diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index 5b44e7b9f7d..406343ef9b8 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml @@ -49,9 +49,11 @@ jobs: egress-policy: block allowed-endpoints: > azure.archive.ubuntu.com:80 + files.pythonhosted.org:443 github.com:443 packages.microsoft.com:443 ppa.launchpadcontent.net:443 + pypi.org:443 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 - name: update package information run: sudo apt-get update -qy @@ -61,15 +63,14 @@ jobs: libapparmor-dev libselinux1-dev - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=clang-14 - --prefix=/usr --enable-fatal-warnings - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) - - name: make - run: make - - name: make install - run: sudo make install - - name: print version - run: make print-version + - name: install dependencies + run: sudo apt-get install ninja-build + - name: Install meson + run: pip install --pre meson==0.56.2 # https://packages.debian.org/oldstable/meson + - name: meson setup + run: CC=clang-14 meson setup _builddir -Dprefix=/usr -Dapparmor=true -Dselinux=true --werror + - name: meson compile + run: meson compile -C _builddir + - name: meson install + run: sudo apt-get install meson + - run: sudo meson install -C _builddir diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 60420d4419a..3be25b87671 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
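Review bot: In the build-extra hunk the step named `meson install` runs `sudo apt-get install meson`, so the `sudo meson install -C _builddir` on the next line executes the distro meson rather than the pip-installed 0.56.2 that `meson setup` and `meson compile` ran with, which undercuts the purpose of this job (exercising the `meson_version: '>=0.56.2'` floor declared in meson.build) and leaves the step misnamed. Presumably the apt install is there because sudo's secure_path cannot see a user-site pip install; resolving the binary explicitly avoids that without a second meson: `- name: meson install` / `run: sudo "$(command -v meson)" install -C _builddir`. Separately, `pip install --pre meson==0.56.2` is pinned by version only, while the hash-pinned `.github/workflows/requirements.txt` added in this commit is not referenced by any workflow in the diff (and pins 1.3.1, not 0.56.2); for a job whose egress allow-list was just opened to pypi.org and files.pythonhosted.org, `pip install --require-hashes -r <file>` with the intended version in that file is the safer form. The job's earlier steps (checkout, apt update) are in the preceding hunk.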
@@ -74,18 +74,12 @@ jobs: - name: install dependencies run: > sudo apt-get install -qy - gcc-12 libapparmor-dev libselinux1-dev + gcc-12 libapparmor-dev libselinux1-dev ninja-build meson - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=gcc-12 - --prefix=/usr --enable-fatal-warnings --enable-analyzer - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) - - name: make - run: make - - name: make install - run: sudo make install - - name: print version - run: make print-version + - name: meson setup + run: CC=gcc-12 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: meson compile -C _builddir + - name: meson install + run: sudo -E meson install -C _builddir diff --git a/.github/workflows/check-c.yml b/.github/workflows/check-c.yml index 307b0c37c69..f7209471f3f 100644 --- a/.github/workflows/check-c.yml +++ b/.github/workflows/check-c.yml @@ -62,17 +62,15 @@ jobs: - name: install clang-tools-14 and dependencies run: > sudo apt-get install -qy - clang-tools-14 libapparmor-dev libselinux1-dev + clang-tools-14 libapparmor-dev libselinux1-dev ninja-build meson - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=clang-14 SCAN_BUILD=scan-build-14 - --prefix=/usr --enable-fatal-warnings - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) + - name: meson setup + run: CC=clang-14 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: meson compile -C _builddir - name: scan-build - run: make scan-build + run: ninja -C _builddir scan-build cppcheck: runs-on: ubuntu-22.04 
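Review bot: The new `scan-build` step in check-c.yml runs `ninja -C _builddir scan-build` without pinning the analyzer, whereas the removed configure line selected `SCAN_BUILD=scan-build-14`; meson's built-in scan-build target uses whichever scan-build it detects unless told otherwise, so on a runner image that ships several versions the one used is not necessarily the one this job installs. Pinning it keeps the job deterministic: `run: SCANBUILD=scan-build-14 ninja -C _builddir scan-build`. I also cannot tell from the diff whether the target fails the job on findings; if it does not, the step is only a report and a comment on the step should say so. The `-Danalyzer=true` passed alongside `CC=clang-14` is harmless (meson.build only adds `-fanalyzer` when the compiler accepts it) but misleading in a clang job.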
@@ -93,14 +91,12 @@ jobs: - name: update package information run: sudo apt-get update -qy - name: install cppcheck - run: sudo apt-get install -qy cppcheck - - name: configure - run: > - ./configure CPPCHECK='cppcheck -q' - || (cat config.log; exit 1) - - run: cppcheck --version - - name: cppcheck - run: make cppcheck + run: sudo apt-get install -qy cppcheck ninja-build meson + - name: meson setup + run: CC=clang-14 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: cppcheck --version + - run: meson compile -C _builddir cppcheck # new cppcheck version currently chokes on checkcfg.c and main.c, therefore # scan all files also with older cppcheck version from ubuntu 20.04. @@ -124,14 +120,12 @@ jobs: - name: update package information run: sudo apt-get update -qy - name: install cppcheck - run: sudo apt-get install -qy cppcheck - - name: configure - run: > - ./configure CPPCHECK='cppcheck -q' - || (cat config.log; exit 1) - - run: cppcheck --version - - name: cppcheck-old - run: make cppcheck-old + run: sudo apt-get install -qy cppcheck ninja-build meson + - name: meson setup + run: CC=clang-14 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: cppcheck --version + - run: meson compile -C _builddir cppcheck codeql-cpp: permissions: @@ -165,11 +159,11 @@ jobs: with: languages: cpp - - name: configure - run: ./configure + - name: meson setup + run: CC=clang-14 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true - - name: make - run: make -j "$(nproc)" + - name: meson compile + run: meson compile -C _builddir - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a diff --git a/.github/workflows/requirements.txt b/.github/workflows/requirements.txt new file mode 100644 index 00000000000..0c41a98fef9 --- /dev/null 
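Review bot: In the cppcheck job the step named `meson compile` runs `cppcheck --version` and the unnamed step after it runs `meson compile -C _builddir cppcheck`, so the names no longer describe what runs. Swap them: `- name: cppcheck version` / `run: cppcheck --version` and `- name: cppcheck` / `run: meson compile -C _builddir cppcheck`. Note also that `CC=clang-14` with `-Danalyzer=true` now makes this lint job depend on clang-14 being preinstalled on the image, even though the job only installs cppcheck.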
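Review bot: The cppcheck-old job now does `sudo apt-get install -qy cppcheck ninja-build meson` followed by `meson setup`, but the comment above it says its reason to exist is running on Ubuntu 20.04, whose packaged meson (0.53.x) is below the `meson_version: '>=0.56.2'` floor in the new meson.build and whose image does not ship clang-14; if `runs-on` for this job is still ubuntu-20.04 (that line is outside the hunk), `meson setup` fails before cppcheck ever runs. Either install meson from the hash-pinned file this commit adds (`pip install --require-hashes -r .github/workflows/requirements.txt`) and use a compiler the image has, or skip meson entirely and run cppcheck on the source tree directly as the removed `make cppcheck-old` target presumably did. Both jobs now run the same `cppcheck` target, so the only remaining difference is the cppcheck binary; the comment should say that.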
+++ b/.github/workflows/requirements.txt
@@ -0,0 +1,19 @@
+meson==1.3.1 \
+ --hash=sha256:6020568bdede1643d4fb41e28215be38eff5d52da28ac7d125457c59e0032ad7 \
+ --hash=sha256:d5223ecca9564d735d36daaba2571abc6c032c8c3a7ffa0674e803ef0c7e0219
+ninja==1.11.1.1 \
+ --hash=sha256:18302d96a5467ea98b68e1cae1ae4b4fb2b2a56a82b955193c637557c7273dbd \
+ --hash=sha256:185e0641bde601e53841525c4196278e9aaf4463758da6dd1e752c0a0f54136a \
+ --hash=sha256:376889c76d87b95b5719fdd61dd7db193aa7fd4432e5d52d2e44e4c497bdbbee \
+ --hash=sha256:3e0f9be5bb20d74d58c66cc1c414c3e6aeb45c35b0d0e41e8d739c2c0d57784f \
+ --hash=sha256:73b93c14046447c7c5cc892433d4fae65d6364bec6685411cb97a8bcf815f93a \
+ --hash=sha256:7563ce1d9fe6ed5af0b8dd9ab4a214bf4ff1f2f6fd6dc29f480981f0f8b8b249 \
+ --hash=sha256:76482ba746a2618eecf89d5253c0d1e4f1da1270d41e9f54dfbd91831b0f6885 \
+ --hash=sha256:84502ec98f02a037a169c4b0d5d86075eaf6afc55e1879003d6cab51ced2ea4b \
+ --hash=sha256:95da904130bfa02ea74ff9c0116b4ad266174fafb1c707aa50212bc7859aebf1 \
+ --hash=sha256:9d793b08dd857e38d0b6ffe9e6b7145d7c485a42dcfea04905ca0cdb6017cc3c \
+ --hash=sha256:9df724344202b83018abb45cb1efc22efd337a1496514e7e6b3b59655be85205 \
+ --hash=sha256:aad34a70ef15b12519946c5633344bc775a7656d789d9ed5fdb0d456383716ef \
+ --hash=sha256:d491fc8d89cdcb416107c349ad1e3a735d4c4af5e1cb8f5f727baca6350fdaea \
+ --hash=sha256:ecf80cf5afd09f14dcceff28cb3f11dc90fb97c999c89307aea435889cb66877 \
+ --hash=sha256:fa2ba9d74acfdfbfbcf06fad1b8282de8a7a8c481d9dee45c859a8c93fcc1082
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fb10f2b7feb..8b8e41fa940 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -68,29 +68,17 @@ jobs: - name: install dependencies run: > sudo apt-get install -qy - gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils + gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils ninja-build meson - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=gcc-12 - --prefix=/usr --enable-fatal-warnings --enable-analyzer - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) - - name: make - run: make -j "$(nproc)" - - name: make install - run: sudo make install - - name: print version - run: make print-version - - run: make lab-setup - - run: make test-seccomp-extra - - run: make test-firecfg - - run: make test-capabilities - - run: make test-apparmor - - run: make test-appimage - - run: make test-chroot - - run: make test-fcopy + - name: meson setup + run: CC=gcc-12 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: meson compile -C _builddir + - name: meson install + run: sudo -E meson install -C _builddir + - name: test main + run: meson test -C _builddir seccomp-extra firecfg capabilities apparmor appimage chroot fcopy # # Slower tests 
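Review bot: The `make lab-setup` step that preceded every test run is dropped and nothing visible replaces it; if that setup has not moved into test/meson.build (not in this diff), the suites now run against an unprepared environment. `meson test` also keeps per-test output in the log files and applies a default per-test timeout, so a failing expect-driven test leaves nothing in the job log and a slow one is killed; I would run it as `run: meson test -C _builddir --print-errorlogs seccomp-extra firecfg capabilities apparmor appimage chroot fcopy` and give the slower suites an explicit `timeout:` in their definitions. The same applies to the other test hunks in this file. The `sudo -E meson install` here differs from the plain `sudo meson install` in build-extra.yml; unless a variable is actually needed by the install, the non-`-E` form passes less of the runner environment to root.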
@@ -117,24 +105,17 @@ jobs: - name: install dependencies run: > sudo apt-get install -qy - gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils + gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils ninja-build meson - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=gcc-12 - --prefix=/usr --enable-fatal-warnings --enable-analyzer - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) - - name: make - run: make -j "$(nproc)" - - name: make install - run: sudo make install - - name: print version - run: make print-version - - run: make lab-setup - - run: make test-private-etc - - run: make test-fs + - name: meson setup + run: CC=gcc-12 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: meson compile -C _builddir + - name: meson install + run: sudo -E meson install -C _builddir + - name: test fs + run: meson test -C _builddir private-etc fs test-environment: runs-on: ubuntu-22.04 
@@ -157,24 +138,17 @@ jobs: - name: install dependencies run: > sudo apt-get install -qy - gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils + gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils ninja-build meson - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=gcc-12 - --prefix=/usr --enable-fatal-warnings --enable-analyzer - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) - - name: make - run: make -j "$(nproc)" - - name: make install - run: sudo make install - - name: print version - run: make print-version - - run: make lab-setup - - run: make test-environment - - run: make test-profiles + - name: meson setup + run: CC=gcc-12 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: meson compile -C _builddir + - name: meson install + run: sudo -E meson install -C _builddir + - name: test environment + run: meson test -C _builddir environment profiles test-utils: runs-on: ubuntu-22.04 
@@ -200,23 +174,17 @@ jobs: - name: install dependencies run: > sudo apt-get install -qy - gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils + gcc-12 libapparmor-dev libselinux1-dev expect xzdec bridge-utils ninja-build meson - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=gcc-12 - --prefix=/usr --enable-fatal-warnings --enable-analyzer - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) - - name: make - run: make -j "$(nproc)" - - name: make install - run: sudo make install - - name: print version - run: make print-version - - run: make lab-setup - - run: make test-utils + - name: meson setup + run: CC=gcc-12 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: meson compile -C _builddir + - name: meson install + run: sudo -E meson install -C _builddir + - name: test utils + run: meson test -C _builddir utils test-network: runs-on: ubuntu-22.04 @@ -247,22 +215,14 @@ jobs: run: > sudo apt-get install -qy gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois - bridge-utils + bridge-utils ninja-build meson - name: print env run: ./ci/printenv.sh - - name: configure - run: > - ./configure CC=gcc-12 - --prefix=/usr --enable-fatal-warnings --enable-analyzer - --enable-apparmor --enable-selinux - || (cat config.log; exit 1) - - name: make - run: make -j "$(nproc)" - - name: make install - run: sudo make install - - name: print version - run: make print-version - - run: make lab-setup - - run: make test-fnetfilter - - run: make test-sysutils - - run: make test-network + - name: meson setup + run: CC=gcc-12 meson setup _builddir --werror --prefix=/usr -Danalyzer=true -Dapparmor=true -Dselinux=true + - name: meson compile + run: meson compile -C _builddir + - name: meson install + run: sudo -E meson install -C _builddir + - name: test network + run: meson test -C _builddir fnetfilter sysutils network 
diff --git a/config.sh.in b/config.sh.in
index 0a91c68f273..9883e20b35b 100644
--- a/config.sh.in
+++ b/config.sh.in
@@ -1,4 +1,4 @@
-# @configure_input@
+# configure_input
#
# shellcheck shell=sh
# shellcheck disable=SC2034
diff --git a/contrib/meson.build b/contrib/meson.build
new file mode 100644
index 00000000000..7f1052643f4
--- /dev/null
+++ b/contrib/meson.build
@@ -0,0 +1,23 @@
+contrib_scripts = [
+ 'fix_private-bin.py',
+ 'fjclip.py',
+ 'fjdisplay.py',
+ 'fj-mkdeb.py',
+ 'fjresize.py',
+ 'gdb-firejail.sh',
+ 'jail_prober.py',
+ 'sort.py',
+ 'syscalls.sh',
+ 'update_deb.sh',
+]
+install_data(contrib_scripts,
+ install_dir: libdir_firejail,
+ install_mode: 'rwxr-xr-x',
+)
+
+install_data('vim/ftdetect/firejail.vim',
+ install_dir: datadir / 'vim' / 'vimfiles' / 'ftdetect',
+)
+install_data('syntax/files/firejail.vim.in',
+ install_dir: datadir / 'vim' / 'vimfiles' / 'syntax',
+)
diff --git a/etc/meson.build b/etc/meson.build
new file mode 100644
index 00000000000..324486d9b4f
--- /dev/null
+++ b/etc/meson.build
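Review bot: `install_data('syntax/files/firejail.vim.in', install_dir: datadir / 'vim' / 'vimfiles' / 'syntax')` installs the raw template under its `.in` name, so vim will not pick it up as `syntax/firejail.vim`, and if the file carries `@...@` placeholders they are never substituted; every other `.in` in this commit goes through `configure_file`. Unless the `.in` name is intentional, this should become `configure_file(input: 'syntax/files/firejail.vim.in', output: 'firejail.vim', configuration: conf, install: true, install_dir: datadir / 'vim' / 'vimfiles' / 'syntax')` with whatever configuration data the placeholders need, or at least `rename: 'firejail.vim'` if there is nothing to substitute. The contrib scripts are installed `'rwxr-xr-x'` into libdir_firejail next to the sbox helpers that get `rwx--x--x`; that is fine for user-facing tooling, but a one-line comment (`# user tooling, not sbox helpers: keep world-readable`) would stop someone later "harmonizing" the modes.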
@@ -0,0 +1,55 @@
+install_data('firejail.config', 'ids.config', 'login.users',
+ install_dir: sysconfdir / project_name,
+)
+
+foreach dir : ['inc', 'net', 'profile-a-l', 'profile-m-z']
+ install_subdir(dir,
+ exclude_files: ['disable-common.inc'],
+ install_dir: sysconfdir / project_name,
+ strip_directory: true,
+ )
+endforeach
+
+if get_option('busybox-workaround')
+ meson.add_install_script(sh.path(), '-e', '-c',
+'''
+disable_common_inc="$MESON_INSTALL_DESTDIR_PREFIX/$1/firejail/disable-common.inc"
+cat >"$disable_common_inc" <<\EOF
+# Workaround for systems where common UNIX utilities are symlinks to busybox.
+# If this is not your case you can remove -Dbusybox-workaround=true from
+# meson setup options, for added security.
+noblacklist ${PATH}/busybox
+noblacklist ${PATH}/crontab
+noblacklist ${PATH}/mount
+noblacklist ${PATH}/nc
+noblacklist ${PATH}/su
+noblacklist ${PATH}/sudo
+noblacklist ${PATH}/umount
+
+EOF
+cat >>"$disable_common_inc" <"$2"
+''', '--', sysconfdir, meson.current_source_dir() / 'inc/disable-common.inc',
+ )
+else
+ install_data('inc/disable-common.inc',
+ install_dir: sysconfdir / project_name,
+ )
+endif
+
+install_subdir('templates',
+ install_dir: docdir,
+ strip_directory: true,
+)
+
+if get_option('apparmor')
+ install_data('apparmor/firejail-default',
+ install_dir: sysconfdir / 'apparmor.d',
+ )
+ install_data('apparmor/firejail-local',
+ install_dir: sysconfdir / 'apparmor.d' / 'local',
+ rename: 'firejail-default',
+ )
+ install_data('apparmor/firejail-base',
+ install_dir: sysconfdir / 'apparmor.d' / 'abstractions' / 'base.d',
+ )
+endif
diff --git a/meson.build b/meson.build
new file mode 100644
index 00000000000..b08d40ef037
--- /dev/null
+++ b/meson.build
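Review bot: The busybox-workaround install script builds its target as `"$MESON_INSTALL_DESTDIR_PREFIX/$1/firejail/disable-common.inc"` with `$1 = sysconfdir`, but with the `--prefix=/usr` layout used throughout this commit meson resolves sysconfdir to the absolute `/etc` (as far as I recall that is the documented default for that prefix), which yields `$DESTDIR/usr//etc/firejail/...` while the sibling `install_data(..., install_dir: sysconfdir / project_name)` calls land in `$DESTDIR/etc/firejail`; under `set -e` with no `mkdir`, the redirect then aborts the install. Nothing exercises this path because the option defaults to false and no CI job enables it. Pass the already-joined absolute directory from meson and apply DESTDIR to it in the script: `'--', prefix / sysconfdir / project_name, meson.current_source_dir() / 'inc/disable-common.inc',` together with `destdir="${MESON_INSTALL_DESTDIR_PREFIX%"$MESON_INSTALL_PREFIX"}"` and `disable_common_inc="$destdir$1/disable-common.inc"`. The generated header already states that enabling the option lowers security (it un-blacklists su, sudo, mount, nc and friends); that warning belongs in the option's description in meson_options.txt as well.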
@@ -0,0 +1,185 @@
+project('firejail', 'c',
+ license: 'GPL-2.0-or-later',
+ default_options: [
+ # -D_FORTIFY_SOURCE=2 requires optimization
+ 'buildtype=debugoptimized',
+ 'strip=true',
+ 'b_pie=true',
+ ],
+ # https://packages.debian.org/oldstable/meson
+ meson_version: '>=0.56.2',
+ version: '0.9.73',
+)
+
+# # # # # # # # # #
+
+c_compiler = meson.get_compiler('c')
+cc = find_program(c_compiler.cmd_array()[0])
+sh = find_program('sh')
+gawk = find_program('gawk')
+
+project_name = meson.project_name()
+prefix = get_option('prefix')
+bindir = get_option('bindir')
+datadir = get_option('datadir')
+bashcompletiondir = datadir / 'bash-completion' / 'completions'
+docdir = datadir / 'doc' / project_name
+zshcompletiondir = datadir / 'zsh' / 'site-functions'
+sysconfdir = get_option('sysconfdir')
+libdir = get_option('libdir')
+libdir_firejail = libdir / project_name
+firejail_perms = get_option('suid') ? 'rwsr-xr-x' : 'rwxr-xr-x'
+sbox_apps_non_dumpable_perms = 'rwx--x--x'
+
+noopdep = dependency('', required: false)
+libapparmor = get_option('apparmor') ? dependency('libapparmor') : noopdep
+libselinux = get_option('selinux') ? dependency('libselinux') : noopdep
+
+# # # # # # # # # #
+
+if get_option('lts')
+ # meson _builddir_lts --prefix=/usr -Dlts=true -Dchroot=false -Ddbusproxy=false -Dfile-transfer=false -Dfiretunnel=false -Dglobalcfg=false -Doutput=false -Dprivate-home=false -Duserns=false -Dusertmpfs=false -Dx11=false
+ foreach option : ['chroot', 'dbusproxy', 'file-transfer', 'firetunnel', 'globalcfg',
+ 'output', 'private-home', 'userns', 'usertmpfs', 'x11']
+ assert(get_option(option) == false, 'get_option(\'@0@\') == false'.format(option))
+ endforeach
+endif
+
+
+# Enable static analysis if wanted and supported.
+if get_option('analyzer') and c_compiler.has_argument('-fanalyzer')
+ add_project_arguments('-fanalyzer', language: 'c')
+ add_project_arguments('-Wno-analyzer-malloc-leak', language: 'c')
+endif
+
+c_args = []
+if get_option('buildtype') != 'plain'
+ c_args += c_compiler.get_supported_arguments([
+ '-mretpoline',
+ '-fstack-protector-strong',
+ '-fstack-clash-protection',
+ '-D_FORTIFY_SOURCE=2',
+ ])
+ if get_option('warning_level').to_int() > 0
+ c_args += ['-Wformat', '-Wformat-security']
+ endif
+endif
+
+
+facilities = []
+foreach option, flag : {
+ 'apparmor': '-DHAVE_APPARMOR',
+ 'chroot': '-DHAVE_CHROOT',
+ 'dbusproxy': '-DHAVE_DBUSPROXY',
+ 'file-transfer': '-DHAVE_FILE_TRANSFER',
+ 'firetunnel': '-DHAVE_FIRETUNNEL',
+ 'force-nonewprivs': '-DHAVE_FORCE_NONEWPRIVS',
+ 'globalcfg': '-DHAVE_GLOBALCFG',
+ 'ids': '-DHAVE_IDS',
+ 'lts': '-DHAVE_LTS',
+ 'network': '-DHAVE_NETWORK',
+ 'output': '-DHAVE_OUTPUT',
+# 'overlayfs': '-DHAVE_OVERLAYFS',
+ 'private-home': '-DHAVE_PRIVATE_HOME',
+ 'selinux': '-DHAVE_SELINUX',
+ 'suid': '-DHAVE_SUID',
+ 'userns': '-DHAVE_USERNS',
+ 'usertmpfs': '-DHAVE_USERTMPFS',
+# 'whitelist': '-DHAVE_WHITELIST',
+ 'x11': '-DHAVE_X11',
+ }
+
+ if get_option(option)
+ facilities += flag
+ endif
+endforeach
+
+
+constants = []
+foreach name, value : {
+ 'PREFIX': prefix,
+ 'BINDIR': prefix / bindir,
+ 'SYSCONFDIR': prefix / sysconfdir / project_name,
+ 'LIBDIR': prefix / libdir,
+ 'VARDIR': '/var/lib' / project_name,
+ 'VERSION': meson.project_version(),
+ }
+
+ constants += '-D@0@="@1@"'.format(name, value)
+endforeach
+
+# # # # # # # # # #
+
+if get_option('contrib')
+ subdir('contrib')
+endif
+subdir('etc')
+subdir('src')
+subdir('test')
+
+install_data('COPYING', 'README', 'RELNOTES',
+ install_dir: docdir,
+)
+
+# # # # # # # # # #
+
+cppcheck = find_program('cppcheck', required: false)
+if cppcheck.found()
+ run_target('cppcheck',
+ command: [
+ cppcheck, '--force', '--error-exitcode=1', '--enable=warning,performance',
meson.source_root(),
+ ],
+ )
+endif
+
+# # # # # # # # # #
+
+show_summary = true
+if show_summary and meson.version().version_compare('>=0.53.0')
+ summary('prefix', prefix, section: 'Directories')
+ summary('bindir', bindir, section: 'Directories')
+ summary('datadir', datadir, section: 'Directories')
+ summary('docdir', docdir, section: 'Directories')
+ summary('sysconfdir', sysconfdir, section: 'Directories')
+ summary('libdir', libdir, section: 'Directories')
+ summary('libdir_firejail', libdir_firejail, section: 'Directories')
+
+ summary('apparmor', get_option('apparmor'), section: 'Facilities')
+ summary('chroot', get_option('chroot'), section: 'Facilities')
+ summary('dbusproxy', get_option('dbusproxy'), section: 'Facilities')
+ summary('file-transfer', get_option('file-transfer'), section: 'Facilities')
+ summary('firetunnel', get_option('firetunnel'), section: 'Facilities')
+ summary('force-nonewprivs', get_option('force-nonewprivs'), section: 'Facilities')
+ summary('globalcfg', get_option('globalcfg'), section: 'Facilities')
+ summary('ids', get_option('ids'), section: 'Facilities')
+ summary('network', get_option('network'), section: 'Facilities')
+ summary('output', get_option('output'), section: 'Facilities')
+ summary('overlayfs', get_option('overlayfs'), section: 'Facilities')
+ summary('private-home', get_option('private-home'), section: 'Facilities')
+ summary('selinux', get_option('selinux'), section: 'Facilities')
+ summary('suid', get_option('suid'), section: 'Facilities')
+ summary('userns', get_option('userns'), section: 'Facilities')
+ summary('usertmpfs', get_option('usertmpfs'), section: 'Facilities')
+ summary('whitelist', get_option('whitelist'), section: 'Facilities')
+ summary('x11', get_option('x11'), section: 'Facilities')
+
+ summary('lts', get_option('lts'), section: 'LTS')
+
+ summary('busybox-workaround', get_option('busybox-workaround'), section: 'Misc')
+ summary('contrib', get_option('contrib'), section: 'Misc')
+ 
summary('manpage', get_option('manpage'), section: 'Misc')
+endif
+
+conf = configuration_data()
+conf.set('PACKAGE_BUGREPORT', 'netblue30@protonmail.com')
+conf.set('PACKAGE_NAME', 'firejail')
+conf.set('PACKAGE_STRING', 'firejail ' + meson.project_version())
+conf.set('PACKAGE_TARNAME', 'firejail')
+conf.set('PACKAGE_VERSION', meson.project_version())
+conf.set_quoted('PACKAGE_URL', 'https://firejail.wordpress.com')
+
+test_config_sh = configure_file(
+ configuration: conf,
+ input: 'config.sh.in',
+ output: '@BASENAME@',
+)
diff --git a/meson_options.txt b/meson_options.txt
new file mode 100644
index 00000000000..b6cfe40be06
--- /dev/null
+++ b/meson_options.txt
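Review bot: The new top-level meson.build turns on compiler hardening (`-fstack-protector-strong`, `-fstack-clash-protection`, `-D_FORTIFY_SOURCE=2`, PIE through `b_pie=true`) but I can find no linker hardening anywhere in this diff: nothing adds `-Wl,-z,relro` or `-Wl,-z,now`, so the setuid `firejail` binary is linked with lazy binding and a writable GOT unless the distro toolchain injects those flags on its own. Adding them beside `c_args` covers every target at once: `add_project_link_arguments(c_compiler.get_supported_link_arguments(['-Wl,-z,relro', '-Wl,-z,now']), language: 'c')`. Two smaller points: `c_args` is applied per target, so any target that forgets to list it silently loses the hardening, whereas `add_project_arguments(c_args, language: 'c')` would make it unconditional; and `meson.source_root()` in the cppcheck target is deprecated in favour of `meson.project_source_root()`, which the declared `>=0.56.2` floor already allows.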
@@ -0,0 +1,51 @@
+option('analyzer', type: 'boolean', value: false,
+ description: 'Enable gcc\'s Static Analyzer')
+# sanitizer: Use -Db_sanitize=
+# gcov: TODO
+
+option('apparmor', type: 'boolean', value: false,
+ description: 'AppArmor support')
+option('chroot', type: 'boolean', value: true,
+ description: 'chroot')
+option('dbusproxy', type: 'boolean', value: true,
+ description: 'D-Bus proxy support')
+option('file-transfer', type: 'boolean', value: true,
+ description: 'file transfer')
+option('firetunnel', type: 'boolean', value: true,
+ description: 'firetunnel')
+option('force-nonewprivs', type: 'boolean', value: true,
+ description: 'force nonewprivs')
+option('globalcfg', type: 'boolean', value: true,
+ description: 'Abort execution if the global config is not present')
+option('ids', type: 'boolean', value: false,
+ description: 'IDS support')
+option('network', type: 'boolean', value: true,
+ description: 'network')
+option('output', type: 'boolean', value: true,
+ description: '--output logging')
+option('overlayfs', type: 'boolean', value: true,
+ description: 'overlayfs support')
+option('private-home', type: 'boolean', value: true,
+ description: 'private home feature')
+option('selinux', type: 'boolean', value: false,
+ description: 'SELinux labeling support')
+option('suid', type: 'boolean', value: true,
+ description: 'Install firejail as SUID executable')
+option('userns', type: 'boolean', value: true,
+ description: 'user namespace')
+option('usertmpfs', type: 'boolean', value: true,
+ description: 'tmpfs as regular user')
+option('whitelist', type: 'boolean', value: true,
+ description: 'whitelist support')
+option('x11', type: 'boolean', value: true,
+ description: 'X11 sandboxing support')
+
+option('lts', type: 'boolean', value: false,
+ description: 'LTS')
+
+option('busybox-workaround', type: 'boolean', value: false,
+ description: 'busybox workaround')
+option('contrib', type: 'boolean', value: true,
+ description: 'Install contrib 
files')
+option('manpage', type: 'boolean', value: true,
+ description: 'Manpages')
diff --git a/src/bash_completion/firejail.bash_completion.in b/src/bash_completion/firejail.bash_completion.in
index 4a1adbc26ba..998080c06de 100644
--- a/src/bash_completion/firejail.bash_completion.in
+++ b/src/bash_completion/firejail.bash_completion.in
@@ -15,7 +15,7 @@ _profiles() {
fi
}
_all_profiles() {
- local sys_profiles=$(_profiles _SYSCONFDIR_/firejail)
+ local sys_profiles=$(_profiles @SYSCONFDIR@/firejail)
local user_profiles=$(_profiles $HOME/.config/firejail)
COMPREPLY=($(compgen -W "${sys_profiles} ${user_profiles}" -- "$cur"))
}
diff --git a/src/bash_completion/meson.build b/src/bash_completion/meson.build
new file mode 100644
index 00000000000..833654be723
--- /dev/null
+++ b/src/bash_completion/meson.build
@@ -0,0 +1,19 @@
+firejail_bash_completion = configure_file(
+ configuration: {'SYSCONFDIR': sysconfdir},
+ input: 'firejail.bash_completion.in',
+ output: '@BASENAME@',
+)
+custom_target('firejail.bash_completion',
+ build_by_default: true,
+ capture: true,
+ command: preproc_awk_cmd,
+ input: firejail_bash_completion,
+ install: true,
+ install_dir: bashcompletiondir,
+ output: 'firejail',
+)
+
+install_data('firecfg.bash_completion', 'firemon.bash_completion',
+ install_dir: bashcompletiondir,
+ rename: ['firecfg', 'firemon']
+)
diff --git a/src/build-make-compile-seccomp-filters.sh b/src/build-make-compile-seccomp-filters.sh
new file mode 100755
index 00000000000..10b14fb24f6
--- /dev/null
+++ b/src/build-make-compile-seccomp-filters.sh
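Review bot: `option('busybox-workaround', ..., description: 'busybox workaround')` and `option('lts', ..., description: 'LTS')` tell a packager nothing about what they change, and the first one weakens the sandbox: the file etc/meson.build generates when it is on says it un-blacklists busybox, crontab, mount, nc, su, sudo and umount. Spell that out in the option itself, e.g. `description: 'Do not blacklist busybox and the utilities it commonly provides (crontab, mount, nc, su, sudo, umount); needed where coreutils are busybox symlinks, reduces sandbox hardening'`, and for lts something like `description: 'Long-term-support build; requires chroot, dbusproxy, file-transfer, firetunnel, globalcfg, output, private-home, userns, usertmpfs and x11 to be disabled'`, which is what the assert in meson.build enforces.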
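Review bot: `configure_file(configuration: {'SYSCONFDIR': sysconfdir}, ...)` substitutes the bare `sysconfdir` option into `@SYSCONFDIR@/firejail`, while the C side in meson.build defines `SYSCONFDIR` as `prefix / sysconfdir / project_name`; whenever sysconfdir is relative (the usual default for prefixes other than /usr) the completion script will look for profiles under a relative `etc/firejail` and the two parts of the build disagree on where the configuration lives. Using the same join here fixes it: `configuration: {'SYSCONFDIR': prefix / sysconfdir},`. `preproc_awk_cmd` is defined outside this hunk, so I could not check what the second pass does to the file.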
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+fseccomp="$1"
+fsec_optimize="$2"
+outdir="$3"
+
+cd "$outdir" || exit 1
+
+# seccomp
+$fseccomp default seccomp
+$fsec_optimize seccomp
+
+# seccomp.debug
+$fseccomp default seccomp.debug allow-debuggers
+$fsec_optimize seccomp.debug
+
+# seccomp.32
+$fseccomp secondary 32 seccomp.32
+$fsec_optimize seccomp.32
+
+# seccomp.block_secondary
+$fseccomp secondary block seccomp.block_secondary
+
+# seccomp.mdwx
+$fseccomp memory-deny-write-execute seccomp.mdwx
+
+# seccomp.mdwx.32
+$fseccomp memory-deny-write-execute.32 seccomp.mdwx.32
diff --git a/src/fbuilder/meson.build b/src/fbuilder/meson.build
new file mode 100644
index 00000000000..98b86a4bf04
--- /dev/null
+++ b/src/fbuilder/meson.build
@@ -0,0 +1,19 @@
+fbuilder_sources = [
+ 'main.c',
+ 'build_bin.c',
+ 'build_fs.c',
+ 'build_home.c',
+ 'build_profile.c',
+ 'build_seccomp.c',
+ 'filedb.c',
+ 'utils.c',
+]
+
+executable('fbuilder', fbuilder_sources,
+ install: true,
+ install_dir: libdir_firejail,
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
diff --git a/src/fcopy/meson.build b/src/fcopy/meson.build
new file mode 100644
index 00000000000..436a0dd4afc
--- /dev/null
+++ b/src/fcopy/meson.build
@@ -0,0 +1,17 @@
+fcopy_sources = [
+ 'main.c',
+
+ '../lib/common.c',
+]
+
+executable('fcopy', fcopy_sources,
+ install: true,
+ install_dir: libdir_firejail,
+ install_mode: sbox_apps_non_dumpable_perms,
+
+ dependencies: libselinux,
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
diff --git a/src/fids/meson.build b/src/fids/meson.build
new file mode 100644
index 00000000000..47d3e4bf30e
--- /dev/null
+++ b/src/fids/meson.build
@@ -0,0 +1,15 @@
+fids_sources = [
+ 'main.c',
+ 'blake2b.c',
+ 'db.c',
+ 'db_exclude.c',
+]
+
+executable('fids', fids_sources,
+ install: true,
+ install_dir: libdir_firejail,
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
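Review bot: In build-make-compile-seccomp-filters.sh the helper paths are expanded unquoted (`$fseccomp default seccomp`, `$fsec_optimize seccomp`, and so on), so a build directory containing whitespace splits them into several words, and `cd "$outdir" || exit 1` is redundant under `set -e`. Quote every expansion, e.g. `"$fseccomp" default seccomp` and `"$fsec_optimize" seccomp`. Because the script does `cd "$outdir"` first, `$1` and `$2` must be absolute to still resolve afterwards; the call site is in src/meson.build, which is not in this diff, so a guard such as `case $fseccomp in /*) ;; *) echo "fseccomp must be absolute" >&2; exit 1;; esac` before the `cd` would make the assumption explicit.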
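Review bot: fbuilder and fids are installed into libdir_firejail with the default mode, while fcopy in the adjacent hunk (and fldd, fnet, fnetfilter, fsec-optimize, fsec-print, fseccomp and fshaper elsewhere in this commit) get `install_mode: sbox_apps_non_dumpable_perms` (`rwx--x--x`), presumably chosen because a helper the user cannot read starts non-dumpable when spawned from a sandbox. If fbuilder and fids are also launched through sbox they should carry the same mode, `install_mode: sbox_apps_non_dumpable_perms,`; if they are meant to be run by the user directly, a comment such as `# invoked by the user, not via sbox: keep world-readable` would stop the next person from "fixing" it. I could not check the old Makefile's modes from this diff.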
diff --git a/src/firecfg/meson.build b/src/firecfg/meson.build
new file mode 100644
index 00000000000..c835bb65174
--- /dev/null
+++ b/src/firecfg/meson.build
@@ -0,0 +1,18 @@
+firecfg_sources = [
+ 'main.c',
+ 'desktop_files.c',
+ 'sound.c',
+ 'util.c',
+
+ '../lib/firejail_user.c',
+]
+
+executable('firecfg', firecfg_sources,
+ install: true,
+
+ c_args: [
+ c_args, constants, facilities
+ ],
+)
+
+install_data('firecfg.config', install_dir: libdir_firejail)
diff --git a/src/firejail/meson.build b/src/firejail/meson.build
new file mode 100644
index 00000000000..71001ea8b20
--- /dev/null
+++ b/src/firejail/meson.build
@@ -0,0 +1,77 @@
+firejail_sources = [
+ 'main.c',
+ 'appimage.c',
+ 'appimage_size.c',
+ 'arp.c',
+ 'bandwidth.c',
+ 'caps.c',
+ 'checkcfg.c',
+ 'chroot.c',
+ 'cmdline.c',
+ 'cpu.c',
+ 'dbus.c',
+ 'dhcp.c',
+ 'env.c',
+ 'fs.c',
+ 'fs_bin.c',
+ 'fs_dev.c',
+ 'fs_etc.c',
+ 'fs_home.c',
+ 'fs_hostname.c',
+ 'fs_lib.c',
+ 'fs_lib2.c',
+ 'fs_logger.c',
+ 'fs_mkdir.c',
+ 'fs_trace.c',
+ 'fs_var.c',
+ 'fs_whitelist.c',
+ 'ids.c',
+ 'join.c',
+ 'landlock.c',
+ 'ls.c',
+ 'macros.c',
+ 'mountinfo.c',
+ 'netfilter.c',
+ 'netns.c',
+ 'network.c',
+ 'network_main.c',
+ 'no_sandbox.c',
+ 'oom.c',
+ 'output.c',
+ 'paths.c',
+ 'preproc.c',
+ 'process.c',
+ 'profile.c',
+ 'protocol.c',
+ 'pulseaudio.c',
+ 'restricted_shell.c',
+ 'restrict_users.c',
+ 'rlimit.c',
+ 'run_files.c',
+ 'run_symlink.c',
+ 'sandbox.c',
+ 'sbox.c',
+ 'seccomp.c',
+ 'selinux.c',
+ 'shutdown.c',
+ 'usage.c',
+ 'util.c',
+ 'x11.c',
+
+ '../lib/common.c',
+ '../lib/errno.c',
+ '../lib/firejail_user.c',
+ '../lib/ldd_utils.c',
+ '../lib/syscall.c',
+]
+
+executable('firejail', firejail_sources,
+ install: true,
+ install_mode: [firejail_perms, 0, 0],
+
+ dependencies: [libapparmor, libselinux],
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
diff --git a/src/firemon/meson.build b/src/firemon/meson.build
new file mode 100644
index 00000000000..73126199619
--- /dev/null
+++ b/src/firemon/meson.build
@@ -0,0 +1,29 @@
+firemon_sources = [
+ 'firemon.c',
+ 'apparmor.c',
+ 'arp.c',
+ 'caps.c',
+ 'cpu.c',
+ 'list.c',
+ 'netstats.c',
+ 'procevent.c',
+ 'route.c',
+ 'seccomp.c',
+ 'top.c',
+ 'tree.c',
+ 'usage.c',
+ 'x11.c',
+
+ '../lib/common.c',
+ '../lib/pid.c',
+]
+
+executable('firemon', firemon_sources,
+ install: true,
+
+ dependencies: libapparmor,
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
diff --git a/src/fldd/meson.build b/src/fldd/meson.build
new file mode 100644
index 00000000000..f9eb85736e4
--- /dev/null
+++ b/src/fldd/meson.build
@@ -0,0 +1,16 @@
+fldd_sources = [
+ 'main.c',
+
+ '../lib/common.c',
+ '../lib/ldd_utils.c',
+]
+
+executable('fldd', fldd_sources,
+ install: true,
+ install_dir: libdir_firejail,
+ install_mode: sbox_apps_non_dumpable_perms,
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
diff --git a/src/fnet/meson.build b/src/fnet/meson.build
new file mode 100644
index 00000000000..6f34e40d950
--- /dev/null
+++ b/src/fnet/meson.build
@@ -0,0 +1,20 @@
+fnet_sources = [
+ 'main.c',
+ 'arp.c',
+ 'interface.c',
+ 'veth.c',
+
+ '../lib/common.c',
+ '../lib/libnetlink.c',
+]
+
+executable('fnet', fnet_sources,
+ install: true,
+ install_dir: libdir_firejail,
+ install_mode: sbox_apps_non_dumpable_perms,
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
+
diff --git a/src/fnetfilter/meson.build b/src/fnetfilter/meson.build
new file mode 100644
index 00000000000..7609ccc9bfa
--- /dev/null
+++ b/src/fnetfilter/meson.build
@@ -0,0 +1,15 @@
+fnetfilter_sources = [
+ 'main.c',
+
+ '../lib/common.c',
+]
+
+executable('fnetfilter', fnetfilter_sources,
+ install: true,
+ install_dir: libdir_firejail,
+ install_mode: sbox_apps_non_dumpable_perms,
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
diff --git a/src/fsec-optimize/meson.build b/src/fsec-optimize/meson.build
new file mode 100644
index 00000000000..a91aba49e56
--- /dev/null
+++ b/src/fsec-optimize/meson.build
@@ -0,0 +1,17 @@
+fsec_optimize_sources = [
+ 'main.c',
+ 'optimizer.c',
+
+ '../lib/common.c',
+ '../lib/errno.c',
+]
+
+fsec_optimize = executable('fsec-optimize', fsec_optimize_sources,
+ install: true,
+ install_dir: libdir_firejail,
+ install_mode: sbox_apps_non_dumpable_perms,
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
diff --git a/src/fsec-print/meson.build b/src/fsec-print/meson.build
new file mode 100644
index 00000000000..2a720d57a57
--- /dev/null
+++ b/src/fsec-print/meson.build
@@ -0,0 +1,18 @@
+fsec_print_sources = [
+ 'main.c',
+ 'print.c',
+
+ '../lib/common.c',
+ '../lib/errno.c',
+ '../lib/syscall.c',
+]
+
+executable('fsec-print', fsec_print_sources,
+ install: true,
+ install_dir: libdir_firejail,
+ install_mode: sbox_apps_non_dumpable_perms,
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
diff --git a/src/fseccomp/meson.build b/src/fseccomp/meson.build
new file mode 100644
index 00000000000..b0a7751d512
--- /dev/null
+++ b/src/fseccomp/meson.build
@@ -0,0 +1,21 @@
+fseccomp_sources = [
+ 'main.c',
+ 'protocol.c',
+ 'namespaces.c',
+ 'seccomp.c',
+ 'seccomp_file.c',
+ 'seccomp_secondary.c',
+
+ '../lib/common.c',
+ '../lib/errno.c',
+ '../lib/syscall.c',
+]
+fseccomp = executable('fseccomp', fseccomp_sources,
+ install: true,
+ install_dir: libdir_firejail,
+ install_mode: sbox_apps_non_dumpable_perms,
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
diff --git a/src/fshaper/meson.build b/src/fshaper/meson.build
new file mode 100644
index 00000000000..f154578fcb9
--- /dev/null
+++ b/src/fshaper/meson.build
@@ -0,0 +1,4 @@
+install_data('fshaper.sh',
+ install_dir: libdir_firejail,
+ install_mode: sbox_apps_non_dumpable_perms,
+)
diff --git a/src/ftee/meson.build b/src/ftee/meson.build
new file mode 100644
index 00000000000..1355b4de964
--- /dev/null
+++ b/src/ftee/meson.build
@@ -0,0 +1,12 @@
+ftee_sources = [
+ 'main.c',
+]
+
+executable('ftee', ftee_sources,
+ install: true,
+ install_dir: libdir_firejail,
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
diff --git a/src/jailcheck/meson.build b/src/jailcheck/meson.build
new file mode 100644
index 00000000000..3bcf9251341
--- /dev/null
+++ b/src/jailcheck/meson.build
@@ -0,0 +1,24 @@
+jailcheck_sources = [
+ 'main.c',
+ 'access.c',
+ 'apparmor.c',
+ 'network.c',
+ 'noexec.c',
+ 'seccomp.c',
+ 'sysfiles.c',
+ 'utils.c',
+ 'virtual.c',
+
+ '../lib/common.c',
+ '../lib/pid.c',
+]
+
+executable('jailcheck', jailcheck_sources,
+ install: true,
+
+ dependencies: libapparmor,
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
diff --git a/src/libpostexecseccomp/meson.build b/src/libpostexecseccomp/meson.build
new file mode 100644
index 00000000000..1b490e6f2be
--- /dev/null
+++ b/src/libpostexecseccomp/meson.build
@@ -0,0 +1,8 @@
+shared_library('postexecseccomp', 'libpostexecseccomp.c',
+ install: true,
+ install_dir: libdir_firejail,
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
diff --git a/src/libtrace/meson.build b/src/libtrace/meson.build
new file mode 100644
index 00000000000..d91e5d52ca7
--- /dev/null
+++ b/src/libtrace/meson.build
@@ -0,0 +1,8 @@
+custom_target('libtrace.so',
+ build_by_default: true,
+ command: [cc, c_args, c_args_libtrace, '-o', '@OUTPUT@', '@INPUT@'],
+ input: 'libtrace.c',
+ install: true,
+ install_dir: libdir_firejail,
+ output: 'libtrace.so',
+)
diff --git a/src/libtracelog/meson.build b/src/libtracelog/meson.build
new file mode 100644
index 00000000000..8ee15f74a73
--- /dev/null
+++ b/src/libtracelog/meson.build
@@ -0,0 +1,8 @@
+custom_target('libtracelog.so',
+ build_by_default: true,
+ command: [cc, c_args, c_args_libtrace, '-o', '@OUTPUT@', '@INPUT@'],
+ input: 'libtracelog.c',
+ install: true,
+ install_dir: libdir_firejail,
+ output: 'libtracelog.so',
+)
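Review bot: the two custom_target() calls for libtrace.so and libtracelog.so run the compiler directly, so nothing meson would normally inject for a shared_library() — the `buildtype`/`optimization` flags, `b_pie`, `warning_level`, or the CFLAGS/LDFLAGS the user gave at setup — reaches these objects unless it is already in `c_args` or `c_args_libtrace`, and the only hardening flag visible in `c_args_libtrace` is `-Wl,-z,relro`. These appear to be preload libraries (judging by the names and the `-shared -fPIC` flags), so compare the final command line against what the replaced Makefile passed and consider `-Wl,-z,now` alongside `-Wl,-z,relro` so they get full rather than partial RELRO. A short comment in each file would prevent the next maintainer from assuming meson's defaults apply, e.g. `# built outside meson's compiler driver: hardening/optimisation flags must be listed in c_args_libtrace (src/meson.build)`.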
diff --git a/src/man/firecfg.1.in b/src/man/firecfg.1.in
index a50ed765eef..1766c7c10b0 100644
--- a/src/man/firecfg.1.in
+++ b/src/man/firecfg.1.in
@@ -1,4 +1,4 @@
-.TH FIRECFG 1 "MONTH YEAR" "VERSION" "firecfg man page"
+.TH FIRECFG 1 "@MONTH@ @YEAR@" "@VERSION@" "firecfg man page"
 .SH NAME
 Firecfg \- Desktop integration utility for Firejail software.
 .SH SYNOPSIS
diff --git a/src/man/firejail-login.5.in b/src/man/firejail-login.5.in
index f03fc3c374f..9ee783e342f 100644
--- a/src/man/firejail-login.5.in
+++ b/src/man/firejail-login.5.in
@@ -1,4 +1,4 @@
-.TH FIREJAIL-LOGIN 5 "MONTH YEAR" "VERSION" "login.users man page"
+.TH FIREJAIL-LOGIN 5 "@MONTH@ @YEAR@" "@VERSION@" "login.users man page"
 .SH NAME
 login.users \- Login file syntax for Firejail
diff --git a/src/man/firejail-profile.5.in b/src/man/firejail-profile.5.in
index 8c039eb46eb..14c6a6fe5fa 100644
--- a/src/man/firejail-profile.5.in
+++ b/src/man/firejail-profile.5.in
@@ -1,4 +1,4 @@
-.TH FIREJAIL-PROFILE 5 "MONTH YEAR" "VERSION" "firejail profiles man page"
+.TH FIREJAIL-PROFILE 5 "@MONTH@ @YEAR@" "@VERSION@" "firejail profiles man page"
 .SH NAME
 profile \- Security profile file syntax, and information about building new application profiles.
diff --git a/src/man/firejail-users.5.in b/src/man/firejail-users.5.in
index 7aa151680c7..494b1c1a4b8 100644
--- a/src/man/firejail-users.5.in
+++ b/src/man/firejail-users.5.in
@@ -1,4 +1,4 @@
-.TH FIREJAIL-USERS 5 "MONTH YEAR" "VERSION" "firejail.users man page"
+.TH FIREJAIL-USERS 5 "@MONTH@ @YEAR@" "@VERSION@" "firejail.users man page"
 .SH NAME
 firejail.users \- Firejail user access database
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 87bd6fcc254..cebe086b4c6 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
@@ -1,4 +1,4 @@
-.TH FIREJAIL 1 "MONTH YEAR" "VERSION" "firejail man page"
+.TH FIREJAIL 1 "@MONTH@ @YEAR@" "@VERSION@" "firejail man page"
 .SH NAME
 Firejail \- Linux namespaces sandbox program
 .SH SYNOPSIS
diff --git a/src/man/firemon.1.in b/src/man/firemon.1.in
index fb0cf1175bd..8cd8b0cc597 100644
--- a/src/man/firemon.1.in
+++ b/src/man/firemon.1.in
@@ -1,4 +1,4 @@
-.TH FIREMON 1 "MONTH YEAR" "VERSION" "firemon man page"
+.TH FIREMON 1 "@MONTH@ @YEAR@" "@VERSION@" "firemon man page"
 .SH NAME
 Firemon \- Monitoring program for processes started in a Firejail sandbox.
 .SH SYNOPSIS
diff --git a/src/man/jailcheck.1.in b/src/man/jailcheck.1.in
index eea5987b769..c9f1f97818d 100644
--- a/src/man/jailcheck.1.in
+++ b/src/man/jailcheck.1.in
@@ -1,4 +1,4 @@
-.TH JAILCHECK 1 "MONTH YEAR" "VERSION" "JAILCHECK man page"
+.TH JAILCHECK 1 "@MONTH@ @YEAR@" "@VERSION@" "JAILCHECK man page"
 .SH NAME
 jailcheck \- Simple utility program to test running sandboxes
 .SH SYNOPSIS
diff --git a/src/man/meson.build b/src/man/meson.build
new file mode 100644
index 00000000000..a6b9571d023
--- /dev/null
+++ b/src/man/meson.build
@@ -0,0 +1,38 @@
+# The kwarg env: of run_command is only supported by meson>=0.50
+date = run_command(sh, '-c',
+ 'LC_ALL=C date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y-%b',
+ check: true,
+).stdout().strip().split('-')
+
+manconf = configuration_data()
+manconf.set('VERSION', meson.project_version())
+manconf.set('YEAR', date[0])
+manconf.set('MONTH', date[1])
+
+manpages = [
+ 'firecfg.1',
+ 'firejail-login.5',
+ 'firejail-profile.5',
+ 'firejail.1',
+ 'firejail-users.5',
+ 'firemon.1',
+ 'jailcheck.1',
+]
+
+foreach manpage : manpages
+ section = manpage.split('.')[1]
+ configured_manpage = configure_file(
+ configuration: manconf,
+ input: manpage + '.in',
+ output: '@PLAINNAME@',
+ )
+ custom_target(manpage,
+ build_by_default: true,
+ capture: true,
+ command: preproc_awk_cmd,
+ input: configured_manpage,
+ install: true,
+ install_dir: get_option('mandir') / 'man' + section,
+ output: manpage,
+ )
+endforeach
diff --git a/src/man/preproc.awk b/src/man/preproc.awk
index b9d78e27653..e554b24733a 100755
--- a/src/man/preproc.awk
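Review bot: in src/man/meson.build the month/year for the `.TH` header come from a run_command() call, which meson evaluates at setup time, so `SOURCE_DATE_EPOCH` must be exported to `meson setup` rather than to the later `meson compile`/`ninja` invocation, and the date stays frozen until the project is reconfigured. The comment above it only explains the `sh -c` workaround for the missing `env:` kwarg; extend it with something like `# Evaluated once at setup time: export SOURCE_DATE_EPOCH before 'meson setup' for a reproducible man-page date.`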
+++ b/src/man/preproc.awk
@@ -25,8 +25,8 @@ BEGIN {
 for (arg in ARGV) {
 if (ARGV[arg] ~ /^-D[A-Z0-9_]+$/) {
 macros[length(macros) + 1] = substr(ARGV[arg], 3)
+ ARGV[arg] = ""
 }
- ARGV[arg] = ""
 }
 include = 1
diff --git a/src/meson.build b/src/meson.build
new file mode 100644
index 00000000000..dbcd1c71966
--- /dev/null
+++ b/src/meson.build
@@ -0,0 +1,69 @@
+# libtrace/libtracelog do not compile with shared_library(), instead we
+# directly call the compiler. Therefore we need additional flags which
+# are set otherwise by meson.
+c_args_libtrace = ['-Wall', '-O2', '-shared', '-fPIC', '-Wl,-z,relro']
+if get_option('werror')
+ c_args_libtrace += ['-Werror']
+endif
+
+preproc_awk_cmd = [
+ gawk, '-f', files('man/preproc.awk'), '--', facilities, '@INPUT@',
+]
+
+# # # # # # # # # #
+
+# APPS
+subdir('firecfg')
+subdir('firejail')
+subdir('firemon')
+subdir('jailcheck')
+subdir('profstats')
+
+# SBOX_APPS
+subdir('fbuilder')
+if get_option('ids')
+ subdir('fids')
+endif
+subdir('ftee')
+
+# SBOX_APPS_NON_DUMPABLE
+subdir('fcopy')
+subdir('fldd')
+subdir('fnet')
+subdir('fnetfilter')
+subdir('fseccomp')
+subdir('fsec-optimize')
+subdir('fsec-print')
+subdir('fshaper')
+
+# MYLIBS
+subdir('libpostexecseccomp')
+subdir('libtrace')
+subdir('libtracelog')
+
+# MANPAGES
+if get_option('manpage')
+ subdir('man')
+endif
+
+# COMPLETIONDIRS
+subdir('bash_completion')
+subdir('zsh_completion')
+
+# # # # # # # # # #
+
+build_make_compile_seccmop_filters_sh = files('build-make-compile-seccomp-filters.sh')
+custom_target('seccomp filters',
+ build_by_default: true,
+ command: [build_make_compile_seccmop_filters_sh, fseccomp, fsec_optimize, '@OUTDIR@'],
+ install: true,
+ install_dir: libdir_firejail,
+ output: [
+ 'seccomp',
+ 'seccomp.debug',
+ 'seccomp.32',
+ 'seccomp.block_secondary',
+ 'seccomp.mdwx',
+ 'seccomp.mdwx.32',
+ ],
+)
diff --git a/src/profstats/meson.build b/src/profstats/meson.build
new file mode 100644
index 00000000000..326060d59a7
--- /dev/null
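Review bot: `build_make_compile_seccmop_filters_sh` in src/meson.build misspells "seccomp" in the variable name (the script path it wraps is spelled correctly), which makes the target hard to find by grep later; rename it to `build_make_compile_seccomp_filters_sh` on both the assignment and the `command:` line of the 'seccomp filters' target. Separately, `c_args_libtrace` fixes `-O2` and only `-Werror` follows a project option, so `buildtype`/`optimization` settings silently have no effect on libtrace/libtracelog; the comment above it should say so, e.g. `# NOTE: optimisation and hardening for libtrace/libtracelog are fixed here, independent of buildtype`.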
+++ b/src/profstats/meson.build
@@ -0,0 +1,11 @@
+profstats_sources = [
+ 'main.c',
+]
+
+executable('profstats', profstats_sources,
+ build_by_default: false,
+
+ c_args: [
+ c_args, constants, facilities,
+ ],
+)
diff --git a/src/zsh_completion/_firejail.in b/src/zsh_completion/_firejail.in
index 15e9a511162..7eb2cce85c2 100644
--- a/src/zsh_completion/_firejail.in
+++ b/src/zsh_completion/_firejail.in
@@ -26,7 +26,7 @@ _profiles_with_ext() {
 }
 _all_profiles() {
- _values 'profiles' $(_profiles _SYSCONFDIR_/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .)
+ _values 'profiles' $(_profiles @SYSCONFDIR@/firejail) $(_profiles $HOME/.config/firejail) $(_profiles_with_ext .)
 }
 _session_bus_names() {
diff --git a/src/zsh_completion/meson.build b/src/zsh_completion/meson.build
new file mode 100644
index 00000000000..c61ccb85572
--- /dev/null
+++ b/src/zsh_completion/meson.build
@@ -0,0 +1,14 @@
+firejail_zsh_completion = configure_file(
+ configuration: {'SYSCONFDIR': sysconfdir},
+ input: '_firejail.in',
+ output: 'firejail.zsh_completion',
+)
+custom_target('firejail.zsh_completion',
+ build_by_default: true,
+ capture: true,
+ command: preproc_awk_cmd,
+ input: firejail_zsh_completion,
+ install: true,
+ install_dir: zshcompletiondir,
+ output: '_firejail',
+)
diff --git a/test/build-test.sh b/test/build-test.sh
new file mode 100644
index 00000000000..b631640fa6c
--- /dev/null
+++ b/test/build-test.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+src=$1
+dir=$2
+build=$3
+log=test/${dir}.log
+
+echo src:$src
+echo dir:$dir
+echo log:$log
+echo build:$build
+
+(cd $src/$dir && BUILD_ROOT=$build ./${dir}.sh 2>&1) | tee $log
+grep -a TESTING $log && ! grep -a -q "TESTING ERROR" $log
+
+exit 0
diff --git a/test/compile/compile.sh b/test/compile/compile.sh
index f3e5c4f33a2..d52d1451a9b 100755
--- a/test/compile/compile.sh
+++ b/test/compile/compile.sh
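Review bot: test/build-test.sh can never report a failure: under `set -e` a failing command inside an `&&` list does not abort the script, a `!`-negated pipeline is exempt as well, and the unconditional `exit 0` on the last line discards whatever status the `grep` line produced, so every `test()` registered in test/meson.build at the end of this diff passes regardless of the log contents. The `| tee $log` pipeline likewise hides the exit status of the test script itself, since `/bin/sh` has no `pipefail`. Replace the last two statements with `grep -a TESTING "$log" || exit 1` followed by `! grep -a -q "TESTING ERROR" "$log"` as the final line (its status then becomes the script's), and quote the expansions `$src/$dir`, `$build` and `$log` so paths containing spaces are not word-split.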
@@ -12,7 +12,8 @@
 # --enable-analyzer enable GCC 10 static analyzer
 # shellcheck source=config.sh
-. "$(dirname "$0")/../../config.sh" || exit 1
+echo PWD: $PWD
+. "$BUILD_ROOT/config.sh" || exit 1
 arr[1]="TEST 1: standard compilation"
 arr[2]="TEST 2: compile dbus proxy disabled"
@@ -77,14 +78,15 @@ cleanup
 #*****************************************************************
 print_title "${arr[1]}"
 echo "$DIST"
-tar -xJvf ../../"$DIST.tar.xz"
+(cd "$BUILD_ROOT" && meson dist --allow-dirty --no-tests)
+tar -xJvf "$BUILD_ROOT"/meson-dist/"$DIST.tar.xz"
 mv "$DIST" firejail
 cd firejail || exit 1
-./configure --prefix=/usr --enable-fatal-warnings \
+meson setup _builddir --prefix=/usr --werror \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test1
 grep Error output-configure output-make >> ./report-test1
@@ -99,12 +101,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[2]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --disable-dbusproxy \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Ddbusproxy=false \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test2
 grep Error output-configure output-make >> ./report-test2
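Review bot: `. "$BUILD_ROOT/config.sh" || exit 1` in the first hunk sources `/config.sh` when BUILD_ROOT is unset or empty, and the `|| exit 1` then only yields a generic failure with no hint about the missing variable; add `: "${BUILD_ROOT:?BUILD_ROOT must point to the meson build directory}"` before the dot-source so the script fails with a clear message. The `echo PWD: $PWD` added just above it reads like leftover debugging output; either drop it or quote it and keep it with the other diagnostics.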
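Review bot: in the test 2 hunk, `rm -rf _builddir` immediately followed by `meson setup --reconfigure _builddir` makes `--reconfigure` redundant — the directory no longer exists, so this is always a fresh setup — and depending on the meson version `--reconfigure` on a missing build tree may be rejected outright rather than ignored. Keep the `rm -rf` and drop `--reconfigure` (that matches the old `make distclean` semantics), because relying on `--reconfigure` alone would carry the previous test's `-D` options, e.g. `-Ddbusproxy=false`, into the next one. The same pattern repeats in every subsequent hunk of compile.sh up to the test 19 hunk at the end of the file.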
@@ -119,12 +121,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[3]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --disable-chroot \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dchroot=false \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test3
 grep Error output-configure output-make >> ./report-test3
@@ -139,12 +141,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[4]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --disable-firetunnel \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dfiretunnel=false \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test4
 grep Error output-configure output-make >> ./report-test4
@@ -159,12 +161,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[5]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --disable-userns \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Duserns=false \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test5
 grep Error output-configure output-make >> ./report-test5
@@ -180,12 +182,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[6]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --disable-network \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dnetwork=false \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test6
 grep Error output-configure output-make >> ./report-test6
@@ -200,12 +202,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[7]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --disable-x11 \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dx11=false \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test7
 grep Error output-configure output-make >> ./report-test7
@@ -220,12 +222,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[8]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --enable-selinux \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dselinux=true \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test8
 grep Error output-configure output-make >> ./report-test8
@@ -240,12 +242,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[9]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --disable-file-transfer \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dfile-transfer=false \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test9
 grep Error output-configure output-make >> ./report-test9
@@ -260,12 +262,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[10]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --disable-whitelist \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dwhitelist=false \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test10
 grep Error output-configure output-make >> ./report-test10
@@ -280,12 +282,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[11]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --disable-globalcfg \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dglobalcfg=false \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test11
 grep Error output-configure output-make >> ./report-test11
@@ -300,12 +302,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[12]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --enable-apparmor \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dapparmor=true \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test12
 grep Error output-configure output-make >> ./report-test12
@@ -320,12 +322,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[13]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --enable-busybox-workaround \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dbusybox-workaround=true \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test13
 grep Error output-configure output-make >> ./report-test13
@@ -340,12 +342,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[14]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --disable-overlayfs \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Doverlayfs=false \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test14
 grep Error output-configure output-make >> ./report-test14
@@ -360,12 +362,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[15]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --disable-private-home \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dprivate-home=false \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test15
 grep Error output-configure output-make >> ./report-test15
@@ -380,12 +382,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[16]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --disable-man \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dmanpage=false \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test16
 grep Error output-configure output-make >> ./report-test16
@@ -400,12 +402,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[17]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --disable-usertmpfs \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dusertmpfs=false \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test17
 grep Error output-configure output-make >> ./report-test17
@@ -420,12 +422,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[18]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --disable-private-home \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dprivate-home=false \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test18
 grep Error output-configure output-make >> ./report-test18
@@ -440,12 +442,12 @@ rm output-configure output-make
 #*****************************************************************
 print_title "${arr[19]}"
 cd firejail || exit 1
-make distclean
-./configure --prefix=/usr --enable-fatal-warnings \
- --enable-ids \
+rm -rf _builddir
+meson setup --reconfigure _builddir --prefix=/usr --werror \
+ -Dids=true \
 2>&1 | tee ../output-configure
-make -j "$(nproc)" 2>&1 | tee ../output-make
+ninja -C _builddir 2>&1 | tee ../output-make
 cd ..
 grep Warning output-configure output-make > ./report-test19
 grep Error output-configure output-make >> ./report-test19
diff --git a/test/meson.build b/test/meson.build
new file mode 100644
index 00000000000..8d867210949
--- /dev/null
+++ b/test/meson.build
@@ -0,0 +1,27 @@
+test_dirs = [
+ 'apparmor',
+ 'appimage',
+ 'apps',
+ 'apps-x11',
+ 'apps-x11-xorg',
+ 'capabilities',
+ 'chroot',
+ 'compile',
+ 'environment',
+ 'fcopy',
+ 'filters',
+ 'firecfg',
+ 'fnetfilter',
+ 'fs',
+ 'network',
+ 'private-etc',
+ 'private-lib',
+ 'profiles',
+ 'seccomp-extra',
+ 'sysutils',
+ 'utils',
+]
+build_test_sh = files('build-test.sh')
+foreach test_dir : test_dirs
+ test(test_dir, build_test_sh, args: [meson.current_source_dir(), test_dir, meson.project_build_root()], timeout: 600)
+endforeach