evolinux-base: On debian 10 and later, add noexec on /dev/shm

CHANGELOG.md

@@ -11,6 +11,7 @@ The **patch** part changes incrementally at each release.
 ## [Unreleased]
 
 ### Added
+* evolinux-base: On debian 10 and later, add noexec on /dev/shm
 
 ### Changed
 * elasticsearch: listen on local interface only by default

evolinux-base/defaults/main.yml

@@ -67,6 +67,8 @@ evolinux_fstab_home: True
 evolinux_fstab_home_options: defaults,noexec,nosuid,nodev
 evolinux_fstab_var_tmp: True
 evolinux_fstab_var_tmp_options: defaults,noexec,nosuid,nodev,size=1024m
+evolinux_fstab_dev_shm: True
+evolinux_fstab_dev_shm_options: defaults,nodev,nosuid,noexec
 
 # packages
 

evolinux-base/tasks/fstab.yml

@@ -57,4 +57,15 @@
   when:
   - evolinux_fstab_var_tmp
 
+- name: /dev/shm is created (Debian 10 and later)
+  mount:
+    src: tmpfs
+    name: /dev/shm
+    fstype: tmpfs
+    opts: "{{ evolinux_fstab_dev_shm_options | mandatory }}"
+    state: mounted
+  when:
+  - evolinux_fstab_dev_shm
+  - ansible_distribution_major_version | version_compare('10', '>=')
+
 - meta: flush_handlers