From 7e99a97eaf7bf371f4f095f31976b57d28c63bc1 Mon Sep 17 00:00:00 2001
From: Pig Monkey
Date: Thu, 20 Feb 2020 09:30:22 -0800
Subject: [PATCH] optionally enable unprivileged containers for non-root users

This is enabled by default in the vanilla kernel and disabled by default in the hardened kernel.
---
 group_vars/all | 3 +++
 roles/hardened/files/99-userns.conf | 1 +
 roles/hardened/meta/main.yml | 1 +
 roles/hardened/tasks/main.yml | 8 ++++++++
 4 files changed, 13 insertions(+)
 create mode 100644 roles/hardened/files/99-userns.conf

diff --git a/group_vars/all b/group_vars/all
index c2048b8..3fc8b37 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -312,4 +312,7 @@ units:
 pkgfile:
 run_on: trusted
+hardened:
+ enable_namespaces: true
+ kernel_parameters: "quiet consoleblank=60 i915.enable_psr=2"
diff --git a/roles/hardened/files/99-userns.conf b/roles/hardened/files/99-userns.conf
new file mode 100644
index 0000000..c4ee63d
--- /dev/null
+++ b/roles/hardened/files/99-userns.conf
@@ -0,0 +1 @@
+kernel.unprivileged_userns_clone = 1
diff --git a/roles/hardened/meta/main.yml b/roles/hardened/meta/main.yml
index 36c5cff..f1efacd 100644
--- a/roles/hardened/meta/main.yml
+++ b/roles/hardened/meta/main.yml
@@ -1,3 +1,4 @@
 ---
 dependencies:
 - { role: grub }
+ - { role: sysctl }
diff --git a/roles/hardened/tasks/main.yml b/roles/hardened/tasks/main.yml
index 0ba3378..b61d994 100644
--- a/roles/hardened/tasks/main.yml
+++ b/roles/hardened/tasks/main.yml
@@ -7,3 +7,11 @@
 state: present
 notify:
 - rebuild grub
+
+- name: Enable unprivileged containers for non-root users
+ copy:
+ src: 99-userns.conf
+ dest: /etc/sysctl.d/99-userns.conf
+ notify:
+ - reload sysctl
+ when: hardened is defined and hardened.enable_namespaces
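Review bot: The group-wide default `enable_namespaces: true` in group_vars/all switches unprivileged user namespaces on for every host the hardened role reaches, which reverses the hardened kernel's default fleet-wide instead of opting individual hosts in. Unprivileged user namespaces hand a large amount of kernel attack surface to any local user, so a safer default is `enable_namespaces: false`, with the hosts that actually run rootless containers overriding it in their host_vars. The key name also undersells what it controls — it drives the `kernel.unprivileged_userns_clone` sysctl — so either rename it to `enable_unprivileged_userns` or add a comment such as `# lets unprivileged users create user namespaces (rootless containers); widens the kernel attack surface` so whoever edits this file sees the trade-off.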
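Review bot: Setting `hardened.enable_namespaces` back to `false` does not disable anything on a host that was already configured: the new task in roles/hardened/tasks/main.yml is merely skipped, `/etc/sysctl.d/99-userns.conf` stays in place and keeps forcing the knob to 1 on every reload and boot. Rendering the file from the variable instead of copying a static one makes the role converge in both directions and lets the `reload sysctl` handler apply 0 immediately, and it makes the static `99-userns.conf` redundant. The guard `hardened is defined and hardened.enable_namespaces` also raises an undefined-variable error when `hardened` exists without that key, which `| default(false)` avoids. Note that `kernel.unprivileged_userns_clone` is a linux-hardened/distribution-patched sysctl rather than a mainline one, so on a host booting the vanilla kernel the `reload sysctl` handler (defined in the sysctl role, not visible here) would presumably fail on the unknown key unless it tolerates missing keys — worth confirming before this is applied outside hardened-kernel hosts.
```yaml
- name: Configure unprivileged user namespaces for non-root users
  copy:
    # 0 restores the hardened kernel default, so turning the variable off converges too
    content: "kernel.unprivileged_userns_clone = {{ 1 if (hardened.enable_namespaces | default(false)) else 0 }}\n"
    dest: /etc/sysctl.d/99-userns.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - reload sysctl
  when: hardened is defined
```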