From 1bf67f4f8816e12aaabb4577b0b94d2681a5e427 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Fri, 29 Oct 2021 14:06:36 +0200 Subject: [PATCH 01/36] MWE 1 --- meson.build | 101 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 meson.build diff --git a/meson.build b/meson.build new file mode 100644 index 00000000000..1adcb51a46b --- /dev/null +++ b/meson.build 
@@ -0,0 +1,101 @@ +project('firejail', 'c', + license: 'GPL-2.0-or-later', + # https://packages.debian.org/oldstable/meson + meson_version: '>=0.49.2', + version: '0.9.67', +) + +# # # # # # # # + +PREFIX = get_option('prefix') +BINDIR = PREFIX / get_option('bindir') +SYSCONFDIR = PREFIX / get_option('sysconfdir') +LIBDIR = PREFIX / get_option('libdir') + +constants = { + 'PREFIX': PREFIX, + 'BINDIR': BINDIR, + 'SYSCONFDIR': SYSCONFDIR, + 'LIBDIR': LIBDIR, + + 'VERSION': meson.project_version(), + 'VARDIR': '/var/lib/firejail', +} + +c_args_constants = [] +foreach name, value : constants + c_args_constants += '-D@0@="@1@"'.format(name, value) +endforeach + +# # # # # # # # + +firejail_sources = [ + 'src/firejail/main.c', + 'src/firejail/appimage.c', + 'src/firejail/appimage_size.c', + 'src/firejail/arp.c', + 'src/firejail/bandwidth.c', + 'src/firejail/caps.c', + 'src/firejail/cgroup.c', + 'src/firejail/checkcfg.c', + 'src/firejail/cmdline.c', + 'src/firejail/cpu.c', + 'src/firejail/dhcp.c', + 'src/firejail/env.c', + 'src/firejail/fs.c', + 'src/firejail/fs_bin.c', + 'src/firejail/fs_dev.c', + 'src/firejail/fs_etc.c', + 'src/firejail/fs_home.c', + 'src/firejail/fs_hostname.c', + 'src/firejail/fs_lib.c', + 'src/firejail/fs_lib2.c', + 'src/firejail/fs_logger.c', + 'src/firejail/fs_mkdir.c', + 'src/firejail/fs_trace.c', + 'src/firejail/fs_var.c', + 'src/firejail/fs_whitelist.c', + 'src/firejail/ids.c', + 'src/firejail/join.c', + 'src/firejail/ls.c', + 'src/firejail/macros.c', + 'src/firejail/mountinfo.c', + 'src/firejail/netfilter.c', + 'src/firejail/netns.c', + 'src/firejail/network.c', + 'src/firejail/network_main.c', + 'src/firejail/no_sandbox.c', + 'src/firejail/paths.c', + 'src/firejail/preproc.c', + 'src/firejail/profile.c', + 'src/firejail/protocol.c', + 'src/firejail/pulseaudio.c', + 'src/firejail/restricted_shell.c', + 'src/firejail/restrict_users.c', + 'src/firejail/rlimit.c', + 'src/firejail/run_files.c', + 'src/firejail/run_symlink.c', + 
'src/firejail/sandbox.c', + 'src/firejail/sbox.c', + 'src/firejail/seccomp.c', + 'src/firejail/selinux.c', + 'src/firejail/shutdown.c', + 'src/firejail/usage.c', + 'src/firejail/util.c', + 'src/firejail/x11.c', + + 'src/lib/common.c', + 'src/lib/errno.c', + 'src/lib/firejail_user.c', + 'src/lib/ldd_utils.c', + 'src/lib/syscall.c', +] + +executable('firejail', firejail_sources, + install: true, + install_mode: ['rwsr-xr-x', 0, 0], + + c_args: [ + c_args_constants + ], +) From b3c20e61969d43a9c5071a7b70abe56e38fd9191 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Fri, 29 Oct 2021 15:37:39 +0200 Subject: [PATCH 02/36] MWE 2 --- meson.build | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/meson.build b/meson.build index 1adcb51a46b..a514e337ffb 100644 --- a/meson.build +++ b/meson.build @@ -99,3 +99,39 @@ executable('firejail', firejail_sources, c_args_constants ], ) + +# # # # # # # # + +fseccomp_sources = [ + 'src/fseccomp/main.c', + 'src/fseccomp/protocol.c', + 'src/fseccomp/seccomp.c', + 'src/fseccomp/seccomp_file.c', + 'src/fseccomp/seccomp_secondary.c', + + 'src/lib/common.c', + 'src/lib/errno.c', + 'src/lib/syscall.c', +] +fseccomp = executable('fseccomp', fseccomp_sources, + install: true, + install_dir: get_option('libdir') / meson.project_name(), +) + +# TODO: fsec-optimize OUTPUT +custom_target('seccomp', + build_by_default: true, + command: [fseccomp, 'default', '@OUTPUT@'], + install: true, + install_dir: get_option('libdir') / meson.project_name(), + output: 'seccomp', +) + +# TODO: fsec-optimize OUTPUT +custom_target('seccomp.32', + build_by_default: true, + command: [fseccomp, 'secondary', '32', '@OUTPUT@'], + install: true, + install_dir: get_option('libdir') / meson.project_name(), + output: 'seccomp.32', +) From 95451a816427a0411640444afbccc14577504780 Mon Sep 17 00:00:00 2001 
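Review bot: `executable('firejail', …)` at the end of this hunk installs a setuid-root binary (`install_mode: ['rwsr-xr-x', 0, 0]`), yet `project()` sets no `default_options` and the only `c_args` are the `-D` path constants, so nothing in the build definition asks for PIE, stack protector, FORTIFY or RELRO/BIND_NOW — a plain `meson setup` therefore yields an unhardened, non-PIE setuid binary (Meson defaults are `b_pie=false`, `buildtype=debug`). The autoconf/Makefile build being replaced presumably carries such flags in `src/common.mk`; they belong here rather than in whatever CFLAGS a packager happens to export, which the sketch below does through `cc.get_supported_*_arguments` so older compilers degrade gracefully. Note that `_FORTIFY_SOURCE` only takes effect at `-O1` or above, so CI should also pass `--buildtype=release` (or `-Doptimization=2`) once this lands.
```meson
project('firejail', 'c',
  license: 'GPL-2.0-or-later',
  # … unchanged: meson_version, version …
  default_options: ['b_pie=true', 'warning_level=2'],
)

# firejail is installed setuid root (and launches the helpers in
# libdir/firejail), so hardening is part of the build definition,
# not something left to packager CFLAGS.
cc = meson.get_compiler('c')
add_project_arguments(cc.get_supported_arguments([
  '-fstack-protector-strong',
  '-fstack-clash-protection',
  '-D_FORTIFY_SOURCE=2',
]), language: 'c')
add_project_link_arguments(cc.get_supported_link_arguments([
  '-Wl,-z,relro',
  '-Wl,-z,now',
]), language: 'c')

# … unchanged: PREFIX/BINDIR constants, c_args_constants, firejail_sources, executable() …
```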
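Review bot: `custom_target('seccomp', …)` and `custom_target('seccomp.32', …)` execute the just-built `fseccomp` — a target-machine binary — on the build machine, which in a cross build requires an `exe_wrapper` in the cross file or `meson setup` aborts; a comment above the first target such as `# runs the target fseccomp at build time: cross builds need an exe_wrapper` makes that visible. The two `# TODO: fsec-optimize OUTPUT` markers mean the installed `seccomp`/`seccomp.32` files are the unoptimized filters until `fsec-optimize` is chained in; presumably these are the filters every sandbox loads by default, so the commit message should state that this branch installs different filter bytes than `make install` to stop testers reading the difference as a regression. `fseccomp` is also built without `c_args_constants`, unlike `firejail` in the previous commit — fine if its sources reference none of `VERSION`/`LIBDIR`, but that should be checked rather than assumed.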
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Fri, 29 Oct 2021 16:35:15 +0200 Subject: [PATCH 03/36] WE 3 --- meson.build | 97 +++++--------------------------------- src/fbuilder/meson.build | 19 ++++++++ src/fcopy/meson.build | 10 ++++ src/fids/meson.build | 15 ++++++ src/firecfg/meson.build | 19 ++++++++ src/firejail/meson.build | 70 +++++++++++++++++++++++++++ src/firemon/meson.build | 29 ++++++++++++ src/fldd/meson.build | 15 ++++++ src/fnet/meson.build | 15 ++++++ src/fnetfilter/meson.build | 10 ++++ src/fseccomp/meson.build | 15 ++++++ src/ftee/meson.build | 8 ++++ src/jailcheck/meson.build | 22 +++++++++ 13 files changed, 259 insertions(+), 85 deletions(-) create mode 100644 src/fbuilder/meson.build create mode 100644 src/fcopy/meson.build create mode 100644 src/fids/meson.build create mode 100644 src/firecfg/meson.build create mode 100644 src/firejail/meson.build create mode 100644 src/firemon/meson.build create mode 100644 src/fldd/meson.build create mode 100644 src/fnet/meson.build create mode 100644 src/fnetfilter/meson.build create mode 100644 src/fseccomp/meson.build create mode 100644 src/ftee/meson.build create mode 100644 src/jailcheck/meson.build diff --git a/meson.build b/meson.build index a514e337ffb..ab511764f68 100644 --- a/meson.build +++ b/meson.build 
@@ -29,95 +29,22 @@ endforeach # # # # # # # # -firejail_sources = [ - 'src/firejail/main.c', - 'src/firejail/appimage.c', - 'src/firejail/appimage_size.c', - 'src/firejail/arp.c', - 'src/firejail/bandwidth.c', - 'src/firejail/caps.c', - 'src/firejail/cgroup.c', - 'src/firejail/checkcfg.c', - 'src/firejail/cmdline.c', - 'src/firejail/cpu.c', - 'src/firejail/dhcp.c', - 'src/firejail/env.c', - 'src/firejail/fs.c', - 'src/firejail/fs_bin.c', - 'src/firejail/fs_dev.c', - 'src/firejail/fs_etc.c', - 'src/firejail/fs_home.c', - 'src/firejail/fs_hostname.c', - 'src/firejail/fs_lib.c', - 'src/firejail/fs_lib2.c', - 'src/firejail/fs_logger.c', - 'src/firejail/fs_mkdir.c', - 'src/firejail/fs_trace.c', - 'src/firejail/fs_var.c', - 'src/firejail/fs_whitelist.c', - 'src/firejail/ids.c', - 'src/firejail/join.c', - 'src/firejail/ls.c', - 'src/firejail/macros.c', - 'src/firejail/mountinfo.c', - 'src/firejail/netfilter.c', - 'src/firejail/netns.c', - 'src/firejail/network.c', - 'src/firejail/network_main.c', - 'src/firejail/no_sandbox.c', - 'src/firejail/paths.c', - 'src/firejail/preproc.c', - 'src/firejail/profile.c', - 'src/firejail/protocol.c', - 'src/firejail/pulseaudio.c', - 'src/firejail/restricted_shell.c', - 'src/firejail/restrict_users.c', - 'src/firejail/rlimit.c', - 'src/firejail/run_files.c', - 'src/firejail/run_symlink.c', - 'src/firejail/sandbox.c', - 'src/firejail/sbox.c', - 'src/firejail/seccomp.c', - 'src/firejail/selinux.c', - 'src/firejail/shutdown.c', - 'src/firejail/usage.c', - 'src/firejail/util.c', - 'src/firejail/x11.c', +subdir('src/firecfg') +subdir('src/firejail') +subdir('src/firemon') +subdir('src/jailcheck') - 'src/lib/common.c', - 'src/lib/errno.c', - 'src/lib/firejail_user.c', - 'src/lib/ldd_utils.c', - 'src/lib/syscall.c', -] - -executable('firejail', firejail_sources, - install: true, - install_mode: ['rwsr-xr-x', 0, 0], - - c_args: [ - c_args_constants - ], -) +subdir('src/fbuilder') +subdir('src/fcopy') +subdir('src/fids') +subdir('src/fldd') 
+subdir('src/fnet') +subdir('src/fnetfilter') +subdir('src/fseccomp') +subdir('src/ftee') # # # # # # # # -fseccomp_sources = [ - 'src/fseccomp/main.c', - 'src/fseccomp/protocol.c', - 'src/fseccomp/seccomp.c', - 'src/fseccomp/seccomp_file.c', - 'src/fseccomp/seccomp_secondary.c', - - 'src/lib/common.c', - 'src/lib/errno.c', - 'src/lib/syscall.c', -] -fseccomp = executable('fseccomp', fseccomp_sources, - install: true, - install_dir: get_option('libdir') / meson.project_name(), -) - # TODO: fsec-optimize OUTPUT custom_target('seccomp', build_by_default: true, diff --git a/src/fbuilder/meson.build b/src/fbuilder/meson.build new file mode 100644 index 00000000000..7a0de954900 --- /dev/null +++ b/src/fbuilder/meson.build @@ -0,0 +1,19 @@ +fbuilder_sources = [ + 'main.c', + 'build_bin.c', + 'build_fs.c', + 'build_home.c', + 'build_profile.c', + 'build_seccomp.c', + 'filedb.c', + 'utils.c', +] + +executable('fbuilder', fbuilder_sources, + install: true, + install_dir: get_option('libdir') / meson.project_name(), + + c_args: [ + c_args_constants, + ], +) diff --git a/src/fcopy/meson.build b/src/fcopy/meson.build new file mode 100644 index 00000000000..a5e4781c8ef --- /dev/null +++ b/src/fcopy/meson.build @@ -0,0 +1,10 @@ +fcopy_sources = [ + 'main.c', + + '../lib/common.c', +] + +executable('fcopy', fcopy_sources, + install: true, + install_dir: get_option('libdir') / meson.project_name(), +) diff --git a/src/fids/meson.build b/src/fids/meson.build new file mode 100644 index 00000000000..a3b8f3c0faa --- /dev/null +++ b/src/fids/meson.build @@ -0,0 +1,15 @@ +fids_sources = [ + 'main.c', + 'blake2b.c', + 'db.c', + 'db_exclude.c', +] + +executable('fids', fids_sources, + install: true, + install_dir: get_option('libdir') / meson.project_name(), + + c_args: [ + c_args_constants, + ], +) diff --git a/src/firecfg/meson.build b/src/firecfg/meson.build new file mode 100644 index 00000000000..3620933261e --- /dev/null +++ b/src/firecfg/meson.build 
@@ -0,0 +1,19 @@ +firecfg_sources = [ + 'main.c', + 'desktop_files.c', + 'sound.c', + 'util.c', + + '../lib/firejail_user.c', +] + +executable('firecfg', firecfg_sources, + install: true, + + c_args: [ + c_args_constants + ], + +) + +install_data('firecfg.config', install_dir: get_option('libdir') / meson.project_name()) diff --git a/src/firejail/meson.build b/src/firejail/meson.build new file mode 100644 index 00000000000..e2c471b2de5 --- /dev/null +++ b/src/firejail/meson.build @@ -0,0 +1,70 @@ +firejail_sources = [ + 'main.c', + 'appimage.c', + 'appimage_size.c', + 'arp.c', + 'bandwidth.c', + 'caps.c', + 'cgroup.c', + 'checkcfg.c', + 'cmdline.c', + 'cpu.c', + 'dhcp.c', + 'env.c', + 'fs.c', + 'fs_bin.c', + 'fs_dev.c', + 'fs_etc.c', + 'fs_home.c', + 'fs_hostname.c', + 'fs_lib.c', + 'fs_lib2.c', + 'fs_logger.c', + 'fs_mkdir.c', + 'fs_trace.c', + 'fs_var.c', + 'fs_whitelist.c', + 'ids.c', + 'join.c', + 'ls.c', + 'macros.c', + 'mountinfo.c', + 'netfilter.c', + 'netns.c', + 'network.c', + 'network_main.c', + 'no_sandbox.c', + 'paths.c', + 'preproc.c', + 'profile.c', + 'protocol.c', + 'pulseaudio.c', + 'restricted_shell.c', + 'restrict_users.c', + 'rlimit.c', + 'run_files.c', + 'run_symlink.c', + 'sandbox.c', + 'sbox.c', + 'seccomp.c', + 'selinux.c', + 'shutdown.c', + 'usage.c', + 'util.c', + 'x11.c', + + '../lib/common.c', + '../lib/errno.c', + '../lib/firejail_user.c', + '../lib/ldd_utils.c', + '../lib/syscall.c', +] + +executable('firejail', firejail_sources, + install: true, + install_mode: ['rwsr-xr-x', 0, 0], + + c_args: [ + c_args_constants + ], +) diff --git a/src/firemon/meson.build b/src/firemon/meson.build new file mode 100644 index 00000000000..1a4456dabad --- /dev/null +++ b/src/firemon/meson.build 
@@ -0,0 +1,29 @@ +firemon_sources = [ + 'firemon.c', + 'apparmor.c', + 'arp.c', + 'caps.c', + 'cgroup.c', + 'cpu.c', + 'interface.c', + 'list.c', + 'netstats.c', + 'procevent.c', + 'route.c', + 'seccomp.c', + 'top.c', + 'tree.c', + 'usage.c', + 'x11.c', + + '../lib/common.c', + '../lib/pid.c', +] + +executable('firemon', firemon_sources, + install: true, + + c_args: [ + c_args_constants + ], +) diff --git a/src/fldd/meson.build b/src/fldd/meson.build new file mode 100644 index 00000000000..a5b3ae44aef --- /dev/null +++ b/src/fldd/meson.build @@ -0,0 +1,15 @@ +fldd_source = [ + 'main.c', + + '../lib/common.c', + '../lib/ldd_utils.c', +] + +executable('fldd', fldd_source, + install: true, + install_dir: get_option('libdir') / meson.project_name(), + + c_args: [ + c_args_constants, + ], +) diff --git a/src/fnet/meson.build b/src/fnet/meson.build new file mode 100644 index 00000000000..6831c13a700 --- /dev/null +++ b/src/fnet/meson.build @@ -0,0 +1,15 @@ +fnet_sources = [ + 'main.c', + 'arp.c', + 'interface.c', + 'veth.c', + + '../lib/common.c', + '../lib/libnetlink.c', +] + +executable('fnet', fnet_sources, + install: true, + install_dir: get_option('libdir') / meson.project_name(), +) + diff --git a/src/fnetfilter/meson.build b/src/fnetfilter/meson.build new file mode 100644 index 00000000000..7f48586fb91 --- /dev/null +++ b/src/fnetfilter/meson.build @@ -0,0 +1,10 @@ +fnetfilter_sources = [ + 'main.c', + + '../lib/common.c', +] + +executable('fnetfilter', fnetfilter_sources, + install: true, + install_dir: get_option('libdir') / meson.project_name(), +) diff --git a/src/fseccomp/meson.build b/src/fseccomp/meson.build new file mode 100644 index 00000000000..bb51a2e1e33 --- /dev/null +++ b/src/fseccomp/meson.build 
@@ -0,0 +1,15 @@
+fseccomp_sources = [
+ 'main.c',
+ 'protocol.c',
+ 'seccomp.c',
+ 'seccomp_file.c',
+ 'seccomp_secondary.c',
+
+ '../lib/common.c',
+ '../lib/errno.c',
+ '../lib/syscall.c',
+]
+fseccomp = executable('fseccomp', fseccomp_sources,
+ install: true,
+ install_dir: get_option('libdir') / meson.project_name(),
+)
diff --git a/src/ftee/meson.build b/src/ftee/meson.build
new file mode 100644
index 00000000000..5e95591504d
--- /dev/null
+++ b/src/ftee/meson.build
@@ -0,0 +1,8 @@
+ftee_sources = [
+ 'main.c',
+]
+
+executable('ftee', ftee_sources,
+ install: true,
+ install_dir: get_option('libdir') / meson.project_name(),
+)
diff --git a/src/jailcheck/meson.build b/src/jailcheck/meson.build
new file mode 100644
index 00000000000..89436fc46b4
--- /dev/null
+++ b/src/jailcheck/meson.build
@@ -0,0 +1,22 @@
+jailcheck_sources = [
+ 'main.c',
+ 'access.c',
+ 'apparmor.c',
+ 'network.c',
+ 'noexec.c',
+ 'seccomp.c',
+ 'sysfiles.c',
+ 'utils.c',
+ 'virtual.c',
+
+ '../lib/common.c',
+ '../lib/pid.c',
+]
+
+executable('jailcheck', jailcheck_sources,
+ install: true,
+
+ c_args: [
+ c_args_constants
+ ],
+)
From 1619d89d867cc1c512399696d05f1ed4c69e1f8a Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Fri, 29 Oct 2021 17:40:14 +0200 Subject: [PATCH 04/36] Use meson in build/build-extra workflows for now --- .github/workflows/build-extra.yml | 36 ++++++++++++++++++++----------- .github/workflows/build.yml | 25 +++++++++++---------- 2 files changed, 36 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml
index 5b44e7b9f7d..314abaecfe0 100644
--- a/.github/workflows/build-extra.yml
+++ b/.github/workflows/build-extra.yml
@@ -38,6 +38,7 @@ on: permissions: # added using https://github.com/step-security/secure-workflows contents: read +# TODO: Add jobs for minimal (0.49.2) and maximal (latest release(-candidate)) meson version jobs: build-clang: runs-on: ubuntu-22.04 @@ -61,15 +62,26 @@ jobs: libapparmor-dev libselinux1-dev - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=clang-14 - --prefix=/usr --enable-fatal-warnings - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) - - name: make - run: make - - name: make install - run: sudo make install - - name: print version - run: make print-version + - uses: actions/checkout@v2 + - name: meson setup + run: CC=clang-11 meson setup _builddir --werror + - name: meson compile + run: meson compile -C _builddir + scan-build: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + - name: install clang-tools-11 + run: sudo apt-get install clang-tools-11 + - name: meson setup + run: CC=clang-11 meson setup _builddir --werror + - name: scan-build + run: ninja -C builddir scan-build + cppcheck: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + - name: install cppcheck + run: sudo apt-get install cppcheck + - name: cppcheck + run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 60420d4419a..d6800e74b9f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
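Review bot: The new `scan-build` job configures into `_builddir` but then runs `ninja -C builddir scan-build`, so the step cannot find a build directory and the job fails before any analysis runs; it should read `ninja -C _builddir scan-build`. In `build-clang` a second `- uses: actions/checkout@v2` is added to a job that already checked out (its `print env` step runs `./ci/printenv.sh`), and the compiler moves from `clang-14` (the removed configure line, matching the `ubuntu-22.04` runner) to `clang-11`, which the visible install step does not add. Neither new job installs `meson`/`ninja` unless the `ubuntu-20.04` image happens to ship them, and the unpinned `@v2` tags sit in a file whose header says permissions were tightened with secure-workflows — pinning the action to a commit SHA would be consistent with that. The `--enable-apparmor --enable-selinux` coverage from the removed configure line is dropped silently; a TODO naming the meson options that will replace it would keep that on the radar.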
@@ -74,18 +74,17 @@ jobs: - name: install dependencies run: > sudo apt-get install -qy - gcc-12 libapparmor-dev libselinux1-dev + gcc-12 libapparmor-dev libselinux1-dev expect xzdec - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=gcc-12 - --prefix=/usr --enable-fatal-warnings --enable-analyzer - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) - - name: make - run: make - - name: make install - run: sudo make install - - name: print version - run: make print-version + - name: meson setup + #TODO: --enable-analyzer --enable-apparmor --enable-selinux + run: CC=gcc-11 meson setup _builddir --werror --prefix=/usr + - name: meson compile + run: meson compile -C _builddir + - name: meson install + run: sudo meson install -C _builddir + # TODO: Why do we run this for profile changes? + # TODO: meson test + #- name: meson test + # run: SHELL=/bin/bash meson test From 9412323b0c28f660e890fa9baf149401d5075c66 Mon Sep 17 00:00:00 2001 
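Review bot: The `meson setup` step sets `CC=gcc-11` while the install step a few lines above installs `gcc-12`, so the build either picks up whatever gcc-11 the runner image happens to carry or fails; use `CC=gcc-12` to match. The removed configure line exercised `--enable-analyzer --enable-apparmor --enable-selinux`, now reduced to a TODO comment, so this job no longer compiles the AppArmor/SELinux code paths at all; an `analyzer` option is introduced later in this series, so the TODO should at least list the option names it is waiting for. With `meson test` commented out nothing touches the freshly installed setuid binary, so the smoke test that was removed (`make print-version`) should come back in some form, e.g. `- name: print version` / `run: firejail --version`.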
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Fri, 29 Oct 2021 19:35:54 +0200 Subject: [PATCH 05/36] WE 4 --- etc/meson.build | 18 ++++++++ meson.build | 65 ++++------------------------ meson_options.txt | 50 ++++++++++++++++++++++ src/fsec-optimize/meson.build | 12 ++++++ src/fsec-print/meson.build | 13 ++++++ src/fshaper/meson.build | 4 ++ src/libpostexecseccomp/meson.build | 4 ++ src/libtrace/meson.build | 9 ++++ src/libtracelog/meson.build | 9 ++++ src/man/meson.build | 12 ++++++ src/meson.build | 68 ++++++++++++++++++++++++++++++ src/profstats/meson.build | 7 +++ test/meson.build | 1 + 13 files changed, 215 insertions(+), 57 deletions(-) create mode 100644 etc/meson.build create mode 100644 meson_options.txt create mode 100644 src/fsec-optimize/meson.build create mode 100644 src/fsec-print/meson.build create mode 100644 src/fshaper/meson.build create mode 100644 src/libpostexecseccomp/meson.build create mode 100644 src/libtrace/meson.build create mode 100644 src/libtracelog/meson.build create mode 100644 src/man/meson.build create mode 100644 src/meson.build create mode 100644 src/profstats/meson.build create mode 100644 test/meson.build diff --git a/etc/meson.build b/etc/meson.build new file mode 100644 index 00000000000..37b7132a4cd --- /dev/null +++ b/etc/meson.build @@ -0,0 +1,18 @@ +install_data( + sources: ['firejail.config', 'ids.config', 'login.users'], + install_dir: get_option('sysconfdir') / meson.project_name(), +) + +foreach dir : ['inc', 'net', 'profile-a-l', 'profile-m-z'] + install_subdir(dir, + install_dir: get_option('sysconfdir') / meson.project_name(), + strip_directory: true, + ) +endforeach + +install_subdir('templates', + install_dir: get_option('datadir') / 'doc' / meson.project_name(), + strip_directory: true, +) + +# TODO: apparmor diff --git a/meson.build b/meson.build index ab511764f68..7d02cf019df 100644 --- a/meson.build +++ b/meson.build 
@@ -5,60 +5,11 @@ project('firejail', 'c', version: '0.9.67', ) -# # # # # # # # - -PREFIX = get_option('prefix') -BINDIR = PREFIX / get_option('bindir') -SYSCONFDIR = PREFIX / get_option('sysconfdir') -LIBDIR = PREFIX / get_option('libdir') - -constants = { - 'PREFIX': PREFIX, - 'BINDIR': BINDIR, - 'SYSCONFDIR': SYSCONFDIR, - 'LIBDIR': LIBDIR, - - 'VERSION': meson.project_version(), - 'VARDIR': '/var/lib/firejail', -} - -c_args_constants = [] -foreach name, value : constants - c_args_constants += '-D@0@="@1@"'.format(name, value) -endforeach - -# # # # # # # # - -subdir('src/firecfg') -subdir('src/firejail') -subdir('src/firemon') -subdir('src/jailcheck') - -subdir('src/fbuilder') -subdir('src/fcopy') -subdir('src/fids') -subdir('src/fldd') -subdir('src/fnet') -subdir('src/fnetfilter') -subdir('src/fseccomp') -subdir('src/ftee') - -# # # # # # # # - -# TODO: fsec-optimize OUTPUT -custom_target('seccomp', - build_by_default: true, - command: [fseccomp, 'default', '@OUTPUT@'], - install: true, - install_dir: get_option('libdir') / meson.project_name(), - output: 'seccomp', -) - -# TODO: fsec-optimize OUTPUT -custom_target('seccomp.32', - build_by_default: true, - command: [fseccomp, 'secondary', '32', '@OUTPUT@'], - install: true, - install_dir: get_option('libdir') / meson.project_name(), - output: 'seccomp.32', -) +cc = meson.get_compiler('c') +if get_option('analyzer') and cc.get_id() == 'gcc' and cc.version().version_compare('>=10') + add_project_arguments('-fanalyzer', language: 'c') +endif + +subdir('etc') +subdir('src') +subdir('test') diff --git a/meson_options.txt b/meson_options.txt new file mode 100644 index 00000000000..4038c3bfc32 --- /dev/null +++ b/meson_options.txt 
@@ -0,0 +1,50 @@ +option('analyzer', type: 'boolean', value: false, + description: 'Enable gcc\'s Static Analyzer') +option('sanitizer', type: 'combo', choices: ['none', 'address', 'memory', 'undefined'], + description: 'Enable a compiler-based sanitizer (debug)') +option('gcov', type: 'boolean', value: true, + description: 'Gcov instrumentation') + +option('lts', type: 'boolean', value: false, + description: 'LTS') + +option('busybox', type: 'boolean', value: false, + description: 'busybox workaround') +option('contrib', type: 'boolean', value: true, + description: 'Install contrib files') +option('suid', type: 'boolean', value: true, + description: 'Install firejail as SUID executable') + +#option('globalcfg', type: 'boolean', value: truefalse, +# description: '') + +option('apparmor', type: 'boolean', value: false, + description: 'AppArmor support') +option('selinux', type: 'boolean', value: false, + description: 'SELinux labeling support') +option('dbusproxy', type: 'boolean', value: true, + description: 'D-Bus proxy support') +option('man', type: 'boolean', value: true, + description: 'Manpages') + +option('output', type: 'boolean', value: true, + description: '--output logging') +option('usertmpfs', type: 'boolean', value: true, + description: 'tmpfs as regular user') +option('firetunnel', type: 'boolean', value: true, + description: 'firetunnel') +option('private-home', type: 'boolean', value: true, + description: 'private home feature') +option('chroot', type: 'boolean', value: true, + description: 'chroot') +option('network', type: 'boolean', value: true, + description: 'network') +option('userns', type: 'boolean', value: true, + description: 'user namespace') +option('x11', type: 'boolean', value: true, + description: 'X11 sandboxing support') +option('file-transfer', type: 'boolean', value: true, + description: 'file transfer') + +option('force-nonewprivs', type: 'boolean', value: true, + description: 'force nonewprivs') 
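Review bot: `option('gcov', type: 'boolean', value: true, …)` defaults coverage instrumentation on and `option('suid', …, value: true)` is declared, but nothing in this commit reads either: `src/firejail/meson.build` still installs with `install_mode: ['rwsr-xr-x', 0, 0]` unconditionally and no `--coverage` flag is added anywhere. If `gcov` is later wired in with this default, every release build of a setuid-root binary would be instrumented to write `.gcda` files at exit, so it should default to `false` like a debug option (compare `sanitizer`). `suid` should be honoured where the binary is installed, e.g. `install_mode: get_option('suid') ? ['rwsr-xr-x', 0, 0] : 'rwxr-xr-x'` in the `executable('firejail', …)` call. Options that are placeholders (`lts`, `busybox`, `apparmor`, `selinux`) should say `(not yet implemented)` in their description, since that is what `meson configure` shows to users.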
diff --git a/src/fsec-optimize/meson.build b/src/fsec-optimize/meson.build
new file mode 100644
index 00000000000..a0b115fa6ea
--- /dev/null
+++ b/src/fsec-optimize/meson.build
@@ -0,0 +1,12 @@
+fsec_optimize_seources = [
+ 'main.c',
+ 'optimizer.c',
+
+ '../lib/common.c',
+ '../lib/errno.c',
+]
+
+executable('fsec-optimize', fsec_optimize_seources,
+ install: true,
+ install_dir: get_option('libdir') / meson.project_name(),
+)
diff --git a/src/fsec-print/meson.build b/src/fsec-print/meson.build
new file mode 100644
index 00000000000..63b7fe3866a
--- /dev/null
+++ b/src/fsec-print/meson.build
@@ -0,0 +1,13 @@
+fsec_print_sources = [
+ 'main.c',
+ 'print.c',
+
+ '../lib/common.c',
+ '../lib/errno.c',
+ '../lib/syscall.c',
+]
+
+executable('fsec_print', fsec_print_sources,
+ install: true,
+ install_dir: get_option('libdir') / meson.project_name(),
+)
diff --git a/src/fshaper/meson.build b/src/fshaper/meson.build
new file mode 100644
index 00000000000..09fa4e9d5c3
--- /dev/null
+++ b/src/fshaper/meson.build
@@ -0,0 +1,4 @@
+install_data('fshaper.sh',
+ install_dir: get_option('libdir') / meson.project_name(),
+ install_mode: 'rwx--x--x',
+)
diff --git a/src/libpostexecseccomp/meson.build b/src/libpostexecseccomp/meson.build
new file mode 100644
index 00000000000..0e53db1f189
--- /dev/null
+++ b/src/libpostexecseccomp/meson.build
@@ -0,0 +1,4 @@
+shared_library('postexecseccomp', 'libpostexecseccomp.c',
+ install: true,
+ install_dir: get_option('libdir') / meson.project_name(),
+)
diff --git a/src/libtrace/meson.build b/src/libtrace/meson.build
new file mode 100644
index 00000000000..980432418ab
--- /dev/null
+++ b/src/libtrace/meson.build
@@ -0,0 +1,9 @@
+shared_library('trace', 'libtrace.c',
+ install: true,
+ install_dir: get_option('libdir') / meson.project_name(),
+
+ c_args: [
+ ],
+ link_args: [
+ ],
+)
diff --git a/src/libtracelog/meson.build b/src/libtracelog/meson.build
new file mode 100644
index 00000000000..bcedf9c037b
--- /dev/null
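Review bot: `executable('fsec_print', fsec_print_sources, …)` in `src/fsec-print/meson.build` names the installed helper with an underscore while its directory, the `subdir('fsec-print')` call and every other helper in this series use a hyphen; if `firejail` execs it by path (presumably `LIBDIR "/firejail/fsec-print"` — check `src/firejail/sbox.c` and `seccomp.c`), the seccomp print path breaks after a meson install, so it should be `executable('fsec-print', fsec_print_sources,`. The neighbouring `fsec-optimize` hunk spells its list `fsec_optimize_seources`; harmless, but worth fixing while the file is new. `install_data('fshaper.sh', …, install_mode: 'rwx--x--x')` gives a shell script the same unreadable mode as the non-dumpable C helpers; if that is deliberate (the script runs with privileges via sbox), a one-line comment saying so would stop the next reader from "fixing" it to 0755.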
+++ b/src/libtracelog/meson.build
@@ -0,0 +1,9 @@
+shared_library('tracelog', 'libtracelog.c',
+ install: true,
+ install_dir: get_option('libdir') / meson.project_name(),
+
+ c_args: [
+ ],
+ link_args: [
+ ],
+)
diff --git a/src/man/meson.build b/src/man/meson.build
new file mode 100644
index 00000000000..0dad5011315
--- /dev/null
+++ b/src/man/meson.build
@@ -0,0 +1,12 @@
+sh = find_program('sh')
+gawk = find_program('gawk')
+preproc_awk = files('preproc.awk')
+
+manflags = []
+
+#if get_option('')
+# manflags += '-D...'
+#endif
+
+#generator(gawk, s/generator/custom_target/
+# arguments: [sh, '-c', '"@0@" -f "@1@" -- @3@ < > '.format(gawk, preproc_awk, ' '.join(manflags)), '--', 'FIXME:MANFLAGS', ]
diff --git a/src/meson.build b/src/meson.build
new file mode 100644
index 00000000000..50efb7efd57
--- /dev/null
+++ b/src/meson.build
@@ -0,0 +1,68 @@
+PREFIX = get_option('prefix')
+BINDIR = PREFIX / get_option('bindir')
+SYSCONFDIR = PREFIX / get_option('sysconfdir')
+LIBDIR = PREFIX / get_option('libdir')
+
+constants = {
+ 'PREFIX': PREFIX,
+ 'BINDIR': BINDIR,
+ 'SYSCONFDIR': SYSCONFDIR,
+ 'LIBDIR': LIBDIR,
+
+ 'VERSION': meson.project_version(),
+ 'VARDIR': '/var/lib/firejail',
+}
+
+c_args_constants = []
+foreach name, value : constants
+ c_args_constants += '-D@0@="@1@"'.format(name, value)
+endforeach
+
+# # # # # # # # # #
+
+subdir('firecfg')
+subdir('firejail')
+subdir('firemon')
+subdir('jailcheck')
+subdir('profstats')
+
+subdir('fbuilder')
+subdir('fcopy')
+subdir('fids')
+subdir('fldd')
+subdir('fnet')
+subdir('fnetfilter')
+subdir('fseccomp')
+subdir('fsec-optimize')
+subdir('fsec-print')
+subdir('fshaper')
+subdir('ftee')
+
+subdir('libpostexecseccomp')
+#subdir('libtrace')
+#subdir('libtracelog')
+
+#subdir('man')
+
+#subdir('bash_completion')
+#subdir('zsh_completion')
+
+# # # # # # # # # #
+
+# TODO: fsec-optimize OUTPUT
+custom_target('seccomp',
+ build_by_default: true,
+ command: [fseccomp, 'default', '@OUTPUT@'],
+ install: true,
+ install_dir: get_option('libdir') / meson.project_name(),
+ output: 'seccomp',
+)
+
+# TODO: fsec-optimize OUTPUT
+custom_target('seccomp.32',
+ build_by_default: true,
+ command: [fseccomp, 'secondary', '32', '@OUTPUT@'],
+ install: true,
+ install_dir: get_option('libdir') / meson.project_name(),
+ output: 'seccomp.32',
+)
diff --git a/src/profstats/meson.build b/src/profstats/meson.build
new file mode 100644
index 00000000000..59766b033e5
--- /dev/null
+++ b/src/profstats/meson.build
@@ -0,0 +1,7 @@
+profstats_sources = [
+ 'main.c',
+]
+
+executable('profstats', profstats_sources,
+ build_by_default: false,
+)
diff --git a/test/meson.build b/test/meson.build
new file mode 100644
index 00000000000..464090415c4
--- /dev/null
+++ b/test/meson.build
@@ -0,0 +1 @@
+# TODO
From 0d2c134d1e4ae03b628cd1c0ea066bbe367a41e8 Mon Sep 17 00:00:00 2001
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Fri, 29 Oct 2021 21:23:15 +0200 Subject: [PATCH 06/36] E 5 --- contrib/meson.build | 24 +++++++++++++++++ etc/meson.build | 13 ++++++++- meson.build | 50 +++++++++++++++++++++++++++++++++++ meson_options.txt | 40 ++++++++++++++++------------ src/fbuilder/meson.build | 1 + src/fcopy/meson.build | 2 ++ src/fids/meson.build | 1 + src/fldd/meson.build | 1 + src/fnet/meson.build | 1 + src/fnetfilter/meson.build | 1 + src/fsec-optimize/meson.build | 1 + src/fsec-print/meson.build | 1 + src/fseccomp/meson.build | 1 + src/ftee/meson.build | 1 + src/meson.build | 4 ++- 15 files changed, 123 insertions(+), 19 deletions(-) create mode 100644 contrib/meson.build diff --git a/contrib/meson.build b/contrib/meson.build new file mode 100644 index 00000000000..dd0bc932fbe --- /dev/null +++ b/contrib/meson.build @@ -0,0 +1,24 @@ +contrib_scripts = [ + 'firejail-welcome.sh', + 'fix_private-bin.py', + 'fjclip.py', + 'fjdisplay.py', + 'fj-mkdeb.py', + 'fjresize.py', + 'gdb-firejail.sh', + 'jail_prober.py', + 'sort.py', + 'syscalls.sh', + 'update_deb.sh', +] +install_data(contrib_scripts, + install_dir: get_option('libdir') / meson.project_name(), + install_mode: 'rwxr-xr-x', +) + +install_data('vim/ftdetect/firejail.vim', + install_dir: get_option('datadir') / 'vim' / 'vimfiles' / 'ftdetect', +) +install_data('vim/syntax/firejail.vim', + install_dir: get_option('datadir') / 'vim' / 'vimfiles' / 'syntax', +) diff --git a/etc/meson.build b/etc/meson.build index 37b7132a4cd..b0db5e60218 100644 --- a/etc/meson.build +++ b/etc/meson.build 
@@ -15,4 +15,15 @@ install_subdir('templates', strip_directory: true, ) -# TODO: apparmor +install_data('apparmor/firejail-default', + install_dir: get_option('sysconfdir') / 'apparmor.d', +) +install_data('apparmor/firejail-local', + install_dir: get_option('sysconfdir') / 'apparmor.d' / 'local', + rename: 'firejail-default', +) +install_data('apparmor/firejail-base', + install_dir: get_option('sysconfdir') / 'apparmor.d' / 'abstractions' / 'base.d', +) + +# TODO: get_option('busybox') >> edit disable-common.inc diff --git a/meson.build b/meson.build index 7d02cf019df..14bf70bcff3 100644 --- a/meson.build +++ b/meson.build 
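Review bot: The three `install_data('apparmor/…')` calls are unconditional although `meson_options.txt` declares an `apparmor` option defaulting to `false`, and in the hunks visible here nothing compiles `firejail` with `-DHAVE_APPARMOR` or links libapparmor, so an install drops profiles into `/etc/apparmor.d` for a binary that cannot use them; wrap the block in `if get_option('apparmor')` and gate the compile flag and `dependency('libapparmor')` on the same option. `install_data('apparmor/firejail-local', …, rename: 'firejail-default')` also overwrites `/etc/apparmor.d/local/firejail-default` on every reinstall, and by AppArmor convention `local/` holds the administrator's site overrides; Meson has no "install only if absent", so this needs either a `meson.add_install_script()` that checks for the file first or an explicit note for packagers to treat it as a config file (check how the Makefile handled this). Installing `firejail-base` into `abstractions/base.d` changes the `base` abstraction included by every profile on the host, which deserves a sentence in the commit message.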
@@ -5,11 +5,61 @@ project('firejail', 'c', version: '0.9.67', ) +# # # # # # # # # # + +# TODO: +# -mindirect-branch=thunk +# -mretpoline +# -fstack-clash-protection +# -fstack-protector-strong + cc = meson.get_compiler('c') if get_option('analyzer') and cc.get_id() == 'gcc' and cc.version().version_compare('>=10') add_project_arguments('-fanalyzer', language: 'c') + add_project_arguments('-Wno-analyzer-malloc-leak', language: 'c') endif +if get_option('sanitizer') != 'none' + # TODO: MSAN is not supported by gcc (i.e. requires clang) + # TODO: -fno-common? https://github.com/google/sanitizers/wiki/AddressSanitizer#faq + add_project_arguments('-fsanitize=' + get_option('sanitizer'), language: 'c') + add_project_arguments('-fno-omit-frame-pointer', language: 'c') + #add_project_link_arguments() +endif + +option_flag = { + 'chroot': '-DHAVE_CHROOT', + 'dbusproxy': '-DHAVE_DBUSPROXY', + 'file-transfer': '-DHAVE_FILE_TRANSFER', + 'firetunnel': '-DHAVE_FIRETUNNEL', + 'force-nonewprivs': '-DHAVE_FORCE_NONEWPRIVS', + #'globalcfg': '-DHAVE_GLOBALCFG' + 'network': '-DHAVE_NETWORK', + 'output': '-DHAVE_OUTPUT', + 'private-home': '-DHAVE_PRIVATE_HOME', + 'userns': '-DHAVE_USERNS', + 'usertmpfs': '-DHAVE_USERTMPFS', + 'x11': '-DHAVE_X11', +} + +manflags = [] +foreach option, flag : option_flag + if get_option(option) + manflags += flag + else + endif + #set_variable(name, value) +endforeach + +# # # # # # # # # # + +if get_option('contrib') + subdir('contrib') +endif subdir('etc') subdir('src') subdir('test') + +install_data(['COPYING', 'README', 'RELNOTES'], + install_dir: get_option('datadir') / 'doc' / meson.project_name(), +) diff --git a/meson_options.txt b/meson_options.txt index 4038c3bfc32..643118c5bbc 100644 --- a/meson_options.txt +++ b/meson_options.txt 
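Review bot: The `foreach option, flag : option_flag` loop only appends each `-DHAVE_*` flag to `manflags` and nothing passes that list to the compiler, so with this commit none of `HAVE_NETWORK`, `HAVE_X11`, `HAVE_USERNS`, `HAVE_FORCE_NONEWPRIVS` etc. are defined and every `#ifdef HAVE_*` block is compiled out regardless of the option values — for `force-nonewprivs` that is a silent security downgrade rather than a missing feature. Add `add_project_arguments(manflags, language: 'c')` directly after the loop, rename the list since it now feeds both the C flags and the man-page preprocessor, and drop the empty `else` branch and the commented `set_variable`. The sanitizer block adds `-fsanitize=…` to compile arguments only while `#add_project_link_arguments()` stays commented out, so the link fails with undefined `__asan_*`/`__ubsan_*` symbols; it needs `add_project_link_arguments('-fsanitize=' + get_option('sanitizer'), language: 'c')`. The `# TODO:` list of hardening flags is the right place to also record `-D_FORTIFY_SOURCE=2`, `-Wl,-z,relro -Wl,-z,now` and `b_pie=true`, given that the main artifact of this build is a setuid-root binary.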
@@ -2,12 +2,15 @@ option('analyzer', type: 'boolean', value: false, description: 'Enable gcc\'s Static Analyzer') option('sanitizer', type: 'combo', choices: ['none', 'address', 'memory', 'undefined'], description: 'Enable a compiler-based sanitizer (debug)') -option('gcov', type: 'boolean', value: true, - description: 'Gcov instrumentation') +# TODO +#option('gcov', type: 'boolean', value: true, +# description: 'Gcov instrumentation') +# TODO option('lts', type: 'boolean', value: false, description: 'LTS') +# TODO option('busybox', type: 'boolean', value: false, description: 'busybox workaround') option('contrib', type: 'boolean', value: true, 
@@ -15,36 +18,39 @@ option('contrib', type: 'boolean', value: true, option('suid', type: 'boolean', value: true, description: 'Install firejail as SUID executable') +# TODO #option('globalcfg', type: 'boolean', value: truefalse, # description: '') +# TODO option('apparmor', type: 'boolean', value: false, description: 'AppArmor support') +# TODO option('selinux', type: 'boolean', value: false, description: 'SELinux labeling support') -option('dbusproxy', type: 'boolean', value: true, - description: 'D-Bus proxy support') option('man', type: 'boolean', value: true, description: 'Manpages') -option('output', type: 'boolean', value: true, - description: '--output logging') -option('usertmpfs', type: 'boolean', value: true, - description: 'tmpfs as regular user') -option('firetunnel', type: 'boolean', value: true, - description: 'firetunnel') -option('private-home', type: 'boolean', value: true, - description: 'private home feature') +# TODO option('chroot', type: 'boolean', value: true, description: 'chroot') +option('dbusproxy', type: 'boolean', value: true, + description: 'D-Bus proxy support') +option('file-transfer', type: 'boolean', value: true, + description: 'file transfer') +option('firetunnel', type: 'boolean', value: true, + description: 'firetunnel') +option('force-nonewprivs', type: 'boolean', value: true, + description: 'force nonewprivs') option('network', type: 'boolean', value: true, description: 'network') +option('output', type: 'boolean', value: true, + description: '--output logging') +option('private-home', type: 'boolean', value: true, + description: 'private home feature') option('userns', type: 'boolean', value: true, description: 'user namespace') +option('usertmpfs', type: 'boolean', value: true, + description: 'tmpfs as regular user') option('x11', type: 'boolean', value: true, description: 'X11 sandboxing support') -option('file-transfer', type: 'boolean', value: true, - description: 'file transfer') - -option('force-nonewprivs', type: 
'boolean', value: true, - description: 'force nonewprivs') diff --git a/src/fbuilder/meson.build b/src/fbuilder/meson.build index 7a0de954900..b231fb1e10c 100644 --- a/src/fbuilder/meson.build +++ b/src/fbuilder/meson.build @@ -12,6 +12,7 @@ fbuilder_sources = [ executable('fbuilder', fbuilder_sources, install: true, install_dir: get_option('libdir') / meson.project_name(), + install_mode: 'rwxr-xr-x', c_args: [ c_args_constants, diff --git a/src/fcopy/meson.build b/src/fcopy/meson.build index a5e4781c8ef..6fc9d3c88c0 100644 --- a/src/fcopy/meson.build +++ b/src/fcopy/meson.build @@ -7,4 +7,6 @@ fcopy_sources = [ executable('fcopy', fcopy_sources, install: true, install_dir: get_option('libdir') / meson.project_name(), + # TODO: Maybe use something like 'install_mode: SBOX_APPS_NON_DUMPABLE_PERMS' + install_mode: 'rwx--x--x', ) diff --git a/src/fids/meson.build b/src/fids/meson.build index a3b8f3c0faa..1f61cb16913 100644 --- a/src/fids/meson.build +++ b/src/fids/meson.build @@ -8,6 +8,7 @@ fids_sources = [ executable('fids', fids_sources, install: true, install_dir: get_option('libdir') / meson.project_name(), + install_mode: 'rwxr-xr-x', c_args: [ c_args_constants, diff --git a/src/fldd/meson.build b/src/fldd/meson.build index a5b3ae44aef..12485a57248 100644 --- a/src/fldd/meson.build +++ b/src/fldd/meson.build @@ -8,6 +8,7 @@ fldd_source = [ executable('fldd', fldd_source, install: true, install_dir: get_option('libdir') / meson.project_name(), + install_mode: 'rwx--x--x', c_args: [ c_args_constants, diff --git a/src/fnet/meson.build b/src/fnet/meson.build index 6831c13a700..c3ad19576c1 100644 --- a/src/fnet/meson.build +++ b/src/fnet/meson.build @@ -11,5 +11,6 @@ fnet_sources = [ executable('fnet', fnet_sources, install: true, install_dir: get_option('libdir') / meson.project_name(), + install_mode: 'rwx--x--x', ) diff --git a/src/fnetfilter/meson.build b/src/fnetfilter/meson.build index 7f48586fb91..47a7c27207b 100644 --- a/src/fnetfilter/meson.build 
+++ b/src/fnetfilter/meson.build
@@ -7,4 +7,5 @@ fnetfilter_sources = [
 executable('fnetfilter', fnetfilter_sources,
 install: true,
 install_dir: get_option('libdir') / meson.project_name(),
+ install_mode: 'rwx--x--x',
 )
diff --git a/src/fsec-optimize/meson.build b/src/fsec-optimize/meson.build
index a0b115fa6ea..35b9aae84ea 100644
--- a/src/fsec-optimize/meson.build
+++ b/src/fsec-optimize/meson.build
@@ -9,4 +9,5 @@ fsec_optimize_seources = [
 executable('fsec-optimize', fsec_optimize_seources,
 install: true,
 install_dir: get_option('libdir') / meson.project_name(),
+ install_mode: 'rwx--x--x',
 )
diff --git a/src/fsec-print/meson.build b/src/fsec-print/meson.build
index 63b7fe3866a..e9a5e7cb021 100644
--- a/src/fsec-print/meson.build
+++ b/src/fsec-print/meson.build
@@ -10,4 +10,5 @@ fsec_print_sources = [
 executable('fsec_print', fsec_print_sources,
 install: true,
 install_dir: get_option('libdir') / meson.project_name(),
+ install_mode: 'rwx--x--x',
 )
diff --git a/src/fseccomp/meson.build b/src/fseccomp/meson.build
index bb51a2e1e33..148585b9222 100644
--- a/src/fseccomp/meson.build
+++ b/src/fseccomp/meson.build
@@ -12,4 +12,5 @@ fseccomp_sources = [
 fseccomp = executable('fseccomp', fseccomp_sources,
 install: true,
 install_dir: get_option('libdir') / meson.project_name(),
+ install_mode: 'rwx--x--x',
 )
diff --git a/src/ftee/meson.build b/src/ftee/meson.build
index 5e95591504d..df859ced37e 100644
--- a/src/ftee/meson.build
+++ b/src/ftee/meson.build
@@ -5,4 +5,5 @@ ftee_sources = [
 executable('ftee', ftee_sources,
 install: true,
 install_dir: get_option('libdir') / meson.project_name(),
+ install_mode: 'rwxr-xr-x',
 )
diff --git a/src/meson.build b/src/meson.build
index 50efb7efd57..459a5a5a45b 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -42,7 +42,9 @@ subdir('libpostexecseccomp')
 #subdir('libtrace')
 #subdir('libtracelog')
-#subdir('man')
+if get_option('man') and false
+ subdir('man')
+endif
 #subdir('bash_completion')
 #subdir('zsh_completion')
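Review bot: `if get_option('man') and false` in src/meson.build turns the `man` option into a no-op — `subdir('man')` is never entered whatever the user configures — and nothing in the file says this is deliberate. Replace the `and false` with a comment that states the reason and when it can be removed, e.g. `# man page generation is not wired up yet; re-enable once src/man/meson.build is complete`, or keep the line commented out as it was, so a reader does not assume the option works.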
From ce30f85b5c29d3bf4865a36d96d8415192ef612e Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Fri, 29 Oct 2021 22:58:45 +0200 Subject: [PATCH 07/36] E 6 --- meson.build | 4 ++ src/fbuilder/meson.build | 3 +- src/fcopy/meson.build | 5 +-- src/fids/meson.build | 3 +- src/firecfg/meson.build | 1 - src/firejail/meson.build | 8 +++- src/fldd/meson.build | 4 +- src/fnet/meson.build | 4 +- src/fnetfilter/meson.build | 4 +- src/fsec-optimize/meson.build | 6 +-- src/fsec-print/meson.build | 4 +- src/fseccomp/meson.build | 4 +- src/fshaper/meson.build | 4 +- src/ftee/meson.build | 3 +- src/libpostexecseccomp/meson.build | 2 +- src/libtrace/meson.build | 2 +- src/libtracelog/meson.build | 2 +- src/meson.build | 64 +++++++++++++++++++++++++----- 18 files changed, 88 insertions(+), 39 deletions(-) diff --git a/meson.build b/meson.build index 14bf70bcff3..c80aa3a6431 100644 --- a/meson.build +++ b/meson.build @@ -12,6 +12,8 @@ project('firejail', 'c', # -mretpoline # -fstack-clash-protection # -fstack-protector-strong +# -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security +# -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread cc = meson.get_compiler('c') if get_option('analyzer') and cc.get_id() == 'gcc' and cc.version().version_compare('>=10') @@ -37,6 +39,7 @@ option_flag = { 'network': '-DHAVE_NETWORK', 'output': '-DHAVE_OUTPUT', 'private-home': '-DHAVE_PRIVATE_HOME', + #not suid -DHAVE_NOSUID 'userns': '-DHAVE_USERNS', 'usertmpfs': '-DHAVE_USERTMPFS', 'x11': '-DHAVE_X11', @@ -61,5 +64,6 @@ subdir('src') subdir('test') install_data(['COPYING', 'README', 'RELNOTES'], + # docdir ? install_dir: get_option('datadir') / 'doc' / meson.project_name(), ) diff --git a/src/fbuilder/meson.build b/src/fbuilder/meson.build index b231fb1e10c..35c9ad873aa 100644 --- a/src/fbuilder/meson.build +++ b/src/fbuilder/meson.build 
@@ -11,8 +11,7 @@ fbuilder_sources = [ executable('fbuilder', fbuilder_sources, install: true, - install_dir: get_option('libdir') / meson.project_name(), - install_mode: 'rwxr-xr-x', + install_dir: libdir_firejail, c_args: [ c_args_constants, diff --git a/src/fcopy/meson.build b/src/fcopy/meson.build index 6fc9d3c88c0..0758d6ef757 100644 --- a/src/fcopy/meson.build +++ b/src/fcopy/meson.build @@ -6,7 +6,6 @@ fcopy_sources = [ executable('fcopy', fcopy_sources, install: true, - install_dir: get_option('libdir') / meson.project_name(), - # TODO: Maybe use something like 'install_mode: SBOX_APPS_NON_DUMPABLE_PERMS' - install_mode: 'rwx--x--x', + install_dir: libdir_firejail, + install_mode: sbox_apps_non_dumpable_perms, ) diff --git a/src/fids/meson.build b/src/fids/meson.build index 1f61cb16913..5e4ddbde231 100644 --- a/src/fids/meson.build +++ b/src/fids/meson.build @@ -7,8 +7,7 @@ fids_sources = [ executable('fids', fids_sources, install: true, - install_dir: get_option('libdir') / meson.project_name(), - install_mode: 'rwxr-xr-x', + install_dir: libdir_firejail, c_args: [ c_args_constants, diff --git a/src/firecfg/meson.build b/src/firecfg/meson.build index 3620933261e..868067f11ce 100644 --- a/src/firecfg/meson.build +++ b/src/firecfg/meson.build @@ -13,7 +13,6 @@ executable('firecfg', firecfg_sources, c_args: [ c_args_constants ], - ) install_data('firecfg.config', install_dir: get_option('libdir') / meson.project_name()) diff --git a/src/firejail/meson.build b/src/firejail/meson.build index e2c471b2de5..7387a6f0e33 100644 --- a/src/firejail/meson.build +++ b/src/firejail/meson.build @@ -60,9 +60,15 @@ firejail_sources = [ '../lib/syscall.c', ] +if get_option('suid') + firejail_perms = 'rwsr-xr-x' +else + firejail_perms = 'rwxr-xr-x' +endif + executable('firejail', firejail_sources, install: true, - install_mode: ['rwsr-xr-x', 0, 0], + install_mode: [firejail_perms, 0, 0], c_args: [ c_args_constants 
diff --git a/src/fldd/meson.build b/src/fldd/meson.build index 12485a57248..6b4e58784c5 100644 --- a/src/fldd/meson.build +++ b/src/fldd/meson.build @@ -7,8 +7,8 @@ fldd_source = [ executable('fldd', fldd_source, install: true, - install_dir: get_option('libdir') / meson.project_name(), - install_mode: 'rwx--x--x', + install_dir: libdir_firejail, + install_mode: sbox_apps_non_dumpable_perms, c_args: [ c_args_constants, diff --git a/src/fnet/meson.build b/src/fnet/meson.build index c3ad19576c1..cead2fbce21 100644 --- a/src/fnet/meson.build +++ b/src/fnet/meson.build @@ -10,7 +10,7 @@ fnet_sources = [ executable('fnet', fnet_sources, install: true, - install_dir: get_option('libdir') / meson.project_name(), - install_mode: 'rwx--x--x', + install_dir: libdir_firejail, + install_mode: sbox_apps_non_dumpable_perms, ) diff --git a/src/fnetfilter/meson.build b/src/fnetfilter/meson.build index 47a7c27207b..dab15ead7ea 100644 --- a/src/fnetfilter/meson.build +++ b/src/fnetfilter/meson.build @@ -6,6 +6,6 @@ fnetfilter_sources = [ executable('fnetfilter', fnetfilter_sources, install: true, - install_dir: get_option('libdir') / meson.project_name(), - install_mode: 'rwx--x--x', + install_dir: libdir_firejail, + install_mode: sbox_apps_non_dumpable_perms, ) diff --git a/src/fsec-optimize/meson.build b/src/fsec-optimize/meson.build index 35b9aae84ea..76aee2fa1ad 100644 --- a/src/fsec-optimize/meson.build +++ b/src/fsec-optimize/meson.build @@ -6,8 +6,8 @@ fsec_optimize_seources = [ '../lib/errno.c', ] -executable('fsec-optimize', fsec_optimize_seources, +fsec_optimize = executable('fsec-optimize', fsec_optimize_seources, install: true, - install_dir: get_option('libdir') / meson.project_name(), - install_mode: 'rwx--x--x', + install_dir: libdir_firejail, + install_mode: sbox_apps_non_dumpable_perms, ) diff --git a/src/fsec-print/meson.build b/src/fsec-print/meson.build index e9a5e7cb021..9e2223b50b8 100644 --- a/src/fsec-print/meson.build +++ b/src/fsec-print/meson.build 
@@ -9,6 +9,6 @@ fsec_print_sources = [ executable('fsec_print', fsec_print_sources, install: true, - install_dir: get_option('libdir') / meson.project_name(), - install_mode: 'rwx--x--x', + install_dir: libdir_firejail, + install_mode: sbox_apps_non_dumpable_perms, ) diff --git a/src/fseccomp/meson.build b/src/fseccomp/meson.build index 148585b9222..38343da77c4 100644 --- a/src/fseccomp/meson.build +++ b/src/fseccomp/meson.build @@ -11,6 +11,6 @@ fseccomp_sources = [ ] fseccomp = executable('fseccomp', fseccomp_sources, install: true, - install_dir: get_option('libdir') / meson.project_name(), - install_mode: 'rwx--x--x', + install_dir: libdir_firejail, + install_mode: sbox_apps_non_dumpable_perms, ) diff --git a/src/fshaper/meson.build b/src/fshaper/meson.build index 09fa4e9d5c3..f154578fcb9 100644 --- a/src/fshaper/meson.build +++ b/src/fshaper/meson.build @@ -1,4 +1,4 @@ install_data('fshaper.sh', - install_dir: get_option('libdir') / meson.project_name(), - install_mode: 'rwx--x--x', + install_dir: libdir_firejail, + install_mode: sbox_apps_non_dumpable_perms, ) diff --git a/src/ftee/meson.build b/src/ftee/meson.build index df859ced37e..a1195cfc441 100644 --- a/src/ftee/meson.build +++ b/src/ftee/meson.build @@ -4,6 +4,5 @@ ftee_sources = [ executable('ftee', ftee_sources, install: true, - install_dir: get_option('libdir') / meson.project_name(), - install_mode: 'rwxr-xr-x', + install_dir: libdir_firejail ) diff --git a/src/libpostexecseccomp/meson.build b/src/libpostexecseccomp/meson.build index 0e53db1f189..bc929faa6b3 100644 --- a/src/libpostexecseccomp/meson.build +++ b/src/libpostexecseccomp/meson.build @@ -1,4 +1,4 @@ shared_library('postexecseccomp', 'libpostexecseccomp.c', install: true, - install_dir: get_option('libdir') / meson.project_name(), + install_dir: libdir_firejail, ) diff --git a/src/libtrace/meson.build b/src/libtrace/meson.build index 980432418ab..98091c0cd0e 100644 --- a/src/libtrace/meson.build +++ b/src/libtrace/meson.build 
@@ -1,6 +1,6 @@
 shared_library('trace', 'libtrace.c',
 install: true,
- install_dir: get_option('libdir') / meson.project_name(),
+ install_dir: libdir_firejail,
 c_args: [
 ],
diff --git a/src/libtracelog/meson.build b/src/libtracelog/meson.build
index bcedf9c037b..6f9a6783a5f 100644
--- a/src/libtracelog/meson.build
+++ b/src/libtracelog/meson.build
@@ -1,6 +1,6 @@
 shared_library('tracelog', 'libtracelog.c',
 install: true,
- install_dir: get_option('libdir') / meson.project_name(),
+ install_dir: libdir_firejail,
 c_args: [
 ],
diff --git a/src/meson.build b/src/meson.build
index 459a5a5a45b..0eba6b39453 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -6,7 +6,8 @@ LIBDIR = PREFIX / get_option('libdir')
 constants = {
 'PREFIX': PREFIX,
 'BINDIR': BINDIR,
- 'SYSCONFDIR': SYSCONFDIR,
+ # WTF
+ 'SYSCONFDIR': SYSCONFDIR / meson.project_name(),
 'LIBDIR': LIBDIR,
 'VERSION': meson.project_version(),
@@ -20,15 +21,23 @@ endforeach
 # # # # # # # # # #
+libdir_firejail = get_option('libdir') / meson.project_name()
+sbox_apps_non_dumpable_perms = 'rwx--x--x'
+
+# APPS
 subdir('firecfg')
 subdir('firejail')
 subdir('firemon')
 subdir('jailcheck')
 subdir('profstats')
-
+
+# SBOX_APPS
 subdir('fbuilder')
-subdir('fcopy')
 subdir('fids')
+subdir('ftee')
+
+# SBOX_APPS_NON_DUMPABLE
+subdir('fcopy')
 subdir('fldd')
 subdir('fnet')
 subdir('fnetfilter')
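Review bot: `# WTF` above `'SYSCONFDIR': SYSCONFDIR / meson.project_name()` does not tell the next maintainer what needs care here: this value is compiled into the binaries through the `-DSYSCONFDIR=...` defines built from `constants`, while the etc/ install rules at this point in the series place `firejail.config` and the profiles under `get_option('sysconfdir') / meson.project_name()`, so the two must agree or the installed configuration is presumably not where the binaries look for it. Replace the comment with `# Compiled into the binaries (-DSYSCONFDIR); must match the install_dir used in etc/meson.build`. The `constants` dictionary this line belongs to starts before the hunk.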
@@ -36,35 +45,70 @@ subdir('fseccomp')
 subdir('fsec-optimize')
 subdir('fsec-print')
 subdir('fshaper')
-subdir('ftee')
-
+
+# MYLIBS
 subdir('libpostexecseccomp')
 #subdir('libtrace')
 #subdir('libtracelog')
-
+
+# MANPAGES
 if get_option('man') and false
 subdir('man')
 endif
-
+
+# COMPLETIONDIRS
 #subdir('bash_completion')
 #subdir('zsh_completion')
 # # # # # # # # # #
-# TODO: fsec-optimize OUTPUT
+# TODO: fsec-optimize OUTPUT (add_install_script ?)
 custom_target('seccomp',
 build_by_default: true,
 command: [fseccomp, 'default', '@OUTPUT@'],
 install: true,
- install_dir: get_option('libdir') / meson.project_name(),
+ install_dir: libdir_firejail,
 output: 'seccomp',
 )
+# TODO: fsec-optimize OUTPUT
+custom_target('seccomp.debug',
+ build_by_default: true,
+ command: [fseccomp, 'default', '@OUTPUT@', 'allow-debuggers'],
+ install: true,
+ install_dir: libdir_firejail,
+ output: 'seccomp.debug',
+)
+
 # TODO: fsec-optimize OUTPUT
 custom_target('seccomp.32',
 build_by_default: true,
 command: [fseccomp, 'secondary', '32', '@OUTPUT@'],
 install: true,
- install_dir: get_option('libdir') / meson.project_name(),
+ install_dir: libdir_firejail,
 output: 'seccomp.32',
 )
+
+custom_target('seccomp.block_secondary',
+ build_by_default: true,
+ command: [fseccomp, 'secondary', 'block', '@OUTPUT@'],
+ install: true,
+ install_dir: libdir_firejail,
+ output: 'seccomp.block_secondary',
+)
+
+custom_target('seccomp.mdwx',
+ build_by_default: true,
+ command: [fseccomp, 'memory-deny-write-execute', '@OUTPUT@'],
+ install: true,
+ install_dir: libdir_firejail,
+ output: 'seccomp.mdwx',
+)
+
+custom_target('seccomp.mdwx.32',
+ build_by_default: true,
+ command: [fseccomp, 'memory-deny-write-execute.32', '@OUTPUT@'],
+ install: true,
+ install_dir: libdir_firejail,
+ output: 'seccomp.mdwx.32',
+)
From 607a28e4230b9e09b745733ef909eb3d01fdc864 Mon Sep 17 00:00:00 2001
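Review bot: Each new seccomp `custom_target` runs the freshly built `fseccomp` during the build; that works natively, but in a cross build the host-targeted `fseccomp` cannot run without an `exe_wrapper`, and nothing here records that constraint — a one-line comment such as `# runs the just-built fseccomp at build time; cross builds need an exe_wrapper or a native fseccomp` would help. The `# TODO: fsec-optimize OUTPUT` marker is repeated above `seccomp`, `seccomp.debug` and `seccomp.32` but not above the new `seccomp.block_secondary`, `seccomp.mdwx` and `seccomp.mdwx.32` targets, so it is unclear whether those three are intentionally exempt from the optimization pass. The six targets differ only in name, `fseccomp` arguments and output; a `foreach` over a list of name/argument pairs would remove the repetition.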
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sat, 30 Oct 2021 16:34:48 +0200 Subject: [PATCH 08/36] prep for meson --- src/man/firecfg.1.in | 2 +- src/man/firejail-login.5.in | 2 +- src/man/firejail-profile.5.in | 2 +- src/man/firejail-users.5.in | 2 +- src/man/firejail.1.in | 2 +- src/man/firemon.1.in | 2 +- src/man/jailcheck.1.in | 2 +- src/man/preproc.awk | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in index a50ed765eef..1766c7c10b0 100644 --- a/src/man/firecfg.1.in +++ b/src/man/firecfg.1.in @@ -1,4 +1,4 @@ -.TH FIRECFG 1 "MONTH YEAR" "VERSION" "firecfg man page" +.TH FIRECFG 1 "@MONTH@ @YEAR@" "@VERSION@" "firecfg man page" .SH NAME Firecfg \- Desktop integration utility for Firejail software. .SH SYNOPSIS diff --git a/src/man/firejail-login.5.in b/src/man/firejail-login.5.in index f03fc3c374f..9ee783e342f 100644 --- a/src/man/firejail-login.5.in +++ b/src/man/firejail-login.5.in @@ -1,4 +1,4 @@ -.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "login.users man page" +.TH FIREJAIL-LOGIN 5 "@MONTH@ @YEAR@" "@VERSION@" "login.users man page" .SH NAME login.users \- Login file syntax for Firejail diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in index 8c039eb46eb..14c6a6fe5fa 100644 --- a/src/man/firejail-profile.5.in +++ b/src/man/firejail-profile.5.in @@ -1,4 +1,4 @@ -.TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page" +.TH FIREJAIL-PROFILE 5 "@MONTH@ @YEAR@" "@VERSION@" "firejail profiles man page" .SH NAME profile \- Security profile file syntax, and information about building new application profiles. diff --git a/src/man/firejail-users.5.in b/src/man/firejail-users.5.in index 7aa151680c7..494b1c1a4b8 100644 --- a/src/man/firejail-users.5.in +++ b/src/man/firejail-users.5.in 
@@ -1,4 +1,4 @@ -.TH FIREJAIL-USERS 5 "MONTH YEAR" "VERSION" "firejail.users man page" +.TH FIREJAIL-USERS 5 "@MONTH@ @YEAR@" "@VERSION@" "firejail.users man page" .SH NAME firejail.users \- Firejail user access database diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in index 87bd6fcc254..cebe086b4c6 100644 --- a/src/man/firejail.1.in +++ b/src/man/firejail.1.in @@ -1,4 +1,4 @@ -.TH FIREJAIL 1 "MONTH YEAR" "VERSION" "firejail man page" +.TH FIREJAIL 1 "@MONTH@ @YEAR@" "@VERSION@" "firejail man page" .SH NAME Firejail \- Linux namespaces sandbox program .SH SYNOPSIS diff --git a/src/man/firemon.1.in b/src/man/firemon.1.in index fb0cf1175bd..8cd8b0cc597 100644 --- a/src/man/firemon.1.in +++ b/src/man/firemon.1.in @@ -1,4 +1,4 @@ -.TH FIREMON 1 "MONTH YEAR" "VERSION" "firemon man page" +.TH FIREMON 1 "@MONTH@ @YEAR@" "@VERSION@" "firemon man page" .SH NAME Firemon \- Monitoring program for processes started in a Firejail sandbox. .SH SYNOPSIS diff --git a/src/man/jailcheck.1.in b/src/man/jailcheck.1.in index eea5987b769..c9f1f97818d 100644 --- a/src/man/jailcheck.1.in +++ b/src/man/jailcheck.1.in @@ -1,4 +1,4 @@ -.TH JAILCHECK 1 "MONTH YEAR" "VERSION" "JAILCHECK man page" +.TH JAILCHECK 1 "@MONTH@ @YEAR@" "@VERSION@" "JAILCHECK man page" .SH NAME jailcheck \- Simple utility program to test running sandboxes .SH SYNOPSIS diff --git a/src/man/preproc.awk b/src/man/preproc.awk index b9d78e27653..e554b24733a 100755 --- a/src/man/preproc.awk +++ b/src/man/preproc.awk @@ -25,8 +25,8 @@ BEGIN { for (arg in ARGV) { if (ARGV[arg] ~ /^-D[A-Z0-9_]+$/) { macros[length(macros) + 1] = substr(ARGV[arg], 3) + ARGV[arg] = "" } - ARGV[arg] = "" } include = 1 From bd427ecab5db34d2f34f2841051fe1fb758d6a1b Mon Sep 17 00:00:00 2001 
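Review bot: Moving `ARGV[arg] = ""` inside the `if` in preproc.awk means any argument that does not match `/^-D[A-Z0-9_]+$/` now stays in ARGV and awk treats it as an input file, which is presumably the point (the man page source is passed on the command line), but a mistyped macro such as `-Dfoo` or a bare `-D` now surfaces as a confusing "cannot open file" error instead of being dropped. Consider an explicit rejection branch, e.g. `else if (ARGV[arg] ~ /^-D/) { print "bad macro: " ARGV[arg] > "/dev/stderr"; exit 1 }`, or at least a comment stating that only uppercase `-DNAME` macros are recognized and everything else is an input file. The enclosing BEGIN block continues past the end of this hunk.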
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sat, 30 Oct 2021 18:43:53 +0200 Subject: [PATCH 09/36] Build firejail with meson 7 --- contrib/meson.build | 6 +- etc/meson.build | 39 ++++++---- meson.build | 111 +++++++++++++++++++---------- meson_options.txt | 26 +++---- src/fbuilder/meson.build | 2 +- src/fcopy/meson.build | 4 ++ src/fids/meson.build | 2 +- src/firecfg/meson.build | 4 +- src/firejail/meson.build | 8 +-- src/firemon/meson.build | 2 +- src/fldd/meson.build | 2 +- src/fnet/meson.build | 4 ++ src/fnetfilter/meson.build | 4 ++ src/fsec-optimize/meson.build | 4 ++ src/fsec-print/meson.build | 4 ++ src/fseccomp/meson.build | 4 ++ src/ftee/meson.build | 6 +- src/jailcheck/meson.build | 2 +- src/libpostexecseccomp/meson.build | 4 ++ src/libtrace/meson.build | 12 ++-- src/libtracelog/meson.build | 11 ++- src/man/meson.build | 59 ++++++++++++--- src/meson.build | 37 +++------- src/profstats/meson.build | 4 ++ 24 files changed, 229 insertions(+), 132 deletions(-) diff --git a/contrib/meson.build b/contrib/meson.build index dd0bc932fbe..78f7f7a081c 100644 --- a/contrib/meson.build +++ b/contrib/meson.build @@ -12,13 +12,13 @@ contrib_scripts = [ 'update_deb.sh', ] install_data(contrib_scripts, - install_dir: get_option('libdir') / meson.project_name(), + install_dir: libdir_firejail, install_mode: 'rwxr-xr-x', ) install_data('vim/ftdetect/firejail.vim', - install_dir: get_option('datadir') / 'vim' / 'vimfiles' / 'ftdetect', + install_dir: datadir / 'vim' / 'vimfiles' / 'ftdetect', ) install_data('vim/syntax/firejail.vim', - install_dir: get_option('datadir') / 'vim' / 'vimfiles' / 'syntax', + install_dir: datadir / 'vim' / 'vimfiles' / 'syntax', ) diff --git a/etc/meson.build b/etc/meson.build index b0db5e60218..259bc07d3bf 100644 --- a/etc/meson.build +++ b/etc/meson.build 
@@ -1,29 +1,38 @@
 install_data(
 sources: ['firejail.config', 'ids.config', 'login.users'],
- install_dir: get_option('sysconfdir') / meson.project_name(),
+ install_dir: sysconfdir / project_name,
 )
 foreach dir : ['inc', 'net', 'profile-a-l', 'profile-m-z']
 install_subdir(dir,
- install_dir: get_option('sysconfdir') / meson.project_name(),
+ exclude_files: ['disable-common.inc'],
+ install_dir: sysconfdir / project_name,
 strip_directory: true,
 )
 endforeach
+if get_option('busybox')
+ #TODO: meson.add_install_script()
+else
+ install_data('inc/disable-common.inc',
+ install_dir: sysconfdir / project_name,
+ )
+endif
+
 install_subdir('templates',
- install_dir: get_option('datadir') / 'doc' / meson.project_name(),
+ install_dir: docdir,
 strip_directory: true,
 )
-install_data('apparmor/firejail-default',
- install_dir: get_option('sysconfdir') / 'apparmor.d',
-)
-install_data('apparmor/firejail-local',
- install_dir: get_option('sysconfdir') / 'apparmor.d' / 'local',
- rename: 'firejail-default',
-)
-install_data('apparmor/firejail-base',
- install_dir: get_option('sysconfdir') / 'apparmor.d' / 'abstractions' / 'base.d',
-)
-
-# TODO: get_option('busybox') >> edit disable-common.inc
+if get_option('apparmor')
+ install_data('apparmor/firejail-default',
+ install_dir: sysconfdir / 'apparmor.d',
+ )
+ install_data('apparmor/firejail-local',
+ install_dir: sysconfdir / 'apparmor.d' / 'local',
+ rename: 'firejail-default',
+ )
+ install_data('apparmor/firejail-base',
+ install_dir: sysconfdir / 'apparmor.d' / 'abstractions' / 'base.d',
+ )
+endif
diff --git a/meson.build b/meson.build
index c80aa3a6431..93d44304598 100644
--- a/meson.build
+++ b/meson.build
@@ -1,5 +1,8 @@
 project('firejail', 'c',
 license: 'GPL-2.0-or-later',
+ default_options: [
+ 'b_pie=true',
+ ],
 # https://packages.debian.org/oldstable/meson
 meson_version: '>=0.49.2',
 version: '0.9.67',
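Review bot: With `-Dbusybox=true` nothing installs `inc/disable-common.inc`: the file is excluded from the `install_subdir` loop via `exclude_files`, and the `if get_option('busybox')` branch holds only the `#TODO: meson.add_install_script()` comment, so any profile that includes it will reference a file that is no longer installed. Until the busybox rewrite exists, hoist the `install_data('inc/disable-common.inc', ...)` call out of the `else` so it runs in both branches and keep the TODO inside the `if`; that way the option cannot silently weaken the installed profiles. A comment on the `exclude_files:` line, e.g. `# disable-common.inc is installed separately below (busybox option)`, would also explain why it is excluded from all four directories.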
@@ -7,51 +10,80 @@ project('firejail', 'c',
 # # # # # # # # # #
+c_compiler = meson.get_compiler('c')
+cc = find_program(c_compiler.cmd_array()[0])
+sh = find_program('sh')
+
+project_name = meson.project_name()
+prefix = get_option('prefix')
+bindir = get_option('bindir')
+datadir = get_option('datadir')
+docdir = datadir / 'doc' / project_name
+sysconfdir = get_option('sysconfdir')
+libdir = get_option('libdir')
+libdir_firejail = libdir / project_name
+firejail_perms = get_option('suid') ? 'rwsr-xr-x' : 'rwxr-xr-x'
+sbox_apps_non_dumpable_perms = 'rwx--x--x'
+
+# # # # # # # # # #
+
 # TODO:
-# -mindirect-branch=thunk
-# -mretpoline
-# -fstack-clash-protection
-# -fstack-protector-strong
-# -fstack-protector-all -D_FORTIFY_SOURCE=2 -fPIE -Wformat -Wformat-security
-# -pie -fPIE -Wl,-z,relro -Wl,-z,now -lpthread
-
-cc = meson.get_compiler('c')
-if get_option('analyzer') and cc.get_id() == 'gcc' and cc.version().version_compare('>=10')
+# -Wl,-z,relro -Wl,-z,now -lpthread
+
+
+# Enable static analysis if wanted and supported.
+if get_option('analyzer') and c_compiler.has_argument('-fanalyzer')
 add_project_arguments('-fanalyzer', language: 'c')
 add_project_arguments('-Wno-analyzer-malloc-leak', language: 'c')
 endif
-if get_option('sanitizer') != 'none'
- # TODO: MSAN is not supported by gcc (i.e. requires clang)
- # TODO: -fno-common?
https://github.com/google/sanitizers/wiki/AddressSanitizer#faq
- add_project_arguments('-fsanitize=' + get_option('sanitizer'), language: 'c')
- add_project_arguments('-fno-omit-frame-pointer', language: 'c')
- #add_project_link_arguments()
+# Default compiler flags
+c_args = c_compiler.get_supported_arguments([
+ '-mindirect-branch=thunk',
+ '-mretpoline',
+ '-fstack-protector-strong',
+ '-fstack-clash-protection',
+ '-D_FORTIFY_SOURCE=2',
+])
+if get_option('warning_level').to_int() > 0
+ c_args += ['-Wformat', '-Wformat-security']
 endif
-option_flag = {
- 'chroot': '-DHAVE_CHROOT',
- 'dbusproxy': '-DHAVE_DBUSPROXY',
- 'file-transfer': '-DHAVE_FILE_TRANSFER',
- 'firetunnel': '-DHAVE_FIRETUNNEL',
- 'force-nonewprivs': '-DHAVE_FORCE_NONEWPRIVS',
- #'globalcfg': '-DHAVE_GLOBALCFG'
- 'network': '-DHAVE_NETWORK',
- 'output': '-DHAVE_OUTPUT',
- 'private-home': '-DHAVE_PRIVATE_HOME',
- #not suid -DHAVE_NOSUID
- 'userns': '-DHAVE_USERNS',
- 'usertmpfs': '-DHAVE_USERTMPFS',
- 'x11': '-DHAVE_X11',
-}
-
-manflags = []
-foreach option, flag : option_flag
+
+facilities = []
+foreach option, flag : {
+ 'chroot': '-DHAVE_CHROOT',
+ 'dbusproxy': '-DHAVE_DBUSPROXY',
+ 'file-transfer': '-DHAVE_FILE_TRANSFER',
+ 'firetunnel': '-DHAVE_FIRETUNNEL',
+ 'force-nonewprivs': '-DHAVE_FORCE_NONEWPRIVS',
+ 'globalcfg': '-DHAVE_GLOBALCFG',
+ 'network': '-DHAVE_NETWORK',
+ 'output': '-DHAVE_OUTPUT',
+ 'private-home': '-DHAVE_PRIVATE_HOME',
+ 'suid': '-DHAVE_SUID',
+ 'userns': '-DHAVE_USERNS',
+ 'usertmpfs': '-DHAVE_USERTMPFS',
+ 'x11': '-DHAVE_X11',
+ }
+
 if get_option(option)
- manflags += flag
- else
+ facilities += flag
 endif
- #set_variable(name, value)
+endforeach
+
+
+constants = []
+foreach name, value : {
+ 'PREFIX': prefix,
+ 'BINDIR': prefix / bindir,
+ 'SYSCONFDIR': prefix / sysconfdir / project_name,
+ 'LIBDIR': prefix / libdir,
+ 'VARDIR': '/var/lib' / project_name,
+ 'VERSION': meson.project_version(),
+ }
+
+ constants += '-D@0@="@1@"'.format(name, value)
 endforeach
 # # # # # #
# # # #
@@ -64,6 +96,9 @@ subdir('src')
 subdir('test')
 install_data(['COPYING', 'README', 'RELNOTES'],
- # docdir ?
- install_dir: get_option('datadir') / 'doc' / meson.project_name(),
+ install_dir: docdir,
 )
+
+# # # # # # # # # #
+
+# TODO: summary()
diff --git a/meson_options.txt b/meson_options.txt
index 643118c5bbc..3ae11320ec5 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -1,26 +1,18 @@
 option('analyzer', type: 'boolean', value: false,
 description: 'Enable gcc\'s Static Analyzer')
-option('sanitizer', type: 'combo', choices: ['none', 'address', 'memory', 'undefined'],
- description: 'Enable a compiler-based sanitizer (debug)')
-# TODO
-#option('gcov', type: 'boolean', value: true,
-# description: 'Gcov instrumentation')
-
-# TODO
-option('lts', type: 'boolean', value: false,
- description: 'LTS')
+# sanitizer: Use -Db_sanitize=
+# gcov: TODO
 # TODO
 option('busybox', type: 'boolean', value: false,
 description: 'busybox workaround')
 option('contrib', type: 'boolean', value: true,
 description: 'Install contrib files')
+option('manpage', type: 'boolean', value: true,
+ description: 'Manpages')
 option('suid', type: 'boolean', value: true,
 description: 'Install firejail as SUID executable')
-# TODO
-#option('globalcfg', type: 'boolean', value: truefalse,
-# description: '')
 # TODO
 option('apparmor', type: 'boolean', value: false,
@@ -28,10 +20,8 @@ option('apparmor', type: 'boolean', value: false,
 # TODO
 option('selinux', type: 'boolean', value: false,
 description: 'SELinux labeling support')
-option('man', type: 'boolean', value: true,
- description: 'Manpages')
-# TODO
+
 option('chroot', type: 'boolean', value: true,
 description: 'chroot')
 option('dbusproxy', type: 'boolean', value: true,
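Review bot: `-D_FORTIFY_SOURCE=2` in the `c_compiler.get_supported_arguments([...])` list is only checked for acceptance by the compiler, but fortification does nothing without optimization, and meson's default buildtype is `debug` (`-O0`), so a plain `meson setup` yields unfortified binaries (newer glibc also emits a `#warning` for this, which is fatal under `-Werror`). Gate it on the optimization level, e.g. `if get_option('optimization') not in ['0', 'plain']` then `c_args += '-D_FORTIFY_SOURCE=2'`, or document that the hardening flags assume a release build. Separately, `cc = find_program(c_compiler.cmd_array()[0])` keeps only the first word of the compiler command, so a `CC` such as `ccache gcc` or one carrying `--target`/`-m32` loses its trailing arguments wherever `cc` is used in a `custom_target`; keep the whole array (`cc = c_compiler.cmd_array()`) or state the restriction. `'VARDIR': '/var/lib' / project_name` also hardcodes `/var/lib` instead of deriving it from `get_option('localstatedir')`.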
@@ -42,6 +32,8 @@ option('firetunnel', type: 'boolean', value: true, description: 'firetunnel') option('force-nonewprivs', type: 'boolean', value: true, description: 'force nonewprivs') +option('globalcfg', type: 'boolean', value: true, + description: 'Abort execution if the global config is not present') option('network', type: 'boolean', value: true, description: 'network') option('output', type: 'boolean', value: true, @@ -54,3 +46,7 @@ option('usertmpfs', type: 'boolean', value: true, description: 'tmpfs as regular user') option('x11', type: 'boolean', value: true, description: 'X11 sandboxing support') + +# TODO +option('lts', type: 'boolean', value: false, + description: 'LTS') diff --git a/src/fbuilder/meson.build b/src/fbuilder/meson.build index 35c9ad873aa..98b86a4bf04 100644 --- a/src/fbuilder/meson.build +++ b/src/fbuilder/meson.build @@ -14,6 +14,6 @@ executable('fbuilder', fbuilder_sources, install_dir: libdir_firejail, c_args: [ - c_args_constants, + c_args, constants, facilities, ], ) diff --git a/src/fcopy/meson.build b/src/fcopy/meson.build index 0758d6ef757..700760519d3 100644 --- a/src/fcopy/meson.build +++ b/src/fcopy/meson.build @@ -8,4 +8,8 @@ executable('fcopy', fcopy_sources, install: true, install_dir: libdir_firejail, install_mode: sbox_apps_non_dumpable_perms, + + c_args: [ + c_args, constants, facilities, + ], ) diff --git a/src/fids/meson.build b/src/fids/meson.build index 5e4ddbde231..bf63f9beec2 100644 --- a/src/fids/meson.build +++ b/src/fids/meson.build @@ -10,6 +10,6 @@ executable('fids', fids_sources, install_dir: libdir_firejail, c_args: [ - c_args_constants, + c_args, constants, facilities, ], ) diff --git a/src/firecfg/meson.build b/src/firecfg/meson.build index 868067f11ce..4e92ad2cf44 100644 --- a/src/firecfg/meson.build +++ b/src/firecfg/meson.build 
@@ -11,8 +11,8 @@ executable('firecfg', firecfg_sources, install: true, c_args: [ - c_args_constants + c_args, constants, facilities ], ) -install_data('firecfg.config', install_dir: get_option('libdir') / meson.project_name()) +install_data('firecfg.config', install_dir: libdir_firejail) diff --git a/src/firejail/meson.build b/src/firejail/meson.build index 7387a6f0e33..e5398df91c9 100644 --- a/src/firejail/meson.build +++ b/src/firejail/meson.build @@ -60,17 +60,11 @@ firejail_sources = [ '../lib/syscall.c', ] -if get_option('suid') - firejail_perms = 'rwsr-xr-x' -else - firejail_perms = 'rwxr-xr-x' -endif - executable('firejail', firejail_sources, install: true, install_mode: [firejail_perms, 0, 0], c_args: [ - c_args_constants + c_args, constants, facilities, ], ) diff --git a/src/firemon/meson.build b/src/firemon/meson.build index 1a4456dabad..4dc1bb60a9c 100644 --- a/src/firemon/meson.build +++ b/src/firemon/meson.build @@ -24,6 +24,6 @@ executable('firemon', firemon_sources, install: true, c_args: [ - c_args_constants + c_args, constants, facilities, ], ) diff --git a/src/fldd/meson.build b/src/fldd/meson.build index 6b4e58784c5..793a9b70645 100644 --- a/src/fldd/meson.build +++ b/src/fldd/meson.build @@ -11,6 +11,6 @@ executable('fldd', fldd_source, install_mode: sbox_apps_non_dumpable_perms, c_args: [ - c_args_constants, + c_args, constants, facilities, ], ) diff --git a/src/fnet/meson.build b/src/fnet/meson.build index cead2fbce21..8b8ddaf73fd 100644 --- a/src/fnet/meson.build +++ b/src/fnet/meson.build @@ -12,5 +12,9 @@ executable('fnet', fnet_sources, install: true, install_dir: libdir_firejail, install_mode: sbox_apps_non_dumpable_perms, + + c_args: [ + c_args, constants, facilities, + ], ) diff --git a/src/fnetfilter/meson.build b/src/fnetfilter/meson.build index dab15ead7ea..70d1ed36366 100644 --- a/src/fnetfilter/meson.build +++ b/src/fnetfilter/meson.build 
@@ -8,4 +8,8 @@ executable('fnetfilter', fnetfilter_sources, install: true, install_dir: libdir_firejail, install_mode: sbox_apps_non_dumpable_perms, + + c_args: [ + c_args, constants, facilities, + ], ) diff --git a/src/fsec-optimize/meson.build b/src/fsec-optimize/meson.build index 76aee2fa1ad..88f7f7cb1ea 100644 --- a/src/fsec-optimize/meson.build +++ b/src/fsec-optimize/meson.build @@ -10,4 +10,8 @@ fsec_optimize = executable('fsec-optimize', fsec_optimize_seources, install: true, install_dir: libdir_firejail, install_mode: sbox_apps_non_dumpable_perms, + + c_args: [ + c_args, constants, facilities, + ], ) diff --git a/src/fsec-print/meson.build b/src/fsec-print/meson.build index 9e2223b50b8..93400f3e204 100644 --- a/src/fsec-print/meson.build +++ b/src/fsec-print/meson.build @@ -11,4 +11,8 @@ executable('fsec_print', fsec_print_sources, install: true, install_dir: libdir_firejail, install_mode: sbox_apps_non_dumpable_perms, + + c_args: [ + c_args, constants, facilities, + ], ) diff --git a/src/fseccomp/meson.build b/src/fseccomp/meson.build index 38343da77c4..b0162b1fd30 100644 --- a/src/fseccomp/meson.build +++ b/src/fseccomp/meson.build @@ -13,4 +13,8 @@ fseccomp = executable('fseccomp', fseccomp_sources, install: true, install_dir: libdir_firejail, install_mode: sbox_apps_non_dumpable_perms, + + c_args: [ + c_args, constants, facilities, + ], ) diff --git a/src/ftee/meson.build b/src/ftee/meson.build index a1195cfc441..1355b4de964 100644 --- a/src/ftee/meson.build +++ b/src/ftee/meson.build @@ -4,5 +4,9 @@ ftee_sources = [ executable('ftee', ftee_sources, install: true, - install_dir: libdir_firejail + install_dir: libdir_firejail, + + c_args: [ + c_args, constants, facilities, + ], ) diff --git a/src/jailcheck/meson.build b/src/jailcheck/meson.build index 89436fc46b4..3fff94064db 100644 --- a/src/jailcheck/meson.build +++ b/src/jailcheck/meson.build 
@@ -17,6 +17,6 @@ executable('jailcheck', jailcheck_sources, install: true, c_args: [ - c_args_constants + c_args, constants, facilities, ], ) diff --git a/src/libpostexecseccomp/meson.build b/src/libpostexecseccomp/meson.build index bc929faa6b3..1b490e6f2be 100644 --- a/src/libpostexecseccomp/meson.build +++ b/src/libpostexecseccomp/meson.build @@ -1,4 +1,8 @@ shared_library('postexecseccomp', 'libpostexecseccomp.c', install: true, install_dir: libdir_firejail, + + c_args: [ + c_args, constants, facilities, + ], ) diff --git a/src/libtrace/meson.build b/src/libtrace/meson.build index 98091c0cd0e..4ab7cef703a 100644 --- a/src/libtrace/meson.build +++ b/src/libtrace/meson.build @@ -1,9 +1,9 @@ -shared_library('trace', 'libtrace.c', +custom_target('libtrace.so', + build_by_default: true, + command: [cc, c_args, c_args_libtrace, '-o', '@OUTPUT@', '@INPUT@'], + input: 'libtrace.c', install: true, install_dir: libdir_firejail, - - c_args: [ - ], - link_args: [ - ], + output: 'libtrace.so', ) + diff --git a/src/libtracelog/meson.build b/src/libtracelog/meson.build index 6f9a6783a5f..8ee15f74a73 100644 --- a/src/libtracelog/meson.build +++ b/src/libtracelog/meson.build @@ -1,9 +1,8 @@ -shared_library('tracelog', 'libtracelog.c', +custom_target('libtracelog.so', + build_by_default: true, + command: [cc, c_args, c_args_libtrace, '-o', '@OUTPUT@', '@INPUT@'], + input: 'libtracelog.c', install: true, install_dir: libdir_firejail, - - c_args: [ - ], - link_args: [ - ], + output: 'libtracelog.so', ) diff --git a/src/man/meson.build b/src/man/meson.build index 0dad5011315..73eb076e8e8 100644 --- a/src/man/meson.build +++ b/src/man/meson.build 
@@ -1,12 +1,55 @@ -sh = find_program('sh') -gawk = find_program('gawk') +gawk = find_program('gawk', required: false) +gzip = find_program('gzip', required: false) + +# TODO: preproc.awk is also used by completions +if not gawk.found() or not gzip.found() + message('Disable manpage because of missing requirements.') + subdir_done() +endif + +# The kwarg env: of run_command is only supported by meson>=0.50 +month = run_command(sh, '-c', 'LC_ALL=C date -u +%b', check: true).stdout() +year = run_command(sh, '-c', 'LC_ALL=C date -u +%Y', check: true).stdout() + +manconf = configuration_data() +manconf.set('VERSION', meson.project_version()) +manconf.set('MONTH', month) +manconf.set('YEAR', year) + preproc_awk = files('preproc.awk') +preproc = generator(gawk, + arguments: ['-f', './preproc.awk', '--', facilities, '@INPUT@'], + capture: true, + output: '@PLAINNAME@', +) -manflags = [] +# Should we compress manpages? +# https://mesonbuild.com/Release-notes-for-0-49-0.html#manpages-are-no-longer-compressed-implicitly +compress = generator(gzip, + arguments: ['-9n', '@INPUT@'], + output: '@BASENAME@.gz' +) -#if get_option('') -# manflags += '-D...' 
-#endif +manpages = { + 'firecfg.txt': '1', + 'firejail-login.txt': '5', + 'firejail-profile.txt': '5', + 'firejail.txt': '1', + 'firejail-users.txt': '5', + 'firemon.txt': '1', + 'jailcheck.txt': '1', +} -#generator(gawk, s/generator/custom_target/ -# arguments: [sh, '-c', '"@0@" -f "@1@" -- @3@ < > '.format(gawk, preproc_awk, ' '.join(manflags)), '--', 'FIXME:MANFLAGS', ] +# TODO: Refactor, use custom_target and maybe a own build-aux/make-manpages script +# FIXME: Does only work with meson >=0.57 +foreach manpage, section : manpages + manpage = configure_file( + configuration: manconf, + input: manpage, + output: '@BASENAME@.@0@'.format(section), + ) + manpage = preproc.process(manpage) + manpage = compress.process(manpage) + #FIXME: does not work + install_man(manpage[0], install_dir: get_option('mandir') / 'man' + section) +endforeach diff --git a/src/meson.build b/src/meson.build index 0eba6b39453..d4789c54a75 100644 --- a/src/meson.build +++ b/src/meson.build 
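Review bot: `month` and `year` are read from the build host's clock via `date -u`, so two builds of the same source produce different manpages once the values are substituted through `manconf`, which defeats reproducible-build verification of the installed files. Honouring SOURCE_DATE_EPOCH when it is set keeps the output stable, e.g. `month = run_command(sh, '-c', 'LC_ALL=C date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%b', check: true).stdout()` and the same for `year` (the `-d @epoch` form is GNU date syntax; confirm against the platforms the build targets). The src/man/meson.build hunk of PATCH 14/36 ("WE 11") rewrites these two lines to add `.strip()`, so the change belongs there as well.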
@@ -1,29 +1,14 @@ -PREFIX = get_option('prefix') -BINDIR = PREFIX / get_option('bindir') -SYSCONFDIR = PREFIX / get_option('sysconfdir') -LIBDIR = PREFIX / get_option('libdir') - -constants = { - 'PREFIX': PREFIX, - 'BINDIR': BINDIR, - # WTF - 'SYSCONFDIR': SYSCONFDIR / meson.project_name(), - 'LIBDIR': LIBDIR, - - 'VERSION': meson.project_version(), - 'VARDIR': '/var/lib/firejail', -} - -c_args_constants = [] -foreach name, value : constants - c_args_constants += '-D@0@="@1@"'.format(name, value) -endforeach +# libtrace/libtracelog do not compile with shared_library(), instead we +# directly call the compiler. Therefore we need additional flags which +# are set otherwise by meson. +c_args_libtrace = ['-Wall', '-O2', '-shared', '-fPIC', '-Wl,-z,relro'] +#c_args_libtrace += ['-O' + get_option('optimization')] +if get_option('werror') + c_args_libtrace += ['-Werror'] +endif # # # # # # # # # # -libdir_firejail = get_option('libdir') / meson.project_name() -sbox_apps_non_dumpable_perms = 'rwx--x--x' - # APPS subdir('firecfg') subdir('firejail') @@ -48,11 +33,11 @@ subdir('fshaper') # MYLIBS subdir('libpostexecseccomp') -#subdir('libtrace') -#subdir('libtracelog') +subdir('libtrace') +subdir('libtracelog') # MANPAGES -if get_option('man') and false +if get_option('manpage') and false subdir('man') endif diff --git a/src/profstats/meson.build b/src/profstats/meson.build index 59766b033e5..326060d59a7 100644 --- a/src/profstats/meson.build +++ b/src/profstats/meson.build @@ -4,4 +4,8 @@ profstats_sources = [ executable('profstats', profstats_sources, build_by_default: false, + + c_args: [ + c_args, constants, facilities, + ], ) From c658bee52a950c29339c0f99d218ad220dd1760e Mon Sep 17 00:00:00 2001 
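Review bot: `c_args_libtrace` hand-mirrors only part of what meson would pass for a shared library: `-Wl,-z,relro` without `-Wl,-z,now`, a fixed `-O2` that ignores `get_option('optimization')` (the commented-out line below it), and, as far as I can tell, none of the `b_pie`/`b_sanitize`-style options that meson injects only into its own compiler invocations — so the `'b_pie=true'` set in project() presumably does not reach these two objects. Since the src/libtrace and src/libtracelog hunks of this same patch build them by calling `cc` directly, any hardening enabled through project options silently stops at these libraries. At minimum add `'-Wl,-z,now'` to the list and extend the comment to say *why* `shared_library()` fails, so a later maintainer can tell when the workaround can go.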
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sat, 30 Oct 2021 20:42:05 +0200 Subject: [PATCH 10/36] 8 --- meson.build | 42 ++++++++++++++++- meson_options.txt | 29 ++++++------ src/build-make-compile-seccomp-filters.sh | 30 ++++++++++++ src/firejail/meson.build | 3 ++ src/meson.build | 56 ++++------------------- 5 files changed, 96 insertions(+), 64 deletions(-) create mode 100644 src/build-make-compile-seccomp-filters.sh diff --git a/meson.build b/meson.build index 93d44304598..998d4bfb65f 100644 --- a/meson.build +++ b/meson.build @@ -1,6 +1,11 @@ project('firejail', 'c', license: 'GPL-2.0-or-later', default_options: [ + # -D_FORTIFY_SOURCE=2 requires optimization + # TODO: Decide between buildtype=debugoptimized, + # buildtype=release and optimization=g|1|2 + 'buildtype=debugoptimized', + # TODO: 'strip=true', 'b_pie=true', ], # https://packages.debian.org/oldstable/meson @@ -52,6 +57,7 @@ endif facilities = [] foreach option, flag : { + 'apparmor': '-DHAVE_APPARMOR', 'chroot': '-DHAVE_CHROOT', 'dbusproxy': '-DHAVE_DBUSPROXY', 'file-transfer': '-DHAVE_FILE_TRANSFER', @@ -61,6 +67,7 @@ foreach option, flag : { 'network': '-DHAVE_NETWORK', 'output': '-DHAVE_OUTPUT', 'private-home': '-DHAVE_PRIVATE_HOME', + 'selinux': '-DHAVE_SELINUX', 'suid': '-DHAVE_SUID', 'userns': '-DHAVE_USERNS', 'usertmpfs': '-DHAVE_USERTMPFS', 
@@ -95,10 +102,41 @@ subdir('etc') subdir('src') subdir('test') -install_data(['COPYING', 'README', 'RELNOTES'], +install_data( + sources: ['COPYING', 'README', 'RELNOTES'], install_dir: docdir, ) # # # # # # # # # # -# TODO: summary() +if meson.version().version_compare('>=0.53.0') + summary('prefix', prefix, section: 'Directories') + summary('bindir', bindir, section: 'Directories') + summary('datadir', datadir, section: 'Directories') + summary('docdir', docdir, section: 'Directories') + summary('sysconfdir', sysconfdir, section: 'Directories') + summary('libdir', libdir, section: 'Directories') + summary('libdir_firejail', libdir_firejail, section: 'Directories') + + summary('apparmor', get_option('apparmor'), section: 'Facilities') + summary('chroot', get_option('chroot'), section: 'Facilities') + summary('dbusproxy', get_option('dbusproxy'), section: 'Facilities') + summary('file-transfer', get_option('file-transfer'), section: 'Facilities') + summary('firetunnel', get_option('firetunnel'), section: 'Facilities') + summary('force-nonewprivs', get_option('force-nonewprivs'), section: 'Facilities') + summary('globalcfg', get_option('globalcfg'), section: 'Facilities') + summary('network', get_option('network'), section: 'Facilities') + summary('output', get_option('output'), section: 'Facilities') + summary('private-home', get_option('private-home'), section: 'Facilities') + summary('selinux', get_option('selinux'), section: 'Facilities') + summary('suid', get_option('suid'), section: 'Facilities') + summary('userns', get_option('userns'), section: 'Facilities') + summary('usertmpfs', get_option('usertmpfs'), section: 'Facilities') + summary('x11', get_option('x11'), section: 'Facilities') + + summary('lts', get_option('lts'), section: 'LTS') + + summary('busybox-workaround', get_option('busybox-workaround'), section: 'Misc') + summary('contrib', get_option('contrib'), section: 'Misc') + summary('manpage', get_option('manpage'), section: 'Misc') +endif 
diff --git a/meson_options.txt b/meson_options.txt index 3ae11320ec5..2491edaf932 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -3,25 +3,9 @@ option('analyzer', type: 'boolean', value: false, # sanitizer: Use -Db_sanitize= # gcov: TODO -# TODO -option('busybox', type: 'boolean', value: false, - description: 'busybox workaround') -option('contrib', type: 'boolean', value: true, - description: 'Install contrib files') -option('manpage', type: 'boolean', value: true, - description: 'Manpages') -option('suid', type: 'boolean', value: true, - description: 'Install firejail as SUID executable') - - # TODO option('apparmor', type: 'boolean', value: false, description: 'AppArmor support') -# TODO -option('selinux', type: 'boolean', value: false, - description: 'SELinux labeling support') - - option('chroot', type: 'boolean', value: true, description: 'chroot') option('dbusproxy', type: 'boolean', value: true, @@ -40,6 +24,11 @@ option('output', type: 'boolean', value: true, description: '--output logging') option('private-home', type: 'boolean', value: true, description: 'private home feature') +# TODO +option('selinux', type: 'boolean', value: false, + description: 'SELinux labeling support') +option('suid', type: 'boolean', value: true, + description: 'Install firejail as SUID executable') option('userns', type: 'boolean', value: true, description: 'user namespace') option('usertmpfs', type: 'boolean', value: true, @@ -50,3 +39,11 @@ option('x11', type: 'boolean', value: true, # TODO option('lts', type: 'boolean', value: false, description: 'LTS') + +option('busybox-workaround', type: 'boolean', value: false, + description: 'busybox workaround') +option('contrib', type: 'boolean', value: true, + description: 'Install contrib files') +option('manpage', type: 'boolean', value: true, + description: 'Manpages') + diff --git a/src/build-make-compile-seccomp-filters.sh b/src/build-make-compile-seccomp-filters.sh new file mode 100644 index 00000000000..10b14fb24f6 
--- /dev/null
+++ b/src/build-make-compile-seccomp-filters.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+fseccomp="$1"
+fsec_optimize="$2"
+outdir="$3"
+
+cd "$outdir" || exit 1
+
+# seccomp
+$fseccomp default seccomp
+$fsec_optimize seccomp
+
+# seccomp.debug
+$fseccomp default seccomp.debug allow-debuggers
+$fsec_optimize seccomp.debug
+
+# seccomp.32
+$fseccomp secondary 32 seccomp.32
+$fsec_optimize seccomp.32
+
+# seccomp.block_secondary
+$fseccomp secondary block seccomp.block_secondary
+
+# seccomp.mdwx
+$fseccomp memory-deny-write-execute seccomp.mdwx
+
+# seccomp.mdwx.32
+$fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
diff --git a/src/firejail/meson.build b/src/firejail/meson.build
index e5398df91c9..99533dfcb0f 100644
--- a/src/firejail/meson.build
+++ b/src/firejail/meson.build
@@ -7,8 +7,10 @@ firejail_sources = [
 'caps.c',
 'cgroup.c',
 'checkcfg.c',
+'chroot.c',
 'cmdline.c',
 'cpu.c',
+'dbus.c',
 'dhcp.c',
 'env.c',
 'fs.c',
@@ -34,6 +36,7 @@ firejail_sources = [
 'network.c',
 'network_main.c',
 'no_sandbox.c',
+'output.c',
 'paths.c',
 'preproc.c',
 'profile.c',
diff --git a/src/meson.build b/src/meson.build
index d4789c54a75..f77b98a6c25 100644
--- a/src/meson.build
+++ b/src/meson.build
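Review bot: `$fseccomp` and `$fsec_optimize` are expanded unquoted on every invocation, so a build directory containing whitespace splits the tool path into several words, and nothing checks that all three positional arguments were supplied — with an empty `$3`, `cd ""` is implementation-defined in POSIX sh (some shells treat it like a bare `cd`) and the filters can be written to the wrong directory. Quote both tool variables and reject a wrong argument count before the `cd`. As this script produces the BPF filters that are installed into `libdir_firejail` and later loaded into sandboxes, a silently misplaced output is worth guarding against even though `set -e` already stops on tool failures.
```sh
set -e

[ "$#" -eq 3 ] || { echo "usage: $0 FSECCOMP FSEC_OPTIMIZE OUTDIR" >&2; exit 1; }

# … unchanged: variable assignments and cd "$outdir" …

# seccomp
"$fseccomp" default seccomp
"$fsec_optimize" seccomp
# … unchanged: remaining filters, with "$fseccomp" / "$fsec_optimize" quoted the same way …
```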
@@ -47,53 +47,17 @@ endif # # # # # # # # # # -# TODO: fsec-optimize OUTPUT (add_install_script ?) -custom_target('seccomp', +custom_target('seccomp filters', build_by_default: true, - command: [fseccomp, 'default', '@OUTPUT@'], + command: ['build-make-compile-seccomp-filters.sh', fseccomp, fsec_optimize, '@OUTDIR@'], install: true, install_dir: libdir_firejail, - output: 'seccomp', -) - -# TODO: fsec-optimize OUTPUT -custom_target('seccomp.debug', - build_by_default: true, - command: [fseccomp, 'default', '@OUTPUT@', 'allow-debuggers'], - install: true, - install_dir: libdir_firejail, - output: 'seccomp.debug', -) - -# TODO: fsec-optimize OUTPUT -custom_target('seccomp.32', - build_by_default: true, - command: [fseccomp, 'secondary', '32', '@OUTPUT@'], - install: true, - install_dir: libdir_firejail, - output: 'seccomp.32', -) - -custom_target('seccomp.block_secondary', - build_by_default: true, - command: [fseccomp, 'secondary', 'block', '@OUTPUT@'], - install: true, - install_dir: libdir_firejail, - output: 'seccomp.block_secondary', -) - -custom_target('seccomp.mdwx', - build_by_default: true, - command: [fseccomp, 'memory-deny-write-execute', '@OUTPUT@'], - install: true, - install_dir: libdir_firejail, - output: 'seccomp.mdwx', -) - -custom_target('seccomp.mdwx.32', - build_by_default: true, - command: [fseccomp, 'memory-deny-write-execute.32', '@OUTPUT@'], - install: true, - install_dir: libdir_firejail, - output: 'seccomp.mdwx.32', + output: [ + 'seccomp', + 'seccomp.debug', + 'seccomp.32', + 'seccomp.block_secondary', + 'seccomp.mdwx', + 'seccomp.mdwx.32', + ], ) From 956ccb8c86c8f01729aaf892229755df803956c1 Mon Sep 17 00:00:00 2001 
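Review bot: `'build-make-compile-seccomp-filters.sh'` is passed as a bare string in `command:`, and the file is added with mode 100644 (see the `new file mode` line of this patch), so even if meson resolves the name the script is not executable and the target fails at build time. Run it through the interpreter and reference the source file explicitly: `command: [sh, files('build-make-compile-seccomp-filters.sh'), fseccomp, fsec_optimize, '@OUTDIR@'],` (`sh` appears to be a `find_program` result in the top-level meson.build). Passing a `files()` object should also make ninja rebuild the filters when the script changes, which a bare string does not.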
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sat, 30 Oct 2021 20:46:17 +0200 Subject: [PATCH 11/36] 9 --- src/fids/meson.build | 8 ++++---- src/firecfg/meson.build | 6 +++--- src/firejail/meson.build | 6 +++--- src/fldd/meson.build | 22 +++++++++++----------- src/fnet/meson.build | 2 +- src/fnetfilter/meson.build | 6 +++--- src/fseccomp/meson.build | 6 +++--- src/jailcheck/meson.build | 8 ++++---- src/meson.build | 2 +- 9 files changed, 33 insertions(+), 33 deletions(-) diff --git a/src/fids/meson.build b/src/fids/meson.build index bf63f9beec2..47d3e4bf30e 100644 --- a/src/fids/meson.build +++ b/src/fids/meson.build @@ -1,10 +1,10 @@ -fids_sources = [ - 'main.c', +fids_sources = [ + 'main.c', 'blake2b.c', 'db.c', 'db_exclude.c', -] - +] + executable('fids', fids_sources, install: true, install_dir: libdir_firejail, diff --git a/src/firecfg/meson.build b/src/firecfg/meson.build index 4e92ad2cf44..c835bb65174 100644 --- a/src/firecfg/meson.build +++ b/src/firecfg/meson.build @@ -5,10 +5,10 @@ firecfg_sources = [ 'util.c', '../lib/firejail_user.c', -] +] -executable('firecfg', firecfg_sources, - install: true, +executable('firecfg', firecfg_sources, + install: true, c_args: [ c_args, constants, facilities diff --git a/src/firejail/meson.build b/src/firejail/meson.build index 99533dfcb0f..8be31ef1939 100644 --- a/src/firejail/meson.build +++ b/src/firejail/meson.build @@ -48,8 +48,8 @@ firejail_sources = [ 'run_files.c', 'run_symlink.c', 'sandbox.c', - 'sbox.c', - 'seccomp.c', + 'sbox.c', + 'seccomp.c', 'selinux.c', 'shutdown.c', 'usage.c', @@ -60,7 +60,7 @@ firejail_sources = [ '../lib/errno.c', '../lib/firejail_user.c', '../lib/ldd_utils.c', - '../lib/syscall.c', + '../lib/syscall.c', ] executable('firejail', firejail_sources, diff --git a/src/fldd/meson.build b/src/fldd/meson.build index 793a9b70645..731ae6b8507 100644 --- a/src/fldd/meson.build +++ b/src/fldd/meson.build 
@@ -1,16 +1,16 @@ -fldd_source = [ - 'main.c', - - '../lib/common.c', - '../lib/ldd_utils.c', -] - +fldd_source = [ + 'main.c', + + '../lib/common.c', + '../lib/ldd_utils.c', +] + executable('fldd', fldd_source, - install: true, + install: true, install_dir: libdir_firejail, install_mode: sbox_apps_non_dumpable_perms, - - c_args: [ + + c_args: [ c_args, constants, facilities, - ], + ], ) diff --git a/src/fnet/meson.build b/src/fnet/meson.build index 8b8ddaf73fd..6f34e40d950 100644 --- a/src/fnet/meson.build +++ b/src/fnet/meson.build @@ -9,7 +9,7 @@ fnet_sources = [ ] executable('fnet', fnet_sources, - install: true, + install: true, install_dir: libdir_firejail, install_mode: sbox_apps_non_dumpable_perms, diff --git a/src/fnetfilter/meson.build b/src/fnetfilter/meson.build index 70d1ed36366..7609ccc9bfa 100644 --- a/src/fnetfilter/meson.build +++ b/src/fnetfilter/meson.build @@ -2,10 +2,10 @@ fnetfilter_sources = [ 'main.c', '../lib/common.c', -] +] -executable('fnetfilter', fnetfilter_sources, - install: true, +executable('fnetfilter', fnetfilter_sources, + install: true, install_dir: libdir_firejail, install_mode: sbox_apps_non_dumpable_perms, diff --git a/src/fseccomp/meson.build b/src/fseccomp/meson.build index b0162b1fd30..1518c5be8b2 100644 --- a/src/fseccomp/meson.build +++ b/src/fseccomp/meson.build @@ -1,11 +1,11 @@ fseccomp_sources = [ 'main.c', 'protocol.c', - 'seccomp.c', + 'seccomp.c', 'seccomp_file.c', 'seccomp_secondary.c', - - '../lib/common.c', + + '../lib/common.c', '../lib/errno.c', '../lib/syscall.c', ] diff --git a/src/jailcheck/meson.build b/src/jailcheck/meson.build index 3fff94064db..421173d295d 100644 --- a/src/jailcheck/meson.build +++ b/src/jailcheck/meson.build @@ -11,12 +11,12 @@ jailcheck_sources = [ '../lib/common.c', '../lib/pid.c', -] +] executable('jailcheck', jailcheck_sources, install: true, - - c_args: [ + + c_args: [ c_args, constants, facilities, ], -) +) 
diff --git a/src/meson.build b/src/meson.build index f77b98a6c25..78026260017 100644 --- a/src/meson.build +++ b/src/meson.build @@ -27,7 +27,7 @@ subdir('fldd') subdir('fnet') subdir('fnetfilter') subdir('fseccomp') -subdir('fsec-optimize') +subdir('fsec-optimize') subdir('fsec-print') subdir('fshaper') From 5bfc05bd7d3abeaae6dd061121d52d75a960a7e1 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sat, 30 Oct 2021 21:27:19 +0200 Subject: [PATCH 12/36] prep for meson --- src/bash_completion/firejail.bash_completion.in | 2 +- src/zsh_completion/_firejail.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in index 4a1adbc26ba..998080c06de 100644 --- a/src/bash_completion/firejail.bash_completion.in +++ b/src/bash_completion/firejail.bash_completion.in @@ -15,7 +15,7 @@ _profiles() { fi } _all_profiles() { - local sys_profiles=$(_profiles _SYSCONFDIR_/firejail) + local sys_profiles=$(_profiles @SYSCONFDIR@/firejail) local user_profiles=$(_profiles $HOME/.config/firejail) COMPREPLY=($(compgen -W "${sys_profiles} ${user_profiles}" -- "$cur")) } diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in index 15e9a511162..7eb2cce85c2 100644 --- a/src/zsh_completion/_firejail.in +++ b/src/zsh_completion/_firejail.in @@ -26,7 +26,7 @@ _profiles_with_ext() { } _all_profiles() { - _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .) + _values 'profiles' $(_profiles @SYSCONFDIR@/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .) } _session_bus_names() { From 6f03cd6c19592b868d0ab6b99294eb95bca70684 Mon Sep 17 00:00:00 2001 
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 00:00:37 +0200 Subject: [PATCH 13/36] WE 10 --- etc/meson.build | 5 ++- meson.build | 21 ++++++++++-- meson_options.txt | 2 -- src/bash_completion/meson.build | 20 ++++++++++++ src/fcopy/meson.build | 2 ++ src/firejail/meson.build | 2 ++ src/man/meson.build | 58 ++++++++++++--------------------- src/meson.build | 6 ++-- src/zsh_completion/meson.build | 15 +++++++++ 9 files changed, 82 insertions(+), 49 deletions(-) create mode 100644 src/bash_completion/meson.build create mode 100644 src/zsh_completion/meson.build diff --git a/etc/meson.build b/etc/meson.build index 259bc07d3bf..ac4115f985d 100644 --- a/etc/meson.build +++ b/etc/meson.build @@ -1,5 +1,4 @@ -install_data( - sources: ['firejail.config', 'ids.config', 'login.users'], +install_data('firejail.config', 'ids.config', 'login.users', install_dir: sysconfdir / project_name, ) @@ -11,7 +10,7 @@ foreach dir : ['inc', 'net', 'profile-a-l', 'profile-m-z'] ) endforeach -if get_option('busybox') +if get_option('busybox-workaround') #TODO: meson.add_install_script() else install_data('inc/disable-common.inc', diff --git a/meson.build b/meson.build index 998d4bfb65f..b1dd0681fdf 100644 --- a/meson.build +++ b/meson.build 
@@ -18,23 +18,38 @@ project('firejail', 'c', c_compiler = meson.get_compiler('c') cc = find_program(c_compiler.cmd_array()[0]) sh = find_program('sh') +gawk = find_program('gawk') project_name = meson.project_name() prefix = get_option('prefix') bindir = get_option('bindir') datadir = get_option('datadir') +bashcompletiondir = datadir / 'bash-completion' / 'completions' docdir = datadir / 'doc' / project_name +zshcompletiondir = datadir / 'zsh' / 'site-functions' sysconfdir = get_option('sysconfdir') libdir = get_option('libdir') libdir_firejail = libdir / project_name firejail_perms = get_option('suid') ? 'rwsr-xr-x' : 'rwxr-xr-x' sbox_apps_non_dumpable_perms = 'rwx--x--x' +noopdep = dependency('', required: false) +libapparmor = get_option('apparmor') ? dependency('libapparmor') : noopdep +libselinux = get_option('selinux') ? dependency('libselinux') : noopdep + # # # # # # # # # # # TODO: # -Wl,-z,relro -Wl,-z,now -lpthread +# TODO: lts +# -DHAVE_LTS +# suid = true +# man = true +# busybox-workaround = false +# contrib = false +# dbuxproxy = output = usertmpfs = firetunnel = private-home = chroot = globalcfg = userns = x11 = file-transfer = false + # Enable static analysis if wanted and supported. if get_option('analyzer') and c_compiler.has_argument('-fanalyzer') @@ -102,14 +117,14 @@ subdir('etc') subdir('src') subdir('test') -install_data( - sources: ['COPYING', 'README', 'RELNOTES'], +install_data('COPYING', 'README', 'RELNOTES', install_dir: docdir, ) # # # # # # # # # # -if meson.version().version_compare('>=0.53.0') +show_summary = true +if show_summary and meson.version().version_compare('>=0.53.0') summary('prefix', prefix, section: 'Directories') summary('bindir', bindir, section: 'Directories') summary('datadir', datadir, section: 'Directories') diff --git a/meson_options.txt b/meson_options.txt index 2491edaf932..b727cf53eaf 100644 --- a/meson_options.txt +++ b/meson_options.txt 
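Review bot: the `# TODO: -Wl,-z,relro -Wl,-z,now -lpthread` comment is still open in the hunk that configures the setuid binary (`firejail_perms = get_option('suid') ? 'rwsr-xr-x' : ...`) and the new libapparmor/libselinux dependencies; full RELRO plus BIND_NOW is the cheapest hardening for a setuid root executable and meson can probe for it with `add_project_link_arguments(c_compiler.get_supported_link_arguments(['-Wl,-z,relro', '-Wl,-z,now']), language: 'c')`. `-lpthread` is better expressed as `dependency('threads')` than as a raw flag. The new `# TODO: lts` block also has a typo, `dbuxproxy`.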
@@ -3,7 +3,6 @@ option('analyzer', type: 'boolean', value: false, # sanitizer: Use -Db_sanitize= # gcov: TODO -# TODO option('apparmor', type: 'boolean', value: false, description: 'AppArmor support') option('chroot', type: 'boolean', value: true, @@ -24,7 +23,6 @@ option('output', type: 'boolean', value: true, description: '--output logging') option('private-home', type: 'boolean', value: true, description: 'private home feature') -# TODO option('selinux', type: 'boolean', value: false, description: 'SELinux labeling support') option('suid', type: 'boolean', value: true, diff --git a/src/bash_completion/meson.build b/src/bash_completion/meson.build new file mode 100644 index 00000000000..9490e2e24a7 --- /dev/null +++ b/src/bash_completion/meson.build @@ -0,0 +1,20 @@ +firejail_bash_completion = configure_file( + configuration: {'SYSCONFDIR': sysconfdir}, + input: 'firejail.bash_completion.in', + output: '@BASENAME@', +) +custom_target(manpage, + build_by_default: true, + capture: true, + # BIG FAT FIXME: This will fail if -Dmanpage=false + command: [gawk, '-f', preproc_awk, '--', facilities, '@INPUT@'], + input: firejail_bash_completion, + install: true, + install_dir: bashcompletiondir, + output: 'firejail', +) + +install_data('firecfg.bash_completion', 'firemon.bash_completion', + install_dir: bashcompletiondir, + rename: ['firecfg', 'firemon'] +) diff --git a/src/fcopy/meson.build b/src/fcopy/meson.build index 700760519d3..2302be9d398 100644 --- a/src/fcopy/meson.build +++ b/src/fcopy/meson.build @@ -9,6 +9,8 @@ executable('fcopy', fcopy_sources, install_dir: libdir_firejail, install_mode: sbox_apps_non_dumpable_perms, + dependencies: [libapparmor, libselinux], + c_args: [ c_args, constants, facilities, ], diff --git a/src/firejail/meson.build b/src/firejail/meson.build index 8be31ef1939..8f9306613d7 100644 --- a/src/firejail/meson.build +++ b/src/firejail/meson.build 
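Review bot: `custom_target(manpage, ...)` in src/bash_completion/meson.build names the target with `manpage`, a variable this file never sets — it only exists as the leftover loop variable from src/man/meson.build's `foreach manpage, section`, which the `BIG FAT FIXME` already notes is skipped with `-Dmanpage=false`; `preproc_awk` has the same problem. Give the target its own name, `custom_target('firejail.bash_completion',`, and define `preproc_awk = files('src/man/preproc.awk')` in the top-level meson.build next to `gawk = find_program('gawk')` so the completions no longer depend on the man subdir having run. The src/zsh_completion/meson.build hunk later in this patch is identical. Separately, `{'SYSCONFDIR': sysconfdir}` substitutes `get_option('sysconfdir')` as-is; if that option is relative (meson's default is `etc` under the prefix), the completion script would look up profiles at a relative path, whereas `prefix / sysconfdir` yields the absolute form.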
@@ -67,6 +67,8 @@ executable('firejail', firejail_sources, install: true, install_mode: [firejail_perms, 0, 0], + dependencies: [libapparmor, libselinux], + c_args: [ c_args, constants, facilities, ], diff --git a/src/man/meson.build b/src/man/meson.build index 73eb076e8e8..8603f01efb0 100644 --- a/src/man/meson.build +++ b/src/man/meson.build @@ -1,11 +1,4 @@ -gawk = find_program('gawk', required: false) -gzip = find_program('gzip', required: false) - -# TODO: preproc.awk is also used by completions -if not gawk.found() or not gzip.found() - message('Disable manpage because of missing requirements.') - subdir_done() -endif +preproc_awk = files('preproc.awk') # The kwarg env: of run_command is only supported by meson>=0.50 month = run_command(sh, '-c', 'LC_ALL=C date -u +%b', check: true).stdout() 
@@ -16,40 +9,29 @@ manconf.set('VERSION', meson.project_version()) manconf.set('MONTH', month) manconf.set('YEAR', year) -preproc_awk = files('preproc.awk') -preproc = generator(gawk, - arguments: ['-f', './preproc.awk', '--', facilities, '@INPUT@'], - capture: true, - output: '@PLAINNAME@', -) - -# Should we compress manpages? -# https://mesonbuild.com/Release-notes-for-0-49-0.html#manpages-are-no-longer-compressed-implicitly -compress = generator(gzip, - arguments: ['-9n', '@INPUT@'], - output: '@BASENAME@.gz' -) - manpages = { - 'firecfg.txt': '1', - 'firejail-login.txt': '5', - 'firejail-profile.txt': '5', - 'firejail.txt': '1', - 'firejail-users.txt': '5', - 'firemon.txt': '1', - 'jailcheck.txt': '1', + 'firecfg': '1', + 'firejail-login': '5', + 'firejail-profile': '5', + 'firejail': '1', + 'firejail-users': '5', + 'firemon': '1', + 'jailcheck': '1', } -# TODO: Refactor, use custom_target and maybe a own build-aux/make-manpages script -# FIXME: Does only work with meson >=0.57 foreach manpage, section : manpages - manpage = configure_file( + configured_manpage = configure_file( configuration: manconf, - input: manpage, - output: '@BASENAME@.@0@'.format(section), + input: manpage + '.txt', + output: '@PLAINNAME@', + ) + custom_target(manpage, + build_by_default: true, + capture: true, + command: [gawk, '-f', preproc_awk, '--', facilities, '@INPUT@'], + input: configured_manpage, + install: true, + install_dir: get_option('mandir') / 'man' + section, + output: manpage + '.' + section, ) - manpage = preproc.process(manpage) - manpage = compress.process(manpage) - #FIXME: does not work - install_man(manpage[0], install_dir: get_option('mandir') / 'man' + section) endforeach diff --git a/src/meson.build b/src/meson.build index 78026260017..657de9459f6 100644 --- a/src/meson.build +++ b/src/meson.build 
@@ -37,13 +37,13 @@ subdir('libtrace') subdir('libtracelog') # MANPAGES -if get_option('manpage') and false +if get_option('manpage') subdir('man') endif # COMPLETIONDIRS -#subdir('bash_completion') -#subdir('zsh_completion') +subdir('bash_completion') +subdir('zsh_completion') # # # # # # # # # # diff --git a/src/zsh_completion/meson.build b/src/zsh_completion/meson.build new file mode 100644 index 00000000000..eabad3f1616 --- /dev/null +++ b/src/zsh_completion/meson.build @@ -0,0 +1,15 @@ +firejail_zsh_completion = configure_file( + configuration: {'SYSCONFDIR': sysconfdir}, + input: '_firejail.in', + output: 'firejail.zsh_completion', +) +custom_target(manpage, + build_by_default: true, + capture: true, + # BIG FAT FIXME: This will fail if -Dmanpage=false + command: [gawk, '-f', preproc_awk, '--', facilities, '@INPUT@'], + input: firejail_zsh_completion, + install: true, + install_dir: zshcompletiondir, + output: '_firejail', +) From 1f09fc05f186332986560b79465e5fefb1e1f1bf Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 10:11:29 +0100 Subject: [PATCH 14/36] WE 11 --- meson.build | 1 - src/man/meson.build | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/meson.build b/meson.build index b1dd0681fdf..2d71400cff2 100644 --- a/meson.build +++ b/meson.build @@ -57,7 +57,6 @@ if get_option('analyzer') and c_compiler.has_argument('-fanalyzer') add_project_arguments('-Wno-analyzer-malloc-leak', language: 'c') endif -# Default compiler flags c_args = c_compiler.get_supported_arguments([ '-mindirect-branch=thunk', '-mretpoline', diff --git a/src/man/meson.build b/src/man/meson.build index 8603f01efb0..26e1d7b4655 100644 --- a/src/man/meson.build +++ b/src/man/meson.build 
@@ -1,8 +1,8 @@ preproc_awk = files('preproc.awk') # The kwarg env: of run_command is only supported by meson>=0.50 -month = run_command(sh, '-c', 'LC_ALL=C date -u +%b', check: true).stdout() -year = run_command(sh, '-c', 'LC_ALL=C date -u +%Y', check: true).stdout() +month = run_command(sh, '-c', 'LC_ALL=C date -u +%b', check: true).stdout().strip() +year = run_command(sh, '-c', 'LC_ALL=C date -u +%Y', check: true).stdout().strip() manconf = configuration_data() manconf.set('VERSION', meson.project_version()) From 0756b43427bd5192281cba368788be9887aef76d Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 10:16:14 +0100 Subject: [PATCH 15/36] Update .github/workflows/build.yml --- .github/workflows/build.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d6800e74b9f..4db73d47567 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -78,8 +78,7 @@ jobs: - name: print env run: ./ci/printenv.sh - name: meson setup - #TODO: --enable-analyzer --enable-apparmor --enable-selinux - run: CC=gcc-11 meson setup _builddir --werror --prefix=/usr + run: CC=gcc-11 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true - name: meson compile run: meson compile -C _builddir - name: meson install From e50afda284d850cb8645ad6399407b034d249c39 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 10:40:10 +0100 Subject: [PATCH 16/36] Update workflows --- .github/workflows/build-extra.yml | 5 ++++- .github/workflows/build.yml | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 314abaecfe0..dac0eba4220 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml 
@@ -38,7 +38,6 @@ on: permissions: # added using https://github.com/step-security/secure-workflows contents: read -# TODO: Add jobs for minimal (0.49.2) and maximal (latest release(-candidate)) meson version jobs: build-clang: runs-on: ubuntu-22.04 @@ -63,6 +62,8 @@ jobs: - name: print env run: ./ci/printenv.sh - uses: actions/checkout@v2 + - name: Install meson + run: pip install --pre meson==0.49.2 - name: meson setup run: CC=clang-11 meson setup _builddir --werror - name: meson compile @@ -71,6 +72,8 @@ jobs: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v2 + - name: Install meson + run: pip install --pre meson - name: install clang-tools-11 run: sudo apt-get install clang-tools-11 - name: meson setup diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4db73d47567..284a9ab174e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -77,6 +77,8 @@ jobs: gcc-12 libapparmor-dev libselinux1-dev expect xzdec - name: print env run: ./ci/printenv.sh + - name: Install meson + run: pip install meson - name: meson setup run: CC=gcc-11 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true - name: meson compile From af97761f6a30017f933085777f9677984e7c6d1f Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 10:45:31 +0100 Subject: [PATCH 17/36] Update workflows --- .github/workflows/build-extra.yml | 6 ++++-- .github/workflows/build.yml | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index dac0eba4220..187a9e7971b 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml 
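Review bot: `pip install --pre meson` in the scan-build job (hunk `@@ -71,6 +72,8 @@`) installs whatever pre-release is current on PyPI at run time, so that job is neither reproducible nor protected against a bad or yanked upload; build.yml's `pip install meson` on this same line has the same problem. Pin the version the way the clang job already does, e.g. `run: pip install meson==0.49.2`, and drop `--pre` once a release is pinned. A hash-pinned requirements file installed with `--require-hashes` would close the gap fully.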
@@ -62,6 +62,8 @@ jobs: - name: print env run: ./ci/printenv.sh - uses: actions/checkout@v2 + - name: install dependencies + run: sudo apt-get install ninja-build - name: Install meson run: pip install --pre meson==0.49.2 - name: meson setup @@ -72,10 +74,10 @@ jobs: runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v2 + - name: install dependencies + run: sudo apt-get install clang-tools-11 ninja-build - name: Install meson run: pip install --pre meson - - name: install clang-tools-11 - run: sudo apt-get install clang-tools-11 - name: meson setup run: CC=clang-11 meson setup _builddir --werror - name: scan-build diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 284a9ab174e..0ecf4690744 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -74,7 +74,7 @@ jobs: - name: install dependencies run: > sudo apt-get install -qy - gcc-12 libapparmor-dev libselinux1-dev expect xzdec + gcc-12 libapparmor-dev libselinux1-dev expect ninja-build xzdec - name: print env run: ./ci/printenv.sh - name: Install meson From d7a175f71ae5daecaa8f73671372a3654cb871ba Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 10:47:35 +0100 Subject: [PATCH 18/36] Update workflows --- .github/workflows/build-extra.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 187a9e7971b..fcfbfa8a196 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -81,7 +81,7 @@ jobs: - name: meson setup run: CC=clang-11 meson setup _builddir --werror - name: scan-build - run: ninja -C builddir scan-build + run: ninja -C _builddir scan-build cppcheck: runs-on: ubuntu-20.04 steps: From 2c077a733f363e7fcf97dd64f563323e63b77451 Mon Sep 17 00:00:00 2001 
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 11:03:54 +0100 Subject: [PATCH 19/36] NHWE 11 --- meson.build | 1 + src/bash_completion/meson.build | 2 +- src/man/meson.build | 2 +- src/zsh_completion/meson.build | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/meson.build b/meson.build index 2d71400cff2..b1dd0681fdf 100644 --- a/meson.build +++ b/meson.build @@ -57,6 +57,7 @@ if get_option('analyzer') and c_compiler.has_argument('-fanalyzer') add_project_arguments('-Wno-analyzer-malloc-leak', language: 'c') endif +# Default compiler flags c_args = c_compiler.get_supported_arguments([ '-mindirect-branch=thunk', '-mretpoline', diff --git a/src/bash_completion/meson.build b/src/bash_completion/meson.build index 9490e2e24a7..c78aa8727e0 100644 --- a/src/bash_completion/meson.build +++ b/src/bash_completion/meson.build @@ -3,7 +3,7 @@ firejail_bash_completion = configure_file( input: 'firejail.bash_completion.in', output: '@BASENAME@', ) -custom_target(manpage, +custom_target('firejail.bash_completion', build_by_default: true, capture: true, # BIG FAT FIXME: This will fail if -Dmanpage=false diff --git a/src/man/meson.build b/src/man/meson.build index 26e1d7b4655..142039f09b2 100644 --- a/src/man/meson.build +++ b/src/man/meson.build @@ -25,7 +25,7 @@ foreach manpage, section : manpages input: manpage + '.txt', output: '@PLAINNAME@', ) - custom_target(manpage, + custom_target(manpage + '.' + section, build_by_default: true, capture: true, command: [gawk, '-f', preproc_awk, '--', facilities, '@INPUT@'], diff --git a/src/zsh_completion/meson.build b/src/zsh_completion/meson.build index eabad3f1616..78484c15c79 100644 --- a/src/zsh_completion/meson.build +++ b/src/zsh_completion/meson.build 
@@ -3,7 +3,7 @@ firejail_zsh_completion = configure_file( input: '_firejail.in', output: 'firejail.zsh_completion', ) -custom_target(manpage, +custom_target('firejail.zsh_completion', build_by_default: true, capture: true, # BIG FAT FIXME: This will fail if -Dmanpage=false From 46be2489f16a568fc4ac956ce2ba74366bea5192 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 11:19:24 +0100 Subject: [PATCH 20/36] Update workflows --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0ecf4690744..b33039101eb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -82,7 +82,7 @@ jobs: - name: meson setup run: CC=gcc-11 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true - name: meson compile - run: meson compile -C _builddir + run: ninja -C _builddir - name: meson install run: sudo meson install -C _builddir # TODO: Why do we run this for profile changes? From c1356f28d7b17ee756f164c2a4cdaa9793699430 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 11:36:26 +0100 Subject: [PATCH 21/36] E 12 --- meson.build | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/meson.build b/meson.build index b1dd0681fdf..95908983a2d 100644 --- a/meson.build +++ b/meson.build 
@@ -57,16 +57,21 @@ if get_option('analyzer') and c_compiler.has_argument('-fanalyzer') add_project_arguments('-Wno-analyzer-malloc-leak', language: 'c') endif -# Default compiler flags -c_args = c_compiler.get_supported_arguments([ - '-mindirect-branch=thunk', - '-mretpoline', - '-fstack-protector-strong', - '-fstack-clash-protection', - '-D_FORTIFY_SOURCE=2', -]) -if get_option('warning_level').to_int() > 0 - c_args += ['-Wformat', '-Wformat-security'] +c_args = [] +if get_option('buildtype') != 'plain' + c_args += c_compiler.get_supported_arguments([ + # Breaks CI with 'error: ‘-mindirect-branch’ and ‘-fcf-protection’ are not compatible'. TODO WHY?! + # How set -fcf-protection? This does work localy for me even with meson 0.49.2 + # (Fedora 34 / gcc 11.2.1 20210728 (Red Hat 11.2.1-1)) + #'-mindirect-branch=thunk', + '-mretpoline', + '-fstack-protector-strong', + '-fstack-clash-protection', + '-D_FORTIFY_SOURCE=2', + ]) + if get_option('warning_level').to_int() > 0 + c_args += ['-Wformat', '-Wformat-security'] + endif endif From 3a7aff324b936b415dad79c89da52ab6471aefbf Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 11:47:48 +0100 Subject: [PATCH 22/36] NHWE 13 --- src/fcopy/meson.build | 2 +- src/firemon/meson.build | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/fcopy/meson.build b/src/fcopy/meson.build index 2302be9d398..436a0dd4afc 100644 --- a/src/fcopy/meson.build +++ b/src/fcopy/meson.build @@ -9,7 +9,7 @@ executable('fcopy', fcopy_sources, install_dir: libdir_firejail, install_mode: sbox_apps_non_dumpable_perms, - dependencies: [libapparmor, libselinux], + dependencies: libselinux, c_args: [ c_args, constants, facilities, diff --git a/src/firemon/meson.build b/src/firemon/meson.build index 4dc1bb60a9c..de3e2bbc98c 100644 --- a/src/firemon/meson.build +++ b/src/firemon/meson.build 
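Review bot: The new `buildtype != 'plain'` gate still lets `-D_FORTIFY_SOURCE=2` through for `buildtype=debug`, where meson compiles with `-O0`; there fortification is inactive and glibc's headers emit `#warning _FORTIFY_SOURCE requires compiling with optimization`, which `--werror` turns into a build failure. Gate on the optimization level instead, e.g. `if get_option('buildtype') != 'plain' and get_option('optimization') != '0'`. Separately, commenting out `-mindirect-branch=thunk` leaves only clang's `-mretpoline`, which `get_supported_arguments` silently drops on GCC, so GCC builds now get no retpolines at all; the conflict quoted in the comment presumably comes from a distro GCC that enables `-fcf-protection` by default, so probe that flag and choose the compatible combination rather than removing the GCC option. Patch 32 later deletes this comment without restoring the flag.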
@@ -23,6 +23,8 @@ firemon_sources = [ executable('firemon', firemon_sources, install: true, + dependencies: libapparmor, + c_args: [ c_args, constants, facilities, ], From 2d03322ca8ad0d7ec73a0a4d466509d13d4a81dd Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 11:50:21 +0100 Subject: [PATCH 23/36] NHWE 14 --- src/jailcheck/meson.build | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/jailcheck/meson.build b/src/jailcheck/meson.build index 421173d295d..3bcf9251341 100644 --- a/src/jailcheck/meson.build +++ b/src/jailcheck/meson.build @@ -16,6 +16,8 @@ jailcheck_sources = [ executable('jailcheck', jailcheck_sources, install: true, + dependencies: libapparmor, + c_args: [ c_args, constants, facilities, ], From 828f260174e283b4675b0c74f6ad3fdb1b7841ed Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 11:58:37 +0100 Subject: [PATCH 24/36] NHWE 15 --- src/meson.build | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/meson.build b/src/meson.build index 657de9459f6..9ba5da59af7 100644 --- a/src/meson.build +++ b/src/meson.build @@ -47,9 +47,10 @@ subdir('zsh_completion') # # # # # # # # # # +build_make_compile_seccmop_filters_sh = files('build-make-compile-seccomp-filters.sh') custom_target('seccomp filters', build_by_default: true, - command: ['build-make-compile-seccomp-filters.sh', fseccomp, fsec_optimize, '@OUTDIR@'], + command: [build_make_compile_seccmop_filters_sh, fseccomp, fsec_optimize, '@OUTDIR@'], install: true, install_dir: libdir_firejail, output: [ From 7ae01d717e07177cc8051f27d0775068397e7c6a Mon Sep 17 00:00:00 2001 
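Review bot: The new variable in the src/meson.build hunk (`@@ -47,9 +47,10 @@`) is misspelled, `build_make_compile_seccmop_filters_sh`, while the script it wraps is `build-make-compile-seccomp-filters.sh`; rename it to `build_make_compile_seccomp_filters_sh` on both lines before other build files start referencing it. Wrapping the script in `files()` looks right, since it records the source-tree path explicitly instead of relying on how a bare string in `command:` is resolved.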
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 12:01:50 +0100 Subject: [PATCH 25/36] NHWE 16 --- src/build-make-compile-seccomp-filters.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 src/build-make-compile-seccomp-filters.sh diff --git a/src/build-make-compile-seccomp-filters.sh b/src/build-make-compile-seccomp-filters.sh old mode 100644 new mode 100755 From 165db0680b40670eb7274f2b1672db57ba01e8dd Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 12:07:11 +0100 Subject: [PATCH 26/36] Update workflows --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b33039101eb..a49f12507ca 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -84,7 +84,7 @@ jobs: - name: meson compile run: ninja -C _builddir - name: meson install - run: sudo meson install -C _builddir + run: sudo "$(which meson)" install -C _builddir --no-rebuild # TODO: Why do we run this for profile changes? # TODO: meson test #- name: meson test From 59254b7a073138abf3e2ba82023559b8fec2a10e Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 12:12:50 +0100 Subject: [PATCH 27/36] Update workflows --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a49f12507ca..631ea2107f8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -84,7 +84,7 @@ jobs: - name: meson compile run: ninja -C _builddir - name: meson install - run: sudo "$(which meson)" install -C _builddir --no-rebuild + run: sudo -E meson install -C _builddir --no-rebuild # TODO: Why do we run this for profile changes? # TODO: meson test #- name: meson test 
From bbd88e27dd494e0b8633d455eb168627574f15f0 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 12:15:32 +0100 Subject: [PATCH 28/36] Update workflows --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 631ea2107f8..1b65a5a44c6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -84,7 +84,7 @@ jobs: - name: meson compile run: ninja -C _builddir - name: meson install - run: sudo -E meson install -C _builddir --no-rebuild + run: sudo -E "$(which meson)" install -C _builddir --no-rebuild # TODO: Why do we run this for profile changes? # TODO: meson test #- name: meson test From 775a7faf0f2fd09c84b7770a260b3fc347c00199 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 14:16:43 +0100 Subject: [PATCH 29/36] 17 --- src/fldd/meson.build | 4 ++-- src/fsec-optimize/meson.build | 4 ++-- src/fsec-print/meson.build | 2 +- src/libtrace/meson.build | 1 - 4 files changed, 5 insertions(+), 6 deletions(-) diff --git a/src/fldd/meson.build b/src/fldd/meson.build index 731ae6b8507..f9eb85736e4 100644 --- a/src/fldd/meson.build +++ b/src/fldd/meson.build @@ -1,11 +1,11 @@ -fldd_source = [ +fldd_sources = [ 'main.c', '../lib/common.c', '../lib/ldd_utils.c', ] -executable('fldd', fldd_source, +executable('fldd', fldd_sources, install: true, install_dir: libdir_firejail, install_mode: sbox_apps_non_dumpable_perms, diff --git a/src/fsec-optimize/meson.build b/src/fsec-optimize/meson.build index 88f7f7cb1ea..a91aba49e56 100644 --- a/src/fsec-optimize/meson.build +++ b/src/fsec-optimize/meson.build @@ -1,4 +1,4 @@ -fsec_optimize_seources = [ +fsec_optimize_sources = [ 'main.c', 'optimizer.c', 
@@ -6,7 +6,7 @@ fsec_optimize_seources = [ '../lib/errno.c', ] -fsec_optimize = executable('fsec-optimize', fsec_optimize_seources, +fsec_optimize = executable('fsec-optimize', fsec_optimize_sources, install: true, install_dir: libdir_firejail, install_mode: sbox_apps_non_dumpable_perms, diff --git a/src/fsec-print/meson.build b/src/fsec-print/meson.build index 93400f3e204..2a720d57a57 100644 --- a/src/fsec-print/meson.build +++ b/src/fsec-print/meson.build @@ -7,7 +7,7 @@ fsec_print_sources = [ '../lib/syscall.c', ] -executable('fsec_print', fsec_print_sources, +executable('fsec-print', fsec_print_sources, install: true, install_dir: libdir_firejail, install_mode: sbox_apps_non_dumpable_perms, diff --git a/src/libtrace/meson.build b/src/libtrace/meson.build index 4ab7cef703a..d91e5d52ca7 100644 --- a/src/libtrace/meson.build +++ b/src/libtrace/meson.build @@ -6,4 +6,3 @@ custom_target('libtrace.so', install_dir: libdir_firejail, output: 'libtrace.so', ) - From 9ea43aa7b22b5ce315d30365d63ef226290fd028 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 17:58:57 +0100 Subject: [PATCH 30/36] WE 18 --- etc/meson.build | 20 ++++++++++++++++- src/bash_completion/meson.build | 3 +-- src/man/meson.build | 40 ++++++++++++++++----------------- src/meson.build | 5 ++++- src/zsh_completion/meson.build | 3 +-- 5 files changed, 45 insertions(+), 26 deletions(-) diff --git a/etc/meson.build b/etc/meson.build index ac4115f985d..324486d9b4f 100644 --- a/etc/meson.build +++ b/etc/meson.build 
@@ -11,7 +11,25 @@ foreach dir : ['inc', 'net', 'profile-a-l', 'profile-m-z'] endforeach if get_option('busybox-workaround') - #TODO: meson.add_install_script() + meson.add_install_script(sh.path(), '-e', '-c', +''' +disable_common_inc="$MESON_INSTALL_DESTDIR_PREFIX/$1/firejail/disable-common.inc" +cat >"$disable_common_inc" <<\EOF +# Workaround for systems where common UNIX utilities are symlinks to busybox. +# If this is not your case you can remove -Dbusybox-workaround=true from +# meson setup options, for added security. +noblacklist ${PATH}/busybox +noblacklist ${PATH}/crontab +noblacklist ${PATH}/mount +noblacklist ${PATH}/nc +noblacklist ${PATH}/su +noblacklist ${PATH}/sudo +noblacklist ${PATH}/umount + +EOF +cat >>"$disable_common_inc" <"$2" +''', '--', sysconfdir, meson.current_source_dir() / 'inc/disable-common.inc', + ) else install_data('inc/disable-common.inc', install_dir: sysconfdir / project_name, diff --git a/src/bash_completion/meson.build b/src/bash_completion/meson.build index c78aa8727e0..833654be723 100644 --- a/src/bash_completion/meson.build +++ b/src/bash_completion/meson.build @@ -6,8 +6,7 @@ firejail_bash_completion = configure_file( custom_target('firejail.bash_completion', build_by_default: true, capture: true, - # BIG FAT FIXME: This will fail if -Dmanpage=false - command: [gawk, '-f', preproc_awk, '--', facilities, '@INPUT@'], + command: preproc_awk_cmd, input: firejail_bash_completion, install: true, install_dir: bashcompletiondir, diff --git a/src/man/meson.build b/src/man/meson.build index 142039f09b2..53f5e897edd 100644 --- a/src/man/meson.build +++ b/src/man/meson.build 
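Review bot: The install script builds its target as `$MESON_INSTALL_DESTDIR_PREFIX/$1/firejail/disable-common.inc`, which is only correct when `$1` is a prefix-relative path; `$1` is the `sysconfdir` variable, and whether that holds the relative option value or an already prefix-joined or absolute path (e.g. `-Dsysconfdir=/etc`) cannot be seen here, so for the absolute form the file would land under `<prefix>//etc/firejail` while the `install_data` branch below installs to the absolute directory. Meson also exports `DESTDIR` to install scripts, so `disable_common_inc="${DESTDIR}$1/firejail/disable-common.inc"` with the full directory passed as `$1` handles both forms. The script also creates the file under the caller's umask rather than the explicit mode `install_data` applies; a trailing `chmod 0644 "$disable_common_inc"` keeps the installed profile's permissions independent of the environment.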
@@ -1,37 +1,37 @@ -preproc_awk = files('preproc.awk') - # The kwarg env: of run_command is only supported by meson>=0.50 -month = run_command(sh, '-c', 'LC_ALL=C date -u +%b', check: true).stdout().strip() -year = run_command(sh, '-c', 'LC_ALL=C date -u +%Y', check: true).stdout().strip() +date = run_command(sh, '-c', 'LC_ALL=C date -u +%Y-%b', + check: true, +).stdout().strip().split('-') manconf = configuration_data() manconf.set('VERSION', meson.project_version()) -manconf.set('MONTH', month) -manconf.set('YEAR', year) +manconf.set('YEAR', date[0]) +manconf.set('MONTH', date[1]) -manpages = { - 'firecfg': '1', - 'firejail-login': '5', - 'firejail-profile': '5', - 'firejail': '1', - 'firejail-users': '5', - 'firemon': '1', - 'jailcheck': '1', -} +manpages = [ + 'firecfg.1', + 'firejail-login.5', + 'firejail-profile.5', + 'firejail.1', + 'firejail-users.5', + 'firemon.1', + 'jailcheck.1', +] -foreach manpage, section : manpages +foreach manpage : manpages + section = manpage.split('.')[1] configured_manpage = configure_file( configuration: manconf, - input: manpage + '.txt', + input: manpage.split('.')[0] + '.txt', output: '@PLAINNAME@', ) - custom_target(manpage + '.' + section, + custom_target(manpage, build_by_default: true, capture: true, - command: [gawk, '-f', preproc_awk, '--', facilities, '@INPUT@'], + command: preproc_awk_cmd, input: configured_manpage, install: true, install_dir: get_option('mandir') / 'man' + section, - output: manpage + '.' + section, + output: manpage, ) endforeach diff --git a/src/meson.build b/src/meson.build index 9ba5da59af7..7a6c4e3d402 100644 --- a/src/meson.build +++ b/src/meson.build 
@@ -2,11 +2,14 @@ # directly call the compiler. Therefore we need additional flags which # are set otherwise by meson. c_args_libtrace = ['-Wall', '-O2', '-shared', '-fPIC', '-Wl,-z,relro'] -#c_args_libtrace += ['-O' + get_option('optimization')] if get_option('werror') c_args_libtrace += ['-Werror'] endif +preproc_awk_cmd = [ + gawk, '-f', files('man/preproc.awk'), '--', facilities, '@INPUT@', +] + # # # # # # # # # # # APPS diff --git a/src/zsh_completion/meson.build b/src/zsh_completion/meson.build index 78484c15c79..c61ccb85572 100644 --- a/src/zsh_completion/meson.build +++ b/src/zsh_completion/meson.build @@ -6,8 +6,7 @@ firejail_zsh_completion = configure_file( custom_target('firejail.zsh_completion', build_by_default: true, capture: true, - # BIG FAT FIXME: This will fail if -Dmanpage=false - command: [gawk, '-f', preproc_awk, '--', facilities, '@INPUT@'], + command: preproc_awk_cmd, input: firejail_zsh_completion, install: true, install_dir: zshcompletiondir, From 995f7b7109d29743f85b5c564ae05bf99758c4cf Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 19:13:27 +0100 Subject: [PATCH 31/36] Update workflows --- .github/workflows/build-extra.yml | 6 +++--- .github/workflows/build.yml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index fcfbfa8a196..a9e8105f633 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -67,9 +67,9 @@ jobs: - name: Install meson run: pip install --pre meson==0.49.2 - name: meson setup - run: CC=clang-11 meson setup _builddir --werror + run: CC=clang-11 meson _builddir --werror - name: meson compile - run: meson compile -C _builddir + run: ninja -C _builddir scan-build: runs-on: ubuntu-20.04 steps: 
@@ -79,7 +79,7 @@ jobs: - name: Install meson run: pip install --pre meson - name: meson setup - run: CC=clang-11 meson setup _builddir --werror + run: CC=clang-11 meson _builddir --werror - name: scan-build run: ninja -C _builddir scan-build cppcheck: diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1b65a5a44c6..fcc4af32e71 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -80,11 +80,11 @@ jobs: - name: Install meson run: pip install meson - name: meson setup - run: CC=gcc-11 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + run: CC=gcc-11 meson _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true - name: meson compile run: ninja -C _builddir - name: meson install - run: sudo -E "$(which meson)" install -C _builddir --no-rebuild + run: sudo ninja -C _builddir install # TODO: Why do we run this for profile changes? # TODO: meson test #- name: meson test From f27fc9a2e66ee18c5999d8024ab6439dbc5e5423 Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 19:13:45 +0100 Subject: [PATCH 32/36] WE 19 --- meson.build | 24 +++++++----------------- meson_options.txt | 1 - 2 files changed, 7 insertions(+), 18 deletions(-) diff --git a/meson.build b/meson.build index 95908983a2d..008bcfbc566 100644 --- a/meson.build +++ b/meson.build @@ -2,10 +2,8 @@ project('firejail', 'c', license: 'GPL-2.0-or-later', default_options: [ # -D_FORTIFY_SOURCE=2 requires optimization - # TODO: Decide between buildtype=debugoptimized, - # buildtype=release and optimization=g|1|2 'buildtype=debugoptimized', - # TODO: 'strip=true', + 'strip=true', 'b_pie=true', ], # https://packages.debian.org/oldstable/meson 
@@ -39,16 +37,11 @@ libselinux = get_option('selinux') ? dependency('libselinux') : noopdep # # # # # # # # # # -# TODO: -# -Wl,-z,relro -Wl,-z,now -lpthread - -# TODO: lts -# -DHAVE_LTS -# suid = true -# man = true -# busybox-workaround = false -# contrib = false -# dbuxproxy = output = usertmpfs = firetunnel = private-home = chroot = globalcfg = userns = x11 = file-transfer = false +if get_option('lts') + foreach option : ['chroot', 'dbuxproxy', 'file-transfer', 'firetunnel', 'globalcfg', + 'output', 'private-home', 'userns', 'usertmpfs', 'x11'] + assert(get_option(option) == false, 'get_option(\'@0@\') == false'.foramt(option)) +endif # Enable static analysis if wanted and supported. @@ -60,10 +53,6 @@ endif c_args = [] if get_option('buildtype') != 'plain' c_args += c_compiler.get_supported_arguments([ - # Breaks CI with 'error: ‘-mindirect-branch’ and ‘-fcf-protection’ are not compatible'. TODO WHY?! - # How set -fcf-protection? This does work localy for me even with meson 0.49.2 - # (Fedora 34 / gcc 11.2.1 20210728 (Red Hat 11.2.1-1)) - #'-mindirect-branch=thunk', '-mretpoline', '-fstack-protector-strong', '-fstack-clash-protection', @@ -84,6 +73,7 @@ foreach option, flag : { 'firetunnel': '-DHAVE_FIRETUNNEL', 'force-nonewprivs': '-DHAVE_FORCE_NONEWPRIVS', 'globalcfg': '-DHAVE_GLOBALCFG', + 'lts': '-DHAVE_LTS', 'network': '-DHAVE_NETWORK', 'output': '-DHAVE_OUTPUT', 'private-home': '-DHAVE_PRIVATE_HOME', diff --git a/meson_options.txt b/meson_options.txt index b727cf53eaf..4d857505d89 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -34,7 +34,6 @@ option('usertmpfs', type: 'boolean', value: true, option('x11', type: 'boolean', value: true, description: 'X11 sandboxing support') -# TODO option('lts', type: 'boolean', value: false, description: 'LTS') From b13e588313106167f993c971e02516a90d7ae279 Mon Sep 17 00:00:00 2001 
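Review bot: The removed TODO in hunk `@@ -39,16 +37,11 @@` listed the `-Wl,-z,relro -Wl,-z,now` link hardening, but nothing on the new side adds link arguments — `c_args` only carries compile flags — so the TODO is dropped rather than resolved. Full RELRO matters for firejail, which is normally installed setuid root; add e.g. `link_args = c_compiler.get_supported_link_arguments(['-Wl,-z,relro', '-Wl,-z,now'])` next to the `c_args` block and pass it to the `executable()` calls, which are outside this hunk. `get_supported_link_arguments` has existed since meson 0.46, within the declared minimum. The new `if get_option('lts')` block in the same hunk also lacks `endforeach` and spells `.foramt`, though patch 33 on the next line fixes both.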
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 19:19:32 +0100 Subject: [PATCH 33/36] NHWE 20 --- meson.build | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/meson.build b/meson.build index 008bcfbc566..5849c01fbe2 100644 --- a/meson.build +++ b/meson.build @@ -38,9 +38,11 @@ libselinux = get_option('selinux') ? dependency('libselinux') : noopdep # # # # # # # # # # if get_option('lts') - foreach option : ['chroot', 'dbuxproxy', 'file-transfer', 'firetunnel', 'globalcfg', + # meson _builddir_lts --prefix=/usr -Dlts=true -Dchroot=false -Ddbusproxy=false -Dfile-transfer=false -Dfiretunnel=false -Dglobalcfg=false -Doutput=false -Dprivate-home=false -Duserns=false -Dusertmpfs=false -Dx11=false + foreach option : ['chroot', 'dbusproxy', 'file-transfer', 'firetunnel', 'globalcfg', 'output', 'private-home', 'userns', 'usertmpfs', 'x11'] - assert(get_option(option) == false, 'get_option(\'@0@\') == false'.foramt(option)) + assert(get_option(option) == false, 'get_option(\'@0@\') == false'.format(option)) + endforeach endif From c64f0036a6d73f39e69616e07c06a447bae4421d Mon Sep 17 00:00:00 2001 From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Sun, 31 Oct 2021 19:23:19 +0100 Subject: [PATCH 34/36] Update workflows --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index fcc4af32e71..42992b41789 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -84,7 +84,7 @@ jobs: - name: meson compile run: ninja -C _builddir - name: meson install - run: sudo ninja -C _builddir install + run: sudo -E ninja -C _builddir install # TODO: Why do we run this for profile changes? # TODO: meson test #- name: meson test From 5bf2e28595834795265fde7569cc53d4e82caba7 Mon Sep 17 00:00:00 2001 
From: rusty-snake <41237666+rusty-snake@users.noreply.github.com> Date: Tue, 2 Nov 2021 21:05:43 +0100 Subject: [PATCH 35/36] 21 --- meson.build | 11 +++++++++++ meson_options.txt | 1 - src/man/meson.build | 3 ++- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/meson.build b/meson.build index 5849c01fbe2..f3d18825540 100644 --- a/meson.build +++ b/meson.build @@ -120,6 +120,17 @@ install_data('COPYING', 'README', 'RELNOTES', # # # # # # # # # # +cppcheck = find_program('cppcheck', required: false) +if cppcheck.found() + run_target('cppcheck', + command: [ + cppcheck, '--force', '--error-exitcode=1', '--enable=warning,performance', meson.source_root(), + ], + ) +endif + +# # # # # # # # # # + show_summary = true if show_summary and meson.version().version_compare('>=0.53.0') summary('prefix', prefix, section: 'Directories') diff --git a/meson_options.txt b/meson_options.txt index 4d857505d89..c7e2ed1cd11 100644 --- a/meson_options.txt +++ b/meson_options.txt @@ -43,4 +43,3 @@ option('contrib', type: 'boolean', value: true, description: 'Install contrib files') option('manpage', type: 'boolean', value: true, description: 'Manpages') - diff --git a/src/man/meson.build b/src/man/meson.build index 53f5e897edd..1a6b44dac5f 100644 --- a/src/man/meson.build +++ b/src/man/meson.build @@ -1,5 +1,6 @@ # The kwarg env: of run_command is only supported by meson>=0.50 -date = run_command(sh, '-c', 'LC_ALL=C date -u +%Y-%b', +date = run_command(sh, '-c', + 'LC_ALL=C date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y-%b', check: true, ).stdout().strip().split('-') From d2d7b3192bf8807fb1c9e3d64944277bb8399bd0 Mon Sep 17 00:00:00 2001 
From: Topi Miettinen Date: Sat, 13 Apr 2024 14:41:44 +0300 Subject: [PATCH 36/36] WIP: meson build system Rebased and updated from #4656 by rusty-snake. Closes: #4642 --- .github/workflows/build-extra.yml | 32 ++---- .github/workflows/build.yml | 14 +-- .github/workflows/check-c.yml | 50 +++++----- .github/workflows/requirements.txt | 19 ++++ .github/workflows/test.yml | 130 +++++++++--------------- config.sh.in | 2 +- contrib/meson.build | 3 +- meson.build | 24 ++++- meson_options.txt | 6 ++ src/firejail/meson.build | 4 +- src/firemon/meson.build | 2 - src/fseccomp/meson.build | 1 + src/man/meson.build | 2 +- src/meson.build | 4 +- test/build-test.sh | 17 ++++ test/compile/compile.sh | 154 +++++++++++++++-------------- test/meson.build | 28 +++++- 17 files changed, 258 insertions(+), 234 deletions(-) create mode 100644 .github/workflows/requirements.txt create mode 100644 test/build-test.sh diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index a9e8105f633..406343ef9b8 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -49,9 +49,11 @@ jobs: egress-policy: block allowed-endpoints: > azure.archive.ubuntu.com:80 + files.pythonhosted.org:443 github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 + pypi.org:443 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 - name: update package information run: sudo apt-get update -qy 
@@ -61,32 +63,14 @@ jobs: libapparmor-dev libselinux1-dev - name: print env run: ./ci/printenv.sh - - uses: actions/checkout@v2 - name: install dependencies run: sudo apt-get install ninja-build - name: Install meson - run: pip install --pre meson==0.49.2 + run: pip install --pre meson==0.56.2 # https://packages.debian.org/oldstable/meson - name: meson setup - run: CC=clang-11 meson _builddir --werror + run: CC=clang-14 meson setup _builddir -Dprefix=/usr -Dapparmor=true -Dselinux=true --werror - name: meson compile - run: ninja -C _builddir - scan-build: - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v2 - - name: install dependencies - run: sudo apt-get install clang-tools-11 ninja-build - - name: Install meson - run: pip install --pre meson - - name: meson setup - run: CC=clang-11 meson _builddir --werror - - name: scan-build - run: ninja -C _builddir scan-build - cppcheck: - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v2 - - name: install cppcheck - run: sudo apt-get install cppcheck - - name: cppcheck - run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . + run: meson compile -C _builddir + - name: meson install + run: sudo apt-get install meson + - run: sudo meson install -C _builddir diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 42992b41789..3be25b87671 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
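Review bot: The step named `meson install` in the build-extra.yml hunk runs `sudo apt-get install meson`, and the actual `sudo meson install -C _builddir` is an unnamed step, so a failure is reported under the wrong label. Installing distro meson for the root step also means a build directory configured by the pip-installed 0.56.2 is then driven by whatever version apt ships, which may regenerate or refuse it; installing `meson` from apt in the dependencies step, as build.yml does on this same line, keeps one version throughout. `pip install --pre meson==0.56.2` is version-pinned but not hash-pinned, and the hash-pinned `.github/workflows/requirements.txt` this commit adds (meson 1.3.1) is not referenced by any visible workflow step, so the two pins disagree; use `pip install --require-hashes -r .github/workflows/requirements.txt` in one place and drop `--pre`, which does nothing for a pinned release.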
@@ -74,18 +74,12 @@ jobs: - name: install dependencies run: > sudo apt-get install -qy - gcc-12 libapparmor-dev libselinux1-dev expect ninja-build xzdec + gcc-12 libapparmor-dev libselinux1-dev ninja-build meson - name: print env run: ./ci/printenv.sh - - name: Install meson - run: pip install meson - name: meson setup - run: CC=gcc-11 meson _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + run: CC=gcc-12 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true - name: meson compile - run: ninja -C _builddir + run: meson compile -C _builddir - name: meson install - run: sudo -E ninja -C _builddir install - # TODO: Why do we run this for profile changes? - # TODO: meson test - #- name: meson test - # run: SHELL=/bin/bash meson test + run: sudo -E meson install -C _builddir diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index 307b0c37c69..f7209471f3f 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml @@ -62,17 +62,15 @@ jobs: - name: install clang-tools-14 and dependencies run: > sudo apt-get install -qy - clang-tools-14 libapparmor-dev libselinux1-dev + clang-tools-14 libapparmor-dev libselinux1-dev ninja-build meson - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=clang-14 SCAN_BUILD=scan-build-14 - --prefix=/usr --enable-fatal-warnings - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) + - name: meson setup + run: CC=clang-14 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: meson compile -C _builddir - name: scan-build - run: make scan-build + run: ninja -C _builddir scan-build cppcheck: runs-on: ubuntu-22.04 
@@ -93,14 +91,12 @@ jobs: - name: update package information run: sudo apt-get update -qy - name: install cppcheck - run: sudo apt-get install -qy cppcheck - - name: configure - run: > - ./configure CPPCHECK='cppcheck -q' - || (cat config.log; exit 1) - - run: cppcheck --version - - name: cppcheck - run: make cppcheck + run: sudo apt-get install -qy cppcheck ninja-build meson + - name: meson setup + run: CC=clang-14 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: cppcheck --version + - run: meson compile -C _builddir cppcheck # new cppcheck version currently chokes on checkcfg.c and main.c, therefore # scan all files also with older cppcheck version from ubuntu 20.04. @@ -124,14 +120,12 @@ jobs: - name: update package information run: sudo apt-get update -qy - name: install cppcheck - run: sudo apt-get install -qy cppcheck - - name: configure - run: > - ./configure CPPCHECK='cppcheck -q' - || (cat config.log; exit 1) - - run: cppcheck --version - - name: cppcheck-old - run: make cppcheck-old + run: sudo apt-get install -qy cppcheck ninja-build meson + - name: meson setup + run: CC=clang-14 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: cppcheck --version + - run: meson compile -C _builddir cppcheck codeql-cpp: permissions: @@ -165,11 +159,11 @@ jobs: with: languages: cpp - - name: configure - run: ./configure + - name: meson setup + run: CC=clang-14 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true - - name: make - run: make -j "$(nproc)" + - name: meson compile + run: meson compile -C _builddir - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a diff --git a/.github/workflows/requirements.txt b/.github/workflows/requirements.txt new file mode 100644 index 00000000000..0c41a98fef9 --- /dev/null 
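Review bot: The step names in the cppcheck hunk are shifted: the step named `meson compile` runs `cppcheck --version`, and the unnamed step after it runs the actual `meson compile -C _builddir cppcheck`, which makes the job log misleading. Swap them to `- run: cppcheck --version` followed by `- name: cppcheck` / `run: meson compile -C _builddir cppcheck`; the cppcheck-old hunk has the same layout. Note also that `CC=clang-14` is set here although only cppcheck, ninja-build and meson are installed in this job; this works only if the runner image already ships clang-14, which the hunk does not guarantee.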
+++ b/.github/workflows/requirements.txt
@@ -0,0 +1,19 @@
+meson==1.3.1 \
+ --hash=sha256:6020568bdede1643d4fb41e28215be38eff5d52da28ac7d125457c59e0032ad7 \
+ --hash=sha256:d5223ecca9564d735d36daaba2571abc6c032c8c3a7ffa0674e803ef0c7e0219
+ninja==1.11.1.1 \
+ --hash=sha256:18302d96a5467ea98b68e1cae1ae4b4fb2b2a56a82b955193c637557c7273dbd \
+ --hash=sha256:185e0641bde601e53841525c4196278e9aaf4463758da6dd1e752c0a0f54136a \
+ --hash=sha256:376889c76d87b95b5719fdd61dd7db193aa7fd4432e5d52d2e44e4c497bdbbee \
+ --hash=sha256:3e0f9be5bb20d74d58c66cc1c414c3e6aeb45c35b0d0e41e8d739c2c0d57784f \
+ --hash=sha256:73b93c14046447c7c5cc892433d4fae65d6364bec6685411cb97a8bcf815f93a \
+ --hash=sha256:7563ce1d9fe6ed5af0b8dd9ab4a214bf4ff1f2f6fd6dc29f480981f0f8b8b249 \
+ --hash=sha256:76482ba746a2618eecf89d5253c0d1e4f1da1270d41e9f54dfbd91831b0f6885 \
+ --hash=sha256:84502ec98f02a037a169c4b0d5d86075eaf6afc55e1879003d6cab51ced2ea4b \
+ --hash=sha256:95da904130bfa02ea74ff9c0116b4ad266174fafb1c707aa50212bc7859aebf1 \
+ --hash=sha256:9d793b08dd857e38d0b6ffe9e6b7145d7c485a42dcfea04905ca0cdb6017cc3c \
+ --hash=sha256:9df724344202b83018abb45cb1efc22efd337a1496514e7e6b3b59655be85205 \
+ --hash=sha256:aad34a70ef15b12519946c5633344bc775a7656d789d9ed5fdb0d456383716ef \
+ --hash=sha256:d491fc8d89cdcb416107c349ad1e3a735d4c4af5e1cb8f5f727baca6350fdaea \
+ --hash=sha256:ecf80cf5afd09f14dcceff28cb3f11dc90fb97c999c89307aea435889cb66877 \
+ --hash=sha256:fa2ba9d74acfdfbfbcf06fad1b8282de8a7a8c481d9dee45c859a8c93fcc1082
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fb10f2b7feb..8b8e41fa940 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -68,29 +68,17 @@ jobs: - name: install dependencies run: > sudo apt-get install -qy - gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils + gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils ninja-build meson - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=gcc-12 - --prefix=/usr --enable-fatal-warnings --enable-analyzer - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) - - name: make - run: make -j "$(nproc)" - - name: make install - run: sudo make install - - name: print version - run: make print-version - - run: make lab-setup - - run: make test-seccomp-extra - - run: make test-firecfg - - run: make test-capabilities - - run: make test-apparmor - - run: make test-appimage - - run: make test-chroot - - run: make test-fcopy + - name: meson setup + run: CC=gcc-12 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: meson compile -C _builddir + - name: meson install + run: sudo -E meson install -C _builddir + - name: test main + run: meson test -C _builddir seccomp-extra firecfg capabilities apparmor appimage chroot fcopy # # Slower tests 
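Review bot: The removed `make lab-setup` and `make print-version` steps have no equivalent in the new flow, yet the old steps ran lab-setup before every test target in every test job. If the expect-based tests depend on that setup (users, directories, network bridges), `meson test -C _builddir seccomp-extra …` will fail or, worse, pass vacuously; either add the setup as a preceding step or make it a meson test that the others depend on via `is_parallel: false` ordering. The same omission appears in the test-fs, test-environment, test-utils and test-network hunks below.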
@@ -117,24 +105,17 @@ jobs: - name: install dependencies run: > sudo apt-get install -qy - gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils + gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils ninja-build meson - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=gcc-12 - --prefix=/usr --enable-fatal-warnings --enable-analyzer - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) - - name: make - run: make -j "$(nproc)" - - name: make install - run: sudo make install - - name: print version - run: make print-version - - run: make lab-setup - - run: make test-private-etc - - run: make test-fs + - name: meson setup + run: CC=gcc-12 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: meson compile -C _builddir + - name: meson install + run: sudo -E meson install -C _builddir + - name: test fs + run: meson test -C _builddir private-etc fs test-environment: runs-on: ubuntu-22.04 
@@ -157,24 +138,17 @@ jobs: - name: install dependencies run: > sudo apt-get install -qy - gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils + gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils ninja-build meson - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=gcc-12 - --prefix=/usr --enable-fatal-warnings --enable-analyzer - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) - - name: make - run: make -j "$(nproc)" - - name: make install - run: sudo make install - - name: print version - run: make print-version - - run: make lab-setup - - run: make test-environment - - run: make test-profiles + - name: meson setup + run: CC=gcc-12 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: meson compile -C _builddir + - name: meson install + run: sudo -E meson install -C _builddir + - name: test environment + run: meson test -C _builddir environment profiles test-utils: runs-on: ubuntu-22.04 
@@ -200,23 +174,17 @@ jobs: - name: install dependencies run: > sudo apt-get install -qy - gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils + gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils ninja-build meson - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=gcc-12 - --prefix=/usr --enable-fatal-warnings --enable-analyzer - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) - - name: make - run: make -j "$(nproc)" - - name: make install - run: sudo make install - - name: print version - run: make print-version - - run: make lab-setup - - run: make test-utils + - name: meson setup + run: CC=gcc-12 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: meson compile -C _builddir + - name: meson install + run: sudo -E meson install -C _builddir + - name: test utils + run: meson test -C _builddir utils test-network: runs-on: ubuntu-22.04 @@ -247,22 +215,14 @@ jobs: run: > sudo apt-get install -qy gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois - bridge-utils + bridge-utils ninja-build meson - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=gcc-12 - --prefix=/usr --enable-fatal-warnings --enable-analyzer - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) - - name: make - run: make -j "$(nproc)" - - name: make install - run: sudo make install - - name: print version - run: make print-version - - run: make lab-setup - - run: make test-fnetfilter - - run: make test-sysutils - - run: make test-network + - name: meson setup + run: CC=gcc-12 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: meson compile -C _builddir + - name: meson install + run: sudo -E meson install -C _builddir + - name: test network + run: meson test -C _builddir fnetfilter sysutils network 
diff --git a/config.sh.in b/config.sh.in index 0a91c68f273..9883e20b35b 100644 --- a/config.sh.in +++ b/config.sh.in @@ -1,4 +1,4 @@ -# @configure_input@ +# configure_input # # shellcheck shell=sh # shellcheck disable=SC2034 diff --git a/contrib/meson.build b/contrib/meson.build index 78f7f7a081c..7f1052643f4 100644 --- a/contrib/meson.build +++ b/contrib/meson.build @@ -1,5 +1,4 @@ contrib_scripts = [ - 'firejail-welcome.sh', 'fix_private-bin.py', 'fjclip.py', 'fjdisplay.py', @@ -19,6 +18,6 @@ install_data(contrib_scripts, install_data('vim/ftdetect/firejail.vim', install_dir: datadir / 'vim' / 'vimfiles' / 'ftdetect', ) -install_data('vim/syntax/firejail.vim', +install_data('syntax/files/firejail.vim.in', install_dir: datadir / 'vim' / 'vimfiles' / 'syntax', ) diff --git a/meson.build b/meson.build index f3d18825540..b08d40ef037 100644 --- a/meson.build +++ b/meson.build @@ -7,8 +7,8 @@ project('firejail', 'c', 'b_pie=true', ], # https://packages.debian.org/oldstable/meson - meson_version: '>=0.49.2', - version: '0.9.67', + meson_version: '>=0.56.2', + version: '0.9.73', ) # # # # # # # # # # @@ -75,14 +75,17 @@ foreach option, flag : { 'firetunnel': '-DHAVE_FIRETUNNEL', 'force-nonewprivs': '-DHAVE_FORCE_NONEWPRIVS', 'globalcfg': '-DHAVE_GLOBALCFG', + 'ids': '-DHAVE_IDS', 'lts': '-DHAVE_LTS', 'network': '-DHAVE_NETWORK', 'output': '-DHAVE_OUTPUT', +# 'overlayfs': '-DHAVE_OVERLAYFS', 'private-home': '-DHAVE_PRIVATE_HOME', 'selinux': '-DHAVE_SELINUX', 'suid': '-DHAVE_SUID', 'userns': '-DHAVE_USERNS', 'usertmpfs': '-DHAVE_USERTMPFS', +# 'whitelist': '-DHAVE_WHITELIST', 'x11': '-DHAVE_X11', } 
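Review bot: In contrib/meson.build, `install_data('syntax/files/firejail.vim.in', …)` installs the template under its `.in` basename into the vim syntax directory, where vim will not load it as `firejail.vim`. If the file is a template, run it through `configure_file(…, output: 'firejail.vim', install: true, install_dir: …)` (or a custom_target that generates it) instead of install_data; if it is not, install it under the `.vim` name with `rename:`. The hunk also removes `firejail-welcome.sh` from contrib_scripts without a note on where it went.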
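Review bot: In the top-level meson.build hunk, the `'overlayfs'` and `'whitelist'` entries of the option-to-define map are commented out, while the same commit adds `option('overlayfs', …)` and `option('whitelist', …)` to meson_options.txt, lists both in the summary, and passes `-Doverlayfs=false` / `-Dwhitelist=false` in test/compile/compile.sh expecting a different build. As written, toggling either option changes nothing in the compiled code, so those compile tests only exercise the default build. Either restore `'overlayfs': '-DHAVE_OVERLAYFS',` and `'whitelist': '-DHAVE_WHITELIST',` (if the sources still consult those macros) or drop the options, and add a comment saying why if the mapping stays disabled.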
@@ -148,13 +151,16 @@ if show_summary and meson.version().version_compare('>=0.53.0') summary('firetunnel', get_option('firetunnel'), section: 'Facilities') summary('force-nonewprivs', get_option('force-nonewprivs'), section: 'Facilities') summary('globalcfg', get_option('globalcfg'), section: 'Facilities') + summary('ids', get_option('ids'), section: 'Facilities') summary('network', get_option('network'), section: 'Facilities') summary('output', get_option('output'), section: 'Facilities') + summary('overlayfs', get_option('overlayfs'), section: 'Facilities') summary('private-home', get_option('private-home'), section: 'Facilities') summary('selinux', get_option('selinux'), section: 'Facilities') summary('suid', get_option('suid'), section: 'Facilities') summary('userns', get_option('userns'), section: 'Facilities') summary('usertmpfs', get_option('usertmpfs'), section: 'Facilities') + summary('whitelist', get_option('whitelist'), section: 'Facilities') summary('x11', get_option('x11'), section: 'Facilities') summary('lts', get_option('lts'), section: 'LTS') @@ -163,3 +169,17 @@ if show_summary and meson.version().version_compare('>=0.53.0') summary('contrib', get_option('contrib'), section: 'Misc') summary('manpage', get_option('manpage'), section: 'Misc') endif + +conf = configuration_data() +conf.set('PACKAGE_BUGREPORT', 'netblue30@protonmail.com') +conf.set('PACKAGE_NAME', 'firejail') +conf.set('PACKAGE_STRING', 'firejail ' + meson.project_version()) +conf.set('PACKAGE_TARNAME', 'firejail') +conf.set('PACKAGE_VERSION', meson.project_version()) +conf.set_quoted('PACKAGE_URL', 'https://firejail.wordpress.com') + +test_config_sh = configure_file( + configuration: conf, + input: 'config.sh.in', + output: '@BASENAME@', +) diff --git a/meson_options.txt b/meson_options.txt index c7e2ed1cd11..b6cfe40be06 100644 --- a/meson_options.txt +++ b/meson_options.txt 
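Review bot: The new `conf` block quotes only `PACKAGE_URL` via `set_quoted` while `PACKAGE_STRING` (which contains a space, `'firejail ' + meson.project_version()`) and the others use plain `set`; if config.sh.in substitutes these into unquoted shell assignments, the generated config.sh will break at `PACKAGE_STRING=firejail 0.9.73`, whereas if the template already quotes them, `PACKAGE_URL` ends up double-quoted. Pick one convention for all six keys and match it to config.sh.in, which is not visible in this diff. `test_config_sh` is also assigned but not used in any visible hunk; a short comment saying what consumes it (or dropping the assignment) would help.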
@@ -17,10 +17,14 @@ option('force-nonewprivs', type: 'boolean', value: true, description: 'force nonewprivs') option('globalcfg', type: 'boolean', value: true, description: 'Abort execution if the global config is not present') +option('ids', type: 'boolean', value: false, + description: 'IDS support') option('network', type: 'boolean', value: true, description: 'network') option('output', type: 'boolean', value: true, description: '--output logging') +option('overlayfs', type: 'boolean', value: true, + description: 'overlayfs support') option('private-home', type: 'boolean', value: true, description: 'private home feature') option('selinux', type: 'boolean', value: false, @@ -31,6 +35,8 @@ option('userns', type: 'boolean', value: true, description: 'user namespace') option('usertmpfs', type: 'boolean', value: true, description: 'tmpfs as regular user') +option('whitelist', type: 'boolean', value: true, + description: 'whitelist support') option('x11', type: 'boolean', value: true, description: 'X11 sandboxing support') diff --git a/src/firejail/meson.build b/src/firejail/meson.build index 8f9306613d7..71001ea8b20 100644 --- a/src/firejail/meson.build +++ b/src/firejail/meson.build @@ -5,7 +5,6 @@ firejail_sources = [ 'arp.c', 'bandwidth.c', 'caps.c', - 'cgroup.c', 'checkcfg.c', 'chroot.c', 'cmdline.c', @@ -28,6 +27,7 @@ firejail_sources = [ 'fs_whitelist.c', 'ids.c', 'join.c', + 'landlock.c', 'ls.c', 'macros.c', 'mountinfo.c', @@ -36,9 +36,11 @@ firejail_sources = [ 'network.c', 'network_main.c', 'no_sandbox.c', + 'oom.c', 'output.c', 'paths.c', 'preproc.c', + 'process.c', 'profile.c', 'protocol.c', 'pulseaudio.c', diff --git a/src/firemon/meson.build b/src/firemon/meson.build index de3e2bbc98c..73126199619 100644 --- a/src/firemon/meson.build +++ b/src/firemon/meson.build @@ -3,9 +3,7 @@ firemon_sources = [ 'apparmor.c', 'arp.c', 'caps.c', - 'cgroup.c', 'cpu.c', - 'interface.c', 'list.c', 'netstats.c', 'procevent.c', 
diff --git a/src/fseccomp/meson.build b/src/fseccomp/meson.build index 1518c5be8b2..b0a7751d512 100644 --- a/src/fseccomp/meson.build +++ b/src/fseccomp/meson.build @@ -1,6 +1,7 @@ fseccomp_sources = [ 'main.c', 'protocol.c', + 'namespaces.c', 'seccomp.c', 'seccomp_file.c', 'seccomp_secondary.c', diff --git a/src/man/meson.build b/src/man/meson.build index 1a6b44dac5f..a6b9571d023 100644 --- a/src/man/meson.build +++ b/src/man/meson.build @@ -23,7 +23,7 @@ foreach manpage : manpages section = manpage.split('.')[1] configured_manpage = configure_file( configuration: manconf, - input: manpage.split('.')[0] + '.txt', + input: manpage + '.in', output: '@PLAINNAME@', ) custom_target(manpage, diff --git a/src/meson.build b/src/meson.build index 7a6c4e3d402..dbcd1c71966 100644 --- a/src/meson.build +++ b/src/meson.build @@ -21,7 +21,9 @@ subdir('profstats') # SBOX_APPS subdir('fbuilder') -subdir('fids') +if get_option('ids') + subdir('fids') +endif subdir('ftee') # SBOX_APPS_NON_DUMPABLE diff --git a/test/build-test.sh b/test/build-test.sh new file mode 100644 index 00000000000..b631640fa6c --- /dev/null +++ b/test/build-test.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +set -e +src=$1 +dir=$2 +build=$3 +log=test/${dir}.log + +echo src:$src +echo dir:$dir +echo log:$log +echo build:$build + +(cd $src/$dir && BUILD_ROOT=$build ./${dir}.sh 2>&1) | tee $log +grep -a TESTING $log && ! grep -a -q "TESTING ERROR" $log + +exit 0 diff --git a/test/compile/compile.sh b/test/compile/compile.sh index f3e5c4f33a2..d52d1451a9b 100755 --- a/test/compile/compile.sh +++ b/test/compile/compile.sh @@ -12,7 +12,8 @@ # --enable-analyzer enable GCC 10 static analyzer # shellcheck source=config.sh -. "$(dirname "$0")/../../config.sh" || exit 1 +echo PWD: $PWD +. "$BUILD_ROOT/config.sh" || exit 1 arr[1]="TEST 1: standard compilation" arr[2]="TEST 2: compile dbus proxy disabled" 
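Review bot: test/build-test.sh can never fail: under `set -e` the pipeline `… | tee $log` reports tee's status, the `&&` list on the next line is exempt from `-e`, its last command starts with `!` (also exempt), and the script then runs an unconditional `exit 0`, so meson will mark every test as passed regardless of TESTING ERROR lines. Replace the check with explicit exits, e.g. `grep -a TESTING "$log" || exit 1` and `! grep -a -q "TESTING ERROR" "$log" || exit 1`, keeping the final `exit 0`. While there, quote `"$src/$dir"`, `"./${dir}.sh"` and `"$log"`; `log=test/${dir}.log` is also relative to whatever cwd meson runs the test in, which I assume is the build root but the script does not check.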
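Review bot: The compile.sh hunk leaves a debugging `echo PWD: $PWD` in place before sourcing `"$BUILD_ROOT/config.sh"`; either remove it or turn it into a meaningful diagnostic such as `echo "BUILD_ROOT: ${BUILD_ROOT:?BUILD_ROOT must be set}"`, which also fails early with a clear message instead of trying to source `/config.sh` when the variable is unset. The header comment in this hunk still documents `--enable-analyzer` from the old configure script, which the converted tests no longer use.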
@@ -77,14 +78,15 @@ cleanup #***************************************************************** print_title "${arr[1]}" echo "$DIST" -tar -xJvf ../../"$DIST.tar.xz" +(cd "$BUILD_ROOT" && meson dist --allow-dirty --no-tests) +tar -xJvf "$BUILD_ROOT"/meson-dist/"$DIST.tar.xz" mv "$DIST" firejail cd firejail || exit 1 -./configure --prefix=/usr --enable-fatal-warnings \ +meson setup _builddir --prefix=/usr --werror \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test1 grep Error output-configure output-make >> ./report-test1 @@ -99,12 +101,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[2]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --disable-dbusproxy \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Ddbusproxy=false \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test2 grep Error output-configure output-make >> ./report-test2 @@ -119,12 +121,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[3]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --disable-chroot \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dchroot=false \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test3 grep Error output-configure output-make >> ./report-test3 
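Review bot: From TEST 2 onwards each block does `rm -rf _builddir` and then `meson setup --reconfigure _builddir …`, which is contradictory: `--reconfigure` is for an existing build directory, and on a freshly deleted one it either errors out or is a no-op depending on the meson version, so the intent is unclear to the next reader. Either keep the build directory and rely on `--reconfigure` alone, or delete it and use a plain `meson setup _builddir …`; the same pattern repeats in every remaining compile.sh hunk (TEST 3 through TEST 19). The tests also build with `ninja -C _builddir` while the workflows in this diff use `meson compile -C _builddir`; using one form throughout keeps the two in step when backend flags change.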
@@ -139,12 +141,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[4]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --disable-firetunnel \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dfiretunnel=false \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test4 grep Error output-configure output-make >> ./report-test4 @@ -159,12 +161,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[5]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --disable-userns \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Duserns=false \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test5 grep Error output-configure output-make >> ./report-test5 @@ -180,12 +182,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[6]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --disable-network \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dnetwork=false \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test6 grep Error output-configure output-make >> ./report-test6 
@@ -200,12 +202,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[7]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --disable-x11 \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dx11=false \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test7 grep Error output-configure output-make >> ./report-test7 @@ -220,12 +222,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[8]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --enable-selinux \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dselinux=true \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test8 grep Error output-configure output-make >> ./report-test8 @@ -240,12 +242,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[9]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --disable-file-transfer \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dfile-transfer=false \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test9 grep Error output-configure output-make >> ./report-test9 
@@ -260,12 +262,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[10]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --disable-whitelist \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dwhitelist=false \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test10 grep Error output-configure output-make >> ./report-test10 @@ -280,12 +282,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[11]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --disable-globalcfg \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dglobalcfg=false \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test11 grep Error output-configure output-make >> ./report-test11 @@ -300,12 +302,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[12]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --enable-apparmor \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dapparmor=true \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test12 grep Error output-configure output-make >> ./report-test12 
@@ -320,12 +322,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[13]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --enable-busybox-workaround \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dbusybox-workaround=true \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test13 grep Error output-configure output-make >> ./report-test13 @@ -340,12 +342,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[14]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --disable-overlayfs \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Doverlayfs=false \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test14 grep Error output-configure output-make >> ./report-test14 @@ -360,12 +362,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[15]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --disable-private-home \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dprivate-home=false \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test15 grep Error output-configure output-make >> ./report-test15 
@@ -380,12 +382,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[16]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --disable-man \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dmanpage=false \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test16 grep Error output-configure output-make >> ./report-test16 @@ -400,12 +402,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[17]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --disable-usertmpfs \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dusertmpfs=false \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test17 grep Error output-configure output-make >> ./report-test17 @@ -420,12 +422,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[18]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --disable-private-home \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dprivate-home=false \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test18 grep Error output-configure output-make >> ./report-test18 
@@ -440,12 +442,12 @@ rm output-configure output-make #***************************************************************** print_title "${arr[19]}" cd firejail || exit 1 -make distclean -./configure --prefix=/usr --enable-fatal-warnings \ - --enable-ids \ +rm -rf _builddir +meson setup --reconfigure _builddir --prefix=/usr --werror \ + -Dids=true \ 2>&1 | tee ../output-configure -make -j "$(nproc)" 2>&1 | tee ../output-make +ninja -C _builddir 2>&1 | tee ../output-make cd .. grep Warning output-configure output-make > ./report-test19 grep Error output-configure output-make >> ./report-test19 diff --git a/test/meson.build b/test/meson.build index 464090415c4..8d867210949 100644 --- a/test/meson.build +++ b/test/meson.build @@ -1 +1,27 @@ -# TODO +test_dirs = [ + 'apparmor', + 'appimage', + 'apps', + 'apps-x11', + 'apps-x11-xorg', + 'capabilities', + 'chroot', + 'compile', + 'environment', + 'fcopy', + 'filters', + 'firecfg', + 'fnetfilter', + 'fs', + 'network', + 'private-etc', + 'private-lib', + 'profiles', + 'seccomp-extra', + 'sysutils', + 'utils', +] +build_test_sh = files('build-test.sh') +foreach test_dir : test_dirs + test(test_dir, build_test_sh, args: [meson.current_source_dir(), test_dir, meson.project_build_root()], timeout: 600) +endforeach
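Review bot: The `test()` call in test/meson.build applies a single `timeout: 600` and default parallelism to all 21 directories, including `compile`, whose script (earlier in this diff) runs `meson dist` plus nineteen full configure-and-build cycles, which is unlikely to finish in 600 s. Consider `timeout: 0` or a per-directory timeout for `compile`, and `is_parallel: false` for tests that share system state (the sandbox, network and chroot tests install into and modify the host, and compile.sh writes `output-*` and `report-test*` files relative to the source tree). A comment on `build_test_sh` saying that each `<dir>.sh` is expected to print `TESTING` lines and `TESTING ERROR` on failure would document the contract build-test.sh relies on.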