
Allow skipping /proc mount options management

Open Tristan971 opened this issue 1 year ago • 0 comments

Description

It seems you cannot remount /proc (anymore? never could? unsure) for LXC containers, at least in some cases.

It is persistently failing with the following error here (Ubuntu 22.04 inside Proxmox 8.2, kernel is 6.8.4):

TASK [devsec.hardening.os_hardening : Set option hidepid for proc filesystem] ***************************************
fatal: [quic-tests-lon1]: FAILED! => changed=false 
  ansible_facts:
    discovered_interpreter_python: /usr/bin/python3
  msg: |-
    Error mounting /proc: umount: /proc: target is busy.

Solution

I would have filed it as a bug report, but given https://github.com/dev-sec/ansible-collection-hardening/issues/460#issuecomment-1875554371, I believe it might be better to allow leaving /proc as-is in general.

Allowing it to be skipped altogether would also match the similar toggles like os_mnt_boot_enabled, os_mnt_home_enabled, os_mnt_var_enabled, etc.

Alternatives

Figuring out whether it is intended for /proc to be remountable on LXC in the first place, and if yes finding the culprit between the Kernel, Proxmox, Ubuntu, and the Apparmor profiles of the host and guest... all for rather minimal value.

Additional information

I'm willing to make the PR for this feature to happen

Tristan971 avatar Jul 16 '24 14:07 Tristan971
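The check below is an added example, not code from the devsec.hardening collection or from the issue author. It reads the options of the /proc mount from a mounts table (by default /proc/self/mounts) and reports the current hidepid value, which is what a play would consult before deciding whether the "Set option hidepid for proc filesystem" task is applicable on a given host, for instance behind a hypothetical os_proc_hidepid_enabled toggle of the kind the issue proposes. The two mounts tables at the bottom are constructed samples: one resembles an LXC guest where /proc carries no hidepid option, the other a hardened host.

```shell
#!/bin/sh
# Added example (not from the devsec.hardening collection): inspect the
# hidepid= option of the /proc mount so a hardening play can skip the
# remount on hosts where it is already set or where remounting is not
# possible (e.g. an LXC guest whose /proc is busy).

# Print the hidepid= value of the /proc entry in the given mounts table
# (default: /proc/self/mounts). Prints "unset" when /proc is mounted
# without the option, and nothing at all when /proc is not listed.
proc_hidepid_value() {
    mounts_file="${1:-/proc/self/mounts}"
    # /proc/self/mounts fields: device, mount point, fstype, options, dump, pass.
    awk '$2 == "/proc" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^hidepid=/) {
                    sub(/^hidepid=/, "", opts[i])
                    print opts[i]
                    exit
                }
            }
            print "unset"
            exit
        }' "$mounts_file"
}

# Return 0 when /proc already hides other users processes (hidepid=2, or
# its kernel >= 5.8 spelling "invisible"), so the remount task can be skipped.
proc_hidepid_satisfied() {
    case "$(proc_hidepid_value "$1")" in
        2|invisible) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample mounts tables (not captured from a real host).
SAMPLE_LXC='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_HARDENED='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0'

# Write a sample table to a temporary file and print that file's path.
write_sample_mounts() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    echo "$f"
}

# Stand-alone demo over both samples.
for sample in "$SAMPLE_LXC" "$SAMPLE_HARDENED"; do
    f=$(write_sample_mounts "$sample")
    if proc_hidepid_satisfied "$f"; then
        echo "hidepid=$(proc_hidepid_value "$f"): nothing to do"
    else
        echo "hidepid=$(proc_hidepid_value "$f"): remount would be attempted"
    fi
    rm -f "$f"
done
```

Run against the live table (no argument) it tells you whether the task would change anything at all; on a host like the one in the issue, where the value comes back "unset" but the remount fails with "target is busy", that is exactly the situation a skip toggle would cover.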