QubesOS/qubes-linux-template-builder
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'wheezy'

Browse Source
This commit is contained in:
Marek Marczykowski-Górecki 2014-12-02 03:15:02 +01:00
commit 92faf3296b
134 changed files with 5718 additions and 182 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -5,3 +5,4 @@ cache_*
mnt_* mnt_*
*.iso *.iso
*.fs *.fs
install-templates.sh

10
Makefile
View File

@ -6,10 +6,19 @@ export DIST
dist_ver := $(shell DIST=$(DIST) ./builder_setup) dist_ver := $(shell DIST=$(DIST) ./builder_setup)
DISTRIBUTION := $(word 1,$(dist_ver)) DISTRIBUTION := $(word 1,$(dist_ver))
DIST_VERSION := $(word 2,$(dist_ver)) DIST_VERSION := $(word 2,$(dist_ver))
TEMPLATE_NAME := $(word 3,$(dist_ver))
ifeq (,$(TEMPLATE_NAME))
TEMPLATE_NAME := $(DISTRIBUTION)-$(DIST_VERSION)-x64 TEMPLATE_NAME := $(DISTRIBUTION)-$(DIST_VERSION)-x64
ifdef TEMPLATE_FLAVOR ifdef TEMPLATE_FLAVOR
TEMPLATE_NAME := $(TEMPLATE_NAME)-$(TEMPLATE_FLAVOR) TEMPLATE_NAME := $(TEMPLATE_NAME)-$(TEMPLATE_FLAVOR)
endif endif
endif
# Make sure names are < 32 characters
fix_up := $(shell TEMPLATE_NAME=$(TEMPLATE_NAME) ./builder_fix_filenames)
TEMPLATE_NAME := $(word 1,$(fix_up))
VERSION := $(shell cat version) VERSION := $(shell cat version)
TIMESTAMP := $(shell date -u +%Y%m%d%H%M) TIMESTAMP := $(shell date -u +%Y%m%d%H%M)
@ -25,6 +34,7 @@ rpms:
sudo -E ./prepare_image prepared_images/$(TEMPLATE_NAME).img && \ sudo -E ./prepare_image prepared_images/$(TEMPLATE_NAME).img && \
sudo -E ./qubeize_image prepared_images/$(TEMPLATE_NAME).img $(TEMPLATE_NAME) && \ sudo -E ./qubeize_image prepared_images/$(TEMPLATE_NAME).img $(TEMPLATE_NAME) && \
./build_template_rpm $(TEMPLATE_NAME) || exit 1; \ ./build_template_rpm $(TEMPLATE_NAME) || exit 1; \
./create_template_list.sh || : \
update-repo-installer: update-repo-installer:
[ -z "$$UPDATE_REPO" ] && UPDATE_REPO=../installer/yum/qubes-dom0;\ [ -z "$$UPDATE_REPO" ] && UPDATE_REPO=../installer/yum/qubes-dom0;\

2
appmenus_jessie/vm-whitelisted-appmenus.list
View File

@ -1 +1,3 @@
gnome-terminal.desktop gnome-terminal.desktop
nautilus.desktop
yelp.desktop

5
appmenus_jessie/whitelisted-appmenus.list
View File

@ -1 +1,6 @@
gnome-terminal.desktop gnome-terminal.desktop
gpk-application.desktop
gpk-update-viewer.desktop
gpk-prefs.desktop
gpk-log.desktop
yelp.desktop

1
appmenus_jessie_gnome/netvm-whitelisted-appmenus.list Normal file
View File

@ -0,0 +1 @@
gnome-terminal.desktop

16
appmenus_jessie_gnome/vm-whitelisted-appmenus.list Normal file
View File

@ -0,0 +1,16 @@
evolution.desktop
gimp.desktop
yelp.desktop
iceweasel.desktop
eog.desktop
rhythmbox.desktop
gnome-system-log.desktop
gnome-terminal.desktop
gnome-calculator.desktop
org.gnome.Cheese.desktop
org.gnome.Nautilus.desktop
org.gnome.gedit.desktop
shotwell.desktop
org.gnome.Totem.desktop
libreoffice-startcenter.desktop
session-properties.desktop

10
appmenus_jessie_gnome/whitelisted-appmenus.list Normal file
View File

@ -0,0 +1,10 @@
gdebi.desktop
yelp.desktop
gpk-log.desktop
gpk-prefs.desktop
gpk-update-viewer.desktop
gpk-application.desktop
gnome-printers-panel.desktop
tracker-preferences.desktop
gnome-system-log.desktop
gnome-terminal.desktop

1
appmenus_wheezy/netvm-whitelisted-appmenus.list Normal file
View File

@ -0,0 +1 @@
gnome-terminal.desktop

3
appmenus_wheezy/vm-whitelisted-appmenus.list Normal file
View File

@ -0,0 +1,3 @@
gnome-terminal.desktop
nautilus.desktop
yelp.desktop

6
appmenus_wheezy/whitelisted-appmenus.list Normal file
View File

@ -0,0 +1,6 @@
gnome-terminal.desktop
gpk-application.desktop
gpk-update-viewer.desktop
gpk-prefs.desktop
gpk-log.desktop
yelp.desktop

1
appmenus_wheezy_gnome/netvm-whitelisted-appmenus.list Normal file
View File

@ -0,0 +1 @@
gnome-terminal.desktop

15
appmenus_wheezy_gnome/vm-whitelisted-appmenus.list Normal file
View File

@ -0,0 +1,15 @@
gnome-terminal.desktop
gcalctool.desktop
evolution.desktop
nautilus.desktop
iceweasel.desktop
libreoffice-startcenter.desktop
gedit.desktop
gimp.desktop
eog.desktop
totem.desktop
rhythmbox.desktop
gnome-system-log.desktop
cheese.desktop
session-properties.desktop
yelp.desktop

11
appmenus_wheezy_gnome/whitelisted-appmenus.list Normal file
View File

@ -0,0 +1,11 @@
gnome-terminal.desktop
gpk-application.desktop
gpk-update-viewer.desktop
gpk-prefs.desktop
gpk-log.desktop
gnome-panel.desktop
gnome-printers-panel.desktop
gnome-system-log.desktop
gdebi.desktop
tracker-preferences.desktop
yelp.desktop

21
appmenus_wheezy_whonix-gateway/netvm-whitelisted-appmenus.list Normal file
View File

@ -0,0 +1,21 @@
gnome-terminal.desktop
nautilus.desktop
yelp.desktop
gateway-arm.desktop
gateway-firewall30default.desktop
gateway-firewall50user.desktop
gateway-firsttimesetup.desktop
gateway-reloadfirewall.desktop
gateway-reloadtor.desktop
gateway-restarttor.desktop
gateway-stoptor.desktop
gateway-torrc.desktop
gateway-torrcexamples.desktop
timesync.desktop
whonixcheck.desktop
whonix_repository.desktop
dolphin.desktop
Help.desktop
ksystemlog.desktop
kwrite.desktop

21
appmenus_wheezy_whonix-gateway/vm-whitelisted-appmenus.list Normal file
View File

@ -0,0 +1,21 @@
gnome-terminal.desktop
nautilus.desktop
yelp.desktop
gateway-arm.desktop
gateway-firewall30default.desktop
gateway-firewall50user.desktop
gateway-firsttimesetup.desktop
gateway-reloadfirewall.desktop
gateway-reloadtor.desktop
gateway-restarttor.desktop
gateway-stoptor.desktop
gateway-torrc.desktop
gateway-torrcexamples.desktop
timesync.desktop
whonixcheck.desktop
whonix_repository.desktop
dolphin.desktop
Help.desktop
ksystemlog.desktop
kwrite.desktop

11
appmenus_wheezy_whonix-gateway/whitelisted-appmenus.list Normal file
View File

@ -0,0 +1,11 @@
gnome-terminal.desktop
gpk-application.desktop
gpk-update-viewer.desktop
gpk-prefs.desktop
gpk-log.desktop
yelp.desktop
gateway-firewall30default.desktop
gateway-firewall50user.desktop
gateway-torrc.desktop
gateway-torrcexamples.desktop
kwrite.desktop

1
appmenus_wheezy_whonix-workstation/netvm-whitelisted-appmenus.list Normal file
View File

@ -0,0 +1 @@
gnome-terminal.desktop

27
appmenus_wheezy_whonix-workstation/vm-whitelisted-appmenus.list Normal file
View File

@ -0,0 +1,27 @@
gnome-terminal.desktop
nautilus.desktop
yelp.desktop
anondist-torbrowser.desktop
anondist-torbrowser_update.desktop
gateway-firsttimesetup.desktop
timesync.desktop
vlc.desktop
whonixcheck.desktop
whonix-contribute.desktop
whonix-documentation.desktop
whonix-donate.desktop
whonix-featureblog.desktop
whonix-forum.desktop
whonix-importantblog.desktop
whonix-irc-chat-support.desktop
whonix-mailinglist.desktop
whonix_repository.desktop
xchat.desktop
x-www-browser.desktop
dolphin.desktop
Help.desktop
kcalc.desktop
kgpg.desktop
kwrite.desktop

96
appmenus_wheezy_whonix-workstation/whitelisted-appmenus.list Normal file
View File

@ -0,0 +1,96 @@
gnome-terminal.desktop
gpk-application.desktop
gpk-update-viewer.desktop
gpk-prefs.desktop
gpk-log.desktop
yelp.desktop
anondist-torbrowser.desktop
anondist-torbrowser_update.desktop
bluetooth-sendto.desktop
bluetooth-wizard.desktop
brasero.desktop
brasero-nautilus.desktop
display.im6.desktop
fpm2.desktop
gateway-firsttimesetup.desktop
gcr-prompter.desktop
gcr-viewer.desktop
gnome-terminal.desktop
gpk-application.desktop
gpk-dbus-service.desktop
gpk-install-catalog.desktop
gpk-install-local-file.desktop
gpk-log.desktop
gpk-prefs.desktop
gpk-service-pack.desktop
gpk-update-viewer.desktop
iceweasel.desktop
kde4
mat.desktop
mimeinfo.cache
nact.desktop
nautilus-autorun-software.desktop
nautilus.desktop
nm-applet.desktop
nm-connection-editor.desktop
python2.7.desktop
timesync.desktop
vlc.desktop
whonixcheck.desktop
whonix-contribute.desktop
whonix-documentation.desktop
whonix-donate.desktop
whonix-featureblog.desktop
whonix-forum.desktop
whonix-importantblog.desktop
whonix-irc-chat-support.desktop
whonix-mailinglist.desktop
whonix_repository.desktop
xchat.desktop
x-www-browser.desktop
yelp.desktop
akonaditray.desktop
-rw-r--r-- 1 root root 5000 Jun 22 2012 ark.desktop
dolphin.desktop
gwenview.desktop
Help.desktop
jovieapp.desktop
kcalc.desktop
kdepasswd.desktop
kdesystemsettings.desktop
keditbookmarks.desktop
kfind.desktop
kfontview.desktop
kgpg.desktop
klipper.desktop
kmag.desktop
kmailservice.desktop
kmix.desktop
kmousetool.desktop
kmouth.desktop
konsole.desktop
krandrtray.desktop
ksysguard.desktop
ksystemlog.desktop
-rw-r--r-- 1 root root 1766 Jun 6 2012 ktelnetservice.desktop
kvkbd.desktop
kwrite.desktop
nepomukbackup.desktop
nepomukcontroller.desktop
okularApplication_comicbook.desktop
okularApplication_dvi.desktop
okularApplication_fax.desktop
okularApplication_fb.desktop
okularApplication_ghostview.desktop
okularApplication_kimgio.desktop
okularApplication_ooo.desktop
okularApplication_pdf.desktop
okularApplication_plucker.desktop
okularApplication_xps.desktop
okular.desktop
systemsettings.desktop

9
builder_fix_filenames Executable file
View File

@ -0,0 +1,9 @@
#!/bin/bash
# Check template name length and fix if not under 32 characters
# Return the result
. ./functions.sh > /dev/null
# Check for custom template name
templateNameDist "${TEMPLATE_NAME}"

2
builder_setup
View File

@ -2,6 +2,8 @@
# Setup env variables # Setup env variables
. ./functions.sh > /dev/null
case "$DIST" in case "$DIST" in
fc*) fc*)
DISTRIBUTION=fedora DISTRIBUTION=fedora

1
cleanup_image
View File

@ -20,6 +20,7 @@ ls -als $IMG
mount -o loop $IMG mnt || exit 1 mount -o loop $IMG mnt || exit 1
export INSTALLDIR=`pwd`/mnt/ export INSTALLDIR=`pwd`/mnt/
echo "--> Cleaning up image file..."
$SCRIPTSDIR/09_cleanup.sh $SCRIPTSDIR/09_cleanup.sh
echo "--> Compacting image file..." echo "--> Compacting image file..."

55
create_template_list.sh Executable file
View File

@ -0,0 +1,55 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
#
# Creates a small script to copy to dom0 to retrieve the generated template rpm's
#
template_dir="$(readlink -m ./rpm/install-templates.sh)"
files=( $(ls rpm/noarch) )
name=$(xenstore-read name)
# -----------------------------------------------------------------------------
# Write $vars
# -----------------------------------------------------------------------------
cat << EOF > "${template_dir}"
#!/bin/bash
# Use the following command in DOM0 to retreive this file:
# qvm-run --pass-io ${name} 'cat ${template_dir}' > install-templates.sh
files="
$(printf "%s \n" ${files[@]})
"
path="$(readlink -m .)/rpm/noarch"
version="-$(cat ./version)"
name="${name}"
EOF
# -----------------------------------------------------------------------------
# Write installation function
# -----------------------------------------------------------------------------
cat << 'EOF' >> "${template_dir}"
for file in ${files[@]}; do
if [ ! -e ${file} ]; then
echo "Copying ${file} from ${name} to ${PWD}/${file}..."
qvm-run --pass-io ${name} "cat ${path}/${file}" > ${file}
fi
sudo yum erase $(echo "${file}" | sed -r "s/(${version}).+$//") && {
sudo yum install ${file} && {
rm -f ${file}
}
}
done
EOF
# -----------------------------------------------------------------------------
# Display instructions
# -----------------------------------------------------------------------------
echo "Use the following command in DOM0 to retreive this file:"
echo "qvm-run --pass-io ${name} 'cat ${template_dir}' > install-templates.sh"

430
functions.sh Executable file
View File

@ -0,0 +1,430 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
set -e
VERBOSE=${VERBOSE:-1}
DEBUG=${DEBUG:-0}
################################################################################
# Global functions
################################################################################
# ------------------------------------------------------------------------------
# Define colors
# ------------------------------------------------------------------------------
colors() {
## Thanks to:
## http://mywiki.wooledge.org/BashFAQ/037
## Variables for terminal requests.
[[ -t 2 ]] && {
export alt=$( tput smcup || tput ti ) # Start alt display
export ealt=$( tput rmcup || tput te ) # End alt display
export hide=$( tput civis || tput vi ) # Hide cursor
export show=$( tput cnorm || tput ve ) # Show cursor
export save=$( tput sc ) # Save cursor
export load=$( tput rc ) # Load cursor
export bold=$( tput bold || tput md ) # Start bold
export stout=$( tput smso || tput so ) # Start stand-out
export estout=$( tput rmso || tput se ) # End stand-out
export under=$( tput smul || tput us ) # Start underline
export eunder=$( tput rmul || tput ue ) # End underline
export reset=$( tput sgr0 || tput me ) # Reset cursor
export blink=$( tput blink || tput mb ) # Start blinking
export italic=$( tput sitm || tput ZH ) # Start italic
export eitalic=$( tput ritm || tput ZR ) # End italic
[[ ${TERM} != *-m ]] && {
export red=$( tput setaf 1|| tput AF 1 )
export green=$( tput setaf 2|| tput AF 2 )
export yellow=$( tput setaf 3|| tput AF 3 )
export blue=$( tput setaf 4|| tput AF 4 )
export magenta=$( tput setaf 5|| tput AF 5 )
export cyan=$( tput setaf 6|| tput AF 6 )
}
export white=$( tput setaf 7|| tput AF 7 )
export default=$( tput op )
export eed=$( tput ed || tput cd ) # Erase to end of display
export eel=$( tput el || tput ce ) # Erase to end of line
export ebl=$( tput el1 || tput cb ) # Erase to beginning of line
export ewl=$eel$ebl # Erase whole line
export draw=$( tput -S <<< ' enacs
smacs
acsc
rmacs' || { \
tput eA; tput as;
tput ac; tput ae; } ) # Drawing characters
export back=$'\b'
} 2>/dev/null ||:
export build_already_defined_colors="true"
}
if [ ! "$build_already_defined_colors" = "true" ]; then
colors
fi
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
chroot() {
local retval
true ${blue}
/usr/sbin/chroot "$@" && { retval=$?; true; } || { retval=$?; true; }
true ${reset}
return $retval
}
fi
# ------------------------------------------------------------------------------
# Display messages in color
# ------------------------------------------------------------------------------
# Only output text under certain conditions
output() {
if [ "${VERBOSE}" -ge 1 ]; then
# Don't echo if -x is set since it will already be displayed via true
[[ ${-/x} != $- ]] || echo -e "${1}"
fi
}
info() {
output "${bold}${blue}INFO: ${1}${reset}" || :
}
debug() {
output "${bold}${green}DEBUG: ${1}${reset}" || :
}
warn() {
output "${stout}${yellow}WARNING: ${1}${reset}" || :
}
error() {
output "${bold}${red}ERROR: ${1}${reset}" || :
}
# ------------------------------------------------------------------------------
# Takes an array and exports it a global variable
#
# $1: Array to export
# $2: Global variable name to use for export
#
# http://ihaveabackup.net/2012/01/29/a-workaround-for-passing-arrays-in-bash/
#
# ------------------------------------------------------------------------------
setArrayAsGlobal() {
local array="$1"
local export_as="$2"
local code=$(declare -p "$array")
local replaced="${code/$array/$export_as}"
eval ${replaced/declare -/declare -g}
}
# ------------------------------------------------------------------------------
# Spilts the path and returns an array of parts
#
# $1: Full path of file to split
# $2: Global variable name to use for export
# Returns:
# ([full]='original name' [dir]='directory' [base]='filename' [ext]='extension')
#
# Original concept path split from:
# https://stackoverflow.com/questions/965053/extract-filename-and-extension-in-bash
#
# ------------------------------------------------------------------------------
splitPath() {
local return_global_var=$2
local filename="${1##*/}" # Strip longest match of */ from start
local dir="${1:0:${#1} - ${#filename}}" # Substring from 0 thru pos of filename
local base="${filename%.[^.]*}" # Strip shortest match of . plus at least one non-dot char from end
local ext="${filename:${#base} + 1}" # Substring from len of base thru end
if [ "$ext" ]; then
local dotext=".$ext"
else
local dotext=""
fi
if [[ -z "$base" && -n "$ext" ]]; then # If we have an extension and no base, it's really the base
base=".$ext"
ext=""
dotext=""
fi
declare -A PARTS=([full]="$1" [dir]="$dir" [base]="$base" [ext]="$ext" [dotext]="$dotext")
setArrayAsGlobal PARTS $return_global_var
}
templateFlavor() {
echo ${TEMPLATE_FLAVOR}
}
templateFlavorPrefix() {
local template_flavor=${1-$(templateFlavor)}
# If TEMPLATE_FLAVOR_PREFIX is not already an array, make it one
if ! [[ "$(declare -p TEMPLATE_FLAVOR_PREFIX 2>/dev/null)" =~ ^declare\ -a.* ]] ; then
TEMPLATE_FLAVOR_PREFIX=( ${TEMPLATE_FLAVOR_PREFIX} )
fi
for element in "${TEMPLATE_FLAVOR_PREFIX[@]}"
do
if [ "${element%:*}" == "${DIST}+${template_flavor}" ]; then
echo ${element#*:}
return
fi
done
echo "${DIST}${template_flavor:++}"
}
templateNameDist() {
local dist_name="${1}"
template_name="$(templateName)" && dist_name="${template_name}"
# XXX: Temp hack to shorten name
if [ ${#dist_name} -ge 32 ]; then
if [ ${#template_name} -lt 32 ]; then
dist_name="${template_name}"
else
dist_name="${dist_name:0:31}"
fi
fi
# Remove and '+' characters from name since they are invalid for name
dist_name="${dist_name//+/-}"
echo ${dist_name}
}
templateName() {
local template_flavor=${1-$(templateFlavor)}
retval=1 # Default is 1; mean no replace happened
# Only apply options if $1 was not passed
if [ -n "${1}" ]; then
local template_options=
else
local template_options="${TEMPLATE_OPTIONS// /+}"
fi
local template_name="$(templateFlavorPrefix ${template_flavor})${template_flavor}${template_options:++}${template_options}"
# If TEMPLATE_LABEL is not already an array, make it one
if ! [[ "$(declare -p TEMPLATE_LABEL 2>/dev/null)" =~ ^declare\ -a.* ]] ; then
TEMPLATE_LABEL=( ${TEMPLATE_LABEL} )
fi
for element in "${TEMPLATE_LABEL[@]}"; do
if [ "${element%:*}" == "${template_name}" ]; then
template_name="${element#*:}"
retval=0
break
fi
done
if [ ${#template_name} -ge 32 ]; then
error "Template name is greater than 31 characters: ${template_name}"
error "Please set an alias"
error "Exiting!!!"
exit 1
fi
echo ${template_name}
return $retval
}
templateDir() {
local template_flavor=${1-$(templateFlavor)}
# If TEMPLATE_FLAVOR_DIR is not already an array, make it one
if ! [[ "$(declare -p TEMPLATE_FLAVOR_DIR 2>/dev/null)" =~ ^declare\ -a.* ]] ; then
TEMPLATE_FLAVOR_DIR=( ${TEMPLATE_FLAVOR_DIR} )
fi
for element in "${TEMPLATE_FLAVOR_DIR[@]}"
do
# (wheezy+whonix-gateway / wheezy+whonix-gateway+gnome[+++] / wheezy+gnome )
if [ "${element%:*}" == "$(templateName ${template_flavor})" ]; then
eval echo -e ${element#*:}
return
# Very short name compare (+proxy)
elif [ "${element:0:1}" == "+" -a "${element%:*}" == "+${template_flavor}" ]; then
eval echo -e ${element#*:}
return
fi
done
if [ -n "${template_flavor}" ]; then
local template_flavor_prefix="$(templateFlavorPrefix ${template_flavor})"
local dir="${SCRIPTSDIR}/${template_flavor_prefix}${template_flavor}"
else
local dir="${SCRIPTSDIR}"
fi
echo "${dir}"
}
templateFile() {
local file="$1"
local suffix="$2"
local template_flavor="$3"
local template_dir="$(templateDir "${template_flavor}")"
splitPath "${file}" path_parts
# Append suffix to filename (before extension)
if [ "${suffix}" ]; then
file="${template_dir}/${path_parts[base]}_${suffix}${path_parts[dotext]}"
else
file="${template_dir}/${path_parts[base]}${path_parts[dotext]}"
fi
if [ -f "${file}" ]; then
echo "${file}"
fi
}
buildStepExec() {
local filename="$1"
local suffix="$2"
local template_flavor="$3"
script="$(templateFile "${filename}" "${suffix}" "${template_flavor}")"
if [ -f "${script}" ] && [ ! ${GLOBAL_CACHE[$script]+_} ]; then
# Test module expects raw output back only used to asser test results
if [[ -n ${TEST} ]]; then
echo "${script}"
else
output "${bold}${under}INFO: Currently running script: ${script}${reset}"
fi
# Cache $script
GLOBAL_CACHE[$script]=1
# Execute $script
"${script}"
fi
}
copyTreeExec() {
local source_dir="$1"
local dir="$2"
local template_flavor="$3"
local target_dir="$4"
local template_dir="$(templateDir ${template_flavor})"
local source_dir="$(readlink -m ${source_dir:-${template_dir}}/${dir})"
local target_dir="$(readlink -m ${target_dir:-${INSTALLDIR}})"
if ! [ -d "${source_dir}" ]; then
debug "No extra files to copy for ${dir}"
return 0
fi
debug "Copying ${source_dir}/* ${target_dir}"
cp -rp "${source_dir}/." "${target_dir}"
if [ -f "${source_dir}/.facl" ]; then
debug "Restoring file permissions..."
pushd "${target_dir}"
{
setfacl --restore="${source_dir}/.facl" 2>/dev/null ||:
rm -f .facl
}
popd
fi
}
callTemplateFunction() {
# Reset Cache
unset GLOBAL_CACHE
declare -A -g GLOBAL_CACHE
local calling_script="$1"
local calling_arg="$2"
local functionExec="$3"
local template_flavor="$(templateFlavor)"
${functionExec} "${calling_script}" \
"${calling_arg}" \
"${template_flavor}"
for option in ${TEMPLATE_OPTIONS[@]}
do
# Long name (wheezy+whonix-gateway+proxy)
${functionExec} "${calling_script}" \
"${calling_arg}" \
"$(templateFlavor)+${option}"
# Short name (wheezy+proxy)
${functionExec} "${calling_script}" \
"${calling_arg}" \
"${option}"
done
# If template_flavor exists, also check on base distro
if [ -n "${template_flavor}" ]; then
${functionExec} "${calling_script}" \
"${calling_arg}"
fi
}
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
getFileLocations() {
local return_global_var=$1
local filename="$2"
local suffix="$3"
local function="templateFile"
files="$(callTemplateFunction "${filename}" "${suffix}" "${function}")"
IFS_orig="${IFS}}"; IFS=$'\n'
files=( "${files}" )
setArrayAsGlobal files $return_global_var
IFS="${IFS_orig}"
}
# ------------------------------------------------------------------------------
# Executes any additional optional configuration steps if the configuration
# scripts exist
# ------------------------------------------------------------------------------
buildStep() {
local filename="$1"
local suffix="$2"
local function="buildStepExec"
callTemplateFunction "${filename}" "${suffix}" "${function}"
}
# ------------------------------------------------------------------------------
# Copy extra file tree to ${INSTALLDIR}
# TODO: Allow copy per step (04_install_qubes.sh-files)
#
# To set file permissions is a PITA since git won't save them and will
# complain heavily if they are set to root only read, so this is the procdure:
#
# 1. Change to the directory that you want to have file permissions retained
# 2. Change all the file permissions / ownership as you want
# 3. Change back to the root of the exta directory (IE: extra-qubes-files)
# 4. Manually restore facl's: setfacl --restore=.facl
# 5. Manually create facl backup used after copying: getfacl -R . > .facl
# 6. If git complains; reset file ownership back to user. The .facl file stored
# the file permissions and will be used to reset the file permissions after
# they get copied over to ${INSTALLDIR}
# NOTE: Don't forget to redo this process if you add -OR- remove files
# ------------------------------------------------------------------------------
copyTree() {
local dir="$1"
local source_dir="$2"
local target_dir="$3"
local function="copyTreeExec"
if [ "x${source_dir}" == "x" ]; then
callTemplateFunction "" "${dir}" "${function}"
else
copyTreeExec "${source_dir}" "${dir}" "" "${target_dir}"
fi
}
# $0 is module that sourced vars.sh
output "${bold}${under}INFO: Currently running script: ${0}${reset}"

73
prepare_image
View File

@ -1,6 +1,9 @@
#!/bin/sh #!/bin/bash
export IMG=$1 # ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
export IMG="$1"
export LC_ALL=POSIX export LC_ALL=POSIX
RETCODE=0 RETCODE=0
@ -8,49 +11,61 @@ RETCODE=0
: ${DIST=fc14} : ${DIST=fc14}
. ./builder_setup >/dev/null . ./builder_setup >/dev/null
. ./umount_kill.sh >/dev/null
set -e if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
set -x
else
set -e
fi
if ! [ $# -eq 1 ]; then if ! [ $# -eq 1 ]; then
echo "usage $0 <img_file_name>" echo "usage $0 <img_file_name>"
exit exit
fi fi
if [ "$VERBOSE" == "1" ]; then if [ "$VERBOSE" == "1" ]; then
export YUM_OPTS="$YUM_OPTS -q" export YUM_OPTS="$YUM_OPTS -q"
fi fi
# ------------------------------------------------------------------------------
# Prepare for mount
# ------------------------------------------------------------------------------
echo "-> Preparing instalation of $DIST template..." echo "-> Preparing instalation of $DIST template..."
$SCRIPTSDIR/00_prepare.sh export INSTALLDIR="$(readlink -m mnt)"
mkdir -p "$INSTALLDIR"
"$SCRIPTSDIR/00_prepare.sh"
if [ -f $IMG ]; then # ------------------------------------------------------------------------------
echo "-> Image file already exists, assuming *update*..." # Mount image and install core OS
mount -o loop $IMG mnt || exit 1 # ------------------------------------------------------------------------------
export INSTALLDIR=`pwd`/mnt/
trap "umount $INSTALLDIR" EXIT if [ -f "$IMG" ]; then
echo "-> Image file already exists, assuming *update*..."
else else
echo "-> Initializing empty image..."
truncate -s 10G "$IMG" || exit 1
echo "-> Initializing empty image..." echo "-> Creating filesystem..."
truncate -s 10G $IMG || exit 1 mkfs.ext4 -q -F "$IMG" || exit 1
echo "-> Creating filesystem..."
mkfs.ext4 -q -F $IMG || exit 1
mkdir -p mnt
mount -o loop $IMG mnt || exit 1
export INSTALLDIR=`pwd`/mnt/
trap "umount $INSTALLDIR" EXIT
$SCRIPTSDIR/01_install_core.sh
fi fi
echo "-> Installing package groups..." mount -o loop "$IMG" "$INSTALLDIR" || exit 1
$SCRIPTSDIR/02_install_groups.sh trap "umount_kill $(readlink -m $INSTALLDIR)" EXIT
"$SCRIPTSDIR/01_install_core.sh"
# ------------------------------------------------------------------------------
# Install package groups
# ------------------------------------------------------------------------------
echo "-> Installing package groups..."
"$SCRIPTSDIR/02_install_groups.sh"
# ------------------------------------------------------------------------------
# Cleanup
# ------------------------------------------------------------------------------
trap - EXIT trap - EXIT
echo "-> Unmounting prepared_image..." echo "-> Unmounting prepared_image..."
sudo umount $INSTALLDIR umount_kill "$(readlink -m $INSTALLDIR)" || :
exit $RETCODE exit $RETCODE

96
qubeize_image
View File

@ -1,81 +1,98 @@
#!/bin/sh #!/bin/sh
export CLEANIMG=$1 # ------------------------------------------------------------------------------
export NAME=$2 # Configurations and Conditionals
# ------------------------------------------------------------------------------
export CLEANIMG="$1"
export NAME="$2"
export LC_ALL=POSIX export LC_ALL=POSIX
. ./builder_setup >/dev/null . ./builder_setup >/dev/null
. ./umount_kill.sh >/dev/null
set -e if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
set -x
else
set -e
fi
if [ $# -eq 0 ]; then if [ $# -eq 0 ]; then
echo "usage $0 <clean_image_file> <template_name>" echo "usage $0 <clean_image_file> <template_name>"
exit exit
fi fi
if [ x$CLEANIMG = x ]; then if [ "x$CLEANIMG" = x ]; then
echo "Image file not specified!" echo "Image file not specified!"
exit 1 exit 1
fi fi
if [ x$NAME = x ]; then if [ "x$NAME" = x ]; then
echo "Name not given!" echo "Name not given!"
exit 1 exit 1
fi fi
ID=$(id -ur) ID=$(id -ur)
if [ $ID != 0 ] ; then if [ $ID != 0 ] ; then
echo "This script should be run as root user." echo "This script should be run as root user."
exit 1 exit 1
fi fi
if [ "$VERBOSE" == "1" ]; then if [ "$VERBOSE" == "1" ]; then
export YUM_OPTS="$YUM_OPTS -q" export YUM_OPTS="$YUM_OPTS -q"
fi fi
# ------------------------------------------------------------------------------
# Cleanup function
# ------------------------------------------------------------------------------
function cleanup() { function cleanup() {
if grep -q " $PWD/mnt/proc " /proc/mounts; then umount_kill "$PWD/mnt" || :
umount mnt/proc
fi
if grep -q " $PWD/mnt " /proc/mounts; then
umount mnt
fi
} }
trap cleanup ERR trap cleanup ERR
export IMG=qubeized_images/$NAME-root.img # ------------------------------------------------------------------------------
# Mount qubeized_image
# ------------------------------------------------------------------------------
export IMG="qubeized_images/$NAME-root.img"
echo "--> Copying $CLEANIMG to $IMG..." echo "--> Copying $CLEANIMG to $IMG..."
cp $CLEANIMG $IMG || exit 1 cp "$CLEANIMG" "$IMG" || exit 1
echo "--> Mounting $IMG" echo "--> Mounting $IMG"
mkdir -p mnt mkdir -p mnt
mount -o loop $IMG mnt || exit 1 mount -o loop "$IMG" mnt || exit 1
export INSTALLDIR=mnt export INSTALLDIR=mnt
$SCRIPTSDIR/04_install_qubes.sh || { umount $INSTALLDIR; exit 1; } # ------------------------------------------------------------------------------
# Run qubeize script
# ------------------------------------------------------------------------------
"$SCRIPTSDIR/04_install_qubes.sh" || { umount "$INSTALLDIR"; exit 1; }
# ------------------------------------------------------------------------------
# Create App Menus
# ------------------------------------------------------------------------------
echo "--> Copying the Apps Menu shortcuts..." echo "--> Copying the Apps Menu shortcuts..."
export APPSORIG=qubeized_images/$NAME-apps.orig export APPSORIG="qubeized_images/$NAME-apps.orig"
export APPSTEMPL=qubeized_images/$NAME-apps.templates export APPSTEMPL="qubeized_images/$NAME-apps.templates"
mkdir -p $APPSORIG mkdir -p "$APPSORIG"
cp -r $(pwd)/mnt/usr/share/applications/* $APPSORIG cp -r "$(pwd)"/mnt/usr/share/applications/* "$APPSORIG"
echo "--> Creating the Apps Menu templates..." echo "--> Creating the Apps Menu templates..."
./create_apps_templates.sh $APPSORIG $APPSTEMPL "./create_apps_templates.sh" "$APPSORIG" "$APPSTEMPL"
echo "--> Choosing appmenus whitelists..." echo "--> Choosing appmenus whitelists..."
rm -f appmenus rm -f appmenus
if [ -d "appmenus_${DIST}_${TEMPLATE_FLAVOR}" ]; then if [ -d "appmenus_${DIST}_${TEMPLATE_FLAVOR}" ]; then
ln -s "appmenus_${DIST}_${TEMPLATE_FLAVOR}" appmenus ln -s "appmenus_${DIST}_${TEMPLATE_FLAVOR}" appmenus
elif [ -d "appmenus_$DIST" ]; then elif [ -d "appmenus_$DIST" ]; then
ln -s "appmenus_$DIST" appmenus ln -s "appmenus_$DIST" appmenus
else else
ln -s "appmenus_generic" appmenus ln -s "appmenus_generic" appmenus
fi fi
# ------------------------------------------------------------------------------
# Link directories so they can be mounted
# ------------------------------------------------------------------------------
echo "--> Linking /home to /rw/home..." echo "--> Linking /home to /rw/home..."
mv mnt/home mnt/home.orig mv mnt/home mnt/home.orig
ln -sf /rw/home mnt/home ln -sf /rw/home mnt/home
@ -85,14 +102,17 @@ mv mnt/usr/local mnt/usr/local.orig
ln -sf /rw/usrlocal mnt/usr/local ln -sf /rw/usrlocal mnt/usr/local
if [ -e mnt/etc/sysconfig/i18n ]; then if [ -e mnt/etc/sysconfig/i18n ]; then
echo "--> Setting up default locale..." echo "--> Setting up default locale..."
echo LC_CTYPE=en_US.UTF-8 > mnt/etc/sysconfig/i18n echo LC_CTYPE=en_US.UTF-8 > mnt/etc/sysconfig/i18n
fi fi
# ------------------------------------------------------------------------------
# Finsh - unmount image
# ------------------------------------------------------------------------------
echo "--> Unmounting $IMG" echo "--> Unmounting $IMG"
umount mnt cleanup
echo "Qubeized image stored at: $IMG" echo "Qubeized image stored at: $IMG"
echo "Reducing image size (calling cleanup_image)..." echo "Reducing image size (calling cleanup_image)..."
./cleanup_image $IMG ./cleanup_image "$IMG"

44
scripts_debian/00_prepare.sh
View File

@ -1,5 +1,45 @@
#!/bin/sh -x #!/bin/bash -x
# vim: set ts=4 sw=4 sts=4 et : # vim: set ts=4 sw=4 sts=4 et :
# This script does nothing now. # ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
INSTALLDIR="$(readlink -m mnt)"
umount_kill "${INSTALLDIR}" || :
# ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor 'pre' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "pre"
# ------------------------------------------------------------------------------
# Force overwrite of an existing image for now if debootstrap did not seem to complete...
# ------------------------------------------------------------------------------
debug "Determine if ${IMG} should be reused or deleted..."
if [ -f "${IMG}" ]; then
# Assume a failed debootstrap installation if .prepare_debootstrap does not exist
mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1
if ! [ -f "${INSTALLDIR}/tmp/.prepared_debootstrap" ]; then
warn "Last build failed. Deleting ${IMG}"
rm -f "${IMG}"
fi
# Umount image; don't fail if its already umounted
umount_kill "${INSTALLDIR}" || :
fi
# ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor 'post' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "post"

37
scripts_debian/01_install_core.sh
View File

@ -1,11 +1,38 @@
#!/bin/sh #!/bin/sh
# vim: set ts=4 sw=4 sts=4 et : # vim: set ts=4 sw=4 sts=4 et :
. $SCRIPTSDIR/vars.sh # ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
echo "-> Installing base debian system" # ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
COMPONENTS="" debootstrap --arch=amd64 --include=ncurses-term \ # ------------------------------------------------------------------------------
--components=main --keyring=${SCRIPTSDIR}/debian-archive-keyring.gpg \ # Execute any template flavor or sub flavor 'pre' scripts
$DEBIANVERSION "$INSTALLDIR" http://http.debian.net/debian || { echo "Debootstrap failed!"; exit 1; } # ------------------------------------------------------------------------------
buildStep "$0" "pre"
# ------------------------------------------------------------------------------
# Install base debian system
# ------------------------------------------------------------------------------
if ! [ -f "${INSTALLDIR}/tmp/.prepared_debootstrap" ]; then
debug "Installing base ${DEBIANVERSION} system"
COMPONENTS="" debootstrap --arch=amd64 --include=ncurses-term \
--components=main --keyring="${SCRIPTSDIR}/keys/${DEBIANVERSION}-debian-archive-keyring.gpg" \
"${DEBIANVERSION}" "${INSTALLDIR}" "${DEBIAN_MIRROR}" || { error "Debootstrap failed!"; exit 1; }
chroot "${INSTALLDIR}" chmod 0666 "/dev/null"
touch "${INSTALLDIR}/tmp/.prepared_debootstrap"
fi
# ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor 'post' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "post"

218
scripts_debian/02_install_groups.sh
View File

@ -1,57 +1,201 @@
#!/bin/sh #!/bin/sh
# vim: set ts=4 sw=4 sts=4 et : # vim: set ts=4 sw=4 sts=4 et :
. $SCRIPTSDIR/vars.sh # ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# Set up a temporary policy-rc.d to prevent apt from starting services # ------------------------------------------------------------------------------
# on package installation # Configurations
cat > $BUILDCHROOT/usr/sbin/policy-rc.d <<EOF # ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# If .prepared_debootstrap has not been completed, don't continue
# ------------------------------------------------------------------------------
if ! [ -f "${INSTALLDIR}/tmp/.prepared_debootstrap" ]; then
error "prepared_debootstrap installataion has not completed!... Exiting"
umount_kill "${INSTALLDIR}" || :
exit 1
fi
# ------------------------------------------------------------------------------
# Mount system mount points
# ------------------------------------------------------------------------------
for fs in /dev /dev/pts /proc /sys; do mount -B $fs "${INSTALLDIR}/$fs"; done
mount -t tmpfs none "${INSTALLDIR}/run"
# ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor 'pre' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "pre"
if ! [ -f "${INSTALLDIR}/tmp/.prepared_groups" ]; then
# ------------------------------------------------------------------------------
# Cleanup function
# ------------------------------------------------------------------------------
function cleanup() {
error "Install groups error and umount"
rm -f "${INSTALLDIR}/usr/sbin/policy-rc.d"
umount_kill "${INSTALLDIR}" || :
exit 1
}
trap cleanup ERR
trap cleanup EXIT
# ------------------------------------------------------------------------------
# Set up a temporary policy-rc.d to prevent apt from starting services
# on package installation
# ------------------------------------------------------------------------------
cat > "${INSTALLDIR}/usr/sbin/policy-rc.d" <<EOF
#!/bin/sh #!/bin/sh
return 101 # Action forbidden by policy return 101 # Action forbidden by policy
EOF EOF
chmod 755 $BUILDCHROOT/usr/sbin/policy-rc.d chmod 755 "${INSTALLDIR}/usr/sbin/policy-rc.d"
if [ "$DEBIANVERSION" = "wheezy" ]; then # stable # ------------------------------------------------------------------------------
echo "--> Adding debian-security repository." # Ensure umask set in /etc/login.defs is used (022)
# security.debian.org only makes sense for stable/wheezy # ------------------------------------------------------------------------------
echo "deb http://security.debian.org/ ${DEBIANVERSION}/updates main" \ echo "session optional pam_umask.so" >> "${INSTALLDIR}/etc/pam.d/common-session"
>> "$INSTALLDIR/etc/apt/sources.list"
echo "deb-src http://security.debian.org/ ${DEBIANVERSION}/updates main" \
>> "$INSTALLDIR/etc/apt/sources.list"
echo "--> Installing systemd" # ------------------------------------------------------------------------------
# sysvinit gives problems with qubes initramfs, we depend on systemd # Add debian security repository
# for now. Apt *really* doesn't want to replace sysvinit in wheezy. # ------------------------------------------------------------------------------
# For jessie and newer, sysvinit is provided by sysvinit-core which debug "Adding debian-security repository."
# is not an essential package. source="deb http://security.debian.org ${DEBIANVERSION}/updates main"
echo 'Yes, do as I say!' | chroot $INSTALLDIR apt-get -y \ if ! grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*; then
--force-yes install systemd-sysv touch "${INSTALLDIR}/etc/apt/sources.list"
else # testing/unstable echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list"
echo "--> Installing systemd" fi
chroot $INSTALLDIR apt-get -y install systemd-sysv source="deb-src http://security.debian.org ${DEBIANVERSION}/updates main"
fi if ! grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*; then
touch "${INSTALLDIR}/etc/apt/sources.list"
echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list"
fi
chroot $INSTALLDIR systemctl set-default multi-user.target # ------------------------------------------------------------------------------
# Upgrade system
# ------------------------------------------------------------------------------
debug "Upgrading system"
chroot "${INSTALLDIR}" apt-get update
true "${stout}"
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} dist-upgrade
echo "--> Upgrading system" # ------------------------------------------------------------------------------
chroot $INSTALLDIR apt-get update # Configure keyboard
chroot $INSTALLDIR apt-get -y upgrade # ------------------------------------------------------------------------------
debug "Setting keyboard layout"
echo "--> Setting keyboard layout" chroot "${INSTALLDIR}" debconf-set-selections <<EOF
chroot $INSTALLDIR debconf-set-selections <<EOF
keyboard-configuration keyboard-configuration/variant select English (US) keyboard-configuration keyboard-configuration/variant select English (US)
keyboard-configuration keyboard-configuration/layout select English (US) keyboard-configuration keyboard-configuration/layout select English (US)
keyboard-configuration keyboard-configuration/model select Generic 105-key (Intl) PC keyboard-configuration keyboard-configuration/model select Generic 105-key (Intl) PC
keyboard-configuration keyboard-configuration/modelcode string pc105 keyboard-configuration keyboard-configuration/modelcode string pc105
keyboard-configuration keyboard-configuration/layoutcode string us keyboard-configuration keyboard-configuration/layoutcode string us
keyboard-configuration keyboard-configuration/variantcode string keyboard-configuration keyboard-configuration/variantcode string
keyboard-configuration keyboard-configuration/optionscode string keyboard-configuration keyboard-configuration/optionscode string
EOF EOF
echo "--> Installing extra packages" # ------------------------------------------------------------------------------
xargs chroot $INSTALLDIR apt-get -y install < $SCRIPTSDIR/packages.list # Install extra packages in script_${DEBIANVERSION}/packages.list file
# -and / or- TEMPLATE_FLAVOR directories
# ------------------------------------------------------------------------------
getFileLocations packages_list "packages.list" "${DIST}"
if [ -z "${packages_list}" ]; then
error "Can not locate a package.list file!"
umount_kill "${INSTALLDIR}" || :
exit 1
fi
# Remove temporary policy layer so services can start normally in the for package_list in ${packages_list[@]}; do
# deployed template. debug "Installing extra packages from: ${package_list}"
rm -f $BUILDCHROOT/usr/sbin/policy-rc.d DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
xargs chroot ${INSTALLDIR} apt-get ${APT_GET_OPTIONS} install < "${package_list}"
done
# ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor scripts after packages are installed
# (Whonix needs dependancies installed before installation)
# ------------------------------------------------------------------------------
buildStep "$0" "packages_installed"
# ------------------------------------------------------------------------------
# Install systemd
# ------------------------------------------------------------------------------
# - sysvinit gives problems with qubes initramfs, we depend on systemd
# for now. Apt *really* doesn't want to replace sysvinit in wheezy.
# For jessie and newer, sysvinit is provided by sysvinit-core which
# is not an essential package.
# ------------------------------------------------------------------------------
debug "Installing systemd for debian (${DEBIANVERSION})"
if [ "${DEBIANVERSION}" == "wheezy" ]; then
echo 'Yes, do as I say!' | DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} remove sysvinit
else
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} remove sysvinit
fi
# Prevent sysvinit from being re-installed
debug "Preventing sysvinit re-installation"
chroot "${INSTALLDIR}" apt-mark hold sysvinit
# Pin sysvinit to prevent being re-installed
cat > "${INSTALLDIR}/etc/apt/preferences.d/qubes_sysvinit" <<EOF
Package: sysvinit
Pin: version *
Pin-Priority: -100
EOF
chmod 0644 "${INSTALLDIR}/etc/apt/preferences.d/qubes_sysvinit"
chroot "${INSTALLDIR}" apt-get update
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} install systemd-sysv
# ------------------------------------------------------------------------------
# Set multu-user.target as the default target (runlevel 3)
# ------------------------------------------------------------------------------
chroot "${INSTALLDIR}" rm -f /etc/systemd/system/default.target
chroot "${INSTALLDIR}" ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
# ------------------------------------------------------------------------------
# Qubes is now being built with some SID packages; grab backport for wheezy
# ------------------------------------------------------------------------------
if [ "${DEBIANVERSION}" == "wheezy" ]; then
debug "Adding wheezy backports repository."
source="deb ${DEBIAN_MIRROR} wheezy-backports main"
if ! grep -r -q "$source" "${INSTALLDIR}/etc/apt/sources.list"*; then
touch "${INSTALLDIR}/etc/apt/sources.list"
echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list"
fi
chroot ${INSTALLDIR} apt-get update
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot ${INSTALLDIR} apt-get ${APT_GET_OPTIONS} -t wheezy-backports install init-system-helpers
fi
# ------------------------------------------------------------------------------
# Cleanup
# ------------------------------------------------------------------------------
# Remove temporary policy layer so services can start normally in the
# deployed template.
rm -f "${INSTALLDIR}/usr/sbin/policy-rc.d"
touch "${INSTALLDIR}/tmp/.prepared_groups"
trap - ERR EXIT
trap
# Kill all processes and umount all mounts within ${INSTALLDIR},
# but not ${INSTALLDIR} itself (extra '/' prevents ${INSTALLDIR} from being
# umounted itself)
umount_kill "${INSTALLDIR}/" || :
fi
# ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor 'post' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "post"

184
scripts_debian/04_install_qubes.sh
View File

@ -1,86 +1,154 @@
#!/bin/sh #!/bin/sh
# vim: set ts=4 sw=4 sts=4 et : # vim: set ts=4 sw=4 sts=4 et :
. $SCRIPTSDIR/vars.sh # ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# Set up a temporary policy-rc.d to prevent apt from starting services # ------------------------------------------------------------------------------
# on package installation # Configurations
cat > $INSTALLCHROOT/usr/sbin/policy-rc.d <<EOF # ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# If .prepared_groups has not been completed, don't continue
# ------------------------------------------------------------------------------
if ! [ -f "${INSTALLDIR}/tmp/.prepared_groups" ]; then
error "prepared_groups installataion has not completed!... Exiting"
exit 1
fi
# ------------------------------------------------------------------------------
# Mount system mount points
# ------------------------------------------------------------------------------
for fs in /dev /dev/pts /proc /sys; do mount -B $fs "${INSTALLDIR}/$fs"; done
mount -t tmpfs none "${INSTALLDIR}/run"
# ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor 'pre' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "pre"
# ------------------------------------------------------------------------------
# Install Qubes Packages
# ------------------------------------------------------------------------------
if ! [ -f "${INSTALLDIR}/tmp/.prepared_qubes" ]; then
debug "Installing qbues modules"
# --------------------------------------------------------------------------
# Set up a temporary policy-rc.d to prevent apt from starting services
# on package installation
# --------------------------------------------------------------------------
cat > "${INSTALLCHROOT}/usr/sbin/policy-rc.d" <<EOF
#!/bin/sh #!/bin/sh
return 101 # Action forbidden by policy return 101 # Action forbidden by policy
EOF EOF
chmod 755 $INSTALLCHROOT/usr/sbin/policy-rc.d chmod 755 ${INSTALLCHROOT}/usr/sbin/policy-rc.d
echo "--> Generate locales" # --------------------------------------------------------------------------
echo "en_US.UTF-8 UTF-8" >> $INSTALLDIR/etc/locale.gen # Generate locales
chroot $INSTALLDIR locale-gen # --------------------------------------------------------------------------
chroot $INSTALLDIR update-locale LANG=en_US.UTF-8 debug "Generate locales"
echo "en_US.UTF-8 UTF-8" >> "${INSTALLDIR}/etc/locale.gen"
chroot "${INSTALLDIR}" locale-gen
chroot "${INSTALLDIR}" update-locale LANG=en_US.UTF-8
echo "--> Updating template fstab file..." # --------------------------------------------------------------------------
cat >> $INSTALLDIR/etc/fstab <<EOF # Link mtab
proc /proc proc defaults 0 0 # --------------------------------------------------------------------------
sysfs /sys sysfs defaults 0 0 rm -f "${INSTALLDIR}/etc/mtab"
/dev/mapper/dmroot / ext4 discard,noatime,errors=remount-ro 0 0 ln -s "../proc/self/mounts" "${INSTALLDIR}/etc/mtab"
/dev/xvdb /rw ext4 noauto,discard,noatime,errors=remount-ro 0 0
/dev/xvdc1 swap swap defaults 0 0
/dev/xvdd /lib/modules ext3 defaults 0 0
xen /proc/xen xenfs defaults 0 0
/rw/home /home none noauto,bind,defaults 0 0
/dev/xvdi /mnt/removable auto noauto,user,rw 0 0
EOF
rm -f $INSTALLDIR/etc/mtab # --------------------------------------------------------------------------
ln -s ../proc/self/mounts $INSTALLDIR/etc/mtab # Start of Qubes package installation
# --------------------------------------------------------------------------
debug "Installing qubes packages"
export CUSTOMREPO="${PWD}/yum_repo_qubes/${DIST}"
mkdir -p $INSTALLDIR/lib/modules # --------------------------------------------------------------------------
# Install keyrings
echo "--> Installing qubes packages" # --------------------------------------------------------------------------
export CUSTOMREPO="$PWD/yum_repo_qubes/$DIST" if ! [ -e "${CACHEDIR}/repo-secring.gpg" ]; then
mkdir -p "${CACHEDIR}"
if ! [ -e $CACHEDIR/repo-secring.gpg ]; then gpg --gen-key --batch <<EOF
mkdir -p $CACHEDIR
gpg --gen-key --batch <<EOF
Key-Type: RSA Key-Type: RSA
Key-Length: 1024 Key-Length: 1024
Key-Usage: sign Key-Usage: sign
Name-Real: Qubes builder Name-Real: Qubes builder
Expire-Date: 0 Expire-Date: 0
%pubring $CACHEDIR/repo-pubring.gpg %pubring ${CACHEDIR}/repo-pubring.gpg
%secring $CACHEDIR/repo-secring.gpg %secring ${CACHEDIR}/repo-secring.gpg
%commit %commit
EOF EOF
fi fi
gpg -abs --no-default-keyring \ gpg -abs --no-default-keyring \
--secret-keyring $CACHEDIR/repo-secring.gpg \ --secret-keyring "${CACHEDIR}/repo-secring.gpg" \
--keyring $CACHEDIR/repo-pubring.gpg \ --keyring "${CACHEDIR}/repo-pubring.gpg" \
-o $CUSTOMREPO/dists/$DIST/Release.gpg \ -o "${CUSTOMREPO}/dists/${DIST}/Release.gpg" \
$CUSTOMREPO/dists/$DIST/Release "${CUSTOMREPO}/dists/${DIST}/Release"
cp "${CACHEDIR}/repo-pubring.gpg" "${INSTALLDIR}/etc/apt/trusted.gpg.d/qubes-builder.gpg"
mkdir -p $INSTALLDIR/tmp/qubes_repo # --------------------------------------------------------------------------
mount --bind $CUSTOMREPO $INSTALLDIR/tmp/qubes_repo # Mount local qubes_repo
cat > $INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list <<EOF # --------------------------------------------------------------------------
deb file:/tmp/qubes_repo $DEBIANVERSION main mkdir -p "${INSTALLDIR}/tmp/qubes_repo"
mount --bind "${CUSTOMREPO}" "${INSTALLDIR}/tmp/qubes_repo"
# --------------------------------------------------------------------------
# Include qubes repo for apt
# --------------------------------------------------------------------------
cat > "${INSTALLDIR}/etc/apt/sources.list.d/qubes-builder.list" <<EOF
deb file:/tmp/qubes_repo ${DEBIANVERSION} main
EOF EOF
cp $CACHEDIR/repo-pubring.gpg $INSTALLDIR/etc/apt/trusted.gpg.d/qubes-builder.gpg
chroot $INSTALLDIR apt-get update || { umount $INSTALLDIR/tmp/qubes_repo; exit 1; } # --------------------------------------------------------------------------
chroot $INSTALLDIR apt-get -y install `cat $SCRIPTSDIR/packages_qubes.list` || { umount $INSTALLDIR/tmp/qubes_repo; exit 1; } # Update system; exit is not successful
umount $INSTALLDIR/tmp/qubes_repo # --------------------------------------------------------------------------
rm -f $INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list chroot "${INSTALLDIR}" apt-get update || { umount_kill "${INSTALLDIR}"; exit 1; }
chroot $INSTALLDIR apt-get update || exit 1
# Remove temporary policy layer so services can start normally in the # --------------------------------------------------------------------------
# deployed template. # Install Qubes packages
rm -f $BUILDCHROOT/usr/sbin/policy-rc.d # --------------------------------------------------------------------------
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} install $(cat ${SCRIPTSDIR}/packages_qubes.list) || \
{ umount_kill "${INSTALLDIR}"; exit 1; }
chroot $INSTALLDIR groupadd user # --------------------------------------------------------------------------
chroot $INSTALLDIR useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user # Remove Qubes Builder repo from sources.list.d
# --------------------------------------------------------------------------
umount_kill "${INSTALLDIR}/tmp/qubes_repo"
rm -f "${INSTALLDIR}/etc/apt/sources.list.d/qubes-builder.list"
chroot "${INSTALLDIR}" apt-get update || exit 1
echo "xen_netfront" >> $INSTALLDIR/etc/modules # --------------------------------------------------------------------------
# Remove temporary policy layer so services can start normally in the
# deployed template.
# --------------------------------------------------------------------------
rm -f "${INSTALLDIR}/usr/sbin/policy-rc.d"
sed -i -e '/^mesg n/d' $INSTALLDIR/root/.profile # --------------------------------------------------------------------------
# Copy extra files to installation directory. Contains:
# - font fixes for display issues
# --------------------------------------------------------------------------
copyTree "qubes-files" "${SCRIPTSDIR}" "${INSTALLDIR}"
# Kill any processes that might have been started by apt before unmounting touch "${INSTALLDIR}/tmp/.prepared_qubes"
lsof $INSTALLDIR | tail -n +2 | awk '{print $2}' | xargs --no-run-if-empty kill fi
# ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor 'post' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "post"
# ------------------------------------------------------------------------------
# Kill all processes and umount all mounts within ${INSTALLDIR}, but not
# ${INSTALLDIR} itself (extra '/' prevents ${INSTALLDIR} from being umounted itself)
# ------------------------------------------------------------------------------
umount_kill "${INSTALLDIR}/" || :

31
scripts_debian/09_cleanup.sh
View File

@ -1,10 +1,33 @@
#!/bin/sh #!/bin/sh
# vim: set ts=4 sw=4 sts=4 et : # vim: set ts=4 sw=4 sts=4 et :
rm -f $INSTALLDIR/var/cache/apt/archives/* # ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
rm -f $INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list # ------------------------------------------------------------------------------
rm -f $INSTALLDIR/etc/apt/trusted.gpg.d/qubes-builder.gpg # Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
rm -rf buildchroot # ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor 'pre' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "pre"
# ------------------------------------------------------------------------------
# Cleanup any left over files from installation
# ------------------------------------------------------------------------------
rm -rf "${INSTALLDIR}/var/cache/apt/archives/*"
rm -f "${INSTALLDIR}/etc/apt/sources.list.d/qubes-builder.list"
rm -f "${INSTALLDIR}/etc/apt/trusted.gpg.d/qubes-builder.gpg"
# ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor 'post' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "post"

2
scripts_debian/gnome/packages_jessie.list Normal file
View File

@ -0,0 +1,2 @@
gnome-desktop-environment
gnome-accessibility-themes

2
scripts_debian/gnome/packages_wheezy.list Normal file
View File

@ -0,0 +1,2 @@
gnome-desktop-environment
gnome-accessibility-themes

0
scripts_debian/debian-archive-keyring.gpg → scripts_debian/keys/jessie-debian-archive-keyring.gpg
View File

BIN
scripts_debian/keys/wheezy-debian-archive-keyring.gpg Normal file
View File

Binary file not shown.

1
scripts_debian/packages.list → scripts_debian/packages_jessie.list
View File

@ -7,3 +7,4 @@ ncurses-term
xserver-xorg-core xserver-xorg-core
x11-xserver-utils x11-xserver-utils
xinit xinit
acpid

6
scripts_debian/packages_qubes.list
View File

@ -1,2 +1,8 @@
qubes-core-agent qubes-core-agent
qubes-gui-agent qubes-gui-agent
xdg-user-dirs
gnome-themes-standard
xsettingsd
gnome-packagekit
chrony
ntpdate

10
scripts_debian/packages_wheezy.list Normal file
View File

@ -0,0 +1,10 @@
gnome-terminal
locales
sudo
dmsetup
psmisc
ncurses-term
xserver-xorg-core
x11-xserver-utils
xinit
acpid

70
scripts_debian/qubes-files/.facl Normal file
View File

@ -0,0 +1,70 @@
# file: .
# owner: user
# group: user
user::rwx
group::r-x
other::r-x
# file: etc
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/Xresources
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/xdg/fonts.conf
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/xdg/xsettingsd
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/X11
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/X11/Xsession.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/X11/Xsession.d/25xdg-qubes-settings
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: .facl
# owner: root
# group: root
user::rw-
group::r--
other::r--

23
scripts_debian/vars.sh
View File

@ -1,13 +1,18 @@
#!/bin/bash
# ------------------------------------------------------------------------------
# Global variables and functions
# ------------------------------------------------------------------------------
. ./functions.sh
# The codename of the debian version to install. # The codename of the debian version to install.
# jessie = testing, wheezy = stable # jessie = testing, wheezy = stable
DEBIANVERSION=$DIST DEBIANVERSION=${DIST}
EXTRAPKGS="openssh-clients,screen,vim-nox,less" # Location to grab debian packages
DEBIAN_MIRROR=http://ftp.us.debian.org/debian
QUBESDEBIANGIT="http://dsg.is/qubes/" #DEBIAN_MIRROR=http://http.debian.net/debian
#DEBIAN_MIRROR=http://ftp.ca.debian.org/debian
# make runs the scripts with sudo -E, so HOME is set to /home/user during
# build, which does not exist. We need to write to $HOME/.gnupg so set it
# to something valid.
HOME=/root
APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes -y"

1
scripts_debian/wheezy+whonix-gateway/00_prepare_pre.sh Symbolic link
View File

@ -0,0 +1 @@
../wheezy+whonix/00_prepare_pre.sh

1
scripts_debian/wheezy+whonix-gateway/01_install_core_post.sh Symbolic link
View File

@ -0,0 +1 @@
../wheezy+whonix/01_install_core_post.sh

1
scripts_debian/wheezy+whonix-gateway/02_install_groups_packages_installed.sh Symbolic link
View File

@ -0,0 +1 @@
../wheezy+whonix/02_install_groups_packages_installed.sh

1
scripts_debian/wheezy+whonix-gateway/04_install_qubes_post.sh Symbolic link
View File

@ -0,0 +1 @@
../wheezy+whonix/04_install_qubes_post.sh

1
scripts_debian/wheezy+whonix-gateway/09_cleanup_post.sh Symbolic link
View File

@ -0,0 +1 @@
../wheezy+whonix/09_cleanup_post.sh

28
scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh Executable file
View File

@ -0,0 +1,28 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# whonix-netvm-gateway contains last known IP used to search and replace
# ------------------------------------------------------------------------------
if [ -f "${INSTALLDIR}/tmp/.whonix_post" -a ! -f "${INSTALLDIR}/tmp/.whonix_custom_configurations" ]; then
# --------------------------------------------------------------------------
# Install Custom Configurations
# --------------------------------------------------------------------------
echo "10.152.152.10" > "${INSTALLDIR}/etc/whonix-netvm-gateway"
touch "${INSTALLDIR}/tmp/.whonix_custom_configurations"
fi

252
scripts_debian/wheezy+whonix-gateway/files/.facl Normal file
View File

@ -0,0 +1,252 @@
# file: .
# owner: user
# group: user
user::rwx
group::r-x
other::r-x
# file: lib
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd/system
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd/system/qubes-whonix-firewall.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: lib/systemd/system/qubes-whonix-network.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: lib/systemd/system/qubes-whonix-init.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/hosts
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/uwt.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/uwt.d/50_uwt_default
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/xdg
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/autostart
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/autostart/qubes-whonixsetup.desktop
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/apt
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/hostname
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/sudoers.d
# owner: root
# group: root
user::rwx
group::r-x
other::---
# file: etc/sudoers.d/whonix-build
# owner: root
# group: root
user::r--
group::r--
other::---
# file: .facl
# owner: user
# group: user
user::rw-
group::r--
other::r--
# file: usr
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/utility_functions
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/bind-dirs.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/qubes-whonix-firewall.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/qubes-whonix-bind.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/init/replace-ips
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/init.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/whonixcheck.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/init/network-proxy-setup.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/qubes-whonix-tor.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/messages.yaml
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/alert
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/qubes-whonixsetup
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/enable-iptables-logging.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

1
scripts_debian/wheezy+whonix-gateway/files/etc/hostname Normal file
View File

@ -0,0 +1 @@
host

7
scripts_debian/wheezy+whonix-gateway/files/etc/hosts Normal file
View File

@ -0,0 +1,7 @@
## Anonymity Distribution /etc/hosts
## Anonymity Distribution specific
127.0.0.1 host.localdomain host
## End of Anonymity Distribution specific
## End of Anonymity Distribution /etc/hosts

1
scripts_debian/wheezy+whonix-gateway/files/etc/sudoers.d/whonix-build Normal file
View File

@ -0,0 +1 @@
user ALL=(ALL) NOPASSWD: ALL

6
scripts_debian/wheezy+whonix-gateway/files/etc/uwt.d/50_uwt_default Normal file
View File

@ -0,0 +1,6 @@
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]; then
uwtwrapper["/usr/bin/apt-get"]="0"
fi

8
scripts_debian/wheezy+whonix-gateway/files/etc/xdg/autostart/qubes-whonixsetup.desktop Normal file
View File

@ -0,0 +1,8 @@
## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
[Desktop Entry]
Type=Application
Terminal=false
Exec=/usr/lib/whonix/qubes-whonixsetup

12
scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Qubes Whonix firewall updater
After=qubes-whonix-network.service
Before=network.target
[Service]
ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
Alias=qubes-firewall.service

13
scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service Normal file
View File

@ -0,0 +1,13 @@
[Unit]
Description=Qubes Whonix initialization script
After=qubes-whonix-network.service
Before=qubes-whonix-firewall.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/whonix/init/init.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

15
scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service Normal file
View File

@ -0,0 +1,15 @@
[Unit]
Description=Qubes Whonix network proxy setup
ConditionPathExists=/var/run/qubes-service/qubes-network
Before=network.target
After=iptables.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
Alias=qubes-network.service

90
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/alert Executable file
View File

@ -0,0 +1,90 @@
#!/usr/bin/python
#
# Copyright 2014 Jason Mehring (nrgaway@gmail.com)
#
from PyQt4 import QtGui
import locale
import yaml
DEFAULT_LANG = 'en'
class Messages():
filename = None
data = None
language = DEFAULT_LANG
title = None
icon = None
message = None
def __init__(self, section, filename):
self.filename = filename
language = locale.getdefaultlocale()[0].split('_')[0]
if language:
self.language = language
try:
stream = file(filename, 'r')
data = yaml.load(stream)
if section in data.keys():
section = data[section]
self.icon = section.get('icon', None)
language = section.get(self.language, DEFAULT_LANG)
self.title = language.get('title', None)
self.message = language.get('message', None)
except (IOError):
pass
except (yaml.scanner.ScannerError, yaml.parser.ParserError):
pass
class WhonixMessageBox(QtGui.QMessageBox):
def __init__(self, message):
super(WhonixMessageBox, self).__init__()
self.message = message
self.initUI()
def initUI(self):
message = self.message
if message.title:
self.setWindowTitle(message.title)
if message.icon:
self.setIcon(getattr(QtGui.QMessageBox, message.icon))
if message.message:
self.setText(message.message)
self.exec_()
import argparse
import sys
def main():
parser = argparse.ArgumentParser(description='Display a QT Message Box')
parser.add_argument('section', help="Message section")
parser.add_argument('filename', help="File including full path")
args = parser.parse_args()
if not args.filename and args.section:
print parser.usage()
sys.exit(1)
app = QtGui.QApplication(sys.argv)
message = Messages(args.section, args.filename)
dialog = WhonixMessageBox(message)
sys.exit()
if __name__ == "__main__":
main()

58
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh Executable file
View File

@ -0,0 +1,58 @@
#!/bin/bash
#
# To umount all binds, just pass any arg in $1
#
. /usr/lib/whonix/utility_functions
# Don't run if started as a template
if ! [ "${WHONIX}" == "template" ]; then
# Array of directories to bind
BINDS=(
'/rw/srv/whonix/root/.whonix:/root/.whonix'
'/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
'/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
'/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
'/rw/srv/whonix/etc/tor:/etc/tor'
)
for bind in ${BINDS[@]}; do
rw_dir="${bind%%:*}"
ro_dir="${bind##*:}"
# Make sure ro directory is not mounted
umount "${ro_dir}" 2> /dev/null || true
if [ -n "${1}" ]; then
echo "Umounting only..."
exit 0
fi
# Make sure ro directory exists
if ! [ -d "${ro_dir}" ]; then
mkdir -p "${ro_dir}"
fi
# Initially copy over data directories to /rw if rw directory does not exist
if ! [ -d "${rw_dir}" ]; then
mkdir -p "${rw_dir}"
rsync -hax "${ro_dir}/." "${rw_dir}"
fi
# Bind the directory
sync
mount --bind "${rw_dir}" "${ro_dir}"
done
sync
fi
if [ "${WHONIX}" == "gateway" ]; then
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi
exit 0

30
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/enable-iptables-logging.sh Executable file
View File

@ -0,0 +1,30 @@
#!/bin/bash
# Check /var/log/kern.log for logging results
LOG_IP4=1
LOG_IP6=0
# for IPv4
if [ "$LOG_IP4" == "1" ]; then
iptables -t raw -A OUTPUT -p icmp -j TRACE
iptables -t raw -A PREROUTING -p icmp -j TRACE
modprobe ipt_LOG
fi
# for IPv6
if [ "$LOG_IP6" == "1" ]; then
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
modprobe ip6t_LOG
fi
# Redirect local port to remote via socat
#apt-get install socat
#socat TCP4-LISTEN:8082,fork,mode=0666,user=root,group=root TCP4:10.137.255.254:8082
#
# Works
# localhost/loopback maps localhost port 8082 to localhost port 8888
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888

30
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh Executable file
View File

@ -0,0 +1,30 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" != "template" ]; then
# Files that will have the immutable bit set
# since we don't want them modified by other programs
IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname'
'/etc/hosts'
)
# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/init/replace-ips
# Make sure hostname is correct
/bin/hostname host
fi

57
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
INTERFACE="eth1"
if [ "${WHONIX}" == "gateway" ]; then
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Setup Xen / Qubes proxy
network=$(xenstore-read qubes-netvm-network 2>/dev/null)
if [ "x$network" != "x" ]; then
gateway=$(xenstore-read qubes-netvm-gateway)
netmask=$(xenstore-read qubes-netvm-netmask)
secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
modprobe netbk 2> /dev/null || modprobe xen-netback
echo "NS1=$gateway" > /var/run/qubes/qubes-ns
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
#/usr/lib/qubes/qubes-setup-dnat-to-ns
echo "0" > /proc/sys/net/ipv4/ip_forward
/sbin/ethtool -K eth0 sg off || :
fi
# Now, assign it the netvm-gateway IP address
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
if [ x${ip} != x ]; then
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
/sbin/ip link add ${INTERFACE} type dummy
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off || true
/sbin/ethtool -K ${INTERFACE} tx off || true
ip link set ${INTERFACE} up
fi
echo "0" > /proc/sys/net/ipv4/ip_forward
# Allow whonix-gateway to act as an update-proxy
touch /var/run/qubes-service/qubes-updates-proxy
# Search and replace tinyproxy error files so we can inject code that
# we can use to identify that its a tor proxy so updates are secure
error_file="/usr/share/tinyproxy/default.html"
grep -q "${PROXY_META}" "${error_file}" || {
sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
}
fi

49
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh Executable file
View File

@ -0,0 +1,49 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Make sure IP forwarding is disabled
echo "0" > /proc/sys/net/ipv4/ip_forward
if [ "${WHONIX}" != "template" ]; then
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Start Whonix Firewall
if [ "${WHONIX}" == "gateway" ]; then
export INT_IF="vif+"
export INT_TIF="vif+"
# Inject custom firewall rules into whonix_firewall
sed -i -f - /usr/bin/whonix_firewall <<-EOF
/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
## IPv4 DROP INVALID INCOMING PACKAGES \\
## \\
## --- THE FOLLOWING WS INJECTED --- \\
## Qubes Tiny Proxy Updater \\
iptables -t nat -N PR-QBS-SERVICES \\
iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
\\
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
# Allows localhost access to tor network \\
#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
######################################
EOF
fi
# Load the firewall
# XXX: TODO: Take down all network accesss if firewall fails
/usr/bin/whonix_firewall
systemctl restart qubes-updates-proxy.service
fi

16
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service Normal file
View File

@ -0,0 +1,16 @@
[Unit]
Description = Anonymizing overlay network for TCP
After = syslog.target network.target nss-lookup.target
[Service]
Type = simple
ExecStart = /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --quiet
ExecReload = /bin/kill -HUP ${MAINPID}
ExecStop = /bin/kill -INT ${MAINPID}
TimeoutSec = 60
Restart = on-failure
LimitNOFILE = 32768
[Install]
WantedBy = multi-user.target
Alias=tor.service

118
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/replace-ips Executable file
View File

@ -0,0 +1,118 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
# Search though files and updates IP address to the current
# IP address(es)
FILES=(
'/usr/lib/leaktest-workstation/simple_ping.py'
'/usr/lib/whonixcheck/preparation'
'/usr/share/anon-kde-streamiso/share/config/kioslaverc'
'/usr/bin/whonix_firewall'
'/etc/whonix_firewall.d/30_default'
'/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh'
'/usr/bin/uwt'
'/etc/uwt.d/30_uwt_default'
'/usr/share/tor/tor-service-defaults-torrc.anondist'
'/usr/bin/update-torbrowser'
'/etc/network/interfaces.whonix'
'/etc/resolv.conf.anondist'
'/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin'
'/etc/rinetd.conf.anondist'
'/etc/network/interfaces.whonix'
'/usr/share/anon-torchat/.torchat/torchat.ini'
)
# sed search and replace. return 0 if replace happened, otherwise 1
search_replace() {
local search="${1}"
local replace="${2}"
local file="${3}"
local retval=1
if ! [ -L "${file}" ]; then
ls_attrs="$(lsattr "${file}")"
ls_attrs=${ls_attrs:4:1}
if [ "${ls_attrs}" == "i" ]; then
chattr -i "${file}"
fi
fi
sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
retval=$?
if [ "${ls_attrs}" = "i" ]; then
chattr +i "${file}"
fi
return $retval
}
function replace_ips()
{
local search_ip="${1}"
local replace_ip="${2}"
local files=("${!3}")
local retval=1
# If IP is 10.152.152.10, network is 10.152.152.0
search_network="${search_ip%[.]*}.0"
replace_network="${replace_ip%[.]*}.0"
if ! [ "${search_ip}" = "${replace_ip}" ]; then
for file in "${files[@]}"; do
if [ -f "$file" ]; then
search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0
search_replace "${search_network}" "${replace_network}" "${file}" && retval=0
fi
done
fi
return $retval
}
update_ip() {
ip=${1}
echo "${ip}" > /etc/whonix-netvm-gateway
grep '^DisableNetwork 0$' /etc/tor/torrc && {
service tor status && {
service tor reload || true;
}
}
}
if [ "${WHONIX}" == "gateway" ]; then
ip="$(xenstore-read qubes-netvm-gateway)"
if [ x${ip} != x ]; then
# Compare to current IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}"
# Do again; checking for original 10.152.152.10 incase of update
replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}"
# Do again; checking for original 10.152.152.11 incase of update
replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}"
fi
elif [ "${WHONIX}" == "workstation" ]; then
ip="$(xenstore-read qubes-ip)"
gateway="$(xenstore-read qubes-gateway)"
if [ x${ip} != x ]; then
# Compare to current IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
# Do again; checking for original 10.152.152.11 incase of update
replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
fi
if [ x${gateway} != x ]; then
# Compare to current gateway IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
# Do again; checking for original 10.152.152.10 incase of update
replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
fi
fi

18
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/whonixcheck.service Normal file
View File

@ -0,0 +1,18 @@
[Unit]
Description=Checks many important aspects of Whonix.
After=syslog.target network.target
[Service]
Type=forking
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/run/whonixcheck
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonixcheck
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonix/whonixblog
ExecStart=/usr/lib/whonixcheckdaemon
PIDFile=/var/run/whonixcheck.pid
User=user
Group=user
UMask=0007
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

9
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/messages.yaml Normal file
View File

@ -0,0 +1,9 @@
update:
icon: Critical
en:
title: Tor netvm required for updates
message: |
<p><B>Tor netvm required for updates!</B></p>
<p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
<p>No updates are possible without an active (running) Whonix gateway VM.</p>

41
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup Executable file
View File

@ -0,0 +1,41 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if ! [ "${WHONIX}" == "template" ]; then
sudo /usr/lib/whonix/bind-dirs.sh
fi
if [ "${WHONIX}" == "gateway" ]; then
if grep "^DisableNetwork 0$" /etc/tor/torrc ;then
sudo service sdwdate restart
sudo service tor restart
else
sudo service sdwdate restart
sudo service tor stop
sudo /usr/bin/whonixsetup
fi
elif [ "${WHONIX}" == "workstation" ]; then
sudo service sdwdate restart
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
sudo /usr/bin/whonixsetup
fi
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
# Set secure defaults.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
# Flush old rules.
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
# Display warning that netvm is not connected to a torvm
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
fi

94
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/utility_functions Executable file
View File

@ -0,0 +1,94 @@
#!/bin/bash
# /etc/uwt.d/50_uwt_default relies on this in order to allow connection
# to proxy for template
PROXY_SERVER="http://10.137.255.254:8082/"
PROXY_META='<meta name=\"application-name\" content=\"tor proxy\"\/>'
if [ -f "/var/run/qubes-service/updates-proxy-setup" ]; then
WHONIX="template"
elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
WHONIX="gateway"
elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
WHONIX="workstation"
else
WHONIX="unknown"
fi
if [ "${WHONIX}" == "template" ]; then
curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}" && {
PROXY_SECURE=1
} || {
PROXY_SECURE=0
}
fi
immutableFilesEnable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
sudo chattr +i "${file}${suffix}"
fi
done
}
immutableFilesDisable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
sudo chattr -i "${file}${suffix}"
fi
done
}
copyAnondist() {
file="${1}"
suffix="${2-.anondist}"
# Remove any softlinks first
if [ -L "${file}" ]; then
sudo rm -f "${file}"
fi
if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
sudo chattr -i "${file}"
sudo rm -f "${file}"
sudo cp -p "${file}${suffix}" "${file}"
sudo chattr +i "${file}"
elif ! [ -f "${file}" ]; then
sudo cp -p "${file}${suffix}" "${file}"
sudo chattr +i "${file}"
fi
}
# Will only enable / disable if service is not already in that state
enable_sysv() {
servicename=${1}
disable=${2-0}
# Check to see if the service is already enabled and if not, enable it
string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}"
if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then
case ${disable} in
0)
echo "${1} is currently disabled; enabling it"
sudo systemctl --quiet enable ${servicename}
;;
1)
echo "${1} is currently enabled; disabling it"
sudo service ${servicename} stop
sudo systemctl --quiet disable ${servicename}
;;
esac
fi
}
disable_sysv() {
enable_sysv ${1} 1
}

1
scripts_debian/wheezy+whonix-gateway/packages_wheezy.list Symbolic link
View File

@ -0,0 +1 @@
../wheezy+whonix/packages_wheezy.list

1
scripts_debian/wheezy+whonix-workstation/00_prepare_pre.sh Symbolic link
View File

@ -0,0 +1 @@
../wheezy+whonix/00_prepare_pre.sh

1
scripts_debian/wheezy+whonix-workstation/01_install_core_post.sh Symbolic link
View File

@ -0,0 +1 @@
../wheezy+whonix/01_install_core_post.sh

1
scripts_debian/wheezy+whonix-workstation/02_install_groups_packages_installed.sh Symbolic link
View File

@ -0,0 +1 @@
../wheezy+whonix/02_install_groups_packages_installed.sh

1
scripts_debian/wheezy+whonix-workstation/04_install_qubes_post.sh Symbolic link
View File

@ -0,0 +1 @@
../wheezy+whonix/04_install_qubes_post.sh

1
scripts_debian/wheezy+whonix-workstation/09_cleanup_post.sh Symbolic link
View File

@ -0,0 +1 @@
../wheezy+whonix/09_cleanup_post.sh

30
scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh Executable file
View File

@ -0,0 +1,30 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# whonix-netvm-gateway contains last known IP used to search and replace
# ------------------------------------------------------------------------------
if [ -f "${INSTALLDIR}/tmp/.whonix_prepared" -a ! -f "${INSTALLDIR}/tmp/.whonix_custom_configurations" ]; then
# --------------------------------------------------------------------------
# Install Custom Configurations
# --------------------------------------------------------------------------
echo "10.152.152.11" > "${INSTALLDIR}/etc/whonix-ip"
echo "10.152.152.10" > "${INSTALLDIR}/etc/whonix-netvm-gateway"
touch "${INSTALLDIR}/tmp/.whonix_custom_configurations"
fi

224
scripts_debian/wheezy+whonix-workstation/files/.facl Normal file
View File

@ -0,0 +1,224 @@
# file: .
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd/system
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: lib/systemd/system/qubes-whonix-firewall.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: lib/systemd/system/qubes-whonix-network.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: lib/systemd/system/qubes-whonix-init.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/hosts
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/uwt.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/uwt.d/50_uwt_default
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/xdg
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/autostart
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/autostart/qubes-whonixsetup.desktop
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/hostname
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/sudoers.d
# owner: root
# group: root
user::rwx
group::r-x
other::---
# file: etc/sudoers.d/whonix-build
# owner: root
# group: root
user::r--
group::r--
other::---
# file: .facl
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/utility_functions
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/bind-dirs.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/qubes-whonix-firewall.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/replace-ips
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/init.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/network-proxy-setup.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/messages.yaml
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/alert
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/qubes-whonixsetup
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/enable-iptables-logging.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

1
scripts_debian/wheezy+whonix-workstation/files/etc/hostname Normal file
View File

@ -0,0 +1 @@
host

7
scripts_debian/wheezy+whonix-workstation/files/etc/hosts Normal file
View File

@ -0,0 +1,7 @@
## Anonymity Distribution /etc/hosts
## Anonymity Distribution specific
127.0.0.1 host.localdomain host
## End of Anonymity Distribution specific
## End of Anonymity Distribution /etc/hosts

1
scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/whonix-build Normal file
View File

@ -0,0 +1 @@
user ALL=(ALL) NOPASSWD: ALL

6
scripts_debian/wheezy+whonix-workstation/files/etc/uwt.d/50_uwt_default Normal file
View File

@ -0,0 +1,6 @@
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "1" ]; then
uwtwrapper["/usr/bin/apt-get"]="0"
fi

8
scripts_debian/wheezy+whonix-workstation/files/etc/xdg/autostart/qubes-whonixsetup.desktop Normal file
View File

@ -0,0 +1,8 @@
## This file is part of Whonix.
## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
[Desktop Entry]
Type=Application
Terminal=false
Exec=/usr/lib/whonix/qubes-whonixsetup

12
scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service Normal file
View File

@ -0,0 +1,12 @@
[Unit]
Description=Qubes Whonix firewall updater
After=qubes-whonix-network.service
Before=network.target
[Service]
ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
Alias=qubes-firewall.service

13
scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service Normal file
View File

@ -0,0 +1,13 @@
[Unit]
Description=Qubes Whonix initialization script
After=qubes-whonix-network.service
Before=qubes-whonix-firewall.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/whonix/init/init.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

15
scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service Normal file
View File

@ -0,0 +1,15 @@
[Unit]
Description=Qubes Whonix network proxy setup
ConditionPathExists=/var/run/qubes-service/qubes-network
Before=network.target
After=iptables.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
Alias=qubes-network.service

90
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/alert Executable file
View File

@ -0,0 +1,90 @@
#!/usr/bin/python
#
# Copyright 2014 Jason Mehring (nrgaway@gmail.com)
#
from PyQt4 import QtGui
import locale
import yaml
DEFAULT_LANG = 'en'
class Messages():
filename = None
data = None
language = DEFAULT_LANG
title = None
icon = None
message = None
def __init__(self, section, filename):
self.filename = filename
language = locale.getdefaultlocale()[0].split('_')[0]
if language:
self.language = language
try:
stream = file(filename, 'r')
data = yaml.load(stream)
if section in data.keys():
section = data[section]
self.icon = section.get('icon', None)
language = section.get(self.language, DEFAULT_LANG)
self.title = language.get('title', None)
self.message = language.get('message', None)
except (IOError):
pass
except (yaml.scanner.ScannerError, yaml.parser.ParserError):
pass
class WhonixMessageBox(QtGui.QMessageBox):
def __init__(self, message):
super(WhonixMessageBox, self).__init__()
self.message = message
self.initUI()
def initUI(self):
message = self.message
if message.title:
self.setWindowTitle(message.title)
if message.icon:
self.setIcon(getattr(QtGui.QMessageBox, message.icon))
if message.message:
self.setText(message.message)
self.exec_()
import argparse
import sys
def main():
parser = argparse.ArgumentParser(description='Display a QT Message Box')
parser.add_argument('section', help="Message section")
parser.add_argument('filename', help="File including full path")
args = parser.parse_args()
if not args.filename and args.section:
print parser.usage()
sys.exit(1)
app = QtGui.QApplication(sys.argv)
message = Messages(args.section, args.filename)
dialog = WhonixMessageBox(message)
sys.exit()
if __name__ == "__main__":
main()

58
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh Executable file
View File

@ -0,0 +1,58 @@
#!/bin/bash
#
# To umount all binds, just pass any arg in $1
#
. /usr/lib/whonix/utility_functions
# Don't run if started as a template
if ! [ "${WHONIX}" == "template" ]; then
# Array of directories to bind
BINDS=(
'/rw/srv/whonix/root/.whonix:/root/.whonix'
'/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
'/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
'/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
'/rw/srv/whonix/etc/tor:/etc/tor'
)
for bind in ${BINDS[@]}; do
rw_dir="${bind%%:*}"
ro_dir="${bind##*:}"
# Make sure ro directory is not mounted
umount "${ro_dir}" 2> /dev/null || true
if [ -n "${1}" ]; then
echo "Umounting only..."
exit 0
fi
# Make sure ro directory exists
if ! [ -d "${ro_dir}" ]; then
mkdir -p "${ro_dir}"
fi
# Initially copy over data directories to /rw if rw directory does not exist
if ! [ -d "${rw_dir}" ]; then
mkdir -p "${rw_dir}"
rsync -hax "${ro_dir}/." "${rw_dir}"
fi
# Bind the directory
sync
mount --bind "${rw_dir}" "${ro_dir}"
done
sync
fi
if [ "${WHONIX}" == "gateway" ]; then
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi
exit 0

30
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh Executable file
View File

@ -0,0 +1,30 @@
#!/bin/bash
# Check /var/log/kern.log for logging results
LOG_IP4=1
LOG_IP6=0
# for IPv4
if [ "$LOG_IP4" == "1" ]; then
iptables -t raw -A OUTPUT -p icmp -j TRACE
iptables -t raw -A PREROUTING -p icmp -j TRACE
modprobe ipt_LOG
fi
# for IPv6
if [ "$LOG_IP6" == "1" ]; then
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
modprobe ip6t_LOG
fi
# Redirect local port to remote via socat
#apt-get install socat
#socat TCP4-LISTEN:8082,fork,mode=0666,user=root,group=root TCP4:10.137.255.254:8082
#
# Works
# localhost/loopback maps localhost port 8082 to localhost port 8888
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888

30
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh Executable file
View File

@ -0,0 +1,30 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" != "template" ]; then
# Files that will have the immutable bit set
# since we don't want them modified by other programs
IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname'
'/etc/hosts'
)
# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/init/replace-ips
# Make sure hostname is correct
/bin/hostname host
fi

57
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh Executable file
View File

@ -0,0 +1,57 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
INTERFACE="eth1"
if [ "${WHONIX}" == "gateway" ]; then
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Setup Xen / Qubes proxy
network=$(xenstore-read qubes-netvm-network 2>/dev/null)
if [ "x$network" != "x" ]; then
gateway=$(xenstore-read qubes-netvm-gateway)
netmask=$(xenstore-read qubes-netvm-netmask)
secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
modprobe netbk 2> /dev/null || modprobe xen-netback
echo "NS1=$gateway" > /var/run/qubes/qubes-ns
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
#/usr/lib/qubes/qubes-setup-dnat-to-ns
echo "0" > /proc/sys/net/ipv4/ip_forward
/sbin/ethtool -K eth0 sg off || :
fi
# Now, assign it the netvm-gateway IP address
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
if [ x${ip} != x ]; then
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
/sbin/ip link add ${INTERFACE} type dummy
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off || true
/sbin/ethtool -K ${INTERFACE} tx off || true
ip link set ${INTERFACE} up
fi
echo "0" > /proc/sys/net/ipv4/ip_forward
# Allow whonix-gateway to act as an update-proxy
touch /var/run/qubes-service/qubes-updates-proxy
# Search and replace tinyproxy error files so we can inject code that
# we can use to identify that its a tor proxy so updates are secure
error_file="/usr/share/tinyproxy/default.html"
grep -q "${PROXY_META}" "${error_file}" || {
sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
}
fi

49
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh Executable file
View File

@ -0,0 +1,49 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Make sure IP forwarding is disabled
echo "0" > /proc/sys/net/ipv4/ip_forward
if [ "${WHONIX}" != "template" ]; then
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Start Whonix Firewall
if [ "${WHONIX}" == "gateway" ]; then
export INT_IF="vif+"
export INT_TIF="vif+"
# Inject custom firewall rules into whonix_firewall
sed -i -f - /usr/bin/whonix_firewall <<-EOF
/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
## IPv4 DROP INVALID INCOMING PACKAGES \\
## \\
## --- THE FOLLOWING WS INJECTED --- \\
## Qubes Tiny Proxy Updater \\
iptables -t nat -N PR-QBS-SERVICES \\
iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:53 \\
iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to ${ip}:9040 \\
\\
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
# Allows localhost access to tor network \\
#iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
######################################
EOF
fi
# Load the firewall
# XXX: TODO: Take down all network accesss if firewall fails
/usr/bin/whonix_firewall
systemctl restart qubes-updates-proxy.service
fi

118
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/replace-ips Executable file
View File

@ -0,0 +1,118 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
# Search though files and updates IP address to the current
# IP address(es)
FILES=(
'/usr/lib/leaktest-workstation/simple_ping.py'
'/usr/lib/whonixcheck/preparation'
'/usr/share/anon-kde-streamiso/share/config/kioslaverc'
'/usr/bin/whonix_firewall'
'/etc/whonix_firewall.d/30_default'
'/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh'
'/usr/bin/uwt'
'/etc/uwt.d/30_uwt_default'
'/usr/share/tor/tor-service-defaults-torrc.anondist'
'/usr/bin/update-torbrowser'
'/etc/network/interfaces.whonix'
'/etc/resolv.conf.anondist'
'/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin'
'/etc/rinetd.conf.anondist'
'/etc/network/interfaces.whonix'
'/usr/share/anon-torchat/.torchat/torchat.ini'
)
# sed search and replace. return 0 if replace happened, otherwise 1
search_replace() {
local search="${1}"
local replace="${2}"
local file="${3}"
local retval=1
if ! [ -L "${file}" ]; then
ls_attrs="$(lsattr "${file}")"
ls_attrs=${ls_attrs:4:1}
if [ "${ls_attrs}" == "i" ]; then
chattr -i "${file}"
fi
fi
sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
retval=$?
if [ "${ls_attrs}" = "i" ]; then
chattr +i "${file}"
fi
return $retval
}
function replace_ips()
{
local search_ip="${1}"
local replace_ip="${2}"
local files=("${!3}")
local retval=1
# If IP is 10.152.152.10, network is 10.152.152.0
search_network="${search_ip%[.]*}.0"
replace_network="${replace_ip%[.]*}.0"
if ! [ "${search_ip}" = "${replace_ip}" ]; then
for file in "${files[@]}"; do
if [ -f "$file" ]; then
search_replace "${search_ip}" "${replace_ip}" "${file}" && retval=0
search_replace "${search_network}" "${replace_network}" "${file}" && retval=0
fi
done
fi
return $retval
}
update_ip() {
ip=${1}
echo "${ip}" > /etc/whonix-netvm-gateway
grep '^DisableNetwork 0$' /etc/tor/torrc && {
service tor status && {
service tor reload || true;
}
}
}
if [ "${WHONIX}" == "gateway" ]; then
ip="$(xenstore-read qubes-netvm-gateway)"
if [ x${ip} != x ]; then
# Compare to current IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${ip}" FILES[@] && update_ip "${ip}"
# Do again; checking for original 10.152.152.10 incase of update
replace_ips "10.152.152.10" "${ip}" FILES[@] && update_ip "${ip}"
# Do again; checking for original 10.152.152.11 incase of update
replace_ips "10.152.152.11" "${ip}" FILES[@] && update_ip "${ip}"
fi
elif [ "${WHONIX}" == "workstation" ]; then
ip="$(xenstore-read qubes-ip)"
gateway="$(xenstore-read qubes-gateway)"
if [ x${ip} != x ]; then
# Compare to current IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
# Do again; checking for original 10.152.152.11 incase of update
replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
fi
if [ x${gateway} != x ]; then
# Compare to current gateway IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
# Do again; checking for original 10.152.152.10 incase of update
replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
fi
fi

9
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/messages.yaml Normal file
View File

@ -0,0 +1,9 @@
update:
icon: Critical
en:
title: Tor netvm required for updates
message: |
<p><B>Tor netvm required for updates!</B></p>
<p>Please ensure your template vm has a Whonix gateway as it's VM.</p>
<p>No updates are possible without an active (running) Whonix gateway VM.</p>

41
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup Executable file
View File

@ -0,0 +1,41 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if ! [ "${WHONIX}" == "template" ]; then
sudo /usr/lib/whonix/bind-dirs.sh
fi
if [ "${WHONIX}" == "gateway" ]; then
if grep "^DisableNetwork 0$" /etc/tor/torrc ;then
sudo service sdwdate restart
sudo service tor restart
else
sudo service sdwdate restart
sudo service tor stop
sudo /usr/bin/whonixsetup
fi
elif [ "${WHONIX}" == "workstation" ]; then
sudo service sdwdate restart
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
sudo /usr/bin/whonixsetup
fi
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
# Set secure defaults.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT DROP
# Flush old rules.
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
# Display warning that netvm is not connected to a torvm
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
fi

94
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/utility_functions Executable file
View File

@ -0,0 +1,94 @@
#!/bin/bash
# /etc/uwt.d/50_uwt_default relies on this in order to allow connection
# to proxy for template
PROXY_SERVER="http://10.137.255.254:8082/"
PROXY_META='<meta name=\"application-name\" content=\"tor proxy\"\/>'
if [ -f "/var/run/qubes-service/updates-proxy-setup" ]; then
WHONIX="template"
elif [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
WHONIX="gateway"
elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
WHONIX="workstation"
else
WHONIX="unknown"
fi
if [ "${WHONIX}" == "template" ]; then
curl.anondist-orig "${PROXY_SERVER}" | grep -q "${PROXY_META}" && {
PROXY_SECURE=1
} || {
PROXY_SECURE=0
}
fi
immutableFilesEnable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
sudo chattr +i "${file}${suffix}"
fi
done
}
immutableFilesDisable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
sudo chattr -i "${file}${suffix}"
fi
done
}
copyAnondist() {
file="${1}"
suffix="${2-.anondist}"
# Remove any softlinks first
if [ -L "${file}" ]; then
sudo rm -f "${file}"
fi
if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
sudo chattr -i "${file}"
sudo rm -f "${file}"
sudo cp -p "${file}${suffix}" "${file}"
sudo chattr +i "${file}"
elif ! [ -f "${file}" ]; then
sudo cp -p "${file}${suffix}" "${file}"
sudo chattr +i "${file}"
fi
}
# Will only enable / disable if service is not already in that state
enable_sysv() {
servicename=${1}
disable=${2-0}
# Check to see if the service is already enabled and if not, enable it
string="/etc/rc$(runlevel | awk '{ print $2 }').d/S[0-9][0-9]${servicename}"
if [ $(find $string 2>/dev/null | wc -l) -eq ${disable} ] ; then
case ${disable} in
0)
echo "${1} is currently disabled; enabling it"
sudo systemctl --quiet enable ${servicename}
;;
1)
echo "${1} is currently enabled; disabling it"
sudo service ${servicename} stop
sudo systemctl --quiet disable ${servicename}
;;
esac
fi
}
disable_sysv() {
enable_sysv ${1} 1
}

1
scripts_debian/wheezy+whonix-workstation/packages_wheezy.list Symbolic link
View File

@ -0,0 +1 @@
../wheezy+whonix/packages_wheezy.list

73
scripts_debian/wheezy+whonix/00_prepare_pre.sh Executable file
View File

@ -0,0 +1,73 @@
#!/bin/bash -x
# vim: set ts=4 sw=4 sts=4 et :
################################################################################
# Allows a pre-built image to be used (if it exists) for installing
# Whonix. This option is useful only for debugging Whonix installations
#
# To use, first create a regualr wheezy template and manually copy the prepared
# image to debian-7-x64-prepard.img
#
# Example:
# cp ~/qubes-builder/qubes-src/linux-template-builder/prepared_images/debian-7-x64.img ~/qubes-builder/qubes-src/linux-template-builder/prepared_images/debian-7-x64-whonix-gateway-prepard.img
################################################################################
# ------------------------------------------------------------------------------
# Return if SNAPSHOT is not "1"
# ------------------------------------------------------------------------------
# This script is only used if SNAPSHOT is set
if [ ! "${SNAPSHOT}" == "1" ]; then
exit 0
fi
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
INSTALLDIR="$(readlink -m mnt)"
# ------------------------------------------------------------------------------
# Use a snapshot of the debootstraped debian image to install Whonix (for DEBUGGING)
# ------------------------------------------------------------------------------
manage_snapshot() {
umount_kill "${INSTALLDIR}" || :
mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1
# Remove old snapshots if whonix completed
if [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then
warn "Removing stale snapshots"
umount_kill "${INSTALLDIR}" || :
rm -rf "$debootstrap_snapshot"
rm -rf "$updated_snapshot"
return
fi
warn "Copying $1 to ${IMG}"
mount -o loop "$1" "${INSTALLDIR}" || exit 1
rm -f "${INSTALLDIR}/tmp/.prepared_groups"
umount_kill "${INSTALLDIR}" || :
cp -f "$1" "${IMG}"
}
splitPath "${IMG}" path_parts
debootstrap_snapshot="${path_parts[dir]}${path_parts[base]}-debootstrap${path_parts[dotext]}"
updated_snapshot="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}"
if [ -f "$updated_snapshot" ]; then
manage_snapshot "$updated_snapshot"
elif [ -f "$debootstrap_snapshot" ]; then
manage_snapshot "$debootstrap_snapshot"
fi

38
scripts_debian/wheezy+whonix/01_install_core_post.sh Executable file
View File

@ -0,0 +1,38 @@
#!/bin/sh
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Return if SNAPSHOT is not "1"
# ------------------------------------------------------------------------------
# This script is only used if SNAPSHOT is set
if [ ! "${SNAPSHOT}" == "1" ]; then
exit 0
fi
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# Create a snapshot of the already debootstraped image
# ------------------------------------------------------------------------------
splitPath "${IMG}" path_parts
PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-debootstrap${path_parts[dotext]}"
if ! [ -f "${PREPARED_IMG}" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then
umount_kill "${INSTALLDIR}" || :
warn "Copying ${IMG} to ${PREPARED_IMG}"
cp -f "${IMG}" "${PREPARED_IMG}"
mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1
fi

310
scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh Executable file
View File

@ -0,0 +1,310 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# XXX: Create a snapshot - Only for DEBUGGING!
# ------------------------------------------------------------------------------
# Only execute if SNAPSHOT is set
if [ "${SNAPSHOT}" == "1" ]; then
splitPath "${IMG}" path_parts
PREPARED_IMG="${path_parts[dir]}${path_parts[base]}-updated${path_parts[dotext]}"
if ! [ -f "${PREPARED_IMG}" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
umount_kill "${INSTALLDIR}" || :
warn "Copying ${IMG} to ${PREPARED_IMG}"
cp -f "${IMG}" "${PREPARED_IMG}"
mount -o loop "${IMG}" "${INSTALLDIR}" || exit 1
for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "${INSTALLDIR}/$fs"; done
fi
fi
# ------------------------------------------------------------------------------
# chroot Whonix build script
# ------------------------------------------------------------------------------
read -r -d '' WHONIX_BUILD_SCRIPT <<'EOF' || true
################################################################################
# Pre Fixups
sudo mkdir -p /boot/grub2
sudo touch /boot/grub2/grub.cfg
sudo mkdir -p /boot/grub
sudo touch /boot/grub/grub.cfg
sudo mkdir --parents --mode=g+rw "/tmp/uwt"
# Whonix seems to re-install sysvinit even though there is a hold
# on the package. Things seem to work anyway. BUT hopfully the
# hold on grub* don't get removed
sudo apt-mark hold sysvinit
sudo apt-mark hold grub-pc grub-pc-bin grub-common grub2-common
# Whonix expects haveged to be started
sudo /etc/init.d/haveged start
# Whonix does not always fix permissions after writing as sudo, especially
# when running whonixsetup so /var/lib/whonix/done_once is not readable by
# user, so set defualt umask for sudo
#sudo su -c 'echo "Defaults umask = 0002" >> /etc/sudoers'
#sudo su -c 'echo "Defaults umask_override" >> /etc/sudoers'
################################################################################
# Whonix installation
export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1"
pushd ~/Whonix
sudo ~/Whonix/whonix_build \
--build $1 \
--64bit-linux \
--current-sources \
--enable-whonix-apt-repository \
--whonix-apt-repository-distribution $2 \
--install-to-root \
--skip-verifiable \
--minimal-report \
--skip-sanity-tests || { exit 1; }
popd
EOF
# ------------------------------------------------------------------------------
# Cleanup function
# ------------------------------------------------------------------------------
function cleanup() {
error "Whonix error; umounting ${INSTALLDIR} to prevent further writes"
umount_kill "${INSTALLDIR}" || :
exit 1
}
trap cleanup ERR
trap cleanup EXIT
# ------------------------------------------------------------------------------
# Mount devices, etc required for Whonix installation
# ------------------------------------------------------------------------------
if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
info "Preparing Whonix system"
# --------------------------------------------------------------------------
# Initialize Whonix submodules
# --------------------------------------------------------------------------
pushd "${WHONIX_DIR}"
{
git add Makefile || true
git commit Makefile -m 'Added Makefile' || true
su $(logname) -c "git submodule update --init --recursive";
}
popd
# --------------------------------------------------------------------------
# Fake grub installation since Whonix has depends on grub-pc
# --------------------------------------------------------------------------
mkdir -p "${INSTALLDIR}/boot/grub"
cp "${INSTALLDIR}/usr/lib/grub/i386-pc/"* "${INSTALLDIR}/boot/grub"
rm -f "${INSTALLDIR}/usr/sbin/update-grub"
chroot "${INSTALLDIR}" ln -s /bin/true /usr/sbin/update-grub
# --------------------------------------------------------------------------
# sed search and replace. return 0 if replace happened, otherwise 1
# --------------------------------------------------------------------------
search_replace() {
local search="$1"
local replace="$2"
local file="$3"
sed -i.bak '/'"$search"'/,${s//'"$replace"'/;b};$q1' "$file"
}
# --------------------------------------------------------------------------
# Whonix system config dependancies
# --------------------------------------------------------------------------
# Qubes needs a user named 'user'
debug "Whonix Add user"
chroot "${INSTALLDIR}" id -u 'user' >/dev/null 2>&1 || \
{
# UID needs match host user to have access to Whonix sources
chroot "${INSTALLDIR}" groupadd -f user
[ -n "$SUDO_UID" ] && USER_OPTS="-u $SUDO_UID"
chroot "${INSTALLDIR}" useradd -g user $USER_OPTS -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
if [ `chroot "${INSTALLDIR}" id -u user` != 1000 ]; then
chroot "${INSTALLDIR}" useradd -g user -u 1000 -M -s /bin/bash user-placeholder
fi
}
# Install Whonix build scripts
echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build.sh"
chmod 0755 "${INSTALLDIR}/home/user/whonix_build.sh"
# ------------------------------------------------------------------------------
# Copy over any extra files
# ------------------------------------------------------------------------------
copyTree "files"
touch "${INSTALLDIR}/tmp/.whonix_prepared"
fi
# ------------------------------------------------------------------------------
# Install Whonix
# ------------------------------------------------------------------------------
if [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_installed" ]; then
info "Installing Whonix system"
# --------------------------------------------------------------------------
# Install Whonix code base
# --------------------------------------------------------------------------
if ! [ -d "${INSTALLDIR}/home/user/Whonix" ]; then
debug "Installing Whonix build environment..."
chroot "${INSTALLDIR}" su user -c 'mkdir /home/user/Whonix'
fi
if [ -d "${INSTALLDIR}/home/user/Whonix" ]; then
debug "Building Whonix..."
mount --bind "../Whonix" "${INSTALLDIR}/home/user/Whonix"
fi
if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then
BUILD_TYPE="--torgateway"
elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then
BUILD_TYPE="--torworkstation"
else
error "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules"
error "You need to set TEMPLATE_FLAVOR environment variable to either"
error "whonix-gateway OR whonix-workstation"
exit 1
fi
chroot "${INSTALLDIR}" su user -c "cd ~; ./whonix_build.sh ${BUILD_TYPE} ${DIST}" || { exit 1; }
touch "${INSTALLDIR}/tmp/.whonix_installed"
fi
# ------------------------------------------------------------------------------
# Whonix Post Installation Configurations
# ------------------------------------------------------------------------------
if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.whonix_post" ]; then
info "Post Configuring Whonix System"
# Don't need Whonix interfaces; restore original
pushd "${INSTALLDIR}/etc/network"
{
rm -f interfaces;
ln -s interfaces.backup interfaces;
}
popd
# Qubes installation will need a normal resolv.conf; will be restored back
# in 04_qubes_install_post.sh within the wheezy+whonix-* directories
pushd "${INSTALLDIR}/etc"
{
rm -f resolv.conf;
cp -p resolv.conf.backup resolv.conf;
}
popd
# Remove link to hosts file and copy original back
# Will get set back to Whonix hosts file when the
# /usr/lib/whonix/setup-ip is run on startup
pushd "${INSTALLDIR}/etc"
{
rm -f hosts;
cp -p hosts.anondist-orig hosts;
}
popd
# Enable Tor
#if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then
# sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' "${INSTALLDIR}/etc/tor/torrc"
#fi
# Restore default user UID to have the same in all builds regardless of build host
if [ -n "`chroot "${INSTALLDIR}" id -u user-placeholder`" ]; then
chroot "${INSTALLDIR}" userdel user-placeholder
chroot "${INSTALLDIR}" usermod -u 1000 user
fi
# Enable aliases in .bashrc
sed -i "s/^# export/export/g" "${INSTALLDIR}/root/.bashrc"
sed -i "s/^# eval/eval/g" "${INSTALLDIR}/root/.bashrc"
sed -i "s/^# alias/alias/g" "${INSTALLDIR}/root/.bashrc"
sed -i "s/^#force_color_prompt/force_color_prompt/g" "${INSTALLDIR}/home/user/.bashrc"
sed -i "s/#alias/alias/g" "${INSTALLDIR}/home/user/.bashrc"
sed -i "s/alias l='ls -CF'/alias l='ls -l'/g" "${INSTALLDIR}/home/user/.bashrc"
# Fake that initializer was already run
mkdir -p "${INSTALLDIR}/root/.whonix"
touch "${INSTALLDIR}/root/.whonix/first_run_initializer.done"
# Prevent whonixcheck error
echo 'WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER="1"' >> "${INSTALLDIR}/etc/whonix.d/30_whonixcheck_default"
# Use gdialog as an alternative for dialog
mv -f "${INSTALLDIR}/usr/bin/dialog" "${INSTALLDIR}/usr/bin/dialog.dist"
chroot "${INSTALLDIR}" update-alternatives --force --install /usr/bin/dialog dialog /usr/bin/gdialog 999
# Disable unwanted applications
chroot "${INSTALLDIR}" update-rc.d network-manager disable || :
chroot "${INSTALLDIR}" update-rc.d spice-vdagent disable || :
chroot "${INSTALLDIR}" update-rc.d swap-file-creator disable || :
chroot "${INSTALLDIR}" update-rc.d whonix-initializer disable || :
chroot "${INSTALLDIR}" service apt-cacher-ng stop || :
chroot "${INSTALLDIR}" update-rc.d apt-cacher-ng disable || :
# Tor will be re-enabled upon initial configuration
chroot "${INSTALLDIR}" update-rc.d tor disable || :
chroot "${INSTALLDIR}" update-rc.d sdwdate disable || :
# Remove apt-cacher-ng
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot ${INSTALLDIR} apt-get.anondist-orig -y --force-yes remove --purge apt-cacher-ng
# Remove original sources.list
rm -f "${INSTALLDIR}/etc/apt/sources.list"
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot ${INSTALLDIR} apt-get.anondist-orig update
touch "${INSTALLDIR}/tmp/.whonix_post"
fi
# ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor scripts
# ------------------------------------------------------------------------------
buildStep "99_custom_configuration.sh"
# ------------------------------------------------------------------------------
# Bring back original apt-get for installation of Qubues
# ------------------------------------------------------------------------------
pushd "${INSTALLDIR}/usr/bin"
{
rm -f apt-get;
cp -p apt-get.anondist-orig apt-get;
}
popd
# ------------------------------------------------------------------------------
# Make sure the temporary policy-rc.d to prevent apt from starting services
# on package installation is still active; Whonix may have reset it
# ------------------------------------------------------------------------------
cat > "${INSTALLDIR}/usr/sbin/policy-rc.d" <<EOF
#!/bin/sh
return 101 # Action forbidden by policy
EOF
chmod 755 "${INSTALLDIR}/usr/sbin/policy-rc.d"
# ------------------------------------------------------------------------------
# Leave cleanup to calling function
# ------------------------------------------------------------------------------
trap - ERR EXIT
trap

59
scripts_debian/wheezy+whonix/04_install_qubes_post.sh Executable file
View File

@ -0,0 +1,59 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
#
# Whonix Post Install Steps (after qubes install)
#
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# Enable Qubes-Whonix services
# ------------------------------------------------------------------------------
chroot "${INSTALLDIR}" systemctl disable qubes-whonix-network.service || :
chroot "${INSTALLDIR}" systemctl enable qubes-whonix-network.service || :
chroot "${INSTALLDIR}" systemctl disable qubes-whonix-firewall.service || :
chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall.service || :
chroot "${INSTALLDIR}" systemctl enable qubes-whonix-init.service || :
# ------------------------------------------------------------------------------
# Restore Whonix apt-get
# ------------------------------------------------------------------------------
pushd "${INSTALLDIR}/usr/bin"
{
rm -f apt-get;
cp -p apt-get.anondist apt-get;
}
popd
# ------------------------------------------------------------------------------
# Restore whonix resolv.conf
# ------------------------------------------------------------------------------
pushd "${INSTALLDIR}/etc"
{
rm -f resolv.conf;
cp -p resolv.conf.anondist resolv.conf;
}
popd
# ------------------------------------------------------------------------------
# Cleanup Whonix Installation
# ------------------------------------------------------------------------------
rm -rf "${INSTALLDIR}"/home/user/Whonix
rm -rf "${INSTALLDIR}"/home/user/whonix_binary
rm -f "${INSTALLDIR}"/home/user/whonix_fix
rm -f "${INSTALLDIR}"/home/user/whonix_build.sh

18
scripts_debian/wheezy+whonix/09_cleanup_post.sh Executable file
View File

@ -0,0 +1,18 @@
#!/bin/sh
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
rm -f "${INSTALLDIR}/etc/sudoers.d/whonix-build"

28
scripts_debian/wheezy+whonix/packages_wheezy.list Normal file
View File

@ -0,0 +1,28 @@
git
curl
sudo
locales
console-data
console-common
initramfs-tools
os-prober
bzip2
file
less
lsof
most
pciutils
strace
sysfsutils
usbutils
lsb-release
acpi-support-base
haveged
build-essential:native
gcc
fakeroot
lintian
rsync
grub-pc

Some files were not shown because too many files have changed in this diff Show More