From 37452ef1a71473b87431c3c708d3b31ca1b7a25f Mon Sep 17 00:00:00 2001 From: glitsj16 Date: Mon, 11 Jan 2021 17:32:31 +0000 Subject: refactor nodejs applications (npm & yarn) (#3876) * add yarn & reorder * add node-gyp & yarn files * Create nodejs-common.profile * Create yarn.profile * refactor npm.profile * add new profile: yarn * read-only's for npm/yarn Thanks to the [suggestion](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) from @kmk3. * ignore read-only's for npm As [suggested](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) by @kmk3. * ignore read-only for yarn As suggested in https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989 by @kmk3. * remove quiet from nodejs-common.profile quiet should go into the caller profiles instead * add quiet to npm.profile Thanks @rusty-snake for the review. * re-ordering some options * re-ordering --- README.md | 2 +- etc/inc/allow-common-devel.inc | 13 ++++++--- etc/inc/disable-common.inc | 2 ++ etc/inc/disable-programs.inc | 5 ++++ etc/profile-m-z/nodejs-common.profile | 54 +++++++++++++++++++++++++++++++++++ etc/profile-m-z/npm.profile | 53 ++++++---------------------------- etc/profile-m-z/yarn.profile | 29 +++++++++++++++++++ 7 files changed, 109 insertions(+), 49 deletions(-) create mode 100644 etc/profile-m-z/nodejs-common.profile create mode 100644 etc/profile-m-z/yarn.profile diff --git a/README.md b/README.md index ff578196f..e9e3ca106 100644 --- a/README.md +++ b/README.md @@ -195,4 +195,4 @@ Stats: ### New profiles: -spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, tutanota-desktop, npm, marker +spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, tutanota-desktop, npm, marker, yarn 
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc index 68e91a09b..41643657d 100644 --- a/etc/inc/allow-common-devel.inc +++ b/etc/inc/allow-common-devel.inc @@ -11,6 +11,15 @@ noblacklist ${HOME}/.git-credentials noblacklist ${HOME}/.gradle noblacklist ${HOME}/.java +# Node.js +noblacklist ${HOME}/.node-gyp +noblacklist ${HOME}/.npm +noblacklist ${HOME}/.npmrc +noblacklist ${HOME}/.yarn +noblacklist ${HOME}/.yarn-config +noblacklist ${HOME}/.yarncache +noblacklist ${HOME}/.yarnrc + # Python noblacklist ${HOME}/.pylint.d noblacklist ${HOME}/.python-history @@ -25,7 +34,3 @@ noblacklist ${HOME}/.cargo/registry noblacklist ${HOME}/.cargo/.crates.toml noblacklist ${HOME}/.cargo/.crates2.json noblacklist ${HOME}/.cargo/.package-cache - -# npm -noblacklist ${HOME}/.npm -noblacklist ${HOME}/.npmrc diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc index d88506d90..0de539d57 100644 --- a/etc/inc/disable-common.inc +++ b/etc/inc/disable-common.inc @@ -310,6 +310,7 @@ read-only ${HOME}/.msmtprc read-only ${HOME}/.mutt/muttrc read-only ${HOME}/.muttrc read-only ${HOME}/.nano +read-only ${HOME}/.npmrc read-only ${HOME}/.pythonrc.py read-only ${HOME}/.reportbugrc read-only ${HOME}/.tmux.conf @@ -318,6 +319,7 @@ read-only ${HOME}/.viminfo read-only ${HOME}/.vimrc read-only ${HOME}/.xmonad read-only ${HOME}/.xscreensaver +read-only ${HOME}/.yarnrc read-only ${HOME}/_exrc read-only ${HOME}/_gvimrc read-only ${HOME}/_vimrc diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc index f5bce4ba4..74cbfbcbe 100644 --- a/etc/inc/disable-programs.inc +++ b/etc/inc/disable-programs.inc @@ -761,6 +761,7 @@ blacklist ${HOME}/.neverball blacklist ${HOME}/.newsbeuter blacklist ${HOME}/.newsboat blacklist ${HOME}/.nicotine +blacklist ${HOME}/.node-gyp blacklist ${HOME}/.npm blacklist ${HOME}/.npmrc blacklist ${HOME}/.nv 
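Review bot: The new `noblacklist ${HOME}/.npmrc` and `noblacklist ${HOME}/.yarnrc` lines in allow-common-devel.inc open those files to every profile that includes this .inc, not only npm and yarn; both files commonly hold registry auth tokens, and the matching `read-only` entries this commit adds to disable-common.inc only block writes, so any sandboxed dev tool that pulls in this include can still read the secrets. That is the same trade-off already taken for `.git-credentials` a few lines above, so it is presumably intended, but it deserves a comment next to the Node.js block, e.g. `# ~/.npmrc and ~/.yarnrc may hold registry auth tokens; read-only via disable-common.inc, but still readable`. Alternatively keep the two rc files out of the shared include and leave them in npm.profile and yarn.profile only, where the same noblacklist lines already exist.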
@@ -849,6 +850,10 @@ blacklist ${HOME}/.xmr-stak
 blacklist ${HOME}/.xonotic
 blacklist ${HOME}/.xournalpp
 blacklist ${HOME}/.xpdfrc
+blacklist ${HOME}/.yarn
+blacklist ${HOME}/.yarn-config
+blacklist ${HOME}/.yarncache
+blacklist ${HOME}/.yarnrc
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
 blacklist /tmp/ssh-*
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
new file mode 100644
index 000000000..acef622c2
--- /dev/null
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -0,0 +1,54 @@
+# Firejail profile for Node.js
+# Description: Common profile for npm/yarn
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nodejs-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+ignore noexec ${HOME}
+
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/dash
+noblacklist ${PATH}/sh
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
index 2136fb443..e95e875be 100644
--- a/etc/profile-m-z/npm.profile
+++ b/etc/profile-m-z/npm.profile
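Review bot: nodejs-common.profile re-enables executables under $HOME (`ignore noexec ${HOME}`) and the system shells (`noblacklist ${PATH}/bash`, `dash`, `sh`, placed ahead of `include disable-shell.inc`) without saying why, and combined with `netfilter` plus `protocol unix,inet,inet6,netlink` this means every lifecycle script of a package that npm or yarn installs runs with a shell, executable node_modules and outbound network inside the sandbox — which is the main exposure a user of these profiles carries. Add a comment above those lines, e.g. `# package lifecycle scripts (preinstall/postinstall) need a shell and an executable $HOME; this is why noexec and the shells are relaxed here`, so the relaxation is not mistaken for an oversight and later "hardened away". It would also help to state that the commented whitelist block in the caller profiles (npm.profile, yarn.profile) is the intended way to keep such scripts away from the rest of $HOME. The `# added by caller profile` remark next to `#include globals.local` presumably relies on each caller including globals.local before its `include nodejs-common.profile` redirect; one sentence making that ordering explicit would save the next profile author from guessing.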
@@ -1,64 +1,29 @@ # Firejail profile for npm # Description: The Node.js Package Manager +quiet # This file is overwritten after every install/update # Persistent local customizations include npm.local # Persistent global definitions include globals.local -blacklist /tmp/.X11-unix -blacklist ${RUNUSER} +ignore read-only ${HOME}/.npm-packages +ignore read-only ${HOME}/.npmrc +noblacklist ${HOME}/.node-gyp noblacklist ${HOME}/.npm noblacklist ${HOME}/.npmrc -noblacklist ${PATH}/bash -noblacklist ${PATH}/dash -noblacklist ${PATH}/sh - -ignore noexec ${HOME} - -include disable-common.inc -include disable-exec.inc -include disable-passwdmgr.inc -include disable-programs.inc -include disable-shell.inc -include disable-xdg.inc - -# If you want whitelisting, change the line below to your npm projects directory +# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory # and uncomment the lines below. +#mkdir ${HOME}/.node-gyp #mkdir ${HOME}/.npm #mkfile ${HOME}/.npmrc +#whitelist ${HOME}/.node-gyp #whitelist ${HOME}/.npm #whitelist ${HOME}/.npmrc #whitelist ${HOME}/Projects #include whitelist-common.inc -include whitelist-runuser-common.inc -include whitelist-usr-share-common.inc -include whitelist-var-common.inc - -caps.drop all -ipc-namespace -machine-id -netfilter -no3d -nodvd -nogroups -nonewprivs -noroot -nosound -notv -nou2f -novideo -protocol unix,inet,inet6,netlink -seccomp -seccomp.block-secondary -shell none - -disable-mnt -private-dev -private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg -private-tmp -dbus-user none -dbus-system none +# Redirect +include nodejs-common.profile diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile new file mode 100644 index 000000000..f20225050 --- /dev/null 
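Review bot: `ignore read-only ${HOME}/.npm-packages` has no counterpart anywhere in this commit — nothing here marks that directory read-only or noblacklists it — and the whitelist template right below does not mention it either, so a user who enables whitelisting loses a `prefix=~/.npm-packages` global install location while the ignore line still implies it is supported. If ~/.npm-packages is meant to be supported, add `#mkdir ${HOME}/.npm-packages` and `#whitelist ${HOME}/.npm-packages` to the template together with a comment such as `# ~/.npm-packages: common user-level prefix for npm -g installs`; otherwise drop the ignore line. `ignore read-only ${HOME}/.npmrc` is needed because `npm login` and `npm config set` write that file, and since it is also where registry auth tokens end up, a one-line comment stating both facts would help the next reader understand why the disable-common.inc protection is being switched off here.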
+++ b/etc/profile-m-z/yarn.profile
@@ -0,0 +1,29 @@
+# Firejail profile for yarn
+# Description: Fast, reliable, and secure dependency management
+quiet
+# Persistent local customizations
+include yarn.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.yarnrc
+
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
+# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below.
+#mkdir ${HOME}/.yarn
+#mkdir ${HOME}/.yarn-config
+#mkdir ${HOME}/.yarncache
+#mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.yarn
+#whitelist ${HOME}/.yarn-config
+#whitelist ${HOME}/.yarncache
+#whitelist ${HOME}/.yarnrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+# Redirect
+include nodejs-common.profile
-- 
cgit v1.2.3-70-g09d2
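Review bot: yarn.profile lacks the `# This file is overwritten after every install/update` header line that npm.profile and nodejs-common.profile carry, so a user editing it is not warned that their changes will be lost and that `yarn.local` is the place for customizations; add that line between the Description and the local-customizations comment to match the sibling profiles. `ignore read-only ${HOME}/.yarnrc` deserves the same one-line justification as the rest of the relaxations (`yarn login`/`yarn config set` write the file, and it can hold registry credentials). If Yarn 2+ is in scope, its `~/.yarnrc.yml` is presumably not covered by the noblacklist or whitelist lists here, while `~/.yarn` already covers its cache; a comment stating which Yarn versions this profile targets would make that gap explicit.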