24 use Wikimedia\TestingAccessWrapper;
28 use MediaWikiCoversValidator;
// Fixed fragments from which the expected command lines are assembled.

// Environment assignments that follow the quoted command in every expected
// string. They set the CPU, memory, file-size and wall-clock limits.
// NOTE(review): presumably read by limit.sh; units are not visible here -- confirm.
33 $env =
"'MW_INCLUDE_STDERR=;MW_CPU_LIMIT=180; MW_CGROUP='\'''\''; MW_MEM_LIMIT=307200; MW_FILE_SIZE_LIMIT=102400; MW_WALL_CLOCK_LIMIT=180; MW_USE_LOG_PIPE=yes'";
// Prefix of every expected command: bash running the limit.sh wrapper under $IP.
34 $limit =
"/bin/bash '$IP/includes/shell/limit.sh'";
// firejail --profile argument pointing at the profile file under $IP.
35 $profile =
"--profile=$IP/includes/shell/firejail.profile";
// firejail --blacklist argument for the resolved path of the wiki config file,
// so the sandboxed process cannot read it.
// NOTE(review): realpath() returns false when the path cannot be resolved, which
// would leave this as '--blacklist=' with no path. If the code under test builds
// the flag the same way, the comparison still passes while nothing is
// blacklisted -- consider asserting that MW_CONFIG_FILE resolves.
36 $blacklist =
'--blacklist=' . realpath( MW_CONFIG_FILE );
// Flag set used in the expected strings of the RESTRICT_DEFAULT cases: config
// blacklist, --noroot, the default seccomp filter and a private /dev.
37 $default =
"$blacklist --noroot --seccomp --private-dev";
// Expected-output cases. The visible rows give a command, a restriction
// bitmask and the exact final command string. Where firejail is used, its
// whole invocation is one single-quoted argument to limit.sh, with inner
// quotes escaped as '\''.

// No restrictions (0): the command goes to limit.sh without any firejail wrapper.
41 'ls', 0,
"$limit ''\''ls'\''' $env"
// RESTRICT_DEFAULT: firejail with the profile plus the $default flag set.
44 'default restriction',
45 'ls', Shell::RESTRICT_DEFAULT,
46 "$limit 'firejail --quiet $profile $default -- '\''ls'\''' $env"
// NO_NETWORK alone: only --net=none is added. The expected string carries no
// --blacklist, --noroot or --seccomp, so a caller that also needs the config
// file hidden has to OR in RESTRICT_DEFAULT (covered by the case after this one).
50 'ls', Shell::NO_NETWORK,
51 "$limit 'firejail --quiet $profile --net=none -- '\''ls'\''' $env"
54 'default restriction & no network',
55 'ls', Shell::RESTRICT_DEFAULT | Shell::NO_NETWORK,
56 "$limit 'firejail --quiet $profile $default --net=none -- '\''ls'\''' $env"
// Expected string of a case whose description and flag lines are not visible
// in this listing; it adds only --seccomp.
61 "$limit 'firejail --quiet $profile --seccomp -- '\''ls'\''' $env"
// SECCOMP | NO_EXECVE: the two flags collapse into --shell=none plus a single
// --seccomp=execve instead of a separate bare --seccomp.
// NOTE(review): per firejail's documentation --seccomp=<syscall> keeps the
// default filter and additionally blocks the listed syscall -- confirm for the
// firejail version in use.
64 'seccomp & no execve',
65 'ls', Shell::SECCOMP | Shell::NO_EXECVE,
66 "$limit 'firejail --quiet $profile --shell=none --seccomp=execve -- '\''ls'\''' $env"
// Wrap the command object so that buildFinalCommand() and the command property
// can be reached from the test (presumably they are not public -- confirm).
80 $wrapper = TestingAccessWrapper::newFromObject(
$command );
// Build the final command line from the wrapped object's own command string.
81 $output = $wrapper->buildFinalCommand( $wrapper->command );
// Only element 0 of the result is compared with the expected string; any
// further elements of $output are not checked here.
82 $this->assertEquals( $expected,
$output[0], $desc );