Muehlenhoff has submitted this change and it was merged.

Change subject: Provide a firejail profile for the image scalers
......................................................................


Provide a firejail profile for the image scalers

This excludes the root user, drops all capabilities, limits the network
to a loopback device, enables a seccomp filter for potentially harmful
syscalls and uses a private /dev directory. Also sensitive directories
and commands are blacklisted.

The profile will be used in a followup patch.

Bug: T135111
Change-Id: I9720488d9add2389b3f9b391f7d825a12d8622aa
---
A modules/mediawiki/files/mediawiki-imagemagick.profile
A modules/mediawiki/manifests/firejail.pp
M modules/mediawiki/manifests/multimedia.pp
3 files changed, 30 insertions(+), 0 deletions(-)

Approvals:
  Muehlenhoff: Verified; Looks good to me, approved



diff --git a/modules/mediawiki/files/mediawiki-imagemagick.profile 
b/modules/mediawiki/files/mediawiki-imagemagick.profile
new file mode 100644
index 0000000..cc2e42e
--- /dev/null
+++ b/modules/mediawiki/files/mediawiki-imagemagick.profile
@@ -0,0 +1,13 @@
+
+# This blacklists the sbin directories and admin tools like sudo
+include /etc/firejail/disable-mgmt.inc
+
+blacklist /etc/shadow
+blacklist /etc/ssh
+blacklist /root
+blacklist /home
+noroot
+caps.drop all
+seccomp
+net none
+private-dev
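Review bot: The directives from `noroot` down to `private-dev` carry no comments, and the file opens with an empty line instead of a header; only the `include` is explained. The commit message already states the intent (no root user, all capabilities dropped, network limited to a loopback device, seccomp filter, private /dev), so that text belongs in a comment block at the top of the profile. A short comment next to `net none` saying that it is the line which leaves only a loopback device would help too, since the directive name alone does not convey that.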
diff --git a/modules/mediawiki/manifests/firejail.pp 
b/modules/mediawiki/manifests/firejail.pp
new file mode 100644
index 0000000..113c5b6
--- /dev/null
+++ b/modules/mediawiki/manifests/firejail.pp
@@ -0,0 +1,16 @@
+# == Class: mediawiki::firejail
+#
+# This Puppet class provides profile data for firejail, a sandbox to restrict
+# an application environment. These profiles are used to contain the image
+# scaling process (since imagemagick has a high risk security profile).
+
+class mediawiki::firejail {
+
+    # This profile is used to contain the convert command of imagemagick
+    file { '/etc/firejail/mediawiki-imagemagick.profile':
+        source => 'puppet:///modules/mediawiki/mediawiki-imagemagick.profile',
+        owner  => 'root',
+        group  => 'root',
+        mode   => '0644',
+    }
+}
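Review bot: The `file` resource for `/etc/firejail/mediawiki-imagemagick.profile` has no `require`, and nothing in this class ensures that the firejail package, and with it the `/etc/firejail` directory, exists before the profile is written. If that is not guaranteed elsewhere in the catalog, add a `require` on the firejail package resource or declare the package in this class. An explicit `ensure => present` on the resource would also state the intent instead of relying on the default.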
diff --git a/modules/mediawiki/manifests/multimedia.pp 
b/modules/mediawiki/manifests/multimedia.pp
index 1b588f3..4ce246a 100644
--- a/modules/mediawiki/manifests/multimedia.pp
+++ b/modules/mediawiki/manifests/multimedia.pp
@@ -7,6 +7,7 @@
     include ::mediawiki::packages::multimedia
     include ::mediawiki::packages::fonts
     include ::mediawiki::users
+    include ::mediawiki::firejail
 
     file { '/etc/fonts/conf.d/70-no-bitmaps.conf':
         ensure  => link,

-- 
To view, visit https://gerrit.wikimedia.org/r/290696
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I9720488d9add2389b3f9b391f7d825a12d8622aa
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <[email protected]>
Gerrit-Reviewer: Alex Monk <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
Gerrit-Reviewer: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Muehlenhoff <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
