authorkwadronaut <kwadronaut@autistici.org>2022-07-05 11:41:18 +0200
committerkwadronaut <kwadronaut@autistici.org>2022-07-05 11:41:18 +0200
commit9e6165f16e14898a28eadb1679b0c41ddb1f9f45 (patch)
tree163276de873252fa0a4527fcc8be1bef2781ceb0
parenta13d6e7f190078c330b8aeaf574af5de5c25cad7 (diff)
Dont deactivate non-existing kernel module
kernel.unprivileged_userns_clone doesn't exist on some cloud providers' kernels or on non-Debian kernels. I'm not entirely sure whether this is the best way to add it; testing whether /proc/sys/kernel/unprivileged_userns_clone exists could be another way.
-rw-r--r--float/roles/float-base/templates/sysctl.conf.j22
1 files changed, 2 insertions, 0 deletions
diff --git a/float/roles/float-base/templates/sysctl.conf.j2 b/float/roles/float-base/templates/sysctl.conf.j2
index 2a443ea..c28c31e 100644
--- a/float/roles/float-base/templates/sysctl.conf.j2
+++ b/float/roles/float-base/templates/sysctl.conf.j2
@@ -116,10 +116,12 @@ net.core.bpf_jit_harden=2
kernel.unprivileged_bpf_disabled=1
{% endif %}
+{% if not disable_restricted_sysctl %}
# Disable unprivileged user namespaces
# https://lwn.net/Articles/673597
# (linux-hardened default)
kernel.unprivileged_userns_clone=0
+{% endif %}
# Enable yama ptrace restrictions
# https://www.kernel.org/doc/Documentation/security/Yama.txt