This needs further investigation.
$ cat ~/journal-test.c #include <systemd/sd-journal.h> int main(int argc, char *argv[]) { sd_journal_print(LOG_NOTICE, "Hello World"); return 0; } $ gcc -o /tmp/test `pkg-config --cflags --libs libsystemd` /app/phil/journal-test.c $ strace /tmp/test [...] sendmsg(3, {msg_name={sa_family=AF_UNIX, sun_path="/run/systemd/journal/socket"}, msg_namelen=30, msg_iov=[{iov_base="MESSAGE=Hello World", iov_len=19}, {iov_base="\n", iov_len=1}, {iov_base="PRIORITY=5", iov_len=10}, {iov_base="\n", iov_len=1}, {iov_base="CODE_FILE=/app/phil/journal-test"..., iov_len=34}, {iov_base="\n", iov_len=1}, {iov_base="CODE_LINE=5", iov_len=11}, {iov_base="\n", iov_len=1}, {iov_base="CODE_FUNC=main", iov_len=14}, {iov_base="\n", iov_len=1}, {iov_base="SYSLOG_IDENTIFIER=", iov_len=18}, {iov_base="test", iov_len=4}, {iov_base="\n", iov_len=1}], msg_iovlen=13, msg_controllen=0, msg_flags=0}, MSG_NOSIGNAL) = -1 ENOENT (No such file or directory)
Created attachment 393865 [details] Patch
Created attachment 393870 [details] Patch
Comment on attachment 393870 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=393870&action=review > Tools/flatpak/flatpakutils.py:580 > + # systemd journal socket. So white-list everything in /run. ¯\_(ã)_/¯ Seems like unintentional characters here: ¯\_(ã)_/¯ breaks gtk api-tests. https://ews-build.webkit.org/#/builders/34/builds/5027/steps/10/logs/stdio
I think pulling in all of `/run` is quite scary when it comes to reproducability. I'd rather see specific paths but if the goal is to just get things working and tighten it down later maybe its fine.
Created attachment 393959 [details] Patch
(In reply to Patrick Griffis from comment #5) > I think pulling in all of `/run` is quite scary when it comes to > reproducability. I'd rather see specific paths but if the goal is to just > get things working and tighten it down later maybe its fine. Would you support adding a --socket=journal option to `flatpak build`?
Comment on attachment 393959 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=393959&action=review > Tools/flatpak/flatpakutils.py:581 > + "--bind-mount=/run=/run", Wouldn't it be enough to bind-mount only /run/systemd/journal? I think that would be better than using the big hammer.
Created attachment 393962 [details] Patch
Comment on attachment 393962 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=393962&action=review > Tools/flatpak/flatpakutils.py:-579 > - # Workaround for https://webkit.org/b/187384 to have our own perl modules usable inside the sandbox > - # as setting the PERL5LIB envvar won't work inside apache (and for scripts using `perl -T``). > - "--bind-mount=/run/host/%s=%s" % (tempfile.gettempdir(), tempfile.gettempdir()), the crash log code assumes /run/host its there, if you delete this you have to adapt that. grep for /run/host on Tools > Tools/flatpak/flatpakutils.py:583 > + "--bind-mount=/run/systemd/journal=/run/systemd/journal", I wonder about ICECC support. Doesn't it need to access /run/icecc/iceccd.socket from the host?
Comment on attachment 393962 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=393962&action=review >> Tools/flatpak/flatpakutils.py:-579 >> - "--bind-mount=/run/host/%s=%s" % (tempfile.gettempdir(), tempfile.gettempdir()), > > the crash log code assumes /run/host its there, if you delete this you have to adapt that. grep for /run/host on Tools Gotcha >> Tools/flatpak/flatpakutils.py:583 >> + "--bind-mount=/run/systemd/journal=/run/systemd/journal", > > I wonder about ICECC support. Doesn't it need to access /run/icecc/iceccd.socket from the host? Access to the socket is already granted, you can check in this method a few lines below :)
Created attachment 393977 [details] Patch
Committed r258699: <https://trac.webkit.org/changeset/258699>