Ebe123 has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/370306 )

Change subject: Run lilypond from inside firejail
......................................................................

Run lilypond from inside firejail

Firejail prevents the execution of malicious code and is used by
Wikimedia when running commands such as `convert`. This change
replaces the current line of defence in Lilypond code, of which used
the `-dsafe` argument, with Firejail.

A new global: `$wgScoreFirejail` has been created for Firejail's path,
and a profile (based on puppet's) was added to the extension.

This change resolves T171372 and its subtasks, even though the subtasks
appear to be unrelated. They were nonetheless all caused by the very
restrictive `safe` argument, which Firejail supersedes.

Bug: T171372
Bug: T54883
Bug: T60526
Bug: T161293
Change-Id: I926fbe6b31b7ef95a0994c6a460972e46a07b4ae
---
M README
M Score.body.php
M Score.hooks.php
M extension.json
A firejail.profile
5 files changed, 56 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/Score 
refs/changes/06/370306/1

diff --git a/README b/README
index bece82e..b5a5d6a 100644
--- a/README
+++ b/README
@@ -33,6 +33,8 @@
 5. Add the lines
 
    require_once("$IP/extensions/Score/Score.php");
+   $wgScoreFirejail = '/path/to/your/firejail/executable'; /* required for
+                                                              security */
    $wgScoreLilyPond = '/path/to/your/lilypond/executable'; /* required */
    $wgScoreAbc2Ly = '/path/to/your/abc2ly/executable'; /* if you want ABC to
                                                           LilyPond conversion 
*/
diff --git a/Score.body.php b/Score.body.php
index 0a6517f..2c01986 100644
--- a/Score.body.php
+++ b/Score.body.php
@@ -517,10 +517,14 @@
         * @throws ScoreException on error.
         */
        private static function generatePngAndMidi( $code, $options, &$metaData 
) {
-               global $wgScoreLilyPond, $wgScoreTrim;
+               global $wgScoreLilyPond, $wgScoreFirejail, $wgScoreTrim;
 
                if ( !is_executable( $wgScoreLilyPond ) ) {
                        throw new ScoreException( wfMessage( 
'score-notexecutable', $wgScoreLilyPond ) );
+               }
+
+               if ( !is_executable( $wgScoreFirejail ) ) {
+                       throw new ScoreException( wfMessage( 
'score-notexecutable', $wgScoreFirejail ) );
                }
 
                /* Create the working environment */
@@ -564,8 +568,9 @@
                // probably won't do anything.
                $env = [ 'LILYPOND_GC_YIELD' => '25' ];
 
-               $cmd = wfEscapeShellArg( $wgScoreLilyPond )
-                       . ' ' . wfEscapeShellArg( '-dsafe=#t' )
+               $cmd = wfEscapeShellArg( $wgScoreFirejail ) // Setup Firejail
+                       . ' --profile=' . wfEscapeShellArg( __DIR__ ) . 
'/firejail.profile '
+                       . wfEscapeShellArg( $wgScoreLilyPond )
                        . ' -dmidi-extension=midi' // midi needed for Windows 
to generate the file
                        . ' -dbackend=ps --png --header=texidoc '
                        . wfEscapeShellArg( $factoryLy )
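Review bot: With `-dsafe=#t` dropped, the profile named on the `--profile=` line is the only boundary left around the Scheme embedded in user scores, and that profile (firejail.profile in this change) is a deny-list of a few paths plus privilege/network restrictions, so the MediaWiki tree and its configuration remain readable from inside the sandbox. Before this becomes the sole defence the profile or this command line should also confine filesystem access (firejail's `read-only` / `whitelist` directives), and the `// Setup Firejail` comment should say why: `// Firejail replaces -dsafe=#t (too restrictive, T171372); the profile in __DIR__ is now the only confinement of LilyPond's Scheme`. The `is_executable( $wgScoreFirejail )` gate added in the first hunk of this file is repeated verbatim in ScoreHooks::getFJVersion; a shared helper would keep the two checks and their error message in step. generatePngAndMidi continues past the end of this hunk.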
diff --git a/Score.hooks.php b/Score.hooks.php
index 855a7b4..f36d17c 100644
--- a/Score.hooks.php
+++ b/Score.hooks.php
@@ -18,8 +18,24 @@
        public static function onSoftwareInfo( array &$software ) {
                try {
                        $software[ '[http://lilypond.org/ LilyPond]' ] = 
Score::getLilypondVersion();
+                       $software[ '[https://firejail.wordpress.com/ Firejail]' 
] = self::getFJVersion();
                } catch ( ScoreException $ex ) {
                        // LilyPond executable can't found
                }
        }
+
+       private static function getFJVersion() {
+               global $wgScoreFirejail;
+
+               if ( !is_executable( $wgScoreFirejail ) ) {
+                       throw new ScoreException( wfMessage( 
'score-notexecutable', $wgScoreFirejail ) );
+               }
+
+               $cmd = wfEscapeShellArg( $wgScoreFirejail ) . ' --version 2>&1';
+               $output = wfShellExec( $cmd, $rc );
+               if ( $rc != 0 ) {
+                       self::throwCallException( wfMessage( 'score-versionerr' 
), $output );
+               }
+               return sscanf( $output, 'firejail version %s' )[0];
+       }
 }
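Review bot: `self::throwCallException` on the `$rc != 0` branch resolves against this hooks class, while the version call above goes through `Score::getLilypondVersion()`; if that helper lives on `Score` rather than here (the class header is outside the hunk), a non-zero exit becomes an undefined-method fatal that the `catch ( ScoreException $ex )` in onSoftwareInfo cannot intercept, so the software-info page breaks instead of merely omitting the Firejail row. The success path is fragile too: `sscanf( $output, 'firejail version %s' )[0]` is null whenever the first line of the output does not match, and `2>&1` folds any stderr text into that same string. Both are covered by `if ( $rc != 0 || sscanf( $output, 'firejail version %s', $version ) !== 1 ) { Score::throwCallException( wfMessage( 'score-versionerr' ), $output ); } return $version;` with the helper's actual owner substituted and its visibility checked. The existing catch comment `// LilyPond executable can't found` should now read `// LilyPond or Firejail executable can't be found`.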
diff --git a/extension.json b/extension.json
index f585433..d37b58c 100644
--- a/extension.json
+++ b/extension.json
@@ -68,6 +68,7 @@
        },
        "config": {
                "ScoreTrim": null,
+               "ScoreFirejail": "/usr/bin/firejail",
                "ScoreLilyPond": "/usr/bin/lilypond",
                "ScoreAbc2Ly": "/usr/bin/abc2ly",
                "ScoreTimidity": "/usr/bin/timidity",
diff --git a/firejail.profile b/firejail.profile
new file mode 100644
index 0000000..b0431c8
--- /dev/null
+++ b/firejail.profile
@@ -0,0 +1,29 @@
+# Taken from 
wikimedia-puppet/modules/mediawiki/files/mediawiki-converters.profile
+
+# system directories
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
+
+# system management
+blacklist ${PATH}/umount
+blacklist ${PATH}/mount
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/xinput
+blacklist ${PATH}/evtest
+blacklist ${PATH}/xev
+blacklist ${PATH}/strace
+blacklist ${PATH}/nc
+blacklist ${PATH}/ncat
+
+blacklist /etc/shadow
+blacklist /etc/ssh
+blacklist /root
+blacklist /home
+noroot
+caps.drop all
+seccomp
+net none
+private-dev
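Review bot: The profile is a pure deny-list (`blacklist` lines plus `noroot`, `caps.drop all`, `seccomp`, `net none`, `private-dev`), so every path not listed stays visible and writable to the sandboxed process; the first-line comment says it was copied from a converters profile, and LilyPond without `-dsafe` evaluates arbitrary Guile from the score, which is a different threat model from an image converter. An allow-list (`whitelist` entries for the LilyPond installation and the working directory, or `read-only` for everything else) would make the confinement positive rather than reactive, and the list should be reviewed against what LilyPond actually needs rather than inherited. The header should record the profile's role: `# Sole sandbox for lilypond now that -dsafe is no longer passed (T171372); only the paths below are hidden, everything else stays readable`.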


Gerrit-MessageType: newchange
Gerrit-Change-Id: I926fbe6b31b7ef95a0994c6a460972e46a07b4ae
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/extensions/Score
Gerrit-Branch: master
Gerrit-Owner: Ebe123 <beauleetien...@gmail.com>
