Ansible integration and role design¶
Design goals¶
firecfg is not being used to enabling/disabling system wide sandboxes. This is done by the role itself to have more control over the process.
Note that running firecfg without arguments will have a similar affect than when using this role with
firejail__global_profiles_system_wide_sandboxed
set to if_installed but without all the other logic of this role. So firecfg might change settings done by the role. You can rerun the role to ensure that the state defined by Ansible is present on the system.
Alternative roles¶
As of 2016-10-31 ypid was aware of two alternative Ansible roles for Firejail:
- gbraad.firejail, targets Fedora, has a major security issue: Installation can be trivially MITMed leading to the system being comprised. Only deals with installing the Firejail suite itself.
- Firejail role by aaaaaaaaaaaaaaaaaaaaa1, targets system which use APT. Only deals with building and installing Firejail itself.
None of the existing roles where found to be a suitable start for this role so it has been designed and written from scratch.