-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hi,
For a while now, Wikimedia has been restricting the different binaries that we shell out to (mostly image handling things) with firejail[1]. This was done by hand, by writing wrapper scripts that invoked firejail and pointing MediaWiki at those "binaries". It was a pretty manual process, and other users of MediaWiki didn't benefit from any of the work that was being done.
With [2], it's now possible to have MediaWiki invoke firejail with restrictions specified in the code rather than configured separately. For example, I converted the Score extension[3] to use the new shell restrictions system.
There's more documentation available on-wiki[4]. You can test this out yourself by installing firejail, and by setting $wgShellRestrictionMethod = 'firejail';.
Note that firejail is a Linux-specific program, but the restriction framework itself is abstract enough that it's likely that support for other restriction software could be introduced.
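As an added illustration (not code from this post, from the Score extension, or from MediaWiki core), here is what an extension's shell-out looks like once the restrictions live in the code rather than in a wrapper script. It assumes a MediaWiki with the shell framework from [2] (1.31 or later), $wgShellRestrictionMethod = 'firejail' in LocalSettings.php, and the method names as documented in [4] at the time (Shell::command(), restrict(), whitelistPaths(), limits(), execute()); whitelistPaths() was later renamed allowPaths(), and the paths, size limits and log channel below are made up for the example.

```php
<?php
// Added example: run an image converter through MediaWiki's shell framework
// with restrictions declared in code. Not part of the original post.
use MediaWiki\Shell\Shell;

/**
 * Resize $src into $dst under a firejail sandbox and return the exit code.
 * Paths and limits here are constructed for the example.
 */
function convertThumbnail( string $src, string $dst ): int {
	// Each argument is escaped separately by the framework, so $src and $dst
	// are passed to the binary as-is and never interpreted by a shell.
	$result = Shell::command( 'convert', $src, '-resize', '200x200', $dst )
		// RESTRICT_DEFAULT covers NO_ROOT, SECCOMP, PRIVATE_DEV and
		// NO_LOCALSETTINGS (LocalSettings.php is hidden from the child).
		// Image conversion never needs a socket, so drop networking too.
		->restrict( Shell::RESTRICT_DEFAULT | Shell::NO_NETWORK )
		// Only the directories the tool must touch stay visible; the rest
		// of the web root is blacklisted by the firejail backend.
		->whitelistPaths( [ dirname( $src ), dirname( $dst ) ] )
		// Hypothetical resource caps: CPU seconds and memory in KB.
		->limits( [ 'time' => 30, 'memory' => 512 * 1024 ] )
		->execute();

	if ( $result->getExitCode() !== 0 ) {
		// Surface the sandboxed tool's stderr for operators without
		// exposing it to the requesting user.
		wfDebugLog( 'thumbnail', 'convert failed: ' . $result->getStderr() );
	}
	return $result->getExitCode();
}
```

The point of moving the restrictions here is that they travel with the code that knows what the binary needs: a converter gets a read-only view of its input directory and no network, and that choice is reviewed with the extension rather than living in an ops-only wrapper script. With $wgShellRestrictionMethod left unset, the same call still runs, just unsandboxed, which is why it's worth checking that the setting is actually active on the hosts that serve uploads.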
[1] https://firejail.wordpress.com/
[2] https://gerrit.wikimedia.org/r/#/c/384930/
[3] https://gerrit.wikimedia.org/r/#/c/393830/
[4] https://www.mediawiki.org/wiki/Manual:Shell_framework#Restrictions
-- 
Kunal / Legoktm
wikitech-l@lists.wikimedia.org