Whitelist multiple services of proc's hidepid feature

Not only required for systemd-logind, but also for user@.service
master
Felix Stupp 4 years ago
parent 15ad953131
commit 98b7b55a53
Signed by: zocker
GPG Key ID: 93E1BD26F6B02FB7

@ -100,6 +100,10 @@ raspbian_repository_use_sources: yes
global_fstab_file: "/etc/fstab"
global_proc_hidepid_service_whitelist:
- "{{ global_systemd_login_service_name }}"
- "{{ global_systemd_user_service_name }}"
global_users_directory: "/home"
# Application configurations
@ -193,6 +197,7 @@ global_systemd_login_service_name: "systemd-logind.service"
global_systemd_network_directory: "/etc/systemd/network"
global_systemd_network_service_name: "systemd-networkd.service"
global_systemd_network_system_user: "systemd-network"
global_systemd_user_service_name: "user@.service"
global_zsh_antigen_source: "/usr/share/zsh-antigen/antigen.zsh"

@ -18,20 +18,22 @@
nosuid,nodev,noexec,hidepid=2,gid=proc
0 0
- name: Ensure configuration directory for systemd-logind service exists
- name: Ensure configuration directory for whitelisted services exist
file:
state: directory
path: "{{ global_systemd_configuration_directory }}/{{ global_systemd_login_service_name }}.d"
path: "{{ global_systemd_configuration_directory }}/{{ item }}.d"
owner: root
group: root
mode: u=rwx,g=rx,o=rx
loop: "{{ global_proc_hidepid_service_whitelist }}"
- name: Configure systemd-logind to adapt to hidepid setting
- name: Configure whitelisted services to adapt to hidepid setting
copy:
content: |
[Service]
SupplementaryGroups=proc
dest: "{{ global_systemd_configuration_directory }}/{{ global_systemd_login_service_name }}.d/hidepid.conf"
dest: "{{ global_systemd_configuration_directory }}/{{ item }}.d/proc_hidepid_whitelist.conf"
owner: root
group: root
mode: u=rw,g=r,o=r
loop: "{{ global_proc_hidepid_service_whitelist }}"

Loading…
Cancel
Save