ "$res" == "" ]; then - echo "0" - return - fi - echo "1" -} - -# Perform a migration step. This function differentiates between migration -# to the local host or to a remote machine. -# Parameters: -# 1st: destination host to migrate to -# 2nd: name of the domain to migrate -# 3rd: the migration step to perform -function vtpm_migration_step() { - local res=$(vtpm_isLocalAddress $1) - if [ "$res" == "0" ]; then - vtpm_migrate $1 $2 $3 - else - vtpm_migrate_local - fi -} - -# Recover from migration due to an error. 
This function differentiates -# between migration to the local host or to a remote machine. -# Parameters: -# 1st: destination host the migration was going to -# 2nd: name of the domain that was to be migrated -# 3rd: the last successful migration step that was done -function vtpm_recover() { - local res - res=$(vtpm_isLocalAddress $1) - if [ "$res" == "0" ]; then - vtpm_migrate_recover $1 $2 $3 - fi -} - - -#Determine the domain id given a domain's name. -#1st parameter: name of the domain -#return value: domain id or -1 if domain id could not be determined -function vtpm_domid_from_name () { - local id name ids - ids=$(xenstore-list /local/domain) - for id in $ids; do - name=$(xenstore-read /local/domain/$id/name) - if [ "$name" == "$1" ]; then - echo "$id" - return - fi - done - echo "-1" -} - -#Determine the virtual TPM's instance number using the domain ID. -#1st parm: domain ID -function vtpm_uuid_by_domid() { - echo $(xenstore-read /local/domain/0/backend/vtpm/$1/0/uuid) -} - - -# Determine the vTPM's UUID by the name of the VM -function vtpm_uuid_from_vmname() { - local domid=$(vtpm_domid_from_name $1) - if [ "$domid" != "-1" ]; then - echo $(vtpm_uuid_by_domid $domid) - return - fi - echo "" -} - -#Add a virtual TPM instance number and its associated domain name -#to the VTPMDB file and activate usage of this virtual TPM instance -#by writing the instance number into the xenstore -#1st parm: name of virtual machine -#2nd parm: instance of associated virtual TPM -function vtpm_add_and_activate() { - local domid=$(vtpm_domid_from_name $1) - local vtpm_uuid=$(vtpm_uuid_from_vmname $1) - if [ "$vtpm_uuid" != "" -a "$domid" != "-1" ]; then - vtpmdb_add_instance $vtpm_uuid $2 - xenstore-write backend/vtpm/$domid/0/instance $2 - fi -} diff --git a/scripts_debian/proxy/files/etc/xen/scripts/vtpm-delete b/scripts_debian/proxy/files/etc/xen/scripts/vtpm-delete deleted file mode 100755 index b75b95b..0000000 
--- a/scripts_debian/proxy/files/etc/xen/scripts/vtpm-delete +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/bash - -# This scripts must be called the following way: -# vtpm-delete -# or -# vtpm-delete --vmname - -dir=$(dirname "$0") -. "$dir/vtpm-common.sh" - -if [ "$1" == "--vmname" ]; then - vtpm_uuid=$(vtpm_uuid_from_vmname $2) - if [ "$vtpm_uuid" != "" ];then - vtpm_delete_instance $vtpm_uuid - fi -else - vtpm_delete_instance $1 -fi diff --git a/scripts_debian/proxy/files/etc/xen/scripts/vtpm-hotplug-common.sh b/scripts_debian/proxy/files/etc/xen/scripts/vtpm-hotplug-common.sh deleted file mode 100755 index 9fd35e7..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/vtpm-hotplug-common.sh +++ /dev/null @@ -1,35 +0,0 @@ -# -# Copyright (c) 2005 IBM Corporation -# Copyright (c) 2005 XenSource Ltd. -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of version 2.1 of the GNU Lesser General Public -# License as published by the Free Software Foundation. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -dir=$(dirname "$0") -. "$dir/xen-hotplug-common.sh" - -findCommand "$@" -if [ "$command" != "online" ] && - [ "$command" != "offline" ] && - [ "$command" != "add" ] && - [ "$command" != "remove" ] -then - log err "Invalid command: $command" - exit 1 -fi - - -XENBUS_PATH="${XENBUS_PATH:?}" - -. "$dir/vtpm-common.sh" diff --git a/scripts_debian/proxy/files/etc/xen/scripts/vtpm-impl b/scripts_debian/proxy/files/etc/xen/scripts/vtpm-impl deleted file mode 100755 index 4f9a1fd..0000000 
--- a/scripts_debian/proxy/files/etc/xen/scripts/vtpm-impl +++ /dev/null 
@@ -1,208 +0,0 @@ -#!/bin/bash -# =================================================================== -# -# Copyright (c) 2005, Intel Corp. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# -# * Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials provided -# with the distribution. -# * Neither the name of Intel Corporation nor the names of its -# contributors may be used to endorse or promote products derived -# from this software without specific prior written permission. -# -# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -# OF THE POSSIBILITY OF SUCH DAMAGE. 
-# =================================================================== - -# | SRC | TAG | CMD SIZE | ORD |mtype|strt -TPM_CMD_OPEN=\\x00\\x00\\x00\\x00\\x01\\xc1\\x00\\x00\\x00\\x11\\x01\\x00\\x00\\x01\\x01\\x01 -TPM_CMD_RESM=\\x00\\x00\\x00\\x00\\x01\\xc1\\x00\\x00\\x00\\x11\\x01\\x00\\x00\\x01\\x01\\x02 -TPM_CMD_CLOS=\\x00\\x00\\x00\\x00\\x01\\xc1\\x00\\x00\\x00\\x0e\\x01\\x00\\x00\\x02 -TPM_CMD_DELE=\\x00\\x00\\x00\\x00\\x01\\xc1\\x00\\x00\\x00\\x0e\\x01\\x00\\x00\\x03 - -TPM_TYPE_PVM=\\x01 -TPM_TYPE_HVM=\\x02 - -TPM_SUCCESS=00000000 - -TX_VTPM_MANAGER=/var/vtpm/fifos/from_console.fifo -RX_VTPM_MANAGER=/var/vtpm/fifos/to_console.fifo - -VTPM_MIG=/usr/bin/vtpm_migrator - -# -------------------- Helpers for binary streams ----------- - -function str_to_hex32() { - printf "%0.8x" $1 -} - -function hex32_to_bin() { - local inst=$(str_to_hex32 $1); - - local n1=`echo $inst | sed 's/\(..\)....../\\\\x\1/'` - local n2=`echo $inst | sed 's/..\(..\)..../\\\\x\1/'` - local n3=`echo $inst | sed 's/....\(..\)../\\\\x\1/'` - local n4=`echo $inst | sed 's/......\(..\)/\\\\x\1/'` - - echo "$n1$n2$n3$n4" -} - -function vtpm_manager_cmd() { - local cmd=$1; - local inst=$2; - local inst_bin=$(hex32_to_bin $inst); - - claim_lock vtpm_mgr - - #send cmd to vtpm_manager - printf "$cmd$inst_bin" > $TX_VTPM_MANAGER - - #recv response - set +e - local resp_hex=`dd skip=10 bs=1 count=4 if=$RX_VTPM_MANAGER 2> /dev/null | xxd -ps` - set -e - - release_lock vtpm_mgr - - #return whether the command was successful - if [ $resp_hex -ne $TPM_SUCCESS ]; then - vtpm_fatal_error=1 - false - else - true - fi -} - -# Helper to get vm type to pass to vtpm_manager open/resume -function vtpm_get_type() { - local inst=$(xenstore_read $XENBUS_PATH/frontend-id) - local vm=$(xenstore_read /local/domain/$inst/vm) - if [ "$vm" != "" ]; then - local ostype=$(xenstore-read $vm/image/ostype) - if [ "$ostype" == "hvm" ]; then - echo $TPM_TYPE_HVM; - else - echo $TPM_TYPE_PVM; - fi - fi -} - -# ------------------ 
Command handlers ----------------- - -# Create new vtpm instance & set it up for use -function vtpm_create () { - # Creation is handled implicitly by the manager on first setup - # so just set it up for use - $(vtpm_start $1) -} - -# Setup vtpm instance for use. -function vtpm_start() { - local vmtype=$(vtpm_get_type); - $(vtpm_manager_cmd $TPM_CMD_OPEN$vmtype $1) -} - -function vtpm_resume() { - local vmtype=$(vtpm_get_type); - $(vtpm_manager_cmd $TPM_CMD_RESM$vmtype $1) -} - -# Reset the vtpm AKA clear PCRs -function vtpm_reset() { - #not used by current implemenation - true -} - -# Shutdown the vtpm while the vm is down -# This could be a suspend of shutdown -# we cannot distinquish, so save the state -# and decide on startup if we should keep is -function vtpm_suspend() { - $(vtpm_manager_cmd $TPM_CMD_CLOS $1) -} - - -function vtpm_delete() { - local inst=$1 - if $(vtpm_manager_cmd $TPM_CMD_DELE $inst); then - rm -f /var/vtpm/vtpm_dm_$1.data - true - else - vtpm_fatal_error=1 - false - fi -} - -# Perform a migration step. This function differentiates between migration -# to the local host or to a remote machine. -# Parameters: -# 1st: destination host to migrate to -# 2nd: name of the domain to migrate -# 3rd: the migration step to perform -function vtpm_migrate() { - local instance res - - instance=$(vtpmdb_find_instance $2) - if [ "$instance" == "" ]; then - log err "VTPM Migratoin failed. 
Unable to translation of domain name" - echo "Error: VTPM Migration failed while looking up instance number" - fi - - case "$3" in - 0) - #Incicate migration supported - echo "0" - ;; - - 1) - # Get Public Key from Destination - # Call vtpm_manager's migration part 1 - claim_lock vtpm_mgr - $VTPM_MIG $1 $2 $instance $3 - release_lock vtpm_mgr - ;; - - 2) - # Call manager's migration step 2 and send result to destination - # If successful remove from db - claim_lock vtpm_mgr - $VTPM_MIG $1 $2 $instance $3 - release_lock vtpm_mgr - ;; - - 3) - if `ps x | grep "$VTPM_MIG $1"`; then - log err "VTPM Migration failed to complete." - echo "Error: VTPM Migration failed to complete." - fi - ;; - esac - -} - - -function vtpm_migrate_recover() { - echo "Error: Recovery not supported yet" -} - -function vtpm_migrate_local() { - echo "Error: local vTPM migration not supported" -} diff --git a/scripts_debian/proxy/files/etc/xen/scripts/vtpm-migration.sh b/scripts_debian/proxy/files/etc/xen/scripts/vtpm-migration.sh deleted file mode 100755 index 7e38ae2..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/vtpm-migration.sh +++ /dev/null @@ -1,19 +0,0 @@ -# -# Copyright (c) 2005 IBM Corporation -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of version 2.1 of the GNU Lesser General Public -# License as published by the Free Software Foundation. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - -dir=$(dirname "$0") -. "$dir/vtpm-common.sh" 
diff --git a/scripts_debian/proxy/files/etc/xen/scripts/xen-hotplug-cleanup b/scripts_debian/proxy/files/etc/xen/scripts/xen-hotplug-cleanup deleted file mode 100755 index fcaa8fc..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/xen-hotplug-cleanup +++ /dev/null @@ -1,45 +0,0 @@ -#! /bin/bash - -dir=$(dirname "$0") -. "$dir/xen-hotplug-common.sh" - -# Claim the lock protecting ${XEN_SCRIPT_DIR}/block. This stops a race whereby -# paths in the store would disappear underneath that script as it attempted to -# read from the store checking for device sharing. -# Any other scripts that do similar things will have to have their lock -# claimed too. -# This is pretty horrible, but there's not really a nicer way of solving this. -claim_lock "block" - -# split backend/DEVCLASS/VMID/DEVID on slashes -path_array=( ${XENBUS_PATH//\// } ) -# get /vm/UUID path -vm=$(xenstore_read_default "/local/domain/${path_array[2]}/vm" "") -# construct /vm/UUID/device/DEVCLASS/DEVID -if [ "$vm" != "" ]; then - vm_dev="$vm/device/${path_array[1]}/${path_array[3]}" - - # if the vm path does not exist and the device class is 'vbd' then we may have - # a tap2 device - $(xenstore-read "$vm_dev" 2>/dev/null) || \ - { - if [ "${path_array[1]}" = "vbd" ]; then - vm_dev="$vm/device/tap2/${path_array[3]}" - fi - } -else - vm_dev= -fi - -# remove device frontend store entries -xenstore-rm -t \ - $(xenstore-read "$XENBUS_PATH/frontend" 2>/dev/null) 2>/dev/null || true - -# remove device backend store entries -xenstore-rm -t "$XENBUS_PATH" 2>/dev/null || true -xenstore-rm -t "error/$XENBUS_PATH" 2>/dev/null || true - -# remove device path from /vm/UUID -[ "$vm_dev" != "" ] && xenstore-rm -t "$vm_dev" 2>/dev/null || true - -release_lock "block" diff --git a/scripts_debian/proxy/files/etc/xen/scripts/xen-hotplug-common.sh b/scripts_debian/proxy/files/etc/xen/scripts/xen-hotplug-common.sh deleted file mode 100755 index 370f9ad..0000000 
--- a/scripts_debian/proxy/files/etc/xen/scripts/xen-hotplug-common.sh +++ /dev/null 
@@ -1,102 +0,0 @@ -# -# Copyright (c) 2005 XenSource Ltd. -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of version 2.1 of the GNU Lesser General Public -# License as published by the Free Software Foundation. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - - -dir=$(dirname "$0") -. "$dir/hotplugpath.sh" -. "$dir/logging.sh" -. "$dir/xen-script-common.sh" -. "$dir/locking.sh" - -exec 2>>/var/log/xen/xen-hotplug.log - -export PATH="${BINDIR}:${SBINDIR}:${LIBEXEC}:${PRIVATE_BINDIR}:/sbin:/bin:/usr/bin:/usr/sbin:$PATH" -export LANG="POSIX" -unset $(set | grep ^LC_ | cut -d= -f1) - -fatal() { - _xenstore_write "$XENBUS_PATH/hotplug-error" "$*" \ - "$XENBUS_PATH/hotplug-status" error - log err "$@" - exit 1 -} - -success() { - # Tell DevController that backend is "connected" - xenstore_write "$XENBUS_PATH/hotplug-status" connected -} - -do_or_die() { - "$@" || fatal "$@ failed" -} - -do_without_error() { - "$@" 2>/dev/null || log debug "$@ failed" -} - -sigerr() { - fatal "$0 failed; error detected." -} - -trap sigerr ERR - - -## -# xenstore_read + -# -# Read each of the given paths, returning each result on a separate line, or -# exit this script if any of the paths is missing. -# -xenstore_read() { - local v=$(xenstore-read "$@" || true) - [ "$v" != "" ] || fatal "xenstore-read $@ failed." - echo "$v" -} - - -## -# xenstore_read_default -# -# Read the given path, returning the value there or the given default if the -# path is not present. 
-# -xenstore_read_default() { - xenstore-read "$1" 2>/dev/null || echo "$2" -} - - -## -# _xenstore_write ( )+ -# -# Write each of the key/value pairs to the store. -# -_xenstore_write() { - log debug "Writing $@ to xenstore." - xenstore-write "$@" -} - -## -# xenstore_write ( )+ -# -# Write each of the key/value pairs to the store, and exit this script if any -# such writing fails. -# -xenstore_write() { - _xenstore_write "$@" || fatal "Writing $@ to xenstore failed." -} - -log debug "$@" "XENBUS_PATH=$XENBUS_PATH" diff --git a/scripts_debian/proxy/files/etc/xen/scripts/xen-network-common.sh b/scripts_debian/proxy/files/etc/xen/scripts/xen-network-common.sh deleted file mode 100755 index f88f9b6..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/xen-network-common.sh +++ /dev/null 
@@ -1,141 +0,0 @@ -# -# Copyright (c) 2005 XenSource Ltd. -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of version 2.1 of the GNU Lesser General Public -# License as published by the Free Software Foundation. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - - -# Gentoo doesn't have ifup/ifdown, so we define appropriate alternatives. - -# Other platforms just use ifup / ifdown directly. - -## -# preiftransfer -# -# @param $1 The current name for the physical device, which is also the name -# that the virtual device will take once the physical device has -# been renamed. - -if ! which ifup >/dev/null 2>/dev/null -then - preiftransfer() - { - true - } - ifup() - { - false - } - ifdown() - { - false - } -else - preiftransfer() - { - true - } -fi - - -first_file() -{ - t="$1" - shift - for file in $@ - do - if [ "$t" "$file" ] - then - echo "$file" - return - fi - done -} - -find_dhcpd_conf_file() -{ - first_file -f /etc/dhcp3/dhcpd.conf /etc/dhcpd.conf -} - - -find_dhcpd_init_file() -{ - first_file -x /etc/init.d/{dhcp3-server,dhcp,dhcpd} -} - -find_dhcpd_arg_file() -{ - first_file -f /etc/sysconfig/dhcpd /etc/defaults/dhcp /etc/default/dhcp3-server -} - -# configure interfaces which act as pure bridge ports: -_setup_bridge_port() { - local dev="$1" - local virtual="$2" - - # take interface down ... - ip link set ${dev} down - - if [ $virtual -ne 0 ] ; then - # Initialise a dummy MAC address. 
We choose the numerically - # largest non-broadcast address to prevent the address getting - # stolen by an Ethernet bridge for STP purposes. - # (FE:FF:FF:FF:FF:FF) - ip link set ${dev} address fe:ff:ff:ff:ff:ff || true - fi - - # ... and configure it - ip addr flush ${dev} -} - -setup_physical_bridge_port() { - _setup_bridge_port $1 0 -} -setup_virtual_bridge_port() { - _setup_bridge_port $1 1 -} - -# Usage: create_bridge bridge -create_bridge () { - local bridge=$1 - - # Don't create the bridge if it already exists. - if [ ! -e "/sys/class/net/${bridge}/bridge" ]; then - brctl addbr ${bridge} - brctl stp ${bridge} off - brctl setfd ${bridge} 0 - # Setting these to zero stops guest<->LAN traffic - # traversing the bridge from hitting the *tables - # rulesets. guest<->host traffic still gets processed - # by the host's iptables rules so this isn't a hole - sysctl -q -w "net.bridge.bridge-nf-call-arptables=0" - sysctl -q -w "net.bridge.bridge-nf-call-ip6tables=0" - sysctl -q -w "net.bridge.bridge-nf-call-iptables=0" - fi -} - -# Usage: add_to_bridge bridge dev -add_to_bridge () { - local bridge=$1 - local dev=$2 - - # Don't add $dev to $bridge if it's already on a bridge. - if [ -e "/sys/class/net/${bridge}/brif/${dev}" ]; then - ip link set ${dev} up || true - return - fi - brctl addif ${bridge} ${dev} - ip link set ${dev} up -} - diff --git a/scripts_debian/proxy/files/etc/xen/scripts/xen-script-common.sh b/scripts_debian/proxy/files/etc/xen/scripts/xen-script-common.sh deleted file mode 100755 index f6841ac..0000000 --- a/scripts_debian/proxy/files/etc/xen/scripts/xen-script-common.sh +++ /dev/null 
@@ -1,44 +0,0 @@ -# -# Copyright (c) 2005 XenSource Ltd. -# -# This library is free software; you can redistribute it and/or -# modify it under the terms of version 2.1 of the GNU Lesser General Public -# License as published by the Free Software Foundation. -# -# This library is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# Lesser General Public License for more details. -# -# You should have received a copy of the GNU Lesser General Public -# License along with this library; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# - - -set -e - - -evalVariables() -{ - for arg in "$@" - do - if expr 'index' "$arg" '=' '>' '1' >/dev/null - then - eval "$arg" - fi - done -} - - -findCommand() -{ - for arg in "$@" - do - if ! expr 'index' "$arg" '=' >/dev/null - then - command="$arg" - return - fi - done -} From 16fdd0cc1d9fd3cc93c5632b91cbed070e2f8259 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 2 Nov 2014 16:41:39 -0500 Subject: [PATCH 49/83] debian: Added acpid to package list for all distros --- scripts_debian/packages_jessie.list | 1 + scripts_debian/packages_wheezy.list | 1 + scripts_debian/wheezy+whonix/packages_wheezy.list | 1 + 3 files changed, 3 insertions(+) diff --git a/scripts_debian/packages_jessie.list b/scripts_debian/packages_jessie.list index 7747fcf..fddb0a6 100644 --- a/scripts_debian/packages_jessie.list +++ b/scripts_debian/packages_jessie.list @@ -7,3 +7,4 @@ ncurses-term xserver-xorg-core x11-xserver-utils xinit +acpid diff --git a/scripts_debian/packages_wheezy.list b/scripts_debian/packages_wheezy.list index 7747fcf..fddb0a6 100644 --- a/scripts_debian/packages_wheezy.list +++ b/scripts_debian/packages_wheezy.list @@ -7,3 +7,4 @@ ncurses-term xserver-xorg-core x11-xserver-utils xinit +acpid 
diff --git a/scripts_debian/wheezy+whonix/packages_wheezy.list b/scripts_debian/wheezy+whonix/packages_wheezy.list index c8327e4..7dabc23 100644 --- a/scripts_debian/wheezy+whonix/packages_wheezy.list +++ b/scripts_debian/wheezy+whonix/packages_wheezy.list @@ -7,6 +7,7 @@ ncurses-term xserver-xorg-core x11-xserver-utils xinit +acpid git curl From 3d4eb870ce496280752ed36fcd9cfd08ad632d63 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Mon, 3 Nov 2014 02:39:08 -0500 Subject: [PATCH 50/83] Debian: Configured all wheezy/jessie+gnome whitelists --- appmenus_jessie/vm-whitelisted-appmenus.list | 2 ++ appmenus_jessie/whitelisted-appmenus.list | 5 +++++ .../netvm-whitelisted-appmenus.list | 1 + .../vm-whitelisted-appmenus.list | 16 ++++++++++++++++ appmenus_jessie_gnome/whitelisted-appmenus.list | 10 ++++++++++ appmenus_wheezy/vm-whitelisted-appmenus.list | 2 ++ appmenus_wheezy/whitelisted-appmenus.list | 5 +++++ .../netvm-whitelisted-appmenus.list | 1 + .../vm-whitelisted-appmenus.list | 15 +++++++++++++++ appmenus_wheezy_gnome/whitelisted-appmenus.list | 11 +++++++++++ 10 files changed, 68 insertions(+) create mode 100644 appmenus_jessie_gnome/netvm-whitelisted-appmenus.list create mode 100644 appmenus_jessie_gnome/vm-whitelisted-appmenus.list create mode 100644 appmenus_jessie_gnome/whitelisted-appmenus.list create mode 100644 appmenus_wheezy_gnome/netvm-whitelisted-appmenus.list create mode 100644 appmenus_wheezy_gnome/vm-whitelisted-appmenus.list create mode 100644 appmenus_wheezy_gnome/whitelisted-appmenus.list diff --git a/appmenus_jessie/vm-whitelisted-appmenus.list b/appmenus_jessie/vm-whitelisted-appmenus.list index 4b744f7..31d9cad 100644 --- a/appmenus_jessie/vm-whitelisted-appmenus.list +++ b/appmenus_jessie/vm-whitelisted-appmenus.list @@ -1 +1,3 @@ gnome-terminal.desktop +nautilus.desktop +yelp.desktop diff --git a/appmenus_jessie/whitelisted-appmenus.list b/appmenus_jessie/whitelisted-appmenus.list index 4b744f7..84a4b50 100644 
--- a/appmenus_jessie/whitelisted-appmenus.list +++ b/appmenus_jessie/whitelisted-appmenus.list @@ -1 +1,6 @@ gnome-terminal.desktop +gpk-application.desktop +gpk-update-viewer.desktop +gpk-prefs.desktop +gpk-log.desktop +yelp.desktop diff --git a/appmenus_jessie_gnome/netvm-whitelisted-appmenus.list b/appmenus_jessie_gnome/netvm-whitelisted-appmenus.list new file mode 100644 index 0000000..4b744f7 --- /dev/null +++ b/appmenus_jessie_gnome/netvm-whitelisted-appmenus.list @@ -0,0 +1 @@ +gnome-terminal.desktop diff --git a/appmenus_jessie_gnome/vm-whitelisted-appmenus.list b/appmenus_jessie_gnome/vm-whitelisted-appmenus.list new file mode 100644 index 0000000..0f893ba --- /dev/null +++ b/appmenus_jessie_gnome/vm-whitelisted-appmenus.list @@ -0,0 +1,16 @@ +evolution.desktop +gimp.desktop +yelp.desktop +iceweasel.desktop +eog.desktop +rhythmbox.desktop +gnome-system-log.desktop +gnome-terminal.desktop +gnome-calculator.desktop +org.gnome.Cheese.desktop +org.gnome.Nautilus.desktop +org.gnome.gedit.desktop +shotwell.desktop +org.gnome.Totem.desktop +libreoffice-startcenter.desktop +session-properties.desktop diff --git a/appmenus_jessie_gnome/whitelisted-appmenus.list b/appmenus_jessie_gnome/whitelisted-appmenus.list new file mode 100644 index 0000000..a325bd9 --- /dev/null +++ b/appmenus_jessie_gnome/whitelisted-appmenus.list @@ -0,0 +1,10 @@ +gdebi.desktop +yelp.desktop +gpk-log.desktop +gpk-prefs.desktop +gpk-update-viewer.desktop +gpk-application.desktop +gnome-printers-panel.desktop +tracker-preferences.desktop +gnome-system-log.desktop +gnome-terminal.desktop diff --git a/appmenus_wheezy/vm-whitelisted-appmenus.list b/appmenus_wheezy/vm-whitelisted-appmenus.list index 4b744f7..31d9cad 100644 --- a/appmenus_wheezy/vm-whitelisted-appmenus.list +++ b/appmenus_wheezy/vm-whitelisted-appmenus.list @@ -1 +1,3 @@ gnome-terminal.desktop +nautilus.desktop +yelp.desktop 
diff --git a/appmenus_wheezy/whitelisted-appmenus.list b/appmenus_wheezy/whitelisted-appmenus.list index 4b744f7..84a4b50 100644 --- a/appmenus_wheezy/whitelisted-appmenus.list +++ b/appmenus_wheezy/whitelisted-appmenus.list @@ -1 +1,6 @@ gnome-terminal.desktop +gpk-application.desktop +gpk-update-viewer.desktop +gpk-prefs.desktop +gpk-log.desktop +yelp.desktop diff --git a/appmenus_wheezy_gnome/netvm-whitelisted-appmenus.list b/appmenus_wheezy_gnome/netvm-whitelisted-appmenus.list new file mode 100644 index 0000000..4b744f7 --- /dev/null +++ b/appmenus_wheezy_gnome/netvm-whitelisted-appmenus.list @@ -0,0 +1 @@ +gnome-terminal.desktop diff --git a/appmenus_wheezy_gnome/vm-whitelisted-appmenus.list b/appmenus_wheezy_gnome/vm-whitelisted-appmenus.list new file mode 100644 index 0000000..33843f3 --- /dev/null +++ b/appmenus_wheezy_gnome/vm-whitelisted-appmenus.list @@ -0,0 +1,15 @@ +gnome-terminal.desktop +gcalctool.desktop +evolution.desktop +nautilus.desktop +iceweasel.desktop +libreoffice-startcenter.desktop +gedit.desktop +gimp.desktop +eog.desktop +totem.desktop +rhythmbox.desktop +gnome-system-log.desktop +cheese.desktop +session-properties.desktop +yelp.desktop diff --git a/appmenus_wheezy_gnome/whitelisted-appmenus.list b/appmenus_wheezy_gnome/whitelisted-appmenus.list new file mode 100644 index 0000000..89d9525 --- /dev/null +++ b/appmenus_wheezy_gnome/whitelisted-appmenus.list @@ -0,0 +1,11 @@ +gnome-terminal.desktop +gpk-application.desktop +gpk-update-viewer.desktop +gpk-prefs.desktop +gpk-log.desktop +gnome-panel.desktop +gnome-printers-panel.desktop +gnome-system-log.desktop +gdebi.desktop +tracker-preferences.desktop +yelp.desktop From b85dfe810b6f7b5cd3654f53602564688fad8863 Mon Sep 17 00:00:00 2001 
From: Jason Mehring Date: Mon, 3 Nov 2014 23:56:07 -0500 Subject: [PATCH 51/83] whonix-workstation: Added missing setup file --- .../files/etc/xdg/autostart/qubes-whonixsetup.desktop | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 scripts_debian/wheezy+whonix-workstation/files/etc/xdg/autostart/qubes-whonixsetup.desktop diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/xdg/autostart/qubes-whonixsetup.desktop b/scripts_debian/wheezy+whonix-workstation/files/etc/xdg/autostart/qubes-whonixsetup.desktop new file mode 100644 index 0000000..260635d --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/etc/xdg/autostart/qubes-whonixsetup.desktop @@ -0,0 +1,8 @@ +## This file is part of Whonix. +## Copyright (C) 2012 - 2014 Patrick Schleizer +## See the file COPYING for copying conditions. + +[Desktop Entry] +Type=Application +Terminal=false +Exec=/usr/lib/whonix/qubes-whonixsetup From d8138a8f449c6b5ffdc5502718813448c056326d Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Mon, 3 Nov 2014 23:57:21 -0500 Subject: [PATCH 52/83] Removed commented out function that is not used --- builder_setup | 3 --- 1 file changed, 3 deletions(-) diff --git a/builder_setup b/builder_setup index bd2b23f..b1cefb2 100755 --- a/builder_setup +++ b/builder_setup @@ -33,6 +33,3 @@ CACHEDIR=cache_$DIST export SCRIPTSDIR CACHEDIR echo $DISTRIBUTION $VERSION - -# Check for custom template name -#templateName > /dev/null && templateName From 422dcc9c247de5a67f03e1741a08da1b61dd4d33 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Mon, 3 Nov 2014 23:59:48 -0500 Subject: [PATCH 53/83] debian: honor verbose; fixed bug where base package.list was not being used --- functions.sh | 62 ++++++++++++++++++++++++----- scripts_debian/02_install_groups.sh | 2 +- tests/template-flavors/test.sh | 44 ++++++++++---------- 3 files changed, 74 insertions(+), 34 deletions(-) diff --git a/functions.sh b/functions.sh index c4bb43d..4296bd6 100755 --- a/functions.sh 
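Review bot: The new autostart entry carries no `Name=` key, which the Desktop Entry specification requires for every entry; `desktop-file-validate` rejects such a file and some session managers skip it, so the setup script may never be launched. Add `Name=Qubes Whonix setup` next to `Type=Application`. Since this entry exists only to run a setup hook at login, `NoDisplay=true` would also keep it out of application menus.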
+++ b/functions.sh
@@ -1,6 +1,9 @@
 #!/bin/bash
 # vim: set ts=4 sw=4 sts=4 et :
+# XXX
+set -e
+
 ################################################################################
 # Global functions
 ################################################################################
@@ -72,20 +75,40 @@ fi
 # ------------------------------------------------------------------------------
 # Display messages in color
 # ------------------------------------------------------------------------------
+# Only output text under certain conditions
+output() {
+ case ${VERBOSE} in
+ 0)
+ true "${1}"
+ ;;
+ 1)
+ echo -e "${1}"
+ ;;
+ 2)
+ # Don't echo if -x is set since it will already be displayed via true
+ [[ ${-/x} != $- ]] || echo -e "${1}"
+ true "${1}"
+ ;;
+ *)
+ true "${1}"
+ ;;
+ esac
+}
+
 info() {
- [[ -z ${TEST} ]] && echo -e "${bold}${blue}INFO: ${1}${reset}" || :
+ output "${bold}${blue}INFO: ${1}${reset}" || :
 }
 debug() {
- [[ -z ${TEST} ]] && echo -e "${bold}${green}DEBUG: ${1}${reset}" || :
+ output "${bold}${green}DEBUG: ${1}${reset}" || :
 }
 warn() {
- [[ -z ${TEST} ]] && echo -e "${stout}${yellow}WARNING: ${1}${reset}" || :
+ output "${stout}${yellow}WARNING: ${1}${reset}" || :
 }
 error() {
- [[ -z ${TEST} ]] && echo -e "${bold}${red}ERROR: ${1}${reset}" || :
+ output "${bold}${red}ERROR: ${1}${reset}" || :
 }
 # ------------------------------------------------------------------------------
@@ -254,7 +277,7 @@ templateFile() {
 local file="$1"
 local suffix="$2"
 local template_flavor="$3"
- local template_dir="$(templateDir ${template_flavor})"
+ local template_dir="$(templateDir "${template_flavor}")"
 splitPath "${file}" path_parts
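Review bot: `set -e` is switched on from inside functions.sh, which the trailing `# $0 is module that sourced vars.sh` line suggests is a sourced library, so errexit leaks into every script that sources it, and the `# XXX` marker reads as a leftover rather than a deliberate interface change. Any unguarded non-zero status in those scripts (a `grep` with no match, a `[[ … ]] && …` chain as the last command of a function) now aborts the whole build without a message. If errexit is wanted, enable it in each entry-point script, or at least replace the marker with a statement of intent such as `# NOTE: errexit applies to every script that sources this file`.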
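Review bot: `error()` and `warn()` now go through `output`, which writes to stdout with `echo -e` and prints nothing at `VERBOSE=0`, so failures are silenced in quiet mode and otherwise land on stdout, where callers capture it (a later hunk in this file assigns `files="$(callTemplateFunction …)"` from exactly that stream). Diagnostics should reach stderr regardless of verbosity: `error() { echo -e "${bold}${red}ERROR: ${1}${reset}" >&2; }` and the same for `warn`. If the colour variables already hold raw escape bytes, `printf '%s\n' "${1}"` in `output` would also stop `echo -e` from interpreting backslashes that happen to occur in a path or package name.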
@@ -277,9 +300,17 @@ buildStepExec() {
 script="$(templateFile "$(unknown)" "${suffix}" "${template_flavor}")"
- if [ -f "${script}" ]; then
- [[ -n ${TEST} ]] && echo "${script}" || echo "${bold}${under}INFO: Currently running script: ${script}${reset}"
+ #if [ -f "${script}" ]; then
+ if [ -f "${script}" ] && [ ! ${GLOBAL_CACHE[$script]+_} ]; then
+ # Test module expects raw output back only used to asser test results
+ if [[ -n ${TEST} ]]; then
+ echo "${script}"
+ else
+ output "${bold}${under}INFO: Currently running script: ${script}${reset}"
+ fi
+ # Cache $script
+ GLOBAL_CACHE[$script]=1
 # Execute $script
 "${script}"
 fi
@@ -308,12 +339,17 @@ copyTreeExec() {
 pushd "${target_dir}"
 {
 setfacl --restore="${source_dir}/.facl" 2>/dev/null ||:
+ rm -f .facl
 }
 popd
 fi
 }
 callTemplateFunction() {
+ # Reset Cache
+ unset GLOBAL_CACHE
+ declare -A -g GLOBAL_CACHE
+
 local calling_script="$1"
 local calling_arg="$2"
 local functionExec="$3"
@@ -335,6 +371,12 @@ callTemplateFunction() {
 "${calling_arg}" \
 "${option}"
 done
+
+ # If template_flavor exists, also check on base distro
+ if [ -n "${template_flavor}" ]; then
+ ${functionExec} "${calling_script}" \
+ "${calling_arg}"
+ fi
 }
 # ------------------------------------------------------------------------------
@@ -350,7 +392,9 @@ getFileLocations() {
 #files=( $(callTemplateFunction "$(unknown)" "${suffix}" "${function}") )
 #setArrayAsGlobal files $return_global_var
- files=$(callTemplateFunction "$(unknown)" "${suffix}" "${function}")
+ # XXX
+ #files=$(callTemplateFunction "$(unknown)" "${suffix}" "${function}")
+ files="$(callTemplateFunction "$(unknown)" "${suffix}" "${function}")"
 IFS_orig="${IFS}}"; IFS=$'\n' files=( "${files}" )
@@ -402,4 +446,4 @@ copyTree() {
 }
 # $0 is module that sourced vars.sh
-echo "${bold}${under}INFO: Currently running script: ${0}${reset}"
+output "${bold}${under}INFO: Currently running script: ${0}${reset}"
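Review bot: `[ ! ${GLOBAL_CACHE[$script]+_} ]` only works because a one-argument `[ ! ]` happens to be true; `[[ -z ${GLOBAL_CACHE[$script]+_} ]]` states the intent and survives a later quoting clean-up. `GLOBAL_CACHE` is declared associative only inside `callTemplateFunction` (a later hunk), so if `buildStepExec` can be reached without passing through it, `GLOBAL_CACHE[$script]=1` creates an indexed array and bash evaluates the script path as an arithmetic subscript, which fails for a path and now aborts under the newly added `set -e`; a single `declare -A GLOBAL_CACHE` at file scope removes that ordering dependency. The comment typo `asser` should read `assert`. buildStepExec starts outside the hunk.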
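Review bot: Quoting `files="$(callTemplateFunction …)"` is right, but the context line after it, `files=( "${files}" )`, also quotes the expansion, so the `IFS=$'\n'` set just before never splits anything and `files` is always one newline-joined element; that is what forces `02_install_groups.sh` (the next hunk) to drop the quotes from `${packages_list[@]}`, which word-splits on every whitespace character and glob-expands the paths instead. Read the list straight into the array, `mapfile -t files < <(callTemplateFunction …)`, and keep `"${packages_list[@]}"` quoted in the consumer. getFileLocations continues outside the hunk.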
diff --git a/scripts_debian/02_install_groups.sh b/scripts_debian/02_install_groups.sh
index 0754348..d30152a 100755
--- a/scripts_debian/02_install_groups.sh
+++ b/scripts_debian/02_install_groups.sh
@@ -112,7 +112,7 @@ EOF
 exit 1
 fi
- for package_list in "${packages_list[@]}"; do
+ for package_list in ${packages_list[@]}; do
 debug "Installing extra packages from: ${package_list}"
 DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
 xargs chroot ${INSTALLDIR} apt-get -y --force-yes install < "${package_list}"
diff --git a/tests/template-flavors/test.sh b/tests/template-flavors/test.sh
index 3c40cf5..b341ce1 100755
--- a/tests/template-flavors/test.sh
+++ b/tests/template-flavors/test.sh
@@ -1,8 +1,7 @@
 #!/bin/bash
 # vim: set ts=4 sw=4 sts=4 et :
-VERBOSE=2
-DEBUG=1
+VERBOSE=1
 pushd ../..
 ROOT_DIR=$(readlink -m .)
@@ -45,27 +44,24 @@ declare -A VALUES=(
 )
 values() {
- [[ -z ${TEST} ]] && {
- label=${1}
- value="${1}[@]"
- value="${!value}"
-
- if [ "${VALUES[$label]}" == "${value}" ]; then
- printf " ${bold}${magenta}%-22s = ${value}${reset}\n" "${label}" || :
- else
- printf " ${bold}${black}%-22s = ${value}${reset}\n" "${label}" || :
- fi
- #printf "${bold}${black}%s=\"${value}\"${reset}\n" "${label}" || :
- VALUES[$label]="${value}"
- }
+ label=${1}
+ value="${1}[@]"
+ value="${!value}"
+
+ if [ "${VALUES[$label]}" == "${value}" ]; then
+ printf " ${bold}${magenta}%-22s = ${value}${reset}\n" "${label}" || :
+ else
+ printf " ${bold}${black}%-22s = ${value}${reset}\n" "${label}" || :
+ fi
+ VALUES[$label]="${value}"
 }
 info() {
- [[ -z ${TEST} ]] && echo "${bold}${blue}${1}${reset}" || :
+ output "${bold}${blue}${1}${reset}" || :
 }
 debug() {
- [[ -z ${TEST} ]] && echo -e "${magenta}${1}${reset}" || :
+ output "${magenta}${1}${reset}" || :
 }
 assertTest(){
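Review bot: The rewritten loop feeds each list to `apt-get -y --force-yes install` on the context line below it; on wheezy-era apt `--force-yes` also overrides the unauthenticated-package prompt, so a list entry that resolves to an unsigned or mismatched repository package is installed into the template without complaint. Unless unsigned packages are intended, drop `--force-yes` and rely on `-y`, or leave a comment above the `xargs` line stating why authentication failures are acceptable here. The surrounding function starts and ends outside the hunk.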
@@ -97,7 +93,7 @@ header < Date: Tue, 4 Nov 2014 00:01:13 -0500
Subject: [PATCH 54/83] whonix: Added ability to be able to update templates via tor proxy. Firewall rules not working yet on gateway
---
 .../files/usr/lib/whonix/qubes-whonixsetup | 2 +-
 .../wheezy+whonix-workstation/files/.facl | 28 +++-
 .../files/usr/lib/whonix/qubes-whonixsetup | 2 +-
 .../files/usr/lib/whonix/tests.sh | 95 -----------
 .../02_install_groups_packages_installed.sh | 9 +-
 ...groups_packages_installed.sh.build-steps.d | 157 ------------------
 .../wheezy+whonix/packages_wheezy.list | 11 --
 7 files changed, 27 insertions(+), 277 deletions(-)
 delete mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh
 delete mode 100755 scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
index 49dff91..814af62 100755
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
@@ -42,5 +42,5 @@ elif [ "${WHONIX}" == "workstation" ]; then
 elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
 /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
- sudo /sbin/poweroff
+ #sudo /sbin/poweroff
 fi
diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl
index bfdec11..d173e0d 100644
--- a/scripts_debian/wheezy+whonix-workstation/files/.facl
+++ b/scripts_debian/wheezy+whonix-workstation/files/.facl
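Review bot: Commenting out `sudo /sbin/poweroff` removes the fail-closed reaction to `PROXY_SECURE == 0` in the template branch: after the alert the template now keeps running in a state the script itself classifies as insecure, and nothing in the code records that this is a stopgap while the gateway firewall rules are unfinished (the commit message says they are not working yet). The workstation copy of this file in the next hunk gets the identical change. If it is temporary, say so next to the commented line, `# TODO: restore poweroff once template updates over the Tor proxy are firewalled on the gateway`, or keep the line and gate it on an explicit opt-out variable instead of deleting the safeguard. The `elif` chain this sits in starts outside the hunk; `-a` inside `[ ]` is also obsolescent, and `[[ "${WHONIX}" == "template" && "${PROXY_SECURE}" == "0" ]]` is the bash form.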
@@ -33,6 +33,27 @@ user::rw-
 group::r--
 other::r--
+# file: etc/xdg
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/xdg/autostart
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/xdg/autostart/qubes-whonixsetup.desktop
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
 # file: etc/udev
 # owner: root
 # group: root
@@ -117,13 +138,6 @@ user::rwx
 group::r-x
 other::r-x
-# file: usr/lib/whonix/tests.sh
-# owner: root
-# group: root
-user::rwx
-group::r-x
-other::r-x
-
 # file: usr/lib/whonix/messages.yaml
 # owner: root
 # group: root
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
index 49dff91..814af62 100755
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup
@@ -42,5 +42,5 @@ elif [ "${WHONIX}" == "workstation" ]; then
 elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
 /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
- sudo /sbin/poweroff
+ #sudo /sbin/poweroff
 fi
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh
deleted file mode 100755
index 6570b49..0000000
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/tests.sh
+++ /dev/null
@@ -1,95 +0,0 @@ -#!/bin/bash - -. /usr/lib/whonix/utility_functions - -#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" -#disable_sysv tor -#disable_sysv sdwdate - -iptables -F -iptables -t nat -F - -LOG_IP4=1 -LOG_IP6=0 - -# for IPv4 -if [ "$LOG_IP4" == "1" ]; then - iptables -t raw -A OUTPUT -p icmp -j TRACE - iptables -t raw -A PREROUTING -p icmp -j TRACE - modprobe ipt_LOG -fi - -# for IPv6 -if [ "$LOG_IP6" == "1" ]; then - ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE - ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE - ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE - ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE - modprobe ip6t_LOG -fi - -sysctl -w net.ipv4.ip_forward=1 - -iptables -A FORWARD -i eth0 -j ACCEPT -iptables -A FORWARD -o eth0 -j ACCEPT -iptables -A FORWARD -i lo -j ACCEPT -iptables -A FORWARD -o lo -j ACCEPT - -#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - -#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105 -#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 - - -#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 - -#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT" -#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 
10.137.255.254 -p tcp --dport 8082 -j REDIRECT" - -#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT -#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT -#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT -#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT -#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082 - -#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 - -#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 -#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 -#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 -#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 - -# Works -# localhost/loopback maps localhost port 8082 to localhost port 8888 -#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888 - -# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082 - -# Remap ALL traffic -#iptables -t 
nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082 - - -#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105 -#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 -#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 - -#iptables -v -L -#iptables -v -t nat -L -#telnet 127.0.0.1 9105 -#telnet 10.137.2.1 8082 -#telnet 127.0.0.1 8082 -#tail -100 /var/log/kern.log diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 2416fb6..0a92070 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh @@ -34,10 +34,9 @@ if [ "${SNAPSHOT}" == "1" ]; then fi # ------------------------------------------------------------------------------ -# chroot Whonix build script (Make sure set -e is not set) +# chroot Whonix build script # ------------------------------------------------------------------------------ -read -r -d '' WHONIX_BUILD_SCRIPT <<'EOF' - +read -r -d '' WHONIX_BUILD_SCRIPT <<'EOF' || true ################################################################################ # Pre Fixups sudo mkdir -p /boot/grub2 @@ -82,7 +81,7 @@ EOF # ------------------------------------------------------------------------------ # Pin grub so it won't install # ------------------------------------------------------------------------------ -read -r -d '' WHONIX_APT_PIN <<'EOF' +read -r -d '' WHONIX_APT_PIN <<'EOF' || true Package: grub-pc Pin: version * Pin-Priority: -100 
@@ -103,7 +102,7 @@ EOF # ------------------------------------------------------------------------------ # Set defualts for apt not to install recommended or extra packages # ------------------------------------------------------------------------------ -read -r -d '' WHONIX_APT_PREFERENCES <<'EOF' +read -r -d '' WHONIX_APT_PREFERENCES <<'EOF' || true Acquire::Languages "none"; APT::Install-Recommends "false"; APT::Install-Suggests "false"; diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d deleted file mode 100755 index 8cd88f0..0000000 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh.build-steps.d +++ /dev/null 
@@ -1,157 +0,0 @@ -#!/bin/bash -# vim: set ts=4 sw=4 sts=4 et : - -# ------------------------------------------------------------------------------ -# Source external scripts -# ------------------------------------------------------------------------------ -. ${SCRIPTSDIR}/vars.sh -. ./umount_kill.sh >/dev/null - -# ------------------------------------------------------------------------------ -# Configurations -# ------------------------------------------------------------------------------ -if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then - set -x -else - set -e -fi - -# ------------------------------------------------------------------------------ -# XXX: Create a snapshot - Only for DEBUGGING! -# ------------------------------------------------------------------------------ -# Only execute if SNAPSHOT is set -if [ "${SNAPSHOT}" == "1" ]; then - splitPath "${IMG}" path_parts - PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}" - - if ! [ -f "${PREPARED_IMG}" ] && ! 
[ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then - umount_kill "${INSTALLDIR}" || : - warn "Copying ${IMG} to ${PREPARED_IMG}" - cp -f "${IMG}" "${PREPARED_IMG}" - mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1 - for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "${INSTALLDIR}/$fs"; done - fi -fi - -# ------------------------------------------------------------------------------ -# Set defualts for apt not to install recommended or extra packages -# ------------------------------------------------------------------------------ -#read -r -d '' WHONIX_APT_PREFERENCES <<'EOF' -#Acquire::Languages "none"; -#APT::Install-Recommends "false"; -#APT::Install-Suggests "false"; -#Dpkg::Options "--force-confold"; -#EOF - -# ------------------------------------------------------------------------------ -# Cleanup function -# ------------------------------------------------------------------------------ -function cleanup() { - error "Whonix error; umounting ${INSTALLDIR} to prevent further writes" - umount_kill "${INSTALLDIR}" || : - exit 1 -} -trap cleanup ERR -trap cleanup EXIT - -# ------------------------------------------------------------------------------ -# Mount devices, etc required for Whonix installation -# ------------------------------------------------------------------------------ -if ! 
[ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then - info "Preparing Whonix system" - - # -------------------------------------------------------------------------- - # Qubes needs a user named 'user' - # -------------------------------------------------------------------------- - debug "Whonix Add user" - chroot "${INSTALLDIR}" id -u 'user' >/dev/null 2>&1 || \ - { - chroot "${INSTALLDIR}" groupadd -f user - chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user - } - - # ------------------------------------------------------------------------------ - # Copy over any extra files - # ------------------------------------------------------------------------------ - copyTree "files" - - touch "${INSTALLDIR}/tmp/.whonix_prepared" -fi - -# ------------------------------------------------------------------------------ -# Install Whonix -# ------------------------------------------------------------------------------ -if [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_installed" ]; then - info "Installing Whonix system" - - # ------------------------------------------------------------------------------ - # Create Whonix mount point - # ------------------------------------------------------------------------------ - if ! [ -d "${INSTALLDIR}/home/user/Whonix" ]; then - debug "Installing Whonix build environment..." - chroot "${INSTALLDIR}" su user -c 'mkdir /home/user/Whonix' - fi - - # -------------------------------------------------------------------------- - # Install Whonix code base - # -------------------------------------------------------------------------- - if [ -d "${INSTALLDIR}/home/user/Whonix" ]; then - debug "Building Whonix..." 
- mount --bind "../Whonix" "${INSTALLDIR}/home/user/Whonix" - sync - sleep 1 - fi - - # ------------------------------------------------------------------------------ - # Determine type of Whonix build - # ------------------------------------------------------------------------------ - if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then - BUILD_TYPE="--torgateway" - elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then - BUILD_TYPE="--torworkstation" - else - error "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules" - error "You need to set TEMPLATE_FLAVOR environment variable to either" - error "whonix-gateway OR whonix-workstation" - exit 1 - fi - - # ------------------------------------------------------------------------------ - # Start Whonix build process - # ------------------------------------------------------------------------------ - chroot "${INSTALLDIR}" su user -c "cd ~; ./whonix_build.sh ${BUILD_TYPE} ${DIST}" || { exit 1; } - - touch "${INSTALLDIR}/tmp/.whonix_installed" - touch "${INSTALLDIR}/tmp/.whonix_post" -fi - -# ------------------------------------------------------------------------------ -# Execute any template flavor or sub flavor scripts -# ------------------------------------------------------------------------------ -buildStep "99_custom_configuration.sh" - -# ------------------------------------------------------------------------------ -# Bring back original apt-get for installation of Qubues -# ------------------------------------------------------------------------------ -pushd "${INSTALLDIR}/usr/bin" -{ - rm -f apt-get; - cp -p apt-get.anondist-orig apt-get; -} -popd - -# ------------------------------------------------------------------------------ -# Make sure the temporary policy-rc.d to prevent apt from starting services -# on package installation is still active; Whonix may have reset it -# ------------------------------------------------------------------------------ -cat > 
"${INSTALLDIR}/usr/sbin/policy-rc.d" < Date: Tue, 4 Nov 2014 02:44:05 -0500 Subject: [PATCH 55/83] debian: cleanup; everything working except whonix template update --- functions.sh | 31 +++++-------------------------- 1 file changed, 5 insertions(+), 26 deletions(-) diff --git a/functions.sh b/functions.sh index 4296bd6..6ded53f 100755 --- a/functions.sh +++ b/functions.sh @@ -1,7 +1,6 @@ #!/bin/bash # vim: set ts=4 sw=4 sts=4 et : -# XXX set -e ################################################################################ @@ -77,22 +76,10 @@ fi # ------------------------------------------------------------------------------ # Only output text under certain conditions output() { - case ${VERBOSE} in - 0) - true "${1}" - ;; - 1) - echo -e "${1}" - ;; - 2) - # Don't echo if -x is set since it will already be displayed via true - [[ ${-/x} != $- ]] || echo -e "${1}" - true "${1}" - ;; - *) - true "${1}" - ;; - esac + if [ "${VERBOSE}" -ge 1 ]; then + # Don't echo if -x is set since it will already be displayed via true + [[ ${-/x} != $- ]] || echo -e "${1}" + fi } info() { @@ -252,7 +239,6 @@ templateDir() { for element in "${TEMPLATE_FLAVOR_DIR[@]}" do # (wheezy+whonix-gateway / wheezy+whonix-gateway+gnome[+++] / wheezy+gnome ) - #if [ "${element%:*}" == "$(templateFlavorPrefix ${template_flavor})${template_flavor}" ]; then if [ "${element%:*}" == "$(templateName ${template_flavor})" ]; then eval echo -e ${element#*:} return @@ -300,8 +286,8 @@ buildStepExec() { script="$(templateFile "$(unknown)" "${suffix}" "${template_flavor}")" - #if [ -f "${script}" ]; then if [ -f "${script}" ] && [ ! ${GLOBAL_CACHE[$script]+_} ]; then + # Test module expects raw output back only used to asser test results if [[ -n ${TEST} ]]; then echo "${script}" 
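Review bot: With `set -x` active the rewritten output() prints nothing: `[[ ${-/x} != $- ]] || echo -e "${1}"` skips the echo, and the `true "${1}"` that made the message visible in the trace went away with the case statement, so the comment kept above that line now describes a fallback that no longer exists. The old case also echoed unconditionally at `VERBOSE=1`; the new code applies the -x suppression at every level, which may or may not be intended. Restoring `true "${1}"` after the echo line keeps the comment honest, and `echo -e` with an arbitrary argument is fragile (a message starting with `-n` or `-e` is swallowed) — `printf '%b\n' "${1}"` is the equivalent safe form. `[ "${VERBOSE}" -ge 1 ]` also errors out when VERBOSE is unset, which PATCH 57 later in this series addresses.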
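Review bot: The comment added in buildStepExec, `# Test module expects raw output back only used to asser test results`, has a typo and reads as one run-on clause. Suggest `# Test module expects the raw output back; only used to assert test results`. buildStepExec itself begins and ends outside this hunk.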
@@ -387,13 +373,6 @@ getFileLocations() { local suffix="$3" local function="templateFile" - - #IFS_orig="${IFS}}"; IFS=$'\n' - #files=( $(callTemplateFunction "$(unknown)" "${suffix}" "${function}") ) - #setArrayAsGlobal files $return_global_var - - # XXX - #files=$(callTemplateFunction "$(unknown)" "${suffix}" "${function}") files="$(callTemplateFunction "$(unknown)" "${suffix}" "${function}")" IFS_orig="${IFS}}"; IFS=$'\n' From d63d8cccbd0e9093db6c57e6491ad002177a6efa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Thu, 6 Nov 2014 02:11:07 +0100 Subject: [PATCH 56/83] Prepare mountpoint before calling any dist-specific script For example debian's 00_prepare.sh want to use it. --- prepare_image | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/prepare_image b/prepare_image index bd4a4fa..f5a3fef 100755 --- a/prepare_image +++ b/prepare_image @@ -32,13 +32,13 @@ fi # Prepare for mount # ------------------------------------------------------------------------------ echo "-> Preparing instalation of $DIST template..." +export INSTALLDIR="$(readlink -m mnt)" +mkdir -p "$INSTALLDIR" "$SCRIPTSDIR/00_prepare.sh" # ------------------------------------------------------------------------------ # Mount image and install core OS # ------------------------------------------------------------------------------ -export INSTALLDIR="$(readlink -m mnt)" -mkdir -p "$INSTALLDIR" if [ -f "$IMG" ]; then echo "-> Image file already exists, assuming *update*..." From 23f1212b00649b4b7eb18ec7c03313e45168f4ca Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Thu, 6 Nov 2014 23:56:57 -0500 Subject: [PATCH 57/83] VERBOSE and DEBUG will default to defaults if not called by Makefile --- functions.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/functions.sh b/functions.sh index 6ded53f..ccbcb71 100755 --- a/functions.sh +++ b/functions.sh 
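Review bot: `INSTALLDIR` is derived from the current working directory (`readlink -m mnt`) and exported without any check, yet the later scripts in this series use it as the root of destructive operations (`rm -f "${INSTALLDIR}/..."`, `umount_kill "${INSTALLDIR}"`), and moving it up makes it the first thing 00_prepare.sh depends on. A guard right after the assignment, `: "${INSTALLDIR:?could not resolve mount point}"`, turns an empty expansion into a clear abort instead of operations relative to `/`. `readlink -m` never fails on a missing path, so the real assumption is that the caller's cwd is the template-builder directory; a one-line comment stating that would help the next maintainer.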
@@ -3,6 +3,9 @@ set -e +VERBOSE=${VERBOSE:-1} +DEBUG=${DEBUG:-0} + ################################################################################ # Global functions ################################################################################ From f8c9dd684c633425dd4e4a8455bdfbf25b61cc0a Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Thu, 6 Nov 2014 23:58:34 -0500 Subject: [PATCH 58/83] Sync to disk before un-mounting --- umount_kill.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/umount_kill.sh b/umount_kill.sh index c647107..57778c9 100755 --- a/umount_kill.sh +++ b/umount_kill.sh @@ -39,6 +39,9 @@ umount_kill() { # since we are doing an exact string match on the path MOUNTDIR=$(echo "${MOUNTDIR}" | sed s#//*#/#g) + # Sync the disk befoe un-mounting to be sure everything is written + sync + warn "-> Attempting to kill any processes still running in '${MOUNTDIR}' before un-mounting" for dir in $(sudo grep "${MOUNTDIR}" /proc/mounts | cut -f2 -d" " | sort -r | grep "^${MOUNTDIR}") do From 88cf6f8b593dd350d95b0efeeb3aa49fcd0f33af Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Thu, 6 Nov 2014 23:59:59 -0500 Subject: [PATCH 59/83] debian: Modifications due to new postinit scripts, etc in core-agent-linux module --- scripts_debian/00_prepare.sh | 1 - scripts_debian/02_install_groups.sh | 14 +++---- scripts_debian/04_install_qubes.sh | 62 +---------------------------- scripts_debian/09_cleanup.sh | 3 -- scripts_debian/vars.sh | 16 ++------ 5 files changed, 11 insertions(+), 85 deletions(-) diff --git a/scripts_debian/00_prepare.sh b/scripts_debian/00_prepare.sh index 5b7be6f..897bc0a 100755 --- a/scripts_debian/00_prepare.sh +++ b/scripts_debian/00_prepare.sh @@ -43,4 +43,3 @@ fi # Execute any template flavor or sub flavor 'post' scripts # ------------------------------------------------------------------------------ buildStep "$0" "post" - 
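Review bot: The comment added above `sync` in umount_kill() has a typo (`befoe`) and understates what the call does: a bare `sync` flushes every filesystem on the build host, not just the loop-mounted image. Suggest `# Flush all pending writes (whole host) before un-mounting so nothing is lost from the image`. The rest of umount_kill continues outside this hunk.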
diff --git a/scripts_debian/02_install_groups.sh b/scripts_debian/02_install_groups.sh index d30152a..5439819 100755 --- a/scripts_debian/02_install_groups.sh +++ b/scripts_debian/02_install_groups.sh @@ -85,7 +85,7 @@ EOF chroot "${INSTALLDIR}" apt-get update true "${stout}" DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - chroot "${INSTALLDIR}" apt-get -y --force-yes dist-upgrade + chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} dist-upgrade # ------------------------------------------------------------------------------ # Configure keyboard @@ -115,7 +115,7 @@ EOF for package_list in ${packages_list[@]}; do debug "Installing extra packages from: ${package_list}" DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - xargs chroot ${INSTALLDIR} apt-get -y --force-yes install < "${package_list}" + xargs chroot ${INSTALLDIR} apt-get ${APT_GET_OPTIONS} install < "${package_list}" done # ------------------------------------------------------------------------------ @@ -135,10 +135,10 @@ EOF debug "Installing systemd for debian (${DEBIANVERSION})" if [ "${DEBIANVERSION}" == "wheezy" ]; then echo 'Yes, do as I say!' | DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - chroot "${INSTALLDIR}" apt-get -y --force-yes remove sysvinit + chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} remove sysvinit else DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - chroot "${INSTALLDIR}" apt-get -y --force-yes remove sysvinit + chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} remove sysvinit fi # Prevent sysvinit from being re-installed 
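Review bot: `${APT_GET_OPTIONS}` is expanded unquoted in every apt-get call of this file (this hunk and the `-115`, `-135`, `-155` and `-176` hunks), so it depends on word splitting and on vars.sh having been sourced; if the variable is unset the call degrades to a plain `apt-get dist-upgrade` that prompts for confirmation, which stalls or aborts an unattended build. Suggest asserting it once near the top of the script, `: "${APT_GET_OPTIONS:?APT_GET_OPTIONS must be set by vars.sh}"`, and, if any option ever needs an argument with spaces, switching to a bash array expanded as `"${APT_GET_OPTIONS[@]}"`. Note that the value defined in vars.sh still carries `--force-yes`, so this refactor does not lower the force level of the previous hard-coded `-y --force-yes`; see the vars.sh hunk.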
@@ -155,12 +155,11 @@ EOF chroot "${INSTALLDIR}" apt-get update DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - chroot "${INSTALLDIR}" apt-get -y --force-yes install systemd-sysv + chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} install systemd-sysv # ------------------------------------------------------------------------------ # Set multu-user.target as the default target (runlevel 3) # ------------------------------------------------------------------------------ - #chroot "${INSTALLDIR}" systemctl set-default multi-user.target chroot "${INSTALLDIR}" rm -f /etc/systemd/system/default.target chroot "${INSTALLDIR}" ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target @@ -176,7 +175,7 @@ EOF fi chroot ${INSTALLDIR} apt-get update DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \ - chroot ${INSTALLDIR} apt-get -y --force-yes -t wheezy-backports install init-system-helpers + chroot ${INSTALLDIR} apt-get ${APT_GET_OPTIONS} -t wheezy-backports install init-system-helpers fi # ------------------------------------------------------------------------------ @@ -199,4 +198,3 @@ fi # Execute any template flavor or sub flavor 'post' scripts # ------------------------------------------------------------------------------ buildStep "$0" "post" - diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh index adeab12..190bb89 100755 --- a/scripts_debian/04_install_qubes.sh +++ b/scripts_debian/04_install_qubes.sh 
@@ -58,38 +58,12 @@ EOF chroot "${INSTALLDIR}" locale-gen chroot "${INSTALLDIR}" update-locale LANG=en_US.UTF-8 -# # -------------------------------------------------------------------------- -# # Update /etc/fstab -# # -------------------------------------------------------------------------- -# #debug "Updating template fstab file..." -# #cat >> "${INSTALLDIR}/etc/fstab" </dev/null 2>&1; then -# : -# else -# chroot "${INSTALLDIR}" groupadd -f user -# chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user -# fi - -# # -------------------------------------------------------------------------- -# # Modules setup -# # -------------------------------------------------------------------------- -# echo "xen_netfront" >> "${INSTALLDIR}/etc/modules" - -# # -------------------------------------------------------------------------- -# # Remove `mesg` from root/.profile? -# # -------------------------------------------------------------------------- -# sed -i -e '/^mesg n/d' "${INSTALLDIR}/root/.profile" - -# # -------------------------------------------------------------------------- -# # Need a xen log directory or xen scripts will fail -# # -------------------------------------------------------------------------- -# mkdir -p -m 0700 "${INSTALLDIR}/var/log/xen" + rm -f "${INSTALLDIR}/usr/sbin/policy-rc.d" # -------------------------------------------------------------------------- # Copy extra files to installation directory. Contains: 
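Review bot: The new `rm -f "${INSTALLDIR}/usr/sbin/policy-rc.d"` deletes the stub that keeps apt from starting services inside the chroot, but nothing in the hunk says why this point is safe or whether any package installation follows it. The build-steps file deleted in the previous patch explicitly re-created this file after the Whonix build "to prevent apt from starting services on package installation", so the two are at odds unless this really is after the last apt run in the chroot. Suggest a why-comment, e.g. `# policy-rc.d was only needed to keep apt from starting services during the build; no apt runs follow in the chroot` — if that holds — or moving the removal to 09_cleanup.sh where the other build-only artifacts are dropped. The enclosing `if` block of 04_install_qubes.sh starts and ends outside this hunk.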
@@ -189,13 +138,6 @@ EOF # -------------------------------------------------------------------------- copyTree "qubes-files" "${SCRIPTSDIR}" "${INSTALLDIR}" -# # -------------------------------------------------------------------------- -# # Looks like hosts file may contain tabs and qubes will not parse it -# # correctly -# # -------------------------------------------------------------------------- -# expand "${INSTALLDIR}/etc/hosts" > "${INSTALLDIR}/etc/hosts.dist" -# mv "${INSTALLDIR}/etc/hosts.dist" "${INSTALLDIR}/etc/hosts" - touch "${INSTALLDIR}/tmp/.prepared_qubes" fi diff --git a/scripts_debian/09_cleanup.sh b/scripts_debian/09_cleanup.sh index 215024d..b99ae43 100755 --- a/scripts_debian/09_cleanup.sh +++ b/scripts_debian/09_cleanup.sh @@ -27,9 +27,6 @@ rm -rf "${INSTALLDIR}/var/cache/apt/archives/*" rm -f "${INSTALLDIR}/etc/apt/sources.list.d/qubes-builder.list" rm -f "${INSTALLDIR}/etc/apt/trusted.gpg.d/qubes-builder.gpg" -# XXX: Whats this for? -rm -rf buildchroot - # ------------------------------------------------------------------------------ # Execute any template flavor or sub flavor 'post' scripts # ------------------------------------------------------------------------------ diff --git a/scripts_debian/vars.sh b/scripts_debian/vars.sh index bcceee8..7c34bde 100755 --- a/scripts_debian/vars.sh +++ b/scripts_debian/vars.sh 
@@ -11,18 +11,8 @@ DEBIANVERSION=${DIST} # Location to grab debian packages +DEBIAN_MIRROR=http://ftp.us.debian.org/debian/ #DEBIAN_MIRROR=http://http.debian.net/debian -DEBIAN_MIRROR=http://ftp.ca.debian.org/debian/ -#DEBIAN_MIRROR=http://ftp.us.debian.org/debian/ +#DEBIAN_MIRROR=http://ftp.ca.debian.org/debian/ -# XXX: Is this even used? -EXTRAPKGS="openssh-clients,screen,vim-nox,less" - -# XXX: Is this even used? -QUBESDEBIANGIT="http://dsg.is/qubes/" - -# XXX: Is this even used? -# make runs the scripts with sudo -E, so HOME is set to /home/user during -# build, which does not exist. We need to write to ${HOME}/.gnupg so set it -# to something valid. -HOME=/root +APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes -y" From 4e7dbfcb0638407052bfc77c8e2fbb998c2a834b Mon Sep 17 00:00:00 2001 
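Review bot: `APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes -y"` works only by accident: the inner double quotes end and reopen the outer string, so the assigned value is `-o Dpkg::Options::=--force-confnew --force-yes -y`, which is what apt needs but not what the line appears to say; write it as `APT_GET_OPTIONS="-y -o Dpkg::Options::=--force-confnew"` or single-quote the whole value. More importantly, `--force-yes` is the option apt-get(8) documents as dangerous: it suppresses the prompt that otherwise stops installation of packages whose signatures cannot be verified, and this same hunk moves DEBIAN_MIRROR to a plain-http mirror, so signature verification is the only integrity protection left on the download path. If an unsigned local repository is the reason it is needed, prefer `--allow-unauthenticated` on just that step, with a comment, and keep the shared options to `-y`.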
From: Jason Mehring Date: Fri, 7 Nov 2014 00:00:57 -0500 Subject: [PATCH 60/83] debian: Whonix modifications due to new postinit in core-agent-linux module --- scripts_debian/NOTES.old | 106 ------------------ scripts_debian/gnome/04_install_qubes_post.sh | 26 ----- scripts_debian/proxy/files/.facl | 42 ------- .../files/etc/udev/rules.d/xen-backend.rules | 16 --- .../wheezy+whonix-gateway/files/.facl | 81 +++++++++---- .../etc/udev/rules.d/99-qubes-whonix.rules | 1 - .../system/qubes-whonix-firewall.service | 14 +++ .../system/qubes-whonix-network.service | 14 +++ .../files/usr/lib/whonix/init/init.sh | 38 +++++++ .../lib/whonix/init/network-proxy-setup.sh | 67 +++++++++++ .../whonix/init/qubes-firewall-user-script | 47 ++++++++ .../usr/lib/whonix/{ => init}/replace-ips | 0 .../files/usr/lib/whonix/setup-ip | 78 ------------- .../files/usr/lib/whonix/tests.sh | 95 ---------------- .../wheezy+whonix-workstation/files/.facl | 80 +++++++++---- .../etc/udev/rules.d/99-qubes-whonix.rules | 1 - .../system/qubes-whonix-firewall.service | 14 +++ .../system/qubes-whonix-network.service | 14 +++ .../files/usr/lib/whonix/init/init.sh | 38 +++++++ .../lib/whonix/init/network-proxy-setup.sh | 67 +++++++++++ .../whonix/init/qubes-firewall-user-script | 47 ++++++++ .../usr/lib/whonix/{ => init}/replace-ips | 0 .../files/usr/lib/whonix/setup-ip | 78 ------------- 23 files changed, 479 insertions(+), 485 deletions(-) delete mode 100644 scripts_debian/NOTES.old delete mode 100755 scripts_debian/gnome/04_install_qubes_post.sh delete mode 100644 scripts_debian/proxy/files/.facl delete mode 100644 scripts_debian/proxy/files/etc/udev/rules.d/xen-backend.rules delete mode 100644 scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules create mode 100644 scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service create mode 100644 scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service create 
mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh create mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh create mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script rename scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/{ => init}/replace-ips (100%) delete mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip delete mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh delete mode 100644 scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules create mode 100644 scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service create mode 100644 scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script rename scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/{ => init}/replace-ips (100%) delete mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip diff --git a/scripts_debian/NOTES.old b/scripts_debian/NOTES.old deleted file mode 100644 index 6e1021e..0000000 --- a/scripts_debian/NOTES.old +++ /dev/null 
@@ -1,106 +0,0 @@ -===================================================================== -These are my original notes for steps to intergrate Whonix into Qubes -===================================================================== - -Read README.whonix qubes-builder package for build instructions - -None of the notes below apply at this point but I am saving them -until whonix intergration is complete since there still may be some -valid steps I will need to intergrate ubuntu as well - -===================================================================== -# Build depends -sudo yum install rpmdevtools rpm-build createrepo rpm-sign - -# Additional for debian template -sudo yum install debootstrap dpkg-dev - -# Build -# https://qubes-os.org/wiki/BuildingArchlinuxTemplate -# --------------------------------------------------- -clean all -clean all rpms -sudo umount chroot-wheezy/proc -sudo rm -r chroot-wheezy -cd qubes-src/linus-template-builder -sudo umount mnt -sudo rm prepared_images/... - -make get-sources - -make vmm-xen-vm -make core-vchan-xen-vm -make linux-utils-vm -make core-agent-linux-vm -make gui-common-vm -make gui-agent-linux-vm - -make linux-template-builder - - -# builder.conf -# ------------ -GIT_SUBDIR=marmarek -COMPONENTS:=$(filter-out desktop-linux-kde desktop-linux-xfce,$(COMPONENTS)) -DISTS_VM=wheezy -NO_SIGN="1" -DEBUG="1" -VERBOSE=2 - - -# Changed (XXX: Marks the spot!) -# ------------------------------ -# Makefile.debian -# - wheezy repo dir does not get created... 
-# prepare-chroot-debian -# - chroot /dev/null should be 0666 - - -# Wheezy needs a keyring -# ---------------------- -# Create in keys_debian -# Get from https://ftp-master.debian.org/keys.html -gpg --no-default-keyring --keyring=wheezy-debian-archive-keyring.gpg --import wheezy-archive-key-7.0.asc -# move from /user/home/.gnupgp to keys_debian - - -# Wheezy Hacks -# ------------ -# Need 2.0 pulse audio drivers -# *add to source list* -cd qubes-src -git clone --branch v2.0 git://anongit.freedesktop.org/pulseaudio/pulseaudio -cp -prf pulseaudio/src/pulsecore gui-agent-linux/pulse/pulsecore-2.0 -cd .. - -# Add to... -# module-vchan-sink-symdef.h - -#elif PA_CHECK_VERSION(2,0,0) -bool pa__load_once(void); - -# Add to.. -# Makefile - - -# Build errors - template -# ----------------------- -make[1]: *** [update-repo] Error 32 -make: *** [linux-template-builder] Error 1 -mount: mount(2) failed: No such file or directory - -- remove all mounts and try again. Some mounts may need to be tried multiple times - -$ sudo umount chroot-wheezy/proc/ -$ sudo umount chroot-wheezy/proc/ -umount: chroot-wheezy/proc/: not mounted - -$ sudo umount chroot-wheezy/tmp/qubes-apt-repo/ -$ sudo umount chroot-wheezy/tmp/qubes-apt-repo/ -umount: chroot-wheezy/tmp/qubes-apt-repo/: not mounted - -$ sudo umount chroot-wheezy/tmp/qubes-deb/ -$ sudo umount chroot-wheezy/tmp/qubes-deb/ -$ sudo umount chroot-wheezy/tmp/qubes-deb/ -umount: chroot-wheezy/tmp/qubes-deb/: not mounted - diff --git a/scripts_debian/gnome/04_install_qubes_post.sh b/scripts_debian/gnome/04_install_qubes_post.sh deleted file mode 100755 index fcb309e..0000000 --- a/scripts_debian/gnome/04_install_qubes_post.sh +++ /dev/null 
@@ -1,26 +0,0 @@ -#!/bin/bash -# vim: set ts=4 sw=4 sts=4 et : - -# -# Whonix Post Install Steps (after qubes install) -# - -# ------------------------------------------------------------------------------ -# Source external scripts -# ------------------------------------------------------------------------------ -. ${SCRIPTSDIR}/vars.sh - -# ------------------------------------------------------------------------------ -# Configurations -# ------------------------------------------------------------------------------ -if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then - set -x -else - set -e -fi - -# ------------------------------------------------------------------------------ -# Disable gnome network-manager since it will prevent networking -# ------------------------------------------------------------------------------ -debug "Disabling gnome network-manager" -chroot "${INSTALLDIR}" systemctl disable network-manager diff --git a/scripts_debian/proxy/files/.facl b/scripts_debian/proxy/files/.facl deleted file mode 100644 index 4e26d4d..0000000 --- a/scripts_debian/proxy/files/.facl +++ /dev/null @@ -1,42 +0,0 @@ -# file: . -# owner: user -# group: user -user::rwx -group::r-x -other::r-x - -# file: etc -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - -# file: etc/udev -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - -# file: etc/udev/rules.d -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - -# file: etc/udev/rules.d/xen-backend.rules -# owner: root -# group: root -user::rw- -group::r-- -other::r-- - -# file: etc/udev/rules.d/98-kexec.rules -# owner: root -# group: root -user::rw- -group::r-- -other::r-- - diff --git a/scripts_debian/proxy/files/etc/udev/rules.d/xen-backend.rules b/scripts_debian/proxy/files/etc/udev/rules.d/xen-backend.rules deleted file mode 100644 index 40f2658..0000000 --- a/scripts_debian/proxy/files/etc/udev/rules.d/xen-backend.rules +++ /dev/null 
@@ -1,16 +0,0 @@ -SUBSYSTEM=="xen-backend", KERNEL=="tap*", RUN+="/etc/xen/scripts/blktap $env{ACTION}" -SUBSYSTEM=="xen-backend", KERNEL=="vbd*", RUN+="/etc/xen/scripts/block $env{ACTION}" -SUBSYSTEM=="xen-backend", KERNEL=="vtpm*", RUN+="/etc/xen/scripts/vtpm $env{ACTION}" -SUBSYSTEM=="xen-backend", KERNEL=="vif2-*", RUN+="/etc/xen/scripts/vif2 $env{ACTION}" -SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="online", RUN+="/etc/xen/scripts/vif-setup online type_if=vif" -SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="offline", RUN+="/etc/xen/scripts/vif-setup offline type_if=vif" -SUBSYSTEM=="xen-backend", KERNEL=="vscsi*", RUN+="/etc/xen/scripts/vscsi $env{ACTION}" -SUBSYSTEM=="xen-backend", ACTION=="remove", RUN+="/etc/xen/scripts/xen-hotplug-cleanup" -KERNEL=="evtchn", NAME="xen/%k" -SUBSYSTEM=="xen", KERNEL=="blktap[0-9]*", NAME="xen/%k", MODE="0600" -SUBSYSTEM=="blktap2", KERNEL=="blktap[0-9]*", NAME="xen/blktap-2/%k", MODE="0600" -KERNEL=="blktap-control", NAME="xen/blktap-2/control", MODE="0600" -KERNEL=="gntdev", NAME="xen/%k", MODE="0600" -KERNEL=="pci_iomul", NAME="xen/%k", MODE="0600" -KERNEL=="tapdev[a-z]*", NAME="xen/blktap-2/tapdev%m", MODE="0600" -SUBSYSTEM=="net", KERNEL=="tap*", ACTION=="add", RUN+="/etc/xen/scripts/vif-setup $env{ACTION} type_if=tap" diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl index ece4cc6..b580d19 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/.facl +++ b/scripts_debian/wheezy+whonix-gateway/files/.facl 
@@ -5,91 +5,105 @@ user::rwx group::r-x other::r-x -# file: etc +# file: lib # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/hosts +# file: lib/systemd # owner: root # group: root -user::rw- -group::r-- -other::r-- +user::rwx +group::r-x +other::r-x -# file: etc/uwt.d +# file: lib/systemd/system # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/uwt.d/50_uwt_default +# file: lib/systemd/system/qubes-whonix-firewall.service # owner: root # group: root user::rw- group::r-- other::r-- -# file: etc/xdg +# file: lib/systemd/system/qubes-whonix-network.service +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/xdg/autostart +# file: etc/hosts +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/uwt.d # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/xdg/autostart/qubes-whonixsetup.desktop +# file: etc/uwt.d/50_uwt_default # owner: root # group: root user::rw- group::r-- other::r-- -# file: etc/apt +# file: etc/xdg # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/apt/preferences.d +# file: etc/xdg/autostart # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/apt/preferences.d/whonix_qubes +# file: etc/xdg/autostart/qubes-whonixsetup.desktop # owner: root # group: root user::rw- group::r-- other::r-- -# file: etc/udev +# file: etc/apt # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/udev/rules.d +# file: etc/apt/preferences.d # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/udev/rules.d/99-qubes-whonix.rules +# file: etc/apt/preferences.d/whonix_qubes # owner: root # group: root user::rw- 
@@ -152,34 +166,55 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/setup-ip +# file: usr/lib/whonix/whonix.sh # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix/tests.sh +# file: usr/lib/whonix/init # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix/messages.yaml +# file: usr/lib/whonix/init/replace-ips # owner: root # group: root -user::rw- -group::r-- -other::r-- +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/init/init.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/init/network-proxy-setup.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x -# file: usr/lib/whonix/replace-ips +# file: usr/lib/whonix/init/qubes-firewall-user-script # owner: root # group: root user::rwx group::r-x other::r-x +# file: usr/lib/whonix/messages.yaml +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: usr/lib/whonix/alert # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules b/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules deleted file mode 100644 index 8bcf97d..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/etc/udev/rules.d/99-qubes-whonix.rules +++ /dev/null @@ -1 +0,0 @@ -SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip" diff --git a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service new file mode 100644 index 0000000..649fe7a --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service 
@@ -0,0 +1,14 @@
+[Unit]
+Description=Qubes Whonix firewall updater
+After=qubes-whonix-network.service
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=/usr/lib/whonix/init/init.sh
+ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service
new file mode 100644
index 0000000..245e031
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Qubes Whonix network proxy setup
+ConditionPathExists=/var/run/qubes-service/qubes-network
+Before=network.target
+After=qubes-firewall.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh
new file mode 100755
index 0000000..2727847
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+if [ "${WHONIX}" != "template" ]; then
+ # Files that will have the immutable bit set
+ # since we don't want them modified by other programs
+ IMMUTABLE_FILES=(
+ '/etc/resolv.conf'
+ '/etc/hostname'
+ '/etc/hosts'
+ )
+
+ # Make sure all .anondist files in list are immutable
+ immutableFilesEnable "${IMMUTABLE_FILES}"
+ immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
+
+ # Make sure we are using a copy of the annondist file and if not
+ # copy the annondist file and set it immutable
+ copyAnondist "/etc/resolv.conf"
+ copyAnondist "/etc/hosts"
+ copyAnondist "/etc/hostname"
+
+ # Replace IP addresses in known configuration files / scripts to
+ # currently discovered one
+ /usr/lib/whonix/init/replace-ips
+
+ # Make sure hostname is correct
+ /bin/hostname host
+
+ if [ "${WHONIX}" == "gateway" ]; then
+ # Make sure we remove whonixsetup.done if Tor is not enabled
+ # to allow choice of repo and prevent whonixcheck errors
+ grep "^DisableNetwork 0$" /etc/tor/torrc || {
+ rm -f /var/lib/whonix/do_once/whonixsetup.done
+ }
+ fi
+fi
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh
new file mode 100755
index 0000000..a08322d
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh
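Review bot: `immutableFilesEnable "${IMMUTABLE_FILES}"` on lines 15–16 passes only the first array element (`/etc/resolv.conf`), because `"${arr}"` is `"${arr[0]}"` in bash; unless `immutableFilesEnable` in `/usr/lib/whonix/utility_functions` (not visible here) re-splits its argument, `/etc/hostname` and `/etc/hosts` never get the immutable bit from these calls and depend on whatever `copyAnondist` does afterwards. If the helper iterates over `"$@"`, the calls should be `immutableFilesEnable "${IMMUTABLE_FILES[@]}"` and `immutableFilesEnable "${IMMUTABLE_FILES[@]}" ".anondist"`. The `grep "^DisableNetwork 0$" /etc/tor/torrc` on line 34 also echoes the matched line into the unit's syslog output; `grep -q` keeps the exit status and drops the noise. The identical file is added for the workstation flavour in the later `init/init.sh` hunk, where the same applies.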
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+# Or just enable them :)
+#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service'
+#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service'
+#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service'
+
+
+INTERFACE="eth1"
+
+if [ "${WHONIX}" == "gateway" ]; then
+
+ if [ -x /usr/sbin/xenstore-read ]; then
+ XENSTORE_READ="/usr/sbin/xenstore-read"
+ else
+ XENSTORE_READ="/usr/bin/xenstore-read"
+ fi
+
+ # Setup Xen / Qubes proxy
+ network=$(xenstore-read qubes-netvm-network 2>/dev/null)
+ if [ "x$network" != "x" ]; then
+ gateway=$(xenstore-read qubes-netvm-gateway)
+ netmask=$(xenstore-read qubes-netvm-netmask)
+ secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
+ modprobe netbk 2> /dev/null || modprobe xen-netback
+ echo "NS1=$gateway" > /var/run/qubes/qubes-ns
+ echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
+ #/usr/lib/qubes/qubes-setup-dnat-to-ns
+ echo "0" > /proc/sys/net/ipv4/ip_forward
+ /sbin/ethtool -K eth0 sg off || :
+ fi
+
+ # Now, assign it the netvm-gateway IP address
+ ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
+ if [ x${ip} != x ]; then
+ # Create a dummy eth1 interface so tor can bind to it if there
+ # are no DOMU virtual machines connected at the moment
+ /sbin/ip link add ${INTERFACE} type dummy
+
+ netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
+ gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
+ /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
+ /sbin/ifconfig ${INTERFACE} up
+ /sbin/ethtool -K ${INTERFACE} sg off || true
+ /sbin/ethtool -K ${INTERFACE} tx off || true
+
+ ip link set ${INTERFACE} up
+ fi
+
+ echo "0" > /proc/sys/net/ipv4/ip_forward
+
+ # Allow whonix-gateway to act as an update-proxy
+ touch 
/var/run/qubes-service/qubes-updates-proxy
+ #systemctl stop qubes-updates-proxy.service
+
+ # Search and replace tinyproxy error files so we can inject code that
+ # we can use to identify that its a tor proxy so updates are secure
+ error_file="/usr/share/tinyproxy/default.html"
+ grep -q "${PROXY_META}" "${error_file}" || {
+ sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
+ }
+fi
+
+# Copy firewall script so Qubes will reload it when it reloads
+cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script
new file mode 100755
index 0000000..6863a9e
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script
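Review bot: The value of `PROXY_META` (defined in `/usr/lib/whonix/utility_functions`, not visible here) is spliced unescaped into the `sed -i "s/<\/head>/${PROXY_META}\n<\/head>/"` expression near the end of the gateway block, so any `/` in the tag — a self-closing `<meta … />` has one — terminates the `s` command early and sed most likely rejects the script, leaving `default.html` unmarked; the preceding `grep -q "${PROXY_META}"` treats the same value as a regex. A delimiter that cannot occur in the tag plus a fixed-string test avoids both problems, e.g. `grep -qF -- "${PROXY_META}" "${error_file}" || sed -i "s|</head>|${PROXY_META}\n</head>|" "${error_file}"`, and `sudo` is unnecessary since the unit already runs as root. Separately, `/sbin/ip link add ${INTERFACE} type dummy` on line 40 lost the `ip link show` guard the deleted `setup-ip` had, so a `systemctl restart qubes-whonix-network.service` logs an RTNETLINK "File exists" error (not fatal, as nothing here sets `-e`), and the first xenstore block calls bare `xenstore-read` although `XENSTORE_READ` was just computed for that purpose. The same file is added for the workstation flavour in the later `init/network-proxy-setup.sh` hunk.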
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+if [ "${WHONIX}" != "template" ]; then
+ # Make sure IP forwarding is disabled
+ echo "0" > /proc/sys/net/ipv4/ip_forward
+
+ if [ -x /usr/sbin/xenstore-read ]; then
+ XENSTORE_READ="/usr/sbin/xenstore-read"
+ else
+ XENSTORE_READ="/usr/bin/xenstore-read"
+ fi
+
+ ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
+
+ # Start Whonix Firewall
+ if [ "${WHONIX}" == "gateway" ]; then
+ export INT_IF="vif+"
+ export INT_TIF="vif+"
+
+ # Inject custom firewall rules into whonix_firewall
+ sed -i -f - /usr/bin/whonix_firewall <<-EOF
+/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
+## IPv4 DROP INVALID INCOMING PACKAGES \\
+## \\
+## --- THE FOLLOWING WS INJECTED --- \\
+## Qubes Tiny Proxy Updater \\
+iptables -t nat -N PR-QBS-SERVICES \\
+iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
+iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
+iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
+iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
+\\
+# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
+# Allows localhost access to tor network \\
+iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
+######################################
+EOF
+ fi
+
+ # Load the firewall
+ # XXX: TODO: Take down all network accesss if firewall fails
+ /usr/bin/whonix_firewall
+
+ systemctl restart qubes-updates-proxy.service
+fi
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/replace-ips
similarity index 100%
rename from scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/replace-ips
rename to scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/replace-ips
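Review bot: The sed `c` command on line 24 replaces the whole range from the `## IPv4 DROP INVALID INCOMING PACKAGES` header to the next separator line, so whatever rules `/usr/bin/whonix_firewall` keeps in that section (not visible here; the title suggests INVALID-state DROP rules) are deleted rather than supplemented every time this script runs, and the replacement only re-creates the two marker lines. Anchoring the injection on the separator inside the range, `/^## IPv4 DROP INVALID INCOMING PACKAGES/,/^######################################/{/^######################################/i \` … `}`, keeps the original rules and stays re-entrant. The injected DNAT line also interpolates `${ip}` without checking that `xenstore-read` on line 15 returned anything (its stderr is discarded), so with an empty value the rewritten firewall contains `iptables -t nat -A OUTPUT -s -d -j DNAT …`, which fails when it runs on line 44, and the TODO on line 43 indicates a failed rule does not fail closed; moving the two `export` lines above the test and using `if [ "${WHONIX}" == "gateway" ] && [ -n "${ip}" ]; then` with a stderr message in the else branch avoids writing the broken rule. The workstation flavour gets the identical file in the later `init/qubes-firewall-user-script` hunk, where `systemctl restart qubes-updates-proxy.service` also runs although only the gateway is set up as an update proxy.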
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip
deleted file mode 100755
index 989ccd8..0000000
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/setup-ip
+++ /dev/null
@@ -1,78 +0,0 @@ -#!/bin/bash - -. /usr/lib/whonix/utility_functions - -if [ "${WHONIX}" == "gateway" ]; then - if [ -x /usr/sbin/xenstore-read ]; then - XENSTORE_READ="/usr/sbin/xenstore-read" - else - XENSTORE_READ="/usr/bin/xenstore-read" - fi - - INTERFACE="eth1" - ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) - - # Create a dummy eth1 interface so tor can bind to it if there - # are no DOMU virtual machines connected at the moment - ip link show ${INTERFACE} >> /dev/null || { - /sbin/ip link add ${INTERFACE} type dummy - - # Now, assign it the netvm-gateway IP address - if [ x${ip} != x ]; then - netmask=$(${XENSTORE_READ} qubes-netvm-netmask) - gateway=$(${XENSTORE_READ} qubes-netvm-gateway) - /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 - /sbin/ifconfig ${INTERFACE} up - /sbin/ethtool -K ${INTERFACE} sg off || true - /sbin/ethtool -K ${INTERFACE} tx off || true - fi - - ip link set ${INTERFACE} up - } -fi - -if [ "${WHONIX}" != "template" ]; then - # Files that will have the immutable bit set - # since we don't want them modified by other programs - IMMUTABLE_FILES=( - '/etc/resolv.conf' - '/etc/hostname' - '/etc/hosts' - ) - - # Make sure all .anondist files in list are immutable - immutableFilesEnable "${IMMUTABLE_FILES}" - immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" - - # Make sure we are using a copy of the annondist file and if not - # copy the annondist file and set it immutable - copyAnondist "/etc/resolv.conf" - copyAnondist "/etc/hosts" - copyAnondist "/etc/hostname" - - # Replace IP addresses in known configuration files / scripts to - # currently discovered one - /usr/lib/whonix/replace-ips - - # Make sure hostname is correct - /bin/hostname host - - # Start Whonix Firewall - if [ "${WHONIX}" == "gateway" ]; then - export INT_IF="vif+" - export INT_TIF="vif+" - fi - /usr/bin/whonix_firewall - - if [ "${WHONIX}" == "gateway" ]; then - # Route any traffic FROM netvm TO netvm BACK-TO localhost - # Allows localhost 
access to tor network - iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 - fi - - # Make sure we remove whonixsetup.done if Tor is not enabled - # to allow choice of repo and prevent whonixcheck errors - grep "^DisableNetwork 0$" /etc/tor/torrc || { - rm -f /var/lib/whonix/do_once/whonixsetup.done - } -fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh deleted file mode 100755 index 6570b49..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/tests.sh +++ /dev/null 
@@ -1,95 +0,0 @@ -#!/bin/bash - -. /usr/lib/whonix/utility_functions - -#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" -#disable_sysv tor -#disable_sysv sdwdate - -iptables -F -iptables -t nat -F - -LOG_IP4=1 -LOG_IP6=0 - -# for IPv4 -if [ "$LOG_IP4" == "1" ]; then - iptables -t raw -A OUTPUT -p icmp -j TRACE - iptables -t raw -A PREROUTING -p icmp -j TRACE - modprobe ipt_LOG -fi - -# for IPv6 -if [ "$LOG_IP6" == "1" ]; then - ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE - ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE - ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE - ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE - modprobe ip6t_LOG -fi - -sysctl -w net.ipv4.ip_forward=1 - -iptables -A FORWARD -i eth0 -j ACCEPT -iptables -A FORWARD -o eth0 -j ACCEPT -iptables -A FORWARD -i lo -j ACCEPT -iptables -A FORWARD -o lo -j ACCEPT - -#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE - -#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105 -#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 - - -#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082 - -#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT" -#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 
10.137.255.254 -p tcp --dport 8082 -j REDIRECT" - -#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT -#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT -#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT -#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT -#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082 - -#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 - -#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 -#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 -#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254 -#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254 - -# Works -# localhost/loopback maps localhost port 8082 to localhost port 8888 -#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888 - -# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082 - -# Remap ALL traffic -#iptables -t 
nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082 -#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082 - - -#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105 -#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 -#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105 - -#iptables -v -L -#iptables -v -t nat -L -#telnet 127.0.0.1 9105 -#telnet 10.137.2.1 8082 -#telnet 127.0.0.1 8082 -#tail -100 /var/log/kern.log diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl index d173e0d..d33107e 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/.facl +++ b/scripts_debian/wheezy+whonix-workstation/files/.facl 
@@ -5,70 +5,84 @@ user::rwx group::r-x other::r-x -# file: etc +# file: lib # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/hosts +# file: lib/systemd # owner: root # group: root -user::rw- -group::r-- -other::r-- +user::rwx +group::r-x +other::r-x -# file: etc/uwt.d +# file: lib/systemd/system # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/uwt.d/50_uwt_default +# file: lib/systemd/system/qubes-whonix-firewall.service # owner: root # group: root user::rw- group::r-- other::r-- -# file: etc/xdg +# file: lib/systemd/system/qubes-whonix-network.service +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/xdg/autostart +# file: etc/hosts +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + +# file: etc/uwt.d # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/xdg/autostart/qubes-whonixsetup.desktop +# file: etc/uwt.d/50_uwt_default # owner: root # group: root user::rw- group::r-- other::r-- -# file: etc/udev +# file: etc/xdg # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/udev/rules.d +# file: etc/xdg/autostart # owner: root # group: root user::rwx group::r-x other::r-x -# file: etc/udev/rules.d/99-qubes-whonix.rules +# file: etc/xdg/autostart/qubes-whonixsetup.desktop # owner: root # group: root user::rw- 
@@ -131,27 +145,55 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/setup-ip +# file: usr/lib/whonix/whonix.sh # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix/messages.yaml +# file: usr/lib/whonix/init # owner: root # group: root -user::rw- -group::r-- -other::r-- +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/init/replace-ips +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/init/init.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + +# file: usr/lib/whonix/init/network-proxy-setup.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x -# file: usr/lib/whonix/replace-ips +# file: usr/lib/whonix/init/qubes-firewall-user-script # owner: root # group: root user::rwx group::r-x other::r-x +# file: usr/lib/whonix/messages.yaml +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: usr/lib/whonix/alert # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules b/scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules deleted file mode 100644 index 8bcf97d..0000000 --- a/scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules +++ /dev/null @@ -1 +0,0 @@ -SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip" diff --git a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service new file mode 100644 index 0000000..649fe7a --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service 
@@ -0,0 +1,14 @@
+[Unit]
+Description=Qubes Whonix firewall updater
+After=qubes-whonix-network.service
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=/usr/lib/whonix/init/init.sh
+ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service
new file mode 100644
index 0000000..245e031
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Qubes Whonix network proxy setup
+ConditionPathExists=/var/run/qubes-service/qubes-network
+Before=network.target
+After=qubes-firewall.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh
new file mode 100755
index 0000000..2727847
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+if [ "${WHONIX}" != "template" ]; then
+ # Files that will have the immutable bit set
+ # since we don't want them modified by other programs
+ IMMUTABLE_FILES=(
+ '/etc/resolv.conf'
+ '/etc/hostname'
+ '/etc/hosts'
+ )
+
+ # Make sure all .anondist files in list are immutable
+ immutableFilesEnable "${IMMUTABLE_FILES}"
+ immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
+
+ # Make sure we are using a copy of the annondist file and if not
+ # copy the annondist file and set it immutable
+ copyAnondist "/etc/resolv.conf"
+ copyAnondist "/etc/hosts"
+ copyAnondist "/etc/hostname"
+
+ # Replace IP addresses in known configuration files / scripts to
+ # currently discovered one
+ /usr/lib/whonix/init/replace-ips
+
+ # Make sure hostname is correct
+ /bin/hostname host
+
+ if [ "${WHONIX}" == "gateway" ]; then
+ # Make sure we remove whonixsetup.done if Tor is not enabled
+ # to allow choice of repo and prevent whonixcheck errors
+ grep "^DisableNetwork 0$" /etc/tor/torrc || {
+ rm -f /var/lib/whonix/do_once/whonixsetup.done
+ }
+ fi
+fi
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh
new file mode 100755
index 0000000..a08322d
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+# Or just enable them :)
+#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service'
+#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service'
+#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service'
+
+
+INTERFACE="eth1"
+
+if [ "${WHONIX}" == "gateway" ]; then
+
+ if [ -x /usr/sbin/xenstore-read ]; then
+ XENSTORE_READ="/usr/sbin/xenstore-read"
+ else
+ XENSTORE_READ="/usr/bin/xenstore-read"
+ fi
+
+ # Setup Xen / Qubes proxy
+ network=$(xenstore-read qubes-netvm-network 2>/dev/null)
+ if [ "x$network" != "x" ]; then
+ gateway=$(xenstore-read qubes-netvm-gateway)
+ netmask=$(xenstore-read qubes-netvm-netmask)
+ secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
+ modprobe netbk 2> /dev/null || modprobe xen-netback
+ echo "NS1=$gateway" > /var/run/qubes/qubes-ns
+ echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
+ #/usr/lib/qubes/qubes-setup-dnat-to-ns
+ echo "0" > /proc/sys/net/ipv4/ip_forward
+ /sbin/ethtool -K eth0 sg off || :
+ fi
+
+ # Now, assign it the netvm-gateway IP address
+ ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
+ if [ x${ip} != x ]; then
+ # Create a dummy eth1 interface so tor can bind to it if there
+ # are no DOMU virtual machines connected at the moment
+ /sbin/ip link add ${INTERFACE} type dummy
+
+ netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
+ gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
+ /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
+ /sbin/ifconfig ${INTERFACE} up
+ /sbin/ethtool -K ${INTERFACE} sg off || true
+ /sbin/ethtool -K ${INTERFACE} tx off || true
+
+ ip link set ${INTERFACE} up
+ fi
+
+ echo "0" > /proc/sys/net/ipv4/ip_forward
+
+ # Allow whonix-gateway to act as an update-proxy
+ touch 
/var/run/qubes-service/qubes-updates-proxy
+ #systemctl stop qubes-updates-proxy.service
+
+ # Search and replace tinyproxy error files so we can inject code that
+ # we can use to identify that its a tor proxy so updates are secure
+ error_file="/usr/share/tinyproxy/default.html"
+ grep -q "${PROXY_META}" "${error_file}" || {
+ sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
+ }
+fi
+
+# Copy firewall script so Qubes will reload it when it reloads
+cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script
new file mode 100755
index 0000000..6863a9e
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+. /usr/lib/whonix/utility_functions
+
+if [ "${WHONIX}" != "template" ]; then
+ # Make sure IP forwarding is disabled
+ echo "0" > /proc/sys/net/ipv4/ip_forward
+
+ if [ -x /usr/sbin/xenstore-read ]; then
+ XENSTORE_READ="/usr/sbin/xenstore-read"
+ else
+ XENSTORE_READ="/usr/bin/xenstore-read"
+ fi
+
+ ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
+
+ # Start Whonix Firewall
+ if [ "${WHONIX}" == "gateway" ]; then
+ export INT_IF="vif+"
+ export INT_TIF="vif+"
+
+ # Inject custom firewall rules into whonix_firewall
+ sed -i -f - /usr/bin/whonix_firewall <<-EOF
+/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
+## IPv4 DROP INVALID INCOMING PACKAGES \\
+## \\
+## --- THE FOLLOWING WS INJECTED --- \\
+## Qubes Tiny Proxy Updater \\
+iptables -t nat -N PR-QBS-SERVICES \\
+iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
+iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
+iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
+iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
+\\
+# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
+# Allows localhost access to tor network \\
+iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
+######################################
+EOF
+ fi
+
+ # Load the firewall
+ # XXX: TODO: Take down all network accesss if firewall fails
+ /usr/bin/whonix_firewall
+
+ systemctl restart qubes-updates-proxy.service
+fi
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/replace-ips
similarity index 100%
rename from scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips
rename to scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/replace-ips
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip
deleted file mode 100755
index 989ccd8..0000000
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip
+++ /dev/null
@@ -1,78 +0,0 @@ -#!/bin/bash - -. /usr/lib/whonix/utility_functions - -if [ "${WHONIX}" == "gateway" ]; then - if [ -x /usr/sbin/xenstore-read ]; then - XENSTORE_READ="/usr/sbin/xenstore-read" - else - XENSTORE_READ="/usr/bin/xenstore-read" - fi - - INTERFACE="eth1" - ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) - - # Create a dummy eth1 interface so tor can bind to it if there - # are no DOMU virtual machines connected at the moment - ip link show ${INTERFACE} >> /dev/null || { - /sbin/ip link add ${INTERFACE} type dummy - - # Now, assign it the netvm-gateway IP address - if [ x${ip} != x ]; then - netmask=$(${XENSTORE_READ} qubes-netvm-netmask) - gateway=$(${XENSTORE_READ} qubes-netvm-gateway) - /sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255 - /sbin/ifconfig ${INTERFACE} up - /sbin/ethtool -K ${INTERFACE} sg off || true - /sbin/ethtool -K ${INTERFACE} tx off || true - fi - - ip link set ${INTERFACE} up - } -fi - -if [ "${WHONIX}" != "template" ]; then - # Files that will have the immutable bit set - # since we don't want them modified by other programs - IMMUTABLE_FILES=( - '/etc/resolv.conf' - '/etc/hostname' - '/etc/hosts' - ) - - # Make sure all .anondist files in list are immutable - immutableFilesEnable "${IMMUTABLE_FILES}" - immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist" - - # Make sure we are using a copy of the annondist file and if not - # copy the annondist file and set it immutable - copyAnondist "/etc/resolv.conf" - copyAnondist "/etc/hosts" - copyAnondist "/etc/hostname" - - # Replace IP addresses in known configuration files / scripts to - # currently discovered one - /usr/lib/whonix/replace-ips - - # Make sure hostname is correct - /bin/hostname host - - # Start Whonix Firewall - if [ "${WHONIX}" == "gateway" ]; then - export INT_IF="vif+" - export INT_TIF="vif+" - fi - /usr/bin/whonix_firewall - - if [ "${WHONIX}" == "gateway" ]; then - # Route any traffic FROM netvm TO netvm BACK-TO localhost - # Allows localhost 
access to tor network - iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 - fi - - # Make sure we remove whonixsetup.done if Tor is not enabled - # to allow choice of repo and prevent whonixcheck errors - grep "^DisableNetwork 0$" /etc/tor/torrc || { - rm -f /var/lib/whonix/do_once/whonixsetup.done - } -fi From 9322bab8c10da55d63a030fb999e09de411093db Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 7 Nov 2014 00:34:38 -0500 Subject: [PATCH 61/83] debian: Enable Whonix systemd services --- .../files/usr/lib/whonix/init/network-proxy-setup.sh | 6 ------ scripts_debian/wheezy+whonix/04_install_qubes_post.sh | 6 ++++++ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh index a08322d..67d078e 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh @@ -2,12 +2,6 @@ . /usr/lib/whonix/utility_functions -# Or just enable them :) -#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service' -#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service' -#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service' - - INTERFACE="eth1" if [ "${WHONIX}" == "gateway" ]; then diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh index f394ff8..7456adf 100755 --- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh +++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh 
@@ -19,6 +19,12 @@ else
 set -e
 fi
+# ------------------------------------------------------------------------------
+# Enable Qubes-Whonix services
+# ------------------------------------------------------------------------------
+chroot "${INSTALLDIR}" systemctl enable qubes-whonix-network.service || :
+chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall || :
+
 # ------------------------------------------------------------------------------
 # Restore Whonix apt-get
 # ------------------------------------------------------------------------------
From d682f0bfaa935d9daafaa9b1d8ba5b2962ab59e3 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Fri, 7 Nov 2014 09:08:28 -0500 Subject: [PATCH 62/83] debian: Added time sync packages --- scripts_debian/packages_qubes.list | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/scripts_debian/packages_qubes.list b/scripts_debian/packages_qubes.list
index 55a8f32..6bea80d 100644
--- a/scripts_debian/packages_qubes.list
+++ b/scripts_debian/packages_qubes.list
@@ -4,3 +4,5 @@ xdg-user-dirs
 gnome-themes-standard
 xsettingsd
 gnome-packagekit
+chrony
+ntpdate
From 9efcf913e7c2017f6e54f7505acb69afab39954b Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 9 Nov 2014 12:52:35 -0500 Subject: [PATCH 63/83] debian: Modified template install script to read better --- create_template_list.sh | 67 ++++++++++++++++++++++------------------- 1 file changed, 36 insertions(+), 31 deletions(-)
diff --git a/create_template_list.sh b/create_template_list.sh
index 2ede209..7d4fb07 100755
--- a/create_template_list.sh
+++ b/create_template_list.sh
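Review bot: `|| :` on both `systemctl enable` lines discards the failure, so a template whose firewall unit could not be enabled still builds cleanly and then boots with no Whonix firewall service, even though the `set -e` restored just above shows the rest of the script is meant to be strict. If enable failures must be tolerated here, make them visible instead of silent: `chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall.service || echo "WARNING: could not enable qubes-whonix-firewall.service" >&2`, and the same for the network unit. The later hunk of this file in PATCH 64 keeps the pattern on its disable/enable pairs and on qubes-whonix-init.service.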
@@ -1,48 +1,53 @@ #!/bin/bash +# vim: set ts=4 sw=4 sts=4 et : # # Creates a small script to copy to dom0 to retrieve the generated template rpm's # -TEMPLATES="./rpm/install-templates.sh" +template_dir="$(readlink -m ./rpm/install-templates.sh)" +files=( $(ls rpm/noarch) ) +name=$($XENSTORE_READ name) -write() { - echo "$1" >> "$TEMPLATES" -} +# ----------------------------------------------------------------------------- +# Write $vars +# ----------------------------------------------------------------------------- +cat << EOF > "${template_dir}" +#!/bin/bash -if [ -x /usr/sbin/xenstore-read ]; then - XENSTORE_READ="/usr/sbin/xenstore-read" -else - XENSTORE_READ="/usr/bin/xenstore-read" -fi +# Use the following command in DOM0 to retreive this file: +# qvm-run --pass-io ${name} 'cat ${template_dir}' > install-templates.sh -TEMPLATES="$(readlink -m $TEMPLATES)" -VERSION="-$(cat ./version)" -name=$($XENSTORE_READ name) -path="$(readlink -m .)" -files=$(ls rpm/noarch) +files=" +$(printf "%s \n" ${files[@]}) +" -# -# Write to install-templates -# +path="$(readlink -m .)/rpm/noarch" +version="-$(cat ./version)" +EOF -echo "#!/bin/bash" > "$TEMPLATES" -write "" +# ----------------------------------------------------------------------------- +# Write installation function +# ----------------------------------------------------------------------------- +cat << 'EOF' >> "${template_dir}" for file in ${files[@]}; do - write "qvm-run --pass-io development-qubes 'cat ${path}/rpm/noarch/${file}' > ${file}" - write "" - write "sudo yum erase $(echo "$file" | sed -r "s/($VERSION).+$//")" - write "" - write "sudo yum install ${file}" - write "" - write "" + if [ ! 
-e ${file} ]; then + qvm-run --pass-io development-qubes "cat ${path}/${file}" > ${file} + fi + + sudo yum erase $(echo "${file}" | sed -r "s/(${version}).+$//") && { + sudo yum install ${file} && { + rm -f ${file} + } + } done - -write "# Use the following command in DOM0 to retreive this file:" -write "# qvm-run --pass-io $name 'cat ${TEMPLATES}' > install-templates.sh" - +EOF + +# ----------------------------------------------------------------------------- +# Display instructions +# ----------------------------------------------------------------------------- echo "Use the following command in DOM0 to retreive this file:" -echo "qvm-run --pass-io $name 'cat ${TEMPLATES}' > install-templates.sh" +echo "qvm-run --pass-io ${name} 'cat ${template_dir}' > install-templates.sh" From af189150c9e0f55c054d52b1db695673d8a590d2 Mon Sep 17 00:00:00 2001 
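Review bot: The generated fetch line hard-codes the source VM as `development-qubes` (`qvm-run --pass-io development-qubes "cat ${path}/${file}" > ${file}`) although the script already resolves the real VM name into `${name}` for the header comment and the closing echo, so on any other build VM the dom0 script fetches nothing. Because that line sits inside the quoted `'EOF'` here-doc, pass the name through the first, unquoted here-doc (`name="${name}"` next to `path=` and `version=`) and use `qvm-run --pass-io "${name}" "cat ${path}/${file}" > "${file}"` in the loop. `files=( $(ls rpm/noarch) )` word-splits `ls` output; `files=( rpm/noarch/*.rpm )` with `${file##*/}` wherever the basename is needed is the robust form.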
From: Jason Mehring Date: Sun, 9 Nov 2014 12:53:07 -0500 Subject: [PATCH 64/83] debian: Whonix systemd overrides --- .../wheezy+whonix-gateway/files/.facl | 19 +++++++++++++------ .../system/qubes-whonix-firewall.service | 6 ++---- .../systemd/system/qubes-whonix-init.service | 13 +++++++++++++ .../system/qubes-whonix-network.service | 3 ++- .../lib/whonix/init/network-proxy-setup.sh | 5 +---- ...l-user-script => qubes-whonix-firewall.sh} | 0 .../lib/whonix/init/qubes-whonix-tor.service | 16 ++++++++++++++++ .../wheezy+whonix-workstation/files/.facl | 18 +++++++++--------- .../system/qubes-whonix-firewall.service | 6 ++---- .../systemd/system/qubes-whonix-init.service | 13 +++++++++++++ .../system/qubes-whonix-network.service | 3 ++- .../lib/whonix/init/network-proxy-setup.sh | 11 +---------- ...l-user-script => qubes-whonix-firewall.sh} | 0 .../wheezy+whonix/04_install_qubes_post.sh | 7 ++++++- 14 files changed, 80 insertions(+), 40 deletions(-) create mode 100644 scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service rename scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/{qubes-firewall-user-script => qubes-whonix-firewall.sh} (100%) create mode 100644 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service create mode 100644 scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service rename scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/{qubes-firewall-user-script => qubes-whonix-firewall.sh} (100%) diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl index b580d19..f25a44e 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/.facl +++ b/scripts_debian/wheezy+whonix-gateway/files/.facl 
@@ -40,6 +40,13 @@ user::rw- group::r-- other::r-- +# file: lib/systemd/system/qubes-whonix-init.service +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc # owner: root # group: root @@ -166,14 +173,14 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/whonix.sh +# file: usr/lib/whonix/init # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix/init +# file: usr/lib/whonix/init/qubes-whonix-firewall.sh # owner: root # group: root user::rwx @@ -201,12 +208,12 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/init/qubes-firewall-user-script +# file: usr/lib/whonix/init/qubes-whonix-tor.service # owner: root # group: root -user::rwx -group::r-x -other::r-x +user::rw- +group::r-- +other::r-- # file: usr/lib/whonix/messages.yaml # owner: root diff --git a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service index 649fe7a..89a5229 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service +++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service @@ -4,11 +4,9 @@ After=qubes-whonix-network.service Before=network.target [Service] -Type=oneshot -RemainAfterExit=yes -ExecStartPre=/usr/lib/whonix/init/init.sh -ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script +ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=qubes-firewall.service diff --git a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service new file mode 100644 index 0000000..6215c2c --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service 
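Review bot: Removing `Type=oneshot` and `RemainAfterExit=yes` turns qubes-whonix-firewall.service into a `Type=simple` unit, which systemd considers started as soon as qubes-whonix-firewall.sh is forked, so the `Before=network.target` ordering no longer waits for the rules to actually be loaded and anything ordered after network.target can come up before the firewall is in place. A script that installs rules and exits should keep `Type=oneshot` together with `RemainAfterExit=yes` next to the new `ExecStart=` line. The workstation copy of this unit in a later hunk of this commit has the same change. The intent behind `Alias=qubes-firewall.service` (and `Alias=qubes-network.service` in the network units) is not stated anywhere; since `systemctl enable` will create that name under /etc/systemd/system, a one-line comment saying which unit it is meant to stand in for would help the next reader.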
@@ -0,0 +1,13 @@ +[Unit] +Description=Qubes Whonix initialization script +After=qubes-whonix-network.service +Before=qubes-whonix-firewall.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/whonix/init/init.sh +StandardOutput=syslog + +[Install] +WantedBy=multi-user.target diff --git a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service index 245e031..4e71280 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service +++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service @@ -2,7 +2,7 @@ Description=Qubes Whonix network proxy setup ConditionPathExists=/var/run/qubes-service/qubes-network Before=network.target -After=qubes-firewall.service +After=iptables.service [Service] Type=oneshot @@ -12,3 +12,4 @@ StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=qubes-network.service diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh index 67d078e..4010441 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh @@ -53,9 +53,6 @@ if [ "${WHONIX}" == "gateway" ]; then # we can use to identify that its a tor proxy so updates are secure error_file="/usr/share/tinyproxy/default.html" grep -q "${PROXY_META}" "${error_file}" || { - sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" + sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" } fi - -# Copy firewall script so Qubes will reload it when it reloads -cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script 
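Review bot: Nothing pulls this unit in: it only orders itself `Before=qubes-whonix-firewall.service`, and the firewall unit in this commit does not reference it, so whenever qubes-whonix-init.service is not enabled the firewall script runs without init.sh having executed. The install script hunk of this commit does enable it, but the dependency should not rest on that alone; pair the ordering with `Requires=qubes-whonix-init.service` and `After=qubes-whonix-init.service` in qubes-whonix-firewall.service, which works here because this unit is `Type=oneshot` with `RemainAfterExit=yes`. The workstation copy of this unit has the same gap.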
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh similarity index 100% rename from scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script rename to scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service new file mode 100644 index 0000000..0a83e1b --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service @@ -0,0 +1,16 @@ +[Unit] +Description = Anonymizing overlay network for TCP +After = syslog.target network.target nss-lookup.target + +[Service] +Type = simple +ExecStart = /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --quiet +ExecReload = /bin/kill -HUP ${MAINPID} +ExecStop = /bin/kill -INT ${MAINPID} +TimeoutSec = 60 +Restart = on-failure +LimitNOFILE = 32768 + +[Install] +WantedBy = multi-user.target +Alias=tor.service diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl index d33107e..41e3aba 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/.facl +++ b/scripts_debian/wheezy+whonix-workstation/files/.facl @@ -40,6 +40,13 @@ user::rw- group::r-- other::r-- +# file: lib/systemd/system/qubes-whonix-init.service +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc # owner: root # group: root 
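Review bot: qubes-whonix-tor.service runs `/usr/bin/tor` with no `User=` line and no sandboxing directives, so whether tor drops root depends entirely on the `User` directive in /usr/share/tor/tor-service-defaults-torrc — presumably present, but not visible here. Set `User=debian-tor` in the unit so that a torrc edit cannot leave tor running as root (checking it agrees with whatever the defaults torrc sets), and consider `PrivateTmp=yes` and `NoNewPrivileges=yes` under `[Service]`. `Alias=tor.service` will shadow the distribution's unit of that name once enabled, and the file lives under /usr/lib/whonix/init/ rather than a systemd unit directory, so a comment at the top stating how and where it is installed and that it is meant to replace the stock tor unit would help.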
@@ -145,14 +152,14 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/whonix.sh +# file: usr/lib/whonix/init # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix/init +# file: usr/lib/whonix/init/qubes-whonix-firewall.sh # owner: root # group: root user::rwx @@ -180,13 +187,6 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/init/qubes-firewall-user-script -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - # file: usr/lib/whonix/messages.yaml # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service index 649fe7a..89a5229 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service +++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service @@ -4,11 +4,9 @@ After=qubes-whonix-network.service Before=network.target [Service] -Type=oneshot -RemainAfterExit=yes -ExecStartPre=/usr/lib/whonix/init/init.sh -ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script +ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=qubes-firewall.service diff --git a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service new file mode 100644 index 0000000..6215c2c --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service 
@@ -0,0 +1,13 @@ +[Unit] +Description=Qubes Whonix initialization script +After=qubes-whonix-network.service +Before=qubes-whonix-firewall.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/whonix/init/init.sh +StandardOutput=syslog + +[Install] +WantedBy=multi-user.target diff --git a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service index 245e031..4e71280 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service +++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service @@ -2,7 +2,7 @@ Description=Qubes Whonix network proxy setup ConditionPathExists=/var/run/qubes-service/qubes-network Before=network.target -After=qubes-firewall.service +After=iptables.service [Service] Type=oneshot @@ -12,3 +12,4 @@ StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=qubes-network.service diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh index a08322d..4010441 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh 
@@ -2,12 +2,6 @@ . /usr/lib/whonix/utility_functions -# Or just enable them :) -#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service' -#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service' -#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service' - - INTERFACE="eth1" if [ "${WHONIX}" == "gateway" ]; then @@ -59,9 +53,6 @@ if [ "${WHONIX}" == "gateway" ]; then # we can use to identify that its a tor proxy so updates are secure error_file="/usr/share/tinyproxy/default.html" grep -q "${PROXY_META}" "${error_file}" || { - sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" + sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" } fi - -# Copy firewall script so Qubes will reload it when it reloads -cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh similarity index 100% rename from scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script rename to scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh index 7456adf..9f58254 100755 --- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh +++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh 
@@ -22,8 +22,13 @@ fi
 # ------------------------------------------------------------------------------
 # Enable Qubes-Whonix services
 # ------------------------------------------------------------------------------
+chroot "${INSTALLDIR}" systemctl disable qubes-whonix-network.service || :
 chroot "${INSTALLDIR}" systemctl enable qubes-whonix-network.service || :
-chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall || :
+
+chroot "${INSTALLDIR}" systemctl disable qubes-whonix-firewall.service || :
+chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall.service || :
+
+chroot "${INSTALLDIR}" systemctl enable qubes-whonix-init.service || :
 
 # ------------------------------------------------------------------------------
 # Restore Whonix apt-get
From 55d06dc83dda1e251766aadc6d5b107a231bcf2b Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 9 Nov 2014 13:24:08 -0500 Subject: [PATCH 65/83] xenstore-read name was missing from create_template_list.sh --- create_template_list.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/create_template_list.sh b/create_template_list.sh
index 7d4fb07..cf8dfed 100755
--- a/create_template_list.sh
+++ b/create_template_list.sh
@@ -7,7 +7,7 @@ template_dir="$(readlink -m ./rpm/install-templates.sh)" files=( $(ls rpm/noarch) ) -name=$($XENSTORE_READ name) +name=$(xenstore-read name) # ----------------------------------------------------------------------------- # Write $vars
From 2838225f441d2c6012472e7c0acdb7725b56c77b Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Mon, 10 Nov 2014 10:47:27 -0500 Subject: [PATCH 66/83] Made sure color chroot function returned shell exit status and not trigger error within that function --- functions.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/functions.sh b/functions.sh
index ccbcb71..52ae51c 100755
--- a/functions.sh
+++ b/functions.sh
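Review bot: `name=$(xenstore-read name)` in the create_template_list.sh hunk now calls the tool unconditionally, but a failure (binary not on PATH, or not running under Xen) is silent and leaves `${name}` empty, which the script then writes into the generated `qvm-run --pass-io ${name} ...` instruction and the closing echo. Fail early instead: `name=$(xenstore-read name) || { echo "xenstore-read name failed" >&2; exit 1; }`. The removed `XENSTORE_READ` lookup used to try /usr/sbin before /usr/bin, so the script now also relies on PATH containing the right directory; worth a one-line comment if that is intended.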
@@ -67,8 +67,7 @@ if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
 chroot() {
 local retval
 true ${blue}
- /usr/sbin/chroot "$@"
- retval=$?
+ /usr/sbin/chroot "$@" && { retval=$?; true; } || { retval=$?; true; }
 true ${reset}
 return $retval
 }
From 26a594a8e5fba3c3bc2c69ac5fb7cddb0f245e38 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Mon, 10 Nov 2014 10:46:24 -0500 Subject: [PATCH 67/83] debian: renamed key files to match same format as those in qubes-builder --- scripts_debian/01_install_core.sh | 2 +- .../keys/jessie-debian-archive-keyring.gpg | Bin 0 -> 13568 bytes .../keys/wheezy-debian-archive-keyring.gpg | Bin 0 -> 3569 bytes scripts_debian/vars.sh | 4 ++-- 4 files changed, 3 insertions(+), 3 deletions(-) create mode 100644 scripts_debian/keys/jessie-debian-archive-keyring.gpg create mode 100644 scripts_debian/keys/wheezy-debian-archive-keyring.gpg
diff --git a/scripts_debian/01_install_core.sh b/scripts_debian/01_install_core.sh
index 6ff9357..0c99295 100755
--- a/scripts_debian/01_install_core.sh
+++ b/scripts_debian/01_install_core.sh
@@ -26,7 +26,7 @@ buildStep "$0" "pre"
 if ! [ -f "${INSTALLDIR}/tmp/.prepared_debootstrap" ]; then
 debug "Installing base ${DEBIANVERSION} system"
 COMPONENTS="" debootstrap --arch=amd64 --include=ncurses-term \
- --components=main --keyring="${SCRIPTSDIR}/keys/debian-${DEBIANVERSION}-archive-keyring.gpg" \
+ --components=main --keyring="${SCRIPTSDIR}/keys/${DEBIANVERSION}-debian-archive-keyring.gpg" \
 "${DEBIANVERSION}" "${INSTALLDIR}" "${DEBIAN_MIRROR}" || { error "Debootstrap failed!"; exit 1; }
 chroot "${INSTALLDIR}" chmod 0666 "/dev/null"
 touch "${INSTALLDIR}/tmp/.prepared_debootstrap"
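Review bot: `/usr/sbin/chroot "$@" && { retval=$?; true; } || { retval=$?; true; }` does capture the status in both branches, but the `&&`/`||` chain is hard to read and easy to break on a later edit; the idiom for capturing an exit status without tripping `set -e` is `retval=0` followed by `/usr/sbin/chroot "$@" || retval=$?`, which is equivalent here. The enclosing `if [ "${VERBOSE}" ... ]` block starts and ends outside the hunk.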
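Review bot: The `--keyring` argument is the trust root for the whole debootstrap, and the two keyring files this commit adds arrive as opaque binaries with nothing recording where they came from or which archive keys they are expected to contain. Add a comment above the `debootstrap` call (or a README in scripts_debian/keys/) naming the source of each `${DEBIANVERSION}-debian-archive-keyring.gpg` and the key fingerprints a reviewer should check it against, so the blobs can be verified rather than trusted. The `if ! [ -f ... ]` block this hunk sits in ends outside the hunk.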
diff --git a/scripts_debian/keys/jessie-debian-archive-keyring.gpg b/scripts_debian/keys/jessie-debian-archive-keyring.gpg new file mode 100644 index 0000000000000000000000000000000000000000..46d1f0e23f17522e0d4fb358b24d78b8c53add58 GIT binary patch literal 13568 zcmbW7V{m8f)~Elm-LdVYW81cE+qRSLxMSP4Z5!ROopg-p^mER6-+8NMYHGgj4{KNL zy7pSvx_@^nFdV3~cF{QyB4DytVuq8PuNSrP#J^d`7Ia<=#*|OHpW`KYMaR1kfj(IK z3Ku?hh8iHa0xgBD+ir&h#<<0oZHAT&W9yl{d_<(KL%_-F(XCg{?}M9bQ+ynEC79er z5LRo1lGGW@0WI8`k<&_`Sx{Rd+_pID&!rdB(I}BYT?Gu?&X~=dPVv3Mcv@ClaKM#A#?-RM%QzcMnCd zkqi}mQ@wYH4Mr*ex}xA4D$Nf*40G+2T2))d#fG(N`WU*Za`a~u($f&VmC0;Y8&}P@ zUTJ{=IxWmL*9F>6HJ$eI#PPT$UB-cjhr6?z6!eN$wTlOW!n>+RlO=4d3v!8};qbcJ zeE**Ps<8&S`3g>OIKuDOzfCqU2GJa(xlL$`(*{Lc`$No(){u(i2hZ9G5%N&75{<*Z z#BGVNqF1;{&mtjny_c7?;5+Oo7U{4DdJpp!MWd{ zQHkilN6L$&7Qy#JrZvx9eQ_}(KCY=Pj6?}CzS}Q~v<0+=4k>y$c8Ymh;D%R5d085G z#E<75lzvn0kv|N81OxzT;8t>QF){HpAy9HQFtj!yP&BbNF>o>=kTUTg;5Iffv@o!x zb^PZUzqN&vvlHDv59#b2&3Ge#c|lQtfB_U>z@Jb7V}pP}!BLp|gTp{ULVy5+qe22h zLBoKe0fPVm;{gGq`vah%5RJuA<646VpQx`80Ub{Qi4kpytwXd7dmRk=7U`*67@>$M z{3<_RcS#wdF@-DIj@1N2nKrveHj1>HzT*6Lhf-~>J=Wg7lF>(@-R`=csJ7ID(5xN| zff>0Nb#&nU?NL(L?;;eZXl+3{RZF_)I*WpVgp_u zwK2-noA%I3dn7JtM97*IjREq~nHrGMSH8-?j=ybGRsMOaDXOrMQ+ML*uG%v1d)>1yJ3smnv<@(v%w^ zE*}$QFu_K&{$h4(tX#SnBz-uKP^C4%0FVe!98g3cNC5aJL<2gXh{*RF$#7EQJWY<` ze`qAF309?tD(;HHK8Zcsv>V^~I=M}X9(&M?M5aS8)prF|`>2>+H#hN?x6?kavXzE( z9}VxCeO*st?9*esw_EduKg(~80e_++1%)rDcGm(=8FgSeFB|h-aAae2D~`g`Rbro` z<*O{&6XsuG`KjmCRE#-tbE;n+*|6;XdJKYFk1o*!3vqQaq-p&-8LXTM@Jh5^?M!p- zGNneGM?;Zydy1YocQgN-NEpmn%-4Qlnak^NAxVD-d#pm9F_=r%{nD#x-`d_@S)bDY`w6cSLb`VKwmXQxg7XW#NklmUCp)aG z$C63$3q={FM=*1%7JCMAp4xnj^U(7>H)+3}(MT$=#T%U0NBecs))c?}M@=DJP{slv z5yIX^w>`Kx9Q||K^9m^{x@xTt!71gDI4Oy-i6vtq-*P>IJ7gxQ*^++m4eu%W9g@LE z@pcu&adWQjwOr0l74}q!@fC2=>IT$dtlE}Z&d9HH-S)Mu7;e+(GQ}@x`GMd1#$E$u ze1d(v%IpO5E=gd%s17hP!wu2G!6buEQl7J!ikLxJz%~xujJGR2LFp0ZI;t|X$7r|v z2XnfQSN36z^cWV$GAZm7=~)k_qi6(t6iZLMpwQ**r-Vt(eVc~Y9e8Cn@3in?Us~ub 
zRHWQ_5rv2)5|pa7zxB+Al{1C5p(uh5N5_>_O#+$c)?D6S`9V0#kl=WfSP}y@hWyo~ z$n-*dG9?Js<9Abo7}hDP)hW!x`@a9ZpCmU-e~rza3l@a&hC|j`vH=Ek(WD)`UtN1Y z=<_{q!VVw3J(d|!a<;QXma+*-4n4m}Q)ko&sX(?otik?M9Fpn8^Wm4vQ8!i{xu>9m z^kwSg<^@b+nCwUV%wtT(wlU;RGy`RE1;}(8L9w4HY-~1Lkreo977Jm`0jR=6+5@Ut zw9R?>sCi<)o2u>78&Y;=mokD84-<_ZDX`I&=Md1NAvc}g_7Y*{)k=33w;9PZ>6D|S zzmqV|GBI;)`|f`WZ4hLKe?b5BGEEHea+W`Sw@aRMT8B`;opVX>jtw2jbh+Z$cF7yj zFktg5m||e~UDQ!jkgJ%oIvso9N7%N8lR;!SPxnQ9<<20p49S*M{&$~~v|91`(lLpz#RX4^!-b3mm=B7u0T;x0#_y5^M^ zG3rSptMbm!5e+BKiJoymuek1nX{i-~^mBnbAd#mhN_`S4+I7kgI&O^mes8?l%%2F( zwD@e=YM`yGw`v*9kVp3mijaY05XIchonYM!;`Q@J)Ai@<{Am$@a8Xc1qW-LH$AyRq6o-2RaK@M+_p*;Hfj;C4_iff_y*ko$RZz{!@cfNX`$0oa_!5$ z&SotS#`~-l0sPwzCpoBjUH-*SLlbMJ5$FOFpddo=W9*^s!cWVk}@|9 z6A)`&==qpgvY36{@2;YQO|EI%Nu%ZtN5w6fM#UGLNWHs@&pH=KT)pJ#FZQR$zG*QZWq zH+--eZb>uU$j*&VO4+AAbZ{awnwcJJQAqd#d1UW0IVn^d4&LvWUZDtS$Zt2F46}Wag<;m`m$)%*ry@5%b{KZ{rtt-6aIcMdRF*07ZvTx+c{;2% zYGY9fFx8+Arry~3m6tgAJTVB#bwKCI6&2O>dxz26uN_hJzzrQ;D=Fl;D5W~=-@MaT z-tj%%QL90;rdX{~B`e7=@2)9vj4Zn%u+`;PyBkaVCd&L5O=xhU=6%;c$6-S~6l{WY z84y73z<72OHd=sy;B*7*qnUq?0f~GflKLsh?s(IGB>BMCj1fA?;rgQ?=|RMBPwHHL z(lslsSAy2)Cd%;4FPN5GNkz;>puW=-^|0FnjRTTyxflCVwbUC6&8c)3i;bm;e^TLW zE?UO3@$i67M<9d82250?8GAN#rfwP^3|g{N^apwH(Rco-^IlPzWdU%dRVLF^NL)T# z%iF;(XyLTgcf;C5ft{=1ebX1n+W^L^<(vq_9v{c2=L`_{I!8IZ&BGQ}`JDMW^tJH& zY|Tl|4M}VVXsGIld&HT*Z-joi(%g7cHW0#FIhpkc(qFYnG=@ct9lbS=W0k8CKES#X z!{7)4Cw}ASAIUaweG5XY_gwtaZ@~h}p7`S7K#RC8;cF(k8F-D%8x_k_t|cL-XLt&I zu@dkaPVb}{t<~?Ppa_g{kL&C3@og`{VVd4DJjMYBPmF)@t@a0bfRoyWlR(|L#^^Wy zurnTaw&hgklKS6r2?9zfoQ|+-hJkRFq>1} z;%}MTjkEY@{3ZGu6!QI^D_AR(Y!0K!e>Q{=up>r?vE_jv_^2S8dPO+GLrmByV|H=C zdZ#~HT!`U$=|GlluES^sKA!F7VNnrT1Q8;t#ETF~WLK2K{tWnXCDI5|&4FAa{&qWH zCU)7#CjAr39)^oWjFeFoFdHiWw6_*DQkE$2k0eV7{}o{Z0Y@Wq3s(~Y0T*XG8v|zx zBLXE0Gg}K=v%k7b!Akd)-svBmrX=7tb+)%LaB?hl!+eUpS0)cbp!%lq5vT|U}8dV zq(X#aUekAuecI0E$+lbe+h5x0UubRXm5`=4huwEhc{hmETsJk z<)orWG#Lpw65Dr3fznL5Z-KPf6w?w_g9g?3c`2=BLjtZIgY>twOPO4lExrni4F!0y 
zUFqf;>7x9=OWI^7zH17aocy3}qZzhsmguE`u$bp}RzbN1XSg5q{F=#0q7I1;s-_mv z!-yYkD!~a^&voE{^gXel%qew0F}4yuI9sjGw~s-#-vJEzHsASOCpg=uEpO!QN68Im z`J<3rvhYjiRByXiP(8|m#$_@`f9n#F5js7VMUF?_D~03Yu5S8b^|)*q$dOHKsAlDD ztAw%&i%!ncqYSLyfKS*c5rhmS9P{sj-n|O%Wwu1*U=i0I@SGx_Mq9W}*-JZ5$Vf|d zEN+(${AIgM{%!b(-QxMm=~6U zWl@y_Y?r52rMUO$3Hw1VwpQT+jG*>o7tPunHkvHnwXmYS^Vhj?W`?~Jm{R=oj+f@jyA1T zOG-MRFNO%1L*keY|KWb{ItikpWv9gKFby6<$|NkbNANp?sNM~m+SNtHs&_UH`U zrx9}IJbH+i^@P7-r6>3orUDHU-En(f>w|u`tZGBh^9;TxZw7!H(q`hf_LwON?n0H1 zdq6TG#2d%BT@W(^U(@^+&8>Hl#W=P-s7PLy@-<%}^*G zR*^INwlhSx5~F6i@{mmLc6h(IQsE)2qyKP5rNRqsKg}RBHWsVAa=W=;#ELDj)w zX+n8BDY;6@xe5S)e3&2xEdYlN+|gd7dd?_E@LLb59F9S%l^))}l4z9S?|LhG8;{d9 zA2Dv+({WjFf#;?~f|7b5drauS&n+3u$ixPYXux|ak*HYTz1P4A8lYhl4SKJz$}87yUI z*iUkSO+hwB0dTR9%ijGemnP|eJX7=E+~Jq>D6uIxwh!NX`pYm#aq`SYRKH`DF4wv< zv9N^Y*uq}j8|?}d_;5?I^<^<+miOwl!mG<4Rj_SEt zPW)Dxy~sy)1~n^!Z96*F+X5Y7$EMS(KX2Gi4kG70#EU_bi~2GQNe)~%KxyP%>|5GE z=_k>o!rMQ{(;-(ffom*TZNkrO!v6a&{?}JUq zj~?jra&hxCh^)2g;`WIC;QgfRY>D_grlY#e9f5$=PiHB#*$8)w5^?G4@${;p5Y=$+ zwF;H%hpb=o!JSS4#CpQ&SZ(}cog$26jSb@V%?ODl2sAOlq2^Q9U?V==$mT7uAGNqz zNVHg#A1_+=#xcM1S(+tyaUaHn^s{>s)cl%A9CB%4*l}}UX1JK(g)BsSNsVWa^?ZXr z?Z%?ryrO!EI+TjzyEd6nvt7>!HSfHoS$f3u-d+FN`AmKb;?OP7W7@i9@I1w$uax?RP5dr#dh^U!=BBDF?0?4ltE||cA_;7M@ zRHa+s^gqXlfPQsMVJ_V}Tqe0aMCO*sSWEhlj1q*7VH;;e7|?Pqzf|NeORl=lsWqp3 z_5AHlF93GBoWL6&oYny>Z@%2P33hSyGIm6Xu|HM8YcKMFw$f3rT7P7+-ewW3{l)mr z#g2-FdnV{gHwL|@TMHky-)w=AF0Lq z`Gp|RowoohlW3xrfGm;?HvUZ{Bk>L4^}6pezcA_RX>9>H@%9pdG~Y67Mi1x#HBig> z61?e{|Ff2M&1bC$!p4nB)RG_^c|f)xq94tyx2)%nL29R}n)cG5o_tb3wiyJi9LS-5 z41(1*5_t{zQojlc%76Xc|C(Xi1E0nEq)hV6XrhpFj1fLuEqw)F9Bam6bDLG9Epo%a z$ocV5Qq@65?Q-V6(69urj)+ z8T?R08oYq%^a}(bTuab)`KYXWdr5I zE=#U<((V8eJ!c?kZP;z(Z}00Te3Zlbi4^gNy?a9Y2+xDLpH#w(5Sdkq5g(c7T-6sU za^y;0edHl_GjUZ%c270%?RRsX@ma`sppz#%M9dDg1;A9_rGDi4Z@hyPgA0xhWUQn| zk`ygfdy2rrUS^p^hL%2cw6=VN8`xpj;T*x{+Z@1AuV5{7fH10hftI~_OkH+gCxA*O zsdY~b2UCg)*=9nF6D^kxL4iYBZ?=CUQ}!#ZIiMYfMGCYQvBjlLQ{%_^+HcJUf%CeY 
zv5nUj2U46+lZ+{uwSGf)PjHn!7gRY)N20j1QP0SZRilOxgqZeYw|xE8Wps+EuksHn_t*y21$~ag7Xq^uH>Z64DvUCIf*xyiZC@hIwqdAW%lR<}W^2wB$!Mk>5`(NHvaK^Huhczvi zv2b!D%M8U>-V3w0%W7uwu={TJjMa=zIp4m#w`x4lL7dwd$FWE{sXr*FlHr-BSwq|) zmy5x;qt#J_XVdcWI)$?x6(^*D0n%`R=1AE+6fF4lj8cLzFbSSqi*Mgvis ztW$|p)?%KXmJD#b-a=ANfxmaVeBk>nrF{32$RtPbI@0`sQnk-%v@J5cg@ca4OAb#n z^9pWVs~`H)G89#C=%Ha%Tkoq&(3%w|t}5NWmV^-~Iv>kIKooIB5dz|pQ2FhipWZd2 zzdIuBM>8I@?OK;zsk?&W`ihUbiO79^|H=U=dY)UlcV@y<7$=T>-MIjg^rV+)(CgqT zB45;yTg4k()Vbk=pR+_^$I*qdsFOQzWn$Ncuk$g?9{e6z#~zOyHO>2_Q#^Q0TQs@^ z`l+zfyG09v?9Nw=dU{%rM>9-H%JGQJbMR~(C01HKEsce+ppb%HRpmz&8c`YB@Ea;V zxZmwku$cE!k~VL1U<+I^tdAiey37*DMBTba8+T|adUDHVLhnH2BE46dJ)9QjG>-J% zQu_gdCfsMDo8P6UF7%IEn&`z!lW`R8+$ziwLY8Xd^s?3s=bbj%Af-g_ulK*2CX$$jq_znZdj?!AU!kK z5vqY9AUSAxmdNOXlk}gRpG(dBPcG*1|Cx(@ZuyV^axmaerv8(Q{b#?2hWgij|6j3~ zU0rUU$w#yCq$0vQc@VTZyJvpUSN}7yVTPkXHk7CGi(<+c5q$oMeccK4vD=31T#e#Z zeSiAlV~h~XD_Q;QvYAc(x7MavjRAjuIHTVi{DifJ)2Tyi17GTYhFbrW3&p~+OGWhE z6u(B`?R+o~els60HM>7|vD3iHt0`IZIyqyds~dcng5B5A{E^KOvDMhNEmH4oTy64v zU4XWoZg1C+N4@EQnwg4ns@`YwH6)KtD19mX7=MiRK{BR8P6_n55J-0SRWp*LLy@tC zQ{k!BvRcRWQIp?eC60m!VkI8hQLMdsa!n~)@r46AGB7O=ff*v#qPaT}H!w0JQlbjv zy;6TaR`J{^^hNk=uEN=KDdm0!XttLa5zBcU4+!3^>beW=%Uh4R4X_339mv!wH z6Tw3M@aNtla%lJ_l?n@?oS-%=-5^wU7ZK;KxBL3s$$RQwL5etz{?$ViC=P0X>t) z>I5_(1ce{=gVAF)$}lIwdoC?fPBY1>c0Tv+7fJNZpXK+hNZ^V>JR%68&Y!Bf-Twz6 zQn5IAZ{;FCpf@T%Z;s@6b8EnI5HMSNDmo^p;*w@L0lD8YEH>hY1n|pG`xwATgmo+T;t&=Ob`j z5wAiY^O|@3n}`5JrX;6^#5l^Y9Rf&#zK3N-Z9Ds04=dn>g<9Em?dauK(K>>)87*DF z5%`l=JNq=6aI;=}qBL8OQ%N|->N(3(!%-*!CTlYBQ~Ao$XgQ|9=-QpaTB0`}Nx)T$ z9Sss3i_{fAIt1syd}d;lPlHp*muMOZk=+mn2Hlq0hOe=*4^`r|GKrYanh=?csqO%Z z=_bG^NQG%A5u8`+;TAneqhaLbW99c&42a1(o5WPR&!+(tYZ!98L%AWa2$iHI|3K&4PzH%6fG0YpFtM74x zg9)e)@j3k-kS+5Y1^_WIJ!XxC8N6sX%a4NZr|{Rv|E942;8w~$`C07WDePkk0iXyU zC@WMHIt@Vuju$4peSjf?*0!Q1YYym3ueONfqkLxw(8-4*Gf0VTAiO_r^&M%P1RVl0pdbe04BABiMIBRI07HzpAx{Q@HX{C0`F}Jk>mnVCc9x z8|q|yLzr~1PGTUHmJ;iP&>?Yhi$(dRQK=Gyv`L1K^b2CUB0|=J>9XI<11IWAc=;uP 
z-zxCMWM&8RuT-MlC8g8#ie($hXXj_qGQA^J{lXf_Yl%B6ctOP(!F$QOh@oH9KWI24 zk*(v-aQOh%M^G?G9&!)x?8fx%d#icQ&{bDrT%*()XeVwpojt;p`7%_bexPfc^uOk2 z@_7ai_Mn)_XgH5IK(nBV^2Eml0 zT2WpM$83`@TM$_r$@C5foUkTHS*5zJ{jgtaGw#Br|DdA&$u0_=U?}0Fo+&+N^j6y9 zN}15Htdd2q*wT`Dug*L+3hPnN)zI}W5-rEXBzCa_+{#4F7#lKL{u@Q4W5Lwc-ELXk zbA|w&O-<5PJ*!^&u#fzgiF_Wdm2kXVcQK&MC`;<$c(z3O&ld4lk<%_d6?rCHu#)D8 zDzX~G=-G=vDTp!myVwa!*Wz0INY)L>RG5o{MdzzM+#a=hz`iSJQj>?>t6QgemA7M4 z?eVuFUukTEI8tdcYBa58hjCNFbD&~lJKDl3CkFTEUxNeJ$4rM^<<&=dhyGL8XkxUD9|r-IUz{fCFdGW z?^gz?el0TP<3%@1`1$Ww7a0s&=cKXGf8RDy*JOZK8g?ySJu#@D#KTi(w%u&9v6P?e zLX+$~{OTu|24telv|SsA|LuqKnUIu}E$fvjYIJ0HsaW4xaVh4~+(Psu76bwJ(@#*4EWITO~qd>Dd0}zWnU<9mJAFC}?0hk9E zPuOk6+qXFho~_ZS1)dzELeh~cMp=g~mB%w7_^P%3{^X{jQF{$f%rT2Pa_338U)7K{ zcHq)$%>Ek$@BZB#LiUFCbb5Q8r?=gUZZkP3R!=8NDhn+tKqFB9D6;tfTP()*Cl+)2 zE7SkyRP6H}8RX|ZGPys1{q`A0GSqQU<8cX+-3k2#T6c z_jlV`VEAr4Ai(@Rr-D#^I(baM6>M__f zQ~V%ai(hK=aWo?ofw)pB-wv)=q^4OuP-1tKf2+H#am{re`)0-a)EB&TV-J-*``;*= z9W4OILS9L1Z2g$kcf(jrw-*FH0Nk|lyc2?-)XEbgr2|L z=WizUTeW)vMzy}UU@73Pu-@zv>-N|EH8wSY!e)TxffW*krGn+@W3NR9?Y(bw-?}(h zfOp_D_2CfRg6OnAdI*NiedCK$#81H|0p_n;VqUi9GG{Zm0woGi*ep(K^3rjOZc1U{( zk3UMuQSK{*ZhtR`8AsH(!c_*UqAUDHECoI(J!X(*@hQxI(gzfze*`A&=IT>m{vC^P zeF0=Z28Amrvr5(aOxJaR7L@(nVac1OvXhb*Z zI>cL*kvJuIC=m0b;WHrZ)Y4%^I(q>7|2B(H+NPx_+Vr`qnb0%)sze29FdB7P?_v3J+9sx=@1k35%7cB$ znS0;;P`}-fJQ48)j`MA|t>`-e74vFf_v4mY`c7%f6U{m)xPboEUf0pZp_TcU12r{o zEZ{jWil0BMp?6c{BZo&mhGKa1J8a0FS^buiFLSLHy8Ug#&bJJ-qxxE~%Nrpj(69JK zbH^E}xf19DXkn!zWc@G3hr(I4dr5>;1+Cj#MW4E_Y8n)kYqgfX5#%VsxEr3!fr4+b zZjCLEZJcSIiQ-E$??*<3Rn9geHN=}`S*k? 
z=p`N7?#~qUm_fepfjMbI;}>T9=!y!_$H<8k*c46`sq(WLT_5|MWfxSrIyE40@#P$k zes}5H=1inYDsG;v>k<|zLy@x%9TFI@%a^CGgR1bsIaz7$Q% zGUD|l@0W?DkLYi_7v3qH&@zgic`x`DX^C?cx>)@$(0QH!N^ae z0`%VG)Z%erU&)aDhye9XIbZU>AuIHkIM4p`zkNnI|N2BAH=m!VgN;aW4Cl#M)gR#v zHN4TXsKPrVPAyW;YZE#+i;n%=EAnYqz79kw7))Z$B9{0z8!a=Dtxlxz0}a)76NM>h zj?P5G@k!}K3nsmFulfb7oZXJ!fa8MIRXq3t z$#IDinO>&_8^PlYF3NgW;SwtzS<`+*!dG?a&7nf%ogjDTL9@m;A$A8o#WWi(GvLy* z4b6aQhj8ah3Bt0kev_7L;qq3uTeRT7r3u(h>8U9zR5Lz`28gIX(7M+(ql;D zY7c1p6C(;umlE400)$Lm{RA0g8f-7glDB4e63}7n`<8DMiyhrmnsV`1e9KpaUDz%> zo#jeWKw=`C*Xo>@lNF2r6Kf2607ffxiO?5t-8+8<#Km1y=r7N`Uvf2%O;oaoj2BY>J*9NYX*2~N#Im*`2+W{A=T6AxkcV|DaPnWd50$6 zuaQ5J>yj}V7D$2S&JuPaqna<;%^1osmnBLRdG+= zKW`XT_ttC`Tq6l(!Sa}a=RmyKfdNhdVWc(x@?m)wSl9jtCgtm6@c^WCrwN3i2;;~i z4NS(yE^EW0v^Ks0p2J)GjtlR&oV!+I1 zSAQac)Uf}7TJsiI<%RHucJR>r^z$3A2bK7?x2A;v)Sp8iR^@~Tht|_7tR91;XOxo3 z^BG7+P02D_46$4hujIYTsz#ap%@raJlv@xNTf|4e^T`bJK!NE#&SJ~UQZByT2#ufj zlR~SiMKc7GhprYSgQKq^u$rr%SgJ|6X~NNTw8@Or7SP!tbw!aV*8T@55=C1fqw3t? znj^EK8O=+KHH5ZZ!_K%bb%zWUeyVM}1uUe`>pA8=m)XZ1 zlxz~Bff*hh*dt;vcfjs-_BD@6sTyMRF%TA(DTC}PJ@Bo$e`eIs>mIBqqOz5FhpYBd zYuh3Tc>c>C%KdxAl4!<#NET-@sF7R!o{E`p7y}rStL}rd&p!PxGWm`JKdqqi+mQ;r z0mFuB)N#}ci(@o{DK~pcqXN1>(*pjTMe|6*<$m|zG*E6FWT8#nDvGS!27_oTE?UfA zX-{F@Sc<_$QRfLv0!_gT zjNr5`Q82+kZ_Hf#xJiaw=?mu2$Ogw0l7VjTiZ}>(kDls~wopJB%7O;{rlF{FEojdB3H_ll(yp%0h1)5nkAh)biVeP%uFU;3CjIWL(p|g1e^JGgQ~-Pq z3nus`(x}J)YC)Z|09hiX7kK346u(n%Bq&gQ&)s*8^@#NlDy#+0c#_9>BAWLd5A<0SU#{h0@p0CopmdepQ$K5g*tuncx ziia3lDw#TRE}e=*C?5mmYO`W*RjRW!cZY1?N|M6>0<(Nn(0!1d> brdCAhOIaZ?EP#O}tQ%dkE8h6nXBYWjjwlbW literal 0 HcmV?d00001 
diff --git a/scripts_debian/keys/wheezy-debian-archive-keyring.gpg b/scripts_debian/keys/wheezy-debian-archive-keyring.gpg new file mode 100644 index 0000000000000000000000000000000000000000..6db1f3a93c12bc0225f7156a59cc5833753d5328 GIT binary patch literal 3569 zcmYk8XFMAW*M}n_R*TlANVWFXQnU6dTD3PpBr#&eh)tCsW>H(zYVB34Hl>PEHEPvt zZK7^!d-Q(a_xC=Z&X;rk=gajw*U13h1U<{#eNRLK7{w}A2(I(TR596~20#p6i03D0 zY)Z6G%p`xx{eAySl(z@6?cDw5s(@+OPajZf1IF##w+&Gl=-E)S5nmjv!wOB}(%}|h zuxRucbiBJmRN~+!R8;9D=7(GO*t?&Gb5YTKCB{%xHe%8toUm)k?)|a3<ExmaJ2QbLOKi@lj<%xAt*B+C~U< zu!)=4E>vqGH)WGiyidpGDY-%yM_FI}A5I7_f+%StY+fdIR!B6_8yr$s=9!W}f)4%Oy zQ#CFr-J#-{mBcJXYTJDJlQrN#<>eUYojma6t7{&co_T9%(t)cgh={pX|DbA_s-oI^ zBTNA?|Au(_n+J)**2It7?6%1DaCj}07`Y0hW;qXXUZhu|{6pz~V@dzuVoXbZaUgbF z9&ca7^{G<)smG$x@wN(8hWpku;!6i@4XvT0y6-eg4di5zf?2tZV?sS2}0LQxPUPkRK?2L@5{M!UH} z(MWrU0TPZvqTmp17zV=oNLWd}AiBjP=h75dLX;|w=_D`Pfo}{@L`OB_30)I!}h04=D zY1Wi`Z{(_Ljeju4)All;6TC&`pFY}Y9Ik79rLIYBeCzXNLl7`+4K`Zbybz|Z_=V#3 z#Qu3V+V8*6l|E+1Fp*=WfZ=XTK>dg}Vc^T(UUlH~W1+Q?vbaFT(k<1y^2aQ)pCi+n z!Xs=+%0y51Q>5oc`FNJEi#9~yTIQ5x5k6i$ZyQ&b1vV>wtj+GiDjJf9CU|K)s( z*Xg;_)^QgyTj(el*FCFA5*8RfBCyscJgzG4rQ+@NwDZRf2C2WGTtPfcvAwLypo>P>ik^f-fxLD1aafo{VGrphCBbO2i;|6KW2yBK#mBK~w_q4&oI-jAL$Z8;f z7^@DVy#)k-|1$KO@Rtw|>q&fYK+J$F9Uz?g1FyrbffW54cECx>;)V9S=J_rQ0*!W;5fOpA!-e5c z6bk0(DC__ead&e;+GB*#e(1kzXBkE;YPh(1Bh;xc`7SHD&)0*hPB7WjPwCDtklNk$gLlhWyWQF_1kebt^Z#8s#Bm(Z8O)W zeLE`j7wp6=GO>w?cd5f;fM2=r8zPVK~;^*EZVA*jQ(lVbH`YT2ep(m6ft zlvwRv^PS~QN1xVrX{vVpqrJVrQI|g1m^&$P@r)7jUCfZmkQtW}q>cYBHT_3pIrJ%lHxE(!4#&j%5z zhb--e<21BrT$>b?o8KSP(le2$rg1i(tN80b0#>4!4V^*R_ylkwHhJ9GfFA@Mh~2Bh zIGt^^Xc*agTbDS>v+l{{A9ehxTdGeRil)0MbFtD=oB-i}I33<`yl9fO{I2OlaFz?K zWJ_3WU*BDGM$r8-F$rV=js@`kc^v7pCU__hy;H4@>ZYyq}qN#IfM3^Do)8Uh9Oz zAQ9!4mAp3=l8t+ol0&}nbT`+~xjH(6N$1U<1R@PL2B}EfF0)nkoM!JO?F(JBcWozW z#+-601#h4*Ryh_<-XGlco} zARup^rrEvBBaZG({5|=r6yMPHheQzUVTsSdV+RiNUvO!DVd+elV?UhgNayYjmOK9A z)Y#`_^vw)hM2vL*#2uO*{2g*z4J)?c3|g&%C$yrA49Pe=6?_qxj%A5AGvzpbkX?;e*NDt1Jy4cZ8J{85+ 
zvR&n#k(*JL^a1CEuJKx3N8G1D4>zU?xQW7DatQp@gY-4JiR%;ld8^;4qT+_7Fu@d` zJUQ07ve!<^V0&g_(hO`BbPmL*e>VR0W;DS+K-B2zVVTd6D27#gMJu&WRq#Fw2X&vE;(oTOHr*HP)i*`1Zr{dWHh|^Qe1(T?lAyU#h z4jWdaSyQ9a^dL`l#@1VQC*jfP15C^G-3{&6JXqB;7t8JU2Ysh1Wl{LNg+;F;24h)K z*Ra(6yF&vRF`{=jt%kqRoYDyL=muXk3YYJ?v)g^3EYSFXptaU|lYUMGr-6;;ok$B& zX_9hJYh>;y;zM`@5NzhI848B4nS;tM?bFn$R{e_-ycI-6>@SuMv6Y^`NV9zRWOO8X zbB4-=v29tbKnSWw<@DksVz+(zbxricG)AFS0*_8%Fix*IgV zT?^D>_q1TwU<;n({&ldNI#@8`F?M#k{uYN^%Wg;R^gU&@qPWsJFQ>5OXn6UUuac{k z#$<#k-q1wrDG?B`kCc=8o_aYAu`82yWZXS=WWg&G2zWFv3$W_l-YV}R4A|tp9|@Hb z&YNNz$2l}rOgxq&**?{sCsS*XNwoq^1pZW8O>D|!a{ibO2j*_%c`fZdN{yIMOSU>< zk=&kR@^i`D!wW2#l3pZ+@jRhF{b!stD9J6*HS5snj!8C7Fo+d?rtEC0ruy0P?fw3m zL~YLpi7%}UQGYEN4denbUBgHHf3Mb!|9Q3kn-yzv>MM1Q@{89!c@nkg8?5<}bF~BD z(Hac}ehQsdnIt&~Pl*P6CP@v~0@?m%zxY1boIYeVl=P*1r{_@DLwnR#fz#rilYUBt zDF3i;bX-F0dFap_F?jR^duK^)%Exoh{Ssk;cB*^?;UA-b5Lv=`jcTMp;*nmSzeY0g zkPmseHITCu+j=(xKNe|f0N~i?Y1fdN$9{h*VF2#Qc~L~G??=td-*>VY6fK`Po2ZTL zD@{u%bE~i#T6n|3d#3#OnTIkfjYNB7!%V*x?&iwc6=8@@buo?|OBq3eeqZ>f{~~e{ z9bd!>RJ5w#Zl0Z>j8y27!}K2cINjRs)HyP(#y;EEepMZDv4x@QF29xcObdf{u7WCg z4`v6u{!I6VEyL!fRN5w6O4|+qHOtn7A_*JBTcj&A7O9@$Bmm*&#}|EBJfy@QTecSNy{{?;plB$t}R60IFBM&(qUfz1ZAVT{w{C-4RT)P(iO`>FA#8rv!iK zE+Y3cEL~tBfyHKpPCbK^*}Na5(SZK(Va0|J$5|&HXTPUQ4Gy88)NI~-%V60^Dv5{2 z%*g$?EIKbDsz7p(M_4vDh8c~TgWNOZ$BhK{5G Date: Tue, 11 Nov 2014 09:00:54 -0500 Subject: [PATCH 68/83] Added verbose indication telmplate files was downloading from AppVM --- create_template_list.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/create_template_list.sh b/create_template_list.sh index cf8dfed..1e9c00f 100755 --- a/create_template_list.sh +++ b/create_template_list.sh @@ -24,6 +24,7 @@ $(printf "%s \n" ${files[@]}) path="$(readlink -m .)/rpm/noarch" version="-$(cat ./version)" +name="${name}" EOF # ----------------------------------------------------------------------------- 
@@ -33,6 +34,7 @@ cat << 'EOF' >> "${template_dir}" for file in ${files[@]}; do if [ ! -e ${file} ]; then + echo "Copying ${file} from ${name} to ${PWD}/${file}..." qvm-run --pass-io development-qubes "cat ${path}/${file}" > ${file} fi From 6bed22eec54b291c4539bc23533fa5e66c736163 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Tue, 11 Nov 2014 09:01:34 -0500 Subject: [PATCH 69/83] debian: Removed keyfiles using old name --- .../keys/debian-jessie-archive-keyring.gpg | Bin 13568 -> 0 bytes .../keys/debian-wheezy-archive-keyring.gpg | Bin 3569 -> 0 bytes 2 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 scripts_debian/keys/debian-jessie-archive-keyring.gpg delete mode 100644 scripts_debian/keys/debian-wheezy-archive-keyring.gpg 
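Review bot: The new progress message attributes the file to `${name}`, but the command on the next line always reads from the hard-coded `development-qubes` VM, so the message can name the wrong source; `name` appears to be the template name rather than a VM (the first hunk bakes the generator's value into the script next to `path` and `version`, assuming that heredoc is unquoted as the `$(printf …)` context line suggests). Make the message match the command and send it to stderr so it cannot mix with any captured stdout: `echo "Copying ${file} from development-qubes:${path} to ${PWD}/${file}..." >&2`. Because this heredoc is quoted (`cat << 'EOF'`), `${file}` and `${name}` are expanded when the generated script runs, which is intended here. The enclosing `for` loop continues past the end of the hunk.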
diff --git a/scripts_debian/keys/debian-jessie-archive-keyring.gpg b/scripts_debian/keys/debian-jessie-archive-keyring.gpg deleted file mode 100644 index 46d1f0e23f17522e0d4fb358b24d78b8c53add58..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 13568 zcmbW7V{m8f)~Elm-LdVYW81cE+qRSLxMSP4Z5!ROopg-p^mER6-+8NMYHGgj4{KNL zy7pSvx_@^nFdV3~cF{QyB4DytVuq8PuNSrP#J^d`7Ia<=#*|OHpW`KYMaR1kfj(IK z3Ku?hh8iHa0xgBD+ir&h#<<0oZHAT&W9yl{d_<(KL%_-F(XCg{?}M9bQ+ynEC79er z5LRo1lGGW@0WI8`k<&_`Sx{Rd+_pID&!rdB(I}BYT?Gu?&X~=dPVv3Mcv@ClaKM#A#?-RM%QzcMnCd zkqi}mQ@wYH4Mr*ex}xA4D$Nf*40G+2T2))d#fG(N`WU*Za`a~u($f&VmC0;Y8&}P@ zUTJ{=IxWmL*9F>6HJ$eI#PPT$UB-cjhr6?z6!eN$wTlOW!n>+RlO=4d3v!8};qbcJ zeE**Ps<8&S`3g>OIKuDOzfCqU2GJa(xlL$`(*{Lc`$No(){u(i2hZ9G5%N&75{<*Z z#BGVNqF1;{&mtjny_c7?;5+Oo7U{4DdJpp!MWd{ zQHkilN6L$&7Qy#JrZvx9eQ_}(KCY=Pj6?}CzS}Q~v<0+=4k>y$c8Ymh;D%R5d085G z#E<75lzvn0kv|N81OxzT;8t>QF){HpAy9HQFtj!yP&BbNF>o>=kTUTg;5Iffv@o!x zb^PZUzqN&vvlHDv59#b2&3Ge#c|lQtfB_U>z@Jb7V}pP}!BLp|gTp{ULVy5+qe22h zLBoKe0fPVm;{gGq`vah%5RJuA<646VpQx`80Ub{Qi4kpytwXd7dmRk=7U`*67@>$M z{3<_RcS#wdF@-DIj@1N2nKrveHj1>HzT*6Lhf-~>J=Wg7lF>(@-R`=csJ7ID(5xN| zff>0Nb#&nU?NL(L?;;eZXl+3{RZF_)I*WpVgp_u zwK2-noA%I3dn7JtM97*IjREq~nHrGMSH8-?j=ybGRsMOaDXOrMQ+ML*uG%v1d)>1yJ3smnv<@(v%w^ zE*}$QFu_K&{$h4(tX#SnBz-uKP^C4%0FVe!98g3cNC5aJL<2gXh{*RF$#7EQJWY<` ze`qAF309?tD(;HHK8Zcsv>V^~I=M}X9(&M?M5aS8)prF|`>2>+H#hN?x6?kavXzE( z9}VxCeO*st?9*esw_EduKg(~80e_++1%)rDcGm(=8FgSeFB|h-aAae2D~`g`Rbro` z<*O{&6XsuG`KjmCRE#-tbE;n+*|6;XdJKYFk1o*!3vqQaq-p&-8LXTM@Jh5^?M!p- zGNneGM?;Zydy1YocQgN-NEpmn%-4Qlnak^NAxVD-d#pm9F_=r%{nD#x-`d_@S)bDY`w6cSLb`VKwmXQxg7XW#NklmUCp)aG z$C63$3q={FM=*1%7JCMAp4xnj^U(7>H)+3}(MT$=#T%U0NBecs))c?}M@=DJP{slv z5yIX^w>`Kx9Q||K^9m^{x@xTt!71gDI4Oy-i6vtq-*P>IJ7gxQ*^++m4eu%W9g@LE z@pcu&adWQjwOr0l74}q!@fC2=>IT$dtlE}Z&d9HH-S)Mu7;e+(GQ}@x`GMd1#$E$u ze1d(v%IpO5E=gd%s17hP!wu2G!6buEQl7J!ikLxJz%~xujJGR2LFp0ZI;t|X$7r|v z2XnfQSN36z^cWV$GAZm7=~)k_qi6(t6iZLMpwQ**r-Vt(eVc~Y9e8Cn@3in?Us~ub 
zRHWQ_5rv2)5|pa7zxB+Al{1C5p(uh5N5_>_O#+$c)?D6S`9V0#kl=WfSP}y@hWyo~ z$n-*dG9?Js<9Abo7}hDP)hW!x`@a9ZpCmU-e~rza3l@a&hC|j`vH=Ek(WD)`UtN1Y z=<_{q!VVw3J(d|!a<;QXma+*-4n4m}Q)ko&sX(?otik?M9Fpn8^Wm4vQ8!i{xu>9m z^kwSg<^@b+nCwUV%wtT(wlU;RGy`RE1;}(8L9w4HY-~1Lkreo977Jm`0jR=6+5@Ut zw9R?>sCi<)o2u>78&Y;=mokD84-<_ZDX`I&=Md1NAvc}g_7Y*{)k=33w;9PZ>6D|S zzmqV|GBI;)`|f`WZ4hLKe?b5BGEEHea+W`Sw@aRMT8B`;opVX>jtw2jbh+Z$cF7yj zFktg5m||e~UDQ!jkgJ%oIvso9N7%N8lR;!SPxnQ9<<20p49S*M{&$~~v|91`(lLpz#RX4^!-b3mm=B7u0T;x0#_y5^M^ zG3rSptMbm!5e+BKiJoymuek1nX{i-~^mBnbAd#mhN_`S4+I7kgI&O^mes8?l%%2F( zwD@e=YM`yGw`v*9kVp3mijaY05XIchonYM!;`Q@J)Ai@<{Am$@a8Xc1qW-LH$AyRq6o-2RaK@M+_p*;Hfj;C4_iff_y*ko$RZz{!@cfNX`$0oa_!5$ z&SotS#`~-l0sPwzCpoBjUH-*SLlbMJ5$FOFpddo=W9*^s!cWVk}@|9 z6A)`&==qpgvY36{@2;YQO|EI%Nu%ZtN5w6fM#UGLNWHs@&pH=KT)pJ#FZQR$zG*QZWq zH+--eZb>uU$j*&VO4+AAbZ{awnwcJJQAqd#d1UW0IVn^d4&LvWUZDtS$Zt2F46}Wag<;m`m$)%*ry@5%b{KZ{rtt-6aIcMdRF*07ZvTx+c{;2% zYGY9fFx8+Arry~3m6tgAJTVB#bwKCI6&2O>dxz26uN_hJzzrQ;D=Fl;D5W~=-@MaT z-tj%%QL90;rdX{~B`e7=@2)9vj4Zn%u+`;PyBkaVCd&L5O=xhU=6%;c$6-S~6l{WY z84y73z<72OHd=sy;B*7*qnUq?0f~GflKLsh?s(IGB>BMCj1fA?;rgQ?=|RMBPwHHL z(lslsSAy2)Cd%;4FPN5GNkz;>puW=-^|0FnjRTTyxflCVwbUC6&8c)3i;bm;e^TLW zE?UO3@$i67M<9d82250?8GAN#rfwP^3|g{N^apwH(Rco-^IlPzWdU%dRVLF^NL)T# z%iF;(XyLTgcf;C5ft{=1ebX1n+W^L^<(vq_9v{c2=L`_{I!8IZ&BGQ}`JDMW^tJH& zY|Tl|4M}VVXsGIld&HT*Z-joi(%g7cHW0#FIhpkc(qFYnG=@ct9lbS=W0k8CKES#X z!{7)4Cw}ASAIUaweG5XY_gwtaZ@~h}p7`S7K#RC8;cF(k8F-D%8x_k_t|cL-XLt&I zu@dkaPVb}{t<~?Ppa_g{kL&C3@og`{VVd4DJjMYBPmF)@t@a0bfRoyWlR(|L#^^Wy zurnTaw&hgklKS6r2?9zfoQ|+-hJkRFq>1} z;%}MTjkEY@{3ZGu6!QI^D_AR(Y!0K!e>Q{=up>r?vE_jv_^2S8dPO+GLrmByV|H=C zdZ#~HT!`U$=|GlluES^sKA!F7VNnrT1Q8;t#ETF~WLK2K{tWnXCDI5|&4FAa{&qWH zCU)7#CjAr39)^oWjFeFoFdHiWw6_*DQkE$2k0eV7{}o{Z0Y@Wq3s(~Y0T*XG8v|zx zBLXE0Gg}K=v%k7b!Akd)-svBmrX=7tb+)%LaB?hl!+eUpS0)cbp!%lq5vT|U}8dV zq(X#aUekAuecI0E$+lbe+h5x0UubRXm5`=4huwEhc{hmETsJk z<)orWG#Lpw65Dr3fznL5Z-KPf6w?w_g9g?3c`2=BLjtZIgY>twOPO4lExrni4F!0y 
zUFqf;>7x9=OWI^7zH17aocy3}qZzhsmguE`u$bp}RzbN1XSg5q{F=#0q7I1;s-_mv z!-yYkD!~a^&voE{^gXel%qew0F}4yuI9sjGw~s-#-vJEzHsASOCpg=uEpO!QN68Im z`J<3rvhYjiRByXiP(8|m#$_@`f9n#F5js7VMUF?_D~03Yu5S8b^|)*q$dOHKsAlDD ztAw%&i%!ncqYSLyfKS*c5rhmS9P{sj-n|O%Wwu1*U=i0I@SGx_Mq9W}*-JZ5$Vf|d zEN+(${AIgM{%!b(-QxMm=~6U zWl@y_Y?r52rMUO$3Hw1VwpQT+jG*>o7tPunHkvHnwXmYS^Vhj?W`?~Jm{R=oj+f@jyA1T zOG-MRFNO%1L*keY|KWb{ItikpWv9gKFby6<$|NkbNANp?sNM~m+SNtHs&_UH`U zrx9}IJbH+i^@P7-r6>3orUDHU-En(f>w|u`tZGBh^9;TxZw7!H(q`hf_LwON?n0H1 zdq6TG#2d%BT@W(^U(@^+&8>Hl#W=P-s7PLy@-<%}^*G zR*^INwlhSx5~F6i@{mmLc6h(IQsE)2qyKP5rNRqsKg}RBHWsVAa=W=;#ELDj)w zX+n8BDY;6@xe5S)e3&2xEdYlN+|gd7dd?_E@LLb59F9S%l^))}l4z9S?|LhG8;{d9 zA2Dv+({WjFf#;?~f|7b5drauS&n+3u$ixPYXux|ak*HYTz1P4A8lYhl4SKJz$}87yUI z*iUkSO+hwB0dTR9%ijGemnP|eJX7=E+~Jq>D6uIxwh!NX`pYm#aq`SYRKH`DF4wv< zv9N^Y*uq}j8|?}d_;5?I^<^<+miOwl!mG<4Rj_SEt zPW)Dxy~sy)1~n^!Z96*F+X5Y7$EMS(KX2Gi4kG70#EU_bi~2GQNe)~%KxyP%>|5GE z=_k>o!rMQ{(;-(ffom*TZNkrO!v6a&{?}JUq zj~?jra&hxCh^)2g;`WIC;QgfRY>D_grlY#e9f5$=PiHB#*$8)w5^?G4@${;p5Y=$+ zwF;H%hpb=o!JSS4#CpQ&SZ(}cog$26jSb@V%?ODl2sAOlq2^Q9U?V==$mT7uAGNqz zNVHg#A1_+=#xcM1S(+tyaUaHn^s{>s)cl%A9CB%4*l}}UX1JK(g)BsSNsVWa^?ZXr z?Z%?ryrO!EI+TjzyEd6nvt7>!HSfHoS$f3u-d+FN`AmKb;?OP7W7@i9@I1w$uax?RP5dr#dh^U!=BBDF?0?4ltE||cA_;7M@ zRHa+s^gqXlfPQsMVJ_V}Tqe0aMCO*sSWEhlj1q*7VH;;e7|?Pqzf|NeORl=lsWqp3 z_5AHlF93GBoWL6&oYny>Z@%2P33hSyGIm6Xu|HM8YcKMFw$f3rT7P7+-ewW3{l)mr z#g2-FdnV{gHwL|@TMHky-)w=AF0Lq z`Gp|RowoohlW3xrfGm;?HvUZ{Bk>L4^}6pezcA_RX>9>H@%9pdG~Y67Mi1x#HBig> z61?e{|Ff2M&1bC$!p4nB)RG_^c|f)xq94tyx2)%nL29R}n)cG5o_tb3wiyJi9LS-5 z41(1*5_t{zQojlc%76Xc|C(Xi1E0nEq)hV6XrhpFj1fLuEqw)F9Bam6bDLG9Epo%a z$ocV5Qq@65?Q-V6(69urj)+ z8T?R08oYq%^a}(bTuab)`KYXWdr5I zE=#U<((V8eJ!c?kZP;z(Z}00Te3Zlbi4^gNy?a9Y2+xDLpH#w(5Sdkq5g(c7T-6sU za^y;0edHl_GjUZ%c270%?RRsX@ma`sppz#%M9dDg1;A9_rGDi4Z@hyPgA0xhWUQn| zk`ygfdy2rrUS^p^hL%2cw6=VN8`xpj;T*x{+Z@1AuV5{7fH10hftI~_OkH+gCxA*O zsdY~b2UCg)*=9nF6D^kxL4iYBZ?=CUQ}!#ZIiMYfMGCYQvBjlLQ{%_^+HcJUf%CeY 
zv5nUj2U46+lZ+{uwSGf)PjHn!7gRY)N20j1QP0SZRilOxgqZeYw|xE8Wps+EuksHn_t*y21$~ag7Xq^uH>Z64DvUCIf*xyiZC@hIwqdAW%lR<}W^2wB$!Mk>5`(NHvaK^Huhczvi zv2b!D%M8U>-V3w0%W7uwu={TJjMa=zIp4m#w`x4lL7dwd$FWE{sXr*FlHr-BSwq|) zmy5x;qt#J_XVdcWI)$?x6(^*D0n%`R=1AE+6fF4lj8cLzFbSSqi*Mgvis ztW$|p)?%KXmJD#b-a=ANfxmaVeBk>nrF{32$RtPbI@0`sQnk-%v@J5cg@ca4OAb#n z^9pWVs~`H)G89#C=%Ha%Tkoq&(3%w|t}5NWmV^-~Iv>kIKooIB5dz|pQ2FhipWZd2 zzdIuBM>8I@?OK;zsk?&W`ihUbiO79^|H=U=dY)UlcV@y<7$=T>-MIjg^rV+)(CgqT zB45;yTg4k()Vbk=pR+_^$I*qdsFOQzWn$Ncuk$g?9{e6z#~zOyHO>2_Q#^Q0TQs@^ z`l+zfyG09v?9Nw=dU{%rM>9-H%JGQJbMR~(C01HKEsce+ppb%HRpmz&8c`YB@Ea;V zxZmwku$cE!k~VL1U<+I^tdAiey37*DMBTba8+T|adUDHVLhnH2BE46dJ)9QjG>-J% zQu_gdCfsMDo8P6UF7%IEn&`z!lW`R8+$ziwLY8Xd^s?3s=bbj%Af-g_ulK*2CX$$jq_znZdj?!AU!kK z5vqY9AUSAxmdNOXlk}gRpG(dBPcG*1|Cx(@ZuyV^axmaerv8(Q{b#?2hWgij|6j3~ zU0rUU$w#yCq$0vQc@VTZyJvpUSN}7yVTPkXHk7CGi(<+c5q$oMeccK4vD=31T#e#Z zeSiAlV~h~XD_Q;QvYAc(x7MavjRAjuIHTVi{DifJ)2Tyi17GTYhFbrW3&p~+OGWhE z6u(B`?R+o~els60HM>7|vD3iHt0`IZIyqyds~dcng5B5A{E^KOvDMhNEmH4oTy64v zU4XWoZg1C+N4@EQnwg4ns@`YwH6)KtD19mX7=MiRK{BR8P6_n55J-0SRWp*LLy@tC zQ{k!BvRcRWQIp?eC60m!VkI8hQLMdsa!n~)@r46AGB7O=ff*v#qPaT}H!w0JQlbjv zy;6TaR`J{^^hNk=uEN=KDdm0!XttLa5zBcU4+!3^>beW=%Uh4R4X_339mv!wH z6Tw3M@aNtla%lJ_l?n@?oS-%=-5^wU7ZK;KxBL3s$$RQwL5etz{?$ViC=P0X>t) z>I5_(1ce{=gVAF)$}lIwdoC?fPBY1>c0Tv+7fJNZpXK+hNZ^V>JR%68&Y!Bf-Twz6 zQn5IAZ{;FCpf@T%Z;s@6b8EnI5HMSNDmo^p;*w@L0lD8YEH>hY1n|pG`xwATgmo+T;t&=Ob`j z5wAiY^O|@3n}`5JrX;6^#5l^Y9Rf&#zK3N-Z9Ds04=dn>g<9Em?dauK(K>>)87*DF z5%`l=JNq=6aI;=}qBL8OQ%N|->N(3(!%-*!CTlYBQ~Ao$XgQ|9=-QpaTB0`}Nx)T$ z9Sss3i_{fAIt1syd}d;lPlHp*muMOZk=+mn2Hlq0hOe=*4^`r|GKrYanh=?csqO%Z z=_bG^NQG%A5u8`+;TAneqhaLbW99c&42a1(o5WPR&!+(tYZ!98L%AWa2$iHI|3K&4PzH%6fG0YpFtM74x zg9)e)@j3k-kS+5Y1^_WIJ!XxC8N6sX%a4NZr|{Rv|E942;8w~$`C07WDePkk0iXyU zC@WMHIt@Vuju$4peSjf?*0!Q1YYym3ueONfqkLxw(8-4*Gf0VTAiO_r^&M%P1RVl0pdbe04BABiMIBRI07HzpAx{Q@HX{C0`F}Jk>mnVCc9x z8|q|yLzr~1PGTUHmJ;iP&>?Yhi$(dRQK=Gyv`L1K^b2CUB0|=J>9XI<11IWAc=;uP 
z-zxCMWM&8RuT-MlC8g8#ie($hXXj_qGQA^J{lXf_Yl%B6ctOP(!F$QOh@oH9KWI24 zk*(v-aQOh%M^G?G9&!)x?8fx%d#icQ&{bDrT%*()XeVwpojt;p`7%_bexPfc^uOk2 z@_7ai_Mn)_XgH5IK(nBV^2Eml0 zT2WpM$83`@TM$_r$@C5foUkTHS*5zJ{jgtaGw#Br|DdA&$u0_=U?}0Fo+&+N^j6y9 zN}15Htdd2q*wT`Dug*L+3hPnN)zI}W5-rEXBzCa_+{#4F7#lKL{u@Q4W5Lwc-ELXk zbA|w&O-<5PJ*!^&u#fzgiF_Wdm2kXVcQK&MC`;<$c(z3O&ld4lk<%_d6?rCHu#)D8 zDzX~G=-G=vDTp!myVwa!*Wz0INY)L>RG5o{MdzzM+#a=hz`iSJQj>?>t6QgemA7M4 z?eVuFUukTEI8tdcYBa58hjCNFbD&~lJKDl3CkFTEUxNeJ$4rM^<<&=dhyGL8XkxUD9|r-IUz{fCFdGW z?^gz?el0TP<3%@1`1$Ww7a0s&=cKXGf8RDy*JOZK8g?ySJu#@D#KTi(w%u&9v6P?e zLX+$~{OTu|24telv|SsA|LuqKnUIu}E$fvjYIJ0HsaW4xaVh4~+(Psu76bwJ(@#*4EWITO~qd>Dd0}zWnU<9mJAFC}?0hk9E zPuOk6+qXFho~_ZS1)dzELeh~cMp=g~mB%w7_^P%3{^X{jQF{$f%rT2Pa_338U)7K{ zcHq)$%>Ek$@BZB#LiUFCbb5Q8r?=gUZZkP3R!=8NDhn+tKqFB9D6;tfTP()*Cl+)2 zE7SkyRP6H}8RX|ZGPys1{q`A0GSqQU<8cX+-3k2#T6c z_jlV`VEAr4Ai(@Rr-D#^I(baM6>M__f zQ~V%ai(hK=aWo?ofw)pB-wv)=q^4OuP-1tKf2+H#am{re`)0-a)EB&TV-J-*``;*= z9W4OILS9L1Z2g$kcf(jrw-*FH0Nk|lyc2?-)XEbgr2|L z=WizUTeW)vMzy}UU@73Pu-@zv>-N|EH8wSY!e)TxffW*krGn+@W3NR9?Y(bw-?}(h zfOp_D_2CfRg6OnAdI*NiedCK$#81H|0p_n;VqUi9GG{Zm0woGi*ep(K^3rjOZc1U{( zk3UMuQSK{*ZhtR`8AsH(!c_*UqAUDHECoI(J!X(*@hQxI(gzfze*`A&=IT>m{vC^P zeF0=Z28Amrvr5(aOxJaR7L@(nVac1OvXhb*Z zI>cL*kvJuIC=m0b;WHrZ)Y4%^I(q>7|2B(H+NPx_+Vr`qnb0%)sze29FdB7P?_v3J+9sx=@1k35%7cB$ znS0;;P`}-fJQ48)j`MA|t>`-e74vFf_v4mY`c7%f6U{m)xPboEUf0pZp_TcU12r{o zEZ{jWil0BMp?6c{BZo&mhGKa1J8a0FS^buiFLSLHy8Ug#&bJJ-qxxE~%Nrpj(69JK zbH^E}xf19DXkn!zWc@G3hr(I4dr5>;1+Cj#MW4E_Y8n)kYqgfX5#%VsxEr3!fr4+b zZjCLEZJcSIiQ-E$??*<3Rn9geHN=}`S*k? 
z=p`N7?#~qUm_fepfjMbI;}>T9=!y!_$H<8k*c46`sq(WLT_5|MWfxSrIyE40@#P$k zes}5H=1inYDsG;v>k<|zLy@x%9TFI@%a^CGgR1bsIaz7$Q% zGUD|l@0W?DkLYi_7v3qH&@zgic`x`DX^C?cx>)@$(0QH!N^ae z0`%VG)Z%erU&)aDhye9XIbZU>AuIHkIM4p`zkNnI|N2BAH=m!VgN;aW4Cl#M)gR#v zHN4TXsKPrVPAyW;YZE#+i;n%=EAnYqz79kw7))Z$B9{0z8!a=Dtxlxz0}a)76NM>h zj?P5G@k!}K3nsmFulfb7oZXJ!fa8MIRXq3t z$#IDinO>&_8^PlYF3NgW;SwtzS<`+*!dG?a&7nf%ogjDTL9@m;A$A8o#WWi(GvLy* z4b6aQhj8ah3Bt0kev_7L;qq3uTeRT7r3u(h>8U9zR5Lz`28gIX(7M+(ql;D zY7c1p6C(;umlE400)$Lm{RA0g8f-7glDB4e63}7n`<8DMiyhrmnsV`1e9KpaUDz%> zo#jeWKw=`C*Xo>@lNF2r6Kf2607ffxiO?5t-8+8<#Km1y=r7N`Uvf2%O;oaoj2BY>J*9NYX*2~N#Im*`2+W{A=T6AxkcV|DaPnWd50$6 zuaQ5J>yj}V7D$2S&JuPaqna<;%^1osmnBLRdG+= zKW`XT_ttC`Tq6l(!Sa}a=RmyKfdNhdVWc(x@?m)wSl9jtCgtm6@c^WCrwN3i2;;~i z4NS(yE^EW0v^Ks0p2J)GjtlR&oV!+I1 zSAQac)Uf}7TJsiI<%RHucJR>r^z$3A2bK7?x2A;v)Sp8iR^@~Tht|_7tR91;XOxo3 z^BG7+P02D_46$4hujIYTsz#ap%@raJlv@xNTf|4e^T`bJK!NE#&SJ~UQZByT2#ufj zlR~SiMKc7GhprYSgQKq^u$rr%SgJ|6X~NNTw8@Or7SP!tbw!aV*8T@55=C1fqw3t? znj^EK8O=+KHH5ZZ!_K%bb%zWUeyVM}1uUe`>pA8=m)XZ1 zlxz~Bff*hh*dt;vcfjs-_BD@6sTyMRF%TA(DTC}PJ@Bo$e`eIs>mIBqqOz5FhpYBd zYuh3Tc>c>C%KdxAl4!<#NET-@sF7R!o{E`p7y}rStL}rd&p!PxGWm`JKdqqi+mQ;r z0mFuB)N#}ci(@o{DK~pcqXN1>(*pjTMe|6*<$m|zG*E6FWT8#nDvGS!27_oTE?UfA zX-{F@Sc<_$QRfLv0!_gT zjNr5`Q82+kZ_Hf#xJiaw=?mu2$Ogw0l7VjTiZ}>(kDls~wopJB%7O;{rlF{FEojdB3H_ll(yp%0h1)5nkAh)biVeP%uFU;3CjIWL(p|g1e^JGgQ~-Pq z3nus`(x}J)YC)Z|09hiX7kK346u(n%Bq&gQ&)s*8^@#NlDy#+0c#_9>BAWLd5A<0SU#{h0@p0CopmdepQ$K5g*tuncx ziia3lDw#TRE}e=*C?5mmYO`W*RjRW!cZY1?N|M6>0<(Nn(0!1d> brdCAhOIaZ?EP#O}tQ%dkE8h6nXBYWjjwlbW 
diff --git a/scripts_debian/keys/debian-wheezy-archive-keyring.gpg b/scripts_debian/keys/debian-wheezy-archive-keyring.gpg deleted file mode 100644 index 6db1f3a93c12bc0225f7156a59cc5833753d5328..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3569 zcmYk8XFMAW*M}n_R*TlANVWFXQnU6dTD3PpBr#&eh)tCsW>H(zYVB34Hl>PEHEPvt zZK7^!d-Q(a_xC=Z&X;rk=gajw*U13h1U<{#eNRLK7{w}A2(I(TR596~20#p6i03D0 zY)Z6G%p`xx{eAySl(z@6?cDw5s(@+OPajZf1IF##w+&Gl=-E)S5nmjv!wOB}(%}|h zuxRucbiBJmRN~+!R8;9D=7(GO*t?&Gb5YTKCB{%xHe%8toUm)k?)|a3<ExmaJ2QbLOKi@lj<%xAt*B+C~U< zu!)=4E>vqGH)WGiyidpGDY-%yM_FI}A5I7_f+%StY+fdIR!B6_8yr$s=9!W}f)4%Oy zQ#CFr-J#-{mBcJXYTJDJlQrN#<>eUYojma6t7{&co_T9%(t)cgh={pX|DbA_s-oI^ zBTNA?|Au(_n+J)**2It7?6%1DaCj}07`Y0hW;qXXUZhu|{6pz~V@dzuVoXbZaUgbF z9&ca7^{G<)smG$x@wN(8hWpku;!6i@4XvT0y6-eg4di5zf?2tZV?sS2}0LQxPUPkRK?2L@5{M!UH} z(MWrU0TPZvqTmp17zV=oNLWd}AiBjP=h75dLX;|w=_D`Pfo}{@L`OB_30)I!}h04=D zY1Wi`Z{(_Ljeju4)All;6TC&`pFY}Y9Ik79rLIYBeCzXNLl7`+4K`Zbybz|Z_=V#3 z#Qu3V+V8*6l|E+1Fp*=WfZ=XTK>dg}Vc^T(UUlH~W1+Q?vbaFT(k<1y^2aQ)pCi+n z!Xs=+%0y51Q>5oc`FNJEi#9~yTIQ5x5k6i$ZyQ&b1vV>wtj+GiDjJf9CU|K)s( z*Xg;_)^QgyTj(el*FCFA5*8RfBCyscJgzG4rQ+@NwDZRf2C2WGTtPfcvAwLypo>P>ik^f-fxLD1aafo{VGrphCBbO2i;|6KW2yBK#mBK~w_q4&oI-jAL$Z8;f z7^@DVy#)k-|1$KO@Rtw|>q&fYK+J$F9Uz?g1FyrbffW54cECx>;)V9S=J_rQ0*!W;5fOpA!-e5c z6bk0(DC__ead&e;+GB*#e(1kzXBkE;YPh(1Bh;xc`7SHD&)0*hPB7WjPwCDtklNk$gLlhWyWQF_1kebt^Z#8s#Bm(Z8O)W zeLE`j7wp6=GO>w?cd5f;fM2=r8zPVK~;^*EZVA*jQ(lVbH`YT2ep(m6ft zlvwRv^PS~QN1xVrX{vVpqrJVrQI|g1m^&$P@r)7jUCfZmkQtW}q>cYBHT_3pIrJ%lHxE(!4#&j%5z zhb--e<21BrT$>b?o8KSP(le2$rg1i(tN80b0#>4!4V^*R_ylkwHhJ9GfFA@Mh~2Bh zIGt^^Xc*agTbDS>v+l{{A9ehxTdGeRil)0MbFtD=oB-i}I33<`yl9fO{I2OlaFz?K zWJ_3WU*BDGM$r8-F$rV=js@`kc^v7pCU__hy;H4@>ZYyq}qN#IfM3^Do)8Uh9Oz zAQ9!4mAp3=l8t+ol0&}nbT`+~xjH(6N$1U<1R@PL2B}EfF0)nkoM!JO?F(JBcWozW z#+-601#h4*Ryh_<-XGlco} zARup^rrEvBBaZG({5|=r6yMPHheQzUVTsSdV+RiNUvO!DVd+elV?UhgNayYjmOK9A z)Y#`_^vw)hM2vL*#2uO*{2g*z4J)?c3|g&%C$yrA49Pe=6?_qxj%A5AGvzpbkX?;e*NDt1Jy4cZ8J{85+ 
zvR&n#k(*JL^a1CEuJKx3N8G1D4>zU?xQW7DatQp@gY-4JiR%;ld8^;4qT+_7Fu@d` zJUQ07ve!<^V0&g_(hO`BbPmL*e>VR0W;DS+K-B2zVVTd6D27#gMJu&WRq#Fw2X&vE;(oTOHr*HP)i*`1Zr{dWHh|^Qe1(T?lAyU#h z4jWdaSyQ9a^dL`l#@1VQC*jfP15C^G-3{&6JXqB;7t8JU2Ysh1Wl{LNg+;F;24h)K z*Ra(6yF&vRF`{=jt%kqRoYDyL=muXk3YYJ?v)g^3EYSFXptaU|lYUMGr-6;;ok$B& zX_9hJYh>;y;zM`@5NzhI848B4nS;tM?bFn$R{e_-ycI-6>@SuMv6Y^`NV9zRWOO8X zbB4-=v29tbKnSWw<@DksVz+(zbxricG)AFS0*_8%Fix*IgV zT?^D>_q1TwU<;n({&ldNI#@8`F?M#k{uYN^%Wg;R^gU&@qPWsJFQ>5OXn6UUuac{k z#$<#k-q1wrDG?B`kCc=8o_aYAu`82yWZXS=WWg&G2zWFv3$W_l-YV}R4A|tp9|@Hb z&YNNz$2l}rOgxq&**?{sCsS*XNwoq^1pZW8O>D|!a{ibO2j*_%c`fZdN{yIMOSU>< zk=&kR@^i`D!wW2#l3pZ+@jRhF{b!stD9J6*HS5snj!8C7Fo+d?rtEC0ruy0P?fw3m zL~YLpi7%}UQGYEN4denbUBgHHf3Mb!|9Q3kn-yzv>MM1Q@{89!c@nkg8?5<}bF~BD z(Hac}ehQsdnIt&~Pl*P6CP@v~0@?m%zxY1boIYeVl=P*1r{_@DLwnR#fz#rilYUBt zDF3i;bX-F0dFap_F?jR^duK^)%Exoh{Ssk;cB*^?;UA-b5Lv=`jcTMp;*nmSzeY0g zkPmseHITCu+j=(xKNe|f0N~i?Y1fdN$9{h*VF2#Qc~L~G??=td-*>VY6fK`Po2ZTL zD@{u%bE~i#T6n|3d#3#OnTIkfjYNB7!%V*x?&iwc6=8@@buo?|OBq3eeqZ>f{~~e{ z9bd!>RJ5w#Zl0Z>j8y27!}K2cINjRs)HyP(#y;EEepMZDv4x@QF29xcObdf{u7WCg z4`v6u{!I6VEyL!fRN5w6O4|+qHOtn7A_*JBTcj&A7O9@$Bmm*&#}|EBJfy@QTecSNy{{?;plB$t}R60IFBM&(qUfz1ZAVT{w{C-4RT)P(iO`>FA#8rv!iK zE+Y3cEL~tBfyHKpPCbK^*}Na5(SZK(Va0|J$5|&HXTPUQ4Gy88)NI~-%V60^Dv5{2 z%*g$?EIKbDsz7p(M_4vDh8c~TgWNOZ$BhK{5G Date: Tue, 11 Nov 2014 13:39:27 -0500 Subject: [PATCH 70/83] whonix: Changes to allow secure update --- .../lib/whonix/init/qubes-whonix-firewall.sh | 20 ++++++++++--------- .../lib/whonix/init/qubes-whonix-firewall.sh | 20 ++++++++++--------- .../wheezy+whonix/04_install_qubes_post.sh | 5 +++++ 3 files changed, 27 insertions(+), 18 deletions(-) diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh index 6863a9e..50c5cbc 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh 
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh @@ -2,16 +2,16 @@ . /usr/lib/whonix/utility_functions -if [ "${WHONIX}" != "template" ]; then - # Make sure IP forwarding is disabled - echo "0" > /proc/sys/net/ipv4/ip_forward +if [ -x /usr/sbin/xenstore-read ]; then + XENSTORE_READ="/usr/sbin/xenstore-read" +else + XENSTORE_READ="/usr/bin/xenstore-read" +fi - if [ -x /usr/sbin/xenstore-read ]; then - XENSTORE_READ="/usr/sbin/xenstore-read" - else - XENSTORE_READ="/usr/bin/xenstore-read" - fi +# Make sure IP forwarding is disabled +echo "0" > /proc/sys/net/ipv4/ip_forward +if [ "${WHONIX}" != "template" ]; then ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) # Start Whonix Firewall @@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\ iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\ iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\ iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\ +iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\ +iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\ \\ # Route any traffic FROM netvm TO netvm BACK-TO localhost \\ # Allows localhost access to tor network \\ -iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\ +#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\ ###################################### EOF fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh index 6863a9e..50c5cbc 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh 
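Review bot: `ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)` still has no check for an empty result, and the two DNAT rules added in the next hunk now expand `${ip}` into `--to :53` and `--to :9040` when xenstore-read fails or the key is absent; depending on the iptables version that line either fails to load or is accepted as a port-only rewrite that keeps the original destination address, and either way tinyproxy's DNS and TCP are not steered to the gateway. Fail closed right after the assignment: `[ -n "${ip}" ] || { echo "qubes-netvm-gateway not available, not generating firewall" >&2; exit 1; }`. The identical workstation copy of this file below needs the same guard. Moving the ip_forward write outside the `if` is reasonable; whether the script runs under `set -e` is not visible here, but if it does, a read-only /proc would now abort the template path as well.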
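Review bot: The localhost DNAT rule is commented out rather than removed, which leaves a dead `#iptables …` line in the generated firewall file and no record of why the rule had to go. If it is meant to stay disabled, delete the line and keep a short comment with the reason, e.g. `# netvm->netvm DNAT to 127.0.0.1 intentionally disabled: <reason>` (the reason is not visible in the hunk). The workstation copy of this file below carries the same commented-out line.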
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh @@ -2,16 +2,16 @@ . /usr/lib/whonix/utility_functions -if [ "${WHONIX}" != "template" ]; then - # Make sure IP forwarding is disabled - echo "0" > /proc/sys/net/ipv4/ip_forward +if [ -x /usr/sbin/xenstore-read ]; then + XENSTORE_READ="/usr/sbin/xenstore-read" +else + XENSTORE_READ="/usr/bin/xenstore-read" +fi - if [ -x /usr/sbin/xenstore-read ]; then - XENSTORE_READ="/usr/sbin/xenstore-read" - else - XENSTORE_READ="/usr/bin/xenstore-read" - fi +# Make sure IP forwarding is disabled +echo "0" > /proc/sys/net/ipv4/ip_forward +if [ "${WHONIX}" != "template" ]; then ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null) # Start Whonix Firewall @@ -31,10 +31,12 @@ iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\ iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\ iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\ iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\ +iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\ +iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\ \\ # Route any traffic FROM netvm TO netvm BACK-TO localhost \\ # Allows localhost access to tor network \\ -iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\ +#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\ ###################################### EOF fi diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh index 9f58254..c6ab0e3 100755 --- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh +++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh 
@@ -19,6 +19,11 @@ else set -e fi +# ------------------------------------------------------------------------------ +# Make sure IP forwarding is disabled (Qubes enables it by default) +# ------------------------------------------------------------------------------ +echo "0" > /proc/sys/net/ipv4/ip_forward + # ------------------------------------------------------------------------------ # Enable Qubes-Whonix services # ------------------------------------------------------------------------------ From d92d6d1577f012454d7b235cc73e4ce8e3f9b844 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Tue, 11 Nov 2014 13:41:42 -0500 Subject: [PATCH 71/83] whonix: Lockdown network if not connected to a tor-newvm --- .../files/usr/lib/whonix/messages.yaml | 3 --- .../files/usr/lib/whonix/qubes-whonixsetup | 15 ++++++++++++++- .../files/usr/lib/whonix/messages.yaml | 3 --- .../files/usr/lib/whonix/qubes-whonixsetup | 15 ++++++++++++++- 4 files changed, 28 insertions(+), 8 deletions(-) diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml index d3be464..075ab09 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml @@ -7,6 +7,3 @@ update:
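Review bot: Writing `0` to `/proc/sys/net/ipv4/ip_forward` from an install hook only changes the running kernel's sysctl; if this script runs inside the build chroot, as its place among the `04_install_qubes*` build steps suggests, that is the build host's setting, not the template's, and it does not survive into the built image. Runtime coverage already comes from the firewall script in this same commit, which now writes the value unconditionally; for a persistent template setting write a sysctl drop-in into the template filesystem instead, e.g. `echo 'net.ipv4.ip_forward = 0' > "<template-root>/etc/sysctl.d/ip-forward.conf"` (path placeholder — use the chroot-root variable the other hooks in this directory use). With `set -e` in effect just above, a read-only /proc in the chroot would abort the build at this line.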

Tor netvm required for updates!

Please ensure your template vm has a Whonix gateway as it's VM.

No updates are possible without an active (running) Whonix gateway VM.

-

-

Template will now power off

- diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup index 814af62..edb6240 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup @@ -41,6 +41,19 @@ elif [ "${WHONIX}" == "workstation" ]; then fi elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then + # Set secure defaults. + iptables -P INPUT DROP + iptables -P FORWARD DROP + iptables -P OUTPUT DROP + + # Flush old rules. + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + + # Display warning that netvm is not connected to a torvm /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml - #sudo /sbin/poweroff fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml index d3be464..075ab09 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml @@ -7,6 +7,3 @@ update:
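Review bot: The lockdown sets DROP policies and flushes only the IPv4 tables; nothing is done for `ip6tables`, so if IPv6 is enabled in the template the lockdown is incomplete. Mirror the three policy lines for IPv6, `ip6tables -P INPUT DROP`, `ip6tables -P FORWARD DROP`, `ip6tables -P OUTPUT DROP`, plus the matching flushes, or disable IPv6 via sysctl in the same branch. Setting the policies before flushing is the right order, since there is no window with ACCEPT defaults. The `elif` chain begins outside the hunk, and the identical workstation copy of this file further down needs the same change.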

Tor netvm required for updates!

Please ensure your template vm has a Whonix gateway as it's VM.

No updates are possible without an active (running) Whonix gateway VM.

-

-

Template will now power off

- diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup index 814af62..edb6240 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup @@ -41,6 +41,19 @@ elif [ "${WHONIX}" == "workstation" ]; then fi elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then + # Set secure defaults. + iptables -P INPUT DROP + iptables -P FORWARD DROP + iptables -P OUTPUT DROP + + # Flush old rules. + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + + # Display warning that netvm is not connected to a torvm /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml - #sudo /sbin/poweroff fi From 581529856c50d162de8d251227e080db4be9e8f1 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Thu, 13 Nov 2014 19:08:12 -0500 Subject: [PATCH 72/83] whonix: Added App Menus --- .../netvm-whitelisted-appmenus.list | 21 ++++ .../vm-whitelisted-appmenus.list | 21 ++++ .../whitelisted-appmenus.list | 11 +++ .../netvm-whitelisted-appmenus.list | 1 + .../vm-whitelisted-appmenus.list | 27 ++++++ .../whitelisted-appmenus.list | 96 +++++++++++++++++++ 6 files changed, 177 insertions(+) create mode 100644 appmenus_wheezy_whonix-gateway/netvm-whitelisted-appmenus.list create mode 100644 appmenus_wheezy_whonix-gateway/vm-whitelisted-appmenus.list create mode 100644 appmenus_wheezy_whonix-gateway/whitelisted-appmenus.list create mode 100644 appmenus_wheezy_whonix-workstation/netvm-whitelisted-appmenus.list create mode 100644 appmenus_wheezy_whonix-workstation/vm-whitelisted-appmenus.list create mode 100644 appmenus_wheezy_whonix-workstation/whitelisted-appmenus.list 
diff --git a/appmenus_wheezy_whonix-gateway/netvm-whitelisted-appmenus.list b/appmenus_wheezy_whonix-gateway/netvm-whitelisted-appmenus.list new file mode 100644 index 0000000..68ed628 --- /dev/null +++ b/appmenus_wheezy_whonix-gateway/netvm-whitelisted-appmenus.list @@ -0,0 +1,21 @@ +gnome-terminal.desktop +nautilus.desktop +yelp.desktop +gateway-arm.desktop +gateway-firewall30default.desktop +gateway-firewall50user.desktop +gateway-firsttimesetup.desktop +gateway-reloadfirewall.desktop +gateway-reloadtor.desktop +gateway-restarttor.desktop +gateway-stoptor.desktop +gateway-torrc.desktop +gateway-torrcexamples.desktop +timesync.desktop +whonixcheck.desktop +whonix_repository.desktop +dolphin.desktop +Help.desktop +ksystemlog.desktop +kwrite.desktop + diff --git a/appmenus_wheezy_whonix-gateway/vm-whitelisted-appmenus.list b/appmenus_wheezy_whonix-gateway/vm-whitelisted-appmenus.list new file mode 100644 index 0000000..68ed628 --- /dev/null +++ b/appmenus_wheezy_whonix-gateway/vm-whitelisted-appmenus.list @@ -0,0 +1,21 @@ +gnome-terminal.desktop +nautilus.desktop +yelp.desktop +gateway-arm.desktop +gateway-firewall30default.desktop +gateway-firewall50user.desktop +gateway-firsttimesetup.desktop +gateway-reloadfirewall.desktop +gateway-reloadtor.desktop +gateway-restarttor.desktop +gateway-stoptor.desktop +gateway-torrc.desktop +gateway-torrcexamples.desktop +timesync.desktop +whonixcheck.desktop +whonix_repository.desktop +dolphin.desktop +Help.desktop +ksystemlog.desktop +kwrite.desktop + diff --git a/appmenus_wheezy_whonix-gateway/whitelisted-appmenus.list b/appmenus_wheezy_whonix-gateway/whitelisted-appmenus.list new file mode 100644 index 0000000..25df4f2 --- /dev/null +++ b/appmenus_wheezy_whonix-gateway/whitelisted-appmenus.list 
@@ -0,0 +1,11 @@ +gnome-terminal.desktop +gpk-application.desktop +gpk-update-viewer.desktop +gpk-prefs.desktop +gpk-log.desktop +yelp.desktop +gateway-firewall30default.desktop +gateway-firewall50user.desktop +gateway-torrc.desktop +gateway-torrcexamples.desktop +kwrite.desktop diff --git a/appmenus_wheezy_whonix-workstation/netvm-whitelisted-appmenus.list b/appmenus_wheezy_whonix-workstation/netvm-whitelisted-appmenus.list new file mode 100644 index 0000000..4b744f7 --- /dev/null +++ b/appmenus_wheezy_whonix-workstation/netvm-whitelisted-appmenus.list @@ -0,0 +1 @@ +gnome-terminal.desktop diff --git a/appmenus_wheezy_whonix-workstation/vm-whitelisted-appmenus.list b/appmenus_wheezy_whonix-workstation/vm-whitelisted-appmenus.list new file mode 100644 index 0000000..4371561 --- /dev/null +++ b/appmenus_wheezy_whonix-workstation/vm-whitelisted-appmenus.list @@ -0,0 +1,27 @@ +gnome-terminal.desktop +nautilus.desktop +yelp.desktop + +anondist-torbrowser.desktop +anondist-torbrowser_update.desktop +gateway-firsttimesetup.desktop +timesync.desktop +vlc.desktop +whonixcheck.desktop +whonix-contribute.desktop +whonix-documentation.desktop +whonix-donate.desktop +whonix-featureblog.desktop +whonix-forum.desktop +whonix-importantblog.desktop +whonix-irc-chat-support.desktop +whonix-mailinglist.desktop +whonix_repository.desktop +xchat.desktop +x-www-browser.desktop +dolphin.desktop +Help.desktop +kcalc.desktop +kgpg.desktop +kwrite.desktop + diff --git a/appmenus_wheezy_whonix-workstation/whitelisted-appmenus.list b/appmenus_wheezy_whonix-workstation/whitelisted-appmenus.list new file mode 100644 index 0000000..c9b6f00 --- /dev/null +++ b/appmenus_wheezy_whonix-workstation/whitelisted-appmenus.list 
@@ -0,0 +1,96 @@
+gnome-terminal.desktop
+gpk-application.desktop
+gpk-update-viewer.desktop
+gpk-prefs.desktop
+gpk-log.desktop
+yelp.desktop
+
+
+anondist-torbrowser.desktop
+anondist-torbrowser_update.desktop
+bluetooth-sendto.desktop
+bluetooth-wizard.desktop
+brasero.desktop
+brasero-nautilus.desktop
+display.im6.desktop
+fpm2.desktop
+gateway-firsttimesetup.desktop
+gcr-prompter.desktop
+gcr-viewer.desktop
+gnome-terminal.desktop
+gpk-application.desktop
+gpk-dbus-service.desktop
+gpk-install-catalog.desktop
+gpk-install-local-file.desktop
+gpk-log.desktop
+gpk-prefs.desktop
+gpk-service-pack.desktop
+gpk-update-viewer.desktop
+iceweasel.desktop
+kde4
+mat.desktop
+mimeinfo.cache
+nact.desktop
+nautilus-autorun-software.desktop
+nautilus.desktop
+nm-applet.desktop
+nm-connection-editor.desktop
+python2.7.desktop
+timesync.desktop
+vlc.desktop
+whonixcheck.desktop
+whonix-contribute.desktop
+whonix-documentation.desktop
+whonix-donate.desktop
+whonix-featureblog.desktop
+whonix-forum.desktop
+whonix-importantblog.desktop
+whonix-irc-chat-support.desktop
+whonix-mailinglist.desktop
+whonix_repository.desktop
+xchat.desktop
+x-www-browser.desktop
+yelp.desktop
+
+
+akonaditray.desktop
+-rw-r--r-- 1 root root 5000 Jun 22 2012 ark.desktop
+dolphin.desktop
+gwenview.desktop
+Help.desktop
+jovieapp.desktop
+kcalc.desktop
+kdepasswd.desktop
+kdesystemsettings.desktop
+keditbookmarks.desktop
+kfind.desktop
+kfontview.desktop
+kgpg.desktop
+klipper.desktop
+kmag.desktop
+kmailservice.desktop
+kmix.desktop
+kmousetool.desktop
+kmouth.desktop
+konsole.desktop
+krandrtray.desktop
+ksysguard.desktop
+ksystemlog.desktop
+-rw-r--r-- 1 root root 1766 Jun 6 2012 ktelnetservice.desktop
+kvkbd.desktop
+kwrite.desktop
+nepomukbackup.desktop
+nepomukcontroller.desktop
+okularApplication_comicbook.desktop
+okularApplication_dvi.desktop
+okularApplication_fax.desktop
+okularApplication_fb.desktop
+okularApplication_ghostview.desktop
+okularApplication_kimgio.desktop
+okularApplication_ooo.desktop +okularApplication_pdf.desktop +okularApplication_plucker.desktop +okularApplication_xps.desktop +okular.desktop +systemsettings.desktop + From 60ccebc8b7c2225d65bb8222dfcd23e3b20081e2 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Thu, 13 Nov 2014 19:12:44 -0500 Subject: [PATCH 73/83] whonix: Updated to Whonix 9.4 base. Removed all patches to Whonix code and installed grub and replaced update-grub with link to /bin/true --- .../files/etc/apt/preferences.d/whonix_qubes | 15 --- .../02_install_groups_packages_installed.sh | 110 ++---------------- .../wheezy+whonix/packages_wheezy.list | 3 + 3 files changed, 10 insertions(+), 118 deletions(-) delete mode 100644 scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes b/scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes deleted file mode 100644 index 9bc0b6c..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes +++ /dev/null @@ -1,15 +0,0 @@ -Package: grub-pc -Pin: version * -Pin-Priority: -100 - -Package: grub-pc-bin -Pin: version * -Pin-Priority: -100 - -Package: grub-common -Pin: version * -Pin-Priority: -100 - -Package: grub2-common -Pin: version * -Pin-Priority: -100 diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 0a92070..278d376 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh 
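Review bot: The entries `-rw-r--r-- 1 root root 5000 Jun 22 2012 ark.desktop` and `-rw-r--r-- 1 root root 1766 Jun 6 2012 ktelnetservice.desktop` are `ls -l` output pasted into the whitelist, not desktop-file names, so `ark.desktop` and `ktelnetservice.desktop` are presumably never matched; replace them with the bare `ark.desktop` and `ktelnetservice.desktop`. `kde4` and `mimeinfo.cache` are likewise not `.desktop` entries and look like directory-listing residue. Several names (`gnome-terminal.desktop`, `yelp.desktop`, the `gpk-*` set) appear twice, which suggests the list was generated rather than curated; a deduplicated list is easier to audit for what the workstation menu exposes.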
@@ -78,37 +78,6 @@ sudo ~/Whonix/whonix_build \ popd EOF -# ------------------------------------------------------------------------------ -# Pin grub so it won't install -# ------------------------------------------------------------------------------ -read -r -d '' WHONIX_APT_PIN <<'EOF' || true -Package: grub-pc -Pin: version * -Pin-Priority: -100 - -Package: grub-pc-bin -Pin: version * -Pin-Priority: -100 - -Package: grub-common -Pin: version * -Pin-Priority: -100 - -Package: grub2-common -Pin: version * -Pin-Priority: -100 -EOF - -# ------------------------------------------------------------------------------ -# Set defualts for apt not to install recommended or extra packages -# ------------------------------------------------------------------------------ -read -r -d '' WHONIX_APT_PREFERENCES <<'EOF' || true -Acquire::Languages "none"; -APT::Install-Recommends "false"; -APT::Install-Suggests "false"; -Dpkg::Options "--force-confold"; -EOF - # ------------------------------------------------------------------------------ # Cleanup function # ------------------------------------------------------------------------------ 
@@ -136,22 +105,16 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then popd # -------------------------------------------------------------------------- - # Patch Whonix submodules + # Fake grub installation since Whonix has depends on grub-pc # -------------------------------------------------------------------------- + mkdir -p "${INSTALLDIR}/boot/grub" + cp "${INSTALLDIR}/usr/lib/grub/i386-pc/"* "${INSTALLDIR}/boot/grub" + rm -f "${INSTALLDIR}/usr/sbin/update-grub" + chroot "${INSTALLDIR}" ln -s /bin/true /usr/sbin/update-grub - # Chekout a branch; create a branch first if it does not exist - checkout_branch() { - branch=$(git symbolic-ref --short -q HEAD) - if ! [ "$branch" == "$1" ]; then - su $(logname) -c git checkout "$1" >/dev/null 2>&1 || \ - { - su $(logname) -c git branch "$1" - su $(logname) -c git checkout "$1" - } - fi - } - + # -------------------------------------------------------------------------- # sed search and replace. return 0 if replace happened, otherwise 1 + # -------------------------------------------------------------------------- search_replace() { local search="$1" local replace="$2" 
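Review bot: The `chroot "${INSTALLDIR}" ln -s /bin/true /usr/sbin/update-grub` added here is fragile: `/usr/sbin/update-grub` is shipped by grub2-common, so the next upgrade of that package inside the template silently restores the real script and the fake is gone. A diversion survives upgrades and is the dpkg-supported way to do this: `chroot "${INSTALLDIR}" dpkg-divert --add --rename --divert /usr/sbin/update-grub.real /usr/sbin/update-grub` before the `ln -s`. The `cp "${INSTALLDIR}/usr/lib/grub/i386-pc/"* "${INSTALLDIR}/boot/grub"` line has no comment saying why the modules must be in /boot/grub; add one such as `# grub-pc's postinst expects a populated /boot/grub` if that is the reason, since it is not evident from the script. The enclosing `if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]` block starts and ends outside the hunk.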
@@ -159,57 +122,6 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then sed -i.bak '/'"$search"'/,${s//'"$replace"'/;b};$q1' "$file" } - # Patch anon-meta-packages to not depend on grub-pc - pushd "${WHONIX_DIR}" - { - search_replace "grub-pc" "" "grml_packages" || : - } - popd - - pushd "${WHONIX_DIR}/packages/anon-meta-packages/debian" - { - search1=" grub-pc,"; - replace=""; - - #checkout_branch qubes - search_replace "$search1" "$replace" control && \ - { - cd "${WHONIX_DIR}/packages/anon-meta-packages"; - : - #sudo -E -u $(logname) make deb-pkg || : - #su $(logname) -c "dpkg-source --commit" || : - #git add . - #su $(logname) -c "git commit -am 'removed grub-pc depend'" - } || : - } - popd - - pushd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d" - { - search1="update-grub"; - replace=":"; - - #checkout_branch qubes - search_replace "$search1" "$replace" 85_update_grub && \ - { - cd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub"; - sudo -E -u $(logname) make deb-pkg || : - su $(logname) -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub"; - #git add . ; - #su $(logname) -c "git commit -am 'removed grub-pc depend'" - } || : - } - popd - - pushd "${WHONIX_DIR}/build-steps.d" - { - search1=" check_for_uncommited_changes"; - replace=" #check_for_uncommited_changes"; - - search_replace "$search1" "$replace" 1200_create-debian-packages || : - } - popd - # -------------------------------------------------------------------------- # Whonix system config dependancies # -------------------------------------------------------------------------- 
@@ -222,10 +134,6 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user } - # Pin grub packages so they will not install - echo "${WHONIX_APT_PIN}" > "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes" - chmod 0644 "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes" - # Install Whonix build scripts echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build.sh" chmod 0755 "${INSTALLDIR}/home/user/whonix_build.sh" @@ -320,10 +228,6 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh sed -i "s/#alias/alias/g" "${INSTALLDIR}/home/user/.bashrc" sed -i "s/alias l='ls -CF'/alias l='ls -l'/g" "${INSTALLDIR}/home/user/.bashrc" - # Fake that whonixsetup was already run - #mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once" - #touch "${INSTALLDIR}/var/lib/whonix/do_once/whonixsetup.done" - # Fake that initializer was already run mkdir -p "${INSTALLDIR}/root/.whonix" touch "${INSTALLDIR}/root/.whonix/first_run_initializer.done" diff --git a/scripts_debian/wheezy+whonix/packages_wheezy.list b/scripts_debian/wheezy+whonix/packages_wheezy.list index acf4ebe..91e329e 100644 --- a/scripts_debian/wheezy+whonix/packages_wheezy.list +++ b/scripts_debian/wheezy+whonix/packages_wheezy.list @@ -23,3 +23,6 @@ build-essential:native gcc fakeroot lintian + +rsync +grub-pc From 4acca407d7d5f2f247fd749953cab7d4e935409f Mon Sep 17 00:00:00 2001 
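Review bot: The `+grub-pc` entry in `packages_wheezy.list` pulls grub-pc's postinst into the chroot build, and on Debian that postinst asks the `grub-pc/install_devices` debconf question; unless the build already exports `DEBIAN_FRONTEND=noninteractive` or preseeds the answer (neither is visible in this chunk) the install may stall or fail. If the list format allows comments, documenting the reason inline would also help, since installing a bootloader into a VM template is otherwise surprising: `grub-pc  # only to satisfy the anon-meta-packages dependency; update-grub is neutralised in 02_install_groups_packages_installed.sh`.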
From: Jason Mehring Date: Thu, 13 Nov 2014 19:13:51 -0500 Subject: [PATCH 74/83] whonix: Added ability to run both gateway and workstation as AppVM's (not standalone) --- .../wheezy+whonix-gateway/files/.facl | 35 ++++++----- .../files/usr/lib/whonix/bind-dirs.sh | 58 +++++++++++++++++++ .../files/usr/lib/whonix/init/init.sh | 8 --- .../lib/whonix/init/network-proxy-setup.sh | 1 - .../lib/whonix/init/qubes-whonix-bind.service | 14 +++++ .../usr/lib/whonix/init/whonixcheck.service | 18 ++++++ .../files/usr/lib/whonix/qubes-whonixsetup | 58 +++++++------------ .../wheezy+whonix-workstation/files/.facl | 7 +++ .../files/usr/lib/whonix/bind-dirs.sh | 58 +++++++++++++++++++ .../files/usr/lib/whonix/init/init.sh | 8 --- .../lib/whonix/init/network-proxy-setup.sh | 1 - .../files/usr/lib/whonix/qubes-whonixsetup | 58 +++++++------------ 12 files changed, 216 insertions(+), 108 deletions(-) create mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh create mode 100644 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-bind.service create mode 100644 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/whonixcheck.service create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl index f25a44e..5065286 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/.facl +++ b/scripts_debian/wheezy+whonix-gateway/files/.facl @@ -103,20 +103,6 @@ user::rwx group::r-x other::r-x -# file: etc/apt/preferences.d -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - -# file: etc/apt/preferences.d/whonix_qubes -# owner: root -# group: root -user::rw- -group::r-- -other::r-- - # file: etc/hostname # owner: root # group: root 
@@ -173,6 +159,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/bind-dirs.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + # file: usr/lib/whonix/init # owner: root # group: root @@ -187,6 +180,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/init/qubes-whonix-bind.service +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: usr/lib/whonix/init/replace-ips # owner: root # group: root @@ -201,6 +201,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/init/whonixcheck.service +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: usr/lib/whonix/init/network-proxy-setup.sh # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh new file mode 100755 index 0000000..ab2b0be --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh 
@@ -0,0 +1,58 @@ +#!/bin/bash + +# +# To umount all binds, just pass any arg in $1 +# + +. /usr/lib/whonix/utility_functions + +# Don't run if started as a template +if ! [ "${WHONIX}" == "template" ]; then + # Array of directories to bind + BINDS=( + '/rw/srv/whonix/root/.whonix:/root/.whonix' + '/rw/srv/whonix/root/.whonix.d:/root/.whonix.d' + '/rw/srv/whonix/var/lib/whonix:/var/lib/whonix' + '/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck' + '/rw/srv/whonix/etc/tor:/etc/tor' + ) + + for bind in ${BINDS[@]}; do + rw_dir="${bind%%:*}" + ro_dir="${bind##*:}" + + # Make sure ro directory is not mounted + umount "${ro_dir}" 2> /dev/null || true + + if [ -n "${1}" ]; then + echo "Umounting only..." + exit 0 + fi + + # Make sure ro directory exists + if ! [ -d "${ro_dir}" ]; then + mkdir -p "${ro_dir}" + fi + + # Initially copy over data directories to /rw if rw directory does not exist + if ! [ -d "${rw_dir}" ]; then + mkdir -p "${rw_dir}" + rsync -hax "${ro_dir}/." "${rw_dir}" + fi + + # Bind the directory + sync + mount --bind "${rw_dir}" "${ro_dir}" + done + sync +fi + +if [ "${WHONIX}" == "gateway" ]; then + # Make sure we remove whonixsetup.done if Tor is not enabled + # to allow choice of repo and prevent whonixcheck errors + grep "^DisableNetwork 0$" /etc/tor/torrc || { + sudo rm -f /var/lib/whonix/do_once/whonixsetup.done + } +fi + +exit 0 diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh index 2727847..1839152 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh 
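Review bot: The unmount-only mode is broken: the `if [ -n "${1}" ]; then ... exit 0; fi` check sits inside the `for bind in ${BINDS[@]}` loop after the first `umount`, so with an argument only the first entry of `BINDS` is unmounted before the script exits. Replace that branch's `exit 0` with `continue` and put a single `[ -n "${1}" ] && exit 0` after the loop, so every bind is released. Also quote the array expansion as `for bind in "${BINDS[@]}"`, and `grep "^DisableNetwork 0$" /etc/tor/torrc ||` should be `grep -q`, otherwise the matched torrc line is written to stdout. The `sudo rm -f` at the end assumes the script is not already root, while `mount --bind` and `umount` above require it; pick one privilege model. The workstation copy at `scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh` is byte-identical and needs the same fixes.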
@@ -27,12 +27,4 @@ if [ "${WHONIX}" != "template" ]; then # Make sure hostname is correct /bin/hostname host - - if [ "${WHONIX}" == "gateway" ]; then - # Make sure we remove whonixsetup.done if Tor is not enabled - # to allow choice of repo and prevent whonixcheck errors - grep "^DisableNetwork 0$" /etc/tor/torrc || { - rm -f /var/lib/whonix/do_once/whonixsetup.done - } - fi fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh index 4010441..71a43cf 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh @@ -47,7 +47,6 @@ if [ "${WHONIX}" == "gateway" ]; then # Allow whonix-gateway to act as an update-proxy touch /var/run/qubes-service/qubes-updates-proxy - #systemctl stop qubes-updates-proxy.service # Search and replace tinyproxy error files so we can inject code that # we can use to identify that its a tor proxy so updates are secure diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-bind.service b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-bind.service new file mode 100644 index 0000000..5d145aa --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-bind.service @@ -0,0 +1,14 @@ +[Unit] +Description=Qubes Whonix bind /rw to ro dirs script +DefaultDependencies=no +Before=sysinit.target +After=qubes-sysinit.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/whonix/init/bind-dirs.sh +StandardOutput=syslog + +[Install] +WantedBy=sysinit.target diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/whonixcheck.service b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/whonixcheck.service new file mode 100644 index 0000000..5f883d2 
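Review bot: `ExecStart=/usr/lib/whonix/init/bind-dirs.sh` points at a path this commit never creates; the script is added as `usr/lib/whonix/bind-dirs.sh`, one directory up, so systemd would fail the unit at start. Change the line to `ExecStart=/usr/lib/whonix/bind-dirs.sh` or move the script under `init/`. With `RemainAfterExit=yes` and no `ExecStop=`, stopping the unit does not release the bind mounts; `ExecStop=/usr/lib/whonix/bind-dirs.sh umount` would use the script's existing "any argument unmounts" mode.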
--- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/whonixcheck.service @@ -0,0 +1,18 @@ +[Unit] +Description=Checks many important aspects of Whonix. +After=syslog.target network.target + +[Service] +Type=forking +ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/run/whonixcheck +ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonixcheck +ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonix/whonixblog +ExecStart=/usr/lib/whonixcheckdaemon +PIDFile=/var/run/whonixcheck.pid +User=user +Group=user +UMask=0007 +StandardOutput=syslog + +[Install] +WantedBy=multi-user.target diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup index edb6240..f90d15b 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup 
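Review bot: `User=user` also applies to the `ExecStartPre=` lines, so `/usr/bin/install -m 0775 -d --owner user --group user /var/run/whonixcheck` runs as `user` and will fail with permission denied on the root-owned `/var/run` (and presumably `/var/lib/whonix`), which stops the unit before `ExecStart`. Add `PermissionsStartOnly=yes` so only `ExecStart` drops to `user`, or create the directories from the build script instead and drop the three `ExecStartPre` lines. `PIDFile=/var/run/whonixcheck.pid` is also outside the `/var/run/whonixcheck` directory being created, so confirm the daemon can write its pid file there as `user`; `/var/run` itself is not writable by that account.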
@@ -2,57 +2,39 @@ . /usr/lib/whonix/utility_functions +if ! [ "${WHONIX}" == "template" ]; then + sudo /usr/lib/whonix/bind-dirs.sh +fi + if [ "${WHONIX}" == "gateway" ]; then - grep "^DisableNetwork 0$" /etc/tor/torrc || { + if grep "^DisableNetwork 0$" /etc/tor/torrc ;then + sudo service sdwdate restart + sudo service tor restart + else sudo service sdwdate restart sudo service tor stop - sudo /usr/bin/whonixsetup && { - enable_sysv tor - sleep 1 - enable_sysv sdwdate - } || { - sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" - disable_sysv tor - disable_sysv sdwdate - sudo /sbin/poweroff - } - } - - # Allow whonix-gateway to act as an update-proxy - sudo systemctl status qubes-updates-proxy.service || { - error_file="/usr/share/tinyproxy/default.html" - - # Search and replace tinyproxy error files so we can inject code that - # we can use to identify that its a tor proxy so updates are secure - grep -q "${PROXY_META}" "${error_file}" || { - sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" - } - - sudo touch /var/run/qubes-service/qubes-updates-proxy - sudo iptables -t nat -N PR-QBS-SERVICES - sudo systemctl start qubes-updates-proxy.service - } + sudo /usr/bin/whonixsetup + fi elif [ "${WHONIX}" == "workstation" ]; then + sudo service sdwdate restart if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then - enable_sysv sdwdate - sudo service sdwdate restart sudo /usr/bin/whonixsetup fi elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then # Set secure defaults. - iptables -P INPUT DROP - iptables -P FORWARD DROP - iptables -P OUTPUT DROP + sudo iptables -P INPUT DROP + sudo iptables -P FORWARD DROP + sudo iptables -P OUTPUT DROP # Flush old rules. 
- iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X + sudo iptables -F + sudo iptables -X + sudo iptables -t nat -F + sudo iptables -t nat -X + sudo iptables -t mangle -F + sudo iptables -t mangle -X # Display warning that netvm is not connected to a torvm /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl index 41e3aba..2e89eb9 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/.facl +++ b/scripts_debian/wheezy+whonix-workstation/files/.facl @@ -152,6 +152,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/bind-dirs.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + # file: usr/lib/whonix/init # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh new file mode 100755 index 0000000..ab2b0be --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh 
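Review bot: `if grep "^DisableNetwork 0$" /etc/tor/torrc ;then` writes the matched torrc line to stdout on every run; use `grep -q`. The new else branch only runs `sudo /usr/bin/whonixsetup`, whereas the removed code re-enabled tor and sdwdate after a successful setup (and disabled them and powered off on failure), so unless whonixsetup itself restarts tor the gateway stays with tor stopped until the next boot; worth confirming against the Whonix 9.4 whonixsetup. The `[ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]` test still uses the deprecated `-a`; `[ "${WHONIX}" == "template" ] && [ "${PROXY_SECURE}" == "0" ]` is unambiguous. The workstation copy of this file in the later hunk is identical and has the same issues.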
@@ -0,0 +1,58 @@ +#!/bin/bash + +# +# To umount all binds, just pass any arg in $1 +# + +. /usr/lib/whonix/utility_functions + +# Don't run if started as a template +if ! [ "${WHONIX}" == "template" ]; then + # Array of directories to bind + BINDS=( + '/rw/srv/whonix/root/.whonix:/root/.whonix' + '/rw/srv/whonix/root/.whonix.d:/root/.whonix.d' + '/rw/srv/whonix/var/lib/whonix:/var/lib/whonix' + '/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck' + '/rw/srv/whonix/etc/tor:/etc/tor' + ) + + for bind in ${BINDS[@]}; do + rw_dir="${bind%%:*}" + ro_dir="${bind##*:}" + + # Make sure ro directory is not mounted + umount "${ro_dir}" 2> /dev/null || true + + if [ -n "${1}" ]; then + echo "Umounting only..." + exit 0 + fi + + # Make sure ro directory exists + if ! [ -d "${ro_dir}" ]; then + mkdir -p "${ro_dir}" + fi + + # Initially copy over data directories to /rw if rw directory does not exist + if ! [ -d "${rw_dir}" ]; then + mkdir -p "${rw_dir}" + rsync -hax "${ro_dir}/." "${rw_dir}" + fi + + # Bind the directory + sync + mount --bind "${rw_dir}" "${ro_dir}" + done + sync +fi + +if [ "${WHONIX}" == "gateway" ]; then + # Make sure we remove whonixsetup.done if Tor is not enabled + # to allow choice of repo and prevent whonixcheck errors + grep "^DisableNetwork 0$" /etc/tor/torrc || { + sudo rm -f /var/lib/whonix/do_once/whonixsetup.done + } +fi + +exit 0 diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh index 2727847..1839152 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh 
@@ -27,12 +27,4 @@ if [ "${WHONIX}" != "template" ]; then # Make sure hostname is correct /bin/hostname host - - if [ "${WHONIX}" == "gateway" ]; then - # Make sure we remove whonixsetup.done if Tor is not enabled - # to allow choice of repo and prevent whonixcheck errors - grep "^DisableNetwork 0$" /etc/tor/torrc || { - rm -f /var/lib/whonix/do_once/whonixsetup.done - } - fi fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh index 4010441..71a43cf 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh @@ -47,7 +47,6 @@ if [ "${WHONIX}" == "gateway" ]; then # Allow whonix-gateway to act as an update-proxy touch /var/run/qubes-service/qubes-updates-proxy - #systemctl stop qubes-updates-proxy.service # Search and replace tinyproxy error files so we can inject code that # we can use to identify that its a tor proxy so updates are secure diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup index edb6240..f90d15b 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup 
@@ -2,57 +2,39 @@ . /usr/lib/whonix/utility_functions +if ! [ "${WHONIX}" == "template" ]; then + sudo /usr/lib/whonix/bind-dirs.sh +fi + if [ "${WHONIX}" == "gateway" ]; then - grep "^DisableNetwork 0$" /etc/tor/torrc || { + if grep "^DisableNetwork 0$" /etc/tor/torrc ;then + sudo service sdwdate restart + sudo service tor restart + else sudo service sdwdate restart sudo service tor stop - sudo /usr/bin/whonixsetup && { - enable_sysv tor - sleep 1 - enable_sysv sdwdate - } || { - sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" - disable_sysv tor - disable_sysv sdwdate - sudo /sbin/poweroff - } - } - - # Allow whonix-gateway to act as an update-proxy - sudo systemctl status qubes-updates-proxy.service || { - error_file="/usr/share/tinyproxy/default.html" - - # Search and replace tinyproxy error files so we can inject code that - # we can use to identify that its a tor proxy so updates are secure - grep -q "${PROXY_META}" "${error_file}" || { - sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" - } - - sudo touch /var/run/qubes-service/qubes-updates-proxy - sudo iptables -t nat -N PR-QBS-SERVICES - sudo systemctl start qubes-updates-proxy.service - } + sudo /usr/bin/whonixsetup + fi elif [ "${WHONIX}" == "workstation" ]; then + sudo service sdwdate restart if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then - enable_sysv sdwdate - sudo service sdwdate restart sudo /usr/bin/whonixsetup fi elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then # Set secure defaults. - iptables -P INPUT DROP - iptables -P FORWARD DROP - iptables -P OUTPUT DROP + sudo iptables -P INPUT DROP + sudo iptables -P FORWARD DROP + sudo iptables -P OUTPUT DROP # Flush old rules. 
- iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X + sudo iptables -F + sudo iptables -X + sudo iptables -t nat -F + sudo iptables -t nat -X + sudo iptables -t mangle -F + sudo iptables -t mangle -X # Display warning that netvm is not connected to a torvm /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml From a08bb8ed864d5ec3f3d5121fa8cb57cb74492c15 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Mon, 17 Nov 2014 16:39:02 -0500 Subject: [PATCH 75/83] AppVM was hard coded by mistake. Changed to pick up users AppVM name --- create_template_list.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/create_template_list.sh b/create_template_list.sh index 1e9c00f..5c0fbca 100755 --- a/create_template_list.sh +++ b/create_template_list.sh @@ -35,7 +35,7 @@ cat << 'EOF' >> "${template_dir}" for file in ${files[@]}; do if [ ! -e ${file} ]; then echo "Copying ${file} from ${name} to ${PWD}/${file}..." - qvm-run --pass-io development-qubes "cat ${path}/${file}" > ${file} + qvm-run --pass-io ${name} "cat ${path}/${file}" > ${file} fi sudo yum erase $(echo "${file}" | sed -r "s/(${version}).+$//") && { From e1ce88291f6595298476bf7466849189801c828b Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Tue, 18 Nov 2014 17:40:31 -0500 Subject: [PATCH 76/83] whonix: Need to commit Makefile or Whonix install script complains --- .../wheezy+whonix/02_install_groups_packages_installed.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 278d376..9cdd7a2 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh 
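Review bot: `qvm-run --pass-io ${name} "cat ${path}/${file}" > ${file}` leaves `${name}` and the redirect target unquoted; `qvm-run --pass-io "${name}" "cat ${path}/${file}" > "${file}"` avoids word-splitting should either contain whitespace. Since this line is inside the `cat << 'EOF' >> "${template_dir}"` here-doc with a quoted delimiter, the expansion happens when the generated script runs, so the quoting matters there rather than in this file. The enclosing `for file in ${files[@]}` loop starts before the hunk.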
@@ -100,6 +100,8 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then # -------------------------------------------------------------------------- pushd "${WHONIX_DIR}" { + git add Makefile || true + git commit Makefile -m 'Added Makefile' || true su $(logname) -c "git submodule update --init --recursive"; } popd From a91429751dc38504a397cf7a980bd52b2196a59b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 1 Dec 2014 02:45:53 +0100 Subject: [PATCH 77/83] whonix: remove unused file --- .../usr/lib/whonix/init/qubes-whonix-bind.service | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-bind.service diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-bind.service b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-bind.service deleted file mode 100644 index 5d145aa..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-bind.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=Qubes Whonix bind /rw to ro dirs script -DefaultDependencies=no -Before=sysinit.target -After=qubes-sysinit.service - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/lib/whonix/init/bind-dirs.sh -StandardOutput=syslog - -[Install] -WantedBy=sysinit.target From 43e319b562555dfe6d756157a175383c75dc9658 Mon Sep 17 00:00:00 2001 
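Review bot: `git add Makefile || true` and `git commit Makefile -m 'Added Makefile' || true` run as root, while the very next line deliberately runs git as `$(logname)`; a root-made commit leaves root-owned objects and refs in the user's checkout, which can make the following `su $(logname) -c "git submodule update --init --recursive"` fail with permission errors, and `|| true` would hide that the commit itself failed (for example for lack of a `user.name`). Run both through the same user: `su $(logname) -c "git add Makefile && git commit -m 'Added Makefile' Makefile" || true`. A one-line comment such as `# The Whonix install script complains if the Makefile is uncommitted` would record why this is needed, which the code does not say. The `pushd "${WHONIX_DIR}" { ... } popd` group is fully visible, but the `if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]` block around it is not.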
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 1 Dec 2014 02:47:31 +0100 Subject: [PATCH 78/83] whonix: place "allow all" sudo configuration only build time qubes-core-agent will provide appropriate file later so do not conflict with it. --- .../wheezy+whonix-gateway/09_cleanup_post.sh | 1 + .../wheezy+whonix-gateway/files/.facl | 2 +- .../files/etc/sudoers.d/qubes | 46 ------------------- .../files/etc/sudoers.d/whonix-build | 1 + .../09_cleanup_post.sh | 1 + .../wheezy+whonix-workstation/files/.facl | 2 +- .../files/etc/sudoers.d/qubes | 46 ------------------- .../files/etc/sudoers.d/whonix-build | 1 + .../wheezy+whonix/09_cleanup_post.sh | 18 ++++++++ 9 files changed, 24 insertions(+), 94 deletions(-) create mode 120000 scripts_debian/wheezy+whonix-gateway/09_cleanup_post.sh delete mode 100644 scripts_debian/wheezy+whonix-gateway/files/etc/sudoers.d/qubes create mode 100644 scripts_debian/wheezy+whonix-gateway/files/etc/sudoers.d/whonix-build create mode 120000 scripts_debian/wheezy+whonix-workstation/09_cleanup_post.sh delete mode 100644 scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/qubes create mode 100644 scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/whonix-build create mode 100755 scripts_debian/wheezy+whonix/09_cleanup_post.sh diff --git a/scripts_debian/wheezy+whonix-gateway/09_cleanup_post.sh b/scripts_debian/wheezy+whonix-gateway/09_cleanup_post.sh new file mode 120000 index 0000000..9728555 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/09_cleanup_post.sh @@ -0,0 +1 @@ +../wheezy+whonix/09_cleanup_post.sh \ No newline at end of file diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl index 5065286..56e79de 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/.facl +++ b/scripts_debian/wheezy+whonix-gateway/files/.facl 
@@ -117,7 +117,7 @@ user::rwx group::r-x other::--- -# file: etc/sudoers.d/qubes +# file: etc/sudoers.d/whonix-build # owner: root # group: root user::r-- diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/sudoers.d/qubes b/scripts_debian/wheezy+whonix-gateway/files/etc/sudoers.d/qubes deleted file mode 100644 index 8087a90..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/etc/sudoers.d/qubes +++ /dev/null 
@@ -1,46 +0,0 @@ -user ALL=(ALL) NOPASSWD: ALL - -# WTF?! Have you lost your mind?! -# -# In Qubes VMs there is no point in isolating the root account from -# the user account. This is because all the user data are already -# accessible from the user account, so there is no direct benefit for -# the attacker if she could escalate to root (there is even no benefit -# in trying to install some persistent rootkits, as the VM's root -# filesystem modifications are lost upon each start of a VM). -# -# One might argue that some hypothetical attacks against the -# hypervisor or the few daemons/backends in Dom0 (so VM escape -# attacks) most likely would require root access in the VM to trigger -# the attack. -# -# That's true, but mere existence of such a bug in the hypervisor or -# Dom0 that could be exploited by a malicious VM, no matter whether -# requiring user, root, or even kernel access in the VM, would be -# FATAL. In such situation (if there was such a bug in Xen) there -# really is no comforting that: "oh, but the mitigating factor was -# that the attacker needed root in VM!" We're not M$, and we're not -# gonna BS our users that there are mitigating factors in that case, -# and for sure, root/user isolation is not a mitigating factor. -# -# Because, really, if somebody could find and exploit a bug in the Xen -# hypervisor -- so far there have been only one (!) publicly disclosed -# exploitable bug in the Xen hypervisor from a VM, found in 2008, -# incidentally by one of the Qubes developers (RW) -- then it would be -# highly unlikely if that person couldn't also found a user-to-root -# escalation in VM (which as we know from history of UNIX/Linux -# happens all the time). -# -# At the same time allowing for easy user-to-root escalation in a VM -# is simply convenient for users, especially for update installation. -# -# Currently this still doesn't work as expected, because some idotic -# piece of software called PolKit uses own set of policies. 
We're -# planning to address this in Beta 2. (Why PolKit is an idiocy? Do a -# simple experiment: start 'xinput test' in one xterm, running as -# user, then open some app that uses PolKit and asks for root -# password, e.g. gpk-update-viewer -- observe how all the keystrokes -# with root password you enter into the "secure" PolKit dialog box can -# be seen by the xinput program...) -# -# joanna. diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/sudoers.d/whonix-build b/scripts_debian/wheezy+whonix-gateway/files/etc/sudoers.d/whonix-build new file mode 100644 index 0000000..5841129 --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/etc/sudoers.d/whonix-build @@ -0,0 +1 @@ +user ALL=(ALL) NOPASSWD: ALL diff --git a/scripts_debian/wheezy+whonix-workstation/09_cleanup_post.sh b/scripts_debian/wheezy+whonix-workstation/09_cleanup_post.sh new file mode 120000 index 0000000..9728555 --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/09_cleanup_post.sh @@ -0,0 +1 @@ +../wheezy+whonix/09_cleanup_post.sh \ No newline at end of file diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl index 2e89eb9..9056544 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/.facl +++ b/scripts_debian/wheezy+whonix-workstation/files/.facl @@ -110,7 +110,7 @@ user::rwx group::r-x other::--- -# file: etc/sudoers.d/qubes +# file: etc/sudoers.d/whonix-build # owner: root # group: root user::r-- diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/qubes b/scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/qubes deleted file mode 100644 index 8087a90..0000000 --- a/scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/qubes +++ /dev/null 
@@ -1,46 +0,0 @@ -user ALL=(ALL) NOPASSWD: ALL - -# WTF?! Have you lost your mind?! -# -# In Qubes VMs there is no point in isolating the root account from -# the user account. This is because all the user data are already -# accessible from the user account, so there is no direct benefit for -# the attacker if she could escalate to root (there is even no benefit -# in trying to install some persistent rootkits, as the VM's root -# filesystem modifications are lost upon each start of a VM). -# -# One might argue that some hypothetical attacks against the -# hypervisor or the few daemons/backends in Dom0 (so VM escape -# attacks) most likely would require root access in the VM to trigger -# the attack. -# -# That's true, but mere existence of such a bug in the hypervisor or -# Dom0 that could be exploited by a malicious VM, no matter whether -# requiring user, root, or even kernel access in the VM, would be -# FATAL. In such situation (if there was such a bug in Xen) there -# really is no comforting that: "oh, but the mitigating factor was -# that the attacker needed root in VM!" We're not M$, and we're not -# gonna BS our users that there are mitigating factors in that case, -# and for sure, root/user isolation is not a mitigating factor. -# -# Because, really, if somebody could find and exploit a bug in the Xen -# hypervisor -- so far there have been only one (!) publicly disclosed -# exploitable bug in the Xen hypervisor from a VM, found in 2008, -# incidentally by one of the Qubes developers (RW) -- then it would be -# highly unlikely if that person couldn't also found a user-to-root -# escalation in VM (which as we know from history of UNIX/Linux -# happens all the time). -# -# At the same time allowing for easy user-to-root escalation in a VM -# is simply convenient for users, especially for update installation. -# -# Currently this still doesn't work as expected, because some idotic -# piece of software called PolKit uses own set of policies. 
We're
-# planning to address this in Beta 2. (Why PolKit is an idiocy? Do a
-# simple experiment: start 'xinput test' in one xterm, running as
-# user, then open some app that uses PolKit and asks for root
-# password, e.g. gpk-update-viewer -- observe how all the keystrokes
-# with root password you enter into the "secure" PolKit dialog box can
-# be seen by the xinput program...)
-#
-# joanna.
diff --git a/scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/whonix-build b/scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/whonix-build
new file mode 100644
index 0000000..5841129
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/whonix-build
@@ -0,0 +1 @@
+user ALL=(ALL) NOPASSWD: ALL
diff --git a/scripts_debian/wheezy+whonix/09_cleanup_post.sh b/scripts_debian/wheezy+whonix/09_cleanup_post.sh
new file mode 100755
index 0000000..050cdc4
--- /dev/null
+++ b/scripts_debian/wheezy+whonix/09_cleanup_post.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# ------------------------------------------------------------------------------
+# Source external scripts
+# ------------------------------------------------------------------------------
+. ${SCRIPTSDIR}/vars.sh
+. ./umount_kill.sh >/dev/null
+
+# ------------------------------------------------------------------------------
+# Configurations
+# ------------------------------------------------------------------------------
+if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
+ set -x
+else
+ set -e
+fi
+
+rm -f "${INSTALLDIR}/etc/sudoers.d/whonix-build"
From d87edd0066d7f11b86c62372b90c5e09457fcef3 Mon Sep 17 00:00:00 2001
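Review bot: The `rm -f "${INSTALLDIR}/etc/sudoers.d/whonix-build"` at the end of the new script is the only thing keeping the build-time `NOPASSWD: ALL` rule out of the finished template, yet in the `VERBOSE`/`DEBUG` branch the script runs without `set -e`, so a failed removal would pass silently; make the step fail loudly in both modes, e.g. `rm -f "${INSTALLDIR}/etc/sudoers.d/whonix-build" || exit 1`. The test `[ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]` also uses `==` and the deprecated `-o`, which a POSIX `/bin/sh` such as dash presumably rejects as an unexpected operator, so the debug branch may never be taken there; `if [ "${VERBOSE}" -ge 2 ] || [ "${DEBUG}" = "1" ]; then` is portable. The sourced path should be quoted as `. "${SCRIPTSDIR}/vars.sh"`.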
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Mon, 1 Dec 2014 02:48:50 +0100
Subject: [PATCH 79/83] whonix: use the same user UID as host to build whonix pkgs

Otherwise whonix_build will have no access to sources (which are bind-mounted from outside of chroot).
---
 .../02_install_groups_packages_installed.sh | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh
index 9cdd7a2..0b22bf2 100755
--- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh
+++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh
@@ -132,8 +132,13 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
 debug "Whonix Add user"
 chroot "${INSTALLDIR}" id -u 'user' >/dev/null 2>&1 || \
 {
+ # UID needs match host user to have access to Whonix sources
 chroot "${INSTALLDIR}" groupadd -f user
- chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
+ [ -n "$SUDO_UID" ] && USER_OPTS="-u $SUDO_UID"
+ chroot "${INSTALLDIR}" useradd -g user $USER_OPTS -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
+ if [ `chroot "${INSTALLDIR}" id -u user` != 1000 ]; then
+ chroot "${INSTALLDIR}" useradd -g user -u 1000 -M -s /bin/bash user-placeholder
+ fi
 }
 
 # Install Whonix build scripts
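Review bot: `$SUDO_UID` is taken straight from the build environment and handed to `useradd -u` without checking that it is numeric, and `USER_OPTS` is never initialised, so with an empty `SUDO_UID` the `useradd` line inherits whatever the name already held (or trips `set -u`, if the enclosing script uses it). Something like `USER_OPTS=""; case "$SUDO_UID" in ''|*[!0-9]*) ;; *) USER_OPTS="-u $SUDO_UID" ;; esac` before the `useradd` keeps an unvalidated host value out of the chroot; `$USER_OPTS` itself must stay unquoted there because it is meant to split into two words. The UID comparison is better written `if [ "$(chroot "${INSTALLDIR}" id -u user)" != 1000 ]; then`, so a failed `id` yields an empty operand rather than a `[` syntax error. The added comment reads better as `# UID needs to match the host user to have access to the Whonix sources`. The enclosing `if ! [ -f ... .whonix_prepared ]` block starts and ends outside the hunk.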
@@ -222,6 +227,12 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh
 # sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "${INSTALLDIR}/etc/tor/torrc"
 #fi
 
+ # Restore default user UID to have the same in all builds regardless of build host
+ if [ -n "`chroot "${INSTALLDIR}" id -u user-placeholder`" ]; then
+ chroot "${INSTALLDIR}" userdel user-placeholder
+ chroot "${INSTALLDIR}" usermod -u 1000 user
+ fi
+
 # Enable aliases in .bashrc
 sed -i "s/^# export/export/g" "${INSTALLDIR}/root/.bashrc"
 sed -i "s/^# eval/eval/g" "${INSTALLDIR}/root/.bashrc"
From f14e132f5ec2041d178c50734d7138a46b6c768f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Mon, 1 Dec 2014 02:50:37 +0100
Subject: [PATCH 80/83] debian: do not remove qubes repo

---
 scripts_debian/04_install_qubes.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh
index 190bb89..d29b960 100755
--- a/scripts_debian/04_install_qubes.sh
+++ b/scripts_debian/04_install_qubes.sh
@@ -119,9 +119,8 @@ EOF
 { umount_kill "${INSTALLDIR}"; exit 1; }
 
 # --------------------------------------------------------------------------
- # Remove Quebes repo from sources.list.d
+ # Remove Qubes Builder repo from sources.list.d
 # --------------------------------------------------------------------------
- rm -f "${INSTALLDIR}"/etc/apt/sources.list.d/qubes*.list
 umount_kill "${INSTALLDIR}/tmp/qubes_repo"
 rm -f "${INSTALLDIR}/etc/apt/sources.list.d/qubes-builder.list"
 chroot "${INSTALLDIR}" apt-get update || exit 1
From 1e999e1ced77db6f6e3c06d8f6ca75bccc68a542 Mon Sep 17 00:00:00 2001
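Review bot: The placeholder test `if [ -n "`chroot "${INSTALLDIR}" id -u user-placeholder`" ]` relies on `id` printing nothing when the account is absent, which is the normal case once the host UID is 1000, and every such build then writes an `id: ... no such user` error to stderr because it is not redirected; `if chroot "${INSTALLDIR}" id -u user-placeholder >/dev/null 2>&1; then` tests the exit status directly and keeps the log clean. Note also that `usermod -u 1000 user` only re-owns files under the user's home directory, so anything the build wrote elsewhere in the chroot while running as `$SUDO_UID` (presumably under the bind-mounted source tree) keeps the old numeric owner; if such files are meant to ship in the template, a `chown -R` or a check for stray UIDs belongs here. The enclosing `if [ -f ... .whonix_installed ] && ! [ -f ...` block starts and ends outside the hunk.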
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Mon, 1 Dec 2014 20:10:27 +0100
Subject: [PATCH 81/83] debian: move system/X11 configuration to gui-agent-linux

---
 .../etc/X11/Xsession.d/25xdg-qubes-settings | 18 ------------
 scripts_debian/qubes-files/etc/xdg/Xresources | 5 ----
 scripts_debian/qubes-files/etc/xdg/fonts.conf | 29 -------------------
 scripts_debian/qubes-files/etc/xdg/xsettingsd | 19 ------------
 4 files changed, 71 deletions(-)
 delete mode 100755 scripts_debian/qubes-files/etc/X11/Xsession.d/25xdg-qubes-settings
 delete mode 100644 scripts_debian/qubes-files/etc/xdg/Xresources
 delete mode 100644 scripts_debian/qubes-files/etc/xdg/fonts.conf
 delete mode 100644 scripts_debian/qubes-files/etc/xdg/xsettingsd

diff --git a/scripts_debian/qubes-files/etc/X11/Xsession.d/25xdg-qubes-settings b/scripts_debian/qubes-files/etc/X11/Xsession.d/25xdg-qubes-settings
deleted file mode 100755
index 3bab64b..0000000
--- a/scripts_debian/qubes-files/etc/X11/Xsession.d/25xdg-qubes-settings
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-installConfigurationFile() {
- file="${1}"
-
- if ! [ -f "${HOME}/.${file}" ]; then
- if [ -f "/etc/xdg/${file}" ]; then
- cp "/etc/xdg/${file}" "${HOME}/.${file}"
- fi
- fi
-}
-
-if [ -x /usr/bin/xsettingsd ]; then
- installConfigurationFile "xsettingsd"
- installConfigurationFile "fonts.conf"
- installConfigurationFile "Xresources"
- /usr/bin/xsettingsd &
-fi
diff --git a/scripts_debian/qubes-files/etc/xdg/Xresources b/scripts_debian/qubes-files/etc/xdg/Xresources
deleted file mode 100644
index 2bb5317..0000000
--- a/scripts_debian/qubes-files/etc/xdg/Xresources
+++ /dev/null
@@ -1,5 +0,0 @@
-Xft.antialias: 1
-Xft.hinting: 1
-Xft.rgba: rgb
-Xft.hintstyle: hintslight
-Xft.lcdfilter: lcddefault
diff --git a/scripts_debian/qubes-files/etc/xdg/fonts.conf b/scripts_debian/qubes-files/etc/xdg/fonts.conf
deleted file mode 100644
index 17408f4..0000000
--- a/scripts_debian/qubes-files/etc/xdg/fonts.conf
+++ /dev/null
@@ -1,29 +0,0 @@ - - - - - - rgb - - - - - true - - - - - hintslight - - - - - true - - - - - lcddefault - - - diff --git a/scripts_debian/qubes-files/etc/xdg/xsettingsd b/scripts_debian/qubes-files/etc/xdg/xsettingsd deleted file mode 100644 index 1cf2f71..0000000 --- a/scripts_debian/qubes-files/etc/xdg/xsettingsd +++ /dev/null @@ -1,19 +0,0 @@ -Gtk/ButtonImages 1 -Gtk/CursorThemeName "Vanilla-DMZ" -Gtk/FontName "sans 10" -Gtk/KeyThemeName "Adwaita" -Gtk/MenuImages 1 -Gtk/ToolbarIconSize 2 -Gtk/ToolbarStyle "Icons" - -Net/EnableEventSounds 0 -Net/EnableInputFeedbackSounds 0 -Net/FallbackIconTheme "gnome" -Net/IconThemeName "gnome" -Net/ThemeName "Adwaita" - -Xft/Antialias 1 -Xft/Hinting 1 -Xft/HintStyle "hintslight" -Xft/RGBA "rgb" -Xft/lcdfilter "lcddefault" From 2b1cb2f3235dce92a5513b4c6cb3efb3abb0b3db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?= Date: Mon, 1 Dec 2014 20:11:47 +0100 Subject: [PATCH 82/83] debian/whonix: it is irrelevant whether ip_forward is enabled on build host --- scripts_debian/wheezy+whonix/04_install_qubes_post.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh index c6ab0e3..9f58254 100755 --- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh +++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh @@ -19,11 +19,6 @@ else set -e fi -# ------------------------------------------------------------------------------ -# Make sure IP forwarding is disabled (Qubes enables it by default) -# ------------------------------------------------------------------------------ -echo "0" > /proc/sys/net/ipv4/ip_forward - # ------------------------------------------------------------------------------ # Enable Qubes-Whonix services # ------------------------------------------------------------------------------ From 7bae8ae3536596b702f11bfd3369867b1f5ff9f4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Mon, 1 Dec 2014 20:12:45 +0100
Subject: [PATCH 83/83] debian: do not give access to host /run

---
 scripts_debian/02_install_groups.sh | 3 ++-
 scripts_debian/04_install_qubes.sh | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/scripts_debian/02_install_groups.sh b/scripts_debian/02_install_groups.sh
index 5439819..7c1d4ca 100755
--- a/scripts_debian/02_install_groups.sh
+++ b/scripts_debian/02_install_groups.sh
@@ -28,7 +28,8 @@ fi
 # ------------------------------------------------------------------------------
 # Mount system mount points
 # ------------------------------------------------------------------------------
-for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "${INSTALLDIR}/$fs"; done
+for fs in /dev /dev/pts /proc /sys; do mount -B $fs "${INSTALLDIR}/$fs"; done
+mount -t tmpfs none "${INSTALLDIR}/run"
 
 # ------------------------------------------------------------------------------
 # Execute any template flavor or sub flavor 'pre' scripts
diff --git a/scripts_debian/04_install_qubes.sh b/scripts_debian/04_install_qubes.sh
index d29b960..6f0d020 100755
--- a/scripts_debian/04_install_qubes.sh
+++ b/scripts_debian/04_install_qubes.sh
@@ -27,7 +27,8 @@ fi
 # ------------------------------------------------------------------------------
 # Mount system mount points
 # ------------------------------------------------------------------------------
-for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "${INSTALLDIR}/$fs"; done
+for fs in /dev /dev/pts /proc /sys; do mount -B $fs "${INSTALLDIR}/$fs"; done
+mount -t tmpfs none "${INSTALLDIR}/run"
 
 # ------------------------------------------------------------------------------
 # Execute any template flavor or sub flavor 'pre' scripts
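Review bot: The new `mount -t tmpfs none "${INSTALLDIR}/run"` passes no mount options, so the chroot's /run comes up with tmpfs defaults — a world-writable sticky 1777 directory on which suid binaries and device nodes are honoured — which differs from the (typically 0755) host /run the bind mount used to provide and may surprise package maintainer scripts that write there; `mount -t tmpfs -o nosuid,nodev,mode=755 tmpfs "${INSTALLDIR}/run"` keeps the isolation from host /run that the commit is after while matching the usual layout. The same line is added to `04_install_qubes.sh` in the second hunk and should get the same options. Neither hunk shows whether the later unmount path (umount_kill, presumably) also covers this extra mount, so it is worth confirming that `${INSTALLDIR}/run` is released on failure just like the bind mounts.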