fix: remove use of sudo to allow running from root shell for repeat runs

mustard 2025-09-18 02:39:42 +02:00
parent abf2dd653d
commit bbd2e01bac
6 changed files with 13 additions and 11 deletions


@ -100,7 +100,7 @@
- 'etc/dconf/db/local.d/privacy'
- name: Update dconf
shell: sudo dconf update
shell: 'dconf update'
- name: Setup ZRAM, flatpak updater and environment variables to disable GJS + WebkitGTK JIT
ansible.builtin.copy:
@ -125,10 +125,10 @@
state: latest
- name: Mark packages as manually installed to avoid removal
shell: 'sudo dnf mark user flatpak gnome-menus qubes-menus -y'
shell: 'dnf mark user flatpak gnome-menus qubes-menus -y'
- name: Enable hardened_malloc COPR
shell: 'sudo dnf copr enable secureblue/hardened_malloc -y'
shell: 'dnf copr enable secureblue/hardened_malloc -y'
- name: Install hardened_malloc
ansible.builtin.dnf5:
@ -153,7 +153,7 @@
when: use_hardened_malloc == true
- name: Enable hardened_malloc for system wide flatpak
shell: 'sudo flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
shell: 'flatpak override --system --filesystem=host-os:ro --env=LD_PRELOAD=/var/run/host/usr/lib64/libhardened_malloc.so'
when: use_hardened_malloc == true
- name: Enable hardened_malloc for user flatpak # has to be run per APP VM
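Review bot: Stripping `sudo` out of the command strings trades one hard-coded assumption (sudo available) for another (the whole play already runs as root), so the same playbook now fails from a non-root shell; the Ansible way to express "this task needs root" is `become: true` on the task, which declares the intent to Ansible instead of baking it into the shell string. The same applies to the `dconf update` task in the first hunk, both `dnf` tasks in the second and the `flatpak override --system` task in the third. None of these commands needs shell features (no pipes, globs or redirects), so `ansible.builtin.command: 'dnf mark user flatpak gnome-menus qubes-menus -y'` plus `become: true` avoids handing the string to /bin/sh at all. As written the `dnf mark` and `dnf copr enable` tasks also report `changed` on every run, which is worth a `changed_when` guard given the commit's goal of repeat runs.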


@ -44,7 +44,7 @@ kernel.unprivileged_userns_clone = 1
# Disable ptrace. Not needed on workstations.
{% if allow_ptrace %}
kernel.yama.ptrace_scope = 2
kernel.yama.ptrace_scope = 1
{% else %}
kernel.yama.ptrace_scope = 3
{% endif %}
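Review bot: The `allow_ptrace` branch moves `kernel.yama.ptrace_scope` from 2 to 1 (reading the second printed line as the added one, since this page has lost its +/- markers), which widens who may attach: scope 1 lets any process ptrace its own descendants, whereas scope 2 limits PTRACE_ATTACH to processes holding CAP_SYS_PTRACE. Nothing in the commit title ("remove use of sudo") explains this relaxation, and the comment `# Disable ptrace. Not needed on workstations.` now only describes the `else` branch. If the change is intentional, document it in the template, e.g. `# allow_ptrace: restricted ptrace (1, descendants only); otherwise disabled (3)`; if it is not, it should be split out of this commit or reverted.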