---
# /tmp on tmpfs with nosuid/nodev, but deliberately WITHOUT noexec: pyenv,
# the `doom` CLI of Doom Emacs and similar tools need to execute from /tmp.
# NOTE(review): without noexec a payload dropped into /tmp can still be run
# directly; re-add noexec if those tools are no longer needed on the host.
# state=present only edits /etc/fstab (per ansible.posix.mount); the options
# take effect at the next boot or an explicit remount.
- name: fstab | Harden mount options for /tmp
  ansible.posix.mount:
    path: /tmp
    src: tmpfs
    fstype: tmpfs
    opts: 'rw,nosuid,nodev,size=4G,mode=1777'
    state: present

# /run is mounted exec by default; this entry adds noexec on top of
# nosuid/nodev so nothing can be executed out of the runtime directory.
# NOTE(review): confirm no service on the host stores executable helpers
# under /run before relying on noexec here.
# state=present only edits /etc/fstab; applied at next boot or remount.
- name: fstab | Harden mount options for /run
  ansible.posix.mount:
    path: /run
    src: tmpfs
    fstype: tmpfs
    opts: 'rw,nosuid,nodev,noexec,size=1G,mode=0755'
    state: present

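# hidepid=2 hides other users' processes under /proc. The polkit daemon must
# still see every process to authorize requests, so its group is exempted via
# gid=; without polkit the exemption is given to wheel instead.
# Note: add the normal user to the polkitd group afterward.
# NOTE(review): every member of the gid= group sees ALL processes, i.e.
# hidepid is effectively switched off for that user — keep the membership
# to accounts that genuinely need it.
- name: fstab | Configure /proc restriction
  vars:
    proc_group: '{{ use_polkit | ternary("polkitd", "wheel") }}'
  block:
    # Busybox's mount does not resolve group names in gid=, so the numeric
    # GID is looked up first (wheel is GID 10 on Alpine by default).
    # The getent module fails the play when the group does not exist; the
    # former `getent | awk` shell pipeline returned awk's exit code, so a
    # missing group silently produced an empty `gid=` in /etc/fstab, which
    # would leave /proc unmountable at boot.
    - name: fstab | Look up GID of group {{ proc_group }}
      ansible.builtin.getent:
        database: group
        key: '{{ proc_group }}'

    # state=present only edits /etc/fstab; apply with a reboot or
    # `mount -o remount /proc`.
    - name: fstab | Restrict read access on /proc for group {{ proc_group }}
      vars:
        # getent_group[<name>] is [password, gid, members]; index 1 is the GID
        proc_gid: '{{ ansible_facts.getent_group[proc_group][1] }}'
      ansible.posix.mount:
        path: /proc
        src: proc
        fstype: proc
        opts: 'rw,nosuid,nodev,noexec,hidepid=2,gid={{ proc_gid }}'
        state: present
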
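# Mount the UEFI variable store read-only so that even root cannot delete or
# rewrite firmware variables (accidentally, e.g. a stray `rm -rf` under /sys,
# or on behalf of an attacker with root).
# Fix: the kernel filesystem type is "efivarfs"; the previous value
# "efivars" is not a valid fstype, so the fstab entry could not be mounted.
# NOTE(review): on a BIOS-booted host /sys/firmware/efi/efivars does not
# exist and this entry would fail at boot, and an init script may already
# have mounted efivarfs read-write — verify the effective mount options
# after the next reboot. state=present only edits /etc/fstab.
- name: fstab | Disable UEFI variable access
  ansible.posix.mount:
    path: /sys/firmware/efi/efivars
    src: efivarfs
    fstype: efivarfs
    opts: 'ro,nosuid,nodev,noexec'
    state: present
  when: disable_uefi_access
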
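# Drop any /etc/fstab line that mentions the efivars mount point.
# Only /etc/fstab is edited: an efivarfs that is currently mounted read-only
# stays read-only until it is remounted or the host reboots.
# Uses the FQCN like the other tasks in this file (ansible-lint `fqcn`).
- name: fstab | Allow UEFI variable access
  ansible.builtin.lineinfile:
    path: /etc/fstab
    search_string: /sys/firmware/efi/efivars
    state: absent
    owner: root
    group: root
    mode: '0644'
  when: not disable_uefi_access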