diff options
| author | Kunal Mehta <legoktm@member.fsf.org> | 2020-07-06 12:58:16 -0700 |
|---|---|---|
| committer | Krinkle <krinklemail@gmail.com> | 2020-07-18 03:09:04 +0000 |
| commit | 9f10c04579e3cb2c58a8f78095ed22772af0de0d (patch) | |
| tree | 52e572ab9b5d1c0956354bf9d90e4d2c34203409 /includes/shell | |
| parent | 436d7fbf067604ecfa1f15a502fba056dfb66925 (diff) | |
| download | mediawikicore-9f10c04579e3cb2c58a8f78095ed22772af0de0d.tar.gz mediawikicore-9f10c04579e3cb2c58a8f78095ed22772af0de0d.zip | |
shell: Expand documentation in firejail.profile
Explain what content should go in the profile and what the two inclusions
are for.
Bug: T257207
Change-Id: I7a0fbc558a85baa91624414f67f84d2dc23a41bb
Diffstat (limited to 'includes/shell')
| -rw-r--r-- | includes/shell/firejail.profile | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/includes/shell/firejail.profile b/includes/shell/firejail.profile index 07f059bad034..d87d3ee9beef 100644 --- a/includes/shell/firejail.profile +++ b/includes/shell/firejail.profile @@ -1,7 +1,16 @@ # Firejail profile used by MediaWiki when shelling out +# Most rules are applied via command-line flags controlled by the +# Shell::RESTRICTION_* constants. +# Rules added to this file must be compatible with every command that could +# be invoked. If something might need to be disabled, then it should be added +# as a Shell:RESTRICTION_* constant instead so that commands can opt-in/out. + # See <https://firejail.wordpress.com/features-3/man-firejail-profile/> for -# syntax documentation -# Persistent local customizations +# syntax documentation. + +# Optionally allow sysadmins to set extra restrictions that apply to their +# MediaWiki setup, e.g. disallowing access to extra private directories. include /etc/firejail/mediawiki.local -# Persistent global definitions + +# Include any global firejail customizations. include /etc/firejail/globals.local |