Fixes #5507 marks grsec kernel as default on Focal #5521
Thanks @kushaldas, went through the test plan and experienced a couple of issues:
- GRUB_DEFAULT value remains unchanged in /etc/default/grub when running molecule converge -s libvirt-staging-xenial
- This will only work on playbook installs, it may be more prudent to apply those changes as part of the metapackage as part of the postinst, similar to how we do it for workstation kernels [1]? What do you think?
Yes, I modified this to be applied only on Focal installations. If we want, I can mark it for both Xenial and Focal.
Yes, but as that would be on the Kernel metapackage itself, I did not touch it in this.
If we force a specific kernel, we must do so in the metapackage. The effect of this PR would be that a Focal instance is permanently on a specific kernel version, meaning nightly updates won't change that value. The only way to change it would be to require an admin to run the playbook again. It's worth noting that right now, when using Focal VMs, the grsec kernel is preferred. The logic that we have in place to force grsec on the subsequent boot, followed by removing all non-grsec kernels, is sufficient to force grsec over multiple reboots. Before Focal support is production-ready we should indeed peg a version via the metapackage, as @emkll recommends, but I don't see a pressing need to do that right now, especially since we're entering freeze for 1.6.0.
@kushaldas Based on our conversation today, I suggest we close this PR. Since the kernel-related config tests are currently passing, we don't need to update the metapackage logic, and deferring such changes simplifies the ongoing release QA, as well. We'd still keep #5507 open to track a more durable update, but we can do that after the entirety of the Focal tests, both config & app, are passing. What do you think?
Marking the current version of the grsec kernel as the default on Focal. We will have to update the version string when we release a new kernel.
As discussed above, I'm closing this issue. We're currently able to test the custom kernels in Focal VMs without this patch, which is good enough for the next steps on Focal support. I'll add some more info to #5507 tracking related concerns that we'll want to address prior to prod.
GRSEC_VERSION='4.14.188-grsec'

# Sets default grub boot parameter to the kernel version specified
# by $GRSEC_VERSION. The debian buster default kernel is 4.19, thus
Comment references "buster" & "4.19" kernel, neither of which are relevant to SecureDrop servers. The comment and the rest of the postinst
patch are pulled from https://github.com/freedomofpress/securedrop-debian-packaging/blob/05eedc6e2a5d9a1c53ebb6dda0a2188365063e05/securedrop-workstation-grsec/debian/postinst#L26-L32 We should definitely rewrite for clarity if/when we adopt this approach.
# by $GRSEC_VERSION. The debian buster default kernel is 4.19, thus
# supersedes this 4.14.x series grsecurity kernel at boot-time
set_grub_default() {
GRUB_OPT="'Advanced options for Debian GNU/Linux>Debian GNU/Linux, with Linux $GRSEC_VERSION'"
In the grub menu, does Ubuntu still set Debian GNU/Linux>Debian GNU/Linux? That is, I'd expect "Ubuntu", not "Debian". See in securedrop/install_files/ansible-base/roles/grsecurity/tasks/from_fpf_repo_install_grsec.yml, line 61 in f81e415:
command: grub-reboot "Advanced options for Ubuntu>{{ grsec_str.stdout }}"
where we're explicitly referring to the menu entry as Advanced options for Ubuntu>. It's possible the appropriate settings have changed between Xenial & Focal, but at the very least we should be setting the same in both places.
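The review thread above turns on two details of pinning GRUB_DEFAULT: the parent menu entry label differs between "Debian GNU/Linux" and "Ubuntu", and a postinst that rewrites /etc/default/grub must not leave stale or duplicate GRUB_DEFAULT lines behind on repeated runs. The following POSIX shell script is an added example written for this page; it is not code from the SecureDrop postinst or playbook. It parameterises the distro label and the defaults-file path, and the helper names grub_default_value and get_grub_default, as well as the sample defaults file, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SecureDrop's postinst): pin GRUB_DEFAULT to a specific
# kernel menu entry in a grub defaults file, idempotently, and read it back.
# Assumptions: the defaults-file path, the distro label ("Ubuntu" vs
# "Debian GNU/Linux") and the "Advanced options for <distro>><entry>" menu
# layout are parameters, since the review notes the label differs.
set -u

# Build the GRUB_DEFAULT value for a kernel version under a given distro label.
# $1 = distro label as GRUB prints it, $2 = kernel version (uname -r style)
grub_default_value() {
    printf "'Advanced options for %s>%s, with Linux %s'" "$1" "$1" "$2"
}

# Set GRUB_DEFAULT in a defaults file: drop every existing GRUB_DEFAULT line
# and append the pinned one, so a second run changes nothing.
# $1 = defaults file (e.g. /etc/default/grub), $2 = distro label, $3 = version
set_grub_default() {
    file="$1"
    value=$(grub_default_value "$2" "$3")
    tmp="${file}.tmp.$$"
    # grep -v exits 1 when every line matched; that is not an error here.
    grep -v '^GRUB_DEFAULT=' "$file" > "$tmp" || true
    printf 'GRUB_DEFAULT=%s\n' "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Return the current GRUB_DEFAULT value (last one wins, empty if unset).
get_grub_default() {
    sed -n 's/^GRUB_DEFAULT=//p' "$1" | tail -n 1
}

# Constructed sample defaults file for the demo; a real run would edit
# /etc/default/grub and then run update-grub to regenerate grub.cfg.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
EOF

set_grub_default "$demo_file" "Ubuntu" "4.14.188-grsec"
set_grub_default "$demo_file" "Ubuntu" "4.14.188-grsec"   # repeat run is a no-op
echo "GRUB_DEFAULT is now: $(get_grub_default "$demo_file")"
echo "GRUB_DEFAULT lines present: $(grep -c '^GRUB_DEFAULT=' "$demo_file")"
```

After the file edit, update-grub still has to run for the pin to take effect, and the label passed as the second argument must match what GRUB_DISTRIBUTOR produces on the target; a mismatch silently falls back to the first menu entry, which is exactly the failure the reviewers are checking for.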
Status
Ready for review
Description of Changes
Fixes #5507
Marking the current version of the grsec kernel as the default on Focal. We will have to update the version string when we release a new kernel.
Testing
NOTE: If I manually install the freshly built securedrop-grsec metapackage on the vms, it behaves as it should. But, otherwise it installs the package from the apt repo (instead of the local one). Any tips? @conorsch @emkll?
- make build-debs-focal
- molecule converge -s libvirt-staging-focal
- grsec kernel
- molecule destroy -s libvirt-staging-focal
- make build-debs
- molecule converge -s libvirt-staging-xenial
- grsec kernel
Deployment
Any special considerations for deployment? Consider both:
Checklist
If you made changes to the server application code:
- Linting (make lint) and tests (make test) pass in the development container
If you made changes to securedrop-admin:
- Linting and tests (make -C admin test) pass in the admin development container
If you made changes to the system configuration:
If you made non-trivial code changes:
If you made changes to documentation:
- Doc linting (make docs-lint) passed locally
If you added or updated a code dependency:
Choose one of the following: