Page MenuHomePhabricator

Command::whitelistPaths() with firejail doesn't work exactly as expected
Open, Needs TriagePublic


The expectation of Command::whitelistPaths() is that you pass just the files you want, and everything else is invisible inside the firejail. The problem is that this behavior really depends on how MediaWiki is set up, and where it is set up.

$ man firejail
              Whitelist directory or file. A temporary file system is mounted
              on the top directory, and  the  whitelisted  files  are  mount-
              binded  inside.  Modifications to whitelisted files are persis‐
              tent, everything else is discarded when the sandbox is  closed.
              The top directory could be user home, /dev, /media, /mnt, /opt,
              /srv, /var, and /tmp.

When firejail gets --whitelist=/srv/mediawiki/core/includes/shell/, it will hide everything in /srv except for the whitelisted file. Except it leaves anything outside of /srv fully accessible.

Consider the file structure of the Debian package, MediaWiki is in /usr/share/mediawiki, so all of that will get hidden, but /etc/mediawiki/LocalSettings.php with your database password will be fully visible (mitigated by T182484).

Note that firejail prevents you from shooting yourself in the foot, so if you try --whitelist=/usr/share/mediawiki/..., it will make sure that /usr/bin/, /usr/lib , etc. are still available (it only hides /usr/share). But that means that if you are shelling out to something that depends upon fonts (texvc, lilypond, ...), which are located in /usr/share/fonts/... you're out of luck.