Ebe123 has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/370306 )
Change subject: Run lilypond from inside firejail ...................................................................... Run lilypond from inside firejail Firejail prevents the execution of malicious code and is used by Wikimedia when running commands such as `convert`. This change replaces the current line of defence in Lilypond code, of which used the `-dsafe` argument, with Firejail. A new global: `$wgScoreFirejail` has been created for Firejail's path, and a profile (based on puppet's) was added to the extension. This change resolves T171372 and its subtasks, even though the subtasks appear to be unrelated. The were nonetheless all caused by the very restrictive `safe` argument, of which Firejail supercedes. Bug: T171372 Bug: T54883 Bug: T60526 Bug: T161293 Change-Id: I926fbe6b31b7ef95a0994c6a460972e46a07b4ae --- M README M Score.body.php M Score.hooks.php M extension.json A firejail.profile 5 files changed, 56 insertions(+), 3 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/extensions/Score refs/changes/06/370306/1 diff --git a/README b/README index bece82e..b5a5d6a 100644 --- a/README +++ b/README @@ -33,6 +33,8 @@ 5. Add the lines require_once("$IP/extensions/Score/Score.php"); + $wgScoreFirejail = '/path/to/your/firejail/executable'; /* required for + security */ $wgScoreLilyPond = '/path/to/your/lilypond/executable'; /* required */ $wgScoreAbc2Ly = '/path/to/your/abc2ly/executable'; /* if you want ABC to LilyPond conversion */ diff --git a/Score.body.php b/Score.body.php index 0a6517f..2c01986 100644 --- a/Score.body.php +++ b/Score.body.php 
@@ -517,10 +517,14 @@
 * @throws ScoreException on error.
 */
 private static function generatePngAndMidi( $code, $options, &$metaData ) {
- global $wgScoreLilyPond, $wgScoreTrim;
+ global $wgScoreLilyPond, $wgScoreFirejail, $wgScoreTrim;
 
 if ( !is_executable( $wgScoreLilyPond ) ) {
 throw new ScoreException( wfMessage( 'score-notexecutable', $wgScoreLilyPond ) );
+ }
+
+ if ( !is_executable( $wgScoreFirejail ) ) {
+ throw new ScoreException( wfMessage( 'score-notexecutable', $wgScoreFirejail ) );
 }
 
 /* Create the working environment */
@@ -564,8 +568,9 @@
 // probably won't do anything.
 $env = [ 'LILYPOND_GC_YIELD' => '25' ];
 
- $cmd = wfEscapeShellArg( $wgScoreLilyPond )
- . ' ' . wfEscapeShellArg( '-dsafe=#t' )
+ $cmd = wfEscapeShellArg( $wgScoreFirejail ) // Setup Firejail
+ . ' --profile=' . wfEscapeShellArg( __DIR__ ) . '/firejail.profile '
+ . wfEscapeShellArg( $wgScoreLilyPond )
 . ' -dmidi-extension=midi' // midi needed for Windows to generate the file
 . ' -dbackend=ps --png --header=texidoc '
 . wfEscapeShellArg( $factoryLy )
diff --git a/Score.hooks.php b/Score.hooks.php
index 855a7b4..f36d17c 100644
--- a/Score.hooks.php
+++ b/Score.hooks.php
@@ -18,8 +18,24 @@
 public static function onSoftwareInfo( array &$software ) {
 try {
 $software[ '[http://lilypond.org/ LilyPond]' ] = Score::getLilypondVersion();
+ $software[ '[https://firejail.wordpress.com/ Firejail]' ] = self::getFJVersion();
 } catch ( ScoreException $ex ) {
 // LilyPond executable can't found
 }
 }
+
+ private static function getFJVersion() {
+ global $wgScoreFirejail;
+
+ if ( !is_executable( $wgScoreFirejail ) ) {
+ throw new ScoreException( wfMessage( 'score-notexecutable', $wgScoreFirejail ) );
+ }
+
+ $cmd = wfEscapeShellArg( $wgScoreFirejail ) . ' --version 2>&1';
+ $output = wfShellExec( $cmd, $rc );
+ if ( $rc != 0 ) {
+ self::throwCallException( wfMessage( 'score-versionerr' ), $output );
+ }
+ return sscanf( $output, 'firejail version %s' )[0];
+ }
 }
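Review bot: The profile option in the new `$cmd` is only half-quoted: `wfEscapeShellArg( __DIR__ )` is escaped but the `/firejail.profile` suffix is appended outside the quotes, so the shell sees `--profile='…/Score'/firejail.profile`, which works only because adjacent quoted and unquoted words are concatenated and is fragile if the escaping ever changes (wfEscapeShellArg quotes differently on Windows). Escape the whole option as a single argument: `. ' ' . wfEscapeShellArg( '--profile=' . __DIR__ . '/firejail.profile' )`. Because dropping `-dsafe=#t` makes the jail the only restriction on the Scheme that user-supplied LilyPond input can embed, the inline comment should state that rather than `// Setup Firejail`; suggest `// Run LilyPond inside the Firejail sandbox; this replaces the former -dsafe=#t restriction, so the profile is the security boundary`. The rest of the command and the body of generatePngAndMidi continue outside the hunk.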
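Review bot: `sscanf( $output, 'firejail version %s' )[0]` in getFJVersion assumes the version line is the first thing on the merged stdout/stderr stream; when the text does not match, sscanf yields a null element (or -1 when the input is exhausted), so Special:Version would silently show an empty Firejail entry instead of raising 'score-versionerr'. Capture the result and check it before returning: `$parsed = sscanf( $output, 'firejail version %s' ); if ( !is_array( $parsed ) || $parsed[0] === null ) { self::throwCallException( wfMessage( 'score-versionerr' ), $output ); } return $parsed[0];`. `$rc != 0` is a loose comparison where `$rc !== 0` is what the integer exit status calls for, and the method would read better as getFirejailVersion next to getLilypondVersion. The catch comment `// LilyPond executable can't found` now also covers the Firejail probe; suggest `// LilyPond or Firejail executable can't be found`.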
diff --git a/extension.json b/extension.json
index f585433..d37b58c 100644
--- a/extension.json
+++ b/extension.json
@@ -68,6 +68,7 @@
 },
 "config": {
 "ScoreTrim": null,
+ "ScoreFirejail": "/usr/bin/firejail",
 "ScoreLilyPond": "/usr/bin/lilypond",
 "ScoreAbc2Ly": "/usr/bin/abc2ly",
 "ScoreTimidity": "/usr/bin/timidity",
diff --git a/firejail.profile b/firejail.profile
new file mode 100644
index 0000000..b0431c8
--- /dev/null
+++ b/firejail.profile
@@ -0,0 +1,29 @@
+# Taken from wikimedia-puppet/modules/mediawiki/files/mediawiki-converters.profile
+
+# system directories
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
+
+# system management
+blacklist ${PATH}/umount
+blacklist ${PATH}/mount
+blacklist ${PATH}/fusermount
+blacklist ${PATH}/su
+blacklist ${PATH}/sudo
+blacklist ${PATH}/xinput
+blacklist ${PATH}/evtest
+blacklist ${PATH}/xev
+blacklist ${PATH}/strace
+blacklist ${PATH}/nc
+blacklist ${PATH}/ncat
+
+blacklist /etc/shadow
+blacklist /etc/ssh
+blacklist /root
+blacklist /home
+noroot
+caps.drop all
+seccomp
+net none
+private-dev
-- To view, visit https://gerrit.wikimedia.org/r/370306 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I926fbe6b31b7ef95a0994c6a460972e46a07b4ae Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/extensions/Score Gerrit-Branch: master Gerrit-Owner: Ebe123 <beauleetien...@gmail.com> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
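Review bot: With `-dsafe=#t` removed, firejail.profile is the only boundary around the Scheme that user-supplied LilyPond input can embed, yet the profile is deny-list based: everything not listed (the rest of the filesystem, the web user's writable directories, a /tmp shared with other render jobs) stays reachable, and the `${PATH}` entries only cover the named binaries. Move toward an allow-list posture by adding `private-tmp`, `nonewprivs` and `nogroups`, and consider having the caller pass the job's working directory as a `whitelist` on the command line so only that directory is writable; whether the extension's own files or LilyPond's data live under /home should be verified before relying on `blacklist /home`. The `# Taken from …` header should record which revision of the puppet profile was copied so drift can be noticed later; suggest `# Copied from wikimedia-puppet modules/mediawiki/files/mediawiki-converters.profile at <puppet revision>; re-check when upstream changes.`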