jail ncmpcpp

roles/mpd/files/firejail/ncmpcpp.profile

@@ -0,0 +1,14 @@
+include /etc/firejail/disable-mgmt.inc
+include /etc/firejail/disable-secret.inc
+include /etc/firejail/disable-common.inc
+include /etc/firejail/disable-devel.inc
+
+caps.drop all
+seccomp
+protocol unix,inet,inet6
+netfilter
+noroot
+nogroups
+
+whitelist ~/.ncmpcpp
+whitelist ~/audio

roles/mpd/tasks/main.yml

@@ -31,3 +31,15 @@
 
 - name: Install ncmpcpp
   pacman: name=ncmpcpp state=present
+
+- name: Jail ncmpcpp
+  file: src=/usr/bin/firejail
+        dest=/usr/local/bin/ncmpcpp
+        state=link
+  tags:
+    - firejail
+
+- name: Push ncmpcpp firejail profile
+  copy: src=firejail/ncmpcpp.profile dest=/usr/local/etc/firejail/ncmpcpp.profile
+  tags:
+    - firejail