Merge pull request #4962 from freedomofpress/4843-linux-4.14.150

Update SecureDrop kernels to 4.14 series
freedomofpress · Nov 12, 2019 · 10187b7 · 10187b7
2 parents 380166c + aa2493d
commit 10187b7
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 10 deletions.
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
@@ -40,5 +40,5 @@ securedrop_cond_reboot_file: /tmp/sd-reboot-now
 
 # If you bump this, also remember to bump in molecule/builder/tests/vars.yml
 securedrop_pkg_grsec:
-  ver: "4.4.182"
-  depends: "linux-image-4.4.177-grsec,linux-firmware-image-4.4.177-grsec,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec,intel-microcode"
+  ver: "4.14.152"
+  depends: "linux-image-4.14.152-grsec-securedrop,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec,intel-microcode"
diff --git a/install_files/securedrop-grsec/DEBIAN/postinst b/install_files/securedrop-grsec/DEBIAN/postinst
@@ -23,6 +23,11 @@ case "$1" in
     # highest kernel version. Any kernel provided by apt.freedom.press must
     # suprecede the ones provided by Ubuntu.
     sed -i '/^GRUB_DEFAULT=/s/=.*/=0/' /etc/default/grub
+    # When using CONFIG_PAX_KERNEXEC, the grsecurity team recommends the kernel
+    # is booted with "noefi" on the kernel command line if "CONFIG_EFI" is
+    # enabled, as EFI runtime services are necessarily mapped as RWX.
+    sed -i '/^GRUB_CMDLINE_LINUX_DEFAULT=/s/=.*/=\"noefi\"/' /etc/default/grub
+
     update-grub
     ;;
 

diff --git a/molecule/builder-xenial/tests/vars.yml b/molecule/builder-xenial/tests/vars.yml
@@ -3,7 +3,7 @@ securedrop_version: "1.2.0~rc1"
 ossec_version: "3.0.0"
 keyring_version: "0.1.3"
 config_version: "0.1.3"
-grsec_version: "4.4.182"
+grsec_version: "4.14.152"
 
 # These values will be interpolated with values populated above
 # via helper functions in the tests.

diff --git a/molecule/testinfra/staging/common/test_grsecurity.py b/molecule/testinfra/staging/common/test_grsecurity.py
@@ -16,8 +16,7 @@ def test_ssh_motd_disabled(host):
 
 
 @pytest.mark.parametrize("package", [
-    'linux-firmware-image-{}-grsec'.format(KERNEL_VERSION),
-    'linux-image-{}-grsec'.format(KERNEL_VERSION),
+    'linux-image-{}-grsec-securedrop'.format(KERNEL_VERSION),
     'paxctl',
     'securedrop-grsec',
 ])
@@ -71,8 +70,8 @@ def test_grsecurity_kernel_is_running(host):
     Make sure the currently running kernel is specific grsec kernel.
     """
     c = host.run('uname -r')
-    assert c.stdout.strip().endswith('-grsec')
-    assert c.stdout.strip() == '{}-grsec'.format(KERNEL_VERSION)
+    assert c.stdout.strip().endswith('-grsec-securedrop')
+    assert c.stdout.strip() == '{}-grsec-securedrop'.format(KERNEL_VERSION)
 
 
 @pytest.mark.parametrize('sysctl_opt', [
@@ -177,7 +176,6 @@ def test_pax_flags(host, binary):
   'WIMAX',
   'WIRELESS',
   'HAMRADIO',
-  'IRDA',
   'BT',
 ])
 def test_wireless_disabled_in_kernel_config(host, kernel_opts):
@@ -187,7 +185,7 @@ def test_wireless_disabled_in_kernel_config(host, kernel_opts):
     disabled in the running kernel config!
     """
 
-    kernel_config_path = "/boot/config-{}-grsec".format(KERNEL_VERSION)
+    kernel_config_path = "/boot/config-{}-grsec-securedrop".format(KERNEL_VERSION)
     kernel_config = host.file(kernel_config_path).content_string
 
     line = "# CONFIG_{} is not set".format(kernel_opts)

diff --git a/molecule/testinfra/staging/vars/staging.yml b/molecule/testinfra/staging/vars/staging.yml
@@ -192,4 +192,4 @@ log_events_with_ossec_alerts:
     rule_id: "400700"
 
 fpf_apt_repo_url: "https://apt-test.freedom.press"
-grsec_version: "4.4.182"
+grsec_version: "4.14.152"