Create `firejail` profiles

[ProfessorManhattan]

trafficstars

💡 Feature/Idea

We need to come up with a generic approach to applying Firejail profiles to all the software we install. We should come up with a base profile that incorporates the minimum necessary permissions for most apps to run. Then, for instance in the case of apps that need access to the ~/.ssh folder, we can add that permission for that exact app.

We can manage this by defining a new attribute in the software.yml file that is called _firejail. For an app that only needs access to the SSH keys, we would define the permissions as:

ssh-vault:
  _firejail:
    - ssh

Write a script that scans for every executable in the PATH and then add a new entry to the PATH with the same executable name that calls the original with the addition of a Firejail profile.

The main idea behind this is to get enough done so that we can begin testing it as we are developing the system.

The goal is to add a layer of security, not necessarily create the perfect permissions for everything right at the start.

:thumbsup: Can you contribute?

No response

[enggnr]

@ProfessorManhattan, can we use sudo firecfg to enable desktop integratoin? This takes care of running the installed programs with firejail automatically. It is not clear if it supports all the installed programs or just those that it has support for (which they say is over a 1000).

If the above sounds OK, we can examine and tweak settings for specific applications as needed.