// Hand construction off to the parent class first. The rest of the enclosing
// method is not part of this listing; presumably it is this class's constructor.
47 parent::__construct();
// Parameter filter that runs before delegating to parent::params(). Lines between
// the numbered ones are elided in this listing, so the enclosing signature and
// some statements are not visible.
//
// True only when exactly one argument was passed and that argument is an array;
// the body of this branch is not shown.
59 if ( count(
$args ) === 1 && is_array( reset(
$args ) ) ) {
// Every parameter is inspected, not only the first one.
64 foreach (
$args as $arg ) {
// Case-sensitive test on the first 8 bytes: '--output', '--output=...' and any
// longer parameter that begins with '--output' all match.
// NOTE(review): presumably this keeps a caller-supplied parameter from being read
// as an option of firejail itself; confirm against the project history.
// assumes each $arg is a string; other types are not handled here. TODO confirm
65 if ( substr( $arg, 0, 8 ) ===
'--output' ) {
// The exception object is created here; the statement that throws it is not shown.
66 $ex =
new RuntimeException(
67 'FirejailCommand does not support parameters that start with --output'
// This string looks like the message of a log call; the call itself is elided.
70 'command tried to shell out with a parameter starting with --output',
// Parameters that passed the check are forwarded to the parent implementation.
80 return parent::params( ...
$args );
// Merge the caller-supplied $paths into the whitelist accumulated so far.
// NOTE(review): no validation or normalisation of the entries is visible on this
// line, and the same property is later interpolated into --whitelist= options, so
// callers are presumably expected to pass trusted paths only; confirm.
87 $this->whitelistedPaths = array_merge( $this->whitelistedPaths, $paths );
// When $this->restrictions is 0 the command is handed to the parent unchanged,
// so no firejail wrapper is added on this path.
96 if ( $this->restrictions === 0 ) {
// Split once on the first space: element 0 is the executable, element 1 (when
// present) is everything after it.
97 $splitCommand = explode(
' ',
$command, 2 );
// Message and context array of what appears to be a log call (the call line is
// elided). The executable name is interpolated into the message; the remainder
// is passed through the 'params' placeholder and defaults to '' when the command
// has no arguments.
99 "firejail: Command {$splitCommand[0]} {params} has no restrictions",
100 [
'params' => $splitCommand[1] ??
'' ]
102 return parent::buildFinalCommand(
$command );
// Fail closed: if no firejail binary is available ($this->firejail is false),
// throw instead of building a command that would run without the sandbox.
105 if ( $this->firejail ===
false ) {
106 throw new RuntimeException(
'firejail is enabled, but cannot be found' );
// Point firejail at the profile file that sits next to this source file.
// NOTE(review): __DIR__ is concatenated without quoting and $cmd is later joined
// with spaces, so an install path containing whitespace would split this option
// unless escaping happens elsewhere; confirm.
115 $cmd[] =
'--profile=' . __DIR__ .
'/firejail.profile';
// Decide whether firejail needs --allusers. The result lives in a function-static
// variable, so it is computed at most once and then reused by later calls.
121 static $useAllUsers =
null;
122 if ( $useAllUsers ===
null ) {
// Canonicalise the install path so symlinks and relative segments are resolved
// before the prefix tests below.
// NOTE(review): realpath() returns false on failure and posix_getpwuid() can
// return false as well; neither case is handled in the visible lines.
126 $realIP = realpath(
$IP );
127 $currentUser = posix_getpwuid( posix_geteuid() );
// True when the install path starts with /home/ but does not start with the
// effective user's home directory.
// NOTE(review): both tests are plain string-prefix comparisons, not path-component
// comparisons: a home of /home/ab also prefixes /home/abc/..., which would leave
// --allusers off (the more restrictive outcome).
128 $useAllUsers = ( strpos( $realIP,
'/home/' ) === 0 )
129 && ( strpos( $realIP, $currentUser[
'dir'] ) !== 0 );
// The relaxation is reported at warning level so operators can see that the
// sandbox was widened.
130 if ( $useAllUsers ) {
131 $this->logger->warning(
'firejail: MediaWiki is located ' .
132 'in a home directory that does not belong to the ' .
133 'current user, so allowing access to all home ' .
134 'directories (--allusers)' );
// Per the warning text above, --allusers allows access to all home directories,
// so this option is a deliberate loosening of isolation.
138 if ( $useAllUsers ) {
139 $cmd[] =
'--allusers';
// A path whitelist is only emitted when at least one path has been registered.
142 if ( $this->whitelistedPaths ) {
// limit.sh next to this source file is whitelisted whenever a whitelist is in use.
144 $cmd[] =
'--whitelist=' . __DIR__ .
'/limit.sh';
// One --whitelist option per registered path.
// NOTE(review): each path is interpolated as-is, with no quoting or escaping in
// the visible code, and $cmd is later joined with spaces into a command string.
// A path containing whitespace or shell metacharacters would not survive intact;
// confirm that callers only pass trusted, pre-validated paths.
145 foreach ( $this->whitelistedPaths as $whitelistedPath ) {
146 $cmd[] =
"--whitelist={$whitelistedPath}";
// Hide the file named by MW_CONFIG_FILE from the sandboxed process; the condition
// guarding this line is not shown.
// NOTE(review): realpath() returns false when the path cannot be resolved, which
// would produce a bare '--blacklist=' here; that case is not handled on this line.
151 $cmd[] =
'--blacklist=' . realpath( MW_CONFIG_FILE );
// Queue execve as an extra syscall for the seccomp option built below; the
// condition guarding this is not shown.
162 $extraSeccomp[] =
'execve';
// NOTE(review): --shell=none appears next to the execve entry, presumably because
// launching the command through a shell would itself need execve; confirm.
166 $cmd[] =
'--shell=none';
// Start from the bare --seccomp option.
170 $seccomp =
'--seccomp';
171 if ( $extraSeccomp ) {
// When extra syscalls were queued, append them as a comma-separated list after
// '=', giving the form --seccomp=name1,name2.
173 $seccomp .=
'=' . implode(
',', $extraSeccomp );
// Two further firejail hardening options; the conditions that enable each one
// are not shown in this listing.
// --private-dev: firejail option that gives the sandbox its own reduced /dev.
179 $cmd[] =
'--private-dev';
// --net=none: firejail option that leaves the sandbox without network access.
183 $cmd[] =
'--net=none';
// Join the collected firejail options with single spaces. No quoting or escaping
// of the individual entries is visible in this listing.
186 $builtCmd = implode(
' ', $cmd );
// Prefix the firejail invocation to the requested command. The '--' marks the end
// of firejail's own options, so what follows is taken as the program to run and
// its arguments. The parent implementation then builds the final command.
189 return parent::buildFinalCommand(
"$builtCmd -- {$command}" );