X-Git-Url: https://git.heureux-cyclage.org/?a=blobdiff_plain;f=includes%2Fshell%2FFirejailCommand.php;h=a71b37638900ba035a40f61dbd1702826a10aa16;hb=818e93ed2b822cd9cbae25046d6e4ab55d999aee;hp=79f679d87bdcdcc87a87c8805fc8aeb4c2a05893;hpb=b4afa47225cc65d163cc1b9ccf1b51a1ecf42542;p=lhc%2Fweb%2Fwiklou.git

diff --git a/includes/shell/FirejailCommand.php b/includes/shell/FirejailCommand.php
index 79f679d87b..a71b376389 100644
--- a/includes/shell/FirejailCommand.php
+++ b/includes/shell/FirejailCommand.php
@@ -59,10 +59,15 @@ class FirejailCommand extends Command {
 	/**
 	 * @inheritDoc
 	 */
-	protected function buildFinalCommand() {
+	protected function buildFinalCommand( $command ) {
 		// If there are no restrictions, don't use firejail
 		if ( $this->restrictions === 0 ) {
-			return parent::buildFinalCommand();
+			$splitCommand = explode( ' ', $command, 2 );
+			$this->logger->debug(
+				"firejail: Command {$splitCommand[0]} {params} has no restrictions",
+				[ 'params' => isset( $splitCommand[1] ) ? $splitCommand[1] : '' ]
+			);
+			return parent::buildFinalCommand( $command );
 		}
 
 		if ( $this->firejail === false ) {
@@ -110,6 +115,10 @@ class FirejailCommand extends Command {
 			}
 		}
 
+		if ( $this->hasRestriction( Shell::NO_LOCALSETTINGS ) ) {
+			$cmd[] = '--blacklist=' . realpath( MW_CONFIG_FILE );
+		}
+
 		if ( $this->hasRestriction( Shell::NO_ROOT ) ) {
 			$cmd[] = '--noroot';
 		}
@@ -122,6 +131,10 @@ class FirejailCommand extends Command {
 
 		if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
 			$seccomp[] = 'execve';
+			// Normally firejail will run commands in a bash shell,
+			// but that won't work if we ban the execve syscall, so
+			// run the command without a shell.
+			$cmd[] = '--shell=none';
 		}
 
 		if ( $seccomp ) {
@@ -136,11 +149,10 @@ class FirejailCommand extends Command {
 			$cmd[] = '--net=none';
 		}
 
-		list( $fullCommand, $useLogPipe ) = parent::buildFinalCommand();
-
 		$builtCmd = implode( ' ', $cmd );
 
-		return [ "$builtCmd -- $fullCommand", $useLogPipe ];
+		// Prefix the firejail command in front of the wanted command
+		return parent::buildFinalCommand( "$builtCmd -- {$command}" );
 	}
 
 }