Node.js stack refactoring (#4255)

* Create node.profile * Create node-gyp.profile * refactor npm as redirect * Create npx.profile * Create nvm.profile * Create semver.profile * refactor yarn as redirect * collect node.js stack configuration in common profile * add ~/.nvm to node section * account for node-gyp python dependency * read-only ~/.nvm for node.js stack * blacklist ~/.nvm for node.js stack * move env var comment cfr. profile.template * Delete node-gyp.profile node-gyp is a shell script with a node shebang. We've got that covered via node.profile. * Delete npx.profile npx is a shell script with a node shebang. We've got that covered via node.profile. * Delete semver.profile semver is a shell script that calls node. We've got that covered via node.profile. * add node and nvm to new profiles section
author: glitsj16 <glitsj16@users.noreply.github.com> 2021-05-08 15:27:30 +0000
committer: GitHub <noreply@github.com> 2021-05-08 15:27:30 +0000
commit: 699a803f174662a8ec62442438bb0807e41d3971 (patch)
tree: f9b8e2a121e2fc8c4e91005ac97241922bc309ad /etc/profile-m-z/nodejs-common.profile
parent: revert comment changes from #4257 (#4258) (diff)
download: firejail-699a803f174662a8ec62442438bb0807e41d3971.tar.gz
firejail-699a803f174662a8ec62442438bb0807e41d3971.tar.zst
firejail-699a803f174662a8ec62442438bb0807e41d3971.zip
1 files changed, 45 insertions, 4 deletions
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 4095337dd..fa69f9214 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -10,6 +10,20 @@ include nodejs-common.local
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
+ignore read-only ${HOME}/.npm-packages
+ignore read-only ${HOME}/.npmrc
+ignore read-only ${HOME}/.nvm
+ignore read-only ${HOME}/.yarnrc
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.nvm
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
 ignore noexec ${HOME}
 include allow-bin-sh.inc
@@ -21,6 +35,32 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+# If you want whitelisting, change ${HOME}/Projects below to your node projects directory
+# and add the next lines to your nodejs-common.local.
+#mkdir ${HOME}/.node-gyp
+#mkdir ${HOME}/.npm
+#mkdir ${HOME}/.npm-packages
+#mkfile ${HOME}/.npmrc
+#mkdir ${HOME}/.nvm
+#mkdir ${HOME}/.yarn
+#mkdir ${HOME}/.yarn-config
+#mkdir ${HOME}/.yarncache
+#mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.node-gyp
+#whitelist ${HOME}/.npm
+#whitelist ${HOME}/.npm-packages
+#whitelist ${HOME}/.npmrc
+#whitelist ${HOME}/.nvm
+#whitelist ${HOME}/.yarn
+#whitelist ${HOME}/.yarn-config
+#whitelist ${HOME}/.yarncache
+#whitelist ${HOME}/.yarnrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+whitelist /usr/share/doc/node
+whitelist /usr/share/nvm
+whitelist /usr/share/systemtap/tapset/node.stp
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -46,10 +86,11 @@ shell none
 disable-mnt
 private-dev
-# May need to add `passwd` to `private-etc` below to enable debugging with some IDEs
+private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl,xdg
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+#private-tmp
-# May need to be commented out in order to enable debugging with some IDEs
-private-tmp
 dbus-user none
 dbus-system none
+# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry.
+#env GATSBY_TELEMETRY_DISABLED=1
author	glitsj16 <glitsj16@users.noreply.github.com>	2021-05-08 15:27:30 +0000
committer	GitHub <noreply@github.com>	2021-05-08 15:27:30 +0000
commit	699a803f174662a8ec62442438bb0807e41d3971 (patch)
tree	f9b8e2a121e2fc8c4e91005ac97241922bc309ad /etc/profile-m-z/nodejs-common.profile
parent	revert comment changes from #4257 (#4258) (diff)
download	firejail-699a803f174662a8ec62442438bb0807e41d3971.tar.gz firejail-699a803f174662a8ec62442438bb0807e41d3971.tar.zst firejail-699a803f174662a8ec62442438bb0807e41d3971.zip

diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile index 4095337dd..fa69f9214 100644 --- a/etc/profile-m-z/nodejs-common.profile +++ b/etc/profile-m-z/nodejs-common.profile
@@ -10,6 +10,20 @@ include nodejs-common.local
10	blacklist /tmp/.X11-unix	10	blacklist /tmp/.X11-unix
11	blacklist ${RUNUSER}	11	blacklist ${RUNUSER}
12		12
		13	ignore read-only ${HOME}/.npm-packages
		14	ignore read-only ${HOME}/.npmrc
		15	ignore read-only ${HOME}/.nvm
		16	ignore read-only ${HOME}/.yarnrc
		17
		18	noblacklist ${HOME}/.node-gyp
		19	noblacklist ${HOME}/.npm
		20	noblacklist ${HOME}/.npmrc
		21	noblacklist ${HOME}/.nvm
		22	noblacklist ${HOME}/.yarn
		23	noblacklist ${HOME}/.yarn-config
		24	noblacklist ${HOME}/.yarncache
		25	noblacklist ${HOME}/.yarnrc
		26
13	ignore noexec ${HOME}	27	ignore noexec ${HOME}
14		28
15	include allow-bin-sh.inc	29	include allow-bin-sh.inc
@@ -21,6 +35,32 @@ include disable-programs.inc
21	include disable-shell.inc	35	include disable-shell.inc
22	include disable-xdg.inc	36	include disable-xdg.inc
23		37
		38	# If you want whitelisting, change ${HOME}/Projects below to your node projects directory
		39	# and add the next lines to your nodejs-common.local.
		40	#mkdir ${HOME}/.node-gyp
		41	#mkdir ${HOME}/.npm
		42	#mkdir ${HOME}/.npm-packages
		43	#mkfile ${HOME}/.npmrc
		44	#mkdir ${HOME}/.nvm
		45	#mkdir ${HOME}/.yarn
		46	#mkdir ${HOME}/.yarn-config
		47	#mkdir ${HOME}/.yarncache
		48	#mkfile ${HOME}/.yarnrc
		49	#whitelist ${HOME}/.node-gyp
		50	#whitelist ${HOME}/.npm
		51	#whitelist ${HOME}/.npm-packages
		52	#whitelist ${HOME}/.npmrc
		53	#whitelist ${HOME}/.nvm
		54	#whitelist ${HOME}/.yarn
		55	#whitelist ${HOME}/.yarn-config
		56	#whitelist ${HOME}/.yarncache
		57	#whitelist ${HOME}/.yarnrc
		58	#whitelist ${HOME}/Projects
		59	#include whitelist-common.inc
		60
		61	whitelist /usr/share/doc/node
		62	whitelist /usr/share/nvm
		63	whitelist /usr/share/systemtap/tapset/node.stp
24	include whitelist-runuser-common.inc	64	include whitelist-runuser-common.inc
25	include whitelist-usr-share-common.inc	65	include whitelist-usr-share-common.inc
26	include whitelist-var-common.inc	66	include whitelist-var-common.inc
@@ -46,10 +86,11 @@ shell none
46		86
47	disable-mnt	87	disable-mnt
48	private-dev	88	private-dev
49	# May need to add `passwd` to `private-etc` below to enable debugging with some IDEs	89	private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl,xdg
50	private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg	90	#private-tmp
51	# May need to be commented out in order to enable debugging with some IDEs
52	private-tmp
53		91
54	dbus-user none	92	dbus-user none
55	dbus-system none	93	dbus-system none
		94
		95	# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry.
		96	#env GATSBY_TELEMETRY_DISABLED=1