/**
 * Copyright (C) 2017 Kunal Mehta <legoktm@member.fsf.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
22 use MediaWiki\Shell\FirejailCommand
;
23 use MediaWiki\Shell\Shell
;
24 use Wikimedia\TestingAccessWrapper
;
26 class FirejailCommandTest
extends PHPUnit_Framework_TestCase
{
/**
 * Data provider for testBuildFinalCommand: each row pairs a command and a
 * set of Shell restriction flags with the exact command line expected back.
 *
 * NOTE(review): this listing is an extract with source lines missing (the
 * leading numbers are the viewer's line gutter), so the array brackets, some
 * row labels and the flag argument of one row are not visible here.
 */
27 public function provideBuildFinalCommand() {
// NOTE(review): $IP is interpolated below but its declaration is not visible in this listing;
// presumably the MediaWiki install-path global. Confirm against the full file.
29 // @codingStandardsIgnoreStart
// Trailing argument expected on every row: one single-quoted string of MW_* settings
// (CPU, memory, file-size and wall-clock limits among them).
30 $env = "'MW_INCLUDE_STDERR=;MW_CPU_LIMIT=180; MW_CGROUP='\'''\''; MW_MEM_LIMIT=307200; MW_FILE_SIZE_LIMIT=102400; MW_WALL_CLOCK_LIMIT=180; MW_USE_LOG_PIPE=yes'";
31 // @codingStandardsIgnoreEnd
// Every expected command, sandboxed or not, runs this script through /bin/bash.
32 $limit = "$IP/includes/shell/limit.sh";
// firejail profile option expected on every sandboxed row.
33 $profile = "--profile=$IP/includes/shell/firejail.profile";
// Options expected whenever Shell::RESTRICT_DEFAULT is set (see the rows below).
34 $default = '--noroot --seccomp=@default --private-dev';
// Flags = 0: the expected command has no firejail prefix, so the command runs through
// limit.sh only, with no sandbox. In every row the command appears quoted twice
// (''\''ls'\'''), i.e. it reaches limit.sh as one already-quoted argument.
38 'ls', 0, "/bin/bash '$limit' ''\''ls'\''' $env"
// RESTRICT_DEFAULT: wrapped in firejail with the profile plus all of $default; the
// sandbox options are followed by `--` before the wrapped /bin/bash command.
41 'default restriction',
42 'ls', Shell
::RESTRICT_DEFAULT
,
43 "firejail --quiet $profile $default -- /bin/bash '$limit' ''\''ls'\''' $env"
// NO_NETWORK alone: profile plus --net=none; none of the $default options are expected.
47 'ls', Shell
::NO_NETWORK
,
48 "firejail --quiet $profile --net=none -- /bin/bash '$limit' ''\''ls'\''' $env"
// Both flags OR-ed together: $default options first, then --net=none.
51 'default restriction & no network',
52 'ls', Shell
::RESTRICT_DEFAULT | Shell
::NO_NETWORK
,
53 "firejail --quiet $profile $default --net=none -- /bin/bash '$limit' ''\''ls'\''' $env"
// NOTE(review): the label and flag argument of this row are not visible in this listing;
// its expected output carries --seccomp=@default and no other restriction option.
58 "firejail --quiet $profile --seccomp=@default -- /bin/bash '$limit' ''\''ls'\''' $env"
// SECCOMP | NO_EXECVE: execve is appended to the same --seccomp list rather than passed
// as a second option. Presumably this blocks execve in addition to the default list,
// so the sandboxed process cannot start further programs. Confirm against firejail's
// --seccomp syntax.
61 'seccomp & no execve',
62 'ls', Shell
::SECCOMP | Shell
::NO_EXECVE
,
63 "firejail --quiet $profile --seccomp=@default,execve -- /bin/bash '$limit' ''\''ls'\''' $env"
69 * @covers \MediaWiki\Shell\FirejailCommand::buildFinalCommand()
70 * @dataProvider provideBuildFinalCommand
72 public function testBuildFinalCommand( $desc, $params, $flags, $expected ) {
73 $command = new FirejailCommand( 'firejail' );
77 $wrapper = TestingAccessWrapper
::newFromObject( $command );
78 $output = $wrapper->buildFinalCommand();
79 $this->assertEquals( $expected, $output[0], $desc );