Commit e9ab172a authored by intrigeri

Merge branch 'feature/stretch-unfrozen' into feature/stretch

parents 9bf78fba 73e2a02a
......@@ -22,7 +22,7 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63"
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
# Kernel version
KERNEL_VERSION='4.8.0-2'
KERNEL_VERSION='4.9.0-1'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
......
......@@ -4,8 +4,8 @@ set -e
echo "Wrapping some applications with torsocks"
APPS="gobby-0.5 liferea openpgp-applet seahorse"
DBUS_SERVICES="org.gnome.seahorse.Application org.fedoraproject.Config.Printing"
APPS="gobby-0.5 net.sourceforge.liferea openpgp-applet seahorse"
DBUS_SERVICES="net.sourceforge.liferea org.gnome.seahorse.Application org.fedoraproject.Config.Printing"
for app in $APPS; do
sed -i'' --regexp-extended 's,^Exec=(.*),Exec=torsocks \1,' \
......
......@@ -11,7 +11,6 @@ echo "Deleting unused AppArmor profiles"
sbin.klogd \
sbin.syslogd \
sbin.syslog-ng \
usr.bin.chromium-browser \
usr.lib.dovecot.* \
usr.sbin.dnsmasq \
usr.sbin.dovecot \
......
......@@ -43,7 +43,7 @@ apt-get --yes purge \
nfs-common \
portmap \
procmail \
python-reportbug \
python3-reportbug \
reportbug \
telnet \
texinfo \
......
alias / -> /lib/live/mount/overlay/,
alias / -> /lib/live/mount/rootfs/*.squashfs/,
......@@ -30,8 +30,8 @@
- /usr/bin/* ixr,
+ /usr/bin/{[^h],h[^p],hp[^i],hpi[^j],hpij[^s]}* ixr,
/usr/sbin/* ixr,
/bin/* ixr,
/sbin/* ixr,
/{usr/,}bin/* ixr,
/{usr/,}sbin/* ixr,
@@ -80,7 +83,10 @@
/usr/lib/cups/backend/bluetooth ixr,
/usr/lib/cups/backend/dnssd ixr,
......@@ -82,8 +82,8 @@
# likewise authentication
@@ -184,7 +201,7 @@
/bin/bash ixr,
/bin/cp ixr,
/{usr/,}bin/bash ixr,
/{usr/,}bin/cp ixr,
/etc/papersize r,
- /etc/cups/cups-pdf.conf r,
+ @{etccups}/cups-pdf.conf r,
......
--- a/etc/apparmor.d/abstractions/gnome 2016-11-08 13:05:14.000000000 +0000
+++ b/etc/apparmor.d/abstractions/gnome 2016-11-15 11:38:13.448032162 +0000
@@ -87,6 +87,7 @@
# mime-types
/etc/gnome/defaults.list r,
+ /etc/xdg/*-mimeapps.list r,
/usr/share/gnome/applications/ r,
/usr/share/gnome/applications/mimeinfo.cache r,
--- a/etc/apparmor.d.orig/tunables/alias 2016-12-17 11:25:27.000000000 +0000
+++ b/etc/apparmor.d/tunables/alias 2017-01-02 20:47:35.987919057 +0000
@@ -14,3 +14,5 @@
#
# Or if mysql databases are stored in /home:
# alias /var/lib/mysql/ -> /home/mysql/,
+
+#include <tunables/alias.d>
......@@ -9,34 +9,27 @@ diff -Naur etc/apparmor.d.orig/abstractions/base etc/apparmor.d/abstractions/bas
/etc/writable/localtime r,
/usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
@@ -49,17 +50,19 @@
# available everywhere
/etc/ld.so.cache mr,
/lib{,32,64}/ld{,32,64}-*.so mrix,
- /lib{,32,64}/**/ld{,32,64}-*.so mrix,
+ /lib{32,64}/**/ld{,32,64}-*.so mrix,
+ /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}**/ld{,32,64}-*.so mrix,
/lib/@{multiarch}/ld{,32,64}-*.so mrix,
/lib/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
/lib/i386-linux-gnu/tls/i686/{cmov,nosegneg}/ld-*.so mrix,
/opt/*-linux-uclibc/lib/ld-uClibc*so* mrix,
@@ -56,10 +57,12 @@
/opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
# we might as well allow everything to use common libraries
- /lib{,32,64}/** r,
+ /lib{32,64}/** r,
+ /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,
/lib{,32,64}/lib*.so* mr,
- /lib{,32,64}/**/lib*.so* mr,
- /lib/@{multiarch}/** r,
+ /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}**/lib*.so* mr,
+ /lib/@{multiarch}/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,
/lib/@{multiarch}/lib*.so* mr,
/lib/@{multiarch}/**/lib*.so* mr,
/usr/lib{,32,64}/** r,
- /{usr/,}lib{,32,64}/** r,
- /{usr/,}lib{,32,64}/lib*.so* mr,
- /{usr/,}lib{,32,64}/**/lib*.so* mr,
- /{usr/,}lib/@{multiarch}/** r,
+ /{usr/,}lib{32,64}/** r,
+ /{usr/,}lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,
+ /{usr/,}lib{,32,64}/lib*.so* mr,
+ /{usr/,}lib{32,64}/**/lib*.so* mr,
+ /{usr/,}lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}**/lib*.so* mr,
+ /{usr/,}lib/@{multiarch}/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,
/{usr/,}lib/@{multiarch}/lib*.so* mr,
/{usr/,}lib/@{multiarch}/**/lib*.so* mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/lib*.so* mr,
diff -Naur '--exclude=cache' /etc/apparmor.d.orig/abstractions/ubuntu-helpers /etc/apparmor.d/abstractions/ubuntu-helpers
--- a/etc/apparmor.d.orig/abstractions/ubuntu-helpers 2013-07-10 22:05:57.000000000 +0000
+++ b/etc/apparmor.d/abstractions/ubuntu-helpers 2015-06-03 18:16:42.022380000 +0000
@@ -66,8 +66,8 @@
@@ -64,8 +64,8 @@
# in limited libraries so glibc's secure execution should be enough to not
# require the santized_helper (ie, LD_PRELOAD will only use standard system
# paths (man ld.so)).
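Review bot: The `{[^l],l[^i],li[^v],liv[^e],live[^/]}**` exclusion in the new inner rules `+ /{usr/,}lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,` and the two `mr` rules beside it is anchored under `/{usr/,}lib/`, so it withdraws `/usr/lib/live/**` from the common-libraries rules as well as `/lib/live/**`, although the aliases only make the `/lib/live/` tree sensitive. Nothing appears to live under `/usr/lib/live/` on stretch, but if live-boot or live-config ever moves there, confined programs would start hitting denials that are hard to trace back to this patch; adding `+ /usr/lib/live/** r,` in the same inner hunk, or applying the exclusion to the `/lib/` branch only, would avoid that. The hand-written class also has a small side effect worth recording: an entry named exactly `l`, `li` or `liv` directly under `lib/` is excluded too, because each `[^x]` must consume a character. Since the pattern is otherwise opaque, please add an explanatory line to the patched abstraction, e.g. `+  # {[^l],l[^i],li[^v],liv[^e],live[^/]} = "not live": keep the aliased /lib/live/ mounts out of the broad read rules`. The inner hunk headers `@@ -49,17 +50,19 @@` and `@@ -56,10 +57,12 @@` are presumably the old and new versions of one header rather than two overlapping hunks, but this rendering does not show which, so it is worth confirming that the patch still applies cleanly.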
......@@ -47,7 +40,7 @@ diff -Naur '--exclude=cache' /etc/apparmor.d.orig/abstractions/ubuntu-helpers /e
/opt/google/chrome/chrome-sandbox PUxr,
/opt/google/chrome/google-chrome Pixr,
/opt/google/chrome/chrome Pixr,
@@ -76,7 +76,8 @@
@@ -74,7 +74,8 @@
# Full access
/ r,
/** rwkl,
......@@ -57,15 +50,3 @@ diff -Naur '--exclude=cache' /etc/apparmor.d.orig/abstractions/ubuntu-helpers /e
# Dangerous files
audit deny owner /**/* m, # compiled libraries
diff -Naur '--exclude=cache' /etc/apparmor.d.orig/tunables/alias /etc/apparmor.d/tunables/alias
--- a/etc/apparmor.d.orig/tunables/alias 2013-07-10 22:05:57.000000000 +0000
+++ b/etc/apparmor.d/tunables/alias 2015-06-03 18:12:46.426380000 +0000
@@ -14,3 +14,7 @@
#
# Or if mysql databases are stored in /home:
# alias /var/lib/mysql/ -> /home/mysql/,
+
+alias / -> /lib/live/mount/overlay/,
+alias / -> /lib/live/mount/rootfs/*.squashfs/,
+
......@@ -69,7 +69,10 @@ subsequent problems with overlapping rules, and to mitigate the
increased policy compilation time (see details below), we also patch
some some very broad rules to make them _not_ apply to `/lib/live/*`.
All these changes live in
[[!tails_gitweb config/chroot_local-patches/apparmor-aliases.diff]].
[[!tails_gitweb config/chroot_local-patches/apparmor-aliases.diff]],
[[!tails_gitweb config/chroot_local-patches/apparmor-alias-dot-d.diff]]
and
[[!tails_gitweb config/chroot_local-includes/etc/apparmor.d/tunables/alias.d/tails]].
Second, few more targeted adjustments are also applied:
......