From 5a86de660852543576d78fc79aca15a9b3e07372 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 11:40:39 +0000
Subject: [PATCH 01/17] Create node.profile

---
 etc/profile-m-z/node.profile | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 etc/profile-m-z/node.profile

diff --git a/etc/profile-m-z/node.profile b/etc/profile-m-z/node.profile
new file mode 100644
index 00000000000..cd48ed3c7fb
--- /dev/null
+++ b/etc/profile-m-z/node.profile
@@ -0,0 +1,11 @@
+# Firejail profile for node
+# Description: Evented I/O for V8 javascript
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include node.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile

From 000a3f64f6a4bb7d2d14a1e77f27cef1a5fac092 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 11:42:18 +0000
Subject: [PATCH 02/17] Create node-gyp.profile

---
 etc/profile-m-z/node-gyp.profile | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 etc/profile-m-z/node-gyp.profile

diff --git a/etc/profile-m-z/node-gyp.profile b/etc/profile-m-z/node-gyp.profile
new file mode 100644
index 00000000000..99bc50b5fa3
--- /dev/null
+++ b/etc/profile-m-z/node-gyp.profile
@@ -0,0 +1,15 @@
+# Firejail profile for node-gyp
+# Description: Node.js native addon build tool
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include node-gyp.local
+# Persistent global definitions
+include globals.local
+
+# Allow python (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
+
+# Redirect
+include nodejs-common.profile

From 65ce781f60b7fc9a1f1275155634ee744a5aac06 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 11:44:13 +0000
Subject: [PATCH 03/17] refactor npm as redirect

---
 etc/profile-m-z/npm.profile | 18 ------------------
 1 file changed, 18 deletions(-)
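Review bot: node.profile gives no hint that it is also the effective profile for the node-gyp, npx and semver wrapper scripts, which patches 14–16 of this series delete on the grounds that node.profile covers them; without that written down here, the next contributor is likely to re-create per-tool profiles. A line under the description such as `# Also used for node-gyp, npx and semver, which are scripts executed by node` would record it. That profile lookup actually lands on node.profile when the invoked name is npx or semver is asserted by those later commit messages rather than shown in this series, so it is worth stating how that works in the commit description.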
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
index f51d587820c..4d8beea5af7 100644
--- a/etc/profile-m-z/npm.profile
+++ b/etc/profile-m-z/npm.profile
@@ -7,23 +7,5 @@ include npm.local
 # Persistent global definitions
 include globals.local
 
-ignore read-only ${HOME}/.npm-packages
-ignore read-only ${HOME}/.npmrc
-
-noblacklist ${HOME}/.node-gyp
-noblacklist ${HOME}/.npm
-noblacklist ${HOME}/.npmrc
-
-# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
-# and add the next lines to your npm.local.
-#mkdir ${HOME}/.node-gyp
-#mkdir ${HOME}/.npm
-#mkfile ${HOME}/.npmrc
-#whitelist ${HOME}/.node-gyp
-#whitelist ${HOME}/.npm
-#whitelist ${HOME}/.npmrc
-#whitelist ${HOME}/Projects
-#include whitelist-common.inc
-
 # Redirect
 include nodejs-common.profile

From c493bad1d95053ff1ec9b9febc29733ed7534b64 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 11:45:29 +0000
Subject: [PATCH 04/17] Create npx.profile

---
 etc/profile-m-z/npx.profile | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 etc/profile-m-z/npx.profile

diff --git a/etc/profile-m-z/npx.profile b/etc/profile-m-z/npx.profile
new file mode 100644
index 00000000000..bc11211e65a
--- /dev/null
+++ b/etc/profile-m-z/npx.profile
@@ -0,0 +1,10 @@
+# Firejail profile for npx
+# Description: Execute npm package binaries
+quiet
+# Persistent local customizations
+include npx.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile

From 65d01b9323250a615a8ab228b383f5ae58675b0d Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 11:46:35 +0000
Subject: [PATCH 05/17] Create nvm.profile

---
 etc/profile-m-z/nvm.profile | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 etc/profile-m-z/nvm.profile

diff --git a/etc/profile-m-z/nvm.profile b/etc/profile-m-z/nvm.profile
new file mode 100644
index 00000000000..80da228340c
--- /dev/null
+++ b/etc/profile-m-z/nvm.profile
@@ -0,0 +1,13 @@
+# Firejail profile for nvm
+# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nvm.local
+# Persistent global definitions
+include globals.local
+
+ignore noroot
+
+# Redirect
+include nodejs-common.profile

From b56cb36bb295c5bc9ef331652f4eb9f10e385888 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 11:47:42 +0000
Subject: [PATCH 06/17] Create semver.profile

---
 etc/profile-m-z/semver.profile | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 etc/profile-m-z/semver.profile

diff --git a/etc/profile-m-z/semver.profile b/etc/profile-m-z/semver.profile
new file mode 100644
index 00000000000..fa5cda95cd0
--- /dev/null
+++ b/etc/profile-m-z/semver.profile
@@ -0,0 +1,10 @@
+# Firejail profile for semver
+# Description: The semantic version parser used by npm
+quiet
+# Persistent local customizations
+include semver.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile

From 33905d8af92a37cbffd5b72348048f00c5a9150d Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 11:49:18 +0000
Subject: [PATCH 07/17] refactor yarn as redirect

---
 etc/profile-m-z/yarn.profile | 20 --------------------
 1 file changed, 20 deletions(-)

diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile
index 360bd8442aa..05b55d07116 100644
--- a/etc/profile-m-z/yarn.profile
+++ b/etc/profile-m-z/yarn.profile
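Review bot: `ignore noroot` in nvm.profile carries no comment saying what breaks for nvm under noroot, so the reason for dropping the single-user namespace that nodejs-common.profile presumably sets is lost; the python lines in node-gyp.profile in this same series show the expected style of explaining an exception. Add a one-liner above it, e.g. `# <what nvm needs the root user inside the sandbox for>`, filled in with the actual cause. Separately, the description calls nvm a bash script while nodejs-common.profile (patch 08) includes disable-shell.inc and only allow-bin-sh.inc, so please confirm bash is reachable inside the sandbox under this profile.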
@@ -6,25 +6,5 @@ include yarn.local
 # Persistent global definitions
 include globals.local
 
-ignore read-only ${HOME}/.yarnrc
-
-noblacklist ${HOME}/.yarn
-noblacklist ${HOME}/.yarn-config
-noblacklist ${HOME}/.yarncache
-noblacklist ${HOME}/.yarnrc
-
-# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and
-# add the next lines to you yarn.local.
-#mkdir ${HOME}/.yarn
-#mkdir ${HOME}/.yarn-config
-#mkdir ${HOME}/.yarncache
-#mkfile ${HOME}/.yarnrc
-#whitelist ${HOME}/.yarn
-#whitelist ${HOME}/.yarn-config
-#whitelist ${HOME}/.yarncache
-#whitelist ${HOME}/.yarnrc
-#whitelist ${HOME}/Projects
-#include whitelist-common.inc
-
 # Redirect
 include nodejs-common.profile

From be51cf361bef6fbcfe4b5a30a8594f44f6f00b34 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 11:56:32 +0000
Subject: [PATCH 08/17] collect node.js stack configuration in common profile

---
 etc/profile-m-z/nodejs-common.profile | 49 ++++++++++++++++++++++++---
 1 file changed, 45 insertions(+), 4 deletions(-)

diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 4095337dd28..823acbc403c 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,9 +7,26 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
+# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry.
+#env GATSBY_TELEMETRY_DISABLED=1
+
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
+ignore read-only ${HOME}/.npm-packages
+ignore read-only ${HOME}/.npmrc
+ignore read-only ${HOME}/.nvm
+ignore read-only ${HOME}/.yarnrc
+
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.nvm
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
 ignore noexec ${HOME}
 include allow-bin-sh.inc
 
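Review bot: `ignore read-only ${HOME}/.nvm`, together with the existing `ignore noexec ${HOME}` a few lines below, makes the tree holding nvm-installed node binaries both writable and executable for every profile that redirects here (node, npm, yarn), not just nvm; an install script of a compromised package run under npm could then alter binaries in that tree that are later executed outside the sandbox. Only nvm itself needs write access, so consider dropping that line here and putting `ignore read-only ${HOME}/.nvm` in nvm.profile instead; patch 11 of this series adds `read-only ${HOME}/.nvm` to disable-common.inc, so the other callers would keep it read-only provided nodejs-common.profile includes that file (not visible in this hunk). The same reasoning applies to `.npm-packages`, although that line is only being moved from npm.profile.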
@@ -21,6 +38,32 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 
+# If you want whitelisting, change ${HOME}/Projects below to your node projects directory
+# and add the next lines to your nodejs-common.local.
+#mkdir ${HOME}/.node-gyp
+#mkdir ${HOME}/.npm
+#mkdir ${HOME}/.npm-packages
+#mkfile ${HOME}/.npmrc
+#mkdir ${HOME}/.nvm
+#mkdir ${HOME}/.yarn
+#mkdir ${HOME}/.yarn-config
+#mkdir ${HOME}/.yarncache
+#mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.node-gyp
+#whitelist ${HOME}/.npm
+#whitelist ${HOME}/.npm-packages
+#whitelist ${HOME}/.npmrc
+#whitelist ${HOME}/.nvm
+#whitelist ${HOME}/.yarn
+#whitelist ${HOME}/.yarn-config
+#whitelist ${HOME}/.yarncache
+#whitelist ${HOME}/.yarnrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+whitelist /usr/share/doc/node
+whitelist /usr/share/nvm
+whitelist /usr/share/systemtap/tapset/node.stp
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -46,10 +89,8 @@ shell none
 
 disable-mnt
 private-dev
-# May need to add `passwd` to `private-etc` below to enable debugging with some IDEs
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
-# May need to be commented out in order to enable debugging with some IDEs
-private-tmp
+private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+#private-tmp
 
 dbus-user none
 dbus-system none

From 2666c7a67bbcdf8047a6b7886bf9829d3eb2bb8a Mon Sep 17 00:00:00 2001
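Review bot: `#private-tmp` in the second hunk disables /tmp isolation for the whole node.js stack, and the same hunk drops the two comments that explained the trade-off (`# May need to be commented out in order to enable debugging with some IDEs`), so the next maintainer sees an unexplained weakening and may either re-enable it and break the IDE use case or never question it. Keep the rationale next to the line, e.g. `# private-tmp breaks debugging with some IDEs; add 'private-tmp' to nodejs-common.local to re-enable it`, which works because nodejs-common.local is included at the top of this profile. The unconditional addition of `group,passwd` to private-etc has the same issue: its removed comment said it was only needed for IDE debugging, and nothing now records why those files are exposed to every node program.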
From: glitsj16
Date: Fri, 7 May 2021 11:58:51 +0000
Subject: [PATCH 09/17] add ~/.nvm to node section

---
 etc/inc/allow-common-devel.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 41643657d53..babe465716d 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.java
 noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.nvm
 noblacklist ${HOME}/.yarn
 noblacklist ${HOME}/.yarn-config
 noblacklist ${HOME}/.yarncache

From f6ef2b2fe58d374338a5e5f372ae1970c1a3fb5b Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 12:01:25 +0000
Subject: [PATCH 10/17] account for node-gyp python dependency

---
 etc/inc/allow-nodejs.inc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
index 78a4bed8095..351c94ab86e 100644
--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@@ -4,3 +4,7 @@ include allow-nodejs.local
 
 noblacklist ${PATH}/node
 noblacklist /usr/include/node
+
+# Allow python for node-gyp (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc

From 678f3d84321f782ba66b3fa6003349e598d3f1c7 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 12:04:06 +0000
Subject: [PATCH 11/17] read-only ~/.nvm for node.js stack

---
 etc/inc/disable-common.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 35f89e11b87..a6dbb740383 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -338,6 +338,7 @@ read-only ${HOME}/dotfiles
 read-only ${HOME}/.gem
 read-only ${HOME}/.luarocks
 read-only ${HOME}/.npm-packages
+read-only ${HOME}/.nvm
 read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin

From 7d6f6f50091b44bfaaff759b52311dc7dbc44548 Mon Sep 17 00:00:00 2001
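Review bot: Adding `include allow-python2.inc` and `include allow-python3.inc` to allow-nodejs.inc grants python interpreters to every profile that includes this file, not only the node.js stack profiles that run node-gyp, which widens what a sandboxed program can execute; if allow-nodejs.inc has other consumers (none are visible in this series), the includes belong in nodejs-common.profile instead, or the comment should say the broadening is intended. Python 2 is end-of-life, so confirm that node-gyp on the node versions you target still needs it before allowing both interpreters; otherwise keep only python3. The comment could also name the path by which node-gyp ends up here, e.g. `# node-gyp (sandboxed via node.profile) needs python, which disable-interpreters.inc blacklists`.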
From: glitsj16
Date: Fri, 7 May 2021 12:06:46 +0000
Subject: [PATCH 12/17] blacklist ~/.nvm for node.js stack

---
 etc/inc/disable-programs.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index cbc8ef6d2e1..90abe1d3e20 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -816,6 +816,7 @@ blacklist ${HOME}/.node-gyp
 blacklist ${HOME}/.npm
 blacklist ${HOME}/.npmrc
 blacklist ${HOME}/.nv
+blacklist ${HOME}/.nvm
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openarena
 blacklist ${HOME}/.opencity

From 0f3088a3261cc1503dd0704c8bc1d9df6c35c5d0 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 14:30:13 +0000
Subject: [PATCH 13/17] move env var comment cfr. profile.template

---
 etc/profile-m-z/nodejs-common.profile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 823acbc403c..fa69f9214a7 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -7,9 +7,6 @@ include nodejs-common.local
 # added by caller profile
 #include globals.local
 
-# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry.
-#env GATSBY_TELEMETRY_DISABLED=1
-
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
 
@@ -94,3 +91,6 @@ private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostnam
 
 dbus-user none
 dbus-system none
+
+# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry.
+#env GATSBY_TELEMETRY_DISABLED=1

From 59eba46b0640875dd2b0435e0ec7e5597c119fa1 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 18:42:25 +0000
Subject: [PATCH 14/17] Delete node-gyp.profile

node-gyp is a shell script with a node shebang. We've got that covered via node.profile.
---
 etc/profile-m-z/node-gyp.profile | 15 ---------------
 1 file changed, 15 deletions(-)
 delete mode 100644 etc/profile-m-z/node-gyp.profile

diff --git a/etc/profile-m-z/node-gyp.profile b/etc/profile-m-z/node-gyp.profile
deleted file mode 100644
index 99bc50b5fa3..00000000000
--- a/etc/profile-m-z/node-gyp.profile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Firejail profile for node-gyp
-# Description: Node.js native addon build tool
-quiet
-# This file is overwritten after every install/update
-# Persistent local customizations
-include node-gyp.local
-# Persistent global definitions
-include globals.local
-
-# Allow python (blacklisted by disable-interpreters.inc)
-include allow-python2.inc
-include allow-python3.inc
-
-# Redirect
-include nodejs-common.profile

From 65e26268943f9c32a1ad723c0b83bf30da940d12 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 18:43:27 +0000
Subject: [PATCH 15/17] Delete npx.profile

npx is a shell script with a node shebang. We've got that covered via node.profile.
---
 etc/profile-m-z/npx.profile | 10 ----------
 1 file changed, 10 deletions(-)
 delete mode 100644 etc/profile-m-z/npx.profile

diff --git a/etc/profile-m-z/npx.profile b/etc/profile-m-z/npx.profile
deleted file mode 100644
index bc11211e65a..00000000000
--- a/etc/profile-m-z/npx.profile
+++ /dev/null
@@ -1,10 +0,0 @@
-# Firejail profile for npx
-# Description: Execute npm package binaries
-quiet
-# Persistent local customizations
-include npx.local
-# Persistent global definitions
-include globals.local
-
-# Redirect
-include nodejs-common.profile

From 5fa4e2a4aa51bdd45f8ab754893e1778c040f40f Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 18:45:02 +0000
Subject: [PATCH 16/17] Delete semver.profile

semver is a shell script that calls node. We've got that covered via node.profile.
---
 etc/profile-m-z/semver.profile | 10 ----------
 1 file changed, 10 deletions(-)
 delete mode 100644 etc/profile-m-z/semver.profile

diff --git a/etc/profile-m-z/semver.profile b/etc/profile-m-z/semver.profile
deleted file mode 100644
index fa5cda95cd0..00000000000
--- a/etc/profile-m-z/semver.profile
+++ /dev/null
@@ -1,10 +0,0 @@
-# Firejail profile for semver
-# Description: The semantic version parser used by npm
-quiet
-# Persistent local customizations
-include semver.local
-# Persistent global definitions
-include globals.local
-
-# Redirect
-include nodejs-common.profile

From 0a8a5fca637b80f9c2a570c42347e5475fcd4931 Mon Sep 17 00:00:00 2001
From: glitsj16
Date: Fri, 7 May 2021 19:02:51 +0000
Subject: [PATCH 17/17] add node and nvm to new profiles section

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 40e9eff4164..b8303ff1baa 100644
--- a/README.md
+++ b/README.md
@@ -336,4 +336,4 @@ pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, c
 sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon
-neochat
+neochat, node, nvm