enter Whonix firewall timesync-fail-closed mode before suspend / ente…

…r Whonix firewall full mode after resume and clock-fix https://phabricator.whonix.org/T551
Kicksecure · Sep 15, 2016 · 5262c9d · 5262c9d
1 parent 6ad5c7b
commit 5262c9d
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/usr/lib/sdwdate/clock-fix b/usr/lib/sdwdate/clock-fix
@@ -21,6 +21,20 @@ date --set "@$randomized_unix_time" >/dev/null
 
 echo "$0 INFO: date after roughly fixing it : $(date -u)" >> /var/log/sdwdate.log
 
+echo "$0 INFO: Running /usr/lib/sdwdate/restart_fresh..." >> /var/log/sdwdate.log
+## Deletes '/var/run/sdwdate/first_success'.
+/usr/lib/sdwdate/restart_fresh
+echo "$0 INFO: Done, with /usr/lib/sdwdate/restart_fresh." >> /var/log/sdwdate.log
+
 echo "$0 INFO: Restarting sdwdate..." >> /var/log/sdwdate.log
 service sdwdate restart
 echo "$0 INFO: Done, restarted sdwdate." >> /var/log/sdwdate.log
+
+## Whonix firewall full mode
+##
+## After sdwdate restart, sdwdate will on success recreate the status file
+## '/var/run/sdwdate/first_success'.
+##
+## ( whonix-[gw|ws]-firewall ) /lib/systemd/system/whonix-firewall-sdwdate-watcher.service /
+## ( anon-shared-helper-scripts ) /usr/lib/anon-shared-helper-scripts/firewall-restarter
+## will notice this, and restart Whonix firewall in full mode.
diff --git a/usr/lib/sdwdate/suspend-pre b/usr/lib/sdwdate/suspend-pre
@@ -12,6 +12,22 @@ if service sdwdate status >/dev/null ; then
    echo "$0 INFO: Creating /var/run/sdwdate/was_running.status..." >> /var/log/sdwdate.log
    touch /var/run/sdwdate/was_running.status
    echo "$0 INFO: Done, created /var/run/sdwdate/was_running.status." >> /var/log/sdwdate.log
+
+   if command -v whonix_firewall >/dev/null 2>&1 ; then
+      if [ -d "/usr/lib/qubes" ]; then
+         ## Whonix firewall timesync-fail-closed mode
+         echo "$0 INFO: Entering Whonix firewall timesync-fail-closed mode." >> /var/log/sdwdate.log
+         firewall_mode="timesync-fail-closed" whonix_firewall
+         echo "$0 INFO: Done, entered Whonix firewall timesync-fail-closed mode." >> /var/log/sdwdate.log
+      else
+         echo "$0 INFO: Not entering Whonix firewall timesync-fail-closed mode,
+because non-interactive /usr/lib/sdwdate/clock-fix is not implemented for Non-Qubes-Whonix. See:
+https://phabricator.whonix.org/T551" >> /var/log/sdwdate.log
+      fi
+   else
+      true "$0 INFO: Whonix firewall not installed, probably running outside of Whonix." >> /var/log/sdwdate.log
+   fi
+
    echo "$0 INFO: Stopping sdwdate..." >> /var/log/sdwdate.log
    service sdwdate stop
    echo "$0 INFO: Done, stopped sdwdate." >> /var/log/sdwdate.log