Commit cca902e0 authored by intrigeri's avatar intrigeri

Merge remote-tracking branch 'origin/devel' into feature/11082-deprecate-liferea

parents a2e14c11 4625f031
......@@ -26,7 +26,7 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
# Kernel version
KERNEL_VERSION='4.15.0-2'
KERNEL_VERSION='4.16.0-2'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
......@@ -59,10 +59,6 @@ Package: systemd systemd-sysv systemd-container systemd-journal-remote systemd-c
Pin: release o=Debian,n=stretch-backports
Pin-Priority: 999
Package: onionshare
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: openpgp-applet
Pin: release o=Debian,n=sid
Pin-Priority: 999
......@@ -72,7 +68,7 @@ Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: virtualbox*
Pin: release o=Debian,n=sid
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Explanation: src:xorg-server
......@@ -81,7 +77,7 @@ Pin: release o=Debian,n=stretch
Pin-Priority: 999
Package: xul-ext-ublock-origin
Pin: release o=Debian,n=sid
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: pdf-redact-tools
......
#! /bin/sh
set -e
set -u
echo "Configure Enigmail's version"
# Import set_mozilla_pref()
. /usr/local/lib/tails-shell-library/tor-browser.sh
# Rationale: the only way to suppress Enigmail's "first run" wizard is
# to have *some* version configured. But too old versions might
# trigger work-around code to run unnecessarily.
version="$(dpkg-query --show \
--showformat='${source:Upstream-Version}' \
enigmail)"
set_mozilla_pref /etc/xul-ext/enigmail.js \
extensions.enigmail.configuredVersion \
"\"${version}\""
......@@ -9,6 +9,7 @@ echo "Building VirtualBox guest modules"
. /usr/share/amnesia/build/variables
# Import ensure_hook_dependency_is_installed()
# and install_fake_package()
. /usr/local/lib/tails-shell-library/build.sh
# Any -dkms package must be installed *after* dkms to be properly registered
......@@ -39,6 +40,10 @@ done
# built binary module; let's delete it before the package gets purged.
rm /var/lib/dpkg/info/virtualbox-guest-dkms.prerm
# Also copy the udev rules installed by virtualbox-guest-dkms to enable guest
# additions by default.
cp -a /lib/udev/rules.d/60-virtualbox-guest-dkms.rules /etc/udev/rules.d/
# Install a fake package so that the real virtualbox-guest-dkms can be purged
# when the clean-up for this hook happens, even if virtualbox-guest-utils
# depends on it. The 4th parameter needs to embed the real package version
# since there's a dependency on the source version between packages.
REAL_PKG_VERSION=$(dpkg-query -W -f='${Version}\n' virtualbox-guest-dkms)
FAKE_PKG_VERSION=${REAL_PKG_VERSION}+tails.fake1
install_fake_package virtualbox-guest-dkms-dummy "${FAKE_PKG_VERSION}" kernel "virtualbox-guest-dkms (= ${REAL_PKG_VERSION})"
---
- exe-paths:
- apparmor-profiles:
- '/usr/bin/onioncircuits'
users:
- 'amnesia'
......
---
- exe-paths:
- apparmor-profiles:
- '/usr/bin/onionshare'
- '/usr/bin/onionshare-gui'
users:
......
---
- exe-paths:
- '/usr/local/lib/tor-browser/firefox'
- apparmor-profiles:
- 'torbrowser_firefox'
users:
- 'amnesia'
commands:
......
---
- exe-paths:
- apparmor-profiles:
- '/usr/local/lib/tor-browser/firefox-unconfined'
users:
- 'tor-launcher'
......
......@@ -34,21 +34,6 @@ start_thunderbird() {
configure_default_incoming_protocol
# Apply only the relevant parts of Debian's Icedove → Thunderbird
# migration procedure.
TB_PROFILE_FOLDER="${THUNDERBIRD_CONFIG_DIR}"
if [ ! -f "${TB_PROFILE_FOLDER}/.migrated" ]; then
# Debian's migration helpers are not designed to have set -e
# or -u enabled.
set +e
set +u
. /usr/lib/thunderbird/thunderbird-wrapper-helper.sh
do_fix_mimetypes_rdf
do_create_migrated_mark_file
set -e
set -u
fi
exec /usr/bin/thunderbird --class "Thunderbird" -profile "${PROFILE}" "${@}"
}
......
......@@ -12,8 +12,10 @@
# dictionary looking something like this:
#
# - name: blabla
# exe-paths:
# - path_to_executable
# apparmor-profiles:
# - path_to_executable_if_that_is_the_name_of_the_apparmor_profile
# # or
# - explicit_apparmor_profile_name
# ...
# users:
# - user
......@@ -47,10 +49,10 @@
# least one of the elements match the client. For local (loopback)
# clients the following qualifiers are relevant:
#
# * `exe-paths`: a list of strings, each describing the path to
# the binary or script of the client with `*` matching
# anything. While this matcher always works for binaries, it only
# works for scripts with an enabled AppArmor profile (not
# * `apparmor-profiles`: a list of strings, each being the name
# of the AppArmor profile applied to the binary or script of the client,
# with `*` matching anything. While this matcher always works for binaries,
# it only works for scripts with an enabled AppArmor profile (not
# necessarily enforced, complain mode is good enough).
#
# * `users`: a list of strings, each describing the user of the
......@@ -163,7 +165,7 @@ def pid_of_laddr(address):
return None
def exe_path_of_pid(pid):
def apparmor_profile_of_pid(pid):
# Here we leverage AppArmor's in-kernel solution for determining
# the exact executable invoked. Looking at /proc/pid/exe when an
# interpreted script is running will just point to the
......@@ -172,12 +174,12 @@ def exe_path_of_pid(pid):
# using one of its profiles. However, we fallback to /proc/pid/exe
# in case there is no AppArmor profile, so the only unsupported
# mode here is unconfined scripts.
enabled_aa_profile_re = r'^(/.+) \((?:complain|enforce)\)$'
enabled_aa_profile_re = r'^(.+) \((?:complain|enforce)\)$'
with open('/proc/{}/attr/current'.format(str(pid)), "rb") as fh:
aa_profile_status = str(fh.read().strip(), 'UTF-8')
exe_path_match = re.match(enabled_aa_profile_re, aa_profile_status)
if exe_path_match:
return exe_path_match.group(1)
apparmor_profile_match = re.match(enabled_aa_profile_re, aa_profile_status)
if apparmor_profile_match:
return apparmor_profile_match.group(1)
else:
return psutil.Process(pid).exe()
......@@ -580,11 +582,11 @@ class FilteredControlPortProxyHandler(socketserver.StreamRequestHandler):
# client being killed before we find the PID.
if not self.client_pid:
return
client_exe_path = exe_path_of_pid(self.client_pid)
client_apparmor_profile = apparmor_profile_of_pid(self.client_pid)
client_user = psutil.Process(self.client_pid).username()
matchers = [
('exe-paths', client_exe_path),
('users', client_user),
('apparmor-profiles', client_apparmor_profile),
('users', client_user),
]
else:
self.client_pid = None
......@@ -593,9 +595,9 @@ class FilteredControlPortProxyHandler(socketserver.StreamRequestHandler):
]
self.match_and_parse_filter(matchers)
if local_connection:
self.client_desc = '{exe} (pid: {pid}, user: {user}, ' \
self.client_desc = '{aa_profile} (pid: {pid}, user: {user}, ' \
'port: {port}, filter: {filter_name})'.format(
exe=client_exe_path,
aa_profile=client_apparmor_profile,
pid=self.client_pid,
user=client_user,
port=self.client_address[1],
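Review bot: `apparmor_profile_of_pid()` still falls back to `psutil.Process(pid).exe()` when the process has no enabled profile, so the value matched against `apparmor-profiles` and logged as `{aa_profile}` can be an executable path rather than a profile name. With the regex relaxed to `^(.+) \((?:complain|enforce)\)$` and filters now listing bare names such as `torbrowser_firefox`, one key carries two namespaces, and a `*` pattern written for profile names would presumably also match the exe path of an unconfined client. I would add a docstring that says so, e.g. `"""Return the name of the enabled AppArmor profile confining pid, or the path of its executable if it is unconfined."""`, and mention the fallback in the `apparmor-profiles` entry of the header comment. The function body is split across two hunks and its middle is not shown.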
......
......@@ -36,10 +36,11 @@ ensure_hook_dependency_is_installed() {
}
install_fake_package() {
local name version section tmp control_file
local name version section provides tmp control_file
name="${1}"
version="${2}"
section="${3:-misc}"
provides="${4:-}"
ensure_hook_dependency_is_installed equivs
tmp="$(mktemp -d)"
control_file="${tmp}/${name}_${version}.control"
......@@ -53,6 +54,7 @@ Package: ${name}
Version: ${version}
Maintainer: Tails developers <tails@boum.org>
Architecture: all
Provides: ${provides}
Description: (Fake) ${name}
Dummy packaged used to meet some dependency without installing the
real ${name} package.
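Review bot: The new `Provides: ${provides}` line in the control file template is written even when the fourth argument is omitted, because `provides="${4:-}"` then expands to an empty string. Existing three-argument callers would get an empty `Provides:` field, which equivs or dpkg may warn about or reject; I have not verified how equivs treats it. The field should be written only when `provides` is non-empty, and appended separately rather than replaced by a blank line, since a blank line would end the control stanza. A short comment above the assignment, such as `# Optional 4th argument: value of the Provides field`, would document the new parameter. The function body and the here-document both continue outside the hunks shown.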
......
......@@ -244,7 +244,7 @@ sub getUrlDateDiff {
rmtree($tmpdir);
defined $newestdt or error "Could not get any Date header";
defined $newestdt or error "Could not get any Date header from $url";
my $newest_epoch = $newestdt->epoch();
my $diff = $newest_epoch - $local;
......
......@@ -128,21 +128,6 @@ migrate_persistence_preset()
fi
}
migrate_icedove_to_thunderbird() {
local CONFIG="${1}"
local PERSISTENCE_DIR="$(dirname "${CONFIG}")"
if [ -d "${PERSISTENCE_DIR}/thunderbird" ] || \
! [ -d "${PERSISTENCE_DIR}/icedove" ]
then
return
fi
mv "${PERSISTENCE_DIR}/icedove" "${PERSISTENCE_DIR}/thunderbird"
add_persistence_preset /home/amnesia/.thunderbird thunderbird "${conf}"
remove_persistence_preset /home/amnesia/.icedove "${conf}"
# The script /usr/local/bin/thunderbird takes care of the rest of
# the migration when starting Thunderbird.
}
# We override live-boot's logging facilities to get more useful error messages
log_warning_msg ()
{
......@@ -384,21 +369,6 @@ activate_volumes ()
fi
done
# Migrate persistence settings
for conf in $(ls /live/persistence/*_unlocked/persistence.conf || true)
do
migrate_icedove_to_thunderbird "${conf}"
# Let's make sure to get rid of any Enigmail configuredVersion
# that we previously used to set in a way that would become
# persistent in these files (see #12680).
tb_profile="$(dirname "${conf}")/thunderbird/profile.default"
rm -f "${tb_profile}/preferences/0000tails.js"
sed -i --regexp-extended \
'/^(user_)?pref\("extensions\.enigmail\.configuredVersion",/d' \
"${tb_profile}/prefs.js"
done
# Fix permissions on persistent directories that were created
# with unsafe permissions.
for persistent_fs in $(ls -d /live/persistence/*_unlocked || true)
......
diff --git a/etc/apparmor.d/torbrowser.Browser.firefox b/etc/apparmor.d/torbrowser.Browser.firefox
index d0aded9..3be3872 100644
--- a/etc/apparmor.d/torbrowser.Browser.firefox
+++ b/etc/apparmor.d/torbrowser.Browser.firefox
@@ -1,8 +1,9 @@
@@ -1,10 +1,11 @@
#include <tunables/global>
#include <tunables/torbrowser>
-/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox {
+/usr/local/lib/tor-browser/firefox {
-@{torbrowser_firefox_executable} = /home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox
+@{torbrowser_firefox_executable} = /usr/local/lib/tor-browser/firefox
profile torbrowser_firefox @{torbrowser_firefox_executable} {
#include <abstractions/gnome>
+ #include <abstractions/ibus>
# Uncomment the following lines if you want to give the Tor Browser read-write
# access to most of your personal files.
@@ -22,13 +23,16 @@
@@ -25,13 +26,16 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
deny /etc/passwd r,
deny /etc/group r,
deny /etc/mailcap r,
......@@ -30,7 +34,7 @@
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
@@ -36,28 +40,32 @@
@@ -39,30 +43,32 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
owner @{PROC}/@{pid}/task/*/stat r,
@{PROC}/sys/kernel/random/uuid r,
......@@ -44,6 +48,8 @@
- owner @{torbrowser_home_dir}.bak/ rwk,
- owner @{torbrowser_home_dir}.bak/** rwk,
- owner @{torbrowser_home_dir}/*.so mr,
- owner @{torbrowser_home_dir}/.cache/fontconfig/ rwk,
- owner @{torbrowser_home_dir}/.cache/fontconfig/** rwkl,
- owner @{torbrowser_home_dir}/components/*.so mr,
- owner @{torbrowser_home_dir}/browser/components/*.so mr,
- owner @{torbrowser_home_dir}/firefox rix,
......@@ -85,7 +91,7 @@
/etc/mailcap r,
/etc/mime.types r,
@@ -80,12 +88,6 @@
@@ -85,12 +91,6 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/sys/devices/system/node/node[0-9]*/meminfo r,
deny /sys/devices/virtual/block/*/uevent r,
......@@ -98,7 +104,7 @@
# Required for multiprocess Firefox (aka Electrolysis, i.e. e10s)
owner /{dev,run}/shm/org.chromium.* rw,
@@ -99,6 +101,32 @@
@@ -104,6 +104,32 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
deny @{HOME}/.cache/fontconfig/** rw,
deny @{HOME}/.config/gtk-2.0/ rw,
deny @{HOME}/.config/gtk-2.0/** rw,
......@@ -131,7 +137,7 @@
deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
@@ -110,5 +138,11 @@
@@ -119,5 +145,10 @@ profile torbrowser_firefox @{torbrowser_firefox_executable} {
/etc/xfce4/defaults.list r,
/usr/share/xfce4/applications/ r,
......@@ -143,25 +149,24 @@
+ deny owner /tmp/** rwklx,
+ deny /tmp/ rwklx,
}
+
diff --git a/etc/apparmor.d/torbrowser.Browser.plugin-container b/etc/apparmor.d/torbrowser.Browser.plugin-container
index fe95fdb..7ebf9d6 100644
--- a/etc/apparmor.d/torbrowser.Browser.plugin-container
+++ b/etc/apparmor.d/torbrowser.Browser.plugin-container
@@ -8,10 +8,10 @@ profile torbrowser_plugin_container {
# to have direct access to your sound hardware. You will also
# need to remove the "deny" word in the machine-id lines further
# bellow.
@@ -10,9 +10,9 @@ profile torbrowser_plugin_container {
# - the "deny" word in the machine-id lines
# - the rules that deny reading /etc/pulse/client.conf
# and executing /usr/bin/pulseaudio
- # #include <abstractions/audio>
- # /etc/asound.conf r,
- # owner @{PROC}/@{pid}/fd/ r,
- # owner @{torbrowser_home_dir}/TorBrowser/Data/Browser/profile.default/tmp/mozilla-temp-* rw,
+ #include <abstractions/audio>
+ /etc/asound.conf r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{HOME}/.tor-browser/profile.default/tmp/mozilla-temp-* rw,
deny /etc/host.conf r,
deny /etc/hosts r,
@@ -21,8 +21,10 @@ profile torbrowser_plugin_container {
signal (receive) set=("term") peer=torbrowser_firefox,
@@ -24,8 +24,8 @@ profile torbrowser_plugin_container {
deny /etc/group r,
deny /etc/mailcap r,
......@@ -169,12 +174,10 @@
- deny /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
+
+ /usr/share/applications/gnome-mimeapps.list r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/stat r,
@@ -30,28 +32,27 @@ profile torbrowser_plugin_container {
/etc/mime.types r,
/usr/share/applications/gnome-mimeapps.list r,
@@ -39,28 +39,27 @@ profile torbrowser_plugin_container {
owner @{PROC}/@{pid}/task/*/stat r,
@{PROC}/sys/kernel/random/uuid r,
......@@ -224,12 +227,16 @@
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/present r,
@@ -77,6 +78,12 @@ profile torbrowser_plugin_container {
@@ -86,10 +85,16 @@ profile torbrowser_plugin_container {
deny @{PROC}/@{pid}/net/route r,
deny /sys/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
deny /sys/devices/system/cpu/*/cache/index[0-9]*/size r,
+ deny @{HOME}/.cache/fontconfig/ w,
# Silence denial logs about PulseAudio
deny /etc/pulse/client.conf r,
deny /usr/bin/pulseaudio x,
- #include <local/torbrowser.Browser.plugin-container>
+ # Deny access to global tmp directories, that's granted by the user-tmp
+ # abstraction, which is sourced by the gnome abstraction, that we include.
......@@ -238,6 +245,8 @@
+ deny owner /tmp/** rwklx,
+ deny /tmp/ rwklx,
}
diff --git a/etc/apparmor.d/tunables/torbrowser b/etc/apparmor.d/tunables/torbrowser
index 9b31139..f77e082 100644
--- a/etc/apparmor.d/tunables/torbrowser
+++ b/etc/apparmor.d/tunables/torbrowser
@@ -1,2 +1 @@
......
diff --git a/usr/lib/python3/dist-packages/tailsgreeter/persistence.py b/usr/lib/python3/dist-packages/tailsgreeter/persistence.py
index e1415fa..cabefd6 100644
--- a/usr/lib/python3/dist-packages/tailsgreeter/persistence.py
+++ b/usr/lib/python3/dist-packages/tailsgreeter/persistence.py
@@ -54,15 +54,17 @@ class PersistenceSettings(object):
Returns: True if everything went fine, False if the user should try
again."""
logging.debug("Unlocking persistence")
- try:
- self.activate_container(
- device=self.containers[0]['path'],
- password=passphrase,
- readonly=readonly)
- self.is_unlocked = True
- return True
- except tailsgreeter.errors.WrongPassphraseError:
- return False
+ for container in self.containers:
+ try:
+ self.activate_container(
+ device=container['path'],
+ password=passphrase,
+ readonly=readonly)
+ self.is_unlocked = True
+ return True
+ except tailsgreeter.errors.WrongPassphraseError:
+ pass
+ return False
def lock(self):
logging.debug("Locking persistence")
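Review bot: The new loop tries the passphrase against every entry in `self.containers` and drops each `WrongPassphraseError` with a bare `pass`, so nothing records which device rejected it or which one was finally unlocked. If `self.containers` can include volumes on devices other than the boot medium (not visible in this hunk), the first one that accepts the passphrase is activated, so it is worth confirming how that list is ordered and filtered. I would replace `pass` with `logging.debug("Wrong passphrase for %s", container['path'])` and log the path of the unlocked container before `return True`. The method's signature and the start of its docstring are outside the hunk.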
@@ -133,7 +135,7 @@ class PersistenceSettings(object):
"/sbin/cryptsetup", "luksClose",
self.cleartext_name
]
- self.check_output_and_error(
+ tailsgreeter.utils.check_output_and_error(
args,
exception=tailsgreeter.errors.LivePersistError,
error_message=_("cryptsetup failed with return code "
deb http://deb.torproject.org/torproject.org stretch main
deb http://deb.torproject.org/torproject.org sid main
tails (3.9) UNRELEASED; urgency=medium
* Dummy entry for next major release.
-- Tails developers <tails@boum.org> Sat, 09 Jun 2018 15:22:28 +0000
tails (3.8) unstable; urgency=medium
* Security fixes
......
......@@ -70,26 +70,26 @@ Feature: Browsing the web using the Tor Browser
And the file "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html" exists
And the file "/live/overlay/home/amnesia/.gnupg/synaptic.html" exists
And the file "/tmp/synaptic.html" exists
Given I start monitoring the AppArmor log of "/usr/local/lib/tor-browser/firefox"
Given I start monitoring the AppArmor log of "torbrowser_firefox"
When I start the Tor Browser
And the Tor Browser loads the startup page
And I open the address "file:///home/amnesia/Tor Browser/synaptic.html" in the Tor Browser
Then I see "TorBrowserSynapticManual.png" after at most 5 seconds
And AppArmor has not denied "/usr/local/lib/tor-browser/firefox" from opening "/home/amnesia/Tor Browser/synaptic.html"
Given I restart monitoring the AppArmor log of "/usr/local/lib/tor-browser/firefox"
And AppArmor has not denied "torbrowser_firefox" from opening "/home/amnesia/Tor Browser/synaptic.html"
Given I restart monitoring the AppArmor log of "torbrowser_firefox"
When I open the address "file:///home/amnesia/.gnupg/synaptic.html" in the Tor Browser
Then I do not see "TorBrowserSynapticManual.png" after at most 5 seconds
And AppArmor has denied "/usr/local/lib/tor-browser/firefox" from opening "/home/amnesia/.gnupg/synaptic.html"
Given I restart monitoring the AppArmor log of "/usr/local/lib/tor-browser/firefox"
And AppArmor has denied "torbrowser_firefox" from opening "/home/amnesia/.gnupg/synaptic.html"
Given I restart monitoring the AppArmor log of "torbrowser_firefox"
When I open the address "file:///lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html" in the Tor Browser
Then I do not see "TorBrowserSynapticManual.png" after at most 5 seconds
And AppArmor has denied "/usr/local/lib/tor-browser/firefox" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html"
Given I restart monitoring the AppArmor log of "/usr/local/lib/tor-browser/firefox"
And AppArmor has denied "torbrowser_firefox" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html"
Given I restart monitoring the AppArmor log of "torbrowser_firefox"
When I open the address "file:///live/overlay/home/amnesia/.gnupg/synaptic.html" in the Tor Browser
Then I do not see "TorBrowserSynapticManual.png" after at most 5 seconds
# Due to our AppArmor aliases, /live/overlay will be treated
# as /lib/live/mount/overlay.
And AppArmor has denied "/usr/local/lib/tor-browser/firefox" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html"
And AppArmor has denied "torbrowser_firefox" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html"
# We do not get any AppArmor log for when access to files in /tmp is denied
# since we explictly override (commit 51c0060) the rules (from the user-tmp
# abstration) that would otherwise allow it, and we do so with "deny", which
......
Subproject commit 84295fc49a4778dd60a4a3e9b3075e1b341a356d
Subproject commit 8ed212d3987b8aed42d89dd0137bd44bad4a0a6c