Merge branch 'master' into stable

8b56e3f6 · bertagaz · 52eaf89d · 0e901e24 · 8b56e3f6 · 8b56e3f6
Commit 8b56e3f6 authored Mar 14, 2018 by bertagaz
--- a/config/chroot_local-hooks/45-enable-AppArmor-profiles
+++ b/config/chroot_local-hooks/45-enable-AppArmor-profiles
+#!/bin/sh
+
+set -e
+
+echo "Enable various AppArmor profiles"
+
+rm /etc/apparmor.d/disable/usr.bin.thunderbird
--- a/config/chroot_local-hooks/50-dkms
+++ b/config/chroot_local-hooks/50-dkms
@@ -4,36 +4,18 @@ set -e
 set -u
 set -x

-echo "Building dkms modules"
+echo "Building VirtualBox guest modules"

 . /usr/share/amnesia/build/variables

-# Import install_fake_package
+# Import ensure_hook_dependency_is_installed()
 . /usr/local/lib/tails-shell-library/build.sh

-# Install gcc-6 and fake linux-compiler-gcc-7-x86
-# (linux-headers-4.14+ depends on it, but Stretch hasn't GCC 7)
-# XXX:Buster: remove this hack.
-apt-get install --yes gcc-6
-NEWEST_INSTALLED_KERNEL_VERSION="$(
-    dpkg-query --showformat '${Version}\n' --show 'linux-image-*-amd64' \
-    | sort --version-sort | tail -n1
-)"
-install_fake_package \
-    linux-compiler-gcc-7-x86 \
-    "${NEWEST_INSTALLED_KERNEL_VERSION}~0tails1"
-ln -s /usr/bin/gcc-6 /usr/bin/gcc-7
-
 # Any -dkms package must be installed *after* dkms to be properly registered
-apt-get install --yes \
-    build-essential \
-    dkms \
-    libelf-dev
+ensure_hook_dependency_is_installed dkms

-apt-get install --yes \
-    "linux-headers-${KERNEL_VERSION}-amd64" \
-    aufs-dkms \
-    virtualbox-guest-dkms
+ensure_hook_dependency_is_installed \
+   virtualbox-guest-dkms

 for log in $(ls /var/lib/dkms/*/*/build/make.log); do
   echo "---- $log"
@@ -44,12 +26,6 @@ done
 # dkms.conf for a DKMS module includes a BUILD_EXCLUSIVE directive
 # which does not match our kernel version, the modules won't be built
 # and then we should abort the build.
-for modules_dir in /lib/modules/*/kernel/fs/aufs ; do
-   if [ ! -f "${modules_dir}/aufs.ko" ]; then
-       echo "Can not find aufs.ko module in '${modules_dir}" >&2
-       exit 1
-   fi
-done
 for module in vboxguest vboxsf vboxvideo ; do
   for modules_dir in /lib/modules/*/updates ; do
      if [ ! -f "${modules_dir}/${module}.ko" ]; then
@@ -61,7 +37,6 @@ done

 # virtualbox-guest-dkms's postrm script deletes any previously
 # built binary module; let's delete it before the package gets purged.
-rm /var/lib/dpkg/info/aufs-dkms.prerm
 rm /var/lib/dpkg/info/virtualbox-guest-dkms.prerm

 # Also copy the udev rules installed by virtualbox-guest-dkms to enable guest

--- a/config/chroot_local-hooks/52-udev-watchdog
+++ b/config/chroot_local-hooks/52-udev-watchdog
@@ -6,12 +6,13 @@ set -e

 echo "Compiling and installing a custom udev-watchdog program"

-apt-get install --yes build-essential binutils libudev-dev
+# Import ensure_hook_dependency_is_installed()
+. /usr/local/lib/tails-shell-library/build.sh
+
+ensure_hook_dependency_is_installed build-essential binutils libudev-dev

 SRC="/usr/src/udev-watchdog.c"
 DST="/usr/local/sbin/udev-watchdog"

 gcc -o "$DST" "$SRC" -Wall -ludev -lrt
 strip --strip-all "$DST"
-
-apt-get --yes purge libudev-dev
--- a/config/chroot_local-hooks/52-update-rc.d
+++ b/config/chroot_local-hooks/52-update-rc.d
@@ -10,17 +10,18 @@ systemctl enable memlockd.service
 # Enable our own systemd unit files
 systemctl enable initramfs-shutdown.service
 systemctl enable onion-grater.service
+systemctl enable tails-autotest-broken-Xorg.service
 systemctl enable tails-autotest-remote-shell.service
 systemctl enable tails-set-wireless-devices-state.service
 systemctl enable tails-shutdown-on-media-removal.service
 systemctl enable tails-tor-has-bootstrapped.target
 systemctl enable tails-wait-until-tor-has-bootstrapped.service
 systemctl enable tails-tor-has-bootstrapped-flag-file.service
-systemctl enable update-ca-certificates.service
 systemctl enable var-tmp.mount

 # Enable our own systemd user unit files
 systemctl --global enable tails-add-GNOME-bookmarks.service
+systemctl --global enable tails-additional-software-install.service
 systemctl --global enable tails-configure-keyboard.service
 systemctl --global enable tails-create-tor-browser-directories.service
 systemctl --global enable tails-security-check.service

--- a/config/chroot_local-hooks/54-menu
+++ b/config/chroot_local-hooks/54-menu
@@ -4,6 +4,11 @@ set -e

 echo "Registering and tweaking menus"

+# Import ensure_hook_dependency_is_installed()
+. /usr/local/lib/tails-shell-library/build.sh
+
+ensure_hook_dependency_is_installed xdg-utils
+
 for app in tails-installer tails-persistence-delete tails-persistence-setup tails-about tails-documentation; do
   xdg-desktop-menu install --novendor \
      /usr/share/desktop-directories/Tails.directory \

--- a/config/chroot_local-hooks/60-copy-syslinux-modules
+++ b/config/chroot_local-hooks/60-copy-syslinux-modules
@@ -2,7 +2,8 @@

 set -e

-# Make syslinux 6.x packaging play well with live-build 2.x
+echo 'Adapting syslinux 6.x packaging to play well with live-build 2.x'
+
 cp -a /usr/lib/syslinux/modules/bios/ifcpu64.c32 \
      /usr/lib/syslinux/modules/bios/vesamenu.c32 \
      /usr/lib/ISOLINUX/isolinux.bin \

--- a/config/chroot_local-hooks/70-wget
+++ b/config/chroot_local-hooks/70-wget
 #!/bin/sh
 set -e

+echo 'Configuring wget'
+
 # We don't want the real binary to be in $PATH:
 # Also note that wget uses the executable name in some help/error messages,
 # so wget-real/etc. should be avoided.

--- a/config/chroot_local-hooks/98-remove_unwanted_files
+++ b/config/chroot_local-hooks/98-remove_unwanted_files
@@ -18,9 +18,6 @@ rm $POTFILES_DOT_IN
 # (by the 10-tbb hook)
 rm /usr/share/tails/tbb-*.txt

-# This shell library is only used during build
-rm /usr/local/lib/tails-shell-library/build.sh
-
 # Remove the snakeoil SSL key pair generated by ssl-cert
 find /etc/ssl/certs /etc/ssl/private |
    while read f; do

--- a/config/chroot_local-hooks/98-remove_unwanted_packages
+++ b/config/chroot_local-hooks/98-remove_unwanted_packages
@@ -14,8 +14,7 @@ echo "Removing unwanted packages"
 apt-get --yes purge  \
   '^linux-compiler-*' \
   '^linux-kbuild-*' \
-   '^linux-headers-*' \
-   build-essential debhelper dkms dpkg-dev \
+   debhelper dpkg-dev \
   gcc gcc-6 \
   intltool-debian \
   libc6-dev \
@@ -24,8 +23,7 @@ apt-get --yes purge  \
   make \
   po-debconf \
   rsyslog \
-   libdvdcss-dev \
-   equivs virtualbox-guest-dkms
+   libdvdcss-dev

 ### Deinstall a few unwanted packages that were pulled by tasksel
 ### since they have Priority: standard.

--- a/config/chroot_local-hooks/99-disable-pam-secure-password-check
+++ b/config/chroot_local-hooks/99-disable-pam-secure-password-check
+#!/bin/sh
+
+set -e
+
+echo "Disabling PAM secure password check"
+
+sed -i 's/pam_unix.so obscure/pam_unix.so minlen=1/' /etc/pam.d/common-password
--- a/config/chroot_local-hooks/99-initramfs-compress
+++ b/config/chroot_local-hooks/99-initramfs-compress
@@ -4,6 +4,11 @@ set -e

 echo "Configuring compression of the initramfs"

+# Import ensure_hook_dependency_is_installed()
+. /usr/local/lib/tails-shell-library/build.sh
+
+ensure_hook_dependency_is_installed initramfs-tools xz-utils
+
 # Compress the initramfs using a more size-wise efficient algorithm.

 OPTS_FILE='/etc/initramfs-tools/initramfs.conf'

--- a/config/chroot_local-hooks/99-zzzzzz_reproducible-builds-post-processing
+++ b/config/chroot_local-hooks/99-zzzzzz_reproducible-builds-post-processing
@@ -29,7 +29,17 @@ rm /var/lib/systemd/catalog/database
 # Delete non-deterministically generated files, that should not be shared among
 # all Tails systems anyway. We don't ship SSHd, so we don't bother generating
 # them at boot.
-rm -r /var/lib/monkeysphere/authentication/
+# We remove with -f due to a suspected race condition: it seems that
+# .../authentication/sphere/S.gpg-agent can be removed (by gpg-agent?)
+# *right after* `rm -r` has listed it, so that when `rm` tries to
+# remove it, it doesn't exist any more and it fails.
+if [ -d /var/lib/monkeysphere/authentication/ ]; then
+    rm -rf /var/lib/monkeysphere/authentication/
+else
+    echo 'Cannot remove /var/lib/monkeysphere/authentication/:' \
+         'directory does not exist' >&2
+    exit 1
+fi

 # Empty non-deterministically generated file. If it exists and is empty, systemd
 # will automatically set up a new unique ID. But if does not exist, systemd

--- a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-resolv-over-clearnet
+++ b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-resolv-over-clearnet
+#!/bin/sh
+
+# This file is needed by the Unsafe Browser, and Tor while in bridge
+# mode.
+
+# Run only when the interface is not "lo":
+if [ -z "$1" ] || [ "$1" = "lo" ]; then
+   exit 0
+fi
+
+RESOLV_CLEARNET_CONF=/etc/resolv-over-clearnet.conf
+# We are truncating the file as opposed to deleting + recreating it
+# for a reason: we mount-bind this file over /etc/resolv.conf for
+# processes (via mount namespaces) that we want to give clearnet DNS
+# resolving, and deleting + recreating it would mean that the
+# bind-mount would remain outdated.
+echo -n > "${RESOLV_CLEARNET_CONF}"
+IP4_REGEX='[0-9]{1,3}(\.[0-9]{1,3}){3}'
+for ns in ${IP4_NAMESERVERS}; do
+    if echo "${ns}" | grep --extended-regexp -q "^${IP4_REGEX}$"; then
+        echo "nameserver ${ns}" >> "${RESOLV_CLEARNET_CONF}"
+    fi
+done
--- a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-save-env
+++ b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/00-save-env
-#!/bin/sh
-
-# This information is needed by the Unsafe Browser.
-
-# Run only when the interface is not "lo":
-if [ -z "$1" ] || [ "$1" = "lo" ]; then
-   exit 0
-fi
-
-# Run whenever an interface gets "up", not otherwise:
-if [ "$2" != "up" ]; then
-   exit 0
-fi
-
-echo "IP4_NAMESERVERS=\"${IP4_NAMESERVERS}\""  > /var/lib/NetworkManager/env
--- a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/10-tor.sh
+++ b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/10-tor.sh
@@ -54,7 +54,21 @@ fi
 # * https://tails.boum.org/bugs/tor_vs_networkmanager/
 # To work around this we restart Tor, in various ways, no matter the
 # case below.
+TOR_SYSTEMD_OVERRIDE_DIR="/lib/systemd/system/tor@default.service.d"
+TOR_RESOLV_CONF_OVERRIDE="${TOR_SYSTEMD_OVERRIDE_DIR}/50-resolv-conf-override.conf"
 if [ "$(tails_netconf)" = "obstacle" ]; then
+    # Override /etc/resolv.conf for tor only, so it can use a clearnet
+    # DNS server to resolve hostnames used for pluggable transport and
+    # proxies.
+    if [ ! -e "${TOR_RESOLV_CONF_OVERRIDE}" ]; then
+        mkdir -p "${TOR_SYSTEMD_OVERRIDE_DIR}"
+        cat > "${TOR_RESOLV_CONF_OVERRIDE}" <<EOF
+[Service]
+BindReadOnlyPaths=/etc/resolv-over-clearnet.conf:/etc/resolv.conf
+EOF
+        systemctl daemon-reload
+    fi
+
    # We do not use restart-tor since it validates that bootstraping
    # succeeds. That cannot happen until Tor Launcher has started
    # (below) and the user is done configuring it.
@@ -70,7 +84,7 @@ if [ "$(tails_netconf)" = "obstacle" ]; then
    # Enable the transports we support. We cannot do this in general,
    # when bridge mode is not enabled, since we then use seccomp
    # sandboxing.
-    tor_control_setconf 'ClientTransportPlugin="obfs2,obfs3,obfs4 exec /usr/bin/obfs4proxy managed"'
+    tor_control_setconf 'ClientTransportPlugin="obfs2,obfs3,obfs4,meek_lite exec /usr/bin/obfs4proxy managed"'

    /usr/local/sbin/tails-tor-launcher &

@@ -79,5 +93,9 @@ if [ "$(tails_netconf)" = "obstacle" ]; then
        sleep 1
    done
 else
+    if [ -e "${TOR_RESOLV_CONF_OVERRIDE}" ]; then
+        rm "${TOR_RESOLV_CONF_OVERRIDE}"
+        systemctl daemon-reload
+    fi
    ( restart-tor ) &
 fi
--- a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/60-tor-ready.sh
+++ b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/60-tor-ready.sh
@@ -30,7 +30,7 @@ done
 TOR_LAUNCHER_PROCESS_REGEX="firefox-unconfined -?-app.*tor-launcher-standalone"
 if pgrep -f "${TOR_LAUNCHER_PROCESS_REGEX}"; then
   pkill -f "${TOR_LAUNCHER_PROCESS_REGEX}"
-   pref=/user/Data/Browser/profile.default/prefs.js
+   pref=/home/tor-launcher/.tor-launcher/profile.default/prefs.js
   sed -i '/^user_pref("extensions\.torlauncher\.prompt_at_startup"/d' "${pref}"
   echo 'user_pref("extensions.torlauncher.prompt_at_startup", false);' >> "${pref}"
 fi

--- a/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/70-upgrade-additional-software.sh
+++ b/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/70-upgrade-additional-software.sh
@@ -12,4 +12,4 @@ if [ "$2" != "up" ]; then
   exit 0
 fi

-/usr/local/sbin/tails-additional-software upgrade
+/bin/systemctl --no-block start tails-additional-software-upgrade.path
--- a/config/chroot_local-includes/etc/apparmor.d/disable/usr.bin.thunderbird
+++ b/config/chroot_local-includes/etc/apparmor.d/disable/usr.bin.thunderbird
-/etc/apparmor.d/usr.bin.thunderbird
\ No newline at end of file
--- a/config/chroot_local-includes/etc/dconf/db/local.d/00_Tails_defaults
+++ b/config/chroot_local-includes/etc/dconf/db/local.d/00_Tails_defaults
@@ -28,7 +28,7 @@ autorun-x-content-start-app = @as []
 autorun-x-content-ignore = @as []

 [org/gnome/desktop/screensaver]
-lock-enabled = false
+lock-enabled = true
 picture-uri = 'file:///usr/share/tails/screensaver_background.png'
 user-switch-enabled = false

@@ -52,13 +52,22 @@ natural-scroll = true
 tap-to-click = true
 two-finger-scrolling-enabled = true

+[org/gnome/settings-daemon/plugins/media-keys]
+custom-keybindings=['/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/']
+screensaver=''
+
+[org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0]
+binding='<Super>l'
+command='tails-screen-locker'
+name='Lock Screen'
+
 [org/gnome/settings-daemon/plugins/power]
 power-button-action = 'nothing'
 lid-close-ac-action = 'blank'
 lid-close-battery-action = 'blank'

 [org/gnome/shell]
-enabled-extensions = ['apps-menu@gnome-shell-extensions.gcampax.github.com', 'places-menu@gnome-shell-extensions.gcampax.github.com', 'window-list@gnome-shell-extensions.gcampax.github.com', 'TopIcons@phocean.net', 'shutdown-helper@tails.boum.org', 'torstatus@tails.boum.org']
+enabled-extensions = ['apps-menu@gnome-shell-extensions.gcampax.github.com', 'places-menu@gnome-shell-extensions.gcampax.github.com', 'window-list@gnome-shell-extensions.gcampax.github.com', 'TopIcons@phocean.net', 'status-menu-helper@tails.boum.org', 'torstatus@tails.boum.org']
 favorite-apps=['tor-browser.desktop', 'thunderbird.desktop', 'pidgin.desktop', 'keepassx.desktop', 'gnome-terminal.desktop']

 [org/gnome/shell/extensions/topicons]

--- a/config/chroot_local-includes/etc/ferm/ferm.conf
+++ b/config/chroot_local-includes/etc/ferm/ferm.conf
@@ -37,7 +37,7 @@ domain ip {
                    mod owner uid-owner proxy ACCEPT;
                    mod owner uid-owner nobody ACCEPT;
                }
-                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (9050 9061 9062 9150) {
+                daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (9050 9062 9150) {
                    mod owner uid-owner $amnesia_uid ACCEPT;
                }
                daddr 127.0.0.1 proto tcp syn dport 9062 {
@@ -100,6 +100,12 @@ domain ip {
                proto udp dport domain ACCEPT;
            }

+            # Tor is allowed to do anything it wants to.
+            mod owner uid-owner debian-tor {
+                proto tcp syn mod state state (NEW) ACCEPT;
+                proto udp dport domain ACCEPT;
+            }
+
            # Local network connections should not go through Tor but DNS shall be
            # rejected. (Note that we exclude the VirtualAddrNetwork used for
            # .onion:s here.)
@@ -111,11 +117,6 @@ domain ip {
                ACCEPT;
            }

-            # Tor is allowed to do anything it wants to.
-            mod owner uid-owner debian-tor {
-                proto tcp syn mod state state (NEW) ACCEPT;
-            }
-
            # Everything else is logged and dropped.
            LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
            REJECT reject-with icmp-port-unreachable;