Diffstat (limited to 'etc/profile-m-z/nodejs-common.profile')
-rw-r--r-- | etc/profile-m-z/nodejs-common.profile | 12 |
1 files changed, 10 insertions, 2 deletions
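--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,14 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
+# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# using the `#!/usr/bin/env node` shebang. By sandboxing node the full
+# node.js stack will be firejailed. The only exception is nvm, which is implemented
+# as a sourced shell function, not an executable binary. Hence it is not
+# directly firejailable. You can work around this by sandboxing the programs
+# used by nvm: curl, sha256sum, tar and wget. We have comments in these
+# profiles on how to enable nvm support via local overrides.
+
 blacklist ${RUNUSER}
 
 ignore read-only ${HOME}/.npm-packages
@@ -25,13 +32,13 @@ noblacklist ${HOME}/.yarncache
 noblacklist ${HOME}/.yarnrc
 
 ignore noexec ${HOME}
-
 include allow-bin-sh.inc
 
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 # If you want whitelisting, change ${HOME}/Projects below to your node projects directory
@@ -73,6 +80,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv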
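Review bot: The switch from `blacklist /tmp/.X11-unix` to `include disable-X11.inc` in the second hunk presumably denies more than the socket directory (the included file is not shown here), but nothing in the profile records that the node tooling is meant to run with no X11 access at all. A one-line comment above the include, e.g. `# node tooling is CLI-only: the X11 socket and any X authority files are not needed`, would make the widened denial read as deliberate and tell a caller profile that needs X11 where to override. The NOTE block in the first hunk also says the nvm workaround is documented in "comments in these profiles" without naming one; pointing readers at the `nodejs-common.local` override file that the top of the hunk already includes would make that sentence actionable. The third line of that NOTE is noticeably longer than the others and could be rewrapped to match.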