From 2a6c25e46cce879ff40d54f23aa10b3d94441b0e Mon Sep 17 00:00:00 2001
From: mickael e
Date: Thu, 20 Dec 2018 09:06:23 -0500
Subject: [PATCH 1/2] Update grsecurity kernel to 4.4.167

Also removes 4.4.144 kernels
---
 install_files/ansible-base/group_vars/all/securedrop | 4 ++--
 molecule/builder/tests/vars.yml | 2 +-
 molecule/testinfra/staging/vars/staging.yml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index 557101991a..0e77ff2762 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -53,5 +53,5 @@ securedrop_cond_reboot_file: /tmp/sd-reboot-now
 # If you bump this, also remember to bump in molecule/builder/tests/vars.yml
 securedrop_pkg_grsec:
- ver: "4.4.162"
- depends: "linux-image-4.4.144-grsec,linux-firmware-image-4.4.144-grsec,linux-image-4.4.162-grsec,linux-firmware-image-4.4.162-grsec"
+ ver: "4.4.167"
+ depends: "linux-image-4.4.162-grsec,linux-firmware-image-4.4.162-grsec,linux-image-4.4.167-grsec,linux-firmware-image-4.4.167-grsec"
diff --git a/molecule/builder/tests/vars.yml b/molecule/builder/tests/vars.yml
index f0f54ec967..ebd1edfe1f 100644
--- a/molecule/builder/tests/vars.yml
+++ b/molecule/builder/tests/vars.yml
@@ -3,7 +3,7 @@ securedrop_version: "0.12.0~rc1"
 ossec_version: "3.0.0"
 keyring_version: "0.1.2"
 config_version: "0.1.1"
-grsec_version: "4.4.162"
+grsec_version: "4.4.167"
 # These values will be interpolated with values populated above
 # via helper functions in the tests.
diff --git a/molecule/testinfra/staging/vars/staging.yml b/molecule/testinfra/staging/vars/staging.yml
index 665a40c635..03aa5a8c73 100644
--- a/molecule/testinfra/staging/vars/staging.yml
+++ b/molecule/testinfra/staging/vars/staging.yml
@@ -169,4 +169,4 @@ log_events_with_ossec_alerts:
 rule_id: "400503"
 fpf_apt_repo_url: "https://apt-test.freedom.press"
-grsec_version: "4.4.162"
+grsec_version: "4.4.167"

From ecfe49d93bffd9c302dc2502387611d90e994510 Mon Sep 17 00:00:00 2001
From: mickael e
Date: Thu, 20 Dec 2018 09:52:08 -0500
Subject: [PATCH 2/2] Add test for kernel config options

Ensures wireless functionality is disabled.
---
 .../staging/common/test_grsecurity.py | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/molecule/testinfra/staging/common/test_grsecurity.py b/molecule/testinfra/staging/common/test_grsecurity.py
index f5355dced6..0cad64502d 100644
--- a/molecule/testinfra/staging/common/test_grsecurity.py
+++ b/molecule/testinfra/staging/common/test_grsecurity.py
@@ -170,3 +170,26 @@ def test_pax_flags(Command, File, binary):
     # the "p" and "m" flags.
     assert "PAGEEXEC is disabled" not in c.stdout
     assert "MPROTECT is disabled" not in c.stdout
+
+
+@pytest.mark.parametrize('kernel_opts', [
+    'WLAN',
+    'NFC',
+    'WIMAX',
+    'WIRELESS',
+    'HAMRADIO',
+    'IRDA',
+    'BT',
+])
+def test_wireless_disabled_in_kernel_config(host, kernel_opts):
+    """
+    Kernel modules for wireless are blacklisted, but we go one step further and
+    remove wireless support from the kernel. Let's make sure wireless is
+    disabled in the running kernel config!
+    """
+
+    kernel_config_path = "/boot/config-{}-grsec".format(KERNEL_VERSION)
+    kernel_config = host.file(kernel_config_path).content_string
+
+    line = "# CONFIG_{} is not set".format(kernel_opts)
+    assert line in kernel_config
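Review bot: The docstring promises a check of the "running kernel config", but the `kernel_config_path` line reads `/boot/config-{KERNEL_VERSION}-grsec`, which is the config of the kernel version the test expects to be installed and only describes the running kernel once the host has actually booted into it (the `securedrop_cond_reboot_file` context in patch 1 suggests reboots are conditional). Either reword the docstring to "installed kernel's config", or pin the two together before reading the file with `running = host.run("uname -r").stdout.strip()` and `assert running == "{}-grsec".format(KERNEL_VERSION)`, assuming the release string follows the same `-grsec` suffix the path uses. `KERNEL_VERSION` is not defined in the hunk, so the new test depends on a module-level name from outside it; worth confirming it is the same value as `grsec_version` bumped in patch 1. The substring check `line in kernel_config` is adequate because the ` is not set` suffix anchors the symbol name, but `assert line in kernel_config.splitlines()` would make the whole-line intent explicit. As a point of style, the parameter receives one option per invocation, so `kernel_opt` reads better than `kernel_opts`.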