Muehlenhoff has submitted this change and it was merged.
Change subject: Provide a wrapper to invoke convert using firejail
......................................................................
Provide a wrapper to invoke convert using firejail
Change-Id: I57eb02017e0da7777d3101b121509a766d04a5d6
---
A modules/mediawiki/files/mediawiki-firejail-convert
M modules/mediawiki/manifests/firejail.pp
2 files changed, 13 insertions(+), 0 deletions(-)
Approvals:
Muehlenhoff: Verified; Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/mediawiki/files/mediawiki-firejail-convert
b/modules/mediawiki/files/mediawiki-firejail-convert
new file mode 100755
index 0000000..7b66816
--- /dev/null
+++ b/modules/mediawiki/files/mediawiki-firejail-convert
@@ -0,0 +1,5 @@
+#! /usr/bin/python
+# -*- coding: utf-8 -*-
+
+import sys, subprocess
+subprocess.call(['/usr/bin/firejail',
'--profile=/etc/firejail/mediawiki-imagemagick.profile', '/usr/bin/convert'] +
sys.argv[1:])
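Review bot: the return value of subprocess.call() on the last line of the wrapper is discarded, so the script exits 0 even when firejail or convert fails, and a caller that checks the exit status would treat a failed conversion as a success. Suggest propagating it with sys.exit(subprocess.call([...] + sys.argv[1:])). A short comment stating that the arguments are passed as a list, without a shell, would also document why file names in sys.argv are not reinterpreted.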
diff --git a/modules/mediawiki/manifests/firejail.pp
b/modules/mediawiki/manifests/firejail.pp
index 113c5b6..fc20221 100644
--- a/modules/mediawiki/manifests/firejail.pp
+++ b/modules/mediawiki/manifests/firejail.pp
@@ -3,6 +3,7 @@
# This Puppet class provides profile data for firejail, a sandbox to restrict
# an application environment. These profiles are used to contain the image
# scaling process (since imagemagick has a high risk security profile).
+# It also provides a wrapper script to invoke imagemagick's convert via
firejail.
class mediawiki::firejail {
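Review bot: the added comment line says a wrapper script is provided but not where it is installed or which profile it applies. Naming /usr/local/bin/mediawiki-firejail-convert and /etc/firejail/mediawiki-imagemagick.profile in the class header would let a reader find both without opening the files.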
@@ -13,4 +14,11 @@
group => 'root',
mode => '0644',
}
+
+ file { '/usr/local/bin/mediawiki-firejail-convert':
+ source => 'puppet:///modules/mediawiki/mediawiki-firejail-convert',
+ owner => 'root',
+ group => 'root',
+ mode => '0555',
+ }
}
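Review bot: the new file resource for /usr/local/bin/mediawiki-firejail-convert declares no relationship to the two paths the wrapper hardcodes, /usr/bin/firejail and /etc/firejail/mediawiki-imagemagick.profile. If either is absent when the wrapper is first invoked, the call fails and no conversion runs. If the firejail package and the profile file are managed in this class or elsewhere in the catalog, consider adding a require on them so the wrapper is only installed once both are in place.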
--
To view, visit https://gerrit.wikimedia.org/r/290909
Gerrit-MessageType: merged
Gerrit-Change-Id: I57eb02017e0da7777d3101b121509a766d04a5d6
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <[email protected]>
Gerrit-Reviewer: Alex Monk <[email protected]>
Gerrit-Reviewer: Gilles <[email protected]>
Gerrit-Reviewer: Muehlenhoff <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits