bdb5b592f4
Introduces a FirejailCommand class, which can be used to add additional restrictions to a command, for increased security. For now, firejail containment needs to be enabled on a per-command basis. The following restrictions are implemented: * NO_ROOT - disallows any root access, including via setuid binaries * SECCOMP - block dangerous syscalls with seccomp * PRIVATE_DEV - create a private /dev * NO_NETWORK - deny all network access * NO_EXECVE - block the execve syscall A convenient Shell::RESTRICT_DEFAULT is equivalent to NO_ROOT | SECCOMP | PRIVATE_DEV, with the expectation that more restrictions may be added to it in the future. In addition, specific paths can be whitelisted with Command::whitelistPaths(). Any file/directory that isn't whitelisted in that top level directory (e.g. /srv) won't exist inside the firejail. $wgShellRestrictionMethod can be set to false for no restriction system, 'firejail' to explicitly use it, or 'autodetect' to autodetect whatever system is available. In the future the default should be changed to autodetection once firejail is tested more. Bug: T173370 Change-Id: Id74df0dbba40e1e7c07c4368aacffb6eb06a17c5
146 lines
3.9 KiB
PHP
146 lines
3.9 KiB
PHP
<?php
|
|
/**
|
|
* Copyright (C) 2017 Kunal Mehta <legoktm@member.fsf.org>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along
|
|
* with this program; if not, write to the Free Software Foundation, Inc.,
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
*
|
|
*/
|
|
|
|
namespace MediaWiki\Shell;
|
|
|
|
use RuntimeException;
|
|
|
|
/**
|
|
* Restricts execution of shell commands using firejail
|
|
*
|
|
* @see https://firejail.wordpress.com/
|
|
* @since 1.31
|
|
*/
|
|
class FirejailCommand extends Command {
|
|
|
|
/**
|
|
* @var string Path to firejail
|
|
*/
|
|
private $firejail;
|
|
|
|
/**
|
|
* @var string[]
|
|
*/
|
|
private $whitelistedPaths = [];
|
|
|
|
/**
|
|
* @param string $firejail Path to firejail
|
|
*/
|
|
public function __construct( $firejail ) {
|
|
parent::__construct();
|
|
$this->firejail = $firejail;
|
|
}
|
|
|
|
/**
|
|
* @inheritDoc
|
|
*/
|
|
public function whitelistPaths( array $paths ) {
|
|
$this->whitelistedPaths = array_merge( $this->whitelistedPaths, $paths );
|
|
return $this;
|
|
}
|
|
|
|
/**
|
|
* @inheritDoc
|
|
*/
|
|
protected function buildFinalCommand() {
|
|
// If there are no restrictions, don't use firejail
|
|
if ( $this->restrictions === 0 ) {
|
|
return parent::buildFinalCommand();
|
|
}
|
|
|
|
if ( $this->firejail === false ) {
|
|
throw new RuntimeException( 'firejail is enabled, but cannot be found' );
|
|
}
|
|
// quiet has to come first to prevent firejail from adding
|
|
// any output.
|
|
$cmd = [ $this->firejail, '--quiet' ];
|
|
// Use a profile that allows people to add local overrides
|
|
// if their system is setup in an incompatible manner. Also it
|
|
// prevents any default profiles from running.
|
|
// FIXME: Doesn't actually override command-line switches?
|
|
$cmd[] = '--profile=' . __DIR__ . '/firejail.profile';
|
|
|
|
// By default firejail hides all other user directories, so if
|
|
// MediaWiki is inside a home directory (/home) but not the
|
|
// current user's home directory, pass --allusers to whitelist
|
|
// the home directories again.
|
|
static $useAllUsers = null;
|
|
if ( $useAllUsers === null ) {
|
|
global $IP;
|
|
// In case people are doing funny things with symlinks
|
|
// or relative paths, resolve them all.
|
|
$realIP = realpath( $IP );
|
|
$currentUser = posix_getpwuid( posix_geteuid() );
|
|
$useAllUsers = ( strpos( $realIP, '/home/' ) === 0 )
|
|
&& ( strpos( $realIP, $currentUser['dir'] ) !== 0 );
|
|
if ( $useAllUsers ) {
|
|
$this->logger->warning( 'firejail: MediaWiki is located ' .
|
|
'in a home directory that does not belong to the ' .
|
|
'current user, so allowing access to all home ' .
|
|
'directories (--allusers)' );
|
|
}
|
|
}
|
|
|
|
if ( $useAllUsers ) {
|
|
$cmd[] = '--allusers';
|
|
}
|
|
|
|
if ( $this->whitelistedPaths ) {
|
|
// Always whitelist limit.sh
|
|
$cmd[] = '--whitelist=' . __DIR__ . '/limit.sh';
|
|
foreach ( $this->whitelistedPaths as $whitelistedPath ) {
|
|
$cmd[] = "--whitelist={$whitelistedPath}";
|
|
}
|
|
}
|
|
|
|
if ( $this->hasRestriction( Shell::NO_ROOT ) ) {
|
|
$cmd[] = '--noroot';
|
|
}
|
|
|
|
$seccomp = [];
|
|
|
|
if ( $this->hasRestriction( Shell::SECCOMP ) ) {
|
|
$seccomp[] = '@default';
|
|
}
|
|
|
|
if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
|
|
$seccomp[] = 'execve';
|
|
}
|
|
|
|
if ( $seccomp ) {
|
|
$cmd[] = '--seccomp=' . implode( ',', $seccomp );
|
|
}
|
|
|
|
if ( $this->hasRestriction( Shell::PRIVATE_DEV ) ) {
|
|
$cmd[] = '--private-dev';
|
|
}
|
|
|
|
if ( $this->hasRestriction( Shell::NO_NETWORK ) ) {
|
|
$cmd[] = '--net=none';
|
|
}
|
|
|
|
list( $fullCommand, $useLogPipe ) = parent::buildFinalCommand();
|
|
|
|
$builtCmd = implode( ' ', $cmd );
|
|
|
|
return [ "$builtCmd -- $fullCommand", $useLogPipe ];
|
|
}
|
|
|
|
}
|