Introduces a FirejailCommand class, which can be used to add additional restrictions to a command, for increased security. For now, firejail containment needs to be enabled on a per-command basis.

The following restrictions are implemented:

* NO_ROOT - disallows any root access, including via setuid binaries
* SECCOMP - block dangerous syscalls with seccomp
* PRIVATE_DEV - create a private /dev
* NO_NETWORK - deny all network access
* NO_EXECVE - block the execve syscall

A convenient Shell::RESTRICT_DEFAULT is equivalent to NO_ROOT | SECCOMP | PRIVATE_DEV, with the expectation that more restrictions may be added to it in the future.

In addition, specific paths can be whitelisted with Command::whitelistPaths(). Any file/directory that isn't whitelisted in that top level directory (e.g. /srv) won't exist inside the firejail.

$wgShellRestrictionMethod can be set to false for no restriction system, 'firejail' to explicitly use it, or 'autodetect' to autodetect whatever system is available. In the future the default should be changed to autodetection once firejail is tested more.

Bug: T173370
Change-Id: Id74df0dbba40e1e7c07c4368aacffb6eb06a17c5
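To make the restriction bitmask and the whitelist semantics above concrete, here is an added example; it is not MediaWiki's FirejailCommand or any other code from the change. It is a stand-alone PHP function that maps a bitmask of the listed restrictions onto firejail command-line options. The constant values, the function names `buildFirejailArgv` and `argvToShell`, the `/srv/mediawiki/uploads` sample paths, and the particular firejail options chosen (`--noroot`, `--seccomp`, `--private-dev`, `--net=none`, `--seccomp=execve`, `--whitelist=`) are this example's own assumptions, not taken from the commit.

```php
<?php
// Added illustration, not MediaWiki's FirejailCommand. Translates a restriction
// bitmask (modelled on the commit message's NO_ROOT, SECCOMP, PRIVATE_DEV,
// NO_NETWORK, NO_EXECVE) into a firejail command line. Bit values, function
// names and the firejail options used are assumptions made for this example.

declare(strict_types=1);

// Assumed bit values; the real Shell constants may use different values.
const NO_ROOT     = 1 << 0;   // firejail --noroot
const SECCOMP     = 1 << 1;   // firejail --seccomp (default syscall blocklist)
const PRIVATE_DEV = 1 << 2;   // firejail --private-dev
const NO_NETWORK  = 1 << 3;   // firejail --net=none
const NO_EXECVE   = 1 << 4;   // firejail --seccomp=execve

// Composed the same way the commit message describes Shell::RESTRICT_DEFAULT,
// so a later restriction can be OR-ed into the default without touching callers.
const RESTRICT_DEFAULT = NO_ROOT | SECCOMP | PRIVATE_DEV;

/**
 * Build the argv for running $command under firejail.
 *
 * @param string[] $command      The program and its arguments.
 * @param int      $restrictions Bitwise OR of the constants above.
 * @param string[] $whitelist    Absolute paths to keep visible inside the jail.
 * @return string[]
 */
function buildFirejailArgv(array $command, int $restrictions, array $whitelist = []): array {
    $argv = ['firejail', '--quiet'];

    if ($restrictions & NO_ROOT) {
        $argv[] = '--noroot';
    }
    if ($restrictions & SECCOMP) {
        $argv[] = '--seccomp';
    }
    if ($restrictions & PRIVATE_DEV) {
        $argv[] = '--private-dev';
    }
    if ($restrictions & NO_NETWORK) {
        $argv[] = '--net=none';
    }
    if ($restrictions & NO_EXECVE) {
        // Targeted seccomp rule for one syscall, in addition to the blocklist.
        $argv[] = '--seccomp=execve';
    }

    foreach ($whitelist as $path) {
        // Whitelists are matched by absolute path; reject anything else early
        // rather than silently whitelisting nothing.
        if ($path === '' || $path[0] !== '/') {
            throw new InvalidArgumentException("whitelist path must be absolute: $path");
        }
        // Once any path under a top-level directory (e.g. /srv) is whitelisted,
        // everything else under that directory is absent inside the jail.
        $argv[] = '--whitelist=' . $path;
    }

    // End firejail's option parsing so that a wrapped command beginning with
    // "--" cannot be interpreted as a firejail option.
    $argv[] = '--';
    return array_merge($argv, $command);
}

/** Render an argv array as a single shell-escaped command string. */
function argvToShell(array $argv): string {
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed sample input: an image conversion with the default restrictions
// plus no network, and only the upload directory visible under /srv.
$argv = buildFirejailArgv(
    ['convert', '/srv/mediawiki/uploads/in.png', '/srv/mediawiki/uploads/out.jpg'],
    RESTRICT_DEFAULT | NO_NETWORK,
    ['/srv/mediawiki/uploads']
);
echo argvToShell($argv), "\n";
```

The point of keeping the default as a bitwise OR of named flags is that tightening the default later (adding a flag to `RESTRICT_DEFAULT`) changes every caller that asked for the default at once, while callers that need an exception still spell out exactly which bits they keep. The absolute-path check exists because a relative whitelist entry would silently match nothing and leave the whole top-level directory exposed.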
| File |
|---|
| data |
| docs |
| includes |
| languages |
| maintenance |
| mocks |
| skins |
| structure |
| suites |
| tests |
| autoload.ide.php |
| bootstrap.php |
| LessFileCompilationTest.php |
| Makefile |
| MediaWikiLangTestCase.php |
| MediaWikiPHPUnitTestListener.php |
| MediaWikiTestCase.php |
| phpunit.php |
| README |
| ResourceLoaderTestCase.php |
| run-tests.bat |
| suite.xml |
| TODO |
== MediaWiki PHPUnit Tests ==

The unit tests for MediaWiki are implemented using the PHPUnit testing framework and require PHPUnit to run.

=== WARNING ===

Some of the unit tests are DESTRUCTIVE and WILL ALTER YOUR WIKI'S CONTENTS. DO NOT RUN THESE TESTS ON A PRODUCTION SYSTEM OR ON ANY SYSTEM WHERE YOU NEED TO RETAIN YOUR DATA.

== Installation ==

If you used composer to install MediaWiki's dependencies, PHPUnit will already be available, unless you explicitly specified the --no-dev flag during the install. In that case, just run "composer update". Otherwise, follow the installation instructions in the PHPUnit Manual at: https://phpunit.de/manual/current/en/installation.html

== Running tests ==

The tests are run from your operating system's command line. Ensure that you are in the tests/phpunit directory of your MediaWiki installation.

On Unix-like operating systems, test runs are controlled with a makefile. Run:

  make help

for a full list of options for running tests.

On Windows-family operating systems, run the 'run-tests.bat' batch file.

=== Writing tests ===

A guide to writing PHP unit tests for MediaWiki can be found at: https://www.mediawiki.org/wiki/Manual:PHP_unit_testing