diff --git a/includes/shell/FirejailCommand.php b/includes/shell/FirejailCommand.php index 79f679d87bd..68a1822f7a5 100644 --- a/includes/shell/FirejailCommand.php +++ b/includes/shell/FirejailCommand.php @@ -110,6 +110,10 @@ class FirejailCommand extends Command { } } + if ( $this->hasRestriction( Shell::NO_LOCALSETTINGS ) ) { + $cmd[] = '--blacklist=' . realpath( MW_CONFIG_FILE ); + } + if ( $this->hasRestriction( Shell::NO_ROOT ) ) { $cmd[] = '--noroot'; } diff --git a/includes/shell/Shell.php b/includes/shell/Shell.php index 084e10e7935..05463dbf35a 100644 --- a/includes/shell/Shell.php +++ b/includes/shell/Shell.php @@ -45,13 +45,13 @@ class Shell { * Apply a default set of restrictions for improved * security out of the box. * - * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV + * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS * * @note This value will change over time to provide increased security * by default, and is not guaranteed to be backwards-compatible. * @since 1.31 */ - const RESTRICT_DEFAULT = 7; + const RESTRICT_DEFAULT = 39; /** * Disallow any root access. Any setuid binaries @@ -92,6 +92,13 @@ class Shell { */ const NO_EXECVE = 16; + /** + * Deny access to LocalSettings.php (MW_CONFIG_FILE) + * + * @since 1.31 + */ + const NO_LOCALSETTINGS = 32; + /** * Returns a new instance of Command class * diff --git a/tests/phpunit/includes/shell/FirejailCommandTest.php b/tests/phpunit/includes/shell/FirejailCommandTest.php index c9db74f5f97..57d820e0d70 100644 --- a/tests/phpunit/includes/shell/FirejailCommandTest.php +++ b/tests/phpunit/includes/shell/FirejailCommandTest.php 
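Review bot: In the added NO_LOCALSETTINGS branch of FirejailCommand.php, `realpath( MW_CONFIG_FILE )` returns false when the file is missing or cannot be resolved, and the concatenation then yields a bare `--blacklist=` argument, so the restriction is not applied as intended. Resolve the path first and append only on success: `$configPath = realpath( MW_CONFIG_FILE );` followed by `if ( $configPath !== false ) { $cmd[] = '--blacklist=' . $configPath; }`, ideally logging the skipped case. The test hunk in FirejailCommandTest.php builds its expected string from the same expression, so it would pass in that state too. The enclosing method starts and ends outside the hunk, so how `$cmd` is quoted afterwards (relevant for a config path containing spaces) is not visible here.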
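Review bot: `const RESTRICT_DEFAULT = 39;` in Shell.php is a hand-computed sum that has to be kept in step with the "Equal to ..." line in its docblock, and a future flag can easily be added to one and not the other. If the supported PHP versions allow constant expressions (PHP 5.6+), write the value as the flags themselves: `const RESTRICT_DEFAULT = self::NO_ROOT | self::SECCOMP | self::PRIVATE_DEV | self::NO_LOCALSETTINGS;`. The definitions of NO_ROOT, SECCOMP and PRIVATE_DEV are outside this hunk, so their values are taken from the docblock.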
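Review bot: The docblock added for NO_LOCALSETTINGS in Shell.php should state how far the restriction reaches. Going by the FirejailCommand.php hunk, only the single path that MW_CONFIG_FILE resolves to is blacklisted, so any files LocalSettings.php includes (where deployments sometimes keep credentials) stay readable to the sandboxed command. Suggested wording: `Deny access to LocalSettings.php (MW_CONFIG_FILE) only; files it includes are not covered.` It would also help to say whether Command implementations other than FirejailCommand honour this flag, which this diff does not show.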
@@ -31,7 +31,8 @@ class FirejailCommandTest extends PHPUnit_Framework_TestCase { // @codingStandardsIgnoreEnd $limit = "$IP/includes/shell/limit.sh"; $profile = "--profile=$IP/includes/shell/firejail.profile"; - $default = '--noroot --seccomp=@default --private-dev'; + $blacklist = '--blacklist=' . realpath( MW_CONFIG_FILE ); + $default = "$blacklist --noroot --seccomp=@default --private-dev"; return [ [ 'No restrictions',