From 3e72b6578dd0c1479989a5364d7a0f1279ec3b5a Mon Sep 17 00:00:00 2001
From: Conor Schaefer <conor@freedom.press>
Date: Thu, 22 Jun 2017 11:33:49 -0700
Subject: [PATCH] Raises main stack gap 64KB -> 1MB via sysctl

We're already setting this value via the `securedrop-grsec` metapackage,
as described in #1861 and implemented in the grsec repo [0]. Let's also
ensure it at install time by setting it directly along with the other
sysctl options.

Included a config test so that test suite will fail if the sysctl
doesn't stick during CI or local development.

[0] https://github.com/freedomofpress/ansible-role-grsecurity/pull/100
---
 .../roles/grsecurity/defaults/main.yml          |  6 +++++-
 testinfra/common/test_grsecurity.py             | 17 +++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/install_files/ansible-base/roles/grsecurity/defaults/main.yml b/install_files/ansible-base/roles/grsecurity/defaults/main.yml
index dece2f33b03..4d245bdcffb 100644
--- a/install_files/ansible-base/roles/grsecurity/defaults/main.yml
+++ b/install_files/ansible-base/roles/grsecurity/defaults/main.yml
@@ -6,4 +6,8 @@ grsec_sysctl_flags:
     # rest will not be applied
   - name: "kernel.grsecurity.grsec_lock"
     value: "1"
-
+    # Stack clash mitigation, increasing main stack gap to 1MB.
+    # Storing as part of grsecurity vars, because sysctl option won't
+    # exist otherwise.
+  - name: "vm.heap_stack_gap"
+    value: "1048576"
diff --git a/testinfra/common/test_grsecurity.py b/testinfra/common/test_grsecurity.py
index f983c2b156c..110a39133c9 100644
--- a/testinfra/common/test_grsecurity.py
+++ b/testinfra/common/test_grsecurity.py
@@ -28,6 +28,23 @@ def test_grsecurity_apt_packages(Package, package):
     assert Package(package).is_installed
 
 
+@pytest.mark.skipif(os.environ.get('FPF_GRSEC','true') == "false",
+                    reason="Need to skip in environment w/o grsec")
+@pytest.mark.parametrize('sysctl_opt', [
+  ('kernel.grsecurity.rwxmap_logging', 0)
+  ('kernel.grsecurity.grsec_lock', 1)
+  ('vm.heap_stack_gap', 1048576),
+])
+def test_grsecurity_sysctl_options(Sysctl, Sudo, sysctl_opt):
+    """
+    Ensure grsecurity-specific sysctl flags are set correctly.
+    Separate from the other sysctl checks, because these options
+    won't exist on a non-grsec kernel (e.g. in CI).
+    """
+    with Sudo():
+        assert Sysctl(sysctl_opt[0]) == sysctl_opt[1]
+
+
 @pytest.mark.skipif(os.environ.get('FPF_GRSEC','true') == "false",
                     reason="Need to skip in environment w/o grsec")
 @pytest.mark.parametrize("package", [