Commit message (Author, Age)
* build: disable all built-in implicit make rules (Kelvin M. Klann, 2023-06-21)
|     Use `make -r` to reduce unnecessary filesystem lookups.
|
|     Overall, this appears to reduce the amount of implicit rule searches by
|     ~93.3% (~97.5% compared to a8f01a383) for the default build and by
|     ~83.3% (~99.3% compared to a8f01a383) for the "man" target (as an
|     example):
|
|         $ git show --pretty='%h %ai %s' -s
|         a8f01a383 2023-06-20 05:26:23 +0000 Merge pull request #5859 from kmk3/build-remove-retpoline
|         $ ./configure >/dev/null
|         $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
|         6798
|         $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
|         1085
|         # (in the previous commit)
|         $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
|         2535
|         $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
|         42
|         # (with this commit applied)
|         $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
|         170
|         $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
|         7
|
|     Environment: GNU make 4.4.1-2 on Artix Linux.
|
|     Note: According to make(1p) in POSIX.1-2017, "If .SUFFIXES does not have
|     any prerequisites, the list of known suffixes shall be cleared.", while
|     "The result of setting MAKEFLAGS in the Makefile is unspecified."
|
|     Commands used to search and replace:
|
|         $ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \
|           "printf '%s\n' \"\$(sed -E \
|           's/^(.SUFFIXES:)/\1\nMAKEFLAGS += -r\n/' '{}')\" >'{}'"
* build: disable most built-in implicit make rules (Kelvin M. Klann, 2023-06-21)
|     Clear `.SUFFIXES:` to reduce unnecessary filesystem lookups.
|
|     Overall, this appears to reduce the amount of implicit rule searches by
|     ~62% for the default build and by ~96% for the "man" target (as an
|     example):
|
|         $ git checkout master >/dev/null 2>&1
|         $ git show --pretty='%h %ai %s' -s
|         a8f01a383 2023-06-20 05:26:23 +0000 Merge pull request #5859 from kmk3/build-remove-retpoline
|         $ ./configure >/dev/null
|         $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
|         6798
|         $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
|         1085
|         # (with this commit applied)
|         $ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
|         2535
|         $ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
|         42
|
|     Environment: GNU make 4.4.1-2 on Artix Linux.
|
|     Commands used to search and replace:
|
|         $ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \
|           "printf '%s\n' \"\$(sed '1s/^/.SUFFIXES:\n/' '{}')\" >'{}'"
|
|     See also commit f48886f25 ("build: mark most phony targets as such",
|     2023-02-01) / PR #5637.
* build: standardize commands on top of makefiles (Kelvin M. Klann, 2023-06-21)
|     To make the makefiles look more similar.
* Merge pull request #5859 from kmk3/build-remove-retpoline (Kelvin M. Klann, 2023-06-20)
|\
| |     build: remove -mretpoline and NO_EXTRA_CFLAGS
| * build: remove -mretpoline and NO_EXTRA_CFLAGS (Kelvin M. Klann, 2023-06-18)
| |     The -mretpoline flag is not documented in the current versions of gcc
| |     and clang and it is what causes scan-build to fail:
| |
| |         $ ./configure CC=clang | grep retpoline
| |         checking whether C compiler accepts -mretpoline... yes
| |         EXTRA_CFLAGS: -mretpoline -fstack-clash-protection -fstack-protector-strong
| |         $ scan-build --status-bugs make
| |         scan-build: Using '/usr/bin/clang-15' for static analysis
| |         make -C src/lib
| |         make[1]: Entering directory '/tmp/firejail/src/lib'
| |         /usr/bin/../lib/clang/ccc-analyzer [...] -mretpoline [...] -c common.c -o common.o
| |         gcc: error: unrecognized command-line option ‘-mretpoline’
| |         make[1]: *** [../../src/prog.mk:16: common.o] Error 1
| |         make[1]: Leaving directory '/tmp/firejail/src/lib'
| |         make: *** [Makefile:59: src/lib] Error 2
| |         scan-build: Analysis run complete.
| |         scan-build: Removing directory '/tmp/scan-build-[...]' because it contains no reports.
| |         scan-build: No bugs found.
| |
| |     Environment: clang 15.0.7-9 and gcc 13.1.1-1 on Artix Linux.
| |
| |     Note: NO_EXTRA_CFLAGS was added to work around this issue by causing
| |     all of the flags in EXTRA_CFLAGS to be ignored.
| |
| |     Note2: -mretpoline was added on commit 4a99c8aa2 ("spectre support for
| |     clang compiler", 2018-03-30) and NO_EXTRA_CFLAGS was added on commit
| |     490918c35 ("fix make scan-build for debian 10 and arch", 2019-07-22).
| |
| |     See also commit 2c64d1fdd ("use AX_CHECK_COMPILE_FLAG to check for
| |     spectre flags", 2019-06-21).
| |
| |     Closes #5509.
| |
| |     Kind of relates to #2661.
* | build(deps): bump github/codeql-action from 2.3.6 to 2.20.0 (dependabot[bot], 2023-06-19)
| |     Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.6 to 2.20.0.
| |     - [Release notes](https://github.com/github/codeql-action/releases)
| |     - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
| |     - [Commits](https://github.com/github/codeql-action/compare/83f0fe6c4988d98a455712a27f0255212bba9bd4...6c089f53dd51dc3fc7e599c3cb5356453a52ca9e)
| |
| |     ---
| |     updated-dependencies:
| |     - dependency-name: github/codeql-action
| |       dependency-type: direct:production
| |       update-type: version-update:semver-minor
| |     ...
| |
| |     Signed-off-by: dependabot[bot] <support@github.com>
* | build(deps): bump actions/checkout from 3.5.2 to 3.5.3 (dependabot[bot], 2023-06-19)
| |     Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.2 to 3.5.3.
| |     - [Release notes](https://github.com/actions/checkout/releases)
| |     - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
| |     - [Commits](https://github.com/actions/checkout/compare/8e5e7e5ab8b370d6c329ec480221332ada57f0ab...c85c95e3d7251135ab7dc9ce3241c5835cc595a9)
| |
| |     ---
| |     updated-dependencies:
| |     - dependency-name: actions/checkout
| |       dependency-type: direct:production
| |       update-type: version-update:semver-patch
| |     ...
| |
| |     Signed-off-by: dependabot[bot] <support@github.com>
* | RELNOTES: add private-lib modif (Kelvin M. Klann, 2023-06-19)
| |     Added on commit b689b69f6 ("make --private-lib a compile time option,
| |     disabled by default", 2023-03-09) and on commit 91f2b3ffc ("private-lib
| |     cleanup", 2023-03-09).
| |
| |     Relates to #5727 #5732.
* | RELNOTES: update name/hostname modifs (Kelvin M. Klann, 2023-06-19)
| |     Relates to #5708 #5741 #5856.
* | Merge pull request #5856 from kmk3/standardize-name-checks (Kelvin M. Klann, 2023-06-19)
|\ \
| | |     modif: Standardize and add missing name/hostname checks
| * | docs: document NAME VALIDATION in firejail.txt (Kelvin M. Klann, 2023-06-13)
| | |
| * | Add missing name/hostname checks (Kelvin M. Klann, 2023-06-13)
| | |     Note that the sandbox name may also be set through the "join-or-start"
| | |     option.
| | |
| | |     Relates to #5578 #5708.
| * | Standardize name/hostname checks (Kelvin M. Klann, 2023-06-13)
| | |     Changes:
| | |
| | |     * Use only `invalid_name` to check the name and hostname instead of
| | |       ad-hoc checks
| | |     * Standardize empty/invalid error messages for name/hostname
| | |
| | |     Note: This makes the hostname validation less strict, though it still
| | |     forbids control characters and only numbers.
| | |
| | |     Relates to #5578 #5708.
| | |
| | |     See also commit b4ffaa207 ("merges; more on cleaning up esc chars",
| | |     2023-02-14).
| * | util.c: check first/last char and allow extra chars (Kelvin M. Klann, 2023-06-13)
| | |     In `invalid_name`.
| * | util.c: increase name max length from 64 to 253 (Kelvin M. Klann, 2023-06-13)
| | |     To match the hostname check in src/firejail/main.c.
| * | main.c: remove redundant has_cntrl_chars check (Kelvin M. Klann, 2023-06-13)
| | |     The `invalid_name` function does not allow control characters.
| | |
| | |     Added on commit d349a2ff8 ("Forbid control chars in names",
| | |     2023-03-03) / PR #5708.
* | | RELNOTES: add build, ci and contrib items (Kelvin M. Klann, 2023-06-19)
| | |     Relates to #5842 #5850 #5857.
* | | cleanup (netblue, 2023-06-18)
| |/
|/|
* | Merge pull request #5857 from kmk3/ci-standardize-apt (Kelvin M. Klann, 2023-06-18)
|\ \
| | |     ci: standardize apt-get update/install & misc improvements
| * | ci: standardize apt-get update/install (Kelvin M. Klann, 2023-06-14)
| | |     General changes:
| | |
| | |     * Use a single -q on update, as the output is not too long
| | |     * Use a single -q on install, to show all packages at once
| | |
| | |     GitLab-specific changes:
| | |
| | |     * Use `DEBIAN_FRONTEND=noninteractive` to reduce noise
| | |     * Use --no-install-recommends to avoid installing unnecessary packages
| | |     * Filter out uninteresting lines on install
| | |
| | |     Note: `DEBIAN_FRONTEND` does not appear to be needed in the default
| | |     GitHub runner container and not many packages are currently being
| | |     downloaded/installed in them, so do the above changes only in jobs
| | |     that use custom Docker images.
| * | ci: remove commented profile checks from build jobs (Kelvin M. Klann, 2023-06-14)
| | |     There already exists a workflow dedicated to profile checks:
| | |
| | |     * .github/workflows/profile-checks.yml.
| | |
| | |     Keep the build and lint jobs separate to make it easier to spot build
| | |     vs lint failures in CI.
| | |
| | |     See also commit c3b42dbd2 ("ci: disable sort.py on gitlab jobs as
| | |     well", 2023-04-10).
| * | ci: print config.log if configure fails (Kelvin M. Klann, 2023-06-14)
| |/
| |     Example log of it failing:
| |
| |         $ ./configure
| |         checking for gcc... gcc
| |         checking whether the C compiler works... no
| |         configure: error: in `/tmp/build':
| |         configure: error: C compiler cannot create executables
| |         See `config.log' for more details
* | Merge pull request #5850 from kmk3/vim-improve-ftdetect (Kelvin M. Klann, 2023-06-18)
|\ \
| | |     contrib/vim: match profile files more broadly
| * | contrib/vim: match profile files more broadly (Kelvin M. Klann, 2023-06-10)
| | |     Currently it only sets the appropriate filetype for files in
| | |     `/etc/firejail` and `~/.config/firejail`.
| | |
| | |     With this commit, the firejail filetype should also be set when
| | |     opening `etc/inc/*.inc`, for example, as long as there is a "firejail"
| | |     directory somewhere before that (such as in
| | |     `/foo/firejail/bar/etc/inc/*.inc`).
| | |
| | |     Note: At least `*/firejail/*.inc` needs to force the match (by using
| | |     `set filetype` rather than `setfiletype`), or else the default vim
| | |     checks take precedence (and the filetype for all files in
| | |     `etc/inc/*.inc` gets set to `pov`).
| | |
| | |     Fixes #4319.
| | |
| | |     Relates to #2679.
| | |
| | |     Co-authored-by: rusty-snake <41237666+rusty-snake@users.noreply.github.com>
| * | contrib/vim: sort paths in ftdetect (Kelvin M. Klann, 2023-06-09)
| |/
* / build: mark phony test targets as such (Kelvin M. Klann, 2023-06-15)
|/
|     See commit f48886f25 ("build: mark most phony targets as such",
|     2023-02-01) / PR #5637.
* build(deps): bump github/codeql-action from 2.3.5 to 2.3.6 (dependabot[bot], 2023-06-05)
|     Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.5 to 2.3.6.
|     - [Release notes](https://github.com/github/codeql-action/releases)
|     - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
|     - [Commits](https://github.com/github/codeql-action/compare/0225834cc549ee0ca93cb085b92954821a145866...83f0fe6c4988d98a455712a27f0255212bba9bd4)
|
|     ---
|     updated-dependencies:
|     - dependency-name: github/codeql-action
|       dependency-type: direct:production
|       update-type: version-update:semver-patch
|     ...
|
|     Signed-off-by: dependabot[bot] <support@github.com>
* firefox: fix private-etc firefox (glitsj16, 2023-06-05)
|
* Merge pull request #5842 from kmk3/build-enable-warnings (netblue30, 2023-05-31)
|\
| |     build: enable compiler warnings by default
| * build: enable compiler warnings by default (Kelvin M. Klann, 2023-05-31)
| |     Enable -Wall by default and add -Wextra.
| * build: organize warning flags in CFLAGS (Kelvin M. Klann, 2023-05-31)
|/
* build(deps): bump github/codeql-action from 2.3.3 to 2.3.5 (dependabot[bot], 2023-05-29)
|     Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.3 to 2.3.5.
|     - [Release notes](https://github.com/github/codeql-action/releases)
|     - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
|     - [Commits](https://github.com/github/codeql-action/compare/29b1f65c5e92e24fe6b6647da1eaabe529cec70f...0225834cc549ee0ca93cb085b92954821a145866)
|
|     ---
|     updated-dependencies:
|     - dependency-name: github/codeql-action
|       dependency-type: direct:production
|       update-type: version-update:semver-patch
|     ...
|
|     Signed-off-by: dependabot[bot] <support@github.com>
* RELNOTES: add print version modif (Kelvin M. Klann, 2023-05-19)
|     Relates to #5829.
* merges (netblue30, 2023-05-19)
|
* Merge pull request #5719 from marek22k/clawsmail-clamav (netblue30, 2023-05-19)
|\
| |     email-common.profile: allow clamav plugin for claws-mail
| * Merge branch 'master' into clawsmail-clamav (netblue30, 2023-05-19)
| |\
| |/
|/|
* | Merge pull request #5808 from Dieterbe/qutebrowser-qt6-mpris-change (netblue30, 2023-05-19)
|\ \
| | |     qutebrowser: update MPRIS name for qutebrowser-qt6
| * | qutebrowser: update MPRIS name for qutebrowser-qt6 (Dieter Plaetinck, 2023-05-05)
| | |     see https://github.com/qutebrowser/qutebrowser/issues/7431
* | | Merge pull request #5829 from kmk3/improve-print-version (netblue30, 2023-05-19)
|\ \ \
| | | |     modif: Improve --version/--help & print version on startup
| * | | Print version on startup for firejail/firecfg (Kelvin M. Klann, 2023-05-14)
| | | |     It is not too uncommon for the firejail version to be missing when
| | | |     issues are reported; this commit makes it more likely that any posted
| | | |     logs will contain the program version.
| | | |
| | | |     Do so just for firejail and firecfg for now because they are the most
| | | |     common user-facing programs.
| | | |
| | | |     Print the version after argument parsing, in order to avoid printing
| | | |     the program version more than once and to avoid interfering with
| | | |     commands that generate machine-readable output (like `firejail --list`
| | | |     and `firecfg --list`). Also, only print it after all profiles have
| | | |     been loaded, because a profile may contain `quiet`.
| | | |
| | | |     Note: This does not cover the case where the program exits before the
| | | |     end of argument/profile parsing (such as when an error occurs).
| * | | Move usage text into usage_str var (Kelvin M. Klann, 2023-05-14)
| | | |     For consistency and readability.
| | | |
| | | |     Note: This also makes exactly one extra blank line be printed at the
| | | |     end of every usage text, which is currently only done in the following
| | | |     files:
| | | |
| | | |     * src/fcopy/main.c
| | | |     * src/fnettrace-dns/main.c
| | | |     * src/fnettrace-icmp/main.c
| | | |     * src/fnettrace-sni/main.c
| | | |     * src/fnettrace/main.c
| | | |     * src/profstats/main.c
| * | | Standardize usage string var declarations (Kelvin M. Klann, 2023-05-14)
| | | |     Changes:
| | | |
| | | |     * Name them all "usage_str"
| | | |     * Make them const
| | | |
| | | |     For the latter item, see commit eb20f52ef ("Make list of paths const
| | | |     to fix a false positive of gcc analyzer", 2022-07-27) / PR #5275.
| * | | Standardize version output (Kelvin M. Klann, 2023-05-14)
| | | |     Changes:
| | | |
| | | |     * Only print the version line in the print_version function
| | | |     * Add a print_version function where missing (put it in usage.c if the
| | | |       file exists)
| | | |     * Always a blank line after the version
| * | | firejail: simplify print_compiletime_support function (Kelvin M. Klann, 2023-05-14)
| | | |     Build the entire string at once and print it only once.
| * | | firejail: deduplicate version printing (Kelvin M. Klann, 2023-05-14)
| | | |     Split print_version into two functions:
| | | |
| | | |     * print_version: only prints the version line
| | | |     * print_version_full: also prints compile-time support
| * | | firejail: move print_version from checkcfg.c to usage.c (Kelvin M. Klann, 2023-05-14)
| | | |
| * | | Remove dash before version on --help output (Kelvin M. Klann, 2023-05-14)
| | | |     Currently, --version doesn't print a dash while --help does.
| | | |
| | | |     Example:
| | | |
| | | |         $ firejail --version | grep 'version 0'
| | | |         firejail version 0.9.73
| | | |         $ firejail --help | grep 'version 0'
| | | |         firejail - version 0.9.73
| | | |
| | | |     For consistency, always print the version without a dash.
| | | |
| | | |     Commands used to search and replace:
| | | |
| | | |         $ git grep -IFlz ' - version' -- src | xargs -0 -I '{}' sh -c "printf '%s\n' \"\$(sed 's/ - version/ version/' '{}')\" >'{}'"
| * | | jailcheck: fix wrong program name in --version (Kelvin M. Klann, 2023-05-12)
|/ / /
| | |     Added on commit 42e2db127 ("jaitest - simple sandbox testing utility
| | |     program", 2021-02-20).
* | | etc-cleanup: fix wrong header path in Makefile (Kelvin M. Klann, 2023-05-11)
| | |     This is causing main.o to be built using an implicit rule (rather than
| | |     the rule from src/prog.mk), which does not use PROG_CFLAGS.
| | |
| | |     Example (using src/fldd as a working example for comparison):
| | |
| | |         $ make -C src/etc-cleanup clean >/dev/null && make -C src/etc-cleanup | grep -Ev '(Entering|Leaving) directory'
| | |         gcc -g -O2 -c -o main.o main.c
| | |         gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -o etc-cleanup main.o
| | |         $ make -C src/etc-cleanup clean >/dev/null && make -C src/etc-cleanup -r | grep -Ev '(Entering|Leaving) directory'
| | |         make: *** No rule to make target 'main.o', needed by 'etc-cleanup'. Stop.
| | |         $ make -C src/fldd clean >/dev/null && make -C src/fldd | grep -Ev '(Entering|Leaving) directory'
| | |         gcc -ggdb -O2 -DVERSION='"0.9.73"' -fstack-protector-all [...]
| | |         gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -o fldd main.o ../lib/common.o ../lib/ldd_utils.o
| | |         $ make -C src/fldd clean >/dev/null && make -C src/fldd -r | grep -Ev '(Entering|Leaving) directory'
| | |         gcc -ggdb -O2 -DVERSION='"0.9.73"' -fstack-protector-all [...]
| | |         gcc -pie -fPIE -Wl,-z,relro -Wl,-z,now -o fldd main.o ../lib/common.o ../lib/ldd_utils.o
| | |
| | |     Environment: GNU make 4.4.1-2 on Artix Linux.
| | |
| | |     This amends commit e889db095 ("build fix", 2023-02-06).
| | |
| | |     See also commit 02d37680c ("private-etc rework: file groups moved to
| | |     src/include/etc_groups.h, new groups added", 2023-01-25).
| | |
| | |     Relates to #5610.
* | | block local python (#5826) (pirate486743186, 2023-05-11)
| | |     Co-authored-by: pirate486743186 <>