From 39f1d8bfd278caf65d0ce8eac36cc35dafb44895 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 8 Jan 2021 22:32:37 +0000
Subject: [PATCH 01/13] add yarn & reorder
---
 etc/inc/allow-common-devel.inc | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 68e91a09b27..41643657d53 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -11,6 +11,15 @@ noblacklist ${HOME}/.git-credentials
 noblacklist ${HOME}/.gradle
 noblacklist ${HOME}/.java
+# Node.js
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
 # Python
 noblacklist ${HOME}/.pylint.d
 noblacklist ${HOME}/.python-history
@@ -25,7 +34,3 @@ noblacklist ${HOME}/.cargo/registry
 noblacklist ${HOME}/.cargo/.crates.toml
 noblacklist ${HOME}/.cargo/.crates2.json
 noblacklist ${HOME}/.cargo/.package-cache
-
-# npm
-noblacklist ${HOME}/.npm
-noblacklist ${HOME}/.npmrc
From 116920a3a8054c7e8ecf2bc14a46ddd660696a38 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 8 Jan 2021 22:35:58 +0000
Subject: [PATCH 02/13] add node-gyp & yarn files
---
 etc/inc/disable-programs.inc | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index e3fa10ed089..5f329ba42cc 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -760,6 +760,7 @@ blacklist ${HOME}/.neverball
 blacklist ${HOME}/.newsbeuter
 blacklist ${HOME}/.newsboat
 blacklist ${HOME}/.nicotine
+blacklist ${HOME}/.node-gyp
 blacklist ${HOME}/.npm
 blacklist ${HOME}/.npmrc
 blacklist ${HOME}/.nv
@@ -848,6 +849,10 @@ blacklist ${HOME}/.xmr-stak
 blacklist ${HOME}/.xonotic
 blacklist ${HOME}/.xournalpp
 blacklist ${HOME}/.xpdfrc
+blacklist ${HOME}/.yarn
+blacklist ${HOME}/.yarn-config
+blacklist ${HOME}/.yarncache
+blacklist ${HOME}/.yarnrc
 blacklist ${HOME}/.zoom
 blacklist /tmp/akonadi-*
 blacklist /tmp/ssh-*
From cb3a4c2ed08cedb3cb7eab9ae25bf86bcf45df8a Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 8 Jan 2021 22:38:30 +0000
Subject: [PATCH 03/13] Create nodejs-common.profile
---
 etc/profile-m-z/nodejs-common.profile | 55 +++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 etc/profile-m-z/nodejs-common.profile
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
new file mode 100644
index 00000000000..71d473aef26
--- /dev/null
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -0,0 +1,55 @@
+# Firejail profile for Node.js
+# Description: Common profile for npm/yarn
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nodejs-common.local
+# Persistent global definitions
+# added by caller profile
+#include globals.local
+
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}
+
+ignore noexec ${HOME}
+
+noblacklist ${PATH}/bash
+noblacklist ${PATH}/dash
+noblacklist ${PATH}/sh
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+include disable-shell.inc
+include disable-xdg.inc
+
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
+include whitelist-var-common.inc
+
+caps.drop all
+ipc-namespace
+machine-id
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+noroot
+nosound
+notv
+nou2f
+novideo
+protocol unix,inet,inet6,netlink
+seccomp
+seccomp.block-secondary
+shell none
+
+disable-mnt
+private-dev
+private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+private-tmp
+
+dbus-user none
+dbus-system none
From 557cc4efb17386198de854ea38381324dea4e46e Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 8 Jan 2021 22:39:38 +0000
Subject: [PATCH 04/13] Create yarn.profile
---
 etc/profile-m-z/yarn.profile | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 etc/profile-m-z/yarn.profile
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile
new file mode 100644
index 00000000000..06a5e0fc2f1
--- /dev/null
+++ b/etc/profile-m-z/yarn.profile
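Review bot: The `ignore noexec ${HOME}` line, together with the `noblacklist ${PATH}/bash`/`dash`/`sh` lines and the open `protocol unix,inet,inet6,netlink`, means a package lifecycle (postinstall) script runs with execute rights and network egress over everything in home that disable-*.inc does not blacklist, since nothing in this file whitelists `${HOME}`. That is presumably deliberate (node-gyp builds and node_modules/.bin need exec), but it is the main residual risk of a package-manager sandbox and the file does not say so; add at the `ignore noexec ${HOME}` line `# npm/yarn need to run lifecycle scripts and node_modules/.bin; use the whitelist block in the caller profile to confine what they can touch`. If I remember firejail's parser right, `ignore` only cancels lines parsed after it, so the line must stay above `include disable-exec.inc` as it is now; a short comment to that effect would stop a future reorder from silently breaking it.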
@@ -0,0 +1,27 @@
+# Firejail profile for yarn
+# Description: Fast, reliable, and secure dependency management
+quiet
+# Persistent local customizations
+include yarn.local
+# Persistent global definitions
+include globals.local
+
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
+# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below.
+#mkdir ${HOME}/.yarn
+#mkdir ${HOME}/.yarn-config
+#mkdir ${HOME}/.yarncache
+#mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.yarn
+#whitelist ${HOME}/.yarn-config
+#whitelist ${HOME}/.yarncache
+#whitelist ${HOME}/.yarnrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+# Redirect
+include nodejs-common.profile
From 06f23009cb5df607809f2f00f733b1cd4b7b1503 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 8 Jan 2021 22:43:33 +0000
Subject: [PATCH 05/13] refactor npm.profile
---
 etc/profile-m-z/npm.profile | 51 +++++--------------------------------
 1 file changed, 6 insertions(+), 45 deletions(-)
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
index 2136fb443cb..29bab4cb9b0 100644
--- a/etc/profile-m-z/npm.profile
+++ b/etc/profile-m-z/npm.profile
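Review bot: yarn.profile is missing the `# This file is overwritten after every install/update` header that npm.profile and nodejs-common.profile carry between the Description line and `# Persistent local customizations`; add it so users know to put changes in yarn.local. Separately, on Linux Yarn 1.x defaults its cache to `${HOME}/.cache/yarn` rather than `${HOME}/.yarncache` as far as I recall (check with `yarn cache dir`); if so, the commented whitelist block here will not cover the real cache and would need a `#whitelist ${HOME}/.cache/yarn` line, or at least a comment pointing users at it.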
@@ -6,59 +6,20 @@ include npm.local
 # Persistent global definitions
 include globals.local
-blacklist /tmp/.X11-unix
-blacklist ${RUNUSER}
-
+noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
-noblacklist ${PATH}/bash
-noblacklist ${PATH}/dash
-noblacklist ${PATH}/sh
-
-ignore noexec ${HOME}
-
-include disable-common.inc
-include disable-exec.inc
-include disable-passwdmgr.inc
-include disable-programs.inc
-include disable-shell.inc
-include disable-xdg.inc
-
-# If you want whitelisting, change the line below to your npm projects directory
+# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
 # and uncomment the lines below.
+#mkdir ${HOME}/.node-gyp
 #mkdir ${HOME}/.npm
 #mkfile ${HOME}/.npmrc
+#whitelist ${HOME}/.node-gyp
 #whitelist ${HOME}/.npm
 #whitelist ${HOME}/.npmrc
 #whitelist ${HOME}/Projects
 #include whitelist-common.inc
-include whitelist-runuser-common.inc
-include whitelist-usr-share-common.inc
-include whitelist-var-common.inc
-
-caps.drop all
-ipc-namespace
-machine-id
-netfilter
-no3d
-nodvd
-nogroups
-nonewprivs
-noroot
-nosound
-notv
-nou2f
-novideo
-protocol unix,inet,inet6,netlink
-seccomp
-seccomp.block-secondary
-shell none
-
-disable-mnt
-private-dev
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
-private-tmp
-dbus-user none
-dbus-system none
+# Redirect
+include nodejs-common.profile
From 656bb77bbe0d37363d173d9dd3e560f960baf535 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 8 Jan 2021 22:55:26 +0000
Subject: [PATCH 06/13] add new profile: yarn
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index ff578196ff5..e9e3ca10638 100644
--- a/README.md
+++ b/README.md
@@ -195,4 +195,4 @@ Stats:
 ### New profiles:
-spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, tutanota-desktop, npm, marker
+spectacle, chromium-browser-privacy, gtk-straw-viewer, gtk-youtube-viewer, gtk2-youtube-viewer, gtk3-youtube-viewer, straw-viewer, lutris, dolphin-emu, authenticator-rs, servo, tutanota-desktop, npm, marker, yarn
From 340ea1330ee7e51c702e454f82d1bb7a161bcabd Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sat, 9 Jan 2021 07:33:07 +0000
Subject: [PATCH 07/13] read-only's for npm/yarn
Thanks to the [suggestion](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) from @kmk3.
---
 etc/inc/disable-common.inc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index d88506d900d..0de539d5798 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -310,6 +310,7 @@ read-only ${HOME}/.msmtprc
 read-only ${HOME}/.mutt/muttrc
 read-only ${HOME}/.muttrc
 read-only ${HOME}/.nano
+read-only ${HOME}/.npmrc
 read-only ${HOME}/.pythonrc.py
 read-only ${HOME}/.reportbugrc
 read-only ${HOME}/.tmux.conf
@@ -318,6 +319,7 @@ read-only ${HOME}/.viminfo
 read-only ${HOME}/.vimrc
 read-only ${HOME}/.xmonad
 read-only ${HOME}/.xscreensaver
+read-only ${HOME}/.yarnrc
 read-only ${HOME}/_exrc
 read-only ${HOME}/_gvimrc
 read-only ${HOME}/_vimrc
From 62247bedefb385521a6c3779fef935a4e9b290a1 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sat, 9 Jan 2021 07:36:35 +0000
Subject: [PATCH 08/13] ignore read-only's for npm
As [suggested](https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989) by @kmk3.
---
 etc/profile-m-z/npm.profile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
index 29bab4cb9b0..efbf7b71dc5 100644
--- a/etc/profile-m-z/npm.profile
+++ b/etc/profile-m-z/npm.profile
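Review bot: The new `read-only ${HOME}/.yarnrc` line protects the Yarn 1.x config file, but Yarn 2+ (Berry) keeps its user config in `${HOME}/.yarnrc.yml`, and as far as I know that file can carry `npmAuthToken` entries just as `.npmrc` carries `_authToken`; if Berry installs are in scope, add `read-only ${HOME}/.yarnrc.yml` next to it, with the matching `ignore read-only` in yarn.profile so `yarn config set` still works there. The sibling `.npmrc` hunk above has the same purpose and would benefit from a one-line comment that these files hold registry auth tokens, so nobody later moves them out of disable-common.inc.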
@@ -9,6 +9,8 @@ include globals.local
 noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
+ignore read-only ${HOME}/.npm-packages
+ignore read-only ${HOME}/.npmrc
 # If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
 # and uncomment the lines below.
From 491a78be8ddb57ccfeeefb553adaaa96e48bc666 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sat, 9 Jan 2021 07:39:23 +0000
Subject: [PATCH 09/13] ignore read-only for yarn
As suggested in https://github.com/netblue30/firejail/pull/3876#pullrequestreview-564682989 by @kmk3.
---
 etc/profile-m-z/yarn.profile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile
index 06a5e0fc2f1..a67e76f9b6c 100644
--- a/etc/profile-m-z/yarn.profile
+++ b/etc/profile-m-z/yarn.profile
@@ -10,6 +10,7 @@ noblacklist ${HOME}/.yarn
 noblacklist ${HOME}/.yarn-config
 noblacklist ${HOME}/.yarncache
 noblacklist ${HOME}/.yarnrc
+ignore read-only ${HOME}/.yarnrc
 # If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below.
 #mkdir ${HOME}/.yarn
From 708c87a7cb2ea33893270f89c493f4810838531f Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Sat, 9 Jan 2021 08:36:06 +0000
Subject: [PATCH 10/13] remove quiet from nodejs-common.profile
quiet should go into the caller profiles instead
---
 etc/profile-m-z/nodejs-common.profile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 71d473aef26..acef622c217 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -1,6 +1,5 @@
 # Firejail profile for Node.js
 # Description: Common profile for npm/yarn
-quiet
 # This file is overwritten after every install/update
 # Persistent local customizations
 include nodejs-common.local
From b01c5588637676437d2f88c5a23fe491a988c8ed Mon Sep 17 00:00:00 2001
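Review bot: `ignore read-only ${HOME}/.npm-packages` has nothing to cancel in this series — patch 07 only adds `read-only` for `.npmrc` and `.yarnrc` — so unless disable-common.inc already carries `read-only ${HOME}/.npm-packages`, the line is a no-op, and `.npm-packages` is also absent from the `noblacklist` lines just above and from the commented whitelist block below. Either drop it, or make the intent explicit with `noblacklist ${HOME}/.npm-packages` alongside the others plus a comment such as `# prefix dir for per-user global installs (npm config set prefix ~/.npm-packages)`. The `.npmrc` ignore is needed for `npm login`/`npm config set` and is correctly placed above the `include nodejs-common.profile` redirect, which is what lets it take effect.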
From: glitsj16
Date: Sat, 9 Jan 2021 08:38:04 +0000
Subject: [PATCH 11/13] add quiet to npm.profile
Thanks @rusty-snake for the review.
---
 etc/profile-m-z/npm.profile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
index efbf7b71dc5..20d3d75d784 100644
--- a/etc/profile-m-z/npm.profile
+++ b/etc/profile-m-z/npm.profile
@@ -1,5 +1,6 @@
 # Firejail profile for npm
 # Description: The Node.js Package Manager
+quiet
 # This file is overwritten after every install/update
 # Persistent local customizations
 include npm.local
From 46d0bbd145d118832aade9841e0ed3ed1e45b5d4 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Mon, 11 Jan 2021 17:21:01 +0000
Subject: [PATCH 12/13] re-ordering some options
---
 etc/profile-m-z/npm.profile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
index 20d3d75d784..e95e875be14 100644
--- a/etc/profile-m-z/npm.profile
+++ b/etc/profile-m-z/npm.profile
@@ -7,11 +7,12 @@ include npm.local
 # Persistent global definitions
 include globals.local
+ignore read-only ${HOME}/.npm-packages
+ignore read-only ${HOME}/.npmrc
+
 noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
-ignore read-only ${HOME}/.npm-packages
-ignore read-only ${HOME}/.npmrc
 # If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
 # and uncomment the lines below.
From 3387ccf89a5bc754fcf0cd5a2c511de5b451deb8 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Mon, 11 Jan 2021 17:22:36 +0000
Subject: [PATCH 13/13] re-ordering
---
 etc/profile-m-z/yarn.profile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile
index a67e76f9b6c..f202250504d 100644
--- a/etc/profile-m-z/yarn.profile
+++ b/etc/profile-m-z/yarn.profile
@@ -6,11 +6,12 @@ include yarn.local
 # Persistent global definitions
 include globals.local
+ignore read-only ${HOME}/.yarnrc
+
 noblacklist ${HOME}/.yarn
 noblacklist ${HOME}/.yarn-config
 noblacklist ${HOME}/.yarncache
 noblacklist ${HOME}/.yarnrc
-ignore read-only ${HOME}/.yarnrc
 # If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below.
 #mkdir ${HOME}/.yarn