JanZerebecki has uploaded a new change for review.
https://gerrit.wikimedia.org/r/293515
Change subject: services firejail: make fs blacklist more obvious
......................................................................
services firejail: make fs blacklist more obvious
Don't end in /* and anchor path blacklist at /.
Change-Id: I0407986defbc038ba6ab9bd86e4d4abfdd23298c
---
M modules/service/templates/initscripts/node.systemd.erb
M modules/service/templates/initscripts/node.upstart.erb
M modules/zotero/templates/upstart.erb
3 files changed, 3 insertions(+), 3 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/15/293515/1
diff --git a/modules/service/templates/initscripts/node.systemd.erb
b/modules/service/templates/initscripts/node.systemd.erb
index 7679f08..f4204e8 100644
--- a/modules/service/templates/initscripts/node.systemd.erb
+++ b/modules/service/templates/initscripts/node.systemd.erb
@@ -18,7 +18,7 @@
# wait 60 seconds for a graceful restart before killing the master
TimeoutStopSec=60
WorkingDirectory=/srv/deployment/<%= @repo %>
-ExecStart=/usr/bin/firejail --blacklist=root --blacklist=/home/* --tmpfs=/tmp
--caps --seccomp /usr/bin/nodejs <%= @starter_script %> -c /etc/<%= @title
%>/config.yaml
+ExecStart=/usr/bin/firejail --blacklist=/root --blacklist=/home --tmpfs=/tmp
--caps --seccomp /usr/bin/nodejs <%= @starter_script %> -c /etc/<%= @title
%>/config.yaml
[Install]
WantedBy=multi-user.target
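Review bot: the old `--blacklist=root` was a relative path, so whether /root was actually hidden from the sandbox depended on how firejail resolved it; this hunk is therefore a functional fix, not just a cosmetic one, and the commit subject "make fs blacklist more obvious" undersells it. Also note that `--blacklist=/home` hides the directory itself rather than its entries, which is stricter than the old `/home/*`; that is fine given `WorkingDirectory=/srv/deployment/<%= @repo %>` and the config under `/etc/<%= @title %>/`, but worth confirming nothing the node service reads lives under /home.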
diff --git a/modules/service/templates/initscripts/node.upstart.erb
b/modules/service/templates/initscripts/node.upstart.erb
index 04e6f7e..af0a339 100644
--- a/modules/service/templates/initscripts/node.upstart.erb
+++ b/modules/service/templates/initscripts/node.upstart.erb
@@ -23,4 +23,4 @@
kill timeout 60
chdir /srv/deployment/<%= @repo %>
-exec /usr/bin/firejail --blacklist=root --blacklist=/home/* --tmpfs=/tmp
--caps --seccomp /usr/bin/nodejs <%= @starter_script %> -c /etc/<%= @title
%>/config.yaml
+exec /usr/bin/firejail --blacklist=/root --blacklist=/home --tmpfs=/tmp --caps
--seccomp /usr/bin/nodejs <%= @starter_script %> -c /etc/<%= @title
%>/config.yaml
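Review bot: this is the same firejail command line as in node.systemd.erb, so the flag list `--blacklist=/root --blacklist=/home --tmpfs=/tmp --caps --seccomp` now exists in two copies (three with the zotero template, which had already drifted to a different `/root/` spelling); consider putting it in one template variable so the init variants cannot diverge again.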
diff --git a/modules/zotero/templates/upstart.erb
b/modules/zotero/templates/upstart.erb
index efc10d8..a5ffcaa 100644
--- a/modules/zotero/templates/upstart.erb
+++ b/modules/zotero/templates/upstart.erb
@@ -17,7 +17,7 @@
# wait 60 seconds for a graceful restart before killing the master
kill timeout 60
-exec /usr/bin/firejail --blacklist=/root/ --blacklist=/home/* --tmpfs=/tmp
--caps --seccomp \
+exec /usr/bin/firejail --blacklist=/root --blacklist=/home --tmpfs=/tmp --caps
--seccomp \
/usr/lib/xulrunner-devel-24.0/sdk/bin/xpcshell
\
-g /usr/lib/xulrunner-24.0/
\
-a /srv/deployment/zotero/translation-server
\
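Review bot: dropping the trailing slash on `/root/` brings this template in line with the node ones, good. What this hunk leaves as is: the blacklist still covers only /root and /home, while xpcshell is pointed at `-a /srv/deployment/zotero/translation-server`; if the rest of /srv/deployment holds other services' code and credentials, blacklisting those siblings (or using `--whitelist` on the one directory) would narrow the sandbox further, as a separate change.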
--
To view, visit https://gerrit.wikimedia.org/r/293515
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I0407986defbc038ba6ab9bd86e4d4abfdd23298c
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: JanZerebecki <[email protected]>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits