Added initscripts/, NM dispatcher script, ferm configs, launchers

NetworkManager/60-yokai-launcher.sh

@@ -0,0 +1,45 @@
+#! /bin/sh
+
+set -e
+
+killtree() {
+   local _pid=$1
+   local _sig=${2:--KILL}
+   for _child in $(ps -o pid --no-headers --ppid ${_pid}); do
+      killtree ${_child} ${_sig}
+   done
+
+   kill -9 ${_pid}
+}
+
+# Get LIVE_USERNAME
+. /etc/live/config.d/username.conf
+
+# Get LANG
+. /etc/default/locale
+
+export LANG
+export DISPLAY=':0.0'
+export XAUTHORITY="`echo /var/run/gdm3/auth-for-${LIVE_USERNAME}-*/database`"
+
+LOCKFILE=/var/lock/yokai-launcher.lock
+
+# Run only when the interface is not "lo":
+if [ "${1}" = "lo" ]; then
+   exit 0
+fi
+
+if [ "${2}" = "up" ]; then
+	(
+	sudo -u ${LIVE_USERNAME} lckdo $LOCKFILE yokai-launcher -DISPLAY=${DISPLAY}
+	) &
+elif [ "${2}" = "down" ]; then
+   for i in $(seq 10); do
+      PPID=`pgrep "^yokai-launcher$"`
+      killtree $PPID
+      sleep 1
+      if ! pgrep "^yokai-launcher$"; then
+         break
+      fi
+   done
+fi

environment.clean

@@ -0,0 +1,18 @@
+#http_proxy=http://127.0.0.1:8118
+#HTTP_PROXY=http://127.0.0.1:8118
+#https_proxy=http://127.0.0.1:8118
+#HTTPS_PROXY=http://127.0.0.1:8118
+#SOCKS_SERVER=127.0.0.1:9050
+#SOCKS5_SERVER=127.0.0.1:9050
+
+# Allow Torbutton access to the control port filter (for new identity).
+# Setting a password is required, otherwise Torbutton attempts to
+# read the authentication cookie file instead, which fails.
+#TOR_CONTROL_HOST='127.0.0.1'
+#TOR_CONTROL_PORT='9052'
+#TOR_CONTROL_PASSWD='passwd'
+
+#GIT_PROXY_COMMAND=/usr/local/bin/connect-socks
+
+# Port that the monkeysphere validation agent listens on
+MSVA_PORT='6136'

ferm-clear.conf

@@ -0,0 +1,52 @@
+# -*- mode: conf[space] -*-
+#
+#  Configuration file for ferm(1).
+#
+
+# IPv4
+domain ip {
+    table filter {
+        chain INPUT {
+            policy ACCEPT;
+        }
+
+        chain OUTPUT {
+            policy ACCEPT;
+        }
+
+        chain FORWARD {
+            policy ACCEPT;
+        }
+    }
+
+    table nat {
+        chain PREROUTING {
+            policy ACCEPT;
+        }
+
+        chain POSTROUTING {
+            policy ACCEPT;
+        }
+
+        chain OUTPUT {
+            policy ACCEPT;
+        }
+    }
+}
+
+# IPv6:
+domain ip6 {
+    table filter {
+        chain INPUT {
+            policy ACCEPT;
+        }
+
+        chain FORWARD {
+            policy ACCEPT;
+        }
+
+        chain OUTPUT {
+            policy ACCEPT;
+        }
+    }
+}

ferm-offline.conf

@@ -0,0 +1,52 @@
+# -*- mode: conf[space] -*-
+#
+#  Configuration file for ferm(1).
+#
+
+# IPv4
+domain ip {
+    table filter {
+        chain INPUT {
+            policy DROP;
+        }
+
+        chain OUTPUT {
+            policy DROP;
+        }
+
+        chain FORWARD {
+            policy DROP;
+        }
+    }
+
+    table nat {
+        chain PREROUTING {
+            policy DROP;
+        }
+
+        chain POSTROUTING {
+            policy DROP;
+        }
+
+        chain OUTPUT {
+            policy DROP;
+        }
+    }
+}
+
+# IPv6:
+domain ip6 {
+    table filter {
+        chain INPUT {
+            policy DROP;
+        }
+
+        chain FORWARD {
+            policy DROP;
+        }
+
+        chain OUTPUT {
+            policy DROP;
+        }
+    }
+}

initscripts/longkeyword

@@ -0,0 +1,40 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          longkeyword
+# Required-Start:    $remote_fs
+# Required-Stop:     $remote_fs
+# Default-Start:     5
+# Default-Stop:      0 1 2 3 4 6
+# X-Start-Before:    untorify
+# Short-Description: Check for the long keyword in
+### END INIT INFO
+#
+# Author:	czesiek
+#
+
+set -e
+
+NAME=longkeyword
+DESC=longkeyword
+
+case "$1" in
+  start)
+	echo -n "Starting $DESC: "
+	if grep -q iwillnotbuythisrecorditisscratched /proc/cmdline
+	then
+		echo "Direct connection keyword found, doing nothing."
+	else
+		echo "No keyword for direct connection found, restarting..."
+		sleep 2
+		shutdown -h now
+	fi
+	echo "Done"
+	;;
+  *)
+	N=/etc/init.d/$NAME
+	echo "Usage: $N {start}" >&2
+	exit 1
+	;;
+esac
+
+exit 0

initscripts/unfermify

@@ -0,0 +1,36 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          unfermify
+# Required-Start:    $remote_fs
+# Required-Stop:     $remote_fs
+# Default-Start:     3 4 5
+# Default-Stop:      0 1 2 6
+# X-Start-Before:    ferm
+# Short-Description: Clear iptables modifications made by ferm's default ruleset
+### END INIT INFO
+#
+# Author:	czesiek
+#
+
+set -e
+
+NAME=unfermify
+DESC=unfermify
+
+case "$1" in
+  start)
+	echo -n "Starting $DESC: "
+
+	# replace Tails' ferm config with ours
+	mv /etc/ferm/ferm-clear.conf /etc/ferm/ferm.conf
+
+	echo "Done"
+	;;
+  *)
+	N=/etc/init.d/$NAME
+	echo "Usage: $N {start}" >&2
+	exit 1
+	;;
+esac
+
+exit 0

initscripts/untorify

@@ -0,0 +1,80 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          untorify
+# Required-Start:    $remote_fs
+# Required-Stop:     $remote_fs
+# Default-Start:     3 4 5
+# Default-Stop:      0 1 2 6
+# X-Start-After:     resolvconf
+# Short-Description: Clear proxy modifications done by Tails to enable VPN/SSH capabilities or direct connection.
+### END INIT INFO
+#
+# Author:	czesiek
+#
+
+set -e
+
+NAME=untorify
+DESC=untorify
+
+case "$1" in
+  start)
+	echo -n "Starting $DESC: "
+
+	# delete apt's proxy config
+	rm -rf /etc/apt/apt.conf.d/0000runtime-proxy
+
+	# overwrite /etc/environment with out modified one
+	cp /etc/environment.clean /etc/environment
+
+	# delete Iceweasel's wrapper script
+	#rm -rf /usr/local/bin/iceweasel
+	rm -rf /usr/local/bin/tor-browser  # XXX: Not tested
+
+	# FIXME
+	## switch Iceweasel's default profile for Debian's clean one
+	#mv /etc/iceweasel/profile /etc/iceweasel/profile.tails
+	#mv /etc/iceweasel/profile.clean /etc/iceweasel/profile
+
+	# move the default ~/.mozilla
+	# live-config starts before us
+	mv /etc/skel/.mozilla /etc/skel/.mozilla.tails
+	# so we need this
+	rm -rf /home/amnesia/.mozilla
+
+	# FIXME
+	## TODO: /opt/yokai cleanup
+	#FILE=/usr/lib/iceweasel/browser/defaults/preferences/000-tor-browser.js
+	#sed -r -i '/^(user_|)pref\("network\.proxy\..*",/d' ${FILE}
+   	#echo 'user_pref("network.proxy.type", 0);' >> ${FILE}
+   	#echo 'user_pref("network.proxy.socks_remote_dns", false);' >> ${FILE}
+	#
+	#FILE=/usr/lib/iceweasel/browser/defaults/syspref/000-tor-browser.js
+	#sed -r -i '/^(user_|)pref\("network\.proxy\..*",/d' ${FILE}
+   	#echo 'user_pref("network.proxy.type", 0);' >> ${FILE}
+   	#echo 'user_pref("network.proxy.socks_remote_dns", false);' >> ${FILE}
+
+	# resolvconf
+	echo '' > /etc/resolvconf/resolv.conf.d/base
+	echo -e 'tun*\n*' > /etc/resolvconf/interface-order
+
+	# delete NetworkManager dispatcher scripts
+	rm /etc/NetworkManager/dispatcher.d/10-tor.sh
+	rm /etc/NetworkManager/dispatcher.d/20-time.sh
+	rm /etc/NetworkManager/dispatcher.d/60-tor-ready-notification.sh
+	rm /etc/NetworkManager/dispatcher.d/60-ttdnsd.sh
+	rm /etc/NetworkManager/dispatcher.d/60-vidalia.sh
+
+	# ssh client
+	rm /etc/ssh/ssh_config
+
+	echo "Done"
+	;;
+  *)
+	N=/etc/init.d/$NAME
+	echo "Usage: $N {start}" >&2
+	exit 1
+	;;
+esac
+
+exit 0

yokai-launcher

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q 'quiet 3' /proc/cmdline; then
+	sudo /usr/local/bin/yokai-openvpn-launcher
+elif grep -q 'quiet 4' /proc/cmdline; then
+	sudo /usr/local/bin/yokai-sshuttle-launcher
+fi

yokai-launcher-nosudo

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q 'quiet 3' /proc/cmdline; then
+	/usr/local/bin/yokai-openvpn-launcher
+elif grep -q 'quiet 4' /proc/cmdline; then
+	/usr/local/bin/yokai-sshuttle-launcher
+fi

yokai-openvpn-launcher

@@ -0,0 +1,91 @@
+#!/bin/bash
+SCRIPT=$0
+
+function run_yokai_openvpn() {
+    openvpn --up '/usr/bin/zenity --notification --text "OpenVPN connection established and running."' --down '/usr/bin/zenity --notification --text "OpenVPN connection closed!"' --config /etc/openvpn/client.conf
+
+    zenity --question --text 'OpenVPN client process exited, do you want to reconnect?'
+    if [ "$?" -ne 0 ]; then
+        exit 0
+    fi
+    
+    # user said "yes", get on with it (again)
+    $SCRIPT
+}
+
+# CA file selection
+while true; do
+	echo 'Asking for CA file.'
+	CA_CERT=`zenity --file-selection --title="Select an OpenVPN CA certificate"`
+
+	case $? in
+		0)
+			echo "CA file \"$CA_CERT\" selected."
+			break
+			;;
+		1)
+			echo 'User cancelled while selecting CA file'
+			zenity --warning --text 'Please select a CA certificate file.'
+			;;
+		-1)
+			echo 'An error occured during CA certificate file selection.'
+			zenity --error --text 'An unexpected error has occured during CA certificate file selection.'
+			exit 1
+			;;
+	esac
+done
+
+# copy CA file to a place specified in /etc/openvpn/client.conf
+cp $CA_CERT /etc/openvpn/ca.crt
+
+
+# hostname, port number, credentials
+HOST_NAME=`zenity --entry --title 'Enter hostname' --text 'Please enter OpenVPN server hostname'`
+HOST_PORT=`zenity --entry --title 'Enter port number' --text 'Please enter OpenVPN server port number'`
+CRED_USER=`zenity --entry --title 'Enter username' --text 'Please enter your OpenVPN username'`
+CRED_PASS=`zenity --entry --hide-text --title 'Enter password' --text 'Please enter your OpenVPN password'`
+
+#ENTRY=`zenity --password --username`
+#CRED_USER=`echo $ENTRY | cut -d'|' -f1`
+#CRED_PASS=`echo $ENTRY | cut -d'|' -f2`
+
+# Note: Replaced by the above because of old Zenity version in Tails
+#while true; do
+#	ENTRY=`zenity --forms --title 'OpenVPN server details' --text 'Please enter OpenVPN server details.' --add-entry 'Hostname' --add-entry 'Port' --add-entry 'Username' --add-password 'Password'`
+#	case $? in
+#		0)
+#			HOST_NAME=`echo $ENTRY | cut -d'|' -f1`
+#			HOST_PORT=`echo $ENTRY | cut -d'|' -f2`
+#			CRED_USER=`echo $ENTRY | cut -d'|' -f3`
+#			CRED_PASS=`echo $ENTRY | cut -d'|' -f4`
+#			# TODO: simple validity checks (port number, empty strings)
+#			break
+#			;;
+#		1)
+#			echo 'User cancelled while entering OpenVPN server data'
+#			zenity --warning --text='You must enter OpenVPN server credentials in order to connect to the Net.'
+#			;;
+#		-1)
+#			echo 'An error occured during credentials input.'
+#			zenity --error --text 'An unexpected error has occured during credentials input.'
+#			exit 1
+#			;;
+#	esac
+#done
+
+# replace 'remote' line in /etc/openvpn/client.conf
+echo "== remote $HOST_NAME $HOST_PORT"
+sed -i "s/remote .*/remote $HOST_NAME $HOST_PORT/g" /etc/openvpn/client.conf
+
+# fill in /etc/openvpn/credentials file
+echo $CRED_USER >  /etc/openvpn/credentials
+echo $CRED_PASS >> /etc/openvpn/credentials
+
+openvpn /etc/openvpn/client.conf
+
+zenity --question --text 'OpenVPN client process exited, do you want to reconnect?'
+if [ "$?" -ne 0 ]; then
+	exit 0
+fi
+
+run_yokai_openvpn &

yokai-sshuttle-launcher

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+while true; do
+
+	HOST_NAME=`zenity --entry --title 'Enter hostname' --text 'Please enter SSH server hostname'`
+	HOST_PORT=`zenity --entry --title 'Enter port number' --text 'Please enter SSH server port number' --entry-text '22'`
+	CRED_USER=`zenity --entry --title 'Enter username' --text 'Please enter your SSH username'`
+
+	SSHUTTLE=/opt/sshuttle/sshuttle
+	setsid ${SSHUTTLE} --dns -e 'ssh -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null' -r ${CRED_USER}@${HOST_NAME}:${HOST_PORT} 0/0
+
+	zenity --question --text 'sshuttle process exited, do you want to reconnect?'
+	if [ "$?" -ne 0 ]; then
+		exit 0
+	fi
+
+done