authorTails developers <amnesia@boum.org>2015-02-10 19:23:16 +0100
committerTails developers <amnesia@boum.org>2015-02-10 19:23:16 +0100
commit3ce737a0bd2c27f7c04265f6423954c78e28621f (patch)
treea3d54b103cdc2599199ac977d877432442130e24 /config
parentc177a22d76c6643b2a8011eec32dd94b668e9200 (diff)
parenta3f460e38e273d69abbb691b585fa9782e0cbd7c (diff)
Merge remote-tracking branch 'origin/feature/5525-sandbox-web-browser' into devel
Fix-committed: #5525
Diffstat (limited to 'config')
-rwxr-xr-xconfig/chroot_local-hooks/19-install-tor-browser-AppArmor-profile48
-rw-r--r--config/chroot_local-includes/etc/asound.conf16
-rw-r--r--config/chroot_local-includes/etc/skel/.gnome2/accels/.placeholder0
-rw-r--r--config/chroot_local-includes/etc/skel/.gnome2_private/.placeholder0
-rw-r--r--config/chroot_local-includes/etc/skel/.purple/prefs.xml2
-rw-r--r--config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js2
-rw-r--r--config/chroot_local-includes/etc/xdg/autostart/add-GNOME-bookmarks.desktop10
-rw-r--r--config/chroot_local-includes/etc/xdg/autostart/add-bookmark-for-persistent-directory.desktop10
-rw-r--r--config/chroot_local-includes/etc/xdg/autostart/create-tor-browser-directories.desktop10
-rwxr-xr-xconfig/chroot_local-includes/usr/local/bin/tails-add-bookmark-for-persistent-directory7
-rwxr-xr-xconfig/chroot_local-includes/usr/local/lib/add-GNOME-bookmarks28
-rwxr-xr-xconfig/chroot_local-includes/usr/local/lib/create-tor-browser-directories15
-rw-r--r--config/chroot_local-includes/usr/local/lib/tails-shell-library/tails-greeter.sh9
-rw-r--r--config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch124
-rw-r--r--config/chroot_local-packageslists/tails-common.list1
15 files changed, 264 insertions, 18 deletions
diff --git a/config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile b/config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile
new file mode 100755
index 0000000..91fe2ab
--- /dev/null
+++ b/config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -e
+
+echo "Installing AppArmor profile for Tor Browser"
+
+PATCH='/usr/share/tails/torbrowser-AppArmor-profile.patch'
+PROFILE='/etc/apparmor.d/torbrowser'
+
+### Functions
+
+toggle_src_APT_sources() {
+ MODE="$1"
+ TEMP_APT_SOURCES='/etc/apt/sources.list.d/tmp-deb-src.list'
+
+ case "$MODE" in
+ on)
+ cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list \
+ | sed --regexp-extended -e 's,^deb(\s+),deb-src\1,' \
+ > "$TEMP_APT_SOURCES"
+ ;;
+ off)
+ rm "$TEMP_APT_SOURCES"
+ ;;
+ esac
+
+ apt-get --yes update
+}
+
+install_torbrowser_AppArmor_profile() {
+ tmpdir="$(mktemp -d)"
+ (
+ cd "$tmpdir"
+ apt-get source torbrowser-launcher/testing
+ install -m 0644 \
+ torbrowser-launcher-*/apparmor/torbrowser.Browser.firefox \
+ "$PROFILE"
+ )
+ rm -r "$tmpdir"
+}
+
+### Main
+
+toggle_src_APT_sources on
+install_torbrowser_AppArmor_profile
+toggle_src_APT_sources off
+patch --forward --batch "$PROFILE" < "$PATCH"
+rm "$PATCH"
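Review bot: `patch --forward --batch "$PROFILE" < "$PATCH"` on the second-to-last line applies the confinement patch with patch's default fuzz factor, so an upstream profile that drifts a little still builds, but with the hunks of a security profile placed by fuzzy matching; `patch --forward --batch --fuzz=0 "$PROFILE" < "$PATCH"` turns such drift into a build failure, which is the safer outcome for a policy file. The directory from `mktemp -d` and the deb-src list written by `toggle_src_APT_sources on` are removed only on the success path; under `set -e` a failing `apt-get source` leaves both behind, and a `trap '...' EXIT` that removes `$tmpdir` and `/etc/apt/sources.list.d/tmp-deb-src.list` would cover that path too. Since this is a build hook, a failure presumably aborts the whole image build, so the leak is mostly a hygiene point, but the trap is cheap.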
diff --git a/config/chroot_local-includes/etc/asound.conf b/config/chroot_local-includes/etc/asound.conf
new file mode 100644
index 0000000..d8eb4cf
--- /dev/null
+++ b/config/chroot_local-includes/etc/asound.conf
@@ -0,0 +1,16 @@
+# Use PulseAudio by default
+pcm.!default {
+ type pulse
+ fallback "sysdefault"
+ hint {
+ show on
+ description "Default ALSA Output (currently PulseAudio Sound Server)"
+ }
+}
+
+ctl.!default {
+ type pulse
+ fallback "sysdefault"
+}
+
+# vim:set ft=alsaconf:
diff --git a/config/chroot_local-includes/etc/skel/.gnome2/accels/.placeholder b/config/chroot_local-includes/etc/skel/.gnome2/accels/.placeholder
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/config/chroot_local-includes/etc/skel/.gnome2/accels/.placeholder
diff --git a/config/chroot_local-includes/etc/skel/.gnome2_private/.placeholder b/config/chroot_local-includes/etc/skel/.gnome2_private/.placeholder
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/config/chroot_local-includes/etc/skel/.gnome2_private/.placeholder
diff --git a/config/chroot_local-includes/etc/skel/.purple/prefs.xml b/config/chroot_local-includes/etc/skel/.purple/prefs.xml
index b268433..94fa8df 100644
--- a/config/chroot_local-includes/etc/skel/.purple/prefs.xml
+++ b/config/chroot_local-includes/etc/skel/.purple/prefs.xml
@@ -231,7 +231,7 @@
</pref>
<pref name='pidgin'>
<pref name='browsers'>
- <pref name='command' type='path' value='sensible-browser'/>
+ <pref name='manual_command' type='string' value='/usr/local/bin/tor-browser %s'/>
<pref name='browser' type='string' value='custom'/>
<pref name='place' type='int' value='0'/>
</pref>
diff --git a/config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js b/config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js
index 2b64498..1a66eb5 100644
--- a/config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js
+++ b/config/chroot_local-includes/etc/tor-browser/profile/preferences/0000tails.js
@@ -59,6 +59,8 @@ pref("noscript.forbidPlugins", true);
pref("noscript.untrusted", "google-analytics.com");
// Other non-Torbutton, Tails-specific prefs
+pref("browser.download.dir", "/home/amnesia/Tor Browser");
+pref("browser.download.folderList", 2);
pref("browser.download.manager.closeWhenDone", true);
pref("extensions.update.enabled", false);
pref("layout.spellcheckDefault", 0);
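Review bot: The two new prefs carry no comment tying them to the rest of the change: `browser.download.folderList` set to 2 makes Firefox use the directory named in `browser.download.dir`, and `/home/amnesia/Tor Browser` is the download location the new AppArmor profile grants `owner ... rw` on, so the path has to stay in sync with torbrowser-AppArmor-profile.patch and with create-tor-browser-directories. A comment such as `// Downloads must land in the directory the AppArmor profile allows writes to; keep in sync with torbrowser-AppArmor-profile.patch` above the two lines would record that coupling. Firefox prefs cannot expand `$HOME`, so the hardcoded path is presumably deliberate, while the helper scripts in this commit use `${HOME}`; worth stating so a later reader does not "fix" one side only.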
diff --git a/config/chroot_local-includes/etc/xdg/autostart/add-GNOME-bookmarks.desktop b/config/chroot_local-includes/etc/xdg/autostart/add-GNOME-bookmarks.desktop
new file mode 100644
index 0000000..2e83c5b
--- /dev/null
+++ b/config/chroot_local-includes/etc/xdg/autostart/add-GNOME-bookmarks.desktop
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=add-GNOME-bookmarks
+GenericName=add GTK bookmarks to some directories
+Comment=display some directories in Places and GtkFileChooser
+Exec=/usr/local/lib/add-GNOME-bookmarks
+Terminal=false
+Type=Application
+Categories=GNOME;X-GNOME-PersonalSettings;
+NoDisplay=true
+MimeType=application/x-add-GNOME-bookmarks;
diff --git a/config/chroot_local-includes/etc/xdg/autostart/add-bookmark-for-persistent-directory.desktop b/config/chroot_local-includes/etc/xdg/autostart/add-bookmark-for-persistent-directory.desktop
deleted file mode 100644
index a185290..0000000
--- a/config/chroot_local-includes/etc/xdg/autostart/add-bookmark-for-persistent-directory.desktop
+++ /dev/null
@@ -1,10 +0,0 @@
-[Desktop Entry]
-Name=tails-add-bookmark-for-persistent-directory
-GenericName=add GTK bookmark to Persistent directory
-Comment=display Persistent directory in Places and GtkFileChooser
-Exec=/usr/local/bin/tails-add-bookmark-for-persistent-directory
-Terminal=false
-Type=Application
-Categories=GNOME;X-GNOME-PersonalSettings;
-NoDisplay=true
-MimeType=application/x-tails-add-bookmark-for-persistent-directory;
diff --git a/config/chroot_local-includes/etc/xdg/autostart/create-tor-browser-directories.desktop b/config/chroot_local-includes/etc/xdg/autostart/create-tor-browser-directories.desktop
new file mode 100644
index 0000000..349743e
--- /dev/null
+++ b/config/chroot_local-includes/etc/xdg/autostart/create-tor-browser-directories.desktop
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=create-tor-browser-directories
+GenericName=Create the Tor Browser directories
+Comment=Create the Tor Browser amnesiac and persistent directories
+Exec=/usr/local/lib/create-tor-browser-directories
+Terminal=false
+Type=Application
+Categories=GNOME;X-GNOME-PersonalSettings;
+NoDisplay=true
+MimeType=application/x-create-tor-browser-directories;
diff --git a/config/chroot_local-includes/usr/local/bin/tails-add-bookmark-for-persistent-directory b/config/chroot_local-includes/usr/local/bin/tails-add-bookmark-for-persistent-directory
deleted file mode 100755
index c652f76..0000000
--- a/config/chroot_local-includes/usr/local/bin/tails-add-bookmark-for-persistent-directory
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-
-PERSISTENT_DIRECTORY="${HOME}/Persistent"
-
-if mountpoint -q "$PERSISTENT_DIRECTORY" 2>/dev/null ; then
- echo "file://$PERSISTENT_DIRECTORY" >> "${HOME}/.gtk-bookmarks"
-fi
diff --git a/config/chroot_local-includes/usr/local/lib/add-GNOME-bookmarks b/config/chroot_local-includes/usr/local/lib/add-GNOME-bookmarks
new file mode 100755
index 0000000..77bf41f
--- /dev/null
+++ b/config/chroot_local-includes/usr/local/lib/add-GNOME-bookmarks
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -eu
+
+. /usr/local/lib/tails-shell-library/tails-greeter.sh
+
+add_gtk_bookmark_for() {
+ local target
+ target=$(echo "$1" | sed 's, ,%20,g')
+
+ if [ $# -ge 2 ]; then
+ title="$2"
+ echo "file://$target $title" >> "${HOME}/.gtk-bookmarks"
+ else
+ echo "file://$target" >> "${HOME}/.gtk-bookmarks"
+ fi
+}
+
+add_gtk_bookmark_for "${HOME}/Tor Browser"
+
+if persistence_is_enabled_for "${HOME}/Persistent" ; then
+ add_gtk_bookmark_for "${HOME}/Persistent"
+
+ if persistence_is_enabled_read_write ; then
+ add_gtk_bookmark_for "${HOME}/Persistent/Tor Browser" \
+ "Tor Browser (persistent)"
+ fi
+fi
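Review bot: `title="$2"` inside add_gtk_bookmark_for is not declared `local` while `target` is, so it leaks into the script's global scope; `local target title` on the declaration line fixes this. The `sed 's, ,%20,g'` on the line before percent-encodes only spaces, which is enough for the fixed paths passed below but would yield a malformed `file://` URI if `${HOME}` ever contained `%`, `#` or `?`; a comment such as `# only spaces are encoded; callers pass paths under ${HOME}` would make that assumption explicit. The script is `#!/bin/sh` and relies on `local`, which dash provides but POSIX does not mandate.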
diff --git a/config/chroot_local-includes/usr/local/lib/create-tor-browser-directories b/config/chroot_local-includes/usr/local/lib/create-tor-browser-directories
new file mode 100755
index 0000000..e1fe2c3
--- /dev/null
+++ b/config/chroot_local-includes/usr/local/lib/create-tor-browser-directories
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -eu
+
+TOR_BROWSER_AMNESIAC_DIR='/home/amnesia/Tor Browser'
+TOR_BROWSER_PERSISTENT_DIR='/home/amnesia/Persistent/Tor Browser'
+
+. /usr/local/lib/tails-shell-library/tails-greeter.sh
+
+install -d -o amnesia -g amnesia -m 0700 "$TOR_BROWSER_AMNESIAC_DIR"
+
+if persistence_is_enabled_for "${HOME}/Persistent" && \
+ persistence_is_enabled_read_write ; then
+ install -d -o amnesia -g amnesia -m 0700 "$TOR_BROWSER_PERSISTENT_DIR"
+fi
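Review bot: The persistence check uses `"${HOME}/Persistent"` while the directories being created are hardcoded to `/home/amnesia/...`, so if the two ever differed the script would test one tree and create under another. Deriving both from one base, e.g. `TOR_BROWSER_PERSISTENT_DIR="${HOME}/Persistent/Tor Browser"` and `TOR_BROWSER_AMNESIAC_DIR="${HOME}/Tor Browser"`, keeps them in step; if the literal path is required to match the AppArmor profile and the Firefox pref, a comment saying so would prevent a later mismatch. `install -o amnesia -g amnesia` presumably relies on the script running as that user from XDG autostart (chown to oneself succeeds without root); a one-line comment noting that expectation would help.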
diff --git a/config/chroot_local-includes/usr/local/lib/tails-shell-library/tails-greeter.sh b/config/chroot_local-includes/usr/local/lib/tails-shell-library/tails-greeter.sh
index 31e25d3..9c301f1 100644
--- a/config/chroot_local-includes/usr/local/lib/tails-shell-library/tails-greeter.sh
+++ b/config/chroot_local-includes/usr/local/lib/tails-shell-library/tails-greeter.sh
@@ -14,6 +14,15 @@ persistence_is_enabled() {
[ "$(_get_tg_setting "${PERSISTENCE_STATE}" TAILS_PERSISTENCE_ENABLED)" = true ]
}
+persistence_is_enabled_for() {
+ persistence_is_enabled && mountpoint -q "$1" 2>/dev/null
+}
+
+persistence_is_enabled_read_write() {
+ persistence_is_enabled && \
+ [ "$(_get_tg_setting "${PERSISTENCE_STATE}" TAILS_PERSISTENCE_READONLY)" != true ]
+}
+
mac_spoof_is_enabled() {
# Only return false when explicitly told so to increase failure
# safety.
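Review bot: `persistence_is_enabled_read_write` returns true whenever TAILS_PERSISTENCE_READONLY is absent or anything other than `true`, i.e. a missing setting is treated as read-write, which is the opposite default from `mac_spoof_is_enabled` just below ("Only return false when explicitly told so"). Neither new function has a comment; `# True when persistence is enabled and $1 is a mount point` on persistence_is_enabled_for and `# True when persistence is enabled and not explicitly marked read-only (missing setting counts as read-write)` on persistence_is_enabled_read_write would document the contract and the default. As far as this commit shows, the read-write check only gates creating a directory and a bookmark, so the consequence of the default is a failed `install -d` rather than a policy gap.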
diff --git a/config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch b/config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch
new file mode 100644
index 0000000..d6f8bf6
--- /dev/null
+++ b/config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch
@@ -0,0 +1,124 @@
+diff --git a/apparmor/torbrowser.Browser.firefox b/apparmor/torbrowser.Browser.firefox
+index 0df7ad9..ae26e61 100644
+--- a/apparmor/torbrowser.Browser.firefox
++++ b/apparmor/torbrowser.Browser.firefox
+@@ -1,13 +1,15 @@
+ # Last modified
+ #include <tunables/global>
+
+-/home/*/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox {
++/usr/local/lib/tor-browser/firefox {
+ #include <abstractions/gnome>
++ #include <abstractions/gstreamer>
++ #include <abstractions/ibus>
+
+ # Uncomment the following line if you don't want the Tor Browser
+ # to have direct access to your sound hardware. Note that this is not
+ # enough to have working sound support in Tor Browser.
+- # #include <abstractions/audio>
++ #include <abstractions/audio>
+
+ # Uncomment the following lines if you want to give the Tor Browser read-write
+ # access to most of your personal files.
+@@ -17,40 +19,52 @@
+ #dbus,
+ network tcp,
+
++ /etc/asound.conf r,
+ deny /etc/host.conf r,
+- deny /etc/hosts r,
+- deny /etc/nsswitch.conf r,
++ /etc/hosts r,
++ /etc/nsswitch.conf r,
+ deny /etc/resolv.conf r,
+- deny /etc/passwd r,
+- deny /etc/group r,
++ /etc/passwd r,
++ /etc/group r,
+ deny /etc/mailcap r,
++ deny @{HOME}/.local/share/gvfs-metadata/home r,
++ deny /run/resolvconf/resolv.conf r,
+
+- deny /etc/machine-id r,
+- deny /var/lib/dbus/machine-id r,
++ /etc/machine-id r,
++ /var/lib/dbus/machine-id r,
+
+ @{PROC}/[0-9]*/mountinfo r,
+ @{PROC}/[0-9]*/stat r,
+ @{PROC}/[0-9]*/task/*/stat r,
+ @{PROC}/sys/kernel/random/uuid r,
+
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/ r,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/* r,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/.** rwk,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/.** rwk,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/ r,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** r,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/*.so mr,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/components/*.so mr,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/browser/components/*.so mr,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/firefox rix,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profiles.ini r,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/ r,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Data/Browser/profile.default/** rwk,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/TorBrowser/,}Tor/tor Px,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/,}Desktop/ rw,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/,}Desktop/** rwk,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/,}Downloads/ rw,
+- owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/{Browser/,}Downloads/** rwk,
++ /usr/local/lib/tor-browser/ r,
++ /usr/local/lib/tor-browser/** r,
++ /usr/local/lib/tor-browser/*.so{,.6} mr,
++ /usr/local/lib/tor-browser/**/*.so mr,
++ /usr/local/lib/tor-browser/browser/* r,
++ /usr/local/lib/tor-browser/TorBrowser/Data/Browser/profiles.ini r,
++
++ owner "@{HOME}/Tor Browser/" rw,
++ owner "@{HOME}/Tor Browser/**" rwk,
++ owner "@{HOME}/Persistent/Tor Browser/" rw,
++ owner "@{HOME}/Persistent/Tor Browser/**" rwk,
++ owner "/live/persistence/TailsData_unlocked/Persistent/Tor Browser/" rw,
++ owner "/live/persistence/TailsData_unlocked/Persistent/Tor Browser/**" rwk,
++ owner @{HOME}/.mozilla/firefox/bookmarks/places.sqlite rwk,
++ owner /live/persistence/TailsData_unlocked/bookmarks/places.sqlite rwk,
++ owner @{HOME}/.tor-browser/profile.default/ r,
++ owner @{HOME}/.tor-browser/profile.default/** rwk,
++
++ /etc/xul-ext/ r,
++ /etc/xul-ext/** r,
++ /usr/local/share/tor-browser-extensions/ r,
++ /usr/local/share/tor-browser-extensions/** rk,
++ /usr/share/xul-ext/ r,
++ /usr/share/xul-ext/** r,
++
++ /usr/share/doc/tails/website/ r,
++ /usr/share/doc/tails/website/** r,
+
+ /etc/mailcap r,
+ /etc/mime.types r,
+@@ -65,6 +79,7 @@
+
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/cpu/present r,
++ deny /sys/devices/virtual/block/*/uevent r,
+
+ # Should use abstractions/gstreamer instead once merged upstream
+ /etc/udev/udev.conf r,
+@@ -72,6 +87,16 @@
+ /sys/devices/pci[0-9]*/**/uevent r,
+ owner /{dev,run}/shm/shmfd-* rw,
+
++ /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Cix -> gst_plugin_scanner,
++ owner @{HOME}/.gstreamer*/ rw,
++ owner @{HOME}/.gstreamer*/** rw,
++ owner @{PROC}/[0-9]*/fd/ r,
++
++ deny /usr/bin/pulseaudio x,
++
++ /usr/local/lib/tor-browser/firefox Pix,
++ /usr/bin/seahorse-tool Ux,
++
+ # KDE 4
+ owner @{HOME}/.kde/share/config/* r,
+
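Review bot: `/usr/bin/seahorse-tool Ux` on the new side runs that helper with no confinement at all (Ux only scrubs the environment), so the browser profile's restrictions end at that exec, and the line carries no comment saying what requires it; a comment such as `# seahorse-tool runs unconfined because <reason>; a child profile (Cx) would be preferable` with the reason filled in, or a dedicated profile, is what a reviewer would expect for a rule that wide. The same hunk lifts upstream denials on `/etc/hosts`, `/etc/nsswitch.conf`, `/etc/passwd`, `/etc/group` and both machine-id files without recording why; machine-id in particular is a stable host identifier, so a one-line comment per group of flipped rules (`# needed on Tails for <reason>, see #5525`) would let future rebases of this patch distinguish deliberate policy from leftovers. The patch also enables `#include <abstractions/audio>` together with `deny /usr/bin/pulseaudio x` and `/etc/asound.conf r`, presumably so sound is routed through PulseAudio via the new asound.conf; stating that in the profile would explain why audio and the pulseaudio deny appear together.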
diff --git a/config/chroot_local-packageslists/tails-common.list b/config/chroot_local-packageslists/tails-common.list
index ce0df79..8e4cfd5 100644
--- a/config/chroot_local-packageslists/tails-common.list
+++ b/config/chroot_local-packageslists/tails-common.list
@@ -203,6 +203,7 @@ plymouth
poedit
ppp
pulseaudio
+pulseaudio-utils
pwgen
p7zip-full
resolvconf