Merge remote-tracking branch 'origin/master'

9ea0a57c · sajolida · 52e48a4d · 3fb908d4 · 9ea0a57c · 9ea0a57c
Commit 9ea0a57c authored Apr 09, 2020 by sajolida
--- a/.gitignore
+++ b/.gitignore
@@ -50,6 +50,8 @@
 /config/chroot_local-includes/usr/share/applications/org.boum.tails.additional-software-config.desktop
 /config/chroot_local-includes/usr/share/applications/root-terminal.desktop
 /config/chroot_local-includes/usr/share/applications/tails-documentation.desktop
+/config/chroot_local-includes/usr/share/applications/tails-persistence-delete.desktop
+/config/chroot_local-includes/usr/share/applications/tails-persistence-setup.desktop
 /config/chroot_local-includes/usr/share/applications/tails-reboot.desktop
 /config/chroot_local-includes/usr/share/applications/unsafe-browser.desktop
 /config/chroot_local-includes/usr/share/applications/tails-shutdown.desktop

--- a/.gitmodules
+++ b/.gitmodules
@@ -8,9 +8,6 @@
 [submodule "submodules/mirror-pool-dispatcher"]
 	path = submodules/mirror-pool-dispatcher
 	url = https://git-tails.immerda.ch/mirror-pool-dispatcher
-[submodule "submodules/aufs-standalone"]
-	path = submodules/aufs-standalone
-	url = https://github.com/sfjro/aufs5-standalone.git
 [submodule "submodules/tails-workarounds"]
 	path = submodules/tails-workarounds
 	url = https://git-tails.immerda.ch/tails-workarounds
--- a/Rakefile
+++ b/Rakefile
@@ -59,8 +59,6 @@ ENV['ARTIFACTS'] ||= '.'

 ENV['APT_SNAPSHOTS_SERIALS'] ||= ''

-ENV['TAILS_WEBSITE_CACHE'] = '1'
-
 class CommandError < StandardError
  attr_reader :status, :stderr

@@ -206,6 +204,8 @@ def system_cpus
  end
 end

+ENV['TAILS_WEBSITE_CACHE'] = is_release? ? '0' : '1'
+
 task :parse_build_options do
  options = []

@@ -431,7 +431,7 @@ task :ensure_correct_permissions do
      on every parent directory of #{ENV['PWD']} up to #{ENV['HOME']}
      (inclusive):

-        chmod g+x DIR && setfacl -m user:libvirt-qemu:x DIR
+        chmod g+rx DIR && setfacl -m user:libvirt-qemu:rx DIR

    END_OF_MESSAGE
  end

--- a/auto/config
+++ b/auto/config
@@ -203,10 +203,6 @@ install -m 0755 \
   submodules/mirror-pool-dispatcher/lib/js/mirror-dispatcher.js \
   config/chroot_local-includes/usr/local/lib/nodejs/

-# aufs-standalone
-rm -rf config/chroot_local-includes/usr/src/aufs-standalone
-cp -a submodules/aufs-standalone config/chroot_local-includes/usr/src/
-
 # save the original file, shipped by the debootstrap package,
 # so we can always apply our debian-common.patch to the original
 # version

--- a/bin/create-test-iuks
+++ b/bin/create-test-iuks
@@ -4,7 +4,7 @@ set -e
 set -u
 set -x

-VERSIONS="2.0~test 2.2~test 2.3~test"
+VERSIONS="2.0~testoverlayfs 2.2~testoverlayfs 2.3~testoverlayfs"
 export SOURCE_DATE_EPOCH=$(date --utc '+%s')

 [ -d "$TAILS_CHECKOUT" ] || exit 2
@@ -21,11 +21,16 @@ for version in $VERSIONS; do
   mkdir -p "$SQUASHFS_SRC"/etc/amnesia "$SQUASHFS_SRC"/usr/share

   cp -a /usr/share/common-licenses "$SQUASHFS_SRC"/usr/share/
-   if [ "$version" != '2.0~test' ]; then
+   mkdir -p "$SQUASHFS_SRC"/usr/share/doc
+   if [ "$version" = '2.0~testoverlayfs' ]; then
+      mkdir -p "$SQUASHFS_SRC"/usr/share/doc/tor
+      echo "Some content" > "$SQUASHFS_SRC"/usr/share/doc/tor/README.Debian
+   fi
+   if [ "$version" != '2.0~testoverlayfs' ]; then
      echo "Some content" > "$SQUASHFS_SRC"/some_new_file
      rm "$SQUASHFS_SRC"/usr/share/common-licenses/BSD
   fi
-   if [ "$version" = '2.3~test' ]; then
+   if [ "$version" = '2.3~testoverlayfs' ]; then
      echo "Some content 2.3" > "$SQUASHFS_SRC"/some_new_file_2.3
      rm "$SQUASHFS_SRC"/usr/share/common-licenses/MPL-1.1
   fi
@@ -43,17 +48,18 @@ EOF
   mksquashfs \
      "$SQUASHFS_SRC" \
      "$ISO_SRC"/live/filesystem.squashfs \
-      -no-progress -noappend -comp xz -Xbcj x86 -b 1024K -Xdict-size 1024K
+      -no-progress -noappend -comp xz -Xbcj x86 -b 1024K -Xdict-size 1024K \
+      -all-root

   echo vmlinuz > "$ISO_SRC"/live/vmlinuz
   echo initrd > "$ISO_SRC"/live/initrd.img
   echo isolinux > "$ISO_SRC"/isolinux/isolinux.cfg
   echo 'filesystem.squashfs' > "$ISO_SRC"/live/Tails.module
   cp /usr/lib/syslinux/mbr/gptmbr.bin "$ISO_SRC"/utils/mbr/mbr.bin
-   if [ "$version" = '2.0~test' ]; then
+   if [ "$version" = '2.0~testoverlayfs' ]; then
      cp /usr/bin/syslinux "$ISO_SRC"/utils/linux
   fi
-   if [ "$version" = '2.3~test' ]; then
+   if [ "$version" = '2.3~testoverlayfs' ]; then
      rm "$ISO_SRC"/utils/mbr/mbr.bin
   fi
   xorriso \
@@ -62,8 +68,8 @@ EOF
      -o "$WORKDIR/$version.iso" "$ISO_SRC"
 done

-for dest_version in 2.2~test 2.3~test; do
-   echo "Generating IUK file from 2.0~test to $dest_version"
+for dest_version in 2.2~testoverlayfs 2.3~testoverlayfs; do
+   echo "Generating IUK file from 2.0~testoverlayfs to $dest_version"
   sudo su -c \
         "SOURCE_DATE_EPOCH=$SOURCE_DATE_EPOCH \
          LC_ALL=C \
@@ -71,9 +77,9 @@ for dest_version in 2.2~test 2.3~test; do
          PERL5LIB=\"${TAILS_CHECKOUT:?}/config/chroot_local-includes/usr/src/perl5lib/lib\" \
          ${TAILS_CHECKOUT:?}/config/chroot_local-includes/usr/src/iuk/bin/tails-create-iuk \
               --squashfs_diff_name \"${dest_version}.squashfs\"           \
-               --old_iso \"$WORKDIR/2.0~test.iso\" \
+               --old_iso \"$WORKDIR/2.0~testoverlayfs.iso\" \
               --new_iso \"$WORKDIR/${dest_version}.iso\" \
-               --outfile \"$WORKDIR/Tails_amd64_2.0~test_to_${dest_version}.iuk\""
+               --outfile \"$WORKDIR/Tails_amd64_2.0~testoverlayfs_to_${dest_version}.iuk\""
 done

 echo "Generated test IUKS:"

--- a/config/APT_snapshots.d/debian/serial
+++ b/config/APT_snapshots.d/debian/serial
-2020030101
+2020032503
--- a/config/APT_snapshots.d/torproject/serial
+++ b/config/APT_snapshots.d/torproject/serial
-2020032002
+2020032503
--- a/config/amnesia
+++ b/config/amnesia
@@ -17,7 +17,7 @@ export SOURCE_DATE_FAKETIME="$(date --utc --date="$(dpkg-parsechangelog --show-f
 # Base for the string that will be passed to "lb config --bootappend-live"
 # FIXME: see [[bugs/sdmem_on_eject_broken_for_CD]] for explanation why we
 # need to set block.events_dfl_poll_msecs
-AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 init_on_alloc=1 init_on_free=1 mds=full,nosmt union=aufs"
+AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC block.events_dfl_poll_msecs=1000 splash noautologin module=Tails slab_nomerge slub_debug=FZP mce=0 vsyscall=none page_poison=1 init_on_alloc=1 init_on_free=1 mds=full,nosmt"

 # Options passed to isohybrid
 AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"

--- a/config/binary_local-hooks/10-syslinux_customize
+++ b/config/binary_local-hooks/10-syslinux_customize
@@ -37,7 +37,7 @@ perl -pni -E 'exit if m{^label[[:blank:]]+help$}' "${CFG_FILE}"

 Echo_message "customize syslinux menu"

-sed -i -e "s/Boot menu//" "${CFG_FILE}"
+sed -i -e "s/Boot menu/SYSLINUX/" "${CFG_FILE}"
 sed -i -e "s/menu label Live/menu label Tails/" "${SYSLINUX_PATH}"/live*.cfg
 sed -i -r -e 's/(menu label .* )\(failsafe\)/\1(Troubleshooting Mode)/' \
    "${SYSLINUX_PATH}"/live*.cfg

--- a/config/binary_local-hooks/50-grub-efi-ia32
+++ b/config/binary_local-hooks/50-grub-efi-ia32
@@ -23,9 +23,44 @@
 set -e
 set -x

-platform="i386-efi"
-outdir="binary/EFI/BOOT/grub/$platform"
-efi_name="IA32"
+# Including common functions
+. "${LB_BASE:-/usr/share/live/build}"/scripts/build.sh
+
+# Setting static variables
+DESCRIPTION="$(Echo 'including GRUB EFI in the ISO filesystem')"
+HELP=""
+USAGE="${PROGRAM}"
+
+# Reading configuration files
+Read_conffiles config/all config/bootstrap config/common config/binary
+# Import AMNESIA_APPEND
+Read_conffiles config/amnesia
+Set_defaults
+
+# Safeguards
+[ "${LB_ARCHITECTURE}" = "amd64" ] || exit 0
+
+# Seems like we'll have work to do
+Echo_message 'including GRUB EFI in the ISO filesystem'
+
+grub_dir="binary/EFI/debian/grub"
+platforms="x86_64-efi i386-efi"
+
+efi_name () {
+   local platform="$1"
+   case "$platform" in
+      i386-efi)
+	 echo IA32
+	 ;;
+      x86_64-efi)
+	 echo X64
+	 ;;
+      *)
+	 echo "E: invalid GRUB platform: $platform" >&2
+	 exit 1
+	 ;;
+   esac
+}

 grub_cpmodules () {
 	if [ -z "$1" ] || [ -z "$2" ]; then
@@ -33,8 +68,8 @@ grub_cpmodules () {
 		return 1
 	fi

-	outdir="$1"
-	platform="$2"
+	local outdir="$1"
+	local platform="$2"

 	# Copy over GRUB modules, except for those already built in.
 	cp -a "chroot/usr/lib/grub/$platform"/*.lst "$outdir/"
@@ -58,30 +93,44 @@ grub_cpmodules () {
 	done
 }

-# Including common functions
-. "${LB_BASE:-/usr/share/live/build}"/scripts/build.sh
+for platform in $platforms ; do
+   echo "I: installing GRUB EFI for $platform"
+   efi_fallback_dir="binary/EFI/BOOT"
+   grub_module_dir="$grub_dir/$platform"
+   efi_name="$(efi_name "$platform")"

-# Setting static variables
-DESCRIPTION="$(Echo 'including GRUB EFI for ia32 in the ISO filesystem')"
-HELP=""
-USAGE="${PROGRAM}"
+   mkdir -p "$efi_fallback_dir"
+   signed_grub_src="chroot/usr/lib/grub/$platform-signed/grub$(echo "$efi_name" | tr '[:upper:]' '[:lower:]').efi.signed"
+   signed_shim_src="chroot/usr/lib/shim/shim$(echo "$efi_name" | tr '[:upper:]' '[:lower:]').efi.signed"
+   if [ -f "$signed_grub_src" ] && [ -f "$signed_shim_src" ]; then
+      echo "I: copying Debian-signed GRUB and shim EFI binaries for $efi_name"
+      cp "$signed_grub_src" "${efi_fallback_dir}/GRUB${efi_name}.EFI"
+      cp "$signed_shim_src" "${efi_fallback_dir}/BOOT${efi_name}.EFI"
+   else
+      if [ "$platform" = 'x86_64-efi' ]; then
+         echo "E: no signed GRUB or shim for ${efi_name}, aborting" >&2
+         exit 1
+      fi
+      echo "I: no signed GRUB or shim for ${efi_name}, generating an unsigned GRUB image"
+      Chroot chroot grub-mkimage -O "$platform" \
+             -o "/tmp/BOOT$efi_name.EFI" -p "/efi/debian/grub" \
+	     search configfile normal tar fat part_gpt linux \
+	     gzio
+      mv "chroot/tmp/BOOT$efi_name.EFI" "${efi_fallback_dir}/BOOT${efi_name}.EFI"
+   fi

-# Reading configuration files
-Read_conffiles config/all config/bootstrap config/common config/binary
-Set_defaults
+   cp chroot/usr/share/tails/bootx64.png "${efi_fallback_dir}/BOOT${efi_name}.PNG"

-# Safeguards
-[ "${LB_ARCHITECTURE}" = "amd64" ] || exit 0
+   mkdir -p "$grub_module_dir"
+   grub_cpmodules "$grub_module_dir" "$platform"
+done

-# Seems like we'll have work to do
-Echo_message 'including GRUB EFI for ia32 in the ISO filesystem'
+# Copy unicode fonts
+cp "chroot/boot/grub/unicode.pf2" "${grub_dir}"

-# Build the core image
-Chroot chroot grub-mkimage -O "$platform" \
-	-o "/tmp/BOOT$efi_name.EFI" -p "/efi/boot/grub" \
-	search configfile normal tar fat part_gpt linux \
-	gzio
-mv "chroot/tmp/BOOT$efi_name.EFI" "binary/EFI/BOOT/BOOT$efi_name.EFI"
+# Append our custom kernel command-line parameters
+sed -i -E "s#AMNESIA_APPEND#${AMNESIA_APPEND}#g" "binary/EFI/debian/grub.cfg"

-mkdir -p "$outdir"
-grub_cpmodules "$outdir" "$platform"
+# Copy the configuration for 32-bit EFI, which looks there
+# due to -p "/efi/debian/grub"
+cp -a "binary/EFI/debian/grub.cfg" "binary/EFI/debian/grub/grub.cfg"
--- a/config/binary_local-hooks/99-syslinux_uefi
+++ b/config/binary_local-hooks/99-syslinux_uefi
-#!/bin/bash
-
-set -e
-
-# Including common functions
-. "${LB_BASE:-/usr/share/live/build}"/scripts/build.sh
-
-# Setting static variables
-DESCRIPTION="$(Echo 'installing syslinux UEFI bootloader')"
-HELP=""
-USAGE="${PROGRAM}"
-
-# Reading configuration files
-Read_conffiles config/all config/bootstrap config/common config/binary
-Set_defaults
-
-# Safeguards
-[ "${LB_BOOTLOADER}"   = "syslinux" ] || exit 0
-[ "${LB_ARCHITECTURE}" = "amd64"    ] || exit 0
-
-# Seems like we'll have work to do
-Echo_message "installing syslinux UEFI bootloader"
-
-# Setting boot method specific variables
-case "${LB_BINARY_IMAGES}" in
-	iso|iso-hybrid)
-		SYSLINUX_PATH="binary/isolinux"
-		;;
-	usb-hdd)
-		SYSLINUX_PATH="binary/syslinux"
-		;;
-esac
-
-# Main
-mkdir -p binary/EFI/BOOT
-cp chroot/usr/lib/SYSLINUX.EFI/efi64/syslinux.efi binary/EFI/BOOT/BOOTX64.EFI
-cp chroot/usr/share/tails/bootx64.png binary/EFI/BOOT/BOOTX64.PNG
-cp "$SYSLINUX_PATH"/* binary/EFI/BOOT/
-mv binary/EFI/BOOT/isolinux.cfg binary/EFI/BOOT/syslinux.cfg
-cp -f chroot/usr/lib/syslinux/modules/efi64/* binary/EFI/BOOT/
-sed -r -i -e 's,^(menu background splash\.png)$,\#\1,' binary/EFI/BOOT/stdmenu.cfg
--- a/config/binary_local-includes/EFI/BOOT/grub/grub.cfg
+++ b/config/binary_local-includes/EFI/BOOT/grub/grub.cfg
-function load_video {
-  if [ x$feature_all_video_module = xy ]; then
-    insmod all_video
-  else
-    insmod efi_gop
-    insmod efi_uga
-    insmod ieee1275_fb
-    insmod vbe
-    insmod vga
-    insmod video_bochs
-    insmod video_cirrus
-  fi
-}
-
-set linux_gfx_mode=
-export linux_gfx_mode
-load_video
-
-insmod syslinuxcfg
-insmod cpuid
-echo "Loading syslinux configuration..."
-syslinux_configfile /efi/boot/syslinux.cfg
--- a/config/binary_local-includes/EFI/debian/grub.cfg
+++ b/config/binary_local-includes/EFI/debian/grub.cfg
+# The Debian-signed GRUB binaries have the path of this very configuration file
+# (/EFI/debian/grub.cfg) hardcoded. Let's use it instead of adding layers
+# of indirection.
+
+function load_video {
+  if [ x$feature_all_video_module = xy ]; then
+    insmod all_video
+  else
+    insmod efi_gop
+    insmod efi_uga
+    insmod ieee1275_fb
+    insmod vbe
+    insmod vga
+    insmod video_bochs
+    insmod video_cirrus
+  fi
+}
+
+set linux_gfx_mode=
+export linux_gfx_mode
+load_video
+
+set grub_dir="/EFI/debian/grub"
+
+# Load background image
+insmod gfxterm
+insmod png
+loadfont ${grub_dir}/unicode.pf2
+terminal_output gfxterm
+background_image ${grub_dir}/splash.png
+
+set timeout=4
+
+probe --set rootuuid --fs-uuid ($root)
+
+# Based on the output of `grub-syslinux2cfg /EFI/BOOT/syslinux.cfg`
+menuentry 'Tails' --id 'live' {
+	  echo "Loading the Linux kernel..."
+	  linux /live/vmlinuz initrd=/live/initrd.img boot=live config AMNESIA_APPEND FSUUID=${rootuuid} quiet
+	  echo "Loading the initramfs..."
+	  initrd /live/initrd.img
+	  echo "Booting..."
+	  boot
+}
+
+menuentry 'Tails (Troubleshooting Mode)' --id 'livefailsafe' {
+	  echo "Loading the Linux kernel..."
+	  linux /live/vmlinuz initrd=/live/initrd.img boot=live config AMNESIA_APPEND FSUUID=${rootuuid} noapic noapm nodma nomce nolapic nomodeset nosmp vga=normal
+	  echo "Loading the initramfs..."
+	  initrd /live/initrd.img
+	  echo "Booting..."
+	  boot
+}
--- a/config/binary_local-includes/EFI/debian/grub/splash.png
+++ b/config/binary_local-includes/EFI/debian/grub/splash.png
--- a/config/binary_rootfs/squashfs.sort
+++ b/config/binary_rootfs/squashfs.sort
--- a/config/chroot_apt/preferences
+++ b/config/chroot_apt/preferences
@@ -2,10 +2,6 @@ Package: amd64-microcode
 Pin: release o=Debian,n=sid
 Pin-Priority: 999

-Package: aufs-dkms
-Pin: release o=Debian,n=sid
-Pin-Priority: 999
-
 Package: b43-fwcutter
 Pin: release o=Debian,n=sid
 Pin-Priority: 999
@@ -36,6 +32,11 @@ Package: firmware-zd1211
 Pin: release o=Debian,n=sid
 Pin-Priority: 999

+Explanation: install 2.04 (refs: #15806)
+Package: grub*
+Pin: release o=Debian,n=bullseye
+Pin-Priority: 999
+
 Package: linux-compiler-* linux-headers-* linux-image-* linux-kbuild-* linux-source-*
 Pin: release o=Debian,n=sid
 Pin-Priority: 999

--- a/config/chroot_local-hooks/04-change-gids-and-uids
+++ b/config/chroot_local-hooks/04-change-gids-and-uids
@@ -12,7 +12,8 @@
 # side-effects, as the maintainer scripts, may react differently, if they are
 # not in charge of creating group/user themselves.

-# We may get rid of this script with the switch to overlayfs (#8415, #15689).
+# We may be able to get rid of this script with the switch from aufs to overlayfs
+# (#17256).

 set -e


--- a/config/chroot_local-hooks/08-install-Perl-programs
+++ b/config/chroot_local-hooks/08-install-Perl-programs
@@ -14,7 +14,7 @@ ensure_hook_dependency_is_installed \
   libdist-zilla-plugin-test-notabs-perl \
   libdist-zilla-plugin-test-perl-critic-perl

-for dist in perl5lib iuk; do
+for dist in perl5lib persistence-setup iuk; do
   dist_dir="/usr/src/${dist}"
   cd "$dist_dir"
   PERL5LIB=/usr/src/perl5lib/lib PERL_CPANM_OPT=--notest dzil install
@@ -23,13 +23,10 @@ for dist in perl5lib iuk; do
 done
 rm -r /root/.cpanm

-# Satisfy the dependency of the tails-persistence-setup package
-# on tails-perl5lib
-install_fake_package tails-perl5lib 4.0
-
-apt-get install --yes tails-persistence-setup
-
-for patch in /usr/share/tails/build/run_t-p-s_as_its_dedicated_user.diff ; do
-   (cd / && patch --forward --batch -p1 < "$patch")
-   rm "$patch"
-done
+# dzil installs the tails-persistence-setup Perl program to
+# /usr/local/bin/; we move it to /usr/bin/ and replace it in
+# /usr/local/bin/ with a wrapper that runs it as the
+# tails-persistence-setup user
+mv /usr/local/bin/tails-persistence-setup /usr/bin/
+mv /usr/local/bin/tails-persistence-setup.wrapper \
+   /usr/local/bin/tails-persistence-setup
--- a/config/chroot_local-hooks/13-aufs
+++ b/config/chroot_local-hooks/13-aufs
-#! /bin/sh
-
-set -e
-set -u
-
-echo "Building the aufs module"
-
-. /usr/share/tails/build/variables
-
-# Import ensure_hook_dependency_is_installed()
-. /usr/local/lib/tails-shell-library/build.sh
-
-ensure_hook_dependency_is_installed \
-    "linux-source-${KERNEL_SOURCE_VERSION}"
-
-# aufs build needs fs/mount.h, which is in linux-source-* but not
-# in linux-headers-*, so we'll symlink it.
-tar --directory=/usr/src \
-    -xf "/usr/src/linux-source-${KERNEL_SOURCE_VERSION}"*.tar.*
-
-arch=amd64
-ln -s \
-   "/usr/src/linux-source-${KERNEL_SOURCE_VERSION}"*/fs \
-   "/usr/src/linux-headers-${KERNEL_VERSION}-${arch}/fs"
-(
-   cd /usr/src/aufs-standalone
-   perl -pi -E \
-        's{\A CONFIG_AUFS_DEBUG \s* = \s* y $}{CONFIG_AUFS_DEBUG =}xms' \
-        config.mk
-   KDIR="/usr/src/linux-headers-${KERNEL_VERSION}-${arch}"
-   make clean   KDIR="$KDIR"
-   make install KDIR="$KDIR"
-)
-
-for modules_dir in /lib/modules/*/extra ; do
-   if [ ! -f "${modules_dir}/aufs.ko" ]; then
-       echo "Can not find aufs.ko module in '${modules_dir}" >&2
-       exit 1
-   fi
-done
-
-strip --strip-debug /lib/modules/*/extra/aufs.ko
-
-depmod "${KERNEL_VERSION}-${arch}"
-rm -r /usr/src/aufs-standalone
-rm -r "/usr/src/linux-source-${KERNEL_SOURCE_VERSION}"*/
--- a/config/chroot_local-hooks/48-tweak-AppArmor-profiles
+++ b/config/chroot_local-hooks/48-tweak-AppArmor-profiles
+#!/bin/sh
+
+set -e
+
+echo "Tweaking AppArmor profiles"
+
+# Pass all profiles the attach_disconnected flag,
+# that's needed for compatibility with overlayfs (#9045)
+find /etc/apparmor.d/ /etc/apparmor.d/abstractions -maxdepth 1 -type f \
+     -exec perl -pi -E 's,([a-z]+\s+)[{],$1flags=(attach_disconnected) {,' '{}' \;
+
+find /etc/apparmor.d/ -maxdepth 1 -type f \
+     -exec perl -pi -E 's|flags=[(]complain[)]\s+[{]|flags=(complain,attach_disconnected) {|' '{}' \;
+
+# Also pass the attach_disconnected flag to the Thunderbird and Tor Browser
+# profiles, because the above regexps don't match these ones.
+perl -pi -E 's,(profile.*[}]\s+)[{],$1flags=(attach_disconnected) {,' \
+     /etc/apparmor.d/torbrowser.Browser.firefox \
+     /etc/apparmor.d/usr.bin.thunderbird