Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Raises main stack gap 64KB -> 1MB via sysctl #1873

Merged
merged 1 commit into from
Jun 26, 2017
Merged

Raises main stack gap 64KB -> 1MB via sysctl #1873

merged 1 commit into from
Jun 26, 2017

Conversation

conorsch
Copy link
Contributor

@conorsch conorsch commented Jun 22, 2017
edited
Loading

Status

Ready for review.

Description of Changes

We're already setting this value via the securedrop-grsec metapackage, as described in #1861 and implemented in the grsec repo [0]. Let's also ensure it at install time by setting it directly along with the other
sysctl options.

Included a config test so that test suite will fail if the sysctl doesn't stick during CI or local development.

[0] freedomofpress/ansible-role-grsecurity#100

Fixes #1861.

Testing

CI it not sufficient here, since the CI hosts don't use grsecurity-patched kernels. Run through the provisioning with staging VMs, and confirm manually that sudo sysctl vm.heap_stack_gap shows 1048576.

Deployment

We already posted the new kernel packages in the apt repo, and the sysctl setting is set in the securedrop-grsec metapackage, so we're good to go for deployed instances. Adding the setting within Ansible is simply to guard against regressions, and also allows us to clean up the metapackage in the future.

Checklist

If you made changes to the app code:

  • Unit and functional tests pass on the development VM

If you made changes to the system configuration:

If you made changes to documentation:

  • Doc linting passed locally

@conorsch conorsch force-pushed the adjust-stack-gap-via-sysctl-for-stack-clash branch 3 times, most recently from 3e72b65 to e4698c5 Compare June 23, 2017 00:01
Raises main stack gap 64KB -> 1MB via sysctl
3005138 
We're already setting this value via the `securedrop-grsec` metapackage,
as described in #1861 and implemented in the grsec repo [0]. Let's also
ensure it at install time by setting it directly along with the other
sysctl options.

Included a config test so that test suite will fail if the sysctl
doesn't stick during CI or local development.

[0] freedomofpress/ansible-role-grsecurity#100
@conorsch conorsch force-pushed the adjust-stack-gap-via-sysctl-for-stack-clash branch from e4698c5 to 3005138 Compare June 23, 2017 19:00
@conorsch
Copy link
Contributor Author

Rebased on top of latest develop to incorporate #1875, which should resolve the Travis failures.

@conorsch conorsch requested a review from msheiny June 23, 2017 19:05
redshiftzero
redshiftzero approved these changes Jun 26, 2017
View reviewed changes
Copy link
Contributor

@redshiftzero redshiftzero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Provisioned staging locally and confirmed the heap/stack gap is 1048576 as expected. 👍 to merge

@psivesely psivesely merged commit afb7db9 into develop Jun 26, 2017
@psivesely psivesely deleted the adjust-stack-gap-via-sysctl-for-stack-clash branch June 26, 2017 19:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@redshiftzero redshiftzero redshiftzero approved these changes

@psivesely psivesely psivesely approved these changes

@msheiny msheiny Awaiting requested review from msheiny

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@conorsch @psivesely @redshiftzero