search

freedomofpress / ansible-role-grsecurity

The documentation and build system for the grsecurity kernel maintained by the Freedom of the Press Foundation for SecureDrop
GNU General Public License v2.0
49 stars 13 forks source link

Incorporate upstream grsec patch rev. in deb pkg #76

Closed msheiny closed 7 years ago

msheiny commented 8 years ago

Specifically, start incorporating the upstream grsec patch revisions into the kernel deb package and enhance ansible comparison detection when installing.

The revision is passed as part of the make-kpkg command, specifically the --revision flag. This part of the code needs to be expanded (as well as other hard-coded references and the detection/comparison logic):

fakeroot make-kpkg
  --revision 10.00.{{ grsecurity_build_strategy }}

Test if this tackles the issue of attempting to install the same upstream kernel version with a different revision without scary ncurses prompt warnings. If not, then shove that issue off to another ticket to investigate/resolve.

conorsch commented 8 years ago

Omitting the --revision flag entirely would give us a more meaningful Version field in the control file, but it wouldn't provide a mechanism for distinguishing between config targets, e.g. if the same kernel version is compiled for multiple platforms, such as virtualized cloud servers and physical hardware. Thus the inclusion of grsecurity_build_strategy, but the current implementation is definitely insufficient.

psivesely commented 8 years ago

I think the best way to do this would be to just make a small modification to the grsecurity_urls module to return the grsecurity revision. https://grsecurity.net/latest_stable2_patch currently looks like this: 

grsecurity-3.1-4.4.32-201611150755.patch

Do we want the build date info or just the 3.1 bit? What specifically would replace 10.00?

psivesely commented 8 years ago

Happy to make a PR for this one btw as soon as we figure out what we want to do.

conorsch commented 7 years ago

I think the best way to do this would be to just make a small modification to the grsecurity_urls module to return the grsecurity revision.

Not necessary, the regex already supports that value and the module returns it!

Do we want the build date info or just the 3.1 bit?

The 3.1 bit won't be nearly enough info, and it's fairly static, meaning we can't use it to detect changes of grsec patch versions based on the same patch. Looking at the original goal of the issue:

start incorporating the upstream grsec patch revisions into the kernel deb package and enhance ansible comparison detection when installing

It seems like using the grsecurity version plus the build timestamp (which will always increment upwards and remain an integer) would be the sanest solution. Typically I'd implement as a suffix to the linux kernel version, and that's probably the best bet here, as long as we're talking about the linux-*.deb packages.

Zooming out a bit, it's really the metapackage that's designed to handle delicate manipulations of the underlying dependencies on kernel sources; we can selectively bump the metapackage version all day long, if we need to update the patch version but not the source version.