From f6cbd3f89de210ec5baac7882b7d5ff907cb9986 Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutrelis.com>
Date: Sun, 13 Feb 2022 16:54:50 +0200
Subject: [PATCH] hardening: use default ptrace scope on buildservers

Making 'kernel.yama.ptrace_scope' more strict by setting it to '2'
causes failures in elfutils' test suite. While tentatively helpful
on other servers, it seems kind of unnecessary for a build server.

Fixes: #424 (to be reopened though, if more restrictions are found)
---
 roles/hardening/tasks/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/hardening/tasks/main.yml b/roles/hardening/tasks/main.yml
index cddd4d264..623e98e97 100644
--- a/roles/hardening/tasks/main.yml
+++ b/roles/hardening/tasks/main.yml
@@ -7,6 +7,7 @@
 
 - name: set ptrace scope, restrict ptrace to CAP_SYS_PTRACE
   copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf owner=root group=root mode=0644
+  when: "'buildservers' not in group_names"
   notify:
     - apply sysctl settings
 
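Review bot: The new `when` on the "set ptrace scope" task only skips future copies; a build server that already ran this role keeps `/etc/sysctl.d/50-ptrace-restrict.conf`, so the strict value would presumably be re-applied on every boot. A companion task that removes the file when `'buildservers' in group_names` would make the exception take effect on existing hosts. The running `kernel.yama.ptrace_scope` likely still needs a reboot or an explicit reset, because reloading sysctl files does not revert a key that no file sets any more (the handler body is not visible here). A short comment above the `when` naming the reason (elfutils test suite, #424) would keep this hardening exception visible to later reviewers. The task list continues outside the hunk.

```yaml
# … unchanged: "set ptrace scope" task with the new `when` …

- name: remove ptrace restriction on buildservers
  file: path=/etc/sysctl.d/50-ptrace-restrict.conf state=absent
  when: "'buildservers' in group_names"
  notify:
    - apply sysctl settings
```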
-- 
GitLab