[xenial] Manages PaX flags on Apache under Xenial

[conorsch]

Status

Ready for review.

Description of Changes

Fixes #4110.

Changes proposed in this pull request:

Installs paxctld from distro repos under Xenial, edits the config in
place, and bounces the service. Using paxctld rather than paxctl to
ensure that flags are restored after security updates to the apache2
package via apt, which may occur outside the scope of SecureDrop
updates.

Includes changes to PaX flag management against Firefox (used for
testing) because paxctld ships with suitable flags for firefox already,
via the upstream config. Therefore we can stick to paxctl for Trusty,
but leverage paxctld under Xenial. Reminder that we plan to axe
the entire app-test role once we have external browser testing
working.

Testing

1. make build-debs-xenial
2. make staging-xenial
3. Make a test submission, with both a text and file upload component.
4. Confirm submission successful.

Deployment

Quite necessary for Xenial compatibility.

Checklist

If you made changes to the server application code:

• Linting (make ci-lint) and tests (make -C securedrop test) pass in the development container

If you made changes to securedrop-admin:

• Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

• Configuration tests pass

If you made non-trivial code changes:

• I have written a test plan and validated it for this PR

If you made changes to documentation:

• Doc linting (make docs-lint) passed locally

[conorsch]

Reminder that the new flag enforcement logic is not present on apt-test; once this PR is approved and merged, we can build and push to facilitate upgrade testing.

[zenmonkeykstop]

Tested on staging VMs as per plan, file uploads no longer generate the memprotect or temporaryfile errors (did see some larger file uploads fail but that's a known and unrelated issue)

Also removed and reinstalled apache2 on app-staging (as a naive way to test if pax flags are applied on new apache2 binary):

apt-get remove securedrop-app-code
apt-get remove apache2
apt-get install apache2
dpkg -i ~/securedrop-app-code_0.12.0~rc1+xenial_amd64.deb 

File uploads continue to work afterwards.

[emkll]

Local testing following the test plan looks good to me:

• make build-debs-xenial
• make staging-xenial
• Make a test submission, with both a text and file upload component.
• Confirm submission successful.

Furthermore, I can confirm that:

• paxctld systemd service is running (and restarts on reboot)
• all infra tests pass (since only trusty infra tests are run in ci)

As noted in the PR message, once this is merged we should rebuild packages and test the trusty->xenial upgrade scenario to ensure paxctld is installed when ./securedrop-admin install is invoked post-xenial-upgrade.
A couple of minor comments, which shouldn't block merge but might be worth exploring for maintainability:

1. We are using paxctl elsewhere to handle PaX flags for grub binaries (https://github.com/freedomofpress/securedrop/blob/develop/install_files/ansible-base/roles/grsecurity/tasks/paxctl.yml). Would it make sense to open a ticket to consolidate the PaX flag management?

2. paxctld by default installs a 97-line config file that sets PaX flags for binaries that either do not exist or do not require it. Would it be less risky for us to manage the paxctld.conf file, instead of relying on the default provided config and appending via postinst? (perhaps similar to what was done in the workstation context?: https://github.com/freedomofpress/securedrop-debian-packaging/tree/master/securedrop-workstation-svs-disp).

[emkll]

Noting that paxctld is in the universe channel for xenial, but not in the security channel: https://packages.ubuntu.com/xenial/paxctld . Since the cron-apt logic uses only security as the source list (https://github.com/freedomofpress/securedrop/blob/develop/install_files/ansible-base/roles/common/files/5-security), the paxctld dependency will not be resolved if the package is upgraded via the unattended apt upgrades.

In the current upgrade scenario this should work work, since the first version of the xenial package will be installed via ./securedrop-admin install, once the app server has been upgraded to Xenial.

[kushaldas]

• make build-debs-xenial
• make staging-xenial
• Make a test submission, with both a text and file upload component.
• Confirm submission successful.