Grub live ideas and suggestions / Grub live entry for offline mode / Grub live entry that boots with Tor only firewall rules

Dear Kicksecure Development Team,

I would like to suggest some enhancements to the GRUB Live environment. Specifically, it would be beneficial to include additional features or options that could improve user experience and functionality. Here are two ideas to include with the grub-live package:

  • Grub live entry for offline mode: another grub live entry for booting into Live mode USER with all networking disabled

  • Grub live entry that boots with Tor only firewall rules: another grub live entry for booting into Live mode USER with Tor only firewall with tor transparent proxy for users that are on lower RAM systems that don’t want to install whonix with the installer in usability misc but already have tb-launcher installed. Tor daemon already comes installed with Kicksecure so additionally maybe load some torsocks wrappers for certain commands like curl, wget, git, whois, etc. if possible.

Here are some drafts that I haven't tried yet but will put them here for a starting point, reference, and ideas.

offline mode
/etc/grub.d/40_offline_mode

# GRUB Live entry to disable networking (offline mode)
menuentry "LIVE mode USER (Offline Mode)" {
    # Run the disable networking script that blacklists all wireless drivers and firewall to block all traffic
    /usr/local/bin/disable_networking
    set root=(hd0,1)  # Adjust this to your root partition
    # mask network target
    linux /vmlinuz-linux root=/dev/sda1 quiet splash systemd.mask=network.target
    initrd /initramfs-linux.img
}

/usr/local/bin/disable_networking

#!/bin/bash
### Grub disable networking script called by 
## Blacklist all wifi drivers
## Blacklist bluetooth driver (commented out)
set -eu

# Must run as root: writes to /etc/modprobe.d and loads nftables rules
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
fi

# Define the blacklist file path
BLACKLIST_FILE="/etc/modprobe.d/disable_networking.conf"

# Create or clear the blacklist file
echo "# Custom blacklist for wireless drivers" > "$BLACKLIST_FILE"

# Get the list of wireless driver modules. They live in vendor subdirectories
# (e.g. intel/, ath/), so a plain ls of the top-level directory only returns
# directory names; find the module files themselves instead.
WIRELESS_DRIVERS=$(find "/lib/modules/$(uname -r)/kernel/drivers/net/wireless/" -name '*.ko*' 2>/dev/null)

# Check if there are any wireless drivers
if [ -z "$WIRELESS_DRIVERS" ]; then
    echo "No wireless drivers found in /lib/modules/$(uname -r)/kernel/drivers/net/wireless/"
else
    # Loop through each driver and add it to the blacklist
    for DRIVER in $WIRELESS_DRIVERS; do
        DRIVER_NAME=$(basename "$DRIVER")
        DRIVER_NAME="${DRIVER_NAME%%.ko*}"   # Strip .ko, .ko.xz or .ko.zst
        DRIVER_NAME="${DRIVER_NAME//-/_}"    # lsmod/modprobe report '-' as '_'
        echo "blacklist $DRIVER_NAME" >> "$BLACKLIST_FILE"
        echo "Blacklisted driver: $DRIVER_NAME"

        # Remove the driver if it is currently loaded (match the whole module name,
        # not a substring of another module)
        if lsmod | grep -q "^$DRIVER_NAME "; then
            echo "Removing loaded driver: $DRIVER_NAME"
            modprobe -r "$DRIVER_NAME" || echo "Could not unload $DRIVER_NAME (still in use?)" >&2
        fi
    done
fi

## Blacklist bluetooth
# List of Bluetooth drivers to blacklist
#BT_DRIVERS=(
#    "btusb"
#    "bluetooth"
#    "btintel"
#)
#
# Loop through the drivers and add them to the blacklist
#for DRIVER in "${BT_DRIVERS[@]}"; do
#    echo "blacklist $DRIVER" >> "$BLACKLIST_FILE"
#    modprobe -r "$DRIVER"
#done


### Firewall
# Set up nftables to disable all incoming, forwarding, and outgoing traffic
echo "Setting up nftables to disable all network traffic..."

# Flush existing rules
nft flush ruleset

# Create a new ruleset. The chain specification must be quoted, otherwise the
# shell treats the ';' inside the braces as a command separator.
nft add table inet filter
nft add chain inet filter input '{ type filter hook input priority 0; policy drop; }'
nft add chain inet filter forward '{ type filter hook forward priority 0; policy drop; }'
nft add chain inet filter output '{ type filter hook output priority 0; policy drop; }'

# With "policy drop" on every base chain no further rules are needed:
# all incoming, forwarded and outgoing packets are dropped.

echo -e " All wireless drivers have been blacklisted in $BLACKLIST_FILE.\n All network traffic has been disabled.\n Offline mode enabled"

Tor only
/etc/grub.d/40_tor_only_firewall

menuentry "LIVE mode USER (Tor Only)" {
    # Run the Tor firewall script
    /usr/local/bin/Tor_only_firewall
    # Boot into the default kernel
    linux /vmlinuz-<your-kernel-version> root=/dev/sda1 ro
    initrd /initrd.img-<your-kernel-version>
}

/usr/local/bin/Tor_only_firewall

#!/bin/bash
### Tor only firewall for GRUB Live (Tor Only)
set -eu

# Must run as root to load nftables rules
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
fi

# System user the Tor daemon runs as on Debian-based systems such as Kicksecure
TOR_USER="debian-tor"

# Flush existing rules
nft flush ruleset

# Create a new ruleset with a default policy of drop. The chain specification
# must be quoted, otherwise the shell treats the ';' as a command separator.
nft add table inet filter
nft add chain inet filter input '{ type filter hook input priority 0; policy drop; }'
nft add chain inet filter forward '{ type filter hook forward priority 0; policy drop; }'
nft add chain inet filter output '{ type filter hook output priority 0; policy drop; }'

# Allow loopback traffic. This is how local applications reach Tor's SocksPort
# (9050) and how torsocks-wrapped commands work; the port must not be opened
# towards the network, so there is no "input tcp dport 9050" rule.
nft add rule inet filter input iif "lo" accept
nft add rule inet filter output oif "lo" accept

# Allow established and related connections (replies to Tor's own connections)
nft add rule inet filter input ct state established,related accept
nft add rule inet filter output ct state established,related accept

# Allow only the Tor daemon itself to open new outgoing connections
# (to relays or bridges). Any other process is blocked from the clearnet.
nft add rule inet filter output meta skuid "$TOR_USER" ct state new accept

# No clearnet DNS rule: name resolution has to go through Tor (torsocks or
# Tor's DNSPort), otherwise DNS queries would leak around Tor. A transparent
# proxy additionally needs nat redirect rules and TransPort/DNSPort in torrc,
# which are not part of this draft. Everything else falls to the drop policy.

echo "Tor only firewall rules applied."

Unfortunately, this is probably incompatible with future plans, that is
allowing the user to choose user or admin during boot. See:

That way, all boot options would quickly double.

There’s just a limited amount of boot menu entries that make sense to
not over-complicate Kicksecure.

> • Grub live entry that boots with Tor only firewall rules: another grub live entry for booting into Live mode USER with Tor only firewall with tor transparent proxy for users that are on lower RAM systems that don’t want to install whonix with the installer in usability misc but already have tb-launcher installed. Tor daemon already comes installed with Kicksecure so additionally maybe load some torsocks wrappers for certain commands like curl, wget, git, whois, etc. if possible.

Out of scope for Kicksecure as per:

> Here are some drafts that I haven't tried yet but will put them here for a starting point, reference, and ideas.

> offline mode
> /etc/grub.d/40_offline_mode

We cannot write menuentry directly to /etc/grub.d/. We cannot hardcode
any /etc/grub.d/ because these need to be automatically updated on
kernel upgrades. So the proper mechanisms need to be used similar to how
grub-live is implementing this.

> /usr/local/bin/disable_networking

It’s not possible to run shell scripts from the grub boot menu. At best, a
kernel parameter can be set. Then during boot, the init system (in case
of Kicksecure at time of writing: systemd) can react on that kernel
parameter and act accordingly, such as by executing a shell script.

This is non-trivial to develop. Hence, the above proposal has not been
implemented yet.

> BLACKLIST_FILE="/etc/modprobe.d/disable_networking.conf"

This would need to be written before it is processed. Probably doable
with the correct systemd unit file ordering but non-trivial.

Then also there needs to be a solid implementation to delete or
deactivate such a file during a regular boot.

Since this is unlikely to get implemented in Kicksecure anytime soon,
or ever, I recommend looking for other places where you can
request such features. What comes to mind: the initrd generator (dracut),
systemd, the network stack (NetworkManager), Linux, Debian.

If such features are implemented upstream, these become much easier to
use within Kicksecure.