Merge branch 'feature/17620-buster-10.4+force-all-tests' into 'stable'

Buster 10.4 + Linux 5.6

See merge request tails/tails!44

config/APT_snapshots.d/debian/serial

-2020032503
+2020061003
\ No newline at end of file

config/amnesia

@@ -23,7 +23,7 @@ AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC blo
 AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
 
 # Kernel version
-KERNEL_VERSION='5.4.0-4'
+KERNEL_VERSION='5.6.0-2'
 KERNEL_SOURCE_VERSION=$(
    echo "$KERNEL_VERSION" \
        | perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'

config/chroot_apt/preferences

@@ -70,6 +70,11 @@ Package: webext-ublock-origin
 Pin: release o=Debian,n=sid
 Pin-Priority: 999
 
+Explanation: since linux-image-5.6.0-1-amd64 we have: Breaks: wireless-regdb (< 2019.06.03-1~) and 2016.06.10-1 is stable
+Package: wireless-regdb
+Pin: release o=Debian,n=sid
+Pin-Priority: 999
+
 Explanation: weirdness in chroot_apt install-binary
 Package: *
 Pin: release o=chroot_local-packages

config/chroot_local-includes/usr/share/initramfs-tools/scripts/init-premount/partitioning

@@ -13,6 +13,18 @@ esac
 
 set -eu
 
+# We will run this after each action that alters the device/partition
+# in any way in an attempt to avoid various races that has caused this
+# script to fail at various points. Examples:
+#  * `partprobe /dev/sda` exiting before /dev/sda1 exists, causing
+#    errors in subsequent commands attempting to use /dev/sda1
+#  * `mlabel` complaining that it "could not read boot sector"
+settle() {
+    sync
+    udevadm settle
+    sync
+}
+
 # Print executed commands for debugging
 if [ -n "$debug" ]; then
 	set -x
@@ -99,29 +111,36 @@ sgdisk \
 	--typecode="1:${ESP_GUID}" \
 	--change-name=1:Tails \
 	"${PARENT_DEVICE}"
+settle
 log_end_msg
 
 # Tell the kernel to reload the partition table
 partprobe "${PARENT_DEVICE}"
+settle
 
 # fatresize overwrites the VBR, so we have to back it up to be able to
 # restore the boot code later
 dd if="${SYSTEM_PARTITION}" of=/tmp/vbr bs=512 count=1
+settle
 
 # Grow the filesystem
 # Note that fatresize resets partition attributes
 # fatresize uses "Mi" for MiB, so we have to append an "i"
 FS_SIZE="${SYSTEM_PARTITION_SIZE}"i
 fatresize --size="${FS_SIZE}" "${SYSTEM_PARTITION}"
+settle
 
 # Restore boot code overwritten by fatresize
 dd if=/tmp/vbr of="${SYSTEM_PARTITION}" bs=1 skip=90 seek=90 count=414
+settle
 
 # Restore JMP instruction which jumps to the bootcode
 dd if=/tmp/vbr of="${SYSTEM_PARTITION}" bs=3 count=1
+settle
 
 # Set a random filesystem UUID (aka. FAT "Volume ID" / "serial number")
 MTOOLS_SKIP_CHECK=1 mlabel -i "${SYSTEM_PARTITION}" -n ::Tails
+settle
 
 # Recompute CHS values for the hybrid MBR (see #16389) and set the
 # following attributes on the system partition (we have to set them
@@ -139,6 +158,8 @@ sgdisk \
 	--attributes=1:set:63 \
 	--recompute-chs \
 	"${PARENT_DEVICE}"
+settle
 
 # Tell the kernel to reload the partition table
 partprobe "${PARENT_DEVICE}"
+settle

config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch

+diff --git a/etc/apparmor.d/torbrowser.Browser.firefox b/etc/apparmor.d/torbrowser.Browser.firefox
+index ece3159..c1ff8bf 100644
 --- a/etc/apparmor.d/torbrowser.Browser.firefox
 +++ b/etc/apparmor.d/torbrowser.Browser.firefox
 @@ -1,11 +1,12 @@
@@ -14,7 +16,7 @@
  
    # Uncomment the following lines if you want to give the Tor Browser read-write
    # access to most of your personal files.
-@@ -14,6 +15,7 @@
+@@ -14,6 +15,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
  
    # Audio support
    /{,usr/}bin/pulseaudio Pixr,
@@ -22,7 +24,7 @@
  
    #dbus,
    network netlink raw,
-@@ -29,6 +31,8 @@
+@@ -29,6 +31,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
    deny /etc/passwd r,
    deny /etc/group r,
    deny /etc/mailcap r,
@@ -31,7 +33,7 @@
  
    /etc/machine-id r,
    /var/lib/dbus/machine-id r,
-@@ -44,37 +48,35 @@
+@@ -44,38 +48,35 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
    owner @{PROC}/@{pid}/task/*/stat r,
    @{PROC}/sys/kernel/random/uuid r,
  
@@ -59,6 +61,7 @@
 -  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
 -  owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/{,**} rwk,
 -  owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
+-  owner @{torbrowser_home_dir}/fonts/* l,
 -  owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px,
 -  owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
 -  owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
@@ -96,7 +99,7 @@
  
    /etc/mailcap r,
    /etc/mime.types r,
-@@ -98,12 +100,6 @@
+@@ -99,12 +100,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
    /sys/devices/system/node/node[0-9]*/meminfo r,
    deny /sys/devices/virtual/block/*/uevent r,
  
@@ -109,7 +112,7 @@
    # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
    owner /{dev,run}/shm/org.chromium.* rw,
    owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw, # for Chromium IPC
-@@ -118,6 +114,25 @@
+@@ -119,6 +114,25 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
    deny @{HOME}/.cache/fontconfig/** rw,
    deny @{HOME}/.config/gtk-2.0/ rw,
    deny @{HOME}/.config/gtk-2.0/** rw,
@@ -135,9 +138,9 @@
    deny @{PROC}/@{pid}/net/route r,
    deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
    deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
-@@ -134,5 +149,10 @@
-   /etc/xfce4/defaults.list r,
-   /usr/share/xfce4/applications/ r,
+@@ -145,5 +159,10 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
+   # Yubikey NEO also needs this:
+   /sys/devices/**/hidraw/hidraw*/uevent r,
  
 -  #include <local/torbrowser.Browser.firefox>
 +  # Deny access to global tmp directories, that's granted by the user-tmp
@@ -147,6 +150,8 @@
 +  deny owner /tmp/**         rwklx,
 +  deny /tmp/                 rwklx,
  }
+diff --git a/etc/apparmor.d/tunables/torbrowser b/etc/apparmor.d/tunables/torbrowser
+index 9b31139..f77e082 100644
 --- a/etc/apparmor.d/tunables/torbrowser
 +++ b/etc/apparmor.d/tunables/torbrowser
 @@ -1,2 +1 @@