From ee519c8aa34e44ca0ea685d36d22e0f044621db5 Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Fri, 1 Nov 2024 17:06:08 -0400
Subject: [PATCH] Set net.ipv4 sysctl flags via server metapackage

Instead of setting these via ansible, let's ship them in this package so it's easier to tweak them in the future without needing future ansible runs.

A postinst snippet removes the values from /etc/sysctld.conf; it's okay if they're temporarily duplicated since they'll have the same values.

Refs .
---
 debian/securedrop-grsec/DEBIAN/postinst | 9 +++++++++
 .../etc/sysctl.d/30-securedrop.conf | 15 +++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/debian/securedrop-grsec/DEBIAN/postinst b/debian/securedrop-grsec/DEBIAN/postinst
index c1d5297..bc1045e 100755
--- a/debian/securedrop-grsec/DEBIAN/postinst
+++ b/debian/securedrop-grsec/DEBIAN/postinst
@@ -42,12 +42,21 @@ start_paxctld() {
 sleep 1
 }
 
+cleanup_sysctld() {
+ # Remove settings previously set by ansible that are now set via
+ # our sysctl.d/30-securedrop.conf file
+ sed -i '/^vm\.heap_stack_gap/d' /etc/sysctld.conf
+ sed -i '/^net\.ipv4\./d' /etc/sysctld.conf
+}
+
 case "$1" in
 configure)
 # Configure paxctld, required before update-grub runs
 start_paxctld
 # Ensure latest grsec kernel is used on every boot.
 set_grub_default
+ # Remove sysctld configuration
+ cleanup_sysctld
 ;;
 
 abort-upgrade|abort-remove|abort-deconfigure)
diff --git a/debian/securedrop-grsec/etc/sysctl.d/30-securedrop.conf b/debian/securedrop-grsec/etc/sysctl.d/30-securedrop.conf
index 05d116c..09e5a3e 100644
--- a/debian/securedrop-grsec/etc/sysctl.d/30-securedrop.conf
+++ b/debian/securedrop-grsec/etc/sysctl.d/30-securedrop.conf
@@ -1 +1,16 @@
 vm.heap_stack_gap=1048576
+
+net.ipv4.tcp_max_syn_backlog = 4096
+net.ipv4.tcp_syncookies = 1
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.ip_forward = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
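Review bot: cleanup_sysctld runs `sed -i` against /etc/sysctld.conf without first checking that the file exists, so on a host where ansible never wrote it (or where it was removed after an earlier cleanup) sed exits non-zero; if the script's preamble, which lies outside this hunk, uses `set -e` as Debian maintainer scripts usually do, that would abort the configure step. A one-line guard at the top of the function keeps the step idempotent: `[ -f /etc/sysctld.conf ] || return 0`. Separately, `/^net\.ipv4\./d` deletes every net.ipv4 line in that file, not only the keys that 30-securedrop.conf now carries, so any other net.ipv4 setting still managed there would be silently dropped; either restrict the pattern to the moved keys or add a comment stating that the whole net.ipv4 namespace is intentionally taken over by the package. The case statement continues past the end of the hunk.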
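Review bot: The new entries use `key = value` while the existing first line keeps `key=value`; sysctl accepts both, but the file should follow one form, and a short header would tell the next maintainer where these values came from, e.g. `# Network hardening previously applied by ansible; now owned by the securedrop-grsec package.`. Nothing in the postinst hunk of this patch reloads sysctl, so the new file is presumably only read at the next boot or `sysctl --system`; that is harmless while the ansible-set values are identical, as the commit message states, but worth noting in the header so a later tuning of these values is not assumed to take effect on package upgrade.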