Restricts execution of shell commands using firejail. More...
Public Member Functions | |
| __construct ( $firejail) | |
| params (... $args) | |
| Reject any parameters that start with –output to prevent exploitation of a firejail RCE (CVE-2020-17367 and CVE-2020-17368) | |
| whitelistPaths (array $paths) | |
| @inheritDoc | |
 Public Member Functions inherited from MediaWiki\Shell\Command | |
| __construct () | |
| Constructor. | |
| __destruct () | |
| Destructor. | |
| cgroup ( $cgroup) | |
| Sets cgroup for this command. | |
| environment (array $env) | |
| Sets environment variables which should be added to the executed command environment. | |
| execute () | |
| Executes command. | |
| includeStderr ( $yesno=true) | |
| Controls whether stderr should be included in stdout, including errors from limit.sh. | |
| input ( $inputString) | |
| Sends the provided input to the command. | |
| limits (array $limits) | |
| Sets execution limits. | |
| logStderr ( $yesno=true) | |
| When enabled, text sent to stderr will be logged with a level of 'error'. | |
| params () | |
| Adds parameters to the command. | |
| profileMethod ( $method) | |
| Sets calling function for profiler. | |
| restrict ( $restrictions) | |
| Set restrictions for this request, overwriting any previously set restrictions. | |
| unsafeParams () | |
| Adds unsafe parameters to the command. | |
Protected Member Functions | |
| buildFinalCommand ( $command) | |
| @inheritDoc | |
| Protected Member Functions inherited from MediaWiki\Shell\Command | |
| hasRestriction ( $restriction) | |
| Bitfield helper on whether a specific restriction is enabled. | |
Private Attributes | |
| string | $firejail |
| Path to firejail. | |
| string[] | $whitelistedPaths = [] |
Additional Inherited Members | |
| Protected Attributes inherited from MediaWiki\Shell\Command | |
| string | $command = '' |
| int | $restrictions = 0 |
| bitfield with restrictions | |
Detailed Description
Restricts execution of shell commands using firejail.
- See also
- https://firejail.wordpress.com/
- Since
- 1.31
Definition at line 31 of file FirejailCommand.php.
Constructor & Destructor Documentation
◆ __construct()
| MediaWiki\Shell\FirejailCommand::__construct | ( | $firejail | ) |
- Parameters
-
string $firejail Path to firejail
Definition at line 46 of file FirejailCommand.php.
References MediaWiki\Shell\FirejailCommand\$firejail.
Member Function Documentation
◆ buildFinalCommand()
|
protected |
@inheritDoc
Reimplemented from MediaWiki\Shell\Command.
Definition at line 94 of file FirejailCommand.php.
References $command, $IP, MediaWiki\Shell\Shell\NO_EXECVE, MediaWiki\Shell\Shell\NO_LOCALSETTINGS, MediaWiki\Shell\Shell\NO_NETWORK, MediaWiki\Shell\Shell\NO_ROOT, MediaWiki\Shell\Shell\PRIVATE_DEV, and MediaWiki\Shell\Shell\SECCOMP.
◆ params()
| MediaWiki\Shell\FirejailCommand::params | ( | $args | ) |
Reject any parameters that start with –output to prevent exploitation of a firejail RCE (CVE-2020-17367 and CVE-2020-17368)
- Parameters
-
string|string[] ...$args
- Returns
- $this
Definition at line 58 of file FirejailCommand.php.
References $args.
◆ whitelistPaths()
| MediaWiki\Shell\FirejailCommand::whitelistPaths | ( | array | $paths | ) |
@inheritDoc
Reimplemented from MediaWiki\Shell\Command.
Definition at line 86 of file FirejailCommand.php.
Member Data Documentation
◆ $firejail
|
private |
Path to firejail.
Definition at line 36 of file FirejailCommand.php.
Referenced by MediaWiki\Shell\FirejailCommand\__construct().
◆ $whitelistedPaths
|
private |
Definition at line 41 of file FirejailCommand.php.
The documentation for this class was generated from the following file:
- includes/shell/FirejailCommand.php
