
Drop setting vm.heap_stack_gap and net.ipv4 sysctl flags #7324

Merged
merged 1 commit into from
Nov 21, 2024

Conversation

legoktm
Member

@legoktm legoktm commented Nov 1, 2024

Status

Ready for review

Description of Changes

These are now set via the securedrop-grsec metapackage (see freedomofpress/kernel-builder#55).

Refs #7323.

Testing

How should the reviewer test this PR?

Deployment

Any special considerations for deployment?

This can only be deployed after a kernel with freedomofpress/kernel-builder#55 is released stable. It's safe to merge ahead of time though once the kernel-builder one is approved.

Checklist

@legoktm legoktm added the noble Ubuntu Noble related work label Nov 1, 2024
@legoktm legoktm requested a review from a team as a code owner November 1, 2024 21:38
@legoktm legoktm added this to the SecureDrop 2.11.0 milestone Nov 4, 2024
Contributor

@zenmonkeykstop zenmonkeykstop left a comment


kernel-builder change looks good, but unless there's a compelling reason I'd keep the testinfra check.

Review threads on: molecule/testinfra/common/test_system_hardening.py (outdated, resolved); molecule/testinfra/common/test_grsecurity.py (resolved)
These are now set via the securedrop-grsec metapackage (see
<freedomofpress/kernel-builder#55>).

Tests are left in to verify the migration works properly.

Refs #7323.
@legoktm
Member Author

legoktm commented Nov 6, 2024

This should fail CI now because we haven't built new kernel packages yet, I will see about doing some today or tomorrow.

@cfm cfm self-assigned this Nov 19, 2024
@legoktm
Member Author

legoktm commented Nov 19, 2024

The error is: sed -i '/^vm\\.heap_stack_gap/d' /etc/sysctld.conf", "sed: can't read /etc/sysctld.conf: No such file or directory

which I guess is an install order issue in that we're installing the new kernel before we try setting grsec kernel flags, so there's no sysctld.conf yet. Let me guard it with an if exists check in the metapackage.
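The guard described in the comment above, as an added illustration that is not the kernel-builder or SecureDrop code: a POSIX shell helper for a package maintainer script that removes a sysctl key from a config file only when the file exists, so it is a no-op when the package runs before the file has been created. The function names and the file paths used in the example are assumptions.

```shell
#!/bin/sh
# Added example, not the securedrop-grsec metapackage's own maintainer script.
# Remove every line that sets KEY in CONF, but treat a missing CONF as a
# successful no-op so the script does not fail when it runs before the
# file exists (the install-order problem described in the comment above).
# Usage: drop_sysctl_key CONF KEY
drop_sysctl_key() {
    conf=$1
    key=$2
    if [ ! -f "$conf" ]; then
        # Nothing to migrate yet; do not fail the package installation.
        return 0
    fi
    # Escape dots in the key so sed treats them literally, and anchor at
    # line start plus '=' so a key does not match another key's prefix.
    pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
    sed -i "/^[[:space:]]*${pattern}[[:space:]]*=/d" "$conf"
}

# Count lines still setting KEY in CONF (0 when the file is absent), so a
# test can verify the migration left other settings untouched.
count_sysctl_key() {
    conf=$1
    key=$2
    [ -f "$conf" ] || { echo 0; return 0; }
    pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
    grep -c "^[[:space:]]*${pattern}[[:space:]]*=" "$conf" || true
}
```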

@legoktm
Member Author

legoktm commented Nov 19, 2024

kernel-builder fix: freedomofpress/kernel-builder#57

@cfm
Member

cfm commented Nov 20, 2024

I've merged freedomofpress/kernel-builder#57, @legoktm, and I'll be happy to re-review this once it passes with kernels rebuilt with it. (Let me know if you'd like me to build them tomorrow.)

Member

@cfm cfm left a comment


@cfm cfm added this pull request to the merge queue Nov 21, 2024
Merged via the queue into develop with commit 0517e37 Nov 21, 2024
45 checks passed
@legoktm legoktm deleted the stg-less-sysctl branch November 22, 2024 04:02
Labels: blocked, noble (Ubuntu Noble related work)
Project status: Done
3 participants