jail all the things

roles/browsers/files/chromium.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+FIREJAIL=""
+
+hash firejail 2> /dev/null
+
+if [ $? -eq 0 ]; then
+    FIREJAIL=firejail
+fi
+
+$FIREJAIL /usr/bin/chromium "$@"

roles/browsers/files/firefox.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+FIREJAIL=""
+
+hash firejail 2> /dev/null
+
+if [ $? -eq 0 ]; then
+    FIREJAIL=firejail
+fi
+
+$FIREJAIL /usr/bin/firefox "$@"

roles/browsers/tasks/main.yml

@@ -8,9 +8,19 @@
 - name: Install Firefox
   pacman: name=firefox state=present
 
+- name: Jail Firefox
+  copy: src=firefox.sh dest=/usr/local/bin/firefox mode=0755
+  tags:
+    - firejail
+
 - name: Install Chromium
   pacman: name=chromium state=present
 
+- name: Jail Chromium
+  copy: src=chromium.sh dest=/usr/local/bin/chromium mode=0755
+  tags:
+    - firejail
+
 - name: Download Chromium Pepper Flash
   command: cower -dq chromium-pepper-flash
            chdir=/home/{{ user.name }}/{{ aur.dir }}

roles/chat/files/weechat.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+FIREJAIL=""
+
+hash firejail 2> /dev/null
+
+if [ $? -eq 0 ]; then
+    FIREJAIL=firejail
+fi
+
+$FIREJAIL /usr/bin/weechat "$@"

roles/chat/tasks/weechat.yml

@@ -4,6 +4,12 @@
   tags:
     - weechat
 
+- name: Jail weechat
+  copy: src=weechat.sh dest=/usr/local/bin/weechat mode=0755
+  tags:
+    - weechat
+    - firejail
+
 - name: Install dunst
   pacman: name=dunst state=present
   tags:

roles/rtorrent/files/rtorrent.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+FIREJAIL=""
+
+hash firejail 2> /dev/null
+
+if [ $? -eq 0 ]; then
+    FIREJAIL=firejail
+fi
+
+$FIREJAIL /usr/bin/rtorrent "$@"

roles/rtorrent/tasks/main.yml

@@ -1,3 +1,8 @@
 ---
 - name: Install rtorrent
   pacman: name=rtorrent state=present
+
+- name: Jail rtorrent
+  copy: src=rtorrent.sh dest=/usr/local/bin/rtorrent mode=0755
+  tags:
+    - firejail