Merge pull request #5188 from freedomofpress/5111-kernels-4.14.175

Update grsecurity kernels to 4.14.175

Author: emkll

install_files/ansible-base/group_vars/all/securedrop

@@ -38,7 +38,7 @@ enable_ssh_over_tor: true
 # the many roles of the current prod playbook
 securedrop_cond_reboot_file: /tmp/sd-reboot-now
 
-# If you bump this, also remember to bump in molecule/builder/tests/vars.yml
+# If you bump this, also remember to bump in molecule/builder-xenial/tests/vars.yml
 securedrop_pkg_grsec:
-  ver: "4.14.154"
-  depends: "linux-image-4.14.154-grsec-securedrop,linux-image-4.4.182-grsec,linux-firmware-image-4.4.182-grsec,intel-microcode"
+  ver: "4.14.175"
+  depends: "linux-image-4.14.175-grsec-securedrop,linux-image-4.14.154-grsec-securedrop,intel-microcode"

molecule/builder-xenial/tests/vars.yml

@@ -3,7 +3,7 @@ securedrop_version: "1.3.0~rc1"
 ossec_version: "3.0.0"
 keyring_version: "0.1.3"
 config_version: "0.1.3"
-grsec_version: "4.14.154"
+grsec_version: "4.14.175"
 
 # These values will be interpolated with values populated above
 # via helper functions in the tests.

molecule/testinfra/staging/common/test_grsecurity.py

@@ -185,12 +185,12 @@ def test_wireless_disabled_in_kernel_config(host, kernel_opts):
     remove wireless support from the kernel. Let's make sure wireless is
     disabled in the running kernel config!
     """
+    with host.sudo():
+        kernel_config_path = "/boot/config-{}-grsec-securedrop".format(KERNEL_VERSION)
+        kernel_config = host.file(kernel_config_path).content_string
 
-    kernel_config_path = "/boot/config-{}-grsec-securedrop".format(KERNEL_VERSION)
-    kernel_config = host.file(kernel_config_path).content_string
-
-    line = "# CONFIG_{} is not set".format(kernel_opts)
-    assert line in kernel_config
+        line = "# CONFIG_{} is not set".format(kernel_opts)
+        assert line in kernel_config
 
 
 @pytest.mark.parametrize('kernel_opts', [
@@ -203,11 +203,12 @@ def test_kernel_options_enabled_config(host, kernel_opts):
     Tests kernel config for options that should be enabled
     """
 
-    kernel_config_path = "/boot/config-{}-grsec-securedrop".format(KERNEL_VERSION)
-    kernel_config = host.file(kernel_config_path).content_string
+    with host.sudo():
+        kernel_config_path = "/boot/config-{}-grsec-securedrop".format(KERNEL_VERSION)
+        kernel_config = host.file(kernel_config_path).content_string
 
-    line = "{}=y".format(kernel_opts)
-    assert line in kernel_config
+        line = "{}=y".format(kernel_opts)
+        assert line in kernel_config
 
 
 def test_mds_mitigations_and_smt_disabled(host):
@@ -216,7 +217,8 @@ def test_mds_mitigations_and_smt_disabled(host):
     see https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
     """
 
-    grub_config_path = "/boot/grub/grub.cfg"
-    grub_config = host.file(grub_config_path)
+    with host.sudo():
+        grub_config_path = "/boot/grub/grub.cfg"
+        grub_config = host.file(grub_config_path)
 
-    assert grub_config.contains("mds=full,nosmt")
+        assert grub_config.contains("mds=full,nosmt")

molecule/testinfra/staging/vars/staging.yml

@@ -195,4 +195,4 @@ log_events_with_ossec_alerts:
     rule_id: "400700"
 
 fpf_apt_repo_url: "https://apt-test.freedom.press"
-grsec_version: "4.14.154"
+grsec_version: "4.14.175"

securedrop/dockerfiles/xenial/python3/Dockerfile

@@ -29,7 +29,7 @@ RUN curl -LO https://ftp.mozilla.org/pub/firefox/releases/${FF_ESR_VER}/linux-x8
 
 COPY ./tor_project_public.pub /opt/
 
-ENV TBB_VERSION 9.0.7
+ENV TBB_VERSION 9.0.9
 RUN gpg --import /opt/tor_project_public.pub && \
     wget  https://www.torproject.org/dist/torbrowser/${TBB_VERSION}/tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz && \
     wget https://www.torproject.org/dist/torbrowser/${TBB_VERSION}/tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz.asc && \