Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use paxctl for Xenial, paxctld for Focal #5808

Merged
merged 1 commit into from
Feb 23, 2021
Merged

Use paxctl for Xenial, paxctld for Focal #5808

merged 1 commit into from
Feb 23, 2021

Conversation

conorsch
Copy link
Contributor

@conorsch conorsch commented Feb 22, 2021
edited
Loading

Status

Ready for review

Description of Changes

Closes #3916.

Continues to use paxctld under Xenial, same as always, but removes any
use of it under Focal, where paxctld is already preferred.

Updated the tests accordingly. Removes an unused (xfail) paxctl test,
since it wasn't running anyway. Preserved the "paxctld" dependency for
securedrop-app-code, since the postinst logic still uses it. We can
remove that after OS migration.

Removes mention of the 4.14.x kernel series for Focal, as well, since we
don't plan to support that series post-Xenial.

Testing

  • Visual review of test changes
  • CI passing is sufficient

Deployment

Changes are Focal-specific, Xenial behavior has been preserved.

Checklist

If you made changes to the server application code:

  • Linting (make lint) and tests (make test) pass in the development container

If you made changes to securedrop-admin:

  • Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

If you added or removed a file deployed with the application:

  • I have updated AppArmor rules to include the change

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

Choose one of the following:

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation
  • These changes do not require documentation

If you added or updated a code dependency:

Choose one of the following:

  • I have performed a diff review and pasted the contents to the packaging wiki
  • I would like someone else to do the diff review

@conorsch conorsch force-pushed the no-paxctl-for-focal branch 2 times, most recently from ae46ad9 to a308769 Compare February 22, 2021 22:19
Use paxctl for Xenial, paxctld for Focal
4cf8cc8 
Continues to use paxctld under Xenial, same as always, but removes any
use of it under Focal, where paxctld is already preferred.

Updated the tests accordingly. Removes an unused (xfail) paxctl test,
since it wasn't running anyway. Preserved the "paxctld" dependency for
securedrop-app-code, since the postinst logic still uses it. We can
remove that after OS migration.

Removes mention of the 4.14.x kernel series for Focal, as well, since we
don't plan to support that series post-Xenial.
@conorsch conorsch force-pushed the no-paxctl-for-focal branch from a308769 to 4cf8cc8 Compare February 23, 2021 01:25
@conorsch conorsch marked this pull request as ready for review February 23, 2021 01:26
kushaldas
kushaldas approved these changes Feb 23, 2021
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks sound. The tests are good. Approved.

install_files/ansible-base/group_vars/all/securedrop
@@ -44,4 +44,4 @@ securedrop_pkg_grsec_xenial:

securedrop_pkg_grsec_focal:
ver: "5.4.97"
depends: "linux-image-5.4.97-grsec-securedrop,linux-image-4.14.188-grsec-securedrop,intel-microcode"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Finally :)

@kushaldas kushaldas merged commit d95de9e into develop Feb 23, 2021
@kushaldas kushaldas deleted the no-paxctl-for-focal branch February 23, 2021 04:16
@kushaldas kushaldas mentioned this pull request Feb 26, 2021
Closed
27 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kushaldas kushaldas kushaldas approved these changes

@emkll emkll Awaiting requested review from emkll

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

PaX flags are unset during install time
2 participants
@conorsch @kushaldas