Quirks: Change fips libgcrypt functions from subp.Popen to safer alternatives
Robie Basak pointed out during SRU review that subprocess.Popen()
requires the author to call wait() and check the return code manually
when it could be done in a more safe fashion with check_call().
Change _fipsLibgcryptDivert() to use subprocess.check_call().
Additionally, change the subprocess.Popen() for manual rm to
os.unlink(), again a safer way of removing the hmac file.
Quirks: Add a dpkg-divert for fips enabled systems to work around libgcrypt20-hmac file
libgcrypt20-hmac versions 1.8.5-5ubuntu1.fips.1.4 and below contain a
bug where .libgcrypt.so.20.hmac is placed in /lib/x86_64-linux-gnu/
instead of /usr/lib/x86_64-linux-gnu/, which leads to issues on
non-usrmerged systems during upgrade.
Affected users would see:
update-initramfs: Generating /boot/initrd.img-5.4.0-84-generic
Failed to copy HMAC file "/usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac".
E: /usr/share/initramfs-tools/hooks/fips-libgcrypt failed with return 1.
This only affects users using the certified fips pocket, as it has been
resolved in 1.8.5-5ubuntu1.fips.1.5 in fips-updates. Since recertification
is a year or two away, add an upgrade quirk for the time being.
A comprehensive test suite is included for all edge cases.
do-release-upgrade: preserve env vars needed for screen lock prevention
The screen lock prevention code relies on environment variables such as
DBUS_SESSION_BUS_ADDRESS being preserved, since the
org.freedesktop.ScreenSaver DBus interface is needed. This works in
cases where the dist-upgrade script is invoked with 'sudo -E' (e.g.
DistUpgradeViewText frontend). However, when pkexec is used (e.g.
DistUpgradeViewGtk3 frontend) the environment variables cannot be
preserved as per pkexec's design.
Add an --env flag to do-release-upgrade that accepts a comma-separated
list of environment variables (e.g. VAR1=VALUE1,VAR2=VALUE2) which should be set when
executing the dist-upgrade script. This approach is similar to the
existing workaround for RELEASE_UPGRADER_ALLOW_THIRD_PARTY, but is
generalized to allow any environment variables to be set.
Finally, when the DistUpgradeViewGtk3 or DistUpgradeViewKDE frontends
are used, and the do-release-upgrade script is re-exec'd with pkexec,
set the DBUS_SESSION_BUS_ADDRESS and XDG_SESSION_TYPE variables with
--env so that the screen lock prevention code works with these
frontends.