Commit 6b0fbd32 authored by intrigeri's avatar intrigeri

Merge remote-tracking branch...

Merge remote-tracking branch 'origin/bugfix/16728-upgrade-firmware-amd-graphics' into stable (Fix-committed: #16728, #16970)
parents 1c5fe7ca b3453370
......@@ -37,21 +37,16 @@ Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: src:firmware-nonfree
Package: firmware-linux firmware-linux-nonfree firmware-atheros firmware-brcm80211 firmware-intel-sound firmware-ipw2x00 firmware-iwlwifi firmware-libertas firmware-misc-nonfree firmware-realtek firmware-ti-connectivity
Package: firmware-linux firmware-linux-nonfree firmware-amd-graphics firmware-atheros firmware-brcm80211 firmware-intel-sound firmware-ipw2x00 firmware-iwlwifi firmware-libertas firmware-misc-nonfree firmware-realtek firmware-ti-connectivity
Pin: release o=Debian,n=sid
Pin-Priority: 990
Explanation: Exception to src:firmware-nonfree pinning due to Debian#928631
Package: firmware-amd-graphics
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 990
Package: firmware-zd1211
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: fonts-noto*
Pin: release o=Debian,n=sid
Pin: release o=Debian,n=buster
Pin-Priority: 999
Explanation: src:gdk-pixbuf
......@@ -61,7 +56,7 @@ Pin-Priority: -1
Explanation: not available in Stretch; XXX:Buster: remove this entry
Package: hunspell-id hunspell-tr
Pin: release o=Debian,n=sid
Pin: release o=Debian,n=buster
Pin-Priority: 990
Package: intel-microcode
......
......@@ -276,7 +276,7 @@ install_debian_extensions() {
destination="${1}"
shift
apt-get install --yes "${@}"
ln -s /usr/share/webext/ublock-origin/ \
ln -s '/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/uBlock0@raymondhill.net' \
"${destination}"/'uBlock0@raymondhill.net'
patch -p1 < /usr/share/tails/uBlock-disable-autoUpdate.diff
}
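Review bot: The new `ln -s` target is a hard-coded path inside the Debian package, and nothing between `apt-get install` and the link checks that it exists. A future package layout change, like the one this commit follows, could therefore leave a dangling symlink and a browser without the content blocker. A guard before the link would fail the build instead: `test -d '/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/uBlock0@raymondhill.net' || return 1`. The `patch -p1` that follows would probably fail in that case too, but whether that aborts the build depends on shell options set outside this hunk; the function itself starts above the hunk.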
......
......@@ -25,3 +25,14 @@
/* Hide HTTPS Everywhere button in the toolbar */
#https-everywhere-button { display: none; }
/* Hide the uBlock sidebar, that's opened on first launch
References:
- https://github.com/gorhill/uBlock/releases/tag/1.16.6
- https://github.com/uBlock-LLC/uBlock/issues/1764 */
vbox#sidebar-box[sidebarcommand="_UUID~ADDON_-sidebar-action"] {
display: none !important;
}
vbox#sidebar-box[sidebarcommand="ublock0_raymondhill_net-sidebar-action"] {
display: none !important;
}
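Review bot: The first selector, `sidebarcommand="_UUID~ADDON_-sidebar-action"`, reads like an unexpanded placeholder rather than a real sidebar command id, and the comment above does not say which uBlock build each of the two rules is meant to match. The second selector appears to be derived from the add-on id `uBlock0@raymondhill.net`, so it would silently stop matching if that id changed. A short comment on each rule would make this maintainable, for example `/* id derived from the add-on id uBlock0@raymondhill.net; update if the id changes */`, plus a note on whether the `_UUID~ADDON_` form is intentional.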
diff --git a/etc/apparmor.d/torbrowser.Browser.firefox b/etc/apparmor.d/torbrowser.Browser.firefox
index 9f269e1..8c7c830 100644
index f782f35..a80365d 100644
--- a/etc/apparmor.d/torbrowser.Browser.firefox
+++ b/etc/apparmor.d/torbrowser.Browser.firefox
@@ -1,10 +1,11 @@
@@ -1,11 +1,12 @@
#include <tunables/global>
#include <tunables/torbrowser>
......@@ -10,31 +10,30 @@ index 9f269e1..8c7c830 100644
+@{torbrowser_firefox_executable} = /usr/local/lib/tor-browser/firefox.real
profile torbrowser_firefox @{torbrowser_firefox_executable} {
#include <abstractions/audio>
#include <abstractions/gnome>
+ #include <abstractions/ibus>
# Uncomment the following lines if you want to give the Tor Browser read-write
# access to most of your personal files.
@@ -25,13 +26,16 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
@@ -14,6 +15,7 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
# Audio support
/{,usr/}bin/pulseaudio Pixr,
+ /etc/asound.conf r,
#dbus,
network netlink raw,
@@ -29,6 +31,8 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
deny /etc/passwd r,
deny /etc/group r,
deny /etc/mailcap r,
+ deny @{HOME}/.local/share/gvfs-metadata/home r,
+ deny /run/resolvconf/resolv.conf r,
- deny /etc/machine-id r,
- deny /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
/dev/ r,
/dev/shm/ r,
+ owner @{PROC}/@{pid}/environ r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
@@ -39,32 +43,34 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
@@ -44,36 +48,35 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
owner @{PROC}/@{pid}/task/*/stat r,
@{PROC}/sys/kernel/random/uuid r,
......@@ -50,13 +49,17 @@ index 9f269e1..8c7c830 100644
- owner @{torbrowser_home_dir}/*.so mr,
- owner @{torbrowser_home_dir}/.cache/fontconfig/ rwk,
- owner @{torbrowser_home_dir}/.cache/fontconfig/** rwkl,
- owner @{torbrowser_home_dir}/components/*.so mr,
- owner @{torbrowser_home_dir}/browser/components/*.so mr,
- owner @{torbrowser_home_dir}/browser/** r,
- owner @{torbrowser_home_dir}/{,browser/}components/*.so mr,
- owner @{torbrowser_home_dir}/Downloads/ rwk,
- owner @{torbrowser_home_dir}/Downloads/** rwk,
- owner @{torbrowser_home_dir}/firefox rix,
- owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/updater ix,
- owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/0/MozUpdater/bgupdate/updater ix,
- owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/* rw,
- owner @{torbrowser_home_dir}/{,TorBrowser/UpdateInfo/}updates/[0-9]*/{,MozUpdater/bgupdate/}updater ix,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/.parentwritetest rw,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/ r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/{,**} rwk,
- owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/tor px,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
......@@ -74,8 +77,7 @@ index 9f269e1..8c7c830 100644
+ owner @{HOME}/.mozilla/firefox/bookmarks/** rwk,
+ owner /live/persistence/TailsData_unlocked/bookmarks/ rwk,
+ owner /live/persistence/TailsData_unlocked/bookmarks/** rwk,
+ owner @{HOME}/.tor-browser/profile.default/ r,
+ owner @{HOME}/.tor-browser/profile.default/** rwk,
+ owner @{HOME}/.tor-browser/profile.default/{,**} rwk,
+
+ /etc/xul-ext/ r,
+ /etc/xul-ext/** r,
......@@ -83,17 +85,19 @@ index 9f269e1..8c7c830 100644
+ /usr/local/share/tor-browser-extensions/** rk,
+ /usr/share/{xul-,web}ext/ r,
+ /usr/share/{xul-,web}ext/** r,
+ /usr/share/{chromium,mozilla}/extensions/ r,
+ /usr/share/{chromium,mozilla}/extensions/** r,
+
+ /usr/share/doc/tails/website/ r,
+ /usr/share/doc/tails/website/** r,
# Web Content processes
- owner @{torbrowser_firefox_executable} px -> torbrowser_plugin_container,
+ @{torbrowser_firefox_executable} px -> torbrowser_plugin_container,
# parent Firefox process when restarting after upgrade, Web Content processes
- owner @{torbrowser_firefox_executable} ixmr -> torbrowser_firefox,
+ @{torbrowser_firefox_executable} ixmr -> torbrowser_firefox,
/etc/mailcap r,
/etc/mime.types r,
@@ -88,12 +94,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
@@ -97,12 +100,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/sys/devices/system/node/node[0-9]*/meminfo r,
deny /sys/devices/virtual/block/*/uevent r,
......@@ -106,7 +110,7 @@ index 9f269e1..8c7c830 100644
# Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
owner /{dev,run}/shm/org.chromium.* rw,
@@ -107,6 +107,29 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
@@ -116,6 +113,29 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
deny @{HOME}/.cache/fontconfig/** rw,
deny @{HOME}/.config/gtk-2.0/ rw,
deny @{HOME}/.config/gtk-2.0/** rw,
......@@ -136,7 +140,7 @@ index 9f269e1..8c7c830 100644
deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
@@ -122,5 +145,10 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
@@ -132,5 +152,10 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/etc/xfce4/defaults.list r,
/usr/share/xfce4/applications/ r,
......@@ -146,119 +150,6 @@ index 9f269e1..8c7c830 100644
+ deny owner /var/tmp/** rwklx,
+ deny /var/tmp/ rwklx,
+ deny owner /tmp/** rwklx,
+ deny /tmp/ rwklx,
}
diff --git a/etc/apparmor.d/torbrowser.Browser.plugin-container b/etc/apparmor.d/torbrowser.Browser.plugin-container
index fdf5fda..346f2ad 100644
--- a/etc/apparmor.d/torbrowser.Browser.plugin-container
+++ b/etc/apparmor.d/torbrowser.Browser.plugin-container
@@ -1,7 +1,7 @@
#include <tunables/global>
#include <tunables/torbrowser>
-@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox.real
+@{torbrowser_firefox_executable} = /usr/local/lib/tor-browser/firefox.real
profile torbrowser_plugin_container {
#include <abstractions/gnome>
@@ -12,9 +12,9 @@ profile torbrowser_plugin_container {
# - the "deny" word in the machine-id lines
# - the rules that deny reading /etc/pulse/client.conf
# and executing /usr/bin/pulseaudio
- # #include <abstractions/audio>
- # /etc/asound.conf r,
- # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
+ #include <abstractions/audio>
+ /etc/asound.conf r,
+ owner @{HOME}/.tor-browser/profile.default/tmp/mozilla-temp-* rw,
signal (receive) set=("term") peer=torbrowser_firefox,
@@ -26,8 +26,8 @@ profile torbrowser_plugin_container {
deny /etc/group r,
deny /etc/mailcap r,
- deny /etc/machine-id r,
- deny /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
/etc/mime.types r,
/usr/share/applications/gnome-mimeapps.list r,
@@ -42,34 +42,29 @@ profile torbrowser_plugin_container {
owner @{PROC}/@{pid}/task/*/stat r,
@{PROC}/sys/kernel/random/uuid r,
- owner @{torbrowser_home_dir}/*.dat r,
- owner @{torbrowser_home_dir}/*.manifest r,
- owner @{torbrowser_home_dir}/*.so mr,
- owner @{torbrowser_home_dir}/.cache/fontconfig/ rw,
- owner @{torbrowser_home_dir}/.cache/fontconfig/** rw,
- owner @{torbrowser_home_dir}/browser/** r,
- owner @{torbrowser_home_dir}/components/*.so mr,
- owner @{torbrowser_home_dir}/browser/components/*.so mr,
- owner @{torbrowser_home_dir}/defaults/pref/ r,
- owner @{torbrowser_home_dir}/defaults/pref/*.js r,
- owner @{torbrowser_home_dir}/dependentlibs.list r,
- owner @{torbrowser_home_dir}/fonts/ r,
- owner @{torbrowser_home_dir}/fonts/** r,
- owner @{torbrowser_home_dir}/omni.ja r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/extensions/*.xpi r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profiles.ini r,
- owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]*/update.{status,version} r,
- owner @{torbrowser_home_dir}/TorBrowser/UpdateInfo/updates/[0-9]/updater rw,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/startupCache/* r,
- owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/* rw,
- owner @{torbrowser_home_dir}/TorBrowser/Data/fontconfig/fonts.conf r,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/ r,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so mr,
- owner @{torbrowser_home_dir}/TorBrowser/Tor/*.so.* mr,
- owner @{torbrowser_home_dir}/Downloads/ rwk,
- owner @{torbrowser_home_dir}/Downloads/** rwk,
-
- owner @{torbrowser_firefox_executable} ixmr -> torbrowser_plugin_container,
+ @{torbrowser_home_dir}/ r,
+ @{torbrowser_home_dir}/** mr,
+
+ owner @{HOME}/.tor-browser/profile.default/startupCache/* r,
+ owner @{HOME}/.tor-browser/profile.default/tmp/* rw,
+
+ owner "@{HOME}/Tor Browser/" rw,
+ owner "@{HOME}/Tor Browser/**" rwk,
+ owner "@{HOME}/Persistent/Tor Browser/" rw,
+ owner "@{HOME}/Persistent/Tor Browser/**" rwk,
+
+ owner @{HOME}/.tor-browser/profile.default/extensions/*.xpi r,
+ /etc/xul-ext/ r,
+ /etc/xul-ext/** r,
+ /usr/local/share/tor-browser-extensions/ r,
+ /usr/local/share/tor-browser-extensions/** rk,
+ /usr/share/{xul-,web}ext/ r,
+ /usr/share/{xul-,web}ext/** r,
+
+ /usr/share/doc/tails/website/ r,
+ /usr/share/doc/tails/website/** r,
+
+ @{torbrowser_firefox_executable} ixmr -> torbrowser_plugin_container,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/present r,
@@ -95,10 +90,16 @@ profile torbrowser_plugin_container {
deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
+ deny @{HOME}/.cache/fontconfig/ w,
# Silence denial logs about PulseAudio
deny /etc/pulse/client.conf r,
deny /usr/bin/pulseaudio x,
- #include <local/torbrowser.Browser.plugin-container>
+ # Deny access to global tmp directories, that's granted by the user-tmp
+ # abstraction, which is sourced by the gnome abstraction, that we include.
+ deny owner /var/tmp/** rwklx,
+ deny /var/tmp/ rwklx,
+ deny owner /tmp/** rwklx,
+ deny /tmp/ rwklx,
}
diff --git a/etc/apparmor.d/tunables/torbrowser b/etc/apparmor.d/tunables/torbrowser
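Review bot: Web Content processes now appear to stay in the `torbrowser_firefox` profile, via `@{torbrowser_firefox_executable} ixmr -> torbrowser_firefox`, so processes that render untrusted web content get every allow rule in it. Judging by the last outer hunk header (`-146,119 +150,6`), the separate `torbrowser.Browser.plugin-container` part of the patch is dropped. The inherited rules include `owner @{HOME}/.tor-browser/profile.default/{,**} rwk` and the `bookmarks` and `TailsData_unlocked` paths, whereas the removed profile limited content processes to `startupCache/* r`, `tmp/* rw` and `extensions/*.xpi r`. If this follows the upstream profile layout, the patch should say so next to that rule, e.g. `# Web Content processes share this profile: keep write rules here as narrow as possible`. The write rules on the profile directory and persistence paths are also worth re-checking with that in mind.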
......
--- a/usr/share/webext/ublock-origin/js/background.js 2018-10-11 17:14:14.000000000 +0200
+++ b/usr/share/webext/ublock-origin/js/background.js 2018-10-12 12:07:07.951778615 +0200
@@ -74,7 +74,7 @@
--- a/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/uBlock0@raymondhill.net/js/background.js 2019-07-07 21:57:21.000000000 +0000
+++ b/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/uBlock0@raymondhill.net/js/background.js 2019-07-08 10:21:49.658415914 +0000
@@ -73,7 +73,7 @@
userSettings: {
advancedUserEnabled: false,
alwaysDetachLogger: true,
......
......@@ -246,7 +246,9 @@ firmware-intel-sound
firmware-ipw2x00
firmware-iwlwifi
firmware-libertas
firmware-linux
firmware-linux-free
firmware-linux-nonfree
firmware-misc-nonfree
firmware-realtek
firmware-ti-connectivity
......
buster.chroot
\ No newline at end of file
deb http://ftp.us.debian.org/debian/ buster main contrib non-free