Feat: adds signal-desktop and tor-transproxy

8 files changed, 327 insertions, 0 deletions

diff --git a/share/trashman/signal-desktop/info b/share/trashman/signal-desktop/info
new file mode 100644
index 0000000..bf2119f
--- /dev/null
+++ b/share/trashman/signal-desktop/info
@@ -0,0 +1 @@
+signal messenger desktop client
diff --git a/share/trashman/signal-desktop/unix/linux/debian/files/etc/apt/trusted.gpg.d/signal.org.gpg b/share/trashman/signal-desktop/unix/linux/debian/files/etc/apt/trusted.gpg.d/signal.org.gpg
new file mode 100644
index 0000000..b5e68a0
--- /dev/null
+++ b/share/trashman/signal-desktop/unix/linux/debian/files/etc/apt/trusted.gpg.d/signal.org.gpg
diff --git a/share/trashman/signal-desktop/unix/linux/debian/install b/share/trashman/signal-desktop/unix/linux/debian/install
new file mode 100755
index 0000000..aa291f6
--- /dev/null
+++ b/share/trashman/signal-desktop/unix/linux/debian/install
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+#
+# Installs Signal Desktop.
+#
+
+# Parameters
+SHARE="$1"
+
+# Include basic functions
+. $SHARE/trashman/functions || exit 1
+. $SHARE/trashman/debian    || exit 1
+
+# Install requirements
+trashman_apt_install curl apt-transport-https
+
+# Setup Signal repository
+#curl -s https://updates.signal.org/desktop/apt/keys.asc | apt-key add -
+cp $SHARE/signal-desktop/unix/linux/debian/files/etc/apt/trusted.gpg.d/signal.org.gpg /etc/apt/trusted.gpg.d/
+echo "deb [arch=amd64] https://updates.signal.org/desktop/apt xenial main" | tee /etc/apt/sources.list.d/signal-xenial.list > /dev/null
+
+# Install Signal
+trashman_apt_install signal-desktop
+
+# The SUID sandbox helper binary was found, but is not configured correctly.
+# Rather than run without sandboxing I'm aborting now.
+# You need to make sure that /opt/Signal/chrome-sandbox is owned by root and has mode 4755.
+chmod 4755 /opt/Signal/chrome-sandbox
diff --git a/share/trashman/tor-transproxy/info b/share/trashman/tor-transproxy/info
new file mode 100644
index 0000000..c56d1f7
--- /dev/null
+++ b/share/trashman/tor-transproxy/info
@@ -0,0 +1 @@
+Tor transparent proxy
diff --git a/share/trashman/tor-transproxy/unix/linux/debian/files/etc/network/if-pre-up.d/iptables b/share/trashman/tor-transproxy/unix/linux/debian/files/etc/network/if-pre-up.d/iptables
new file mode 100755
index 0000000..68e4501
--- /dev/null
+++ b/share/trashman/tor-transproxy/unix/linux/debian/files/etc/network/if-pre-up.d/iptables
@@ -0,0 +1,58 @@
+#!/bin/bash
+#
+# Based on https://lists.torproject.org/pipermail/tor-talk/2014-March/032503.html
+# See also:
+#
+#  https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
+#- https://askubuntu.com/questions/324685/how-to-route-all-internet-traffic-through-tor-the-onion-router
+#- https://tor.stackexchange.com/questions/12343/use-iptables-to-force-traffic-through-tor
+#- https://tails.boum.org/contribute/design/Tor_enforcement/Network_filter/
+#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/ferm/ferm.conf
+#- https://git.tails.boum.org/tails/plain/config/chroot_local-includes/etc/tor/torrc
+#- https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver
+#- https://trac.torproject.org/projects/tor/wiki/doc/PreventingDnsLeaksInTor
+
+# Parameters
+IPTABLES=/sbin/iptables
+TOR_UID=`id -u debian-tor`
+NETWORK_USER_ID=1000
+
+# Clear existing rules
+$IPTABLES -F INPUT  || exit
+$IPTABLES -F OUTPUT || exit
+$IPTABLES -t nat -F || exit
+
+# Transproxy rules for Tor
+$IPTABLES -t nat -A OUTPUT ! -d 127.0.0.1 -m owner ! --uid-owner $TOR_UID -p tcp -j REDIRECT --to-ports 9040    || exit
+$IPTABLES -t nat -A OUTPUT -p udp -m owner ! --uid-owner $TOR_UID -m udp --dport 53 -j REDIRECT --to-ports 5353 || exit
+
+# Allow Tor, _apt, root and the network user
+$IPTABLES -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT         || exit
+$IPTABLES -A OUTPUT -m owner --uid-owner $NETWORK_USER_ID -j ACCEPT || exit
+$IPTABLES -A OUTPUT -m owner --uid-owner root -j ACCEPT             || exit
+$IPTABLES -A OUTPUT -m owner --uid-owner _apt -j ACCEPT             || exit
+$IPTABLES -A INPUT -j LOG --log-prefix "OUTPUT DROPPED: " --log-uid || exit
+$IPTABLES -A OUTPUT -j DROP                                         || exit
+
+# Allow SSH
+$IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT || exit
+
+# Create INPUT firewall. Allow established connections and transproxy
+$IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || exit
+$IPTABLES -A INPUT -i lo -j ACCEPT                                      || exit # Transproxy output comes from lo
+$IPTABLES -A INPUT -d 127.0.0.1 -m udp -p udp --dport 5300 -j ACCEPT    || exit
+$IPTABLES -A INPUT -j LOG --log-prefix "INPUT DROPPED: " --log-uid      || exit
+$IPTABLES -A INPUT -j DROP                                              || exit
+
+# Avoid packet leaks
+# https://lists.torproject.org/pipermail/tor-talk/2014-March/032507.html
+#iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP
+#iptables -I OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP
+#iptables -A OUTPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "Transproxy ctstate leak blocked: " --log-uid
+iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP                                                                                                    || exit
+iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "Transproxy state leak blocked: " --log-uid                                                  || exit
+iptables -A OUTPUT -m state --state INVALID -j DROP                                                                                                          || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j LOG --log-prefix "Transproxy leak blocked: " --log-uid || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,FIN ACK,FIN -j DROP                                                   || exit
+iptables -A OUTPUT ! -o lo ! -d 127.0.0.1 ! -s 127.0.0.1 -p tcp -m tcp --tcp-flags ACK,RST ACK,RST -j DROP                                                   || exit
diff --git a/share/trashman/tor-transproxy/unix/linux/debian/files/etc/tor/torrc b/share/trashman/tor-transproxy/unix/linux/debian/files/etc/tor/torrc
new file mode 100644
index 0000000..2b7369f
--- /dev/null
+++ b/share/trashman/tor-transproxy/unix/linux/debian/files/etc/tor/torrc
@@ -0,0 +1,183 @@
+## Configuration file for a typical Tor user
+## Last updated 22 December 2007 for Tor 0.2.0.14-alpha.
+## (May or may not work for much older or much newer versions of Tor.)
+##
+## Lines that begin with "## " try to explain what's going on. Lines
+## that begin with just "#" are disabled commands: you can enable them
+## by removing the "#" symbol.
+##
+## See the man page, or https://www.torproject.org/tor-manual-dev.html,
+## for more options you can use in this file.
+##
+## Tor will look for this file in various places based on your platform:
+## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#torrc
+
+
+## Default SocksPort
+SocksPort 127.0.0.1:9050 IsolateDestAddr IsolateDestPort
+## SocksPort for Tails-specific applications
+SocksPort 127.0.0.1:9062 IsolateDestAddr IsolateDestPort
+## SocksPort for the default web browser
+SocksPort 127.0.0.1:9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
+
+## Entry policies to allow/deny SOCKS requests based on IP address.
+## First entry that matches wins. If no SocksPolicy is set, we accept
+## all (and only) requests from SocksListenAddress.
+#SocksPolicy accept 192.168.0.0/16
+#SocksPolicy reject *
+
+## Logs go to stdout at level "notice" unless redirected by something
+## else, like one of the below lines. You can have as many Log lines as
+## you want.
+##
+## We advise using "notice" in most cases, since anything more verbose
+## may provide sensitive information to an attacker who obtains the logs.
+##
+## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
+#Log notice file /var/log/tor/notices.log
+## Send every possible message to /var/log/tor/debug.log
+#Log debug file /var/log/tor/debug.log
+## Use the system log instead of Tor's logfiles
+#Log notice syslog
+## To send all messages to stderr:
+#Log debug stderr
+
+## Uncomment this to start the process in the background... or use
+## --runasdaemon 1 on the command line. This is ignored on Windows;
+## see the FAQ entry if you want Tor to run as an NT service.
+#RunAsDaemon 1
+
+## The directory for keeping all the keys/etc. By default, we store
+## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+#DataDirectory /var/lib/tor
+
+## The port on which Tor will listen for local connections from Tor
+## controller applications, as documented in control-spec.txt.
+ControlPort 9052
+ControlListenAddress 127.0.0.1
+
+############### This section is just for location-hidden services ###
+
+## Once you have configured a hidden service, you can look at the
+## contents of the file ".../hidden_service/hostname" for the address
+## to tell people.
+##
+## HiddenServicePort x y:z says to redirect requests on port x to the
+## address y:z.
+
+#HiddenServiceDir /var/lib/tor/hidden_service/
+#HiddenServicePort 80 127.0.0.1:80
+
+#HiddenServiceDir /var/lib/tor/other_hidden_service/
+#HiddenServicePort 80 127.0.0.1:80
+#HiddenServicePort 22 127.0.0.1:22
+
+################ This section is just for relays #####################
+#
+## See https://www.torproject.org/docs/tor-doc-relay for details.
+
+## A unique handle for your server.
+#Nickname ididnteditheconfig
+
+## The IP or FQDN for your server. Leave commented out and Tor will guess.
+#Address noname.example.com
+
+## Define these to limit the bandwidth usage of relayed (server)
+## traffic. Your own traffic is still unthrottled.
+## Note that RelayBandwidthRate must be at least 20 KB.
+#RelayBandwidthRate 100 KBytes  # Throttle traffic to 100KB/s (800Kbps)
+#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB/s (1600Kbps)
+
+## Contact info to be published in the directory, so we can contact you
+## if your server is misconfigured or something else goes wrong.
+#ContactInfo Random Person <nobody AT example dot com>
+## You might also include your PGP or GPG fingerprint if you have one:
+#ContactInfo 1234D/FFFFFFFF Random Person <nobody AT example dot com>
+
+## Required: what port to advertise for Tor connections.
+#ORPort 9001
+## If you need to listen on a port other than the one advertised
+## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the
+## line below too. You'll need to do ipchains or other port forwarding
+## yourself to make this work.
+#ORListenAddress 0.0.0.0:9090
+
+## Uncomment this to mirror directory information for others. Please do
+## if you have enough bandwidth.
+#DirPort 9030 # what port to advertise for directory connections
+## If you need to listen on a port other than the one advertised
+## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line
+## below too. You'll need to do ipchains or other port forwarding yourself
+## to make this work.
+#DirListenAddress 0.0.0.0:9091
+
+## Uncomment this if you run more than one Tor server, and add the
+## nickname of each Tor server you control, even if they're on different
+## networks. You declare it here so Tor clients can avoid using more than
+## one of your servers in a single circuit. See
+## http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#MultipleServers
+#MyFamily nickname1,nickname2,...
+
+## A comma-separated list of exit policies. They're considered first
+## to last, and the first match wins. If you want to _replace_
+## the default exit policy, end this with either a reject *:* or an
+## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
+## default exit policy. Leave commented to just use the default, which is
+## available in the man page or at https://www.torproject.org/documentation.html
+##
+## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
+## for issues you might encounter if you use the default exit policy.
+##
+## If certain IPs and ports are blocked externally, e.g. by your firewall,
+## you should update your exit policy to reflect this -- otherwise Tor
+## users will be told that those destinations are down.
+##
+#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
+#ExitPolicy accept *:119 # accept nntp as well as default exit policy
+#ExitPolicy reject *:* # no exits allowed
+#
+################ This section is just for bridge relays ##############
+#
+## Bridge relays (or "bridges" ) are Tor relays that aren't listed in the
+## main directory. Since there is no complete public list of them, even if an
+## ISP is filtering connections to all the known Tor relays, they probably
+## won't be able to block all the bridges. Unlike running an exit relay,
+## running a bridge relay just passes data to and from the Tor network --
+## so it shouldn't expose the operator to abuse complaints.
+
+#ORPort 443
+#BridgeRelay 1
+#RelayBandwidthRate 50KBytes
+#ExitPolicy reject *:*
+
+
+################ Local settings ########################################
+
+## Torified DNS
+DNSPort 5353
+AutomapHostsOnResolve 1
+AutomapHostsSuffixes .exit,.onion
+
+## Transparent proxy
+TransPort 9040
+TransListenAddress 127.0.0.1
+
+## Misc
+AvoidDiskWrites 1
+
+## We don't care if applications do their own DNS lookups since our Tor
+## enforcement will handle it safely.
+WarnUnsafeSocks 0
+
+## Disable default warnings on StartTLS for email. Let's not train our
+## users to click through security warnings.
+WarnPlaintextPorts 23,109
+
+## Tor 0.3.x logs to syslog by default, which we redirect to the Journal;
+## but we have some code that reads Tor's logs and only supports plaintext
+## log files at the moment, so let's keep logging to a file.
+Log notice file /var/log/tor/log
+
+# WARNING: Hashed empty password, useful for a box with only a single user running Tor Browser
+# using the system-installed tor daemon and with sane firewall rules set.
+HashedControlPassword 16:756491A440833A1B609F2CCC095BFD2769A1634B4BEC4214BAA9E20629
diff --git a/share/trashman/tor-transproxy/unix/linux/debian/files/tbb/user.js b/share/trashman/tor-transproxy/unix/linux/debian/files/tbb/user.js
new file mode 100644
index 0000000..f8d9c0d
--- /dev/null
+++ b/share/trashman/tor-transproxy/unix/linux/debian/files/tbb/user.js
@@ -0,0 +1,20 @@
+// Preferences for system-installed Tor Browser
+// Needs either
+//
+//   * Setting TOR_CONTROL_PASSWORD at ~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/start-tor-browser
+//   * Passing TOR_CONTROL_PASSWORD to start-tor-browser via the command line
+//
+// See https://trac.torproject.org/projects/tor/wiki/TorBrowserBundleSAQ
+//
+user_pref("network.security.ports.banned",           "9050,9052");
+user_pref("network.proxy.socks",                     "127.0.0.1");
+user_pref("network.proxy.socks_port",                9050);
+user_pref("extensions.torbutton.inserted_button",    true);
+user_pref("extensions.torbutton.launch_warning",     false);
+user_pref("extensions.torbutton.loglevel",           2);
+user_pref("extensions.torbutton.logmethod",          0);
+user_pref("extensions.torlauncher.control_port",     9052);
+user_pref("extensions.torlauncher.loglevel",         2);
+user_pref("extensions.torlauncher.logmethod",        0);
+user_pref("extensions.torlauncher.prompt_at_startup",false);
+user_pref("extensions.torlauncher.start_tor",        false);
diff --git a/share/trashman/tor-transproxy/unix/linux/debian/install b/share/trashman/tor-transproxy/unix/linux/debian/install
new file mode 100755
index 0000000..7972ac4
--- /dev/null
+++ b/share/trashman/tor-transproxy/unix/linux/debian/install
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+#
+# Tor transparent proxy
+#
+
+# Parameters
+SHARE="$1"
+
+# Include basic functions
+. $SHARE/trashman/functions || exit 1
+. $SHARE/trashman/debian    || exit 1
+
+# Dependencies
+trashman_apt_install tor iptables
+
+# Firewall config
+cp $SHARE/tor-transproxy/unix/linux/debian/files/etc/network/if-pre-up.d/iptables /etc/network/if-pre-up.d/iptables
+/etc/network/if-pre-up.d/iptables
+
+# DNS config
+echo "nameserver 127.0.0.1" | tee /etc/resolv.conf > /dev/null
+
+# Tor config
+cp $SHARE/tor-transproxy/unix/linux/debian/files/etc/tor/torrc /etc/tor/torrc
+service tor restart
+
+# Tor Browser config to use the system-installed tor daemon
+# Use this to configure your regular user account
+# See https://trac.torproject.org/projects/tor/wiki/TorBrowserBundleSAQ
+#if [ -e "$HOME/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser" ]; then
+#  # Force about:config preferences
+#  cp $SHARE/tor-transproxy/unix/linux/debian/files/tbb/user.js $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default/user.js
+#
+#  # Hard code control port password into the start-tor-browser script
+#  sed -i -e "s/setControlPortPasswd \${TOR_CONTROL_PASSWD:='\"secret\"'/setControlPortPasswd \${TOR_CONTROL_PASSWD:='\"\"'}/" \
+#    $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/start-tor-browser
+#fi