Update grsecurity kernels to 4.14.175 #5188
Conversation
There was a problem hiding this comment.
Thanks @conorsch , took a spin through changes in
freedomofpress/ansible-role-grsecurity-build#57 and freedomofpress/securedrop-apt-test#37 ,
Kernel seems to work well (functional app, no errors in syslog) for libvirt VMs, Mac Minis and NUC 5's. However, running into some issues with testinfra in the staging scenario, after installing the 175 kernels, where I observe 26 failing tests (13 per VM), all having to do with kernel configuration or grub.conf (see below). This appears to be an issue with the tests, but not the kernel configuration itself, based on manual testing:
E RuntimeError: Unexpected output CommandResult(command=b'cat -- /boot/config-4.14.175-grsec-securedrop', exit_status=1, stdout=None, stderr=b"Warning: Permanently added '192.168.121.116' (ECDSA) to the list of known hosts.\r\ncat: /boot/config-4.14.175-grsec-securedrop: Permission denied\n")
/home/m/.virtualenvs/securedrop/lib/python3.7/site-packages/testinfra/modules/file.py:135: RuntimeError
_________ test_mds_mitigations_and_smt_disabled[ansible://app-staging] _________
[gw3] linux -- Python 3.7.3 /home/m/.virtualenvs/securedrop/bin/python3
host = <testinfra.host.Host object at 0x7fda8fc3e208>
def test_mds_mitigations_and_smt_disabled(host):
"""
Ensure that full mitigations are in place for MDS
see https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
"""
grub_config_path = "/boot/grub/grub.cfg"
grub_config = host.file(grub_config_path)
> assert grub_config.contains("mds=full,nosmt")
../testinfra/staging/common/test_grsecurity.py:222:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/home/m/.virtualenvs/securedrop/lib/python3.7/site-packages/testinfra/modules/file.py:122: in contains
return self.run_test("grep -qs -- %s %s", pattern, self.path).rc == 0
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
self = <testinfra.host.Host object at 0x7fda8fc3e208>
command = 'grep -qs -- %s %s', args = ('mds=full,nosmt', '/boot/grub/grub.cfg')
kwargs = {}
def run_test(self, command, *args, **kwargs):
"""Run command and check it return an exit status of 0 or 1
:raises: AssertionError
"""
> return self.run_expect([0, 1], command, *args, **kwargs)
E AssertionError: Unexpected exit code 2 for CommandResult(command=b'grep -qs -- mds=full,nosmt /boot/grub/grub.cfg', exit_status=2, stdout=None, stderr=b"Warning: Permanently added '192.168.121.116' (ECDSA) to the list of known hosts.\r\n")
E assert 2 in [0, 1]
E + where 2 = CommandResult(command=b'grep -qs -- mds=full,nosmt /boot/grub/grub.cfg', exit_status=2, stdout=None, stderr=b"Warning: Permanently added '192.168.121.116' (ECDSA) to the list of known hosts.\r\n").rc
/home/m/.virtualenvs/securedrop/lib/python3.7/site-packages/testinfra/host.py:90: AssertionError
__________________ test_apt_autoremove[ansible://app-staging] __________________
Kernel config no longer appears to be world-readable
-rw-r--r-- 1 root root 197K Nov 13 00:19 config-4.14.154-grsec-securedrop
-rw------- 1 root root 197K Apr 6 22:05 config-4.14.175-grsec-securedrop
|
4.14.175 kernels good on Dell r620 and r440 test hardware, no install issues or errors on first reboot. Will take a look again after they've been running for a nightly reboot cycle. |
| @@ -40,5 +40,5 @@ securedrop_cond_reboot_file: /tmp/sd-reboot-now | |||
|
|
|||
| # If you bump this, also remember to bump in molecule/builder/tests/vars.yml | |||
| securedrop_pkg_grsec: | |||
| ver: "4.14.154" | |||
| ver: "4.14.175" | |||
| depends: "linux-image-4.14.154-grsec-securedrop,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec,intel-microcode" | |||
There was a problem hiding this comment.
The depends: line should be updated with the new version package. Overlooked that in my first round of changes. Will amend, build, update freedomofpress/securedrop-apt-test#37, then add the test changes suggested by @emkll.
There was a problem hiding this comment.
Done. Ready for re-review.
conorsch
force-pushed
the
5111-kernels-4.14.175
branch
from
9c19bfe
to
da07ca7
Compare
As of the upgrade to 4.14.175 kernels, the entire /boot directly is 700 root:root. That means we'll have to use sudo on the testinfra checks reading files in there, particularly the kernel config.
There was a problem hiding this comment.
Thanks @conorsch for the fix, confirming all tests pass for me locally. Once freedomofpress/securedrop-apt-test#37 is merged and the cron job runs, we should restart a CI job. Once CI passes, this is good to merge.
| ver: "4.14.154" | ||
| depends: "linux-image-4.14.154-grsec-securedrop,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec,intel-microcode" | ||
| ver: "4.14.175" | ||
| depends: "linux-image-4.14.175-grsec-securedrop,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec,intel-microcode" |
There was a problem hiding this comment.
is there a reason we are still dependending on an older 4.4 series kernel, and not the last known good kernel (4.14.154)? should we not simply preserve the previous known good kernel version
There was a problem hiding this comment.
Great point, @emkll. I admit the same issue gave my pause while making the update. Will raise in standup today to make sure support team doesn't have any concerns, then proceed with updating to current-and-previous as standard going forward.
There was a problem hiding this comment.
No concerns raised in standup, proceeding with updating the pinned dependencies as suggested.
The 4.4.x kernel series is EOL, so let's update the metapackage dependencies to require: * current latest (4.14.175) * previous versoin (4.14.154) That'll still provide rollback capability in the event of problems.
|
Thanks @conorsch new changes to metapackage look good visually. Based on my review and @zenmonkeykstop 's review above, I think we can now update the metapackage in freedomofpress/securedrop-apt-test#37 and proceed to the next step in the PR's testplan. |
|
CI appears to be failing due to the latest Tor Browser update (https://circleci.com/gh/freedomofpress/securedrop/39518?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link) @conorsch since the merge of this PR is blocking other PRs (due to merge of the kernels to the pat repo), would you mind appending a commit to this branch (similar to https://github.com/freedomofpress/securedrop/pull/5173/files)? The latest version is 9.0.9 (https://www.torproject.org/download/) |
|
Oops, just seeing your message @emkll, jumping on the TBB fix to unbreak CI... |
Closes #5111
Status
Work in progress
Description of Changes
Fixes #4989, towards #4992 upgrades SecureDrop kernels to 4.14.184
Testing
Deployment
New and existing installs will be updated via deb packages and unattended upgrades via cron-apt
Checklist
If you made changes to the server application code:
make lint) and tests (make test) pass in the development containerIf you made changes to
securedrop-admin:make -C admin test) pass in the admin development containerIf you made changes to the system configuration:
If you made non-trivial code changes:
If you made changes to documentation:
make docs-lint) passed locallyIf you added or updated a code dependency:
Choose one of the following: