From 4024fce08cecf9dcadd74f59fc2aa4f179087090 Mon Sep 17 00:00:00 2001 From: Pig Monkey Date: Sat, 29 Jul 2017 16:30:00 -0700 Subject: [PATCH] take advantage of local profiles in /etc/firejail Existing users will want to clean up their /usr/local/etc/firejail and ~/.config/firejail directories. --- .../browsers/files/firejail/chromium.profile | 5 ---- roles/browsers/files/firejail/firefox.profile | 5 ---- roles/browsers/tasks/main.yml | 30 ++++++++++++++----- roles/mail/files/firejail/mutt.profile | 9 ------ roles/mail/tasks/main.yml | 20 ++++++++++--- .../office/files/firejail/libreoffice.profile | 4 --- roles/office/tasks/main.yml | 22 +++++++++++--- 7 files changed, 56 insertions(+), 39 deletions(-) delete mode 100644 roles/browsers/files/firejail/chromium.profile delete mode 100644 roles/browsers/files/firejail/firefox.profile delete mode 100644 roles/mail/files/firejail/mutt.profile delete mode 100644 roles/office/files/firejail/libreoffice.profile diff --git a/roles/browsers/files/firejail/chromium.profile b/roles/browsers/files/firejail/chromium.profile deleted file mode 100644 index b6f05eb..0000000 --- a/roles/browsers/files/firejail/chromium.profile +++ /dev/null @@ -1,5 +0,0 @@ -include /etc/firejail/chromium.profile - -# Note that localtime should be added to private-etc if you wish Chromium to be -# able to determine you timezone. -private-etc firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime diff --git a/roles/browsers/files/firejail/firefox.profile b/roles/browsers/files/firejail/firefox.profile deleted file mode 100644 index d9a0b21..0000000 --- a/roles/browsers/files/firejail/firefox.profile +++ /dev/null 
@@ -1,5 +0,0 @@ -include /etc/firejail/firefox.profile - -# Note that localtime should be added to private-etc if you wish Firefox to be -# able to determine you timezone. -private-etc firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime diff --git a/roles/browsers/tasks/main.yml b/roles/browsers/tasks/main.yml index 8ecb441..4209f95 100644 --- a/roles/browsers/tasks/main.yml +++ b/roles/browsers/tasks/main.yml @@ -15,10 +15,17 @@ - firefox - firejail -- name: Push Firefox firejail profile - copy: src=firejail/firefox.profile dest=/usr/local/etc/firejail/firefox.profile - notify: - - activate firejail profiles +- name: Verify Firefox firejail local profile exists + file: path=/etc/firejail/firefox.local state=touch + tags: + - firefox + - firejail + +- name: Restrict Firefox access to /etc + lineinfile: + dest: /etc/firejail/firefox.local + regexp: "^private-etc" + line: "private-etc firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime" tags: - firefox - firejail @@ -36,10 +43,17 @@ - chromium - firejail -- name: Push Chromium firejail profile - copy: src=firejail/chromium.profile dest=/usr/local/etc/firejail/chromium.profile - notify: - - activate firejail profiles +- name: Verify Chromium firejail local profile exists + file: path=/etc/firejail/chromium.local state=touch + tags: + - chromium + - firejail + +- name: Restrict Chromium access to /etc + lineinfile: + dest: /etc/firejail/chromium.local + regexp: "^private-etc" + line: "private-etc firejail,passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types,asound.conf,pulse,localtime" tags: - chromium - firejail diff --git a/roles/mail/files/firejail/mutt.profile b/roles/mail/files/firejail/mutt.profile deleted file mode 100644 index 086f6e3..0000000 --- a/roles/mail/files/firejail/mutt.profile +++ /dev/null 
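Review bot: The new "Verify Firefox firejail local profile exists" task uses `file: state=touch`, which bumps the mtime on every run (the play reports "changed" each time) and sets no owner or mode on a file that now defines the sandbox's `/etc` view; the chromium hunk below repeats the pattern. `copy: content="" dest=/etc/firejail/firefox.local force=no owner=root group=root mode=0644` creates it once, idempotently, and pins root ownership so an unprivileged local user cannot loosen the `private-etc` list. The same `private-etc` string is duplicated verbatim for Firefox and Chromium; a role variable (e.g. `firejail_browser_private_etc`) would keep the two from drifting. Note that a `private-etc` in a `.local` only takes effect if the stock `/etc/firejail/firefox.profile` includes `firefox.local` before any `private-etc` of its own — it appears to, but nothing here checks that, so a short comment stating the assumption on the lineinfile task is worthwhile. The old tasks notified `activate firejail profiles` and the new ones do not; that looks intentional since `.local` is read at launch, but the handler may still be needed for symlink setup if nothing else triggers it.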
@@ -1,9 +0,0 @@ -noblacklist ~/.config/vdirsyncer -noblacklist ~/.vdirsyncer -noblacklist ~/.calendars -noblacklist ~/.contacts -noblacklist ~/.mbsyncrc -noblacklist ~/.offlineimap -noblacklist ~/.offlineimaprc - -include /etc/firejail/mutt.profile diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml index cf1662d..f771894 100644 --- a/roles/mail/tasks/main.yml +++ b/roles/mail/tasks/main.yml @@ -4,10 +4,22 @@ tags: - aur -- name: Push mutt firejail profile - copy: src=firejail/mutt.profile dest=/usr/local/etc/firejail/mutt.profile - notify: - - activate firejail profiles +- name: Verify mutt firejail local profile exists + file: path=/etc/firejail/mutt.local state=touch + tags: + - firejail + +- name: Whitelist mutt related files + blockinfile: + dest: /etc/firejail/mutt.local + block: | + noblacklist ~/.config/vdirsyncer + noblacklist ~/.vdirsyncer + noblacklist ~/.calendars + noblacklist ~/.contacts + noblacklist ~/.mbsyncrc + noblacklist ~/.offlineimap + noblacklist ~/.offlineimaprc tags: - firejail diff --git a/roles/office/files/firejail/libreoffice.profile b/roles/office/files/firejail/libreoffice.profile deleted file mode 100644 index 42de32a..0000000 --- a/roles/office/files/firejail/libreoffice.profile +++ /dev/null @@ -1,4 +0,0 @@ -include /etc/firejail/libreoffice.profile - -net none -private-etc firejail,libreoffice,fonts,passwd diff --git a/roles/office/tasks/main.yml b/roles/office/tasks/main.yml index f79e7b5..7b51b44 100644 --- a/roles/office/tasks/main.yml +++ b/roles/office/tasks/main.yml 
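Review bot: The `noblacklist` block in "Whitelist mutt related files" only works if the stock `/etc/firejail/mutt.profile` pulls in `mutt.local` before its `include /etc/firejail/disable-common.inc` lines, because firejail applies directives in order; the upstream profile appears to do that, but the task does not verify it, so a comment in the block such as `# must precede the disable-*.inc includes; the stock mutt.profile reads mutt.local first` records the dependency. Two of the exposed files, `~/.mbsyncrc` and `~/.offlineimaprc`, commonly hold IMAP credentials, and exposing them inside the sandbox is a deliberate trade-off that deserves a line like `# rc files may hold IMAP passwords; exposed on purpose so mail sync works from the sandbox`. The task name is also a misnomer in firejail terms: `noblacklist` lifts a blacklist entry without enabling whitelist mode, so `name: Un-blacklist mutt related files in the sandbox` describes what the block actually does. The default blockinfile markers start with `#`, which firejail treats as comments, so they are harmless here.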
@@ -9,10 +9,24 @@ tags: - firejail -- name: Push LibreOffice firejail profile - copy: src=firejail/libreoffice.profile dest=/usr/local/etc/firejail/libreoffice.profile - notify: - - activate firejail profiles +- name: Verify LibreOffice firejail local profile exists + file: path=/etc/firejail/libreoffice.local state=touch + tags: + - firejail + +- name: Restrict LibreOffice network access + lineinfile: + dest: /etc/firejail/libreoffice.local + regexp: "^net" + line: "net none" + tags: + - firejail + +- name: Restrict LibreOffice access to /etc + lineinfile: + dest: /etc/firejail/libreoffice.local + regexp: "^private-etc" + line: "private-etc firejail,libreoffice,fonts,passwd" tags: - firejail
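Review bot: `regexp: "^net"` in "Restrict LibreOffice network access" also matches a `netfilter` line, so if one is ever added to libreoffice.local this task silently replaces it with `net none`; anchoring on the full directive, `regexp: "^net\\s"` (or `"^net none"`), keeps the match scoped. The "Verify LibreOffice firejail local profile exists" task has the same `file: state=touch` issue as the other roles — the mtime changes every run and no owner/mode is set — and `copy: content="" dest=/etc/firejail/libreoffice.local force=no owner=root group=root mode=0644` is the idempotent, permission-pinning equivalent. The `private-etc` list here is much shorter than the browsers' (no `hosts`, `resolv.conf`, `localtime`, `gtk-*`), which is consistent with `net none` if intentional; a comment such as `# offline sandbox: name-resolution and timezone files deliberately omitted` would stop a later maintainer from "fixing" it. The effect of a `.local` `private-etc` also depends on the stock libreoffice.profile including the `.local` before its own directives, which is presumably the case but is not checked.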