Legoktm has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/396570 )
Change subject: shell: Run firejail inside limit.sh, make NO_EXECVE work
......................................................................
shell: Run firejail inside limit.sh, make NO_EXECVE work
NO_EXECVE doesn't work because limit.sh needs to execute the main
command, and does so through the execve syscall. Eventually we should be
able to replace limit.sh with firejail functionality entirely (T179021),
but in the meantime we can run firejail inside limit.sh.
We also need to stop firejail from running the command in a bash shell
via --shell=none, since that shell would also use the execve syscall.
Bug: T182489
Change-Id: I3fc8ad2f9e5eb5bf13b49d0bccd6094668a5ec55
---
M includes/shell/Command.php
M includes/shell/FirejailCommand.php
M tests/phpunit/includes/shell/FirejailCommandTest.php
3 files changed, 16 insertions(+), 10 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/mediawiki/core
refs/changes/70/396570/1
diff --git a/includes/shell/Command.php b/includes/shell/Command.php
index 998b3ed..f642330 100644
--- a/includes/shell/Command.php
+++ b/includes/shell/Command.php
@@ -36,7 +36,7 @@
use LoggerAwareTrait;
/** @var string */
- private $command = '';
+ protected $command = '';
/** @var array */
private $limits = [
diff --git a/includes/shell/FirejailCommand.php
b/includes/shell/FirejailCommand.php
index 79f679d..9fcdded 100644
--- a/includes/shell/FirejailCommand.php
+++ b/includes/shell/FirejailCommand.php
@@ -122,6 +122,10 @@
if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
$seccomp[] = 'execve';
+ // Normally firejail will run commands in a bash shell,
+ // but that won't work if we ban the execve syscall, so
+ // run the command without a shell.
+ $cmd[] = '--shell=none';
}
if ( $seccomp ) {
@@ -136,11 +140,13 @@
$cmd[] = '--net=none';
}
- list( $fullCommand, $useLogPipe ) = parent::buildFinalCommand();
$builtCmd = implode( ' ', $cmd );
- return [ "$builtCmd -- $fullCommand", $useLogPipe ];
+ // Prefix the firejail command in front of the wanted command
+ $this->command = "$builtCmd -- {$this->command}";
+
+ return parent::buildFinalCommand();
}
}
diff --git a/tests/phpunit/includes/shell/FirejailCommandTest.php
b/tests/phpunit/includes/shell/FirejailCommandTest.php
index c9db74f..d92eeaa 100644
--- a/tests/phpunit/includes/shell/FirejailCommandTest.php
+++ b/tests/phpunit/includes/shell/FirejailCommandTest.php
@@ -29,38 +29,38 @@
// @codingStandardsIgnoreStart
$env = "'MW_INCLUDE_STDERR=;MW_CPU_LIMIT=180;
MW_CGROUP='\'''\''; MW_MEM_LIMIT=307200; MW_FILE_SIZE_LIMIT=102400;
MW_WALL_CLOCK_LIMIT=180; MW_USE_LOG_PIPE=yes'";
// @codingStandardsIgnoreEnd
- $limit = "$IP/includes/shell/limit.sh";
+ $limit = "/bin/bash '$IP/includes/shell/limit.sh'";
$profile = "--profile=$IP/includes/shell/firejail.profile";
$default = '--noroot --seccomp=@default --private-dev';
return [
[
'No restrictions',
- 'ls', 0, "/bin/bash '$limit' ''\''ls'\''' $env"
+ 'ls', 0, "$limit ''\''ls'\''' $env"
],
[
'default restriction',
'ls', Shell::RESTRICT_DEFAULT,
- "firejail --quiet $profile $default --
/bin/bash '$limit' ''\''ls'\''' $env"
+ "$limit 'firejail --quiet $profile $default --
'\''ls'\''' $env"
],
[
'no network',
'ls', Shell::NO_NETWORK,
- "firejail --quiet $profile --net=none --
/bin/bash '$limit' ''\''ls'\''' $env"
+ "$limit 'firejail --quiet $profile --net=none
-- '\''ls'\''' $env"
],
[
'default restriction & no network',
'ls', Shell::RESTRICT_DEFAULT |
Shell::NO_NETWORK,
- "firejail --quiet $profile $default --net=none
-- /bin/bash '$limit' ''\''ls'\''' $env"
+ "$limit 'firejail --quiet $profile $default
--net=none -- '\''ls'\''' $env"
],
[
'seccomp',
'ls', Shell::SECCOMP,
- "firejail --quiet $profile --seccomp=@default
-- /bin/bash '$limit' ''\''ls'\''' $env"
+ "$limit 'firejail --quiet $profile
--seccomp=@default -- '\''ls'\''' $env"
],
[
'seccomp & no execve',
'ls', Shell::SECCOMP | Shell::NO_EXECVE,
- "firejail --quiet $profile
--seccomp=@default,execve -- /bin/bash '$limit' ''\''ls'\''' $env"
+ "$limit 'firejail --quiet $profile --shell=none
--seccomp=@default,execve -- '\''ls'\''' $env"
],
];
}
--
To view, visit https://gerrit.wikimedia.org/r/396570
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3fc8ad2f9e5eb5bf13b49d0bccd6094668a5ec55
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/core
Gerrit-Branch: master
Gerrit-Owner: Legoktm <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
