Only try to apply grsec_lock once #7353

Merged
merged 1 commit into from
Nov 25, 2024
Conversation

legoktm
Member

@legoktm legoktm commented Nov 23, 2024

Status

Ready for review

Description of Changes

Currently we specify both `sysctl_set: yes` and `reload: yes` when setting sysctl settings, which ends up with it being applied twice, first with `sysctl -w` (sysctl_set) and then through `sysctl -p` (reload).

With noble/Linux 6.6, setting the lock twice errors out, so just enable it once with `sysctl -p`. This is also closer to what the kernel will do normally when booting in which the whole file is loaded at once.

Refs #7323.

Testing

How should the reviewer test this PR?

  • staging CI passes (this is a no-op, but tests will verify the sysctl flags are being applied)
  • visual review

Deployment

Any special considerations for deployment? only affects new installs, which is where the bug is

Checklist

@legoktm legoktm added the noble Ubuntu Noble related work label Nov 23, 2024
@legoktm legoktm requested a review from a team as a code owner November 23, 2024 00:27
Contributor

@zenmonkeykstop zenmonkeykstop left a comment

LGTM

@zenmonkeykstop zenmonkeykstop added this pull request to the merge queue Nov 25, 2024
Merged via the queue into develop with commit 50cae7c Nov 25, 2024
45 checks passed
@legoktm legoktm deleted the stg-sysctl-once branch November 26, 2024 00:45
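
The double application described in the PR, sketched as Ansible tasks. This is an added example, not the project's own playbook: the task names and registered variable are hypothetical, and the sysctl name `kernel.grsecurity.grsec_lock` is assumed from the PR title.

```yaml
# Added illustration; task names and the registered variable are hypothetical.

# Before: the value is written to the running kernel with `sysctl -w`
# (sysctl_set) and then written again when the file is reloaded with
# `sysctl -p` (reload). grsec_lock is a one-way switch, so a second
# attempt to set it is what errors out on noble/Linux 6.6.
- name: Set grsec_lock (applied twice)
  ansible.posix.sysctl:
    name: kernel.grsecurity.grsec_lock
    value: "1"
    state: present
    sysctl_set: true
    reload: true

# After: only write the entry to the sysctl file and load the file once
# with `sysctl -p`, the same way the whole file is loaded at boot.
- name: Set grsec_lock (applied once)
  ansible.posix.sysctl:
    name: kernel.grsecurity.grsec_lock
    value: "1"
    state: present
    sysctl_set: false
    reload: true

# Check: confirm the running kernel actually has the lock engaged, so a
# silently skipped reload does not leave grsecurity sysctls writable.
- name: Read back grsec_lock from the running kernel
  ansible.builtin.command: sysctl -n kernel.grsecurity.grsec_lock
  register: grsec_lock_value
  changed_when: false

- name: Assert grsec_lock is engaged
  ansible.builtin.assert:
    that:
      - (grsec_lock_value.stdout | trim) == "1"
    fail_msg: "grsec_lock is not set; grsecurity sysctls can still be changed at runtime"
```

Because the lock freezes every other grsecurity sysctl, it needs to be the last grsecurity entry loaded from the file; the read-back task only confirms the lock itself, not the values that were frozen with it.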
Labels
noble Ubuntu Noble related work
Projects
Status: Done