Find: /isset\(\s*([^()]+?)\s*\)\s*\?\s*\1\s*:\s*/
Replace with: '\1 ?? '
(Everywhere except includes/PHPVersionCheck.php)
(Then, manually fix some line length and indentation issues)
Then manually reviewed the replacements for cases where confusing
operator precedence would result in incorrect results
(fixing those in I478db046a1cc162c6767003ce45c9b56270f3372).
Change-Id: I33b421c8cb11cdd4ce896488c9ff5313f03a38cf
Assume the first part of the command is the binary, and include it directly
in the message to make grouping work on a per-binary basis. Includ the rest
of the params as log context just in case it is useful.
Change-Id: Ibfff7b1fee083efffae833b9bfa71ae9806c1bbd
NO_EXECVE doesn't work because limit.sh needs to execute the main
command, and does so through the execve syscall. Eventually we should be
able to replace limit.sh with firejail functionality entirely (T179021),
but in the meantime we can run firejail inside limit.sh.
We also need to stop firejail from running the command in a bash shell
via --shell=none, since that shell would also use the execve syscall.
Bug: T182489
Change-Id: I3fc8ad2f9e5eb5bf13b49d0bccd6094668a5ec55
Most secret information like database passwords are kept in LocalSettings.php,
so blacklisting that file by default would take away a lot of information an
attacker would want.
Since most commands shouldn't need to read the PHP configuration, add it to
RESTRICT_DEFAULT. People can still use:
$cmd->restrict( Shell::RESTRICT_DEFAULT & ~Shell::NO_LOCALSETTINGS );
if they need to still access LocalSettings.php
Bug: T182484
Change-Id: I4032e2706e808e9b819e92a06eff536ccf043388
Introduces a FirejailCommand class, which can be used to add additional
restrictions to a command, for increased security. For now, firejail
containment needs to be enabled on a per-command basis.
The following restrictions are implemented:
* NO_ROOT - disallows any root access, including via setuid binaries
* SECCOMP - block dangerous syscalls with seccomp
* PRIVATE_DEV - create a private /dev
* NO_NETWORK - deny all network access
* NO_EXECVE - block the execve syscall
A convenient Shell::RESTRICT_DEFAULT is equivalent to NO_ROOT | SECCOMP
| PRIVATE_DEV, with the expectation that more restrictions may be added
to it in the future.
In addition, specific paths can be whitelisted with
Command::whitelistPaths(). Any file/directory that isn't whitelisted in
that top level directory (e.g. /srv) won't exist inside the firejail.
$wgShellRestrictionMethod can be set to false for no restriction system,
'firejail' to explicitly use it, or 'autodetect' to autodetect whatever
system is available. In the future the default should be changed to
autodetection once firejail is tested more.
Bug: T173370
Change-Id: Id74df0dbba40e1e7c07c4368aacffb6eb06a17c5
