wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-06-05 22:54:01 +02:00
Code Issues Projects Releases Wiki Activity

ensure that apparmor is supported by the kernel #215

Browse source
This commit is contained in:
Jack Ivanov 2017-01-16 00:17:47 +03:00
parent 1681b98eb2
commit 2798f84d3f
5 changed files with 15 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.travis.yml
View file

@ -45,4 +45,4 @@ install:
script:
- ansible-playbook deploy.yml --syntax-check
- ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y" --skip-tags apparmor
- ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"

9
roles/common/tasks/main.yml
View file

@ -94,3 +94,12 @@
sysctl: name=net.ipv6.conf.all.forwarding value=1
tags:
- always
- name: Check apparmor support
shell: apparmor_status
ignore_errors: yes
register: apparmor_status
- set_fact:
apparmor_enabled: true
when: '"profiles are in enforce mode" in apparmor_status.stdout'

2
roles/dns_adblocking/tasks/main.yml
View file

@ -6,6 +6,7 @@
- name: Dnsmasq profile for apparmor configured
template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600
when: apparmor_enabled is defined and apparmor_enabled == true
notify:
- restart dnsmasq
@ -14,6 +15,7 @@
- name: Enforce the dnsmasq AppArmor policy
shell: aa-enforce usr.sbin.dnsmasq
when: apparmor_enabled is defined and apparmor_enabled == true
tags: ['apparmor']
- name: Ensure that the dnsmasq service directory exist

2
roles/proxy/tasks/main.yml
View file

@ -14,11 +14,13 @@
- name: Privoxy profile for apparmor configured
template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=0600
when: apparmor_enabled is defined and apparmor_enabled == true
notify:
- restart privoxy
- name: Enforce the privoxy AppArmor policy
shell: aa-enforce usr.sbin.privoxy
when: apparmor_enabled is defined and apparmor_enabled == true
tags: ['apparmor']
- name: Ensure that the privoxy service directory exist

1
roles/vpn/tasks/main.yml
View file

@ -15,6 +15,7 @@
- name: Enforcing ipsec with apparmor
shell: aa-enforce "{{ item }}"
when: apparmor_enabled is defined and apparmor_enabled == true
with_items:
- /usr/lib/ipsec/charon
- /usr/lib/ipsec/lookip