X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2Fshell%2FFirejailCommand.php;h=0338b5325eebebd645d2f7a077fda76213d0b3b0;hb=416975c3ac1bf838369846c2ba2e3217edcde2cb;hp=79f679d87bdcdcc87a87c8805fc8aeb4c2a05893;hpb=2443406d3765e31dc734ea74985420773940c37d;p=lhc%2Fweb%2Fwiklou.git

diff --git a/includes/shell/FirejailCommand.php b/includes/shell/FirejailCommand.php
index 79f679d87b..0338b5325e 100644
--- a/includes/shell/FirejailCommand.php
+++ b/includes/shell/FirejailCommand.php
@@ -59,10 +59,10 @@ class FirejailCommand extends Command {
 	/**
 	 * @inheritDoc
 	 */
-	protected function buildFinalCommand() {
+	protected function buildFinalCommand( $command ) {
 		// If there are no restrictions, don't use firejail
 		if ( $this->restrictions === 0 ) {
-			return parent::buildFinalCommand();
+			return parent::buildFinalCommand( $command );
 		}
 
 		if ( $this->firejail === false ) {
@@ -122,6 +122,10 @@ class FirejailCommand extends Command {
 
 		if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
 			$seccomp[] = 'execve';
+			// Normally firejail will run commands in a bash shell,
+			// but that won't work if we ban the execve syscall, so
+			// run the command without a shell.
+			$cmd[] = '--shell=none';
 		}
 
 		if ( $seccomp ) {
@@ -136,11 +140,10 @@ class FirejailCommand extends Command {
 			$cmd[] = '--net=none';
 		}
 
-		list( $fullCommand, $useLogPipe ) = parent::buildFinalCommand();
-
 		$builtCmd = implode( ' ', $cmd );
 
-		return [ "$builtCmd -- $fullCommand", $useLogPipe ];
+		// Prefix the firejail command in front of the wanted command
+		return parent::buildFinalCommand( "$builtCmd -- {$command}" );
 	}
 
 }