Commit
58f005b5
authored
Apr 15, 2017
by
segfault
Merge commit '
70091e58
' (Tails 3.0~beta3 release) into feature/5688-tails-server
parents
e8adad89
70091e58
Changes
503
.gitignore
...
...
@@ -48,7 +48,6 @@
/config/chroot_local-includes/usr/share/applications/tails-reboot.desktop
/config/chroot_local-includes/usr/share/applications/unsafe-browser.desktop
/config/chroot_local-includes/usr/share/applications/tails-shutdown.desktop
/config/chroot_local-includes/usr/share/applications/i2p-browser.desktop
/config/chroot_local-includes/usr/share/applications/tor-browser.desktop
/config/chroot_local-includes/usr/share/applications/tails-about.desktop
/config/chroot_local-includes/usr/share/desktop-directories/Tails.directory
...
...
Rakefile
...
...
@@ -31,7 +31,7 @@ VAGRANT_PATH = File.expand_path('../vagrant', __FILE__)
STABLE_BRANCH_NAMES
=
[
'stable'
,
'testing'
]
# Environment variables that will be exported to the build script
EXPORTED_VARIABLES
=
[
'http_proxy'
,
'MKSQUASHFS_OPTIONS'
,
'TAILS_RAM_BUILD'
,
'TAILS_CLEAN_BUILD'
]
EXPORTED_VARIABLES
=
[
'http_proxy'
,
'MKSQUASHFS_OPTIONS'
,
'TAILS_RAM_BUILD'
,
'TAILS_CLEAN_BUILD'
,
'TAILS_OFFLINE_MODE'
]
# Let's save the http_proxy set before playing with it
EXTERNAL_HTTP_PROXY
=
ENV
[
'http_proxy'
]
...
...
@@ -175,6 +175,8 @@ task :parse_build_options do
ENV
[
'http_proxy'
]
=
INTERNAL_HTTP_PROXY
when
'noproxy'
ENV
[
'http_proxy'
]
=
nil
when
'offline'
ENV
[
'TAILS_OFFLINE_MODE'
]
=
'1'
# SquashFS compression settings
when
'gzipcomp'
ENV
[
'MKSQUASHFS_OPTIONS'
]
=
'-comp gzip -Xcompression-level 1'
...
...
@@ -195,6 +197,15 @@ task :parse_build_options do
raise
"Unknown Tails build option '
#{
opt
}
'"
end
end
if
ENV
[
'TAILS_OFFLINE_MODE'
]
==
'1'
if
ENV
[
'http_proxy'
].
nil?
abort
"You must use a caching proxy when building offline"
end
if
ENV
[
'TAILS_NO_AUTO_PROVISION'
]
==
'1'
abort
"Offline mode requires provisioning"
end
end
end
task
:ensure_clean_repository
do
...
...
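Review bot: The offline-mode guard added to `parse_build_options` tests only `ENV['http_proxy'].nil?`, so an `http_proxy` that is exported but empty passes the check and the offline build goes ahead without a caching proxy. Treating empty and unset alike closes that gap: `if ENV['http_proxy'].to_s.empty?` in place of `if ENV['http_proxy'].nil?`. The task body starts outside the visible hunks, so any other place that sets `http_proxy` before this check cannot be confirmed from here.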
auto/build
...
...
@@ -60,6 +60,7 @@ echo "POTFILES_DOT_IN='$(
# fix permissions on some source files that will be copied as is to the chroot.
# they may be wrong, e.g. if the Git repository was cloned with a strict umask.
chown
0
:
0
config
/
chroot_local
-
includes
/
etc
/
resolv
.
conf
chmod
-
R
go
+
rX
config
/
binary_local
-
includes
/
chmod
-
R
go
+
rX
config
/
chroot_local
-
includes
/
etc
chmod
0440
config
/
chroot_local
-
includes
/
etc
/
sudoers
.
d
/*
...
...
auto/config
...
...
@@ -86,6 +86,7 @@ $RUN_LB_CONFIG \
--packages-lists
=
"standard"
\
--tasks
=
"standard"
\
--linux-packages
=
"linux-image-
${
KERNEL_VERSION
}
"
\
--security
false
\
--syslinux-menu
vesamenu
\
--syslinux-splash
data/splash.png
\
--syslinux-timeout
4
\
...
...
auto/scripts/apt-mirror
...
...
@@ -29,18 +29,21 @@ output_time_based_snapshot() {
SERIAL
=
$(
cat
"config/APT_snapshots.d/
$ARCHIVE
/serial"
)
RESOLVED_SERIAL
=
$(
cat
"tmp/APT_snapshots.d/
$ARCHIVE
/serial"
)
BASE_BRANCH
=
$(
base_branch
)
CURRENT_BRANCH
=
$(
current_branch
)
if
[
"
$BASE_BRANCH
"
=
stable
]
||
[
"
$BASE_BRANCH
"
=
testing
]
;
then
if
[
"
$BASE_BRANCH
"
=
stable
]
||
[
"
$BASE_BRANCH
"
=
testing
]
||
[
"
$CURRENT_BRANCH
"
=
feature/stretch
]
;
then
case
"
$ARCHIVE
"
in
debian-security
)
[
"
$SERIAL
"
=
latest
]
\
||
fatal
"APT snapshots are frozen for the debian-security archive,"
\
"which should not happen on a branch based on
$BASE_BRANCH
"
"which should happen neither on feature/stretch nor on"
\
"a branch based on
$BASE_BRANCH
"
;;
*
)
[
"
$SERIAL
"
!=
latest
]
\
||
fatal
"APT snapshots are not frozen for the
$ARCHIVE
archive,"
\
"which should not happen on a branch based on
$BASE_BRANCH
"
"which should happen neither on feature/stretch nor on"
\
"a branch based on
$BASE_BRANCH
"
esac
if
version_was_released
"
$(
version_in_changelog
)
"
;
then
on_a_tag
\
...
...
@@ -55,9 +58,11 @@ if [ "$BASE_BRANCH" = stable ] || [ "$BASE_BRANCH" = testing ] ; then
output_time_based_snapshot
"
$ARCHIVE
"
"
$RESOLVED_SERIAL
"
fi
else
if
[
"
$(
base_branch
)
"
=
devel
]
&&
[
"
$SERIAL
"
!=
latest
]
;
then
fatal
"APT snapshots are frozen, which should not happen on a branch"
\
"based on the devel one"
if
[
"
$BASE_BRANCH
"
=
devel
]
||
[
"
$CURRENT_BRANCH
"
=
feature/stretch
]
;
then
if
[
"
$SERIAL
"
!=
latest
]
;
then
fatal
"APT snapshots are frozen, which should happen neither on"
\
"feature/stretch nor on a branch based on the devel one"
fi
fi
output_time_based_snapshot
"
$ARCHIVE
"
"
$RESOLVED_SERIAL
"
fi
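Review bot: The `[ "$CURRENT_BRANCH" = feature/stretch ]` alternative added in the `else` branch looks unreachable. If that `else` pairs with the outer `if` (as the second hunk's header suggests; indentation is lost in this rendering), a build on feature/stretch is already taken by the first condition, which now matches that branch too. The messages also contradict each other for feature/stretch: the first branch fails when non-security snapshots are not frozen, while the `else` branch says frozen snapshots should not happen there. I would keep the `else` test as `if [ "$BASE_BRANCH" = devel ]; then` and drop feature/stretch from its message, so the freeze policy for debian-security stays unambiguous. The script continues outside both hunks.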
auto/scripts/tails-custom-apt-sources
...
...
@@ -7,7 +7,7 @@ set -u
APT_MIRROR_URL
=
"http://deb.tails.boum.org/"
DEFAULT_COMPONENTS
=
"main contrib non-free"
BASE_BRANCHES
=
"stable testing devel feature/
jessie
"
BASE_BRANCHES
=
"stable testing devel feature/
stretch
"
output_apt_binary_source
()
{
local
suite
=
"
$1
"
...
...
config/APT_snapshots.d/debian/serial
20170
130
02
20170
317
02
config/APT_snapshots.d/torproject/serial
20170
130
02
20170
317
02
config/amnesia
...
...
@@ -22,7 +22,7 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63"
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION
=
"6.03~pre20"
# Kernel version
KERNEL_VERSION
=
'4.9.0-
1
'
KERNEL_VERSION
=
'4.9.0-
2
'
KERNEL_SOURCE_VERSION
=
$(
echo
"
$KERNEL_VERSION
"
\
| perl
-p
-E
's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
...
...
config/binary_rootfs/squashfs.sort
...
...
@@ -460,8 +460,6 @@ usr/bin/expr 32082
usr/bin/bc 32081
lib/live/config/2060-create-upgrader-run-directory 32079
usr/bin/install 32078
lib/live/config/2080-install-i2p 32077
usr/local/lib/tails-shell-library/i2p.sh 32076
usr/local/lib/tails-shell-library/common.sh 32075
usr/local/lib/tails-shell-library/localization.sh 32074
lib/live/config/7000-debug 32073
...
...
@@ -2839,7 +2837,6 @@ usr/share/applications/mimeinfo.cache 29205
usr/share/gnome/applications/vim.desktop 29204
usr/share/gnome/applications/nm-connection-editor.desktop 29203
usr/share/gnome/applications/gnome-power-statistics.desktop 29202
usr/share/gnome/applications/openjdk-7-policytool.desktop 29201
usr/share/gnome/applications/orca.desktop 29200
usr/share/applications/gnome-bluetooth-panel.desktop 29199
usr/lib/libreoffice/share/xdg/xsltfilter.desktop 29198
...
...
@@ -3122,7 +3119,6 @@ etc/xdg/menus/applications-merged/Tails.menu 28920
usr/share/applications/gnome-power-statistics.desktop 28919
usr/share/applications/nm-connection-editor.desktop 28918
usr/lib/i386-linux-gnu/tracker-1.0/libtracker-data.so.0.0.0 28917
usr/share/applications/openjdk-7-policytool.desktop 28916
usr/share/applications/orca.desktop 28915
usr/share/applications/vim.desktop 28914
usr/share/desktop-directories/ActionGames.directory 28913
...
...
@@ -4097,7 +4093,6 @@ usr/lib/i386-linux-gnu/libopencv_contrib.so.2.4.9 27944
usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt 27943
usr/lib/i386-linux-gnu/libopencv_core.so.2.4.9 27942
usr/lib/i386-linux-gnu/libopencv_highgui.so.2.4.9 27941
etc/NetworkManager/dispatcher.d/30-i2p.sh 27940
etc/NetworkManager/dispatcher.d/60-tor-ready.sh 27939
usr/local/sbin/tor-has-bootstrapped 27938
usr/bin/gettext 27937
...
...
config/chroot_local-hooks/06-adduser_i2pbrowser
deleted
100755 → 0
#!/bin/sh
set
-e
# Create the i2pbrowser user.
#
# We run i2p-browser under this user
echo
"Creating the i2pbrowser user"
adduser
--system
--quiet
--group
i2pbrowser
config/chroot_local-hooks/09-torsocks-configuration
...
...
@@ -4,9 +4,9 @@ set -e
echo
"Configure torsocks"
# Allow TCP outbound connections to the loopback interface, so
# Allow TCP
and UDP
outbound connections to the loopback interface, so
# that we can wrap git with torsocks without breaking Git-over-SSH
# (SSH is torified via ProxyCommand already).
sed
-i
''
\
--regexp-extended
's,^#?AllowOutboundLocalhost\s+.*,AllowOutboundLocalhost
1
,'
\
--regexp-extended
's,^#?AllowOutboundLocalhost\s+.*,AllowOutboundLocalhost
2
,'
\
/etc/tor/torsocks.conf
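Review bot: The comment above the `sed` still justifies the loopback exception only by Git-over-SSH, which is TCP, so nothing records why UDP to localhost is now needed. `AllowOutboundLocalhost 2` widens what torsocks-wrapped programs may reach on the loopback interface. I would add a line such as `# UDP is needed for <reason, not stated in this change>` so the wider exception can be re-evaluated later. Separately, `sed -i` exits successfully when the pattern matches nothing, so a follow-up `grep -qx 'AllowOutboundLocalhost 2' /etc/tor/torsocks.conf` would make the hook fail under the `set -e` shown in the hunk header if the packaged config ever changes format.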
config/chroot_local-hooks/10-tbb
...
...
@@ -35,7 +35,7 @@ download_and_verify_files() {
(
cd
"
${
destination
}
"
echo
"Fetching
${
base_url
}
/
${
tarball
}
..."
curl
--remote-name
"
${
base_url
}
/
${
tarball
}
"
curl
--retry
20
--remote-name
"
${
base_url
}
/
${
tarball
}
"
)
actual_sha256
=
"
$(
sha256sum
"
${
destination
}
/
${
tarball
}
"
|
cut
-d
' '
-f1
)
"
if
[
"
${
actual_sha256
}
"
!=
"
${
expected_sha256
}
"
]
;
then
...
...
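Review bot: The `curl` call gains `--retry 20` but still has no `--fail`, so an HTTP error body is written to `${tarball}` and only surfaces later as a SHA-256 mismatch, which reads like tampering rather than a missing or moved file. Integrity is still enforced by the `expected_sha256` comparison that follows, so this is about diagnosability: `curl --fail --retry 20 --remote-name "${base_url}/${tarball}"`. `download_and_verify_files` starts and ends outside the hunk.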
config/chroot_local-hooks/16-i2p_config
deleted
100755 → 0
#!/bin/sh
set
-e
echo
"Configuring I2P"
I2P
=
"/usr/share/i2p"
I2PROUTER
=
"/usr/bin/i2prouter"
WRAPPER
=
"/etc/i2p/wrapper.config"
# This must be set in order for the i2p init script to work
sed
-i
's/^RUN_DAEMON=.*$/RUN_DAEMON="true"/'
/etc/default/i2p
# Remove the "i2prouter" script, its man page, and its apparmor profile
# since these are not used by Tails:
rm
/etc/apparmor.d/usr.bin.i2prouter /usr/share/man/man1/i2prouter.1.gz
# Install custom i2prouter stub scripts
for
script
in
${
I2PROUTER
}
${
I2PROUTER
}
-nowrapper
;
do
echo
"Removing
$script
"
dpkg-divert
--rename
--add
"
${
script
}
"
cat
>
"
$script
"
<<
EOF
#!/bin/sh
echo "This script is not used by Tails."
echo "See https://tails.boum.org/doc/anonymous_internet/i2p/ for more information."
exit 0
EOF
chmod
755
"
$script
"
done
# Remove the outproxy from the tunnel on port 4444
# This will remove the following lines:
# tunnel.0.proxyList=false.i2p
# tunnel.0.option.i2ptunnel.httpclient.SSLOutproxies=false.i2p
# The SSLOutproxies option was first set in I2P 0.9.15
sed
-i
'/^.*tunnel\.0\.\(proxyList\|option\.i2ptunnel\.httpclient\.SSLOutproxies\)/d'
"
$I2P
/i2ptunnel.config"
# Disable the https outproxy (port 4445)
sed
-i
's|^.*\(tunnel\.6\.startOnLoad\).*|\1=false|'
"
$I2P
/i2ptunnel.config"
# Don't serve the router console on IPv6
sed
-i
's|^clientApp\.0\.args=7657\s\+::1,127\.0\.0\.1|clientApp.0.args=7657 127.0.0.1|'
"
$I2P
/clients.config"
# Disable IPv6 in the wrapper
sed
-i
's|^.*\(wrapper\.java\.additional\.5=-Djava\.net\.preferIPv4Stack=\).*|\1true|'
"
$WRAPPER
"
sed
-i
's|^.*\(wrapper\.java\.additional\.6=-Djava\.net\.preferIPv6Addresses=\).*|\1false|'
"
$WRAPPER
"
# Tails specific router configs:
# * i2cp: allows java clients to communicate with I2P outside of the JVM. Disabled.
# * IPv6: Disabled
# * HiddenMode: Enabled
# * In-I2P Network Updates: Disabled
# * Inbound connections: Disabled (setting is "i2cp.ntcp.autoip")
# * Disable I2P plugins
# * Disable NTP
cat
>
"
$I2P
/router.config"
<<
EOF
# NOTE: This I2P config file must use UTF-8 encoding
i2cp.disableInterface=true
i2np.ntcp.ipv6=false
i2np.ntcp.autoip=false
i2np.udp.ipv6=false
router.isHidden=true
router.updateDisabled=true
router.enablePlugins=false
time.disabled=true
EOF
cat
>
"
$I2P
/susimail.config"
<<
EOF
susimail.pop3.leave.on.server=true
EOF
# enforce apparmor
echo
Setting the I2P apparmor profile to enforce mode
sed
-i
-re
's|flags=\(complain\)||'
/etc/apparmor.d/system_i2p
config/chroot_local-hooks/45-disable-unneeded-dbus-services
...
...
@@ -10,6 +10,13 @@ SERVICES_DIR=/usr/share/dbus-1/services
sed
-i
''
's,^Exec=.*$,Exec=/bin/false,'
\
"
${
SERVICES_DIR
}
"
/org.gnome.evolution.dataserver.
*
.service
\
"
${
SERVICES_DIR
}
"
/org.gnome.Shell.CalendarServer.service
\
"
${
SERVICES_DIR
}
"
/org.freedesktop.Telepathy.AccountManager.service
\
"
${
SERVICES_DIR
}
"
/org.freedesktop.Telepathy.MissionControl5.service
"
${
SERVICES_DIR
}
"
/org.gnome.Shell.CalendarServer.service
for
service
in
\
"
${
SERVICES_DIR
}
"
/org.freedesktop.Telepathy.AccountManager.service
\
"
${
SERVICES_DIR
}
"
/org.freedesktop.Telepathy.MissionControl5.service
;
do
if
[
-f
"
$service
"
]
;
then
echo
"
$service
is back: consider disabling it"
>
&2
exit
1
fi
done
config/chroot_local-hooks/52-update-rc.d
...
...
@@ -2,32 +2,6 @@
set
-
e
CUSTOM_INITSCRIPTS
=
"
"
PATCHED_INITSCRIPTS
=
"
alsa-utils
haveged
hwclock.sh
i2p
kexec-load
laptop-mode
memlockd
saned
spice-vdagent
tor
"
echo
"Configuring boot sequence"
#
The
patches
to
adjust
the
runlevels
are
applied
to
the
chroot
#
after
the
packages
have
been
installed
.
So
we
need
to
remove
them
first
,
#
to
re
-
install
them
with
our
settings
.
insserv
-
r
$
PATCHED_INITSCRIPTS
#
Re
-
install
overriden
initscripts
and
install
our
custom
ones
.
insserv
$
PATCHED_INITSCRIPTS
$
CUSTOM_INITSCRIPTS
###
Tweak
systemd
unit
files
#
Workaround
for
https
:
//bugs.debian.org/714957
...
...
@@ -71,9 +45,6 @@ systemctl disable tor.service
systemctl
disable
NetworkManager
.
service
systemctl
disable
NetworkManager
-
wait
-
online
.
service
#
We
don
'
t
run
these
services
by
default
systemctl
disable
i2p
.
service
#
Don
'
t
hide
tails
-
kexec
'
s
shutdown
messages
with
an
empty
splash
screen
for
suffix
in
halt
kexec
poweroff
reboot
shutdown
;
do
systemctl
mask
"plymouth-${suffix}.service"
...
...
@@ -91,15 +62,3 @@ systemctl mask hwclock-save.service
#
Do
not
run
timesyncd
:
we
have
our
own
time
synchronization
mechanism
systemctl
mask
systemd
-
timesyncd
.
service
#
Unmute
and
sanitize
mixer
levels
at
boot
time
#
(
`systemctl unmask`
does
not
support
initscripts
on
Jessie
,
#
hence
the
manual
unmasking
)
dpkg
-
divert
--
add
--
rename
--
divert
\
/
lib
/
systemd
/
system
/
alsa
-
utils
.
service
.
orig
\
/
lib
/
systemd
/
system
/
alsa
-
utils
.
service
#
Disable
the
ALSA
state
store
/
restore
systemd
services
(
that
lack
mixer
#
levels
unmuting
/
sanitizing
),
we
use
the
legacy
initscript
instead
systemctl
mask
alsa
-
restore
.
service
systemctl
mask
alsa
-
state
.
service
systemctl
mask
alsa
-
store
.
service
config/chroot_local-hooks/54-menu
...
...
@@ -13,7 +13,6 @@ done
rm
\
/usr/share/applications/gnome-online-accounts-panel.desktop
\
/usr/share/applications/laptop-mode-tools.desktop
\
/usr/share/applications/openjdk-8-policytool.desktop
\
/usr/share/applications/sniff.desktop
sed
-i
''
--regexp-extended
's,^Exec=pidgin$,Exec=/usr/local/bin/pidgin,'
\
...
...
config/chroot_local-hooks/59-libdvd-pkg
...
...
@@ -17,6 +17,7 @@ dpkg-reconfigure libdvd-pkg
# without the build-essential dependency to satisfy libdvdcss2.
LIBDVD_PKG_VERSION
=
"
$(
dpkg-query
-s
libdvd-pkg |
grep
Version |
cut
-d
' '
-f2
)
+fake1"
install_fake_package libdvd-pkg
"
${
LIBDVD_PKG_VERSION
}
"
multimedia
rm
-r
/usr/src/libdvd-pkg
# Verify installed packages:
for
x
in
libdvd-pkg
...
...
config/chroot_local-hooks/80-block-network
...
...
@@ -5,6 +5,6 @@ set -e
echo
"Generating blocklist for all network devices"
find /lib/modules/
*
/kernel/drivers/net
\
-name
"*.ko"
-printf
"
blacklist %f
\n
"
|
\
sed
's/\.ko
$/
/'
|
\
-name
"*.ko"
-printf
"
install %f /bin/true
\n
"
|
\
sed
's/\.ko
/
/'
|
\
sort
-u
>
/etc/modprobe.d/all-net-blacklist.conf
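Review bot: Nothing in the hook explains the switch from `blacklist %f` to `install %f /bin/true` (assuming the `install` form is the new side, as the print order suggests), and the difference is the whole point of the change. Per modprobe.d(5), `blacklist` only stops a module from being loaded through its aliases, while an `install` override also applies when the module is requested by name. A comment such as `# "install ... /bin/true" rather than "blacklist": also blocks loading by explicit name` would record that. The echo text and the output file name `all-net-blacklist.conf` still say blocklist/blacklist; any script that later edits or removes this file (none is visible here) should be checked against the new line format.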
config/chroot_local-hooks/97-remove_i2p
deleted
100755 → 0
#!/bin/sh
set
-u
set
-e
# Everything moved by this hook script will be reversed in the event that
# the string "i2p" is entered at a boot prompt
DEST
=
"/usr/share/tails/i2p-disabled"
[
-d
"/usr/share/i2p"
]
||
return
0
mkdir
"
$DEST
"
mv
-f
/usr/share/i2p
"
$DEST
"
mv
-f
/usr/sbin/wrapper
"
$DEST
"
mv
-f
/usr/share/applications/i2p-browser.desktop
"
$DEST
"