From 581529856c50d162de8d251227e080db4be9e8f1 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Thu, 13 Nov 2014 19:08:12 -0500 Subject: [PATCH 1/5] whonix: Added App Menus --- .../netvm-whitelisted-appmenus.list | 21 ++++ .../vm-whitelisted-appmenus.list | 21 ++++ .../whitelisted-appmenus.list | 11 +++ .../netvm-whitelisted-appmenus.list | 1 + .../vm-whitelisted-appmenus.list | 27 ++++++ .../whitelisted-appmenus.list | 96 +++++++++++++++++++ 6 files changed, 177 insertions(+) create mode 100644 appmenus_wheezy_whonix-gateway/netvm-whitelisted-appmenus.list create mode 100644 appmenus_wheezy_whonix-gateway/vm-whitelisted-appmenus.list create mode 100644 appmenus_wheezy_whonix-gateway/whitelisted-appmenus.list create mode 100644 appmenus_wheezy_whonix-workstation/netvm-whitelisted-appmenus.list create mode 100644 appmenus_wheezy_whonix-workstation/vm-whitelisted-appmenus.list create mode 100644 appmenus_wheezy_whonix-workstation/whitelisted-appmenus.list diff --git a/appmenus_wheezy_whonix-gateway/netvm-whitelisted-appmenus.list b/appmenus_wheezy_whonix-gateway/netvm-whitelisted-appmenus.list new file mode 100644 index 0000000..68ed628 --- /dev/null +++ b/appmenus_wheezy_whonix-gateway/netvm-whitelisted-appmenus.list @@ -0,0 +1,21 @@ +gnome-terminal.desktop +nautilus.desktop +yelp.desktop +gateway-arm.desktop +gateway-firewall30default.desktop +gateway-firewall50user.desktop +gateway-firsttimesetup.desktop +gateway-reloadfirewall.desktop +gateway-reloadtor.desktop +gateway-restarttor.desktop +gateway-stoptor.desktop +gateway-torrc.desktop +gateway-torrcexamples.desktop +timesync.desktop +whonixcheck.desktop +whonix_repository.desktop +dolphin.desktop +Help.desktop +ksystemlog.desktop +kwrite.desktop + diff --git a/appmenus_wheezy_whonix-gateway/vm-whitelisted-appmenus.list b/appmenus_wheezy_whonix-gateway/vm-whitelisted-appmenus.list new file mode 100644 index 0000000..68ed628 --- /dev/null +++ b/appmenus_wheezy_whonix-gateway/vm-whitelisted-appmenus.list 
@@ -0,0 +1,21 @@ +gnome-terminal.desktop +nautilus.desktop +yelp.desktop +gateway-arm.desktop +gateway-firewall30default.desktop +gateway-firewall50user.desktop +gateway-firsttimesetup.desktop +gateway-reloadfirewall.desktop +gateway-reloadtor.desktop +gateway-restarttor.desktop +gateway-stoptor.desktop +gateway-torrc.desktop +gateway-torrcexamples.desktop +timesync.desktop +whonixcheck.desktop +whonix_repository.desktop +dolphin.desktop +Help.desktop +ksystemlog.desktop +kwrite.desktop + diff --git a/appmenus_wheezy_whonix-gateway/whitelisted-appmenus.list b/appmenus_wheezy_whonix-gateway/whitelisted-appmenus.list new file mode 100644 index 0000000..25df4f2 --- /dev/null +++ b/appmenus_wheezy_whonix-gateway/whitelisted-appmenus.list @@ -0,0 +1,11 @@ +gnome-terminal.desktop +gpk-application.desktop +gpk-update-viewer.desktop +gpk-prefs.desktop +gpk-log.desktop +yelp.desktop +gateway-firewall30default.desktop +gateway-firewall50user.desktop +gateway-torrc.desktop +gateway-torrcexamples.desktop +kwrite.desktop diff --git a/appmenus_wheezy_whonix-workstation/netvm-whitelisted-appmenus.list b/appmenus_wheezy_whonix-workstation/netvm-whitelisted-appmenus.list new file mode 100644 index 0000000..4b744f7 --- /dev/null +++ b/appmenus_wheezy_whonix-workstation/netvm-whitelisted-appmenus.list @@ -0,0 +1 @@ +gnome-terminal.desktop diff --git a/appmenus_wheezy_whonix-workstation/vm-whitelisted-appmenus.list b/appmenus_wheezy_whonix-workstation/vm-whitelisted-appmenus.list new file mode 100644 index 0000000..4371561 --- /dev/null +++ b/appmenus_wheezy_whonix-workstation/vm-whitelisted-appmenus.list 
@@ -0,0 +1,27 @@ +gnome-terminal.desktop +nautilus.desktop +yelp.desktop + +anondist-torbrowser.desktop +anondist-torbrowser_update.desktop +gateway-firsttimesetup.desktop +timesync.desktop +vlc.desktop +whonixcheck.desktop +whonix-contribute.desktop +whonix-documentation.desktop +whonix-donate.desktop +whonix-featureblog.desktop +whonix-forum.desktop +whonix-importantblog.desktop +whonix-irc-chat-support.desktop +whonix-mailinglist.desktop +whonix_repository.desktop +xchat.desktop +x-www-browser.desktop +dolphin.desktop +Help.desktop +kcalc.desktop +kgpg.desktop +kwrite.desktop + diff --git a/appmenus_wheezy_whonix-workstation/whitelisted-appmenus.list b/appmenus_wheezy_whonix-workstation/whitelisted-appmenus.list new file mode 100644 index 0000000..c9b6f00 --- /dev/null +++ b/appmenus_wheezy_whonix-workstation/whitelisted-appmenus.list 
@@ -0,0 +1,96 @@ +gnome-terminal.desktop +gpk-application.desktop +gpk-update-viewer.desktop +gpk-prefs.desktop +gpk-log.desktop +yelp.desktop + + +anondist-torbrowser.desktop +anondist-torbrowser_update.desktop +bluetooth-sendto.desktop +bluetooth-wizard.desktop +brasero.desktop +brasero-nautilus.desktop +display.im6.desktop +fpm2.desktop +gateway-firsttimesetup.desktop +gcr-prompter.desktop +gcr-viewer.desktop +gnome-terminal.desktop +gpk-application.desktop +gpk-dbus-service.desktop +gpk-install-catalog.desktop +gpk-install-local-file.desktop +gpk-log.desktop +gpk-prefs.desktop +gpk-service-pack.desktop +gpk-update-viewer.desktop +iceweasel.desktop +kde4 +mat.desktop +mimeinfo.cache +nact.desktop +nautilus-autorun-software.desktop +nautilus.desktop +nm-applet.desktop +nm-connection-editor.desktop +python2.7.desktop +timesync.desktop +vlc.desktop +whonixcheck.desktop +whonix-contribute.desktop +whonix-documentation.desktop +whonix-donate.desktop +whonix-featureblog.desktop +whonix-forum.desktop +whonix-importantblog.desktop +whonix-irc-chat-support.desktop +whonix-mailinglist.desktop +whonix_repository.desktop +xchat.desktop +x-www-browser.desktop +yelp.desktop + + +akonaditray.desktop +-rw-r--r-- 1 root root 5000 Jun 22 2012 ark.desktop +dolphin.desktop +gwenview.desktop +Help.desktop +jovieapp.desktop +kcalc.desktop +kdepasswd.desktop +kdesystemsettings.desktop +keditbookmarks.desktop +kfind.desktop +kfontview.desktop +kgpg.desktop +klipper.desktop +kmag.desktop +kmailservice.desktop +kmix.desktop +kmousetool.desktop +kmouth.desktop +konsole.desktop +krandrtray.desktop +ksysguard.desktop +ksystemlog.desktop +-rw-r--r-- 1 root root 1766 Jun 6 2012 ktelnetservice.desktop +kvkbd.desktop +kwrite.desktop +nepomukbackup.desktop +nepomukcontroller.desktop +okularApplication_comicbook.desktop +okularApplication_dvi.desktop +okularApplication_fax.desktop +okularApplication_fb.desktop +okularApplication_ghostview.desktop +okularApplication_kimgio.desktop 
+okularApplication_ooo.desktop +okularApplication_pdf.desktop +okularApplication_plucker.desktop +okularApplication_xps.desktop +okular.desktop +systemsettings.desktop + From 60ccebc8b7c2225d65bb8222dfcd23e3b20081e2 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Thu, 13 Nov 2014 19:12:44 -0500 Subject: [PATCH 2/5] whonix: Updated to Whonix 9.4 base. Removed all patches to Whonix code and installed grub and replaced update-grub with link to /bin/true --- .../files/etc/apt/preferences.d/whonix_qubes | 15 --- .../02_install_groups_packages_installed.sh | 110 ++---------------- .../wheezy+whonix/packages_wheezy.list | 3 + 3 files changed, 10 insertions(+), 118 deletions(-) delete mode 100644 scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes diff --git a/scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes b/scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes deleted file mode 100644 index 9bc0b6c..0000000 --- a/scripts_debian/wheezy+whonix-gateway/files/etc/apt/preferences.d/whonix_qubes +++ /dev/null @@ -1,15 +0,0 @@ -Package: grub-pc -Pin: version * -Pin-Priority: -100 - -Package: grub-pc-bin -Pin: version * -Pin-Priority: -100 - -Package: grub-common -Pin: version * -Pin-Priority: -100 - -Package: grub2-common -Pin: version * -Pin-Priority: -100 diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 0a92070..278d376 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh 
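Review bot: The workstation whitelisted-appmenus.list contains two pasted `ls -l` records (`-rw-r--r-- 1 root root 5000 Jun 22 2012 ark.desktop` and the matching `ktelnetservice.desktop` line) plus the bare entries `kde4` and `mimeinfo.cache`, none of which names a .desktop file, so ark and ktelnetservice silently fall out of the whitelist. Replace those lines with `ark.desktop` and `ktelnetservice.desktop` and drop `kde4` and `mimeinfo.cache`. Several entries (gnome-terminal, gpk-*, nautilus, yelp) also appear twice and can be collapsed. Since this list governs which launchers a Whonix workstation exposes, whether network-facing items such as `nm-connection-editor.desktop`, `nm-applet.desktop` and `ktelnetservice.desktop` belong in an anonymity VM's menu deserves a deliberate decision rather than a bulk import.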
@@ -78,37 +78,6 @@ sudo ~/Whonix/whonix_build \ popd EOF -# ------------------------------------------------------------------------------ -# Pin grub so it won't install -# ------------------------------------------------------------------------------ -read -r -d '' WHONIX_APT_PIN <<'EOF' || true -Package: grub-pc -Pin: version * -Pin-Priority: -100 - -Package: grub-pc-bin -Pin: version * -Pin-Priority: -100 - -Package: grub-common -Pin: version * -Pin-Priority: -100 - -Package: grub2-common -Pin: version * -Pin-Priority: -100 -EOF - -# ------------------------------------------------------------------------------ -# Set defualts for apt not to install recommended or extra packages -# ------------------------------------------------------------------------------ -read -r -d '' WHONIX_APT_PREFERENCES <<'EOF' || true -Acquire::Languages "none"; -APT::Install-Recommends "false"; -APT::Install-Suggests "false"; -Dpkg::Options "--force-confold"; -EOF - # ------------------------------------------------------------------------------ # Cleanup function # ------------------------------------------------------------------------------ 
@@ -136,22 +105,16 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then popd # -------------------------------------------------------------------------- - # Patch Whonix submodules + # Fake grub installation since Whonix has depends on grub-pc # -------------------------------------------------------------------------- + mkdir -p "${INSTALLDIR}/boot/grub" + cp "${INSTALLDIR}/usr/lib/grub/i386-pc/"* "${INSTALLDIR}/boot/grub" + rm -f "${INSTALLDIR}/usr/sbin/update-grub" + chroot "${INSTALLDIR}" ln -s /bin/true /usr/sbin/update-grub - # Chekout a branch; create a branch first if it does not exist - checkout_branch() { - branch=$(git symbolic-ref --short -q HEAD) - if ! [ "$branch" == "$1" ]; then - su $(logname) -c git checkout "$1" >/dev/null 2>&1 || \ - { - su $(logname) -c git branch "$1" - su $(logname) -c git checkout "$1" - } - fi - } - + # -------------------------------------------------------------------------- # sed search and replace. return 0 if replace happened, otherwise 1 + # -------------------------------------------------------------------------- search_replace() { local search="$1" local replace="$2" 
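Review bot: The `ln -s /bin/true /usr/sbin/update-grub` replacement is not durable: `/usr/sbin/update-grub` is shipped by one of the grub packages this commit now lets apt install, so the next upgrade of that package inside the template silently restores the real script, which then runs against a VM that has no bootable disk. Register the override with dpkg so upgrades keep it: `chroot "${INSTALLDIR}" dpkg-divert --local --rename --add /usr/sbin/update-grub` before the `ln -s`, after which the `rm -f` is unnecessary. The `cp "${INSTALLDIR}/usr/lib/grub/i386-pc/"*` has no error check, so a missing module directory leaves `/boot/grub` empty and only surfaces later inside the Whonix build. The enclosing `if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]` block begins and ends outside this hunk.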
@@ -159,57 +122,6 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then sed -i.bak '/'"$search"'/,${s//'"$replace"'/;b};$q1' "$file" } - # Patch anon-meta-packages to not depend on grub-pc - pushd "${WHONIX_DIR}" - { - search_replace "grub-pc" "" "grml_packages" || : - } - popd - - pushd "${WHONIX_DIR}/packages/anon-meta-packages/debian" - { - search1=" grub-pc,"; - replace=""; - - #checkout_branch qubes - search_replace "$search1" "$replace" control && \ - { - cd "${WHONIX_DIR}/packages/anon-meta-packages"; - : - #sudo -E -u $(logname) make deb-pkg || : - #su $(logname) -c "dpkg-source --commit" || : - #git add . - #su $(logname) -c "git commit -am 'removed grub-pc depend'" - } || : - } - popd - - pushd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d" - { - search1="update-grub"; - replace=":"; - - #checkout_branch qubes - search_replace "$search1" "$replace" 85_update_grub && \ - { - cd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub"; - sudo -E -u $(logname) make deb-pkg || : - su $(logname) -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub"; - #git add . ; - #su $(logname) -c "git commit -am 'removed grub-pc depend'" - } || : - } - popd - - pushd "${WHONIX_DIR}/build-steps.d" - { - search1=" check_for_uncommited_changes"; - replace=" #check_for_uncommited_changes"; - - search_replace "$search1" "$replace" 1200_create-debian-packages || : - } - popd - # -------------------------------------------------------------------------- # Whonix system config dependancies # -------------------------------------------------------------------------- 
@@ -222,10 +134,6 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user } - # Pin grub packages so they will not install - echo "${WHONIX_APT_PIN}" > "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes" - chmod 0644 "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes" - # Install Whonix build scripts echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build.sh" chmod 0755 "${INSTALLDIR}/home/user/whonix_build.sh" @@ -320,10 +228,6 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh sed -i "s/#alias/alias/g" "${INSTALLDIR}/home/user/.bashrc" sed -i "s/alias l='ls -CF'/alias l='ls -l'/g" "${INSTALLDIR}/home/user/.bashrc" - # Fake that whonixsetup was already run - #mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once" - #touch "${INSTALLDIR}/var/lib/whonix/do_once/whonixsetup.done" - # Fake that initializer was already run mkdir -p "${INSTALLDIR}/root/.whonix" touch "${INSTALLDIR}/root/.whonix/first_run_initializer.done" diff --git a/scripts_debian/wheezy+whonix/packages_wheezy.list b/scripts_debian/wheezy+whonix/packages_wheezy.list index acf4ebe..91e329e 100644 --- a/scripts_debian/wheezy+whonix/packages_wheezy.list +++ b/scripts_debian/wheezy+whonix/packages_wheezy.list @@ -23,3 +23,6 @@ build-essential:native gcc fakeroot lintian + +rsync +grub-pc From 4acca407d7d5f2f247fd749953cab7d4e935409f Mon Sep 17 00:00:00 2001 
From: Jason Mehring Date: Thu, 13 Nov 2014 19:13:51 -0500 Subject: [PATCH 3/5] whonix: Added ability to run both gateway and workstation as AppVM's (not standalone) --- .../wheezy+whonix-gateway/files/.facl | 35 ++++++----- .../files/usr/lib/whonix/bind-dirs.sh | 58 +++++++++++++++++++ .../files/usr/lib/whonix/init/init.sh | 8 --- .../lib/whonix/init/network-proxy-setup.sh | 1 - .../lib/whonix/init/qubes-whonix-bind.service | 14 +++++ .../usr/lib/whonix/init/whonixcheck.service | 18 ++++++ .../files/usr/lib/whonix/qubes-whonixsetup | 58 +++++++------------ .../wheezy+whonix-workstation/files/.facl | 7 +++ .../files/usr/lib/whonix/bind-dirs.sh | 58 +++++++++++++++++++ .../files/usr/lib/whonix/init/init.sh | 8 --- .../lib/whonix/init/network-proxy-setup.sh | 1 - .../files/usr/lib/whonix/qubes-whonixsetup | 58 +++++++------------ 12 files changed, 216 insertions(+), 108 deletions(-) create mode 100755 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh create mode 100644 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-bind.service create mode 100644 scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/whonixcheck.service create mode 100755 scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh diff --git a/scripts_debian/wheezy+whonix-gateway/files/.facl b/scripts_debian/wheezy+whonix-gateway/files/.facl index f25a44e..5065286 100644 --- a/scripts_debian/wheezy+whonix-gateway/files/.facl +++ b/scripts_debian/wheezy+whonix-gateway/files/.facl @@ -103,20 +103,6 @@ user::rwx group::r-x other::r-x -# file: etc/apt/preferences.d -# owner: root -# group: root -user::rwx -group::r-x -other::r-x - -# file: etc/apt/preferences.d/whonix_qubes -# owner: root -# group: root -user::rw- -group::r-- -other::r-- - # file: etc/hostname # owner: root # group: root 
@@ -173,6 +159,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/bind-dirs.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + # file: usr/lib/whonix/init # owner: root # group: root @@ -187,6 +180,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/init/qubes-whonix-bind.service +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: usr/lib/whonix/init/replace-ips # owner: root # group: root @@ -201,6 +201,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/init/whonixcheck.service +# owner: root +# group: root +user::rw- +group::r-- +other::r-- + # file: usr/lib/whonix/init/network-proxy-setup.sh # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh new file mode 100755 index 0000000..ab2b0be --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh 
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# To umount all binds, just pass any arg in $1
+#
+
+. /usr/lib/whonix/utility_functions
+
+# Don't run if started as a template
+if ! [ "${WHONIX}" == "template" ]; then
+ # Array of directories to bind
+ BINDS=(
+ '/rw/srv/whonix/root/.whonix:/root/.whonix'
+ '/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
+ '/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
+ '/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
+ '/rw/srv/whonix/etc/tor:/etc/tor'
+ )
+
+ for bind in ${BINDS[@]}; do
+ rw_dir="${bind%%:*}"
+ ro_dir="${bind##*:}"
+
+ # Make sure ro directory is not mounted
+ umount "${ro_dir}" 2> /dev/null || true
+
+ if [ -n "${1}" ]; then
+ echo "Umounting only..."
+ exit 0
+ fi
+
+ # Make sure ro directory exists
+ if ! [ -d "${ro_dir}" ]; then
+ mkdir -p "${ro_dir}"
+ fi
+
+ # Initially copy over data directories to /rw if rw directory does not exist
+ if ! [ -d "${rw_dir}" ]; then
+ mkdir -p "${rw_dir}"
+ rsync -hax "${ro_dir}/." "${rw_dir}"
+ fi
+
+ # Bind the directory
+ sync
+ mount --bind "${rw_dir}" "${ro_dir}"
+ done
+ sync
+fi
+
+if [ "${WHONIX}" == "gateway" ]; then
+ # Make sure we remove whonixsetup.done if Tor is not enabled
+ # to allow choice of repo and prevent whonixcheck errors
+ grep "^DisableNetwork 0$" /etc/tor/torrc || {
+ sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
+ }
+fi
+
+exit 0
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh
index 2727847..1839152 100755
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/init.sh
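Review bot: The "umount only" path (`if [ -n "${1}" ]; then ... exit 0`) sits inside the `for bind` loop, so with an argument the script unmounts only the first entry (`/root/.whonix`) and exits, contrary to the header comment "To umount all binds"; change that `exit 0` to `continue` so every directory is processed. The results of `rsync` and `mount --bind` are ignored and the script always ends with `exit 0`, so a failed seeding of `/rw/srv/whonix/etc/tor` leaves an existing but empty `rw_dir` that on the next boot is bound over `/etc/tor`, hiding the real torrc; at minimum use `mount --bind "${rw_dir}" "${ro_dir}" || exit 1` and remove `rw_dir` again when the rsync fails. A comment above `BINDS` should state that once seeded, `/etc/tor` and `/var/lib/whonix` in an AppVM no longer follow the template, so torrc or whonixcheck changes delivered by a template update will not reach existing AppVMs. `${BINDS[@]}` should be quoted as `"${BINDS[@]}"`, and the trailing `sudo rm -f` is redundant when the systemd unit runs this script as root.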
@@ -27,12 +27,4 @@ if [ "${WHONIX}" != "template" ]; then # Make sure hostname is correct /bin/hostname host - - if [ "${WHONIX}" == "gateway" ]; then - # Make sure we remove whonixsetup.done if Tor is not enabled - # to allow choice of repo and prevent whonixcheck errors - grep "^DisableNetwork 0$" /etc/tor/torrc || { - rm -f /var/lib/whonix/do_once/whonixsetup.done - } - fi fi diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh index 4010441..71a43cf 100755 --- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/network-proxy-setup.sh @@ -47,7 +47,6 @@ if [ "${WHONIX}" == "gateway" ]; then # Allow whonix-gateway to act as an update-proxy touch /var/run/qubes-service/qubes-updates-proxy - #systemctl stop qubes-updates-proxy.service # Search and replace tinyproxy error files so we can inject code that # we can use to identify that its a tor proxy so updates are secure diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-bind.service b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-bind.service new file mode 100644 index 0000000..5d145aa --- /dev/null +++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/qubes-whonix-bind.service @@ -0,0 +1,14 @@ +[Unit] +Description=Qubes Whonix bind /rw to ro dirs script +DefaultDependencies=no +Before=sysinit.target +After=qubes-sysinit.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/whonix/init/bind-dirs.sh +StandardOutput=syslog + +[Install] +WantedBy=sysinit.target diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/whonixcheck.service b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/whonixcheck.service new file mode 100644 index 0000000..5f883d2 
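Review bot: `ExecStart=/usr/lib/whonix/init/bind-dirs.sh` does not match where this patch installs the script: the new file and its `.facl` entry are at `usr/lib/whonix/bind-dirs.sh`, and `qubes-whonixsetup` also calls `/usr/lib/whonix/bind-dirs.sh`; unless a second copy under `init/` exists outside this patch, the unit fails at boot and the persistence binds are only set up when a user later runs qubes-whonixsetup. Change it to `ExecStart=/usr/lib/whonix/bind-dirs.sh`. With `DefaultDependencies=no` and `Before=sysinit.target` the script runs very early, and nothing in the unit states that `/rw` must already be mounted; if `qubes-sysinit.service` is what provides that, an explicit `RequiresMountsFor=/rw` would make the dependency visible and survive a reordering of the Qubes units.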
--- /dev/null
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/init/whonixcheck.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Checks many important aspects of Whonix.
+After=syslog.target network.target
+
+[Service]
+Type=forking
+ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/run/whonixcheck
+ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonixcheck
+ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonix/whonixblog
+ExecStart=/usr/lib/whonixcheckdaemon
+PIDFile=/var/run/whonixcheck.pid
+User=user
+Group=user
+UMask=0007
+StandardOutput=syslog
+
+[Install]
+WantedBy=multi-user.target
diff --git a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
index edb6240..f90d15b 100755
--- a/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
+++ b/scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/qubes-whonixsetup
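Review bot: `PIDFile=/var/run/whonixcheck.pid` points into the root-owned `/var/run`, while the unit runs as `User=user` and the only directory it prepares for that user is `/var/run/whonixcheck`; unless the daemon writes its pidfile elsewhere with elevated rights, a `Type=forking` start will wait on a pidfile the daemon cannot create. If the daemon drops its pid into the prepared directory, `PIDFile=/var/run/whonixcheck/whonixcheck.pid` is the matching setting. `ExecStart=/usr/lib/whonixcheckdaemon` is not installed by anything in this patch series, so confirm that path exists in the Whonix 9.4 image before relying on the unit. Running the check unprivileged with `UMask=0007` is the right direction; a one-line comment above `[Service]` saying the three `install -d` lines exist because the directories live on the bind-mounted `/rw` and are not created by the package would explain the otherwise surprising ExecStartPre block.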
@@ -2,57 +2,39 @@ . /usr/lib/whonix/utility_functions +if ! [ "${WHONIX}" == "template" ]; then + sudo /usr/lib/whonix/bind-dirs.sh +fi + if [ "${WHONIX}" == "gateway" ]; then - grep "^DisableNetwork 0$" /etc/tor/torrc || { + if grep "^DisableNetwork 0$" /etc/tor/torrc ;then + sudo service sdwdate restart + sudo service tor restart + else sudo service sdwdate restart sudo service tor stop - sudo /usr/bin/whonixsetup && { - enable_sysv tor - sleep 1 - enable_sysv sdwdate - } || { - sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" - disable_sysv tor - disable_sysv sdwdate - sudo /sbin/poweroff - } - } - - # Allow whonix-gateway to act as an update-proxy - sudo systemctl status qubes-updates-proxy.service || { - error_file="/usr/share/tinyproxy/default.html" - - # Search and replace tinyproxy error files so we can inject code that - # we can use to identify that its a tor proxy so updates are secure - grep -q "${PROXY_META}" "${error_file}" || { - sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" - } - - sudo touch /var/run/qubes-service/qubes-updates-proxy - sudo iptables -t nat -N PR-QBS-SERVICES - sudo systemctl start qubes-updates-proxy.service - } + sudo /usr/bin/whonixsetup + fi elif [ "${WHONIX}" == "workstation" ]; then + sudo service sdwdate restart if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then - enable_sysv sdwdate - sudo service sdwdate restart sudo /usr/bin/whonixsetup fi elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then # Set secure defaults. - iptables -P INPUT DROP - iptables -P FORWARD DROP - iptables -P OUTPUT DROP + sudo iptables -P INPUT DROP + sudo iptables -P FORWARD DROP + sudo iptables -P OUTPUT DROP # Flush old rules. 
- iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X + sudo iptables -F + sudo iptables -X + sudo iptables -t nat -F + sudo iptables -t nat -X + sudo iptables -t mangle -F + sudo iptables -t mangle -X # Display warning that netvm is not connected to a torvm /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml diff --git a/scripts_debian/wheezy+whonix-workstation/files/.facl b/scripts_debian/wheezy+whonix-workstation/files/.facl index 41e3aba..2e89eb9 100644 --- a/scripts_debian/wheezy+whonix-workstation/files/.facl +++ b/scripts_debian/wheezy+whonix-workstation/files/.facl @@ -152,6 +152,13 @@ user::rwx group::r-x other::r-x +# file: usr/lib/whonix/bind-dirs.sh +# owner: root +# group: root +user::rwx +group::r-x +other::r-x + # file: usr/lib/whonix/init # owner: root # group: root diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh new file mode 100755 index 0000000..ab2b0be --- /dev/null +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh 
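Review bot: `if grep "^DisableNetwork 0$" /etc/tor/torrc ;then` writes the matched line to the terminal every run; use `grep -q`. In the `else` branch the exit status of `sudo /usr/bin/whonixsetup` is discarded, whereas the removed code reacted to a failed or cancelled setup by disabling Tor and sdwdate; now a cancelled setup leaves Tor stopped (the safe outcome) but sdwdate already restarted and the script reporting success, so at minimum `sudo /usr/bin/whonixsetup || { echo "whonixsetup did not complete; Tor stays stopped" >&2; exit 1; }`. `[ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]` relies on the deprecated `-a`; `[[ "${WHONIX}" == "template" && "${PROXY_SECURE}" == "0" ]]` is the equivalent. The script's first line and anything after the `alert` call lie outside the hunk.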
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+#
+# To umount all binds, just pass any arg in $1
+#
+
+. /usr/lib/whonix/utility_functions
+
+# Don't run if started as a template
+if ! [ "${WHONIX}" == "template" ]; then
+ # Array of directories to bind
+ BINDS=(
+ '/rw/srv/whonix/root/.whonix:/root/.whonix'
+ '/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
+ '/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
+ '/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
+ '/rw/srv/whonix/etc/tor:/etc/tor'
+ )
+
+ for bind in ${BINDS[@]}; do
+ rw_dir="${bind%%:*}"
+ ro_dir="${bind##*:}"
+
+ # Make sure ro directory is not mounted
+ umount "${ro_dir}" 2> /dev/null || true
+
+ if [ -n "${1}" ]; then
+ echo "Umounting only..."
+ exit 0
+ fi
+
+ # Make sure ro directory exists
+ if ! [ -d "${ro_dir}" ]; then
+ mkdir -p "${ro_dir}"
+ fi
+
+ # Initially copy over data directories to /rw if rw directory does not exist
+ if ! [ -d "${rw_dir}" ]; then
+ mkdir -p "${rw_dir}"
+ rsync -hax "${ro_dir}/." "${rw_dir}"
+ fi
+
+ # Bind the directory
+ sync
+ mount --bind "${rw_dir}" "${ro_dir}"
+ done
+ sync
+fi
+
+if [ "${WHONIX}" == "gateway" ]; then
+ # Make sure we remove whonixsetup.done if Tor is not enabled
+ # to allow choice of repo and prevent whonixcheck errors
+ grep "^DisableNetwork 0$" /etc/tor/torrc || {
+ sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
+ }
+fi
+
+exit 0
diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh
index 2727847..1839152 100755
--- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh
+++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/init.sh
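Review bot: This file is byte-for-byte the gateway copy (same blob `ab2b0be`), including the `if [ "${WHONIX}" == "gateway" ]` block that can never run in a workstation image and the `/rw/srv/whonix/etc/tor:/etc/tor` bind, which persists a Tor configuration directory a workstation typically does not manage; two identical copies will drift, so either ship one script from the shared `wheezy+whonix` layer or trim the workstation copy to its own BINDS. The umount-only branch has the same defect here: `exit 0` inside the `for bind` loop unmounts only the first entry, and should be `continue`. A header comment stating that the script must run as root (it calls `mount --bind` directly, yet uses `sudo` for the later `rm -f`) would make the intended caller clear.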
@@ -27,12 +27,4 @@ if [ "${WHONIX}" != "template" ]; then # Make sure hostname is correct /bin/hostname host - - if [ "${WHONIX}" == "gateway" ]; then - # Make sure we remove whonixsetup.done if Tor is not enabled - # to allow choice of repo and prevent whonixcheck errors - grep "^DisableNetwork 0$" /etc/tor/torrc || { - rm -f /var/lib/whonix/do_once/whonixsetup.done - } - fi fi diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh index 4010441..71a43cf 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/init/network-proxy-setup.sh @@ -47,7 +47,6 @@ if [ "${WHONIX}" == "gateway" ]; then # Allow whonix-gateway to act as an update-proxy touch /var/run/qubes-service/qubes-updates-proxy - #systemctl stop qubes-updates-proxy.service # Search and replace tinyproxy error files so we can inject code that # we can use to identify that its a tor proxy so updates are secure diff --git a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup index edb6240..f90d15b 100755 --- a/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup +++ b/scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/qubes-whonixsetup 
@@ -2,57 +2,39 @@ . /usr/lib/whonix/utility_functions +if ! [ "${WHONIX}" == "template" ]; then + sudo /usr/lib/whonix/bind-dirs.sh +fi + if [ "${WHONIX}" == "gateway" ]; then - grep "^DisableNetwork 0$" /etc/tor/torrc || { + if grep "^DisableNetwork 0$" /etc/tor/torrc ;then + sudo service sdwdate restart + sudo service tor restart + else sudo service sdwdate restart sudo service tor stop - sudo /usr/bin/whonixsetup && { - enable_sysv tor - sleep 1 - enable_sysv sdwdate - } || { - sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc" - disable_sysv tor - disable_sysv sdwdate - sudo /sbin/poweroff - } - } - - # Allow whonix-gateway to act as an update-proxy - sudo systemctl status qubes-updates-proxy.service || { - error_file="/usr/share/tinyproxy/default.html" - - # Search and replace tinyproxy error files so we can inject code that - # we can use to identify that its a tor proxy so updates are secure - grep -q "${PROXY_META}" "${error_file}" || { - sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}" - } - - sudo touch /var/run/qubes-service/qubes-updates-proxy - sudo iptables -t nat -N PR-QBS-SERVICES - sudo systemctl start qubes-updates-proxy.service - } + sudo /usr/bin/whonixsetup + fi elif [ "${WHONIX}" == "workstation" ]; then + sudo service sdwdate restart if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then - enable_sysv sdwdate - sudo service sdwdate restart sudo /usr/bin/whonixsetup fi elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then # Set secure defaults. - iptables -P INPUT DROP - iptables -P FORWARD DROP - iptables -P OUTPUT DROP + sudo iptables -P INPUT DROP + sudo iptables -P FORWARD DROP + sudo iptables -P OUTPUT DROP # Flush old rules. 
- iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X + sudo iptables -F + sudo iptables -X + sudo iptables -t nat -F + sudo iptables -t nat -X + sudo iptables -t mangle -F + sudo iptables -t mangle -X # Display warning that netvm is not connected to a torvm /usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml From a08bb8ed864d5ec3f3d5121fa8cb57cb74492c15 Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Mon, 17 Nov 2014 16:39:02 -0500 Subject: [PATCH 4/5] AppVM was hard coded by mistake. Changed to pick up users AppVM name --- create_template_list.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/create_template_list.sh b/create_template_list.sh index 1e9c00f..5c0fbca 100755 --- a/create_template_list.sh +++ b/create_template_list.sh @@ -35,7 +35,7 @@ cat << 'EOF' >> "${template_dir}" for file in ${files[@]}; do if [ ! -e ${file} ]; then echo "Copying ${file} from ${name} to ${PWD}/${file}..." - qvm-run --pass-io development-qubes "cat ${path}/${file}" > ${file} + qvm-run --pass-io ${name} "cat ${path}/${file}" > ${file} fi sudo yum erase $(echo "${file}" | sed -r "s/(${version}).+$//") && { From e1ce88291f6595298476bf7466849189801c828b Mon Sep 17 00:00:00 2001 From: Jason Mehring Date: Tue, 18 Nov 2014 17:40:31 -0500 Subject: [PATCH 5/5] whonix: Need to commit Makefile or Whonix install script complains --- .../wheezy+whonix/02_install_groups_packages_installed.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh index 278d376..9cdd7a2 100755 --- a/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh +++ b/scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh 
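Review bot: The workstation copy (same blob `f90d15b` as the gateway file) carries the whole `if [ "${WHONIX}" == "gateway" ]` branch that stops or restarts Tor and runs whonixsetup, which cannot execute in a workstation image; keeping one shared script, or dropping that branch here, avoids two files that must be edited in lockstep. In the branch that does run here, `sudo service sdwdate restart` now precedes the `whonixsetup.done` check, so sdwdate is restarted on every invocation rather than only on first setup; state that intent in a comment such as `# sdwdate is restarted on every run; whonixsetup only until .done exists`. `grep` without `-q` prints the matched torrc line on every run; `grep -q` is the fix in both copies.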
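Review bot: `qvm-run --pass-io ${name} "cat ${path}/${file}" > ${file}` leaves `${name}` and the redirection target unquoted while splicing `${path}/${file}` into a shell command string executed inside the named VM; quote them, `qvm-run --pass-io "${name}" "cat ${path}/${file}" > "${file}"`. More important, everything that comes back over `--pass-io` is produced by the VM and must be treated by dom0 as untrusted: if the fetched `${file}` is later handed to `yum`/`rpm` (the `sudo yum erase` context line suggests an install follows outside this hunk), it should only be installed after its signature is verified against a key already present in dom0, and a comment on this line saying so would stop the next reader from assuming the transfer is trusted. The enclosing heredoc and the `for file in ${files[@]}` loop begin before the hunk.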
@@ -100,6 +100,8 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then # -------------------------------------------------------------------------- pushd "${WHONIX_DIR}" { + git add Makefile || true + git commit Makefile -m 'Added Makefile' || true su $(logname) -c "git submodule update --init --recursive"; } popd
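Review bot: `git add Makefile` and `git commit Makefile -m 'Added Makefile'` run as the script's own user, while the very next line drops to `su $(logname)` for `git submodule update`; if this script runs as root, as the `su` implies, the add/commit creates root-owned objects and index entries in the user's checkout and the following unprivileged git commands fail on permissions. Run them the same way: `su $(logname) -c "git add Makefile" || true` and `su $(logname) -c "git commit Makefile -m 'Added Makefile'" || true`. The `|| true` also hides every failure, including a commit rejected for lack of a configured author identity, so the later Whonix build still sees the uncommitted Makefile it complains about. A comment explaining why a local commit into the Whonix source tree is needed here, and that it alters the tree the build will check, would help the next maintainer; the enclosing `if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]` block starts outside the hunk.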