Add profile for npm (#3866)

* Add profile for npm * Apply suggestions from code review * Remove redundant blacklisting of Wayland. * Remove unnecessary noblacklist lines for nodejs. * Replace absolute paths to .inc files with filenames. * Remove unneeded dbus whitelisting. Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> * Remove empty line To keep consistent with other profiles, remove the blank line after the header comment. Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> * Add npm files to add-common-devel So that our addition of npm paths to disable-programs.inc dose not break IDEs, we need to unblacklist these same paths in allow-common-devel.inc. * Remove extra blank line * Add common whitelist includes to npm profile * Tighten npm profile Include disable-exec.inc, but allowing ${HOME}. * Remove whitelist-common.inc from npm profile whitelist-common breaks npm, and since we don't know where the user's npm projects will be, leave the whitelist-common include in a comment with a note about how to enable it for their setup. * Fix inverted commands Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com> * Fixes for whitelisting * Add login.defs to npm profile's private-etc Co-authored-by: Aidan Gauland <aidalgol+git@fastmail.net> Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
author: Aidan Gauland <aidalgol@users.noreply.github.com> 2021-01-09 09:51:41 +1300
committer: GitHub <noreply@github.com> 2021-01-08 20:51:41 +0000
commit: 3203dd23a83fc45924b0b46e1bf204bafa878b33 (patch)
tree: 68a46d9fdff2212a45cfea0e76b291e36608dc6d /etc/profile-m-z/npm.profile
parent: fbuilder: check Yama permissions (diff)
download: firejail-3203dd23a83fc45924b0b46e1bf204bafa878b33.tar.gz
firejail-3203dd23a83fc45924b0b46e1bf204bafa878b33.tar.zst
firejail-3203dd23a83fc45924b0b46e1bf204bafa878b33.zip
1 files changed, 64 insertions, 0 deletions
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
new file mode 100644
index 000000000..2136fb443
--- /dev/null
+++ b/etc/profile-m-z/npm.profile
@@ -0,0 +1,64 @@
+# Firejail profile for npm
+# Description: The Node.js Package Manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include npm.local
+# Persistent global definitions
+include globals.local
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/dash
+noblacklist ${PATH}/sh
+ignore noexec ${HOME}
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+# If you want whitelisting, change the line below to your npm projects directory
+# and uncomment the lines below.
+#mkdir ${HOME}/.npm
+#mkfile ${HOME}/.npmrc
+#whitelist ${HOME}/.npm
+#whitelist ${HOME}/.npmrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+private-tmp
+dbus-user none
+dbus-system none
author	Aidan Gauland <aidalgol@users.noreply.github.com>	2021-01-09 09:51:41 +1300
committer	GitHub <noreply@github.com>	2021-01-08 20:51:41 +0000
commit	3203dd23a83fc45924b0b46e1bf204bafa878b33 (patch)
tree	68a46d9fdff2212a45cfea0e76b291e36608dc6d /etc/profile-m-z/npm.profile
parent	fbuilder: check Yama permissions (diff)
download	firejail-3203dd23a83fc45924b0b46e1bf204bafa878b33.tar.gz firejail-3203dd23a83fc45924b0b46e1bf204bafa878b33.tar.zst firejail-3203dd23a83fc45924b0b46e1bf204bafa878b33.zip

diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile new file mode 100644 index 000000000..2136fb443 --- /dev/null +++ b/etc/profile-m-z/npm.profile
@@ -0,0 +1,64 @@
	1	# Firejail profile for npm
	2	# Description: The Node.js Package Manager
	3	# This file is overwritten after every install/update
	4	# Persistent local customizations
	5	include npm.local
	6	# Persistent global definitions
	7	include globals.local
	8
	9	blacklist /tmp/.X11-unix
	10	blacklist ${RUNUSER}
	11
	12	noblacklist ${HOME}/.npm
	13	noblacklist ${HOME}/.npmrc
	14
	15	noblacklist ${PATH}/bash
	16	noblacklist ${PATH}/dash
	17	noblacklist ${PATH}/sh
	18
	19	ignore noexec ${HOME}
	20
	21	include disable-common.inc
	22	include disable-exec.inc
	23	include disable-passwdmgr.inc
	24	include disable-programs.inc
	25	include disable-shell.inc
	26	include disable-xdg.inc
	27
	28	# If you want whitelisting, change the line below to your npm projects directory
	29	# and uncomment the lines below.
	30	#mkdir ${HOME}/.npm
	31	#mkfile ${HOME}/.npmrc
	32	#whitelist ${HOME}/.npm
	33	#whitelist ${HOME}/.npmrc
	34	#whitelist ${HOME}/Projects
	35	#include whitelist-common.inc
	36	include whitelist-runuser-common.inc
	37	include whitelist-usr-share-common.inc
	38	include whitelist-var-common.inc
	39
	40	caps.drop all
	41	ipc-namespace
	42	machine-id
	43	netfilter
	44	no3d
	45	nodvd
	46	nogroups
	47	nonewprivs
	48	noroot
	49	nosound
	50	notv
	51	nou2f
	52	novideo
	53	protocol unix,inet,inet6,netlink
	54	seccomp
	55	seccomp.block-secondary
	56	shell none
	57
	58	disable-mnt
	59	private-dev
	60	private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
	61	private-tmp
	62
	63	dbus-user none
	64	dbus-system none