Update apparmor configurations.

Allow for the app armor configuration files to be loaded from secure repo if available and loaded from the base configuration otherwise.

Update apparmor configurations.
Allow for the app armor configuration files to be loaded from secure repo if available and loaded from the base configuration otherwise.
1e7ae9de · Feanil Patel · 989fa18c · 1e7ae9de · 1e7ae9de · 1e7ae9de
Commit 1e7ae9de authored Jun 18, 2013 by Feanil Patel
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 2 deletions

playbooks/roles/xserver/files/sandbox.sudoers
+0 -0

playbooks/roles/xserver/tasks/main.yml
+8 -2

playbooks/roles/xserver/templates/usr.bin.python-sandbox.j2
+0 -0

No files found.
--- a/playbooks/roles/xserver/files/01-sandbox
+++ b/playbooks/roles/xserver/files/01-sandbox
--- a/playbooks/roles/xserver/tasks/main.yml
+++ b/playbooks/roles/xserver/tasks/main.yml
@@ -24,13 +24,19 @@
    line="session required pam_limits.so"

 - name: set sandbox limits
-  copy: src=sandbox.conf dest=/etc/security/limits.d/sandbox.conf
+  copy: src={{ item }} dest=/etc/security/limits.d/sandbox.conf
+  first_available_file:
+  - {{ secure_dir }}/sandbox.conf
+  - sandbox.conf

 - name: ensure apparmor package
  apt: pkg=apparmor-utils state=present

 - name: load python-sandbox apparmor profile
-  copy: src=usr.bin.python-sandbox dest=/etc/apparmor.d/usr.bin.python-sandbox
+  template: src={{ item }} dest=/etc/apparmor.d/edx_apparmor_sandbox
+  first_available_file:
+  - {{ secure_dir }}/files/edx_apparmor_sandbox.j2
+  - usr.bin.python-sandbox.j2

 - name: enforce app-armor rules
  command: aa-enforce {{ sandbox_venv_dir }}

--- a/playbooks/roles/xserver/files/usr.bin.python-sandbox
+++ b/playbooks/roles/xserver/files/usr.bin.python-sandbox