Add profile for npm (netblue30#3866)

* Add profile for npm * Apply suggestions from code review * Remove redundant blacklisting of Wayland. * Remove unnecessary noblacklist lines for nodejs. * Replace absolute paths to .inc files with filenames. * Remove unneeded dbus whitelisting. Co-authored-by: rusty-snake <[email protected]> * Remove empty line To keep consistent with other profiles, remove the blank line after the header comment. Co-authored-by: rusty-snake <[email protected]> * Add npm files to add-common-devel So that our addition of npm paths to disable-programs.inc dose not break IDEs, we need to unblacklist these same paths in allow-common-devel.inc. * Remove extra blank line * Add common whitelist includes to npm profile * Tighten npm profile Include disable-exec.inc, but allowing ${HOME}. * Remove whitelist-common.inc from npm profile whitelist-common breaks npm, and since we don't know where the user's npm projects will be, leave the whitelist-common include in a comment with a note about how to enable it for their setup. * Fix inverted commands Co-authored-by: rusty-snake <[email protected]> * Fixes for whitelisting * Add login.defs to npm profile's private-etc Co-authored-by: Aidan Gauland <[email protected]> Co-authored-by: rusty-snake <[email protected]>
kmk3 · Jan 8, 2021 · 3203dd2 · 3203dd2
1 parent d94e757
commit 3203dd2
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 0 deletions.
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
@@ -25,3 +25,7 @@ noblacklist ${HOME}/.cargo/registry
 noblacklist ${HOME}/.cargo/.crates.toml
 noblacklist ${HOME}/.cargo/.crates2.json
 noblacklist ${HOME}/.cargo/.package-cache
+
+# npm
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
@@ -0,0 +1,6 @@
+# This file is overwritten during software install.
+# Persistent customizations should go in a .local file.
+include allow-nodejs.local
+
+noblacklist ${PATH}/node
+noblacklist /usr/include/node
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
@@ -760,6 +760,8 @@ blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
 blacklist ${HOME}/.nicotine
+blacklist ${HOME}/.npm
+blacklist ${HOME}/.npmrc
 blacklist ${HOME}/.nv
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openarena

diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
@@ -0,0 +1,64 @@
+# Firejail profile for npm
+# Description: The Node.js Package Manager
+# This file is overwritten after every install/update
+# Persistent local customizations
+include npm.local
+# Persistent global definitions
+include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/dash
+noblacklist ${PATH}/sh
+
+ignore noexec ${HOME}
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+# If you want whitelisting, change the line below to your npm projects directory
+# and uncomment the lines below.
+#mkdir ${HOME}/.npm
+#mkfile ${HOME}/.npmrc
+#whitelist ${HOME}/.npm
+#whitelist ${HOME}/.npmrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none