From f032517a94089aff97bfb85b529497e413a902f3 Mon Sep 17 00:00:00 2001
From: Raphael Dannecker
Date: Wed, 10 Dec 2025 15:40:21 +0100
Subject: [PATCH] Restrict outbound traffic in exam-mode

---
 roles/lmn_exam/defaults/main.yml | 1 +
 roles/lmn_exam/tasks/main.yml | 19 +++++++++++++++++++
 roles/lmn_exam/templates/no-way-out.xml.j2 | 10 ++++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 roles/lmn_exam/templates/no-way-out.xml.j2

diff --git a/roles/lmn_exam/defaults/main.yml b/roles/lmn_exam/defaults/main.yml
index da8c198..fc97945 100644
--- a/roles/lmn_exam/defaults/main.yml
+++ b/roles/lmn_exam/defaults/main.yml
@@ -1,2 +1,3 @@
 ---
 exam_mode: true
+exam_teacherpc_last_digit: 80
diff --git a/roles/lmn_exam/tasks/main.yml b/roles/lmn_exam/tasks/main.yml
index 0e3bc4e..aba8b29 100644
--- a/roles/lmn_exam/tasks/main.yml
+++ b/roles/lmn_exam/tasks/main.yml
@@ -50,6 +50,25 @@
     - pam-exec.sh
     - rmexam
 
+- name: Append teacherPC to exam_destination_allowed_ipv4 addresses
+  ansible.builtin.set_fact:
+    exam_destination_allowed_ipv4: "{{ exam_destination_allowed_ipv4 + [ ansible_default_ipv4.address[:-1] ~ exam_teacherpc_last_digit ] }}"
+  when:
+    - exam_destination_allowed_ipv4 is defined
+    - exam_destination_allowed_ipv4 | length > 0
+
+- name: Install no-way-out-policy
+  ansible.builtin.template:
+    src: no-way-out.xml.j2
+    dest: "/etc/firewalld/policies/no-way-out-{{ item }}.xml"
+    mode: '0644'
+  loop:
+    - HOST
+    - libvirt
+  when:
+    - exam_destination_allowed_ipv4 is defined
+    - exam_destination_allowed_ipv4 | length > 0
+
 - name: Enable login script via pam_exec.so
   ansible.builtin.lineinfile:
     dest: /etc/pam.d/common-session
diff --git a/roles/lmn_exam/templates/no-way-out.xml.j2 b/roles/lmn_exam/templates/no-way-out.xml.j2
new file mode 100644
index 0000000..7cf782f
--- /dev/null
+++ b/roles/lmn_exam/templates/no-way-out.xml.j2
@@ -0,0 +1,10 @@
+
+{% for address in exam_destination_allowed_ipv4 %}
+
+
+
+
+{% endfor %}
+
+
+
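Review bot: The teacher-PC address built in the set_fact task, `ansible_default_ipv4.address[:-1] ~ exam_teacherpc_last_digit`, strips exactly one character from the host's own address, so it is only correct when the host's last octet is a single digit — with a host at 10.0.0.15 it yields 10.0.0.180, and with 10.0.0.100 the invalid 10.0.0.1080 (constructed examples). Because this value is appended to the firewall allowlist, the error either cuts the exam client off from the teacher PC or opens egress to an unintended host; replacing the last octet explicitly avoids both, e.g. `exam_destination_allowed_ipv4: "{{ exam_destination_allowed_ipv4 + [ (ansible_default_ipv4.address.split('.')[:3] + [exam_teacherpc_last_digit | string]) | join('.') ] }}"`, and the default in the first hunk should be renamed to something like `exam_teacherpc_last_octet`, since 80 is not a digit. Both new tasks also skip silently when `exam_destination_allowed_ipv4` is undefined or empty, which leaves exam mode with no egress policy installed at all; if that is not the intended default, an `ansible.builtin.assert` on the allowlist before these tasks would make the missing configuration visible instead of fail-open. Whether firewalld is reloaded after the policy files are written is not visible in this hunk.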
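Review bot: The policy's XML elements were lost in extraction, so the rule set itself cannot be reviewed here; only the loop over `exam_destination_allowed_ipv4` survives, and it covers IPv4 destinations exclusively. Nothing in this commit renders a corresponding IPv6 policy, so if the exam clients have IPv6 connectivity the egress restriction would presumably not apply to it — worth confirming against the deployment. A header comment stating the intended scope would help the next reader, e.g. `{# Exam-mode egress allowlist: IPv4 destinations only; rendered once per zone (HOST, libvirt) by roles/lmn_exam/tasks/main.yml #}`.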