initial import

tor-hardened-preferences/PKGBUILD

@@ -0,0 +1,29 @@
+# Maintainer: Jesus E. <heckyel@riseup.net>
+
+pkgname=tor-hardened-preferences
+pkgver=0.1
+pkgrel=3
+pkgdesc="Creates clean chroot for TOR to run in, and cleans left over files when done running."
+arch=(any)
+license=(GPL-2)
+depends=('tor')
+install=tor-hardened-preferences.install
+source=('tor-hardened.initd'
+        'tor-hardened.run'
+        'tor-hardened.sh'
+        'torchroot.sh'
+        'torrc')
+sha512sums=('f211ef6d6a6eea0551c09c6affc233a92974e5d3a82ed576b437f56a0aaecf99342e1623d1ceaf462c1182f3db7c542df66dd70c156adda8924c1f59c533e4ab'
+            '07e4c76c061b43f4f6f505d10c9dd585b37b67e61266ce68ac627636ac36f8c67ce6e69448ca83a06a96a8bfaa4a0cd5d3de53768f6e41bc3385727f50913f5d'
+            '74cd4f64a5be879d49798349793d779d0c4332dffcbae78d6d2ffd4b8ed59aed1b65cfc92dc4fddbb384634692acb270651bfb418a91636e4513910c7a750574'
+            'ec7aea855a53ac549e3ecde25ee72d1ba07203f06dbc316f194cb973f6fdf3dc2c275294d590f457948146cadff19879f23f74f9b86935989552ef51ec476567'
+            '5d732ddbd96c0467434a03c1ba3aa14f5536affb1fa713a78b0d95eccefbfe4c9b6d68fefcbbf7fc9f23e5e80e4ddfb67f2047ad3bdd14a0b5bb72a9e947404e')
+
+package() {
+    mkdir -p ${pkgdir}/usr/libexec/tor-hardened-scripts
+    install -Dm755 tor-hardened.sh ${pkgdir}/usr/libexec/tor-hardened-scripts/tor-hardened.sh
+    install -Dm755 torchroot.sh ${pkgdir}/usr/libexec/tor-hardened-scripts/torchroot.sh
+    install -Dm755 tor-hardened.initd ${pkgdir}/etc/init.d/tor-hardened
+    install -Dm755 tor-hardened.run "$pkgdir"/etc/sv/tor-hardened/run
+    install -Dm644 torrc ${pkgdir}/usr/libexec/tor-hardened-scripts/torrc
+}

tor-hardened-preferences/tor-hardened-preferences.install

@@ -0,0 +1,86 @@
+pre_install() {
+	echo "Cleaning any old chroots before installing a new one..."
+        if [ -d '/opt/torchroot' ]; then
+	  rm -rf /opt/torchroot
+	fi
+        if [ -d '/srv/torchroot' ]; then
+	  rm -rf /srv/torchroot
+	fi
+}
+
+post_install() {
+	echo "Installing a new chroot ... "
+	/bin/sh -c "/usr/libexec/tor-hardened-scripts/torchroot.sh"
+	wait
+	echo "Done!"
+	echo "====="
+	echo "To use this service please disable tor,"
+	echo "then enable tor-hardened via HyperRC or runit."
+	echo "----"
+	echo "You may now use stream isolated ports for added security."
+	echo "Please configure your applications as follows:"
+	echo "Default Port: 9050"
+	echo "Mail Client isolated port: 9061"
+	echo "Browser isolated port: 9150"
+	echo "Other applications you want isolated: 9062"
+	echo "----"
+	echo "To request new IP from TOR:"
+	echo "killall -HUP tor"
+	echo "---"
+	echo "WARNING: UDP traffic may still leak! All traffic goes through single port."
+	echo "====="
+}
+
+post_upgrade() {
+        echo "Stopping chrooted tor..."
+        if [ -x /etc/init.d/tor-hardened ]; then
+	  /etc/init.d/tor-hardened stop
+	fi
+
+	echo "Cleaning old chroot and putting in a new one..."
+        if [ -d '/opt/torchroot' ]; then
+	  rm -rf /opt/torchroot
+	fi
+        if [ -d '/srv/torchroot' ]; then
+	  rm -rf /srv/torchroot
+	fi
+	wait
+	/bin/sh -c "/usr/libexec/tor-hardened-scripts/torchroot.sh"
+	wait
+	echo "Done!"
+	echo "====="
+	echo "To use this service please disable tor,"
+	echo "then enable tor-hardened via HyperRC or runit."
+	echo "----"
+	echo "You may now use stream isolated ports for added security."
+	echo "Please configure your applications as follows:"
+	echo "Default Port: 9050"
+	echo "Mail Client isolated port: 9061"
+	echo "Browser isolated port: 9150"
+	echo "Other applications you want isolated: 9062"
+	echo "----"
+	echo "To request new IP from TOR:"
+	echo "killall -HUP tor"
+	echo "---"
+	echo "WARNING: UDP traffic may still leak! All traffic goes through single port."
+	echo "====="
+}
+
+pre_remove() {
+         echo "Stopping chrooted tor..."
+         if [ -x /etc/init.d/tor-hardened ]; then
+	   /etc/init.d/tor-hardened stop
+	 fi
+}
+
+post_remove() {
+	echo "Deleting chroot..."
+        if [ -d '/opt/torchroot' ]; then
+	  rm -rf /opt/torchroot
+	fi
+        if [ -d '/srv/torchroot' ]; then
+	  rm -rf /srv/torchroot
+	fi
+	wait
+	echo "Done!"
+}

tor-hardened-preferences/tor-hardened.initd

@@ -0,0 +1,108 @@
+#!/sbin/openrc-run
+# Copyright 2017-2021 Hyperbola Project
+# Distributed under the terms of the GNU General Public License v2
+
+CHROOT=/srv/torchroot
+PIDFILE=/var/run/tor/tor.pid
+CONFFILE=/etc/tor/torrc
+SVCNAME=tor
+GRACEFUL_TIMEOUT=${GRACEFUL_TIMEOUT:-60}
+EXTRA_COMMANDS="torvercheck"
+
+# See bug #523552, and https://trac.torproject.org/projects/tor/ticket/5525
+# Graceful = wait 30 secs or so until all connections are properly closed.
+extra_commands="checkconfig"
+extra_started_commands="graceful gracefulstop reload"
+description="Anonymizing overlay network for TCP"
+description_checkconfig="Check for valid config file."
+description_reload="Reload the configuration."
+description_graceful="Gracefully restart."
+description_gracefulstop="Gracefully stop."
+
+depend() {
+        need net
+}
+
+checkconfig() {
+        # first check that it exists
+        if [ ! -f ${CHROOT}${CONFFILE} ] ; then
+                eerror "You need to setup ${CHROOT}${CONFFILE} first"
+                eerror "Example is in ${CHROOT}${CONFFILE}.sample"
+                return 1
+        fi
+
+        if [ ! -c ${CHROOT}/dev/random ] ; then
+                mknod -m 666 ${CHROOT}/dev/null c 1 3
+                mknod -m 644 ${CHROOT}/dev/random c 1 8
+                mknod -m 644 ${CHROOT}/dev/urandom c 1 9
+                mount -ro remount ${CHROOT}/dev
+        fi
+
+        checkpath --quiet --mode 755 --owner "${SVCNAME}":"${SVCNAME}" --directory `dirname ${CHROOT}${PIDFILE}`
+
+        # now verify whether the configuration is valid
+        /usr/bin/${SVCNAME} --verify-config -f ${CHROOT}${CONFFILE} > /dev/null 2>&1
+        if [ $? -eq 0 ] ; then
+                einfo "Tor configuration (${CHROOT}${CONFFILE}) is valid."
+                return 0
+        else
+                eerror "Tor configuration (${CHROOT}${CONFFILE}) not valid."
+                /usr/bin/${SVCNAME} --verify-config -f ${CHROOT}${CONFFILE}
+                return 1
+        fi
+}
+
+start() {
+        checkconfig || return 1
+        ebegin "Starting chrooted Tor"
+        HOME=/var/lib/${SVCNAME}
+        echo "Cleaning any files left over from a previous run..."
+        rm -rf /srv/torchroot/var/lib/tor/*
+        # Detect old version and upgrade
+        Torchroothash=$(sha256sum /srv/torchroot/usr/bin/tor | awk '{print $1}')
+        Toroutsidehash=$(sha256sum /usr/bin/tor | awk '{print $1}')
+        if [ "$Torchroothash" != "$Toroutsidehash" ]
+        then
+            	echo "New version of Tor detected! Updating chroot before running."
+                rm -rf /srv/torchroot
+                wait
+                /usr/bin/sh -c "/usr/libexec/tor-hardened-scripts/torchroot.sh"
+                wait
+        fi
+        start-stop-daemon --start --pidfile "${CHROOT}${PIDFILE}" --quiet --exec chroot -- --userspec=tor:tor ${CHROOT} /usr/bin/${SVCNAME} -f "${CONFFILE}" --runasdaemon 1 --PidFile "${PIDFILE}" > /dev/null 2>&1
+        eend $?
+}
+
+stop() {
+        ebegin "Stopping chrooted Tor"
+        start-stop-daemon --stop --pidfile "${CHROOT}${PIDFILE}"
+	rm -f "${CHROOT}${PIDFILE}"
+        eend $?
+}
+
+graceful() {
+        gracefulstop
+        start
+        eend $?
+}
+
+gracefulstop() {
+        local rc=0
+        ebegin "Gracefully stopping chrooted Tor"
+        ebegin "This can take up to ${GRACEFUL_TIMEOUT} seconds"
+        start-stop-daemon -P --stop --signal INT -R ${GRACEFUL_TIMEOUT} --pidfile "${CHROOT}${PIDFILE}"
+        rc=$?
+        eend "done"
+        eend $rc
+}
+
+reload() {
+        if [ ! -f ${CHROOT}${PIDFILE} ]; then
+                eerror "${SVCNAME} isn't running"
+                return 1
+        fi
+        checkconfig || return 1
+        ebegin "Reloading chrooted Tor configuration"
+        start-stop-daemon --signal HUP --pidfile ${CHROOT}${PIDFILE}
+        eend $?
+}

tor-hardened-preferences/tor-hardened.run

@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /usr/libexec/tor-hardened-scripts/tor-hardened.sh 2>&1

tor-hardened-preferences/tor-hardened.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+##############################################
+# Tor-Hardened Cleaner & Startup Script #
+##############################################
+# Clean left over files
+echo "Cleaning any files left over from a previous run..."
+rm /srv/torchroot/var/lib/tor/*
+# Detect old version and upgrade
+Torchroothash=$(sha256sum /srv/torchroot/usr/bin/tor | awk '{print $1}')
+Toroutsidehash=$(sha256sum /usr/bin/tor | awk '{print $1}')
+if [ "$Torchroothash" != "$Toroutsidehash" ]
+then
+	echo "New version of Tor detected! Updating chroot before running."
+	rm -rf /srv/torchroot
+	wait
+	/bin/sh -c "/usr/libexec/tor-hardened-scripts/torchroot.sh"
+	wait
+fi
+
+# Start Tor inside of our chroot
+echo "Running Tor..."
+chroot --userspec=tor:tor /srv/torchroot /usr/bin/tor -f /etc/tor/torrc

tor-hardened-preferences/torchroot.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+# torchroot generate script
+export TORCHROOT=/srv/torchroot
+
+mkdir -p $TORCHROOT
+mkdir -p $TORCHROOT/etc/tor
+mkdir -p $TORCHROOT/dev
+mkdir -p $TORCHROOT/usr/bin
+mkdir -p $TORCHROOT/usr/lib
+mkdir -p $TORCHROOT/usr/share/tor
+mkdir -p $TORCHROOT/var/lib
+mkdir -p $TORCHROOT/var/run
+
+ln -s /usr/lib  $TORCHROOT/lib
+# Replace this line if you want to copy your own torrc instead of the one provided by hardened script.
+cp /usr/libexec/tor-hardened-scripts/torrc       $TORCHROOT/etc/tor/
+
+cp /usr/bin/tor         $TORCHROOT/usr/bin/
+cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/
+cp /lib/libnss* /lib/libnsl* /lib/ld-linux-*.so* /lib/libresolv* /usr/lib/libgcc_s.so* $TORCHROOT/usr/lib/
+cp $(ldd /usr/bin/tor | awk '{print $3}'|grep --color=never "^/") $TORCHROOT/usr/lib/
+cp -r /var/lib/tor      $TORCHROOT/var/lib/
+chown -R tor:tor $TORCHROOT/var/lib/tor
+
+sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"
+sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"
+
+mknod -m 644 $TORCHROOT/dev/random c 1 8
+mknod -m 644 $TORCHROOT/dev/urandom c 1 9
+mknod -m 666 $TORCHROOT/dev/null c 1 3
+
+if [[ "$(uname -m)" == "x86_64" ]]; then
+  cp /lib64/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.
+  ln -sr /usr/lib64 $TORCHROOT/lib64
+  ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64
+fi
+
+chown -R root:root /var/lib/tor

tor-hardened-preferences/torrc

@@ -0,0 +1,49 @@
+## Configuration file for an atypical Tor user
+## Based on torrc configurations provided by...
+# https://gitweb.torproject.org/tor.git/plain/src/config/torrc.sample.in
+# https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/tor/torrc
+# https://www.torproject.org/docs/tor-manual.html.en
+
+## The directory for keeping all the keys/etc. By default, we store
+## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+DataDirectory /var/lib/tor
+
+# Stream Isolation
+## https://tails.boum.org/contribute/design/stream_isolation/
+## https://wiki.gentoo.org/wiki/Tor#Stream_isolation
+
+## Default SocksPort
+SocksPort 127.0.0.1:9050 IsolateDestAddr IsolateDestPort
+
+## SocksPort for the MUA
+SocksPort 127.0.0.1:9061 IsolateDestAddr
+
+## SocksPort for misc applications
+SocksPort 127.0.0.1:9062 IsolateDestAddr IsolateDestPort
+
+## SocksPort for the default web browser
+SocksPort 127.0.0.1:9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
+
+
+## The port on which Tor will listen for local connections from Tor
+## controller applications, as documented in control-spec.txt.
+#ControlPort 9051
+#ControlListenAddress 127.0.0.1
+
+
+
+## Torified DNS
+DNSPort 127.0.0.1:9053 IsolateClientAddr IsolateSOCKSAuth IsolateClientProtocol IsolateDestPort IsolateDestAddr
+AutomapHostsOnResolve 1
+AutomapHostsSuffixes .exit, .onion
+#ClientDNSRejectInternalAddresses 1 (Default is already 1)
+ClientRejectInternalAddresses 1
+
+## Transparent proxy
+TransPort 127.0.0.1:9040 IsolateClientAddr IsolateSOCKSAuth IsolateClientProtocol IsolateDestPort IsolateDestAddr
+
+## Misc
+AvoidDiskWrites 1
+Sandbox 1
+ExtraInfoStatistics 0
+EnforceDistinctSubnets 1