From 5b548ad188296e73fe9b706ea9c4820233125200 Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Thu, 6 Jun 2019 11:44:18 -0700
Subject: [PATCH] Ensures paxctld is running inside SDW VMs
Using Salt to force the service to run, so it's active immediately. More important for the child VMs is using the qvm-service calls to enable the service on boot of other, non-Template but Template-based VMs.
Since we're now properly enforcing the paxctld service state in all VMs, removes the previous implementation specific to sd-svs-disp.
---
dom0/sd-export.sls | 3 +++
dom0/sd-svs-disp-files.sls | 7 -------
dom0/sd-svs-disp.sls | 3 +++
dom0/sd-svs.sls | 3 +++
dom0/sd-workstation-template-files.sls | 10 ++++++++++
dom0/sd-workstation-template.sls | 3 +++
6 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/dom0/sd-export.sls b/dom0/sd-export.sls
index 36ff844e..73169aef 100644
--- a/dom0/sd-export.sls
+++ b/dom0/sd-export.sls
@@ -32,6 +32,9 @@ sd-export-usb-dvm:
 - tags:
 - add:
 - sd-workstation
+ - features:
+ - enable:
+ - service.paxctld
 - require:
 - qvm: sd-export-template
diff --git a/dom0/sd-svs-disp-files.sls b/dom0/sd-svs-disp-files.sls
index 7e9007ab..9d418cd4 100644
--- a/dom0/sd-svs-disp-files.sls
+++ b/dom0/sd-svs-disp-files.sls
@@ -20,11 +20,6 @@ sd-svs-disp-install-mimetype-handler-package:
 - require:
 - sls: fpf-apt-test-repo
-paxctld:
- service.running:
- - enable: True
- - reload: True
-
 sd-svs-disp-install-libreoffice:
 pkg.installed:
 - name: libreoffice
@@ -32,5 +27,3 @@ sd-svs-disp-install-libreoffice:
 attempts: 3
 interval: 60
 - install_recommends: False
- - require:
- - service: paxctld
diff --git a/dom0/sd-svs-disp.sls b/dom0/sd-svs-disp.sls
index 2f67cf5a..e8eecca9 100644
--- a/dom0/sd-svs-disp.sls
+++ b/dom0/sd-svs-disp.sls
@@ -36,5 +36,8 @@ sd-svs-disp:
 - add:
 - sd-workstation
 - sd-svs-disp-vm
+ - features:
+ - enable:
+ - service.paxctld
 - require:
 - qvm: sd-svs-disp-template
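Review bot: Enabling the `service.paxctld` feature on sd-export-usb-dvm only has an effect if the paxctld unit inside the VM is gated on the qubes-service flag (presumably the conventional check for a marker under the qubes-service runtime directory, or an equivalent hook); nothing in this patch shows that the packaged unit is, so please confirm it, otherwise the feature is a silent no-op and the only thing starting paxctld in AppVMs is whatever the template enabled. The same applies to the identical `features:` additions in sd-svs-disp.sls, sd-svs.sls and sd-workstation-template.sls, so one check covers all four. A short comment above each `- features:` block, e.g. `# service.paxctld only takes effect if the in-VM paxctld unit honours qubes-service`, would save the next reader the same question.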
diff --git a/dom0/sd-svs.sls b/dom0/sd-svs.sls
index 364ad1cd..648a1f1a 100644
--- a/dom0/sd-svs.sls
+++ b/dom0/sd-svs.sls
@@ -34,6 +34,9 @@ sd-svs:
 - tags:
 - add:
 - sd-workstation
+ - features:
+ - enable:
+ - service.paxctld
 - require:
 - qvm: sd-svs-template
diff --git a/dom0/sd-workstation-template-files.sls b/dom0/sd-workstation-template-files.sls
index 20cd9a0d..70efef85 100644
--- a/dom0/sd-workstation-template-files.sls
+++ b/dom0/sd-workstation-template-files.sls
@@ -10,3 +10,13 @@ sd-workstation-template-install-kernel-config-packages:
 - securedrop-workstation-grsec
 - require:
 - sls: fpf-apt-test-repo
+
+# Ensure that paxctld starts immediately. For AppVMs,
+# use qvm.features.enabled = ["paxctld"] to ensure service start.
+sd-workstation-template-enable-paxctld:
+ service.running:
+ - name: paxctld
+ - enable: True
+ - reload: True
+ - require:
+ - pkg: sd-workstation-template-install-kernel-config-packages
diff --git a/dom0/sd-workstation-template.sls b/dom0/sd-workstation-template.sls
index 59b373d5..16a14fdf 100644
--- a/dom0/sd-workstation-template.sls
+++ b/dom0/sd-workstation-template.sls
@@ -14,5 +14,8 @@ sd-workstation-template:
 - tags:
 - add:
 - sd-workstation
+ - features:
+ - enable:
+ - service.paxctld
 - require:
 - pkg: dom0-install-securedrop-workstation-template
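Review bot: The `- require: - pkg: sd-workstation-template-install-kernel-config-packages` on sd-workstation-template-enable-paxctld orders the service after the grsec package, but the visible context only lists securedrop-workstation-grsec, so if paxctld is installed by a different package this state can run before the binary exists and fail the highstate; worth confirming which package provides it and requiring that one. The paxctld state removed from sd-svs-disp-files.sls was also a `require` target of the libreoffice install, which explicitly ordered that install after paxctld was running; after this patch that ordering only holds if sd-svs-disp-template is built from a template where this new state has already been applied, which I could not confirm from the patch. The comment's `qvm.features.enabled = ["paxctld"]` does not match what the sibling sls files actually set (`features: enable: service.paxctld`); suggest `# For AppVMs, enable the qvm feature service.paxctld (see sd-svs.sls) so the service starts on boot.`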