Remove ufw from new and existing installs

We don't use ufw and in noble, it conflicts with iptables-persistent, which we do want to use. Remove it during provisioning and install a systemd timer to remove it. (We can't do it during a postinst because we're already in an apt session at that time.) Fixes #7313.
freedomofpress · Oct 31, 2024 · c13410f · c13410f
1 parent eb39e65
commit c13410f
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 2 deletions.
diff --git a/install_files/ansible-base/roles/prepare-servers/tasks/main.yml b/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
@@ -23,9 +23,11 @@
       custom kernel that is not signed. Please disable SecureBoot on the
       target servers and try again.
 
-- name: Remove cloud-init
+- name: Remove cloud-init and ufw
   apt:
-    name: cloud-init
+    name:
+      - cloud-init
+      - ufw
     state: absent
     purge: yes
   tags:

diff --git a/molecule/testinfra/common/test_system_hardening.py b/molecule/testinfra/common/test_system_hardening.py
@@ -173,6 +173,7 @@ def test_iptables_packages(host):
     firewall config across reboots.
     """
     assert host.package("iptables-persistent").is_installed
+    assert not host.package("ufw").is_installed
 
 
 def test_snapd_absent(host):

diff --git a/securedrop/debian/config/lib/systemd/system/securedrop-remove-ufw.service b/securedrop/debian/config/lib/systemd/system/securedrop-remove-ufw.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Remove ufw if installed
+ConditionPathExists=/usr/sbin/ufw
+
+[Service]
+Type=oneshot
+Environment="DEBIAN_FRONTEND=noninteractive"
+ExecStart=/usr/bin/apt-get purge --yes ufw
+User=root
diff --git a/securedrop/debian/config/lib/systemd/system/securedrop-remove-ufw.timer b/securedrop/debian/config/lib/systemd/system/securedrop-remove-ufw.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Remove ufw if installed
+
+[Timer]
+OnCalendar=daily
+Persistent=true
+RandomizedDelaySec=5m
+
+[Install]
+WantedBy=timers.target
diff --git a/securedrop/debian/rules b/securedrop/debian/rules
@@ -78,6 +78,7 @@ override_dh_systemd_enable:
 	dh_systemd_enable --no-enable securedrop-submissions-today.service
 	dh_systemd_enable --no-enable securedrop-clean-tmp.service
 	dh_systemd_enable --no-enable securedrop-remove-pending-sources.service
+	dh_systemd_enable --no-enable securedrop-remove-ufw.service
 	dh_systemd_enable
 
 # This is basically the same as the enable stanza above, just whether the
@@ -86,4 +87,5 @@ override_dh_systemd_start:
 	dh_systemd_start --no-start securedrop-submissions-today.service
 	dh_systemd_start --no-start securedrop-clean-tmp.service
 	dh_systemd_start --no-start securedrop-remove-pending-sources.service
+	dh_systemd_start --no-start securedrop-remove-ufw.service
 	dh_systemd_start
diff --git a/securedrop/debian/securedrop-config.install b/securedrop/debian/securedrop-config.install
@@ -1,2 +1,3 @@
 debian/config/etc /
+debian/config/lib /
 debian/config/opt /