Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Re-enables unattended upgrades to AppArmor profiles #4167

Merged
merged 4 commits into from
Feb 22, 2019
Merged

Re-enables unattended upgrades to AppArmor profiles #4167

merged 4 commits into from
Feb 22, 2019

Conversation

conorsch
Copy link
Contributor

Status

Ready for review.

Description of Changes

Fixes #4161.

Changes proposed in this pull request:

  • Disables conffiles classification of AppArmor profiles in securedrop-app-code deb package
  • Removes legacy, unused aa-complain logic from Ansible
  • Adds regression tests

Testing

  • Build debs on this branch
  • Run make upgrade-start to provision 0.11.1 VMs
  • Configure user accounts and set a custom logo
  • Perform Trusty 0.11.1 -> 0.12.0~rc upgrade via make upgrade-test-local
  • Confirm AppArmor profile is updated correctly
  • Confirm /etc/apparmor.d/usr.sbin.apache2.dpkg-dist does not exist
  • Confirm Xenial upgrade message displays on Journalist Interface
  • Confirm custom logo is still present

Note that I have not actually tested these changes end-to-end myself yet, so feel free to append fixes as part of review.

Deployment

Certainly! This change is designed to ensure proper updates, given the recent packaging logic changes in #4080.

Checklist

If you made changes to the server application code:

  • Linting (make ci-lint) and tests (make -C securedrop test) pass in the development container

If you made changes to securedrop-admin:

  • Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

If you made changes to documentation:

  • Doc linting (make docs-lint) passed locally

@conorsch conorsch requested review from kushaldas and emkll February 21, 2019 02:42
@conorsch conorsch requested a review from msheiny as a code owner February 21, 2019 02:42
emkll
emkll reviewed Feb 21, 2019
View reviewed changes
Copy link
Contributor

@emkll emkll left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Went through the test plan, functional upgrade testing LGTM

  • Build debs on this branch
  • Run make upgrade-start to provision 0.11.1 VMs
  • Configure user accounts and set a custom logo
  • Perform Trusty 0.11.1 -> 0.12.0~rc upgrade via make upgrade-test-local
  • Confirm AppArmor profile is updated correctly
  • Confirm /etc/apparmor.d/usr.sbin.apache2.dpkg-dist does not exist
  • Confirm Xenial upgrade message displays on Journalist Interface
  • Confirm custom logo is still present

There is also another way to resolve this issue, in the packaging logic itself rather than via postinst, see https://github.com/freedomofpress/securedrop/compare/4161-override-conffiles

Let's discuss this in the engineering meeting today, to ensure we are using the most simple and maintainable solution.

@conorsch conorsch force-pushed the 4161-force-apparmor-profiles-in-app-code-deb-package branch from ec6779f to c4b679f Compare February 21, 2019 23:19
@conorsch
Copy link
Contributor Author

Updated the implementation with the far simpler approach advocated by @emkll, as discussed in engineering meeting earlier today. The diff is far more concise now, and the regression tests should prevent similar problems in the future.

Given that @emkll and I have already implicitly signed off on these changes, requesting full review from @kushaldas, according to test plan above.

kushaldas
kushaldas previously approved these changes Feb 22, 2019
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test result

  • Build debs on this branch
  • Run make upgrade-start to provision 0.11.1 VMs
  • Configure user accounts and set a custom logo
  • Perform Trusty 0.11.1 -> 0.12.0~rc upgrade via make upgrade-test-local
  • Confirm AppArmor profile is updated correctly
  • Confirm /etc/apparmor.d/usr.sbin.apache2.dpkg-dist does not exist
  • Confirm Xenial upgrade message displays on Journalist Interface
  • Confirm custom logo is still present

Works as intended. Approved 🎉 🏊‍♀️ 🏊‍♂️

We will need someone with enough CI experience to tell what is wrong below.

Conor Schaefer and others added 3 commits February 22, 2019 09:16
@emkll
Adds regression test for conffiles in app-code
5585979 
The recent migration to debhelper caused the AppArmor profiles to be
considered conffiles, which breaks our ability to ship unattended
updates to those files. We want the AppArmor profiles to be exactly as
we configure them, including any updates over time, so we cannot permit
the conffiles classification.

This test ensures that the `securedrop-app-code` deb package contains
only the explicitly whitelisted conffile of the default logo location.
Any additional conffiles, automatically classified via debhelper or
otherwise, will cause the test to fail, to guard against regressions.
@emkll
Removes aa-complain logic from Ansible
1a04ad8 
The aa-complain logic paths were off by default, and are left over from
the days when we did not enforce AppArmor on staging VMs. We've since
switched to enforcing AppArmor profiles by default in staging, to catch
problems earlier in the development and testing cycle.
@emkll
Use only explicitly declared conffiles
dd6b14d 
At compat level>=3, debhelper will automatically add any file in /etc/ in a package as a conffile. Since the securedrop-app-code package ships AppArmor profiles in /etc/ that we want to squash at every install, they must not be specified as conffiles. We can override dh_installdeb to substitute the automatically generated conffile with the one we create.
@emkll emkll force-pushed the 4161-force-apparmor-profiles-in-app-code-deb-package branch from c4b679f to dd6b14d Compare February 22, 2019 14:17
@emkll
Copy link
Contributor

emkll commented Feb 22, 2019

It seems like a branch was forced pushed to this branch and is not found by circle: 4161-force-apparmor-profiles-in-app-code-deb-package-simplified (see https://circleci.com/gh/freedomofpress/securedrop/23247).

I've rebased on lastest develop and the code seems to be checking out as expected. You review was dismissed as a result, @kushaldas . Could you please re-review/restamp?

kushaldas
kushaldas approved these changes Feb 22, 2019
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Restamping the PR. Approved once again.

@emkll emkll merged commit 66452c3 into develop Feb 22, 2019
@emkll emkll deleted the 4161-force-apparmor-profiles-in-app-code-deb-package branch February 22, 2019 16:30
@emkll emkll mentioned this pull request Feb 22, 2019
Merged
@redshiftzero redshiftzero mentioned this pull request Feb 25, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@emkll emkll emkll left review comments

@kushaldas kushaldas kushaldas approved these changes

@msheiny msheiny Awaiting requested review from msheiny

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[0.12.0] AppArmor deny messages for lsb-release on upgrade
3 participants
@conorsch @emkll @kushaldas