Merge pull request #7324 from freedomofpress/stg-less-sysctl

Drop setting vm.heap_stack_gap and net.ipv4 sysctl flags
freedomofpress · Nov 21, 2024 · 0517e37 · 0517e37
2 parents 6a875bc + 37f1827
commit 0517e37
Show file tree

Hide file tree

Showing 6 changed files with 3 additions and 51 deletions.
diff --git a/install_files/ansible-base/roles/common/defaults/main.yml b/install_files/ansible-base/roles/common/defaults/main.yml
@@ -5,36 +5,6 @@ disabled_kernel_modules:
   - iwlmvm
   - iwlwifi
 
-sysctl_flags:
-  - name: "net.ipv4.tcp_max_syn_backlog"
-    value: "4096"
-  - name: "net.ipv4.tcp_syncookies"
-    value: "1"
-  - name: "net.ipv4.conf.all.rp_filter"
-    value: "1"
-  - name: "net.ipv4.conf.all.accept_source_route"
-    value: "0"
-  - name: "net.ipv4.conf.all.accept_redirects"
-    value: "0"
-  - name: "net.ipv4.conf.all.secure_redirects"
-    value: "0"
-  - name: "net.ipv4.conf.default.rp_filter"
-    value: "1"
-  - name: "net.ipv4.conf.default.accept_source_route"
-    value: "0"
-  - name: "net.ipv4.conf.default.accept_redirects"
-    value: "0"
-  - name: "net.ipv4.conf.default.secure_redirects"
-    value: "0"
-  - name: "net.ipv4.icmp_echo_ignore_broadcasts"
-    value: "1"
-  - name: "net.ipv4.ip_forward"
-    value: "0"
-  - name: "net.ipv4.conf.all.send_redirects"
-    value: "0"
-  - name: "net.ipv4.conf.default.send_redirects"
-    value: "0"
-
 unused_packages:
   - libiw30
   - wireless-tools

diff --git a/install_files/ansible-base/roles/common/tasks/main.yml b/install_files/ansible-base/roles/common/tasks/main.yml
@@ -22,8 +22,6 @@
 
 - include_tasks: remove_unused_packages.yml
 
-- include_tasks: sysctl.yml
-
 - include_tasks: disable_swap.yml
 
 - include_tasks: remove_kernel_modules.yml
diff --git a/install_files/ansible-base/roles/common/tasks/sysctl.yml b/install_files/ansible-base/roles/common/tasks/sysctl.yml
diff --git a/install_files/ansible-base/roles/grsecurity/defaults/main.yml b/install_files/ansible-base/roles/grsecurity/defaults/main.yml
@@ -6,8 +6,3 @@ grsec_sysctl_flags:
     # rest will not be applied
   - name: "kernel.grsecurity.grsec_lock"
     value: "1"
-    # Stack clash mitigation, increasing main stack gap to 1MB.
-    # Storing as part of grsecurity vars, because sysctl option won't
-    # exist otherwise.
-  - name: "vm.heap_stack_gap"
-    value: "1048576"
diff --git a/molecule/testinfra/common/test_grsecurity.py b/molecule/testinfra/common/test_grsecurity.py
@@ -82,6 +82,7 @@ def test_grsecurity_kernel_is_running(host):
     [
         ("kernel.grsecurity.grsec_lock", 1),
         ("kernel.grsecurity.rwxmap_logging", 0),
+        # set via securedrop-grsec (in kernel-builder)
         ("vm.heap_stack_gap", 1048576),
     ],
 )

diff --git a/molecule/testinfra/common/test_system_hardening.py b/molecule/testinfra/common/test_system_hardening.py
@@ -31,6 +31,8 @@ def test_sysctl_options(host, sysctl_opt):
     """
     Ensure sysctl flags are set correctly. Most of these checks
     are hardening IPv4, which is appropriate due to the heavy use of Tor.
+
+    These are all set via securedrop-grsec (in kernel-builder).
     """
     with host.sudo():
         assert host.sysctl(sysctl_opt[0]) == sysctl_opt[1]