Drop setting vm.heap_stack_gap and net.ipv4 sysctl flags

These are now set via the securedrop-grsec metapackage (see
<freedomofpress/kernel-builder#55>).

Refs #7323.

install_files/ansible-base/roles/common/defaults/main.yml

@@ -5,36 +5,6 @@ disabled_kernel_modules:
   - iwlmvm
   - iwlwifi
 
-sysctl_flags:
-  - name: "net.ipv4.tcp_max_syn_backlog"
-    value: "4096"
-  - name: "net.ipv4.tcp_syncookies"
-    value: "1"
-  - name: "net.ipv4.conf.all.rp_filter"
-    value: "1"
-  - name: "net.ipv4.conf.all.accept_source_route"
-    value: "0"
-  - name: "net.ipv4.conf.all.accept_redirects"
-    value: "0"
-  - name: "net.ipv4.conf.all.secure_redirects"
-    value: "0"
-  - name: "net.ipv4.conf.default.rp_filter"
-    value: "1"
-  - name: "net.ipv4.conf.default.accept_source_route"
-    value: "0"
-  - name: "net.ipv4.conf.default.accept_redirects"
-    value: "0"
-  - name: "net.ipv4.conf.default.secure_redirects"
-    value: "0"
-  - name: "net.ipv4.icmp_echo_ignore_broadcasts"
-    value: "1"
-  - name: "net.ipv4.ip_forward"
-    value: "0"
-  - name: "net.ipv4.conf.all.send_redirects"
-    value: "0"
-  - name: "net.ipv4.conf.default.send_redirects"
-    value: "0"
-
 unused_packages:
   - libiw30
   - wireless-tools

install_files/ansible-base/roles/common/tasks/main.yml

@@ -22,8 +22,6 @@
 
 - include_tasks: remove_unused_packages.yml
 
-- include_tasks: sysctl.yml
-
 - include_tasks: disable_swap.yml
 
 - include_tasks: remove_kernel_modules.yml

install_files/ansible-base/roles/grsecurity/defaults/main.yml

@@ -6,8 +6,3 @@ grsec_sysctl_flags:
     # rest will not be applied
   - name: "kernel.grsecurity.grsec_lock"
     value: "1"
-    # Stack clash mitigation, increasing main stack gap to 1MB.
-    # Storing as part of grsecurity vars, because sysctl option won't
-    # exist otherwise.
-  - name: "vm.heap_stack_gap"
-    value: "1048576"

molecule/testinfra/common/test_grsecurity.py

@@ -81,7 +81,6 @@ def test_grsecurity_kernel_is_running(host):
     [
         ("kernel.grsecurity.grsec_lock", 1),
         ("kernel.grsecurity.rwxmap_logging", 0),
-        ("vm.heap_stack_gap", 1048576),
     ],
 )
 def test_grsecurity_sysctl_options(host, sysctl_opt):

molecule/testinfra/common/test_system_hardening.py

@@ -7,34 +7,6 @@
 testinfra_hosts = [sdvars.app_hostname, sdvars.monitor_hostname]
 
 
-@pytest.mark.parametrize(
-    "sysctl_opt",
-    [
-        ("net.ipv4.conf.all.accept_redirects", 0),
-        ("net.ipv4.conf.all.accept_source_route", 0),
-        ("net.ipv4.conf.all.rp_filter", 1),
-        ("net.ipv4.conf.all.secure_redirects", 0),
-        ("net.ipv4.conf.all.send_redirects", 0),
-        ("net.ipv4.conf.default.accept_redirects", 0),
-        ("net.ipv4.conf.default.accept_source_route", 0),
-        ("net.ipv4.conf.default.rp_filter", 1),
-        ("net.ipv4.conf.default.secure_redirects", 0),
-        ("net.ipv4.conf.default.send_redirects", 0),
-        ("net.ipv4.icmp_echo_ignore_broadcasts", 1),
-        ("net.ipv4.ip_forward", 0),
-        ("net.ipv4.tcp_max_syn_backlog", 4096),
-        ("net.ipv4.tcp_syncookies", 1),
-    ],
-)
-def test_sysctl_options(host, sysctl_opt):
-    """
-    Ensure sysctl flags are set correctly. Most of these checks
-    are hardening IPv4, which is appropriate due to the heavy use of Tor.
-    """
-    with host.sudo():
-        assert host.sysctl(sysctl_opt[0]) == sysctl_opt[1]
-
-
 def test_dns_setting(host):
     """
     Ensure DNS service is hard-coded in resolv.conf config.