simplify firejail profiles with our own generic profile

2026-01-23 02:24:09 +00:00 · 2016-03-31 20:42:23 -07:00 · 2016-03-31 20:42:23 -07:00 · f2485a2781
commit f2485a2781
parent f5e6e6b373
7 changed files with 17 additions and 58 deletions
--- a/roles/calibre/files/firejail/calibre.profile
+++ b/roles/calibre/files/firejail/calibre.profile
@ -1,14 +1,5 @@
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
+include /usr/local/etc/firejail/generic.profile

-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-
-private-tmp
 private-dev
 private-etc passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types
+private-tmp
--- a/roles/firejail/files/generic.profile
+++ b/roles/firejail/files/generic.profile
@ -0,0 +1,2 @@
+include /etc/firejail/generic.profile
+include /etc/firejail/disable-devel.inc
--- a/roles/firejail/tasks/main.yml
+++ b/roles/firejail/tasks/main.yml
@ -9,3 +9,8 @@

 - name: Create firejail profile directory
  file: path=/usr/local/etc/firejail state=directory
+
+- name: Push generic firejail profile
+  copy: src=generic.profile dest=/usr/local/etc/firejail/generic.profile
+  tags:
+    - firejail
--- a/roles/mpd/files/firejail/ncmpcpp.profile
+++ b/roles/mpd/files/firejail/ncmpcpp.profile
@ -1,14 +1,4 @@
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-
-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-nogroups
+include /usr/local/etc/firejail/generic.profile

 whitelist ~/.ncmpcpp
 whitelist ~/audio
--- a/roles/mpv/files/firejail/mpv.profile
+++ b/roles/mpv/files/firejail/mpv.profile
@ -1,11 +1 @@
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-
-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-nogroups
+include /usr/local/etc/firejail/generic.profile
--- a/roles/office/files/firejail/libreoffice.profile
+++ b/roles/office/files/firejail/libreoffice.profile
@ -1,17 +1,6 @@
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-
-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-nogroups
-
-private-dev
-private-etc libreoffice,fonts,passwd
+include /usr/local/etc/firejail/generic.profile

 net none
+private-dev
+private-etc libreoffice,fonts,passwd
 shell none
--- a/roles/pianobar/files/firejail/pianobar.profile
+++ b/roles/pianobar/files/firejail/pianobar.profile
@ -1,14 +1,6 @@
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
+include /usr/local/etc/firejail/generic.profile

-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-nogroups
-shell none
 private-etc group,hosts,nsswitch.conf,resolv.conf,asound.conf,pulse,ssl,ca-certificates
+private-tmp
+shell none
 whitelist ~/.config/pianobar