Commit 321f8b9d authored by anonym's avatar anonym

Merge remote-tracking branch 'origin/feature/14976-linux-4.14+force-all-tests' into stable

Fix-committed: #14976
parents c61ac2f1 49cefd79
......@@ -26,7 +26,7 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
# Kernel version
KERNEL_VERSION='4.13.0-1'
KERNEL_VERSION='4.14.0-3'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
#! /bin/sh
set -e
set -u
set -x
echo "Checking if we should stop shipping our own AppArmor feature set"
if [ -f /usr/share/apparmor-features/features ]; then
if cmp -q /usr/share/apparmor-features/features.Tails \
/usr/share/apparmor-features/features; then
echo "Debian ships the same AppArmor feature set as ours. " \
"Likely we can now remove our own one." >&2
else
echo "Debian ships a different AppArmor feature set from ours. " \
"Likely our own one is outdated and can be removed:" >&2
diff -Naur \
/usr/share/apparmor-features/features.Tails \
/usr/share/apparmor-features/features \
>&2
fi
# In any case, we probably have to do something about it.
exit 1
fi
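Review bot: `cmp -q` in the inner `if` is, as far as I know, not an option GNU cmp accepts; silent mode is `-s`, with `--quiet`/`--silent` as the long forms. cmp would then exit with a usage error and the script would always take the "different feature set" branch, even when the two files are identical. Because the call sits in an `if` condition, `set -e` does not surface that failure. Changing the line to `if cmp -s /usr/share/apparmor-features/features.Tails \` restores the intended comparison. The hook exits 1 in both branches, so only the message shown to whoever decides about the pinned feature set is affected.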
......@@ -2,31 +2,39 @@
set -e
set -u
set -x
echo "Building dkms modules"
. /usr/share/amnesia/build/variables
# the -dkms package must be installed *after* dkms to be properly registered
apt-get install --yes build-essential dkms
# Import install_fake_package
. /usr/local/lib/tails-shell-library/build.sh
# Install gcc-6 and fake linux-compiler-gcc-7-x86
# (linux-headers-4.14+ depends on it, but Stretch hasn't GCC 7)
# XXX:Buster: remove this hack.
apt-get install --yes gcc-6
install_fake_package \
linux-compiler-gcc-7-x86 \
"$(apt-cache policy linux-compiler-gcc-7-x86 | awk '/ +Candidate:/ {print $2}')~0tails1"
ln -s /usr/bin/gcc-6 /usr/bin/gcc-7
# Any -dkms package must be installed *after* dkms to be properly registered
apt-get install --yes \
build-essential \
dkms \
libelf-dev
# Installing the headers triggers the building of the modules for that kernel
apt-get install --yes \
"linux-headers-${KERNEL_VERSION}-amd64" \
aufs-dkms \
virtualbox-guest-dkms
MODULES_VERSION="$(dpkg-query -W -f='${Version}\n' virtualbox-guest-dkms \
| sed -E 's,-.*,,')"
dkms build \
-a amd64 -k "${KERNEL_VERSION}-amd64" \
-m virtualbox-guest -v "$MODULES_VERSION"
dkms install \
-a amd64 -k "${KERNEL_VERSION}-amd64" \
-m virtualbox-guest -v "$MODULES_VERSION"
# clean the build directory
# rm -r /var/lib/dkms/virtualbox-guest/
for log in $(ls /var/lib/dkms/*/*/build/make.log); do
echo "---- $log"
cat "$log"
done
# Ensure the modules were actually built and installed: when
# dkms.conf for a DKMS module includes a BUILD_EXCLUSIVE directive
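Review bot: `ln -s /usr/bin/gcc-6 /usr/bin/gcc-7` creates a file that no package owns, and nothing visible in this commit removes it. The purge list in the later hunk drops `gcc-6` and `^linux-compiler-*`, which would leave `/usr/bin/gcc-7` as a dangling symlink in the image unless it is cleaned up outside the lines shown. Adding `rm -f /usr/bin/gcc-7` once `dkms install` has finished would keep the hack contained to this hook. Separately, the version passed to `install_fake_package` comes from a command substitution whose failure `set -e` will not catch, so an empty or `(none)` candidate would yield a bogus version string; checking that the value is non-empty before use would make that case fail loudly. The script continues past the end of this hunk.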
......
......@@ -12,12 +12,15 @@ echo "Removing unwanted packages"
# - libgcc1 (apt depends on it)
# - cpp, cpp-* (big parts of GNOME depend on it)
apt-get --yes purge \
'^linux-compiler-*' \
'^linux-kbuild-*' \
'^linux-headers-*' \
build-essential debhelper dkms dpkg-dev \
gcc gcc-6 \
intltool-debian \
libc6-dev linux-libc-dev \
libc6-dev \
libelf-dev \
linux-libc-dev \
make \
po-debconf \
rsyslog \
......
caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
}
}
rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
}
}
capability {0xffffff
}
file {mask {create read write exec append mmap_exec link lock
}
}
domain {change_profile {yes
}
change_onexec {yes
}
change_hatv {yes
}
change_hat {yes
}
}
policy {set_load {yes
}
}
Description: pin the AppArmor feature set to the Stretch's kernel one
.
Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor
policy in a relaxed manner.
Bug-Debian: https://bugs.debian.org/879585
Forwarded: not-needed
Author: intrigeri <intrigeri@debian.org>
--- a/etc/apparmor/parser.conf
+++ b/etc/apparmor/parser.conf
@@ -60,3 +60,7 @@
## Adjust compression
#Optimize=compress-small
#Optimize=compress-fast
+
+## Pin feature set (avoid regressions when policy is lagging behind
+## the kernel)
+features-file=/usr/share/apparmor-features/features.Tails
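Review bot: The comment added above `features-file=` explains the benefit of the pin but not its cost. As I understand it, with the feature set pinned, policy is compiled only for the mediation the pinned file declares, so anything a newer kernel could additionally enforce stays unused until `features.Tails` is refreshed. I would say so next to the setting, for example `## NB: mediation added by newer kernels stays unused until this file is refreshed`, and mention the build hook that compares this file with Debian's `/usr/share/apparmor-features/features`. It may also be worth confirming how apparmor_parser behaves when the pinned file is missing, since the visible build check only tests for Debian's file.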
--- a/lib/live/boot/9990-misc-helpers.sh.orig 2018-01-04 13:27:17.845454685 +0000
+++ b/lib/live/boot/9990-misc-helpers.sh 2018-01-04 14:40:06.852067492 +0000
@@ -1337,6 +1337,8 @@
esac
mount -t ${UNIONTYPE} ${unionmountopts} ${UNIONTYPE} "${unionmountpoint}"
+ # Workaround aufs bug (Debian#886329)
+ ls "${unionmountpoint}" >/dev/null 2>&1 || true
}
get_custom_mounts ()
......@@ -102,7 +102,7 @@ Then /^the Unsafe Browser has a red theme$/ do
end
Then /^the Unsafe Browser shows a warning as its start page$/ do
@screen.wait("UnsafeBrowserStartPage.png", 10)
@screen.wait("UnsafeBrowserStartPage.png", 30)
end
Then /^the Unsafe Browser has started$/ do
......