authorKunal Mehta <legoktm@member.fsf.org>2018-02-26 13:40:27 -0800
committerKunal Mehta <legoktm@member.fsf.org>2018-02-26 14:11:42 -0800
commita44c2b62ca05d049351f1b20b2658c5559ae920a (patch)
treecffa0c468d61bd69288f1083fcfb6658ee650e97 /includes/shell
parent368dea479a112288b0b3e69241afa55d3c1cc1b7 (diff)
shell: Don't use --seccomp=@default for firejail < 0.9.50 support
Just using a plain `--seccomp` automatically enables the default list. Bug: T183680 Change-Id: I623db943eeb5c3e9d4f7a553fb6a17a60d659dce
Diffstat (limited to 'includes/shell')
-rw-r--r--includes/shell/FirejailCommand.php18
1 files changed, 10 insertions, 8 deletions
diff --git a/includes/shell/FirejailCommand.php b/includes/shell/FirejailCommand.php
index a71b37638900..d8189304cb82 100644
--- a/includes/shell/FirejailCommand.php
+++ b/includes/shell/FirejailCommand.php
@@ -123,22 +123,24 @@ class FirejailCommand extends Command {
$cmd[] = '--noroot';
}
- $seccomp = [];
-
- if ( $this->hasRestriction( Shell::SECCOMP ) ) {
- $seccomp[] = '@default';
- }
+ $useSeccomp = $this->hasRestriction( Shell::SECCOMP );
+ $extraSeccomp = [];
if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
- $seccomp[] = 'execve';
+ $extraSeccomp[] = 'execve';
// Normally firejail will run commands in a bash shell,
// but that won't work if we ban the execve syscall, so
// run the command without a shell.
$cmd[] = '--shell=none';
}
- if ( $seccomp ) {
- $cmd[] = '--seccomp=' . implode( ',', $seccomp );
+ if ( $useSeccomp ) {
+ $seccomp = '--seccomp';
+ if ( $extraSeccomp ) {
+ // The "@default" seccomp group will always be enabled
+ $seccomp .= '=' . implode( ',', $extraSeccomp );
+ }
+ $cmd[] = $seccomp;
}
if ( $this->hasRestriction( Shell::PRIVATE_DEV ) ) {
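Review bot: A caller that sets `Shell::NO_EXECVE` without `Shell::SECCOMP` now gets no `--seccomp` option at all, because `execve` is only emitted inside `if ( $useSeccomp )`; on the old side that combination produced `--seccomp=execve`. The command would then run with `--shell=none` but without the execve filter it asked for, and nothing reports the dropped restriction. Whether that combination is reachable cannot be seen from this hunk; if it is, add `$useSeccomp = true;` inside the `NO_EXECVE` branch, which per the comment added here would also enable the default list. The enclosing method starts and ends outside the hunk.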