$cmd[] = '--noroot';
}
- $seccomp = [];
-
- if ( $this->hasRestriction( Shell::SECCOMP ) ) {
- $seccomp[] = '@default';
- }
+ $useSeccomp = $this->hasRestriction( Shell::SECCOMP );
+ $extraSeccomp = [];
if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
- $seccomp[] = 'execve';
+ $extraSeccomp[] = 'execve';
// Normally firejail will run commands in a bash shell,
// but that won't work if we ban the execve syscall, so
// run the command without a shell.
$cmd[] = '--shell=none';
}
- if ( $seccomp ) {
- $cmd[] = '--seccomp=' . implode( ',', $seccomp );
+ if ( $useSeccomp ) {
+ $seccomp = '--seccomp';
+ if ( $extraSeccomp ) {
+ // The "@default" seccomp group will always be enabled
+ $seccomp .= '=' . implode( ',', $extraSeccomp );
+ }
+ $cmd[] = $seccomp;
}
if ( $this->hasRestriction( Shell::PRIVATE_DEV ) ) {
$limit = "/bin/bash '$IP/includes/shell/limit.sh'";
$profile = "--profile=$IP/includes/shell/firejail.profile";
$blacklist = '--blacklist=' . realpath( MW_CONFIG_FILE );
- $default = "$blacklist --noroot --seccomp=@default --private-dev";
+ $default = "$blacklist --noroot --seccomp --private-dev";
return [
[
'No restrictions',
[
'seccomp',
'ls', Shell::SECCOMP,
- "$limit 'firejail --quiet $profile --seccomp=@default -- '\''ls'\''' $env"
+ "$limit 'firejail --quiet $profile --seccomp -- '\''ls'\''' $env"
],
[
'seccomp & no execve',
'ls', Shell::SECCOMP | Shell::NO_EXECVE,
- "$limit 'firejail --quiet $profile --shell=none --seccomp=@default,execve -- '\''ls'\''' $env"
+ "$limit 'firejail --quiet $profile --shell=none --seccomp=execve -- '\''ls'\''' $env"
],
];
}
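Review bot: The updated table has no case for `Shell::NO_EXECVE` set without `Shell::SECCOMP`, and that is exactly the combination whose behaviour this change alters: the production hunk now only emits a `--seccomp` flag when `$useSeccomp` is true, so 'execve' collected into `$extraSeccomp` is silently dropped and the command runs with `--shell=none` alone, whereas the removed code would have produced `--seccomp=execve`. If that combination is meant to remain valid, the emitting condition should read `if ( $useSeccomp || $extraSeccomp ) {` (a loosely-held reading of firejail's flag semantics is that `--seccomp=execve` still applies the default group, which the comment on the `$extraSeccomp` branch appears to assume) and a row such as `[ 'no execve only', 'ls', Shell::NO_EXECVE, "$limit 'firejail --quiet $profile --shell=none --seccomp=execve -- '\''ls'\''' $env" ]` (constructed to match the existing rows) would pin it; if it is intentionally unsupported, a short comment next to `$useSeccomp` saying that `NO_EXECVE` is only honoured together with `SECCOMP` would prevent the next reader from treating the dropped flag as a bug. The function that builds `$cmd` begins before this chunk, so I could not confirm whether an earlier branch already rejects that combination.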