Ensures paxctld is running inside SDW VMs

Using Salt to force the service to run, so it's active immediately. More important for the child VMs is using the qvm-service calls to enable the service on boot of other, non-Template but Template-based VMs. Since we're now properly enforcing the paxctld service state in all VMs, removes the previous implementation specific to sd-svs-disp.
freedomofpress · Jun 6, 2019 · 5b548ad · 5b548ad
1 parent 39c5a46
commit 5b548ad
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 7 deletions.
diff --git a/dom0/sd-export.sls b/dom0/sd-export.sls
@@ -32,6 +32,9 @@ sd-export-usb-dvm:
     - tags:
       - add:
         - sd-workstation
+    - features:
+      - enable:
+        - service.paxctld
     - require:
       - qvm: sd-export-template
 

diff --git a/dom0/sd-svs-disp-files.sls b/dom0/sd-svs-disp-files.sls
@@ -20,17 +20,10 @@ sd-svs-disp-install-mimetype-handler-package:
     - require:
       - sls: fpf-apt-test-repo
 
-paxctld:
-  service.running:
-    - enable: True
-    - reload: True
-
 sd-svs-disp-install-libreoffice:
   pkg.installed:
     - name: libreoffice
     - retry:
         attempts: 3
         interval: 60
     - install_recommends: False
-    - require:
-      - service: paxctld
diff --git a/dom0/sd-svs-disp.sls b/dom0/sd-svs-disp.sls
@@ -36,5 +36,8 @@ sd-svs-disp:
       - add:
         - sd-workstation
         - sd-svs-disp-vm
+    - features:
+      - enable:
+        - service.paxctld
     - require:
       - qvm: sd-svs-disp-template
diff --git a/dom0/sd-svs.sls b/dom0/sd-svs.sls
@@ -34,6 +34,9 @@ sd-svs:
     - tags:
       - add:
         - sd-workstation
+    - features:
+      - enable:
+        - service.paxctld
     - require:
       - qvm: sd-svs-template
 

diff --git a/dom0/sd-workstation-template-files.sls b/dom0/sd-workstation-template-files.sls
@@ -10,3 +10,13 @@ sd-workstation-template-install-kernel-config-packages:
       - securedrop-workstation-grsec
     - require:
       - sls: fpf-apt-test-repo
+
+# Ensure that paxctld starts immediately. For AppVMs,
+# use qvm.features.enabled = ["paxctld"] to ensure service start.
+sd-workstation-template-enable-paxctld:
+  service.running:
+    - name: paxctld
+    - enable: True
+    - reload: True
+    - require:
+      - pkg: sd-workstation-template-install-kernel-config-packages
diff --git a/dom0/sd-workstation-template.sls b/dom0/sd-workstation-template.sls
@@ -14,5 +14,8 @@ sd-workstation-template:
     - tags:
       - add:
         - sd-workstation
+    - features:
+      - enable:
+        - service.paxctld
     - require:
       - pkg: dom0-install-securedrop-workstation-template