From 2f5af57472d3fffe156f8be6b3ae392e00afd817 Mon Sep 17 00:00:00 2001
From: mickael e
Date: Thu, 4 Feb 2021 14:47:29 -0500
Subject: [PATCH 1/5] Bump securedrop-grsec-focal metapackage to 5.4.88
This will pull in and install 5.4 series kernels for Focal installs, thanks to the split metapackage logic introduced in #5691
---
 .../ansible-base/group_vars/all/securedrop | 6 +++++-
 .../tasks/from_local_pkg_install_grsec.yml | 6 +++++-
 .../securedrop-grsec-focal/DEBIAN/control.j2 | 4 ++--
 .../securedrop-grsec-focal/DEBIAN/postinst.j2 | 2 +-
 install_files/securedrop-grsec/DEBIAN/control.j2 | 4 ++--
 .../tests/test_securedrop_deb_package.py | 15 +++++++++++----
 molecule/builder-xenial/tests/vars.yml | 3 ++-
 7 files changed, 28 insertions(+), 12 deletions(-)
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index 622a1bb88d..bd7bfc364a 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -38,6 +38,10 @@ enable_ssh_over_tor: true
 securedrop_cond_reboot_file: /tmp/sd-reboot-now
 # If you bump this, also remember to bump in molecule/builder-xenial/tests/vars.yml
-securedrop_pkg_grsec:
+securedrop_pkg_grsec_xenial:
 ver: "4.14.188"
 depends: "linux-image-4.14.188-grsec-securedrop,linux-image-4.14.175-grsec-securedrop,intel-microcode"
+
+securedrop_pkg_grsec_focal:
+ ver: "5.4.88"
+ depends: "linux-image-5.4.88-grsec-securedrop,linux-image-4.14.188-grsec-securedrop,intel-microcode"
diff --git a/install_files/ansible-base/roles/grsecurity/tasks/from_local_pkg_install_grsec.yml b/install_files/ansible-base/roles/grsecurity/tasks/from_local_pkg_install_grsec.yml
index 662aed90c9..adfe2e5b70 100644
--- a/install_files/ansible-base/roles/grsecurity/tasks/from_local_pkg_install_grsec.yml
+++ b/install_files/ansible-base/roles/grsecurity/tasks/from_local_pkg_install_grsec.yml
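Review bot: The comment above `securedrop_pkg_grsec_xenial` still names only `molecule/builder-xenial/tests/vars.yml` as the place to bump in lockstep, but patch 2 of this series shows `molecule/testinfra/vars/staging.yml` carrying the same `grsec_version_xenial`/`grsec_version_focal` values, so a future bump that follows the comment leaves the testinfra kernel-version assertions stale. Suggest `# If you bump this, also remember to bump in molecule/builder-xenial/tests/vars.yml and molecule/testinfra/vars/staging.yml`. It would also help to say why the focal `depends` lists `linux-image-4.14.188-grsec-securedrop` next to 5.4.88 — presumably a fallback kernel kept installed alongside the pinned one, mirroring the 4.14.175 entry on xenial — since nothing here records that two kernels are intended.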
@@ -1,7 +1,11 @@
 ---
+- name: Get the grsec version of the current scenario
+ set_fact:
+ grsec_version: "{% if ansible_distribution_release == 'xenial' %}{{ securedrop_pkg_grsec_xenial.ver }}{% else %}{{ securedrop_pkg_grsec_focal.ver }}{% endif %}"
+
 - name: Copy locally built securedrop-grsec metapackage
 copy:
- src: "../../build/{{ securedrop_target_distribution }}/securedrop-grsec-{{ securedrop_pkg_grsec.ver }}+{{ securedrop_target_distribution }}-amd64.deb"
+ src: "../../build/{{ securedrop_target_distribution }}/securedrop-grsec-{{ grsec_version }}+{{ securedrop_target_distribution }}-amd64.deb"
 dest: /root/securedrop-grsec.deb
 - name: Install locally built securedrop-grsec metapackage
diff --git a/install_files/securedrop-grsec-focal/DEBIAN/control.j2 b/install_files/securedrop-grsec-focal/DEBIAN/control.j2
index 3baeac8f04..b168512643 100644
--- a/install_files/securedrop-grsec-focal/DEBIAN/control.j2
+++ b/install_files/securedrop-grsec-focal/DEBIAN/control.j2
@@ -1,9 +1,9 @@
 Package: securedrop-grsec
 Source: securedrop-grsec
-Version: {{ securedrop_pkg_grsec.ver }}+{{ securedrop_target_distribution }}
+Version: {{ securedrop_pkg_grsec_focal.ver }}+{{ securedrop_target_distribution }}
 Architecture: amd64
 Maintainer: SecureDrop Team
-Depends: {{ securedrop_pkg_grsec.depends }},paxctld
+Depends: {{ securedrop_pkg_grsec_focal.depends }},paxctld
 Section: admin
 Priority: optional
 Homepage: https://securedrop.org
diff --git a/install_files/securedrop-grsec-focal/DEBIAN/postinst.j2 b/install_files/securedrop-grsec-focal/DEBIAN/postinst.j2
index cbd77f46ca..6d251e9b03 100755
--- a/install_files/securedrop-grsec-focal/DEBIAN/postinst.j2
+++ b/install_files/securedrop-grsec-focal/DEBIAN/postinst.j2
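Review bot: The new `set_fact` chooses the version on `ansible_distribution_release`, while the `src:` path in the very next task is built from `securedrop_target_distribution`; if the two ever disagree (a build target that differs from the host's own release), the computed filename would not exist and the copy would fail with a misleading error. Selecting on the same variable keeps both halves of the path consistent, e.g. `grsec_version: "{{ securedrop_pkg_grsec_xenial.ver if securedrop_target_distribution == 'xenial' else securedrop_pkg_grsec_focal.ver }}"`, which also reads more naturally than an `{% if %}` block inside a string. Either way the `else` arm maps every non-xenial release to the focal version, so an unexpected release silently gets the focal package rather than failing; a one-line comment on the task stating that only xenial and focal are supported would make that intent explicit.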
@@ -17,7 +17,7 @@ set -x
 # the debian-policy package
 # Pin current version of custom kernel
-GRSEC_VERSION="{{ securedrop_pkg_grsec.ver }}-grsec-securedrop"
+GRSEC_VERSION="{{ securedrop_pkg_grsec_focal.ver }}-grsec-securedrop"
 # Sets default grub boot parameter to the kernel version specified
 # by $GRSEC_VERSION.
diff --git a/install_files/securedrop-grsec/DEBIAN/control.j2 b/install_files/securedrop-grsec/DEBIAN/control.j2
index 35912543d1..3b8b839b5b 100644
--- a/install_files/securedrop-grsec/DEBIAN/control.j2
+++ b/install_files/securedrop-grsec/DEBIAN/control.j2
@@ -1,9 +1,9 @@
 Package: securedrop-grsec
 Source: securedrop-grsec
-Version: {{ securedrop_pkg_grsec.ver }}+{{ securedrop_target_distribution }}
+Version: {{ securedrop_pkg_grsec_xenial.ver }}+{{ securedrop_target_distribution }}
 Architecture: amd64
 Maintainer: SecureDrop Team
-Depends: {{ securedrop_pkg_grsec.depends }}
+Depends: {{ securedrop_pkg_grsec_xenial.depends }}
 Section: admin
 Priority: optional
 Homepage: https://securedrop.org
diff --git a/molecule/builder-xenial/tests/test_securedrop_deb_package.py b/molecule/builder-xenial/tests/test_securedrop_deb_package.py
index 7dc4b855a2..24ab33c2c9 100644
--- a/molecule/builder-xenial/tests/test_securedrop_deb_package.py
+++ b/molecule/builder-xenial/tests/test_securedrop_deb_package.py
@@ -61,10 +61,17 @@ def make_deb_paths() -> Dict[str, Path]:
 Jinja-based evaluation of the YAML files (so we can't trivially reuse vars in other var values, as is the case with Ansible).
 """
- grsec_version = "{}+{}".format(
- securedrop_test_vars["grsec_version"],
- SECUREDROP_TARGET_DISTRIBUTION
- )
+
+ if SECUREDROP_TARGET_DISTRIBUTION == "xenial":
+ grsec_version = "{}+{}".format(
+ securedrop_test_vars["grsec_version_xenial"],
+ SECUREDROP_TARGET_DISTRIBUTION
+ )
+ else:
+ grsec_version = "{}+{}".format(
+ securedrop_test_vars["grsec_version_focal"],
+ SECUREDROP_TARGET_DISTRIBUTION
+ )
 substitutions = dict(
 securedrop_version=securedrop_test_vars["securedrop_version"],
diff --git a/molecule/builder-xenial/tests/vars.yml b/molecule/builder-xenial/tests/vars.yml
index 3fb30a40f8..93b0471141 100644
--- a/molecule/builder-xenial/tests/vars.yml
+++ b/molecule/builder-xenial/tests/vars.yml
@@ -3,7 +3,8 @@ securedrop_version: "1.8.0~rc1"
 ossec_version: "3.6.0"
 keyring_version: "0.1.4"
 config_version: "0.1.4"
-grsec_version: "4.14.188"
+grsec_version_xenial: "4.14.188"
+grsec_version_focal: "5.4.88"
 # These values will be interpolated with values populated above
 # via helper functions in the tests.
From c7d30dffc7fb33863a91582c759d40e09e6e0e94 Mon Sep 17 00:00:00 2001
From: mickael e
Date: Thu, 4 Feb 2021 17:08:25 -0500
Subject: [PATCH 2/5] Fix test for Focal kernel version
---
 molecule/testinfra/common/test_grsecurity.py | 5 ++++-
 molecule/testinfra/vars/staging.yml | 3 ++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/molecule/testinfra/common/test_grsecurity.py b/molecule/testinfra/common/test_grsecurity.py
index a9e4faf15e..be1dd89d8f 100644
--- a/molecule/testinfra/common/test_grsecurity.py
+++ b/molecule/testinfra/common/test_grsecurity.py
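Review bot: The two arms of the new `if`/`else` in `make_deb_paths` differ only in the key looked up in `securedrop_test_vars`, and the `else` arm treats any `SECUREDROP_TARGET_DISTRIBUTION` other than `"xenial"` as focal, so a typo or a future distribution name silently picks up the focal kernel version instead of failing. Deriving the key from the distribution name removes both the duplication and the silent fallback: `grsec_version = "{}+{}".format(securedrop_test_vars["grsec_version_{}".format(SECUREDROP_TARGET_DISTRIBUTION)], SECUREDROP_TARGET_DISTRIBUTION)` raises `KeyError` for an unknown distribution, and the vars.yml hunk below already uses exactly the `grsec_version_xenial`/`grsec_version_focal` key names this needs. `make_deb_paths` begins and ends outside this hunk.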
@@ -4,7 +4,10 @@ import testutils
 sdvars = testutils.securedrop_test_vars
-KERNEL_VERSION = sdvars.grsec_version
+if host.system_info.codename == "xenial":
+ KERNEL_VERSION = sdvars.grsec_version_xenial
+else:
+ KERNEL_VERSION = sdvars.grsec_version_focal
 testinfra_hosts = [sdvars.app_hostname, sdvars.monitor_hostname]
diff --git a/molecule/testinfra/vars/staging.yml b/molecule/testinfra/vars/staging.yml
index 9e32406a4d..6a26c292e7 100644
--- a/molecule/testinfra/vars/staging.yml
+++ b/molecule/testinfra/vars/staging.yml
@@ -197,4 +197,5 @@ log_events_with_ossec_alerts:
 rule_id: "400700"
 fpf_apt_repo_url: "https://apt-test.freedom.press"
-grsec_version: "4.14.188"
+grsec_version_xenial: "4.14.188"
+grsec_version_focal: "5.4.88"
From 026f254f952a646439809a141f553409999f190c Mon Sep 17 00:00:00 2001
From: Kushal Das
Date: Fri, 5 Feb 2021 18:10:41 +0530
Subject: [PATCH 3/5] Fixes the grsec test with python reformatting
KERNEL_VERSION is defined for each function as required.
---
 molecule/testinfra/common/test_grsecurity.py | 24 ++++++++++++++++----
 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/molecule/testinfra/common/test_grsecurity.py b/molecule/testinfra/common/test_grsecurity.py
index be1dd89d8f..258ef518c5 100644
--- a/molecule/testinfra/common/test_grsecurity.py
+++ b/molecule/testinfra/common/test_grsecurity.py
@@ -4,10 +4,6 @@ import testutils
 sdvars = testutils.securedrop_test_vars
-if host.system_info.codename == "xenial":
- KERNEL_VERSION = sdvars.grsec_version_xenial
-else:
- KERNEL_VERSION = sdvars.grsec_version_focal
 testinfra_hosts = [sdvars.app_hostname, sdvars.monitor_hostname]
@@ -22,7 +18,7 @@ def test_ssh_motd_disabled(host):
 @pytest.mark.parametrize("package", [
- 'linux-image-{}-grsec-securedrop'.format(KERNEL_VERSION),
+ 'linux-image-{}-grsec-securedrop',
 'paxctl',
 'securedrop-grsec',
 ])
@@ -32,6 +28,12 @@ def test_grsecurity_apt_packages(host, package):
 Includes the FPF-maintained metapackage, as well as paxctl, for managing PaX flags on binaries.
 """
+ if host.system_info.codename == "xenial":
+ KERNEL_VERSION = sdvars.grsec_version_xenial
+ else:
+ KERNEL_VERSION = sdvars.grsec_version_focal
+ if package.startswith("linux-image"):
+ package = package.format(KERNEL_VERSION)
 assert host.package(package).is_installed
@@ -75,6 +77,10 @@ def test_grsecurity_kernel_is_running(host):
 """
 Make sure the currently running kernel is specific grsec kernel.
 """
+ if host.system_info.codename == "xenial":
+ KERNEL_VERSION = sdvars.grsec_version_xenial
+ else:
+ KERNEL_VERSION = sdvars.grsec_version_focal
 c = host.run('uname -r')
 assert c.stdout.strip().endswith('-grsec-securedrop')
 assert c.stdout.strip() == '{}-grsec-securedrop'.format(KERNEL_VERSION)
@@ -208,6 +214,10 @@ def test_wireless_disabled_in_kernel_config(host, kernel_opts):
 remove wireless support from the kernel. Let's make sure wireless is disabled in the running kernel config!
 """
+ if host.system_info.codename == "xenial":
+ KERNEL_VERSION = sdvars.grsec_version_xenial
+ else:
+ KERNEL_VERSION = sdvars.grsec_version_focal
 with host.sudo():
 kernel_config_path = "/boot/config-{}-grsec-securedrop".format(KERNEL_VERSION)
 kernel_config = host.file(kernel_config_path).content_string
@@ -226,6 +236,10 @@ def test_kernel_options_enabled_config(host, kernel_opts):
 Tests kernel config for options that should be enabled
 """
+ if host.system_info.codename == "xenial":
+ KERNEL_VERSION = sdvars.grsec_version_xenial
+ else:
+ KERNEL_VERSION = sdvars.grsec_version_focal
 with host.sudo():
 kernel_config_path = "/boot/config-{}-grsec-securedrop".format(KERNEL_VERSION)
 kernel_config = host.file(kernel_config_path).content_string
From 69003ee034b507e80350383f9698eb9b3d40332c Mon Sep 17 00:00:00 2001
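Review bot: The four-line codename-to-version selection is pasted verbatim into `test_grsecurity_apt_packages` here and again in the `@@ -75`, `@@ -208` and `@@ -226` hunks, so the next kernel series means four identical edits and a real chance of one drifting, and in every copy the `else` arm maps any codename other than `"xenial"` to the focal version without failing. A single module-level helper next to `sdvars`, `def _kernel_version(host): return getattr(sdvars, "grsec_version_{}".format(host.system_info.codename))`, reduces each test body to `KERNEL_VERSION = _kernel_version(host)` and makes an unexpected codename raise `AttributeError` instead of silently testing against the wrong kernel. The `package.format(KERNEL_VERSION)` guard on `startswith("linux-image")` in this hunk is unaffected. Each of these test functions starts before its hunk.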
From: mickael e
Date: Fri, 5 Feb 2021 15:33:34 -0500
Subject: [PATCH 4/5] Fix IRDA test for 5.4.x kernel
CONFIG_IRDA is simply not present in the kernel configuration for 5.4 series kernels, in previous kernel configurations it was commented out.
---
 molecule/testinfra/common/test_grsecurity.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/molecule/testinfra/common/test_grsecurity.py b/molecule/testinfra/common/test_grsecurity.py
index 258ef518c5..157327e1d1 100644
--- a/molecule/testinfra/common/test_grsecurity.py
+++ b/molecule/testinfra/common/test_grsecurity.py
@@ -223,7 +223,7 @@ def test_wireless_disabled_in_kernel_config(host, kernel_opts):
 kernel_config = host.file(kernel_config_path).content_string
 line = "# CONFIG_{} is not set".format(kernel_opts)
- assert line in kernel_config
+ assert line in kernel_config or kernel_opts not in kernel_config
 @pytest.mark.parametrize('kernel_opts', [
From e465cf2843837c9660f4e433f1818606196a3fab Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Mon, 8 Feb 2021 07:11:37 -0800
Subject: [PATCH 5/5] Fix Focal kernel metapackage
Discovered by @emkll in [0]. The forked package build logic was including an empty dir based on the distro string. Update the path munging logic to use the proper var to avoid.
[0] https://github.com/freedomofpress/securedrop/pull/5772#issuecomment-775208976
---
 .../ansible-base/roles/build-generic-pkg/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install_files/ansible-base/roles/build-generic-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-generic-pkg/tasks/main.yml
index 9b81b3f3ae..a46fff89f9 100644
--- a/install_files/ansible-base/roles/build-generic-pkg/tasks/main.yml
+++ b/install_files/ansible-base/roles/build-generic-pkg/tasks/main.yml
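Review bot: The new fallback `kernel_opts not in kernel_config` is a bare substring test on the whole config, so an option name that is a prefix of another symbol present in the config (a constructed example: checking `FOO` when the file contains `CONFIG_FOO_BAR=y`) makes the assertion fail even though `FOO` itself is correctly absent, and the check does not express what it is guarding against, which is an enabled `CONFIG_<name>=y`/`=m` line. Anchoring the fallback on that form keeps the commit's intent, absence counts as disabled, while matching only the symbol in question: `assert line in kernel_config or "CONFIG_{}=".format(kernel_opts) not in kernel_config`. Because the reason for accepting absence lives only in the commit message, a comment above the assert such as `# 5.4 configs omit some symbols entirely (e.g. CONFIG_IRDA); absence counts as disabled` would keep the next reader from tightening it back. `test_wireless_disabled_in_kernel_config` and its `kernel_opts` parametrization both lie outside this hunk.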
@@ -29,7 +29,7 @@
 - name: Create any necessary parent directories for jinja files
 file:
- path: "{{ build_path }}/{{ item.path | dirname |regex_replace('^\\/.*'+package_name, '') }}"
+ path: "{{ build_path }}/{{ item.path | dirname |regex_replace('^\\/.*'+package_dirname, '') }}"
 state: directory
 with_items: "{{ jinja_files_found.files }}"
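Review bot: `package_dirname` is concatenated straight into the `regex_replace` pattern on the `path:` line, so any regex metacharacter in a package directory name (a `.` or `+` in a versioned name, for instance) is interpreted as pattern syntax rather than matched literally, and the greedy `'^\\/.*'` prefix strips everything up to the last occurrence of the name if it appears more than once in the path. Escaping the variable makes the match literal: `path: "{{ build_path }}/{{ item.path | dirname |regex_replace('^\\/.*' + (package_dirname | regex_escape), '') }}"`. Whether any current package directory name contains such characters is not visible here, so this is defensive rather than a reported failure; where `package_dirname` is defined is also outside the hunk.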