From af189150c9e0f55c054d52b1db695673d8a590d2 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Sun, 9 Nov 2014 12:53:07 -0500 Subject: [PATCH] debian: Whonix systemd overrides --- .../wheezy+whonix-gateway/files/.facl | 19 +++++++++++++------ .../system/qubes-whonix-firewall.service | 6 ++---- .../systemd/system/qubes-whonix-init.service | 13 +++++++++++++ .../system/qubes-whonix-network.service | 3 ++- .../lib/whonix/init/network-proxy-setup.sh | 5 +---- ...l-user-script => qubes-whonix-firewall.sh} | 0 .../lib/whonix/init/qubes-whonix-tor.service | 16 ++++++++++++++++ .../wheezy+whonix-workstation/files/.facl | 18 +++++++++--------- .../system/qubes-whonix-firewall.service | 6 ++---- .../systemd/system/qubes-whonix-init.service | 13 +++++++++++++ .../system/qubes-whonix-network.service | 3 ++- .../lib/whonix/init/network-proxy-setup.sh | 11 +---------- ...l-user-script => qubes-whonix-firewall.sh} | 0 .../wheezy+whonix/04_install_qubes_post.sh | 7 ++++++- 14 files changed, 80 insertions(+), 40 deletions(-) create mode 100644 scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service rename scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/{qubes-firewall-user-script => qubes-whonix-firewall.sh} (100%) create mode 100644 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service create mode 100644 scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service rename scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/{qubes-firewall-user-script => qubes-whonix-firewall.sh} (100%) diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl index b580d19..f25a44e 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/.facl +++ b/scripts_debian/wheezy+whonix-gateway/files/.facl 
@@ -40,6 +40,13 @@ user::rw- group::r-- other::r-- +# file: lib/systemd/system/qubes-whonix-init.service +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc # owner: root # group: root @@ -166,14 +173,14 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/whonix.sh +# file: usr/lib/whonix/init # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix/init +# file: usr/lib/whonix/init/qubes-whonix-firewall.sh # owner: root # group: root user::rwx @@ -201,12 +208,12 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/init/qubes-firewall-user-script +# file: usr/lib/whonix/init/qubes-whonix-tor.service # owner: root # group: root -user::rwx -group::r-x -other::r-x +user::rw- +group::r-- +other::r-- # file: usr/lib/whonix/messages.yaml # owner: root diff --git a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service index 649fe7a..89a5229 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service +++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-firewall.service @@ -4,11 +4,9 @@ After=qubes-whonix-network.service Before=network.target [Service] -Type=oneshot -RemainAfterExit=yes -ExecStartPre=/usr/lib/whonix/init/init.sh -ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script +ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=qubes-firewall.service diff --git a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service new file mode 100644 index 0000000..6215c2c --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-init.service 
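Review bot: Dropping `Type=oneshot` and `RemainAfterExit=yes` from the gateway qubes-whonix-firewall.service leaves it at the default Type=simple, so systemd counts the unit as started the moment `/usr/lib/whonix/init/qubes-whonix-firewall.sh` is forked: `Before=network.target` no longer waits for the rules to be applied, and once the script exits the unit reads as inactive, so a later start re-runs it instead of reporting it already active. Keep `Type=oneshot` and `RemainAfterExit=yes` under [Service] so network.target is ordered after the script has finished. The old `ExecStartPre=/usr/lib/whonix/init/init.sh` also made a failed init abort the firewall start; now that init.sh lives in qubes-whonix-init.service and is only ordered with `Before=`, a failing init no longer blocks the firewall script, so if that coupling is wanted add `Requires=qubes-whonix-init.service` to this unit.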
@@ -0,0 +1,13 @@ +[Unit] +Description=Qubes Whonix initialization script +After=qubes-whonix-network.service +Before=qubes-whonix-firewall.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/whonix/init/init.sh +StandardOutput=syslog + +[Install] +WantedBy=multi-user.target diff --git a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service index 245e031..4e71280 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service +++ b/scripts_debian/wheezy+whonix-gateway/files/lib/systemd/system/qubes-whonix-network.service @@ -2,7 +2,7 @@ Description=Qubes Whonix network proxy setup ConditionPathExists=/var/run/qubes-service/qubes-network Before=network.target -After=qubes-firewall.service +After=iptables.service [Service] Type=oneshot @@ -12,3 +12,4 @@ StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=qubes-network.service diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh index 67d078e..4010441 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh @@ -53,9 +53,6 @@ if [ "${WHONIX}" == "gateway" ]; then # we can use to identify that its a tor proxy so updates are secure error_file="/usr/share/tinyproxy/default.html" grep -q "${PROXY_META}" "${error_file}" || { - sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" + sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" } fi - -# Copy firewall script so Qubes will reload it when it reloads -cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script 
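Review bot: `After=iptables.service` in qubes-whonix-network.service is ordering only: systemd silently ignores an After= on a unit that does not exist or is not part of the same transaction, so if the wheezy image has no iptables.service (nothing in this commit shows one) the proxy setup is not delayed at all and nothing pulls iptables in. If the proxy setup genuinely needs the base rules first, add `Wants=iptables.service` next to it, or name the unit the image actually ships. Replacing `After=qubes-firewall.service` is consistent with the new `Alias=qubes-firewall.service` on qubes-whonix-firewall.service, which is itself `After=qubes-whonix-network.service` and would otherwise form an ordering cycle; a one-line comment in the unit saying so would keep the next editor from putting it back.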
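Review bot: `sed -i "s/<\/head>/${PROXY_META}\n<\/head>/"` splices `${PROXY_META}` straight into the sed replacement, so any `/`, `&` or `\` in that value (it is defined outside the hunk, so it cannot be checked here) corrupts the expression or the inserted HTML rather than being inserted literally; escaping the value first, or using a fixed marker that is then substituted, would be safer. Dropping `sudo` is right for a script run from a systemd unit, but the script should also fail loudly if the target is missing: `[ -f "${error_file}" ] || exit 1` before the grep. The removed `cp -pf ... /rw/config/qubes-firewall-user-script` carried its own comment that it existed so Qubes would reload the rules on its firewall reload; the commit does not say what now re-applies them, so a comment in the script or the firewall unit describing the new reload path would help. The enclosing `if [ "${WHONIX}" == "gateway" ]` block starts outside the hunk.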
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh similarity index 100% rename from scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-firewall-user-script rename to scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-firewall.sh diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service new file mode 100644 index 0000000..0a83e1b --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-tor.service @@ -0,0 +1,16 @@ +[Unit] +Description = Anonymizing overlay network for TCP +After = syslog.target network.target nss-lookup.target + +[Service] +Type = simple +ExecStart = /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --quiet +ExecReload = /bin/kill -HUP ${MAINPID} +ExecStop = /bin/kill -INT ${MAINPID} +TimeoutSec = 60 +Restart = on-failure +LimitNOFILE = 32768 + +[Install] +WantedBy = multi-user.target +Alias=tor.service diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl index d33107e..41e3aba 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/.facl +++ b/scripts_debian/wheezy+whonix-workstation/files/.facl @@ -40,6 +40,13 @@ user::rw- group::r-- other::r-- +# file: lib/systemd/system/qubes-whonix-init.service +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: etc # owner: root # group: root 
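Review bot: qubes-whonix-tor.service has no `User=` line, so `/usr/bin/tor` is launched as root and any privilege drop depends on a `User` directive inside /usr/share/tor/tor-service-defaults-torrc or /etc/tor/torrc, neither of which is in this commit — confirm, or add `User=debian-tor` (whatever account the installed tor package creates) to [Service] so ExecStart never runs as root at all. A unit supervising a network daemon is also the natural place for `PrivateTmp=yes`, `ProtectSystem=full` and `NoNewPrivileges=yes`, where the shipped systemd supports them. The file is created under usr/lib/whonix/init/ rather than lib/systemd/system/, and the visible part of 04_install_qubes_post.sh does not enable it, so as committed `Alias=tor.service` never takes effect; if it is meant to override the distribution's tor.service it has to be installed into a unit search path, and a header comment should say that is the intent.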
@@ -145,14 +152,14 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/whonix.sh +# file: usr/lib/whonix/init # owner: root # group: root user::rwx group::r-x other::r-x -# file: usr/lib/whonix/init +# file: usr/lib/whonix/init/qubes-whonix-firewall.sh # owner: root # group: root user::rwx @@ -180,13 +187,6 @@ user::rwx group::r-x other::r-x -# file: usr/lib/whonix/init/qubes-firewall-user-script -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - # file: usr/lib/whonix/messages.yaml # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service index 649fe7a..89a5229 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service +++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-firewall.service @@ -4,11 +4,9 @@ After=qubes-whonix-network.service Before=network.target [Service] -Type=oneshot -RemainAfterExit=yes -ExecStartPre=/usr/lib/whonix/init/init.sh -ExecStart=/usr/lib/whonix/init/qubes-firewall-user-script +ExecStart=/usr/lib/whonix/init/qubes-whonix-firewall.sh StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=qubes-firewall.service diff --git a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service new file mode 100644 index 0000000..6215c2c --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-init.service 
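Review bot: The workstation copy of qubes-whonix-firewall.service loses `Type=oneshot` and `RemainAfterExit=yes` as well, so `Before=network.target` only orders network.target after the fork of `/usr/lib/whonix/init/qubes-whonix-firewall.sh`, not after its rules are in place, and the unit goes inactive as soon as the script exits. Restore `Type=oneshot` and `RemainAfterExit=yes` in [Service]. If the workstation firewall script is intended to apply different rules from the gateway one, a one-line comment in the unit saying so would spare the next reader a diff of the two template trees.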
@@ -0,0 +1,13 @@ +[Unit] +Description=Qubes Whonix initialization script +After=qubes-whonix-network.service +Before=qubes-whonix-firewall.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/whonix/init/init.sh +StandardOutput=syslog + +[Install] +WantedBy=multi-user.target diff --git a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service index 245e031..4e71280 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service +++ b/scripts_debian/wheezy+whonix-workstation/files/lib/systemd/system/qubes-whonix-network.service @@ -2,7 +2,7 @@ Description=Qubes Whonix network proxy setup ConditionPathExists=/var/run/qubes-service/qubes-network Before=network.target -After=qubes-firewall.service +After=iptables.service [Service] Type=oneshot @@ -12,3 +12,4 @@ StandardOutput=syslog [Install] WantedBy=multi-user.target +Alias=qubes-network.service diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh index a08322d..4010441 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh 
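Review bot: qubes-whonix-init.service runs `/usr/lib/whonix/init/init.sh` with only `After=`/`Before=` ordering, so a non-zero exit from init.sh is logged but does not stop qubes-whonix-firewall.service from starting, whereas the previous `ExecStartPre=` in the firewall unit made it abort; if the firewall script depends on init.sh having succeeded, add `Requires=qubes-whonix-init.service` to the firewall unit and note that here. Unlike qubes-whonix-network.service this unit carries no `ConditionPathExists=/var/run/qubes-service/qubes-network`, so it runs even when that Qubes service flag is absent — worth a comment if that is intentional. init.sh itself is outside this commit, so what a failure there means for the firewall cannot be judged from the diff.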
@@ -2,12 +2,6 @@ . /usr/lib/whonix/utility_functions -# Or just enable them :) -#ln -s '/lib/systemd/system/qubes-whonix-network.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-network.service' -#ln -s '/lib/systemd/system/qubes-whonix-firewall.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-firewall.service' -#ln -s '/lib/systemd/system/qubes-whonix-init.service' '/etc/systemd/system/multi-user.target.wants/qubes-whonix-init.service' - - INTERFACE="eth1" if [ "${WHONIX}" == "gateway" ]; then @@ -59,9 +53,6 @@ if [ "${WHONIX}" == "gateway" ]; then # we can use to identify that its a tor proxy so updates are secure error_file="/usr/share/tinyproxy/default.html" grep -q "${PROXY_META}" "${error_file}" || { - sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" + sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" } fi - -# Copy firewall script so Qubes will reload it when it reloads -cp -pf /usr/lib/whonix/init/qubes-firewall-user-script /rw/config/qubes-firewall-user-script diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh similarity index 100% rename from scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-firewall-user-script rename to scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/qubes-whonix-firewall.sh diff --git a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh index 7456adf..9f58254 100755 --- a/scripts_debian/wheezy+whonix/04_install_qubes_post.sh +++ b/scripts_debian/wheezy+whonix/04_install_qubes_post.sh 
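Review bot: After this change the workstation and gateway copies of network-proxy-setup.sh are the same blob (both `+++` sides carry index 4010441), including the `if [ "${WHONIX}" == "gateway" ]` branch that edits /usr/share/tinyproxy/default.html and can never run on a workstation; two identical files in separate template trees will drift apart silently. Consider installing the script from one shared location, or at least add a header comment stating that the two copies must stay identical. `==` inside `[ ]` is a bash extension; it is only safe if the shebang (outside the hunk) is bash, otherwise use `=`.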
@@ -22,8 +22,13 @@ fi # ------------------------------------------------------------------------------ # Enable Qubes-Whonix services # ------------------------------------------------------------------------------ +chroot "${INSTALLDIR}" systemctl disable qubes-whonix-network.service || : chroot "${INSTALLDIR}" systemctl enable qubes-whonix-network.service || : -chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall || : + +chroot "${INSTALLDIR}" systemctl disable qubes-whonix-firewall.service || : +chroot "${INSTALLDIR}" systemctl enable qubes-whonix-firewall.service || : + +chroot "${INSTALLDIR}" systemctl enable qubes-whonix-init.service || : # ------------------------------------------------------------------------------ # Restore Whonix apt-get
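Review bot: Every `systemctl enable` line ends in `|| :`, so if enabling qubes-whonix-firewall.service or qubes-whonix-init.service fails inside the chroot the template build still succeeds and ships with no firewall unit enabled at boot — a silent security regression for a unit whose job is enforcing the Whonix firewall. Let the enable calls fail the build (drop `|| :` on them), or verify afterwards with `chroot "${INSTALLDIR}" systemctl is-enabled qubes-whonix-firewall.service || exit 1`. The disable-then-enable pairs also need a comment, since the reason (presumably refreshing the new `Alias=` symlinks from the unit files) is not visible here: `# disable first so the Alias= symlinks declared in the unit files are (re)created on enable`. If `|| :` exists because `systemctl enable` is unreliable in a wheezy chroot without a running systemd, say so in the comment and create the wants/alias symlinks explicitly instead of hoping.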