Commit 7a8c0304 authored by bertagaz's avatar bertagaz

Merge remote-tracking branch 'origin/devel' into feature/11753-port-to-python

parents 1ee5a550 ef971b11
......@@ -53,9 +53,9 @@ Package: obfs4proxy
Pin: release o=TorProject,n=obfs4proxy
Pin-Priority: 990
# Explanation: systemd > v233 required for meek_lite and enable the unsafe
# browser and Tor launcher applications to do clearnet DNS resolution. (#8243)
Package: systemd libsystemd0 libpam-systemd systemd-sysv
Explanation: src:systemd
Explanation: systemd >= v233 required for meek_lite and enable the unsafe browser and Tor launcher applications to do clearnet DNS resolution. (#8243)
Package: systemd systemd-sysv systemd-container systemd-journal-remote systemd-coredump systemd-tests libpam-systemd libnss-myhostname libnss-mymachines libnss-resolve libnss-systemd libsystemd0 libsystemd-dev udev libudev1 libudev-dev udev-udeb libudev1-udeb
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
......@@ -63,6 +63,10 @@ Package: onionshare
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: openpgp-applet
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: tails-installer
Pin: origin deb.tails.boum.org
Pin-Priority: 999
......@@ -124,3 +128,7 @@ Pin-Priority: -10
Package: *
Pin: release o=TorProject
Pin-Priority: -10
Package: electrum python3-electrum python3-jsonrpclib-pelix python3-pyaes
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
......@@ -4,19 +4,21 @@ set -e
echo "Checking for .orig files"
DOT_ORIG_WHITELIST=$(cat <<EOF
DOT_ORIG_WHITELIST_DELETE=$(cat <<EOF
/bin/hostname.orig
/etc/resolv.conf.orig
/lib/systemd/system/alsa-utils.service.orig
/sbin/start-stop-daemon.orig
EOF
)
rm -f ${DOT_ORIG_WHITELIST}
# live-build creates this backup copy and restores it later in the build process
DOT_ORIG_WHITELIST_KEEP="/sbin/start-stop-daemon.orig"
rm -f ${DOT_ORIG_WHITELIST_DELETE}
DOT_ORIG_FILES=$(find / -type f -name *.orig || :)
if [ -n "$DOT_ORIG_FILES" ]; then
if [ "$DOT_ORIG_FILES" != "$DOT_ORIG_WHITELIST_KEEP" ]; then
echo "Some patches are fuzzy and leave .orig files around:" >&2
echo "$DOT_ORIG_FILES" >&2
exit 1
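Review bot: The new test `[ "$DOT_ORIG_FILES" != "$DOT_ORIG_WHITELIST_KEEP" ]` is an exact string comparison, so it also takes the `exit 1` path when `find` returns nothing at all, i.e. if `/sbin/start-stop-daemon.orig` is ever missing and no stray `.orig` file exists. It would be sturdier to exclude the kept file in the search and keep the old emptiness test: `DOT_ORIG_FILES=$(find / -type f -name '*.orig' ! -path "$DOT_ORIG_WHITELIST_KEEP" || :)` followed by `if [ -n "$DOT_ORIG_FILES" ]; then`. Quoting `'*.orig'` also stops the shell from expanding the pattern against the working directory before `find` sees it. The `if` block is closed outside the visible lines.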
......
#!/bin/sh
set -e
echo "Enable various AppArmor profiles"
rm /etc/apparmor.d/disable/usr.bin.thunderbird
/etc/apparmor.d/usr.bin.thunderbird
\ No newline at end of file
......@@ -50,3 +50,8 @@ pref("mailnews.auto_config.oauth2.enabled", false);
// resolver, but over HTTPS to some DNS web service, but that web
// service could still be targeted.
pref("mailnews.auto_config.dns_mx_lookup.enabled", false);
// We disable Memory Hole for encrypted email until support is more
// mature and widely spread (#15201).
pref("extensions.enigmail.protectHeaders", false);
pref("extensions.torbirdy.custom.extensions.enigmail.protectHeaders", false);
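Review bot: The added comment does not say what switching this off costs: with `extensions.enigmail.protectHeaders` set to false, the Subject of an encrypted message presumably still travels as a cleartext header. I would extend the comment with a line such as `// Note: with this off, the Subject line of encrypted email is not encrypted.` so the trade-off is visible next to the pref. It would also help to say why the second pref under `extensions.torbirdy.custom.` is needed, since the hunk does not explain how the two relate.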
......@@ -86,6 +86,13 @@ try:
page = sys.argv[1]
except IndexError:
page = 'getting_started'
# If possible, let's hand-off to our website, which should be the most
# up-to-date option.
if os.system('/usr/local/sbin/tor-has-bootstrapped') == 0:
os.execv('/usr/local/bin/tor-browser',
['--new-tab', 'https://tails.boum.org/' + page])
wiki_path = '/usr/share/doc/tails/website'
lang_code = os.getenv('LANG', 'en')[0:2]
trials = [
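Review bot: In the `os.execv` call the list is the complete argv, so `'--new-tab'` becomes `argv[0]` and tor-browser never receives it as an option. The list should start with the program name: `['tor-browser', '--new-tab', 'https://tails.boum.org/' + page]`. `page` is taken from `sys.argv[1]` and appended to the URL as is; a short comment saying it is expected to be a relative page name under the website would document that assumption.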
......
--- a/etc/apparmor.d/usr.bin.thunderbird.orig 2018-01-09 20:30:54.000000000 +0000
+++ b/etc/apparmor.d/usr.bin.thunderbird 2018-02-23 14:48:02.180000000 +0000
@@ -16,7 +16,6 @@
# TODO: finetune this for required accesses
#include <abstractions/dbus>
#include <abstractions/dbus-accessibility>
- #include <abstractions/dbus-session>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/nameservice>
@@ -24,29 +23,19 @@
#include <abstractions/p11-kit>
#include <abstractions/private-files>
#include <abstractions/ssl_certs>
- #include <abstractions/ubuntu-browsers>
#include <abstractions/ubuntu-browsers.d/java>
#include <abstractions/ubuntu-helpers>
# Allow opening attachments
# TODO: create and use abstractions for opening various file formats
- /{usr/local/,usr/,}bin/* Cx -> sanitized_helper,
+ /{usr/local/,usr/,}bin/{[^g],g[^p],gp[^g]}* Cx -> sanitized_helper,
/usr/lib/libreoffice/program/soffice Cxr -> sanitized_helper,
- # For Xubuntu to launch the browser
- /usr/bin/exo-open ixr,
- /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
- /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
- /etc/xdg/xfce4/helpers.rc r,
-
# for crash reports?
ptrace (read,trace) peer=@{profile_name},
@{thunderbird_executable} ixr,
- # Pulseaudio
- /usr/bin/pulseaudio Pixr,
-
owner @{HOME}/.{cache,config}/dconf/user rw,
owner /run/user/[0-9]*/dconf/user rw,
owner @{HOME}/.config/gtk-3.0/bookmarks r,
@@ -107,6 +96,8 @@
/etc/gre.d/* r,
# noisy
+ deny /etc/dconf/profile/user r,
+ deny /etc/machine-id r,
deny @{MOZ_LIBDIR}/** w,
deny /usr/lib/thunderbird-addons/** w,
deny /usr/lib/xulrunner-addons/** w,
@@ -138,7 +129,6 @@
/etc/lsb-release r,
/etc/ssl/openssl.cnf r,
/usr/lib/thunderbird/crashreporter ix,
- /usr/bin/expr ix,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
@@ -190,15 +180,6 @@
deny /usr/share/mozilla/extensions/**/ w,
deny /usr/share/mozilla/ w,
- # Miscellaneous (to be abstracted)
- # Ideally these would use a child profile. They are all ELF executables
- # so running with 'Ux', while not ideal, is ok because we will at least
- # benefit from glibc's secure execute.
- /usr/bin/mkfifo Uxr, # investigate
- /{usr/,}bin/ps Uxr,
- /{usr/,}bin/uname Uxr,
- /usr/bin/locale Uxr,
-
/usr/bin/gpg Cx -> gpg,
/usr/bin/gpg2 Cx -> gpg,
/usr/bin/gpgconf Cx -> gpg,
@@ -224,7 +205,9 @@
deny owner @{HOME}/.cache/thunderbird/**/_CACHE_* w,
# noise from inherited files
+ deny @{HOME}/.thunderbird/*.default/ImapMail/*/INBOX w,
deny /usr/{lib,share}/thunderbird/omni.ja r,
+ deny /usr/share/thunderbird/extensions/** r,
# For smartcards?
/dev/bus/usb/ r,
@@ -255,6 +255,7 @@
owner @{HOME}/.gnupg/.#*[0-9]x rwl,
owner @{HOME}/.gnupg/.#lk0x[0-9a-f]* rwl,
owner @{HOME}/.gnupg/.gpg-v[0-9]*-migrated rw,
+ owner @{HOME}/.gnupg/openpgp-revocs.d/{,[A-F0-9]*.rev} rw,
owner @{HOME}/** r,
owner @{PROC}/@{pids}/mountinfo r,
@@ -272,13 +255,16 @@
/usr/bin/dirmngr ix,
owner @{PROC}/@{pids}/task/@{tid}/comm rw,
+ # for revocation certificate generation
+ owner @{HOME}/.{icedove,thunderbird}/*.default/0x[A-F0-9]*_rev.asc rw,
+
# for signature generation
- owner /tmp/nsemail.eml w,
- owner /tmp/nsemail-[0-9]*.eml w,
+ owner @{HOME}/.{icedove,thunderbird}/*.default/tmp/nsemail.eml w,
+ owner @{HOME}/.{icedove,thunderbird}/*.default/tmp/nsemail-[0-9]*.eml w,
# for signature verifications
- owner /tmp/data.sig r,
- owner /tmp/data-[0-9]*.sig r,
+ owner @{HOME}/.{icedove,thunderbird}/*.default/tmp/data.sig r,
+ owner @{HOME}/.{icedove,thunderbird}/*.default/tmp/data-[0-9]*.sig r,
owner /tmp/gpg-[a-zA-Z0-9]*/S.gpg-agent rw,
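Review bot: The replacement rule `/{usr/local/,usr/,}bin/{[^g],g[^p],gp[^g]}* Cx -> sanitized_helper,` carries no comment explaining the alternation. As written it keeps every binary whose name starts with `gpg` out of `sanitized_helper`, which appears intended so that only the explicit `Cx -> gpg` rules further down apply. A comment above it, e.g. `# Everything except gpg*: those must only run in the gpg child profile`, would keep a later edit from widening the glob again. Separately, the hunk header `@@ -255,6 +255,7 @@` does not fit between its neighbours (`+205` before, `+255` after), so it looks hand-edited; regenerating the patch would avoid relying on patch(1) applying it at an offset.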
@product @doc
Feature: Tails documentation
Scenario: The Tails documentation launcher on the desktop works
Scenario: The Tails documentation launcher on the desktop works when offline
Given I have started Tails from DVD without network and logged in
When I double-click on the Tails documentation launcher on the desktop
Then the documentation viewer opens the "Getting started" page
Scenario: The Tails documentation launcher on the desktop works when online
Given I have started Tails from DVD and logged in and the network is connected
When I double-click on the Tails documentation launcher on the desktop
Then the Tor Browser starts
And the Tor Browser opens the Getting started page
#15321
@fragile
Scenario: The Report an Error launcher will open the support documentation
......
......@@ -8,7 +8,7 @@ Feature: Electrum Bitcoin client
Given I have started Tails from DVD without network and logged in
When I start Electrum through the GNOME menu
But persistence for "electrum" is not enabled
Then I see a warning that Electrum is not persistent
And I see a warning that Electrum is not persistent
#11697
@fragile
......@@ -21,14 +21,18 @@ Feature: Electrum Bitcoin client
Then persistence for "electrum" is enabled
When I start Electrum through the GNOME menu
But a bitcoin wallet is not present
Then I am prompted to configure Electrum
When I create a new bitcoin wallet
Then Electrum starts
And I am prompted to configure Electrum
When I follow the Electrum wizard to create a new bitcoin wallet
Then a bitcoin wallet is present
And I see the main Electrum client window
And Electrum successfully connects to the network
And I shutdown Tails and wait for the computer to power off
Then I shutdown Tails and wait for the computer to power off
Given I start Tails from USB drive "__internal" and I login with persistence enabled
When I start Electrum through the GNOME menu
And a bitcoin wallet is present
And I see the main Electrum client window
Then Electrum successfully connects to the network
But a bitcoin wallet is present
Then Electrum starts
And I am prompted to enter my Electrum wallet password
When I enter my Electrum wallet password
Then I see the main Electrum client window
And Electrum successfully connects to the network
# coding: utf-8
When /^I start the Unsafe Browser(?: through the GNOME menu)?$/ do
step "I start \"Unsafe Browser\" via GNOME Activities Overview"
end
......@@ -213,3 +214,16 @@ Then /^the Tor Browser shows the "([^"]+)" error$/ do |error|
found = headers.any? { |heading| heading.text == error }
raise "Could not find the '#{error}' error in the Tor Browser" unless found
end
# This step shouldn't be needed (the '"$title}" has loaded in the Tor
# Browser' step should be enough), but since we run Dogtail with
# python2 (#12185) we have terrible unicode support; for instance
# `.child('Tails - Getting started…')` will fail since Dogtail expects
# ascii and cannot decode "…".
Then /^the Tor Browser opens the Getting started page$/ do
try_for(60) do
@torbrowser
.children(roleName: "document frame")
.any? { |f| f.name == 'Tails - Getting started…' }
end
end
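Review bot: The comment above the new step names the other step as `'"$title}" has loaded in the Tor Browser'`, with an unbalanced brace, so a reader cannot tell which step definition is meant; something like `'"<title>" has loaded in the Tor Browser'` would read correctly. The page title `'Tails - Getting started…'` is also hard-coded in the block, and if `try_for(60)` times out the failure presumably does not mention which title was expected. Keeping the title in a local variable and naming it in the failure message would make a broken run easier to diagnose.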
......@@ -395,7 +395,7 @@ When /^I start the Tor Browser( in offline mode)?$/ do |offline|
end
end
Given /^the Tor Browser has started( in offline mode)?$/ do |offline|
Given /^the Tor Browser (?:has started|starts)( in offline mode)?$/ do |offline|
try_for(60) do
@torbrowser = Dogtail::Application.new('Firefox')
@torbrowser.child?(roleName: 'frame', recursive: false)
......