dépôts
/
lhc
/
web
/
wiklou.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
shell: Run firejail inside limit.sh, make NO_EXECVE work
[lhc/web/wiklou.git]
/
includes
/
shell
/
FirejailCommand.php
diff --git
a/includes/shell/FirejailCommand.php
b/includes/shell/FirejailCommand.php
index
79f679d
..
0338b53
100644
(file)
--- a/
includes/shell/FirejailCommand.php
+++ b/
includes/shell/FirejailCommand.php
@@
-59,10
+59,10
@@
class FirejailCommand extends Command {
/**
* @inheritDoc
*/
/**
* @inheritDoc
*/
- protected function buildFinalCommand() {
+ protected function buildFinalCommand(
$command
) {
// If there are no restrictions, don't use firejail
if ( $this->restrictions === 0 ) {
// If there are no restrictions, don't use firejail
if ( $this->restrictions === 0 ) {
- return parent::buildFinalCommand();
+ return parent::buildFinalCommand(
$command
);
}
if ( $this->firejail === false ) {
}
if ( $this->firejail === false ) {
@@
-122,6
+122,10
@@
class FirejailCommand extends Command {
if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
$seccomp[] = 'execve';
if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
$seccomp[] = 'execve';
+ // Normally firejail will run commands in a bash shell,
+ // but that won't work if we ban the execve syscall, so
+ // run the command without a shell.
+ $cmd[] = '--shell=none';
}
if ( $seccomp ) {
}
if ( $seccomp ) {
@@
-136,11
+140,10
@@
class FirejailCommand extends Command {
$cmd[] = '--net=none';
}
$cmd[] = '--net=none';
}
- list( $fullCommand, $useLogPipe ) = parent::buildFinalCommand();
-
$builtCmd = implode( ' ', $cmd );
$builtCmd = implode( ' ', $cmd );
- return [ "$builtCmd -- $fullCommand", $useLogPipe ];
+ // Prefix the firejail command in front of the wanted command
+ return parent::buildFinalCommand( "$builtCmd -- {$command}" );
}
}
}
}