Merge remote-tracking branch 'nrgaway/wheezy' into wheezy

Marek Marczykowski-Górecki 10 years ago
commit a526f17ef8

@ -3,6 +3,9 @@
set -e
VERBOSE=${VERBOSE:-1}
DEBUG=${DEBUG:-0}
################################################################################
# Global functions
################################################################################

@ -43,4 +43,3 @@ fi
# Execute any template flavor or sub flavor 'post' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "post"

@ -85,7 +85,7 @@ EOF
chroot "${INSTALLDIR}" apt-get update
true "${stout}"
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get -y --force-yes dist-upgrade
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} dist-upgrade
# ------------------------------------------------------------------------------
# Configure keyboard
@ -115,7 +115,7 @@ EOF
for package_list in ${packages_list[@]}; do
debug "Installing extra packages from: ${package_list}"
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
xargs chroot ${INSTALLDIR} apt-get -y --force-yes install < "${package_list}"
xargs chroot ${INSTALLDIR} apt-get ${APT_GET_OPTIONS} install < "${package_list}"
done
# ------------------------------------------------------------------------------
@ -135,10 +135,10 @@ EOF
debug "Installing systemd for debian (${DEBIANVERSION})"
if [ "${DEBIANVERSION}" == "wheezy" ]; then
echo 'Yes, do as I say!' | DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get -y --force-yes remove sysvinit
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} remove sysvinit
else
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get -y --force-yes remove sysvinit
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} remove sysvinit
fi
# Prevent sysvinit from being re-installed
@ -155,12 +155,11 @@ EOF
chroot "${INSTALLDIR}" apt-get update
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get -y --force-yes install systemd-sysv
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} install systemd-sysv
# ------------------------------------------------------------------------------
# Set multu-user.target as the default target (runlevel 3)
# ------------------------------------------------------------------------------
#chroot "${INSTALLDIR}" systemctl set-default multi-user.target
chroot "${INSTALLDIR}" rm -f /etc/systemd/system/default.target
chroot "${INSTALLDIR}" ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
@ -176,7 +175,7 @@ EOF
fi
chroot ${INSTALLDIR} apt-get update
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot ${INSTALLDIR} apt-get -y --force-yes -t wheezy-backports install init-system-helpers
chroot ${INSTALLDIR} apt-get ${APT_GET_OPTIONS} -t wheezy-backports install init-system-helpers
fi
# ------------------------------------------------------------------------------
@ -199,4 +198,3 @@ fi
# Execute any template flavor or sub flavor 'post' scripts
# ------------------------------------------------------------------------------
buildStep "$0" "post"
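Review bot: The `xargs chroot ${INSTALLDIR} apt-get ${APT_GET_OPTIONS} install < "${package_list}"` line and the `chroot ${INSTALLDIR} apt-get ${APT_GET_OPTIONS} -t wheezy-backports install init-system-helpers` line leave `${INSTALLDIR}` unquoted while every other chroot call in this file quotes it; write them as `chroot "${INSTALLDIR}"` so a build directory containing a space cannot split the argument. `${APT_GET_OPTIONS}` has to stay unquoted because it is a single string that is meant to word-split into several flags, so mark that intent with `# shellcheck disable=SC2086 — APT_GET_OPTIONS holds several apt-get flags` above the first use, or make it an array in the vars file. Note that the `-y --force-yes` pair these lines used to carry now comes from that variable, so whatever it contains is applied to every dist-upgrade, install and remove step in this file at once.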

@ -58,38 +58,12 @@ EOF
chroot "${INSTALLDIR}" locale-gen
chroot "${INSTALLDIR}" update-locale LANG=en_US.UTF-8
# # --------------------------------------------------------------------------
# # Update /etc/fstab
# # --------------------------------------------------------------------------
# #debug "Updating template fstab file..."
# #cat >> "${INSTALLDIR}/etc/fstab" <<EOF
#/dev/mapper/dmroot / ext4 defaults,noatime 1 1
#/dev/xvdc1 swap swap defaults 0 0
#
#/dev/xvdb /rw ext4 noauto,defaults,discard 1 2
#/rw/home /home none noauto,bind,defaults 0 0
#
#tmpfs /dev/shm tmpfs defaults 0 0
#devpts /dev/pts devpts gid=5,mode=620 0 0
#proc /proc proc defaults 0 0
#sysfs /sys sysfs defaults 0 0
#xen /proc/xen xenfs defaults 0 0
#
#/dev/xvdi /mnt/removable auto noauto,user,rw 0 0
#/dev/xvdd /lib/modules ext3 defaults 0 0
#EOF
# --------------------------------------------------------------------------
# Link mtab
# --------------------------------------------------------------------------
rm -f "${INSTALLDIR}/etc/mtab"
ln -s "../proc/self/mounts" "${INSTALLDIR}/etc/mtab"
# # --------------------------------------------------------------------------
# # Create modules directory
# # --------------------------------------------------------------------------
# mkdir -p "${INSTALLDIR}/lib/modules"
# --------------------------------------------------------------------------
# Start of Qubes package installation
# --------------------------------------------------------------------------
@ -141,7 +115,7 @@ EOF
# Install Qubes packages
# --------------------------------------------------------------------------
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "${INSTALLDIR}" apt-get -y --force-yes install $(cat ${SCRIPTSDIR}/packages_qubes.list) || \
chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} install $(cat ${SCRIPTSDIR}/packages_qubes.list) || \
{ umount_kill "${INSTALLDIR}"; exit 1; }
# --------------------------------------------------------------------------
@ -156,32 +130,7 @@ EOF
# Remove temporary policy layer so services can start normally in the
# deployed template.
# --------------------------------------------------------------------------
rm -f "${BUILDCHROOT}/usr/sbin/policy-rc.d"
# # --------------------------------------------------------------------------
# # Qubes needs a user named 'user'
# # --------------------------------------------------------------------------
# if chroot "${INSTALLDIR}" id -u 'user' >/dev/null 2>&1; then
# :
# else
# chroot "${INSTALLDIR}" groupadd -f user
# chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
# fi
# # --------------------------------------------------------------------------
# # Modules setup
# # --------------------------------------------------------------------------
# echo "xen_netfront" >> "${INSTALLDIR}/etc/modules"
# # --------------------------------------------------------------------------
# # Remove `mesg` from root/.profile?
# # --------------------------------------------------------------------------
# sed -i -e '/^mesg n/d' "${INSTALLDIR}/root/.profile"
# # --------------------------------------------------------------------------
# # Need a xen log directory or xen scripts will fail
# # --------------------------------------------------------------------------
# mkdir -p -m 0700 "${INSTALLDIR}/var/log/xen"
rm -f "${INSTALLDIR}/usr/sbin/policy-rc.d"
# --------------------------------------------------------------------------
# Copy extra files to installation directory. Contains:
@ -189,13 +138,6 @@ EOF
# --------------------------------------------------------------------------
copyTree "qubes-files" "${SCRIPTSDIR}" "${INSTALLDIR}"
# # --------------------------------------------------------------------------
# # Looks like hosts file may contain tabs and qubes will not parse it
# # correctly
# # --------------------------------------------------------------------------
# expand "${INSTALLDIR}/etc/hosts" > "${INSTALLDIR}/etc/hosts.dist"
# mv "${INSTALLDIR}/etc/hosts.dist" "${INSTALLDIR}/etc/hosts"
touch "${INSTALLDIR}/tmp/.prepared_qubes"
fi
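Review bot: The Qubes package install `chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} install $(cat ${SCRIPTSDIR}/packages_qubes.list) || \` leaves `${SCRIPTSDIR}` unquoted and builds the argument list from an unquoted command substitution, while the extra-packages loop in the sibling script in this same commit feeds the same kind of list through `xargs ... < "${package_list}"`. Use the same form here, `xargs chroot "${INSTALLDIR}" apt-get ${APT_GET_OPTIONS} install < "${SCRIPTSDIR}/packages_qubes.list" || \`, and keep the `{ umount_kill "${INSTALLDIR}"; exit 1; }` branch — xargs exits non-zero when apt-get fails, so the cleanup still triggers. The two `rm -f .../usr/sbin/policy-rc.d` lines in the next hunk reference `${BUILDCHROOT}` and `${INSTALLDIR}` respectively; the rendering does not show which one survives, but the surviving line should use the same variable as the rest of this file, since the "Remove temporary policy layer" comment above it only makes sense if it targets the tree that gets deployed.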

@ -27,9 +27,6 @@ rm -rf "${INSTALLDIR}/var/cache/apt/archives/*"
rm -f "${INSTALLDIR}/etc/apt/sources.list.d/qubes-builder.list"
rm -f "${INSTALLDIR}/etc/apt/trusted.gpg.d/qubes-builder.gpg"
# XXX: Whats this for?
rm -rf buildchroot
# ------------------------------------------------------------------------------
# Execute any template flavor or sub flavor 'post' scripts
# ------------------------------------------------------------------------------
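Review bot: The line quoted in this hunk's header, `rm -rf "${INSTALLDIR}/var/cache/apt/archives/*"`, keeps the `*` inside the double quotes, so the glob is never expanded and the downloaded .deb files stay in the template's apt cache; write it as `rm -rf -- "${INSTALLDIR}/var/cache/apt/archives/"*` or run `apt-get clean` inside the chroot. The relative `rm -rf buildchroot` under the `# XXX: Whats this for?` comment, if it is on the new side (the rendering does not show which three lines were removed), deletes whatever `buildchroot` exists in the caller's current directory; if it is still needed, anchor it to the build root with the `:?` guard, e.g. `rm -rf -- "${BUILDCHROOT:?}"`, and replace the XXX comment with the actual reason.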

@ -1,106 +0,0 @@
=====================================================================
These are my original notes for steps to intergrate Whonix into Qubes
=====================================================================
Read README.whonix qubes-builder package for build instructions
None of the notes below apply at this point but I am saving them
until whonix intergration is complete since there still may be some
valid steps I will need to intergrate ubuntu as well
=====================================================================
# Build depends
sudo yum install rpmdevtools rpm-build createrepo rpm-sign
# Additional for debian template
sudo yum install debootstrap dpkg-dev
# Build
# https://qubes-os.org/wiki/BuildingArchlinuxTemplate
# ---------------------------------------------------
clean all
clean all rpms
sudo umount chroot-wheezy/proc
sudo rm -r chroot-wheezy
cd qubes-src/linus-template-builder
sudo umount mnt
sudo rm prepared_images/...
make get-sources
make vmm-xen-vm
make core-vchan-xen-vm
make linux-utils-vm
make core-agent-linux-vm
make gui-common-vm
make gui-agent-linux-vm
make linux-template-builder
# builder.conf
# ------------
GIT_SUBDIR=marmarek
COMPONENTS:=$(filter-out desktop-linux-kde desktop-linux-xfce,$(COMPONENTS))
DISTS_VM=wheezy
NO_SIGN="1"
DEBUG="1"
VERBOSE=2
# Changed (XXX: Marks the spot!)
# ------------------------------
# Makefile.debian
# - wheezy repo dir does not get created...
# prepare-chroot-debian
# - chroot /dev/null should be 0666
# Wheezy needs a keyring
# ----------------------
# Create in keys_debian
# Get from https://ftp-master.debian.org/keys.html
gpg --no-default-keyring --keyring=wheezy-debian-archive-keyring.gpg --import wheezy-archive-key-7.0.asc
# move from /user/home/.gnupgp to keys_debian
# Wheezy Hacks
# ------------
# Need 2.0 pulse audio drivers
# *add to source list*
cd qubes-src
git clone --branch v2.0 git://anongit.freedesktop.org/pulseaudio/pulseaudio
cp -prf pulseaudio/src/pulsecore gui-agent-linux/pulse/pulsecore-2.0
cd ..
# Add to...
# module-vchan-sink-symdef.h
#elif PA_CHECK_VERSION(2,0,0)
bool pa__load_once(void);
# Add to..
# Makefile
# Build errors - template
# -----------------------
make[1]: *** [update-repo] Error 32
make: *** [linux-template-builder] Error 1
mount: mount(2) failed: No such file or directory
- remove all mounts and try again. Some mounts may need to be tried multiple times
$ sudo umount chroot-wheezy/proc/
$ sudo umount chroot-wheezy/proc/
umount: chroot-wheezy/proc/: not mounted
$ sudo umount chroot-wheezy/tmp/qubes-apt-repo/
$ sudo umount chroot-wheezy/tmp/qubes-apt-repo/
umount: chroot-wheezy/tmp/qubes-apt-repo/: not mounted
$ sudo umount chroot-wheezy/tmp/qubes-deb/
$ sudo umount chroot-wheezy/tmp/qubes-deb/
$ sudo umount chroot-wheezy/tmp/qubes-deb/
umount: chroot-wheezy/tmp/qubes-deb/: not mounted

@ -1,26 +0,0 @@
#!/bin/bash
# vim: set ts=4 sw=4 sts=4 et :
#
# Whonix Post Install Steps (after qubes install)
#
# ------------------------------------------------------------------------------
# Source external scripts
# ------------------------------------------------------------------------------
. ${SCRIPTSDIR}/vars.sh
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "${VERBOSE}" -ge 2 -o "${DEBUG}" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# Disable gnome network-manager since it will prevent networking
# ------------------------------------------------------------------------------
debug "Disabling gnome network-manager"
chroot "${INSTALLDIR}" systemctl disable network-manager

@ -4,3 +4,5 @@ xdg-user-dirs
gnome-themes-standard
xsettingsd
gnome-packagekit
chrony
ntpdate
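Review bot: `chrony` and `ntpdate` are two NTP clients added together, and if this package list is also consumed by the Whonix flavour built in the same commit (the rendering does not show which template the list belongs to) they conflict with the sdwdate-based time keeping that the removed Whonix scripts refer to, and would have the VM speak NTP outside Tor. Either keep the list flavour-specific or add `# chrony/ntpdate: plain Debian template only; the Whonix flavour keeps sdwdate` so the next reader knows the constraint, and consider whether one client (chrony alone) is enough.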

@ -1,42 +0,0 @@
# file: .
# owner: user
# group: user
user::rwx
group::r-x
other::r-x
# file: etc
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev/rules.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev/rules.d/xen-backend.rules
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/udev/rules.d/98-kexec.rules
# owner: root
# group: root
user::rw-
group::r--
other::r--

@ -1,16 +0,0 @@
SUBSYSTEM=="xen-backend", KERNEL=="tap*", RUN+="/etc/xen/scripts/blktap $env{ACTION}"
SUBSYSTEM=="xen-backend", KERNEL=="vbd*", RUN+="/etc/xen/scripts/block $env{ACTION}"
SUBSYSTEM=="xen-backend", KERNEL=="vtpm*", RUN+="/etc/xen/scripts/vtpm $env{ACTION}"
SUBSYSTEM=="xen-backend", KERNEL=="vif2-*", RUN+="/etc/xen/scripts/vif2 $env{ACTION}"
SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="online", RUN+="/etc/xen/scripts/vif-setup online type_if=vif"
SUBSYSTEM=="xen-backend", KERNEL=="vif-*", ACTION=="offline", RUN+="/etc/xen/scripts/vif-setup offline type_if=vif"
SUBSYSTEM=="xen-backend", KERNEL=="vscsi*", RUN+="/etc/xen/scripts/vscsi $env{ACTION}"
SUBSYSTEM=="xen-backend", ACTION=="remove", RUN+="/etc/xen/scripts/xen-hotplug-cleanup"
KERNEL=="evtchn", NAME="xen/%k"
SUBSYSTEM=="xen", KERNEL=="blktap[0-9]*", NAME="xen/%k", MODE="0600"
SUBSYSTEM=="blktap2", KERNEL=="blktap[0-9]*", NAME="xen/blktap-2/%k", MODE="0600"
KERNEL=="blktap-control", NAME="xen/blktap-2/control", MODE="0600"
KERNEL=="gntdev", NAME="xen/%k", MODE="0600"
KERNEL=="pci_iomul", NAME="xen/%k", MODE="0600"
KERNEL=="tapdev[a-z]*", NAME="xen/blktap-2/tapdev%m", MODE="0600"
SUBSYSTEM=="net", KERNEL=="tap*", ACTION=="add", RUN+="/etc/xen/scripts/vif-setup $env{ACTION} type_if=tap"

@ -11,18 +11,8 @@
DEBIANVERSION=${DIST}
# Location to grab debian packages
DEBIAN_MIRROR=http://ftp.us.debian.org/debian/
#DEBIAN_MIRROR=http://http.debian.net/debian
DEBIAN_MIRROR=http://ftp.ca.debian.org/debian/
#DEBIAN_MIRROR=http://ftp.us.debian.org/debian/
#DEBIAN_MIRROR=http://ftp.ca.debian.org/debian/
# XXX: Is this even used?
EXTRAPKGS="openssh-clients,screen,vim-nox,less"
# XXX: Is this even used?
QUBESDEBIANGIT="http://dsg.is/qubes/"
# XXX: Is this even used?
# make runs the scripts with sudo -E, so HOME is set to /home/user during
# build, which does not exist. We need to write to ${HOME}/.gnupg so set it
# to something valid.
HOME=/root
APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes -y"
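Review bot: `APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes -y"` carries `--force-yes`, which on apt of this era makes apt-get continue through the unauthenticated-package prompt, so every install, remove and dist-upgrade in this commit that expands `${APT_GET_OPTIONS}` will accept packages whose repository signature does not verify — over the plain-http `DEBIAN_MIRROR` set just above, that removes the only integrity check on what goes into the template, and the builder repository is signed (the cleanup script removes `qubes-builder.gpg`), so it should not be needed. Drop it, and if one specific step really requires unsigned packages give that step an explicit `--allow-unauthenticated` with a comment saying why. The nested quotes on the same line look as if `--force-confnew` were quoted but actually close and reopen the outer string; `APT_GET_OPTIONS='-o Dpkg::Options::=--force-confnew -y'` is the equivalent, unambiguous form. A one-line comment on why `--force-confnew` is acceptable for a fresh template build would also help, since it silently overwrites locally modified conffiles.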

@ -5,91 +5,105 @@ user::rwx
group::r-x
other::r-x
# file: etc
# file: lib
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/hosts
# file: lib/systemd
# owner: root
# group: root
user::rw-
group::r--
other::r--
user::rwx
group::r-x
other::r-x
# file: etc/uwt.d
# file: lib/systemd/system
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/uwt.d/50_uwt_default
# file: lib/systemd/system/qubes-whonix-firewall.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/xdg
# file: lib/systemd/system/qubes-whonix-network.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/autostart
# file: etc/hosts
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/uwt.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/autostart/qubes-whonixsetup.desktop
# file: etc/uwt.d/50_uwt_default
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/apt
# file: etc/xdg
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/apt/preferences.d
# file: etc/xdg/autostart
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/apt/preferences.d/whonix_qubes
# file: etc/xdg/autostart/qubes-whonixsetup.desktop
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/udev
# file: etc/apt
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev/rules.d
# file: etc/apt/preferences.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev/rules.d/99-qubes-whonix.rules
# file: etc/apt/preferences.d/whonix_qubes
# owner: root
# group: root
user::rw-
@ -152,34 +166,55 @@ user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/setup-ip
# file: usr/lib/whonix/whonix.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/tests.sh
# file: usr/lib/whonix/init
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/messages.yaml
# file: usr/lib/whonix/init/replace-ips
# owner: root
# group: root
user::rw-
group::r--
other::r--
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/init.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/network-proxy-setup.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/replace-ips
# file: usr/lib/whonix/init/qubes-firewall-user-script
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/messages.yaml
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/alert
# owner: root
# group: root

@ -1 +0,0 @@
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"

@ -0,0 +1,14 @@
[Unit]
Description=Qubes Whonix firewall updater
After=qubes-whonix-network.service
Before=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/usr/lib/whonix/init/init.sh
ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
StandardOutput=syslog
[Install]
WantedBy=multi-user.target
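Review bot: `After=qubes-whonix-network.service` only orders this unit; without a `Requires=` or `Wants=` line it still starts when the network unit failed or was never pulled in, so `init.sh` and the firewall script run against whatever network state happens to exist. Add `Requires=qubes-whonix-network.service` next to the `After=` line (or `Wants=` if a gateway without the proxy interface should still get its firewall). The companion `qubes-whonix-network.service` in this commit has the same pattern with `After=qubes-firewall.service` and no `Wants=`, and both unit files appear a second time further down for the other flavour, so the fix applies to all four copies. A `# oneshot: init.sh prepares /etc files, then the firewall script is loaded; runs once per boot` comment at the top of the unit would document the intended sequence.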

@ -0,0 +1,14 @@
[Unit]
Description=Qubes Whonix network proxy setup
ConditionPathExists=/var/run/qubes-service/qubes-network
Before=network.target
After=qubes-firewall.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

@ -0,0 +1,38 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" != "template" ]; then
# Files that will have the immutable bit set
# since we don't want them modified by other programs
IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname'
'/etc/hosts'
)
# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/init/replace-ips
# Make sure hostname is correct
/bin/hostname host
if [ "${WHONIX}" == "gateway" ]; then
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi
fi
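Review bot: `immutableFilesEnable "${IMMUTABLE_FILES}"` expands only the first array element (`${arr}` is `${arr[0]}` in bash), so only `/etc/resolv.conf` is processed and `/etc/hostname` and `/etc/hosts` never get the immutable bit, contrary to the `# Make sure all .anondist files in list are immutable` comment; the same two lines appear in the second init.sh section further down in this commit. Unless `immutableFilesEnable` in utility_functions (not visible here) is written to take a whole list in one argument, iterate the array: `for f in "${IMMUTABLE_FILES[@]}"; do immutableFilesEnable "$f"; immutableFilesEnable "$f" ".anondist"; done`. The torrc check should be `grep -q "^DisableNetwork 0$" /etc/tor/torrc || {` so the matched line is not echoed into the service log. Note that with no `set -e` a failing `copyAnondist` or `replace-ips` is ignored and the script still returns success to the unit's `ExecStartPre=`.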

@ -0,0 +1,61 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
INTERFACE="eth1"
if [ "${WHONIX}" == "gateway" ]; then
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Setup Xen / Qubes proxy
network=$(xenstore-read qubes-netvm-network 2>/dev/null)
if [ "x$network" != "x" ]; then
gateway=$(xenstore-read qubes-netvm-gateway)
netmask=$(xenstore-read qubes-netvm-netmask)
secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
modprobe netbk 2> /dev/null || modprobe xen-netback
echo "NS1=$gateway" > /var/run/qubes/qubes-ns
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
#/usr/lib/qubes/qubes-setup-dnat-to-ns
echo "0" > /proc/sys/net/ipv4/ip_forward
/sbin/ethtool -K eth0 sg off || :
fi
# Now, assign it the netvm-gateway IP address
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
if [ x${ip} != x ]; then
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
/sbin/ip link add ${INTERFACE} type dummy
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off || true
/sbin/ethtool -K ${INTERFACE} tx off || true
ip link set ${INTERFACE} up
fi
echo "0" > /proc/sys/net/ipv4/ip_forward
# Allow whonix-gateway to act as an update-proxy
touch /var/run/qubes-service/qubes-updates-proxy
#systemctl stop qubes-updates-proxy.service
# Search and replace tinyproxy error files so we can inject code that
# we can use to identify that its a tor proxy so updates are secure
error_file="/usr/share/tinyproxy/default.html"
grep -q "${PROXY_META}" "${error_file}" || {
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
}
fi
# Copy firewall script so Qubes will reload it when it reloads
cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script
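Review bot: The `# Setup Xen / Qubes proxy` block calls bare `xenstore-read` four times, starting with `network=$(xenstore-read qubes-netvm-network 2>/dev/null)`, although the script has just selected `${XENSTORE_READ}` by probing /usr/sbin and /usr/bin; when the binary is not on PATH `network` is silently empty, the `2>/dev/null` hides why, and the whole block is skipped. Use `${XENSTORE_READ}` on all four lines, as `ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)` below already does, and quote the test as `if [ "x${ip}" != "x" ]; then`. The tinyproxy edit `sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"` runs from a root systemd unit, so `sudo` is unnecessary and fails where sudo is absent; and `PROXY_META` is not set in this file, so if utility_functions does not define it `grep -q ""` matches every line and the marker the comment says identifies the Tor proxy to update clients is never inserted — add `: "${PROXY_META:?must be set by utility_functions}"` before the grep. The same script appears again at the end of this commit but is cut off there.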

@ -0,0 +1,47 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" != "template" ]; then
# Make sure IP forwarding is disabled
echo "0" > /proc/sys/net/ipv4/ip_forward
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Start Whonix Firewall
if [ "${WHONIX}" == "gateway" ]; then
export INT_IF="vif+"
export INT_TIF="vif+"
# Inject custom firewall rules into whonix_firewall
sed -i -f - /usr/bin/whonix_firewall <<-EOF
/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
## IPv4 DROP INVALID INCOMING PACKAGES \\
## \\
## --- THE FOLLOWING WS INJECTED --- \\
## Qubes Tiny Proxy Updater \\
iptables -t nat -N PR-QBS-SERVICES \\
iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
\\
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
# Allows localhost access to tor network \\
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
######################################
EOF
fi
# Load the firewall
# XXX: TODO: Take down all network accesss if firewall fails
/usr/bin/whonix_firewall
systemctl restart qubes-updates-proxy.service
fi
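Review bot: `/usr/bin/whonix_firewall` is run without checking its exit status, and the script then restarts the updates proxy and returns success, so a failed firewall load leaves the gateway with whatever rules were applied before the failure while the proxy service comes up — the `# XXX: TODO: Take down all network accesss if firewall fails` comment names exactly this gap. At minimum make the failure visible to systemd: `/usr/bin/whonix_firewall || { echo "whonix_firewall failed, not starting updates proxy" >&2; exit 1; }`. Before the sed that rewrites /usr/bin/whonix_firewall, guard the gateway address, since `${ip}` is read with `2> /dev/null` and an empty value is substituted straight into `iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT ...`, leaving an invalid rule inside the firewall script itself: `[ -n "${ip}" ] || { echo "qubes-netvm-gateway not in xenstore" >&2; exit 1; }`. A comment above `sed -i -f - /usr/bin/whonix_firewall <<-EOF` should also state that the `c\` range replacement is re-applied on every boot and depends on the `## IPv4 DROP INVALID INCOMING PACKAGES` and `####…` marker lines still being present in whonix_firewall, because a Whonix package update that moves them silently drops the injected Qubes rules.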

@ -1,78 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" == "gateway" ]; then
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
INTERFACE="eth1"
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
ip link show ${INTERFACE} >> /dev/null || {
/sbin/ip link add ${INTERFACE} type dummy
# Now, assign it the netvm-gateway IP address
if [ x${ip} != x ]; then
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off || true
/sbin/ethtool -K ${INTERFACE} tx off || true
fi
ip link set ${INTERFACE} up
}
fi
if [ "${WHONIX}" != "template" ]; then
# Files that will have the immutable bit set
# since we don't want them modified by other programs
IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname'
'/etc/hosts'
)
# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/replace-ips
# Make sure hostname is correct
/bin/hostname host
# Start Whonix Firewall
if [ "${WHONIX}" == "gateway" ]; then
export INT_IF="vif+"
export INT_TIF="vif+"
fi
/usr/bin/whonix_firewall
if [ "${WHONIX}" == "gateway" ]; then
# Route any traffic FROM netvm TO netvm BACK-TO localhost
# Allows localhost access to tor network
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
fi
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi

@ -1,95 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
#sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
#disable_sysv tor
#disable_sysv sdwdate
iptables -F
iptables -t nat -F
LOG_IP4=1
LOG_IP6=0
# for IPv4
if [ "$LOG_IP4" == "1" ]; then
iptables -t raw -A OUTPUT -p icmp -j TRACE
iptables -t raw -A PREROUTING -p icmp -j TRACE
modprobe ipt_LOG
fi
# for IPv6
if [ "$LOG_IP6" == "1" ]; then
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
modprobe ip6t_LOG
fi
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -o eth0 -j ACCEPT
iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -s 10.137.255.254 --sport 8082 -j DNAT --to-destination 127.0.0.1:9105
#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.1 --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp --dport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A INPUT -i vif+ -p tcp --dport 8082 -j ACCEPT"
#iptables -t nat -A PR-QBS-SERVICES -i vif+ -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT"
#iptables -t nat -A OUTPUT -o eth0 -p tcp --dport 9105 -j ACCEPT
#iptables -t nat -A OUTPUT -o lo -p tcp --dport 9105 -j ACCEPT
#iptables -t nat -A PREROUTING -i lo -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
#iptables -t nat -A PREROUTING -i eth0 -d 10.137.255.254 -p tcp --dport 8082 -j REDIRECT
#iptables -t nat -A PREROUTING -i lo -p tcp --dport 9105 -j REDIRECT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp --dport 8082 -i eth0 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -i lo -j DNAT --to 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p tcp -s 10.137.2.1 --sport 9105 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A PREROUTING -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254
#iptables -t nat -A OUTPUT -p tcp -d 10.137.2.21 --dport 8082 -j DNAT --to-destination 10.137.255.254
# Works
# localhost/loopback maps localhost port 8082 to localhost port 8888
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j REDIRECT --to-ports 8888
# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 127.0.0.1 -p tcp --dport 8082 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p udp -d 10.137.2.1 --dport 52 -j DNAT --to-destination 10.137.255.254:8082
# Remap ALL traffic
#iptables -t nat -A OUTPUT -p tcp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A OUTPUT -p udp -j DNAT --to-destination 10.137.255.254:8082
#iptables -t nat -A PREROUTING --dst 10.137.2.1 -p udp --dport 53 -j REDIRECT --to-port 9105
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
#iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 53 -j REDIRECT --to-ports 9105
#iptables -v -L
#iptables -v -t nat -L
#telnet 127.0.0.1 9105
#telnet 10.137.2.1 8082
#telnet 127.0.0.1 8082
#tail -100 /var/log/kern.log

@ -5,70 +5,84 @@ user::rwx
group::r-x
other::r-x
# file: etc
# file: lib
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/hosts
# file: lib/systemd
# owner: root
# group: root
user::rw-
group::r--
other::r--
user::rwx
group::r-x
other::r-x
# file: etc/uwt.d
# file: lib/systemd/system
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/uwt.d/50_uwt_default
# file: lib/systemd/system/qubes-whonix-firewall.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/xdg
# file: lib/systemd/system/qubes-whonix-network.service
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/autostart
# file: etc/hosts
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/uwt.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/xdg/autostart/qubes-whonixsetup.desktop
# file: etc/uwt.d/50_uwt_default
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/udev
# file: etc/xdg
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev/rules.d
# file: etc/xdg/autostart
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev/rules.d/99-qubes-whonix.rules
# file: etc/xdg/autostart/qubes-whonixsetup.desktop
# owner: root
# group: root
user::rw-
@ -131,27 +145,55 @@ user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/setup-ip
# file: usr/lib/whonix/whonix.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/messages.yaml
# file: usr/lib/whonix/init
# owner: root
# group: root
user::rw-
group::r--
other::r--
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/replace-ips
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/init.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/init/network-proxy-setup.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/replace-ips
# file: usr/lib/whonix/init/qubes-firewall-user-script
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/messages.yaml
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr/lib/whonix/alert
# owner: root
# group: root

@ -1 +0,0 @@
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"

@ -0,0 +1,14 @@
[Unit]
Description=Qubes Whonix firewall updater
After=qubes-whonix-network.service
Before=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/usr/lib/whonix/init/init.sh
ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

@ -0,0 +1,14 @@
[Unit]
Description=Qubes Whonix network proxy setup
ConditionPathExists=/var/run/qubes-service/qubes-network
Before=network.target
After=qubes-firewall.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/whonix/init/network-proxy-setup.sh
StandardOutput=syslog
[Install]
WantedBy=multi-user.target

@ -0,0 +1,38 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" != "template" ]; then
# Files that will have the immutable bit set
# since we don't want them modified by other programs
IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname'
'/etc/hosts'
)
# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/init/replace-ips
# Make sure hostname is correct
/bin/hostname host
if [ "${WHONIX}" == "gateway" ]; then
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi
fi
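Review bot: `immutableFilesEnable "${IMMUTABLE_FILES}"` on both calls after the array expands only the first element (`/etc/resolv.conf`), so `/etc/hostname` and `/etc/hosts` are left without the immutable bit unless immutableFilesEnable (defined in utility_functions, outside this diff) deliberately takes a single path; passing the list needs `immutableFilesEnable "${IMMUTABLE_FILES[@]}"` with the helper adjusted to accept several paths before the optional suffix. The same expansion was present in the removed script, so this is carried over rather than introduced here, but the new init.sh now runs as an `ExecStartPre` and the gap is worth closing. The `grep "^DisableNetwork 0$" /etc/tor/torrc ||` check also prints the matching line to the unit's output; `grep -q` keeps the log clean.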

@ -0,0 +1,67 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
# Or just enable them :)
#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service'
#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service'
#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service'
INTERFACE="eth1"
if [ "${WHONIX}" == "gateway" ]; then
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
# Setup Xen / Qubes proxy
network=$(xenstore-read qubes-netvm-network 2>/dev/null)
if [ "x$network" != "x" ]; then
gateway=$(xenstore-read qubes-netvm-gateway)
netmask=$(xenstore-read qubes-netvm-netmask)
secondary_dns=$(xenstore-read qubes-netvm-secondary-dns)
modprobe netbk 2> /dev/null || modprobe xen-netback
echo "NS1=$gateway" > /var/run/qubes/qubes-ns
echo "NS2=$secondary_dns" >> /var/run/qubes/qubes-ns
#/usr/lib/qubes/qubes-setup-dnat-to-ns
echo "0" > /proc/sys/net/ipv4/ip_forward
/sbin/ethtool -K eth0 sg off || :
fi
# Now, assign it the netvm-gateway IP address
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
if [ x${ip} != x ]; then
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
/sbin/ip link add ${INTERFACE} type dummy
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off || true
/sbin/ethtool -K ${INTERFACE} tx off || true
ip link set ${INTERFACE} up
fi
echo "0" > /proc/sys/net/ipv4/ip_forward
# Allow whonix-gateway to act as an update-proxy
touch /var/run/qubes-service/qubes-updates-proxy
#systemctl stop qubes-updates-proxy.service
# Search and replace tinyproxy error files so we can inject code that
# we can use to identify that its a tor proxy so updates are secure
error_file="/usr/share/tinyproxy/default.html"
grep -q "${PROXY_META}" "${error_file}" || {
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
}
fi
# Copy firewall script so Qubes will reload it when it reloads
cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script
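Review bot: The `XENSTORE_READ` path resolved at the top of the gateway branch is not used by the four calls that follow it (`network=$(xenstore-read qubes-netvm-network 2>/dev/null)` and the gateway, netmask and secondary_dns reads), which instead rely on PATH lookup inside a systemd unit, while the later `ip=` read does use `${XENSTORE_READ}`; using `${XENSTORE_READ}` in all of them makes the script consistent. `/sbin/ip link add ${INTERFACE} type dummy` is no longer guarded by the `ip link show` check the removed script had, so a restart of the oneshot unit fails on that line with "File exists" and continues silently because there is no `set -e`; `ip link show "${INTERFACE}" >/dev/null 2>&1 || /sbin/ip link add "${INTERFACE}" type dummy` restores the guard. The `sudo sed -i ...` on the tinyproxy error file runs from a root service where `sudo` is unnecessary and may be unavailable or prompt; dropping `sudo` is enough. The `netmask` and `gateway` values read in the `ip=` block are never used afterwards.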

@ -0,0 +1,47 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" != "template" ]; then
# Make sure IP forwarding is disabled
echo "0" > /proc/sys/net/ipv4/ip_forward
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Start Whonix Firewall
if [ "${WHONIX}" == "gateway" ]; then
export INT_IF="vif+"
export INT_TIF="vif+"
# Inject custom firewall rules into whonix_firewall
sed -i -f - /usr/bin/whonix_firewall <<-EOF
/^## IPv4 DROP INVALID INCOMING PACKAGES/,/######################################/c \\
## IPv4 DROP INVALID INCOMING PACKAGES \\
## \\
## --- THE FOLLOWING WS INJECTED --- \\
## Qubes Tiny Proxy Updater \\
iptables -t nat -N PR-QBS-SERVICES \\
iptables -A INPUT -i vif+ -p tcp -m tcp --dport 8082 -j ACCEPT \\
iptables -A OUTPUT -o vif+ -p tcp -m tcp --sport 8082 -j ACCEPT \\
iptables -t nat -A PREROUTING -j PR-QBS-SERVICES \\
iptables -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i vif+ -p tcp -m tcp --dport 8082 -j REDIRECT \\
\\
# Route any traffic FROM netvm TO netvm BACK-TO localhost \\
# Allows localhost access to tor network \\
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1 \\
######################################
EOF
fi
# Load the firewall
# XXX: TODO: Take down all network accesss if firewall fails
/usr/bin/whonix_firewall
systemctl restart qubes-updates-proxy.service
fi
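Review bot: `ip` read from xenstore is interpolated unvalidated into the unquoted here-document that becomes both a sed script and the `iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT ...` rule; if the read fails (its stderr is discarded) the injected rule becomes `-s  -d` and whonix_firewall errors when it is run below, and any unexpected value goes straight into sed and iptables. A check before the `sed -i`, e.g. `[[ "${ip}" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || { echo "qubes-netvm-gateway unreadable" >&2; exit 1; }`, keeps the script from rewriting /usr/bin/whonix_firewall with a bad value. Since `/usr/bin/whonix_firewall` has no status check and the `systemctl restart qubes-updates-proxy.service` follows regardless, the oneshot unit reports success even when the firewall failed to load, which the `XXX: TODO` comment acknowledges; at minimum `/usr/bin/whonix_firewall || exit 1` makes the failure visible to systemd.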

@ -1,78 +0,0 @@
#!/bin/bash
. /usr/lib/whonix/utility_functions
if [ "${WHONIX}" == "gateway" ]; then
if [ -x /usr/sbin/xenstore-read ]; then
XENSTORE_READ="/usr/sbin/xenstore-read"
else
XENSTORE_READ="/usr/bin/xenstore-read"
fi
INTERFACE="eth1"
ip=$(${XENSTORE_READ} qubes-netvm-gateway 2> /dev/null)
# Create a dummy eth1 interface so tor can bind to it if there
# are no DOMU virtual machines connected at the moment
ip link show ${INTERFACE} >> /dev/null || {
/sbin/ip link add ${INTERFACE} type dummy
# Now, assign it the netvm-gateway IP address
if [ x${ip} != x ]; then
netmask=$(${XENSTORE_READ} qubes-netvm-netmask)
gateway=$(${XENSTORE_READ} qubes-netvm-gateway)
/sbin/ifconfig ${INTERFACE} ${ip} netmask 255.255.255.255
/sbin/ifconfig ${INTERFACE} up
/sbin/ethtool -K ${INTERFACE} sg off || true
/sbin/ethtool -K ${INTERFACE} tx off || true
fi
ip link set ${INTERFACE} up
}
fi
if [ "${WHONIX}" != "template" ]; then
# Files that will have the immutable bit set
# since we don't want them modified by other programs
IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname'
'/etc/hosts'
)
# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/replace-ips
# Make sure hostname is correct
/bin/hostname host
# Start Whonix Firewall
if [ "${WHONIX}" == "gateway" ]; then
export INT_IF="vif+"
export INT_TIF="vif+"
fi
/usr/bin/whonix_firewall
if [ "${WHONIX}" == "gateway" ]; then
# Route any traffic FROM netvm TO netvm BACK-TO localhost
# Allows localhost access to tor network
iptables -t nat -A OUTPUT -s ${ip} -d ${ip} -j DNAT --to-destination 127.0.0.1
fi
# Make sure we remove whonixsetup.done if Tor is not enabled
# to allow choice of repo and prevent whonixcheck errors
grep "^DisableNetwork 0$" /etc/tor/torrc || {
rm -f /var/lib/whonix/do_once/whonixsetup.done
}
fi

@ -19,6 +19,12 @@ else
set -e
fi
# ------------------------------------------------------------------------------
# Enable Qubes-Whonix services
# ------------------------------------------------------------------------------
chroot "${INSTALLDIR}" systemctl enable qubes-whonix-network.service || :
chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall || :
# ------------------------------------------------------------------------------
# Restore Whonix apt-get
# ------------------------------------------------------------------------------
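Review bot: Both `systemctl enable` lines swallow every failure with `|| :`, so a unit that is missing or misnamed in the template is silently left disabled even though the file runs under `set -e` just above; logging instead, e.g. `chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall.service || echo "warning: could not enable qubes-whonix-firewall.service" >&2`, keeps the build going but makes the problem visible. The second line also names `qubes-whonix-firewall` without the `.service` suffix the first line uses; systemctl defaults the suffix, but matching the two avoids confusion.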

@ -39,6 +39,9 @@ umount_kill() {
# since we are doing an exact string match on the path
MOUNTDIR=$(echo "${MOUNTDIR}" | sed s#//*#/#g)
# Sync the disk befoe un-mounting to be sure everything is written
sync
warn "-> Attempting to kill any processes still running in '${MOUNTDIR}' before un-mounting"
for dir in $(sudo grep "${MOUNTDIR}" /proc/mounts | cut -f2 -d" " | sort -r | grep "^${MOUNTDIR}")
do
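Review bot: The added comment has a typo, `befoe`; `# Sync the disk before un-mounting to be sure everything is written`. `sync` flushes every mounted filesystem rather than only `${MOUNTDIR}`, which is harmless here but worth stating in the comment if that is intended. umount_kill's body continues beyond the hunk.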
