Commit 9fb0136e authored by intrigeri

Convert a few X session startup programs to `systemd --user' units.

This is merely preparatory work that lays down some foundations.

For now, we're using two targets:

 * basic.target sets up things that should be done as early as possible, don't
   need access to X, notifications, nor D-Bus; it is automatically started by
   `systemd --user' when the logind session is created. Note that this happens
   after persistence has been set up, when the GDM autologin is triggered, and
   before /etc/gdm3/Xsession is run:

   - tails-add-GNOME-bookmarks.service
   - tails-create-tor-browser-directories.service

 * desktop.target: we're starting it via xdg/autostart during the GNOME session
   startup. There are a few units wanted by this target so far:

   - tails-configure-keyboard.service

   - tails-virt-notify-user: ideally, this should have something like
     After=notifications-ready.target (and then, most other things that
     wait for GNOME Shell to be ready to handle notifications could do the
     same instead of grep'ing the process list).

   - tails-warn-about-disabled-persistence.service

   - tails-upgrade-frontend.service: the idea is to later use systemd units
     ordering to make it run at a time that increases chances for the system
     having enough free memory; e.g. as soon as possible once the session is
     ready, Tor has bootstrapped, and some other memory-hungry programs we run
     at session startup time have completed.

   - tails-security-check.service: similarly, the idea is that we could get
     rid of the wrapper — that merely waits for Tor to have finished
     bootstrapping — given another systemd unit.

Most of these units exit early unless they're run by the `amnesia' user.
Otherwise they break e.g. Tails Greeter startup, and probably worse.

Also note that the units that may take ages to complete have Type=simple.
With Type=oneshot, systemd would wait for them to complete before running any
follow-up units, and before considering the target they're part of has been
reached. Two of our units can take minutes to complete, so the desktop.target
startup would fail. Now, using Type=simple has one drawback: it makes it harder
to order other units relative to tails-security-check-wrapper's and
tails-upgrade-frontend-wrapper's completion. This doesn't feel too bothering,
though: it's more likely that we want to configure these units to start after
others, than the opposite.

Also, when the GNOME session is initialized, we import the relevant D-Bus, X11
and locales variables into systemd --user's environment, so that our units can
use them. We do that immediately before starting desktop.target.
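The variable import described in the last paragraph is done in this commit by piping `env` output through `grep` into `xargs systemctl --user set-environment`. As an added example (not code from the commit or from Tails), the script below replays that filter against a constructed `env` sample to show how a value containing whitespace is split into separate arguments, and contrasts it with passing variable names only, which `systemctl --user import-environment` accepts safely. The sample variables, including XDG_DOCUMENTS_DIR, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Tails commit: replay the `env | grep | xargs`
# filter from start-systemd-desktop-target against a constructed sample and
# compare it with a name-based import.
set -eu

# Constructed sample of `env` output (not captured from a real session).
# XDG_DOCUMENTS_DIR is included only because its value contains a space.
sample_env() {
  printf '%s\n' \
    'XDG_SESSION_ID=2' \
    'XDG_SEAT=seat0' \
    'XDG_RUNTIME_DIR=/run/user/1000' \
    'XDG_DATA_DIRS=/usr/share/gnome:/usr/local/share:/usr/share' \
    'XDG_DOCUMENTS_DIR=/home/amnesia/My Documents' \
    'HOME=/home/amnesia'
}

# Same grep filter as the commit's script; instead of `systemctl --user
# set-environment`, xargs runs a stub that prints each argument it received
# on its own line. xargs splits on whitespace, so the last value yields two
# arguments, the second of which is not a NAME=value assignment.
naive_set_environment_args() {
  sample_env \
    | grep '^XDG_' \
    | grep -E -v '^XDG_(SEAT=|SESSION_)' \
    | xargs sh -c 'for a in "$@"; do printf "%s\n" "$a"; done' stub
}

# Safer shape: keep only the variable names (which contain no whitespace or
# quotes) and hand those to import-environment, which reads each value from
# its own environment verbatim. Real use would end the pipeline with
#   | xargs /bin/systemctl --user import-environment
xdg_names_to_import() {
  sample_env \
    | sed -n 's/^\(XDG_[A-Za-z0-9_]*\)=.*$/\1/p' \
    | grep -E -v '^XDG_(SEAT$|SESSION_)'
}

if [ "${1:-}" = demo ]; then
  echo "arguments the naive pipeline passes to set-environment:"
  naive_set_environment_args
  echo "names the name-based pipeline passes to import-environment:"
  xdg_names_to_import
fi
```

Run with the argument `demo` to see both argument lists; the naive pipeline passes four arguments, the last being the bare word `Documents`.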
parent df03f60d
......@@ -43,6 +43,15 @@ systemctl enable tails-sdmem-on-media-removal.service
systemctl enable tails-set-wireless-devices-state.service
systemctl enable tor-controlport-filter.service
# Enable our own systemd user unit files
systemctl --global enable tails-add-GNOME-bookmarks.service
systemctl --global enable tails-configure-keyboard.service
systemctl --global enable tails-create-tor-browser-directories.service
systemctl --global enable tails-security-check.service
systemctl --global enable tails-upgrade-frontend.service
systemctl --global enable tails-virt-notify-user.service
systemctl --global enable tails-warn-about-disabled-persistence.service
# Use socket activation only, to save a bit of memory and boot time
systemctl disable cups.service
systemctl enable cups.socket
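Review bot: the seven `systemctl --global enable` lines added in this hunk must be kept in sync by hand with the unit files that carry an `[Install]` section; a unit added or renamed later without touching this list would be shipped but never enabled. Consider driving the loop from the directory the unit files are installed to, so the build enables whatever is actually shipped. Since `--global` only creates symlinks under /etc/systemd/user, a unit file missing at build time makes `systemctl` fail here rather than at boot, which is the better failure mode and worth a short comment.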
......
[Desktop Entry]
Name=add-GNOME-bookmarks
GenericName=add GTK bookmarks to some directories
Comment=display some directories in Places and GtkFileChooser
Exec=/usr/local/lib/add-GNOME-bookmarks
Terminal=false
Type=Application
Categories=GNOME;X-GNOME-PersonalSettings;
NoDisplay=true
MimeType=application/x-add-GNOME-bookmarks;
[Desktop Entry]
Name=create-tor-browser-directories
GenericName=Create the Tor Browser directories
Comment=Create the Tor Browser amnesiac and persistent directories
Exec=/usr/local/lib/create-tor-browser-directories
Terminal=false
Type=Application
Categories=GNOME;X-GNOME-PersonalSettings;
NoDisplay=true
MimeType=application/x-create-tor-browser-directories;
[Desktop Entry]
Name=tails-security-check
GenericName=check Tails known security issues
Comment=check Tails known security issues
Exec=/usr/local/bin/tails-security-check-wrapper
Terminal=false
Type=Application
Categories=GNOME;X-GNOME-PersonalSettings;
NoDisplay=true
MimeType=application/x-tails-security-check;
[Desktop Entry]
Name=systemd Desktop target
GenericName=Start the Desktop target in the systemd user session
Version=1.0
Exec=/usr/local/lib/start-systemd-desktop-target
Terminal=false
Type=Application
Categories=
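Review bot: this is the only autostart entry in the change without `NoDisplay=true`, so it may show up in GNOME's startup-applications listing, where a user disabling it would silently lose every unit wanted by desktop.target; add `NoDisplay=true` as the other entries do. The empty `Categories=` key is also unusual for an autostart file; either drop it or give it a value.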
[Desktop Entry]
Name=tails-configure-keyboard
GenericName=configure the keyboard layout
Comment=configure the keyboard layout according to settings chosen in Tails Greeter
Exec=/usr/local/bin/tails-configure-keyboard
Terminal=false
Type=Application
Categories=GNOME;X-GNOME-PersonalSettings;
NoDisplay=true
MimeType=application/x-tails-configure-keyboard;
[Desktop Entry]
Name=tails-upgrade-frontend
GenericName=check available Tails upgrades
Comment=check available Tails upgrades
Exec=/usr/local/bin/tails-upgrade-frontend-wrapper
Terminal=false
Type=Application
Categories=GNOME;X-GNOME-PersonalSettings;
NoDisplay=true
MimeType=application/x-tails-upgrade-frontend;
[Desktop Entry]
Name=tails-warn-about-disabled-persistence
GenericName=Warn when unmigrated or insecure persistence settings are found
Version=1.0
Exec=/usr/local/bin/tails-warn-about-disabled-persistence
Terminal=false
Type=Application
NoDisplay=true
Categories=Application;Utility
[Desktop Entry]
Name=tails-virt-notify-user
GenericName=warn the user if Tails is running inside a virtual machine
Comment=warn the user if Tails is running inside a virtual machine
Exec=/usr/local/bin/tails-virt-notify-user
Terminal=false
Type=Application
Categories=GNOME;X-GNOME-PersonalSettings;
NoDisplay=true
MimeType=application/x-tails-virt-notify-user;
[Unit]
Description=Desktop
Requires=default.target
After=default.target
AllowIsolate=yes
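Review bot: desktop.target has no `[Install]` section and nothing else Wants= it, so it is reachable only through the explicit `systemctl --user start desktop.target` in the autostart script; a one-line comment in the unit stating that, and why `Requires=default.target`/`After=default.target` is there, would save the next reader a search through the autostart files.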
[Unit]
Description=Add GTK bookmarks to some directories
Documentation=https://tails.boum.org/contribute/design/application_isolation/
[Service]
Type=oneshot
ExecStart=/usr/local/lib/add-GNOME-bookmarks
RemainAfterExit=yes
[Install]
WantedBy=basic.target
[Unit]
Description=Configure the keyboard layout according to settings chosen in Tails Greeter
Documentation=https://tails.boum.org/contribute/design/
[Service]
Type=oneshot
ExecStart=/usr/local/bin/tails-configure-keyboard
RemainAfterExit=yes
[Install]
WantedBy=desktop.target
[Unit]
Description=Create the Tor Browser amnesiac and persistent directories
Documentation=https://tails.boum.org/contribute/design/application_isolation/
[Service]
Type=oneshot
ExecStart=/usr/local/lib/create-tor-browser-directories
RemainAfterExit=yes
[Install]
WantedBy=basic.target
[Unit]
Description=Check Tails known, unfixed security issues
Documentation=https://tails.boum.org/contribute/design/
[Service]
ExecStart=/usr/local/bin/tails-security-check-wrapper
RemainAfterExit=yes
[Install]
WantedBy=desktop.target
[Unit]
Description=Check available Tails upgrades
Documentation=https://tails.boum.org/contribute/design/incremental_upgrades/
[Service]
ExecStart=/usr/local/bin/tails-upgrade-frontend-wrapper
RemainAfterExit=yes
[Install]
WantedBy=desktop.target
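Review bot: tails-upgrade-frontend.service and tails-security-check.service (this unit and the one just above it) leave Type= at its default of simple but also set `RemainAfterExit=yes`. Type=simple gives the early "started" notification the commit message wants, but `RemainAfterExit=yes` then keeps the unit active after the wrapper exits, so a later `systemctl --user start` of it is a no-op and `status` shows it as active rather than finished; either drop `RemainAfterExit=yes` from these two simple units or add a comment recording that once-per-session behaviour is intended.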
[Unit]
Description=Warn the user if Tails is running inside a virtual machine
Documentation=https://tails.boum.org/contribute/design/virtualization_support/
[Service]
Type=oneshot
ExecStart=/usr/local/bin/tails-virt-notify-user
RemainAfterExit=yes
[Install]
WantedBy=desktop.target
[Unit]
Description=Warn the user if unmigrated or insecure persistence settings are found
Documentation=https://tails.boum.org/contribute/design/persistence/
[Service]
Type=oneshot
ExecStart=/usr/local/bin/tails-warn-about-disabled-persistence
RemainAfterExit=yes
[Install]
WantedBy=desktop.target
......@@ -2,6 +2,9 @@
set -eu
# We're a no-op unless running as the default desktop user
[ "$(/usr/bin/id -u)" = 1000 ] || exit 0
. /usr/local/lib/tails-shell-library/tails-greeter.sh
add_gtk_bookmark_for() {
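Review bot: the new guard `[ "$(/usr/bin/id -u)" = 1000 ] || exit 0` hard-codes the UID while the comment above it and the commit message talk about the default desktop user (`amnesia`); comparing `$(/usr/bin/id -un)` against `amnesia` would keep the check self-describing and would not silently turn the script into a no-op if the UID assignment ever changes. A one-line notice on stderr before `exit 0` would also make the skipped case visible in `systemctl --user status` instead of looking like success.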
......
......@@ -2,6 +2,9 @@
set -eu
# We're a no-op unless running as the default desktop user
[ "$(/usr/bin/id -u)" = 1000 ] || exit 0
TOR_BROWSER_AMNESIAC_DIR='/home/amnesia/Tor Browser'
TOR_BROWSER_PERSISTENT_DIR='/home/amnesia/Persistent/Tor Browser'
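Review bot: same point as for the add-GNOME-bookmarks hunk above: the added `[ "$(/usr/bin/id -u)" = 1000 ] || exit 0` guard hard-codes the UID rather than checking the user name, and a silent `exit 0` hides the skipped case; factoring one shared guard into the tails shell library already sourced by the sibling script would keep both in step.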
......
#!/bin/sh
set -eu
# Import (almost all) XDG_*, locale-related and DBUS_SESSION_BUS_ADDRESS variables
# into the systemd user instance's environment. We're filtering some
# XDG_* out in order not to pretend that processes run via `systemd --user`
# are part of the desktop session.
/usr/bin/env \
| /bin/grep '^XDG_' \
| /bin/grep -E -v '^XDG_(SEAT=|SESSION_)' \
| /usr/bin/xargs /bin/systemctl --user set-environment
/usr/bin/locale | /usr/bin/xargs /bin/systemctl --user set-environment
/bin/systemctl --user import-environment \
DBUS_SESSION_BUS_ADDRESS \
DISPLAY \
XAUTHORITY
# Start desktop.target
/bin/systemctl --user start desktop.target
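Review bot: `env | grep '^XDG_' | ... | xargs /bin/systemctl --user set-environment` lets xargs split on whitespace and interpret quotes, so any XDG_ variable whose value contains a space or a quote is handed over as several arguments; `set-environment` rejects a fragment that is not a NAME=value assignment, and with `set -eu` in force the script then dies before reaching `/bin/systemctl --user start desktop.target`, leaving every unit wanted by that target unstarted. Passing variable names only (for example `sed -n 's/^\(XDG_[A-Za-z0-9_]*\)=.*/\1/p'`) to `import-environment`, which reads the values from its own environment verbatim, avoids this, and is what the script already does for DBUS_SESSION_BUS_ADDRESS, DISPLAY and XAUTHORITY. The `/usr/bin/locale | xargs` line has the same shape, though locale values do not normally contain whitespace.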