From 2798f84d3fdbaf8289ebbe9ec384a266d8ad4b1d Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Mon, 16 Jan 2017 00:17:47 +0300
Subject: [PATCH] ensure that apparmor is supported by the kernel #215
---
 .travis.yml | 2 +-
 roles/common/tasks/main.yml | 9 +++++++++
 roles/dns_adblocking/tasks/main.yml | 2 ++
 roles/proxy/tasks/main.yml | 2 ++
 roles/vpn/tasks/main.yml | 1 +
 5 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index b3cde5e..76d8bb2 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -45,4 +45,4 @@ install:
 script:
 - ansible-playbook deploy.yml --syntax-check
- - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y" --skip-tags apparmor
+ - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 79c7cfe..1262d3f 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -94,3 +94,12 @@
 sysctl: name=net.ipv6.conf.all.forwarding value=1
 tags:
 - always
+
+ - name: Check apparmor support
+ shell: apparmor_status
+ ignore_errors: yes
+ register: apparmor_status
+
+ - set_fact:
+ apparmor_enabled: true
+ when: '"profiles are in enforce mode" in apparmor_status.stdout'
diff --git a/roles/dns_adblocking/tasks/main.yml b/roles/dns_adblocking/tasks/main.yml
index e3692bb..bf58931 100644
--- a/roles/dns_adblocking/tasks/main.yml
+++ b/roles/dns_adblocking/tasks/main.yml
@@ -6,6 +6,7 @@
 - name: Dnsmasq profile for apparmor configured
 template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600
+ when: apparmor_enabled is defined and apparmor_enabled == true
 notify:
 - restart dnsmasq
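Review bot: The probe task added to roles/common/tasks/main.yml is a read-only status check but is written as `shell: apparmor_status` with `ignore_errors: yes`, so it reports "changed" on every run and a host without the `apparmor_status` binary shows up as an ignored failure in the play output; `command: apparmor_status` with `changed_when: false` and `failed_when: false` expresses the intent directly. As far as I can tell the substring match succeeds whenever the tool prints its normal summary (which includes "0 profiles are in enforce mode" when nothing is enforced yet) and fails when it reports that the module is not loaded, so the fact really means "AppArmor is active on this host" rather than "the kernel supports it"; a comment on the `set_fact` saying so would save the next reader from re-deriving it. When the fact stays undefined, the dnsmasq, privoxy and charon profiles in the other roles are silently skipped, which quietly weakens the deployed confinement, so a `debug` task that prints a warning when `apparmor_enabled is not defined` makes that visible to the operator.
```yaml
- name: Check apparmor support
  command: apparmor_status
  register: apparmor_status
  changed_when: false
  failed_when: false

# … unchanged: set_fact apparmor_enabled …

- name: Warn when AppArmor confinement will be skipped
  debug:
    msg: "AppArmor is not active on this host; service profiles will not be installed or enforced"
  when: apparmor_enabled is not defined
```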
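Review bot: The guard `when: apparmor_enabled is defined and apparmor_enabled == true` is copied verbatim onto five tasks across this hunk, the second dns_adblocking hunk, and the proxy and vpn hunks; `when: apparmor_enabled | default(false) | bool` is shorter and also accepts an operator override passed as `-e apparmor_enabled=true`, which arrives as the string "true" and would fail the `== true` comparison. Separately, gating the template task means the profile file under /etc/apparmor.d is not written at all on hosts where AppArmor is currently inactive; consider keeping the template tasks unconditional and gating only the `aa-enforce` tasks, so the profile is already in place and is enforced if AppArmor becomes available on that host later. The task list these hunks belong to continues outside the hunk.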
@@ -14,6 +15,7 @@
 - name: Enforce the dnsmasq AppArmor policy
 shell: aa-enforce usr.sbin.dnsmasq
+ when: apparmor_enabled is defined and apparmor_enabled == true
 tags: ['apparmor']
 - name: Ensure that the dnsmasq service directory exist
diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
index 9117dfb..0af30df 100644
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -14,11 +14,13 @@
 - name: Privoxy profile for apparmor configured
 template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=0600
+ when: apparmor_enabled is defined and apparmor_enabled == true
 notify:
 - restart privoxy
 - name: Enforce the privoxy AppArmor policy
 shell: aa-enforce usr.sbin.privoxy
+ when: apparmor_enabled is defined and apparmor_enabled == true
 tags: ['apparmor']
 - name: Ensure that the privoxy service directory exist
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 0ec3a18..1770ac5 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -15,6 +15,7 @@
 - name: Enforcing ipsec with apparmor
 shell: aa-enforce "{{ item }}"
+ when: apparmor_enabled is defined and apparmor_enabled == true
 with_items:
 - /usr/lib/ipsec/charon
 - /usr/lib/ipsec/lookip