Page MenuHomePhabricator
Create Task
Maniphest T135111

Contain imagemagick on the image scalers with firejail
Closed, ResolvedPublic
Actions

Description

imagemagick is full of crusty old code, which was never written with security in mind. This task is about containing the scaling process with firejail.

Details

SubjectRepoBranchLines +/-
Reenable firejail wrapper for imagemagick's convertoperations/mediawiki-configmaster+1 -1
Provide the firejail containment for imagemagick's convert(1) on all app serversoperations/puppetproduction+22 -19
Add firejail profile and wrapper for ghostscriptoperations/puppetproduction+32 -0
Enable firejail for image scalingoperations/mediawiki-configmaster+1 -1
Provide a firejail profile for the image scalersoperations/puppetproduction+30 -0
WIP: Use firejail in image scalingoperations/mediawiki-configmaster+1 -1
Install firejail on image/video scalersoperations/puppetproduction+1 -0
Customize query in gerrit

Related Objects

Event Timeline

MoritzMuehlenhoff created this task.May 12 2016, 10:38 AM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald TranscriptMay 12 2016, 10:38 AM
MoritzMuehlenhoff claimed this task.May 12 2016, 10:38 AM
MoritzMuehlenhoff triaged this task as High priority.
gerritbot subscribed.May 12 2016, 12:58 PM

Change 288379 had a related patch set uploaded (by Muehlenhoff):
Install firejail von image/video scalers

https://gerrit.wikimedia.org/r/288379

gerritbot added a project: Patch-For-Review.May 12 2016, 12:58 PM
gerritbot added a comment.May 12 2016, 1:42 PM

Change 288390 had a related patch set uploaded (by Muehlenhoff):
WIP: Use firejail in image scaling

https://gerrit.wikimedia.org/r/288390

gerritbot added a comment.May 25 2016, 2:08 PM

Change 288379 merged by Muehlenhoff:
Install firejail on image/video scalers

https://gerrit.wikimedia.org/r/288379

Muehlenhoff mentioned this in rOPUP2d6c5d6b880f: Install firejail on image/video scalers.May 25 2016, 2:10 PM
gerritbot added a comment.May 25 2016, 2:29 PM

Change 290696 had a related patch set uploaded (by Muehlenhoff):
Provide a firejail profile for the image scalers

https://gerrit.wikimedia.org/r/290696

gerritbot added a comment.May 26 2016, 10:16 AM

Change 288390 abandoned by Muehlenhoff:
WIP: Use firejail in image scaling

Reason:
This will be handled differently: The current patch doesn't work with the way the scaler extension shells out. Also since other extensions also invoke convert(1) this is now going to be handled via a wrapper (which was tested successfully). The respective new changes are 290696 and 290909

https://gerrit.wikimedia.org/r/288390

gerritbot added a comment.May 27 2016, 7:04 AM

Change 290696 merged by Muehlenhoff:
Provide a firejail profile for the image scalers

https://gerrit.wikimedia.org/r/290696

Muehlenhoff mentioned this in rOPUP378f6463efb3: Provide a firejail profile for the image scalers.May 27 2016, 7:08 AM
gerritbot added a comment.May 27 2016, 9:38 AM

Change 291202 had a related patch set uploaded (by Muehlenhoff):
Enable firejail for image scaling

https://gerrit.wikimedia.org/r/291202

gerritbot added a comment.May 30 2016, 1:50 PM

Change 291202 merged by Muehlenhoff:
Enable firejail for image scaling

https://gerrit.wikimedia.org/r/291202

gerritbot added a comment.May 31 2016, 2:15 PM

Change 291924 had a related patch set uploaded (by Muehlenhoff):
Add firejail profile and wrapper for ghostscript

https://gerrit.wikimedia.org/r/291924

gerritbot added a comment.Jun 1 2016, 2:01 PM

Change 291924 merged by Muehlenhoff:
Add firejail profile and wrapper for ghostscript

https://gerrit.wikimedia.org/r/291924

Muehlenhoff mentioned this in rOPUP811faad18cf9: Add firejail profile and wrapper for ghostscript.Jun 1 2016, 2:06 PM
gerritbot added a comment.Jun 8 2016, 4:13 PM

Change 293328 had a related patch set uploaded (by Muehlenhoff):
Provide the firejail containment for imagemagick's convert(1) on all app servers

https://gerrit.wikimedia.org/r/293328

gerritbot added a comment.Jun 9 2016, 9:47 AM

Change 293328 merged by Muehlenhoff:
Provide the firejail containment for imagemagick's convert(1) on all app servers

https://gerrit.wikimedia.org/r/293328

Muehlenhoff mentioned this in rOPUP3fb3c17264f4: Provide the firejail containment for imagemagick's convert(1) on all app servers.Jun 9 2016, 9:48 AM
Muehlenhoff mentioned this in rOPUP74f226dd476d: Install firejail profile for convert.Jun 10 2016, 12:31 PM
gerritbot added a comment.Jun 15 2016, 10:17 AM

Change 294458 had a related patch set uploaded (by Muehlenhoff):
Reenable firejail wrapper for imagemagick's convert

https://gerrit.wikimedia.org/r/294458

gerritbot added a comment.Jun 15 2016, 10:45 AM

Change 294458 merged by Muehlenhoff:
Reenable firejail wrapper for imagemagick's convert

https://gerrit.wikimedia.org/r/294458

Muehlenhoff mentioned this in rOPUP8653d7115b57: Install firejail profile for convert.Jun 17 2016, 6:05 PM
Muehlenhoff mentioned this in rOPUP9d9feea1df57: Provide the firejail containment for imagemagick's convert(1) on all app servers.
Muehlenhoff mentioned this in rOPUPbd9563de9528: Provide the firejail containment for imagemagick's convert(1) on all app servers.
Muehlenhoff mentioned this in rOPUPa16f9792a7c8: Provide the firejail containment for imagemagick's convert(1) on all app servers.
Muehlenhoff mentioned this in rOPUP3fbbcc64c500: Add firejail profile and wrapper for ghostscript.
Muehlenhoff mentioned this in rOPUPed6ddbc11a0a: Add firejail profile and wrapper for ghostscript.
Muehlenhoff mentioned this in rOPUPed7b634a2805: Add firejail profile and wrapper for ghostscript.
Muehlenhoff mentioned this in rOPUPf95a596861d3: Provide a firejail profile for the image scalers.
Muehlenhoff mentioned this in rOPUPe6cb6629c388: Provide a firejail profile for the image scalers.Jun 17 2016, 6:08 PM
Muehlenhoff mentioned this in rOPUP05478b9594bf: Provide a firejail profile for the image scalers.
Muehlenhoff mentioned this in rOPUP91ff88e657ac: Provide a firejail profile for the image scalers.
Muehlenhoff mentioned this in rOPUPf5b694ff4b9a: Install firejail on image/video scalers.
akosiaris mentioned this in rOPUP05538c3d5be3: Install firejail on image/video scalers.Jun 17 2016, 6:09 PM
Muehlenhoff mentioned this in rOPUP4d8d6c717117: Install firejail von image/video scalers.Jun 17 2016, 6:09 PM
MoritzMuehlenhoff closed this task as Resolved.Jun 23 2016, 11:17 AM

This is enabled on the image scalers (and app servers for the Score extensions) since last week

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL