do not blacklist used filesystems (dev-sec#289)

* add additional check for efi some systems seem to require vfat because of efi, despite not exposing a /sys/firmware/efi directory. Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * make linter happy Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * rework check to check for all used filesystems so we don't break existing mounts with our configuration Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * do not check this on el6 Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * add comment to clarify Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
divialth · Aug 7, 2020 · adb431e · adb431e
1 parent 3970cf3
commit adb431e
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/tasks/modprobe.yml b/tasks/modprobe.yml
@@ -14,6 +14,12 @@
     os_unused_filesystems: "{{ os_unused_filesystems | difference('vfat') }}"
   when: efi_installed.stat.isdir is defined and efi_installed.stat.isdir
 
+- name: remove used filesystems from fs-list
+  set_fact:
+    os_unused_filesystems: "{{ os_unused_filesystems | difference(ansible_mounts | map(attribute='fstype') | list) }}"
+  # we cannot do this on el6 and below, because these systems don't support the map function
+  when: not ((ansible_facts.os_family in ['Oracle Linux', 'RedHat']) and ansible_facts.distribution_major_version < '7')
+
 - name: disable unused filesystems | os-10
   template:
     src: 'etc/modprobe.d/modprobe.j2'