Merge remote-tracking branch 'origin/feature/12263-remove-i2p' into feature/stretch (refs: #12263).

.gitignore

@@ -46,7 +46,6 @@
 /config/chroot_local-includes/usr/share/applications/tails-reboot.desktop
 /config/chroot_local-includes/usr/share/applications/unsafe-browser.desktop
 /config/chroot_local-includes/usr/share/applications/tails-shutdown.desktop
-/config/chroot_local-includes/usr/share/applications/i2p-browser.desktop
 /config/chroot_local-includes/usr/share/applications/tor-browser.desktop
 /config/chroot_local-includes/usr/share/applications/tails-about.desktop
 /config/chroot_local-includes/usr/share/desktop-directories/Tails.directory

config/binary_rootfs/squashfs.sort

@@ -460,8 +460,6 @@ usr/bin/expr                                                         32082
 usr/bin/bc                                                           32081
 lib/live/config/2060-create-upgrader-run-directory                   32079
 usr/bin/install                                                      32078
-lib/live/config/2080-install-i2p                                     32077
-usr/local/lib/tails-shell-library/i2p.sh                             32076
 usr/local/lib/tails-shell-library/common.sh                          32075
 usr/local/lib/tails-shell-library/localization.sh                    32074
 lib/live/config/7000-debug                                           32073
@@ -2839,7 +2837,6 @@ usr/share/applications/mimeinfo.cache                                29205
 usr/share/gnome/applications/vim.desktop                             29204
 usr/share/gnome/applications/nm-connection-editor.desktop            29203
 usr/share/gnome/applications/gnome-power-statistics.desktop          29202
-usr/share/gnome/applications/openjdk-7-policytool.desktop            29201
 usr/share/gnome/applications/orca.desktop                            29200
 usr/share/applications/gnome-bluetooth-panel.desktop                 29199
 usr/lib/libreoffice/share/xdg/xsltfilter.desktop                     29198
@@ -3122,7 +3119,6 @@ etc/xdg/menus/applications-merged/Tails.menu                         28920
 usr/share/applications/gnome-power-statistics.desktop                28919
 usr/share/applications/nm-connection-editor.desktop                  28918
 usr/lib/i386-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0          28917
-usr/share/applications/openjdk-7-policytool.desktop                  28916
 usr/share/applications/orca.desktop                                  28915
 usr/share/applications/vim.desktop                                   28914
 usr/share/desktop-directories/ActionGames.directory                  28913
@@ -4097,7 +4093,6 @@ usr/lib/i386-linux-gnu/libopencv_contrib.so.2.4.9                    27944
 usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt 27943
 usr/lib/i386-linux-gnu/libopencv_core.so.2.4.9                       27942
 usr/lib/i386-linux-gnu/libopencv_highgui.so.2.4.9                    27941
-etc/NetworkManager/dispatcher.d/30-i2p.sh                            27940
 etc/NetworkManager/dispatcher.d/60-tor-ready.sh                      27939
 usr/local/sbin/tor-has-bootstrapped                                  27938
 usr/bin/gettext                                                      27937

config/chroot_local-hooks/06-adduser_i2pbrowser

-#!/bin/sh
-
-set -e
-
-# Create the i2pbrowser user.
-#
-# We run i2p-browser under this user
-
-echo "Creating the i2pbrowser user"
-
-adduser --system --quiet --group i2pbrowser

config/chroot_local-hooks/16-i2p_config

-#!/bin/sh
-
-set -e
-
-echo "Configuring I2P"
-
-I2P="/usr/share/i2p"
-I2PROUTER="/usr/bin/i2prouter"
-WRAPPER="/etc/i2p/wrapper.config"
-
-# This must be set in order for the i2p init script to work
-sed -i 's/^RUN_DAEMON=.*$/RUN_DAEMON="true"/' /etc/default/i2p
-
-# Remove the "i2prouter" script, its man page, and its apparmor profile
-# since these are not used by Tails:
-rm /etc/apparmor.d/usr.bin.i2prouter /usr/share/man/man1/i2prouter.1.gz
-
-# Install custom i2prouter stub scripts
-for script in ${I2PROUTER} ${I2PROUTER}-nowrapper; do
-    echo "Removing $script"
-    dpkg-divert --rename --add "${script}"
-    cat > "$script" << EOF
-#!/bin/sh
-echo "This script is not used by Tails."
-echo "See https://tails.boum.org/doc/anonymous_internet/i2p/ for more information."
-exit 0
-EOF
-    chmod 755 "$script"
-done
-
-# Remove the outproxy from the tunnel on port 4444
-# This will remove the following lines:
-#      tunnel.0.proxyList=false.i2p
-#      tunnel.0.option.i2ptunnel.httpclient.SSLOutproxies=false.i2p
-# The SSLOutproxies option was first set in I2P 0.9.15
-sed -i '/^.*tunnel\.0\.\(proxyList\|option\.i2ptunnel\.httpclient\.SSLOutproxies\)/d' "$I2P/i2ptunnel.config"
-
-# Disable the https outproxy (port 4445)
-sed -i 's|^.*\(tunnel\.6\.startOnLoad\).*|\1=false|' "$I2P/i2ptunnel.config"
-
-# Don't serve the router console on IPv6
-sed -i 's|^clientApp\.0\.args=7657\s\+::1,127\.0\.0\.1|clientApp.0.args=7657 127.0.0.1|' "$I2P/clients.config"
-
-# Disable IPv6 in the wrapper
-sed -i 's|^.*\(wrapper\.java\.additional\.5=-Djava\.net\.preferIPv4Stack=\).*|\1true|' "$WRAPPER"
-sed -i 's|^.*\(wrapper\.java\.additional\.6=-Djava\.net\.preferIPv6Addresses=\).*|\1false|' "$WRAPPER"
-
-# Tails specific router configs:
-# * i2cp: allows java clients to communicate with I2P outside of the JVM. Disabled.
-# * IPv6: Disabled
-# * HiddenMode: Enabled
-# * In-I2P Network Updates: Disabled
-# * Inbound connections: Disabled (setting is "i2cp.ntcp.autoip")
-# * Disable I2P plugins
-# * Disable NTP
-cat > "$I2P/router.config" << EOF
-# NOTE: This I2P config file must use UTF-8 encoding
-i2cp.disableInterface=true
-i2np.ntcp.ipv6=false
-i2np.ntcp.autoip=false
-i2np.udp.ipv6=false
-router.isHidden=true
-router.updateDisabled=true
-router.enablePlugins=false
-time.disabled=true
-EOF
-
-cat > "$I2P/susimail.config" << EOF
-susimail.pop3.leave.on.server=true
-EOF
-
-# enforce apparmor
-echo Setting the I2P apparmor profile to enforce mode
-sed  -i -re 's|flags=\(complain\)||' /etc/apparmor.d/system_i2p

config/chroot_local-hooks/52-update-rc.d

@@ -22,7 +22,6 @@ systemctl enable tor-controlport-filter.service
 systemctl --global enable tails-add-GNOME-bookmarks.service
 systemctl --global enable tails-configure-keyboard.service
 systemctl --global enable tails-create-tor-browser-directories.service
-systemctl --global enable tails-i2p-removal-notify-user.service
 systemctl --global enable tails-security-check.service
 systemctl --global enable tails-upgrade-frontend.service
 systemctl --global enable tails-virt-notify-user.service
@@ -46,9 +45,6 @@ systemctl disable tor.service
 systemctl disable NetworkManager.service
 systemctl disable NetworkManager-wait-online.service
 
-# We don't run these services by default
-systemctl disable i2p.service
-
 # Don't hide tails-kexec's shutdown messages with an empty splash screen
 for suffix in halt kexec poweroff reboot shutdown ; do
    systemctl mask "plymouth-${suffix}.service"

config/chroot_local-hooks/97-remove_i2p

-#!/bin/sh
-
-set -u
-set -e
-
-# Everything moved by this hook script will be reversed in the event that
-# the string "i2p" is entered at a boot prompt
-
-DEST="/usr/share/tails/i2p-disabled"
-
-[ -d "/usr/share/i2p" ] || return 0
-
-mkdir "$DEST"
-mv -f /usr/share/i2p "$DEST"
-mv -f /usr/sbin/wrapper "$DEST"
-mv -f /usr/share/applications/i2p-browser.desktop "$DEST"

config/chroot_local-includes/etc/NetworkManager/dispatcher.d/30-i2p.sh

-#!/bin/sh
-
-# I2P isn't started automatically at system boot.
-# Instead, it is started with this hook script.
-
-# Import i2p_is_enabled().
-. /usr/local/lib/tails-shell-library/i2p.sh
-
-# Don't even try to run this script if I2P is not enabled.
-i2p_is_enabled || exit 0
-
-# don't run if interface is 'lo'
-if [ -z "$1" ] || [ "$1" = "lo" ]; then
-    exit 0
-fi
-
-if [ "$2" = "up" ]; then
-    /usr/local/sbin/tails-i2p start &
-fi

config/chroot_local-includes/etc/ferm/ferm.conf

@@ -3,11 +3,6 @@
 #  Configuration file for ferm(1).
 #
 
-# I2P rules that grant access to the "i2psvc" user (those with $use_i2p) will
-# only be enabled if the string "i2p" is entered at the boot prompt.
-# Deny or reject rules affecting "i2psvc" will always be set.
-def $use_i2p = `test -d /usr/share/i2p && echo 1 || echo 0`;
-
 # When ferm starts initially during early boot, the "amnesia" user does not
 # exist yet, so we have to use its UID (#7018).
 def $amnesia_uid = 1000;
@@ -74,42 +69,12 @@ domain ip {
                     mod owner uid-owner $amnesia_uid ACCEPT;
                 }
 
-                # Whitelist access to Tor's DNSPort so I2P can resolve hostnames when bootstrapping
-                daddr 127.0.0.1 proto udp dport 5353 {
-                    @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
-                }
-
                 # White-list access to the accessibility daemon
                 daddr 127.0.0.1 proto tcp syn dport 4101 {
                     mod owner uid-owner $amnesia_uid ACCEPT;
                     mod owner uid-owner Debian-gdm ACCEPT;
                 }
 
-                # White-list access to I2P services for the amnesia user (IRC, SAM, POP3, SMTP, and Monotone)
-                # For more information, see https://tails/boum.org/contribute/design/I2P and https://geti2p.net/ports
-                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (6668 7656 7659 7660 8998) {
-                    @if $use_i2p mod owner uid-owner $amnesia_uid ACCEPT;
-                }
-
-                # Whitelist access to I2P services for the i2psvc user,
-                # otherwise mail and eepsite hosting won't work. The mail ports (7659 and 7660) are
-                # accessed by the webmail app
-                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (7658 7659 7660) {
-                    @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
-                }
-
-                # Whitelist access to the i2pbrowser user
-                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (4444 7657 7658) {
-                    @if $use_i2p mod owner uid-owner i2pbrowser ACCEPT;
-                }
-
-                # White-list access to the java wrapper's (used by I2P) control ports
-                # (see: http://wrapper.tanukisoftware.com/doc/english/prop-port.html)
-                # If, for example, port 31000 is in use, it'll try the next one in sequence.
-                daddr 127.0.0.1 proto tcp sport (31000 31001 31002) dport (32000 32001 32002) {
-                    @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
-                }
-
                 # White-list access to CUPS
                 daddr 127.0.0.1 proto tcp syn dport 631 {
                     mod owner uid-owner $amnesia_uid ACCEPT;
@@ -136,14 +101,13 @@ domain ip {
             }
 
             # Local network connections should not go through Tor but DNS shall be
-            # rejected. I2P is explicitly blocked from communicating with the LAN.
-            # (Note that we exclude the VirtualAddrNetwork used for .onion:s here.)
+            # rejected. (Note that we exclude the VirtualAddrNetwork used for
+            # .onion:s here.)
             daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
                 proto tcp dport domain REJECT;
                 proto udp dport domain REJECT;
                 proto tcp dport netbios-ns REJECT;
                 proto udp dport netbios-ns REJECT;
-                mod owner uid-owner i2psvc REJECT;
                 ACCEPT;
             }
 
@@ -152,11 +116,6 @@ domain ip {
                 proto tcp syn mod state state (NEW) ACCEPT;
             }
 
-            # i2p is allowed to do anything it wants to on the internet.
-            outerface ! lo mod owner uid-owner i2psvc {
-                @if $use_i2p proto (tcp udp) ACCEPT;
-            }
-
             # Everything else is logged and dropped.
             LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
             REJECT reject-with icmp-port-unreachable;

config/chroot_local-includes/etc/skel/.purple/blist.xml

 <?xml version='1.0' encoding='UTF-8' ?>
 
 <purple version='1.0'>
-	<blist>
-		<group name='Discussions'>
-			<setting name='collapsed' type='bool'>0</setting>
-			<chat proto='prpl-irc' account='XXX_NICK_XXX@127.0.0.1'>
-				<component name='channel'>#i2p</component>
-			</chat>
-		</group>
-	</blist>
 	<privacy>
 		<account proto='prpl-irc' name='XXX_NICK_XXX@irc.oftc.net' mode='1'/>
-		<account proto='prpl-irc' name='XXX_NICK_XXX@127.0.0.1' mode='1'/>
 	</privacy>
 </purple>

config/chroot_local-includes/lib/live/config/2080-install-i2p

-#!/bin/sh
-
-# This script reverses everything done by config/chroot_local-hooks/97_remove_i2p
-# when the string "i2p" is added to the boot prompt.
-
-# Import i2p_is_enabled().
-. /usr/local/lib/tails-shell-library/i2p.sh
-
-SRC="/usr/share/tails/i2p-disabled"
-
-Install_I2P(){
-    mv "$SRC/wrapper" /usr/sbin/wrapper
-    mv "$SRC/i2p-browser.desktop" /usr/share/applications
-    mv "$SRC/i2p" /usr/share
-    rmdir "$SRC"
-}
-
-Add_Sudo_Config(){
-    echo "amnesia   ALL = NOPASSWD: /usr/local/sbin/i2p-browser" > /etc/sudoers.d/zzz_i2pbrowser
-    chown root:root /etc/sudoers.d/zzz_i2pbrowser
-    chmod 0440 /etc/sudoers.d/zzz_i2pbrowser
-}
-
-if i2p_is_enabled && [ -d "$SRC" ]; then
-   Install_I2P
-   Add_Sudo_Config
-fi

config/chroot_local-includes/lib/systemd/system/i2p.service.d/AppArmor.conf

-[Service]
-# XXX:Stretch: on Jessie, AppArmorProfile=system_i2p is a no-op, since
-# AppArmor support was enabled in Debian's systemd 218-4 (#10925).
-ExecStart=
-ExecStart=/usr/sbin/aa-exec --profile=system_i2p -- /usr/sbin/wrapper "$I2P_ARGS"

config/chroot_local-includes/usr/lib/systemd/user/tails-i2p-removal-notify-user.service

-[Unit]
-Description=Warn the user that I2P will be removed
-ConditionKernelCommandLine=i2p
-
-[Service]
-Type=oneshot
-ExecStart=/usr/local/lib/tails-i2p-removal-notify-user
-RemainAfterExit=yes
-
-[Install]
-WantedBy=desktop.target

config/chroot_local-includes/usr/local/lib/tails-i2p-removal-notify-user

-#!/usr/bin/perl
-
-use strict;
-use warnings;
-
-#man{{{
-
-=head1 NAME
-
-tails-i2p-removal-notify-user
-
-=head1 VERSION
-
-Version X.XX
-
-=head1 AUTHOR
-
-Tails dev team <amnesia@boum.org>
-See https://tails.boum.org/.
-
-=cut
-
-#}}}
-
-use Desktop::Notify;
-use English '-no_match_vars';
-use Locale::gettext;
-use Net::DBus::Reactor;
-use POSIX;
-
-### initialization
-setlocale(LC_MESSAGES, "");
-textdomain("tails");
-
-### callbacks
-
-sub action_cb {
-    my $reactor = shift;
-    unless (fork) {
-        exec(
-            '/usr/local/bin/tails-documentation',
-            'doc/anonymous_internet/i2p',
-            'removal',
-        );
-    }
-    $reactor->shutdown;
-}
-
-### main
-
-my $reactor = Net::DBus::Reactor->main;
-
-my $notify  = Desktop::Notify->new();
-$notify->action_callback(sub { action_cb($reactor, @_) });
-$notify->close_callback(sub { $reactor->shutdown; });
-
-my $summary = gettext("Warning: I2P will be removed in Tails 2.12");
-$notify->create(summary => $summary,
-                actions => { "moreinfo_$PID" => gettext('Learn more'), },
-                hints   => { 'transient' => 1, },
-                timeout => 0)->show();
-
-$reactor->run;

config/chroot_local-includes/usr/local/lib/tails-shell-library/i2p.sh

-#!/bin/sh
-
-# Import set_simple_config_key().
-. /usr/local/lib/tails-shell-library/common.sh
-
-# Import language_code_from_locale().
-. /usr/local/lib/tails-shell-library/localization.sh
-
-I2P_DEFAULT_CONFIG="/usr/share/i2p"
-I2P_CONFIG="/var/lib/i2p/i2p-config"
-I2P_TUNNEL_CONFIG="${I2P_CONFIG}/i2ptunnel.config"
-I2P_WRAPPER_LOG="/var/log/i2p/wrapper.log"
-
-i2p_is_enabled() {
-    grep -qw "i2p" /proc/cmdline
-}
-
-i2p_eep_proxy_address() {
-    # We retrieve the host and port number from the I2P profile. This
-    # shouldn't be anywhere other than 127.0.0.1:4444 but in case
-    # someone modifies the hook scripts or the default changes in I2P,
-    # this check should still work.
-    local listen_host listen_port
-    listen_host=$(awk -F= '/^tunnel\.0\.interface/{print $2}' \
-                      "${I2P_TUNNEL_CONFIG}")
-    listen_port=$(awk -F= '/^tunnel\.0\.listenPort/{print $2}' \
-                      "${I2P_TUNNEL_CONFIG}")
-    echo ${listen_host}:${listen_port}
-}
-
-i2p_reseed_started() {
-    grep -q 'Reseed start$' "${I2P_WRAPPER_LOG}"
-}
-
-i2p_reseed_failed() {
-    grep -q 'Reseed failed, check network connection$' "${I2P_WRAPPER_LOG}"
-}
-
-i2p_reseed_completed() {
-    grep -q "Reseed complete" "${I2P_WRAPPER_LOG}"
-}
-
-i2p_reseed_status() {
-    if i2p_reseed_completed; then
-        echo success
-    elif i2p_reseed_failed; then
-        echo failure
-    elif i2p_reseed_started; then
-        echo running
-    fi
-}
-
-i2p_built_a_tunnel() {
-    ss -nlp | grep -qwF "$(i2p_eep_proxy_address)"
-}
-
-i2p_router_console_address() {
-    echo 127.0.0.1:7657
-}
-
-i2p_router_console_is_ready() {
-    ss -nlp | grep -qwF "$(i2p_router_console_address)"
-}
-
-set_best_i2p_router_console_lang() {
-    # We will use the detected language even if I2P doesn't support it; it
-    # will default to English in that case.
-    local lang="$(language_code_from_locale "${LANG}")"
-    # We first try to set it in an existing "live" config, even though
-    # the effect will only appear after a restart.
-    local config
-    for config in "${I2P_CONFIG}/router.config" \
-                  "${I2P_DEFAULT_CONFIG}/router.config"; do
-        if [ -e "${config}" ]; then
-            set_simple_config_key "${config}" "routerconsole.lang" "${lang}"
-            return 0
-        fi
-    done
-    return 1
-}

config/chroot_local-includes/usr/local/sbin/i2p-browser

-#!/bin/sh
-
-set -e
-set -u
-
-. gettext.sh
-TEXTDOMAIN="tails"
-export TEXTDOMAIN
-
-# Import the TBB_EXT variable, and guess_best_tor_browser_locale().
-. /usr/local/lib/tails-shell-library/tor-browser.sh
-
-# Import try_cleanup_browser_chroot(), setup_browser_chroot(),
-# configure_chroot_dns_servers(), configure_chroot_browser(),
-# configure_chroot_browser(), set_chroot_browser_locale()
-# set_chroot_torbutton_browser_name(), set_chroot_browser_permissions()
-# and run_browser_in_chroot().
-. /usr/local/lib/tails-shell-library/chroot-browser.sh
-
-# Import i2p_router_console_is_ready() and i2p_is_enabled().
-. /usr/local/lib/tails-shell-library/i2p.sh
-
-error () {
-    local cli_text="${CMD}: `gettext \"error:\"` ${@}"
-    local dialog_text="<b><big>`gettext \"Error\"`</big></b>
-
-${@}"
-    echo "${cli_text}" >&2
-    sudo -u "${SUDO_USER}" zenity --error --title "" --text "${dialog_text}"
-    exit 1
-}
-
-verify_start () {
-    # Make sure the user really wants to start the browser in case the router console isn't available
-    local dialog_msg="<b><big>`gettext \"Do you still want to launch I2P Browser?\"`</big></b>
-
-`gettext \"The I2P router console is not ready.\"`"
-    local launch="`gettext \"_Launch\"`"
-    local exit="`gettext \"_Exit\"`"
-    if ! sudo -u "${SUDO_USER}" \
-         zenity --question --title "" --text "${dialog_msg}" --default-cancel \
-         --cancel-label "${exit}"  --ok-label "${launch}" ; then
-        exit 0
-    fi
-}
-
-show_start_notification () {
-    local title="`gettext \"Starting the I2P Browser...\"`"
-    local body="`gettext \"This may take a while, so please be patient.\"`"
-    tails-notify-user "${title}" "${body}" 10000
-}
-
-copy_extra_tbb_prefs () {
-    local chroot="${1}"
-    local browser_name="${2}"
-    local browser_user="${3}"
-
-    local tbb_prefs="/etc/tor-browser/profile/preferences"
-    local browser_prefs_dir="${chroot}/home/${browser_user}/.${browser_name}/profile.default/preferences"
-    mkdir -p "${browser_prefs_dir}"
-    # Selectively copy the TBB prefs we want
-    sed '/\(security\|update\|download\|spell\|noscript\|torbrowser\)/!d' "${tbb_prefs}/0000tails.js" > \
-                    "${browser_prefs_dir}/0000tails.js"
-    sed '/\(capability\|noscript\)/!d' "${tbb_prefs}/extension-overrides.js" > \
-                    "${browser_prefs_dir}/extension-overrides.js"
-    chown -R "${browser_user}:${browser_user}" "${browser_prefs_dir}"
-}
-
-show_shutdown_notification () {
-    local title="`gettext \"Shutting down the I2P Browser...\"`"
-    local body="`gettext \"This may take a while, and you may not restart the I2P Browser until it is properly shut down.\"`"
-    tails-notify-user "${title}" "${body}" 10000
-}
-
-# Main script:
-
-# This isn't very useful without I2P...
-i2p_is_enabled || exit 0
-
-CMD="$(basename "${0}")"
-LOCK="/var/lock/${CMD}"
-CONF_DIR="/var/lib/i2p-browser"
-COW="${CONF_DIR}/cow"
-CHROOT="${CONF_DIR}/chroot"
-BROWSER_NAME="i2p-browser"
-BROWSER_USER="i2pbrowser"
-HOME_PAGE="http://127.0.0.1:7657"
-NOSCRIPT_EXT_XPI="${TBB_EXT}/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi"
-TORBUTTON_EXT_DIR="${TBB_EXT}/torbutton@torproject.org"
-HUMAN_READABLE_NAME="`gettext \"I2P Browser\"`"
-IP4_NAMESERVERS="0.0.0.0"
-
-# Prevent multiple instances of the script.
-exec 9>"${LOCK}"
-if ! flock -x -n 9; then
-    error "`gettext \"Another I2P Browser is currently running, or being cleaned up. Please retry in a while.\"`"
-fi