14 files changed, 81 insertions, 12 deletions

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 98b713e9e..e1d972d04 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -47,7 +47,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@f5d822707ee6e8fb81b04a5c0040b736da22e587
+      uses: github/codeql-action/init@883476649888a9e8e219d5b2e6b789dc024f690c
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@f5d822707ee6e8fb81b04a5c0040b736da22e587
+      uses: github/codeql-action/autobuild@883476649888a9e8e219d5b2e6b789dc024f690c
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@f5d822707ee6e8fb81b04a5c0040b736da22e587
+      uses: github/codeql-action/analyze@883476649888a9e8e219d5b2e6b789dc024f690c
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
index 351c94ab8..f69d9eee2 100644
--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@@ -2,6 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-nodejs.local
 
+ignore read-only ${HOME}/.nvm
+noblacklist ${HOME}/.nvm
 noblacklist ${PATH}/node
 noblacklist /usr/include/node
 
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 448d8b655..7d7863b6a 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -18,6 +18,10 @@ noblacklist ${HOME}/.curlrc
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
+# If you use nvm, add the below lines to your curl.local
+#ignore read-only ${HOME}/.nvm
+#noblacklist ${HOME}/.nvm
+
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
diff --git a/etc/profile-m-z/nvm.profile b/etc/profile-m-z/node-gyp.profile
index 80da22834..015607087 100644
--- a/etc/profile-m-z/nvm.profile
+++ b/etc/profile-m-z/node-gyp.profile
@@ -1,13 +1,11 @@
-# Firejail profile for nvm
-# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions
+# Firejail profile for node-gyp
+# Description: Part of the Node.js stack
 quiet
 # This file is overwritten after every install/update
 # Persistent local customizations
-include nvm.local
+include node-gyp.local
 # Persistent global definitions
 include globals.local
 
-ignore noroot
-
 # Redirect
 include nodejs-common.profile
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index ab69136f6..dd3080ad9 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,14 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
+# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# using the `#!/usr/bin/env node` shebang. By sandboxing node the full
+# node.js stack will be firejailed. The only exception is nvm, which is implemented
+# as a sourced shell function, not an executable binary. Hence it is not
+# directly firejailable. You can work around this by sandboxing the programs
+# used by nvm: curl, sha256sum, tar and wget. We have comments in these
+# profiles on how to enable nvm support via local overrides.
+
 blacklist ${RUNUSER}
 
 ignore read-only ${HOME}/.npm-packages
@@ -25,13 +32,13 @@ noblacklist ${HOME}/.yarncache
 noblacklist ${HOME}/.yarnrc
 
 ignore noexec ${HOME}
-
 include allow-bin-sh.inc
 
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 # If you want whitelisting, change ${HOME}/Projects below to your node projects directory
@@ -73,6 +80,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
diff --git a/etc/profile-m-z/npx.profile b/etc/profile-m-z/npx.profile
new file mode 100644
index 000000000..6d5602c88
--- /dev/null
+++ b/etc/profile-m-z/npx.profile
@@ -0,0 +1,11 @@
+# Firejail profile for npx
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include npx.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/semver.profile b/etc/profile-m-z/semver.profile
new file mode 100644
index 000000000..3e0c19b8b
--- /dev/null
+++ b/etc/profile-m-z/semver.profile
@@ -0,0 +1,11 @@
+# Firejail profile for semver
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include semver.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/sha256sum.profile b/etc/profile-m-z/sha256sum.profile
index 48944ebea..45ddecd2d 100644
--- a/etc/profile-m-z/sha256sum.profile
+++ b/etc/profile-m-z/sha256sum.profile
@@ -7,6 +7,9 @@ include sha256sum.local
 # Persistent global definitions
 include globals.local
 
+# If you use nvm, add the below lines to your sha256sum.local
+#noblacklist ${HOME}/.nvm
+
 private-bin sha256sum
 
 # Redirect
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 0817adda8..a9d0a60d1 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -7,6 +7,9 @@ include tar.local
 # Persistent global definitions
 include globals.local
 
+# If you use nvm, add the below lines to your tar.local
+#noblacklist ${HOME}/.nvm
+
 # Included in archiver-common.profile
 ignore include disable-shell.inc
 
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
index 4d849c582..52d2091fe 100644
--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -18,8 +18,8 @@ include allow-common-devel.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
 
-noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
+noblacklist ${PATH}/node
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile
index 2fe727b9c..1aa546a29 100644
--- a/etc/profile-m-z/webui-aria2.profile
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -6,6 +6,7 @@ include webui-aria2.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.nvm
 noblacklist ${PATH}/node
 
 include disable-common.inc
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index 4c21d6965..82af30d2a 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -11,6 +11,10 @@ noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
 
+# If you use nvm, add the below lines to your wget.local
+#ignore read-only ${HOME}/.nvm
+#noblacklist ${HOME}/.nvm
+
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index e962e18da..3dd339d94 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -343,6 +343,18 @@ closed.
 .TP
 \fBprivate directory
 Use directory as user home.
+--private and --private=directory cannot be used together.
+.br
+
+.br
+Bug: Even with this enabled, some commands (such as mkdir, mkfile and
+private-cache) will still operate on the original home directory.
+Workaround: Disable the incompatible commands, such as by using "ignore mkdir"
+and "ignore mkfile".
+For details, see
+.UR https://github.com/netblue30/firejail/issues/903
+#903
+.UE
 .TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
@@ -505,7 +517,7 @@ There is no root account (uid 0) defined in the namespace.
 Enable protocol filter. The filter is based on seccomp and checks the
 first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR, \fBpacket\fR, and \fBbluetooth\fR.
-Multiple protocol commands are allowed.
+Multiple protocol commands are allowed and they accumulate.
 .TP
 \fBseccomp
 Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index feb9e4e81..41171a4e7 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -1905,6 +1905,17 @@ Use directory as user home.
 Example:
 .br
 $ firejail \-\-private=/home/netblue/firefox-home firefox
+.br
+
+.br
+Bug: Even with this enabled, some commands (such as mkdir, mkfile and
+private-cache) will still operate on the original home directory.
+Workaround: Disable the incompatible commands, such as by using "ignore mkdir"
+and "ignore mkfile".
+For details, see
+.UR https://github.com/netblue30/firejail/issues/903
+#903
+.UE
 
 .TP
 \fB\-\-private-bin=file,file
@@ -2171,6 +2182,7 @@ $ firejail \-\-profile.print=browser
 \fB\-\-protocol=protocol,protocol,protocol
 Enable protocol filter. The filter is based on seccomp and checks the first argument to socket system call.
 Recognized values: unix, inet, inet6, netlink, packet, and bluetooth. This option is not supported for i386 architecture.
+Multiple protocol commands are allowed and they accumulate.
 .br
 
 .br