From a3970edd602cd174571f175355198b7d920dcfc3 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Thu, 2 Apr 2020 17:04:06 -0700 Subject: [PATCH 1/5] Updates python requirements with security fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Based on local `safety check -r requirements.txt`, which reported: │ REPORT │ │ checked 73 packages, using default DB │ ╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡ │ package │ installed │ affected │ ID │ ╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡ │ psutil │ 5.6.3 │ <=5.6.5 │ 37765 │ │ pyyaml │ 5.1.2 │ <5.3.1 │ 38100 │ │ urllib3 │ 1.25.2 │ >=1.25.2,<=1.25.7 │ 27519 updated those three packages and everything's happy again. Also updated Ansible 2.7.14 -> 2.7.16 for CVE-2019-14864, which 'safety' didn't complain about, but GitHub security alerts did. --- requirements.in | 2 +- requirements.txt | 78 +++++++++++++++++++++++++----------------------- 2 files changed, 42 insertions(+), 38 deletions(-) diff --git a/requirements.in b/requirements.in index 8cf9706..cacdf6a 100644 --- a/requirements.in +++ b/requirements.in @@ -1,4 +1,4 @@ -ansible>=2.7.14<2.8 +ansible>=2.7.16,<2.8 docker>=3.5.1 molecule pip-tools diff --git a/requirements.txt b/requirements.txt index c817045..c817aa7 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,8 +8,9 @@ ansible-lint==4.1.0 \ --hash=sha256:9430ea6e654ba4bf5b9c6921efc040f46cda9c4fd2896a99ff71d21037bcb123 \ --hash=sha256:c1b442b01091eca13ef11d98c3376e9489ba5b69a8467828ca86044f384bc0a1 \ # via molecule -ansible==2.7.14 \ - --hash=sha256:6a52f43b5e4446aa04f3907a750010fbbf41eb050cb726065c6c877ed3a98d02 +ansible==2.7.16 \ + --hash=sha256:bb4a95a3e1a0f9e1aabd8cf628de68f5218fba3057b970b6b3c41cc53ab06268 \ + # via -r requirements.in, ansible-lint, molecule anyconfig==0.9.7 \ --hash=sha256:4d6016ae6eecc5e502bc7e99ae0639c5710c5c67bde5f21b06b9eaafd9ce0e7e \ # via molecule 
@@ -141,7 +142,8 @@ cryptography==2.6.1 \
 # via ansible, paramiko
 docker==4.0.1 \
 --hash=sha256:3db499d4d25847fed86acf8e100c989f7bc0f75a6fff6c52855726ada1d124f6 \
- --hash=sha256:f61c37d721b489b7d55ef631b241be2d6a5884c3ffe63dc8f7dd9a3c3cd60489
+ --hash=sha256:f61c37d721b489b7d55ef631b241be2d6a5884c3ffe63dc8f7dd9a3c3cd60489 \
+ # via -r requirements.in
 entrypoints==0.3 \
 --hash=sha256:589f874b313739ad35be6e0cd7efde2a4e9b6fea91edcc34e58ecbb8dbe56d19 \
 --hash=sha256:c70dd71abe5a8c85e55e12c19bd91ccfeec11a6e99044204511f9ed547d48451 \
@@ -218,7 +220,8 @@ mccabe==0.6.1 \
 # via flake8
 molecule==2.22 \
 --hash=sha256:12fa4231ed69c6e7f50432588eaace36cea917a8c73c1751269ce55df32ced24 \
- --hash=sha256:d9d7621167041ae2a8eb19f1f8dc23c071cdab2cd3ca80655e2c8796b4c00e09
+ --hash=sha256:d9d7621167041ae2a8eb19f1f8dc23c071cdab2cd3ca80655e2c8796b4c00e09 \
+ # via -r requirements.in
 monotonic==1.5 \
 --hash=sha256:23953d55076df038541e648a53676fb24980f7a1be290cdda21300b3bc21dfb0 \
 --hash=sha256:552a91f381532e33cbd07c6a2655a21908088962bb8fa7239ecbcc6ad1140cc7 \
@@ -248,7 +251,8 @@ pexpect==4.7.0 \
 # via molecule
 pip-tools==3.7.0 \
 --hash=sha256:4ff38ab655bec47db2d5a82fa6c6807e231ecddf3b7cbb2f2b957a9b11f016c3 \
- --hash=sha256:542cc32393ec8e97932b4710462567e3ecbd0a1d483d8b1d5ef05bc6ef83f7f8
+ --hash=sha256:542cc32393ec8e97932b4710462567e3ecbd0a1d483d8b1d5ef05bc6ef83f7f8 \
+ # via -r requirements.in
 pluggy==0.11.0 \
 --hash=sha256:25a1bc1d148c9a640211872b4ff859878d422bccb59c9965e04eed468a0aa180 \
 --hash=sha256:964cedd2b27c492fbf0b7f58b3284a09cf7f99b0f715941fb24a439b3af1bd1a \
@@ -261,17 +265,18 @@ pre-commit==1.19.0 \
 --hash=sha256:2080b7a375e54e4fdc41bd0606193d0bad06b4d4f23526ffb73f0b512b537353 \
 --hash=sha256:8dbdad6e79fa438b9ae4dafc91c85baf93a5ff29aeff5d6899396d5aebe2d338 \
 # via molecule
-psutil==5.6.3 \
- --hash=sha256:028a1ec3c6197eadd11e7b46e8cc2f0720dc18ac6d7aabdb8e8c0d6c9704f000 \
- --hash=sha256:12542c3642909f4cd1928a2fba59e16fa27e47cbeea60928ebb62a8cbd1ce123 \
- --hash=sha256:503e4b20fa9d3342bcf58191bbc20a4a5ef79ca7df8972e6197cc14c5513e73d \
- --hash=sha256:863a85c1c0a5103a12c05a35e59d336e1d665747e531256e061213e2e90f63f3 \
- --hash=sha256:954f782608bfef9ae9f78e660e065bd8ffcfaea780f9f2c8a133bb7cb9e826d7 \
- --hash=sha256:b6e08f965a305cd84c2d07409bc16fbef4417d67b70c53b299116c5b895e3f45 \
- --hash=sha256:bc96d437dfbb8865fc8828cf363450001cb04056bbdcdd6fc152c436c8a74c61 \
- --hash=sha256:cf49178021075d47c61c03c0229ac0c60d5e2830f8cab19e2d88e579b18cdb76 \
- --hash=sha256:d5350cb66690915d60f8b233180f1e49938756fb2d501c93c44f8fb5b970cc63 \
- --hash=sha256:eba238cf1989dfff7d483c029acb0ac4fcbfc15de295d682901f0e2497e6781a \
+psutil==5.7.0 \
+ --hash=sha256:1413f4158eb50e110777c4f15d7c759521703bd6beb58926f1d562da40180058 \
+ --hash=sha256:298af2f14b635c3c7118fd9183843f4e73e681bb6f01e12284d4d70d48a60953 \
+ --hash=sha256:60b86f327c198561f101a92be1995f9ae0399736b6eced8f24af41ec64fb88d4 \
+ --hash=sha256:685ec16ca14d079455892f25bd124df26ff9137664af445563c1bd36629b5e0e \
+ --hash=sha256:73f35ab66c6c7a9ce82ba44b1e9b1050be2a80cd4dcc3352cc108656b115c74f \
+ --hash=sha256:75e22717d4dbc7ca529ec5063000b2b294fc9a367f9c9ede1f65846c7955fd38 \
+ --hash=sha256:a02f4ac50d4a23253b68233b07e7cdb567bd025b982d5cf0ee78296990c22d9e \
+ --hash=sha256:d008ddc00c6906ec80040d26dc2d3e3962109e40ad07fd8a12d0284ce5e0e4f8 \
+ --hash=sha256:d84029b190c8a66a946e28b4d3934d2ca1528ec94764b180f7d6ea57b0e75e26 \
+ --hash=sha256:e2d0c5b07c6fe5a87fa27b7855017edb0d52ee73b71e6ee368fae268605cc3f5 \
+ --hash=sha256:f344ca230dd8e8d5eee16827596f1c22ec0876127c28e800d7ae20ed44c4b310 \
 # 
via molecule
 ptyprocess==0.6.0 \
 --hash=sha256:923f299cc5ad920c68f2bc0bc98b75b9f838b93b599941a6b63ddbc2476394c0 \
@@ -326,24 +331,23 @@ python-gilt==1.2.1 \
 --hash=sha256:c7321ef1a8efddbdef657b4fd21c3eaf1b4cb24a9656d97b73a444b1feb2067a \
 --hash=sha256:e23a45a6905e6bb7aec3ff7652b48309933a6991fad4546d9e793ac7e0513f8a \
 # via molecule
-pyyaml==5.1.2 \
- --hash=sha256:0113bc0ec2ad727182326b61326afa3d1d8280ae1122493553fd6f4397f33df9 \
- --hash=sha256:01adf0b6c6f61bd11af6e10ca52b7d4057dd0be0343eb9283c878cf3af56aee4 \
- --hash=sha256:5124373960b0b3f4aa7df1707e63e9f109b5263eca5976c66e08b1c552d4eaf8 \
- --hash=sha256:5ca4f10adbddae56d824b2c09668e91219bb178a1eee1faa56af6f99f11bf696 \
- --hash=sha256:7907be34ffa3c5a32b60b95f4d95ea25361c951383a894fec31be7252b2b6f34 \
- --hash=sha256:7ec9b2a4ed5cad025c2278a1e6a19c011c80a3caaac804fd2d329e9cc2c287c9 \
- --hash=sha256:87ae4c829bb25b9fe99cf71fbb2140c448f534e24c998cc60f39ae4f94396a73 \
- --hash=sha256:9de9919becc9cc2ff03637872a440195ac4241c80536632fffeb6a1e25a74299 \
- --hash=sha256:a5a85b10e450c66b49f98846937e8cfca1db3127a9d5d1e31ca45c3d0bef4c5b \
- --hash=sha256:b0997827b4f6a7c286c01c5f60384d218dca4ed7d9efa945c3e1aa623d5709ae \
- --hash=sha256:b631ef96d3222e62861443cc89d6563ba3eeb816eeb96b2629345ab795e53681 \
- --hash=sha256:bf47c0607522fdbca6c9e817a6e81b08491de50f3766a7a0e6a5be7905961b41 \
- --hash=sha256:f81025eddd0327c7d4cfe9b62cf33190e1e736cc6e97502b3ec425f574b3e7a8 \
+pyyaml==5.3.1 \
+ --hash=sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97 \
+ --hash=sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76 \
+ --hash=sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2 \
+ --hash=sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648 \
+ --hash=sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf \
+ --hash=sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f \
+ --hash=sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2 \
+ --hash=sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee \
+ 
--hash=sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d \
+ --hash=sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c \
+ --hash=sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a \
 # via ansible, ansible-lint, aspy.yaml, molecule, pre-commit, python-gilt, yamllint
 requests==2.22.0 \
 --hash=sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4 \
- --hash=sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31
+ --hash=sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31 \
+ # via -r requirements.in, cookiecutter, docker
 ruamel.yaml.clib==0.2.0 \
 --hash=sha256:1e77424825caba5553bbade750cec2277ef130647d685c2b38f68bc03453bac6 \
 --hash=sha256:392b7c371312abf27fb549ec2d5e0092f7ef6e6c9f767bfb13e83cb903aca0fd \
@@ -391,9 +395,9 @@ tree-format==0.1.2 \
 --hash=sha256:a538523aa78ae7a4b10003b04f3e1b37708e0e089d99c9d3b9e1c71384c9a7f9 \
 --hash=sha256:b5056228dbedde1fb81b79f71fb0c23c98e9d365230df9b29af76e8d8003de11 \
 # via molecule
-urllib3==1.25.2 \
- --hash=sha256:a53063d8b9210a7bdec15e7b272776b9d42b2fd6816401a0d43006ad2f9902db \
- --hash=sha256:d363e3607d8de0c220d31950a8f38b18d5ba7c0830facd71a1c6b1036b7ce06c \
+urllib3==1.25.8 \
+ --hash=sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc \
+ --hash=sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc \
 # via requests
 virtualenv==16.7.7 \
 --hash=sha256:11cb4608930d5fd3afb545ecf8db83fa50e1f96fc4fca80c94b07d2c83146589 \
@@ -421,7 +425,7 @@ zipp==0.6.0 \ # via importlib-metadata # The following packages are considered to be unsafe in a requirements file: -setuptools==41.5.0 \ - --hash=sha256:1aaf68966c16fe31be9a87f7c02f4393355159bf96396068f380b70b1fc6860d \ - --hash=sha256:3025741f235bee01847ec315b31b34fa6673d5076d666a92594e3999b20a9ee1 \ +setuptools==46.1.3 \ + --hash=sha256:4fe404eec2738c20ab5841fa2d791902d2a645f32318a7850ef26f8d7215a8ee \ + --hash=sha256:795e0475ba6cd7fa082b1ee6e90d552209995627a2a227a47c6ea93282f4bfb1 \ # via ansible, pytest From 23ff8d8f9205d00662f8cd60436130076466b26e Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Fri, 3 Apr 2020 15:51:34 -0700 Subject: [PATCH 2/5] Updates role for python3 The Ansible intepreter was still set to python2, which went EOL on 2020-01-01. Moving to python3 requires a few package/syntax updates in various places. --- library/grsecurity_urls.py | 5 ++--- molecule/securedrop-docker/Dockerfile.j2 | 10 +++------- molecule/securedrop-docker/ansible-override-vars.yml | 3 +++ molecule/securedrop-docker/molecule.yml | 2 ++ molecule/securedrop-docker/playbook.yml | 6 ++++++ 5 files changed, 16 insertions(+), 10 deletions(-) create mode 100644 molecule/securedrop-docker/ansible-override-vars.yml diff --git a/library/grsecurity_urls.py b/library/grsecurity_urls.py index 5ccde0c..31528be 100644 --- a/library/grsecurity_urls.py +++ b/library/grsecurity_urls.py @@ -30,8 +30,7 @@ - action: grsecurity_urls patch_type=minipli ''' -from StringIO import StringIO -from urlparse import urljoin +from urllib.parse import urljoin import re HAS_REQUESTS = True @@ -150,7 +149,7 @@ def parse_grsecurity_latest_patch(self): Get latest patch name, according to sought patch type. """ r = requests.get(self.patch_name_url) - patch_name = r.content.rstrip() + patch_name = r.content.rstrip().decode("utf-8") config = dict() config['grsecurity_patch_filename'] = patch_name 
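Review bot: The new `patch_name = r.content.rstrip().decode("utf-8")` line decodes whatever body came back from the `requests.get(self.patch_name_url)` call just above it, and nothing in the hunk checks the response status, so an error page or a redirect body would become `grsecurity_patch_filename` and be handed to the download step. Add `r.raise_for_status()` before the decode, and consider `patch_name = r.text.rstrip()` so requests' charset handling is used instead of a hard-coded `utf-8` that raises `UnicodeDecodeError` on any other encoding. The first hunk also drops `from StringIO import StringIO` without a replacement, which is only safe if no remaining code in the file uses `StringIO`; the hunk does not show that. parse_grsecurity_latest_patch continues outside the hunk.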
diff --git a/molecule/securedrop-docker/Dockerfile.j2 b/molecule/securedrop-docker/Dockerfile.j2 index e5d0261..d3efb9b 100644 --- a/molecule/securedrop-docker/Dockerfile.j2 +++ b/molecule/securedrop-docker/Dockerfile.j2 @@ -2,17 +2,13 @@ FROM {{ item.image }}@{{ (lookup('pipe', 'cat ../container-hashes.yml')|from_yaml)[item.image_hash_lookup] }} -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates libssl-dev libelf-dev && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash libssl-dev libelf-dev&& dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml libssl-dev libelf-dev && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates libssl-dev libelf-dev; fi - +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python3 python3-requests sudo bash ca-certificates libssl-dev libelf-dev && apt-get clean; \ + fi RUN apt-get install -y sudo paxctl RUN adduser --disabled-password vagrant RUN usermod -aG sudo vagrant -RUN paxctl -cm /usr/bin/python2.7 +RUN paxctl -cm /usr/bin/python3 USER vagrant diff --git a/molecule/securedrop-docker/ansible-override-vars.yml b/molecule/securedrop-docker/ansible-override-vars.yml new file mode 100644 index 0000000..5e0ae51 --- /dev/null +++ b/molecule/securedrop-docker/ansible-override-vars.yml @@ -0,0 +1,3 @@ +--- +# Force use of Python 3 on remote host +ansible_python_interpreter: "/usr/bin/python3" 
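Review bot: The rewritten `RUN if [ $(command -v apt-get) ]; then ... fi` has no `else` branch, so on a base image without apt-get the step succeeds having installed nothing and the build only fails at the following `RUN apt-get install -y sudo paxctl`, with a less obvious error. Since the template now supports only Debian-style images, either drop the conditional and run the `apt-get` chain directly, or terminate it with `else echo "unsupported base image: apt-get not found" >&2; exit 1; fi` so the build stops at the cause. The same shape is introduced in patch 4 in molecule/ci-skel/Dockerfile.j2 and molecule/workstation/Dockerfile.j2.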
diff --git a/molecule/securedrop-docker/molecule.yml b/molecule/securedrop-docker/molecule.yml index d622c94..bb6d2a1 100644 --- a/molecule/securedrop-docker/molecule.yml +++ b/molecule/securedrop-docker/molecule.yml @@ -13,6 +13,8 @@ provisioner: name: ansible lint: name: ansible-lint + options: + e: "@ansible-override-vars.yml" scenario: name: securedrop-docker test_sequence: diff --git a/molecule/securedrop-docker/playbook.yml b/molecule/securedrop-docker/playbook.yml index 3ca1fd7..1f02322 100644 --- a/molecule/securedrop-docker/playbook.yml +++ b/molecule/securedrop-docker/playbook.yml @@ -12,6 +12,7 @@ - name: Configure kernel build. hosts: all + gather_facts: yes pre_tasks: # You can set these values via env vars: # @@ -26,6 +27,11 @@ - grsecurity_build_download_username != '' - grsecurity_build_download_password != '' + - name: Ensure modern Python is used to manage build + assert: + that: + - ansible_python_interpreter == "/usr/bin/python3" + remote_user: vagrant environment: USER: vagrant From 0d27bcdfb99c49d75b4097fd0291e76f3fb03fb9 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Fri, 3 Apr 2020 17:25:28 -0700 Subject: [PATCH 3/5] Modify retry logic on patch fetch We'd implemented retry logic because occasionally the fetch tasks for grsec patches would fail. Newer versions of Ansible & Python have changed how the try logic operates in tandem with loops. Rather than debug the syntax changes, let's raise the timeout and expect the task to complete. --- tasks/fetch_grsecurity_files.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/tasks/fetch_grsecurity_files.yml b/tasks/fetch_grsecurity_files.yml index b71e0f1..ee78050 100644 --- a/tasks/fetch_grsecurity_files.yml +++ b/tasks/fetch_grsecurity_files.yml 
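Review bot: The added `options:` / `e: "@ansible-override-vars.yml"` pair is written immediately after `lint: name: ansible-lint`; its indentation is not recoverable here, but if it sits under `lint:` rather than directly under `provisioner:` the `-e` is passed to ansible-lint instead of ansible-playbook and `ansible_python_interpreter` is never set for converge. In that case the assert added in playbook.yml (`ansible_python_interpreter == "/usr/bin/python3"`) would most likely error on an undefined variable rather than report the wrong interpreter, so it is worth confirming the key lands at `provisioner.options`. The same block is added to the other scenarios' molecule.yml files in patch 4.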
@@ -7,13 +7,10 @@
 password: "{{ grsecurity_build_download_password if grsecurity_build_patch_type.startswith('stable') else omit }}"
 dest: "{{ item.dest }}"
 creates: "{{ item.dest }}"
- status_code: 200
+ status_code: "200"
+ timeout: "300"
 with_items:
 - url: "{{ grsecurity_patch_url }}"
 dest: "{{ grsecurity_build_download_directory }}/{{ grsecurity_patch_filename }}"
 - url: "{{ grsecurity_signature_url }}"
 dest: "{{ grsecurity_build_download_directory }}/{{ grsecurity_signature_filename }}"
- register: _fetch_grsec_results
- delay: 15
- retries: 5
- until: not _fetch_grsec_results is failed
From 38d80f31c5e3d3c53d77cdd2bc712b08427bf389 Mon Sep 17 00:00:00 2001
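Review bot: Removing the `register`/`delay`/`retries`/`until` lines takes all retry behaviour away from a network fetch that the commit message itself says fails occasionally; a longer `timeout: "300"` only covers slow responses, not a reset connection or a transient 5xx, so a single failure now aborts the build. If the per-item `until` was what misbehaved, the form that should work with `with_items` on 2.7 is `register: _fetch_grsec_results`, `retries: 5`, `delay: 15`, `until: _fetch_grsec_results is succeeded` (a success test rather than a negated failure test). `status_code` and `timeout` are now quoted strings where the module documents integers; both coerce, but unless the quoting was needed to satisfy a lint rule, `status_code: 200` / `timeout: 300` is closer to the documented types. The task's module and name lines are above the hunk.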
From: Conor Schaefer Date: Mon, 6 Apr 2020 11:54:46 -0700 Subject: [PATCH 4/5] Forces Python3 in all scenarios Removes unused vagrant-based scenarios --- Makefile | 8 +++ .../ansible-override-vars.yml | 0 molecule/ci-minipli/molecule.yml | 2 + molecule/ci-official-stable3/Dockerfile.j2 | 19 +------ molecule/ci-official-stable3/molecule.yml | 2 + molecule/ci-skel/Dockerfile.j2 | 9 +-- molecule/ci-skel/molecule.yml | 2 + molecule/ci-unofficial/molecule.yml | 2 + molecule/install/INSTALL.rst | 17 ------ molecule/install/create.yml | 56 ------------------- molecule/install/destroy.yml | 36 ------------ molecule/install/molecule.yml | 28 ---------- molecule/install/playbook.yml | 26 --------- molecule/install/prepare.yml | 9 --- molecule/install/requirements.yml | 2 - molecule/install/tests/test_default.py | 14 ----- molecule/securedrop-docker/molecule.yml | 2 +- molecule/securedrop/molecule.yml | 33 ----------- molecule/workstation/Dockerfile.j2 | 10 +--- molecule/workstation/molecule.yml | 2 + 20 files changed, 26 insertions(+), 253 deletions(-) rename molecule/{securedrop-docker => }/ansible-override-vars.yml (100%) mode change 100644 => 120000 molecule/ci-official-stable3/Dockerfile.j2 delete mode 100644 molecule/install/INSTALL.rst delete mode 100644 molecule/install/create.yml delete mode 100644 molecule/install/destroy.yml delete mode 100644 molecule/install/molecule.yml delete mode 100644 molecule/install/playbook.yml delete mode 100644 molecule/install/prepare.yml delete mode 100644 molecule/install/requirements.yml delete mode 100644 molecule/install/tests/test_default.py delete mode 100644 molecule/securedrop/molecule.yml diff --git a/Makefile b/Makefile index ea0c7da..6169678 100644 --- a/Makefile +++ b/Makefile 
@@ -8,6 +8,14 @@ securedrop-rebuild: ## Rebuilds SecureDrop kernels from source tarball. @ansible-playbook -vv --diff molecule/securedrop-rebuild/playbook.yml \ -i molecule/securedrop-rebuild/.molecule/ansible_inventory.yml +.PHONY: securedrop-core +securedrop-core: ## Builds kernels for SecureDrop servers + molecule converge -s securedrop-docker + +.PHONY: securedrop-workstation +securedrop-workstation: ## Builds kernels for SecureDrop Workstation VMs + molecule converge -s workstation + .PHONY: help help: ## Prints this message and exits. @printf "Subcommands:\n\n" diff --git a/molecule/securedrop-docker/ansible-override-vars.yml b/molecule/ansible-override-vars.yml similarity index 100% rename from molecule/securedrop-docker/ansible-override-vars.yml rename to molecule/ansible-override-vars.yml diff --git a/molecule/ci-minipli/molecule.yml b/molecule/ci-minipli/molecule.yml index 9926fb1..6a1687f 100644 --- a/molecule/ci-minipli/molecule.yml +++ b/molecule/ci-minipli/molecule.yml @@ -13,6 +13,8 @@ provisioner: name: ansible lint: name: ansible-lint + options: + e: "@../ansible-override-vars.yml" scenario: name: ci-minipli test_sequence: diff --git a/molecule/ci-official-stable3/Dockerfile.j2 b/molecule/ci-official-stable3/Dockerfile.j2 deleted file mode 100644 index de09818..0000000 --- a/molecule/ci-official-stable3/Dockerfile.j2 +++ /dev/null 
@@ -1,18 +0,0 @@ -# Molecule managed - -FROM {{ item.image }}@{{ (lookup('pipe', 'cat ../container-hashes.yml')|from_yaml)[item.image_hash_lookup] }} - -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi - - -RUN apt-get install -y sudo paxctl -RUN adduser --disabled-password vagrant -RUN usermod -aG sudo vagrant - -RUN paxctl -cm /usr/bin/python2.7 - -USER vagrant diff --git a/molecule/ci-official-stable3/Dockerfile.j2 b/molecule/ci-official-stable3/Dockerfile.j2 new file mode 120000 index 0000000..4272d7a --- /dev/null +++ b/molecule/ci-official-stable3/Dockerfile.j2 @@ -0,0 +1 @@ +../ci-skel/Dockerfile.j2 \ No newline at end of file diff --git a/molecule/ci-official-stable3/molecule.yml b/molecule/ci-official-stable3/molecule.yml index 95bd55e..4a0bf84 100644 --- a/molecule/ci-official-stable3/molecule.yml +++ b/molecule/ci-official-stable3/molecule.yml @@ -13,6 +13,8 @@ provisioner: name: ansible lint: name: ansible-lint + options: + e: "@../ansible-override-vars.yml" scenario: name: ci-official-stable3 test_sequence: diff --git a/molecule/ci-skel/Dockerfile.j2 b/molecule/ci-skel/Dockerfile.j2 index 3355d12..0f12345 100644 --- a/molecule/ci-skel/Dockerfile.j2 +++ b/molecule/ci-skel/Dockerfile.j2 
@@ -2,11 +2,8 @@ FROM {{ item.image }}@{{ (lookup('pipe', 'cat ../container-hashes.yml')|from_yaml)[item.image_hash_lookup] }} -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash && dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python3 python3-requests sudo bash ca-certificates && apt-get clean; \ + fi RUN apt-get install -y sudo paxctl @@ -14,7 +11,7 @@ RUN adduser --disabled-password vagrant RUN usermod -aG sudo vagrant RUN echo "%sudo ALL=(ALL:ALL) NOPASSWD: ALL" > /etc/sudoers -RUN paxctl -cm /usr/bin/python2.7 +RUN paxctl -cm /usr/bin/python3 USER vagrant diff --git a/molecule/ci-skel/molecule.yml b/molecule/ci-skel/molecule.yml index 1050644..89b6a2e 100644 --- a/molecule/ci-skel/molecule.yml +++ b/molecule/ci-skel/molecule.yml @@ -13,6 +13,8 @@ provisioner: name: ansible lint: name: ansible-lint + options: + e: "@../ansible-override-vars.yml" scenario: name: ci test_sequence: diff --git a/molecule/ci-unofficial/molecule.yml b/molecule/ci-unofficial/molecule.yml index f7ca89d..a954f5a 100644 --- a/molecule/ci-unofficial/molecule.yml +++ b/molecule/ci-unofficial/molecule.yml @@ -13,6 +13,8 @@ provisioner: name: ansible lint: name: ansible-lint + options: + e: "@../ansible-override-vars.yml" scenario: name: ci-unofficial test_sequence: 
diff --git a/molecule/install/INSTALL.rst b/molecule/install/INSTALL.rst deleted file mode 100644 index 44c26af..0000000 --- a/molecule/install/INSTALL.rst +++ /dev/null @@ -1,17 +0,0 @@ -******* -Install -******* - -Requirements -============ - -* Vagrant -* Virtualbox, Parallels, VMware Fusion, VMware Workstation or VMware Desktop -* python-vagrant - -Install -======= - -.. code-block:: bash - - $ sudo pip install python-vagrant diff --git a/molecule/install/create.yml b/molecule/install/create.yml deleted file mode 100644 index f8eb37c..0000000 --- a/molecule/install/create.yml +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -- name: Create - hosts: localhost - connection: local - gather_facts: False - no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}" - vars: - molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}" - molecule_instance_config: "{{ lookup('env', 'MOLECULE_INSTANCE_CONFIG') }}" - molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}" - tasks: - - name: Create molecule instance(s) - molecule_vagrant: - instance_name: "{{ item.name }}" - instance_interfaces: "{{ item.interfaces | default(omit) }}" - instance_raw_config_args: "{{ item.instance_raw_config_args | default(omit) }}" - - platform_box: "{{ item.box }}" - platform_box_version: "{{ item.box_version | default(omit) }}" - platform_box_url: "{{ item.box_url | default(omit) }}" - - provider_name: "{{ molecule_yml.driver.provider.name }}" - provider_memory: "{{ item.memory | default(omit) }}" - provider_cpus: "{{ item.cpus | default(omit) }}" - provider_raw_config_args: "{{ item.raw_config_args | default(omit) }}" - - state: up - register: server - with_items: "{{ molecule_yml.platforms }}" - - # Mandatory configuration for Molecule to function. - - - name: Populate instance config dict - set_fact: - instance_conf_dict: { - 'instance': "{{ item.Host }}", - 'address': "{{ item.HostName }}", - 'user': "{{ item.User }}", - 'port': "{{ item.Port }}", - 'identity_file': "{{ item.IdentityFile }}", } - with_items: "{{ server.results }}" - register: instance_config_dict - when: server.changed | bool - - - name: Convert instance config dict to a list - set_fact: - instance_conf: "{{ instance_config_dict.results | map(attribute='ansible_facts.instance_conf_dict') | list }}" - when: server.changed | bool - - - name: Dump instance config - copy: - # NOTE(retr0h): Workaround for Ansible 2.2. 
- # https://github.com/ansible/ansible/issues/20885 - content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}" - dest: "{{ molecule_instance_config }}" - when: server.changed | bool diff --git a/molecule/install/destroy.yml b/molecule/install/destroy.yml deleted file mode 100644 index 3972a2d..0000000 --- a/molecule/install/destroy.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- - -- name: Destroy - hosts: localhost - connection: local - gather_facts: False - no_log: "{{ not lookup('env', 'MOLECULE_DEBUG') | bool }}" - vars: - molecule_file: "{{ lookup('env', 'MOLECULE_FILE') }}" - molecule_instance_config: "{{ lookup('env',' MOLECULE_INSTANCE_CONFIG') }}" - molecule_yml: "{{ lookup('file', molecule_file) | molecule_from_yaml }}" - tasks: - - name: Destroy molecule instance(s) - molecule_vagrant: - instance_name: "{{ item.name }}" - platform_box: "{{ item.box }}" - provider_name: "{{ molecule_yml.driver.provider.name }}" - force_stop: "{{ item.force_stop | default(True) }}" - - state: destroy - register: server - with_items: "{{ molecule_yml.platforms }}" - - # Mandatory configuration for Molecule to function. - - - name: Populate instance config - set_fact: - instance_conf: {} - - - name: Dump instance config - copy: - # NOTE(retr0h): Workaround for Ansible 2.2. - # https://github.com/ansible/ansible/issues/20885 - content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}" - dest: "{{ molecule_instance_config }}" - when: server.changed | bool diff --git a/molecule/install/molecule.yml b/molecule/install/molecule.yml deleted file mode 100644 index 8707c99..0000000 --- a/molecule/install/molecule.yml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: vagrant - provider: - name: libvirt -lint: - name: yamllint -platforms: - - name: grsecurity-install-ubuntu-xenial - box: bento/ubuntu-16.04 - instance_raw_config_args: - - "vm.synced_folder './', '/vagrant', disabled: true" - - name: grsecurity-install-debian-stretch - box: debian/stretch64 - instance_raw_config_args: - - "vm.synced_folder './', '/vagrant', disabled: true" -provisioner: - name: ansible - lint: - name: ansible-lint -scenario: - name: install -verifier: - name: testinfra - lint: - name: flake8 diff --git a/molecule/install/playbook.yml b/molecule/install/playbook.yml deleted file mode 100644 index 8d359f9..0000000 --- a/molecule/install/playbook.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -- name: Converge - hosts: all - vars: - molecule_scenario_directory: "{{ lookup('env', 'MOLECULE_SCENARIO_DIRECTORY') }}" - pre_tasks: - - name: Find local deb packages. - become: no - delegate_to: localhost - find: - paths: - - "{{ molecule_scenario_directory+'/../' }}" - patterns: - - '*-image-*.deb' - recurse: yes - register: grsec_deb_packages_result - run_once: yes - - - debug: var=grsec_deb_packages_result - - roles: - - role: freedomofpress.grsecurity-install - grsecurity_install_deb_packages: "{{ grsec_deb_packages_result.files|map(attribute='path')|list }}" - # PaX flags support via `paxctl` was only tested under Trusty. The current - # logic fails under Debian Stretch. - grsecurity_install_set_paxctl_flags: no diff --git a/molecule/install/prepare.yml b/molecule/install/prepare.yml deleted file mode 100644 index 112da19..0000000 --- a/molecule/install/prepare.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Prepare - hosts: all - gather_facts: False - tasks: - - name: Install python for Ansible - raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal) - become: True - changed_when: False 
diff --git a/molecule/install/requirements.yml b/molecule/install/requirements.yml deleted file mode 100644 index 0460136..0000000 --- a/molecule/install/requirements.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -- src: freedomofpress.grsecurity-install diff --git a/molecule/install/tests/test_default.py b/molecule/install/tests/test_default.py deleted file mode 100644 index eedd64a..0000000 --- a/molecule/install/tests/test_default.py +++ /dev/null @@ -1,14 +0,0 @@ -import os - -import testinfra.utils.ansible_runner - -testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( - os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') - - -def test_hosts_file(host): - f = host.file('/etc/hosts') - - assert f.exists - assert f.user == 'root' - assert f.group == 'root' diff --git a/molecule/securedrop-docker/molecule.yml b/molecule/securedrop-docker/molecule.yml index bb6d2a1..d0b6ac2 100644 --- a/molecule/securedrop-docker/molecule.yml +++ b/molecule/securedrop-docker/molecule.yml @@ -14,7 +14,7 @@ provisioner: lint: name: ansible-lint options: - e: "@ansible-override-vars.yml" + e: "@../ansible-override-vars.yml" scenario: name: securedrop-docker test_sequence: diff --git a/molecule/securedrop/molecule.yml b/molecule/securedrop/molecule.yml deleted file mode 100644 index a5e8a80..0000000 --- a/molecule/securedrop/molecule.yml +++ /dev/null @@ -1,33 +0,0 @@ ---- -dependency: - name: galaxy -driver: - name: vagrant - provider: - name: libvirt -lint: - name: yamllint -platforms: - - name: grsecurity-build-securedrop - box: bento/ubuntu-14.04 - instance_raw_config_args: - - "vm.synced_folder './', '/vagrant', disabled: true" - provider_memory: 4096 -provisioner: - name: ansible - lint: - name: ansible-lint -scenario: - name: securedrop - test_sequence: - - lint - - destroy - - create - - converge - # Disable idempotence check because build always reports changed - # - idempotence - - verify -verifier: - name: testinfra - lint: - name: flake8 
diff --git a/molecule/workstation/Dockerfile.j2 b/molecule/workstation/Dockerfile.j2 index e5d0261..d3efb9b 100644 --- a/molecule/workstation/Dockerfile.j2 +++ b/molecule/workstation/Dockerfile.j2 @@ -2,17 +2,13 @@ FROM {{ item.image }}@{{ (lookup('pipe', 'cat ../container-hashes.yml')|from_yaml)[item.image_hash_lookup] }} -RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates libssl-dev libelf-dev && apt-get clean; \ - elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash libssl-dev libelf-dev&& dnf clean all; \ - elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \ - elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml libssl-dev libelf-dev && zypper clean -a; \ - elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates libssl-dev libelf-dev; fi - +RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python3 python3-requests sudo bash ca-certificates libssl-dev libelf-dev && apt-get clean; \ + fi RUN apt-get install -y sudo paxctl RUN adduser --disabled-password vagrant RUN usermod -aG sudo vagrant -RUN paxctl -cm /usr/bin/python2.7 +RUN paxctl -cm /usr/bin/python3 USER vagrant diff --git a/molecule/workstation/molecule.yml b/molecule/workstation/molecule.yml index c338bd4..69f9bf4 100644 --- a/molecule/workstation/molecule.yml +++ b/molecule/workstation/molecule.yml @@ -13,6 +13,8 @@ provisioner: name: ansible lint: name: ansible-lint + options: + e: "@../ansible-override-vars.yml" scenario: name: workstation test_sequence: From bd561aeb270afd22d5d8d3063a9076484e0d5db9 Mon Sep 17 00:00:00 2001 
From: Conor Schaefer Date: Mon, 6 Apr 2020 17:54:58 -0700 Subject: [PATCH 5/5] Updates SecureDrop core kernel config 4.14.175 Copied out of the source tarball, changes are quite minimal. --- files/config-securedrop-4.14 | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/files/config-securedrop-4.14 b/files/config-securedrop-4.14 index 3d04b11..e64c6c4 100644 --- a/files/config-securedrop-4.14 +++ b/files/config-securedrop-4.14 @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 4.14.154 Kernel Configuration +# Linux/x86 4.14.175 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -11,8 +11,8 @@ CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig" CONFIG_LOCKDEP_SUPPORT=y CONFIG_STACKTRACE_SUPPORT=y CONFIG_MMU=y -CONFIG_ARCH_MMAP_RND_BITS_MIN=27 -CONFIG_ARCH_MMAP_RND_BITS_MAX=27 +CONFIG_ARCH_MMAP_RND_BITS_MIN=28 +CONFIG_ARCH_MMAP_RND_BITS_MAX=32 CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8 CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16 CONFIG_NEED_DMA_MAP_STATE=y @@ -326,7 +326,7 @@ CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y CONFIG_ARCH_HAS_ELF_RANDOMIZE=y CONFIG_HAVE_ARCH_MMAP_RND_BITS=y CONFIG_HAVE_EXIT_THREAD=y -CONFIG_ARCH_MMAP_RND_BITS=27 +CONFIG_ARCH_MMAP_RND_BITS=28 CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8 CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y @@ -3379,6 +3379,7 @@ CONFIG_TELCLOCK=m CONFIG_XILLYBUS=m CONFIG_XILLYBUS_PCIE=m # CONFIG_RANDOM_TRUST_CPU is not set +# CONFIG_RANDOM_TRUST_BOOTLOADER is not set # # I2C support @@ -8099,6 +8100,7 @@ CONFIG_UNWINDER_ORC=y # Grsecurity # CONFIG_ARCH_NEEDS_NX=y +CONFIG_PLUGIN_WANTS_ASMMACRO=y CONFIG_PAX_PER_CPU_PGD=y CONFIG_GRKERNSEC=y CONFIG_GRKERNSEC_CONFIG_AUTO=y @@ -8184,6 +8186,7 @@ CONFIG_PAX_RESPECTRE_PLUGIN=y # CONFIG_PAX_RESPECTRE_PLUGIN_LOOPINDEX is not set # CONFIG_PAX_RESPECTRE_PLUGIN_SSB is not set # CONFIG_PAX_RESPECTRE_PLUGIN_VERBOSE is not set +CONFIG_WANTS_HIDDEN_OBJECT_PATHS=y # # Memory Protections
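Review bot: `CONFIG_ARCH_MMAP_RND_BITS=28` is set to the new `CONFIG_ARCH_MMAP_RND_BITS_MIN` while the same hunk raises `CONFIG_ARCH_MMAP_RND_BITS_MAX` to 32, so mmap ASLR entropy stays at the floor rather than the ceiling the kernel now allows; for a hardened build `CONFIG_ARCH_MMAP_RND_BITS=32` is the value to consider, unless PaX RANDMMAP supersedes this path on the grsecurity kernel, which the excerpt does not show. The compat side has the same shape, `CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8` against a max of 16. Adding `# CONFIG_RANDOM_TRUST_BOOTLOADER is not set` is consistent with the existing `# CONFIG_RANDOM_TRUST_CPU is not set` choice.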