From f5e6e6b373cdee6bcc2e02ab6394fe000c8359ee Mon Sep 17 00:00:00 2001
From: Pig Monkey
Date: Thu, 31 Mar 2016 20:28:07 -0700
Subject: [PATCH] jail ncmpcpp

---
 roles/mpd/files/firejail/ncmpcpp.profile | 14 ++++++++++++++
 roles/mpd/tasks/main.yml | 12 ++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 roles/mpd/files/firejail/ncmpcpp.profile

diff --git a/roles/mpd/files/firejail/ncmpcpp.profile b/roles/mpd/files/firejail/ncmpcpp.profile
new file mode 100644
index 0000000..371b1f5
--- /dev/null
+++ b/roles/mpd/files/firejail/ncmpcpp.profile
@@ -0,0 +1,14 @@
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+noroot
+nogroups
+
+whitelist ~/.ncmpcpp
+whitelist ~/audio
diff --git a/roles/mpd/tasks/main.yml b/roles/mpd/tasks/main.yml
index 0994b86..88a9bc6 100644
--- a/roles/mpd/tasks/main.yml
+++ b/roles/mpd/tasks/main.yml
@@ -31,3 +31,15 @@
 
 - name: Install ncmpcpp
   pacman: name=ncmpcpp state=present
+
+- name: Jail ncmpcpp
+  file: src=/usr/bin/firejail
+        dest=/usr/local/bin/ncmpcpp
+        state=link
+  tags:
+    - firejail
+
+- name: Push ncmpcpp firejail profile
+  copy: src=firejail/ncmpcpp.profile dest=/usr/local/etc/firejail/ncmpcpp.profile
+  tags:
+    - firejail
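Review bot: The new profile carries no header comment, so a reader cannot tell why `whitelist ~/audio` exposes the music library to what is only an mpd client, and the two `whitelist` lines make the rest of the home directory invisible, which presumably breaks ncmpcpp for a user who keeps the configuration in `~/.config/ncmpcpp` rather than `~/.ncmpcpp`. A short comment at the top of the file should state which paths ncmpcpp actually reads and that the whitelist is exhaustive, for example `# ncmpcpp (mpd client): config dir plus the music library, presumably for the tag editor; everything else in $HOME is hidden by the whitelist`. The same comment should record which mpd transport the role configures, because `protocol unix,inet,inet6` allows both a local socket and TCP and cannot be narrowed to one without that information.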
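Review bot: The `Jail ncmpcpp` task only takes effect if `/usr/local/bin` precedes `/usr/bin` in every user's PATH, and nothing in the hunk asserts that; if the order is the other way round the symlink is never reached and ncmpcpp runs unjailed with no error. The `Push ncmpcpp firejail profile` task places the profile under `/usr/local/etc/firejail`, while the profile's own `include` lines point at `/etc/firejail`, so the hunk should document (or a task should verify) that this firejail build actually searches `/usr/local/etc/firejail` for `ncmpcpp.profile`; if it does not, the wrapper presumably starts with firejail's default profile rather than this one. A comment on the first task such as `# Requires /usr/local/bin before /usr/bin in PATH; firejail must resolve ncmpcpp.profile from /usr/local/etc/firejail` would make both assumptions visible. The earlier tasks of this file are outside the hunk.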