shell: Don't use --seccomp=@default for firejail < 0.9.50 support
authorKunal Mehta <legoktm@member.fsf.org>
Mon, 26 Feb 2018 21:40:27 +0000 (13:40 -0800)
committerKunal Mehta <legoktm@member.fsf.org>
Mon, 26 Feb 2018 22:11:42 +0000 (14:11 -0800)
Just using a plain `--seccomp` automatically enables the default list.

Bug: T183680
Change-Id: I623db943eeb5c3e9d4f7a553fb6a17a60d659dce

includes/shell/FirejailCommand.php
tests/phpunit/includes/shell/FirejailCommandTest.php

index a71b376..d818930 100644 (file)
@@ -123,22 +123,24 @@ class FirejailCommand extends Command {
                        $cmd[] = '--noroot';
                }
 
-               $seccomp = [];
-
-               if ( $this->hasRestriction( Shell::SECCOMP ) ) {
-                       $seccomp[] = '@default';
-               }
+               $useSeccomp = $this->hasRestriction( Shell::SECCOMP );
+               $extraSeccomp = [];
 
                if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
-                       $seccomp[] = 'execve';
+                       $extraSeccomp[] = 'execve';
                        // Normally firejail will run commands in a bash shell,
                        // but that won't work if we ban the execve syscall, so
                        // run the command without a shell.
                        $cmd[] = '--shell=none';
                }
 
-               if ( $seccomp ) {
-                       $cmd[] = '--seccomp=' . implode( ',', $seccomp );
+               if ( $useSeccomp ) {
+                       $seccomp = '--seccomp';
+                       if ( $extraSeccomp ) {
+                               // The "@default" seccomp group will always be enabled
+                               $seccomp .= '=' . implode( ',', $extraSeccomp );
+                       }
+                       $cmd[] = $seccomp;
                }
 
                if ( $this->hasRestriction( Shell::PRIVATE_DEV ) ) {
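Review bot: At `if ( $useSeccomp ) {` the seccomp argument is now emitted only when Shell::SECCOMP is set, so a caller that requests Shell::NO_EXECVE on its own still gets `--shell=none` but no `--seccomp=execve`, and the execve ban is dropped silently. Before this change a non-empty syscall list was enough to emit the flag. If the two restrictions are meant to be independent (the flag definitions are outside this hunk), the guard should read `if ( $useSeccomp || $extraSeccomp ) {`; going by the added comment, firejail would then also apply the default list, which is the stricter outcome. The data provider in FirejailCommandTest.php has no NO_EXECVE-only row, so neither behaviour is pinned by a test. The enclosing method starts and ends outside the hunk.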
index 199393c..681c3dc 100644 (file)
@@ -34,7 +34,7 @@ class FirejailCommandTest extends PHPUnit\Framework\TestCase {
                $limit = "/bin/bash '$IP/includes/shell/limit.sh'";
                $profile = "--profile=$IP/includes/shell/firejail.profile";
                $blacklist = '--blacklist=' . realpath( MW_CONFIG_FILE );
-               $default = "$blacklist --noroot --seccomp=@default --private-dev";
+               $default = "$blacklist --noroot --seccomp --private-dev";
                return [
                        [
                                'No restrictions',
@@ -58,12 +58,12 @@ class FirejailCommandTest extends PHPUnit\Framework\TestCase {
                        [
                                'seccomp',
                                'ls', Shell::SECCOMP,
-                               "$limit 'firejail --quiet $profile --seccomp=@default -- '\''ls'\''' $env"
+                               "$limit 'firejail --quiet $profile --seccomp -- '\''ls'\''' $env"
                        ],
                        [
                                'seccomp & no execve',
                                'ls', Shell::SECCOMP | Shell::NO_EXECVE,
-                               "$limit 'firejail --quiet $profile --shell=none --seccomp=@default,execve -- '\''ls'\''' $env"
+                               "$limit 'firejail --quiet $profile --shell=none --seccomp=execve -- '\''ls'\''' $env"
                        ],
                ];
        }