From 7bdd2afef50cb3c4efecc86a7ad9847f5ef0e36a Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Thu, 6 Mar 2025 14:16:42 -0500 Subject: [PATCH 1/2] Remove systemd-resolved on noble We don't use systemd-resolved and during the focal -> noble migration, it gets dropped since it was split out to a separate package. Now that we can remove it entirely, let's have noble installs absent the package instead of merely stopping the systemd unit. Fixes #7464. --- .../roles/common/tasks/harden_dns.yml | 15 ++++++++++++++- .../testinfra/common/test_system_hardening.py | 10 ++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/install_files/ansible-base/roles/common/tasks/harden_dns.yml b/install_files/ansible-base/roles/common/tasks/harden_dns.yml index 6810be4a83..933c7b42cf 100644 --- a/install_files/ansible-base/roles/common/tasks/harden_dns.yml +++ b/install_files/ansible-base/roles/common/tasks/harden_dns.yml @@ -7,11 +7,24 @@ - dns - hardening -- name: Disable systemd-resolved +- name: Disable systemd-resolved (focal) systemd: name: systemd-resolved state: stopped enabled: no + when: ansible_distribution_release == "focal" tags: - dns - hardening + +- name: Uninstall systemd-resolved (noble) + apt: + name: + - systemd-resolved + state: absent + purge: yes + when: ansible_distribution_release != "focal" + tags: + - apt + - dns + - hardening diff --git a/molecule/testinfra/common/test_system_hardening.py b/molecule/testinfra/common/test_system_hardening.py index 4d621cfafb..c3e26b479a 100644 --- a/molecule/testinfra/common/test_system_hardening.py +++ b/molecule/testinfra/common/test_system_hardening.py 
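Review bot: The new uninstall task is named "(noble)" but is gated on `when: ansible_distribution_release != "focal"`, so it runs on every release that is not focal; either tighten the guard to `when: ansible_distribution_release == "noble"` or drop "(noble)" from the name so the condition and the description agree. This split is also the inverse of the build side of the same series, where debian/rules keys the noble-only behaviour on `findstring +noble`, so a later release would receive the noble DNS handling here but the focal dependency set there. With `purge: yes` the package's configuration files are removed as well; the task preceding this hunk (only its tags are visible) presumably manages /etc/resolv.conf, so it is worth confirming that it runs before this removal on noble.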
@@ -49,6 +49,16 @@ def test_dns_setting(host): assert f.mode == 0o644 assert f.contains(r"^nameserver 8\.8\.8\.8$") + if host.system_info.codename == "focal": + # On focal, systemd-resolved's unit is disabled + with host.sudo(): + s = host.service("systemd-resolved") + assert not s.is_enabled + assert not s.is_running + else: + # On noble, systemd-resolved is not installed + assert not host.package("systemd-resolved").is_installed + @pytest.mark.parametrize( "kernel_module", From 52106d9da9a1f9a319dfc89e918ffdb0444460fc Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Fri, 7 Mar 2025 11:36:40 -0500 Subject: [PATCH 2/2] Explicitly install systemd-hwe-hwdb This package is installed on fresh systems, but not on upgrades because it was split out of the systemd package. Set the dependency ourselves to make sure it's always pulled in. Currently none of these udev rules apply to expected SecureDrop hardware, but it's good to futureproof ourselves just in case. --- builder/tests/test_securedrop_deb_package.py | 19 +++++++++++++++++++ securedrop/debian/control | 2 +- securedrop/debian/rules | 2 ++ 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/builder/tests/test_securedrop_deb_package.py b/builder/tests/test_securedrop_deb_package.py index 46c92c99ac..0c87503b36 100644 --- a/builder/tests/test_securedrop_deb_package.py +++ b/builder/tests/test_securedrop_deb_package.py 
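Review bot: The `else` branch is commented "On noble" but executes for every codename other than focal, so a new release would silently be checked against the noble expectation; prefer `elif host.system_info.codename == "noble":` for the package assertion followed by `else: pytest.fail(f"unexpected codename {host.system_info.codename}")` so an unhandled release fails loudly. `pytest` is already imported in this file, as the `@pytest.mark.parametrize` context line shows. The package check does not need `host.sudo()`, so its placement outside the `with` block is fine. test_dns_setting begins outside the hunk.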
@@ -130,3 +130,22 @@ def test_apparmor_conditional(): print(info) assert found, "Depends: line wasn't found" + + +def test_systemd_conditional(): + try: + path = [pkg for pkg in DEB_PATHS if pkg.name.startswith("securedrop-config")][0] + except IndexError: + raise RuntimeError("Unable to find securedrop-config package in build/ folder") + info = subprocess.check_output(["dpkg", "--info", path]).decode() + found = False + for line in info.splitlines(): + if line.startswith(" Depends:"): + found = True + if UBUNTU_VERSION == "focal": + assert "systemd-hwe-hwdb" not in line, "focal has no systemd-hwe-hwdb dependency" + else: + assert "systemd-hwe-hwdb" in line, "noble has systemd-hwe-hwdb dependency" + + print(info) + assert found, "Depends: line wasn't found" diff --git a/securedrop/debian/control b/securedrop/debian/control index 5e7f5b97d3..4b4fd7fe5b 100644 --- a/securedrop/debian/control +++ b/securedrop/debian/control @@ -15,7 +15,7 @@ Description: SecureDrop application code, dependencies, Apache configuration, sy Package: securedrop-config Architecture: amd64 -Depends: ${shlibs:Depends}, unattended-upgrades, update-notifier-common +Depends: ${shlibs:Depends}, ${systemd:Depends}, unattended-upgrades, update-notifier-common Description: Establishes baseline system state for running SecureDrop. Configures apt repositories. diff --git a/securedrop/debian/rules b/securedrop/debian/rules index 6f86d0ae85..d51f6769be 100755 --- a/securedrop/debian/rules +++ b/securedrop/debian/rules 
@@ -67,8 +67,10 @@ override_dh_strip_nondeterminism: override_dh_gencontrol: ifneq ($(findstring +noble,$(DEB_VERSION)),) dh_gencontrol -psecuredrop-app-code -- "-Vapparmor:Depends=apparmor (>= 4.0.1really4.0.1-0ubuntu0.24.04.3)" + dh_gencontrol -psecuredrop-config -- "-Vsystemd:Depends=systemd-hwe-hwdb" else dh_gencontrol -psecuredrop-app-code -- "-Vapparmor:Depends=" + dh_gencontrol -psecuredrop-config -- "-Vsystemd:Depends=" endif dh_gencontrol -psecuredrop-ossec-agent -- "-v3.6.0+${DEB_VERSION}" dh_gencontrol -psecuredrop-ossec-server -- "-v3.6.0+${DEB_VERSION}"
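Review bot: The `systemd:Depends` substvar is populated only when DEB_VERSION contains `+noble`, so any build without that suffix (including a future release) silently gets no systemd-hwe-hwdb dependency, while harden_dns.yml and test_system_hardening.py in the same series treat everything that is not focal as noble. If the commit message's intent is that the package is always pulled in on non-focal releases, gate this substvar on focal instead, in its own `ifneq ($(findstring +focal,$(DEB_VERSION)),)` block that sets it empty and otherwise sets `systemd-hwe-hwdb`, and leave the apparmor pin on the noble check since its version string is release-specific. debian/control now references `${systemd:Depends}` unconditionally, so this override must remain the only dh_gencontrol path for securedrop-config; as I recall, dpkg-gencontrol otherwise warns about an unknown substitution variable and substitutes nothing, which would pass the focal test but mask a missing dependency on noble.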