diff --git a/README.md b/README.md new file mode 100644 index 0000000..6b24a20 --- /dev/null +++ b/README.md @@ -0,0 +1,13 @@ + +This role builds on, and requires, ../base_role and lays down the +basics for cntlm and socks and http and https proxies. It is required +to be run after ../base_role + +Look at the variables in defaults/main.yml to customize the role, and +double-check the settings in vars/*.yml. + +It is multi-target and should run on Gentoo2, Debian4, Devuan5, Ubuntu18 +athough only tested on Gentoo. To bring it up to date, just copy the +existing files in vars and maybe tasks to the new name and edit to suit, +but be advised that it is systemd-challenged, like its author. + diff --git a/overlay/Linux/usr/local/bin/proxy_libvirt_ga_test.bash b/overlay/Linux/usr/local/bin/proxy_libvirt_ga_test.bash index 7ff1bac..d6689ff 100755 --- a/overlay/Linux/usr/local/bin/proxy_libvirt_ga_test.bash +++ b/overlay/Linux/usr/local/bin/proxy_libvirt_ga_test.bash @@ -1,10 +1,8 @@ #!/bin/bash ROLE=proxy -MODE=host #[ $# -eq 0 ] && set -- Whonix-Gateway /bin/cat /proc/cmdline -[ $# -eq 0 ] && set -- Whonix-Gateway /bin/netstat -lnp4 [ $# -lt 2 ] && echo USAGE: $0 domain command arguments HOST=$1 diff --git a/overlay/Linux/usr/local/bin/proxy_ping_test.bash b/overlay/Linux/usr/local/bin/proxy_ping_test.bash index f0fa7d4..b4c2195 100755 --- a/overlay/Linux/usr/local/bin/proxy_ping_test.bash +++ b/overlay/Linux/usr/local/bin/proxy_ping_test.bash @@ -7,6 +7,7 @@ ROLE=proxy PYVER=3 # DEBUG=1 +# TRACE=1 . /usr/local/bin/proxy_ping_lib.bash || \ { ERROR loading /usr/local/bin/proxy_ping_lib.bash ; exit 6; } 
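Review bot: With the default `set -- Whonix-Gateway /bin/netstat -lnp4` removed from `proxy_libvirt_ga_test.bash`, a call with no arguments now prints the USAGE line and keeps going with an empty `HOST`, because `[ $# -lt 2 ] && echo USAGE: $0 domain command arguments` never exits. Make the guard terminate and send the message to stderr: `[ $# -lt 2 ] && { echo "USAGE: $0 domain command arguments" >&2 ; exit 2 ; }`. The rest of the script, which consumes `HOST` and the command, is outside the hunk.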
@@ -19,17 +20,17 @@ which nslookup 2>/dev/null >/dev/null && HAVE_NSLOOKUP=1 || HAVE_NSLOOKUP=0 which tor-resolve 2>/dev/null >/dev/null && HAVE_TOR_RESOLVE=1 || HAVE_TOR_RESOLVE=0 [ -z "$prog" ] || prog=proxy_ping_test -proxy_ping_get_socks +proxy_ping_get_socks >/dev/null [ -z "$SOCKS_HOST" ] && SOCKS_HOST=127.0.0.1 [ -z "$SOCKS_PORT" ] && SOCKS_PORT=9050 [ -z "$SOCKS_DNS" ] && SOCKS_DNS=9053 HTTPS_PORT=9128 HTTPS_HOST=127.0.0.1 -proxy_ping_get_https +proxy_ping_get_https >/dev/null [ -z "$HTTPS_HOST" ] && HTTPS_HOST=127.0.0.1 HTTP_PORT=3128 HTTP_PROXY_HOST=127.0.0.1 -proxy_ping_get_http +proxy_ping_get_http >/dev/null [ -z "$HTTP_HOST" ] && HTTP_HOST=127.0.0.1 [ -f $PREFIX/etc/testforge/testforge.bash ] && \ @@ -80,9 +81,15 @@ SCURL="/usr/local/bin/scurl.bash --output /dev/null" NSL='nslookup -querytype=A -debug' NETS='netstat -nl4e' ALL="" +USAGE="$prog without arguments tests the current MODE=$MODE, +or with 0 to list the tests by number, +or one or more of the groups: + +" [ -z "$USER" ] && USER=$(id -un ) -[ $USER = root ] && DMESG_LINES=1 || DMESG_LINES=0 +[ $USER = root -a -n "$TRACE" -a "$TRACE" != '0' ] && DMESG_LINES=1 || DMESG_LINES=0 + [ -n "$PROXY_WLAN" ] || PROXY_WLAN=`proxy_ping_get_wlan` # fixme - required PROXY_WLAN=$( echo $PROXY_WLAN | grep ^wlan |sed -e 's/:.*//' ) @@ -91,11 +98,6 @@ PROXY_WLAN=$( echo $PROXY_WLAN | grep ^wlan |sed -e 's/:.*//' ) # fixme - required PROXY_WLAN_GW=$( echo $PROXY_WLAN_GW | grep ^wlan |sed -e 's/:.*//' ) MODE=$( proxy_ping_mode ) -USAGE="$prog without arguments tests the current MODE=$MODE, -or 0 to list the tests by number, -or one or more of the groups: - -" DNS_HOST=$SOCKS_HOST [ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin 
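Review bot: The `USAGE=` block moved into the `@@ -80` hunk expands `$MODE` before `MODE=$( proxy_ping_mode )` runs a few lines later (the assignment is visible in the `@@ -91` hunk, where USAGE used to follow it), so the help text will read `MODE=` with nothing after it unless MODE is exported by the caller or set earlier in the file. Either keep the assignment after `MODE=$( proxy_ping_mode )`, or build the string where it is printed. While here, `[ $USER = root -a -n "$TRACE" -a "$TRACE" != '0' ]` relies on the deprecated `-a` and an unquoted `$USER`; `[ "$USER" = root ] && [ -n "$TRACE" ] && [ "$TRACE" != 0 ]` says the same and stays in the file's `[ ]` style.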
@@ -244,20 +246,21 @@ proxy_run_as_root () { DBUG proxy_run_as_root $* ; return 1 } -## proxy_test_pretests -proxy_test_pretests () { - if [ "$1" = panic ] ; then +# could pull these out as tests and add them to +## proxy_test_pretest_exit +proxy_test_pretest_exit () { + proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; } + if [ "$1" = panic -o "$1" = firewall ] ; then : dont ping on panic proxy_ping_broken || proxy_do_ping || \ { WARN ping failed for panic so skipping ; exit 0 ; } elif [ "$1" = direct -o "$1" = gateway -o "$1" = vda -o "$1" = kick ] ; then - proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; } proxy_ping_broken || proxy_do_ping || exit 3$? proxy_ping_test_resolv $MODE ||\ { WARN $prog proxy_ping_test_resolv=$? 'echo nameserver 127.0.0.1 > /etc/resolv.conf' ; exit 4 ; } proxy_ping_firewall_start || { ERROR "proxy_ping_firewall_start ret=$?" ; exit 5 ; } elif [ "$1" = nat ] ; then - proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; } + : proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; } else proxy_do_ping || exit 4$? proxy_ping_test_resolv $MODE || \ @@ -270,9 +273,25 @@ proxy_test_pretests () { ## proxy_test_help_args proxy_test_help_args () { + declare -a elts=() declare -a ret=() - ret=( $(grep " -.* $1 " /tmp/proxy_ping_test.hlp | \ - sed -e 's/.=.*//' -e 's/.*tests.//') ) + local elt + if [ "$1" = selektor -o "$1" = whonix -o "$1" = torhost ] ; then + elts=($1 socks http dns https tordns firefail) + elif [ "$1" = torlibvirthost ] ; then + elts=($1 libvirthost socks http https tordns firefail) + elts+=($MODE) + elif [ "$1" = gateway ] ; then + elts=($1 libvirtguest socks dns http https firefail) + else + elts=($1) + fi + for elt in "${elts[@]}" ; do +# DBUG proxy_test_help_args $elt $1 >&2 + ret+=( $(grep " -.* $elt " /tmp/proxy_ping_test.hlp | \ + sed -e 's/.=.*//' -e 's/.*tests.//') ) + done + DBUG proxy_test_help_args "${ret[@]}" >&2 echo "${ret[@]}" return 0 } 
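Review bot: In the new first line of `proxy_test_pretest_exit`, `proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; }` builds the exit code from `$?` after `ERROR` has run, so the route test's own status is lost and, if `ERROR` returns 0 as a logging helper usually does, the script always exits 10. Capture it first: `proxy_route_test || { retval=$? ; ERROR $prog route not connected ; exit 1$retval ; }`. Hoisting the check also applies it to the `panic`/`firewall` and default branches, which previously skipped it; that looks intended given the neutralised copy in the `nat` branch (`: proxy_route_test || ...` is a no-op, since `:` always succeeds), but a one-line comment such as `# route must be up in every mode; per-mode copies removed` would make that explicit. The function body continues past the hunk.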
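Review bot: `proxy_test_help_args` now greps `/tmp/proxy_ping_test.hlp` once per group element, and that is a fixed, predictable name in a world-writable directory; since parts of this script run as root (`[ $USER = root ]`), a file or symlink pre-created there by another local user would decide which test numbers the `set -- \`proxy_ping_test_set_args "$@"\`` caller presumably ends up with. Where the file is written is not in this diff, but the writer should take the path from `mktemp` (or keep it under a root-owned directory such as `/run` or `/var/lib`) and the reader should use the same variable rather than a literal. Also, `ret+=( $(grep " -.* $elt " ...) )` relies on unquoted word-splitting to turn the grep output into array elements; add `# word-splitting intended: one test number per word` so a later cleanup does not quote it away.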
@@ -293,9 +312,6 @@ proxy_ping_test_set_args () { ## vda - through the Gateway with the firewall - also polipo,panic - uses env [ "$1" = vda ] && aret=( 35 3 20 ) # -## tor - tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition -[ "$1" = tor ] && - aret=( 21 30 20 4 5 36 3 ) ## kick - open firewall with tor running - call dns,polipo +tor in addition [ "$1" = kick -o "$1" = host ] && aret=( 24 31 13 16 6 )# 30 24 31 6 13 16 @@ -304,15 +320,19 @@ proxy_ping_test_set_args () { aret=( 23 25 4 5 30 24 17 3 21 ) # 31 6 16 # aliases +# socks defines http as the target of a user using socks [ "$1" = "$SOCKS_PORT" ] && set -- socks +# http defines http as the target of a user using http [ "$1" = "$HTTP_PORT" ] && set -- http +# https defines http as the target of a user using https [ "$1" = "$HTTPS_PORT" ] && set -- https +# dns defines http as the target of a user using dns [ "$1" = "53" ] && set -- dns +# tordns defines http as the target of a user using tordns [ "$1" = "9053" ] && set -- tordns [ "$1" = scan ] && set -- iwlist [ "$1" = panic ] && set -- firewall -[ "$1" = tor ] && set -- torhost [ "$1" = to_gateway ] && set -- whonix [ "$1" = from_tor ] && set -- whonix [ "$1" = from_gateway ] && set -- gateway 
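Review bot: The five new alias comments all read `# X defines http as the target of a user using X`, including the ones above `dns` and `tordns`, which cannot describe those lines — each line maps a bare port number (`$SOCKS_PORT`, `$HTTP_PORT`, `$HTTPS_PORT`, `53`, `9053`) to the group name that exercises that port. Replace them with one comment over the block, e.g. `# aliases: a bare port number selects the test group that uses that port`, so the intent is stated once and correctly. `proxy_ping_test_set_args` starts and ends outside this hunk.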
@@ -326,11 +346,11 @@ proxy_ping_test_set_args () { set -- ping dns socks http https tordns firefail libvirtguest # wifi? [ "$1" = whonix ] && \ - set -- ping tordns dns socks http https torhost tordns firefail gw -[ "$1" = tor ] && \ - set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw -[ "$1" = selektor ] && \ - set -- ping tordns dns trace socks http https torhost tordns firefail nmap gw + set -- ping tordns dns socks http https torhost tordns firefail gw +[ "$1" = tor -o "$1" = selektor ] && \ + set -- ping tordns dns trace torhost nmap gw +## torhost implies - +#? tor with the firewall to test the host side tor server - call to_tor,dns,ntp in addition [ "$1" = direct -o "$1" = '' ] && \ set -- ping dns trace nmap gw 
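Review bot: The new comment pair `## torhost implies -` / `#? tor with the firewall to test the host side tor server ...` is unfinished — the first line ends in a dash with nothing after it, and the second is the fragment left over from the `## tor` entry deleted in the `@@ -293` hunk. Either complete the sentence with what `torhost` actually implies, or drop both lines. Separately, the `tor`/`selektor` list is reduced to `ping tordns dns trace torhost nmap gw`, while `proxy_test_help_args` in the `@@ -270` hunk still expands `selektor` to `socks http dns https tordns firefail`; if the two functions are meant to agree, one of them is now stale. `proxy_ping_test_set_args` continues on both sides of the hunk.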
@@ -339,33 +359,34 @@ proxy_ping_test_set_args () { # aret="${#tests[@]}" ## gw - test if we are connected to the gateway -## torhost - running tor with the firewall ## env - from the cmdline with a properly setup env ## firefail - test the proxy without env vars to expect failure +## torhost - running tor with the firewall ## http - assumes torhost or whonix and env setup ## https - assumes torhost or whonix and env setup ## socks - assumes torhost or whonix and env setup +## tordns - test 9053 for dns using tor-resolve +## dns - dns using tor or the gateway, with the firewall - does not assume env ## ping - connected routed test the ping to DNS hosts ## ntp - ntpdate through the firewall ## nmap - nmap sgid through the firewall - does not assume env -## iwlist - wlan scan +## iwlist - wlan scan of a wifi host ## firewall - test that the firewall blocks -## virbr1 - assumes tor or whonix -## gateway - ssh to the whonix gateway +## virbr1 - looks for virbr1 on a libvirt host torhost or whonix +## gateway - ssh to the whonix gateway from the torhost ## trace - traceroute to DNSHOST - icmp is allowed by the firewall, except on vda ## wifi - test if we are connected - call scan in addition ## libvirthost - hosting a libvirt container ## libvirtguest - in a libvirt container -## tordns - test 9053 for dns using tor-resolve -## dns - dns using tor or the gateway, with the firewall - does not assume env -## whonix - whonix to the Gateway with the firewall - also panic - not assume env -## whonix - whonix gateway host side client setup with the firewall was from_to## direct - assume no firewall and no proxy - but may work depend on env -r +## whonix - whonix torhost with libvirt container running gateway behind firewall - aliases: to_gateway from_tor +## direct - assume no firewall and no proxy - but may work depend on env + for elt in "$@" ; do if [ "$elt" = gw -o "$elt" = '' -o "$elt" = env -o \ "$elt" = https -o "$elt" = http -o "$elt" = socks -o "$elt" = dns -o \ 
"$elt" = torhost -o "$elt" = tordns -o "$elt" = whonix -o \ - "$elt" = libvirthost -o "$elt" = libvirtguest -o "$elt" = virbr1 -o \ + "$elt" = libvirthost -o "$elt" = torlibvirthost -o \ + "$elt" = libvirtguest -o "$elt" = virbr1 -o \ "$elt" = ping -o "$elt" = trace -o "$elt" = ntp -o "$elt" = nmap -o \ "$elt" = iwlist -o "$elt" = firefail -o "$elt" = direct -o \ "$elt" = trace -o "$elt" = wifi -o "$elt" = '' -o "$elt" = '' \ @@ -405,9 +426,8 @@ if [ $1 = '-h' -o $1 = '--help' ] ; then set -- `proxy_ping_test_set_args "$@"` DBUG running tests numbered "$@" fi -proxy_route_test || { ERROR $prog route not connected ; exit 1$? ; } -proxy_test_pretests "$1" +proxy_test_pretest_exit "$1" # https://stackoverflow.com/questions/8290046/icmp-sockets-linux/20105379#20105379 if [ $( id -u ) -eq 0 ] ; then @@ -471,6 +491,7 @@ while [ "$#" -gt 0 ] ; do [ $DEBIAN -eq 0 ] && continue [ -z "$socks_proxy" ] && socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT + # mode whonix implies torhost if [ $MODE = whonix ] ; then ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e| grep 15:$SOCKS_PORT || { retval=$? 
@@ -496,14 +517,16 @@ while [ "$#" -gt 0 ] ; do GREP="$SOCKS_PORT" elif [ $ARG -eq 4 ] ; then - tests[4]="dig_socks_through_as_user @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com - tordns " + tests[4]="dig_socks_through_as_user @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET - tordns " [ $HAVE_DIG = 1 ] || continue if [ $MODE = whonix ] ; then + # test ssh to the whonix_gateway libvirt container + # and make sure that the socks proxy is runninh ssh -o ForwardX11=no user@10.0.2.15 netstat -nl4e | grep 15:$SOCKS_DNS fi - dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \ + dig @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET +timeout=$TIMEOUT >/dev/null || { \ retval=$? - WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @${SOCKS_HOST} -p $SOCKS_DNS www.whatismypublicip.com + WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig @${SOCKS_HOST} -p $SOCKS_DNS $DNS_TARGET [ -z "$ALL" ] && exit $ARG$retval || continue } INFO $prog test=$ARG "${tests[$ARG]}" @@ -513,7 +536,7 @@ while [ "$#" -gt 0 ] ; do elif [ $ARG -eq 5 ] ; then tests[5]="nslookup_socks_as_user - tordns " [ $HAVE_NSLOOKUP = 1 ] || continue - desc="$NSL -port=$SOCKS_DNS www.whatismypublicip.com ${DNS_HOST}" + desc="$NSL -port=$SOCKS_DNS $DNS_TARGET ${DNS_HOST}" $desc >/dev/null || { \ retval=$? WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval $desc @@ -697,8 +720,9 @@ while [ "$#" -gt 0 ] ; do [ $DEBIAN -eq 0 ] && continue socks_proxy=socks5h://${SOCKS_HOST}:$SOCKS_PORT - proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null \ - || { retval=$? ; ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $SOCKS_PORT + proxy_ping_curl -x $socks_proxy https://$HTTP_TARGET >/dev/null || { + retval=$? ; + ERROR $prog test=$ARG "${tests[$ARG]}" retval=$retval curl $SOCKS_PORT [ -z "$ALL" ] && exit $ARG$retval || continue } INFO $prog test=$ARG "${tests[$ARG]}" 
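Review bot: `$DNS_TARGET` replaces the hard-coded `www.whatismypublicip.com` in every `dig`/`nslookup` call here and in the `@@ -513`, `@@ -742`, `@@ -758` and `@@ -777` hunks, but no default or assignment for it appears anywhere in the diff; if it is unset, `dig @${SOCKS_HOST} -p $SOCKS_DNS +timeout=$TIMEOUT` queries the root zone instead and normally succeeds, so tests 4, 24 and 27 would pass without resolving anything, and `nslookup` with no name would wait on stdin. Define it once next to the other defaults, `[ -z "$DNS_TARGET" ] && DNS_TARGET=www.whatismypublicip.com`, or fail fast with `: "${DNS_TARGET:?must be set}"`. In the `whonix` branch of test 4 the new comment says the code will "make sure that the socks proxy is runninh" (sic), but the status of `ssh ... netstat -nl4e | grep 15:$SOCKS_DNS` is discarded; the `@@ -471` hunk checks the same pattern with `|| { retval=$? ...` and this one should too. The enclosing `while` loop starts and ends outside the hunk.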
@@ -742,11 +766,11 @@ while [ "$#" -gt 0 ] ; do INFO $prog test=$ARG "${tests[$ARG]}" elif [ $ARG -eq 24 ] ; then - tests[24]="dig_direct_or_dnsmasq dig -b $IP www.whatismypublicip.com - direct " + tests[24]="dig_direct_or_dnsmasq dig -b $IP $DNS_TARGET - direct " [ $HAVE_DIG = 1 ] || continue [ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue [ -n "$IP" ] || continue - dig -b $IP www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \ + dig -b $IP $DNS_TARGET +timeout=$TIMEOUT >/dev/null || { \ retval=$? WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP [ -z "$ALL" ] && exit $ARG$retval || continue @@ -758,9 +782,9 @@ while [ "$#" -gt 0 ] ; do [ $HAVE_NSLOOKUP = 1 ] || continue # noenv with or without proxy # @$DNS_HOST1 should fail for firewall unless dnsmasq is working - $NSL >/dev/null www.whatismypublicip.com || { \ + $NSL >/dev/null $DNS_TARGET || { \ retval=$? - WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup www.whatismypublicip.com + WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval nslookup $DNS_TARGET [ -z "$ALL" ] && exit $ARG$retval || continue } INFO $prog test=$ARG "${tests[$ARG]}" nslookup @@ -768,7 +792,7 @@ while [ "$#" -gt 0 ] ; do elif [ $ARG -eq 26 ] ; then tests[26]="route_connected_ping_scan - direct " [ $HAVE_DIG = 1 ] || continue - #? proxy_test_pretests + #? done already in proxy_test_pretest_exit proxy_do_ping && \ INFO $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP || \ WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP 
@@ -777,7 +801,7 @@ while [ "$#" -gt 0 ] ; do tests[27]="dns_as_user dig -b 127.0.0.1 - direct " [ $HAVE_DIG = 1 ] || continue [ -n "$PROXY_WLAN" -a -n "$IP" ] || proxy_ping_get_wlan_gw || continue - dig -b 127.0.0.1 www.whatismypublicip.com +timeout=$TIMEOUT >/dev/null || { \ + dig -b 127.0.0.1 $DNS_TARGET +timeout=$TIMEOUT >/dev/null || { \ retval=$? WARN $prog test=$ARG "${tests[$ARG]}" retval=$retval dig -b $IP [ -z "$ALL" ] && exit $ARG$retval || continue @@ -808,9 +832,9 @@ while [ "$#" -gt 0 ] ; do elif [ $ARG -eq 30 ] ; then tests[30]="tor_bootstrap_check_as_root tor_bootstrap_check.py - torhost " - [ $MODE = tor -o $MODE = selektor ] || { - ERROR $prog MODE != tor test=$ARG - [ -z "$ALL" ] && exit $ARG$retval || continue + [ $MODE = tor -o $MODE = whonix -o $MODE = selektor ] || { + # are there other roles that run tor? + WARN $prog MODE != tor test=$ARG } port=$SOCKS_PORT $NETS | grep -q :$port || { @@ -834,7 +858,7 @@ while [ "$#" -gt 0 ] ; do tests[31]="curl_noproxy_as_root polipo http pages $HTTP_PORT - direct http " proxy_ping_curl --noproxy http://${HTTP_HOST}:$HTTP_PORT && { \ retval=$? - ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval polipo http pages $HTTP_PORT + ERROR PANIC: $prog test=$ARG "${tests[$ARG]}" retval=$retval http to $HTTP_PORT [ -z "$ALL" ] && exit $ARG$retval || continue } INFO $prog test=$ARG "${tests[$ARG]}" @@ -923,7 +947,7 @@ while [ "$#" -gt 0 ] ; do INFO $prog test=$ARG "${tests[$ARG]}" GREP="" elif [ $ARG -eq 38 ] ; then - tests[38]="qemu-guest-agent and ports - libvirthost whonix " + tests[38]="qemu-guest-agent and ports - libvirthost " [ $USER = root ] || continue $PL proxy_libvirt_list aret=$? 
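Review bot: In test 30 the mode check was downgraded from `ERROR ... exit` to a bare `WARN`, so when `MODE` is not `tor`, `whonix` or `selektor` the block falls straight through to `port=$SOCKS_PORT` / `$NETS | grep -q :$port` and runs the tor bootstrap check anyway. If that is intended (the `# are there other roles that run tor?` comment suggests so), say it in the comment; otherwise keep the skip with `WARN $prog MODE != tor test=$ARG ; continue`, which is how the other inapplicable tests in this loop (`[ $HAVE_DIG = 1 ] || continue`) behave. The `while` loop and its `elif` chain begin and end outside the hunk.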
@@ -932,9 +956,10 @@ while [ "$#" -gt 0 ] ; do elif [ $aret -ne 10 -a $aret -ne 0 ] ; then DBUG proxy_libvirt_status aret=$aret else - $PL proxy_libvirt_list | grep -q "$GATEW_DOM" || { - ERROR MODE=$MODE and $GATEW_DOM not running ; - [ -z "$ALL" ] && exit $ARG$retval || continue + # was $GATEW_DOM but now can be gentoo_vm-2 etc + $PL proxy_libvirt_list 2>&1 | grep -q "running" || { + WARN MODE=$MODE and nothing libvirt running ; + continue } INFO $prog test=$ARG "${tests[$ARG]}" fi @@ -959,8 +984,6 @@ exit 0 curl $D -k --proxy 3) curl $D -k --proxy socks5://${SOCKS_HOST}:$SOCKS_PORT --proxy-insecure - 5) - nslookup -port=$SOCKS_DNS www.whatismypublicip.com ${SOCKS_HOST} \ 6) curl -k --proxy $HTTP_PORT 16) diff --git a/overlay/Linux/usr/local/etc/ssl/cacert-testforge.pem b/overlay/Linux/usr/local/etc/ssl/cacert-testforge.pem new file mode 120000 index 0000000..169da01 --- /dev/null +++ b/overlay/Linux/usr/local/etc/ssl/cacert-testforge.pem @@ -0,0 +1 @@ +cacert-curl.se_ca_cacert.pem \ No newline at end of file diff --git a/overlay/Linux/usr/local/etc/systemd/KickSecure.mask b/overlay/Linux/usr/local/etc/systemd/KickSecure.mask new file mode 100755 index 0000000..b308633 --- /dev/null +++ b/overlay/Linux/usr/local/etc/systemd/KickSecure.mask 
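Review bot: `$PL proxy_libvirt_list 2>&1 | grep -q "running"` folds stderr into the pipe, so any diagnostic that happens to contain the word "running" (a virsh error text, a debug line from `$PL`) satisfies the check and test 38 reports success with no domain up. Keep stderr out of the match and anchor the word, e.g. `$PL proxy_libvirt_list 2>/dev/null | grep -qw running || {`. The `if`/`elif` chain this sits in starts outside the hunk.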
@@ -0,0 +1,285 @@ +# accounts-daemon.service +# acpid.path +# acpid.service +# acpid.socket +# acpi-support.service +# alsa-restore.service +# alsa-state.service +# alsa-utils.service +# apparmor.service +# apparmor.service.d +apt-daily.service +apt-daily.timer +apt-daily-upgrade.service +apt-daily-upgrade.timer +# autovt@.service +# basic.target +# blk-availability.service +# blockdev@.target +bluetooth.target +# bootclockrandomization.service +# boot-complete.target +# canary.service +# console-getty.service +# console-setup.service +# console-setup.service.d +# container-getty@.service +# cryptdisks-early.service +# cryptdisks.service +# cryptsetup-pre.target +# cryptsetup.target +# ctrl-alt-del.target +# dbus-org.freedesktop.hostname1.service +# dbus-org.freedesktop.locale1.service +# dbus-org.freedesktop.login1.service +# dbus-org.freedesktop.timedate1.service +# dbus.service +# dbus.socket +# debug-shell.service +# default.target +dev-hugepages.mount +# dev-mqueue.mount +# dist-skel-first-boot.service +# dm-event.service +# dm-event.socket +# e2scrub_all.service +# e2scrub_all.timer +# e2scrub_fail@.service +# e2scrub_reap.service +# e2scrub@.service +# emergency.service +# emergency.target +# exit.target +# final.target +# first-boot-complete.target +# flatpak-system-helper.service +# fstrim.service +# fstrim.timer +# gdm3.service +# gdm.service +# getty-pre.target +# getty@.service +# getty-static.service +# getty.target +# getty.target.wants +# graphical.target +# graphical.target.wants +# halt.target +# haveged.service +# haveged.service.d +# hibernate.target +# hide-hardware-info.service +# hwclock.service +# hybrid-sleep.target +# initrd-cleanup.service +# initrd-fs.target +# initrd-parse-etc.service +# initrd-root-device.target +# initrd-root-device.target.wants +# initrd-root-fs.target +# initrd-switch-root.service +# initrd-switch-root.target +# initrd.target +# initrd-udevadm-cleanup-db.service +# jitterentropy.service +# kexec.target +# 
keyboard-setup.service +# kmod.service +# kmod-static-nodes.service +# live-mode-apparmor.service +# live-tools.service +# local-fs-pre.target +# local-fs.target +# local-fs.target.wants +# lvm2-lvmpolld.service +# lvm2-lvmpolld.socket +# lvm2-monitor.service +# lvm2-pvscan@.service +# lvm2.service +# machine.slice +# man-db.service +# man-db.timer +# mnt-shared-kvm.service +# mnt-shared-vbox.service +# modprobe@.service +# msgcollector.service +# multi-user.target +# multi-user.target.wants +# NetworkManager-dispatcher.service +# NetworkManager.service +# NetworkManager-wait-online.service +# network-online.target +# network-pre.target +# network.target +# nss-lookup.target +# nss-user-lookup.target +# openvpn-client@.service +# openvpn@openvpn.service.d +# openvpn-server@.service +# openvpn.service +# openvpn@.service +# orca-kill-at-shutdown.service +# paths.target +# permission-hardening.service +# polkit.service +# poweroff.target +# printer.target +# proc-hidepid.service +# procps.service +# proc-sys-fs-binfmt_misc.automount +# proc-sys-fs-binfmt_misc.mount +# pulseaudio-enable-autospawn.service +# qubes-sync-time.service.d +# quotaon.service +# rc-local.service +# rc-local.service.d +# rc.service +# rcS.service +# reboot.target +# remote-cryptsetup.target +# remote-fs-pre.target +# remote-fs.target +# remount-secure.service +# remove-system-map.service +# rescue.service +# rescue.target +# rescue.target.wants +# rpcbind.target +# rsync.service +# runlevel0.target +# runlevel1.target +# runlevel1.target.wants +# runlevel2.target +# runlevel2.target.wants +# runlevel3.target +# runlevel3.target.wants +# runlevel4.target +# runlevel4.target.wants +# runlevel5.target +# runlevel5.target.wants +# runlevel6.target +sdwdate-gui-shutdown-notify.service +sdwdate-pre.service +sdwdate.service +# sdwdate.service.d +sdwdate-start-anondate-set-file-watcher.service +# serial-getty@.service +# shutdown.target +# sigpwr.target +# sleep.target +# slices.target +# 
smartcard.target +# sockets.target +# sockets.target.wants +# sound.target +# sound.target.wants +# sudo.service +# suspend.target +# suspend-then-hibernate.target +# swap.target +# sys-fs-fuse-connections.mount +# sysinit.target +# sysinit.target.wants +# sys-kernel-config.mount +# sys-kernel-debug.mount +# sys-kernel-tracing.mount +# syslog.socket +# systemd-ask-password-console.path +# systemd-ask-password-console.service +# systemd-ask-password-wall.path +# systemd-ask-password-wall.service +# systemd-backlight@.service +# systemd-binfmt.service +# systemd-bless-boot.service +# systemd-boot-check-no-failures.service +# systemd-boot-system-token.service +# systemd-exit.service +# systemd-fsckd.service +# systemd-fsckd.socket +# systemd-fsck-root.service +# systemd-fsck@.service +# systemd-halt.service +# systemd-hibernate-resume@.service +# systemd-hibernate.service +# systemd-hostnamed.service +# systemd-hwdb-update.service +# systemd-hybrid-sleep.service +# systemd-initctl.service +# systemd-initctl.socket +# systemd-journald-audit.socket +# systemd-journald-dev-log.socket +# systemd-journald.service +# systemd-journald@.service +# systemd-journald.socket +# systemd-journald@.socket +# systemd-journald-varlink@.socket +# systemd-journal-flush.service +# systemd-kexec.service +# systemd-localed.service +# systemd-localed.service.d +# systemd-logind.service +# systemd-machine-id-commit.service +# systemd-modules-load.service +# systemd-networkd.service +# systemd-networkd.socket +# systemd-networkd-wait-online.service +# systemd-network-generator.service +# systemd-poweroff.service +# systemd-pstore.service +# systemd-quotacheck.service +# systemd-random-seed.service +# systemd-reboot.service +# systemd-remount-fs.service +# systemd-resolved.service +# systemd-resolved.service.d +# systemd-rfkill.service +# systemd-rfkill.socket +# systemd-suspend.service +# systemd-suspend-then-hibernate.service +# systemd-sysctl.service +# systemd-sysusers.service +# 
systemd-timedated.service +# systemd-timesyncd.service.d +# systemd-time-wait-sync.service +# systemd-tmpfiles-clean.service +# systemd-tmpfiles-clean.timer +# systemd-tmpfiles-setup-dev.service +# systemd-tmpfiles-setup.service +# systemd-udevd-control.socket +# systemd-udevd-kernel.socket +# systemd-udevd.service +# systemd-udev-settle.service +# systemd-udev-trigger.service +# systemd-update-utmp-runlevel.service +# systemd-update-utmp.service +# systemd-user-sessions.service +# systemd-volatile-root.service +# system-systemd\x2dcryptsetup.slice +# system-update-cleanup.service +# system-update-pre.target +# system-update.target +# timers.target +# timers.target.wants +# timesanitycheck.service +# time-set.target +# time-sync.target +# tor@default.service +tor.service +tor@.service +# udev.service +# udisks2.service +# umount.target +# upower.service +# usb-gadget.target +# user-runtime-dir@.service +# user@.service +# user@.service.d +# user.slice +# user-.slice.d +# virtualbox-guest-utils.service +# whonix-legacy.service +# wpa_supplicant-nl80211@.service +# wpa_supplicant.service +# wpa_supplicant@.service +# wpa_supplicant-wired@.service +# x11-common.service diff --git a/overlay/Linux/usr/local/etc/systemd/proxy.mask b/overlay/Linux/usr/local/etc/systemd/proxy.mask new file mode 100644 index 0000000..11d08a8 --- /dev/null +++ b/overlay/Linux/usr/local/etc/systemd/proxy.mask @@ -0,0 +1,7 @@ +multi-user.target.wants/NetworkManager.service +multi-user.target.wants/bootclockrandomization.service +multi-user.target.wants/openvpn.service +multi-user.target.wants/remote-fs.target +multi-user.target.wants/sdwdate.service +privoxy.service +sdwdate.service diff --git a/overlay/Linux/usr/local/lib/whonix-libvirt/host-boot-popup b/overlay/Linux/usr/local/lib/whonix-libvirt/host-boot-popup new file mode 100755 index 0000000..ce2d360 --- /dev/null +++ b/overlay/Linux/usr/local/lib/whonix-libvirt/host-boot-popup 
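Review bot: `KickSecure.mask` is committed with mode 100755, but it is a list of unit names, not a program; it should be 100644. The file has no header saying what consumes it or what an uncommented line means (presumably a unit to `systemctl mask`, with the `#` lines kept as the full inventory), so the first lines should state that, e.g. `# units masked by the proxy role on a KickSecure guest; commented units are listed for reference only`. The active entries include `sdwdate-pre.service`, `sdwdate.service` and `tor.service`/`tor@.service`; on a Whonix/KickSecure system sdwdate is the time source Tor's consensus checks depend on, so if the host is expected to supply time and tor instead, that assumption belongs in the same header.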
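Review bot: `proxy.mask` mixes two kinds of entry — wants-directory paths such as `multi-user.target.wants/NetworkManager.service` and bare unit names such as `privoxy.service` — whereas `KickSecure.mask` in the same commit uses bare names only. If both files feed the same masking step (the consumer is not in this diff), the path form will not resolve as a unit name; if the path form means "remove this wants symlink" rather than "mask", that is a different operation and the two formats deserve a comment or separate files. `sdwdate.service` also appears twice, once in each form.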
@@ -0,0 +1,33 @@ +#!/bin/bash + +## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/whonix-host-operating-system/3931/236 + +title="WARNING - Whonix-Host DEVELOPERS-ONLY Preview Version" + +text="\ +

+DO NOT USE THIS YET AS A USER! +
+Whonix-Host is unreleased. Not even available for testers. This version is a preview for developers only.
+
+Missing features the the initial release include + +

+ +See full task list for first release of Whonix-Host.
+
+Help welcome! +

+" + +[ -d ~/.config/whonix/host-boot-popup ] || mkdir -p ~/.config/whonix/host-boot-popup +[ -z "$DISPLAY" ] || \ + [ -f /usr/lib/msgcollector/one-time-popup ] || \ + /usr/lib/msgcollector/one-time-popup ~/.config/whonix/host-boot-popup/dismissed_version_1 "$title" "$text" diff --git a/overlay/Linux/usr/local/lib/whonix-libvirt/host-boot-popup.dst b/overlay/Linux/usr/local/lib/whonix-libvirt/host-boot-popup.dst new file mode 100755 index 0000000..3a75895 --- /dev/null +++ b/overlay/Linux/usr/local/lib/whonix-libvirt/host-boot-popup.dst @@ -0,0 +1,31 @@ +#!/bin/bash + +## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/whonix-host-operating-system/3931/236 + +title="WARNING - Whonix-Host DEVELOPERS-ONLY Preview Version" + +text="\ +
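Review bot: The last line of `host-boot-popup` inverts its own guard: `[ -z "$DISPLAY" ] || [ -f /usr/lib/msgcollector/one-time-popup ] || /usr/lib/msgcollector/one-time-popup ...` runs the popup only when the helper does not exist (and then fails with command-not-found) and skips it when it does. The intended chain is `[ -n "$DISPLAY" ] && [ -x /usr/lib/msgcollector/one-time-popup ] && /usr/lib/msgcollector/one-time-popup ~/.config/whonix/host-boot-popup/dismissed_version_1 "$title" "$text"`, with `-x` since the file is executed. The unmodified upstream copy in `host-boot-popup.dst` does neither check, which is presumably why this local variant exists; a comment above the line saying so would keep the next upstream sync from reverting it.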

+DO NOT USE THIS YET AS A USER! +
+Whonix-Host is unreleased. Not even available for testers. This version is a preview for developers only.
+
+Missing features the the initial release include + +

+ +See full task list for first release of Whonix-Host.
+
+Help welcome! +

+" + +mkdir -p ~/.config/whonix/host-boot-popup +/usr/lib/msgcollector/one-time-popup ~/.config/whonix/host-boot-popup/dismissed_version_1 "$title" "$text" diff --git a/overlay/Linux/usr/local/lib/whonix-libvirt/install b/overlay/Linux/usr/local/lib/whonix-libvirt/install new file mode 100755 index 0000000..11fb4bb --- /dev/null +++ b/overlay/Linux/usr/local/lib/whonix-libvirt/install 
@@ -0,0 +1,92 @@ +#!/bin/bash + +[ -f /var/lib/whonix-libvirt/install.done ] && exit 0 + +## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +set -x +set -e + +## {{ Taken from qemu-system-common.postinst. +# Add the kvm group unless it's already there +if ! getent group kvm >/dev/null; then + addgroup --quiet --system kvm || true +fi +## }} Taken from qemu-system-common.postinst. + +## {{ Taken from libvirt-bin.postinst. +if ! getent group libvirt >/dev/null; then + addgroup --system libvirt +fi +## }} Taken from libvirt-bin.postinst. + +## Existence of user "user" is not guaranteed at this point. +## XXX: Or is it? +grep -q ^kvm /etc/group || addgroup user kvm +grep -q ^libvirt /etc/group || addgroup user libvirt + +## Create shared directory and adjust permissions +[ -d /mnt/gateway-shared ] || mkdir --parents /mnt/gateway-shared +[ -d /mnt/workstation-shared ] || mkdir --parents /mnt/workstation-shared +chmod 1777 /mnt/gateway-shared +chmod 1777 /mnt/workstation-shared + +## TODO: proper error handling. '|| true' can probably be removed. + +virsh -c qemu:///system net-autostart "default" || true +virsh -c qemu:///system net-start "default" || true +virsh -c qemu:///system net-define "/usr/local/share/whonix-libvirt/xml/Whonix-External.xml" || true +virsh -c qemu:///system net-define "/usr/local/share/whonix-libvirt/xml/Whonix-Internal.xml" || true +virsh -c qemu:///system net-autostart "Whonix-External" || true +virsh -c qemu:///system net-start "Whonix-External" || true +virsh -c qemu:///system net-autostart "Whonix-Internal" || true +virsh -c qemu:///system net-start "Whonix-Internal" || true + +## Doing the following in a temporary directory to avoid modified files should +## this be interrupted in the middle. 
+temp_dir="$(mktemp --directory)" +cp -r /usr/local/share/whonix-libvirt/xml "$temp_dir" + +if virsh capabilities | grep "" ; then + true "OK: found KVM" +else + ## replace the 'kvm' domain type with 'qemu' + search="" + replace="" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml" + + search="" + replace="" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml" + + ## https://forums.whonix.org/t/whonix-host-operating-system/3931/251 + search="" + replace="" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml" + + ## https://forums.whonix.org/t/whonix-host-operating-system/3931/284 + search="1" + replace="" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml" + + ## https://forums.whonix.org/t/whonix-host-operating-system/3931/284 + search="1" + replace="" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml" +fi + +test -f "$temp_dir/xml/Whonix-Gateway.xml" +test -f "$temp_dir/xml/Whonix-Workstation.xml" + +virsh -c qemu:///system define "$temp_dir/xml/Whonix-Gateway.xml" || true +virsh -c qemu:///system define "$temp_dir/xml/Whonix-Workstation.xml" || true + +virt-xml "Whonix-Gateway" --add-device --filesystem source=/mnt/gateway-shared,target=shared,type=mount,accessmode=mapped || true +virt-xml "Whonix-Workstation" --add-device --filesystem source=/mnt/workstation-shared,target=shared,type=mount,accessmode=mapped || true + +mkdir --parents /var/lib/whonix-libvirt +touch /var/lib/whonix-libvirt/install.done diff --git a/overlay/Linux/usr/local/lib/whonix-libvirt/install.dst b/overlay/Linux/usr/local/lib/whonix-libvirt/install.dst new file mode 100755 index 0000000..eab8393 --- /dev/null +++ b/overlay/Linux/usr/local/lib/whonix-libvirt/install.dst 
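Review bot: `grep -q ^kvm /etc/group || addgroup user kvm` (and the `libvirt` twin) tests whether the group exists, which the `getent`/`addgroup --system` block just above already guarantees, so `user` is never added to `kvm` or `libvirt` and that account's libvirt access silently depends on earlier state; upstream `install.dst` runs `addgroup user kvm >/dev/null || true` unconditionally. Check membership instead: `id -nG user 2>/dev/null | grep -qw kvm || addgroup user kvm`, and likewise for `libvirt`. The `else` branch also calls `str_replace`, a Whonix helper rather than a standard tool, in a role the README declares multi-target; under `set -e` its absence aborts the script with a bare command-not-found, so `command -v str_replace >/dev/null || { echo "str_replace missing" >&2 ; exit 1 ; }` before the `if` turns that into a clear failure.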
@@ -0,0 +1,90 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +set -x +set -e + +## {{ Taken from qemu-system-common.postinst. +# Add the kvm group unless it's already there +if ! getent group kvm >/dev/null; then + addgroup --quiet --system kvm || true +fi +## }} Taken from qemu-system-common.postinst. + +## {{ Taken from libvirt-bin.postinst. +if ! getent group libvirt >/dev/null; then + addgroup --system libvirt +fi +## }} Taken from libvirt-bin.postinst. + +## Existence of user "user" is not guaranteed at this point. +## XXX: Or is it? +addgroup user kvm >/dev/null || true +addgroup user libvirt >/dev/null || true + +## Create shared directory and adjust permissions +mkdir --parents /mnt/gateway-shared +mkdir --parents /mnt/workstation-shared +chmod 777 /mnt/gateway-shared +chmod 777 /mnt/workstation-shared + +## TODO: proper error handling. '|| true' can probably be removed. + +virsh -c qemu:///system net-autostart "default" || true +virsh -c qemu:///system net-start "default" || true +virsh -c qemu:///system net-define "/usr/share/whonix-libvirt/xml/Whonix-External.xml" || true +virsh -c qemu:///system net-define "/usr/share/whonix-libvirt/xml/Whonix-Internal.xml" || true +virsh -c qemu:///system net-autostart "Whonix-External" || true +virsh -c qemu:///system net-start "Whonix-External" || true +virsh -c qemu:///system net-autostart "Whonix-Internal" || true +virsh -c qemu:///system net-start "Whonix-Internal" || true + +## Doing the following in a temporary directory to avoid modified files should +## this be interrupted in the middle. 
+temp_dir="$(mktemp --directory)" +cp -r /usr/share/whonix-libvirt/xml "$temp_dir" + +if virsh capabilities | grep "" ; then + true "OK: found KVM" +else + ## replace the 'kvm' domain type with 'qemu' + search="" + replace="" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml" + + search="" + replace="" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml" + + ## https://forums.whonix.org/t/whonix-host-operating-system/3931/251 + search="" + replace="" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml" + + ## https://forums.whonix.org/t/whonix-host-operating-system/3931/284 + search="1" + replace="" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml" + + ## https://forums.whonix.org/t/whonix-host-operating-system/3931/284 + search="1" + replace="" + str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml" +fi + +test -f "$temp_dir/xml/Whonix-Gateway.xml" +test -f "$temp_dir/xml/Whonix-Workstation.xml" + +virsh -c qemu:///system define "$temp_dir/xml/Whonix-Gateway.xml" || true +virsh -c qemu:///system define "$temp_dir/xml/Whonix-Workstation.xml" || true + +virt-xml "Whonix-Gateway" --add-device --filesystem source=/mnt/gateway-shared,target=shared,type=mount,accessmode=mapped || true +virt-xml "Whonix-Workstation" --add-device --filesystem source=/mnt/workstation-shared,target=shared,type=mount,accessmode=mapped || true + +mkdir --parents /var/lib/whonix-libvirt +touch /var/lib/whonix-libvirt/install.done diff --git a/overlay/Linux/usr/local/lib/whonix-libvirt/live-mode-to-read-only b/overlay/Linux/usr/local/lib/whonix-libvirt/live-mode-to-read-only new file mode 100755 index 0000000..a0a4d69 --- /dev/null 
+++ b/overlay/Linux/usr/local/lib/whonix-libvirt/live-mode-to-read-only
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Similar to persistent-mode-to-read-write.
+
+set -x
+
+error_handler() {
+ exit_code="1"
+}
+
+trap error_handler ERR
+
+exit_code="0"
+
+vm_names_list="$(virsh list --all | awk '{print $2}'| grep -v Name)"
+
+for vm_name_item in $vm_names_list ; do
+ virt-xml "$vm_name_item" --edit --disk readonly=on
+done
+
+## https://phabricator.whonix.org/T914
+if test -f "/var/lib/libvirt/images/Whonix-Gateway.qcow2" ; then
+ chmod --verbose --recursive ugo-w "/var/lib/libvirt/images/Whonix-Gateway.qcow2"
+fi
+if test -f "/var/lib/libvirt/images/Whonix-Workstation.qcow2" ; then
+ chmod --verbose --recursive ugo-w "/var/lib/libvirt/images/Whonix-Workstation.qcow2"
+fi
+
+## "chmod ugo-r" is set during build in chroot:
+## https://github.com/Whonix/Whonix/blob/master/build-steps.d/1800_copy_vms_into_raw
+
+exit "$exit_code"
diff --git a/overlay/Linux/usr/local/lib/whonix-libvirt/persistent-mode-to-read-write b/overlay/Linux/usr/local/lib/whonix-libvirt/persistent-mode-to-read-write
new file mode 100755
index 0000000..0db0c66
--- /dev/null
+++ b/overlay/Linux/usr/local/lib/whonix-libvirt/persistent-mode-to-read-write
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Similar to live-mode-to-read-only.
+
+set -x
+
+error_handler() {
+ exit_code="1"
+}
+
+trap error_handler ERR
+
+exit_code="0"
+
+vm_names_list="$(virsh list --all | awk '{print $2}'| grep -v Name)"
+
+for vm_name_item in $vm_names_list ; do
+ virt-xml "$vm_name_item" --edit --disk readonly=off
+done
+
+chmod --verbose --recursive ug+w "/var/lib/libvirt/images/Whonix-Gateway.qcow2"
+chmod --verbose --recursive ug+w "/var/lib/libvirt/images/Whonix-Workstation.qcow2"
+
+exit "$exit_code"
diff --git a/overlay/Linux/usr/local/proxy_whonix_lib.bash b/overlay/Linux/usr/local/proxy_whonix_lib.bash
new file mode 100755
index 0000000..8d29acb
--- /dev/null
+++ b/overlay/Linux/usr/local/proxy_whonix_lib.bash
@@ -0,0 +1,677 @@ +#!/bin/bash +# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*- + +ROLE=proxy +export PATH=$PATH:/usr/local/sbin:/usr/local/bin + +# . /usr/local/sbin/proxy_whonix_lib.bash || { echo ERROR: loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; } +. /usr/local/bin/proxy_ping_lib.bash || \ + { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 2; } + +## proxy_guest_firewall_config -- /etc/firewall.conf.ws.new +proxy_guest_firewall_config () { + . /usr/local/sbin/proxy_whonix_guest_workstation-firewall.bash || return 2$? + source_config_folder + iptables_cmd="echo iptables" + ip6tables_cmd="echo # ip6tables" + main > /etc/firewall.conf.ws.new + + return $? +} + +## proxy_whonix_guest_config +proxy_whonix_guest_config () { + return 0 +} + +## proxy_whonix_guest_start +proxy_whonix_guest_start () { + local dire=$1 + + [ ! -f /etc/init.d/qemu-guest-agent ] || \ + proxy_rc_service qemu-guest-agent status >/dev/null \ + || proxy_rc_service qemu-guest-agent start || return 2$? + + return 0 +} + +## proxy_whonix_guest_test +proxy_whonix_guest_test () { + [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || \ + echo WARN: /dev/virtio-ports/org.qemu.guest_agent.0 not created + proxy_rc_service qemu-guest-agent status + + return 0 +} + +## proxy_whonix_gateway_config +proxy_whonix_gateway_config () { + proxy_whonix_dnsmasq_config gateway 10.0.2.15 + return 0 +} + +## proxy_whonix_dnsmasq_config +proxy_whonix_dnsmasq_config () { + local dire + + [ "$#" -eq 0 ] || dire=$1 + [ -z "$dire" ] && MODE="$( proxy_whonix_mode )" && dire=$MODE + [ -n "$MODE" ] || MODE=host + + proxy_dest_port_wlan_config + [ -z "$PORT" -o -z "$DEST" ] && return 1 + + # 9040 - no wgetrc polipo + # need dnsmasq to 127 + file=/etc/dnsmasq.conf + if [ ! 
-f $file.$dire ] ; then + cp -p $file $file.$dire + cat >> $file.conf <> $file.conf <> $file.conf <> $file.conf <> $file.conf <> $file.conf <> $file.conf <> $file.$dire </dev/null || \ + proxy_rc_service libvirtd start || \ + echo WARN: libvirtd crashed - see /var/log/libvirt/libvirtd.log # 2>&1|tee $WLOG + proxy_libvirt_status + return 0 +} + +## proxy_whonix_libvirt_start +proxy_whonix_libvirt_start () { + + return 0 +} + +## proxy_whonix_libvirt_start +proxy_whonix_libvirt_start () { + local domain + [ "$#" -ge 1 ] && domain=$1 + + if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then + cp /dev/null /var/log/libvirt/libvirtd.log + /etc/init.d/libvirtd status + retval=$? + [ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap + [ $retval -eq 0 ] || /etc/init.d/libvirtd start || return 5$? # error: Failed to start livirtd + proxy_rc_service libvirtd start || return 3 + sleep $DELAY + fi + proxy_libvirt_no_autostart + proxy_libvirt_start + proxy_libvirt_status + proxy_virsh net-list | grep -q Whonix-Internal || virsh net-start Whonix-Internal || return 3 + proxy_virsh net-list | grep -q Whonix-External || virsh net-start Whonix-External || return 4 + + [ -z "$domain" ] && domain="$( proxy_testforge_get_gateway_dom )" + [ -z "$domain" ] && echo WARN: null proxy_testforge_get_gateway_dom && \ + domain=Whonix-Gateway && \ + echo INFO: set proxy_testforge_get_gateway_dom $domain + proxy_libvirt_list | grep -v grep | grep "$domain" || \ + virsh start $domain || { + ret=$? + echo ERROR: proxy_whonix_libvirt_start failed virsh start $domain ret=$ret + return 5$ret + } + + return 0 +} + +## proxy_whonix_test +proxy_whonix_test () { + local dire + DEBUG proxy_whonix_test $dire + [ "$#" -eq 0 ] && dire=$MODE || dire=$1 + + [ $dire = ws -o $dire = workstation ] && dire=vda + + if [ $dire = client ] ; then + : + # dunno - look at netstat? 
-nle4 + + elif [ $dire = vda -o $dire = gateway ] ; then + proxy_whonix_guest_test + + elif [ $dire = tor ] ; then + proxy_rc_service tor status >/dev/null || \ + { echo ERROR: $prog tor is not running ; return 2 ; } + + /usr/local/bin/proxy_ping_test.bash to_tor || return 6$? + + elif [ $dire = whonix ] ; then + proxy_libvirt_no_autostart + proxy_libvirt_clean_virbr1_rules + + proxy_whonix_get_gateway_dom + [ -z "$GATEW_DOM" ] && echo WARN: $prog DOM proxy_whonix_get_gateway_dom assuming Whonix-Gateway && DOM=Whonix-Gateway || DOM=$GATEW_DOM + + proxy_virsh list | grep -q $DOM || { echo ERROR: $prog $DOM not running ; return 2 ; } + + /usr/local/bin/proxy_ping_test.bash from_tor || return 6$? + fi + + #? gateway + if [ $dire = whonix -o $dire = vda -o $dire = tor ] ; then + proxy_rc_service polipo status >/dev/null >/dev/null || \ + { echo ERROR: $prog polipo not running ; return 4 ; } + /usr/local/bin/proxy_ping_test.bash polipo || return 9$? + elif [ $dire = host -o $dire = tor ] ; then + proxy_rc_service privoxy status >/dev/null >/dev/null || \ + { echo ERROR: $prog privoxy not running ; return 4 ; } + /usr/local/bin/proxy_ping_test.bash privoxy || return 9$? + fi + + if [ $dire = vda -o $dire = ws -o $dire = workstation ] ; then + proxy_clobber_resolv_local 10.152.152.10 + elif [ $dire = gateway -o $dire = whonix -o $dire = tor ] ; then + proxy_rc_service dnsmasq status 2>/dev/null >/dev/null || \ + { echo ERROR: $prog dnsmasq not running ; return 5 ; } + proxy_clobber_resolv_local 127.0.0.1 + fi + /usr/local/bin/proxy_ping_test.bash dns # || return 9$? + + /usr/local/bin/proxy_ping_test.bash $dire || return 6$? + + return 0 +} + +# Weher was this +## rc_host_symlink_etc_fstab +rc_host_symlink_etc_fstab () { + grep -q root=/dev/vda /proc/cmdline + PROXY_IS_VDA=$? 
+if [ $PROXY_IS_VDA -eq 0 ] ; then + [ -h /etc/fstab ] && [ -f /etc/fstab.vda ] && \ + rm -f /etc/fstab && ln -s /etc/fstab.vda /etc/fstab + return 1 +# else +# [ -h /etc/fstab ] && [ -f /etc/fstab.4TA ] && \ +# rm -f /etc/fstab && ln -s /etc/fstab.4TA /etc/fstab + fi + + return 0 +} + +## proxy_vda_config +proxy_vda_config () { + + rc_host_symlink_etc_fstab + sed -e 's/^#x1/x1/' -i /etc/inittab # + + if false ; then + sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf + if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then + ln -s $PREFIX/etc/modules_load.d/vda*conf /etc/modules_load.d/ + fi + fi + if false ; then + [ -f /etc/firewall.conf.vda ] && \ + cp -p /etc/firewall.conf.vda /etc/firewall.conf + fi + return 0 +} + +## +old_proxy_vda_config () { + + [ -f /etc/inittab ] && sed -e 's/^#x1/x1/' -i /etc/inittab + + return 0 +} + +## proxy_vda_whonix_config +proxy_vda_whonix_config () { + local dir=vda + + DEST=10.152.152.10 + PROXY_WLAN=eth0 + proxy_host_whonix_config $dire $DEST 9053 $PROXY_WLAN + + return $? +} + +## proxy_quest_config +proxy_quest_config () { + + proxy_vda_config + + sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf + if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then + cp -np $PREFIX/etc/modules_load.d/vda*conf /etc/modules-load.d/ + fi + return 0 +} + +## proxy_whonix_dnsmasq_start +proxy_whonix_dnsmasq_start () { + local dire + local service=dnsmasq + + [ "$#" -eq 0 ] || dire=$1 + [ -z "$dire" ] && MODE="$( proxy_whonix_mode )" && dire=$MODE + [ -n "$MODE" ] || MODE=host + + DEBUG proxy_whonix_dnsmasq_start $dire $PROXY_WLAN + + proxy_whonix_config $dire || return 1$? + + PROXY_WLAN=$( proxy_get_if ) + [ -z "$PROXY_WLAN" ] && echo ERROR: $prog empty PROXY_WLAN && return 4 + + sed -e "s/wlan[0-9]/$PROXY_WLAN/" -i /etc/dnsmasq.conf.$dire + if diff /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf >/dev/null ; then + proxy_rc_service dnsmasq status >/dev/null || \ + proxy_ping_dnsmasq_start || return 8$? 
+ else + proxy_rc_service dnsmasq status >/dev/null && \ + proxy_ping_dnsmasq_stop + cp -p /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf + proxy_ping_dnsmasq_start || return 8$? + fi + + return 0 +} + +## proxy_whonix_privoxy_start +proxy_whonix_polipo_start () { + local dire + local service=polipo + + [ $# -eq 1 ] && dire=$1 + [ -z "$dire" ] && dire="$( proxy_whonix_mode )" + DEBUG proxy_whonix_start_$service $dire + + proxy_whonix_config $dire || \ + echo WARN: proxy_whonix_polipo_start proxy_whonix_config $dire $? # return 1$? + + sed -e "s/wlan[0-9]/$PROXY_WLAN/" -e "s/eth[0-9]/$PROXY_WLAN/" -i /etc/polipo/config.$dire + + if ! diff /etc/polipo/config.$dire /etc/polipo/config ; then + cp -p /etc/polipo/config.$dire /etc/polipo/config + proxy_rc_service $service restart || return 2$? + else + proxy_rc_service $service status >/dev/null || \ + proxy_rc_service $service start||return 3$ + fi + + return 0 +} + +## proxy_whonix_host_prepare_blocks +proxy_whonix_host_prepare_blocks () { + if [ ! -s /etc/firewall.conf.block ] ; then + if [ -f /usr/local/etc/firewall.conf.block ] ; then + echo "WARN: $prog copying /usr/local/etc/firewall.conf.block" + cp -p /usr/local/etc/firewall.conf.block /etc/firewall.conf.block + else + echo "ERROR: $prog missing /usr/local/etc/firewall.conf.block" + return 1 + fi + fi + return 0 +} + +## proxy_whonix_host_add_block +proxy_whonix_host_add_block () { + local elt tab ip + + # PROXY_WLAN=$( proxy_get_if ) + # [ $? -ne 0 -o -z "$PROXY_WLAN" ] && echo ERROR: $prog null interface && return 1 + if [ "$#" -eq 0 ] ; then + proxy_whonix_host_prepare_blocks \| return 1$? 
+ set - $( cat /etc/firewall.conf.block ) + fi + # DEBUG "$prog adding $*" + [ -f /etc/firewall.conf.newer ] || \ + cp -p /etc/firewall.conf /etc/firewall.conf.newer + for elt in wlan virbr1 ; do + [ $elt = wlan ] && tab=INPUT || tab=LIBVIRT_FWI + grep -q "^# blocks $elt" /etc/firewall.conf.newer || { + echo ERROR: maker not found "^# blocks $elt" in /etc/firewall.conf.newer + return 2 + } + sed -e "/^# blocks $elt/,\$d" /etc/firewall.conf.newer > /etc/firewall.conf.$$ + echo "# blocks $elt" >> /etc/firewall.conf.$$ + for ip in $* ; do + grep -q $ip /etc/firewall.conf.block || \ + grep -q $ip /etc/firewall.conf.block.newer || \ + echo $ip >> /etc/firewall.conf.block.newer + grep -q -e "A $tab -s $ip" /etc/firewall.conf.newer && continue + echo "-A $tab -s $ip -p tcp -j DROP" >> /etc/firewall.conf.$$ + DEBUG "$prog -A $tab -s $ip -m tcp -p tcp -j DROP" + done + sed -e "1,/^# blocks $elt/d" /etc/firewall.conf.newer >> /etc/firewall.conf.$$ + mv /etc/firewall.conf.$$ /etc/firewall.conf.newer + done + return 0 +} + +## proxy_whonix_host_online +proxy_whonix_host_online () { + [ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$? + [ -z "$PROXY_WLAN" ] && echo ERROR: empty PROXY_WLAN && return 2 + if [ -x /etc/init.d/NetworkManager ] ; then + /etc/init.d/NetworkManager status || /etc/init.d/NetworkManager start || return 3 +else + proxy_rc_service NetworkManager status >/dev/null \ + || proxy_rc_service NetworkManager start || return 3$? +fi + nm-online -t 0 -x || return 4$? + + return 0 +} + +## proxy_whonix_down - call when the network goes down +proxy_whonix_down () { +# $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$? + proxy_ping_online && return 0 # dont do anything + # nothing to do? + return 0 +} + +## proxy_whonix_up - call when the network comes up +proxy_whonix_up () { + # $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$? 
+ proxy_ping_online || return 0 # dont do anything + return 0 +} + +## proxy_whonix_start_wget +proxy_whonix_start_wget () { + return 0 + if [ -f /etc/wgetrc ] ; then + sp=https://127.0.0.1:3128 + grep -q ^https_proxy /etc/wgetrc && \ + sed -e "s@https_proxy.*@https_proxy = $sp@" -i /etc/wgetrc + grep -q ^https_proxy /etc/wgetrc && \ + echo "https_proxy = $sp" >> /etc/wgetrc + grep -q ^http_proxy /etc/wgetrc && \ + sed -e "s@http_proxy.*@http_proxy = $sp@" -i /etc/wgetrc + grep -q ^http_proxy /etc/wgetrc || \ + echo "http_proxy = $sp" >> /etc/wgetrc + fi + + sp=http://127.0.0.1:3128 + for elt in http https ; do + grep -q ^$elt_proxy /etc/wgetrc && \ + sed -e "s@$elt_proxy.*@$elt_proxy = $sp@" -i /etc/wgetrc || \ + echo "$elt_proxy = $sp" >> /etc/wgetrc + done + + + return 0 +} + +proxy_libvirt_clean_iptables () { + local i int dir dcp prot port + + for dir in i ; do + for int in virbr2 virbr1; do + dcp=67 + [ $dir = i ] || dcp=68 + for port in 53 $dcp ; do + [ $dir = i ] && table=INP || table=OUT + for prot in udp tcp; do + proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue + iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \ + echo WARN: $? -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT + done + done + done + done + + for dir in o ; do + for int in virbr2 virbr1; do + dcp=68 + [ $dir = o ] || dcp=67 + for port in 53 68 ; do + table=OUT + [ $dir = i ] && table=INP + for prot in udp tcp; do + proxy_iptables_save | grep -q -e "-A LIBVIRT_$table -i $int -p $prot -m $prot --dport $port -j ACCEPT" || continue + iptables -D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT || \ + echo WARN: $? 
-D LIBVIRT_$table -$dir $int -p $prot -m $prot --dport $port -j ACCEPT + done + done + done + done + + return 0 +} + +base=proxy_whonix_lib +if [ -x /usr/bin/basename ] && [ $( /usr/bin/basename -- $0 .bash ) = $base ] ; then + [ "$#" -eq 0 ] && exit 0 + [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \ + echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'|sort && \ + exit 0 + DEBUG $base "$@" + eval "$@" + exit $? + fi diff --git a/overlay/Linux/usr/local/sbin/debian_whonix_tor.bash b/overlay/Linux/usr/local/sbin/debian_whonix_tor.bash new file mode 100755 index 0000000..9df5b96 --- /dev/null +++ b/overlay/Linux/usr/local/sbin/debian_whonix_tor.bash @@ -0,0 +1,34 @@ +#!/bin/sh +# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*- + +ROLE=privacy +[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor + +# Nov 09 21:00:27 host vanguards[715]: WARNING[Mon Nov 09 21:00:27 2020]: Tor daemon connection failed: [Errno 24] Too many open files. Trying again... +systemctl stop vanguards +systemctl stop onion-grater +sh /etc/rc.local + +#su -c 'tor --verify-config' -s /bin/sh $PRIV_TOR_OWNER || exit 1 +tor --verify-config | grep -v 'notice\|DisableNetwork' +rm -f /etc/torrc.d/*~ + +netstat -nlp -t inet|grep 15:90 || { echo ERROR: alrady running ; exit 2 ; } + +cp /dev/null /run/tor/log.err +cp /dev/null /run/tor/log.log +rm -f /usr/local/etc/torrc.d/*~ /etc/torrc.d/*~ + +#su -c '/etc/init.d/tor stop' -s /bin/sh $PRIV_TOR_OWNER +#sleep 5 + +# su -c '/etc/init.d/tor start' -s /bin/sh $PRIV_TOR_OWNER +systemctl start tor || exit 4$? + +sleep 10 + +sed -e '/configured a non-loopback address/d' /run/tor/log.* + +[ -f /run/tor/log.err ] && cat /run/tor/log.err && exit 5 + +grep % /run/tor/log.* diff --git a/overlay/Linux/usr/local/sbin/privacy_whonix-gateway-firewall.bash b/overlay/Linux/usr/local/sbin/privacy_whonix-gateway-firewall.bash new file mode 100755 index 0000000..141c6a2 --- /dev/null 
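Review bot: The dispatcher at the end of the hunk runs its arguments through `eval "$@"`, so any shell metacharacters in an argument (a `;`, backticks, `$(…)`) are re-parsed as code instead of being handed to the named function; every entry point here is a plain function, so `"$@"` makes the same call without that second parse, ideally after `declare -F -- "$1" >/dev/null || exit 2` so only library functions can be named. Two smaller defects sit earlier in the hunk: in proxy_whonix_host_add_block the escaped pipe in `proxy_whonix_host_prepare_blocks \| return 1$?` passes the literal words `|`, `return` and `1$?` as arguments, so a missing block file is reported but never returned and the function carries on without a list (it should be `||`); and proxy_vda_whonix_config declares `local dir=vda` but expands `$dire`, so unless the caller sets `dire` globally, `proxy_host_whonix_config $dire $DEST 9053 $PROXY_WLAN` is called with the mode argument missing and every later positional shifted by one. In proxy_libvirt_clean_iptables the second loop greps the saved rules for `-i $int` while deleting with `-o $int`, so the `continue` always fires and the LIBVIRT_OUT rules are never removed; the grep pattern should use `-$dir $int` like the delete. The entries read from /etc/firewall.conf.block are appended to the rule file unvalidated by `echo "-A $tab -s $ip -p tcp -j DROP"`, and `grep -q $ip` treats each entry as an unquoted regex; a check that each entry is an IPv4 address or CIDR before it is appended (and `grep -qF -- "$ip"` for the lookups) keeps a stray line in that file from producing a malformed or unintended rule.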
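Review bot: The exit status of `tor --verify-config` is lost in `tor --verify-config | grep -v 'notice\|DisableNetwork'` (the shell reports grep's status, and the `|| exit 1` variant above it is commented out), so a torrc that Tor rejects no longer stops the script and `systemctl start tor` is attempted anyway; under `#!/bin/sh` there is no PIPESTATUS, so capture it as `out=$(tor --verify-config 2>&1) || { printf '%s\n' "$out" | grep -v 'notice\|DisableNetwork'; exit 1; }`. The running check is inverted: `netstat -nlp -t inet|grep 15:90 || { echo ERROR: alrady running ; exit 2 ; }` exits with "already running" when nothing is listening and continues when something is, so `&&` is the intended operator (and the bare `inet` after `-t` looks like it was meant as `--inet` / `-A inet`). `[ -f /run/tor/log.err ] && cat /run/tor/log.err && exit 5` always exits 5, because the file was just created by `cp /dev/null /run/tor/log.err` and cat of an empty file succeeds; `[ -s /run/tor/log.err ]` tests for a non-empty file. `sed -e '/configured a non-loopback address/d' /run/tor/log.*` only prints the filtered log and changes nothing without `-i`, which may be intended but reads as a cleanup step.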
+++ b/overlay/Linux/usr/local/sbin/privacy_whonix-gateway-firewall.bash 
@@ -0,0 +1,827 @@ +#!/bin/bash +# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*- + +prog=$( basename $0 .bash ) +PREFIX=/usr/local +ROLE=privacy + +[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash \ + || { echo >&2 ERROR: $prog "/usr/local/etc/testforge/testforge.bash" ; exit 1 ; } +[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor +[ -z "$PRIV_TOR_OWNER" ] && grep -q ^tor /etc/passwd && PRIV_TOR_OWNER=tor + +#set -- -x +DEBUG= +WHONIX_HOST=0 +WHONIX_GATE=1 + +SSH_SERVICE=22 +BOOTPC_SERVICE=68 +BOOTPS_SERVICE=67 +NETBIOSNS_SERVICE=137 +NETBIOSDG_SERVICE=138 + +PRIV_WHONIX_EXTERNAL_NET=10.0.2.0/24 +# 10.152.152.10 gateway +# 10.152.152.11 work +PRIV_WHONIX_INTERNAL_NET=10.152.152.0/24 + +## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## Copyright (C) 2014 - 2015 Jason Mehring +## See the file COPYING for copying conditions. + +ALLOW_GATEWAY_USER_USER=1 +GATEWAY_ALLOW_INCOMING_SSH=0 +GATEWAY_ALLOW_INCOMING_ICMP=0 + +#### meta start +#### project Whonix +#### category networking and firewall +#### description +## firewall script +#### meta end + +## --reject-with +## http://ubuntuforums.org/showthread.php?p=12011099 + +## Set to icmp-admin-prohibited because icmp-port-unreachable caused +## confusion. icmp-port-unreachable looks like a bug while +## icmp-admin-prohibited hopefully makes clear it is by design. + +set -e + +error_handler() { + echo "$0 ##################################################" + echo "$0 ERROR: Whonix firewall script failed!" + echo "$0 ##################################################" + + exit 1 +} + +trap "error_handler" ERR + +init() { + output_cmd "OK: Loading Whonix firewall..." 
+ + set -o pipefail + set -o errtrace +} + +source_config_folder() { + shopt -s nullglob + local i + for i in \ + /etc/whonix_firewall.d/*.conf \ + /rw/config/whonix_firewall.d/*.conf \ + /usr/local/etc/whonix_firewall.d/*.conf \ + ; do + bash_n_exit_code="0" + bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; }; + if [ ! "$bash_n_exit_code" = "0" ]; then + output_cmd "ERROR: Invalid config file: $i + bash_n_exit_code: $bash_n_exit_code + bash_n_output: + $bash_n_output" >&2 + exit 1 + fi + source "$i" + done +} + +variables_defaults() { + [ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait" + [ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait" + + [ -n "$WORKSTATION_TRANSPARENT_TCP" ] || WORKSTATION_TRANSPARENT_TCP=1 + [ -n "$WORKSTATION_TRANSPARENT_DNS" ] || WORKSTATION_TRANSPARENT_DNS=1 + [ -n "$WORKSTATION_ALLOW_SOCKSIFIED" ] || WORKSTATION_ALLOW_SOCKSIFIED=1 + [ -n "$CONTROL_PORT_FILTER_PROXY_ENABLE" ] || CONTROL_PORT_FILTER_PROXY_ENABLE=1 + [ -n "$GATEWAY_ALLOW_INCOMING_DIR_PORT" ] || GATEWAY_ALLOW_INCOMING_DIR_PORT=0 + [ -n "$GATEWAY_ALLOW_INCOMING_OR_PORT" ] || GATEWAY_ALLOW_INCOMING_OR_PORT=0 + [ -n "$DIR_PORT" ] || DIR_PORT=80 + [ -n "$OR_PORT" ] || OR_PORT=443 + [ -n "$GATEWAY_TRANSPARENT_TCP" ] || GATEWAY_TRANSPARENT_TCP=0 + [ -n "$GATEWAY_TRANSPARENT_UDP" ] || GATEWAY_TRANSPARENT_UDP=0 + [ -n "$GATEWAY_TRANSPARENT_DNS" ] || GATEWAY_TRANSPARENT_DNS=0 + [ -n "$ALLOW_GATEWAY_ROOT_USER" ] || ALLOW_GATEWAY_ROOT_USER=0 + [ -n "$ALLOW_GATEWAY_USER_USER" ] || ALLOW_GATEWAY_USER_USER=0 + [ -n "$GATEWAY_ALLOW_INCOMING_SSH" ] || GATEWAY_ALLOW_INCOMING_SSH=0 + [ -n "$GATEWAY_ALLOW_INCOMING_ICMP" ] || GATEWAY_ALLOW_INCOMING_ICMP=0 + + ## Get Tor username, distro specific! + [ -n "$TOR_USER" ] || TOR_USER=$PRIV_TOR_OWNER + + ## Get user uids. +#!? [ -n "$CLEARNET_USER" ] || CLEARNET_USER="$(id -u clearnet)" + [ -n "$USER_USER" ] || USER_USER="$(id -u user)" || true + [ -n "$ROOT_USER" ] || ROOT_USER="$(id -u root)" +#!? 
[ -n "$TUNNEL_USER" ] || TUNNEL_USER="$(id -u tunnel)" + [ -n "$SDWDATE_USER" ] || SDWDATE_USER="$(id -u sdwdate)" + [ -n "$WHONIXCHECK_USER" ] || WHONIXCHECK_USER="$(id -u whonixcheck)" + + ## No NAT for clearnet user. + [ -n "$CLEARNET_USER" ] && NO_NAT_USERS+=" $CLEARNET_USER" + + ## No NAT for tunnel user. + [ -n "$TUNNEL_USER" ] && NO_NAT_USERS+=" $TUNNEL_USER" + + ## No NAT for user user. + ## DISABLED BY DEFAULT. For testing/debugging only. + if [ "$ALLOW_GATEWAY_USER_USER" = "1" ]; then + if [ "$USER_USER" = "" ]; then + output_cmd "INFO: USER_USER is unset. Not adding USER_USER to NO_NAT_USERS." + else + NO_NAT_USERS+=" $USER_USER" + fi + fi + + ## No NAT for root user. + ## DISABLED BY DEFAULT. For testing/debugging only. + if [ "$ALLOW_GATEWAY_ROOT_USER" = "1" ]; then + NO_NAT_USERS+=" $ROOT_USER" + fi + + ## Whonix-Gateway firewall does not support TUNNEL_FIREWALL_ENABLE=true yet. + ## It only supports VPN_FIREWALL="1". + ## In case someone confused this setting, i.e. using TUNNEL_FIREWALL_ENABLE=true + ## since this is how it is done on Whonix-Workstation, then gracefully enable + ## VPN_FIREWALL="1" to prevent users shooting their own feet. + if [ "$TUNNEL_FIREWALL_ENABLE" = "true" ]; then + VPN_FIREWALL="1" + fi + + ## No NAT for Tor itself, + ## unless VPN_FIREWALL mode is enabled. 
+ if [ "$VPN_FIREWALL" = "1" ]; then + true + else + NO_NAT_USERS+=" $TOR_USER" + fi + + if command -v "qubesdb-read" >/dev/null 2>&1 ; then + [ -n "$INT_IF" ] || INT_IF="vif+" + [ -n "$INT_TIF" ] || INT_TIF="vif+" + fi + + ## External interface + [ -n "$EXT_IF" ] || EXT_IF="eth0" + ## Internal interface + [ -n "$INT_IF" ] || INT_IF="eth1" + ## Internal "tunnel" interface, usually the same as + ## the Internal interface unless using vpn tunnels + ## between workstations and gateway + [ -n "$INT_TIF" ] || INT_TIF="eth1" + + if [ "$NON_TOR_GATEWAY" = "" ]; then + if command -v "qubesdb-read" >/dev/null 2>&1 ; then + NON_TOR_GATEWAY="" + else + ## 10.0.2.2-10.0.2.24: VirtualBox DHCP + NON_TOR_GATEWAY="\ + 127.0.0.0-127.0.0.24 \ + 192.168.0.0-192.168.0.24 \ + 192.168.1.0-192.168.1.24 \ + 10.152.152.0-10.152.152.24 \ + 10.0.2.2-10.0.2.24 \ + " + fi + fi + + [ -n "$VPN_INTERFACE" ] || VPN_INTERFACE="tun0" + + ## Destinations you do not routed through VPN, only for Whonix-Gateway. + if [ "$LOCAL_NET" = "" ]; then + if command -v "qubesdb-read" >/dev/null 2>&1 ; then + LOCAL_NET="\ + 127.0.0.0-127.0.0.24 \ + 10.137.0.0-10.138.255.255 \ + " + else + ## 10.0.2.2/24: VirtualBox DHCP + LOCAL_NET="\ + 127.0.0.0-127.0.0.24 \ + 192.168.0.0-192.168.0.24 \ + 192.168.1.0-192.168.1.24 \ + 10.152.152.0-10.152.152.24 \ + 10.0.2.2-10.0.2.24 \ + " + fi + fi + + if [ "$WORKSTATION_DEST_SOCKSIFIED" = "" ]; then + ## 10.152.152.10 - Non-Qubes-Whonix-Gateway IP + ## + ## 10.137.0.0/8 - persistent Qubes-Whonix-Gateway IP range + ## 10.138.0.0/8 - DispVM Qubes-Whonix-Gateway IP range + if command -v "qubesdb-read" >/dev/null 2>&1 ; then + ## https://forums.whonix.org/t/whonix-gateway-not-reachable/7484/16 + ## 10.152.152.10 is hardcoded in some places. 
+ WORKSTATION_DEST_SOCKSIFIED="10.137.0.0/16,10.138.0.0/16,10.152.152.10" + else + WORKSTATION_DEST_SOCKSIFIED="10.152.152.10" + fi + fi + + ## The following ports are used + ## - here in /usr/bin/whonix_firewall (package: whonix-gw-firewall) + ## - by Tor in /usr/share/tor/tor-service-defaults-torrc (package: anon-gw-anonymizer-config) + ## + ## The following applications will be separated, preventing identity + ## correlation through circuit sharing. + + ## Transparent Proxy Ports for Whonix-Workstation + [ -n "$TRANS_PORT_WORKSTATION" ] || TRANS_PORT_WORKSTATION="9040" + [ -n "$DNS_PORT_WORKSTATION" ] || DNS_PORT_WORKSTATION="5300" + + ## Transparent Proxy Ports for Whonix-Gateway + [ -n "$TRANS_PORT_GATEWAY" ] || TRANS_PORT_GATEWAY="9041" + [ -n "$DNS_PORT_GATEWAY" ] || DNS_PORT_GATEWAY="5400" + + ## Control Port Filter Proxy Port + [ -n "$CONTROL_PORT_FILTER_PROXY_PORT" ] || CONTROL_PORT_FILTER_PROXY_PORT="9051" + + [ -n "$GATEWAY_ALLOW_INCOMING_FLASHPROXY" ] || GATEWAY_ALLOW_INCOMING_FLASHPROXY="0" + [ -n "$FLASHPROXY_PORT" ] || FLASHPROXY_PORT="9000" + + ## Socks Ports for per application circuits. 
+ [ -n "$SOCKS_PORT_TOR_DEFAULT" ] || SOCKS_PORT_TOR_DEFAULT="9050" + [ -n "$SOCKS_PORT_TB" ] || SOCKS_PORT_TB="9100" + [ -n "$SOCKS_PORT_IRC" ] || SOCKS_PORT_IRC="9101" + [ -n "$SOCKS_PORT_TORBIRDY" ] || SOCKS_PORT_TORBIRDY="9102" + [ -n "$SOCKS_PORT_IM" ] || SOCKS_PORT_IM="9103" + [ -n "$SOCKS_PORT_APT_GET" ] || SOCKS_PORT_APT_GET="9104" + [ -n "$SOCKS_PORT_GPG" ] || SOCKS_PORT_GPG="9105" + [ -n "$SOCKS_PORT_SSH" ] || SOCKS_PORT_SSH="9106" + [ -n "$SOCKS_PORT_GIT" ] || SOCKS_PORT_GIT="9107" + [ -n "$SOCKS_PORT_SDWDATE" ] || SOCKS_PORT_SDWDATE="9108" + [ -n "$SOCKS_PORT_WGET" ] || SOCKS_PORT_WGET="9109" + [ -n "$SOCKS_PORT_WHONIXCHECK" ] || SOCKS_PORT_WHONIXCHECK="9110" + [ -n "$SOCKS_PORT_BITCOIN" ] || SOCKS_PORT_BITCOIN="9111" + [ -n "$SOCKS_PORT_PRIVOXY" ] || SOCKS_PORT_PRIVOXY="9112" + [ -n "$SOCKS_PORT_POLIPO" ] || SOCKS_PORT_POLIPO="9113" + [ -n "$SOCKS_PORT_WHONIX_NEWS" ] || SOCKS_PORT_WHONIX_NEWS="9114" + [ -n "$SOCKS_PORT_TBB_DOWNLOAD" ] || SOCKS_PORT_TBB_DOWNLOAD="9115" + [ -n "$SOCKS_PORT_TBB_GPG" ] || SOCKS_PORT_TBB_GPG="9116" + [ -n "$SOCKS_PORT_CURL" ] || SOCKS_PORT_CURL="9117" + [ -n "$SOCKS_PORT_RSS" ] || SOCKS_PORT_RSS="9118" + [ -n "$SOCKS_PORT_TORCHAT" ] || SOCKS_PORT_TORCHAT="9119" + [ -n "$SOCKS_PORT_MIXMASTERUPDATE" ] || SOCKS_PORT_MIXMASTERUPDATE="9120" + [ -n "$SOCKS_PORT_MIXMASTER" ] || SOCKS_PORT_MIXMASTER="9121" + [ -n "$SOCKS_PORT_KDE" ] || SOCKS_PORT_KDE="9122" + [ -n "$SOCKS_PORT_GNOME" ] || SOCKS_PORT_GNOME="9123" + [ -n "$SOCKS_PORT_APTITUDE" ] || SOCKS_PORT_APTITUDE="9124" + [ -n "$SOCKS_PORT_YUM" ] || SOCKS_PORT_YUM="9125" + [ -n "$SOCKS_PORT_TBB_DEFAULT" ] || SOCKS_PORT_TBB_DEFAULT="9150" + + ## For testing purposes only. + ## To test if prerouting redirection rules for socksified interfere with transparent torification. + ## https://phabricator.whonix.org/T462 + #[ -n "$SOCKS_PORT_HTTP" ] || SOCKS_PORT_HTTP="80" + #[ -n "$SOCKS_PORT_SSL" ] || SOCKS_PORT_SSL="443" + + ## Adding more Socks Ports here should no longer be necessary. 
+ ## There are already lots of custom ports prepared that you can use. + ## See documentation: + ## https://www.whonix.org/wiki/Stream_Isolation + ## + ## Additional Socks Ports for per application circuits could be + ## added here, but you would have to: + ## - Edit '/usr/local/etc/torrc.d/50_user.conf' to add more 'SocksPort's. + ## - And 'sudo service tor@default reload' afterwards. + ## - Add more socks port variables to Whonix firewall configuration. + ## (For example to '/etc/whonix_firewall.d/50_user.conf'.) + ## Follow the 'SOCKS_PORT_...' naming scheme. + ## (For example 'SOCKS_PORT_CUSTOM_ONE', 'SOCKS_PORT_CUSTOM_TWO', etc.) + ## - And issue "sudo /usr/bin/whonix_firewall" afterwards. + + socks_ports_list="$(compgen -v | grep SOCKS\_PORT\_)" +} + +ipv4_defaults() { + lsmod | grep -q iptable_filter || modprobe iptable_filter + ## Set secure defaults. + $iptables_cmd -P INPUT DROP + + ## FORWARD rules does not actually do anything if forwarding is disabled. Better be safe just in case. + $iptables_cmd -P FORWARD DROP + + ## Will be lifted below. + $iptables_cmd -P OUTPUT DROP +} + +ipv4_preparation() { + lsmod | grep -q nf_nat || modprobe nf_nat + lsmod | grep -q iptable_mangle || modprobe iptable_mangle + + ## Flush old rules. 
+ $iptables_cmd -F
+ $iptables_cmd -X
+ $iptables_cmd -t nat -F
+ $iptables_cmd -t nat -X
+ $iptables_cmd -t mangle -F
+ $iptables_cmd -t mangle -X
+}
+
+ipv4_drop_invalid_incoming_packages() {
+ lsmod | grep -q nf_conntrack || modprobe nf_conntrack
+
+ ## DROP MARTIANS
+## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/
+ $iptables_cmd -A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP SPOOF A: "
+ $iptables_cmd -A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j LOG --log-prefix "iptables_martian_DROP SPOOF B: "
+ $iptables_cmd -A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j LOG --log-prefix "iptables_martian_DROP SPOOF C: "
+ $iptables_cmd -A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j LOG --log-prefix "iptables_martian_DROP MULTICAST D: "
+ $iptables_cmd -A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j LOG --log-prefix "iptables_martian_DROP SPOOF E: "
+ $iptables_cmd -A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP LOOPBACK: "
+
+ $iptables_cmd -A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j DROP
+ $iptables_cmd -A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j DROP
+ $iptables_cmd -A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j DROP
+ $iptables_cmd -A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j DROP
+ $iptables_cmd -A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j DROP
+ $iptables_cmd -A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j DROP
+
+ ## DROP INVALID
+ $iptables_cmd -A INPUT -m conntrack --ctstate INVALID -j DROP
+ $iptables_cmd -A INPUT -m state --state INVALID -j DROP
+
+ ## DROP INVALID SYN PACKETS
+ $iptables_cmd -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
+ $iptables_cmd -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+ $iptables_cmd -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+ ## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
+ $iptables_cmd -A INPUT -f -j DROP
+
+ ## DROP INCOMING MALFORMED XMAS PACKETS
+ $iptables_cmd -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+
+ ## DROP INCOMING MALFORMED NULL PACKETS
+ $iptables_cmd -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+}
+
+qubes() {
+ lsmod | grep -q xt_owner || modprobe xt_owner
+ if [ "$firewall_mode" = "timesync-fail-closed" ]; then
+ true "timesync-fail-closed mode, skipping rest of function $FUNCNAME"
+ return 0
+ fi
+
+ if [ -e /run/qubes/this-is-netvm ] || [ -e /run/qubes/this-is-proxyvm ]; then
+ local int_if_item
+
+ for int_if_item in $INT_IF; do
+ ## Allow connections from port 8082 of internal vif interface for tinyproxy
+ ## tinyproxy is responsible to handle TemplateVMs updates.
+ $iptables_cmd -A INPUT -i "$int_if_item" -p tcp -m tcp --dport 8082 -j ACCEPT
+ $iptables_cmd -A OUTPUT -o "$int_if_item" -p tcp -m tcp --sport 8082 -j ACCEPT
+ done
+
+ ## Qubes pre-routing. Will be able to intercept traffic destined for
+ ## 10.137.255.254 to be re-routed to tinyproxy.
+ $iptables_cmd -t nat -N PR-QBS-SERVICES
+ $iptables_cmd -t nat -A PREROUTING -j PR-QBS-SERVICES
+
+ for int_if_item in $INT_IF; do
+ ## Redirects traffic destined for 10.137.255.154 to port 8082 (tinyproxy).
+ $iptables_cmd -t nat -A PR-QBS-SERVICES -d 10.137.255.254/32 -i "$int_if_item" -p tcp -m tcp --dport 8082 -j REDIRECT
+ done
+
+ ## Forward tinyproxy output to port 5300/9040 on internal (Tor) interface (eth1) to be
+ ## able to connect to Internet (via Tor) to proxy updates for TemplateVM.
+ $iptables_cmd -t nat -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${DNS_PORT_GATEWAY}"
+ $iptables_cmd -t nat -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${TRANS_PORT_GATEWAY}"
+
+ ## The same for squid from qubes-updates-cache, which runs as user vm-updates.
+ if getent passwd vm-updates >/dev/null; then
+ $iptables_cmd -t nat -A OUTPUT -p udp -m owner --uid-owner vm-updates -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${DNS_PORT_GATEWAY}"
+ $iptables_cmd -t nat -A OUTPUT -p tcp -m owner --uid-owner vm-updates -m conntrack --ctstate NEW -j DNAT --to "127.0.0.1:${TRANS_PORT_GATEWAY}"
+ fi
+
+ ## https://github.com/QubesOS/qubes-issues/issues/3201#issuecomment-338646742
+ $iptables_cmd -A OUTPUT -p udp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -d 127.0.0.1 --dport "${DNS_PORT_GATEWAY}" -j ACCEPT
+ $iptables_cmd -A OUTPUT -p tcp -m owner --uid-owner tinyproxy -m conntrack --ctstate NEW -d 127.0.0.1 --dport "${TRANS_PORT_GATEWAY}" -j ACCEPT
+ fi
+}
+
+ipv4_input_rules() {
+ ## Traffic on the loopback interface is accepted.
+ $iptables_cmd -A INPUT -i lo -j ACCEPT
+
+ ## Established incoming connections are accepted.
+ $iptables_cmd -A INPUT -m state --state ESTABLISHED -j ACCEPT
+
+ ## Drop all incoming ICMP traffic by default.
+ ## All incoming connections are dropped by default anyway, but should a user
+ ## allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should
+ ## still be dropped to filter for example ICMP time stamp requests.
+ if [ ! "$GATEWAY_ALLOW_INCOMING_ICMP" = "1" ]; then
+ $iptables_cmd -A INPUT -p icmp -j DROP
+ fi
+
+ ## Allow all incoming connections on the virtual VPN network interface,
+ ## when VPN_FIREWALL mode is enabled.
+ ## DISABLED BY DEFAULT.
+ if [ "$VPN_FIREWALL" = "1" ]; then
+ $iptables_cmd -A INPUT -i "$VPN_INTERFACE" -j ACCEPT
+ fi
+
+ local ext_if_item
+
+ for ext_if_item in $EXT_IF; do
+ ## Allow incoming SSH connections on the external interface.
+ ## DISABLED BY DEFAULT. For testing/debugging only.
+ if [ "$GATEWAY_ALLOW_INCOMING_SSH" = "1" ]; then
+ $iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport 22 -j ACCEPT
+ fi
+
+ ## Allow incoming Flash Proxy connections on the external interface.
+ ## This has NOTHING to do with Adobe Flash.
+ ## DISABLED BY DEFAULT.
+ if [ "$GATEWAY_ALLOW_INCOMING_FLASHPROXY" = "1" ]; then
+ $iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$FLASHPROXY_PORT" -j ACCEPT
+ fi
+
+ local local_port_to_open
+ for local_port_to_open in $EXTERNAL_OPEN_PORTS; do
+ $iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$local_port_to_open" -j ACCEPT
+ done
+
+ local local_udp_port_to_open
+ for local_udp_port_to_open in $EXTERNAL_UDP_OPEN_PORTS; do
+ $iptables_cmd -A INPUT -p udp --dport "$local_udp_port_to_open" -j ACCEPT
+ done
+
+ if [ "$EXTERNAL_OPEN_ALL" = "true" ]; then
+ $iptables_cmd -A INPUT -j ACCEPT
+ fi
+ done
+
+ if [ "$firewall_mode" = "timesync-fail-closed" ]; then
+ true "timesync-fail-closed mode, skipping rest of function $FUNCNAME"
+ return 0
+ fi
+
+ for ext_if_item in $EXT_IF; do
+ ## Allow incoming DIRPORT connections for an optional Tor relay.
+ ## DISABLED BY DEFAULT.
+ if [ "$GATEWAY_ALLOW_INCOMING_DIR_PORT" = "1" ]; then
+ $iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$DIR_PORT" -j ACCEPT
+ fi
+
+ ## Allow incoming ORPORT connections for an optional Tor relay.
+ ## DISABLED BY DEFAULT.
+ if [ "$GATEWAY_ALLOW_INCOMING_OR_PORT" = "1" ]; then
+ $iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport "$OR_PORT" -j ACCEPT
+ fi
+
+ ## Custom Open Ports on external interface
+ ## - untested, should work
+ ## - Replace 22,9050,9051,9150,9151 with any ports you like to be open, example: 9050,9051
+ ## or just 9050
+ ## - $iptables_cmd v1.4.14: multiport needs -p tcp, -p udp, -p udplite, -p sctp or -p dccp
+ #$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --match multiport --dports 22,9050,9051,9150,9151 -j ACCEPT
+ #$iptables_cmd -A INPUT -i "$ext_if_item" -p udp --match multiport --dports 22,9050,9051,9150,9151 -j ACCEPT
+
+ ## OPTIONAL Allow incoming OpenVPN connections on the external interface.
+ #$iptables_cmd -A INPUT -i "$ext_if_item" -p tcp --dport 1194 -j ACCEPT
+ done
+
+ local int_tif_item
+ local int_if_item
+
+ for int_tif_item in $INT_TIF; do
+ if [ "$WORKSTATION_TRANSPARENT_DNS" = "1" ]; then
+ ## Allow DNS traffic to DnsPort.
+ $iptables_cmd -A INPUT -i "$int_tif_item" -p udp --dport "$DNS_PORT_WORKSTATION" -j ACCEPT
+ fi
+ done
+
+ for int_if_item in $INT_IF; do
+ if [ "$WORKSTATION_TRANSPARENT_TCP" = "1" ]; then
+ ## Allow TCP traffic TransPort.
+ $iptables_cmd -A INPUT -i "$int_if_item" -p tcp --dport "$TRANS_PORT_WORKSTATION" -j ACCEPT
+ fi
+ done
+
+ for int_tif_item in $INT_TIF; do
+ ## Allow TCP traffic to Control Port Filter Proxy.
+ if [ "$CONTROL_PORT_FILTER_PROXY_ENABLE" = "1" ]; then
+ $iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" -j ACCEPT
+ fi
+
+ ## Allow socksified applications.
+ if [ "$WORKSTATION_ALLOW_SOCKSIFIED" = "1" ]; then
+ for socks_port in $socks_ports_list; do
+ true "$socks_port: ${!socks_port}"
+ $iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --dport "${!socks_port}" -j ACCEPT
+ done
+
+ ## Accept ports 9152-9189 prepared for user custom applications.
+ ## See /usr/share/tor/tor-service-defaults-torrc for more comments.
+ $iptables_cmd -A INPUT -i "$int_tif_item" -p tcp --match multiport --dports 9152:9189 -j ACCEPT
+ fi
+ done
+
+ for int_if_item in $INT_IF; do
+ ## Redirect Control Port Filter Proxy to Control Port Filter Proxy port.
+ if [ "$CONTROL_PORT_FILTER_PROXY_ENABLE" = "1" ]; then
+ $iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -d "$WORKSTATION_DEST_SOCKSIFIED" -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" -j REDIRECT --to-ports "$CONTROL_PORT_FILTER_PROXY_PORT"
+ fi
+
+ if [ "$WORKSTATION_ALLOW_SOCKSIFIED" = "1" ]; then
+ for socks_port in $socks_ports_list; do
+ true "$socks_port: ${!socks_port}"
+ ## Redirect Browser/IRC/TorBirdy, etc. to SocksPort.
+ $iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -d "$WORKSTATION_DEST_SOCKSIFIED" -p tcp --dport "${!socks_port}" -j REDIRECT --to-ports "${!socks_port}"
+ done
+
+ ## Redirect ports 9152-9189 prepared for user custom applications.
+ $iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -d "$WORKSTATION_DEST_SOCKSIFIED" -p tcp --dport 9152:9189 -j REDIRECT
+ fi
+
+ if [ "$WORKSTATION_TRANSPARENT_DNS" = "1" ]; then
+ ## Redirect remaining DNS traffic to DNS_PORT_WORKSTATION.
+ ## Only user installed applications not configured to use a SocksPort are affected.
+ $iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT_WORKSTATION"
+ fi
+
+ if [ "$WORKSTATION_TRANSPARENT_TCP" = "1" ]; then
+ ## Catch all remaining TCP and redirect to TransPort.
+ ## Only user installed applications not configured to use a SocksPort are affected.
+ $iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION"
+
+ ## Optionally restrict TransPort.
+ ## Replace above rule with a more restrictive one, e.g.:
+ #$iptables_cmd -t nat -A PREROUTING -i "$int_if_item" -p tcp --match multiport --dports 80,443 --syn -j REDIRECT --to-ports "$TRANS_PORT_WORKSTATION"
+ fi
+ done
+}
+
+ipv4_input_defaults() {
+ ## Log.
+ #$iptables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input4: "
+
+ ## Reject anything not explicitly allowed above.
+ ## Drop is better than reject here, because we do not want to reveal it's a Whonix-Gateway.
+ ## (In case someone running Whonix-Gateway on bare metal.)
+ $iptables_cmd -A INPUT -j DROP
+}
+
+ipv4_forward() {
+ ## Log.
+ #$iptables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward4: "
+
+ ## Reject everything.
+ $iptables_cmd -A FORWARD -j REJECT --reject-with icmp-admin-prohibited
+}
+
+ipv4_reject_invalid_outgoing_packages() {
+ ## Drop invalid outgoing packages,
+ ## unless NO_REJECT_INVALID_OUTGOING_PACKAGES is set to 1.
+ if [ ! "$NO_REJECT_INVALID_OUTGOING_PACKAGES" = "1" ]; then
+ ## https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
+ $iptables_cmd -A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited
+ $iptables_cmd -A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited
+ #$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j REJECT --reject-with icmp-admin-prohibited
+ #$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j REJECT --reject-with icmp-admin-prohibited
+
+ ## DROP INVALID SYN PACKETS
+ $iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j REJECT --reject-with icmp-admin-prohibited
+ $iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT --reject-with icmp-admin-prohibited
+ $iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited
+
+ ## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
+ $iptables_cmd -A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited
+
+ ## DROP INCOMING MALFORMED XMAS PACKETS
+ $iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ALL -j REJECT --reject-with icmp-admin-prohibited
+
+ ## DROP INCOMING MALFORMED NULL PACKETS
+ $iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with icmp-admin-prohibited
+ fi
+}
+
+ipv4_output() {
+ lsmod | grep -q xt_owner || modprobe xt_owner
+
+ ## Allow outgoing traffic on VPN interface,
+ ## if VPN_FIREWALL mode is enabled.
+ ## DISABLED BY DEFAULT.
+ if [ "$VPN_FIREWALL" = "1" ]; then
+ $iptables_cmd -A OUTPUT -o "$VPN_INTERFACE" -j ACCEPT
+ fi
+
+ local no_nat_user
+ for no_nat_user in $NO_NAT_USERS ; do
+ $iptables_cmd -t nat -A OUTPUT -m owner --uid-owner "$no_nat_user" -j RETURN
+ done
+
+ if [ "$firewall_mode" = "full" ]; then
+ ## Redirect of Gateway DNS traffic to DNS_PORT_GATEWAY.
+ ## DISABLED BY DEFAULT. default. Using SocksPort instead.
+ if [ "$GATEWAY_TRANSPARENT_DNS" = "1" ]; then
+ $iptables_cmd -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT_GATEWAY"
+ fi
+ fi
+
+ if [ "$firewall_mode" = "full" ]; then
+ ## Exclude connections to local network, Whonix-Workstation, VirtualBox from being redirected through Tor,
+ ## unless VPN_FIREWALL mode is enabled.
+ ## ENABLED BY DEFAULT.
+ if [ ! "$VPN_FIREWALL" = "1" ]; then
+ local non_tor_gateway_item
+ for non_tor_gateway_item in $NON_TOR_GATEWAY; do
+ $iptables_cmd -t nat -A OUTPUT -m iprange --dst-range "$non_tor_gateway_item" -j RETURN
+ done
+ fi
+ fi
+
+ if [ "$firewall_mode" = "full" ]; then
+ ## Redirect all Gateway TCP traffic to TRANS_PORT_GATEWAY.
+ ## DISABLED BY DEFAULT. Using SocksPort instead.
+ if [ "$GATEWAY_TRANSPARENT_TCP" = "1" ]; then
+ $iptables_cmd -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT_GATEWAY"
+ fi
+ fi
+
+ ## Existing connections are accepted.
+ $iptables_cmd -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+
+ if [ "$firewall_mode" = "full" ]; then
+ ## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
+ ## unless VPN_FIREWALL mode is enabled.
+ ## ENABLED BY DEFAULT.
+ if [ ! "$VPN_FIREWALL" = "1" ]; then
+ for non_tor_gateway_item in $NON_TOR_GATEWAY; do
+ $iptables_cmd -A OUTPUT -m iprange --dst-range "$non_tor_gateway_item" -j ACCEPT
+ done
+ fi
+ fi
+
+ if [ "$firewall_mode" = "full" ]; then
+ ## Accept outgoing connections to local network,
+ ## when VPN_FIREWALL mode is enabled.
+ ## DISABLED BY DEFAULT.
+ if [ "$VPN_FIREWALL" = "1" ]; then
+ local local_net_item
+ for local_net_item in $LOCAL_NET; do
+ $iptables_cmd -A OUTPUT -m iprange --dst-range "$local_net_item" -j ACCEPT
+ done
+ fi
+ fi
+
+ ## Prevent connections to Tor SocksPorts.
+ ## https://phabricator.whonix.org/T533#11025
+ if [ "$firewall_mode" = "timesync-fail-closed" ]; then
+ local socks_port_item
+ for socks_port_item in $socks_ports_list; do
+ true "$socks_port_item: ${!socks_port_item}"
+ if [ "$SOCKS_PORT_SDWDATE" = "${!socks_port_item}" ]; then
+ continue
+ fi
+ $iptables_cmd -A OUTPUT -p tcp --dport "${!socks_port_item}" --dst "127.0.0.1" -j REJECT
+ done
+ fi
+
+ ## Access to localhost is required even in timesync-fail-closed mode,
+ ## otherwise breaks applications such as konsole and kwrite.
+ $iptables_cmd -A OUTPUT -o lo -j ACCEPT
+
+ for no_nat_user in $NO_NAT_USERS ; do
+ $iptables_cmd -A OUTPUT -m owner --uid-owner "$no_nat_user" -j ACCEPT
+ done
+
+ if [ "$firewall_mode" = "timesync-fail-closed" ]; then
+ ## Allow sdwdate talking to localhost and Tor in Whonix firewall timesync-fail-closed mode.
+ ## Otherwise in Whonix firewall full mode this rule is redundant.
+ $iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
+ $iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT
+
+ $iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "127.0.0.1" -j ACCEPT
+ fi
+
+ ## Log.
+ #$iptables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output4: "
+
+ ## Reject all other outgoing traffic.
+ $iptables_cmd -A OUTPUT -j REJECT --reject-with icmp-admin-prohibited
+}
+
+ipv6() {
+ ## Policy DROP for all traffic as fallback.
+ $ip6tables_cmd -P INPUT DROP
+ $ip6tables_cmd -P OUTPUT DROP
+ $ip6tables_cmd -P FORWARD DROP
+
+ ## Flush old rules.
+ $ip6tables_cmd -F
+ $ip6tables_cmd -X
+ $ip6tables_cmd -t mangle -F
+ $ip6tables_cmd -t mangle -X
+
+ ## Allow unlimited access on loopback.
+ ## Not activated, since we do not need it.
+ #$ip6tables_cmd -A INPUT -i lo -j ACCEPT
+ #$ip6tables_cmd -A OUTPUT -o lo -j ACCEPT
+
+ ## Log.
+ #$ip6tables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input6: "
+ #$ip6tables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output6: "
+ #$ip6tables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward6: "
+
+ ## Drop/reject all other traffic.
+ $ip6tables_cmd -A INPUT -j DROP
+ ## --reject-with icmp-admin-prohibited not supported by ip6tables
+ $ip6tables_cmd -A OUTPUT -j REJECT
+ ## --reject-with icmp-admin-prohibited not supported by ip6tables
+ $ip6tables_cmd -A FORWARD -j REJECT
+}
+
+status_files() {
+ mkdir --parents /run/whonix_firewall
+ if [ -e /run/whonix_firewall/first_run_current_boot.status ]; then
+ touch /run/whonix_firewall/consecutive_run.status
+ return 0
+ fi
+ touch /run/whonix_firewall/first_run_current_boot.status
+}
+
+date_cmd(){
+ date -u +"%Y-%m-%d %T"
+}
+
+output_cmd() {
+ echo "$(date_cmd) - $0 - $@"
+}
+
+firewall_mode_detection() {
+ if [ ! "$firewall_mode" = "" ]; then
+ output_cmd "OK: Skipping firewall mode detection since already set to '$firewall_mode'."
+ if [ "$firewall_mode" = "timesync-fail-closed" ]; then
+ output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)"
+ return 0
+ elif [ "$firewall_mode" = "full" ]; then
+ output_cmd "OK: (Full torified network access allowed.)"
+ return 0
+ else
+ output_cmd "ERROR: firewall_mode must be set to either 'full' or 'timesync-fail-closed'."
+ error_handler
+ fi
+ fi
+
+ ## Run Whonix firewall in full mode if sdwdate already succeeded.
+ if [ -e /run/sdwdate/first_success ]; then
+ firewall_mode=full
+ output_cmd "OK: (/run/sdwdate/first_success exists.)"
+ elif [ -e /run/sdwdate/success ]; then
+ firewall_mode=full
+ output_cmd "OK: (/run/sdwdate/success exists.)"
+ ## /run/whonix_firewall/first_run_current_boot.status already exists,
+ ## therefore have Whonix firewall run in full mode.
+ elif [ -e /run/whonix_firewall/first_run_current_boot.status ]; then
+ firewall_mode=full
+ output_cmd "OK: (/run/whonix_firewall/first_run_current_boot.status exists.)"
+ else
+ ## /run/whonix_firewall/first_run_current_boot.status does not yet exist,
+ ## therefore return 'yes, timesync-fail-closed'.
+ firewall_mode=timesync-fail-closed
+ fi
+
+ if [ "$firewall_mode" = "timesync-fail-closed" ]; then
+ output_cmd "OK: First run during current boot, therefore running in timesync-fail-closed mode."
+ output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)"
+ else
+ output_cmd "OK: Consecutive run during current boot, therefore running in full mode."
+ output_cmd "OK: (Full torified network access allowed.)"
+ fi
+}
+
+end() {
+ output_cmd "OK: Whonix firewall loaded."
+
+ exit 0
+}
+
+main() {
+ init
+ firewall_mode_detection
+ variables_defaults
+ ipv4_defaults
+ ipv4_preparation
+ ipv4_drop_invalid_incoming_packages
+ qubes
+ ipv4_input_rules
+ ipv4_input_defaults
+ ipv4_forward
+ ipv4_reject_invalid_outgoing_packages
+ ipv4_output
+ if [ -d /proc/sys/net/ipv6/ ]; then
+ ipv6
+ fi
+ status_files
+ end
+}
+
+source_config_folder
+main
diff --git a/overlay/Linux/usr/local/sbin/proxy_firewall_start.bash b/overlay/Linux/usr/local/sbin/proxy_firewall_start.bash
new file mode 100755
index 0000000..5a8c4b3
--- /dev/null
+++ b/overlay/Linux/usr/local/sbin/proxy_firewall_start.bash
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+ROLE=proxy
+. /usr/local/bin/proxy_ping_lib.bash || { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 3; }
+proxy_ping_firewall_restart $*
diff --git a/overlay/Linux/usr/local/sbin/proxy_libvirt_ga_test.bash b/overlay/Linux/usr/local/sbin/proxy_libvirt_ga_test.bash
new file mode 100755
index 0000000..6cb3bde
--- /dev/null
+++ b/overlay/Linux/usr/local/sbin/proxy_libvirt_ga_test.bash
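Review bot: `proxy_ping_firewall_restart $*` at the end of proxy_firewall_start.bash re-splits the script's arguments on whitespace and expands any globs before they reach the function; `proxy_ping_firewall_restart "$@"` passes each argument through intact. The failure message in the `||` branch of the `.` line goes to stdout, so a caller capturing output sees it as data rather than as a diagnostic; `echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash >&2` keeps it on stderr.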
@@ -0,0 +1,80 @@
+#!/bin/sh
+# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=hostvms
+
+#[ $# -eq 0 ] && set -- Whonix-Gateway /bin/cat /proc/cmdline
+[ $# -eq 0 ] && set -- Whonix-Gateway /bin/netstat -lnp4
+[ $# -lt 2 ] && echo USAGE: $0 domain command arguments
+. /usr/local/bin/usr_local_tput.bash || exit 3
+
+HOST=$1
+shift
+CMD=$1
+shift
+
+# FixMe
+if [ $# -lt 1 ] ; then
+ ARGS=""
+ elif [ $# -gt 1 ] ; then
+ ARGS=`sed -e 's/ /","/g' <<< $*`
+ else
+ ARGS="$1"
+fi
+
+[ "$HOST" = WWork106 ] && HOST=Whonix-Workstation || true
+[ "$HOST" = WGate106 ] && HOST=Whonix-Gateway || true
+[ -z "$CMD" ] && CMD=/usr/sbin/qemu-ga && ARGS=-D
+
+INFO $0 $HOST $CMD $ARGS
+
+if ifconfig virbr1 | grep -q 10.0.2.2 ; then
+ # lrwxrwxrwx 1 root root 11 Aug 26 21:58 /dev/virtio-ports/org.qemu.guest_agent.0 -> ../vport3p2
+ INFO ssh user@10.0.2.15 virbr1
+ ssh user@10.0.2.15 ls -l /dev/virtio-ports/org.qemu.guest_agent.0 | \
+ grep /dev/virtio-ports/org.qemu.guest_agent.0 || \
+ WARN NOT ssh ls -l /dev/virtio-ports/org.qemu.guest_agent.0
+ # /usr/sbin/qemu-ga
+ ssh user@10.0.2.15 ps ax | \
+ grep qemu-ga || \
+ WARN NOT ssh ps qemu-ga
+fi
+
+
+DBUG virsh qemu-agent-command $HOST \
+ '{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}'
+virsh qemu-agent-command $HOST \
+ '{"execute":"guest-exec", "arguments": {"capture-output": true,"path":"'$CMD'","arg":["'$ARGS'"]}}' \
+ >/tmp/Q$$.out || exit 1$?
+
+grep -q return /tmp/Q$$.out || exit 2
+pid=`sed -e 's/.*://' -e 's/}.*//' /tmp/Q$$.out`
+[ $? -eq 0 -a -n "$pid" ] || exit 3
+
+# DBUG virsh qemu-agent-command $HOST \
+# '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}'
+#virsh qemu-agent-command $HOST \
+# '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
+# >/tmp/R$$.out || exit 4$?
+
+TRIES=10
+i=0
+while [ $i -lt $TRIES ] ; do
+ i=`expr $i + 1`
+ virsh qemu-agent-command $HOST \
+ '{"execute":"guest-exec-status", "arguments": {"pid": '$pid'}}' \
+ >/tmp/R$$.out || exit 4$i$?
+ grep -q '"exitcode":0' /tmp/R$$.out && break
+ sleep 5
+ DBUG $i
+done
+[ $i -lt $TRIES ] || \
+ { ERROR $i no exitcode in /tmp/R$$.out; exit 5 ; }
+
+b64=`sed -e 's/{"return":{"exitcode":0,"out-data":"//' -e 's/",".*//' /tmp/R$$.out`
+[ $? -eq 0 ] || exit 6
+[ -n "$b64" ] || exit 7
+echo $b64 | base64 -d - || exit 8
+
+rm -f /tmp/{Q,R}$$.out
+exit 0
diff --git a/overlay/Linux/usr/local/sbin/proxy_libvirt_hook_network.bash b/overlay/Linux/usr/local/sbin/proxy_libvirt_hook_network.bash
new file mode 100755
index 0000000..9332d15
--- /dev/null
+++ b/overlay/Linux/usr/local/sbin/proxy_libvirt_hook_network.bash
@@ -0,0 +1,29 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+. /usr/local/bin/usr_local_tput.bash
+
+. /usr/local/bin/proxy_ping_lib.bash || exit 1$?
+
+if [ -f /etc/modules-load.d/firewall.conf ] ; then
+ grep -v '#' /etc/modules-load.d/firewall.conf|xargs modprobe --all
+fi
+
+proxy_ping_firewall_restart
+retval=$?
+if [ $retval -eq 0 ] ; then
+ logger INFO: $prog proxy_ping_firewall_restart $*
+ else
+ logger ERROR: $prog proxy_ping_firewall_restart retval=$retval $*
+ exit $retval
+fi
+
+# clean
+exit 0
+
+# BEGIN ANSIBLE MANAGED BLOCK proxy whonix_host.yml
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+# END ANSIBLE MANAGED BLOCK proxy whonix_host.yml
diff --git a/overlay/Linux/usr/local/sbin/proxy_libvirt_hook_qemu.bash b/overlay/Linux/usr/local/sbin/proxy_libvirt_hook_qemu.bash
new file mode 100755
index 0000000..2295b9c
--- /dev/null
+++ b/overlay/Linux/usr/local/sbin/proxy_libvirt_hook_qemu.bash
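Review bot: proxy_libvirt_ga_test.bash declares `#!/bin/sh` but relies on bash-only syntax — the `<<< $*` here-string that builds `ARGS` and the `/tmp/{Q,R}$$.out` brace expansion in the final `rm -f` — so under dash (a common `/bin/sh`) the argument conversion fails and the temporary files are never removed; change the shebang to `#!/bin/bash` or rewrite those two lines in POSIX sh. The `/tmp/Q$$.out` and `/tmp/R$$.out` names are predictable in a world-writable directory and are left behind on every early `exit`; create them with `mktemp` and remove them from an `EXIT` trap instead. `$CMD` and `$ARGS` are spliced into the guest-exec JSON without escaping, so a path or argument containing `"` or `\` yields a malformed request; the values should at least be escaped before interpolation. Also, `[ $# -lt 2 ] && echo USAGE: $0 domain command arguments` prints the usage text but keeps going, after which `HOST` and `CMD` are taken from missing positional parameters; it should `exit` after the message.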
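Review bot: `grep -v '#' /etc/modules-load.d/firewall.conf|xargs modprobe --all` in proxy_libvirt_hook_network.bash drops every line that contains a `#` anywhere, not only comment lines, and when nothing survives GNU xargs still runs `modprobe --all` with no module names; `grep -v '^#' /etc/modules-load.d/firewall.conf | xargs -r modprobe --all` (`-r` is `--no-run-if-empty`) avoids both. The first `. /usr/local/bin/usr_local_tput.bash` is unchecked while the `proxy_ping_lib.bash` source two lines later exits on failure, so a missing tput library only surfaces later as an undefined-function error; add `|| exit 1` there too. The ANSIBLE MANAGED BLOCK markers after `exit 0` are unreachable and look like a templating artefact; if managed content is meant to land there it should sit above the `exit`.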
@@ -0,0 +1,13 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+
+. /usr/local/bin/usr_local_tput.bash
+
+logger INFO: $0 $PWD $*
+
+exit 0
+
diff --git a/overlay/Linux/usr/local/sbin/proxy_tor_lib.bad b/overlay/Linux/usr/local/sbin/proxy_tor_lib.bad
new file mode 100755
index 0000000..12ed9f8
Binary files /dev/null and b/overlay/Linux/usr/local/sbin/proxy_tor_lib.bad differ
diff --git a/overlay/Linux/usr/local/sbin/proxy_tor_lib.bash b/overlay/Linux/usr/local/sbin/proxy_tor_lib.bash
new file mode 100755
index 0000000..7e4dc73
--- /dev/null
+++ b/overlay/Linux/usr/local/sbin/proxy_tor_lib.bash
@@ -0,0 +1,217 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+## /usr/local/bin/proxy_whonix_tor_start.bash
+
+ROLE=proxy
+[ -z "$prog" ] && prog=$( basename $0 .bash )
+[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor
+
+## host_tor_verify_config
+. /usr/local/bin/usr_local_tput.bash || exit 3
+host_tor_verify_config () {
+ # tor --verify-config # || exit 2$?
+ su -c 'tor --verify-config' -s /bin/sh $PRIV_TOR_OWNER \
+ | grep -v 'notice\|DisableNetwork'
+ # || exit 2
+ return 0
+}
+
+tor_grep_log () {
+ local log
+
+ [ -f /run/tor/log ] && log=/run/tor/log || log=/tmp/tor.log
+ [ -f $log ] || { WARN $prog $log not found ; return 1 ; }
+
+ INFO grep % $log
+ grep % $log | grep -v 5%
+
+ return 0
+}
+
+## host_tor_is_running
+host_tor_is_running () {
+ local retval
+
+ retval=0
+ if netstat -nlp4 2>&1| grep ':90.*/tor' ; then
+ DBUG $prog tor is already running
+ retval=2
+ elif ps ax | grep -v grep | grep "su -c tor -s /bin/sh $PRIV_TOR_OWNER" ; then
+ DBUG $prog tor is already running
+ retval=3
+ elif ls -l /run/tor/socket 2>/dev/null ; then
+ DBUG $prog tor is already running
+ retval=4
+ fi
+ tor_grep_log
+ return $retval
+}
+
+## host_tor_start
+host_tor_start () {
+ #su -c '/etc/init.d/tor stop' -s /bin/sh $PRIV_TOR_OWNER
+ #sleep 5
+
+ [ -d /run/tor/ ] && rm -f /run/tor/* || mkdir /run/tor
+ # systemd overrides these
+ chown $PRIV_TOR_OWNER.$PRIV_TOR_OWNER /run/tor
+ chmod 2750 /run/tor/
+
+ gateway_tor_stop
+ # systemctl daemon-reload
+ rm -f /run/tor/log.err /tmp/log.err
+ rm -f /run/tor/log /tmp/log.log
+ rm -f /run/tor/tor.pid /tmp/log.pid
+
+
+ INFO starting tor - see /tmp/tor.err /tmp/tor.log
+
+ if false ; then
+ su -c '/etc/init.d/tor start' -s /bin/sh $PRIV_TOR_OWNER
+ netstat -nlp -t inet | grep "$IP:9128" || systemctl --no-pager restart tor@default || return 4$?
+else
+ su -c 'tor' -s /bin/sh $debian 2>/tmp/tor.err >/tmp/tor.log &
+ echo -n $! >/tmp/tor.pid
+fi
+ sleep 15
+
+ return 0
+}
+
+## host_tor_stop
+host_tor_stop () {
+ local debian
+
+ [ -s /tmp/tor.pid ] && \
+ DBUG $prog kill $( cat /tmp/tor.pid ) && \
+ kill $( cat /tmp/tor.pid ) 2>/dev/null && \
+ rm /tmp/tor.pid
+ rm -f /tmp/tor.log /tmp/tor.err
+ debian=$PRIV_TOR_OWNER
+ pkill -u $debian
+ [ -s /tmp/tog.pid ] && \
+ kill $( cat /tmp/tog.pid ) 2>/dev/null \
+ && rm /tmp/tog.pid
+ # echo 1|sudo dd of=/proc/sys/net/ipv4/tcp_tw_reuse
+ return 0
+}
+
+PROXY_ExcludeNodes="{gb},{ca}"
+
+## proxy_tor_torrc_update
+proxy_tor_torrc_update () {
+ local file IP
+ file=$1
+ IP=$2
+ grep -q "SocksPort $IP:9050" $file || \
+ echo "SocksPort $IP:9050" >> $file
+ grep -q "DNSPort $IP:9053" $file || \
+ echo "DNSPort $IP:9053" >> $file
+ if false ; then
+ grep -q "TransPort $IP:9040" $file || \
+ echo "TransPort $IP:9040 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort" >> $file
+ fi
+ grep -q "HTTPTunnelPort $IP:9128" $file || \
+ echo "HTTPTunnelPort $IP:9128 IsolateDestAddr" >> $file
+ return 0
+}
+
+
+export TOR_LOG="/var/log/tor/log"
+export TOR_DIR=/var/lib/tor/data
+
+cmd_item_list=(
+"--has-consensus"
+"--current-time-in-valid-range"
+"--show-valid-after"
+"--show-valid-until"
+"--show-middle-range"
+)
+
+#"--tor-cert-lifetime-invalid"
+#"--tor-cert-valid-after"
+
+## proxy_tor_test_ntp
+proxy_tor_test_ntp () {
+ /usr/local/bin/proxy_ping_test.bash ntp
+ return $?
+}
+
+## proxy_tor_test_anondate
+proxy_tor_test_anondate () {
+ local cmd_item outout exit_code
+
+for cmd_item in ${cmd_item_list[@]} ; do
+ output="$( /usr/local/lib/helper-scripts/anondate $cmd_item $@ )"
+ exit_code="$?"
+ if [ $exit_code -eq 0 ] ; then
+ INFO "/usr/local/lib/helper-scripts/anondate $cmd_item $@"
+ echo "output: $output"
+ else
+ echo "WARN: /usr/local/lib/helper-scripts/anondate $cmd_item $@"
+ echo -n "exit_code: $exit_code "
+ echo "output: $output"
+ fi
+done
+ return 0
+}
+
+host_tor_status () {
+ [ -f /tmp/tor.pid ] && \
+ [ $( wc -c /tmp/tor.pid|sed -e 's/ .*//' ) -le 1 ] && \
+ rm /tmp/tor.pid
+
+ if [ -f /tmp/tor.pid ]; then
+ ps -p "$( cat /tmp/tor.pid )"
+ elif [ -f /run/tor/tor.pid ] ; then
+ ps -p "$( cat /run/tor/tor.pid )"
+ else
+ WARN $prog no /tmp/tor.pid or /run/tor/tor.pid
+ fi
+
+ [ ! -f /usr/local/src/helper-scripts/tor_bootstrap_check.py ] || \
+ python3 /usr/local/src/helper-scripts/tor_bootstrap_check.py \
+ || return 1
+
+ debian=$PRIV_TOR_OWNER
+ INFO $prog $debian processes:
+ ps -g $debian
+
+ guest_qemu_status || return 2$?
+ tor_start_not_running && return 3$?
+
+ [ ! -f /usr/local/src/helper-scripts/tor_circuit_established_check.py ] || \
+ a=$( python3 /usr/local/src/helper-scripts/tor_circuit_established_check.py ) \
+ || return 4
+ [ "$a" = "1" ]|| { echo "WARN: $prog tor_circuit_established_check != 1" ;
+ return 5
+ }
+
+ return 0
+}
+
+## proxy_tor_torrc_exclude
+proxy_tor_torrc_exclude () {
+ local file
+ [ $# -eq 0 ] && file=$1 || file=/etc/tor/torrc
+ [ -n "$file" ] || return 1
+ [ -f "$file" ] || return 2
+ [ -n "$PROXY_ExcludeNodes" ] || return 3
+ grep -q "ExcludeNodes.*$PROXY_ExcludeNodes" "$file" && return 0
+ if grep -q "ExcludeNodes" $file ; then
+ sed -e "s@ExcludeNodes.*@ExcludeNodes ${PROXY_ExcludeNodes}@" -i $file
+ else
+ echo "ExcludeNodes $PROXY_ExcludeNodes" >> $file
+ fi
+
+ return 0
+}
+
+base=proxy_tor_lib
+if [ -x /usr/bin/basename ] && [ $( /usr/bin/basename -- $0 ) = $base'.bash' -o $( basename -- $0 ) = $base'.sh' ] ; then
+ [ "$#" -eq 0 ] && exit 0
+ [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'|sort && exit 0
+ eval "$@"
+ exit $?
+ fi
+
diff --git a/overlay/Linux/usr/local/sbin/proxy_whonix-libvirt-install.bash b/overlay/Linux/usr/local/sbin/proxy_whonix-libvirt-install.bash
new file mode 100755
index 0000000..b64580c
--- /dev/null
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix-libvirt-install.bash
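Review bot: In `host_tor_start`, `su -c 'tor' -s /bin/sh $debian 2>/tmp/tor.err >/tmp/tor.log &` uses `$debian`, which that function never sets (it is only a `local` inside `host_tor_stop`), so unless a caller happens to export a global of that name the user argument expands to nothing and `su` falls back to root — tor would be started as root rather than as `$PRIV_TOR_OWNER`; write `su -c 'tor' -s /bin/sh "$PRIV_TOR_OWNER" 2>/tmp/tor.err >/tmp/tor.log &` and add `[ -n "$PRIV_TOR_OWNER" ] || return 1` at the top of the function. The same function calls `gateway_tor_stop`, which is not defined in this file (the stop routine here is `host_tor_stop`). In `proxy_tor_torrc_exclude` the branches of `[ $# -eq 0 ] && file=$1 || file=/etc/tor/torrc` are swapped — with no argument `file` is empty and the function returns 1, and a supplied path is ignored; it should read `[ $# -eq 0 ] && file=/etc/tor/torrc || file=$1`. The dispatch block at the bottom ends in `eval "$@"`, which evaluates arbitrary text from the command line rather than only the library's own functions; restricting it to known function names, e.g. `declare -F -- "$1" >/dev/null || exit 1` followed by `"$@"`, keeps the self-invocation entry point from becoming a general command runner. `proxy_tor_test_anondate` declares `local cmd_item outout exit_code` but assigns `output`, so that variable leaks into the caller's scope.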
@@ -0,0 +1,172 @@ +#!/bin/bash +# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*- + +set -o pipefail || exit 1 + +# was in /usr/lib/whonix-libvirt/install +# unlike that one, this should be idempotent +# [ -f /var/lib/whonix-libvirt/install.done ] && exit 0 + +prog=$( basename $0 .bash ) +PREFIX=/usr/local +ROLE=base +. /usr/local/bin/usr_local_tput.bash + +GATEW=1 +# for testforge use we only need the Gateway +WORKS= + +[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash +. /usr/local/bin/proxy_ping_lib.bash || \ + { echo ERROR: loading /usr/local/bin/proxy_ping_lib.bash ; exit 1; } +. /usr/local/bin/usr_local_base.bash || exit 2 + +MODE=`proxy_ping_mode` +[ $MODE = whonix ] || exit 0 + +#? echo ERROR: avoiding $prog proxy_whonix-libvirt-install.bash ; exit 10 + +[ -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || exit 12 +/usr/local/bin/proxy_libvirt_hook_network.bash || exit 13 + +[ -d /usr/local/var/log ] || mkdir /usr/local/var/log || exit 14 +chmod 1777 /usr/local/var/log + +[ -f /etc/firewall.conf.whonix ] || \ + cp -p /usr/local/etc/firewall.conf.* /etc/ || exit 15 + +[ -f /etc/firewall.conf ] || \ + cp -p /etc/firewall.conf.whonix /etc/firewall.conf || exit 16 + +# ERROR: proxy_ping_firewall_check /etc/firewall.conf empty +[ -x /etc/libvirt/hooks/network ] || cat > /etc/libvirt/hooks/network << \EOF +#!/bin/sh +[ -d /usr/local/var/log ] || mkdir /usr/local/var/log +echo INFO: hooks/network $* > /usr/local/var/log/libvirt_network.log +bash /usr/local/bin/proxy_libvirt_hook_network.bash "$@" \ + >> /usr/local/var/log/libvirt_network.log 2>&1 +EOF +[ -x /etc/libvirt/hooks/network ] || chmod a+x /etc/libvirt/hooks/network + /etc/libvirt/hooks/network || exit 16 + +## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. +set -e + +## {{ Taken from qemu-system-common.postinst. +# Add the kvm group unless it's already there +if ! 
getent group kvm >/dev/null; then + addgroup --quiet --system kvm || true +fi +## }} Taken from qemu-system-common.postinst. + +## {{ Taken from libvirt-bin.postinst. +if ! getent group libvirt >/dev/null; then + addgroup --system libvirt +fi +## }} Taken from libvirt-bin.postinst. + +## Existence of user "user" is not guaranteed at this point. +if grep -q ^user /etc/passwd ; then + grep -q ^kvm /etc/group || addgroup user kvm + grep -q ^libvirt /etc/group || addgroup user libvirt +fi + +## Create shared directory and adjust permissions +[ -d /mnt/gateway-shared ] || mkdir --parents /mnt/gateway-shared +[ -n "$WORKS" ] && [ -d /mnt/workstation-shared ] || mkdir --parents /mnt/workstation-shared +chmod 1777 /mnt/gateway-shared +[ -n "$WORKS" ] && chmod 1777 /mnt/workstation-shared + + +## networks +proxy_virsh net-list --all | grep -q default || \ + virsh -c qemu:///system net-autostart "default" || exit 1$? +#? virsh -c qemu:///system net-start "default" || exit 2$? +proxy_virsh net-list --all | grep -q Whonix-External || \ + virsh -c qemu:///system net-define "/usr/local/etc/libvirt/qemu/networks/Whonix-External.xml" \ + || exit 3$? +proxy_virsh net-list --all | grep -q Whonix-Internal || \ + virsh -c qemu:///system net-define "/usr/local/etc/libvirt/qemu/networks/Whonix-Internal.xml" \ + || exit 4$? + +#no virsh -c qemu:///system net-autostart "Whonix-External" +proxy_virsh net-list | grep -q Whonix-External || \ + virsh -c qemu:///system net-start "Whonix-External" || exit 5$? +# no virsh -c qemu:///system net-autostart "Whonix-Internal" +proxy_virsh net-list | grep -q Whonix-Internal || \ + virsh -c qemu:///system net-start "Whonix-Internal" || exit 6$? 
+ +lsmod | grep -q kvm||modprobe kvm || exit 7 +temp_dir=/usr/local/etc/libvirt/qemu + +if virsh capabilities | grep -q "/dev/null && \ + rm /tmp/tor.pid + rm -f /tmp/tor.log /tmp/tor.err + debian=$PRIV_TOR_OWNER + pkill -u $debian + [ -s /tmp/tog.pid ] && \ + kill $( cat /tmp/tog.pid ) 2>/dev/null \ + && rm /tmp/tog.pid + systemctl stop vanguards + # systemctl start onion-grater >/dev/null && systemctl stop onion-grater + # echo 1|sudo dd of=/proc/sys/net/ipv4/tcp_tw_reuse + netstat -npet4 + + return 0 +} + +## gateway_tor_torrc +gateway_tor_torrc () { + local file IP + # file=/etc/torrc.d/50_user.conf + file=/usr/local/etc/torrc.d/50_user.conf + if [ ! -f $file ] ; then + cat > $file <> $file + done + return 0 +} + +## gateway_tor_init_check_iptables +gateway_tor_init_check_iptables () { + local rule changed + changed=0 + rule='-A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT' + if ! proxy_iptables_save | grep -q -e "$rule" ; then + [ $changed -eq 0 ] && proxy_iptables -D INPUT -j DROP + proxy_iptables $rule + changed=1 + fi + rule='-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT' + if ! proxy_iptables_save | grep -q -e "$rule" ; then + [ $changed -eq 0 ] && proxy_iptables -D INPUT -j DROP + proxy_iptables $rule + changed=1 + fi + rule='-A INPUT -i eth0 -p tcp -m tcp --dport 9128 -j ACCEPT' + if ! 
proxy_iptables_save | grep -q -e "$rule" ; then + [ $changed -eq 0 ] && proxy_iptables -D INPUT -j DROP + proxy_iptables $rule + changed=1 + fi + [ $changed -gt 0 ] && proxy_iptables -A INPUT -j DROP + return 0 +} +# systemctl --no-pager status tor@default + +## tor_start_not_running +tor_start_not_running () { + local retval + + retval=0 + if netstat -nlp4 2>&1| grep '15:90.*/tor' ; then + DBUG $prog tor is already running + retval=2 + elif ps ax | grep -v grep | grep "su -c tor -s /bin/sh $PRIV_TOR_OWNER" ; then + DBUG $prog tor is already running + retval=3 + elif ls -l /run/tor/socket 2>/dev/null ; then + DBUG $prog tor is already running + retval=4 + fi + tor_grep_log + return $retval +} + +## gateway_tor_config_tor +gateway_tor_config_tor () { + + gateway_tor_init_check_iptables || exit 2$? + gateway_tor_torrc + gateway_tor_init_config_gateway_conf + rm -f /usr/local/etc/torrc.d/*~ + return $? +} + +## tor_start_verify_config +tor_start_verify_config () { + # tor --verify-config # || exit 2$? 
+ su -c 'tor --verify-config' -s /bin/sh $PRIV_TOR_OWNER \ + | grep -v 'notice\|DisableNetwork' + # || exit 2 + return 0 +} + +## tor_prepare_to_start +tor_prepare_to_start () { + #su -c '/etc/init.d/tor stop' -s /bin/sh $PRIV_TOR_OWNER + #sleep 5 + + [ -d /run/tor/ ] && rm -f /run/tor/* || mkdir /run/tor + # systemd overrides these + chown $PRIV_TOR_OWNER.$PRIV_TOR_OWNER /run/tor + chmod 0700 /run/tor/ + + gateway_tor_stop + # systemctl daemon-reload + rm -f /run/tor/log.err /tmp/log.err + rm -f /run/tor/log /tmp/log.log + rm -f /run/tor/tor.pid /tmp/log.pid + + sed '/DisableNetwork/d' -i /usr/local/etc/torrc.d/50_user.conf + + return 0 +} + +## tor_after_start +tor_after_start () { + + [ -s /tmp/tor.err ] && ERROR $prog /tmp/tor.err && cat /tmp/tor.err && return 6 + grep '\[warn\]' /tmp/tor.log + grep '\[err\]' /tmp/tor.log && ERROR $prog /tmp/tor.log && return 7 + + ls /run/tor/log* >/dev/null && \ + sed -e '/configured a non-loopback address/d' -i /run/tor/log* + chmod 750 /run/tor/ + chmod 640 /run/tor/log + INFO checked /tmp/tor.log /tmp/tor.err + + INFO starting onion-grater + # systemctl start onion-grater + pidof /usr/lib/onion-grater || return 0 + /usr/lib/onion-grater --listen-interface eth1 & + echo -n $! >/tmp/tog.pid + return 0 +} + +tor_grep_log () { + local log + + [ -f /run/tor/log ] && log=/run/tor/log || log=/tmp/tor.log + [ -f $log ] || { WARN $prog $log not found ; return 1 ; } + + INFO grep % $log + grep % $log | grep -v 5% + + return 0 +} + +tor_test () { + tor_grep_log + tor_qemu_status || return 1$? + return 0 +} + +tor_qemu_status () { + local pid + + pid=$( pidof /usr/sbin/qemu-ga ) + [ $? 
-eq 0 -a -n "$pid" ] || \ + { WARN $prog qemu-qa not running; return 1 ; } + lsof -p $pid | grep -q /dev/v || \ + { WARN /usr/sbin/qemu-ga not bound to /dev ; return 1 ; } + + return 0 +} + +tor_status () { + [ -f /tmp/tor.pid ] && \ + [ $( wc -c /tmp/tor.pid|sed -e 's/ .*//' ) -le 1 ] && \ + rm /tmp/tor.pid + + if [ -f /tmp/tor.pid ]; then + ps -p "$( cat /tmp/tor.pid )" + elif [ -f /run/tor/tor.pid ] ; then + ps -p "$( cat /run/tor/tor.pid )" + else + WARN $prog no /tmp/tor.pid or /run/tor/tor.pid + fi + + [ ! -f /usr/local/src/helper-scripts/tor_bootstrap_check.py ] || \ + python3 /usr/local/src/helper-scripts/tor_bootstrap_check.py \ + || return 1 + + debian=$( grep -q ^$PRIV_TOR_OWNER /etc/passwd && echo $PRIV_TOR_OWNER || echo tor ) + INFO $prog $debian processes: + ps -g $debian + + tor_qemu_status || return 1$? + tor_start_not_running && return 2$? + + # /usr/lib/helper-scripts/tor_circuit_established_check.py + + return 0 +} + +gateway_tor_verify () { + tor_start_verify_config || return 1 + + return 0 +} + +gateway_tor_start () { + local debian + # Nov 09 21:00:27 host vanguards[715]: WARNING[Mon Nov 09 21:00:27 2020]: Tor daemon connection failed: [Errno 24] Too many open files. Trying again... + + # debian-tor soft nofile 100000 + # /etc/security/limits.conf + + gateway_tor_config_tor || return 2$? + tor_start_not_running || return 3$? + + gateway_tor_verify || return 4$? + tor_prepare_to_start + + INFO startiing tor - see /tmp/tor.err /tmp/tor.log + #su -c '/etc/init.d/tor start' -s /bin/sh $PRIV_TOR_OWNER + #netstat -nlp -t inet | grep "$IP:9128" || systemctl --no-pager restart tor@default || return 4$? + su -c 'tor' -s /bin/sh $PRIV_TOR_OWNER 2>/tmp/tor.err >/tmp/tor.log & + echo -n $! 
>/tmp/tor.pid + + sleep 15 + + tor_after_start + tor_status + return 0 +} + +if [ "$#" -eq 0 ] ; then + echo USAGE: $prog "$USAGE" + +elif [ "$d1#" = '--help' ] ; then + echo USAGE: $prog "$USAGE" or: + grep '^## ' $0 | sed -e 's/^## //' + + ## config + elif [ $1 = config ] ; then + INFO $prog $1 + gateway_tor_config_tor || exit 1$? + + ## stop - + elif [ $1 = stop ] ; then + INFO $prog $1 + gateway_tor_stop + exit $? + + ## status + elif [ $1 = status ] ; then + INFO $prog tor_status + tor_status || exit $? + exit 0 + + ## start + elif [ "$1" = gateway -o "$1" = start ] ; then + INFO $prog tor_start + gateway_tor_start + exit $? + + ## restart + elif [ "$1" = restart ] ; then + INFO $prog tor_restart + gateway_tor_stop || exit 1$? + sleep 2 + gateway_tor_start + exit $? + + ## verify + elif [ "$1" = verify ] ; then + tor_start_verify_config + + elif [ "$1" = test ] ; then + tor_test + + elif [ "$1" = '--help' -o "$1" = '-h' ] ; then + echo USAGE: $prog "$USAGE or:" + grep '^## ' $0 | sed -e 's/## //' + + else + eval "$@" || exit $? +fi + +exit 0 diff --git a/overlay/Linux/usr/local/sbin/proxy_whonix_guest_gateway.bash b/overlay/Linux/usr/local/sbin/proxy_whonix_guest_gateway.bash new file mode 100755 index 0000000..e9e2041 --- /dev/null +++ b/overlay/Linux/usr/local/sbin/proxy_whonix_guest_gateway.bash 
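Review bot: The group-membership step near the top of this hunk never runs: `grep -q ^kvm /etc/group || addgroup user kvm` tests whether the kvm group exists, which the `getent group kvm` block just above normally ensures, so `user` is never actually added to kvm or libvirt; the test should check membership, e.g. `id -nG user | grep -qw kvm || addgroup user kvm` and the same for libvirt. Separately, `chmod 1777 /usr/local/var/log` makes a directory that the root-run libvirt network hook appends its log into world-writable, which invites symlink tricks by any local user; a root-owned 0755 directory is enough for the hook's own log. Note that the hunk as rendered is spliced mid-line at `virsh capabilities | grep -q "` into what appears to be a different tor start/stop script, so the remainder of this file is not reviewable here.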
@@ -0,0 +1,262 @@ +#!/bin/bash +# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*- + +ROLE=proxy +CONN=guest +USAGE="[config|start|stop|test|verify]" +prog=$( basename $0 .bash ) +. /usr/local/bin/usr_local_tput.bash + +. /usr/local/sbin/proxy_whonix_lib.bash || \ + { ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 1; } +. /usr/local/sbin/proxy_whonix_gateway_tor.bash || \ + { ERROR loading /usr/local/sbin/proxy_whonix_gateway_tor.bash ; exit 2; } +. /usr/local/bin/usr_local_tput.bash || exit 3 + +NSL='nslookup -querytype=A' +NETS='netstat -nl4e' +SHARED_MNTS="o" +# ELTS="onion-grater" # these work and start normally +# sdwdate should be linked to NetManager and prevents logins if not connected +# well start tor ourselves +# we dont need vanguards +DISABLE_SERVICES="sdwdate tor vanguards" +DISABLE_X_SERVICES="rads sdwdate-gui-shutdown-notify tor-control-panel" +grep -q ' text ' /proc/cmdline && \ + DISABLE_SERVICES="$DISABLE_X_SERVICES $DISABLE_SERVICES" + +## proxy_gateway_fix_getty_timeout +proxy_gateway_fix_getty_timeout () { + # fix_getty_timeout - wheres inittab + grep -l '^Exec.*agetty -o' /lib/systemd/system/*service | while read file ; do + [ -f $file.dst ] && continue + cp -p $file $file.dst + sed -e 's/agetty -o/agetty -t 120 -o/' -i $file + done + return 0 +} + +## proxy_gateway_disable_rads +proxy_gateway_disable_rads () { + # rads is really hard to kill + if [ ! -f /etc/rads.d/50_default.conf ] ; then + sed /etc/rads.d/30_default.conf > /etc/rads.d/50_default.conf \ + -e 's@rads_start_display_manager=1@rads_start_display_manager=0@' \ + -e 's@rads_skip_ram_test=0rads_skip_ram_test=1@' \ + -e 's@rads_wait=0@rads_wait=1@' \ + -e 's@rads_wait_seconds=10@rads_wait_seconds=20@' \ + -e 's@rads_debug=0@rads_debug=1@' + fi + return 0 +} + +## proxy_gateway_install_tor +proxy_gateway_install_tor () { + # fixme parameterize? + + if [ ! 
-f /usr/local/etc/torrc.d/50_user.conf ] ; then + cat > /usr/local/etc/torrc.d/50_user.conf << EOF +Socks5ProxyUsername foo +Socks5ProxyPassword bar +SafeLogging 0 +SocksPort 10.0.2.15:9050 +DnsPort 10.0.2.15:9053 +HTTPTunnelPort 10.0.2.15:9128 +TransPort 10.0.2.15:9040 +ControlSocket /run/tor/control +ControlSocketGroupWriteable 1 +DisableNetwork 0 +EOF + fi + + return 0 +} + +## proxy_gateway__shutup_verbosity +proxy_gateway_shutup_verbosity () { + for file in /etc/issue* /etc/issue.d/* ; do + [ -f $file ] || continue + [ -s $file ] && cp /dev/null $file + done + return 0 +} + +## proxy_gateway_install_fstab +proxy_gateway_install_fstab () { + # /etc/fstab + + options=noauto,rw,trans=virtio,version=9p2000.L,cache=none + for elt in $SHARED_MNTS ; do + [ -d /mnt/$elt ] || mkdir /mnt/$elt + grep -q /mnt/$elt /etc/fstab && continue + echo "$elt /mnt/$elt 9p $options 0 0" \ + >> /etc/fstab + done + return 0 +} + +## proxy_gateway_install_gagent +proxy_gateway_install_gagent () { + [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || { + ERROR /dev/virtio-ports/org.qemu.guest_agent.0 not found + ERROR "check the host xml for " + ERROR "or blame Pottyring's systemd" + } + [ -x /usr/sbin/qemu-ga ] && return 0 + + # /mnt/shared/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb + if [ -f /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb ] ; then + # /o/Cache/Apt/Debian/10.6/deb.debian.org/debian-security/pool/updates/main/q/qemu/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb + dpkg -i /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb + fi + + false && \ + [ -f /lib/systemd/system/qemu-guest-agent.service ] && \ + [ ! 
-h /etc/systemd/system/multi-user.target/qemu-guest-agent.service ] && \ + ln -s /lib/systemd/system/qemu-guest-agent.service \ + /etc/systemd/system/multi-user.target.wants + return 0 +} + +## proxy_gateway_disable_services +proxy_gateway_disable_services () { + [ -f /usr/local/etc/local.d/local.bash ] || \ + { ERROR loading /usr/local/etc/local.d/local.bash ; return 2; } + local_systemd_stop_and_mask $DISABLE_SERVICES + + return 0 +} + +## proxy_gateway_test +proxy_gateway_test () { + + proxy_whonix_test gateway + + return 0 +} + +## proxy_gateway_config +proxy_gateway_config () { + grep '^nameserver 127.0.0.1' /etc/resolv.conf || \ + echo 'nameserver 127.0.0.1' >> /etc/resolv.conf + proxy_gateway_disable_services || return 1$? + # /usr/local/sbin/proxy_whonix_gateway_tor.bash config || return 2$? + gateway_tor_verify || return 3$? + return 0 +} + +## proxy_gateway_config +proxy_gateway_config () { + local dire=gateway + local file + + proxy_dest_port_wlan_config $dire || return 1$? + DEST=10.0.2.15 + PORT=9053 + [ -z "$PORT" -o -z "$DEST" ] && return 2 + #? proxy_whonix_polipo_config $dire + proxy_ping_test_resolv $dire || return 4$? + proxy_whonix_dnsmasq_config $dire || return 5$? + + return 0 +} +## proxy_gateway_start_bg +proxy_gateway_start_bg () { proxy_gateway_start $* ; } +## proxy_gateway_start +proxy_gateway_start () { + proxy_gateway_config || return 1$? + proxy_whonix_guest_start gateway + + proxy_ping_dnsmasq_status || \ + proxy_ping_dnsmasq_start || return 2$? + + /usr/local/sbin/proxy_whonix_gateway_tor.bash start || return 3$? + #? . gateway_tor_start + + #? polipo + # dnsmasq + + return 0 +} + +## proxy_gateway_stop +proxy_gateway_stop () { + gateway_tor_stop stop || return 3$? + + return 0 +} + +## proxy_gateway_status +proxy_gateway_status () { + + if [ -f /etc/ssh/sshd_config ] ; then + rc_service sshd status + else + WARN ssh not installed + fi + + # tor_grep_log || return 2$? + tor_status + + #? 
/usr/local/bin/proxy_ping_test.bash polipo || return 3$? + /usr/local/bin/proxy_ping_test.bash gateway || return 3$? + /usr/local/bin/proxy_ping_test.bash dns || return 4$? + + return 0 +} + +## proxy_gateway_config +proxy_gateway_config () { + systemctl is-enabled rc.local || systemctl enable --now rc.local || return 1 +# [ -f /etc/systemd/system/multi-user.target.wants/rc-local.service ] || \ +# ln -s /lib/systemd/system/rc-local.service \ +# /etc/systemd/system/multi-user.target.wants/rc-local.service + + systemctl is-enabled tor || systemctl disable --now tor + tor_config_tor || return 1$? + + return 0 +} + +proxy_gateway_verify () { + for elt in $( echo $USAGE | sed -e 's/|/ /' ) do ; grep ^$elt $0 ; done + tor_do_verify || return 1 + + return 0 +} + +## proxy_gateway_install +proxy_gateway_install () { + proxy_gateway_config || return 0 + + proxy_gateway_install_gagent + proxy_gateway_fix_getty_timeout + proxy_gateway_install_tor + proxy_gateway_shutup_verbosity + proxy_gateway_install_fstab + proxy_gateway_disable_rads + + return 0 +} + +if [ "$#" -eq 0 ] ; then + echo USAGE: $prog $USAGE + elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then + echo USAGE: $prog $USAGE or: + grep '^## ' $0 | sed -e 's/^## //' + + elif [ "$1" = config -o "$1" -o "$1" = install ] ; then + proxy_gateway_$1 || return 3$? + + elif [ "$1" = verify -o "$1" = status -o "$1" = test_from -o "$1" = test ] ; then + proxy_gateway_$1 || return 4$? + + elif [ "$1" = start_bg -o "$1" = start -o "$1" = stop ] ; then + proxy_gateway_$1 || return 5$? + + else + INFO $prog "$@" + eval "$@" + exit $? + + fi diff --git a/overlay/Linux/usr/local/sbin/proxy_whonix_guest_vda.bash b/overlay/Linux/usr/local/sbin/proxy_whonix_guest_vda.bash new file mode 100755 index 0000000..4220846 --- /dev/null +++ b/overlay/Linux/usr/local/sbin/proxy_whonix_guest_vda.bash 
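Review bot: `proxy_gateway_install_tor` writes a torrc with literal credentials `Socks5ProxyUsername foo` / `Socks5ProxyPassword bar` and sets `SafeLogging 0`, which stops Tor scrubbing addresses from its logs; the function already carries a `# fixme parameterize?`, so the credentials should come from a config variable and `SafeLogging 0` should be dropped or gated on `$DEBUG`. `proxy_gateway_config` is defined three times in this hunk and only the last body survives, so the version that runs `proxy_gateway_disable_services` and `gateway_tor_verify` and the version that configures dnsmasq are dead code. In the dispatcher, `[ "$1" = config -o "$1" -o "$1" = install ]` contains a bare `"$1"` term that is true for any non-empty argument, so every word reaches `proxy_gateway_$1`, and the `return 3$?` at top level of an executed script is only valid inside a function — `exit 3$?`, as the sibling vda script does, is what is intended.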
@@ -0,0 +1,161 @@ +#!/bin/bash +# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*- + +ROLE=proxy +MODE=vda +CONN=guest +USAGE="[config|start|stop|status|restart|verify|test]" + +[ $( id -u ) -eq 0 ] || { ERROR you must be root ; exit 1 ; } +prog=$( basename $0 .bash ) + +export PATH=$PATH:/usr/local/sbin +. /usr/local/bin/usr_local_tput.bash || exit 2 +PREFIX=/usr/local + +NEEDED_SCRIPTS=" +/usr/local/bin/proxy_ping_test.bash +/usr/local/sbin/proxy_whonix_gateway_tor.bash +" +. /usr/local/etc/local.d/local.bash || exit 1 +. /usr/local/sbin/proxy_whonix_lib.bash || \ + { ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; } + +# vda does not need dnsmasq +# $DEST resolv.conf + +## proxy_vda_stop +proxy_vda_stop () { + + return 0 +} + +## tor_init_check_iptables +proxy_vda_init_check_iptables () { + # tor_init_check_iptables || return 1$? + return 0 +} + +## proxy_vda_config +proxy_vda_config () { + proxy_whonix_guest_config || return 1$? + + [ -f /etc/firewall.conf.vda ] && \ + cp -p /usr/local/etc/firewall.conf.vda /etc/firewall.conf.vda + + proxy_guest_firewall_config || return 2$? + #/usr/local/sbin/proxy_whonix_guest_workstation-firewall.bash > \ + # /etc/firewall.conf.ws.new + + proxy_vda_whonix_config + + return 0 +} + +## proxy_vda_verify +proxy_vda_verify () { + + for elt in $(echo $USAGE | sed -e 's/|/ /') ; do grep ^$elt $0 ; done + + return 0 +} + +proxy_vda_grep_logs () { + + return 0 +} + +## proxy_vda_test +proxy_vda_test () { + + proxy_whonix_test vda || return 3$? + + return 0 +} + +## proxy_vda_status +proxy_vda_status () { + netstat -nle4 | grep -q 127.0.0.1:3128 >/dev/null || \ + { [ -n "$DEBUG" ] && WARN $0 polipo not running ; return 1 ; } + [ -n "$DEBUG" ] && DBUG $0 polipo running + + /usr/local/bin/proxy_ping_test.bash vda + /usr/local/bin/proxy_ping_test.bash polipo + /usr/local/bin/proxy_ping_test.bash dns + + return 0 +} + +## proxy_vda_whonix_start +proxy_vda_whonix_start () { + local dire=vda + local ret + + #? 
proxy_whonix_guest_start + + proxy_whonix_polipo_start $dire || \ + { ret=$? ;ERROR $prog polipo not running ret=$ret ; return 4$ret ; } + + return 0 +} + +## proxy_vda_start +proxy_vda_start () { + # local_guest_start_services + local PROXY_WLAN_GW=10.152.152.10 + local IP=10.152.152.11 + + grep -q gateway /etc//hosts || grep $PROXY_WLAN_GW gateway >> /etc//hosts + + if ! ifconfig eth0 | grep -q $IP ; then + ifconfig eth0 $IP netmask 255.255.192.0 broadcast 10.152.191.255 + #? inet $IP netmask 255.0.0.0 broadcast 10.255.255.255 + fi + ip route | grep -q ^default || \ + route add default gw $PROXY_WLAN_GW + + # dnsmasq + echo nameserver $PROXY_WLAN_GW > /etc/resolv.conf + + [ -f /etc/firewall.conf.vda ] || exit 2 + if [ -f /etc/firewall.conf.vda -a ! -f /etc/firewall.conf ] ; then + cp -p /etc/firewall.conf.vda /etc/firewall.conf + proxy_iptables_restore < /etc/firewall.conf + elif ! diff -q /etc/firewall.conf.vda /etc/firewall.conf ; then + mv /etc/firewall.conf /etc/firewall.conf.bak + cp -p /etc/firewall.conf.vda /etc/firewall.conf + proxy_iptables -F; proxy_iptables_restore < /etc/firewall.conf + fi + proxy_iptables_save | grep -i reject || return 3 + + proxy_vda_whonix_start + + return 0 +} + +if [ "$#" -eq 0 ] ; then + echo USAGE: $prog $USAGE + + elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then + echo USAGE: $prog $USAGE or: + grep '^## ' $0 | sed -e 's/^## //' + + elif [ "$1" = config -o "$1" = 'install' ] ; then + proxy_vda_config || exit 3$? + + elif [ "$1" = verify -o "$1" = 'test' ] ; then + proxy_vda_$1 || exit 4$? + + elif [ "$1" = update -o "$1" = 'start' -o "$1" = 'status' -o "$1" = 'stop' ] ; then + proxy_vda_$1 || exit 5$? + + elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then + proxy_vda_refresh || exit 6$? + + else + eval "$@" + exit $? + + fi + +exit 0 
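Review bot: In `proxy_vda_config` the firewall copy is inverted: `[ -f /etc/firewall.conf.vda ] && cp -p /usr/local/etc/firewall.conf.vda /etc/firewall.conf.vda` only copies when the target already exists, so on a fresh guest `proxy_vda_start` fails at `[ -f /etc/firewall.conf.vda ] || exit 2` and the firewall is never laid down; it should read `[ -f /etc/firewall.conf.vda ] || cp -p /usr/local/etc/firewall.conf.vda /etc/firewall.conf.vda`. In `proxy_vda_start`, `grep $PROXY_WLAN_GW gateway >> /etc//hosts` tries to read a file named `gateway` and appends nothing — `echo "$PROXY_WLAN_GW gateway" >> /etc/hosts` is what is intended. The root check at the top of the script calls `ERROR` before `usr_local_tput.bash` is sourced, so a non-root run prints a command-not-found error instead of the message (it still exits 1); moving the check below the source line fixes it.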
diff --git a/overlay/Linux/usr/local/sbin/proxy_whonix_guest_workstation-firewall.bash b/overlay/Linux/usr/local/sbin/proxy_whonix_guest_workstation-firewall.bash
new file mode 100755
index 0000000..b707e20
--- /dev/null
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix_guest_workstation-firewall.bash
@@ -0,0 +1,624 @@ +#!/bin/bash +# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*- + +prog=$( basename $0 .bash ) +ROLE=proxy +MODE=all +iptables_cmd='echo iptables' +ip6tables_cmd='echo iptables >/dev/null' + +## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +#### meta start +#### project Whonix +#### category networking and firewall +#### description +## firewall script +#### meta end + +## NOTE: If you make changes to this firewall, think about, if it would +## make sense to add the changes to Whonix-Gateway script as well. +## Some things like dropping invalid packages, should be shared. + +## TODO: +## - Should allow unlimited TCP/UDP/IPv6 traffic on the virtual external interface (OnionCat / OpenVPN). + +## source for some rules: +## http://www.cyberciti.biz/faq/ip6tables-ipv6-firewall-for-linux/ + +set -e + +error_handler() { + echo "$0 ##################################################" + echo "$0 ERROR: Whonix firewall script failed!" + echo "$0 ##################################################" + + exit 1 +} + +# trap "error_handler" ERR + +init() { + output_cmd "OK: Loading Whonix firewall..." + + set -o pipefail + set -o errtrace +} + +source_config_folder() { + shopt -s nullglob + local i + for i in \ + /etc/whonix_firewall.d/*.conf \ + /usr/local/etc/whonix_firewall.d/*.conf \ + ; do + bash_n_exit_code="0" + bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; }; + if [ ! "$bash_n_exit_code" = "0" ]; then + output_cmd "ERROR: Invalid config file: $i + bash_n_exit_code: $bash_n_exit_code + bash_n_output: + $bash_n_output" >&2 + exit 1 + fi + source "$i" + done +} + +variables_defaults() { + [ -n "$iptables_cmd" ] || iptables_cmd="iptables --wait" + [ -n "$ip6tables_cmd" ] || ip6tables_cmd="ip6tables --wait" + + ## Legacy. + if [ "$VPN_FIREWALL" = "1" ]; then + TUNNEL_FIREWALL_ENABLE="true" + fi + + ## Not in use/defined yet. + ## INT_IF could be the internal network. 
+ ## EXT_IF could be an additional virtual network adapter, + ## such as OnionCat or OpenVPN. + + ## External interface + [ -n "$EXT_IF" ] || EXT_IF="eth0" + ## Internal interface + [ -n "$INT_IF" ] || INT_IF="eth1" + + if command -v "qubesdb-read" >/dev/null 2>&1 ; then + ## Would fail if netvm is set to 'none', + ## which is the case in Qubes R4 TemplateVMs. + [ -n "$GATEWAY_IP" ] || GATEWAY_IP="$(qubesdb-read /qubes-gateway 2>/dev/null)" || GATEWAY_IP="127.0.0.1" + else + [ -n "$GATEWAY_IP" ] || GATEWAY_IP="10.152.152.10" + fi + + ## Since hardcoded in anon-ws-disable-stacked-tor. + [ -n "$GATEWAY_IP_HARDCODED" ] || GATEWAY_IP_HARDCODED="10.152.152.10" + + [ -n "$TUNNEL_USER" ] || TUNNEL_USER="$(id -u tunnel 2>/dev/null)" || true + [ -n "$NOTUNNEL_USER" ] || NOTUNNEL_USER="$(id -u notunnel 2>/dev/null)" || true + [ -n "$UPDATESPROXYCHECK_USER" ] || UPDATESPROXYCHECK_USER="$(id -u updatesproxycheck 2>/dev/null)" || true + + [ -n "$SDWDATE_USER" ] || SDWDATE_USER="$(id -u sdwdate 2>/dev/null)" || true + [ -n "$WHONIXCHECK_USER" ] || WHONIXCHECK_USER="$(id -u whonixcheck 2>/dev/null)" || true + + [ -n "$TUNNEL_FIREWALL_ALLOW_NOTUNNEL_USER" ] || TUNNEL_FIREWALL_ALLOW_NOTUNNEL_USER="true" + + ## Control Port Filter Proxy Port + [ -n "$CONTROL_PORT_FILTER_PROXY_PORT" ] || CONTROL_PORT_FILTER_PROXY_PORT="9051" + + [ -n "$qubes_updates_proxy_port" ] || qubes_updates_proxy_port="8082" + + ## Socks Ports for per application circuits. 
+ [ -n "$SOCKS_PORT_TOR_DEFAULT" ] || SOCKS_PORT_TOR_DEFAULT="9050" + [ -n "$SOCKS_PORT_TB" ] || SOCKS_PORT_TB="9100" + [ -n "$SOCKS_PORT_IRC" ] || SOCKS_PORT_IRC="9101" + [ -n "$SOCKS_PORT_TORBIRDY" ] || SOCKS_PORT_TORBIRDY="9102" + [ -n "$SOCKS_PORT_IM" ] || SOCKS_PORT_IM="9103" + [ -n "$SOCKS_PORT_APT_GET" ] || SOCKS_PORT_APT_GET="9104" + [ -n "$SOCKS_PORT_GPG" ] || SOCKS_PORT_GPG="9105" + [ -n "$SOCKS_PORT_SSH" ] || SOCKS_PORT_SSH="9106" + [ -n "$SOCKS_PORT_GIT" ] || SOCKS_PORT_GIT="9107" + [ -n "$SOCKS_PORT_SDWDATE" ] || SOCKS_PORT_SDWDATE="9108" + [ -n "$SOCKS_PORT_WGET" ] || SOCKS_PORT_WGET="9109" + [ -n "$SOCKS_PORT_WHONIXCHECK" ] || SOCKS_PORT_WHONIXCHECK="9110" + [ -n "$SOCKS_PORT_BITCOIN" ] || SOCKS_PORT_BITCOIN="9111" + [ -n "$SOCKS_PORT_PRIVOXY" ] || SOCKS_PORT_PRIVOXY="9112" + [ -n "$SOCKS_PORT_POLIPO" ] || SOCKS_PORT_POLIPO="9113" + [ -n "$SOCKS_PORT_WHONIX_NEWS" ] || SOCKS_PORT_WHONIX_NEWS="9114" + [ -n "$SOCKS_PORT_TBB_DOWNLOAD" ] || SOCKS_PORT_TBB_DOWNLOAD="9115" + [ -n "$SOCKS_PORT_TBB_GPG" ] || SOCKS_PORT_TBB_GPG="9116" + [ -n "$SOCKS_PORT_CURL" ] || SOCKS_PORT_CURL="9117" + [ -n "$SOCKS_PORT_RSS" ] || SOCKS_PORT_RSS="9118" + [ -n "$SOCKS_PORT_TORCHAT" ] || SOCKS_PORT_TORCHAT="9119" + [ -n "$SOCKS_PORT_MIXMASTERUPDATE" ] || SOCKS_PORT_MIXMASTERUPDATE="9120" + [ -n "$SOCKS_PORT_MIXMASTER" ] || SOCKS_PORT_MIXMASTER="9121" + [ -n "$SOCKS_PORT_KDE" ] || SOCKS_PORT_KDE="9122" + [ -n "$SOCKS_PORT_GNOME" ] || SOCKS_PORT_GNOME="9123" + [ -n "$SOCKS_PORT_APTITUDE" ] || SOCKS_PORT_APTITUDE="9124" + [ -n "$SOCKS_PORT_YUM" ] || SOCKS_PORT_YUM="9125" + [ -n "$SOCKS_PORT_TBB_DEFAULT" ] || SOCKS_PORT_TBB_DEFAULT="9150" + + socks_ports_list="$(compgen -v | grep SOCKS\_PORT\_)" + + [ -n "$VPN_INTERFACE" ] || VPN_INTERFACE="tun0" + + ## Destinations you do not routed through VPN. 
+ if [ "$LOCAL_NET" = "" ]; then + if command -v "qubesdb-read" >/dev/null 2>&1 ; then + LOCAL_NET="\ + 127.0.0.0-127.0.0.24 \ + 10.137.0.0-10.138.255.255 \ + " + else + ## 10.0.2.2/24: VirtualBox DHCP + LOCAL_NET="\ + 127.0.0.0-127.0.0.24 \ + 192.168.0.0-192.168.0.24 \ + 192.168.1.0-192.168.1.24 \ + 10.152.152.0-10.152.152.24 \ + 10.0.2.2-10.0.2.24 \ + " + fi + fi +} + +ipv4_defaults() { + ## Set secure defaults. + $iptables_cmd -P INPUT DROP + + ## FORWARD rules does not actually do anything if forwarding is disabled. Better be safe just in case. + $iptables_cmd -P FORWARD DROP + + ## Will be lifted below. + $iptables_cmd -P OUTPUT DROP +} + +ipv4_preparation() { + ## Flush old rules. + $iptables_cmd -F + $iptables_cmd -X + $iptables_cmd -t nat -F + $iptables_cmd -t nat -X + $iptables_cmd -t mangle -F + $iptables_cmd -t mangle -X +} + +ipv4_drop_invalid_incoming_packages() { + ## DROP MARTIANS +## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/ + $iptables_cmd -A INPUT -i wlan6 -s 10.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP SPOOF A: " + $iptables_cmd -A INPUT -i wlan6 -s 172.16.0.0/12 -j LOG --log-prefix "iptables_martian_DROP SPOOF B: " + $iptables_cmd -A INPUT -i wlan6 -s 192.168.0.0/16 -j LOG --log-prefix "iptables_martian_DROP SPOOF C: " + $iptables_cmd -A INPUT -i wlan6 -s 224.0.0.0/4 -j LOG --log-prefix "iptables_martian_DROP MULTICAST D: " + $iptables_cmd -A INPUT -i wlan6 -s 240.0.0.0/5 -j LOG --log-prefix "iptables_martian_DROP SPOOF E: " + $iptables_cmd -A INPUT -i wlan6 -d 127.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP LOOPBACK: " + + $iptables_cmd -A INPUT -i wlan6 -s 10.0.0.0/8 -j DROP + $iptables_cmd -A INPUT -i wlan6 -s 172.16.0.0/12 -j DROP + $iptables_cmd -A INPUT -i wlan6 -s 192.168.0.0/16 -j DROP + $iptables_cmd -A INPUT -i wlan6 -s 224.0.0.0/4 -j DROP + $iptables_cmd -A INPUT -i wlan6 -s 240.0.0.0/5 -j DROP + $iptables_cmd -A INPUT -i wlan6 -d 127.0.0.0/8 -j DROP + + ## DROP 
INVALID + $iptables_cmd -A INPUT -m conntrack --ctstate INVALID -j DROP + $iptables_cmd -A INPUT -m state --state INVALID -j DROP + + ## DROP INVALID SYN PACKETS + $iptables_cmd -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + $iptables_cmd -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + $iptables_cmd -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + + ## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS + $iptables_cmd -A INPUT -f -j DROP + + ## DROP INCOMING MALFORMED XMAS PACKETS + $iptables_cmd -A INPUT -p tcp --tcp-flags ALL ALL -j DROP + + ## DROP INCOMING MALFORMED NULL PACKETS + $iptables_cmd -A INPUT -p tcp --tcp-flags ALL NONE -j DROP +} + +qubes() { + ## Not yet required. Just so Whonix-Workstation firewall can be more similar + ## to Whonix-Gateway firewall. + true +} + +qubes_dns() { + local counter + counter=0 + + ## Using '2>/dev/null' because 'qubesdb-read' DNS would fail in Qubes R4 + ## TemplateVMs, because these are non-networked by default. + + if qubes_primary_dns="$(qubesdb-read /qubes-primary-dns 2>/dev/null)" ; then + $iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$qubes_primary_dns" -j ACCEPT + counter=$(( counter + 1 )) + fi + + if qubes_secondary_dns="$(qubesdb-read /qubes-secondary-dns 2>/dev/null)" ; then + $iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$qubes_secondary_dns" -j ACCEPT + counter=$(( counter + 1 )) + fi + + if [ "$counter" -ge "2" ]; then + output_cmd "OK: Qubes DNS firewall rules ok." + else + $iptables_cmd -A OUTPUT -p udp --dport 53 -j ACCEPT + fi +} + +ipv4_input_rules() { + ## Traffic on the loopback interface is accepted. + $iptables_cmd -A INPUT -i lo -j ACCEPT + + ## Established incoming connections are accepted. + $iptables_cmd -A INPUT -m state --state ESTABLISHED -j ACCEPT + + ## Allow all incoming connections on the virtual VPN network interface, + ## when TUNNEL_FIREWALL_ENABLE mode is enabled. + ## DISABLED BY DEFAULT. 
+ if [ "$TUNNEL_FIREWALL_ENABLE" = "true" ]; then + $iptables_cmd -A INPUT -i "$VPN_INTERFACE" -j ACCEPT + fi + + if [ "$firewall_mode" = "timesync-fail-closed" ]; then + true "firewall_mode is $firewall_mode, therefore not opening EXTERNAL_OPEN_PORTS." + else + local local_port_to_open + for local_port_to_open in $EXTERNAL_OPEN_PORTS; do + $iptables_cmd -A INPUT -p tcp --dport "$local_port_to_open" -j ACCEPT + done + + local local_udp_port_to_open + for local_udp_port_to_open in $EXTERNAL_UDP_OPEN_PORTS; do + $iptables_cmd -A INPUT -p udp --dport "$local_udp_port_to_open" -j ACCEPT + done + + if [ "$EXTERNAL_OPEN_ALL" = "true" ]; then + $iptables_cmd -A INPUT -j ACCEPT + fi + fi +} + +ipv4_input_defaults() { + ## Log. + #$iptables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input4: " + + ## Required for Control Port Filter Proxy Connection. + ## https://phabricator.whonix.org/T112 + $iptables_cmd -A INPUT -p tcp -j REJECT --reject-with tcp-reset + + ## Reject anything not explicitly allowed above. + $iptables_cmd -A INPUT -j REJECT --reject-with icmp-port-unreachable +} + +ipv4_forward() { + ## Log. + #$iptables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward4: " + + $iptables_cmd -A FORWARD -j DROP +} + +ipv4_reject_invalid_outgoing_packages() { + ## Drop invalid outgoing packages, + ## unless NO_REJECT_INVALID_OUTGOING_PACKAGES is set to 1. + if [ ! "$NO_REJECT_INVALID_OUTGOING_PACKAGES" = "1" ]; then + ## https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html + $iptables_cmd -A OUTPUT -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-admin-prohibited + $iptables_cmd -A OUTPUT -m state --state INVALID -j REJECT --reject-with icmp-admin-prohibited + #$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j REJECT --reject-with icmp-admin-prohibited + #$iptables_cmd -A OUTPUT ! -o lo ! -d 127.0.0.1 ! 
-s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j REJECT --reject-with icmp-admin-prohibited + + ## DROP INVALID SYN PACKETS + $iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j REJECT --reject-with icmp-admin-prohibited + $iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT --reject-with icmp-admin-prohibited + $iptables_cmd -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-admin-prohibited + + ## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS + $iptables_cmd -A OUTPUT -f -j REJECT --reject-with icmp-admin-prohibited + + ## DROP INCOMING MALFORMED XMAS PACKETS + $iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL ALL -j REJECT --reject-with icmp-admin-prohibited + + ## DROP INCOMING MALFORMED NULL PACKETS + $iptables_cmd -A OUTPUT -p tcp --tcp-flags ALL NONE -j REJECT --reject-with icmp-admin-prohibited + fi +} + +qubes_updates_proxy() { + ## Detect Qubes. + if ! command -v "qubesdb-read" >/dev/null 2>&1 ; then + return 0 + fi + + ## Detect being run inside TemplateVM. + if [ ! -f "/run/qubes/this-is-templatevm" ]; then + return 0 + fi + + ## Detect if torified Qubes updates proxy was detected. + if test -f "/run/qubes-service/whonix-secure-proxy" ; then + output_cmd "OK: Torified Qubes Updates Proxy check ok. Full access to Qubes Updates Proxy." + return 0 + fi + + output_cmd "OK: Torified Qubes Updates Proxy check not done yet. Limiting access to Qubes Updates Proxy to user 'updatesproxycheck'." 
+ + $iptables_cmd -A OUTPUT -m owner --uid-owner "$UPDATESPROXYCHECK_USER" -m iprange --dst-range "127.0.0.1" -p tcp --dport "$qubes_updates_proxy_port" -j ACCEPT + $iptables_cmd -A OUTPUT -m owner --uid-owner "$UPDATESPROXYCHECK_USER" -m iprange --dst-range "10.137.255.254" -p tcp --dport "$qubes_updates_proxy_port" -j ACCEPT + + $iptables_cmd -A OUTPUT -m iprange --dst-range "127.0.0.1" -p tcp --dport "$qubes_updates_proxy_port" -j REJECT --reject-with icmp-admin-prohibited + $iptables_cmd -A OUTPUT -m iprange --dst-range "10.137.255.254" -p tcp --dport "$qubes_updates_proxy_port" -j REJECT --reject-with icmp-admin-prohibited +} + +ipv4_output() { + ## Prevent connections to Tor SocksPorts. + ## https://phabricator.whonix.org/T533#11025 + if [ "$firewall_mode" = "timesync-fail-closed" ]; then + local socks_port_item + for socks_port_item in $socks_ports_list; do + true "$socks_port_item: ${!socks_port_item}" + if [ "$SOCKS_PORT_SDWDATE" = "${!socks_port_item}" ]; then + continue + fi + $iptables_cmd -A OUTPUT -p tcp --dport "${!socks_port_item}" --dst "127.0.0.1" -j REJECT + done + fi + + qubes_updates_proxy + + ## Access to localhost is required even in timesync-fail-closed mode, + ## otherwise breaks applications such as konsole and kwrite. + $iptables_cmd -A OUTPUT -o lo -j ACCEPT + + ## Allow outgoing traffic on VPN interface, + ## if TUNNEL_FIREWALL_ENABLE mode is enabled. + ## DISABLED BY DEFAULT. + if [ "$TUNNEL_FIREWALL_ENABLE" = "true" ]; then + if [ "$firewall_mode" = "timesync-fail-closed" ]; then + true "firewall_mode is $firewall_mode, therefore prohibiting user $TUNNEL_USER traffic." + else + true "firewall_mode is $firewall_mode, therefore allowing user $TUNNEL_USER traffic." 
+ ## Connections to VPN servers are allowed, + $iptables_cmd -A OUTPUT -o "$VPN_INTERFACE" -j ACCEPT + $iptables_cmd -A OUTPUT -m owner --uid-owner "$TUNNEL_USER" -j ACCEPT + fi + + if [ "$TUNNEL_FIREWALL_ALLOW_SDWDATE_USER" = "true" ]; then + $iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT + $iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT + $iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT + fi + + if [ "$TUNNEL_FIREWALL_ALLOW_NOTUNNEL_USER" = "true" ]; then + $iptables_cmd -A OUTPUT -m owner --uid-owner "$NOTUNNEL_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT + $iptables_cmd -A OUTPUT -m owner --uid-owner "$NOTUNNEL_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT + $iptables_cmd -A OUTPUT -m owner --uid-owner "$NOTUNNEL_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT + fi + + ## Accept outgoing connections to local network. 
+ if [ "$TUNNEL_FIREWALL_ALLOW_LOCAL_NET" = "true" ]; then + if [ "$firewall_mode" = "timesync-fail-closed" ]; then + true + else + local local_net_item + for local_net_item in $LOCAL_NET; do + $iptables_cmd -A OUTPUT -m iprange --dst-range "$local_net_item" -j ACCEPT + done + fi + fi + + if [ "$TUNNEL_FIREWALL_ALLOW_CONTROL_PORT_FILTER_PROXY" = "true" ]; then + $iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "127.0.0.1" -j ACCEPT + $iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP" -j ACCEPT + $iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT + fi + + if [ "$TUNNEL_FIREWALL_ALLOW_TB_UPDATER" = "true" ]; then + if [ "$firewall_mode" = "timesync-fail-closed" ]; then + true + else + local socks_port_tbb + for socks_port_tbb in $SOCKS_PORT_TBB_DOWNLOAD $SOCKS_PORT_TBB_GPG ; do + $iptables_cmd -A OUTPUT -p tcp --dport "$socks_port_tbb" --dst "$GATEWAY_IP" -j ACCEPT + $iptables_cmd -A OUTPUT -p tcp --dport "$socks_port_tbb" --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT + done + fi + fi + + if [ "$TUNNEL_FIREWALL_ALLOW_WHONIXCHECK" = "true" ]; then + if [ "$firewall_mode" = "timesync-fail-closed" ]; then + true + else + $iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT + $iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT + $iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT + fi + fi + else + if [ "$firewall_mode" = "timesync-fail-closed" ]; then + true "firewall_mode is $firewall_mode, therefore prohibiting DNS traffic." + else + true "firewall_mode is $firewall_mode, therefore allowing DNS traffic." + ## Allow Whonix-Workstation to query Whonix-Gateway for DNS. 
+ $iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$GATEWAY_IP" -j ACCEPT + $iptables_cmd -A OUTPUT -p udp --dport 53 --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT + if command -v "qubesdb-read" >/dev/null 2>&1 ; then + qubes_dns + fi + fi + + ## Not sure about the next one. UDP is not supported by Tor, why not + ## block any outgoing UDP. Might have unwanted side effects when tunneling + ## UDP over Tor. + ## https://www.whonix.org/wiki/Tunnel_UDP_over_Tor + ## + ## All other non-TCP protocol traffic gets rejected. + ## iptables knows 7 different protocols and all. + ## (tcp, udp, udplite, icmp, esp, ah, sctp or all) + ## + ## (1) ping torproject.org + ## 4 packets transmitted, 0 received, 100% packet loss, time 3000ms + ## + ## (2) ping torproject.org + ## From 10.152.152.11 icmp_seq=1 Destination Port Unreachable + ## 0 packets transmitted, 0 received, +100 errors + ## + ## The next rule ensures, that only tcp can leave and achieves the desired result from (2). + $iptables_cmd -A OUTPUT ! -p tcp -j REJECT --reject-with icmp-port-unreachable + + if [ "$firewall_mode" = "timesync-fail-closed" ]; then + true "firewall_mode is $firewall_mode, therefore prohibiting all outgoing traffic." + + ## Allow sdwdate talking to localhost and Tor in Whonix firewall timesync-fail-closed mode. + ## Otherwise in Whonix firewall full mode this rule is redundant. 
+ $iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT + $iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT + $iptables_cmd -A OUTPUT -m owner --uid-owner "$SDWDATE_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT + + $iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "127.0.0.1" -j ACCEPT + $iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP" -j ACCEPT + $iptables_cmd -A OUTPUT -m owner --uid-owner "$WHONIXCHECK_USER" -m iprange --dst-range "$GATEWAY_IP_HARDCODED" -j ACCEPT + + $iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "127.0.0.1" -j ACCEPT + $iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP" -j ACCEPT + $iptables_cmd -A OUTPUT -p tcp --dport "$CONTROL_PORT_FILTER_PROXY_PORT" --dst "$GATEWAY_IP_HARDCODED" -j ACCEPT + else + true "firewall_mode is $firewall_mode, therefore allowing all outgoing traffic." + ## Allow full outgoing connection but no incoming stuff. + $iptables_cmd -A OUTPUT -j ACCEPT + fi + + ## Log. + #$iptables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output4: " + + ## Reject all other outgoing traffic. + $iptables_cmd -A OUTPUT -j REJECT --reject-with icmp-port-unreachable + fi +} + +ipv6() { + ## Policy DROP for all traffic as fallback. + $ip6tables_cmd -P INPUT DROP + $ip6tables_cmd -P OUTPUT DROP + $ip6tables_cmd -P FORWARD DROP + + ## Flush old rules. + $ip6tables_cmd -F + $ip6tables_cmd -X + $ip6tables_cmd -t mangle -F + $ip6tables_cmd -t mangle -X + + ## Allow unlimited access on loopback. + $ip6tables_cmd -A INPUT -i lo -j ACCEPT + $ip6tables_cmd -A OUTPUT -o lo -j ACCEPT + + ## Log. 
+ #$ip6tables_cmd -A INPUT -j LOG --log-prefix "Whonix blocked input6: " + #$ip6tables_cmd -A OUTPUT -j LOG --log-prefix "Whonix blocked output6: " + #$ip6tables_cmd -A FORWARD -j LOG --log-prefix "Whonix blocked forward6: " + + ## Drop/reject all other traffic. + $ip6tables_cmd -A INPUT -j DROP + ## --reject-with icmp-admin-prohibited not supported by ip6tables + $ip6tables_cmd -A OUTPUT -j REJECT --reject-with icmp6-port-unreachable + ## --reject-with icmp-admin-prohibited not supported by ip6tables + $ip6tables_cmd -A FORWARD -j DROP +} + +status_files() { + mkdir --parents /run/whonix_firewall + if [ -e /run/whonix_firewall/first_run_current_boot.status ]; then + touch /run/whonix_firewall/consecutive_run.status + return 0 + fi + touch /run/whonix_firewall/first_run_current_boot.status +} + +date_cmd(){ + date -u +"%Y-%m-%d %T" +} + +output_cmd() { + echo "$(date_cmd) - $0 - $@" +} + +firewall_mode_detection() { + if [ ! "$firewall_mode" = "" ]; then + output_cmd "OK: Skipping firewall mode detection since already set to '$firewall_mode'." + if [ "$firewall_mode" = "timesync-fail-closed" ]; then + output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)" + return 0 + elif [ "$firewall_mode" = "full" ]; then + output_cmd "OK: (Full torified network access allowed.)" + return 0 + else + output_cmd "ERROR: firewall_mode must be set to either 'full' or 'timesync-fail-closed'." + error_handler + fi + fi + + ## Run Whonix firewall in full mode if sdwdate already succeeded. + if [ -e /run/sdwdate/first_success ]; then + firewall_mode=full + output_cmd "OK: (/run/sdwdate/first_success exists.)" + elif [ -e /run/sdwdate/success ]; then + firewall_mode=full + output_cmd "OK: (/run/sdwdate/success exists.)" + ## /run/whonix_firewall/first_run_current_boot.status already exists, + ## therefore have Whonix firewall run in full mode. 
+ elif [ -e /run/whonix_firewall/first_run_current_boot.status ]; then + firewall_mode=full + output_cmd "OK: (/run/whonix_firewall/first_run_current_boot.status exists.)" + else + ## /run/whonix_firewall/first_run_current_boot.status does not yet exist, + ## therefore return 'yes, timesync-fail-closed'. + firewall_mode=timesync-fail-closed + fi + + if [ "$firewall_mode" = "timesync-fail-closed" ]; then + output_cmd "OK: First run during current boot, therefore running in timesync-fail-closed mode." + output_cmd "OK: (Only local Tor control port connections and torified sdwdate allowed.)" + else + output_cmd "OK: Consecutive run during current boot, therefore running in full mode." + output_cmd "OK: (Full torified network access allowed.)" + fi +} + +end() { + output_cmd "OK: Whonix firewall loaded." + + exit 0 +} + +main() { + init + firewall_mode_detection + variables_defaults + ipv4_defaults + ipv4_preparation + ipv4_drop_invalid_incoming_packages + qubes + ipv4_input_rules + ipv4_input_defaults + ipv4_forward + ipv4_reject_invalid_outgoing_packages + ipv4_output + if [ -d /proc/sys/net/ipv6/ ]; then + ipv6 + fi + status_files + end +} + +if [ -x /usr/bin/basename ] && [ $( basename -- $0 ) = 'proxy_whonix_guest_workstation-firewall.bash' ] ; then + source_config_folder + iptables_cmd="echo iptables" + ip6tables_cmd="echo # ip6tables" + main + + fi diff --git a/overlay/Linux/usr/local/sbin/proxy_whonix_guest_workstation.bash b/overlay/Linux/usr/local/sbin/proxy_whonix_guest_workstation.bash new file mode 100755 index 0000000..51aa44c --- /dev/null +++ b/overlay/Linux/usr/local/sbin/proxy_whonix_guest_workstation.bash 
@@ -0,0 +1,195 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+ROLE=proxy
+[ -n "$prog" ] || prog= # no qa
+prog=$( basename $0 .bash )
+. /usr/local/bin/usr_local_tput.bash
+
+USAGE="[config|start|stop|status|restart|test]"
+
+SHARED_MNTS="o"
+
+[ "$#" -eq 0 ] && set -- install
+
+## proxy_workstation_fix_getty_timeout
+proxy_workstation_fix_getty_timeout () {
+ # fix_getty_timeout - wheres inittab
+ grep -l '^Exec.*agetty -o' /lib/systemd/system/*service | while read file ; do
+ [ -f $file.dst ] && continue
+ cp -p $file $file.dst
+ sed -e 's/agetty -o/agetty -t 120 -o/' -i $file
+ done
+ return 0
+}
+
+
+## proxy_workstation__shutup_verbosity
+proxy_workstation_shutup_verbosity () {
+ for file in /etc/issue* /etc/issue.d/* ; do
+ [ -f $file ] || continue
+ [ -s $file ] && cp /dev/null $file
+ done
+ return 0
+}
+
+## proxy_workstation_install_fstab
+proxy_workstation_install_fstab () {
+ # /etc/fstab
+ options=noauto,rw,trans=virtio,version=9p2000.L,cache=none
+ for elt in $SHARED_MNTS ; do
+ [ -d /mnt/$elt ] || mkdir /mnt/$elt
+ grep -q /mnt/$elt /etc/fstab && continue
+ echo "$elt /mnt/$elt 9p $options 0 0" \
+ >> /etc/fstab
+ done
+ # root
+ return 0
+}
+
+## proxy_workstation_install_gagent
+proxy_workstation_install_gagent () {
+ [ -d /etc/apt ] && proxy_workstation_install_gagent_debian || return 1$?
+ [ -d /etc/gentoo ] && proxy_workstation_install_gagent_gentoo || return 2$?
+ return 0
+}
+
+## proxy_workstation_install_gagent
+proxy_workstation_install_gagent_gentoo () {
+ [ -x /usr/bin/qemu-ga -a -x /etc/init.d/qemu-guest-agent ] || \
+ emerge -vb app-emulation/qemu-guest-agent || return 1$?
+ return 0
+}
+
+## proxy_workstation_install_gagent
+proxy_workstation_install_gagent_debian () {
+ [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ] || {
+ echo ERROR: /dev/virtio-ports/org.qemu.guest_agent.0 not found
+ ERROR "check the host xml for "
+ ERROR "or blame Pottyring's systemd"
+ }
+ [ -x /usr/sbin/qemu-ga ] && return 0
+
+ # /mnt/shared/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
+ if [ -f /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb ] ; then
+ dpkg -i /var/cache/apt/archives/qemu-guest-agent_3.1+dfsg-8+deb10u8_amd64.deb
+ fi
+
+ # start guest-service - its failing on the device prerequisite
+ systemctl is-enabled qemu-guest-agent || systemctl enable --now qemu-guest-agent
+ false && \
+ [ -f /lib/systemd/system/qemu-guest-agent.service ] && \
+ [ ! -h /etc/systemd/system/multi-user.target/qemu-guest-agent.service ] && \
+ ln -s /lib/systemd/system/qemu-guest-agent.service \
+ /etc/systemd/system/multi-user.target.wants
+ return 0
+}
+
+## proxy_workstation_test
+proxy_workstation_test () {
+ service qemu-guest-agent status >/dev/null || return 1$?
+ proxy_whonix_test ws || return 2$?
+ return 0
+}
+
+## proxy_workstation_config
+proxy_workstation_config () {
+ proxy_whonix_guest_config || return 1$?
+ proxy_guest_firewall_config || return 2$?
+
+ proxy_ws_whonix_config ws || return 3$?
+
+ variables_defaults
+ [ -n "$GATEWAY_IP_HARDCODED" ] || GATEWAY_IP_HARDCODED="10.152.152.10"
+
+ ## Control Port Filter Proxy Port
+ [ -n "$CONTROL_PORT_FILTER_PROXY_PORT" ] || CONTROL_PORT_FILTER_PROXY_PORT="9051"
+ [ -n "$SOCKS_PORT_TOR_DEFAULT" ] || SOCKS_PORT_TOR_DEFAULT="9050"
+
+ ## Socks Ports for per application circuits.
+ [ -n "$SOCKS_PORT_TB" ] || SOCKS_PORT_TB="9100"
+ [ -n "$SOCKS_PORT_IRC" ] || SOCKS_PORT_IRC="9101"
+ [ -n "$SOCKS_PORT_TORBIRDY" ] || SOCKS_PORT_TORBIRDY="9102"
+ [ -n "$SOCKS_PORT_IM" ] || SOCKS_PORT_IM="9103"
+ [ -n "$SOCKS_PORT_APT_GET" ] || SOCKS_PORT_APT_GET="9104"
+ [ -n "$SOCKS_PORT_GPG" ] || SOCKS_PORT_GPG="9105"
+ [ -n "$SOCKS_PORT_SSH" ] || SOCKS_PORT_SSH="9106"
+ [ -n "$SOCKS_PORT_GIT" ] || SOCKS_PORT_GIT="9107"
+ [ -n "$SOCKS_PORT_SDWDATE" ] || SOCKS_PORT_SDWDATE="9108"
+ [ -n "$SOCKS_PORT_WGET" ] || SOCKS_PORT_WGET="9109"
+ [ -n "$SOCKS_PORT_WHONIXCHECK" ] || SOCKS_PORT_WHONIXCHECK="9110"
+ [ -n "$SOCKS_PORT_BITCOIN" ] || SOCKS_PORT_BITCOIN="9111"
+ [ -n "$SOCKS_PORT_PRIVOXY" ] || SOCKS_PORT_PRIVOXY="9112"
+ [ -n "$SOCKS_PORT_POLIPO" ] || SOCKS_PORT_POLIPO="9113"
+ [ -n "$SOCKS_PORT_WHONIX_NEWS" ] || SOCKS_PORT_WHONIX_NEWS="9114"
+ [ -n "$SOCKS_PORT_TBB_DOWNLOAD" ] || SOCKS_PORT_TBB_DOWNLOAD="9115"
+ [ -n "$SOCKS_PORT_TBB_GPG" ] || SOCKS_PORT_TBB_GPG="9116"
+ [ -n "$SOCKS_PORT_CURL" ] || SOCKS_PORT_CURL="9117"
+ [ -n "$SOCKS_PORT_RSS" ] || SOCKS_PORT_RSS="9118"
+ [ -n "$SOCKS_PORT_TORCHAT" ] || SOCKS_PORT_TORCHAT="9119"
+ [ -n "$SOCKS_PORT_MIXMASTERUPDATE" ] || SOCKS_PORT_MIXMASTERUPDATE="9120"
+ [ -n "$SOCKS_PORT_MIXMASTER" ] || SOCKS_PORT_MIXMASTER="9121"
+ [ -n "$SOCKS_PORT_KDE" ] || SOCKS_PORT_KDE="9122"
+ [ -n "$SOCKS_PORT_GNOME" ] || SOCKS_PORT_GNOME="9123"
+ [ -n "$SOCKS_PORT_APTITUDE" ] || SOCKS_PORT_APTITUDE="9124"
+ [ -n "$SOCKS_PORT_YUM" ] || SOCKS_PORT_YUM="9125"
+ [ -n "$SOCKS_PORT_TBB_DEFAULT" ] || SOCKS_PORT_TBB_DEFAULT="9150"
+
+ return 0
+}
+
+## proxy_workstation_start_bg
+proxy_workstation_start_bg () { proxy_workstation_start $* ; }
+## proxy_workstation_start
+proxy_workstation_start () {
+ local dire=ws
+
+ proxy_workstation_config || return 1$?
+ proxy_whonix_guest_start
+
+ proxy_whonix_polipo_start $dire || \
+ { ret=$? ;echo ERROR: $prog polipo not started ret=$ret; return 4$ret ; }
+
+ return 0
+}
+
+## proxy_workstation_stop
+proxy_workstation_stop () {
+
+ service qemu-guest-agent status >/dev/null \
+ && service qemu-guest-agent stop || return 2$?
+
+ return 0
+}
+
+## proxy_workstation_install
+proxy_workstation_install () {
+
+ proxy_workstation_install_gagent
+ proxy_workstation_fix_getty_timeout
+ proxy_workstation_shutup_verbosity
+ proxy_workstation_install_fstab
+
+ return 0
+}
+
+if [ "$#" -eq 0 ] ; then
+ echo USAGE: $prog $USAGE
+ elif [ "$1" = '-h' ] || [ "$1" = '--help' ] ; then
+ echo USAGE: $prog $USAGE or:
+ grep '^## ' $0 | sed -e 's/^## //'
+
+ elif [ "$1" = config -o "$1" = install ] ; then
+ proxy_workstation_install || return 3$?
+
+ elif [ "$1" = verify -o "$1" = test ] ; then
+ proxy_workstation_test || return 4$?
+
+ elif [ "$1" = start_bg -o "$1" = start -o "$1" = stop ] ; then
+ proxy_workstation_$1 || return 5$?
+
+ else
+ eval "$@"
+ exit $?
+
+ fi
diff --git a/overlay/Linux/usr/local/sbin/proxy_whonix_host-firewall.bash b/overlay/Linux/usr/local/sbin/proxy_whonix_host-firewall.bash
new file mode 100755
index 0000000..3dde358
--- /dev/null
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix_host-firewall.bash
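Review bot: The dispatcher's final `else` branch runs `eval "$@"`, so any argument that is not one of the listed verbs is executed as shell code by a script that edits /etc/fstab, runs `dpkg -i` and enables systemd units, which turns a typo or an untrusted caller into arbitrary command execution; replace it with a usage error, `echo "USAGE: $prog $USAGE" >&2; exit 2`, and keep dispatch restricted to the fixed verb list. The `return 3$?`, `return 4$?` and `return 5$?` in the same `if` chain are at top level, where bash rejects `return` outside a function and continues, so they should be `exit` with the same code. In proxy_workstation_install_gagent the `[ -d /etc/apt ] && … || return 1$?` chain returns whenever /etc/apt is absent, so the Gentoo branch is never reached and a successful Debian install still ends with `return 2$?`; write each as `if [ -d /etc/apt ]; then proxy_workstation_install_gagent_debian || return 1$?; fi`. The `[ "$#" -eq 0 ] && set -- install` at the top also makes the `$# -eq 0` usage branch dead, so running the script with no arguments performs the install rather than printing usage.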
@@ -0,0 +1,769 @@
+#!/bin/bash
+# -*-mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+prog=$( basename $0 .bash )
+PREFIX=/usr/local
+ROLE=proxy
+. /usr/local/bin/usr_local_base.bash || exit 2
+
+VER=10
+
+set -o pipefail || { ERROR use bash ; exit 1 ; } #! illegal option
+
+. /usr/local/bin/proxy_ping_lib.bash || exit 2
+
+# unlike the original script, this just generates the rules
+# and writes the to an output file
+OUT=/tmp/I4$$.iptables
+cp /dev/null $OUT4
+ip4_tables () {
+ # now unused
+ echo "$@" >> $OUT4
+ return 0
+}
+ip6_tables () {
+ [ -d /proc/sys/net/ipv6/ ] || return 0
+ echo "$@" >> $OUT6
+ return 0
+}
+
+. /usr/local/bin/proxy_ping_lib.bash || exit 2
+
+# sysctl net.ipv4.conf.all.accept_redirects != 1 in /etc/sysctl.d/70_testforge_harden_lynis.conf
+
+[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
+# || { echo >&2 ERROR: $prog "$PREFIX/etc/testforge/testforge.bash" ; exit 3 ; }
+
+if [ "$#" -eq 1 -a "$1" = test ] ; then
+ bash /usr/local/bin/proxy_ping_test.bash 2>&1| grep ' 0% packet loss' \
+ || { echo ERROR: ping ; exit 4 ; }
+ exit 0
+ fi
+
+#set -- -x
+# leave empty for debugging
+[ "$DEBUG" = "1" ] && HUSH="" || HUSH="#D#"
+WHONIX_HOST=1
+# leave it in anyway
+LOCAL_TOR=1
+
+if [ -f /etc/firewall.conf.block ] ; then
+ BLOCK_IPS=`cat /etc/firewall.conf.block`
+else
+ BLOCK_IPS="37.191.192.147 51.79.22.22"
+fi
+
+NOW=$( date +%c )
+
+PROXY_WLAN=$( proxy_get_if )
+[ $? -eq 0 ] || { echo ERROR: " error getting device $?" ; exit 2 ; }
+[ -n "$PROXY_WLAN" ] || { echo ERROR: " error getting device $PROXY_WLAN" ; exit 3 ; }
+
+## External interface
+[ -n "$WLAN_IF" ] || WLAN_IF="$PROXY_WLAN"
+[ -n "$IP" ] && WLAN_NET=$( echo $IP|sed -e 's/\.[1-9][0-9]*$/.0/' )/24
+[ -n "$PROXY_WLAN_GW" ] && PROXY_WLAN_GW=$( echo $IP|sed -e 's/\.[1-9][0-9]*$/.1/' )
+
+[ -z "$PRIV_NTP_OWNER" ] && PRIV_NTP_OWNER=ntp
+PRIV_NTP_GID=$( grep ^$PRIV_NTP_OWNER /etc/passwd|cut -d: -f 4 )
+[ -z "$PRIV_TOR_OWNER" ] && PRIV_TOR_OWNER=tor
+PRIV_TOR_GID=$( grep ^$PRIV_TOR_OWNER /etc/passwd|cut -d: -f 4 )
+[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin
+PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 )
+[ $LOCAL_TOR -ne 0 ] && CLEARNET_GIDS="$PRIV_BIN_GID $PRIV_TOR_GID" || CLEARNET_GIDS="$PRIV_BIN_GID"
+
+[ -z "$PRIV_TOR_SOCKSPORT" ] && PRIV_TOR_SOCKSPORT=9050
+[ -z "$PRIV_TOR_CONTROLPORT" ] && PRIV_TOR_CONTROLPORT=9051
+[ -z "$PRIV_TOR_DNSSPORT" ] && PRIV_TOR_DNSSPORT=9053
+[ -z "$PRIV_POLIPO_PROXYPORT" ] && PRIV_POLIPO_PROXYPORT=3128
+[ -z "$PRIV_TOR_PROXYPORT" ] && PRIV_TOR_PROXYPORT=9128
+[ -z "$PRIV_NAT_TRANSPORT" ] && PRIV_NAT_TRANSPORT="9040"
+PRIV_NAT_TRANSHOST="$PROXY_WLAN"
+
+SSH_SERVICE=22
+BOOTPC_SERVICE=68
+BOOTPS_SERVICE=67
+[ -z "$PRIV_SERVICE_NTPPORT" ] && PRIV_SERVICE_NTPPORT=123
+NETBIOSNS_SERVICE=137
+NETBIOSDG_SERVICE=138
+NETBIOSSS_SERVICE=139
+
+WLAN_ALLOW_SERVICES="$PRIV_SERVICE_NTPPORT $BOOTPC_SERVICE $BOOTPS_SERVICE"
+WLAN_DROP_SERVICES="$NETBIOSNS_SERVICE $NETBIOSDG_SERVICE $NETBIOSSS_SERVICE"
+NAT_SERVICES_TO_LO_TCP=""
+EXT_ALLOW_SERVICES_IN_TCP="$SSH_SERVICE $PRIV_TOR_PROXYPORT $PRIV_TOR_SOCKSPORT 7001"
+EXT_ALLOW_SERVICES_IN_UDP="$PRIV_TOR_DNSSPORT"
+# $PRIV_NAT_TRANSPORT
+EXT_ALLOW_SERVICES_OUT_TCP="$SSH_SERVICE $PRIV_TOR_PROXYPORT $PRIV_TOR_SOCKSPORT 7001"
+EXT_ALLOW_SERVICES_OUT_UDP="$PRIV_TOR_DNSSPORT"
+
+EXT_VNET=virbr1
+PRIV_WHONIX_EXTERNAL_NET="10.0.2.0/24"
+# 10.152.152.10 gateway
+# 10.152.152.11 work
+# 10.16.238.0.0
+INT_VNET=virbr2
+# gateway is 10.152.152.10
+PRIV_WHONIX_INTERNAL_NET=10.152.152.0/24
+PRIVATE_NET="" # 192.168.1.0/24
+
+## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
+## unless VPN_FIREWALL mode is enabled. Enabled By DEFAULT.
+VPN_FIREWALL="0"
+LIBVIRT_FW=1 # 0 or 1 or 2
+# I think this is still needed - dnsmasq is on 127:
+LOCALHOST_DNS=1
+HOST_ALLOW_INCOMING_ICMP=1
+HOST_ALLOW_OUTGOING_ICMP=1
+
+## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox,
+## unless VPN_FIREWALL mode is enabled. Enabled By DEFAULT.
+VPN_FIREWALL="0"
+LIBVIRT_FW=1 # 0 or 1 or 2
+
+#override
+HOST_nat_TRANS="";PRIV_NAT_TRANSPORT="";PRIV_NAT_TRANSHOST=""
+
+INFO "Loading Whonix firewall for $PROXY_WLAN IP=$IP LIBVIRT_FW=$LIBVIRT_FW"
+
+if ifconfig -a | grep -q $EXT_VNET && proxy_virsh list | grep Whonix-Gateway ; then
+ # on the host - does this work?
+ ifconfig -a | grep -q inet # || ifconfig $EXT_VNET 10.0.2.2 up
+ HOST_WHONIX_GATE=1
+ fi
+if ifconfig -a | grep -q $INT_VNET && proxy_virsh list | grep Whonix-Workstation ; then
+ # on the host
+ ifconfig -a | grep -q inet #? || ifconfig $INT_VNET 10.152.152.10 up
+ HOST_WHONIX_WORK=1
+ fi
+HOST_WHONIX_GATE=1
+HOST_WHONIX_WORK=1
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+###########################
+## debugging
+###########################
+
+#set -x
+
+###########################
+## error_handler
+###########################
+
+error_handler() {
+ echo "##################################################"
+ echo "Whonix firewall script failed!" see $OUT4
+ echo "##################################################"
+ exit 1
+}
+
+#? trap "error_handler" ERR
+
+###########################
+## source config folder
+###########################
+
+shopt -s nullglob || exit 1
+for i in /etc/whonix_firewall.d/*.conf /usr/local/etc/whonix_firewall.d/*.conf; do
+ bash_n_exit_code="0"
+ bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; };
+ if [ ! "$bash_n_exit_code" = "0" ]; then
+ ERROR "Invalid config file: $i
+bash_n_exit_code: $bash_n_exit_code
+bash_n_output:
+$bash_n_output" >&2
+ exit 1
+ fi
+ source "$i"
+done
+
+###########################
+## comments
+###########################
+
+## --reject-with
+## http://ubuntuforums.org/showthread.php?p=12011099
+
+## Set to icmp-admin-prohibited because icmp-port-unreachable caused
+## confusion. icmp-port-unreachable looks like a bug while
+## icmp-admin-prohibited hopefully makes clear it is by design.
+
+###########################
+## /usr/bin/whonix_firewall
+###########################
+
+###########################
+## interfaces
+###########################
+
+INFO "Loading Whonix firewall for $WLAN_IF"
+
+###########################
+DBUG NON_TOR_GATEWAY
+###########################
+
+#me these defaults should be in the .conf files
+## Destinations you do not routed through VPN, only for Whonix-Gateway.
+## 10.0.2.2/24: VirtualBox DHCP
+[ -n "$NON_TOR_GATEWAY" ] || NON_TOR_GATEWAY="$PRIVATE_NET $WLAN_NET $PRIV_WHONIX_INTERNAL_NET $PRIV_WHONIX_EXTERNAL_NET"
+
+################
+## VPN related #
+################
+
+## Space separated list of VPN servers,
+## which Whonix-Gateway is allowed to connect to.
+[ -n "$VPN_SERVERS" ] || VPN_SERVERS="198.252.153.26"
+VPN_SERVERS=
+
+[ -n "$VPN_INTERFACE" ] || VPN_INTERFACE="tun0"
+VPN_INTERFACE=
+
+## Destinations you do not routed through VPN, only for Whonix-Gateway.
+## $PRIV_WHONIX_EXTERNAL_NET: VirtualBox DHCP
+[ -n "$LOCAL_NET" ] || LOCAL_NET="$PRIVATE_NET $WLAN_NET $PRIV_WHONIX_INTERNAL_NET $PRIV_WHONIX_EXTERNAL_NET"
+
+###########################
+DBUG IPv4 DEFAULTS
+###########################
+lsmod | grep -q iptable_filter || modprobe iptable_filter
+
+###########################
+DBUG IPv4 PREPARATIONS
+###########################
+# FixMe: nf or xt?
+lsmod | grep -q nf_nat || modprobe nf_nat
+lsmod | grep -q iptable_filter || modprobe iptable_filter
+lsmod | grep -q iptable_mangle || modprobe iptable_mangle
+
+## Flush old rules. We now let the caller do that when it uses the rules
+# mangle comes before filter, before nat
+# iptables -t mangle -F
+# iptables -t mangle -X
+# iptables -t filter -F
+# iptables -t filter -X
+# iptables -t nat -F
+# iptables -t nat -X
+
+DBUG MANGLE COMES BEFORE FILTER
+
+cat >> $OUT4 << EOF
+# -*-mode: conf[Space]; tab-width: 8; coding: utf-8-unix -*-
+# firewall.bash.libvirt.$VER
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+EOF
+
+[ $LIBVIRT_FW -ge 1 ] && \
+ cat >> $OUT4 << EOF
+:LIBVIRT_PRT - [0:0]
+${HUSH}-A INPUT -j LOG --log-prefix "iptables_mangle_END-i: " --log-uid
+EOF
+
+cat >> $OUT4 << EOF
+COMMIT
+EOF
+
+cat >> $OUT4 << EOF
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+EOF
+
+cat >> $OUT4 << EOF
+:LIBVIRT_PRT - [0:0]
+EOF
+
+# iptables: No chain/target/match by that name.
+false && \
+[ $LOCALHOST_DNS -gt 0 ] && \
+ cat >> $OUT4 << EOF
+
+# was ! -o lo
+# let resolve.conf redirect to lo - this rule cannot be removed
+#-A OUTPUT -o $WLAN_IF -p tcp --dport $PRIV_SERVICE_DNSPORT -j DNAT --to-destination 127.0.0.1:$PRIV_SERVICE_DNSPORT
+#-A OUTPUT -o $WLAN_IF -p udp --dport $PRIV_SERVICE_DNSPORT -j DNAT --to-destination 127.0.0.1:$PRIV_SERVICE_DNSPORT
+EOF
+#?
+for elt in $NAT_SERVICES_TO_LO_TCP ; do
+ cat >> $OUT4 << EOF
+-A OUTPUT ! -o lo -p tcp --dport $PRIV_SERVICE_DNSPORT -j DNAT --to-destination 127.0.0.1:$elt
+EOF
+done
+
+if [ $LOCAL_TOR -ne 0 -a "$PRIV_NAT_TRANSPORT" != "" -a "$PRIV_NAT_TRANSHOST" != "" -a "$PRIV_NAT_VIRTUAL_NET" != "" ] ; then
+ NO=""
+else
+ NO="#"
+fi
+cat >> $OUT4 << EOF
+
+# .onion mapped addresses redirection to Tor.
+${NO}-A OUTPUT -d $PRIV_NAT_VIRTUAL_NET -p tcp -j DNAT --to-destination ${PRIV_NAT_TRANSHOST}:$PRIV_NAT_TRANSPORT
+EOF
+
+if [ -n "$HOST_nat_TRANS" -a "$PRIV_NAT_TRANSPORT" != "" -a "$PRIV_NAT_TRANSHOST" != "" ] ; then
+ cat >> $OUT4 << EOF
+
+# nat REDIRECT ALL REMAINING TCP TRAFFIC TO TOR.
+# was ! -o lo
+-A OUTPUT -o $WLAN_IF -j LOG --log-uid --log-prefix "iptables_nat_TRANS: "
+-A OUTPUT -o $WLAN_IF -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DNAT --to-destination ${PRIV_NAT_TRANSHOST}:$PRIV_NAT_TRANSPORT
+EOF
+ fi
+
+cat >> $OUT4 << EOF
+## Log.
+${HUSH}-A INPUT -j LOG --log-prefix "iptables_nat_END-i: " --log-uid
+EOF
+
+lsmod | grep -q nft_masq || modprobe nft_masq
+#4 lsmod | grep -q xt_MASQUERADE|| modprobe xt_MASQUERADE
+
+[ $LIBVIRT_FW -ge 1 ] && \
+ cat >> $OUT4 << EOF
+-A POSTROUTING -j LIBVIRT_PRT
+-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET -d 224.0.0.0/24 -j RETURN
+-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET -d 255.255.255.255/32 -j RETURN
+-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET ! -d $PRIV_WHONIX_EXTERNAL_NET -p tcp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET ! -d $PRIV_WHONIX_EXTERNAL_NET -p udp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s $PRIV_WHONIX_EXTERNAL_NET ! -d $PRIV_WHONIX_EXTERNAL_NET -j MASQUERADE
+EOF
+
+cat >> $OUT4 << EOF
+COMMIT
+EOF
+
+lsmod | grep -q nf_conntrack || modprobe nf_conntrack
+lsmod | grep -q xt_state || modprobe xt_state
+
+cat >> $OUT4 << EOF
+# SET SECURE DEFAULTS FOR INPUT FILTER
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+EOF
+
+[ $LIBVIRT_FW -ge 1 ] && \
+ cat >> $OUT4 << EOF
+:LIBVIRT_FWI - [0:0]
+:LIBVIRT_FWO - [0:0]
+:LIBVIRT_FWX - [0:0]
+:LIBVIRT_INP - [0:0]
+:LIBVIRT_OUT - [0:0]
+
+${HUSH}-A INPUT -j LOG --log-prefix "iptables_filter_BEGIN-i: firewall.bash.libvirt.$VER" --log-uid
+
+# blocks wlan
+EOF
+
+for elt in $BLOCK_IPS ; do
+ cat >> $OUT4 << EOF
+-A INPUT -s $elt -p tcp -j DROP
+EOF
+ done
+
+DBUG IPv4 DROP INVALID INCOMING PACKAGES
+
+cat >> $OUT4 << EOF
+
+## DROP MARTIANS
+## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/
+-A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP SPOOF A: "
+-A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j LOG --log-prefix "iptables_martian_DROP SPOOF B: "
+-A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j LOG --log-prefix "iptables_martian_DROP SPOOF C: "
+-A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j LOG --log-prefix "iptables_martian_DROP MULTICAST D: "
+-A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j LOG --log-prefix "iptables_martian_DROP SPOOF E: "
+-A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j LOG --log-prefix "iptables_martian_DROP LOOPBACK: "
+
+-A INPUT -i $WLAN_IF -s 10.0.0.0/8 -j DROP
+-A INPUT -i $WLAN_IF -s 172.16.0.0/12 -j DROP
+-A INPUT -i $WLAN_IF -s 192.168.0.0/16 -j DROP
+-A INPUT -i $WLAN_IF -s 224.0.0.0/4 -j DROP
+-A INPUT -i $WLAN_IF -s 240.0.0.0/5 -j DROP
+-A INPUT -i $WLAN_IF -d 127.0.0.0/8 -j DROP
+
+## DROP INVALID
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -m state --state INVALID -j DROP
+
+## DROP INVALID SYN PACKETS
+-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
+-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+## DROP PACKETS WITH INCOMING FRAGMENTS. THIS ATTACK ONCE RESULTED IN KERNEL PANICS
+-A INPUT -f -j DROP
+## DROP INCOMING MALFORMED XMAS PACKETS
+-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+## DROP INCOMING MALFORMED NULL PACKETS
+-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+EOF
+
+cat >> $OUT4 << EOF
+## Traffic on the loopback interface is accepted.
+-A INPUT -i lo -j ACCEPT
+## Established incoming connections are accepted.
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+EOF
+
+## All incoming connections are dropped by default anyway, but should a user
+## allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should
+## still be dropped to filter for example ICMP time stamp requests.
+if [ "$HOST_ALLOW_INCOMING_ICMP" != "1" ]; then
+ DBUG Drop all incoming ICMP traffic by default.
+ cat >> $OUT4 << EOF
+-A INPUT -i $WLAN_IF -p icmp -j LOG --log-prefix "IPTABLES_icmp_DROP-i: " --log-uid
+-A INPUT -i $WLAN_IF -p icmp -j DROP
+EOF
+ else
+ DBUG Accept all incoming ICMP traffic by default.
+ cat >> $OUT4 << EOF
+### this is required for outgoing pings
+-A INPUT -i $WLAN_IF -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
+-A INPUT -i $WLAN_IF -p icmp -j ACCEPT
+EOF
+fi
+
+## Allow all incoming connections on the virtual VPN network interface,
+## when VPN_FIREWALL mode is enabled. DISABLED BY DEFAULT.
+if [ "$VPN_FIREWALL" = "1" ]; then
+ cat >> $OUT4 << EOF
+ -A INPUT -i "$VPN_INTERFACE" -j ACCEPT
+EOF
+fi
+
+#root@Flati:# su -c '/usr/sbin/ntpdate 132.163.97.3' -s /bin/sh ntp
+#12 Nov 21:39:14 ntpdate[4085]: bind() fails: Permission denied
+#root@Flati:# ls -l `which ntpdate`
+#-rwxr-sr-x 1 root ntp 85016 Jun 29 17:18 /usr/sbin/ntpdate
+
+lsmod | grep -q xt_owner || modprobe xt_owner
+cat >> $OUT4 << EOF
+# these are NOT needed
+#!-A INPUT -i $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --sport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: "
+#!-A INPUT -i $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --sport $PRIV_SERVICE_NTPPORT -j ACCEPT
+#!-A INPUT -i $WLAN_IF -m owner --uid-owner 0 -p udp --sport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: "
+#!-A INPUT -i $WLAN_IF -m owner --uid-owner 0 -p udp --sport $PRIV_SERVICE_NTPPORT -j ACCEPT
+EOF
+
+DBUG clearnet gids is allowed to connect any outside target $CLEARNET_GIDS
+for elt in $CLEARNET_GIDS ; do
+ cat >> $OUT4 << EOF
+# these are NOT needed
+#!-A INPUT -i $WLAN_IF -p tcp -m owner --gid-owner $elt -j ACCEPT
+EOF
+done
+
+cat >> $OUT4 << EOF
+#?# let dhcp through?
+#?-A INPUT -p udp --sport $BOOTPC_SERVICE -j ACCEPT
+#?-A INPUT -p udp --sport $BOOTPS_SERVICE -j ACCEPT
+EOF
+# was ACCEPT - try DROP - should be up in mangle as REJECT?
+for elt in $WLAN_DROP_SERVICES ; do
+ cat >> $OUT4 << EOF
+-A INPUT -i $WLAN_IF -p udp --sport $elt -j DROP
+EOF
+done
+
+if [ "$HOST_ALLOW_INCOMING_ICMP" != "1" ]; then
+ DBUG Drop all incoming ICMP traffic by default.
+ cat >> $OUT4 << EOF
+-A INPUT -i $EXT_VNET -p icmp -j LOG --log-prefix "IPTABLES_icmp_DROP-i: " --log-uid
+-A INPUT -i $EXT_VNET -p icmp -j DROP
+EOF
+ else
+ DBUG Accept all incoming ICMP traffic by default.
+ cat >> $OUT4 << EOF
+### this is required for outgoing pings
+-A INPUT -i $EXT_VNET -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-i: " --log-uid
+-A INPUT -i $EXT_VNET -p icmp -j ACCEPT
+EOF
+fi
+
+DBUG use the gateway as a proxy box, including ssh INPUT
+# works -i virbr1 and -sport not -dport
+# -A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: "
+for elt in $EXT_ALLOW_SERVICES_IN_TCP ; do
+ cat >> $OUT4 << EOF
+-A INPUT -i $EXT_VNET -p tcp --sport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-i: "
+-A INPUT -i $EXT_VNET -p tcp --sport $elt -j ACCEPT
+EOF
+done
+for elt in $EXT_ALLOW_SERVICES_IN_UDP ; do
+ cat >> $OUT4 << EOF
+-A INPUT -i $EXT_VNET -p udp --sport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-i: "
+-A INPUT -i $EXT_VNET -p udp --sport $elt -j ACCEPT
+EOF
+done
+
+## Reject anything not explicitly allowed above.
+## Drop is better than reject here, because we do not want to reveal it's a Whonix-Gateway.
+## (In case someone running Whonix-Gateway on bare metal.)
+cat >> $OUT4 << EOF
+-A INPUT -j LOG --log-prefix "IPTABLES_filter_DROP-i: " --log-uid
+-A INPUT -j DROP
+EOF
+
+# FixMe: DROP?
+[ may = be ] && \
+cat >> $OUT4 << EOF
+#?-A FORWARD -j LOG --log-prefix "IPTABLES_forward_DROP-i: " --log-uid
+#?-A FORWARD -j REJECT --reject-with icmp-admin-prohibited
+EOF
+
+[ $LIBVIRT_FW -ge 1 ] && \
+ cat >> $OUT4 << EOF
+-A INPUT -j LIBVIRT_INP
+
+
+
+-A FORWARD -j LIBVIRT_FWX
+-A FORWARD -j LIBVIRT_FWI
+-A FORWARD -j LIBVIRT_FWO
+EOF
+###########################
+## IPv4 OUTPUT
+###########################
+
+cat >> $OUT4 << EOF
+## Traffic on the loopback interface is accepted.
+-A OUTPUT -o lo -j ACCEPT
+
+## Existing connections are accepted.
+-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+EOF
+
+## Allow outgoing traffic on VPN interface,
+## if VPN_FIREWALL mode is enabled.
+## DISABLED BY DEFAULT.
+if [ "$VPN_FIREWALL" = "1" ]; then + cat >> $OUT4 << EOF +-A OUTPUT -o "$VPN_INTERFACE" -j ACCEPT +EOF +fi + +## Connections to VPN servers are allowed, +## when VPN_FIREWALL mode is enabled. +## DISABLED BY DEFAULT. +if [ "$VPN_FIREWALL" = "1" ]; then + for SERVER in $VPN_SERVERS; do +cat >> $OUT4 << EOF +-A OUTPUT -d $SERVER -j ACCEPT +EOF + done +fi + +## Drop all incoming ICMP traffic by default. +## All incoming connections are dropped by default anyway, but should a user +## allow incoming ports (such as for incoming SSH or FlashProxy), ICMP should +## still be dropped to filter for example ICMP time stamp requests. +if [ "$HOST_ALLOW_OUTGOING_ICMP" != "1" ]; then + DBUG Drop all outcoming ICMP traffic by default. +cat >> $OUT4 << EOF +-A OUTPUT -o $WLAN_IF -p icmp -j LOG --log-prefix "IPTABLES_icmp_DROP-o: " --log-uid +-A OUTPUT -o $WLAN_IF -p icmp -j DROP +EOF + else + DBUG Accept all outcoming ICMP traffic by default. +cat >> $OUT4 << EOF +-A OUTPUT -o $WLAN_IF -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid +-A OUTPUT -o $WLAN_IF -p icmp -j ACCEPT +EOF +fi +## Accept outgoing connections to local network, Whonix-Workstation and VirtualBox, +## unless VPN_FIREWALL mode is enabled. ENABLED BY DEFAULT. +#? WHY?! +if [ "$VPN_FIREWALL" != "1" ]; then + for NET in $NON_TOR_GATEWAY; do +cat >> $OUT4 << EOF +#?-A OUTPUT -d $NET -j ACCEPT +EOF + done +fi + +# required sufficient works - not for user ntp +[ -n "$PRIV_NTP_GID" ] && \ + cat >> $OUT4 << EOF +# The ntp user is allowed to connect to services listening on the ntp port... 
+# If root runs ntpdate manually you will see requests to port 53 UID=0 +-A OUTPUT -o $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --dport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: " +-A OUTPUT -o $WLAN_IF -m owner --gid-owner $PRIV_NTP_GID -p udp --dport $PRIV_SERVICE_NTPPORT -j ACCEPT +-A OUTPUT -o $WLAN_IF -m owner --uid-owner 0 -p udp --dport $PRIV_SERVICE_NTPPORT -j LOG --log-uid --log-prefix "iptables_${PRIV_SERVICE_NTPPORT}_ACCEPT-o: " +-A OUTPUT -o $WLAN_IF -m owner --uid-owner 0 -p udp --dport $PRIV_SERVICE_NTPPORT -j ACCEPT +EOF + +cat >> $OUT4 << EOF +# ssh - specifically forbid ssh out the wlan +-A OUTPUT -o $WLAN_IF -p tcp --dport $SSH_SERVICE -j LOG --log-uid --log-prefix "IPTABLES_ssh_REJECT-o: " +-A OUTPUT -o $WLAN_IF -p tcp --dport $SSH_SERVICE -j REJECT --reject-with icmp-port-unreachable +EOF + +DBUG clearnet gids is allowed to connect any outside target $CLEARNET_GIDS +for elt in $CLEARNET_GIDS ; do + cat >> $OUT4 << EOF +# necessary and sufficient +-A OUTPUT -o $WLAN_IF -m owner --gid-owner $elt -j ACCEPT +EOF +done + +if [ "$HOST_ALLOW_OUTGOING_ICMP" == "1" ]; then + cat >> $OUT4 << EOF +-A OUTPUT -o $EXT_VNET -p icmp -j LOG --log-prefix "iptables_icmp_ACCEPT-o: " --log-uid +-A OUTPUT -o $EXT_VNET -p icmp -j ACCEPT +EOF +fi + +DBUG use the gateway as a proxy box, including ssh OUTPUT host to guest +# works -i virbr1 and -sport not -dport +# -A INPUT -i virbr1 -p tcp --sport 22 -j LOG --log-uid --log-prefix "iptables_22_ACCEPT-i: " +for elt in $EXT_ALLOW_SERVICES_OUT_TCP ; do + cat >> $OUT4 << EOF +-A OUTPUT -o $EXT_VNET -p tcp --dport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-o: " +-A OUTPUT -o $EXT_VNET -p tcp --dport $elt -j ACCEPT +EOF +done +for elt in $EXT_ALLOW_SERVICES_OUT_UDP ; do + cat >> $OUT4 << EOF +-A OUTPUT -o $EXT_VNET -p udp --dport $elt -j LOG --log-uid --log-prefix "iptables_${elt}_ACCEPT-o: " +-A OUTPUT -o $EXT_VNET -p udp --dport $elt -j ACCEPT 
+EOF +done + +cat >> $OUT4 << EOF +#??-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j RETURN +#?-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT +EOF + +if [ $LIBVIRT_FW -ge 1 ] ; then + cat >> $OUT4 << EOF +-A OUTPUT -j LIBVIRT_OUT +# block virbr1 +EOF + for elt in $BLOCK_IPS ; do + cat >> $OUT4 << EOF +-A LIBVIRT_FWI -s $elt -p tcp -j DROP +EOF + done + cat >> $OUT4 << EOF +-A LIBVIRT_FWI -o $EXT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: " +-A LIBVIRT_FWI -o $INT_VNET -j REJECT --reject-with icmp-port-unreachable + +-A LIBVIRT_FWI -d $PRIV_WHONIX_EXTERNAL_NET -o $EXT_VNET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + +-A LIBVIRT_FWI -o $EXT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWI_REJECT-o: " +#blocks +-A LIBVIRT_FWI -o $EXT_VNET -j REJECT --reject-with icmp-port-unreachable + +-A LIBVIRT_FWO -i $INT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: " +-A LIBVIRT_FWO -i $INT_VNET -j REJECT --reject-with icmp-port-unreachable + +-A LIBVIRT_FWO -s $PRIV_WHONIX_EXTERNAL_NET -i $EXT_VNET -j ACCEPT + +-A LIBVIRT_FWO -i $EXT_VNET -j LOG --log-uid --log-prefix "IPTABLES_FWO_REJECT-i: " +-A LIBVIRT_FWO -i $EXT_VNET -j REJECT --reject-with icmp-port-unreachable + +-A LIBVIRT_FWX -i $INT_VNET -o $INT_VNET -j ACCEPT +-A LIBVIRT_FWX -i $EXT_VNET -o $EXT_VNET -j ACCEPT + +# FixMe: sic this is what libvirt did -i --dport +# FixMe: I will disable them as I dont think theyre needed or wanted +#no -A LIBVIRT_INP -i $INT_VNET -p udp --dport 53 -j ACCEPT +#no -A LIBVIRT_INP -i $INT_VNET -p tcp --dport 53 -j ACCEPT +#no -A LIBVIRT_INP -i $INT_VNET -p udp --dport 67 -j ACCEPT +#no -A LIBVIRT_INP -i $INT_VNET -p tcp --dport 67 -j ACCEPT +#no +#no # FixMe:sic this is what libvirt did -i --dport +#no -A LIBVIRT_INP -i $EXT_VNET -p udp --dport 53 -j ACCEPT +#no -A LIBVIRT_INP -i $EXT_VNET -p tcp --dport 53 -j ACCEPT +#no -A LIBVIRT_INP -i $EXT_VNET -p udp --dport 67 -j ACCEPT +#no -A LIBVIRT_INP -i $EXT_VNET -p tcp --dport 67 -j ACCEPT 
+#no +#no -A LIBVIRT_OUT -o $INT_VNET -p udp --dport 53 -j ACCEPT +#no -A LIBVIRT_OUT -o $INT_VNET -p tcp --dport 53 -j ACCEPT +#no -A LIBVIRT_OUT -o $INT_VNET -p udp --dport 68 -j ACCEPT +#no -A LIBVIRT_OUT -o $INT_VNET -p tcp --dport 68 -j ACCEPT +#no +#no -A LIBVIRT_OUT -o $EXT_VNET -p udp --dport 53 -j ACCEPT +#no -A LIBVIRT_OUT -o $EXT_VNET -p tcp --dport 53 -j ACCEPT +#no -A LIBVIRT_OUT -o $EXT_VNET -p udp --dport 68 -j ACCEPT +#no -A LIBVIRT_OUT -o $EXT_VNET -p tcp --dport 68 -j ACCEPT +EOF +fi + +cat >> $OUT4 << EOF +# added +-A LIBVIRT_FWX -o $EXT_VNET -s 10.0.2.2 -d 10.0.2.15 -j ACCEPT +${HUSH}-A OUTPUT -j LOG --log-uid --log-prefix "IPTABLES_filter_DROP-o: " +${HUSH}-A OUTPUT -j DROP +EOF + +cat >> $OUT4 << EOF +COMMIT +# Generated $NOW +EOF + +# IPV6 +if [ ! -e /proc/net/if_inet6 ] ; then + [ -f /etc/sysctl.d/70_testforge_harden_lynis.conf ] && \ + sed -i -e 's/^net.ipv6.conf/#net.ipv6.conf/' /etc/sysctl.d/70_testforge_harden_lynis.conf + else + # nft_reject nft_reject_inet nf_reject_ipv4 nft_reject_ipv4 ipt_REJECT + for elt in nf_reject_ipv6 nft_reject_ipv6 ip6t_REJECT ; do + lsmod | grep -q $elt || modprobe $elt + done + + sed -i -e 's/^#net.ipv6.conf/net.ipv6.conf/' /etc/sysctl.d/70_testforge_harden_lynis.conf + # ACTIVE + ## Log. + proxy_ip6tables -A INPUT -j LOG --log-prefix "IPTABLES_Whonix blocked input6: " + proxy_ip6tables -A OUTPUT -j LOG --log-prefix "IPTABLES_Whonix blocked output6: " + proxy_ip6tables -A FORWARD -j LOG --log-prefix "IPTABLES_Whonix blocked forward6: " + + ## Drop/reject all other traffic. + proxy_ip6tables -A INPUT -j DROP + #### --reject-with icmp-admin-prohibited not supported by proxy_ip6tables + proxy_ip6tables -A OUTPUT -j REJECT + ## --reject-with icmp-admin-prohibited not supported by proxy_ip6tables + proxy_ip6tables -A FORWARD -j REJECT +fi + + +########################### +## End +########################### + +proxy_iptables_restore -tv < $OUT4 >/tmp/I$$.log 2>&1 +retval=$? 
+if [ $retval -ne 0 ] ;then
+ ERROR "$prog firewall - $retval see /tmp/I$$.log"
+ exit $retval
+fi
+
+echo "# Whonix firewall for wlan=$PROXY_WLAN LIBVIRT_FW=$LIBVIRT_FW" >> $OUT4
+
+if [ `id -u` -eq 0 ] && ls /etc/sysctl.d/*.conf 2>/dev/null >/dev/null; then
+ # hardcore
+ sed -i \
+ -e 's/forward = 0/forward = 1 ##libvirt/' \
+ -e 's/forwarding = 0/forwarding = 1 ##libvirt/' \
+ /etc/sysctl.d/*.conf
+
+ grep -l forward /etc/sysctl.d/*f | xargs sysctl -p | grep forward >/dev/null
+fi
+
+# mv $OUT4 /etc/firewall.conf.new || { echo ERROR: ; exit 9 ; }
+INFO "OK Whonix firewall - mv $OUT4 /etc/firewall.conf.new"
+
+exit 0
diff --git a/overlay/Linux/usr/local/sbin/proxy_whonix_host.bash b/overlay/Linux/usr/local/sbin/proxy_whonix_host.bash
new file mode 100755
index 0000000..8124ec3
--- /dev/null
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix_host.bash
@@ -0,0 +1,534 @@ +#!/bin/bash +# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*- + +. /usr/local/bin/usr_local_tput.bash || exit 2 +PREFIX=/usr/local +ROLE=proxy +DELAY=10 +prog=proxy_whonix_host + +PL=$PREFIX/bin/proxy_libvirt_lib.bash + +USAGE="config|from_tor|to_tor|start|status|test|refresh|update" + +[ -f /usr/local/etc/testforge/testforge.bash ] && \ + . /usr/local/etc/testforge/testforge.bash +[ $( id -u ) -eq 0 ] || { ERROR $prog should be run as root ; exit 1 ; } + +. /usr/local/sbin/proxy_whonix_lib.bash || \ + { ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; } +. /usr/local/bin/proxy_ping_lib.bash || exit 3 + +prog=proxy_whonix_host +[ -z "$MODE" ] && MODE=`proxy_ping_mode` + +HTTP_PROXY_PORT=3128 +HTTP_PROXY_HOST=127.0.0.1 +HTTPS_PORT=9128 +HTTPS_HOST=127.0.0.1 +proxy_ping_get_socks +[ -z "$SOCKS_HOST" ] || SOCKS_HOST=127.0.0.1 +[ -z "$SOCKS_PORT" ] || SOCKS_PORT=9050 +proxy_ping_get_https +proxy_ping_get_http + +WD=$PWD + +NEEDED_DIRS="" +# /usr/local/lib/helper-scripts +# /usr/local/etc/ssl + +NEEDED_SCRIPTS=" +/usr/local/bin/proxy_get_if.bash +/usr/local/bin/proxy_libvirt_hook_qemu.bash +/usr/local/bin/proxy_ping_lib.bash +/usr/local/bin/proxy_ping_test.bash +/usr/local/etc/jnettop.conf +/usr/local/lib/helper-scripts/tor_bootstrap_check.py +/usr/local/lib/helper-scripts/tor_bootstrap_check.bsh +/usr/local/etc/ssl/cacert-testforge.pem +/usr/local/sbin/Whonix-Gateway.rc +/usr/local/sbin/debian_cache_to_archives.bash +/usr/local/sbin/debian_elts_to_uris.bash +/usr/local/sbin/debian_uris_to_urls.bash +/usr/local/sbin/proxy_libvirt_ga_test.bash +/usr/local/sbin/proxy_whonix_gateway_tor.bash +/usr/local/sbin/proxy_whonix_guest_gateway.bash +/usr/local/sbin/proxy_whonix_host-firewall.bash +/usr/local/sbin/proxy_whonix_host_lib.bash +/usr/local/sbin/proxy_whonix_host.bash +/usr/local/sbin/proxy_whonix_host_tor.bash +/usr/local/sbin/root_nm_wireless.bash +" + +proxy_install_package () { + for pkg in $* ; do + if [ -d /etc/apt ] ; then + [ 
"$pkg" = guestfish ] && pkg=libguestfs-tools + apt-get install -y $pkg || return $? + elif [ -d /etc/portage ] ; then + apt-get install -y $pkg || return $? + fi + done + return 0 +} + +## proxy_whonix_host_dmesg_blocks +proxy_whonix_host_dmesg_blocks () { + local retval=0 + + [ -f /etc/firewall.conf.block ] || touch /etc/firewall.conf.block + [ -z "$PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if` && retval=$? + [ $retval -ne 0 -o -z "$PROXY_WLAN" ] && { + ERROR $prog null interface && return 1 + } + dmesg|tail -1000 | grep IPTABLES_FWI_REJECT-o| \ + sed -e 's/.*SRC=//' -e 's/ .*//'|sort -u| \ + while read elt ; do + grep -q $elt /etc/firewall.conf.block && continue + grep -q $elt /etc/firewall.conf && continue + echo $elt >> /etc/firewall.conf.block + done + [ -s /etc/firewall.conf.block ] || proxy_whonix_host_prepare_blocks || return 1$? + proxy_whonix_host_add_block $( cat /etc/firewall.conf.block ) || return 2$? + + if [ ! -f /etc/firewall.conf.$$ -o ! -f /etc/firewall.conf ] ; then + return 3 + elif diff /etc/firewall.conf.$$ /etc/firewall.conf ; then + return 4 + else + base_wall.bash WARN: $prog BLOCKING \ + $(diff /etc/firewall.conf.$$ /etc/firewall.conf | grep -v , | cut -f 7 -d ' ') \ + in /etc/firewall.conf.block + proxy_ping_wlan_config /etc/firewall.conf.$$ + mv /etc/firewall.conf /etc/firewall.conf.bak && \ + mv /etc/firewall.conf.$$ /etc/firewall.conf && \ + /usr/local/bin/proxy_libvirt_hook_network.bash + fi + return 0 +} + +## proxy_whonix_host_refresh +proxy_whonix_host_refresh () { + local dire + [ "$#" -gt 0 ] && dire=$1 + [ -z "$dire" ] && dire=$( proxy_ping_mode ) + if [ $dire = whonix ] ; then + $PL proxy_libvirt_clean_iptables + proxy_whonix_host_dmesg_blocks + fi + return 0 +} + +## proxy_whonix_host_update +proxy_whonix_host_update () { + local copy_in + + # use nbd instead + return 0 + + DOM=$( proxy_whonix_get_gateway_dom ) + [ -z "$DOM" ] && \ + WARN proxy_whonix_host_update empty DOM from proxy_whonix_get_gateway_dom && \ + 
DOM=Whonix-Gateway + cd /usr/local/sbin/ + + cp -p $PWD/$DOM.rc rc.local + copy_in="copy-in $PWD/rc.local /etc" + for dir in $NEEDED_DIRS ; do + copy_in="$copy_in +mkdir $dir +" + done + for file in $NEEDED_SCRIPTS ; do + dir=$( dirname $file ) + copy_in="$copy_in +copy-in $file $dir +" + done + + QCOW=/var/lib/libvirt/images/$DOM.qcow2 + if [ -f $QCOW ] ; then + which virsh 2>/dev/null >/dev/null || proxy_install_package libvirt + proxy_virsh list | grep -q $DOM && virsh shutdown $DOM && echo sleep 60 && sleep 60 + which guestfish 2>/dev/null >/dev/null || proxy_install_package guestfish + INFO copying in $( echo $NEEDED_SCRIPTS| wc -w ) files + guestfish -a $QCOW << EOF +run +mount /dev/sda1 / +$copy_in +umount / +EOF + fi + rm -f rc.local + + return 0 +} + +## proxy_whonix_host_config +proxy_whonix_host_config () { + local dire + local retval=0 + [ "$#" -gt 0 ] && dire=$1 + [ -z "$dire" ] && dire=$( proxy_ping_mode ) + DBUG proxy_whonix_host_config dire=$dire + + [ -z "$PROXY_WLAN" ] && PROXY_WLAN=`proxy_get_if` && retval=$? + [ $retval -ne 0 -o -z "$PROXY_WLAN" ] && { + ERROR proxy_whonix_host_config null interface && return 1 + } + + proxy_ping_firewall_restart + proxy_ping_firewall_check || { + ERROR /etc/firewall.conf missing $? ; return 2 ; + } + + proxy_ping_test_resolv $dire || return 4$? + + proxy_whonix_privoxy_config $dire + proxy_ping_dnsmasq_config $dire || return 3$? + + if [ -f /etc/inittab ] ; then + grep -q '^x1' /etc/inittab || \ + sed -e 's/^x1/#x1/' -i /etc/inittab + # x1:12345:respawn:/sbin/agetty + fi + + proxy_ping_firewall_modules + if [ "$dire" = whonix ] ; then + [ -f /var/lib/libvirt/images/Whonix-Gateway.qcow2 ] || \ + WARN /var/lib/libvirt/images/Whonix-Gateway.qcow2 - mount /mnt/linuxKick150154 + + if [ -s /etc/firewall.conf.$dire ] ; then + proxy_ping_wlan_config /etc/firewall.conf.$dire /etc/firewall.conf + if ! 
diff -q /etc/firewall.conf.$dire /etc/firewall.conf ; then + cp -p /etc/firewall.conf.$dire /etc/firewall.conf + proxy_iptables_restore /etc/firewall.conf || return 3 + fi + elif [ -s /etc/firewall.conf ] ; then + iptables-save |grep -q virbr1 || { + proxy_iptables_restore /etc/firewall.conf || return 4 + } + else + [ -s /etc/firewall.conf.new ] || \ + /usr/local/sbin/privacy_whonix_host-firewall.bash || \ + { ERROR " $prog privacy_whonix_host-firewall.bash failed " ; return 5 ; } + [ -s /etc/firewall.conf.new ] || \ + { ERROR " /etc/firewall.conf.new missing " ; return 6 ; } + [ -s /etc/firewall.conf ] || cp -p /etc/firewall.conf.new /etc/firewall.conf + proxy_iptables_restore < /etc/firewall.conf || return 7 + fi + + proxy_host_whonix_config $dire + + elif [ "$dire" = selektor -o "$dire" = tor ] ; then + proxy_host_selektor_config $dire + fi + + + return 0 +} + +proxy_host_selektor_config () { DBUG proxy_host_selektor_config ; + local dire=$1 + + # /var/lib/tor/.SelekTOR/3xx/SelekTOR.xml + if [ -s /etc/firewall.conf.$dire ] ; then + proxy_ping_wlan_config /etc/firewall.conf.$dire /etc/firewall.conf + if ! 
diff -q /etc/firewall.conf.$dire /etc/firewall.conf ; then + cp -p /etc/firewall.conf.$dire /etc/firewall.conf + proxy_iptables_restore /etc/firewall.conf || return 8 + elif [ -s /etc/firewall.conf ] ; then + iptables-save |grep -q gid-owner || \ + proxy_iptables_restore /etc/firewall.conf || return 9 + else + { ERROR " /etc/firewall.conf.$dire missing " ; return 7 ; } + fi + fi + + return 0 +} + +## proxy_whonix_host_install +proxy_whonix_host_install () { DBUG proxy_whonix_host_install $* ; + + if [ $dire = host ] ; then + ERROR proxy_whonix_host_install host + return 1 + elif [ $dire = whonix ] ; then + proxy_whonix_libvirt_start + proxy_whonix_gateway_start $dire + else + if /etc/init.d/libvirtd status ; then + proxy_virsh list | grep -q Whonix-Gateway && \ + proxy_virsh shutdown Whonix-Gateway + fi + fi + + /usr/local/sbin/proxy_whonix_host_tor.bash $dire || return 7$? + + return 0 +} + +## proxy_host_from_config +proxy_host_from_config () { + #? rm -f /etc/modules_load.d/vda*conf + + DOM=$( proxy_whonix_get_gateway_dom ) + [ -z "$DOM" ] && \ + WARN proxy_host_whonix_config empty DOM assuming Whonix-Gateway && \ + DOM=Whonix-Gateway + + if [ -d /etc/libvirt/qemu/ -a /etc/libvirt/qemu/$DOM.xml ] ; then + if [ ! -f /etc/libvirt/qemu/$DOM.xml.dst ] ; then + cd /etc/libvirt/qemu/ + cp -p /etc/libvirt/qemu/$DOM.xml /etc/libvirt/qemu/$DOM.xml.dst + for file in $WD/$DOM.xml.?.diff ; do + [ -f /etc/libvirt/qemu/$DOM.xml ] || \ + ERROR $prog /etc/libvirt/qemu/$DOM.xml missing ; return 2 + patch /etc/libvirt/qemu/$DOM.xml < $file + done + cd $WD + fi + fi + return 0 +} +## proxy_host_from_config +proxy_host_whonix_config () { + local dire=whonix + local file + + [ -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || return 1 + + if false && ! 
[ -x /etc/libvirt/hooks/network ] ; then + cat > /etc/libvirt/hooks/network < /dev/null || return 6 + $0 -h > /dev/null || return 7 + for elt in $( echo $USAGE | sed -e 's/|/ /g' ) ; do + grep -q ^proxy_whonix_host_$elt $0 || { WARN proxy_whonix_host_$elt NOT in $0 ; return 8 ; } + done + + return 0 +} + +## proxy_whonix_host_status +proxy_whonix_host_status () { proxy_whonix_host_test "$@" ; } + +## proxy_whonix_host_test +proxy_whonix_host_test () { + local dire + [ "$#" -gt 0 ] && dire=$1 + [ -z "$dire" ] && dire=$( proxy_ping_mode ) + + proxy_whonix_host_verify + + proxy_ping_status + + /usr/local/bin/proxy_ping_test.bash $dire || \ + WARN $prog proxy_ping_test.bash FAILED $dire + + if [ "$dire" = whonix ] ; then + grep "`date +%Y-%m-%d`.* error :" /var/local/log/libvirtd.log + proxy_whonix_host_tor.bash proxy_libvirt_test || return 1 + proxy_virsh list | grep running || return 2 + + # FixMe look in /etc/libvirt/qemu + for elt in Whonix-Gateway Whonix-Workstation Pen19-1 Kick15-1 ; do + proxy_virsh list | grep -q $elt || continue + # /usr/local/sbin/proxy_libvirt_ga_test.bash $elt /bin/netstat -lnp4 || + /usr/local/sbin/proxy_libvirt_ga_test.bash $elt ls /dev/virtio-ports/ || \ + WARN $prog $elt not responding + # fallsover with + # error: internal error: unable to execute QEMU agent command 'guest-exec-status': Invalid parameter 'pid' + done + fi + + return 0 +} + +## proxy_whonix_host_restart +proxy_whonix_host_restart () { + local dire + [ "$#" -gt 0 ] && dire=$1 || dire=$MODE + + proxy_whonix_host_start $dire || return 1$? + proxy_whonix_host_status $dire || return 2$? + return 0 +} + +## proxy_whonix_host_selektor +proxy_whonix_host_selektor () { + local dire=selektor + proxy_whonix_host_start $dire + return $? +} + +## proxy_whonix_host_from_tor +proxy_whonix_host_from_tor () { + local dire=whonix + proxy_whonix_host_start $dire + return $? 
+} + +## proxy_whonix_host_to_tor +proxy_whonix_host_to_tor () { + local dire=tor + proxy_virsh list | grep -q Whonix-Gateway && proxy_virsh shutdown Whonix-Gateway + proxy_whonix_host_start $dire + return $? +} + +## proxy_whonix_stop +proxy_whonix_stop () { + local dire + [ "$#" -gt 0 ] && dire=$1 + [ -z "$dire" ] && dire=$( proxy_ping_mode ) + DBUG proxy_whonix_stop $* + + if [ $dire = whonix -o $dire = host -o $dire = tor ] ; then + proxy_whonix_host_stop $dire + fi + return 0 +} + +## proxy_whonix_libvirt_stop +proxy_whonix_libvirt_stop () { + + proxy_virsh net-list | grep -q Whonix-External && \ + virsh net-destroy Whonix-External + + proxy_virsh net-list | grep -q Whonix-Internal && \ + virsh net-destroy Whonix-Internal + + proxy_virsh list | grep -q Whonix-Gateway && \ + virsh shutdown Whonix-Gateway + + proxy_virsh list | grep -q Whonix-Gateway && \ + virsh destroy Whonix-Gateway + + return 0 +} + +## proxy_whonix_host_stop +proxy_whonix_host_stop () { + local dire=$1 + + DBUG $prog proxy_whonix_host_stop $* + + if [ $dire = whonix ] ; then + proxy_rc_service polipo status >/dev/null && proxy_rc_service polipo stop + proxy_ping_dnsmasq_status && proxy_ping_dnsmasq_stop + proxy_whonix_libvirt_stop || return 3$? + elif [ $dire = tor ] ; then + proxy_rc_service tor status >/dev/null && proxy_rc_service tor stop + proxy_rc_service polipo status >/dev/null && proxy_rc_service polipo stop + fi + + + return 0 +} + +## proxy_whonix_gateway_start - start whonix on a host +proxy_whonix_gateway_start () { + local dire + [ "$#" -gt 0 ] && dire=$1 + + # proxy_ping_dnsmasq_status && proxy_ping_dnsmasq_stop + proxy_whonix_libvirt_start || return 3$? + + proxy_virsh net-list | grep -q Whonix-External || \ + virsh net-start Whonix-External || return 4$? + ifconfig virbr1 || return 5$? + + proxy_virsh net-list | grep -q Whonix-Internal || \ + virsh net-start Whonix-Internal|| return 6$? + ifconfig virbr2 || return 7$? 
+ + DOM=$( proxy_whonix_get_gateway_dom ) + [ -z "$GATEW_DOM" ] && \ + WARN $prog empty DOM from proxy_whonix_get_gateway_dom && \ + DOM=Whonix-Gateway + proxy_virsh list | grep -q $DOM || \ + { INFO $prog virsh starting $DOM ; virsh start $DOM ; } || \ + return 8$? + + return 0 +} + +## proxy_whonix_host_start - start either whonix or tor on a host +proxy_whonix_host_start () { DBUG $prog proxy_whonix_host_start $* ; + local dire + [ "$#" -gt 0 ] && dire=$1 + + proxy_whonix_host_config $dire || return 2$? + + proxy_whonix_host_install $dire || return 4$? + proxy_clobber_resolv_local + + return 0 +} + +if [ "$#" -eq 0 ] ; then + echo USAGE: $prog $USAGE + + elif [ "$1" = '-h' -o "$1" = '--help' -o "$1" = 'host' ] ; then + echo USAGE: $prog $USAGE or: + grep '^## ' $0 | sed -e 's/^## //' + + elif [ "$1" = config ] ; then + [ -z "$MODE" ] && MODE=$( proxy_ping_mode ) + proxy_whonix_host_config $MODE || exit 2$? + + elif [ "$1" = start ] ; then + [ -z "$MODE" ] && MODE=$( proxy_ping_mode ) + proxy_whonix_host_start $MODE || exit 2$? + + elif [ "$1" = selektor ] ; then + MODE=$1 + proxy_whonix_host_start $MODE + + elif [ "$1" = to -o "$1" = 'to_tor' -o "$1" = 'tor' ] ; then + [ -z "$MODE" ] && MODE=$( proxy_ping_mode ) + proxy_whonix_host_to_tor || exit 3$? + + elif [ "$1" = from -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then + [ -z "$MODE" ] && MODE=$( proxy_ping_mode ) + proxy_whonix_host_from_tor || exit 4$? + + elif [ "$1" = verify -o "$1" = 'install' ] ; then + [ -z "$MODE" ] && MODE=$( proxy_ping_mode ) + proxy_whonix_host_$1 $MODE || exit 5$? + + elif [ "$1" = 'test' ] ; then + [ -z "$MODE" ] && MODE=$( proxy_ping_mode ) + proxy_whonix_host_test $MODE || exit 4$? + + elif [ "$1" = update -o "$1" = 'start' -o "$1" = 'status' -o "$1" = 'stop' ] ; then + [ -z "$MODE" ] && MODE=$( proxy_ping_mode ) + proxy_whonix_host_$1 $MODE || exit 5$? 
+
+ elif [ "$1" = hourly -o "$1" = 'refresh' ] ; then
+ [ -z "$MODE" ] && MODE=$( proxy_ping_mode )
+ proxy_whonix_host_refresh || exit 6$?
+
+ else
+ DBUG $base "$@"
+ eval "$@"
+ exit $?
+
+ fi
+
+exit 0
diff --git a/overlay/Linux/usr/local/sbin/proxy_whonix_host_libvirt.bash b/overlay/Linux/usr/local/sbin/proxy_whonix_host_libvirt.bash
new file mode 100755
index 0000000..47f893f
--- /dev/null
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix_host_libvirt.bash
@@ -0,0 +1,3 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+exec bash /usr/local/bin/proxy_ping_lib.bash proxy_libvirt_test "$@"
diff --git a/overlay/Linux/usr/local/sbin/proxy_whonix_host_tor.bash b/overlay/Linux/usr/local/sbin/proxy_whonix_host_tor.bash
new file mode 100755
index 0000000..5120c26
--- /dev/null
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix_host_tor.bash
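Review bot: The SOCKS defaults in the prologue of proxy_whonix_host.bash are inverted: `[ -z "$SOCKS_HOST" ] || SOCKS_HOST=127.0.0.1` overwrites whatever proxy_ping_get_socks just found and leaves the variable empty when nothing was found, and `SOCKS_PORT` has the same bug; both lines want `&&` rather than `||`. In proxy_install_package the `/etc/portage` branch also runs `apt-get install -y $pkg`, so on a Gentoo host package installation can never succeed — presumably `emerge` was intended there. The final `else` arm of the dispatcher hands any unrecognised argument to `eval "$@"` in a script that has already insisted on running as root, so an arbitrary argument string becomes a root shell command; restricting the fallthrough to the functions this file defines, e.g. `case "$1" in proxy_whonix_host_*) "$@" ;; *) echo USAGE: $prog $USAGE ; exit 2 ;; esac`, keeps the debugging convenience without an open-ended eval, and `$base` in the DBUG line of that arm is never assigned (probably `$prog`). The same `eval "$@"` fallthrough appears at the end of proxy_whonix_host_tor.bash. Smaller slips worth a pass: proxy_whonix_gateway_start assigns `DOM` but tests `[ -z "$GATEW_DOM" ]`, and proxy_host_from_config tests `-a /etc/libvirt/qemu/$DOM.xml` without `-f`, which is always true for a non-empty string.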
@@ -0,0 +1,257 @@ +#!/bin/bash +# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*- + +ROLE=proxy +prog=$( basename $0 .bash ) + +. /usr/local/bin/usr_local_tput.bash || exit 2 +PREFIX=/usr/local + +USAGE="[to_tor|from_tor|test_to|test_from|verify]" + +. /usr/local/sbin/proxy_whonix_lib.bash || \ + { ERROR loading /usr/local/sbin/proxy_whonix_lib.bash ; exit 2; } +. /usr/local/bin/usr_local_base.bash || exit 2 +. /usr/local/sbin/proxy_tor_lib.bash || \ + { ERROR loading /usr/local/sbin/proxy_tor_lib.bash ; exit 3; } +. /usr/local/bin/usr_local_base.bash || exit 2 + +[ -f $PREFIX/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash +[ -z "$PRIV_TOR_OWNER" ] && grep -q ^debian-tor /etc/passwd && PRIV_TOR_OWNER=debian-tor +[ -z "$PRIV_TOR_OWNER" ] && grep -q ^tor /etc/passwd && PRIV_TOR_OWNER=tor +PRIV_TOR_GID=$( grep ^$PRIV_TOR_OWNER /etc/passwd|cut -d: -f 4 ) +[ -z "$PRIV_BIN_OWNER" ] && PRIV_BIN_OWNER=bin +PRIV_BIN_GID=$( grep ^$PRIV_BIN_OWNER /etc/passwd|cut -d: -f 4 ) + +#ps ax | grep 'usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/network.conf' && \ +# ps ax | grep 'usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/network.conf' | sed -e 's/ .*//' \ +# | xargs kill + +[ $USER != root ] || proxy_iptables_save | grep -qi reject || \ + proxy_ping_firewall_restart || exit 2$? +# bash /usr/local/sbin/base_firewall_start.bash + +## proxy_whonix_or_tor +proxy_whonix_or_tor () { DBUG proxy_whonix_or_tor $* ; + local a dire debian file + dire=$1 + file=/etc/tor/torrc + + [ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$? + [ -n "$PROXY_WLAN" ] || return 2$? + DBUG proxy_whonix_to_tor PROXY_WLAN=$PROXY_WLAN $* + + true || \ + proxy_ping_online || { + wlan7=$PROXY_WLAN + base_wlan_modules_unload $PROXY_WLAN + proxy_base_wlan_modules_load $PROXY_WLAN + ERROR not online ret=$? 
; return 3 ; + } + proxy_whonix_copy_files $dire +## proxy_whonix_to_tor +} + +proxy_whonix_to_selektor () { DBUG proxy_whonix_to_selektor $* ; + local a dire file + dire=selektor + file= + proxy_whonix_or_tor $dire + if ps ax | grep -v grep | grep -q 'tor -f /var/lib/tor/.SelekTOR/3xx' ; then + : + elif ! proxy_route_check ; then + return $? + elif tty >/dev/null ; then + /var/local/bin/selektor.bash & + fi + +} + +proxy_whonix_to_tor () { DBUG proxy_whonix_to_tor $* ; + local a dire debian file + dire=tor + file=/etc/tor/torrc + + proxy_whonix_or_tor $dire || return 2$? + DBUG proxy_whonix_to_tor PROXY_WLAN=$PROXY_WLAN $* + + proxy_tor_torrc_update /etc/tor/torrc 127.0.0.1 + proxy_tor_torrc_exclude /etc/tor/torrc + # proxy_rc_service tor status >/dev/null || proxy_rc_service tor start + # weaker - includes running from cmdline + debian=$PRIV_TOR_OWNER + ps ax -g $debian | grep -v grep | grep -q ' tor ' || \ + proxy_rc_service tor start || \ + { ERROR not service start ret=$? ; return 3 ; } + + + proxy_whonix_privoxy_start tor || { + echo WARN: $prog privoxy NOT running ret=$? + # return 4 ; + } + + proxy_whonix_dnsmasq_start tor || { + echo WARN: proxy_whonix_to_tor dnsmasq NOT started retval=$? + # return 5$? 
; + } + + # proxy_whonix_start_wget + + proxy_iptables_save | grep -q 'udp --dport 53 -j DNAT --to-destination 127.0.0.1:9053' || \ + proxy_rc_service dnsmasq status >/dev/null || \ + { ERROR $prog dnsmasq not running ; return 6 ; } + + netstat -nlp4 | grep 127.0.0.1:9 || return 9 + return 0 +} + +## proxy_tor_clean +proxy_tor_clean () { + [ -n "$MODE" ] || MODE="$( proxy_ping_mode )" + if [ "$MODE" = whonix ] ; then + proxy_whonix_get_gateway_dom || exit 8 + if [ -z "$GATEW_DOM" ] ; then + proxy_virsh list | grep -q $GATEW_DOM && \ + proxy_libvirt_clean_virbr1_rules + fi + fi + return 0 +} + +## proxy_tor_test +proxy_tor_test () { + local dire + [ $# -eq 1 ] && dire=$1 + [ -z "$dire" ] && dire="$( proxy_ping_mode )" + + if [ $dire = tor -o $dire = whonix -o $dire = host ] ; then + # is vda a host? + proxy_tor_test_ntp || return 2$? + proxy_tor_test_anondate # || return 3$? + fi + + proxy_whonix_test $dire || return 1$? + + return 0 +} + +starbucks_torrc () { proxy_whonix_host_tor_install $* ; } +## proxy_whonix_host_install +proxy_whonix_host_tor_install () { DBUG proxy_whonix_host_tor_install $* ; + [ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$? 
+ [ -n "$PROXY_WLAN_IP" ] || PROXY_WLAN_IP=$( proxy_get_wlan_ip ) || \ + { ERROR proxy_whonix_host_tor_install ifconfig $PROXY_WLAN ; return 7 ; } + [ -z "$PROXY_WLAN_IP" ] && return 0 + + for file in /etc/tor/torrc /etc/tor/torrc-defaults ; do + [ -f $file ] || continue + grep -q "SocksPolicy accept " /etc/tor/torrc || continue + grep -q "SocksPolicy accept $PROXY_WLAN_IP" /etc/tor/torrc || continue + sed -e "s@^SocksPolicy accept [^/]*\$@SocksPolicy accept $PROXY_WLAN_IP@" \ + -i $file + done + + return 0 +} + +proxy_whonix_host_whonix () { proxy_whonix_from_tor $* ; } +## proxy_whonix_from_tor +proxy_whonix_from_tor () { + local dire=whonix + local ret + DBUG proxy_whonix_from_tor $* + + proxy_rc_service tor status >/dev/null && proxy_rc_service tor stop + + [ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$? + # ; return 2$ret + proxy_whonix_config $dire || { ret=$? ; ERROR proxy_whonix_from_tor failed proxy_whonix_config ret=$ret ; return 2$ret ; } + + proxy_whonix_libvirt_start || { + ret=$? ; + ERROR proxy_whonix_from_tor failed proxy_whonix_libvirt_start ret=$ret ; + return 3$ret + } + + a=$( proxy_iptables_save | grep -e '-A OUTPUT -o .* -m tcp -p tcp -m owner --gid-owner $PRIV_TOR_GID -j ACCEPT' | grep -c -v grep ) + [ $? -eq 0 ] && [ -n "$a" ] && [ "$a" -gt 0 ] && \ + WARN proxy_iptables -D OUTPUT -o $PROXY_WLAN -m tcp -p tcp -m owner --gid-owner $PRIV_TOR_GID -j ACCEPT + + proxy_whonix_copy_files $dire + + # netstat -nlp4e | grep 127.0.0.1:53 && { ERROR dns still running ; return 3;} + if false; then + proxy_rc_service pdnsd status >/dev/null && proxy_rc_service pdnsd stop + [ -f /etc/pdnsd/pdnsd.conf.whonix ] && \ + cp -p /etc/pdnsd/pdnsd.conf.whonix /etc/pdnsd/pdnsd.conf + + # proxy_whonix_start_wget + proxy_whonix_dnsmasq_start $dire || \ + { ret=$? 
; echo WARN: proxy_whonix_from_tor dnsmasq NOT started $ret ; } + fi + + proxy_whonix_privoxy_start $dire || \ + { ret=$?; echo WARN: proxy_privoxy_from_tor polipo not started $ret ; } + + proxy_whonix_host_tor_install + + return 0 +} + +if [ "$#" -eq 0 ] ; then + echo USAGE: $prog $USAGE + + elif [ "$1" = '-h' ] || [ "$1" = 'help' ] || [ "$1" = '--help' ] ; then + echo USAGE: $prog $USAGE or: + grep '^## ' $0 | sed -e 's/^## //' + + elif [ "$1" = to -o "$1" = 'to_tor' -o "$1" = 'tor' ] ; then + [ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; } + proxy_whonix_to_tor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 1$ret ; } + + elif [ "$1" = 'selektor' ] ; then + [ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; } + proxy_whonix_to_selektor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 1$ret ; } + + elif [ "$1" = 'from' -o "$1" = 'from_tor' -o "$1" = 'whonix' ] ; then + [ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; } + proxy_whonix_from_tor || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 2$ret ; } + + elif [ "$1" = 'gateway' ] ; then + [ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; } + proxy_whonix_gateway || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 2$ret ; } + proxy_whonix_test gateway || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 4$ret ; } + + elif [ "$1" = 'test_from' -o "$1" = 'test_whonix' ] ; then + [ $( id -u ) -eq 0 ] || { ERROR $prog must be root ; exit 1 ; } + proxy_tor_test whonix || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 6$ret ; } + /usr/local/bin/proxy_ping_test.bash panic || exit 7 + + elif [ "$1" = 'test_gateway' -o "$1" = 'test_gateway' ] ; then + proxy_tor_test gateway || { ret=$? ; ERROR $prog $prog $1 retval=$ret ; exit 6$ret ; } + /usr/local/bin/proxy_ping_test.bash panic || exit 7 + + elif [ "$1" = 'test_to' -o "$1" = 'test_tor' ] ; then + proxy_tor_test tor || { ret=$? 
; ERROR $prog $prog $1 retval=$ret ; exit 7$ret ; } + /usr/local/bin/proxy_ping_test.bash panic || exit 7 + + elif [ "$1" = 'direct' -o "$1" = 'test_direct' ] ; then + /usr/local/bin/proxy_ping_test.bash direct + + elif [ "$1" = 'verify' ] ; then + /usr/local/bin/proxy_ping_test.bash panic || exit 7 + [ -n "$MODE" ] || MODE="$( proxy_ping_mode )" + proxy_whonix_test $MODE || \ + { ret=$? ; ERROR "$prog host='$GATEW_DOM' retval=$ret" ; exit 8$ret ; } + + elif [ "$1" = 'clean' -o "$1" = 'stop' ] ; then + proxy_whonix_$1 + /usr/local/bin/proxy_ping_test.bash panic || exit 8 + + elif [ "$1" = 'config' ] ; then + ERROR $prog not implemented $1;exit 1 + + else + eval "$@" + exit $? + fi diff --git a/overlay/Linux/usr/local/sbin/proxy_whonix_lib.bash b/overlay/Linux/usr/local/sbin/proxy_whonix_lib.bash new file mode 100755 index 0000000..59026a9 --- /dev/null +++ b/overlay/Linux/usr/local/sbin/proxy_whonix_lib.bash 
@@ -0,0 +1,742 @@ +#!/bin/bash +# -*- mode: sh; fill-column: 75; tab-width: 8; coding: utf-8-unix -*- + +PREFIX=/usr/local +ROLE=proxy +prog=$( basename $0 .bash ) +export PATH=$PATH:$PREFIX/sbin:$PREFIX/bin +. $PREFIX/bin/usr_local_tput.bash + +PL=$PREFIX/bin/proxy_libvirt_lib.bash + +# . $PREFIX/sbin/proxy_whonix_lib.bash || { echo ERROR: loading $PREFIX/sbin/proxy_whonix_lib.bash ; exit 2; } +. $PREFIX/bin/proxy_ping_lib.bash || \ + { echo ERROR: loading $PREFIX/bin/proxy_ping_lib.bash ; exit 2; } +base=proxy_whonix_lib + +starbucks_torrc () { + ip=`ifconfig $wlan7 | grep -v '127.0.0.1\|grep' | grep inet.*broadcast| sed -e 's/.*inet //' -e 's/ .*//'` + [ $? -eq 0 ] || { echo ERROR: starbucks_torrc ifconfig $wlan7 ; return 7 ; } + [ -z "$ip" ] && return 0 + for file in /etc/tor/torrc /etc/tor/torrc-default ; do + grep -q "^SocksPolicy accept " /etc/tor/torrc || continue + grep -q "^SocksPolicy accept $ip$" /etc/tor/torrc && continue + sed -e "s@^SocksPolicy accept [^/]*\$@SocksPolicy accept $ip@" \ + -i $file + done + return +} + +starbucks_set () { + + if [ -f /etc/init.d/network-manager ] ; then + NetworkManager=network-manager + elif [ -f /etc/init.d/NetworkManager ] ; then + NetworkManager=NetworkManager + elif [ -f /lib/systemd/system/NetworkManager ] ; then + NetworkManager=NetworkManager + else + NetworkManager=network-manager + fi + mgr=$NetworkManager + mgr=wicd + + [ -x /mnt/linuxBack52/usr/bin/macchanger ] && \ + macchanger=/mnt/linuxBack52/usr/bin/macchanger || \ + macchanger=macchanger + + # may be empty wlan7 + # ifconfig wlan7 2>/dev/null && wlan7=wlan7 || wlan7=wlp3s0 + if [ -z "$wlan7" ] ; then + echo ERROR: null wlan7 ;exit 1 + fi + INFO starbucks_set wlan7=$wlan7 mgr=$mgr macchanger=$macchanger + + if [ -z "$wlan7" ] ; then + rmmod iwlmvm iwlwifi 2>/dev/null >/dev/null & + rmmod ath9k_htc ath9k_common ath9k_hw ath 2>/dev/null >/dev/null & + + elif [ $wlan7 = wlan4 ] ; then + rmmod iwlmvm iwlwifi 2>/dev/null >/dev/null & + elif [ $wlan7 = wlan6 
-o $wlan7 = wlan7 ] ; then + rmmod ath9k_htc ath9k_common ath9k_hw ath 2>/dev/null >/dev/null & + fi + sleep 5 + + return 0 +} + +starbucks_ip () { + local wlan7 + [ $# -eq 0 -o -z "$1" ] && return 1 + wlan7=$1 + base_wlan_modules_unload $wlan7 || return 1$? + base_wlan_modules_load $wlan7 || return 2$? + + cd /etc + grep -l 'wlan[0-9]' * */* 2>/dev/null|grep -v ~$|xargs sed -e "s/wlan[0-9]/$wlan7/g" -i + + local_rc_service dbus start;local_rc_service wicd start + return 0 +} + +starbucks_start_services () { + [ -z "$MODE" ] && echo ERROR: $0 unknown MODE && return 2 + $PREFIX/sbin/proxy_whonix_host.bash start || return 3$? + # $PREFIX/sbin/proxy_whonix_host.bash proxy_whonix_host_start $MODE || return 5$? + [ "$MODE" != tor ] || starbucks_torrc || return 5$? + return 0 +} + +starbucks_stop () { + [ "$#" -eq 0 ] && set -- stop + starbucks_restart stop +} + +# old tor only +starbucks_restart () { + [ "$#" -eq 0 ] && set -- start + if [ -x /bin/systemctl ] ; then +# [ -e /etc/tor/torrc ] && /bin/systemctl $1 tor >/dev/null + [ -e /etc/pdnsd.conf ] && /bin/systemctl $1 pdnsd >/dev/null + [ -e /etc/polipo.conf ] && /bin/systemctl $1 polipo >/dev/null + /bin/systemctl $1 $mgr + else +# [ -e /etc/tor/torrc ] && /etc/init.d/tor $1 + [ -e /etc/pdnsd.conf ] && /etc/init.d/pdnsd $1 + [ -e /etc/polipo.conf ] && /etc/init.d/polipo $1 + /etc/init.d/$mgr $1 + fi + return 0 +} + +starbucks_pdnsd () { + if [ "$pdnsd" = "dnscrypt" ] && \ + ! ps ax | grep -v grep | grep -q /dnscrypt-proxy ; then + cp /dev/null /var/local/var/log/dnscrypt-proxy.log + $HARDEN_VAR_LOCAL/bin/dnscrypt-proxy --config $HARDEN_VAR_LOCAL/etc/dnscrypt-proxy.toml & + sleep $DELAY + [ ! -s /var/local/var/log/dnscrypt-proxy.log ] || \ + ! grep -q 'No servers configured' $HARDEN_VAR_LOCAL/var/log/dnscrypt-proxy.log || return 11 + ps ax | grep -v grep | grep -q /dnscrypt-proxy || return 12 + elif [ "$pdnsd" = "pdnsd" ] && ! 
ps ax | grep -v grep | grep -q /pdnsd ; then + if [ -x /bin/systemctl ] ; then + [ -e /etc/pdnsd.conf ] && /bin/systemctl stop pdnsd >/dev/null + else + [ -e /etc/pdnsd.conf ] && /etc/init.d/pdnsd stop + fi + fi +} + +starbucks_torrc () { + ip=`ifconfig $wlan7 | grep -v '127.0.0.1\|grep' | grep inet.*broadcast| sed -e 's/.*inet //' -e 's/ .*//'` + [ $? -eq 0 ] || { echo ERROR: starbucks_torrc ifconfig $wlan7 ; return 7 ; } + [ -z "$ip" ] || \ + grep -q "SocksPolicy accept $ip@" /etc/tor/torrc || \ + sed -e "s@^SocksPolicy accept [^/]*\$@SocksPolicy accept $ip@" \ + -i /etc/tor/torrc +} + + +## proxy_guest_firewall_config -- /etc/firewall.conf.ws.new +proxy_guest_firewall_config () { + . $PREFIX/sbin/proxy_whonix_guest_workstation-firewall.bash || return 2$? + source_config_folder + iptables_cmd="echo iptables" + ip6tables_cmd="echo # ip6tables" + main > /etc/firewall.conf.ws.new + + return $? +} + +## proxy_whonix_guest_config +proxy_whonix_guest_config () { + return 0 +} + +## proxy_whonix_guest_start +proxy_whonix_guest_start () { + $PL proxy_libvirt_start_guest + return $? +} + +## proxy_whonix_test_guest +proxy_whonix_test_guest () { + $PL proxy_libvirt_test_guest + return $? +} + +## proxy_whonix_gateway_config +proxy_whonix_gateway_config () { + proxy_whonix_dnsmasq_config gateway 10.0.2.15 + return 0 +} + +## proxy_whonix_dnsmasq_config +proxy_whonix_dnsmasq_config () { + local dire + + [ "$#" -eq 0 ] || dire=$1 + [ -z "$dire" ] && MODE="$( proxy_ping_mode )" && dire=$MODE + [ -n "$MODE" ] || MODE=host + + proxy_dest_port_wlan_config + [ -z "$PORT" -o -z "$DEST" ] && return 1 + + # 9040 - no wgetrc polipo + # need dnsmasq to 127 + file=/etc/dnsmasq.conf + if [ ! 
-f $file.$dire ] ; then + cp -p $file $file.$dire + cat >> $file.conf <> $file.conf <> $file.conf <> $file.conf <> $file.conf <> $file.conf <> $file.$dire </dev/null || \ + proxy_rc_service libvirtd start || \ + echo WARN: libvirtd crashed - see /var/log/libvirt/libvirtd.log # 2>&1|tee $WLOG + $PL proxy_libvirt_status + return 0 +} + +## proxy_whonix_libvirt_start +proxy_whonix_libvirt_start () { + local domain + [ "$#" -ge 1 ] && domain=$1 + + if [ ! -e /run/libvirt/libvirt-sock ] || ! proxy_rc_service libvirtd status >/dev/null ; then + cp /dev/null /var/log/libvirt/libvirtd.log + /etc/init.d/libvirtd status + retval=$? + [ $retval -eq 32 ] && WARN libvirtd crashed - zapping && /etc/init.d/libvirtd zap + [ $retval -eq 0 ] || /etc/init.d/libvirtd start || return 5$? # error: Failed to start livirtd + proxy_rc_service libvirtd start || return 3 + sleep $DELAY + fi + $PL proxy_libvirt_no_autostart + $PL proxy_libvirt_start + $PL proxy_libvirt_status + proxy_virsh net-list | grep -q Whonix-Internal || virsh net-start Whonix-Internal || return 3 + proxy_virsh net-list | grep -q Whonix-External || virsh net-start Whonix-External || return 4 + + [ -z "$domain" ] && domain="$( proxy_testforge_get_gateway_dom )" + [ -z "$domain" ] && echo WARN: null proxy_testforge_get_gateway_dom && \ + domain=Whonix-Gateway && \ + INFO set proxy_testforge_get_gateway_dom $domain + $PL proxy_libvirt_list | grep -v grep | grep "$domain" || \ + virsh start $domain || { + ret=$? + echo ERROR: proxy_whonix_libvirt_start failed virsh start $domain ret=$ret + return 5$ret + } + + return 0 +} + +## proxy_whonix_test +proxy_whonix_test () { + local dire + DBUG proxy_whonix_test $dire + [ "$#" -eq 0 ] && dire=$MODE || dire=$1 + + [ $dire = ws -o $dire = workstation ] && dire=vda + + if [ $dire = client ] ; then + : + # dunno - look at netstat? 
-nle4 + + elif [ $dire = nat ] ; then + $PL proxy_libvirt_test_guest + + elif [ $dire = vda -o $dire = gateway ] ; then + proxy_whonix_test_guest + + elif [ $dire = tor ] ; then + $PL proxy_libvirt_test_host + + elif [ $dire = whonix ] ; then + $PL proxy_libvirt_no_autostart + $PL proxy_libvirt_clean_virbr1_rules + + proxy_whonix_get_gateway_dom + [ -z "$GATEW_DOM" ] && echo WARN: $prog DOM proxy_whonix_get_gateway_dom assuming Whonix-Gateway && DOM=Whonix-Gateway || DOM=$GATEW_DOM + + proxy_virsh list | grep -q $DOM || { echo ERROR: $prog $DOM not running ; return 2 ; } + + $PREFIX/bin/proxy_ping_test.bash from_tor || return 6$? + fi + + #? gateway + if [ $dire = whonix -o $dire = vda -o $dire = tor ] ; then + proxy_rc_service polipo status >/dev/null >/dev/null || \ + { echo ERROR: $prog polipo not running ; return 4 ; } + $PREFIX/bin/proxy_ping_test.bash polipo || return 9$? + elif [ $dire = host -o $dire = tor ] ; then + proxy_rc_service privoxy status >/dev/null >/dev/null || \ + { echo ERROR: $prog privoxy not running ; return 4 ; } + $PREFIX/bin/proxy_ping_test.bash privoxy || return 9$? + fi + + if [ $dire = vda -o $dire = ws -o $dire = workstation ] ; then + proxy_clobber_resolv_local 10.152.152.10 + elif [ $dire = gateway -o $dire = whonix -o $dire = tor ] ; then + proxy_rc_service dnsmasq status 2>/dev/null >/dev/null || \ + { echo ERROR: $prog dnsmasq not running ; return 5 ; } + proxy_clobber_resolv_local 127.0.0.1 + fi + $PREFIX/bin/proxy_ping_test.bash dns # || return 9$? + + $PREFIX/bin/proxy_ping_test.bash $dire || return 6$? + + return 0 +} + +# Weher was this +## rc_host_symlink_etc_fstab +rc_host_symlink_etc_fstab () { + grep -q root=/dev/vda /proc/cmdline + PROXY_IS_VDA=$? 
+if [ $PROXY_IS_VDA -eq 0 ] ; then + [ -h /etc/fstab ] && [ -f /etc/fstab.vda ] && \ + rm -f /etc/fstab && ln -s /etc/fstab.vda /etc/fstab + return 1 +# else +# [ -h /etc/fstab ] && [ -f /etc/fstab.4TA ] && \ +# rm -f /etc/fstab && ln -s /etc/fstab.4TA /etc/fstab + fi + + return 0 +} + +## proxy_vda_config +proxy_vda_config () { + + rc_host_symlink_etc_fstab + sed -e 's/^#x1/x1/' -i /etc/inittab # + + if false ; then + sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf + if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then + ln -s $PREFIX/etc/modules_load.d/vda*conf /etc/modules_load.d/ + fi + fi + if false ; then + [ -f /etc/firewall.conf.vda ] && \ + cp -p /etc/firewall.conf.vda /etc/firewall.conf + fi + return 0 +} + +## +old_proxy_vda_config () { + + [ -f /etc/inittab ] && sed -e 's/^#x1/x1/' -i /etc/inittab + + return 0 +} + +## proxy_vda_whonix_config +proxy_vda_whonix_config () { + local dir=vda + + DEST=10.152.152.10 + PROXY_WLAN=eth0 + proxy_host_whonix_config $dire $DEST 9053 $PROXY_WLAN + + return $? +} + +## proxy_quest_config +proxy_quest_config () { + + proxy_vda_config + + sed -e 's/^#//' -i $PREFIX/etc/modules_load.d/vda*conf + if [ ! -h /etc/modules_load.d/vda_mods.conf ] ; then + cp -np $PREFIX/etc/modules_load.d/vda*conf /etc/modules-load.d/ + fi + return 0 +} + +## proxy_whonix_dnsmasq_start +proxy_whonix_dnsmasq_start () { + local dire + local service=dnsmasq + + [ "$#" -eq 0 ] || dire=$1 + [ -z "$dire" ] && MODE="$( proxy_ping_mode )" && dire=$MODE + [ -n "$MODE" ] || MODE=host + + DBUG proxy_whonix_dnsmasq_start $dire $PROXY_WLAN + + proxy_whonix_config $dire || return 1$? + + PROXY_WLAN=$( proxy_get_if ) + [ -z "$PROXY_WLAN" ] && echo ERROR: $prog empty PROXY_WLAN && return 4 + + sed -e "s/wlan[0-9]/$PROXY_WLAN/" -i /etc/dnsmasq.conf.$dire + if diff /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf >/dev/null ; then + proxy_rc_service dnsmasq status >/dev/null || \ + proxy_ping_dnsmasq_start || return 8$? 
+ else + proxy_rc_service dnsmasq status >/dev/null && \ + proxy_ping_dnsmasq_stop + cp -p /etc/dnsmasq.conf.$dire /etc/dnsmasq.conf + proxy_ping_dnsmasq_start || return 8$? + fi + + return 0 +} + +## proxy_whonix_privoxy_start +proxy_whonix_polipo_start () { + local dire + local service=polipo + + [ $# -eq 1 ] && dire=$1 + [ -z "$dire" ] && dire="$( proxy_ping_mode )" + DBUG proxy_whonix_start_$service $dire + + proxy_whonix_config $dire || \ + echo WARN: proxy_whonix_polipo_start proxy_whonix_config $dire $? # return 1$? + + sed -e "s/wlan[0-9]/$PROXY_WLAN/" -e "s/eth[0-9]/$PROXY_WLAN/" -i /etc/polipo/config.$dire + + if ! diff /etc/polipo/config.$dire /etc/polipo/config ; then + cp -p /etc/polipo/config.$dire /etc/polipo/config + proxy_rc_service $service restart || return 2$? + else + proxy_rc_service $service status >/dev/null || \ + proxy_rc_service $service start||return 3$ + fi + + return 0 +} + +## proxy_whonix_host_prepare_blocks +proxy_whonix_host_prepare_blocks () { + if [ ! -s /etc/firewall.conf.block ] ; then + if [ -f $PREFIX/etc/firewall.conf.block ] ; then + echo "WARN: $prog copying $PREFIX/etc/firewall.conf.block" + cp -p $PREFIX/etc/firewall.conf.block /etc/firewall.conf.block + else + ERROR "$prog missing $PREFIX/etc/firewall.conf.block" + return 1 + fi + fi + return 0 +} + +## proxy_whonix_host_add_block +proxy_whonix_host_add_block () { + local elt tab ip + + # PROXY_WLAN=$( proxy_get_if ) + # [ $? -ne 0 -o -z "$PROXY_WLAN" ] && echo ERROR: $prog null interface && return 1 + if [ "$#" -eq 0 ] ; then + proxy_whonix_host_prepare_blocks \| return 1$? 
+ set -- $( cat /etc/firewall.conf.block ) + fi + # DBUG "$prog adding $*" + [ -f /etc/firewall.conf.newer ] || \ + cp -p /etc/firewall.conf /etc/firewall.conf.newer + for elt in wlan virbr1 ; do + [ $elt = wlan ] && tab=INPUT || tab=LIBVIRT_FWI + grep -q "^# blocks $elt" /etc/firewall.conf.newer || { + echo ERROR: maker not found "^# blocks $elt" in /etc/firewall.conf.newer + return 2 + } + sed -e "/^# blocks $elt/,\$d" /etc/firewall.conf.newer > /etc/firewall.conf.$$ + echo "# blocks $elt" >> /etc/firewall.conf.$$ + for ip in $* ; do + grep -q $ip /etc/firewall.conf.block || \ + grep -q $ip /etc/firewall.conf.block.newer || \ + echo $ip >> /etc/firewall.conf.block.newer + grep -q -e "A $tab -s $ip" /etc/firewall.conf.newer && continue + echo "-A $tab -s $ip -p tcp -j DROP" >> /etc/firewall.conf.$$ + DBUG "$prog -A $tab -s $ip -m tcp -p tcp -j DROP" + done + sed -e "1,/^# blocks $elt/d" /etc/firewall.conf.newer >> /etc/firewall.conf.$$ + mv /etc/firewall.conf.$$ /etc/firewall.conf.newer + done + return 0 +} + +## proxy_whonix_host_online +proxy_whonix_host_online () { + [ -n "$PROXY_WLAN" ] || PROXY_WLAN=$( proxy_get_if ) || return 1$? + [ -z "$PROXY_WLAN" ] && echo ERROR: empty PROXY_WLAN && return 2 + if [ -x /etc/init.d/NetworkManager ] ; then + /etc/init.d/NetworkManager status || /etc/init.d/NetworkManager start || return 3 +else + proxy_rc_service NetworkManager status >/dev/null \ + || proxy_rc_service NetworkManager start || return 3$? +fi + nm-online -t 0 -x || return 4$? + + return 0 +} + +## proxy_whonix_down - call when the network goes down +proxy_whonix_down () { +# $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$? + proxy_ping_online && return 0 # dont do anything + # nothing to do? + return 0 +} + +## proxy_whonix_up - call when the network comes up +proxy_whonix_up () { + # $PREFIX/bin/proxy_ping_test.bash "$MODE" || return 1$? 
+ proxy_ping_online || return 0 # dont do anything
+ return 0
+}
+
+## proxy_whonix_start_wget
+proxy_whonix_start_wget () {
+ return 0
+ if [ -f /etc/wgetrc ] ; then
+ sp=https://127.0.0.1:3128
+ grep -q ^https_proxy /etc/wgetrc && \
+ sed -e "s@https_proxy.*@https_proxy = $sp@" -i /etc/wgetrc
+ grep -q ^https_proxy /etc/wgetrc && \
+ echo "https_proxy = $sp" >> /etc/wgetrc
+ grep -q ^http_proxy /etc/wgetrc && \
+ sed -e "s@http_proxy.*@http_proxy = $sp@" -i /etc/wgetrc
+ grep -q ^http_proxy /etc/wgetrc || \
+ echo "http_proxy = $sp" >> /etc/wgetrc
+ fi
+
+ sp=http://127.0.0.1:3128
+ for elt_proxy in http https ; do
+ grep -q ^$elt_proxy /etc/wgetrc && \
+ sed -e "s@$elt_proxy.*@$elt_proxy = $sp@" -i /etc/wgetrc || \
+ echo "$elt_proxy = $sp" >> /etc/wgetrc
+ done
+
+ return 0
+}
+
+if [ -x /usr/bin/basename ] && [ $( /usr/bin/basename -- $0 .bash ) = $base ] ; then
+ [ "$#" -eq 0 ] && exit 0
+ [ "$#" -eq 1 ] && [ "$1" = '-h' -o "$1" = '--help' ] && \
+ echo USAGE: $0 && grep '^[a-z].*()\|^## ' $0 | sed -e 's/().*//'|sort && \
+ exit 0
+ DBUG $base "$@"
+ eval "$@"
+ exit $?
+ fi
diff --git a/overlay/Linux/usr/local/sbin/proxy_whonix_tor_start.bash b/overlay/Linux/usr/local/sbin/proxy_whonix_tor_start.bash
new file mode 100755
index 0000000..54f5ecb
--- /dev/null
+++ b/overlay/Linux/usr/local/sbin/proxy_whonix_tor_start.bash
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec sh proxy_whonix_gateway_tor.bash "$@"
diff --git a/overlay/Linux/usr/local/share/doc/txt/gitconfig3.txt b/overlay/Linux/usr/local/share/doc/txt/gitconfig3.txt
new file mode 100644
index 0000000..f8ec4a2
--- /dev/null
+++ b/overlay/Linux/usr/local/share/doc/txt/gitconfig3.txt
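Review bot: `starbucks_ip` rewrites every file up to two levels deep under /etc that mentions any wlanN (`cd /etc; grep -l 'wlan[0-9]' * */* ... | xargs sed -e "s/wlan[0-9]/$wlan7/g" -i`), with filenames passed unquoted through xargs; on a root-run script that is far broader and more destructive than the network configuration it targets, so I would restrict it to the specific files this role manages, or at least `grep -lZ ... | xargs -0`. Two smaller defects in the same hunk: `proxy_whonix_host_add_block` writes `proxy_whonix_host_prepare_blocks \| return 1$?`, which passes a literal `|` argument instead of `||`, so a missing block file is never treated as an error; and the second `starbucks_torrc` definition (which shadows the first) greps for `"SocksPolicy accept $ip@"` with a stray `@`, so the check never matches and the sed rewrite runs on every call. The dispatcher at the bottom runs `eval "$@"` on whatever arguments it receives; if this sbin script is ever reachable through sudo or cron with caller-influenced arguments that is a command-injection path, and a `case` over the documented `## ` function names would be safer. The heredoc bodies in `proxy_whonix_dnsmasq_config` appear garbled in this rendering, so I could not review them.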
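Review bot: `exec sh proxy_whonix_gateway_tor.bash "$@"` resolves the target relative to the caller's current directory rather than to /usr/local/sbin, so the wrapper only works when invoked from the directory that holds the script, and it runs under `sh` a file that, like its siblings in this diff, is presumably written for bash. I would use an absolute interpreter and path, e.g. `exec /bin/bash /usr/local/sbin/proxy_whonix_gateway_tor.bash "$@"`; the target is not part of this diff, so confirm its location and shebang first.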
@@ -0,0 +1,93 @@
+# -*-mode: doctest; tab-width: 0; py-indent-offset: 4; coding: utf-8-unix -*-
+
+== testserver box testing ==
+
+ >>> import os # doctest: +REPORT_ONLY_FIRST_FAILURE
+
+This is a Python doctest file that is executable documentation.
+It is built to run in the host against a Vagranted VirtualBox, and is run
+from the directory that contains the box's {{{.vagrant}}} subdirectory.
+
+ >>> import subprocess
+ >>> import sys
+ >>> import time
+
+And, now run tests against the box.
+
+ >>> sys.stderr.write("Running tests against box" +'\n')
+ 26
+
+=== Box settings ===
+
+We'll need the settings defined in {{{/usr/local/etc/testforge/testforge.yml}}}
+
+ >>> import yaml
+ >>> sFacts = open('/usr/local/etc/testforge/testforge.yml', 'rt').read()
+ >>> assert sFacts
+ >>> dFacts = yaml.safe_load(sFacts)
+
+=== .gitconfig ===
+
+We have a .gitconfig file in this directory that has our template
+of what we need up in the box to checkout from https://git.example.com
+You can edit the file and customize it, and we will use it as a
+Python string template, so look out for the {{{%()s}}} template fields.
+
+ >>> sDir = os.path.dirname(__file__)
+ >>> sFile = os.path.join(sDir, example.gitconfig')
+ >>> assert os.path.isfile(sFile), "ERROR: File not found " +sFile
+ >>> sGitConfig = open(sFile, 'r').read()
+ >>> assert sGitConfig, "ERROR: Nothing in " +sFile
+
+We will look for the environment variables:
+* {{{AAA_CERT}}} for the filename of your example certificate
+* {{{AAA_KEY}}} for the filename of your example key
+
+ >>> sCertFile = os.environ.get('AAA_CERT')
+ >>> assert sCertFile, "ERROR: we need AAA_CERT set in the environment"
+ >>> assert os.path.isfile(sCertFile), "ERROR: the AAA_CERT in the environment is not a file"
+
+ >>> sKeyFile = os.environ.get('AAA_KEY')
+ >>> assert sKeyFile, "ERROR: we need AAA_KEY set in the environment"
+ >>> assert os.path.isfile(sKeyFile), "ERROR: the AAA_KEY in the environment is not a file"
+
+ >>> sIdentityFile = os.path.expandvars('$HOME/.ssh/id_rsa')
+ >>> assert os.path.isfile(sIdentityFile), "ERROR: the file ~/.ssh/id_rsa is not a file"
+
+
+The directory we push to should have been created by Ansible.
+
+ >>> sBoxHome = dFacts['BOX_HOME']
+ >>> sDir = sBoxHome +'/etc/ssl/keys'
+ >>> run( "[ -d " +sDir +" ] || mkdir -p " +sDir) or None
+
+We will push these files up to the box so that we can use them.
+
+ >>> sUser = os.environ.get('USERNAME') or os.environ.get('USER')
+ >>> sTo = 'dd of=%s/%s@example.com-nodes.key' % (sDir, sUser,)
+ >>> ssh_run_with_stdin(sTo, sKeyFile) or None
+ >>> sTo = 'dd of=%s/%s@example.com-clcerts.key' % (sDir, sUser,)
+ >>> ssh_run_with_stdin(sTo, sCertFile) or None
+ >>> sTo = 'dd of=%s/%s@example.com-id_rsa' % (sDir, sUser,)
+ >>> ssh_run_with_stdin(sTo, sIdentityFile) or None
+ >>> sToDir = '%s/%s@*' % (sDir, sUser,)
+ >>> run( "chown 600 " +sToDir) or None
+
+Now we have the cert and key up we can write our templated {{{~/.gitconfig}}}
+
+ >>> sTempDir = os.environ.get('temp') or os.environ.get('TMP') or '/tmp'
+ >>> assert os.path.isdir(sTempDir)
+ >>> sFile = os.path.join(sTempDir, '.gitconfig')
+ >>> oFile = open(sFile, 'w')
+ >>> sGitConfig = sGitConfig % dict(USER=sUser, KEYSDIR=sDir,
+ ... BOX_HOME=sBoxHome)
+ >>> try:
+ ... oFile.write(sGitConfig)
+ ... finally:
+ ... oFile.close()
+ >>> assert os.path.isfile(sFile)
+ >>> sTo = sBoxHome +'/.gitconfig'
+ >>> ssh_run_with_stdin('dd of=' +sTo, sFile) or None
+ >>> sys.stderr.write("Wrote templated .gitconfig to " +sFile +'\n')
+
+QED.
diff --git a/overlay/Linux/usr/local/share/doc/txt/gitconfigV.txt b/overlay/Linux/usr/local/share/doc/txt/gitconfigV.txt
new file mode 100644
index 0000000..933dc69
--- /dev/null
+++ b/overlay/Linux/usr/local/share/doc/txt/gitconfigV.txt
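Review bot: `run( "chown 600 " +sToDir) or None` is meant to lock down the private key, client cert and `id_rsa` just pushed to the box, but `chown` takes an owner, not a mode, so the command either fails or hands the files to uid 600 while they keep whatever mode `dd of=` created under the remote umask; it should be `run("chmod 600 " + sToDir)`, with the parent created as `mkdir -p -m 700` and the result checked rather than discarded with `or None`. The file also cannot run as written: `os.path.join(sDir, example.gitconfig')` is missing the opening quote and is a SyntaxError before any step executes. Copying the user's own `~/.ssh/id_rsa` into the VM is worth reconsidering — a dedicated deploy key limits the damage if the box is compromised. `run` and `ssh_run_with_stdin` are not defined in this file, so I assume the doctest runner injects them; a one-line note saying so would help.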
@@ -0,0 +1,93 @@
+# -*-mode: doctest; tab-width: 0; py-indent-offset: 4; coding: utf-8-unix -*-
+
+== testserver box testing ==
+
+ >>> import os # doctest: +REPORT_ONLY_FIRST_FAILURE
+
+This is a Python doctest file that is executable documentation.
+It is built to run in the host against a Vagranted VirtualBox, and is run
+from the directory that contains the box's {{{.vagrant}}} subdirectory.
+
+ >>> import subprocess
+ >>> import sys
+ >>> import time
+
+And, now run tests locally
+
+ >>> sys.stderr.write("Running tests locally" +'\n')
+ 22
+
+=== Box settings ===
+
+We'll need the settings defined in {{{/usr/local/etc/testforge/testforge.yml}}}
+
+ >>> import yaml
+ >>> sFacts = open('/usr/local/etc/testforge/testforge.yml', 'rt').read()
+ >>> assert sFacts
+ >>> dFacts = yaml.safe_load(sFacts)
+
+=== .gitconfig ===
+
+We have a .gitconfig file in this directory that has our template
+of what we need up in the box to checkout from https://git.example.com
+You can edit the file and customize it, and we will use it as a
+Python string template, so look out for the {{{%()s}}} template fields.
+
+ >>> sDir = '/var/local/share/doc/txt'
+ >>> sFile = os.path.join(sDir, 'example.gitconfig')
+ >>> assert os.path.isfile(sFile), "ERROR: File not found " +sFile
+ >>> sGitConfig = open(sFile, 'r').read()
+ >>> assert sGitConfig, "ERROR: Nothing in " +sFile
+
+We will look for the environment variables:
+* {{{AAA_CERT}}} for the filename of your example certificate
+* {{{AAA_KEY}}} for the filename of your example key
+
+ >>> sCertFile = os.environ.get('AAA_CERT')
+ >>> assert sCertFile, "ERROR: we need AAA_CERT set in the environment"
+ >>> assert os.path.isfile(sCertFile), "ERROR: the AAA_CERT in the environment is not a file"
+
+ >>> sKeyFile = os.environ.get('AAA_KEY')
+ >>> assert sKeyFile, "ERROR: we need AAA_KEY set in the environment"
+ >>> assert os.path.isfile(sKeyFile), "ERROR: the AAA_KEY in the environment is not a file"
+
+ >>> sIdentityFile = os.path.expandvars('$HOME/.ssh/id_rsa')
+ >>> assert os.path.isfile(sIdentityFile), "ERROR: the file ~/.ssh/id_rsa is not a file"
+
+
+The directory we push to should have been created by Ansible.
+
+ >>> sBoxHome = dFacts['BOX_HOME']
+ >>> sDir = sBoxHome +'/etc/ssl/keys'
+ >>> run( "[ -d " +sDir +" ] || mkdir -p " +sDir) or None
+
+We will push these files up to the box so that we can use them.
+
+ >>> sUser = os.environ.get('USERNAME') or os.environ.get('USER')
+ >>> sTo = 'dd of=%s/%s@example.com-nodes.key' % (sDir, sUser,)
+ >>> ssh_run_with_stdin(sTo, sKeyFile) or None
+ >>> sTo = 'dd of=%s/%s@example.com-clcerts.key' % (sDir, sUser,)
+ >>> ssh_run_with_stdin(sTo, sCertFile) or None
+ >>> sTo = 'dd of=%s/%s@example.com-id_rsa' % (sDir, sUser,)
+ >>> ssh_run_with_stdin(sTo, sIdentityFile) or None
+ >>> sToDir = '%s/%s@*' % (sDir, sUser,)
+ >>> run( "chown 600 " +sToDir) or None
+
+Now we have the cert and key up we can write our templated {{{~/.gitconfig}}}
+
+ >>> sTempDir = os.environ.get('temp') or os.environ.get('TMP') or '/tmp'
+ >>> assert os.path.isdir(sTempDir)
+ >>> sFile = os.path.join(sTempDir, '.gitconfig')
+ >>> oFile = open(sFile, 'w')
+ >>> sGitConfig = sGitConfig % dict(USER=sUser, KEYSDIR=sDir,
+ ... BOX_HOME=sBoxHome)
+ >>> try:
+ ... oFile.write(sGitConfig)
+ ... finally:
+ ... oFile.close()
+ >>> assert os.path.isfile(sFile)
+ >>> sTo = sBoxHome +'/.gitconfig'
+ >>> ssh_run_with_stdin('dd of=' +sTo, sFile) or None
+ >>> sys.stderr.write("Wrote templated .gitconfig to " +sFile +'\n')
+
+QED.
diff --git a/overlay/Linux/usr/local/share/doc/txt/proxy2.txt b/overlay/Linux/usr/local/share/doc/txt/proxy2.txt
new file mode 100644
index 0000000..994227e
--- /dev/null
+++ b/overlay/Linux/usr/local/share/doc/txt/proxy2.txt
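Review bot: `run( "chown 600 " +sToDir) or None` uses chown where a mode is intended, so the private key, client cert and `id_rsa` pushed just above are never actually restricted; use `run("chmod 600 " + sToDir)` and check the result instead of discarding it with `or None`. This file is otherwise a copy of gitconfig3.txt that differs only in how `sDir` is chosen (here the fixed `/var/local/share/doc/txt`) and in the "locally" wording, so the same bug exists in both; a single doctest with the template directory as a parameter would avoid fixing it twice. As in the sibling file, shipping the user's personal `~/.ssh/id_rsa` into the box rather than a dedicated deploy key is worth a second look.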
@@ -0,0 +1,21 @@
+# -*-mode: doctest; tab-width: 0; py-indent-offset: 4; coding: utf-8-unix -*-
+
+== proxy box testing ==
+
+This is a Python doctest file that is executable documentation.
+It is built to run against a Vagranted VirtualBox, and is run from the
+directory that contains the box's {{{.vagrant}}} subdirectory.
+
+ >>> import subprocess
+ >>> import sys
+ >>> import time
+
+And, now run tests against the box.
+
+ >>> print("Running tests against box", file=sys.stderr)
+
+We should be able to get a page from our proxy
+
+ >>> sUrl = 'http://' +myip +':3128/'
+ >>> print ssh_run('wget -O - -q %s | grep Polipo | head -1' % (sUrl,))
+ Welcome to Polipo
diff --git a/overlay/Linux/usr/local/share/doc/txt/proxy3.txt b/overlay/Linux/usr/local/share/doc/txt/proxy3.txt
new file mode 100644
index 0000000..d9a28bd
--- /dev/null
+++ b/overlay/Linux/usr/local/share/doc/txt/proxy3.txt
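Review bot: `print ssh_run('wget ...')` is a Python 2 print statement while the earlier `print("Running tests against box", file=sys.stderr)` requires Python 3, so this doctest is a SyntaxError under either interpreter; the last step should read `>>> print(ssh_run('wget -O - -q %s | grep Polipo | head -1' % (sUrl,)))`. `myip` and `ssh_run` are not defined anywhere in the file, so presumably the doctest runner injects them; a comment saying so would spare the next reader a search. Matching `Welcome to Polipo` only proves the listener answers from inside the box; on a Tor host it would be worth also asserting that the 3128 listener refuses clients that are not local, which is the property this proxy exists to enforce.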
@@ -0,0 +1,47 @@
+#!/var/local/bin/testforge_run_doctest3.bash
+# -*-mode: doctest; tab-width: 0; py-indent-offset: 4; coding: utf-8-unix -*-
+
+== proxy testing ==
+
+This is a Python doctest file that is executable documentation.
+
+ >>> import os,sys # doctest: +REPORT_ONLY_FIRST_FAILURE
+
+And, now run tests against the box.
+
+ >>> sys.stderr.write("Running tests against box" +'\n')
+ 2...
+
+=== Box settings ===
+
+We'll need the settings defined in {{{/usr/local/etc/testforge/testforge.yml}}}
+
+ >>> import yaml
+ >>> sFacts = run('cat /usr/local/etc/testforge/testforge.yml')
+ >>> assert sFacts
+ >>> dFacts = yaml.safe_load(sFacts)
+
+=== /var/local/bin/proxy_hourly.bash ===
+
+ >>> os.system("/usr/local/bin/proxy_hourly.bash")
+ 0
+
+=== /var/local/src check ===
+
+ >>> os.chdir ('/usr/local/src')
+ >>> os.system('sh usr_local_proxy.bash check')
+ 0
+
+=== /var/local/src test ===
+
+ >>> os.chdir ('/usr/local/src')
+ >>> os.system('sh usr_local_proxy.bash test')
+ 0
+
+=== /var/local/src lint ===
+
+ >>> os.chdir ('/usr/local/src')
+ >>> os.system('sh usr_local_proxy.bash lint')
+ 0
+
+
diff --git a/overlay/Linux/usr/local/share/sed/fact_to_bash.sed b/overlay/Linux/usr/local/share/sed/fact_to_bash.sed
new file mode 100644
index 0000000..6f3e789
--- /dev/null
+++ b/overlay/Linux/usr/local/share/sed/fact_to_bash.sed
@@ -0,0 +1,7 @@
+# ROLE=proxy
+s@u*'@@g
+s@^ *@@
+s@\[@"@
+s@\]@"@
+s@, @ @g
+s@^@export @
diff --git a/overlay/Linux/usr/local/share/whonix-libvirt/xml/Kicksecure.xml b/overlay/Linux/usr/local/share/whonix-libvirt/xml/Kicksecure.xml
new file mode 100644
index 0000000..0ad0446
--- /dev/null
+++ b/overlay/Linux/usr/local/share/whonix-libvirt/xml/Kicksecure.xml
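Review bot: The shebang and the section headings name `/var/local/bin/proxy_hourly.bash` and `/var/local/src`, but the steps actually run `/usr/local/bin/proxy_hourly.bash` and `os.chdir ('/usr/local/src')`, so either the prose or the paths are stale; align them with the /usr/local prefix the rest of this role installs under. `sFacts = run('cat /usr/local/etc/testforge/testforge.yml')` also differs from the sibling doctests, which `open()` the same file locally, and `run` is not defined here, so it presumably comes from the doctest runner — a comment saying so would help. The `os.system(...)` checks only assert a zero shell status, so a `usr_local_proxy.bash` that prints failures but exits 0 will still pass; if that script's exit code is not trustworthy, capture and check its output as well.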
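Review bot: `s@u*'@@g` deletes every single quote (together with a preceding Python `u` prefix) and the final `s@^@export @` turns each line into an `export` statement, so any fact value containing whitespace, `$`, backticks or `;` ends up unquoted in a line that is presumably sourced by a shell and will be word-split or, in the worst case, executed. The script has no comment on what input shape it expects (`KEY=u'value'` lines? a Python list repr, given the `[`/`]` rules?), so it is hard to say which values are safe to feed it; document that in the `# ROLE=proxy` header and have the consumer reject any output line matching `[\$\`;]` before sourcing it, or generate the exports from a proper YAML/JSON parser instead of sed.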
@@ -0,0 +1,80 @@ + + Kicksecure + Do not change any settings if you do not understand the consequences! Learn more: https://www.whonix.org/wiki/KVM#XML_Settings + + 2097152 + 2097152 + + + + + + + 250 + + 1 + + hvm + + + + + + + + + + + + + + + + + + destroy + restart + restart + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + /dev/urandom + + + diff --git a/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Custom-Workstation.xml b/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Custom-Workstation.xml new file mode 100644 index 0000000..2864656 --- /dev/null +++ b/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Custom-Workstation.xml @@ -0,0 +1,80 @@ + + Whonix-Custom-Workstation + Do not change any settings if you do not understand the consequences! Learn more: https://www.whonix.org/wiki/KVM#XML_Settings + + 2097152 + 2097152 + + + + + + + 250 + + 1 + + hvm + + + + + + + + + + + + + + + + + + destroy + restart + restart + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + /dev/urandom + + + diff --git a/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-External.xml b/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-External.xml new file mode 100644 index 0000000..4083879 --- /dev/null +++ b/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-External.xml @@ -0,0 +1,6 @@ + + Whonix-External + + + + diff --git a/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Gateway.xml b/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Gateway.xml new file mode 100644 index 0000000..eeabeff --- /dev/null +++ b/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Gateway.xml @@ -0,0 +1,82 @@ + + Whonix-Gateway + Do not change any settings if you do not understand the consequences! Learn more: https://www.whonix.org/wiki/KVM#XML_Settings + + 524288 + 524288 + + + + + + + 250 + + 1 + + hvm + + + + + + + + + + + + + + + + + + destroy + restart + restart + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + /dev/urandom + + + diff --git a/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Internal.xml b/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Internal.xml new file mode 100644 index 0000000..035cd91 --- /dev/null +++ b/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Internal.xml @@ -0,0 +1,4 @@ + + Whonix-Internal + + diff --git a/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Workstation.xml b/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Workstation.xml new file mode 100644 index 0000000..7fd883e --- /dev/null +++ b/overlay/Linux/usr/local/share/whonix-libvirt/xml/Whonix-Workstation.xml @@ -0,0 +1,80 @@ + + Whonix-Workstation + Do not change any settings if you do not understand the consequences! Learn more: https://www.whonix.org/wiki/KVM#XML_Settings + + 2097152 + 2097152 + + + + + + + 250 + + 1 + + hvm + + + + + + + + + + + + + + + + + + destroy + restart + restart + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + /dev/urandom + + + diff --git a/overlay/Linux/usr/local/src/helper-scripts/anondate b/overlay/Linux/usr/local/src/helper-scripts/anondate new file mode 100755 index 0000000..7c6f1a1 --- /dev/null +++ b/overlay/Linux/usr/local/src/helper-scripts/anondate 
@@ -0,0 +1,300 @@ +#!/bin/bash + +## Copyright (C) Amnesia +## Copyright (C) 2014 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +set -o pipefail + +export TOR_LOG="/var/log/tor/log" +if [ -d /var/lib/tor/data ] ; then + export TOR_DIR=/var/lib/tor/data + elif [ -d /var/lib/tor ] ; then + export TOR_DIR=/var/lib/tor + fi + +USAGE=" + --has-consensus + --current-time-in-valid-range + --show-valid-after + --show-valid-until + --show-middle-range + --tor-cert-lifetime-invalid + --tor-cert-valid-after + --verified-only + --prefer-verified + --unverified-only + --user-permission + --group-permission +" + +variables () { + [ -n "$TOR_RC" ] || TOR_RC="/etc/tor/torrc" + [ -n "$TOR_LOG" ] || TOR_LOG="/run/tor/log" + [ -n "$TOR_DIR" ] || TOR_DIR="/var/lib/tor" + [ -n "$TOR_DESCRIPTORS" ] || TOR_DESCRIPTORS="${TOR_DIR}/cached-microdescs" + [ -n "$NEW_TOR_DESCRIPTORS" ] || NEW_TOR_DESCRIPTORS="${TOR_DESCRIPTORS}.new" + [ -n "$TOR_CONSENSUS" ] || TOR_CONSENSUS="${TOR_DIR}/cached-microdesc-consensus" + [ -n "$TOR_UNVERIFIED_CONSENSUS" ] || TOR_UNVERIFIED_CONSENSUS="${TOR_DIR}/unverified-microdesc-consensus" + [ -n "$DATE_RE" ] || DATE_RE='[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]' +} + +parse_cmd_options() { + ## Thanks to: + ## http://mywiki.wooledge.org/BashFAQ/035 + + while : + do + case $1 in + --verbose) + echo "$SCRIPTNAME verbose output..." 
+ echo "Script running as $(whoami)" + set -x + true "$0: $@" + shift + ;; + --has-consensus) + has_consensus_="true" + shift + ;; + --current-time-in-valid-range) + current_time_in_valid_range_="true" + shift + ;; + --show-valid-after) + show_valid_after_="true" + shift + ;; + --show-valid-until) + show_valid_until_="true" + shift + ;; + --show-middle-range) + show_middle_range_="true" + shift + ;; + --tor-cert-lifetime-invalid) + tor_cert_lifetime_invalid_="true" + shift + ;; + --tor-cert-valid-after) + tor_cert_valid_after_="true" + shift + ;; + --verified-only) + verified_only_="true" + shift + ;; + --prefer-verified) + prefer_verified_="true" + shift + ;; + --unverified-only) + unverified_only_="true" + shift + ;; + --user-permission) + user_permission_="true" + shift + ;; + --group-permission) + group_permission_="true" + shift + ;; + --) + shift + break + ;; + -*) + echo "$SCRIPTNAME unknown option: $1" >&2 + exit 111 + ;; + *) + break + ;; + esac + done + + ## If there are input files (for example) that follow the options, they + ## will remain in the "$@" positional parameters. + + if [ "$verified_only_" = "true" ]; then + consensus="$TOR_CONSENSUS" + elif [ "$prefer_verified_" = "true" ]; then + if [ -e "${TOR_CONSENSUS}" ]; then + consensus="$TOR_CONSENSUS" + else + consensus="$TOR_UNVERIFIED_CONSENSUS" + fi + elif [ "$unverified_only_" = "true" ]; then + consensus="$TOR_UNVERIFIED_CONSENSUS" + else + consensus="$TOR_CONSENSUS" + fi + + if [ "$has_consensus_" = "true" ]; then + has_consensus + exit "$?" + fi + if [ "$current_time_in_valid_range_" = "true" ]; then + current_time_is_in_valid_range + exit "$?" + fi + if [ "$show_valid_after_" = "true" ]; then + show-valid-after + exit "$?" + fi + if [ "$show_valid_until_" = "true" ]; then + show-valid-until + exit "$?" + fi + if [ "$show_middle_range_" = "true" ]; then + show-middle-range + exit "$?" + fi + if [ "$tor_cert_lifetime_invalid_" = "true" ]; then + tor_cert_lifetime_invalid + exit "$?" 
+ fi + if [ "$tor_cert_valid_after_" = "true" ]; then + tor_cert_valid_after + exit "$?" + fi + if [ "$user_permission_" = "true" ]; then + user_permission + exit "$?" + fi + if [ "$group_permission_" = "true" ]; then + group_permission + exit "$?" + fi + + echo "USAGE: $0 $USAGE" + exit 1 +} + +root_check() { + if [ "$(id -u)" != "0" ]; then + echo "ERROR: Must run as root." + exit 112 + fi +} + +has_consensus() { + if [ ! -r "$consensus" ]; then + exit 4 + fi + local grep_exit_code="0" + grep -qs "^valid-until ${DATE_RE}"'$' "$consensus" || { grep_exit_code="$?" ; true; }; + if [ "$grep_exit_code" = "0" ]; then + return 0 + else + return 1 + fi +} + +show-valid-after() { + vstart="$(sed -n "/^valid-after \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1 + if [ "$show_valid_after_" = "true" ]; then + echo "$vstart" + fi +} + +show-valid-until() { + vend="$(sed -n "/^valid-until \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1 + if [ "$show_valid_until_" = "true" ]; then + echo "$vend" + fi +} + +show-middle-range() { + show-valid-after + show-valid-until + vmid="$(date -ud "${vstart} -0130" +'%F %T')" || exit 1 + if [ "$show_middle_range_" = "true" ]; then + echo "$vmid" + fi +} + +current_time_is_in_valid_range() { + show-middle-range + + ## {{ Sanity Test + ## Debugging. + #vend="2099-09-03 09:41:29" + vendchk="$(date -ud "${vstart} -0300" +'%F %T')" + if [ ! "${vend}" = "${vendchk}" ]; then + echo "ERROR: Unexpected valid-until: [${vend}] is not [${vstart} + 3h]" + return 1 + fi + ## Sanity Test + + curdate="$(date -u +'%F %T')" + ## Debugging. + #curdate="2099-09-03 09:41:29" + + vendcons="$(date -ud "${vstart} -0230" +'%F %T')" + order="${vstart} +${curdate} +${vendcons}" + ordersrt="$(echo "${order}" | sort)" + + if [ "${order}" = "${ordersrt}" ]; then + return 0 + fi + echo WARN: failed Sanity Test + echo INFO: 'expected' $order + echo INFO: 'got ' $ordersrt + return 1 +} + +tor_cert_lifetime_invalid() { + if [ ! 
-r "$TOR_LOG" ]; then + return 3 + fi + + ## TODO: + ## To be sure that we only grep relevant information, we + ## should delete the log when Tor is started, which we do + ## TODO: + ## in 10-tor.sh. + + ## Example Tor log: + ## Sep 03 10:32:59.000 [warn] Certificate already expired. Either their clock is set wrong, or your clock is wrong. + ## Sep 03 10:32:59.000 [warn] (certificate lifetime runs from Aug 16 00:00:00 2014 GMT through Jul 29 23:59:59 2015 GMT. Your time is Sep 03 10:32:59 2015 UTC.) + + ## The log severity will be "warn" if bootstrapping with + ## authorities and "info" with bridges. + grep "\[\(warn\|info\)\] Certificate \(not yet valid\|already expired\)\." "${TOR_LOG}" | tail -n 1 + if [ "$?" = "0" ]; then + return 0 + else + return 1 + fi +} + +tor_cert_valid_after() { + if [ ! -r "$TOR_LOG" ]; then + return 3 + fi + + ## Only print the last = freshest match + sed -n 's/^.*certificate lifetime runs from \(.*\) through.*$/\1/p' "${TOR_LOG}" | tail -n 1 + + ## Example output: + ## Jun 16 00:00:00 2014 GMT + ## sudo: timestamp too far in the future: Jun 16 00:00:00 2014 GMT + return 0 +} + +user_permission() { + stat -c "%U" "$consensus" +} + +group_permission() { + stat -c "%G" "$consensus" +} + +root_check +variables +parse_cmd_options "$@" diff --git a/overlay/Linux/usr/local/src/helper-scripts/anondate-tester b/overlay/Linux/usr/local/src/helper-scripts/anondate-tester new file mode 100644 index 0000000..d131ab4 --- /dev/null +++ b/overlay/Linux/usr/local/src/helper-scripts/anondate-tester 
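Review bot: `has_consensus` still does `exit 4` when the consensus file is unreadable, while this version switches the sibling helpers (`current_time_is_in_valid_range`, `tor_cert_lifetime_invalid`, `tor_cert_valid_after`) from `exit` to `return` and lets `parse_cmd_options` do the `exit "$?"`; `return 4` keeps the same exit status for callers and removes the one remaining function-level exit. The new `echo "USAGE: $0 $USAGE"` at the end of `parse_cmd_options` goes to stdout right before `exit 1`; usage printed on error conventionally goes to stderr, `echo "USAGE: $0 $USAGE" >&2`. `show-valid-after` and `show-valid-until` pass `${consensus}` to sed unquoted; `"${consensus}"` matches how `has_consensus` already quotes it. `root_check` runs before any option is parsed, so even the usage message requires root — if that is intended, a one-line comment above the three trailing calls would save the next reader the question.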
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+export TOR_LOG="/var/log/tor/log"
+export TOR_DIR=/var/lib/tor/data
+
+cmd_item_list=(
+"--has-consensus"
+"--current-time-in-valid-range"
+"--show-valid-after"
+"--show-valid-until"
+"--show-middle-range"
+"--tor-cert-lifetime-invalid"
+"--tor-cert-valid-after"
+)
+
+for cmd_item in ${cmd_item_list[@]} ; do
+ output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)"
+ exit_code="$?"
+ if [ $exit_code -eq 0 ] ; then
+ echo "INFO: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
+ echo "output: $output"
+ else
+ echo "WARN: /usr/local/lib64/helper-scripts/anondate $cmd_item $@"
+ echo -n "exit_code: $exit_code "
+ echo "output: $output"
+ fi
+done
diff --git a/overlay/Linux/usr/local/src/helper-scripts/anondate-tester.diff b/overlay/Linux/usr/local/src/helper-scripts/anondate-tester.diff
new file mode 100644
index 0000000..d01123c
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/anondate-tester.diff
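Review bot: The loop header `for cmd_item in ${cmd_item_list[@]}` and the pass-through `$@` in the anondate invocation and in the two echo lines are unquoted, so any argument containing whitespace is word-split before it reaches anondate; `for cmd_item in "${cmd_item_list[@]}" ; do` and `"$@"` preserve the arguments as given. The tester calls `/usr/local/lib64/helper-scripts/anondate` while this commit places the script under `/usr/local/src/helper-scripts/`; if the lib64 path is where the role deploys it, a comment naming that would help, otherwise the path looks stale. The `exit_code="$?"` after the `output="$(...)"` assignment is correct as written (a bare assignment of a command substitution propagates its status), which is worth a short comment since it is a frequently misread idiom.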
@@ -0,0 +1,45 @@ +*** anondate-tester.dst 2015-10-21 00:00:00.000000000 +0000 +--- anondate-tester 2020-12-20 22:02:49.000000000 +0000 +*************** +*** 1,8 **** +--- 1,9 ---- + #!/bin/bash + + export TOR_LOG="/var/log/tor/log" ++ export TOR_DIR=/var/lib/tor/data + + cmd_item_list=( + "--has-consensus" + "--current-time-in-valid-range" + "--show-valid-after" +*************** +*** 11,22 **** + "--tor-cert-lifetime-invalid" + "--tor-cert-valid-after" + ) + + for cmd_item in ${cmd_item_list[@]} ; do +! echo "cmd_item: /usr/local/lib64/helper-scripts/anondate $cmd_item $@" +! output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)" + exit_code="$?" +! echo "output: $output" +! echo "exit_code: $exit_code" +! echo "----------" + done +--- 12,27 ---- + "--tor-cert-lifetime-invalid" + "--tor-cert-valid-after" + ) + + for cmd_item in ${cmd_item_list[@]} ; do +! output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)" + exit_code="$?" +! if [ $exit_code -eq 0 ] ; then +! echo "INFO: /usr/local/lib64/helper-scripts/anondate $cmd_item $@" +! echo "output: $output" +! else +! echo "WARN: /usr/local/lib64/helper-scripts/anondate $cmd_item $@" +! echo -n "exit_code: $exit_code " +! echo "output: $output" +! fi + done diff --git a/overlay/Linux/usr/local/src/helper-scripts/anondate-tester.dst b/overlay/Linux/usr/local/src/helper-scripts/anondate-tester.dst new file mode 100755 index 0000000..346b616 --- /dev/null +++ b/overlay/Linux/usr/local/src/helper-scripts/anondate-tester.dst 
@@ -0,0 +1,22 @@ +#!/bin/bash + +export TOR_LOG="/var/log/tor/log" + +cmd_item_list=( +"--has-consensus" +"--current-time-in-valid-range" +"--show-valid-after" +"--show-valid-until" +"--show-middle-range" +"--tor-cert-lifetime-invalid" +"--tor-cert-valid-after" +) + +for cmd_item in ${cmd_item_list[@]} ; do + echo "cmd_item: /usr/local/lib64/helper-scripts/anondate $cmd_item $@" + output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)" + exit_code="$?" + echo "output: $output" + echo "exit_code: $exit_code" + echo "----------" +done diff --git a/overlay/Linux/usr/local/src/helper-scripts/anondate.diff b/overlay/Linux/usr/local/src/helper-scripts/anondate.diff new file mode 100644 index 0000000..6155cf2 --- /dev/null +++ b/overlay/Linux/usr/local/src/helper-scripts/anondate.diff 
@@ -0,0 +1,307 @@ +*** anondate.dst 2015-10-21 00:00:00.000000000 +0000 +--- anondate-tester 2020-12-20 22:02:49.000000000 +0000 +*************** +*** 1,275 **** + #!/bin/bash + +! ## Copyright (C) Amnesia +! ## Copyright (C) 2014 - 2020 ENCRYPTED SUPPORT LP +! ## See the file COPYING for copying conditions. + +! set -o pipefail +! +! variables() { +! [ -n "$TOR_RC" ] || TOR_RC="/etc/tor/torrc" +! [ -n "$TOR_LOG" ] || TOR_LOG="/run/tor/log" +! [ -n "$TOR_DIR" ] || TOR_DIR="/var/lib/tor" +! [ -n "$TOR_DESCRIPTORS" ] || TOR_DESCRIPTORS="${TOR_DIR}/cached-microdescs" +! [ -n "$NEW_TOR_DESCRIPTORS" ] || NEW_TOR_DESCRIPTORS="${TOR_DESCRIPTORS}.new" +! [ -n "$TOR_CONSENSUS" ] || TOR_CONSENSUS="${TOR_DIR}/cached-microdesc-consensus" +! [ -n "$TOR_UNVERIFIED_CONSENSUS" ] || TOR_UNVERIFIED_CONSENSUS="${TOR_DIR}/unverified-microdesc-consensus" +! [ -n "$DATE_RE" ] || DATE_RE='[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]' +! } +! +! parse_cmd_options() { +! ## Thanks to: +! ## http://mywiki.wooledge.org/BashFAQ/035 +! +! while : +! do +! case $1 in +! --verbose) +! echo "$SCRIPTNAME verbose output..." +! echo "Script running as $(whoami)" +! set -x +! true "$0: $@" +! shift +! ;; +! --has-consensus) +! has_consensus_="true" +! shift +! ;; +! --current-time-in-valid-range) +! current_time_in_valid_range_="true" +! shift +! ;; +! --show-valid-after) +! show_valid_after_="true" +! shift +! ;; +! --show-valid-until) +! show_valid_until_="true" +! shift +! ;; +! --show-middle-range) +! show_middle_range_="true" +! shift +! ;; +! --tor-cert-lifetime-invalid) +! tor_cert_lifetime_invalid_="true" +! shift +! ;; +! --tor-cert-valid-after) +! tor_cert_valid_after_="true" +! shift +! ;; +! --verified-only) +! verified_only_="true" +! shift +! ;; +! --prefer-verified) +! prefer_verified_="true" +! shift +! ;; +! --unverified-only) +! unverified_only_="true" +! shift +! ;; +! --user-permission) +! user_permission_="true" +! shift +! ;; +! 
--group-permission) +! group_permission_="true" +! shift +! ;; +! --) +! shift +! break +! ;; +! -*) +! echo "$SCRIPTNAME unknown option: $1" >&2 +! exit 111 +! ;; +! *) +! break +! ;; +! esac +! done +! +! ## If there are input files (for example) that follow the options, they +! ## will remain in the "$@" positional parameters. +! +! if [ "$verified_only_" = "true" ]; then +! consensus="$TOR_CONSENSUS" +! elif [ "$prefer_verified_" = "true" ]; then +! if [ -e "${TOR_CONSENSUS}" ]; then +! consensus="$TOR_CONSENSUS" +! else +! consensus="$TOR_UNVERIFIED_CONSENSUS" + fi +! elif [ "$unverified_only_" = "true" ]; then +! consensus="$TOR_UNVERIFIED_CONSENSUS" +! else +! consensus="$TOR_CONSENSUS" +! fi +! +! if [ "$has_consensus_" = "true" ]; then +! has_consensus +! exit "$?" +! fi +! if [ "$current_time_in_valid_range_" = "true" ]; then +! current_time_is_in_valid_range +! exit "$?" +! fi +! if [ "$show_valid_after_" = "true" ]; then +! show-valid-after +! exit "$?" +! fi +! if [ "$show_valid_until_" = "true" ]; then +! show-valid-until +! exit "$?" +! fi +! if [ "$show_middle_range_" = "true" ]; then +! show-middle-range +! exit "$?" +! fi +! if [ "$tor_cert_lifetime_invalid_" = "true" ]; then +! tor_cert_lifetime_invalid +! exit "$?" +! fi +! if [ "$tor_cert_valid_after_" = "true" ]; then +! tor_cert_valid_after +! exit "$?" +! fi +! if [ "$user_permission_" = "true" ]; then +! user_permission +! exit "$?" +! fi +! if [ "$group_permission_" = "true" ]; then +! group_permission +! exit "$?" +! fi +! +! echo "No option chosen." 2>&1 +! exit 1 +! } +! +! root_check() { +! if [ "$(id -u)" != "0" ]; then +! echo "ERROR: Must run as root." +! exit 112 +! fi +! } +! +! has_consensus() { +! if [ ! -r "$consensus" ]; then +! exit 4 +! fi +! local grep_exit_code="0" +! grep -qs "^valid-until ${DATE_RE}"'$' "$consensus" || { grep_exit_code="$?" ; true; }; +! if [ "$grep_exit_code" = "0" ]; then +! return 0 +! else +! return 1 +! fi +! } +! +! show-valid-after() { +! 
vstart="$(sed -n "/^valid-after \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1 +! if [ "$show_valid_after_" = "true" ]; then +! echo "$vstart" +! fi +! } +! +! show-valid-until() { +! vend="$(sed -n "/^valid-until \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1 +! if [ "$show_valid_until_" = "true" ]; then +! echo "$vend" +! fi +! } +! +! show-middle-range() { +! show-valid-after +! show-valid-until +! vmid="$(date -ud "${vstart} -0130" +'%F %T')" || exit 1 +! if [ "$show_middle_range_" = "true" ]; then +! echo "$vmid" +! fi +! } +! +! current_time_is_in_valid_range() { +! show-middle-range +! +! ## {{ Sanity Test +! ## Debugging. +! #vend="2099-09-03 09:41:29" +! vendchk="$(date -ud "${vstart} -0300" +'%F %T')" +! if [ ! "${vend}" = "${vendchk}" ]; then +! echo "ERROR: Unexpected valid-until: [${vend}] is not [${vstart} + 3h]" +! exit 1 +! fi +! ## }} Sanity Test +! +! curdate="$(date -u +'%F %T')" +! ## Debugging. +! #curdate="2099-09-03 09:41:29" +! +! vendcons="$(date -ud "${vstart} -0230" +'%F %T')" +! order="${vstart} +! ${curdate} +! ${vendcons}" +! ordersrt="$(echo "${order}" | sort)" +! +! if [ "${order}" = "${ordersrt}" ]; then +! exit 0 +! else +! exit 1 +! fi +! } +! +! tor_cert_lifetime_invalid() { +! if [ ! -r "$TOR_LOG" ]; then +! exit 3 +! fi +! +! ## TODO: +! ## To be sure that we only grep relevant information, we +! ## should delete the log when Tor is started, which we do +! ## TODO: +! ## in 10-tor.sh. +! +! ## Example Tor log: +! ## Sep 03 10:32:59.000 [warn] Certificate already expired. Either their clock is set wrong, or your clock is wrong. +! ## Sep 03 10:32:59.000 [warn] (certificate lifetime runs from Aug 16 00:00:00 2014 GMT through Jul 29 23:59:59 2015 GMT. Your time is Sep 03 10:32:59 2015 UTC.) +! +! ## The log severity will be "warn" if bootstrapping with +! ## authorities and "info" with bridges. +! grep "\[\(warn\|info\)\] Certificate \(not yet valid\|already expired\)\." 
"${TOR_LOG}" | tail -n 1 +! if [ "$?" = "0" ]; then +! return 0 +! else +! return 1 +! fi +! } +! +! tor_cert_valid_after() { +! if [ ! -r "$TOR_LOG" ]; then +! exit 3 +! fi +! +! ## Only print the last = freshest match +! sed -n 's/^.*certificate lifetime runs from \(.*\) through.*$/\1/p' "${TOR_LOG}" | tail -n 1 +! +! ## Example output: +! ## Jun 16 00:00:00 2014 GMT +! ## sudo: timestamp too far in the future: Jun 16 00:00:00 2014 GMT +! } +! +! user_permission() { +! stat -c "%U" "$consensus" +! } +! +! group_permission() { +! stat -c "%G" "$consensus" +! } +! +! root_check +! variables +! parse_cmd_options "$@" +--- 1,27 ---- + #!/bin/bash + +! export TOR_LOG="/var/log/tor/log" +! export TOR_DIR=/var/lib/tor/data + +! cmd_item_list=( +! "--has-consensus" +! "--current-time-in-valid-range" +! "--show-valid-after" +! "--show-valid-until" +! "--show-middle-range" +! "--tor-cert-lifetime-invalid" +! "--tor-cert-valid-after" +! ) +! +! for cmd_item in ${cmd_item_list[@]} ; do +! output="$(/usr/local/lib64/helper-scripts/anondate $cmd_item $@)" +! exit_code="$?" +! if [ $exit_code -eq 0 ] ; then +! echo "INFO: /usr/local/lib64/helper-scripts/anondate $cmd_item $@" +! echo "output: $output" +! else +! echo "WARN: /usr/local/lib64/helper-scripts/anondate $cmd_item $@" +! echo -n "exit_code: $exit_code " +! echo "output: $output" + fi +! done diff --git a/overlay/Linux/usr/local/src/helper-scripts/anondate.dst b/overlay/Linux/usr/local/src/helper-scripts/anondate.dst new file mode 100755 index 0000000..21d4d71 --- /dev/null +++ b/overlay/Linux/usr/local/src/helper-scripts/anondate.dst 
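Review bot: The header of this context diff reads `*** anondate.dst` against `--- anondate-tester`, and its second side (`--- 1,27 ----`) is the body of anondate-tester, not anondate, so the file records a comparison of two unrelated scripts instead of the local changes to anondate. As committed it marks nearly every line changed and shows none of the actual edits visible in the anondate hunk above (the TOR_LOG/TOR_DIR exports, the USAGE text, the exit-to-return changes); regenerating it with `diff -c anondate.dst anondate > anondate.diff` would make it serve its purpose.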
@@ -0,0 +1,275 @@ +#!/bin/bash + +## Copyright (C) Amnesia +## Copyright (C) 2014 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +set -o pipefail + +variables() { + [ -n "$TOR_RC" ] || TOR_RC="/etc/tor/torrc" + [ -n "$TOR_LOG" ] || TOR_LOG="/run/tor/log" + [ -n "$TOR_DIR" ] || TOR_DIR="/var/lib/tor" + [ -n "$TOR_DESCRIPTORS" ] || TOR_DESCRIPTORS="${TOR_DIR}/cached-microdescs" + [ -n "$NEW_TOR_DESCRIPTORS" ] || NEW_TOR_DESCRIPTORS="${TOR_DESCRIPTORS}.new" + [ -n "$TOR_CONSENSUS" ] || TOR_CONSENSUS="${TOR_DIR}/cached-microdesc-consensus" + [ -n "$TOR_UNVERIFIED_CONSENSUS" ] || TOR_UNVERIFIED_CONSENSUS="${TOR_DIR}/unverified-microdesc-consensus" + [ -n "$DATE_RE" ] || DATE_RE='[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9]' +} + +parse_cmd_options() { + ## Thanks to: + ## http://mywiki.wooledge.org/BashFAQ/035 + + while : + do + case $1 in + --verbose) + echo "$SCRIPTNAME verbose output..." + echo "Script running as $(whoami)" + set -x + true "$0: $@" + shift + ;; + --has-consensus) + has_consensus_="true" + shift + ;; + --current-time-in-valid-range) + current_time_in_valid_range_="true" + shift + ;; + --show-valid-after) + show_valid_after_="true" + shift + ;; + --show-valid-until) + show_valid_until_="true" + shift + ;; + --show-middle-range) + show_middle_range_="true" + shift + ;; + --tor-cert-lifetime-invalid) + tor_cert_lifetime_invalid_="true" + shift + ;; + --tor-cert-valid-after) + tor_cert_valid_after_="true" + shift + ;; + --verified-only) + verified_only_="true" + shift + ;; + --prefer-verified) + prefer_verified_="true" + shift + ;; + --unverified-only) + unverified_only_="true" + shift + ;; + --user-permission) + user_permission_="true" + shift + ;; + --group-permission) + group_permission_="true" + shift + ;; + --) + shift + break + ;; + -*) + echo "$SCRIPTNAME unknown option: $1" >&2 + exit 111 + ;; + *) + break + ;; + esac + done + + ## If there are input files (for example) that follow the 
options, they + ## will remain in the "$@" positional parameters. + + if [ "$verified_only_" = "true" ]; then + consensus="$TOR_CONSENSUS" + elif [ "$prefer_verified_" = "true" ]; then + if [ -e "${TOR_CONSENSUS}" ]; then + consensus="$TOR_CONSENSUS" + else + consensus="$TOR_UNVERIFIED_CONSENSUS" + fi + elif [ "$unverified_only_" = "true" ]; then + consensus="$TOR_UNVERIFIED_CONSENSUS" + else + consensus="$TOR_CONSENSUS" + fi + + if [ "$has_consensus_" = "true" ]; then + has_consensus + exit "$?" + fi + if [ "$current_time_in_valid_range_" = "true" ]; then + current_time_is_in_valid_range + exit "$?" + fi + if [ "$show_valid_after_" = "true" ]; then + show-valid-after + exit "$?" + fi + if [ "$show_valid_until_" = "true" ]; then + show-valid-until + exit "$?" + fi + if [ "$show_middle_range_" = "true" ]; then + show-middle-range + exit "$?" + fi + if [ "$tor_cert_lifetime_invalid_" = "true" ]; then + tor_cert_lifetime_invalid + exit "$?" + fi + if [ "$tor_cert_valid_after_" = "true" ]; then + tor_cert_valid_after + exit "$?" + fi + if [ "$user_permission_" = "true" ]; then + user_permission + exit "$?" + fi + if [ "$group_permission_" = "true" ]; then + group_permission + exit "$?" + fi + + echo "No option chosen." 2>&1 + exit 1 +} + +root_check() { + if [ "$(id -u)" != "0" ]; then + echo "ERROR: Must run as root." + exit 112 + fi +} + +has_consensus() { + if [ ! -r "$consensus" ]; then + exit 4 + fi + local grep_exit_code="0" + grep -qs "^valid-until ${DATE_RE}"'$' "$consensus" || { grep_exit_code="$?" 
; true; }; + if [ "$grep_exit_code" = "0" ]; then + return 0 + else + return 1 + fi +} + +show-valid-after() { + vstart="$(sed -n "/^valid-after \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1 + if [ "$show_valid_after_" = "true" ]; then + echo "$vstart" + fi +} + +show-valid-until() { + vend="$(sed -n "/^valid-until \(${DATE_RE}\)"'$/s//\1/p; t q; b; :q q' ${consensus})" || exit 1 + if [ "$show_valid_until_" = "true" ]; then + echo "$vend" + fi +} + +show-middle-range() { + show-valid-after + show-valid-until + vmid="$(date -ud "${vstart} -0130" +'%F %T')" || exit 1 + if [ "$show_middle_range_" = "true" ]; then + echo "$vmid" + fi +} + +current_time_is_in_valid_range() { + show-middle-range + + ## {{ Sanity Test + ## Debugging. + #vend="2099-09-03 09:41:29" + vendchk="$(date -ud "${vstart} -0300" +'%F %T')" + if [ ! "${vend}" = "${vendchk}" ]; then + echo "ERROR: Unexpected valid-until: [${vend}] is not [${vstart} + 3h]" + exit 1 + fi + ## }} Sanity Test + + curdate="$(date -u +'%F %T')" + ## Debugging. + #curdate="2099-09-03 09:41:29" + + vendcons="$(date -ud "${vstart} -0230" +'%F %T')" + order="${vstart} +${curdate} +${vendcons}" + ordersrt="$(echo "${order}" | sort)" + + if [ "${order}" = "${ordersrt}" ]; then + exit 0 + else + exit 1 + fi +} + +tor_cert_lifetime_invalid() { + if [ ! -r "$TOR_LOG" ]; then + exit 3 + fi + + ## TODO: + ## To be sure that we only grep relevant information, we + ## should delete the log when Tor is started, which we do + ## TODO: + ## in 10-tor.sh. + + ## Example Tor log: + ## Sep 03 10:32:59.000 [warn] Certificate already expired. Either their clock is set wrong, or your clock is wrong. + ## Sep 03 10:32:59.000 [warn] (certificate lifetime runs from Aug 16 00:00:00 2014 GMT through Jul 29 23:59:59 2015 GMT. Your time is Sep 03 10:32:59 2015 UTC.) + + ## The log severity will be "warn" if bootstrapping with + ## authorities and "info" with bridges. 
+ grep "\[\(warn\|info\)\] Certificate \(not yet valid\|already expired\)\." "${TOR_LOG}" | tail -n 1
+ if [ "$?" = "0" ]; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+tor_cert_valid_after() {
+ if [ ! -r "$TOR_LOG" ]; then
+ exit 3
+ fi
+
+ ## Only print the last = freshest match
+ sed -n 's/^.*certificate lifetime runs from \(.*\) through.*$/\1/p' "${TOR_LOG}" | tail -n 1
+
+ ## Example output:
+ ## Jun 16 00:00:00 2014 GMT
+ ## sudo: timestamp too far in the future: Jun 16 00:00:00 2014 GMT
+}
+
+user_permission() {
+ stat -c "%U" "$consensus"
+}
+
+group_permission() {
+ stat -c "%G" "$consensus"
+}
+
+root_check
+variables
+parse_cmd_options "$@"
diff --git a/overlay/Linux/usr/local/src/helper-scripts/apt-get-update-kill-helper b/overlay/Linux/usr/local/src/helper-scripts/apt-get-update-kill-helper
new file mode 100755
index 0000000..e0efafe
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/apt-get-update-kill-helper
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+kill -s sigterm "$1"
+
+exit 0
diff --git a/overlay/Linux/usr/local/src/helper-scripts/apt-get-update-simulate b/overlay/Linux/usr/local/src/helper-scripts/apt-get-update-simulate
new file mode 100755
index 0000000..f107e97
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/apt-get-update-simulate
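Review bot: `kill -s sigterm "$1"` is followed by an unconditional `exit 0`, so a caller cannot distinguish a delivered signal from a failed one, and `$1` is used without any check that it is a PID (an empty or non-numeric argument makes kill print an error while the script still reports success). The neighbouring apt-get-update-simulate documents a sudoers exception for these apt-get helpers; if this one is reachable the same way, a guard such as `[[ "$1" =~ ^[0-9]+$ ]] || exit 1` before the kill plus `exit "$?"` after it keeps the helper limited to its purpose and makes failures visible. If the fixed `exit 0` is deliberate, a comment saying why would spare the next reader the question.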
@@ -0,0 +1,37 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Required to run apt-get dist-upgrade --simulate as user (non-root). +## Required for whonixcheck function check_operating_system. +## Exception to run /usr/bin/apt-get-update as user +## is defined in /etc/sudoers.d/. + +sigterm_trap() { + if [ "$lastpid" = "" ]; then + exit 0 + fi + ps -p "$lastpid" >/dev/null 2>&1 + if [ ! "$?" = "0" ]; then + ## Already terminated. + exit 0 + fi + kill -s sigterm "$lastpid" + exit "$?" +} + +trap "sigterm_trap" SIGTERM SIGINT + +timeout_after="10" +kill_after="5" + +timeout \ + --kill-after="$kill_after" \ + "$timeout_after" \ + apt-get dist-upgrade --simulate & + +lastpid="$!" +wait "$lastpid" + +exit "$?" diff --git a/overlay/Linux/usr/local/src/helper-scripts/bashrc-terminal-emulator b/overlay/Linux/usr/local/src/helper-scripts/bashrc-terminal-emulator new file mode 100755 index 0000000..34ec44b --- /dev/null +++ b/overlay/Linux/usr/local/src/helper-scripts/bashrc-terminal-emulator @@ -0,0 +1,32 @@ +#!/bin/bash + +## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## This script gets `source`ed. +## Using both 'return 0' and 'exit 0' to support both, `source`ing as well as +## executing this script. + +if [ -z "$PS1" ]; then + true "If not running interactively, don't do anything." + return 0 + exit 0 +fi + +shopt -q login_shell +var="$?" +if [ "$var" = "0" ]; then + true "running in a login shell, don't do anything." + ## Login shells are greeted by /etc/motd. + return 0 + exit 0 +fi + +## We run in a terminal emulator. + +if ! test -d /etc/update-motd.d ; then + return 0 + exit 0 +fi + +run-parts /etc/update-motd.d || true diff --git a/overlay/Linux/usr/local/src/helper-scripts/first-boot-skel b/overlay/Linux/usr/local/src/helper-scripts/first-boot-skel new file mode 100755 index 0000000..a7b39e8 --- /dev/null 
+++ b/overlay/Linux/usr/local/src/helper-scripts/first-boot-skel 
@@ -0,0 +1,111 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +set -x +set -e + +if command -v qubesdb-read >/dev/null 2>&1 ; then + qubes_vm_type="$(qubesdb-read /qubes-vm-type)" +fi + +cache_folder="/var/cache/anon-base-files" + +if [ "$qubes_vm_type" = "TemplateVM" ]; then + ## Separate done file for Qubes TemplateVMs to make this work with the + ## current home folder population for Qubes DispVMs. + ## https://github.com/QubesOS/qubes-core-agent-linux/blob/f380c346cf9af3f058b8ece853d7d4a5ece28815/misc/dispvm-prerun.sh#L6-L12 + done_file="$cache_folder/first-boot-skel.TemplateVM.done" +else + ## Non-Qubes-Whonix or non-Qubes TemplateVMs + done_file="$cache_folder/first-boot-skel.done" +fi + +if [ -e "$done_file" ]; then + exit 0 +fi + +user_name="user" +home_dir="/home/$user_name" + +if [ ! -d "$home_dir" ]; then + exit 0 +fi + +skel_folder="/etc/skel" + +if [ ! -d "$skel_folder" ]; then + exit 0 +fi + +pushd "$skel_folder" + +mkdir -p "$cache_folder" + +shopt -s dotglob +shopt -s nullglob + +for fso in ./* ; do + true "fso: $fso" + ## Technically below for 'cp' it would also be possible to use '$fso' rather + ## than '$fso_basename', but the latter produces a prettier xtrace. + fso_basename="${fso##*/}" + if [ ".bashrc" = "$fso_basename" ]; then + ## We do not need /home/user/.bashrc. + ## /home/user/.bashrc is handled below. + continue + fi + if [ ".bashrc.whonix" = "$fso_basename" ]; then + ## We do not need /home/user/.bashrc.whonix. + ## /home/user/.bashrc is handled below. + continue + fi + if [ ".bashrc.whonix-orig" = "$fso_basename" ]; then + ## We do not need /home/user/.bashrc.whonix-orig. + ## /home/user/.bashrc is handled below. 
+ continue + fi + if [ -d "$fso" ]; then + true "folder: yes" + cp --verbose --no-clobber --archive --parents --recursive "$fso_basename" "$home_dir" + chown --changes --recursive "$user_name:$user_name" "$home_dir/$fso_basename" + else + true "folder: no" + ## Require '--dereference' otherwise the 'chown' below could fail. + cp --verbose --no-clobber --archive --dereference "$fso_basename" "$home_dir" + chown --changes "$user_name:$user_name" "$home_dir/$fso_basename" + fi +done + +if [ ! -f "$skel_folder/.bashrc.whonix-orig" ]; then + touch "$done_file" + exit 0 +fi +if [ ! -f "$skel_folder/.bashrc.whonix" ]; then + touch "$done_file" + exit 0 +fi +if [ ! -f "$skel_folder/.bashrc" ]; then + touch "$done_file" + exit 0 +fi + +if diff "$skel_folder/.bashrc.whonix" "$home_dir/.bashrc" >/dev/null ; then + ## no diff found + true "Already using Whonix $skel_folder/.bashrc.whonix. No need to copy $skel_folder/.bashrc.whonix." + touch "$done_file" + exit 0 +fi + +if diff "$skel_folder/.bashrc.whonix-orig" "$home_dir/.bashrc" >/dev/null ; then + ## no diff found + true "Overwriting default $home_dir/.bashrc ( which matches $skel_folder/.bashrc.whonix-orig ) with $skel_folder/.bashrc.whonix." + cp --verbose --archive "$skel_folder/.bashrc.whonix" "$home_dir/.bashrc" + chown --changes "$user_name:$user_name" "$home_dir/.bashrc" +else + ## a diff was found + true "User customized $home_dir/.bashrc. Keeping it." +fi + +touch "$done_file" diff --git a/overlay/Linux/usr/local/src/helper-scripts/leak-tests/exhaustive_ip_send.py b/overlay/Linux/usr/local/src/helper-scripts/leak-tests/exhaustive_ip_send.py new file mode 100755 index 0000000..057383d --- /dev/null +++ b/overlay/Linux/usr/local/src/helper-scripts/leak-tests/exhaustive_ip_send.py 
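Review bot: In the per-entry loop, the non-directory branch runs `chown --changes "$user_name:$user_name" "$home_dir/$fso_basename"` unconditionally after `cp --no-clobber`, so when the destination already exists and cp skips it, root still chowns whatever is at that path — and without `--no-dereference`, a pre-existing symlink there is followed and the ownership change lands on its target rather than on a file inside the home directory. Adding `-h` (`chown --changes --no-dereference "$user_name:$user_name" "$home_dir/$fso_basename"`), or only chowning when the copy actually took place, closes that gap; the directory branch should be less exposed because `chown -R` defaults to not following symlinks, but `-h` there too would be consistent. `pushd "$skel_folder"` has no matching `popd`, which is harmless since every path ends in `exit`, though a comment noting that is intentional would save a reader the check.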
@@ -0,0 +1,24 @@ +#!/usr/bin/python3 -u + +## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +import sys +from scapy.all import * + +#define the target gateway & data payload +target = "scanme.nmap.org" +#target = "45.33.32.156" + +data = "testing" + +#define packet +ip = IP() + +#define packet parameters +ip.dst = target + +#loop through all IP packet types +for ip_type in range(0,255): + ip.proto = ip_type + send(ip/data) diff --git a/overlay/Linux/usr/local/src/helper-scripts/leak-tests/simple_ping.py b/overlay/Linux/usr/local/src/helper-scripts/leak-tests/simple_ping.py new file mode 100755 index 0000000..31101fa --- /dev/null +++ b/overlay/Linux/usr/local/src/helper-scripts/leak-tests/simple_ping.py 
@@ -0,0 +1,61 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+# Since it will be useful to know something about the script,
+# for the later tests, the terms are defined here:
+# (A discussion of Python language structure is beyond
+# the scope of this document)
+
+# [1] http://en.wikipedia.org/wiki/Ipv4
+# [2] http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
+# [3] http://en.wikipedia.org/wiki/IP_routing
+# [4] http://en.wikipedia.org/wiki/Ping
+# [5] http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#List_of_permitted_control_messages_.28incomplete_list.29
+# [6] http://www.secdev.org/projects/scapy/doc/usage.html#send-and-receive-packets-sr
+# [7] http://www.secdev.org/projects/scapy/doc/usage.html#stacking-layers
+
+import sys
+from scapy.all import *
+
+# define the target gateway & data payload
+target = "10.152.152.10"
+#target = "45.33.32.156"
+
+data = "testing"
+
+# define packets
+# These define two variables, that are set to the object types IP
+# and ICMP respectively. These objects in Scapy define the protocol
+# type for IP (default IPv4) [1] and ICMP [2] respectively.
+# And will send packets on the wire of these types when used.
+ip = IP()
+icmp = ICMP()
+
+# define packet parameters
+ip.dst = target
+
+# IP packets are used for routing [3] between networks on the Internet.
+# So, we assign the destination (dst) in the IP portion of the
+# packet we are going to assemble and send out.
+icmp.type = 8
+icmp.code = 0
+
+# Defines the type of ICMP message to send out. The ..8 type.. is
+# a type defined as ..echo request.., e.g. a simple ping [4].
+# See a list here of various types of ICMP [5] messages here.
+
+# The sr1() [6] command will ..send and receive network traffic,
+# returning the 1st packet received...
+# The notation of ..ip/icmp/data.. is the notation for encapsulation
+# of various instances of networking protocols [7].
+# Read it right to left: ..data encapsulated inside an ICMP message
+# and encapsulated inside an IP datagram...
+test_ping = sr1(ip/icmp/data)
+
+if isinstance(test_ping, types.NoneType):
+ print("No response")
+else:
+# Prints a short report on the packet received (if any).
+ test_ping.summary()
diff --git a/overlay/Linux/usr/local/src/helper-scripts/leak-tests/tcp_test.py b/overlay/Linux/usr/local/src/helper-scripts/leak-tests/tcp_test.py
new file mode 100755
index 0000000..a485a46
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/leak-tests/tcp_test.py
@@ -0,0 +1,25 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+import sys
+from scapy.all import *
+
+#define the target gateway & data payload
+target = "scanme.nmap.org"
+#target = "45.33.32.156"
+
+data = "testing"
+
+#define packets
+ip = IP()
+tcp = TCP()
+
+#define packet parameters
+ip.dst = target
+
+#loop through all TCP ports
+for tcp_port in range(0,65535):
+ tcp.dport = tcp_port
+ send(ip/tcp/data)
diff --git a/overlay/Linux/usr/local/src/helper-scripts/leak-tests/udp_test.py b/overlay/Linux/usr/local/src/helper-scripts/leak-tests/udp_test.py
new file mode 100755
index 0000000..cd74a5b
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/leak-tests/udp_test.py
@@ -0,0 +1,25 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+import sys
+from scapy.all import *
+
+#define the target gateway & data payload
+target = "scanme.nmap.org"
+#target = "45.33.32.156"
+
+data = "testing"
+
+#define packets
+ip = IP()
+udp = UDP()
+
+#define packet parameters
+ip.dst = target
+
+#loop through all TCP ports
+for udp_port in range(0,65535):
+ udp.dport = udp_port
+ send(ip/udp/data)
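Review bot: `isinstance(test_ping, types.NoneType)` blows up on exactly the path a leak test is meant to exercise: `types` is never imported in this file (only `sys` and the scapy wildcard are), and `types.NoneType` does not exist before Python 3.10 anyway, so "no response" ends in a NameError instead of the intended message. The idiomatic check is `if test_ping is None:`. Also, `sr1(ip/icmp/data)` has no `timeout=`, so when the gateway correctly drops the probe the script appears to block rather than report — a bounded `sr1(ip/icmp/data, timeout=...)` would let it finish on its own; worth confirming against how the test is meant to be run.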
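Review bot: `for tcp_port in range(0,65535):` never reaches port 65535, so `#loop through all TCP ports` is off by one; `range(65536)` covers the full 16-bit range (port 0 is included, which is fine for a leak probe but deserves a word in the comment). As in the sibling scripts, `import sys` is unused. Each iteration calls `send()` with an `IP()` object that carries no explicit `id`/`ttl`, so the probes look alike apart from `dport`; that is acceptable for a leak test, but a comment stating the intent ("any packet reaching the target means a leak") would help the next reader.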
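Review bot: The comment `#loop through all TCP ports` above the UDP loop was copied from tcp_test.py and should read `#loop through all UDP ports`; the same off-by-one is present, since `range(0,65535)` skips port 65535 — use `range(65536)`. The three port/protocol sweepers differ only in the layer they build, so the shared header, target and loop could live in one helper, but given they are standalone teaching scripts that is a matter of taste. `import sys` is unused here as well.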
diff --git a/overlay/Linux/usr/local/src/helper-scripts/pkg_manager_running_check b/overlay/Linux/usr/local/src/helper-scripts/pkg_manager_running_check
new file mode 100755
index 0000000..9bc074b
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/pkg_manager_running_check
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+check_package_manager_running_helper() {
+ if [ -f "/run/package_manager_lock" ]; then
+ check_apt_get_exit_code="/run/package_manager_lock exists."
+ package_manager_waiting_msg="Lock file \
+/run/package_manager_lock exists. Waiting for it to be removed..."
+ package_manager_waiting_msg_x="$package_manager_waiting_msg"
+ return 0
+ fi
+
+ local fuser_exit_code
+ fuser_exit_code=0
+ sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock &>/dev/null || { fuser_exit_code="$?" ; true; };
+
+ ## If a package manager is running:
+ ## sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock ; echo $?
+ ## /var/lib/dpkg/lock: 15601
+ ## /var/cache/apt/archives/lock: 15601
+ ## 0
+ ##
+ ## If no package manager is running:
+ ## sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock ; echo $?
+ ## 1
+
+ if [ "$fuser_exit_code" = "0" ]; then
+ check_apt_get_exit_code="1"
+ else
+ check_apt_get_exit_code="0"
+ fi
+
+ if [ ! "$check_apt_get_exit_code" = "0" ]; then
+ ## package_manager_waiting_msg used by cli-only applications.
+ package_manager_waiting_msg="A package manager (such as apt-get) is currently running. Waiting for it to finish...
+
+If you are not aware of any package mangers running, exit now, find out if there are any issues with dpkg or apt-get. Run in the terminal for example:
+sudo dpkg --audit
+sudo dpkg --configure -a
+sudo apt-get dist-upgrade
+
+Technical Info:
+\"sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock\" exit code: $fuser_exit_code"
+ ## package_manager_waiting_msg_x used applications using msgcollector.
+ package_manager_waiting_msg_x="

A package manager (such as apt-get) is currently running. Waiting for it to finish... +

+If you are not aware of any package mangers running, exit now, find out if there are any issues with dpkg or apt-get. Run in the terminal for example: +sudo dpkg --audit +sudo dpkg --configure -a +sudo apt-get dist-upgrade +

+Technical Info: +\"sudo --non-interactive fuser /var/lib/dpkg/lock /var/cache/apt/archives/lock\" exit code: $fuser_exit_code

"
+ else
+ package_manager_waiting_msg="No package manger currently running. \
+You should not see this message. Please report this bug!"
+ package_manager_waiting_msg_x="$package_manager_waiting_msg"
+ fi
+}
diff --git a/overlay/Linux/usr/local/src/helper-scripts/pre.bsh b/overlay/Linux/usr/local/src/helper-scripts/pre.bsh
new file mode 100755
index 0000000..d8b6542
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/pre.bsh
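Review bot: A failing `sudo --non-interactive` is indistinguishable from "no package manager running": sudo exits non-zero when it would need a password or is not permitted, and the branch `if [ "$fuser_exit_code" = "0" ]; then ... else check_apt_get_exit_code="0"` maps every non-zero status to "safe to proceed", so a caller without passwordless sudo is told the lock is free while dpkg may well hold it. The inline comment documents fuser's own "nothing found" status as 1, so the else branch could be narrowed to that value, e.g. `elif [ "$fuser_exit_code" = "1" ]; then check_apt_get_exit_code="0"; else check_apt_get_exit_code="$fuser_exit_code"` with a message saying the check itself failed. The user-facing strings also misspell "package mangers" (twice) and "package manger"; since these are shown verbatim to users, they are worth fixing in the same change.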
@@ -0,0 +1,276 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## The idea of this bash fragment is:
+## Say nothing, if everything goes well, but dump everything on error.
+
+## It allows to easily look inside the xtrace of a (Debian maintainer) script,
+## when the DEBDEBUG environment variable is set to 1.
+
+## To use it in other scripts, use something like this:
+# if [ -f /usr/local/lib64/helper-scripts/pre.bsh ]; then
+# source /usr/local/lib64/helper-scripts/pre.bsh
+# fi
+
+## Error log:
+## - implement trap ERR if function errorhandlergeneral does not exist
+## - implements a simple error handler if non exists
+## - run silent by default
+## - write xtrace to temporary log
+## - show full xtrace on unexpected non-zero exit code
+## - show exit code on unexpected non-zero exit code
+## - run syntax check "bash -n" on this script
+## - run syntax check "bash -n" on the script that sourced this script
+
+## DEBDEBUG:
+##
+## enable xtrace (-x) for maintainer script when DEBDEBUG environment
+## variable is set to 1.
+## For example:
+## sudo DEBDEBUG=1 dpkg -i /path/to/package.deb
+
+## SKIP_SCRIPTS
+##
+## The SKIP_SCRIPTS environment variable to skip scripts by name
+## For example:
+## sudo DEBDEBUG=1 SKIP_SCRIPTS=" security-misc.postinst " dpkg -i /path/to/package.deb
+##
+## another example:
+##
+## export DEBDEBUG=1
+## export SKIP_SCRIPTS+=" security-misc.postinst "
+## sudo -E dpkg -i /path/to/package.deb
+
+## Colorful output: provides color function
+
+## Shell options: enables errtrace
+
+## Configuration Folders
+##
+## For example if the name of the package is 'security-misc':
+## - /etc/security-misc_maint.d/*.conf
+## - /usr/local/etc/security-misc_maint.d/*.conf
+##
+## For example if the name of the script is 'panic-on-oops':
+## - /etc/panic-on-oops_pre.d/*.conf
+## - /usr/local/etc/panic-on-oops_pre.d/*.conf
+
+## {{{ pre.bsh 1.0
+
+## bash script fragment
+
+colors() {
+ if [ "$TERM" = "" ]; then
+ return 0
+ fi
+
+ ## Thanks to:
+ ## http://mywiki.wooledge.org/BashFAQ/037
+ ## Variables for terminal requests.
+ [[ -t 2 ]] && { + alt=$( tput smcup || tput ti ) # Start alt display + ealt=$( tput rmcup || tput te ) # End alt display + hide=$( tput civis || tput vi ) # Hide cursor + show=$( tput cnorm || tput ve ) # Show cursor + save=$( tput sc ) # Save cursor + load=$( tput rc ) # Load cursor + bold=$( tput bold || tput md ) # Start bold + stout=$( tput smso || tput so ) # Start stand-out + estout=$( tput rmso || tput se ) # End stand-out + under=$( tput smul || tput us ) # Start underline + eunder=$( tput rmul || tput ue ) # End underline + reset=$( tput sgr0 || tput me ) # Reset cursor + blink=$( tput blink || tput mb ) # Start blinking + italic=$( tput sitm || tput ZH ) # Start italic + eitalic=$( tput ritm || tput ZR ) # End italic + [[ $TERM != *-m ]] && { + red=$( tput setaf 1|| tput AF 1 ) + green=$( tput setaf 2|| tput AF 2 ) + yellow=$( tput setaf 3|| tput AF 3 ) + blue=$( tput setaf 4|| tput AF 4 ) + magenta=$( tput setaf 5|| tput AF 5 ) + cyan=$( tput setaf 6|| tput AF 6 ) + } + white=$( tput setaf 7|| tput AF 7 ) + default=$( tput op ) + eed=$( tput ed || tput cd ) # Erase to end of display + eel=$( tput el || tput ce ) # Erase to end of line + ebl=$( tput el1 || tput cb ) # Erase to beginning of line + ewl=$eel$ebl # Erase whole line + draw=$( tput -S <<< ' enacs + smacs + acsc + rmacs' || { \ + tput eA; tput as; + tput ac; tput ae; } ) # Drawing characters + back=$'\b' + } 2>/dev/null ||: +} + +source_config_folder() { + ## dpkg sets environment variables + ## example: + ## DPKG_MAINTSCRIPT_PACKAGE=security-misc + + if [ "$DPKG_MAINTSCRIPT_PACKAGE" = "" ]; then + pre_bsh_settings_folder="${own_filename}_pre.d" + else + pre_bsh_settings_folder="${DPKG_MAINTSCRIPT_PACKAGE}_maint.d" + fi + + ## example: + ## pre_bsh_settings_folder=security-misc_maint.d + + shopt -s nullglob + local i + + ## example: + ## /etc/panic-on-oops_pre.d/*.conf + ## /usr/local/etc/panic-on-oops_pre.d/*.conf + + true "folder 1: /etc/${pre_bsh_settings_folder}/*.conf" + true "folder 2: 
/usr/local/etc/${pre_bsh_settings_folder}/*.conf"
+
+ for i in /etc/${pre_bsh_settings_folder}/*.conf /usr/local/etc/${pre_bsh_settings_folder}/*.conf; do
+ bash_n_exit_code="0"
+ bash_n_output="$(bash -n "$i" 2>&1)" || { bash_n_exit_code="$?" ; true; };
+ if [ ! "$bash_n_exit_code" = "0" ]; then
+ force_output "Invalid config file: $i
+ bash_n_exit_code: $bash_n_exit_code
+ bash_n_output:
+ $bash_n_output" >&2
+ rm -f "$TEMP_FILE_PRE_BSH"
+ exit 1
+ fi
+ source "$i"
+ done
+ shopt -u nullglob
+}
+
+check_scripts_to_skip() {
+ local skip_script
+ for skip_script in $SKIP_SCRIPTS; do
+ if [ "$skip_script" = "$own_filename" ]; then
+ force_output "INFO: Skipping $own_filename, because SKIP_SCRIPTS includes it."
+ rm -f "$TEMP_FILE_PRE_BSH"
+ exit 0
+ fi
+ done
+}
+
+disable_echo() {
+ if [ "$disabled_echo" = "true" ]; then
+ return 0
+ fi
+ exec 5>&1 1>> "$TEMP_FILE_PRE_BSH"
+ exec 6>&2 2>> "$TEMP_FILE_PRE_BSH"
+ disabled_echo=true
+}
+
+enable_echo() {
+ if [ "$disabled_echo" = "true" ]; then
+ exec 1>&5
+ exec 2>&6
+ disabled_echo=false
+ fi
+}
+
+force_output() {
+ if [ "$disabled_echo" = "true" ]; then
+ redisable_echo="true"
+ enable_echo
+ fi
+ echo "$@"
+ if [ "$redisable_echo" = "true" ]; then
+ disable_echo
+ fi
+}
+
+error_handler_pre() {
+ local exit_code="$?"
+ local last_err="$BASH_COMMAND"
+
+ if [ ! "$DEBDEBUG" = "1" ]; then
+ local output
+ output="$(cat "$TEMP_FILE_PRE_BSH")"
+ fi
+
+ if [ "$output" = "" ]; then
+ output="## See above."
+ fi
+
+ force_output "
+####################################################################
+## ${red}${bold}BEGIN ERROR in $0 detected!${reset}
+##
+## ${under}ERROR LOG${reset}:
+$output
+##
+## ${under}BASH_COMMAND${reset}: $BASH_COMMAND
+## ${under}EXIT_CODE${reset}: $exit_code
+##
+## ${red}${bold}END ERROR in $0 detected!${reset}
+## ${red}${bold}Please report this bug!${reset}
+####################################################################
+" 1>&2
+
+ rm -f "$TEMP_FILE_PRE_BSH"
+ exit 1
+}
+
+## config-package-dev doesn't like 'set -o pipefail'
+## http://mailman.mit.edu/pipermail/config-package-dev/2015-May/000041.html
+#set -o pipefail
+
+set -o errtrace
+
+TEMP_FILE_PRE_BSH="$(mktemp)"
+
+if test -o xtrace ; then
+ true "INFO: Setting DEBDEBUG to 1, because xtrace (-x) is set."
+ DEBDEBUG="1"
+fi
+
+if [ "$DEBDEBUG" = "1" ]; then
+ set -x
+fi
+
+if [ "$disable_echo" = "true" ]; then
+ disable_echo
+fi
+
+colors
+
+## {{ Set up error handler.
+if [ "$(type -t errorhandlergeneral)" = "function" ]; then
+ ## Function errorhandlergeneral exists (declared in
+ ## help-steps/pre). Prefer to use the more feature rich version of the error
+ ## handler.
+ trap "errorhandlergeneral" ERR
+else
+ ## Function errorhandlergeneral does not exist.
+
+ ## Check if any trap is already declared.
+ if [ "$(trap -p ERR)" = "" ]; then
+ ## No trap exist yet.
+ ## Fall back to a simpler error handler.
+ trap "error_handler_pre" ERR
+ fi
+fi
+## }}
+
+## syntax check this script
+bash -n "$BASH_SOURCE"
+
+## syntax check script that sourced this script
+bash -n "$0"
+
+own_filename="${0##*/}"
+
+source_config_folder
+
+check_scripts_to_skip
+
+## }}}
diff --git a/overlay/Linux/usr/local/src/helper-scripts/repair_torrc.py b/overlay/Linux/usr/local/src/helper-scripts/repair_torrc.py
new file mode 100755
index 0000000..c1880c2
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/repair_torrc.py
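Review bot: `source_config_folder` executes every `*.conf` under `/etc/<pkg>_maint.d/` and `/usr/local/etc/<pkg>_maint.d/` as shell code, and per the header comments this fragment is sourced from dpkg maintainer scripts, i.e. as root; the only gate before `source "$i"` is a `bash -n` syntax check, with no check that the file is root-owned and not group/world-writable. An ownership and mode test just before the `source` line, e.g. `[ "$(stat -c '%u' "$i")" = "0" ] || { force_output "Refusing non-root-owned config: $i" >&2; exit 1; }` plus a rejection of modes with group/other write bits, would close that hole at little cost; whether `/usr/local/etc` is considered trusted on these systems is a policy question I cannot settle from here. Separately, `TEMP_FILE_PRE_BSH="$(mktemp)"` is removed only on the error, invalid-config and skip paths, so a script that completes normally leaves one stdout/stderr capture file behind per run unless the sourcing script cleans it up; the mktemp result is also not checked for failure.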
@@ -0,0 +1,77 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2018 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+import os
+
+whonix = os.path.exists('/usr/share/anon-gw-base-files/gateway')
+if whonix:
+ torrc_file_path = '/usr/local/etc/torrc.d/40_tor_control_panel.conf'
+ torrc_user_file_path = '/usr/local/etc/torrc.d/50_user.conf'
+else:
+ torrc_file_path = '/etc/torrc.d/40_tor_control_panel.conf'
+ torrc_user_file_path = '/etc/torrc.d/50_user.conf'
+
+torrc_text = '# Do not edit this file!\n\
+# Please add modifications to the following file instead:\n'
+
+user_text = '# Tor user specific configuration file\n\
+#\n\
+# Add user modifications below this line:\n\
+############################################\n'
+
+'''Guarantee the existence of /etc/torrc.d/
+and the existence of /usr/local/etc/torrc.d/ if required.
+'''
+if not os.path.exists('/etc/torrc.d/'):
+ os.makedirs('/etc/torrc.d/')
+if whonix and not os.path.exists('/usr/local/etc/torrc.d/'):
+ os.makedirs('/usr/local/etc/torrc.d/')
+
+'''Guarantee the existence of:
+1. /etc/torrc.d/95_whonix.conf
+2. /etc/tor/torrc
+3. "%include /etc/torrc.d/95_whonix.conf" line in /etc/tor/torrc file
+
+In addition, we create 40_tor_control_panel.conf
+and 50_user.conf here if they do not exist.
+'''
+whonix_torrcd_path = '/etc/torrc.d/95_whonix.conf'
+
+if not os.path.exists('/etc/tor/torrc'):
+ with open('/etc/tor/torrc', "w+") as f:
+ if whonix:
+ f.write('%include {0}\n'.format(whonix_torrcd_path))
+ else:
+ f.write('%include {0}\n'.format(torrc_file_path))
+ f.write('%include {0}\n'.format(torrc_user_file_path))
+
+else:
+ torrcd_line_exists = 'include /etc/torrc.d' in open('/etc/tor/torrc', "r").read()
+ if not torrcd_line_exists:
+ with open('/etc/tor/torrc', "a") as f:
+ if whonix:
+ f.write('%include {0}\n'.format(whonix_torrcd_path))
+ else:
+ f.write('%include {0}\n'.format(torrc_file_path))
+ f.write('%include {0}\n'.format(torrc_user_file_path))
+
+if whonix and not os.path.exists(whonix_torrcd_path):
+ with open(whonix_torrcd_path, "w+") as f:
+ f.write('%include {0}\n'.format(torrc_file_path))
+ f.write('%include {0}\n'.format(torrc_user_file_path))
+
+torrc_text = '%s# %s\n' % (torrc_text, torrc_user_file_path)
+if not whonix:
+ torrc_text = (torrc_text +
+ 'Log notice file /run/tor/log\n')
+
+if not os.path.exists(torrc_file_path):
+ with open(torrc_file_path, "w+") as f:
+ f.write(torrc_text)
+
+if not os.path.exists(torrc_user_file_path):
+ with open(torrc_user_file_path, "w+") as f:
+ f.write(user_text)
+
diff --git a/overlay/Linux/usr/local/src/helper-scripts/settings_echo b/overlay/Linux/usr/local/src/helper-scripts/settings_echo
new file mode 100755
index 0000000..134d757
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/settings_echo
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+set -e
+
+## provides: check_tor_bootstrap_helper_variables
+source /usr/local/lib64/helper-scripts/tor_bootstrap_check.bsh
+
+check_tor_bootstrap_helper_variables
+
+echo "\
+GATEWAY_IP=\"$GATEWAY_IP\"
+gateway_control_port=\"$gateway_control_port\""
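Review bot: The `%include` detection `torrcd_line_exists = 'include /etc/torrc.d' in open('/etc/tor/torrc', "r").read()` is a plain substring test, so a commented-out `#%include /etc/torrc.d/...` line (or the path appearing in any comment) satisfies it, the append is skipped, and the drop-in directory — including the `50_user.conf` created further down — is never loaded by Tor. A line-based check inside a context manager fixes both that and the file handle the expression leaves open: `with open('/etc/tor/torrc') as f: torrcd_line_exists = any(l.strip().startswith('%include /etc/torrc.d') for l in f)`. The new directories and `.conf` files are created with `os.makedirs` and `open(..., "w+")`, so their permissions are whatever the caller's umask yields; since these are Tor configuration files, passing an explicit mode or documenting the expected umask would make the result deterministic.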
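Review bot: The output `GATEWAY_IP=\"$GATEWAY_IP\"` / `gateway_control_port=\"$gateway_control_port\"` is shell-assignment syntax, and neither value is validated before printing — `GATEWAY_IP` may come straight from the environment or from `qubesdb-read` per the sourced `tor_bootstrap_check.bsh` — so a value containing `"` or `$` would corrupt or extend whatever later sources the generated file (settings_environment_file_update in this same commit writes it to /run). Because the intended values are an IPv4 address and a port number, a shape check before the `echo`, e.g. `[[ "$GATEWAY_IP" =~ ^[0-9.]+$ && "$gateway_control_port" =~ ^[0-9]+$ ]] || exit 1`, or emitting them with `printf 'GATEWAY_IP=%q\n'`, would keep the file safe to source. Whether any consumer actually sources it as shell is not visible here, so treat this as a hardening suggestion.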
diff --git a/overlay/Linux/usr/local/src/helper-scripts/settings_echo.dst b/overlay/Linux/usr/local/src/helper-scripts/settings_echo.dst
new file mode 100755
index 0000000..6c04818
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/settings_echo.dst
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+set -e
+
+## provides: check_tor_bootstrap_helper_variables
+source /usr/local/lib/helper-scripts/tor_bootstrap_check.bsh
+
+check_tor_bootstrap_helper_variables
+
+echo "\
+GATEWAY_IP=\"$GATEWAY_IP\"
+gateway_control_port=\"$gateway_control_port\""
diff --git a/overlay/Linux/usr/local/src/helper-scripts/settings_environment_file_update b/overlay/Linux/usr/local/src/helper-scripts/settings_environment_file_update
new file mode 100755
index 0000000..2d3f452
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/settings_environment_file_update
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+## Copyright (C) 2017 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+set -e
+
+/usr/local/lib64/helper-scripts/settings_echo > /run/helper-scripts/settings_environment_file
diff --git a/overlay/Linux/usr/local/src/helper-scripts/settings_environment_file_update.dst b/overlay/Linux/usr/local/src/helper-scripts/settings_environment_file_update.dst
new file mode 100755
index 0000000..ebe7d00
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/settings_environment_file_update.dst
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+## Copyright (C) 2017 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+set -e
+
+/usr/local/lib/helper-scripts/settings_echo > /run/helper-scripts/settings_environment_file
diff --git a/overlay/Linux/usr/local/src/helper-scripts/te_pe_tb_check b/overlay/Linux/usr/local/src/helper-scripts/te_pe_tb_check
new file mode 100755
index 0000000..9f94f88
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/te_pe_tb_check
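Review bot: `settings_echo > /run/helper-scripts/settings_environment_file` truncates the target before `settings_echo` has produced a byte, so any concurrent reader can observe an empty or half-written settings file, and with `set -e` the redirection itself aborts the script if `/run/helper-scripts/` has not been created yet (nothing in this file creates it). Writing to a temporary file in the same directory and renaming it into place makes the update atomic and self-sufficient; the `.dst` twin in this commit differs only in the `lib` vs `lib64` path and needs the same treatment.
```shell
mkdir -p /run/helper-scripts
tmp="$(mktemp /run/helper-scripts/.settings_environment_file.XXXXXX)"
/usr/local/lib64/helper-scripts/settings_echo > "$tmp"
mv -f -- "$tmp" /run/helper-scripts/settings_environment_file
```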
@@ -0,0 +1,233 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Exit codes of this script get interpreted by sdwdate.
+## exit 0
+## exit 1: wait, retry and warning icon
+## exit 2: wait, retry and error icon
+
+set -o pipefail
+set -e errtrace
+
+error_handler() {
+ local exit_code="$?"
+ echo "\
+BASH_COMMAND: $BASH_COMMAND
+exit_code: $exit_code"
+}
+
+trap "error_handler" ERR
+
+source /usr/local/lib64/helper-scripts/tor_enabled_check
+source /usr/local/lib64/helper-scripts/pkg_manager_running_check
+source /usr/local/lib64/helper-scripts/tor_bootstrap_check.bsh
+
+te_pe_tb_check() {
+ if [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
+ VM="Gateway"
+ elif [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
+ VM="Workstation"
+ else
+ VM="Could not determine if this is gateway or workstation. Please report this bug."
+ fi
+
+ clock_causes="\
+

Possible causes:
+- The host clock is wrong -> shut down the VM, fix the clock in the host and restart the VM.
+- The VM clock is wrong -> manually fix the clock. Restart Tor if necessary. Then restart sdwdate.
+- A host clock attack succeeded.
+- A hardware issue (for example bios clock issues).
"
+
+ ## Debugging.
+ true "$FUNCNAME: CURL: $CURL"
+ true "$FUNCNAME: LD_PRELOAD: $LD_PRELOAD"
+
+ if [ -e /usr/share/timesanitycheck/shared ]; then
+ ## provides: time_sanity_check
+ ## sets: time_sanity_check_exit_code
+ ## sets: time_sanity_check_msg_static
+ source /usr/share/timesanitycheck/shared
+ time_sanity_check
+ if [ "$time_sanity_check_exit_code" = "0" ]; then
+ echo "$time_sanity_check_msg_static" >&2
+ else
+ echo "$time_sanity_check_msg_static
+$clock_causes"
+ timesanitycheck_static_timestamp_based_failed="true"
+ if [ "$VM" = "Gateway" ]; then
+ exit 1
+ fi
+ fi
+ fi
+
+ ## Sets: TOR_ENABLED
+ check_tor_enabled_do
+
+ if [ "$TOR_ENABLED" = "1" ]; then
+ ## Ok.
+ true
+ else
+ if [ -f /usr/share/whonix/marker ]; then
+ echo "Tor is disabled. Please enable Tor using whonixsetup.
\ +Start Menu -> System -> Anon Connection Wizard or in Terminal: sudo whonixsetup" + else + echo "Tor is disabled. Please enable Tor in the Tor config." + fi + + exit 1 + fi + + ## sets: check_apt_get_exit_code + ## sets: package_manager_waiting_msg + #check_package_manager_running_helper ## pkg_manager_running_check + #if [ "$check_apt_get_exit_code" = "0" ]; then + #true "Package manager not busy, ok." + #else + #echo "$package_manager_waiting_msg" + + #exit 2 + #fi + + ## sets: check_bootstrap_helper_script + ## sets: lastpid + ## sets: tor_bootstrap_percent + ## sets: tor_bootstrap_status + check_tor_circuit_established ## tor_bootstrap_check.bsh + + ## $tor_circuit_established_check_exit_code on timeout returns: + ## - 124 if sigterm was sufficient + ## - 137 if needed to use kill. + + for invalid_exit_code in "124" "137" "254" ; do + if [ "$tor_circuit_established_check_exit_code" = "$invalid_exit_code" ]; then + echo "Tor Bootstrap Result: \ + ERROR ($tor_circuit_established_check_exit_code).
Please report this bug!" + exit 1 + fi + done + + if [ "$tor_circuit_established_check_exit_code" = "255" ]; then + if [ "$VM" = "Gateway" ]; then + echo "Tor Bootstrap Result: \ +Tor's Control Port could not be reached.
" + elif [ "$VM" = "Workstation" ]; then + if [ -f /usr/share/whonix/marker ]; then + echo "Tor Bootstrap Result: \ +Tor's Control Port could not be reached.
\ +
Did you start Gateway beforehand? \ +
Please run whonixcheck on Gateway." + else + echo "Tor Bootstrap Result: \ +Tor's Control Port could not be reached.
\ +
Did you start Gateway beforehand?" + fi + else + if [ -f /usr/share/whonix/marker ]; then + echo "Tor Bootstrap Result: \ +Tor's Control Port could not be reached.
\ +
Did you start Gateway beforehand? \ +
Please run whonixcheck on Gateway. +
$FUNCNAME: This is neither a gateway nor a workstation. Please report this bug!" + else + echo "Tor Bootstrap Result: \ +Tor's Control Port could not be reached.
\ +
Did you start Gateway beforehand? +
$FUNCNAME: This is neither a gateway nor a workstation. Please report this bug!"
+ fi
+ fi
+
+ exit 1
+ fi
+
+ if [ "$VM" = "Gateway" ]; then
+ check_tor_bootstrap_status
+ fi
+
+ ## When using an old Tor consensus which might be the case when no Tor
+ ## circuit has been established yet, there is no point to check Tor
+ ## consensus time as it might be outdated leading to concluding that the
+ ## clock is fast.
+ if [ "$tor_circuit_established" = "0" ]; then
+ if [ "$VM" = "Gateway" ]; then
+ echo "Tor is not yet fully bootstrapped. $tor_bootstrap_percent % done.\
+
Tor reports: $tor_bootstrap_status"
+ else
+ echo "Tor is not yet fully bootstrapped. Tor circuit: $tor_circuit_established_word."
+ fi
+ exit "2"
+ fi
+
+ ## If the static timestamp based time sanity check failed, there is no
+ ## need to run the Tor consensus based time sanity check. Avoiding
+ ## duplicate output.
+ if [ ! "$timesanitycheck_static_timestamp_based_failed" = "true" ]; then
+ ## sets: tor_consensus_valid_after_exit_code
+ ## sets: tor_consensus_valid_after_output
+ ## sets: tor_consensus_valid_after_unixtime
+ tor_consensus_valid-after
+
+ ## sets: tor_consensus_valid_until_exit_code
+ ## sets: tor_consensus_valid_until_output
+ ## sets: tor_consensus_valid_until_unixtime
+ tor_consensus_valid-until
+
+ current_unixtime="$(date +"%s")"
+
+ if [ "$tor_consensus_valid_after_exit_code" = "0" ] && [ "$tor_consensus_valid_until_exit_code" = "0" ]; then
+ clock_tor_consensus_check_result="ok"
+ if [ "$current_unixtime" -ge "$tor_consensus_valid_after_unixtime" ]; then
+ true
+ else
+ clock_tor_consensus_check_result="slow"
+ clock_tor_consensus_check_msg="The clock might be too slow. Clock is slower than consensus/valid-after $tor_consensus_valid_after_output. $clock_causes"
+ fi
+ if [ "$current_unixtime" -ge "$tor_consensus_valid_until_unixtime" ]; then
+ clock_tor_consensus_check_result="fast"
+ clock_tor_consensus_check_msg="The clock might be too fast. Clock is faster than consensus/valid-until $tor_consensus_valid_until_output. $clock_causes"
+ else
+ true
+ fi
+ elif [ "$tor_consensus_valid_after_exit_code" = "277" ] && [ "$tor_consensus_valid_until_exit_code" = "277" ]; then
+ clock_tor_consensus_check_result="noneyet"
+ clock_tor_consensus_check_msg="Might not have downloaded a Tor consensus yet."
+ else
+ clock_tor_consensus_check_result="error"
+ clock_tor_consensus_check_msg="Consensus time sanity check failed. 
$clock_causes" + fi + + if [ "$clock_tor_consensus_check_result" = "ok" ]; then + clock_tor_consensus_check_result="ok" + clock_tor_consensus_check_msg="Clock within consensus parameters consensus/valid-after $tor_consensus_valid_after_output and consensus/valid-until $tor_consensus_valid_until_output." + fi + + if [ "$clock_tor_consensus_check_result" = "ok" ]; then + echo "

$clock_tor_consensus_check_msg

" >&2 + else + echo "

$clock_tor_consensus_check_msg

" + fi + + ## TODO + ## Would have to parse tor_bootstrap_status. + ## In case Tor cannot fetch Tor consensus $tor_consensus_valid_after_exit_code / + ## $tor_consensus_valid_until_exit_code may be zero but $tor_consensus_valid_until_output + ## may be empty. + #if [ ! "$clock_tor_consensus_check_result" = "ok" ]; then + # if [ "$VM" = "Gateway" ]; then + # exit "1" + # fi + #fi + fi + + if [ "$tor_circuit_established" = "1" ]; then + echo "

Tor fully bootstrapped.

" + exit "0" + fi + + echo "Tor Bootstrap Result: \ + ERROR tor_circuit_established is neither 0 nor 1. tor_circuit_established: $tor_circuit_established
Please report this bug!" >&2
+ exit "0"
+}
+
+te_pe_tb_check "$@"
diff --git a/overlay/Linux/usr/local/src/helper-scripts/terminal-wrapper b/overlay/Linux/usr/local/src/helper-scripts/terminal-wrapper
new file mode 100755
index 0000000..6f2363c
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/terminal-wrapper
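Review bot: `set -e errtrace` (near the top of the file) does not enable errtrace: `set` takes `-e` as the option and `errtrace` as a positional parameter, so the script runs with `$1` equal to the literal string `errtrace` and the `ERR` trap is not inherited into `te_pe_tb_check()`, where all of the work happens; the intended line is `set -o errtrace` (or `set -E`). Separately, the final fallback prints `ERROR tor_circuit_established is neither 0 nor 1 ... Please report this bug!` and then `exit "0"`, which per the header comment tells sdwdate that all is well; an unexpected state should presumably return 1 or 2 so sdwdate waits and retries. The `error_handler` also only echoes and then lets `set -e` terminate the script with the failing command's own status, which may be a value sdwdate does not interpret; ending the handler with an explicit `exit 2` would preserve the exit-code contract documented at the top.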
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+set -x
+set -e
+
+if [ -e "/etc/alternatives/x-terminal-emulator" ]; then
+ ## Lets see where for example /etc/alternatives/aptitude links to.
+ if readlink_result="$(readlink "/etc/alternatives/x-terminal-emulator")" ; then
+ ## Symlink could be read. Lets use it.
+ etc_alternatives_x_terminal_emulator_full_path="$readlink_result"
+ etc_alternatives_x_terminal_emulator_base_name="${etc_alternatives_x_terminal_emulator_full_path##*/}"
+ fi
+fi
+
+supported_terminal_emulator_apps="
+ xfce4-terminal
+ xterm
+ konsole
+"
+
+for terminal_emulator_app_supported in $supported_terminal_emulator_apps ; do
+ if [ "$etc_alternatives_x_terminal_emulator_base_name" = "$terminal_emulator_app_supported" ]; then
+ [ -n "$terminal_emulator_app" ] || terminal_emulator_app="$terminal_emulator_app_supported"
+ fi
+done
+
+if command -v xfce4-terminal >/dev/null 2>&1; then
+ [ -n "$terminal_emulator_app" ] || terminal_emulator_app="xfce4-terminal"
+elif command -v xterm >/dev/null 2>&1; then
+ [ -n "$terminal_emulator_app" ] || terminal_emulator_app="xterm"
+elif command -v konsole >/dev/null 2>&1; then
+ [ -n "$terminal_emulator_app" ] || terminal_emulator_app="konsole"
+elif [ ! "$etc_alternatives_x_terminal_emulator_base_name" = "" ]; then
+ [ -n "$terminal_emulator_app" ] || terminal_emulator_app="$etc_alternatives_x_terminal_emulator_base_name"
+ [ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="-e"
+else
+ error_message="$0: No supported terminal_emulator_app installed! 
Please install either:
+$supported_terminal_emulator_apps
+
+PPID: $PPID
+$0 was called by: $(ps --no-headers -o command $PPID)" || true
+ kdialog --sorry "$error_message" >/dev/null 2>&1 || true
+ zenity --error --text "$error_message" >/dev/null 2>&1 || true
+ echo "$error_message" >&2
+fi
+
+if [ "$terminal_emulator_app" = "xfce4-terminal" ]; then
+ [ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="--execute"
+fi
+
+if [ "$terminal_emulator_app" = "xterm" ]; then
+ [ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="-e"
+fi
+
+if command -v qubesdb-read >/dev/null 2>&1; then
+ ## Qubes.
+ if [ "$terminal_emulator_app" = "konsole" ]; then
+ [ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="--hold -e"
+ fi
+else
+ ## Non-Qubes.
+ if [ "$terminal_emulator_app" = "konsole" ]; then
+ ## Do not use '--fullscreen' since this starts the window without window
+ ## controls (no window close button) which is confusing.
+ ## '-e' needs to be the last paramater.
+ [ -n "$terminal_emulator_extra_args" ] || terminal_emulator_extra_args="--hold -e"
+ fi
+fi
+
+$terminal_emulator_app $terminal_emulator_extra_args $@
diff --git a/overlay/Linux/usr/local/src/helper-scripts/tor_bootstrap_check.bsh b/overlay/Linux/usr/local/src/helper-scripts/tor_bootstrap_check.bsh
new file mode 100755
index 0000000..e83f7f8
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/tor_bootstrap_check.bsh
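Review bot: The last line `$terminal_emulator_app $terminal_emulator_extra_args $@` word-splits and glob-expands the caller's arguments, so a command whose arguments contain spaces or `*` reaches the terminal emulator broken into pieces; it should end in `"$@"` (leaving `$terminal_emulator_extra_args` unquoted is intentional, since it holds several flags). In the `else` branch where no emulator is found, the script shows the dialogs and prints `error_message`, then falls through to that same last line with both variables empty, which runs the caller's arguments directly in the current context instead of in a terminal; an `exit 1` right after `echo "$error_message" >&2` would make the failure explicit. Note also that `set -x` at the top traces every argument to stderr, so anything sensitive passed on the command line is echoed; dropping it or guarding it behind an environment variable would be safer for a wrapper that is invoked by other tools.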
@@ -0,0 +1,156 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+check_tor_bootstrap_helper_variables() {
+ if command -v qubesdb-read >/dev/null 2>&1 ; then
+ local qubes_vm_type
+ qubes_vm_type="$(qubesdb-read /qubes-vm-type)" || true
+ if [ "$qubes_vm_type" = "TemplateVM" ] || [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
+ ## 'qubesdb-read /qubes-gateway' could fail if NetVM is set to 'none'.
+ if [ "$GATEWAY_IP" = "" ]; then
+ gateway_ip_error=""
+ qubesdb_read_qubes_gateway_result="$(qubesdb-read /qubes-gateway 2>/dev/null)" || { gateway_ip_error="qubesdb_read_failed" ; qubesdb_read_qubes_gateway_result="127.0.0.1" ; };
+ GATEWAY_IP="$qubesdb_read_qubes_gateway_result"
+ fi
+ if [ "$gateway_control_port" = "" ]; then
+ gateway_control_port="9051"
+ fi
+ fi
+ fi
+
+ if [ -f "/usr/share/anon-ws-base-files/workstation" ]; then
+ if [ "$GATEWAY_IP" = "" ]; then
+ GATEWAY_IP="10.152.152.10"
+ fi
+ if [ "$gateway_control_port" = "" ]; then
+ gateway_control_port="9051"
+ fi
+ fi
+
+ if [ -f "/usr/share/anon-gw-base-files/gateway" ]; then
+ if [ "$GATEWAY_IP" = "" ]; then
+ GATEWAY_IP="127.0.0.1"
+ fi
+ fi
+
+ if [ "$gateway_control_port" = "" ]; then
+ gateway_control_port="9051"
+ fi
+ if [ "$GATEWAY_IP" = "" ]; then
+ GATEWAY_IP="127.0.0.1"
+ fi
+}
+
+check_tor_bootstrap_helper_run_helper_script() {
+ if [ "$TEMP_DIR" = "" ]; then
+ echo "Variable TEMP_DIR was empty."
>&2
+ TEMP_DIR="$(mktemp --directory)"
+ fi
+
+ check_tor_bootstrap_helper_variables
+
+ check_tor_bootstrap_helper_kill_after="5s"
+ check_tor_bootstrap_helper_timeout_after="10s"
+ check_bootstrap_helper_bootstrap_file="$TEMP_DIR/tor_check_bootstrap_helper_bootstrap_file"
+
+ rm --force "$check_bootstrap_helper_bootstrap_file"
+ check_bootstrap_helper_script_exit_code="0"
+ timeout \
+ --kill-after="$check_tor_bootstrap_helper_kill_after" \
+ "$check_tor_bootstrap_helper_timeout_after" \
+ $check_bootstrap_helper_script \
+ > "$check_bootstrap_helper_bootstrap_file" \
+ 2>&1 \
+ &
+ lastpid="$!"
+ wait "$lastpid" || { check_bootstrap_helper_script_exit_code="$?" ; true; };
+
+ if [ -f "$check_bootstrap_helper_bootstrap_file" ]; then
+ check_bootstrap_helper_script_output="$(cat "$check_bootstrap_helper_bootstrap_file")"
+ if [ "$check_bootstrap_helper_script_output" = "" ]; then
+ check_bootstrap_helper_script_output="Variable check_bootstrap_helper_script_output is empty."
+ check_bootstrap_helper_script_exit_code="277"
+ fi
+ else
+ check_bootstrap_helper_script_output="ERROR: File '$check_bootstrap_helper_bootstrap_file' does not exist. check_bootstrap_helper_script: '$check_bootstrap_helper_script' Please report this Whonix bug!"
+ fi
+}
+
+check_tor_bootstrap_helper() {
+ check_tor_bootstrap_status
+ check_tor_circuit_established
+}
+
+check_tor_bootstrap_status() {
+ check_bootstrap_helper_script="/usr/local/lib64/helper-scripts/tor_bootstrap_check.py"
+
+ ## sets: check_bootstrap_helper_script_exit_code
+ ## sets: check_bootstrap_helper_script_output
+ check_tor_bootstrap_helper_run_helper_script
+
+ tor_bootstrap_percent="$check_bootstrap_helper_script_exit_code"
+ tor_bootstrap_status="$check_bootstrap_helper_script_output"
+
+ ## `timeout` returns:
+ ## - 124 if sigterm was sufficient
+ ## - 137 if needed to use kill.
+ if [ "$check_bootstrap_helper_script_exit_code" = "124" ]; then
+ tor_bootstrap_timeout_type="sigterm"
+ elif [ "$check_bootstrap_helper_script_exit_code" = "137" ]; then
+ tor_bootstrap_timeout_type="sigkill"
+ else
+ tor_bootstrap_timeout_type="none"
+ fi
+}
+
+check_tor_circuit_established() {
+ check_bootstrap_helper_script="/usr/local/lib64/helper-scripts/tor_circuit_established_check.py"
+
+ ## sets: check_bootstrap_helper_script_exit_code
+ ## sets: check_bootstrap_helper_script_output
+ check_tor_bootstrap_helper_run_helper_script
+
+ tor_circuit_established_check_exit_code="$check_bootstrap_helper_script_exit_code"
+
+ if [ "$check_bootstrap_helper_script_exit_code" = "0" ]; then
+ tor_circuit_established="$check_bootstrap_helper_script_output"
+ if [ "$tor_circuit_established" = "1" ]; then
+ tor_circuit_established_word="established"
+ else
+ tor_circuit_established_word="not established"
+ fi
+ else
+ tor_circuit_established="0"
+ tor_circuit_established_word="not established"
+ fi
+}
+
+tor_consensus_valid-after() {
+ check_bootstrap_helper_script="/usr/local/lib64/helper-scripts/tor_consensus_valid-after.py"
+
+ ## sets: check_bootstrap_helper_script_exit_code
+ ## sets: check_bootstrap_helper_script_output
+ check_tor_bootstrap_helper_run_helper_script
+
+ tor_consensus_valid_after_exit_code="$check_bootstrap_helper_script_exit_code"
+ tor_consensus_valid_after_output="$check_bootstrap_helper_script_output"
+ if [ "$check_bootstrap_helper_script_exit_code" = "0" ]; then
+ tor_consensus_valid_after_unixtime="$(date --date="$tor_consensus_valid_after_output" +"%s")" || true
+ fi
+}
+
+tor_consensus_valid-until() {
+ check_bootstrap_helper_script="/usr/local/lib64/helper-scripts/tor_consensus_valid-until.py"
+
+ ## sets: check_bootstrap_helper_script_exit_code
+ ## sets: check_bootstrap_helper_script_output
+ check_tor_bootstrap_helper_run_helper_script
+
+ tor_consensus_valid_until_exit_code="$check_bootstrap_helper_script_exit_code"
+
tor_consensus_valid_until_output="$check_bootstrap_helper_script_output"
+ if [ "$check_bootstrap_helper_script_exit_code" = "0" ]; then
+ tor_consensus_valid_until_unixtime="$(date --date="$tor_consensus_valid_until_output" +"%s")" || true
+ fi
+}
diff --git a/overlay/Linux/usr/local/src/helper-scripts/tor_bootstrap_check.py b/overlay/Linux/usr/local/src/helper-scripts/tor_bootstrap_check.py
new file mode 100755
index 0000000..24de87b
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/tor_bootstrap_check.py
@@ -0,0 +1,37 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+import sys
+from stem.connection import connect
+import re
+
+controller = connect()
+
+if not controller:
+ sys.exit(255)
+
+bootstrap_status = controller.get_info("status/bootstrap-phase")
+
+## Possible answer, if network cable has been removed:
+## 250-status/bootstrap-phase=WARN BOOTSTRAP PROGRESS=80 TAG=conn_or SUMMARY="Connecting to the Tor network" WARNING="No route to host" REASON=NOROUTE COUNT=26 RECOMMENDATION=warn
+
+## Possible answer:
+## 250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=85 TAG=handshake_or SUMMARY="Finishing handshake with first hop"
+
+## Possible answer, when done:
+## 250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"
+
+## TODO: parse the messages above.
+## 0
+
+print(format(bootstrap_status))
+
+progress_percent = re.match('.* PROGRESS=([0-9]+).*', bootstrap_status)
+
+exit_code = int(progress_percent.group(1))
+
+controller.close()
+
+sys.exit(exit_code)
diff --git a/overlay/Linux/usr/local/src/helper-scripts/tor_circuit_established_check.py b/overlay/Linux/usr/local/src/helper-scripts/tor_circuit_established_check.py
new file mode 100755
index 0000000..33c14fd
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/tor_circuit_established_check.py
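Review bot: `check_tor_bootstrap_status` copies the helper's exit status straight into `tor_bootstrap_percent`, but only 124 and 137 are recognised as timeouts; the 255 that `tor_bootstrap_check.py` returns when it cannot reach the control port, and the 277 the wrapper assigns for empty output, then read as bootstrap percentages. A guard such as `if [ "$check_bootstrap_helper_script_exit_code" -gt 100 ]; then tor_bootstrap_percent="0"; fi`, with the raw status kept in its own variable, keeps a connection failure from looking like 255 % bootstrapped. `GATEWAY_IP` and `gateway_control_port` are computed in `check_tor_bootstrap_helper_variables` but never passed to the helper scripts, which call `connect()` with stem's defaults; presumably other sourcing scripts read them, and a comment saying so would stop the next reader from treating them as dead code. The fallback `TEMP_DIR="$(mktemp --directory)"` is never removed, and `gateway_ip_error` is set but not used in this file.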
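Review bot: `progress_percent.group(1)` raises `AttributeError` when `re.match` finds no `PROGRESS=` field in the status line, and the resulting traceback exits with status 1, which the bash wrapper records as a 1 % bootstrap. Checking the match first, `if progress_percent is None: controller.close(); sys.exit(254)` (any status above 100, chosen here as an example, stays distinguishable from a percentage alongside the existing 255), keeps the failure visible to callers; `controller.close()` is also skipped on that path today. The `## TODO: parse the messages above` comment would be more useful if it named what is still unparsed, i.e. the `WARN`/`REASON`/`RECOMMENDATION` fields that the sample lines show.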
@@ -0,0 +1,26 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+import sys
+from stem.connection import connect
+
+controller = connect()
+
+if not controller:
+ sys.exit(255)
+
+circuit_established = controller.get_info("status/circuit-established")
+
+## Possible answer, if established:
+## 1
+
+## Possible answer, if not established:
+## 0
+
+print(format(circuit_established))
+
+controller.close()
+
+sys.exit(0)
diff --git a/overlay/Linux/usr/local/src/helper-scripts/tor_consensus_valid-after.py b/overlay/Linux/usr/local/src/helper-scripts/tor_consensus_valid-after.py
new file mode 100755
index 0000000..c485a83
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/tor_consensus_valid-after.py
@@ -0,0 +1,20 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+import sys
+from stem.connection import connect
+
+controller = connect()
+
+if not controller:
+ sys.exit(255)
+
+output = controller.get_info("consensus/valid-after")
+
+print(format(output))
+
+controller.close()
+
+sys.exit(0)
diff --git a/overlay/Linux/usr/local/src/helper-scripts/tor_consensus_valid-until.py b/overlay/Linux/usr/local/src/helper-scripts/tor_consensus_valid-until.py
new file mode 100755
index 0000000..395b04c
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/tor_consensus_valid-until.py
@@ -0,0 +1,20 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+import sys
+from stem.connection import connect
+
+controller = connect()
+
+if not controller:
+ sys.exit(255)
+
+output = controller.get_info("consensus/valid-until")
+
+print(format(output))
+
+controller.close()
+
+sys.exit(0)
diff --git a/overlay/Linux/usr/local/src/helper-scripts/tor_enabled_check b/overlay/Linux/usr/local/src/helper-scripts/tor_enabled_check
new file mode 100755
index 0000000..1687327
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/tor_enabled_check
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+check_tor_enabled_do() {
+ ## Fallback.
+ TOR_ENABLED="0"
+
+ ## Skip this test, if not running on Whonix-Gateway.
+ if [ ! -e "/usr/share/anon-gw-base-files/gateway" ]; then
+ TOR_ENABLED="1"
+ return 0
+ fi
+
+ ## Skip this test, if running in Qubes TemplateVM.
+ if command -v qubesdb-read >/dev/null 2>&1 ; then
+ local qubes_vm_type
+ qubes_vm_type="$(qubesdb-read /qubes-vm-type)" || true
+ if [ "$qubes_vm_type" = "TemplateVM" ]; then
+ TOR_ENABLED="1"
+ return 0
+ fi
+ fi
+
+ local line file_name file_name_list i
+
+ shopt -s globstar
+ shopt -s nullglob
+
+ if [ -f /usr/share/tor/tor-service-defaults-torrc ]; then
+ file_name_list+="/usr/share/tor/tor-service-defaults-torrc"
+ file_name_list+=" "
+ fi
+ if [ -f /etc/tor/torrc ]; then
+ file_name_list+="/etc/tor/torrc"
+ file_name_list+=" "
+ fi
+
+ for i in /etc/torrc.d/* ; do
+ file_name_list+="$i"
+ file_name_list+=" "
+ done
+
+ for i in /usr/local/etc/torrc.d/* ; do
+ file_name_list+="$i"
+ file_name_list+=" "
+ done
+
+ for file_name in $file_name_list ; do
+ if ! test -f "$file_name" ; then
+ continue
+ fi
+ true "file_name: '$file_name'"
+ while read -r line || [ -n "$line" ]; do
+ if [ "$line" = "DisableNetwork 0" ]; then
+ TOR_ENABLED="1"
+ fi
+ if [ "$line" = "DisableNetwork 1" ]; then
+ TOR_ENABLED="0"
+ fi
+ done < "$file_name"
+ unset line
+ done
+}
diff --git a/overlay/Linux/usr/local/src/helper-scripts/tor_signal_newnym.py b/overlay/Linux/usr/local/src/helper-scripts/tor_signal_newnym.py
new file mode 100755
index 0000000..e63ce0d
--- /dev/null
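Review bot: `[ "$line" = "DisableNetwork 0" ]` and its `1` twin only match that exact spelling, so a torrc line written with a tab, doubled spaces or a trailing comment — all of which Tor itself accepts — is ignored and `TOR_ENABLED` silently stays at the fallback `0`. A pattern match keeps the last-match-wins order while covering those forms: `if [[ "$line" =~ ^[[:space:]]*DisableNetwork[[:space:]]+([01]) ]]; then TOR_ENABLED=$((1 - BASH_REMATCH[1])); fi`. `shopt -s globstar` and `shopt -s nullglob` are not scoped to the function, so a shell that sources this file and calls `check_tor_enabled_do` keeps both options afterwards; running the two `for i in …` loops in a subshell, or unsetting the options before returning, avoids that side effect. `file_name_list` is a space-joined string iterated unquoted, so a path with whitespace under `/etc/torrc.d` would be split; an array (`file_name_list+=("$i")` and `for file_name in "${file_name_list[@]}"`) is the usual form.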
+++ b/overlay/Linux/usr/local/src/helper-scripts/tor_signal_newnym.py
@@ -0,0 +1,20 @@
+#!/usr/bin/python3 -u
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+import sys
+from stem.connection import connect
+from stem.control import Controller
+from stem import Signal
+
+controller = connect()
+
+if not controller:
+ sys.exit(255)
+
+controller.signal(Signal.NEWNYM)
+
+controller.close()
+
+sys.exit(0)
diff --git a/overlay/Linux/usr/local/src/helper-scripts/torsocks-remove-ld-preload b/overlay/Linux/usr/local/src/helper-scripts/torsocks-remove-ld-preload
new file mode 100755
index 0000000..9c8e005
--- /dev/null
+++ b/overlay/Linux/usr/local/src/helper-scripts/torsocks-remove-ld-preload
@@ -0,0 +1,36 @@
+#!/bin/sh
+
+## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Must be an sh, not bash script, because /etc/cron.weekly/tor is a sh script,
+## that sources /etc/default/tor, which sources this script.
+
+## Cope up with "set -o nounset".
+: "${DEBDEBUG:="0"}"
+: "${LD_PRELOAD:=""}"
+
+if [ "$DEBDEBUG" = "1" ]; then
+ set -x
+fi
+
+if [ "$DEBDEBUG" = "1" ]; then
+ true "LD_PRELOAD: $LD_PRELOAD"
+fi
+
+## Remove /usr/lib/torsocks/libtorsocks.so from LD_PRELOAD.
+LD_PRELOAD="$(echo "$LD_PRELOAD" | sed 's/\/usr\/lib\/torsocks\/libtorsocks.so//g')"
+
+if [ "$DEBDEBUG" = "1" ]; then
+ true "exit code: $?"
+fi
+
+export LD_PRELOAD
+
+if [ "$DEBDEBUG" = "1" ]; then
+ true "exit code: $?"
+
+ true "LD_PRELOAD: $LD_PRELOAD"
+fi
+
+## Don't use exit at the end, since this script can be sourced by others.
diff --git a/overlay/Linux/usr/local/src/proxy_local_src.bash b/overlay/Linux/usr/local/src/proxy_local_src.bash
new file mode 100755
index 0000000..44108cb
--- /dev/null
+++ b/overlay/Linux/usr/local/src/proxy_local_src.bash
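Review bot: `from stem.control import Controller` is unused in `tor_signal_newnym.py`; only `connect` and `Signal` are referenced, so the import can be dropped. `controller.signal(Signal.NEWNYM)` can raise stem's `ControllerError` when the control port rejects the signal, and the uncaught exception exits with status 1 and a traceback rather than a deliberate code; handling it in the same spirit as the existing `if not controller: sys.exit(255)` keeps the exit statuses meaningful to the shell callers that this helper is written for.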
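Review bot: Both `true "exit code: $?"` lines report the status of the enclosing `[ "$DEBDEBUG" = "1" ]` test, not of the `sed` assignment or the `export`, so the debug trace always shows 0; capturing `ld_preload_rc=$?` on the line directly after the `LD_PRELOAD="$(…)"` assignment and printing that is presumably what was intended. The `sed` expression also leaves the separator behind (an `LD_PRELOAD` of `a.so:/usr/lib/torsocks/libtorsocks.so` becomes `a.so:`) and the unescaped `.` in `libtorsocks.so` matches any character; escaping it and consuming an adjacent `:` or space would make the removal exact. Only the `/usr/lib/torsocks/` location is handled; on multiarch Debian the library may live under an architecture triplet directory, which is worth confirming against the target systems before relying on this to strip torsocks from cron jobs.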
@@ -0,0 +1,24 @@
+#!/bin/bash
+# -*- mode: sh; tab-width: 8; coding: utf-8-unix -*-
+
+prog=`basename $0 .bash`
+PREFIX=/usr/local
+ROLE=proxy
+[ -f /usr/local/etc/testforge/testforge.bash ] && . /usr/local/etc/testforge/testforge.bash
+[ `id -u` -eq 0 ] || echo ERROR: $prog should be run as root && exit 2
+
+DESC=""
+
+cd $PREFIX/src || exit 4
+
+which sdwdate >/dev/null 2>/dev/null || \
+ [ -f $PREFIX/bin/sdwdate.bash ] || \
+ sh sdwdate.bash
+
+[ -f testssl.sh ] || \
+ sh testssl.bash || exit 7$?
+
+[ -x ../bin/analyze-ssl.pl.bash ] || \
+ sh analyze-ssl.bash
+
+exit 0
diff --git a/overlay/Linux/usr/local/src/wicd-new.zip b/overlay/Linux/usr/local/src/wicd-new.zip
new file mode 100644
index 0000000..add5f38
Binary files /dev/null and b/overlay/Linux/usr/local/src/wicd-new.zip differ
diff --git a/overlay/Ubuntu/etc/ca-certificates/update.d/jks-keystore.diff b/overlay/Ubuntu/etc/ca-certificates/update.d/jks-keystore.diff
new file mode 100644
index 0000000..4dfe419
--- /dev/null
+++ b/overlay/Ubuntu/etc/ca-certificates/update.d/jks-keystore.diff
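Review bot: The root check `[ `id -u` -eq 0 ] || echo ERROR: $prog should be run as root && exit 2` exits with 2 on every run: `a || b && c` groups as `(a || b) && c`, so as root the test succeeds, the group succeeds and `exit 2` runs, and as non-root the `echo` succeeds and `exit 2` runs too. An explicit `if [ "$(id -u)" -ne 0 ]; then echo "ERROR: $prog should be run as root" >&2; exit 2; fi` does what the line intends. `exit 7$?` produces statuses such as 71 or 72 that are reduced modulo 256 and hard to read back; a fixed `exit 7` with the inner status logged to stderr is clearer. `sh sdwdate.bash`, `sh testssl.bash` and `sh analyze-ssl.bash` are run as root from `$PREFIX/src`, and `wicd-new.zip` is committed next to them as an opaque binary, without their origin or any checksum being visible here; a header comment stating where each comes from and how it is verified would make the trust boundary explicit.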
@@ -0,0 +1,38 @@ +*** jks-keystore.dst 2016-03-30 01:41:20.000000000 +0300 +--- jks-keystore 2019-10-25 05:12:39.275249418 +0300 +*************** +*** 33,48 **** + if ! mountpoint -q /proc; then + echo >&2 "the keytool command requires a mounted proc fs (/proc)." + exit 1 + fi + +! for jvm in java-7-openjdk-$arch java-7-openjdk \ +! oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \ +! java-8-openjdk-$arch java-8-openjdk \ + oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \ + java-9-openjdk-$arch java-9-openjdk \ +! oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch; do + if [ -x /usr/lib/jvm/$jvm/bin/java ]; then + break + fi + done + export JAVA_HOME=/usr/lib/jvm/$jvm +--- 33,49 ---- + if ! mountpoint -q /proc; then + echo >&2 "the keytool command requires a mounted proc fs (/proc)." + exit 1 + fi + +! for jvm in java-8-openjdk-$arch java-8-openjdk \ + oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \ + java-9-openjdk-$arch java-9-openjdk \ +! oracle-java9-jre-$arch oracle-java9-server-jre-$arch oracle-java9-jdk-$arch \ +! java-7-openjdk-$arch java-7-openjdk \ +! oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \ +! ; do + if [ -x /usr/lib/jvm/$jvm/bin/java ]; then + break + fi + done + export JAVA_HOME=/usr/lib/jvm/$jvm diff --git a/tasks/Debian.yml b/tasks/Debian.yml new file mode 100644 index 0000000..627e371 --- /dev/null +++ b/tasks/Debian.yml 
@@ -0,0 +1,117 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- +--- + +- name: "DEBUG: Including proxy Debian.yml" + debug: + verbosity: 1 + msg: "DEBUG: Including proxy Debian.yml BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}" + +# Perf h4x: Force dpkg to not to call sync() after package extraction, turn off +# the apt-cache (not needed in a container) and disable translation fetching... +- name: "/etc/dpkg/dpkg.cfg.d/02-force-unsafe-io" + blockinfile: + dest: /etc/dpkg/dpkg.cfg.d/02-force-unsafe-io + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml" + block: | + force-unsafe-io + +- name: "/etc/apt/apt.conf.d/no-cache" + blockinfile: + dest: /etc/apt/apt.conf.d/no-cache + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml" + block: | + Acquire::http {No-Cache=True;}; + when: + - ansible_virtualization_role|replace('NA', 'host') == 'guest' + +- name: "/etc/apt/apt.conf.d/no-cache" + blockinfile: + dest: /etc/apt/apt.conf.d/no-cache + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml" + block: | + Acquire::http {No-Cache=False;}; + when: + - ansible_virtualization_role|replace('NA', 'host') != 'guest' + +- name: "/etc/apt/apt.conf.d/no-lang" + blockinfile: + dest: /etc/apt/apt.conf.d/no-lang + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml" + block: | + Acquire::Languages "none"; + +- name: disable /etc/apt/apt.conf.d/50unattended-upgrades + shell: | + [ -f /etc/apt/apt.conf.d/50unattended-upgrades ] || exit 0 + grep -q '^[^/]' /etc/apt/apt.conf.d/50unattended-upgrades || exit 0 + sed -e 's@^\([^/]\)@//\1@' -i /etc/apt/apt.conf.d/50unattended-upgrades + exit 0 + +- name: /etc/apt/apt.conf.d/70insecure.conf + blockinfile: + dest: /etc/apt/apt.conf.d/70insecure.conf + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian.yml" + block: | + Acquire::AllowInsecureRepositories false; + +- name: install proxy_debs_inst packages + environment: + 
- "RUNLEVEL": 1 + apt: + force_apt_get: true + name: "{{ item }}" + state: latest + update_cache: no + ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}" + when: + - item != '' and item != [] + - not ansible_check_mode + - BASE_ARE_CONNECTED|default('') != '' + with_items: + - "{{ proxy_debs_inst }}" + - "{{ proxy_libvirt_debs_inst if BOX_WHONIX_PROXY_HOST != '' else [] }}" + - "{{ proxy_qemu_guest_debs_inst if PROXY_MODE in ['gateway','ws', 'vda'] else [] }}" + - "{{ proxy_gateway_debs_inst if BOX_OS_FLAVOR in ['WhonixGateway'] else [] }}" + - "{{ proxy_xfce_debs_inst if BOX_OS_FLAVOR in ['KickSecure', 'WhonixWorkstation'] else [] }}" + +- name: install cntlm packages + environment: + - "RUNLEVEL": 1 + apt: + force_apt_get: true + name: "cntlm" + state: latest + update_cache: no + ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}" + when: + - false + - not ansible_check_mode + - BASE_ARE_CONNECTED|default('') != '' + +- name: "/etc/default/console-setup" + lineinfile: + dest: /etc/default/console-setup + regexp: "^#* *{{item.name}}.*" + line: '{{ item.name }}="{{ item.val }}"' + state: present + with_items: + - { name: CODESET, val: "Uni2" } + - { name: FONTFACE, val: "TerminusBold" } + - { name: FONTSIZE, val: "28x14" } + +- name: /etc/apt/apt.conf.d/70testforge.conf + blockinfile: + dest: /etc/apt/apt.conf.d/70testforge.conf + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml" + block: | + APT::Install-Recommends false; + APT::Install-Suggests false; + #APT::AutoRemove::RecommendsImportant false; + #APT::AutoRemove::SuggestsImportant false; + APT::Periodic::Enable 0; diff --git a/tasks/Debian_post.yml b/tasks/Debian_post.yml new file mode 100644 index 0000000..948e9ce --- /dev/null +++ b/tasks/Debian_post.yml 
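Review bot: `force-unsafe-io` in `/etc/dpkg/dpkg.cfg.d/02-force-unsafe-io` is written unconditionally, although the comment above it says the optimisation is for containers; on a bare-metal or VM host it removes dpkg's fsync-before-rename and a power loss mid-upgrade can leave truncated package files. Gating it like the `no-cache` task, `when: - ansible_virtualization_role|replace('NA', 'host') == 'guest'`, keeps it where it is harmless. The `70testforge.conf` task's marker reads `proxy Debian_post.yml` although it lives in `Debian.yml`, and `tasks/Debian_post.yml` writes the same file under a third marker, `proxy proxy_post.yml`; distinct markers do not collide, but the names mislead whoever debugs the file later. Both points apply to the `tasks/Devuan.yml` hunk below as well. The `install cntlm packages` task is permanently disabled by `when: - false`; if it is intentionally parked, a comment saying why would save a reader from wondering.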
@@ -0,0 +1,40 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- +--- + +- debug: + verbosity: 1 + msg: "DEBUG: Including proxy Debian_post.yml SOCKS_PROXYHOST:SOCKS_PROXYPORT= {{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}" + +- name: /etc/apt/apt.conf.d/80proxy.conf + blockinfile: + dest: /etc/apt/apt.conf.d/80proxy.conf + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml" + state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}" + block: | + Acquire::http::Proxy "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}"; + Acquire::https::Proxy "{{HTTP_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}"; + +- name: /etc/apt/apt.conf.d/70testforge.conf + blockinfile: + dest: /etc/apt/apt.conf.d/70testforge.conf + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml" + state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}" + block: | + + Acquire::tor::proxy "socks5h://apt:apt@{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"; + Acquire::tor::Timeout 60; + when: + - "SOCKS_PROXYHOST != '' and SOCKS_PROXYPORT != ''" + +- name: "/etc/sdwdate.d/30_default.conf" + lineinfile: + dest: /etc/sdwdate.d/30_default.conf + create: true + regexp: "^#*{{ item.name }}.*" + line: "{{ item.name }}={{ item.val }}" + with_items: + - { name: PROXY_IP, val: "{{SOCKS_PROXYHOST}}" } + - { name: PROXY_PORT, val: "{{SOCKS_PROXYPORT}}" } + diff --git a/tasks/Devuan.yml b/tasks/Devuan.yml new file mode 100644 index 0000000..777f348 --- /dev/null +++ b/tasks/Devuan.yml 
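Review bot: The `70testforge.conf` task sets `state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}"` but its `when` is gated on `SOCKS_PROXYHOST`/`SOCKS_PROXYPORT`, so the Tor proxy block is kept or removed based on the HTTP proxy variable, and when the SOCKS variables are empty the task is skipped instead of removing a stale `Acquire::tor::proxy` line. Using the SOCKS variables for `state`, `state: "{{ 'absent' if SOCKS_PROXYHOST == '' or SOCKS_PROXYPORT == '' else 'present' }}"`, and dropping the `when` lets the file converge in both directions. The marker `proxy proxy_post.yml` names a file that does not appear in this commit; `proxy Debian_post.yml` would match the task above it. `tasks/Devuan_post.yml` is a byte-identical copy (same blob `948e9ce`), including the debug message that says `Debian_post.yml`, so the same applies there.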
@@ -0,0 +1,137 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- +--- + +- name: "DEBUG: Including proxy Devuan.yml" + debug: + verbosity: 1 + msg: "DEBUG: Including proxy Devuan.yml BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}" + +# Perf h4x: Force dpkg to not to call sync() after package extraction, turn off +# the apt-cache (not needed in a container) and disable translation fetching... +- name: "/etc/dpkg/dpkg.cfg.d/02-force-unsafe-io" + blockinfile: + dest: /etc/dpkg/dpkg.cfg.d/02-force-unsafe-io + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml" + block: | + force-unsafe-io + +- name: "/etc/apt/apt.conf.d/no-cache" + blockinfile: + dest: /etc/apt/apt.conf.d/no-redirect + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml" + block: | + # https://lists.debian.org/debian-security-announce/2019/msg00010.html + Acquire::http::AllowRedirect=false update; + Acquire::http::AllowRedirect=false upgrade; + +- name: "/etc/apt/apt.conf.d/no-cache" + blockinfile: + dest: /etc/apt/apt.conf.d/no-cache + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml" + block: | + Acquire::http {No-Cache=True;}; + when: + - ansible_virtualization_role|replace('NA', 'host') == 'guest' + +- name: "/etc/apt/apt.conf.d/no-cache" + blockinfile: + dest: /etc/apt/apt.conf.d/no-cache + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml" + block: | + Acquire::http {No-Cache=False;}; + when: + - ansible_virtualization_role|replace('NA', 'host') != 'guest' + +- name: "/etc/apt/apt.conf.d/no-lang" + blockinfile: + dest: /etc/apt/apt.conf.d/no-lang + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml" + block: | + Acquire::Languages "none"; + +- name: disable /etc/apt/apt.conf.d/50unattended-upgrades + shell: | + [ -f /etc/apt/apt.conf.d/50unattended-upgrades ] || exit 0 + grep -q '^[^/]' /etc/apt/apt.conf.d/50unattended-upgrades || exit 0 + sed -e 's@^\([^/]\)@//\1@' -i 
/etc/apt/apt.conf.d/50unattended-upgrades + exit 0 + +- name: /etc/apt/apt.conf.d/70insecure.conf + blockinfile: + dest: /etc/apt/apt.conf.d/70insecure.conf + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Devuan.yml" + block: | + Acquire::AllowInsecureRepositories false; + +- name: install proxy_debs_inst packages + environment: + - "RUNLEVEL": 1 + apt: + force_apt_get: true + name: "{{ item }}" + state: latest + update_cache: no + ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}" + when: + - item != '' and item != [] + - not ansible_check_mode + - BASE_ARE_CONNECTED|default('') != '' + with_items: + - "{{proxy_debs_inst}}" + - "{{ proxy_libvirt_debs_inst if BOX_WHONIX_PROXY_HOST != '' else [] }}" + - "{{ proxy_qemu_guest_debs_inst if PROXY_MODE in ['gateway','ws', 'vda'] else [] }}" + - "{{ proxy_gateway_debs_inst if BOX_OS_FLAVOR in ['WhonixGateway'] else [] }}" + - "{{ proxy_xfce_debs_inst if BOX_OS_FLAVOR in ['KickSecure', 'WhonixWorkstation'] else [] }}" + +- name: install cntlm packages + environment: + - "RUNLEVEL": 1 + apt: + force_apt_get: true + name: "cntlm" + state: latest + update_cache: no + ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}" + when: + - false + - not ansible_check_mode + - BASE_ARE_CONNECTED|default('') != '' + +- name: "/etc/default/console-setup" + lineinfile: + dest: /etc/default/console-setup + create: yes + regexp: "^#* *{{item.name}}.*" + line: '{{ item.name }}="{{ item.val }}"' + state: present + with_items: + - { name: CODESET, val: "Uni2" } + - { name: FONTFACE, val: "TerminusBold" } + - { name: FONTSIZE, val: "28x14" } + +- name: /etc/apt/apt.conf.d/70testforge.conf + blockinfile: + dest: /etc/apt/apt.conf.d/70testforge.conf + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml" + block: | + APT::Install-Recommends false; + APT::Install-Suggests false; + #APT::AutoRemove::RecommendsImportant false; + #APT::AutoRemove::SuggestsImportant false; + APT::Periodic::Enable 0; + +- name: 
//usr/share/tor/tor-service-defaults-torrc + shell: | + [ -f /usr/share/tor/tor-service-defaults-torrc ] && + [ -h /usr/share/tor/tor-service-defaults-torrc ] && return 0 + [ -f /usr/share/tor/tor-service-defaults-torrc ] || return 0 + mv /usr/share/tor/tor-service-defaults-torrc \ + /usr/share/tor/tor-service-defaults-torrc.bak + ln -s /etc/tor/torrc-defaults /usr/share/tor/tor-service-defaults-torrc diff --git a/tasks/Devuan_post.yml b/tasks/Devuan_post.yml new file mode 100644 index 0000000..948e9ce --- /dev/null +++ b/tasks/Devuan_post.yml @@ -0,0 +1,40 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- +--- + +- debug: + verbosity: 1 + msg: "DEBUG: Including proxy Debian_post.yml SOCKS_PROXYHOST:SOCKS_PROXYPORT= {{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}" + +- name: /etc/apt/apt.conf.d/80proxy.conf + blockinfile: + dest: /etc/apt/apt.conf.d/80proxy.conf + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Debian_post.yml" + state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}" + block: | + Acquire::http::Proxy "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}"; + Acquire::https::Proxy "{{HTTP_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}"; + +- name: /etc/apt/apt.conf.d/70testforge.conf + blockinfile: + dest: /etc/apt/apt.conf.d/70testforge.conf + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml" + state: "{{'absent' if HTTP_PROXYHOST == '' else 'present' }}" + block: | + + Acquire::tor::proxy "socks5h://apt:apt@{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}"; + Acquire::tor::Timeout 60; + when: + - "SOCKS_PROXYHOST != '' and SOCKS_PROXYPORT != ''" + +- name: "/etc/sdwdate.d/30_default.conf" + lineinfile: + dest: /etc/sdwdate.d/30_default.conf + create: true + regexp: "^#*{{ item.name }}.*" + line: "{{ item.name }}={{ item.val }}" + with_items: + - { name: PROXY_IP, val: "{{SOCKS_PROXYHOST}}" } + - { name: PROXY_PORT, val: "{{SOCKS_PROXYPORT}}" } + 
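Review bot: The `no-redirect` block writes `Acquire::http::AllowRedirect=false update;` and `… upgrade;`, which is the `apt -o` command-line spelling rather than apt.conf syntax; as far as I can tell apt rejects the file while parsing its configuration, which would break every apt invocation on the host. The configuration-file form is a single line, `Acquire::http::AllowRedirect "false";`, and the task's `name` should say `no-redirect` rather than `no-cache`. In the last task, `return 0` is used at the top level of a `shell:` script; outside a function bash reports an error and carries on to the `mv`/`ln -s`, so a symlinked `tor-service-defaults-torrc` is moved to `.bak` and recreated on every run, and other shells handle it differently again — `exit 0` is what is meant. The `force-unsafe-io` and marker points raised on `tasks/Debian.yml` apply here as well.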
diff --git a/tasks/Gentoo.yml b/tasks/Gentoo.yml new file mode 100644 index 0000000..3f53b7e --- /dev/null +++ b/tasks/Gentoo.yml 
@@ -0,0 +1,67 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- + +--- + +- name: "DEBUG: proxy Gentoo2.yml" + debug: + verbosity: 1 + msg: "DEBUG: Including proxy Gentoo2.yml" + +- assert: + that: "'{{BOX_OS_FLAVOR}}' in ['Clipos', 'Funtoo', 'Pentoo' , 'Gentoo']" + +- name: "include proxy by-flavour tasks" + include_tasks: "roles/proxy/tasks/{{ ansible_distribution }}/{{ BOX_OS_FLAVOR }}/main.yml" + +- name: install proxy packages proxy_pkgs_inst + environment: "{{ portage_proxy_env }}" + shell: | + cd {{ BASE_ROOT_LOG_DIR }} || exit 2 + retval=0 + /usr/local/bin/usr_local_base.bash box_gentoo_emerge \ + {{proxy_pkgs_bootstrap}} \ + {{proxy_pkgs_inst}} \ + && exit 0 + retval=$? + echo WARN: $retval + exit $retval + when: + - BASE_ARE_CONNECTED|default('') != '' + - ansible_virtualization_role|replace('NA', 'host') == 'host' + ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}" + +- name: install proxy packages GUEST + environment: "{{ portage_proxy_env }}" + shell: | + cd {{ BASE_ROOT_LOG_DIR }} || exit 2 + /usr/local/bin/usr_local_base.bash box_gentoo_emerge \ + {{ proxy_pkgs_bootstrap }} \ + {{ proxy_pkgs_inst_guest }} \ + || exit $? + ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}" + when: + - BASE_ARE_CONNECTED|default('') != '' + - ansible_virtualization_role|replace('NA', 'host') != 'host' + +- name: install cntlm packages + portage: package="net-proxy/cntlm" state=present + when: CORP_NTLM_PROXY|default('') != '' + +- name: /etc/conf.d/consolefont + blockinfile: + dest: "/etc/{{ETC_CONF_D}}/consolefont" + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy Gentoo" + mode: 0644 + owner: "{{BOX_ROOT_USER}}" + group: "{{BOX_ROOT_GROUP}}" + create: yes + block: | + consolefont="ter-v24b" + +- name: rc-update add bootlogd boot + shell: | + rc-update | grep -q 'bootlogd .* boot' || \ + rc-update add bootlogd boot + exit 0 + + 
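Review bot: The `assert` accepts `Clipos` and `Funtoo` for `BOX_OS_FLAVOR`, but the following `include_tasks: "roles/proxy/tasks/{{ ansible_distribution }}/{{ BOX_OS_FLAVOR }}/main.yml"` only has `Gentoo/Gentoo` and `Gentoo/Pentoo` directories in this commit, so those two flavours pass the assert and then fail on a missing file unless the directories exist elsewhere in the role; either trim the list to the flavours that have a directory or add the missing ones. Writing the condition as `that: "BOX_OS_FLAVOR in ['Clipos', 'Funtoo', 'Pentoo', 'Gentoo']"` avoids templating the value into a Jinja expression, which breaks on a flavour name containing a quote. `{{proxy_pkgs_bootstrap}}` and `{{proxy_pkgs_inst}}` are interpolated unquoted into the `shell:` command; that is fine for plain package atoms, but a comment stating that these lists come from the role's own vars rather than from inventory would make the trust boundary explicit.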
diff --git a/tasks/Gentoo/Gentoo/accept_keywords.yml b/tasks/Gentoo/Gentoo/accept_keywords.yml new file mode 100644 index 0000000..70abbb5 --- /dev/null +++ b/tasks/Gentoo/Gentoo/accept_keywords.yml @@ -0,0 +1,15 @@ +# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*- +# This is an automatically generated file: do not edit + +--- + + + +- name: "/etc/portage/package.accept_keywords/2020-03_polipo.txt" + blockinfile: + dest: /etc/portage/package.accept_keywords/2020-03_polipo.txt + create: true + marker: "# {mark} Ansible Managed Block proxy polipo" + block: | + =net-proxy/polipo-9999 ** + diff --git a/tasks/Gentoo/Gentoo/main.yml b/tasks/Gentoo/Gentoo/main.yml new file mode 100644 index 0000000..3f9576c --- /dev/null +++ b/tasks/Gentoo/Gentoo/main.yml @@ -0,0 +1,16 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- + +--- + +- name: "proxy Gentoo/Pentoo.yml" + debug: + verbosity: 1 + msg: "proxy Gentoo/Pentoo.yml" + +- include_tasks: Gentoo/Pentoo/portage.yml + +- include_tasks: Gentoo/Pentoo/use.yml + +#- include_tasks: Gentoo/Pentoo/mask.yml + +- include_tasks: Gentoo/Pentoo/accept_keywords.yml diff --git a/tasks/Gentoo/Gentoo/portage.yml b/tasks/Gentoo/Gentoo/portage.yml new file mode 100644 index 0000000..defde75 --- /dev/null +++ b/tasks/Gentoo/Gentoo/portage.yml @@ -0,0 +1,8 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- + +--- + +- name: "proxy Gentoo/Pentoo/portage.yml" + debug: + verbosity: 1 + msg: "proxy Gentoo/Pentoo/portage.yml" diff --git a/tasks/Gentoo/Gentoo/use.yml b/tasks/Gentoo/Gentoo/use.yml new file mode 100644 index 0000000..0e49b62 --- /dev/null +++ b/tasks/Gentoo/Gentoo/use.yml 
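Review bot: `tasks/Gentoo/Gentoo/main.yml` includes `Gentoo/Pentoo/portage.yml`, `Gentoo/Pentoo/use.yml` and `Gentoo/Pentoo/accept_keywords.yml` (it is the same blob `3f9576c` as the Pentoo copy), so the `Gentoo/Gentoo/use.yml` and `Gentoo/Gentoo/accept_keywords.yml` added alongside it are never loaded; the includes should point at `Gentoo/Gentoo/…` and the debug message at `Gentoo/Gentoo`. The include paths are relative while the parent `tasks/Gentoo.yml` uses `roles/proxy/tasks/…`; worth confirming both resolve from the same base. `=net-proxy/polipo-9999 **` in the generated `accept_keywords.yml` unmasks a live ebuild, i.e. an unpinned upstream checkout, for a proxy daemon; if that is deliberate, a comment in the generator's input on why no released version is used would help whoever audits the package set.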
@@ -0,0 +1,55 @@ +# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*- +# This is an automatically generated file: do not edit + +--- + + + +- name: "/etc/portage/package.use/2022-08_nss.txt" + blockinfile: + dest: /etc/portage/package.use/2022-08_nss.txt + create: true + marker: "# {mark} Ansible Managed Block proxy curl" + block: | + net-misc/curl openssl -progress-meter alt-svc adns ftp http2 imap -ipv6 pop3 smtp ssh ssl tftp zstd -samba -sslv3 -threads -winssl -nss # -curl_ssl_gnutls -curl_ssl_mbedtls -curl_ssl_nss curl_ssl_openssl -curl_ssl_rustls + +- name: "/etc/portage/package.use/2017-01-01_libguestfs.txt" + blockinfile: + dest: /etc/portage/package.use/2017-01-01_libguestfs.txt + create: true + marker: "# {mark} Ansible Managed Block proxy unzip" + block: | + app-arch/unzip natspec + +- name: "/etc/portage/package.use/2020-00_ipv6.txt" + blockinfile: + dest: /etc/portage/package.use/2020-00_ipv6.txt + create: true + marker: "# {mark} Ansible Managed Block proxy nmap" + block: | + net-analyzer/nmap -ipv6 + +- name: "/etc/portage/package.use/2021-00_verify-sig.txt" + blockinfile: + dest: /etc/portage/package.use/2021-00_verify-sig.txt + create: true + marker: "# {mark} Ansible Managed Block proxy nmap" + block: | + net-analyzer/nmap verify-sig + +- name: "/etc/portage/package.use/2019-02_rkhunter.txt" + blockinfile: + dest: /etc/portage/package.use/2019-02_rkhunter.txt + create: true + marker: "# {mark} Ansible Managed Block proxy lsof" + block: | + sys-process/lsof rpc + +- name: "/etc/portage/package.use/2020-00_ipv6.txt" + blockinfile: + dest: /etc/portage/package.use/2020-00_ipv6.txt + create: true + marker: "# {mark} Ansible Managed Block proxy lsof" + block: | + sys-process/lsof -ipv6 + diff --git a/tasks/Gentoo/Pentoo/accept_keywords.yml b/tasks/Gentoo/Pentoo/accept_keywords.yml new file mode 100644 index 0000000..70abbb5 --- /dev/null +++ b/tasks/Gentoo/Pentoo/accept_keywords.yml 
@@ -0,0 +1,15 @@ +# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*- +# This is an automatically generated file: do not edit + +--- + + + +- name: "/etc/portage/package.accept_keywords/2020-03_polipo.txt" + blockinfile: + dest: /etc/portage/package.accept_keywords/2020-03_polipo.txt + create: true + marker: "# {mark} Ansible Managed Block proxy polipo" + block: | + =net-proxy/polipo-9999 ** + diff --git a/tasks/Gentoo/Pentoo/main.yml b/tasks/Gentoo/Pentoo/main.yml new file mode 100644 index 0000000..3f9576c --- /dev/null +++ b/tasks/Gentoo/Pentoo/main.yml @@ -0,0 +1,16 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- + +--- + +- name: "proxy Gentoo/Pentoo.yml" + debug: + verbosity: 1 + msg: "proxy Gentoo/Pentoo.yml" + +- include_tasks: Gentoo/Pentoo/portage.yml + +- include_tasks: Gentoo/Pentoo/use.yml + +#- include_tasks: Gentoo/Pentoo/mask.yml + +- include_tasks: Gentoo/Pentoo/accept_keywords.yml diff --git a/tasks/Gentoo/Pentoo/portage.yml b/tasks/Gentoo/Pentoo/portage.yml new file mode 100644 index 0000000..defde75 --- /dev/null +++ b/tasks/Gentoo/Pentoo/portage.yml @@ -0,0 +1,8 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- + +--- + +- name: "proxy Gentoo/Pentoo/portage.yml" + debug: + verbosity: 1 + msg: "proxy Gentoo/Pentoo/portage.yml" diff --git a/tasks/Gentoo/Pentoo/use.yml b/tasks/Gentoo/Pentoo/use.yml new file mode 100644 index 0000000..0e49b62 --- /dev/null +++ b/tasks/Gentoo/Pentoo/use.yml 
@@ -0,0 +1,55 @@ +# -*- mode: yaml; tab-width: 0; coding: utf-8-unix -*- +# This is an automatically generated file: do not edit + +--- + + + +- name: "/etc/portage/package.use/2022-08_nss.txt" + blockinfile: + dest: /etc/portage/package.use/2022-08_nss.txt + create: true + marker: "# {mark} Ansible Managed Block proxy curl" + block: | + net-misc/curl openssl -progress-meter alt-svc adns ftp http2 imap -ipv6 pop3 smtp ssh ssl tftp zstd -samba -sslv3 -threads -winssl -nss # -curl_ssl_gnutls -curl_ssl_mbedtls -curl_ssl_nss curl_ssl_openssl -curl_ssl_rustls + +- name: "/etc/portage/package.use/2017-01-01_libguestfs.txt" + blockinfile: + dest: /etc/portage/package.use/2017-01-01_libguestfs.txt + create: true + marker: "# {mark} Ansible Managed Block proxy unzip" + block: | + app-arch/unzip natspec + +- name: "/etc/portage/package.use/2020-00_ipv6.txt" + blockinfile: + dest: /etc/portage/package.use/2020-00_ipv6.txt + create: true + marker: "# {mark} Ansible Managed Block proxy nmap" + block: | + net-analyzer/nmap -ipv6 + +- name: "/etc/portage/package.use/2021-00_verify-sig.txt" + blockinfile: + dest: /etc/portage/package.use/2021-00_verify-sig.txt + create: true + marker: "# {mark} Ansible Managed Block proxy nmap" + block: | + net-analyzer/nmap verify-sig + +- name: "/etc/portage/package.use/2019-02_rkhunter.txt" + blockinfile: + dest: /etc/portage/package.use/2019-02_rkhunter.txt + create: true + marker: "# {mark} Ansible Managed Block proxy lsof" + block: | + sys-process/lsof rpc + +- name: "/etc/portage/package.use/2020-00_ipv6.txt" + blockinfile: + dest: /etc/portage/package.use/2020-00_ipv6.txt + create: true + marker: "# {mark} Ansible Managed Block proxy lsof" + block: | + sys-process/lsof -ipv6 + diff --git a/tasks/Gentoo_post.yml b/tasks/Gentoo_post.yml new file mode 100644 index 0000000..d644f0f --- /dev/null +++ b/tasks/Gentoo_post.yml 
@@ -0,0 +1,104 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- +--- + +- name: "DEBUG: proxy Gentoo_post.yml" + debug: + verbosity: 1 + msg: "DEBUG: Including proxy Gentoo_post.yml" + +- name: proxy http equals + blockinfile: + dest: "{{ item.dest }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http equals" +# state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}" + block: | + # emerge does not seem to pick up .gitconfig settings for proxy from ~portage/.gitconfig + # neded to get these form the environment or hosts.yml + # fucking google go calls home during COMPILE + #NO api/services/events/v1/events.pb.go:15:2: google.golang.org/grpc@v1.43.0: Get "https://proxy.golang.org/google.golang.org/grpc/@v/v1.43.0.zip": proxyconnect tcp: dial tcp 127.0.0.1:9128: connect: connection refused + + # allow + #NO http_proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}} + #NO https_proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}} + #NO socks_proxy={{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}} + # NO RSYNC_PROXY={{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}} + http_proxy=http://127.0.0.1:666 + https_proxy=http://127.0.0.1:666 + socks_proxy=socks5h://127.0.0.1:666 + no_proxy="{{ NO_PROXY }}" + RSYNC_PROXY=127.0.0.1:666 + + when: + - "item.bool == 'yes'" + with_items: + - dest: "/etc/portage/make.conf" + owner: "portage" + group: "portage" + mode: "0644" + bool: "{{ 'yes' if ansible_distribution == 'Gentoo' else 'no' }}" + +- name: proxy http CURL_OPTS + blockinfile: + dest: "{{ item.dest }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http CURL_OPTS" +# state: "{{ 'present' if SOCKS_PROXY != '' else 'absent' }}" + block: | + CURL_OPTS="--cert-status --connect-timeout 30 {{ '--tlsv1.3' if BOX_TLS_VERSION == '1.3' else '--tlsv1.2' }} --location 
--proto-redir https --proto-default https --proto =https -x ${socks_proxy} --fail" + when: + - "item.bool == 'yes'" + with_items: + - dest: "/etc/portage/make.conf" + owner: "portage" + group: "portage" + mode: "0644" + bool: "{{ 'yes' if ansible_distribution == 'Gentoo' else 'no' }}" + +- name: proxy http FETCHCOMMAND + blockinfile: + dest: "{{ item.dest }}" + owner: "{{ item.owner }}" + group: "{{ item.group }}" + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http FETCHCOMMAND" +# state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}" + block: | + #FETCHCOMMAND='wget -t 1 -T 10 --passive-ftp -O "\${DISTDIR}/\${FILE}" "\${URI}"' + + FETCHCOMMAND='/usr/local/bin/scurl.bash -- --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"' + FETCHCOMMAND_HTTP='/usr/local/bin/scurl.bash -- --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"' + FETCHCOMMAND_HTTPS='/usr/local/bin/scurl.bash -- --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"' + + RESUMECOMMAND='/usr/local/bin/scurl.bash -- -C - --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"' + RESUMECOMMAND_HTTP='/usr/local/bin/scurl.bash -- -C - --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"' + RESUMECOMMAND_HTTPS='/usr/local/bin/scurl.bash -- -C - --retry 1 --output "\${DISTDIR}/\${FILE}" "\${URI}"' + + when: + - "item.bool == 'yes'" + with_items: + - dest: "/etc/portage/make.conf" + owner: "portage" + group: "portage" + mode: "0644" + bool: "{{ 'yes' if ansible_distribution == 'Gentoo' else 'no' }}" + +- name: /etc/portage/make.conf PORTAGE_RSYNC_EXTRA_OPTS + blockinfile: + dest: /etc/portage/make.conf + create: no + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy [PORTAGE_RSYNC_EXTRA_OPTS]" + block: | + PORTAGE_RSYNC_RETRIES=5 + #mgorny suggested this speeds up sync, in my testing it makes a rather large difference + PORTAGE_RSYNC_EXTRA_OPTS="--omit-dir-times -4 --timeout=20" + + + + + + diff --git a/tasks/Msys.yml b/tasks/Msys.yml new file mode 100755 index 0000000..32c013f --- /dev/null 
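Review bot: The three blockinfile tasks on /etc/portage/make.conf carry `mode: "0644"` in their `with_items` entry but never hand it to the module (`owner` and `group` are passed, `mode` is not), so a make.conf created by `create: yes` gets the umask default instead; add `mode: "{{ item.mode }}"` beside `group`. The templated proxy lines are commented out (`#NO http_proxy=…`) in favour of hard-coded `http://127.0.0.1:666` / `socks5h://127.0.0.1:666`, and `CURL_OPTS` then sends every fetch through `-x ${socks_proxy}`; if nothing listens on 666 this is a deliberate fail-closed setting (the comment above suggests the goal is to stop Go module downloads during compile), but that intent needs to be stated in a comment and the dead `#NO` lines removed or the port taken from `{{ SOCKS_PROXYPORT }}`, because a literal 666 reads as a typo to the next maintainer. The `bool: "{{ 'yes' if ansible_distribution == 'Gentoo' else 'no' }}"` plus `when: item.bool == 'yes'` indirection could simply be `when: ansible_distribution == 'Gentoo'` on each task.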
+++ b/tasks/Msys.yml @@ -0,0 +1,28 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- + +--- + +- name: "DEBUG: Including proxy Msys.yml" + debug: + verbosity: 1 + msg: "DEBUG: Including proxy Msys.yml BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}" + +- name: netsh interface ip set address name="Ethernet0" static 10.1.2.220 255.255.255.0 10.1.2.1 + shell: | + # https://pureinfotech.com/set-static-ip-address-windows-10/ + netsh interface ip set address name="{{BOX_DEFAULT_OUTPUT_IF}}" static 10.152.152.13 255.255.255.0 10.152.152.10 + +- name: "proxy local_connection.yml" + include_tasks: "local_connection.yml" + +- block: + + - name: mvmc_setup.msi + shell: | + [ -f /e/net/Http/https://github.com/xavery/mvmc_setup/releases/download/2014_11_10/mvmc_setup.msi ] \ + wget --restrict-file-names=windows -xcP /e/net/Http \ + https://github.com/xavery/mvmc_setup/releases/download/2014_11_10/mvmc_setup.msi || \ + exit 1 + [ -d /c/Program Files/ ] || \ + start "/e/net/Http/github.com/xavery/mvmc_setup/releases/download/2014_11_10/mvmc_setup.msi" //quiet + diff --git a/tasks/Ubuntu.yml b/tasks/Ubuntu.yml new file mode 100644 index 0000000..5c398bc --- /dev/null +++ b/tasks/Ubuntu.yml 
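Review bot: The mvmc_setup.msi block downloads a third-party installer and then executes it (`start … //quiet`) without any checksum or signature check, so a redirect or compromised mirror runs arbitrary code on the Windows host; pin the expected SHA-256 in a role variable and verify it before `start`. The shell also looks broken as written: `[ -f …mvmc_setup.msi ] \` continues straight onto the `wget` line with no `||`, so `[` receives wget's arguments and fails, and the tested path keeps the `https://` scheme whereas `wget -xcP /e/net/Http` writes to `/e/net/Http/github.com/...` (the path the `start` line uses), so the download is always retried; `[ -d /c/Program Files/ ]` is unquoted and, once quoted, is presumably always true on Windows, so the installer would never run. The `netsh … static 10.152.152.13 … 10.152.152.10` task hard-codes addresses and re-runs on every play; it should be gated on a variable or given a `changed_when`.
```yaml
  - name: mvmc_setup.msi
    shell: |
      MSI=/e/net/Http/github.com/xavery/mvmc_setup/releases/download/2014_11_10/mvmc_setup.msi
      [ -f "$MSI" ] || \
        wget --restrict-file-names=windows -xcP /e/net/Http \
          https://github.com/xavery/mvmc_setup/releases/download/2014_11_10/mvmc_setup.msi || \
        exit 1
      # refuse to execute an installer whose digest does not match the pinned value
      echo "{{ PROXY_MVMC_SHA256 }} *$MSI" | sha256sum -c - || exit 2
      # FixMe: this should test the MVMC install directory, not Program Files itself
      [ -d "/c/Program Files/" ] || \
        start "$MSI" //quiet
```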
@@ -0,0 +1,41 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- +--- + +- name: "DEBUG: Including proxy Ubuntu.yml" + debug: + verbosity: 1 + msg: "DEBUG: Including proxy Ubuntu.yml" + +- name: install proxy_debs_inst packages + environment: + - "RUNLEVEL": 1 + shell: | + apt-get install {{ proxy_debs_inst|join(' ') }} -y \ + {{ '--print-uris' if BASE_ARE_CONNECTED|default('') == '' else '' }} + ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}" + when: + - not ansible_check_mode + +- name: install cntlm packages + environment: + - "RUNLEVEL": 1 + apt: + force_apt_get: true + name: "cntlm" + state: latest + update_cache: no + ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}" + when: + - not ansible_check_mode + - BASE_ARE_CONNECTED|default('') != '' + +- name: "/etc/default/console-setup" + lineinfile: + dest: /etc/default/console-setup + regexp: "^#* *{{item.name}}.*" + line: '{{ item.name }}="{{ item.val }}"' + state: present + with_items: + - { name: FONTFACE, val: "TerminusBold" } + - { name: FONTSIZE, val: "12x24" } + diff --git a/tasks/Ubuntu16.yml b/tasks/Ubuntu16.yml new file mode 100644 index 0000000..70fb55f --- /dev/null +++ b/tasks/Ubuntu16.yml 
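Review bot: The "install cntlm packages" task installs the NTLM proxy unconditionally, whereas the Ubuntu16.yml variant added in the same commit gates it on `CORP_NTLM_PROXY|default('') != ''`; cntlm is only useful when an upstream NTLM proxy exists and its configuration ends up holding domain credentials, so add the same `- CORP_NTLM_PROXY|default('') != ''` condition here. The first task runs `apt-get install {{ proxy_debs_inst|join(' ') }} -y --print-uris` through `shell` with the package list unquoted; the `apt` module with `name: "{{ proxy_debs_inst }}"`, as Ubuntu16.yml does, avoids the shell round-trip, and when offline `--print-uris` only lists URLs yet the task still reports changed. The console-setup font task has nothing to do with proxying and presumably belongs in base_role.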
@@ -0,0 +1,35 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- +--- + +- name: "DEBUG: proxy Ubuntu14.yml" + debug: + verbosity: 1 + msg: "DEBUG: Including proxy Ubuntu14.yml" + +- name: install proxy_debs_inst packages + environment: + - "RUNLEVEL": 1 + apt: + force_apt_get: true + name: "{{ proxy_debs_inst }}" + state: latest + update_cache: no + ignore_errors: BASE_ARE_CONNECTED|default('') == '' + when: + - BASE_ARE_CONNECTED|default('') != '' + - not ansible_check_mode + +- name: install cntlm packages + environment: + - "RUNLEVEL": 1 + apt: + force_apt_get: true + name: "cntlm" + state: latest + update_cache: no + ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}" + when: + - not ansible_check_mode + - CORP_NTLM_PROXY|default('') != '' + - BASE_ARE_CONNECTED|default('') != '' + diff --git a/tasks/Ubuntu16_no_systemd.yml b/tasks/Ubuntu16_no_systemd.yml new file mode 100644 index 0000000..03005cb --- /dev/null +++ b/tasks/Ubuntu16_no_systemd.yml @@ -0,0 +1,11 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- + +# http://without-systemd.org/wiki/index.php/How_to_remove_systemd_from_an_Ubuntu_Xenial_installation + +--- + +- name: "DEBUG: Including proxy Ubuntu16_no_systemd.yml" + debug: + verbosity: 1 + msg: "DEBUG: Including proxy Ubuntu16_no_systemd.yml" + diff --git a/tasks/Ubuntu_post.yml b/tasks/Ubuntu_post.yml new file mode 100644 index 0000000..4db99a2 --- /dev/null +++ b/tasks/Ubuntu_post.yml 
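Review bot: `ignore_errors: BASE_ARE_CONNECTED|default('') == ''` on the proxy_debs_inst task is a bare string rather than a template — compare `ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"` on the cntlm task below — so Ansible will, as far as I can tell, try to read that literal text as a boolean and reject it; and because the task already has `when: BASE_ARE_CONNECTED|default('') != ''`, the expression would be false whenever the task runs anyway. Use `ignore_errors: "{{ BASE_PKG_IGNORE_ERRORS }}"` for consistency with the rest of the role. The debug task inside Ubuntu16.yml labels itself "proxy Ubuntu14.yml"; fix the message so logs point at the right file.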
@@ -0,0 +1,23 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- +--- + +- debug: + verbosity: 1 + msg: "DEBUG: Including proxy Ubuntu_post.yml" + +- name: /etc/apt/apt.conf.d/80proxy.conf + blockinfile: + dest: /etc/apt/apt.conf.d/80proxy.conf + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy" + block: | + Acquire::http::Proxy "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}"; + Acquire::https::Proxy "{{HTTP_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}"; + when: HTTP_PROXYHOST != '' + +- name: /etc/apt/apt.conf.d/80proxy.conf + file: + path: /etc/apt/apt.conf.d/80proxy.conf + state: absent + when: HTTP_PROXYHOST == '' + diff --git a/tasks/dirmngr.err b/tasks/dirmngr.err new file mode 100644 index 0000000..bd441d5 --- /dev/null +++ b/tasks/dirmngr.err 
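Review bot: `Acquire::https::Proxy` is assembled from `{{HTTP_PROXYTYPE}}` together with `{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}`, while Gentoo_post.yml pairs the https host and port with `HTTPS_PROXYTYPE`; if the two proxies use different schemes apt will speak the wrong protocol to the https proxy, so write `Acquire::https::Proxy "{{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}";`. Both tasks also key only on `HTTP_PROXYHOST`, so a host configured with an https proxy but no http proxy has 80proxy.conf removed entirely; consider `when: HTTP_PROXYHOST != '' or HTTPS_PROXYHOST != ''` on the first task and the negation on the second.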
@@ -0,0 +1,20 @@ +3root@Ulati:# dirmngr --help|less +3root@Ulati:# dirmngr --server --http-proxy $http_proxy & +[1] 8783 +3root@Ulati:# dirmngr[8783]: No ldapserver file at: '/root/.gnupg/dirmngr_ldapservers.conf' +dirmngr[8783.0]: oops: ksba_cert_hash failed: No value +dirmngr[8783.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Invalid certificate object +dirmngr[8783.0]: oops: ksba_cert_hash failed: No value +dirmngr[8783.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Invalid certificate object +dirmngr[8783.0]: oops: ksba_cert_hash failed: No value +dirmngr[8783.0]: error loading certificate '/etc/ssl/certs/ca-certificates.crt': Invalid certificate object +ksba: ERROR: object length field 2 octects too large +ksba: ERROR: object length field 12 octects too large +ksba: ERROR: object length field 12 octects too large +ksba: ERROR: object length field 71 octects too large +ksba: ERROR: object length field 59 octects too large +ksba: ber-decoder: node `?': TLV length too large +dirmngr[8783.0]: can't parse certificate '/etc/ssl/certs/ca-certificates.crt': BER error +dirmngr[8783.0]: permanently loaded certificates: 2 +dirmngr[8783.0]: runtime cached certificates: 0 +dirmngr[8783.0]: trusted certificates: 2 (1,0,0,1) diff --git a/tasks/dirmngr.hlp b/tasks/dirmngr.hlp new file mode 100644 index 0000000..4f67185 --- /dev/null +++ b/tasks/dirmngr.hlp 
@@ -0,0 +1,54 @@ +dirmngr (GnuPG) 2.2.12 +Copyright (C) 2018 Free Software Foundation, Inc. +License GPLv3+: GNU GPL version 3 or later +This is free software: you are free to change and redistribute it. +There is NO WARRANTY, to the extent permitted by law. + +Syntax: dirmngr [options] [command [args]] +Keyserver, CRL, and OCSP access for GnuPG + +Commands: + + --server run in server mode (foreground) + --daemon run in daemon mode (background) + --supervised run in supervised mode + --list-crls list the contents of the CRL cache + --load-crl FILE load CRL from FILE into cache + --fetch-crl URL fetch a CRL from URL + --shutdown shutdown the dirmngr + --flush flush the cache + +Options: + + -v, --verbose verbose + -q, --quiet be somewhat more quiet + -s, --sh sh-style command output + -c, --csh csh-style command output + --options FILE read options from FILE + --debug-level LEVEL set the debugging level to LEVEL + --no-detach do not detach from the console + --log-file FILE write server mode logs to FILE + --batch run without asking a user + --force force loading of outdated CRLs + --allow-ocsp allow sending OCSP requests + --allow-version-check allow online software version check + --disable-http inhibit the use of HTTP + --disable-ldap inhibit the use of LDAP + --ignore-http-dp ignore HTTP CRL distribution points + --ignore-ldap-dp ignore LDAP CRL distribution points + --ignore-ocsp-service-url ignore certificate contained OCSP service URLs + --http-proxy URL redirect all HTTP requests to URL + --ldap-proxy HOST use HOST for LDAP queries + --only-ldap-proxy do not use fallback hosts with --ldap-proxy + --ldapserverlist-file FILE read LDAP server list from FILE + --add-servers add new servers discovered in CRL distribution points to serverlist + --ldaptimeout N set LDAP timeout to N seconds + --ocsp-responder URL use OCSP responder at URL + --ocsp-signer FPR OCSP response signed by FPR + --max-replies N do not return more than N items in one query + --hkp-cacert 
FILE use the CA certificates in FILE for HKP over TLS + --use-tor route all network traffic via Tor + +(See the "info" manual for a complete listing of all commands and options) + +Please report bugs to . diff --git a/tasks/dirmngr.sh b/tasks/dirmngr.sh new file mode 100644 index 0000000..c64b9cf --- /dev/null +++ b/tasks/dirmngr.sh @@ -0,0 +1 @@ +dirmngr --server --http-proxy http://127.0.0.1:3128 --options /etc/dirmngr/dirmngr.conf --disable-ldap --hkp-cacert /usr/local/etc/ssl/cacert-testforge.pem --log-file /var/log/dirmngr.log --no-detach diff --git a/tasks/dirmngr.yml b/tasks/dirmngr.yml new file mode 100644 index 0000000..fb57023 --- /dev/null +++ b/tasks/dirmngr.yml 
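Review bot: tasks/dirmngr.sh hard-codes `--http-proxy http://127.0.0.1:3128` and `--hkp-cacert /usr/local/etc/ssl/cacert-testforge.pem`, duplicating the proxy host/port and the PROXY_GNUPG_CERTS list that dirmngr.yml templates into /etc/dirmngr/dirmngr.conf, so the two will drift; either generate this line from the same variables or drop the file and rely on the conf. It has no shebang and consists of a single command, so it is a snippet rather than a script; if it is kept, add `#!/bin/sh` and a comment such as `# manual debugging invocation of dirmngr; production settings live in dirmngr.yml`. The adjacent dirmngr.err and dirmngr.hlp look like captured terminal output (including a hostname) and do not belong under tasks/.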
@@ -0,0 +1,172 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- + +--- + +- name: "DEBUG: proxy dirmngr.yml" + debug: + verbosity: 1 + msg: "DEBUG: Including proxy dirmngr.yml" + +- name: /etc/gnupg/ + shell: | + [ -d "/etc/gnupg" ] || mkdir -p "{{USR_LOCAL}}/etc/gnupg" + + +- name: /etc/dirmngr/dirmngr.conf + lineinfile: + dest: "/etc/dirmngr/dirmngr.conf" + insertbefore: BOF + mode: 0755 + owner: "{{BOX_ROOT_USER}}" + group: "{{BOX_ROOT_GROUP}}" + create: yes + regexp: "# -.- mode: conf; tab-width: 0; coding: utf-8-unix -.-" + line: "# -*- mode: conf; tab-width: 0; coding: utf-8-unix -*-" + when: + - not ansible_check_mode + # FixMe: + ignore_errors: true + +- name: /etc/gnupg/gpgconf.conf + lineinfile: + dest: "/etc/gnupg/gpgconf.conf" + # insertbefore: BOF + mode: 0755 + owner: "{{BOX_ROOT_USER}}" + group: "{{BOX_ROOT_GROUP}}" + create: yes + state: "{{item.state}}" + regexp: "^#*{{item.key}} .*" + line: "{{item.key}} {{item.val}}" + when: + - not ansible_check_mode + with_items: + - key: keyserver-options + val: no-try-dns-srv + # Debian! gpg: keyserver option 'no-try-dns-srv' is unknown + # gentoo unknown - dirmngr ? 
+ state: absent + - key: debug-level + val: "4" + # not on gentoo + state: "{{ 'present' if ansible_distribution != 'Gentoo' else 'absent' }}" +# - key: connect-timeout +# val: "20" +# value: "" +# state: present + + +- name: /etc/dirmngr/dirmngr.conf + blockinfile: + dest: "/etc/dirmngr/dirmngr.conf" + create: false + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml head" + block: | + verbose + debug-all + standard-resolver + disable-ldap + when: + - not ansible_check_mode + +- name: /etc/dirmngr/dirmngr.conf + blockinfile: + dest: /etc/dirmngr/dirmngr.conf + create: true + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml ipv6" + block: | + disable-ipv6 + when: + - not ansible_check_mode + - BASE_IPV6_DISABLE == 1 + +- name: /etc/dirmngr/dirmngr.conf + blockinfile: + dest: "/etc/dirmngr/dirmngr.conf" + create: false + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml head" + block: | + {% for elt in PROXY_GNUPG_SERVERS %} + keyserver hkp://{{ elt }} + {% endfor %} + {% for elt in PROXY_GNUPG_CERTS %} + hkp-cacert {{ elt }} + {% endfor %} + when: + - not ansible_check_mode + + +- name: /var/log/dirmngr.log + shell: | + [ -f /var/log/dirmngr.log ] || touch /var/log/dirmngr.log + chown root /var/log/dirmngr.log + args: + creates: /var/log/dirmngr.log + +- name: /etc/dirmngr/dirmngr.conf.tor + shell: | + [ -e /etc/dirmngr/dirmngr.conf.tor ] || \ + cp -p /etc/dirmngr/dirmngr.conf /etc/dirmngr/dirmngr.conf.tor + when: + - PROXY_MODE == 'tor' + +- name: /etc/dirmngr/dirmngr.conf use-tor + blockinfile: + dest: "/etc/dirmngr/dirmngr.conf" + create: true + marker: "# {mark} ANSIBLE MANAGED BLOCK tor" + block: | + use-tor + # https://keys.openpgp.org/about/usage + keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion + + when: + - not ansible_check_mode + - PROXY_MODE == 'tor' + +- name: /etc/dirmngr/dirmngr.conf.whonix + shell: | + [ -e /etc/dirmngr/dirmngr.conf.whonix ] || \ + cp -p /etc/dirmngr/dirmngr.conf 
/etc/dirmngr/dirmngr.conf.whonix + when: + - PROXY_MODE == 'whonix' + +# This is not enough: +- name: /usr/bin/dirmngr.bin + # FixMe: blockinfile + shell: | + # /usr/bin/dirmngr.bin --dump-options >> /tmp/$$.out + [ -d /etc/dirmngr ] || mkdir /etc/dirmngr + [ -f /etc/dirmngr/dirmngr.conf ] || touch /etc/dirmngr/dirmngr.conf + grep -q disable-ipv6 /etc/dirmngr/dirmngr.conf ] || \ + echo disable-ipv6 >> /etc/dirmngr/dirmngr.conf + args: + creates: /etc/dirmngr/dirmngr.conf + when: + - not ansible_check_mode + - BASE_IPV6_DISABLE == 1 + +- block: + + - name: /usr/bin/dirmngr.bin + shell: | + [ -f /usr/local/bin/proxy_dirmngr.bash ] || exit 1 + + # This is recent + cd /usr/bin/ + if [ ! -f dirmngr.bin ] ; then + mv dirmngr dirmngr.bin + elif file dirmngr | grep -q ELF ; then + mv dirmngr dirmngr.bin + fi + + [ -h dirmngr ] || ln -s /usr/local/bin/proxy_dirmngr.bash dirmngr + + chmod 755 dirmngr /usr/local/bin/proxy_dirmngr.bash + [ -x /usr/local/bin/proxy_dirmngr.bash ] || exit 2 + + when: + # the --keyserver may be required even with ipv6 + - true or BASE_IPV6_DISABLE == 1 + - not ansible_check_mode + diff --git a/tasks/dns-dnscrypt.yml b/tasks/dns-dnscrypt.yml new file mode 100644 index 0000000..1709bad --- /dev/null +++ b/tasks/dns-dnscrypt.yml 
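Review bot: Two blockinfile tasks on /etc/dirmngr/dirmngr.conf use the identical marker `"# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml head"`, so the keyserver/hkp-cacert block replaces the earlier `verbose`/`debug-all`/`standard-resolver`/`disable-ldap` block on every run; give the later one its own marker, e.g. `marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dirmngr.yml keyservers"`. The keyservers are written as `keyserver hkp://{{ elt }}`, i.e. plaintext and unauthenticated, while `hkp-cacert` only applies to hkps, so the CA list does nothing unless the scheme becomes `hkps://`. Smaller defects: the `/etc/gnupg/` task tests `/etc/gnupg` but creates `{{USR_LOCAL}}/etc/gnupg`; both config files get `mode: 0755` where 0644 is appropriate; and in the dirmngr.bin task `grep -q disable-ipv6 /etc/dirmngr/dirmngr.conf ]` has a stray `]` that grep treats as a filename, although the task's `creates:` means it never runs once the conf exists. The final block replaces the package-managed /usr/bin/dirmngr with a symlink to /usr/local/bin/proxy_dirmngr.bash; a package upgrade will undo this silently and package integrity checks will flag it, so the README should say so.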
@@ -0,0 +1,203 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- + +--- + +- name: "dns-dnscrypt.yml" + debug: + verbosity: 1 + msg: "dns-dnscrypt.yml socks5={{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}" + +- name: "/var/local/src/dnscrypt-proxy" + file: + dest: "{{ item }}" + state: directory + mode: 0755 + owner: "{{ BOX_USER_NAME }}" + group: "{{ BOX_ALSO_GROUP }}" + with_items: + - "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy" + - "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy" + +- name: "untar dnscrypt tgz" + shell: | + URL="{{ PROXY_DNSCRYPT_TGZ_URL }}" + [ -f {{PROXY_VAR_LOCAL}}/net/Http/$URL ] || \ + wget {{BASE_WGET_ARGS}} -xcqP {{PROXY_VAR_LOCAL}}/net/Http/ https://$URL + which dnscrypt-proxy 2>/dev/null || \ + tar xvfz {{PROXY_VAR_LOCAL}}/net/Http/$URL \ + -C "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy" + args: + creates: "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy" + when: "BASE_ARE_CONNECTED|default('') != ''" + +- name: "roles/privacy/templates/etc/example-dnscrypt-proxy.toml" + template: + force: no + src: templates/etc/example-dnscrypt-proxy.toml + dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml" + mode: 0644 + owner: "{{BOX_ROOT_USER}}" + group: "{{ BOX_ALSO_GROUP }}" + +- name: "get generate-domains-blacklist.py" + uri: + url: https://github.com/jedisct1/dnscrypt-proxy/raw/master/utils/generate-domains-blacklists/generate-domains-blacklist.py + dest: "{{PROXY_VAR_LOCAL}}/bin/generate-domains-blacklist.py" + creates: "{{PROXY_VAR_LOCAL}}/bin/generate-domains-blacklist.py" + mode: 0775 + owner: "{{ BOX_USER_NAME }}" + group: "{{ BOX_ALSO_GROUP }}" + notify: shebang after pip + # in tar + when: false and "BASE_ARE_CONNECTED|default('') != ''" + +- name: "Invalid rule *.workgroup - wildcards can only be used as a suffix" + shell: | + sed -e '/^\\*/d' -i {{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/domains-blacklist-local-additions.txt + +# why? 
dir +- name: "touch {{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy" + file: + dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy" + state: touch + mode: 0644 + owner: "{{ BOX_USER_NAME }}" + group: "{{ BOX_ALSO_GROUP }}" + when: false + +- name: "symlink /etc/dnscrypt-proxy.toml" + file: + dest: /etc/dnscrypt-proxy.toml + src: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml" + state: link + when: not ansible_check_mode + +- name: "forward dnscrypt-proxy to SOCKS5 - socks5 or tor/harden or privacy" + lineinfile: + dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml" + regexp: '^#* *{{item.name}} =.*' + line: "{{item.name}} = {{item.val}}" + state: present + backup: no + with_items: + - { name: "proxy", val: "'socks5://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}'" } + - { name: "force_tcp", val: "true" } + when: not ansible_check_mode and ( SOCKS_PROXY|default('') != "" or 'privacy' in ROLES ) + +- name: "dnscrypt-proxy settings" + lineinfile: + dest: "{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy.toml" + regexp: '^ *#* *{{item.name}} =.*' + line: "{{item.name}} = {{item.val}}" + state: present + backup: no + with_items: + - { name: "log_file", val: "'{{PROXY_VAR_LOCAL}}/var/log/dnscrypt-proxy.log'" } + - { name: "log_level", val: 2 } + - { name: "listen_addresses", val: "['127.0.0.1:53']" } + #? server_names = ['bn-fr0', 'bn-fr1', 'bn-nl0', 'cs-cfi', 'cs-cfii', 'cs-ch', 'cs-de', 'cs-de3', 'cs-dk', 'cs-dk2', 'cs-es', 'cs-fi', 'cs-fr', 'cs-fr2', 'cs-lt', 'cs-lv', 'cs-md', 'cs-nl', 'cs-pl', 'cs-pt', 'cs-ro', 'cs-rome', 'cs-uk', 'cs-useast', 'cs-useast2', 'cs-usnorth', 'cs-ussouth', 'cs-ussouth2', 'cs-uswest', 'cs-uswest3', 'cs-uswest5', 'dnscrypt.ca-2', 'dnscrypt.eu-dk', 'dnscrypt.eu-nl', 'dnscrypt.org-fr', 'ns0.dnscrypt.is', 'securedn'] + - { name: "server_names", val: "['dnscrypt.eu-nl', 'dnscrypt.nl-ns0', 'securedns', 'dnscrypt.nl-ns0', 'scaleway-fr', 'cloudflare', 'google']" } + # Server must support DNS security extensions (DNSSEC) ?? 
+ - { name: "require_dnssec", val: "true" } + # Server must not log user queries (declarative) + - { name: "require_nolog", val: "true" } + # Server must not enforce its own blacklist (for parental control, ads blocking...) + - { name: "require_nofilter", val: "true" } + #/ var/local/etc/dnscrypt-proxy/ + - { name: "blacklist_file", val: "'{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/blacklist.txt'" } + - { name: "whitelist_file", val: "'{{PROXY_VAR_LOCAL}}/etc/dnscrypt-proxy/domains-whitelist.txt'" } + # opendns - Other popular options include 8.8.8.8 and 1.1.1.1 9.9.9.9:53 + - { name: "fallback_resolver", val: "'nameserver 208.67.222.222:53 208.67.220.220:53'" } + #? - { name: "ignore_system_dns", val: "true" } + when: not ansible_check_mode +## Switch to a different system user after listening sockets have been created. +## Note (1): this feature is currently unsupported on Windows. +## Note (2): this feature is not compatible with systemd socket activation. +## Note (3): when using -pidfile, the PID file directory must be writable by the new user +# user_name = 'nobody' + +- name: "install dnscrypt-proxy in /var/local/bin" + file: + src: "{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy" + dest: "{{PROXY_VAR_LOCAL}}/bin/dnscrypt-proxy" + state: link + when: not ansible_check_mode + +# [NOTICE] System DNS configuration not usable yet, exceptionally resolving [raw.githubusercontent.com] using fallback resolver [9.9.9.9:53] +# [NOTICE] System DNS configuration not usable yet, exceptionally resolving [download.dnscrypt.info] using fallback resolver [9.9.9.9:53] +- name: "dnscrypt-proxy fallback resolver" + lineinfile: + dest: "/etc/hosts" + regexp: '^ *{{item.name}}.*' + line: "{{item.name}} {{item.val}}" + state: present + backup: no + with_items: + - { name: "151.101.36.133", val: "raw.githubusercontent.com" } + - { name: "37.59.238.213", val: "download.dnscrypt.info" } + +- block: + + - name: "install dnscrypt-proxy" + shell: | + 
{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy/linux-x86_64/dnscrypt-proxy -service install + args: + creates: /etc/systemd/system/dnscrypt-proxy.service + + # see https://askubuntu.com/questions/953467/how-to-cache-dnscrypt-proxy-with-dnsmasqresolvconf + - name: "/etc/NetworkManager/NetworkManager.conf" + lineinfile: + dest: /etc/NetworkManager/NetworkManager.conf + create: false + regexp: "^#*dns=dnsmasq" + line: "#dns=dnsmasq" + + #? not really needed + # FixMe: wicd? + + #? systemctl disable systemd-resolved + - name: "/etc/resolve.conf.dnscrypt" + blockinfile: + path: /etc/resolve.conf.dnscrypt + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy" + block: | + nameserver 127.0.0.1 + + #? clobber or symlink /var/run/resolvconf/resolv.conf + + # FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor + - name: "/etc/dnsmasq.conf disable DNS" + lineinfile: + dest: /etc/dnsmasq.conf + regexp: '^#* *{{item.name}}=.*' + line: "{{item.name}}={{item.val}}" + state: present + # backup: yes + mode: 0644 + owner: "{{BOX_ROOT_USER}}" + group: "{{BOX_ROOT_GROUP}}" + with_items: + - { name: "port", val: "0" } + # just guessing + - { name: "resolv-file", val: "/etc/resolve.conf.dnscrypt" } + when: + # just guessing + - false + - "ansible_distribution in ['Ubuntu', 'Debian']" + +# stop dhclient from overwriting resolv.conf +# with scripts in /lib/dhcpcd/dhcpcd-hooks/ +- name: "enable and start service dnscrypt-proxy" + service: + name: "{{ item.name }}" + enabled: "{{ item.able }}" + state: "{{ item.state }}" + failed_when: false + with_items: +# - { name: "pdnsd", able: "no", state: "stopped" } + - { name: "dnscrypt-proxy", able: "yes", state: "restarted" } + - { name: "network-manager", able: "no", state: "stopped" } + # when: "ansible_distribution in ['Ubuntu', 'Debian']" + when: ansible_connection|default('') not in PLAY_SERVICE_CONNECTIONS + diff --git a/tasks/dns-dnsmasq.yml b/tasks/dns-dnsmasq.yml new file mode 100644 index 0000000..ff8c419 
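Review bot: The dnscrypt-proxy binary that `-service install` registers as a system service (it binds 127.0.0.1:53, so presumably runs as root) lives under `{{PROXY_VAR_LOCAL}}/src/dnscrypt-proxy`, a directory this file creates with `owner: "{{ BOX_USER_NAME }}"`, so whoever holds that unprivileged account can replace the binary root executes at boot; create the src and bin trees with `owner: "{{ BOX_ROOT_USER }}"` as the template task already does. The tarball is fetched with `wget … https://$URL` and unpacked with no integrity check; upstream publishes a `.minisig` per release, so fetch `https://$URL.minisig` alongside and run `minisign -Vm <tgz> -P <pinned public key>` before `tar xvfz`. `fallback_resolver` is set to `'nameserver 208.67.222.222:53 208.67.220.220:53'`, which looks like resolv.conf syntax rather than the single `'ip:port'` string dnscrypt-proxy expects (newer versions use `bootstrap_resolvers = [...]`), so bootstrap resolution will likely fail; the `server_names` list also repeats `'dnscrypt.nl-ns0'` and includes `'google'`, which `require_nolog = true` filters out anyway. The `/etc/hosts` pins for raw.githubusercontent.com and download.dnscrypt.info are CDN addresses that rotate; certificate validation still applies, but the fetch will break once they change.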
--- /dev/null +++ b/tasks/dns-dnsmasq.yml 
@@ -0,0 +1,170 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- +--- + +- name: "dns-dnsmasq.yml" + debug: + verbosity: 1 + msg: "dns-dnsmasq.yml socks5={{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}" + +- block: + + - name: "uninstall dnscrypt-proxy" + shell: | + systemctl disabled dnscrypt-proxy + rm -f /etc/systemd/system/dnscrypt-proxy.service + args: + removes: /etc/systemd/system/dnscrypt-proxy.service + + when: + - "BOX_SERVICE_MGR == 'systemd'" + +# see https://askubuntu.com/questions/953467/how-to-cache-dnscrypt-proxy-with-dnsmasqresolvconf +- name: "/etc/NetworkManager/NetworkManager.conf dns" + lineinfile: + dest: /etc/NetworkManager/NetworkManager.conf + create: true + regexp: "^#*dns=dnsmasq" + line: "dns=none" + when: + - true + +# /mnt/linuxKick15/etc/NetworkManager/conf.d/dns.conf +# https://wiki.archlinux.org/index.php/NetworkManager#/etc/resolv.conf +#[main] +#ns=none +# Tip: You might also want to set main. +#systemd-resolved=false + +- name: "/etc/NetworkManager/NetworkManager.conf no proxy dns" + blockinfile: + dest: /etc/NetworkManager/NetworkManager.conf + create: true + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml" + mode: 0644 + owner: "{{BOX_ROOT_USER}}" + group: "{{BOX_ROOT_GROUP}}" + block: | + [main] + plugins=ifupdown,keyfile + dns=none + # will always write resolv.conf to its runtime state + # directory /run/NetworkManager/resolv.conf. 
+ rc-manager=unmanaged + unmanaged-devices=interface-name:virbr1 + unmanaged-devices=interface-name:virbr2 + + [ifupdown] + # If set to false, then any interface + # listed in /etc/network/interfaces will be ignored + managed=false + + [logging] + level=info + backend=syslog + +# FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor +# FixMe tor client vss whnoix gateway +- name: "/etc/dnsmasq.conf.tor enable DNS" + blockinfile: + dest: /etc/dnsmasq.conf.tor + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml" + mode: 0644 + owner: "{{BOX_ROOT_USER}}" + group: "{{BOX_ROOT_GROUP}}" + block: | + log-facility=/var/log/dnsmasq.log + no-resolv + listen-address=127.0.0.1 + server=127.0.0.1#9053 + port=53 + # {{ BASE_ARE_CONNECTED|default('') }} + interface={{ BASE_DEFAULT_OUTPUT_IF }} + bind-interfaces + no-dhcp-interface={{ BASE_DEFAULT_OUTPUT_IF }} + +# FixMe: https://unix.stackexchange.com/questions/327432/resolving-dns-via-tor +- name: "/etc/dnsmasq.conf enable DNS" + blockinfile: + dest: /etc/dnsmasq.conf.whonix + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml" + mode: 0644 + owner: "{{BOX_ROOT_USER}}" + group: "{{BOX_ROOT_GROUP}}" + block: | + log-facility=/var/log/dnsmasq.log + no-resolv + listen-address=127.0.0.1 + server={{ PROXY_WHONIX_SOCKS_HOST }}#9053 + port=53 + # {{ BASE_ARE_CONNECTED|default('') }} + interface={{ BASE_DEFAULT_OUTPUT_IF }} + bind-interfaces + no-dhcp-interface={{ BASE_DEFAULT_OUTPUT_IF }} + +- name: "/etc/dnsmasq.conf enable srv-host" + blockinfile: + dest: "{{item}}" + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml srv-host" + # after srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 + block: | + # dirmgr + # dns: getsrv(_pgpkey-https._tcp.keyserver.ubuntu.com): Try again later + srv-host=_pgpkey-https._tcp.keyserver.ubuntu.com,keyserver.ubuntu.com,443 + srv-host=_pgpkey-https._tcp.keys.gnupg.net,keys.gnupg.net,443 + 
srv-host=_pgpkey-https._tcp.hkps.pool.sks-keyservers.net,hkps.pool.sks-keyservers.net,443 + srv-host=_pgpkey-https._tcp.keys.gnupg.net,keys.gnupg.net,443 + #dead srv-host=_pgpkey-https._tcp.pgp.uni-mainz.de,pgp.uni-mainz.de,443 + srv-host=_pgpkey-https._tcp.pgp.mit.edu,pgp.mit.edu,443 + + srv-host=_pgpkey-http._tcp.keyserver.ubuntu.com,keyserver.ubuntu.com,80 + srv-host=_pgpkey-http._tcp.keys.gnupg.net,keys.gnupg.net,80 + srv-host=_pgpkey-http._tcp.hkps.pool.sks-keyservers.net,hkps.pool.sks-keyservers.net,80 + srv-host=_pgpkey-http._tcp.keys.gnupg.net,keys.gnupg.net,80 + #dead srv-host=_pgpkey-http._tcp.pgp.uni-mainz.de,pgp.uni-mainz.de,80 + srv-host=_pgpkey-http._tcp.pgp.mit.edu,pgp.mit.edu,80 + + with_items: + - /etc/dnsmasq.conf.whonix + - /etc/dnsmasq.conf.tor + +- name: "/etc/dnsmasq.conf enable dnssec" + blockinfile: + dest: "{{item}}" + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dns-dnsmasq.yml dnssec" + block: | + # DNSSEC setup + dnssec + trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 + trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D + dnssec-check-unsigned + when: + - "'dnsmasq_dnssec' in BOX_PROXY_FEATURES" + - false # stops it for starting + with_items: + - /etc/dnsmasq.conf.whonix + - /etc/dnsmasq.conf.tor + - /etc/dnsmasq.conf + +- name: + shell: | + [ "{{PROXY_MODE}}" = tor ] && \ + cp -p /etc/dnsmasq.conf.tor /etc/dnsmasq.conf + [ "{{PROXY_MODE}}" = tor ] && \ + cp -p /etc/dnsmasq.conf.whonix /etc/dnsmasq.conf + exit 0 + +- name: "enable and start service dnsmasq" + service: + name: "{{ item.name }}" + enabled: false + state: "{{ item.state }}" + # WARNING: dnsmasq will start when NetworkManager has started + failed_when: false + with_items: + #no - { name: "dnscrypt-proxy", able: "no", state: "restarted" } + - { name: "dnsmasq", able: "no", state: "started" } + 
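Review bot: The final (unnamed) shell task tests `[ "{{PROXY_MODE}}" = tor ]` twice, so in tor mode `/etc/dnsmasq.conf.whonix` is copied over the tor config immediately afterwards and dnsmasq forwards to `{{ PROXY_WHONIX_SOCKS_HOST }}#9053` instead of the local Tor DNSPort; the second test should read `[ "{{PROXY_MODE}}" = whonix ] && \`, and the task needs a `name:`. Both generated configs combine `listen-address=127.0.0.1` with `interface={{ BASE_DEFAULT_OUTPUT_IF }}` and `bind-interfaces`, which makes the resolver reachable from whatever network that interface is on; if a loopback-only forwarder is intended (dns.yml points resolv.conf at 127.0.0.1), drop the `interface=` line. In the uninstall block `systemctl disabled dnscrypt-proxy` is a typo for `disable`, so the unit stays enabled while its file is removed. The DNSSEC block carries the retired 19036 trust anchor next to 20326 and is switched off with `- false`; if it is ever re-enabled, keep only 20326.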
diff --git a/tasks/dns-socat.yml b/tasks/dns-socat.yml new file mode 100644 index 0000000..c7b8831 --- /dev/null +++ b/tasks/dns-socat.yml @@ -0,0 +1,15 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- +--- + +- name: "dns-socat.yml" + debug: + verbosity: 1 + msg: "dns-socat.yml PROXY_DNS_PROXY={{PROXY_DNS_PROXY}}" + +- assert: + that: "'{{PROXY_DNS_PROXY}}' in ['socat']" + +- name: /usr/local/bin/proxy_dns_forward.bash + shell: | + netstat -nlpe4 | grep -q 127.0.0.1:53 || \ + echo WARN: run /usr/local/bin/proxy_dns_forward.bash diff --git a/tasks/dns.yml b/tasks/dns.yml new file mode 100644 index 0000000..6838205 --- /dev/null +++ b/tasks/dns.yml 
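Review bot: The proxy_dns_forward.bash task only echoes `WARN: run /usr/local/bin/proxy_dns_forward.bash` when nothing listens on 127.0.0.1:53, and shell stdout is not shown in a normal run, so a host without the forwarder passes silently while dns.yml still points resolv.conf at 127.0.0.1, leaving it without DNS; register the result (`register: proxy_dns_forward`, `changed_when: false`) and surface it with a `debug` on `proxy_dns_forward.stdout` or a `fail` when it contains `WARN`. The assert `that: "'{{PROXY_DNS_PROXY}}' in ['socat']"` embeds Jinja delimiters in a conditional, which Ansible warns about; write `that: PROXY_DNS_PROXY in ['socat']`.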
@@ -0,0 +1,139 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- +--- + +- name: "dns.yml" + debug: + verbosity: 1 + msg: "dns.yml PROXY_DNS_PROXY={{PROXY_DNS_PROXY}}" + +- name: /etc/hostname + shell: | + grep -q localhost /etc/hostname && echo {{inventory_hostname}} > /etc/hostname + exit 0 + when: + - ansible_distribution in ['Ubuntu', 'Debian', 'Devuan'] + check_mode: false + +- name: /etc/hosts + shell: | + grep '^127.0.0.1.* {{inventory_hostname}}' /etc/hosts || \ + sed -e 's@^127.0.0.1.*@\& {{inventory_hostname}}@' -i /etc/hosts + exit 0 + +- assert: + that: + - '"{{ PROXY_DNS_PROXY }}" in ["dnsmasq", "dnscrypt"]' + - '"{{ PROXY_DNS_PROXY }}" not in ["pdnsd"]' + - '"{{ PROXY_DNS_NETMAN }}" in {{PROXY_DNS_NETMAN_ALL}}' + +- name: "include 'netman.yml tasks" + include_tasks: "netman.yml" + when: PROXY_DNS_NETMAN == 'networkmanager' + +- set_fact: + PROXY_DNS_PROXY: "socat" + when: + - BOX_WHONIX_PROXY_HOST != "" or BOX_OS_FLAVOR|default('') in ['WhonixWorkstation' , 'WhonixGateway'] or PROXY_MODE in ['tor', 'selektor'] + +- set_fact: + PROXY_DNS_PROXY: "dnsmasq" + when: + - BOX_WHONIX_PROXY_HOST != "" + - BOX_OS_FLAVOR|default('') != 'WhonixWorkstation' and BOX_OS_FLAVOR|default('') != 'WhonixGateway' + - false + +- name: "include dns-dnscrypt.yml tasks" + include_tasks: "dns-dnscrypt.yml" + when: PROXY_DNS_PROXY == "dnscrypt" + +- name: "include dns-dnsmasq.yml tasks" + include_tasks: "dns-dnsmasq.yml" + when: PROXY_DNS_PROXY == "dnsmasq" + +- name: "include dns-socat.yml tasks" + include_tasks: "dns-socat.yml" + when: PROXY_DNS_PROXY == "socat" + +# System hook scripts are found in /lib/dhcpcd/dhcpcd-hooks and the user defined hooks are /etc/dhcpcd.enter-hook +# dhclient->resolvconf overwrites this - for now, use testforge.start for things like starbucks +# https://www.techrepublic.com/article/pro-tip-take-back-control-of-resolv-conf/ +# 
https://www.linuxquestions.org/questions/slackware-14/how-to-prevent-wicd-overwriting-etc-resolv-conf-4175488551/ +- name: "/etc/resolv.conf" + blockinfile: + dest: /etc/resolv.conf + marker: "# {mark} ANSIBLE MANAGED BLOCK privacy" + create: yes + block: | + nameserver 127.0.0.1 + when: + - PROXY_DNS_PROXY in ['dnscrypt', 'dnsmasq', 'socat'] + +# stop dhclient from overwriting resolv.conf +# with scripts in /lib/dhcpcd/dhcpcd-hooks/ +# FixMe: /etc/dhcp/dhcp-client.conf? + +# dnscrypt is not a system service +- name: "service disable not {{PROXY_DNS_PROXY}}" + service: + enabled: '{{ "yes" if PROXY_DNS_PROXY == "{{ item }}" else "no" }}' + state: '{{ "started" if PROXY_DNS_PROXY == "{{ item }}" else "stopped" }}' + name: "{{ item }}" + with_items: + # leave 'dnsmasq' running + # maybe shutting dnsmasq shuts NetworkManager? + - "{{PROXY_DNS_PROXY}}" + # "dnscrypt" is not a system service + ignore_errors: true + when: + - ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS + +- name: "service disable not {{PROXY_DNS_NETMAN}}" + service: + enabled: '{{ "yes" if PROXY_DNS_NETMAN == "{{ item }}" else "no" }}' + state: '{{ "started" if PROXY_DNS_NETMAN == "{{ item }}" else "stopped" }}' + name: "{{ item }}" + with_items: "{{ PROXY_DNS_NETMAN_ALL }}" + ignore_errors: true + when: + - ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS + +- name: "/etc/dhcpcd.conf {{ansible_distribution}}" + blockinfile: + dest: "{{ item }}" + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy" + create: true + block: | + # we route dns queries through tor + # we will configure ntp generically + nohook resolv.conf,ntp.conf + # with_first_found: + with_items: + - /etc/dhcpcd.conf + when: + - "'run_dnsmasq' in PROXY_FEATURES" + +- name: "/etc/resolvconf.conf" + lineinfile: + dest: /etc/resolvconf.conf + create: true + regexp: "{{ item.name }}" + line: "{{ item.val }}" + with_items: + - { name: "^#*resolvconf=.*", val: "resolvconf=no" } + - { name: "^#*name_servers=.*", 
val: "name_servers=127.0.0.1" } + - { name: "^#*resolv_conf.*", val: "resolv_conf=/etc/resolv.conf" } + when: + - ansible_distribution == 'Gentoo' + - "'run_dnsmasq' in PROXY_FEATURES" + +# /etc/resolvconf/update.d/ for Ubuntu + +# /etc/resolvconf/update.d/dnsmasq for Debian +- name: "/etc/resolvconf/update.d/dnsmasq" + shell: | + [ -f /etc/resolvconf/update.d/dnsmasq ] || exit 0 + chmod 644 /etc/resolvconf/update.d/dnsmasq + mv /etc/resolvconf/update.d/dnsmasq /etc/resolvconf/update.d/.dnsmasq + when: + - PROXY_DNS_PROXY != "" + diff --git a/tasks/hourly.yml b/tasks/hourly.yml new file mode 100644 index 0000000..49e07fb --- /dev/null +++ b/tasks/hourly.yml 
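Review bot: In the two "service disable not …" tasks the comparisons `PROXY_DNS_PROXY == "{{ item }}"` and `PROXY_DNS_NETMAN == "{{ item }}"` are nested moustaches inside a Jinja expression, so as far as I can tell they compare against the literal text `{{ item }}` rather than the loop value; with `ignore_errors: true` the visible effect is that every listed service, including the one just selected, gets `enabled: no` / `state: stopped` without the play noticing. The fix is to use the plain name inside the expression, `enabled: "{{ 'yes' if PROXY_DNS_PROXY == item else 'no' }}"` and `state: "{{ 'started' if PROXY_DNS_PROXY == item else 'stopped' }}"`, and the same with PROXY_DNS_NETMAN in the second task. The `assert` near the top uses the related templating-in-conditional pattern (`'"{{ PROXY_DNS_PROXY }}" in ["dnsmasq", "dnscrypt"]'`) and would be more robust as `PROXY_DNS_PROXY in ['dnsmasq', 'dnscrypt']`. The /etc/hosts task also interpolates `{{inventory_hostname}}` unquoted into a sed expression delimited by `@`, so a hostname containing that character would silently change the edit.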
@@ -0,0 +1,97 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- + +--- + +- name: "proxy hourly.yml" + debug: + verbosity: 1 + msg: "proxy hourly.yml" + +- block: + + - name: check privoxy is listening + shell: | + echo '{{ proxy_netstat_nlp_fact.stdout|default('')}}' | grep ':{{HTTP_PROXYPORT}}' + ignore_errors: true # FixMe: defer to hourly.bash + when: + - HTTP_PROXYPORT != '' + + when: + - PROXY_MODE in ['tor', 'whonix'] + - proxy_netstat_nlp_fact is defined and proxy_netstat_nlp_fact.rc == 0 + +- block: + + - name: "check dns is listening" + shell: | + # ip route | grep ^default || exit 0 + . /usr/local/etc/local.d/local.bash + echo '{{ proxy_netstat_nlp_fact.stdout}}' | grep ':53' || { exit 1 ; } + echo '{{proxy_netstat_nlp_fact.stdout}}' | grep ':{{PROXY_DNS_PORT}}' || { + proxy_rc_service {{PROXY_DNS_PROXY}} status || proxy_rc_service {{PROXY_DNS_PROXY}} start || exit 1 + sleep 10 + netstat -nl -t inet | grep ':{{PROXY_DNS_PORT}}' && exit 0 + echo ERROR: {{PROXY_DNS_PROXY}} is not running + exit 2 + } + + ignore_errors: true # FixMe: defer to hourly.bash + when: + - ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS + - BOX_PROXY_MODE != 'nat' + + when: + - PROXY_DNS_PROXY == "dnsmasq" + - not ansible_check_mode + - proxy_netstat_nlp_fact is defined + +- name: check route + shell: | + ip route | grep default || \ + echo WARN: no default route + +- name: check eix-update + shell: | + eix-update + args: + creates: /var/cache/eix/portage.eix + when: + - ansible_distribution == 'Gentoo' + +- name: check resolv.conf + shell: | + grep 127.0.0.1 /etc/resolv.conf || { + echo WARN: /etc/resolv.conf is not local + echo nameserver 127.0.0.1 > /etc/resolv.conf + } + exit 0 + when: + - PROXY_DNS_PROXY in ["pdnsd", "dnsmasq"] + - not ansible_check_mode + # - BASE_ARE_CONNECTED|default('') != '' + +- name: check /etc/sysctl.conf + shell: | + cd /etc/sysctl.d + cat *.conf | grep '^[a-z]' | while read elt rest ; do + grep 
"^$elt" ../sysctl.conf && echo WARN: dup "^$elt" in ../sysctl.conf + done + exit 0 + +# This is dupped on daily/weekly/monthly +# [ $MYID -eq 0 ] || echo WARN: $prog should be run as root $MYID +- name: run proxy_hourly.bash + environment: "{{ shell_proxy_env }}" + shell: | + umask 0027 + echo "INFO: proxy_log_hourly" + cd {{USR_LOCAL}}/bin + [ -x proxy_hourly.bash ] || exit 0 + bash proxy_hourly.bash + register: proxy_log_hourly + notify: summary of logs + when: + - not ansible_check_mode + - ansible_connection not in PLAY_CHROOT_CONNECTIONS + # FixMe + ignore_errors: true diff --git a/tasks/local_connection.yml b/tasks/local_connection.yml new file mode 100755 index 0000000..1a1d062 --- /dev/null +++ b/tasks/local_connection.yml 
@@ -0,0 +1,39 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+---
+
+- name: "DEBUG: Including proxy local_connection.yml"
+ debug:
+ verbosity: 1
+ msg: "DEBUG: Including proxy local_connection.yml BASE_ARE_CONNECTED={{BASE_ARE_CONNECTED}}"
+
+- block:
+
+ - name: Convert-WindowsImage-and-Resize-VHDX-Command.zip
+ shell: |
+ [ -e /e/net/Http/devblogs.microsoft.com/wp-content/uploads/sites/32/2019/03/Convert-WindowsImage-and-Resize-VHDX-Command.zip ] || \
+ wget --restrict-file-names=windows -xcP /e/net/Http/devblogs.microsoft.com/wp-content/uploads/sites/32/2019/03/Convert-WindowsImage-and-Resize-VHDX-Command.zip
+ [ -d /e/lib/PowerShell ] || mkdir /e/lib/PowerShell
+ [ -f /e/lib/PowerShell/"Convert-WindowsImage.ps1" ] || \
+ unzip -o /e/tmp/Topics/ConvertVhd/devblogs.microsoft.com/wp-content/uploads/sites/32/2019/03/Convert-WindowsImage-and-Resize-VHDX-Command.zip \
+ -d /e/lib/PowerShell
+
+ # 206326 Defl:N 35661 83% 2017-01-18 21:01 816b27ad Convert-WindowsImage.ps1
+ # 173 Defl:N 141 19% 2017-01-21 11:08 51449cb6 ReSize VHDX Commands.t
+
+ - name: dsfok.zip
+ shell: |
+ # https://stackoverflow.com/questions/37481737/error-when-converting-vmware-virtual-disk-to-hyperv
+ # https://gist.github.com/sukesh-ak/9a633c48ceefe9560b8f2eb5d8fcff72
+ # https://docs.microsoft.com/en-us/azure/virtual-machines/linux/create-upload-generic
+ # https://gist.github.com/rahilwazir/69a750b70348459875cbf40935af02cbxf
+ [ -d https://web.archive.org/web/20190910101150/http://members.ozemail.com.au/%7Enulifetv/freezip/freeware/dsfok.zip ] || \
+ wget --restrict-file-names=windows -xcP /e/var/local/net/Http \
+ https://web.archive.org/web/20190910101150/http://members.ozemail.com.au/%7Enulifetv/freezip/freeware/dsfok.zip || exit 1
+ [ -d /e/lib/dsfok ] || {
+ unzip /e/var/local/net/Http/web.archive.org/web/20190910101150/http%3A/members.ozemail.com.au/~nulifetv/freezip/freeware/dsfok.zip -d /e/lib
+ exit 2
+ }
+
+ when:
+ - 
BASE_ARE_CONNECTED|default('') != ''
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..2982f19
--- /dev/null
+++ b/tasks/main.yml
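Review bot: The first `wget --restrict-file-names=windows -xcP /e/net/Http/…/Convert-WindowsImage-and-Resize-VHDX-Command.zip` has no URL argument (the zip path is consumed by `-P` as the prefix directory), so the download cannot succeed and the task fails on every host that lacks the file; the `unzip -o` on the following lines then reads from `/e/tmp/Topics/ConvertVhd/…`, a different path from the one tested with `-e`. In the dsfok task `[ -d https://web.archive.org/… ]` tests a URL as a directory, which is always false, so that wget runs on every play. Neither archive is integrity-checked before `unzip` extracts it into /e/lib, even though the comment records the CRCs from the zip listing; as both arrive via web.archive.org over plain HTTP, a `get_url` with `checksum:` (or a `sha256sum -c` step before unzip) would pin exactly what gets installed. The sketch below covers the first task; the dsfok task wants the same treatment, and the `/e/lib/PowerShell` directory must exist before `unarchive` runs.
```yaml
    - name: Convert-WindowsImage-and-Resize-VHDX-Command.zip
      get_url:
        # URL reconstructed from the mirror path used by wget -x — confirm
        url: "https://devblogs.microsoft.com/wp-content/uploads/sites/32/2019/03/Convert-WindowsImage-and-Resize-VHDX-Command.zip"
        dest: /e/net/Http/devblogs.microsoft.com/wp-content/uploads/sites/32/2019/03/Convert-WindowsImage-and-Resize-VHDX-Command.zip
        checksum: "sha256:<EXPECTED_SHA256_OF_ZIP>"   # placeholder: hash of the vetted copy
    - name: unpack Convert-WindowsImage.ps1
      unarchive:
        src: /e/net/Http/devblogs.microsoft.com/wp-content/uploads/sites/32/2019/03/Convert-WindowsImage-and-Resize-VHDX-Command.zip
        dest: /e/lib/PowerShell
        remote_src: true
        creates: /e/lib/PowerShell/Convert-WindowsImage.ps1
    # … unchanged: dsfok.zip task (same get_url + checksum pattern) …
```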
@@ -0,0 +1,416 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- + +--- + +- name: "proxy main.yml CORP_NTLM_PROXY={{ CORP_NTLM_PROXY | default('') }}" + debug: + verbosity: 1 + msg: "DEBUG: Including proxy main.yml" + +- name: include proxy by-platform vars + include_vars: "{{item}}.yml" + with_items: + - Unix + - "{{ ansible_distribution }}{{ ansible_distribution_major_version }}" + tags: always + +- name: "rsync proxy root_overlay" + synchronize: + src: "roles/proxy/overlay/{{item}}/" + dest: / + compress: no + copy_links: yes + archive: no + recursive: yes + links: no + owner: no + perms: no + times: yes + rsync_opts: "{{base_rsync_opts}}" + with_items: + - Linux + - "{{ ansible_distribution }}" + notify: +#? - chmod /usr/local + - update-ca-certificates + when: + - not ansible_check_mode + # FixAns: This remote host is being accessed via chroot instead so it cannot work + - ansible_connection|default('') not in PLAY_NORSYNC_CONNECTIONS + tags: + - always + +- name: rsync root_overlay - the tar gets made by a make before running + unarchive: + dest: / + src: "{{item}}.tar" + keep_newer: true + owner: "{{BOX_ROOT_USER}}" + # extra_opts: "{{ BASE_UNTAR_ARGS }}" + ignore_errors: true + with_items: + - Linux + - "{{ ansible_distribution }}" + notify: +#? 
- chmod /usr/local + - update-ca-certificates + when: + - not ansible_check_mode + # FixAns: This remote host is being accessed via chroot instead so it cannot work + - ansible_connection|default('') in PLAY_NORSYNC_CONNECTIONS + +- name: "grep -q root=/dev/vda /proc/cmdline " + environment: "{{ shell_proxy_env }}" + shell: | + grep -q root=/dev/vda /proc/cmdline + failed_when: false + register: proxy_vda_cmdline_fact + tags: + - always + +- name: proxy post tasks first + include_tasks: "proxy_mode.yml" + +# We are running these tasks here to set the proxy up to download and install packages +- name: proxy post tasks first + include_tasks: "proxy_post.yml" + +- name: include proxy by-platform tasks + include_tasks: "{{ ansible_distribution }}.yml" + +- name: "proxy gpg keys system" + # Option --keyserver must be used to + environment: "{{ shell_proxy_env }}" + shell: | + /usr/bin/gpg --list-keys | grep "{{ item.uid }}" || \ + /usr/bin/gpg --recv-keys "{{ item.uid }}" + # --keyserver "{{ TESTF_GPG_SERVER }}" + # deprecated - please use the --keyserver in ?dirmngr.conf? 
instead + with_items: "{{ proxy_gpg_keys_system }}" + when: + - proxy_gpg_keys_system|length > 0 + - BASE_ARE_CONNECTED|default('') != '' + # FixMe: + ignore_errors: true + +- name: fix pip + shell: | + find /usr/local/lib*/python*/*-packages/pip \ + -name filesystem.py | while read file ; do + [ -f $file.dst ] && continue + cp -p $file $file.dst + sed -e 's/path_uid == 0/os.access(path, os.W_OK)/' -i $file + done + exit 0 + +- block: + + - name: /usr/local/patches/proxy + shell: | + [ -d /usr/local/patches/proxy/ ] || exit 0 + cd /usr/local/patches/proxy/ || exit 1 + ls || exit 2 + /usr/local/sbin/base_patch_from_diff.bash * + + when: + - true or ansible_distribution == 'Gentoo' + +- name: install proxy pips 2 + changed_when: false + environment: "{{pip_proxy_env}}" + pip: + executable: "{{BASE_USR_LOCAL}}/bin/pip2.sh" + state: present + extra_args: "{{BASE_PIP_INSTALL_ARGS}} --log {{BASE_LOG_DIR}}/pip/pip2/proxy.log" + name: "{{ proxy_pips2_inst }}" + become: yes + become_user: "{{ BOX_USER_NAME }}" + notify: shebang after pip + when: + - false + # this must be empty aas shebang after pip is in testforge + - proxy_pips2_inst|length > 0 + - BASE_ARE_CONNECTED|default('') != '' + - "BASE_PYTHON2_MINOR != ''" + ignore_errors: "{{ base_pip_ignore_errors }}" + +- name: install proxy pips 3 + changed_when: false + environment: "{{pip_proxy_env}}" + pip: + executable: "{{BASE_USR_LOCAL}}/bin/pip3.sh" + state: present + extra_args: "{{BASE_PIP_INSTALL_ARGS}} --log {{BASE_LOG_DIR}}/pip/pip3/proxy.log" + name: "{{ proxy_pips3_inst }}" + become: yes + become_user: "{{ BOX_USER_NAME }}" + notify: shebang after pip + when: + - false + # this must be empty aas shebang after pip is in testforge + - proxy_pips3_inst|length > 0 + - BASE_ARE_CONNECTED|default('') != '' + ignore_errors: "{{ base_pip_ignore_errors }}" + +- name: "/usr/local/etc/local.d/Whonix-Lati.rc" + blockinfile: + dest: /usr/local/etc/local.d/Whonix-Lati.rc + create: yes + mode: 0770 + marker: "# {mark} ANSIBLE 
MANAGED BLOCK proxy main.yml start" + insertafter: EOF + block: | + grep -q root=/dev/vda /proc/cmdline + PROXY_IS_VDA=$? + +#? # this should not run as root +- name: "/usr/local/src/usr_local_python.bash" + environment: "{{ shell_proxy_env }}" + shell: | + umask 0002 + #? usr_local_python.bash + [ ! -f usr_local_proxy.bash ] && exit 1 + bash usr_local_python.bash \ + {{ 'check' if ansible_check_mode }} + args: + chdir: "{{PROXY_USR_LOCAL}}/src" + become: yes + become_user: "{{ BOX_USER_NAME }}" + check_mode: false + # FixMe: + ignore_errors: true + + # this should be run as root +- name: run usr_local_src item + environment: "{{ shell_proxy_env }}" + shell: | + umask 0002 + bash /usr/local/src/{{item}}.bash + args: + chdir: "{{ PROXY_USR_LOCAL }}/src" + when: + - item != '' and item != [] + with_items: +# - "{{ 'sdwdate' if ansible_distribution == 'Gentoo' else '' }}" + - [] + +- name: "enable and start services" + service: + name: "{{ item }}" + enabled: yes + state: restarted + failed_when: false + when: + - "item != ''" + - ansible_connection|default('') not in PLAY_NOSERVICE_CONNECTIONS + with_items: "{{ proxy_services }}" + +# We are running these tasks here to work around handler issues with include_tasks +- name: "proxy post tasks end" + include_tasks: "proxy_post.yml" + +- name: "proxy dirmngr tasks end" + include_tasks: "dirmngr.yml" + when: + - "http_proxy != '' or https_proxy != '' or socks_proxy != ''" + +- name: "whonix host tasks end" + include_tasks: "{{LOOP_FILE}}.yml" + when: + - LOOP_FILE != '' and LOOP_FILE != [] + - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS + with_items: + - "{{ 'whonix_host' if (PROXY_MODE == 'whonix' and BOX_WHONIX_PROXY_HOST != '' ) else [] }}" + loop_control: + loop_var: LOOP_FILE + +- name: "whonix guest tasks end" + include_tasks: "whonix_guest.yml" + when: + - "PROXY_MODE in ['gateway','ws', 'vda', 'nat']" + # works? 
+ - ansible_virtualization_role|replace('NA', 'host') == 'guest' + +- name: "include_tasks proxy users.yml" + include_tasks: + file: "users.yml" + apply: + environment: "{{ proxy_env }}" + become_user: "{{ LOOP_USER }}" + when: + - LOOP_USER != [] and LOOP_USER != '' + with_items: + # FixMe: need user groups fixing + - root + - "{{ base_system_users }}" + - "{{ proxy_also_users }}" + - "{{ 'portage' if ansible_distribution == 'Gentoo' else '' }}" + loop_control: + loop_var: LOOP_USER + +- name: "/usr/local/etc/testforge/testforge.ini BOF" + lineinfile: + dest: "/usr/local/etc/testforge/testforge.ini" + insertbefore: BOF + mode: 0755 + owner: "{{BOX_ROOT_USER}}" + group: "{{BOX_ROOT_GROUP}}" + create: yes + regexp: "# -.- mode: sh; tab-width: 0; coding: utf-8-unix -.-" + line: "# -*- mode: sh; tab-width: 0; coding: utf-8-unix -*-" + +- name: /usr/local/etc/testforge/testforge.ini proxy + blockinfile: + dest: /usr/local/etc/testforge/testforge.ini + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK ini [proxy]" +#? PROXY_VAR_LOCAL={{PROXY_VAR_LOCAL}} + block: | + [proxy] + HTTP_PROXYHOST="{{ HTTP_PROXYHOST }}" + HTTP_PROXYPORT={{HTTP_PROXYPORT}} + HTTP_PROXYTYPE="{{ HTTP_PROXYTYPE }}" + HTTPS_PROXYHOST="{{ HTTPS_PROXYHOST }}" + HTTPS_PROXYPORT={{HTTPS_PROXYPORT}} + HTTPS_PROXYTYPE="{{ HTTPS_PROXYTYPE }}" + SOCKS_PROXYHOST="{{ SOCKS_PROXYHOST }}" + SOCKS_PROXYPORT={{SOCKS_PROXYPORT}} + SOCKS_PROXYTYPE="{{ SOCKS_PROXYTYPE }}" + NO_PROXY="{{ NO_PROXY }}" + CORP_PROXY_PAC="{{ CORP_PROXY_PAC|default('') }}" + CORP_NTLM_PROXY="{{ CORP_NTLM_PROXY|default('') }}" + PROXY_FEATURES={{ PROXY_FEATURES }} + PROXY_DNS_PROXY="{{ PROXY_DNS_PROXY }}" + PROXY_DNS_NETMAN="{{ PROXY_DNS_NETMAN }}" + PROXY_HTTP_PROXY_NAME="{{ PROXY_HTTP_PROXY_NAME|default('privoxy')}}" + PROXY_HTTP_PROXY_PORT="{{ PROXY_HTTP_PROXY_PORT|default(3128)}}" + PROXY_HTTP_PROXY_HOST="{{ PROXY_HTTP_PROXY_HOST|default('127.0.0.1')}}" + + notify: update facts +#? 
PLAY_PIP_CACHE="{{BASE_USR_LOCAL}}/net/Cache/Pip" + +- name: /usr/local/etc/testforge/testforge.ini proxy gitconfig + blockinfile: + dest: /usr/local/etc/testforge/testforge.ini + create: yes + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy main.yml" + block: | + [gitconfig] + # FixMe: this may not be needed + GIT_ALLOW_PROTOCOL="https" + # This may not be needed if you put it in ~/.gitconfig + GIT_SSL_CAINFO="/usr/local/etc/ssl/cacert-testforge.pem" + # FixMe: this may not be needed + # GIT_PROTOCOL_COMMAND="/usr/local/bin/gitproxy.bash" + when: + - true or CORP_NTLM_PROXY|default('') != '' + notify: update facts + +- name: "include dns.yml tasks" + include_tasks: "dns.yml" + when: + - PROXY_DNS_PROXY != '' + +- name: "include wicd.yml tasks" + include_tasks: "wicd.yml" + when: + - false + +- name: "find listening sockets for daily" + environment: "{{ shell_proxy_env }}" + shell: | + netstat -t inet -npl | grep LISTEN + register: proxy_netstat_nlp_fact + failed_when: false + tags: + - always + +- name: proxy hourly include_tasks + include_tasks: + file: "hourly.yml" + apply: + environment: "{{ shell_proxy_env }}" + tags: + - always + tags: + - always + +# maybe should be in testforge but may use them early + +- stat: path=/etc/java-config-2/current-system-vm/jre/lib/net.properties + register: etc_x11_xsession_d + when: + - not ansible_check_mode + +- name: "check arp length" + environment: "{{ shell_proxy_env }}" + shell: | + a=`arp -i wlan7|tail -n -1|wc -l` + [ $? 
-eq 0 ] || exit 1 + [ $a -eq 1 ] || exit $a + exit 0 + +- name: "dnscrypt-proxy address already in use" + shell: | + tail -100 '{{PROXY_VAR_LOCAL}}/var/log/dnscrypt-proxy.log' | grep -q 'bind: address already in use' || \ + { echo 'ERROR: dnscrypt-proxy address already in use' ; exit 1 ; } + when: + - not ansible_check_mode + - PROXY_DNS_PROXY == "dnscrypt" + - PROXY_DNS_PORT != '' + - BASE_ARE_CONNECTED|default('') != '' + - testforge_netstat_nlp_fact is defined + +# FixMe: /etc/systemd/system/sntp.service.d/00gentoo.conf +- name: /etc/ntp.conf + blockinfile: + dest: /etc/ntp.conf + marker: "# {mark} ANSIBLE MANAGED BLOCK testforge" + mode: 0640 + owner: "{{BOX_ROOT_USER}}" +# group: ntp + create: yes + block: | + # conf.d interface ignore all wlan7 + + # If you want to deny all machines (including your own) + # from accessing the NTP server, uncomment: + restrict default ignore + + # Default configuration: + # - Allow only time queries, at a limited rate, sending KoD when in excess. + # - Allow all local queries (IPv4, IPv6) + #restrict default nomodify nopeer noquery limited kod + restrict 127.0.0.1 + restrict [::1] + + # You do need to talk to an NTP server or two (or three). + {% for elt in PROXY_NTP_SERVERS %} + server {{ elt }} + {% endfor %} + # {{ PROXY_NTP_SERVERS|join('\n') }} + when: + - "BOX_TIME_DAEMON == 'ntp'" + +- name: apt-get update + raw: | + [ -f /var/log/dpkg.log ] || apt-get update + when: + - ansible_distribution in ['Ubuntu', 'Debian', 'Deuvan'] + - BASE_ARE_CONNECTED|default('') != '' + ignore_errors: true + check_mode: false + +- name: base gpg keys system + # Option --keyserver must be used to + environment: "{{ shell_env }}" + shell: | + /usr/bin/gpg --list-keys | grep "{{ item.uid }}" || \ + /usr/bin/gpg --recv-keys "{{ item.uid }}" --keyserver "{{ BASE_GPG_SERVER }}" + with_items: "{{ base_gpg_keys_system }}" + when: + - proxy_gpg_keys_system|length > 0 + - BASE_ARE_CONNECTED|default('') != '' + # FixMe: + ignore_errors: true + 
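Review bot: The "dnscrypt-proxy address already in use" check is inverted: `tail -100 '…/dnscrypt-proxy.log' | grep -q 'bind: address already in use' || { echo 'ERROR: …' ; exit 1 ; }` exits 1 when the log does not contain the bind error, i.e. on a healthy host, and passes when the port clash is present; it wants `&&` in place of `||`. It is currently masked because its `when:` requires `testforge_netstat_nlp_fact is defined` while the fact registered a few tasks earlier is `proxy_netstat_nlp_fact`, so the task is always skipped; correcting the name to `- proxy_netstat_nlp_fact is defined` without fixing the test would make it fail on every run. Two smaller slips in the same hunk: the apt-get update task lists `'Deuvan'` where the rest of the role spells `Devuan`, and "base gpg keys system" loops over `base_gpg_keys_system` but its `when` tests `proxy_gpg_keys_system|length > 0`. Both gpg tasks match installed keys with an unanchored `grep "{{ item.uid }}"`, so a short value matches any key containing it; whether `item.uid` carries a full fingerprint cannot be told from this hunk, but `--recv-keys` should be driven by one, since shorter key ids are not collision-resistant.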
diff --git a/tasks/netman.yml b/tasks/netman.yml
new file mode 100644
index 0000000..f494e8c
--- /dev/null
+++ b/tasks/netman.yml
@@ -0,0 +1,80 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- + +--- + +- block: + + - name: "/etc/NetworkManager/pre-up.d/" + file: + dest: "{{ item }}" + state: directory + mode: 0755 + owner: "{{BOX_ROOT_USER}}" # required + with_items: + - /etc/NetworkManager/dispatcher.d/pre-up.d/ + + # what about -resolvconf on Gentoo? + # see /etc/resolvconf/update.d/dnsmasq on Debian + # see /etc/dhcp/dhclient-exit-hooks.d/ntpdate on Debian + # see also etc/network/if-down.d/ on Debian + # and etc/ppp/ip-down.d/ + - name: "/etc/NetworkManager/dispatcher.d/20-resolv-conf-override" + lineinfile: + path: /etc/NetworkManager/dispatcher.d/20-resolv-conf-override + create: yes + mode: 0755 + insertafter: BOF + line: "#!/bin/sh" + regexp: "#./bin/sh" + + - name: "/etc/NetworkManager/dispatcher.d/20-resolv-conf-override dnscrypt" + blockinfile: + path: /etc/NetworkManager/dispatcher.d/20-resolv-conf-override + create: yes + mode: 0755 + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dnscrypt" + block: | + [ -f /etc/resolv.conf.localhost ] || echo nameserver 127.0.0.1 > /etc/resolv.conf.localhost + [ -f /etc/resolv.conf.dnscrypt ] && \ + [ -d /run/resolvconf ] && \ + cp -f /etc/resolv.conf.dnscrypt /run/resolvconf/resolv.conf + exit 0 + state: "{{ 'present' if PROXY_DNS_PROXY == 'dnscrypt' else 'absent' }}" + + - name: "/etc/NetworkManager/dispatcher.d/20-resolv-conf-override dnscrypt" + blockinfile: + path: /etc/NetworkManager/dispatcher.d/20-resolv-conf-override + create: yes + mode: 0755 + marker: "# {mark} ANSIBLE MANAGED BLOCK proxy dnsmasq" + state: "{{ 'present' if PROXY_DNS_PROXY == 'dnsmasq' else 'absent' }}" + block: | + [ -f /etc/resolv.conf.localhost ] || echo nameserver 127.0.0.1 > /etc/resolv.conf.localhost + + diff -q /etc/resolv.conf.localhost /etc/resolv.conf || \ + cp -f /etc/resolv.conf.localhost /etc/resolv.conf + + [ -d /run/resolvconf ] && \ + cp -f /etc/resolv.conf.localhost /run/resolvconf/resolv.conf + + [ -f 
/etc/resolvconf.conf ] || cat > /etc/resolvconf.conf < /tmp/proxy_export.txt << EOF + http_proxy: "$http_proxy" + https_proxy: "$https_proxy" + socks_proxy: "$socks_proxy" + no_proxy: "$no_proxy" + RSYNC_PROXY: "$RSYNC_PROXY" + EOF + exit 0 + + - name: "slurp REMOTE proxy_export.txt" + slurp: + src: "/tmp/proxy_export.txt" + register: proxy_export_txt + + - name: "copy slurped proxy_export.txt to tempfile" + copy: + dest: "{{ proxy_export_txt_file.path}}" + content: "{{ proxy_export_txt['content']|b64decode }}" + delegate_to: localhost + + - name: "include copied proxy_export.txt" + include_vars: "{{proxy_export_txt_file.path}}" + + check_mode: false + rescue: + - debug: + msg: "WARN: error including proxy_export.txt" diff --git a/tasks/proxy_post.yml b/tasks/proxy_post.yml new file mode 100644 index 0000000..abc502e --- /dev/null +++ b/tasks/proxy_post.yml 
@@ -0,0 +1,399 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- + +--- + +# NB - dirmngr fails incomprehesibly if there are repeated commands in conf + +- name: "DEBUG: proxy proxy_post.yml" + debug: + verbosity: 1 + msg: "DEBUG: Including proxy proxy_post.yml" + +- name: if there is no /etc/cntlm.conf it has not been installed + stat: path=/etc/cntlm.conf + register: cntlm_conf_fact + +- block: + + # make sure double quotes do not end up in the cntlm.conf + - lineinfile: + dest: /etc/cntlm.conf + regexp: "^#* *{{item.name}}.*" + line: "{{item.name}} {{item.val}}" + state: present + with_items: + - { name: Username, val: "{{ MY_CORP_USER }}" } + - { name: Domain, val: "{{ MY_CORP_DOMAIN }}" } + - { name: Password, val: "{{ MY_CORP_PASS }}" } + - { name: Proxy, val: "{{NTLM_PROXYHOST}}:{{NTLM_PROXYPORT}}" } + - { name: NoProxy, val: "{{ NO_PROXY }}" } + - { name: Listen, val: "{{CNTLM_BIND_IP}}:{{CNTLM_HTTP_PORT}}" } + - { name: SOCKS5Proxy, val: "{{ CNTLM_SOCKS_PORT }}"} + + - lineinfile: + dest: /etc/cntlm.conf + regexp: "^Proxy.*8080" + state: absent + + - name: enable and start cntlm + service: + name: cntlm + enabled: yes + state: restarted + register: retval + failed_when: false + when: ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS + + # FixMe: test to see if cntlm has started + - stat: path="{{ cntlm_pid_file }}" + register: cntlm_pid + + # only if its started do we override + - name: override HTTP_PROXY with retval is success + set_fact: > + HTTP_PROXY=http://127.0.0.1:{{CNTLM_HTTP_PORT}} + HTTP_PROXYHOST=127.0.0.1 + HTTP_PROXYPORT={{NTLM_PROXYPORT}} + HTTP_PROXYTYPE=http + HTTPS_PROXY=http://127.0.0.1:{{CNTLM_HTTP_PORT}} + HTTPS_PROXYHOST=127.0.0.1 + HTTPS_PROXYPORT={{NTLM_PROXYPORT}} + HTTPS_PROXYTYPE=http + # this works with cntlm as we configured it + SOCKS_PROXY=socks5://127.0.0.1:{{CNTLM_SOCKS_PORT}} + SOCKS_PROXYHOST=127.0.0.1 + SOCKS_PROXYPORT={{CNTLM_SOCKS_PORT}} + SOCKS_PROXYTYPE=socks5 + when: 
retval.rc|default(0) == 0 and cntlm_pid.stat.exists == true + + - name: override HTTP_PROXY with retval is failed + set_fact: > + HTTP_PROXY=http://{{NTLM_PROXYHOST}}:{{NTLM_PROXYPORT}} + HTTP_PROXYHOST={{NTLM_PROXYHOST}} + HTTP_PROXYPORT={{NTLM_PROXYPORT}} + HTTP_PROXYTYPE=http + HTTPS_PROXY=http://{{NTLM_PROXYHOST}}:{{NTLM_PROXYPORT}} + HTTPS_PROXYHOST={{NTLM_PROXYHOST}} + HTTPS_PROXYPORT={{NTLM_PROXYPORT}} + HTTPS_PROXYTYPE=http + # dunno if this works + SOCKS_PROXY=socks5://{{NTLM_PROXYHOST}}:9050 + SOCKS_PROXYHOST={{NTLM_PROXYHOST}} + SOCKS_PROXYPORT=9050 + SOCKS_PROXYTYPE=socks5 + when: retval.rc|default(1) == 0 or cntlm_pid.stat.exists == false + + #? does retval.rc exist? + - debug: + msg: "proxy/tasks/main.yml cntlm.rc={{cntlm_pid.stat.exists}} HTTP_PROXY={{ HTTP_PROXY }}" + + when: NTLM_PROXYPORT != '' and cntlm_conf_fact.stat.exists == true + +- name: gather the http_proxy information together for subsequent roles + set_fact: + proxy_env: + TERM: "linux" + http_proxy: "{{ HTTP_PROXY }}" + https_proxy: "{{ HTTPS_PROXY }}" + socks_proxy: "{{ SOCKS_PROXY }}" + ftp_proxy: "{{ HTTP_PROXY }}" + no_proxy: "{{ NO_PROXY }}" + SSL_CERT_FILE: "{{ SSL_CERT_FILE|default(PLAY_CA_CERT) }}" + RSYNC_PROXY: "{{ HTTP_PROXY|replace('http://', '') }}" + no_proxy_env: + TERM: "linux" + http_proxy: "http://127.0.0.1:9999" + https_proxy: "http://127.0.0.1:9999" + socks_proxy: "socks4://127.0.0.1:9999" + ftp_proxy: "ftp://127.0.0.1:9999" + no_proxy: "{{ NO_PROXY|default('127.0.0.1,localhost') }}" + RSYNC_PROXY: "http://127.0.0.1:9999" + +- set_fact: + # allowed out {'PATH': PATH, 'PYTHONPATH': '' } + shell_proxy_env: "{{ proxy_env|combine(shell_env) }}" + # forbidden out {'PATH': PATH, 'PYTHONPATH': '' } + shell_no_proxy_env: "{{ no_proxy_env|combine(shell_env) }}" + apt_env: {'RUNLEVEL': 1} + +- set_fact: + portage_proxy_env: "{{ shell_proxy_env }}" + # we're letting pip out to install but with --nodeps + # so that we must list a prerequisites expcitly + # and to prevent it 
from having a free hand.
+ pip_proxy_env: "{{ shell_proxy_env }}"
+ apt_proxy_env: "{{ proxy_env|combine(apt_env) }}"
+
+#- name: "roles/proxy/tasks/main.yml"
+# debug: msg="roles/proxy/tasks/main.yml NTLM_PROXYPORT={{ NTLM_PROXYPORT }}"
+
+- name: roles/proxy/tasks/ _post.yml
+ include_tasks: "roles/proxy/tasks/{{ ansible_distribution }}_post.yml"
+
+# sync this with ../../roles/base/overlay/Linux/usr/local/share/scripts/bootstrap_proxy.bash
+# no global setting for this now
+- name: /etc/wgetrc without proxy
+ blockinfile:
+ dest: /etc/wgetrc
+ create: yes
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
+ state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
+ block: |
+ #http_proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
+ #https_proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
+ no_proxy={{ NO_PROXY }}
+ ca-certificate = /usr/local/etc/ssl/cacert-testforge.pem
+ check_certificate = on
+
+# dont change the environment for everyon with env.d/70proxy
+# maually include box_proxy_tor.bash -> ~/bin/tor.sh
+- name: proxy http export
+ blockinfile:
+ dest: "{{ item.dest }}"
+ owner: "{{ item.owner }}"
+ group: "{{ item.group }}"
+ create: yes
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http"
+ state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
+ block: |
+ export http_proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
+ export https_proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
+ export no_proxy="{{ NO_PROXY }}"
+ export RSYNC_PROXY={{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
+ with_items:
+ - {dest: "{{BASE_SCRIPT_DIR}}/box_proxy_tor.bash", owner: "{{BOX_ROOT_USER}}", group: "{{BOX_ROOT_GROUP}}", mode: "0755" }
+ when: false
+
+- name: /usr/local/share/scripts/box_proxy_tor.bash socks
+ blockinfile:
+ dest: "{{ item.dest }}"
+ owner: "{{ item.owner }}"
+ group: "{{ item.group }}"
+ create: yes
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy socks"
+ state: "{{ 'present' if
SOCKS_PROXYHOST != '' else 'absent' }}"
+ block: |
+ export socks_proxy={{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
+ with_items:
+ - {dest: "{{BASE_SCRIPT_DIR}}/box_proxy_tor.bash", owner: "{{BOX_ROOT_USER}}", group: "{{BOX_ROOT_GROUP}}", mode: "0644" }
+ when: false
+
+- name: /etc/privoxy/config.whonix socks
+ blockinfile:
+ dest: "{{ item.dest }}"
+ owner: "{{ item.owner }}"
+ group: "{{ item.group }}"
+ create: yes
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy socks"
+ state: "{{ 'present' if SOCKS_PROXYHOST != '' else 'absent' }}"
+ block: |
+ # https://tor.stackexchange.com/questions/947/socks-server-with-dynamic-traffic-routing-trought-tor-i2p-depending-on-the-e
+ forward .i2p 127.0.0.1:4444
+ forward-socks5t / {{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}} .
+ with_items:
+ - { dest: "/etc/privoxy/config.whonix", owner: "root", group: "root", mode: "0644" }
+ - { dest: "/etc/privoxy/config.tor", owner: "root", group: "root", mode: "0644" }
+ - { dest: "/etc/privoxy/config.nat", owner: "root", group: "root", mode: "0644" }
+ - { dest: "/etc/privoxy/config.selektor", owner: "root", group: "root", mode: "0644" }
+ when:
+ - SOCKS_PROXYHOST != '' and SOCKS_PROXYPORT != ''
+ - "PROXY_MODE|default('') in ['tor', 'whonix', 'selektor']"
+
+- name: check if /etc/gnupg/gpgconf.conf exists
+ stat: path=/etc/gnupg/gpgconf.conf
+ register: etc_gpgconf_fact
+
+- name: /etc/gnupg/gpgconf.conf
+ lineinfile:
+ dest: "/etc/gnupg/gpgconf.conf"
+ # insertbefore: BOF
+ mode: 0755
+ owner: "{{BOX_ROOT_USER}}"
+ group: "{{BOX_ROOT_GROUP}}"
+ create: yes
+ state: "{{item.state}}"
+ regexp: "^#*{{item.key}} {{item.val}}.*"
+ line: "{{item.key}} {{item.val}}{{item.value}}"
+ with_items:
+ - key: keyserver-options
+ val: http-proxy=
+ value: "{{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}"
+ # gpg: keyserver option 'https-proxy' is unknown
+ state: absent # "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
+
+ - key: keyserver-options
+ val:
https-proxy=
+ value: "{{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}"
+ # gpg: keyserver option 'https-proxy' is unknown
+ state: absent # "{{ 'present' if HTTPS_PROXYHOST != '' else 'absent' }}"
+
+ - key: keyserver
+ val: hkp://keys.gnupg.net
+ value: ""
+ state: "present"
+
+ - key: keyserver-options
+ val: verbose
+ value: ""
+ state: absent # is unknown "present"
+
+ - key: keyserver-options
+ val: "options "
+ value: "/etc/dirmngr/dirmngr.conf"
+ state: absent # is unknown "present"
+
+ when:
+ - not ansible_check_mode
+ - etc_gpgconf_fact.stat.exists == true
+
+- name: check if /etc/npmrc exists
+ stat: path=/etc/npmrc
+ register: npm_npmrc_fact
+
+
+#? do I want these in /etc/environment?
+
+# FixMe: harden/templates/etc/example-dnscrypt-proxy.toml
+# force_tcp = true
+
+#? ~/.gnupg/gnupg.conf
+# https://github.com/riseupnet/riseup_help/issues/294
+# keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
+
+# .repo_.gitconfig.json
+
+# handle setting up an ssh server in proxy - for libvirt_qemu (or chroot?)
+- name: /etc/conf.d/sshd
+ blockinfile:
+ dest: "/etc/{{ETC_CONF_D}}/sshd"
+ create: yes
+ marker: "# {mark} ANSIBLE MANAGED BLOCK testforge"
+ block: |
+ SSHD_OPTS="-4 -E /var/log/sshd.log"
+
+- name: /etc/dirmngr/dirmngr.conf
+ shell: |
+ [ -d /etc/dirmngr ] || mkdir /etc/dirmngr
+ [ -f /etc/dirmngr/dirmngr.conf ] && [ -h /etc/gnupg/dirmngr.conf ] && exit 0
+ [ -f /etc/dirmngr/dirmngr.conf ] && [ !
-f /etc/gnupg/dirmngr.conf ] && \
+ mv /etc/dirmngr/dirmngr.conf /etc/gnupg/dirmngr.conf && \
+ ln -s /etc/gnupg/dirmngr.conf /etc/dirmngr/dirmngr.conf
+ exit 0
+
+- name: /etc/dirmngr/dirmngr.conf
+ lineinfile:
+ dest: "/etc/dirmngr/dirmngr.conf"
+ insertbefore: BOF
+ mode: 0755
+ owner: "{{BOX_ROOT_USER}}"
+ group: "{{BOX_ROOT_GROUP}}"
+ create: yes
+ regexp: "#*keyserver-options http-proxy.*"
+ line: "keyserver-options http-proxy=http://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}"
+ when:
+ - not ansible_check_mode
+ - HTTP_PROXYHOST == '' and HTTP_PROXYPORT == ''
+
+- name: /etc/dirmngr/dirmngr.conf
+ lineinfile:
+ dest: "/etc/dirmngr/dirmngr.conf"
+ mode: 0755
+ owner: "{{BOX_ROOT_USER}}"
+ group: "{{BOX_ROOT_GROUP}}"
+ create: yes
+ regexp: "^keyserver-options no-try-dns-srv"
+ line: "keyserver-options no-try-dns-srv"
+ state: "{{ 'present' if ansible_distribution == 'never' else 'absent' }}"
+ when:
+ - not ansible_check_mode
+
+- name: /etc/dirmngr/dirmngr.conf dnsmasq
+ blockinfile:
+ dest: "/etc/dirmngr/dirmngr.conf"
+ create: true
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy_post.yml dnsmasq"
+ block: |
+ debug-level 5
+ log-file /var/log/dirmngr.log
+ nameserver 127.0.0.1
+ when:
+ - not ansible_check_mode
+ - "'run_dnsmasq' in PROXY_FEATURES"
+
+
+- block:
+
+ - name: /etc/dirmngr/dirmngr.conf no proxy
+ blockinfile:
+ dest: "/etc/dirmngr/dirmngr.conf"
+ create: false
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http-proxy"
+ block: |
+ # honor-http-proxy
+ # may not exist
+ ignore_errors: true
+
+ when:
+ - HTTP_PROXYHOST == '' and HTTP_PROXYPORT == ''
+
+
+- block:
+
+ - name: /etc/dirmngr/dirmngr.conf proxy_post.yml http-https
+ blockinfile:
+ dest: "{{item}}"
+ create: true
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml https"
+ state: "{{ 'present' if HTTPS_PROXYHOST != '' else 'absent' }}"
+ block: |
+ #! debian10: /etc/dirmngr/dirmngr.conf:3: invalid option
+ #!
https-proxy {{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
+ with_items:
+ - /etc/dirmngr/dirmngr.conf
+ - /etc/dirmngr/dirmngr.conf.whonix
+ # may not exist
+ ignore_errors: true
+
+ when:
+ - HTTPS_PROXYHOST != '' and HTTPS_PROXYPORT != ''
+
+- block:
+
+ - name: /etc/dirmngr/dirmngr.conf proxy_post.yml http-proxy
+ blockinfile:
+ dest: /etc/dirmngr/dirmngr.conf
+ create: true
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http-proxy"
+ block: |
+ honor-http-proxy
+ # may not exist
+ ignore_errors: true
+
+ - name: /etc/dirmngr/dirmngr.conf proxy_post.yml http
+ blockinfile:
+ dest: /etc/dirmngr/dirmngr.conf
+ create: true
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy proxy_post.yml http"
+ state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
+ block: |
+ honor-http-proxy
+ http-proxy {{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
+
+- block:
+
+
+ # FixMe: should be lineinfile
+ - name: /etc/npmrc with proxy http
+ blockinfile:
+ dest: /etc/npmrc
+ create: false
+ mode: 0644
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy http"
+ state: "{{ 'present' if HTTP_PROXYHOST != '' else 'absent' }}"
+ block: |
+ proxy={{HTTP_PROXYTYPE}}://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}
+ https-proxy={{HTTPS_PROXYTYPE}}://{{HTTPS_PROXYHOST}}:{{HTTPS_PROXYPORT}}
+ cafile=/usr/local/etc/ssl/cacert-testforge.pem
+ progress=false
+ when:
+ - npm_npmrc_fact.stat.exists == true
diff --git a/tasks/users.yml b/tasks/users.yml
new file mode 100644
index 0000000..1903b04
--- /dev/null
+++ b/tasks/users.yml
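Review bot: The lineinfile that writes `Password {{ MY_CORP_PASS }}` into /etc/cntlm.conf sets no `mode:` and has no `no_log: true`, so the corporate password lands in a file with whatever permissions it already had and is echoed in the per-item task output; the shipped templates/cntlm-proxy.conf itself says to use 0600 with a plaintext password, and the `cntlm -H` hash form (PassNTLMv2) would avoid storing it at all. Add `mode: '0600'` and `no_log: true` to that task. Separately, the two folded `set_fact: >` scalars contain `# this works with cntlm as we configured it` and `# dunno if this works` — inside a block scalar those lines are data, not comments, so they become part of the key=value string Ansible parses; move them above the task. The first `/etc/dirmngr/dirmngr.conf` lineinfile also writes `keyserver-options http-proxy=http://{{HTTP_PROXYHOST}}:{{HTTP_PROXYPORT}}` only `when: HTTP_PROXYHOST == '' and HTTP_PROXYPORT == ''`, which yields `http-proxy=http://:`; `!=` looks intended.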
@@ -0,0 +1,114 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+---
+
+- name: "DEBUG: proxy users.yml LOOP_USER"
+ debug:
+ verbosity: 1
+ msg: "DEBUG: Including proxy users.yml LOOP_USER={{LOOP_USER}}"
+
+# why LOOP_USER == portage
+# was in testforge base.yml
+- name: "gpgconf --list {{LOOP_USER}}"
+ shell: |
+ [ -d ~/.gpg ] || mkdir ~/.gpg
+ gpgconf --list-dirs | grep 'socketdir\|homedir' | \
+ sed -e 's/.*://' | \
+ while read path; do
+ [ -e $path ] || continue; chmod -R 'go-rwx' $path
+ done
+# wierd error
+# TASK [proxy : ~/.gitconfig with proxy http] *****************************************An exception occurred during task execution. To see the full traceback, use -vvv. The error was: FileNotFoundError: [Errno 2] No usable temporary directory found in ['/tmp', '/var/tmp', '/usr/tmp', '/mnt/o/data/TestForge/src/ansible']
+# failed: [pentoo] (item={'dest': '~portage/.gitconfig', 'owner': 'portage'}) => changed=false
+ when: false
+
+# Unable to look up a name or access an attribute in template string ({{ item.dest|expanduser }}).
+- name: ~/.gitconfig pull
+ blockinfile:
+ dest: "{{ item.dest | expanduser }}"
+ owner: "{{ item.owner }}"
+ create: yes
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy pull"
+ block: |
+ [pull]
+ # ff = true
+ rebase = true
+ with_items:
+ - dest: "~{{LOOP_USER}}/.gitconfig"
+ owner: "{{ LOOP_USER }}"
+ ignore_errors: true
+
+- block:
+
+ # dont change the environment for everyone with env.d/70proxy
+ # manually include tor.sh
+ - name: "/usr/local/share/scripts/box_proxy_tor.bash no_proxy /bin/sh"
+ lineinfile:
+ path: "{{ item.dest|expanduser }}/box_proxy_tor.bash"
+ create: yes
+ owner: "{{ item.owner }}"
+ mode: "{{ item.mode }}"
+ insertafter: BOF
+ line: "#!/bin/sh"
+ regexp: "#./bin/sh"
+ with_items:
+ - dest: "~{{LOOP_USER}}/bin"
+ owner: "{{ LOOP_USER }}"
+ mode: "0755"
+
+ # unused?
+ - name: ~/bin/box_proxy_tor.bash no_proxy
+ blockinfile:
+ dest: "{{ item.dest|expanduser }}/box_proxy_tor.bash"
+ create: yes
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy noproxy"
+ insertafter: "#./bin/sh"
+ mode: "{{ item.mode }}"
+ block: |
+ [ -f {{BASE_SCRIPT_DIR}}/box_proxy_tor.bash ] && . {{BASE_SCRIPT_DIR}}/box_proxy_tor.bash
+ [ -n "$no_proxy" ] && export no_proxy=$no_proxy || export no_proxy={{ NO_PROXY }}
+ when:
+ - "LOOP_USER != 'portage'"
+ with_items:
+ - dest: "~{{LOOP_USER}}/bin"
+ owner: "{{ LOOP_USER }}"
+ mode: "0755"
+
+ - name: /etc/dirmngr/dirmngr.conf
+ shell: |
+ [ -e "/etc/dirmngr/dirmngr.conf" ] || exit 0
+ [ -e "{{ item|expanduser }}" ] && exit 0
+ ln -s "/etc/dirmngr/dirmngr.conf" "{{ item|expanduser }}"
+ with_items:
+ - "~{{LOOP_USER}}/.gpg/dirmngr.conf"
+ when:
+ - not ansible_check_mode
+ # FixMe
+ ignore_errors: true
+
+ when:
+ - "LOOP_USER != 'portage'"
+
+- name: cacert.org
+ shell: |
+ PREFIX=/var/local
+ [ -d $PREFIX/net/Http//www.cacert.org/certs/ ] || \
+ mkdir -p $PREFIX/net/Http//www.cacert.org/certs/
+ [ -f $PREFIX/net/Http//www.cacert.org/certs/cacert.asc ] || \
+ scurl.bash -P $PREFIX/net/Http/www.cacert.org/certs/ \
+ -- http://www.cacert.org/certs/cacert.asc
+ [ -f $PREFIX/net/Http//www.cacert.org/certs/CAcert_Class3Root_x14E228.crt ] || \
+ scurl.bash -P $PREFIX/net/Http/www.cacert.org/certs/ \
+ -- http://www.cacert.org/certs/CAcert_Class3Root_x14E228.crt
+ [ -f $PREFIX/net/Http//www.cacert.org/certs/root_X0F.crt ] || \
+ scurl.bash -P $PREFIX/net/Http/www.cacert.org/certs/ \
+ http://www.cacert.org/certs/root_X0F.crt
+ ls -l $PREFIX/net/Http//www.cacert.org/certs/
+
+ ignore_errors: true
+ when:
+ - false
+ - LOOP_USER != 'portage'
+ - BASE_ARE_CONNECTED|default('') != ''
+
+# git config --global http.sslversion tlsv1.3
diff --git a/tasks/vms.yml b/tasks/vms.yml
new file mode 100644
index 0000000..c49434d
--- /dev/null
+++ b/tasks/vms.yml
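Review bot: The cacert.org task fetches three root certificates over plain `http://` and keeps them with no fingerprint or digest comparison, so anything on the path to cacert.org could substitute a trust anchor; it is gated by `when: - false` today, but if it is re-enabled it should fetch over `https://` and compare each file against a pinned SHA-256 before leaving it in place. The third scurl.bash call also lacks the `--` the other two use. In the earlier shell tasks, `[ -e $path ] || continue; chmod -R 'go-rwx' $path` and `export no_proxy=$no_proxy` leave their expansions unquoted; `"$path"` and `"$no_proxy"` are the safe forms. The dirmngr symlink target `~{{LOOP_USER}}/.gpg/dirmngr.conf` (and the `mkdir ~/.gpg` above) uses `.gpg` where GnuPG's default home is `~/.gnupg`; presumably GNUPGHOME is set elsewhere in the role, but worth confirming.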
@@ -0,0 +1,9 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+---
+
+- name: "proxy vms.yml"
+ debug:
+ verbosity: 1
+ msg: "proxy vms.yml HOSTVMS_FEATURES={{HOSTVMS_FEATURES}}"
+
diff --git a/tasks/whonix_guest.yml b/tasks/whonix_guest.yml
new file mode 100644
index 0000000..7699590
--- /dev/null
+++ b/tasks/whonix_guest.yml
@@ -0,0 +1,135 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+---
+
+# to be run on the guest our guest workstation by libvirt_qemu
+
+- name: "proxy whonix_guest.yml"
+ debug:
+ verbosity: 1
+ msg: "proxy whonix_guest.yml PROXY_FEATURES={{PROXY_FEATURES}}"
+
+## Whonix Guest or libvirt nat
+- block:
+
+ - name: "proxy whonix_guest"
+ debug:
+ verbosity: 1
+ msg: "proxy whonix.yml HOST={{ansible_virtualization_role|replace('NA', 'host')}}"
+
+ - name: /etc/init.d/qemu-guest-agent
+ shell: |
+ # even systemd
+ [ -x /etc/init.d/qemu-guest-agent ] || exit 1
+ /etc/init.d/qemu-guest-agent status || /etc/init.d/qemu-guest-agent start
+ /etc/init.d/qemu-guest-agent status
+
+ - name: /dev/virtio-ports/org/qemu.guest_agent.0
+ shell: |
+ [ -e /dev/virtio-ports/org.qemu.guest_agent.0 ]
+
+ - name: external
+ delegate_to: localhost
+ shell: |
+ grep ' external$' /etc/hosts | sed -e 's/ .*//'
+ register: external_out
+ check_mode: false
+
+ - name: BASE_EXTERNAL_IP
+ set_fact:
+ BASE_EXTERNAL_IP: "{{external_out.stdout}}"
+ when: external_out.rc|default(1) == 0
+ check_mode: false
+
+ when:
+ - "ansible_virtualization_role|replace('NA', 'host') == 'guest'"
+ - BOX_OS_FLAVOR|default('') in [ 'WhonixWorkstation', 'WhonixGateway', 'Gentoo']
+
+- block:
+
+ - name: /etc/rc.local
+ shell: |
+ [ -f /etc/rc.local ] && exit 0
+ cp -p /usr/local/etc/local.d/Whonix-Gateway.local /etc/rc.local
+
+ - name: /etc/sysctl.d/80_whonix_gateway.conf
+ blockinfile:
+ dest: /etc/sysctl.d/80_whonix_gateway.conf
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_guest.yml"
+ insertafter: "Type=oneshot"
+ mode: 0644
+ owner: "{{BOX_ROOT_USER}}"
+ group: "{{BOX_ROOT_GROUP}}"
+ create: yes
+ block: |
+ LimitNOFILE=100000
+ RestartSec=600s
+ Restart=never
+
+ when:
+ - BOX_OS_FLAVOR|default('') == 'WhonixGateway'
+
+- block:
+
+ - name: /etc/rc.local
+ shell: |
+ [ -f /etc/rc.local ] && exit 0
+ cp -p /usr/local/etc/local.d/Whonix-Workstation.local
/etc/rc.local
+
+ - name: /etc/sysctl.d/80_whonix_gateway.conf
+ blockinfile:
+ dest: /etc/sysctl.d/80_whonix_gateway.conf
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_guest.yml"
+ mode: 0644
+ owner: "{{BOX_ROOT_USER}}"
+ group: "{{BOX_ROOT_GROUP}}"
+ create: yes
+ block: |
+ fs.file-max = 100000
+
+ when:
+ - BOX_OS_FLAVOR|default('') == 'WhonixWorkstation'
+
+- block:
+
+ # #x1:12345:respawn:/sbin/agetty -J 38400 console linux /etc/inittab
+ - name: "/etc/inittab"
+ lineinfile:
+ dest: "/etc/inittab"
+ insertbefore: BOF
+ mode: 0755
+ owner: "{{BOX_ROOT_USER}}"
+ group: "{{BOX_ROOT_GROUP}}"
+ create: yes
+ regexp: "^#x1:12345:respawn:/sbin/agetty"
+ line: "x1:12345:respawn:/sbin/agetty"
+
+ when:
+ proxy_vda_cmdline_fact|default(1) == 0
+
+- block:
+
+ - name: /etc/X11/xorg.conf.d/80_qxl.conf
+ blockinfile:
+ dest: /etc/X11/xorg.conf.d/80_qxl.conf
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_guest.yml"
+ insertafter: "Type=oneshot"
+ mode: 0644
+ owner: "{{BOX_ROOT_USER}}"
+ group: "{{BOX_ROOT_GROUP}}"
+ create: yes
+ block: |
+ Section "Device"
+ Identifier "qxl"
+ Driver "qxl"
+ Option "DPI" "96 x 96"
+ Option "ENABLE_IMAGE_CACHE" "True"
+ Option "ENABLE_FALLBACK_CACHE" "False"
+ Option "ENABLE_SURFACES" "False"
+ EndSection
+
+
+ when:
+ - BOX_OS_FLAVOR|default('') != 'WhonixWorkstation' # already done
+ - BOX_OS_FLAVOR|default('') != 'WhonixGateway' # already done
+ - ansible_virtualization_role|replace('NA', 'host') == 'guest'
diff --git a/tasks/whonix_host.yml b/tasks/whonix_host.yml
new file mode 100644
index 0000000..f01ac78
--- /dev/null
+++ b/tasks/whonix_host.yml
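Review bot: The WhonixGateway `/etc/sysctl.d/80_whonix_gateway.conf` task writes `LimitNOFILE=100000`, `RestartSec=600s` and `Restart=never` with `insertafter: "Type=oneshot"` — those are systemd unit directives, not sysctl keys, so sysctl will reject the file; the WhonixWorkstation variant below writes `fs.file-max = 100000`, which is presumably what was meant here. The `/etc/inittab` task inserts `x1:12345:respawn:/sbin/agetty` with no tty arguments, while the comment above it shows `-J 38400 console linux`; as written init will respawn a failing agetty until it gives up on the entry. The `external` task's `grep ... | sed ...` pipeline reports sed's status, so a missing `external` entry still gives rc 0 and an empty BASE_EXTERNAL_IP — add `external_out.stdout|default('') != ''` to the set_fact `when:`, as whonix_host.yml already does.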
@@ -0,0 +1,303 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+
+---
+
+- name: "proxy whonix_host.yml"
+ debug:
+ verbosity: 1
+ msg: "proxy whonix_host.yml BOX_WHONIX_PROXY_HOST={{BOX_WHONIX_PROXY_HOST}}"
+
+- name: chmod 664 /etc/libvirt/qemu/*xml
+ shell: |
+ chmod 664 /etc/libvirt/qemu/*xml || true
+
+- name: /etc/libvirt/hooks/network
+ blockinfile:
+ dest: /etc/libvirt/hooks/network
+ create: yes
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
+ mode: 0775
+ block: |
+ [ ! -f /usr/local/sbin/proxy_libvirt_hook_network.bash ] || \
+ /usr/local/sbin/proxy_libvirt_hook_network.bash
+ when: false # now in overlay
+
+# FixMe: Whats the right consitonal for starting polipo
+#- block:
+
+# to be run on the host to use the gateway as our proxy using ports via iptables
+# The proxy setup to be run are a way of centralizing tasks from other roles be run on the gateway.
+
+- stat: path=/etc/polipo/config
+ register: polipo_conf
+
+- name: PRIV_TOR_TYPE in ['client']
+ assert:
+ # drive from {{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
+ that:
+ - "'{{PROXY_WHONIX_HTTPS_PORT}}' != ''"
+ - "'{{PROXY_WHONIX_SOCKS_PORT}}' != ''"
+ - "'{{PROXY_WHONIX_SOCKS_USER}}' != ''"
+ - "'{{PROXY_WHONIX_SOCKS_PASS}}' != ''"
+ - "'{{PROXY_WHONIX_DNS_PORT}}' != ''"
+ - "'{{PROXY_WHONIX_TRANS_PORT}}' != ''"
+ - "'{{PROXY_WHONIX_BUKU_PORT}}' != ''"
+
+- name: PRIV_TOR_TYPE in ['client']
+ set_fact:
+ # {{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
+ PROXY_POLIPO_SOCKSHOST: "{{PROXY_WHONIX_SOCKS_HOST}}"
+ PROXY_POLIPO_SOCKSPORT: "{{PROXY_WHONIX_SOCKS_PORT}}"
+ PROXY_POLIPO_SOCKSUSER: "{{PROXY_WHONIX_SOCKS_USER}}"
+ PROXY_POLIPO_SOCKSPASS: "{{PROXY_WHONIX_SOCKS_PASS}}"
+ PROXY_POLIPO_SOCKSTYPE: "socks5"
+ PRIV_FIREWALL_SET: whonix
+ HARDEN_DNS_PORT: "{{PROXY_DNS_PORT}}"
+ when:
+ - BOX_WHONIX_PROXY_HOST != ""
+
+- name: "/etc/modules-load.d/firewall.conf"
+ blockinfile:
+ dest:
/etc/modules-load.d/firewall.conf
+ create: yes
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
+ block: |
+ ip_tables
+ ipt_REJECT
+ iptable_filter
+ iptable_nat
+ xt_LOG
+ xt_conntrack
+ xt_nat
+ xt_owner
+ xt_state
+ xt_tcpudp
+ nf_conntrack
+ nf_defrag_ipv4
+ # 5.15 nf_log_common
+ nf_log_ipv4
+ nf_nat
+ #5 nf_nat_ipv4
+ #5 nf_reject_ipv4
+ #5 x_tables
+ xt_MASQUERADE
+ nft_masq
+ iptable_mangle
+ bridge
+
+- name: template /etc/firewall.conf
+ template:
+ force: no
+ src: "etc/firewall-tor_{{PRIV_FIREWALL_SET}}.conf"
+ dest: /etc/firewall.conf
+
+- name: /etc/polipo/config
+ lineinfile:
+ dest: /etc/polipo/config
+ regexp: '^#* *{{item.name}}.*'
+ line: "{{item.name}}={{item.val}}"
+ state: present
+ owner: "{{BOX_ROOT_USER}}"
+ group: "{{BOX_ROOT_GROUP}}"
+ mode: 0644
+ create: yes
+ with_items:
+ - { name: daemonise, val: false }
+ - { name: diskCacheRoot, val: "" }
+ - { name: disableLocalInterface, val: true }
+ - { name: proxyAddress, val: 127.0.0.1 }
+ - { name: proxyName, val: 127.0.0.1 }
+ - { name: proxyPort, val: "{{ PROXY_POLIPO_PROXYPORT }}" }
+ - { name: allowedClients, val: 127.0.0.1 }
+ - { name: socksParentProxy, val: "{{PROXY_POLIPO_SOCKSHOST}}:{{PROXY_POLIPO_SOCKSPORT}}" }
+ - { name: socksProxyType, val: "{{PROXY_POLIPO_SOCKSTYPE}}" }
+# - { name: socksUserName, val: "foo" } # not Debian - unenforced?
+ - { name: disableVia, val: true }
+ # can be a directory
+ - { name: forbiddenFile, val: /etc/polipo/forbidden }
+ # maybe the same directory forbids the same tunnelling
+ - { name: forbiddenTunnelsFile, val: /etc/polipo/forbidden }
+ - { name: allowedPorts, val: 1-65535 }
+ - { name: tunnelAllowedPorts, val: 1-65535 }
+ - { name: logFile, val: "{{ PROXY_POLIPO_LOG }}" }
+ - { name: logSyslog, val: false }
+ - { name: logLevel, val: 455 }
+ # logLevel=0x107
+ when:
+ - not ansible_check_mode
+ - polipo_conf.stat.exists == true
+
+# FixMe: make logLevel high but make the log file root readable only
+- name: chmod /var/log/polipo.log
+ file:
+ state: file
+ path: "{{ PROXY_POLIPO_LOG }}"
+ mode: 0640
+ owner: "{{ PROXY_POLIPO_OWNER }}"
+ group: "{{ PROXY_POLIPO_GROUP }}"
+ when:
+ - not ansible_check_mode
+ # FixMe: may not have been started
+ ignore_errors: true
+
+#- name: virsh list
+# command: virsh list
+# register: virsh_list
+# when:
+# - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
+
+- block:
+
+ - name: polipo Whonix-Gateway
+ shell: |
+ ifconfig | grep virbr || exit 0
+ # FixMe: which is gateway
+ grep '^allowedClients=.*/' /etc/polipo/config && \
+ sed -e 's/allowedClients=.*/allowedClients=127.0.0.1/' -i /etc/polipo/config || \
+ echo 'allowedClients=127.0.0.1' >> /etc/polipo/config
+
+ ifconfig | grep br | grep inet | while read inet ip rest ; do
+ sed -e "s/allowedClients=.*/&,$ip/" -i /etc/polipo/config
+ done
+ .
/usr/local/etc/local.d/local.bash
+ proxy_rc_service polipo restart
+
+ when:
+ - false
+ - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
+# was in hostvms libvirt.yml
+- block:
+
+ - name: /etc/libvirt/hooks/network
+ lineinfile:
+ path: "/etc/libvirt/hooks/network"
+ create: yes
+ mode: 0775
+ insertafter: BOF
+ line: "#!/bin/sh"
+ regexp: "#./bin/sh"
+ when: false # now in overlay
+
+ - name: /usr/local/bin/proxy_libvirt_hook_network.bash
+ blockinfile:
+ dest: /etc/libvirt/hooks/network
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
+ mode: 0775
+ block: |
+ export PATH=$PATH:/usr/local/bin:/usr/local/sbin
+
+ # hung processes will hang virsh list
+ [ ! -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || \
+ timeout --kill-after=10 10 /usr/local/bin/proxy_libvirt_hook_network.bash $*
+ [ $? -ne 0 ] && \
+ logger $0 WARN: /usr/local/bin/proxy_libvirt_hook_network.bash retval=$?
+ exit 0
+ when: false # now in overlay
+
+ - name: proxy_libvirt_no_autostart
+ shell: |
+ /usr/local/bin/proxy_ping_lib.bash proxy_libvirt_no_autostart
+
+ - name: /etc/init.d/libvirtd
+ shell: |
+ # now moved to /usr/local/bin/proxy_hourly.bash
+ [ !
-f /usr/local/bin/proxy_hourly.bash ] || /usr/local/bin/proxy_hourly.bash
+ exit 0
+ when: false
+
+ - name: "/etc/conf.d/libvirtd"
+ lineinfile:
+ dest: "/etc/{{ETC_CONF_D}}/libvirtd"
+ insertbefore: BOF
+ mode: 0755
+ owner: "{{BOX_ROOT_USER}}"
+ group: "{{BOX_ROOT_GROUP}}"
+ create: yes
+ regexp: "^rc_need"
+ line: "#rc_need"
+
+ when:
+ - ansible_virtualization_role|replace('NA', 'host') == 'host'
+ - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
+ - "'libvirt' in BOX_HOSTVMS_FEATURES or BOX_WHONIX_PROXY_HOST != ''"
+
+- block:
+
+ - name: /etc/rc.local
+ shell: |
+ [ -f /etc/rc.local ] && exit 0
+ cp -p /usr/local/etc/local.d/Whonix-Host.local /etc/rc.local
+ when:
+ - BOX_OS_FLAVOR|default('') == 'KickSecure'
+
+ - name: /usr/local/src/secbrowser.bash
+ shell: |
+ [ -f /usr/local/src/secbrowser.bash ] && exit 0
+ /local/src/secbrowser.bash
+ when:
+ - BOX_OS_FLAVOR|default('') == 'KickSecure'
+ when:
+ - "ansible_virtualization_role|replace('NA', 'host') == 'host'"
+
+- block:
+
+ - name: /run/tmp
+ shell: |
+ [ -d /run/tmp ] && exit 0
+ mkdir /run/tmp
+ chmod 1777 /run/tmp
+ # lib64 is not being made
+ mkdir -p /usr/local/lib/python3.11/site-packages \
+ /usr/local/lib64/python3.11/site-packages
+ when:
+ - external_out.rc|default(1) == 0
+ - external_out.stdout|default('') != ''
+
+ - name: proxy_libvirt_forward.bash
+ shell: |
+ ps ax | grep proxy_libvirt_forward.bash && exit 0
+ proxy_libvirt_forward.bash
+ when:
+ - external_out.rc|default(1) == 0
+ - external_out.stdout|default('') != ''
+ # box mode is tor or
+ become: yes
+ become_user: "{{ BOX_USER_NAME }}"
+
+ when:
+ - ansible_connection|default('') in ['libvirt_qemu']
+
+ - name: /etc/rc.local
+ shell: |
+ [ -f /etc/rc.local ] && exit 0
+ cp -p /usr/local/etc/local.d/Whonix-Vda.local /etc/rc.local
+ when:
+ - proxy_vda_cmdline_fact|default(1) == 0
+
+ - name: /etc/rc.local
+ shell: |
+ [ -f /etc/rc.local ] && exit 0
+ cp -p /usr/local/etc/local.d/Whonix-Gateway.local /etc/rc.local
+ when:
+ - BOX_OS_FLAVOR|default('') == 'WhonixGateway'
+
+ - name: /etc/rc.local Workstation
+ shell: |
+ [ -f /etc/rc.local ] && exit 0
+ cp -p /usr/local/etc/local.d/Whonix-Workstation.local /etc/rc.local
+ when:
+ - BOX_OS_FLAVOR|default('') == 'WhonixWorkstation'
+
+ when:
+ - ansible_virtualization_role|replace('NA', 'host') == 'guest'
+
+
+- block:
+
+ - name: /usr/local/src/secbrowser.bash
+ shell: |
+ [ -f /usr/local/src/secbrowser.bash ] && exit 0
+ /local/src/secbrowser.bash
+
+ when:
+ - BOX_OS_FLAVOR|default('') == 'KickSecure' or proxy_vda_cmdline_fact|default(1) == 0
diff --git a/tasks/wicd.yml b/tasks/wicd.yml
new file mode 100644
index 0000000..1532474
--- /dev/null
+++ b/tasks/wicd.yml
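Review bot: The assert's `that:` entries interpolate the SOCKS credentials directly into the condition text (`"'{{PROXY_WHONIX_SOCKS_PASS}}' != ''"`, likewise the user), so the password becomes part of a conditional string rather than a variable reference; besides Ansible's warning that conditionals should not contain templating delimiters, any failure or verbose output that echoes the assertion can expose it — write `- PROXY_WHONIX_SOCKS_PASS != ''` for each entry and add `quiet: true`. In the `proxy_libvirt_forward.bash` task, `ps ax | grep proxy_libvirt_forward.bash && exit 0` will typically match the grep process itself, so the forwarder is never started; `pgrep -f proxy_libvirt_forward.bash >/dev/null && exit 0` excludes itself. Both `secbrowser.bash` tasks exit when `/usr/local/src/secbrowser.bash` exists and otherwise run `/local/src/secbrowser.bash`, which looks like a dropped `/usr` and an inverted guard. The polipo config also opens `allowedPorts` and `tunnelAllowedPorts` to `1-65535`, which is only reasonable while `allowedClients` stays `127.0.0.1`; the (currently disabled) "polipo Whonix-Gateway" task would append bridge addresses to it and should be reviewed together with those two settings before it is enabled.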
@@ -0,0 +1,90 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+- name: "wicd.yml"
+ debug:
+ verbosity: 1
+ msg: "proxy wicd.yml "
+
+- name: "/etc/dhcp/dhcpd.conf"
+ blockinfile:
+ dest: /etc/dhcp/dhcpd.conf
+ marker: "# {mark} ANSIBLE MANAGED BLOCK privacy"
+ create: yes
+ block: |
+ default-lease-time 36000;
+ ipv4only;
+ randomise_hwaddr;
+ #? whitelist 10.16.238.1;
+ logfile /var/log/dhcpd.log;
+ nohook resolv.conf;
+
+# stop dhclient from overwriting resolv.conf
+# with scripts in /lib/dhcpcd/dhcpcd-hooks/
+# FixMe: /etc/dhcp/dhcp-client.conf?
+
+# dnscrypt is not a system service
+- name: "service disable not {{PROXY_DNS_PROXY}}"
+ service:
+ enabled: '{{ "yes" if PROXY_DNS_PROXY == "{{ item }}" else "no" }}'
+ state: '{{ "started" if PROXY_DNS_PROXY == "{{ item }}" else "stopped" }}'
+ name: "{{ item }}"
+ with_items:
+ # leave 'dnsmasq' running
+ # maybe shutting dnsmasq shuts NetworkManager?
+ - "{{PROXY_DNS_PROXY}}"
+ # "dnscrypt" is not a system service
+ ignore_errors: true
+ when:
+ - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
+
+- name: "service disable not {{PROXY_DNS_NETMAN}}"
+ service:
+ enabled: '{{ "yes" if PROXY_DNS_NETMAN == "{{ item }}" else "no" }}'
+ state: '{{ "started" if PROXY_DNS_NETMAN == "{{ item }}" else "stopped" }}'
+ name: "{{ item }}"
+ with_items: "{{ PROXY_DNS_NETMAN_ALL }}"
+ ignore_errors: true
+ when:
+ - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
+
+- name: "/etc/dhcpcd.conf {{ansible_distribution}}"
+ blockinfile:
+ dest: "{{ item }}"
+ marker: "# {mark} ANSIBLE MANAGED BLOCK proxy"
+ create: true
+ block: |
+ # we route dns queries through tor
+ # we will configure ntp generically
+ nohook resolv.conf,ntp.conf
+ # with_first_found:
+ with_items:
+ - /etc/dhcpcd.conf
+ when:
+ - "'run_dnsmasq' in PROXY_FEATURES"
+
+- name: "/etc/resolvconf.conf"
+ lineinfile:
+ dest: /etc/resolvconf.conf
+ create: true
+ regexp: "{{ item.name }}"
+ line: "{{
item.val }}"
+ with_items:
+ - { name: "^#*resolvconf=.*", val: "resolvconf=no" }
+ - { name: "^#*name_servers=.*", val: "name_servers=127.0.0.1" }
+ - { name: "^#*resolv_conf.*", val: "resolv_conf=/etc/resolv.conf" }
+ when:
+ - ansible_distribution == 'Gentoo'
+ - "'run_dnsmasq' in PROXY_FEATURES"
+
+# /etc/resolvconf/update.d/ for Ubuntu
+
+# /etc/resolvconf/update.d/dnsmasq for Debian
+- name: "/etc/resolvconf/update.d/dnsmasq"
+ shell: |
+ [ -f /etc/resolvconf/update.d/dnsmasq ] || exit 0
+ chmod 644 /etc/resolvconf/update.d/dnsmasq
+ mv /etc/resolvconf/update.d/dnsmasq /etc/resolvconf/update.d/.dnsmasq
+ when:
+ - PROXY_DNS_PROXY != ""
+
diff --git a/templates/Debian/Gateway/etc/rc.local b/templates/Debian/Gateway/etc/rc.local
new file mode 100644
index 0000000..470fbc6
--- /dev/null
+++ b/templates/Debian/Gateway/etc/rc.local
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+setfont /usr/share/consolefonts/Lat15-TerminusBold22x11.psf.gz
+
+echo nameserver 127.0.0.1> /etc/resolv.conf
+
+IP=`ifconfig eth0 | grep inet | sed -e 's/.*inet //' -e 's/ .*//'`
+[ $? -eq 0 ] || return 1$?
+[ -n "$IP" ] || return 2$?
+
+if ! iptables-save | grep -q 'iptables -A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT' ; then
+ iptables -D INPUT -j DROP
+ iptables -A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT
+ iptables -A INPUT -j DROP
+ fi
+
+ps ax | grep -q 'su -c tor -s /bin/sh debian-tor' || \
+ sh /usr/local/bin/proxy_whonix_tor_start.bash
+
+dig @$IP -p 9053 -b $IP google.com
+
+exit 0
diff --git a/templates/cntlm-proxy.conf b/templates/cntlm-proxy.conf
new file mode 100644
index 0000000..de5a78b
--- /dev/null
+++ b/templates/cntlm-proxy.conf
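Review bot: Both service tasks nest `"{{ item }}"` inside an outer Jinja expression (`enabled: '{{ "yes" if PROXY_DNS_PROXY == "{{ item }}" else "no" }}'`); inside the expression that is a string literal, so as far as I can tell the comparison is against the literal text `{{ item }}` rather than the loop value, and every service — including `PROXY_DNS_PROXY` itself — resolves to `enabled: no` / `state: stopped`. Write `enabled: "{{ 'yes' if PROXY_DNS_PROXY == item else 'no' }}"` and `state: "{{ 'started' if PROXY_DNS_PROXY == item else 'stopped' }}"`, and the same for the PROXY_DNS_NETMAN task. The `/etc/dhcp/dhcpd.conf` block also mixes what look like dhcpcd client options (`ipv4only;`, `randomise_hwaddr;`, `nohook resolv.conf;`) into an ISC dhcpd server config; confirm which daemon actually reads that path before relying on it to keep resolv.conf pointed at 127.0.0.1.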
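Review bot: The idempotence check `iptables-save | grep -q 'iptables -A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT'` can never match, because iptables-save prints rules as `-A INPUT ...` without an `iptables` prefix; every boot therefore deletes one DROP rule and appends a fresh ACCEPT plus DROP pair, accumulating duplicate ACCEPT rules. Drop the prefix and anchor the pattern: `grep -q -- '^-A INPUT -i eth0 -p udp -m udp --dport 9053 -j ACCEPT'`. The tor check `ps ax | grep -q 'su -c tor -s /bin/sh debian-tor'` will typically match the grep process's own argument list, so `proxy_whonix_tor_start.bash` is never run; `pgrep -f` excludes itself. `return 1$?` and `return 2$?` sit at top level of a `#!/bin/sh` script where `return` outside a function is shell-dependent (bash reports an error and continues), and the appended `$?` is the preceding test's status rather than ifconfig's; `exit 1` is what was meant.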
@@ -0,0 +1,92 @@
+#
+# Cntlm Authentication Proxy Configuration
+#
+# NOTE: all values are parsed literally, do NOT escape spaces,
+# do not quote. Use 0600 perms if you use plaintext password.
+#
+
+Username testuser
+Domain corp-uk
+Password password
+# NOTE: Use plaintext password only at your own risk
+# Use hashes instead. You can use a "cntlm -M" and "cntlm -H"
+# command sequence to get the right config for your environment.
+# See cntlm man page
+# Example secure config shown below.
+# PassLM 1AD35398BE6565DDB5C4EF70C0593492
+# PassNT 77B9081511704EE852F94227CF48A793
+### Only for user 'testuser', domain 'corp-uk'
+# PassNTLMv2 D5826E9C665C37C80B53397D5C07BBCB
+
+# Specify the netbios hostname cntlm will send to the parent
+# proxies. Normally the value is auto-guessed.
+#
+# Workstation netbios_hostname
+
+# List of parent proxies to use. More proxies can be defined
+# one per line in format :
+#
+Proxy 10.0.0.41:8080
+Proxy 10.0.0.42:8080
+
+# List addresses you do not want to pass to parent proxies
+# * and ? wildcards can be used
+#
+NoProxy localhost, 127.0.0.*, 10.*, 192.168.*
+
+# Specify the port cntlm will listen on
+# You can bind cntlm to specific interface by specifying
+# the appropriate IP address also in format :
+# Cntlm listens on 127.0.0.1:3128 by default
+#
+Listen 3128
+
+# If you wish to use the SOCKS5 proxy feature as well, uncomment
+# the following option. It can be used several times
+# to have SOCKS5 on more than one port or on different network
+# interfaces (specify explicit source address for that).
+#
+# WARNING: The service accepts all requests, unless you use
+# SOCKS5User and make authentication mandatory. SOCKS5User
+# can be used repeatedly for a whole bunch of individual accounts.
+#
+#SOCKS5Proxy 8010
+#SOCKS5User dave:password
+
+# Use -M first to detect the best NTLM settings for your proxy.
+# Default is to use the only secure hash, NTLMv2, but it is not
+# as available as the older stuff.
+#
+# This example is the most universal setup known to man, but it
+# uses the weakest hash ever. I won't have it's usage on my
+# conscience. :) Really, try -M first.
+#
+#Auth LM
+#Flags 0x06820000
+
+# Enable to allow access from other computers
+#
+#Gateway yes
+
+# Useful in Gateway mode to allow/restrict certain IPs
+# Specifiy individual IPs or subnets one rule per line.
+#
+#Allow 127.0.0.1
+#Deny 0/0
+
+# GFI WebMonitor-handling plugin parameters, disabled by default
+#
+#ISAScannerSize 1024
+#ISAScannerAgent Wget/
+#ISAScannerAgent APT-HTTP/
+#ISAScannerAgent Yum/
+
+# Headers which should be replaced if present in the request
+#
+#Header User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
+
+# Tunnels mapping local port to a machine behind the proxy.
+# The format is ::
+#
+#Tunnel 11443:remote.com:443
+
diff --git a/templates/usr/local/src/usr_local_python2.sed b/templates/usr/local/src/usr_local_python2.sed
new file mode 100644
index 0000000..6dad0d0
--- /dev/null
+++ b/templates/usr/local/src/usr_local_python2.sed
@@ -0,0 +1,3 @@
+1,1s@^#./usr/bin/env python@#!/usr/local/bin/python2.sh@
+1,1s@^#./usr/bin/python2.7@#!/usr/local/bin/python2.sh@
+1,1s@^#./usr/lib/python-exec/python2.7/python@#!/usr/local/bin/python2.sh@
diff --git a/templates/usr/local/src/usr_local_python3.sed b/templates/usr/local/src/usr_local_python3.sed
new file mode 100644
index 0000000..22ba2d2
--- /dev/null
+++ b/templates/usr/local/src/usr_local_python3.sed
@@ -0,0 +1,3 @@
+1,1s@^#./usr/bin/env python@#!/usr/local/bin/python3.bash@
+1,1s@^#./usr/bin/python3.4@#!/usr/local/bin/python3.bash@
+1,1s@^#./usr/lib/python-exec/python3.4/python@#!/usr/local/bin/python3.bash@
diff --git a/vars/Debian11.yml b/vars/Debian11.yml
new file mode 100755
index 0000000..7ef9617
--- /dev/null
+++ b/vars/Debian11.yml
@@ -0,0 +1,1005 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- +--- + +PROXY_TIME_DAEMON: ntp +PROXY_GPG_KEYERVER_URL: hkps:// + +proxy_masked_services: + - apt-daily-upgrade + - sdwdate + - tb-updater-first-boot + +# List of proxy packages to install. +proxy_debs_inst: +# Install packages to allow apt to use a repository over HTTPS: + - apt + - apt-transport-tor + - apt-utils + - apt-transport-https + - bootlogd + - ca-certificates + - dnsmasq + - ntpdate + - bzip2 + - corkscrew + - console-data + - cron + - curl + - less + - mg + - netcat + - ncat + - openssl + - passwd + - patch + - pciutils + - perl + - perl-base + - sudo + - unzip + - xsltproc + - zip + - openssh-client + - openssh-server + - openssh-sftp-server + - nmap + - wireless-tools + - software-properties-common + - lsof + - ifupdown + - iproute2 + - iptables + - iputils-ping + - htop + - iotop + - jnettop + - iw + - jq + - python3-argcomplete + - libnet-ifconfig-wrapper-perl +# I need this for Ubuntu even though it come in the bootstrap - 2 setuptools, 1 pip +# - pip + # for pip + - python-cryptography + - python3-pkg-resources + - python3-pip + - python3-setuptools +# - python3-wheel +# Install packages to allow apt to use a repository over HTTPS: + # niceities from testforge + - file + - findutils + - gcc + - gdisk + - gnupg + - gnupg-utils + - gnupg2 + - gpg + - gpg-agent + - gpg-wks-client + - gpg-wks-server + - grep + - groff-base + - haveged + - hostname + - init + - init-system-helpers + - inotify-tools + - install-info + - iso-codes + - kbd + - keyboard-configuration + - klibc-utils + - login + - lsb-base + - lsb-release + - lynx + - make + - man-db + - mount + - nano + - ncurses-base + - ncurses-bin + - ncurses-term + - net-tools + - netbase + - parted + - pinentry-curses + - pm-utils + - policykit-1 + - policykit-1-gnome + - policyrcd-script-zg2 + - powermgmt-base + - procps + - psmisc + - rsync + - sed + - strace + - tar + - traceroute + - tzdata + - 
upower + - util-linux + - wget + - xz-utils + - geoip-bin + - nss-plugin-pem + - torsocks + - whois + - yamllint + # drawn in + - python3-yaml + +proxy_kicksecure_debs_inst: + - scurl + - usability-misc + +proxy_qemu_guest_debs_inst: + - qemu-guest-agent + +proxy_pips2_inst: [] + +proxy_pips3_inst: + - jq + +proxy_pips_reinstall: +# pip prerequisites + - setuptools + - appdirs + - ipaddress + - six + - cachecontrol + - pyparsing + - colorama +#? - distlib + - html5lib +#? - lockfile + - packaging + - requests + - webencodings + - jq +# pip itself? NO + - cryptography +# + - pyOpenSSL + - paramiko + - Jinja2 + - pyasn1 + - bcrypt + - PyNaCl + - cffi + - idna + - asn1crypto + # whonix general + - acpi-support + - acpi-support-base + - acpid + - adduser + - busybox + - console-common + - console-data + - console-setup + - console-setup-linux + - coreutils + - cpio + +cntlm_pid_file: /var/run/cntlm/cntlm.pid + + +# BOX_OS_FLAVOR in ['WhonixGateway']}}" +proxy_gateway_debs_inst: [] + +# BOX_OS_FLAVOR in ['KickSecure', 'WhonixGateway', 'WhonixWorkstation'] +proxy_xfce_debs_inst: + - apt-transport-https + - libnetfilter-conntrack3 + - dnsmasq-base + - dnsmasq + - firmware-linux-free + - firmware-misc-nonfree + - firmware-amd-graphics + - firmware-linux-nonfree + - firmware-linux + - firmware-atheros + - firmware-iwlwifi +#linux-headers-5.8.0-0.bpo.2-amd64 +#linux-image-5.8.0-0.bpo.2-amd64 + - ntpdate + - corkscrew + - cron + - mg + # No package matching 'liblua5.3' is available + # - liblua5.3 + - netcat-traditional + - netcat + - ncat + - xsltproc + - openssh-client + - openssh-server + - openssh-sftp-server + - polipo + - nmap-common + - libgfortran5 + - libblas3 + - liblinear3 + - libncurses-dev + - libreadline-dev + - nmap + - wireless-tools + - gir1.2-glib-2.0 + - gir1.2-packagekitglib-1.0 + - python3-dbus + - libgirepository-1.0 + - python3-gi + - python3-pycurl + - python3-software-properties + - software-properties-common + - ifupdown + - libpcap0.8 + - 
libnfnetlink0 + - libnftnl11 + - libiptc0 + - libip6tc0 + - libip6tc0 + - libnetfilter-conntrack3 + - iptables + - htop + - iotop + - libpcap0.8 + - jnettop + - python3-argcomplete + - libnet-ifconfig-wrapper-perl +# I need this for Ubuntu even though it come in the bootstrap - 2 setuptools, 1 pip +#pip +#! python-cryptography +#! python3-pkg-resources +#! apython3-pip +#! python3-setuptools +#! python3-wheel + - install-info + - lynx-common + - lynx + - ncurses-term + - rsync + - traceroute + - tzdata + - geoip-bin + - nss-plugin-pem + - scurl + - torsocks + - whois +## non-qubes-whonix-gateway-xfce + - xauth +# kicksecure-desktop-applications-recommended : Depends: monero-gui + - libpackagekit-glib2-18 +# kicksecure-xfce-vm: kicksecure-cli-vm, kicksecure-xfce, kicksecure-network-conf-gui, non-qubes-audio, non-qubes-vm-enhancements-gui, kicksecure-desktop-applications-recommended + +## The following NEW packages will be installed: +## apt-transport-https corkscrew cron dnsmasq dnsmasq-base +## firmware-amd-graphics firmware-atheros firmware-iwlwifi firmware-linux +## firmware-linux-free firmware-linux-nonfree firmware-misc-nonfree geoip-bin +## gir1.2-glib-2.0 gir1.2-packagekitglib-1.0 htop ifupdown install-info iotop + +# No package matching 'liblua5.3' is available## # xiptables jnettop libblas3 libgfortran5 libgirepository-1.0-1 libip6tc0 +## libiptc0 libiw30 liblinear3 liblua5.3-0 liblua5.3-0-dbg liblua5.3-dev +## libncurses-dev libnet-ifconfig-wrapper-perl libnetfilter-conntrack3 +## libnfnetlink0 libnftnl11 libpackagekit-glib2-18 libpcap0.8 libreadline-dev +## lynx lynx-common mg ncat ncurses-term netcat netcat-traditional nmap +## nmap-common nss-plugin-pem ntpdate openssh-client openssh-server +## openssh-sftp-server polipo python3-argcomplete python3-dbus python3-gi +## python3-pycurl python3-software-properties rsync scurl +## software-properties-common torsocks traceroute whois wireless-tools xauth +## xsltproc + +# RAW complete overlap + + 
+whonix_gateway_debs: + - anon-apps-config + - anon-apt-sources-list + - anon-connection-wizard + - anon-gw-anonymizer-config + - anon-gw-base-files + - anon-icon-pack + - apparmor + - apparmor-profile-dist + - apparmor-utils + - arc-theme + - auditd + - basez + - bash + - bash-completion + - bc + - bind9-host + - bindp + - binutils + - binutils-common + - binutils-x86-64-linux-gnu + - bootclockrandomization + - bsdmainutils + - bsdtar + - bsdutils + - bubblewrap + - cryptsetup + - cryptsetup-bin + - cryptsetup-initramfs + - cryptsetup-run + - damngpl + - dash + - dbus + - dbus-user-session + - dconf-gsettings-backend + - dconf-service + - debconf + - debian-archive-keyring + - debianutils + - debsums + - desktop-file-utils + - dialog + - dictionaries-common + - diffutils + - dirmngr + - dist-base-files + - distro-info-data + - dkms + - dmidecode + - dmsetup + - dnsutils + - dpkg + - dpkg-dev + - e2fslibs + - e2fsprogs + - eatmydata + - elpa-auto-complete + - elpa-concurrent + - elpa-ctable + - elpa-deferred + - elpa-epc + - elpa-jedi + - elpa-jedi-core + - elpa-popup + - elpa-python-environment + - exo-utils + - faketime + - fdisk + - flashproxy-client + - flashproxy-common + - fontconfig + - fontconfig-config + - fonts-dejavu-core + - fteproxy + - gettext-base + - gir1.2-atk-1.0 + - gir1.2-freedesktop + - gir1.2-gdkpixbuf-2.0 + - gir1.2-glib-2.0 + - gir1.2-gtk-3.0 + - gir1.2-pango-1.0 + - glib-networking + - glib-networking-common + - glib-networking-services + - gnome-brave-icon-theme + - gnome-colors-common + - gnome-icon-theme + - gnome-themes-extra + - gnome-themes-extra-data + - gnustep-base-common + - gnustep-base-runtime + - gnustep-common + - gpgconf + - gpgsm + - gpgv + - hardened-malloc + - helper-scripts + - hicolor-icon-theme + - jitterentropy-rngd + - kicksecure-dependencies-cli + - linux-headers-amd64 + - linux-image-amd64 + - live-boot + - live-boot-initramfs-tools + - live-tools + - locales + - mawk + - menu + - mime-support + - most + - mousepad 
+ - msgcollector + - msgcollector-gui + - non-qubes-vm-enhancements-cli + - non-qubes-vm-enhancements-gui + - non-qubes-whonix-gateway-cli + - nyx + - obfs4proxy + - obfsproxy + - onion-grater + - onioncircuits + - open-link-confirmation + - openvpn + - os-prober + - p7zip + - p7zip-full + - pv + - pychecker + - pymacs + - pypy + - pypy-ipaddress + - pypy-lib + - pypy-pkg-resources + - pypy-setuptools + - pypy-stem + - python + - python-asn1crypto + - python-attr + - python-automat + - python-cffi-backend + - python-constantly + - python-crypto + - python-enum34 + - python-epc + - python-fte + - python-hyperlink + - python-incremental + - python-ipaddress + - python-m2crypto + - python-minimal + - python-mode + - python-openssl + - python-pip-whl + - python-pyasn1 + - python-pyasn1-modules + - python-pyptlib + - python-service-identity + - python-sexpdata + - python-six + - python-twisted-bin + - python-twisted-core + - python-typing + - python-yaml + - python-zope.interface + - python2 + - python2-minimal + - python2.7 + - python2.7-minimal + - python3 + - python3-apparmor + - python3-dateutil + - python3-distutils + - python3-gevent + - python3-gi + - python3-greenlet + - python3-ipy + - python3-jedi + - python3-lib2to3 + - python3-libapparmor + - python3-minimal + - python3-parso + - python3-pkg-resources + - python3-psutil + - python3-pycountry + - python3-pyqt5 + - python3-scapy + - python3-sdnotify + - python3-sip + - python3-six + - python3-socks + - python3-stem + - python3-virtualenv + - python3-yaml + - python3.7 + - python3.7-minimal + - rads + - readline-common + - sdwdate + - sdwdate-gui + - secure-delete + - security-misc + - sensible-utils + - serial-console-enable + - shared-mime-info + - sound-theme-freedesktop + - spectre-meltdown-checker + - spice-vdagent + - swap-file-creator + - sysfsutils + - systemd + - systemd-sysv + - sysvinit-utils + - timesanitycheck + - tirdad + - tirdad-dkms + - tor + - tor-control-panel + - tor-geoipdb + - torsocks + - 
ucf + - udev + - udisks2 + - unar + - uwt + - vanguards + - virt-what + - virtualenv + - vm-config-dist + - vrms + # whonix + - whonix-base-files + - whonix-firewall + - whonix-gateway-default-applications-gui + - whonix-gateway-packages-dependencies-cli + - whonix-gateway-packages-dependencies-pre + - whonix-gw-network-conf + - whonix-initializer + - whonix-legacy + - whonix-repository + - whonix-setup-wizard + - whonix-shared-default-applications-gui + - whonix-shared-packages-dependencies-cli + - whonix-shared-packages-recommended-cli + - whonix-xfce-desktop-config + - whonixcheck + - whonixsetup + - wmctrl + - xxd + - zenity + - zenity-common + - zlib1g + - zsh + - zsh-common + - zulucrypt-cli + - zulupolkit + - yq + +proxy_libvirt_debs_inst: + - libvirt-daemon-system + - libvirt-clients + - libvirt-daemon + - usbutils + - usb.ids + - libvirt-doc + - virt-manager + +proxy_libs_debs: + - libacl1 + - libapparmor1 + - libapt-inst2.0 + - libapt-pkg5.0 + - libarchive-tools + - libarchive13 + - libargon2-1 + - libasan5 + - libasound2 + - libasound2-data + - libaspell15 + - libassuan0 + - libasyncns0 + - libatasmart4 + - libatk-bridge2.0-0 + - libatk1.0-0 + - libatk1.0-data + - libatomic1 + - libatspi2.0-0 + - libattr1 + - libaudit-common + - libaudit1 + - libauparse0 + - libavahi-client3 + - libavahi-common-data + - libavahi-common3 + - libbind9-161 + - libbinutils + - libblkid1 + - libblockdev-crypto2 + - libblockdev-fs2 + - libblockdev-loop2 + - libblockdev-part-err2 + - libblockdev-part2 + - libblockdev-swap2 + - libblockdev-utils2 + - libblockdev2 + - libbluray2 + - libbrotli1 + - libbsd0 + - libbz2-1.0 + - libc-bin + - libc-dev-bin + - libc-l10n + - libc6 + - libc6-dev + - libcairo-gobject2 + - libcairo2 + - libcanberra-gtk3-0 + - libcanberra0 + - libcap-ng0 + - libcap2 + - libcap2-bin + - libcc1-0 + - libcolord2 + - libcom-err2 + - libcomerr2 + - libcrack2 + - libcroco3 + - libcryptsetup12 + - libcups2 + - libcurl4 + - libdatrie1 + - libdb5.3 + - libdbus-1-3 + 
- libdbus-glib-1-2 + - libdconf1 + - libdebconfclient0 + - libdevmapper1.02.1 + - libdns1104 + - libdouble-conversion1 + - libdpkg-perl + - libdrm-amdgpu1 + - libdrm-common + - libdrm-intel1 + - libdrm-nouveau2 + - libdrm-radeon1 + - libdrm2 + - libeatmydata1 + - libedit2 + - libefiboot1 + - libefivar1 + - libegl-mesa0 + - libegl1 + - libelf1 + - libenchant1c2a + - libepoxy0 + - libevdev2 + - libevent-2.1-6 + - libexif12 + - libexo-1-0 + - libexo-2-0 + - libexo-common + - libexo-helpers + - libexpat1 + - libext2fs2 + - libfaketime + - libfdisk1 + - libffi6 + - libfile-basedir-perl + - libfile-desktopentry-perl + - libfile-fnmatch-perl + - libfile-mimeinfo-perl + - libflac8 + - libfontconfig1 + - libfontenc1 + - libfreetype6 + - libfribidi0 + - libfstrm0 + - libfuse2 + - libgarcon-1-0 + - libgarcon-common + - libgbm1 + - libgc1c2 + - libgcc-8-dev + - libgcc1 + - libgck-1-0 + - libgcr-base-3-1 + - libgcrypt20 + - libgdbm-compat4 + - libgdbm6 + - libgdk-pixbuf2.0-0 + - libgdk-pixbuf2.0-common + - libgeoip1 + - libgirepository-1.0-1 + - libgl1 + - libgl1-mesa-dri + - libglapi-mesa + - libglib2.0-0 + - libglib2.0-bin + - libglib2.0-data + - libglvnd0 + - libglx-mesa0 + - libglx0 + - libgmp10 + - libgnustep-base1.26 + - libgnutls30 + - libgomp1 + - libgpg-error0 + - libgpgme11 + - libgpm2 + - libgraphite2-3 + - libgssapi-krb5-2 + - libgstreamer-gl1.0-0 + - libgstreamer-plugins-base1.0-0 + - libgstreamer1.0-0 + - libgtk-3-0 + - libgtk-3-common + - libgtk2.0-0 + - libgtk2.0-common + - libgtksourceview-3.0-1 + - libgtksourceview-3.0-common + - libgudev-1.0-0 + - libharfbuzz-icu0 + - libharfbuzz0b + - libhavege1 + - libhogweed4 + - libhunspell-1.7-0 + - libhyphen0 + - libice6 + - libicu63 + - libidn11 + - libidn2-0 + - libimobiledevice6 + - libindicator3-7 + - libinotifytools0 + - libinput-bin + - libinput10 + - libip4tc0 + - libip6tc0 + - libipc-system-simple-perl + - libiptc0 + - libirs161 + - libisc1100 + - libisccc161 + - libisccfg163 + - libisl19 + - libitm1 + - 
libjavascriptcoregtk-4.0-18 + - libjbig0 + - libjpeg62-turbo + - libjson-c3 + - libjson-glib-1.0-0 + - libjson-glib-1.0-common + - libk5crypto3 + - libkeybinder-3.0-0 + - libkeyutils1 + - libkf5windowsystem-data + - libkf5windowsystem5 + - libklibc + - libkmod2 + - libkrb5-3 + - libkrb5support0 + - libksba8 + - liblcms2-2 + - libldap-2.4-2 + - libldap-common + - liblightdm-gobject-1-0 + - libllvm7 + - liblmdb0 + - liblocale-gettext-perl + - liblsan0 + - libltdl7 + - liblwres161 + - liblxqt0 + - liblz4-1 + - liblzma5 + - liblzo2-2 + - libmagic-mgc + - libmagic1 + - libmnl0 + - libmount1 + - libmpc3 + - libmpdec2 + - libmpfr6 + - libmpx2 + - libmtdev1 + - libncurses6 + - libncursesw6 + - libnetfilter-conntrack3 + - libnettle6 + - libnfnetlink0 + - libnftnl11 + - libnghttp2-14 + - libnotify-bin + - libnotify4 + - libnpth0 + - libnspr4 + - libnss3 + - libobjc4 + - libogg0 + - libopenjp2-7 + - liborc-0.4-0 + - libp11-kit0 + - libpam-modules + - libpam-modules-bin + - libpam-runtime + - libpam-systemd + - libpam0g + - libpango-1.0-0 + - libpangocairo-1.0-0 + - libpangoft2-1.0-0 + - libpangoxft-1.0-0 + - libparted-fs-resize0 + - libparted2 + - libpcap0.8 + - libpci3 + - libpciaccess0 + - libpcre2-16-0 + - libpcre2-8-0 + - libpcre3 + - libperl5.28 + - libpipeline1 + - libpixman-1-0 + - libpkcs11-helper1 + - libplist3 + - libpng16-16 + - libpolkit-agent-1-0 + - libpolkit-backend-1-0 + - libpolkit-gobject-1-0 + - libpopt0 + - libprocps7 + - libprotobuf-c1 + - libproxy1v5 + - libpsl5 + - libpulse-mainloop-glib0 + - libpulse0 + - libpwquality-common + - libpwquality1 + - libpython-stdlib + - libpython2-stdlib + - libpython2.7 + - libpython2.7-minimal + - libpython2.7-stdlib + - libpython3-stdlib + - libpython3.7 + - libpython3.7-minimal + - libpython3.7-stdlib + - libqt5core5a + - libqt5dbus5 + - libqt5designer5 + - libqt5gui5 + - libqt5help5 + - libqt5network5 + - libqt5printsupport5 + - libqt5sql5 + - libqt5test5 + - libqt5widgets5 + - libqt5x11extras5 + - libqt5xdg3 + - 
libqt5xdgiconloader3 + - libqt5xml5 + - libquadmath0 + - libreadline7 + - librest-0.7-0 + - librsvg2-2 + - librsvg2-common + - librtmp1 + - libsasl2-2 + - libsasl2-modules-db + - libseccomp2 + - libsecret-1-0 + - libsecret-common + - libselinux1 + - libsemanage-common + - libsemanage1 + - libsensors-config + - libsensors5 + - libsepol1 + - libslang2 + - libsm6 + - libsmartcols1 + - libsndfile1 + - libsoup-gnome2.4-1 + - libsoup2.4-1 + - libsqlite3-0 + - libss2 + - libssh2-1 + - libssl1.1 + - libstartup-notification0 + - libstdc++6 + - libsysfs2 + - libsystemd0 + - libtasn1-6 + - libtdb1 + - libtext-iconv-perl + - libthai-data + - libthai0 + - libthunarx-3-0 + - libtiff5 + - libtinfo6 + - libtsan0 + - libubsan1 + - libuchardet0 + - libudev1 + - libudisks2-0 + - libunistring2 + - libunwind8 + - libupower-glib3 + - liburi-perl + - libusb-1.0-0 + - libusbmuxd4 + - libutempter0 + - libuuid1 + - libvolume-key1 + - libvorbis0a + - libvorbisenc2 + - libvorbisfile3 + - libvte-2.91-0 + - libvte-2.91-common + - libwacom-common + - libwacom2 + - libwavpack1 + - libwayland-client0 + - libwayland-cursor0 + - libwayland-egl1 + - libwayland-server0 + - libwebkit2gtk-4.0-37 + - libwebp6 + - libwebpdemux2 + - libwnck-3-0 + - libwnck-3-common + - libwnck-common + - libwnck22 + - libwoff1 + - libwrap0 + - libx11-6 + - libx11-data + - libx11-xcb1 + - libxatracker2 + - libxau6 + - libxaw7 + - libxcb-dri2-0 + - libxcb-dri3-0 + - libxcb-glx0 + - libxcb-icccm4 + - libxcb-image0 + - libxcb-keysyms1 + - libxcb-present0 + - libxcb-randr0 + - libxcb-render-util0 + - libxcb-render0 + - libxcb-shape0 + - libxcb-shm0 + - libxcb-sync1 + - libxcb-util0 + - libxcb-xfixes0 + - libxcb-xinerama0 + - libxcb-xkb1 + - libxcb1 + - libxcomposite1 + - libxcursor1 + - libxdamage1 + - libxdmcp6 + - libxext6 + - libxfce4panel-2.0-4 + - libxfce4ui-1-0 + - libxfce4ui-2-0 + - libxfce4ui-common + - libxfce4ui-utils + - libxfce4util-common + - libxfce4util7 + - libxfconf-0-2 + - libxfixes3 + - libxfont2 + - libxft2 
+ - libxi6 + - libxinerama1 + - libxkbcommon-x11-0 + - libxkbcommon0 + - libxkbfile1 + - libxklavier16 + - libxml2 + - libxmu6 + - libxmuu1 + - libxpm4 + - libxrandr2 + - libxrender1 + - libxres1 + - libxshmfence1 + - libxslt1.1 + - libxss1 + - libxt6 + - libxtables12 + - libxtst6 + - libxv1 + - libxxf86dga1 + - libxxf86vm1 + - libyaml-0-2 + - libzstd1 + - libzulucrypt-exe1.2.0 + - libzulucrypt-plugins + - libzulucrypt1.2.0 + - libzulucryptpluginmanager1.0.0 + +proxy_services: + # console-setup.sh Debian - in /usr/local/etc/local.d/Whonix-Lati.rc + - "{{ 'console-setup' if ansible_os_family in ['Debian'] else '' }}" + - bootlogd + - "{{ '{{BOX_HTTP_PROXY}}' if BOX_WHONIX_PROXY_HOST != '' else '' }}" +# FixMe: tie in with +# - "{{ 'polipo' if PRIV_TOR_TYPE == 'client' else ''}}" diff --git a/vars/Devuan.uris b/vars/Devuan.uris new file mode 100644 index 0000000..d729fe4 --- /dev/null +++ b/vars/Devuan.uris 
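Review bot: In `proxy_services` the entry `"{{ '{{BOX_HTTP_PROXY}}' if BOX_WHONIX_PROXY_HOST != '' else '' }}"` wraps the inner `{{BOX_HTTP_PROXY}}` in quotes inside the Jinja expression, so it is a string literal and is never expanded; the service list receives the literal text `{{BOX_HTTP_PROXY}}` as a service name. The fix is `- "{{ BOX_HTTP_PROXY if BOX_WHONIX_PROXY_HOST != '' else '' }}"`. Separately, `PROXY_GPG_KEYERVER_URL: hkps://` has no host here and in vars/Devuan5.yml, whereas vars/Gentoo2.yml gives `hkps://keys.gentoo.org`; unless the consumer appends a host (not visible here), key retrieval over this URL cannot succeed, and a comment naming the intended keyserver would clarify. `proxy_xfce_debs_inst` also lists `libip6tc0` and `libpcap0.8` twice; apt tolerates that, but deduplicating keeps the list reviewable.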
@@ -0,0 +1,110 @@ +Reading package lists... +Building dependency tree... +Reading state information... +apt is already the newest version (2.2.4+devuan1). +apt-utils is already the newest version (2.2.4+devuan1). +bootlogd is already the newest version (2.96-7+devuan1). +bzip2 is already the newest version (1.0.8-4). +ca-certificates is already the newest version (20210119). +cron is already the newest version (3.0pl1-137). +curl is already the newest version (7.74.0-1.3+b1). +dnsmasq-base is already the newest version (2.85-1). +file is already the newest version (1:5.39-3). +findutils is already the newest version (4.8.0-1). +gcc is already the newest version (4:10.2.1-1). +gcc set to manually installed. +gdisk is already the newest version (1.0.6-1.1). +gnupg is already the newest version (2.2.27-2). +gnupg-utils is already the newest version (2.2.27-2). +gnupg2 is already the newest version (2.2.27-2). +gpg is already the newest version (2.2.27-2). +gpg-agent is already the newest version (2.2.27-2). +gpg-wks-client is already the newest version (2.2.27-2). +gpg-wks-server is already the newest version (2.2.27-2). +grep is already the newest version (3.6-1). +groff-base is already the newest version (1.22.4-6). +hostname is already the newest version (3.23). +htop is already the newest version (3.0.5-7). +ifupdown is already the newest version (0.8.36). +init is already the newest version (1.60+devuan1). +init-system-helpers is already the newest version (1.60+devuan1). +install-info is already the newest version (6.7.0.dfsg.2-6). +iproute2 is already the newest version (5.10.0-4). +iptables is already the newest version (1.8.7-1). +iputils-ping is already the newest version (3:20210202-1). +iso-codes is already the newest version (4.6.0-1). +iw is already the newest version (5.9-3). +kbd is already the newest version (2.3.0-3). +keyboard-configuration is already the newest version (1.205). +klibc-utils is already the newest version (2.0.8-6.1). 
+less is already the newest version (551-2). +login is already the newest version (1:4.8.1-1). +lsb-base is already the newest version (11.1.0). +lsb-release is already the newest version (11.1.0). +lsof is already the newest version (4.93.2+dfsg-1.1). +lynx is already the newest version (2.9.0dev.6-3~deb11u1). +make is already the newest version (4.3-4.1). +man-db is already the newest version (2.9.4-2). +mg is already the newest version (20200723-1). +mount is already the newest version (2.36.1-8+devuan1). +nano is already the newest version (5.4-2). +ncurses-base is already the newest version (6.2+20201114-2). +ncurses-bin is already the newest version (6.2+20201114-2). +ncurses-term is already the newest version (6.2+20201114-2). +net-tools is already the newest version (1.60+git20181103.0eebece-1+devuan1). +netbase is already the newest version (6.3). +openssh-client is already the newest version (1:8.4p1-5). +openssl is already the newest version (1.1.1k-1+deb11u1). +parted is already the newest version (3.4-1). +passwd is already the newest version (1:4.8.1-1). +patch is already the newest version (2.7.6-7). +pciutils is already the newest version (1:3.7.0-5). +perl is already the newest version (5.32.1-4+deb11u2). +perl-base is already the newest version (5.32.1-4+deb11u2). +pinentry-curses is already the newest version (1.1.0-4). +policykit-1 is already the newest version (0.105-31+devuan1). +policykit-1-gnome is already the newest version (0.105-7). +procps is already the newest version (2:3.3.17-5+devuan1). +psmisc is already the newest version (23.4-2). +python3-pip is already the newest version (20.3.4-4). +python3-pkg-resources is already the newest version (52.0.0-4). +python3-setuptools is already the newest version (52.0.0-4). +python3-setuptools set to manually installed. +rsync is already the newest version (3.2.3-4+deb11u1). +sed is already the newest version (4.7-1). +sudo is already the newest version (1.9.5p2-3). 
+tar is already the newest version (1.34+dfsg-1). +traceroute is already the newest version (1:2.1.0-2+b1). +tzdata is already the newest version (2021a-1+deb11u1). +unzip is already the newest version (6.0-26). +upower is already the newest version (0.99.11-2). +util-linux is already the newest version (2.36.1-8+devuan1). +wget is already the newest version (1.21-1+b1). +whois is already the newest version (5.5.10). +wireless-tools is already the newest version (30~pre9-13.1). +xz-utils is already the newest version (5.2.5-2). +The following additional packages will be installed: + ethtool geoip-database hdparm libgeoip1 libhavege2 libinotifytools0 libjq1 + liblinear4 liblua5.3-0 libnet-netmask-perl libnetaddr-ip-perl libonig5 + libsocket6-perl libx86-1 lua-lpeg netcat-openbsd nmap-common + python3-distro-info python3-pathspec python3-software-properties + python3-yaml tor tor-geoipdb unattended-upgrades vbetool +Suggested packages: + resolvconf liblinear-tools liblinear-dev ndiff zenmap molly-guard + monkeysphere ssh-askpass ufw cpufrequtils radeontool mixmaster + torbrowser-launcher socat tor-arm apparmor-utils obfs4proxy bsd-mailx + needrestart +The following NEW packages will be installed: + apt-transport-https apt-transport-tor corkscrew dnsmasq ethtool geoip-bin + geoip-database haveged hdparm inotify-tools iotop jnettop jq libgeoip1 + libhavege2 libinotifytools0 libjq1 liblinear4 liblua5.3-0 + libnet-ifconfig-wrapper-perl libnet-netmask-perl libnetaddr-ip-perl libonig5 + libsocket6-perl libx86-1 lua-lpeg ncat netcat netcat-openbsd nmap + nmap-common nss-plugin-pem ntpdate openssh-server openssh-sftp-server + pm-utils policyrcd-script-zg2 powermgmt-base python3-argcomplete + python3-distro-info python3-pathspec python3-software-properties + python3-yaml software-properties-common strace tor tor-geoipdb torsocks + unattended-upgrades vbetool xsltproc yamllint zip +0 upgraded, 53 newly installed, 0 to remove and 0 not upgraded. 
+Need to get 0 B/17.3 MB of archives. +After this operation, 65.4 MB of additional disk space will be used. diff --git a/vars/Devuan5.yml b/vars/Devuan5.yml new file mode 100644 index 0000000..f9a1ff2 --- /dev/null +++ b/vars/Devuan5.yml 
@@ -0,0 +1,463 @@ +# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*- +--- + +PROXY_TIME_DAEMON: sdwdate +PROXY_GPG_KEYERVER_URL: hkps:// + +proxy_masked_services: + - apt-daily-upgrade + +# List of proxy packages to install. +proxy_debs_inst: +# Install packages to allow apt to use a repository over HTTPS: + - apt + - apt-transport-tor + - apt-utils + - apt-transport-https + - bootlogd + - ca-certificates + - debsums + - debsecan + - apt-listbugs + - dnsmasq + - ntpdate + - bzip2 + - corkscrew + - console-data + - cron + - curl + - less + - mg + - netcat + - ncat + - openssl + - passwd + - patch + - pciutils + - perl + - perl-base + - sudo + - unzip + - xsltproc + - zip + - openssh-client + - openssh-server + - openssh-sftp-server + - nmap + - wireless-tools + - software-properties-common + - lsof + - ifupdown + - iproute2 + - iptables + - iputils-ping + - htop + - iotop + - jnettop + - iw + - jq + - python3-argcomplete + - libnet-ifconfig-wrapper-perl +# I need this for Ubuntu even though it come in the bootstrap - 2 setuptools, 1 pip +# - pip + # for pip + - python3-pkg-resources + - python3-pip + - python3-setuptools +# - python3-wheel +# Install packages to allow apt to use a repository over HTTPS: + # niceities from testforge + - file + - findutils + - gcc + - gdisk + - gnupg + - gnupg-utils + - gnupg2 + - gpg + - gpg-agent + - gpg-wks-client + - gpg-wks-server + - grep + - groff-base + - haveged + - hostname + - init + - init-system-helpers + - inotify-tools + - install-info + - iso-codes + - kbd + - keyboard-configuration + - klibc-utils + - login + - lsb-base + - lsb-release + - lynx + - make + - man-db + - mount + - nano + - ncurses-base + - ncurses-bin + - ncurses-term + - net-tools + - netbase + - parted + - pinentry-curses + - pm-utils + - policykit-1 + - policykit-1-gnome + - policyrcd-script-zg2 + - powermgmt-base + - procps + - psmisc + - python-six + - rsync + - sed + - strace + - tar + - traceroute + - tzdata + - upower 
+ - util-linux + - wget + - xz-utils + - geoip-bin + - nss-plugin-pem + - torsocks + - whois + - yamllint + - python3-impacket + - python3-altgraph + +proxy_qemu_guest_debs_inst: + - qemu-guest-agent + +proxy_pips2_inst: [] + +proxy_pips3_inst: + - jq + +proxy_pips_reinstall: +# pip prerequisites +#? - distlib +#? - lockfile + - jq +# pip itself? NO +# + # whonix general + - acpi-support + - acpi-support-base + - acpid + - adduser + - busybox + - console-common + - console-data + - console-setup + - console-setup-linux + - coreutils + - cpio + +cntlm_pid_file: /var/run/cntlm/cntlm.pid + + +# BOX_OS_FLAVOR in ['WhonixGateway']}}" +proxy_gateway_debs_inst: [] + +# BOX_OS_FLAVOR in ['KickSecure', 'WhonixGateway', 'WhonixWorkstation'] +proxy_xfce_debs_inst: + - apt-transport-https + - libnetfilter-conntrack3 + - dnsmasq-base + - dnsmasq + - firmware-linux-free + - firmware-misc-nonfree + - firmware-amd-graphics + - firmware-linux-nonfree + - firmware-linux + - firmware-atheros + - firmware-iwlwifi +#linux-headers-5.8.0-0.bpo.2-amd64 +#linux-image-5.8.0-0.bpo.2-amd64 + - ntpdate + - corkscrew + - cron + - mg + # No package matching 'liblua5.3' is available + # - liblua5.3 + - netcat-traditional + - netcat + - ncat + - xsltproc + - openssh-client + - openssh-server + - openssh-sftp-server + - nmap-common + - libgfortran5 + - libblas3 + - libncurses-dev + - libreadline-dev + - nmap + - wireless-tools + - gir1.2-glib-2.0 + - gir1.2-packagekitglib-1.0 + - python3-dbus + - libgirepository-1.0 + - python3-gi + - python3-pycurl + - python3-software-properties + - software-properties-common + - ifupdown + - libpcap0.8 + - libnfnetlink0 + - libnftnl11 + - libiptc0 + - libnetfilter-conntrack3 + - iptables + - htop + - iotop + - libpcap0.8 + - jnettop + - python3-argcomplete + - libnet-ifconfig-wrapper-perl +# I need this for Ubuntu even though it come in the bootstrap - 2 setuptools, 1 pip +#pip +#! python-cryptography +#! python3-pkg-resources +#! apython3-pip +#! 
python3-setuptools +#! python3-wheel + - install-info + - lynx-common + - lynx + - ncurses-term + - rsync + - traceroute + - tzdata + - geoip-bin + - nss-plugin-pem + - torsocks + - whois +## non-qubes-whonix-gateway-xfce + - xauth +# kicksecure-desktop-applications-recommended : Depends: monero-gui + - libpackagekit-glib2-18 +# kicksecure-xfce-vm: kicksecure-cli-vm, kicksecure-xfce, kicksecure-network-conf-gui, non-qubes-audio, non-qubes-vm-enhancements-gui, kicksecure-desktop-applications-recommended + +## The following NEW packages will be installed: +## apt-transport-https corkscrew cron dnsmasq dnsmasq-base +## firmware-amd-graphics firmware-atheros firmware-iwlwifi firmware-linux +## firmware-linux-free firmware-linux-nonfree firmware-misc-nonfree geoip-bin +## gir1.2-glib-2.0 gir1.2-packagekitglib-1.0 htop ifupdown install-info iotop + +# No package matching 'liblua5.3' is available## # xiptables jnettop libblas3 libgfortran5 libgirepository-1.0-1 libip6tc0 +## libiptc0 libiw30 liblinear3 liblua5.3-0 liblua5.3-0-dbg liblua5.3-dev +## libncurses-dev libnet-ifconfig-wrapper-perl libnetfilter-conntrack3 +## libnfnetlink0 libnftnl11 libpackagekit-glib2-18 libpcap0.8 libreadline-dev +## lynx lynx-common mg ncat ncurses-term netcat netcat-traditional nmap +## nmap-common nss-plugin-pem ntpdate openssh-client openssh-server +## openssh-sftp-server polipo python3-argcomplete python3-dbus python3-gi +## python3-pycurl python3-software-properties rsync scurl +## software-properties-common torsocks traceroute whois wireless-tools xauth +## xsltproc + +# RAW complete overlap + + +whonix_gateway_debs: + - apparmor + - apparmor-utils + - arc-theme + - auditd + - basez + - bash + - bash-completion + - bc + - bind9-host + - binutils + - binutils-common + - binutils-x86-64-linux-gnu + - bsdmainutils + - bsdtar + - bsdutils + - bubblewrap + - cryptsetup + - cryptsetup-bin + - cryptsetup-initramfs + - cryptsetup-run + - dash + - dbus + - dbus-user-session + - 
dconf-gsettings-backend + - dconf-service + - debconf + - debsums + - desktop-file-utils + - dialog + - dictionaries-common + - diffutils + - dirmngr + - distro-info-data + - dkms + - dmidecode + - dmsetup + - dnsutils + - dpkg + - dpkg-dev + - e2fslibs + - e2fsprogs + - eatmydata + - elpa-auto-complete + - elpa-concurrent + - elpa-ctable + - elpa-deferred + - elpa-epc + - elpa-jedi + - elpa-jedi-core + - elpa-popup + - elpa-python-environment + - exo-utils + - faketime + - fdisk + - fontconfig + - fontconfig-config + - fonts-dejavu-core + - gettext-base + - gir1.2-atk-1.0 + - gir1.2-freedesktop + - gir1.2-gdkpixbuf-2.0 + - gir1.2-glib-2.0 + - gir1.2-gtk-3.0 + - gir1.2-pango-1.0 + - glib-networking + - glib-networking-common + - glib-networking-services + - gnome-brave-icon-theme + - gnome-colors-common + - gnome-icon-theme + - gnome-themes-extra + - gnome-themes-extra-data + - gnustep-base-common + - gnustep-base-runtime + - gnustep-common + - gpgconf + - gpgsm + - gpgv + - hicolor-icon-theme + - jitterentropy-rngd + - linux-headers-amd64 + - linux-image-amd64 + - live-boot + - live-boot-initramfs-tools + - live-tools + - locales + - mawk + - menu + - mime-support + - most + - mousepad + - nyx + - obfs4proxy + - onioncircuits + - openvpn + - os-prober + - p7zip + - p7zip-full + - pv + - pymacs + - pypy + - pypy-ipaddress + - pypy-lib + - pypy-pkg-resources + - pypy-setuptools + - pypy-stem + - python + - python-m2crypto + - python-minimal + - python-pip-whl + - python-pyasn1 + - python-six + - python-yaml + - python2 + - python2-minimal + - python2.7 + - python2.7-minimal + - python3 + - python3-apparmor + - python3-dateutil + - python3-distutils + - python3-gevent + - python3-gi + - python3-greenlet + - python3-ipy + - python3-jedi + - python3-lib2to3 + - python3-libapparmor + - python3-minimal + - python3-parso + - python3-pkg-resources + - python3-psutil + - python3-pycountry + - python3-pyqt5 + - python3-scapy + - python3-sdnotify + - python3-sip + - 
python3-six + - python3-socks + - python3-stem + - python3-virtualenv + - python3-yaml + - python3.7 + - readline-common + - secure-delete + - sensible-utils + - shared-mime-info + - sound-theme-freedesktop + - spectre-meltdown-checker + - spice-vdagent + - sysfsutils + - systemd + - systemd-sysv + - sysvinit-utils + - tor + - tor-geoipdb + - torsocks + - ucf + - udev + - udisks2 + - unar + - vanguards + - virt-what + - virtualenv + - vrms + # whonix + - wmctrl + - xxd + - zenity + - zenity-common + - zlib1g + - zsh + - zsh-common + - zulucrypt-cli + - zulupolkit + +proxy_libvirt_debs_inst: + - libvirt-daemon-system + - libvirt-clients + - libvirt-daemon + - usbutils + - usb.ids + - libvirt-doc + - virt-manager + - privoxy + +proxy_libs_debs: [] + +proxy_services: + # console-setup.sh Debian - in /usr/local/etc/local.d/Whonix-Lati.rc + - "{{ 'console-setup' if ansible_distribution in ['Ubuntu', 'Debian'] else '' }}" + - bootlogd + - "{{ 'privoxy' if BOX_WHONIX_PROXY_HOST != '' else '' }}" +# FixMe: tie in with +# - "{{ 'privoxy' if PRIV_TOR_TYPE == 'client' else ''}}" diff --git a/vars/Firefox.yml b/vars/Firefox.yml new file mode 100644 index 0000000..e97b327 --- /dev/null +++ b/vars/Firefox.yml 
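Review bot: `proxy_services` gates `console-setup` on `ansible_distribution in ['Ubuntu', 'Debian']`, but on a Devuan host Ansible reports the distribution as `Devuan` (as far as I know), so the entry this file exists for is always the empty string; vars/Debian11.yml uses `ansible_os_family in ['Debian']` for the same line, which would match Devuan too, so `- "{{ 'console-setup' if ansible_os_family == 'Debian' else '' }}"` keeps the two files consistent. The empty-string fallbacks in this list (`else ''`) mean whatever iterates `proxy_services` must skip empty names; a one-line comment above the list stating that contract would help. `PROXY_TIME_DAEMON: sdwdate` names a daemon that no install list in this file contains, and `whonix_gateway_debs` lists `systemd` and `systemd-sysv` on a distribution that ships without systemd; both may be intentional (base_role, or a list copied from Debian11.yml), but a comment saying so would stop the next reader from "fixing" them.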
@@ -0,0 +1,33 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+# careful - strings need doublequoting
+# now merged with src/ansible/roles/privacy/overlay/Linux/var/local/src/firefox_prefs.bash
+proxy_firefox_userprefs:
+ - { name: "extensions.torbutton.socks_host", val: "'127.0.0.1'", invalid: [] }
+ - { name: "extensions.torbutton.socks_port", val: 9150, invalid: [] }
+#? - { name: "extensions.torbutton.startup", val: true, invalid: [] }
+#? - { name: "extensions.torbutton.use_privoxy", val: true, invalid: [] }
+
+ #user_pref("extensions.torlauncher.control_port", {{PRIV_TOR_CONTROLPORT}} );
+ #user_pref("extensions.torlauncher.default_bridge_type", '""');
+ #user_pref("extensions.torlauncher.loglevel", 2);
+ #user_pref("extensions.torlauncher.logmethod", 0);
+ #user_pref("extensions.torlauncher.prompt_at_startup", false);
+ - { name: "extensions.torlauncher.start_tor", val: false, invalid: [] }
+
+ - { name: "extensions.torbutton.socks_host", '127.0.0.1', invalid: [] }
+ - { name: "extensions.torbutton.socks_port", 9050, invalid: [] }
+ - { name: "extensions.torlauncher.socks_port_flags", "PreferIPv4", invalid: [] }
+ - { name: "extensions.torlauncher.start_tor", false, invalid: [] }
+
+ - { name: "network.proxy.http", val: "'127.0.0.1'", invalid: [] }
+ - { name: "network.proxy.http_port", val: 3128, invalid: [] }
+ - { name: "network.proxy.no_proxies_on", val: "127.0.0.1,localhost", invalid: [] }
+ - { name: "network.proxy.socks", val: "'127.0.0.1'", invalid: [] }
+ - { name: "network.proxy.socks_port", val: 9050, invalid: [] }
+ - { name: "network.proxy.socks_remote_dns", true, invalid: [] }
+ - { name: "network.proxy.socks_version", val: 5, invalid: [] }
+ - { name: "network.proxy.ssl", val: "'127.0.0.1'", invalid: [] }
+ - { name: "network.proxy.ssl_port", val: 9128, invalid: [] }
+ - { name: "network.proxy.type", val: 1, invalid: [] }
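Review bot: Five entries in proxy_firefox_userprefs omit the `val:` key (the second `extensions.torbutton.socks_host` and `socks_port`, `extensions.torlauncher.socks_port_flags`, the second `extensions.torlauncher.start_tor`, and `network.proxy.socks_remote_dns`); inside a YAML flow mapping a bare scalar becomes a key with a null value, so a consumer that reads `item.val` (not visible here) gets nothing for them. The `network.proxy.socks_remote_dns` entry is the one that keeps name resolution inside the SOCKS tunnel, so if it is never written Firefox resolves names locally and the proxy setup leaks DNS; it should read `- { name: "network.proxy.socks_remote_dns", val: true, invalid: [] }`, and the other four need the same `val:` fix. The list also defines `extensions.torbutton.socks_host`/`socks_port` twice with different ports (9150, then 9050) and `extensions.torlauncher.start_tor` twice; either drop one pair or add a comment saying which definition is meant to win.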
diff --git a/vars/Gentoo2.yml b/vars/Gentoo2.yml
new file mode 100755
index 0000000..02fa8ee
--- /dev/null
+++ b/vars/Gentoo2.yml
@@ -0,0 +1,73 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+PROXY_TIME_DAEMON: sdwdate
+PROXY_GPG_KEYERVER_URL: hkps://keys.gentoo.org
+
+# dont put stage3 elts in here
+# these are really bootstrap packages
+proxy_pkgs_bootstrap:
+ - app-admin/sudo
+ - sys-boot/grub:2
+ - sys-boot/syslinux
+ - app-editors/mg
+ - qemu-guest-agent
+ - sys-apps/gptfdisk
+ - net-analyzer/openbsd-netcat
+ - app-admin/logrotate
+ - media-fonts/terminus-font
+ - net-misc/curl
+ - app-arch/unzip
+ - net-libs/pacparser
+ - sys-process/lsof
+ - dev-util/strace
+ - app-portage/eix
+ - sys-libs/gpm
+ - linux-firmware
+ - net-dns/bind-tools
+ - net-misc/socat
+
+proxy_pkgs_inst:
+# move these to testforge - epecially gnupg for static
+ - net-proxy/privoxy
+ - net-analyzer/nmap
+
+proxy_pkgs_inst_guest: []
+
+proxy_funtoo_pkgs_inst: []
+
+proxy_pips2_inst: []
+
+proxy_pips3_inst: []
+
+proxy_pips_reinstall:
+# pip prerequisites
+ - setuptools
+ - appdirs
+ - ipaddress
+ - six
+# - cachecontrol
+ - pyparsing
+ - colorama
+#? - distlib
+ - html5lib
+#? - lockfile
+ - packaging
+ - requests
+ - webencodings
+# pip itself? NO
+# - pip
+ - cryptography==1.9
+
+
+cntlm_pid_file: /var/run/cntlm.pid
+
+
+proxy_services:
+ # console-setup.sh Debian - in /usr/local/etc/local.d/Whonix-Lati.rc
+ - "{{ 'consolefont' if ansible_distribution == 'Gentoo' else '' }}"
+ - "{{ 'console-setup' if ansible_distribution in ['Ubuntu', 'Debian'] else '' }}"
+ - bootlogd
+ - "{{ 'polipo' if BOX_WHONIX_PROXY_HOST != '' else '' }}"
+# FixMe: tie in with
+# - "{{ 'polipo' if PRIV_TOR_TYPE == 'client' else ''}}"
diff --git a/vars/Msys8.yml b/vars/Msys8.yml
new file mode 100755
index 0000000..0326eb1
--- /dev/null
+++ b/vars/Msys8.yml
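Review bot: `cryptography==1.9` in proxy_pips_reinstall pins the TLS/crypto library to an old release, while the Msys8 and Ubuntu18 lists in this same commit leave `cryptography` unpinned; because this is a reinstall list, every run of the role would re-downgrade whatever newer version the host has, which freezes out upstream security fixes. If the pin works around a specific build problem, say so next to it (`# pinned to 1.9: <reason> -- TODO revisit`); otherwise drop the `==1.9` so the entry matches the other platform files.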
@@ -0,0 +1,322 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+PROXY_TIME_DAEMON: ""
+PROXY_GPG_KEYERVER_URL: hkp://
+
+proxy_masked_services: []
+
+# List of proxy packages to install.
+proxy_pacs_inst:
+ # for pip
+ - aspell
+ - aspell6-en
+ - bash
+ - bash-completion
+ - binutils
+ - brotli
+ - bsdcpio
+ - bsdtar
+ - bzip2
+ - ca-certificates
+ - coreutils
+ - ctags
+ - curl
+ - dash
+ - db
+ - dialog
+ - diffutils
+ - dos2unix
+ - doxygen
+ - dtc
+ - elinks-git
+ - emacs
+ - file
+ - filesystem
+ - findutils
+ - flex
+ - gamin
+ - gawk
+ - gcc
+ - gcc-libs
+ - gdbm
+ - getent
+ - gettext
+ - glib2
+ - gmp
+ - gnu-netcat
+ - gnupg
+ - grep
+ - gzip
+ - heimdal
+ - heimdal-libs
+ - icu
+ - inetutils
+ - info
+ - isl
+ - jansson
+ - less
+ - libarchive
+ - libargp
+ - libasprintf
+ - libassuan
+ - libatomic_ops
+ - libbz2
+ - libcrypt
+ - libcurl
+ - libdb
+ - libedit
+ - libevent
+ - libexpat
+ - libffi
+ - libgc
+ - libgcrypt
+ - libgdbm
+ - libgettextpo
+ - libgnutls
+ - libgpg-error
+ - libgpgme
+ - libhogweed
+ - libiconv
+ - libidn
+ - libidn2
+ - libintl
+ - libksba
+ - liblz4
+ - liblzma
+ - liblzo2
+ - libmetalink
+ - libnettle
+ - libnghttp2
+ - libnpth
+ - libopenssl
+ - libp11-kit
+ - libpcre
+ - libpcre16
+ - libpcre2_8
+ - libpcre32
+ - libpcrecpp
+ - libpcreposix
+ - libpsl
+ - libreadline
+ - libsqlite
+ - libssh2
+ - libtasn1
+ - libtre-git
+ - libunistring
+ - libutil-linux
+ - libxml2
+ - libxslt
+ - libzstd
+ - lndir
+ - m4
+ - make
+ - meson
+ - mingw-w64-i686-ctags
+ - mingw-w64-i686-gcc-libs
+ - mingw-w64-i686-gmp
+ - mingw-w64-i686-libwinpthread-git
+ - mingw-w64-i686-mpc
+ - mingw-w64-i686-mpfr
+ - mingw-w64-x86_64-adns
+ - mingw-w64-x86_64-aspell
+ - mingw-w64-x86_64-aspell-en
+ - mingw-w64-x86_64-brotli
+ - mingw-w64-x86_64-bzip2
+ - mingw-w64-x86_64-c-ares
+ - mingw-w64-x86_64-ca-certificates
+ - mingw-w64-x86_64-curl
+ - mingw-w64-x86_64-expat
+ - mingw-w64-x86_64-gcc-libs
+ - mingw-w64-x86_64-gettext
+ - mingw-w64-x86_64-glib2
+ - mingw-w64-x86_64-gmp
+ - mingw-w64-x86_64-gnupg
+ - mingw-w64-x86_64-gnutls
+ - mingw-w64-x86_64-gpgme
+ - mingw-w64-x86_64-jansson
+ - mingw-w64-x86_64-jemalloc
+ - mingw-w64-x86_64-libassuan
+ - mingw-w64-x86_64-libffi
+ - mingw-w64-x86_64-libgcrypt
+ - mingw-w64-x86_64-libgpg-error
+ - mingw-w64-x86_64-libiconv
+ - mingw-w64-x86_64-libidn2
+ - mingw-w64-x86_64-libksba
+ - mingw-w64-x86_64-libmetalink
+ - mingw-w64-x86_64-libpsl
+ - mingw-w64-x86_64-libssh2
+ - mingw-w64-x86_64-libsystre
+ - mingw-w64-x86_64-libtasn1
+ - mingw-w64-x86_64-libtre-git
+ - mingw-w64-x86_64-libunistring
+ - mingw-w64-x86_64-libusb
+ - mingw-w64-x86_64-libusb-compat-git
+ - mingw-w64-x86_64-libwinpthread-git
+ - mingw-w64-x86_64-meson
+ - mingw-w64-x86_64-mpc
+ - mingw-w64-x86_64-mpdecimal
+ - mingw-w64-x86_64-mpfr
+ - mingw-w64-x86_64-ncurses
+ - mingw-w64-x86_64-nettle
+ - mingw-w64-x86_64-nghttp2
+ - mingw-w64-x86_64-ninja
+ - mingw-w64-x86_64-npth
+ - mingw-w64-x86_64-openssl
+ - mingw-w64-x86_64-p11-kit
+ - mingw-w64-x86_64-pcre
+ - mingw-w64-x86_64-putty
+ - mingw-w64-x86_64-putty-ssh
+ - mingw-w64-x86_64-python
+ - mingw-w64-x86_64-python-appdirs
+ - mingw-w64-x86_64-python-attrs
+ - mingw-w64-x86_64-python-ordered-set
+ - mingw-w64-x86_64-python-packaging
+ - mingw-w64-x86_64-python-pyparsing
+ - mingw-w64-x86_64-python-setuptools
+ - mingw-w64-x86_64-python-six
+ - mingw-w64-x86_64-readline
+ - mingw-w64-x86_64-sqlite3
+ - mingw-w64-x86_64-tcl
+ - mingw-w64-x86_64-termcap
+ - mingw-w64-x86_64-tk
+ - mingw-w64-x86_64-wineditline
+ - mingw-w64-x86_64-xz
+ - mingw-w64-x86_64-zlib
+ - mingw-w64-x86_64-zstd
+ - mintty
+ - mpc
+ - mpdecimal
+ - mpfr
+ - msys2-keyring
+ - msys2-launcher-git
+ - msys2-runtime
+ - msys2-runtime-devel
+ - msys2-w32api-headers
+ - msys2-w32api-runtime
+ - ncurses
+ - nettle
+ - ninja
+ - openssh
+ - openssl
+ - p11-kit
+ - pacman
+ - pacman-mirrors
+ - pactoys-git
+ - pass
+ - patch
+ - pax-git
+ - pcre
+ - perl
+ - perl-Module-Build
+ - perl-Test-Pod
+ - perl-YAML-Syck
+ - perl-inc-latest
+ - pinentry
+ - pkgfile
+ - psmisc
+ - python
+ - python-configobj
+ - python2
+ - python2-appdirs
+ - python2-attrs
+ - python2-packaging
+ - python2-pip
+ - python2-pyparsing
+ - python2-setuptools
+ - python2-six
+ - python3-appdirs
+ - python3-attrs
+ - python3-packaging
+ - python3-pip
+ - python3-pyparsing
+ - python3-setuptools
+ - python3-six
+ - rebase
+ - rsync
+ - sed
+ - tar
+ - tcl
+ - texinfo
+ - tftp-hpa
+ - time
+ - tmux
+ - tree
+ - ttyrec
+ - tzcode
+ - u-boot-tools
+ - unrar
+ - unzip
+ - util-linux
+ - w3m
+ - wget
+ - which
+ - whois
+ - windows-default-manifest
+ - xmlto
+ - xz
+ - zip
+ - zlib
+ - zstd
+
+proxy_qemu_guest_pacs_inst: [] #?
+
+proxy_pips2_inst:
+ - jq
+
+proxy_pips3_inst: []
+
+proxy_pips_reinstall:
+# pip prerequisites
+ - setuptools
+ - appdirs
+ - ipaddress
+ - six
+ - cachecontrol
+ - pyparsing
+ - colorama
+#? - distlib
+ - html5lib
+#? - lockfile
+ - packaging
+ - requests
+ - webencodings
+ - jq
+# pip itself? NO
+ - cryptography
+#
+ - pyOpenSSL
+ - paramiko
+ - Jinja2
+ - pyasn1
+ - bcrypt
+ - PyNaCl
+ - cffi
+ - idna
+ - asn1crypto
+ # whonix general
+ - acpi-support
+ - acpi-support-base
+ - acpid
+ - adduser
+ - busybox
+ - console-common
+ - console-data
+ - console-setup
+ - console-setup-linux
+ - coreutils
+ - cpio
+
+cntlm_pid_file: ""
+
+# BOX_OS_FLAVOR in ['WhonixGateway']}}"
+proxy_gateway_pacs_inst: []
+
+# BOX_OS_FLAVOR in ['KickSecure', 'WhonixGateway', 'WhonixWorkstation']
+proxy_xfce_pacs_inst: []
+
+proxy_whonix_gateway_pacs: []
+
+proxy_libvirt_pacs_inst: []
+
+proxy_libs_pacs: []
diff --git a/vars/Ubuntu18.yml b/vars/Ubuntu18.yml
new file mode 100755
index 0000000..94243b1
--- /dev/null
+++ b/vars/Ubuntu18.yml
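Review bot: The tail of proxy_pips_reinstall after `# whonix general` (acpi-support, acpi-support-base, acpid, adduser, busybox, console-common, console-data, console-setup, console-setup-linux, coreutils, cpio) is a block of Debian package names pasted into a pip list; pip would either fail on them or, where a PyPI project happens to carry the same name, install an unrelated project into the proxy host's Python, which is a supply-chain hazard in a list that is re-run on every play. Those eleven lines belong in a pacman/apt list or should be deleted from this file. Separately, `PROXY_GPG_KEYERVER_URL: hkp://` has no hostname and names the plaintext hkp transport, whereas Gentoo2.yml uses `hkps://keys.gentoo.org`; if key fetching is not wanted on Msys the value should be `""` with a comment, and if it is wanted it should be an `hkps://` URL with a host.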
@@ -0,0 +1,83 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+PROXY_TIME_DAEMON: ntp
+
+HARDEN_FIREJAIL_VERSION: "0.9.58"
+
+# List of proxy packages to install.
+proxy_debs_inst:
+ - python-dev
+ - libffi-dev
+ - libssl-dev
+ - libcurl4-openssl-dev
+ - ca-certificates
+ - curl
+ - less
+ - sudo
+ - unzip
+ - zip
+ - cron
+ - xsltproc
+ - corkscrew
+ - openssl
+ - mg
+ - polipo
+# I need this for Ubuntu even though it come in the bootstrap - 2 setuptools, 1 pip
+# - pip
+ # for pip
+ - python-cryptography
+# - python-pip
+# - python-pip-whl
+ - python-pkg-resources
+ - python-setuptools
+# - python-wheel
+# - python3-pip
+ - python3-setuptools
+# - python3-wheel
+# Install packages to allow apt to use a repository over HTTPS:
+ - apt-transport-https
+
+# these may be unuseable before testforge role installs pip
+proxy_pips2_inst: []
+
+proxy_pips3_inst: []
+
+proxy_pips_reinstall:
+# pip prerequisites
+ - setuptools
+ - appdirs
+ - ipaddress
+ - six
+ - cachecontrol
+ - pyparsing
+ - colorama
+#? - distlib
+ - html5lib
+#? - lockfile
+ - packaging
+ - requests
+ - webencodings
+# pip itself? NO
+ - cryptography
+#
+ - pyOpenSSL
+ - paramiko
+ - Jinja2
+ - pyasn1
+ - bcrypt
+ - PyNaCl
+ - cffi
+ - idna
+ - asn1crypto
+
+cntlm_pid_file: /var/run/cntlm/cntlm.pid
+
+proxy_services:
+ # console-setup.sh Debian - in /usr/local/etc/local.d/Whonix-Lati.rc
+ - "{{ 'consolefont' if ansible_distribution == 'Gentoo' else '' }}"
+ - "{{ 'console-setup' if ansible_distribution in ['Ubuntu', 'Debian'] else '' }}"
+ - bootlogd
+ - "{{ 'polipo' if BOX_WHONIX_PROXY_HOST != '' else '' }}"
+# FixMe: tie in with
+# - "{{ 'polipo' if PRIV_TOR_TYPE == 'client' else ''}}"
diff --git a/vars/Unix.yml b/vars/Unix.yml
new file mode 100755
index 0000000..9b5e56f
--- /dev/null
+++ b/vars/Unix.yml
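Review bot: proxy_services is copied from the Gentoo file, so in a vars file that is only ever loaded on Ubuntu18 the `consolefont` entry always renders to `''`, and the `polipo` entry does too whenever BOX_WHONIX_PROXY_HOST is empty; unless the task that iterates this list skips empty names (not visible in this commit), a service task receives an empty service name. Drop the Gentoo line and keep `- "{{ 'console-setup' if ansible_distribution in ['Ubuntu', 'Debian'] else '' }}"`, or better, make the list contain only names and move the conditions into the task's `when:`. `HARDEN_FIREJAIL_VERSION: "0.9.58"` is a harden-role variable pinning a setuid-root sandbox in the proxy role's vars; a pin like this tends to outlive the fixes in later releases, so it deserves a comment on why this version and which role actually consumes it.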
@@ -0,0 +1,8 @@
+# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
+---
+
+# no notion of LOG_DIR - its before testforge so user /var/log or /var/tmp
+
+# no - conflicts with harden
+# - sshd
+proxy_gpg_keys_system: []