Bump securedrop-grsec-focal metapackage to 5.4.88

This will pull in and install 5.4 series kernels for Focal installs, thanks to the split metapackage logic introduced in #5691
freedomofpress · Feb 4, 2021 · 8c4430c · 8c4430c
1 parent bf2cc5b
commit 8c4430c
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 11 deletions.
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
@@ -38,6 +38,10 @@ enable_ssh_over_tor: true
 securedrop_cond_reboot_file: /tmp/sd-reboot-now
 
 # If you bump this, also remember to bump in molecule/builder-xenial/tests/vars.yml
-securedrop_pkg_grsec:
+securedrop_pkg_grsec_xenial:
   ver: "4.14.188"
   depends: "linux-image-4.14.188-grsec-securedrop,linux-image-4.14.175-grsec-securedrop,intel-microcode"
+
+securedrop_pkg_grsec_focal:
+  ver: "5.4.88"
+  depends: "linux-image-5.4.88-grsec-securedrop,linux-image-4.14.188-grsec-securedrop,intel-microcode"
diff --git a/install_files/securedrop-grsec-focal/DEBIAN/control.j2 b/install_files/securedrop-grsec-focal/DEBIAN/control.j2
@@ -1,9 +1,9 @@
 Package: securedrop-grsec
 Source: securedrop-grsec
-Version: {{ securedrop_pkg_grsec.ver }}+{{ securedrop_target_distribution }}
+Version: {{ securedrop_pkg_grsec_focal.ver }}+{{ securedrop_target_distribution }}
 Architecture: amd64
 Maintainer: SecureDrop Team <securedrop@freedom.press>
-Depends: {{ securedrop_pkg_grsec.depends }},paxctld
+Depends: {{ securedrop_pkg_grsec_focal.depends }},paxctld
 Section: admin
 Priority: optional
 Homepage: https://securedrop.org

diff --git a/install_files/securedrop-grsec-focal/DEBIAN/postinst.j2 b/install_files/securedrop-grsec-focal/DEBIAN/postinst.j2
@@ -17,7 +17,7 @@ set -x
 # the debian-policy package
 
 # Pin current version of custom kernel
-GRSEC_VERSION="{{ securedrop_pkg_grsec.ver }}-grsec-securedrop"
+GRSEC_VERSION="{{ securedrop_pkg_grsec_focal.ver }}-grsec-securedrop"
 
 # Sets default grub boot parameter to the kernel version specified
 # by $GRSEC_VERSION.

diff --git a/install_files/securedrop-grsec/DEBIAN/control.j2 b/install_files/securedrop-grsec/DEBIAN/control.j2
@@ -1,9 +1,9 @@
 Package: securedrop-grsec
 Source: securedrop-grsec
-Version: {{ securedrop_pkg_grsec.ver }}+{{ securedrop_target_distribution }}
+Version: {{ securedrop_pkg_grsec_xenial.ver }}+{{ securedrop_target_distribution }}
 Architecture: amd64
 Maintainer: SecureDrop Team <securedrop@freedom.press>
-Depends: {{ securedrop_pkg_grsec.depends }}
+Depends: {{ securedrop_pkg_grsec_xenial.depends }}
 Section: admin
 Priority: optional
 Homepage: https://securedrop.org

diff --git a/molecule/builder-xenial/tests/test_securedrop_deb_package.py b/molecule/builder-xenial/tests/test_securedrop_deb_package.py
@@ -61,10 +61,17 @@ def make_deb_paths() -> Dict[str, Path]:
     Jinja-based evaluation of the YAML files (so we can't trivially
     reuse vars in other var values, as is the case with Ansible).
     """
-    grsec_version = "{}+{}".format(
-        securedrop_test_vars["grsec_version"],
-        SECUREDROP_TARGET_DISTRIBUTION
-    )
+
+    if SECUREDROP_TARGET_DISTRIBUTION == "xenial":
+        grsec_version = "{}+{}".format(
+            securedrop_test_vars["grsec_version_xenial"],
+            SECUREDROP_TARGET_DISTRIBUTION
+        )
+    else:
+        grsec_version = "{}+{}".format(
+            securedrop_test_vars["grsec_version_focal"],
+            SECUREDROP_TARGET_DISTRIBUTION
+        )
 
     substitutions = dict(
         securedrop_version=securedrop_test_vars["securedrop_version"],

diff --git a/molecule/builder-xenial/tests/vars.yml b/molecule/builder-xenial/tests/vars.yml
@@ -3,7 +3,8 @@ securedrop_version: "1.8.0~rc1"
 ossec_version: "3.6.0"
 keyring_version: "0.1.4"
 config_version: "0.1.3"
-grsec_version: "4.14.188"
+grsec_version_xenial: "4.14.188"
+grsec_version_focal: "5.4.88"
 
 # These values will be interpolated with values populated above
 # via helper functions in the tests.