Diffstat (limited to 'config/chroot_local-hooks')
-rwxr-xr-xconfig/chroot_local-hooks/10-tbb24
-rwxr-xr-xconfig/chroot_local-hooks/19-install-tor-browser-AppArmor-profile48
-rwxr-xr-xconfig/chroot_local-hooks/43-adjust_path_to_ibus-unikey_binaries18
-rwxr-xr-xconfig/chroot_local-hooks/52-update-rc.d1
-rwxr-xr-xconfig/chroot_local-hooks/58-create-tails-website-CA-bundle12
-rwxr-xr-xconfig/chroot_local-hooks/99-zzz_runtime_apt_proxy14
6 files changed, 100 insertions, 17 deletions
diff --git a/config/chroot_local-hooks/10-tbb b/config/chroot_local-hooks/10-tbb
index 2a0903f..e0e31c9 100755
--- a/config/chroot_local-hooks/10-tbb
+++ b/config/chroot_local-hooks/10-tbb
@@ -42,7 +42,7 @@ download_and_verify_files() {
}
install_tor_browser() {
- local bundle destination tmp prep
+ local bundle destination tmp prep torbutton_xpi_path
bundle="${1}"
destination="${2}"
@@ -75,7 +75,14 @@ install_tor_browser() {
# Remove TBB's torbutton since the "Tor test" will fail and about:tor
# will report an error. We'll install our own Torbutton later, which
# has the extensions.torbutton.test_enabled boolean pref as a workaround.
- rm "${prep}/TorBrowser/Data/Browser/profile.default/extensions/torbutton@torproject.org.xpi"
+ torbutton_xpi_path="${prep}/TorBrowser/Data/Browser/profile.default/extensions/torbutton@torproject.org.xpi"
+ TORBUTTON_BUNDLED_VERSION="$(7z e -so ${torbutton_xpi_path} install.rdf | \
+ sed -n 's,^ <em:version>\([0-9\.]\+\)</em:version>,\1,p')"
+ if [ -z "${TORBUTTON_BUNDLED_VERSION}" ]; then
+ echo "Couldn't extract Torbutton's bundled version" >&2
+ exit 1
+ fi
+ rm "${torbutton_xpi_path}"
# The Tor Browser will fail, complaining about an incomplete profile,
# unless there's a readable TorBrowser/Data/Browser/Caches
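Review bot: `${torbutton_xpi_path}` is unquoted in the `7z e -so` call although the `rm` a few lines below quotes it; use `7z e -so "${torbutton_xpi_path}" install.rdf` so a build path containing whitespace or glob characters cannot change which archive is read. The pipeline's exit status is sed's, so the `-z` test is the only thing that catches a failing 7z; that deserves a comment so nobody removes it as redundant. `TORBUTTON_BUNDLED_VERSION` is deliberately left out of the `local` list and read later at top level, which only works while `install_tor_browser` is never run in a subshell or command substitution; I'd note that with `# Global on purpose: compared against the installed xul-ext-torbutton version below.` The function body starts and ends outside this hunk.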
@@ -207,9 +214,22 @@ FAKE_ICEWEASEL_VERSION=${FIREFOX_VERSION}+fake1
install_fake_iceweasel_pkg "${FAKE_ICEWEASEL_VERSION}"
install_debian_extensions "${TBB_EXT}" ${DEBIAN_EXT_PKGS}
+# Make sure that we have installed a Torbutton based on the same
+# version as the one bundled with the Tor Browser
+TORBUTTON_VERSION="$(dpkg -s xul-ext-torbutton | \
+ sed -n 's/^Version: \(.*\)-[0-9]\+$/\1/p')"
+if [ "${TORBUTTON_VERSION}" != "${TORBUTTON_BUNDLED_VERSION}" ]; then
+ echo "We have installed a Torbutton based on version '${TORBUTTON_VERSION}' but the version bundled with the Tor Browser is version '${TORBUTTON_BUNDLED_VERSION}'" >&2
+ exit 1
+fi
+
mkdir -p "${TBB_PROFILE}"
create_default_profile "${TBB_INSTALL}"/TorBrowser/Data/Browser/profile.default "${TBB_EXT}" "${TBB_PROFILE}"
+# Create a copy of the Firefox binary, for use e.g. by Tor Launcher.
+# It won't be subject to AppArmor confinement.
+cp -a "${TBB_INSTALL}/firefox" "${TBB_INSTALL}/firefox-unconfined"
+
chown -R root:root "${TBB_INSTALL}" "${TBB_PROFILE}" "${TBB_EXT}"
chmod -R a+rX "${TBB_INSTALL}" "${TBB_PROFILE}" "${TBB_EXT}"
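Review bot: The comment on `firefox-unconfined` understates what the copy does. Presumably the profile attaches by executable path, so this binary runs with no confinement at all, and the `chmod -R a+rX` on `${TBB_INSTALL}` a few lines later leaves it readable and executable by every account. I'd spell out the intended caller and the consequence, e.g. `# Only Tor Launcher is meant to exec this copy; anything started from it runs outside the Tor Browser AppArmor profile.` A narrower dedicated profile for the copy would be safer than none. Separately, the version check's sed only matches a purely numeric Debian revision (`-[0-9]\+$`), so any other revision format leaves `TORBUTTON_VERSION` empty; the build still fails closed, but the error message then reports a version mismatch rather than a parse failure.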
diff --git a/config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile b/config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile
new file mode 100755
index 0000000..91fe2ab
--- /dev/null
+++ b/config/chroot_local-hooks/19-install-tor-browser-AppArmor-profile
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -e
+
+echo "Installing AppArmor profile for Tor Browser"
+
+PATCH='/usr/share/tails/torbrowser-AppArmor-profile.patch'
+PROFILE='/etc/apparmor.d/torbrowser'
+
+### Functions
+
+toggle_src_APT_sources() {
+ MODE="$1"
+ TEMP_APT_SOURCES='/etc/apt/sources.list.d/tmp-deb-src.list'
+
+ case "$MODE" in
+ on)
+ cat /etc/apt/sources.list /etc/apt/sources.list.d/*.list \
+ | sed --regexp-extended -e 's,^deb(\s+),deb-src\1,' \
+ > "$TEMP_APT_SOURCES"
+ ;;
+ off)
+ rm "$TEMP_APT_SOURCES"
+ ;;
+ esac
+
+ apt-get --yes update
+}
+
+install_torbrowser_AppArmor_profile() {
+ tmpdir="$(mktemp -d)"
+ (
+ cd "$tmpdir"
+ apt-get source torbrowser-launcher/testing
+ install -m 0644 \
+ torbrowser-launcher-*/apparmor/torbrowser.Browser.firefox \
+ "$PROFILE"
+ )
+ rm -r "$tmpdir"
+}
+
+### Main
+
+toggle_src_APT_sources on
+install_torbrowser_AppArmor_profile
+toggle_src_APT_sources off
+patch --forward --batch "$PROFILE" < "$PATCH"
+rm "$PATCH"
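Review bot: The profile baseline is whatever `torbrowser-launcher/testing` ships on the day of the build, and `patch --forward --batch` accepts fuzzy hunk matches by default, so an upstream change to the profile can be patched over and shipped without anyone reviewing the resulting policy. I'd make the patch step strict with `patch --forward --batch --fuzz=0 "$PROFILE" < "$PATCH"`, so a changed baseline aborts the build under `set -e`, and consider pinning the source version. If `apt-get source` fails, nothing removes `tmp-deb-src.list` or `$tmpdir`, because there is no `trap` for cleanup. `toggle_src_APT_sources` also has no `*)` arm, so a mistyped mode silently does nothing but run `apt-get update`.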
diff --git a/config/chroot_local-hooks/43-adjust_path_to_ibus-unikey_binaries b/config/chroot_local-hooks/43-adjust_path_to_ibus-unikey_binaries
new file mode 100755
index 0000000..d690708
--- /dev/null
+++ b/config/chroot_local-hooks/43-adjust_path_to_ibus-unikey_binaries
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+echo "Moving IBus Unikey binaries to /usr/lib/ibus/"
+
+# Workaround Debian bug #714932 -- we can't just dpkg-divert it, since
+# the original path is hardcoded in these binaries.
+for infix in engine setup ; do
+ orig="/usr/lib/ibus-unikey/ibus-$infix-unikey"
+ dest="/usr/lib/ibus/ibus-$infix-unikey"
+ ln -s "$orig" "$dest"
+done
+
+# Adjust path to the binary in unikey.xml
+sed -i -e \
+ 's,/usr/lib/ibus-unikey/ibus-engine-unikey,/usr/lib/ibus/ibus-engine-unikey,' \
+ /usr/share/ibus/component/unikey.xml
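Review bot: The `sed -i` rewrite of `unikey.xml` succeeds even when the pattern no longer matches, so a packaging change would leave the component file pointing at the old path without failing the build. A check right after it, `grep -qF '/usr/lib/ibus/ibus-engine-unikey' /usr/share/ibus/component/unikey.xml`, would turn that into a hard error under `set -e`. The echo says "Moving" while the loop creates symlinks with `ln -s` and leaves the originals in place; the message should say "Symlinking", so the build log matches what ends up in the image.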
diff --git a/config/chroot_local-hooks/52-update-rc.d b/config/chroot_local-hooks/52-update-rc.d
index d27f7cb..27f9148 100755
--- a/config/chroot_local-hooks/52-update-rc.d
+++ b/config/chroot_local-hooks/52-update-rc.d
@@ -24,7 +24,6 @@ laptop-mode
memlockd
network-manager
plymouth
-polipo
pulseaudio
resolvconf
saned
diff --git a/config/chroot_local-hooks/58-create-tails-website-CA-bundle b/config/chroot_local-hooks/58-create-tails-website-CA-bundle
new file mode 100755
index 0000000..900630f
--- /dev/null
+++ b/config/chroot_local-hooks/58-create-tails-website-CA-bundle
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+echo "Creating CA bundle for authenticating https://tails.boum.org/"
+
+BUNDLE=/usr/local/etc/ssl/certs/tails.boum.org-CA.pem
+
+cat /etc/ssl/certs/AddTrust_External_Root.pem \
+ > "$BUNDLE"
+
+chmod a+r "$BUNDLE"
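Review bot: This hook creates a trust anchor but does not say why `AddTrust_External_Root.pem` is the chosen root or what has to be updated when the site's certificate chain moves to another CA. I'd add a header comment such as `# Pin the root CA used to authenticate https://tails.boum.org/; update this hook whenever the site's certificate chain changes.` `chmod a+r` only adds read bits, so the final mode still depends on the build umask; `chmod 0644 "$BUNDLE"` makes the permissions on the bundle explicit. The hook also assumes `/usr/local/etc/ssl/certs` already exists; if nothing earlier in the build creates it, a `mkdir -p` is needed before the redirect.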
diff --git a/config/chroot_local-hooks/99-zzz_runtime_apt_proxy b/config/chroot_local-hooks/99-zzz_runtime_apt_proxy
deleted file mode 100755
index 91f5b96..0000000
--- a/config/chroot_local-hooks/99-zzz_runtime_apt_proxy
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/bin/sh
-
-set -e
-
-echo "Configuring the runtime APT proxy"
-
-cat > /etc/apt/apt.conf.d/0000runtime-proxy <<EOF
-// Proxy through Polipo to torify outgoing APT HTTP connections.
-// This setting must be overriden at build time by live-build's
-// 00http-proxy configuration file.
-// That's why it is created in a chroot local hook.
-
-Acquire::http::Proxy "http://127.0.0.1:8118/";
-EOF