Fix sysctl handling for noble/Linux 6.6 #7323

Open
4 of 5 tasks
legoktm opened this issue Nov 1, 2024 · 1 comment
Assignees
Labels
noble Ubuntu Noble related work

Comments

@legoktm
Member

legoktm commented Nov 1, 2024

Description

With noble/Linux 6.6, the grsec_lock flag now strictly enforces that it cannot be set again, even if the value is the same as the current one. This means running sysctl -p /etc/sysctl.conf after it is set will error out.

We also set each sysctl flag twice, once for each one explicitly, and then again with sysctl -p /etc/sysctl.conf. I think we should switch to just doing sysctl -p once, globally.

  • grsec_sysctl_flags:
    • kernel.grsecurity.rwxmap_logging
    • kernel.grsecurity.grsec_lock
    • vm.heap_stack_gap <-- now fails because it's after grsec_lock; note that this is already set via the securedrop-grsec package
  • sysctl_flags, which is all net.ipv4.* stuff. Setting these also fails because they're after the grsec_lock. I think we can just move them all to the kernel metapackage, and ensure it gets released before the next SD server release.

So proposed work plan:

  1. Move net.ipv4 flags to securedrop-grsec metapackage; postinst will remove vm.heap_stack_gap and net.ipv4 flags from sysctl.conf: Set net.ipv4 sysctl flags via server metapackage kernel-builder#55
  2. Ansible change to stop setting vm.heap_stack_gap and net.ipv4 flags for new installs: Drop setting vm.heap_stack_gap and net.ipv4 sysctl flags #7324
  3. Switch to sysctl -p once, globally (in Ansible provisioning): Only try to apply grsec_lock once #7353
  4. Ship kernel upgrade for step 1: https://github.com/freedomofpress/securedrop-apt-prod/pull/154
  5. Release SD server with step 2
@legoktm legoktm added the noble Ubuntu Noble related work label Nov 1, 2024
@legoktm legoktm self-assigned this Nov 1, 2024
legoktm added a commit to freedomofpress/kernel-builder that referenced this issue Nov 1, 2024
Instead of setting these via ansible, let's ship them in this package so
it's easier to tweak them in the future without needing future ansible
runs.

This should be safe to ship even with these values in /etc/sysctld.conf
since they're the same values for now; but we'll have the next server
version remove them from that file now that they're owned by the kernel
packaging.

Fixes <freedomofpress/securedrop#7323>.
legoktm added a commit to freedomofpress/kernel-builder that referenced this issue Nov 1, 2024
Instead of setting these via ansible, let's ship them in this package so
it's easier to tweak them in the future without needing future ansible
runs.

This should be safe to ship even with these values in /etc/sysctld.conf
since they're the same values for now; but we'll have the next server
version remove them from that file now that they're owned by the kernel
packaging.

Refs <freedomofpress/securedrop#7323>.
legoktm added a commit to freedomofpress/kernel-builder that referenced this issue Nov 1, 2024
Instead of setting these via ansible, let's ship them in this package so
it's easier to tweak them in the future without needing future ansible
runs.

A postinst snippet removes the values from /etc/sysctld.conf; it's
okay if they're temporarily duplicated since they'll have the same
values.

Refs <freedomofpress/securedrop#7323>.
legoktm added a commit that referenced this issue Nov 1, 2024
These are now set via the securedrop-grsec metapackage (see
<freedomofpress/kernel-builder#55>).

Refs #7323.
@legoktm legoktm moved this to In Progress in SecureDrop dev cycle Nov 1, 2024
legoktm added a commit that referenced this issue Nov 6, 2024
These are now set via the securedrop-grsec metapackage (see
<freedomofpress/kernel-builder#55>).

Tests are left in to verify the migration works properly.

Refs #7323.
legoktm added a commit that referenced this issue Nov 23, 2024
Currently we specify both `sysctl_set: yes` and `reload: yes` when
setting sysctl settings, which ends up with it being applied twice,
first with `sysctl -w` (sysctl_set) and then through `sysctl -p`
(reload).

With noble/Linux 6.6, setting the lock twice errors out, so just enable
it once with `sysctl -p`. This is also closer to what the kernel will do
normally when booting in which the whole file is loaded at once.

Refs #7323.
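A small model of the failure described in the issue and in the commit above, added here as an example (not SecureDrop's or kernel-builder's code): it parses a constructed sysctl.conf, lints for keys listed after grsec_lock=1 that a single `sysctl -p` can never apply, and contrasts one `sysctl -p` with the Ansible `sysctl_set` + `reload` double write. The lock semantics, the sample keys and their values are assumptions taken from the issue text, not from the real server configuration.

```python
LOCK_KEY = "kernel.grsecurity.grsec_lock"

# Constructed sample, not the real file: the lock sits mid-file, so the two
# keys after it are the ones the issue says now fail to apply.
SAMPLE_CONF = """\
kernel.grsecurity.rwxmap_logging = 0
kernel.grsecurity.grsec_lock = 1
vm.heap_stack_gap = 1048576
net.ipv4.tcp_syncookies = 1
"""

def parse_sysctl_conf(text):
    """Parse `key = value` lines; blank lines and # comments are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            entries.append((key.strip(), value.strip()))
    return entries

def keys_after_lock(entries):
    """Lint: keys listed after grsec_lock=1 can never be applied by `-p`."""
    for i, (key, value) in enumerate(entries):
        if key == LOCK_KEY and value == "1":
            return [k for k, _ in entries[i + 1:]]
    return []

class LockedKernel:
    """Model of noble/Linux 6.6 as the issue describes it (an assumption):
    once grsec_lock is 1 every later write is rejected, even a repeat of
    grsec_lock=1 with the value it already holds."""
    def __init__(self):
        self.locked = False

    def write(self, key, value):
        if self.locked:
            return False
        if key == LOCK_KEY and value == "1":
            self.locked = True
        return True

def apply_once(entries):
    """One `sysctl -p`: a single write per key in file order; returns failures."""
    kernel = LockedKernel()
    return [k for k, v in entries if not kernel.write(k, v)]

def apply_set_then_reload(entries):
    """Ansible sysctl_set + reload: `sysctl -w` per key, then `sysctl -p`."""
    kernel = LockedKernel()
    failed = [k for k, v in entries if not kernel.write(k, v)]
    return failed + [k for k, v in entries if not kernel.write(k, v)]
```

Running `apply_once` on the sample shows exactly the two post-lock keys failing, while a file trimmed to the kernel.grsecurity.* keys applies cleanly once but still fails under the set-then-reload pattern.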
@legoktm
Member Author

legoktm commented Nov 26, 2024

The kernel update is now live, I think we can close this tomorrow once it's successfully rolled out. (No point keeping this open until 2.11.0 is out, which is the final step).
