diff --git a/README.md b/README.md
index 40e9eff41..b8303ff1b 100644
--- a/README.md
+++ b/README.md
@@ -336,4 +336,4 @@ pcsxr, PPSSPPSDL, openmw, openmw-launcher, jami-gnome, PCSX2, bcompare, b2sum, c sha256sum, sha384sum, sha512sum, sum, librewold-nightly, Quodlibet, tmux, sway, alienarena, alienarena-wrapper, ballbuster, ballbuster-wrapper, colorful, colorful-wrapper, gl-117, gl-117-wrapper, glaxium, glaxium-wrapper, pinball, pinball-wrapper, etr-wrapper, neverball-wrapper, neverputt-wrapper, supertuxkart-wrapper, firedragon -neochat +neochat, node, nvm
diff --git a/etc/inc/allow-common-devel.inc b/etc/inc/allow-common-devel.inc
index 41643657d..babe46571 100644
--- a/etc/inc/allow-common-devel.inc
+++ b/etc/inc/allow-common-devel.inc
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.java
 noblacklist ${HOME}/.node-gyp
 noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.nvm
 noblacklist ${HOME}/.yarn
 noblacklist ${HOME}/.yarn-config
 noblacklist ${HOME}/.yarncache
diff --git a/etc/inc/allow-nodejs.inc b/etc/inc/allow-nodejs.inc
index 78a4bed80..351c94ab8 100644
--- a/etc/inc/allow-nodejs.inc
+++ b/etc/inc/allow-nodejs.inc
@@ -4,3 +4,7 @@ include allow-nodejs.local
 noblacklist ${PATH}/node
 noblacklist /usr/include/node
+
+# Allow python for node-gyp (blacklisted by disable-interpreters.inc)
+include allow-python2.inc
+include allow-python3.inc
diff --git a/etc/inc/disable-common.inc b/etc/inc/disable-common.inc
index 35f89e11b..a6dbb7403 100644
--- a/etc/inc/disable-common.inc
+++ b/etc/inc/disable-common.inc
@@ -338,6 +338,7 @@ read-only ${HOME}/dotfiles
 read-only ${HOME}/.gem
 read-only ${HOME}/.luarocks
 read-only ${HOME}/.npm-packages
+read-only ${HOME}/.nvm
 read-only ${HOME}/bin
 read-only ${HOME}/.bin
 read-only ${HOME}/.local/bin
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index cbc8ef6d2..90abe1d3e 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
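Review bot: In etc/inc/allow-nodejs.inc the added `include allow-python2.inc` and `include allow-python3.inc` lift the disable-interpreters.inc blacklist on Python for every profile that includes this file, not only for node-gyp builds. A sandboxed program that only needs the node binary would then also have both Python interpreters available, which widens what untrusted code inside the sandbox can execute. Consider keeping allow-nodejs.inc limited to node itself and moving the two includes into nodejs-common.profile, or at least extend the comment to `# Allow python for node-gyp; this also unblocks python for every profile that includes this file`.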
@@ -816,6 +816,7 @@ blacklist ${HOME}/.node-gyp
 blacklist ${HOME}/.npm
 blacklist ${HOME}/.npmrc
 blacklist ${HOME}/.nv
+blacklist ${HOME}/.nvm
 blacklist ${HOME}/.nylas-mail
 blacklist ${HOME}/.openarena
 blacklist ${HOME}/.opencity
diff --git a/etc/profile-m-z/node.profile b/etc/profile-m-z/node.profile
new file mode 100644
index 000000000..cd48ed3c7
--- /dev/null
+++ b/etc/profile-m-z/node.profile
@@ -0,0 +1,11 @@
+# Firejail profile for node
+# Description: Evented I/O for V8 javascript
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include node.local
+# Persistent global definitions
+include globals.local
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/nodejs-common.profile b/etc/profile-m-z/nodejs-common.profile
index 4095337dd..fa69f9214 100644
--- a/etc/profile-m-z/nodejs-common.profile
+++ b/etc/profile-m-z/nodejs-common.profile
@@ -10,6 +10,20 @@ include nodejs-common.local
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}
+ignore read-only ${HOME}/.npm-packages
+ignore read-only ${HOME}/.npmrc
+ignore read-only ${HOME}/.nvm
+ignore read-only ${HOME}/.yarnrc
+
+noblacklist ${HOME}/.node-gyp
+noblacklist ${HOME}/.npm
+noblacklist ${HOME}/.npmrc
+noblacklist ${HOME}/.nvm
+noblacklist ${HOME}/.yarn
+noblacklist ${HOME}/.yarn-config
+noblacklist ${HOME}/.yarncache
+noblacklist ${HOME}/.yarnrc
+
 ignore noexec ${HOME}
 include allow-bin-sh.inc
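Review bot: Moving the `ignore read-only` and `noblacklist` lines for ~/.npmrc, ~/.nvm and the yarn paths into etc/profile-m-z/nodejs-common.profile gives them to every profile that redirects here, including the new node.profile, so a script started with plain `node` can now read and modify all of them. ~/.npmrc commonly holds registry credentials, and ~/.nvm holds node installations that may later be run outside the sandbox, so write access from an arbitrary script is broader than what the per-tool npm and yarn profiles granted before. Consider keeping the `ignore read-only` lines in npm.profile, yarn.profile and nvm.profile, where the write is needed, or add a comment above them such as `# Writable for all node tools; move to the per-tool .local file if plain node should not modify these`. The profile continues outside this hunk.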
@@ -21,6 +35,32 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
+# If you want whitelisting, change ${HOME}/Projects below to your node projects directory
+# and add the next lines to your nodejs-common.local.
+#mkdir ${HOME}/.node-gyp
+#mkdir ${HOME}/.npm
+#mkdir ${HOME}/.npm-packages
+#mkfile ${HOME}/.npmrc
+#mkdir ${HOME}/.nvm
+#mkdir ${HOME}/.yarn
+#mkdir ${HOME}/.yarn-config
+#mkdir ${HOME}/.yarncache
+#mkfile ${HOME}/.yarnrc
+#whitelist ${HOME}/.node-gyp
+#whitelist ${HOME}/.npm
+#whitelist ${HOME}/.npm-packages
+#whitelist ${HOME}/.npmrc
+#whitelist ${HOME}/.nvm
+#whitelist ${HOME}/.yarn
+#whitelist ${HOME}/.yarn-config
+#whitelist ${HOME}/.yarncache
+#whitelist ${HOME}/.yarnrc
+#whitelist ${HOME}/Projects
+#include whitelist-common.inc
+
+whitelist /usr/share/doc/node
+whitelist /usr/share/nvm
+whitelist /usr/share/systemtap/tapset/node.stp
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -46,10 +86,11 @@ shell none
 disable-mnt
 private-dev
-# May need to add `passwd` to `private-etc` below to enable debugging with some IDEs
-private-etc alternatives,ca-certificates,crypto-policies,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,pki,protocols,resolv.conf,rpc,services,ssl,xdg
-# May need to be commented out in order to enable debugging with some IDEs
-private-tmp
+private-etc alternatives,ca-certificates,crypto-policies,group,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,mime.types,nsswitch.conf,passwd,pki,protocols,resolv.conf,rpc,services,ssl,xdg
+#private-tmp
 dbus-user none
 dbus-system none
+
+# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry.
+#env GATSBY_TELEMETRY_DISABLED=1
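Review bot: In the `@@ -46,10 +86,11 @@` hunk of nodejs-common.profile, `private-tmp` becomes `#private-tmp` and `passwd` and `group` are added to `private-etc` for every user, while the two removed comments that explained these as an IDE-debugging workaround are dropped. With the line disabled the sandbox shares the host /tmp (only `/tmp/.X11-unix` is blacklisted earlier in this profile), and nothing tells a maintainer why the default was relaxed. I would keep `private-tmp` enabled and document the opt-out instead, e.g. `# Add 'ignore private-tmp' to nodejs-common.local if your IDE debugger needs the host /tmp`. If the relaxed default stays, put a comment with the reason directly above `#private-tmp`.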
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
index f51d58782..4d8beea5a 100644
--- a/etc/profile-m-z/npm.profile
+++ b/etc/profile-m-z/npm.profile
@@ -7,23 +7,5 @@ include npm.local
 # Persistent global definitions
 include globals.local
-ignore read-only ${HOME}/.npm-packages
-ignore read-only ${HOME}/.npmrc
-
-noblacklist ${HOME}/.node-gyp
-noblacklist ${HOME}/.npm
-noblacklist ${HOME}/.npmrc
-
-# If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
-# and add the next lines to your npm.local.
-#mkdir ${HOME}/.node-gyp
-#mkdir ${HOME}/.npm
-#mkfile ${HOME}/.npmrc
-#whitelist ${HOME}/.node-gyp
-#whitelist ${HOME}/.npm
-#whitelist ${HOME}/.npmrc
-#whitelist ${HOME}/Projects
-#include whitelist-common.inc
-
 # Redirect
 include nodejs-common.profile
diff --git a/etc/profile-m-z/nvm.profile b/etc/profile-m-z/nvm.profile
new file mode 100644
index 000000000..80da22834
--- /dev/null
+++ b/etc/profile-m-z/nvm.profile
@@ -0,0 +1,13 @@
+# Firejail profile for nvm
+# Description: Node Version Manager - Simple bash script to manage multiple active node.js versions
+quiet
+# This file is overwritten after every install/update
+# Persistent local customizations
+include nvm.local
+# Persistent global definitions
+include globals.local
+
+ignore noroot
+
+# Redirect
+include nodejs-common.profile
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile
index 360bd8442..05b55d071 100644
--- a/etc/profile-m-z/yarn.profile
+++ b/etc/profile-m-z/yarn.profile
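Review bot: `ignore noroot` in the new etc/profile-m-z/nvm.profile has no comment, so the reason for switching off an option that nodejs-common.profile presumably sets (it is not visible in this diff) is lost. This relaxes the sandbox for a tool that downloads and installs executables, so the profile should say what breaks without it, for example `# <reason nvm fails under noroot>; overrides noroot from nodejs-common.profile`. That lets the exception be re-tested and dropped later.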
@@ -6,25 +6,5 @@ include yarn.local
 # Persistent global definitions
 include globals.local
-ignore read-only ${HOME}/.yarnrc
-
-noblacklist ${HOME}/.yarn
-noblacklist ${HOME}/.yarn-config
-noblacklist ${HOME}/.yarncache
-noblacklist ${HOME}/.yarnrc
-
-# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and
-# add the next lines to you yarn.local.
-#mkdir ${HOME}/.yarn
-#mkdir ${HOME}/.yarn-config
-#mkdir ${HOME}/.yarncache
-#mkfile ${HOME}/.yarnrc
-#whitelist ${HOME}/.yarn
-#whitelist ${HOME}/.yarn-config
-#whitelist ${HOME}/.yarncache
-#whitelist ${HOME}/.yarnrc
-#whitelist ${HOME}/Projects
-#include whitelist-common.inc
-
 # Redirect
 include nodejs-common.profile