From bc185a94c839b04a18786acb285977821591fcb5 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sun, 20 Mar 2022 07:33:25 +0000
Subject: nodejs-common: add comment & minor hardening

---
 etc/profile-m-z/nodejs-common.profile | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index ab69136f6..6382c29f4 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,7 +7,14 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-blacklist /tmp/.X11-unix
+NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts
+# using the `#!/usr/bin/env node` shebang. By sandboxing node the full
+# node.js stack will be firejailed. The only exception is nvm, which is implemented
+# as a sourced shell function, not an executable binary. Hence it is not
+# directly firejailable. You can work around this by sandboxing the programs
+# used by nvm: curl, sha256sum, tar and wget. We have comments in these
+# profiles on how to enable nvm support via local overrides.
+
 blacklist ${RUNUSER}
 
 ignore read-only ${HOME}/.npm-packages
@@ -25,13 +32,13 @@ noblacklist ${HOME}/.yarncache
 noblacklist ${HOME}/.yarnrc
 
 ignore noexec ${HOME}
 
-
 include allow-bin-sh.inc
 include disable-common.inc
 include disable-exec.inc
 include disable-programs.inc
 include disable-shell.inc
+include disable-X11.inc
 include disable-xdg.inc
 
 # If you want whitelisting, change ${HOME}/Projects below to your node projects directory
@@ -73,6 +80,7 @@ nodvd
 nogroups
 noinput
 nonewprivs
+noprinters
 noroot
 nosound
 notv
-- 
cgit v1.2.3-70-g09d2
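Review bot: The first line of the new comment block in the first hunk, `+NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts`, has no leading `#`, while the six lines that follow it do; as written it would be parsed as a profile directive rather than a comment, which is likely to break loading of every profile that includes nodejs-common.profile. Unless the `#` was lost in rendering, it should read `# NOTE: gulp, node-gyp, npm, npx, semver and yarn are all node scripts`. It would also help readers to note in that comment that the removed `blacklist /tmp/.X11-unix` is presumably now covered by the `include disable-X11.inc` added in the second hunk, so the X11 hardening is not mistaken for an accidental drop.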