From a44c2b62ca05d049351f1b20b2658c5559ae920a Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Mon, 26 Feb 2018 13:40:27 -0800
Subject: [PATCH] shell: Don't use --seccomp=@default for firejail < 0.9.50 support

Just using a plain `--seccomp` automatically enables the default list.

Bug: T183680
Change-Id: I623db943eeb5c3e9d4f7a553fb6a17a60d659dce
---
 includes/shell/FirejailCommand.php | 18 ++++++++++--------
 .../includes/shell/FirejailCommandTest.php | 6 +++---
 2 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/includes/shell/FirejailCommand.php b/includes/shell/FirejailCommand.php
index a71b376389..d8189304cb 100644
--- a/includes/shell/FirejailCommand.php
+++ b/includes/shell/FirejailCommand.php
@@ -123,22 +123,24 @@ class FirejailCommand extends Command {
 $cmd[] = '--noroot';
 }
 
- $seccomp = [];
-
- if ( $this->hasRestriction( Shell::SECCOMP ) ) {
- $seccomp[] = '@default';
- }
+ $useSeccomp = $this->hasRestriction( Shell::SECCOMP );
+ $extraSeccomp = [];
 
 if ( $this->hasRestriction( Shell::NO_EXECVE ) ) {
- $seccomp[] = 'execve';
+ $extraSeccomp[] = 'execve';
 // Normally firejail will run commands in a bash shell,
 // but that won't work if we ban the execve syscall, so
 // run the command without a shell.
 $cmd[] = '--shell=none';
 }
 
- if ( $seccomp ) {
- $cmd[] = '--seccomp=' . implode( ',', $seccomp );
+ if ( $useSeccomp ) {
+ $seccomp = '--seccomp';
+ if ( $extraSeccomp ) {
+ // The "@default" seccomp group will always be enabled
+ $seccomp .= '=' . implode( ',', $extraSeccomp );
+ }
+ $cmd[] = $seccomp;
 }
 
 if ( $this->hasRestriction( Shell::PRIVATE_DEV ) ) {
diff --git a/tests/phpunit/includes/shell/FirejailCommandTest.php b/tests/phpunit/includes/shell/FirejailCommandTest.php
index 199393c692..681c3dcda0 100644
--- a/tests/phpunit/includes/shell/FirejailCommandTest.php
+++ b/tests/phpunit/includes/shell/FirejailCommandTest.php
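Review bot: `Shell::NO_EXECVE` without `Shell::SECCOMP` no longer produces any seccomp argument, because `$extraSeccomp` is only consumed inside `if ( $useSeccomp )`; the command still gets `--shell=none` but execve is not filtered, whereas the removed code emitted `--seccomp=execve` in that case. A caller that requests only the execve ban would silently get a weaker sandbox with no error or log line. Changing the guard to `if ( $useSeccomp || $extraSeccomp ) {` restores the previous behaviour, and by the commit message's own reasoning the default list is then enabled alongside the extra syscall. As far as the hunks show, the data provider in FirejailCommandTest.php only covers NO_EXECVE combined with SECCOMP, so a case for `Shell::NO_EXECVE` alone would pin this. The enclosing method starts and ends outside the hunk.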
@@ -34,7 +34,7 @@ class FirejailCommandTest extends PHPUnit\Framework\TestCase {
 $limit = "/bin/bash '$IP/includes/shell/limit.sh'";
 $profile = "--profile=$IP/includes/shell/firejail.profile";
 $blacklist = '--blacklist=' . realpath( MW_CONFIG_FILE );
- $default = "$blacklist --noroot --seccomp=@default --private-dev";
+ $default = "$blacklist --noroot --seccomp --private-dev";
 return [
 [
 'No restrictions',
@@ -58,12 +58,12 @@ class FirejailCommandTest extends PHPUnit\Framework\TestCase {
 [
 'seccomp',
 'ls', Shell::SECCOMP,
- "$limit 'firejail --quiet $profile --seccomp=@default -- '\''ls'\''' $env"
+ "$limit 'firejail --quiet $profile --seccomp -- '\''ls'\''' $env"
 ],
 [
 'seccomp & no execve',
 'ls', Shell::SECCOMP | Shell::NO_EXECVE,
- "$limit 'firejail --quiet $profile --shell=none --seccomp=@default,execve -- '\''ls'\''' $env"
+ "$limit 'firejail --quiet $profile --shell=none --seccomp=execve -- '\''ls'\''' $env"
 ],
 ];
 }
-- 
2.20.1