Commit 58f005b5 authored by segfault's avatar segfault

Merge commit '70091e58' (Tails 3.0~beta3 release) into feature/5688-tails-server

parents e8adad89 70091e58
......@@ -48,7 +48,6 @@
/config/chroot_local-includes/usr/share/applications/tails-reboot.desktop
/config/chroot_local-includes/usr/share/applications/unsafe-browser.desktop
/config/chroot_local-includes/usr/share/applications/tails-shutdown.desktop
/config/chroot_local-includes/usr/share/applications/i2p-browser.desktop
/config/chroot_local-includes/usr/share/applications/tor-browser.desktop
/config/chroot_local-includes/usr/share/applications/tails-about.desktop
/config/chroot_local-includes/usr/share/desktop-directories/Tails.directory
......
......@@ -31,7 +31,7 @@ VAGRANT_PATH = File.expand_path('../vagrant', __FILE__)
STABLE_BRANCH_NAMES = ['stable', 'testing']
# Environment variables that will be exported to the build script
EXPORTED_VARIABLES = ['http_proxy', 'MKSQUASHFS_OPTIONS', 'TAILS_RAM_BUILD', 'TAILS_CLEAN_BUILD']
EXPORTED_VARIABLES = ['http_proxy', 'MKSQUASHFS_OPTIONS', 'TAILS_RAM_BUILD', 'TAILS_CLEAN_BUILD', 'TAILS_OFFLINE_MODE']
# Let's save the http_proxy set before playing with it
EXTERNAL_HTTP_PROXY = ENV['http_proxy']
......@@ -175,6 +175,8 @@ task :parse_build_options do
ENV['http_proxy'] = INTERNAL_HTTP_PROXY
when 'noproxy'
ENV['http_proxy'] = nil
when 'offline'
ENV['TAILS_OFFLINE_MODE'] = '1'
# SquashFS compression settings
when 'gzipcomp'
ENV['MKSQUASHFS_OPTIONS'] = '-comp gzip -Xcompression-level 1'
......@@ -195,6 +197,15 @@ task :parse_build_options do
raise "Unknown Tails build option '#{opt}'"
end
end
if ENV['TAILS_OFFLINE_MODE'] == '1'
if ENV['http_proxy'].nil?
abort "You must use a caching proxy when building offline"
end
if ENV['TAILS_NO_AUTO_PROVISION'] == '1'
abort "Offline mode requires provisioning"
end
end
end
task :ensure_clean_repository do
......
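Review bot: The offline-mode guard in the last hunk only rejects a missing proxy: `ENV['http_proxy'].nil?` lets an exported-but-empty `http_proxy=` through, and the offline build then starts with no usable caching proxy and fails much later inside the build script. `abort "You must use a caching proxy when building offline" if ENV['http_proxy'].to_s.empty?` covers both the nil and the empty case and also reads as the guard clause the surrounding `case` already uses. The `parse_build_options` task begins before the hunk; its closing `end` is inside it.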
......@@ -60,6 +60,7 @@ echo "POTFILES_DOT_IN='$(
# fix permissions on some source files that will be copied as is to the chroot.
# they may be wrong, e.g. if the Git repository was cloned with a strict umask.
chown 0:0 config/chroot_local-includes/etc/resolv.conf
chmod -R go+rX config/binary_local-includes/
chmod -R go+rX config/chroot_local-includes/etc
chmod 0440 config/chroot_local-includes/etc/sudoers.d/*
......
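Review bot: The `chmod 0440 config/chroot_local-includes/etc/sudoers.d/*` line only does its job because it runs after `chmod -R go+rX config/chroot_local-includes/etc`, which would otherwise leave the sudoers fragments group- and world-readable; the rendered page does not mark which of the two is the added line, but the ordering dependency is the same either way. A one-line comment, `# keep after the recursive chmod above: sudoers.d fragments must end up 0440`, stops a future reorder from silently undoing it.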
......@@ -86,6 +86,7 @@ $RUN_LB_CONFIG \
--packages-lists="standard" \
--tasks="standard" \
--linux-packages="linux-image-${KERNEL_VERSION}" \
--security false \
--syslinux-menu vesamenu \
--syslinux-splash data/splash.png \
--syslinux-timeout 4 \
......
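Review bot: If `--security false` is the line this hunk adds (the page does not mark sides), it deserves a comment, because on its own it reads as dropping Debian's security updates from the image. The APT snapshot script elsewhere in this commit treats a `debian-security` archive as one of Tails' own sources, so presumably that is why live-build's default is switched off; a comment such as `# security updates come from Tails' own debian-security APT source, not from live-build's default` (confirm before adding) would save the next reader the cross-check.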
......@@ -29,18 +29,21 @@ output_time_based_snapshot() {
SERIAL=$(cat "config/APT_snapshots.d/$ARCHIVE/serial")
RESOLVED_SERIAL=$(cat "tmp/APT_snapshots.d/$ARCHIVE/serial")
BASE_BRANCH=$(base_branch)
CURRENT_BRANCH=$(current_branch)
if [ "$BASE_BRANCH" = stable ] || [ "$BASE_BRANCH" = testing ] ; then
if [ "$BASE_BRANCH" = stable ] || [ "$BASE_BRANCH" = testing ] || [ "$CURRENT_BRANCH" = feature/stretch ] ; then
case "$ARCHIVE" in
debian-security)
[ "$SERIAL" = latest ] \
|| fatal "APT snapshots are frozen for the debian-security archive," \
"which should not happen on a branch based on $BASE_BRANCH"
"which should happen neither on feature/stretch nor on" \
"a branch based on $BASE_BRANCH"
;;
*)
[ "$SERIAL" != latest ] \
|| fatal "APT snapshots are not frozen for the $ARCHIVE archive," \
"which should not happen on a branch based on $BASE_BRANCH"
"which should happen neither on feature/stretch nor on" \
"a branch based on $BASE_BRANCH"
esac
if version_was_released "$(version_in_changelog)"; then
on_a_tag \
......@@ -55,9 +58,11 @@ if [ "$BASE_BRANCH" = stable ] || [ "$BASE_BRANCH" = testing ] ; then
output_time_based_snapshot "$ARCHIVE" "$RESOLVED_SERIAL"
fi
else
if [ "$(base_branch)" = devel ] && [ "$SERIAL" != latest ]; then
fatal "APT snapshots are frozen, which should not happen on a branch" \
"based on the devel one"
if [ "$BASE_BRANCH" = devel ] || [ "$CURRENT_BRANCH" = feature/stretch ]; then
if [ "$SERIAL" != latest ]; then
fatal "APT snapshots are frozen, which should happen neither on" \
"feature/stretch nor on a branch based on the devel one"
fi
fi
output_time_based_snapshot "$ARCHIVE" "$RESOLVED_SERIAL"
fi
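Review bot: The `[ "$CURRENT_BRANCH" = feature/stretch ]` test added in the second hunk's `else` branch can never be true, because the first hunk's `if` now already takes the feature/stretch case, so that `else` branch only runs when the current branch is not feature/stretch. Assuming the `else` pairs with that `if` (the lines between the two hunks are not shown, and the second hunk's header points at the same `if`), the condition reduces to `if [ "$BASE_BRANCH" = devel ]; then` and the fatal message should stop mentioning feature/stretch. If the intent was instead to treat feature/stretch like devel rather than like stable/testing, the first hunk's condition is the one to change. `output_time_based_snapshot` starts before the first hunk.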
......@@ -7,7 +7,7 @@ set -u
APT_MIRROR_URL="http://deb.tails.boum.org/"
DEFAULT_COMPONENTS="main contrib non-free"
BASE_BRANCHES="stable testing devel feature/jessie"
BASE_BRANCHES="stable testing devel feature/stretch"
output_apt_binary_source() {
local suite="$1"
......
......@@ -22,7 +22,7 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63"
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
# Kernel version
KERNEL_VERSION='4.9.0-1'
KERNEL_VERSION='4.9.0-2'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
......@@ -460,8 +460,6 @@ usr/bin/expr 32082
usr/bin/bc 32081
lib/live/config/2060-create-upgrader-run-directory 32079
usr/bin/install 32078
lib/live/config/2080-install-i2p 32077
usr/local/lib/tails-shell-library/i2p.sh 32076
usr/local/lib/tails-shell-library/common.sh 32075
usr/local/lib/tails-shell-library/localization.sh 32074
lib/live/config/7000-debug 32073
......@@ -2839,7 +2837,6 @@ usr/share/applications/mimeinfo.cache 29205
usr/share/gnome/applications/vim.desktop 29204
usr/share/gnome/applications/nm-connection-editor.desktop 29203
usr/share/gnome/applications/gnome-power-statistics.desktop 29202
usr/share/gnome/applications/openjdk-7-policytool.desktop 29201
usr/share/gnome/applications/orca.desktop 29200
usr/share/applications/gnome-bluetooth-panel.desktop 29199
usr/lib/libreoffice/share/xdg/xsltfilter.desktop 29198
......@@ -3122,7 +3119,6 @@ etc/xdg/menus/applications-merged/Tails.menu 28920
usr/share/applications/gnome-power-statistics.desktop 28919
usr/share/applications/nm-connection-editor.desktop 28918
usr/lib/i386-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0 28917
usr/share/applications/openjdk-7-policytool.desktop 28916
usr/share/applications/orca.desktop 28915
usr/share/applications/vim.desktop 28914
usr/share/desktop-directories/ActionGames.directory 28913
......@@ -4097,7 +4093,6 @@ usr/lib/i386-linux-gnu/libopencv_contrib.so.2.4.9 27944
usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt 27943
usr/lib/i386-linux-gnu/libopencv_core.so.2.4.9 27942
usr/lib/i386-linux-gnu/libopencv_highgui.so.2.4.9 27941
etc/NetworkManager/dispatcher.d/30-i2p.sh 27940
etc/NetworkManager/dispatcher.d/60-tor-ready.sh 27939
usr/local/sbin/tor-has-bootstrapped 27938
usr/bin/gettext 27937
......
#!/bin/sh
set -e
# Create the i2pbrowser user.
#
# We run i2p-browser under this user
echo "Creating the i2pbrowser user"
adduser --system --quiet --group i2pbrowser
......@@ -4,9 +4,9 @@ set -e
echo "Configure torsocks"
# Allow TCP outbound connections to the loopback interface, so
# Allow TCP and UDP outbound connections to the loopback interface, so
# that we can wrap git with torsocks without breaking Git-over-SSH
# (SSH is torified via ProxyCommand already).
sed -i'' \
--regexp-extended 's,^#?AllowOutboundLocalhost\s+.*,AllowOutboundLocalhost 1,' \
--regexp-extended 's,^#?AllowOutboundLocalhost\s+.*,AllowOutboundLocalhost 2,' \
/etc/tor/torsocks.conf
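Review bot: The `sed` that switches `AllowOutboundLocalhost` to `2` silently does nothing if the key is absent or spelled differently in a newer torsocks.conf, and the hook still exits 0 with loopback UDP blocked; a post-check, `grep -q '^AllowOutboundLocalhost 2$' /etc/tor/torsocks.conf`, turns that into a build failure. The updated comment says TCP and UDP, but the justification it gives (Git-over-SSH) only needs TCP; naming what requires the UDP allowance would keep the wider value from being tightened back later.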
......@@ -35,7 +35,7 @@ download_and_verify_files() {
(
cd "${destination}"
echo "Fetching ${base_url}/${tarball} ..."
curl --remote-name "${base_url}/${tarball}"
curl --retry 20 --remote-name "${base_url}/${tarball}"
)
actual_sha256="$(sha256sum "${destination}/${tarball}" | cut -d' ' -f1)"
if [ "${actual_sha256}" != "${expected_sha256}" ]; then
......
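Review bot: `--retry 20` does not make curl treat an HTTP error status as a failure, so a 404 or 5xx body is still written to `${tarball}` and only rejected later by the sha256 comparison, with a checksum-mismatch message that hides the real cause; `curl --fail --retry 20 --remote-name "${base_url}/${tarball}"` fails at download time instead. `download_and_verify_files` begins before the hunk, and whether its subshell failure aborts the script depends on a `set -e` that is not visible here.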
#!/bin/sh
set -e
echo "Configuring I2P"
I2P="/usr/share/i2p"
I2PROUTER="/usr/bin/i2prouter"
WRAPPER="/etc/i2p/wrapper.config"
# This must be set in order for the i2p init script to work
sed -i 's/^RUN_DAEMON=.*$/RUN_DAEMON="true"/' /etc/default/i2p
# Remove the "i2prouter" script, its man page, and its apparmor profile
# since these are not used by Tails:
rm /etc/apparmor.d/usr.bin.i2prouter /usr/share/man/man1/i2prouter.1.gz
# Install custom i2prouter stub scripts
for script in ${I2PROUTER} ${I2PROUTER}-nowrapper; do
echo "Removing $script"
dpkg-divert --rename --add "${script}"
cat > "$script" << EOF
#!/bin/sh
echo "This script is not used by Tails."
echo "See https://tails.boum.org/doc/anonymous_internet/i2p/ for more information."
exit 0
EOF
chmod 755 "$script"
done
# Remove the outproxy from the tunnel on port 4444
# This will remove the following lines:
# tunnel.0.proxyList=false.i2p
# tunnel.0.option.i2ptunnel.httpclient.SSLOutproxies=false.i2p
# The SSLOutproxies option was first set in I2P 0.9.15
sed -i '/^.*tunnel\.0\.\(proxyList\|option\.i2ptunnel\.httpclient\.SSLOutproxies\)/d' "$I2P/i2ptunnel.config"
# Disable the https outproxy (port 4445)
sed -i 's|^.*\(tunnel\.6\.startOnLoad\).*|\1=false|' "$I2P/i2ptunnel.config"
# Don't serve the router console on IPv6
sed -i 's|^clientApp\.0\.args=7657\s\+::1,127\.0\.0\.1|clientApp.0.args=7657 127.0.0.1|' "$I2P/clients.config"
# Disable IPv6 in the wrapper
sed -i 's|^.*\(wrapper\.java\.additional\.5=-Djava\.net\.preferIPv4Stack=\).*|\1true|' "$WRAPPER"
sed -i 's|^.*\(wrapper\.java\.additional\.6=-Djava\.net\.preferIPv6Addresses=\).*|\1false|' "$WRAPPER"
# Tails specific router configs:
# * i2cp: allows java clients to communicate with I2P outside of the JVM. Disabled.
# * IPv6: Disabled
# * HiddenMode: Enabled
# * In-I2P Network Updates: Disabled
# * Inbound connections: Disabled (setting is "i2cp.ntcp.autoip")
# * Disable I2P plugins
# * Disable NTP
cat > "$I2P/router.config" << EOF
# NOTE: This I2P config file must use UTF-8 encoding
i2cp.disableInterface=true
i2np.ntcp.ipv6=false
i2np.ntcp.autoip=false
i2np.udp.ipv6=false
router.isHidden=true
router.updateDisabled=true
router.enablePlugins=false
time.disabled=true
EOF
cat > "$I2P/susimail.config" << EOF
susimail.pop3.leave.on.server=true
EOF
# enforce apparmor
echo Setting the I2P apparmor profile to enforce mode
sed -i -re 's|flags=\(complain\)||' /etc/apparmor.d/system_i2p
......@@ -10,6 +10,13 @@ SERVICES_DIR=/usr/share/dbus-1/services
sed -i'' 's,^Exec=.*$,Exec=/bin/false,' \
"${SERVICES_DIR}"/org.gnome.evolution.dataserver.*.service \
"${SERVICES_DIR}"/org.gnome.Shell.CalendarServer.service \
"${SERVICES_DIR}"/org.freedesktop.Telepathy.AccountManager.service \
"${SERVICES_DIR}"/org.freedesktop.Telepathy.MissionControl5.service
"${SERVICES_DIR}"/org.gnome.Shell.CalendarServer.service
for service in \
"${SERVICES_DIR}"/org.freedesktop.Telepathy.AccountManager.service \
"${SERVICES_DIR}"/org.freedesktop.Telepathy.MissionControl5.service ; do
if [ -f "$service" ]; then
echo "$service is back: consider disabling it" >&2
exit 1
fi
done
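Review bot: The new `for service in …` loop gives no reason why a present Telepathy service file is now an error instead of being neutralised by the `sed` above, as the old lines did, so a later reader may simply re-add them to the `sed`. Presumably the packages shipping those files are no longer installed; if so, a comment such as `# Telepathy is no longer shipped; fail loudly if its D-Bus activation files reappear so they get disabled again` (confirm the reason first) records the intent next to the `exit 1`.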
......@@ -2,32 +2,6 @@
set -e
CUSTOM_INITSCRIPTS="
"
PATCHED_INITSCRIPTS="
alsa-utils
haveged
hwclock.sh
i2p
kexec-load
laptop-mode
memlockd
saned
spice-vdagent
tor
"
echo "Configuring boot sequence"
# The patches to adjust the runlevels are applied to the chroot
# after the packages have been installed. So we need to remove them first,
# to re-install them with our settings.
insserv -r $PATCHED_INITSCRIPTS
# Re-install overriden initscripts and install our custom ones.
insserv $PATCHED_INITSCRIPTS $CUSTOM_INITSCRIPTS
### Tweak systemd unit files
# Workaround for https://bugs.debian.org/714957
......@@ -71,9 +45,6 @@ systemctl disable tor.service
systemctl disable NetworkManager.service
systemctl disable NetworkManager-wait-online.service
# We don't run these services by default
systemctl disable i2p.service
# Don't hide tails-kexec's shutdown messages with an empty splash screen
for suffix in halt kexec poweroff reboot shutdown ; do
systemctl mask "plymouth-${suffix}.service"
......@@ -91,15 +62,3 @@ systemctl mask hwclock-save.service
# Do not run timesyncd: we have our own time synchronization mechanism
systemctl mask systemd-timesyncd.service
# Unmute and sanitize mixer levels at boot time
# (`systemctl unmask` does not support initscripts on Jessie,
# hence the manual unmasking)
dpkg-divert --add --rename --divert \
/lib/systemd/system/alsa-utils.service.orig \
/lib/systemd/system/alsa-utils.service
# Disable the ALSA state store/restore systemd services (that lack mixer
# levels unmuting/sanitizing), we use the legacy initscript instead
systemctl mask alsa-restore.service
systemctl mask alsa-state.service
systemctl mask alsa-store.service
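Review bot: `CUSTOM_INITSCRIPTS` appears to survive on the new side of the first hunk (the hunk keeps 6 of 32 lines, and the `CUSTOM_INITSCRIPTS="` / `"` pair is among the few that fit) while both `insserv` lines that consumed it are removed, leaving an empty, unused variable. Either drop the definition as well or add a comment naming what still reads it. Sides are inferred from the hunk counts, since the page does not mark them.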
......@@ -13,7 +13,6 @@ done
rm \
/usr/share/applications/gnome-online-accounts-panel.desktop \
/usr/share/applications/laptop-mode-tools.desktop \
/usr/share/applications/openjdk-8-policytool.desktop \
/usr/share/applications/sniff.desktop
sed -i'' --regexp-extended 's,^Exec=pidgin$,Exec=/usr/local/bin/pidgin,' \
......
......@@ -17,6 +17,7 @@ dpkg-reconfigure libdvd-pkg
# without the build-essential dependency to satisfy libdvdcss2.
LIBDVD_PKG_VERSION="$(dpkg-query -s libdvd-pkg | grep Version | cut -d ' ' -f2)+fake1"
install_fake_package libdvd-pkg "${LIBDVD_PKG_VERSION}" multimedia
rm -r /usr/src/libdvd-pkg
# Verify installed packages:
for x in libdvd-pkg
......
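Review bot: `rm -r /usr/src/libdvd-pkg` carries no comment saying why the source tree is removed right after `install_fake_package`, and without `-f` it aborts the hook if the directory is absent, should this script run under `set -e` (not visible in the hunk). If the removal is meant to drop sources that are only needed to build libdvdcss2 once the fake package satisfies the dependency, say so: `# the libdvd-pkg sources are only needed to build libdvdcss2; drop them now that the fake package stands in for it` (confirm against the lines above before adding).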
......@@ -5,6 +5,6 @@ set -e
echo "Generating blocklist for all network devices"
find /lib/modules/*/kernel/drivers/net \
-name "*.ko" -printf "blacklist %f\n" | \
sed 's/\.ko$//' | \
-name "*.ko" -printf "install %f /bin/true\n" | \
sed 's/\.ko / /' | \
sort -u > /etc/modprobe.d/all-net-blacklist.conf
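Review bot: Switching from `blacklist %f` to `install %f /bin/true` changes what the generated file blocks, and the hunk does not record it: a `blacklist` entry only prevents alias-based autoloading and an explicit `modprobe` still loads the driver, whereas an `install` entry makes `modprobe` run `/bin/true` in its place. A comment above the `find`, `# 'install … /bin/true' rather than 'blacklist': blacklist only stops alias autoload, an install line also stops explicit modprobe`, would keep the next maintainer from "simplifying" it back. The file name `all-net-blacklist.conf` now slightly misdescribes its contents, which is a minor follow-up.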
#!/bin/sh
set -u
set -e
# Everything moved by this hook script will be reversed in the event that
# the string "i2p" is entered at a boot prompt
DEST="/usr/share/tails/i2p-disabled"
[ -d "/usr/share/i2p" ] || return 0
mkdir "$DEST"
mv -f /usr/share/i2p "$DEST"
mv -f /usr/sbin/wrapper "$DEST"
mv -f /usr/share/applications/i2p-browser.desktop "$DEST"