Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add profile for luarocks #4596

Draft
wants to merge 13 commits into
base: master
Choose a base branch
from
Draft

Add profile for luarocks #4596

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
990ffbb
Add profile for luarocks
matu3ba Oct 7, 2021
eb7dab0
use allow-lua as its smaller.
matu3ba Oct 8, 2021
4e670d2
remove disable-write-mnt
matu3ba Oct 8, 2021
5df4c63
shortening (default-disabled) private-etc
matu3ba Oct 8, 2021
f6f0021
remove private-bin and s/allow/whitelist
matu3ba Oct 8, 2021
65242d9
add luarocks to firecfg.config
matu3ba Oct 8, 2021
4c5ca65
fix allow-lua.inc and disable-interpreters.inc
matu3ba Oct 8, 2021
161df63
add seccomp.block-secondary
matu3ba Oct 8, 2021
29ef011
update luarocks profile
matu3ba Oct 8, 2021
e610d2e
Merge branch 'luarocks' of github.com:matu3ba/firejail into luarocks
matu3ba Oct 8, 2021
f3e9ea0
update luarocks profile
matu3ba Oct 8, 2021
ce1b231
add whitelist-var-common and whitelist-run-common
matu3ba Oct 8, 2021
1d1f524
fix order
matu3ba Oct 8, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Add profile for luarocks 
DO NOT MERGE! Please review.

MERGE BLOCKER: firecfg does not create the necessary symlink in
/usr/local/bin
/usr/bin/luarocks however is a proper working binary.

Another annoyance from this: Neovim has a package manager called packer,
which pollutes $HOME with manifest-5-[1-4].zip and a pile of .rockspec
and .src.rock files.
  • Loading branch information
@matu3ba
matu3ba committed Oct 7, 2021
commit 990ffbb86919c12d5b2712b7d422d680eaea2d04
74 changes: 74 additions & 0 deletions etc/profile-a-l/luarocks.profile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,74 @@
# Firejail profile for luarocks
# Description: LuaRocks is the package manager for the Lua programming language.
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include luarocks.local
# Persistent global definitions
include globals.local

# disable blacklist for lua interpreter paths
noblacklist ${PATH}/lua*
noblacklist /usr/include/lua*
noblacklist /usr/lib/liblua*
noblacklist /usr/lib/lua
noblacklist /usr/lib64/liblua*
noblacklist /usr/lib64/lua
noblacklist /usr/share/lua*
matu3ba marked this conversation as resolved.
Show resolved Hide resolved

matu3ba marked this conversation as resolved.
Show resolved Hide resolved
include disable-common.inc
# luarocks can invoke compilers
#include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
# luarocks is hacky and needs shell access
#include disable-shell.inc
matu3ba marked this conversation as resolved.
Show resolved Hide resolved
include disable-write-mnt.inc
matu3ba marked this conversation as resolved.
Show resolved Hide resolved
include disable-xdg.inc

allow ${HOME}/.netrc
allow ${HOME}/.config/pkcs11
allow ${HOME}/.wget-hsts
allow ${HOME}/.cache/luarocks
allow ${HOME}/luarocks/cmd/external
allow ${HOME}/.nix-profile/bin
allow ${HOME}/.luarocks
allow ${HOME}/.config/luarocks

allow /usr/share/ca-certificates
allow /usr/share/p11-kit
allow /usr/share/terminfo
allow /usr/share/lua
rusty-snake marked this conversation as resolved.
Show resolved Hide resolved
rusty-snake marked this conversation as resolved.
Show resolved Hide resolved

# apparmor
caps.drop all
ipc-namespace
machine-id
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
matu3ba marked this conversation as resolved.
Show resolved Hide resolved
shell none
tracelog

disable-mnt
#private-bin md5sum,chmod,unzip,wget,gcc,bash,lua,luarocks
rusty-snake marked this conversation as resolved.
Show resolved Hide resolved
private-cache
private-dev
#private-etc ssl,ca-certificates,pkcs11,wgetrc,login.defs,luarocks,
matu3ba marked this conversation as resolved.
Show resolved Hide resolved
private-tmp

dbus-user none
dbus-system none

read-write ${HOME}/.luarocks