From 3203dd23a83fc45924b0b46e1bf204bafa878b33 Mon Sep 17 00:00:00 2001
From: Aidan Gauland
Date: Sat, 9 Jan 2021 09:51:41 +1300
Subject: Add profile for npm (#3866)

* Add profile for npm
* Apply suggestions from code review
* Remove redundant blacklisting of Wayland.
* Remove unnecessary noblacklist lines for nodejs.
* Replace absolute paths to .inc files with filenames.
* Remove unneeded dbus whitelisting.
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Remove empty line
To keep consistent with other profiles, remove the blank line after the header comment.
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Add npm files to add-common-devel
So that our addition of npm paths to disable-programs.inc dose not break IDEs, we need to unblacklist these same paths in allow-common-devel.inc.
* Remove extra blank line
* Add common whitelist includes to npm profile
* Tighten npm profile
Include disable-exec.inc, but allowing ${HOME}.
* Remove whitelist-common.inc from npm profile
whitelist-common breaks npm, and since we don't know where the user's npm projects will be, leave the whitelist-common include in a comment with a note about how to enable it for their setup.
* Fix inverted commands
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
* Fixes for whitelisting
* Add login.defs to npm profile's private-etc
Co-authored-by: Aidan Gauland
Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
---
 etc/inc/allow-common-devel.inc | 4 +++
 etc/inc/allow-nodejs.inc | 6 ++++
 etc/inc/disable-programs.inc | 2 ++
 etc/profile-m-z/npm.profile | 64 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 76 insertions(+)
 create mode 100644 etc/inc/allow-nodejs.inc
 create mode 100644 etc/profile-m-z/npm.profile

diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 7cd087b14..68e91a09b 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -25,3 +25,7 @@ noblacklist ${HOME}/.cargo/registry
 noblacklist ${HOME}/.cargo/.crates.toml
 noblacklist ${HOME}/.cargo/.crates2.json
 noblacklist ${HOME}/.cargo/.package-cache
+
+# npm
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
new file mode 100644
index 000000000..78a4bed80
--- /dev/null
+++ b/etc/inc/allow-nodejs.inc
@@ -0,0 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-nodejs.local
+
+noblacklist ${PATH}/node
+noblacklist /usr/include/node
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index 74d45c4ca..2112c9b4f 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -760,6 +760,8 @@ blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
 blacklist ${HOME}/.nicotine
+blacklist ${HOME}/.npm
+blacklist ${HOME}/.npmrc
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openarena
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
new file mode 100644
index 000000000..2136fb443
--- /dev/null
+++ b/etc/profile-m-z/npm.profile
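Review bot: The new `noblacklist ${HOME}/.npmrc` line in allow-common-devel.inc re-exposes a file that commonly stores npm registry auth tokens to every profile that includes this .inc, not only to npm itself. If that is the intended trade-off for IDE profiles, the `# npm` comment should say so, e.g. `# npm (~/.npmrc may contain registry auth tokens)`, so maintainers of the including profiles can weigh it. A narrower alternative is to keep only `${HOME}/.npm` here and un-blacklist `.npmrc` in the profiles that actually run npm.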
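Review bot: allow-nodejs.inc is created in this commit but nothing here includes it — npm.profile does not, and no other profile is touched — so the file is unused until a follow-up wires it in. If it is meant to undo a node blacklist elsewhere (disable-interpreters.inc, presumably), a header line such as `# Re-enables node for profiles that include disable-interpreters.inc` would document the intended pairing; otherwise it may be cleaner to drop it from this change.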
@@ -0,0 +1,64 @@
+# Firejail profile for npm
+# Description: The Node.js Package Manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include npm.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/dash
+noblacklist ${PATH}/sh
+
+ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# If you want whitelisting, change the line below to your npm projects directory
+# and uncomment the lines below.
+#mkdir ${HOME}/.npm
+#mkfile ${HOME}/.npmrc
+#whitelist ${HOME}/.npm
+#whitelist ${HOME}/.npmrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
-- 
cgit v1.2.3-54-g00ecf
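Review bot: `ignore noexec ${HOME}` is the one deliberate relaxation in an otherwise tight profile — it cancels part of the `include disable-exec.inc` a few lines below — yet it carries no comment saying why; suggest `# npm runs binaries from the project tree (node_modules/.bin), so ${HOME} must stay executable` directly above it. The whitelisting comment is also ambiguous about which "line below" to edit; rewording it to `# To enable whitelisting, replace ${HOME}/Projects below with your npm projects directory and uncomment the mkdir/mkfile/whitelist/include lines.` names the target. Separately, `blacklist ${RUNUSER}` near the top and `include whitelist-runuser-common.inc` further down appear to pull in opposite directions; I believe the blacklist of the parent path wins, which would make the include a no-op, but that is worth confirming against how other no-GUI profiles combine the two.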