take advantage of local profiles in /etc/firejail

Existing users will want to clean up their /usr/local/etc/firejail and ~/.config/firejail directories.
2026-01-23 02:24:09 +00:00 · 2017-07-29 16:30:00 -07:00 · 2017-07-29 16:30:00 -07:00 · 4024fce08c
commit 4024fce08c
parent 8d499dc7f7
7 changed files with 56 additions and 39 deletions
--- a/roles/browsers/files/firejail/chromium.profile
+++ b/roles/browsers/files/firejail/chromium.profile
@ -1,5 +0,0 @@
-include /etc/firejail/chromium.profile
-
-# Note that localtime should be added to private-etc if you wish Chromium to be
-# able to determine you timezone.
-private-etc firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime
--- a/roles/browsers/files/firejail/firefox.profile
+++ b/roles/browsers/files/firejail/firefox.profile
@ -1,5 +0,0 @@
-include /etc/firejail/firefox.profile
-
-# Note that localtime should be added to private-etc if you wish Firefox to be
-# able to determine you timezone.
-private-etc firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime
--- a/roles/browsers/tasks/main.yml
+++ b/roles/browsers/tasks/main.yml
@ -15,10 +15,17 @@
    - firefox
    - firejail

- name: Push Firefox firejail profile
-  copy: src=firejail/firefox.profile dest=/usr/local/etc/firejail/firefox.profile
-  notify:
-    - activate firejail profiles
+- name: Verify Firefox firejail local profile exists
+  file: path=/etc/firejail/firefox.local state=touch
+  tags:
+    - firefox
+    - firejail
+
+- name: Restrict Firefox access to /etc
+  lineinfile:
+    dest: /etc/firejail/firefox.local
+    regexp: "^private-etc"
+    line: "private-etc firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime"
  tags:
    - firefox
    - firejail
@ -36,10 +43,17 @@
    - chromium
    - firejail

- name: Push Chromium firejail profile
-  copy: src=firejail/chromium.profile dest=/usr/local/etc/firejail/chromium.profile
-  notify:
-    - activate firejail profiles
+- name: Verify Chromium firejail local profile exists
+  file: path=/etc/firejail/chromium.local state=touch
+  tags:
+    - chromium
+    - firejail
+
+- name: Restrict Chromium access to /etc
+  lineinfile:
+    dest: /etc/firejail/chromium.local
+    regexp: "^private-etc"
+    line: "private-etc firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime"
  tags:
    - chromium
    - firejail
--- a/roles/mail/files/firejail/mutt.profile
+++ b/roles/mail/files/firejail/mutt.profile
@ -1,9 +0,0 @@
-noblacklist ~/.config/vdirsyncer
-noblacklist ~/.vdirsyncer
-noblacklist ~/.calendars
-noblacklist ~/.contacts
-noblacklist ~/.mbsyncrc
-noblacklist ~/.offlineimap
-noblacklist ~/.offlineimaprc
-
-include /etc/firejail/mutt.profile
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@ -4,10 +4,22 @@
  tags:
    - aur

- name: Push mutt firejail profile
-  copy: src=firejail/mutt.profile dest=/usr/local/etc/firejail/mutt.profile
-  notify:
-    - activate firejail profiles
+- name: Verify mutt firejail local profile exists
+  file: path=/etc/firejail/mutt.local state=touch
+  tags:
+    - firejail
+
+- name: Whitelist mutt related files
+  blockinfile:
+    dest: /etc/firejail/mutt.local
+    block: |
+        noblacklist ~/.config/vdirsyncer
+        noblacklist ~/.vdirsyncer
+        noblacklist ~/.calendars
+        noblacklist ~/.contacts
+        noblacklist ~/.mbsyncrc
+        noblacklist ~/.offlineimap
+        noblacklist ~/.offlineimaprc
  tags:
    - firejail

--- a/roles/office/files/firejail/libreoffice.profile
+++ b/roles/office/files/firejail/libreoffice.profile
@ -1,4 +0,0 @@
-include /etc/firejail/libreoffice.profile
-
-net none
-private-etc firejail,libreoffice,fonts,passwd
--- a/roles/office/tasks/main.yml
+++ b/roles/office/tasks/main.yml
@ -9,10 +9,24 @@
  tags:
    - firejail

- name: Push LibreOffice firejail profile
-  copy: src=firejail/libreoffice.profile dest=/usr/local/etc/firejail/libreoffice.profile
-  notify:
-    - activate firejail profiles
+- name: Verify LibreOffice firejail local profile exists
+  file: path=/etc/firejail/libreoffice.local state=touch
+  tags:
+    - firejail
+
+- name: Restrict LibreOffice network access
+  lineinfile:
+    dest: /etc/firejail/libreoffice.local
+    regexp: "^net"
+    line: "net none"
+  tags:
+    - firejail
+
+- name: Restrict LibreOffice access to /etc
+  lineinfile:
+    dest: /etc/firejail/libreoffice.local
+    regexp: "^private-etc"
+    line: "private-etc firejail,libreoffice,fonts,passwd"
  tags:
    - firejail