Focal staging paxctl command to convert grub binaries is failing #5495

Closed
kushaldas opened this issue Sep 15, 2020 · 6 comments

@kushaldas
Contributor

Description

When we are building the new Focal staging environment, the paxctl task to convert grub binaries is failing.

This is the task in question: https://github.com/freedomofpress/securedrop/blob/develop/install_files/ansible-base/roles/grsecurity/tasks/paxctl.yml#L23-L27

Steps to Reproduce

  • molecule converge -s libvirt-staging-focal

Expected Behavior

This should happen without any error.

Actual Behavior

Example error

    failed: [app-staging] (item={'msg': 'non-zero return code', 'cmd': ['paxctl', '-vQ', '/usr/bin/grub-script-check'], 'stdout': '', 'stderr': 'PaX control v0.9\nCopyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <[email protected]>\n\nfile /usr/bin/grub-script-check does not have a PT_PAX_FLAGS program header, try conversion', 'rc': 1, 'start': '2020-09-15 12:41:58.046968', 'end': '2020-09-15 12:41:58.048760', 'delta': '0:00:00.001792', 'changed': False, 'failed': False, 'invocation': {'module_args': {'_raw_params': 'paxctl -vQ /usr/bin/grub-script-check', 'warn': True, '_uses_shell': False, 'stdin_add_newline': True, 'strip_empty_ends': True, 'argv': None, 'chdir': None, 'executable': None, 'creates': None, 'removes': None, 'stdin': None}}, 'stdout_lines': [], 'stderr_lines': ['PaX control v0.9', 'Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <[email protected]>', '', 'file /usr/bin/grub-script-check does not have a PT_PAX_FLAGS program header, try conversion'], 'failed_when_result': False, 'item': '/usr/bin/grub-script-check', 'ansible_loop_var': 'item'}) => {"ansible_loop_var": "item", "changed": true, "cmd": ["paxctl", "-zCE", "/usr/bin/grub-script-check"], "delta": "0:00:00.001769", "end": "2020-09-15 12:41:58.612150", "item": {"ansible_loop_var": "item", "changed": false, "cmd": ["paxctl", "-vQ", "/usr/bin/grub-script-check"], "delta": "0:00:00.001792", "end": "2020-09-15 12:41:58.048760", "failed": false, "failed_when_result": false, "invocation": {"module_args": {"_raw_params": "paxctl -vQ /usr/bin/grub-script-check", "_uses_shell": false, "argv": null, "chdir": null, "creates": null, "executable": null, "removes": null, "stdin": null, "stdin_add_newline": true, "strip_empty_ends": true, "warn": true}}, "item": "/usr/bin/grub-script-check", "msg": "non-zero return code", "rc": 1, "start": "2020-09-15 12:41:58.046968", "stderr": "PaX control v0.9\nCopyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <[email 
protected]>\n\nfile /usr/bin/grub-script-check does not have a PT_PAX_FLAGS program header, try conversion", "stderr_lines": ["PaX control v0.9", "Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <[email protected]>", "", "file /usr/bin/grub-script-check does not have a PT_PAX_FLAGS program header, try conversion"], "stdout": "", "stdout_lines": []}, "msg": "non-zero return code", "rc": 1, "start": "2020-09-15 12:41:58.610381", "stderr": "file /usr/bin/grub-script-check cannot have a PT_PAX_FLAGS program header, creation failed", "stderr_lines": ["file /usr/bin/grub-script-check cannot have a PT_PAX_FLAGS program header, creation failed"], "stdout": "", "stdout_lines": []}                             
    failed: [mon-staging] (item={'msg': 'non-zero return code', 'cmd': ['paxctl', '-vQ', '/usr/bin/grub-script-check'], 'stdout': '', 'stderr': 'PaX control v0.9\nCopyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <[email protected]>\n\nfile /usr/bin/grub-script-check does not have a PT_PAX_FLAGS program header, try conversion', 'rc': 1, 'start': '2020-09-15 12:41:58.607287', 'end': '2020-09-15 12:41:58.609454', 'delta': '0:00:00.002167', 'changed': False, 'failed': False, 'invocation': {'module_args': {'_raw_params': 'paxctl -vQ /usr/bin/grub-script-check', 'warn': True, '_uses_shell': False, 'stdin_add_newline': True, 'strip_empty_ends': True, 'argv': None, 'chdir': None, 'executable': None, 'creates': None, 'removes': None, 'stdin': None}}, 'stdout_lines': [], 'stderr_lines': ['PaX control v0.9', 'Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <[email protected]>', '', 'file /usr/bin/grub-script-check does not have a PT_PAX_FLAGS program header, try conversion'], 'failed_when_result': False, 'item': '/usr/bin/grub-script-check', 'ansible_loop_var': 'item'}) => {"ansible_loop_var": "item", "changed": true, "cmd": ["paxctl", "-zCE", "/usr/bin/grub-script-check"], "delta": "0:00:00.001961", "end": "2020-09-15 12:41:59.166776", "item": {"ansible_loop_var": "item", "changed": false, "cmd": ["paxctl", "-vQ", "/usr/bin/grub-script-check"], "delta": "0:00:00.002167", "end": "2020-09-15 12:41:58.609454", "failed": false, "failed_when_result": false, "invocation": {"module_args": {"_raw_params": "paxctl -vQ /usr/bin/grub-script-check", "_uses_shell": false, "argv": null, "chdir": null, "creates": null, "executable": null, "removes": null, "stdin": null, "stdin_add_newline": true, "strip_empty_ends": true, "warn": true}}, "item": "/usr/bin/grub-script-check", "msg": "non-zero return code", "rc": 1, "start": "2020-09-15 12:41:58.607287", "stderr": "PaX control v0.9\nCopyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <[email 
protected]>\n\nfile /usr/bin/grub-script-check does not have a PT_PAX_FLAGS program header, try conversion", "stderr_lines": ["PaX control v0.9", "Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <[email protected]>", "", "file /usr/bin/grub-script-check does not have a PT_PAX_FLAGS program header, try conversion"], "stdout": "", "stdout_lines": []}, "msg": "non-zero return code", "rc": 1, "start": "2020-09-15 12:41:59.164815", "stderr": "file /usr/bin/grub-script-check cannot have a PT_PAX_FLAGS program header, creation failed", "stderr_lines": ["file /usr/bin/grub-script-check cannot have a PT_PAX_FLAGS program header, creation failed"], "stdout": "", "stdout_lines": []}         
@rmol rmol self-assigned this Sep 15, 2020
@kushaldas
Contributor Author

diff --git a/install_files/ansible-base/roles/grsecurity/tasks/paxctl.yml b/install_files/ansible-base/roles/grsecurity/tasks/paxctl.yml
index 38072505e..8a2f204c1 100644
--- a/install_files/ansible-base/roles/grsecurity/tasks/paxctl.yml
+++ b/install_files/ansible-base/roles/grsecurity/tasks/paxctl.yml
@@ -21,7 +21,7 @@
     - /usr/bin/grub-script-check
 
 - name: Adjust paxctl headers on grub binaries.
-  command: paxctl -zCE {{ item.item }}
+  command: paxctl -zcE {{ item.item }}
   with_items: "{{ paxctl_grub_header_check.results }}"
   when: "item.stdout != '- PaX flags: --------E--- [{{ item.item }}]' or
          item.rc != 0"
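
Review bot: the one-character change from `-zCE` to `-zcE` swaps paxctl's header strategy rather than just tweaking flags: `-C` creates a new PT_PAX_FLAGS program header (the step that fails on Focal with "cannot have a PT_PAX_FLAGS program header, creation failed"), while `-c` converts the binary's existing PT_GNU_STACK header in place, so it only succeeds on binaries that still carry PT_GNU_STACK. The task runs on every host, so this also changes behaviour on Xenial; if `-C` should remain the Xenial path, gate the command on the release (for example on `ansible_distribution_release`) instead of switching globally. The `when:` still compares against the fixed string `- PaX flags: --------E--- [{{ item.item }}]`, which is fine for idempotency as long as `-z` plus `-E` is still the intended end state.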

Wondering if this is the right way; I added it just to see if it works on my staging Focal.

@conorsch
Contributor

conorsch commented Sep 15, 2020

Related discussion in #5468 (comment)

@rmol Modifying the create-header flags for paxctl only for Xenial will work as far as the provisioning flow, but that's not the only place we set the flags, unfortunately:

    paxctl -zCE /usr/sbin/grub-probe
    paxctl -zCE /usr/sbin/grub-mkdevicemap
    paxctl -zCE /usr/bin/grub-script-check

Which means that the naive approach in freedomofpress/securedrop-apt-test#62 is unlikely to work. =/ Let's discuss use of paxctld, same as we do in the Workstation.
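
The check-then-convert pattern discussed in this thread (a `paxctl -vQ` probe reporting whether a binary carries a PT_PAX_FLAGS header, followed by `-zCE` or `-zcE` to set EMUTRAMP) can be observed directly in the ELF program header table. The script below is an added example, not SecureDrop's or paxctl's own code: it parses the program headers of a constructed ELF64 image, reproduces the 12-character flags string that paxctl prints, applies the issue's `when:` condition, and models the `-c` route (retyping PT_GNU_STACK as PT_PAX_FLAGS) as a simplified stand-in. The sample images, function names and the exact bytes written on conversion are assumptions; the `-C` header-creation path that fails on Focal is deliberately not modelled.

```python
"""Inspect and convert PaX flag program headers in an ELF64 image.

Added example (not SecureDrop or paxctl code). It models what the two
Ansible tasks on this page check (paxctl -vQ) and change (paxctl -zcE)
at the ELF program-header level, using constructed in-memory images.
"""
import struct

# Program header types (elf.h plus PaX's ELF extension).
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580

# PaX bits carried in p_flags of a PT_PAX_FLAGS header, in the order
# paxctl prints them: P p S s M m X x E e R r
PAX_FLAG_BITS = [
    ("P", 1 << 4), ("p", 1 << 5),    # PAGEEXEC / NOPAGEEXEC
    ("S", 1 << 6), ("s", 1 << 7),    # SEGMEXEC / NOSEGMEXEC
    ("M", 1 << 8), ("m", 1 << 9),    # MPROTECT / NOMPROTECT
    ("X", 1 << 10), ("x", 1 << 11),  # RANDEXEC / NORANDEXEC
    ("E", 1 << 12), ("e", 1 << 13),  # EMUTRAMP / NOEMUTRAMP
    ("R", 1 << 14), ("r", 1 << 15),  # RANDMMAP / NORANDMMAP
]
PF_EMUTRAMP = 1 << 12

ELF64_EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF header
ELF64_PHDR = struct.Struct("<IIQQQQQQ")          # 56-byte program header


def program_headers(image):
    """Yield (index, p_type, p_flags) for every program header in image."""
    if image[:4] != b"\x7fELF" or image[4] != 2:  # ELFCLASS64 only
        raise ValueError("not an ELF64 image")
    fields = ELF64_EHDR.unpack_from(image, 0)
    phoff, phentsize, phnum = fields[5], fields[9], fields[10]
    for i in range(phnum):
        p_type, p_flags = ELF64_PHDR.unpack_from(image, phoff + i * phentsize)[:2]
        yield i, p_type, p_flags


def flags_string(p_flags):
    """Render p_flags the way 'paxctl -vQ' does, e.g. '--------E---'."""
    return "".join(ch if p_flags & bit else "-" for ch, bit in PAX_FLAG_BITS)


def pax_status(image):
    """Mirror the probe task: (has_pax_flags, has_gnu_stack, flags_str)."""
    has_pax = has_stack = False
    flags = None
    for _, p_type, p_flags in program_headers(image):
        if p_type == PT_PAX_FLAGS:
            has_pax, flags = True, flags_string(p_flags)
        elif p_type == PT_GNU_STACK:
            has_stack = True
    return has_pax, has_stack, flags


def needs_adjustment(image, path):
    """The issue's 'when:' condition: convert unless the probe reported
    exactly '- PaX flags: --------E--- [path]'."""
    has_pax, _, flags = pax_status(image)
    reported = "- PaX flags: %s [%s]" % (flags, path) if has_pax else ""
    return reported != "- PaX flags: --------E--- [%s]" % path


def convert_gnu_stack(image, new_flags=PF_EMUTRAMP):
    """Simplified model of 'paxctl -zcE' (assumption, not paxctl's code):
    retype the PT_GNU_STACK header as PT_PAX_FLAGS, clear all PaX bits (-z)
    and set EMUTRAMP (-E). Raises when there is no PT_GNU_STACK to convert,
    which is the precondition the -c route depends on."""
    buf = bytearray(image)
    fields = ELF64_EHDR.unpack_from(buf, 0)
    phoff, phentsize = fields[5], fields[9]
    for i, p_type, _ in program_headers(image):
        if p_type == PT_GNU_STACK:
            struct.pack_into("<II", buf, phoff + i * phentsize, PT_PAX_FLAGS, new_flags)
            return bytes(buf)
    raise ValueError("no PT_GNU_STACK program header to convert")


def build_image(phdrs):
    """Constructed minimal ELF64 image (not a real binary) whose program
    header table holds the given (p_type, p_flags) pairs."""
    phoff = ELF64_EHDR.size
    ehdr = ELF64_EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\x00" * 9, 3, 62, 1, 0,
                           phoff, 0, 0, ELF64_EHDR.size, ELF64_PHDR.size,
                           len(phdrs), 0, 0, 0)
    return ehdr + b"".join(ELF64_PHDR.pack(t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)


# Constructed stand-ins: a binary with PT_GNU_STACK but no PT_PAX_FLAGS
# (the state the probe reports on Focal), and one already converted.
UNCONVERTED = build_image([(PT_LOAD, 5), (PT_GNU_STACK, 6)])
CONVERTED = build_image([(PT_LOAD, 5), (PT_PAX_FLAGS, PF_EMUTRAMP)])

if __name__ == "__main__":
    target = "/usr/bin/grub-script-check"
    for name, img in (("unconverted", UNCONVERTED), ("converted", CONVERTED)):
        print(name, pax_status(img), "needs adjustment:", needs_adjustment(img, target))
    print("after -zcE model:", pax_status(convert_gnu_stack(UNCONVERTED)))
```

Run directly, it prints the status of both constructed images and the result of the modelled conversion. The point for this issue is the failure mode: on an image with no PT_GNU_STACK the conversion raises, which is the ELF-level reason the `-c` route only helps for binaries that still carry that header, and why the create-header `-C` path was needed in the first place.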

@kushaldas
Contributor Author

> Related discussion in #5468 (comment)
>
> @rmol Modifying the create-header flags for paxctl only for Xenial will work as far as the provisioning flow, but that's not the only place we set the flags, unfortunately:
>
>     paxctl -zCE /usr/sbin/grub-probe
>     paxctl -zCE /usr/sbin/grub-mkdevicemap
>     paxctl -zCE /usr/bin/grub-script-check
>
> Which means that the naive approach in freedomofpress/securedrop-dev-packages-lfs#62 is unlikely to work. =/ Let's discuss use of paxctld, same as we do in the Workstation.

If I use the patch I posted in #5495 (comment), then the above-mentioned paxctl commands pass properly. I did not see any error yet.

@conorsch
Contributor

@kushaldas Seems to me we only want to modify the behavior on Focal, not on Xenial. So customizing the behavior a bit should give us a working staging first-time install, although the need to modify the metapackage is a more significant issue for Focal support (looking like #4134 might be the path forward, after 1.6).

@kushaldas
Contributor Author

I think we can close this issue now; we can do this after standup today.

@conorsch
Contributor

Closing, based on changes in #5518. Still unresolved are the securedrop-grsec metapackage flags, which currently won't work for Focal kernel upgrades, but we'll tackle #4134 next sprint, which solves the same problem.
