Commit ad5ef2e4 authored by intrigeri's avatar intrigeri

Merge branch 'devel' into feature/tor-nightly-master

parents c85bd048 a26375d9
......@@ -155,7 +155,7 @@ if [ -d "$WORKAROUNDS_SRC" ]; then
fi
echo "I: Building ISO image ${BUILD_ISO_FILENAME}..."
time lb build noauto ${@}
time lb build noauto "${@}"
[ -e binary.iso ] || fatal "lb build failed ($?)."
echo "I: ISO image was successfully created"
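Review bot: The message on the `[ -e binary.iso ] || fatal "lb build failed ($?)."` line cannot report lb's exit status, because by the time `$?` is expanded it holds the result of the `[ -e binary.iso ]` test and so always prints 1. If the status is meant to help diagnose a failed build, capture it at the build step, e.g. `lb_status=0; time lb build noauto "${@}" || lb_status=$?`, and print `$lb_status` in the message. Whether the script runs under `set -e` is not visible in this hunk; if it does, a failing lb aborts before this check is reached and the `($?)` can simply be dropped.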
......
......@@ -10,7 +10,7 @@ for dir in chroot/{dev/pts,proc,sys,var/lib/dpkg} ; do
fi
done
lb clean noauto ${@}
lb clean noauto "${@}"
# rm -f build-*.log
......
......@@ -91,7 +91,7 @@ export LB_BOOTSTRAP_INCLUDE="gnupg"
RUN_LB_CONFIG="lb config noauto"
# init config/ with defaults for the target distribution
$RUN_LB_CONFIG --distribution buster ${@}
$RUN_LB_CONFIG --distribution buster "${@}"
# set up everything for time-based snapshots:
if [ -n "${APT_SNAPSHOTS_SERIALS:-}" ]; then
......@@ -159,7 +159,7 @@ $RUN_LB_CONFIG \
--syslinux-splash data/splash.png \
--syslinux-timeout 4 \
--initramfs=live-boot \
${@}
"${@}"
install -d config/chroot_local-includes/etc/amnesia/
......
......@@ -16,9 +16,14 @@ output_apt_binary_source() {
}
output_overlay_apt_binary_sources() {
for suite in $(ls config/APT_overlays.d) ; do
cd config/APT_overlays.d/
for suite in * ; do
# handle the case when no APT overlay is enabled
[[ -e "$suite" ]] || break
output_apt_binary_source "$suite"
done
cd ../../
}
### Sanity checks
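Review bot: `output_overlay_apt_binary_sources` now changes the working directory around the loop, with no handling for a failed `cd config/APT_overlays.d/`, and `output_apt_binary_source` runs with that directory as cwd (whether it reads relative paths is not visible here). If the `cd` fails in a context where `set -e` is not effective, the glob expands in the wrong directory and `cd ../../` then lands two levels above the starting point. Keeping the change local avoids both problems: run the loop in a subshell, `( cd config/APT_overlays.d/ || exit 1; for suite in * ; do … done )`, or glob `config/APT_overlays.d/*` and pass `"${suite##*/}"`. Separately, `[[ -e "$suite" ]] || break` also stops at the first dangling symlink, not only on an unmatched glob; `continue` would skip just that entry.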
......
# shellcheck shell=bash
# This library is meant to be used in bash, with "set -e" and "set -u".
BASE_BRANCHES="stable testing devel"
......
......@@ -23,7 +23,7 @@ AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC blo
AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
# Kernel version
KERNEL_VERSION='5.6.0-2'
KERNEL_VERSION='5.7.0-1'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
This diff is collapsed.
#!/bin/sh
set -e
echo "Checking if PAM uses SHA512 to hash passwords"
if ! grep -q -E "^password\s.*\ssha512" /etc/pam.d/common-password; then
echo "PAM does not seem to use SHA512 anymore. Please adjust the
Tails Greeter code which hashes the admin password."
exit 1
fi
#!/bin/sh
set -e
set -u
echo "Checking for possibly missing rtw88 firmware (#17323)"
# Decide where to copy from, and what:
WORKAROUNDS_FW_DIR='/tmp/tails-workarounds/linux-firmware'
DIR='rtw88'
FILES='rtw8822b_fw.bin rtw8822c_fw.bin'
# Sanity check:
orig_dir="$WORKAROUNDS_FW_DIR/$DIR"
if [ ! -d "$orig_dir" ]; then
echo "=> ERROR: Missing origin directory ($orig_dir)"
exit 1
fi
firmware_dir="/lib/firmware/$DIR"
if [ ! -d "$firmware_dir" ]; then
echo "=> Missing parent directory ($firmware_dir), creating"
mkdir -p "$firmware_dir"
fi
for file in $FILES; do
path="$firmware_dir/$file"
if [ ! -f "$path" ]; then
echo "=> Missing firmware ($file), copying"
cp "$orig_dir/$file" "$path"
else
echo "=> ERROR: Firmware for $file found, maybe this hook could be dropped"
exit 1
fi
done
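Review bot: Nothing in this hook verifies the two firmware blobs before they land in `/lib/firmware/rtw88`; `cp "$orig_dir/$file" "$path"` copies whatever is present under `/tmp/tails-workarounds/linux-firmware/rtw88`. If the workarounds tree is pinned and verified where it is fetched (that step is outside this file), a comment next to `WORKAROUNDS_FW_DIR` saying so would document where the trust comes from; otherwise compare each file against a SHA-256 recorded in the hook before copying. Using `install -m 0644 -o root -g root "$orig_dir/$file" "$path"` instead of `cp` would also make the resulting owner and mode independent of the source tree and umask.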
......@@ -18,7 +18,8 @@ ensure_hook_dependency_is_installed dkms
ensure_hook_dependency_is_installed \
virtualbox-guest-dkms
for log in $(ls /var/lib/dkms/*/*/build/make.log); do
for log in /var/lib/dkms/*/*/build/make.log; do
[ -e "$log" ] || break # handle the case when no file matched the glob
echo "---- $log"
cat "$log"
done
......
#!/bin/sh
set -e
echo 'Configuring seahorse-tool'
mkdir -p /usr/lib/seahorse
dpkg-divert --add --rename --divert /usr/lib/seahorse/seahorse-tool \
/usr/bin/seahorse-tool
ln -s /usr/local/lib/seahorse-tool-wrapper /usr/bin/seahorse-tool
......@@ -7,9 +7,11 @@
# =====
#
# * /etc/live/config.d/username.conf : $LIVE_USERNAME
# * /var/lib/gdm3/tails.locale : $TAILS_LOCALE_NAME, $TAILS_XKBMODEL,
# $TAILS_XKBLAYOUT, $TAILS_XKBVARIANT, $TAILS_XKBOPTIONS, $CODESET
# * /var/lib/gdm3/tails.password : $TAILS_USER_PASSWORD
# * /var/lib/gdm3/settings/tails.language: $TAILS_LOCALE_NAME
# * /var/lib/gdm3/settings/tails.formats: $TAILS_FORMATS
# * /var/lib/gdm3/settings/tails.keyboard: $TAILS_XKBMODEL,
# $TAILS_XKBLAYOUT, $TAILS_XKBVARIANT, $TAILS_XKBOPTIONS
# * /var/lib/gdm3/settings/tails.password : $TAILS_USER_PASSWORD
# For whatever reason, /usr/sbin (needed by at least chpasswd)
# is not in our PATH
......@@ -22,6 +24,7 @@ KBDSET=/etc/default/keyboard
CONSET=/etc/default/console-setup
LOCALE_CFG=/etc/default/locale
CODSET="Uni1" # universal codeset to properly display glyphs in localized console
GREETER_EXPORTED_SETTINGS="tails.macspoof tails.network tails.unsafe-browser"
log() {
echo "$1" >&2
......@@ -60,6 +63,17 @@ grep_n_set() {
log "Entering PostLogin"
### Export the Greeter settings
# It's important we export the settings from tails.macspoof before
# unblocking the network below; doing so will make the user-set MAC
# spoofing option apply (via the custom udev rule) when loading the
# modules for the previously blocked network devices.
for setting in ${GREETER_EXPORTED_SETTINGS}; do
/usr/bin/install -m 0640 -o root -g root \
"/var/lib/gdm3/settings/$setting" \
"/var/lib/live/config/$setting"
done
### Gather general configuration
# Import the name of the live user
......@@ -68,15 +82,12 @@ if [ -z "${LIVE_USERNAME}" ] ; then
log_n_exit "Username variable not found."
fi
### Physical security
log "Running /usr/local/lib/tails-unblock-network..."
/usr/local/lib/tails-unblock-network
log "tails-unblock-network has exited (status=$?)."
### Localization
# Import locale name
. /var/lib/gdm3/tails.locale || log_n_exit "Locale file not found."
# Import locale settings
. /var/lib/gdm3/settings/tails.language || log_n_exit "Language settings file not found."
. /var/lib/gdm3/settings/tails.formats || log_n_exit "Formats settings file not found."
. /var/lib/gdm3/settings/tails.keyboard || log_n_exit "Keyboard settings file not found."
if [ -z "${TAILS_LOCALE_NAME}" ] ; then
log_n_exit "Locale variable not found."
fi
......@@ -109,16 +120,18 @@ XKBVARIANT="$TAILS_XKBVARIANT"
XKBOPTIONS="$TAILS_XKBOPTIONS"
EOF
### Physical security
log "Running /usr/local/lib/tails-unblock-network..."
/usr/local/lib/tails-unblock-network
log "tails-unblock-network has exited (status=$?)."
### Password
# Import password for superuser access
if [ -e /var/lib/gdm3/tails.password ] ; then
. /var/lib/gdm3/tails.password
if [ -e /var/lib/gdm3/settings/tails.password ] ; then
. /var/lib/gdm3/settings/tails.password
fi
# Remove password file
rm --interactive=never -f /var/lib/gdm3/tails.password
# Check if password is actually set
if [ -z "${TAILS_USER_PASSWORD}" ] ; then
rm -f "${POLKIT}" "${SUDOERS}"
......@@ -132,7 +145,7 @@ if [ -z "${TAILS_USER_PASSWORD}" ] ; then
fi
# Sets the password
echo "${LIVE_USERNAME}:${TAILS_USER_PASSWORD}" | chpasswd
echo "${LIVE_USERNAME}:${TAILS_USER_PASSWORD}" | chpasswd -e
# Add sudoers entry
echo "${LIVE_USERNAME} ALL = (ALL) ALL" >> "${SUDOERS}"
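Review bot: The new export loop does not check the result of `/usr/bin/install`, so if `/var/lib/gdm3/settings/tails.macspoof` is missing or unreadable the script still goes on to run `tails-unblock-network` without the MAC spoofing setting in `/var/lib/live/config`, unless `set -e` is active outside the visible lines. Since the comment above the loop says this ordering matters, fail closed by appending `|| log_n_exit "Could not export Greeter setting $setting."` to the install command. Separately, the `rm --interactive=never -f` of the password file appears to be dropped (the line counts in the hunk header suggest so), so the value passed to `chpasswd -e` stays in `/var/lib/gdm3/settings/tails.password` after login. A comment at the `### Password` block stating that this is intentional and that the file holds only a hash would help the next reader.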
......
......@@ -51,6 +51,11 @@ pref("mailnews.auto_config.fetchFromISP.sslOnly", true);
pref("mailnews.auto_config.sslOnly", true);
pref("mailnews.auto_config.guess.sslOnly", true);
// Disable automatic configuration methods that could be serving
// configurations without authentication.
pref("mailnews.auto_config.fetchFromExchange.enabled", false);
pref("mailnews.auto_config.mx.enabled", false);
// Drop auto-fetched configurations using Oauth2 -- they do not work
// since we disable needed functionality (like JavaScript and cookies)
// in the embedded browser.
......@@ -359,8 +364,8 @@ pref("media.cache_size", 0);
// Disable CSS :visited selector.
pref("layout.css.visited_links_enabled", false);
// Disable downloadable fonts.
pref("gfx.downloadable_fonts.enabled", false);
// downloadable fonts are NOT disabled: disabling them cause bug #17328: "Find in Message" stops working
//pref("gfx.downloadable_fonts.enabled", false);
// Disable third-party images.
pref("permissions.default.image", 3);
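Review bot: Commenting out `gfx.downloadable_fonts.enabled` brings web-font loading and parsing back into message rendering, and the replacement comment only records the bug it works around. Please document what still keeps remote fonts from being fetched when a message is displayed (the remote-content prefs are outside this hunk), or that the exposure is accepted until #17328 is resolved, e.g. `// Re-enabled as a workaround for #17328; remote fetches stay blocked by <pref name>, revisit once fixed.` Minor wording: "disabling them cause" should read "disabling them causes".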
......@@ -19,6 +19,7 @@
["file", {"user": "root", "path": "/var/lib/live/config/tails.macspoof"}],
["file", {"user": "root", "path": "/var/lib/live/config/tails.network"}],
["file", {"user": "root", "path": "/var/lib/live/config/tails.persistence"}],
["file", {"user": "root", "path": "/var/lib/live/config/tails.unsafe-browser"}],
["file", {"user": "tails-persistence-setup", "path": "/live/persistence/TailsData_unlocked/persistence.conf"}],
["file", {"user": "tails-persistence-setup", "path": "/live/persistence/TailsData_unlocked/live-additional-software.conf"}],
["directory", {"user": "root", "path": "/live/persistence/TailsData_unlocked/apt-sources.list.d"}],
......
......@@ -11,6 +11,8 @@ After=plymouth-quit.service
Requires=plymouth-quit-wait.service
After=plymouth-quit-wait.service
# for instructions on how to test this unit, see config/chroot_local-includes/usr/lib/gdm3/gdm-x-session.tails
[Service]
Type=oneshot
# We use VT5 that is clean of boot messages and does not get a getty started
......@@ -26,11 +28,4 @@ ExecStart=/bin/sh -c \
--kernel-command-line="plymouth.ignore-udev $(cat /proc/cmdline)"'
ExecStart=/bin/chvt 5
ExecStart=/bin/plymouth show-splash
ExecStart=/bin/sh -c \
'MAX_LENGTH=254 ; \
PREFIX="Error starting GDM with your graphics card: " ; \
SUFFIX=". Please take note of this error and visit https://tails.boum.org/gdm for troubleshooting." ; \
MAX_VIDEO_CARD_LENGTH=$(($MAX_LENGTH - $(echo -n "$PREFIX$SUFFIX" | wc -c))) ; \
VIDEO_CARD=$(lspci -d::0300 -nn | sed -E "s,.* VGA compatible controller \\[0300\\]:\s*,," | cut -c "1-$MAX_VIDEO_CARD_LENGTH") ; \
/bin/plymouth display-message --text="$PREFIX$VIDEO_CARD$SUFFIX" \
'
ExecStart=/usr/local/lib/tails-gdm-error-message
......@@ -2,6 +2,7 @@
Description=Wipe memory on live media removal
Documentation=https://tails.boum.org/contribute/design/memory_erasure/
After=memlockd.service initramfs-shutdown.service
ConditionKernelCommandLine=!toram
[Service]
Type=simple
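Review bot: `ConditionKernelCommandLine=!toram` switches this unit off entirely whenever `toram` is on the kernel command line, and the unit file gives no reason for it. A one-line comment above the directive would make the trade-off explicit, for instance `# With toram the boot medium may be removed on purpose, so removal must not trigger the wipe`; please confirm that this is the intent. The linked design document should also say that removing the medium no longer triggers memory erasure in that mode.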
......
......@@ -5,19 +5,8 @@ Documentation=https://tails.boum.org/contribute/design/MAC_address/
[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=/var/lib/gdm3/tails.network
EnvironmentFile=/var/lib/gdm3/settings/tails.network
# It's important we "export" the settings from tails.macspoof before
# unblocking the network; doing so will make the user-set MAC spoofing
# option apply (via the custom udev rule) when loading the modules for the
# previously blocked network devices.
ExecStartPre=/bin/sh -c \
'for setting in macspoof network; do \
/usr/bin/install -m 0640 -o root -g root \
"/var/lib/gdm3/tails.$setting" \
"/var/lib/live/config/tails.$setting" ; \
done'
ExecStartPre=/bin/sync
ExecStartPre=/bin/sh -c \
'if [ "${TAILS_NETCONF}" = "obstacle" ] ; then \
. /usr/local/lib/tails-shell-library/tor.sh ; \
......
......@@ -32,17 +32,33 @@ supported_locales_path = os.path.join(data_path, 'supported_locales')
# System locales directory
system_locale_dir = '/usr/share/locale/'
# File where session locale settings are stored
locale_output_path = '/var/lib/gdm3/tails.locale'
# Directory where the Greeter settings are stored
settings_dir = '/var/lib/gdm3/settings'
# File where the session sudo password is stored
admin_password_output_path = '/var/lib/gdm3/tails.password'
# Directory where the persistent Greeter settings are stored
persistent_settings_dir = '/var/lib/gdm3/settings/persistent'
# World-readable file where Tails persistence status is stored
persistence_state_file = '/var/lib/live/config/tails.persistence'
# File where the session language setting is stored
language_setting_path = os.path.join(settings_dir, 'tails.language')
# File where the session formats setting is stored
formats_setting_path = os.path.join(settings_dir, 'tails.formats')
# File where the session keyboard setting is stored
keyboard_setting_path = os.path.join(settings_dir, 'tails.keyboard')
# File where the session sudo password is stored
admin_password_path = os.path.join(settings_dir, 'tails.password')
# File where the network setting is stored
network_setting = '/var/lib/gdm3/tails.network'
network_setting_path = os.path.join(settings_dir, 'tails.network')
# File where the MAC address spoofing setting is stored
macspoof_setting = '/var/lib/gdm3/tails.macspoof'
macspoof_setting_path = os.path.join(settings_dir, 'tails.macspoof')
# File where the unsafe browser setting is stored
unsafe_browser_setting_filename = 'tails.unsafe-browser'
unsafe_browser_setting_path = os.path.join(settings_dir, unsafe_browser_setting_filename)
# World-readable file where Tails persistence status is stored
persistence_state_file = '/var/lib/live/config/tails.persistence'
......@@ -20,7 +20,9 @@
import gi
import logging
import os
from tailsgreeter.config import settings_dir, persistent_settings_dir
from tailsgreeter.gdmclient import GdmClient
from tailsgreeter.settings import localization
from tailsgreeter.settings.admin import AdminSetting
......@@ -28,8 +30,9 @@ from tailsgreeter.settings.localization_settings import LocalisationSettings
from tailsgreeter.settings.macspoof import MacSpoofSetting
from tailsgreeter.settings.network import NetworkSetting
from tailsgreeter.settings.persistence import PersistenceSettings
from tailsgreeter.settings.unsafe_browser import UnsafeBrowserSetting
from tailsgreeter.translatable_window import TranslatableWindow
from tailsgreeter.ui.additional_settings import AdminSettingUI, MACSpoofSettingUI, NetworkSettingUI
from tailsgreeter.ui.additional_settings import AdminSettingUI, MACSpoofSettingUI, NetworkSettingUI, UnsafeBrowserSettingUI
from tailsgreeter.ui.main_window import GreeterMainWindow
from tailsgreeter.ui.region_settings import LanguageSettingUI, KeyboardSettingUI, FormatsSettingUI
from tailsgreeter.ui.settings_collection import GreeterSettingsCollection
......@@ -60,30 +63,41 @@ class GreeterApplication(object):
"/org/gnome/SessionManager",
"org.gnome.SessionManager")
# Create the settings directory
os.makedirs(settings_dir, mode=0o700, exist_ok=True)
# Create the persistent settings directory
os.makedirs(persistent_settings_dir, mode=0o700, exist_ok=True)
# Load models
self.gdmclient = GdmClient(session_opened_cb=self.close_app)
persistence = PersistenceSettings()
self.localisationsettings = LocalisationSettings(
usermanager_loaded_cb=self.usermanager_loaded,
locale_selected_cb=self.on_language_changed
)
self.admin_setting = AdminSetting()
self.network_setting = NetworkSetting()
self.macspoof_setting = MacSpoofSetting()
self.network_setting = NetworkSetting()
self.unsafe_browser_setting = UnsafeBrowserSetting()
# Initialize the settings
settings = GreeterSettingsCollection(
LanguageSettingUI(self.localisationsettings.language),
self.settings = GreeterSettingsCollection(
LanguageSettingUI(self.localisationsettings.language, self.on_language_changed),
KeyboardSettingUI(self.localisationsettings.keyboard),
FormatsSettingUI(self.localisationsettings.formats),
AdminSettingUI(self.admin_setting),
MACSpoofSettingUI(self.macspoof_setting),
NetworkSettingUI(self.network_setting),
UnsafeBrowserSettingUI(self.unsafe_browser_setting),
)
# Initialize main window
self.mainwindow = GreeterMainWindow(self, persistence, settings)
self.mainwindow = GreeterMainWindow(self, persistence, self.settings)
# Apply the default settings
for setting in self.settings:
setting.apply()
# Inhibit the session being marked as idle
self.inhibit_idle()
......@@ -95,13 +109,6 @@ class GreeterApplication(object):
def login(self):
"""Login GDM to the server"""
logging.debug("login called")
# Apply settings
self.localisationsettings.apply_to_upcoming_session()
self.admin_setting.apply_to_upcoming_session()
self.macspoof_setting.apply_to_upcoming_session()
self.network_setting.apply_to_upcoming_session()
self.mainwindow.hide()
self.gdmclient.do_login()
......@@ -114,8 +121,9 @@ class GreeterApplication(object):
def on_language_changed(self, locale_code: str):
"""Translate to the given locale"""
self.localisationsettings.formats.on_language_changed(locale_code) # XXX: notify
self.localisationsettings.keyboard.on_language_changed(locale_code) # XXX: notify
for setting in self.settings.region_settings:
setting.on_language_changed(locale_code)
self.translate_to(locale_code)
self.mainwindow.current_language = localization.language_from_locale(locale_code)
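Review bot: `os.makedirs(settings_dir, mode=0o700, exist_ok=True)` does not guarantee a 0700 directory: the mode is applied only when the directory is actually created (and is filtered by the umask), so with `exist_ok=True` a directory that already exists keeps whatever owner and permissions it has. Because `settings_dir` also receives `tails.password` (per the config hunk on this page), follow the call with an explicit `os.chmod(settings_dir, 0o700)`, and do the same for `persistent_settings_dir`. The enclosing method starts outside the hunk, so any earlier permission handling is not visible here.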
......