Muehlenhoff has submitted this change and it was merged.

Change subject: Enable firejail for image scaling

Enable firejail for image scaling

This enables firejail for the bulk of image scaling (some extensions need more work). This uses a wrapper which invokes convert(1) with a Firejail profile which runs the scaling in a sandbox which:

- implements a seccomp filter which blocks common, potentially harmful system calls typically used in privilege escalation exploits
- drops all capabilities
- disables the root user
- mounts a private /dev directory which only provides required pseudo devices like /dev/zero, ttys or /dev/(u)random
- creates an unconnected network namespace with only a loopback interface
- blacklists access to various directories (e.g. /etc/ssh, /home/, sbin dirs)

One thing I would like to add in the future is to use a local overlayfs for /tmp (but that will only be available once we migrate to jessie since it requires a Linux kernel >= 3.18).

The wrapper can also be reused at a later point when we move to Thumbor (and we can also provide it for our mediawiki distribution so that others can deploy that change as well).

I have already enabled this change as a canary on mw1153 without any problems (but will revert later on since this is not a change to make on a Friday) with the plan to merge on Monday.

Bug: T135111
Change-Id: Ia02b8fc72449367ad1afa231d0548c2d561494ad
---
M wmf-config/CommonSettings.php
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Muehlenhoff: Verified; Looks good to me, approved
  jenkins-bot: Verified

diff --git a/wmf-config/CommonSettings.php b/wmf-config/CommonSettings.php index 32df79a..f9df1b0 100644 --- a/wmf-config/CommonSettings.php +++ b/wmf-config/CommonSettings.php 
@@ -447,7 +447,7 @@ $wgUseImageResize = true; $wgUseImageMagick = true; -$wgImageMagickConvertCommand = '/usr/bin/convert'; +$wgImageMagickConvertCommand = '/usr/local/bin/mediawiki-firejail-convert'; $wgSharpenParameter = '0x0.8'; # for IM>6.5, T26857 $wgFileBlacklist[] = 'txt';
-- 
To view, visit https://gerrit.wikimedia.org/r/291202

Gerrit-MessageType: merged
Gerrit-Change-Id: Ia02b8fc72449367ad1afa231d0548c2d561494ad
Gerrit-PatchSet: 2
Gerrit-Project: operations/mediawiki-config
Gerrit-Branch: master
Gerrit-Owner: Muehlenhoff
Gerrit-Reviewer: CSteipp
Gerrit-Reviewer: Faidon Liambotis
Gerrit-Reviewer: Florianschmidtwelzow
Gerrit-Reviewer: Gilles
Gerrit-Reviewer: Giuseppe Lavagetto
Gerrit-Reviewer: Muehlenhoff
Gerrit-Reviewer: jenkins-bot
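
Review bot: The new value on the `+$wgImageMagickConvertCommand` line points at `/usr/local/bin/mediawiki-firejail-convert`, a wrapper that this one-file change neither ships nor documents, and the setting is a plain path with no fallback to `/usr/bin/convert`. Suggest a short comment above the setting that names where the wrapper and its Firejail profile are deployed from and references T135111, so a reader of CommonSettings.php can tell that scaling now depends on that file being present on every host that receives this config. The commit message says some extensions need more work; a pointer to the follow-up for those would make it clear which scaling paths are not yet covered by the sandbox.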
