From e79141d2d21c3fe5a9296886cec973fcb2897de5 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol
Date: Thu, 17 Feb 2022 16:25:20 +0100
Subject: [PATCH] lxc: Fail if /var is nosuid
---
 CHANGELOG.md | 1 +
 lxc/tasks/main.yml | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index afaccbbc..f55cf0cd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Changed
 * elasticsearch: Use `/etc/elasticsearch/jvm.options.d/evolinux` instead of default `/etc/elasticsearch/jvm.options`
+* lxc: Fail if /var is nosuid
 * openvpn: make it compatible with OpenBSD and add some improvements
 ### Fixed
diff --git a/lxc/tasks/main.yml b/lxc/tasks/main.yml
index daf2885a..70f5dc2b 100644
--- a/lxc/tasks/main.yml
+++ b/lxc/tasks/main.yml
@@ -43,8 +43,8 @@
 - lxc_unprivilegied_containers | bool
 - root_subuids.rc != 0
-- name: Check if /var has not mount options nodev or noexec
- shell: findmnt | grep -E "/var[^/]" | grep -e nodev -e noexec
+- name: Check if /var has not mount options or nosuid or nodev or noexec
+ shell: findmnt | grep -E "/var[^/]" | grep -e nodev -e noexec -e nosuid
 register: check_var
 changed_when: false
 failed_when: "check_var.rc == 0"
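Review bot: The check on the new `shell:` line fails open: the pipeline's exit status is that of the last `grep`, so if `findmnt` is missing or errors out the result is rc 1 and `failed_when: "check_var.rc == 0"` lets the play continue as if /var were fine. The first `grep -E "/var[^/]"` also matches anywhere on the findmnt line rather than on the mount target, and it reports nothing when /var is not a separate mount and inherits `nosuid` from its parent filesystem. Consider `command: findmnt --noheadings --output OPTIONS --target /var` with `failed_when: check_var.rc != 0 or check_var.stdout is search('nosuid|nodev|noexec')`, which asks for the filesystem that actually holds /var and fails when the lookup itself fails. The new task name has a stray "or" (`mount options or nosuid or nodev`); `Check that /var is not mounted nosuid, nodev or noexec` reads more clearly. The task may continue below the last line of the hunk.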