Commit f685b235 authored by intrigeri's avatar intrigeri
Browse files

Merge branch 'devel' into bugfix/8007-AppArmor-hardening

parents bbf32c89 1e4e5c85
......@@ -21,12 +21,6 @@ Set_defaults
# Seems like we'll have work to do
Echo_message 'including syslinux in the ISO filesystem'
### Functions
syslinux_deb_version_in_chroot () {
chroot chroot dpkg-query -W -f='${Version}\n' syslinux
}
### Variables
LINUX_BINARY_UTILS_DIR='binary/utils/linux'
WIN32_BINARY_UTILS_DIR='binary/utils/win32'
......@@ -34,31 +28,16 @@ BINARY_MBR_DIR='binary/utils/mbr'
CHROOT_SYSLINUX_BIN='chroot/usr/bin/syslinux'
CHROOT_SYSLINUX_MBR='chroot/usr/lib/SYSLINUX/gptmbr.bin'
CHROOT_TEMP_APT_SOURCES='chroot/etc/apt/sources.list.d/tmp-deb-src.list'
SYSLINUX_DEB_VERSION_IN_CHROOT=$(syslinux_deb_version_in_chroot)
### Functions
syslinux_deb_version_in_chroot () {
chroot chroot dpkg-query -W -f='${Version}\n' syslinux
}
### Main
mkdir -p "$LINUX_BINARY_UTILS_DIR" "$WIN32_BINARY_UTILS_DIR" "$BINARY_MBR_DIR"
# Copy 32-bit syslinux binary
cp "$CHROOT_SYSLINUX_BIN" "$LINUX_BINARY_UTILS_DIR/"
# Copy 64-bit syslinux binary
(
olddir=$(pwd)
workdir=$(mktemp -d)
cd "$workdir"
chroot="$olddir/chroot"
Chroot "$chroot" \
apt-get --yes download \
syslinux:amd64="$SYSLINUX_DEB_VERSION_IN_CHROOT"
dpkg-deb --extract "$chroot"/syslinux_*.deb .
rm "$chroot"/syslinux_*.deb
cp ./usr/bin/syslinux "$olddir/$LINUX_BINARY_UTILS_DIR/syslinux-amd64"
cd "$olddir"
rm -r "$workdir"
)
# Copy syslinux MBR
cp "$CHROOT_SYSLINUX_MBR" "$BINARY_MBR_DIR/mbr.bin"
cat chroot/etc/apt/sources.list chroot/etc/apt/sources.list.d/*.list \
......@@ -68,7 +47,7 @@ cat chroot/etc/apt/sources.list chroot/etc/apt/sources.list.d/*.list \
> "$CHROOT_TEMP_APT_SOURCES"
Chroot chroot apt-get --yes update
Chroot chroot apt-get --yes install dpkg-dev
Chroot chroot apt-get source syslinux="$SYSLINUX_DEB_VERSION_IN_CHROOT"
Chroot chroot apt-get source syslinux="$(syslinux_deb_version_in_chroot)"
cp chroot/syslinux-*/bios/win32/syslinux.exe "$WIN32_BINARY_UTILS_DIR/"
rm -r chroot/syslinux*
rm "$CHROOT_TEMP_APT_SOURCES"
......
#! /bin/sh
# Some of this file was adapted from the Debian Installer's
# build/util/efi-image, which is:
#
# Copyright (C) 2010, 2011 Canonical Ltd.
# Author: Colin Watson <cjwatson@ubuntu.com>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the Free
# Software Foundation; either version 2, or (at your option) any later
# version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
set -e
set -x
platform="i386-efi"
outdir="binary/EFI/BOOT/grub/$platform"
efi_name="ia32"
grub_cpmodules () {
if [ -z "$1" ] || [ -z "$2" ]; then
echo "usage: $0 OUTPUT-DIRECTORY GRUB-PLATFORM"
return 1
fi
outdir="$1"
platform="$2"
# Copy over GRUB modules, except for those already built in.
cp -a "chroot/usr/lib/grub/$platform"/*.lst "$outdir/"
for x in "chroot/usr/lib/grub/$platform"/*.mod; do
# Some of these exclusions are based on knowledge of module
# dependencies.
case $(basename "$x" .mod) in
configfile|search|search_fs_file|search_fs_uuid|search_label|tar|part_gpt|linux|gzio)
# included in boot image
;;
affs|afs|afs_be|befs|befs_be|minix|nilfs2|sfs|zfs|zfsinfo)
# unnecessary filesystem modules
;;
example_functional_test|functional_test|hello)
# other cruft
;;
*)
cp -a "$x" "$outdir/"
;;
esac
done
}
# Including common functions
. "${LB_BASE:-/usr/share/live/build}"/scripts/build.sh
# Setting static variables
DESCRIPTION="$(Echo 'including GRUB EFI for ia32 in the ISO filesystem')"
HELP=""
USAGE="${PROGRAM}"
# Reading configuration files
Read_conffiles config/all config/bootstrap config/common config/binary
Set_defaults
# Safeguards
[ "${LB_ARCHITECTURE}" = "i386" ] || exit 0
# Seems like we'll have work to do
Echo_message 'including GRUB EFI for ia32 in the ISO filesystem'
# Build the core image
Chroot chroot grub-mkimage -O "$platform" \
-o "/tmp/boot$efi_name.efi" -p "/efi/boot/grub" \
search configfile normal tar fat part_gpt linux \
gzio
mv "chroot/tmp/boot$efi_name.efi" "binary/EFI/BOOT/boot$efi_name.efi"
mkdir -p "$outdir"
grub_cpmodules "$outdir" "$platform"
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
set linux_gfx_mode=
export linux_gfx_mode
load_video
insmod syslinuxcfg
insmod cpuid
echo "Loading syslinux configuration..."
syslinux_configfile /efi/boot/syslinux.cfg
#! /bin/sh
set -e
echo "Configuring dpkg architectures"
dpkg --add-architecture amd64
......@@ -125,6 +125,7 @@ gobby-0.5
## breaks lb because of desktop-base.postinst (see Debian bug #467620)
#if ARCHITECTURE i386 amd64
# grub
grub-efi-ia32
#endif
gstreamer0.10-ffmpeg
gstreamer0.10-plugins-base
......
......@@ -19,11 +19,6 @@ Testing results
Ideas for future work
=====================
32-bit UEFI
-----------
See [[blueprint/UEFI/32-bit]].
Other ideas
-----------
......
......@@ -147,69 +147,8 @@ Seeing that:
- Tails is running more or less on this devices.
- There are a limited number of different models.
We suggest to maintain a list of the state of Tails compatibility on
these computers. In the router of the web assistant, a potential user
could know if Tails works on her computer and on which media (DVD or
USB) before she tries to install it.
### Data type
The data could be stored in a YAML file, in the git repo.
### Data content
Something like:
model / part of the serial number
Tails version | working? | boot on USB? | boot on DVD? | comments
* In we want to keep history of compatibility (with older Tails
versions) in this file, maybe we will have to show to the user only
the last relevant informations.
* "Tails version" can be useful to:
- Have a better view of how the support Mac evolves.
- Let the user or frontdesk know when the compatibility got broken.
* "Comments" is raw information on Wi-Fi support, graphic support, etc.
### How to feed the list
- Call to heavily test sometimes
- Ask to people doing Tails trainings
- Update from frontdesk
- Maybe something editable by users
### Implementation
In the Mac page of the router, we could implement this in two ways, that
could be two iterations.
#### All information (without form)
- Raw data is transformed server-side into an HTML table with links to
the available scenarios for each model (maybe using
<https://ikiwiki.info/plugins/contrib/ymlfront/>).
- The full list is included in the HTML page sent to the user by hidden
in toggle by default.
- Some information is displayed to help the user identify his type of
Mac (maybe simplifying <https://fr.ifixit.com/Info/ID-your-Mac>).
- The user can toggle to display the sublist corresponding to her type
of Mac (iMac, Macbook, MacBook Air, etc.)
- If JavaScript is disabled, the full list is displayed.
#### Only relevant information (with form)
- Some information is displayed to know easily what kind of mac is
working
- The user types in a form the serial number of her Mac or clicks in a
dedicated tiny wizard like <https://fr.ifixit.com/Info/ID-your-Mac>.
- Some server-side code (Ruby?) or client-side code (JavaScript) gets
the relevant model and displays the possible scenarios.
- If implemented in JavaScript, it would fallback on the "without form"
version described earlier.
### Redmine
This tickets wants to fix the same problem : [[!tails_ticket 9150]]
We want to maintain a list of the state of Tails compatibility on
these computers. [[More details here.|mac]]
<a id="overview"></a>
......
Global process:
- First step (simple solution):
- Generic instructions that would work in most of the case.
- Second step (difficult solution):
- Maintain a list of Macs and their compatibility
Generic instructions that would work in most of the case
========================================================
Implementation is happening there : [[!tails_ticket 9316]]
Truths about Mac:
- DVD
- No DVD on some model
- DVD works on 32-bit UEFI
- Reported to fail very rarely (cf. known issues)
- MacBookPro (early 2011) fails to boot from DVD since Tails 1.1
- dd
- Not working on:
- Macbook Air 1.1: 32-bit UEFI
- Macbook Air 3.1: 64-bit UEFI
- 32-bit might work with next version (#8471)
- Test Tails 1.5 with dd :mercedes:tchou:
- Tails Installer
- 32-bit doesn't work with Tails Installer
- 64-bit work sometimes yes and sometimes no
- Test Tails 1.5 with Installer on Macbook Air 1.1 :mercedes:
- rEFInd
- Don't ask people to do that
- Bootcamp
- No good
Algorithm:
- if have a friend
- clone
- if works → happy
- if fails
- DVD
- dd
- if works → stay on DVD or dd
- if fails → sad
- else
- DVD
- dd
- another computer (different Mac, different OS)
- if fails → sad
- if DVD or dd works
- clone
- if works → happy
- else → stay on DVD or dd
- if another computer works until full-feature Tails
- if works → happy
- else → try temporary Tails
List of compatibility with Mac
==============================
Seeing that:
- A lot of current and potential users are Mac users.
- Tails is running more or less on this devices.
- There are a limited number of different models.
We will maintain the state of Tails compatibility on these computers.
Roadmap
-------
1 Bootstrap
-----------
- Specifing the data type.
- Know the precise models. #9322
- Setup a git repo.
2 Start to fill it
------------------
- Frontdesk starts to fill it
3 Have it on the website
------------------------
- Full list in markdown thanks to a routine
- In the web installation assistant
- In/linked in the troubleshooting section
- Maybe later an interactive app in the assistant
### Data type
The data could be stored in a YAML file, in the git repo. See [[!tails_ticket 9892]] for work in progress.
### Data content
- Fields ("strings", boolean?):
"model id"
- "Tails version" | DVD? | dd ? | tails installer? | SD? | wifi? | gaphic card? | mac address?
- ... (an other user reports on this model)
Writing the report after the summit, I would add :
- Anonymised uniq identifier per users
- Timestemp
- Comments (if there is non anticipated things to keep)
- Explicit say if the device type and if it boot or not (I feel it's easiest to write and read)
Trying a yaml type (optional or not):
model_id: (required)
reports:
- date: (required)
user: (optional)
tails: (required)
media: (required)
boot: (required)
install: (required)
wifi: (optional)
mac_address (optional)
graphic_card (optional)
comments: (optional)
And some samples :
model_id: MacBookAir3.2
reports:
- date: 2012-08-06
user: Oothai1iu6iefaiy
tails: 1.5
media: usb
boot: true
install: tails_installer
comments:
Touchpad not working.
- date: 2012-07-26
user: seyuo4daiChei3Oo
tails: 1.4
media: sd
boot: true
install: tails_installer
wifi: true
mac_spoofing: false
- date: 2012-06-12
user: aif0ueveeb0Ahkii
tails: 1.2
media: dvd
boot: false
comments:
Tried to boot on external DVD. Tails is on not on the Mac boot menu.
* "model id" : #9322. For one model id, there is one or several reports. (note that there is not realy the "state" for one model : the is different reports who can help to guess the state.)
* "Tails version" : can be useful to:
- Have a better view of how the support Mac evolves.
- Let the user or frontdesk know when the compatibility got broken.
* We want to keep history of compatibility (with older Tails
versions) in this file, maybe we will have to show to the user only
the last relevant informations.
* "Comments" is raw information on harward issues (touchpad, bluetooth). The most common issues are fields (wifi, mac spoofing, graphic card)
### How to feed the list
- Call to heavily test sometimes
- Ask to people doing Tails trainings
- Update from frontdesk
- Maybe something editable by users
### Later implementation
In the Mac page of the router, we could implement this in two ways, that
could be two iterations.
#### All information (without form)
- Raw data is transformed server-side into an HTML table with links to
the available scenarios for each model (maybe using
<https://ikiwiki.info/plugins/contrib/ymlfront/>).
- The full list is included in the HTML page sent to the user by hidden
in toggle by default.
- Some information is displayed to help the user identify his type of
Mac (maybe simplifying <https://fr.ifixit.com/Info/ID-your-Mac>).
- The user can toggle to display the sublist corresponding to her type
of Mac (iMac, Macbook, MacBook Air, etc.)
- If JavaScript is disabled, the full list is displayed.
#### Only relevant information (with form)
- Some information is displayed to know easily what kind of mac is
working
- The user types in a form the serial number of her Mac or clicks in a
dedicated tiny wizard like <https://fr.ifixit.com/Info/ID-your-Mac>.
- Some server-side code (Ruby?) or client-side code (JavaScript) gets
the relevant model and displays the possible scenarios.
- If implemented in JavaScript, it would fallback on the "without form"
version described earlier.
### Redmine
This tickets wants to fix the same problem : [[!tails_ticket 9150]]
......@@ -191,22 +191,22 @@ We are not considering an attacker who can:
on a native interface accessible from the add-ons menu.
- [I] Provide a malicious extension in the same browser as this would
have similar effects than attack [F].
have similar effects to attack [F].
<a id="inside_the_browser"></a>
Security inside the browser
---------------------------
The thread described as [H] is taken care of by the internals of the
The threat described as [H] is taken care of by the internals of the
browser (and the proper coding of the extension). Web pages from a
different origin cannot interfere in any way with the result of the
verification performed by the extension. Only tabs from the same origin,
or if the content of the other tab opts-in for some form of cross-domain
communication, or it's been opened with window.open() by a script in
communication, or it's been opened with `window.open()` by a script in
this tab or vice-versa (in the latter cases it has a handle to the
window of the other tab, either as the return value of window.open() or
as the window.opener property, but it cannot actually touch the content
window of the other tab, either as the return value of `window.open()` or
as the `window.opener` property, but it cannot actually touch the content
unless it's same domain).
Of course, any tab can open an alert box saying "Verification
......@@ -217,7 +217,7 @@ instead modifies the content of the page.
Bugs in the browser itself that could temper with the verification
mechanism would need to be of the "remote code execution vulnerability"
and would represent a thread in many more use cases than when verifying
and would represent a threat in many more use cases than when verifying
an ISO image.
Open questions
......
......@@ -4,6 +4,13 @@
<http://tp.linux.it/glossario.html>
# Info
Qualche informazione sui file po:
<http://tp.linux.it/guida-po/index.html>
# Repository GIT
Accesso: send {username, SSH pubkey} tuples to <intrigeri@boum.org>.
......@@ -16,11 +23,130 @@ to add it, run:
... in an existing clone of our Git repo.
# info
# Come configurare il workflow git sul vostro pc
NOTA:
tutte le righe che iniziano con $ sono da digitare nel terminale, a volte sotto c'è la risposta del terminale, oppure niente. In generale nei sistemi unix-like se il terminale dopo aver dato un comando non vi risponde niente, vuol dire che tutto è andato bene.
1) Creata una cartella con TRADUZIONI:
$ mkdir TRADUZIONI
2) Entrata nella cartella:
$ cd TRADUZIONI
3) Clonato i file per il mio uso locale nella cartella mytails (indicata
in fondo al comando):
$ git clone https://git-tails.immerda.ch/l10n-italian/tails/ mytails
Cloning into 'mytails'...
remote: Counting objects: 184366, done.
remote: Compressing objects: 100% (48007/48007), done.
remote: Total 184366 (delta 121678), reused 184279 (delta 121629)
Ricezione degli oggetti: 100% (184366/184366), 49.13 MiB | 892.00 KiB/s,
done.
Risoluzione dei delta: 100% (121678/121678), done.
Checking connectivity... fatto.
qualche informazione sui file po:
4)Entro nell cartella mytails e controllo che mi dice git:
$ git status
Sul branch master
Your branch is up-to-date with 'origin/master'.
nothing to commit, working directory clean
5)Aggiungo il repository remoto:
$ git remote add l10n-italian tails@git.tails.boum.org:l10n-italian/tails
6)Controllo che funzioni:
$ git remote -v
l10n-italian tails@git.tails.boum.org:l10n-italian/tails (fetch)
l10n-italian tails@git.tails.boum.org:l10n-italian/tails (push)
tails https://git-tails.immerda.ch/l10n-italian/tails/ (fetch)
tails https://git-tails.immerda.ch/l10n-italian/tails/ (push)
7)Modifico dei file, aggiungo traduzioni, etc.. poi torno al terminale.
8)Aggiungo due file che ho creato e modificato:
$ git add wiki/src/doc/about/license.it.po
$ git add wiki/src/doc/about/requirements.it.po
$ git status
Sul branch master
Your branch is up-to-date with 'origin/master'.
Changes to be committed:
(use "git reset HEAD <file>..." to unstage)
new file: wiki/src/doc/about/license.it.po
new file: wiki/src/doc/about/requirements.it.po
9) Faccio il commit locale
$ git commit -m "primi file tradotti"
[master c149e1b] primi file tradotti
Committer: cri <cri@localhost.lan>
Il tuo nome e l'indirizzo email sono stati configurati automaticamente usando
il tuo nome utente ed il nome host. Per favore, verifica che siano esatti.