Commit b5a165b4 authored by Tails developers's avatar Tails developers

Merge branch 'devel' into wheezy

Conflicts:
	config/chroot_apt/preferences
	config/chroot_local-packages/tails-greeter_0.6.3_all.deb
	config/chroot_local-patches/torsocks_claws-mail.diff
parents a46f0014 782820d1
......@@ -28,3 +28,7 @@
/.lock
/.stage
/source
/vagrant/.vagrant
/vagrant/definitions/squeeze/preseed.cfg
/vagrant/iso
/vagrant/squeeze.box
# -*- mode: ruby -*-
# vi: set ft=ruby :
#
# Tails: The Amnesic Incognito Live System
# Copyright © 2012 Tails developers <tails@boum.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
require 'rbconfig'
require 'rubygems'
require 'vagrant'
require 'uri'
$:.unshift File.expand_path('../vagrant/lib', __FILE__)
require 'tails_build_settings'
# Path to the directory which holds our Vagrantfile
VAGRANT_PATH = File.expand_path('../vagrant', __FILE__)
# Branches that are considered 'stable' (used to select SquashFS compression)
STABLE_BRANCH_NAMES = ['stable', 'testing']
# Environment variables that will be exported to the build script
EXPORTED_VARIABLES = ['http_proxy', 'MKSQUASHFS_OPTIONS', 'TAILS_RAM_BUILD', 'TAILS_CLEAN_BUILD']
# Let's save the http_proxy set before playing with it
EXTERNAL_HTTP_PROXY = ENV['http_proxy']
# In-VM proxy URL
INTERNEL_HTTP_PROXY = "http://#{VIRTUAL_MACHINE_HOSTNAME}:3142"
def current_vm_memory
env = Vagrant::Environment.new(:cwd => VAGRANT_PATH, :ui_class => Vagrant::UI::Basic)
uuid = env.primary_vm.uuid
info = env.primary_vm.driver.execute 'showvminfo', uuid, '--machinereadable'
$1.to_i if info =~ /^memory=(\d+)/
end
def current_vm_cpus
env = Vagrant::Environment.new(:cwd => VAGRANT_PATH, :ui_class => Vagrant::UI::Basic)
uuid = env.primary_vm.uuid
info = env.primary_vm.driver.execute 'showvminfo', uuid, '--machinereadable'
$1.to_i if info =~ /^cpus=(\d+)/
end
def enough_free_memory?
return false unless RbConfig::CONFIG['host_os'] =~ /linux/i
begin
usable_free_mem = `free`.split[16].to_i
usable_free_mem > VM_MEMORY_FOR_RAM_BUILDS * 1024
rescue
false
end
end
def stable_branch?
branch_name = `git name-rev --name-only HEAD`
STABLE_BRANCH_NAMES.include? branch_name
end
def system_cpus
return nil unless RbConfig::CONFIG['host_os'] =~ /linux/i
begin
File.read('/proc/cpuinfo').scan(/^processor\s+:/).count
rescue
nil
end
end
task :parse_build_options do
options = ''
# Default to in-memory builds if there is enough RAM available
options += 'ram ' if enough_free_memory?
# Use in-VM proxy unless an external proxy is set
options += 'vmproxy ' unless EXTERNAL_HTTP_PROXY
# Default to fast compression on development branches
options += 'gzipcomp ' unless stable_branch?
# Default to the number of system CPUs when we can figure it out
cpus = system_cpus
options += "cpus=#{cpus} " if cpus
options += ENV['TAILS_BUILD_OPTIONS'] if ENV['TAILS_BUILD_OPTIONS']
options.split(' ').each do |opt|
case opt
# Memory build settings
when 'ram'
abort "Not enough free memory to do an in-memory build. Aborting." unless enough_free_memory?
ENV['TAILS_RAM_BUILD'] = '1'
when 'noram'
ENV['TAILS_RAM_BUILD'] = nil
# HTTP proxy settings
when 'extproxy'
abort "No HTTP proxy set, but one is required by TAILS_BUILD_OPTIONS. Aborting." unless EXTERNAL_HTTP_PROXY
ENV['http_proxy'] = EXTERNAL_HTTP_PROXY
when 'vmproxy'
ENV['http_proxy'] = INTERNEL_HTTP_PROXY
when 'noproxy'
ENV['http_proxy'] = nil
# SquashFS compression settings
when 'gzipcomp'
ENV['MKSQUASHFS_OPTIONS'] = '-comp gzip'
when 'defaultcomp'
ENV['MKSQUASHFS_OPTIONS'] = nil
# Clean-up settings
when 'cleanall'
ENV['TAILS_CLEAN_BUILD'] = '1'
# Virtual CPUs settings
when /cpus=(\d+)/
ENV['TAILS_BUILD_CPUS'] = $1
# Git settings
when 'ignorechanges'
ENV['TAILS_BUILD_IGNORE_CHANGES'] = '1'
end
end
end
task :ensure_clean_repository do
unless `git status --porcelain`.empty?
if ENV['TAILS_BUILD_IGNORE_CHANGES']
$stderr.puts <<-END_OF_MESSAGE.gsub(/^ /, '')
You have uncommited changes in the Git repository. They will
be ignored for the upcoming build.
END_OF_MESSAGE
else
$stderr.puts <<-END_OF_MESSAGE.gsub(/^ /, '')
You have uncommited changes in the Git repository. Due to limitations
of the build system, you need to commit them before building Tails.
If you don't care about those changes and want to build Tails nonetheless,
please add `ignorechanges` to the TAILS_BUILD_OPTIONS environment
variable.
END_OF_MESSAGE
abort 'Uncommited changes. Aborting.'
end
end
end
task :validate_http_proxy do
if ENV['http_proxy']
proxy_host = URI.parse(ENV['http_proxy']).host
if proxy_host.nil?
ENV['http_proxy'] = nil
$stderr.puts "Ignoring invalid HTTP proxy."
return
end
if ['localhost', '[::1]'].include?(proxy_host) || proxy_host.start_with?('127.0.0.')
abort 'Using an HTTP proxy listening on the loopback is doomed to fail. Aborting.'
end
$stderr.puts "Using HTTP proxy: #{ENV['http_proxy']}"
else
$stderr.puts "No HTTP proxy set."
end
end
desc 'Build Tails'
task :build => ['parse_build_options', 'ensure_clean_repository', 'validate_http_proxy', 'vm:up'] do
exported_env = EXPORTED_VARIABLES.select { |k| ENV[k] }.
collect { |k| "#{k}='#{ENV[k]}'" }.join(' ')
env = Vagrant::Environment.new(:cwd => VAGRANT_PATH)
status = env.primary_vm.channel.execute("#{exported_env} build-tails",
:error_check => false) do |fd, data|
(fd == :stdout ? $stdout : $stderr).write data
end
# Move build products to the current directory
FileUtils.mv Dir.glob("#{VAGRANT_PATH}/tails-*"),
File.expand_path('..', __FILE__), :force => true
exit status
end
namespace :vm do
desc 'Start the build virtual machine'
task :up => ['parse_build_options', 'validate_http_proxy'] do
env = Vagrant::Environment.new(:cwd => VAGRANT_PATH, :ui_class => Vagrant::UI::Basic)
case env.primary_vm.state
when :not_created
# Do not use non-existant in-VM proxy to download the basebox
if ENV['http_proxy'] == INTERNEL_HTTP_PROXY
ENV['http_proxy'] = nil
restore_internal_proxy = true
end
$stderr.puts <<-END_OF_MESSAGE.gsub(/^ /, '')
This is the first time that the Tails builder virtual machine is
started. The virtual machine template is about 300 MB to download,
so the process might take some time.
Please remember to shut the virtual machine down once your work on
Tails in done:
$ rake vm:halt
END_OF_MESSAGE
when :poweroff
$stderr.puts <<-END_OF_MESSAGE.gsub(/^ /, '')
Starting Tails builder virtual machine. This might take a short while.
Please remember to shut it down once your work on Tails in done:
$ rake vm:halt
END_OF_MESSAGE
when :running
if ENV['TAILS_RAM_BUILD'] && current_vm_memory < VM_MEMORY_FOR_RAM_BUILDS
$stderr.puts <<-END_OF_MESSAGE.gsub(/^ /, '')
The virtual machine is not currently set with enough memory to
perform an in-memory build. Either remove the `ram` option from
the TAILS_BUILD_OPTIONS environment variable, or shut the
virtual machine down using `rake vm:halt` before trying again.
END_OF_MESSAGE
abort 'Not enough memory for the virtual machine to run an in-memory build. Aborting.'
end
if ENV['TAILS_BUILD_CPUS'] && current_vm_cpus != ENV['TAILS_BUILD_CPUS'].to_i
$stderr.puts <<-END_OF_MESSAGE.gsub(/^ /, '')
The virtual machine is currently running with #{current_vm_cpus}
virtual CPU(s). In order to change that number, you need to
stop the VM first, using `rake vm:halt`. Otherwise, please
adjust the `cpus` options accordingly.
END_OF_MESSAGE
abort 'The virtual machine needs to be reloaded to change the number of CPUs. Aborting.'
end
end
result = env.cli('up')
abort "'vagrant up' failed" unless result
ENV['http_proxy'] = INTERNEL_HTTP_PROXY if restore_internal_proxy
end
desc 'Stop the build virtual machine'
task :halt do
env = Vagrant::Environment.new(:cwd => VAGRANT_PATH, :ui_class => Vagrant::UI::Basic)
result = env.cli('halt')
abort "'vagrant halt' failed" unless result
end
desc 'Re-run virtual machine setup'
task :provision => ['parse_build_options', 'validate_http_proxy'] do
env = Vagrant::Environment.new(:cwd => VAGRANT_PATH, :ui_class => Vagrant::UI::Basic)
result = env.cli('provision')
abort "'vagrant provision' failed" unless result
end
desc 'Destroy build virtual machine (clean up all files)'
task :destroy do
env = Vagrant::Environment.new(:cwd => VAGRANT_PATH, :ui_class => Vagrant::UI::Basic)
result = env.cli('destroy', '--force')
abort "'vagrant destroy' failed" unless result
end
end
namespace :basebox do
task :create_preseed_cfg => 'validate_http_proxy' do
require 'erb'
preseed_cfg_path = File.expand_path('../vagrant/definitions/squeeze/preseed.cfg', __FILE__)
template = ERB.new(File.read("#{preseed_cfg_path}.erb"))
File.open(preseed_cfg_path, 'w') do |f|
f.write template.result
end
end
desc 'Create virtual machine template (a.k.a. basebox)'
task :create_basebox => [:create_preseed_cfg] do
# veewee is pretty stupid regarding path handling
Dir.chdir(VAGRANT_PATH) do
require 'veewee'
# Veewee assumes a separate process for each task. So we mimic that.
env = Vagrant::Environment.new(:ui_class => Vagrant::UI::Basic)
Process.fork do
env.cli('basebox', 'build', 'squeeze')
end
Process.wait
abort "Building the basebox failed (exit code: #{$?.exitstatus})." if $?.exitstatus != 0
Process.fork do
env.cli('basebox', 'validate', 'squeeze')
end
Process.wait
abort "Validating the basebox failed (exit code: #{$?.exitstatus})." if $?.exitstatus != 0
Process.fork do
env.cli('basebox', 'export', 'squeeze')
end
Process.wait
abort "Exporting the basebox failed (exit code: #{$?.exitstatus})." if $?.exitstatus != 0
end
end
end
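Review bot: The values exported into the in-VM command in the `build` task (`collect { |k| "#{k}='#{ENV[k]}'" }`) are wrapped in single quotes but never escaped, so an `http_proxy` or `MKSQUASHFS_OPTIONS` value containing a single quote ends the quoting and the rest of the value is parsed by the build VM's shell as part of the `build-tails` command line. These variables come from the developer's own environment, so this is a robustness rather than a privilege-boundary problem, but the fix is cheap: add `require 'shellwords'` next to the other requires and build each assignment as `"#{k}=#{Shellwords.escape(ENV[k])}"`. Separately, `stable_branch?` compares the raw output of `git name-rev --name-only HEAD`, which ends in a newline, against `STABLE_BRANCH_NAMES`, so `include?` never matches and stable/testing branches silently get the development `gzipcomp` default. Append `.chomp` to the command substitution, i.e. `branch_name = %x(git name-rev --name-only HEAD).chomp`, and check whether name-rev can also print a `remotes/origin/` prefix that would need stripping. `enough_free_memory?` likewise parses `free` by word position (`split[16]`), which depends on the exact column layout of the installed procps and would be worth a comment naming the expected layout.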
......@@ -102,19 +102,19 @@ Package: linux-headers-2.6-amd64
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-headers-3.2.0-2-common
Package: linux-headers-3.2.0-3-common
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-headers-3.2.0-2-486
Package: linux-headers-3.2.0-3-486
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-headers-3.2.0-2-686-pae
Package: linux-headers-3.2.0-3-686-pae
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-headers-3.2.0-2-amd64
Package: linux-headers-3.2.0-3-amd64
Pin: release o=Debian,a=unstable
Pin-Priority: 999
......@@ -142,15 +142,15 @@ Package: linux-image-2.6-amd64
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-image-3.2.0-2-486
Package: linux-image-3.2.0-3-486
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-image-3.2.0-2-686-pae
Package: linux-image-3.2.0-3-686-pae
Pin: release o=Debian,a=unstable
Pin-Priority: 999
Package: linux-image-3.2.0-2-amd64
Package: linux-image-3.2.0-3-amd64
Pin: release o=Debian,a=unstable
Pin-Priority: 999
......@@ -163,6 +163,10 @@ Package: *
Pin: release o=chroot_local-packages
Pin-Priority: 1001
Package: *
Pin: release o=Debian,n=wheezy-updates
Pin-Priority: 990
Package: *
Pin: release o=Debian,n=wheezy
Pin-Priority: 900
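Review bot: The new `Package: *` / `n=wheezy-updates` stanza at priority 990 carries no comment placing it in the ladder that the surrounding pins define — above the 900 pin for `n=wheezy`, below the 999 pins that take the `linux-image-3.2.0-3-*` and `linux-headers-3.2.0-3-*` packages from `a=unstable`, and below the 1001 pin for `o=chroot_local-packages`. A later change to any one of these numbers silently changes which suite wins, so I would add one line above the stanza such as `# wheezy-updates beats wheezy (900) but never the unstable kernel pins (999) or local packages (1001)`. The per-ABI kernel pins also have to be renamed by hand on every ABI bump, as this very hunk shows (3.2.0-2 → 3.2.0-3); a single pin on `linux-image-3.2.0-*` would avoid that, provided the apt version in use supports glob patterns in `Package:`.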
#!/bin/sh
# Create the clear user.
#
# We run unsafe-browser under this user, so that we can whitelist its
# non-Torified outgoing packets.
echo "creating the clearnet user"
adduser --system --quiet --group clearnet || :
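Review bot: The `|| :` on the `adduser` line hides every failure, not only the "user already exists" case it presumably exists for, so a hook that cannot create `clearnet` still exits 0 and the problem surfaces only later, when firewall rules keyed on `--uid-owner clearnet` (added elsewhere in this commit) fail to load. If the intent is idempotency, test for the account first and let a real failure stop the build: `getent passwd clearnet >/dev/null || adduser --system --quiet --group clearnet`. The comment would also benefit from stating why `--system` is used (no password, non-interactive account), since this uid is the one path around the Tor-only firewall policy.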
#!/bin/sh
echo "Installing Iceweasel localization packages"
apt-get install --yes -t squeeze-backports iceweasel-l10n-all
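Review bot: The hook installs `iceweasel-l10n-all` with `-t squeeze-backports`, yet this commit merges into the `wheezy` branch; if the chroot's sources on this branch no longer include squeeze-backports the `apt-get` call fails and takes the build with it, and if they still do, the localization packages come from a squeeze-era backport rather than wheezy. I cannot see the sources list from here, so this is a question rather than a defect: on the wheezy branch it may be enough to drop the target release, `apt-get install --yes iceweasel-l10n-all`, and let `chroot_apt/preferences` decide the suite as it already does for the kernel packages.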
#!/bin/sh
echo > /etc/apt/apt.conf.d/0000runtime-proxy <<EOF
cat > /etc/apt/apt.conf.d/0000runtime-proxy <<EOF
// Proxy through Polipo to torify outgoing APT HTTP connections.
// This setting must be overriden at build time by live-build's
// 00http-proxy configuration file.
#!/bin/sh
# This information is needed by the Unsafe Browser.
# Run only when the interface is not "lo":
if [ $1 = "lo" ]; then
exit 0
fi
# Run whenever an interface gets "up", not otherwise:
if [ $2 != "up" ]; then
exit 0
fi
echo "IP4_NAMESERVERS=\"${IP4_NAMESERVERS}\"" > /var/lib/NetworkManager/env
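Review bot: `$1` and `$2` are tested unquoted in `[ $1 = "lo" ]` and `[ $2 != "up" ]`, so if the dispatcher ever invokes this script with an empty argument the test degenerates to `[ = "lo" ]`, `[` reports an error, and the script falls through to rewriting `/var/lib/NetworkManager/env` anyway. Quote both: `if [ "$1" = "lo" ]; then` and `if [ "$2" != "up" ]; then`. The `IP4_NAMESERVERS` value originates from the network (DHCP) and is written in a form that looks meant to be sourced as shell later; that is safe only as long as NetworkManager guarantees a list of plain IP literals, and I would record that assumption in the comment above the `echo`, e.g. `# IP4_NAMESERVERS is a space-separated list of IPv4 literals as formatted by NetworkManager; nothing else must reach this file`.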
......@@ -12,8 +12,14 @@
# Established outgoing connections are accepted.
[0:0] -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Internal network connections are accepted.
[0:0] -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT
# Internal network connections are accepted (see exception below).
[0:0] -A OUTPUT -m owner ! --uid-owner clearnet -d 127.0.0.0/255.0.0.0 -j ACCEPT
# clearnet is allowed to connect to any TCP port via the external
# interfaces (but lo is blocked so it cannot interfere with Tor etc)
# including DNS on the LAN. UDP DNS queries are also allowed.
[0:0] -A OUTPUT ! -o lo -p TCP -m owner --uid-owner clearnet -j ACCEPT
[0:0] -A OUTPUT ! -o lo -p UDP -m owner --uid-owner clearnet --dport domain -j ACCEPT
# Local network connections should not go through Tor but DNS shall be
# rejected.
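Review bot: The new `clearnet` TCP rule (`! -o lo -p TCP -m owner --uid-owner clearnet -j ACCEPT`) accepts every destination and every port outside `lo`, so the Unsafe Browser's uid can reach any TCP service on the LAN or Internet directly, not just web ports; the comment states this but not why the wider reach is needed (captive portals on non-standard ports would be one reason). If HTTP/HTTPS is all that is required, `-m multiport --dports http,https` on that rule would shrink the clear-net exposure of the uid; if not, a sentence in the comment recording the reason would stop a later reviewer from tightening it blindly. The comment's claim that "lo is blocked" for `clearnet` rests on the `! --uid-owner clearnet` exception added to the 127/8 accept plus whatever the chain does after this hunk, which is not visible here, so it is worth confirming no later rule re-admits loopback traffic for that uid. These are IPv4 rules only; the ip6tables counterpart is outside this hunk and should mirror the same exception.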
......@@ -7,6 +7,7 @@
<H1>Bookmarks</H1>
<DT><A HREF="https://tails.boum.org/">Tails</A>
<DT><A HREF="file:///usr/share/doc/tails/website/index.en.html">Tails documentation (offline)</A>
<DT><h3>Webmail</h3>
<DL><p>
<DT><A HREF="https://webmail.no-log.org/">no-log.org</A>
......@@ -33,6 +33,10 @@ install -o htp -g nogroup -m 0644 /dev/null ${LOG}
# Source configuration
. /etc/default/$NAME
log() {
echo "$@" >> "${LOG}"
}
# Sanity checks
if [ -z "$HTTP_USER_AGENT" ]; then
log "HTTP_USER_AGENT is not set."
......@@ -51,10 +55,6 @@ if [ -z "$HTP_POOL_FOE" ]; then
exit 3
fi
log() {
echo "$@" >> "${LOG}"
}
do_start() {
if [ -e "$HTP_DONE_FILE" ]; then
rm -f "$HTP_DONE_FILE"
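Review bot: `log()` is now defined before the sanity checks call it, but its body `echo "$@" >> "${LOG}"` still lets `echo` interpret a message that begins with `-n`/`-e` (and, under dash, backslash escapes anywhere in it), so a future `log "-- starting"` would be mangled; `printf '%s\n' "$*" >> "${LOG}"` writes the arguments verbatim. The existing messages are fixed strings, so this is a matter of style rather than a live bug. `do_start` continues outside the hunk.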
......@@ -67,7 +67,7 @@ recvtype=3
#mailbox name if pop3 or local
#relative path from the user's home
#default is "Mail"
#mailbox=
mailbox=.claws-mail/Mail
#whether to use ssl on STMP connections
#default is 0, 1 is ssl, 2 is starttls
amnesia ALL = NOPASSWD: /usr/local/sbin/unsafe-browser
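Review bot: The rule grants `amnesia` password-less root for `/usr/local/sbin/unsafe-browser` with any arguments, because a sudoers command without a trailing `""` accepts arbitrary argv; whether that matters depends on what `unsafe-browser` does with its arguments, which is not visible here. If the script takes none, pin it: `amnesia ALL = NOPASSWD: /usr/local/sbin/unsafe-browser ""`. A `#` comment in the file noting that the script must remain root-owned and not writable by `amnesia` would also help, since the rule is exactly as strong as the file it names.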