authorintrigeri <intrigeri@boum.org>2018-02-08 06:24:59 +0000
committerintrigeri <intrigeri@boum.org>2018-02-08 06:24:59 +0000
commitb8da8928e5da49500afa5ead40efc5d302576c06 (patch)
treeee1d9743783ea37910e195e2a3e93d3edbbf5ecf /config/chroot_local-includes/lib
parent6bab624c167adbcf37aedef7f594a53f337ffe5b (diff)
parent547bbdf40c21392a346b2fe80777b1080b7a461c (diff)
Merge remote-tracking branch 'origin/feature/12679-sandbox-firefox-content-renderers' into feature/14521-improve-UX-when-GDM-fails-to-start
Diffstat (limited to 'config/chroot_local-includes/lib')
-rw-r--r--config/chroot_local-includes/lib/systemd/system/tails-additional-software-install.service22
-rw-r--r--config/chroot_local-includes/lib/systemd/system/tails-additional-software-upgrade.path9
-rw-r--r--config/chroot_local-includes/lib/systemd/system/tails-additional-software-upgrade.service23
-rw-r--r--config/chroot_local-includes/lib/systemd/system/update-ca-certificates.service21
4 files changed, 54 insertions, 21 deletions
diff --git a/config/chroot_local-includes/lib/systemd/system/tails-additional-software-install.service b/config/chroot_local-includes/lib/systemd/system/tails-additional-software-install.service
new file mode 100644
index 0000000..4f57709
--- /dev/null
+++ b/config/chroot_local-includes/lib/systemd/system/tails-additional-software-install.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Install Additional Software Packages
+Documentation=https://tails.boum.org/contribute/design/persistence/
+ConditionFileNotEmpty=/live/persistence/TailsData_unlocked/live-additional-software.conf
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/tails-additional-software install
+ExecStartPost=/usr/bin/install -m 0644 -D /dev/null /run/live-additional-software/installed
+TimeoutStartSec=infinity
+PrivateDevices=yes
+PrivateTmp=yes
+# Capabilities needed by tails-additional-software
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+# Capabilities needed by apt/dpkg
+CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID
+ProtectSystem=no
+# Capabilities needed by tails-notify-user
+CapabilityBoundingSet=CAP_SYS_PTRACE CAP_AUDIT_WRITE CAP_SYS_RESOURCE
+ProtectHome=no
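Review bot: The bounding set in this [Service] block keeps CAP_SYS_PTRACE, CAP_SETUID and CAP_DAC_OVERRIDE together while `ProtectSystem=no` and `ProtectHome=no` leave the whole filesystem writable, so these directives record intent more than they confine a root process that runs package maintainer scripts. The two Protect* lines carry no rationale, and `ProtectSystem=no` sits in the middle of the capability groups. I would move both below the capability list and add a comment such as `# apt/dpkg write to /usr and /etc; tails-notify-user needs the user's session`, after confirming that is the actual reason. The `# Capabilities needed by tails-notify-user` comment should also say why CAP_SYS_PTRACE is required, since it is the broadest entry in the list. The same block is repeated in tails-additional-software-upgrade.service and the remark applies there as well.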
diff --git a/config/chroot_local-includes/lib/systemd/system/tails-additional-software-upgrade.path b/config/chroot_local-includes/lib/systemd/system/tails-additional-software-upgrade.path
new file mode 100644
index 0000000..27fa138
--- /dev/null
+++ b/config/chroot_local-includes/lib/systemd/system/tails-additional-software-upgrade.path
@@ -0,0 +1,9 @@
+[Unit]
+Description=Trigger upgrade of Additional Software Packages
+Documentation=https://tails.boum.org/contribute/design/persistence/
+After=tails-additional-software-install.service
+After=tor-has-bootstrapped.service
+ConditionFileNotEmpty=/live/persistence/TailsData_unlocked/live-additional-software.conf
+
+[Path]
+PathExists=/run/live-additional-software/installed
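Review bot: `PathExists=` is level-triggered, so as far as I can tell the only thing that keeps this unit from starting tails-additional-software-upgrade.service again is that service's `RemainAfterExit=yes`. If the upgrade fails, the service is no longer active while /run/live-additional-software/installed still exists, and the path unit may trigger it repeatedly. That coupling is not documented in either file; I would add a comment above `[Path]`, e.g. `# Level-triggered: relies on RemainAfterExit=yes in the .service to run once per boot`, and decide explicitly what should happen after a failed upgrade. The unit has no [Install] section, so whatever activates it lives outside this diff.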
diff --git a/config/chroot_local-includes/lib/systemd/system/tails-additional-software-upgrade.service b/config/chroot_local-includes/lib/systemd/system/tails-additional-software-upgrade.service
new file mode 100644
index 0000000..4d62e3b
--- /dev/null
+++ b/config/chroot_local-includes/lib/systemd/system/tails-additional-software-upgrade.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Upgrade Additional Software Packages
+Documentation=https://tails.boum.org/contribute/design/persistence/
+After=tails-additional-software-install.service
+After=tor-has-bootstrapped.service
+ConditionFileNotEmpty=/live/persistence/TailsData_unlocked/live-additional-software.conf
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/sbin/tails-additional-software upgrade
+TimeoutStartSec=infinity
+PrivateDevices=yes
+PrivateTmp=yes
+# Capabilities needed by tails-additional-software
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+# Capabilities needed by apt/dpkg
+CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_FSETID
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID
+ProtectSystem=no
+# Capabilities needed by tails-notify-user
+CapabilityBoundingSet=CAP_SYS_PTRACE CAP_AUDIT_WRITE CAP_SYS_RESOURCE
+ProtectHome=no
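Review bot: `After=tor-has-bootstrapped.service` only orders the two units and does not pull that unit in, so the upgrade waits for Tor only if tor-has-bootstrapped.service is already queued or active when the path unit fires; nothing visible in this diff guarantees that. If the upgrade must never run before Tor is ready, add `Wants=tor-has-bootstrapped.service` (or `Requires=`) next to the `After=` line, or a comment naming the unit that starts it. Because `TimeoutStartSec=infinity` removes systemd's own bound on the run, it is worth making the ordering guarantee explicit rather than implied.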
diff --git a/config/chroot_local-includes/lib/systemd/system/update-ca-certificates.service b/config/chroot_local-includes/lib/systemd/system/update-ca-certificates.service
deleted file mode 100644
index 90948da..0000000
--- a/config/chroot_local-includes/lib/systemd/system/update-ca-certificates.service
+++ /dev/null
@@ -1,21 +0,0 @@
-# We remove /etc/ssl/certs/java/cacert at build-time to ensure a
-# deterministic build, so we need to re-create it at boot time.
-
-[Unit]
-Description=Update /etc/ssl/certs and ca-certificates.crt
-After=local-fs.target systemd-tmpfiles-setup.service
-Before=systemd-user-sessions.service
-DefaultDependencies=no
-
-[Service]
-Type=oneshot
-ExecStart=/usr/sbin/update-ca-certificates --fresh
-RemainAfterExit=yes
-CapabilityBoundingSet=
-PrivateDevices=yes
-PrivateTmp=yes
-ProtectHome=yes
-ProtectSystem=yes
-
-[Install]
-WantedBy=multi-user.target