Disables IPv6 via cmdline option for Focal

Adds a Focal-only cmdline option for the boot to disable IPv6 functionality completely. Adds a config test to ensure no IPv6 addresses are assigned. Since the IPv6 stack is disabled at boot time, the associated sysctl tasks won't exist. Therefore we'll add those only on Xenial. This is the type of config that could be moved into a metapackage.
freedomofpress · Feb 23, 2021 · 00568de · 00568de
1 parent 9969993
commit 00568de
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 2 deletions.
diff --git a/install_files/ansible-base/roles/common/defaults/main.yml b/install_files/ansible-base/roles/common/defaults/main.yml
@@ -38,6 +38,9 @@ sysctl_flags:
     value: "0"
   - name: "net.ipv4.conf.default.send_redirects"
     value: "0"
+
+# Store IPv6-related sysctl flags separately, for distro-specific handling
+sysctl_flags_ipv6:
   - name: "net.ipv6.conf.all.disable_ipv6"
     value: "1"
   - name: "net.ipv6.conf.default.disable_ipv6"

diff --git a/install_files/ansible-base/roles/common/tasks/sysctl.yml b/install_files/ansible-base/roles/common/tasks/sysctl.yml
@@ -12,3 +12,16 @@
   tags:
     - sysctl
     - hardening
+
+- name: Set sysctl flags for net.ipv6 config.
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    sysctl_set: yes
+    state: present
+    reload: yes
+  with_items: "{{ sysctl_flags_ipv6 }}"
+  when: ansible_distribution_release == "xenial"
+  tags:
+    - sysctl
+    - hardening
diff --git a/install_files/securedrop-grsec-focal/DEBIAN/postinst.j2 b/install_files/securedrop-grsec-focal/DEBIAN/postinst.j2
@@ -28,7 +28,7 @@ set_grub_default() {
     # When using CONFIG_PAX_KERNEXEC, the grsecurity team recommends the kernel
     # is booted with "noefi" on the kernel command line if "CONFIG_EFI" is
     # enabled, as EFI runtime services are necessarily mapped as RWX.
-    sed -i '/^GRUB_CMDLINE_LINUX_DEFAULT=/s/=.*/=\"noefi\"/' /etc/default/grub
+    perl -pi -e 's|^GRUB_CMDLINE_LINUX_DEFAULT=|GRUB_CMDLINE_LINUX_DEFAULT="noefi ipv6.disable=1"|' /etc/default/grub
     update-grub
 }
 

diff --git a/molecule/testinfra/common/test_grsecurity.py b/molecule/testinfra/common/test_grsecurity.py
@@ -277,3 +277,15 @@ def test_mds_mitigations_and_smt_disabled(host):
         grub_config = host.file(grub_config_path)
 
         assert grub_config.contains("mds=full,nosmt")
+
+
+def test_kernel_boot_options(host):
+    """
+    Ensure command-line options for currently booted kernel are set.
+    """
+    with host.sudo():
+        f = host.file("/proc/cmdline")
+        boot_opts = f.content_string.split()
+    assert "noefi" in boot_opts
+    if host.system_info.codename == "focal":
+        assert "ipv6.disable=1" in boot_opts
diff --git a/molecule/testinfra/common/test_ip6tables.py b/molecule/testinfra/common/test_ip6tables.py
@@ -4,11 +4,15 @@
 testinfra_hosts = [test_vars.app_hostname, test_vars.monitor_hostname]
 
 
-def test_ip6tables_drop_everything(host):
+def test_ip6tables_drop_everything_xenial(host):
     """
     Ensure that all IPv6 packets are dropped by default.
     The IPv4 rules are more complicated, and tested separately.
+    This test is Xenial-specific, given that on Focal we disable
+    IPv6 functionality completely.
     """
+    if host.system_info.codename != "xenial":
+        return True
     desired_ip6tables_output = """
 -P INPUT DROP
 -P FORWARD DROP
@@ -18,3 +22,26 @@ def test_ip6tables_drop_everything(host):
     with host.sudo():
         c = host.check_output("ip6tables -S")
         assert c == desired_ip6tables_output
+
+
+def test_ip6tables_drop_everything_focal(host):
+    """
+    Ensures that IPv6 firewall settings are inaccessible,
+    due to fully disabling IPv6 functionality at boot-time,
+    via boot options.
+    """
+    if host.system_info.codename != "focal":
+        return True
+    with host.sudo():
+        c = host.run("ip6tables -S")
+        assert c.rc != 0
+        assert c.stdout == ""
+
+
+def test_ipv6_addresses_absent(host):
+    """
+    Ensure that no IPv6 addresses are assigned to interfaces.
+    """
+    with host.sudo():
+        c = host.check_output("ip -6 addr")
+        assert c == ""
diff --git a/molecule/testinfra/common/test_system_hardening.py b/molecule/testinfra/common/test_system_hardening.py
@@ -33,6 +33,9 @@ def test_sysctl_options(host, sysctl_opt):
     due to the heavy use of Tor.
     """
     with host.sudo():
+        # For Focal, we disable IPv6 entirely, so the IPv6 sysctl options won't exist
+        if sysctl_opt[0].startswith("net.ipv6") and host.system_info.codename == "focal":
+            return True
         assert host.sysctl(sysctl_opt[0]) == sysctl_opt[1]