From 1476429857b41eaf72f12a35002f7fc1647adb3e Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Thu, 7 Dec 2017 10:46:45 -0800
Subject: [PATCH] shell: Add NO_LOCALSETTINGS restriction

Most secret information like database passwords are kept in LocalSettings.php, so blacklisting that file by default would take away a lot of information an attacker would want. Since most commands shouldn't need to read the PHP configuration, add it to RESTRICT_DEFAULT. People can still use: $cmd->restrict( Shell::RESTRICT_DEFAULT & ~Shell::NO_LOCALSETTINGS ); if they need to still access LocalSettings.php

Bug: T182484
Change-Id: I4032e2706e808e9b819e92a06eff536ccf043388
---
 includes/shell/FirejailCommand.php | 4 ++++
 includes/shell/Shell.php | 11 +++++++++--
 tests/phpunit/includes/shell/FirejailCommandTest.php | 3 ++-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/includes/shell/FirejailCommand.php b/includes/shell/FirejailCommand.php
index 79f679d87b..68a1822f7a 100644
--- a/includes/shell/FirejailCommand.php
+++ b/includes/shell/FirejailCommand.php
@@ -110,6 +110,10 @@ class FirejailCommand extends Command {
 }
 }
 
+ if ( $this->hasRestriction( Shell::NO_LOCALSETTINGS ) ) {
+ $cmd[] = '--blacklist=' . realpath( MW_CONFIG_FILE );
+ }
+
 if ( $this->hasRestriction( Shell::NO_ROOT ) ) {
 $cmd[] = '--noroot';
 }
diff --git a/includes/shell/Shell.php b/includes/shell/Shell.php
index 084e10e793..05463dbf35 100644
--- a/includes/shell/Shell.php
+++ b/includes/shell/Shell.php
@@ -45,13 +45,13 @@ class Shell {
 * Apply a default set of restrictions for improved
 * security out of the box.
 *
- * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV
+ * Equal to NO_ROOT | SECCOMP | PRIVATE_DEV | NO_LOCALSETTINGS
 *
 * @note This value will change over time to provide increased security
 * by default, and is not guaranteed to be backwards-compatible.
 * @since 1.31
 */
- const RESTRICT_DEFAULT = 7;
+ const RESTRICT_DEFAULT = 39;
 
 /**
 * Disallow any root access. Any setuid binaries
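Review bot: `realpath( MW_CONFIG_FILE )` on the added line returns `false` when the path cannot be resolved, and the concatenation then turns that into a bare `--blacklist=` argument, so the restriction degrades silently instead of failing closed. Capturing the result and refusing to build the command when it is false keeps the default restriction honest: `$path = realpath( MW_CONFIG_FILE );` / `if ( $path === false ) { throw new RuntimeException( 'Cannot resolve MW_CONFIG_FILE for --blacklist' ); }` / `$cmd[] = '--blacklist=' . $path;`. Whether MW_CONFIG_FILE is always defined at the point this code runs is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.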
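Review bot: `const RESTRICT_DEFAULT = 39;` restates in a literal what the docblock line above spells out by name, so the two can drift apart the next time a flag is added. Writing it as `const RESTRICT_DEFAULT = self::NO_ROOT | self::SECCOMP | self::PRIVATE_DEV | self::NO_LOCALSETTINGS;` keeps the value derived from the flags; PHP evaluates class-constant expressions lazily, so referencing constants declared later in the class is fine. The docblock could also carry the opt-out the commit message gives, `$cmd->restrict( Shell::RESTRICT_DEFAULT & ~Shell::NO_LOCALSETTINGS )`, since callers that legitimately need the config file will look here first.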
@@ -92,6 +92,13 @@ class Shell {
 */
 const NO_EXECVE = 16;
 
+ /**
+ * Deny access to LocalSettings.php (MW_CONFIG_FILE)
+ *
+ * @since 1.31
+ */
+ const NO_LOCALSETTINGS = 32;
+
 /**
 * Returns a new instance of Command class
 *
diff --git a/tests/phpunit/includes/shell/FirejailCommandTest.php b/tests/phpunit/includes/shell/FirejailCommandTest.php
index c9db74f5f9..57d820e0d7 100644
--- a/tests/phpunit/includes/shell/FirejailCommandTest.php
+++ b/tests/phpunit/includes/shell/FirejailCommandTest.php
@@ -31,7 +31,8 @@ class FirejailCommandTest extends PHPUnit_Framework_TestCase {
 // @codingStandardsIgnoreEnd
 $limit = "$IP/includes/shell/limit.sh";
 $profile = "--profile=$IP/includes/shell/firejail.profile";
- $default = '--noroot --seccomp=@default --private-dev';
+ $blacklist = '--blacklist=' . realpath( MW_CONFIG_FILE );
+ $default = "$blacklist --noroot --seccomp=@default --private-dev";
 return [
 [
 'No restrictions',
-- 
2.20.1
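Review bot: The new NO_LOCALSETTINGS docblock says what is denied but not its scope or that it is on by default, which is what a caller hitting an unexpected read failure will need. I would extend it to say that the flag is included in RESTRICT_DEFAULT, that it appears to cover only the single path MW_CONFIG_FILE resolves to (any file LocalSettings.php itself includes is not covered by this flag), and how to clear it: `Shell::RESTRICT_DEFAULT & ~Shell::NO_LOCALSETTINGS`.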
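Review bot: The expected `$blacklist` in the test is built with the same `realpath( MW_CONFIG_FILE )` expression as the implementation, so if realpath returns false in the test environment both sides produce `--blacklist=` and the test passes without exercising the real path. Asserting the resolved path before building `$default`, e.g. `$this->assertNotFalse( realpath( MW_CONFIG_FILE ) );`, would make that failure visible. The enclosing method starts and ends outside the hunk.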