Merge remote-tracking branch 'nrgaway/wheezy' into wheezy
This commit is contained in:
commit
b40322b798
@ -0,0 +1,21 @@
|
||||
gnome-terminal.desktop
|
||||
nautilus.desktop
|
||||
yelp.desktop
|
||||
gateway-arm.desktop
|
||||
gateway-firewall30default.desktop
|
||||
gateway-firewall50user.desktop
|
||||
gateway-firsttimesetup.desktop
|
||||
gateway-reloadfirewall.desktop
|
||||
gateway-reloadtor.desktop
|
||||
gateway-restarttor.desktop
|
||||
gateway-stoptor.desktop
|
||||
gateway-torrc.desktop
|
||||
gateway-torrcexamples.desktop
|
||||
timesync.desktop
|
||||
whonixcheck.desktop
|
||||
whonix_repository.desktop
|
||||
dolphin.desktop
|
||||
Help.desktop
|
||||
ksystemlog.desktop
|
||||
kwrite.desktop
|
||||
|
21
appmenus_wheezy_whonix-gateway/vm-whitelisted-appmenus.list
Normal file
21
appmenus_wheezy_whonix-gateway/vm-whitelisted-appmenus.list
Normal file
@ -0,0 +1,21 @@
|
||||
gnome-terminal.desktop
|
||||
nautilus.desktop
|
||||
yelp.desktop
|
||||
gateway-arm.desktop
|
||||
gateway-firewall30default.desktop
|
||||
gateway-firewall50user.desktop
|
||||
gateway-firsttimesetup.desktop
|
||||
gateway-reloadfirewall.desktop
|
||||
gateway-reloadtor.desktop
|
||||
gateway-restarttor.desktop
|
||||
gateway-stoptor.desktop
|
||||
gateway-torrc.desktop
|
||||
gateway-torrcexamples.desktop
|
||||
timesync.desktop
|
||||
whonixcheck.desktop
|
||||
whonix_repository.desktop
|
||||
dolphin.desktop
|
||||
Help.desktop
|
||||
ksystemlog.desktop
|
||||
kwrite.desktop
|
||||
|
11
appmenus_wheezy_whonix-gateway/whitelisted-appmenus.list
Normal file
11
appmenus_wheezy_whonix-gateway/whitelisted-appmenus.list
Normal file
@ -0,0 +1,11 @@
|
||||
gnome-terminal.desktop
|
||||
gpk-application.desktop
|
||||
gpk-update-viewer.desktop
|
||||
gpk-prefs.desktop
|
||||
gpk-log.desktop
|
||||
yelp.desktop
|
||||
gateway-firewall30default.desktop
|
||||
gateway-firewall50user.desktop
|
||||
gateway-torrc.desktop
|
||||
gateway-torrcexamples.desktop
|
||||
kwrite.desktop
|
@ -0,0 +1 @@
|
||||
gnome-terminal.desktop
|
@ -0,0 +1,27 @@
|
||||
gnome-terminal.desktop
|
||||
nautilus.desktop
|
||||
yelp.desktop
|
||||
|
||||
anondist-torbrowser.desktop
|
||||
anondist-torbrowser_update.desktop
|
||||
gateway-firsttimesetup.desktop
|
||||
timesync.desktop
|
||||
vlc.desktop
|
||||
whonixcheck.desktop
|
||||
whonix-contribute.desktop
|
||||
whonix-documentation.desktop
|
||||
whonix-donate.desktop
|
||||
whonix-featureblog.desktop
|
||||
whonix-forum.desktop
|
||||
whonix-importantblog.desktop
|
||||
whonix-irc-chat-support.desktop
|
||||
whonix-mailinglist.desktop
|
||||
whonix_repository.desktop
|
||||
xchat.desktop
|
||||
x-www-browser.desktop
|
||||
dolphin.desktop
|
||||
Help.desktop
|
||||
kcalc.desktop
|
||||
kgpg.desktop
|
||||
kwrite.desktop
|
||||
|
96
appmenus_wheezy_whonix-workstation/whitelisted-appmenus.list
Normal file
96
appmenus_wheezy_whonix-workstation/whitelisted-appmenus.list
Normal file
@ -0,0 +1,96 @@
|
||||
gnome-terminal.desktop
|
||||
gpk-application.desktop
|
||||
gpk-update-viewer.desktop
|
||||
gpk-prefs.desktop
|
||||
gpk-log.desktop
|
||||
yelp.desktop
|
||||
|
||||
|
||||
anondist-torbrowser.desktop
|
||||
anondist-torbrowser_update.desktop
|
||||
bluetooth-sendto.desktop
|
||||
bluetooth-wizard.desktop
|
||||
brasero.desktop
|
||||
brasero-nautilus.desktop
|
||||
display.im6.desktop
|
||||
fpm2.desktop
|
||||
gateway-firsttimesetup.desktop
|
||||
gcr-prompter.desktop
|
||||
gcr-viewer.desktop
|
||||
gnome-terminal.desktop
|
||||
gpk-application.desktop
|
||||
gpk-dbus-service.desktop
|
||||
gpk-install-catalog.desktop
|
||||
gpk-install-local-file.desktop
|
||||
gpk-log.desktop
|
||||
gpk-prefs.desktop
|
||||
gpk-service-pack.desktop
|
||||
gpk-update-viewer.desktop
|
||||
iceweasel.desktop
|
||||
kde4
|
||||
mat.desktop
|
||||
mimeinfo.cache
|
||||
nact.desktop
|
||||
nautilus-autorun-software.desktop
|
||||
nautilus.desktop
|
||||
nm-applet.desktop
|
||||
nm-connection-editor.desktop
|
||||
python2.7.desktop
|
||||
timesync.desktop
|
||||
vlc.desktop
|
||||
whonixcheck.desktop
|
||||
whonix-contribute.desktop
|
||||
whonix-documentation.desktop
|
||||
whonix-donate.desktop
|
||||
whonix-featureblog.desktop
|
||||
whonix-forum.desktop
|
||||
whonix-importantblog.desktop
|
||||
whonix-irc-chat-support.desktop
|
||||
whonix-mailinglist.desktop
|
||||
whonix_repository.desktop
|
||||
xchat.desktop
|
||||
x-www-browser.desktop
|
||||
yelp.desktop
|
||||
|
||||
|
||||
akonaditray.desktop
|
||||
-rw-r--r-- 1 root root 5000 Jun 22 2012 ark.desktop
|
||||
dolphin.desktop
|
||||
gwenview.desktop
|
||||
Help.desktop
|
||||
jovieapp.desktop
|
||||
kcalc.desktop
|
||||
kdepasswd.desktop
|
||||
kdesystemsettings.desktop
|
||||
keditbookmarks.desktop
|
||||
kfind.desktop
|
||||
kfontview.desktop
|
||||
kgpg.desktop
|
||||
klipper.desktop
|
||||
kmag.desktop
|
||||
kmailservice.desktop
|
||||
kmix.desktop
|
||||
kmousetool.desktop
|
||||
kmouth.desktop
|
||||
konsole.desktop
|
||||
krandrtray.desktop
|
||||
ksysguard.desktop
|
||||
ksystemlog.desktop
|
||||
-rw-r--r-- 1 root root 1766 Jun 6 2012 ktelnetservice.desktop
|
||||
kvkbd.desktop
|
||||
kwrite.desktop
|
||||
nepomukbackup.desktop
|
||||
nepomukcontroller.desktop
|
||||
okularApplication_comicbook.desktop
|
||||
okularApplication_dvi.desktop
|
||||
okularApplication_fax.desktop
|
||||
okularApplication_fb.desktop
|
||||
okularApplication_ghostview.desktop
|
||||
okularApplication_kimgio.desktop
|
||||
okularApplication_ooo.desktop
|
||||
okularApplication_pdf.desktop
|
||||
okularApplication_plucker.desktop
|
||||
okularApplication_xps.desktop
|
||||
okular.desktop
|
||||
systemsettings.desktop
|
||||
|
@ -35,7 +35,7 @@ cat << 'EOF' >> "${template_dir}"
|
||||
for file in ${files[@]}; do
|
||||
if [ ! -e ${file} ]; then
|
||||
echo "Copying ${file} from ${name} to ${PWD}/${file}..."
|
||||
qvm-run --pass-io development-qubes "cat ${path}/${file}" > ${file}
|
||||
qvm-run --pass-io ${name} "cat ${path}/${file}" > ${file}
|
||||
fi
|
||||
|
||||
sudo yum erase $(echo "${file}" | sed -r "s/(${version}).+$//") && {
|
||||
|
@ -103,20 +103,6 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: etc/apt/preferences.d
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: etc/apt/preferences.d/whonix_qubes
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: etc/hostname
|
||||
# owner: root
|
||||
# group: root
|
||||
@ -173,6 +159,13 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/bind-dirs.sh
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/init
|
||||
# owner: root
|
||||
# group: root
|
||||
@ -187,6 +180,13 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/init/qubes-whonix-bind.service
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: usr/lib/whonix/init/replace-ips
|
||||
# owner: root
|
||||
# group: root
|
||||
@ -201,6 +201,13 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/init/whonixcheck.service
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rw-
|
||||
group::r--
|
||||
other::r--
|
||||
|
||||
# file: usr/lib/whonix/init/network-proxy-setup.sh
|
||||
# owner: root
|
||||
# group: root
|
||||
|
@ -1,15 +0,0 @@
|
||||
Package: grub-pc
|
||||
Pin: version *
|
||||
Pin-Priority: -100
|
||||
|
||||
Package: grub-pc-bin
|
||||
Pin: version *
|
||||
Pin-Priority: -100
|
||||
|
||||
Package: grub-common
|
||||
Pin: version *
|
||||
Pin-Priority: -100
|
||||
|
||||
Package: grub2-common
|
||||
Pin: version *
|
||||
Pin-Priority: -100
|
58
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh
Executable file
58
scripts_debian/wheezy+whonix-gateway/files/usr/lib/whonix/bind-dirs.sh
Executable file
@ -0,0 +1,58 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# To umount all binds, just pass any arg in $1
|
||||
#
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
# Don't run if started as a template
|
||||
if ! [ "${WHONIX}" == "template" ]; then
|
||||
# Array of directories to bind
|
||||
BINDS=(
|
||||
'/rw/srv/whonix/root/.whonix:/root/.whonix'
|
||||
'/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
|
||||
'/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
|
||||
'/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
|
||||
'/rw/srv/whonix/etc/tor:/etc/tor'
|
||||
)
|
||||
|
||||
for bind in ${BINDS[@]}; do
|
||||
rw_dir="${bind%%:*}"
|
||||
ro_dir="${bind##*:}"
|
||||
|
||||
# Make sure ro directory is not mounted
|
||||
umount "${ro_dir}" 2> /dev/null || true
|
||||
|
||||
if [ -n "${1}" ]; then
|
||||
echo "Umounting only..."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Make sure ro directory exists
|
||||
if ! [ -d "${ro_dir}" ]; then
|
||||
mkdir -p "${ro_dir}"
|
||||
fi
|
||||
|
||||
# Initially copy over data directories to /rw if rw directory does not exist
|
||||
if ! [ -d "${rw_dir}" ]; then
|
||||
mkdir -p "${rw_dir}"
|
||||
rsync -hax "${ro_dir}/." "${rw_dir}"
|
||||
fi
|
||||
|
||||
# Bind the directory
|
||||
sync
|
||||
mount --bind "${rw_dir}" "${ro_dir}"
|
||||
done
|
||||
sync
|
||||
fi
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
||||
# to allow choice of repo and prevent whonixcheck errors
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
|
||||
}
|
||||
fi
|
||||
|
||||
exit 0
|
@ -27,12 +27,4 @@ if [ "${WHONIX}" != "template" ]; then
|
||||
|
||||
# Make sure hostname is correct
|
||||
/bin/hostname host
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
||||
# to allow choice of repo and prevent whonixcheck errors
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
rm -f /var/lib/whonix/do_once/whonixsetup.done
|
||||
}
|
||||
fi
|
||||
fi
|
||||
|
@ -47,7 +47,6 @@ if [ "${WHONIX}" == "gateway" ]; then
|
||||
|
||||
# Allow whonix-gateway to act as an update-proxy
|
||||
touch /var/run/qubes-service/qubes-updates-proxy
|
||||
#systemctl stop qubes-updates-proxy.service
|
||||
|
||||
# Search and replace tinyproxy error files so we can inject code that
|
||||
# we can use to identify that its a tor proxy so updates are secure
|
||||
|
@ -0,0 +1,14 @@
|
||||
[Unit]
|
||||
Description=Qubes Whonix bind /rw to ro dirs script
|
||||
DefaultDependencies=no
|
||||
Before=sysinit.target
|
||||
After=qubes-sysinit.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/lib/whonix/init/bind-dirs.sh
|
||||
StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=sysinit.target
|
@ -0,0 +1,18 @@
|
||||
[Unit]
|
||||
Description=Checks many important aspects of Whonix.
|
||||
After=syslog.target network.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/run/whonixcheck
|
||||
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonixcheck
|
||||
ExecStartPre=/usr/bin/install -m 0775 -d --owner user --group user /var/lib/whonix/whonixblog
|
||||
ExecStart=/usr/lib/whonixcheckdaemon
|
||||
PIDFile=/var/run/whonixcheck.pid
|
||||
User=user
|
||||
Group=user
|
||||
UMask=0007
|
||||
StandardOutput=syslog
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -2,57 +2,39 @@
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if ! [ "${WHONIX}" == "template" ]; then
|
||||
sudo /usr/lib/whonix/bind-dirs.sh
|
||||
fi
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
if grep "^DisableNetwork 0$" /etc/tor/torrc ;then
|
||||
sudo service sdwdate restart
|
||||
sudo service tor restart
|
||||
else
|
||||
sudo service sdwdate restart
|
||||
sudo service tor stop
|
||||
sudo /usr/bin/whonixsetup && {
|
||||
enable_sysv tor
|
||||
sleep 1
|
||||
enable_sysv sdwdate
|
||||
} || {
|
||||
sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
|
||||
disable_sysv tor
|
||||
disable_sysv sdwdate
|
||||
sudo /sbin/poweroff
|
||||
}
|
||||
}
|
||||
|
||||
# Allow whonix-gateway to act as an update-proxy
|
||||
sudo systemctl status qubes-updates-proxy.service || {
|
||||
error_file="/usr/share/tinyproxy/default.html"
|
||||
|
||||
# Search and replace tinyproxy error files so we can inject code that
|
||||
# we can use to identify that its a tor proxy so updates are secure
|
||||
grep -q "${PROXY_META}" "${error_file}" || {
|
||||
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
||||
}
|
||||
|
||||
sudo touch /var/run/qubes-service/qubes-updates-proxy
|
||||
sudo iptables -t nat -N PR-QBS-SERVICES
|
||||
sudo systemctl start qubes-updates-proxy.service
|
||||
}
|
||||
sudo /usr/bin/whonixsetup
|
||||
fi
|
||||
|
||||
elif [ "${WHONIX}" == "workstation" ]; then
|
||||
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
|
||||
enable_sysv sdwdate
|
||||
sudo service sdwdate restart
|
||||
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
|
||||
sudo /usr/bin/whonixsetup
|
||||
fi
|
||||
|
||||
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
|
||||
# Set secure defaults.
|
||||
iptables -P INPUT DROP
|
||||
iptables -P FORWARD DROP
|
||||
iptables -P OUTPUT DROP
|
||||
sudo iptables -P INPUT DROP
|
||||
sudo iptables -P FORWARD DROP
|
||||
sudo iptables -P OUTPUT DROP
|
||||
|
||||
# Flush old rules.
|
||||
iptables -F
|
||||
iptables -X
|
||||
iptables -t nat -F
|
||||
iptables -t nat -X
|
||||
iptables -t mangle -F
|
||||
iptables -t mangle -X
|
||||
sudo iptables -F
|
||||
sudo iptables -X
|
||||
sudo iptables -t nat -F
|
||||
sudo iptables -t nat -X
|
||||
sudo iptables -t mangle -F
|
||||
sudo iptables -t mangle -X
|
||||
|
||||
# Display warning that netvm is not connected to a torvm
|
||||
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
|
||||
|
@ -152,6 +152,13 @@ user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/bind-dirs.sh
|
||||
# owner: root
|
||||
# group: root
|
||||
user::rwx
|
||||
group::r-x
|
||||
other::r-x
|
||||
|
||||
# file: usr/lib/whonix/init
|
||||
# owner: root
|
||||
# group: root
|
||||
|
58
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh
Executable file
58
scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/bind-dirs.sh
Executable file
@ -0,0 +1,58 @@
|
||||
#!/bin/bash
|
||||
|
||||
#
|
||||
# To umount all binds, just pass any arg in $1
|
||||
#
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
# Don't run if started as a template
|
||||
if ! [ "${WHONIX}" == "template" ]; then
|
||||
# Array of directories to bind
|
||||
BINDS=(
|
||||
'/rw/srv/whonix/root/.whonix:/root/.whonix'
|
||||
'/rw/srv/whonix/root/.whonix.d:/root/.whonix.d'
|
||||
'/rw/srv/whonix/var/lib/whonix:/var/lib/whonix'
|
||||
'/rw/srv/whonix/var/lib/whonixcheck:/var/lib/whonixcheck'
|
||||
'/rw/srv/whonix/etc/tor:/etc/tor'
|
||||
)
|
||||
|
||||
for bind in ${BINDS[@]}; do
|
||||
rw_dir="${bind%%:*}"
|
||||
ro_dir="${bind##*:}"
|
||||
|
||||
# Make sure ro directory is not mounted
|
||||
umount "${ro_dir}" 2> /dev/null || true
|
||||
|
||||
if [ -n "${1}" ]; then
|
||||
echo "Umounting only..."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Make sure ro directory exists
|
||||
if ! [ -d "${ro_dir}" ]; then
|
||||
mkdir -p "${ro_dir}"
|
||||
fi
|
||||
|
||||
# Initially copy over data directories to /rw if rw directory does not exist
|
||||
if ! [ -d "${rw_dir}" ]; then
|
||||
mkdir -p "${rw_dir}"
|
||||
rsync -hax "${ro_dir}/." "${rw_dir}"
|
||||
fi
|
||||
|
||||
# Bind the directory
|
||||
sync
|
||||
mount --bind "${rw_dir}" "${ro_dir}"
|
||||
done
|
||||
sync
|
||||
fi
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
||||
# to allow choice of repo and prevent whonixcheck errors
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
sudo rm -f /var/lib/whonix/do_once/whonixsetup.done
|
||||
}
|
||||
fi
|
||||
|
||||
exit 0
|
@ -27,12 +27,4 @@ if [ "${WHONIX}" != "template" ]; then
|
||||
|
||||
# Make sure hostname is correct
|
||||
/bin/hostname host
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
# Make sure we remove whonixsetup.done if Tor is not enabled
|
||||
# to allow choice of repo and prevent whonixcheck errors
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
rm -f /var/lib/whonix/do_once/whonixsetup.done
|
||||
}
|
||||
fi
|
||||
fi
|
||||
|
@ -47,7 +47,6 @@ if [ "${WHONIX}" == "gateway" ]; then
|
||||
|
||||
# Allow whonix-gateway to act as an update-proxy
|
||||
touch /var/run/qubes-service/qubes-updates-proxy
|
||||
#systemctl stop qubes-updates-proxy.service
|
||||
|
||||
# Search and replace tinyproxy error files so we can inject code that
|
||||
# we can use to identify that its a tor proxy so updates are secure
|
||||
|
@ -2,57 +2,39 @@
|
||||
|
||||
. /usr/lib/whonix/utility_functions
|
||||
|
||||
if ! [ "${WHONIX}" == "template" ]; then
|
||||
sudo /usr/lib/whonix/bind-dirs.sh
|
||||
fi
|
||||
|
||||
if [ "${WHONIX}" == "gateway" ]; then
|
||||
grep "^DisableNetwork 0$" /etc/tor/torrc || {
|
||||
if grep "^DisableNetwork 0$" /etc/tor/torrc ;then
|
||||
sudo service sdwdate restart
|
||||
sudo service tor restart
|
||||
else
|
||||
sudo service sdwdate restart
|
||||
sudo service tor stop
|
||||
sudo /usr/bin/whonixsetup && {
|
||||
enable_sysv tor
|
||||
sleep 1
|
||||
enable_sysv sdwdate
|
||||
} || {
|
||||
sed -i 's/^DisableNetwork 0/#DisableNetwork 0/g' "/etc/tor/torrc"
|
||||
disable_sysv tor
|
||||
disable_sysv sdwdate
|
||||
sudo /sbin/poweroff
|
||||
}
|
||||
}
|
||||
|
||||
# Allow whonix-gateway to act as an update-proxy
|
||||
sudo systemctl status qubes-updates-proxy.service || {
|
||||
error_file="/usr/share/tinyproxy/default.html"
|
||||
|
||||
# Search and replace tinyproxy error files so we can inject code that
|
||||
# we can use to identify that its a tor proxy so updates are secure
|
||||
grep -q "${PROXY_META}" "${error_file}" || {
|
||||
sudo sed -i "s/<\/head>/${PROXY_META}\n<\/head>/" "${error_file}"
|
||||
}
|
||||
|
||||
sudo touch /var/run/qubes-service/qubes-updates-proxy
|
||||
sudo iptables -t nat -N PR-QBS-SERVICES
|
||||
sudo systemctl start qubes-updates-proxy.service
|
||||
}
|
||||
sudo /usr/bin/whonixsetup
|
||||
fi
|
||||
|
||||
elif [ "${WHONIX}" == "workstation" ]; then
|
||||
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
|
||||
enable_sysv sdwdate
|
||||
sudo service sdwdate restart
|
||||
if ! [ -f "/var/lib/whonix/do_once/whonixsetup.done" ]; then
|
||||
sudo /usr/bin/whonixsetup
|
||||
fi
|
||||
|
||||
elif [ "${WHONIX}" == "template" -a "${PROXY_SECURE}" == "0" ]; then
|
||||
# Set secure defaults.
|
||||
iptables -P INPUT DROP
|
||||
iptables -P FORWARD DROP
|
||||
iptables -P OUTPUT DROP
|
||||
sudo iptables -P INPUT DROP
|
||||
sudo iptables -P FORWARD DROP
|
||||
sudo iptables -P OUTPUT DROP
|
||||
|
||||
# Flush old rules.
|
||||
iptables -F
|
||||
iptables -X
|
||||
iptables -t nat -F
|
||||
iptables -t nat -X
|
||||
iptables -t mangle -F
|
||||
iptables -t mangle -X
|
||||
sudo iptables -F
|
||||
sudo iptables -X
|
||||
sudo iptables -t nat -F
|
||||
sudo iptables -t nat -X
|
||||
sudo iptables -t mangle -F
|
||||
sudo iptables -t mangle -X
|
||||
|
||||
# Display warning that netvm is not connected to a torvm
|
||||
/usr/lib/whonix/alert update /usr/lib/whonix/messages.yaml
|
||||
|
@ -78,37 +78,6 @@ sudo ~/Whonix/whonix_build \
|
||||
popd
|
||||
EOF
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Pin grub so it won't install
|
||||
# ------------------------------------------------------------------------------
|
||||
read -r -d '' WHONIX_APT_PIN <<'EOF' || true
|
||||
Package: grub-pc
|
||||
Pin: version *
|
||||
Pin-Priority: -100
|
||||
|
||||
Package: grub-pc-bin
|
||||
Pin: version *
|
||||
Pin-Priority: -100
|
||||
|
||||
Package: grub-common
|
||||
Pin: version *
|
||||
Pin-Priority: -100
|
||||
|
||||
Package: grub2-common
|
||||
Pin: version *
|
||||
Pin-Priority: -100
|
||||
EOF
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Set defualts for apt not to install recommended or extra packages
|
||||
# ------------------------------------------------------------------------------
|
||||
read -r -d '' WHONIX_APT_PREFERENCES <<'EOF' || true
|
||||
Acquire::Languages "none";
|
||||
APT::Install-Recommends "false";
|
||||
APT::Install-Suggests "false";
|
||||
Dpkg::Options "--force-confold";
|
||||
EOF
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# Cleanup function
|
||||
# ------------------------------------------------------------------------------
|
||||
@ -131,27 +100,23 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
|
||||
# --------------------------------------------------------------------------
|
||||
pushd "${WHONIX_DIR}"
|
||||
{
|
||||
git add Makefile || true
|
||||
git commit Makefile -m 'Added Makefile' || true
|
||||
su $(logname) -c "git submodule update --init --recursive";
|
||||
}
|
||||
popd
|
||||
|
||||
# --------------------------------------------------------------------------
|
||||
# Patch Whonix submodules
|
||||
# Fake grub installation since Whonix has depends on grub-pc
|
||||
# --------------------------------------------------------------------------
|
||||
mkdir -p "${INSTALLDIR}/boot/grub"
|
||||
cp "${INSTALLDIR}/usr/lib/grub/i386-pc/"* "${INSTALLDIR}/boot/grub"
|
||||
rm -f "${INSTALLDIR}/usr/sbin/update-grub"
|
||||
chroot "${INSTALLDIR}" ln -s /bin/true /usr/sbin/update-grub
|
||||
|
||||
# Chekout a branch; create a branch first if it does not exist
|
||||
checkout_branch() {
|
||||
branch=$(git symbolic-ref --short -q HEAD)
|
||||
if ! [ "$branch" == "$1" ]; then
|
||||
su $(logname) -c git checkout "$1" >/dev/null 2>&1 || \
|
||||
{
|
||||
su $(logname) -c git branch "$1"
|
||||
su $(logname) -c git checkout "$1"
|
||||
}
|
||||
fi
|
||||
}
|
||||
|
||||
# --------------------------------------------------------------------------
|
||||
# sed search and replace. return 0 if replace happened, otherwise 1
|
||||
# --------------------------------------------------------------------------
|
||||
search_replace() {
|
||||
local search="$1"
|
||||
local replace="$2"
|
||||
@ -159,57 +124,6 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
|
||||
sed -i.bak '/'"$search"'/,${s//'"$replace"'/;b};$q1' "$file"
|
||||
}
|
||||
|
||||
# Patch anon-meta-packages to not depend on grub-pc
|
||||
pushd "${WHONIX_DIR}"
|
||||
{
|
||||
search_replace "grub-pc" "" "grml_packages" || :
|
||||
}
|
||||
popd
|
||||
|
||||
pushd "${WHONIX_DIR}/packages/anon-meta-packages/debian"
|
||||
{
|
||||
search1=" grub-pc,";
|
||||
replace="";
|
||||
|
||||
#checkout_branch qubes
|
||||
search_replace "$search1" "$replace" control && \
|
||||
{
|
||||
cd "${WHONIX_DIR}/packages/anon-meta-packages";
|
||||
:
|
||||
#sudo -E -u $(logname) make deb-pkg || :
|
||||
#su $(logname) -c "dpkg-source --commit" || :
|
||||
#git add .
|
||||
#su $(logname) -c "git commit -am 'removed grub-pc depend'"
|
||||
} || :
|
||||
}
|
||||
popd
|
||||
|
||||
pushd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub/usr/lib/anon-dist/chroot-scripts-post.d"
|
||||
{
|
||||
search1="update-grub";
|
||||
replace=":";
|
||||
|
||||
#checkout_branch qubes
|
||||
search_replace "$search1" "$replace" 85_update_grub && \
|
||||
{
|
||||
cd "${WHONIX_DIR}/packages/anon-shared-build-fix-grub";
|
||||
sudo -E -u $(logname) make deb-pkg || :
|
||||
su $(logname) -c "EDITOR=/bin/true dpkg-source -q --commit . no_grub";
|
||||
#git add . ;
|
||||
#su $(logname) -c "git commit -am 'removed grub-pc depend'"
|
||||
} || :
|
||||
}
|
||||
popd
|
||||
|
||||
pushd "${WHONIX_DIR}/build-steps.d"
|
||||
{
|
||||
search1=" check_for_uncommited_changes";
|
||||
replace=" #check_for_uncommited_changes";
|
||||
|
||||
search_replace "$search1" "$replace" 1200_create-debian-packages || :
|
||||
}
|
||||
popd
|
||||
|
||||
# --------------------------------------------------------------------------
|
||||
# Whonix system config dependancies
|
||||
# --------------------------------------------------------------------------
|
||||
@ -222,10 +136,6 @@ if ! [ -f "${INSTALLDIR}/tmp/.whonix_prepared" ]; then
|
||||
chroot "${INSTALLDIR}" useradd -g user -G dialout,cdrom,floppy,sudo,audio,dip,video,plugdev -m -s /bin/bash user
|
||||
}
|
||||
|
||||
# Pin grub packages so they will not install
|
||||
echo "${WHONIX_APT_PIN}" > "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes"
|
||||
chmod 0644 "${INSTALLDIR}/etc/apt/preferences.d/whonix_qubes"
|
||||
|
||||
# Install Whonix build scripts
|
||||
echo "${WHONIX_BUILD_SCRIPT}" > "${INSTALLDIR}/home/user/whonix_build.sh"
|
||||
chmod 0755 "${INSTALLDIR}/home/user/whonix_build.sh"
|
||||
@ -320,10 +230,6 @@ if [ -f "${INSTALLDIR}/tmp/.whonix_installed" ] && ! [ -f "${INSTALLDIR}/tmp/.wh
|
||||
sed -i "s/#alias/alias/g" "${INSTALLDIR}/home/user/.bashrc"
|
||||
sed -i "s/alias l='ls -CF'/alias l='ls -l'/g" "${INSTALLDIR}/home/user/.bashrc"
|
||||
|
||||
# Fake that whonixsetup was already run
|
||||
#mkdir -p "${INSTALLDIR}/var/lib/whonix/do_once"
|
||||
#touch "${INSTALLDIR}/var/lib/whonix/do_once/whonixsetup.done"
|
||||
|
||||
# Fake that initializer was already run
|
||||
mkdir -p "${INSTALLDIR}/root/.whonix"
|
||||
touch "${INSTALLDIR}/root/.whonix/first_run_initializer.done"
|
||||
|
@ -23,3 +23,6 @@ build-essential:native
|
||||
gcc
|
||||
fakeroot
|
||||
lintian
|
||||
|
||||
rsync
|
||||
grub-pc
|
||||
|
Loading…
Reference in New Issue
Block a user