Merge commit '70091e58' (Tails 3.0~beta3 release) into feature/5688-tails-server

58f005b5 · segfault · e8adad89 · 70091e58 · 58f005b5 · 58f005b5
Commit 58f005b5 authored Apr 15, 2017 by segfault
--- a/config/chroot_local-hooks/98-remove_unwanted_packages
+++ b/config/chroot_local-hooks/98-remove_unwanted_packages
@@ -14,11 +14,10 @@ echo "Removing unwanted packages"
 apt-get --yes purge  \
   '^linux-kbuild-*' \
   '^linux-headers-*' \
-   '^linux-source-*' \
-   build-essential debhelper dkms dpatch dpkg-dev \
-   gcc gcc-4.8 gcc-4.9 gcc-5 gcc-5-base gcc-6 \
+   build-essential debhelper dkms dpkg-dev \
+   gcc gcc-6 \
   intltool-debian \
-   libc6-dev libgl1-mesa-dev linux-libc-dev \
+   libc6-dev linux-libc-dev \
   make \
   po-debconf \
   rsyslog \
@@ -29,26 +28,18 @@ apt-get --yes purge  \
 ### since they have Priority: standard.
 apt-get --yes purge  \
   apt-listchanges \
-   at \
-   bsd-mailx \
-   dc \
   debian-faq \
   doc-debian \
   '^exim4*' \
-   ftp \
   m4 \
   mlocate \
-   mutt \
   ncurses-term \
   nfs-common \
-   portmap \
   procmail \
   python3-reportbug \
   reportbug \
   telnet \
   texinfo \
-   time \
-   w3m \
   wamerican

 ### Deinstall some other unwanted packages.
@@ -59,7 +50,6 @@ apt-get --yes purge  \
    libdvdcss2-dbgsym \
    live-build \
    locales \
-    paxctld \
    rpcbind \
    tasksel \
    tasksel-data \

--- a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/20-time.sh
+++ b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/20-time.sh
@@ -21,7 +21,7 @@

 ### Init variables

-TORDATE_DIR=/var/run/tordate
+TORDATE_DIR=/run/tordate
 TORDATE_DONE_FILE=${TORDATE_DIR}/done
 TOR_CONSENSUS=${TOR_DIR}/cached-microdesc-consensus
 TOR_UNVERIFIED_CONSENSUS=${TOR_DIR}/unverified-microdesc-consensus
@@ -48,10 +48,6 @@ if [ -e "$TORDATE_DONE_FILE" ]; then
 fi


-### Create status directory
-install -o root -g root -m 0755 -d ${TORDATE_DIR}
-
-
 ### Functions

 log() {

--- a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/30-i2p.sh
+++ b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/30-i2p.sh
-#!/bin/sh
-
-# I2P isn't started automatically at system boot.
-# Instead, it is started with this hook script.
-
-# Import i2p_is_enabled().
-. /usr/local/lib/tails-shell-library/i2p.sh
-
-# Don't even try to run this script if I2P is not enabled.
-i2p_is_enabled || exit 0
-
-# don't run if interface is 'lo'
-if [ -z "$1" ] || [ "$1" = "lo" ]; then
-    exit 0
-fi
-
-if [ "$2" = "up" ]; then
-    /usr/local/sbin/tails-i2p start &
-fi
--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -3,11 +3,6 @@
 #  Configuration file for ferm(1).
 #

-# I2P rules that grant access to the "i2psvc" user (those with $use_i2p) will
-# only be enabled if the string "i2p" is entered at the boot prompt.
-# Deny or reject rules affecting "i2psvc" will always be set.
-def $use_i2p = `test -d /usr/share/i2p && echo 1 || echo 0`;
-
 # When ferm starts initially during early boot, the "amnesia" user does not
 # exist yet, so we have to use its UID (#7018).
 def $amnesia_uid = 1000;
@@ -74,42 +69,12 @@ domain ip {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }

-                # Whitelist access to Tor's DNSPort so I2P can resolve hostnames when bootstrapping
-                daddr 127.0.0.1 proto udp dport 5353 {
-                    @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
-                }
-
                # White-list access to the accessibility daemon
                daddr 127.0.0.1 proto tcp syn dport 4101 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                    mod owner uid-owner Debian-gdm ACCEPT;
                }

-                # White-list access to I2P services for the amnesia user (IRC, SAM, POP3, SMTP, and Monotone)
-                # For more information, see https://tails/boum.org/contribute/design/I2P and https://geti2p.net/ports
-                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (6668 7656 7659 7660 8998) {
-                    @if $use_i2p mod owner uid-owner $amnesia_uid ACCEPT;
-                }
-
-                # Whitelist access to I2P services for the i2psvc user,
-                # otherwise mail and eepsite hosting won't work. The mail ports (7659 and 7660) are
-                # accessed by the webmail app
-                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (7658 7659 7660) {
-                    @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
-                }
-
-                # Whitelist access to the i2pbrowser user
-                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (4444 7657 7658) {
-                    @if $use_i2p mod owner uid-owner i2pbrowser ACCEPT;
-                }
-
-                # White-list access to the java wrapper's (used by I2P) control ports
-                # (see: http://wrapper.tanukisoftware.com/doc/english/prop-port.html)
-                # If, for example, port 31000 is in use, it'll try the next one in sequence.
-                daddr 127.0.0.1 proto tcp sport (31000 31001 31002) dport (32000 32001 32002) {
-                    @if $use_i2p mod owner uid-owner i2psvc ACCEPT;
-                }
-
                # White-list access to CUPS
                daddr 127.0.0.1 proto tcp syn dport 631 {
                    mod owner uid-owner $amnesia_uid ACCEPT;
@@ -122,7 +87,7 @@ domain ip {

                # White-list access to OnionShare
                daddr 127.0.0.1 proto tcp syn dport 17600:17650 {
-                    mod owner uid-owner amnesia ACCEPT;
+                    mod owner uid-owner $amnesia_uid ACCEPT;
                }
            }

@@ -136,14 +101,13 @@ domain ip {
            }

            # Local network connections should not go through Tor but DNS shall be
-            # rejected. I2P is explicitly blocked from communicating with the LAN.
-            # (Note that we exclude the VirtualAddrNetwork used for .onion:s here.)
+            # rejected. (Note that we exclude the VirtualAddrNetwork used for
+            # .onion:s here.)
            daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
                proto tcp dport domain REJECT;
                proto udp dport domain REJECT;
                proto tcp dport netbios-ns REJECT;
                proto udp dport netbios-ns REJECT;
-                mod owner uid-owner i2psvc REJECT;
                ACCEPT;
            }

@@ -152,11 +116,6 @@ domain ip {
                proto tcp syn mod state state (NEW) ACCEPT;
            }

-            # i2p is allowed to do anything it wants to on the internet.
-            outerface ! lo mod owner uid-owner i2psvc {
-                @if $use_i2p proto (tcp udp) ACCEPT;
-            }
-
            # Everything else is logged and dropped.
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
            REJECT reject-with icmp-port-unreachable;

--- a/config/chroot_local-includes/etc/mailname
+++ b/config/chroot_local-includes/etc/mailname
+localhost
--- a/config/chroot_local-includes/etc/modprobe.d/no-mei.conf
+++ b/config/chroot_local-includes/etc/modprobe.d/no-mei.conf
-blacklist mei-me
-blacklist mei
+install mei-me /bin/true
+install mei /bin/true
--- a/config/chroot_local-includes/etc/modprobe.d/no-n-hdlc.conf
+++ b/config/chroot_local-includes/etc/modprobe.d/no-n-hdlc.conf
+# Protect against CVE-2017-2636
+install n-hdlc /bin/true
--- a/config/chroot_local-includes/etc/modprobe.d/uncommon-network-protocols.conf
+++ b/config/chroot_local-includes/etc/modprobe.d/uncommon-network-protocols.conf
+install dccp /bin/true
+install sctp /bin/true
+install rds /bin/true
+install tipc /bin/true
--- a/config/chroot_local-includes/etc/skel/.config/keepassx/config.ini
+++ b/config/chroot_local-includes/etc/skel/.config/keepassx/config.ini
-[Options]
-ShowSysTrayIcon=true
-MinimizeTray=true
-MinimizeToTray=false
-AutoSaveChange=true
-LastFile=/home/amnesia/Persistent/keepassx.kdb
-
-[FileDlgHistory]
-ENTRY0=MainWindow_FileSave, /home/amnesia/Persistent/, 0
--- a/config/chroot_local-includes/etc/skel/.config/keepassx/keepassx2.ini
+++ b/config/chroot_local-includes/etc/skel/.config/keepassx/keepassx2.ini
+[General]
+ShowToolbar=true
+LastOpenedDatabases=/home/amnesia/Persistent/keepassx.kdbx
+LastDatabases=/home/amnesia/Persistent/keepassx.kdbx
+LastDir=/home/amnesia/Persistent/
\ No newline at end of file
--- a/config/chroot_local-includes/etc/skel/.purple/blist.xml
+++ b/config/chroot_local-includes/etc/skel/.purple/blist.xml
 <?xml version='1.0' encoding='UTF-8' ?>

 <purple version='1.0'>
-	<blist>
-		<group name='Discussions'>
-			<setting name='collapsed' type='bool'>0</setting>
-			<chat proto='prpl-irc' account='XXX_NICK_XXX@127.0.0.1'>
-				<component name='channel'>#i2p</component>
-			</chat>
-		</group>
-	</blist>
 	<privacy>
 		<account proto='prpl-irc' name='XXX_NICK_XXX@irc.oftc.net' mode='1'/>
-		<account proto='prpl-irc' name='XXX_NICK_XXX@127.0.0.1' mode='1'/>
 	</privacy>
 </purple>
--- a/config/chroot_local-includes/etc/sudoers.d/zzz_upgrade
+++ b/config/chroot_local-includes/etc/sudoers.d/zzz_upgrade
-Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/cp, /bin/dd, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar, /lib/live/mount/medium/utils/linux/syslinux
+Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/dd, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar, /lib/live/mount/medium/utils/linux/syslinux, /usr/bin/nocache /bin/cp *
 Cmnd_Alias IUK_GET_TARGET_FILE = /usr/bin/tails-iuk-get-target-file
 Cmnd_Alias UPGRADE_FRONTEND = /usr/bin/tails-upgrade-frontend ""


--- a/config/chroot_local-includes/etc/xul-ext/torbirdy.js
+++ b/config/chroot_local-includes/etc/xul-ext/torbirdy.js
 pref("extensions.torbirdy.custom.network.proxy.socks_port", 9061);
 pref("extensions.torbirdy.emailwizard", true);
-pref("extensions.torbirdy.custom.extensions.enigmail.already_torified", true);
+pref("extensions.torbirdy.gpg_already_torified", true);
--- a/config/chroot_local-includes/lib/live/config/0000-readahead
+++ b/config/chroot_local-includes/lib/live/config/0000-readahead
@@ -41,7 +41,7 @@ Start_readahead ()
 	(cd /
 	 start-stop-daemon \
 		--start --background --make-pidfile --startas /bin/sh \
-		--pidfile /var/run/background-readahead.pid -- \
+		--pidfile /run/background-readahead.pid -- \
 		-c "$BG_FILES | xargs cat >/dev/null 2>&1")

 	# Creating state file

--- a/config/chroot_local-includes/lib/live/config/1500-reconfigure-APT
+++ b/config/chroot_local-includes/lib/live/config/1500-reconfigure-APT
@@ -8,6 +8,9 @@ sed -i 's,^\(\#\?\s*deb\(-src\)\?\s\+\)http://,\1tor+http://,' \
 sed -E -i 's,\s+non-free$,,' \
           /etc/apt/sources.list /etc/apt/sources.list.d/*.list

+sed -E -i '/^deb(-src)?\s+\S+\s+\S+-proposed-updates\s+/d' \
+           /etc/apt/sources.list /etc/apt/sources.list.d/*.list
+
 echo '

 ### Time-based snapshots
@@ -85,3 +88,5 @@ s{
 }{$1tor+http://jenw7xbd6tf7vfhp.onion/$2}xms;

 ' | perl -pi - /etc/apt/sources.list /etc/apt/sources.list.d/*.list
+
+find /etc/apt/sources.list* -size 0 -delete
--- a/config/chroot_local-includes/lib/live/config/2000-import-gnupg-key
+++ b/config/chroot_local-includes/lib/live/config/2000-import-gnupg-key
@@ -6,7 +6,6 @@ Import_GnuPG_key ()
 	sudo -H -u "${LIVE_USERNAME}" gpg --batch --import /usr/share/doc/tails/website/*.key

 	echo "- importing GnuPG signing key into tails-iuk's trusted keyring"
-	mkdir -p /usr/share/tails-iuk/trusted_gnupg_homedir
 	gpg --batch --homedir /usr/share/tails-iuk/trusted_gnupg_homedir \
 	    --import /usr/share/doc/tails/website/tails-signing.key
 	chmod -R go+rX /usr/share/tails-iuk/trusted_gnupg_homedir/*

--- a/config/chroot_local-includes/lib/live/config/2060-create-upgrader-run-directory
+++ b/config/chroot_local-includes/lib/live/config/2060-create-upgrader-run-directory
-#!/bin/sh
-
-install -m 0775 -o root -g tails-upgrade-frontend -d /var/run/tails-upgrader
--- a/config/chroot_local-includes/lib/live/config/2080-install-i2p
+++ b/config/chroot_local-includes/lib/live/config/2080-install-i2p
-#!/bin/sh
-
-# This script reverses everything done by config/chroot_local-hooks/97_remove_i2p
-# when the string "i2p" is added to the boot prompt.
-
-# Import i2p_is_enabled().
-. /usr/local/lib/tails-shell-library/i2p.sh
-
-SRC="/usr/share/tails/i2p-disabled"
-
-Install_I2P(){
-    mv "$SRC/wrapper" /usr/sbin/wrapper
-    mv "$SRC/i2p-browser.desktop" /usr/share/applications
-    mv "$SRC/i2p" /usr/share
-    rmdir "$SRC"
-}
-
-Add_Sudo_Config(){
-    echo "amnesia   ALL = NOPASSWD: /usr/local/sbin/i2p-browser" > /etc/sudoers.d/zzz_i2pbrowser
-    chown root:root /etc/sudoers.d/zzz_i2pbrowser
-    chmod 0440 /etc/sudoers.d/zzz_i2pbrowser
-}
-
-if i2p_is_enabled && [ -d "$SRC" ]; then
-   Install_I2P
-   Add_Sudo_Config
-fi
--- a/config/chroot_local-includes/lib/systemd/system/alsa-restore.service.d/dont-store-state-on-shutdown.conf
+++ b/config/chroot_local-includes/lib/systemd/system/alsa-restore.service.d/dont-store-state-on-shutdown.conf
+[Service]
+ExecStop=
--- a/config/chroot_local-includes/lib/systemd/system/htpdate.service
+++ b/config/chroot_local-includes/lib/systemd/system/htpdate.service
@@ -17,7 +17,6 @@ ExecStartPre=/bin/sh -c \
     [ -n "${HTP_POOL_FOE}"     ]'
 ExecStartPre=/bin/rm -f "${DONE_FILE}"
 ExecStartPre=/bin/rm -f "${SUCCESS_FILE}"
-ExecStartPre=/usr/bin/install -o root -g root -m 0755 -d /run/htpdate
 ExecStartPre=/usr/bin/install -o htp -g nogroup -m 0644 /dev/null "${LOG}"
 ExecStart=/usr/local/sbin/htpdate                   \
              --debug                               \