Always use latest kernel

Until now, the postinst action for the securedrop-grsec metapackage would preserve preferences for a rolled back kernel. This will now remove this preference, by setting GRUB_DEFAUT=0, which will instruct grub to use the highest kernel version available on the system.
freedomofpress · Oct 10, 2018 · b37ebb2 · b37ebb2
1 parent 890321e
commit b37ebb2
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 12 deletions.
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
@@ -53,5 +53,5 @@ securedrop_cond_reboot_file: /tmp/sd-reboot-now
 
 # If you bump this, also remember to bump in molecule/builder/tests/vars.yml
 securedrop_pkg_grsec:
-  ver: "4.4.144"
+  ver: "4.4.144-1"
   depends: "linux-image-3.14.79-grsec,linux-image-4.4.135-grsec,linux-firmware-image-4.4.135-grsec,linux-image-4.4.144-grsec,linux-firmware-image-4.4.144-grsec"
diff --git a/install_files/securedrop-grsec/DEBIAN/postinst b/install_files/securedrop-grsec/DEBIAN/postinst
@@ -19,16 +19,11 @@ set -x
 case "$1" in
     configure)
 
-    # If the SecureDrop instance is running a rolled-back kernel, this will
-    # preserve the kernel boot priority specfied in its ordinal form by the
-    # canonical form. (In this specific case, 1>2 as GRUB_DEFAULT in
-    # /etc/default/grub indicates the instance is running 3.14.79-grsec)
-    # In any other case, we want to run the latest 4.4 series kernel.
-    if grep -qE "^GRUB_DEFAULT=[\"\' ]*1>2[\"\' ]*$" /etc/default/grub; then
-        sed -i "s/^\(GRUB_DEFAULT=\)[\"\' ]*1>2[\"\' ]*$/\1\"Advanced options for Ubuntu>Ubuntu, with Linux 3.14.79-grsec\"/" /etc/default/grub
-        # update grub to set the new default
-        update-grub2
-    fi
+    # Replace the default GRUB boot option with 0, which defaults to the
+    # highest kernel version. Any kernel provided by apt.freedom.press must
+    # suprecede the ones provided by Ubuntu.
+    sed -i '/^GRUB_DEFAULT=/s/=.*/=0/' /etc/default/grub
+    update-grub
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)

diff --git a/molecule/builder/tests/vars.yml b/molecule/builder/tests/vars.yml
@@ -3,7 +3,7 @@ securedrop_version: "0.10.0~rc1"
 ossec_version: "3.0.0"
 keyring_version: "0.1.2"
 config_version: "0.1.1"
-grsec_version: "4.4.144"
+grsec_version: "4.4.144-1"
 
 # These values will be interpolated with values populated above
 # via helper functions in the tests.