Raises main stack gap 64KB -> 1MB via sysctl

We're already setting this value via the `securedrop-grsec` metapackage,
as described in #1861 and implemented in the grsec repo [0]. Let's also
ensure it at install time by setting it directly along with the other
sysctl options.

Included a config test so that test suite will fail if the sysctl
doesn't stick during CI or local development.

[0] freedomofpress/ansible-role-grsecurity#100

install_files/ansible-base/roles/grsecurity/defaults/main.yml

@@ -6,4 +6,8 @@ grsec_sysctl_flags:
     # rest will not be applied
   - name: "kernel.grsecurity.grsec_lock"
     value: "1"
-
+    # Stack clash mitigation, increasing main stack gap to 1MB.
+    # Storing as part of grsecurity vars, because sysctl option won't
+    # exist otherwise.
+  - name: "vm.heap_stack_gap"
+    value: "1048576"

testinfra/common/test_grsecurity.py

@@ -28,6 +28,23 @@ def test_grsecurity_apt_packages(Package, package):
     assert Package(package).is_installed
 
 
+@pytest.mark.skipif(os.environ.get('FPF_GRSEC','true') == "false",
+                    reason="Need to skip in environment w/o grsec")
+@pytest.mark.parametrize('sysctl_opt', [
+  ('kernel.grsecurity.rwxmap_logging', 0)
+  ('kernel.grsecurity.grsec_lock', 1)
+  ('vm.heap_stack_gap', 1048576),
+])
+def test_grsecurity_sysctl_options(Sysctl, Sudo, sysctl_opt):
+    """
+    Ensure grsecurity-specific sysctl flags are set correctly.
+    Separate from the other sysctl checks, because these options
+    won't exist on a non-grsec kernel (e.g. in CI).
+    """
+    with Sudo():
+        assert Sysctl(sysctl_opt[0]) == sysctl_opt[1]
+
+
 @pytest.mark.skipif(os.environ.get('FPF_GRSEC','true') == "false",
                     reason="Need to skip in environment w/o grsec")
 @pytest.mark.parametrize("package", [