Commit d197378c authored by anonym's avatar anonym

Merge remote-tracking branch 'origin/devel' into feature/stretch

parents 57f1ab89 0236b115
......@@ -23,6 +23,7 @@
# TARGET_DIST='testing' \
# ./bin/import-package libgsecuredelete
set -x
set -e
set -u
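Review bot: `set -x` echoes every expanded command, variable values included, to stderr, so anything this script is later handed that is sensitive (an authenticated apt proxy URL, a signing passphrase) would land verbatim in build logs; the same applies to the generated inner script in the next hunk, where `set -x` sits inside the `cat > script` heredoc. From the rendered hunk I cannot tell which of the three `set` lines is the added one, only that exactly one line was added. If tracing is meant to stay, a comment such as `# Trace commands: this script handles no secrets` records that the trade-off was considered, or gate it on an environment variable of your choosing, e.g. `[ -z "${DEBUG:-}" ] || set -x` (constructed example).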
......@@ -45,6 +46,7 @@ trap "rm -r $WORKDIR" EXIT HUP INT QUIT TERM
# download source and binary packages
cat > script <<EOF
#!/bin/sh
set -x
set -e
set -u
......
......@@ -37,12 +37,16 @@ perl -pni -E 'exit if m{^label[[:blank:]]+help$}' "${CFG_FILE}"
Echo_message "customize syslinux menu"
sed -i -e "s/Boot menu/Boot Tails/" "${CFG_FILE}"
sed -i -e "s/Boot menu//" "${CFG_FILE}"
sed -i -e "s/menu label Live/menu label Tails/" "${SYSLINUX_PATH}"/live*.cfg
sed -i -r -e 's/(menu label .* )\(failsafe\)/\1(Troubleshooting Mode)/' \
"${SYSLINUX_PATH}"/live*.cfg
cat > "${SYSLINUX_PATH}/tails.cfg" << EOF
menu color sel * #ffffffff #55555555 *
menu color hotsel 1;7;37;40 #ffffffff #22222222 *
menu width 53
menu vshift 12
menu rows 7
menu helpmsgrow 15
......
#!/bin/sh
set -e
# Create the onioncircuits user.
#
# We run onioncircuits under this user,
# which belongs to the debian-tor group.
echo "Creating the onioncircuits user"
adduser --system --quiet --group onioncircuits
adduser onioncircuits debian-tor
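Review bot: `adduser --system --quiet --group onioncircuits` will, with a default adduser configuration, create `/home/onioncircuits`, whereas the sibling tor-controlport-filter hook in this same commit passes `--no-create-home`; a daemon account that never needs a home directory should not get one, both for consistency and to avoid an extra writable directory owned by the account. Suggest `adduser --system --quiet --group --no-create-home onioncircuits`, unless onioncircuits genuinely writes to its home (not visible here). Also worth confirming that membership of `debian-tor` is still required now that a control-port filter exists; if onioncircuits can go through the filter, it does not need direct access to Tor's control socket.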
#!/bin/sh
set -e
# Create the tor-controlport-filter user.
#
# We run tor-controlport-filter under this user,
# which belongs to the debian-tor group.
echo "Creating the tor-controlport-filter user"
adduser --system --quiet --group --no-create-home tor-controlport-filter
adduser tor-controlport-filter debian-tor
......@@ -13,6 +13,8 @@ echo "Install the Tor Browser"
# a new browser profile we can simply copy the profile directory
# without duplicating all extensions.
. /usr/local/lib/tails-shell-library/tor-browser.sh
# Import install_fake_package
. /usr/local/lib/tails-shell-library/build.sh
download_and_verify_files() {
local base_url bundles destination apt_proxy
......@@ -130,42 +132,13 @@ get_firefox_version() {
sed -n 's/^Version=\(.*\)$/\1/p' "${appini}"
}
# Create and install a fake iceweasel package so we can install our
# desired Debian-packaged Iceweasel addons
install_fake_iceweasel_pkg() {
local fake_version tmp
fake_version="${1}"
tmp="$(mktemp -d)"
apt-get install --yes equivs
cat > "${tmp}"/iceweasel.control << EOF
Section: web
Priority: optional
Homepage: https://tails.boum.org/
Standards-Version: 3.6.2
Package: iceweasel
Version: ${fake_version}
Maintainer: Tails developers <amnesia@boum.org>
Architecture: all
Description: (Fake) Iceweasel
Make it possible to install Debian's Iceweasel addons without having to
install a real Iceweasel.
EOF
(
cd "${tmp}"
equivs-build "${tmp}"/iceweasel.control
dpkg -i "${tmp}"/iceweasel_"${fake_version}"_all.deb
)
rm -R "${tmp}"
}
install_debian_extensions() {
local destination
destination="${1}"
shift
apt-get install --yes "${@}"
ln -s /usr/share/xul-ext/adblock-plus/ \
"${destination}"/'{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}'
ln -s /usr/share/xul-ext/ublock-origin/ \
"${destination}"/'uBlock0@raymondhill.net'
}
create_default_profile() {
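Review bot: `install_debian_extensions` creates the symlink to `/usr/share/xul-ext/ublock-origin/` without checking that the directory exists after `apt-get install`, so a renamed or relocated package path yields a dangling symlink in the extensions directory instead of a build failure. Suggest a guard before the `ln -s`: `[ -d /usr/share/xul-ext/ublock-origin ] || { echo 'xul-ext-ublock-origin did not provide /usr/share/xul-ext/ublock-origin' >&2; exit 1; }`. The adblock-plus line had the same weakness, so this is not a regression, but the rewrite is the moment to fix it. `install_debian_extensions` starts inside this hunk; `create_default_profile` continues past its end.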
......@@ -197,7 +170,7 @@ TBB_TARBALLS_BASE_URL="$(cat "${TBB_DIST_URL_FILE}")"
# The Debian Iceweasel extensions we want to install and make
# available in the Tor Browser.
DEBIAN_EXT_PKGS="xul-ext-adblock-plus"
DEBIAN_EXT_PKGS="xul-ext-ublock-origin"
TMP="$(mktemp -d)"
download_and_verify_files "${TBB_TARBALLS_BASE_URL}" "${TBB_TARBALLS}" "${TMP}"
......@@ -218,7 +191,7 @@ rmdir "${TBB_INSTALL}"/TorBrowser/Data/Browser/profile.default/extensions
# Iceweasel equivs package to satisfy the dependencies.
FIREFOX_VERSION=$(get_firefox_version "${TBB_INSTALL}"/application.ini)
FAKE_ICEWEASEL_VERSION=${FIREFOX_VERSION}+fake1
install_fake_iceweasel_pkg "${FAKE_ICEWEASEL_VERSION}"
install_fake_package iceweasel "${FAKE_ICEWEASEL_VERSION}" web
install_debian_extensions "${TBB_EXT}" ${DEBIAN_EXT_PKGS}
mkdir -p "${TBB_PROFILE}"
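Review bot: the positional arguments of `install_fake_package iceweasel "${FAKE_ICEWEASEL_VERSION}" web` are opaque at the call site; from the removed control file the third appears to be the Debian `Section`, but that is inferred, since build.sh is not part of this diff. A one-line comment above the call, `# install_fake_package <package> <version> <section>`, would spare readers a trip to the library, and the same applies to the calls in the torbrowser-launcher, gnome-backgrounds and libdvd-pkg hooks of this commit. `${DEBIAN_EXT_PKGS}` on the next line is unquoted on purpose (word-splitting a space-separated list); a short `# unquoted on purpose: word-split the package list` makes that intent explicit.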
......
#!/bin/sh
set -e
echo "Converting uBlock database dump into sqlite blob"
apt-get install --yes sqlite3
DUMP="/usr/share/tails/ublock-origin/ublock0.dump"
DATABASE="/etc/tor-browser/profile/extension-data/ublock0.sqlite"
mkdir -p "$(dirname "${DATABASE}")"
# The sed expression simply means: remove all CRLF ("\r\n"). The use
# of labels is simply to make this able to remove multiple CRLF to
# create a single (long) line. In the end, this restores the
# diff-friendly dump to the original sqlite dump.
sed ':a;N;$!ba;s_\r\n__g' "${DUMP}" | sqlite3 "${DATABASE}"
echo "Created uBlock sqlite blob successfully"
apt-get purge --yes sqlite3
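Review bot: `apt-get purge --yes sqlite3` removes sqlite3 unconditionally, so if the package was already present before this hook (directly or as a dependency of something else) it is pulled out of the image, and with `--yes` any reverse dependency goes with it. Record whether it was installed first, e.g. `if dpkg-query -W -f='${Status}' sqlite3 2>/dev/null | grep -q 'install ok installed'; then HAD_SQLITE=1; fi` before the install, and skip the purge when `HAD_SQLITE` is set (constructed variable name). Note also that under `set -e` a failing `sed | sqlite3` pipeline aborts before the purge, leaving sqlite3 behind; acceptable for a build hook, but worth a comment so nobody mistakes it for cleanup that always runs.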
#!/bin/sh
# Rationale: onionshare depends on torbrowser-launcher, which we don't
# want (since we install Tor Browser in a different way), so it is
# installed by now. Let's replace it with a fake package.
# Note: this hook must run before the (currently named)
# 19-install-tor-browser-AppArmor-profile hook since the real
# torbrowser-launcher package installs a profile for tor-browser with
# the same name, and this hook will remove it.
set -e
set -u
echo "Install a fake torbrowser-launcher package"
# Import install_fake_package
. /usr/local/lib/tails-shell-library/build.sh
REAL_PKG_VERSION="$(dpkg-query -W -f='${Version}\n' torbrowser-launcher)"
FAKE_PKG_VERSION="${REAL_PKG_VERSION}+tails.fake1"
install_fake_package torbrowser-launcher "${FAKE_PKG_VERSION}" gnome
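Review bot: the header comment's rationale is hard to parse — "which we don't want ..., so it is installed by now" — where the "so" seems to mean that onionshare's dependency has already pulled torbrowser-launcher in despite it being unwanted; suggest `# Rationale: onionshare depends on torbrowser-launcher, so it has been installed by now even though we don't want it (we install Tor Browser differently). Replace it with a fake package.`. The ordering constraint relative to the AppArmor-profile hook is enforced only by hook file names; if the profile path shipped by the real package is known, a `[ ! -e <profile path> ]` check here (placeholder) would turn an accidental reordering into a build failure rather than a silently lost profile.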
......@@ -5,31 +5,9 @@ set -u
echo "Install a fake gnome-backgrounds package"
tmp="$(mktemp -d)"
apt-get install --yes equivs
# Import install_fake_package
. /usr/local/lib/tails-shell-library/build.sh
REAL_PKG_VERSION=$(dpkg-query -W -f='${Version}\n' gnome-backgrounds)
FAKE_PKG_VERSION=${REAL_PKG_VERSION}+tails.fake1
cat > "${tmp}"/gnome-backgrounds.control << EOF
Section: gnome
Priority: optional
Homepage: https://tails.boum.org/
Standards-Version: 3.9.6
Package: gnome-backgrounds
Version: ${FAKE_PKG_VERSION}
Maintainer: Tails developers <amnesia@boum.org>
Architecture: all
Description: (Fake) gnome-backgrounds
Make it possible to install gnome-shell without having to
install a real gnome-backgrounds package.
EOF
(
cd "${tmp}"
equivs-build "${tmp}"/gnome-backgrounds.control
dpkg -i "${tmp}"/gnome-backgrounds_"${FAKE_PKG_VERSION}"_all.deb
)
rm -R "${tmp}"
install_fake_package gnome-backgrounds "${FAKE_PKG_VERSION}" gnome
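Review bot: with the equivs block gone, `tmp="$(mktemp -d)"` and `apt-get install --yes equivs` at the top of this hunk appear to survive on the new side (the rendered diff loses the markers, so this is inferred from their position ahead of the removed control-file block); if so, the temporary directory is now created and never removed, and equivs is installed for nothing unless `install_fake_package` itself needs it. Either drop both lines or, if build.sh relies on equivs, let the library install it so every caller behaves the same. The libdvd-pkg hook hunk later in this commit shows the same pair of lines in the same position.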
......@@ -16,6 +16,15 @@ apt-get install --yes \
aufs-dkms \
virtualbox-guest-dkms
MODULES_VERSION="$(dpkg-query -W -f='${Version}\n' virtualbox-guest-dkms \
| sed -E 's,-.*,,')"
dkms build \
-a i386 -k "${KERNEL_VERSION}-686" \
-m virtualbox-guest -v "$MODULES_VERSION"
dkms install \
-a i386 -k "${KERNEL_VERSION}-686" \
-m virtualbox-guest -v "$MODULES_VERSION"
# clean the build directory
# rm -r /var/lib/dkms/virtualbox-guest/
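Review bot: `MODULES_VERSION` can silently end up empty — `set -e` does not catch a failing `dpkg-query` here because the pipeline's status is `sed`'s, and if this hook runs under `/bin/sh` there is no `pipefail` to lean on — after which `dkms build ... -v ""` runs with a nonsensical version. Add `[ -n "${MODULES_VERSION}" ] || { echo 'cannot determine virtualbox-guest-dkms version' >&2; exit 1; }` right after the assignment. The architecture and kernel flavour (`-a i386`, `-k "${KERNEL_VERSION}-686"`) are hard-coded twice; if the surrounding file already derives them, reuse that, otherwise a comment explaining why only the 686 flavour is built would help the next maintainer.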
......
......@@ -4,6 +4,9 @@ set -u
echo "Installing libdvd-pkg"
# Import install_fake_package
. /usr/local/lib/tails-shell-library/build.sh
apt-get --yes install libdvd-pkg
dpkg-reconfigure libdvd-pkg
......@@ -12,31 +15,8 @@ dpkg-reconfigure libdvd-pkg
# libdvd-pkg. libdvd-pkg however depends on build-essential, which is
# explicitly removed. So instead we build/install a fake libdvd-pkg
# without the build-essential dependency to satisfy libdvdcss2.
tmp="$(mktemp -d)"
apt-get install --yes equivs
LIBDVD_PKG_VERSION="$(dpkg-query -s libdvd-pkg | grep Version | cut -d ' ' -f2)+fake1"
cat > "${tmp}/libdvd-pkg-${LIBDVD_PKG_VERSION}.control" << EOF
Section: multimedia
Priority: optional
Homepage: https://tails.boum.org/
Standards-Version: 3.6.2
Package: libdvd-pkg
Version: ${LIBDVD_PKG_VERSION}
Maintainer: Tails developers <amnesia@boum.org>
Architecture: all
Description: (Fake) libdvd-pkg package
Provide placeholder to keep libdvdcss2 happy.
EOF
(
cd "${tmp}"
equivs-build "libdvd-pkg-${LIBDVD_PKG_VERSION}.control"
dpkg -i "libdvd-pkg_${LIBDVD_PKG_VERSION}_all.deb"
)
rm -rf "${tmp}" /usr/src/libdvd-pkg
install_fake_package libdvd-pkg "${LIBDVD_PKG_VERSION}" multimedia
# Verify installed packages:
for x in libdvd-pkg
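Review bot: `rm -rf "${tmp}" /usr/src/libdvd-pkg` looks to be on the removed side of this hunk (inferred, since `${tmp}` has no remaining use), which also drops the cleanup of `/usr/src/libdvd-pkg` that the real `apt-get --yes install libdvd-pkg` / `dpkg-reconfigure` earlier in this file can leave behind; if that directory still exists after the fake package is installed it stays in the image. Suggest keeping `rm -rf /usr/src/libdvd-pkg` after the `install_fake_package` call, with a comment saying it is the real package's build tree. `LIBDVD_PKG_VERSION` is still derived with `dpkg-query -s ... | grep Version | cut`, where `dpkg-query -W -f='${Version}'`, as used by the other hooks in this commit, is exact and independent of field order.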
......
......@@ -18,6 +18,9 @@ rm $POTFILES_DOT_IN
# (by the 10-tbb hook)
rm /usr/share/tails/tbb-*.txt
# This shell library is only used during build
rm /usr/local/lib/tails-shell-library/build.sh
# Remove the snakeoil SSL key pair generated by ssl-cert
find /etc/ssl/certs /etc/ssl/private |
while read f; do
......@@ -32,3 +35,6 @@ update-ca-certificates
# debugging (and slightly make things easier for malware, perhaps) and
# otherwise just occupy disk space.
rm -f /boot/*.map /boot/*.map-*
# Remove text dump of uBlock settings file
rm -rf /usr/share/tails/ublock-origin/
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/private-files-strict>
#include <abstractions/python>
# Why are these not in abstractions/python?
/usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/ rw,
/usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/* rw,
/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/ rw,
/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/* rw,
/usr/lib{,32,64}/python{2,3}/**/__pycache__/ rw,
/usr/lib{,32,64}/python{2,3}/**/__pycache__/* rw,
/bin/dash rix,
/proc/*/mounts r,
/proc/*/fd/ r,
/sbin/ldconfig rix,
/sbin/ldconfig.real rix,
/bin/uname rix,
/etc/mime.types r,
/usr/share/onionshare/ r,
/usr/share/onionshare/** r,
/tmp/ rw,
/tmp/** rw,
# Allow read on almost anything in @{HOME}. Lenient, but
# private-files-strict is in effect.
owner @{HOME}/ r,
owner @{HOME}/[^.]** r,
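Review bot: `/tmp/ rw,` and `/tmp/** rw,` grant the confined process read/write on every file under /tmp regardless of owner, which is broader than a per-user application needs and lets a compromised OnionShare read or overwrite other accounts' temporary files; `owner /tmp/** rw,` (the qualifier already used for `@{HOME}` below) restricts it to the process's own UID. The `rw` grants on the system-wide `__pycache__` directories under /usr/lib are likewise wider than necessary — DAC stops them in practice, but the profile need not document write access to interpreter-wide bytecode caches, and `r` would suffice if the caches are pre-built in the image. `/bin/dash rix,` also deserves a why-comment naming which OnionShare code path spawns a shell, since `ix` keeps the shell inside this profile with all of the above permissions.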
# Site-specific additions and overrides for usr.bin.onionshare.
# For more details, please see /etc/apparmor.d/local/README.
# Site-specific additions and overrides for usr.bin.onionshare-gui.
# For more details, please see /etc/apparmor.d/local/README.
#include <tunables/global>
/usr/bin/onioncircuits {
#include <abstractions/base>
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/nameservice>
#include <abstractions/python>
# Why are these not in abstractions/python?
/usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/ rw,
/usr/lib{,32,64}/python{2,3}.[0-9]/__pycache__/* rw,
/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/ rw,
/usr/lib{,32,64}/python{2,3}.[0-9]/**/__pycache__/* rw,
/usr/lib{,32,64}/python{2,3}/**/__pycache__/ rw,
/usr/lib{,32,64}/python{2,3}/**/__pycache__/* rw,
/usr/bin/ r,
/usr/bin/onioncircuits r,
/usr/share/xml/iso-codes/** r,
deny /etc/machine-id r,
# Accessibility support
owner /{,var/}run/user/*/at-spi2-*/ rw,
owner /{,var/}run/user/*/at-spi2-*/** rw,
}
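Review bot: unlike the onionshare and onionshare-gui profiles in this commit, the `/usr/bin/onioncircuits` profile has no `#include <local/usr.bin.onioncircuits>` line and no matching local file, so site-specific overrides cannot be added without editing the shipped profile; add the include as the last line before `}` and an `/etc/apparmor.d/local/usr.bin.onioncircuits` stub like the two added here. The profile has no explicit `network` rule, so its ability to reach Tor's control port rests entirely on the included abstractions; a comment naming which abstraction is relied on for that would make the dependency visible and keep a future abstraction cleanup from silently breaking it.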
#include <tunables/global>
/usr/bin/onionshare {
#include <abstractions/onionshare>
/usr/bin/ r,
/usr/bin/onionshare r,
#include <local/usr.bin.onionshare>
}
#include <tunables/global>
/usr/bin/onionshare-gui {
#include <abstractions/gnome>
#include <abstractions/ibus>
#include <abstractions/onionshare>
/usr/bin/ r,
/usr/bin/onionshare-gui r,
/proc/*/cmdline r,
# The freedesktop.org abstraction doesn't allow `k`
/usr/share/icons/*/index.theme k,
# Why do these still emit audit journal entries?
owner @{HOME}/.config/ibus/bus/ rw,
owner @{HOME}/.config/ibus/bus/* rw,
deny @{HOME}/.ICEauthority r,
deny /etc/machine-id r,
deny /var/lib/dbus/machine-id.* rw,
# Accessibility support
owner /{,var/}run/user/*/at-spi2-*/ rw,
owner /{,var/}run/user/*/at-spi2-*/** rw,
#include <local/usr.bin.onionshare-gui>
}
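Review bot: `/proc/*/cmdline r,` lets the GUI read the command line of every process on the system, which can expose arguments (paths, tokens) of unrelated programs; if it only needs its own or its children's command line, `owner /proc/*/cmdline r,` restricts the read to processes of the same UID, and a comment saying what it is needed for would justify the rule either way. The `k` rule and the ibus rules are explained in comments, which is good; the `deny` lines for machine-id and `.ICEauthority` silence audit noise but also make those reads fail, so it is worth confirming that nothing in onionshare-gui degrades when they do.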
......@@ -52,16 +52,16 @@ domain ip {
}
# White-list access to Tor's ControlPort
daddr 127.0.0.1 proto tcp dport 9051 {
mod owner uid-owner tor-launcher ACCEPT;
daddr 127.0.0.1 proto tcp dport 9052 {
# Needed by a workaround in tordate (NM's 20-time.sh hook)
# for temporarily changing Tor's logging severity.
mod owner uid-owner root ACCEPT;
}
# White-list access to the Tor control port filter
daddr 127.0.0.1 proto tcp dport 9052 {
daddr 127.0.0.1 proto tcp dport 9051 {
mod owner uid-owner $amnesia_uid ACCEPT;
mod owner uid-owner tor-launcher ACCEPT;
}
# White-list access to Tor's TransPort
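Review bot: this hunk swaps the two ports — Tor's real ControlPort becomes 9052 (root only) and the control-port filter takes 9051 (`$amnesia_uid` and tor-launcher) — so every consumer that hard-codes 9051 now reaches the filter rather than Tor; that is presumably the intent (tor-launcher loses unfiltered control-port access), but it only holds if torrc's `ControlPort` and the filter's listen port are changed in the same merge, which is not visible here. A comment on the 9052 block such as `# Only root may talk to the unfiltered ControlPort; everything else goes through the filter on 9051` would record the design next to the rule. A test asserting that a non-root connection to 9052 is refused would keep a future torrc edit from quietly reopening it.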
......@@ -119,6 +119,11 @@ domain ip {
daddr 127.0.0.1 proto tcp syn dport 6136 {
mod owner uid-owner $amnesia_uid ACCEPT;
}
# White-list access to OnionShare
daddr 127.0.0.1 proto tcp syn dport 17600:17650 {
mod owner uid-owner amnesia ACCEPT;
}
}
# clearnet is allowed to connect to any TCP port via the
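Review bot: the new rule uses the literal user name `amnesia` (`mod owner uid-owner amnesia ACCEPT;`) while every other rule in this file, including the 6136 block just above, uses `$amnesia_uid`; use the variable so that a UID change is applied everywhere. Since this opens a 51-port range on localhost, a comment stating why OnionShare needs a range rather than a fixed port (random port selection within 17600:17650, presumably) would justify the width. Whether the Tor daemon's own UID may reach this range — onion-service traffic is delivered by Tor, not by the amnesia user — is decided elsewhere in the file and worth confirming when this lands.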
......