58f005b5
Commit
58f005b5
authored
Apr 15, 2017
by
segfault
Merge commit '
70091e58
' (Tails 3.0~beta3 release) into feature/5688-tails-server
parents
e8adad89
70091e58
Changes
503
config/chroot_local-hooks/98-remove_unwanted_packages
...
...
@@ -14,11 +14,10 @@ echo "Removing unwanted packages"
apt-get
--yes
purge
\
'^linux-kbuild-*'
\
'^linux-headers-*'
\
'^linux-source-*'
\
build-essential debhelper dkms dpatch dpkg-dev
\
gcc gcc-4.8 gcc-4.9 gcc-5 gcc-5-base gcc-6
\
build-essential debhelper dkms dpkg-dev
\
gcc gcc-6
\
intltool-debian
\
libc6-dev
libgl1-mesa-dev
linux-libc-dev
\
libc6-dev linux-libc-dev
\
make
\
po-debconf
\
rsyslog
\
...
...
@@ -29,26 +28,18 @@ apt-get --yes purge \
### since they have Priority: standard.
apt-get
--yes
purge
\
apt-listchanges
\
at
\
bsd-mailx
\
dc
\
debian-faq
\
doc-debian
\
'^exim4*'
\
ftp
\
m4
\
mlocate
\
mutt
\
ncurses-term
\
nfs-common
\
portmap
\
procmail
\
python3-reportbug
\
reportbug
\
telnet
\
texinfo
\
time
\
w3m
\
wamerican
### Deinstall some other unwanted packages.
...
...
@@ -59,7 +50,6 @@ apt-get --yes purge \
libdvdcss2-dbgsym
\
live-build
\
locales
\
paxctld
\
rpcbind
\
tasksel
\
tasksel-data
\
...
...
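Review bot: The quoted arguments `'^linux-kbuild-*'`, `'^linux-headers-*'` and `'^linux-source-*'` at the top of the first hunk read like shell globs but apt-get treats any argument containing regex metacharacters as a POSIX regex matched against package names, so the trailing `-*` means "zero or more hyphens" and the effective match is the prefix `^linux-kbuild`; they work as written, but a comment would keep the next reader from "fixing" them, e.g. `# Arguments with regex metacharacters are matched by apt-get as POSIX regexes on package names, not as shell globs.`. The same reading applies to `'^exim4*'` in the second hunk if it survives on the new side, which the rendering does not make certain. These are context lines, so the point concerns the new side as a whole rather than something this merge introduced.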
config/chroot_local-includes/etc/NetworkManager/dispatcher.d/20-time.sh
...
...
@@ -21,7 +21,7 @@
### Init variables
TORDATE_DIR
=
/
var/
run/tordate
TORDATE_DIR
=
/run/tordate
TORDATE_DONE_FILE
=
${
TORDATE_DIR
}
/done
TOR_CONSENSUS
=
${
TOR_DIR
}
/cached-microdesc-consensus
TOR_UNVERIFIED_CONSENSUS
=
${
TOR_DIR
}
/unverified-microdesc-consensus
...
...
@@ -48,10 +48,6 @@ if [ -e "$TORDATE_DONE_FILE" ]; then
fi
### Create status directory
install
-o
root
-g
root
-m
0755
-d
${
TORDATE_DIR
}
### Functions
log
()
{
...
...
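Review bot: The second hunk drops `install -o root -g root -m 0755 -d ${TORDATE_DIR}` but nothing left in the script creates `/run/tordate`, which the script still relies on for `$TORDATE_DONE_FILE`; presumably a tmpfiles.d entry or unit elsewhere in the merge now creates it, and that should be recorded here, e.g. `# /run/tordate is created at boot by <tmpfiles.d entry or unit — TODO confirm>`. Whatever creates it must keep the root-owned 0755 mode the removed line set, because the existence check `if [ -e "$TORDATE_DONE_FILE" ]` shown in the hunk header gates the whole script, and a user-writable directory would let an unprivileged process disable it by creating the done file. The same `install -d` removal appears in the htpdate.service hunk for `/run/htpdate`, where `${LOG}` is then created with `-o htp` inside that directory, so the same ownership question applies there. The `log ()` function at the end of the hunk continues outside it.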
config/chroot_local-includes/etc/NetworkManager/dispatcher.d/30-i2p.sh
deleted
100755 → 0
#!/bin/sh
# I2P isn't started automatically at system boot.
# Instead, it is started with this hook script.
# Import i2p_is_enabled().
.
/usr/local/lib/tails-shell-library/i2p.sh
# Don't even try to run this script if I2P is not enabled.
i2p_is_enabled
||
exit
0
# don't run if interface is 'lo'
if
[
-z
"
$1
"
]
||
[
"
$1
"
=
"lo"
]
;
then
exit
0
fi
if
[
"
$2
"
=
"up"
]
;
then
/usr/local/sbin/tails-i2p start &
fi
config/chroot_local-includes/etc/ferm/ferm.conf
...
...
@@ -3,11 +3,6 @@
# Configuration file for ferm(1).
#
# I2P rules that grant access to the "i2psvc" user (those with $use_i2p) will
# only be enabled if the string "i2p" is entered at the boot prompt.
# Deny or reject rules affecting "i2psvc" will always be set.
def
$
use_i2p
= `
test
-
d
/
usr
/
share
/
i2p
&&
echo
1
||
echo
0
`;
# When ferm starts initially during early boot, the "amnesia" user does not
# exist yet, so we have to use its UID (#7018).
def
$
amnesia_uid
=
1000
;
...
...
@@ -74,42 +69,12 @@ domain ip {
mod
owner
uid
-
owner
$
amnesia_uid
ACCEPT
;
}
# Whitelist access to Tor's DNSPort so I2P can resolve hostnames when bootstrapping
daddr
127
.
0
.
0
.
1
proto
udp
dport
5353
{
@
if
$
use_i2p
mod
owner
uid
-
owner
i2psvc
ACCEPT
;
}
# White-list access to the accessibility daemon
daddr
127
.
0
.
0
.
1
proto
tcp
syn
dport
4101
{
mod
owner
uid
-
owner
$
amnesia_uid
ACCEPT
;
mod
owner
uid
-
owner
Debian
-
gdm
ACCEPT
;
}
# White-list access to I2P services for the amnesia user (IRC, SAM, POP3, SMTP, and Monotone)
# For more information, see https://tails/boum.org/contribute/design/I2P and https://geti2p.net/ports
daddr
127
.
0
.
0
.
1
proto
tcp
syn
mod
multiport
destination
-
ports
(
6668
7656
7659
7660
8998
) {
@
if
$
use_i2p
mod
owner
uid
-
owner
$
amnesia_uid
ACCEPT
;
}
# Whitelist access to I2P services for the i2psvc user,
# otherwise mail and eepsite hosting won't work. The mail ports (7659 and 7660) are
# accessed by the webmail app
daddr
127
.
0
.
0
.
1
proto
tcp
syn
mod
multiport
destination
-
ports
(
7658
7659
7660
) {
@
if
$
use_i2p
mod
owner
uid
-
owner
i2psvc
ACCEPT
;
}
# Whitelist access to the i2pbrowser user
daddr
127
.
0
.
0
.
1
proto
tcp
syn
mod
multiport
destination
-
ports
(
4444
7657
7658
) {
@
if
$
use_i2p
mod
owner
uid
-
owner
i2pbrowser
ACCEPT
;
}
# White-list access to the java wrapper's (used by I2P) control ports
# (see: http://wrapper.tanukisoftware.com/doc/english/prop-port.html)
# If, for example, port 31000 is in use, it'll try the next one in sequence.
daddr
127
.
0
.
0
.
1
proto
tcp
sport
(
31000
31001
31002
)
dport
(
32000
32001
32002
) {
@
if
$
use_i2p
mod
owner
uid
-
owner
i2psvc
ACCEPT
;
}
# White-list access to CUPS
daddr
127
.
0
.
0
.
1
proto
tcp
syn
dport
631
{
mod
owner
uid
-
owner
$
amnesia_uid
ACCEPT
;
...
...
@@ -122,7 +87,7 @@ domain ip {
# White-list access to OnionShare
daddr
127
.
0
.
0
.
1
proto
tcp
syn
dport
17600
:
17650
{
mod
owner
uid
-
owner
amnesia
ACCEPT
;
mod
owner
uid
-
owner
$
amnesia
_uid
ACCEPT
;
}
}
...
...
@@ -136,14 +101,13 @@ domain ip {
}
# Local network connections should not go through Tor but DNS shall be
# rejected.
I2P is explicitly blocked from communicating with the LAN.
#
(Note that we exclude the VirtualAddrNetwork used for
.onion:s here.)
# rejected.
(Note that we exclude the VirtualAddrNetwork used for
# .onion:s here.)
daddr
(
10
.
0
.
0
.
0
/
8
172
.
16
.
0
.
0
/
12
192
.
168
.
0
.
0
/
16
) @
subchain
"lan"
{
proto
tcp
dport
domain
REJECT
;
proto
udp
dport
domain
REJECT
;
proto
tcp
dport
netbios
-
ns
REJECT
;
proto
udp
dport
netbios
-
ns
REJECT
;
mod
owner
uid
-
owner
i2psvc
REJECT
;
ACCEPT
;
}
...
...
@@ -152,11 +116,6 @@ domain ip {
proto
tcp
syn
mod
state
state
(
NEW
)
ACCEPT
;
}
# i2p is allowed to do anything it wants to on the internet.
outerface
!
lo
mod
owner
uid
-
owner
i2psvc
{
@
if
$
use_i2p
proto
(
tcp
udp
)
ACCEPT
;
}
# Everything else is logged and dropped.
LOG
log
-
prefix
"Dropped outbound packet: "
log
-
level
debug
log
-
uid
;
REJECT
reject
-
with
icmp
-
port
-
unreachable
;
...
...
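Review bot: The comment `# Everything else is logged and dropped.` above the final rule of the last hunk does not describe the rule beneath it, which is `REJECT reject-with icmp-port-unreachable` — an active reject that tells the local sender the port is unreachable rather than a silent drop; suggest `# Everything else is logged and rejected (ICMP port unreachable).`. With the `@if $use_i2p` blocks and, apparently, the `$use_i2p` definition removed in the earlier hunks, the remaining uid-owner rules in the OnionShare hunk consistently use `$amnesia_uid`, matching the `#7018` rationale kept in the first hunk; keep that pattern for any future rule rather than the `amnesia` user name, which does not exist when ferm first runs. The `domain ip {` block these hunks sit in starts and ends outside the hunks shown.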
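--- a/config/chroot_local-includes/etc/mailname
+++ b/config/chroot_local-includes/etc/mailname
+localhost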
config/chroot_local-includes/etc/modprobe.d/no-mei.conf
blacklist
mei
-
m
e
blacklist
mei
install
mei
-
me
/
bin
/
tru
e
install
mei
/
bin
/
true
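Review bot: The file records no reason for keeping the Intel MEI driver from loading, while the neighbouring no-n-hdlc.conf in the same merge cites the CVE it mitigates; a one-line header such as `# Keep the Intel Management Engine Interface driver (mei, mei-me) from loading; see <ticket — TODO fill in>` would let the next maintainer judge whether it still applies. Note that the `install mei-me /bin/true` and `install mei /bin/true` lines are what actually prevent loading, including an explicit modprobe; the `blacklist` lines alone only stop alias-based autoloading, so a comment saying so would explain why both forms are present. The rendering does not show which of the `mei-me` or `mei` pairs is the addition, so the point applies to the new side as a whole.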
config/chroot_local-includes/etc/modprobe.d/no-n-hdlc.conf
0 → 100644
# Protect against CVE-2017-2636
install
n
-
hdlc
/
bin
/
true
config/chroot_local-includes/etc/modprobe.d/uncommon-network-protocols.conf
0 → 100644
install
dccp
/
bin
/
true
install
sctp
/
bin
/
true
install
rds
/
bin
/
true
install
tipc
/
bin
/
true
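Review bot: The new file gives no rationale for its four `install <module> /bin/true` lines, unlike no-n-hdlc.conf in the same merge, which names the CVE it addresses; a header such as `# Refuse to load rarely used network protocol modules (dccp, sctp, rds, tipc) that are not needed here; "install … /bin/true" also blocks an explicit modprobe, which "blacklist" alone would not.` would document the intent. The reason these four were chosen is not visible in the diff, so if a ticket or advisory motivated the list it belongs in that comment.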
config/chroot_local-includes/etc/skel/.config/keepassx/config.ini
deleted
100644 → 0
[Options]
ShowSysTrayIcon
=
true
MinimizeTray
=
true
MinimizeToTray
=
false
AutoSaveChange
=
true
LastFile
=
/home/amnesia/Persistent/keepassx.kdb
[FileDlgHistory]
ENTRY0
=
MainWindow_FileSave, /home/amnesia/Persistent/, 0
config/chroot_local-includes/etc/skel/.config/keepassx/keepassx2.ini
0 → 100644
[General]
ShowToolbar
=
true
LastOpenedDatabases
=
/home/amnesia/Persistent/keepassx.kdbx
LastDatabases
=
/home/amnesia/Persistent/keepassx.kdbx
LastDir
=
/home/amnesia/Persistent/
\ No newline at end of file
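Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), which makes later diffs noisier and can trip tools that read the last line with `read`; add the final newline after `LastDir=/home/amnesia/Persistent/`. The `LastOpenedDatabases` and `LastDatabases` values both point at a path under the persistent volume, which only exists when persistence is enabled — presumably KeePassX tolerates a missing file on first start, but that is worth confirming rather than assuming.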
config/chroot_local-includes/etc/skel/.purple/blist.xml
<?xml version='1.0' encoding='UTF-8' ?>
<purple
version=
'1.0'
>
<blist>
<group
name=
'Discussions'
>
<setting
name=
'collapsed'
type=
'bool'
>
0
</setting>
<chat
proto=
'prpl-irc'
account=
'XXX_NICK_XXX@127.0.0.1'
>
<component
name=
'channel'
>
#i2p
</component>
</chat>
</group>
</blist>
<privacy>
<account
proto=
'prpl-irc'
name=
'XXX_NICK_XXX@irc.oftc.net'
mode=
'1'
/>
<account
proto=
'prpl-irc'
name=
'XXX_NICK_XXX@127.0.0.1'
mode=
'1'
/>
</privacy>
</purple>
config/chroot_local-includes/etc/sudoers.d/zzz_upgrade
Cmnd_Alias INSTALL_IUK = /bin/chmod,
/bin/cp,
/bin/dd, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar, /lib/live/mount/medium/utils/linux/syslinux
Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/dd, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar, /lib/live/mount/medium/utils/linux/syslinux
, /usr/bin/nocache /bin/cp *
Cmnd_Alias IUK_GET_TARGET_FILE = /usr/bin/tails-iuk-get-target-file
Cmnd_Alias UPGRADE_FRONTEND = /usr/bin/tails-upgrade-frontend ""
...
...
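Review bot: Reading the second `Cmnd_Alias INSTALL_IUK` line as the new side, the bare `/bin/cp` entry is gone and only `/usr/bin/nocache /bin/cp *` remains, so any caller that still runs `sudo /bin/cp` directly will now be refused — confirm that the upgrader invokes copies only through nocache, which is not visible in this hunk. The trailing `*` in a sudoers command spec matches across argument boundaries, whitespace included, so this entry grants the same unrestricted copy-as-root that the old bare `/bin/cp` did; that is not a regression, but a comment stating it is deliberate would help, e.g. `# "*" intentionally permits any cp arguments (same scope as the former bare /bin/cp entry).`.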
config/chroot_local-includes/etc/xul-ext/torbirdy.js
pref
(
"
extensions.torbirdy.custom.network.proxy.socks_port
"
,
9061
);
pref
(
"
extensions.torbirdy.emailwizard
"
,
true
);
pref
(
"
extensions.torbirdy.
custom.extensions.enigmail.
already_torified
"
,
true
);
pref
(
"
extensions.torbirdy.
gpg_
already_torified
"
,
true
);
config/chroot_local-includes/lib/live/config/0000-readahead
...
...
@@ -41,7 +41,7 @@ Start_readahead ()
(
cd
/
start-stop-daemon
\
--start
--background
--make-pidfile
--startas
/bin/sh
\
--pidfile
/var
/run/background-readahead.pid
--
\
--pidfile
/run/background-readahead.pid
--
\
-c
"
$BG_FILES
| xargs cat >/dev/null 2>&1"
)
# Creating state file
...
...
config/chroot_local-includes/lib/live/config/1500-reconfigure-APT
...
...
@@ -8,6 +8,9 @@ sed -i 's,^\(\#\?\s*deb\(-src\)\?\s\+\)http://,\1tor+http://,' \
sed
-E
-i
's,\s+non-free$,,'
\
/etc/apt/sources.list /etc/apt/sources.list.d/
*
.list
sed
-E
-i
'/^deb(-src)?\s+\S+\s+\S+-proposed-updates\s+/d'
\
/etc/apt/sources.list /etc/apt/sources.list.d/
*
.list
echo
'
### Time-based snapshots
...
...
@@ -85,3 +88,5 @@ s{
}{$1tor+http://jenw7xbd6tf7vfhp.onion/$2}xms;
'
| perl
-pi
- /etc/apt/sources.list /etc/apt/sources.list.d/
*
.list
find /etc/apt/sources.list
*
-size
0
-delete
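Review bot: The added `find /etc/apt/sources.list* -size 0 -delete` in the second hunk has no `-type f`, so the glob also hands `/etc/apt/sources.list.d` itself to find, and `-delete` (which implies `-depth`) would remove that directory on filesystems where an empty directory reports size 0; restrict it: `find /etc/apt/sources.list* -type f -size 0 -delete`. It would also help to say why empty files are removed, e.g. `# drop sources files left empty by the sed passes above` — hedged, since the motive is not stated in the hunk. The `-proposed-updates` sed added in the first hunk depends on GNU `-E` with `\s`/`\S`, which is fine for this image but not portable to other seds; a short comment noting that is reasonable.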
config/chroot_local-includes/lib/live/config/2000-import-gnupg-key
...
...
@@ -6,7 +6,6 @@ Import_GnuPG_key ()
sudo
-H
-u
"
${
LIVE_USERNAME
}
"
gpg
--batch
--import
/usr/share/doc/tails/website/
*
.key
echo
"- importing GnuPG signing key into tails-iuk's trusted keyring"
mkdir
-p
/usr/share/tails-iuk/trusted_gnupg_homedir
gpg
--batch
--homedir
/usr/share/tails-iuk/trusted_gnupg_homedir
\
--import
/usr/share/doc/tails/website/tails-signing.key
chmod
-R
go+rX /usr/share/tails-iuk/trusted_gnupg_homedir/
*
...
...
config/chroot_local-includes/lib/live/config/2060-create-upgrader-run-directory
deleted
100755 → 0
#!/bin/sh
install
-m
0775
-o
root
-g
tails-upgrade-frontend
-d
/var/run/tails-upgrader
config/chroot_local-includes/lib/live/config/2080-install-i2p
deleted
100755 → 0
#!/bin/sh
# This script reverses everything done by config/chroot_local-hooks/97_remove_i2p
# when the string "i2p" is added to the boot prompt.
# Import i2p_is_enabled().
.
/usr/local/lib/tails-shell-library/i2p.sh
SRC
=
"/usr/share/tails/i2p-disabled"
Install_I2P
(){
mv
"
$SRC
/wrapper"
/usr/sbin/wrapper
mv
"
$SRC
/i2p-browser.desktop"
/usr/share/applications
mv
"
$SRC
/i2p"
/usr/share
rmdir
"
$SRC
"
}
Add_Sudo_Config
(){
echo
"amnesia ALL = NOPASSWD: /usr/local/sbin/i2p-browser"
>
/etc/sudoers.d/zzz_i2pbrowser
chown
root:root /etc/sudoers.d/zzz_i2pbrowser
chmod
0440 /etc/sudoers.d/zzz_i2pbrowser
}
if
i2p_is_enabled
&&
[
-d
"
$SRC
"
]
;
then
Install_I2P
Add_Sudo_Config
fi
config/chroot_local-includes/lib/systemd/system/alsa-restore.service.d/dont-store-state-on-shutdown.conf
0 → 100644
[
Service
]
ExecStop
=
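Review bot: The drop-in clears `ExecStop=` with no comment, so a reader has to infer the intent from the file name alone; suggest `# Empty ExecStop= cancels the packaged unit's stop action (which stores the mixer state under /var/lib/alsa), so nothing is written at shutdown.`. The packaged unit's exact ExecStop is not visible here, so confirm the wording against the alsa-restore unit shipped in the image before committing the comment.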
config/chroot_local-includes/lib/systemd/system/htpdate.service
...
...
@@ -17,7 +17,6 @@ ExecStartPre=/bin/sh -c \
[ -n "${HTP_POOL_FOE}" ]'
ExecStartPre
=
/bin/rm -f "${DONE_FILE}"
ExecStartPre
=
/bin/rm -f "${SUCCESS_FILE}"
ExecStartPre
=
/usr/bin/install -o root -g root -m 0755 -d /run/htpdate
ExecStartPre
=
/usr/bin/install -o htp -g nogroup -m 0644 /dev/null "${LOG}"
ExecStart
=
/usr/local/sbin/htpdate
\
--debug
\
...
...