Merge "mediawiki.api.edit: Fix errors"
[lhc/web/wiklou.git] / includes / shell / FirejailCommand.php
index 79f679d..a71b376 100644 (file)
@@ -59,10 +59,15 @@ class FirejailCommand extends Command {
        /**
         * @inheritDoc
         */
-       protected function buildFinalCommand() {
+       protected function buildFinalCommand( $command ) {
                // If there are no restrictions, don't use firejail
                if ( $this->restrictions === 0 ) {
-                       return parent::buildFinalCommand();
+                       $splitCommand = explode( ' ', $command, 2 );
+                       $this->logger->debug(
+                               "firejail: Command {$splitCommand[0]} {params} has no restrictions",
+                               [ 'params' => isset( $splitCommand[1] ) ? $splitCommand[1] : '' ]
+                       );
+                       return parent::buildFinalCommand( $command );
                }
 
                if ( $this->firejail === false ) {
@@ -110,6 +115,10 @@ class FirejailCommand extends Command {
                        }
                }
 
+               if ( $this->hasRestriction( Shell::NO_LOCALSETTINGS ) ) {
+                       $cmd[] = '--blacklist=' . realpath( MW_CONFIG_FILE );
+               }
+
                if ( $this->hasRestriction( Shell::NO_ROOT ) ) {
                        $cmd[] = '--noroot';
                }
@@ -122,6 +131,10 @@ class FirejailCommand extends Command {
 
                if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
                        $seccomp[] = 'execve';
+                       // Normally firejail will run commands in a bash shell,
+                       // but that won't work if we ban the execve syscall, so
+                       // run the command without a shell.
+                       $cmd[] = '--shell=none';
                }
 
                if ( $seccomp ) {
@@ -136,11 +149,10 @@ class FirejailCommand extends Command {
                        $cmd[] = '--net=none';
                }
 
-               list( $fullCommand, $useLogPipe ) = parent::buildFinalCommand();
-
                $builtCmd = implode( ' ', $cmd );
 
-               return [ "$builtCmd -- $fullCommand", $useLogPipe ];
+               // Prefix the firejail command in front of the wanted command
+               return parent::buildFinalCommand( "$builtCmd -- {$command}" );
        }
 
 }