Commit f365b9bf authored by intrigeri's avatar intrigeri

Revert incomplete and partly broken attempt to adjust to live-boot 1:20180328+ (refs: #15477)

I've uploaded Stretch's live-boot to our feature-buster APT overlay suite.
Let's install it and postpone finishing these adjustments. Accordingly, let's
revert our code to a state suitable for Stretch's live-boot.

This reverts commits 016e53e9,
4377f177,
99a01f8a,
df3c2dea,
928c868e
and 8b452697.
parent 7e3de9ce
......@@ -34,7 +34,7 @@ KERNEL_SOURCE_VERSION=$(
# Files to exclude from the readahead list
# (passed to `grep --extended-regexp`)
READAHEAD_EXCLUDE_PATTERN='^run/live/medium/'
READAHEAD_EXCLUDE_PATTERN='^lib/live/mount/medium/'
### You should not have to change anything below this line ####################
......
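Review bot: READAHEAD_EXCLUDE_PATTERN only excludes one of the two live-boot medium mountpoints shown here, so a build whose live-boot exposes the other one silently lets the boot medium's files into the readahead list. Since the comment says the pattern is fed to `grep --extended-regexp`, both layouts can be excluded by one pattern regardless of which live-boot gets installed: `READAHEAD_EXCLUDE_PATTERN='^(run/live|lib/live/mount)/medium/'`. The script this assignment belongs to continues outside the hunk.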
......@@ -35,6 +35,11 @@ Package: linux-compiler-* linux-headers-* linux-image-* linux-kbuild-* linux-sou
Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: src:live-boot (#15477)
Package: live-boot live-boot-doc live-boot-initramfs-tools
Pin: origin deb.tails.boum.org
Pin-Priority: 999
Explanation: Pick Thunderbird from sid for the time being (not available in Buster right now)
Package: thunderbird* calendar-google-provider
Pin: release o=Debian,n=sid
......
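Review bot: The new live-boot stanza pins by `origin deb.tails.boum.org`, i.e. by mirror hostname, unlike the neighbouring stanzas that pin on the signed Release fields (`release o=Debian,n=sid`); it therefore matches every suite served from that host, not just the feature-buster overlay mentioned in the commit message. Note also that a `Pin-Priority` of 999 never downgrades: if a newer live-boot (1:20180328+) is already installed in the chroot when this pin takes effect, apt keeps it, so the build should start from a chroot without it, or the pin needs to be ≥ 1000. If the intent is to track exactly that overlay suite, consider a `release` pin on its Release fields and say so in the Explanation line, e.g. `Explanation: src:live-boot from our feature-buster APT overlay, Stretch's version until we support 1:20180328+ (#15477)`.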
alias / -> /run/live/overlay/,
alias / -> /run/live/rootfs/*.squashfs/,
alias / -> /lib/live/mount/overlay/,
alias / -> /lib/live/mount/rootfs/*.squashfs/,
@{HOMEDIRS}+=/run/live/overlay/home/
@{HOMEDIRS}+=/lib/live/mount/overlay/home/
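Review bot: The aliases and the `@{HOMEDIRS}` addition are what make profile rules written against `/` and `@{HOME}` apply when a confined program reaches the same files through live-boot's mountpoints (the feature tests in this commit rely on exactly that for `/lib/live/mount/overlay/home/...`), so they must track whichever layout the installed live-boot uses; nothing here records which version each path belongs to. Add a comment next to each alias group, e.g. `# live-boot before 1:20180328 mounts the medium/overlay/rootfs under /lib/live/mount (#15477)`, so the next adjustment does not leave one layout unaliased. The file's header lines are outside this section, so I cannot tell whether any such comment already exists.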
Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/dd, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar, /run/live/medium/utils/linux/syslinux, /usr/bin/nocache /bin/cp *
Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/dd, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar, /lib/live/mount/medium/utils/linux/syslinux, /usr/bin/nocache /bin/cp *
Cmnd_Alias IUK_GET_TARGET_FILE = /usr/bin/tails-iuk-get-target-file
Cmnd_Alias UPGRADE_FRONTEND = /usr/bin/tails-upgrade-frontend ""
......
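Review bot: INSTALL_IUK runs `syslinux` straight off the boot medium as root, and sudo's only control is the exact path match, so this line is correct only while live-boot mounts the medium at that path; under the other layout the command simply fails to match (fails closed), which is acceptable but worth stating. Add a comment above the alias, e.g. `# syslinux is executed from the (user-writable) boot medium; the path follows live-boot's medium mountpoint (#15477)`. Separately and pre-existing, the unrestricted `/bin/dd`, `/bin/mount`, `/bin/rm`, `/bin/tar` and `/usr/bin/nocache /bin/cp *` entries already grant root-equivalent capability, so the syslinux path change itself does not move the trust boundary.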
# Type Path Mode UID GID Age Argument
L /run/live/persistence - - - - /live/persistence
......@@ -8,9 +8,9 @@ goodcrypto.com converted from bash to python and added basic tests.
>>> import sh
>>> sh.Command(sys.argv[0])('kernel')
/run/live/medium/live/vmlinuz
/lib/live/mount/medium/live/vmlinuz
>>> sh.Command(sys.argv[0])('initrd')
/run/live/medium/live/initrd.img
/lib/live/mount/medium/live/initrd.img
>>> sh.Command(sys.argv[0])(_ok_code=(1))
Usage: tails-get-bootinfo kernel|initrd
<BLANKLINE>
......@@ -18,7 +18,7 @@ Usage: tails-get-bootinfo kernel|initrd
import sys
LIVE_IMAGE_MOUNTPOINT = '/run/live/medium'
LIVE_IMAGE_MOUNTPOINT = '/lib/live/mount/medium'
def main(*args):
......
......@@ -12,7 +12,7 @@ import os.path
IGNORE_RE = "^/(tmp|sys|proc|dev|live/cow)"
# Remove the following prefix (except the last /) from all paths
IGNORE_PREFIX="/run/live/rootfs/filesystem.squashfs/"
IGNORE_PREFIX="/lib/live/mount/rootfs/filesystem.squashfs/"
class ProfileProcessor(ProcessEvent):
def __init__(self, profile_path):
......
......@@ -22,20 +22,20 @@ mount -o remount,rw /
# Otherwise aufs pseudo-links can't be removed while unmounting /oldroot,
# and we can't clean up the content of /mnt/live/overlay.
mount -o remount,rw /oldroot/run/live/overlay
mount -o remount,rw /oldroot/lib/live/mount/overlay
# Move /oldroot/* mountpoints out of the way
mkdir -p /mnt/live/overlay
mount --move \
/oldroot/run/live/overlay \
/oldroot/lib/live/mount/overlay \
/mnt/live/overlay
mkdir -p /mnt/live/squashfs
mount --move \
/oldroot/run/live/rootfs/filesystem.squashfs \
/oldroot/lib/live/mount/rootfs/filesystem.squashfs \
/mnt/live/squashfs
mkdir -p /mnt/live/medium
mount --move \
/oldroot/run/live/medium \
/oldroot/lib/live/mount/medium \
/mnt/live/medium
# Finally, really unmount relevant filesystems
......
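Review bot: The `mount -o remount,rw` on the overlay and the three `mount --move` calls are unchecked; if the overlay or medium is not mounted where this script expects (the two live-boot layouts in this hunk differ exactly there), the remount fails, the move fails, and the later cleanup of `/mnt/live/overlay` described by the comment at the top is skipped silently, which for a shutdown script that exists to unmount and clean the overlay should at least be reported. Guard each step, e.g. `mount -o remount,rw /oldroot/lib/live/mount/overlay || echo "W: cannot remount overlay rw" >&2` and likewise `mount --move ... || echo "W: cannot move overlay mountpoint" >&2`. Whether the script runs under `set -e` is not visible here, and it continues outside the hunk.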
......@@ -46,8 +46,8 @@ setup_chroot_for_browser () {
trap "${cleanup_cmd}" INT EXIT
local rootfs_dir
local rootfs_dirs_path="/run/live/rootfs"
local tails_module_path="/run/live/medium/live/Tails.module"
local rootfs_dirs_path="/lib/live/mount/rootfs"
local tails_module_path="/lib/live/mount/medium/live/Tails.module"
local aufs_dirs=
# We have to pay attention to the order we stack the filesystems;
......
......@@ -18,7 +18,7 @@ using_fromiso() {
boot_device() {
if using_fromiso ; then
# When booting with e.g. fromiso=/dev/sdx3/tails-XXX.iso, a loop device
# is mounted onto /run/live/medium => we cannot get the boot device from there.
# is mounted onto /lib/live/mount/medium => we cannot get the boot device from there.
# This loop device's backing file is seen by the system as
# /isofrom/XXX.iso, which is not available presumably because pivotroot
# was run => we cannot get the boot device from there either.
......@@ -37,7 +37,7 @@ boot_device() {
# the path returned in this case is suitable to be passed as an argument
# to --path in "udevadm info --query" commands... which is not the case
# of paths in the /dev/sdxN form.
DEV_NUMBER="$(udevadm info --device-id-of-file=/run/live/medium)"
DEV_NUMBER="$(udevadm info --device-id-of-file=/lib/live/mount/medium)"
echo "/dev/block/$DEV_NUMBER"
fi
}
......
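Review bot: `DEV_NUMBER` is used without checking that `udevadm info --device-id-of-file=` succeeded; when the medium is not mounted at the expected path (which is precisely what changes between the two live-boot versions here) the function prints `/dev/block/` with an empty id and still returns 0, and the caller acts on a bogus device path. Fail closed instead: `DEV_NUMBER="$(udevadm info --device-id-of-file=/lib/live/mount/medium)" || return 1` followed by `[ -n "$DEV_NUMBER" ] || return 1` before the `echo`. The `using_fromiso` branch is truncated by the first hunk and `boot_device` begins before the second, so I cannot see whether a caller already validates the result.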
......@@ -9,6 +9,23 @@ diff -Naur etc/apparmor.d.orig/abstractions/base etc/apparmor.d/abstractions/bas
/etc/writable/localtime r,
/usr/share/locale-bundle/** r,
/usr/share/locale-langpack/** r,
@@ -64,10 +65,12 @@
/opt/*-linux-uclibc/lib/ld-uClibc*so* mr,
# we might as well allow everything to use common libraries
- /{usr/,}lib{,32,64}/** r,
- /{usr/,}lib{,32,64}/lib*.so* mr,
- /{usr/,}lib{,32,64}/**/lib*.so* mr,
- /{usr/,}lib/@{multiarch}/** r,
+ /{usr/,}lib{32,64}/** r,
+ /{usr/,}lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,
+ /{usr/,}lib{,32,64}/lib*.so* mr,
+ /{usr/,}lib{32,64}/**/lib*.so* mr,
+ /{usr/,}lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}**/lib*.so* mr,
+ /{usr/,}lib/@{multiarch}/{[^l],l[^i],li[^v],liv[^e],live[^/]}** r,
/{usr/,}lib/@{multiarch}/lib*.so* mr,
/{usr/,}lib/@{multiarch}/**/lib*.so* mr,
/{usr/,}lib/tls/i686/{cmov,nosegneg}/lib*.so* mr,
diff -Naur etc/apparmor.d.orig/abstractions/ubuntu-helpers etc/apparmor.d/abstractions/ubuntu-helpers
--- a/etc/apparmor.d/abstractions/ubuntu-helpers 2018-11-01 11:52:15.000000000 +0000
+++ b/etc/apparmor.d/abstractions/ubuntu-helpers 2018-11-05 19:49:38.227528246 +0000
......@@ -23,3 +40,13 @@ diff -Naur etc/apparmor.d.orig/abstractions/ubuntu-helpers etc/apparmor.d/abstra
/opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr,
/opt/google/chrome{,-beta,-unstable}/google-chrome Pixr,
/opt/google/chrome{,-beta,-unstable}/chrome Pixr,
@@ -77,7 +77,8 @@
# Full access
/ r,
/** rwkl,
- /{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,
+ /lib/{[^l],l[^i],li[^v],liv[^e],live[^/]}{,**/}*.so{,.*} m,
+ /usr{/,/local/}lib{,32,64}/{,**/}*.so{,.*} m,
# Dangerous files
audit deny owner /**/* m, # compiled libraries
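Review bot: In the ubuntu-helpers hunk the replacement drops root-level `/lib32/` and `/lib64/` from the mmap rule: the removed `/{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m,` matched `/lib32/...` and `/lib64/...`, whereas the two added lines cover only `/lib/` (with the `live` carve-out) and `/usr{/,/local/}lib{,32,64}/`. If that narrowing is not intended, add `/lib{32,64}/{,**/}*.so{,.*} m,` beside them, mirroring the `base` hunk above which deliberately keeps `/{usr/,}lib{32,64}/** r,`. The `{[^l],l[^i],li[^v],liv[^e],live[^/]}` carve-outs also deserve a one-line comment in the patch, e.g. `# Tails: keep /lib/live/ out of the blanket library rules so confined apps cannot read the overlay/rootfs via live-boot's mountpoints`, since nothing in the file says why upstream's rule is split. I am inferring from the commit message that this patch is the side being restored; if it is the removed side the point is moot.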
diff --git a/scripts/boot/9990-overlay.sh b/scripts/boot/9990-overlay.sh
index 098111c..e1cfd15 100755
--- a/lib/live/boot/9990-overlay.sh
+++ b/lib/live/boot/9990-overlay.sh
@@ -136,7 +136,7 @@
# tmpfs file systems
touch /etc/fstab
mkdir -p /live/overlay
- mount -t tmpfs tmpfs /live/overlay
+ # mount -t tmpfs tmpfs /live/overlay
# Looking for persistence devices or files
if [ -n "${PERSISTENCE}" ] && [ -z "${NOPERSISTENCE}" ]
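Review bot: The patch's `diff --git a/scripts/boot/9990-overlay.sh` header names a different path than its `---`/`+++` lines (`lib/live/boot/9990-overlay.sh`); `patch -p1` ignores the git line, but as far as I recall `git apply` rejects inconsistent filenames, so the three should agree. The change itself comments out upstream's `mount -t tmpfs tmpfs /live/overlay` with no in-file rationale; a maintained patch that disables upstream behaviour should say why, e.g. `# Tails: deliberately not a separate tmpfs here, see <ticket>`, with the actual reason and ticket filled in (I cannot state it from this hunk). The `if [ -n "${PERSISTENCE}" ]` block that follows is cut off by the hunk.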
Tails/ Tails.pm
diff --git a/usr/share/perl5/Tails/RunningSystem.pm b/usr/share/perl5/Tails/RunningSystem.pm
index 9409ad4..c4b6905 100644
--- a/usr/share/perl5/Tails/RunningSystem.pm
+++ b/usr/share/perl5/Tails/RunningSystem.pm
@@ -177,7 +177,7 @@
}
method _build_liveos_mountpoint () {
- path('/lib/live/mount/medium');
+ path('/run/live/medium');
}
method _build_boot_block_device () {
......@@ -25,7 +25,7 @@ Feature: Using Evince
Given I have started Tails from DVD without network and logged in
And I copy "/usr/share/cups/data/default-testpage.pdf" to "/home/amnesia/.gnupg" as user "amnesia"
Then the file "/home/amnesia/.gnupg/default-testpage.pdf" exists
And the file "/run/live/overlay/home/amnesia/.gnupg/default-testpage.pdf" exists
And the file "/lib/live/mount/overlay/home/amnesia/.gnupg/default-testpage.pdf" exists
And the file "/live/overlay/home/amnesia/.gnupg/default-testpage.pdf" exists
Given I start monitoring the AppArmor log of "/usr/bin/evince"
When I try to open "/home/amnesia/.gnupg/default-testpage.pdf" with Evince
......@@ -33,16 +33,16 @@ Feature: Using Evince
And AppArmor has denied "/usr/bin/evince" from opening "/home/amnesia/.gnupg/default-testpage.pdf"
When I close Evince
Given I restart monitoring the AppArmor log of "/usr/bin/evince"
When I try to open "/run/live/overlay/home/amnesia/.gnupg/default-testpage.pdf" with Evince
When I try to open "/lib/live/mount/overlay/home/amnesia/.gnupg/default-testpage.pdf" with Evince
Then I see "EvinceUnableToOpen.png" after at most 10 seconds
And AppArmor has denied "/usr/bin/evince" from opening "/run/live/overlay/home/amnesia/.gnupg/default-testpage.pdf"
And AppArmor has denied "/usr/bin/evince" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/default-testpage.pdf"
When I close Evince
Given I restart monitoring the AppArmor log of "/usr/bin/evince"
When I try to open "/live/overlay/home/amnesia/.gnupg/default-testpage.pdf" with Evince
Then I see "EvinceUnableToOpen.png" after at most 10 seconds
# Due to our AppArmor aliases, /live/overlay will be treated
# as /run/live/overlay.
And AppArmor has denied "/usr/bin/evince" from opening "/run/live/overlay/home/amnesia/.gnupg/default-testpage.pdf"
# as /lib/live/mount/overlay.
And AppArmor has denied "/usr/bin/evince" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/default-testpage.pdf"
#10994
@fragile
......
......@@ -92,7 +92,7 @@ Feature: Chatting anonymously using Pidgin
Then I cannot add a certificate from the "/home/amnesia/.gnupg" directory to Pidgin
When I close Pidgin's certificate import failure dialog
And I close Pidgin's certificate manager
Then I cannot add a certificate from the "/run/live/overlay/home/amnesia/.gnupg" directory to Pidgin
Then I cannot add a certificate from the "/lib/live/mount/overlay/home/amnesia/.gnupg" directory to Pidgin
When I close Pidgin's certificate import failure dialog
And I close Pidgin's certificate manager
Then I cannot add a certificate from the "/live/overlay/home/amnesia/.gnupg" directory to Pidgin
......
......@@ -329,7 +329,7 @@ end
Then /^the running Tails is installed on USB drive "([^"]+)"$/ do |target_name|
loader = boot_device_type == "usb" ? "syslinux" : "isolinux"
tails_is_installed_helper(target_name, "/run/live/medium", loader)
tails_is_installed_helper(target_name, "/lib/live/mount/medium", loader)
end
Then /^the ISO's Tails is installed on USB drive "([^"]+)"$/ do |target_name|
......@@ -437,7 +437,7 @@ end
def boot_device
# Approach borrowed from
# config/chroot_local_includes/lib/live/config/998-permissions
boot_dev_id = $vm.execute("udevadm info --device-id-of-file=/run/live/medium").stdout.chomp
boot_dev_id = $vm.execute("udevadm info --device-id-of-file=/lib/live/mount/medium").stdout.chomp
boot_dev = $vm.execute("readlink -f /dev/block/'#{boot_dev_id}'").stdout.chomp
return boot_dev
end
......@@ -731,7 +731,7 @@ TAILS_VERSION_ID="#{version}"
path += "var/lib/#{chroot_browser}/chroot/" if chroot_browser
path += change[:path]
when :medium
path = '/run/live/medium/' + change[:path]
path = '/lib/live/mount/medium/' + change[:path]
else
raise "Unknown filesysten '#{change[:filesystem]}'"
end
......
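Review bot: `boot_device` takes `.stdout.chomp` of the `udevadm info --device-id-of-file=` command without checking that it succeeded, so an unexpected medium mountpoint yields an empty id, `readlink -f /dev/block/''` resolves to `/dev/block`, and the step compares against a meaningless device instead of failing loudly; if the `$vm.execute` result exposes the exit status, assert it before using the output, e.g. `cmd = $vm.execute("udevadm info --device-id-of-file=/lib/live/mount/medium")` then `assert(cmd.success?, "udevadm could not resolve the boot medium")` (adjust to the helper's actual API, which is not visible here). The same medium path is now hardcoded in three places in this file plus the shell and Python code in this commit; a single constant in the test suite would make the next live-boot adjustment a one-line change. Unrelated but visible in context: the error string `"Unknown filesysten '...'"` has a typo (`filesystem`).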
......@@ -63,7 +63,7 @@ Feature: Browsing the web using the Tor Browser
And I copy "/usr/share/synaptic/html/index.html" to "/home/amnesia/.gnupg/synaptic.html" as user "amnesia"
And I copy "/usr/share/synaptic/html/index.html" to "/tmp/synaptic.html" as user "amnesia"
Then the file "/home/amnesia/.gnupg/synaptic.html" exists
And the file "/run/live/overlay/home/amnesia/.gnupg/synaptic.html" exists
And the file "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html" exists
And the file "/live/overlay/home/amnesia/.gnupg/synaptic.html" exists
And the file "/tmp/synaptic.html" exists
Given I start monitoring the AppArmor log of "torbrowser_firefox"
......@@ -77,15 +77,15 @@ Feature: Browsing the web using the Tor Browser
Then I do not see "TorBrowserSynapticManual.png" after at most 5 seconds
And AppArmor has denied "torbrowser_firefox" from opening "/home/amnesia/.gnupg/synaptic.html"
Given I restart monitoring the AppArmor log of "torbrowser_firefox"
When I open the address "file:///run/live/overlay/home/amnesia/.gnupg/synaptic.html" in the Tor Browser
When I open the address "file:///lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html" in the Tor Browser
Then I do not see "TorBrowserSynapticManual.png" after at most 5 seconds
And AppArmor has denied "torbrowser_firefox" from opening "/run/live/overlay/home/amnesia/.gnupg/synaptic.html"
And AppArmor has denied "torbrowser_firefox" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html"
Given I restart monitoring the AppArmor log of "torbrowser_firefox"
When I open the address "file:///live/overlay/home/amnesia/.gnupg/synaptic.html" in the Tor Browser
Then I do not see "TorBrowserSynapticManual.png" after at most 5 seconds
# Due to our AppArmor aliases, /live/overlay will be treated
# as /run/live/overlay.
And AppArmor has denied "torbrowser_firefox" from opening "/run/live/overlay/home/amnesia/.gnupg/synaptic.html"
# as /lib/live/mount/overlay.
And AppArmor has denied "torbrowser_firefox" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/synaptic.html"
# We do not get any AppArmor log for when access to files in /tmp is denied
# since we explictly override (commit 51c0060) the rules (from the user-tmp
# abstration) that would otherwise allow it, and we do so with "deny", which
......
......@@ -25,19 +25,19 @@ Feature: Using Totem
Then I see "TotemUnableToOpen.png" after at most 10 seconds
And AppArmor has denied "/usr/bin/totem" from opening "/home/amnesia/.gnupg/video.mp4"
Given I close Totem
And the file "/run/live/overlay/home/amnesia/.gnupg/video.mp4" exists
And the file "/lib/live/mount/overlay/home/amnesia/.gnupg/video.mp4" exists
And I restart monitoring the AppArmor log of "/usr/bin/totem"
When I try to open "/run/live/overlay/home/amnesia/.gnupg/video.mp4" with Totem
When I try to open "/lib/live/mount/overlay/home/amnesia/.gnupg/video.mp4" with Totem
Then I see "TotemUnableToOpen.png" after at most 10 seconds
And AppArmor has denied "/usr/bin/totem" from opening "/run/live/overlay/home/amnesia/.gnupg/video.mp4"
And AppArmor has denied "/usr/bin/totem" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/video.mp4"
Given I close Totem
And the file "/live/overlay/home/amnesia/.gnupg/video.mp4" exists
And I restart monitoring the AppArmor log of "/usr/bin/totem"
When I try to open "/live/overlay/home/amnesia/.gnupg/video.mp4" with Totem
Then I see "TotemUnableToOpen.png" after at most 10 seconds
# Due to our AppArmor aliases, /live/overlay will be treated
# as /run/live/overlay.
And AppArmor has denied "/usr/bin/totem" from opening "/run/live/overlay/home/amnesia/.gnupg/video.mp4"
# as /lib/live/mount/overlay.
And AppArmor has denied "/usr/bin/totem" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/video.mp4"
Given I close Totem
And I copy "/home/amnesia/video.mp4" to "/home/amnesia/.purple/otr.private_key" as user "amnesia"
And I restart monitoring the AppArmor log of "/usr/bin/totem"
......
......@@ -17,8 +17,8 @@ report:
- the output of the five following commands, run in a
[[<span class=\"application\">Terminal</span>|first_steps/introduction_to_gnome_and_the_tails_desktop#terminal]]:
<pre>
ls -l /run/live/medium/live
cat /run/live/medium/live/Tails.module
ls -l /lib/live/mount/medium/live
cat /lib/live/mount/medium/live/Tails.module
mount
df -h
free -m
......