Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/290909

Change subject: Provide a wrapper to invoke convert using firejail
......................................................................

Provide a wrapper to invoke convert using firejail

Change-Id: I57eb02017e0da7777d3101b121509a766d04a5d6
---
A modules/mediawiki/files/mediawiki-firejail-convert
M modules/mediawiki/manifests/firejail.pp
2 files changed, 13 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/09/290909/1

diff --git a/modules/mediawiki/files/mediawiki-firejail-convert 
b/modules/mediawiki/files/mediawiki-firejail-convert
new file mode 100755
index 0000000..7b66816
--- /dev/null
+++ b/modules/mediawiki/files/mediawiki-firejail-convert
@@ -0,0 +1,5 @@
+#! /usr/bin/python
+# -*- coding: utf-8 -*-
+
+import sys, subprocess
+subprocess.call(['/usr/bin/firejail', 
'--profile=/etc/firejail/mediawiki-imagemagick.profile', '/usr/bin/convert'] + 
sys.argv[1:])
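Review bot: The return value of subprocess.call() on the last added line is discarded, so the wrapper always exits 0, even when firejail refuses to start or convert fails inside the sandbox. A caller that checks the exit status will treat a failed conversion as a success. Pass the status through, for example `sys.exit(subprocess.call([...] + sys.argv[1:]))`. A short comment saying that the profile path must match the file installed by mediawiki::firejail would also help, since the path is hard-coded here.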
diff --git a/modules/mediawiki/manifests/firejail.pp 
b/modules/mediawiki/manifests/firejail.pp
index 113c5b6..fc20221 100644
--- a/modules/mediawiki/manifests/firejail.pp
+++ b/modules/mediawiki/manifests/firejail.pp
@@ -3,6 +3,7 @@
 # This Puppet class provides profile data for firejail, a sandbox to restrict
 # an application environment. These profiles are used to contain the image
 # scaling process (since imagemagick has a high risk security profile).
+# It also provides a wrapper script to invoke imagemagick's convert via 
firejail.
 
 class mediawiki::firejail {
 
@@ -13,4 +14,11 @@
         group  => 'root',
         mode   => '0644',
     }
+
+    file { '/usr/local/bin/mediawiki-firejail-convert':
+        source => 'puppet:///modules/mediawiki/mediawiki-firejail-convert',
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0555',
+    }
 }
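Review bot: The new file resource for /usr/local/bin/mediawiki-firejail-convert declares no relationship to whatever provides /usr/bin/firejail, which the wrapper hard-codes, and nothing in the visible lines of this class shows the firejail package being installed. On a host where the package is absent the wrapper would be deployed and then fail only when it is called. If the package is managed by a Puppet resource, add a `require` on it to this file resource (the resource name is not visible in this diff), or state in the class comment which class is expected to install firejail.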

-- 
To view, visit https://gerrit.wikimedia.org/r/290909

Gerrit-MessageType: newchange
Gerrit-Change-Id: I57eb02017e0da7777d3101b121509a766d04a5d6
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <[email protected]>
