From b1c2d2a278efe3f91f955323a0c4da1281b36d08 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 20 Mar 2022 06:41:55 +0000
Subject: allow-nodejs.inc: add nvm support
---
 etc/inc/allow-nodejs.inc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
index 351c94ab8..f69d9eee2 100644
--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@@ -2,6 +2,8 @@
 # Persistent customizations should go in a .local file.
 include allow-nodejs.local
+ignore read-only ${HOME}/.nvm
+noblacklist ${HOME}/.nvm
 noblacklist ${PATH}/node
 noblacklist /usr/include/node
-- cgit v1.2.3-54-g00ecf
From 76c966877b31a11681027f872963883726cc4ae0 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 20 Mar 2022 06:46:34 +0000
Subject: curl: add nvm support comment
---
 etc/profile-a-l/curl.profile | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index 448d8b655..7d7863b6a 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -18,6 +18,10 @@ noblacklist ${HOME}/.curlrc
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
+# If you use nvm, add the below lines to your curl.local
+#ignore read-only ${HOME}/.nvm
+#noblacklist ${HOME}/.nvm
+
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
-- cgit v1.2.3-54-g00ecf
From 8012fef42dbd0ef94d58b511fe2b334a2d3dedb2 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 20 Mar 2022 06:56:22 +0000
Subject: nvm: remove profile
[nvm](https://github.com/nvm-sh/nvm) is implemented as a sourced shell function, not an executable binary. Regular sandboxing doesn't work but we can add nvm support to the applications used by it internally (curl, sha256sum, tar & wget).
---
 etc/profile-m-z/nvm.profile | 13 -------------
 1 file changed, 13 deletions(-)
 delete mode 100644 etc/profile-m-z/nvm.profile
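Review bot: `ignore read-only ${HOME}/.nvm`, the first added line, makes ~/.nvm writable in every profile that includes allow-nodejs.inc, while the sibling `noblacklist` only restores visibility; the `ignore` implies that some included file (presumably disable-common.inc, not visible here) marks ~/.nvm read-only in the same way as other shell-sourced dotfiles. ~/.nvm holds nvm.sh and the node binaries the user's own shell sources and runs, so an application that can write there can alter what later executes outside the sandbox. The profiles in this series that do need write access (curl, wget) get it through an opt-in `.local` comment, so consider dropping the `ignore read-only` line here and documenting the same opt-in in this file's header, e.g. `# If nvm needs to install into ~/.nvm, add 'ignore read-only ${HOME}/.nvm' to your .local`.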
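Review bot: The comment on the first added line tells users what to paste into curl.local but not why `ignore read-only ${HOME}/.nvm` is required, so a reader cannot judge what it gives up: once added, ~/.nvm, whose contents the user's shell sources, becomes writable for every curl invocation, not only those made by nvm. Suggest `# If you use nvm, add the below lines to your curl.local (nvm downloads node into ~/.nvm, so curl needs write access there)`. The same applies to the wget.profile hunk in commit 538050b; the sha256sum hunk only suggests `noblacklist`, which matches its read-only use.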
diff --git a/etc/profile-m-z/nvm.profile b/etc/profile-m-z/nvm.profile
deleted file mode 100644
index 80da22834..000000000
--- a/etc/profile-m-z/nvm.profile
+++ /dev/null
@@ -1,13 +0,0 @@
-# Firejail profile for nvm
-# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions
-quiet
-# This file is overwritten after every install/update
-# Persistent local customizations
-include nvm.local
-# Persistent global definitions
-include globals.local
-
-ignore noroot
-
-# Redirect
-include nodejs-common.profile
-- cgit v1.2.3-54-g00ecf
From 713249c988d4b0c3c4754b2a1ac837e5d194a420 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 20 Mar 2022 06:59:05 +0000
Subject: sha256sum: add nvm support comment
---
 etc/profile-m-z/sha256sum.profile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/etc/profile-m-z/sha256sum.profile b/etc/profile-m-z/sha256sum.profile
index 48944ebea..45ddecd2d 100644
--- a/etc/profile-m-z/sha256sum.profile
+++ b/etc/profile-m-z/sha256sum.profile
@@ -7,6 +7,9 @@ include sha256sum.local
 # Persistent global definitions
 include globals.local
+# If you use nvm, add the below lines to your sha256sum.local
+#noblacklist ${HOME}/.nvm
+
 private-bin sha256sum
 # Redirect
-- cgit v1.2.3-54-g00ecf
From d96cf4c8c674716df7f0cbfbdcdf939080c7cd4e Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 20 Mar 2022 07:01:09 +0000
Subject: tar: add nvm support comment
---
 etc/profile-m-z/tar.profile | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/etc/profile-m-z/tar.profile b/etc/profile-m-z/tar.profile
index 0817adda8..a9d0a60d1 100644
--- a/etc/profile-m-z/tar.profile
+++ b/etc/profile-m-z/tar.profile
@@ -7,6 +7,9 @@ include tar.local
 # Persistent global definitions
 include globals.local
+# If you use nvm, add the below lines to your tar.local
+#noblacklist ${HOME}/.nvm
+
 # Included in archiver-common.profile
 ignore include disable-shell.inc
-- cgit v1.2.3-54-g00ecf
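Review bot: The added tar.local hint only suggests `#noblacklist ${HOME}/.nvm`, whereas the curl and wget hunks in this series also suggest `ignore read-only ${HOME}/.nvm`. nvm invokes tar to unpack the downloaded node archive, and that extraction presumably lands under ~/.nvm; if tar's profile chain (archiver-common.profile, named in the context line but not visible here) applies `read-only` to ~/.nvm or to the home directory, the extraction would still fail with only `noblacklist`. Worth confirming with an `nvm install` against the sandboxed tar, and adding `#ignore read-only ${HOME}/.nvm` to the hint if it turns out to be needed.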
From d09d1dc4a80d8dcdab53644a8fa22d7ee087d1a0 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 20 Mar 2022 07:03:36 +0000
Subject: webstorm: fix ordering
---
 etc/profile-m-z/webstorm.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/profile-m-z/webstorm.profile b/etc/profile-m-z/webstorm.profile
index 4d849c582..52d2091fe 100644
--- a/etc/profile-m-z/webstorm.profile
+++ b/etc/profile-m-z/webstorm.profile
@@ -18,8 +18,8 @@ include allow-common-devel.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
-noblacklist ${PATH}/node
 noblacklist ${HOME}/.nvm
+noblacklist ${PATH}/node
 include disable-common.inc
 include disable-devel.inc
-- cgit v1.2.3-54-g00ecf
From 114e4eba27b3d92952d1dcb5d756b6f0c0bd0f02 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 20 Mar 2022 07:05:35 +0000
Subject: webui-aria2: add nvm support
---
 etc/profile-m-z/webui-aria2.profile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/etc/profile-m-z/webui-aria2.profile b/etc/profile-m-z/webui-aria2.profile
index 2fe727b9c..1aa546a29 100644
--- a/etc/profile-m-z/webui-aria2.profile
+++ b/etc/profile-m-z/webui-aria2.profile
@@ -6,6 +6,7 @@ include webui-aria2.local
 # Persistent global definitions
 include globals.local
+noblacklist ${HOME}/.nvm
 noblacklist ${PATH}/node
 include disable-common.inc
-- cgit v1.2.3-54-g00ecf
From 538050b981892cf026db7be57087c3a099bf974d Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 20 Mar 2022 07:08:44 +0000
Subject: wget: add nvm support comment
---
 etc/profile-m-z/wget.profile | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index 4c21d6965..82af30d2a 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -11,6 +11,10 @@ noblacklist ${HOME}/.netrc
 noblacklist ${HOME}/.wget-hsts
 noblacklist ${HOME}/.wgetrc
+# If you use nvm, add the below lines to your wget.local
+#ignore read-only ${HOME}/.nvm
+#noblacklist ${HOME}/.nvm
+
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
-- cgit v1.2.3-54-g00ecf
From bc185a94c839b04a18786acb285977821591fcb5 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 20 Mar 2022 07:33:25 +0000
Subject: nodejs-common: add comment & minor hardening
---
 etc/profile-m-z/nodejs-common.profile | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index ab69136f6..6382c29f4 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,14 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
-blacklist /tmp/.X11-unix
+NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# using the `#!/usr/bin/env node` shebang. By sandboxing node the full
+# node.js stack will be firejailed. The only exception is nvm, which is implemented
+# as a sourced shell function, not an executable binary. Hence it is not
+# directly firejailable. You can work around this by sandboxing the programs
+# used by nvm: curl, sha256sum, tar and wget. We have comments in these
+# profiles on how to enable nvm support via local overrides.
+
 blacklist ${RUNUSER}
 ignore read-only ${HOME}/.npm-packages
@@ -25,13 +32,13 @@ noblacklist ${HOME}/.yarncache
 noblacklist ${HOME}/.yarnrc
 ignore noexec ${HOME}
-
 include allow-bin-sh.inc
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 # If you want whitelisting, change ${HOME}/Projects below to your node projects directory
@@ -73,6 +80,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
-- cgit v1.2.3-54-g00ecf
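Review bot: The first added line of the first nodejs-common hunk, `NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts`, lacks the leading `#`, so firejail would read it as a directive and most likely reject the profile, and with it every caller that redirects to nodejs-common.profile, at this commit. The last commit in this series, 376c100, adds the missing `#`; squashing that fix into this commit keeps the history bisectable. The other two hunks (disable-X11.inc in place of `blacklist /tmp/.X11-unix`, and `noprinters`) look fine.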
From ee8c57ee5fbb9c1dff42f48777b53cc1631ea114 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 20 Mar 2022 07:43:21 +0000
Subject: Create node-gyp.profile
---
 etc/profile-m-z/node-gyp.profile | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 etc/profile-m-z/node-gyp.profile
diff --git a/etc/profile-m-z/node-gyp.profile b/etc/profile-m-z/node-gyp.profile
new file mode 100644
index 000000000..015607087
--- /dev/null
+++ b/etc/profile-m-z/node-gyp.profile
@@ -0,0 +1,11 @@
+# Firejail profile for node-gyp
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include node-gyp.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
-- cgit v1.2.3-54-g00ecf
From 41b62007245ad7a1814b2cd2e59b7deab18eccdd Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 20 Mar 2022 07:45:08 +0000
Subject: Create npx.profile
---
 etc/profile-m-z/npx.profile | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 etc/profile-m-z/npx.profile
diff --git a/etc/profile-m-z/npx.profile b/etc/profile-m-z/npx.profile
new file mode 100644
index 000000000..6d5602c88
--- /dev/null
+++ b/etc/profile-m-z/npx.profile
@@ -0,0 +1,11 @@
+# Firejail profile for npx
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include npx.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
-- cgit v1.2.3-54-g00ecf
From e9a23a427e78280ac6ff0335b8e074ae72bf3778 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 20 Mar 2022 07:47:27 +0000
Subject: Create semver.profile
---
 etc/profile-m-z/semver.profile | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 etc/profile-m-z/semver.profile
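Review bot: node-gyp.profile redirects unchanged to nodejs-common.profile, but node-gyp differs from the other node scripts listed in this series in that it spawns python and a C/C++ toolchain (make, a compiler) to build native addons. As far as is visible in this series, nodejs-common.profile includes disable-exec.inc and disable-shell.inc and only re-allows /bin/sh via allow-bin-sh.inc, so a native build may fail under this profile. Worth confirming that a native-module build (for example `npm rebuild` of a package that ships a binding.gyp) works before shipping, or documenting the required .local overrides in a comment in the profile header.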
diff --git a/etc/profile-m-z/semver.profile b/etc/profile-m-z/semver.profile
new file mode 100644
index 000000000..3e0c19b8b
--- /dev/null
+++ b/etc/profile-m-z/semver.profile
@@ -0,0 +1,11 @@
+# Firejail profile for semver
+# Description: Part of the Node.js stack
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include semver.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
-- cgit v1.2.3-54-g00ecf
From 376c100779ae7e26bbbd68d5550bab6e2eaa6a35 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Mon, 21 Mar 2022 03:15:06 +0000
Subject: nodejs-common: fix note
---
 etc/profile-m-z/nodejs-common.profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 6382c29f4..dd3080ad9 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,7 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
-NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
 # using the `#!/usr/bin/env node` shebang. By sandboxing node the full
 # node.js stack will be firejailed. The only exception is nvm, which is implemented
 # as a sourced shell function, not an executable binary. Hence it is not
-- cgit v1.2.3-54-g00ecf