Use paxctld to manage all PaX flags in Ubuntu Focal

[emkll]

Description

Initially raised during review of #4114, we should consolidate the PaX flag management logic. We are using both paxctl and paxctld for management of PaX flags, it would be best to maintain a single paxctld.conf file with all flags. It will also simplify some of the install logic, and allow us to more consistenly apply these flags to binaries and persist reboots (as an added feature, it might also help address #3916).

We could also evaluate and reuse what was done as part of the SecureDrop Workstation as an example: https://github.com/freedomofpress/securedrop-debian-packaging/tree/master/securedrop-workstation-svs-disp

UPDATE 2020-11-16

The following based on a conversation with @conorsch, as part of the current sprint commitments:

The paxctl header formats/commands are different in Focal from Xenial, and as a result, some existing paxctl logic from Xenial will not work in Focal. Specifically, updates to the flags for grub binaries (grub-probe, grub-mkdevicemap, grub-script-check) will not work in Focal under the current logic[1]. If grub is updated, PaX flags won't be applied, leading to cascading failures (grub update will fail, kernel update will fail, packages may be held back/broken)

Based on our conversation, we went through various approaches and decided on the following:

1. Fork securedrop-grsec for Focal only (and leave the existing version for Xenial unchanged, because it works and we aren't supporting Xenial for much longer)
2. Add paxctld to the Requires field in the Control file. Since we are installing from scratch on Focal, it's a good opportunity to add, but also make 1. easier.
3. Add a securedrop-managed paxctld.conf file to the Focal-specific metapackage, to configure the pax flags as we would expect them.
4. Remove kernel postinst file from the metapackage, since use of paxctld makes use of paxctl moot

User Stories

As a SecureDrop administrator or developer, I would like to manage all PaX flags in a single place and would like to consistently apply them across the system.

[1] https://github.com/freedomofpress/securedrop/blob/develop/install_files/securedrop-grsec/etc/kernel/postinst.d/paxctl-grub

[conorsch]

Fork securedrop-grsec for Focal only

I created a separate issue to track: #5690. In terms of paxctld support, we'll reuse the logic from https://github.com/freedomofpress/securedrop-debian-packaging/tree/cee267e7dfebd9553cdf4b02ecbe54783049121c/securedrop-workstation-grsec/debian for the most part.

Using paxctld for Focal also means that most of the Ansible tasks in this file should be skipped, by marking them Xenial-only:

securedrop/install_files/ansible-base/roles/grsecurity/tasks/from_fpf_repo_install_grsec.yml

Lines 40 to 87 in 0454478

	- name: Get grsec kernel string from grub config.
	shell: grep menuentry /boot/grub/grub.cfg | grep grsec | grep -v recovery | head -1 | cut -d "'" -f2
	# Read-only task for
	changed_when: false
	register: grsec_str
	tags:
	- grsec
	- kernel
	- hardening
	- name: Check initial default grub entry for next boot.
	stat:
	path: /boot/grub/grubenv
	register: grubenv_check_initial_result
	tags:
	- grsec
	- grub
	- hardening
	- kernel
	- name: Set grsec kernel as default for next boot.
	command: grub-reboot "Advanced options for Ubuntu>{{ grsec_str.stdout }}"
	# The grub-reboot command writes to /boot/grub/grubenv,
	# so "changed" status can only be determined by comparing
	# checksums on that file. We'll do so in the subsequent task.
	changed_when: false
	tags:
	- grsec
	- grub
	- hardening
	- kernel
	# Kludge to detect changes accurately from the `grub-reboot` command
	# in the previous task. We're just comparing checksums on the
	# /boot/grub/grubenv file before and after the command, since that's
	# where `grub-reboot` writes its changes. Hopefully a future version
	# of Ansible will provide an `args: changes:` parameter to command calls.
	- name: Check customized default grub entry for next boot.
	stat:
	path: /boot/grub/grubenv
	register: grubenv_check_configured_result
	changed_when: grubenv_check_initial_result.stat.checksum !=
	grubenv_check_configured_result.stat.checksum
	tags:
	- grsec
	- grub
	- hardening
	- kernel