Commit 2bb6dfed authored by intrigeri

Merge remote-tracking branch 'origin/devel' into...

Merge remote-tracking branch 'origin/devel' into hefee/bugfix/16186-disable-autocrypt+force-all-tests
parents 6c9cd212 b8bf6b87
......@@ -26,7 +26,7 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
# Kernel version
KERNEL_VERSION='4.18.0-3'
KERNEL_VERSION='4.19.0-1'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
......@@ -92,6 +92,12 @@ Package: systemd systemd-sysv systemd-container systemd-journal-remote systemd-c
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Explanation: src:systemd
Explanation: systemd >= v240 required to fix CVE-2018-16864, CVE-2018-16865 and CVE-2018-16866 (#16352)
Package: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump systemd-tests libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: openpgp-applet
Pin: release o=Debian,n=sid
Pin-Priority: 999
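Review bot: the `Explanation:` line on the new deb.tails.boum.org stanza for systemd says v240 or later is required, but `Pin: origin deb.tails.boum.org` with `Pin-Priority: 999` expresses no version, and the stretch-backports stanza just above it pins the same family of packages at the same priority. With equal priorities APT simply takes the highest version among the candidates, so if the Tails repository ever lacks a v240+ build the image is still produced, with whatever backports offers. A build-time check that the installed systemd is at least 240 would turn the requirement stated in the Explanation into something enforced, and a short note on when this pin can be dropped would help the next cleanup.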
......@@ -100,6 +106,11 @@ Package: tails-installer
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Explanation: #16348
Package: tor tor-geoipdb
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: virtualbox*
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
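Review bot: `Explanation: #16348` on the new `tor tor-geoipdb` stanza gives only a ticket number, unlike the systemd stanza earlier in this file, which states the reason for its pin. Say in the Explanation why tor has to come from deb.tails.boum.org and under what condition the pin can be removed, so that a stale pin on a network-facing package is easy to spot later.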
......
......@@ -27,5 +27,5 @@ done
# Redirect to existing wrapper
sed -i'' --regexp-extended 's,^Exec=pidgin$,Exec=/usr/local/bin/pidgin,' \
"/usr/share/applications/pidgin.desktop"
sed -i'' --regexp-extended 's,^Exec=/usr/bin/totem$,Exec=/usr/local/bin/totem,' \
sed -i'' --regexp-extended 's,^Exec=/usr/bin/totem(\s+.*)?$,Exec=/usr/local/bin/totem,' \
"/usr/share/dbus-1/services/org.gnome.Totem.service"
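Review bot: in the totem substitution, `(\s+.*)?` now matches trailing arguments on the `Exec=` line, but the replacement `Exec=/usr/local/bin/totem` does not reuse the group, so any arguments the D-Bus service file passed are dropped. If the wrapper is meant to be started without them, say so in the comment above; otherwise append `\1` to the replacement. Because `sed -i` exits 0 when nothing matches, a `grep -qx` for the rewritten line right after it would make this hook fail the build the next time the upstream `Exec=` format changes, instead of shipping a service file that bypasses the wrapper.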
......@@ -12,8 +12,8 @@ echo "Setting up a build environment for kernel modules"
# install_fake_package()
. /usr/local/lib/tails-shell-library/build.sh
# Install gcc-6 and fake linux-compiler-gcc-7-x86
# (linux-headers-4.14+ depends on it, but Stretch hasn't GCC 7)
# Install gcc-6 and fake linux-compiler-gcc-8-x86
# (linux-headers-4.19+ depends on it, but Stretch hasn't GCC 8)
# XXX:Buster: remove this hack.
ensure_hook_dependency_is_installed gcc-6
NEWEST_INSTALLED_KERNEL_VERSION="$(
......@@ -21,9 +21,9 @@ NEWEST_INSTALLED_KERNEL_VERSION="$(
| sort --version-sort | tail -n1
)"
install_fake_package \
linux-compiler-gcc-7-x86 \
linux-compiler-gcc-8-x86 \
"${NEWEST_INSTALLED_KERNEL_VERSION}~0tails1"
ln -s /usr/bin/gcc-6 /usr/bin/gcc-7
ln -s /usr/bin/gcc-6 /usr/bin/gcc-8
ensure_hook_dependency_is_installed \
build-essential \
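Review bot: `ln -s /usr/bin/gcc-6 /usr/bin/gcc-8`, combined with the fake `linux-compiler-gcc-8-x86` package, means the kernel modules are compiled by GCC 6 under a GCC 8 name, and nothing in the hook records or checks that. The `XXX:Buster` comment explains why the dependency is faked but not that the resulting modules come from a different compiler than the one the 4.19 headers declare. Please state that in the comment and log the real compiler version in the build output, so a module build that loses a compiler option GCC 6 does not support can be noticed from the log.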
......
......@@ -18,6 +18,7 @@ systemctl enable tails-shutdown-on-media-removal.service
systemctl enable tails-tor-has-bootstrapped.target
systemctl enable tails-wait-until-tor-has-bootstrapped.service
systemctl enable tails-tor-has-bootstrapped-flag-file.service
systemctl enable run-initramfs.mount
systemctl enable var-tmp.mount
# Enable our own systemd user unit files
......
fs.protected_fifos = 2
fs.protected_regular = 2
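Review bot: `fs.protected_fifos = 2` and `fs.protected_regular = 2` are added without any comment. Both sysctls exist only from Linux 4.19 on, which is the version this merge bumps `KERNEL_VERSION` to, so a comment stating that dependency would help anyone who later reverts or backports the kernel change. It is also worth noting in the file that value 2 extends the restriction from world-writable sticky directories (value 1) to group-writable ones, since that is the part most likely to surprise an application.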
......@@ -8,9 +8,6 @@ set -x
# initramfs during shutdown: in the initramfs, this script is
# overwritten with /usr/local/lib/initramfs-pre-shutdown-hook.
# Otherwise systemd-shutdown cannot execute /run/initramfs/shutdown
/bin/mount -o remount,exec /run
# Debugging
/bin/ls -l /run/initramfs
......
# This allows systemd-shutdown to execute /run/initramfs/shutdown.
# XXX:Bullseye: if https://github.com/systemd/systemd/pull/9429 is merged,
# we can remove this custom code.
[Unit]
Description=Extracted initrd directory
ConditionPathIsSymbolicLink=!/run/initramfs
DefaultDependencies=no
Before=initramfs-shutdown.service local-fs.target
[Mount]
What=tmpfs
Where=/run/initramfs
Type=tmpfs
Options=mode=755
[Install]
WantedBy=local-fs.target
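Review bot: `Options=mode=755` in the `[Mount]` section leaves the new tmpfs with default mount flags and the default tmpfs size limit. The header comment says the purpose is to let systemd-shutdown execute `/run/initramfs/shutdown`, which only needs the mount to be executable, so consider adding `nosuid` (and `nodev` if the extracted initrd does not rely on static device nodes) plus an explicit `size=` to bound how much RAM this mount can take. If the defaults are deliberate, a one-line comment next to `Options=` saying so would settle the question for later readers.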
......@@ -44,13 +44,6 @@ boot_device() {
# First clean the screen, then brutally shutdown the machine.
do_stop() {
# Really make sure that the CD is ejected
# FIXME: this might not be necessary with future kernel/udev
if [ "${DEV_TYPE}" = "cd" ]; then
/usr/bin/eject -i off "${BOOT_DEVICE}" || true
/usr/bin/eject -m "${BOOT_DEVICE}" || true
fi
# Kill everything run by amnesia or Debian-gdm, otherwise emergency
# shutdown fails for some reason. Incidentally, this also allows
# the test suite to look for a known message ("Happy dumping!")
......
@product
Feature: Emergency shutdown
As a Tails user
when I unplug my Tails device to trigger emergency shutdown
I want the system memory to be free from sensitive data.
# Test something close to real-world usage, without interfering,
# i.e. without the "I prepare Tails for memory erasure tests" step;
......
......@@ -36,20 +36,20 @@ Feature: Spoofing MAC addresses
Scenario: MAC address spoofing fails and macchanger returns false
Given macchanger will fail by not spoofing and always returns false
When I log in to a new session
# XXX: workaround for #11941
And I see the "Network card disabled" notification after at most 60 seconds
Then no network interfaces are enabled
And no network device leaked the real MAC address
# XXX: workaround for #11941
And I see the "Network card disabled" notification after at most 60 seconds
#10774
@fragile
Scenario: MAC address spoofing fails and macchanger returns true
Given macchanger will fail by not spoofing and always returns true
When I log in to a new session
# XXX: workaround for #11941
And I see the "Network card disabled" notification after at most 60 seconds
Then no network interfaces are enabled
And no network device leaked the real MAC address
# XXX: workaround for #11941
And I see the "Network card disabled" notification after at most 60 seconds
#10774
@fragile
......@@ -57,10 +57,10 @@ Feature: Spoofing MAC addresses
Given macchanger will fail by not spoofing and always returns true
And no network interface modules can be unloaded
When I log in to a new session
And I see the "All networking disabled" notification after at most 60 seconds
Then 1 network interface is enabled
But the MAC spoofing panic mode disabled networking
And no network device leaked the real MAC address
And I see the "All networking disabled" notification after at most 60 seconds
Scenario: The MAC address is not leaked when booting Tails
Given a computer
......
Subproject commit a93b3dc526afe614f133b738ddf7fcab06bfd366
Subproject commit dc68432bc8fed5faf20f2a0889739a13110abdc1
......@@ -29,6 +29,16 @@ in the initramfs. That one will unmount all filesystems, run
that helps us automatically test this behavior, and finally perform
the requested poweroff/reboot action.
To make this work, a dedicated `tmpfs` filesystem is [[!tails_gitweb
config/chroot_local-includes/lib/systemd/system/run-initramfs.mount
desc="mounted"]] on `/run/initramfs`: `/run` is mounted with the
`noexec` option and while our attempts to remount it with `exec`
worked for clean shutdown, they failed for emergency shutdown, i.e.
when the boot medium is physically removed.
For details about the underlying systemd mechanisms, see `bootup(7)`
and `systemd-shutdown(8)`.
#### Triggers
Different kinds of events trigger the memory erasure process. All lead
......