/ansible-role-apparmor

Ensure the AppArmor LSM is enabled, recompiling Raspberry Pi kernels if necessary.

Anarcho-Tech NYC: AppArmor

Ensure the AppArmor LSM is enabled, recompiling the Linux kernel itself on Raspberry Pis running Raspbian OS, if they do not already have AppArmor support compiled in. Also install userspace AppArmor utilities and profiles.

Role Variables

There is only one user-settable variable in this role (for now):

  • raspberry_pi_linux_kernel_version: Git reference in the Raspberry Pi Foundation's Linux kernel source repository that selects which version of their Linux kernel to build when a recompile is necessary. For now, this only affects managed hosts that your playbook(s) detect as running Raspbian OS. Defaults to rpi-5.4.y.

Example Playbook

This role is immediately usable on Debian-based systems, in which case it will ensure AppArmor is added to the GRUB configuration so that it is passed on the Linux kernel command line. Raspberry Pi hardware, however, requires special consideration. An easy way to detect Raspbian OS in your playbook is like this:

# In `playbooks/site.yaml` or similar.
---
- name: Identify Raspbian OS hosts.
  hosts: all
  tasks:
    - stat:
        path: /etc/rpi-issue
      register: rpi_issue
    - set_fact:
        raspbian: "{{ rpi_issue.stat.exists }}"

- name: Ensure AppArmor is enabled.
  hosts: all
  tasks:
    - import_role:
        name: anarchotechnyc.apparmor

The Ansible set_fact module in the first play will associate the raspbian variable with each host in your inventory. For Raspbian OS hosts, the value will be true, based on the existence of Raspbian OS's /etc/rpi-issue distribution version info file, generated by pi-gen.
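
To confirm the result on each host, a follow-up play can assert that the running kernel actually has AppArmor active. This is an added example, not part of the role itself; it assumes the standard kernel interfaces /sys/module/apparmor/parameters/enabled and /sys/kernel/security/lsm, and that the host has already been rebooted into the updated kernel or command line.

```yaml
# Added example (not shipped with this role): post-run verification play.
---
- name: Verify the AppArmor LSM is active.
  hosts: all
  become: true
  gather_facts: false
  tasks:
    # This file is absent when the running kernel was built without
    # AppArmor, and reads "N" when AppArmor is compiled in but disabled.
    - name: Read the AppArmor "enabled" kernel parameter.
      slurp:
        src: /sys/module/apparmor/parameters/enabled
      register: aa_enabled
      failed_when: false

    # Comma-separated list of the LSMs initialised at boot.
    - name: Read the list of active LSMs.
      slurp:
        src: /sys/kernel/security/lsm
      register: active_lsms
      failed_when: false

    - name: Fail unless AppArmor is compiled in and enabled.
      assert:
        that:
          - aa_enabled.content is defined
          - "(aa_enabled.content | default('') | b64decode | trim) == 'Y'"
          - "'apparmor' in (active_lsms.content | default('') | b64decode | trim).split(',')"
        fail_msg: >-
          AppArmor is not active on {{ inventory_hostname }}: either the
          running kernel lacks AppArmor support or it is not enabled on
          the kernel command line.
        success_msg: AppArmor is active.
```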

License

AGPL-3.0-or-later

Testing

Use Molecule to run the tests. (You'll also need to install VirtualBox and Vagrant, as tests are run in Vagrant-managed, VirtualBox-backed virtual machines.) Here's how to install Molecule into a virtual environment.

# Molecule is written in Python, so you'll also need Python.
python -m venv venv                                # Create your virtual environment.
source venv/bin/activate                           # Activate it.
pip install molecule ansible-lint molecule-vagrant # Install testing tools.

# Then, you can run the tests:
molecule test

# When you're done, deactivate your virtual environment.
deactivate