Page MenuHomePhabricator
Create Task
Maniphest T182489

The NO_EXECVE shell restriction doesn't work with firejail because of limit.sh
Closed, ResolvedPublic
Actions

Description

First, to get --seccomp=execve to even work, you also need to pass in --shell=none. Otherwise firejail will start a bash shell, and then execute the command in that...using the execve syscall. Not sure of the full impacts of disabling the shell, will it interfere with signal handling?

Regardless, because of limit.sh, we end up with:

km@km-pt:~$ firejail --quiet --profile=/srv/mediawiki/core/includes/shell/firejail.profile --blacklist=/srv/mediawiki/core/LocalSettings.php --noroot --seccomp=@default,execve --shell=none --net=none --debug --allow-debuggers -- /bin/bash '/srv/mediawiki/core/includes/shell/limit.sh' ''\''timidity'\'' '\''--version'\'' 'MW_INCLUDE_STDERR=;MW_CPU_LIMIT=180; MW_CGROUP='\'''\''; MW_MEM_LIMIT=307200; MW_FILE_SIZE_LIMIT=102400; MW_WALL_CLOCK_LIMIT=180; MW_USE_LOG_PIPE=yes' 
/srv/mediawiki/core/includes/shell/limit.sh: line 99:     5 Bad system call         'timidity' '--version' MW_INCLUDE_STDERR=

If we implemented T179021: Investigate using firejail to replace limits.sh if it's installed this problem would go away, but that requires a newer version of firejail.

Details

ProjectBranchLines +/-Subject
mediawiki/coremaster+21 -17shell: Run firejail inside limit.sh, make NO_EXECVE work
Customize query in gerrit

Related Objects

Event Timeline

Legoktm created this task.Dec 9 2017, 9:32 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 9 2017, 9:32 AM
Legoktm added a comment.Dec 9 2017, 9:40 AM

Another option...we could run firejail inside of limit.sh!

km@km-pt:~$ /bin/bash '/srv/mediawiki/core/includes/shell/limit.sh' '/usr/local/bin/firejail --quiet --profile=/srv/mediawiki/core/includes/shell/firejail.profile --noroot --seccomp=@default,execve --shell=none --net=none -- '\''/usr/bin/timidity'\'' '\''--version'\''' 'MW_INCLUDE_STDERR=1;MW_CPU_LIMIT=180; MW_CGROUP='\'''\''; MW_MEM_LIMIT=307200; MW_FILE_SIZE_LIMIT=102400; MW_WALL_CLOCK_LIMIT=180; MW_USE_LOG_PIPE=yes'
TiMidity++ version 2.13.2
gerritbot added a subscriber: gerritbot.Dec 9 2017, 10:11 AM

Change 396570 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/core@master] shell: Run firejail inside limit.sh, make NO_EXECVE work

https://gerrit.wikimedia.org/r/396570

gerritbot added a project: Patch-For-Review.Dec 9 2017, 10:11 AM
Legoktm added a comment.Dec 9 2017, 10:21 AM

With the above patch I tested using NO_EXECVE with both abc2ly and timidity in Score and it ran fine. (lilypond requires execve because of a weird wrapper script)

Legoktm mentioned this in T173370: Support restricted execution of external commands (via firejail).Dec 9 2017, 10:29 AM
Legoktm claimed this task.Dec 9 2017, 10:41 AM
Legoktm added a project: MediaWiki-Platform-Team (MWPT-Q2-Oct-Dec-2017).
Legoktm moved this task from Ready to In Progress on the MediaWiki-Platform-Team (MWPT-Q2-Oct-Dec-2017) board.
gerritbot added a comment.Dec 22 2017, 1:33 AM

Change 396570 merged by jenkins-bot:
[mediawiki/core@master] shell: Run firejail inside limit.sh, make NO_EXECVE work

https://gerrit.wikimedia.org/r/396570

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2018-01-02 (1.31.0-wmf.15)).Dec 22 2017, 2:00 AM
Legoktm closed this task as Resolved.Dec 22 2017, 6:47 AM
CCicalese_WMF moved this task from In Progress to Done on the MediaWiki-Platform-Team (MWPT-Q2-Oct-Dec-2017) board.Jan 2 2018, 3:42 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL