From 8c4430c93b734adc54aac7180d77d2bd077447cd Mon Sep 17 00:00:00 2001
From: mickael e
Date: Thu, 4 Feb 2021 14:47:29 -0500
Subject: [PATCH] Bump securedrop-grsec-focal metapackage to 5.4.88

This will pull in and install 5.4 series kernels for Focal installs, thanks to the split metapackage logic introduced in #5691
---
 .../ansible-base/group_vars/all/securedrop | 6 +++++-
 .../securedrop-grsec-focal/DEBIAN/control.j2 | 4 ++--
 .../securedrop-grsec-focal/DEBIAN/postinst.j2 | 2 +-
 install_files/securedrop-grsec/DEBIAN/control.j2 | 4 ++--
 .../tests/test_securedrop_deb_package.py | 15 +++++++++++----
 molecule/builder-xenial/tests/vars.yml | 3 ++-
 6 files changed, 23 insertions(+), 11 deletions(-)
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index 622a1bb88d5..bd7bfc364a1 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -38,6 +38,10 @@ enable_ssh_over_tor: true
 securedrop_cond_reboot_file: /tmp/sd-reboot-now
 # If you bump this, also remember to bump in molecule/builder-xenial/tests/vars.yml
-securedrop_pkg_grsec:
+securedrop_pkg_grsec_xenial:
 ver: "4.14.188"
 depends: "linux-image-4.14.188-grsec-securedrop,linux-image-4.14.175-grsec-securedrop,intel-microcode"
+
+securedrop_pkg_grsec_focal:
+ ver: "5.4.88"
+ depends: "linux-image-5.4.88-grsec-securedrop,linux-image-4.14.188-grsec-securedrop,intel-microcode"
diff --git a/install_files/securedrop-grsec-focal/DEBIAN/control.j2 b/install_files/securedrop-grsec-focal/DEBIAN/control.j2
index 3baeac8f04e..b168512643c 100644
--- a/install_files/securedrop-grsec-focal/DEBIAN/control.j2
+++ b/install_files/securedrop-grsec-focal/DEBIAN/control.j2
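Review bot: The reminder comment above `securedrop_pkg_grsec_xenial` still names only one value to keep in sync, while the new `securedrop_pkg_grsec_focal` block has the same coupling to `grsec_version_focal` in molecule/builder-xenial/tests/vars.yml and carries no comment at all. I would repeat the reminder above the focal block, e.g. `# If you bump this, also bump grsec_version_focal in molecule/builder-xenial/tests/vars.yml`. The focal `depends` also keeps `linux-image-4.14.188-grsec-securedrop` next to the 5.4.88 image; if that is meant as a fallback kernel (my assumption, the hunk does not say), a one-line comment stating so would keep a later bump from dropping or retaining it by accident. Any reference to the old `securedrop_pkg_grsec` name outside the files in this patch would now be undefined, so a repo-wide search for it is worth doing before merge.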
@@ -1,9 +1,9 @@
 Package: securedrop-grsec
 Source: securedrop-grsec
-Version: {{ securedrop_pkg_grsec.ver }}+{{ securedrop_target_distribution }}
+Version: {{ securedrop_pkg_grsec_focal.ver }}+{{ securedrop_target_distribution }}
 Architecture: amd64
 Maintainer: SecureDrop Team
-Depends: {{ securedrop_pkg_grsec.depends }},paxctld
+Depends: {{ securedrop_pkg_grsec_focal.depends }},paxctld
 Section: admin
 Priority: optional
 Homepage: https://securedrop.org
diff --git a/install_files/securedrop-grsec-focal/DEBIAN/postinst.j2 b/install_files/securedrop-grsec-focal/DEBIAN/postinst.j2
index cbd77f46ca9..6d251e9b03d 100755
--- a/install_files/securedrop-grsec-focal/DEBIAN/postinst.j2
+++ b/install_files/securedrop-grsec-focal/DEBIAN/postinst.j2
@@ -17,7 +17,7 @@ set -x
 # the debian-policy package
 # Pin current version of custom kernel
-GRSEC_VERSION="{{ securedrop_pkg_grsec.ver }}-grsec-securedrop"
+GRSEC_VERSION="{{ securedrop_pkg_grsec_focal.ver }}-grsec-securedrop"
 # Sets default grub boot parameter to the kernel version specified
 # by $GRSEC_VERSION.
diff --git a/install_files/securedrop-grsec/DEBIAN/control.j2 b/install_files/securedrop-grsec/DEBIAN/control.j2
index 35912543d10..3b8b839b5b3 100644
--- a/install_files/securedrop-grsec/DEBIAN/control.j2
+++ b/install_files/securedrop-grsec/DEBIAN/control.j2
@@ -1,9 +1,9 @@
 Package: securedrop-grsec
 Source: securedrop-grsec
-Version: {{ securedrop_pkg_grsec.ver }}+{{ securedrop_target_distribution }}
+Version: {{ securedrop_pkg_grsec_xenial.ver }}+{{ securedrop_target_distribution }}
 Architecture: amd64
 Maintainer: SecureDrop Team
-Depends: {{ securedrop_pkg_grsec.depends }}
+Depends: {{ securedrop_pkg_grsec_xenial.depends }}
 Section: admin
 Priority: optional
 Homepage: https://securedrop.org
diff --git a/molecule/builder-xenial/tests/test_securedrop_deb_package.py b/molecule/builder-xenial/tests/test_securedrop_deb_package.py
index 7685f7c42be..4def03520cb 100644
--- a/molecule/builder-xenial/tests/test_securedrop_deb_package.py
+++ b/molecule/builder-xenial/tests/test_securedrop_deb_package.py
@@ -61,10 +61,17 @@ def make_deb_paths() -> Dict[str, Path]:
 Jinja-based evaluation of the YAML files (so we can't trivially reuse vars in other var values, as is the case with Ansible).
 """
- grsec_version = "{}+{}".format(
- securedrop_test_vars["grsec_version"],
- SECUREDROP_TARGET_DISTRIBUTION
- )
+
+ if SECUREDROP_TARGET_DISTRIBUTION == "xenial":
+ grsec_version = "{}+{}".format(
+ securedrop_test_vars["grsec_version_xenial"],
+ SECUREDROP_TARGET_DISTRIBUTION
+ )
+ else:
+ grsec_version = "{}+{}".format(
+ securedrop_test_vars["grsec_version_focal"],
+ SECUREDROP_TARGET_DISTRIBUTION
+ )
 substitutions = dict(
 securedrop_version=securedrop_test_vars["securedrop_version"],
diff --git a/molecule/builder-xenial/tests/vars.yml b/molecule/builder-xenial/tests/vars.yml
index 01f17decaf1..e812b0e5509 100644
--- a/molecule/builder-xenial/tests/vars.yml
+++ b/molecule/builder-xenial/tests/vars.yml
@@ -3,7 +3,8 @@ securedrop_version: "1.8.0~rc1"
 ossec_version: "3.6.0"
 keyring_version: "0.1.4"
 config_version: "0.1.3"
-grsec_version: "4.14.188"
+grsec_version_xenial: "4.14.188"
+grsec_version_focal: "5.4.88"
 # These values will be interpolated with values populated above
 # via helper functions in the tests.
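Review bot: The `else:` branch in the test_securedrop_deb_package.py hunk selects `grsec_version_focal` for every value of `SECUREDROP_TARGET_DISTRIBUTION` other than "xenial", so a mistyped or future distribution name would silently be checked against the focal kernel version instead of failing. Deriving the key from the distribution removes the duplicated `format` call and turns an unknown name into a KeyError: `grsec_key = "grsec_version_{}".format(SECUREDROP_TARGET_DISTRIBUTION)` followed by `grsec_version = "{}+{}".format(securedrop_test_vars[grsec_key], SECUREDROP_TARGET_DISTRIBUTION)`. The docstring just above the change could also say that the grsec version is now chosen per distribution. `make_deb_paths` begins before and continues after this hunk, so how `grsec_version` is consumed is not visible here.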