debops-contrib.apparmor default variables

Packages and installation

apparmor__base_packages

List of base packages to install.

apparmor__base_packages:
  - 'apparmor'
  - 'apparmor-utils'
  - 'apparmor-profiles'
  - '{{ []
        if (ansible_distribution == "Ubuntu" and not (ansible_distribution_version|version_compare("15.10", ">=")))
        else [ "apparmor-profiles-extra" ] }}'
apparmor__packages

List of additional packages to install with AppArmor.

Example:

apparmor__packages:
  - 'apparmor-notify'

apparmor__packages: []
apparmor__enabled

Should AppArmor be enabled?

apparmor__enabled: True
apparmor__kernel_options

Default kernel options needed to enable AppArmor. You probably don’t need to change this.

apparmor__kernel_options:
  - 'apparmor=1'
  - 'security=apparmor'
apparmor__manage_grub

How should role write the required kernel options into the Grub configuration. The default is delegate this to the debops.grub role. If set to False, this role will do that internally without debops.grub. Note that this role is not as flexible in configuring Grub as debops.grub is.

apparmor__manage_grub: False
apparmor__additional_kernel_parameters

Legacy: Only considered when apparmor__manage_grub == True.

apparmor__additional_kernel_parameters: ''
apparmor__mail_to

List of recipients to which a mail will be send in case a reboot is required.

apparmor__mail_to: [ 'root@{{ ansible_domain }}' ]
apparmor__mail_subject

Subject of the Email to be send in case a reboot is required to boot into a updated kernel version.

apparmor__mail_subject: 'Reboot required by AppArmor on {{ ansible_fqdn }}'
apparmor__mail_body

Body of the Email to be send in case a reboot is required to boot into a updated kernel version.

apparmor__mail_body: |
  Ansible has enabled AppArmor thought the boot loader configuration for the
  Linux kernel parameters on host {{ ansible_fqdn }}.
  You should check the status of the host and reboot it when convenient.

AppArmor profiles

apparmor__enforce_all_profiles

Put all profiles into enforcement mode. Use this only if you know what you are doing.

apparmor__enforce_all_profiles: False
apparmor__global_profile_status

Global configuration of the status of individual profiles. More specific matches overwrite more generic matches (example host overrules global).

Choices are:

enforce
Result in enforcement of the policy defined in the profile as well as logging policy violation attempts.
complain
This will not enforce the policy. Instead, it will log policy violations.
disable
In this mode, policy violations are neither prevented nor logged.

Example:

apparmor__global_profile_status:
  'usr.sbin.nmbd': 'complain'

apparmor__global_profile_status: {}
apparmor__host_group_profile_status

Host group configuration of the status of individual profiles.

apparmor__host_group_profile_status: {}
apparmor__host_profile_status

Host configuration of the status of individual profiles.

apparmor__host_profile_status: {}
apparmor__local_config_global

Global additions or overrides of system profiles. Those changes will be configured in /etc/apparmor.d/local/. Check /etc/apparmor.d/local/README for details. All three dictionaries are merged into one profile configuration.

comment
String, optional, default "Uncommented rule group". Comment for the given rules.
rules
List of strings, required. AppArmor rules. Note that the rules are not comma terminated, this is done by the role template.
by_role
Strings, optional, default "". Name of a role which manages the rules. Useful for using this role as role dependency.
delete
Boolean, optional, default False. Delete the given rule(s).

Example:

apparmor__local_config_global:

  'usr.sbin.dnsmasq':
    - comment: 'Allow dnsmasq to read upstream DNS servers'
      rules:
        - '/etc/resolvconf/upstream.conf r'
        - '/etc/hosts.dnsmasq r'
      by_role: 'debops.dnsmasq'
    - comment: 'Allow dnsmasq to read /usr/share/dnsmasq-base/trust-anchors.conf'
      rules:
        - '/usr/share/dnsmasq-base/* r'
      by_role: 'debops.dnsmasq'

  'usr.bin.pidgin':
    - comment: 'Allow local Pidgin plugins'
      rules:
        - '@{HOME}/.purple/plugins/** rm'

apparmor__local_config_global: {}
apparmor__local_group_config

Host group additions or overrides of system profiles.

apparmor__local_group_config: {}
apparmor__local_host_config

Host additions or overrides of system profiles.

apparmor__local_host_config: {}
apparmor__local_dependent_config

System profiles managed by other roles using this role as dependency.

apparmor__local_dependent_config: {}
apparmor__global_tunables

Allows you to define or append variables which will be included by most profiles via the tunable concept of AppArmor. See also: https://wiki.ubuntu.com/DebuggingApparmor#Adjusting_Tunables

Examples:

1
2
apparmor__global_tunables: |
  @{HOMEDIRS}+=/exports/home/

apparmor__global_tunables: ''
apparmor__group_tunables

Host group definitions or additions to variables.

apparmor__group_tunables: ''
apparmor__host_tunables

Host definitions or additions to variables.

apparmor__host_tunables: ''
apparmor__tunables_dependent

Variable definitions managed by roles using this role as dependency.

apparmor__tunables_dependent: ''