3 * Copyright (C) 2017 Kunal Mehta <legoktm@member.fsf.org>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 namespace MediaWiki\Shell
;
26 * Restricts execution of shell commands using firejail
28 * @see https://firejail.wordpress.com/
31 class FirejailCommand
extends Command
{
34 * @var string Path to firejail
41 private $whitelistedPaths = [];
44 * @param string $firejail Path to firejail
46 public function __construct( $firejail ) {
47 parent
::__construct();
48 $this->firejail
= $firejail;
54 public function whitelistPaths( array $paths ): Command
{
55 $this->whitelistedPaths
= array_merge( $this->whitelistedPaths
, $paths );
62 protected function buildFinalCommand( $command ) {
63 // If there are no restrictions, don't use firejail
64 if ( $this->restrictions
=== 0 ) {
65 $splitCommand = explode( ' ', $command, 2 );
67 "firejail: Command {$splitCommand[0]} {params} has no restrictions",
68 [ 'params' => $splitCommand[1] ??
'' ]
70 return parent
::buildFinalCommand( $command );
73 if ( $this->firejail
=== false ) {
74 throw new RuntimeException( 'firejail is enabled, but cannot be found' );
76 // quiet has to come first to prevent firejail from adding
78 $cmd = [ $this->firejail
, '--quiet' ];
79 // Use a profile that allows people to add local overrides
80 // if their system is setup in an incompatible manner. Also it
81 // prevents any default profiles from running.
82 // FIXME: Doesn't actually override command-line switches?
83 $cmd[] = '--profile=' . __DIR__
. '/firejail.profile';
85 // By default firejail hides all other user directories, so if
86 // MediaWiki is inside a home directory (/home) but not the
87 // current user's home directory, pass --allusers to whitelist
88 // the home directories again.
89 static $useAllUsers = null;
90 if ( $useAllUsers === null ) {
92 // In case people are doing funny things with symlinks
93 // or relative paths, resolve them all.
94 $realIP = realpath( $IP );
95 $currentUser = posix_getpwuid( posix_geteuid() );
96 $useAllUsers = ( strpos( $realIP, '/home/' ) === 0 )
97 && ( strpos( $realIP, $currentUser['dir'] ) !== 0 );
99 $this->logger
->warning( 'firejail: MediaWiki is located ' .
100 'in a home directory that does not belong to the ' .
101 'current user, so allowing access to all home ' .
102 'directories (--allusers)' );
106 if ( $useAllUsers ) {
107 $cmd[] = '--allusers';
110 if ( $this->whitelistedPaths
) {
111 // Always whitelist limit.sh
112 $cmd[] = '--whitelist=' . __DIR__
. '/limit.sh';
113 foreach ( $this->whitelistedPaths
as $whitelistedPath ) {
114 $cmd[] = "--whitelist={$whitelistedPath}";
118 if ( $this->hasRestriction( Shell
::NO_LOCALSETTINGS
) ) {
119 $cmd[] = '--blacklist=' . realpath( MW_CONFIG_FILE
);
122 if ( $this->hasRestriction( Shell
::NO_ROOT
) ) {
126 $useSeccomp = $this->hasRestriction( Shell
::SECCOMP
);
129 if ( $this->hasRestriction( Shell
::NO_EXECVE
) ) {
130 $extraSeccomp[] = 'execve';
131 // Normally firejail will run commands in a bash shell,
132 // but that won't work if we ban the execve syscall, so
133 // run the command without a shell.
134 $cmd[] = '--shell=none';
138 $seccomp = '--seccomp';
139 if ( $extraSeccomp ) {
140 // The "@default" seccomp group will always be enabled
141 $seccomp .= '=' . implode( ',', $extraSeccomp );
146 if ( $this->hasRestriction( Shell
::PRIVATE_DEV
) ) {
147 $cmd[] = '--private-dev';
150 if ( $this->hasRestriction( Shell
::NO_NETWORK
) ) {
151 $cmd[] = '--net=none';
154 $builtCmd = implode( ' ', $cmd );
156 // Prefix the firejail command in front of the wanted command
157 return parent
::buildFinalCommand( "$builtCmd -- {$command}" );