From c435ac6d4fbafc71736a2958d28010ccc3450277 Mon Sep 17 00:00:00 2001
From: Kushal Das
Date: Mon, 3 Jun 2019 20:12:24 +0530
Subject: [PATCH 1/5] Fixes #205 installs libreoffice in svs disp

Also restarts and enables paxctl service
---
 dom0/sd-svs-disp-files.sls | 12 ++++++++++++
 tests/test_svs.py | 3 +++
 2 files changed, 15 insertions(+)
diff --git a/dom0/sd-svs-disp-files.sls b/dom0/sd-svs-disp-files.sls
index 184a9967..dd3772bd 100644
--- a/dom0/sd-svs-disp-files.sls
+++ b/dom0/sd-svs-disp-files.sls
@@ -19,3 +19,15 @@ sd-svs-disp-install-mimetype-handler-package:
 - securedrop-workstation-svs-disp
 - require:
 - sls: fpf-apt-test-repo
+
+paxctld:
+ service.running:
+ - enable: True
+ - reload: True
+
+sd-svs-disp-install-libreoffice:
+ pkg.installed:
+ - name: libreoffice
+ - retry:
+ attempts: 3
+ interval: 60
diff --git a/tests/test_svs.py b/tests/test_svs.py
index 9ba186b1..0ebdff3f 100644
--- a/tests/test_svs.py
+++ b/tests/test_svs.py
@@ -36,6 +36,9 @@ def test_sd_client_package_installed(self):
 pkg = "securedrop-workstation-svs-disp"
 self.assertTrue(self._package_is_installed(pkg))
+ def test_sd_svs_libreoffice_installed(self):
+ self.assertTrue(self._package_is_installed("libreoffice"))
+
 def load_tests(loader, tests, pattern):
 suite = unittest.TestLoader().loadTestsFromTestCase(SD_SVS_Tests)
From 80fb9363fcee9b5c4fcaacbcb984c995e225283e Mon Sep 17 00:00:00 2001
From: mickael e
Date: Thu, 6 Jun 2019 15:00:30 -0400
Subject: [PATCH 2/5] Specify run order for paxctld and don't install recommends for Libreoffice

Setting the paxctld in the requires block of the libreoffice install will ensure the service is always started prior to installing the package. ca-certificates-java was posing some issues at install time. As it is listed in "recommends" and not "requires", we can sidestep the issue and also reduce total amount of packages installed.
---
 dom0/sd-svs-disp-files.sls | 3 +++
 1 file changed, 3 insertions(+)
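Review bot: The new `paxctld` state in sd-svs-disp-files.sls has no `require` on the package that ships the service, so whether the unit exists when `service.running` is evaluated depends only on file order in this sls. The last patch in this series moves the service into sd-workstation-template-files.sls with `- require: - pkg: sd-workstation-template-install-kernel-config-packages`, and that is the shape this state should have had here as well. The `retry` on `sd-svs-disp-install-libreoffice` (3 attempts, 60 s) also turns a persistent install failure into a three-minute delay before the same error; if the known cause is missing PaX flags on the Java binaries, ordering after the service (as the next patch adds) is the actual fix and the retry should stay small.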
diff --git a/dom0/sd-svs-disp-files.sls b/dom0/sd-svs-disp-files.sls
index dd3772bd..7e9007ab 100644
--- a/dom0/sd-svs-disp-files.sls
+++ b/dom0/sd-svs-disp-files.sls
@@ -31,3 +31,6 @@ sd-svs-disp-install-libreoffice:
 - retry:
 attempts: 3
 interval: 60
+ - install_recommends: False
+ - require:
+ - service: paxctld
From 16d4446ef838d80a649898e5b699f75cf9988336 Mon Sep 17 00:00:00 2001
From: mickael e
Date: Thu, 6 Jun 2019 16:26:17 -0400
Subject: [PATCH 3/5] Fix svs_disp tests and add test for paxctld

Some sd-svs-disp tests were not running, moving sd-svs-disp tests to their own file resolves.
---
 tests/test_svs.py | 13 -------------
 tests/test_svs_disp.py | 28 ++++++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 13 deletions(-)
 create mode 100644 tests/test_svs_disp.py
diff --git a/tests/test_svs.py b/tests/test_svs.py
index 0ebdff3f..61133469 100644
--- a/tests/test_svs.py
+++ b/tests/test_svs.py
@@ -27,19 +27,6 @@ def test_sd_client_package_installed(self):
 self.assertTrue(self._package_is_installed("securedrop-client"))
-class SD_SVS_Disp_Tests(SD_VM_Local_Test):
- def setUp(self):
- self.vm_name = "sd-svs-disp"
- super(SD_SVS_Disp_Tests, self).setUp()
-
- def test_sd_client_package_installed(self):
- pkg = "securedrop-workstation-svs-disp"
- self.assertTrue(self._package_is_installed(pkg))
-
- def test_sd_svs_libreoffice_installed(self):
- self.assertTrue(self._package_is_installed("libreoffice"))
-
-
 def load_tests(loader, tests, pattern):
 suite = unittest.TestLoader().loadTestsFromTestCase(SD_SVS_Tests)
 return suite
diff --git a/tests/test_svs_disp.py b/tests/test_svs_disp.py
new file mode 100644
index 00000000..f8de23f4
--- /dev/null
+++ b/tests/test_svs_disp.py
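Review bot: `- require: - service: paxctld` orders the libreoffice install after the service state but does not verify that paxctld's configuration actually covers the Java binaries libreoffice pulls in; if that is the failure the `retry` was added for, the retry will only repeat the same error three times. `install_recommends: False` is an apt-provider-only argument to `pkg.installed`, which suits this Debian-based template, but the reason from the commit message belongs in the file as well, e.g. `# apt only: skip Recommends such as ca-certificates-java, which broke the install`. The commit message says "requires block" where the state key is `require`.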
@@ -0,0 +1,28 @@
+import subprocess
+import unittest
+
+from base import SD_VM_Local_Test
+
+
+class SD_SVS_Disp_Tests(SD_VM_Local_Test):
+ def setUp(self):
+ self.vm_name = "sd-svs-disp"
+ super(SD_SVS_Disp_Tests, self).setUp()
+
+ def test_sd_svs_disp_config_package_installed(self):
+ pkg = "securedrop-workstation-svs-disp"
+ self.assertTrue(self._package_is_installed(pkg))
+
+ def test_sd_svs_disp_libreoffice_installed(self):
+ self.assertTrue(self._package_is_installed("libreoffice"))
+
+ def test_sd_svs_disp_paxctld_is_running(self):
+ cmd = ["qvm-run", "-p", "sd-svs-disp",
+ "/usr/sbin/service paxctld status"]
+ p = subprocess.check_output(cmd)
+ self.assertTrue("active (running)".encode() in p)
+
+
+def load_tests(loader, tests, pattern):
+ suite = unittest.TestLoader().loadTestsFromTestCase(SD_SVS_Disp_Tests)
+ return suite
From 39c5a46a43e70468dfaba5d7e78c34f8a7fce1bf Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Thu, 6 Jun 2019 10:31:12 -0700
Subject: [PATCH 4/5] Adds config test to check for running services

Used to determine whether paxctld is running inside the VMs. The most important is sd-svs-disp, since that's where we'll be installing libreoffice, and libreoffice requires pax flags to be set on java dependencies in order for the package to install successfully. Removes the previous implementation of a service check in favor of a more generalized approach. Overall, the config test suite should probably be reorganized.
---
 tests/test_svs_disp.py | 7 -------
 tests/test_vms_exist.py | 13 +++++++++++++
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/tests/test_svs_disp.py b/tests/test_svs_disp.py
index f8de23f4..fd8edbfe 100644
--- a/tests/test_svs_disp.py
+++ b/tests/test_svs_disp.py
@@ -1,4 +1,3 @@
-import subprocess
 import unittest
 from base import SD_VM_Local_Test
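Review bot: `test_sd_svs_disp_paxctld_is_running` uses `subprocess.check_output`, and `service paxctld status` typically exits non-zero when the unit is not running, so a stopped service surfaces as a `CalledProcessError` before the `"active (running)"` assertion is ever evaluated; the test then reports an error rather than a failure naming the service. The VM name is also hard-coded as `"sd-svs-disp"` even though `setUp` stores it in `self.vm_name`; `cmd = ["qvm-run", "-p", self.vm_name, "/usr/sbin/service paxctld status"]` keeps the two in sync. The following patch in this series replaces this method with a shared helper, so the exit-code point applies there as well.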
@@ -16,12 +15,6 @@ def test_sd_svs_disp_config_package_installed(self):
 def test_sd_svs_disp_libreoffice_installed(self):
 self.assertTrue(self._package_is_installed("libreoffice"))
- def test_sd_svs_disp_paxctld_is_running(self):
- cmd = ["qvm-run", "-p", "sd-svs-disp",
- "/usr/sbin/service paxctld status"]
- p = subprocess.check_output(cmd)
- self.assertTrue("active (running)".encode() in p)
-
 def load_tests(loader, tests, pattern):
 suite = unittest.TestLoader().loadTestsFromTestCase(SD_SVS_Disp_Tests)
diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py
index b246b712..0e8692c2 100644
--- a/tests/test_vms_exist.py
+++ b/tests/test_vms_exist.py
@@ -33,6 +33,16 @@ def _check_kernel(self, vm):
 assert kernel_version.endswith("-grsec")
 assert kernel_version == EXPECTED_KERNEL_VERSION
+ def _check_service_running(self, vm, service):
+ """
+ Ensures a given service is running inside a given VM.
+ Uses systemctl is-active to query the service state.
+ """
+ cmd = "systemctl is-active {}".format(service)
+ stdout, stderr = vm.run(cmd)
+ service_status = stdout.decode("utf-8").rstrip()
+ assert service_status == "active"
+
 def test_sd_whonix_config(self):
 vm = self.app.domains["sd-whonix"]
 nvm = vm.netvm
@@ -65,6 +75,7 @@ def test_sd_svs_config(self):
 self.assertFalse(vm.provides_network)
 self.assertFalse(vm.template_for_dispvms)
 self._check_kernel(vm)
+ self._check_service_running(vm, "paxctld")
 self.assertTrue('sd-workstation' in vm.tags)
 def test_sd_svs_disp_config(self):
@@ -75,6 +86,7 @@ def test_sd_svs_disp_config(self):
 self.assertFalse(vm.provides_network)
 self.assertTrue(vm.template_for_dispvms)
 self._check_kernel(vm)
+ self._check_service_running(vm, "paxctld")
 self.assertTrue('sd-workstation' in vm.tags)
 def test_sd_gpg_config(self):
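Review bot: In `_check_service_running`, `systemctl is-active` exits non-zero for any state other than `active`, and if `vm.run` behaves like qubesadmin's `QubesVM.run` (which raises `subprocess.CalledProcessError` on a non-zero exit) the `assert service_status == "active"` line is only reached when the check has already passed, so a stopped paxctld shows up as an unhandled exception with no message naming the service or VM. Catching that exception and calling `self.fail("{} is not active in {}".format(service, vm.name))` would give the callers in `test_sd_svs_config`, `test_sd_svs_disp_config` and `test_sd_workstation_template` a readable failure; the same point applies to each of those hunks. `service` is interpolated into a shell command string without quoting; all callers pass literals, and a docstring line saying the name must be a plain unit name would keep it that way. `test_sd_whonix_config` continues outside the hunk.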
@@ -97,6 +109,7 @@ def test_sd_workstation_template(self):
 self.assertTrue(vm.kernel == "")
 self.assertTrue('sd-workstation' in vm.tags)
 self._check_kernel(vm)
+ self._check_service_running(vm, "paxctld")
 def test_sd_proxy_template(self):
 vm = self.app.domains["sd-proxy-template"]
From 5b548ad188296e73fe9b706ea9c4820233125200 Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Thu, 6 Jun 2019 11:44:18 -0700
Subject: [PATCH 5/5] Ensures paxctld is running inside SDW VMs

Using Salt to force the service to run, so it's active immediately. More important for the child VMs is using the qvm-service calls to enable the service on boot of other, non-Template but Template-based VMs. Since we're now properly enforcing the paxctld service state in all VMs, removes the previous implementation specific to sd-svs-disp.
---
 dom0/sd-export.sls | 3 +++
 dom0/sd-svs-disp-files.sls | 7 -------
 dom0/sd-svs-disp.sls | 3 +++
 dom0/sd-svs.sls | 3 +++
 dom0/sd-workstation-template-files.sls | 10 ++++++++++
 dom0/sd-workstation-template.sls | 3 +++
 6 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/dom0/sd-export.sls b/dom0/sd-export.sls
index 36ff844e..73169aef 100644
--- a/dom0/sd-export.sls
+++ b/dom0/sd-export.sls
@@ -32,6 +32,9 @@ sd-export-usb-dvm:
 - tags:
 - add:
 - sd-workstation
+ - features:
+ - enable:
+ - service.paxctld
 - require:
 - qvm: sd-export-template
diff --git a/dom0/sd-svs-disp-files.sls b/dom0/sd-svs-disp-files.sls
index 7e9007ab..9d418cd4 100644
--- a/dom0/sd-svs-disp-files.sls
+++ b/dom0/sd-svs-disp-files.sls
@@ -20,11 +20,6 @@ sd-svs-disp-install-mimetype-handler-package:
 - require:
 - sls: fpf-apt-test-repo
-paxctld:
- service.running:
- - enable: True
- - reload: True
-
 sd-svs-disp-install-libreoffice:
 pkg.installed:
 - name: libreoffice
@@ -32,5 +27,3 @@ sd-svs-disp-install-libreoffice:
 attempts: 3
 interval: 60
 - install_recommends: False
- - require:
- - service: paxctld
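Review bot: Enabling `service.paxctld` under `features` on sd-export-usb-dvm only has an effect if the paxctld unit inside the VM is wired to Qubes' qubes-service mechanism (a `ConditionPathExists=/var/run/qubes-service/paxctld` drop-in or equivalent); the template state in sd-workstation-template-files.sls also sets `enable: True` on the unit, so without such a drop-in the service starts regardless and this feature is a no-op, and with one the feature becomes the only thing that starts it in AppVMs. Which of the two is the intended control should be confirmed and recorded next to the feature, e.g. `# qvm-service flag; only effective if paxctld.service carries the qubes-service drop-in`. The same addition appears in the sd-svs-disp.sls, sd-svs.sls and sd-workstation-template.sls hunks of this patch.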
diff --git a/dom0/sd-svs-disp.sls b/dom0/sd-svs-disp.sls
index 2f67cf5a..e8eecca9 100644
--- a/dom0/sd-svs-disp.sls
+++ b/dom0/sd-svs-disp.sls
@@ -36,5 +36,8 @@ sd-svs-disp:
 - add:
 - sd-workstation
 - sd-svs-disp-vm
+ - features:
+ - enable:
+ - service.paxctld
 - require:
 - qvm: sd-svs-disp-template
diff --git a/dom0/sd-svs.sls b/dom0/sd-svs.sls
index 364ad1cd..648a1f1a 100644
--- a/dom0/sd-svs.sls
+++ b/dom0/sd-svs.sls
@@ -34,6 +34,9 @@ sd-svs:
 - tags:
 - add:
 - sd-workstation
+ - features:
+ - enable:
+ - service.paxctld
 - require:
 - qvm: sd-svs-template
diff --git a/dom0/sd-workstation-template-files.sls b/dom0/sd-workstation-template-files.sls
index 20cd9a0d..70efef85 100644
--- a/dom0/sd-workstation-template-files.sls
+++ b/dom0/sd-workstation-template-files.sls
@@ -10,3 +10,13 @@ sd-workstation-template-install-kernel-config-packages:
 - securedrop-workstation-grsec
 - require:
 - sls: fpf-apt-test-repo
+
+# Ensure that paxctld starts immediately. For AppVMs,
+# use qvm.features.enabled = ["paxctld"] to ensure service start.
+sd-workstation-template-enable-paxctld:
+ service.running:
+ - name: paxctld
+ - enable: True
+ - reload: True
+ - require:
+ - pkg: sd-workstation-template-install-kernel-config-packages
diff --git a/dom0/sd-workstation-template.sls b/dom0/sd-workstation-template.sls
index 59b373d5..16a14fdf 100644
--- a/dom0/sd-workstation-template.sls
+++ b/dom0/sd-workstation-template.sls
@@ -14,5 +14,8 @@ sd-workstation-template:
 - tags:
 - add:
 - sd-workstation
+ - features:
+ - enable:
+ - service.paxctld
 - require:
 - pkg: dom0-install-securedrop-workstation-template
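Review bot: This patch removes `- require: - service: paxctld` from the libreoffice install in sd-svs-disp-files.sls, yet the `service.paxctld` feature is enabled here on sd-svs-disp (and on sd-svs, sd-export-usb-dvm and sd-workstation-template) but not on `sd-svs-disp-template`, which is presumably where that install runs. If paxctld honours the qubes-service flag, it would then not be running during the libreoffice install in that template, which is exactly the case the earlier require guarded against. Either add the same `features` block to the `sd-svs-disp-template` state, or keep an in-template `service.running` for paxctld with a `require` on it in sd-svs-disp-files.sls.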
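Review bot: The comment above `sd-workstation-template-enable-paxctld` tells AppVM states to `use qvm.features.enabled = ["paxctld"]`, but the sibling states in this patch use `- features: - enable: - service.paxctld`, so the comment names a key that does not appear anywhere in the series. It should match what is actually used, e.g. `# For AppVMs, enable the qvm-service via features: enable: service.paxctld`. The `require` on `pkg: sd-workstation-template-install-kernel-config-packages` supplies the ordering the earlier sd-svs-disp version of this state lacked.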