wiki.techinc.nl/tests/phpunit/includes/shell/FirejailCommandTest.php

<?php

/**
 * Copyright (C) 2017 Kunal Mehta <legoktm@member.fsf.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 */

use MediaWiki\Shell\FirejailCommand;
use MediaWiki\Shell\Shell;
use Wikimedia\TestingAccessWrapper;

class FirejailCommandTest extends PHPUnit_Framework_TestCase {
	public function provideBuildFinalCommand() {
		global $IP;
		// @codingStandardsIgnoreStart
		$env = "'MW_INCLUDE_STDERR=;MW_CPU_LIMIT=180; MW_CGROUP='\'''\''; MW_MEM_LIMIT=307200; MW_FILE_SIZE_LIMIT=102400; MW_WALL_CLOCK_LIMIT=180; MW_USE_LOG_PIPE=yes'";
		// @codingStandardsIgnoreEnd
		$limit = "$IP/includes/shell/limit.sh";
		$profile = "--profile=$IP/includes/shell/firejail.profile";
		$default = '--noroot --seccomp=@default --private-dev';
		return [
			[
				'No restrictions',
				'ls', 0, "/bin/bash '$limit' ''\''ls'\''' $env"
			],
			[
				'default restriction',
				'ls', Shell::RESTRICT_DEFAULT,
				"firejail --quiet $profile $default -- /bin/bash '$limit' ''\''ls'\''' $env"
			],
			[
				'no network',
				'ls', Shell::NO_NETWORK,
				"firejail --quiet $profile --net=none -- /bin/bash '$limit' ''\''ls'\''' $env"
			],
			[
				'default restriction & no network',
				'ls', Shell::RESTRICT_DEFAULT | Shell::NO_NETWORK,
				"firejail --quiet $profile $default --net=none -- /bin/bash '$limit' ''\''ls'\''' $env"
			],
			[
				'seccomp',
				'ls', Shell::SECCOMP,
				"firejail --quiet $profile --seccomp=@default -- /bin/bash '$limit' ''\''ls'\''' $env"
			],
			[
				'seccomp & no execve',
				'ls', Shell::SECCOMP | Shell::NO_EXECVE,
				"firejail --quiet $profile --seccomp=@default,execve -- /bin/bash '$limit' ''\''ls'\''' $env"
			],
		];
	}

	/**
	 * @covers \MediaWiki\Shell\FirejailCommand::buildFinalCommand()
	 * @dataProvider provideBuildFinalCommand
	 */
	public function testBuildFinalCommand( $desc, $params, $flags, $expected ) {
		$command = new FirejailCommand( 'firejail' );
		$command
			->params( $params )
			->restrict( $flags );
		$wrapper = TestingAccessWrapper::newFromObject( $command );
		$output = $wrapper->buildFinalCommand();
		$this->assertEquals( $expected, $output[0], $desc );
	}

}
shell: Optionally restrict commands' access with firejail Introduces a FirejailCommand class, which can be used to add additional restrictions to a command, for increased security. For now, firejail containment needs to be enabled on a per-command basis. The following restrictions are implemented: * NO_ROOT - disallows any root access, including via setuid binaries * SECCOMP - block dangerous syscalls with seccomp * PRIVATE_DEV - create a private /dev * NO_NETWORK - deny all network access * NO_EXECVE - block the execve syscall A convenient Shell::RESTRICT_DEFAULT is equivalent to NO_ROOT \| SECCOMP \| PRIVATE_DEV, with the expectation that more restrictions may be added to it in the future. In addition, specific paths can be whitelisted with Command::whitelistPaths(). Any file/directory that isn't whitelisted in that top level directory (e.g. /srv) won't exist inside the firejail. $wgShellRestrictionMethod can be set to false for no restriction system, 'firejail' to explicitly use it, or 'autodetect' to autodetect whatever system is available. In the future the default should be changed to autodetection once firejail is tested more. Bug: T173370 Change-Id: Id74df0dbba40e1e7c07c4368aacffb6eb06a17c5 2017-10-18 06:54:19 +00:00			`<?php`

			`/**`
			`* Copyright (C) 2017 Kunal Mehta <legoktm@member.fsf.org>`
			`*`
			`* This program is free software; you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation; either version 2 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License along`
			`* with this program; if not, write to the Free Software Foundation, Inc.,`
			`* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.`
			`*`
			`*/`

			`use MediaWiki\Shell\FirejailCommand;`
			`use MediaWiki\Shell\Shell;`
			`use Wikimedia\TestingAccessWrapper;`

			`class FirejailCommandTest extends PHPUnit_Framework_TestCase {`
			`public function provideBuildFinalCommand() {`
			`global $IP;`
			`// @codingStandardsIgnoreStart`
			`$env = "'MW_INCLUDE_STDERR=;MW_CPU_LIMIT=180; MW_CGROUP='\'''\''; MW_MEM_LIMIT=307200; MW_FILE_SIZE_LIMIT=102400; MW_WALL_CLOCK_LIMIT=180; MW_USE_LOG_PIPE=yes'";`
			`// @codingStandardsIgnoreEnd`
			`$limit = "$IP/includes/shell/limit.sh";`
			`$profile = "--profile=$IP/includes/shell/firejail.profile";`
			`$default = '--noroot --seccomp=@default --private-dev';`
			`return [`
			`[`
			`'No restrictions',`
			`'ls', 0, "/bin/bash '$limit' ''\''ls'\''' $env"`
			`],`
			`[`
			`'default restriction',`
			`'ls', Shell::RESTRICT_DEFAULT,`
			`"firejail --quiet $profile $default -- /bin/bash '$limit' ''\''ls'\''' $env"`
			`],`
			`[`
			`'no network',`
			`'ls', Shell::NO_NETWORK,`
			`"firejail --quiet $profile --net=none -- /bin/bash '$limit' ''\''ls'\''' $env"`
			`],`
			`[`
			`'default restriction & no network',`
			`'ls', Shell::RESTRICT_DEFAULT \| Shell::NO_NETWORK,`
			`"firejail --quiet $profile $default --net=none -- /bin/bash '$limit' ''\''ls'\''' $env"`
			`],`
			`[`
			`'seccomp',`
			`'ls', Shell::SECCOMP,`
			`"firejail --quiet $profile --seccomp=@default -- /bin/bash '$limit' ''\''ls'\''' $env"`
			`],`
			`[`
			`'seccomp & no execve',`
			`'ls', Shell::SECCOMP \| Shell::NO_EXECVE,`
			`"firejail --quiet $profile --seccomp=@default,execve -- /bin/bash '$limit' ''\''ls'\''' $env"`
			`],`
			`];`
			`}`

			`/**`
			`* @covers \MediaWiki\Shell\FirejailCommand::buildFinalCommand()`
			`* @dataProvider provideBuildFinalCommand`
			`*/`
			`public function testBuildFinalCommand( $desc, $params, $flags, $expected ) {`
			`$command = new FirejailCommand( 'firejail' );`
			`$command`
			`->params( $params )`
			`->restrict( $flags );`
			`$wrapper = TestingAccessWrapper::newFromObject( $command );`
			`$output = $wrapper->buildFinalCommand();`
			`$this->assertEquals( $expected, $output[0], $desc );`
			`}`

			`}`