Has anyone used AppArmor? I saw this snippet in some Hacker News comments. I wonder if it could isolate npm packages so they don’t compromise the entire system with supply chain attacks. (recently: rc
, coa
, etc.)
If you are on a linux distro that supports apparmor (ubuntu/debian etc), such issues can be easily prevented by creating a sandbox profile and alias commands like node/npm to run using it.
alias npm='aa-exec -p sandbox npm' alias node='aa-exec -p sandbox node'
sandbox profile:
# /etc/apparmor.d/sandbox include <tunables/global> profile sandbox { #include <abstractions/base> #include <abstractions/consoles> #include <abstractions/nameservice> /sys/** r, /{usr/,}bin/* ixr, # nodejs install dir owner /home/*/nodejs/**/* rix, owner /tmp/** rw, owner /tmp/**/ rw, owner /home/*/.npm/_* lrw, owner /home/*/.npm/_*/ lrw, owner /home/*/.npm/_*/** lrw, owner /home/*/.npmrc r, owner /home/**/node_modules/ rwix, owner /home/**/node_modules/** rwix, owner /home/**/package.json rw, owner /home/**/package-lock.json rw, owner /home/*/projects/**/ r, owner /home/*/projects/** r, }
To load the profile:
sudo apparmor_parser -r /etc/apparmor.d/sandbox
edit: For completeness, added step to load the profile.
Is there anything else that can be done to prevent getting your computer wrecked by running npm install
?