Merge "shell: Add NO_LOCALSETTINGS restriction"
authorjenkins-bot <jenkins-bot@gerrit.wikimedia.org>
Fri, 22 Dec 2017 01:44:22 +0000 (01:44 +0000)
committerGerrit Code Review <gerrit@wikimedia.org>
Fri, 22 Dec 2017 01:44:22 +0000 (01:44 +0000)
includes/shell/FirejailCommand.php
includes/shell/Shell.php
tests/phpunit/includes/shell/FirejailCommandTest.php

index ec9eb09..a71b376 100644 (file)
@@ -115,6 +115,10 @@ class FirejailCommand extends Command {
                        }
                }
 
+               if ( $this->hasRestriction( Shell::NO_LOCALSETTINGS ) ) {
+                       $cmd[] = '--blacklist=' . realpath( MW_CONFIG_FILE );
+               }
+
                if ( $this->hasRestriction( Shell::NO_ROOT ) ) {
                        $cmd[] = '--noroot';
                }
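Review bot: `realpath( MW_CONFIG_FILE )` on the added `--blacklist=` line returns false when the path cannot be resolved, and the concatenation then yields a bare `--blacklist=` argument, so the restriction silently covers nothing even though it is now part of RESTRICT_DEFAULT. Resolve the path first and fail closed: `$cfg = realpath( MW_CONFIG_FILE );` / `if ( $cfg === false ) { throw new RuntimeException( 'Cannot resolve MW_CONFIG_FILE' ); }` / `$cmd[] = '--blacklist=' . $cfg;`. The data provider in FirejailCommandTest.php (the `$blacklist` line) builds its expectation from the same expression, so it would pass in the false case as well and does not guard against this. Whether the resolved path needs quoting depends on how `$cmd` is joined, which is not visible here; the enclosing method starts and ends outside the hunk.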
index 084e10e..05463db 100644 (file)
@@ -45,13 +45,13 @@ class Shell {
         * Apply a default set of restrictions for improved
         * security out of the box.
         *
-        * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV
+        * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS
         *
         * @note This value will change over time to provide increased security
         *       by default, and is not guaranteed to be backwards-compatible.
         * @since 1.31
         */
-       const RESTRICT_DEFAULT = 7;
+       const RESTRICT_DEFAULT = 39;
 
        /**
         * Disallow any root access. Any setuid binaries
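Review bot: `const RESTRICT_DEFAULT = 39;` is a hand-computed bitmask whose meaning lives only in the docblock sentence above it, so the comment and the value can drift the next time a flag is added. If the project's minimum PHP version permits constant expressions (5.6+), write it as `const RESTRICT_DEFAULT = self::NO_ROOT | self::SECCOMP | self::PRIVATE_DEV | self::NO_LOCALSETTINGS;` and drop the "Equal to" sentence; otherwise keep the literal but put `// NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS` on the same line so a reader can verify the arithmetic without scrolling.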
@@ -92,6 +92,13 @@ class Shell {
         */
        const NO_EXECVE = 16;
 
+       /**
+        * Deny access to LocalSettings.php (MW_CONFIG_FILE)
+        *
+        * @since 1.31
+        */
+       const NO_LOCALSETTINGS = 32;
+
        /**
         * Returns a new instance of Command class
         *
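Review bot: The docblock on `NO_LOCALSETTINGS` says the flag denies access to LocalSettings.php but not how narrow that is: in FirejailCommand.php the restriction becomes a single `--blacklist=` of the realpath of MW_CONFIG_FILE, so any other file that LocalSettings.php itself loads (a separate credentials include, for instance) stays readable inside the sandbox. Suggest adding `* Only the file named by MW_CONFIG_FILE is blocked; configuration that LocalSettings.php includes from other paths is not covered.` to the docblock so callers do not assume broader protection. If, like the other restriction constants, this one is only enforced by FirejailCommand, stating that in the docblock would also help.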
index fab14ca..7d6d7f8 100644 (file)
@@ -31,7 +31,8 @@ class FirejailCommandTest extends PHPUnit_Framework_TestCase {
                // @codingStandardsIgnoreEnd
                $limit = "/bin/bash '$IP/includes/shell/limit.sh'";
                $profile = "--profile=$IP/includes/shell/firejail.profile";
-               $default = '--noroot --seccomp=@default --private-dev';
+               $blacklist = '--blacklist=' . realpath( MW_CONFIG_FILE );
+               $default = "$blacklist --noroot --seccomp=@default --private-dev";
                return [
                        [
                                'No restrictions',