diff options
| author |  Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-05-17 14:04:35 -0300 |
|---|---|---|
| committer | Kelvin M. Klann <kmk3.code@protonmail.com> | 2021-05-22 08:57:39 -0300 |
| commit | 0c5d5d77b334059716ed753687abb3bf823bfcfa (patch) | |
| tree | f95323b54ed48d56e02a39f7f448408b5661717a /configure.ac | |
| parent | support trailing comments on profile lines (diff) | |
| download | firejail-0c5d5d77b334059716ed753687abb3bf823bfcfa.tar.gz firejail-0c5d5d77b334059716ed753687abb3bf823bfcfa.tar.zst firejail-0c5d5d77b334059716ed753687abb3bf823bfcfa.zip | |
configure*: fix build with non-bash /bin/sh
The configure script happens to work if /bin/sh supports the non-POSIX
"+=" operator (e.g.: bash) and fails otherwise (e.g.: dash).
This usage first appeared on configure.ac on commit 66a476419 ("gcov
support"), which is from 2016.
If the --enable-apparmor flag is passed to ./configure (which is the
default on Arch Linux), running `make` fails due to the missing
-lapparmor LDFLAG. Thus, building firejail-git from the AUR does not
work if /bin/sh is e.g.: dash.
Errors when running the build commands below from makepkg:
$ ./configure --prefix=/usr --enable-apparmor >/dev/null
./configure: 3174: EXTRA_CFLAGS+= -mindirect-branch=thunk: not found
./configure: 3246: EXTRA_CFLAGS+= -fstack-clash-protection: not found
./configure: 3282: EXTRA_CFLAGS+= -fstack-protector-strong: not found
./configure: 3518: EXTRA_CFLAGS+= : not found
$ make >/dev/null
/usr/bin/ld: apparmor.o: in function `apparmor_test':
/tmp/firejail-git/src/firejail-git/src/jailcheck/apparmor.c:28: undefined reference to `aa_gettaskcon'
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:10: jailcheck] Error 1
make: *** [Makefile:42: src/jailcheck/jailcheck] Error 2
make: *** Waiting for unfinished jobs....
/usr/bin/ld: apparmor.o: in function `print_apparmor':
/tmp/firejail-git/src/firejail-git/src/firemon/apparmor.c:28: undefined reference to `aa_gettaskcon'
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:10: firemon] Error 1
make: *** [Makefile:42: src/firemon/firemon] Error 2
/usr/bin/ld: join.o: in function `extract_apparmor':
/tmp/firejail-git/src/firejail-git/src/firejail/join.c:65: undefined reference to `aa_is_enabled'
/usr/bin/ld: sandbox.o: in function `set_apparmor':
/tmp/firejail-git/src/firejail-git/src/firejail/sandbox.c:133: undefined reference to `aa_change_onexec'
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:10: firejail] Error 1
make: *** [Makefile:42: src/firejail/firejail] Error 2
Without the apparmor flag, the CFLAGS related to HAVE_SPECTRE do not get
applied either, but `make` does not error out, so the problem is harder
to detect in this case.
Diff comparing the output of `./configure 2>&1` when running without and
then with this patch:
$ git --no-pager diff --no-index configure_current.log configure_patch.log
diff --git a/configure_current.log b/configure_patch.log
index f5e814f..099d836 100644
--- a/configure_current.log
+++ b/configure_patch.log
@@ -10,12 +10,9 @@ checking for gcc option to accept ISO C89... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking for ranlib... ranlib
checking whether C compiler accepts -mindirect-branch=thunk... yes
-./configure: 3174: EXTRA_CFLAGS+= -mindirect-branch=thunk: not found
checking whether C compiler accepts -mretpoline... no
checking whether C compiler accepts -fstack-clash-protection... yes
-./configure: 3246: EXTRA_CFLAGS+= -fstack-clash-protection: not found
checking whether C compiler accepts -fstack-protector-strong... yes
-./configure: 3282: EXTRA_CFLAGS+= -fstack-protector-strong: not found
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for gawk... yes
@@ -88,7 +85,7 @@ Configuration options:
busybox workaround: no
Spectre compiler patch: yes
EXTRA_LDFLAGS:
- EXTRA_CFLAGS:
+ EXTRA_CFLAGS: -mindirect-branch=thunk -fstack-clash-protection -fstack-protector-strong
fatal warnings:
Gcov instrumentation:
Install contrib scripts: yes
Diffstat (limited to 'configure.ac')
| -rw-r--r-- | configure.ac | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/configure.ac b/configure.ac index 036b62484..606f4ef7e 100644 --- a/configure.ac +++ b/configure.ac | |||
| @@ -24,25 +24,25 @@ AC_PROG_RANLIB | |||
| 24 | HAVE_SPECTRE="no" | 24 | HAVE_SPECTRE="no" |
| 25 | AX_CHECK_COMPILE_FLAG( | 25 | AX_CHECK_COMPILE_FLAG( |
| 26 | [-mindirect-branch=thunk], | 26 | [-mindirect-branch=thunk], |
| 27 | [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mindirect-branch=thunk"] | 27 | [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk"] |
| 28 | ) | 28 | ) |
| 29 | AX_CHECK_COMPILE_FLAG( | 29 | AX_CHECK_COMPILE_FLAG( |
| 30 | [-mretpoline], | 30 | [-mretpoline], |
| 31 | [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -mretpoline"] | 31 | [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline"] |
| 32 | ) | 32 | ) |
| 33 | AX_CHECK_COMPILE_FLAG( | 33 | AX_CHECK_COMPILE_FLAG( |
| 34 | [-fstack-clash-protection], | 34 | [-fstack-clash-protection], |
| 35 | [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-clash-protection"] | 35 | [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection"] |
| 36 | ) | 36 | ) |
| 37 | AX_CHECK_COMPILE_FLAG( | 37 | AX_CHECK_COMPILE_FLAG( |
| 38 | [-fstack-protector-strong], | 38 | [-fstack-protector-strong], |
| 39 | [HAVE_SPECTRE="yes" && EXTRA_CFLAGS+=" -fstack-protector-strong"] | 39 | [HAVE_SPECTRE="yes" && EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-protector-strong"] |
| 40 | ) | 40 | ) |
| 41 | 41 | ||
| 42 | AC_ARG_ENABLE([analyzer], | 42 | AC_ARG_ENABLE([analyzer], |
| 43 | AS_HELP_STRING([--enable-analyzer], [enable GCC 10 static analyzer])) | 43 | AS_HELP_STRING([--enable-analyzer], [enable GCC 10 static analyzer])) |
| 44 | AS_IF([test "x$enable_analyzer" = "xyes"], [ | 44 | AS_IF([test "x$enable_analyzer" = "xyes"], [ |
| 45 | EXTRA_CFLAGS+=" -fanalyzer" | 45 | EXTRA_CFLAGS="$EXTRA_CFLAGS -fanalyzer" |
| 46 | ]) | 46 | ]) |
| 47 | 47 | ||
| 48 | HAVE_APPARMOR="" | 48 | HAVE_APPARMOR="" |
| @@ -50,7 +50,8 @@ AC_ARG_ENABLE([apparmor], | |||
| 50 | AS_HELP_STRING([--enable-apparmor], [enable apparmor])) | 50 | AS_HELP_STRING([--enable-apparmor], [enable apparmor])) |
| 51 | AS_IF([test "x$enable_apparmor" = "xyes"], [ | 51 | AS_IF([test "x$enable_apparmor" = "xyes"], [ |
| 52 | HAVE_APPARMOR="-DHAVE_APPARMOR" | 52 | HAVE_APPARMOR="-DHAVE_APPARMOR" |
| 53 | PKG_CHECK_MODULES([AA], libapparmor, [EXTRA_CFLAGS+=" $AA_CFLAGS" && EXTRA_LDFLAGS+=" $AA_LIBS"]) | 53 | PKG_CHECK_MODULES([AA], libapparmor, |
| 54 | [EXTRA_CFLAGS="$EXTRA_CFLAGS $AA_CFLAGS" && EXTRA_LDFLAGS="$EXTRA_LDFLAGS $AA_LIBS"]) | ||
| 54 | AC_SUBST(HAVE_APPARMOR) | 55 | AC_SUBST(HAVE_APPARMOR) |
| 55 | ]) | 56 | ]) |
| 56 | 57 | ||
| @@ -59,7 +60,7 @@ AC_ARG_ENABLE([selinux], | |||
| 59 | AS_HELP_STRING([--enable-selinux], [SELinux labeling support])) | 60 | AS_HELP_STRING([--enable-selinux], [SELinux labeling support])) |
| 60 | AS_IF([test "x$enable_selinux" = "xyes"], [ | 61 | AS_IF([test "x$enable_selinux" = "xyes"], [ |
| 61 | HAVE_SELINUX="-DHAVE_SELINUX" | 62 | HAVE_SELINUX="-DHAVE_SELINUX" |
| 62 | EXTRA_LDFLAGS+=" -lselinux " | 63 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lselinux " |
| 63 | AC_SUBST(HAVE_SELINUX) | 64 | AC_SUBST(HAVE_SELINUX) |
| 64 | ]) | 65 | ]) |
| 65 | 66 | ||
| @@ -215,7 +216,7 @@ AC_ARG_ENABLE([gcov], | |||
| 215 | AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])) | 216 | AS_HELP_STRING([--enable-gcov], [Gcov instrumentation])) |
| 216 | AS_IF([test "x$enable_gcov" = "xyes"], [ | 217 | AS_IF([test "x$enable_gcov" = "xyes"], [ |
| 217 | HAVE_GCOV="--coverage -DHAVE_GCOV " | 218 | HAVE_GCOV="--coverage -DHAVE_GCOV " |
| 218 | EXTRA_LDFLAGS+=" -lgcov --coverage " | 219 | EXTRA_LDFLAGS="$EXTRA_LDFLAGS -lgcov --coverage " |
| 219 | AC_SUBST(HAVE_GCOV) | 220 | AC_SUBST(HAVE_GCOV) |
| 220 | ]) | 221 | ]) |
| 221 | 222 | ||