From da07ca70ab358330fef6455e3bb8fafcf00240e5 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Mon, 6 Apr 2020 16:39:37 -0700 Subject: [PATCH 1/4] Update grsecurity kernels to 4.14.175 Closes #5111 --- install_files/ansible-base/group_vars/all/securedrop | 6 +++--- molecule/builder-xenial/tests/vars.yml | 2 +- molecule/testinfra/staging/vars/staging.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop index f7d7ec9a07..6ec1982d17 100644 --- a/install_files/ansible-base/group_vars/all/securedrop +++ b/install_files/ansible-base/group_vars/all/securedrop @@ -38,7 +38,7 @@ enable_ssh_over_tor: true # the many roles of the current prod playbook securedrop_cond_reboot_file: /tmp/sd-reboot-now -# If you bump this, also remember to bump in molecule/builder/tests/vars.yml +# If you bump this, also remember to bump in molecule/builder-xenial/tests/vars.yml securedrop_pkg_grsec: - ver: "4.14.154" - depends: "linux-image-4.14.154-grsec-securedrop,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec,intel-microcode" + ver: "4.14.175" + depends: "linux-image-4.14.175-grsec-securedrop,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec,intel-microcode" diff --git a/molecule/builder-xenial/tests/vars.yml b/molecule/builder-xenial/tests/vars.yml index 823b1e2bd1..b6936b938f 100644 --- a/molecule/builder-xenial/tests/vars.yml +++ b/molecule/builder-xenial/tests/vars.yml @@ -3,7 +3,7 @@ securedrop_version: "1.3.0~rc1" ossec_version: "3.0.0" keyring_version: "0.1.3" config_version: "0.1.3" -grsec_version: "4.14.154" +grsec_version: "4.14.175" # These values will be interpolated with values populated above # via helper functions in the tests. diff --git a/molecule/testinfra/staging/vars/staging.yml b/molecule/testinfra/staging/vars/staging.yml index 3b7181e68f..ffc9881d2b 100644 --- a/molecule/testinfra/staging/vars/staging.yml 
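Review bot: The rewritten comment above `securedrop_pkg_grsec` still names only `molecule/builder-xenial/tests/vars.yml`, but this very commit also had to bump `grsec_version` in `molecule/testinfra/staging/vars/staging.yml`, so the next person who follows the comment will leave the staging tests pinned to the old kernel. Suggest `# If you bump this, also bump grsec_version in molecule/builder-xenial/tests/vars.yml and molecule/testinfra/staging/vars/staging.yml`. The version string is also repeated inside `depends`; if the Ansible layer permits it, deriving that entry from `ver` would be one fewer copy to keep in sync, though I cannot see from this hunk how the value is consumed.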
+++ b/molecule/testinfra/staging/vars/staging.yml @@ -195,4 +195,4 @@ log_events_with_ossec_alerts: rule_id: "400700" fpf_apt_repo_url: "https://apt-test.freedom.press" -grsec_version: "4.14.154" +grsec_version: "4.14.175" From 13147a71d27642e9dc900efb1e29efa48f5765e1 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Tue, 7 Apr 2020 17:25:53 -0700 Subject: [PATCH 2/4] Updates kernel config tests for /boot perms As of the upgrade to 4.14.175 kernels, the entire /boot directly is 700 root:root. That means we'll have to use sudo on the testinfra checks reading files in there, particularly the kernel config. --- .../staging/common/test_grsecurity.py | 26 ++++++++++--------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/molecule/testinfra/staging/common/test_grsecurity.py b/molecule/testinfra/staging/common/test_grsecurity.py index 029f272bf3..60934e43fa 100644 --- a/molecule/testinfra/staging/common/test_grsecurity.py +++ b/molecule/testinfra/staging/common/test_grsecurity.py @@ -185,12 +185,12 @@ def test_wireless_disabled_in_kernel_config(host, kernel_opts): remove wireless support from the kernel. Let's make sure wireless is disabled in the running kernel config! """ + with host.sudo(): + kernel_config_path = "/boot/config-{}-grsec-securedrop".format(KERNEL_VERSION) + kernel_config = host.file(kernel_config_path).content_string - kernel_config_path = "/boot/config-{}-grsec-securedrop".format(KERNEL_VERSION) - kernel_config = host.file(kernel_config_path).content_string - - line = "# CONFIG_{} is not set".format(kernel_opts) - assert line in kernel_config + line = "# CONFIG_{} is not set".format(kernel_opts) + assert line in kernel_config @pytest.mark.parametrize('kernel_opts', [ 
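Review bot: The new `with host.sudo():` block reads `/boot/config-{KERNEL_VERSION}-grsec-securedrop` from disk, while the docstring context line just above promises to check the running kernel config; if the host booted a different kernel the test still passes against the config of one that is not running. Either pair it with a `uname -r` check against `KERNEL_VERSION` (possibly done elsewhere in this file, not visible here) or state the limitation in the docstring, e.g. `The config is read from /boot (root-only since 4.14.175), not from the running kernel.` The commit message says sudo is now required because /boot became 700 root:root, but nothing pins that; a small `test_boot_dir_perms` asserting `host.file("/boot").mode == 0o700` and `.user == "root"` would make the hardening these tests now depend on explicit. The function's signature is outside the hunk.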
@@ -203,11 +203,12 @@ def test_kernel_options_enabled_config(host, kernel_opts): Tests kernel config for options that should be enabled """ - kernel_config_path = "/boot/config-{}-grsec-securedrop".format(KERNEL_VERSION) - kernel_config = host.file(kernel_config_path).content_string + with host.sudo(): + kernel_config_path = "/boot/config-{}-grsec-securedrop".format(KERNEL_VERSION) + kernel_config = host.file(kernel_config_path).content_string - line = "{}=y".format(kernel_opts) - assert line in kernel_config + line = "{}=y".format(kernel_opts) + assert line in kernel_config def test_mds_mitigations_and_smt_disabled(host): @@ -216,7 +217,8 @@ def test_mds_mitigations_and_smt_disabled(host): see https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html """ - grub_config_path = "/boot/grub/grub.cfg" - grub_config = host.file(grub_config_path) + with host.sudo(): + grub_config_path = "/boot/grub/grub.cfg" + grub_config = host.file(grub_config_path) - assert grub_config.contains("mds=full,nosmt") + assert grub_config.contains("mds=full,nosmt") From d3e5c73a72a331d5732ba523902ee6d0f078d003 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Wed, 8 Apr 2020 10:50:57 -0700 Subject: [PATCH 3/4] Removes old kernel dependencies from metapackage The 4.4.x kernel series is EOL, so let's update the metapackage dependencies to require: * current latest (4.14.175) * previous versoin (4.14.154) That'll still provide rollback capability in the event of problems. --- install_files/ansible-base/group_vars/all/securedrop | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop index 6ec1982d17..8e23d7b8f2 100644 --- a/install_files/ansible-base/group_vars/all/securedrop +++ b/install_files/ansible-base/group_vars/all/securedrop 
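Review bot: `assert line in kernel_config` inside the new sudo block is a substring test, so `CONFIG_FOO=y` also matches inside `CONFIG_BAR_FOO=y` and the check for one option can be satisfied by a different one; matching whole lines with `assert line in kernel_config.splitlines()` is exact and costs nothing (the same applies to the `is not set` check in the previous test). The root-only read of the config file is now duplicated verbatim across two tests; a module-level helper or pytest fixture that does the `with host.sudo():` read once and returns `content_string` would keep the privileged access in one place. The function's signature is outside the hunk.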
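Review bot: `grub_config.contains("mds=full,nosmt")` is a grep over `/boot/grub/grub.cfg`, so it passes when the string appears anywhere in the file, including a commented-out line or a non-default menuentry, and it says nothing about the kernel actually booted. `/proc/cmdline` reflects the running kernel and is world-readable, so `assert "mds=full,nosmt" in host.file("/proc/cmdline").content_string` is both stronger and needs no sudo; `/sys/devices/system/cpu/vulnerabilities/mds` and `/sys/devices/system/cpu/smt/control` can confirm the mitigation actually took effect. Keeping the grub.cfg check alongside is still worthwhile since it guards the next boot. The def line of test_mds_mitigations_and_smt_disabled is outside the hunk.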
@@ -41,4 +41,4 @@ securedrop_cond_reboot_file: /tmp/sd-reboot-now # If you bump this, also remember to bump in molecule/builder-xenial/tests/vars.yml securedrop_pkg_grsec: ver: "4.14.175" - depends: "linux-image-4.14.175-grsec-securedrop,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec,intel-microcode" + depends: "linux-image-4.14.175-grsec-securedrop,linux-image-4.14.154-grsec-securedrop,intel-microcode" From 12bdfc934d032645b3fc3c4c3c124f8ebb37081c Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Thu, 9 Apr 2020 13:55:33 -0700 Subject: [PATCH 4/4] Update TBB version to 9.0.9 --- securedrop/dockerfiles/xenial/python3/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/securedrop/dockerfiles/xenial/python3/Dockerfile b/securedrop/dockerfiles/xenial/python3/Dockerfile index d0b8fd676d..5033a51ad5 100644 --- a/securedrop/dockerfiles/xenial/python3/Dockerfile +++ b/securedrop/dockerfiles/xenial/python3/Dockerfile @@ -29,7 +29,7 @@ RUN curl -LO https://ftp.mozilla.org/pub/firefox/releases/${FF_ESR_VER}/linux-x8 COPY ./tor_project_public.pub /opt/ -ENV TBB_VERSION 9.0.7 +ENV TBB_VERSION 9.0.9 RUN gpg --import /opt/tor_project_public.pub && \ wget https://www.torproject.org/dist/torbrowser/${TBB_VERSION}/tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz && \ wget https://www.torproject.org/dist/torbrowser/${TBB_VERSION}/tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz.asc && \
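Review bot: Keeping `linux-image-4.14.154-grsec-securedrop` as a hard dependency means a kernel without the 4.14.175 fixes stays installed and selectable from the boot menu on every host; that is the rollback trade-off the commit message accepts, but it deserves a comment next to `depends`, e.g. `# previous kernel kept for rollback; drop it on the next bump`. Dropping the 4.4.182 image and firmware packages from `depends` stops requiring them but, on hosts that already have them, presumably does not remove them, so the EOL kernel remains bootable there unless an explicit removal or a grub default check exists elsewhere; I cannot tell from this hunk whether one does.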