authorLibravatar glitsj16 <glitsj16@users.noreply.github.com>2021-01-11 17:32:31 +0000
committerLibravatar GitHub <noreply@github.com>2021-01-11 17:32:31 +0000
commit37452ef1a71473b87431c3c708d3b31ca1b7a25f (patch)
treecbd95f66f264c2c049052f4434757db9ebf99c1e /etc/profile-m-z
parentfix ordering in ssh.profile (#3882) (diff)
downloadfirejail-37452ef1a71473b87431c3c708d3b31ca1b7a25f.tar.gz
firejail-37452ef1a71473b87431c3c708d3b31ca1b7a25f.tar.zst
firejail-37452ef1a71473b87431c3c708d3b31ca1b7a25f.zip
refactor nodejs applications (npm & yarn) (#3876)
* add yarn & reorder * add node-gyp & yarn files * Create nodejs-common.profile * Create yarn.profile * refactor npm.profile * add new profile: yarn * read-only's for npm/yarn Thanks to the [suggestion](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) from @kmk3. * ignore read-only's for npm As [suggested](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) by @kmk3. * ignore read-only for yarn As suggested in https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989 by @kmk3. * remove quiet from nodejs-common.profile quiet should go into the caller profiles instead * add quiet to npm.profile Thanks @rusty-snake for the review. * re-ordering some options * re-ordering
Diffstat (limited to 'etc/profile-m-z')
-rw-r--r--etc/profile-m-z/nodejs-common.profile54
-rw-r--r--etc/profile-m-z/npm.profile53
-rw-r--r--etc/profile-m-z/yarn.profile29
3 files changed, 92 insertions, 44 deletions
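--- /dev/null
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -0,0 +1,54 @@
+# Firejail profile for Node.js
+# Description: Common profile for npm/yarn
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nodejs-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+ignore noexec ${HOME}
+
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/dash
+noblacklist ${PATH}/sh
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none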
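Review bot: `ignore noexec ${HOME}` on line 13 and the `noblacklist` entries for bash, dash and sh on lines 15-17 relax the disable-exec.inc and disable-shell.inc includes that follow, and the file gives no reason for either. Together with `protocol unix,inet,inet6,netlink` and no home whitelist in this common profile, code executed during a package install can presumably read whatever in ${HOME} the disable-*.inc files do not cover and still has network access; whitelisting is opt-in and sits commented out in the caller profiles. I would add a comment above line 13 such as `# npm/yarn execute package scripts and binaries from ${HOME}, usually through a shell` and one above the includes, `# ${HOME} is not whitelisted by default; see the commented whitelist block in the caller profile`.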
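--- a/etc/profile-m-z/npm.profile
+++ b/etc/profile-m-z/npm.profile
@@ -1,64 +1,29 @@
 # Firejail profile for npm
 # Description: The Node.js Package Manager
+quiet
 # This file is overwritten after every install/update
 # Persistent local customizations
 include npm.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+ignore read-only ${HOME}/.npm-packages
+ignore read-only ${HOME}/.npmrc
 
+noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
 
-noblacklist ${PATH}/bash
-noblacklist ${PATH}/dash
-noblacklist ${PATH}/sh
-
-ignore noexec ${HOME}
-
-include disable-common.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-
-# If you want whitelisting, change the line below to your npm projects directory
+# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
 # and uncomment the lines below.
+#mkdir ${HOME}/.node-gyp
 #mkdir ${HOME}/.npm
 #mkfile ${HOME}/.npmrc
+#whitelist ${HOME}/.node-gyp
 #whitelist ${HOME}/.npm
 #whitelist ${HOME}/.npmrc
 #whitelist ${HOME}/Projects
 #include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-seccomp.block-secondary
-shell none
-
-disable-mnt
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
-private-tmp
 
-dbus-user none
-dbus-system none
+# Redirect
+include nodejs-common.profile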
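Review bot: `${HOME}/.npm-packages` appears only in the `ignore read-only` line (new line 10); it has no matching `noblacklist` entry at new lines 13-15 and no `#mkdir`/`#whitelist` pair in the commented block at new lines 19-26. A user who uncomments the whitelist block would get a sandbox in which that directory is not visible, although the profile expects it to be writable. I would add `#mkdir ${HOME}/.npm-packages` and `#whitelist ${HOME}/.npm-packages` to the block, plus `noblacklist ${HOME}/.npm-packages` if one of the disable-*.inc files blacklists it (not visible in this diff). A short comment above new lines 10-11, for example `# npm writes its config and global prefix; .npmrc may hold registry credentials and stays writable inside the sandbox`, would make the trade-off explicit.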
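--- /dev/null
+++ b/etc/profile-m-z/yarn.profile
@@ -0,0 +1,29 @@
+# Firejail profile for yarn
+# Description: Fast, reliable, and secure dependency management
+quiet
+# Persistent local customizations
+include yarn.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.yarnrc
+
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
+# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below.
+#mkdir ${HOME}/.yarn
+#mkdir ${HOME}/.yarn-config
+#mkdir ${HOME}/.yarncache
+#mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.yarn
+#whitelist ${HOME}/.yarn-config
+#whitelist ${HOME}/.yarncache
+#whitelist ${HOME}/.yarnrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+# Redirect
+include nodejs-common.profile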
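Review bot: The header of yarn.profile lacks the `# This file is overwritten after every install/update` line that the other two profiles in this commit carry, so a user who tightens this file in place gets no hint that the edits will be lost and that yarn.local is the place for them; add it after `quiet` on line 3. `ignore read-only ${HOME}/.yarnrc` on line 9 also has no explanation; a comment such as `# yarn updates its own config; .yarnrc stays writable inside the sandbox` would record why the read-only protection is lifted (presumably for the same reason as npm's config file). The whitelisting hint on line 16 is one long line where npm.profile splits the same sentence in two, which is worth aligning.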