
The NO_EXECVE shell restriction doesn't work with firejail because of limit.sh
Closed, Resolved · Public

Description

First, to get --seccomp=execve to even work, you also need to pass in --shell=none. Otherwise firejail will start a bash shell and then execute the command in that... using the execve syscall. Not sure of the full impacts of disabling the shell; will it interfere with signal handling?

Regardless, because of limit.sh, we end up with:

km@km-pt:~$ firejail --quiet --profile=/srv/mediawiki/core/includes/shell/firejail.profile --blacklist=/srv/mediawiki/core/LocalSettings.php --noroot --seccomp=@default,execve --shell=none --net=none --debug --allow-debuggers -- /bin/bash '/srv/mediawiki/core/includes/shell/limit.sh' ''\''timidity'\'' '\''--version'\'' 'MW_INCLUDE_STDERR=;MW_CPU_LIMIT=180; MW_CGROUP='\'''\''; MW_MEM_LIMIT=307200; MW_FILE_SIZE_LIMIT=102400; MW_WALL_CLOCK_LIMIT=180; MW_USE_LOG_PIPE=yes' 
/srv/mediawiki/core/includes/shell/limit.sh: line 99:     5 Bad system call         'timidity' '--version' MW_INCLUDE_STDERR=

If we implemented T179021 (Investigate using firejail to replace limits.sh if it's installed), this problem would go away, but that requires a newer version of firejail.

Event Timeline

Legoktm created this task. Dec 9 2017, 9:32 AM
Restricted Application added a subscriber: Aklapper. Dec 9 2017, 9:32 AM

Another option...we could run firejail inside of limit.sh!

km@km-pt:~$ /bin/bash '/srv/mediawiki/core/includes/shell/limit.sh' '/usr/local/bin/firejail --quiet --profile=/srv/mediawiki/core/includes/shell/firejail.profile --noroot --seccomp=@default,execve --shell=none --net=none -- '\''/usr/bin/timidity'\'' '\''--version'\''' 'MW_INCLUDE_STDERR=1;MW_CPU_LIMIT=180; MW_CGROUP='\'''\''; MW_MEM_LIMIT=307200; MW_FILE_SIZE_LIMIT=102400; MW_WALL_CLOCK_LIMIT=180; MW_USE_LOG_PIPE=yes'
TiMidity++ version 2.13.2
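The mechanism behind the "Bad system call" in the description and the reason the reordering above works, as an added example that is not MediaWiki's or firejail's code: a raw seccomp-BPF filter that kills on execve is installed in a child, and the child then either behaves like limit.sh inside firejail (filter first, then execve of the real command, which dies with SIGSYS) or like the target started through --shell=none (the filter lands on the final program, which simply does its work). It assumes Linux with seccomp filter support and /bin/true present; the filter, function names and the "work" the child does are illustrative, and a production filter would also check seccomp_data.arch before trusting the syscall number.

```c
/* Added example, not code from MediaWiki or firejail: reproduce the
 * "Bad system call" failure with a raw seccomp-BPF filter.
 * Assumes Linux with CONFIG_SECCOMP_FILTER and that /bin/true exists.
 * Build: cc -Wall -o noexec_demo noexec_demo.c && ./noexec_demo */
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* older headers */
#endif
#ifndef __NR_execveat
#define __NR_execveat __NR_execve   /* older headers: second check is a harmless duplicate */
#endif

/* Approximation of what firejail's --seccomp=execve achieves: kill the
 * process on execve/execveat, allow every other syscall. A production
 * filter would first load and check seccomp_data.arch. */
static int install_no_execve_filter(void)
{
    struct sock_filter filter[] = {
        /* Load the syscall number into the accumulator. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* execve   -> jump 2 ahead to KILL, else fall through */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 2, 0),
        /* execveat -> jump 1 ahead to KILL, else fall through to ALLOW */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };
    /* An unprivileged process must set no_new_privs before installing a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork a child that installs the filter and then either execs (like bash
 * running limit.sh under firejail --seccomp=execve) or just does its own
 * work (like the target launched via --shell=none). Returns the signal
 * that killed the child, 0 if it exited with status 0, or -1 on error. */
static int run_child(int exec_after_filter)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_no_execve_filter() != 0)
            _exit(111);                         /* seccomp unavailable */
        if (exec_after_filter) {
            char *const argv[] = { "/bin/true", NULL };
            execve("/bin/true", argv, NULL);    /* filter fires: SIGSYS */
            _exit(112);                         /* only reached if execve failed */
        }
        /* Illustrative "work" of the already-exec'd sandboxed program. */
        char buf[8];
        snprintf(buf, sizeof buf, "done");
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

int main(void)
{
    printf("filter, then execve (limit.sh inside firejail): %s\n",
           run_child(1) == SIGSYS ? "killed by SIGSYS (Bad system call)" : "unexpected");
    printf("filter on the final program (--shell=none target): %s\n",
           run_child(0) == 0 ? "exited 0" : "unexpected");
    return 0;
}
```

The first case is exactly the description's failure: bash is the process that installed (inherited) the filter, and its first execve of the real command is what trips it. Putting limit.sh outside, so that its bash execs firejail unfiltered and firejail with --shell=none execs the target directly, leaves only the target under the filter, which is the second case.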

Change 396570 had a related patch set uploaded (by Legoktm; owner: Legoktm):
[mediawiki/core@master] shell: Run firejail inside limit.sh, make NO_EXECVE work

https://gerrit.wikimedia.org/r/396570

With the above patch I tested using NO_EXECVE with both abc2ly and timidity in Score and it ran fine. (lilypond requires execve because of a weird wrapper script)

Change 396570 merged by jenkins-bot:
[mediawiki/core@master] shell: Run firejail inside limit.sh, make NO_EXECVE work

https://gerrit.wikimedia.org/r/396570

Legoktm closed this task as Resolved. Dec 22 2017, 6:47 AM