ensure that apparmor is supported by the kernel trailofbits#215

flyryan · Jan 15, 2017 · 2798f84 · 2798f84
1 parent 1681b98
commit 2798f84
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 1 deletion.
diff --git a/.travis.yml b/.travis.yml
@@ -45,4 +45,4 @@ install:
 
 script:
   - ansible-playbook deploy.yml --syntax-check
-  - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y" --skip-tags apparmor
+  - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
@@ -94,3 +94,12 @@
   sysctl: name=net.ipv6.conf.all.forwarding value=1
   tags:
     - always
+
+- name: Check apparmor support
+  shell: apparmor_status
+  ignore_errors: yes
+  register: apparmor_status
+
+- set_fact:
+    apparmor_enabled: true
+  when: '"profiles are in enforce mode" in apparmor_status.stdout'
diff --git a/roles/dns_adblocking/tasks/main.yml b/roles/dns_adblocking/tasks/main.yml
@@ -6,6 +6,7 @@
 
 - name: Dnsmasq profile for apparmor configured
   template: src=usr.sbin.dnsmasq.j2 dest=/etc/apparmor.d/usr.sbin.dnsmasq owner=root group=root mode=0600
+  when: apparmor_enabled is defined and apparmor_enabled == true
   notify:
     - restart dnsmasq
 
@@ -14,6 +15,7 @@
 
 - name: Enforce the dnsmasq AppArmor policy
   shell: aa-enforce usr.sbin.dnsmasq
+  when: apparmor_enabled is defined and apparmor_enabled == true
   tags: ['apparmor']
 
 - name: Ensure that the dnsmasq service directory exist

diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
@@ -14,11 +14,13 @@
 
 - name: Privoxy profile for apparmor configured
   template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=0600
+  when: apparmor_enabled is defined and apparmor_enabled == true
   notify:
     - restart privoxy
 
 - name: Enforce the privoxy AppArmor policy
   shell: aa-enforce usr.sbin.privoxy
+  when: apparmor_enabled is defined and apparmor_enabled == true
   tags: ['apparmor']
 
 - name: Ensure that the privoxy service directory exist

diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
@@ -15,6 +15,7 @@
 
 - name: Enforcing ipsec with apparmor
   shell: aa-enforce "{{ item }}"
+  when: apparmor_enabled is defined and apparmor_enabled == true
   with_items:
     - /usr/lib/ipsec/charon
     - /usr/lib/ipsec/lookip