From 98b7b55a53c945f4fa4f271bf2fe7916e18f3be3 Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Wed, 17 Mar 2021 11:30:21 +0100
Subject: [PATCH] Whitelist multiple services of proc's hidepid feature

Not only required for systemd-logind, but also for user@.service
---
 group_vars/all/vars.yml               |  5 +++++
 roles/common/tasks/kernel_hidepid.yml | 10 ++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 49c7a35..ce1ff81 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -100,6 +100,10 @@ raspbian_repository_use_sources: yes
 
 global_fstab_file: "/etc/fstab"
 
+global_proc_hidepid_service_whitelist:
+  - "{{ global_systemd_login_service_name }}"
+  - "{{ global_systemd_user_service_name }}"
+
 global_users_directory: "/home"
 
 # Application configurations
@@ -193,6 +197,7 @@ global_systemd_login_service_name: "systemd-logind.service"
 global_systemd_network_directory: "/etc/systemd/network"
 global_systemd_network_service_name: "systemd-networkd.service"
 global_systemd_network_system_user: "systemd-network"
+global_systemd_user_service_name: "user@.service"
 
 global_zsh_antigen_source: "/usr/share/zsh-antigen/antigen.zsh"
 
diff --git a/roles/common/tasks/kernel_hidepid.yml b/roles/common/tasks/kernel_hidepid.yml
index 6695e64..89cc8f1 100644
--- a/roles/common/tasks/kernel_hidepid.yml
+++ b/roles/common/tasks/kernel_hidepid.yml
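Review bot: The new `global_proc_hidepid_service_whitelist` list carries no comment explaining what membership means, although every entry is given `SupplementaryGroups=proc` by roles/common/tasks/kernel_hidepid.yml and can therefore see all processes despite `hidepid=2`. Because `user@.service` is a template unit, the drop-in presumably applies to every per-user manager instance, and the user services those managers spawn may inherit the group — worth confirming and recording here, since it would widen the hidepid exemption from one system daemon to every logged-in user's session. A comment above the list such as `# Services granted SupplementaryGroups=proc (roles/common/tasks/kernel_hidepid.yml); each entry bypasses hidepid=2 for /proc, so keep this list minimal` would make that trade-off reviewable. The list also references `global_systemd_user_service_name`, which is only defined in the second hunk of this file; Ansible's lazy templating tolerates the forward reference, but a reader may not expect it.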
@@ -18,20 +18,22 @@ nosuid,nodev,noexec,hidepid=2,gid=proc 0 0
 
-- name: Ensure configuration directory for systemd-logind service exists
+- name: Ensure configuration directory for whitelisted services exist
   file:
     state: directory
-    path: "{{ global_systemd_configuration_directory }}/{{ global_systemd_login_service_name }}.d"
+    path: "{{ global_systemd_configuration_directory }}/{{ item }}.d"
     owner: root
     group: root
     mode: u=rwx,g=rx,o=rx
+  loop: "{{ global_proc_hidepid_service_whitelist }}"
 
-- name: Configure systemd-logind to adapt to hidepid setting
+- name: Configure whitelisted services to adapt to hidepid setting
   copy:
     content: |
       [Service]
       SupplementaryGroups=proc
-    dest: "{{ global_systemd_configuration_directory }}/{{ global_systemd_login_service_name }}.d/hidepid.conf"
+    dest: "{{ global_systemd_configuration_directory }}/{{ item }}.d/proc_hidepid_whitelist.conf"
     owner: root
     group: root
     mode: u=rw,g=r,o=r
+  loop: "{{ global_proc_hidepid_service_whitelist }}"
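Review bot: Renaming the drop-in from `hidepid.conf` to `proc_hidepid_whitelist.conf` in the `copy` task's `dest` leaves the old `systemd-logind.service.d/hidepid.conf` behind on hosts provisioned before this change, so those hosts carry two drop-ins with the same `SupplementaryGroups=proc` directive and no task ever removes the stale one. A cleanup task looping over the same whitelist with `state: absent` keeps the role convergent and makes removing a service from the list actually revoke the group. Neither task shows a `notify`, so unless a handler is attached outside this hunk, the drop-ins only take effect after `systemctl daemon-reload` and a restart of each listed unit — a handler, or a comment stating that a reboot is expected, would make that explicit. The first task's name should also read `Ensure configuration directories for whitelisted services exist`.

```yaml
# … unchanged: directory and drop-in tasks above …
- name: Remove superseded hidepid drop-in
  file:
    path: "{{ global_systemd_configuration_directory }}/{{ item }}.d/hidepid.conf"
    state: absent
  loop: "{{ global_proc_hidepid_service_whitelist }}"
```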