From b3d5d684484953f902b863705af5d681b4a1191d Mon Sep 17 00:00:00 2001
From: Benedek Nagy
Date: Tue, 26 Apr 2022 21:03:07 +0000
Subject: [PATCH] mediawiki: Add stricter sandbox rules for jobrunner service

Tests:

- Run ./setup.py install and check that 'systemctl daemon-reload;
  systemctl show mediawiki-jobrunner.service' shows the required sandbox
  changes.
- Tested a few MediaWiki jobs.

See: https://salsa.debian.org/freedombox-team/freedombox/-/issues/299#note_306788

[sunil: Relax the restrictions on read/write paths and networking]

Signed-off-by: Sunil Mohan Adapa
Reviewed-by: Sunil Mohan Adapa
Tested-by: Sunil Mohan Adapa
---
 .../freedombox.conf | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 plinth/modules/mediawiki/data/usr/lib/systemd/system/mediawiki-jobrunner.service.d/freedombox.conf

diff --git a/plinth/modules/mediawiki/data/usr/lib/systemd/system/mediawiki-jobrunner.service.d/freedombox.conf b/plinth/modules/mediawiki/data/usr/lib/systemd/system/mediawiki-jobrunner.service.d/freedombox.conf
new file mode 100644
index 000000000..0c9fe63ce
--- /dev/null
+++ b/plinth/modules/mediawiki/data/usr/lib/systemd/system/mediawiki-jobrunner.service.d/freedombox.conf
@@ -0,0 +1,28 @@ +[Service] +CacheDirectory=mediawiki +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE CAP_SYS_PACCT CAP_SYS_TTY_CONFIG CAP_SYS_BOOT CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_SYS_NICE CAP_SYS_RESOURCE +DevicePolicy=closed +LockPersonality=yes +NoNewPrivileges=yes +PrivateMounts=yes +PrivateUsers=yes +ProtectControlGroups=yes +ProtectClock=yes +ProtectHome=yes +ProtectHostname=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectProc=invisible +ProtectSystem=strict +ReadWritePaths=/var/lib/mediawiki /var/lib/mediawiki-db +RemoveIPC=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictSUIDSGID=yes +RestrictRealtime=yes +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@resources +SystemCallFilter=~@privileged +SystemCallErrorNumber=EPERM
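Review bot: The `CapabilityBoundingSet=~...` deny-list in this hunk still leaves CAP_SYS_RAWIO and CAP_MKNOD in the bounding set, and nothing else in the drop-in removes them: `DevicePolicy=closed` only filters access to device nodes through the cgroup device controller and does not drop capabilities, and `PrivateDevices=` is not set. Since the jobrunner runs as an unprivileged user under `NoNewPrivileges=yes` and needs no capability at all, the empty allow-list form `CapabilityBoundingSet=` is both shorter and strictly tighter than enumerating what to drop; please replace the long deny-list with that single line. Secondly, `ProtectSystem=strict` mounts the whole hierarchy read-only except /dev, /proc and /sys, and the only writable exceptions here are `ReadWritePaths=/var/lib/mediawiki /var/lib/mediawiki-db` and `CacheDirectory=mediawiki`, so /tmp is read-only for the service; any job that writes temporary files (for example through PHP's sys_get_temp_dir()) will get EROFS, and the "Tested a few MediaWiki jobs" note in the commit message should say whether such a job was covered. Adding `PrivateTmp=yes` next to `CacheDirectory=mediawiki` gives the service its own writable, isolated /tmp without loosening `ProtectSystem=`.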