Commit 25581930 authored by intrigeri's avatar intrigeri

Merge branch 'feature/17620-buster-10.4+force-all-tests' into 'stable'

Buster 10.4 + Linux 5.6

See merge request !44
parents 29f653d2 bfa3801c
2020032503 2020061003
\ No newline at end of file
...@@ -23,7 +23,7 @@ AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC blo ...@@ -23,7 +23,7 @@ AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC blo
AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose" AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
# Kernel version # Kernel version
KERNEL_VERSION='5.4.0-4' KERNEL_VERSION='5.6.0-2'
KERNEL_SOURCE_VERSION=$( KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \ echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms' | perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
...@@ -70,6 +70,11 @@ Package: webext-ublock-origin ...@@ -70,6 +70,11 @@ Package: webext-ublock-origin
Pin: release o=Debian,n=sid Pin: release o=Debian,n=sid
Pin-Priority: 999 Pin-Priority: 999
Explanation: since linux-image-5.6.0-1-amd64 we have: Breaks: wireless-regdb (< 2019.06.03-1~) and 2016.06.10-1 is stable
Package: wireless-regdb
Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: weirdness in chroot_apt install-binary Explanation: weirdness in chroot_apt install-binary
Package: * Package: *
Pin: release o=chroot_local-packages Pin: release o=chroot_local-packages
......
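Review bot: The new wireless-regdb stanza pins `o=Debian,n=sid` at priority 999 with no version bound, so it will follow every future sid upload of that package, and the Explanation gives no condition for retiring it. The Breaks the Explanation cites needs only `>= 2019.06.03-1~`, so a reader cannot tell from the stanza whether a later sid version with different dependencies is acceptable or when the pin can go. Suggest recording the exit condition alongside the existing Explanation, e.g. `Explanation: remove this pin once the stable suite ships wireless-regdb >= 2019.06.03-1~`. The file header of this section is not visible in this view, so the path is inferred from the stanza format.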
...@@ -13,6 +13,18 @@ esac ...@@ -13,6 +13,18 @@ esac
set -eu set -eu
# We will run this after each action that alters the device/partition
# in any way in an attempt to avoid various races that has caused this
# script to fail at various points. Examples:
# * `partprobe /dev/sda` exiting before /dev/sda1 exists, causing
# errors in subsequent commands attempting to use /dev/sda1
# * `mlabel` complaining that it "could not read boot sector"
settle() {
sync
udevadm settle
sync
}
# Print executed commands for debugging # Print executed commands for debugging
if [ -n "$debug" ]; then if [ -n "$debug" ]; then
set -x set -x
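Review bot: `settle()` waits for the udev event queue but never verifies that the node it was introduced to wait for — `${SYSTEM_PARTITION}`, which `dd` reads immediately after the `partprobe` + `settle` pair later in the script — actually exists, so if the race the header comment describes recurs the failure still surfaces as a confusing dd error rather than a clear message. `udevadm settle` is presumably sufficient in practice, but an explicit check is cheap and makes the failure mode obvious; it also gives a message to the case where `udevadm settle` hits its default timeout and returns non-zero, which under `set -eu` otherwise aborts the script with no explanation. Suggest letting `settle` take an optional device path and asserting it is a block device, with the two `partprobe` call sites invoking `settle "${SYSTEM_PARTITION}"`. The `if [ -n "$debug" ]` block at the end of this hunk continues outside it.
```shell
# We will run this after each action that alters the device/partition
# in any way in an attempt to avoid various races that has caused this
# script to fail at various points. Examples:
#  * `partprobe /dev/sda` exiting before /dev/sda1 exists, causing
#    errors in subsequent commands attempting to use /dev/sda1
#  * `mlabel` complaining that it "could not read boot sector"
# Optional $1: a block device that must exist once udev has settled;
# fail loudly here instead of letting a later dd/fatresize hit a
# path that is not there yet.
settle() {
    sync
    udevadm settle || {
        echo "udevadm settle failed or timed out" >&2
        exit 1
    }
    sync
    if [ $# -ge 1 ] && [ ! -b "$1" ]; then
        echo "Block device $1 did not appear after settling" >&2
        exit 1
    fi
}
# … unchanged: debug tracing …
```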
...@@ -99,29 +111,36 @@ sgdisk \ ...@@ -99,29 +111,36 @@ sgdisk \
--typecode="1:${ESP_GUID}" \ --typecode="1:${ESP_GUID}" \
--change-name=1:Tails \ --change-name=1:Tails \
"${PARENT_DEVICE}" "${PARENT_DEVICE}"
settle
log_end_msg log_end_msg
# Tell the kernel to reload the partition table # Tell the kernel to reload the partition table
partprobe "${PARENT_DEVICE}" partprobe "${PARENT_DEVICE}"
settle
# fatresize overwrites the VBR, so we have to back it up to be able to # fatresize overwrites the VBR, so we have to back it up to be able to
# restore the boot code later # restore the boot code later
dd if="${SYSTEM_PARTITION}" of=/tmp/vbr bs=512 count=1 dd if="${SYSTEM_PARTITION}" of=/tmp/vbr bs=512 count=1
settle
# Grow the filesystem # Grow the filesystem
# Note that fatresize resets partition attributes # Note that fatresize resets partition attributes
# fatresize uses "Mi" for MiB, so we have to append an "i" # fatresize uses "Mi" for MiB, so we have to append an "i"
FS_SIZE="${SYSTEM_PARTITION_SIZE}"i FS_SIZE="${SYSTEM_PARTITION_SIZE}"i
fatresize --size="${FS_SIZE}" "${SYSTEM_PARTITION}" fatresize --size="${FS_SIZE}" "${SYSTEM_PARTITION}"
settle
# Restore boot code overwritten by fatresize # Restore boot code overwritten by fatresize
dd if=/tmp/vbr of="${SYSTEM_PARTITION}" bs=1 skip=90 seek=90 count=414 dd if=/tmp/vbr of="${SYSTEM_PARTITION}" bs=1 skip=90 seek=90 count=414
settle
# Restore JMP instruction which jumps to the bootcode # Restore JMP instruction which jumps to the bootcode
dd if=/tmp/vbr of="${SYSTEM_PARTITION}" bs=3 count=1 dd if=/tmp/vbr of="${SYSTEM_PARTITION}" bs=3 count=1
settle
# Set a random filesystem UUID (aka. FAT "Volume ID" / "serial number") # Set a random filesystem UUID (aka. FAT "Volume ID" / "serial number")
MTOOLS_SKIP_CHECK=1 mlabel -i "${SYSTEM_PARTITION}" -n ::Tails MTOOLS_SKIP_CHECK=1 mlabel -i "${SYSTEM_PARTITION}" -n ::Tails
settle
# Recompute CHS values for the hybrid MBR (see #16389) and set the # Recompute CHS values for the hybrid MBR (see #16389) and set the
# following attributes on the system partition (we have to set them # following attributes on the system partition (we have to set them
...@@ -139,6 +158,8 @@ sgdisk \ ...@@ -139,6 +158,8 @@ sgdisk \
--attributes=1:set:63 \ --attributes=1:set:63 \
--recompute-chs \ --recompute-chs \
"${PARENT_DEVICE}" "${PARENT_DEVICE}"
settle
# Tell the kernel to reload the partition table # Tell the kernel to reload the partition table
partprobe "${PARENT_DEVICE}" partprobe "${PARENT_DEVICE}"
settle
diff --git a/etc/apparmor.d/torbrowser.Browser.firefox b/etc/apparmor.d/torbrowser.Browser.firefox
index ece3159..c1ff8bf 100644
--- a/etc/apparmor.d/torbrowser.Browser.firefox --- a/etc/apparmor.d/torbrowser.Browser.firefox
+++ b/etc/apparmor.d/torbrowser.Browser.firefox +++ b/etc/apparmor.d/torbrowser.Browser.firefox
@@ -1,11 +1,12 @@ @@ -1,11 +1,12 @@
...@@ -14,7 +16,7 @@ ...@@ -14,7 +16,7 @@
# Uncomment the following lines if you want to give the Tor Browser read-write # Uncomment the following lines if you want to give the Tor Browser read-write
# access to most of your personal files. # access to most of your personal files.
@@ -14,6 +15,7 @@ @@ -14,6 +15,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
# Audio support # Audio support
/{,usr/}bin/pulseaudio Pixr, /{,usr/}bin/pulseaudio Pixr,
...@@ -22,7 +24,7 @@ ...@@ -22,7 +24,7 @@
#dbus, #dbus,
network netlink raw, network netlink raw,
@@ -29,6 +31,8 @@ @@ -29,6 +31,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
deny /etc/passwd r, deny /etc/passwd r,
deny /etc/group r, deny /etc/group r,
deny /etc/mailcap r, deny /etc/mailcap r,
...@@ -31,7 +33,7 @@ ...@@ -31,7 +33,7 @@
/etc/machine-id r, /etc/machine-id r,
/var/lib/dbus/machine-id r, /var/lib/dbus/machine-id r,
@@ -44,37 +48,35 @@ @@ -44,38 +48,35 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
owner @{PROC}/@{pid}/task/*/stat r, owner @{PROC}/@{pid}/task/*/stat r,
@{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/random/uuid r,
...@@ -59,6 +61,7 @@ ...@@ -59,6 +61,7 @@
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r, - owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/{,**} rwk, - owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/{,**} rwk,
- owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r, - owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
- owner @{torbrowser_home_dir}/fonts/* l,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px, - owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/ r, - owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr, - owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
...@@ -96,7 +99,7 @@ ...@@ -96,7 +99,7 @@
/etc/mailcap r, /etc/mailcap r,
/etc/mime.types r, /etc/mime.types r,
@@ -98,12 +100,6 @@ @@ -99,12 +100,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/sys/devices/system/node/node[0-9]*/meminfo r, /sys/devices/system/node/node[0-9]*/meminfo r,
deny /sys/devices/virtual/block/*/uevent r, deny /sys/devices/virtual/block/*/uevent r,
...@@ -109,7 +112,7 @@ ...@@ -109,7 +112,7 @@
# Required for multiprocess Firefox (aka Electrolysis, i.e. e10s) # Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
owner /{dev,run}/shm/org.chromium.* rw, owner /{dev,run}/shm/org.chromium.* rw,
owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw, # for Chromium IPC owner /dev/shm/org.mozilla.ipc.[0-9]*.[0-9]* rw, # for Chromium IPC
@@ -118,6 +114,25 @@ @@ -119,6 +114,25 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
deny @{HOME}/.cache/fontconfig/** rw, deny @{HOME}/.cache/fontconfig/** rw,
deny @{HOME}/.config/gtk-2.0/ rw, deny @{HOME}/.config/gtk-2.0/ rw,
deny @{HOME}/.config/gtk-2.0/** rw, deny @{HOME}/.config/gtk-2.0/** rw,
...@@ -135,9 +138,9 @@ ...@@ -135,9 +138,9 @@
deny @{PROC}/@{pid}/net/route r, deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r, deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
@@ -134,5 +149,10 @@ @@ -145,5 +159,10 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/etc/xfce4/defaults.list r, # Yubikey NEO also needs this:
/usr/share/xfce4/applications/ r, /sys/devices/**/hidraw/hidraw*/uevent r,
- #include <local/torbrowser.Browser.firefox> - #include <local/torbrowser.Browser.firefox>
+ # Deny access to global tmp directories, that's granted by the user-tmp + # Deny access to global tmp directories, that's granted by the user-tmp
...@@ -147,6 +150,8 @@ ...@@ -147,6 +150,8 @@
+ deny owner /tmp/** rwklx, + deny owner /tmp/** rwklx,
+ deny /tmp/ rwklx, + deny /tmp/ rwklx,
} }
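Review bot: The two new `deny … /tmp` rules closing the profile are quiet by default — an explicit `deny` in AppArmor suppresses the audit log entry unless `audit` is added — so if Tor Browser, or a helper it spawns to open a downloaded file, still needs a path under /tmp the breakage will not show up in the kernel/audit log while this change is being validated. The rationale is also only half-visible: the comment on the `# Deny access to global tmp directories, that's granted by the user-tmp` line is cut off in this view, so it should at least end by naming where the replacement per-user tmp directory comes from. Consider validating with `audit deny owner /tmp/** rwklx,` (or in complain mode) before shipping the quiet form. Note too that `deny owner /tmp/** rwklx,` covers only files the profile's user owns; entries another user created under /tmp fall through to whatever the remaining rules and abstractions grant, which is presumably intended but worth stating in the comment.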
diff --git a/etc/apparmor.d/tunables/torbrowser b/etc/apparmor.d/tunables/torbrowser
index 9b31139..f77e082 100644
--- a/etc/apparmor.d/tunables/torbrowser --- a/etc/apparmor.d/tunables/torbrowser
+++ b/etc/apparmor.d/tunables/torbrowser +++ b/etc/apparmor.d/tunables/torbrowser
@@ -1,2 +1 @@ @@ -1,2 +1 @@
......