MediaWiki REL1_33
FirejailCommand.php
Go to the documentation of this file.
1<?php
21namespace MediaWiki\Shell;
22
23use RuntimeException;
24
31class FirejailCommand extends Command {
32
36 private $firejail;
37
41 private $whitelistedPaths = [];
42
46 public function __construct( $firejail ) {
47 parent::__construct();
48 $this->firejail = $firejail;
49 }
50
54 public function whitelistPaths( array $paths ) {
55 $this->whitelistedPaths = array_merge( $this->whitelistedPaths, $paths );
56 return $this;
57 }
58
62 protected function buildFinalCommand( $command ) {
63 // If there are no restrictions, don't use firejail
64 if ( $this->restrictions === 0 ) {
65 $splitCommand = explode( ' ', $command, 2 );
66 $this->logger->debug(
67 "firejail: Command {$splitCommand[0]} {params} has no restrictions",
68 [ 'params' => $splitCommand[1] ?? '' ]
69 );
70 return parent::buildFinalCommand( $command );
71 }
72
73 if ( $this->firejail === false ) {
74 throw new RuntimeException( 'firejail is enabled, but cannot be found' );
75 }
76 // quiet has to come first to prevent firejail from adding
77 // any output.
78 $cmd = [ $this->firejail, '--quiet' ];
79 // Use a profile that allows people to add local overrides
80 // if their system is setup in an incompatible manner. Also it
81 // prevents any default profiles from running.
82 // FIXME: Doesn't actually override command-line switches?
83 $cmd[] = '--profile=' . __DIR__ . '/firejail.profile';
84
85 // By default firejail hides all other user directories, so if
86 // MediaWiki is inside a home directory (/home) but not the
87 // current user's home directory, pass --allusers to whitelist
88 // the home directories again.
89 static $useAllUsers = null;
90 if ( $useAllUsers === null ) {
91 global $IP;
92 // In case people are doing funny things with symlinks
93 // or relative paths, resolve them all.
94 $realIP = realpath( $IP );
95 $currentUser = posix_getpwuid( posix_geteuid() );
96 $useAllUsers = ( strpos( $realIP, '/home/' ) === 0 )
97 && ( strpos( $realIP, $currentUser['dir'] ) !== 0 );
98 if ( $useAllUsers ) {
99 $this->logger->warning( 'firejail: MediaWiki is located ' .
100 'in a home directory that does not belong to the ' .
101 'current user, so allowing access to all home ' .
102 'directories (--allusers)' );
103 }
104 }
105
106 if ( $useAllUsers ) {
107 $cmd[] = '--allusers';
108 }
109
110 if ( $this->whitelistedPaths ) {
111 // Always whitelist limit.sh
112 $cmd[] = '--whitelist=' . __DIR__ . '/limit.sh';
113 foreach ( $this->whitelistedPaths as $whitelistedPath ) {
114 $cmd[] = "--whitelist={$whitelistedPath}";
115 }
116 }
117
118 if ( $this->hasRestriction( Shell::NO_LOCALSETTINGS ) ) {
119 $cmd[] = '--blacklist=' . realpath( MW_CONFIG_FILE );
120 }
121
122 if ( $this->hasRestriction( Shell::NO_ROOT ) ) {
123 $cmd[] = '--noroot';
124 }
125
126 $useSeccomp = $this->hasRestriction( Shell::SECCOMP );
127 $extraSeccomp = [];
128
129 if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
130 $extraSeccomp[] = 'execve';
131 // Normally firejail will run commands in a bash shell,
132 // but that won't work if we ban the execve syscall, so
133 // run the command without a shell.
134 $cmd[] = '--shell=none';
135 }
136
137 if ( $useSeccomp ) {
138 $seccomp = '--seccomp';
139 if ( $extraSeccomp ) {
140 // The "@default" seccomp group will always be enabled
141 $seccomp .= '=' . implode( ',', $extraSeccomp );
142 }
143 $cmd[] = $seccomp;
144 }
145
146 if ( $this->hasRestriction( Shell::PRIVATE_DEV ) ) {
147 $cmd[] = '--private-dev';
148 }
149
150 if ( $this->hasRestriction( Shell::NO_NETWORK ) ) {
151 $cmd[] = '--net=none';
152 }
153
154 $builtCmd = implode( ' ', $cmd );
155
156 // Prefix the firejail command in front of the wanted command
157 return parent::buildFinalCommand( "$builtCmd -- {$command}" );
158 }
159
160}
and
and that you know you can do these things To protect your we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights These restrictions translate to certain responsibilities for you if you distribute copies of the or if you modify it For if you distribute copies of such a whether gratis or for a you must give the recipients all the rights that you have You must make sure that receive or can get the source code And you must show them these terms so they know their rights We protect your rights with two and(2) offer you this license which gives you legal permission to copy
MediaWiki\Shell\Command
Class used for executing shell commands.
Definition Command.php:35
MediaWiki\Shell\Command\hasRestriction
hasRestriction( $restriction)
Bitfield helper on whether a specific restriction is enabled.
Definition Command.php:264
MediaWiki\Shell\FirejailCommand
Restricts execution of shell commands using firejail.
Definition FirejailCommand.php:31
MediaWiki\Shell\FirejailCommand\buildFinalCommand
buildFinalCommand( $command)
@inheritDoc
Definition FirejailCommand.php:62
MediaWiki\Shell\FirejailCommand\whitelistPaths
whitelistPaths(array $paths)
@inheritDoc
Definition FirejailCommand.php:54
MediaWiki\Shell\FirejailCommand\$firejail
string $firejail
Path to firejail.
Definition FirejailCommand.php:36
MediaWiki\Shell\Shell\NO_EXECVE
const NO_EXECVE
Deny execve syscall with seccomp.
Definition Shell.php:83
MediaWiki\Shell\Shell\SECCOMP
const SECCOMP
Use seccomp to block dangerous syscalls.
Definition Shell.php:60
MediaWiki\Shell\Shell\NO_NETWORK
const NO_NETWORK
Restrict the request to have no network access.
Definition Shell.php:75
MediaWiki\Shell\Shell\PRIVATE_DEV
const PRIVATE_DEV
Create a private /dev.
Definition Shell.php:67
MediaWiki\Shell\Shell\NO_ROOT
const NO_ROOT
Disallow any root access.
Definition Shell.php:52
MediaWiki\Shell\Shell\NO_LOCALSETTINGS
const NO_LOCALSETTINGS
Deny access to LocalSettings.php (MW_CONFIG_FILE)
Definition Shell.php:90
$IP
$IP
Definition update.php:3
array
The wiki should then use memcached to cache various data To use multiple just add more items to the array To increase the weight of a make its entry a array("192.168.0.1:11211", 2))
MediaWiki\Shell
Copyright (C) 2017 Kunal Mehta legoktm@member.fsf.org
Definition Command.php:21