Debian Wheezy template addition and refactoring to allow Whonix TEMPLATE_FLAVOR

This commit is contained in:
Jason Mehring 2014-10-14 12:02:12 -04:00
parent 009df31f74
commit 9e91084ef2
65 changed files with 4315 additions and 171 deletions


@ -0,0 +1 @@
gnome-terminal.desktop


@ -0,0 +1 @@
gnome-terminal.desktop


@ -0,0 +1 @@
gnome-terminal.desktop


@ -20,6 +20,7 @@ ls -als $IMG
mount -o loop $IMG mnt || exit 1
export INSTALLDIR=`pwd`/mnt/
echo "--> Cleaning up image file..."
$SCRIPTSDIR/09_cleanup.sh
echo "--> Compacting image file..."
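Review bot: The `$SCRIPTSDIR/09_cleanup.sh` call is left unquoted while this same commit quotes every other step invocation in prepare_image (`"$SCRIPTSDIR/00_prepare.sh"` and friends); `"$SCRIPTSDIR/09_cleanup.sh"` keeps the style consistent and survives a build path containing whitespace. Its exit status is also not checked, so whether a failed cleanup still proceeds to compaction depends on a `set -e` that is outside this hunk. The enclosing script starts and ends outside the hunk.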


@ -1,6 +1,10 @@
#!/bin/sh
#!/bin/bash
#XXX: use bash #!/bin/sh
export IMG=$1
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
export IMG="$1"
export LC_ALL=POSIX
RETCODE=0
@ -8,49 +12,70 @@ RETCODE=0
: ${DIST=fc14}
. ./builder_setup >/dev/null
. ./umount.sh >/dev/null
set -e
if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
set -x
else
set -e
fi
if ! [ $# -eq 1 ]; then
echo "usage $0 <img_file_name>"
exit
echo "usage $0 <img_file_name>"
exit
fi
if [ "$VERBOSE" == "1" ]; then
export YUM_OPTS="$YUM_OPTS -q"
export YUM_OPTS="$YUM_OPTS -q"
fi
# ------------------------------------------------------------------------------
# Prepare for mount
# ------------------------------------------------------------------------------
echo "-> Preparing instalation of $DIST template..."
$SCRIPTSDIR/00_prepare.sh
"$SCRIPTSDIR/00_prepare.sh"
if [ -f $IMG ]; then
echo "-> Image file already exists, assuming *update*..."
mount -o loop $IMG mnt || exit 1
export INSTALLDIR=`pwd`/mnt/
trap "umount $INSTALLDIR" EXIT
# ------------------------------------------------------------------------------
# Mount image and install core OS
# ------------------------------------------------------------------------------
if [ -f "$IMG" ]; then
echo "-> Image file already exists, assuming *update*..."
mount -o loop "$IMG" mnt || exit 1
export INSTALLDIR="`pwd`/mnt/"
trap "umount_image ${INSTALLDIR::-1}" EXIT
# XXX: Temp; just for debugging
if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then
"$SCRIPTSDIR/01_install_core.sh"
fi
else
echo "-> Initializing empty image..."
truncate -s 10G "$IMG" || exit 1
echo "-> Initializing empty image..."
truncate -s 10G $IMG || exit 1
echo "-> Creating filesystem..."
mkfs.ext4 -q -F "$IMG" || exit 1
echo "-> Creating filesystem..."
mkfs.ext4 -q -F $IMG || exit 1
mkdir -p mnt
mount -o loop "$IMG" mnt || exit 1
mkdir -p mnt
mount -o loop $IMG mnt || exit 1
export INSTALLDIR="`pwd`/mnt/"
trap "umount_image ${INSTALLDIR::-1}" EXIT
export INSTALLDIR=`pwd`/mnt/
trap "umount $INSTALLDIR" EXIT
$SCRIPTSDIR/01_install_core.sh
"$SCRIPTSDIR/01_install_core.sh"
fi
# ------------------------------------------------------------------------------
# Install package groups
# ------------------------------------------------------------------------------
echo "-> Installing package groups..."
$SCRIPTSDIR/02_install_groups.sh
"$SCRIPTSDIR/02_install_groups.sh"
# ------------------------------------------------------------------------------
# Cleanup
# ------------------------------------------------------------------------------
trap - EXIT
echo "-> Unmounting prepared_image..."
sudo umount $INSTALLDIR
umount_image "$INSTALLDIR" || :
exit $RETCODE
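Review bot: The new VERBOSE/DEBUG block at the top of the second hunk makes `set -x` and `set -e` mutually exclusive, so a debug run (VERBOSE>=2) carries on past a failed `00_prepare.sh` or `02_install_groups.sh`, reaches `umount_image`, and leaves a half-built image that the next run then treats as an update. `[ "$VERBOSE" -ge 2 -o ... ]` additionally prints 'integer expression expected' whenever VERBOSE is unset. Suggested replacement: `set -e` unconditionally, then `if [ "${VERBOSE:-0}" -ge 2 ] || [ "$DEBUG" = "1" ]; then set -x; fi`. The `trap "umount_image ${INSTALLDIR::-1}" EXIT` lines expand the path unquoted at trap-definition time; `trap 'umount_image "${INSTALLDIR%/}"' EXIT` defers expansion, keeps the path as one word, and uses a POSIX suffix strip instead of the bash-4.2-only `::-1` form.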


@ -1,81 +1,105 @@
#!/bin/sh
export CLEANIMG=$1
export NAME=$2
# ------------------------------------------------------------------------------
# Configurations and Conditionals
# ------------------------------------------------------------------------------
export CLEANIMG="$1"
export NAME="$2"
export LC_ALL=POSIX
. ./builder_setup >/dev/null
. ./umount.sh >/dev/null
set -e
#set -e
set -x
if [ $# -eq 0 ]; then
echo "usage $0 <clean_image_file> <template_name>"
exit
echo "usage $0 <clean_image_file> <template_name>"
exit
fi
if [ x$CLEANIMG = x ]; then
echo "Image file not specified!"
exit 1
if [ "x$CLEANIMG" = x ]; then
echo "Image file not specified!"
exit 1
fi
if [ x$NAME = x ]; then
echo "Name not given!"
exit 1
if [ "x$NAME" = x ]; then
echo "Name not given!"
exit 1
fi
ID=$(id -ur)
if [ $ID != 0 ] ; then
echo "This script should be run as root user."
exit 1
echo "This script should be run as root user."
exit 1
fi
if [ "$VERBOSE" == "1" ]; then
export YUM_OPTS="$YUM_OPTS -q"
export YUM_OPTS="$YUM_OPTS -q"
fi
# ------------------------------------------------------------------------------
# Cleanup function
# ------------------------------------------------------------------------------
function cleanup() {
if grep -q " $PWD/mnt/proc " /proc/mounts; then
umount mnt/proc
fi
if grep -q " $PWD/mnt " /proc/mounts; then
umount mnt
fi
umount_image "$PWD/mnt" || :
}
trap cleanup ERR
export IMG=qubeized_images/$NAME-root.img
echo "--> Copying $CLEANIMG to $IMG..."
cp $CLEANIMG $IMG || exit 1
# ------------------------------------------------------------------------------
# Mount qubeized_image
# ------------------------------------------------------------------------------
# NEW: continue installation from last point if UPDATE="false"
# if UPDATE does not exist (keep it backwards compatible for fedora script)
# - OR -
# update="true", copy over prepared image as normal
export IMG="qubeized_images/$NAME-root.img"
[ "$UPDATE" ] && UPDATE=$(echo $UPDATE | awk '{print tolower($0)}')
if [ "$IMG" -nt "$CLEANIMG" -a "$UPDATE" == "false" ]; then
echo "--> Using original $IMG... (UPDATE=false and qubized_image is newer than prepared_image)"
else
echo "--> Copying $CLEANIMG to $IMG..."
cp "$CLEANIMG" "$IMG" || exit 1
fi
echo "--> Mounting $IMG"
mkdir -p mnt
mount -o loop $IMG mnt || exit 1
mount -o loop "$IMG" mnt || exit 1
export INSTALLDIR=mnt
$SCRIPTSDIR/04_install_qubes.sh || { umount $INSTALLDIR; exit 1; }
# ------------------------------------------------------------------------------
# Run qubeize script
# ------------------------------------------------------------------------------
"$SCRIPTSDIR/04_install_qubes.sh" || { umount "$INSTALLDIR"; exit 1; }
# ------------------------------------------------------------------------------
# Create App Menus
# ------------------------------------------------------------------------------
echo "--> Copying the Apps Menu shortcuts..."
export APPSORIG=qubeized_images/$NAME-apps.orig
export APPSTEMPL=qubeized_images/$NAME-apps.templates
mkdir -p $APPSORIG
cp -r $(pwd)/mnt/usr/share/applications/* $APPSORIG
export APPSORIG="qubeized_images/$NAME-apps.orig"
export APPSTEMPL="qubeized_images/$NAME-apps.templates"
mkdir -p "$APPSORIG"
cp -r "$(pwd)"/mnt/usr/share/applications/* "$APPSORIG"
echo "--> Creating the Apps Menu templates..."
./create_apps_templates.sh $APPSORIG $APPSTEMPL
"./create_apps_templates.sh" "$APPSORIG" "$APPSTEMPL"
echo "--> Choosing appmenus whitelists..."
rm -f appmenus
if [ -d "appmenus_${DIST}_${TEMPLATE_FLAVOR}" ]; then
ln -s "appmenus_${DIST}_${TEMPLATE_FLAVOR}" appmenus
ln -s "appmenus_${DIST}_${TEMPLATE_FLAVOR}" appmenus
elif [ -d "appmenus_$DIST" ]; then
ln -s "appmenus_$DIST" appmenus
ln -s "appmenus_$DIST" appmenus
else
ln -s "appmenus_generic" appmenus
ln -s "appmenus_generic" appmenus
fi
# ------------------------------------------------------------------------------
# Link directories so they can be mounted
# ------------------------------------------------------------------------------
echo "--> Linking /home to /rw/home..."
mv mnt/home mnt/home.orig
ln -sf /rw/home mnt/home
@ -85,14 +109,17 @@ mv mnt/usr/local mnt/usr/local.orig
ln -sf /rw/usrlocal mnt/usr/local
if [ -e mnt/etc/sysconfig/i18n ]; then
echo "--> Setting up default locale..."
echo LC_CTYPE=en_US.UTF-8 > mnt/etc/sysconfig/i18n
echo "--> Setting up default locale..."
echo LC_CTYPE=en_US.UTF-8 > mnt/etc/sysconfig/i18n
fi
# ------------------------------------------------------------------------------
# Finsh - unmount image
# ------------------------------------------------------------------------------
echo "--> Unmounting $IMG"
umount mnt
cleanup
echo "Qubeized image stored at: $IMG"
echo "Reducing image size (calling cleanup_image)..."
./cleanup_image $IMG
./cleanup_image "$IMG"
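Review bot: `#set -e` together with an unconditional `set -x` near the top of the first hunk ships the script in its debugging state: with -e disabled, a failed `mv mnt/home mnt/home.orig`, the appmenu `cp`, or `create_apps_templates.sh` no longer aborts, and the script still reaches `cleanup_image` and reports 'Qubeized image stored at' for a broken image (`trap cleanup ERR` only unmounts; it does not stop execution). Restore `set -e` and gate tracing the same way prepare_image does in this commit: `set -e; if [ "${VERBOSE:-0}" -ge 2 ] || [ "$DEBUG" = "1" ]; then set -x; fi`. Separately, the failure path `"$SCRIPTSDIR/04_install_qubes.sh" || { umount "$INSTALLDIR"; exit 1; }` uses a plain `umount`, which fails with 'target is busy' if the /dev, /proc, /sys, /run bind mounts set up by 04_install_qubes.sh are still present; calling `cleanup` there (which goes through `umount_image`) would match the rest of the script. The file still starts with `#!/bin/sh` (context line 1) while relying on `function`, `==` and an ERR trap, which dash does not provide.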


@ -1,5 +1,49 @@
#!/bin/sh -x
#!/bin/bash -x
# vim: set ts=4 sw=4 sts=4 et :
# This script does nothing now.
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
. ./umount.sh >/dev/null
INSTALLDIR="`pwd`/mnt/"
umount_image "${INSTALLDIR::-1}" || :
# ------------------------------------------------------------------------------
# Set debug display
# ------------------------------------------------------------------------------
if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# Execute any custom pre configuration scripts
# ------------------------------------------------------------------------------
customStep "$0" "pre"
# ------------------------------------------------------------------------------
# Force overwrite of an existing image for now if debootstrap did not seem to complete...
# ------------------------------------------------------------------------------
if [ -f "$IMG" ]; then
mount -o loop "$IMG" "$INSTALLDIR" || exit 1
# Assume a failed debootstrap installation if .prepare_debootstrap does not exist
if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then
echo "-> Failed Image file $IMG already exists, deleting..."
rm -f "$IMG"
# Allow qubes to be updated
elif [ -f "$INSTALLDIR/tmp/.prepared_qubes" ]; then
rm "$INSTALLDIR/tmp/.prepared_qubes"
fi
# Umount image; don't fail if its already umounted
umount_image "${INSTALLDIR::-1}" || :
fi
# ------------------------------------------------------------------------------
# Execute any custom post configuration scripts
# ------------------------------------------------------------------------------
customStep "$0" "post"
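Review bot: `mount -o loop "$IMG" "$INSTALLDIR" || exit 1` assumes the `mnt` directory already exists, but prepare_image only runs `mkdir -p mnt` in its "Initializing empty image" branch, and it calls this script before that; on a fresh checkout with an image file already present (restored cache, copied build tree) the mount fails and the whole build exits 1 with no useful message. Add `mkdir -p "$INSTALLDIR"` before the mount. The VERBOSE/DEBUG block here has the same problem as in prepare_image — `set -e` is skipped whenever tracing is on, and the `-ge` test errors when VERBOSE is unset — so `set -e` should be unconditional. In the failed-debootstrap branch `rm -f "$IMG"` runs while the image is still loop-mounted and `umount_image` follows afterwards with `|| :`; this works only because Linux keeps the unlinked inode alive for the loop device, and unmounting before deleting would be the robust order. `customStep` is used without sourcing vars.sh or builder_setup here, so it presumably arrives as an exported function from the caller — a one-line comment stating that would make the dependency visible.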


@ -1,11 +1,35 @@
#!/bin/sh
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
. $SCRIPTSDIR/vars.sh
echo "-> Installing base debian system"
set -e
if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
set -x
fi
COMPONENTS="" debootstrap --arch=amd64 --include=ncurses-term \
--components=main --keyring=${SCRIPTSDIR}/debian-archive-keyring.gpg \
$DEBIANVERSION "$INSTALLDIR" http://http.debian.net/debian || { echo "Debootstrap failed!"; exit 1; }
# ------------------------------------------------------------------------------
# Execute any custom pre configuration scripts
# ------------------------------------------------------------------------------
customStep "$0" "pre"
# ------------------------------------------------------------------------------
# Install base debian system
# ------------------------------------------------------------------------------
if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then
echo "-> Installing base ${DEBIANVERSION} system"
COMPONENTS="" debootstrap --arch=amd64 --include=ncurses-term \
--components=main --keyring="${SCRIPTSDIR}/keys/debian-${DEBIANVERSION}-archive-keyring.gpg" \
"$DEBIANVERSION" "$INSTALLDIR" "$DEBIAN_MIRROR" || { echo "Debootstrap failed!"; exit 1; }
chroot "$INSTALLDIR" chmod 0666 "/dev/null"
touch "$INSTALLDIR/tmp/.prepared_debootstrap"
fi
# ------------------------------------------------------------------------------
# Execute any custom post configuration scripts
# ------------------------------------------------------------------------------
customStep "$0" "post"
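Review bot: `"$DEBIAN_MIRROR"` replaces the hard-coded http.debian.net URL, but nothing checks that it is set; an empty value is passed to debootstrap as a literal empty mirror argument and surfaces only as the generic 'Debootstrap failed!'. Add `: "${DEBIAN_MIRROR:?DEBIAN_MIRROR must be set (see vars.sh)}"` right after sourcing vars.sh. The per-release `keys/debian-${DEBIANVERSION}-archive-keyring.gpg` is the security-relevant part of this hunk — with an explicit `--keyring` debootstrap verifies the Release signature, which is what makes a plain-http mirror acceptable — so it deserves a comment such as `# Checked-in copy of the Debian archive keyring; debootstrap verifies Release against it, so update it when adding a release` plus a `[ -r "$KEYRING" ] || { echo "keyring missing"; exit 1; }` for a clearer failure than whatever debootstrap prints for a missing file.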


@ -1,57 +1,177 @@
#!/bin/sh
# vim: set ts=4 sw=4 sts=4 et :
. $SCRIPTSDIR/vars.sh
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
set -x
# Set up a temporary policy-rc.d to prevent apt from starting services
# on package installation
cat > $BUILDCHROOT/usr/sbin/policy-rc.d <<EOF
. $SCRIPTSDIR/vars.sh
. ./umount.sh >/dev/null
# ------------------------------------------------------------------------------
# If .prepared_debootstrap has not been completed, don't continue
# ------------------------------------------------------------------------------
if ! [ -f "$INSTALLDIR/tmp/.prepared_debootstrap" ]; then
echo "--> prepared_debootstrap installataion has not completed!... Exiting"
exit 1
fi
# ------------------------------------------------------------------------------
# Mount system mount points
# ------------------------------------------------------------------------------
for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "$INSTALLDIR/$fs"; done
# ------------------------------------------------------------------------------
# Execute any custom pre configuration scripts
# ------------------------------------------------------------------------------
customStep "$0" "pre"
if ! [ -f "$INSTALLDIR/tmp/.prepared_groups" ]; then
# ------------------------------------------------------------------------------
# Cleanup function
# ------------------------------------------------------------------------------
function error() {
echo "--> Install groups error and umount"
rm -f "$INSTALLDIR/usr/sbin/policy-rc.d"
umount_image "$INSTALLDIR" || :
exit 1
}
trap error ERR
trap error EXIT
# ------------------------------------------------------------------------------
# Set up a temporary policy-rc.d to prevent apt from starting services
# on package installation
# ------------------------------------------------------------------------------
cat > "$INSTALLDIR/usr/sbin/policy-rc.d" <<EOF
#!/bin/sh
return 101 # Action forbidden by policy
EOF
chmod 755 $BUILDCHROOT/usr/sbin/policy-rc.d
chmod 755 "$INSTALLDIR/usr/sbin/policy-rc.d"
if [ "$DEBIANVERSION" = "wheezy" ]; then # stable
# ------------------------------------------------------------------------------
# Add debian security repository
# ------------------------------------------------------------------------------
echo "--> Adding debian-security repository."
# security.debian.org only makes sense for stable/wheezy
echo "deb http://security.debian.org/ ${DEBIANVERSION}/updates main" \
>> "$INSTALLDIR/etc/apt/sources.list"
echo "deb-src http://security.debian.org/ ${DEBIANVERSION}/updates main" \
>> "$INSTALLDIR/etc/apt/sources.list"
source="deb http://security.debian.org ${DEBIANVERSION}/updates main"
if ! grep -r -q "$source" "$INSTALLDIR/etc/apt/sources.list"*; then
touch "$INSTALLDIR/etc/apt/sources.list"
echo "$source" >> "$INSTALLDIR/etc/apt/sources.list"
fi
source="deb-src http://security.debian.org ${DEBIANVERSION}/updates main"
if ! grep -r -q "$source" "$INSTALLDIR/etc/apt/sources.list"*; then
touch "$INSTALLDIR/etc/apt/sources.list"
echo "$source" >> "$INSTALLDIR/etc/apt/sources.list"
fi
echo "--> Installing systemd"
# sysvinit gives problems with qubes initramfs, we depend on systemd
# for now. Apt *really* doesn't want to replace sysvinit in wheezy.
# For jessie and newer, sysvinit is provided by sysvinit-core which
# is not an essential package.
echo 'Yes, do as I say!' | chroot $INSTALLDIR apt-get -y \
--force-yes install systemd-sysv
else # testing/unstable
echo "--> Installing systemd"
chroot $INSTALLDIR apt-get -y install systemd-sysv
fi
# ------------------------------------------------------------------------------
# Upgrade system
# ------------------------------------------------------------------------------
echo "--> Upgrading system"
chroot "$INSTALLDIR" apt-get update
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "$INSTALLDIR" apt-get -y --force-yes dist-upgrade
chroot $INSTALLDIR systemctl set-default multi-user.target
echo "--> Upgrading system"
chroot $INSTALLDIR apt-get update
chroot $INSTALLDIR apt-get -y upgrade
echo "--> Setting keyboard layout"
chroot $INSTALLDIR debconf-set-selections <<EOF
# ------------------------------------------------------------------------------
# Configure keyboard
# ------------------------------------------------------------------------------
echo "--> Setting keyboard layout"
chroot "$INSTALLDIR" debconf-set-selections <<EOF
keyboard-configuration keyboard-configuration/variant select English (US)
keyboard-configuration keyboard-configuration/layout select English (US)
keyboard-configuration keyboard-configuration/model select Generic 105-key (Intl) PC
keyboard-configuration keyboard-configuration/modelcode string pc105
keyboard-configuration keyboard-configuration/layoutcode string us
keyboard-configuration keyboard-configuration/variantcode string
keyboard-configuration keyboard-configuration/optionscode string
keyboard-configuration keyboard-configuration/variantcode string
keyboard-configuration keyboard-configuration/optionscode string
EOF
echo "--> Installing extra packages"
xargs chroot $INSTALLDIR apt-get -y install < $SCRIPTSDIR/packages.list
# ------------------------------------------------------------------------------
# Install extra packages in script_$DEBIANVERSION/packages.list file
# ------------------------------------------------------------------------------
if [ -n "${TEMPLATE_FLAVOR}" ]; then
PKGLISTFILE="$SCRIPTSDIR/packages_${DIST}_${TEMPLATE_FLAVOR}.list"
if ! [ -r "${PKGLISTFILE}" ]; then
echo "ERROR: ${PKGLISTFILE} does not exists!"
exit 1
fi
elif [ -r "$SCRIPTSDIR/packages_${DIST}.list" ]; then
PKGLISTFILE="$SCRIPTSDIR/packages_${DIST}.list"
else
PKGLISTFILE="$SCRIPTSDIR/packages.list"
fi
# Remove temporary policy layer so services can start normally in the
# deployed template.
rm -f $BUILDCHROOT/usr/sbin/policy-rc.d
echo "--> Installing extra packages"
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
xargs chroot $INSTALLDIR apt-get -y --force-yes install < "$PKGLISTFILE"
# ------------------------------------------------------------------------------
# Execute any custom configuration scripts after file packages installed
# (Whonix needs dependancies installed before installation)
# ------------------------------------------------------------------------------
customStep "$0" "packages_installed"
# ------------------------------------------------------------------------------
# Install systemd
# ------------------------------------------------------------------------------
# - sysvinit gives problems with qubes initramfs, we depend on systemd
# for now. Apt *really* doesn't want to replace sysvinit in wheezy.
# For jessie and newer, sysvinit is provided by sysvinit-core which
# is not an essential package.
# ------------------------------------------------------------------------------
echo "--> Installing systemd for wheezy ($DEBIANVERSION)"
echo 'Yes, do as I say!' | DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "$INSTALLDIR" apt-get -y --force-yes remove sysvinit
# Prevent sysvinit from being re-installed
echo "--> Preventing sysvinit re-installation"
chroot "$INSTALLDIR" apt-mark hold sysvinit
chroot "$INSTALLDIR" apt-get update
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "$INSTALLDIR" apt-get -y --force-yes install systemd-sysv
# ------------------------------------------------------------------------------
# Set multu-user.target as the default target (runlevel 3)
# ------------------------------------------------------------------------------
#chroot "$INSTALLDIR" systemctl set-default multi-user.target
chroot "$INSTALLDIR" rm -f /etc/systemd/system/default.target
chroot "$INSTALLDIR" ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
# ------------------------------------------------------------------------------
# Qubes is now being built with some SID packages; grab backport for wheezy
# ------------------------------------------------------------------------------
if [ "$DEBIANVERSION" == "wheezy" ]; then
echo "--> Adding wheezy backports repository."
source="deb http://http.debian.net/debian wheezy-backports main"
if ! grep -r -q "$source" "$INSTALLDIR/etc/apt/sources.list"*; then
touch "$INSTALLDIR/etc/apt/sources.list"
echo "$source" >> "$INSTALLDIR/etc/apt/sources.list"
fi
chroot $INSTALLDIR apt-get update
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot $INSTALLDIR apt-get -y --force-yes -t wheezy-backports install init-system-helpers
fi
# ------------------------------------------------------------------------------
# Cleanup
# ------------------------------------------------------------------------------
# Remove temporary policy layer so services can start normally in the
# deployed template.
rm -f "$INSTALLDIR/usr/sbin/policy-rc.d"
touch "$INSTALLDIR/tmp/.prepared_groups"
trap - ERR EXIT
trap
# Kill all processes and umount all mounts within $INSTALLDIR,
# but not $INSTALLDIR itself (extra '/' prevents $INSTALLDIR from being
# umounted itself)
umount_image "$INSTALLDIR/" || :
fi
# ------------------------------------------------------------------------------
# Execute any custom post configuration scripts
# ------------------------------------------------------------------------------
customStep "$0" "post"
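Review bot: `--force-yes` has been added to the `dist-upgrade` and every `install` invocation, and in wheezy's apt `-y --force-yes` answers the 'Install these packages without verification?' prompt with yes (without it apt aborts with 'There are problems and -y was used without --force-yes'), so a package whose Release signature does not verify against the archive keyring is installed silently instead of failing the build. Only the `remove sysvinit` step, which removes an Essential package, needs the forced answer; drop `--force-yes` from the `dist-upgrade`, the `install < "$PKGLISTFILE"`, the `install systemd-sysv` and the `-t wheezy-backports install init-system-helpers` lines and keep it on the `remove sysvinit` line alone. The wheezy-backports entry hard-codes `http://http.debian.net/debian` while 01_install_core.sh now takes the mirror from `$DEBIAN_MIRROR`; `source="deb $DEBIAN_MIRROR wheezy-backports main"` keeps the two in step. The `grep -r -q "$source"` duplicate checks treat the URL as a regular expression; `grep -rqF -- "$source"` is the fixed-string match that was intended.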


@ -1,45 +1,103 @@
#!/bin/sh
# vim: set ts=4 sw=4 sts=4 et :
. $SCRIPTSDIR/vars.sh
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
set -x
# Set up a temporary policy-rc.d to prevent apt from starting services
# on package installation
cat > $INSTALLCHROOT/usr/sbin/policy-rc.d <<EOF
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. $SCRIPTSDIR/vars.sh
. ./umount.sh >/dev/null
# ------------------------------------------------------------------------------
# If .prepared_groups has not been completed, don't continue
# ------------------------------------------------------------------------------
if ! [ -f "$INSTALLDIR/tmp/.prepared_groups" ]; then
echo "--> prepared_groups installataion has not completed!... Exiting"
exit 1
fi
# ------------------------------------------------------------------------------
# Mount system mount points
# ------------------------------------------------------------------------------
for fs in /dev /dev/pts /proc /sys /run; do mount -B $fs "$INSTALLDIR/$fs"; done
# ------------------------------------------------------------------------------
# Execute any custom pre configuration scripts
# ------------------------------------------------------------------------------
customStep "$0" "pre"
# ------------------------------------------------------------------------------
# Install Qubes Packages
# ------------------------------------------------------------------------------
if ! [ -f "$INSTALLDIR/tmp/.prepared_qubes" ]; then
echo "--> Installing qbues modules"
# --------------------------------------------------------------------------
# Set up a temporary policy-rc.d to prevent apt from starting services
# on package installation
# --------------------------------------------------------------------------
cat > "$INSTALLCHROOT/usr/sbin/policy-rc.d" <<EOF
#!/bin/sh
return 101 # Action forbidden by policy
EOF
chmod 755 $INSTALLCHROOT/usr/sbin/policy-rc.d
chmod 755 $INSTALLCHROOT/usr/sbin/policy-rc.d
echo "--> Generate locales"
echo "en_US.UTF-8 UTF-8" >> $INSTALLDIR/etc/locale.gen
chroot $INSTALLDIR locale-gen
chroot $INSTALLDIR update-locale LANG=en_US.UTF-8
# --------------------------------------------------------------------------
# Generate locales
# --------------------------------------------------------------------------
echo "--> Generate locales"
echo "en_US.UTF-8 UTF-8" >> "$INSTALLDIR/etc/locale.gen"
chroot "$INSTALLDIR" locale-gen
chroot "$INSTALLDIR" update-locale LANG=en_US.UTF-8
echo "--> Updating template fstab file..."
cat >> $INSTALLDIR/etc/fstab <<EOF
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/mapper/dmroot / ext4 discard,noatime,errors=remount-ro 0 0
/dev/xvdb /rw ext4 noauto,discard,noatime,errors=remount-ro 0 0
/dev/xvdc1 swap swap defaults 0 0
/dev/xvdd /lib/modules ext3 defaults 0 0
xen /proc/xen xenfs defaults 0 0
/rw/home /home none noauto,bind,defaults 0 0
/dev/xvdi /mnt/removable auto noauto,user,rw 0 0
# --------------------------------------------------------------------------
# Update /etc/fstab
# --------------------------------------------------------------------------
echo "--> Updating template fstab file..."
cat >> "$INSTALLDIR/etc/fstab" <<EOF
/dev/mapper/dmroot / ext4 defaults,noatime 1 1
/dev/xvdc1 swap swap defaults 0 0
/dev/xvdb /rw ext4 noauto,defaults,discard 1 2
/rw/home /home none noauto,bind,defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
proc /proc proc defaults 0 0
sysfs /sys sysfs defaults 0 0
xen /proc/xen xenfs defaults 0 0
/dev/xvdi /mnt/removable auto noauto,user,rw 0 0
/dev/xvdd /lib/modules ext3 defaults 0 0
EOF
rm -f $INSTALLDIR/etc/mtab
ln -s ../proc/self/mounts $INSTALLDIR/etc/mtab
# --------------------------------------------------------------------------
# Link mtab
# --------------------------------------------------------------------------
rm -f "$INSTALLDIR/etc/mtab"
ln -s "../proc/self/mounts" "$INSTALLDIR/etc/mtab"
mkdir -p $INSTALLDIR/lib/modules
# --------------------------------------------------------------------------
# Create modules directory
# --------------------------------------------------------------------------
mkdir -p "$INSTALLDIR/lib/modules"
echo "--> Installing qubes packages"
export CUSTOMREPO="$PWD/yum_repo_qubes/$DIST"
# --------------------------------------------------------------------------
# Start of Qubes package installation
# --------------------------------------------------------------------------
echo "--> Installing qubes packages"
export CUSTOMREPO="$PWD/yum_repo_qubes/$DIST"
if ! [ -e $CACHEDIR/repo-secring.gpg ]; then
mkdir -p $CACHEDIR
gpg --gen-key --batch <<EOF
# --------------------------------------------------------------------------
# Install keyrings
# --------------------------------------------------------------------------
if ! [ -e "$CACHEDIR/repo-secring.gpg" ]; then
mkdir -p "$CACHEDIR"
gpg --gen-key --batch <<EOF
Key-Type: RSA
Key-Length: 1024
Key-Usage: sign
@ -49,38 +107,96 @@ Expire-Date: 0
%secring $CACHEDIR/repo-secring.gpg
%commit
EOF
fi
gpg -abs --no-default-keyring \
--secret-keyring $CACHEDIR/repo-secring.gpg \
--keyring $CACHEDIR/repo-pubring.gpg \
-o $CUSTOMREPO/dists/$DIST/Release.gpg \
$CUSTOMREPO/dists/$DIST/Release
fi
gpg -abs --no-default-keyring \
--secret-keyring "$CACHEDIR/repo-secring.gpg" \
--keyring "$CACHEDIR/repo-pubring.gpg" \
-o "$CUSTOMREPO/dists/$DIST/Release.gpg" \
"$CUSTOMREPO/dists/$DIST/Release"
cp "$CACHEDIR/repo-pubring.gpg" "$INSTALLDIR/etc/apt/trusted.gpg.d/qubes-builder.gpg"
mkdir -p $INSTALLDIR/tmp/qubes_repo
mount --bind $CUSTOMREPO $INSTALLDIR/tmp/qubes_repo
cat > $INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list <<EOF
# --------------------------------------------------------------------------
# Mount local qubes_repo
# --------------------------------------------------------------------------
mkdir -p "$INSTALLDIR/tmp/qubes_repo"
mount --bind "$CUSTOMREPO" "$INSTALLDIR/tmp/qubes_repo"
# --------------------------------------------------------------------------
# Include qubes repo for apt
# --------------------------------------------------------------------------
cat > "$INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list" <<EOF
deb file:/tmp/qubes_repo $DEBIANVERSION main
EOF
cp $CACHEDIR/repo-pubring.gpg $INSTALLDIR/etc/apt/trusted.gpg.d/qubes-builder.gpg
chroot $INSTALLDIR apt-get update || { umount $INSTALLDIR/tmp/qubes_repo; exit 1; }
chroot $INSTALLDIR apt-get -y install `cat $SCRIPTSDIR/packages_qubes.list` || { umount $INSTALLDIR/tmp/qubes_repo; exit 1; }
umount $INSTALLDIR/tmp/qubes_repo
rm -f $INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list
chroot $INSTALLDIR apt-get update || exit 1
# --------------------------------------------------------------------------
# Update system; exit is not successful
# --------------------------------------------------------------------------
chroot "$INSTALLDIR" apt-get update || { umount "$INSTALLDIR/tmp/qubes_repo"; exit 1; }
# Remove temporary policy layer so services can start normally in the
# deployed template.
rm -f $BUILDCHROOT/usr/sbin/policy-rc.d
# --------------------------------------------------------------------------
# Install Qubes packages
# --------------------------------------------------------------------------
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "$INSTALLDIR" apt-get -y --force-yes install `cat $SCRIPTSDIR/packages_qubes.list` || \
{ umount "$INSTALLDIR/tmp/qubes_repo"; exit 1; }
chroot $INSTALLDIR groupadd user
chroot $INSTALLDIR useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
# --------------------------------------------------------------------------
# Remove Quebes repo from sources.list.d
# --------------------------------------------------------------------------
rm -f "$INSTALLDIR"/etc/apt/sources.list.d/qubes*.list
umount "$INSTALLDIR/tmp/qubes_repo"
rm -f "$INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list"
chroot "$INSTALLDIR" apt-get update || exit 1
echo "xen_netfront" >> $INSTALLDIR/etc/modules
# --------------------------------------------------------------------------
# Remove temporary policy layer so services can start normally in the
# deployed template.
# --------------------------------------------------------------------------
rm -f "$BUILDCHROOT/usr/sbin/policy-rc.d"
sed -i -e '/^mesg n/d' $INSTALLDIR/root/.profile
# --------------------------------------------------------------------------
# Qubes needs a user named 'user'
# --------------------------------------------------------------------------
if chroot "$INSTALLDIR" id -u 'user' >/dev/null 2>&1; then
:
else
chroot "$INSTALLDIR" groupadd -f user
chroot "$INSTALLDIR" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
fi
# Kill any processes that might have been started by apt before unmounting
lsof $INSTALLDIR | tail -n +2 | awk '{print $2}' | xargs --no-run-if-empty kill
# --------------------------------------------------------------------------
# Modules setup
# --------------------------------------------------------------------------
echo "xen_netfront" >> "$INSTALLDIR/etc/modules"
# --------------------------------------------------------------------------
# Remove `mesg` from root/.profile?
# --------------------------------------------------------------------------
sed -i -e '/^mesg n/d' "$INSTALLDIR/root/.profile"
# --------------------------------------------------------------------------
# Need a xen log directory or xen scripts will fail
# --------------------------------------------------------------------------
mkdir -p -m 0700 "$INSTALLDIR/var/log/xen"
# --------------------------------------------------------------------------
# Copy over any extra files that may be needed that are located in
# $SCRIPT_DIR/extra-qubes-files
# --------------------------------------------------------------------------
echo "-> Copy extra files..."
copy_dirs "extra-qubes-files"
touch "$INSTALLDIR/tmp/.prepared_qubes"
fi
# ------------------------------------------------------------------------------
# Execute any custom post configuration scripts
# ------------------------------------------------------------------------------
customStep "$0" "post"
# ------------------------------------------------------------------------------
# Kill all processes and umount all mounts within $INSTALLDIR, but not
# $INSTALLDIR itself (extra '/' prevents $INSTALLDIR from being umounted itself)
# ------------------------------------------------------------------------------
umount_image "$INSTALLDIR/" || :
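Review bot: The temporary policy-rc.d is written to `"$INSTALLCHROOT/usr/sbin/policy-rc.d"` in the first hunk and removed from `"$BUILDCHROOT/usr/sbin/policy-rc.d"` in the second, while every other path in this file (and 02_install_groups.sh in this same commit) uses `$INSTALLDIR`; neither INSTALLCHROOT nor BUILDCHROOT is set anywhere visible here, and the commit rewrites both lines without fixing the variable. Unless vars.sh defines them, both expand empty, so the heredoc creates and `chmod 755`s `/usr/sbin/policy-rc.d` on the build host — suppressing service starts host-wide until the trailing `rm -f` — while the chroot never gets the policy and apt may start daemons inside the image during the qubes package install. Replace all three occurrences with `"$INSTALLDIR/usr/sbin/policy-rc.d"` (the `chmod 755` line is also duplicated and one copy can go), and use `"${INSTALLDIR:?}"` where an empty value would otherwise hit the host filesystem. The 1024-bit RSA `gpg --gen-key` key only signs the local file: repo for the duration of the build and its public half is removed by 09_cleanup.sh, but a comment saying exactly that would stop a reader from treating it as a distribution key.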


@ -1,10 +1,27 @@
#!/bin/sh
# vim: set ts=4 sw=4 sts=4 et :
rm -f $INSTALLDIR/var/cache/apt/archives/*
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
. $SCRIPTSDIR/vars.sh
rm -f $INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list
rm -f $INSTALLDIR/etc/apt/trusted.gpg.d/qubes-builder.gpg
# ------------------------------------------------------------------------------
# Execute any custom pre configuration scripts
# ------------------------------------------------------------------------------
customStep "$0" "pre"
# ------------------------------------------------------------------------------
# Cleanup any left over files from installation
# ------------------------------------------------------------------------------
rm -rf "INSTALLDIR/var/cache/apt/archives/*"
rm -f "$INSTALLDIR/etc/apt/sources.list.d/qubes-builder.list"
rm -f "$INSTALLDIR/etc/apt/trusted.gpg.d/qubes-builder.gpg"
# XXX: Whats this for?
rm -rf buildchroot
# ------------------------------------------------------------------------------
# Execute any custom post configuration scripts
# ------------------------------------------------------------------------------
customStep "$0" "post"
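Review bot: The cache cleanup line `rm -rf "INSTALLDIR/var/cache/apt/archives/*"` is missing the `$` on `INSTALLDIR` and quotes the `*`, so it tries to remove a literal relative path and never touches the image's apt cache, whereas the unquoted form that appears to be the removed line did expand. Write it as `rm -rf "$INSTALLDIR"/var/cache/apt/archives/*` so the glob expands while the path part stays quoted; the script does not set `-e`, so the current failure is silent. The `rm -rf buildchroot` below it is also relative to the caller's working directory, which the `XXX` comment suggests is not yet understood; anchoring it to a known base directory or guarding it with `[ -d buildchroot ]` would make the intent explicit.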

5
scripts_debian/NOTES Normal file

@ -0,0 +1,5 @@
NOTES
=====
- move whonix install into step 01-pre!
that way we dont need to setup systemd 2 times!


@ -0,0 +1 @@
../custom_wheezy_whonix/02_install_groups_packages_installed.sh


@ -0,0 +1 @@
../custom_wheezy_whonix/04_install_qubes_post.sh


@ -0,0 +1,20 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
. $SCRIPTSDIR/vars.sh
. ./umount.sh >/dev/null
if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
set -x
fi
if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" ]; then
# --------------------------------------------------------------------------
# Install Custom Configurations
# --------------------------------------------------------------------------
echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway"
touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations"
fi
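Review bot: The verbosity test `if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then` misbehaves when VERBOSE is unset or empty: `-ge` then reports "integer expression expected" on stderr and the branch is skipped, and `-o` inside `[` is the deprecated, ambiguous form. Since the file is `#!/bin/bash`, `if [[ "${VERBOSE:-0}" -ge 2 || "$DEBUG" == "1" ]]; then` handles both cases. The same construct is repeated in the three later new scripts (the sections ending at lines 954, 1136 and 1187), so one shared helper in vars.sh would avoid fixing it four times. `. $SCRIPTSDIR/vars.sh` should also quote the expansion, `. "$SCRIPTSDIR/vars.sh"`, as the rest of the script does for `$INSTALLDIR`; `umount.sh` is sourced here but nothing in this file appears to use it.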


@ -0,0 +1,2 @@
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"


@ -0,0 +1,60 @@
#!/bin/bash
# Search though files and updates IP address to current qubes-netvm-gateway address on startup
# of eth0
DIRS="/usr/lib/leaktest-workstation/simple_ping.py \
/usr/lib/whonixcheck/preparation \
/usr/share/anon-kde-streamiso/share/config/kioslaverc \
/usr/bin/whonix_firewall \
/etc/whonix_firewall.d/30_default \
/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh \
/usr/bin/uwt \
/etc/uwt.d/30_uwt_default \
/usr/share/tor/tor-service-defaults-torrc.anondist \
/usr/bin/update-torbrowser \
/etc/network/interfaces.whonix \
/etc/resolv.conf.anondist \
/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin \
/etc/rinetd.conf.anondist \
/etc/network/interfaces.whonix \
/usr/share/anon-torchat/.torchat/torchat.ini"
# $1 = space delimited files
function replace_ips()
{
IP=$2
LAST_IP=$3
if ! [ "$LAST_IP" == "$IP" ]; then
for file in $1; do
if [ -f "$file" ]; then
#find / -xdev -type f -print0 | xargs -0r file | grep 'ASCII text' | awk -F: '{print $1}' | \
# xargs -d'\n' -r sed -i "s/$LAST_IP/$IP/g"
#find / -xdev -type f -print0 | xargs -0r file | grep 'ASCII text' | awk -F: '{print $1}' | \
# xargs -d'\n' -r sed -i "s/$LAST_IP_PART./$IP_PART./g"
sed -i "s/$LAST_IP/$IP/g" "$file"
fi
done
echo "$IP" > /etc/whonix-netvm-gateway
service tor restart
fi
}
IP=`xenstore-read qubes-netvm-gateway`
IP_PART=$(echo $IP | cut -f 1,2,3 -d".")
LAST_IP="$(cat /etc/whonix-netvm-gateway)"
LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
replace_ips "$DIRS" $IP $LAST_IP
# Do again; checking for original 10.152.152.10 incase of update
LAST_IP=10.152.152.10
LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
replace_ips "$DIRS" $IP $LAST_IP
# Do again; checking for original 10.152.152.11 incase of update
LAST_IP=10.152.152.11
LAST_IP_PART=$(echo $LAST_IP | cut -f 1,2,3 -d".")
replace_ips "$DIRS" $IP $LAST_IP
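Review bot: The result of `xenstore-read qubes-netvm-gateway` assigned to IP is never checked, so if the read fails or returns empty the script still calls `replace_ips` and `sed -i "s/$LAST_IP/$IP/g"` rewrites every listed file with an empty address, while an empty LAST_IP (missing or empty /etc/whonix-netvm-gateway) yields `s//…/`, which sed rejects. Add `IP=$(xenstore-read qubes-netvm-gateway) || exit 1` and `[ -n "$IP" ] || exit 1` before the replacements, and pass the values quoted, `replace_ips "$DIRS" "$IP" "$LAST_IP"`, so an empty argument is not silently dropped from the positional list and `$3` does not shift. The dots in `$LAST_IP` are unescaped regex metacharacters, so the substitution also matches strings such as `10x152x152x10`; escaping them (`${LAST_IP//./\\.}`) tightens it. `IP_PART` and `LAST_IP_PART` are computed on four lines but only referenced by commented-out code.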


@ -0,0 +1,38 @@
#!/bin/sh
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
INTERFACE="eth1"
/sbin/ip link add $INTERFACE type dummy
# Now, assign it the netvm-gateway IP address
ip=$($XENSTORE_READ qubes-netvm-gateway 2> /dev/null)
if [ x$ip != x ]; then
netmask=$($XENSTORE_READ qubes-netvm-netmask)
gateway=$($XENSTORE_READ qubes-netvm-gateway)
/sbin/ifconfig $INTERFACE $ip netmask 255.255.255.255
/sbin/ifconfig $INTERFACE up
/sbin/ethtool -K $INTERFACE sg off
/sbin/ethtool -K $INTERFACE tx off
fi
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/replace-ips
# Make sure we have correct nameserver set
echo "nameserver 127.0.0.1" > /etc/resolv.conf
# Make sure hostname is correct
/bin/hostname -b host
# Start Whonix Firewall
export INT_IF="vif+"
export INT_TIF="vif+"
/usr/bin/whonix_firewall
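Review bot: `netmask` and `gateway` are read from xenstore but never used; the interface is configured with a hard-coded `255.255.255.255` and `gateway` duplicates `ip`. If the /32 is intended for the dummy interface, drop the two reads so `xenstore-read qubes-netvm-netmask` cannot fail for nothing; otherwise pass `"$netmask"` to ifconfig. The udev rule added in this commit runs this script on each xen `eth*` add event, so if it fires more than once `ip link add $INTERFACE type dummy` fails with "File exists" on later runs; guard it with `[ -d /sys/class/net/$INTERFACE ] || /sbin/ip link add "$INTERFACE" type dummy`. `[ x$ip != x ]` should quote the expansion, e.g. `[ -n "$ip" ]`, since the script is `#!/bin/sh`.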


@ -0,0 +1 @@
../custom_wheezy_whonix/02_install_groups_packages_installed.sh


@ -0,0 +1 @@
../custom_wheezy_whonix/04_install_qubes_post.sh


@ -0,0 +1,12 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
. $SCRIPTSDIR/vars.sh
. ./umount.sh >/dev/null
if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
set -x
fi


@ -0,0 +1,216 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
. $SCRIPTSDIR/vars.sh
. ./umount.sh >/dev/null
if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
set -x
fi
# ------------------------------------------------------------------------------
# chroot Whonix build script (Make sure set -e is not set)
# ------------------------------------------------------------------------------
read -r -d '' WHONIX_BUILD_SCRIPT <<'EOF'
#!/bin/bash
################################################################################
# Pre Fixups
sudo mkdir -p /boot/grub2
sudo touch /boot/grub2/grub.cfg
sudo mkdir -p /boot/grub
sudo touch /boot/grub/grub.cfg
sudo mkdir --parents --mode=g+rw "/tmp/uwt"
# Whonix seems to re-install sysvinit even though there is a hold
# on the package. Things seem to work anyway. BUT hopfully the
# hold on grub* don't get removed
sudo apt-mark hold sysvinit
sudo apt-mark hold grub-common grub-pc-bin grub2-common
# Whonix expects haveged to be started
sudo /etc/init.d/haveged start
################################################################################
# Whonix installation
export WHONIX_BUILD_UNATTENDED_PKG_INSTALL="1"
pushd ~/Whonix
sudo ~/Whonix/whonix_build \
--build $1 \
--64bit-linux \
--current-sources \
--enable-whonix-apt-repository \
--whonix-apt-repository-distribution $2 \
--install-to-root \
--skip-verifiable \
--minimal-report \
--skip-sanity-tests || { exit 1; }
popd
################################################################################
# Post Fixups
pushd /etc/network
sudo rm -f interfaces
sudo ln -s interfaces.backup interfaces
popd
pushd /etc
sudo rm -f resolv.conf
sudo ln -s resolv.conf.backup resolv.conf
popd
sudo update-rc.d network-manager disable
sudo update-rc.d spice-vdagent disable
sudo update-rc.d swap-file-creator disable
sudo update-rc.d whonix-initializer disable
# Fake that initializer was already run
sudo mkdir -p /root/.whonix
sudo touch /root/.whonix/first_run_initializer.done
# Prevent whonixcheck error
sudo su -c 'echo WHONIXCHECK_NO_EXIT_ON_UNSUPPORTED_VIRTUALIZER=\"1\" >> /etc/whonix.d/30_whonixcheck_default'
# Ensure umask set in /etc/login.defs is used (022)
sudo su -c 'echo "session optional pam_umask.so" >> /etc/pam.d/common-session'
sudo touch "/tmp/.prepared_whonix"
EOF
# ------------------------------------------------------------------------------
# chroot Whonix fix script (Make sure set -e is not set)
# Run ../whonix_fix when whonix gives grub-pc error
# ------------------------------------------------------------------------------
# TODO: Do something in whonix build to automatically run fixups and
# ignore certain errors
read -r -d '' WHONIX_FIX_SCRIPT <<'EOF'
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
sudo apt-get -y --force-yes remove grub-common grub-pc-bin grub2-common
sudo apt-mark hold grub-common grub-pc-bin grub2-common
EOF
# ------------------------------------------------------------------------------
# Set defualts for apt not to install recommended or extra packages
# ------------------------------------------------------------------------------
read -r -d '' WHONIX_APT_PREFERENCES <<'EOF'
Acquire::Languages "none";
APT::Install-Recommends "false";
APT::Install-Suggests "false";
Dpkg::Options "--force-confold";
EOF
# ------------------------------------------------------------------------------
# Cleanup function
# ------------------------------------------------------------------------------
function error() {
echo "--> Whonix error; umounting $INSTALLDIR to prevent further writes"
umount_image "$INSTALLDIR" || :
exit 1
}
trap error ERR
trap error EXIT
# ------------------------------------------------------------------------------
# Mount devices, etc required for Whonix installation
# ------------------------------------------------------------------------------
if ! [ -f "$INSTALLDIR/tmp/.prepared_whonix" ]; then
echo "-> Installing whonix system"
# --------------------------------------------------------------------------
# Whonix system config dependancies
# --------------------------------------------------------------------------
#/usr/sbin/grub-probe: error: cannot find a device for / (is /dev mounted?)
#cannot stat `/boot/grub/grub.cfg': No such file or directory
# Qubes needs a user named 'user'
if chroot "$INSTALLDIR" id -u 'user' >/dev/null 2>&1; then
:
else
chroot "$INSTALLDIR" groupadd -f user
chroot "$INSTALLDIR" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
fi
# Change hostname to 'host'
echo "host" > "$INSTALLDIR/etc/hostname"
chroot "$INSTALLDIR" sed -i "s/localhost/host/g" /etc/hosts
if ! [ -f "$INSTALLDIR/etc/sudoers.d/qubes" ]; then
cp -p /etc/sudoers.d/qubes "$INSTALLDIR/etc/sudoers.d/qubes"
fi
# --------------------------------------------------------------------------
# Install Whonix system
# --------------------------------------------------------------------------
if ! [ -d "$INSTALLDIR/home/user/Whonix" ]; then
echo "-> Installing Whonix build environment..."
chroot "$INSTALLDIR" su user -c 'mkdir /home/user/Whonix'
fi
if [ -d "$INSTALLDIR/home/user/Whonix" ]; then
mount --bind "../Whonix" "$INSTALLDIR/home/user/Whonix"
echo "-> Building Whonix..."
# Install apt-get preferences
echo "$WHONIX_APT_PREFERENCE" > "$INSTALLDIR/etc/apt/apt.conf.d/99whonix"
chmod 0644 "$INSTALLDIR/etc/apt/apt.conf.d/99whonix"
# Install Whonix fix script
echo "$WHONIX_FIX_SCRIPT" > "$INSTALLDIR/home/user/whonix_fix"
chmod 0755 "$INSTALLDIR/home/user/whonix_fix"
# Install Whonix build scripts
echo "$WHONIX_BUILD_SCRIPT" > "$INSTALLDIR/home/user/whonix_build"
chmod 0755 "$INSTALLDIR/home/user/whonix_build"
if [ "${TEMPLATE_FLAVOR}" == "whonix-gateway" ]; then
BUILD_TYPE="--torgateway"
elif [ "${TEMPLATE_FLAVOR}" == "whonix-workstation" ]; then
BUILD_TYPE="--torworkstation"
else
echo "Incorrent Whonix type \"${TEMPLATE_FLAVOR}\" selected. Not building Whonix modules"
echo "You need to set TEMPLATE_FLAVOR environment variable to either"
echo "whonix-gateway OR whonix-workstation"
exit 1
fi
chroot "$INSTALLDIR" su user -c "cd ~; ./whonix_build $BUILD_TYPE $DIST" || { exit 1; }
fi
fi
# ------------------------------------------------------------------------------
# Execute any custom configuration scripts
# ------------------------------------------------------------------------------
customStep "99_custom_configuration.sh"
# XXX: Why do I need to move them out of the way? Lets try keeping them
# in place (modify post script too)
# ------------------------------------------------------------------------------
# Move Whonix sources out of way
# ------------------------------------------------------------------------------
#if [ -L "$INSTALLDIR/etc/apt/sources.list.d" ]; then
# mv "$INSTALLDIR/etc/apt/sources.list.d" "$INSTALLDIR/etc/apt/sources.list.d.qubes"
# mkdir -p "$INSTALLDIR/etc/apt/sources.list.d"
# cp -p "$INSTALLDIR/etc/apt/sources.list.d.qubes/debian.list" "$INSTALLDIR/etc/apt/sources.list.d"
#fi
# ------------------------------------------------------------------------------
# Bring back original apt-get for installation of Qubues
# ------------------------------------------------------------------------------
if [ -L "$INSTALLDIR/usr/bin/apt-get" ]; then
rm "$INSTALLDIR/usr/bin/apt-get"
chroot "$INSTALLDIR" su -c "cd /usr/bin/; ln -s apt-get.anondist-orig apt-get"
fi
# ------------------------------------------------------------------------------
# Leave cleanup to calling function
# ------------------------------------------------------------------------------
trap - ERR EXIT
trap
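Review bot: The apt preferences are written from `$WHONIX_APT_PREFERENCE`, but the heredoc above defines `WHONIX_APT_PREFERENCES`, so `/etc/apt/apt.conf.d/99whonix` in the image ends up empty and recommends/suggests stay enabled during the Whonix build; the line should read `echo "$WHONIX_APT_PREFERENCES" > "$INSTALLDIR/etc/apt/apt.conf.d/99whonix"`. In the fix script, `apt-get -y --force-yes remove …` disables apt's authentication safeguards for the whole invocation; `-y` alone is sufficient for a removal. `mount --bind "../Whonix"` depends on the caller's working directory rather than a known base such as `$SCRIPTSDIR`, and the bare `trap` on the last line prints the trap list to stdout, which looks like a debugging leftover. The comment at `chroot Whonix build script (Make sure set -e is not set)` would be clearer if it said which script it refers to (the embedded one or this file), since this file also installs an ERR trap.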


@ -0,0 +1,55 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
#
# Whonix Post Install Steps (after qubes install)
#
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
. $SCRIPTSDIR/vars.sh
if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
set -x
fi
# ------------------------------------------------------------------------------
# Restore Whonix apt-get
# ------------------------------------------------------------------------------
if [ -L "$INSTALLDIR/usr/bin/apt-get" ]; then
rm "$INSTALLDIR/usr/bin/apt-get"
chroot "$INSTALLDIR" su -c "cd /usr/bin/; ln -s apt-get.anondist apt-get"
fi
# ------------------------------------------------------------------------------
# Restore Whonix sources
# ------------------------------------------------------------------------------
#if [ -L "$INSTALLDIR/etc/apt/sources.list.d" ]; then
# rm -rf "$INSTALLDIR/etc/apt/sources.list.d"
# mv "$INSTALLDIR/etc/apt/sources.list.d.qubes" "$INSTALLDIR/etc/apt/sources.list.d"
#fi
# ------------------------------------------------------------------------------
# Restore whonix resolv.conf
# ------------------------------------------------------------------------------
if [ -L "$INSTALLDIR/etc/resolv.conf" ]; then
pushd "$INSTALLDIR/etc"
sudo rm -f resolv.conf
sudo ln -s resolv.conf.anondist resolv.conf
popd
fi
# ------------------------------------------------------------------------------
# Copy over any extra files
# ------------------------------------------------------------------------------
echo "-> Copy extra files..."
copy_dirs "extra-whonix-files"
# ------------------------------------------------------------------------------
# Cleanup Whonix Installation
# ------------------------------------------------------------------------------
rm -rf "$INSTALLDIR"/home/user/Whonix
rm -rf "$INSTALLDIR"/home/user/whonix_binary
rm -f "$INSTALLDIR"/home/user/whonix_fix
rm -f "$INSTALLDIR"/home/user/whonix_build
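Review bot: `pushd "$INSTALLDIR/etc"` is unchecked, so if the directory is missing the following `rm -f resolv.conf` and `ln -s` run in whatever the current directory is, because the script does not set `-e`; use `pushd "$INSTALLDIR/etc" >/dev/null || exit 1`, or operate on full paths with `ln -sf resolv.conf.anondist "$INSTALLDIR/etc/resolv.conf"` and drop the pushd/popd pair. The `sudo` prefixes in that block are inconsistent with the rest of the file, which removes from `$INSTALLDIR` without sudo, so they are either redundant or would prompt mid-build — presumably the script already runs as root. The `[ -L … ]` guard restores the symlink only when one exists; if the build left a regular resolv.conf it stays untouched, and a comment stating whether that is intended would help the next reader.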


@ -0,0 +1,4 @@
SUBSYSTEM=="cpu", ACTION=="online", PROGRAM="/bin/systemctl try-restart kdump.service"
SUBSYSTEM=="cpu", ACTION=="offline", PROGRAM="/bin/systemctl try-restart kdump.service"
SUBSYSTEM=="memory", ACTION=="add", PROGRAM="/bin/systemctl try-restart kdump.service"
SUBSYSTEM=="memory", ACTION=="remove", PROGRAM="/bin/systemctl try-restart kdump.service"


@ -0,0 +1,16 @@
SUBSYSTEM=="xen-backend", KERNEL=="tap*", RUN+="/etc/xen/scripts/blktap $env{ACTION}"
SUBSYSTEM=="xen-backend", KERNEL=="vbd*", RUN+="/etc/xen/scripts/block $env{ACTION}"
SUBSYSTEM=="xen-backend", KERNEL=="vtpm*", RUN+="/etc/xen/scripts/vtpm $env{ACTION}"
SUBSYSTEM=="xen-backend", KERNEL=="vif2-*", RUN+="/etc/xen/scripts/vif2 $env{ACTION}"
SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="online", RUN+="/etc/xen/scripts/vif-setup online type_if=vif"
SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="offline", RUN+="/etc/xen/scripts/vif-setup offline type_if=vif"
SUBSYSTEM=="xen-backend", KERNEL=="vscsi*", RUN+="/etc/xen/scripts/vscsi $env{ACTION}"
SUBSYSTEM=="xen-backend", ACTION=="remove", RUN+="/etc/xen/scripts/xen-hotplug-cleanup"
KERNEL=="evtchn", NAME="xen/%k"
SUBSYSTEM=="xen", KERNEL=="blktap[0-9]*", NAME="xen/%k", MODE="0600"
SUBSYSTEM=="blktap2", KERNEL=="blktap[0-9]*", NAME="xen/blktap-2/%k", MODE="0600"
KERNEL=="blktap-control", NAME="xen/blktap-2/control", MODE="0600"
KERNEL=="gntdev", NAME="xen/%k", MODE="0600"
KERNEL=="pci_iomul", NAME="xen/%k", MODE="0600"
KERNEL=="tapdev[a-z]*", NAME="xen/blktap-2/tapdev%m", MODE="0600"
SUBSYSTEM=="net", KERNEL=="tap*", ACTION=="add", RUN+="/etc/xen/scripts/vif-setup $env{ACTION} type_if=tap"


@ -0,0 +1,94 @@
#!/bin/bash
# Copyright (c) 2005, XenSource Ltd.
dir=$(dirname "$0")
. "$dir/xen-hotplug-common.sh"
. "$dir/block-common.sh"
findCommand "$@"
##
# check_blktap_sharing file mode
#
# Perform the sharing check for the given blktap and mode.
#
check_blktap_sharing()
{
local file="$1"
local mode="$2"
local base_path="$XENBUS_BASE_PATH/$XENBUS_TYPE"
for dom in $(xenstore-list "$base_path")
do
for dev in $(xenstore-list "$base_path/$dom")
do
params=$(xenstore_read_default "$base_path/$dom/$dev/params" "" | cut -d: -f2)
if [ "$file" = "$params" ]
then
if [ "$mode" = 'w' ]
then
if ! same_vm "$dom"
then
echo 'guest'
return
fi
else
local m=$(xenstore_read_default "$base_path/$dom/$dev/mode" "")
m=$(canonicalise_mode "$m")
if [ "$m" = 'w' ]
then
if ! same_vm "$dom"
then
echo 'guest'
return
fi
fi
fi
fi
done
done
echo 'ok'
}
t=$(xenstore_read_default "$XENBUS_PATH/type" 'MISSING')
if [ -n "$t" ]
then
p=$(xenstore_read "$XENBUS_PATH/params")
p=${p#tapdisk:}
# if we have a ':', chew from head including :
if echo $p | grep -q \:
then
p=${p#*:}
fi
fi
# some versions of readlink cannot be passed a regular file
if [ -L "$p" ]; then
file=$(readlink -f "$p") || fatal "$p link does not exist."
else
file="$p"
fi
if [ "$command" = 'add' ]
then
[ -e "$file" ] || { fatal $file does not exist; }
FRONTEND_ID=$(xenstore_read "$XENBUS_PATH/frontend-id")
FRONTEND_UUID=$(xenstore_read "/local/domain/$FRONTEND_ID/vm")
mode=$(xenstore_read "$XENBUS_PATH/mode")
mode=$(canonicalise_mode "$mode")
if [ "$mode" != '!' ]
then
result=$(check_blktap_sharing "$file" "$mode")
[ "$result" = 'ok' ] || ebusy "$file already in use by other domain"
fi
success
fi
exit 0


@ -0,0 +1,354 @@
#!/bin/bash
dir=$(dirname "$0")
. "$dir/block-common.sh"
HOTPLUG_STORE="/var/run/xen-hotplug/${XENBUS_PATH//\//-}"
expand_dev() {
local dev
case $1 in
/*)
dev=$1
;;
*)
dev=/dev/$1
;;
esac
echo -n $dev
}
find_free_loopback_helper() {
local next_devnum=0
local busy_devnum
while read busy_devnum; do
if [ "$next_devnum" != "$busy_devnum" ]; then
break
fi
let next_devnum=$next_devnum+1
done
echo "/dev/loop${next_devnum}"
}
# Not all distros have "losetup -f"
find_free_loopback_dev() {
local loopdev
loopdev=$(losetup -a | sed -e 's+^/dev/loop++' -e 's/:.*//' | find_free_loopback_helper)
if [ -n "$loopdev" ] && [ -b "$loopdev" ]; then
echo "$loopdev"
fi
}
##
# check_sharing device mode
#
# Check whether the device requested is already in use. To use the device in
# read-only mode, it may be in use in read-only mode, but may not be in use in
# read-write anywhere at all. To use the device in read-write mode, it must
# not be in use anywhere at all.
#
# Prints one of
#
# 'local': the device may not be used because it is mounted in the current
# (i.e. the privileged domain) in a way incompatible with the
# requested mode;
# 'guest': the device may not be used because it already mounted by a guest
# in a way incompatible with the requested mode; or
# 'ok': the device may be used.
#
check_sharing()
{
local dev="$1"
local mode="$2"
local devmm=$(device_major_minor "$dev")
local file
if [ "$mode" = 'w' ]
then
toskip="^$"
else
toskip="^[^ ]* [^ ]* [^ ]* ro[, ]"
fi
for file in $(cat /proc/mounts | grep -v "$toskip" | cut -f 1 -d ' ')
do
if [ -e "$file" ]
then
local d=$(device_major_minor "$file")
if [ "$d" = "$devmm" ]
then
echo 'local'
return
fi
fi
done
local base_path="$XENBUS_BASE_PATH/$XENBUS_TYPE"
for dom in $(xenstore-list "$base_path")
do
for dev in $(xenstore-list "$base_path/$dom")
do
d=$(xenstore_read_default "$base_path/$dom/$dev/physical-device" "")
if [ "$d" = "$devmm" ]
then
if [ "$mode" = 'w' ]
then
if ! same_vm $dom
then
echo 'guest'
return
fi
else
local m=$(xenstore_read_default "$base_path/$dom/$dev/mode" "")
m=$(canonicalise_mode "$m")
if [ "$m" = 'w' ]
then
if ! same_vm $dom
then
echo 'guest'
return
fi
fi
fi
fi
done
done
echo 'ok'
}
##
# check_device_sharing dev mode
#
# Perform the sharing check for the given physical device and mode.
#
check_device_sharing()
{
local dev="$1"
local mode=$(canonicalise_mode "$2")
local result
if [ "x$mode" = 'x!' ]
then
return 0
fi
result=$(check_sharing "$dev" "$mode")
if [ "$result" != 'ok' ]
then
do_ebusy "Device $dev is mounted " "$mode" "$result"
fi
}