Page MenuHomePhabricator

Determine whether firejail shell restrictions can be enabled by default
Closed, ResolvedPublic


The new shell restriction framework was introduced as opt-in - you have to explicitly call $command->restrict( ... ) to enable it. MediaWiki generally follows a secure by default philosophy, and ideally these new restrictions should be enabled by default too, so developers don't need to remember to add them.

For purposes of migration to firejail it's much easier to do it one by one, which is why this is initially opt-in. But once all/most are restricted, we should evaluate whether we can enable this by default.

Questions to consider:

  • How many external commands are incompatible with Shell::RESTRICT_DEFAULT?
    • Is there anything else we can add to Shell::RESTRICT_DEFAULT?
  • How can commands opt-out of the default restrictions? (->disableRestrictions()?)
  • If something does break, is it possible for a sysadmin to work around it without disabling all of firejail or manually patching? (/etc/firejail/mediawiki.profile support)

Tagged as MW-1.31-release since if this happens, it should happen as part of 1.31.

Event Timeline

Change 402578 had a related patch set uploaded (by Legoktm; owner: MaxSem):
[mediawiki/core@master] WIP: add default shell restrictions

MaxSem claimed this task.

The above patch has been merged, so all executions using the new API are now restricted by default.