Run apache2 under jemalloc

jemalloc ends up resolving the memory fragmentation issues we've seen
under APIv2 with the default glibc allocator.

It should be relatively safe to swap in given how battle tested jemalloc
is by much larger corporate users.

See <freedomofpress/securedrop-client#3234 (comment)>
and following comments.

Fixes #7817.

Author: legoktm

securedrop/debian/app-code/etc/apparmor.d/usr.sbin.apache2

@@ -92,6 +92,7 @@
   /run/shm rw,
   /sbin/ldconfig rix,
   /sbin/ldconfig.real rix,
+  /sys/kernel/mm/transparent_hugepage/enabled r,
   /tmp/** rwm,
   /usr/bin/ r,
   /usr/bin/dash rix,

securedrop/debian/app-code/lib/systemd/system/apache2.service.d/jemalloc.conf

@@ -0,0 +1,2 @@
+[Service]
+Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2

securedrop/debian/control

@@ -10,7 +10,7 @@ Package: securedrop-app-code
 Architecture: amd64
 Conflicts: libapache2-mod-wsgi, supervisor
 Replaces: libapache2-mod-wsgi, supervisor
-Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, ${apparmor:Depends}, apache2, apparmor-utils, coreutils, gnupg2, libapache2-mod-xsendfile, paxctld, python3, redis-server, securedrop-config, securedrop-keyring, sqlite3
+Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, ${apparmor:Depends}, apache2, apparmor-utils, coreutils, gnupg2, libapache2-mod-xsendfile, libjemalloc2, paxctld, python3, redis-server, securedrop-config, securedrop-keyring, sqlite3
 Description: SecureDrop application code, dependencies, Apache configuration, systemd services, and AppArmor profiles. This package will put the AppArmor profiles in enforce mode.
 
 Package: securedrop-config