refactor nodejs applications (npm & yarn) (#3876)

* add yarn & reorder * add node-gyp & yarn files * Create nodejs-common.profile * Create yarn.profile * refactor npm.profile * add new profile: yarn * read-only's for npm/yarn Thanks to the [suggestion](#3876 (review)) from @kmk3. * ignore read-only's for npm As [suggested](#3876 (review)) by @kmk3. * ignore read-only for yarn As suggested in #3876 (review) by @kmk3. * remove quiet from nodejs-common.profile quiet should go into the caller profiles instead * add quiet to npm.profile Thanks @rusty-snake for the review. * re-ordering some options * re-ordering
netblue30 · Jan 11, 2021 · 37452ef · 37452ef
1 parent 2c85ded
commit 37452ef
Show file tree

Hide file tree

Showing 7 changed files with 109 additions and 49 deletions.
diff --git a/README.md b/README.md
@@ -195,4 +195,4 @@ Stats:
 
 ### New profiles:
 
-spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, tutanota-desktop, npm, marker
+spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, tutanota-desktop, npm, marker, yarn
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
@@ -11,6 +11,15 @@ noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.java
 
+# Node.js
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
 # Python
 noblacklist ${HOME}/.pylint.d
 noblacklist ${HOME}/.python-history
@@ -25,7 +34,3 @@ noblacklist ${HOME}/.cargo/registry
 noblacklist ${HOME}/.cargo/.crates.toml
 noblacklist ${HOME}/.cargo/.crates2.json
 noblacklist ${HOME}/.cargo/.package-cache
-
-# npm
-noblacklist ${HOME}/.npm
-noblacklist ${HOME}/.npmrc
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
@@ -310,6 +310,7 @@ read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
 read-only ${HOME}/.nano
+read-only ${HOME}/.npmrc
 read-only ${HOME}/.pythonrc.py
 read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.tmux.conf
@@ -318,6 +319,7 @@ read-only ${HOME}/.viminfo
 read-only ${HOME}/.vimrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
+read-only ${HOME}/.yarnrc
 read-only ${HOME}/_exrc
 read-only ${HOME}/_gvimrc
 read-only ${HOME}/_vimrc

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
@@ -761,6 +761,7 @@ blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
 blacklist ${HOME}/.nicotine
+blacklist ${HOME}/.node-gyp
 blacklist ${HOME}/.npm
 blacklist ${HOME}/.npmrc
 blacklist ${HOME}/.nv
@@ -849,6 +850,10 @@ blacklist ${HOME}/.xmr-stak
 blacklist ${HOME}/.xonotic
 blacklist ${HOME}/.xournalpp
 blacklist ${HOME}/.xpdfrc
+blacklist ${HOME}/.yarn
+blacklist ${HOME}/.yarn-config
+blacklist ${HOME}/.yarncache
+blacklist ${HOME}/.yarnrc
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
 blacklist /tmp/ssh-*

diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
@@ -0,0 +1,54 @@
+# Firejail profile for Node.js
+# Description: Common profile for npm/yarn
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nodejs-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+ignore noexec ${HOME}
+
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/dash
+noblacklist ${PATH}/sh
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
@@ -1,64 +1,29 @@
 # Firejail profile for npm
 # Description: The Node.js Package Manager
+quiet
 # This file is overwritten after every install/update
 # Persistent local customizations
 include npm.local
 # Persistent global definitions
 include globals.local
 
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
+ignore read-only ${HOME}/.npm-packages
+ignore read-only ${HOME}/.npmrc
 
+noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
 
-noblacklist ${PATH}/bash
-noblacklist ${PATH}/dash
-noblacklist ${PATH}/sh
-
-ignore noexec ${HOME}
-
-include disable-common.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-
-# If you want whitelisting, change the line below to your npm projects directory
+# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
 # and uncomment the lines below.
+#mkdir ${HOME}/.node-gyp
 #mkdir ${HOME}/.npm
 #mkfile ${HOME}/.npmrc
+#whitelist ${HOME}/.node-gyp
 #whitelist ${HOME}/.npm
 #whitelist ${HOME}/.npmrc
 #whitelist ${HOME}/Projects
 #include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-seccomp.block-secondary
-shell none
-
-disable-mnt
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
-private-tmp
 
-dbus-user none
-dbus-system none
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile
@@ -0,0 +1,29 @@
+# Firejail profile for yarn
+# Description: Fast, reliable, and secure dependency management
+quiet
+# Persistent local customizations
+include yarn.local
+# Persistent global definitions
+include globals.local
+
+ignore read-only ${HOME}/.yarnrc
+
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
+# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below.
+#mkdir ${HOME}/.yarn
+#mkdir ${HOME}/.yarn-config
+#mkdir ${HOME}/.yarncache
+#mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.yarn
+#whitelist ${HOME}/.yarn-config
+#whitelist ${HOME}/.yarncache
+#whitelist ${HOME}/.yarnrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+# Redirect
+include nodejs-common.profile