Muehlenhoff has uploaded a new change for review.
https://gerrit.wikimedia.org/r/313669
Change subject: Profile firejail containment for ghostscript
......................................................................
Profile firejail containment for ghostscript
This should be improved in follow-up commits to convert to the generic
profiles (but they are not yet installed on all mw systems)
Change-Id: Iae31ed1a7ee9eff1c8403c2b26e0e0a0d1169f68
---
A modules/mediawiki/files/mediawiki-firejail-gs
A modules/mediawiki/files/mediawiki-gs.profile
M modules/mediawiki/manifests/init.pp
3 files changed, 48 insertions(+), 0 deletions(-)
diff --git a/modules/mediawiki/files/mediawiki-firejail-gs
b/modules/mediawiki/files/mediawiki-firejail-gs
new file mode 100755
index 0000000..378d941
--- /dev/null
+++ b/modules/mediawiki/files/mediawiki-firejail-gs
@@ -0,0 +1,5 @@
+#! /usr/bin/python
+# -*- coding: utf-8 -*-
+
+import sys, subprocess
+subprocess.call(['/usr/bin/firejail',
'--profile=/etc/firejail/mediawiki-gs.profile', '/usr/bin/gs'] + sys.argv[1:])
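Review bot: The wrapper discards ghostscript's exit status: `subprocess.call()` returns the child's return code, but the last line of the hunk ignores it, so the script itself always exits 0 and the caller cannot distinguish a failed conversion from a successful one. Propagating it is a one-line change: `sys.exit(subprocess.call(['/usr/bin/firejail', '--profile=/etc/firejail/mediawiki-gs.profile', '/usr/bin/gs'] + sys.argv[1:]))`. A short header comment would also help the next reader, e.g. `# Runs /usr/bin/gs inside firejail with the mediawiki-gs profile; all arguments are passed through unchanged.`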
diff --git a/modules/mediawiki/files/mediawiki-gs.profile
b/modules/mediawiki/files/mediawiki-gs.profile
new file mode 100644
index 0000000..b96a5aa
--- /dev/null
+++ b/modules/mediawiki/files/mediawiki-gs.profile
@@ -0,0 +1,27 @@
+# system directories
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
+
+# system management
+blacklist ${PATH}/umount
+blacklist ${PATH}/mount
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/xinput
+blacklist ${PATH}/evtest
+blacklist ${PATH}/xev
+blacklist ${PATH}/strace
+blacklist ${PATH}/nc
+blacklist ${PATH}/ncat
+
+blacklist /etc/shadow
+blacklist /etc/ssh
+blacklist /root
+blacklist /home
+noroot
+caps.drop all
+seccomp
+net none
+private-dev
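Review bot: The profile is purely a denylist: apart from the paths listed under `blacklist` and the `/dev` replaced by `private-dev`, the sandboxed gs still sees and can write the whole filesystem, since there is no `read-only`, `private-tmp` or `private-etc` line. Whether `private-tmp` is usable here depends on where MediaWiki places the input and output files it hands to gs, which is not visible in this change, so that should be confirmed before adding it. The commit message already says this will be replaced by the generic profiles; until then a one-line header such as `# Interim firejail profile for /usr/bin/gs as invoked by MediaWiki via /usr/local/bin/mediawiki-firejail-gs` would record what the file is for and which wrapper references it.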
diff --git a/modules/mediawiki/manifests/init.pp
b/modules/mediawiki/manifests/init.pp
index b915399..5e99539 100644
--- a/modules/mediawiki/manifests/init.pp
+++ b/modules/mediawiki/manifests/init.pp
@@ -52,6 +52,22 @@
mode => '0555',
}
+ # This profile is used to contain ghostscript
+ file { '/etc/firejail/mediawiki-gs.profile':
+ source => 'puppet:///modules/mediawiki/mediawiki-gs.profile',
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ require => Package['firejail'],
+ }
+
+ file { '/usr/local/bin/mediawiki-firejail-gs':
+ source => 'puppet:///modules/mediawiki/mediawiki-firejail-gs',
+ owner => 'root',
+ group => 'root',
+ mode => '0555',
+ }
+
# We've set the 'php' grain in the past, but we don't really need it
anymore
salt::grain { 'php':
ensure => absent,
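Review bot: The `/usr/local/bin/mediawiki-firejail-gs` resource has no `require`, while the profile resource just above it depends on `Package['firejail']`; the wrapper invokes `/usr/bin/firejail` with `/etc/firejail/mediawiki-gs.profile`, so it is only usable once both exist, and with no ordering Puppet may install it first. Making the dependency explicit and consistent with the sibling resource: `require => [Package['firejail'], File['/etc/firejail/mediawiki-gs.profile']],`. The enclosing class starts outside the hunk.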
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: Iae31ed1a7ee9eff1c8403c2b26e0e0a0d1169f68
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <[email protected]>