DesobedienteTecnologico · DesobedienteTecnologico · Jun 25, 2023 · Jun 25, 2023 · Jun 25, 2023 · Jun 25, 2023
diff --git a/README.md b/README.md
@@ -84,6 +84,7 @@ Bisq   | GIMP  |
 BIP39 iancoleman
 SeedTool
 Border Wallets
+Whirlpool GUI
 Hodl Hodl and RoboSats
 Mempool.space
 Briar

diff --git a/dotfiles/dotconf/9000-hosts-file-samourai b/dotfiles/dotconf/9000-hosts-file-samourai
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# Note: must run after /lib/live/config/0020-hostname since it
+# otherwise will overwrite any hosts file generated at build time with
+# a bloated one that also include the IPv6 host `::1 localhost`, which
+# can lead to IPv6 traffic, which we block, which may lead to stuff
+# breaking (for instance APT's tor+http transport).
+#
+# localhost.localdomain added to prevent loopback leaks to Tor circuits
+# for applications that use the FQDN (fully qualified domain name) model
+#
+
+echo "- setting up hosts file"
+
+. /etc/live/config.d/hostname.conf
+
+cat > /etc/hosts << EOF
+127.0.0.1       localhost localhost.localdomain ${LIVE_HOSTNAME}
+185.165.170.167 code.samourai.io
+EOF
diff --git a/dotfiles/dotconf/ferm.conf b/dotfiles/dotconf/ferm.conf
@@ -0,0 +1,197 @@
+# -*- mode: conf[space] -*-
+#
+#  Configuration file for ferm(1).
+#
+
+# When ferm starts initially during early boot, the "amnesia" user does not
+# exist yet, so we have to use its UID (#7018).
+def $amnesia_uid = 1000;
+
+# IPv4
+domain ip {
+    table filter {
+        chain INPUT {
+            policy DROP;
+
+            # Established incoming connections are accepted.
+            mod state state (ESTABLISHED) ACCEPT;
+
+            # Traffic on the loopback interface is accepted.
+            interface lo ACCEPT;
+
+            # netns configuration; see config/chroot_local-includes/usr/local/lib/tails-create-netns
+            interface veth-tbb saddr 10.200.1.2 daddr 10.200.1.1 proto tcp mod multiport destination-ports (9050 951) ACCEPT;
+            interface veth-onioncircs saddr 10.200.1.6 daddr 10.200.1.5 proto tcp mod multiport destination-ports (951) ACCEPT;
+            interface veth-tca saddr 10.200.1.10 daddr 10.200.1.9 proto tcp mod multiport destination-ports (951) ACCEPT;
+            interface veth-onionshare saddr 10.200.1.14 daddr 10.200.1.13 proto tcp mod multiport destination-ports (9050 951) ACCEPT;
+
+            # block connections from clearnet that are not directed to the outside
+            interface veth-clearnet daddr 10.200.1.0/24 REJECT;
+        }
+
+        chain OUTPUT {
+            policy DROP;
+
+            # Established outgoing connections are accepted.
+            mod state state (ESTABLISHED) ACCEPT;
+
+            # White-list access to local resources
+            outerface lo {
+                # Related outgoing ICMP packets are accepted.
+                mod state state (RELATED) proto icmp ACCEPT;
+
+                # White-list access to Tor's SOCKSPort's
+                daddr 127.0.0.1 proto tcp syn dport 9050 {
+                    mod owner uid-owner _apt ACCEPT;
+                    mod owner uid-owner proxy ACCEPT;
+                    mod owner uid-owner nobody ACCEPT;
+                    mod owner uid-owner tails-upgrade-frontend ACCEPT;
+                }
+                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (9050 9062) {
+                    mod owner uid-owner $amnesia_uid ACCEPT;
+                }
+                daddr 127.0.0.1 proto tcp syn dport 9062 {
+                    mod owner uid-owner htp ACCEPT;
+                    mod owner uid-owner tails-upgrade-frontend ACCEPT;
+                }
+                daddr 127.0.0.1 proto tcp syn dport 9063 {
+                    mod owner uid-owner tails-iuk-get-target-file ACCEPT;
+                }
+
+                # White-list access to Tor's ControlPort
+                daddr 127.0.0.1 proto tcp dport 9052 {
+                    # Needed for running the Tor control port filter
+                    mod owner uid-owner root ACCEPT;
+                }
+
+                # White-list access to the Tor control port filter
+                daddr 127.0.0.1 proto tcp dport 951 {
+                    mod owner uid-owner $amnesia_uid ACCEPT;
+                    mod owner uid-owner root ACCEPT;
+                }
+
+                # White-list access to Whirlpool
+                daddr 127.0.0.1 proto tcp udp dport 8899 {
+                    mod owner uid-owner $amnesia_uid ACCEPT;
+                    mod owner uid-owner root ACCEPT;
+                }
+
+                # White-list access to Tor's TransPort
+                daddr 127.0.0.1 proto tcp dport 9040 {
+                    mod owner uid-owner $amnesia_uid ACCEPT;
+                }
+
+                # White-list access to system DNS and Tor's DNSPort
+                daddr 127.0.0.1 proto udp dport (53 5353) {
+                    mod owner uid-owner $amnesia_uid ACCEPT;
+                    mod owner uid-owner htp ACCEPT;
+                    mod owner uid-owner _apt DROP;
+                }
+
+                # White-list access to the accessibility daemon
+                daddr 127.0.0.1 proto tcp syn dport 4101 {
+                    mod owner uid-owner $amnesia_uid ACCEPT;
+                    mod owner uid-owner Debian-gdm ACCEPT;
+                }
+
+                # White-list access to CUPS
+                daddr 127.0.0.1 proto tcp syn dport 631 {
+                    mod owner uid-owner $amnesia_uid ACCEPT;
+                }
+
+                # White-list access to OnionShare
+                daddr 127.0.0.1 proto tcp syn dport 17600:17650 {
+                    mod owner uid-owner $amnesia_uid ACCEPT;
+                }
+            }
+
+            # clearnet is allowed to connect to any TCP port via the
+            # external interfaces (but lo is blocked so it cannot interfere
+            # with Tor etc) including DNS on the LAN. UDP DNS queries are
+            # also allowed.
+            outerface ! lo mod owner uid-owner clearnet {
+                proto tcp ACCEPT;
+                proto udp dport domain ACCEPT;
+            }
+
+            # Tor is allowed to do anything it wants to.
+            mod owner uid-owner debian-tor {
+                proto tcp syn mod state state (NEW) ACCEPT;
+                proto udp dport domain ACCEPT;
+            }
+
+            # Local network connections should not go through Tor but DNS shall be
+            # rejected. (Note that we exclude the VirtualAddrNetwork used for
+            # .onion:s here.)
+            daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
+                proto tcp dport domain REJECT;
+                proto udp dport domain REJECT;
+                proto udp dport netbios-ns REJECT;
+                ACCEPT;
+            }
+
+            # Everything else is logged and dropped.
+            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
+            REJECT reject-with icmp-port-unreachable;
+        }
+
+        chain FORWARD {
+            policy DROP;
+        }
+    }
+
+    table nat {
+        chain PREROUTING {
+            policy ACCEPT;
+        }
+
+        chain POSTROUTING {
+            policy ACCEPT;
+        }
+
+        chain OUTPUT {
+            policy ACCEPT;
+
+            # .onion mapped addresses redirection to Tor.
+            daddr 127.192.0.0/10 proto tcp REDIRECT to-ports 9040;
+
+            # Redirect system DNS to Tor's DNSport
+            daddr 127.0.0.1 proto udp dport 53 REDIRECT to-ports 5353;
+        }
+    }
+}
+
+# IPv6:
+domain ip6 {
+    table filter {
+        chain INPUT {
+            policy DROP;
+
+            # White-list access to the accessibility daemon
+            interface lo saddr ::1 daddr ::1 proto tcp {
+                dport 4101 ACCEPT;
+                sport 4101 mod state state (ESTABLISHED) ACCEPT;
+            }
+
+        }
+
+        chain FORWARD {
+            policy DROP;
+        }
+
+        chain OUTPUT {
+            policy DROP;
+
+            # White-list access to the accessibility daemon
+            outerface lo saddr ::1 daddr ::1 proto tcp {
+                dport 4101 mod owner uid-owner $amnesia_uid ACCEPT;
+                dport 4101 mod owner uid-owner Debian-gdm ACCEPT;
+                sport 4101 mod state state (ESTABLISHED) ACCEPT;
+            }
+
+            # Everything else is logged and dropped.
+            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
+            REJECT reject-with icmp6-port-unreachable;
+        }
+    }
+}
diff --git a/dotfiles/menu/Bitcoin.menu b/dotfiles/menu/Bitcoin.menu
@@ -15,6 +15,7 @@
         <Filename>bip39ian.desktop</Filename>
         <Filename>seedtool.desktop</Filename>
         <Filename>borderwallet.desktop</Filename>
+        <Filename>whirlpool-gui.desktop</Filename>
     </Include>
   </Menu>
 </Menu>
diff --git a/dtails.py b/dtails.py
@@ -75,6 +75,7 @@ def __init__(self):
         self.create_checkbox(left_frame, "BIP39 iancoleman (4.34MB)", "")
         self.create_checkbox(left_frame, "SeedTool (6.58MB)", "")
         self.create_checkbox(left_frame, "Border Wallets (1.59MB)", "")
+        self.create_checkbox(left_frame, "Whirlpool GUI (327MB)", "")
         self.create_checkbox(left_frame, "Hodl Hodl and RoboSats (~1MB)", "")
         self.create_checkbox(left_frame, "Mempool.space (~1MB)", "")
         self.create_checkbox(left_frame, "Briar (221MB)", "")

diff --git a/src/apps.py b/src/apps.py
@@ -9,6 +9,8 @@
 bisq_url = "v1.9.10/Bisq-64bit-1.9.10"
 bisq_v = bisq_url.split("/")[1]
 briar_v = "briar-desktop-debian-bullseye"
+whirlpool_url = "fda2da816431c25598f532486ac0da09/whirlpool-gui_0.10.3_amd64"
+whirlpool_v = whirlpool_url.split("/")[1]
 
 ################## Print functions ##################
 def print_green(text):
@@ -135,6 +137,32 @@ def mempool_space():
     subprocess.run("cp dotfiles/logos/mempool_space.png shared_with_chroot/", shell=True)
     add_script_config("\ncp /tmp/mempool_space.png /opt/logos/")
 
+def whirlpool_gui():
+    print_green("Downloading...")
+    subprocess.run("wget https://code.samourai.io/whirlpool/whirlpool-gui/uploads/"+ whirlpool_url +".deb -P shared_with_chroot", shell=True)
+    print_yellow("Chroot connecting to the internet to download openjdk...")
+    subprocess.run("chmod 777 shared_with_chroot", shell=True)
+    add_script_config("\necho 'nameserver 1.1.1.1' > /etc/resolv.conf")
+    add_script_config("\necho 'deb http://security.debian.org/debian-security bullseye-security main' >> /etc/apt/sources.list")
+    add_script_config("\necho 'deb http://ftp.de.debian.org/debian bullseye main' >> /etc/apt/sources.list")
+    add_script_config("\nsed -i 's/^/#/' /etc/apt/apt.conf.d/80tails-additional-software")
+    add_script_config("\nsed -i 's/^/#/' /etc/apt/apt.conf.d/70debconf")
+    add_script_config("\napt update ; apt install -y openjdk-17-jdk")
+    add_script_config("\ndpkg -i /tmp/"+ whirlpool_v +".deb")
+    subprocess.run("cp dotfiles/dotconf/ferm.conf shared_with_chroot/", shell=True)
+    subprocess.run("cp dotfiles/dotconf/9000-hosts-file-samourai shared_with_chroot/9000-hosts-file", shell=True)
+    add_script_config("\nmv /tmp/9000-hosts-file /lib/live/config/")
+    add_script_config("\nmv /tmp/ferm.conf /etc/ferm/ferm.conf")
+
+    # Tails config files as default
+    add_script_config("\necho "" > /etc/resolv.conf")
+    add_script_config("\nsed -i 's/^#//' /etc/apt/apt.conf.d/80tails-additional-software")
+    add_script_config("\nsed -i 's/^#//' /etc/apt/apt.conf.d/70debconf")
+    add_script_config("\nhead -n -2 /etc/apt/sources.list > /etc/apt/sources.list")
+
+    # Cleaning logs and unnecessary Java certificates
+    add_script_config("\nrm -rf /var/log/apt/term.log /var/log/alternatives.log /var/cache/man/* /var/cache/apt/pkgcache.bin /etc/ssl/certs/java")
+    add_script_config("\necho '' | tee /var/log/dpkg.log | tee /var/log/apt/history.log")
 ################## Remove packages ##################
 def thunderbird():
     add_script_config("\ndpkg -r --force-depends thunderbird")

diff --git a/src/commands.py b/src/commands.py
@@ -7,7 +7,7 @@
 
 ################## START Functions to unpack and pack the final image ##################
 def iso_work(iso):
-    print_green("\nModifying the .iso and adding the new configurations...")
+    print_green("\nModifying the image and adding the new configurations...")
 
     # Create directories needed to work on
     subprocess.run("mkdir iso_mounted future_iso", shell=True) 
@@ -32,6 +32,7 @@ def iso_work(iso):
     # Mount from Host to Chroot to get chroot working fine
     subprocess.run("sudo mount --bind /run/ system_to_edit/run", shell=True)
     subprocess.run("sudo mount --bind /dev/ system_to_edit/dev", shell=True)
+    subprocess.run("sudo mount --bind /proc/ system_to_edit/proc", shell=True)
 
     # Mount shared_with_chroot. This will allow us to exchange data to/from chroot
     subprocess.run("sudo mount --bind shared_with_chroot system_to_edit/tmp", shell=True)
@@ -69,6 +70,7 @@ def ending_chroot_and_cleaning_up():
 def build_iso(img):
     print_yellow("\n\nGetting -unrecognize xattr prefix system.posix_acl_access- message. IS NOT AN ISSUE.\nThat happen because we are running it by scripts.\nThat is kind of know bug :) \n\n")
     # Make squashfs
+    subprocess.run("sudo umount system_to_edit/proc", shell=True)
     subprocess.run("sudo mksquashfs system_to_edit/ filesystem.squashfs", shell=True)
     subprocess.run("mv filesystem.squashfs future_iso/live/", shell=True)
     # Build the .iso