nodejs-common: add comment & minor hardening

1 files changed, 10 insertions, 2 deletions

diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index ab69136f6..6382c29f4 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,14 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
+NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# using the `#!/usr/bin/env node` shebang. By sandboxing node the full
+# node.js stack will be firejailed. The only exception is nvm, which is implemented
+# as a sourced shell function, not an executable binary. Hence it is not
+# directly firejailable. You can work around this by sandboxing the programs
+# used by nvm: curl, sha256sum, tar and wget. We have comments in these
+# profiles on how to enable nvm support via local overrides.
+
 blacklist ${RUNUSER}
 
 ignore read-only ${HOME}/.npm-packages
@@ -25,13 +32,13 @@ noblacklist ${HOME}/.yarncache
 noblacklist ${HOME}/.yarnrc
 
 ignore noexec ${HOME}
-
 include allow-bin-sh.inc
 
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 # If you want whitelisting, change ${HOME}/Projects below to your node projects directory
@@ -73,6 +80,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv