
Update grsecurity kernels to 4.14.175 #5188

Merged
merged 4 commits into from
Apr 9, 2020

Conversation

conorsch
Contributor

@conorsch conorsch commented Apr 7, 2020

Closes #5111

Status

Work in progress

Description of Changes

Fixes #4989, towards #4992: upgrades SecureDrop kernels to 4.14.184

Testing

Deployment

New and existing installs will be updated via deb packages and unattended upgrades via cron-apt

Checklist

If you made changes to the server application code:

  • Linting (make lint) and tests (make test) pass in the development container

If you made changes to securedrop-admin:

  • Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

If you made changes to documentation:

  • Doc linting (make docs-lint) passed locally

If you added or updated a code dependency:

Choose one of the following:

  • I have performed a diff review and pasted the contents to the packaging wiki
  • I would like someone else to do the diff review

@conorsch conorsch requested a review from emkll April 7, 2020 00:38
@conorsch conorsch marked this pull request as ready for review April 7, 2020 00:56
@conorsch conorsch requested a review from kushaldas as a code owner April 7, 2020 00:56
@emkll emkll left a comment

Thanks @conorsch, took a spin through the changes in freedomofpress/ansible-role-grsecurity-build#57 and freedomofpress/securedrop-apt-test#37.

Kernel seems to work well (functional app, no errors in syslog) for libvirt VMs, Mac Minis and NUC 5s. However, I'm running into some issues with testinfra in the staging scenario, after installing the 175 kernels, where I observe 26 failing tests (13 per VM), all having to do with kernel configuration or grub.conf (see below). This appears to be an issue with the tests, but not the kernel configuration itself, based on manual testing:

    E           RuntimeError: Unexpected output CommandResult(command=b'cat -- /boot/config-4.14.175-grsec-securedrop', exit_status=1, stdout=None, stderr=b"Warning: Permanently added '192.168.121.116' (ECDSA) to the list of known hosts.\r\ncat: /boot/config-4.14.175-grsec-securedrop: Permission denied\n")
    
    /home/m/.virtualenvs/securedrop/lib/python3.7/site-packages/testinfra/modules/file.py:135: RuntimeError
    _________ test_mds_mitigations_and_smt_disabled[ansible://app-staging] _________
    [gw3] linux -- Python 3.7.3 /home/m/.virtualenvs/securedrop/bin/python3
    
    host = <testinfra.host.Host object at 0x7fda8fc3e208>
    
        def test_mds_mitigations_and_smt_disabled(host):
            """
            Ensure that full mitigations are in place for MDS
            see https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
            """
        
            grub_config_path = "/boot/grub/grub.cfg"
            grub_config = host.file(grub_config_path)
        
    >       assert grub_config.contains("mds=full,nosmt")
    
    ../testinfra/staging/common/test_grsecurity.py:222:
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    /home/m/.virtualenvs/securedrop/lib/python3.7/site-packages/testinfra/modules/file.py:122: in contains
        return self.run_test("grep -qs -- %s %s", pattern, self.path).rc == 0
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    
    self = <testinfra.host.Host object at 0x7fda8fc3e208>
    command = 'grep -qs -- %s %s', args = ('mds=full,nosmt', '/boot/grub/grub.cfg')
    kwargs = {}
    
        def run_test(self, command, *args, **kwargs):
            """Run command and check it return an exit status of 0 or 1
        
                :raises: AssertionError
                """
    >       return self.run_expect([0, 1], command, *args, **kwargs)
    E       AssertionError: Unexpected exit code 2 for CommandResult(command=b'grep -qs -- mds=full,nosmt /boot/grub/grub.cfg', exit_status=2, stdout=None, stderr=b"Warning: Permanently added '192.168.121.116' (ECDSA) to the list of known hosts.\r\n")
    E       assert 2 in [0, 1]
    E        +  where 2 = CommandResult(command=b'grep -qs -- mds=full,nosmt /boot/grub/grub.cfg', exit_status=2, stdout=None, stderr=b"Warning: Permanently added '192.168.121.116' (ECDSA) to the list of known hosts.\r\n").rc
    
    /home/m/.virtualenvs/securedrop/lib/python3.7/site-packages/testinfra/host.py:90: AssertionError
    __________________ test_apt_autoremove[ansible://app-staging] __________________

Kernel config no longer appears to be world-readable

-rw-r--r--  1 root root 197K Nov 13 00:19 config-4.14.154-grsec-securedrop
-rw-------  1 root root 197K Apr  6 22:05 config-4.14.175-grsec-securedrop

@zenmonkeykstop
Contributor

4.14.175 kernels good on Dell r620 and r440 test hardware, no install issues or errors on first reboot. Will take a look again after they've been running for a nightly reboot cycle.

@@ -40,5 +40,5 @@ securedrop_cond_reboot_file: /tmp/sd-reboot-now

# If you bump this, also remember to bump in molecule/builder/tests/vars.yml
securedrop_pkg_grsec:
ver: "4.14.154"
ver: "4.14.175"
depends: "linux-image-4.14.154-grsec-securedrop,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec,intel-microcode"
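Review bot: the `depends:` line in this hunk still pins linux-image-4.14.154-grsec-securedrop while `ver` is bumped to "4.14.175", so the metapackage would not pull in the new kernel image; update it to `linux-image-4.14.175-grsec-securedrop` in the same change, and, as the comment above `securedrop_pkg_grsec` says, mirror the bump in molecule/builder/tests/vars.yml.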
Contributor Author

The depends: line should be updated with the new version package. Overlooked that in my first round of changes. Will amend, build, update freedomofpress/securedrop-apt-test#37, then add the test changes suggested by @emkll.

Contributor Author

Done. Ready for re-review.

@conorsch conorsch force-pushed the 5111-kernels-4.14.175 branch from 9c19bfe to da07ca7 Compare April 7, 2020 23:28
As of the upgrade to 4.14.175 kernels, the entire /boot directory is 700
root:root. That means we'll have to use sudo on the testinfra checks
reading files in there, particularly the kernel config.
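An added example (not SecureDrop's own test code) of the sudo-based approach the commit describes: a testinfra-style check that reads the root-only kernel config and grub.cfg under host.sudo() and delegates the parsing to plain functions that can be exercised offline on constructed input. The kernel version is the one from this PR; the required config option and grub parameter are illustrative assumptions, not the project's list.

```python
import re

KERNEL_VER = "4.14.175-grsec-securedrop"      # version from the PR title
KERNEL_CONFIG = f"/boot/config-{KERNEL_VER}"
GRUB_CFG = "/boot/grub/grub.cfg"

# Illustrative expectations (assumption, not the project's list): the grub
# parameter the failing test above checked, plus one grsecurity config option.
REQUIRED_GRUB_PARAMS = ("mds=full,nosmt",)
REQUIRED_CONFIG = {"CONFIG_GRKERNSEC": "y"}

# Constructed sample inputs so the parsers can be exercised offline.
SAMPLE_CONFIG = "CONFIG_GRKERNSEC=y\n# CONFIG_DEVKMEM is not set\nCONFIG_LOCALVERSION=\"-grsec-securedrop\"\n"
SAMPLE_GRUB = "menuentry 'SecureDrop' {\n\tlinux /vmlinuz-4.14.175-grsec-securedrop root=/dev/sda1 ro mds=full,nosmt\n}\n"

def parse_kernel_config(text):
    """Parse /boot/config-* text into {option: value}; '# X is not set' -> 'n'."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = "n"
    return opts

def missing_config(text, required=REQUIRED_CONFIG):
    """Return required options whose value differs from the expectation (absent counts)."""
    opts = parse_kernel_config(text)
    return {k: v for k, v in required.items() if opts.get(k) != v}

def missing_grub_params(text, required=REQUIRED_GRUB_PARAMS):
    """Return required cmdline params not present on every 'linux' line of grub.cfg."""
    cmdlines = [ln.split() for ln in text.splitlines() if ln.strip().startswith("linux")]
    return [p for p in required if not cmdlines or any(p not in ln for ln in cmdlines)]

def check_boot_files_hardened(host):
    """testinfra check: /boot is 0700 root:root after the upgrade, so read the
    files under sudo (host.sudo() and File.content_string are testinfra APIs)."""
    with host.sudo():
        config_text = host.file(KERNEL_CONFIG).content_string
        grub_text = host.file(GRUB_CFG).content_string
    assert missing_config(config_text) == {}, "kernel config drifted"
    assert missing_grub_params(grub_text) == [], "grub cmdline missing mitigations"
```

In a real testinfra run the `host` fixture comes from the pytest plugin; grep-style exit code 2 (permission denied) never arises because the reads happen under sudo.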
@emkll emkll left a comment

Thanks @conorsch for the fix, confirming all tests pass for me locally. Once freedomofpress/securedrop-apt-test#37 is merged and the cron job runs, we should restart a CI job. Once CI passes, this is good to merge.

ver: "4.14.154"
depends: "linux-image-4.14.154-grsec-securedrop,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec,intel-microcode"
ver: "4.14.175"
depends: "linux-image-4.14.175-grsec-securedrop,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec,intel-microcode"
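Review bot: the updated `depends:` still requires linux-image-4.4.182-grsec and linux-firmware-image-4.4.182-grsec next to the 4.14.175 image, so the rollback target remains the older 4.4 series rather than the last known-good kernel (4.14.154); consider pinning current plus previous 4.14 release instead, so the fallback kernel is the one that was validated most recently.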
Contributor

Is there a reason we are still depending on an older 4.4 series kernel, and not the last known good kernel (4.14.154)? Should we not simply preserve the previous known good kernel version?

Contributor Author

Great point, @emkll. I admit the same issue gave me pause while making the update. Will raise in standup today to make sure the support team doesn't have any concerns, then proceed with updating to current-and-previous as standard going forward.

Contributor Author

No concerns raised in standup, proceeding with updating the pinned dependencies as suggested.

The 4.4.x kernel series is EOL, so let's update the metapackage
dependencies to require:

  * current latest (4.14.175)
  * previous version (4.14.154)

That'll still provide rollback capability in the event of problems.
@emkll
Contributor

emkll commented Apr 9, 2020

Thanks @conorsch, new changes to the metapackage look good visually. Based on my review and @zenmonkeykstop's review above, I think we can now update the metapackage in freedomofpress/securedrop-apt-test#37 and proceed to the next step in the PR's test plan.

@emkll
Contributor

emkll commented Apr 9, 2020

CI appears to be failing due to the latest Tor Browser update (https://circleci.com/gh/freedomofpress/securedrop/39518?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link)

@conorsch since the merge of this PR is blocking other PRs (due to the merge of the kernels to the apt repo), would you mind appending a commit to this branch (similar to https://github.com/freedomofpress/securedrop/pull/5173/files)? The latest version is 9.0.9 (https://www.torproject.org/download/).

@conorsch
Contributor Author

conorsch commented Apr 9, 2020

Oops, just seeing your message @emkll, jumping on the TBB fix to unbreak CI...

@conorsch conorsch requested a review from redshiftzero as a code owner April 9, 2020 20:56
@emkll emkll left a comment

Thanks, changes look good to me and CI is passing.

@emkll emkll merged commit 9309456 into develop Apr 9, 2020
@emkll emkll deleted the 5111-kernels-4.14.175 branch April 9, 2020 22:50
@zenmonkeykstop zenmonkeykstop mentioned this pull request Apr 29, 2020
Successfully merging this pull request may close these issues.

Update kernels to 4.14.169 or later Upgrade SecureDrop kernels to 4.14.154