jail zathura

For shady PDFs, firewarden is still the better solution, but jailing
zathura with the generic profile isn't going to hurt anything when
viewing trusted docs.

roles/office/files/zathura.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+FIREJAIL=""
+
+hash firejail 2> /dev/null
+
+if [ $? -eq 0 ]; then
+    FIREJAIL=firejail
+fi
+
+$FIREJAIL /usr/bin/zathura "$@"

roles/office/meta/main.yml

@@ -1,4 +1,3 @@
 ---
 dependencies:
-  - { role: base }
-  - { role: x }
+  - { role: firejail }

roles/office/tasks/main.yml

@@ -8,6 +8,11 @@
     - zathura-pdf-mupdf
     - zathura-ps
 
+- name: Jail Zathura
+  copy: src=zathura.sh dest=/usr/local/bin/zathura mode=0755
+  tags:
+    - firejail
+
 - name: Install enscript
   pacman: name=enscript state=present