diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000000..e68be7c125
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,20 @@
+name: CI
+on: [push, pull_request]
+
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ build-bullseye:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/checkout@v4
+ with:
+ repository: "freedomofpress/securedrop-builder"
+ path: "securedrop-builder"
+ lfs: true
+ - name: Lint and test Rust code
+ run: |
+ BUILDER=securedrop-builder ./scripts/build-debs.sh
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000000..6649f6b34d
--- /dev/null
+++ b/debian/changelog
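Review bot: `.github/workflows/ci.yml` declares no `permissions:` block, so the job, which also runs on `pull_request`, gets whatever default GITHUB_TOKEN scope the repository is configured with; a top-level `permissions:` with `contents: read` would make least privilege explicit. Both checkouts use the mutable tag `actions/checkout@v4`, and the second one fetches `freedomofpress/securedrop-builder` with no `ref:`, so the wheels the build consumes follow whatever that repository's default branch holds at run time; pinning the action to a commit SHA and the builder checkout to a fixed `ref:` would make the build inputs auditable. The last step is named `Lint and test Rust code` but runs `./scripts/build-debs.sh`; `- name: Build Debian packages` would match what it does.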
@@ -0,0 +1,188 @@ +securedrop-client (0.9.0+bullseye) unstable; urgency=medium + + * see changelog.md + + -- SecureDrop Team Thu, 16 Mar 2023 16:29:03 -0400 + +securedrop-client (0.8.1+bullseye) unstable; urgency=medium + + * See changelog.md + + -- SecureDrop Team Thu, 15 Sep 2022 08:37:55 +1000 + +securedrop-client (0.8.0+buster) unstable; urgency=medium + + * See changelog.md + + -- SecureDrop Team Wed, 06 Jul 2022 14:06:23 +1000 + +securedrop-client (0.7.0+buster) unstable; urgency=medium + + * See changelog.md + + -- SecureDrop Team Wed, 20 Apr 2022 10:41:31 -0400 + +securedrop-client (0.6.0+buster) unstable; urgency=medium + + * See changelog.md + + -- SecureDrop Team Tue, 15 Feb 2022 10:45:20 -0800 + +securedrop-client (0.5.1+buster) unstable; urgency=medium + + * See changelog.md + + -- SecureDrop Team Thu, 02 Dec 2021 16:41:49 -0800 + +securedrop-client (0.5.0+buster) unstable; urgency=medium + + * See changelog.md + + -- SecureDrop Team Wed, 01 Dec 2021 12:09:27 -0800 + +securedrop-client (0.4.1+buster) unstable; urgency=medium + + * See changelog.md + + -- SecureDrop Team Wed, 17 Mar 2021 11:20:12 -0700 + +securedrop-client (0.4.0+buster) unstable; urgency=medium + + * See changelog.md + + -- SecureDrop Team Thu, 10 Dec 2020 14:36:06 -0800 + +securedrop-client (0.3.0+buster) unstable; urgency=medium + + * See changelog.md + + -- SecureDrop Team Thu, 05 Nov 2020 11:40:46 -0500 + +securedrop-client (0.2.1+buster) unstable; urgency=medium + + * See changelog.md + + -- SecureDrop Team Thu, 16 Jul 2020 11:56:07 -0400 + +securedrop-client (0.2.0+buster) unstable; urgency=medium + + * See changelog.md + + -- SecureDrop Team Fri, 29 May 2020 17:19:31 -0400 + +securedrop-client (0.1.6+buster) unstable; urgency=medium + + * See changelog.md + + -- SecureDrop Team Tue, 31 Mar 2020 10:45:27 -0400 + +securedrop-client (0.1.5+buster) unstable; urgency=medium + + * See changelog.md + + -- SecureDrop Team Mon, 30 Mar 2020 14:11:21 -0400 + +securedrop-client 
(0.1.4+buster) unstable; urgency=medium + + * See changelog.md + + -- SecureDrop Team Thu, 26 Mar 2020 11:45:01 -0400 + +securedrop-client (0.1.3+buster) unstable; urgency=medium + + * See changelog.md + + -- mickael e. Wed, 18 Mar 2020 12:32:35 -0400 + +securedrop-client (0.1.2+buster) unstable; urgency=medium + + * See changelog.md + + -- redshiftzero Tue, 10 Mar 2020 13:12:54 -0400 + +securedrop-client (0.1.1+buster) unstable; urgency=medium + + * See changelog.md + + -- redshiftzero Tue, 03 Mar 2020 11:39:03 -0500 + +securedrop-client (0.1.0+buster) unstable; urgency=medium + + * See changelog.md + + -- redshiftzero Fri, 21 Feb 2020 13:34:42 -0500 + +securedrop-client (0.0.13+buster) unstable; urgency=medium + + * remove user refresh and replace with sync icon (#732) + * build-requirements: update for production beta (#730) + * No sync on ui operations (#721) + * Use SecureQLabel for message previews (#720) + * Show DD MMM format for source title (#719) + * Add new metadata queue. (#715) + * Improve performance of storage.get_remote_data (#709) + * app/queue: prioritize user-triggered state changes (#708) + * Fix HTML entities being escaped in speech bubbles. (#703) + * Activity indicator for file download / decryption. 
(#702) + * Rename VMs (#701) + + -- SecureDrop Team Fri, 17 Jan 2020 18:20:20 -0800 + +securedrop-client (0.0.12+buster) unstable; urgency=medium + + * Use revised VM names (securedrop-workstation #285) + * Delete sources using the general queue (#402) + * Add a preview snippet for sources (#135) + * Add a show/hide password feature on the login screen (#659) + * Disable sync icon during active sync (#388) + * Add keyboard shortcuts for sending replies (#606) + * Add hover states for UI elements (#591) + + -- SecureDrop Team Fri, 17 Jan 2020 18:20:20 -0800 + +securedrop-client (0.0.11+buster) unstable; urgency=medium + + * Add apparmor profile (#673) + * Add failure message for replies (#664) + * Move metadata sync to api queue (#640) + * Add print integration (#631) + * Populate source list immediately upon login (#626) + + -- SecureDrop Team Thu, 19 Dec 2019 12:20:20 -0500 + +securedrop-client (0.0.10+buster) unstable; urgency=medium + + * Add Python 3.7/buster support (#568, #609) + * Add export to USB support (#611, #547, #562, #563, #564) + * Retry failed replies (#530) + * Pause queue on auth errors, connection failures, and timeouts (#531) + * Add pending reply status, persist replies in the database (#578) + * Set realistic timeouts, scale file/message download timeouts using file size (#515, #567) + * Update qrexec keyword prefix characters (#537) + * Reply box no longer accepts rich text input (#580) + * Format reply box placeholder text (#597) + * Redesign FileWidget (#535) + * Style conversation header (#543) + * Login form submits if user presses Enter or Return (#615) + * Enable changeable log levels (#603) + * Remove borders around source list, send icon, and reply box (#505) + * Move star and date in source widget (#506) + * Polish source widget (#522) + * Polish offline UI (#586) + * Add branding image to left pane and polish styling (#520) + * Add empty conversation view (#510) + * Update fonts weights and colors (#502) + * Bugfix: handle missing 
files during export and open (#566) + * Bugfix: do not escape quotes in SecureQLabel (#516) + * Bugfix: skip round trip to user endpoint during logic (#605, #621, #623) + * Bugfix: fix bug of sources disappearing from source list (#620) + * Bugfix: fix db warnings upon source deletion (#581) + * Add more detailed developer documentation (#508) + * Add documentation for updating dependencies (#536) + * Ensure build/dev requirements files stay in sync (#602) + * Parallelize test suite (#569) + * Ignore third-party deprecation warnings (#576) + * Add bandit to check target (#548) + + -- redshiftzero Wed, 20 Nov 2019 09:20:22 -0500 + diff --git a/debian/control b/debian/control new file mode 100644 index 0000000000..95fb5003ee --- /dev/null +++ b/debian/control 
@@ -0,0 +1,53 @@
+Source: securedrop-client
+Section: unknown
+Priority: optional
+Maintainer: SecureDrop Team
+Build-Depends: debhelper-compat (= 11), python3-virtualenv
+Standards-Version: 3.9.8
+Homepage: https://github.com/freedomofpress/securedrop-client
+X-Python3-Version: >= 3.5
+
+Package: securedrop-client
+Architecture: all
+Depends: ${python3:Depends},${misc:Depends}, python3-pyqt5, python3-pyqt5.qtsvg, apparmor-utils
+Description: securedrop client for qubes workstation
+
+Package: securedrop-export
+Architecture: all
+Depends: ${python3:Depends}, ${misc:Depends}, cryptsetup, cups, printer-driver-brlaser, printer-driver-hpcups, system-config-printer, xpp, libcups2-dev, python3-dev, libtool-bin, unoconv, gnome-disk-utility
+Description: Submission export scripts for SecureDrop Workstation
+ This package provides scripts used by the SecureDrop Qubes Workstation to
+ export submissions from the client to external storage, via the sd-export
+ Qube.
+
+Package: securedrop-keyring
+Architecture: all
+Depends: gnupg
+Description: Provides an apt keyring for SecureDrop-related packages, so the master signing key used for SecureDrop packages can be updated via apt.
+
+Package: securedrop-log
+Architecture: all
+Depends: python3-distutils, ${misc:Depends}, ${python3:Depends}
+Description: Python module and qrexec service to store logs for SecureDrop Workstation
+ This package provides Python module and qrexec service files to create a logging VM in
+ SecureDrop Workstation project in Qubes.
+
+Package: securedrop-proxy
+Architecture: all
+Depends: ${python3:Depends}, ${misc:Depends}, libyaml-0-2
+Description: This is securedrop Qubes proxy service
+ This package provides the network proxy on Qubes to talk to the SecureDrop server.
+
+Package: securedrop-workstation-config
+Architecture: all
+Depends: nautilus, gvfs-bin, securedrop-keyring
+Description: This is the SecureDrop workstation template configuration package.
+ This package provides dependencies and configuration for the Qubes SecureDrop workstation VM Templates.
+
+Package: securedrop-workstation-viewer
+Architecture: all
+Depends: securedrop-workstation-config,securedrop-workstation-grsec,apparmor-profiles,apparmor-profiles-extra,apparmor-utils,audacious,eog,evince,file-roller,gedit,totem
+Description: This is the SecureDrop workstation SecureDrop Viewer Disposable VM template configuration package. This package provides dependencies and configuration for the Qubes SecureDrop workstation sd-viewer Template VM.
+Provides: securedrop-workstation-svs-disp
+Conflicts: securedrop-workstation-svs-disp
+Replaces: securedrop-workstation-svs-disp
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000000..bbdb6d9854
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,7 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: securedrop-client
+Source: https://github.com/freedomofpress/securedrop-client
+
+Files: *
+Copyright: 2020 Freedom of the Press Foundation
+License: AGPL-3.0+
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000000..8d25cf9b40
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,18 @@
+#!/usr/bin/make -f
+
+%:
+ dh $@
+
+override_dh_auto_install:
+ bash ./debian/setup-venv.sh client
+ bash ./debian/setup-venv.sh export
+ bash ./debian/setup-venv.sh log
+ bash ./debian/setup-venv.sh proxy
+ dh_auto_install
+
+override_dh_strip_nondeterminism:
+ find ./debian/ -type f -name '*.pyc' -delete
+ find ./debian/ -type f -name 'pip-selfcheck.json' -delete
+ find ./debian/ -type f -name 'direct_url.json' -delete
+ find ./debian/ -type f -name 'RECORD' -delete
+ dh_strip_nondeterminism $@
diff --git a/debian/securedrop-client.install b/debian/securedrop-client.install
new file mode 100644
index 0000000000..93db676691
--- /dev/null
+++ b/debian/securedrop-client.install
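Review bot: In `debian/control` the `securedrop-export` stanza lists `libcups2-dev`, `python3-dev` and `libtool-bin` under `Depends:`, which installs development headers and build tooling at run time in the VM that handles exports. If these are only needed to build wheels (which `debian/setup-venv.sh` installs prebuilt from the builder's wheels directory), they belong in `Build-Depends:` or can be dropped; this cannot be confirmed from the diff alone. Separately, `Section: unknown` and `Standards-Version: 3.9.8` look like template leftovers next to `debhelper-compat (= 11)`.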
@@ -0,0 +1,7 @@
+client/files/alembic.ini usr/share/securedrop-client/
+client/alembic usr/share/securedrop-client/
+client/files/sd-app-qubes-gpg-domain.sh etc/profile.d/
+client/files/securedrop-client usr/bin/
+client/files/securedrop-client.desktop usr/share/applications/
+client/files/press.freedom.SecureDropClient.desktop usr/share/applications/
+client/files/usr.bin.securedrop-client /etc/apparmor.d/
diff --git a/debian/securedrop-client.postinst b/debian/securedrop-client.postinst
new file mode 100644
index 0000000000..f04f9bc892
--- /dev/null
+++ b/debian/securedrop-client.postinst
@@ -0,0 +1,44 @@
+#!/bin/sh
+# postinst script for securedrop-client
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-remove'
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ configure)
+
+ update-desktop-database /usr/share/applications
+ aa-enforce /usr/bin/securedrop-client
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ update-desktop-database /usr/share/applications
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/securedrop-export.install b/debian/securedrop-export.install
new file mode 100644
index 0000000000..0d356bcf26
--- /dev/null
+++ b/debian/securedrop-export.install
@@ -0,0 +1,3 @@
+export/files/application-x-sd-export.xml usr/share/mime/packages
+export/files/send-to-usb.desktop usr/share/applications
+export/files/sd-logo.png usr/share/securedrop/icons
diff --git a/debian/securedrop-export.links b/debian/securedrop-export.links
new file mode 100644
index 0000000000..38aae3b7cb
--- /dev/null
+++ b/debian/securedrop-export.links
@@ -0,0 +1 @@
+opt/venvs/securedrop-export/bin/send-to-usb usr/bin/send-to-usb
diff --git a/debian/securedrop-export.postinst b/debian/securedrop-export.postinst
new file mode 100644
index 0000000000..243a9a2d12
--- /dev/null
+++ b/debian/securedrop-export.postinst
@@ -0,0 +1,51 @@
+#!/bin/sh
+# postinst script for securedrop-export
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-remove'
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+NOTIFICATION_SERVICE_PATH='/usr/share/dbus-1/services/org.freedesktop.mate.Notifications.service'
+
+case "$1" in
+ configure)
+
+ update-desktop-database /usr/share/applications
+ update-mime-database /usr/share/mime
+ # Disable notifictions service, since the printer configuration
+ # is not required and will not persist
+ if [ -e ${NOTIFICATION_SERVICE_PATH} ]; then
+ mv "${NOTIFICATION_SERVICE_PATH}" "${NOTIFICATION_SERVICE_PATH}.disabled"
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+
+ update-desktop-database /usr/share/applications
+ update-mime-database /usr/share/mime
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/securedrop-export.postrm b/debian/securedrop-export.postrm
new file mode 100644
index 0000000000..0753737d16
--- /dev/null
+++ b/debian/securedrop-export.postrm
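Review bot: In `debian/securedrop-export.postinst` the `configure` branch renames `${NOTIFICATION_SERVICE_PATH}`, a file this package does not ship, so dpkg is unaware of the change and an upgrade of the package that owns the file would presumably restore the service. `dpkg-divert` is the packaging mechanism for moving another package's file aside and would make the disablement persistent. The test `[ -e ${NOTIFICATION_SERVICE_PATH} ]` is unquoted while the `mv` below quotes the same variable; `if [ -e "${NOTIFICATION_SERVICE_PATH}" ]; then` keeps them consistent. The comment above it has a typo, `notifictions`.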
@@ -0,0 +1,40 @@
+#!/bin/sh
+# postrm script for securedrop-export
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `remove'
+# * `purge'
+# * `upgrade'
+# * `failed-upgrade'
+# * `abort-install'
+# * `abort-install'
+# * `abort-upgrade'
+# * `disappear'
+#
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+
+ update-desktop-database /usr/share/applications
+ update-mime-database /usr/share/mime
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/securedrop-keyring.install b/debian/securedrop-keyring.install
new file mode 100644
index 0000000000..54915d7e78
--- /dev/null
+++ b/debian/securedrop-keyring.install
@@ -0,0 +1 @@
+keyring/securedrop-keyring.gpg etc/apt/trusted.gpg.d/
diff --git a/debian/securedrop-keyring.postinst b/debian/securedrop-keyring.postinst
new file mode 100644
index 0000000000..94fc4dec4e
--- /dev/null
+++ b/debian/securedrop-keyring.postinst
@@ -0,0 +1,39 @@
+#!/bin/sh
+# postinst script for securedrop-keyring
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-remove'
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+ configure)
+ chown -R root:root /etc/apt/trusted.gpg.d/
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
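Review bot: In `debian/securedrop-keyring.postinst`, `chown -R root:root /etc/apt/trusted.gpg.d/` rewrites ownership of every keyring in that directory, including files that belong to other packages, and leaves file modes untouched. Limiting it to the file this package installs, `chown root:root /etc/apt/trusted.gpg.d/securedrop-keyring.gpg` followed by `chmod 0644` on the same path, keeps the script to its own artefact. It would also help to add a comment here or in `securedrop-keyring.install` noting that a key placed in `trusted.gpg.d` is trusted by apt for every configured repository, not only the SecureDrop one.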
diff --git a/debian/securedrop-keyring.preinst b/debian/securedrop-keyring.preinst
new file mode 100644
index 0000000000..2e08480992
--- /dev/null
+++ b/debian/securedrop-keyring.preinst
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -e
+
+# Solution adapted from DKG's work on `deb.torproject.org-keyring` and
+# the securedrop core keyring package.
+#
+# The salt provisioning logic uses pkgrepo.managed, which writes the
+# key to `/etc/apt/trusted.gpg`. It's cleaner to use the trusted.gpg.d
+# subdirectory, since we can update that trivially in future versions
+# of the keyring package.
+#
+# Therefore let's clean up prior versions of the key installed
+# to the general apt keyring, to ensure we only have one signing key
+# installed for authenticating securedrop-related packages.
+
+if [ -e /etc/apt/trusted.gpg ] && which gpg >/dev/null; then
+ (
+ h="$(mktemp -d)"
+ trap "rm -rf '$h'" EXIT
+
+ if gpg --homedir="$h" \
+ --batch --no-tty --no-default-keyring --keyring /etc/apt/trusted.gpg \
+ --list-key 0x2359E6538C0613E652955E6C188EDD3B7B22E6A3 > /dev/null 2>&1 ; then
+ gpg --homedir="$h" \
+ --batch --no-tty --no-default-keyring --keyring /etc/apt/trusted.gpg \
+ --no-auto-check-trustdb \
+ --delete-key 0x2359E6538C0613E652955E6C188EDD3B7B22E6A3 || true
+ fi
+ )
+fi
+
+#DEBHELPER#
+
diff --git a/debian/securedrop-log.install b/debian/securedrop-log.install
new file mode 100644
index 0000000000..79256901f1
--- /dev/null
+++ b/debian/securedrop-log.install
@@ -0,0 +1,4 @@
+log/securedrop.Log etc/qubes-rpc/
+log/sd-rsyslog usr/sbin/
+log/securedrop-log.service etc/systemd/system
+log/sdlog.conf etc/rsyslog.d/
diff --git a/debian/securedrop-log.links b/debian/securedrop-log.links
new file mode 100644
index 0000000000..e5480a6238
--- /dev/null
+++ b/debian/securedrop-log.links
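Review bot: In `debian/securedrop-keyring.preinst` the trailing `|| true` on the `--delete-key` call makes a failed removal silent. The old copy of the key can then stay in `/etc/apt/trusted.gpg` with nothing in the install log, which works against the stated goal of having only one signing key installed. Keeping the best-effort behaviour but leaving a trace is enough: replace `|| true` with `|| echo "securedrop-keyring: could not remove old key from /etc/apt/trusted.gpg" >&2`. The `which gpg` probe could be `command -v gpg`, which is a shell builtin and does not depend on an extra binary being present at preinst time.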
@@ -0,0 +1,3 @@
+opt/venvs/securedrop-log/sbin/securedrop-log usr/sbin/securedrop-log
+opt/venvs/securedrop-log/sbin/securedrop-log-saver usr/sbin/securedrop-log-saver
+opt/venvs/securedrop-log/sbin/securedrop-redis-log usr/sbin/securedrop-redis-log
diff --git a/debian/securedrop-proxy.install b/debian/securedrop-proxy.install
new file mode 100644
index 0000000000..e598af1a1c
--- /dev/null
+++ b/debian/securedrop-proxy.install
@@ -0,0 +1 @@
+proxy/qubes/securedrop.Proxy etc/qubes-rpc/
diff --git a/debian/securedrop-proxy.links b/debian/securedrop-proxy.links
new file mode 100644
index 0000000000..abddf108f8
--- /dev/null
+++ b/debian/securedrop-proxy.links
@@ -0,0 +1 @@
+opt/venvs/securedrop-proxy/bin/sd-proxy usr/bin/sd-proxy
diff --git a/debian/securedrop-workstation-config.install b/debian/securedrop-workstation-config.install
new file mode 100644
index 0000000000..3c3bc7975d
--- /dev/null
+++ b/debian/securedrop-workstation-config.install
@@ -0,0 +1,6 @@
+workstation-config/mailcap.default opt/sdw/
+workstation-config/mimeapps.list.sd-viewer opt/sdw/
+workstation-config/mimeapps.list.sd-app opt/sdw/
+workstation-config/mimeapps.list.sd-devices-dvm opt/sdw/
+workstation-config/open-in-dvm.desktop opt/sdw/
+workstation-config/paxctld.conf opt/sdw/
diff --git a/debian/securedrop-workstation-config.postinst b/debian/securedrop-workstation-config.postinst
new file mode 100644
index 0000000000..2084a52ff0
--- /dev/null
+++ b/debian/securedrop-workstation-config.postinst
@@ -0,0 +1,49 @@
+#!/bin/sh
+# postinst script for securedrop-workstation-config
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * `configure'
+# * `abort-upgrade'
+# * `abort-remove' `in-favour'
+#
+# * `abort-remove'
+# * `abort-deconfigure' `in-favour'
+# `removing'
+#
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+
+case "$1" in
+ configure)
+ # move pax flags and restart paxctld service
+ # copy and set default mimeapps handling
+ # except for whonix-based VMs
+ if [ ! -e "/etc/whonix_version" ]; then
+ cp /opt/sdw/paxctld.conf /etc/paxctld.conf
+ systemctl restart paxctld
+ cp /opt/sdw/open-in-dvm.desktop /usr/share/applications/
+ cp /opt/sdw/mimeapps.list.sd-app /usr/share/applications/mimeapps.list
+ cp /opt/sdw/mimeapps.list.sd-app /opt/sdw/mimeapps.list.default
+ fi
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/setup-venv.sh b/debian/setup-venv.sh
new file mode 100644
index 0000000000..7b303de331
--- /dev/null
+++ b/debian/setup-venv.sh
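Review bot: In `debian/securedrop-workstation-config.postinst`, `systemctl restart paxctld` runs under `set -e`, but the `securedrop-workstation-config` stanza in this commit's `debian/control` declares only `nautilus, gvfs-bin, securedrop-keyring`. On a template without the paxctld unit, the restart fails, `configure` aborts, and the package is left half-configured before the mimeapps files are copied. Either declare the package that provides paxctld in `Depends:`, or guard the two paxctld lines with `if command -v paxctld >/dev/null 2>&1; then ... fi`. The script also overwrites `/etc/paxctld.conf`, which this package does not own, so a short comment on why that is acceptable (or a `dpkg-divert`) would help the next maintainer.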
@@ -0,0 +1,20 @@
+#!/bin/bash
+set -euxo pipefail
+
+NAME=$1
+if [[ $NAME == "client" ]]; then
+ VENV_ARGS="--system-site-packages"
+else
+ VENV_ARGS=""
+fi
+WHEELS_DIR="/builder/securedrop-${NAME}/wheels"
+PIP_ARGS="--ignore-installed --no-index --find-links ${WHEELS_DIR} --no-deps --no-cache-dir --no-use-pep517"
+
+/usr/bin/python3 -m virtualenv $VENV_ARGS ./debian/securedrop-${NAME}/opt/venvs/securedrop-${NAME}
+./debian/securedrop-${NAME}/opt/venvs/securedrop-${NAME}/bin/pip install $PIP_ARGS -r ${NAME}/build-requirements.txt
+./debian/securedrop-${NAME}/opt/venvs/securedrop-${NAME}/bin/pip install $PIP_ARGS ./${NAME}
+
+# Adjust paths to reflect installed paths
+find ./debian/securedrop-${NAME}/ -type f -exec sed -i "s#$(pwd)/debian/securedrop-${NAME}##" {} \;
+# Cleanup wheels
+rm -rf ./debian/securedrop-${NAME}/opt/venvs/securedrop-${NAME}/share/python-wheels
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000000..89ae9db8f8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/debian/source/options b/debian/source/options
new file mode 100644
index 0000000000..26ae970081
--- /dev/null
+++ b/debian/source/options
@@ -0,0 +1,2 @@
+# speed is preferred over disk space
+compression = "gzip"
diff --git a/keyring/securedrop-keyring.gpg b/keyring/securedrop-keyring.gpg
new file mode 100644
index 0000000000..51b1fd7883
Binary files /dev/null and b/keyring/securedrop-keyring.gpg differ
diff --git a/scripts/build-debs-real.sh b/scripts/build-debs-real.sh
new file mode 100755
index 0000000000..ea89bf0b5d
--- /dev/null
+++ b/scripts/build-debs-real.sh
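Review bot: In `debian/setup-venv.sh`, `PIP_ARGS` restricts pip to the local wheels directory with `--no-index --find-links` but does not pass `--require-hashes`, so whether each wheel is checked against a pinned digest depends on `build-requirements.txt` already carrying `--hash` entries, which this diff does not show. Adding `--require-hashes` to the `-r ${NAME}/build-requirements.txt` install would make the build fail closed if a requirement ever lacks a hash; the second install of `./${NAME}` is a local directory and would have to keep the current arguments. `NAME=$1` is also used unquoted in every path and is not checked against the four values `debian/rules` passes; a `case "$NAME" in client|export|log|proxy) ;; *) exit 1 ;; esac` guard near the top would document the contract.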
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Build packages. This runs *inside* the container.
+export PIP_DISABLE_PIP_VERSION_CHECK=1
+export PIP_PROGRESS_BAR=off
+export CARGO_TERM_COLOR=never
+export CARGO_TERM_PROGRESS_WHEN=never
+
+set -euxo pipefail
+
+# Update container
+apt-get update && apt-get upgrade --yes
+
+# Make a copy of the source tree since we do destructive operations on it
+cp -R /src/ /srv/securedrop-client
+cd /srv/securedrop-client
+apt-get build-dep . --yes
+dpkg-buildpackage --no-sign
+ls ../
+# Copy the built artifacts back and print checksums
+mkdir -p /src/build/
+mv -v ../*.{buildinfo,changes,deb,tar.gz} /src/build/
+cd /src/build/
+sha256sum ./*
diff --git a/scripts/build-debs.sh b/scripts/build-debs.sh
new file mode 100755
index 0000000000..574cf288bc
--- /dev/null
+++ b/scripts/build-debs.sh
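Review bot: In `scripts/build-debs-real.sh`, `/src/build/` is created with `mkdir -p` and never emptied, so on a second run the final `sha256sum ./*` also lists artefacts left by earlier builds and the printed checksums no longer describe this build alone. The earlier `cp -R /src/ /srv/securedrop-client` also copies that `build/` directory into the tree that `dpkg-buildpackage` packs; with the `3.0 (native)` source format the old packages would presumably end up inside the new source tarball. Removing `/src/build` before the `cp -R`, or excluding it from the copy, addresses both. `ls ../` looks like a debugging leftover.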
@@ -0,0 +1,42 @@
+#!/bin/bash
+# shellcheck disable=SC2209,SC2086
+# Build packages. This runs *outside* the container.
+
+set -euxo pipefail
+
+git --no-pager log -1 --oneline --show-signature --no-color
+
+OCI_RUN_ARGUMENTS="--user=root -v $(pwd):/src:Z"
+
+# Default to podman if available
+if which podman > /dev/null 2>&1; then
+ OCI_BIN="podman"
+ # Make sure host UID/GID are mapped into container,
+ # see podman-run(1) manual.
+ OCI_RUN_ARGUMENTS="${OCI_RUN_ARGUMENTS} --userns=keep-id"
+else
+ OCI_BIN="docker"
+fi
+# Pass -it if we're a tty
+if test -t 0; then
+ OCI_RUN_ARGUMENTS="${OCI_RUN_ARGUMENTS} -it"
+fi
+
+# Look for the builder repo with our local wheels
+export BUILDER=$(realpath "${BUILDER:-../securedrop-builder}")
+if [[ ! -d $BUILDER ]]; then
+ echo "Cannot find securedrop-builder repository, please check it out \
+to ${BUILDER} or set the BUILDER variable"
+ exit 1
+fi
+
+export DEBIAN_VERSION="${DEBIAN_VERSION:-bullseye}"
+export OCI_RUN_ARGUMENTS
+export OCI_BIN
+
+$OCI_BIN pull debian:${DEBIAN_VERSION}
+
+$OCI_BIN run --rm $OCI_RUN_ARGUMENTS \
+ -v "${BUILDER}:/builder:Z" \
+ --entrypoint "/src/scripts/build-debs-real.sh" \
+ debian:${DEBIAN_VERSION}
diff --git a/workstation-config/mailcap.default b/workstation-config/mailcap.default
new file mode 100644
index 0000000000..4c3bb89767
--- /dev/null
+++ b/workstation-config/mailcap.default
@@ -0,0 +1,7 @@
+# Mailcap acts as a fallback mechanism if MIME type lookup fails in tools like
+# xdg-open. Because the Mailcap MIME type definitions do not match the
+# ones used by the SecureDrop Workstation, we disable Mailcap for the default
+# user using a wildcard rule. Lookup attempts are logged to /var/log/syslog
+# and sd-log.
+
+*/*; logger "Mailcap is disabled."
diff --git a/workstation-config/mimeapps.list.sd-app b/workstation-config/mimeapps.list.sd-app
new file mode 100644
index 0000000000..6a23b86071
--- /dev/null
+++ b/workstation-config/mimeapps.list.sd-app
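Review bot: In `scripts/build-debs.sh` the build container is pulled and run as `debian:${DEBIAN_VERSION}`, a mutable tag, and `build-debs-real.sh` then runs `apt-get upgrade` inside it, so two builds of the same commit can use different toolchains with no record of which image was used. Pinning the image by digest (`debian:${DEBIAN_VERSION}@sha256:<digest>`), or at least logging the resolved digest after the pull, would make the printed package checksums traceable to a build environment. The `git log -1 --show-signature` line only prints the signature status; under `set -e` it still succeeds for an unsigned or badly signed commit, so if a signed HEAD is a requirement the script needs an explicit `git verify-commit HEAD`. `-v $(pwd):/src:Z` is unquoted and SC2086 is disabled for the whole file, so a checkout path containing spaces would be split into separate arguments.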
@@ -0,0 +1,297 @@ +[Default Applications] +application/x-dia-diagram=open-in-dvm.desktop; +text/x-vcard=open-in-dvm.desktop; +text/directory=open-in-dvm.desktop; +text/calendar=open-in-dvm.desktop; +application/x-cd-image=open-in-dvm.desktop; +application/x-desktop=open-in-dvm.desktop; +application/x-raw-disk-image=open-in-dvm.desktop; +application/x-raw-disk-image-xz-compressed=open-in-dvm.desktop; +image/x-compressed-xcf=open-in-dvm.desktop; +image/x-xcf=open-in-dvm.desktop; +image/x-psd=open-in-dvm.desktop; +image/x-fits=open-in-dvm.desktop; +image/bmp=open-in-dvm.desktop; +image/gif=open-in-dvm.desktop; +image/x-icb=open-in-dvm.desktop; +image/x-ico=open-in-dvm.desktop; +image/x-pcx=open-in-dvm.desktop; +image/x-portable-anymap=open-in-dvm.desktop; +image/x-portable-bitmap=open-in-dvm.desktop; +image/x-portable-graymap=open-in-dvm.desktop; +image/x-portable-pixmap=open-in-dvm.desktop; +image/x-xbitmap=open-in-dvm.desktop; +image/x-xpixmap=open-in-dvm.desktop; +image/svg+xml=open-in-dvm.desktop; +application/vnd.ms-word=open-in-dvm.desktop; +application/vnd.wordperfect=open-in-dvm.desktop; +application/vnd.sun.xml.writer=open-in-dvm.desktop; +application/vnd.sun.xml.writer.global=open-in-dvm.desktop; +application/vnd.sun.xml.writer.template=open-in-dvm.desktop; +application/vnd.stardivision.writer=open-in-dvm.desktop; +application/vnd.oasis.opendocument.text=open-in-dvm.desktop; +application/vnd.oasis.opendocument.text-template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.text-web=open-in-dvm.desktop; +application/vnd.oasis.opendocument.text-master=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.wordprocessingml.document=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.wordprocessingml.template=open-in-dvm.desktop; +application/vnd.ms-excel=open-in-dvm.desktop; +application/vnd.stardivision.calc=open-in-dvm.desktop; +application/vnd.sun.xml.calc=open-in-dvm.desktop; 
+application/vnd.sun.xml.calc.template=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.spreadsheetml.sheet=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.spreadsheetml.template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.spreadsheet=open-in-dvm.desktop; +application/vnd.oasis.opendocument.spreadsheet-template=open-in-dvm.desktop; +application/vnd.ms-powerpoint=open-in-dvm.desktop; +application/vnd.stardivision.impress=open-in-dvm.desktop; +application/vnd.sun.xml.impress=open-in-dvm.desktop; +application/vnd.sun.xml.impress.template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.presentation=open-in-dvm.desktop; +application/vnd.oasis.opendocument.presentation-template=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.presentationml.presentation=open-in-dvm.desktop; +application/vnd.openxmlformats-officedocument.presentationml.template=open-in-dvm.desktop; +application/vnd.stardivision.draw=open-in-dvm.desktop; +application/vnd.sun.xml.draw=open-in-dvm.desktop; +application/vnd.sun.xml.draw.template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.graphics=open-in-dvm.desktop; +application/vnd.oasis.opendocument.graphics-template=open-in-dvm.desktop; +application/vnd.oasis.opendocument.formula=open-in-dvm.desktop; +application/vnd.sun.xml.math=open-in-dvm.desktop; +application/vnd.stardivision.math=open-in-dvm.desktop; +application/vnd.oasis.opendocument.database=open-in-dvm.desktop; +application/vnd.sun.xml.base=open-in-dvm.desktop; +application/pdf=open-in-dvm.desktop; +application/postscript=open-in-dvm.desktop; +application/x-qw=open-in-dvm.desktop; +application/x-gnucash=open-in-dvm.desktop; +application/vnd.lotus-1-2-3=open-in-dvm.desktop; +application/x-oleo=open-in-dvm.desktop; +application/x-gnumeric=open-in-dvm.desktop; +application/x-xbase=open-in-dvm.desktop; +application/x-abiword=open-in-dvm.desktop; +application/x-dvi=open-in-dvm.desktop; 
+application/x-catalog=open-in-dvm.desktop; +application/x-rpm=open-in-dvm.desktop; +text/csv=open-in-dvm.desktop; +text/plain=open-in-dvm.desktop; +text/html=open-in-dvm.desktop; +application/xhtml+xml=open-in-dvm.desktop; +inode/directory=open-in-dvm.desktop; +x-content/blank-cd=open-in-dvm.desktop; +x-content/blank-dvd=open-in-dvm.desktop; +x-content/blank-bd=open-in-dvm.desktop; +x-content/blank-hddvd=open-in-dvm.desktop; +x-content/video-dvd=open-in-dvm.desktop; +x-content/video-vcd=open-in-dvm.desktop; +x-content/video-svcd=open-in-dvm.desktop; +#x-content/video-bluray=open-in-dvm.desktop; +#x-content/video-hddvd=open-in-dvm.desktop; +x-content/audio-cdda=open-in-dvm.desktop; +x-content/audio-dvd=open-in-dvm.desktop; +x-content/audio-player=open-in-dvm.desktop; +x-content/image-dcf=open-in-dvm.desktop; +x-content/image-picturecd=open-in-dvm.desktop; +# URI scheme handlers +x-scheme-handler/mailto=open-in-dvm.desktop; +x-scheme-handler/http=open-in-dvm.desktop; +x-scheme-handler/https=open-in-dvm.desktop; +application/mxf=open-in-dvm.desktop; +application/ogg=open-in-dvm.desktop; +application/ram=open-in-dvm.desktop; +application/sdp=open-in-dvm.desktop; +application/smil=open-in-dvm.desktop; +application/smil+xml=open-in-dvm.desktop; +application/vnd.apple.mpegurl=open-in-dvm.desktop; +application/vnd.ms-wpl=open-in-dvm.desktop; +application/vnd.rn-realmedia=open-in-dvm.desktop; +application/x-extension-m4a=open-in-dvm.desktop; +application/x-extension-mp4=open-in-dvm.desktop; +application/x-flac=open-in-dvm.desktop; +application/x-flash-video=open-in-dvm.desktop; +application/x-matroska=open-in-dvm.desktop; +application/x-netshow-channel=open-in-dvm.desktop; +application/x-ogg=open-in-dvm.desktop; +application/x-quicktime-media-link=open-in-dvm.desktop; +application/x-quicktimeplayer=open-in-dvm.desktop; +application/x-shorten=open-in-dvm.desktop; +application/x-smil=open-in-dvm.desktop; +application/xspf+xml=open-in-dvm.desktop; 
+audio/3gpp=open-in-dvm.desktop; +audio/ac3=open-in-dvm.desktop; +audio/AMR=open-in-dvm.desktop; +audio/AMR-WB=open-in-dvm.desktop; +audio/basic=open-in-dvm.desktop; +audio/midi=open-in-dvm.desktop; +audio/mp2=open-in-dvm.desktop; +audio/mp4=open-in-dvm.desktop; +audio/mpeg=open-in-dvm.desktop; +audio/mpegurl=open-in-dvm.desktop; +audio/ogg=open-in-dvm.desktop; +audio/prs.sid=open-in-dvm.desktop; +audio/vnd.rn-realaudio=open-in-dvm.desktop; +audio/x-aiff=open-in-dvm.desktop; +audio/x-ape=open-in-dvm.desktop; +audio/x-flac=open-in-dvm.desktop; +audio/x-gsm=open-in-dvm.desktop; +audio/x-it=open-in-dvm.desktop; +audio/x-m4a=open-in-dvm.desktop; +audio/x-matroska=open-in-dvm.desktop; +audio/x-mod=open-in-dvm.desktop; +audio/x-mp3=open-in-dvm.desktop; +audio/x-mpeg=open-in-dvm.desktop; +audio/x-mpegurl=open-in-dvm.desktop; +audio/x-ms-asf=open-in-dvm.desktop; +audio/x-ms-asx=open-in-dvm.desktop; +audio/x-ms-wax=open-in-dvm.desktop; +audio/x-ms-wma=open-in-dvm.desktop; +audio/x-musepack=open-in-dvm.desktop; +audio/x-pn-aiff=open-in-dvm.desktop; +audio/x-pn-au=open-in-dvm.desktop; +audio/x-pn-realaudio=open-in-dvm.desktop; +audio/x-pn-realaudio-plugin=open-in-dvm.desktop; +audio/x-pn-wav=open-in-dvm.desktop; +audio/x-pn-windows-acm=open-in-dvm.desktop; +audio/x-realaudio=open-in-dvm.desktop; +audio/x-real-audio=open-in-dvm.desktop; +audio/x-s3m=open-in-dvm.desktop; +audio/x-sbc=open-in-dvm.desktop; +audio/x-scpls=open-in-dvm.desktop; +audio/x-speex=open-in-dvm.desktop; +audio/x-stm=open-in-dvm.desktop; +audio/x-tta=open-in-dvm.desktop; +audio/x-wav=open-in-dvm.desktop; +audio/x-wavpack=open-in-dvm.desktop; +audio/x-vorbis=open-in-dvm.desktop; +audio/x-vorbis+ogg=open-in-dvm.desktop; +audio/x-xm=open-in-dvm.desktop; +image/vnd.rn-realpix=open-in-dvm.desktop; +image/x-pict=open-in-dvm.desktop; +misc/ultravox=open-in-dvm.desktop; +text/google-video-pointer=open-in-dvm.desktop; +text/x-google-video-pointer=open-in-dvm.desktop; +video/3gp=open-in-dvm.desktop; 
+video/3gpp=open-in-dvm.desktop;
+video/dv=open-in-dvm.desktop;
+video/divx=open-in-dvm.desktop;
+video/fli=open-in-dvm.desktop;
+video/flv=open-in-dvm.desktop;
+video/mp2t=open-in-dvm.desktop;
+video/mp4=open-in-dvm.desktop;
+video/mp4v-es=open-in-dvm.desktop;
+video/mpeg=open-in-dvm.desktop;
+video/msvideo=open-in-dvm.desktop;
+video/ogg=open-in-dvm.desktop;
+video/quicktime=open-in-dvm.desktop;
+video/vivo=open-in-dvm.desktop;
+video/vnd.divx=open-in-dvm.desktop;
+video/vnd.mpegurl=open-in-dvm.desktop;
+video/vnd.rn-realvideo=open-in-dvm.desktop;
+video/vnd.vivo=open-in-dvm.desktop;
+video/webm=open-in-dvm.desktop;
+video/x-anim=open-in-dvm.desktop;
+video/x-avi=open-in-dvm.desktop;
+video/x-flc=open-in-dvm.desktop;
+video/x-fli=open-in-dvm.desktop;
+video/x-flic=open-in-dvm.desktop;
+video/x-flv=open-in-dvm.desktop;
+video/x-m4v=open-in-dvm.desktop;
+video/x-matroska=open-in-dvm.desktop;
+video/x-mpeg=open-in-dvm.desktop;
+video/x-mpeg2=open-in-dvm.desktop;
+video/x-ms-asf=open-in-dvm.desktop;
+video/x-ms-asx=open-in-dvm.desktop;
+video/x-msvideo=open-in-dvm.desktop;
+video/x-ms-wm=open-in-dvm.desktop;
+video/x-ms-wmv=open-in-dvm.desktop;
+video/x-ms-wmx=open-in-dvm.desktop;
+video/x-ms-wvx=open-in-dvm.desktop;
+video/x-nsv=open-in-dvm.desktop;
+video/x-ogm+ogg=open-in-dvm.desktop;
+video/x-theora+ogg=open-in-dvm.desktop;
+video/x-totem-stream=open-in-dvm.desktop;
+x-content/video-dvd=open-in-dvm.desktop;
+x-content/video-vcd=open-in-dvm.desktop;
+x-content/video-svcd=open-in-dvm.desktop;
+x-scheme-handler/pnm=open-in-dvm.desktop;
+x-scheme-handler/mms=open-in-dvm.desktop;
+x-scheme-handler/net=open-in-dvm.desktop;
+x-scheme-handler/rtp=open-in-dvm.desktop;
+x-scheme-handler/rtmp=open-in-dvm.desktop;
+x-scheme-handler/rtsp=open-in-dvm.desktop;
+x-scheme-handler/mmsh=open-in-dvm.desktop;
+x-scheme-handler/uvox=open-in-dvm.desktop;
+x-scheme-handler/icy=open-in-dvm.desktop;
+x-scheme-handler/icyx=open-in-dvm.desktop;
+application/x-7z-compressed=open-in-dvm.desktop;
+application/x-7z-compressed-tar=open-in-dvm.desktop;
+application/x-ace=open-in-dvm.desktop;
+application/x-alz=open-in-dvm.desktop;
+application/x-ar=open-in-dvm.desktop;
+application/x-arj=open-in-dvm.desktop;
+application/x-bzip=open-in-dvm.desktop;
+application/x-bzip-compressed-tar=open-in-dvm.desktop;
+application/x-bzip1=open-in-dvm.desktop;
+application/x-bzip1-compressed-tar=open-in-dvm.desktop;
+application/x-cabinet=open-in-dvm.desktop;
+application/x-cbr=open-in-dvm.desktop;
+application/x-cbz=open-in-dvm.desktop;
+application/x-compress=open-in-dvm.desktop;
+application/x-compressed-tar=open-in-dvm.desktop;
+application/x-cpio=open-in-dvm.desktop;
+application/x-deb=open-in-dvm.desktop;
+application/x-ear=open-in-dvm.desktop;
+application/x-ms-dos-executable=open-in-dvm.desktop;
+application/x-gtar=open-in-dvm.desktop;
+application/x-gzip=open-in-dvm.desktop;
+application/x-gzpostscript=open-in-dvm.desktop;
+application/x-java-archive=open-in-dvm.desktop;
+application/x-lha=open-in-dvm.desktop;
+application/x-lhz=open-in-dvm.desktop;
+application/x-lrzip=open-in-dvm.desktop;
+application/x-lrzip-compressed-tar=open-in-dvm.desktop;
+application/x-lzip=open-in-dvm.desktop;
+application/x-lzip-compressed-tar=open-in-dvm.desktop;
+application/x-lzma=open-in-dvm.desktop;
+application/x-lzma-compressed-tar=open-in-dvm.desktop;
+application/x-lzop=open-in-dvm.desktop;
+application/x-lzop-compressed-tar=open-in-dvm.desktop;
+application/x-ms-wim=open-in-dvm.desktop;
+application/x-rar=open-in-dvm.desktop;
+application/x-rar-compressed=open-in-dvm.desktop;
+application/x-rzip=open-in-dvm.desktop;
+application/x-tar=open-in-dvm.desktop;
+application/x-tarz=open-in-dvm.desktop;
+application/x-stuffit=open-in-dvm.desktop;
+application/x-war=open-in-dvm.desktop;
+application/x-xz=open-in-dvm.desktop;
+application/x-xz-compressed-tar=open-in-dvm.desktop;
+application/x-zip=open-in-dvm.desktop;
+application/x-zip-compressed=open-in-dvm.desktop;
+application/x-zoo=open-in-dvm.desktop;
+application/zip=open-in-dvm.desktop;
+application/x-archive=open-in-dvm.desktop;
+application/vnd.ms-cab-compressed=open-in-dvm.desktop;
+application/x-source-rpm=open-in-dvm.desktop;
+image/bmp=open-in-dvm.desktop;
+image/gif=open-in-dvm.desktop;
+image/jpeg=open-in-dvm.desktop;
+image/jpg=open-in-dvm.desktop;
+image/pjpeg=open-in-dvm.desktop;
+image/png=open-in-dvm.desktop;
+image/tiff=open-in-dvm.desktop;
+image/x-bmp=open-in-dvm.desktop;
+image/x-gray=open-in-dvm.desktop;
+image/x-icb=open-in-dvm.desktop;
+image/x-ico=open-in-dvm.desktop;
+image/x-png=open-in-dvm.desktop;
+image/x-portable-anymap=open-in-dvm.desktop;
+image/x-portable-bitmap=open-in-dvm.desktop;
+image/x-portable-graymap=open-in-dvm.desktop;
+image/x-portable-pixmap=open-in-dvm.desktop;
+image/x-xbitmap=open-in-dvm.desktop;
+image/x-xpixmap=open-in-dvm.desktop;
+image/x-pcx=open-in-dvm.desktop;
+image/svg+xml=open-in-dvm.desktop;
+image/svg+xml-compressed=open-in-dvm.desktop;
+image/vnd.wap.wbmp=open-in-dvm.desktop;
diff --git a/workstation-config/mimeapps.list.sd-devices-dvm b/workstation-config/mimeapps.list.sd-devices-dvm
new file mode 100644
index 0000000000..886a600b0e
--- /dev/null
+++ b/workstation-config/mimeapps.list.sd-devices-dvm
@@ -0,0 +1,298 @@
+[Default Applications]
+application/x-sd-export=send-to-usb.desktop;
+application/x-dia-diagram=open-in-dvm.desktop;
+text/x-vcard=open-in-dvm.desktop;
+text/directory=open-in-dvm.desktop;
+text/calendar=open-in-dvm.desktop;
+application/x-cd-image=open-in-dvm.desktop;
+application/x-desktop=open-in-dvm.desktop;
+application/x-raw-disk-image=open-in-dvm.desktop;
+application/x-raw-disk-image-xz-compressed=open-in-dvm.desktop;
+image/x-compressed-xcf=open-in-dvm.desktop;
+image/x-xcf=open-in-dvm.desktop;
+image/x-psd=open-in-dvm.desktop;
+image/x-fits=open-in-dvm.desktop;
+image/bmp=open-in-dvm.desktop;
+image/gif=open-in-dvm.desktop;
+image/x-icb=open-in-dvm.desktop;
+image/x-ico=open-in-dvm.desktop;
+image/x-pcx=open-in-dvm.desktop;
+image/x-portable-anymap=open-in-dvm.desktop;
+image/x-portable-bitmap=open-in-dvm.desktop;
+image/x-portable-graymap=open-in-dvm.desktop;
+image/x-portable-pixmap=open-in-dvm.desktop;
+image/x-xbitmap=open-in-dvm.desktop;
+image/x-xpixmap=open-in-dvm.desktop;
+image/svg+xml=open-in-dvm.desktop;
+application/vnd.ms-word=open-in-dvm.desktop;
+application/vnd.wordperfect=open-in-dvm.desktop;
+application/vnd.sun.xml.writer=open-in-dvm.desktop;
+application/vnd.sun.xml.writer.global=open-in-dvm.desktop;
+application/vnd.sun.xml.writer.template=open-in-dvm.desktop;
+application/vnd.stardivision.writer=open-in-dvm.desktop;
+application/vnd.oasis.opendocument.text=open-in-dvm.desktop;
+application/vnd.oasis.opendocument.text-template=open-in-dvm.desktop;
+application/vnd.oasis.opendocument.text-web=open-in-dvm.desktop;
+application/vnd.oasis.opendocument.text-master=open-in-dvm.desktop;
+application/vnd.openxmlformats-officedocument.wordprocessingml.document=open-in-dvm.desktop;
+application/vnd.openxmlformats-officedocument.wordprocessingml.template=open-in-dvm.desktop;
+application/vnd.ms-excel=open-in-dvm.desktop;
+application/vnd.stardivision.calc=open-in-dvm.desktop;
+application/vnd.sun.xml.calc=open-in-dvm.desktop;
+application/vnd.sun.xml.calc.template=open-in-dvm.desktop;
+application/vnd.openxmlformats-officedocument.spreadsheetml.sheet=open-in-dvm.desktop;
+application/vnd.openxmlformats-officedocument.spreadsheetml.template=open-in-dvm.desktop;
+application/vnd.oasis.opendocument.spreadsheet=open-in-dvm.desktop;
+application/vnd.oasis.opendocument.spreadsheet-template=open-in-dvm.desktop;
+application/vnd.ms-powerpoint=open-in-dvm.desktop;
+application/vnd.stardivision.impress=open-in-dvm.desktop;
+application/vnd.sun.xml.impress=open-in-dvm.desktop;
+application/vnd.sun.xml.impress.template=open-in-dvm.desktop;
+application/vnd.oasis.opendocument.presentation=open-in-dvm.desktop;
+application/vnd.oasis.opendocument.presentation-template=open-in-dvm.desktop;
+application/vnd.openxmlformats-officedocument.presentationml.presentation=open-in-dvm.desktop;
+application/vnd.openxmlformats-officedocument.presentationml.template=open-in-dvm.desktop;
+application/vnd.stardivision.draw=open-in-dvm.desktop;
+application/vnd.sun.xml.draw=open-in-dvm.desktop;
+application/vnd.sun.xml.draw.template=open-in-dvm.desktop;
+application/vnd.oasis.opendocument.graphics=open-in-dvm.desktop;
+application/vnd.oasis.opendocument.graphics-template=open-in-dvm.desktop;
+application/vnd.oasis.opendocument.formula=open-in-dvm.desktop;
+application/vnd.sun.xml.math=open-in-dvm.desktop;
+application/vnd.stardivision.math=open-in-dvm.desktop;
+application/vnd.oasis.opendocument.database=open-in-dvm.desktop;
+application/vnd.sun.xml.base=open-in-dvm.desktop;
+application/pdf=open-in-dvm.desktop;
+application/postscript=open-in-dvm.desktop;
+application/x-qw=open-in-dvm.desktop;
+application/x-gnucash=open-in-dvm.desktop;
+application/vnd.lotus-1-2-3=open-in-dvm.desktop;
+application/x-oleo=open-in-dvm.desktop;
+application/x-gnumeric=open-in-dvm.desktop;
+application/x-xbase=open-in-dvm.desktop;
+application/x-abiword=open-in-dvm.desktop;
+application/x-dvi=open-in-dvm.desktop;
+application/x-catalog=open-in-dvm.desktop;
+application/x-rpm=open-in-dvm.desktop;
+text/csv=open-in-dvm.desktop;
+text/plain=open-in-dvm.desktop;
+text/html=open-in-dvm.desktop;
+application/xhtml+xml=open-in-dvm.desktop;
+inode/directory=open-in-dvm.desktop;
+x-content/blank-cd=open-in-dvm.desktop;
+x-content/blank-dvd=open-in-dvm.desktop;
+x-content/blank-bd=open-in-dvm.desktop;
+x-content/blank-hddvd=open-in-dvm.desktop;
+x-content/video-dvd=open-in-dvm.desktop;
+x-content/video-vcd=open-in-dvm.desktop;
+x-content/video-svcd=open-in-dvm.desktop;
+#x-content/video-bluray=open-in-dvm.desktop;
+#x-content/video-hddvd=open-in-dvm.desktop;
+x-content/audio-cdda=open-in-dvm.desktop;
+x-content/audio-dvd=open-in-dvm.desktop;
+x-content/audio-player=open-in-dvm.desktop;
+x-content/image-dcf=open-in-dvm.desktop;
+x-content/image-picturecd=open-in-dvm.desktop;
+# URI scheme handlers
+x-scheme-handler/mailto=open-in-dvm.desktop;
+x-scheme-handler/http=open-in-dvm.desktop;
+x-scheme-handler/https=open-in-dvm.desktop;
+application/mxf=open-in-dvm.desktop;
+application/ogg=open-in-dvm.desktop;
+application/ram=open-in-dvm.desktop;
+application/sdp=open-in-dvm.desktop;
+application/smil=open-in-dvm.desktop;
+application/smil+xml=open-in-dvm.desktop;
+application/vnd.apple.mpegurl=open-in-dvm.desktop;
+application/vnd.ms-wpl=open-in-dvm.desktop;
+application/vnd.rn-realmedia=open-in-dvm.desktop;
+application/x-extension-m4a=open-in-dvm.desktop;
+application/x-extension-mp4=open-in-dvm.desktop;
+application/x-flac=open-in-dvm.desktop;
+application/x-flash-video=open-in-dvm.desktop;
+application/x-matroska=open-in-dvm.desktop;
+application/x-netshow-channel=open-in-dvm.desktop;
+application/x-ogg=open-in-dvm.desktop;
+application/x-quicktime-media-link=open-in-dvm.desktop;
+application/x-quicktimeplayer=open-in-dvm.desktop;
+application/x-shorten=open-in-dvm.desktop;
+application/x-smil=open-in-dvm.desktop;
+application/xspf+xml=open-in-dvm.desktop;
+audio/3gpp=open-in-dvm.desktop;
+audio/ac3=open-in-dvm.desktop;
+audio/AMR=open-in-dvm.desktop;
+audio/AMR-WB=open-in-dvm.desktop;
+audio/basic=open-in-dvm.desktop;
+audio/midi=open-in-dvm.desktop;
+audio/mp2=open-in-dvm.desktop;
+audio/mp4=open-in-dvm.desktop;
+audio/mpeg=open-in-dvm.desktop;
+audio/mpegurl=open-in-dvm.desktop;
+audio/ogg=open-in-dvm.desktop;
+audio/prs.sid=open-in-dvm.desktop;
+audio/vnd.rn-realaudio=open-in-dvm.desktop;
+audio/x-aiff=open-in-dvm.desktop;
+audio/x-ape=open-in-dvm.desktop;
+audio/x-flac=open-in-dvm.desktop;
+audio/x-gsm=open-in-dvm.desktop;
+audio/x-it=open-in-dvm.desktop;
+audio/x-m4a=open-in-dvm.desktop;
+audio/x-matroska=open-in-dvm.desktop;
+audio/x-mod=open-in-dvm.desktop;
+audio/x-mp3=open-in-dvm.desktop;
+audio/x-mpeg=open-in-dvm.desktop;
+audio/x-mpegurl=open-in-dvm.desktop;
+audio/x-ms-asf=open-in-dvm.desktop;
+audio/x-ms-asx=open-in-dvm.desktop;
+audio/x-ms-wax=open-in-dvm.desktop;
+audio/x-ms-wma=open-in-dvm.desktop;
+audio/x-musepack=open-in-dvm.desktop;
+audio/x-pn-aiff=open-in-dvm.desktop;
+audio/x-pn-au=open-in-dvm.desktop;
+audio/x-pn-realaudio=open-in-dvm.desktop;
+audio/x-pn-realaudio-plugin=open-in-dvm.desktop;
+audio/x-pn-wav=open-in-dvm.desktop;
+audio/x-pn-windows-acm=open-in-dvm.desktop;
+audio/x-realaudio=open-in-dvm.desktop;
+audio/x-real-audio=open-in-dvm.desktop;
+audio/x-s3m=open-in-dvm.desktop;
+audio/x-sbc=open-in-dvm.desktop;
+audio/x-scpls=open-in-dvm.desktop;
+audio/x-speex=open-in-dvm.desktop;
+audio/x-stm=open-in-dvm.desktop;
+audio/x-tta=open-in-dvm.desktop;
+audio/x-wav=open-in-dvm.desktop;
+audio/x-wavpack=open-in-dvm.desktop;
+audio/x-vorbis=open-in-dvm.desktop;
+audio/x-vorbis+ogg=open-in-dvm.desktop;
+audio/x-xm=open-in-dvm.desktop;
+image/vnd.rn-realpix=open-in-dvm.desktop;
+image/x-pict=open-in-dvm.desktop;
+misc/ultravox=open-in-dvm.desktop;
+text/google-video-pointer=open-in-dvm.desktop;
+text/x-google-video-pointer=open-in-dvm.desktop;
+video/3gp=open-in-dvm.desktop;
+video/3gpp=open-in-dvm.desktop;
+video/dv=open-in-dvm.desktop;
+video/divx=open-in-dvm.desktop;
+video/fli=open-in-dvm.desktop;
+video/flv=open-in-dvm.desktop;
+video/mp2t=open-in-dvm.desktop;
+video/mp4=open-in-dvm.desktop;
+video/mp4v-es=open-in-dvm.desktop;
+video/mpeg=open-in-dvm.desktop;
+video/msvideo=open-in-dvm.desktop;
+video/ogg=open-in-dvm.desktop;
+video/quicktime=open-in-dvm.desktop;
+video/vivo=open-in-dvm.desktop;
+video/vnd.divx=open-in-dvm.desktop;
+video/vnd.mpegurl=open-in-dvm.desktop;
+video/vnd.rn-realvideo=open-in-dvm.desktop;
+video/vnd.vivo=open-in-dvm.desktop;
+video/webm=open-in-dvm.desktop;
+video/x-anim=open-in-dvm.desktop;
+video/x-avi=open-in-dvm.desktop;
+video/x-flc=open-in-dvm.desktop;
+video/x-fli=open-in-dvm.desktop;
+video/x-flic=open-in-dvm.desktop;
+video/x-flv=open-in-dvm.desktop;
+video/x-m4v=open-in-dvm.desktop;
+video/x-matroska=open-in-dvm.desktop;
+video/x-mpeg=open-in-dvm.desktop;
+video/x-mpeg2=open-in-dvm.desktop;
+video/x-ms-asf=open-in-dvm.desktop;
+video/x-ms-asx=open-in-dvm.desktop;
+video/x-msvideo=open-in-dvm.desktop;
+video/x-ms-wm=open-in-dvm.desktop;
+video/x-ms-wmv=open-in-dvm.desktop;
+video/x-ms-wmx=open-in-dvm.desktop;
+video/x-ms-wvx=open-in-dvm.desktop;
+video/x-nsv=open-in-dvm.desktop;
+video/x-ogm+ogg=open-in-dvm.desktop;
+video/x-theora+ogg=open-in-dvm.desktop;
+video/x-totem-stream=open-in-dvm.desktop;
+x-content/video-dvd=open-in-dvm.desktop;
+x-content/video-vcd=open-in-dvm.desktop;
+x-content/video-svcd=open-in-dvm.desktop;
+x-scheme-handler/pnm=open-in-dvm.desktop;
+x-scheme-handler/mms=open-in-dvm.desktop;
+x-scheme-handler/net=open-in-dvm.desktop;
+x-scheme-handler/rtp=open-in-dvm.desktop;
+x-scheme-handler/rtmp=open-in-dvm.desktop;
+x-scheme-handler/rtsp=open-in-dvm.desktop;
+x-scheme-handler/mmsh=open-in-dvm.desktop;
+x-scheme-handler/uvox=open-in-dvm.desktop;
+x-scheme-handler/icy=open-in-dvm.desktop;
+x-scheme-handler/icyx=open-in-dvm.desktop;
+application/x-7z-compressed=open-in-dvm.desktop;
+application/x-7z-compressed-tar=open-in-dvm.desktop;
+application/x-ace=open-in-dvm.desktop;
+application/x-alz=open-in-dvm.desktop;
+application/x-ar=open-in-dvm.desktop;
+application/x-arj=open-in-dvm.desktop;
+application/x-bzip=open-in-dvm.desktop;
+application/x-bzip-compressed-tar=open-in-dvm.desktop;
+application/x-bzip1=open-in-dvm.desktop;
+application/x-bzip1-compressed-tar=open-in-dvm.desktop;
+application/x-cabinet=open-in-dvm.desktop;
+application/x-cbr=open-in-dvm.desktop;
+application/x-cbz=open-in-dvm.desktop;
+application/x-compress=open-in-dvm.desktop;
+application/x-compressed-tar=open-in-dvm.desktop;
+application/x-cpio=open-in-dvm.desktop;
+application/x-deb=open-in-dvm.desktop;
+application/x-ear=open-in-dvm.desktop;
+application/x-ms-dos-executable=open-in-dvm.desktop;
+application/x-gtar=open-in-dvm.desktop;
+application/x-gzip=open-in-dvm.desktop;
+application/x-gzpostscript=open-in-dvm.desktop;
+application/x-java-archive=open-in-dvm.desktop;
+application/x-lha=open-in-dvm.desktop;
+application/x-lhz=open-in-dvm.desktop;
+application/x-lrzip=open-in-dvm.desktop;
+application/x-lrzip-compressed-tar=open-in-dvm.desktop;
+application/x-lzip=open-in-dvm.desktop;
+application/x-lzip-compressed-tar=open-in-dvm.desktop;
+application/x-lzma=open-in-dvm.desktop;
+application/x-lzma-compressed-tar=open-in-dvm.desktop;
+application/x-lzop=open-in-dvm.desktop;
+application/x-lzop-compressed-tar=open-in-dvm.desktop;
+application/x-ms-wim=open-in-dvm.desktop;
+application/x-rar=open-in-dvm.desktop;
+application/x-rar-compressed=open-in-dvm.desktop;
+application/x-rzip=open-in-dvm.desktop;
+application/x-tar=open-in-dvm.desktop;
+application/x-tarz=open-in-dvm.desktop;
+application/x-stuffit=open-in-dvm.desktop;
+application/x-war=open-in-dvm.desktop;
+application/x-xz=open-in-dvm.desktop;
+application/x-xz-compressed-tar=open-in-dvm.desktop;
+application/x-zip=open-in-dvm.desktop;
+application/x-zip-compressed=open-in-dvm.desktop;
+application/x-zoo=open-in-dvm.desktop;
+application/zip=open-in-dvm.desktop;
+application/x-archive=open-in-dvm.desktop;
+application/vnd.ms-cab-compressed=open-in-dvm.desktop;
+application/x-source-rpm=open-in-dvm.desktop;
+image/bmp=open-in-dvm.desktop;
+image/gif=open-in-dvm.desktop;
+image/jpeg=open-in-dvm.desktop;
+image/jpg=open-in-dvm.desktop;
+image/pjpeg=open-in-dvm.desktop;
+image/png=open-in-dvm.desktop;
+image/tiff=open-in-dvm.desktop;
+image/x-bmp=open-in-dvm.desktop;
+image/x-gray=open-in-dvm.desktop;
+image/x-icb=open-in-dvm.desktop;
+image/x-ico=open-in-dvm.desktop;
+image/x-png=open-in-dvm.desktop;
+image/x-portable-anymap=open-in-dvm.desktop;
+image/x-portable-bitmap=open-in-dvm.desktop;
+image/x-portable-graymap=open-in-dvm.desktop;
+image/x-portable-pixmap=open-in-dvm.desktop;
+image/x-xbitmap=open-in-dvm.desktop;
+image/x-xpixmap=open-in-dvm.desktop;
+image/x-pcx=open-in-dvm.desktop;
+image/svg+xml=open-in-dvm.desktop;
+image/svg+xml-compressed=open-in-dvm.desktop;
+image/vnd.wap.wbmp=open-in-dvm.desktop;
diff --git a/workstation-config/mimeapps.list.sd-viewer b/workstation-config/mimeapps.list.sd-viewer
new file mode 100644
index 0000000000..00a680e68c
--- /dev/null
+++ b/workstation-config/mimeapps.list.sd-viewer
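Review bot: The sd-devices-dvm list has no entry for `application/msword`, `application/vnd.rar` or `image/vnd.djvu`, although the sd-viewer list added in this commit names a viewer for each of them; the Word entry here is spelled `application/vnd.ms-word` instead. A file detected as one of those types would presumably fall through to whatever default the VM otherwise has rather than to `open-in-dvm.desktop`, so I would add `application/msword=open-in-dvm.desktop;` and the matching lines for the other two. Because the list works by enumeration, any type it misses is handled outside the disposable-VM path; a `#` comment at the top saying so, and that the list must stay a superset of the sd-viewer one, would help the next editor. Several keys also appear twice in the group (`image/bmp`, `image/gif`, `x-content/video-dvd`), which is harmless while the values agree but makes a later single-line edit easy to get wrong.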
@@ -0,0 +1,32 @@
+[Default Applications]
+text/plain=org.gnome.gedit.desktop
+text/csv=libreoffice-base.desktop
+application/vnd.oasis.opendocument.text=libreoffice-base.desktop
+application/vnd.oasis.opendocument.spreadsheet=libreoffice-base.desktop
+application/vnd.oasis.opendocument.presentation=libreoffice-base.desktop
+application/msword=libreoffice-base.desktop
+application/vnd.ms-excel=libreoffice-base.desktop
+application/vnd.ms-powerpoint=libreoffice-base.desktop
+application/vnd.openxmlformats-officedocument.wordprocessingml.document=libreoffice-base.desktop
+application/vnd.openxmlformats-officedocument.spreadsheetml.sheet=libreoffice-base.desktop
+application/vnd.openxmlformats-officedocument.presentationml.presentation=libreoffice-base.desktop
+application/pdf=org.gnome.Evince.desktop
+application/x-desktop=org.gnome.gedit.desktop
+audio/mp4=audacious.desktop
+audio/mpeg=audacious.desktop
+audio/x-vorbis+ogg=audacious.desktop
+audio/x-wav=audacious.desktop
+video/quicktime=org.gnome.Totem.desktop
+video/x-theora+ogg=org.gnome.Totem.desktop
+video/mp4=org.gnome.Totem.desktop
+video/x-msvideo=org.gnome.Totem.desktop
+video/x-ms-wmv=org.gnome.Totem.desktop
+image/jpeg=org.gnome.eog.desktop
+image/gif=org.gnome.eog.desktop
+image/tiff=org.gnome.Evince.desktop
+image/png=org.gnome.eog.desktop
+image/svg+xml=org.gnome.eog.desktop
+image/vnd.djvu=org.gnome.Evince.desktop
+application/vnd.rar=org.gnome.FileRoller.desktop
+application/zip=org.gnome.FileRoller.desktop
+application/x-7z-compressed=org.gnome.FileRoller.desktop
diff --git a/workstation-config/open-in-dvm.desktop b/workstation-config/open-in-dvm.desktop
new file mode 100644
index 0000000000..a3aaad78e1
--- /dev/null
+++ b/workstation-config/open-in-dvm.desktop
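Review bot: Every office format in this list, from `text/csv` through the word-processing, spreadsheet and presentation types, is bound to `libreoffice-base.desktop`, which is the launcher name LibreOffice uses for its database component. If that entry is not installed in sd-viewer the association is skipped and some other default applies, so it is worth confirming that this is the intended launcher rather than, for example, `libreoffice-writer.desktop`, `libreoffice-calc.desktop` and `libreoffice-impress.desktop`. The `application/x-desktop=org.gnome.gedit.desktop` line deserves a comment such as `# show .desktop files as text, never launch them`, so that nobody later "fixes" it to a launcher.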
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Type=Application
+Version=1.0
+Name=Open in Disposable VM
+Comment=Open file in a Disposable VM
+TryExec=/usr/bin/qvm-open-in-vm
+Exec=/usr/bin/qvm-open-in-vm --view-only @dispvm:sd-viewer %f
+Icon=/usr/share/icons/Qubes/dispvm-gray.png
+Terminal=false
+Categories=Utility
diff --git a/workstation-config/paxctld.conf b/workstation-config/paxctld.conf
new file mode 100644
index 0000000000..b41b399ff8
--- /dev/null
+++ b/workstation-config/paxctld.conf
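Review bot: The `Exec` line passes its argument with `%f`, which the Desktop Entry specification defines as a single local file, yet the DVM mimeapps lists in this commit register this entry for `x-scheme-handler/http`, `https`, `mailto` and several streaming schemes. How a launcher expands `%f` for a URI is implementation-dependent, so links opened in those VMs may not reach `sd-viewer` the way files do. I would either drop the scheme-handler lines from the lists or route them through a separate entry that uses `%u`, and record the choice here with a comment such as `# %f: local files only; URI schemes are not routed through this entry`. A second comment noting that `--view-only` keeps a modified copy from being returned to the calling VM would stop the flag from being removed as cosmetic.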
@@ -0,0 +1,117 @@
+# This file was provisioned via securedrop-workstation-svs-disp
+# grub
+
+/usr/bin/grub-script-check E
+/usr/bin/grub-bios-setup E
+/usr/sbin/grub-mkdevicemap E
+/usr/sbin/grub-probe E
+
+# qemu
+/usr/bin/qemu-alpha m
+/usr/bin/qemu-arm m
+/usr/bin/qemu-armeb m
+/usr/bin/qemu-cris m
+/usr/bin/qemu-i386 m
+/usr/bin/qemu-m68k m
+/usr/bin/qemu-microblaze m
+/usr/bin/qemu-microblazeel m
+/usr/bin/qemu-mips m
+/usr/bin/qemu-mips64 m
+/usr/bin/qemu-mips64el m
+/usr/bin/qemu-mipsel m
+/usr/bin/qemu-mipsn32 m
+/usr/bin/qemu-mipsn32el m
+/usr/bin/qemu-or32 m
+/usr/bin/qemu-ppc m
+/usr/bin/qemu-ppc64 m
+/usr/bin/qemu-ppc64abi32 m
+/usr/bin/qemu-s390x m
+/usr/bin/qemu-sh4 m
+/usr/bin/qemu-sh4eb m
+/usr/bin/qemu-sparc m
+/usr/bin/qemu-sparc32plus m
+/usr/bin/qemu-sparc64 m
+/usr/bin/qemu-unicore32 m
+/usr/bin/qemu-x86_64 m
+
+/usr/bin/qemu-system-aarch64 m
+/usr/bin/qemu-system-alpha m
+/usr/bin/qemu-system-arm m
+/usr/bin/qemu-system-cris m
+/usr/bin/qemu-system-i386 m
+/usr/bin/qemu-system-lm32 m
+/usr/bin/qemu-system-m68k m
+/usr/bin/qemu-system-microblaze m
+/usr/bin/qemu-system-microblazeel m
+/usr/bin/qemu-system-mips m
+/usr/bin/qemu-system-mips64 m
+/usr/bin/qemu-system-mips64el m
+/usr/bin/qemu-system-mipsel m
+/usr/bin/qemu-system-moxie m
+/usr/bin/qemu-system-or32 m
+/usr/bin/qemu-system-ppc m
+/usr/bin/qemu-system-ppc64 m
+/usr/bin/qemu-system-ppcemb m
+/usr/bin/qemu-system-s390x m
+/usr/bin/qemu-system-sh4 m
+/usr/bin/qemu-system-sh4eb m
+/usr/bin/qemu-system-sparc m
+/usr/bin/qemu-system-sparc64 m
+/usr/bin/qemu-system-unicore32 m
+/usr/bin/qemu-system-x86_64 m
+/usr/bin/qemu-system-xtensa m
+/usr/bin/qemu-system-xtensaeb m
+
+# skype
+/usr/lib/skype/skype m
+/usr/lib32/skype/skype m
+
+# steam
+/usr/lib32/ld-linux.so.2 m
+
+# node
+/usr/bin/node m
+
+# chrome
+/opt/google/chrome/chrome-sandbox m
+/opt/google/chrome/nacl_helper m
+/opt/google/chrome/chrome m
+
+# chromium
+/usr/lib/chromium-browser/chromium-browser m
+
+# firefox
+/usr/lib/firefox/firefox m
+/usr/lib/firefox/plugin-container m
+
+# webapp-container
+/usr/bin/webapp-container m
+
+# oxide
+/usr/lib/x86_64-linux-gnu/oxide-qt/oxide-renderer m
+
+# valgrind
+/usr/bin/valgrind m
+
+# python
+/usr/bin/python2.7 E
+/usr/bin/python3.5 E
+
+# java
+/usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/java m
+/usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/javaws m
+/usr/lib/jvm/java-6-openjdk/jre/bin/java m
+/usr/lib/jvm/java-6-openjdk/jre/bin/java m
+/usr/lib/jvm/java-8-openjdk/jre/bin/java m
+/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java m
+# openrc
+/lib/rc/bin/lsb2rcconf E
+
+# libreoffice
+# Ubuntu doesn't seem to carry this patch:
+# https://bz.apache.org/ooo/show_bug.cgi?id=80816
+# libreoffice will still run fine without the below line,
+# but it will report an RWX mprotect attempt
+# /usr/lib/libreoffice/program/soffice.bin m
+
+/usr/bin/totem m
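Review bot: The exemption list reads like a distribution's stock paxctld.conf carried over whole: it switches MPROTECT off (`m`) for Skype, Chrome, Firefox, Node, old JVMs, every qemu target and, under the steam heading, `/usr/lib32/ld-linux.so.2`, none of which a document-viewing VM is likely to ship. Each `m` line is a standing relaxation of the RWX-mapping restriction for that path, so I would trim the file to the binaries actually installed in the VM and justify each remaining line in a comment. That applies most to the final `/usr/bin/totem m`, since the sd-viewer list in this commit opens submitted video with Totem. The interpreter lines pin `/usr/bin/python2.7` and `/usr/bin/python3.5`, which probably do not match the interpreter on the bullseye build this commit targets, and the `java-6-openjdk` line is listed twice. The header still names `securedrop-workstation-svs-disp`; if that name is obsolete it should name the package that now installs the file.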