52 files changed, 285 insertions, 160 deletions
diff --git a/.github/workflows/build-extra.yml b/.github/workflows/build-extra.yml index c812e4572..dd0dc4da0 100644 --- a/.github/workflows/build-extra.yml +++ b/.github/workflows/build-extra.yml | |||
@@ -60,17 +60,20 @@ jobs: | |||
60 | allowed-endpoints: > | 60 | allowed-endpoints: > |
61 | azure.archive.ubuntu.com:80 | 61 | azure.archive.ubuntu.com:80 |
62 | github.com:443 | 62 | github.com:443 |
63 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab | 63 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 |
64 | - name: update package information | 64 | - name: update package information |
65 | run: sudo apt-get update | 65 | run: sudo apt-get update -qy |
66 | - name: install dependencies | 66 | - name: install dependencies |
67 | run: sudo apt-get install libapparmor-dev libselinux1-dev | 67 | run: > |
68 | sudo apt-get install -qy | ||
69 | libapparmor-dev libselinux1-dev | ||
68 | - name: print env | 70 | - name: print env |
69 | run: ./ci/printenv.sh | 71 | run: ./ci/printenv.sh |
70 | - name: configure | 72 | - name: configure |
71 | run: > | 73 | run: > |
72 | CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor | 74 | CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor |
73 | --enable-selinux | 75 | --enable-selinux |
76 | || (cat config.log; exit 1) | ||
74 | - name: make | 77 | - name: make |
75 | run: make | 78 | run: make |
76 | - name: make install | 79 | - name: make install |
@@ -87,19 +90,22 @@ jobs: | |||
87 | allowed-endpoints: > | 90 | allowed-endpoints: > |
88 | azure.archive.ubuntu.com:80 | 91 | azure.archive.ubuntu.com:80 |
89 | github.com:443 | 92 | github.com:443 |
90 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab | 93 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 |
91 | - name: update package information | 94 | - name: update package information |
92 | run: sudo apt-get update | 95 | run: sudo apt-get update -qy |
93 | - name: install clang-tools-14 and dependencies | 96 | - name: install clang-tools-14 and dependencies |
94 | run: sudo apt-get install clang-tools-14 libapparmor-dev libselinux1-dev | 97 | run: > |
98 | sudo apt-get install -qy | ||
99 | clang-tools-14 libapparmor-dev libselinux1-dev | ||
95 | - name: print env | 100 | - name: print env |
96 | run: ./ci/printenv.sh | 101 | run: ./ci/printenv.sh |
97 | - name: configure | 102 | - name: configure |
98 | run: > | 103 | run: > |
99 | CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor | 104 | CC=clang-14 ./configure --enable-fatal-warnings --enable-apparmor |
100 | --enable-selinux | 105 | --enable-selinux |
106 | || (cat config.log; exit 1) | ||
101 | - name: scan-build | 107 | - name: scan-build |
102 | run: NO_EXTRA_CFLAGS="yes" scan-build-14 --status-bugs make | 108 | run: scan-build-14 --status-bugs make |
103 | cppcheck: | 109 | cppcheck: |
104 | runs-on: ubuntu-22.04 | 110 | runs-on: ubuntu-22.04 |
105 | steps: | 111 | steps: |
@@ -110,11 +116,11 @@ jobs: | |||
110 | allowed-endpoints: > | 116 | allowed-endpoints: > |
111 | azure.archive.ubuntu.com:80 | 117 | azure.archive.ubuntu.com:80 |
112 | github.com:443 | 118 | github.com:443 |
113 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab | 119 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 |
114 | - name: update package information | 120 | - name: update package information |
115 | run: sudo apt-get update | 121 | run: sudo apt-get update -qy |
116 | - name: install cppcheck | 122 | - name: install cppcheck |
117 | run: sudo apt-get install cppcheck | 123 | run: sudo apt-get install -qy cppcheck |
118 | - run: cppcheck --version | 124 | - run: cppcheck --version |
119 | - name: cppcheck | 125 | - name: cppcheck |
120 | run: > | 126 | run: > |
@@ -132,11 +138,11 @@ jobs: | |||
132 | allowed-endpoints: > | 138 | allowed-endpoints: > |
133 | azure.archive.ubuntu.com:80 | 139 | azure.archive.ubuntu.com:80 |
134 | github.com:443 | 140 | github.com:443 |
135 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab | 141 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 |
136 | - name: update package information | 142 | - name: update package information |
137 | run: sudo apt-get update | 143 | run: sudo apt-get update -qy |
138 | - name: install cppcheck | 144 | - name: install cppcheck |
139 | run: sudo apt-get install cppcheck | 145 | run: sudo apt-get install -qy cppcheck |
140 | - run: cppcheck --version | 146 | - run: cppcheck --version |
141 | - name: cppcheck | 147 | - name: cppcheck |
142 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . | 148 | run: cppcheck -q --force --error-exitcode=1 --enable=warning,performance . |
@@ -150,11 +156,11 @@ jobs: | |||
150 | allowed-endpoints: > | 156 | allowed-endpoints: > |
151 | azure.archive.ubuntu.com:80 | 157 | azure.archive.ubuntu.com:80 |
152 | github.com:443 | 158 | github.com:443 |
153 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab | 159 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 |
154 | - name: update package information | 160 | - name: update package information |
155 | run: sudo apt-get update | 161 | run: sudo apt-get update -qy |
156 | - name: install dependencies | 162 | - name: install dependencies |
157 | run: sudo apt-get install codespell | 163 | run: sudo apt-get install -qy codespell |
158 | - run: codespell --version | 164 | - run: codespell --version |
159 | - name: codespell | 165 | - name: codespell |
160 | run: make codespell | 166 | run: make codespell |
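Review bot: The bumped `actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9` pins in every job of this file carry no trailing release comment, so a reviewer cannot tell from the diff which tagged release the new commit corresponds to. Pinning by full SHA is the right choice; adding the tag after it, e.g. `- uses: actions/checkout@<sha>  # vX.Y.Z` (placeholder, take the tag from the upstream release), keeps the pin auditable when it is bumped again. The same applies to the checkout pins in build.yml, codeql-analysis.yml and profile-checks.yml, and to the three `github/codeql-action` pins.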
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e896ba8e0..afa8d1305 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml | |||
@@ -61,12 +61,12 @@ jobs: | |||
61 | www.debian.org:443 | 61 | www.debian.org:443 |
62 | www.debian.org:80 | 62 | www.debian.org:80 |
63 | yahoo.com:1025 | 63 | yahoo.com:1025 |
64 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab | 64 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 |
65 | - name: update package information | 65 | - name: update package information |
66 | run: sudo apt-get update | 66 | run: sudo apt-get update -qy |
67 | - name: install dependencies | 67 | - name: install dependencies |
68 | run: > | 68 | run: > |
69 | sudo apt-get install | 69 | sudo apt-get install -qy |
70 | gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois | 70 | gcc-12 libapparmor-dev libselinux1-dev expect xzdec whois |
71 | bridge-utils | 71 | bridge-utils |
72 | - name: print env | 72 | - name: print env |
@@ -75,6 +75,7 @@ jobs: | |||
75 | run: > | 75 | run: > |
76 | CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings | 76 | CC=gcc-12 ./configure --prefix=/usr --enable-fatal-warnings |
77 | --enable-analyzer --enable-apparmor --enable-selinux | 77 | --enable-analyzer --enable-apparmor --enable-selinux |
78 | || (cat config.log; exit 1) | ||
78 | - name: make | 79 | - name: make |
79 | run: make | 80 | run: make |
80 | - name: make install | 81 | - name: make install |
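Review bot: The `sudo apt-get install -qy` line in this job does not get `--no-install-recommends`, although the same commit adds that option to every `apt-get install` in .gitlab-ci.yml. Without it the runner also installs recommended packages the build never asks for, which widens what is fetched through the `allowed-endpoints` list. If the build still passes with it, `sudo apt-get install --no-install-recommends -qy` would make the two CI systems consistent. The install steps in build-extra.yml are in the same position.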
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 8c17646a3..eec359f40 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml | |||
@@ -86,14 +86,14 @@ jobs: | |||
86 | uploads.github.com:443 | 86 | uploads.github.com:443 |
87 | 87 | ||
88 | - name: Checkout repository | 88 | - name: Checkout repository |
89 | uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab | 89 | uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 |
90 | 90 | ||
91 | - name: print env | 91 | - name: print env |
92 | run: ./ci/printenv.sh | 92 | run: ./ci/printenv.sh |
93 | 93 | ||
94 | # Initializes the CodeQL tools for scanning. | 94 | # Initializes the CodeQL tools for scanning. |
95 | - name: Initialize CodeQL | 95 | - name: Initialize CodeQL |
96 | uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4 | 96 | uses: github/codeql-action/init@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e |
97 | with: | 97 | with: |
98 | languages: ${{ matrix.language }} | 98 | languages: ${{ matrix.language }} |
99 | # If you wish to specify custom queries, you can do so here or in a config file. | 99 | # If you wish to specify custom queries, you can do so here or in a config file. |
@@ -104,7 +104,7 @@ jobs: | |||
104 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). | 104 | # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). |
105 | # If this step fails, then you should remove it and run the build manually (see below) | 105 | # If this step fails, then you should remove it and run the build manually (see below) |
106 | - name: Autobuild | 106 | - name: Autobuild |
107 | uses: github/codeql-action/autobuild@83f0fe6c4988d98a455712a27f0255212bba9bd4 | 107 | uses: github/codeql-action/autobuild@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e |
108 | 108 | ||
109 | # ℹ️ Command-line programs to run using the OS shell. | 109 | # ℹ️ Command-line programs to run using the OS shell. |
110 | # 📚 https://git.io/JvXDl | 110 | # 📚 https://git.io/JvXDl |
@@ -118,4 +118,4 @@ jobs: | |||
118 | # make release | 118 | # make release |
119 | 119 | ||
120 | - name: Perform CodeQL Analysis | 120 | - name: Perform CodeQL Analysis |
121 | uses: github/codeql-action/analyze@83f0fe6c4988d98a455712a27f0255212bba9bd4 | 121 | uses: github/codeql-action/analyze@6c089f53dd51dc3fc7e599c3cb5356453a52ca9e |
diff --git a/.github/workflows/profile-checks.yml b/.github/workflows/profile-checks.yml index 8500481cd..8418a390b 100644 --- a/.github/workflows/profile-checks.yml +++ b/.github/workflows/profile-checks.yml | |||
@@ -31,7 +31,7 @@ jobs: | |||
31 | allowed-endpoints: > | 31 | allowed-endpoints: > |
32 | github.com:443 | 32 | github.com:443 |
33 | 33 | ||
34 | - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab | 34 | - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 |
35 | - name: print env | 35 | - name: print env |
36 | run: ./ci/printenv.sh | 36 | run: ./ci/printenv.sh |
37 | - run: python3 --version | 37 | - run: python3 --version |
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 38d121c49..cb88c0263 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml | |||
@@ -8,28 +8,32 @@ | |||
8 | 8 | ||
9 | build_ubuntu_package: | 9 | build_ubuntu_package: |
10 | image: ubuntu:rolling | 10 | image: ubuntu:rolling |
11 | variables: | ||
12 | DEBIAN_FRONTEND: noninteractive | ||
11 | script: | 13 | script: |
12 | - apt-get update -qq | 14 | - apt-get update -qy |
13 | - > | 15 | - > |
14 | DEBIAN_FRONTEND=noninteractive apt-get install -y -qq | 16 | apt-get install --no-install-recommends -qy |
15 | build-essential lintian libapparmor-dev pkg-config python3 gawk | 17 | build-essential fakeroot lintian libapparmor-dev pkg-config gawk |
18 | | grep -Ev '^(Selecting|Preparing to unpack|Unpacking)' | ||
16 | - ./ci/printenv.sh | 19 | - ./ci/printenv.sh |
17 | - ./configure | 20 | - ./configure || (cat config.log; exit 1) |
18 | - make deb | 21 | - make deb |
19 | - dpkg -i firejail*.deb | 22 | - dpkg -i firejail*.deb |
20 | - command -V firejail && firejail --version | 23 | - command -V firejail && firejail --version |
21 | # - python3 --version | ||
22 | # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc | ||
23 | 24 | ||
24 | build_debian_package: | 25 | build_debian_package: |
25 | image: debian:buster | 26 | image: debian:buster |
27 | variables: | ||
28 | DEBIAN_FRONTEND: noninteractive | ||
26 | script: | 29 | script: |
27 | - apt-get update -qq | 30 | - apt-get update -qy |
28 | - > | 31 | - > |
29 | apt-get install -y -qq | 32 | apt-get install --no-install-recommends -qy |
30 | build-essential lintian libapparmor-dev pkg-config gawk | 33 | build-essential fakeroot lintian libapparmor-dev pkg-config gawk |
34 | | grep -Ev '^(Selecting|Preparing to unpack|Unpacking)' | ||
31 | - ./ci/printenv.sh | 35 | - ./ci/printenv.sh |
32 | - ./configure | 36 | - ./configure || (cat config.log; exit 1) |
33 | - make deb | 37 | - make deb |
34 | - dpkg -i firejail*.deb | 38 | - dpkg -i firejail*.deb |
35 | - command -V firejail && firejail --version | 39 | - command -V firejail && firejail --version |
@@ -40,7 +44,7 @@ build_redhat_package: | |||
40 | - dnf update -y | 44 | - dnf update -y |
41 | - dnf install -y rpm-build gcc make | 45 | - dnf install -y rpm-build gcc make |
42 | - ./ci/printenv.sh | 46 | - ./ci/printenv.sh |
43 | - ./configure --prefix=/usr | 47 | - ./configure --prefix=/usr || (cat config.log; exit 1) |
44 | - make rpms | 48 | - make rpms |
45 | - rpm -i firejail*.rpm | 49 | - rpm -i firejail*.rpm |
46 | - command -V firejail && firejail --version | 50 | - command -V firejail && firejail --version |
@@ -51,36 +55,35 @@ build_fedora_package: | |||
51 | - dnf update -y | 55 | - dnf update -y |
52 | - dnf install -y rpm-build gcc make | 56 | - dnf install -y rpm-build gcc make |
53 | - ./ci/printenv.sh | 57 | - ./ci/printenv.sh |
54 | - ./configure --prefix=/usr | 58 | - ./configure --prefix=/usr || (cat config.log; exit 1) |
55 | - make rpms | 59 | - make rpms |
56 | - rpm -i firejail*.rpm | 60 | - rpm -i firejail*.rpm |
57 | - command -V firejail && firejail --version | 61 | - command -V firejail && firejail --version |
58 | # - python3 --version | ||
59 | # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc | ||
60 | 62 | ||
61 | build_src_package: | 63 | build_src_package: |
62 | image: alpine:latest | 64 | image: alpine:latest |
63 | script: | 65 | script: |
64 | - apk update | 66 | - apk update |
65 | - apk upgrade | 67 | - apk upgrade |
66 | - apk add build-base linux-headers python3 gawk | 68 | - apk add build-base linux-headers gawk |
67 | - ./ci/printenv.sh | 69 | - ./ci/printenv.sh |
68 | - ./configure --prefix=/usr | 70 | - ./configure --prefix=/usr || (cat config.log; exit 1) |
69 | - make | 71 | - make |
70 | - make install-strip | 72 | - make install-strip |
71 | - command -V firejail && firejail --version | 73 | - command -V firejail && firejail --version |
72 | # - python3 --version | ||
73 | # - python3 contrib/sort.py etc/profile-*/*.profile etc/inc/*.inc | ||
74 | 74 | ||
75 | build_no_apparmor: | 75 | build_no_apparmor: |
76 | image: ubuntu:latest | 76 | image: ubuntu:latest |
77 | variables: | ||
78 | DEBIAN_FRONTEND: noninteractive | ||
77 | script: | 79 | script: |
78 | - apt-get update -qq | 80 | - apt-get update -qy |
79 | - > | 81 | - > |
80 | DEBIAN_FRONTEND=noninteractive apt-get install -y -qq | 82 | apt-get install --no-install-recommends -qy |
81 | build-essential lintian pkg-config gawk | 83 | build-essential fakeroot lintian pkg-config gawk |
84 | | grep -Ev '^(Selecting|Preparing to unpack|Unpacking)' | ||
82 | - ./ci/printenv.sh | 85 | - ./ci/printenv.sh |
83 | - ./configure | 86 | - ./configure || (cat config.log; exit 1) |
84 | - make dist | 87 | - make dist |
85 | - ./mkdeb.sh --disable-apparmor | 88 | - ./mkdeb.sh --disable-apparmor |
86 | - dpkg -i firejail*.deb | 89 | - dpkg -i firejail*.deb |
@@ -92,6 +95,7 @@ debian_ci: | |||
92 | variables: | 95 | variables: |
93 | DEBFULLNAME: "$GITLAB_USER_NAME" | 96 | DEBFULLNAME: "$GITLAB_USER_NAME" |
94 | DEBEMAIL: "$GITLAB_USER_EMAIL" | 97 | DEBEMAIL: "$GITLAB_USER_EMAIL" |
98 | DEBIAN_FRONTEND: noninteractive | ||
95 | before_script: | 99 | before_script: |
96 | - git checkout -B ci_build "$CI_COMMIT_SHA" | 100 | - git checkout -B ci_build "$CI_COMMIT_SHA" |
97 | - gitlab-ci-enable-sid | 101 | - gitlab-ci-enable-sid |
@@ -101,7 +105,7 @@ debian_ci: | |||
101 | deb-src http://deb.debian.org/debian sid main | 105 | deb-src http://deb.debian.org/debian sid main |
102 | deb-src http://deb.debian.org/debian experimental main | 106 | deb-src http://deb.debian.org/debian experimental main |
103 | EOF | 107 | EOF |
104 | - apt-get update | 108 | - apt-get update -qy |
105 | - git config user.name "$DEBFULLNAME" | 109 | - git config user.name "$DEBFULLNAME" |
106 | - git config user.email "$DEBEMAIL" | 110 | - git config user.email "$DEBEMAIL" |
107 | - | | 111 | - | |
@@ -122,7 +126,7 @@ debian_ci: | |||
122 | - git commit -m 'add debian/' | 126 | - git commit -m 'add debian/' |
123 | - export CI_COMMIT_SHA="$(git rev-parse HEAD)" | 127 | - export CI_COMMIT_SHA="$(git rev-parse HEAD)" |
124 | script: | 128 | script: |
125 | - apt-get --no-install-recommends install -y -qq gawk | 129 | - apt-get install --no-install-recommends -qy gawk |
126 | - ./ci/printenv.sh | 130 | - ./ci/printenv.sh |
127 | - gitlab-ci-git-buildpackage | 131 | - gitlab-ci-git-buildpackage |
128 | - gitlab-ci-lintian | 132 | - gitlab-ci-lintian |
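Review bot: The new `| grep -Ev '^(Selecting|Preparing to unpack|Unpacking)'` filter in build_ubuntu_package, build_debian_package and build_no_apparmor makes grep the last command of the step, so a failed `apt-get install` only fails the job if the runner's shell happens to have `pipefail` enabled. That setting is not visible in this file, so it would be safer to make it explicit, for example by starting the folded command with `set -o pipefail;` (assuming the image's shell supports it), or to drop the filter and rely on `-q`. A one-line comment above the filter, such as `# hide dpkg per-package progress lines only; errors must still fail the job`, would also record the intent.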
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = . | 4 | ROOT = . |
2 | -include config.mk | 5 | -include config.mk |
3 | 6 | ||
@@ -358,7 +361,7 @@ cppcheck: clean | |||
358 | 361 | ||
359 | .PHONY: scan-build | 362 | .PHONY: scan-build |
360 | scan-build: clean | 363 | scan-build: clean |
361 | NO_EXTRA_CFLAGS="yes" scan-build make | 364 | scan-build make |
362 | 365 | ||
363 | .PHONY: codespell | 366 | .PHONY: codespell |
364 | codespell: clean | 367 | codespell: clean |
@@ -380,36 +383,45 @@ $(TEST_TARGETS): | |||
380 | 383 | ||
381 | 384 | ||
382 | # extract some data about the testing setup: kernel, network connectivity, user | 385 | # extract some data about the testing setup: kernel, network connectivity, user |
386 | .PHONY: lab-setup | ||
383 | lab-setup:; uname -r; ldd --version | grep GLIBC; pwd; whoami; ip addr show; cat /etc/resolv.conf; cat /etc/hosts; ls /etc | 387 | lab-setup:; uname -r; ldd --version | grep GLIBC; pwd; whoami; ip addr show; cat /etc/resolv.conf; cat /etc/hosts; ls /etc |
384 | 388 | ||
389 | .PHONY: test | ||
385 | test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-seccomp-extra | 390 | test: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-private-etc test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters test-seccomp-extra |
386 | echo "TEST COMPLETE" | 391 | echo "TEST COMPLETE" |
387 | 392 | ||
393 | .PHONY: test-noprofiles | ||
388 | test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters | 394 | test-noprofiles: lab-setup test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment test-apps test-apps-x11 test-apps-x11-xorg test-filters |
389 | echo "TEST COMPLETE" | 395 | echo "TEST COMPLETE" |
390 | 396 | ||
391 | # not included in "make dist" and "make test" | 397 | # not included in "make dist" and "make test" |
398 | .PHONY: test-appimage | ||
392 | test-appimage: | 399 | test-appimage: |
393 | $(MAKE) -C test $(subst test-,,$@) | 400 | $(MAKE) -C test $(subst test-,,$@) |
394 | 401 | ||
395 | # using sudo; not included in "make dist" and "make test" | 402 | # using sudo; not included in "make dist" and "make test" |
403 | .PHONY: test-chroot | ||
396 | test-chroot: | 404 | test-chroot: |
397 | $(MAKE) -C test $(subst test-,,$@) | 405 | $(MAKE) -C test $(subst test-,,$@) |
398 | 406 | ||
399 | # using sudo; not included in "make dist" and "make test" | 407 | # using sudo; not included in "make dist" and "make test" |
408 | .PHONY: test-network | ||
400 | test-network: | 409 | test-network: |
401 | $(MAKE) -C test $(subst test-,,$@) | 410 | $(MAKE) -C test $(subst test-,,$@) |
402 | 411 | ||
403 | # using sudo; not included in "make dist" and "make test" | 412 | # using sudo; not included in "make dist" and "make test" |
413 | .PHONY: test-apparmor | ||
404 | test-apparmor: | 414 | test-apparmor: |
405 | $(MAKE) -C test $(subst test-,,$@) | 415 | $(MAKE) -C test $(subst test-,,$@) |
406 | 416 | ||
407 | # using sudo; not included in "make dist" and "make test" | 417 | # using sudo; not included in "make dist" and "make test" |
418 | .PHONY: test-firecfg | ||
408 | test-firecfg: | 419 | test-firecfg: |
409 | $(MAKE) -C test $(subst test-,,$@) | 420 | $(MAKE) -C test $(subst test-,,$@) |
410 | 421 | ||
411 | 422 | ||
412 | # old gihub test; the new test is driven directly from .github/workflows/build.yml | 423 | # old gihub test; the new test is driven directly from .github/workflows/build.yml |
424 | .PHONY: test-github | ||
413 | test-github: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment | 425 | test-github: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-utils test-sysutils test-environment |
414 | echo "TEST COMPLETE" | 426 | echo "TEST COMPLETE" |
415 | 427 | ||
@@ -419,6 +431,7 @@ test-github: lab-setup test-profiles test-fcopy test-fnetfilter test-fs test-uti | |||
419 | # with them you will need to restart your computer. | 431 | # with them you will need to restart your computer. |
420 | ########################################## | 432 | ########################################## |
421 | # private-lib is disabled by default in /etc/firejail/firejail.config | 433 | # private-lib is disabled by default in /etc/firejail/firejail.config |
434 | .PHONY: test-private-lib | ||
422 | test-private-lib: | 435 | test-private-lib: |
423 | $(MAKE) -C test $(subst test-,,$@) | 436 | $(MAKE) -C test $(subst test-,,$@) |
424 | 437 | ||
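Review bot: The two lines added at the top of this file, `.SUFFIXES:` and `MAKEFLAGS += -r`, have no comment saying what they are for. Both turn off make's built-in suffix and implicit rules, so any target that silently relied on one will stop building. A short comment above them, such as `# Disable built-in suffix/implicit rules; every rule in this tree must be explicit`, would document that. The file header for this section is missing from the page, so the path is inferred from the targets shown.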
@@ -7,21 +7,24 @@ firejail (0.9.73) baseline; urgency=low | |||
7 | * feature: add IPv6 support for --net.print option | 7 | * feature: add IPv6 support for --net.print option |
8 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) | 8 | * modif: Stop forwarding own double-dash to the shell (#5599 #5600) |
9 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) | 9 | * modif: Prevent sandbox name (--name=) and host name (--hostname=) |
10 | from containing only digits (#5578) | 10 | from containing only digits (#5578 #5741) |
11 | * modif: Escape control characters of the command line (#5613) | 11 | * modif: Escape control characters of the command line (#5613) |
12 | * modif: Allow only letters and digits for sandbox name (--name=) and | 12 | * modif: Allow mostly only ASCII letters and digits for sandbox name |
13 | host name (--hostname=) | 13 | (--name=) and host name (--hostname=) (#5708 #5856) |
14 | * modif: remove firemon --interface option (duplicating --net.print option) | 14 | * modif: remove firemon --interface option (duplicating --net.print option) |
15 | * modif: make private-lib a configure-time option, disabled by default (see | ||
16 | --enable-private-lib) (#5727 #5732) | ||
15 | * modif: Improve --version/--help & print version on startup (#5829) | 17 | * modif: Improve --version/--help & print version on startup (#5829) |
16 | * bugfix: qutebrowser: links will not open in the existing instance (#5601 | 18 | * bugfix: qutebrowser: links will not open in the existing instance (#5601 |
17 | #5618) | 19 | #5618) |
18 | * bugfix: fix --hostname and --hosts-file commands | 20 | * bugfix: fix --hostname and --hosts-file commands |
19 | * bugfix: arp.c: ensure positive timeout on select(2) (#5806) | 21 | * bugfix: arp.c: ensure positive timeout on select(2) (#5806) |
20 | * build: auto-generate syntax files (#5627) | 22 | * build: auto-generate syntax files (#5627) |
21 | * build: mark most phony targets as such (#5637) | 23 | * build: mark all phony targets as such (#5637) |
22 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) | 24 | * build: mkdeb.sh: pass all arguments to ./configure (#5654) |
23 | * build: deb: enable apparmor by default & remove deb-apparmor (#5668) | 25 | * build: deb: enable apparmor by default & remove deb-apparmor (#5668) |
24 | * build: Fix whitespace and add .editorconfig (#5674) | 26 | * build: Fix whitespace and add .editorconfig (#5674) |
27 | * build: enable compiler warnings by default (#5842) | ||
25 | * ci: always update the package db before installing packages (#5742) | 28 | * ci: always update the package db before installing packages (#5742) |
26 | * ci: fix codeql unable to download its own bundle (#5783) | 29 | * ci: fix codeql unable to download its own bundle (#5783) |
27 | * ci: split configure/build/install commands on gitlab (#5784) | 30 | * ci: split configure/build/install commands on gitlab (#5784) |
@@ -29,6 +32,8 @@ firejail (0.9.73) baseline; urgency=low | |||
29 | * ci: formatting and misc improvements (#5802) | 32 | * ci: formatting and misc improvements (#5802) |
30 | * ci: run for every branch instead of just master (#5815) | 33 | * ci: run for every branch instead of just master (#5815) |
31 | * ci: upgrade debian:stretch to debian:buster (#5818) | 34 | * ci: upgrade debian:stretch to debian:buster (#5818) |
35 | * ci: standardize apt-get update/install & misc improvements (#5857) | ||
36 | * contrib/vim: match profile files more broadly (#5850) | ||
32 | * test: split individual test groups in github workflows | 37 | * test: split individual test groups in github workflows |
33 | * test: add chroot, appimage and network tests in github workflows | 38 | * test: add chroot, appimage and network tests in github workflows |
34 | * docs: remove apparmor options in --help when building without apparmor | 39 | * docs: remove apparmor options in --help when building without apparmor |
diff --git a/config.mk.in b/config.mk.in index 6b6cf1b99..dea3d8a52 100644 --- a/config.mk.in +++ b/config.mk.in | |||
@@ -61,9 +61,5 @@ LDFLAGS=@LDFLAGS@ | |||
61 | # Project variables | 61 | # Project variables |
62 | LIBS=@LIBS@ | 62 | LIBS=@LIBS@ |
63 | 63 | ||
64 | ifdef NO_EXTRA_CFLAGS | ||
65 | else | ||
66 | EXTRA_CFLAGS +=@EXTRA_CFLAGS@ | 64 | EXTRA_CFLAGS +=@EXTRA_CFLAGS@ |
67 | endif | ||
68 | |||
69 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ | 65 | EXTRA_LDFLAGS +=@EXTRA_LDFLAGS@ |
@@ -2925,44 +2925,6 @@ else | |||
2925 | : | 2925 | : |
2926 | fi | 2926 | fi |
2927 | 2927 | ||
2928 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mretpoline" >&5 | ||
2929 | $as_echo_n "checking whether C compiler accepts -mretpoline... " >&6; } | ||
2930 | if ${ax_cv_check_cflags___mretpoline+:} false; then : | ||
2931 | $as_echo_n "(cached) " >&6 | ||
2932 | else | ||
2933 | |||
2934 | ax_check_save_flags=$CFLAGS | ||
2935 | CFLAGS="$CFLAGS -mretpoline" | ||
2936 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | ||
2937 | /* end confdefs.h. */ | ||
2938 | |||
2939 | int | ||
2940 | main () | ||
2941 | { | ||
2942 | |||
2943 | ; | ||
2944 | return 0; | ||
2945 | } | ||
2946 | _ACEOF | ||
2947 | if ac_fn_c_try_compile "$LINENO"; then : | ||
2948 | ax_cv_check_cflags___mretpoline=yes | ||
2949 | else | ||
2950 | ax_cv_check_cflags___mretpoline=no | ||
2951 | fi | ||
2952 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | ||
2953 | CFLAGS=$ax_check_save_flags | ||
2954 | fi | ||
2955 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mretpoline" >&5 | ||
2956 | $as_echo "$ax_cv_check_cflags___mretpoline" >&6; } | ||
2957 | if test "x$ax_cv_check_cflags___mretpoline" = xyes; then : | ||
2958 | |||
2959 | HAVE_SPECTRE="yes" | ||
2960 | EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline" | ||
2961 | |||
2962 | else | ||
2963 | : | ||
2964 | fi | ||
2965 | |||
2966 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-clash-protection" >&5 | 2928 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-clash-protection" >&5 |
2967 | $as_echo_n "checking whether C compiler accepts -fstack-clash-protection... " >&6; } | 2929 | $as_echo_n "checking whether C compiler accepts -fstack-clash-protection... " >&6; } |
2968 | if ${ax_cv_check_cflags___fstack_clash_protection+:} false; then : | 2930 | if ${ax_cv_check_cflags___fstack_clash_protection+:} false; then : |
diff --git a/configure.ac b/configure.ac index 30b031801..93de61b95 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -25,10 +25,6 @@ AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk], [ | |||
25 | HAVE_SPECTRE="yes" | 25 | HAVE_SPECTRE="yes" |
26 | EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk" | 26 | EXTRA_CFLAGS="$EXTRA_CFLAGS -mindirect-branch=thunk" |
27 | ]) | 27 | ]) |
28 | AX_CHECK_COMPILE_FLAG([-mretpoline], [ | ||
29 | HAVE_SPECTRE="yes" | ||
30 | EXTRA_CFLAGS="$EXTRA_CFLAGS -mretpoline" | ||
31 | ]) | ||
32 | AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [ | 28 | AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [ |
33 | HAVE_SPECTRE="yes" | 29 | HAVE_SPECTRE="yes" |
34 | EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection" | 30 | EXTRA_CFLAGS="$EXTRA_CFLAGS -fstack-clash-protection" |
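Review bot: With the `-mretpoline` check removed, the only indirect-branch mitigation still probed here is `-mindirect-branch=thunk`, which as far as I know is a GCC option, so clang builds (the CI configures with `CC=clang-14`) would end up with no retpoline-style flag at all. `HAVE_SPECTRE="yes"` is still set by the `-fstack-clash-protection` branch directly below, so anything that reports HAVE_SPECTRE can claim Spectre mitigation when none was enabled. Consider adding a comment that records why `-mretpoline` was dropped, and setting `HAVE_SPECTRE` only in the indirect-branch check. The surrounding AX_CHECK_COMPILE_FLAG sequence starts and ends outside the hunk.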
diff --git a/contrib/vim/ftdetect/firejail.vim b/contrib/vim/ftdetect/firejail.vim index 2edc741da..6180048f7 100644 --- a/contrib/vim/ftdetect/firejail.vim +++ b/contrib/vim/ftdetect/firejail.vim | |||
@@ -1,6 +1,12 @@ | |||
1 | autocmd BufNewFile,BufRead /etc/firejail/*.profile setfiletype firejail | 1 | " Default paths |
2 | autocmd BufNewFile,BufRead /etc/firejail/*.local setfiletype firejail | ||
3 | autocmd BufNewFile,BufRead /etc/firejail/*.inc setfiletype firejail | 2 | autocmd BufNewFile,BufRead /etc/firejail/*.inc setfiletype firejail |
4 | autocmd BufNewFile,BufRead ~/.config/firejail/*.profile setfiletype firejail | 3 | autocmd BufNewFile,BufRead /etc/firejail/*.local setfiletype firejail |
5 | autocmd BufNewFile,BufRead ~/.config/firejail/*.local setfiletype firejail | 4 | autocmd BufNewFile,BufRead /etc/firejail/*.profile setfiletype firejail |
6 | autocmd BufNewFile,BufRead ~/.config/firejail/*.inc setfiletype firejail | 5 | autocmd BufNewFile,BufRead ~/.config/firejail/*.inc setfiletype firejail |
6 | autocmd BufNewFile,BufRead ~/.config/firejail/*.local setfiletype firejail | ||
7 | autocmd BufNewFile,BufRead ~/.config/firejail/*.profile setfiletype firejail | ||
8 | |||
9 | " Arbitrary paths | ||
10 | autocmd BufNewFile,BufRead */firejail/*.inc set filetype=firejail | ||
11 | autocmd BufNewFile,BufRead */firejail/*.local set filetype=firejail | ||
12 | autocmd BufNewFile,BufRead */firejail/*.profile set filetype=firejail | ||
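Review bot: The three new "Arbitrary paths" rules use `set filetype=firejail` where the default-path rules use `setfiletype firejail`, and nothing in the file says why. `setfiletype` only applies when no filetype has been chosen yet, while `set filetype=` overrides an existing one, so any `.inc`, `.local` or `.profile` file under a directory named `firejail` is forced to this filetype. If that is intended, a comment such as `" Force the filetype here: these extensions are also claimed by other ftdetect rules` would make it clear. The `*/firejail/*` patterns also appear to cover both default paths, which would leave the first six rules redundant.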
diff --git a/etc/profile-a-l/fdns.profile b/etc/profile-a-l/fdns.profile index 77e16a56b..4dbf3c194 100644 --- a/etc/profile-a-l/fdns.profile +++ b/etc/profile-a-l/fdns.profile | |||
@@ -21,6 +21,7 @@ include disable-xdg.inc | |||
21 | #include whitelist-usr-share-common.inc | 21 | #include whitelist-usr-share-common.inc |
22 | #include whitelist-var-common.inc | 22 | #include whitelist-var-common.inc |
23 | 23 | ||
24 | apparmor /usr/bin/fdns | ||
24 | caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot | 25 | caps.keep kill,net_bind_service,setgid,setuid,sys_admin,sys_chroot |
25 | ipc-namespace | 26 | ipc-namespace |
26 | # netfilter /etc/firejail/webserver.net | 27 | # netfilter /etc/firejail/webserver.net |
@@ -47,4 +48,3 @@ private-etc @tls-ca,fdns | |||
47 | private-tmp | 48 | private-tmp |
48 | 49 | ||
49 | memory-deny-write-execute | 50 | memory-deny-write-execute |
50 | restrict-namespaces | ||
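Review bot: `restrict-namespaces` is removed from the end of this profile without any comment, while the profile keeps `caps.keep ... sys_admin,sys_chroot`, so the sandboxed process is left with both the capability and the freedom to create namespaces. If fdns needs that, the file should say so, e.g. `# restrict-namespaces is omitted because <reason>` placed with the other commented-out options, so the relaxation is not later mistaken for an oversight. It is also worth confirming what the `/usr/bin/fdns` argument on the new `apparmor` line selects and that it exists wherever this profile ships, since that is not visible here.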
diff --git a/etc/profile-m-z/vmplayer.profile b/etc/profile-m-z/vmplayer.profile new file mode 100644 index 000000000..4b386fed7 --- /dev/null +++ b/etc/profile-m-z/vmplayer.profile | |||
@@ -0,0 +1,8 @@ | |||
1 | # Firejail profile for vmware-player | ||
2 | # Description: VMWare Workstation Player, used for running virtual machines | ||
3 | # This file is overwritten after every install/update | ||
4 | # Persistent local customizations | ||
5 | include vmplayer.local | ||
6 | |||
7 | # Redirect | ||
8 | include vmware.profile | ||
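Review bot: The header of this new file reads `# Firejail profile for vmware-player`, but the file is `vmplayer.profile` and includes `vmplayer.local`; it looks copied from vmware-player.profile. Suggest `# Firejail profile for vmplayer` so the header matches the file name and the `.local` override it loads.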
diff --git a/etc/profile-m-z/vmware-player.profile b/etc/profile-m-z/vmware-player.profile index 582a0f693..8be9acc92 100644 --- a/etc/profile-m-z/vmware-player.profile +++ b/etc/profile-m-z/vmware-player.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for vmware-player | 1 | # Firejail profile for vmware-player |
2 | # Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC. | 2 | # Description: VMWare Workstation Player, used for running virtual machines |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include vmware-player.local | 5 | include vmware-player.local |
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile index c2fd14811..e924d2119 100644 --- a/etc/profile-m-z/vmware-view.profile +++ b/etc/profile-m-z/vmware-view.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for vmware-view | 1 | # Firejail profile for vmware-view |
2 | # Description: VMware Horizon Client | 2 | # Description: VMware Horizon Client, used as a remote desktop client |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include vmware-view.local | 5 | include vmware-view.local |
diff --git a/etc/profile-m-z/vmware-workstation.profile b/etc/profile-m-z/vmware-workstation.profile index 6290b57f4..5311cd123 100644 --- a/etc/profile-m-z/vmware-workstation.profile +++ b/etc/profile-m-z/vmware-workstation.profile | |||
@@ -1,5 +1,5 @@ | |||
1 | # Firejail profile for vmware-workstation | 1 | # Firejail profile for vmware-workstation |
2 | # Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC. | 2 | # Description: VMWare Workstation Player, used for running virtual machines |
3 | # This file is overwritten after every install/update | 3 | # This file is overwritten after every install/update |
4 | # Persistent local customizations | 4 | # Persistent local customizations |
5 | include vmware-workstation.local | 5 | include vmware-workstation.local |
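--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -1,5 +1,5 @@
 # Firejail profile for vmware
-# Description: The industry standard for running multiple operating systems as virtual machines on a single Linux PC.
+# Description: VMWare Workstation Player, used for running virtual machines
 # This file is overwritten after every install/update
 # Persistent local customizations
 include vmware.local
@@ -11,7 +11,7 @@ noblacklist ${HOME}/.vmware
 noblacklist /usr/lib/vmware
 
 include disable-common.inc
-include disable-devel.inc
+#include disable-devel.inc # gcc is used to compile kernel modules
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-programs.inc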
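Review bot: Commenting out `include disable-devel.inc` in the second hunk exposes everything that include blacklists (its content is not shown here), not only gcc, to every sandboxed VMware run. The same commit disables these programs in firecfg.config because kernel modules still cannot be installed, so the relaxation may not even achieve its purpose. Keeping the include and placing `noblacklist` lines for just the compiler binaries ahead of it would be a narrower exception. The new Description text "VMWare Workstation Player" is also applied to this generic profile and to vmware-workstation.profile, which reads as a copy of the player wording.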
diff --git a/src/bash_completion/Makefile b/src/bash_completion/Makefile index e787a7b92..6d5c45532 100644 --- a/src/bash_completion/Makefile +++ b/src/bash_completion/Makefile | |||
@@ -1,9 +1,12 @@ | |||
1 | .PHONY: all | 1 | .SUFFIXES: |
2 | all: firejail.bash_completion | 2 | MAKEFLAGS += -r |
3 | 3 | ||
4 | ROOT = ../.. | 4 | ROOT = ../.. |
5 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
6 | 6 | ||
7 | .PHONY: all | ||
8 | all: firejail.bash_completion | ||
9 | |||
7 | firejail.bash_completion: firejail.bash_completion.in $(ROOT)/config.mk | 10 | firejail.bash_completion: firejail.bash_completion.in $(ROOT)/config.mk |
8 | gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp | 11 | gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp |
9 | sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ | 12 | sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ |
diff --git a/src/etc-cleanup/Makefile b/src/etc-cleanup/Makefile index 10c28cd76..7c542c4a9 100644 --- a/src/etc-cleanup/Makefile +++ b/src/etc-cleanup/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/fbuilder/Makefile b/src/fbuilder/Makefile index ad73e8960..803ea18a3 100644 --- a/src/fbuilder/Makefile +++ b/src/fbuilder/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/fcopy/Makefile b/src/fcopy/Makefile index 27054627c..29ea719a3 100644 --- a/src/fcopy/Makefile +++ b/src/fcopy/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/fids/Makefile b/src/fids/Makefile index 44ea396d7..1aaac5c75 100644 --- a/src/fids/Makefile +++ b/src/fids/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/firecfg/Makefile b/src/firecfg/Makefile index 05cc088f4..c9489e3a4 100644 --- a/src/firecfg/Makefile +++ b/src/firecfg/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
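--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -895,9 +895,10 @@ vivaldi-beta
 vivaldi-snapshot
 vivaldi-stable
 vlc
-vmware
-vmware-player
-vmware-workstation
+#vmplayer - unable to install kernel modules (see #5861)
+#vmware - unable to install kernel modules (see #5861)
+#vmware-player - unable to install kernel modules (see #5861)
+#vmware-workstation - unable to install kernel modules (see #5861)
 vscodium
 vulturesclaw
 vultureseye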
diff --git a/src/firejail/Makefile b/src/firejail/Makefile index 47edc5ac6..064373588 100644 --- a/src/firejail/Makefile +++ b/src/firejail/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
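--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2187,34 +2187,21 @@ int main(int argc, char **argv, char **envp) {
 else if (strncmp(argv[i], "--name=", 7) == 0) {
 cfg.name = argv[i] + 7;
 if (strlen(cfg.name) == 0) {
-fprintf(stderr, "Error: please provide a name for sandbox\n");
+fprintf(stderr, "Error: invalid sandbox name: cannot be empty\n");
 return 1;
 }
-if (invalid_name(cfg.name) || has_cntrl_chars(cfg.name)) {
+if (invalid_name(cfg.name)) {
 fprintf(stderr, "Error: invalid sandbox name\n");
 return 1;
 }
 }
 else if (strncmp(argv[i], "--hostname=", 11) == 0) {
 cfg.hostname = argv[i] + 11;
-size_t len = strlen(cfg.hostname);
-if (len == 0 || len > 253) {
-fprintf(stderr, "Error: please provide a valid hostname for sandbox, with maximum length of 253 ASCII characters\n");
+if (strlen(cfg.hostname) == 0) {
+fprintf(stderr, "Error: invalid hostname: cannot be empty\n");
 return 1;
 }
-int invalid = invalid_name(cfg.hostname);
-char* hostname = cfg.hostname;
-while (*hostname && !invalid) {
-invalid = invalid || !(
-(*hostname >= 'a' && *hostname <= 'z') ||
-(*hostname >= 'A' && *hostname <= 'Z') ||
-(*hostname >= '0' && *hostname <= '9') ||
-(*hostname == '-' || *hostname == '.'));
-hostname++;
-}
-invalid = invalid || cfg.hostname[0] == '-'; // must not start with -
-invalid = invalid || cfg.hostname[len - 1] == '-'; // must not end with -
-if (invalid) {
+if (invalid_name(cfg.hostname)) {
 fprintf(stderr, "Error: invalid hostname\n");
 return 1;
 }
@@ -2847,7 +2834,11 @@ int main(int argc, char **argv, char **envp) {
 // set sandbox name and start normally
 cfg.name = argv[i] + 16;
 if (strlen(cfg.name) == 0) {
-fprintf(stderr, "Error: please provide a name for sandbox\n");
+fprintf(stderr, "Error: invalid sandbox name: cannot be empty\n");
+return 1;
+}
+if (invalid_name(cfg.name)) {
+fprintf(stderr, "Error: invalid sandbox name\n");
 return 1;
 }
 }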
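Review bot: The rewritten `--hostname` branch drops the message that named the 253-character limit, so an over-long or otherwise rejected hostname now prints only `Error: invalid hostname`, with no hint at which rule failed. Pointing the user at the documented rules would cover every case, e.g. `fprintf(stderr, "Error: invalid hostname (see NAME VALIDATION in the firejail man page)\n");`, and the same applies to the `invalid sandbox name` messages in both hunks. The empty-string check followed by `invalid_name()` now appears three times in this file; a small static helper taking the value and a label would keep the wording and rules from drifting apart. main() starts and ends outside these hunks.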
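--- a/src/firejail/no_sandbox.c
+++ b/src/firejail/no_sandbox.c
@@ -120,7 +120,7 @@ int check_kernel_procs(void) {
 
 // read file
 char buf[100];
-if (fgets(buf, 10, fp) == NULL) {
+if (fgets(buf, 100, fp) == NULL) {
 fwarning("cannot read %s\n", fname);
 fclose(fp);
 free(fname);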
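Review bot: The corrected call still repeats the buffer size as a literal, which is how the old `10` could drift away from `char buf[100]` unnoticed. `if (fgets(buf, sizeof(buf), fp) == NULL) {` ties the limit to the declaration on the line above it. check_kernel_procs() continues outside the hunk, so whether the rest of the function copes with a line that fills the buffer cannot be judged from here.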
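--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -326,22 +326,13 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 }
 // sandbox name
 else if (strncmp(ptr, "name ", 5) == 0) {
-int only_numbers = 1;
 cfg.name = ptr + 5;
 if (strlen(cfg.name) == 0) {
-fprintf(stderr, "Error: invalid sandbox name\n");
+fprintf(stderr, "Error: invalid sandbox name: cannot be empty\n");
 exit(1);
 }
-const char *c = cfg.name;
-while (*c) {
-if (!isdigit(*c)) {
-only_numbers = 0;
-break;
-}
-++c;
-}
-if (only_numbers) {
-fprintf(stderr, "Error: invalid sandbox name: it only contains digits\n");
+if (invalid_name(cfg.name)) {
+fprintf(stderr, "Error: invalid sandbox name\n");
 exit(1);
 }
 return 0;
@@ -1165,6 +1156,14 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 // hostname
 if (strncmp(ptr, "hostname ", 9) == 0) {
 cfg.hostname = ptr + 9;
+if (strlen(cfg.hostname) == 0) {
+fprintf(stderr, "Error: invalid hostname: cannot be empty\n");
+exit(1);
+}
+if (invalid_name(cfg.hostname)) {
+fprintf(stderr, "Error: invalid hostname\n");
+exit(1);
+}
 return 0;
 }
 
@@ -1647,6 +1646,10 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 // set sandbox name and start normally
 cfg.name = ptr + 14;
 if (strlen(cfg.name) == 0) {
+fprintf(stderr, "Error: invalid sandbox name: cannot be empty\n");
+exit(1);
+}
+if (invalid_name(cfg.name)) {
 fprintf(stderr, "Error: invalid sandbox name\n");
 exit(1);
 }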
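Review bot: The validation errors in all three hunks call `exit(1)` without saying which profile or line held the bad value, although `lineno` and `fname` are parameters of `profile_check_line()` per the hunk header. A profile can pull in several includes, so the location matters more here than on the command line; assuming `fname` is non-NULL at these points, `fprintf(stderr, "Error: invalid hostname in %s, line %d\n", fname, lineno);` would say where to look. The `hostname` profile command was not validated at all before this change, so existing profiles whose value fails `invalid_name()` will now abort at load, which deserves a line in the release notes. The function body extends beyond these hunks.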
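--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -1476,23 +1476,46 @@ int ascii_isxdigit(unsigned char c) {
 return ret;
 }
 
-// allow strict ASCII letters and numbers; names with only numbers are rejected; spaces are rejected
+// Note: Keep this in sync with NAME VALIDATION in src/man/firejail.txt.
+//
+// Allow only ASCII letters, digits and a few special characters; names with
+// only numbers are rejected; spaces and control characters are rejected.
 int invalid_name(const char *name) {
 const char *c = name;
-
 int only_numbers = 1;
+
+if (strlen(name) > 253)
+return 1;
+
+// must start with alnum
+if (!ascii_isalnum(*c))
+return 1;
+if (!ascii_isdigit(*c))
+only_numbers = 0;
+++c;
+
 while (*c) {
-if (!ascii_isalnum(*c))
-return 1;
-if (!ascii_isdigit(*c))
+switch (*c) {
+case '-':
+case '.':
+case '_':
 only_numbers = 0;
+break;
+default:
+if (!ascii_isalnum(*c))
+return 1;
+if (!ascii_isdigit(*c))
+only_numbers = 0;
+}
 ++c;
 }
-if (only_numbers)
+
+// must end with alnum
+--c;
+if (!ascii_isalnum(*c))
 return 1;
 
-// restrict name to 64 chars max
-if (strlen(name) > 64)
+if (only_numbers)
 return 1;
 
 return 0;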
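Review bot: The length cap in `invalid_name()` rises from 64 to 253 while the function becomes the only check for hostnames as well as sandbox names. Linux limits a hostname to 64 bytes (HOST_NAME_MAX), so a 65 to 253 character `--hostname` passes here and, assuming the value is later handed to sethostname(), fails there instead of at validation. A separate, smaller limit for the hostname callers, or a comment explaining why 253 is safe for both uses, would close that gap. Runs such as `..` or `.-` in the middle of a name are also accepted, which is harmless for a sandbox name but is not a valid hostname label. The leading `ascii_isalnum(*c)` test is what rejects the empty string and keeps the later `--c` in bounds, which is worth a comment: `// also rejects "", so --c below never steps before name`.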
diff --git a/src/firemon/Makefile b/src/firemon/Makefile index 433e4267d..514eb98eb 100644 --- a/src/firemon/Makefile +++ b/src/firemon/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/fldd/Makefile b/src/fldd/Makefile index 0c127af55..35ce019a7 100644 --- a/src/fldd/Makefile +++ b/src/fldd/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/fnet/Makefile b/src/fnet/Makefile index 91de109fa..a40d69b11 100644 --- a/src/fnet/Makefile +++ b/src/fnet/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/fnetfilter/Makefile b/src/fnetfilter/Makefile index 506d287ab..fbae2e027 100644 --- a/src/fnetfilter/Makefile +++ b/src/fnetfilter/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/fnettrace-dns/Makefile b/src/fnettrace-dns/Makefile index 36542f567..3c825467c 100644 --- a/src/fnettrace-dns/Makefile +++ b/src/fnettrace-dns/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/fnettrace-icmp/Makefile b/src/fnettrace-icmp/Makefile index 12ae42e9a..9e94fa144 100644 --- a/src/fnettrace-icmp/Makefile +++ b/src/fnettrace-icmp/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/fnettrace-sni/Makefile b/src/fnettrace-sni/Makefile index 8d9a437d5..21dfde3d3 100644 --- a/src/fnettrace-sni/Makefile +++ b/src/fnettrace-sni/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/fnettrace/Makefile b/src/fnettrace/Makefile index 952036ad3..a952a84a4 100644 --- a/src/fnettrace/Makefile +++ b/src/fnettrace/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/fsec-optimize/Makefile b/src/fsec-optimize/Makefile index ce65f4719..40511bdaa 100644 --- a/src/fsec-optimize/Makefile +++ b/src/fsec-optimize/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/fsec-print/Makefile b/src/fsec-print/Makefile index cbe061d45..6f09e9161 100644 --- a/src/fsec-print/Makefile +++ b/src/fsec-print/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/fseccomp/Makefile b/src/fseccomp/Makefile index 1b8d0bb48..bd5c92113 100644 --- a/src/fseccomp/Makefile +++ b/src/fseccomp/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/ftee/Makefile b/src/ftee/Makefile index 2f26ab900..8b4e7fdf4 100644 --- a/src/ftee/Makefile +++ b/src/ftee/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/fzenity/Makefile b/src/fzenity/Makefile index aeb862d9b..6b93886f5 100644 --- a/src/fzenity/Makefile +++ b/src/fzenity/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/jailcheck/Makefile b/src/jailcheck/Makefile index e3b84fbf3..029fd422b 100644 --- a/src/jailcheck/Makefile +++ b/src/jailcheck/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/lib/Makefile b/src/lib/Makefile index f5b92e389..e359bba08 100644 --- a/src/lib/Makefile +++ b/src/lib/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/libpostexecseccomp/Makefile b/src/libpostexecseccomp/Makefile index 62e167b73..874de098e 100644 --- a/src/libpostexecseccomp/Makefile +++ b/src/libpostexecseccomp/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/libtrace/Makefile b/src/libtrace/Makefile index d45b3e2f6..d261828ea 100644 --- a/src/libtrace/Makefile +++ b/src/libtrace/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/libtracelog/Makefile b/src/libtracelog/Makefile index bfc5adddc..5e14a5dbe 100644 --- a/src/libtracelog/Makefile +++ b/src/libtracelog/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/man/Makefile b/src/man/Makefile index 283822d1f..ce55ffd34 100644 --- a/src/man/Makefile +++ b/src/man/Makefile | |||
@@ -1,9 +1,12 @@ | |||
1 | .PHONY: all | 1 | .SUFFIXES: |
2 | all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man | 2 | MAKEFLAGS += -r |
3 | 3 | ||
4 | ROOT = ../.. | 4 | ROOT = ../.. |
5 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
6 | 6 | ||
7 | .PHONY: all | ||
8 | all: firecfg.man firejail.man firejail-login.man firejail-users.man firejail-profile.man firemon.man jailcheck.man | ||
9 | |||
7 | %.man: %.txt $(ROOT)/config.mk | 10 | %.man: %.txt $(ROOT)/config.mk |
8 | gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@ | 11 | gawk -f ./preproc.awk -- $(MANFLAGS) < $< > $@ |
9 | 12 | ||
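--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -876,6 +876,8 @@ Print options end exit.
 \fB\-\-hostname=name
 Set sandbox hostname.
 .br
+For valid names, see the \fBNAME VALIDATION\fR section.
+.br
 
 .br
 Example:
@@ -1180,7 +1182,9 @@ Switching to pid 1932, the first child process inside the sandbox
 .TP
 \fB\-\-join-or-start=name
 Join the sandbox identified by name or start a new one.
-Same as "firejail --join=name" if sandbox with specified name exists, otherwise same as "firejail --name=name ..."
+Same as "firejail --join=name" if sandbox with specified name exists, otherwise
+same as "firejail --name=name ...".
+See \fB\-\-name\fR for details.
 .br
 Note that in contrary to other join options there is respective profile option.
 
@@ -1340,8 +1344,13 @@ $ firejail \-\-net=eth0 \-\-mtu=1492
 \fB\-\-name=name
 Set sandbox name. Several options, such as \-\-join and \-\-shutdown, can use
 this name to identify a sandbox.
-The name cannot contain only digits, as that is treated as a PID in the other options, such as in \-\-join.
+The name cannot contain only digits, as that is treated as a PID in the other
+options, such as in \-\-join.
+.br
+For valid names, see the \fBNAME VALIDATION\fR section.
+.br
 
+.br
 In case the name supplied by the user is already in use by another sandbox, Firejail will assign a
 new name as "name-PID", where PID is the process ID of the sandbox. This functionality
 can be disabled at run time in /etc/firejail/firejail.config file, by setting "name-change" flag to "no".
@@ -3296,6 +3305,17 @@ Example:
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
 #endif
+.\" Note: Keep this in sync with invalid_name() in src/firejail/util.c.
+.SH NAME VALIDATION
+For simplicity, the same name validation is used for multiple options.
+Rules:
+.PP
+The name must be 1-253 characters long.
+The name can only contain ASCII letters, digits and the special characters
+"-._" (that is, the name cannot contain spaces or control characters).
+The name cannot contain only digits.
+The first and last characters must be an ASCII letter or digit and the name
+may contain special characters in the middle.
 #ifdef HAVE_APPARMOR
 .SH APPARMOR
 .TP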
diff --git a/src/profstats/Makefile b/src/profstats/Makefile index 47b39e76c..936b575e1 100644 --- a/src/profstats/Makefile +++ b/src/profstats/Makefile | |||
@@ -1,3 +1,6 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
1 | ROOT = ../.. | 4 | ROOT = ../.. |
2 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
3 | 6 | ||
diff --git a/src/zsh_completion/Makefile b/src/zsh_completion/Makefile index d7bc1038a..fab53ca0a 100644 --- a/src/zsh_completion/Makefile +++ b/src/zsh_completion/Makefile | |||
@@ -1,9 +1,12 @@ | |||
1 | .PHONY: all | 1 | .SUFFIXES: |
2 | all: _firejail | 2 | MAKEFLAGS += -r |
3 | 3 | ||
4 | ROOT = ../.. | 4 | ROOT = ../.. |
5 | -include $(ROOT)/config.mk | 5 | -include $(ROOT)/config.mk |
6 | 6 | ||
7 | .PHONY: all | ||
8 | all: _firejail | ||
9 | |||
7 | _firejail: _firejail.in $(ROOT)/config.mk | 10 | _firejail: _firejail.in $(ROOT)/config.mk |
8 | gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp | 11 | gawk -f ../man/preproc.awk -- $(MANFLAGS) < $< > $@.tmp |
9 | sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ | 12 | sed "s|_SYSCONFDIR_|$(sysconfdir)|" < $@.tmp > $@ |
diff --git a/test/Makefile b/test/Makefile index 2c376da58..02a628928 100644 --- a/test/Makefile +++ b/test/Makefile | |||
@@ -1,3 +1,9 @@ | |||
1 | .SUFFIXES: | ||
2 | MAKEFLAGS += -r | ||
3 | |||
4 | ROOT = .. | ||
5 | -include $(ROOT)/config.mk | ||
6 | |||
1 | TESTS=$(patsubst %/,%,$(wildcard */)) | 7 | TESTS=$(patsubst %/,%,$(wildcard */)) |
2 | 8 | ||
3 | .PHONY: $(TESTS) | 9 | .PHONY: $(TESTS) |