Merge pull request #57 from freedomofpress/update-pip-deps-2020-04-02

Updates python requirements with security fixes

Makefile

@@ -8,6 +8,14 @@ securedrop-rebuild: ## Rebuilds SecureDrop kernels from source tarball.
 	@ansible-playbook -vv --diff molecule/securedrop-rebuild/playbook.yml \
 		-i molecule/securedrop-rebuild/.molecule/ansible_inventory.yml
 
+.PHONY: securedrop-core
+securedrop-core: ## Builds kernels for SecureDrop servers
+	molecule converge -s securedrop-docker
+
+.PHONY: securedrop-workstation
+securedrop-workstation: ## Builds kernels for SecureDrop Workstation VMs
+	molecule converge -s workstation
+
 .PHONY: help
 help: ## Prints this message and exits.
 	@printf "Subcommands:\n\n"

files/config-securedrop-4.14

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.14.154 Kernel Configuration
+# Linux/x86 4.14.175 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -11,8 +11,8 @@ CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
 CONFIG_LOCKDEP_SUPPORT=y
 CONFIG_STACKTRACE_SUPPORT=y
 CONFIG_MMU=y
-CONFIG_ARCH_MMAP_RND_BITS_MIN=27
-CONFIG_ARCH_MMAP_RND_BITS_MAX=27
+CONFIG_ARCH_MMAP_RND_BITS_MIN=28
+CONFIG_ARCH_MMAP_RND_BITS_MAX=32
 CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
 CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16
 CONFIG_NEED_DMA_MAP_STATE=y
@@ -326,7 +326,7 @@ CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
 CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
 CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
 CONFIG_HAVE_EXIT_THREAD=y
-CONFIG_ARCH_MMAP_RND_BITS=27
+CONFIG_ARCH_MMAP_RND_BITS=28
 CONFIG_HAVE_ARCH_MMAP_RND_COMPAT_BITS=y
 CONFIG_ARCH_MMAP_RND_COMPAT_BITS=8
 CONFIG_HAVE_ARCH_COMPAT_MMAP_BASES=y
@@ -3379,6 +3379,7 @@ CONFIG_TELCLOCK=m
 CONFIG_XILLYBUS=m
 CONFIG_XILLYBUS_PCIE=m
 # CONFIG_RANDOM_TRUST_CPU is not set
+# CONFIG_RANDOM_TRUST_BOOTLOADER is not set
 
 #
 # I2C support
@@ -8099,6 +8100,7 @@ CONFIG_UNWINDER_ORC=y
 # Grsecurity
 #
 CONFIG_ARCH_NEEDS_NX=y
+CONFIG_PLUGIN_WANTS_ASMMACRO=y
 CONFIG_PAX_PER_CPU_PGD=y
 CONFIG_GRKERNSEC=y
 CONFIG_GRKERNSEC_CONFIG_AUTO=y
@@ -8184,6 +8186,7 @@ CONFIG_PAX_RESPECTRE_PLUGIN=y
 # CONFIG_PAX_RESPECTRE_PLUGIN_LOOPINDEX is not set
 # CONFIG_PAX_RESPECTRE_PLUGIN_SSB is not set
 # CONFIG_PAX_RESPECTRE_PLUGIN_VERBOSE is not set
+CONFIG_WANTS_HIDDEN_OBJECT_PATHS=y
 
 #
 # Memory Protections

library/grsecurity_urls.py

@@ -30,8 +30,7 @@
 - action: grsecurity_urls patch_type=minipli
 '''
 
-from StringIO import StringIO
-from urlparse import urljoin
+from urllib.parse import urljoin
 import re
 
 HAS_REQUESTS = True
@@ -150,7 +149,7 @@ def parse_grsecurity_latest_patch(self):
         Get latest patch name, according to sought patch type.
         """
         r = requests.get(self.patch_name_url)
-        patch_name = r.content.rstrip()
+        patch_name = r.content.rstrip().decode("utf-8")
 
         config = dict()
         config['grsecurity_patch_filename'] = patch_name

molecule/ansible-override-vars.yml

@@ -0,0 +1,3 @@
+---
+# Force use of Python 3 on remote host
+ansible_python_interpreter: "/usr/bin/python3"

molecule/ci-minipli/molecule.yml

@@ -13,6 +13,8 @@ provisioner:
   name: ansible
   lint:
     name: ansible-lint
+  options:
+    e: "@../ansible-override-vars.yml"
 scenario:
   name: ci-minipli
   test_sequence:

molecule/ci-official-stable3/Dockerfile.j2

@@ -0,0 +1 @@
+../ci-skel/Dockerfile.j2

molecule/ci-official-stable3/molecule.yml

@@ -13,6 +13,8 @@ provisioner:
   name: ansible
   lint:
     name: ansible-lint
+  options:
+    e: "@../ansible-override-vars.yml"
 scenario:
   name: ci-official-stable3
   test_sequence:

molecule/ci-skel/Dockerfile.j2

@@ -2,19 +2,16 @@
 
 FROM {{ item.image }}@{{ (lookup('pipe', 'cat ../container-hashes.yml')|from_yaml)[item.image_hash_lookup] }}
 
-RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates && apt-get clean; \
-    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash && dnf clean all; \
-    elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
-    elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml && zypper clean -a; \
-    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates; fi
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python3 python3-requests sudo bash ca-certificates && apt-get clean; \
+    fi
 
 
 RUN apt-get install -y sudo paxctl
 RUN adduser --disabled-password vagrant
 RUN usermod -aG sudo vagrant
 RUN echo "%sudo ALL=(ALL:ALL) NOPASSWD: ALL" > /etc/sudoers
 
-RUN paxctl -cm /usr/bin/python2.7
+RUN paxctl -cm /usr/bin/python3
 
 
 USER vagrant

molecule/ci-skel/molecule.yml

@@ -13,6 +13,8 @@ provisioner:
   name: ansible
   lint:
     name: ansible-lint
+  options:
+    e: "@../ansible-override-vars.yml"
 scenario:
   name: ci
   test_sequence:

molecule/ci-unofficial/molecule.yml

@@ -13,6 +13,8 @@ provisioner:
   name: ansible
   lint:
     name: ansible-lint
+  options:
+    e: "@../ansible-override-vars.yml"
 scenario:
   name: ci-unofficial
   test_sequence:

molecule/securedrop-docker/Dockerfile.j2

@@ -2,17 +2,13 @@
 
 FROM {{ item.image }}@{{ (lookup('pipe', 'cat ../container-hashes.yml')|from_yaml)[item.image_hash_lookup] }}
 
-RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python sudo bash ca-certificates libssl-dev libelf-dev && apt-get clean; \
-    elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python python-devel python2-dnf bash libssl-dev libelf-dev&& dnf clean all; \
-    elif [ $(command -v yum) ]; then yum makecache fast && yum update -y && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
-    elif [ $(command -v zypper) ]; then zypper refresh && zypper update -y && zypper install -y python sudo bash python-xml  libssl-dev libelf-dev && zypper clean -a; \
-    elif [ $(command -v apk) ]; then apk update && apk add --no-cache python sudo bash ca-certificates libssl-dev libelf-dev; fi
-
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get upgrade -y && apt-get install -y python3 python3-requests sudo bash ca-certificates libssl-dev libelf-dev && apt-get clean; \
+    fi
 
 RUN apt-get install -y sudo paxctl
 RUN adduser --disabled-password vagrant
 RUN usermod -aG sudo vagrant
 
-RUN paxctl -cm /usr/bin/python2.7
+RUN paxctl -cm /usr/bin/python3
 
 USER vagrant

molecule/securedrop-docker/molecule.yml

@@ -13,6 +13,8 @@ provisioner:
   name: ansible
   lint:
     name: ansible-lint
+  options:
+    e: "@../ansible-override-vars.yml"
 scenario:
   name: securedrop-docker
   test_sequence: