Commit 56111076 authored by bertagaz

Merge remote-tracking branch 'origin/stable' into bugfix/11037-icedove-spellchecker

parents 16e10ec7 47c3da5b
--- a/etc/apparmor.d/usr.bin.totem 2014-09-16 11:17:44.000000000 +0000
+++ b/etc/apparmor.d/usr.bin.totem 2014-11-28 09:40:26.960000000 +0000
@@ -9,6 +9,9 @@
diff -Naur etc/apparmor.d.orig/abstractions/totem etc/apparmor.d/abstractions/totem
--- a/etc/apparmor.d/abstractions/totem 2014-08-28 15:51:48.000000000 +0000
+++ b/etc/apparmor.d/abstractions/totem 2016-11-05 14:58:38.676759826 +0000
@@ -30,6 +30,10 @@
/usr/lib/@{multiarch}/gstreamer[0-9].[0-9]/gstreamer-[0-9].[0-9]/gst-plugin-scanner Cix -> gst_plugin_scanner,
+ owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
+ owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
owner @{HOME}/.cache/tracker/meta.db k,
owner @{HOME}/.cache/tracker/meta.db-shm k,
+ owner @{HOME}/.config/totem/** rwk,
owner @{HOME}/.local/share/grilo-plugins/*.db k,
+ owner @{HOME}/.local/share/gvfs-metadata/** r,
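Review bot: The two added gstreamer registry rules use `gstreamer-[0-9]*.[0-9]*`, which is looser than the `[0-9].[0-9]` form in the gst-plugin-scanner context line directly above them. In AppArmor globbing `*` matches any run of characters other than `/`, so the directory component accepts much more than a version number. If the goal is only to allow multi-digit versions, say so in a comment or tighten the pattern. The added `.config/totem/** rwk` and `.local/share/gvfs-metadata/** r` rules would also benefit from a one-line comment explaining why Totem needs them.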
diff -Naur etc/apparmor.d.orig/usr.bin.totem etc/apparmor.d/usr.bin.totem
--- a/etc/apparmor.d/usr.bin.totem 2015-11-14 13:39:59.000000000 +0000
+++ b/etc/apparmor.d/usr.bin.totem 2016-11-05 14:57:21.817646742 +0000
@@ -9,16 +9,20 @@
#include <abstractions/python>
#include <abstractions/totem>
......@@ -10,3 +25,33 @@
# Maybe in an abstraction?
/usr/include/**/pyconfig.h r,
/usr/bin/totem r,
/dev/sr* r,
- # Allow read and write on anything in @{HOME}. Lenient, but
+ # Allow read and write on almost anything in @{HOME}. Lenient, but
# private-files-strict is in effect.
#include <abstractions/private-files-strict>
- owner @{HOME}/** rw,
+ owner @{HOME}/[a-zA-Z0-9]* rw,
+ owner @{HOME}/[a-zA-Z0-9]*/** rw,
owner /{,var/}run/user/*/dconf/user w,
owner /{,var/}run/user/*/at-spi2-*/ rw,
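Review bot: In the two rules replacing `owner @{HOME}/** rw,`, the class `[a-zA-Z0-9]` excludes dot-prefixed entries, but it also excludes every top-level name in @{HOME} that starts with any other character, such as `_`, a space or a non-ASCII letter, so media stored under such names is no longer accessible. If only hidden files and directories are meant to be excluded, `[^.]*` expresses that directly. The updated comment says "almost anything" without naming the exception; it should state that dot-prefixed entries are what is left out and why.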
diff -Naur etc/apparmor.d.orig/usr.bin.totem-previewers etc/apparmor.d/usr.bin.totem-previewers
--- a/etc/apparmor.d/usr.bin.totem-previewers 2014-10-14 23:22:57.000000000 +0000
+++ b/etc/apparmor.d/usr.bin.totem-previewers 2016-11-05 14:57:21.817646742 +0000
@@ -6,10 +6,11 @@
/usr/bin/totem-video-thumbnailer {
#include <abstractions/totem>
- # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
+ # Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in
# effect.
#include <abstractions/private-files-strict>
- owner @{HOME}/** r,
+ owner @{HOME}/[a-zA-Z0-9]* rw,
+ owner @{HOME}/[a-zA-Z0-9]*/** rw,
# Not needed by nautilus, but maybe other applications
owner /**.[pP][nN][gG] w,
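Review bot: Both added rules end in `rw`, while the removed rule `owner @{HOME}/** r,` and the updated comment ("Allow read on almost anything") are read-only, so the change narrows the path set but widens the thumbnailer's access from read to write. Unless the thumbnailer needs to write into @{HOME}, both lines should end in `r,`. If write access is intended, the comment should say so.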
tails (2.7) UNRELEASED; urgency=medium
* Major new features and changes
- Install Tor 0.2.8.8. (Closes: #11832)
- Upgrade Icedove to 1:45.4.0-1~deb8u1+tails1. (Closes: #11854,
#11860)
* Security fixes
- Upgrade to Linux 4.7. (Closes: #11885, #11818)
- Upgrade to Tor 0.2.8.9. (Closes: #11832, #11891)
- Upgrade imagemagick to 8:6.8.9.9-5+deb8u5.
- Upgrade openssl to 1.0.1t-1+deb8u5.
- Upgrade libarchive to 3.1.2-11+deb8u3.
- Upgrade bind9 to 1:9.9.5.dfsg-9+deb8u8.
- Upgrade c-ares to 1.10.0-2+deb8u1.
- Upgrade nspr to 2:4.12-1+debu8u1.
- Upgrade nss to 2:3.26-1+debu8u1.
- Upgrade tar to 1.27.1-2+deb8u1.
- Upgrade mat to 0.5.2-3+deb8u1.
* Minor improvements
- Ship Let's encrypt intermediate certificate to prepare the
the next certificate renewal of our website. Also unify the
......
@product
#11901: mat does not clean PDF files anymore
@product @fragile
Feature: Metadata Anonymization Toolkit
As a Tails user
I want to be able to remove leaky metadata from documents and media files
......
......@@ -39,6 +39,12 @@ Feature: Using Totem
# Due to our AppArmor aliases, /live/overlay will be treated
# as /lib/live/mount/overlay.
And AppArmor has denied "/usr/bin/totem" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/video.mp4"
Given I close Totem
And I copy "/home/amnesia/video.mp4" to "/home/amnesia/.purple/otr.private_key" as user "amnesia"
And I restart monitoring the AppArmor log of "/usr/bin/totem"
When I try to open "/home/amnesia/.purple/otr.private_key" with Totem
Then I see "TotemUnableToOpen.png" after at most 10 seconds
And AppArmor has denied "/usr/bin/totem" from opening "/home/amnesia/.purple/otr.private_key"
@check_tor_leaks @fragile
Scenario: Watching a WebM video over HTTPS
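Review bot: The steps shown here assert a denial only for `/usr/bin/totem` opening `/home/amnesia/.purple/otr.private_key`; the `/usr/bin/totem-video-thumbnailer` profile changed in the same commit has no corresponding check in these lines. Consider adding a step that restarts monitoring for the thumbnailer profile and asserts the same denial, so a regression in either profile is caught.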
......