Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/290696

Change subject: Provide a firejail profile for the image scalers
......................................................................

Provide a firejail profile for the image scalers

This excludes the root user, drops all capabilities, limits the network
to a loopback device, enables a seccomp filter for potentially harmful
syscalls and uses a private /dev directory. Also sensitive directories
and commands are blacklisted.

The profile will be used in a followup patch.

Bug: T135111
Change-Id: I9720488d9add2389b3f9b391f7d825a12d8622aa
---
A modules/mediawiki/files/mediawiki-imagemagick.profile
A modules/mediawiki/manifests/firejail.pp
2 files changed, 29 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/96/290696/1

diff --git a/modules/mediawiki/files/mediawiki-imagemagick.profile 
b/modules/mediawiki/files/mediawiki-imagemagick.profile
new file mode 100644
index 0000000..cc2e42e
--- /dev/null
+++ b/modules/mediawiki/files/mediawiki-imagemagick.profile
@@ -0,0 +1,13 @@
+
+# This blacklists the sbin directories and admin tools like sudo
+include /etc/firejail/disable-mgmt.inc
+
+blacklist /etc/shadow
+blacklist /etc/ssh
+blacklist /root
+blacklist /home
+noroot
+caps.drop all
+seccomp
+net none
+private-dev
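Review bot: the directives from `noroot` through `private-dev` at the end of the profile have no comments; the only comment in the file covers the `include` line, and the rationale for the rest lives only in the commit message. Suggest a short comment per directive, for example that `net none` leaves the sandbox with only a loopback interface, and dropping the empty first line of the file. The `include /etc/firejail/disable-mgmt.inc` line also assumes that file is present on the host, which nothing visible in this change ensures.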
diff --git a/modules/mediawiki/manifests/firejail.pp 
b/modules/mediawiki/manifests/firejail.pp
new file mode 100644
index 0000000..113c5b6
--- /dev/null
+++ b/modules/mediawiki/manifests/firejail.pp
@@ -0,0 +1,16 @@
+# == Class: mediawiki::firejail
+#
+# This Puppet class provides profile data for firejail, a sandbox to restrict
+# an application environment. These profiles are used to contain the image
+# scaling process (since imagemagick has a high risk security profile).
+
+class mediawiki::firejail {
+
+    # This profile is used to contain the convert command of imagemagick
+    file { '/etc/firejail/mediawiki-imagemagick.profile':
+        source => 'puppet:///modules/mediawiki/mediawiki-imagemagick.profile',
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0644',
+    }
+}
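Review bot: the `file` resource for `/etc/firejail/mediawiki-imagemagick.profile` has no dependency on anything that creates `/etc/firejail`, and the class declares no package resource. If firejail is not installed before this resource is applied, Puppet cannot write the file because the parent directory is missing. Suggest adding a `require` on whichever resource installs firejail, or declaring that dependency in this class.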

-- 
To view, visit https://gerrit.wikimedia.org/r/290696
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I9720488d9add2389b3f9b391f7d825a12d8622aa
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <[email protected]>
