authorintrigeri <intrigeri@boum.org>2018-01-09 10:56:30 +0000
committerintrigeri <intrigeri@boum.org>2018-01-09 10:56:30 +0000
commit6aa6106ec07b2363533c4a6131f83ca67f20244e (patch)
tree7e1d4632acf093df971ed3253b561f1a37f177fe
parentd7e7d100cf17966d4e745b8baacbdf27c9703265 (diff)
parente7ea5fd0b81b9520199bd2312e7bff2a09a25a7d (diff)
Merge remote-tracking branch 'origin/devel' into bugfix/15029-AppArmor-cups-backends
-rw-r--r--config/APT_overlays.d/bugfix-15132-devel-ftbfs0
-rw-r--r--config/amnesia2
-rw-r--r--config/chroot_apt/preferences8
-rwxr-xr-xconfig/chroot_local-hooks/01-check-for-outdated-AppArmor-feature-set24
-rwxr-xr-xconfig/chroot_local-hooks/50-dkms36
-rwxr-xr-xconfig/chroot_local-hooks/98-remove_unwanted_packages5
-rw-r--r--config/chroot_local-includes/usr/share/apparmor-features/features.Tails23
-rw-r--r--config/chroot_local-packageslists/tails-common.list1
-rw-r--r--config/chroot_local-patches/AppArmor-pin-feature-set.patch18
-rw-r--r--config/chroot_local-patches/live-boot:_workaround_aufs_bug.patch11
-rw-r--r--debian/changelog6
-rw-r--r--features/step_definitions/unsafe_browser.rb2
-rw-r--r--wiki/src/doc/about/features.mdwn2
-rw-r--r--wiki/src/doc/sensitive_documents/metadata.mdwn6
14 files changed, 121 insertions, 23 deletions
diff --git a/config/APT_overlays.d/bugfix-15132-devel-ftbfs b/config/APT_overlays.d/bugfix-15132-devel-ftbfs
deleted file mode 100644
index e69de29..0000000
--- a/config/APT_overlays.d/bugfix-15132-devel-ftbfs
+++ /dev/null
diff --git a/config/amnesia b/config/amnesia
index 4eb5546..b879407 100644
--- a/config/amnesia
+++ b/config/amnesia
@@ -26,7 +26,7 @@ AMNESIA_ISOHYBRID_OPTS="-h 255 -s 63 --id 42 --verbose"
REQUIRED_SYSLINUX_UTILS_UPSTREAM_VERSION="6.03~pre20"
# Kernel version
-KERNEL_VERSION='4.13.0-0.bpo.1'
+KERNEL_VERSION='4.14.0-3'
KERNEL_SOURCE_VERSION=$(
echo "$KERNEL_VERSION" \
| perl -p -E 's{\A (\d+ [.] \d+) [.] .*}{$1}xms'
diff --git a/config/chroot_apt/preferences b/config/chroot_apt/preferences
index d91683d..65003a0 100644
--- a/config/chroot_apt/preferences
+++ b/config/chroot_apt/preferences
@@ -1,5 +1,5 @@
Package: aufs-dkms
-Pin: origin deb.tails.boum.org
+Pin: release o=Debian,n=sid
Pin-Priority: 999
Package: b43-fwcutter
@@ -33,7 +33,7 @@ Pin: version 2.36.5-2.0tails*
Pin-Priority: -1
Package: linux-compiler-* linux-headers-* linux-image-* linux-kbuild-* linux-source-*
-Pin: release o=Debian,n=stretch-backports
+Pin: release o=Debian,n=sid
Pin-Priority: 999
Explanation: We ship our custom-built Thunderbird for now, see #6156
@@ -61,6 +61,10 @@ Package: xul-ext-ublock-origin
Pin: release o=Debian,n=sid
Pin-Priority: 999
+Package: pdf-redact-tools
+Pin: release o=Debian,n=sid
+Pin-Priority: 999
+
Explanation: weirdness in chroot_apt install-binary
Package: *
Pin: release o=chroot_local-packages
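Review bot: The pins that move aufs-dkms and the linux-* family from `stretch-backports` to `o=Debian,n=sid` at priority 999, and the new pdf-redact-tools stanza, carry no `Explanation:` line, while the rest of the file records the reason for every non-obvious pin (e.g. the Thunderbird one above). Pulling a kernel and its headers from sid into a Stretch-based image is exactly the kind of decision a later reader will want justified, so I would add above each changed stanza a line such as `Explanation: taken from sid until Stretch ships a new enough version, see <TICKET PLACEHOLDER>` with the actual reason filled in. The pdf-redact-tools stanza presumably follows the same pattern and should say so too.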
diff --git a/config/chroot_local-hooks/01-check-for-outdated-AppArmor-feature-set b/config/chroot_local-hooks/01-check-for-outdated-AppArmor-feature-set
new file mode 100755
index 0000000..b05189d
--- /dev/null
+++ b/config/chroot_local-hooks/01-check-for-outdated-AppArmor-feature-set
@@ -0,0 +1,24 @@
+#! /bin/sh
+
+set -e
+set -u
+set -x
+
+echo "Checking if we should stop shipping our own AppArmor feature set"
+
+if [ -f /usr/share/apparmor-features/features ]; then
+ if cmp -q /usr/share/apparmor-features/features.Tails \
+ /usr/share/apparmor-features/features; then
+ echo "Debian ships the same AppArmor feature set as ours. " \
+ "Likely we can now remove our own one." >&2
+ else
+ echo "Debian ships a different AppArmor feature set from ours. " \
+ "Likely our own one is outdated and can be removed:" >&2
+ diff -Naur \
+ /usr/share/apparmor-features/features.Tails \
+ /usr/share/apparmor-features/features \
+ >&2
+ fi
+ # In any case, we probably have to do something about it.
+ exit 1
+fi
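Review bot: `cmp -q` on the line `if cmp -q /usr/share/apparmor-features/features.Tails \` is not a short option that POSIX or, as far as I can tell, GNU cmp accept (the silent flag is `-s`, with `--quiet`/`--silent` as long forms), so cmp fails with a usage error; because the call is an `if` condition, `set -e` does not stop the script and it always falls into the else branch, reporting a differing feature set even when the two files are identical. Change it to `if cmp -s /usr/share/apparmor-features/features.Tails \`. Since both branches end in `exit 1` the build outcome is the same either way, but the message and the `diff -Naur` output would mislead whoever investigates the failure.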
diff --git a/config/chroot_local-hooks/50-dkms b/config/chroot_local-hooks/50-dkms
index 2061aa8..1e83074 100755
--- a/config/chroot_local-hooks/50-dkms
+++ b/config/chroot_local-hooks/50-dkms
@@ -2,31 +2,39 @@
set -e
set -u
+set -x
echo "Building dkms modules"
. /usr/share/amnesia/build/variables
-# the -dkms package must be installed *after* dkms to be properly registered
-apt-get install --yes build-essential dkms
+# Import install_fake_package
+. /usr/local/lib/tails-shell-library/build.sh
+
+# Install gcc-6 and fake linux-compiler-gcc-7-x86
+# (linux-headers-4.14+ depends on it, but Stretch hasn't GCC 7)
+# XXX:Buster: remove this hack.
+apt-get install --yes gcc-6
+install_fake_package \
+ linux-compiler-gcc-7-x86 \
+ "$(apt-cache policy linux-compiler-gcc-7-x86 | awk '/ +Candidate:/ {print $2}')~0tails1"
+ln -s /usr/bin/gcc-6 /usr/bin/gcc-7
+
+# Any -dkms package must be installed *after* dkms to be properly registered
+apt-get install --yes \
+ build-essential \
+ dkms \
+ libelf-dev
-# Installing the headers triggers the building of the modules for that kernel
apt-get install --yes \
"linux-headers-${KERNEL_VERSION}-amd64" \
aufs-dkms \
virtualbox-guest-dkms
-MODULES_VERSION="$(dpkg-query -W -f='${Version}\n' virtualbox-guest-dkms \
- | sed -E 's,-.*,,')"
-dkms build \
- -a amd64 -k "${KERNEL_VERSION}-amd64" \
- -m virtualbox-guest -v "$MODULES_VERSION"
-dkms install \
- -a amd64 -k "${KERNEL_VERSION}-amd64" \
- -m virtualbox-guest -v "$MODULES_VERSION"
-
-# clean the build directory
-# rm -r /var/lib/dkms/virtualbox-guest/
+for log in $(ls /var/lib/dkms/*/*/build/make.log); do
+ echo "---- $log"
+ cat "$log"
+done
# Ensure the modules were actually built and installed: when
# dkms.conf for a DKMS module includes a BUILD_EXCLUSIVE directive
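Review bot: The loop `for log in $(ls /var/lib/dkms/*/*/build/make.log); do` parses ls output and word-splits it; letting the shell glob directly is safer and makes the no-match case explicit: `for log in /var/lib/dkms/*/*/build/make.log; do` followed by `[ -e "$log" ] || continue` before the echo. Two other lines deserve a comment or guard: the version passed to install_fake_package comes from `apt-cache policy ... | awk '/ +Candidate:/ {print $2}'`, which presumably yields `(none)` or an empty string when there is no candidate, producing a nonsensical fake version rather than a clear failure; and `ln -s /usr/bin/gcc-6 /usr/bin/gcc-7` creates a symlink that nothing visible removes, so once the 98-remove_unwanted_packages hunk purges gcc-6 the image would seem to keep a dangling `/usr/bin/gcc-7`. The script's shebang and the module check that the last context lines introduce are outside the hunk.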
diff --git a/config/chroot_local-hooks/98-remove_unwanted_packages b/config/chroot_local-hooks/98-remove_unwanted_packages
index d56a910..8be39ee 100755
--- a/config/chroot_local-hooks/98-remove_unwanted_packages
+++ b/config/chroot_local-hooks/98-remove_unwanted_packages
@@ -12,12 +12,15 @@ echo "Removing unwanted packages"
# - libgcc1 (apt depends on it)
# - cpp, cpp-* (big parts of GNOME depend on it)
apt-get --yes purge \
+ '^linux-compiler-*' \
'^linux-kbuild-*' \
'^linux-headers-*' \
build-essential debhelper dkms dpkg-dev \
gcc gcc-6 \
intltool-debian \
- libc6-dev linux-libc-dev \
+ libc6-dev \
+ libelf-dev \
+ linux-libc-dev \
make \
po-debconf \
rsyslog \
diff --git a/config/chroot_local-includes/usr/share/apparmor-features/features.Tails b/config/chroot_local-includes/usr/share/apparmor-features/features.Tails
new file mode 100644
index 0000000..4684a0c
--- /dev/null
+++ b/config/chroot_local-includes/usr/share/apparmor-features/features.Tails
@@ -0,0 +1,23 @@
+caps {mask {chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read
+}
+}
+rlimit {mask {cpu fsize data stack core rss nproc nofile memlock as locks sigpending msgqueue nice rtprio rttime
+}
+}
+capability {0xffffff
+}
+file {mask {create read write exec append mmap_exec link lock
+}
+}
+domain {change_profile {yes
+}
+change_onexec {yes
+}
+change_hatv {yes
+}
+change_hat {yes
+}
+}
+policy {set_load {yes
+}
+}
diff --git a/config/chroot_local-packageslists/tails-common.list b/config/chroot_local-packageslists/tails-common.list
index 98f8fe1..e6e654f 100644
--- a/config/chroot_local-packageslists/tails-common.list
+++ b/config/chroot_local-packageslists/tails-common.list
@@ -149,6 +149,7 @@ live-tools
lvm2
macchanger
mat
+pdf-redact-tools
mesa-utils
monkeysign
monkeysphere
diff --git a/config/chroot_local-patches/AppArmor-pin-feature-set.patch b/config/chroot_local-patches/AppArmor-pin-feature-set.patch
new file mode 100644
index 0000000..4470f25
--- /dev/null
+++ b/config/chroot_local-patches/AppArmor-pin-feature-set.patch
@@ -0,0 +1,18 @@
+Description: pin the AppArmor feature set to the Stretch's kernel one
+ .
+ Let's smooth UX on kernel upgrades and allow ourselves to update the AppArmor
+ policy in a relaxed manner.
+Bug-Debian: https://bugs.debian.org/879585
+Forwarded: not-needed
+Author: intrigeri <intrigeri@debian.org>
+
+--- a/etc/apparmor/parser.conf
++++ b/etc/apparmor/parser.conf
+@@ -60,3 +60,7 @@
+ ## Adjust compression
+ #Optimize=compress-small
+ #Optimize=compress-fast
++
++## Pin feature set (avoid regressions when policy is lagging behind
++## the kernel)
++features-file=/usr/share/apparmor-features/features.Tails
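Review bot: The `Description:` header says the feature set is pinned to "the Stretch's kernel one", but the same commit moves config/amnesia to `KERNEL_VERSION='4.14.0-3'` taken from sid, so it is unclear which kernel `features.Tails` was generated from or how to refresh it. I would add to the description something like ` The pinned file was generated from kernel <KERNEL VERSION PLACEHOLDER>; regenerate it and compare against Debian's /usr/share/apparmor-features/features on every kernel bump (01-check-for-outdated-AppArmor-feature-set flags when Debian starts shipping one).` Recording this matters because, as I understand AppArmor's feature-file handling, policy compiled against a feature set older than the running kernel leaves the newer mediation classes unenforced, so a stale pin quietly weakens confinement rather than breaking it.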
diff --git a/config/chroot_local-patches/live-boot:_workaround_aufs_bug.patch b/config/chroot_local-patches/live-boot:_workaround_aufs_bug.patch
new file mode 100644
index 0000000..797face
--- /dev/null
+++ b/config/chroot_local-patches/live-boot:_workaround_aufs_bug.patch
@@ -0,0 +1,11 @@
+--- a/lib/live/boot/9990-misc-helpers.sh.orig 2018-01-04 13:27:17.845454685 +0000
++++ b/lib/live/boot/9990-misc-helpers.sh 2018-01-04 14:40:06.852067492 +0000
+@@ -1337,6 +1337,8 @@
+ esac
+
+ mount -t ${UNIONTYPE} ${unionmountopts} ${UNIONTYPE} "${unionmountpoint}"
++ # Workaround aufs bug (Debian#886329)
++ ls "${unionmountpoint}" >/dev/null 2>&1 || true
+ }
+
+ get_custom_mounts ()
diff --git a/debian/changelog b/debian/changelog
index 9fa3104..605a03c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,14 +1,14 @@
-tails (3.4) UNRELEASED; urgency=medium
+tails (3.5) UNRELEASED; urgency=medium
* Dummy entry for next release.
-- Tails developers <tails@boum.org> Tue, 26 Sep 2017 06:03:57 +0000
-tails (3.3.1) UNRELEASED; urgency=medium
+tails (3.4) UNRELEASED; urgency=medium
* Dummy entry for next release.
- -- Tails developers <tails@boum.org> Wed, 15 Nov 2017 13:22:29 +0100
+ -- Tails developers <tails@boum.org> Tue, 26 Sep 2017 06:03:57 +0000
tails (3.3) unstable; urgency=medium
diff --git a/features/step_definitions/unsafe_browser.rb b/features/step_definitions/unsafe_browser.rb
index e18f1ae..8ca8dce 100644
--- a/features/step_definitions/unsafe_browser.rb
+++ b/features/step_definitions/unsafe_browser.rb
@@ -102,7 +102,7 @@ Then /^the Unsafe Browser has a red theme$/ do
end
Then /^the Unsafe Browser shows a warning as its start page$/ do
- @screen.wait("UnsafeBrowserStartPage.png", 10)
+ @screen.wait("UnsafeBrowserStartPage.png", 30)
end
Then /^the Unsafe Browser has started$/ do
diff --git a/wiki/src/doc/about/features.mdwn b/wiki/src/doc/about/features.mdwn
index 71ada57..d0cefa6 100644
--- a/wiki/src/doc/about/features.mdwn
+++ b/wiki/src/doc/about/features.mdwn
@@ -77,6 +77,8 @@ Encryption and privacy
for accessibility, and as a countermeasure against hardware
[[!wikipedia Keystroke logging desc="keyloggers"]] ([[More...|doc/encryption_and_privacy/virtual_keyboard]])
* [MAT](https://mat.boum.org/) to anonymize metadata in files
+* [pdf-redact-tools](https://github.com/firstlookmedia/pdf-redact-tools) to help
+ with securely redacting and stripping metadata from documents before publishing
* [KeePassX](http://www.keepassx.org/) password manager ([[More...|doc/encryption_and_privacy/manage_passwords]])
* [GtkHash](http://gtkhash.sourceforge.net/) to calculate checksums ([[More...|doc/encryption_and_privacy/checksums]])
* [Keyringer](https://keyringer.pw/), a command line tool to encrypt secrets shared through Git ([[More...|doc/encryption_and_privacy/keyringer]])
diff --git a/wiki/src/doc/sensitive_documents/metadata.mdwn b/wiki/src/doc/sensitive_documents/metadata.mdwn
index c8caadc..1fc342e 100644
--- a/wiki/src/doc/sensitive_documents/metadata.mdwn
+++ b/wiki/src/doc/sensitive_documents/metadata.mdwn
@@ -12,6 +12,10 @@ and company information to texts and spreadsheets.</li>
<p>You can use the <span
class="application"><a href="https://mat.boum.org">MAT</a></span> to
-clean the metadata from your files before publishing them.</p>
+clean the metadata from your files before publishing them. To redact
+the content of a PDF and strip metadatas from it, you can use <span
+class="application"><a
+href="https://github.com/firstlookmedia/pdf-redact-tools">pdf-redact-tools
+</a></span>.</p>
</div>