From f60221e2aa4d00a4e8e3d16a615eb46a011d24e6 Mon Sep 17 00:00:00 2001
From: Mathieu Bridon <bochecha@fedoraproject.org>
Date: Thu, 17 Jul 2014 17:15:28 +0200
Subject: [PATCH] Add the confine_ssh task

This is required by the drbackup stuff, which is required to migrate
Dist Git to ansible.
---
 files/scripts/confine-ssh.sh | 16 ++++++++++++++++
 tasks/confine_ssh.yml        |  6 ++++++
 2 files changed, 22 insertions(+)
 create mode 100644 files/scripts/confine-ssh.sh
 create mode 100644 tasks/confine_ssh.yml

diff --git a/files/scripts/confine-ssh.sh b/files/scripts/confine-ssh.sh
new file mode 100644
index 0000000000..07a448fc46
--- /dev/null
+++ b/files/scripts/confine-ssh.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+# Confine ssh commands
+case "$SSH_ORIGINAL_COMMAND" in
+*\&*)
+echo "Rejected"
+;;
+*\;*)
+echo "Rejected"
+;;
+rsync\ --server\ --sender*)
+$SSH_ORIGINAL_COMMAND
+;;
+*)
+echo "Rejected"
+;;
+esac
diff --git a/tasks/confine_ssh.yml b/tasks/confine_ssh.yml
new file mode 100644
index 0000000000..914d5ad1eb
--- /dev/null
+++ b/tasks/confine_ssh.yml
@@ -0,0 +1,6 @@
+---
+- name: install the confine-ssh script
+  copy: >
+    src={{files}}/scripts/confine-ssh.sh
+    dest=/usr/local/bin/confine-ssh.sh
+    mode=0755