Merge pull request #5784 from freedomofpress/5128-remove-snappy

Fixes #5128 removes snappy from the default installation
freedomofpress · Feb 12, 2021 · f4b7805 · f4b7805
2 parents 240a9a9 + 9492b10
commit f4b7805
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/install_files/ansible-base/roles/common/defaults/main.yml b/install_files/ansible-base/roles/common/defaults/main.yml
@@ -49,3 +49,4 @@ unused_packages:
   - libiw30
   - wireless-tools
   - wpasupplicant
+  - snapd
diff --git a/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml b/install_files/ansible-base/roles/common/tasks/remove_unused_packages.yml
@@ -3,6 +3,7 @@
   apt:
     name: "{{ unused_packages }}"
     state: absent
+    purge: yes
   tags:
     - apt
     - hardening

diff --git a/molecule/testinfra/common/test_system_hardening.py b/molecule/testinfra/common/test_system_hardening.py
@@ -148,8 +148,9 @@ def test_no_ecrypt_messages_in_logs(host, logfile):
 @pytest.mark.parametrize('package', [
     'cloud-init',
     'libiw30',
-    'wpasupplicant',
+    'snapd',
     'wireless-tools',
+    'wpasupplicant',
 ])
 def test_unused_packages_are_removed(host, package):
     """ Check if unused package is present """
@@ -165,3 +166,10 @@ def test_iptables_packages(host):
         assert host.package("iptables-persistent").is_installed
     else:
         assert not host.package("iptables-persistent").is_installed
+
+
+def test_snapd_absent(host):
+    assert not host.file("/lib/systemd/system/snapd.service").exists
+    assert not host.file("/etc/apparmor.d/usr.lib.snapd.snap-confine.real").exists
+    assert not host.file("/usr/bin/snap").exists
+    assert not host.file("/var/lib/snapd/snaps").exists
-Original file line number
+Diff line change
@@ Expand Up / @@ -49,3 +49,4 @@ unused_packages: @@
       - libiw30
       - wireless-tools
       - wpasupplicant
+      - snapd