Installs mimetype handlers for SVS DispVM via package #201

Merged
merged 2 commits into from
Nov 11, 2018

@conorsch conorsch commented Nov 9, 2018

Converts the mimetype handler logic for sd-svs-disp (used to open submissions) to a Debian package, based on logic presented in freedomofpress/securedrop-builder#10.

Also updated the config tests to Python 3 because it was easy and closes another issue.

Closes #182. Closes #188.

I'm able to open a test submission (tried a JPG) just fine using the new logic.

@conorsch conorsch force-pushed the 182-install-sd-svs-disp-config-package branch from cd3bc32 to 104282c Compare November 9, 2018 21:42
Conor Schaefer added 2 commits November 9, 2018 18:44
We've moved the mimetype file handler logic into a config metapackage,
so here we update the Salt logic to remove the hardcoded file, and
install the package via the FPF apt repo.

Includes some barebones tests to confirm the package is present.

We've already converted the application code to Python 3, but the config
tests (run in dom0) were still using Python 2. Fixed.
@conorsch conorsch force-pushed the 182-install-sd-svs-disp-config-package branch from 104282c to 1f5276d Compare November 10, 2018 02:45

zenmonkeykstop commented Nov 10, 2018

Testing mime types:

  • ❌ avi - opens in Totem (but closes immediately - could be an issue with the test file)
  • ❌ csv - opens in gedit, not libreoffice
  • djvu - opens in evince
  • ❌ doc - fails with "unable to handle mimetype of the requested file" message
  • ❌ docx - opens in Archive Manager, not libreoffice
  • gif - opens in eog
  • jpg - opens in eog
  • ❌ mov - opens in totem, immediately closes
  • mp3 - opens in audacious
  • ❌ mp4 - opens in totem, immediately closes
  • ❌ odp - something flashes up, too quick to see which application
  • ❌ ods - same as odp
  • ❌ odt - same as odt
  • ogg - opens in audacious
  • ❌ ogv - opens in totem, immediately closes
  • pdf - opens in evince
  • png - opens in eog
  • ❌ ppt - fails with "unable to handle mimetype" message
  • ❌ pptx - opens in Archive Manager, not libreoffice
  • rar - opens in Archive Manager
  • svg - opens in eog
  • tiff - opens in evince
  • 7z - opens in Archive Manager
  • wav - opens in audacious
  • ❌ wmv - opens in totem, immediately closes
  • ❌ xls - fails with "unable to handle mimetype" message
  • ❌ xlsx - opens in Archive Manager
  • zip - opens in Archive Manager

Checking config tests:

  • ✔️ Confirmed that they run in Python 3, a couple of fails for me but unrelated to the language update. 👍

@conorsch

Regarding libreoffice, we don't have that installed yet due to a race with the java pax flags. For the others you report as "immediately closes," that sounds like it could be pax flags, as well. For the "immediately closes" apps,

  • sudo systemctl status paxctld inside the dispvm; is it dead?
  • sudo journalctl -a | grep -i grsec inside the dispvm; do you see memprotect triggering?

The coverage of filetype handling is something we'll have to continually improve on; if we have pax flags to add, we'll need to store them in the packaging logic and bump releases.


zenmonkeykstop commented Nov 10, 2018

Ran an sd-svs-disp dispvm, get

$ sudo systemctl status paxctld
● paxctld.service - PaX flags maintenance daemon
   Loaded: loaded (/lib/systemd/system/paxctld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)

and a bunch of "denied RWX mmap"s for totem in journalctl output.


emkll commented Nov 10, 2018

Totem does indeed require the m PaX flag:

Nov 10 15:14:10 localhost kernel: [  395.388179] grsec: denied RWX mprotect of <anonymous mapping> by /usr/bin/totem[totem:3727] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:726] uid/euid:1000/1000 gid/egid:1000/1000
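
The journal check discussed in this thread, as an added example that is not part of the original conversation or the project's code: it scans log lines for grsecurity RWX denials and groups them by executable, showing which handlers are being blocked. The first sample line is the one quoted above; the `mmap` line (its format assumed to mirror the `mprotect` line) and the unrelated line are constructed, and `summarize_denials` is a hypothetical helper name.

```python
import re
import sys
from collections import defaultdict

# Shape taken from the kernel line quoted in the thread; "mmap" variant is assumed
# to follow the same layout as the "mprotect" one.
DENIAL_RE = re.compile(
    r"grsec: denied RWX (?P<op>mprotect|mmap) of (?P<target>.+?) "
    r"by (?P<exe>/\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)

_TAIL = (" uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd"
         "[systemd:726] uid/euid:1000/1000 gid/egid:1000/1000")

SAMPLE_LINES = [
    # Quoted in the thread:
    "Nov 10 15:14:10 localhost kernel: [  395.388179] grsec: denied RWX mprotect "
    "of <anonymous mapping> by /usr/bin/totem[totem:3727]" + _TAIL,
    # Constructed for this example:
    "Nov 10 15:14:10 localhost kernel: [  395.401122] grsec: denied RWX mmap "
    "of <anonymous mapping> by /usr/bin/totem[totem:3727]" + _TAIL,
    "Nov 10 15:14:12 localhost systemd[1]: Started Session 2 of user user.",
]


def summarize_denials(lines):
    """Group RWX denials by the denied executable (not by its parent process)."""
    summary = defaultdict(lambda: {"mprotect": 0, "mmap": 0, "pids": set()})
    for line in lines:
        m = DENIAL_RE.search(line)  # first match is the subject, before "parent"
        if m is None:
            continue
        entry = summary[m["exe"]]
        entry[m["op"]] += 1
        entry["pids"].add(int(m["pid"]))
    return dict(summary)


if __name__ == "__main__":
    # Pipe journal output in, or run with no input to use the embedded samples.
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for exe, info in sorted(summarize_denials(source).items()):
        print(f"{exe}: mprotect={info['mprotect']} mmap={info['mmap']} "
              f"pids={sorted(info['pids'])}")
```
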


emkll commented Nov 11, 2018

I've uploaded securedrop-workstation-svs-disp 0.1.2 package to apt-test-qubes containing the paxflag update for totem. Totem should now work once the sd-svs-disp-template is updated.

I've opened #205 to track progress on LibreOffice.


@emkll emkll left a comment

Thanks @conorsch, all tests are passing, and confirm the mime types are being honored by svs dispvms. With the fix to Totem pax flag, videos are now viewable in svs-dispvms.

The only mimetype from the list that is not being handled is Libreoffice, which is tracked in #205.

@emkll emkll merged commit d25ab4c into master Nov 11, 2018
@emkll emkll deleted the 182-install-sd-svs-disp-config-package branch November 11, 2018 22:39
Successfully merging this pull request may close these issues.

  • Update application tests to run under Python 3
  • Create securedrop-svs-disp-config package