Commit e0c8f696 authored by samueldibella's avatar samueldibella
Browse files

Merge remote-tracking branch 'origin/master' into doc/18113-external-hard-disk

Merge from new-release master, to review branch edits
parents 2d0cca4a 44774ca3
......@@ -11,7 +11,3 @@
[submodule "submodules/tails-workarounds"]
path = submodules/tails-workarounds
url = https://gitlab.tails.boum.org/tails/workarounds.git
[submodule "submodules/sof"]
path = submodules/sof
url = https://github.com/thesofproject/sof-bin.git
branch = stable-v1.5.1
......@@ -523,6 +523,8 @@ def retrieve_artifacts(missing_ok: false)
fetch_command = [
'scp',
'-i', key_file,
# We don't want to use any identity saved in ssh agent'
'-o', 'IdentityAgent=none',
# We need this since the user will not necessarily have a
# known_hosts entry. It is safe since an attacker must
# compromise libvirt's network config or the user running the
......
......@@ -60,12 +60,6 @@ echo "POTFILES_DOT_IN='$(
| sed -e 's,^config/chroot_local-includes,,' | tr "\n" ' '
)'" \
>> config/chroot_local-includes/usr/share/tails/build/variables
echo "SOF_VERSION='$(
git -C submodules/sof branch --all --contains HEAD \
--format '%(refname:short)' 'origin/stable-v*' \
| cut -d"-" -f 2
)'" \
>> config/chroot_local-includes/usr/share/tails/build/variables
# fix permissions on some source files that will be copied as is to the chroot.
# they may be wrong, e.g. if the Git repository was cloned with a strict umask.
......@@ -154,7 +148,7 @@ BUILD_USB_IMAGE_FILENAME="${BUILD_BASENAME}.img"
) > "$BUILD_APT_SOURCES"
# make submodules available in the chroot:
SUBMODULES_SRC="submodules/sof submodules/tails-workarounds"
SUBMODULES_SRC="submodules/tails-workarounds"
SUBMODULES_DST="config/chroot_local-includes/tmp/submodules"
mkdir -p "$SUBMODULES_DST"
cp -a $SUBMODULES_SRC "$SUBMODULES_DST"/
......
......@@ -20,7 +20,8 @@ perl -ni \
| \A(?:lib/live/mount/overlay/rw/)?etc/(?:group|gshadow|passwd|shadow)-\s
| \A(?:lib/live/mount/overlay/rw/)?etc/resolv-over-clearnet[.]conf\s
| \A(?:lib/live/mount/overlay/rw/)?etc/skel/[.]config/autostart/end-profile[.]desktop\s
| \Alib/modules/.*/kernel/drivers/(?:cpufreq|net)/
| \Alib/modules/.*/kernel/drivers/(?:cpufreq|net|thermal)/
| \Alib/modules/.*/kernel/net/
| \Arun/
| \Avar/lib/AccountsService/users/Debian-gdm\s
| \Avar/lib/gdm3/[#]\d+\s
......
......@@ -21,7 +21,7 @@ AMNESIA_APPEND="live-media=removable nopersistence noprompt timezone=Etc/UTC spl
AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
# Kernel version
KERNEL_VERSION='5.9.0-0.bpo.2'
KERNEL_VERSION='5.9.0-0.bpo.5'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
This diff is collapsed.
......@@ -26,6 +26,11 @@ Package: python3-construct
Pin: release o=Debian,n=buster-backports
Pin-Priority: 999
Explanation: Electrum 4.0.2 needs >= 0.1.30
Package: python3-btchip
Pin: release o=Debian,n=bullseye
Pin-Priority: 999
Package: firmware-b43-installer
Pin: release o=Debian,n=sid
Pin-Priority: 999
......@@ -43,6 +48,10 @@ Package: firmware-linux firmware-linux-nonfree firmware-amd-graphics firmware-at
Pin: release o=Debian,n=sid
Pin-Priority: 990
Package: firmware-sof-signed
Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: firmware-zd1211
Pin: release o=Debian,n=sid
Pin-Priority: 999
......
#!/bin/sh
set -e
set -u
echo "Adding Intel SOF firmware and topology binaries (#17898)"
# Get $SOF_VERSION
. /usr/share/tails/build/variables
SRC_DIR='/tmp/submodules/sof/lib/firmware/intel'
INTEL_FIRMWARE_DIR='/lib/firmware/intel'
SOF_DEST_DIR="${INTEL_FIRMWARE_DIR}/sof"
SOF_TPLG_DEST_DIR="${INTEL_FIRMWARE_DIR}/sof-tplg"
# Sanity check
for dir in "$SOF_DEST_DIR" "$SOF_TPLG_DEST_DIR"; do
if [ -e "$dir" ]; then
echo "E: $dir already exists, maybe this hook could be dropped"
exit 1
fi
done
# Install topology
cp -r "$SRC_DIR/sof-tplg-${SOF_VERSION}" "$SOF_TPLG_DEST_DIR"
# Install firmware
mkdir "$SOF_DEST_DIR"
cd "$SOF_DEST_DIR"
for versioned_firmware in "${SRC_DIR}/sof/${SOF_VERSION}"/*.ri \
"${SRC_DIR}/sof/${SOF_VERSION}"/intel-signed/*.ri ; do
cp "$versioned_firmware" ./
unversioned_firmware=$(python3 -c "print('$(basename "$versioned_firmware")'.replace('-${SOF_VERSION}', ''))")
ln -s "$(basename "$versioned_firmware")" "$unversioned_firmware"
done
ln -s sof-apl-"${SOF_VERSION}".ri sof-glk.ri
ln -s sof-cnl-"${SOF_VERSION}".ri sof-cfl.ri
ln -s sof-cnl-"${SOF_VERSION}".ri sof-cml.ri
......@@ -8,8 +8,24 @@ BUNDLE=/usr/local/etc/ssl/certs/tails.boum.org-CA.pem
mkdir -p $(dirname "${BUNDLE}")
cat /etc/ssl/certs/AddTrust_External_Root.pem \
/etc/ssl/certs/Lets-Encrypt-Authority-X3.pem \
### Last updated: 2021-01-19
# - R3: RSA 2048, active
# - R4: RSA 2048, backup
# - E1: ECDSA P-384, upcoming
# - E2: ECDSA P-384, upcoming backup
# References:
# - https://letsencrypt.org/certificates/
# - https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html
cat \
/usr/share/tails/certs/Lets-Encrypt-Authority-X3.pem \
/usr/share/tails/certs/lets-encrypt-r3.pem \
/usr/share/tails/certs/lets-encrypt-r4.pem \
/usr/share/tails/certs/lets-encrypt-e1.pem \
/usr/share/tails/certs/lets-encrypt-e2.pem \
> "$BUNDLE"
chmod a+r "$BUNDLE"
rm \
/usr/share/tails/certs/Lets-Encrypt-Authority-X3.pem \
/usr/share/tails/certs/lets-encrypt-*.pem
......@@ -66,6 +66,7 @@ domain ip {
# White-list access to system DNS and Tor's DNSPort
daddr 127.0.0.1 proto udp dport (53 5353) {
mod owner uid-owner $amnesia_uid ACCEPT;
mod owner uid-owner htp ACCEPT;
mod owner uid-owner _apt DROP;
}
......
#!/bin/sh
set -eu
SETTINGS_DIR='/live/persistence/TailsData_unlocked/dont-ask-again'
if [ ! -d "${SETTINGS_DIR}" ]; then
echo 'unavailable'
exit 0
fi
LONGOPTS='dont-ask-again,timeout:'
OPTS="$(getopt -o "" --longoptions ${LONGOPTS} -n "$(basename "${0}")" -- "$@")"
eval set -- "$OPTS"
while [ "${#}" -gt 0 ]; do
case "${1}" in
--dont-ask-again)
DONT_ASK_AGAIN='yes'
;;
--timeout)
shift
TIMEOUT="${1}" # in days
;;
--)
shift
break
;;
esac
shift
done
IDENTIFIER="${1}"
if [ "${DONT_ASK_AGAIN:-}" = yes ]; then
touch "${SETTINGS_DIR}/${IDENTIFIER}"
else
if [ -n "${TIMEOUT:-}" ]; then
find "${SETTINGS_DIR}" -name "${IDENTIFIER}" -mtime +"${TIMEOUT}" -delete
fi
if [ -e "${SETTINGS_DIR}/${IDENTIFIER}" ]; then
echo 'hide'
else
echo 'show'
fi
fi
......@@ -59,8 +59,8 @@ def main():
uri = uri + '#' + anchor
os.environ['TOR_BROWSER_SKIP_OFFLINE_WARNING'] = 'yes'
os.execv('/usr/local/bin/tor-browser',
['/usr/local/bin/tor-browser', '--new-tab', uri])
os.execv('/usr/bin/gtk-launch',
['/usr/bin/gtk-launch', 'tor-browser.desktop', uri])
if __name__ == "__main__":
......
#!/usr/bin/perl
use strict;
use warnings;
#man{{{
=head1 NAME
tails-virt-notify-user
=head1 VERSION
Version X.XX
=head1 AUTHOR
Tails dev team <amnesia@boum.org>
See https://tails.boum.org/.
=cut
#}}}
use Desktop::Notify;
use English '-no_match_vars';
use IPC::System::Simple qw{capturex $EXITVAL};
use Locale::TextDomain 'tails';
use Net::DBus::Reactor;
use POSIX;
### callbacks
sub action_cb {
my $reactor = shift;
unless (fork) {
exec(
'/usr/local/bin/tails-documentation',
'doc/advanced_topics/virtualization',
'security'
);
}
$reactor->shutdown;
}
### main
# both 0 and 1 are acceptable exit values:
# - 0 means that we're running in a virtualized environment
# - 1 means that we're not running in a virtualized environment
# - anything else means there is a problem, and capturex will throw an exception
my $vm_name = capturex([0, 1], qw{/usr/bin/systemd-detect-virt --vm});
exit 0 if $EXITVAL == 1;
my @whitelist = qw(bochs kvm qemu uml virtualbox xen);
my $reactor = Net::DBus::Reactor->main;
my $notify = Desktop::Notify->new();
$notify->action_callback(sub { action_cb($reactor, @_) });
$notify->close_callback(sub { $reactor->shutdown; });
my ($body, $summary);
chomp($vm_name);
if (grep {$_ eq $vm_name} @whitelist) {
$summary = __("Warning: virtual machine detected!");
}
else {
$summary = __("Warning: non-free virtual machine detected!");
}
$body = __("Both the host operating system and the virtualization software are able to monitor what you are doing in Tails. Only free software can be considered trustworthy, for both the host operating system and the virtualization software.");
$notify->create(summary => $summary,
body => $body,
actions => { "moreinfo_$PID" => __('Learn more'), },
hints => { 'transient' => 1, },
timeout => 0)->show();
$reactor->run;
#!/usr/bin/env python3
import gettext
import subprocess
import sys
from tailslib.gnome import gnome_env_vars
import gi
from gi.repository import GLib
gi.require_version('Notify', '0.7')
from gi.repository import Notify # NOQA: E402
DONT_ASK_IDENTIFIER = 'virt-notify-user'
class VirtNotifier(object):
def __init__(self, free_vm=False, show_suppress_button=False):
if free_vm:
self.title = _("Warning: virtual machine detected!")
else:
self.title = _("Warning: non-free virtual machine detected!")
self.body = _(
"Both the host operating system and the virtualization software "
"are able to monitor what you are doing in Tails. Only free "
"software can be considered trustworthy, for both the host "
"operating system and the virtualization software."
)
Notify.init("org.boum.tails.virt-notify-user")
# We need to hold a reference to the notification until the callbacks
# are called. That's why we use an instance variable.
self.notification = Notify.Notification.new(self.title, self.body)
self.notification.set_hint("transient", GLib.Variant("u", 1))
self.notification.set_timeout(0)
if show_suppress_button:
self.notification.add_action("hide", _("Don't Show Again"),
self.cb_notification_clicked)
self.notification.add_action("documentation", _("Learn More"),
self.cb_notification_clicked)
self.notification.connect("closed", lambda *x: sys.exit(0))
self.notification.show()
def cb_notification_clicked(self, notification, action, user_data=None):
if action == "hide":
subprocess.run(
['/usr/local/bin/tails-ask-again', '--dont-ask-again',
DONT_ASK_IDENTIFIER]
)
elif action == "documentation":
subprocess.run(
["env", *gnome_env_vars(), "tails-documentation",
'doc/advanced_topics/virtualization', 'security']
)
sys.exit(0)
if __name__ == "__main__":
gettext.install('tails')
dont_ask_status = subprocess.check_output(
['/usr/local/bin/tails-ask-again', '--timeout', '30',
DONT_ASK_IDENTIFIER]).decode().strip()
if dont_ask_status == 'hide':
sys.exit(0)
# both 0 and 1 are acceptable exit values:
# - 0 means that we're running in a virtualized environment
# - 1 means that we're not running in a virtualized environment
# - anything else means there is a problem, and we'll exit with
# an exception
c = subprocess.run(['/usr/bin/systemd-detect-virt', '--vm'],
stdout=subprocess.PIPE)
if c.returncode == 1:
sys.exit(0)
vm_name = c.stdout.decode().strip()
free_vms = ['bochs', 'kvm', 'qemu', 'uml', 'virtualbox', 'xen']
mainloop = GLib.MainLoop.new(None, False)
VirtNotifier(
free_vm=(vm_name in free_vms),
show_suppress_button=(dont_ask_status != 'unavailable')
)
mainloop.run()
......@@ -25,10 +25,11 @@ use File::Path qw(rmtree);
use File::Spec::Functions;
use File::Temp qw/tempdir/;
use Getopt::Long::Descriptive;
use IPC::Run;
use IPC::System::Simple qw(capturex);
use List::Util qw( shuffle );
use open qw{:utf8 :std};
use POSIX qw( WIFEXITED );
use String::Errf qw{errf};
use threads;
use Try::Tiny;
......@@ -221,19 +222,31 @@ sub getUrlDateDiff {
my $tmpdir = tempdir("XXXXXXXXXX", TMPDIR => 1);
my @curl_options = (
'--user-agent', $useragent, '--silent',
'--user-agent', $useragent, '--silent', '--show-error',
'--proto', '=https', '--tlsv1',
'--max-time', '30',
'--head', '--output', catfile($tmpdir, 'headers'),
);
push @curl_options, ('--socks5-hostname', $proxy) if defined $proxy;
# Resolve the host name "locally" rather than via the SOCKS proxy,
# in order to get a "curl: (6) Could not resolve host" error upon
# name resolution, instead of the unhelpful "curl: (7) Can't
# complete SOCKS5 connection".
push @curl_options, ('--proxy', "socks5://$proxy") if defined $proxy;
my @cmdline = ('curl', @curl_options, $url);
# fetch (the page and) referenced resources:
# images, stylesheets, scripts, etc.
my $before = DateTime->now->epoch();
WIFEXITED(system(@cmdline)) or error "Failed to fetch content from $url: $!";
my ($stdout, $stderr, $exit_code);
my $success = 1;
IPC::Run::run \@cmdline, '>', \$stdout, '2>', \$stderr or $success = 0;
$exit_code = $?;
$success or error errf(
"Failed to fetch content from $url:\n".
"exit code: %{exit_code}i\n\n".
"stdout:\n%{stdout}s\n\n".
"stderr:\n%{stderr}s",
{ exit_code => $exit_code, stdout => $stdout, stderr => $stderr }
);
my $local = DateTime->now->epoch();
my $newestdt;
eval { $newestdt = newestDateHeader($tmpdir) };
......
......@@ -436,6 +436,13 @@ activate_volumes ()
done
done
# Enable support for "Don't ask again" (#10553)
for persistent_fs in $(ls -d /live/persistence/*_unlocked || true)
do
mkdir -p "${persistent_fs}/dont-ask-again"
chown amnesia:amnesia "${persistent_fs}/dont-ask-again"
done
# Load the new persistence.conf.
custom_mounts="$(mktemp /tmp/custom_mounts-XXXXXX.list)"
get_custom_mounts ${custom_mounts} ${open_volumes}
......
......@@ -79,11 +79,15 @@ if [ "${GUID}" != "17B81DA0-8B1E-4269-9C39-FE5C7B9B58A3" ]; then
exit 0
fi
DEVICE_TOO_SMALL_ERROR_MESSAGE="Sorry, this device is too small to run Tails. Please use a device with at least 8 GiB. Press ENTER to shut down."
# Compute the new system partition size
# Get new system partition size
# in 512 bytes sectors
DEVICE_SIZE=$(cat "/sys/block/${DEVICE_NAME}/size")
DEVICE_SIZE_IN_GB=$(echo "scale=1; ${DEVICE_SIZE} / 2 / 1000 / 1000" | bc)
DEVICE_SIZE_IN_MiB=$((${DEVICE_SIZE} / 2 / 1024))
DEVICE_TOO_SMALL_ERROR_MESSAGE="Sorry, this USB stick is too small to run Tails (${DEVICE_SIZE_IN_GB} GB). Please use a USB stick of at least 8 GB. Press ENTER to shut down."
if [ "${DEVICE_SIZE_IN_MiB}" -lt 7200 ]; then
plymouth message --text="${DEVICE_TOO_SMALL_ERROR_MESSAGE}"
plymouth watch-keystroke > /dev/null
......
From bdf2874f60fada9a894c5be4f4846ed2fbc2c124 Mon Sep 17 00:00:00 2001
From: anonym <anonym@riseup.net>
Date: Fri, 24 Apr 2020 16:01:39 +0200
Subject: [PATCH 4/4] Fix buggy pref for disabling MS Exchange autoconfig
method.
Before the upstream work that made the autoconfig methods happen in
parallel this was working, but when I adapted it to that work I seem
to have made a mistake or misunderstood something. In fact, the error
propagation now happens in a way that makes it very unsuitable to have
this check this deep down in the call stack. The check should happen
earlier.
So let's just not initiate this autoconfig method at all when
disabled, with the added benefit of it not showing up as an
immediately failed method in the list of attempts. This makes so much
more sense!
While we're at it, let's do the same for when the MX method is
disabled since there is no reason for it to be listed as a failure
when disabled either.
---
.../accountcreation/content/emailWizard.js | 91 ++++++++++---------
.../content/exchangeAutoDiscover.js | 10 --
2 files changed, 50 insertions(+), 51 deletions(-)
diff --git a/comm/mail/components/accountcreation/content/emailWizard.js b/comm/mail/components/accountcreation/content/emailWizard.js
index b677bb718cd..deff02f74ad 100644
--- a/comm/mail/components/accountcreation/content/emailWizard.js
+++ b/comm/mail/components/accountcreation/content/emailWizard.js
@@ -757,51 +757,60 @@ EmailConfigWizard.prototype = {
);
call.setAbortable(fetch);
- call = priority.addCall();
- this.addStatusLine("looking_up_settings_mx", call);
- // "found_settings_db" is correct. We display the same message for both db and mx cases.
- call.foundMsg = "found_settings_db";
- fetch = fetchConfigForMX(
- domain,
- call.successCallback(),
- call.errorCallback()
- );
- call.setAbortable(fetch);
+ if (Services.prefs.getBoolPref("mailnews.auto_config.mx.enabled", true)) {
+ call = priority.addCall();
+ this.addStatusLine("looking_up_settings_mx", call);
+ // "found_settings_db" is correct. We display the same message for both db and mx cases.
+ call.foundMsg = "found_settings_db";
+ fetch = fetchConfigForMX(
+ domain,
+ call.successCallback(),
+ call.errorCallback()
+ );
+ call.setAbortable(fetch);
+ }
- call = priority.addCall();
- this.addStatusLine("looking_up_settings_exchange", call);
- call.foundMsg = "found_settings_exchange";
- fetch = fetchConfigFromExchange(
- domain,
- emailAddress,
- this._exchangeUsername,
- this._password,
- call.successCallback(),
- (e, allErrors) => {
- // Must call error callback in any case to stop the discover mode.
- let errorCallback = call.errorCallback();
- if (e instanceof CancelledException) {
- errorCallback(e);
- } else if (allErrors && allErrors.some(e => e.code == 401)) {
- // Auth failed.
- // Ask user for username.
- this.onStartOver();
- this.stopSpinner(); // clears status message
- _show("usernameRow");
- _show("status-area");
- if (!this._exchangeUsername) {
- this.showErrorStatus("credentials_incomplete");
+ if (
+ Services.prefs.getBoolPref(
+ "mailnews.auto_config.fetchFromExchange.enabled",
+ true
+ )
+ ) {
+ call = priority.addCall();
+ this.addStatusLine("looking_up_settings_exchange", call);
+ call.foundMsg = "found_settings_exchange";
+ fetch = fetchConfigFromExchange(
+ domain,
+ emailAddress,
+ this._exchangeUsername,
+ this._password,
+ call.successCallback(),
+ (e, allErrors) => {
+ // Must call error callback in any case to stop the discover mode.
+ let errorCallback = call.errorCallback();
+ if (e instanceof CancelledException) {
+ errorCallback(e);
+ } else if (allErrors && allErrors.some(e => e.code == 401)) {
+ // Auth failed.
+ // Ask user for username.
+ this.onStartOver();
+ this.stopSpinner(); // clears status message
+ _show("usernameRow");
+ _show("status-area");
+ if (!this._exchangeUsername) {
+ this.showErrorStatus("credentials_incomplete");