Now that /run is blacklisted by default, firejail fails to start up in my local test install:
    > print MediaWiki\Shell\Shell::command('echo','hello')->execute()->getStderr();
    Error disable file: fs.c:135 disable_file: No such file or directory
    Error: proc 8964 cannot sync with peer: unexpected EOF
    Peer 8965 unexpectedly exited with status 1
strace shows that firejail is using /run for its own purposes, specifically as a place to store the source of bind mounts:
    [pid 9246] mount("/run/firejail/firejail.ro.dir", "/run", 0x557700818051, MS_BIND, 0x557700810729) = 0
    [pid 9246] mount("/run/firejail/firejail.ro.file", "/etc/shadow", 0x557700818051, MS_BIND, 0x557700810729) = -1 ENOENT (No such file or directory)
The only mystery is how/why it works in production. I'm using firejail 0.9.52 and production is using 0.9.44, but the code looks pretty similar and strace shows them doing the same mounts. It's just that the mount somehow works in production:
    [pid 31227] mount("/run/firejail/firejail.ro.dir", "/run", 0x564bc10bce80, MS_BIND, 0x564bc10b598c) = 0
    [pid 31227] mount("/run/firejail/firejail.ro.file", "/etc/shadow", 0x564bc10bce80, MS_BIND, 0x564bc10b598c) = 0
Perhaps it is a kernel change. I'm using 5.4.0 (specifically linux-generic 5.4.0.45.49 from Ubuntu 20.04) whereas production is using 4.9.0.
I normally run MediaWiki inside systemd-nspawn, but I ruled this out as a cause by testing it on the host, with firejail 0.9.62:
    $ firejail --profile=includes/shell/firejail.profile echo hello
    Reading profile includes/shell/firejail.profile
    Parent pid 103898, child pid 103899
    Error disable file: fs.c:141 disable_file: No such file or directory
    Error: proc 103898 cannot sync with peer: unexpected EOF
    Peer 103899 unexpectedly exited with status 1
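As an added check (example code, not MediaWiki's or firejail's), a small lint that flags blacklist rules in a firejail profile covering /run/firejail, the directory the strace output above shows firejail using as the source of its own bind mounts. The runtime path constant and the sample profile are assumptions constructed for this example.

```python
"""Lint a firejail profile for 'blacklist' rules that would shadow firejail's
own runtime directory.  Added example; not MediaWiki or firejail code."""
import posixpath

# Assumption: firejail stores its bind-mount sources (firejail.ro.dir,
# firejail.ro.file, as seen in the strace above) under this directory.
FIREJAIL_RUNTIME_DIR = "/run/firejail"


def _covers(path: str, target: str) -> bool:
    """True if blacklisting `path` hides `target` (same path or a parent)."""
    path = posixpath.normpath(path)
    target = posixpath.normpath(target)
    return path == target or target.startswith(path.rstrip("/") + "/")


def parse_profile(text: str):
    """Yield (line_no, directive, argument) for non-empty, non-comment lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, arg = line.partition(" ")
        yield n, directive, arg.strip()


def find_runtime_dir_conflicts(text: str, runtime_dir: str = FIREJAIL_RUNTIME_DIR):
    """Return [(line_no, path)] for literal 'blacklist' rules covering runtime_dir.

    A rule such as 'blacklist /run' bind-mounts firejail.ro.dir over /run, so the
    firejail.ro.file source below /run/firejail disappears and the following
    bind mount fails with ENOENT, which is the failure reported above."""
    conflicts = []
    for n, directive, arg in parse_profile(text):
        if directive != "blacklist" or not arg:
            continue
        if "*" in arg or "?" in arg:  # glob patterns are not judged here
            continue
        if _covers(arg, runtime_dir):
            conflicts.append((n, arg))
    return conflicts


# Constructed sample profile modelled on the situation described above.
SAMPLE_PROFILE = """\
# constructed example profile
noblacklist /usr/bin/php
blacklist /run
blacklist /etc/shadow
blacklist /tmp/*
read-only /usr
"""

if __name__ == "__main__":
    for line_no, path in find_runtime_dir_conflicts(SAMPLE_PROFILE):
        print(f"line {line_no}: 'blacklist {path}' shadows {FIREJAIL_RUNTIME_DIR}")
```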