Commit
25581930
authored
Jun 15, 2020
by
intrigeri
Merge branch 'feature/17620-buster-10.4+force-all-tests' into 'stable'
Buster 10.4 + Linux 5.6 See merge request
tails/tails!44
parents
29f653d2
bfa3801c
Changes
5
config/APT_snapshots.d/debian/serial
20200
325
03
20200
610
03
\ No newline at end of file
config/amnesia
...
...
@@ -23,7 +23,7 @@ AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC blo
AMNESIA_ISOHYBRID_OPTS
=
"-h 255 -s 63 --id 42 --verbose"
# Kernel version
KERNEL_VERSION
=
'5.
4
.0-
4
'
KERNEL_VERSION
=
'5.
6
.0-
2
'
KERNEL_SOURCE_VERSION
=
$(
echo
"
$KERNEL_VERSION
"
\
| perl
-p
-E
's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
...
...
config/chroot_apt/preferences
...
...
@@ -70,6 +70,11 @@ Package: webext-ublock-origin
Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: since linux-image-5.6.0-1-amd64 we have: Breaks: wireless-regdb (< 2019.06.03-1~) and 2016.06.10-1 is stable
Package: wireless-regdb
Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: weirdness in chroot_apt install-binary
Package: *
Pin: release o=chroot_local-packages
...
...
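Review bot: The new wireless-regdb stanza records why the pin exists but not when it can be dropped, so a priority-999 pin that follows sid for this package could outlive the need for it. A second Explanation line would capture the exit condition, for example `Explanation: drop this pin once wireless-regdb >= 2019.06.03-1~ is available from the suite the image is built on`. Keeping that condition next to the pin makes it easier to keep the set of packages pulled from sid as small as possible.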
config/chroot_local-includes/usr/share/initramfs-tools/scripts/init-premount/partitioning
...
...
@@ -13,6 +13,18 @@ esac
set
-eu
# We will run this after each action that alters the device/partition
# in any way in an attempt to avoid various races that has caused this
# script to fail at various points. Examples:
# * `partprobe /dev/sda` exiting before /dev/sda1 exists, causing
# errors in subsequent commands attempting to use /dev/sda1
# * `mlabel` complaining that it "could not read boot sector"
settle
()
{
sync
udevadm settle
sync
}
# Print executed commands for debugging
if
[
-n
"
$debug
"
]
;
then
set
-x
...
...
@@ -99,29 +111,36 @@ sgdisk \
--typecode
=
"1:
${
ESP_GUID
}
"
\
--change-name
=
1:Tails
\
"
${
PARENT_DEVICE
}
"
settle
log_end_msg
# Tell the kernel to reload the partition table
partprobe
"
${
PARENT_DEVICE
}
"
settle
# fatresize overwrites the VBR, so we have to back it up to be able to
# restore the boot code later
dd
if
=
"
${
SYSTEM_PARTITION
}
"
of
=
/tmp/vbr
bs
=
512
count
=
1
settle
# Grow the filesystem
# Note that fatresize resets partition attributes
# fatresize uses "Mi" for MiB, so we have to append an "i"
FS_SIZE
=
"
${
SYSTEM_PARTITION_SIZE
}
"
i
fatresize
--size
=
"
${
FS_SIZE
}
"
"
${
SYSTEM_PARTITION
}
"
settle
# Restore boot code overwritten by fatresize
dd
if
=
/tmp/vbr
of
=
"
${
SYSTEM_PARTITION
}
"
bs
=
1
skip
=
90
seek
=
90
count
=
414
settle
# Restore JMP instruction which jumps to the bootcode
dd
if
=
/tmp/vbr
of
=
"
${
SYSTEM_PARTITION
}
"
bs
=
3
count
=
1
settle
# Set a random filesystem UUID (aka. FAT "Volume ID" / "serial number")
MTOOLS_SKIP_CHECK
=
1 mlabel
-i
"
${
SYSTEM_PARTITION
}
"
-n
::Tails
settle
# Recompute CHS values for the hybrid MBR (see #16389) and set the
# following attributes on the system partition (we have to set them
...
...
@@ -139,6 +158,8 @@ sgdisk \
--attributes
=
1:set:63
\
--recompute-chs
\
"
${
PARENT_DEVICE
}
"
settle
# Tell the kernel to reload the partition table
partprobe
"
${
PARENT_DEVICE
}
"
settle
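Review bot: settle() runs under `set -eu`, so a non-zero exit from `udevadm settle` (which it returns when its timeout expires) aborts the whole script at whichever step called it. The costliest place is in the second hunk, between `fatresize` and the two `dd` calls that restore the boot code from /tmp/vbr: an abort there would leave the system partition with the VBR that fatresize wrote. If continuing is preferable at that point, the call inside settle() could be `udevadm settle || echo "udevadm settle failed, continuing" >&2`; if aborting is intended, one more line in the comment above settle() saying so would make that explicit. How a failure of this script is handled afterwards is decided outside the lines shown here.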
config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch
diff --git a/etc/apparmor.d/torbrowser.Browser.firefox b/etc/apparmor.d/torbrowser.Browser.firefox
index ece3159..c1ff8bf 100644
--- a/etc/apparmor.d/torbrowser.Browser.firefox
+++ b/etc/apparmor.d/torbrowser.Browser.firefox
@@ -1,11 +1,12 @@
...
...
@@ -14,7 +16,7 @@
# Uncomment the following lines if you want to give the Tor Browser read-write
# access to most of your personal files.
@@ -14,6 +15,7 @@
@@ -14,6 +15,7 @@
profile torbrowser_firefox @{torbrowser_firefox_executable} {
# Audio support
/{,usr/}bin/pulseaudio Pixr,
...
...
@@ -22,7 +24,7 @@
#dbus,
network netlink raw,
@@ -29,6 +31,8 @@
@@ -29,6 +31,8 @@
profile torbrowser_firefox @{torbrowser_firefox_executable} {
deny /etc/passwd r,
deny /etc/group r,
deny /etc/mailcap r,
...
...
@@ -31,7 +33,7 @@
/etc/machine-id r,
/var/lib/dbus/machine-id r,
@@ -44,3
7
+48,35 @@
@@ -44,3
8
+48,35 @@
profile torbrowser_firefox @{torbrowser_firefox_executable} {
owner @{PROC}/@{pid}/task/*/stat r,
@{PROC}/sys/kernel/random/uuid r,
...
...
@@ -59,6 +61,7 @@
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/{,**} rwk,
- owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
- owner @{torbrowser_home_dir}/fonts/* l,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
...
...
@@ -96,7 +99,7 @@
/etc/mailcap r,
/etc/mime.types r,
@@ -9
8
,12 +100,6 @@
@@ -9
9
,12 +100,6 @@
profile torbrowser_firefox @{torbrowser_firefox_executable} {
/sys/devices/system/node/node[0-9]*/meminfo r,
deny /sys/devices/virtual/block/*/uevent r,
...
...
@@ -109,7 +112,7 @@
# Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
owner /{dev,run}/shm/org.chromium.* rw,
owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw, # for Chromium IPC
@@ -11
8
,6 +114,25 @@
@@ -11
9
,6 +114,25 @@
profile torbrowser_firefox @{torbrowser_firefox_executable} {
deny @{HOME}/.cache/fontconfig/** rw,
deny @{HOME}/.config/gtk-2.0/ rw,
deny @{HOME}/.config/gtk-2.0/** rw,
...
...
@@ -135,9 +138,9 @@
deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
@@ -1
3
4,5 +1
4
9,10 @@
/etc/xfce4/defaults.list r,
/
usr/share/xfce4/applications/
r,
@@ -14
5
,5 +1
5
9,10 @@
profile torbrowser_firefox @{torbrowser_firefox_executable} {
# Yubikey NEO also needs this:
/
sys/devices/**/hidraw/hidraw*/uevent
r,
- #include <local/torbrowser.Browser.firefox>
+ # Deny access to global tmp directories, that's granted by the user-tmp
...
...
@@ -147,6 +150,8 @@
+ deny owner /tmp/** rwklx,
+ deny /tmp/ rwklx,
}
diff --git a/etc/apparmor.d/tunables/torbrowser b/etc/apparmor.d/tunables/torbrowser
index 9b31139..f77e082 100644
--- a/etc/apparmor.d/tunables/torbrowser
+++ b/etc/apparmor.d/tunables/torbrowser
@@ -1,2 +1 @@
...
...
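Review bot: The refreshed context of the last torbrowser.Browser.firefox hunk shows the base profile now carrying `/sys/devices/**/hidraw/hidraw*/uevent r,` under the "Yubikey NEO" comment, and nothing visible in this patch removes it. Much of this section is collapsed on the page, so it may be handled in a part that is not shown. If it is not, it is worth deciding whether Tor Browser in Tails needs hidraw-related access at all, given that the patch otherwise tightens the profile (for example the added `deny /tmp/ rwklx,`). If the rule is kept on purpose, a comment next to it in the patched profile would record that decision.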