Merge pull request #5518 from freedomofpress/5495-focal-kernels-early…

…-days Provides first-run custom kernel support for Focal
freedomofpress · Sep 21, 2020 · b61404e · b61404e
2 parents 79e322f + 05018a4
commit b61404e
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml b/install_files/ansible-base/roles/common/vars/Ubuntu_focal.yml
@@ -2,3 +2,4 @@
 securedrop_kernel_packages_to_remove:
   - linux-virtual
   - linux-generic
+  - 'linux-image-.*generic'
diff --git a/install_files/ansible-base/roles/grsecurity/defaults/main.yml b/install_files/ansible-base/roles/grsecurity/defaults/main.yml
@@ -11,3 +11,8 @@ grsec_sysctl_flags:
     # exist otherwise.
   - name: "vm.heap_stack_gap"
     value: "1048576"
+
+# Lookup table for how to create PaX flags, depending on OS.
+paxctl_header_type:
+  xenial: C
+  focal: c
diff --git a/install_files/ansible-base/roles/grsecurity/tasks/paxctl.yml b/install_files/ansible-base/roles/grsecurity/tasks/paxctl.yml
@@ -21,7 +21,8 @@
     - /usr/bin/grub-script-check
 
 - name: Adjust paxctl headers on grub binaries.
-  command: paxctl -zCE {{ item.item }}
+  command: paxctl -z{{ paxctl_header_type[ansible_distribution_release] }}E {{ item.item }}
   with_items: "{{ paxctl_grub_header_check.results }}"
-  when: "item.stdout != '- PaX flags: --------E--- [{{ item.item }}]' or
-         item.rc != 0"
+  when: >
+    item.stdout != '- PaX flags: --------E--- ['+item.item+']'
+    or item.rc != 0