
Confine Graphoid with firejail
Closed, Resolved, Public

Description

The Graphoid instances running in production should be locked down as much as possible to avoid possible security issues caused by various penetration techniques. To that end, it should be firejail-ed.

Event Timeline

mobrovac assigned this task to MoritzMuehlenhoff.
mobrovac raised the priority of this task from to High.
mobrovac updated the task description.

@Yurik, could you provide a Graphoid URL that should return a valid PNG in deployment-prep so we can test?

Change 219801 had a related patch set uploaded (by Muehlenhoff):
Enable firejail for graphoid

https://gerrit.wikimedia.org/r/219801

Change 219801 merged by Muehlenhoff:
Enable firejail for graphoid

https://gerrit.wikimedia.org/r/219801

Firejail for Graphoid has been enabled in production on sca100[12].