Merge pull request 'Whonix installation and onion-grater profile' (#715) from nyxnor/cwtch-ui:whonix into trunk

Reviewed-on: #715

linux/cwtch-whonix.yml

@@ -1,57 +1,73 @@
-# TODO: This can likely be restricted even further, especially in regards to the ADD_ONION pattern
+## Keep profiles in sync:
+## - https://git.openprivacy.ca/cwtch.im/cwtch-ui/src/branch/trunk/linux/cwtch-whonix.yml
+## - https://github.com/Whonix/onion-grater/blob/master/usr/share/doc/onion-grater-merger/examples/40_cwtch.yml
+
+---
 - exe-paths:
-  - ''
+    - '*'
-users:
+  users:
-  - '*'
+    - '*'
-hosts:
+  hosts:
-  - '*'
+    - '*'
-commands:
+  commands:
-  AUTHCHALLENGE:
+    SETEVENTS:
-    - 'SAFECOOKIE .*'
+      - 'CIRC WARN ERR'
-  SETEVENTS:
+      - 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT'
-    - 'CIRC WARN ERR'
+    GETINFO:
-    - 'CIRC ORCONN INFO NOTICE WARN ERR HS_DESC HS_DESC_CONTENT'
+      - pattern:       'network-liveness'
-  GETINFO:
+        response:
-    - 'net/listeners/socks'
+        - pattern:     '250-network-liveness=.*'
-    - '.*'
+          replacement: '250-network-liveness=up'
-  GETCONF:
+      - pattern:       'status/bootstrap-phase'
-    - 'DisableNetwork'
+        response:
-  SETCONF:
+        - pattern:     '250-status/bootstrap-phase=*'
-    - 'DisableNetwork.*'
+          replacement: '250-status/bootstrap-phase=NOTICE BOOTSTRAP PROGRESS=100 TAG=done SUMMARY="Done"'
-  ADD_ONION:
+    GETCONF:
-    - '.*'
+      - pattern:       'DisableNetwork'
-  DEL_ONION:
+        response:
-    - '.+'
+        - pattern:     '250 DisableNetwork=.*'
-  HSFETCH:
+          replacement: '250 DisableNetwork=0'
-    - '.+'
+    ADD_ONION:
-events:
+      ## {{{ Host: [::], Ports: 15000-15378
-  CIRC:
+      - pattern:     'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(15[0-2][0-9][0-9])'
-    suppress: true
+        replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}'
-  ORCONN:
+      - pattern:     'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(153[0-6][0-9])'
-    suppress: true
+        replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}'
-  INFO:
+      - pattern:     'ED25519-V3:(\S+) Flags=DiscardPK,Detach Port=9878,\[::\]:(1537[0-8])'
-    suppress: true
+        replacement: 'ED25519-V3:{} Flags=DiscardPK,Detach Port=9878,{client-address}:{}'
-  NOTICE:
+      ## }}}
-    suppress: true
+    DEL_ONION:
-  WARN:
+      - '.+'
-    suppress: true
+    HSFETCH:
-  ERR:
+      - '.+'
-    suppress: true
+  events:
-  HS_DESC:
+    CIRC:
-    response:
+      suppress: true
-      - pattern:     '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)'
+    ORCONN:
-      replacement: '650 HS_DESC CREATED {} {} {} redacted {}'
+      suppress: true
-      - pattern:     '650 HS_DESC UPLOAD (\S+) (\S+) .*'
+    INFO:
-      replacement: '650 HS_DESC UPLOAD {} {} redacted redacted'
+      suppress: true
-      - pattern:     '650 HS_DESC UPLOADED (\S+) (\S+) .+'
+    NOTICE:
-      replacement: '650 HS_DESC UPLOADED {} {} redacted'
+      suppress: true
-      - pattern:     '650 HS_DESC REQUESTED (\S+) NO_AUTH'
+    WARN:
-      replacement: '650 HS_DESC REQUESTED {} NO_AUTH'
+      suppress: true
-      - pattern:     '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+'
+    ERR:
-      replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted'
+      suppress: true
-      - pattern:     '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+'
+    HS_DESC:
-      replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted'
+      response:
-      - pattern:     '.*'
+        - pattern:     '650 HS_DESC CREATED (\S+) (\S+) (\S+) \S+ (.+)'
-      replacement: ''
+          replacement: '650 HS_DESC CREATED {} {} {} redacted {}'
-  HS_DESC_CONTENT:
+        - pattern:     '650 HS_DESC UPLOAD (\S+) (\S+) .*'
-    suppress: true
+          replacement: '650 HS_DESC UPLOAD {} {} redacted redacted'
+        - pattern:     '650 HS_DESC UPLOADED (\S+) (\S+) .+'
+          replacement: '650 HS_DESC UPLOADED {} {} redacted'
+        - pattern:     '650 HS_DESC REQUESTED (\S+) NO_AUTH'
+          replacement: '650 HS_DESC REQUESTED {} NO_AUTH'
+        - pattern:     '650 HS_DESC REQUESTED (\S+) NO_AUTH \S+ \S+'
+          replacement: '650 HS_DESC REQUESTED {} NO_AUTH redacted redacted'
+        - pattern:     '650 HS_DESC RECEIVED (\S+) NO_AUTH \S+ \S+'
+          replacement: '650 HS_DESC RECEIVED {} NO_AUTH redacted redacted'
+        - pattern:     '.*'
+          replacement: ''
+    HS_DESC_CONTENT:
+      suppress: true

linux/install-whonix.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+set -eu
+
+INSTALL_PREFIX=$HOME/.local
+INSTALL_PREFIX=$INSTALL_PREFIX DESKTOP_PREFIX=$INSTALL_PREFIX ./install.sh
+
+# Open incoming ports
+echo "Opening Cwtch firewall for incoming traffic on ports 15000 to 15378"
+sudo mkdir -p /usr/local/etc/whonix_firewall.d
+echo "EXTERNAL_OPEN_PORTS+=\" \$(seq 15000 15378) \"" | \
+  sudo tee /usr/local/etc/whonix_firewall.d/40_cwtch.conf >/dev/null
+sudo whonix_firewall
+
+# Set launch options
+sed -i "s|env LD|env CWTCH_TAILS=true CWTCH_RESTRICT_PORTS=true CWTCH_BIND_EXTERNAL_WHONIX=true LD|" $INSTALL_PREFIX/bin/cwtch
+
+# Inform about steps to be done in the gateway
+echo "Complete installation in the Whonix-Gateway with the following command:"
+echo "  $ sudo onion-grater-add 40_cwtch"
+
+echo "Launch Cwtch in the Whonix-Workstation with:"
+echo "  $ $INSTALL_PREFIX/bin/cwtch"