remove firejail

2020-04-03 10:07:32 -07:00 · 2020-04-03 10:07:32 -07:00 · d5fc3ac344
--- a/5
+++ b/5
@ -9,13 +9,10 @@ RUN groupadd --gid 10001 app && \
 RUN apt-get update && \
    apt-get install -y \
      yasm libvpx-dev libgmp-dev git python build-essential opus-tools && \
-    git clone https://github.com/netblue30/firejail.git /app/firejail && \
-    cd /app/firejail && \
-    ./configure && make && make install-strip && \
    git clone https://github.com/FFmpeg/FFmpeg /app/ffmpeg && \
    cd /app/ffmpeg && git checkout release/3.4 && \
    ./configure  --enable-libvpx && make && make install && \
-    rm -rf /app/firejail && rm -rf /app/ffmpeg && \
+    rm -rf /app/ffmpeg && \
    apt remove -y libgmp-dev git python build-essential && \
    apt-get autoremove -y && \
    apt-get clean
--- a/opusdec.profile
+++ b/opusdec.profile
@ -1,24 +0,0 @@
-blacklist /usr/local/bin
-blacklist /usr/bin
-blacklist /bin
-blacklist /sbin
-blacklist /boot
-blacklist /media
-blacklist /mnt
-blacklist /opt
-blacklist /var
-blacklist /tmp
-blacklist /home
-blacklist /app
-
-private-bin opusdec
-
-shell none
-seccomp.keep access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,getdents,getuid,ioctl,lseek,mmap,mprotect,munmap,nanosleep,open,openat,read,rt_sigaction,set_robust_list,setresgid,setresuid,socket,stat,unshare,wait4,write
-caps.drop all
-net none
-noroot
-nosound
-novideo
-nogroups
-nonewprivs
--- a/server.js
+++ b/server.js
@ -31,14 +31,12 @@ const languages = (() => {

 const configSchema = Joi.object({
  asr_url: Joi.string(),
-  disable_jail: Joi.boolean(),
  port: Joi.number(),
  s3_bucket: Joi.string().optional(),
 });

 const config = {
  asr_url: process.env.ASR_URL,
-  disable_jail: process.env.DISABLE_DECODE_JAIL === '1',
  port: process.env.PORT || 9001,
  s3_bucket: process.env.S3_BUCKET,
 };
@ -241,15 +239,6 @@ app.get('/', (req, res) => {

 app.post('*', function(req, res, next) {
  let decodeArgs;
-
-  // then we convert it from opus to raw pcm
-  const jailArgs = [
-    'firejail',
-    '--profile=opusdec.profile',
-    '--debug',
-    '--force',
-  ];
-
  const header_validation = validateHeaders(req.headers);

  if (header_validation !== null) {
@ -298,12 +287,8 @@ app.post('*', function(req, res, next) {
      .json({message: 'Body should be an Opus or Webm audio file'});
  }

-  let args = null;
-  if (config.disable_jail) {
-    args = decodeArgs;
-  } else {
-    args = jailArgs.concat(decodeArgs);
-  }
+  const args = decodeArgs;
+
  const opusdec_start = Date.now();
  mozlog.info('request.opusdec.start', {
    request_id: res.locals.request_id,