shell: Expand documentation in firejail.profile

author Kunal Mehta <legoktm@member.fsf.org>

Mon, 6 Jul 2020 19:58:16 +0000 (12:58 -0700)

committer Reedy <reedy@wikimedia.org>

Sat, 18 Jul 2020 03:10:29 +0000 (03:10 +0000)
author Kunal Mehta <legoktm@member.fsf.org>
Mon, 6 Jul 2020 19:58:16 +0000 (12:58 -0700)
committer Reedy <reedy@wikimedia.org>
Sat, 18 Jul 2020 03:10:29 +0000 (03:10 +0000)
diff --git a/includes/shell/firejail.profile b/includes/shell/firejail.profile

index 07f059b..d87d3ee 100644 (file)
--- a/includes/shell/firejail.profile
+++ b/includes/shell/firejail.profile
@@ -1,7 +1,16 @@
  # Firejail profile used by MediaWiki when shelling out
+# Most rules are applied via command-line flags controlled by the
+# Shell::RESTRICTION_* constants.
+# Rules added to this file must be compatible with every command that could
+# be invoked. If something might need to be disabled, then it should be added
+# as a Shell:RESTRICTION_* constant instead so that commands can opt-in/out.
+
  # See <https://firejail.wordpress.com/features-3/man-firejail-profile/> for
-# syntax documentation
-# Persistent local customizations
+# syntax documentation.
+
+# Optionally allow sysadmins to set extra restrictions that apply to their
+# MediaWiki setup, e.g. disallowing access to extra private directories.
  include /etc/firejail/mediawiki.local
-# Persistent global definitions
+
+# Include any global firejail customizations.
  include /etc/firejail/globals.local
author	Kunal Mehta <legoktm@member.fsf.org>
	Mon, 6 Jul 2020 19:58:16 +0000 (12:58 -0700)
committer	Reedy <reedy@wikimedia.org>
	Sat, 18 Jul 2020 03:10:29 +0000 (03:10 +0000)