From f165871b63b52fb093a480c459b74eff6ea23fb0 Mon Sep 17 00:00:00 2001
From: czesiek
Date: Sat, 1 Nov 2014 18:52:30 +0100
Subject: [PATCH] Added initscripts/, NM dispatcher script, ferm configs, launchers
---
 NetworkManager/60-yokai-launcher.sh | 45 ++++++++++++++
 environment.clean | 18 ++++++
 ferm-clear.conf | 52 +++++++++++++++++
 ferm-offline.conf | 52 +++++++++++++++++
 initscripts/longkeyword | 40 +++++++++++++
 initscripts/unfermify | 36 ++++++++++++
 initscripts/untorify | 80 +++++++++++++++++++++++++
 yokai-launcher | 7 +++
 yokai-launcher-nosudo | 7 +++
 yokai-openvpn-launcher | 91 +++++++++++++++++++++++++++++
 yokai-sshuttle-launcher | 17 ++++++
 11 files changed, 445 insertions(+)
 create mode 100755 NetworkManager/60-yokai-launcher.sh
 create mode 100644 environment.clean
 create mode 100644 ferm-clear.conf
 create mode 100644 ferm-offline.conf
 create mode 100755 initscripts/longkeyword
 create mode 100755 initscripts/unfermify
 create mode 100755 initscripts/untorify
 create mode 100755 yokai-launcher
 create mode 100755 yokai-launcher-nosudo
 create mode 100755 yokai-openvpn-launcher
 create mode 100755 yokai-sshuttle-launcher
diff --git a/NetworkManager/60-yokai-launcher.sh b/NetworkManager/60-yokai-launcher.sh
new file mode 100755
index 0000000..1368b47
--- /dev/null
+++ b/NetworkManager/60-yokai-launcher.sh
@@ -0,0 +1,45 @@
+#! /bin/sh
+
+set -e
+
+killtree() {
+ local _pid=$1
+ local _sig=${2:--KILL}
+ for _child in $(ps -o pid --no-headers --ppid ${_pid}); do
+ killtree ${_child} ${_sig}
+ done
+
+ kill -9 ${_pid}
+}
+
+# Get LIVE_USERNAME
+. /etc/live/config.d/username.conf
+
+# Get LANG
+. /etc/default/locale
+
+export LANG
+export DISPLAY=':0.0'
+export XAUTHORITY="`echo /var/run/gdm3/auth-for-${LIVE_USERNAME}-*/database`"
+
+LOCKFILE=/var/lock/yokai-launcher.lock
+
+# Run only when the interface is not "lo":
+if [ "${1}" = "lo" ]; then
+ exit 0
+fi
+
+if [ "${2}" = "up" ]; then
+ (
+ sudo -u ${LIVE_USERNAME} lckdo $LOCKFILE yokai-launcher -DISPLAY=${DISPLAY}
+ ) &
+elif [ "${2}" = "down" ]; then
+ for i in $(seq 10); do
+ PPID=`pgrep "^yokai-launcher$"`
+ killtree $PPID
+ sleep 1
+ if ! pgrep "^yokai-launcher$"; then
+ break
+ fi
+ done
+fi
diff --git a/environment.clean b/environment.clean
new file mode 100644
index 0000000..24f488c
--- /dev/null
+++ b/environment.clean
@@ -0,0 +1,18 @@
+#http_proxy=http://127.0.0.1:8118
+#HTTP_PROXY=http://127.0.0.1:8118
+#https_proxy=http://127.0.0.1:8118
+#HTTPS_PROXY=http://127.0.0.1:8118
+#SOCKS_SERVER=127.0.0.1:9050
+#SOCKS5_SERVER=127.0.0.1:9050
+
+# Allow Torbutton access to the control port filter (for new identity).
+# Setting a password is required, otherwise Torbutton attempts to
+# read the authentication cookie file instead, which fails.
+#TOR_CONTROL_HOST='127.0.0.1'
+#TOR_CONTROL_PORT='9052'
+#TOR_CONTROL_PASSWD='passwd'
+
+#GIT_PROXY_COMMAND=/usr/local/bin/connect-socks
+
+# Port that the monkeysphere validation agent listens on
+MSVA_PORT='6136'
diff --git a/ferm-clear.conf b/ferm-clear.conf
new file mode 100644
index 0000000..82f9fc3
--- /dev/null
+++ b/ferm-clear.conf
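Review bot: `killtree` accepts a signal in `_sig` (default `-KILL`) but its last line `kill -9 ${_pid}` ignores it, so the `down` branch can never attempt a graceful TERM before KILL; `kill ${_sig} ${_pid}` is what the signature promises. In the `down` loop the `pgrep` result is stored in `PPID`, the shell's own parent-pid variable (read-only in bash; under the `/bin/sh` shebang it is probably just shadowed), and when no launcher is running `killtree` is called with an empty pid while, under `set -e`, the failing substitution in that assignment appears to end the script before the `break` is reached; `lpid=$(pgrep "^yokai-launcher$") || break` followed by `killtree "$lpid" -TERM` handles both. `${LIVE_USERNAME}`, `$LOCKFILE` and `${_pid}` are expanded unquoted throughout, and the `XAUTHORITY` glob `auth-for-${LIVE_USERNAME}-*` silently yields the literal pattern when no gdm3 session directory exists; a `[ -r "$XAUTHORITY" ] || exit 0` guard after the export would make the failure visible instead of letting `yokai-launcher` start without a display.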
@@ -0,0 +1,52 @@
+# -*- mode: conf[space] -*-
+#
+# Configuration file for ferm(1).
+#
+
+# IPv4
+domain ip {
+ table filter {
+ chain INPUT {
+ policy ACCEPT;
+ }
+
+ chain OUTPUT {
+ policy ACCEPT;
+ }
+
+ chain FORWARD {
+ policy ACCEPT;
+ }
+ }
+
+ table nat {
+ chain PREROUTING {
+ policy ACCEPT;
+ }
+
+ chain POSTROUTING {
+ policy ACCEPT;
+ }
+
+ chain OUTPUT {
+ policy ACCEPT;
+ }
+ }
+}
+
+# IPv6:
+domain ip6 {
+ table filter {
+ chain INPUT {
+ policy ACCEPT;
+ }
+
+ chain FORWARD {
+ policy ACCEPT;
+ }
+
+ chain OUTPUT {
+ policy ACCEPT;
+ }
+ }
+}
diff --git a/ferm-offline.conf b/ferm-offline.conf
new file mode 100644
index 0000000..349b92b
--- /dev/null
+++ b/ferm-offline.conf
@@ -0,0 +1,52 @@
+# -*- mode: conf[space] -*-
+#
+# Configuration file for ferm(1).
+#
+
+# IPv4
+domain ip {
+ table filter {
+ chain INPUT {
+ policy DROP;
+ }
+
+ chain OUTPUT {
+ policy DROP;
+ }
+
+ chain FORWARD {
+ policy DROP;
+ }
+ }
+
+ table nat {
+ chain PREROUTING {
+ policy DROP;
+ }
+
+ chain POSTROUTING {
+ policy DROP;
+ }
+
+ chain OUTPUT {
+ policy DROP;
+ }
+ }
+}
+
+# IPv6:
+domain ip6 {
+ table filter {
+ chain INPUT {
+ policy DROP;
+ }
+
+ chain FORWARD {
+ policy DROP;
+ }
+
+ chain OUTPUT {
+ policy DROP;
+ }
+ }
+}
diff --git a/initscripts/longkeyword b/initscripts/longkeyword
new file mode 100755
index 0000000..a841ff3
--- /dev/null
+++ b/initscripts/longkeyword
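Review bot: Both ferm files carry only the generic `Configuration file for ferm(1).` header, so nothing states what each profile is for: ferm-clear.conf sets every built-in chain of the IPv4 filter and nat tables and the IPv6 filter table to `policy ACCEPT;` with no rules, which leaves no packet filtering at all once initscripts/unfermify renames it over /etc/ferm/ferm.conf, while ferm-offline.conf sets the same chains to `policy DROP;` (loopback included, since there is no rule for `lo`) and is not installed or referenced by anything else in this commit. A one-line purpose comment under the header of each, e.g. `# yokai: accept-all profile, installed as /etc/ferm/ferm.conf by initscripts/unfermify; no traffic is filtered while it is active.` and `# yokai: drop-all profile for offline mode; not yet activated by any script.`, keeps the two near-identical files from being confused. The ferm-offline.conf header should also say whether cutting loopback is intended, because local services that talk over 127.0.0.1 stop working under it as well.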
@@ -0,0 +1,40 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: longkeyword
+# Required-Start: $remote_fs
+# Required-Stop: $remote_fs
+# Default-Start: 5
+# Default-Stop: 0 1 2 3 4 6
+# X-Start-Before: untorify
+# Short-Description: Check for the long keyword in
+### END INIT INFO
+#
+# Author: czesiek
+#
+
+set -e
+
+NAME=longkeyword
+DESC=longkeyword
+
+case "$1" in
+ start)
+ echo -n "Starting $DESC: "
+ if grep -q iwillnotbuythisrecorditisscratched /proc/cmdline
+ then
+ echo "Direct connection keyword found, doing nothing."
+ else
+ echo "No keyword for direct connection found, restarting..."
+ sleep 2
+ shutdown -h now
+ fi
+ echo "Done"
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/initscripts/unfermify b/initscripts/unfermify
new file mode 100755
index 0000000..32faf93
--- /dev/null
+++ b/initscripts/unfermify
@@ -0,0 +1,36 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: unfermify
+# Required-Start: $remote_fs
+# Required-Stop: $remote_fs
+# Default-Start: 3 4 5
+# Default-Stop: 0 1 2 6
+# X-Start-Before: ferm
+# Short-Description: Clear iptables modifications made by ferm's default ruleset
+### END INIT INFO
+#
+# Author: czesiek
+#
+
+set -e
+
+NAME=unfermify
+DESC=unfermify
+
+case "$1" in
+ start)
+ echo -n "Starting $DESC: "
+
+ # replace Tails' ferm config with ours
+ mv /etc/ferm/ferm-clear.conf /etc/ferm/ferm.conf
+
+ echo "Done"
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/initscripts/untorify b/initscripts/untorify
new file mode 100755
index 0000000..173c1e0
--- /dev/null
+++ b/initscripts/untorify
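Review bot: `Default-Start: 5` means this keyword gate only runs in runlevel 5, while initscripts/untorify in the same commit starts in runlevels 3 4 5 and the launchers key on `quiet 3` / `quiet 4` on the kernel command line; if those runlevels are the VPN/SSH boot modes, the check that is meant to halt a machine booted without the keyword never runs there, so either `Default-Start: 3 4 5` or a comment explaining why 5 alone is correct is needed. The `Short-Description:` line is cut off after `in`; finish it, e.g. `# Short-Description: Halt unless the direct-connection keyword is on the kernel command line`. The keyword is a plain `grep -q` substring match on /proc/cmdline, which is readable by every local user, so it functions as a boot-mode switch rather than a secret, and the header comment should say that so nobody later relies on it as an access control. The message `No keyword for direct connection found, restarting...` is followed by `shutdown -h now`, which halts rather than restarts; make the text match the action.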
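Review bot: The start action is `mv /etc/ferm/ferm-clear.conf /etc/ferm/ferm.conf`, a one-shot rename under `set -e`: if the service is run a second time in the same session the source no longer exists, `mv` fails and the script exits before `echo "Done"`, reporting failure although the intended state is already in place. `cp /etc/ferm/ferm-clear.conf /etc/ferm/ferm.conf` keeps the action idempotent and leaves the profile available for inspection. The original Tails ferm.conf is overwritten with no backup, unlike the `.tails` copies initscripts/untorify makes; a comment stating that the drop is deliberate (or a `mv /etc/ferm/ferm.conf /etc/ferm/ferm.conf.tails` first) would make the intent clear to the next reader.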
@@ -0,0 +1,80 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: untorify
+# Required-Start: $remote_fs
+# Required-Stop: $remote_fs
+# Default-Start: 3 4 5
+# Default-Stop: 0 1 2 6
+# X-Start-After: resolvconf
+# Short-Description: Clear proxy modifications done by Tails to enable VPN/SSH capabilities or direct connection.
+### END INIT INFO
+#
+# Author: czesiek
+#
+
+set -e
+
+NAME=untorify
+DESC=untorify
+
+case "$1" in
+ start)
+ echo -n "Starting $DESC: "
+
+ # delete apt's proxy config
+ rm -rf /etc/apt/apt.conf.d/0000runtime-proxy
+
+ # overwrite /etc/environment with out modified one
+ cp /etc/environment.clean /etc/environment
+
+ # delete Iceweasel's wrapper script
+ #rm -rf /usr/local/bin/iceweasel
+ rm -rf /usr/local/bin/tor-browser # XXX: Not tested
+
+ # FIXME
+ ## switch Iceweasel's default profile for Debian's clean one
+ #mv /etc/iceweasel/profile /etc/iceweasel/profile.tails
+ #mv /etc/iceweasel/profile.clean /etc/iceweasel/profile
+
+ # move the default ~/.mozilla
+ # live-config starts before us
+ mv /etc/skel/.mozilla /etc/skel/.mozilla.tails
+ # so we need this
+ rm -rf /home/amnesia/.mozilla
+
+ # FIXME
+ ## TODO: /opt/yokai cleanup
+ #FILE=/usr/lib/iceweasel/browser/defaults/preferences/000-tor-browser.js
+ #sed -r -i '/^(user_|)pref\("network\.proxy\..*",/d' ${FILE}
+ #echo 'user_pref("network.proxy.type", 0);' >> ${FILE}
+ #echo 'user_pref("network.proxy.socks_remote_dns", false);' >> ${FILE}
+ #
+ #FILE=/usr/lib/iceweasel/browser/defaults/syspref/000-tor-browser.js
+ #sed -r -i '/^(user_|)pref\("network\.proxy\..*",/d' ${FILE}
+ #echo 'user_pref("network.proxy.type", 0);' >> ${FILE}
+ #echo 'user_pref("network.proxy.socks_remote_dns", false);' >> ${FILE}
+
+ # resolvconf
+ echo '' > /etc/resolvconf/resolv.conf.d/base
+ echo -e 'tun*\n*' > /etc/resolvconf/interface-order
+
+ # delete NetworkManager dispatcher scripts
+ rm /etc/NetworkManager/dispatcher.d/10-tor.sh
+ rm /etc/NetworkManager/dispatcher.d/20-time.sh
+ rm /etc/NetworkManager/dispatcher.d/60-tor-ready-notification.sh
+ rm /etc/NetworkManager/dispatcher.d/60-ttdnsd.sh
+ rm /etc/NetworkManager/dispatcher.d/60-vidalia.sh
+
+ # ssh client
+ rm /etc/ssh/ssh_config
+
+ echo "Done"
+ ;;
+ *)
+ N=/etc/init.d/$NAME
+ echo "Usage: $N {start}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/yokai-launcher b/yokai-launcher
new file mode 100755
index 0000000..d6dbb90
--- /dev/null
+++ b/yokai-launcher
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q 'quiet 3' /proc/cmdline; then
+ sudo /usr/local/bin/yokai-openvpn-launcher
+elif grep -q 'quiet 4' /proc/cmdline; then
+ sudo /usr/local/bin/yokai-sshuttle-launcher
+fi
diff --git a/yokai-launcher-nosudo b/yokai-launcher-nosudo
new file mode 100755
index 0000000..3a702b2
--- /dev/null
+++ b/yokai-launcher-nosudo
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -q 'quiet 3' /proc/cmdline; then
+ /usr/local/bin/yokai-openvpn-launcher
+elif grep -q 'quiet 4' /proc/cmdline; then
+ /usr/local/bin/yokai-sshuttle-launcher
+fi
diff --git a/yokai-openvpn-launcher b/yokai-openvpn-launcher
new file mode 100755
index 0000000..ad9775b
--- /dev/null
+++ b/yokai-openvpn-launcher
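Review bot: `echo -e 'tun*\n*' > /etc/resolvconf/interface-order` runs under `#!/bin/sh`, and dash's builtin echo has no `-e` option and prints it literally, so the first line of the file becomes `-e tun*` rather than `tun*`; `printf 'tun*\n*\n' > /etc/resolvconf/interface-order` does what is intended regardless of shell. The five bare `rm` calls on the dispatcher scripts and `rm /etc/ssh/ssh_config` carry no `-f`, so under `set -e` the first absent file aborts the script with /etc/environment already replaced but the remaining Tor dispatcher hooks still active, a half-converted state that is harder to reason about than either end; `rm -f` on those six lines keeps the action all-or-nothing in effect. `/home/amnesia` is hard-coded while NetworkManager/60-yokai-launcher.sh reads the user from /etc/live/config.d/username.conf; sourcing the same file and using `rm -rf /home/${LIVE_USERNAME}/.mozilla` avoids a silent miss if the live username changes. The comment `overwrite /etc/environment with out modified one` should read `our`.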
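Review bot: yokai-launcher is started as the live user by NetworkManager/60-yokai-launcher.sh and immediately `sudo`s back to root to run an interactive zenity launcher, which can only work non-interactively with a NOPASSWD sudoers rule for those two paths that this commit does not include; a header comment naming the rule the script depends on, and that it must be limited to these two absolute paths, keeps the privilege round-trip reviewable (yokai-launcher-nosudo is the same file minus the `sudo`). `grep -q 'quiet 3' /proc/cmdline` is a substring match, so it would also fire on a command line containing `quiet 30`; `grep -qw 'quiet 3'` is tighter. The `-DISPLAY=${DISPLAY}` argument the dispatcher passes is never read here; either drop it on the caller side or consume `"$1"`.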
@@ -0,0 +1,91 @@
+#!/bin/bash
+SCRIPT=$0
+
+function run_yokai_openvpn() {
+ openvpn --up '/usr/bin/zenity --notification --text "OpenVPN connection established and running."' --down '/usr/bin/zenity --notification --text "OpenVPN connection closed!"' --config /etc/openvpn/client.conf
+
+ zenity --question --text 'OpenVPN client process exited, do you want to reconnect?'
+ if [ "$?" -ne 0 ]; then
+ exit 0
+ fi
+
+ # user said "yes", get on with it (again)
+ $SCRIPT
+}
+
+# CA file selection
+while true; do
+ echo 'Asking for CA file.'
+ CA_CERT=`zenity --file-selection --title="Select an OpenVPN CA certificate"`
+
+ case $? in
+ 0)
+ echo "CA file \"$CA_CERT\" selected."
+ break
+ ;;
+ 1)
+ echo 'User cancelled while selecting CA file'
+ zenity --warning --text 'Please select a CA certificate file.'
+ ;;
+ -1)
+ echo 'An error occured during CA certificate file selection.'
+ zenity --error --text 'An unexpected error has occured during CA certificate file selection.'
+ exit 1
+ ;;
+ esac
+done
+
+# copy CA file to a place specified in /etc/openvpn/client.conf
+cp $CA_CERT /etc/openvpn/ca.crt
+
+
+# hostname, port number, credentials
+HOST_NAME=`zenity --entry --title 'Enter hostname' --text 'Please enter OpenVPN server hostname'`
+HOST_PORT=`zenity --entry --title 'Enter port number' --text 'Please enter OpenVPN server port number'`
+CRED_USER=`zenity --entry --title 'Enter username' --text 'Please enter your OpenVPN username'`
+CRED_PASS=`zenity --entry --hide-text --title 'Enter password' --text 'Please enter your OpenVPN password'`
+
+#ENTRY=`zenity --password --username`
+#CRED_USER=`echo $ENTRY | cut -d'|' -f1`
+#CRED_PASS=`echo $ENTRY | cut -d'|' -f2`
+
+# Note: Replaced by the above because of old Zenity version in Tails
+#while true; do
+# ENTRY=`zenity --forms --title 'OpenVPN server details' --text 'Please enter OpenVPN server details.' --add-entry 'Hostname' --add-entry 'Port' --add-entry 'Username' --add-password 'Password'`
+# case $? in
+# 0)
+# HOST_NAME=`echo $ENTRY | cut -d'|' -f1`
+# HOST_PORT=`echo $ENTRY | cut -d'|' -f2`
+# CRED_USER=`echo $ENTRY | cut -d'|' -f3`
+# CRED_PASS=`echo $ENTRY | cut -d'|' -f4`
+# # TODO: simple validity checks (port number, empty strings)
+# break
+# ;;
+# 1)
+# echo 'User cancelled while entering OpenVPN server data'
+# zenity --warning --text='You must enter OpenVPN server credentials in order to connect to the Net.'
+# ;;
+# -1)
+# echo 'An error occured during credentials input.'
+# zenity --error --text 'An unexpected error has occured during credentials input.'
+# exit 1
+# ;;
+# esac
+#done
+
+# replace 'remote' line in /etc/openvpn/client.conf
+echo "== remote $HOST_NAME $HOST_PORT"
+sed -i "s/remote .*/remote $HOST_NAME $HOST_PORT/g" /etc/openvpn/client.conf
+
+# fill in /etc/openvpn/credentials file
+echo $CRED_USER > /etc/openvpn/credentials
+echo $CRED_PASS >> /etc/openvpn/credentials
+
+openvpn /etc/openvpn/client.conf
+
+zenity --question --text 'OpenVPN client process exited, do you want to reconnect?'
+if [ "$?" -ne 0 ]; then
+ exit 0
+fi
+
+run_yokai_openvpn &
diff --git a/yokai-sshuttle-launcher b/yokai-sshuttle-launcher
new file mode 100755
index 0000000..0be10dc
--- /dev/null
+++ b/yokai-sshuttle-launcher
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+while true; do
+
+ HOST_NAME=`zenity --entry --title 'Enter hostname' --text 'Please enter SSH server hostname'`
+ HOST_PORT=`zenity --entry --title 'Enter port number' --text 'Please enter SSH server port number' --entry-text '22'`
+ CRED_USER=`zenity --entry --title 'Enter username' --text 'Please enter your SSH username'`
+
+ SSHUTTLE=/opt/sshuttle/sshuttle
+ setsid ${SSHUTTLE} --dns -e 'ssh -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null' -r ${CRED_USER}@${HOST_NAME}:${HOST_PORT} 0/0
+
+ zenity --question --text 'sshuttle process exited, do you want to reconnect?'
+ if [ "$?" -ne 0 ]; then
+ exit 0
+ fi
+
+done
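Review bot: `echo $CRED_USER > /etc/openvpn/credentials` and `echo $CRED_PASS >> /etc/openvpn/credentials` create the file under the process's default umask, so the VPN password is typically left readable by every local user, and the unquoted `echo` also word-splits and glob-expands the password and mangles one beginning with `-n` or `-e`; `umask 077` before the write and `printf '%s\n' "$CRED_USER" "$CRED_PASS" > /etc/openvpn/credentials` fix both. The user-typed hostname and port go straight into `sed -i "s/remote .*/remote $HOST_NAME $HOST_PORT/g"`, so a `/`, `&` or newline in either corrupts client.conf, which openvpn then runs as root; check them before use (e.g. `[[ $HOST_PORT =~ ^[0-9]+$ ]]` and a hostname pattern without `/`) or write the `remote` line with printf instead of sed. The `-1)` arm of the CA-selection `case` is unreachable because a negative exit code reaches `$?` as 255, so a zenity error silently re-enters the loop and re-prompts; use `255)`. `cp $CA_CERT /etc/openvpn/ca.crt` should quote the path, since the file chooser may return one containing spaces, and `run_yokai_openvpn` re-invokes `$SCRIPT` recursively on every reconnect, which leaves one extra bash process per cycle.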
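Review bot: `-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null` disables SSH host-key verification for the session that then carries all traffic and DNS (`--dns ... 0/0`), so the tunnel never authenticates the server and an on-path party can terminate it undetected; drop both options and let ssh keep a persistent known_hosts (`-oStrictHostKeyChecking=ask` with the default file), or have the user confirm the fingerprint once. `${CRED_USER}@${HOST_NAME}:${HOST_PORT}` is assembled from unvalidated, unquoted zenity input, so an empty or space-containing answer yields a malformed `-r` argument rather than a re-prompt; check the three values before the `setsid` line. If this shell is a process-group leader, `setsid` forks and returns immediately, in which case the `sshuttle process exited` question would appear at once; worth confirming, and if so `setsid -w` (util-linux, where available) or dropping `setsid` restores the ordering.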