Whonix-gateway configurations

This commit is contained in:
Jason Mehring 2014-10-25 18:06:30 -04:00
parent 477dadb96c
commit cd19220993
13 changed files with 394 additions and 13 deletions

View File

@ -169,6 +169,9 @@ templateNameDist() {
dist_name="${dist_name:0:31}"
fi
fi
# Remove and '+' characters from name since they are invalid for name
dist_name="${dist_name//+/-}"
echo ${dist_name}
}
@ -185,6 +188,8 @@ templateName() {
local template_name="$(templateFlavorPrefix ${template_flavor})${template_flavor}${template_options:++}${template_options}"
# Make sure TEMPLATE_LABEL is an array
TEMPLATE_LABEL=( ${TEMPLATE_LABEL} )
for element in "${TEMPLATE_LABEL[@]}"; do
if [ "${element%:*}" == "${template_name}" ]; then
template_name="${element#*:}"

0
mnt/.gitignore vendored
View File

View File

@ -26,14 +26,3 @@ if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_wh
echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway"
touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations"
fi
# ------------------------------------------------------------------------------
# Remove apt-cacher-ng as it conflicts with something and is only for install
# ------------------------------------------------------------------------------
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
chroot "$INSTALLDIR" apt-get -y --force-yes remove apt-cacher-ng
# ------------------------------------------------------------------------------
# Remove original sources.list. We will use one installed by Whonix now
# ------------------------------------------------------------------------------
rm -f "${INSTALLDIR}/etc/apt/sources.list"

View File

@ -2,11 +2,29 @@
# vim: set ts=4 sw=4 sts=4 et :
# ------------------------------------------------------------------------------
# Configurations
# Source external scripts
# ------------------------------------------------------------------------------
. $SCRIPTSDIR/vars.sh
. ./umount_kill.sh >/dev/null
# ------------------------------------------------------------------------------
# Configurations
# ------------------------------------------------------------------------------
if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
set -x
else
set -e
fi
# ------------------------------------------------------------------------------
# whonix-netvm-gateway contains last known IP used to search and replace
# ------------------------------------------------------------------------------
if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" ]; then
# --------------------------------------------------------------------------
# Install Custom Configurations
# --------------------------------------------------------------------------
echo "10.152.152.11" > "$INSTALLDIR/etc/whonix-ip"
echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway"
touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations"
fi

View File

@ -0,0 +1,112 @@
# file: .
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/hosts
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/udev
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev/rules.d
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: etc/udev/rules.d/99-qubes-whonix.rules
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/hostname
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: etc/sudoers.d
# owner: root
# group: user
user::rwx
group::r-x
other::r-x
# file: etc/sudoers.d/qubes
# owner: root
# group: root
user::r--
group::r--
other::---
# file: .facl
# owner: root
# group: root
user::rw-
group::r--
other::r--
# file: usr
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/setup-ip
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/replace-ips
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
# file: usr/lib/whonix/enable-iptables-logging.sh
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

View File

@ -0,0 +1 @@
host

View File

@ -0,0 +1,16 @@
## Anonymity Distribution /etc/hosts
## Defaults
127.0.0.1 host
::1 host ip6-host ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
## End of defaults
## Anonymity Distribution specific
127.0.0.1 host.localdomain host
## End of Anonymity Distribution specific
## End of Anonymity Distribution /etc/hosts

View File

@ -0,0 +1,46 @@
user ALL=(ALL) NOPASSWD: ALL
# WTF?! Have you lost your mind?!
#
# In Qubes VMs there is no point in isolating the root account from
# the user account. This is because all the user data are already
# accessible from the user account, so there is no direct benefit for
# the attacker if she could escalate to root (there is even no benefit
# in trying to install some persistent rootkits, as the VM's root
# filesystem modifications are lost upon each start of a VM).
#
# One might argue that some hypothetical attacks against the
# hypervisor or the few daemons/backends in Dom0 (so VM escape
# attacks) most likely would require root access in the VM to trigger
# the attack.
#
# That's true, but mere existence of such a bug in the hypervisor or
# Dom0 that could be exploited by a malicious VM, no matter whether
# requiring user, root, or even kernel access in the VM, would be
# FATAL. In such situation (if there was such a bug in Xen) there
# really is no comforting that: "oh, but the mitigating factor was
# that the attacker needed root in VM!" We're not M$, and we're not
# gonna BS our users that there are mitigating factors in that case,
# and for sure, root/user isolation is not a mitigating factor.
#
# Because, really, if somebody could find and exploit a bug in the Xen
# hypervisor -- so far there have been only one (!) publicly disclosed
# exploitable bug in the Xen hypervisor from a VM, found in 2008,
# incidentally by one of the Qubes developers (RW) -- then it would be
# highly unlikely if that person couldn't also found a user-to-root
# escalation in VM (which as we know from history of UNIX/Linux
# happens all the time).
#
# At the same time allowing for easy user-to-root escalation in a VM
# is simply convenient for users, especially for update installation.
#
# Currently this still doesn't work as expected, because some idotic
# piece of software called PolKit uses own set of policies. We're
# planning to address this in Beta 2. (Why PolKit is an idiocy? Do a
# simple experiment: start 'xinput test' in one xterm, running as
# user, then open some app that uses PolKit and asks for root
# password, e.g. gpk-update-viewer -- observe how all the keystrokes
# with root password you enter into the "secure" PolKit dialog box can
# be seen by the xinput program...)
#
# joanna.

View File

@ -0,0 +1 @@
SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"

View File

@ -0,0 +1,22 @@
#!/bin/bash
# Check /var/log/kern.log for logging results
LOG_IP4=1
LOG_IP6=0
# for IPv4
if [ "$LOG_IP4" == "1" ]; then
iptables -t raw -A OUTPUT -p icmp -j TRACE
iptables -t raw -A PREROUTING -p icmp -j TRACE
modprobe ipt_LOG
fi
# for IPv6
if [ "$LOG_IP6" == "1" ]; then
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
modprobe ip6t_LOG
fi

View File

@ -0,0 +1,88 @@
#!/bin/bash
# Search though files and updates IP address to the current
# 'qubes-netvm-gateway' IP address
FILES=(
'/usr/lib/leaktest-workstation/simple_ping.py'
'/usr/lib/whonixcheck/preparation'
'/usr/share/anon-kde-streamiso/share/config/kioslaverc'
'/usr/bin/whonix_firewall'
'/etc/whonix_firewall.d/30_default'
'/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh'
'/usr/bin/uwt'
'/etc/uwt.d/30_uwt_default'
'/usr/share/tor/tor-service-defaults-torrc.anondist'
'/usr/bin/update-torbrowser'
'/etc/network/interfaces.whonix'
'/etc/resolv.conf.anondist'
'/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin'
'/etc/rinetd.conf.anondist'
'/etc/network/interfaces.whonix'
'/usr/share/anon-torchat/.torchat/torchat.ini'
)
# sed search and replace. return 0 if replace happened, otherwise 1
search_replace() {
local search="$1"
local replace="$2"
local file="$3"
local retval=1
if ! [ -L "${file}" ]; then
ls_attrs="$(lsattr "${file}")"
ls_attrs=${ls_attrs:4:1}
if [ "${ls_attrs}" == "i" ]; then
chattr -i "${file}"
fi
fi
sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
retval=$?
if [ "${ls_attrs}" == "i" ]; then
chattr +i "${file}"
fi
return $retval
}
function replace_ips()
{
local search_ip="${1}"
local replace_ip="${2}"
local files=("${!3}")
local replaced=0
# If IP is 10.152.152.10, network is 10.152.152.0
replace_network="${replace_ip%.*}.0"
search_network="${search_ip%.*}.0"
if ! [ "${search_ip}" == "${replace_ip}" ]; then
for file in "${files[@]}"; do
if [ -f "$file" ]; then
search_replace "${search_ip}" "${replace_ip}" "${file}" && replaced=1
search_replace "${search_network}" "${replace_network}" "${file}" && replaced=1
fi
done
fi
return $replaced
}
ip="$(xenstore-read qubes-ip)"
gateway="$(xenstore-read qubes-gateway)"
# Compare to current IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
# Do again; checking for original 10.152.152.11 incase of update
replace_ips "10.152.152.11" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
# Compare to current gateway IP address assiged by Qubes
replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
# Do again; checking for original 10.152.152.10 incase of update
replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway

View File

@ -0,0 +1,71 @@
#!/bin/bash
# Files that will have the immutable bit set
# since we don't want them modified by other programs
IMMUTABLE_FILES=(
'/etc/resolv.conf'
'/etc/hostname'
'/etc/hosts'
)
immutableFilesEnable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
chattr +i "${file}${suffix}"
fi
done
}
immutableFilesDisable() {
files="${1}"
suffix="${2}"
for file in "${files[@]}"; do
if [ -f "${file}" ] && ! [ -L "${file}" ]; then
chattr -i "${file}${suffix}"
fi
done
}
copyAnondist() {
file="${1}"
suffix="${2-.anondist}"
# Remove any softlinks first
if [ -L "${file}" ]; then
rm -f "${file}"
fi
if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then
chattr -i "${file}"
rm -f "${file}"
cp -p "${file}${suffix}" "${file}"
chattr +i "${file}"
elif ! [ -f "${file}" ]; then
cp -p "${file}${suffix}" "${file}"
chattr +i "${file}"
fi
}
# Make sure all .anondist files in list are immutable
immutableFilesEnable "${IMMUTABLE_FILES}"
immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
# Make sure we are using a copy of the annondist file and if not
# copy the annondist file and set it immutable
copyAnondist "/etc/resolv.conf"
copyAnondist "/etc/hosts"
copyAnondist "/etc/hostname"
# Replace IP addresses in known configuration files / scripts to
# currently discovered one
/usr/lib/whonix/replace-ips
# Make sure hostname is correct
/bin/hostname -b host
# Start Whonix Firewall
/usr/bin/whonix_firewall

View File

@ -75,6 +75,8 @@ popd
################################################################################
# Post Fixups
set -e
pushd /etc/network
sudo rm -f interfaces
sudo ln -s interfaces.backup interfaces
@ -86,7 +88,9 @@ sudo ln -s resolv.conf.backup resolv.conf
popd
# Enable Tor
if [ "${1}" == "whonix-gateway" ]; then
sudo sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' /etc/tor/torrc
fi
# Fake that whonixsetup was already run
sudo mkdir -p /var/lib/whonix/do_once
@ -107,6 +111,14 @@ sudo update-rc.d spice-vdagent disable
sudo update-rc.d swap-file-creator disable
sudo update-rc.d whonix-initializer disable
# Remove original sources.list
sudo rm -f /etc/apt/sources.list
sudo apt-get.anondist-orig update
# Remove apt-cacher-ng
DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
sudo apt-get.anondist-orig -y --force-yes remove apt-cacher-ng
sudo touch "/tmp/.prepared_whonix"
EOF