Merge remote-tracking branch 'origin/devel' into bugfix/8007-AppArmor-hardening

Conflicts:
	features/evince.feature
	features/images/TorBrowserUnableToOpen.png
	features/torified_browsing.feature
	features/totem.feature

config/chroot_local-includes/etc/tor-browser/profile/chrome/userChrome.css

 /* Required, do not remove */
 @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");
 
+/* Hide Firefox Sync options. Sync hasn't been audited by the
+   Tor Browser developers yet (Tor bug #10368), and it doesn't seem to
+   work any way (Tor bug #13279). Weak passwords would be a pretty
+   serious issue too. */
+#BrowserPreferences radio[pane="paneSync"],
+#sync-button,
+#sync-menu-button,
+#sync-setup,
+#sync-setup-appmenu,
+#sync-status-button,
+#sync-syncnowitem-appmenu,
+#wrapper-sync-button,
+
+/* Hide the Tools -> Apps link to the Firefox Marketplace. It doesn't
+   seem to work in the Tor Browser, and may have privacy issues. */
+#menu_openApps,
+
+/* Hide the "Share this page" button in the Tool bar, which encourages
+   the use of social (= tracking) networks. Note that this one likely
+   will be removed upstream in the final Tor Browser 5.0 release. */
+#social-share-button,
+
 /* Hide HTTPS Everywhere button in the toolbar */
 #https-everywhere-button { display: none; }

config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js

@@ -78,3 +78,18 @@ pref("extensions.update.enabled", false);
 pref("layout.spellcheckDefault", 0);
 pref("network.dns.disableIPv6", true);
 pref("security.warn_submit_insecure", true);
+
+// Disable fetching of the new tab page's Tiles links/ads. Ads are
+// generally unwanted, and also the fetching is a "phone home" type of
+// feature that generates traffic at least the first time the browser
+// is started.
+pref("browser.newtabpage.directory.source", "");
+pref("browser.newtabpage.directory.ping", "");
+// ... and disable the explanation shown the first time
+pref("browser.newtabpage.introShown", true);
+
+// Don't use geographically specific search prefs, like
+// browser.search.*.US for US locales. Our generated amnesia branding
+// add-on localizes search-engines in an incompatible but equivalent
+// way.
+pref("browser.search.geoSpecificDefaults", false);

config/chroot_local-includes/usr/share/tails/i2p-browser/prefs.js

@@ -15,3 +15,10 @@ pref("extensions.getAddons.showPane", false);
    for several minutes while trying to communicate with CUPS, since
    access to port 631 isn't allowed through. */
 pref("print.postscript.cups.enabled", false);
+
+// Disable fetching of the new tab page's Tiles links/ads. It will not
+// work in the I2P Browser.
+pref("browser.newtabpage.directory.source", "");
+pref("browser.newtabpage.directory.ping", "");
+// ... and disable the explanation shown the first time
+pref("browser.newtabpage.introShown", true);

config/chroot_local-includes/usr/share/tails/i2p-browser/userChrome.css

@@ -24,7 +24,13 @@
 #wrapper-history-button,
 #wrapper-bookmarks-button,
 
-/* Remove the Addons menu options */
+/* Hide the Tools -> Apps link to the Firefox Marketplace, and
+   Tools -> Add-ons link to the Add-ons manager. We do not want to
+   encourage installing such things as it's not part of the supported
+   use-cases and may have privacy issues. Also they will not persist a
+   restart, which is just confusing. In the I2P Browser, many of these
+   features will not work any way. */
+#menu_openApps,
 #menu_openAddons,          /* traditional menu */
 #add-ons-button,           /* new style Firefox menu */
 #wrapper-add-ons-button,   /* Customize toolbar */
@@ -70,6 +76,12 @@ menuitem[command="Browser:SendLink"],
 #sync-syncnowitem-appmenu,
 #wrapper-sync-button,
 
+/* Hide the "Share this page" button in the Tool bar, which encourages
+   the use of social (= tracking) networks. These will not work in the
+   I2P browser any way. Note that this one likely will be removed
+   upstream in the final Tor Browser 5.0 release. */
+#social-share-button,
+
 /* Hide the "Keyboard shortcuts" and "Tour" options from
 from the Help menu */
 #menu_keyboardShortcuts,

config/chroot_local-includes/usr/share/tails/tbb-dist-url.txt

-http://torbrowser-archive.tails.boum.org/4.5.3-build2/
+http://people.torproject.org/~mikeperry/builds/5.0a4-build3/

config/chroot_local-includes/usr/share/tails/tbb-sha256sums.txt

-9a6425afeeae40f1cd7ebd3dd0a8672b8ed13e4df1863282ee39607c5b3cea2d  tor-browser-linux32-4.5.3_ar.tar.xz
-d9af6bf2585ac7905534fecd8c9df016fa833ba90b95babdfbf7b2225760c774  tor-browser-linux32-4.5.3_de.tar.xz
-154d659583048e91870c40921561f0519babf6d3c9ac439f6fb74ed66824463f  tor-browser-linux32-4.5.3_en-US.tar.xz
-196cfd81e726d0e1f7ecf0fe0183eac6b7e2cf8e8c5bc89b9105ce4d82e0922a  tor-browser-linux32-4.5.3_es-ES.tar.xz
-61dfee81c930f1b6c12911917b880bd62f99a7e61fdcc3d8d5cb71657770adeb  tor-browser-linux32-4.5.3_fa.tar.xz
-dcb98570ac927298a086771524b283ee4f64268b72d0b5ec36268817073612aa  tor-browser-linux32-4.5.3_fr.tar.xz
-6d94c31bf8ed708a49e0e4ecdbfd7c20db1b382fe4d8039971aadd8c87240fc6  tor-browser-linux32-4.5.3_it.tar.xz
-59dad0fbcbc8fd02953af03cb587c1b89d534812c6580d9cd78e883c55f2b34c  tor-browser-linux32-4.5.3_ko.tar.xz
-0cf9401dd5383212871c12bc7c7db44953aa4796db2692528c949ebc2b0219e3  tor-browser-linux32-4.5.3_nl.tar.xz
-487ebbe2260666476a9a72e927025783567767dc3fc1c5403ad60e7f37c80734  tor-browser-linux32-4.5.3_pl.tar.xz
-78688df77ad688c0458e5ff959b5ff1bf5579435ee480093e98f9ad537400dbd  tor-browser-linux32-4.5.3_pt-PT.tar.xz
-0a1cbdae6e13dad17ab228970a3b7c0c1dd86c71c1ad4950d4c591947be1b04b  tor-browser-linux32-4.5.3_ru.tar.xz
-4ebce91c056b67e4b2aed183d816d299b005111f895f726d2bd49494231a76cb  tor-browser-linux32-4.5.3_tr.tar.xz
-71a80614bee6a0349b3e9e297c08925d0a6682768bf3f43352586d4c28e7dacd  tor-browser-linux32-4.5.3_vi.tar.xz
-6675936035691de5e20ac899c5c1a004462b41e38bda29040aba7351ca4fb3b2  tor-browser-linux32-4.5.3_zh-CN.tar.xz
+14463ac344a60e08187566de3ff97796f5f8f1d20356c7ea434fbc50c1e107e6  tor-browser-linux32-5.0a4_ar.tar.xz
+95da22c9ddd3a84d1c064e7cc90b5a47faf6642a1128a815878c4d0ef5e31d51  tor-browser-linux32-5.0a4_de.tar.xz
+adb15b4526dd85c449af5cf088b462cb73539285098ddbd7cb429ccd205c0861  tor-browser-linux32-5.0a4_en-US.tar.xz
+77fd6cdc2781a5191c57d2232914abc8816660db884c7e679f8834e2f165cf4a  tor-browser-linux32-5.0a4_es-ES.tar.xz
+3b8fac32a86383fe7cfb890177b86ccb607aacca1a0ce68578c6166ca53280ce  tor-browser-linux32-5.0a4_fa.tar.xz
+009e1b9b23ae4f5d62d0700aaf390108c0ba1cd686cc2233762112fa90f29a8f  tor-browser-linux32-5.0a4_fr.tar.xz
+d755e1fe4a4c7b28d8333d3b57785f75cf2dfcc4126817c6e26212462b6d8c6d  tor-browser-linux32-5.0a4_it.tar.xz
+63b4beaca5c9c69e7be76ae08e92a5cd024e5176d0f0380edf1324c16e51be58  tor-browser-linux32-5.0a4_ko.tar.xz
+8240527be7369e0541c26d2f216c6b98d23498d766c54e1ae20490894a57e6a8  tor-browser-linux32-5.0a4_nl.tar.xz
+d12e1e4434ac673b9d2448aaf96c50896b6c1e0a4ca0a0ebb88cdebdbe9e1f9c  tor-browser-linux32-5.0a4_pl.tar.xz
+c9316225a26883d0627a3df40295835e5f2a831b393c90748937ac6b2e630854  tor-browser-linux32-5.0a4_pt-PT.tar.xz
+09651300fc51e06a3ffc033a630eb58bd33c2901b377a605cb96549e1866013a  tor-browser-linux32-5.0a4_ru.tar.xz
+de55a1870d8636ef6543b57343bcc666f207f7288b48fd806284d46658e9865a  tor-browser-linux32-5.0a4_tr.tar.xz
+3ee683edc60f10861668ebcca92ffaecb4ca36ef0c7ffe96d8345724434c517e  tor-browser-linux32-5.0a4_vi.tar.xz
+f5e5c808f7a34cecc9dd1be4e4d9844da2b6a7778bb5a6146db2493e8f4ca5ea  tor-browser-linux32-5.0a4_zh-CN.tar.xz

config/chroot_local-includes/usr/share/tails/unsafe-browser/prefs.js

@@ -17,3 +17,18 @@ pref("extensions.getAddons.showPane", false);
    engine for the Unsafe Browser's in-the-clear traffic. */
 user_pref("browser.search.defaultenginename", "Google");
 user_pref("browser.search.selectedEngine", "Google");
+
+// Disable fetching of the new tab page's Tiles links/ads. Ads are
+// generally unwanted, and also the fetching is a "phone home" type of
+// feature that generates traffic at least the first time the browser
+// is started.
+pref("browser.newtabpage.directory.source", "");
+pref("browser.newtabpage.directory.ping", "");
+// ... and disable the explanation shown the first time
+pref("browser.newtabpage.introShown", true);
+
+// Don't use geographically specific search prefs, like
+// browser.search.*.US for US locales. Our generated amnesia branding
+// add-on localizes search-engines in an incompatible but equivalent
+// way.
+pref("browser.search.geoSpecificDefaults", false);

config/chroot_local-includes/usr/share/tails/unsafe-browser/userChrome.css

 /* Required, do not remove */
 @namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");
 
-/* Remove the Addons menu options */
+/* Hide Firefox Sync options. Sync hasn't been audited by the
+   Tor Browser developers yet (Tor bug #10368), and it doesn't seem to
+   work any way (Tor bug #13279). Weak passwords would be a pretty
+   serious issue too. */
+#BrowserPreferences radio[pane="paneSync"],
+#sync-button,
+#sync-menu-button,
+#sync-setup,
+#sync-setup-appmenu,
+#sync-status-button,
+#sync-syncnowitem-appmenu,
+#wrapper-sync-button,
+
+/* Hide the Tools -> Apps link to the Firefox Marketplace, and
+   Tools -> Add-ons link to the Add-ons manager. We do not want to
+   encourage installing such things as it's not part of the supported
+   use-cases and may have privacy issues. Also they will not persist a
+   restart, which is just confusing. */
+#menu_openApps,
 #menu_openAddons,          /* traditional menu */
 #add-ons-button,           /* new style Firefox menu */
 #wrapper-add-ons-button,   /* Customize toolbar */
 
+/* Hide the "Share this page" button in the Tool bar, which encourages
+   the use of social (= tracking) networks. Note that this one likely
+   will be removed upstream in the final Tor Browser 5.0 release. */
+#social-share-button,
+
 /* Hide TorBrowser Health Report and its configuration option */
 #appmenu_healthReport,
 #dataChoicesTab,

features/erase_memory.feature

@@ -14,6 +14,7 @@ Feature: System memory erasure on shutdown
     And at least 8 GiB of RAM was detected
     And process "memlockd" is running
     And process "udev-watchdog" is running
+    And udev-watchdog is monitoring the correct device
     When I fill the guest's memory with a known pattern without verifying
     And I reboot without wiping the memory
     Then I find many patterns in the guest's memory
@@ -28,6 +29,7 @@ Feature: System memory erasure on shutdown
     And at least 8 GiB of RAM was detected
     And process "memlockd" is running
     And process "udev-watchdog" is running
+    And udev-watchdog is monitoring the correct device
     When I fill the guest's memory with a known pattern
     And I shutdown and wait for Tails to finish wiping the memory
     Then I find very few patterns in the guest's memory
@@ -42,6 +44,7 @@ Feature: System memory erasure on shutdown
     And at least 3500 MiB of RAM was detected
     And process "memlockd" is running
     And process "udev-watchdog" is running
+    And udev-watchdog is monitoring the correct device
     When I fill the guest's memory with a known pattern without verifying
     And I reboot without wiping the memory
     Then I find many patterns in the guest's memory
@@ -56,6 +59,7 @@ Feature: System memory erasure on shutdown
     And at least 3500 MiB of RAM was detected
     And process "memlockd" is running
     And process "udev-watchdog" is running
+    And udev-watchdog is monitoring the correct device
     When I fill the guest's memory with a known pattern
     And I shutdown and wait for Tails to finish wiping the memory
     Then I find very few patterns in the guest's memory

features/evince.feature

@@ -25,14 +25,20 @@ Feature: Using Evince
     Then the file "/home/amnesia/.gnupg/default-testpage.pdf" exists
     And the file "/lib/live/mount/overlay/home/amnesia/.gnupg/default-testpage.pdf" exists
     And the file "/live/overlay/home/amnesia/.gnupg/default-testpage.pdf" exists
+    Given AppArmor has not denied "/usr/bin/evince" from opening "/home/amnesia/.gnupg/default-testpage.pdf"
     When I try to open "/home/amnesia/.gnupg/default-testpage.pdf" with Evince
     Then I see "EvinceUnableToOpen.png" after at most 10 seconds
+    And AppArmor has denied "/usr/bin/evince" from opening "/home/amnesia/.gnupg/default-testpage.pdf"
+    Given AppArmor has not denied "/usr/bin/evince" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/default-testpage.pdf"
     When I close Evince
     And I try to open "/lib/live/mount/overlay/home/amnesia/.gnupg/default-testpage.pdf" with Evince
     Then I see "EvinceUnableToOpen.png" after at most 10 seconds
+    And AppArmor has denied "/usr/bin/evince" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/default-testpage.pdf"
+    Given AppArmor has not denied "/usr/bin/evince" from opening "/live/overlay/home/amnesia/.gnupg/default-testpage.pdf"
     When I close Evince
     And I try to open "/live/overlay/home/amnesia/.gnupg/default-testpage.pdf" with Evince
     Then I see "EvinceUnableToOpen.png" after at most 10 seconds
+    And AppArmor has denied "/usr/bin/evince" from opening "/live/overlay/home/amnesia/.gnupg/default-testpage.pdf"
 
   @keep_volumes
   Scenario: Installing Tails on a USB drive, creating a persistent partition, copying PDF files to it
@@ -57,5 +63,8 @@ Feature: Using Evince
   Scenario: I cannot view a PDF file stored in persistent /home/amnesia/.gnupg
     Given a computer
     When I start Tails from USB drive "current" with network unplugged and I login with persistence password "asdf"
+    Then the file "/home/amnesia/Persistent/default-testpage.pdf" exists
+    Given AppArmor has not denied "/usr/bin/evince" from opening "/home/amnesia/.gnupg/default-testpage.pdf"
     And I try to open "/home/amnesia/.gnupg/default-testpage.pdf" with Evince
     Then I see "EvinceUnableToOpen.png" after at most 10 seconds
+    And AppArmor has denied "/usr/bin/evince" from opening "/home/amnesia/.gnupg/default-testpage.pdf"