From b4871b6ababf37fe89d365529120933a53ed69e2 Mon Sep 17 00:00:00 2001
From: mickael e
Date: Tue, 2 Oct 2018 16:35:48 -0400
Subject: [PATCH] Always use latest kernel
Until now, the postinst action for the securedrop-grsec metapackage would preserve preferences for a rolled back kernel. This will now remove this preference, by setting GRUB_DEFAUT=0, which will instruct grub to use the highest kernel version available on the system.
---
 .../ansible-base/group_vars/all/securedrop | 2 +-
 install_files/securedrop-grsec/DEBIAN/postinst | 15 +++++---------
 2 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index 87d60914842..a24f613004a 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -53,5 +53,5 @@ securedrop_cond_reboot_file: /tmp/sd-reboot-now
 # If you bump this, also remember to bump in molecule/builder/tests/vars.yml
 securedrop_pkg_grsec:
- ver: "4.4.144"
+ ver: "4.4.144-1"
 depends: "linux-image-3.14.79-grsec,linux-image-4.4.135-grsec,linux-firmware-image-4.4.135-grsec,linux-image-4.4.144-grsec,linux-firmware-image-4.4.144-grsec"
diff --git a/install_files/securedrop-grsec/DEBIAN/postinst b/install_files/securedrop-grsec/DEBIAN/postinst
index 48971c0648d..526883bb009 100755
--- a/install_files/securedrop-grsec/DEBIAN/postinst
+++ b/install_files/securedrop-grsec/DEBIAN/postinst
@@ -19,16 +19,11 @@ set -x
 case "$1" in
 configure)
- # If the SecureDrop instance is running a rolled-back kernel, this will
- # preserve the kernel boot priority specfied in its ordinal form by the
- # canonical form. (In this specific case, 1>2 as GRUB_DEFAULT in
- # /etc/default/grub indicates the instance is running 3.14.79-grsec)
- # In any other case, we want to run the latest 4.4 series kernel.
- if grep -qE "^GRUB_DEFAULT=[\"\' ]*1>2[\"\' ]*$" /etc/default/grub; then
- sed -i "s/^\(GRUB_DEFAULT=\)[\"\' ]*1>2[\"\' ]*$/\1\"Advanced options for Ubuntu>Ubuntu, with Linux 3.14.79-grsec\"/" /etc/default/grub
- # update grub to set the new default
- update-grub2
- fi
+ # Replace the default GRUB boot option with 0, which defaults to the
+ # highest kernel version. Any kernel provided by apt.freedom.press must
+ # suprecede the ones provided by Ubuntu.
+ sed -i '/^GRUB_DEFAULT=/s/=.*/=0/' /etc/default/grub
+ update-grub
 ;;
 abort-upgrade|abort-remove|abort-deconfigure)
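Review bot: Nothing in the `configure)` branch checks that GRUB menu entry 0 is a grsec kernel, even though the added comment equates `GRUB_DEFAULT=0` with the highest kernel version. If a stock Ubuntu kernel newer than 4.4.144 is installed (nothing visible here rules that out), the instance would boot without grsecurity hardening and the postinst would still succeed. The assumption should at least be stated next to the `sed`, for example `# Entry 0 is picked by version, not by origin: assumes no non-grsec kernel newer than the grsec one is installed.` The `sed` also rewrites only /etc/default/grub, so a `GRUB_DEFAULT` set in an /etc/default/grub.d/ drop-in would presumably still win. The `case` statement continues outside the hunk, and "suprecede" in the new comment should read "supersede".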