Whonix-gateway configurations

functions.sh

@@ -169,6 +169,9 @@ templateNameDist() {
             dist_name="${dist_name:0:31}"
         fi
     fi
+
+    # Remove and '+' characters from name since they are invalid for name
+    dist_name="${dist_name//+/-}"
     echo ${dist_name}
 }
 
@@ -185,6 +188,8 @@ templateName() {
 
     local template_name="$(templateFlavorPrefix ${template_flavor})${template_flavor}${template_options:++}${template_options}"
 
+    # Make sure TEMPLATE_LABEL is an array
+    TEMPLATE_LABEL=( ${TEMPLATE_LABEL} )
     for element in "${TEMPLATE_LABEL[@]}"; do
         if [ "${element%:*}" == "${template_name}" ]; then
             template_name="${element#*:}"

scripts_debian/wheezy+whonix-gateway/99_custom_configuration.sh

@@ -26,14 +26,3 @@ if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_wh
     echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway"
     touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations"
 fi
-
-# ------------------------------------------------------------------------------
-# Remove apt-cacher-ng as it conflicts with something and is only for install
-# ------------------------------------------------------------------------------
-DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
-    chroot "$INSTALLDIR" apt-get -y --force-yes remove apt-cacher-ng
-
-# ------------------------------------------------------------------------------
-# Remove original sources.list.  We will use one installed by Whonix now
-# ------------------------------------------------------------------------------
-rm -f "${INSTALLDIR}/etc/apt/sources.list"

scripts_debian/wheezy+whonix-workstation/99_custom_configuration.sh

@@ -2,11 +2,29 @@
 # vim: set ts=4 sw=4 sts=4 et :
 
 # ------------------------------------------------------------------------------
-# Configurations
+# Source external scripts
 # ------------------------------------------------------------------------------
 . $SCRIPTSDIR/vars.sh
 . ./umount_kill.sh >/dev/null
 
+# ------------------------------------------------------------------------------
+# Configurations
+# ------------------------------------------------------------------------------
 if [ "$VERBOSE" -ge 2 -o "$DEBUG" == "1" ]; then
     set -x
+else
+    set -e
+fi
+
+# ------------------------------------------------------------------------------
+# whonix-netvm-gateway contains last known IP used to search and replace
+# ------------------------------------------------------------------------------
+if [ -f "$INSTALLDIR/tmp/.prepared_whonix" -a ! -f "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations" ]; then
+    # --------------------------------------------------------------------------
+    # Install Custom Configurations
+    # --------------------------------------------------------------------------
+    echo "10.152.152.11" > "$INSTALLDIR/etc/whonix-ip"
+    echo "10.152.152.10" > "$INSTALLDIR/etc/whonix-netvm-gateway"
+
+    touch "$INSTALLDIR/tmp/.prepared_whonix_custom_configurations"
 fi

scripts_debian/wheezy+whonix-workstation/files/.facl

@@ -0,0 +1,112 @@
+# file: .
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/hosts
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
+# file: etc/udev
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/udev/rules.d
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/udev/rules.d/99-qubes-whonix.rules
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
+# file: etc/hostname
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
+# file: etc/sudoers.d
+# owner: root
+# group: user
+user::rwx
+group::r-x
+other::r-x
+
+# file: etc/sudoers.d/qubes
+# owner: root
+# group: root
+user::r--
+group::r--
+other::---
+
+# file: .facl
+# owner: root
+# group: root
+user::rw-
+group::r--
+other::r--
+
+# file: usr
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: usr/lib
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: usr/lib/whonix
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: usr/lib/whonix/setup-ip
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: usr/lib/whonix/replace-ips
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+
+# file: usr/lib/whonix/enable-iptables-logging.sh
+# owner: root
+# group: root
+user::rwx
+group::r-x
+other::r-x
+

scripts_debian/wheezy+whonix-workstation/files/etc/hostname

@@ -0,0 +1 @@
+host

scripts_debian/wheezy+whonix-workstation/files/etc/hosts

@@ -0,0 +1,16 @@
+## Anonymity Distribution /etc/hosts
+
+## Defaults
+127.0.0.1       host
+::1             host ip6-host ip6-loopback
+fe00::0         ip6-localnet
+ff00::0         ip6-mcastprefix
+ff02::1         ip6-allnodes
+ff02::2         ip6-allrouters
+## End of defaults
+
+## Anonymity Distribution specific
+127.0.0.1 host.localdomain host
+## End of Anonymity Distribution specific
+
+## End of Anonymity Distribution /etc/hosts

scripts_debian/wheezy+whonix-workstation/files/etc/sudoers.d/qubes

@@ -0,0 +1,46 @@
+user ALL=(ALL) NOPASSWD: ALL
+
+# WTF?! Have you lost your mind?!
+#
+# In Qubes VMs there is no point in isolating the root account from
+# the user account. This is because all the user data are already
+# accessible from the user account, so there is no direct benefit for
+# the attacker if she could escalate to root (there is even no benefit
+# in trying to install some persistent rootkits, as the VM's root
+# filesystem modifications are lost upon each start of a VM).
+#
+# One might argue that some hypothetical attacks against the
+# hypervisor or the few daemons/backends in Dom0 (so VM escape
+# attacks) most likely would require root access in the VM to trigger
+# the attack.
+#
+# That's true, but mere existence of such a bug in the hypervisor or
+# Dom0 that could be exploited by a malicious VM, no matter whether
+# requiring user, root, or even kernel access in the VM, would be
+# FATAL. In such situation (if there was such a bug in Xen) there
+# really is no comforting that: "oh, but the mitigating factor was
+# that the attacker needed root in VM!" We're not M$, and we're not
+# gonna BS our users that there are mitigating factors in that case,
+# and for sure, root/user isolation is not a mitigating factor.
+#
+# Because, really, if somebody could find and exploit a bug in the Xen
+# hypervisor -- so far there have been only one (!) publicly disclosed
+# exploitable bug in the Xen hypervisor from a VM, found in 2008,
+# incidentally by one of the Qubes developers (RW) -- then it would be
+# highly unlikely if that person couldn't also found a user-to-root
+# escalation in VM (which as we know from history of UNIX/Linux
+# happens all the time).
+#
+# At the same time allowing for easy user-to-root escalation in a VM
+# is simply convenient for users, especially for update installation.
+#
+# Currently this still doesn't work as expected, because some idotic
+# piece of software called PolKit uses own set of policies. We're
+# planning to address this in Beta 2. (Why PolKit is an idiocy? Do a
+# simple experiment: start 'xinput test' in one xterm, running as
+# user, then open some app that uses PolKit and asks for root
+# password, e.g.  gpk-update-viewer -- observe how all the keystrokes
+# with root password you enter into the "secure" PolKit dialog box can
+# be seen by the xinput program...)
+#
+# joanna.

scripts_debian/wheezy+whonix-workstation/files/etc/udev/rules.d/99-qubes-whonix.rules

@@ -0,0 +1 @@
+SUBSYSTEMS=="xen", KERNEL=="eth*", ACTION=="add", RUN+="/usr/lib/whonix/setup-ip"

scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/enable-iptables-logging.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Check /var/log/kern.log for logging results
+
+LOG_IP4=1
+LOG_IP6=0
+
+# for IPv4
+if [ "$LOG_IP4" == "1" ]; then
+    iptables -t raw -A OUTPUT -p icmp -j TRACE
+    iptables -t raw -A PREROUTING -p icmp -j TRACE
+    modprobe ipt_LOG
+fi
+
+# for IPv6
+if [ "$LOG_IP6" == "1" ]; then
+    ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j TRACE
+    ip6tables -t raw -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j TRACE
+    ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-request -j TRACE
+    ip6tables -t raw -A PREROUTING -p icmpv6 --icmpv6-type echo-reply -j TRACE
+    modprobe ip6t_LOG
+fi

scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/replace-ips

@@ -0,0 +1,88 @@
+#!/bin/bash
+
+# Search though files and updates IP address to the current 
+# 'qubes-netvm-gateway' IP address
+
+FILES=(
+    '/usr/lib/leaktest-workstation/simple_ping.py'
+    '/usr/lib/whonixcheck/preparation'
+    '/usr/share/anon-kde-streamiso/share/config/kioslaverc'
+    '/usr/bin/whonix_firewall'
+    '/etc/whonix_firewall.d/30_default'
+    '/usr/lib/anon-shared-helper-scripts/tor_bootstrap_check.bsh'
+    '/usr/bin/uwt'
+    '/etc/uwt.d/30_uwt_default'
+    '/usr/share/tor/tor-service-defaults-torrc.anondist'
+    '/usr/bin/update-torbrowser'
+    '/etc/network/interfaces.whonix'
+    '/etc/resolv.conf.anondist'
+    '/etc/sdwdate.d/31_anon_dist_stream_isolation_plugin'
+    '/etc/rinetd.conf.anondist'
+    '/etc/network/interfaces.whonix'
+    '/usr/share/anon-torchat/.torchat/torchat.ini'
+)
+
+# sed search and replace. return 0 if replace happened, otherwise 1
+search_replace() {
+    local search="$1"
+    local replace="$2"
+    local file="$3"
+    local retval=1
+
+    if ! [ -L "${file}" ]; then 
+        ls_attrs="$(lsattr "${file}")"
+        ls_attrs=${ls_attrs:4:1}
+        if [ "${ls_attrs}" == "i" ]; then
+            chattr -i "${file}"
+        fi
+    fi
+
+    sed -i.bak '/'"${search}"'/,${s//'"${replace}"'/;b};$q1' "${file}"
+    retval=$?
+
+    if [ "${ls_attrs}" == "i" ]; then
+        chattr +i "${file}"
+    fi
+
+    return $retval
+}
+
+function replace_ips()
+{
+    local search_ip="${1}"
+    local replace_ip="${2}"
+    local files=("${!3}")
+    local replaced=0
+
+    # If IP is 10.152.152.10, network is 10.152.152.0
+    replace_network="${replace_ip%.*}.0"
+    search_network="${search_ip%.*}.0"
+
+    if ! [ "${search_ip}" == "${replace_ip}" ]; then
+        for file in "${files[@]}"; do
+            if [ -f "$file" ]; then
+                search_replace "${search_ip}" "${replace_ip}" "${file}" && replaced=1
+                search_replace "${search_network}" "${replace_network}" "${file}" && replaced=1
+            fi
+        done
+    fi
+    
+    return $replaced
+}
+
+ip="$(xenstore-read qubes-ip)"
+gateway="$(xenstore-read qubes-gateway)"
+
+# Compare to current IP address assiged by Qubes
+replace_ips "$(cat /etc/whonix-ip)" "${ip}" FILES[@] && echo "${ip}" > /etc/whonix-ip
+
+# Do again; checking for original 10.152.152.11 incase of update
+replace_ips "10.152.152.11" "${ip}" FILES[@] &&  echo "${ip}" > /etc/whonix-ip
+
+# Compare to current gateway IP address assiged by Qubes
+replace_ips "$(cat /etc/whonix-netvm-gateway)" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
+
+# Do again; checking for original 10.152.152.10 incase of update
+replace_ips "10.152.152.10" "${gateway}" FILES[@] && echo "${gateway}" > /etc/whonix-netvm-gateway
+
+

scripts_debian/wheezy+whonix-workstation/files/usr/lib/whonix/setup-ip

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Files that will have the immutable bit set 
+# since we don't want them modified by other programs
+IMMUTABLE_FILES=( 
+    '/etc/resolv.conf'
+    '/etc/hostname'
+    '/etc/hosts'
+)
+
+immutableFilesEnable() {
+    files="${1}"
+    suffix="${2}"
+
+    for file in "${files[@]}"; do
+        if [ -f "${file}" ] && ! [ -L "${file}" ]; then 
+            chattr +i "${file}${suffix}"
+        fi
+    done
+}
+
+immutableFilesDisable() {
+    files="${1}"
+    suffix="${2}"
+
+    for file in "${files[@]}"; do
+        if [ -f "${file}" ] && ! [ -L "${file}" ]; then 
+            chattr -i "${file}${suffix}"
+        fi
+    done
+}
+
+copyAnondist() {
+    file="${1}"
+    suffix="${2-.anondist}"
+
+    # Remove any softlinks first
+    if [ -L "${file}" ]; then 
+        rm -f "${file}"
+    fi
+
+    if [ -f "${file}" ] && [ -n "$(diff ${file} ${file}${suffix})" ]; then 
+        chattr -i "${file}"
+        rm -f "${file}"
+        cp -p "${file}${suffix}" "${file}"
+        chattr +i "${file}"
+    elif ! [ -f "${file}" ]; then 
+        cp -p "${file}${suffix}" "${file}"
+        chattr +i "${file}"
+    fi
+}
+
+# Make sure all .anondist files in list are immutable
+immutableFilesEnable "${IMMUTABLE_FILES}"
+immutableFilesEnable "${IMMUTABLE_FILES}" ".anondist"
+
+# Make sure we are using a copy of the annondist file and if not
+# copy the annondist file and set it immutable
+copyAnondist "/etc/resolv.conf"
+copyAnondist "/etc/hosts"
+copyAnondist "/etc/hostname"
+
+# Replace IP addresses in known configuration files / scripts to 
+# currently discovered one
+/usr/lib/whonix/replace-ips
+
+# Make sure hostname is correct
+/bin/hostname -b host
+
+# Start Whonix Firewall
+/usr/bin/whonix_firewall

scripts_debian/wheezy+whonix/02_install_groups_packages_installed.sh

@@ -75,6 +75,8 @@ popd
 ################################################################################
 # Post Fixups
 
+set -e
+
 pushd /etc/network
 sudo rm -f interfaces
 sudo ln -s interfaces.backup interfaces
@@ -86,7 +88,9 @@ sudo ln -s resolv.conf.backup resolv.conf
 popd
 
 # Enable Tor
-sudo sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' /etc/tor/torrc
+if [ "${1}" == "whonix-gateway" ]; then
+    sudo sed -i 's/#DisableNetwork 0/DisableNetwork 0/g' /etc/tor/torrc
+fi
 
 # Fake that whonixsetup was already run
 sudo mkdir -p /var/lib/whonix/do_once
@@ -107,6 +111,14 @@ sudo update-rc.d spice-vdagent disable
 sudo update-rc.d swap-file-creator disable
 sudo update-rc.d whonix-initializer disable
 
+# Remove original sources.list
+sudo rm -f /etc/apt/sources.list
+sudo apt-get.anondist-orig update
+
+# Remove apt-cacher-ng
+DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true \
+    sudo apt-get.anondist-orig -y --force-yes remove apt-cacher-ng
+
 sudo touch "/tmp/.prepared_whonix"
 
 EOF