/**
* @inheritDoc
*/
- protected function buildFinalCommand() {
+ protected function buildFinalCommand( $command ) {
// If there are no restrictions, don't use firejail
if ( $this->restrictions === 0 ) {
- return parent::buildFinalCommand();
+ $splitCommand = explode( ' ', $command, 2 );
+ $this->logger->debug(
+ "firejail: Command {$splitCommand[0]} {params} has no restrictions",
+ [ 'params' => isset( $splitCommand[1] ) ? $splitCommand[1] : '' ]
+ );
+ return parent::buildFinalCommand( $command );
}
if ( $this->firejail === false ) {
}
}
+ if ( $this->hasRestriction( Shell::NO_LOCALSETTINGS ) ) {
+ $cmd[] = '--blacklist=' . realpath( MW_CONFIG_FILE );
+ }
+
if ( $this->hasRestriction( Shell::NO_ROOT ) ) {
$cmd[] = '--noroot';
}
if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
$seccomp[] = 'execve';
+ // Normally firejail will run commands in a bash shell,
+ // but that won't work if we ban the execve syscall, so
+ // run the command without a shell.
+ $cmd[] = '--shell=none';
}
if ( $seccomp ) {
$cmd[] = '--net=none';
}
- list( $fullCommand, $useLogPipe ) = parent::buildFinalCommand();
-
$builtCmd = implode( ' ', $cmd );
- return [ "$builtCmd -- $fullCommand", $useLogPipe ];
+ // Prefix the firejail command in front of the wanted command
+ return parent::buildFinalCommand( "$builtCmd -- {$command}" );
}
}