Commit 8b56e3f6 authored by bertagaz

Merge branch 'master' into stable

parents 52eaf89d 0e901e24
#!/bin/sh
set -e
echo "Enable various AppArmor profiles"
rm /etc/apparmor.d/disable/usr.bin.thunderbird
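Review bot: `rm /etc/apparmor.d/disable/usr.bin.thunderbird` deletes the symlink that keeps the Thunderbird profile out of enforcement, but the hook neither records why that symlink exists nor checks that the profile it is meant to enable is actually present, so a future package that stops shipping `/etc/apparmor.d/usr.bin.thunderbird` would still pass this hook while confining nothing. Add `test -f /etc/apparmor.d/usr.bin.thunderbird` before the `rm`, and a comment along the lines of `# The packaged profile is shipped disabled via this symlink (presumably the Debian default); removing it makes the profile load and enforce at boot.`. The `set -e` at the top already turns a missing symlink into a failed build, which is the right fail-loud behaviour and is worth stating in the same comment.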
......@@ -4,36 +4,18 @@ set -e
set -u
set -x
echo "Building dkms modules"
echo "Building VirtualBox guest modules"
. /usr/share/amnesia/build/variables
# Import install_fake_package
# Import ensure_hook_dependency_is_installed()
. /usr/local/lib/tails-shell-library/build.sh
# Install gcc-6 and fake linux-compiler-gcc-7-x86
# (linux-headers-4.14+ depends on it, but Stretch hasn't GCC 7)
# XXX:Buster: remove this hack.
apt-get install --yes gcc-6
NEWEST_INSTALLED_KERNEL_VERSION="$(
dpkg-query --showformat '${Version}\n' --show 'linux-image-*-amd64' \
| sort --version-sort | tail -n1
)"
install_fake_package \
linux-compiler-gcc-7-x86 \
"${NEWEST_INSTALLED_KERNEL_VERSION}~0tails1"
ln -s /usr/bin/gcc-6 /usr/bin/gcc-7
# Any -dkms package must be installed *after* dkms to be properly registered
apt-get install --yes \
build-essential \
dkms \
libelf-dev
ensure_hook_dependency_is_installed dkms
apt-get install --yes \
"linux-headers-${KERNEL_VERSION}-amd64" \
aufs-dkms \
virtualbox-guest-dkms
ensure_hook_dependency_is_installed \
virtualbox-guest-dkms
for log in $(ls /var/lib/dkms/*/*/build/make.log); do
echo "---- $log"
......@@ -44,12 +26,6 @@ done
# dkms.conf for a DKMS module includes a BUILD_EXCLUSIVE directive
# which does not match our kernel version, the modules won't be built
# and then we should abort the build.
for modules_dir in /lib/modules/*/kernel/fs/aufs ; do
if [ ! -f "${modules_dir}/aufs.ko" ]; then
echo "Can not find aufs.ko module in '${modules_dir}" >&2
exit 1
fi
done
for module in vboxguest vboxsf vboxvideo ; do
for modules_dir in /lib/modules/*/updates ; do
if [ ! -f "${modules_dir}/${module}.ko" ]; then
......@@ -61,7 +37,6 @@ done
# virtualbox-guest-dkms's postrm script deletes any previously
# built binary module; let's delete it before the package gets purged.
rm /var/lib/dpkg/info/aufs-dkms.prerm
rm /var/lib/dpkg/info/virtualbox-guest-dkms.prerm
# Also copy the udev rules installed by virtualbox-guest-dkms to enable guest
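Review bot: In the first hunk, the new `ensure_hook_dependency_is_installed dkms` and `ensure_hook_dependency_is_installed virtualbox-guest-dkms` lines only assert that the packages are present; nothing in the hook now ties the module build to `${KERNEL_VERSION}`, which is still sourced from the variables file at the top of the hunk but no longer referenced by any visible line (the removed `apt-get install "linux-headers-${KERNEL_VERSION}-amd64"` was its only user here). The existence check later in the file loops over every `/lib/modules/*/updates`, so a module built against some other installed kernel would satisfy it just as well; narrowing that loop to `/lib/modules/${KERNEL_VERSION}-amd64/updates`, matching the headers package name the old code pinned, would close that gap. If the build is now expected to happen when the packages are installed as declared hook dependencies, a comment such as `# virtualbox-guest-dkms is installed as a hook dependency and dkms builds the modules at that point; this hook only validates the result.` would make the contract explicit. The third hunk's `rm /var/lib/dpkg/info/virtualbox-guest-dkms.prerm` keeps its rationale comment, which is good; the same sentence would be useful above the `ensure_hook_dependency_is_installed` calls.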
......
......@@ -6,12 +6,13 @@ set -e
echo "Compiling and installing a custom udev-watchdog program"
apt-get install --yes build-essential binutils libudev-dev
# Import ensure_hook_dependency_is_installed()
. /usr/local/lib/tails-shell-library/build.sh
ensure_hook_dependency_is_installed build-essential binutils libudev-dev
SRC="/usr/src/udev-watchdog.c"
DST="/usr/local/sbin/udev-watchdog"
gcc -o "$DST" "$SRC" -Wall -ludev -lrt
strip --strip-all "$DST"
apt-get --yes purge libudev-dev
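Review bot: `ensure_hook_dependency_is_installed build-essential binutils libudev-dev` now only checks that the packages are present, yet the unchanged last line still runs `apt-get --yes purge libudev-dev`, so this hook removes a package it no longer owns; any later hook that relies on the same declared dependency will break depending purely on hook ordering. Either drop the purge and leave cleanup to whatever removes the hook dependencies, or add a comment explaining why libudev-dev specifically must go here. The compile line `gcc -o "$DST" "$SRC" -Wall -ludev -lrt` is unchanged, but for a privileged program installed under `/usr/local/sbin` adding hardening flags such as `-O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wl,-z,relro,-z,now` would be cheap while the hook is being touched.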
......@@ -10,17 +10,18 @@ systemctl enable memlockd.service
# Enable our own systemd unit files
systemctl enable initramfs-shutdown.service
systemctl enable onion-grater.service
systemctl enable tails-autotest-broken-Xorg.service
systemctl enable tails-autotest-remote-shell.service
systemctl enable tails-set-wireless-devices-state.service
systemctl enable tails-shutdown-on-media-removal.service
systemctl enable tails-tor-has-bootstrapped.target
systemctl enable tails-wait-until-tor-has-bootstrapped.service
systemctl enable tails-tor-has-bootstrapped-flag-file.service
systemctl enable update-ca-certificates.service
systemctl enable var-tmp.mount
# Enable our own systemd user unit files
systemctl --global enable tails-add-GNOME-bookmarks.service
systemctl --global enable tails-additional-software-install.service
systemctl --global enable tails-configure-keyboard.service
systemctl --global enable tails-create-tor-browser-directories.service
systemctl --global enable tails-security-check.service
......
......@@ -4,6 +4,11 @@ set -e
echo "Registering and tweaking menus"
# Import ensure_hook_dependency_is_installed()
. /usr/local/lib/tails-shell-library/build.sh
ensure_hook_dependency_is_installed xdg-utils
for app in tails-installer tails-persistence-delete tails-persistence-setup tails-about tails-documentation; do
xdg-desktop-menu install --novendor \
/usr/share/desktop-directories/Tails.directory \
......
......@@ -2,7 +2,8 @@
set -e
# Make syslinux 6.x packaging play well with live-build 2.x
echo 'Adapting syslinux 6.x packaging to play well with live-build 2.x'
cp -a /usr/lib/syslinux/modules/bios/ifcpu64.c32 \
/usr/lib/syslinux/modules/bios/vesamenu.c32 \
/usr/lib/ISOLINUX/isolinux.bin \
......
#!/bin/sh
set -e
echo 'Configuring wget'
# We don't want the real binary to be in $PATH:
# Also note that wget uses the executable name in some help/error messages,
# so wget-real/etc. should be avoided.
......
......@@ -18,9 +18,6 @@ rm $POTFILES_DOT_IN
# (by the 10-tbb hook)
rm /usr/share/tails/tbb-*.txt
# This shell library is only used during build
rm /usr/local/lib/tails-shell-library/build.sh
# Remove the snakeoil SSL key pair generated by ssl-cert
find /etc/ssl/certs /etc/ssl/private |
while read f; do
......
......@@ -14,8 +14,7 @@ echo "Removing unwanted packages"
apt-get --yes purge \
'^linux-compiler-*' \
'^linux-kbuild-*' \
'^linux-headers-*' \
build-essential debhelper dkms dpkg-dev \
debhelper dpkg-dev \
gcc gcc-6 \
intltool-debian \
libc6-dev \
......@@ -24,8 +23,7 @@ apt-get --yes purge \
make \
po-debconf \
rsyslog \
libdvdcss-dev \
equivs virtualbox-guest-dkms
libdvdcss-dev
### Deinstall a few unwanted packages that were pulled by tasksel
### since they have Priority: standard.
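Review bot: The purge list keeps `gcc gcc-6` while `build-essential`, `dkms` and `virtualbox-guest-dkms` are taken out of it; in Debian `dkms` declares a C compiler dependency, so `apt-get --yes purge ... gcc gcc-6 ...` will most likely remove dkms (and virtualbox-guest-dkms with it) anyway, just implicitly and earlier than whatever step is now expected to clean up hook dependencies. If those packages are meant to survive until a dedicated build-dependency cleanup, `gcc gcc-6` has to leave this list too; if they are meant to go now, listing them explicitly is clearer than relying on the dependency cascade, and either way a comment stating which it is would help. The hunk also appears to drop `'^linux-headers-*'`, so the kernel headers installed for the dkms build now stay in the image unless another hook removes them, which is worth confirming since headers are a large and useless addition to a live image.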
......
#!/bin/sh
set -e
echo "Disabling PAM secure password check"
sed -i 's/pam_unix.so obscure/pam_unix.so minlen=1/' /etc/pam.d/common-password
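Review bot: `sed -i 's/pam_unix.so obscure/pam_unix.so minlen=1/' /etc/pam.d/common-password` exits 0 even when the pattern does not match, so `set -e` cannot catch a change in Debian's template and the `obscure` check would silently stay enabled (or the line would be left in some other shape). Assert the post-condition right after the sed, e.g. `grep -q 'pam_unix.so minlen=1' /etc/pam.d/common-password`, so the build fails loudly instead. Assuming this hook is being added rather than removed, a one-line comment stating why the password strength check is deliberately relaxed would also help, since weakening a PAM stack is exactly the kind of change a later reader is tempted to "fix" back.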
......@@ -4,6 +4,11 @@ set -e
echo "Configuring compression of the initramfs"
# Import ensure_hook_dependency_is_installed()
. /usr/local/lib/tails-shell-library/build.sh
ensure_hook_dependency_is_installed initramfs-tools xz-utils
# Compress the initramfs using a more size-wise efficient algorithm.
OPTS_FILE='/etc/initramfs-tools/initramfs.conf'
......
......@@ -29,7 +29,17 @@ rm /var/lib/systemd/catalog/database
# Delete non-deterministically generated files, that should not be shared among
# all Tails systems anyway. We don't ship SSHd, so we don't bother generating
# them at boot.
rm -r /var/lib/monkeysphere/authentication/
# We remove with -f due to a suspected race condition: it seems that
# .../authentication/sphere/S.gpg-agent can be removed (by gpg-agent?)
# *right after* `rm -r` has listed it, so that when `rm` tries to
# remove it, it doesn't exist any more and it fails.
if [ -d /var/lib/monkeysphere/authentication/ ]; then
rm -rf /var/lib/monkeysphere/authentication/
else
echo 'Cannot remove /var/lib/monkeysphere/authentication/:' \
'directory does not exist' >&2
exit 1
fi
# Empty non-deterministically generated file. If it exists and is empty, systemd
# will automatically set up a new unique ID. But if does not exist, systemd
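Review bot: `rm -rf /var/lib/monkeysphere/authentication/` tolerates the race described in the comment, but it also hides every other removal failure (EACCES, EBUSY, a read-only bind mount), so the build can continue with the non-deterministic keyring still in place. Keep the `-f` if needed, but assert the outcome afterwards, e.g. `[ ! -e /var/lib/monkeysphere/authentication/ ] || exit 1`, which gives the same fail-loud behaviour the new else branch has for the missing-directory case. The comment names `sphere/S.gpg-agent` as the file that vanishes, which suggests a gpg-agent is still running in the chroot at this point; stopping it first (for instance `gpgconf --homedir /var/lib/monkeysphere/authentication/sphere --kill gpg-agent`, if that is indeed its home directory) would remove the race instead of tolerating it, and a daemon lingering in the build chroot is worth investigating on its own.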
......
#!/bin/sh
# This file is needed by the Unsafe Browser, and Tor while in bridge
# mode.
# Run only when the interface is not "lo":
if [ -z "$1" ] || [ "$1" = "lo" ]; then
exit 0
fi
RESOLV_CLEARNET_CONF=/etc/resolv-over-clearnet.conf
# We are truncating the file as opposed to deleting + recreating it
# for a reason: we mount-bind this file over /etc/resolv.conf for
# processes (via mount namespaces) that we want to give clearnet DNS
# resolving, and deleting + recreating it would mean that the
# bind-mount would remain outdated.
echo -n > "${RESOLV_CLEARNET_CONF}"
IP4_REGEX='[0-9]{1,3}(\.[0-9]{1,3}){3}'
for ns in ${IP4_NAMESERVERS}; do
if echo "${ns}" | grep --extended-regexp -q "^${IP4_REGEX}$"; then
echo "nameserver ${ns}" >> "${RESOLV_CLEARNET_CONF}"
fi
done
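Review bot: Unlike the sibling dispatcher script that writes `/var/lib/NetworkManager/env`, this script does not filter on the `$2` event, so every non-lo event (`down`, `dhcp4-change`, `vpn-*`, ...) truncates `/etc/resolv-over-clearnet.conf` and rewrites it from whatever `IP4_NAMESERVERS` NetworkManager passed for that one interface; on a `down` event that is empty, leaving Tor (which bind-mounts this file over `/etc/resolv.conf` in bridge mode) and the Unsafe Browser with no resolver, and with two interfaces the last event wins. If clearing the file on `down` is intended, say so in a comment; otherwise add `if [ "$2" != "up" ] && [ "$2" != "dhcp4-change" ]; then exit 0; fi` next to the interface check. The script has `#!/bin/sh` but no `set -e`, so a failed `echo -n >` is ignored and the loop then appends to a stale file; `set -e` at the top would be consistent with the other hooks in this commit. The IPv4-only regex is a reasonable sanity filter for DHCP-supplied values, but a comment noting that `IP6_NAMESERVERS` is deliberately ignored would prevent a later "fix".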
#!/bin/sh
# This information is needed by the Unsafe Browser.
# Run only when the interface is not "lo":
if [ -z "$1" ] || [ "$1" = "lo" ]; then
exit 0
fi
# Run whenever an interface gets "up", not otherwise:
if [ "$2" != "up" ]; then
exit 0
fi
echo "IP4_NAMESERVERS=\"${IP4_NAMESERVERS}\"" > /var/lib/NetworkManager/env
......@@ -54,7 +54,21 @@ fi
# * https://tails.boum.org/bugs/tor_vs_networkmanager/
# To work around this we restart Tor, in various ways, no matter the
# case below.
TOR_SYSTEMD_OVERRIDE_DIR="/lib/systemd/system/tor@default.service.d"
TOR_RESOLV_CONF_OVERRIDE="${TOR_SYSTEMD_OVERRIDE_DIR}/50-resolv-conf-override.conf"
if [ "$(tails_netconf)" = "obstacle" ]; then
# Override /etc/resolv.conf for tor only, so it can use a clearnet
# DNS server to resolve hostnames used for pluggable transport and
# proxies.
if [ ! -e "${TOR_RESOLV_CONF_OVERRIDE}" ]; then
mkdir -p "${TOR_SYSTEMD_OVERRIDE_DIR}"
cat > "${TOR_RESOLV_CONF_OVERRIDE}" <<EOF
[Service]
BindReadOnlyPaths=/etc/resolv-over-clearnet.conf:/etc/resolv.conf
EOF
systemctl daemon-reload
fi
# We do not use restart-tor since it validates that bootstraping
# succeeds. That cannot happen until Tor Launcher has started
# (below) and the user is done configuring it.
......@@ -70,7 +84,7 @@ if [ "$(tails_netconf)" = "obstacle" ]; then
# Enable the transports we support. We cannot do this in general,
# when bridge mode is not enabled, since we then use seccomp
# sandboxing.
tor_control_setconf 'ClientTransportPlugin="obfs2,obfs3,obfs4 exec /usr/bin/obfs4proxy managed"'
tor_control_setconf 'ClientTransportPlugin="obfs2,obfs3,obfs4,meek_lite exec /usr/bin/obfs4proxy managed"'
/usr/local/sbin/tails-tor-launcher &
......@@ -79,5 +93,9 @@ if [ "$(tails_netconf)" = "obstacle" ]; then
sleep 1
done
else
if [ -e "${TOR_RESOLV_CONF_OVERRIDE}" ]; then
rm "${TOR_RESOLV_CONF_OVERRIDE}"
systemctl daemon-reload
fi
( restart-tor ) &
fi
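Review bot: In the first hunk, the drop-in `50-resolv-conf-override.conf` is written into `/lib/systemd/system/tor@default.service.d/`, the package-owned vendor tree, from a runtime script; `/run/systemd/system/tor@default.service.d/` is the location systemd documents for units generated at runtime and needs no cleanup, and `/etc/systemd/system/` is the administrator location, so `TOR_SYSTEMD_OVERRIDE_DIR="/run/systemd/system/tor@default.service.d"` would be the conventional choice. `BindReadOnlyPaths=` was introduced in systemd 233; if the image ships Stretch's 232 rather than a backport, the directive is ignored with only a journal warning and Tor silently keeps the Tor-only `/etc/resolv.conf`, with no error from this script, so the version assumption deserves either a check (`systemctl show -p BindReadOnlyPaths tor@default`) or at least a comment. The bind mount also requires `/etc/resolv-over-clearnet.conf` to exist before `tor@default` is restarted; that file is produced by another dispatcher script on the same `up` event, so the filename ordering between the two scripts is load-bearing and should be stated in a comment next to the `cat > ... <<EOF`. The obstacle branch's body between the hunks is not shown here.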
......@@ -30,7 +30,7 @@ done
TOR_LAUNCHER_PROCESS_REGEX="firefox-unconfined -?-app.*tor-launcher-standalone"
if pgrep -f "${TOR_LAUNCHER_PROCESS_REGEX}"; then
pkill -f "${TOR_LAUNCHER_PROCESS_REGEX}"
pref=/user/Data/Browser/profile.default/prefs.js
pref=/home/tor-launcher/.tor-launcher/profile.default/prefs.js
sed -i '/^user_pref("extensions\.torlauncher\.prompt_at_startup"/d' "${pref}"
echo 'user_pref("extensions.torlauncher.prompt_at_startup", false);' >> "${pref}"
fi
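Review bot: The new `pref=/home/tor-launcher/.tor-launcher/profile.default/prefs.js` points the following `sed -i` and `>>` at a path under a home directory that presumably belongs to the unprivileged `tor-launcher` user, while this dispatcher script runs as root; if that user (or the Firefox-based Tor Launcher it runs) is compromised, a symlink placed anywhere in that path redirects root's append to an arbitrary file (`>>` follows symlinks, and the directory components are user-controlled even though GNU `sed -i` replaces rather than follows a symlinked target). Perform the edit as the owning user, e.g. `runuser -u tor-launcher -- sed -i '/^user_pref("extensions\.torlauncher\.prompt_at_startup"/d' "${pref}"` and `printf '%s\n' 'user_pref("extensions.torlauncher.prompt_at_startup", false);' | runuser -u tor-launcher -- tee -a "${pref}" >/dev/null`, or set the preference from a root-owned location the user cannot alter. `pkill -f "${TOR_LAUNCHER_PROCESS_REGEX}"` run as root also matches any uid's process whose command line fits the pattern; `pkill -u tor-launcher -f ...` would scope it. The enclosing script continues outside the hunk.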
......
......@@ -12,4 +12,4 @@ if [ "$2" != "up" ]; then
exit 0
fi
/usr/local/sbin/tails-additional-software upgrade
/bin/systemctl --no-block start tails-additional-software-upgrade.path
/etc/apparmor.d/usr.bin.thunderbird
\ No newline at end of file
......@@ -28,7 +28,7 @@ autorun-x-content-start-app = @as []
autorun-x-content-ignore = @as []
[org/gnome/desktop/screensaver]
lock-enabled = false
lock-enabled = true
picture-uri = 'file:///usr/share/tails/screensaver_background.png'
user-switch-enabled = false
......@@ -52,13 +52,22 @@ natural-scroll = true
tap-to-click = true
two-finger-scrolling-enabled = true
[org/gnome/settings-daemon/plugins/media-keys]
custom-keybindings=['/org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0/']
screensaver=''
[org/gnome/settings-daemon/plugins/media-keys/custom-keybindings/custom0]
binding='<Super>l'
command='tails-screen-locker'
name='Lock Screen'
[org/gnome/settings-daemon/plugins/power]
power-button-action = 'nothing'
lid-close-ac-action = 'blank'
lid-close-battery-action = 'blank'
[org/gnome/shell]
enabled-extensions = ['apps-menu@gnome-shell-extensions.gcampax.github.com', 'places-menu@gnome-shell-extensions.gcampax.github.com', 'window-list@gnome-shell-extensions.gcampax.github.com', 'TopIcons@phocean.net', 'shutdown-helper@tails.boum.org', 'torstatus@tails.boum.org']
enabled-extensions = ['apps-menu@gnome-shell-extensions.gcampax.github.com', 'places-menu@gnome-shell-extensions.gcampax.github.com', 'window-list@gnome-shell-extensions.gcampax.github.com', 'TopIcons@phocean.net', 'status-menu-helper@tails.boum.org', 'torstatus@tails.boum.org']
favorite-apps=['tor-browser.desktop', 'thunderbird.desktop', 'pidgin.desktop', 'keepassx.desktop', 'gnome-terminal.desktop']
[org/gnome/shell/extensions/topicons]
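Review bot: `lock-enabled = true` and the `<Super>l` → `tails-screen-locker` binding are written as dconf defaults, which the logged-in user can flip back from Settings or with `gsettings`; if screen locking is meant to be a security property rather than a convenience, the same keys need entries in the database's `locks/` directory (not part of this commit), and otherwise a comment saying the user is allowed to disable it would prevent that being read as an oversight. `command='tails-screen-locker'` is resolved through the session's `PATH` at keypress time; an absolute path would make the binding independent of PATH changes. `screensaver=''` unbinds GNOME's own lock shortcut, so a one-line comment such as `# Replace GNOME's lock shortcut with our own locker on Super+L` above the media-keys group would save the next reader a search.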
......
......@@ -37,7 +37,7 @@ domain ip {
mod owner uid-owner proxy ACCEPT;
mod owner uid-owner nobody ACCEPT;
}
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (9050 9061 9062 9150) {
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (9050 9062 9150) {
mod owner uid-owner $amnesia_uid ACCEPT;
}
daddr 127.0.0.1 proto tcp syn dport 9062 {
......@@ -100,6 +100,12 @@ domain ip {
proto udp dport domain ACCEPT;
}
# Tor is allowed to do anything it wants to.
mod owner uid-owner debian-tor {
proto tcp syn mod state state (NEW) ACCEPT;
proto udp dport domain ACCEPT;
}
# Local network connections should not go through Tor but DNS shall be
# rejected. (Note that we exclude the VirtualAddrNetwork used for
# .onion:s here.)
......@@ -111,11 +117,6 @@ domain ip {
ACCEPT;
}
# Tor is allowed to do anything it wants to.
mod owner uid-owner debian-tor {
proto tcp syn mod state state (NEW) ACCEPT;
}
# Everything else is logged and dropped.
LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
REJECT reject-with icmp-port-unreachable;
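Review bot: The new `mod owner uid-owner debian-tor { ... proto udp dport domain ACCEPT; }` block lets the Tor daemon send DNS to any destination at all times, yet the only need visible in this commit is resolving pluggable-transport and proxy hostnames in bridge mode via the clearnet resolv.conf the tor dispatcher binds in; in the default configuration Tor has no reason to use the system resolver, so the allow-list is widened on every boot. Because the block was also moved above the local-network section, Tor's UDP 53 traffic now matches before the "DNS shall be rejected" rule for LAN destinations, which was not the case at its old position after that section. Consider gating the UDP 53 rule on obstacle mode (a ferm variable or `@include` toggled by the dispatcher, followed by a ferm reload) or restricting `daddr` to the nameservers written into `/etc/resolv-over-clearnet.conf`, and at minimum add a comment above the block stating why Tor needs clearnet DNS and that bypassing the LAN DNS rejection is deliberate. Dropping 9061 from the amnesia port list looks intentional, but it leaves no trace here of what listened there, so a word in the commit message or a comment would help.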
......