Drop setting vm.heap_stack_gap and net.ipv4 sysctl flags

legoktm · legoktm · commit 37f182724bfc · 2024-11-06T15:33:18.000-05:00
These are now set via the securedrop-grsec metapackage (see <freedomofpress/kernel-builder#55>). Tests are left in to verify the migration works properly. Refs #7323.
diff --git a/install_files/ansible-base/roles/common/defaults/main.yml b/install_files/ansible-base/roles/common/defaults/main.yml
@@ -5,36 +5,6 @@ disabled_kernel_modules:
   - iwlmvm
   - iwlwifi
 
-sysctl_flags:
-  - name: "net.ipv4.tcp_max_syn_backlog"
-    value: "4096"
-  - name: "net.ipv4.tcp_syncookies"
-    value: "1"
-  - name: "net.ipv4.conf.all.rp_filter"
-    value: "1"
-  - name: "net.ipv4.conf.all.accept_source_route"
-    value: "0"
-  - name: "net.ipv4.conf.all.accept_redirects"
-    value: "0"
-  - name: "net.ipv4.conf.all.secure_redirects"
-    value: "0"
-  - name: "net.ipv4.conf.default.rp_filter"
-    value: "1"
-  - name: "net.ipv4.conf.default.accept_source_route"
-    value: "0"
-  - name: "net.ipv4.conf.default.accept_redirects"
-    value: "0"
-  - name: "net.ipv4.conf.default.secure_redirects"
-    value: "0"
-  - name: "net.ipv4.icmp_echo_ignore_broadcasts"
-    value: "1"
-  - name: "net.ipv4.ip_forward"
-    value: "0"
-  - name: "net.ipv4.conf.all.send_redirects"
-    value: "0"
-  - name: "net.ipv4.conf.default.send_redirects"
-    value: "0"
-
 unused_packages:
   - libiw30
   - wireless-tools
diff --git a/install_files/ansible-base/roles/common/tasks/main.yml b/install_files/ansible-base/roles/common/tasks/main.yml
@@ -22,8 +22,6 @@
 
 - include_tasks: remove_unused_packages.yml
 
-- include_tasks: sysctl.yml
-
 - include_tasks: disable_swap.yml
 
 - include_tasks: remove_kernel_modules.yml
diff --git a/install_files/ansible-base/roles/common/tasks/sysctl.yml b/install_files/ansible-base/roles/common/tasks/sysctl.yml
diff --git a/install_files/ansible-base/roles/grsecurity/defaults/main.yml b/install_files/ansible-base/roles/grsecurity/defaults/main.yml
@@ -6,8 +6,3 @@ grsec_sysctl_flags:
     # rest will not be applied
   - name: "kernel.grsecurity.grsec_lock"
     value: "1"
-    # Stack clash mitigation, increasing main stack gap to 1MB.
-    # Storing as part of grsecurity vars, because sysctl option won't
-    # exist otherwise.
-  - name: "vm.heap_stack_gap"
-    value: "1048576"
diff --git a/molecule/testinfra/common/test_grsecurity.py b/molecule/testinfra/common/test_grsecurity.py
@@ -81,6 +81,7 @@ def test_grsecurity_kernel_is_running(host):
     [
         ("kernel.grsecurity.grsec_lock", 1),
         ("kernel.grsecurity.rwxmap_logging", 0),
+        # set via securedrop-grsec (in kernel-builder)
         ("vm.heap_stack_gap", 1048576),
     ],
 )
diff --git a/molecule/testinfra/common/test_system_hardening.py b/molecule/testinfra/common/test_system_hardening.py
@@ -30,6 +30,8 @@ def test_sysctl_options(host, sysctl_opt):
     """
     Ensure sysctl flags are set correctly. Most of these checks
     are hardening IPv4, which is appropriate due to the heavy use of Tor.
+
+    These are all set via securedrop-grsec (in kernel-builder).
     """
     with host.sudo():
         assert host.sysctl(sysctl_opt[0]) == sysctl_opt[1]

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,7 @@ def test_grsecurity_kernel_is_running(host):`
`81`	`81`	`[`
`82`	`82`	`("kernel.grsecurity.grsec_lock", 1),`
`83`	`83`	`("kernel.grsecurity.rwxmap_logging", 0),`
	`84`	`+ # set via securedrop-grsec (in kernel-builder)`
`84`	`85`	`("vm.heap_stack_gap", 1048576),`
`85`	`86`	`],`
`86`	`87`	`)`