Commit 85b14c91 authored by intrigeri's avatar intrigeri

Merge branch 'bugfix/12092-kill-gdm-session-after-login-squashed' into devel...

Merge branch 'bugfix/12092-kill-gdm-session-after-login-squashed' into devel (Fix-committed: #12092)
parents 02ea848c edc71c6f
#!/bin/sh
set -e
set -u
echo "Enable GDM debug logs"
sed --in-place --regexp-extended \
's/^#Enable=true$/Enable=true/' /etc/gdm3/daemon.conf
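Review bot: The sed on the last two lines silently does nothing if `/etc/gdm3/daemon.conf` does not contain exactly `#Enable=true`, so a GDM packaging change would turn off the debug logging this fix is meant to enable without failing the build. Follow the substitution with a check such as `grep -qs '^Enable=true$' /etc/gdm3/daemon.conf`, which under `set -e` makes the hook fail loudly. The pattern is also not scoped to the `[debug]` section; presumably no other section of that file carries a commented-out `Enable=true`, but a section-aware match, or a comment stating that assumption, would make this robust. GDM debug output is verbose; it presumably only reaches the in-memory journal on an amnesic system, but a one-line comment saying why this is acceptable would help the next reader.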
......@@ -27,6 +27,7 @@ systemctl --global enable tails-add-GNOME-bookmarks.service
systemctl --global enable tails-additional-software-install.service
systemctl --global enable tails-configure-keyboard.service
systemctl --global enable tails-create-tor-browser-directories.service
systemctl --global enable tails-kill-gdm-session.service
systemctl --global enable tails-security-check.service
systemctl --global enable tails-upgrade-frontend.service
systemctl --global enable tails-virt-notify-user.service
amnesia ALL = NOPASSWD: /usr/local/lib/tails-kill-gdm-session ""
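Review bot: The trailing `""` correctly restricts this rule to argument-less invocations, but it still lets any process running as amnesia run the script as root at any moment, not just once from the systemd unit; the script must therefore be safe to invoke repeatedly and must be root-owned and not writable by amnesia, otherwise whoever can edit it gets root. A comment on the rule would document that intent, e.g. `# Let tails-kill-gdm-session.service (systemd --user) terminate GDM's own session; "" forbids passing arguments`.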
#!/bin/sh
# tails-kill-gdm-session renames this script to /usr/lib/gdm3/gdm-session-worker
# before it kills Debian-gdm's GNOME session. And then, whenever GDM tries
# to start a new session worker, this script will only allow it to do so if
# that's for reauthentication purposes, i.e. to unlock the screen.
# Otherwise, we return exit code 0, so that GDM does not start a full-blown
# GNOME session that would uselessly eat hundreds of MB of memory.
# No "set -e" because we need to capture the exit status of gdm-session-worker.real.
# No "set -u" because we need to check an environment variable that may
# not be set: $GDM_SESSION_FOR_REAUTH.
if [ "$GDM_SESSION_FOR_REAUTH" = 1 ]; then
# Use "exec" so that real worker gets the same PID as this script,
# otherwise GDM's find_conversation_by_pid will fail to find the
# corresponding conversation, log "GdmSession: New worker
# connection is from unknown source", ignore the worker's query,
# and as a result unlocking the script will fail.
exec /usr/lib/gdm3/gdm-session-worker.real "$@"
else
exit 0
fi
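Review bot: The fallback branch exits 0 without leaving any trace, so a session worker that this wrapper refused to start is invisible in the journal when debugging unlock or login problems; a line such as `logger -t gdm-session-worker-only-reauth "refusing to start a non-reauth session worker"` before `exit 0` would make it observable. The whole decision rests on `$GDM_SESSION_FOR_REAUTH`, which is presumably set only by the GDM daemon in the worker's environment; nothing here validates its origin, so the header comment should state that this variable is trusted because the wrapper is only ever spawned by GDM. The header comment also says "unlocking the script will fail" where it should read "unlocking the screen will fail".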
[Unit]
Description=Terminate the GDM session to free the corresponding memory
Documentation=https://tails.boum.org/contribute/design/
ConditionUser=1000
[Service]
Type=oneshot
ExecStart=/usr/bin/sudo /usr/local/lib/tails-kill-gdm-session
RemainAfterExit=yes
[Install]
WantedBy=desktop.target
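Review bot: `ExecStart` runs `sudo` without `-n`, so if the sudoers rule is ever missing or mismatched sudo may attempt a password prompt from a user service that has no terminal rather than failing at once; `ExecStart=/usr/bin/sudo -n /usr/local/lib/tails-kill-gdm-session` makes that failure immediate and explicit in the journal. `ConditionUser=1000` hard-codes the UID while the script it launches derives the user from `/etc/live/config.d/username.conf`; if the live user's UID is fixed by design, a comment such as `# The live user (LIVE_USERNAME in /etc/live/config.d/username.conf) always has UID 1000` would keep the two from drifting apart unnoticed.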
#!/bin/sh
# Terminate GDM's GNOME session, in order to free a few hundreds of MB
# of memory. This script is run by the tails-kill-gdm-session.service
# under "systemd --user", during the "Applications" phase of the
# initialization of the amnesia user's GNOME session.
set -e
set -u
set -x
# Get LIVE_USERNAME
. /etc/live/config.d/username.conf
# Returns the identifier of the first X11 session of $LIVE_USERNAME.
# In this context, we know that:
# - There is one such session: we're run via desktop.target, which is started
# after GDM has logged in $LIVE_USERNAME and pam_systemd has allocated them
# a logind session.
# - There's no more than one such session: our Greeter/GDM integration code
# allows only one graphical login. Note that there can be other,
# non-graphical sessions: for example, when
# tails-virt-notify-user is running at the same time as we are.
# That's why we're looking specifically for sessions of type 'x11'.
live_user_logind_x_session_id() {
# The value of the Sessions property is a space-separated list
# of session identifiers
for session in $(loginctl --property=Sessions --value show-user "$LIVE_USERNAME"); do
if [ "$(loginctl --property=Type --value show-session "$session")" = 'x11' ]; then
loginctl --property=Id --value show-session "$session"
return 0
fi
done
echo "Unexpected error: no X11 session for ${LIVE_USERNAME}" >&2
return 1
}
logind_session_tty_number() {
session="$1"
loginctl --property=TTY --value show-session "$session" \
| sed -E 's,^tty,,'
}
# Replace gdm-session-worker with a version that won't start new
# sessions, except for reauthentication, i.e. for unlocking
# the screen.
mv /usr/lib/gdm3/gdm-session-worker /usr/lib/gdm3/gdm-session-worker.real
cp -a /usr/lib/gdm3/gdm-session-worker-only-reauth \
/usr/lib/gdm3/gdm-session-worker
# Kill GDM's gdm-session-worker: it's the parent process for all
# Debian-gdm processes, such as gdm-x-session; it would otherwise
# respawn another gdm-x-session after we've killed the first one.
pkill -u root --full --exact 'gdm-session-worker \[pam/gdm-launch-environment\]'
# Forcibly kill the Debian-gdm GNOME session,
# in case the former command was not enough.
loginctl --signal SIGKILL kill-user Debian-gdm || true
loginctl terminate-user Debian-gdm || true
# Activate the amnesia user's desktop session, in case we've killed
# the Debian-gdm session before GDM had time to do so; do this
# repeatedly for about 10 seconds, in case GDM take back control of
# the seat and switches back to VT1, after we've already activated
# amnesia's session and switched to VT2, because its own session was killed.
# Note that it may happen that GDM switches to VT1 while
# "loginctl --property=State --value show-user amnesia" still returns "active":
# disabling gdm-session-worker makes GDM confuse logind, that believes amnesia's
# desktop session is still active while we've switched to another VT.
tries=0
while [ $tries -lt 10 ]; do
LIVE_USER_LOGIND_X_SESSION_ID="$(live_user_logind_x_session_id)"
chvt "$(logind_session_tty_number "$LIVE_USER_LOGIND_X_SESSION_ID")"
loginctl activate "$LIVE_USER_LOGIND_X_SESSION_ID"
tries="$(expr "$tries" + 1)"
sleep 1
done
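Review bot: The `mv` in the "Replace gdm-session-worker" section is not idempotent: a second invocation moves the reauth-only wrapper over `gdm-session-worker.real`, so the real worker binary is lost and the reauth path then `exec`s the wrapper into itself forever, making screen unlock impossible until reboot. Since the sudoers rule lets any process running as amnesia invoke this script without a password, and `RemainAfterExit=yes` only guards the systemd path, the script should bail out when the real binary is already in place, as sketched below. Separately, `. /etc/live/config.d/username.conf` is sourced as root, so that file must not be writable by the live user; it is presumably written by live-config at boot, but a comment stating that assumption would help. `set -x` output from a root script lands in the journal, which is fine here but worth a note given how chatty the activation loop is.

```shell
# Get LIVE_USERNAME
. /etc/live/config.d/username.conf

# … unchanged: live_user_logind_x_session_id, logind_session_tty_number …

# Bail out if we already did our job: running the mv below a second
# time would overwrite gdm-session-worker.real with the wrapper, which
# would then exec itself forever and make unlocking the screen impossible.
if [ -e /usr/lib/gdm3/gdm-session-worker.real ]; then
    echo "gdm-session-worker was already replaced, nothing to do" >&2
    exit 0
fi
mv /usr/lib/gdm3/gdm-session-worker /usr/lib/gdm3/gdm-session-worker.real
cp -a /usr/lib/gdm3/gdm-session-worker-only-reauth \
   /usr/lib/gdm3/gdm-session-worker

# … unchanged: pkill, loginctl kill-user/terminate-user, activation loop …
```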
--- a/etc/xdg/autostart/spice-vdagent.desktop 2018-05-17 16:26:33.000000000 +0200
+++ b/etc/xdg/autostart/spice-vdagent.desktop 2019-08-14 10:25:08.000000000 +0200
@@ -5,5 +5,5 @@
Terminal=false
Type=Application
Categories=
-X-GNOME-Autostart-Phase=Initialization
+X-GNOME-Autostart-Phase=WindowManager
NoDisplay=true
......@@ -10,17 +10,7 @@ Feature: Additional software
# dependencies (which are documented below).
Scenario: I am warned I can not use Additional Software when I start Tails from a DVD and install a package
Given a computer
And the computer has 2650 MiB of RAM
And the network is unplugged
And I start the computer
And the computer boots Tails
And I set an administration password
And I log in to a new session
And the network is plugged
And Tor is ready
And all notifications have disappeared
And available upgrades have been checked
Given I have started Tails from DVD and logged in with an administration password and the network is connected
And I update APT using apt
When I install "sslh" using apt
Then I am notified I can not use Additional Software for "sslh"
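Review bot: The single added step collapses eleven explicit steps into one, and it is not visible here whether that composite step still waits for `And all notifications have disappeared` and `And available upgrades have been checked`; if it does not, `I update APT using apt` may race with the upgrade check the old scenario awaited before touching APT. Dropping `the computer has 2650 MiB of RAM` together with `set_ram_size` also removes, as far as this page shows, the suite's only way to pin VM memory; if the GDM-session fix is what makes the default RAM sufficient, a comment on the scenario such as `# The default VM RAM is enough now that GDM's own session is killed after login (#12092)` would record why the step went away.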
......@@ -48,10 +48,6 @@ Given /^a computer$/ do
$vm = VM.new($virt, VM_XML_PATH, $vmnet, $vmstorage, DISPLAY)
end
Given /^the computer has (\d+) ([[:alpha:]]+) of RAM$/ do |size, unit|
$vm.set_ram_size(size, unit)
end
Given /^the computer is set to boot from the Tails DVD$/ do
$vm.set_cdrom_boot(TAILS_ISO)
end
......@@ -394,16 +394,6 @@ class VM
return list
end
def set_ram_size(size, unit = "KiB")
raise "System memory can only be added to inactive vms" if is_running?
domain_xml = REXML::Document.new(@domain.xml_desc)
domain_xml.elements['domain/memory'].text = size
domain_xml.elements['domain/memory'].attributes['unit'] = unit
domain_xml.elements['domain/currentMemory'].text = size
domain_xml.elements['domain/currentMemory'].attributes['unit'] = unit
update(domain_xml.to_s)
end
def set_os_loader(type)
if is_running?
raise "boot settings can only be set for inactive vms"