Only try to apply grsec_lock once

Currently we specify both `sysctl_set: yes` and `reload: yes` when setting sysctl settings, which ends up with it being applied twice, first with `sysctl -w` (sysctl_set) and then through `sysctl -p` (reload). With noble/Linux 6.6, setting the lock twice errors out, so just enable it once with `sysctl -p`. This is also closer to what the kernel will do normally when booting in which the whole file is loaded at once. Refs #7323.
freedomofpress · Nov 23, 2024 · 6ffc52a · 6ffc52a
1 parent 21ee737
commit 6ffc52a
Showing 1 changed file with 0 additions and 1 deletion.
diff --git a/install_files/ansible-base/roles/grsecurity/tasks/apply_grsec_lock.yml b/install_files/ansible-base/roles/grsecurity/tasks/apply_grsec_lock.yml
@@ -22,7 +22,6 @@
   sysctl:
     name: "{{ item.name }}"
     value: "{{ item.value }}"
-    sysctl_set: yes
     state: present
     reload: yes
   with_items: "{{ grsec_sysctl_flags }}"