bug: if grsecurity patch fails with "patch: **** out of memory" error, build continues instead of failing #40

Closed
zenmonkeykstop opened this issue Oct 12, 2023 · 3 comments · Fixed by #45

@zenmonkeykstop (Contributor) commented Oct 12, 2023

As observed in https://raw.githubusercontent.com/freedomofpress/build-logs/main/core/focal/20231011-securedrop-core-5.15.log, if the grsecurity patch isn't applied due to an OOM error, the build script doesn't error out but keeps going, producing the expected packages with no grsecurity changes.

Luckily this doesn't affect the most recent prod kernels; looking at https://raw.githubusercontent.com/freedomofpress/build-logs/main/core/focal/20230906-securedrop-core-5.15.log, the patch was applied properly (and hardware tests would have caught it anyway).

Update: I encountered this on a Qubes-based build with 12GB max RAM. Naively bumping it to 20GB didn't help, and the VM's usage didn't get over about 3GB before the patch command failed.

Update the second: Applying the patch to the source tree outside of docker works fine! Patch itself is 14MB or so.

@zenmonkeykstop (Contributor, Author) commented Oct 12, 2023

Cleared out old Docker images with docker system prune -a, and the patch is now being applied correctly! But the bug still stands IMO, the build script should fail if a patch command fails.

Update: spoke too soon, the kernel build itself is now failing with a bunch of compilation errors

@zenmonkeykstop (Contributor, Author) commented

Still playing around - make vanilla builds work fine, only builds with the grsec patch applied are failing. Possibly the patch is not being applied correctly?

@legoktm (Member) commented Apr 1, 2024

Despite the set -euo pipefail at the top of the script, we were running find /patches-grsec -maxdepth 1 -type f -exec patch -p 1 -i {} \;, which apparently will keep going even if patch returns a non-zero exit code (per stackoverflow).

As of #45, we do:

        subprocess.check_call(
            ["patch", "-p", "1", "-i", "/patches-grsec/grsec"],
            cwd=f"linux-{linux_version}",
        )

which means that any failure by patch will bubble up and stop execution.
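The failure mode described in this thread, reproduced as a small shell demonstration. This is an added example, not code from the securedrop kernel build script or from #45: the fixture directory, the two patch files and the stand-in "patch" command (which fails on any file named *bad*, standing in for the real patch's out-of-memory exit) are constructed here. It shows that `find -exec cmd {} \;` exits 0 even when an invocation of cmd fails, so `set -e` never fires, and that running the command from the shell's own loop propagates the failure.

```shell
#!/bin/sh
# Added example: why `find ... -exec cmd {} \;` defeats `set -e`.
# Everything below (fixture files, fake patch command) is constructed for
# the demonstration and is not the build script's real patch set.
set -eu

# Stand-in for `patch`: succeeds on every file except one named *bad*, where
# it fails the way patch does on OOM: a message on stderr and a non-zero exit.
FAKE_PATCH='case "$1" in *bad*) echo "patch: **** simulated failure on $1" >&2; exit 1 ;; esac'

# Creates a scratch directory with one good and one bad "patch" file and
# prints its path.
make_fixture() {
    d=$(mktemp -d)
    : > "$d/ok.patch"
    : > "$d/bad.patch"
    printf '%s\n' "$d"
}

# The pattern from the original script: find keeps going after a failed
# -exec invocation and still exits 0, so the caller (and set -e) sees success.
apply_with_find_exec() {
    find "$1" -maxdepth 1 -type f -exec sh -c "$FAKE_PATCH" sh {} \;
}

# Fix: run the command from the shell itself so every exit status is checked;
# `|| return 1` makes the first failing patch fatal to the caller.
apply_with_loop() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        sh -c "$FAKE_PATCH" sh "$f" || return 1
    done
}

# Runs both variants on the same fixture; returns 0 when the silent-failure
# bug is reproduced by the find form and the loop form reports the failure.
demonstrate() {
    d=$(make_fixture)
    if apply_with_find_exec "$d"; then
        echo "find -exec: exit status 0 despite the failed patch (bug reproduced)"
    else
        echo "find -exec: reported the failure"
        rm -rf "$d"
        return 1
    fi
    if apply_with_loop "$d"; then
        echo "loop: failure was NOT propagated"
        rm -rf "$d"
        return 1
    else
        echo "loop: failure propagated (non-zero exit status)"
    fi
    rm -rf "$d"
}

demonstrate
```

The loop form is portable POSIX sh. GNU find also documents that the `-exec cmd {} +` form makes find exit non-zero if any invocation fails, but that is a GNU behaviour rather than a POSIX guarantee, and it still does not stop at the first failure, which is why moving the call into the script itself (as #45 does with subprocess.check_call) is the more robust fix.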
