From f2485a2781587cdcdbfb295f5dd6ea20afc3a779 Mon Sep 17 00:00:00 2001
From: Pig Monkey
Date: Thu, 31 Mar 2016 20:42:23 -0700
Subject: [PATCH] simplify firejail profiles with our own generic profile
---
 roles/calibre/files/firejail/calibre.profile | 13 ++-----------
 roles/firejail/files/generic.profile | 2 ++
 roles/firejail/tasks/main.yml | 5 +++++
 roles/mpd/files/firejail/ncmpcpp.profile | 12 +-----------
 roles/mpv/files/firejail/mpv.profile | 12 +-----------
 roles/office/files/firejail/libreoffice.profile | 17 +++-------------
 roles/pianobar/files/firejail/pianobar.profile | 14 +++----------
 7 files changed, 17 insertions(+), 58 deletions(-)
 create mode 100644 roles/firejail/files/generic.profile
diff --git a/roles/calibre/files/firejail/calibre.profile b/roles/calibre/files/firejail/calibre.profile
index 77d53f7..5fac5c6 100644
--- a/roles/calibre/files/firejail/calibre.profile
+++ b/roles/calibre/files/firejail/calibre.profile
@@ -1,14 +1,5 @@
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
+include /usr/local/etc/firejail/generic.profile
 
-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-
-private-tmp
 private-dev
 private-etc passwd,group,hostname,hosts,nsswitch.conf,resolv.conf,gtk-2.0,gtk-3.0,fonts,mime.types
+private-tmp
diff --git a/roles/firejail/files/generic.profile b/roles/firejail/files/generic.profile
new file mode 100644
index 0000000..8af36c8
--- /dev/null
+++ b/roles/firejail/files/generic.profile
@@ -0,0 +1,2 @@
+include /etc/firejail/generic.profile
+include /etc/firejail/disable-devel.inc
diff --git a/roles/firejail/tasks/main.yml b/roles/firejail/tasks/main.yml
index fc3fd2f..f12de21 100644
--- a/roles/firejail/tasks/main.yml
+++ b/roles/firejail/tasks/main.yml
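Review bot: The calibre profile now gets caps.drop all, seccomp, protocol, netfilter and noroot, plus the disable-mgmt.inc, disable-secret.inc and disable-common.inc includes, only if the distro's /etc/firejail/generic.profile happens to set them, and nothing in this patch verifies that; the same dependency applies to the ncmpcpp, mpv, libreoffice and pianobar hunks, which additionally drop an explicit `nogroups`. If the packaged generic.profile omits any of these directives, or a firejail upgrade changes it, every local sandbox silently loosens with no diff visible in this repository. Consider keeping in roles/firejail/files/generic.profile any directive not confirmed to be in the distro file, e.g. `nogroups`, rather than relying on the include alone.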
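Review bot: generic.profile becomes the single file that decides the baseline for every local sandbox, yet it does not say what it expects the distro include to provide or why disable-devel.inc is layered on top. A short header would let the next reader check that assumption against the installed firejail version, e.g. `# Baseline for all local profiles: expects the distro generic.profile to supply the hardening directives the per-app profiles used to list` and `# disable-devel.inc is added locally; re-check this file after firejail upgrades`.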
@@ -9,3 +9,8 @@
 
 - name: Create firejail profile directory
   file: path=/usr/local/etc/firejail state=directory
+
+- name: Push generic firejail profile
+  copy: src=generic.profile dest=/usr/local/etc/firejail/generic.profile
+  tags:
+    - firejail
diff --git a/roles/mpd/files/firejail/ncmpcpp.profile b/roles/mpd/files/firejail/ncmpcpp.profile
index 371b1f5..649960a 100644
--- a/roles/mpd/files/firejail/ncmpcpp.profile
+++ b/roles/mpd/files/firejail/ncmpcpp.profile
@@ -1,14 +1,4 @@
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-
-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-nogroups
+include /usr/local/etc/firejail/generic.profile
 
 whitelist ~/.ncmpcpp
 whitelist ~/audio
diff --git a/roles/mpv/files/firejail/mpv.profile b/roles/mpv/files/firejail/mpv.profile
index 3f8d844..e43dddf 100644
--- a/roles/mpv/files/firejail/mpv.profile
+++ b/roles/mpv/files/firejail/mpv.profile
@@ -1,11 +1 @@
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-
-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-nogroups
+include /usr/local/etc/firejail/generic.profile
diff --git a/roles/office/files/firejail/libreoffice.profile b/roles/office/files/firejail/libreoffice.profile
index 098b47e..42118da 100644
--- a/roles/office/files/firejail/libreoffice.profile
+++ b/roles/office/files/firejail/libreoffice.profile
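Review bot: The new copy task deploys the file that every local profile includes as sandbox policy but sets no owner, group or mode, so the resulting permissions depend on the remote user's umask and on whoever runs the play; a profile writable by an unprivileged account lets that account weaken every sandbox built on it. Pin it with `copy: src=generic.profile dest=/usr/local/etc/firejail/generic.profile owner=root group=root mode=0644`. The `file:` task for the directory just above has the same gap, though that line is only context in this hunk.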
@@ -1,17 +1,6 @@
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-
-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-nogroups
-
-private-dev
-private-etc libreoffice,fonts,passwd
+include /usr/local/etc/firejail/generic.profile
 
 net none
+private-dev
+private-etc libreoffice,fonts,passwd
 shell none
diff --git a/roles/pianobar/files/firejail/pianobar.profile b/roles/pianobar/files/firejail/pianobar.profile
index 77232c2..bf0c96f 100644
--- a/roles/pianobar/files/firejail/pianobar.profile
+++ b/roles/pianobar/files/firejail/pianobar.profile
@@ -1,14 +1,6 @@
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
+include /usr/local/etc/firejail/generic.profile
 
-caps.drop all
-seccomp
-protocol unix,inet,inet6
-netfilter
-noroot
-nogroups
-shell none
 private-etc group,hosts,nsswitch.conf,resolv.conf,asound.conf,pulse,ssl,ca-certificates
+private-tmp
+shell none
 whitelist ~/.config/pianobar
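Review bot: `private-tmp` is newly introduced in the pianobar hunk rather than carried over from the old pianobar.profile, so this profile changes behaviour beyond the simplification the subject line describes, while `shell none` is only moved. A one-line comment above it, e.g. `# private-tmp: added with the generic-profile switch, not part of the original profile`, or a sentence in the commit message would make the intentional tightening visible to anyone later bisecting a pianobar breakage.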