Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.
This Ansible role allows you to setup and configure Firejail.
- Install Firejail from jessie-backports or other configured APT repositories. debops.apt can be used to enable Backports if needed.
- Sandbox programs system wide by placing a symlink to firejail into the
PATHso that firejail can wrap program invocations and sandbox the invoked program using security profiles that Firejail ships or that the system administrator defines.
This role requires at least Ansible
v2.1.3. To install it, run:
ansible-galaxy install debops-contrib.firejail
Note that this role uses features recently introduced in Jinja2, namely the equalto filter which was released with Jinja 2.8 and thus requires Jinja 2.8. If you use Debian Jessie, you can install it from Debian Jessie Backports.