Commit bf714344 authored by Kill Your TV's avatar Kill Your TV

I2P Browser

Browser specifically for I2P based on the scripts that
configure the "unsafe-browser".

* Adds a new i2pbrowser user
* change the I2P menu entry and related sudoers file to start
  this new browser. I2P will be started via NetworkManager (added in a later
  commit) when a user adds 'i2p' to the boot prompt.

Update I2P firewall rules

Since the amnesia user won't be browsing eepsites with the Torbrowser
anymore, and the i2pbrowser user *will* be browsing them, the firewall
rules needed another update.

disable cups

fixes the same problem as ticket #7771 addresses for the
'unsafe'browser'

Remove I2P settings from FoxyProxy

Since I2P Browser is now used for visiting eepsites (.i2p tld) the I2P
configs are no longer appropriate for FoxyProxy.
parent 3caa2763
#!/bin/sh
set -e
# Create the i2pbrowser user.
#
# We run i2p-browser under this user
echo "Creating the i2pbrowser user"
adduser --system --quiet --group i2pbrowser
......@@ -86,18 +86,24 @@ domain ip {
mod owner uid-owner amnesia ACCEPT;
}
# White-list access to I2P services for both the amnesia user (client) and i2psvc (server)
# White-list access to I2P services for the amnesia user (IRC, SAM, POP3, SMTP, and Monotone)
# For more information, see https://tails/boum.org/contribute/design/I2P and https://geti2p.net/ports
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (4444 4445 6668 7656 7657 7658 7659 7660 8998) {
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (6668 7656 7659 7660 8998) {
@if $use_i2p mod owner uid-owner amnesia ACCEPT;
}
# Whitelist access to I2P services for the i2psvc user,
# otherwise mail and eepsite hosting won't work.
# otherwise mail and eepsite hosting won't work. The mail ports (7659 and 7660) are
# accessed by the webmail app
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (7658 7659 7660) {
@if $use_i2p mod owner uid-owner i2psvc ACCEPT;
}
# Whitelist access to the i2pbrowser user
daddr 127.0.0.1 proto tcp syn mod multiport destination-ports (4444 7657 7658) {
@if $use_i2p mod owner uid-owner i2pbrowser ACCEPT;
}
# White-list access to the java wrapper's (used by I2P) control ports
# (see: http://wrapper.tanukisoftware.com/doc/english/prop-port.html)
# If, for example, port 31000 is in use, it'll try the next one in sequence.
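Review bot: The comment on the new i2pbrowser rule, `# Whitelist access to the i2pbrowser user`, does not say which services are being opened, which makes the rule harder to audit. Something like `# Whitelist the I2P HTTP proxy (4444), router console (7657) and local eepsite (7658) for the i2pbrowser user` would do it. Port 7657 is the router console, from which tunnels are managed, so the comment should state that the browser user is given access to it on purpose. The documentation URL in the comment above the amnesia rule reads `https://tails/boum.org/...`, which looks like a typo for `tails.boum.org`. The enclosing `domain ip` block starts and ends outside the hunk.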
......
......@@ -46,39 +46,6 @@ caseSensitive="false" />
autoReload="false" reloadFreqMins="60" disableOnBadPAC="true" />
<manualconf host="" port="" socksversion="5" isSocks="false" />
</proxy>
<proxy name="I2P router console and eepsite" id="2404203472" notes=""
enabled="true" mode="direct" selectedTabIndex="2"
lastresort="false" animatedIcons="true" includeInCycle="true"
color="#00FFFF" proxyDNS="true">
<matches>
<match enabled="true" name="I2P router console IP"
pattern="http://127.0.0.1:7657/*"
isRegEx="false" isBlackList="false" isMultiLine="false"
caseSensitive="false" />
<match enabled="true" name="I2P eepsite IP"
pattern="http://127.0.0.1:7658/*"
isRegEx="false" isBlackList="false" isMultiLine="false"
caseSensitive="false" />
</matches>
<autoconf url="" loadNotification="true" errorNotification="true"
autoReload="false" reloadFreqMins="60" disableOnBadPAC="true" />
<manualconf host="" port="" socksversion="5" isSocks="false" />
</proxy>
<proxy name="i2p" id="3035002503" notes="" enabled="true"
mode="manual" selectedTabIndex="0" lastresort="false"
animatedIcons="true" includeInCycle="true" color="#0000FF"
proxyDNS="true">
<matches>
<match enabled="true" name="eepsites"
pattern="^https?://[-a-zA-Z0-9.]+\.i2p(:[0-9]{1,5})?(/.*)?$"
isRegEx="true" isBlackList="false" isMultiLine="false"
caseSensitive="false" />
</matches>
<autoconf url="" loadNotification="true" errorNotification="true"
autoReload="false" reloadFreqMins="60" disableOnBadPAC="true" />
<manualconf host="127.0.0.1" port="4444" socksversion="5"
isSocks="false" />
</proxy>
<proxy name="LAN" id="2433300243" notes="" enabled="true"
mode="direct" selectedTabIndex="0" lastresort="false"
animatedIcons="true" includeInCycle="true" color="#995400"
......
......@@ -13,9 +13,9 @@ Install_I2P(){
}
Add_Sudo_Config(){
echo "amnesia ALL = NOPASSWD: /etc/init.d/i2p" > /etc/sudoers.d/zzz_i2p
chown root:root /etc/sudoers.d/zzz_i2p
chmod 0440 /etc/sudoers.d/zzz_i2p
echo "amnesia ALL = NOPASSWD: /usr/local/sbin/i2p-browser" > /etc/sudoers.d/zzz_i2pbrowser
chown root:root /etc/sudoers.d/zzz_i2pbrowser
chmod 0440 /etc/sudoers.d/zzz_i2pbrowser
}
if grep -qw "i2p" /proc/cmdline && [ -d "$SRC" ]; then
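Review bot: The new sudoers entry written by Add_Sudo_Config lets amnesia run `/usr/local/sbin/i2p-browser` as root with arbitrary arguments, although the script added in this commit reads none. Pinning the rule to an empty argument list keeps the grant as narrow as the script's actual interface: `echo 'amnesia ALL = NOPASSWD: /usr/local/sbin/i2p-browser ""' > /etc/sudoers.d/zzz_i2pbrowser`. A `visudo -c -f /etc/sudoers.d/zzz_i2pbrowser` check after writing the file would also catch a malformed entry before sudo silently rejects it.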
......
#!/bin/sh
set -e
# This isn't very useful without I2P...
grep -qw "i2p" /proc/cmdline || exit 0
CMD=$(basename ${0})
LOCK=/var/lock/${CMD}
. gettext.sh
TEXTDOMAIN="tails"
export TEXTDOMAIN
ROFS=/lib/live/mount/rootfs/filesystem.squashfs
CONF_DIR=/var/lib/i2p-browser
COW=${CONF_DIR}/cow
CHROOT=${CONF_DIR}/chroot
BROWSER_USER=i2pbrowser
START_PAGE="http://127.0.0.1:7657"
if [ -e /var/lib/gdm3/tails.camouflage ]; then
CAMOUFLAGE=yes
fi
cleanup () {
# Break down the chroot and kill all of its processes
local counter=0
local ret=0
while [ "${counter}" -le 10 ] && \
pgrep -u ${BROWSER_USER} 1>/dev/null 2>&1; do
pkill -u ${BROWSER_USER} 1>/dev/null 2>&1
ret=${?}
sleep 1
counter=$((${counter}+1))
done
[ ${ret} -eq 0 ] || pkill -9 -u ${BROWSER_USER} 1>/dev/null 2>&1
for mnt in ${CHROOT}/dev ${CHROOT}/proc ${CHROOT} ${COW}; do
counter=0
while [ "${counter}" -le 10 ] && mountpoint -q ${mnt} 2>/dev/null; do
umount ${mnt} 2>/dev/null
sleep 1
counter=$((${counter}+1))
done
done
rmdir ${COW} ${CHROOT} 2>/dev/null
}
verify_start () {
# Make sure the user really wants to start the browser in case the router console isn't available
local dialog_msg="<b><big>`gettext \"Do you still want to launch I2P Browser?\"`</big></b>
`gettext \"The I2P router console is not ready.\"`"
local launch="`gettext \"_Launch\"`"
local exit="`gettext \"_Exit\"`"
# Since zenity can't set the default button to cancel, we switch the
# labels and interpret the return value as its negation.
if sudo -u ${SUDO_USER} zenity --question --title "" --ok-label "${exit}" \
--cancel-label "${launch}" --text "${dialog_msg}"; then
exit 0
fi
}
error () {
local cli_text="${CMD}: `gettext \"error:\"` ${@}"
local dialog_text="<b><big>`gettext \"Error\"`</big></b>
${@}"
echo "${cli_text}" >&2
sudo -u ${SUDO_USER} zenity --error --title "" --text "${dialog_text}"
exit 1
}
show_start_notification () {
local title="`gettext \"Starting the I2P Browser...\"`"
local body="`gettext \"This may take a while, so please be patient.\"`"
tails-notify-user "${title}" "${body}" 10000
}
setup_chroot () {
# Setup a chroot on an aufs "fork" of the filesystem.
# FIXME: When LXC matures to the point where it becomes a viable option
# for creating isolated jails, the chroot can be used as its rootfs.
echo "* Setting up chroot"
trap cleanup INT
trap cleanup EXIT
mkdir -p ${COW} ${CHROOT} && \
mount -t tmpfs tmpfs ${COW} && \
mount -t aufs -o noatime,noxino,dirs=${COW}=rw:${ROFS}=rr+wh aufs ${CHROOT} && \
mount -t proc proc ${CHROOT}/proc && \
mount --bind /dev ${CHROOT}/dev || \
error "`gettext \"Failed to setup chroot.\"`"
# Workaround for todo/buggy_aufs_vs_unsafe-browser
chmod -t ${COW}
}
set_chroot_browser_name () {
NAME="${1}"
LONG=$(echo ${LANG} | grep -o "^[a-zA-Z_]*")
SHORT=${LONG%%_*}
EXT_DIR=${CHROOT}/usr/lib/iceweasel/browser/extensions
BRANDING=branding/brand.dtd
if [ -e "${EXT_DIR}/langpack-${LONG}@iceweasel.mozilla.org.xpi" ]; then
PACK="${EXT_DIR}/langpack-${LONG}@iceweasel.mozilla.org.xpi"
TOP=browser/chrome
REST=${LONG}/locale
elif [ -e "${EXT_DIR}/langpack-${SHORT}@iceweasel.mozilla.org.xpi" ]; then
PACK="${EXT_DIR}/langpack-${SHORT}@iceweasel.mozilla.org.xpi"
TOP=browser/chrome
REST=${SHORT}/locale
else
PACK=${CHROOT}/usr/share/iceweasel/browser/chrome/en-US.jar
TOP=locale
REST=
fi
TMP=$(mktemp -d)
# Non-zero exit code due to non-standard ZIP archive.
# The following steps will fail soon if the extraction failed anyway.
unzip -d "${TMP}" "${PACK}" || true
sed -i "s/Iceweasel/${NAME}/" "${TMP}"/"${TOP}"/"${REST}"/"${BRANDING}"
rm "${PACK}"
(cd $TMP ; 7z a -tzip "${PACK}" .)
chmod a+r "${PACK}"
rm -Rf "${TMP}"
}
configure_chroot () {
echo "* Configuring chroot"
# Prevent sudo from complaining about failing to resolve the 'amnesia' host
echo "127.0.0.1 localhost amnesia" > ${CHROOT}/etc/hosts
# Remove Torbutton and Foxyproxy Iceweasel addons
chroot ${CHROOT} dpkg -l 'xul-ext*' |grep -v 'noscript\|adblock' \
| awk '/^ii/{print $2}' | xargs chroot ${CHROOT} dpkg --remove
# Create a fresh Iceweasel profile for the i2pbrowser user
cp -a ${CHROOT}/etc/skel/.mozilla/ ${CHROOT}/home/i2pbrowser/
chown -R i2pbrowser:i2pbrowser ${CHROOT}/home/i2pbrowser/.mozilla/
BROWSER_PROFILE=${CHROOT}/home/i2pbrowser/.mozilla/firefox/default
# Remove any existing FoxyProxy or Torbutton configs
sed -i '/extensions\.\(foxyproxy\|torbutton\)/d' \
${BROWSER_PROFILE}/*.js
# Remove any existing proxies in the chroot
sed -r -i '/^(user_|)pref\("network\.proxy\..*",/d' \
${BROWSER_PROFILE}/*.js
# Prevent File -> Print or CTRL+P from causing the browser to hang for several minutes
# while trying to communicate with CUPS, since access to port 631 isn't allowed through.
echo 'user_pref("print.postscript.cups.enabled", false);' >> \
${BROWSER_PROFILE}/user.js
# add the I2P proxy to all protocols
cat >> ${BROWSER_PROFILE}/user.js << EOF
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 4444);
user_pref("network.proxy.ftp", "127.0.0.1");
user_pref("network.proxy.ftp_port", 4444);
user_pref("network.proxy.ssl", "127.0.0.1");
user_pref("network.proxy.ssl_port", 4444);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.no_proxies_on", "127.0.0.1");
EOF
rm -rf ${BROWSER_PROFILE}/extensions
# Change the theme when not using Windows camouflage
if [ -z "${CAMOUFLAGE}" ]; then
cat >> ${BROWSER_PROFILE}/user.js <<EOF
user_pref("lightweightThemes.isThemeSelected", true);
user_pref("lightweightThemes.usedThemes", "[{\"id\":\"1\",\"name\":\"I2P Browser\",\"headerURL\":\"file:///usr/share/pixmaps/red_dot.png\",\"footerURL\":\"file:///usr/share/pixmaps/red_dot.png\",\"textcolor\":\"#FFFFFF\",\"accentcolor\":\"#66ABEB\",\"updateDate\":0,\"installDate\":0}]");
EOF
else
# The camouflage activation script requires a dbus server for
# properly configuring GNOME, so we start one in the chroot
chroot ${CHROOT} sudo -H -u i2pbrowser sh -c 'eval `dbus-launch --auto-syntax`; tails-activate-win8-theme' || :
fi
# Set the name (e.g. window title) of the browser
set_chroot_browser_name "`gettext \"I2P Browser\"`"
# Set start page to something that explains what's going on
echo 'user_pref("browser.startup.homepage", "'${START_PAGE}'");' >> \
${BROWSER_PROFILE}/user.js
## Remove all bookmarks
rm -f ${CHROOT}/etc/iceweasel/profile/bookmarks.html
rm -f ${BROWSER_PROFILE}/bookmarks.html
rm -f ${BROWSER_PROFILE}/places.sqlite
}
run_browser_in_chroot () {
# Start Iceweasel in the chroot
echo "* Starting I2P Browser"
sudo -u ${SUDO_USER} xhost +SI:localuser:${BROWSER_USER} 2>/dev/null
chroot ${CHROOT} sudo -u ${BROWSER_USER} /usr/bin/iceweasel -DISPLAY=:0.0
sudo -u ${SUDO_USER} xhost -SI:localuser:${BROWSER_USER} 2>/dev/null
}
show_shutdown_notification () {
local title="`gettext \"Shutting down the I2P Browser...\"`"
local body="`gettext \"This may take a while, and you may not restart the I2P Browser until it is properly shut down.\"`"
tails-notify-user "${title}" "${body}" 10000
}
# Prevent multiple instances of the script.
exec 9>${LOCK}
if ! flock -x -n 9; then
error "`gettext \"Another I2P Browser is currently running, or being cleaned up. Please retry in a while.\"`"
fi
if ! netstat -4nlp |grep -wq "127\.0\.0\.1:7657"; then
verify_start
fi
show_start_notification
setup_chroot
configure_chroot
run_browser_in_chroot
show_shutdown_notification
exit 0
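Review bot: With `set -e` in effect, a non-zero exit from iceweasel in run_browser_in_chroot ends the script before the following `xhost -SI:localuser:${BROWSER_USER}` line runs, and the `cleanup` trap does not revoke the grant either, so the i2pbrowser user keeps access to the X display after a browser crash. Moving the revocation into `cleanup`, e.g. `sudo -u ${SUDO_USER} xhost -SI:localuser:${BROWSER_USER} 2>/dev/null || :`, covers every exit path. Separately, the script runs as root and opens `/var/lock/${CMD}` with `exec 9>${LOCK}`; if that directory is writable by unprivileged users on this system (not visible here), a root-only directory would be a safer place for the lock file. Most expansions (`${CHROOT}`, `${mnt}`, `$TMP`, `${SUDO_USER}`) are unquoted; they hold fixed or sudo-provided values today, but quoting them would keep a root script robust if any of them ever changes.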
[Desktop Entry]
Categories=Network;
_Comment=Anonymous overlay network
Exec=/usr/local/bin/tails-start-i2p
Exec=sudo /usr/local/sbin/i2p-browser
Icon=/usr/share/i2p/eepsite/docroot/favicon.ico
_Name=i2p
_Name=I2P-enabled Browser
_GenericName=Anonymous overlay network
Terminal=false
Type=Application
......@@ -12,6 +12,7 @@ PYTHON_PROGS="/etc/whisperback/config.py /usr/local/lib/shutdown-helper-applet \
SHELL_PROGS="/etc/NetworkManager/dispatcher.d/60-tor-ready-notification.sh \
/usr/local/bin/tails-upgrade-frontend-wrapper \
/usr/local/sbin/tails-spoof-mac \
/usr/local/sbin/i2p-browser \
/usr/local/sbin/unsafe-browser /usr/share/tails/truecrypt-wrapper.disabled"
LOCALE_BASEDIR=config/chroot_local-includes/usr/share/locale
......
......@@ -980,12 +980,7 @@ forces HTTPS usage for requests to a number of major websites.
Tails also ships the
[FoxyProxy](https://addons.mozilla.org/fr/firefox/addon/2464/)
extension that:
- allows using I2P instead of Tor to visit eepsites (I2P's own hidden
services look-alike); see [[the design document dedicated to Tails
use of I2P|I2P]] for details;
- could help [[!tails_todo FTP_in_Iceweasel desc="fixing Iceweasel's FTP support"]].
extension that could help [[!tails_todo FTP_in_Iceweasel desc="fixing Iceweasel's FTP support"]].
Thanks to Torbutton, to the Tor Browser patches, and to us importing
(most of) the TBB preferences, Iceweasel is configured so that Tor browser
......
......@@ -11,7 +11,7 @@ be able to access eepsites from Tails.
Versions
========
[I2P](https:/geti2p.net) has been included since Tails v0.7 with Iceweasel
[I2P](https:/geti2p.net) has been included since Tails 0.7 with Iceweasel
preconfigured using FoxyProxy so that eepsites (`.i2p` TLD) are directed to
I2P. All other traffic gets routed through Tor.
......@@ -19,6 +19,8 @@ Starting with Tails 1.1.1, I2P is not enabled by default when Tails starts.
In order to use I2P, a user must add the <span class="command">i2p</span> boot option
to the <span class="application">boot menu</span>.
Starting with Tails 1.2, I2P sites are accessed with the [[I2P Browser]]. The I2P-specific FoxyProxy rules were removed.
<a id="design"></a>
Design
......@@ -63,7 +65,8 @@ directory is not writable by the `i2psvc` user.
For better performance an exception has been made in the [[firewall
configuration|Tor_enforcement/Network_filter]] that grants direct access to the
network for the I2P user running the client so it can reach the I2P
network directly, both through TCP and UDP.
network directly, both through TCP and UDP. I2P is explicitly blocked from
communicating with the LAN.
The I2P router is configured to run in hidden mode: killing I2P
ungracefully is bad for the I2P network, and this is most likely
......@@ -77,41 +80,11 @@ this is a good reason to enable hidden mode, that is to disable
participating in I2P traffic:
[[!tails_gitweb config/chroot_local-hooks/16-i2p_config]].
[[!tails_todo iceweasel_addon_-_FoxyProxy desc="FoxyProxy"]] has been installed
system-wide, and the default iceweasel profile provides with a
configuration handling the I2P integration. FoxyProxy's whitelist
filter is used to make sure that the corresponding urls will be
proxied appropriately.
Below are the patterns that each url handled by iceweasel will be
matched against. These patterns will be tried in order, from top to
bottom, until the first match is found:
1. The I2P router console: urls matching the `http://127.0.0.1:7657/*` wildcard
pattern will get a direct connection to the local host so the I2P
router console can be reached.
2. The local *eepsite*: urls matching the `http://127.0.0.1:7658/*` wildcard
pattern will get a direct connection to the local host so the locally
hosted eepsite can be reached.
3. I2P eepsites: urls matching the
`^https?://[-a-zA-Z0-9.]+\.i2p(:[0-9]{1,5})?(/.*)?$` regexp will be
proxied through the local eepsite HTTP proxy run by the I2P client.
Implementation note: FoxyProxy encloses the regexps between `^` and
`$` itself since `isMultiLine="false"`, that's why the regexp in
`foxyproxy.xml` lacks these chars.
Starting with Tails 1.2, I2P *eepsites* are accessed via the [[I2P Browser]], a
modification of the [[Unsafe Browser]]'s setup scripts. See [[its page|I2P
Browser]] for more information.
4. Tor HTTP(s): urls matching one of the `https://*` and `http://*`
wildcard patterns will be proxied through polipo (and then its
parent proxy, Tor).
5. The rest: all remaining urls will be SOCKS5-proxied through Tor.
Also, do note that Tails' [[netfilter-based
blocking|Tor_enforcement/Network_filter]] ensures that no Internet
traffic can be escape both Tor or I2P (and thus be non-anonymous) even
if something is wrong in the above filters (or a future revision).
Disabling / Enabling I2P
========================
......@@ -130,21 +103,12 @@ Services on I2P are accessed through tunnels built by I2P. Services that a user
hosts, such as an *eepsite* or *IRC Server* are accessed remotely via **Server Tunnels**.
End users will access services using **client tunnels**. I2P is shipped with a
few tunnels preconfigured and the ports that they use have exceptions added to
ferm. These ports include:
ferm. The ports accessible to the `amnesia` user include:
* 4444, I2P HTTP Proxy: Used to access sites with the `.i2p` TLD
* 4445, HTTPS Outproxy tunnel: Disabled in by default in Tails in
[I2PTunnel](http://127.0.0.1:7657/i2ptunnel) since all HTTPS traffic in Tails
gets routed through Tor.
* 6668, Tunnel to Irc2P: Used to connect to the main I2P-only IRC network
* 7656, [SAM](https://geti2p.net/sam): SAM is an application bridge allowing
non-Java clients to use I2P. More information:
[SAMv1](https://geti2p.net/samv1), [SAMv2](https://geti2p.net/samv2),
* 7657, I2P router console: The router console is accessible in the web browser at <http://127.0.0.1:7657>
* 7658, local 'eepsite': Each I2P installation is configured out of the box
with the possibility to host one's own website (or *eepsite*) on the I2P
network. The eepsite will not be acessible remotely unless its
[tunnel](http://127.0.0.1:7657/i2ptunnel#localServerTunnelList) is started.
* 7659, SMTP Proxy: Tunnel to `smtp.postman.i2p`. More information is available from within I2P at [Postman's HQ](http://hq.postman.i2p/?page_id=10)
* 7660, POP3 Proxy: Tunnel to `pop3.postman.i2p`. More information is available from within I2P at [Postman's HQ](http://hq.postman.i2p/?page_id=11)
* 8998, MTN Proxy: Tunnel to `mtn.i2p2.i2p`, a [Monotone](http://monotone.ca) server.
......@@ -170,6 +134,7 @@ Changes from upstream
* i2cp, allowing java clients to communicate with I2P from outside of the JVM, is disabled
* IPv6 is disabled
* Outproxies are disabled
* HiddenMode is set for all users
* Updating I2P from within the I2P network is disabled; updates are done using the .debs
* Inbound connections are disabled
......@@ -227,14 +192,6 @@ scripts in each binary package.
Things to meditate upon
=======================
* Pattern 4 will catch ftp://.* and redirect them to Tor through
SOCKS5. This effectively breaks FTP completely, so there's room for
adding a pattern above number 4 which matches ftp connections
(i.e. `^ftp://.*`) and proxies them through some ftp proxy using Tor
as its parent proxy. See [[!tails_todo FTP_in_Iceweasel]]. As an addition,
at the moment (versions <=0.8) ftp does not work in I2P for
technical reasons, so no pattern for that is needed.
* Do we want to enable the "Hidden mode" which completely disables
participating traffic?
......@@ -255,7 +212,3 @@ Things to meditate upon
- there's no "cover-traffic", which may decrease the anonymity
somewhat.
* Are the patterns used above correct for their intended purposes?
Does the FoxyProxy setup in any way open up for attacks? See
[[!tails_todo iceweasel_addon_-_FoxyProxy]].
Allowed Access
==============
The HTTP Proxy is set to 127.0.0.1 on port 4444 with an exception made for
http://127.0.0.1 which does not go through the proxy. With this set-up, only eepsites (`.i2p`
TLD), offline Tails documentation, and the router console are acessible from I2P Browser.
Also, do note that Tails' [[netfilter-based
blocking|Tor_enforcement/Network_filter]] ensures that no Internet
traffic can escape I2P (and thus be non-anonymous), even if something is
wrong in the above filters (or a future revision).
Ports allowed through the firewall
==================================
I2P is shipped with several preconfigured tunnels, and the ports used have had
exceptions added to ferm. The ports accessible by the i2pbrowser user include:
* 4444, I2P HTTP Proxy: Used to access sites with the `.i2p` TLD
* 7657, I2P router console: The router console is accessible in the web browser at <http://127.0.0.1:7657>
* 7658, local 'eepsite': Each I2P installation is configured out of the box
with the possibility to host one's own website (or *eepsite*) on the I2P
network. The eepsite will not be acessible remotely unless its
[tunnel](http://127.0.0.1:7657/i2ptunnel#localServerTunnelList) is started.
Note: These ports will only be opened if the user explicitly requests I2P at the boot prompt.
See [[!tails_gitweb config/chroot_local-includes/etc/ferm/ferm.conf]] for details.
Security
========
The I2P Browser is run by a separate `i2pbrowser` user, which is only allowed
to make TCP connections to the ports explicitly mentioned above. DNS lookups
are prohibited.
The I2P Browser is run inside a chroot consisting of a throw away
aufs union between a read-only version of the pre-boot Tails
filesystem, and a tmpfs as the rw branch. Hence, the post-boot
filesystem (which contains all user data) isn't available to the
I2P Browser within the chroot. The chroot and aufs union is created
upon I2P Browser start, and is torn down after it exits, forcefully
killing any remaining processes run from inside it.
It should be noted that chroots are pretty weak jails, so an exploit
could easily escape it and have access to the complete filesystem (as
restricted for the `i2pbrowser` user). Hence, the reason for using a
chroot is not for that purpose, but for separating its configuration from the rest of the Tails system.
Code
----
* [[!tails_gitweb config/chroot_local-includes/usr/local/sbin/i2p-browser]]
* [[!tails_gitweb config/chroot_local-includes/usr/share/applications/i2p.desktop.in]]
* [[!tails_gitweb chroot_local-includes/lib/live/config/2080-install-i2p]
* [[!tails_gitweb config/chroot_local-includes/usr/local/bin/tails-activate-win8-theme]]