@sascha-sl Tried that configuration, but I see no signs of the ffmpeg wrapper actually being used by Mastodon, specifically by paperclip (is ffmpeg being called from anywhere else?).
Paperclip also doesn't seem to have any configuration options to provide paths for individual binaries. From quickly browsing docs, the only way I see is to provide a directory with wrappers for all the programs that paperclip expects to find, and then point to that using the command_path configuration option.
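The wrapper-directory approach described in the comment above, sketched as an added example (not code from this thread, Mastodon, or Paperclip). The directory paths, the tool names other than ffmpeg, and the `FIREJAIL` override variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build a directory that Paperclip's command_path can point at.
# Tools listed as "sandboxed" get a small script that re-executes the real
# binary under firejail; every other tool is a plain symlink, so Paperclip
# still finds all of its programs in that one directory.
#
# Usage: make_wrapper_dir DEST REAL_BIN_DIR "SANDBOXED TOOLS" "PASSTHROUGH TOOLS"
# FIREJAIL (hypothetical override) names the firejail binary to call.
make_wrapper_dir() {
    dest=$1; real=$2; sandboxed=$3; passthrough=$4
    mkdir -p "$dest" || return 1

    for tool in $sandboxed; do
        # The real binary is called by absolute path, so the wrapper cannot
        # call itself once $dest is the directory programs are looked up in.
        # --quiet suppresses firejail's own messages, which would otherwise
        # be mixed into the output the caller reads from the tool.
        # firejail picks the profile matching the program name (ffmpeg).
        cat > "$dest/$tool" <<EOF
#!/bin/sh
exec ${FIREJAIL:-firejail} --quiet "$real/$tool" "\$@"
EOF
        chmod 755 "$dest/$tool" || return 1
    done

    for tool in $passthrough; do
        # Not sandboxed: expose the real binary unchanged.
        ln -sf "$real/$tool" "$dest/$tool" || return 1
    done
}

# Example call (paths and tool list are assumptions, adjust to the host):
#   make_wrapper_dir /opt/paperclip-bin /usr/bin "ffmpeg" "ffprobe convert identify"
```

Paperclip's `command_path` option would then be set to the generated directory; a media upload followed by a look at the process list shows whether ffmpeg is actually running under firejail.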
ffmpeg is a project with a lot of security fixes shipped every version. Adding firejail, other than adding SELinux or AppArmor support, is fast and portable across all Linux 3.x+ targets and provides some protection from malicious user input.
A profile for ffmpeg that works with Mastodon out of the box ships with firejail, but could probably be refined (e.g. Mastodon doesn't need ffmpeg to have write access to the FS).
I've written a guide on how to set this up manually.