Merge pull request #4641 from freedomofpress/xenial-vagrant-20190618-…

…support

Remove old kernels as part of common role and not via grsecurity role

install_files/ansible-base/roles/common/tasks/main.yml

@@ -15,12 +15,12 @@
   tags:
     - reboot
 
+- include: remove_unused_packages.yml
+
 - include: apt_upgrade.yml
 
 - include: sysctl.yml
 
 - include: disable_swap.yml
 
 - include: remove_kernel_modules.yml
-
-- include: remove_unused_packages.yml

install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml

@@ -8,6 +8,41 @@
     - apt
     - hardening
 
+# After installing securedrop-grsec, remove
+# old generic kernels to avoid accidental
+# boots into a less secure environment.
+# We must used command due to the use of wildcards
+- name: Remove generic kernel packages.
+  command: apt-get remove -y {{ item }}
+  with_items:
+    - linux-signed-generic
+    - linux-signed-generic-lts-utopic
+    - linux-signed-image-generic
+    - linux-signed-image-generic-lts-utopic
+    - linux-image-generic-lts-xenial
+    - 'linux-image-.*generic'
+    - 'linux-headers-.*'
+  register: apt_removed_kernels
+  changed_when: "'The following packages will be REMOVED' in apt_removed_kernels.stdout"
+  tags:
+    - apt
+
+- name: Get list of all installed kernels.
+  shell: dpkg-query -f '${Package} ${Status}\n' -W 'linux-image*' | awk '$NF == "installed"{print $1}'
+  register: apt_installed_kernels
+  changed_when: false
+  tags:
+    - apt
+
+- name: Validate that all installed kernels are grsecurity-hardened.
+  assert:
+    that:
+      - item is search('-grsec')
+    msg: "Not all non-grsec kernels have been removed, run dpkg-query -W 'linux-image*' for more details."
+  with_items: "{{ apt_installed_kernels.stdout_lines }}"
+  tags:
+    - apt
+
 - name: Remove dependencies that are no longer required
   apt:
     autoremove: yes

install_files/ansible-base/roles/grsecurity/tasks/clean_packages.yml

@@ -1,38 +1,4 @@
 ---
-# After installing securedrop-grsec, remove
-# old generic kernels to avoid accidental
-# boots into a less secure environment.
-- name: Remove generic kernel packages.
-  command: apt-get remove -y {{ item }}
-  with_items:
-    - linux-signed-generic
-    - linux-signed-generic-lts-utopic
-    - linux-signed-image-generic
-    - linux-signed-image-generic-lts-utopic
-    - linux-image-generic-lts-xenial
-    - 'linux-image-.*generic'
-    - 'linux-headers-.*'
-  register: apt_removed_kernels
-  changed_when: "'The following packages will be REMOVED' in apt_removed_kernels.stdout"
-  tags:
-    - apt
-
-- name: Get list of all installed kernels.
-  shell: dpkg-query -f '${Package} ${Status}\n' -W 'linux-image*' | awk '$NF == "installed"{print $1}'
-  register: apt_installed_kernels
-  changed_when: false
-  tags:
-    - apt
-
-- name: Validate that all installed kernels are grsecurity-hardened.
-  assert:
-    that:
-      - item is search('-grsec')
-    msg: "Not all non-grsec kernels have been removed, run dpkg-query -W 'linux-image*' for more details."
-  with_items: "{{ apt_installed_kernels.stdout_lines }}"
-  tags:
-    - apt
-
 - name: Mark GRUB2 as manually installed so its not removed.
   command: apt-mark manual grub-pc
   register: grubpc_manual_mark