MediaWiki can run various external binaries for varying reasons. Some, but not all, of these are secured in firejails/similar.
We should audit these, and move to securing them all as appropriate.
We can fix all these, but I think the best mid-term solution would be to implement support for contained execution on the MediaWiki end. I also spoke about this with @Bawolff at Wikimania and have just created
https://phabricator.wikimedia.org/T173370 for this. Comments welcome, I can help with all the bits on the firejail end.
Other candidates...
Can we make this task public? With firejail support in core now, most of these will go through MediaWiki code review now. And there are quite a few binaries missing from here, e.g. pygments, diff, ...
https://gerrit.wikimedia.org/r/397606 - shell: Add debug logging to find binaries that aren't being restricted
There is no point in working on firejail profiles given we've introduced shellbox in the meantime.