author | glitsj16 <glitsj16@users.noreply.github.com> | 2021-01-11 17:32:31 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-11 17:32:31 +0000 |
commit | 37452ef1a71473b87431c3c708d3b31ca1b7a25f (patch) | |
tree | cbd95f66f264c2c049052f4434757db9ebf99c1e | |
parent | fix ordering in ssh.profile (#3882) (diff) | |
refactor nodejs applications (npm & yarn) (#3876)
* add yarn & reorder
* add node-gyp & yarn files
* Create nodejs-common.profile
* Create yarn.profile
* refactor npm.profile
* add new profile: yarn
* read-only's for npm/yarn
Thanks to the [suggestion](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) from @kmk3.
* ignore read-only's for npm
As [suggested](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) by @kmk3.
* ignore read-only for yarn
As suggested in https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989 by @kmk3.
* remove quiet from nodejs-common.profile
quiet should go into the caller profiles instead
* add quiet to npm.profile
Thanks @rusty-snake for the review.
* re-ordering some options
* re-ordering
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | etc/inc/allow-common-devel.inc | 13 | ||||
-rw-r--r-- | etc/inc/disable-common.inc | 2 | ||||
-rw-r--r-- | etc/inc/disable-programs.inc | 5 | ||||
-rw-r--r-- | etc/profile-m-z/nodejs-common.profile | 54 | ||||
-rw-r--r-- | etc/profile-m-z/npm.profile | 53 | ||||
-rw-r--r-- | etc/profile-m-z/yarn.profile | 29 |
7 files changed, 109 insertions, 49 deletions
@@ -195,4 +195,4 @@ Stats: | |||
195 | 195 | ||
196 | ### New profiles: | 196 | ### New profiles: |
197 | 197 | ||
198 | spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, tutanota-desktop, npm, marker | 198 | spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, tutanota-desktop, npm, marker, yarn |
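--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -11,6 +11,15 @@ noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.java
 
+# Node.js
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
 # Python
 noblacklist ${HOME}/.pylint.d
 noblacklist ${HOME}/.python-history
@@ -25,7 +34,3 @@ noblacklist ${HOME}/.cargo/registry
 noblacklist ${HOME}/.cargo/.crates.toml
 noblacklist ${HOME}/.cargo/.crates2.json
 noblacklist ${HOME}/.cargo/.package-cache
-
-# npm
-noblacklist ${HOME}/.npm
-noblacklist ${HOME}/.npmrc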
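Review bot: New lines 17 and 21 noblacklist ${HOME}/.npmrc and ${HOME}/.yarnrc for every profile that includes allow-common-devel.inc, not only npm and yarn; both files commonly carry registry auth tokens, so they become readable inside any editor or IDE sandbox that uses this include. The read-only entries this commit adds to disable-common.inc stop such profiles from modifying the files, but for a token it is read access that matters. A comment above the `# Node.js` group, e.g. `# .npmrc/.yarnrc may hold registry tokens; kept read-only via disable-common.inc`, would make that trade-off visible to profile maintainers.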
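--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -310,6 +310,7 @@ read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
 read-only ${HOME}/.nano
+read-only ${HOME}/.npmrc
 read-only ${HOME}/.pythonrc.py
 read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.tmux.conf
@@ -318,6 +319,7 @@ read-only ${HOME}/.viminfo
 read-only ${HOME}/.vimrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
+read-only ${HOME}/.yarnrc
 read-only ${HOME}/_exrc
 read-only ${HOME}/_gvimrc
 read-only ${HOME}/_vimrc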
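--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -761,6 +761,7 @@ blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
 blacklist ${HOME}/.nicotine
+blacklist ${HOME}/.node-gyp
 blacklist ${HOME}/.npm
 blacklist ${HOME}/.npmrc
 blacklist ${HOME}/.nv
@@ -849,6 +850,10 @@ blacklist ${HOME}/.xmr-stak
 blacklist ${HOME}/.xonotic
 blacklist ${HOME}/.xournalpp
 blacklist ${HOME}/.xpdfrc
+blacklist ${HOME}/.yarn
+blacklist ${HOME}/.yarn-config
+blacklist ${HOME}/.yarncache
+blacklist ${HOME}/.yarnrc
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
 blacklist /tmp/ssh-*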
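--- /dev/null
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -0,0 +1,54 @@
+# Firejail profile for Node.js
+# Description: Common profile for npm/yarn
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nodejs-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+ignore noexec ${HOME}
+
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/dash
+noblacklist ${PATH}/sh
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none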
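Review bot: `ignore noexec ${HOME}` (line 13) and the `noblacklist ${PATH}/bash`, `dash`, `sh` lines (15-17) carve holes out of disable-exec.inc and disable-shell.inc, which are included a few lines later, but nothing in the file says why, so a future tightening pass has no way to judge whether the holes are still needed. Presumably npm/yarn run package lifecycle scripts through sh and execute binaries and native addons under the project's node_modules; a one-line comment on each group, e.g. `# npm/yarn run package scripts via sh` and `# node_modules holds executables and native addons`, would record that. Since this commit's own "re-ordering" steps placed these lines above the includes, a note such as `# keep above the disable-*.inc includes` would also protect that ordering from the next cleanup.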
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile index 2136fb443..e95e875be 100644 --- a/etc/profile-m-z/npm.profile +++ b/etc/profile-m-z/npm.profile | |||
@@ -1,64 +1,29 @@ | |||
1 | # Firejail profile for npm | 1 | # Firejail profile for npm |
2 | # Description: The Node.js Package Manager | 2 | # Description: The Node.js Package Manager |
3 | quiet | ||
3 | # This file is overwritten after every install/update | 4 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 5 | # Persistent local customizations |
5 | include npm.local | 6 | include npm.local |
6 | # Persistent global definitions | 7 | # Persistent global definitions |
7 | include globals.local | 8 | include globals.local |
8 | 9 | ||
9 | blacklist /tmp/.X11-unix | 10 | ignore read-only ${HOME}/.npm-packages |
10 | blacklist ${RUNUSER} | 11 | ignore read-only ${HOME}/.npmrc |
11 | 12 | ||
13 | noblacklist ${HOME}/.node-gyp | ||
12 | noblacklist ${HOME}/.npm | 14 | noblacklist ${HOME}/.npm |
13 | noblacklist ${HOME}/.npmrc | 15 | noblacklist ${HOME}/.npmrc |
14 | 16 | ||
15 | noblacklist ${PATH}/bash | 17 | # If you want whitelisting, change ${HOME}/Projects below to your npm projects directory |
16 | noblacklist ${PATH}/dash | ||
17 | noblacklist ${PATH}/sh | ||
18 | |||
19 | ignore noexec ${HOME} | ||
20 | |||
21 | include disable-common.inc | ||
22 | include disable-exec.inc | ||
23 | include disable-passwdmgr.inc | ||
24 | include disable-programs.inc | ||
25 | include disable-shell.inc | ||
26 | include disable-xdg.inc | ||
27 | |||
28 | # If you want whitelisting, change the line below to your npm projects directory | ||
29 | # and uncomment the lines below. | 18 | # and uncomment the lines below. |
19 | #mkdir ${HOME}/.node-gyp | ||
30 | #mkdir ${HOME}/.npm | 20 | #mkdir ${HOME}/.npm |
31 | #mkfile ${HOME}/.npmrc | 21 | #mkfile ${HOME}/.npmrc |
22 | #whitelist ${HOME}/.node-gyp | ||
32 | #whitelist ${HOME}/.npm | 23 | #whitelist ${HOME}/.npm |
33 | #whitelist ${HOME}/.npmrc | 24 | #whitelist ${HOME}/.npmrc |
34 | #whitelist ${HOME}/Projects | 25 | #whitelist ${HOME}/Projects |
35 | #include whitelist-common.inc | 26 | #include whitelist-common.inc |
36 | include whitelist-runuser-common.inc | ||
37 | include whitelist-usr-share-common.inc | ||
38 | include whitelist-var-common.inc | ||
39 | |||
40 | caps.drop all | ||
41 | ipc-namespace | ||
42 | machine-id | ||
43 | netfilter | ||
44 | no3d | ||
45 | nodvd | ||
46 | nogroups | ||
47 | nonewprivs | ||
48 | noroot | ||
49 | nosound | ||
50 | notv | ||
51 | nou2f | ||
52 | novideo | ||
53 | protocol unix,inet,inet6,netlink | ||
54 | seccomp | ||
55 | seccomp.block-secondary | ||
56 | shell none | ||
57 | |||
58 | disable-mnt | ||
59 | private-dev | ||
60 | private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg | ||
61 | private-tmp | ||
62 | 27 | ||
63 | dbus-user none | 28 | # Redirect |
64 | dbus-system none | 29 | include nodejs-common.profile |
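Review bot: `ignore read-only ${HOME}/.npmrc` (new line 11) makes the file writable again inside the sandbox, and .npmrc is typically where npm stores the registry auth token after a login, so any code npm itself executes (package lifecycle scripts) can now rewrite registry settings or the token. This is presumably deliberate so that npm login and npm config keep working, but the trade-off is not recorded anywhere; a comment such as `# .npmrc holds registry credentials; writable so npm login/config work - drop this line if you only install` above it would let users who never log in remove the hole. The same applies to `ignore read-only ${HOME}/.yarnrc` at line 9 of the new yarn.profile.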
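--- /dev/null
+++ b/etc/profile-m-z/yarn.profile
@@ -0,0 +1,29 @@
+# Firejail profile for yarn
+# Description: Fast, reliable, and secure dependency management
+quiet
+# Persistent local customizations
+include yarn.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.yarnrc
+
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
+# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below.
+#mkdir ${HOME}/.yarn
+#mkdir ${HOME}/.yarn-config
+#mkdir ${HOME}/.yarncache
+#mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.yarn
+#whitelist ${HOME}/.yarn-config
+#whitelist ${HOME}/.yarncache
+#whitelist ${HOME}/.yarnrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+# Redirect
+include nodejs-common.profile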
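Review bot: The header of yarn.profile (lines 1-7) omits the `# This file is overwritten after every install/update` line that both npm.profile (new line 4) and nodejs-common.profile (line 3) carry between the description and the local-customization include, so a user who edits yarn.profile directly instead of yarn.local gets no warning that the change will be lost on the next update. Inserting that line after `quiet` would bring the header in line with the other two profiles in this commit.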