authorsajolida <sajolida@pimienta.org>2018-09-06 10:02:49 +0000
committersajolida <sajolida@pimienta.org>2018-09-06 10:02:49 +0000
commit7d452d39998b5543bacc53696a0897dd2906da4f (patch)
treea51c412b3dbd9b5f3a2100619d8b61d4eebcc78a /config/chroot_local-includes/etc
parentbda974fa5d21c9cb2ba54611687d78a1eb11a23f (diff)
parent3629361577a8af12247ec95a151ad3922cc2ecc5 (diff)
Merge remote-tracking branch 'origin/devel' into feature/15291-remove-softwarewip/feature/15291-remove-software-sajolida-experiment
Diffstat (limited to 'config/chroot_local-includes/etc')
-rw-r--r--config/chroot_local-includes/etc/apt/apt.conf.d/80tails-additional-software.disabled5
-rw-r--r--config/chroot_local-includes/etc/environment3
-rw-r--r--config/chroot_local-includes/etc/onion-grater.d/tor-browser.yml1
-rw-r--r--config/chroot_local-includes/etc/polkit-1/localauthority/10-vendor.d/org.boum.tails.pkla5
-rwxr-xr-xconfig/chroot_local-includes/etc/skel/Desktop/Report_an_error.desktop.in1
-rwxr-xr-xconfig/chroot_local-includes/etc/skel/Desktop/tails-documentation.desktop.in1
-rw-r--r--config/chroot_local-includes/etc/sudoers.d/zzz_persistence-setup2
-rw-r--r--config/chroot_local-includes/etc/thunderbird/pref/thunderbird.js19
-rw-r--r--config/chroot_local-includes/etc/tor-browser/profile/chrome/userChrome.css11
-rw-r--r--config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js94
-rw-r--r--config/chroot_local-includes/etc/tor-browser/profile/prefs.js3
-rw-r--r--config/chroot_local-includes/etc/udisks2/tcrypt.conf2
-rw-r--r--config/chroot_local-includes/etc/whisperback/config.py61
-rw-r--r--config/chroot_local-includes/etc/whisperback/debugging-info.json24
-rw-r--r--config/chroot_local-includes/etc/xul-ext/tor-launcher.js1
-rw-r--r--config/chroot_local-includes/etc/xul-ext/torbirdy.js2
16 files changed, 102 insertions, 133 deletions
diff --git a/config/chroot_local-includes/etc/apt/apt.conf.d/80tails-additional-software.disabled b/config/chroot_local-includes/etc/apt/apt.conf.d/80tails-additional-software.disabled
new file mode 100644
index 0000000..5a18b87
--- /dev/null
+++ b/config/chroot_local-includes/etc/apt/apt.conf.d/80tails-additional-software.disabled
@@ -0,0 +1,5 @@
+# This configuration should not run during Tails build. It is enabled in the
+# end of the build by /config/chroot_local-hooks/99-zz-install-ASP-DPKG-hooks
+DPkg::Pre-Install-Pkgs { "/usr/local/sbin/tails-additional-software apt-pre"; };
+DPkg::Post-Invoke { "/usr/local/sbin/tails-additional-software apt-post"; };
+DPkg::Tools::Options::/usr/local/sbin/tails-additional-software::Version "3";
diff --git a/config/chroot_local-includes/etc/environment b/config/chroot_local-includes/etc/environment
index 3782cc7..61b1165 100644
--- a/config/chroot_local-includes/etc/environment
+++ b/config/chroot_local-includes/etc/environment
@@ -8,3 +8,6 @@ MSVA_PORT='6136'
# Have Qt applications use the Adwaita theme
QT_STYLE_OVERRIDE=adwaita
+
+# Add our Python version independent search path
+PYTHONPATH=/usr/local/lib/python3/dist-packages
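Review bot: `PYTHONPATH` is read by every Python interpreter regardless of major version, so setting it in /etc/environment puts `/usr/local/lib/python3/dist-packages` on the import path of any Python 2 program as well as Python 3 ones. It also reaches every process that takes its environment from this file, which may include privileged helpers (not visible here). The comment on the added line should name the programs that need it and state that the directory must stay root-owned and not writable by other users, e.g. `# Needed by <consumer>; directory must be root-owned and not group/world-writable`. If only the project's own Python 3 scripts import from there, a `.pth` file in the Python 3 site directory would limit the change to that interpreter.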
diff --git a/config/chroot_local-includes/etc/onion-grater.d/tor-browser.yml b/config/chroot_local-includes/etc/onion-grater.d/tor-browser.yml
index 13d58a9..8ea9330 100644
--- a/config/chroot_local-includes/etc/onion-grater.d/tor-browser.yml
+++ b/config/chroot_local-includes/etc/onion-grater.d/tor-browser.yml
@@ -8,6 +8,7 @@
- 'NEWNYM'
GETINFO:
- 'circuit-status'
+ - 'net/listeners/socks'
- 'ns/id/[a-fA-F0-9]+'
- 'ip-to-country/\d+\.\d+\.\d+\.\d+'
confs:
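Review bot: The added `net/listeners/socks` entry widens what Tor Browser may ask the control port through the filter, but nothing on the line says why it is needed. A GETINFO for this key returns the addresses of Tor's SOCKS listeners. If the system Tor exposes separate SOCKS ports for other applications, the browser would learn those too, which should be confirmed as acceptable. I would add a comment above the entry such as `# <reason Tor Browser needs this>: returns Tor's SOCKS listener addresses`. The enclosing profile starts above the hunk.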
diff --git a/config/chroot_local-includes/etc/polkit-1/localauthority/10-vendor.d/org.boum.tails.pkla b/config/chroot_local-includes/etc/polkit-1/localauthority/10-vendor.d/org.boum.tails.pkla
index f5e258b..0cdd418 100644
--- a/config/chroot_local-includes/etc/polkit-1/localauthority/10-vendor.d/org.boum.tails.pkla
+++ b/config/chroot_local-includes/etc/polkit-1/localauthority/10-vendor.d/org.boum.tails.pkla
@@ -5,6 +5,11 @@ ResultAny=yes
ResultActive=yes
ResultInactive=yes
+[Mount storage devices]
+Identity=unix-user:tails-persistence-setup
+Action=org.freedesktop.udisks2.filesystem-mount
+ResultAny=yes
+
[Mount internal storage devices]
Identity=unix-user:tails-persistence-setup
Action=org.freedesktop.udisks2.filesystem-mount-system
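Review bot: The new `[Mount storage devices]` section sets only `ResultAny=yes`, whereas the section that ends just above it sets `ResultAny`, `ResultActive` and `ResultInactive`. If the omission is deliberate it deserves a comment; if not, add `ResultActive=yes` and `ResultInactive=yes` so the rule behaves the same for subjects in a local session. Note also that `org.freedesktop.udisks2.filesystem-mount` is not limited to the persistence volume, so tails-persistence-setup can now mount other storage devices without authentication. A comment naming the caller that needs this would help reviewers judge the scope. The following section continues past the hunk.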
diff --git a/config/chroot_local-includes/etc/skel/Desktop/Report_an_error.desktop.in b/config/chroot_local-includes/etc/skel/Desktop/Report_an_error.desktop.in
index 02311a7..fad85f9 100755
--- a/config/chroot_local-includes/etc/skel/Desktop/Report_an_error.desktop.in
+++ b/config/chroot_local-includes/etc/skel/Desktop/Report_an_error.desktop.in
@@ -6,3 +6,4 @@ Type=Application
Terminal=false
Exec=/usr/local/bin/tails-documentation support
Icon=/usr/share/pixmaps/whisperback.svg
+StartupNotify=true
diff --git a/config/chroot_local-includes/etc/skel/Desktop/tails-documentation.desktop.in b/config/chroot_local-includes/etc/skel/Desktop/tails-documentation.desktop.in
index f59204b..8aa0331 100755
--- a/config/chroot_local-includes/etc/skel/Desktop/tails-documentation.desktop.in
+++ b/config/chroot_local-includes/etc/skel/Desktop/tails-documentation.desktop.in
@@ -6,3 +6,4 @@ Type=Application
Terminal=false
Exec=/usr/local/bin/tails-documentation doc
Icon=/usr/share/icons/gnome/48x48/categories/system-help.png
+StartupNotify=true
diff --git a/config/chroot_local-includes/etc/sudoers.d/zzz_persistence-setup b/config/chroot_local-includes/etc/sudoers.d/zzz_persistence-setup
index 3186ada..2ed2aab 100644
--- a/config/chroot_local-includes/etc/sudoers.d/zzz_persistence-setup
+++ b/config/chroot_local-includes/etc/sudoers.d/zzz_persistence-setup
@@ -1,4 +1,4 @@
-Cmnd_Alias PERSISTENCE_SETUP = /usr/bin/tails-persistence-setup "", /usr/bin/tails-persistence-setup --verbose, /usr/bin/tails-persistence-setup --step delete, /usr/bin/tails-persistence-setup --step delete --verbose
+Cmnd_Alias PERSISTENCE_SETUP = /usr/bin/tails-persistence-setup "", /usr/bin/tails-persistence-setup --verbose, /usr/bin/tails-persistence-setup --step delete, /usr/bin/tails-persistence-setup --step delete --verbose, /usr/bin/tails-persistence-setup --force-enable-preset AdditionalSoftware
amnesia ALL = (tails-persistence-setup) NOPASSWD: PERSISTENCE_SETUP
tails-persistence-setup ALL = (root) NOPASSWD: /usr/bin/tails-fix-persistent-volume-permissions
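Review bot: The added alias entry lets `amnesia` run `tails-persistence-setup --force-enable-preset AdditionalSoftware` without a password, so any process in the desktop user's session can invoke it. Whether the tool still asks the user to confirm before changing the persistence configuration is not visible here and should be checked. sudoers matches the argument list exactly, which keeps the grant narrow, but the single-line alias is now hard to audit. I would split it with continuations, one command per line (starting `Cmnd_Alias PERSISTENCE_SETUP = /usr/bin/tails-persistence-setup "", \`), and add a comment naming the caller of the new entry.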
diff --git a/config/chroot_local-includes/etc/thunderbird/pref/thunderbird.js b/config/chroot_local-includes/etc/thunderbird/pref/thunderbird.js
index a835d89..7ae590b 100644
--- a/config/chroot_local-includes/etc/thunderbird/pref/thunderbird.js
+++ b/config/chroot_local-includes/etc/thunderbird/pref/thunderbird.js
@@ -40,21 +40,26 @@ pref("toolkit.telemetry.prompted", 2);
pref("toolkit.telemetry.rejected", true);
pref("toolkit.telemetry.enabled", false);
+// Only allow SSL channels when fetching from the ISP.
+pref("mailnews.auto_config.fetchFromISP.ssl_only", true);
// Only allow Thunderbird's automatic configuration wizard to use and
// configure secure (SSL/TLS) protocols. This is the Thunderbird default
// but let's be extra sure!
-pref("mailnews.auto_config.ssl_only", true);
+pref("mailnews.auto_config.account_constraints.ssl_only", true);
// Drop auto-fetched configurations using Oauth2 -- they do not work
// together with Torbirdy since it disables needed functionality (like
// JavaScript and cookies) in the embedded browser.
-pref("mailnews.auto_config.oauth2.enabled", false);
-// Disable MX lookup which is susceptible to MitM (without
-// DNSSEC). Note that the lookup is not done using the system
-// resolver, but over HTTPS to some DNS web service, but that web
-// service could still be targeted.
-pref("mailnews.auto_config.dns_mx_lookup.enabled", false);
+pref("mailnews.auto_config.account_constraints.allow_oauth2", false);
+// The timeout (in seconds) for each guess
+pref("mailnews.auto_config.guess.timeout", 30);
// We disable Memory Hole for encrypted email until support is more
// mature and widely spread (#15201).
pref("extensions.enigmail.protectedHeaders", 0);
pref("extensions.torbirdy.custom.extensions.enigmail.protectedHeaders", 0);
+
+// Don't decrypt subordinate message parts that otherwise might reveal
+// decrypted content to the attacker, i.e. the optional part of the fixes
+// for EFAIL.
+// Reference: https://www.thunderbird.net/en-US/thunderbird/52.9.1/releasenotes/
+pref("mailnews.p7m_subparts_external", true);
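Review bot: After this hunk nothing disables the autoconfig MX lookup any more: `mailnews.auto_config.dns_mx_lookup.enabled` and its rationale are removed, and the new `mailnews.auto_config.guess.timeout` is unrelated. If the Thunderbird version shipped here still performs that lookup, the exposure the removed comment described (a lookup through a DNS web service that could be targeted) comes back. Either keep the pref or add a comment saying why it is no longer needed. The comment `// The timeout (in seconds) for each guess` would also be more useful if it said why 30 was chosen. The file continues above the hunk.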
diff --git a/config/chroot_local-includes/etc/tor-browser/profile/chrome/userChrome.css b/config/chroot_local-includes/etc/tor-browser/profile/chrome/userChrome.css
index cc2c33f..4de8299 100644
--- a/config/chroot_local-includes/etc/tor-browser/profile/chrome/userChrome.css
+++ b/config/chroot_local-includes/etc/tor-browser/profile/chrome/userChrome.css
@@ -25,3 +25,14 @@
/* Hide HTTPS Everywhere button in the toolbar */
#https-everywhere-button { display: none; }
+
+/* Hide the uBlock sidebar, that's opened on first launch
+ References:
+ - https://github.com/gorhill/uBlock/releases/tag/1.16.6
+ - https://github.com/uBlock-LLC/uBlock/issues/1764 */
+vbox#sidebar-box[sidebarcommand="_UUID~ADDON_-sidebar-action"] {
+ display: none !important;
+}
+vbox#sidebar-box[sidebarcommand="ublock0_raymondhill_net-sidebar-action"] {
+ display: none !important;
+}
diff --git a/config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js b/config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js
deleted file mode 100644
index 8ff53e7..0000000
--- a/config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js
+++ /dev/null
@@ -1,94 +0,0 @@
-// As suggested in TBB's start-tor-browser script for system-wide Tor
-// instances
-pref("extensions.torbutton.banned_ports", "631,6136,4444,4445,6668,7656,7657,7658,7659,7660,8998,9040,9050,9062,9150,9051");
-pref("extensions.torbutton.custom.socks_host", "127.0.0.1");
-pref("extensions.torbutton.custom.socks_port", 9150);
-pref("extensions.torbutton.launch_warning", false);
-pref("extensions.torbutton.settings_method", "custom");
-pref("extensions.torbutton.socks_port", 9150);
-pref("extensions.torbutton.use_privoxy", false);
-
-// Tails-specific configuration below
-
-// Since the slider notification will be shown everytime at each Tails
-// boot, which is bad (nagging) UX, we disable it.
-pref("extensions.torbutton.show_slider_notification", false);
-
-// Disable the Tor Browser's automatic update checking
-pref("app.update.enabled", false);
-
-// Suppress prompt and always spoof useragent as English
-pref("extensions.torbutton.spoof_english", true);
-pref("extensions.torbutton.prompted_language", true);
-
-// Block read and write access to the history in non-Tor mode
-pref("extensions.torbutton.block_nthread", true);
-pref("extensions.torbutton.block_nthwrite", true);
-
-// Tails-specific Torbutton preferences
-pref("extensions.torbutton.block_tforms", false);
-pref("extensions.torbutton.display_panel", false);
-pref("extensions.torbutton.lastUpdateCheck", "9999999999.999");
-pref("extensions.torbutton.no_updates", true);
-pref("extensions.torbutton.nonontor_sessionstore", true);
-pref("extensions.torbutton.nontor_memory_jar", true);
-pref("extensions.torbutton.startup", true);
-pref("extensions.torbutton.startup_state", 1);
-pref("extensions.torbutton.test_enabled", false); // Tails-specific
-pref("extensions.torbutton.tor_memory_jar", true);
-pref("extensions.torbutton.control_port", 9051);
-
-// Not setting this prevents some add-on GUI elements from appearing
-// on the first run of the browser, e.g. uBlock Origin's button.
-pref("extensions.torbutton.inserted_button", true);
-
-// These must be set to the same value to prevent Torbutton from
-// flashing its upgrade notification.
-pref("extensions.torbutton.lastBrowserVersion", "Tails");
-pref("torbrowser.version", "Tails");
-
-// Quoting TBB: "Now handled by plugins.click_to_play"
-// Tails: we don't support these plugins, so letting NoScript block it seems
-// to be potentially useful defense-in-depth.
-pref("noscript.forbidFlash", true);
-pref("noscript.forbidSilverlight", true);
-pref("noscript.forbidJava", true);
-pref("noscript.forbidPlugins", true);
-
-// Other Tails-specific NoScript preferences
-pref("noscript.untrusted", "google-analytics.com");
-
-// Other non-Torbutton, Tails-specific prefs
-pref("browser.download.dir", "/home/amnesia/Tor Browser");
-pref("dom.input.fallbackUploadDir", "/home/amnesia/Tor Browser");
-pref("print.print_to_filename", "/home/amnesia/Tor Browser/output.pdf");
-pref("browser.download.folderList", 2);
-pref("browser.download.manager.closeWhenDone", true);
-pref("extensions.update.enabled", false);
-pref("layout.spellcheckDefault", 0);
-pref("network.dns.disableIPv6", true);
-pref("security.warn_submit_insecure", true);
-
-// Disable fetching of the new tab page's Tiles links/ads. Ads are
-// generally unwanted, and also the fetching is a "phone home" type of
-// feature that generates traffic at least the first time the browser
-// is started.
-pref("browser.newtabpage.directory.source", "");
-pref("browser.newtabpage.directory.ping", "");
-// ... and disable the explanation shown the first time
-pref("browser.newtabpage.introShown", true);
-
-// Don't use geographically specific search prefs, like
-// browser.search.*.US for US locales. Our generated localization
-// profiles localizes search-engines in an incompatible but equivalent
-// way.
-pref("browser.search.geoSpecificDefaults", false);
-
-// Without setting this, the Download Management page will not update
-// the progress being made.
-pref("browser.download.panel.shown", true);
-
-// Given our AppArmor sandboxing, Tor Browser will not be allowed to
-// open external applications, so let's not offer the option to the user,
-// and instead only propose them to save downloaded files.
-pref("browser.download.forbid_open_with", true);
diff --git a/config/chroot_local-includes/etc/tor-browser/profile/prefs.js b/config/chroot_local-includes/etc/tor-browser/profile/prefs.js
new file mode 100644
index 0000000..d904749
--- /dev/null
+++ b/config/chroot_local-includes/etc/tor-browser/profile/prefs.js
@@ -0,0 +1,3 @@
+// Prefs that *need* to be here because they are not honored
+// if we set them via /usr/share/tails/tor-browser-prefs.js
+user_pref("extensions.torbutton.launch_warning", false);
diff --git a/config/chroot_local-includes/etc/udisks2/tcrypt.conf b/config/chroot_local-includes/etc/udisks2/tcrypt.conf
new file mode 100644
index 0000000..a350fdc
--- /dev/null
+++ b/config/chroot_local-includes/etc/udisks2/tcrypt.conf
@@ -0,0 +1,2 @@
+# This flag file needs to exist in order to activate VeraCrypt detection
+# heuristics in udisks. Its content does not matter.
diff --git a/config/chroot_local-includes/etc/whisperback/config.py b/config/chroot_local-includes/etc/whisperback/config.py
index fe5bc85..32ee87d 100644
--- a/config/chroot_local-includes/etc/whisperback/config.py
+++ b/config/chroot_local-includes/etc/whisperback/config.py
@@ -18,6 +18,7 @@ import gettext
# DOCUMENTATION
+
def __get_localised_doc_link():
"""Return the link to the localised documentation
@@ -49,18 +50,20 @@ def __get_localised_doc_link():
localised_doc_language = 'en'
return ("file:///usr/share/doc/tails/website/doc/first_steps/bug_reporting." +
- localised_doc_language +
- ".html")
+ localised_doc_language +
+ ".html")
+
def _(string):
try:
encoded = gettext.translation("tails", "/usr/share/locale").lgettext(string)
- string = encoded.decode('utf-8')
+ string = encoded.decode('utf-8')
except IOError:
pass
finally:
return string
+
# The right panel help (HTML string)
html_help = _(
"""<h1>Help us fix your bug!</h1>
@@ -92,7 +95,7 @@ gnupg_keyring = "/usr/share/keyrings/whisperback-keyring.gpg"
# The address of the recipient
to_address = "tails-bugs@boum.org"
-# The fingerprint of the recipient's GPG key
+# The fingerprint of the recipient's GPG key
to_fingerprint = "1F56EDD30741048035DAC1C5EC57B56EF0C43132"
# SENDER
@@ -132,47 +135,49 @@ socks_port = 9062
# Please take into account that this will not be encrypted
mail_subject = "Bug report: %x" % random.randrange(16**32)
-# A callback function to get information to prepend to the mail
-# (this information will be encrypted). This is useful to add
-# software version.
-#
-# It should not take any parameter, and should return a string to be
-# preprended to the email
+
def mail_prepended_info():
"""Returns the version of the running Tails system
-
+ A callback function to get information to prepend to the mail
+ (this information will be encrypted). This is useful to add
+ software version.
+
+ It should not take any parameter, and should return a string to be
+ preprended to the email
+
@return The output of tails-version, if any, or an English string
explaining the error
"""
-
+
try:
- tails_version_process = subprocess.Popen ("tails-version",
+ tails_version_process = subprocess.Popen("tails-version",
stdout=subprocess.PIPE)
- tails_version_process.wait()
- tails_version = tails_version_process.stdout.read().decode('utf-8')
+ tails_version_process.wait()
+ tails_version = tails_version_process.stdout.read().decode('utf-8')
except OSError:
- tails_version = "tails-version command not found"
+ tails_version = "tails-version command not found"
except subprocess.CalledProcessError:
- tails_version = "tails-version returned an error"
-
+ tails_version = "tails-version returned an error"
+
return "Tails-Version: %s\n" % tails_version
-# A callback function to get information to append to the email
-# (this information will be encrypted). This is useful to add
-# configuration files useful for debugging.
-#
-# It should not take any parameter, and should return a string to be
-# appended to the email
+
def mail_appended_info():
"""Returns debugging information on the running Tails system
-
- @return a long string containing debugging information
+ A callback function to get information to append to the email
+ (this information will be encrypted). This is useful to add
+ configuration files useful for debugging.
+
+ It should not take any parameter, and should return a string serialized
+ json to be deserialized to append infos to the email
+
+ @return a string containing serialized json with debugging information
"""
debugging_info = ""
try:
- process = subprocess.Popen (["sudo", "/usr/local/sbin/tails-debugging-info"],
- stdout=subprocess.PIPE)
+ process = subprocess.Popen(["sudo", "/usr/local/sbin/tails-debugging-info"],
+ stdout=subprocess.PIPE)
for line in process.stdout:
debugging_info += re.sub(r'^--\s*', '', line.decode('utf-8'))
process.wait()
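Review bot: In `mail_prepended_info` the re-indented lines still call `wait()` before reading the pipe and never check the exit status. The `except subprocess.CalledProcessError` branch therefore cannot be reached, since `Popen` does not raise it, and a failing tails-version yields an empty version string. `tails_version = subprocess.check_output(["tails-version"]).decode('utf-8')` would replace the three lines, raise on a non-zero exit and avoid blocking on a full pipe. The command is also resolved through PATH, while `mail_appended_info` uses an absolute path; using one here as well would be consistent. The new docstring of `mail_appended_info` promises serialized JSON, but its body continues past the hunk, so that cannot be confirmed from here.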
diff --git a/config/chroot_local-includes/etc/whisperback/debugging-info.json b/config/chroot_local-includes/etc/whisperback/debugging-info.json
new file mode 100644
index 0000000..586bf93
--- /dev/null
+++ b/config/chroot_local-includes/etc/whisperback/debugging-info.json
@@ -0,0 +1,24 @@
+[
+["file", {"user": "root", "path": "/proc/cmdline"}],
+["command", {"args": ["/usr/sbin/dmidecode", "-s", "system-manufacturer"]}],
+["command", {"args": ["/usr/sbin/dmidecode", "-s", "system-product-name"]}],
+["command", {"args": ["/usr/sbin/dmidecode", "-s", "system-version"]}],
+["command", {"args": ["/usr/bin/lspci", "-nn"]}],
+["command", {"args": ["/bin/df", "--human-readable", "--print-type"]}],
+["command", {"args": ["/bin/mount", "--show-labels"]}],
+["command", {"args": ["/bin/lsmod"]}],
+["file", {"user": "root", "path": "/proc/asound/cards"}],
+["file", {"user": "root", "path": "/proc/asound/devices"}],
+["file", {"user": "root", "path": "/proc/asound/modules"}],
+["file", {"user": "root", "path": "/etc/X11/xorg.conf"}],
+["file", {"user": "Debian-gdm", "path": "/var/log/gdm3/tails-greeter.errors"}],
+["file", {"user": "root", "path": "/var/log/live/boot.log"}],
+["file", {"user": "root", "path": "/var/log/live/config.log"}],
+["file", {"user": "root", "path": "/var/lib/live/config/tails.physical_security"}],
+["file", {"user": "root", "path": "/var/lib/gdm3/tails.persistence"}],
+["file", {"user": "tails-persistence-setup", "path": "/live/persistence/TailsData_unlocked/persistence.conf"}],
+["file", {"user": "tails-persistence-setup", "path": "/live/persistence/TailsData_unlocked/live-additional-software.conf"}],
+["directory", {"user": "root", "path": "/live/persistence/TailsData_unlocked/apt-sources.list.d"}],
+["file", {"user": "root", "path": "/var/log/live-persist"}],
+["command", {"args": ["/bin/journalctl", "--catalog", "--no-pager"]}]
+]
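Review bot: This list decides which files are read and which commands are run when a bug report is assembled, and the collector shown in config.py is started through sudo. Assuming that collector is what parses this file, it must remain root-owned and not writable by other users; the diff records mode 100644 but the owner is not visible. `journalctl --catalog --no-pager` has no time or unit bound and will include the whole journal, which can hold far more than a bug report needs, so confirm that the output is sanitized before sending. JSON has no comment syntax, so the rationale for each entry should go into the collector's documentation.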
diff --git a/config/chroot_local-includes/etc/xul-ext/tor-launcher.js b/config/chroot_local-includes/etc/xul-ext/tor-launcher.js
deleted file mode 100644
index 2775bba..0000000
--- a/config/chroot_local-includes/etc/xul-ext/tor-launcher.js
+++ /dev/null
@@ -1 +0,0 @@
-pref("extensions.torlauncher.transportproxy_path", "/usr/bin/obfs4proxy");
diff --git a/config/chroot_local-includes/etc/xul-ext/torbirdy.js b/config/chroot_local-includes/etc/xul-ext/torbirdy.js
deleted file mode 100644
index a6b3e40..0000000
--- a/config/chroot_local-includes/etc/xul-ext/torbirdy.js
+++ /dev/null
@@ -1,2 +0,0 @@
-pref("extensions.torbirdy.emailwizard", true);
-pref("extensions.torbirdy.gpg_already_torified", true);