The current install role cautiously refuses to install a grsec deb package if the grsec kernel is already running. This limitation exists because the check for whether grsec is currently running isn't smart enough to check for a specific version that matches the deb file used.
We can add logic to extract the version from the deb file specified in grsecurity_deb_package, then verify that the same version is running post-reboot, via ansible_kernel.
We also need to test the upgrade procedure between multiple grsec versions. In particular, pay attention to the match filter used in the grub_menu_options module (see #22). Current theory: the way it's written it'll match the last entry, with entries sorted by order of appearance inside the GRUB config file. We want to make sure that the entries are sorted via semver, and the latest wins.
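A sketch of the two checks described above, added here as an example and not taken from the install role or the grub_menu_options module. The function names, the sample GRUB entries and the `linux-image-<release>_<pkgversion>_<arch>.deb` file naming are assumptions, and a numeric tuple comparison stands in for semver ordering.

```python
import re

# Constructed sample of GRUB menu entries (not taken from a real host).
SAMPLE_GRUB_CFG = """\
menuentry 'Ubuntu, with Linux 4.4.32-grsec' --class ubuntu {
menuentry 'Ubuntu, with Linux 4.4.32-grsec (recovery mode)' --class ubuntu {
menuentry 'Ubuntu, with Linux 4.4.9-grsec' --class ubuntu {
menuentry 'Ubuntu, with Linux 3.13.0-100-generic' --class ubuntu {
"""

# Titles must end right after "-grsec", so recovery-mode entries are skipped.
ENTRY_RE = re.compile(r"^\s*menuentry '([^']*Linux ([^\s']+-grsec))'", re.M)


def version_key(release):
    """Turn '4.4.32-grsec' into (4, 4, 32) so 4.4.32 sorts above 4.4.9."""
    m = re.match(r"\d+(?:\.\d+)*", release)
    if not m:
        raise ValueError("no numeric version in %r" % release)
    return tuple(int(n) for n in m.group().split("."))


def grsec_entries(grub_cfg):
    """Return (title, release) pairs for grsec entries, in file order."""
    return [(m.group(1), m.group(2)) for m in ENTRY_RE.finditer(grub_cfg)]


def latest_grsec_entry(grub_cfg):
    """Pick the entry with the highest version, not the last one listed."""
    entries = grsec_entries(grub_cfg)
    if not entries:
        raise ValueError("no grsec menu entry found")
    return max(entries, key=lambda e: version_key(e[1]))


def release_from_deb(deb_path):
    """Assumed naming: linux-image-<release>_<pkgversion>_<arch>.deb"""
    m = re.search(r"linux-image-([^_/]+)_[^_/]+_[^_/]+\.deb$", deb_path)
    if not m:
        raise ValueError("unexpected deb file name: %s" % deb_path)
    return m.group(1)


def running_kernel_matches(deb_path, ansible_kernel):
    """True when the booted kernel (ansible_kernel) is the one in the deb."""
    return release_from_deb(deb_path) == ansible_kernel
```

With the constructed sample, taking the last matching entry in file order selects 4.4.9-grsec, while the version-sorted pick selects 4.4.32-grsec.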