Prevent disabling of filesystems via whitelist

2024-11-10 09:14:18 +00:00 · 2017-10-30 19:00:47 +01:00 · 2017-10-30 19:00:47 +01:00 · d429d53c60
commit d429d53c60
parent bf6cb73cd5
4 changed files with 7 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -84,6 +84,8 @@ We disable the following filesystems, because they're most likely not used:
 * "udf"
 * "vfat"

+To prevent some of the filesystems from being disabled, add them to the `os_filesystem_whitelist` variable.
+
 ## Example Playbook

    - hosts: localhost
--- a/default.yml
+++ b/default.yml
@ -18,6 +18,7 @@
    os_auth_allow_homeless: true
    os_security_suid_sgid_blacklist: ['/bin/umount']
    os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
+    os_filesystem_whitelist: ['vfat']
    sysctl_config:
      net.ipv4.ip_forward: 0
      net.ipv6.conf.all.forwarding: 0
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -194,3 +194,5 @@ os_unused_filesystems:
  - "udf"
  - "vfat"

+# whitelist for used filesystems
+os_filesystem_whitelist: []
--- a/templates/modprobe.j2
+++ b/templates/modprobe.j2
@ -1,5 +1,5 @@
-# {{ ansible_managed | comment }}
+{{ ansible_managed | comment }}

-{% for fs in os_unused_filesystems %}
+{% for fs in os_unused_filesystems | difference(os_filesystem_whitelist) %}
 install {{fs}} /bin/true
 {% endfor %}