diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index 87d6091484..a24f613004 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -53,5 +53,5 @@ securedrop_cond_reboot_file: /tmp/sd-reboot-now
 # If you bump this, also remember to bump in molecule/builder/tests/vars.yml
 securedrop_pkg_grsec:
- ver: "4.4.144"
+ ver: "4.4.144-1"
 depends: "linux-image-3.14.79-grsec,linux-image-4.4.135-grsec,linux-firmware-image-4.4.135-grsec,linux-image-4.4.144-grsec,linux-firmware-image-4.4.144-grsec"
diff --git a/install_files/securedrop-grsec/DEBIAN/postinst b/install_files/securedrop-grsec/DEBIAN/postinst
index 48971c0648..526883bb00 100755
--- a/install_files/securedrop-grsec/DEBIAN/postinst
+++ b/install_files/securedrop-grsec/DEBIAN/postinst
@@ -19,16 +19,11 @@ set -x
 case "$1" in
 configure)
- # If the SecureDrop instance is running a rolled-back kernel, this will
- # preserve the kernel boot priority specfied in its ordinal form by the
- # canonical form. (In this specific case, 1>2 as GRUB_DEFAULT in
- # /etc/default/grub indicates the instance is running 3.14.79-grsec)
- # In any other case, we want to run the latest 4.4 series kernel.
- if grep -qE "^GRUB_DEFAULT=[\"\' ]*1>2[\"\' ]*$" /etc/default/grub; then
- sed -i "s/^\(GRUB_DEFAULT=\)[\"\' ]*1>2[\"\' ]*$/\1\"Advanced options for Ubuntu>Ubuntu, with Linux 3.14.79-grsec\"/" /etc/default/grub
- # update grub to set the new default
- update-grub2
- fi
+ # Replace the default GRUB boot option with 0, which defaults to the
+ # highest kernel version. Any kernel provided by apt.freedom.press must
+ # suprecede the ones provided by Ubuntu.
+ sed -i '/^GRUB_DEFAULT=/s/=.*/=0/' /etc/default/grub
+ update-grub
 ;;
 abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/molecule/builder/tests/vars.yml b/molecule/builder/tests/vars.yml
index 907ff6464c..10f041f205 100644
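Review bot: Setting `GRUB_DEFAULT=0` in the `configure)` branch of postinst only selects the first menu entry, so the guarantee stated in the new comment (a kernel from apt.freedom.press always outranks Ubuntu's) is assumed rather than checked; if a stock kernel with a higher version is ever installed, the host would presumably boot without grsecurity and nothing here would report it. After `update-grub` I would verify the outcome, for example on a standard Ubuntu layout `grep -m1 -E '^[[:space:]]*linux[[:space:]]' /boot/grub/grub.cfg | grep -q -- '-grsec' || echo 'WARNING: default boot entry is not a grsec kernel' >&2`. The `sed` also overwrites any existing `GRUB_DEFAULT` value each time the package is configured and silently does nothing when the line is absent, which deserves a sentence in the comment; "suprecede" there should read "supersede". The `case` statement continues past the end of the hunk.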
--- a/molecule/builder/tests/vars.yml
+++ b/molecule/builder/tests/vars.yml
@@ -3,7 +3,7 @@ securedrop_version: "0.10.0~rc1"
 ossec_version: "3.0.0"
 keyring_version: "0.1.2"
 config_version: "0.1.1"
-grsec_version: "4.4.144"
+grsec_version: "4.4.144-1"
 # These values will be interpolated with values populated above
 # via helper functions in the tests.