Node.js stack refactoring (#4255)

* Create node.profile

* Create node-gyp.profile

* refactor npm as redirect

* Create npx.profile

* Create nvm.profile

* Create semver.profile

* refactor yarn as redirect

* collect node.js stack configuration in common profile

* add ~/.nvm to node section

* account for node-gyp python dependency

* read-only ~/.nvm for node.js stack

* blacklist ~/.nvm for node.js stack

* move env var comment cfr. profile.template

* Delete node-gyp.profile

node-gyp is a shell script with a node shebang. We've got that covered via node.profile.

* Delete npx.profile

npx is a shell script with a node shebang. We've got that covered via node.profile.

* Delete semver.profile

semver is a shell script that calls node. We've got that covered via node.profile.

* add node and nvm to new profiles section

9 files changed, 76 insertions, 42 deletions

diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 41643657d..babe46571 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.java
 noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.nvm
 noblacklist ${HOME}/.yarn
 noblacklist ${HOME}/.yarn-config
 noblacklist ${HOME}/.yarncache
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
index 78a4bed80..351c94ab8 100644
--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@@ -4,3 +4,7 @@ include allow-nodejs.local
 
 noblacklist ${PATH}/node
 noblacklist /usr/include/node
+
+# Allow python for node-gyp (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 35f89e11b..a6dbb7403 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -338,6 +338,7 @@ read-only ${HOME}/dotfiles
 read-only ${HOME}/.gem
 read-only ${HOME}/.luarocks
 read-only ${HOME}/.npm-packages
+read-only ${HOME}/.nvm
 read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index cbc8ef6d2..90abe1d3e 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -816,6 +816,7 @@ blacklist ${HOME}/.node-gyp
 blacklist ${HOME}/.npm
 blacklist ${HOME}/.npmrc
 blacklist ${HOME}/.nv
+blacklist ${HOME}/.nvm
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openarena
 blacklist ${HOME}/.opencity
diff --git a/etc/profile-m-z/node.profile b/etc/profile-m-z/node.profile
new file mode 100644
index 000000000..cd48ed3c7
--- /dev/null
+++ b/etc/profile-m-z/node.profile
@@ -0,0 +1,11 @@
+# Firejail profile for node
+# Description: Evented I/O for V8 javascript
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include node.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 4095337dd..fa69f9214 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -10,6 +10,20 @@ include nodejs-common.local
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
+ignore read-only ${HOME}/.npm-packages
+ignore read-only ${HOME}/.npmrc
+ignore read-only ${HOME}/.nvm
+ignore read-only ${HOME}/.yarnrc
+
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.nvm
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
 ignore noexec ${HOME}
 
 include allow-bin-sh.inc
@@ -21,6 +35,32 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# If you want whitelisting, change ${HOME}/Projects below to your node projects directory
+# and add the next lines to your nodejs-common.local.
+#mkdir ${HOME}/.node-gyp
+#mkdir ${HOME}/.npm
+#mkdir ${HOME}/.npm-packages
+#mkfile ${HOME}/.npmrc
+#mkdir ${HOME}/.nvm
+#mkdir ${HOME}/.yarn
+#mkdir ${HOME}/.yarn-config
+#mkdir ${HOME}/.yarncache
+#mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.node-gyp
+#whitelist ${HOME}/.npm
+#whitelist ${HOME}/.npm-packages
+#whitelist ${HOME}/.npmrc
+#whitelist ${HOME}/.nvm
+#whitelist ${HOME}/.yarn
+#whitelist ${HOME}/.yarn-config
+#whitelist ${HOME}/.yarncache
+#whitelist ${HOME}/.yarnrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+whitelist /usr/share/doc/node
+whitelist /usr/share/nvm
+whitelist /usr/share/systemtap/tapset/node.stp
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -46,10 +86,11 @@ shell none
 
 disable-mnt
 private-dev
-# May need to add `passwd` to `private-etc` below to enable debugging with some IDEs
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
-# May need to be commented out in order to enable debugging with some IDEs
-private-tmp
+private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+#private-tmp
 
 dbus-user none
 dbus-system none
+
+# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry.
+#env GATSBY_TELEMETRY_DISABLED=1
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
index f51d58782..4d8beea5a 100644
--- a/etc/profile-m-z/npm.profile
+++ b/etc/profile-m-z/npm.profile
@@ -7,23 +7,5 @@ include npm.local
 # Persistent global definitions
 include globals.local
 
-ignore read-only ${HOME}/.npm-packages
-ignore read-only ${HOME}/.npmrc
-
-noblacklist ${HOME}/.node-gyp
-noblacklist ${HOME}/.npm
-noblacklist ${HOME}/.npmrc
-
-# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
-# and add the next lines to your npm.local.
-#mkdir ${HOME}/.node-gyp
-#mkdir ${HOME}/.npm
-#mkfile ${HOME}/.npmrc
-#whitelist ${HOME}/.node-gyp
-#whitelist ${HOME}/.npm
-#whitelist ${HOME}/.npmrc
-#whitelist ${HOME}/Projects
-#include whitelist-common.inc
-
 # Redirect
 include nodejs-common.profile
diff --git a/etc/profile-m-z/nvm.profile b/etc/profile-m-z/nvm.profile
new file mode 100644
index 000000000..80da22834
--- /dev/null
+++ b/etc/profile-m-z/nvm.profile
@@ -0,0 +1,13 @@
+# Firejail profile for nvm
+# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nvm.local
+# Persistent global definitions
+include globals.local
+
+ignore noroot
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile
index 360bd8442..05b55d071 100644
--- a/etc/profile-m-z/yarn.profile
+++ b/etc/profile-m-z/yarn.profile
@@ -6,25 +6,5 @@ include yarn.local
 # Persistent global definitions
 include globals.local
 
-ignore read-only ${HOME}/.yarnrc
-
-noblacklist ${HOME}/.yarn
-noblacklist ${HOME}/.yarn-config
-noblacklist ${HOME}/.yarncache
-noblacklist ${HOME}/.yarnrc
-
-# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and
-# add the next lines to you yarn.local.
-#mkdir ${HOME}/.yarn
-#mkdir ${HOME}/.yarn-config
-#mkdir ${HOME}/.yarncache
-#mkfile ${HOME}/.yarnrc
-#whitelist ${HOME}/.yarn
-#whitelist ${HOME}/.yarn-config
-#whitelist ${HOME}/.yarncache
-#whitelist ${HOME}/.yarnrc
-#whitelist ${HOME}/Projects
-#include whitelist-common.inc
-
 # Redirect
 include nodejs-common.profile