diff options
-rw-r--r-- | logc/Makefile | 74 | ||||
-rw-r--r-- | medkit-initial-config/Makefile | 32 | ||||
-rw-r--r-- | medkit-initial-config/files/README.md | 50 | ||||
-rw-r--r-- | medkit-initial-config/files/medkit-initial-config | 156 | ||||
-rw-r--r-- | sentinel-fwlogs/Makefile | 69 | ||||
-rw-r--r-- | sentinel-fwlogs/files/defaults.sh | 2 | ||||
-rwxr-xr-x | sentinel-fwlogs/files/init | 25 | ||||
-rwxr-xr-x | sentinel-fwlogs/files/restart-proxy-hook.sh | 5 | ||||
-rwxr-xr-x | sentinel-fwlogs/files/sentinel-firewall.sh | 37 | ||||
-rwxr-xr-x | sentinel-fwlogs/files/uci-defaults | 19 |
10 files changed, 0 insertions, 469 deletions
diff --git a/logc/Makefile b/logc/Makefile deleted file mode 100644 index 1a4eb58..0000000 --- a/logc/Makefile +++ /dev/null @@ -1,74 +0,0 @@ -# -## Copyright (C) 2020 CZ.NIC z.s.p.o. (https://www.nic.cz/) -# -## This is free software, licensed under the GNU General Public License v3. -# See /LICENSE for more information. -# # -# -include $(TOPDIR)/rules.mk - -PKG_NAME:=logc -PKG_VERSION:=0.0.1 -PKG_RELEASE:=1 - -PKG_SOURCE_PROTO:=git -PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/logc.git -#PKG_SOURCE_VERSION:=v$(PKG_VERSION) -PKG_SOURCE_VERSION:=8ea2adae681bffaec1e9efaad1d6b2b1fbb39496 - -PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz> -PKG_LICENSE:=MIT -PKG_LICENSE_FILES:=LICENSE - -PKG_BUILD_DEPENDS:=argp-standalone - -PKG_INSTALL:=1 -PKG_FIXUP:=autoreconf - -include $(INCLUDE_DIR)/package.mk -include $(INCLUDE_DIR)/autotools.mk - -define Package/Common - SECTION:=libs - CATEGORY:=Libraries - URL:=https://gitlab.nic.cz/turris/logc.git -endef - -define Package/logc - $(call Package/Common) - TITLE:=logc -endef - -define Package/logc-argp - $(call Package/Common) - TITLE:=logc-argp -endef - -define Package/logc/description - Logging library for C (LogC) -endef - -define Package/logc-argp/description - Argument parsing library for LogC base on argp. -endef - -define Build/InstallDev - $(INSTALL_DIR) $(1)/usr/include - $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ - - $(INSTALL_DIR) $(1)/usr/lib/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/ -endef - -define Package/logc/install - $(INSTALL_DIR) $(1)/usr/lib/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/liblogc.so* $(1)/usr/lib/ -endef - -define Package/logc-argp/install - $(INSTALL_DIR) $(1)/usr/lib/ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/liblogc_argp.so* $(1)/usr/lib/ -endef - -$(eval $(call BuildPackage,logc)) -$(eval $(call BuildPackage,logc-argp)) diff --git a/medkit-initial-config/Makefile b/medkit-initial-config/Makefile deleted file mode 100644 index c95fa53..0000000 --- a/medkit-initial-config/Makefile +++ /dev/null @@ -1,32 +0,0 @@ -# -## Copyright (C) 2020 CZ.NIC z.s.p.o. (http://www.nic.cz/) -# -## This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# # -# -include $(TOPDIR)/rules.mk - -PKG_NAME:=medkit-initial-config -PKG_VERSION:=0.1.0 -PKG_RELEASE:=1 - -PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz> - -include $(INCLUDE_DIR)/package.mk - -define Package/medkit-initial-config - SECTION:=updater - CATEGORY:=Turris Updater - TITLE:=Initial config for use with medkit - DEPENDS:=+schnapps -endef - -define Package/medkit-initial-config/install - $(INSTALL_DIR) $(1)/etc/uci-defaults - $(INSTALL_BIN) ./files/medkit-initial-config $(1)/etc/uci-defaults/99-medkit-initial-config -endef - -Build/Compile:=: - -$(eval $(call BuildPackage,medkit-initial-config)) diff --git a/medkit-initial-config/files/README.md b/medkit-initial-config/files/README.md deleted file mode 100644 index 528f20b..0000000 --- a/medkit-initial-config/files/README.md +++ /dev/null @@ -1,50 +0,0 @@ -Medkit initial system configuration ------------------------------------ -This package provides script that allows limited configuration of router after -medkit is used. The idea is to allow users to preconfigure router in a way they -can connect to it in secure manner over WiFi if needed. - -It is applied only with first boot on medkited router. It intentionally does not -work with just factory reset, medkit reflash is required. - -## Usage -User places alongside medkit configuration file to flash drive. The name of file -has to be in format `BOARD-medkit-config.json` where `BOARD` is name of board -consistent with medkit prefix. - -## Configuration file format -Configuration file has to contain valid JSON. - -### Example configuration -``` -{ - "foris_password": "m4ZZMC9cpyu3xpbw", - "system_password": "Wru4FU0TLw8avIVY", - "wireless": { - "ssid": "TurrisConfigWifi", - "key": "tScqsSAr0DXEqUe0" - } -} -``` - -### Foris Password -Option `foris_password` can be used to configure password for Foris web interface -and that way skip initial step in setup. - -This is suggested to be used as web interfaces allows anyone to set initial -password. That makes router administration accessible by anyone. By setting -password even before WiFi or/and Foris are started prevents access to just -everyone. - -### System Password -Option `system_password` can be used to configure password for `root` account on -router. This is password used by LuCI web interfaces as well as SSH. - -This is not essentially required on Turris, because in default root account is -blocked for interactive login. This is included rather for convenience for cases -when user wants to use SSH rather than Foris. - -### Wireless AP configuration -Option `wireless` has to be set to object with `ssid` and `key` fields. It -configures first radio it can access on system to AP mode with provided SSID and -key (password). diff --git a/medkit-initial-config/files/medkit-initial-config b/medkit-initial-config/files/medkit-initial-config deleted file mode 100644 index c1c6f2f..0000000 --- a/medkit-initial-config/files/medkit-initial-config +++ /dev/null @@ -1,156 +0,0 @@ -#!/bin/sh -set -eu - -# There are multiple reasons why we do not want to just automatically always run -# this script on any other occasion except when you do medkit. -# It is also more strait forward for users to have it as some sort of extension to -# medkit. That is placing appropriate file beside medkit. -# When router is medkited then there is no snapshots. Only other case when this -# happen is when you unpack router from the box (from factory). This means that we -# can safely assume that no snapshot is the symptom of medkit. -# Why we want to allow configuration just in case of medkit is because we want to -# force user to update router to latest version of drivers. It is potentially -# dangerous to enable WiFi in old versions of system as there could be known -# vulnerabilities. -if ! schnapps list -j | jsonfilter -e '$.snapshots[0]' >/dev/null; then - echo "For security concerns " >&2 - exit 1 -fi - - -. /etc/os-release -case "$OPENWRT_DEVICE_PRODUCT" in - "Turris Mox") - board="mox" - ;; - "Turris Omnia") - board="omnia" - ;; - "Turris 1.x") - board="turris1x" - ;; - *) - echo "Router we are running on is not known to medkit-initial-config!" >&2 - exit 1 - ;; -esac - - -tmpmnt="$(mktemp -d)" -tmpclean() { - umount -fl "$tmpmnt" 2>/dev/null || true - rmdir "$tmpmnt" 2>/dev/null || true -} -trap tmpclean HUP INT QUIT TERM EXIT - -# Locate drive with medkit and configuration file -for dev in /dev/mmcblk*p* /dev/sd*; do - [ -e "$dev" ] || continue - echo "Checking device: $dev" - mount "$dev" "$tmpmnt" || continue - - for medkit in \ - "$tmpmnt/$board"-medkit-*.tar.gz \ - "$tmpmnt/medkit-$board"*.tar.gz \ - ; do - [ -f "$medkit" ] || continue - [ -f "$medkit.md5" ] && \ - (cd "${medkit%/*}" && md5sum "$medkit.md5") || continue - [ -f "$medkit.sha256" ] && \ - (cd "${medkit%/*}" && sha256sum "$medkit.sha256") || continue - [ -f "$medkit.sig" ] && \ - usign -V -m "$medkit" -P /etc/opkg/keys || continue - - echo "Located drive used for medkit: $dev (medkit: ${medit##*/})" >&2 - - config_file="${medkit%/*}/$board-medkit-config.json" - if [ -f "$config_file" ]; then - echo "Located config file: ${config_file##*/}" >&2 - break - else - echo "No config file located alongside the medkit." >&2 - umount -fl - exit 0 - fi - done - [ -f "$config_file" ] && break - umount -fl "$tmpmnt" -done - -if [ ! -f "$config_file" ]; then - # The only way we could get here is that device with medkit is not connected - echo "Device with appropriate medkit not located." >&2 - exit 0 -fi - - -################################################################################## -# Load config and apply it on system -. /usr/share/libubox/jshn.sh -json_init -json_load_file "$config_file" - - -foris_password() { - local password - json_get_var password "foris_password" || { - echo "foris_password configuration not present." >&2 - return - } - - uci -q batch <<-EOF - foris.auth=config - foris.auth.password=$password - commit foris.auth - EOF - echo "Foris password set." >&2 -} - -system_password() { - local password - json_get_var password "system_password" || { - echo "system_password configuration not present." >&2 - return - } - - echo "root:$password" | chpasswd - passwd -u root - echo "System password set." >&2 -} - -wireless() { - json_select "wireless" >/dev/null || { - echo "wireless configuration not present." >&2 - return - } - local ssid key - for var in ssid key; do - json_get_var "$var" "$var" || { - echo "wireless.$var configuration is missing. Wireless configuration not performed." >&2 - return - } - done - - local wifi_dev - wifi_dev="$(uci show 'wireless.@wifi-device[0]' | \ - sed -n 's/^wireless\.\([^.]\+\)=.*$/\1/p')" || { - echo "Wireless configuration is not possible as there is no WiFi device." >&2 - return - } - - uci -q batch <<-EOF - wireless.wifinet_auto=wifi-iface - wireless.wifinet_auto.device=$wifi_dev - wireless.wifinet_auto.network=lan - wireless.wifinet_auto.mode=ap - wireless.wifinet_auto.ssid=$ssid - wireless.wifinet_auto.encryption=psk2+tkip+aes - wireless.wifinet_auto.key=$key - commit wireless.wifinet_auto - EOF -} - - -foris_password -system_password -wireless diff --git a/sentinel-fwlogs/Makefile b/sentinel-fwlogs/Makefile deleted file mode 100644 index 32874a9..0000000 --- a/sentinel-fwlogs/Makefile +++ /dev/null @@ -1,69 +0,0 @@ -# -## Copyright (C) 2020 CZ.NIC z.s.p.o. (https://www.nic.cz/) -# -## This is free software, licensed under the GNU General Public License v3. -# See /LICENSE for more information. -# # -# -include $(TOPDIR)/rules.mk - -PKG_NAME:=sentinel-fwlogs -PKG_VERSION:=0.0.1 -PKG_RELEASE:=4 - -PKG_SOURCE_PROTO:=git -PKG_SOURCE_URL:=https://gitlab.nic.cz/turris/sentinel/fwlogs.git -#PKG_SOURCE_VERSION:=v$(PKG_VERSION) -PKG_SOURCE_VERSION:=2b4d3924d213696cb93d2e2690a84b947ff187df - -PKG_MAINTAINER:=CZ.NIC <packaging@turris.cz> -PKG_LICENSE:=GPL-3.0-or-later -PKG_LICENSE_FILES:=LICENSE - -PKG_BUILD_DEPENDS:=argp-standalone - -PKG_INSTALL:=1 -PKG_FIXUP:=autoreconf - -include $(INCLUDE_DIR)/package.mk - -define Package/sentinel-fwlogs - SECTION:=collect - CATEGORY:=Collect - SUBMENU:=Sentinel - TITLE:=FWLogs - URL:=https://gitlab.nic.cz/turris/sentinel/fwlogs - DEPENDS:=\ - +czmq \ - +msgpack-c \ - +logc +logc-argp \ - +libnetfilter-log \ - +sentinel-firewall +iptables-mod-nflog \ - +sentinel-proxy - PROVIDES:=sentinel-nikola - CONFLICTS:=sentinel-nikola -endef - -define Package/sentinel-fwlogs/description - Collector of firewall logs using libnetfilter-log for Turris Sentinel. -endef - -define Package/sentinel-fwlogs/install - $(INSTALL_DIR) $(1)/usr/bin - $(INSTALL_BIN) $(PKG_BUILD_DIR)/sentinel-fwlogs $(1)/usr/bin/sentinel-fwlogs - - $(INSTALL_DIR) $(1)/etc/init.d - $(INSTALL_BIN) ./files/init $(1)/etc/init.d/sentinel-fwlogs - - $(INSTALL_DIR) $(1)/etc/uci-defaults - $(INSTALL_BIN) ./files/uci-defaults $(1)/etc/uci-defaults/99-sentinel-fwlogs - - $(INSTALL_DIR) $(1)/usr/libexec/sentinel/firewall.d - $(INSTALL_BIN) ./files/sentinel-firewall.sh $(1)/usr/libexec/sentinel/firewall.d/60-fwlogs.sh - $(INSTALL_DATA) ./files/defaults.sh $(1)/usr/libexec/sentinel/fwlogs-defaults.sh - - $(INSTALL_DIR) $(1)/usr/libexec/sentinel/reload_hooks.d - $(INSTALL_BIN) ./files/restart-proxy-hook.sh $(1)/usr/libexec/sentinel/reload_hooks.d/50_nikola.sh -endef - -$(eval $(call BuildPackage,sentinel-fwlogs)) diff --git a/sentinel-fwlogs/files/defaults.sh b/sentinel-fwlogs/files/defaults.sh deleted file mode 100644 index 78345b4..0000000 --- a/sentinel-fwlogs/files/defaults.sh +++ /dev/null @@ -1,2 +0,0 @@ -DEFAULT_NFLOG_GROUP="1914" -DEFAULT_NFLOG_THRESHOLD="32" diff --git a/sentinel-fwlogs/files/init b/sentinel-fwlogs/files/init deleted file mode 100755 index 955b333..0000000 --- a/sentinel-fwlogs/files/init +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/sh /etc/rc.common - -USE_PROCD=1 -START=99 -STOP=10 - - -start_service() { - source /lib/functions/sentinel.sh - source /usr/libexec/sentinel/fwlogs-defaults.sh - allowed_to_run "fwlogs" || return 1 - - config_load sentinel - local nflog_group nflog_threshold - config_get nflog_group fwlogs nflog_group "$DEFAULT_NFLOG_GROUP" - - procd_open_instance - procd_set_param command /usr/bin/sentinel-fwlogs - procd_append_param command --nflog-group="$nflog_group" - procd_set_param respawn 3600 5 5 - procd_set_param stdout 1 - procd_set_param stderr 1 - procd_set_param file /etc/config/sentinel - procd_close_instance -} diff --git a/sentinel-fwlogs/files/restart-proxy-hook.sh b/sentinel-fwlogs/files/restart-proxy-hook.sh deleted file mode 100755 index 938adf4..0000000 --- a/sentinel-fwlogs/files/restart-proxy-hook.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh -# restart Sentinel:FWLogs service -/etc/init.d/sentinel-fwlogs restart -# Apply logging rules -/etc/init.d/firewall reload diff --git a/sentinel-fwlogs/files/sentinel-firewall.sh b/sentinel-fwlogs/files/sentinel-firewall.sh deleted file mode 100755 index e066b16..0000000 --- a/sentinel-fwlogs/files/sentinel-firewall.sh +++ /dev/null @@ -1,37 +0,0 @@ -#!/bin/sh -set -e -. "${0%/*}/common.sh" -. /lib/functions.sh -. /lib/functions/sentinel.sh -. /usr/libexec/sentinel/fwlogs-defaults.sh - -allowed_to_run "fwlogs" 2>/dev/null || return 0 - - -config_load "sentinel" -config_get nflog_group fwlogs nflog_group "$DEFAULT_NFLOG_GROUP" -config_get nflog_threshold fwlogs nflog_threshold "$DEFAULT_NFLOG_THRESHOLD" - - -fwlogs_logging() { - local config_section="$1" - local zone enabled - config_get zone "$config_section" "name" - config_get_bool enabled "$config_section" "sentinel_fwlogs" "0" - [ "$enabled" = "1" ] || return 0 - - report_operation "Logging of zone '$zone'" - for fate in DROP REJECT; do - local chain="zone_${zone}_src_${fate}" - iptables_chain_exists "$chain" || continue - report_info "$fate" - iptables -I "$chain" 1 \ - -m comment --comment "!sentinel: fwlogs" \ - -j NFLOG \ - --nflog-group "$nflog_group" \ - --nflog-threshold "$nflog_threshold" - done -} - -config_load "firewall" -config_foreach fwlogs_logging "zone" diff --git a/sentinel-fwlogs/files/uci-defaults b/sentinel-fwlogs/files/uci-defaults deleted file mode 100755 index c3c2644..0000000 --- a/sentinel-fwlogs/files/uci-defaults +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/sh -set -e -. /lib/functions/sentinel-firewall.sh - -# fwlogs entry in sentinel config -if [ "$(uci -q get sentinel.fwlogs)" != "fwlogs" ]; then - uci -q batch <<EOT - delete sentinel.fwlogs - set sentinel.fwlogs='fwlogs' - commit sentinel.fwlogs -EOT -fi - - -# Enable for default interface -config_firewall_default_enable "sentinel_fwlogs" - -# Always reload firewall to use latest version of sentinel-firewall script -/etc/init.d/firewall reload |