Commit 8fa9c593 authored by Tails developers's avatar Tails developers

Merge remote-tracking branch 'origin/master' into wiki/7258-img-clickable

parents 76795b78 57b79551
......@@ -65,7 +65,7 @@ chmod -R go+rX config/chroot_sources
# build the image
: ${MKSQUASHFS_OPTIONS:='-comp xz'}
: ${MKSQUASHFS_OPTIONS:='-comp xz -Xbcj x86 -b 1024K -Xdict-size 1024K'}
MKSQUASHFS_OPTIONS="${MKSQUASHFS_OPTIONS} -wildcards -ef chroot/usr/share/amnesia/build/mksquashfs-excludes"
export MKSQUASHFS_OPTIONS
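Review bot: The new default on the line `: ${MKSQUASHFS_OPTIONS:='-comp xz -Xbcj x86 -b 1024K -Xdict-size 1024K'}` is an unquoted expansion, so a MKSQUASHFS_OPTIONS that is already set in the environment is word-split and glob-expanded before `:` discards it, and ShellCheck flags the line. Quoting it, `: "${MKSQUASHFS_OPTIONS:='-comp xz -Xbcj x86 -b 1024K -Xdict-size 1024K'}"`, keeps the default assignment and removes the side effect. A one-line comment recording why `-Xbcj x86` and the 1024K block and dictionary sizes were chosen would also help; the changelog on this page only says the SquashFS is compressed more aggressively (#7706). The surrounding build script continues outside this hunk.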
......
......@@ -35,7 +35,7 @@ $RUN_LB_CONFIG \
--memtest none \
--packages-lists="standard" \
--tasks="standard" \
--linux-packages="linux-image-3.14-1" \
--linux-packages="linux-image-3.14-2" \
--syslinux-menu vesamenu \
--syslinux-splash data/splash.png \
--syslinux-timeout 4 \
......
......@@ -43,11 +43,13 @@ cp "$CHROOT_SYSLINUX_MBR" "$BINARY_MBR_DIR/mbr.bin"
cat chroot/etc/apt/sources.list chroot/etc/apt/sources.list.d/*.list \
| sed --regexp-extended -e 's,^deb(\s+),deb-src\1,' \
> "$CHROOT_TEMP_APT_SOURCES"
mv chroot/etc/apt/apt.conf.d/{,.}0000runtime-proxy
Chroot chroot apt-get --yes update
Chroot chroot apt-get --yes install dpkg-dev
Chroot chroot apt-get source syslinux="$(syslinux_deb_version_in_chroot)"
cp chroot/syslinux-*/bios/win32/syslinux.exe "$WIN32_BINARY_UTILS_DIR/"
rm -r chroot/syslinux*
rm "$CHROOT_TEMP_APT_SOURCES"
mv chroot/etc/apt/apt.conf.d/{.,}0000runtime-proxy
Chroot chroot apt-get --yes update
Chroot chroot apt-get --yes purge dpkg-dev make # dpkg-dev depends on make
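Review bot: The runtime proxy snippet renamed by `mv chroot/etc/apt/apt.conf.d/{,.}0000runtime-proxy` is only renamed back by the trailing `mv chroot/etc/apt/apt.conf.d/{.,}0000runtime-proxy`, so if any apt-get or cp step between the two fails and aborts the hook, the proxy configuration stays disabled for every later hook that uses APT in the chroot. Restoring it from an EXIT trap, set right after the first rename, would cover that path as well. The `{,.}` brace expansion also requires bash; the shebang and the rest of this hook are outside the hunk, so I could not confirm the interpreter. A comment giving the reason for the temporary rename (the changelog on this page refers to #7691) would make the pairing of the two `mv` lines obvious to a reader.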
......@@ -114,19 +114,19 @@ Package: linux-headers-amd64
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-headers-3.14-1-common
Package: linux-headers-3.14-2-common
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-headers-3.14-1-486
Package: linux-headers-3.14-2-486
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-headers-3.14-1-686-pae
Package: linux-headers-3.14-2-686-pae
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-headers-3.14-1-amd64
Package: linux-headers-3.14-2-amd64
Pin: release o=Debian,a=unstable
Pin-Priority: 999
......@@ -142,15 +142,15 @@ Package: linux-image-amd64
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-image-3.14-1-486
Package: linux-image-3.14-2-486
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-image-3.14-1-686-pae
Package: linux-image-3.14-2-686-pae
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-image-3.14-1-amd64
Package: linux-image-3.14-2-amd64
Pin: release o=Debian,a=unstable
Pin-Priority: 999
......
......@@ -30,6 +30,7 @@ sed -i 's|^.*\(wrapper\.java\.additional\.6=-Djava\.net\.preferIPv6Addresses=\).
# * HiddenMode: Enabled
# * In-I2P Network Updates: Disabled
# * Inbound connections: Disabled (setting is "i2cp.ntcp.autoip")
# * Disable I2P plugins
cat > "$I2P/router.config" << EOF
# NOTE: This I2P config file must use UTF-8 encoding
i2cp.disableInterface=true
......@@ -38,4 +39,9 @@ i2np.ntcp.autoip=false
i2np.udp.ipv6=false
router.isHidden=true
router.updateDisabled=true
router.enablePlugins=false
EOF
cat > "$I2P/susimail.config" << EOF
susimail.pop3.leave.on.server=true
EOF
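Review bot: The new `cat > "$I2P/susimail.config" << EOF` here-document uses an unquoted delimiter, as the router.config one above it does; its content is a fixed setting, so `<< 'EOF'` states that no parameter expansion is intended and protects a future line containing `$`. The changelog in this commit says this file is only copied over in I2P 0.9.14 and newer, which belongs next to the code: `# susimail.config is only copied over by I2P 0.9.14 and newer`. The bullet list above router.config could gain a matching `# * POP3: leave mail on server` entry so the two files are documented the same way. The script's head, where `$I2P` is set, is outside this hunk.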
#!/bin/sh
set -u
set -e
# Everything moved by this hook script will be reversed in the event that
# the string "i2p" is entered at a boot prompt
DEST="/usr/share/tails/i2p-disabled"
[ -d "/usr/share/i2p" ] || return 0
mkdir "$DEST"
mv -f /usr/share/i2p "$DEST"
mv -f /usr/sbin/wrapper "$DEST"
mv -f /usr/share/applications/i2p.desktop "$DEST"
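Review bot: `[ -d "/usr/share/i2p" ] || return 0` sits at the top level of a script that is executed rather than sourced, and POSIX leaves `return` outside a function unspecified; bash reports an error and returns non-zero, which under the `set -e` two lines above turns the "I2P not installed" case into a failed hook. `[ -d "/usr/share/i2p" ] || exit 0` is the early exit the comment describes. A header comment naming the counterpart that undoes these moves (the live-config hook added in this commit, which reads `/usr/share/tails/i2p-disabled` back) would help the next reader find both halves.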
......@@ -3,6 +3,11 @@
# Configuration file for ferm(1).
#
# I2P rules that grant access to the "i2psvc" user (those with $use_i2p) will
# only be enabled if the string "i2p" is entered at the boot prompt.
# Deny or reject rules affecting "i2psvc" will always be set.
def $use_i2p = `test -d /usr/share/i2p && echo 1 || echo 0`;
# IPv4
domain ip {
table filter {
......@@ -62,6 +67,11 @@ domain ip {
mod owner uid-owner amnesia ACCEPT;
}
# Whitelist access to Tor's DNSPort so I2P can resolve hostnames when bootstrapping
daddr 127.0.0.1 proto udp dport 5353 {
@if $use_i2p mod owner uid-owner i2psvc ACCEPT;
}
# White-list access to ttdnsd
daddr 127.0.0.2 proto udp dport 53 {
mod owner uid-owner amnesia ACCEPT;
......@@ -76,12 +86,24 @@ domain ip {
mod owner uid-owner amnesia ACCEPT;
}
# White-list access to I2P
# White-list access to I2P services for both the amnesia user (client) and i2psvc (server)
# For more information, see https://tails/boum.org/contribute/design/I2P and https://geti2p.net/ports
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (2827 4444 4445 6668 7656 7657 7658 7659 7660 8998) {
mod owner uid-owner amnesia ACCEPT;
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (4444 4445 6668 7656 7657 7658 7659 7660 8998) {
@if $use_i2p mod owner uid-owner amnesia ACCEPT;
}
# Whitelist access to I2P services for the i2psvc user,
# otherwise mail and eepsite hosting won't work.
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (7658 7659 7660) {
@if $use_i2p mod owner uid-owner i2psvc ACCEPT;
}
# White-list access to the java wrapper's (used by I2P) control ports
# (see: http://wrapper.tanukisoftware.com/doc/english/prop-port.html)
# If, for example, port 31000 is in use, it'll try the next one in sequence.
daddr 127.0.0.1 proto tcp sport (31000 31001 31002) dport (32000 32001 32002) {
@if $use_i2p mod owner uid-owner i2psvc ACCEPT;
}
# White-list access to CUPS
daddr 127.0.0.1 proto tcp syn dport 631 {
......@@ -104,19 +126,22 @@ domain ip {
}
# Local network connections should not go through Tor but DNS shall be
# rejected.
# rejected. I2P is explicitly blocked from communicating with the LAN.
# (Note that we exclude the VirtualAddrNetwork used for .onion:s here.)
daddr (10.0.0.0/8 172.16.0.0/12 192.168.0.0/16) @subchain "lan" {
proto tcp dport domain REJECT;
proto udp dport domain REJECT;
mod owner uid-owner i2psvc REJECT;
ACCEPT;
}
# Tor is allowed to do anything it wants to.
mod owner uid-owner debian-tor ACCEPT;
# i2p is allowed to do anything it wants to.
mod owner uid-owner i2psvc ACCEPT;
# i2p is allowed to do anything it wants to on the internet.
outerface ! lo mod owner uid-owner i2psvc {
@if $use_i2p proto (tcp udp) ACCEPT;
}
# Everything else is logged and dropped.
LOG log-prefix "Dropped outbound packet: " log-level debug log-uid;
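Review bot: The design URL in the comment `# For more information, see https://tails/boum.org/contribute/design/I2P and https://geti2p.net/ports` has a slash where the host name needs a dot; `https://tails.boum.org/contribute/design/I2P` is the form used elsewhere in the project. The `def $use_i2p = \`test -d /usr/share/i2p && echo 1 || echo 0\`;` guard is evaluated when ferm loads the rule set, and the ACCEPT rules it gates depend on the directory having been moved back by the boot-time hook in this commit; presumably ferm runs after that hook, but the ordering is not visible here and deserves a sentence in the comment above the `def`. The ferm configuration continues outside these hunks.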
......
......@@ -73,6 +73,7 @@ pref("dom.enable_performance", false);
pref("plugin.expose_full_path", false);
pref("browser.zoom.siteSpecific", false);
pref("intl.charset.default", "windows-1252");
pref("browser.link.open_newwindow.restriction", 0); // Bug 9881: Open popups in new tabs (to avoid fullscreen popups)
// pref("intl.accept_languages", "en-us, en"); // Set by Torbutton
// pref("intl.accept_charsets", "iso-8859-1,*,utf-8"); // Set by Torbutton
// pref("intl.charsetmenu.browser.cache", "UTF-8"); // Set by Torbutton
......
#!/bin/sh
# This script reverses everything done by config/chroot_local-hooks/97_remove_i2p
# when the string "i2p" is added to the boot prompt.
SRC="/usr/share/tails/i2p-disabled"
Install_I2P(){
mv "$SRC/wrapper" /usr/sbin/wrapper
mv "$SRC/i2p.desktop" /usr/share/applications
mv "$SRC/i2p" /usr/share
rmdir "$SRC"
}
Add_Sudo_Config(){
echo "amnesia ALL = NOPASSWD: /etc/init.d/i2p" > /etc/sudoers.d/zzz_i2p
chown root:root /etc/sudoers.d/zzz_i2p
chmod 0440 /etc/sudoers.d/zzz_i2p
}
if grep -qw "i2p" /proc/cmdline && [ -d "$SRC" ]; then
Install_I2P
Add_Sudo_Config
fi
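Review bot: `Add_Sudo_Config` grants the amnesia user passwordless sudo for `/etc/init.d/i2p` with any argument; if the launcher only needs to start and stop the service, listing those invocations, `echo "amnesia ALL = NOPASSWD: /etc/init.d/i2p start, /etc/init.d/i2p stop, /etc/init.d/i2p restart" > /etc/sudoers.d/zzz_i2p`, narrows the grant to what is used. Unlike the 97_remove_i2p hook it reverses, this script has no `set -e`/`set -u`, so a failed `mv` in `Install_I2P` is silently followed by the sudoers grant; `set -eu` after the shebang keeps the two hooks consistent. The `grep -qw "i2p" /proc/cmdline` test also matches `i2p` as a word inside `key=i2p`, which is probably acceptable but worth a comment.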
......@@ -184,7 +184,7 @@ sub is_not_fixed {
my $entry = shift;
assert_isa($entry, 'XML::Atom::Entry');
! grep { 'security/fixed' } categories($entry);
! grep { $_ eq 'security/fixed' } categories($entry);
}
=head2 unfixed_entries
......
......@@ -77,6 +77,7 @@ audacity
barry-util
bilibop-udev
cups
cups-pk-helper
cryptsetup
rsync
bash-completion
......@@ -117,6 +118,7 @@ gnome-system-monitor
gnome-terminal
gnome-themes
gnome-themes-standard
gnome-user-guide
gnupg-agent
gnupg-curl
gobi-loader
......@@ -402,3 +404,5 @@ wireless-regdb
python-serial
i2p
# Prevent java 6 from being installed
openjdk-7-jre
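Review bot: The comment `# Prevent java 6 from being installed` above `openjdk-7-jre` does not say how listing a JRE achieves that; the changelog in this commit gives the reason (I2P needs a JRE and prefers v7, so naming openjdk-7-jre keeps APT from pulling in OpenJDK 6 to satisfy the dependency). Suggested wording: `# I2P needs a JRE and prefers v7; listing openjdk-7-jre explicitly keeps APT from pulling in OpenJDK 6`.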
diff -Naur orig/etc/dhcp/dhclient.conf new/etc/dhcp/dhclient.conf
--- orig/etc/dhcp/dhclient.conf 2014-07-31 22:31:11.363605131 +0200
+++ new/etc/dhcp/dhclient.conf 2014-07-31 22:31:43.535349519 +0200
@@ -14,7 +14,8 @@
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
#send host-name "andare.fugue.com";
-send host-name = gethostname();
+#send host-name = gethostname();
+supersede host-name "amnesia";
#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
#send dhcp-lease-time 3600;
#supersede domain-name "fugue.com home.vix.com";
diff -Naur orig/etc/NetworkManager/NetworkManager.conf new/etc/NetworkManager/NetworkManager.conf
--- orig/etc/NetworkManager/NetworkManager.conf 2014-07-31 22:31:19.347541763 +0200
+++ new/etc/NetworkManager/NetworkManager.conf 2014-07-31 22:31:58.823227808 +0200
@@ -1,5 +1,8 @@
[main]
-plugins=ifupdown,keyfile
+plugins=keyfile
[ifupdown]
managed=false
+
+[ipv4]
+dhcp-send-hostname=false
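Review bot: `dhcp-send-hostname=false` is added under `[ipv4]` only, so this file says nothing about whether a DHCPv6 client would still send the hostname; if IPv6 DHCP is in play, the equivalent setting for IPv6, where the targeted NetworkManager version has one, or a comment stating why it is not needed, would close that gap. In the same file, `plugins=keyfile` drops the ifupdown plugin while the `[ifupdown] managed=false` section is left in place, which is now dead configuration; either remove it in the same patch or note that it is kept deliberately. I cannot tell from the hunk which NetworkManager version is targeted.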
tails (1.1.1) UNRELEASED; urgency=medium
tails (1.1.1) unstable; urgency=medium
* Dummy entry for next release.
* Security fixes
- Upgrade the web browser to 24.8.0esr-0+tails1~bpo70+1
(Firefox 24.8.0esr + Iceweasel patches + Torbrowser patches).
Also import the Tor Browser profile at commit
271b64b889e5c549196c3ee91c888de88148560f from
ttp/tor-browser-24.8.0esr-3.x-1.
- Upgrade Tor to 0.2.4.23-2~d70.wheezy+1 (fixes CVE-2014-5117).
- Upgrade I2P to 0.9.14.1-1~deb7u+1.
- Upgrade Linux to 3.14.15-2 (fixes CVE-2014-3534, CVE-2014-4667
and CVE-2014-4943).
- Upgrade CUPS-based packages to 1.5.3-5+deb7u4 (fixes
CVE-2014-3537, CVE-2014-5029, CVE-2014-5030 and CVE-2014-5031).
- Upgrade libnss3 to 2:3.14.5-1+deb7u1 (fixes CVE-2013-1741,
CVE-2013-5606, CVE-2014-1491 and CVE-2014-1492).
- Upgrade openssl to 1.0.1e-2+deb7u12 (fixes CVE-2014-3505,
CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509,
CVE-2014-3510, CVE-2014-3511, CVE-2014-3512 and CVE-2014-5139).
- Upgrade krb5-based packages to 1.10.1+dfsg-5+deb7u2 (fixes
CVE-2014-4341, CVE-2014-4342, CVE-2014-4343, CVE-2014-4344 and
CVE-2014-4345).
- Upgrade libav-based packages to 6:0.8.15-1 (fixes CVE-2011-3934,
CVE-2011-3935, CVE-2011-3946, CVE-2013-0848, CVE-2013-0851,
CVE-2013-0852, CVE-2013-0860, CVE-2013-0868, CVE-2013-3672,
CVE-2013-3674 and CVE-2014-2263.
- Upgrade libgpgme11 to 1.2.0-1.4+deb7u1 (fixes CVE-2014-5117).
- Upgrade python-imaging to 1.1.7-4+deb7u1 (fixes CVE-2014-3589).
- Prevent dhclient from sending the hostname over the network
(Closes: #7688).
- Override the hostname provided by the DHCP server (Closes: #7769).
- Add an I2P boot parameter. Without adding "i2p" to the kernel
command line, I2P will not be accessible for the Live user.
- Stricter I2P firewall rules:
* deny I2P from accessing the LAN
* deny I2P from accessing the loopback device, except for select
whitelisted services
* allow I2P access to the Internet
The ACCEPT rules will only be enabled when the string 'i2p' is
passed at the boot prompt. The rules which DENY or REJECT
access for the 'i2psvc' user will always be applied.
- Disable I2P plugins, since it doesn't make much sense without
persistence, and should eliminate some attack vectors.
- Disable I2P's BOB port. No maintained I2P application uses it.
-- Tails developers <tails@boum.org> Wed, 23 Jul 2014 00:49:19 +0200
* Bugfixes
- Fix condition clause in tails-security-check (Closes: #7657).
- Don't ship OpenJDK 6: I2P prefers v7, and we don't need both.
- Prevent Tails Installer from updating the system partition
properties on MBR partitions (Closes: #7716).
* Minor improvements
- Upgrade to Torbutton 1.6.12.1.
- Install gnome-user-guide (Closes: #7618).
- Install cups-pk-helper (Closes: #7636).
- Update the SquashFS sort file.
- Compress the SquashFS more aggressively (Closes: #7706).
- I2P: Keep POP3 email on server. The default in the I2P webmail
app was to keep mail on the server, but that setting was changed
recently. This configuration setting (susimail.config) will only
be copied over in I2P 0.9.14 and newer.
- Add a Close button to the Tails Installer launcher window.
* Build system
- Migrate Vagrant basebox to Debian Wheezy (Closes #7133, #6736).
- Consistently use the same Debian mirror.
- Disable runtime APT proxy configuration when using APT in
binary_local-hooks (Closes: #7691).
* Automated test suite
- Automatically test hostname leaks (Closes: #7712).
- Move autotest live-config hook to be run last. This way we'll
notice if some earlier live-config hook cancels all hooks by
running the automated test suite since the remote shell won't be
running in that case.
- Test that the I2P boot parameter does what it's supposed to do
(Closes: #7760).
- Start applications by using the GNOME Applications menu instead
of the GNOME Run Dialog (Closes: #5550, #7060).
-- Tails developers <tails@boum.org> Sun, 31 Aug 2014 20:49:28 +0000
tails (1.1) unstable; urgency=medium
......
......@@ -28,8 +28,7 @@ Feature: Installing packages through APT
And all Internet traffic has only flowed through Tor
Scenario: Install packages using Synaptic
When I run "gksu synaptic"
And I enter the sudo password in the gksu prompt
When I start Synaptic
And I update APT using Synaptic
Then I should be able to install a package using Synaptic
And all Internet traffic has only flowed through Tor
@product
Feature: Getting a DHCP lease without leaking too much information
As a Tails user
when I connect to a network with a DHCP server
I should be able to connect to the Internet
and the hostname should not have been leaked on the network.
Scenario: Getting a DHCP lease with the default NetworkManager connection
Given a computer
And I capture all network traffic
And I start the computer
And the computer boots Tails
And I log in to a new session
And GNOME has started
And Tor is ready
And all notifications have disappeared
And available upgrades have been checked
Then the hostname should not have been leaked on the network
Scenario: Getting a DHCP lease with a manually configured NetworkManager connection
Given a computer
And I capture all network traffic
And I start the computer
And the computer boots Tails
And I log in to a new session
And GNOME has started
And Tor is ready
And all notifications have disappeared
And available upgrades have been checked
And I add a wired DHCP NetworkManager connection called "manually-added-con"
And I switch to the "manually-added-con" NetworkManager connection
Then the hostname should not have been leaked on the network