github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-21 06:45:29 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 1
firejail/etc/profile-m-z/nodejs-common.profile
Kelvin M. Klann 0060b5105b
profiles: rename disable-X11.inc to disable-x11.inc (#6294) 
That is, make "X11" lowercase so that the order of the includes in the
disable- section remain the same when sorted with `LC_ALL=C`, as is the
case for most of the other sections.  That is also likely to be the
default in text editors (such as in vim on Arch), so this should make
the disable- section more consistent and easier to sort when editing the
profile.

Also, keep the old include as a redirect to the new one for now to avoid
breakage.

Commands used to search and replace:

    git mv etc/inc/disable-X11.inc etc/inc/disable-x11.inc
    git grep -Ilz 'disable-X11' -- etc | xargs -0 \
      perl -pi -e 's/disable-X11/disable-x11/'

Relates to #4462 #4854 #6070 #6289.

This is a follow-up to #6286.
2024-03-27 12:13:47 +00:00

106 lines
2.8 KiB
Text
Raw Blame History

# Firejail profile for Node.js
# Description: Asynchronous event-driven JavaScript runtime
# This file is overwritten after every install/update
# Persistent local customizations
include nodejs-common.local
# Persistent global definitions
# added by caller profile
#include globals.local
# Note: gulp, node-gyp, npm, npx, pnpm, pnpx, semver and yarn are all node scripts
# using the `#!/usr/bin/env node` shebang. By sandboxing node the full
# node.js stack will be firejailed. The only exception is nvm, which is implemented
# as a sourced shell function, not an executable binary. Hence it is not
# directly firejailable. You can work around this by sandboxing the programs
# used by nvm: curl, sha256sum, tar and wget. We have comments in these
# profiles on how to enable nvm support via local overrides.
blacklist ${RUNUSER}
ignore read-only ${HOME}/.npm-packages
ignore read-only ${HOME}/.npmrc
ignore read-only ${HOME}/.nvm
ignore read-only ${HOME}/.yarnrc
noblacklist ${HOME}/.local/share/pnpm
noblacklist ${HOME}/.node-gyp
noblacklist ${HOME}/.npm
noblacklist ${HOME}/.npmrc
noblacklist ${HOME}/.nvm
noblacklist ${HOME}/.yarn
noblacklist ${HOME}/.yarn-config
noblacklist ${HOME}/.yarncache
noblacklist ${HOME}/.yarnrc
ignore noexec ${HOME}
include allow-bin-sh.inc
include disable-common.inc
include disable-exec.inc
include disable-programs.inc
include disable-shell.inc
include disable-x11.inc
include disable-xdg.inc
# If you want whitelisting, change ${HOME}/Projects below to your node projects directory
# and add the next lines to your nodejs-common.local.
#mkdir ${HOME}/.local/share/pnpm
#mkdir ${HOME}/.node-gyp
#mkdir ${HOME}/.npm
#mkdir ${HOME}/.npm-packages
#mkfile ${HOME}/.npmrc
#mkdir ${HOME}/.nvm
#mkdir ${HOME}/.yarn
#mkdir ${HOME}/.yarn-config
#mkdir ${HOME}/.yarncache
#mkfile ${HOME}/.yarnrc
#whitelist ${HOME}/.local/share/pnpm
#whitelist ${HOME}/.node-gyp
#whitelist ${HOME}/.npm
#whitelist ${HOME}/.npm-packages
#whitelist ${HOME}/.npmrc
#whitelist ${HOME}/.nvm
#whitelist ${HOME}/.yarn
#whitelist ${HOME}/.yarn-config
#whitelist ${HOME}/.yarncache
#whitelist ${HOME}/.yarnrc
#whitelist ${HOME}/Projects
#include whitelist-common.inc
whitelist /usr/share/doc/node
whitelist /usr/share/nvm
whitelist /usr/share/systemtap/tapset/node.stp
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc
caps.drop all
ipc-namespace
machine-id
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noprinters
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp
seccomp.block-secondary
disable-mnt
private-dev
private-etc @tls-ca,@x11,host.conf,mime.types,rpc,services
#private-tmp
dbus-user none
dbus-system none
# Add the next line to your nodejs-common.local if you prefer to disable gatsby telemetry.
#env GATSBY_TELEMETRY_DISABLED=1
restrict-namespaces
Reference in a new issue View git blame Copy permalink