authorintrigeri <intrigeri@boum.org>2017-03-05 14:11:02 +0000
committerintrigeri <intrigeri@boum.org>2017-03-05 14:11:02 +0000
commit35ee9e7603ab6b9f9f2bd4cd92061e75461a026c (patch)
treed9f19e43d5bdde90c1beba5426b828a95d2b515c
parent288a74ac8de88269c032f883cba28e2c4f4d4d9a (diff)
parentf95a8ea01d1fac27eddbf2720fbea0c472550199 (diff)
Merge branch 'stable' into feature/12193-notify-if-32-bit
-rw-r--r--config/APT_overlays.d/bugfix-12217-linux-4.8.150
-rw-r--r--config/APT_overlays.d/bugfix-8449-iuk-install-robustness0
-rw-r--r--config/chroot_apt/preferences15
-rwxr-xr-xconfig/chroot_local-hooks/80-block-network4
-rw-r--r--config/chroot_local-includes/etc/modprobe.d/no-mei.conf4
-rw-r--r--config/chroot_local-includes/etc/modprobe.d/uncommon-network-protocols.conf4
-rw-r--r--config/chroot_local-includes/etc/sudoers.d/zzz_upgrade2
-rwxr-xr-xconfig/chroot_local-includes/usr/local/lib/tails-spoof-mac3
-rw-r--r--wiki/src/contribute/design/incremental_upgrades.mdwn6
9 files changed, 24 insertions, 14 deletions
diff --git a/config/APT_overlays.d/bugfix-12217-linux-4.8.15 b/config/APT_overlays.d/bugfix-12217-linux-4.8.15
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/config/APT_overlays.d/bugfix-12217-linux-4.8.15
diff --git a/config/APT_overlays.d/bugfix-8449-iuk-install-robustness b/config/APT_overlays.d/bugfix-8449-iuk-install-robustness
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/config/APT_overlays.d/bugfix-8449-iuk-install-robustness
diff --git a/config/chroot_apt/preferences b/config/chroot_apt/preferences
index 7791fb4..fb9166f 100644
--- a/config/chroot_apt/preferences
+++ b/config/chroot_apt/preferences
@@ -88,24 +88,29 @@ Package: linux-base
Pin: release o=Debian,n=sid
Pin-Priority: 999
+Explanation: freeze exception added for Tails 2.11
Package: linux-compiler-gcc-*
-Pin: release o=Debian,n=jessie-backports
+Pin: origin deb.tails.boum.org
Pin-Priority: 999
+Explanation: freeze exception added for Tails 2.11
Package: linux-compiler-gcc-*:amd64
-Pin: release o=Debian,n=jessie-backports
+Pin: origin deb.tails.boum.org
Pin-Priority: 999
+Explanation: freeze exception added for Tails 2.11
Package: linux-headers-* linux-headers-*:amd64
-Pin: release o=Debian,n=jessie-backports
+Pin: origin deb.tails.boum.org
Pin-Priority: 999
+Explanation: freeze exception added for Tails 2.11
Package: linux-image-*-unsigned linux-image-*-unsigned:amd64
-Pin: release o=Debian,n=jessie-backports
+Pin: origin deb.tails.boum.org
Pin-Priority: 999
+Explanation: freeze exception added for Tails 2.11
Package: linux-kbuild-* linux-source-*
-Pin: release o=Debian,n=jessie-backports
+Pin: origin deb.tails.boum.org
Pin-Priority: 999
Package: monkeysphere
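Review bot: Every `linux-*` stanza now pins `Pin: origin deb.tails.boum.org` at priority 999, and as I read the apt_preferences priority rules a version at 999 is installed in preference to any version from a lower-priority source even when that other version is newer, so a later kernel published by Debian security would not be picked up unless it is also uploaded to deb.tails.boum.org. That is presumably the intent of freezing the kernel for the release, but the five new `Explanation:` lines only say a freeze exception was added and do not record this consequence, which is the thing a future maintainer needs to know before trusting these stanzas during a security update. I would extend each of them along the lines of `Explanation: freeze exception added for Tails 2.11; pinned to deb.tails.boum.org, so Debian kernel updates must be re-uploaded there`. Note also that `Pin: origin` matches the archive hostname rather than the signed Origin field, so the pin's trust ultimately rests on the repository's signing key and sources.list entry, not on this file.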
diff --git a/config/chroot_local-hooks/80-block-network b/config/chroot_local-hooks/80-block-network
index f6b4dd0..1d375b3 100755
--- a/config/chroot_local-hooks/80-block-network
+++ b/config/chroot_local-hooks/80-block-network
@@ -5,6 +5,6 @@ set -e
echo "Generating blocklist for all network devices"
find /lib/modules/*/kernel/drivers/net \
- -name "*.ko" -printf "blacklist %f\n" | \
- sed 's/\.ko$//' | \
+ -name "*.ko" -printf "install %f /bin/true\n" | \
+ sed 's/\.ko / /' | \
sort -u > /etc/modprobe.d/all-net-blacklist.conf
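Review bot: The new `-name "*.ko"` / `sed 's/\.ko / /'` pair silently skips any driver shipped as a compressed module (`.ko.xz`, `.ko.gz`), so on a kernel that compresses modules those network drivers would be left out of the generated `install … /bin/true` list with no error; if that can happen here I would match the suffix more loosely, e.g. `-name "*.ko*" -printf "install %f /bin/true\n" | \` and `sed 's/\.ko[^ ]* / /' | \`. Separately, the `set -e` visible in the hunk header does not cover a pipeline whose last stage succeeds: if `find` fails, `sort -u` still exits 0 and the script writes an empty blocklist and carries on, so adding `set -o pipefail` next to `set -e` (outside this hunk) would turn that into a build failure. The file name `all-net-blacklist.conf` now holds `install` directives rather than `blacklist` ones, which is worth a one-line comment in the script so nobody "fixes" it back.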
diff --git a/config/chroot_local-includes/etc/modprobe.d/no-mei.conf b/config/chroot_local-includes/etc/modprobe.d/no-mei.conf
index 1d917d1..7a51479 100644
--- a/config/chroot_local-includes/etc/modprobe.d/no-mei.conf
+++ b/config/chroot_local-includes/etc/modprobe.d/no-mei.conf
@@ -1,2 +1,2 @@
-blacklist mei-me
-blacklist mei
+install mei-me /bin/true
+install mei /bin/true
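Review bot: The switch from `blacklist` to `install … /bin/true` changes what is blocked, but nothing in the file says why, and modprobe.d files accept `#` comments; the same applies to the new `uncommon-network-protocols.conf` in this commit. I would add a header such as `# "install X /bin/true" rather than "blacklist X": blacklist only stops alias-based autoloading, install also makes an explicit "modprobe X" a no-op (unless --ignore-install is used)`. It is also worth stating in that comment that neither form unloads a module that is already loaded, so the directive only protects future loads.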
diff --git a/config/chroot_local-includes/etc/modprobe.d/uncommon-network-protocols.conf b/config/chroot_local-includes/etc/modprobe.d/uncommon-network-protocols.conf
new file mode 100644
index 0000000..92966bd
--- /dev/null
+++ b/config/chroot_local-includes/etc/modprobe.d/uncommon-network-protocols.conf
@@ -0,0 +1,4 @@
+install dccp /bin/true
+install sctp /bin/true
+install rds /bin/true
+install tipc /bin/true
diff --git a/config/chroot_local-includes/etc/sudoers.d/zzz_upgrade b/config/chroot_local-includes/etc/sudoers.d/zzz_upgrade
index ac29a44..4cc0618 100644
--- a/config/chroot_local-includes/etc/sudoers.d/zzz_upgrade
+++ b/config/chroot_local-includes/etc/sudoers.d/zzz_upgrade
@@ -1,4 +1,4 @@
-Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/cp, /bin/dd, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar, /lib/live/mount/medium/utils/linux/syslinux
+Cmnd_Alias INSTALL_IUK = /bin/chmod, /bin/dd, /bin/mkdir, /bin/mktemp, /bin/mount, /bin/rm, /bin/tar, /lib/live/mount/medium/utils/linux/syslinux, /usr/bin/nocache /bin/cp *
Cmnd_Alias IUK_GET_TARGET_FILE = /usr/bin/tails-iuk-get-target-file
Cmnd_Alias UPGRADE_FRONTEND = /usr/bin/tails-upgrade-frontend ""
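Review bot: Dropping bare `/bin/cp` from `INSTALL_IUK` means any caller that still runs `sudo cp …` is now refused, and whether every caller was changed to `sudo /usr/bin/nocache /bin/cp …` cannot be confirmed from this diff, so that is worth checking before merge. The replacement entry `/usr/bin/nocache /bin/cp *` grants no fewer rights than the removed one: in sudoers a trailing `*` matches the whole remaining argument list, including arguments containing spaces, so it is effectively unrestricted `cp` via the wrapper, which is consistent with what the updated design document in this commit says about the account. A short comment above the alias recording that `nocache` is the only permitted entry point for `cp` would stop the bare form from being re-added later.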
diff --git a/config/chroot_local-includes/usr/local/lib/tails-spoof-mac b/config/chroot_local-includes/usr/local/lib/tails-spoof-mac
index 774a347..b43811c 100755
--- a/config/chroot_local-includes/usr/local/lib/tails-spoof-mac
+++ b/config/chroot_local-includes/usr/local/lib/tails-spoof-mac
@@ -75,7 +75,8 @@ mac_spoof_panic() {
fi
module=$(get_module_used_by_nic "${nic}")
nic_name="$(get_name_of_nic ${nic})"
- echo "blacklist ${module}" >> /etc/modprobe.d/"${module}"-blacklist.conf
+ echo "install ${module} /bin/true" >> \
+ /etc/modprobe.d/"${module}"-blacklist.conf
unload_module_and_rev_deps "${module}" || :
if nic_exists "${nic}"; then
log "Failed to unload module ${module} of NIC ${nic}."
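Review bot: The new `echo "install ${module} /bin/true" >> /etc/modprobe.d/"${module}"-blacklist.conf` has no guard for `module` being empty: if `get_module_used_by_nic` on the line above prints nothing, this writes a malformed `install  /bin/true` line into `/etc/modprobe.d/-blacklist.conf`, which modprobe will then complain about on every run (the old `blacklist` line had the same weakness, but the install directive is the one that now carries the enforcement). I would check before writing, e.g. `[ -n "${module}" ] || { log "Could not determine module of NIC ${nic}."; return 1; }` with the return status matching whatever the rest of the function does on failure, which is not visible here. Minor: `${nic}` is quoted on the `get_module_used_by_nic` line but not on the `get_name_of_nic` line. `mac_spoof_panic` starts before and continues after this hunk.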
diff --git a/wiki/src/contribute/design/incremental_upgrades.mdwn b/wiki/src/contribute/design/incremental_upgrades.mdwn
index faaf241..e1e7ee2 100644
--- a/wiki/src/contribute/design/incremental_upgrades.mdwn
+++ b/wiki/src/contribute/design/incremental_upgrades.mdwn
@@ -717,9 +717,9 @@ user, who itself:
passwordless sudo, as the `tails-iuk-get-target-file` user.
The `tails-install-iuk` user is allowed to run, using passwordless
-sudo, every command required by its task (currently: `chmod`, `cp`,
-`dd`, `mkdir`, `mktemp`, `mount`, `rm`, `tar` and
-`/lib/live/mount/medium/utils/linux/syslinux`) with any arguments.
+sudo, every command required by its task with any arguments.
+This includes e.g. `cp` so for all practical security purposes,
+it can effectively escalate to arbitrary code execution as root.
It is a member of the `tails-iuk-get-target-file` group, which allows it to
read the files downloaded by the `tails-iuk-get-target-file` program.