-
Notifications
You must be signed in to change notification settings - Fork 686
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix sysctl handling for noble/Linux 6.6 #7323
Labels
noble
Ubuntu Noble related work
Comments
legoktm
added a commit
to freedomofpress/kernel-builder
that referenced
this issue
Nov 1, 2024
Instead of setting these via ansible, let's ship them in this package so it's easier to tweak them in the future without needing future ansible runs. This should be safe to ship even with these values in /etc/sysctld.conf since they're the same values for now; but we'll have the next server version remove them from that file now that they're owned by the kernel packaging. Fixes <freedomofpress/securedrop#7323>.
legoktm
added a commit
to freedomofpress/kernel-builder
that referenced
this issue
Nov 1, 2024
Instead of setting these via ansible, let's ship them in this package so it's easier to tweak them in the future without needing future ansible runs. This should be safe to ship even with these values in /etc/sysctld.conf since they're the same values for now; but we'll have the next server version remove them from that file now that they're owned by the kernel packaging. Refs <freedomofpress/securedrop#7323>.
legoktm
added a commit
to freedomofpress/kernel-builder
that referenced
this issue
Nov 1, 2024
Instead of setting these via ansible, let's ship them in this package so it's easier to tweak them in the future without needing future ansible runs. A postinst snippet removes the values from /etc/sysctld.conf; it's okay if they're temporarily duplicated since they'll have the same values. Refs <freedomofpress/securedrop#7323>.
legoktm
added a commit
that referenced
this issue
Nov 1, 2024
These are now set via the securedrop-grsec metapackage (see <freedomofpress/kernel-builder#55>). Refs #7323.
2 tasks
legoktm
added a commit
that referenced
this issue
Nov 6, 2024
These are now set via the securedrop-grsec metapackage (see <freedomofpress/kernel-builder#55>). Tests are left in to verify the migration works properly. Refs #7323.
legoktm
added a commit
that referenced
this issue
Nov 23, 2024
Currently we specify both `sysctl_set: yes` and `reload: yes` when setting sysctl settings, which ends up with it being applied twice, first with `sysctl -w` (sysctl_set) and then through `sysctl -p` (reload). With noble/Linux 6.6, setting the lock twice errors out, so just enable it once with `sysctl -p`. This is also closer to what the kernel will do normally when booting in which the whole file is loaded at once. Refs #7323.
The kernel update is now live, I think we can close this tomorrow once it's successfully rolled out. (No point keeping this open until 2.11.0 is out, which is the final step). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
With noble/Linux 6.6, the grsec_lock flag now strictly enforces that it cannot be set again, even if the value is the same as the current. This means running
sysctl -p /etc/sysctl.conf
after it is set will error out.We also set each sysctl flag twice, once for each one explicitly, and then again with
sysctl -p /etc/sysctl.conf
. I think we should switch to just doingsysctl -p
once, globally.net.ipv4.*
stuff. setting these also fail because it's after the grsec_lock. I think we can just move them all to the kernel metapackage, and ensure it gets released before the next SD server release.So proposed work plan:
The text was updated successfully, but these errors were encountered: