Skip to content

Commit

Permalink
Use paxctl for Xenial, paxctld for Focal
Browse files Browse the repository at this point in the history
Continues to use paxctld under Xenial, same as always, but removes any
use of it under Focal, where paxctld is already preferred.

Updated the tests accordingly. Removes an unused (xfail) paxctl test,
since it wasn't running anyway. Preserved the "paxctld" dependency for
securedrop-app-code, since the postinst logic still uses it. We can
remove that after OS migration.

Removes mention of the 4.14.x kernel series for Focal, as well, since we
don't plan to support that series post-Xenial.
  • Loading branch information
Conor Schaefer committed Feb 22, 2021
1 parent 33f94c9 commit ae46ad9
Show file tree
Hide file tree
Showing 4 changed files with 41 additions and 29 deletions.
2 changes: 1 addition & 1 deletion install_files/ansible-base/group_vars/all/securedrop
Original file line number Diff line number Diff line change
Expand Up @@ -44,4 +44,4 @@ securedrop_pkg_grsec_xenial:

securedrop_pkg_grsec_focal:
ver: "5.4.97"
depends: "linux-image-5.4.97-grsec-securedrop,linux-image-4.14.188-grsec-securedrop,intel-microcode"
depends: "linux-image-5.4.97-grsec-securedrop,intel-microcode"
1 change: 1 addition & 0 deletions install_files/ansible-base/roles/grsecurity/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@
- include: check_installation.yml

- include: paxctl.yml
when: ansible_distribution_release == "xenial"
tags:
- paxctl
- kernel
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -115,3 +115,6 @@
# /usr/lib/libreoffice/program/soffice.bin m

/usr/bin/totem m

# Disable memprotect for Apache, see 4110 for context.
/usr/sbin/apache2 m
64 changes: 36 additions & 28 deletions molecule/testinfra/common/test_grsecurity.py
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@ def test_ssh_motd_disabled(host):

@pytest.mark.parametrize("package", [
'linux-image-{}-grsec-securedrop',
'paxctl',
'securedrop-grsec',
])
def test_grsecurity_apt_packages(host, package):
Expand Down Expand Up @@ -155,49 +154,58 @@ def test_apt_autoremove(host):
assert "The following packages will be REMOVED" not in c.stdout


@pytest.mark.xfail(reason="PaX flags unset at install time, see issue #3916")
@pytest.mark.parametrize("binary", [
"/usr/sbin/grub-probe",
"/usr/sbin/grub-mkdevicemap",
"/usr/bin/grub-script-check",
])
def test_pax_flags(host, binary):
def test_paxctl(host):
"""
Ensure PaX flags are set correctly on critical Grub binaries.
These flags are maintained as part of a post-install kernel hook
in the `securedrop-grsec` metapackage. If they aren't set correctly,
the machine may fail to boot into a new kernel.
As of Focal, paxctl is not used, and shouldn't be installed.
"""
p = host.package("paxctl")
if host.system_info.codename == "xenial":
assert p.is_installed
else:
assert not p.is_installed

f = host.file("/etc/kernel/postinst.d/paxctl-grub")
assert f.is_file
assert f.contains("^paxctl -zCE {}".format(binary))

c = host.run("paxctl -v {}".format(binary))
assert c.rc == 0
def test_paxctld_xenial(host):
"""
Xenial-specific paxctld config checks.
"""
if host.system_info.codename != "xenial":
return True
hostname = host.ansible.get_variables()["inventory_hostname"]
# Under Xenial, apache2 pax flags managed by securedrop-app-code.
if "app" not in hostname:
return True

assert host.package("paxctld").is_installed
f = host.file("/etc/paxctld.conf")
assert f.is_file
assert f.contains("^/usr/sbin/apache2\tm")

assert "- PaX flags: --------E--- [{}]".format(binary) in c.stdout
assert "EMUTRAMP is enabled" in c.stdout
# Tracking regressions; previous versions of the Ansible config set
# the "p" and "m" flags.
assert "PAGEEXEC is disabled" not in c.stdout
assert "MPROTECT is disabled" not in c.stdout
s = host.service("paxctld")
assert s.is_enabled
assert s.is_running


def test_paxctld(host):
"""
Ensures that paxctld is configured and running. Only relevant
for Focal hosts.
Ensures paxctld is running and enabled, and relevant
exemptions are present in the config file.
"""
if host.system_info.codename == "xenial":
if host.system_info.codename != "focal":
return True
assert f.contains("^/usr/sbin/apache2\tm")

assert host.package("paxctld").is_installed
assert host.file("/etc/paxctld.conf").is_file
assert host.file("/opt/securedrop/paxctld.conf").is_file
f = host.file("/etc/paxctld.conf")
assert f.is_file
assert f.contains("^/usr/sbin/apache2\tm")

s = host.service("paxctld")
assert s.is_enabled
assert s.is_running

assert host.file("/opt/securedrop/paxctld.conf").is_file


@pytest.mark.parametrize('kernel_opts', [
'WLAN',
Expand Down

0 comments on commit ae46ad9

Please sign in to comment.