Introduction

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.

This Ansible role allows you to set up and configure Firejail.

Features

  • Install Firejail from jessie-backports or other configured APT repositories. debops.apt can be used to enable Backports if needed.
  • Sandbox programs system-wide by placing a symlink to firejail, named after the program, into the PATH. Firejail then wraps each invocation of that program and sandboxes it using the security profiles that Firejail ships or that the system administrator defines.
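
The symlink approach only takes effect when the firejail symlink is the first match for the program name in the PATH. The following check is an added example, not part of this role: wrap_status, make_fixture and the fixture paths are hypothetical names constructed for illustration. It reports whether a program name resolves to firejail first or whether the unsandboxed binary shadows the symlink.

```shell
#!/bin/sh
# Usage: wrap_status PROGRAM FIREJAIL_BINARY [SEARCH_PATH]
# Prints: sandboxed | shadowed | unsandboxed | missing
wrap_status() {
    prog=$1
    fj=$(readlink -f "$2") || return 2
    rest="${3:-$PATH}:"
    first=""       # kind of the first PATH hit: firejail or direct
    later_fj=no    # a firejail symlink exists, but only after the first hit
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        cand="${dir:-.}/$prog"          # empty PATH entry means current dir
        [ -x "$cand" ] && [ ! -d "$cand" ] || continue
        if [ -L "$cand" ] && [ "$(readlink -f "$cand")" = "$fj" ]; then
            kind=firejail
        else
            kind=direct
        fi
        if [ -z "$first" ]; then
            first=$kind
        elif [ "$kind" = firejail ]; then
            later_fj=yes
        fi
    done
    case "$first:$later_fj" in
        firejail:*) echo sandboxed ;;    # symlink wins the PATH lookup
        direct:yes) echo shadowed ;;     # real binary found before the symlink
        direct:no)  echo unsandboxed ;;  # no firejail symlink for this program
        *)          echo missing ;;      # program not found at all
    esac
}

# Constructed fixture: stand-in firejail binary, a program, and its symlink.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/local/bin"
    printf '#!/bin/sh\n' > "$root/usr/bin/firejail"
    printf '#!/bin/sh\n' > "$root/usr/bin/browser"
    chmod +x "$root/usr/bin/firejail" "$root/usr/bin/browser"
    ln -s "$root/usr/bin/firejail" "$root/usr/local/bin/browser"
    echo "$root"
}

demo=$(make_fixture)
wrap_status browser "$demo/usr/bin/firejail" "$demo/usr/local/bin:$demo/usr/bin"
wrap_status browser "$demo/usr/bin/firejail" "$demo/usr/bin:$demo/usr/local/bin"
rm -rf "$demo"
```

On a real host, call wrap_status with the installed firejail path and omit the third argument to check the current PATH.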

Installation

This role requires at least Ansible v2.1.3. To install it, run:

ansible-galaxy install debops-contrib.firejail

Note that this role uses a feature recently introduced in Jinja2, namely the equalto filter, which was released with Jinja 2.8. The role therefore requires Jinja 2.8. If you use Debian Jessie, you can install it from Debian Jessie Backports.