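#!/usr/bin/env bash
# DRAFT!
# save as ~/TorBOX-chroot
#
# The first line used to be the bare word "DRAFT!", which bash executes as a
# command ("command not found") — it is a comment now. The script uses [[ ]],
# so it is bash, not POSIX sh; the shebang says so explicitly.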
script_help() {
  # Print the usage text: one flag per workflow step, listed in the order the
  # steps are meant to run. Quoted delimiter, so nothing inside is expanded.
  cat <<'EOF'

# FLAGS / WORKFLOW:
# -tg-mount
# Mounts the vm image.
#
# -tg-chroot
# Prepares chroot.
#
# -tg-unchroot
# Terminates chroot.
#
# -tg-dns
# Sets up dns.
#
# -tg-unmount
# Unmounts the vm image.
#
# -tw-mount
# -tw-chroot
# -tw-unchroot
# NOT needed: -tw-dns
# -tw-unmount

EOF
}
# TODO:
# Changing disk uuids has to be done somewhere...
# Verbose output.
# Trace every command to stderr (verbose output). Note that the trace shows
# full paths and arguments of every mount/chattr call.
set -x
# Unprivileged account that owns the VirtualBox VMs and the image folder;
# VBoxManage is run as this user, never as root.
USERNAME='user'
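root_check() {
  ######################################################
  # Checking script environment
  ######################################################
  # Every workflow step loads kernel modules, attaches nbd devices and
  # bind-mounts host directories, so root is mandatory.
  # Outputs: INFO line on stdout when root; ERROR line on stderr otherwise.
  # Returns: 0 when running as root; exits the script with status 1 otherwise.
  if [ "$(id -u)" != "0" ]; then
    # Diagnostics belong on stderr so they are not mixed into captured output.
    printf '%s\n' "ERROR: This must be run as root (sudo)!" >&2
    exit 1
  else
    printf '%s\n' "INFO: Script running as root."
  fi
}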
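mount_vm_image() {
  # Attach the VM's .vdi as /dev/nbd0 and mount its first partition on
  # $CHROOT_FOLDER.
  # Globals: USERNAME, VMNAME, CHROOT_FOLDER (read)
  # Returns: 0 on success; 1 as soon as a required step fails, so that no
  #          later step runs against a stale or missing device.
  local image="/home/$USERNAME/VirtualBox VMs/$VMNAME/$VMNAME.vdi"

  # Ensure the VM is powered off. Mounting a disk a running VM still writes
  # to is a high risk of corruption. Run as the VM's owner, not as root.
  # A non-zero status here usually just means the VM was not running, so it
  # is deliberately not treated as fatal.
  sudo -u "$USERNAME" VBoxManage controlvm "$VMNAME" poweroff

  # The nbd module is required to expose vdi images as block devices.
  modprobe nbd || return 1

  # Create the network block device for the image. If this fails, stop:
  # /dev/nbd0p1 could otherwise still belong to a previously attached image
  # and the wrong disk would be mounted.
  qemu-nbd -c /dev/nbd0 "$image" || return 1

  # The mount point has to exist.
  mkdir -p -- "$CHROOT_FOLDER" || return 1

  # Mount the partition, exposed as /dev/nbd0pXXX.
  mount -o noatime /dev/nbd0p1 "$CHROOT_FOLDER"
}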
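unmount_vm_image() {
  # Reverse of mount_vm_image: unmount the partition, detach the nbd device,
  # remove the mount point.
  # Globals: CHROOT_FOLDER (read)
  # Returns: 0 on success; 1 if the unmount fails (nothing else is touched).
  #
  # Order matters: the filesystem is unmounted BEFORE the nbd is detached.
  # Detaching the device while the filesystem is still mounted risks I/O
  # errors and corruption of the image.
  umount "$CHROOT_FOLDER" || return 1

  # Shut down the nbd.
  qemu-nbd -d /dev/nbd0

  # Delete the temporary folder. It never contained anything, it was only a
  # mount point. rmdir (not rm -r) on purpose: should the image for any
  # reason still be mounted there, rmdir refuses instead of deleting the
  # contents of the image.
  rmdir -- "$CHROOT_FOLDER"
}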
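do_chroot() {
  # Prepare the mounted image under $CHROOT_FOLDER for use with chroot:
  # bind the host's /dev, /proc, /sys and /dev/pts into it and provide a
  # read-only resolver configuration.
  # Globals: CHROOT_FOLDER (read)
  # Returns: 0 on success; 1 as soon as a mount fails. Mounts made before
  #          the failure stay in place; do_unchroot removes them.

  # Discussion: copying /proc/mounts into the chroot's /etc/mtab would leak
  # the uuid of the host disk! We would need to parse it and somehow strip
  # the uuids, and keep only the relevant entries. How?
  # grep -v rootfs /proc/mounts > /etc/mtab
  # No longer needed?
  # Missing info on mounted /dev/loop, needs testing.
  # (proper) Please elaborate.
  #echo "/dev/sda1 / ext4 rw,noatime,errors=remount-ro 0 0
  #proc /proc proc rw,noexec,nosuid,nodev 0 0
  #sysfs /sys sysfs rw,noexec,nosuid,nodev 0 0
  #none /sys/fs/fuse/connections fusectl rw 0 0
  #none /sys/kernel/debug debugfs rw 0 0
  #none /sys/kernel/security securityfs rw 0 0
  #udev /dev devtmpfs rw,mode=0755 0 0
  #devpts /dev/pts devpts rw,noexec,nosuid,gid=5,mode=0620 0 0
  #tmpfs /run tmpfs rw,noexec,nosuid,size=10%,mode=0755 0 0
  #none /run/lock tmpfs rw,noexec,nosuid,nodev,size=5242880 0 0
  #none /run/shm tmpfs rw,nosuid,nodev 0 0" > /etc/mtab

  # Review: not sure whether we should mount more or fewer of them.
  # Note: a plain bind of /dev exposes every host device node inside the
  # chroot; keep that in mind when deciding what to run in there.
  mount --bind /dev "$CHROOT_FOLDER/dev" || return 1
  mount --bind /proc "$CHROOT_FOLDER/proc" || return 1
  mount --bind /sys "$CHROOT_FOLDER/sys" || return 1

  # Discussion: we may also think about mounting everything,
  # i.e. recursively mounting, i.e. mount --rbind.
  # Fixes "Can not write log, openpty() failed (/dev/pts not mounted?)"
  # Thanks to
  # http://www.gentoo.org/proj/en/base/amd64/howtos/index.xml?part=1&chap=2
  # for the idea.
  # Would not be needed if we used mount --rbind.
  # Review: not sure whether we should omit it.
  mount -o bind /dev/pts "$CHROOT_FOLDER/dev/pts" || return 1

  # /etc/resolv.conf controversy:
  # When we are inside chroot, we need a functional /etc/resolv.conf,
  # otherwise dns lookups and subsequently apt-get and wget would be defunct.
  #
  # On the other hand, we do not want to copy /etc/resolv.conf from the
  # build machine into chroot, to prevent leaking personal data into chroot.
  # Only the empty placeholder below is ever written to the image itself;
  # the host's file is bind-mounted over it and disappears with the unmount.
  #
  # Finally we also require to rewrite /etc/resolv.conf, so that after
  # booting the Virtual Machine, localhost (Tor) gets used for dns lookups
  # (see config_dns_tg).

  # Remove write protection, if any. Should not be the case after a fresh
  # creation of the image. Just to prevent an error if we ever support
  # re-running the script. Will not hurt; a missing file is not an error here.
  chattr -i "$CHROOT_FOLDER/etc/resolv.conf" || true

  # Must exist to be able to mount over it.
  printf '\n' > "$CHROOT_FOLDER/etc/resolv.conf"

  # We need two commands to get a read-only bind mount of an existing file.
  # Thanks to
  # https://lwn.net/Articles/281157/
  # 'bind' has to be repeated in the remount: without it, MS_REMOUNT acts on
  # the superblock of the underlying filesystem (the host's, which holds
  # /etc/resolv.conf) instead of on this single mount point.
  mount --bind /etc/resolv.conf "$CHROOT_FOLDER/etc/resolv.conf" || return 1
  mount -o remount,ro,bind "$CHROOT_FOLDER/etc/resolv.conf"
}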
# Currently not used.
inside_chroot() {
  # Placeholder for commands to run inside the chroot (currently none).
  # Outputs: a short notice on stdout.
  # chroot $CHROOT_FOLDER ...
  # TODO: sources.list incomplete. Bug in preseed?
  # No longer necessary. Kept in case we need it again.
  # locale-gen en_US.UTF-8
  # dpkg-reconfigure locales
  # echo 'LANG="en_US.UTF-8"' > /etc/default/locale
  # TODO: No longer necessary?
  #echo "GRUB_TERMINAL=console" >> /etc/default/grub
  #update-grub
  # TODO: No longer necessary? Move to T-G/W script?
  #useradd -m -d /home/user -s /bin/bash user
  #usermod -a -G adm,cdrom,audio,dip,sudo,plugdev user
  #
  # A function body needs at least one command; this notice is it.
  printf '%s\n' \
    '' \
    'inside_chroot does nothing. One command is required' \
    'to prevent an error message while running the script.' \
    ''
}
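do_unchroot() {
  # Undo do_chroot: unmount everything that was bound into $CHROOT_FOLDER.
  # /dev/pts goes first, since it sits below /dev.
  # Globals: CHROOT_FOLDER (read)
  # Returns: status of the last umount; every unmount is attempted even if
  #          an earlier one fails, so a partially prepared chroot is cleaned
  #          up as far as possible.
  local mount_point
  for mount_point in dev/pts dev proc sys etc/resolv.conf; do
    umount "$CHROOT_FOLDER/$mount_point"
  done
}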
# Note: Most code shared with TorBOX_Gateway script.
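config_dns_tg() {
  # Write the gateway's /etc/resolv.conf inside the image so that, once the
  # VM boots, DNS goes to localhost (Tor) and make the file immutable.
  # Globals: CHROOT_FOLDER (read)
  # Outputs: a banner on stdout.
  # Returns: status of the final chattr +i (0 on success).
  #
  #trap not implemented yet.
  #trap "cleanup" ERR INT TERM
  printf '%s\n' \
    '' \
    '######################################################' \
    'config_dns_tg' \
    '######################################################' \
    ''
  local resolv="$CHROOT_FOLDER/etc/resolv.conf"

  # Delete /etc/resolv.conf to work around some strange bug
  # "Operation not supported While reading flags on" while
  # trying to set -i on /etc/resolv.conf.
  # Not fatal if /etc/resolv.conf does not exist or is write protected (+i).
  rm -- "$resolv" || true

  # Remove write protection from resolv.conf.
  # Not fatal if /etc/resolv.conf does not exist.
  chattr -i "$resolv" || true

  # Delete the file so that no stale (host) resolver entries survive.
  # Not fatal if /etc/resolv.conf does not exist.
  rm -- "$resolv" || true

  # Set nameserver to localhost.
  # iptables redirects any of TorBOX-Gateways DNS requests to DNS_PORT_TG.
  # This step is essential; a failure is not masked.
  printf 'nameserver 127.0.0.1\n' > "$resolv"

  # Add write protection to resolv.conf to prevent DNS leaks by the file
  # getting edited by DHCP.
  # This step is essential; a failure is not masked.
  chattr +i "$resolv"
}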
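################################################################
# Command dispatch
################################################################
# Run one workflow step for one VM.
# Arguments: $1 - VM name ("TorBOX-Gateway" or "TorBOX-Workstation")
#            $2 - step function (mount_vm_image, do_chroot, do_unchroot,
#                 config_dns_tg, unmount_vm_image)
# Globals:   USERNAME (read); VMNAME, CHROOT_FOLDER (written, read by the
#            step functions)
# Exits:     always with status 0 after the step, as the original per-flag
#            blocks did. TODO: propagate the step's status instead.
run_step() {
  root_check
  VMNAME=$1
  CHROOT_FOLDER=/home/"$USERNAME"/TorBOX_binary/"$VMNAME"_image
  "$2"
  exit 0
}

# "${1-}" is an empty string when no flag was given, which falls through to
# the usage text. -tw-dns is intentionally absent (see script_help).
case "${1-}" in
  -tg-mount)    run_step "TorBOX-Gateway" mount_vm_image ;;
  -tg-chroot)   run_step "TorBOX-Gateway" do_chroot ;;
  -tg-unchroot) run_step "TorBOX-Gateway" do_unchroot ;;
  -tg-dns)      run_step "TorBOX-Gateway" config_dns_tg ;;
  -tg-unmount)  run_step "TorBOX-Gateway" unmount_vm_image ;;
  -tw-mount)    run_step "TorBOX-Workstation" mount_vm_image ;;
  -tw-chroot)   run_step "TorBOX-Workstation" do_chroot ;;
  -tw-unchroot) run_step "TorBOX-Workstation" do_unchroot ;;
  -tw-unmount)  run_step "TorBOX-Workstation" unmount_vm_image ;;
  *)            script_help ;;
esac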