-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi,
For a while now, Wikimedia has been restricting the different binaries that we shell out to (mostly image handling things) with firejail[1]. This was a manual process by writing wrapper scripts that invoked firejail, and pointing MediaWiki to use those "binaries". It was a pretty manual process, and other users of MediaWiki didn't benefit from any of the work that was being done. With [2], it's now possible to have MediaWiki invoke firejail with restrictions specified in the code rather than configured separately. For example, I converted the Score extension[3] to use the new shell restrictions system. There's more documentation available on-wiki[4]. You can test this out yourself by installing firejail, and by setting $wgShellRestrictionMethod = 'firejail';. Note that firejail is a Linux-specific program, but the restriction framework itself is abstract enough that it's likely that support for other restriction software could be introduced. [1] https://firejail.wordpress.com/ [2] https://gerrit.wikimedia.org/r/#/c/384930/ [3] https://gerrit.wikimedia.org/r/#/c/393830/ [4] https://www.mediawiki.org/wiki/Manual:Shell_framework#Restrictions - -- Kunal / Legoktm -----BEGIN PGP SIGNATURE----- iQJLBAEBCgA1FiEE+h6fmkHn9DUCyl1jUvyOe+23/KIFAlolpfoXHGxlZ29rdG1A bWVtYmVyLmZzZi5vcmcACgkQUvyOe+23/KI8CBAApq8rMUGf0SKIPYCddyBLJgMO vL02D6xjA0j1HCmxwynolUh751ZbAi+kgNbEA8gtosxfvQls++vs+V4x1OXfxFWJ +Fz2Q0WYLv0j0o8pQPbugDknNlMljmILDf5ISxlCyGxw+i6bGLdFOuLWVWVTBsAx eGlGLiFT6ROZfG72K/V0hgDnT760bwLHMVhBR672zo+Sau3UdY2hGu1uG/9GJbQv 50/9z2JtZs7ZrriqX240DZNSQwi8O7L4ppJRRUo+z+Apc4+QbxUgE0hgbe6RYKCg K0qLksh2zZwW4c/5rqwq4P85hCS56JeW+++Wq1q7iapQH+PWsCWoztyDc0yZAp1P +UVVSe9aOEAhudoU6yvoHlxlatAJGJv6H9LcyNHTPTAyKwYJtOc5u30PHMpt65mB oVHu7KbSljkGTpnTd01d1VY2gLjil40FwjoL76M1LBxIPe1Fx9SFJVDgwXxpK1BM gY0RcwWSXjzB+vnUOcQL6G4FQ/BYP9+43y4G3OtMTrkK8FkANaqgdpBECM7wJltl lP6DGluQBBVv0cgXwZ+PKQg2dJkYxbWOR0m1T219REoP6O85EEZjvhyCx3IEaHGG NAaTc5s93XR85hP4+gjdaC8lAJRIld4y3OjQQ7w4tWVygy7Ve4J/cYiRreWyTiBf nRgXZj47aHrM92jY2q4= =HIvI -----END PGP SIGNATURE----- _______________________________________________ Wikitech-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikitech-l
