Commit graph

10 commits

Author SHA1 Message Date
Kunal Mehta
b6d1afa1aa shell: Fix $wgShellboxUrls by passing service name when creating BoxedCommand
To be able to use non-default Shellbox URLs, we need to be able to
pass in a service name when creating the ShellboxClient.

Have CommandFactory::createBoxed() take a $service parameter that can
be used to change which Shellbox will be hit, as intended.

Bug: T290193
Change-Id: Ic1671a69070f962dbb0083028faf34d6d437022a
2021-09-01 11:43:22 -07:00
Tim Starling
99392f3b16 Use Shellbox for Shell::command() etc.
Make Command extend Shellbox's UnboxedCommand. Only a few MediaWiki-
specific features remain in the subclass.

Also add BoxedCommand abstraction and Shellbox client.

The Result alias didn't actually work, I just had to change the return
type hint.

Bug: T260330
Change-Id: Iff7428e4c5fe3959a5cda8e113f223caa0976fc1
2021-02-05 21:51:58 +11:00
Kunal Mehta
b3f54db14c shell: Fix autodetection of firejail in findFirejail()
Fixes a regression from 3f94708eff. ExecutableFinder returns false if
the executable isn't found, but CommandFactory was expecting a null response.
This caused autodetection to always think firejail was present.

Adjust CommandFactoryTest to ensure we're always passing a string to
FirejailCommand. We need to switch findFirejail to protected so it can
be mocked.

Bug: T257282
Change-Id: Ie73418ebef6dce2bd5ec18fa38e29219d5bb2fd6
2020-07-07 03:18:34 -07:00
Thiemo Kreuz
1006aa41e6 Fix mismatching type hints in PHPDoc tags
This is a collection of random bits from my local stashes. This patch
intentionally only touches comments, no code.

Notably:
* Use more specific string[] instead of array, if possible.
* Some comments mention "or null", but fail to list the type.

Change-Id: I712b28964f125c8e3dcb4e3fb993757a09f96644
2020-03-24 09:59:02 +01:00
Max Semenik
3f94708eff Shell: Add more types
Change-Id: I315f0bb2746ccf7249b8d622a153162dd634ff2e
2019-10-31 01:16:35 +00:00
Max Semenik
e7d13e88b8 shell: annotate return types
Change-Id: I3ab0a6409088c86581d9d50a340e82b0ea354814
2019-04-26 13:54:41 -07:00
Max Semenik
efa586fddd Restrict shell commands by default
Before it's too late, let's boil the oceans
and just do it. This patch assumes that old code
calling wfShellExec() doesn't know about restrictions
so it doesn't restrict anything. New code, however,
needs to specify its restrictions or deal with defaults.

Change-Id: I58963901087202d4a405bcdb6bd12758bb6b0ff7
2018-04-16 11:50:13 -07:00
Kunal Mehta
bdb5b592f4 shell: Optionally restrict commands' access with firejail
Introduces a FirejailCommand class, which can be used to add additional
restrictions to a command, for increased security. For now, firejail
containment needs to be enabled on a per-command basis.

The following restrictions are implemented:
* NO_ROOT - disallows any root access, including via setuid binaries
* SECCOMP - block dangerous syscalls with seccomp
* PRIVATE_DEV - create a private /dev
* NO_NETWORK - deny all network access
* NO_EXECVE - block the execve syscall

A convenient Shell::RESTRICT_DEFAULT is equivalent to NO_ROOT | SECCOMP
| PRIVATE_DEV, with the expectation that more restrictions may be added
to it in the future.

In addition, specific paths can be whitelisted with
Command::whitelistPaths(). Any file/directory that isn't whitelisted in
that top level directory (e.g. /srv) won't exist inside the firejail.

$wgShellRestrictionMethod can be set to false for no restriction system,
'firejail' to explicitly use it, or 'autodetect' to autodetect whatever
system is available. In the future the default should be changed to
autodetection once firejail is tested more.

Bug: T173370
Change-Id: Id74df0dbba40e1e7c07c4368aacffb6eb06a17c5
2017-11-28 00:06:40 +00:00
Gergő Tisza
7d9dbc0040 MediaWiki\Shell: log stderr
Change-Id: I1495fe2aba10102d7e36c3a3e5fdabf97f14546b
2017-10-26 21:06:03 -07:00
Max Semenik
32912b8c8d Introduce Shell\CommandFactory
Bug: T177038
Change-Id: Id875e68ea1fa72b44a463f977ab52270fe1e7088
2017-10-17 18:55:11 -07:00