| Commit message (Collapse) | Author | Age |
|
|
|
|
|
|
|
|
|
|
|
| |
Escape `.` only when generating the syntax files rather than directly in
the syntax lists, so that the latter contain the command names as is.
This also makes the escaping apply to the arg1 syntax list as well.
Note: Double escaping (`\\\\.`) is used in `regex_fromlf` because its
output is used in another sed replacement (where it needs to be `\\.`).
Relates to #5627.
|
|
|
|
| |
Relates to #5627.
|
|
|
|
|
|
|
|
|
|
| |
Make the non-phony targets that are defined in the root Makefile depend
on it, to ensure that they get re-generated if their recipes change.
Note that these targets are generated nearly instantly, so this should
not noticeably affect rebuild times.
Relates to #5627.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes the following errors:
$ make codespell
[...]
codespell --ignore-regex "UE|creat|doas|shotcut|ether" src test
src/firemon/procevent.c:188: duble ==> double
src/fnettrace/main.c:30: postive ==> positive
src/fnettrace/main.c:30: defiend ==> defined
src/fnettrace/main.c:482: isplay ==> display
make: *** [Makefile:371: codespell] Error 65
$ codespell --version
2.2.5
Added in the following commits:
* bef5d86a1 ("increase socket buffer size for firemon, bug #2700",
2019-09-29)
* c4962789f ("nettrace stats", 2023-08-08)
|
|
|
|
|
|
|
| |
This removes the need to manually pass variables such as `$(TARNAME)`
and `$(VERSION)` to shell scripts in the root Makefile.
Relates to #5140.
|
|\
| |
| | |
build: dist and asc improvements
|
| |
| |
| |
| |
| |
| | |
Similarly to mkdeb.sh.
Relates to #5140.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The clean target is currently enough to remove all generated files other
than the ones directly in the root directory, so to simplify the dist
target, make it depend on clean instead of distclean.
See commit 5f2785290 ("build: remove unnecessary distclean targets",
2023-07-15) / PR #5911.
Relates to #5142 #5182.
|
| |
| |
| |
| |
| | |
The only other svn-related code seems to have been removed on commit
7e1c057ae ("make testing", 2016-04-23).
|
| | |
|
| | |
|
|/ |
|
|
|
|
| |
This also fixes the duplicate execution of the "clean" targets.
|
|
|
|
|
|
|
| |
Use the `$(MAKE)` macro to ensure that the same make program is used in
the recursive invocation.
Note: Most recursive calls already use `$(MAKE)`.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commands used to find the relevant paths in /etc:
$ pacman -Qo /etc/* 2>/dev/null | grep sudo | LC_ALL=C sort
/etc/pam.d/ is owned by sudo 1.9.14.p1-1
/etc/sudo.conf is owned by sudo 1.9.14.p1-1
/etc/sudo_logsrvd.conf is owned by sudo 1.9.14.p1-1
/etc/sudoers is owned by sudo 1.9.14.p1-1
/etc/sudoers.d/ is owned by sudo 1.9.14.p1-1
Environment: Artix Linux.
Also, add missing paths sudo/doas to etc/ids.config and jailcheck.
See also commit dbebd71db ("disable-common.inc: blacklist doas binary",
2022-10-05).
Relates to #5385.
Reported-by: Dieter Plaetinck <dieter@plaetinck.be>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Simplify the main targets and use wildcards instead of repeating the
filenames manually.
Also, restore the `man` target and building only when `HAVE_MAN` is
enabled.
Note: Make automatically removes intermediate files (.1 and .5), so in
general only the .gz files have to be cleaned.
Commands used to rename the man pages:
cd src/man
git mv firecfg.txt firecfg.1.in
git mv firejail-login.txt firejail-login.5.in
git mv firejail-profile.txt firejail-profile.5.in
git mv firejail-users.txt firejail-users.5.in
git mv firejail.txt firejail.1.in
git mv firemon.txt firemon.1.in
git mv jailcheck.txt jailcheck.1.in
This is kind of a follow-up to commit 9e206b7f2 ("rework src/man
Makefile", 2023-07-07).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This partially reverts commit 2b34747db ("generate seccomp filters at
install time", 2023-07-07). See also commit 6fa19aab9 ("feature: use
seccomp filters build at install time for --restrict-namespaces",
2023-07-12).
The seccomp filters were always being built because
src/fseccomp/fseccomp (and other programs) are in `$(ALL_ITEMS)`, which
is incorrectly marked as phony. This commit fixes that and restores the
previous target logic, for consistency with the other targets and so
that the seccomp filters are made at build time rather than at install
time.
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
To reduce the amount of boilerplate in the makefiles.
This amends commit 9789c263a ("build: disable all built-in implicit make
rules", 2023-06-21) / PR #5864.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use `make -r` to reduce unnecessary filesystem lookups.
Overall, this appears to reduce the amount of implicit rule searches by
~93.3% (~97.5% compared to a8f01a383) for the default build and by
~83.3% (~99.3% compared to a8f01a383) for the "man" target (as an
example):
$ git show --pretty='%h %ai %s' -s
a8f01a383 2023-06-20 05:26:23 +0000 Merge pull request #5859 from kmk3/build-remove-retpoline
$ ./configure >/dev/null
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
6798
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
1085
# (in the previous commit)
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
2535
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
42
# (with this commit applied)
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
170
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
7
Environment: GNU make 4.4.1-2 on Artix Linux.
Note: According to make(1p) in POSIX.1-2017, "If .SUFFIXES does not have
any prerequisites, the list of known suffixes shall be cleared.", while
"The result of setting MAKEFLAGS in the Makefile is unspecified."
Commands used to search and replace:
$ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \
"printf '%s\n' \"\$(sed -E \
's/^(.SUFFIXES:)/\1\nMAKEFLAGS += -r\n/' '{}')\" >'{}'"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clear `.SUFFIXES:` to reduce unnecessary filesystem lookups.
Overall, this appears to reduce the amount of implicit rule searches by
~62% for the default build and by ~96% for the "man" target (as an
example):
$ git checkout master >/dev/null 2>&1
$ git show --pretty='%h %ai %s' -s
a8f01a383 2023-06-20 05:26:23 +0000 Merge pull request #5859 from kmk3/build-remove-retpoline
$ ./configure >/dev/null
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
6798
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
1085
# (with this commit applied)
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
2535
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
42
Environment: GNU make 4.4.1-2 on Artix Linux.
Commands used to search and replace:
$ git ls-files -z -- '*Makefile*' | xargs -0 -I '{}' sh -c \
"printf '%s\n' \"\$(sed '1s/^/.SUFFIXES:\n/' '{}')\" >'{}'"
See also commit f48886f25 ("build: mark most phony targets as such",
2023-02-01) / PR #5637.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The -mretpoline flag is not documented in the current versions of gcc
and clang and it is what causes scan-build to fail:
$ ./configure CC=clang | grep retpoline
checking whether C compiler accepts -mretpoline... yes
EXTRA_CFLAGS: -mretpoline -fstack-clash-protection -fstack-protector-strong
$ scan-build --status-bugs make
scan-build: Using '/usr/bin/clang-15' for static analysis
make -C src/lib
make[1]: Entering directory '/tmp/firejail/src/lib'
/usr/bin/../lib/clang/ccc-analyzer [...] -mretpoline [...] -c common.c -o common.o
gcc: error: unrecognized command-line option ‘-mretpoline’
make[1]: *** [../../src/prog.mk:16: common.o] Error 1
make[1]: Leaving directory '/tmp/firejail/src/lib'
make: *** [Makefile:59: src/lib] Error 2
scan-build: Analysis run complete.
scan-build: Removing directory '/tmp/scan-build-[...]' because it contains no reports.
scan-build: No bugs found.
Environment: clang 15.0.7-9 and gcc 13.1.1-1 on Artix Linux.
Note: NO_EXTRA_CFLAGS was added to work around this issue by causing all
of the flags in EXTRA_CFLAGS to be ignored.
Note2: -mretpoline was added on commit 4a99c8aa2 ("spectre support for
clang compiler", 2018-03-30) and NO_EXTRA_CFLAGS was added on commit
490918c35 ("fix make scan-build for debian 10 and arch", 2019-07-22).
See also commit 2c64d1fdd ("use AX_CHECK_COMPILE_FLAG to check for
spectre flags", 2019-06-21).
Closes #5509.
Kind of relates to #2661.
|
|
|
|
|
| |
See commit f48886f25 ("build: mark most phony targets as such",
2023-02-01) / PR #5637.
|
|
|
|
|
|
|
| |
To make debugging easier.
Use a separate shell script instead of just a make target to ensure that
it can safely run before ./configure and without having make installed.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|\
| |
| | |
build: deb: enable apparmor by default & remove deb-apparmor
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The official .deb package is always built with apparmor support, so use
`--enable-apparmor` in mkdeb.sh and remove the "deb-apparmor" target in
order to reduce redundancy.
Note that custom configure options may be specified by calling
./mkdeb.sh directly.
For example, to build the .deb package without apparmor support, instead
of running `make deb`, the following commands can be used:
make dist
./mkdeb.sh --disable-apparmor
Also, change the `build_apparmor` GitLab CI job into
`build_no_apparmor`, which is intended to check that building without
apparmor still works.
Note: This commit makes the resulting .deb package not have an
"-apparmor" suffix (see `EXTRA_VERSION` in mkdeb.sh), to avoid
redundancy (as having apparmor support becomes the default).
Misc: This is a follow-up to #5654.
Relates to #5154 #5176 #5547.
|
|\|
| |
| | |
build: mkdeb.sh: pass all arguments to ./configure
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Instead of using the first argument as the `EXTRA_VERSION` variable.
This should make the usage of mkdeb.sh less confusing, especially when
one is not trying to set the variable.
As for using `EXTRA_VERSION` (which is still optional with this commit),
make sure that it is set as an environment variable before caling
mkdeb.sh. Example:
env EXTRA_VERSION=-apparmor ./mkdeb.sh --enable-apparmor
See also commit 9a0fbbd71 ("mkdeb.sh.in: pass remaining arguments to
./configure", 2022-05-13) / PR #5154.
|
| | |
|
| | |
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To improve clarity and to prevent unnecessary filesystem lookups.
Overall, this appears to reduce the amount of implicit rule searches by
~4% for the default build and by ~12% for the "man" target (as an
example):
$ git checkout master >/dev/null 2>&1
$ git show --pretty='%h %ai %s' -s
b55cb6a80 2023-01-31 18:56:42 -0500 testing
$ ./configure >/dev/null
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
7101
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
1239
# (with this commit applied)
$ make clean >/dev/null && make --debug=i -j 4 | grep -F 'Trying implicit' | wc -l
6793
$ make clean >/dev/null && make --debug=i -j 4 man | grep -F 'Trying implicit' | wc -l
1085
Environment: GNU make 4.4-1 on Artix Linux.
Note: The amount lines printed is the same on non-parallel builds (that
is, without `-j 4`).
See commit 2465f9248 ("makefiles: make all, clean and distclean PHONY",
2021-02-12) / PR #4024 for details.
Note: By "most phony targets" I mean all non-path targets except for the
testing targets, which were being changed recently (for example, the
"test-github" target) and so might still be under development.
|
| |
|
| |
|
|
|
|
|
|
| |
To ensure a consistent order.
Misc: This might also make it a bit faster.
|
|
|
|
|
|
|
|
|
|
|
| |
Make the syntax target by default to make it harder to forget to update
the syntax files.
Note that the syntax files are built mostly silently and that they are
generated relatively fast (they only take 40~70ms to build on a not
exactly recent machine with `make clean; time make -j 4 syntax`), so
they should not add much noise nor time noise when just trying to build
firejail, for example.
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
* Generate firejail.vim from firejail.vim.in
* Generate firejail-profile.lang from firejail-profile.lang.in
* Update the manual syntax file steps on the new command checklist on
CONTRIBUTING.md to use `make syntax` instead
Relates to #2679 #5502 #5577 #5612.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
* Use the commands from contrib/vim/syntax/firejail.vim to create
makefile targets to generate syntax lists in contrib/syntax/lists
* Add contrib/syntax/files/example.in as an example of how to generate
syntax files
* Generate and add the syntax lists, to make it easier to spot if they
are properly updated when a new command is added or if their recipes
also need changes
* Add "syntax" and "contrib" makefile targets
Note: The generation commands are executed mostly silently to avoid
generating too much noise when also making other targets.
Note2: In some generation commands, a `$$` escape is used to pass `$` to
the shell, to avoid being interpreted by make as the start of a macro.
Note3: `@make_input@` is used in example.in to make it clear that the
file is generated (and that it is generated by make rather than
configure), similarly to how `@configure_input@` is used in configure
input files. See also apparmor.vim:
$ head -n 2 /usr/share/vim/vimfiles/syntax/apparmor.vim
" generated from apparmor.vim.in by create-apparmor.vim.py
" do not edit this file - edit apparmor.vim.in or create-apparmor.vim.py instead
Environment: apparmor 3.1.2-1 on Artix Linux.
Relates to #2679 #5502 #5577 #5612.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Having all of syntax files in the same directory makes it easier to
reference all of them at once on a makefile (such as with
`contrib/syntax/files/*.in`).
Also, this makes the path to the gtksourceview language-spec shorter.
Current path/new path:
* contrib/gtksourceview-5/language-specs/firejail-profile.lang
* contrib/syntax/files/firejail-profile.lang
Currently, adding a rule to the root Makefile to generate the
language-spec in the same directory as an input file would take at least
95 characters (with only a single dependency):
contrib/gtksourceview-5/language-specs/%.lang: contrib/gtksourceview-5/language-specs/%.lang.in
With this commit, the above shortened to 59 characters:
contrib/syntax/files/%.lang: contrib/syntax/files/%.lang.in
Which should make it more readable.
Relates to #2679 #5502.
|