Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use paxctld to manage all PaX flags in Ubuntu Focal #4134

Closed
emkll opened this issue Feb 14, 2019 · 1 comment · Fixed by #5691
Closed

Use paxctld to manage all PaX flags in Ubuntu Focal #4134

emkll opened this issue Feb 14, 2019 · 1 comment · Fixed by #5691
Assignees
@conorsch

Comments

@emkll
Copy link
Contributor

emkll commented Feb 14, 2019
edited by conorsch
Loading

Description

Initially raised during review of #4114, we should consolidate the PaX flag management logic. We are using both paxctl and paxctld for management of PaX flags, it would be best to maintain a single paxctld.conf file with all flags. It will also simplify some of the install logic, and allow us to more consistenly apply these flags to binaries and persist reboots (as an added feature, it might also help address #3916).

We could also evaluate and reuse what was done as part of the SecureDrop Workstation as an example: https://github.com/freedomofpress/securedrop-debian-packaging/tree/master/securedrop-workstation-svs-disp

UPDATE 2020-11-16

The following based on a conversation with @conorsch, as part of the current sprint commitments:

The paxctl header formats/commands are different in Focal from Xenial, and as a result, some existing paxctl logic from Xenial will not work in Focal. Specifically, updates to the flags for grub binaries (grub-probe, grub-mkdevicemap, grub-script-check) will not work in Focal under the current logic[1]. If grub is updated, PaX flags won't be applied, leading to cascading failures (grub update will fail, kernel update will fail, packages may be held back/broken)

Based on our conversation, we went through various approaches and decided on the following:

  1. Fork securedrop-grsec for Focal only (and leave the existing version for Xenial unchanged, because it works and we aren't supporting Xenial for much longer)
  2. Add paxctld to the Requires field in the Control file. Since we are installing from scratch on Focal, it's a good opportunity to add, but also make 1. easier.
  3. Add a securedrop-managed paxctld.conf file to the Focal-specific metapackage, to configure the pax flags as we would expect them.
  4. Remove kernel postinst file from the metapackage, since use of paxctld makes use of paxctl moot

User Stories

As a SecureDrop administrator or developer, I would like to manage all PaX flags in a single place and would like to consistently apply them across the system.

[1] https://github.com/freedomofpress/securedrop/blob/develop/install_files/securedrop-grsec/etc/kernel/postinst.d/paxctl-grub
This was referenced Sep 18, 2020
Closed
Merged
Closed
@conorsch conorsch mentioned this issue Oct 1, 2020
Closed
@eloquence eloquence mentioned this issue Oct 8, 2020
Closed
53 tasks
@emkll emkll changed the title Use paxctld to manage all PaX flags Use paxctld to manage all PaX flags in Ubuntu Focal Nov 16, 2020
@conorsch conorsch self-assigned this Jan 5, 2021
@conorsch conorsch mentioned this issue Jan 6, 2021
Closed
@conorsch
Copy link
Contributor

conorsch commented Jan 6, 2021

Fork securedrop-grsec for Focal only

I created a separate issue to track: #5690. In terms of paxctld support, we'll reuse the logic from https://github.com/freedomofpress/securedrop-debian-packaging/tree/cee267e7dfebd9553cdf4b02ecbe54783049121c/securedrop-workstation-grsec/debian for the most part.

Using paxctld for Focal also means that most of the Ansible tasks in this file should be skipped, by marking them Xenial-only:

securedrop/install_files/ansible-base/roles/grsecurity/tasks/from_fpf_repo_install_grsec.yml

Lines 40 to 87 in 0454478

- name: Get grsec kernel string from grub config.
shell: grep menuentry /boot/grub/grub.cfg | grep grsec | grep -v recovery | head -1 | cut -d "'" -f2
# Read-only task for
changed_when: false
register: grsec_str
tags:
- grsec
- kernel
- hardening
- name: Check initial default grub entry for next boot.
stat:
path: /boot/grub/grubenv
register: grubenv_check_initial_result
tags:
- grsec
- grub
- hardening
- kernel
- name: Set grsec kernel as default for next boot.
command: grub-reboot "Advanced options for Ubuntu>{{ grsec_str.stdout }}"
# The grub-reboot command writes to /boot/grub/grubenv,
# so "changed" status can only be determined by comparing
# checksums on that file. We'll do so in the subsequent task.
changed_when: false
tags:
- grsec
- grub
- hardening
- kernel
# Kludge to detect changes accurately from the `grub-reboot` command
# in the previous task. We're just comparing checksums on the
# /boot/grub/grubenv file before and after the command, since that's
# where `grub-reboot` writes its changes. Hopefully a future version
# of Ansible will provide an `args: changes:` parameter to command calls.
- name: Check customized default grub entry for next boot.
stat:
path: /boot/grub/grubenv
register: grubenv_check_configured_result
changed_when: grubenv_check_initial_result.stat.checksum !=
grubenv_check_configured_result.stat.checksum
tags:
- grsec
- grub
- hardening
- kernel

@conorsch conorsch mentioned this issue Jan 6, 2021
Merged
9 tasks
@conorsch conorsch mentioned this issue Jan 8, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@conorsch conorsch

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Creates Focal-specific kernel metapackage freedomofpress/securedrop
2 participants
@conorsch @emkll