Use paxctld to manage all PaX flags in Ubuntu Focal #4134

Closed
emkll opened this issue Feb 14, 2019 · 1 comment · Fixed by #5691
emkll (Contributor) commented Feb 14, 2019

Description

Initially raised during review of #4114: we should consolidate the PaX flag management logic. We are using both paxctl and paxctld for management of PaX flags; it would be best to maintain a single paxctld.conf file with all flags. It will also simplify some of the install logic, and allow us to more consistently apply these flags to binaries and persist them across reboots (as an added feature, it might also help address #3916).

We could also evaluate and reuse what was done as part of the SecureDrop Workstation as an example: https://github.com/freedomofpress/securedrop-debian-packaging/tree/master/securedrop-workstation-svs-disp

UPDATE 2020-11-16

The following is based on a conversation with @conorsch, as part of the current sprint commitments:

The paxctl header formats/commands are different in Focal from Xenial, and as a result, some existing paxctl logic from Xenial will not work in Focal. Specifically, updates to the flags for grub binaries (grub-probe, grub-mkdevicemap, grub-script-check) will not work in Focal under the current logic[1]. If grub is updated, PaX flags won't be applied, leading to cascading failures (grub update will fail, kernel update will fail, packages may be held back/broken).

Based on our conversation, we went through various approaches and decided on the following:

  1. Fork securedrop-grsec for Focal only (and leave the existing version for Xenial unchanged, because it works and we aren't supporting Xenial for much longer)
  2. Add paxctld to the Requires field in the Control file. Since we are installing from scratch on Focal, it's a good opportunity to add, but also make 1. easier.
  3. Add a securedrop-managed paxctld.conf file to the Focal-specific metapackage, to configure the pax flags as we would expect them.
  4. Remove the kernel postinst file from the metapackage, since use of paxctld makes use of paxctl moot.

User Stories

As a SecureDrop administrator or developer, I would like to manage all PaX flags in a single place and would like to consistently apply them across the system.

[1] https://github.com/freedomofpress/securedrop/blob/develop/install_files/securedrop-grsec/etc/kernel/postinst.d/paxctl-grub
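The issue proposes keeping every PaX flag in one securedrop-managed paxctld.conf. A small validator for such a file is a useful check before shipping it in the metapackage: it catches duplicate entries for the same binary, unknown flag letters, and a feature that is both enabled and disabled on one line. The code below is an added example, not code from the SecureDrop project. It assumes the common paxctld.conf line format of `<absolute path> <flags> [nonroot]`, with lowercase letters disabling and uppercase enabling a PaX feature (p/P PAGEEXEC, e/E EMUTRAMP, m/M MPROTECT, r/R RANDMMAP, x/X RANDEXEC, s/S SEGMEXEC); the sample configuration and the flag values in it are constructed for illustration, not taken from the real securedrop-grsec package.

```python
"""Validate and render a single paxctld.conf (added example, not SecureDrop code)."""

# Assumed paxctld.conf line format (an assumption, not stated in the issue):
#   /absolute/path/to/binary <flags> [nonroot]
# Lowercase disables a PaX feature, uppercase enables it:
#   p/P PAGEEXEC, e/E EMUTRAMP, m/M MPROTECT, r/R RANDMMAP, x/X RANDEXEC, s/S SEGMEXEC
PAX_FLAG_LETTERS = "pemrxs"

# Constructed sample: the three grub binaries named in the issue, plus a
# deliberate duplicate with conflicting flags and a malformed line, so the
# checks below have something to report. Flag values are illustrative only.
SAMPLE_CONF = """\
# securedrop-managed paxctld.conf (constructed sample)
/usr/sbin/grub-probe m
/usr/sbin/grub-mkdevicemap m
/usr/bin/grub-script-check m
/usr/bin/grub-script-check mM
relative/path q
"""


def parse_paxctld_conf(text):
    """Parse paxctld.conf text.

    Returns (entries, errors): entries is a list of (path, flags, nonroot)
    tuples for every non-comment line; errors is a list of human-readable
    problems keyed by line number.
    """
    entries = []
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (2, 3) or (len(parts) == 3 and parts[2] != "nonroot"):
            errors.append(f"line {lineno}: expected '<path> <flags> [nonroot]'")
            continue
        path, flags = parts[0], parts[1]
        nonroot = len(parts) == 3
        if not path.startswith("/"):
            errors.append(f"line {lineno}: path must be absolute: {path}")
        unknown = [c for c in flags if c.lower() not in PAX_FLAG_LETTERS]
        if unknown:
            errors.append(f"line {lineno}: unknown flag letter(s) {''.join(unknown)}")
        # A feature cannot be both enabled (uppercase) and disabled (lowercase)
        # on the same binary; paxctl would reject this as well.
        conflicts = sorted({c.lower() for c in flags if c.swapcase() in flags})
        if conflicts:
            errors.append(f"line {lineno}: conflicting flags for {''.join(conflicts)}")
        entries.append((path, flags, nonroot))
    return entries, errors


def find_duplicates(entries):
    """Return paths that appear more than once; the last entry would silently win."""
    counts = {}
    for path, _flags, _nonroot in entries:
        counts[path] = counts.get(path, 0) + 1
    return sorted(p for p, n in counts.items() if n > 1)


def render_conf(flag_map):
    """Render a deterministic paxctld.conf from a {path: flags} mapping."""
    lines = ["# Managed by the securedrop-grsec metapackage (constructed header)"]
    for path in sorted(flag_map):
        lines.append(f"{path} {flag_map[path]}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found, problems = parse_paxctld_conf(SAMPLE_CONF)
    for problem in problems:
        print("ERROR:", problem)
    for dup in find_duplicates(found):
        print("ERROR: duplicate entry for", dup)
    print(render_conf({"/usr/sbin/grub-probe": "m", "/usr/bin/grub-script-check": "m"}))
```

Run it against the metapackage's paxctld.conf in CI so a merge that introduces a second line for the same grub binary, or a typo in a flag letter, fails before the package is built rather than after grub's next update.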

conorsch (Contributor) commented Jan 6, 2021

> Fork securedrop-grsec for Focal only

I created a separate issue to track: #5690. In terms of paxctld support, we'll reuse the logic from https://github.com/freedomofpress/securedrop-debian-packaging/tree/cee267e7dfebd9553cdf4b02ecbe54783049121c/securedrop-workstation-grsec/debian for the most part.

Using paxctld for Focal also means that most of the Ansible tasks in this file should be skipped, by marking them Xenial-only:

```yaml
- name: Get grsec kernel string from grub config.
  shell: grep menuentry /boot/grub/grub.cfg | grep grsec | grep -v recovery | head -1 | cut -d "'" -f2
  # Read-only task for
  changed_when: false
  register: grsec_str
  tags:
    - grsec
    - kernel
    - hardening

- name: Check initial default grub entry for next boot.
  stat:
    path: /boot/grub/grubenv
  register: grubenv_check_initial_result
  tags:
    - grsec
    - grub
    - hardening
    - kernel

- name: Set grsec kernel as default for next boot.
  command: grub-reboot "Advanced options for Ubuntu>{{ grsec_str.stdout }}"
  # The grub-reboot command writes to /boot/grub/grubenv,
  # so "changed" status can only be determined by comparing
  # checksums on that file. We'll do so in the subsequent task.
  changed_when: false
  tags:
    - grsec
    - grub
    - hardening
    - kernel

# Kludge to detect changes accurately from the `grub-reboot` command
# in the previous task. We're just comparing checksums on the
# /boot/grub/grubenv file before and after the command, since that's
# where `grub-reboot` writes its changes. Hopefully a future version
# of Ansible will provide an `args: changes:` parameter to command calls.
- name: Check customized default grub entry for next boot.
  stat:
    path: /boot/grub/grubenv
  register: grubenv_check_configured_result
  changed_when: grubenv_check_initial_result.stat.checksum != grubenv_check_configured_result.stat.checksum
  tags:
    - grsec
    - grub
    - hardening
    - kernel
```
