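---
# Playbook: persistently block the esp4, esp6 and rxrpc kernel modules through
# modprobe configuration on every targeted host.
#
# Operational impact: esp4/esp6 implement IPsec ESP for IPv4/IPv6 and rxrpc
# backs the in-kernel AFS client, so hosts that depend on kernel IPsec or AFS
# lose that functionality once these modules can no longer be loaded.
#
# Scope: rules under /etc/modprobe.d govern modprobe-based loading only; they
# do not unload a module that is already resident in the running kernel.
- name: Blacklist kernel modules
  hosts: all
  become: true
  gather_facts: false

  vars:
    modules_to_blacklist:
      # DirtyFrag
      - esp4
      - esp6
      - rxrpc

  tasks:
    - name: Ensure blacklist directory exists
      file:
        path: /etc/modprobe.d
        state: directory
        mode: '0755'

    - name: Check if module is currently loaded
      # Query /proc/modules directly (the kernel's own list of loaded modules)
      # instead of piping lsmod into grep: with no pipeline and no shell, the
      # registered rc is grep's own exit status and nothing can mask a failure.
      command: "grep -qw '{{ item }}' /proc/modules"
      loop: "{{ modules_to_blacklist }}"
      register: lsmod_check
      changed_when: false
      # grep exits 1 when nothing matched, i.e. the module is not loaded.
      # rc 0 means the module is loaded -> fail the task, as before.
      # Any other rc means the state could not be determined; fail as well so
      # an unreadable module list is never reported as "not loaded".
      failed_when: lsmod_check.rc != 1
      # NOTE(review): a failure here stops the play for that host before the
      # tasks below run, so a host that already has one of these modules loaded
      # receives no persistent blacklist entry. Such hosts need the module
      # unloaded (or the entries applied and the host rebooted) separately.

    - name: Blacklist kernel modules
      # Only executes if the previous task succeeded (meaning module was NOT loaded)
      # "blacklist" suppresses alias-based automatic loading only; an explicit
      # load request is handled by the "install" rule written by the next task.
      # NOTE(review): some distributions ship /etc/modprobe.d/blacklist.conf
      # themselves; a dedicated drop-in file would keep these entries separate
      # from package-managed content - confirm for the target distributions.
      lineinfile:
        path: /etc/modprobe.d/blacklist.conf
        line: "blacklist {{ item }}"
        create: true
        mode: '0644'
        state: present
      loop: "{{ modules_to_blacklist }}"

    - name: Force /bin/false return on attempts to load kernel modules
      # An "install" rule makes modprobe run the given command in place of
      # loading the module; /bin/false makes every such request fail.
      lineinfile:
        path: /etc/modprobe.d/blacklist.conf
        line: "install {{ item }} /bin/false"
        create: true
        mode: '0644'
        state: present
      loop: "{{ modules_to_blacklist }}"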