Merge remote-tracking branch 'spwhitton/firejail'

1 files changed, 31 insertions, 0 deletions

diff --git a/src/Propellor/Property/Firejail.hs b/src/Propellor/Property/Firejail.hs
new file mode 100644
index 00000000..b7841e07
--- /dev/null
+++ b/src/Propellor/Property/Firejail.hs
@@ -0,0 +1,31 @@
+-- | Maintainer: Sean Whitton <spwhitton@spwhitton.name>
+
+module Propellor.Property.Firejail (
+	installed,
+	jailed,
+) where
+
+import Propellor.Base
+import qualified Propellor.Property.Apt as Apt
+import qualified Propellor.Property.File as File
+
+-- | Ensures that Firejail is installed
+installed :: Property DebianLike
+installed = Apt.installed ["firejail"]
+
+-- | For each program name passed, create symlinks in /usr/local/bin that
+-- will launch that program in a Firejail sandbox.
+--
+-- The profile for the sandbox will be the same as if the user had run
+-- @firejail@ directly without passing @--profile@ (see "SECURITY PROFILES" in
+-- firejail(1)).
+--
+-- See "DESKTOP INTEGRATION" in firejail(1).
+jailed :: [String] -> Property DebianLike
+jailed ps = (jailed' `applyToList` ps)
+	`requires` installed
+	`describe` unwords ("firejail jailed":ps)
+
+jailed' :: String -> Property UnixLike
+jailed' p = ("/usr/local/bin" </> p)
+	`File.isSymlinkedTo` File.LinkTarget "/usr/bin/firejail"