Commit 67d84856 authored by sajolida's avatar sajolida

Merge branch 'web/16928-define-fundraising' into web/16928-definition

parents cf525309 18030cfa
#!/bin/sh
set -eu
po4a --version | head -n1 | perl -pE 's{\Apo4a version ([0-9.]+)[.]$}{$1}'
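Review bot: Under `#!/bin/sh` with `set -eu` only the status of the last pipeline stage counts, so if `po4a` is absent or fails the script prints nothing and still exits 0, and a version line that does not match the substitution is passed through unchanged by `perl -p` rather than reported. Check the tool first with `command -v po4a >/dev/null || exit 1` and make the perl stage exit non-zero on a non-match, e.g. `perl -ne 'if (s{\Apo4a version ([0-9.]+)[.]$}{$1}) { print; exit 0 } exit 1'`. A one-line header comment stating what the script is for (it prints the bare po4a version, presumably for a build check) would also help, since the file has none.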
......@@ -21,7 +21,7 @@ AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC spl
AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
# Kernel version
KERNEL_VERSION='5.10.0-3'
KERNEL_VERSION='5.10.0-0.bpo.3'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
......@@ -68,7 +68,7 @@ Pin: release o=Debian,n=buster-backports
Pin-Priority: 999
Package: linux-compiler-* linux-headers-* linux-image-* linux-kbuild-* linux-source-*
Pin: release o=Debian,n=bullseye
Pin: release o=Debian,n=buster-backports
Pin-Priority: 999
Explanation: src:live-boot (#15477)
......
......@@ -15,6 +15,7 @@ systemctl enable tails-allow-external-TailsData-access.service
systemctl enable tails-synchronize-data-to-new-persistent-volume-on-shutdown.service
systemctl enable tails-autotest-broken-Xorg.service
systemctl enable tails-autotest-remote-shell.service
systemctl enable tails-create-netns.service
systemctl enable tails-remove-overlayfs-dirs.service
systemctl enable tails-set-wireless-devices-state.service
systemctl enable tails-shutdown-on-media-removal.service
......@@ -34,6 +35,7 @@ systemctl --global enable tails-security-check.service
systemctl --global enable tails-upgrade-frontend.service
systemctl --global enable tails-virt-notify-user.service
systemctl --global enable tails-wait-until-tor-has-bootstrapped.service
systemctl --global enable tails-a11y-proxy-netns@onioncircs.service
# Use socket activation only, to delay the startup of cupsd.
# In practice, this means that cupsd is started during
......
......@@ -4,6 +4,15 @@ set -e
echo "Generating blocklist for all network devices"
is_allowed() {
mod="$(basename "$1" .ko)"
shift
# the heredoc is the allowlist
grep -qwF "$mod" <<END
veth
END
}
is_net_module() {
# Here we assume that if any of the patterns below are matched, it
# is a network driver. This is not comprehensive, but should be
......@@ -14,11 +23,18 @@ is_net_module() {
-e "^depends:\s*(cfg|lib|mac)80211" \
-e "^parm:\s*ifname:"
}
net_module_filter() {
local path
while read path; do
if is_net_module "${path}"; then
if ! is_allowed "${path}" && is_net_module "${path}"; then
echo "${path}"
fi
done
}
remove_allowlist_filter() {
local path
while read path; do
if ! is_allowed "${path}"; then
echo "${path}"
fi
done
......@@ -37,6 +53,7 @@ BLACKLIST=/etc/modprobe.d/all-net-blacklist.conf
(
find /lib/modules/*/kernel/drivers/net -name "*.ko" | \
remove_allowlist_filter | \
generate_blocking_line && \
# Let's try to find the network drivers in the staging directory as well
......
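Review bot: The new `remove_allowlist_filter` (like the unchanged loop in `net_module_filter`) reads module paths with a bare `while read path`, which strips backslashes and surrounding whitespace from each line; for new code prefer `while IFS= read -r path; do`. The `shift` in `is_allowed` discards arguments the function never uses, so it is dead code — drop it or comment why it is there. Where `net_module_filter` and `remove_allowlist_filter` run on the same stream the allowlist is now applied twice, which is harmless but deserves a comment so the redundancy is not mistaken for a second list. The heredoc delimiter `<<END` is unquoted, so a `$` in a future allowlist entry would be expanded; `<<'END'` avoids that. The enclosing script continues outside the hunks shown.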
......@@ -18,6 +18,12 @@ domain ip {
# Traffic on the loopback interface is accepted.
interface lo ACCEPT;
# netns configuration; see config/chroot_local-includes/usr/local/lib/tails-create-netns
interface veth-tbb saddr 10.200.1.2 daddr 10.200.1.1 proto tcp mod multiport destination-ports (9050 9051) ACCEPT;
interface veth-onioncircs saddr 10.200.1.6 daddr 10.200.1.5 proto tcp mod multiport destination-ports (9051) ACCEPT;
interface veth-torlaunch saddr 10.200.1.10 daddr 10.200.1.9 proto tcp mod multiport destination-ports (9051) ACCEPT;
interface veth-onionshare saddr 10.200.1.14 daddr 10.200.1.13 proto tcp mod multiport destination-ports (9050 9051) ACCEPT;
}
chain OUTPUT {
......
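Review bot: The `# netns configuration` comment should say what the 9051 rules actually reach: with `ControlPort 127.0.0.1:9052` in the torrc and onion-grater started with `--listen-address 0.0.0.0` elsewhere in this commit, port 9051 on the 10.200.1.x gateway addresses is presumably served by the onion-grater filter rather than Tor's control port, and a reader of the firewall alone cannot tell that. Suggested wording: `# 9051 is onion-grater (filtered control port), 9050 is Tor SOCKS; interfaces and addresses are created by tails-create-netns and must be kept in sync with it`. The enclosing chain block of `domain ip` starts outside the hunk.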
---
- apparmor-profiles:
- '/usr/bin/onioncircuits'
users:
- 'amnesia'
- hosts:
- '10.200.1.6'
commands:
GETINFO:
- 'version'
......
amnesia ALL = NOPASSWD: /usr/local/bin/onioncircuits ""
......@@ -2,8 +2,9 @@ Cmnd_Alias INSTALL_IUK = /bin/dd, /bin/mount, /bin/umount, /bin/rm, /lib/live/mo
Cmnd_Alias IUK_GET_TARGET_FILE = /usr/local/bin/tails-iuk-get-target-file
Cmnd_Alias UPGRADE_FRONTEND = /usr/local/bin/tails-upgrade-frontend ""
Defaults!IUK_GET_TARGET_FILE env_keep+="HARNESS_ACTIVE DISABLE_PROXY"
Defaults!UPGRADE_FRONTEND env_keep+="DISABLE_PROXY SSL_NO_VERIFY"
## Settings that might be useful for developers
# Defaults!IUK_GET_TARGET_FILE env_keep+="HARNESS_ACTIVE DISABLE_PROXY"
# Defaults!UPGRADE_FRONTEND env_keep+="DISABLE_PROXY"
amnesia ALL = (tails-upgrade-frontend) NOPASSWD: UPGRADE_FRONTEND
tails-upgrade-frontend ALL = NOPASSWD: /usr/local/bin/tails-shutdown-network ""
......
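Review bot: The new `## Settings that might be useful for developers` comment does not say why the two `env_keep` lines are disabled, and the variable names suggest they matter: keeping `DISABLE_PROXY` and (in the removed line) `SSL_NO_VERIFY` for the upgrader presumably lets the caller bypass the proxy and TLS verification. A comment such as `# Never enable these in a released image: they let the caller weaken the upgrader's transport checks` would keep the next maintainer from uncommenting them casually. The hunk is otherwise a hardening of the shipped defaults, which is a good change.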
......@@ -7,8 +7,7 @@ SocksPort 127.0.0.1:9150 IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
ControlPort 9052
ControlListenAddress 127.0.0.1
ControlPort 127.0.0.1:9052
## Torified DNS
DNSPort 5353
......@@ -16,16 +15,11 @@ AutomapHostsOnResolve 1
AutomapHostsSuffixes .exit,.onion
## Transparent proxy
TransPort 9040
TransListenAddress 127.0.0.1
TransPort 127.0.0.1:9040
## Misc
AvoidDiskWrites 1
## We don't care if applications do their own DNS lookups since our Tor
## enforcement will handle it safely.
WarnUnsafeSocks 0
## Disable default warnings on StartTLS for email. Let's not train our
## users to click through security warnings.
WarnPlaintextPorts 23,109
......
......@@ -4,7 +4,7 @@ Documentation=https://tails.boum.org/contribute/design/
[Service]
Type=simple
ExecStart=/usr/local/lib/onion-grater
ExecStart=/usr/local/lib/onion-grater --listen-address 0.0.0.0
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SYS_PTRACE
PrivateDevices=yes
PrivateTmp=yes
......
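Review bot: `--listen-address 0.0.0.0` makes onion-grater accept control-port connections on every interface, so the isolation of the filtered control port now rests entirely on the ferm rules added in this commit rather than on the bind address. If onion-grater can take several listen addresses, binding only to the netns gateway addresses used by the firewall (10.200.1.1, 10.200.1.5, 10.200.1.9 and 10.200.1.13) plus 127.0.0.1 would preserve defence in depth; if it cannot, add a comment to the unit such as `# Wildcard bind on purpose: netns clients reach us via veth-*; ferm restricts who may connect`. Either way a wildcard bind on a control-port filter deserves an explanation in the unit file.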
[Unit]
Description=Prepare network namespaces
Documentation=https://gitlab.tails.boum.org/tails/tails/-/issues/18123
Wants=network.target
Before=network.target
Before=NetworkManager.service
Before=onion-grater.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/lib/tails-create-netns start
ExecStop=/usr/local/lib/tails-create-netns stop
[Install]
WantedBy=sysinit.target
#!/usr/bin/python3
import os
import shlex
import subprocess
def _gnome_sh_wrapper(cmd):
def _gnome_sh_wrapper(cmd) -> str:
command = shlex.split(
"env -i sh -c '. {lib} && {cmd}'".format(lib=GNOME_SH_PATH, cmd=cmd)
)
......@@ -13,7 +12,8 @@ def _gnome_sh_wrapper(cmd):
GNOME_SH_PATH = "/usr/local/lib/tails-shell-library/gnome.sh"
GNOME_ENV_VARS = _gnome_sh_wrapper("echo ${GNOME_ENV_VARS}").strip().split()
def gnome_env_vars():
def gnome_env_vars() -> list:
ret = []
for line in _gnome_sh_wrapper("export_gnome_env && env").split("\n"):
(key, _, value) = line.rstrip().partition("=")
......
[Unit]
Description=Proxy AT-SPI bus inside a netns
After=at-spi-dbus-bus.service
Requires=at-spi-dbus-bus.service
[Service]
Type=notify
NotifyAccess=all
ExecStart=/usr/local/bin/a11y-proxy-netns --log-level DEBUG %i
ExecStop=/bin/kill -INT $MAINPID
[Install]
WantedBy=desktop.target
#!/usr/bin/python3
import os.path
import time
import subprocess
from logging import getLogger, basicConfig
from argparse import ArgumentParser
import dbus
log = getLogger(os.path.basename(__file__))
def get_parser():
p = ArgumentParser()
p.add_argument(
"--log-level", choices=["DEBUG", "INFO", "WARNING", "ERROR"], default="DEBUG"
)
p.add_argument("netns")
return p
def get_bus() -> str:
bus = dbus.SessionBus()
obj = bus.get_object("org.a11y.Bus", "/org/a11y/bus")
iface = dbus.Interface(obj, dbus_interface="org.a11y.Bus")
response = iface.GetAddress()
return str(response)
def netns_exists(name: str) -> bool:
return os.path.exists(os.path.join("/var/run/netns", name))
def wait_netns(name: str, sleep_time=1):
notified = False
while not netns_exists(name):
if not notified:
log.info("Waiting for netns %s to be ready", name)
time.sleep(1)
def systemd_ready():
try:
# XXX: discard stdout/stderr
subprocess.Popen(["systemd-notify", "--ready"])
except FileNotFoundError:
# systemd not installed
pass
else:
log.info("systemd was notified")
def main():
args = get_parser().parse_args()
basicConfig(level=args.log_level)
wait_netns(args.netns)
log.debug("get address")
at_bus_address = get_bus()
log.debug("address got! %s", at_bus_address)
dirname = os.path.join("/tmp/netns-specific/", args.netns)
os.makedirs(dirname, exist_ok=True)
dest_bus_path = os.path.join(dirname, "at.sock")
log.debug("Binding at %s", dest_bus_path)
if os.path.exists(dest_bus_path):
os.unlink(dest_bus_path)
args = ["xdg-dbus-proxy", at_bus_address, dest_bus_path]
log.debug("Running %r", args)
# we fork-exec to handle systemd notifications. though not strictly needed, they are nice!
p = subprocess.Popen(args)
log.debug("Started!")
# XXX: we could wait for dest_bus_path to appear, before signaling us ready.
systemd_ready()
try:
p.communicate()
except KeyboardInterrupt:
# this except clause will handle SIGINT, but not other signals
# we should probably explicitly do that!
p.kill()
log.debug("Killed %s", args[0])
return
if __name__ == "__main__":
main()
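Review bot: `wait_netns` never sets `notified = True` and ignores its `sleep_time` parameter, so it logs "Waiting for netns" once a second for as long as it polls; set the flag after the first log line and replace `time.sleep(1)` with `time.sleep(sleep_time)`. Separately, `dirname` is the fixed path `/tmp/netns-specific/<netns>` under world-writable /tmp, created with `makedirs(exist_ok=True)` and then reused for the socket after an `unlink`: if another local account can pre-create that tree, the proxy socket lands in a directory they control, so verify the ownership and mode of an existing directory (or use a per-user runtime directory) before binding. `systemd_ready` spawns `systemd-notify` as a separate process without waiting for it, which is presumably why the unit needs `NotifyAccess=all`; a comment stating that would stop someone tightening the unit and breaking readiness.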
#!/usr/bin/env python3
import os
import logging
from tailslib.gnome import gnome_env_vars
def run_in_netns(*args, netns, user="amnesia"):
# base bwrap sharing most of the system
bwrap = ["bwrap", "--bind", "/", "/", "--proc", "/proc", "--dev", "/dev"]
# passes data to us
bwrap += [
"--bind",
os.path.join("/tmp/netns-specific/", netns),
"/tmp/shared-with-me/",
]
# hide data not for us
bwrap += ["--tmpfs", "/tmp/netns-specific/"]
cmd = [
"/bin/ip",
"netns",
"exec",
netns,
"/sbin/runuser",
"-u",
user,
"--",
*bwrap,
"/usr/bin/env",
*gnome_env_vars(),
"AT_SPI_BUS_ADDRESS=unix:path=/tmp/shared-with-me/at.sock",
*args,
]
logging.info("Running %s", cmd)
os.execvp(cmd[0], cmd)
def drop_and_run():
run_in_netns("/usr/bin/onioncircuits", netns="onioncircs")
def main():
if os.getuid() == 0:
drop_and_run()
else:
os.execlp("sudo", "sudo", "--non-interactive", "/usr/local/bin/onioncircuits")
if __name__ == "__main__":
logging.basicConfig(level=logging.INFO)
main()
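Review bot: `run_in_netns` logs the full command at INFO, including every value from `gnome_env_vars()`, so the session environment is written to the journal on each start; log only `args` and `netns` at INFO and move the complete command to `logging.debug`. The bwrap `--bind` of `/tmp/netns-specific/<netns>` assumes the a11y proxy has already created that directory; if it is missing, bwrap fails with an error unrelated to the real cause, so a short existence check with a clear message before `execvp` would help. `main` re-executes itself through `sudo --non-interactive` with no arguments, which matches the `""` in the new sudoers entry — a comment saying so prevents someone adding CLI arguments without updating sudoers.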
......@@ -43,6 +43,7 @@ mkdir -p /mnt/live/run
# Finally, really unmount relevant filesystems
/bin/umount /oldroot
/bin/umount /mnt/live/medium
# Debugging
/bin/mount
......
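Review bot: The `/bin/mount` call under `# Debugging` appears to be introduced by this hunk in a script that is otherwise unmounting filesystems, and nothing gates it; if it is meant to stay, run it only when an explicit debug variable is set or send its output to a log, otherwise drop it before merging. The enclosing script continues outside the hunk.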