Code Self Study Forum

Can AppArmor help deal with the npm security problem?

Has anyone used AppArmor? I saw this snippet in some Hacker News comments. I wonder if it could isolate npm packages so they don’t compromise the entire system with supply chain attacks. (recently: rc, coa, etc.)

If you are on a linux distro that supports apparmor (ubuntu/debian etc), such issues can be easily prevented by creating a sandbox profile and alias commands like node/npm to run using it.

alias npm='aa-exec -p sandbox npm'
alias node='aa-exec -p sandbox node'

sandbox profile:

  # /etc/apparmor.d/sandbox
  include <tunables/global>

  profile sandbox {
    #include <abstractions/base>
    #include <abstractions/consoles>
    #include <abstractions/nameservice>

    /sys/** r,
    /{usr/,}bin/* ixr,

    # nodejs install dir
    owner /home/*/nodejs/**/* rix,

    owner /tmp/**           rw,
    owner /tmp/**/          rw,

    owner /home/*/.npm/_* lrw,
    owner /home/*/.npm/_*/ lrw,
    owner /home/*/.npm/_*/** lrw,
    owner /home/*/.npmrc r,

    owner /home/**/node_modules/ rwix,
    owner /home/**/node_modules/** rwix,
    owner /home/**/package.json rw,
    owner /home/**/package-lock.json rw,

    owner /home/*/projects/**/ r,
    owner /home/*/projects/** r,
  }

To load the profile:

sudo apparmor_parser -r /etc/apparmor.d/sandbox

edit: For completeness, added step to load the profile.

Is there anything else that can be done to prevent getting your computer wrecked by running npm install?