Merge pull request #5058 from glitsj16/nodejs-nvm

Node.js stack refactoring

11 files changed, 53 insertions, 8 deletions

diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
index 351c94ab8..f69d9eee2 100644
--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@@ -2,6 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-nodejs.local
 
+ignore read-only ${HOME}/.nvm
+noblacklist ${HOME}/.nvm
 noblacklist ${PATH}/node
 noblacklist /usr/include/node
 
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 448d8b655..7d7863b6a 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -18,6 +18,10 @@ noblacklist ${HOME}/.curlrc
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
+# If you use nvm, add the below lines to your curl.local
+#ignore read-only ${HOME}/.nvm
+#noblacklist ${HOME}/.nvm
+
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
diff --git a/etc/profile-m-z/nvm.profile b/etc/profile-m-z/node-gyp.profile
index 80da22834..015607087 100644
--- a/etc/profile-m-z/nvm.profile
+++ b/etc/profile-m-z/node-gyp.profile
@@ -1,13 +1,11 @@
-# Firejail profile for nvm
-# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions
+# Firejail profile for node-gyp
+# Description: Part of the Node.js stack
 quiet
 # This file is overwritten after every install/update
 # Persistent local customizations
-include nvm.local
+include node-gyp.local
 # Persistent global definitions
 include globals.local
 
-ignore noroot
-
 # Redirect
 include nodejs-common.profile
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index ab69136f6..dd3080ad9 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,14 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
+# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# using the `#!/usr/bin/env node` shebang. By sandboxing node the full
+# node.js stack will be firejailed. The only exception is nvm, which is implemented
+# as a sourced shell function, not an executable binary. Hence it is not
+# directly firejailable. You can work around this by sandboxing the programs
+# used by nvm: curl, sha256sum, tar and wget. We have comments in these
+# profiles on how to enable nvm support via local overrides.
+
 blacklist ${RUNUSER}
 
 ignore read-only ${HOME}/.npm-packages
@@ -25,13 +32,13 @@ noblacklist ${HOME}/.yarncache
 noblacklist ${HOME}/.yarnrc
 
 ignore noexec ${HOME}
-
 include allow-bin-sh.inc
 
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 # If you want whitelisting, change ${HOME}/Projects below to your node projects directory
@@ -73,6 +80,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
diff --git a/etc/profile-m-z/npx.profile b/etc/profile-m-z/npx.profile
new file mode 100644
index 000000000..6d5602c88
--- /dev/null
+++ b/etc/profile-m-z/npx.profile
@@ -0,0 +1,11 @@
+# Firejail profile for npx
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include npx.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/semver.profile b/etc/profile-m-z/semver.profile
new file mode 100644
index 000000000..3e0c19b8b
--- /dev/null
+++ b/etc/profile-m-z/semver.profile
@@ -0,0 +1,11 @@
+# Firejail profile for semver
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include semver.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/sha256sum.profile b/etc/profile-m-z/sha256sum.profile
index 48944ebea..45ddecd2d 100644
--- a/etc/profile-m-z/sha256sum.profile
+++ b/etc/profile-m-z/sha256sum.profile
@@ -7,6 +7,9 @@ include sha256sum.local
 # Persistent global definitions
 include globals.local
 
+# If you use nvm, add the below lines to your sha256sum.local
+#noblacklist ${HOME}/.nvm
+
 private-bin sha256sum
 
 # Redirect
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 0817adda8..a9d0a60d1 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -7,6 +7,9 @@ include tar.local
 # Persistent global definitions
 include globals.local
 
+# If you use nvm, add the below lines to your tar.local
+#noblacklist ${HOME}/.nvm
+
 # Included in archiver-common.profile
 ignore include disable-shell.inc
 
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
index 4d849c582..52d2091fe 100644
--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -18,8 +18,8 @@ include allow-common-devel.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
+noblacklist ${PATH}/node
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile
index 2fe727b9c..1aa546a29 100644
--- a/etc/profile-m-z/webui-aria2.profile
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -6,6 +6,7 @@ include webui-aria2.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.nvm
 noblacklist ${PATH}/node
 
 include disable-common.inc
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index 4c21d6965..82af30d2a 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -11,6 +11,10 @@ noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
 
+# If you use nvm, add the below lines to your wget.local
+#ignore read-only ${HOME}/.nvm
+#noblacklist ${HOME}/.nvm
+
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}