Default variable details

Some of debops-contrib.firejail default variables have more extensive
configuration than simple strings or lists; here you can find documentation
and examples for them.
program_sandboxes

The firejail__program_sandboxes and similar dictionaries allow you to
configure program sandboxes using Firejail profiles (firejail-profile(5)).
The dictionary key is the program name, the value is a dictionary with the
following supported keys:

system_wide_sandboxed
  Optional, string. Should the program be sandboxed with firejail for all
  users of the system by creating a symlink under
  /usr/local/bin/{{ item.key }} with the firejail program binary file path
  as target. The directory path where the symlink is being created/removed
  (/usr/local/bin/) can be changed via firejail__system_local_bin_path.
  This option relies on the feature of firejail to be called via a different
  file path, which causes firejail to act as a wrapper around the real
  program. These options are supported:

  present
    The sandbox should be present system wide.
  if_installed
    The sandbox should be present system wide, but only if the program is
    installed (is found in PATH) on role run. This can be used to not make
    it look like the program is installed (by creating a symlink with the
    name in the PATH) and to avoid the case where a user tries to run the
    program and firejail complains with "Error: cannot find the program in
    the path". If the program is not found, then the system wide sandbox
    will be made absent.
  absent
    The sandbox should be absent system wide.

  Defaults to firejail__global_profiles_system_wide_sandboxed. Refer to
  firejail(1) under "Desktop Integration" or the Firejail 0.9.38 Release
  Announcement under "Symlink invocation".

profile
  Optional, dictionary. Use a provided profile by copying it from the
  Ansible controller into the firejail__config_path directory of the remote
  system using the Ansible copy module. profile is basically just passed to
  the module. Refer to its documentation for details, with the exception
  that the state parameter is handled properly. state defaults to present
  but can be set to absent, which will cause the profile on the remote
  systems to become absent. Refer to "Examples for providing additional
  profiles" for how this can be used.
Examples for sandboxing additional programs

Sandbox the given programs on all hosts even if Firejail does not yet ship
with a profile for them:

  firejail__program_sandboxes:
    jq: {}
    my_cool_program:
      system_wide_sandboxed: 'present'

The symlink for jq will only be created if jq is installed. The symlink for
my_cool_program will be created regardless of whether it has been found in
the PATH.
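To make the resolution of system_wide_sandboxed concrete, here is an added Python example (not code from the DebOps role) that computes, for each entry of firejail__program_sandboxes, whether the wrapper symlink ends up present or absent. The function name, its parameters and the sample dictionary are constructed for this example; the "installed" set stands in for the PATH lookup the role performs.

```python
#!/usr/bin/env python3
"""Resolve the system-wide sandbox state of firejail__program_sandboxes
entries. Added example, not the role's own code."""
import shutil

# Values the role documents for system_wide_sandboxed.
VALID_STATES = ("present", "if_installed", "absent")


def resolve_sandbox_states(program_sandboxes, global_default, installed=None):
    """Return {program: "present" | "absent"} for the symlink that would be
    created under firejail__system_local_bin_path.

    program_sandboxes: the firejail__program_sandboxes dictionary.
    global_default:    value of firejail__global_profiles_system_wide_sandboxed.
    installed:         set of program names found in PATH (constructed for
                       testing); when None, the real PATH is consulted.
    """
    resolved = {}
    for program, options in program_sandboxes.items():
        options = options or {}  # `jq: {}` means "use the defaults"
        state = options.get("system_wide_sandboxed", global_default)
        if state not in VALID_STATES:
            raise ValueError(f"{program}: unsupported system_wide_sandboxed "
                             f"value {state!r}")
        if state == "if_installed":
            # Only create the wrapper when the real program exists, so the
            # symlink never advertises a program that is not there.
            if installed is None:
                found = shutil.which(program) is not None
            else:
                found = program in installed
            state = "present" if found else "absent"
        resolved[program] = state
    return resolved


if __name__ == "__main__":
    # Constructed sample mirroring the examples in this document; assumes
    # the global default is 'if_installed' and only jq and less are in PATH.
    sandboxes = {
        "jq": {},
        "my_cool_program": {"system_wide_sandboxed": "present"},
        "less": {"system_wide_sandboxed": "absent"},
    }
    states = resolve_sandbox_states(sandboxes, "if_installed",
                                    installed={"jq", "less"})
    for prog, state in states.items():
        print(f"{prog}: symlink {state}")
```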
Example to exclude a program from being sandboxed

Depending on the value of firejail__global_profiles_system_wide_sandboxed,
the role might sandbox all programs which are installed and for which
security profiles are defined. Check out the following example in case you
want to exclude programs from being sandboxed system wide:

  firejail__program_sandboxes:
    less:
      # Less can't possibly have an issue with parsing untrusted input (TM).
      # I know what I am doing! Don't sandbox it!
      system_wide_sandboxed: 'absent'
Examples for providing additional profiles

Copy Firejail security profiles from the Ansible controller to all remote
systems:

  firejail__program_sandboxes:
    smplayer:
      profile:
        src: '/home/user/.config/firejail/smplayer.profile'
        ## `content` can be used alternatively to `src` to provide the profile
        ## inlined (supports Jinja templating as usual):
        # content: |
        #   # {{ ansible_managed }}
        #   # smplayer security profile.
        #   noblacklist ${HOME}/.config/smplayer
        #   # And so on.
        ## `state` can be used to make the profile absent:
        # state: 'absent'

This will create /etc/firejail/smplayer.profile on all remote systems.